Good morning,

I'm gonna put my neck out and ask a really stupid question.  Due to the
recent plague of password protected .ZIP files in bogus email messages,
and the fact that the vast majority of virus scanning systems can't open
them, I've been wracking my brain trying to figure out how to limit the
damage from these messages.

My question goes more toward the folks at the Computer Laboratory, and
probably requires more expertise than I have.  My thought was this: in
many cases, the PCs and laptops getting infected and broadcasting
emails are individual machines, not legitimate mail servers.  Many of
the infected machines may be reaching campus via the dialup and external
entry points onto campus.  Most of those lie within the 35.12.xx.yy
range of addresses.

My question is this:  can specific ranges within 35.12.xx be identified
as STRICTLY dialup users, and could those user addresses have common
SMTP server ports blocked? If no individual PC connecting through dialup
should be allowed to act like an email server, yet infected PCs usually
do when trying to send out emails, would that create enough of a profile
to allow some ranges to block SMTP ports to prevent some of the spread
of these infections onto the campus network?  I know that this is
difficult, considering that a legitimate client may have the need to
connect to specific SMTP ports to deliver valid email.  Also, an IPS
would be better suited to at least detect PCs trying to engage in
massive amounts of SMTP connections as possibly infected machines.  I'm
just trying to brainstorm a way to try to reduce the amount of infected
traffic we all have to contend with.

Now that I've thrown this out there, I'd love to hear comments,
suggestions, criticisms, and most importantly, alternatives that may
help us all with this problem.  Thanks to the Computer Lab folks for
keeping on top of these issues when they crop up.



John A. Resotko
Head of Systems Administration
MSU - Detroit College of Law
208 Law College Building
East Lansing, MI  48824-1300
email: [log in to unmask]
Phone: 517-432-6836
Fax: 517-432-6861
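
The detection idea raised in the message (dialup hosts that open SMTP connections to many different servers), as an added example that is not part of the original post. The flow-record format, the threshold, and all addresses are assumptions; the pools and relay are constructed placeholders from documentation ranges, not the campus's real ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholders (RFC 5737 documentation ranges), not the real
# campus dialup pools or mail relays.
DIALUP_POOLS = [ipaddress.ip_network("198.51.100.0/24")]
SANCTIONED_RELAYS = {ipaddress.ip_address("192.0.2.25")}
SMTP_PORT = 25
WINDOW_SECONDS = 60
MAX_DISTINCT_SERVERS = 2  # assumed threshold; tune against real traffic
# Constructed flow records: epoch_seconds src_ip dst_ip dst_port
SAMPLE_FLOWS = """\
1000 198.51.100.7 203.0.113.1 25
1004 198.51.100.7 203.0.113.2 25
1008 198.51.100.7 203.0.113.3 25
1009 198.51.100.7 203.0.113.9 80
1000 198.51.100.9 192.0.2.25 25
1005 198.51.100.9 203.0.113.1 25
1000 198.51.100.12 203.0.113.1 25
1200 198.51.100.12 203.0.113.2 25
1400 198.51.100.12 203.0.113.3 25
1000 192.0.2.50 203.0.113.1 25
1001 192.0.2.50 203.0.113.2 25
1002 192.0.2.50 203.0.113.3 25
"""

def suspected_mass_mailers(lines):
    """Dialup sources hitting > MAX_DISTINCT_SERVERS SMTP servers per window."""
    events = defaultdict(list)  # src -> [(ts, dst)]
    for line in filter(str.strip, lines):
        ts, src, dst, port = line.split()
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Mail handed to the sanctioned relay is normal client behaviour.
        if int(port) != SMTP_PORT or dst in SANCTIONED_RELAYS:
            continue
        if any(src in net for net in DIALUP_POOLS):
            events[src].append((int(ts), dst))
    flagged = []
    for src, seen in events.items():
        seen.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(seen)):
            # Slide the window start forward until it spans < WINDOW_SECONDS.
            while seen[end][0] - seen[start][0] >= WINDOW_SECONDS:
                start += 1
            if len({d for _, d in seen[start:end + 1]}) > MAX_DISTINCT_SERVERS:
                flagged.append(str(src))
                break
    return sorted(flagged)
```

Only the dialup host that fans out to several outside SMTP servers within one window is flagged; the client using the sanctioned relay, the slow sender, and the non-dialup mail server are not.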