Forwarding for the record my response to Ross and the lists yesterday - it
didn't get to the lists because I sent it from the wrong account.
---------------------------------------------------------------------------
Ross,
As always in this business, paranoia is a good thing - but there is no
hidden agenda in this request.
This request is not related to what Calmail will be doing - either during
an emergency or in the future. This request only relates to SNS
activities. The preface mentioning Calmail and Socrates was an
abbreviated way of explaining how SNS even gets involved in email virus
incidents.
Normally we don't attempt to track email viruses - email traffic is not
examined via IDS. However there are emergency circumstances when we try
to help control the anti-virus processing load on these central mail
servers. When an anti-virus signature is not immediately available it is
possible for the sudden virus laden email load to threaten the capacity of
these servers - the early casualties quickly spawn very dramatic increases
in traffic.
Under these circumstances SNS will process logs provided by CCS and
attempt to squash the outbreak by performing emergency immediate blocking
of infected hosts.
By gathering information on what are the major departmental servers we
hope to avoid blocking them next time a crisis occurs (this has happened
in the past). Email servers which are 'official' tend to handle a lot of
traffic, hence they are the ones that can most look like an infected host.
They are also the ones which can cause a real problem for the department
if they are mistakenly blocked.
This information will also be useful to us when scanning the campus for
vulnerabilities and anomalous traffic. As mentioned in the request we are
going to be gathering information on all types of servers in order to
refine our detection and notification processes.
-Sherry, SNS
On Thu, 26 Aug 2004 rossd@quantum.me.berkeley.edu wrote:
> ----- Forwarded message from Intrusion Detection Team <security@berkeley.edu> -----
> Below is a list of hosts within your department that appear to be running
> SMTP (email) software. We are asking you to identify - by IP address - the
> official mailserver(s) for your department (those that should be exempt from
> blocking) and return this information to us as soon as possible.
> ----- End forwarded message -----
>
> What I guess this implies is that we are being asked to make the determination
> of which hosts within the department are "official".
>
> "Officially", anyone in my department can run their own mailserver,
> with the proviso it is not causing an operational issue, et alii ad nauseam.
> Several research groups "manage" (I know, I use the term loosely) their
> own mailservers.
>
> What this request for information implies is that at some point, CalMail will
> be blocking mail from ALL campus hosts not officially on some SNS whitelist
> that lists such IP address as an official mailserver.
>
> Is that the correct assumption?
>
> --
> "No government has the right to decide on the truth of scientific
> principles" - Richard P. Feynman (May 11, 1918 - February 15, 1988)
> -------------------------------------
> Sent via the ucb-security mailing list.
>
-------------------------------------------------------------------------
Sherry M. Rogers University of California, Berkeley
System & Network Security phone (510)642-7157
-------------------------------------------------------------------------
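The triage Sherry describes (rank senders by volume from the central mail-server logs, then exempt the department's official relays so they are not mistaken for infected hosts) as an added example; this is not code from the original post or from SNS, and the log format, IP addresses and threshold are constructed for illustration.

```python
"""Outbreak triage over mail-server logs: rank sending hosts by volume,
exempt the department's official relays, emit block candidates.
Added example; log format, addresses and threshold are constructed."""
from collections import Counter
import re

# Constructed sample of relay log lines (timestamp, connecting client IP, recipients).
SAMPLE_LOG = """\
2004-08-26T09:00:01 client=192.0.2.10 rcpt=1
2004-08-26T09:00:02 client=192.0.2.10 rcpt=3
2004-08-26T09:00:02 client=192.0.2.77 rcpt=1
2004-08-26T09:00:03 client=192.0.2.77 rcpt=1
2004-08-26T09:00:03 client=192.0.2.10 rcpt=2
2004-08-26T09:00:04 client=192.0.2.77 rcpt=1
2004-08-26T09:00:04 client=192.0.2.33 rcpt=1
2004-08-26T09:00:05 client=192.0.2.10 rcpt=4
2004-08-26T09:00:05 client=192.0.2.77 rcpt=1
"""

# Official departmental mail servers reported to SNS (constructed addresses).
OFFICIAL_RELAYS = {"192.0.2.10"}

LINE_RE = re.compile(r"client=(?P<ip>[\d.]+) rcpt=(?P<rcpt>\d+)")


def recipients_by_client(log_text):
    """Sum delivered recipients per connecting client IP."""
    totals = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            totals[m["ip"]] += int(m["rcpt"])
    return totals


def triage(log_text, official, threshold):
    """Split high-volume senders into block candidates and exempted official relays.

    Both lists are returned so an analyst can see which official servers crossed
    the threshold and would have been blocked without the exemption.
    """
    totals = recipients_by_client(log_text)
    hot = {ip: n for ip, n in totals.items() if n >= threshold}
    candidates = sorted(ip for ip in hot if ip not in official)
    exempted = sorted(ip for ip in hot if ip in official)
    return candidates, exempted


if __name__ == "__main__":
    cands, exempt = triage(SAMPLE_LOG, OFFICIAL_RELAYS, threshold=4)
    print("block candidates:", cands)
    print("official relays over threshold (exempt):", exempt)
```

With the sample data the official relay is the heaviest sender, which is exactly the host a volume-only rule would block first.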
------------------------------------------------------------------------
The following was automatically added to this message by the list server:
For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.berkeley.edu/>.
Received on Fri Aug 27 11:06:41 2004
This archive was generated by hypermail 2.1.8 : Fri Aug 27 2004 - 11:06:51 PDT