All good points - but missing the essential point that, even if the internet ports were redivided into "server" at (say) 1-10240 and "user" at 10241+ (like the current division at 1024), this worm would *still* have spread like wildfire. The service exploited is a legitimate service, so it would be expected to run on a server port. Filtering would allow you to block certain services at the expense of blocking anyone from being able to run those servers legitimately (which may be borderline acceptable to filter dialup/home users and protect all those insecure MSDE owners out there), but it would still not have slowed the infection of legitimate servers. The only place to close ports to inbound traffic is at the server running that service in the first place.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
