Getting Ready for the Holidays

Published: 2005-12-23
Last Updated: 2005-12-23 21:26:26 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)
We had a couple reports from readers, who tried to contact abuse departments or notify companies about breached systems, only to receive a "vacation" reply indicating that the systems are on autopilot until sometime next year.

Unless you turn off the systems, they will still need a bit of watching and caring. Do you have someone on call in case the burglar alarm goes off? Make sure you have someone checking the 'abuse' or 'security' mailboxes once a day (at least). You may have them even forwarded to a pager if you can filter the spam.

And while I am on the topic: Make sure you do actually have an 'abuse' and a 'security' alias for all of your domains. There are a number of aliases you should define for each of your domains:

RFC2142 provides a number of references to other RFCs, and suggests the following aliases:
  • postmaster@domain (RFC822). This should exist on all mail servers. You should also have postmaster@IP-Address-of-the-mail-server.
  • usenet@domain (RFC977). I know a lot of people will write to say differently. But I consider usenet dead for all practical purposes. You can probably do without this address.
  • abuse@domain
  • trouble@domain
  • noc@domain
  • security@domain
Take a look at your domain name and IP address whois entries and make sure they are current. For IP addresses, you may just find your ISPs contact info, which is fine as long as they notify you.

Spam to these addresses has become a problem. I don't think there is a great solution, as some of the mail sent to these mail boxes may include copies of spam messages (even if you don't send them, others may impersonate you and you still want to know. Abuse reports are one way you will find out).

I can't find a reference right now  (but I am sure someone will write with the correct RFC for it), but it is commonly suggested to also maintain a '/security' URL on all your websites. This URL should be used to provide contact information for security issues and information about security patches or such for any products you may offer. But this standard, while usefull, is not widely implemented (is it still a 'standard'?).

Last but not least: Have fun this weekend. I think I will run some network cable in my house (already got the big drill, but still need one more Home Depot trip for some conduit). The holiday security guide should be live sometime tomorrow. We got some great input.

0 comment(s)


Diary Archives