On Wed, Nov 28, 2007 at 05:14:05PM -0800, Lynda wrote:

> Yeah, no surprise from me. Personally, I don't much care for blacklists.
> I find them a bit heavy handed, and I think they aren't effective.
Well...if I may, let me mumble about a few things. ('Cause it beats going for a run in the sleet. ;-) )

First, nobody would go through the trouble of compiling a blacklist if there weren't motivation for doing so. The fact that so many people have done so (there are 500-1000 public blacklists plus an unknown but likely very much larger number of private ones) indicates that said motivation really does exist. See below for why.

Second, some of them are quite accurate. The Spamhaus "Zen" DNSBL zone, for example, is very good, as are the zones maintained by NJABL and DSBL, and most of the zones run by SORBS. On the other hand, the zones run by APEWS are of poor quality. And "effectiveness" is a hard thing to measure globally because everyone's spam/not-spam mix is different. I'll go so far as to say it's impossible to measure globally, not only because it can't be reduced to a single number or set of numbers, but because part of measuring "effectiveness" has to do with measuring how well it implements policy -- and policies vary widely.

Third, use of blacklists (for blocking, as opposed to for scoring) is one of the most resource-frugal ways to stop spam. After all: why should I expend my bandwidth, my memory, my CPU, etc. accepting the entire body of a mail message and then analyzing it...when it is already known (by virtue of the connecting IP address) that it originates with a spammer? It's not *my* problem to sort whether it's spam or not: if it's from a spammer, then I don't want it, no matter what it is.

Fourth, if an IP address is emitting spam, then at least one of these two things is true:

1. It is broken (e.g., open SMTP relay).
2. It is 0wned by spammers.

I see no reason to accept mail from broken or 0wned systems. It is the responsibility of their caretakers to either (1) fix them or (2) un-0wn them. Those who can't or won't do this are a menace to the rest of the Internet.
(I could say the same thing about IP addresses emitting viruses, or participating in DoS attacks, or other abuse. We're all responsible for making sure that everything we run is not an operational hazard to the rest of the Internet. Or, "don't build it if you can't run it properly".)

Fifth, I suppose I have this view in part because of my views on proper network operation. To illustrate using a header fragment from a spam sample that arrived this morning:

    Received: from adsl-67-126-134-137.dsl.irvnca.pacbell.net (adsl-67-126-134-137.dsl.irvnca.pacbell.net [67.126.134.137])

Whose spam is that? It's Pacbell's. It came from THEIR network, on THEIR watch, and THEY allowed it to get out. Therefore they have responsibility for it. (Oh, I'm not letting the owner of the compromised system off the hook, nor am I letting the spammer off either. They're also responsible.) But were Pacbell staff doing their jobs properly, then I would not have received this, neither would a *lot* of other people, and thus we would not find:

    *.dsl.irvnca.pacbell.net

in quite a few blacklists, because it wouldn't be necessary. But it's there, and it's there because of the long-term incompetence and negligence of Pacbell.

    s/Pacbell/Comcast/
    s/Pacbell/Verizon/
    s/Pacbell/just about every other ISP/

Pacbell has no right to complain about this, of course: it's their own fault. And Pacbell customers impacted by it need to take 100% of their complaints solely to Pacbell, again, because it's Pacbell's fault.

To put it another way: it is everyone's job to control abuse outbound from their operation, or supported by their operation (i.e., DNS provided to spammers, web site hosting for spyware, etc.). Anyone who can't do that simply isn't good enough to operate any portion of the Internet.

Of course, this isn't how things actually work. Apparently my view is an archaic relic of .ARPA days, when "allowing your network to be a problem for others" implied "you will soon have your connection yanked".
So -- because nobody's going to yank Pacbell's, or Verizon's, or Comcast's connection(s) any time soon, one of the few available methods for achieving an equivalent result is pervasive blacklisting. To put it another way, we can't remove them from the Internet, but we can certainly remove the Internet from them, albeit one piece at a time.

The bottom line is that many of the problems we currently face could be mitigated in large part by selectively blacklisting problem hosts/networks and refusing to un-blacklist them until they're fixed. Yes, that's draconian and inflexible, but (a) it works, because it forces the cost of fixing the problem back on the entity responsible for it and (b) nothing else works.

"If you give people the means to hurt you, and they do it, and you take no action except to continue giving them the means to hurt you, and they take no action except to keep hurting you, then one of the ways you can describe the situation is 'it isn't scaling well'."
--- Paul Vixie on NANOG

---Rsk
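The connect-time DNSBL check the post argues for (look up the connecting IP in a zone such as Spamhaus Zen before accepting any message body), as an added example that is not part of the original thread: it pulls the peer address out of the Received: fragment quoted above, builds the reversed-octet query name, and turns the 127.0.0.x answer into a list of sub-lists. The `resolve` callable and the `smtp_policy` decision function are this example's own assumptions, so it can be run against a stub resolver offline.

```python
import ipaddress
import re
import socket
from typing import Callable, List, Optional

# Constructed sample input: the Received: header fragment quoted in the post.
SAMPLE_RECEIVED = ("Received: from adsl-67-126-134-137.dsl.irvnca.pacbell.net "
                   "(adsl-67-126-134-137.dsl.irvnca.pacbell.net [67.126.134.137])")

# Last octet of a Spamhaus Zen answer (127.0.0.x) and the sub-list it denotes.
ZEN_CODES = {2: "SBL", 3: "SBL-CSS", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
             10: "PBL", 11: "PBL"}

def connecting_ip(received: str) -> Optional[str]:
    """Extract the bracketed peer address; that is the only part of a Received:
    line the receiving MTA wrote itself, so it is the part worth trusting."""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received)
    return m.group(1) if m else None

def dnsbl_name(ip: str, zone: str) -> str:
    """DNSBL query name: octets reversed, then the list zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def default_resolver(name: str) -> List[str]:
    """Real lookup; NXDOMAIN (not listed) comes back as an empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def dnsbl_check(ip: str, zone: str = "zen.spamhaus.org",
                resolve: Callable[[str], List[str]] = default_resolver) -> List[str]:
    """Return the sub-lists that list `ip`, or [] if it is not listed.
    Only 127.0.0.0/8 answers are listings; 127.255.255.0/24 is the range
    Spamhaus uses to signal query errors, so it is never treated as a hit."""
    hits = []
    for answer in resolve(dnsbl_name(ip, zone)):
        addr = ipaddress.IPv4Address(answer)
        if addr in ipaddress.IPv4Network("127.255.255.0/24"):
            continue
        if addr in ipaddress.IPv4Network("127.0.0.0/8"):
            hits.append(ZEN_CODES.get(int(addr) & 0xFF, "listed:" + answer))
    return hits

def smtp_policy(ip: str, resolve=default_resolver) -> str:
    """Hypothetical connect-time decision: reject before any DATA is read."""
    return "reject" if dnsbl_check(ip, resolve=resolve) else "accept"
```

With a stub resolver you can exercise every branch without sending a single query to the real zone.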