On 13/04/07, Steven Adair <steven@xxxxxxxxxxxxxxxx> wrote:
Is this in anyway surprising? I think we all know the answer is no. Many Fortune 500 companies have more employees than some ISPs have customers. Should we really expect differently?
Yes! Off the top of my head: 1. Corporations should have more of an economic incentive to prevent compromises on their internal networks. E.g. "TJX breach could cost company $1B" - http://weblog.infoworld.com/zeroday/archives/2007/04/tjx_breach_coul.html Now, a typical spambot will cost almost nothing compared with that, but the point is you don't know the extent of the compromise until you've examined the machines involved. 2. Corporations have a lot more influence over their employee's behaviour than ISPs do over their customers. Customers can walk away to a new ISP with minimal fuss if sanctions are threatened. 3. Corporations can lock down their firewalls a lot tighter than ISPs can. If my ISP blocked the way my employer does, I would be looking for a new ISP. 4. ISPs don't own the data on their customer's computers. Corps very much do own most of the data on their employees computers. Therefore they need to worry about confidentiality in a way that ISPs do not. I used to look after security at a large-ish university and odd activity would stand out because there the baseline was largely 'normal' traffic. ISPs have little chance to detect 'odd' behaviour because everyone is doing 'odd' things. Corps should only have a very few 'odd' things happening on their networks and a single outgoing portscan or IRC session are grounds for serious concern. (Assuming IRC is forbidden by policy - if not, you can still profile the IRC servers you expect to be talking to and those you don't.) It's not hard to find infected machines at a corp.
Also, as a side note, I would like to add that just because SPAM is coming from a certain gateway does not necessarily mean that the machines on their network are infected. We could assume this, but then again I would have to assume Microsoft's network is full of bots because I get SPAM originating from Hotmail.com. It might be logical and in many cases to assume this, but it's worth noting this may not be the case.
Based on the Received headers, or just on the From line ? The latter is trivial to forge and has been routinely forged pretty much forever. If Received headers show that mail has been relayed from within your organisation, then you have a serious problem, and it's better to learn of it by checking for outgoing spam than when someone notices something worse six months down the line. cheers, Jamie -- Jamie Riden / jamesr@xxxxxxxxxx / jamie@xxxxxxxxxxxxxxx UK Honeynet Project: http://www.ukhoneynet.org/
