On Wed, Nov 28, 2007 at 05:14:05PM -0800, Lynda wrote:
> Yeah, no surprise from me. Personally, I don't much care for blacklists. 
> I find them a bit heavy handed, and I think they aren't effective. 

Well...if I may, let me mumble about a few things.  ('Cause it beats
going for a run in the sleet. ;-) )

First, nobody would go through the trouble of compiling a blacklist
if there weren't motivation for doing so.  The fact that so many people
have done so (there are 500-1000 public blacklists plus an unknown but
likely very much larger number of private ones) indicates that said
motivation really does exist.  See below for why.

Second, some of them are quite accurate.  The Spamhaus "Zen" DNSBL
zone, for example, is very good, as are the zones maintained by NJABL
and DSBL, and most of the zones run by SORBS.  On the other hand,
the zones run by APEWS are of poor quality.   And "effectiveness" is a
hard thing to measure globally because everyone's spam/not-spam mix
is different.  I'll go so far as to say it's impossible to measure
globally, not only because it can't be reduced to a single number or set
of numbers, but because part of measuring "effectiveness" has to
do with measuring how well it implements policy -- and policies
vary widely.

Third, use of blacklists (for blocking, as opposed to for scoring) is
one of the most resource-frugal ways to stop spam.  After all: why should
I expend my bandwidth, my memory, my CPU, etc. accepting the entire body
of a mail message and then analyzing it...when it is already known
(by virtue of the connecting IP address) that it originates with
a spammer?  It's not *my* problem to sort whether it's spam or not:
if it's from a spammer, then I don't want it, no matter what it is.

Fourth, if an IP address is emitting spam, then at least one of these
two things is true:

        1. It is broken (e.g., open SMTP relay).
        2. It is 0wned by spammers.

I see no reason to accept mail from broken or 0wned systems.  It is
the responsibility of their caretakers to either (1) fix them or
(2) un-0wn them.  Those who can't or won't do this are a menace to the
rest of the Internet.  (I could say the same thing about IP addresses
emitting viruses, or participating in DoS attacks, or other abuse.
We're all responsible for making sure that everything we run is not
an operational hazard to the rest of the Internet.  Or, "don't build
it if you can't run it properly".)

Fifth, I suppose I have this view in part because of my views on
proper network operation.  To illustrate using a header fragment
from a spam sample that arrived this morning:

        Received: from adsl-67-126-134-137.dsl.irvnca.pacbell.net
                (adsl-67-126-134-137.dsl.irvnca.pacbell.net [67.126.134.137])

Whose spam is that?  It's Pacbell's.  It came from THEIR network,
on THEIR watch, and THEY allowed it to get out.  Therefore they
have responsibility for it.  (Oh, I'm not letting the owner of
the compromised system off the hook, nor am I letting the spammer
off either.  They're also responsible.)   But were Pacbell staff
doing their jobs properly, then I would not have received this, neither
would a *lot* of other people, and thus we would not find:

        *.dsl.irvnca.pacbell.net

in quite a few blacklists, because it wouldn't be necessary.  But it's
there, and it's there because of the long-term incompetence and
negligence of Pacbell.

        s/Pacbell/Comcast/
        s/Pacbell/Verizon/
        s/Pacbell/just about every other ISP/

Pacbell has no right to complain about this, of course: it's their
own fault.  And Pacbell customers impacted by it need to take 100% of
their complaints solely to Pacbell, again, because it's Pacbell's fault.

To put it another way: it is everyone's job to control abuse outbound
from their operation, or supported by their operation (i.e., DNS provided
to spammers, web site hosting for spyware, etc.).  Anyone who can't
do that simply isn't good enough to operate any portion of the Internet.

Of course, this isn't how things actually work.  Apparently my view is
an archaic relic of .ARPA days, when "allowing your network to be a
problem for others" implied "you will soon have your connection yanked".
So -- because nobody's going to yank Pacbell's, or Verizon's, or Comcast's
connection(s) any time soon, one of the few available methods for achieving
an equivalent result is pervasive blacklisting.  To put it another 
way, we can't remove them from the Internet, but we can certainly
remove the Internet from them, albeit one piece at a time.

The bottom line is that many of the problems we currently face could be
mitigated in large part by selectively blacklisting problem hosts/networks
and refusing to un-blacklist them until they're fixed.  Yes, that's
draconian and inflexible, but (a) it works, because it forces the cost
of fixing the problem back on the entity responsible for it and
(b) nothing else works.

        "If you give people the means to hurt you, and they do it, and
        you take no action except to continue giving them the means to
        hurt you, and they take no action except to keep hurting you,
        then one of the ways you can describe the situation is "it isn't
        scaling well"."
                --- Paul Vixie on NANOG

---Rsk
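The post's third and fifth points together describe the mechanism a receiving MTA uses: take the literal IP address the connection arrived from (the bracketed address an MTA records in its own Received header, not the forward-resolvable name), reverse its octets, look that name up in a DNSBL zone such as Spamhaus Zen, and reject at SMTP connect time before spending any resources on the message body. The following is an added example, not part of the original message or of any MTA's code, that implements that flow in Python. The return-code table reflects Spamhaus's documented Zen 127.0.0.x codes; the `constructed_resolver` answers, the listing of 67.126.134.137 in it, and the Postfix-style 554 wording are constructed for illustration, and `live_resolver` is only used if you choose to call it (it needs network access).

```python
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional

# Documented Spamhaus Zen return codes (A records in 127.0.0.0/8). Other
# zones use their own code meanings; consult each list's documentation.
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL: direct spam source",
    "127.0.0.3": "SBL CSS: snowshoe / compromised sender",
    "127.0.0.4": "XBL: exploited host (open proxy, 0wned box)",
    "127.0.0.5": "XBL: exploited host",
    "127.0.0.6": "XBL: exploited host",
    "127.0.0.7": "XBL: exploited host",
    "127.0.0.10": "PBL: end-user space that should not send direct mail",
    "127.0.0.11": "PBL: end-user space that should not send direct mail",
}

# Header fragment quoted in the post; the bracketed literal is what the MTA
# itself observed on the TCP connection, so that is what gets looked up.
SAMPLE_RECEIVED = (
    "Received: from adsl-67-126-134-137.dsl.irvnca.pacbell.net\n"
    "        (adsl-67-126-134-137.dsl.irvnca.pacbell.net [67.126.134.137])"
)


def connecting_ip_from_received(header: str) -> Optional[str]:
    """Extract the bracketed IPv4 literal recorded by the receiving MTA."""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", header)
    return m.group(1) if m else None


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL name: IPv4 octets reversed, or IPv6 nibbles reversed."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


Resolver = Callable[[str], List[str]]

# Constructed answers for offline use; these are NOT real DNSBL results.
CONSTRUCTED_ANSWERS: Dict[str, List[str]] = {
    "137.134.126.67.zen.spamhaus.org": ["127.0.0.4", "127.0.0.10"],
    "1.2.0.192.zen.spamhaus.org": ["203.0.113.5"],  # simulated hijacked lookup
}


def constructed_resolver(name: str) -> List[str]:
    return CONSTRUCTED_ANSWERS.get(name, [])


def live_resolver(name: str) -> List[str]:
    """Real lookup via the system resolver; NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def dnsbl_verdict(ip: str, zone: str, resolve: Resolver,
                  codes: Dict[str, str] = ZEN_CODES) -> dict:
    """Classify a connecting IP. Any answer outside 127.0.0.0/8 is treated as a
    broken lookup (e.g. NXDOMAIN rewriting by a resolver), never as a listing."""
    answers = resolve(dnsbl_query_name(ip, zone))
    if not answers:
        return {"listed": False, "reason": "not listed"}
    loopback = ipaddress.ip_network("127.0.0.0/8")
    odd = [a for a in answers if ipaddress.ip_address(a) not in loopback]
    if odd:
        return {"listed": False,
                "reason": f"unexpected answer {odd}; treat as lookup failure"}
    reasons = [codes.get(a, f"unknown code {a}") for a in answers]
    return {"listed": True, "reason": "; ".join(reasons)}


def smtp_connect_decision(ip: str, zone: str, resolve: Resolver) -> str:
    """Decide at connect time, before any DATA is accepted (Postfix-style text)."""
    verdict = dnsbl_verdict(ip, zone, resolve)
    if verdict["listed"]:
        return (f"554 5.7.1 Service unavailable; client host [{ip}] "
                f"blocked using {zone}; {verdict['reason']}")
    return "220 mail.example.org ESMTP"


if __name__ == "__main__":
    ip = connecting_ip_from_received(SAMPLE_RECEIVED)
    print(dnsbl_query_name(ip, "zen.spamhaus.org"))
    print(smtp_connect_decision(ip, "zen.spamhaus.org", constructed_resolver))
```

The design point worth noting is the "unexpected answer" branch: a DNSBL is consulted through ordinary DNS, so a resolver that rewrites NXDOMAIN to an advertising IP, or a zone that has been shut down and wildcarded, will otherwise turn every lookup into a "listed" verdict and block all inbound mail. Checking that answers fall in 127.0.0.0/8 is the cheapest guard against that failure mode.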

_______________________________________________
Nanog-futures mailing list
Nanog-futures@nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog-futures