Educause Security Discussion mailing list archives

Re: SECURITY Digest - 23 Sep 2005 to 26 Sep 2005 (#2005-176)


From: Jeff Kell <jeff-kell () UTC EDU>
Date: Tue, 27 Sep 2005 23:20:33 -0400

Valdis Kletnieks wrote:

The answers to this, of course, all are very dependent on *why* you're trying
to get rid of Yahoo messenger - most often, it's a case of shooting the messenger.
The *REAL* concern probably isn't "We don't like Yahoo Messenger", it's more likely
some variant on "holes in Yahoo Messenger can compromise systems and expose data".

Since I brought this up, let me clarify:

Valdis wrote:

Jeff - you've been in this business about as long as I have.  :)

Well, yes, and dinosaurs should stick together, especially in light of the oil crisis.  But...

I wasn't the least bit interested in blocking Yahoo Messenger.

By "Gee, this blows my security model astray" I was referring to:

* non-SMTP servers opening outside connections to 25 (SMTP) are taboo,
* enough connections to [different hosts] port 25 (SMTP) fast enough are really taboo,
* enough connections to [different hosts] port 23 (telnet) fast enough are also taboo,

The new Yahoo messenger keeps retrying when connections are blocked (discarded), further aggravating the connection counts and rates.

These conditions, in my current model, raise flags, make noises, and generally draw attention.  It appears we have a misbehaving internal host, and we try to ensure we're good netizens and investigate.

The first case looks like misconfigured SMTP (not such a big deal).
The second case looks like a spambot/proxy.
The third case looks like a DoS/scan/brute-force telnet attack.

All three look suspicious.  But now it appears I'll have to make exceptions for the relevant Yahoo subnets.

Jeff
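The three conditions Jeff lists, as an added detection sketch that is not part of the original thread or any product he names: it runs over constructed flow records and flags non-server SMTP, fast fan-out to many SMTP hosts, and fast fan-out to many telnet hosts. The mail-server list, the 60-second window, the distinct-host threshold and the `exempt_dst_prefixes` whitelist (standing in for the messenger service's subnets) are all assumed placeholder values.

```python
from collections import defaultdict

# Constructed flow records (timestamp_s, src, dst, dst_port); addresses are documentation ranges.
FLOWS = (
    [(t, "10.0.0.25", f"203.0.113.{i}", 25) for i, t in enumerate((0, 5, 9), start=1)]
    + [(30, "10.0.1.7", "203.0.113.50", 25)]          # one stray SMTP connection
    # a client that retries every blocked host three times, a dozen hosts in half a minute
    + [(2 * i + r, "10.0.1.9", f"198.51.100.{i}", 25) for i in range(12) for r in range(3)]
    + [(100 + i, "10.0.1.11", f"192.0.2.{i}", 23) for i in range(12)]      # fast telnet sweep
    + [(200 + 90 * i, "10.0.1.12", f"192.0.2.{i}", 23) for i in range(12)] # slow: 90 s apart
)

MAIL_SERVERS = {"10.0.0.25"}   # assumed: hosts permitted to speak outbound SMTP
WINDOW = 60                    # assumed: seconds per sliding window
DISTINCT_HOSTS = 10            # assumed: distinct destinations per window that trip the rate rule


def classify(flows, mail_servers=MAIL_SERVERS, window=WINDOW,
             distinct_hosts=DISTINCT_HOSTS, exempt_dst_prefixes=()):
    """Return {src: [flags]} for the three conditions in the post.

    exempt_dst_prefixes is a placeholder for destination subnets one would
    whitelist (e.g. the messenger service's own ranges); matching flows are ignored.
    """
    flags = defaultdict(set)
    per_src_port = defaultdict(list)   # (src, port) -> [(ts, dst), ...] in time order
    for ts, src, dst, port in sorted(flows):
        if dst.startswith(tuple(exempt_dst_prefixes)):
            continue
        if port == 25 and src not in mail_servers:
            flags[src].add("smtp-from-nonserver")       # case 1: misconfigured SMTP?
        if port in (25, 23):
            per_src_port[(src, port)].append((ts, dst))
    for (src, port), events in per_src_port.items():
        # sliding window counting *distinct* destinations, so retries to one
        # blocked host inflate the raw connection count but not this rule
        for i, (t0, _) in enumerate(events):
            in_window = {dst for ts, dst in events[i:] if ts - t0 <= window}
            if len(in_window) >= distinct_hosts:
                flags[src].add("spambot-proxy" if port == 25 else "telnet-scan")
                break
    return {src: sorted(f) for src, f in flags.items()}


if __name__ == "__main__":
    for src, f in classify(FLOWS).items():
        print(src, f)
```

Passing `exempt_dst_prefixes=("198.51.100.",)` is the "exception for the relevant subnets" Jeff mentions: the retrying client then raises no flag at all.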
