[geeks] .hk, .cn, .info considered harmful

Rich Kulawiec rsk at gsp.org
Thu Jun 5 13:05:37 CDT 2008


On Thu, Jun 05, 2008 at 06:55:10PM +0100, Mike Meredith wrote:
> This seems like more work (set up a proxy, configure clients
> (automatically via dhcp), block unproxied web traffic), but may save
> work in the long run. Populating a firewall ruleset with netblocks that
> constantly change is a lot of work.
> 
> Similarly blocking mail from unsuitable locations is probably better
> done in an MTA as most have better ways of blocking than just by IP
> address.

I largely concur with this, especially the "lot of work" part. ;-)

Let me add something as an adjunct: whether you need to block outbound
SMTP or HTTP traffic to various TLDs/domains/ASNs/network blocks depends
in part on how your user population behaves.  If they're constantly
trying to reply to spammers and constantly following links provided in
spam/phish messages, then yep, outbound blocking is probably a good idea
to save future headaches.  But if they're disciplined enough to refrain
from doing so, it might be superfluous.

And I say "might" because lots of malware phones home regardless of
overt user action or lack thereof -- which means, I suppose, that having
some concept of how infested users' machines are is helpful as well.
And that may be easy for some folks to acquire, difficult for others.

I've been gradually arriving at the viewpoint that systemic blocking
of what I'll call (for lack of a better term) "bad actors" is necessary.
For most purposes, spammers and phishers and spyware authors and botnet
operators and so on *are the same people*, so once they're identified,
there's no point in allowing any further traffic to or from them -- thus
I'm shifting more and more measures from application protocol servers
to the firewall.

Of course, that leaves the small problem of identification, but that
is left as an exercise for the reader. ;-)

---Rsk
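An added worked example, not code from the original post or from anyone in the thread: the script below takes the two identification sources the thread mentions (a proxy log showing which users keep going to the TLDs in question, and a hand-maintained netblock list of the kind that "constantly changes") and folds them into one collapsed, firewall-oriented blocklist, which is the "shift measures from application servers to the firewall" idea in code. The TLD set is taken from the subject line purely as the policy being argued about; the Squid-format log excerpt and the netblock feed are constructed sample data, and the iptables lines are only rendered as strings, never executed.

```python
"""Consolidate per-application abuse indicators into one firewall blocklist.

Added example, not code from the original post.  Assumptions: the TLD set is
the one named in the thread's subject line, used here only as the policy under
discussion; the proxy log and the netblock feed are constructed sample data.
"""
import ipaddress
import re
from collections import Counter

# Policy knob (assumed): the TLDs the thread is arguing about.
BLOCKED_TLDS = frozenset({"hk", "cn", "info"})

# Constructed netblock feed, deliberately messy: adjacent, overlapping and
# mixed-family entries, the way a hand-maintained ruleset accumulates them.
CONSTRUCTED_NETBLOCKS = [
    "203.0.113.0/25",
    "203.0.113.128/25",  # adjacent to the entry above: merges into one /24
    "198.51.100.0/24",
    "198.51.100.42/32",  # already inside the /24: redundant
    "2001:db8:bad::/48",
]

# Constructed Squid native-format access log: time elapsed client code/status
# bytes method URL ident peerstatus/peerhost type.
CONSTRUCTED_PROXY_LOG = """\
1212690000.123 210 10.0.0.5 TCP_MISS/200 1234 GET http://example.com/ - DIRECT/93.184.216.34 text/html
1212690001.456 90 10.0.0.7 TCP_MISS/200 512 GET http://shop.example.hk/offer - DIRECT/203.0.113.9 text/html
1212690002.789 120 10.0.0.7 TCP_MISS/200 777 GET http://tracker.example.info/p - DIRECT/198.51.100.42 text/html
1212690003.000 80 10.0.0.9 TCP_MISS/200 333 CONNECT mail.example.cn:443 - DIRECT/203.0.113.200 -
1212690004.500 95 10.0.0.9 TCP_MISS/200 640 GET http://update.example.cn/bot.bin - DIRECT/192.0.2.77 application/octet-stream
"""

# Host part of "scheme://host/..." or of a bare "host:port" (CONNECT requests).
_URL_HOST = re.compile(r"^(?:[a-z]+://)?([^/:\s]+)", re.IGNORECASE)


def tld_of(hostname):
    """Last label of a hostname; None for single-label names and IP literals."""
    labels = hostname.rstrip(".").lower().split(".")
    if len(labels) < 2 or labels[-1].isdigit():
        return None
    return labels[-1]


def host_is_blocked(hostname, blocked_tlds=BLOCKED_TLDS):
    return tld_of(hostname) in blocked_tlds


def hosts_from_proxy_log(log_text):
    """Yield (client_ip, dest_host, dest_ip) for each Squid native-format line."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue  # truncated or foreign line; skip rather than guess
        client, url, peer = fields[2], fields[6], fields[8]
        match = _URL_HOST.match(url)
        if not match:
            continue
        dest_ip = peer.split("/", 1)[1] if "/" in peer else None
        yield client, match.group(1).lower(), dest_ip


def collapse_netblocks(cidrs):
    """Merge adjacent and overlapping CIDRs so the ruleset stays short.

    ipaddress.collapse_addresses() refuses mixed address families, so IPv4 and
    IPv6 are collapsed separately and concatenated (IPv4 first, each sorted).
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    collapsed = []
    for version in (4, 6):
        family = [n for n in nets if n.version == version]
        collapsed.extend(str(n) for n in ipaddress.collapse_addresses(family))
    return collapsed


def firewall_blocklist(log_text, netblocks, blocked_tlds=BLOCKED_TLDS):
    """Return (collapsed CIDR list, {client_ip: hits to blocked TLDs}).

    Peer addresses of requests to blocked TLDs are added as host routes; the
    per-client counter is the crude "how infested are they" signal.
    """
    cidrs = list(netblocks)
    hits = Counter()
    for client, host, dest_ip in hosts_from_proxy_log(log_text):
        if host_is_blocked(host, blocked_tlds):
            hits[client] += 1
            if dest_ip:
                cidrs.append(dest_ip)  # bare address becomes a /32 or /128
    return collapse_netblocks(cidrs), dict(hits)


def render_iptables(cidrs):
    """One OUTPUT rule per CIDR, as strings only; nothing is executed here."""
    rules = []
    for cidr in cidrs:
        tool = "ip6tables" if ipaddress.ip_network(cidr).version == 6 else "iptables"
        rules.append(f"{tool} -A OUTPUT -d {cidr} -j REJECT")
    return rules


if __name__ == "__main__":
    cidrs, hits = firewall_blocklist(CONSTRUCTED_PROXY_LOG, CONSTRUCTED_NETBLOCKS)
    print("\n".join(render_iptables(cidrs)))
    for client, count in sorted(hits.items()):
        print(f"# {client}: {count} request(s) to blocked TLDs")
```

On the constructed data the five feed entries plus four logged peers collapse to four rules, and the per-client counter shows which desktops are the ones doing the clicking (or phoning home), which is the "identification" part the post leaves as an exercise. The same collapse step is what keeps a netblock-based firewall ruleset from growing without bound as a feed adds overlapping entries.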
