Title: Message
Simple, we do not allow anyone to run any type of server unless they are paying us to do that.  This is included in their contract and it works very well.  We have had no one leave our service or complain about the policy AFTER they have signed up... because they agreed to it from the start.  We do have a few business customers that want their own server of some sort and we allow them to, normally at a higher rate than a person not running a server.
 
As for port blocking, we have an extensive access-list on our ports to the Internet and some less extensive access-lists on our modem, DSL and Wireless ports.  We have had NO problem blocking those ports.  If a customer needs a specific port open then we open that port for his/her static IP address, but we have had only one customer needing a port open. We also have applied an access-list that Cisco did for the Nachi worm.  That basically has eliminated any inbound attempts to infect and we saw a great reduction in traffic!
 
We are also running Snort and it monitors all IP addresses. It is easy to find those with the Welchia or Nachi worm, normally brought in when they change from another ISP to us, or they have multiple accounts.  Once we identify a customer with one of the worms they are given 24 hours to clean up or get shut down.

Ronnie
Internet Texas

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike McTee
Sent: Monday, December 15, 2003 3:28 PM
To: [EMAIL PROTECTED]
Subject: [Modus] OT: Allowing SMTP on an ISP's Network + Nachi (Welchia) worm

This is an Off Topic post.  Due to the possibility of causing grief to some on this list with an Off Topic post’s sometimes excessive amount of responses, please reply to me in private with your policies, thoughts, or responses.  Also, this is really two questions in one e-mail, so it may generate more e-mails than most would want to see on the list anyway. :)

1). As an ISP, what is the general consensus of allowing anyone (or everyone) to have the ability to have an SMTP server in operation on their machine while connected to the ISP’s network?

 

This question arises from time to time because we get complaints from various other people of spam being relayed from one of our IP Addresses and upon verifying who was using that IP Address at the time the relaying occurred, it comes back to dynamically assigned IP Address pools (both dialup and DSL).

2). As an ISP, what has everyone done to guard against bandwidth hogging infected machines (the latest seems to have been the Nachi or Welchia worm outbreak)?

 

A. Did everyone choose to disable this by blocking those ports the worm uses (which incidentally blocks the ability to use ping and tracert as testing tools)?

B. Or, is there another way to do this that still lets us test across the network with ping and tracert?

Sincerely,

Mike McTee
Internet Systems Technician
Eastex Net (www.eastex.net)