Whip-lash Kneel before me... for I am Root!
Joined: 20 Nov 2000 Posts: 573
Posted: Thu Jul 08, 2004 11:30 am Post subject: Infected, Malicious, and Spammer Systems Block
EFFECTIVE IMMEDIATELY
The following rules are now in place concerning network and port level blocks for traffic coming from virus-infected systems:
- 1-5 messages with an actual known virus - SMTP port block from originating IP
- 6-10 messages - Block all ports except HTTP*
- 11+ messages - Full network block
(note: duration of block in this ruleset should be assumed permanent, but will be handled on a case by case basis)
This next ruleset concerns blocks on systems with assumed or actual malicious intent:
- Rapid, short term hits on dangerous ports (SMB, etc.) - Temporary 2-hour full network block
- Continuous hits on same dangerous ports - Permanent full network block
- Port scans, DoS attacks, etc. - Full network block (time period will vary depending on the type of attack, duration, etc.)
- Bruteforce login attacks - Full network block (time period will vary depending on the authentication system, duration of attack, etc.)
This final ruleset concerns blocks on Spammer systems:
- Originating network addresses or blocks owned or operated by Spam Houses - Full Network Block (duration will depend on how long the address or block is listed in specific RBLs)
- All messages with a calculated SpamAssassin score of at least 4, or otherwise marked as spam - SMTP port block (duration to be handled on a case by case basis)
(note: the virus ruleset supersedes the spammer ruleset, since many messages detected as viruses are detected as spam as well)
This may seem to be a little extreme, however with the current state of system security, and the lack of responsible antivirus management of both personal and corporate machines, I have been forced to implement this rule.
To prevent your system or gateway from being blocked, I highly recommend installing a virus scanner, keeping both your system and antivirus signatures up to date, and performing regular, complete antivirus scans. If your system is already infected, disinfect it, or have someone else clean it for you. Also make sure it is clear of spyware.
If you are an advertising or spam firm and have been blocked, tough luck.
I will be discussing with other administrators (including the Planetfurry Administrative Staff, and other domain name site owners) whether the blocked network addresses should be made publicly available, what data standard should be used, etc.
If you have any questions or comments concerning this new policy, please send me an email, private message, or leave a message in the Systems Block Policy Discussion thread. If you need to contact me through other means (such as if you are being blocked through email, etc.), please try the following contacts:
- Email: [email protected]
- Private Message: here
- Fax: 1 (603) 954-0067
- Mail: 2891-B Walnut View Ct.
Attn: Planetfurry Admin Staff
Winston-Salem, NC 27103
* This will not be the normal webserver, but a forward to a static web server containing a message describing why you are blocked, etc., and contact information to possibly be unblocked.
Edit: spam ruleset modified to be more strict to check all messages (not just 6+) from an IP with a score of at least 4 (instead of greater than 5), or that are otherwise determined as spam through a blacklist, bayesian classification, etc.
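The tiered policy above reads naturally as an escalation engine: count events per source address, map the counts onto block levels, and apply the stated precedence between rulesets. The following is an added example of such an engine, not the administrator's own tooling and not code from the thread. The virus-count tiers, the SpamAssassin threshold of 4, the RBL rule and the "virus supersedes spam" precedence are taken from the post; the event format, the IP addresses, the sample events and the numeric definitions of "rapid" and "continuous" dangerous-port hits (`RAPID_HITS`, `RAPID_WINDOW`, `CONTINUOUS_SPAN`) are constructed assumptions, since the post does not quantify them.

```python
"""Escalation engine for the tiered block policy described in the post.

Added example, not the administrator's own tooling.  Thresholds that the
post states (virus tiers, SA score >= 4, RBL -> full block, precedence)
are used as given; everything else below is a constructed assumption.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Block levels ordered by severity; a source gets the most severe one that applies.
NONE, SMTP, ALL_BUT_HTTP, FULL = 0, 1, 2, 3
LEVEL_NAMES = {
    NONE: "no block",
    SMTP: "SMTP port block",
    ALL_BUT_HTTP: "all ports except HTTP (redirect to block notice)",
    FULL: "full network block",
}
SPAM_SCORE_THRESHOLD = 4.0  # post: SpamAssassin score of at least 4

# Assumed thresholds: the post does not quantify "rapid" or "continuous".
RAPID_HITS, RAPID_WINDOW = 10, 60  # 10+ hits inside 60 s -> temporary block
CONTINUOUS_SPAN = 3600             # hits spread over 1 h or more -> permanent


@dataclass
class SourceStats:
    virus_msgs: int = 0
    spam_msgs: int = 0                  # SA score >= 4 or otherwise flagged
    rbl_listed: bool = False
    port_hits: list = field(default_factory=list)  # epoch seconds of SMB etc. hits


def ingest(events):
    """Aggregate per-source counters from a stream of event dicts."""
    stats = defaultdict(SourceStats)
    for ev in events:
        s, kind = stats[ev["ip"]], ev["kind"]
        if kind == "virus":
            s.virus_msgs += 1
        elif kind == "mail":
            if ev.get("sa_score", 0.0) >= SPAM_SCORE_THRESHOLD or ev.get("flagged"):
                s.spam_msgs += 1
        elif kind == "rbl":
            s.rbl_listed = True
        elif kind == "port_hit":
            s.port_hits.append(ev["t"])
    return stats


def virus_level(n):
    """Post's virus ruleset: 1-5 -> SMTP, 6-10 -> all but HTTP, 11+ -> full."""
    if n == 0:
        return NONE
    return SMTP if n <= 5 else ALL_BUT_HTTP if n <= 10 else FULL


def spam_level(s):
    """Post's spammer ruleset: RBL-listed -> full, any spam-scored message -> SMTP."""
    if s.rbl_listed:
        return FULL
    return SMTP if s.spam_msgs else NONE


def port_hit_level(hits):
    """Malicious-intent ruleset for dangerous-port hits; returns (level, duration)."""
    if not hits:
        return NONE, None
    hits = sorted(hits)
    if hits[-1] - hits[0] >= CONTINUOUS_SPAN:
        return FULL, "permanent"
    for i in range(len(hits) - RAPID_HITS + 1):  # sliding window of RAPID_HITS
        if hits[i + RAPID_HITS - 1] - hits[i] <= RAPID_WINDOW:
            return FULL, "2h"
    return NONE, None


def decide(stats):
    """Return {ip: (level, duration)} for every source that earns a block."""
    decisions = {}
    for ip, s in stats.items():
        mail = virus_level(s.virus_msgs)
        if mail == NONE:                # virus ruleset supersedes spam ruleset
            mail = spam_level(s)
        ports, duration = port_hit_level(s.port_hits)
        level = max(mail, ports)
        if level == NONE:
            continue
        # Mail-based blocks are "assumed permanent, case by case" in the post.
        dur = duration if ports != NONE and ports >= mail else "case-by-case"
        decisions[ip] = (level, dur)
    return decisions


# Constructed sample events (not real log data).
SAMPLE_EVENTS = (
    [{"ip": "203.0.113.7", "kind": "virus"}] * 3
    + [{"ip": "203.0.113.8", "kind": "virus"}] * 7
    + [{"ip": "203.0.113.9", "kind": "virus"}] * 12
    + [{"ip": "198.51.100.4", "kind": "virus"},          # virus tier applies,
       {"ip": "198.51.100.4", "kind": "mail", "sa_score": 6.1},  # spam msgs not
       {"ip": "198.51.100.4", "kind": "mail", "sa_score": 4.2}]  # double-counted
    + [{"ip": "198.51.100.5", "kind": "rbl"}]
    + [{"ip": "198.51.100.6", "kind": "mail", "sa_score": 3.9}]  # under threshold
    + [{"ip": "198.51.100.7", "kind": "mail", "sa_score": 1.0, "flagged": True}]
    + [{"ip": "192.0.2.10", "kind": "port_hit", "t": 1000 + i} for i in range(12)]
    + [{"ip": "192.0.2.11", "kind": "port_hit", "t": 1000 + 1800 * i} for i in range(4)]
)

if __name__ == "__main__":
    for ip, (level, dur) in sorted(decide(ingest(SAMPLE_EVENTS)).items()):
        print(f"{ip:14} {LEVEL_NAMES[level]:48} duration={dur}")
```

The output of `decide` is the block list; turning it into firewall rules (an SMTP-only drop versus a full drop with the HTTP redirect to the notice page) is a separate, firewall-specific step. Note that a source under the 3.9 score stays unblocked while one flagged by another classifier is blocked, which is exactly the distinction the edit at the end of the post draws.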