This morning I was daydreaming about the time my server got hacked into a couple of years ago. I didn’t notice for a few days, and luckily it was a spammer who wasn’t a genius and left a lot of junk lying around my server for me to figure out what was going on.
It occurred to me that normally only maybe 100 email messages get sent from my server on a given day. If that number skyrockets to 10,000 or 10,000,000, it’s pretty obvious something’s going on. Similarly, if I never log into IRC servers and suddenly I have ten open connections to IRC servers, this is another indication. I think both of these things were true the day my box became a spambot.
I could pretty easily detect this by having a very simple, separate firewall system that monitors how many packets go out on each port each day and reports oddities by emailing or paging me. I guess I could even set up something like this on my server itself, although if the server got hacked into I couldn’t rely on those measures to keep working.
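A minimal version of the per-port daily counter described above, as an added example rather than code from the original post: it aggregates constructed outbound-connection records by day and destination port, compares the current day against the average of prior days, and flags both volume spikes (the mail case) and ports never seen before (the IRC case). The log format, addresses and thresholds are assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed outbound-connection records, one per line: "<day> <dst-ip> <dst-port>".
# day1/day2 are quiet baseline days; day3 has a port-25 burst and new IRC traffic.
SAMPLE_LOG = "\n".join(
    [f"day1 203.0.113.{i} 25" for i in range(5)]
    + ["day1 198.51.100.9 443" for _ in range(3)]
    + [f"day2 203.0.113.{i} 25" for i in range(6)]
    + ["day2 198.51.100.9 443" for _ in range(3)]
    + [f"day3 203.0.113.{i % 200} 25" for i in range(220)]  # mail spike
    + ["day3 198.51.100.9 443" for _ in range(4)]
    + [f"day3 192.0.2.{i} 6667" for i in range(10)]          # IRC, never seen before
)


def parse_log(text):
    """Return {day: Counter({dst_port: outbound_connection_count})}."""
    per_day = defaultdict(Counter)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        day, _dst_ip, port = line.split()
        per_day[day][int(port)] += 1
    return per_day


def find_anomalies(per_day, today, factor=10, min_count=20):
    """Flag ports whose count today exceeds factor * prior daily average
    (and at least min_count, so a handful of packets never alerts), plus
    ports with no traffic on any prior day. Returns (port, count, avg, reason)."""
    history = [per_day[d] for d in sorted(per_day) if d != today]
    if not history:
        return []  # nothing to compare against yet
    alerts = []
    for port, count in sorted(per_day[today].items()):
        prior = [c.get(port, 0) for c in history]
        avg = sum(prior) / len(history)
        if avg == 0:
            alerts.append((port, count, avg, "new port"))
        elif count >= min_count and count > factor * avg:
            alerts.append((port, count, avg, "volume spike"))
    return alerts


if __name__ == "__main__":
    for port, count, avg, reason in find_anomalies(parse_log(SAMPLE_LOG), "day3"):
        print(f"port {port}: {count} connections today vs {avg:.1f}/day before ({reason})")
```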
It struck me that this is a lot of trouble to go to, for just myself. It would be really nice if network providers would start providing this kind of service. They should be monitoring their own network and calling you when they see your server suddenly increase its mail output by 1000x. This should work like the Discover Card fraud prevention services. They call you a couple times a year and say they noticed some strange behavior on your account and want to make sure it’s intentional.
It would make a lot of sense for routers at the edge of the network (if this is the right term for those closest to customers) to have features to provide this kind of analysis and alerting automatically. I think there is a lot of room for network providers to distinguish themselves in this area and compete.