[afnog] UCEPROTECT-Network Level 3, who takes the blame?

S. Oduor soduor at accesskenya.com
Tue Jul 24 13:15:25 UTC 2007


> Even after hardening our mailserver, the MailScanner kept
> showing huge amounts of spam from the AccessKenya network.
> I emailed the then admin to sort it out and (s)he promised
> to look into it but after a week of no change I technically
> dropped communication

Emailing the admin directly might not have been very wise even if you
knew him on a personal basis. Most admins normally receive so much mail,
& they filter it based on from addresses to manage system
alerts/notifications & a few emails from known individuals, so definitely
some mails go unread by the admin, especially those not logged on their
selected folders. Most abuse calls are normally logged to abuse at foo.bar,
postmaster at foo.bar or support at foo.bar. Did you do this? Did you get a
ticket number on the same? What range did you block and what is the
current status on your server? I have forwarded this complaint to the
right party. If you have the ticket that was assigned, pls forward it
off-list. I would also like to know the range that was blacklisted on your
server. Are you a provider of some sort & how many domains do you host if
so?


> Which now begs the question who should take the
> responsibility of cleaning up downstream hosts coming into
> your network?

The responsibility starts with the downstream host admin & also the service
provider. At service provider level you may need to work on things to
regulate connectivity to your hosts, like blocking port 25 to mitigate
exploits and probably forcing them to use your outbound mail server that
does scanning of emails, but this really has to rely on your internal
policy or you might end up becoming a regulator rather than a provider. In
some 1st world you can be sued for this, so policy will be very important.
For errant cases of a spamming host due to malware or open relay, the service
provider normally blocks off outbound communication until this is
re-addressed; it's better than having an RBL block your downstream host that
ends up spoiling your reputation.


> It looks like UCEPROTECT opted to do exactly what I did - it may not be
> right, but it does provide a quick relief of sorts, with casualties of course.

I disagree, so did you block all the IPs that start with 196.207.0.0/8?
What criteria did you deploy and what loss has your company or firm gotten
from your act? You have just blocked probably more than 5 providers
because you can't single out a subnet that's errant. Pls re-visit the
solutions to your problems; it's even causing more problems to you and your
customers.

Off topic: KCCT.AC.KE seems to be owned by the Govt & I know a percentage
of the money I work for goes to support it in the form of tax. If you are sure
you've applied policies similar to UCEPROTECT, that's criminal, pls sort it
out, I want value for my money.

Rgds
Oduor Sam.











