[Modus] OT: Allowing SMTP on an ISP's Network + Nachi (Welchia) worm

[Mark Thornton]

Pretty on topic if you ask me...   We only allow smtp servers with outbound smtp access on aggreement with the client. They have to offer up some body part or first born as insurance against abuse. Otherwise all traffic goes through modus, no questions taken.   We do very limited filtering at our core router, primarily of the abused netbios ports and the sql server port that has no value in an internet setting. We do a bit more filtering on a case by case basis on ports to apartments complexes and the like to deal with specific issues, but none of it is too heavy.   We monitor bandwidth regularly with our manager and contact users who are obviously infected. Usually they call us complaining about access speed before we notice, since their connection is usually hosed because of the virus. Mark Thornton San Marcos Internet, Inc 512-393-5300   ----- Original Message ----- From: Mike McTee To: [EMAIL PROTECTED] Sent: Monday, December 15, 2003 3:28 PM Subject: [Modus] OT: Allowing SMTP on an ISP's Network + Nachi (Welchia) worm This is an Off Topic post.  Due to the possibility of causing grief to some on this list with an Off Topic post�s sometimes excessive amount of responses, please reply to me in private with your policies, thoughts, or responses.  Also, this is really two questions in one e-mail, so it may generate more e-mails than most would want to see on the list anyway. J   1). As an ISP, what is the general consensus of allowing anyone (or everyone) to have the ability to have an SMTP server in operation on their machine while connected to the ISP�s network?   This question arises from time to time because we get complaints from various other people of spam being relayed from one of our IP Addresses and upon verifying who was using that IP Address at the time the relaying occurred, it comes back to dynamically assigned IP Address pools (both dialup and DSL).       2). As an ISP, what has everyone done to guard against bandwidth hogging infected machines (the latest seems to have been the Nachi or Welchia worm outbreak)?   A.      Did everyone choose to disable this by blocking those ports the worm uses (which incidentally blocks the ability to use ping and tracert as testing tools)? B.       Or, is there another way to do this that still lets us test across the network with ping and tracert?       Sincerely, Mike McTee Internet Systems Technician Eastex Net (www.eastex.net)