
Tools for ISPs


hkunsei


I wish to know more about the tools an ISP could use to predict if a spammer is working within its network, if there are any.

I'm looking at ways where we could stop it before it starts to spread.

Also, what sort of tools, apart from the mail stuff, does this site have?


Probably the single most important thing to do as an ISP is to block, or at the very least monitor port 25 traffic. In general, except for a few users that may use external SMTP servers at their webhosts, there should be no traffic on port 25 going from within your network to the internet, except from your known mail servers. Watching for this type of traffic at your routers can be an excellent way to know when a problem is developing.

This can generally be done using free tools available from the router manufacturer, though I'm sure there are much more sophisticated (and expensive) tools available that will do much more beyond basic monitoring.

Another important step as an ISP is to maintain the RFC REQUIRED abuse[at] email address, publish that address in your WHOIS data so people know it exists, and read and act on every report you receive at that address, even if it just means contacting a customer to let them know their computer may be infected with a virus.


Probably the single most important thing to do as an ISP is to block, or at the very least monitor port 25 traffic.

Agree for sure. Anyone sending spam mail from within a domain should show up as an unusually greedy user of outgoing connections on port 25. Also port 587 might be used in some rare cases for sending out mail. You would look for connections on these ports to machines (MX mail hosts, most likely) outside your domain, which really shouldn't be happening in most cases, and certainly not in spam-like quantities. The best practice is for a domain to funnel all its users' outgoing mail through its own mail hosts; individual users should not be sending mail directly to outside MX hosts.

Also, if zombies are being used to "host" spam websites (actually, to be reverse proxies), then you might also see an unusual degree of incoming traffic on port 80 to individual users' machines. It is not a good practice to allow typical ISP subscribers to run "bootleg" public web servers on their home computers. If I were running an ISP, I would probably prefer to block inbound port 80 traffic for all hosts other than bona-fide web servers in my domain.

Likewise if the zombies are serving as nameserver proxies, you would also see incoming traffic on port 53 that is not going to one of your own nameservers. Again, an individual ISP subscriber probably has no business running a nameserver from his connection.

-- rick
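The two replies above describe the same detection idea from the router's point of view: count per-subscriber flows on the ports that matter (outbound 25 and 587 to hosts outside the domain, inbound 80 and 53 to subscriber machines) and flag any host that is not one of the ISP's own mail, web or name servers. The script below is an added example of that logic run over a small set of constructed flow records; it is not code from SpamCop, from either poster or from any ISP. The flow-log format (one `src sport dst dport proto` record per line), the customer range `203.0.113.0/24`, the server addresses and the per-window thresholds are all assumptions chosen for illustration. Port 25 is treated the way the first reply suggests (any direct-to-MX traffic from a subscriber is a finding) while 587 is only flagged in bulk, since the second reply notes it is legitimately used in some cases.

```python
"""Flag subscriber hosts whose flow records look like direct-to-MX spamming
or zombie proxies.  Added example, not SpamCop's or any ISP's own tooling.
The log format, address ranges and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed: the ISP's customer range and its legitimate servers.
CUSTOMER_NET = ip_network("203.0.113.0/24")
KNOWN_MAIL_SERVERS = {ip_address("203.0.113.5")}
KNOWN_WEB_SERVERS = {ip_address("203.0.113.10")}
KNOWN_NAME_SERVERS = {ip_address("203.0.113.2")}

# Assumed thresholds: flows per host in the analysed window.
MAX_OUTBOUND_25 = 0     # any direct-to-MX SMTP from a subscriber is suspect
MAX_OUTBOUND_587 = 50   # submission to an outside provider is fine, bulk is not
MAX_INBOUND_80 = 20     # sustained inbound HTTP means a bootleg web server / proxy
MAX_INBOUND_53 = 20     # likewise inbound DNS means a nameserver proxy


def parse_flow(line):
    """Parse one assumed-format record 'src sport dst dport proto'.
    Returns (src, sport, dst, dport, proto) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return (ip_address(parts[0]), int(parts[1]),
                ip_address(parts[2]), int(parts[3]), parts[4])
    except ValueError:
        return None


def find_suspects(lines):
    """Return sorted (host, reason, flow_count) findings for the given records."""
    outbound = defaultdict(lambda: defaultdict(int))  # customer -> dport -> flows
    inbound = defaultdict(lambda: defaultdict(int))   # customer -> dport -> flows
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        src, _sport, dst, dport, _proto = rec
        src_in, dst_in = src in CUSTOMER_NET, dst in CUSTOMER_NET
        if src_in and not dst_in:
            outbound[src][dport] += 1
        elif dst_in and not src_in:
            inbound[dst][dport] += 1
        # customer-to-customer flows (a subscriber relaying through the ISP's
        # own MX, for example) are the expected pattern and are not counted

    findings = []
    for host, ports in outbound.items():
        if host in KNOWN_MAIL_SERVERS:
            continue  # the ISP's MX is supposed to talk to outside MX hosts
        if ports[25] > MAX_OUTBOUND_25:
            findings.append((str(host), "outbound smtp to external MX", ports[25]))
        if ports[587] > MAX_OUTBOUND_587:
            findings.append((str(host), "bulk outbound submission", ports[587]))
    for host, ports in inbound.items():
        if host not in KNOWN_WEB_SERVERS and ports[80] > MAX_INBOUND_80:
            findings.append((str(host), "inbound http to subscriber host", ports[80]))
        if host not in KNOWN_NAME_SERVERS and ports[53] > MAX_INBOUND_53:
            findings.append((str(host), "inbound dns to subscriber host", ports[53]))
    return sorted(findings)


def sample_flows():
    """Constructed flow records for a quick run; not real traffic."""
    lines = []
    # Normal subscriber relaying through the ISP's own MX (internal, never counted).
    lines += ["203.0.113.42 50001 203.0.113.5 25 tcp"] * 3
    # The ISP's MX delivering to outside MX hosts: legitimate.
    lines += [f"203.0.113.5 {40000 + i} 198.51.100.{i} 25 tcp" for i in range(1, 21)]
    # Subscriber using an external submission service on 587, in moderation.
    lines += [f"203.0.113.42 {50100 + i} 192.0.2.10 587 tcp" for i in range(5)]
    # Zombie spewing direct-to-MX mail at 40 different outside hosts.
    lines += [f"203.0.113.77 {41000 + i} 198.51.100.{100 + i} 25 tcp" for i in range(40)]
    # Outside clients hitting a subscriber on port 80: bootleg web server / reverse proxy.
    lines += [f"192.0.2.{i} {30000 + i} 203.0.113.88 80 tcp" for i in range(1, 31)]
    # The same pattern against the ISP's real web server: fine.
    lines += [f"192.0.2.{i} {31000 + i} 203.0.113.10 80 tcp" for i in range(1, 31)]
    # A malformed line, to show the parser skips it rather than crashing.
    lines.append("garbage line")
    return lines


if __name__ == "__main__":
    for host, reason, count in find_suspects(sample_flows()):
        print(f"{host}: {reason} ({count} flows)")
```

On the constructed input only the zombie `203.0.113.77` (40 direct-to-MX flows) and `203.0.113.88` (30 inbound HTTP flows) are reported; the ISP's own MX, the real web server and the subscriber making a handful of 587 connections are left alone. In practice the records would come from NetFlow or firewall logs and the thresholds would be tuned per window length, but the shape of the check is the same.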


...Another important step as an ISP is to maintain the RFC REQUIRED abuse[at] email address, publish that address in your WHOIS data so people know it exists, and read and act on every report you receive at that address, even if it just means contacting a customer to let them know their computer may be infected with a virus.
O/P is posting from Australia, such follow-up is pretty much required of Oz providers by ACMA, it's not an option.

Some of the tools sought might be found in The List of Lists


Also port 587 might be used in some rare cases for sending out mail. You would look for connections on these ports to machines (MX mail hosts, most likely) outside your domain, which really shouldn't be happening in most cases, and certainly not in spam-like quantities. The best practice is for a domain to funnel all its users' outgoing mail through its own mail hosts; individual users should not be sending mail directly to outside MX hosts.

I would suggest blocking port 25 but monitoring port 587. Services like SpamCop's outgoing SMTP would be useless without the possibility of using an external SMTP server.

I use it for several reasons.

1. It is rarely on any serious blocklists and is much more reliable, so the messages get through. The same cannot be said for all my other ISPs' servers.

2. My laptop is frequently on many different internet connections. Re-configuring for each time I move is crazy. Daily, I am connected using both the network at work (where I also have Outlook to my work account) and my home ISP. I also have dial-up for the weekends away at the in-laws and WiFi connections elsewhere.

3. Some people have need to send all work related emails through their work server. I have VPN access to accomplish this at this position, but previous employer used port 587 authorized connections for this purpose.


Thanks, folks, for jumping in here. This was originally posted into:

Suggested Tools and Applications

A Forum for pointing to those neat fixes and solutions that we've all been looking for. Free is great, open-source even better. Noting issues with Spyware/Adware would also be appreciated.

My first reaction to the post ... where are the "suggested tools" ??? OK, it's a request, not an offering ....

My next reaction ... how is anyone here supposed to offer up a list of server tools when the server, operating system, versions and flavors, etc. are not defined? *NIX tools wouldn't be helpful for a Windows-based server, and Exchange-specific stuff sure wouldn't do any good for a Sendmail user .....

Follow-on reaction ... hard to believe someone would ask here about how to configure a network, monitor that network, handle that network 'here' .. with the request sounding like becoming an ISP would be a pretty kewl thing to do .... there's the web, most "ISP type" software does come with documentation, there are books available, most schools these days offer various courses ... surely, this isn't what was actually being asked.

So, I simply moved this Topic to the Lounge area (again, the post contained no 'suggested tools') .. the thought being that if someone actually did throw up a list of 'suggested tools' it might be moved back into that Forum section ... but I suspected that this wasn't going to happen, actually. I posted no reply at that time, in hopes that someone else would show up with a totally different perspective. Thankfully, this 'plan' worked. The activity, input, and thoughts are much appreciated.

I'm still of the belief that there is a probable language issue involved, but that's just a guess. This may have contributed to the question about the availability of software downloads here (there are none) .... now actually wondering if the Topic starter will actually return ....


Follow-on reaction ... hard to believe someone would ask here about how to configure a network, monitor that network, handle that network 'here' .. with the request sounding like becoming an ISP would be a pretty kewl thing to do .... there's the web, most "ISP type" software does come with documentation, there are books available, most schools these days offer various courses ... surely, this isn't what was actually being asked.
I kinda figured it might have been one of those situations where someone hires his wife's brother-in-law's boss's nephew to be an admin for the summer because he is "good with computers," and the kid is stuck with the task of "getting rid of spam."

-- rick

This topic is now archived and is closed to further replies.