RE: On-going Internet Emergency and Domain Names
[In the message entitled RE: On-going Internet Emergency and Domain Names on Mar 31, 15:26, Matt Ghali writes:] On Sat, 31 Mar 2007, Fergie wrote: So very clever. If you're not part of the solution... etc. I feel so worthless standing next to you, the Solver. Guys. We *all* (everyone reading this) have a role to play in dealing with problems on the Internet. There is *no* one true solution to what amounts to criminal activity - not on the Internet, and not in real life. We, collectively, have enabled a new frontier of civilization. The Internet is ever growing and changing, and we, collectively, need to address problems as they come up. The dominant OS vendor is currently part of the issue, certainly. But if that dominant OS vendor were (insert your favorite UNIX OS vendor), the same problems would exist. We are not fighting technology. We are dealing with very well organized, smart, and well-funded people. We need to focus on solutions that we can deploy, which will address the problems at hand, as we discover them. That means we will deploy things that do not solve underlying problems, but address the symptoms as best we can, to prevent the entire mess from falling down. That means that we must look at short-range solutions to address things in near-real-time, and we need to look at changing the legal system to catch up. We also need to look at the policies which enable people to abuse the systems we have deployed. And we need to look at user education. And fixing the operating systems. And improving infrastructure, so we can deal with 15 Gbps attacks. And... There is no one true solution to this. That means you, as network operators, need to look at what makes sense *today*, and *DEPLOY IT*. Someone else isn't going to solve these issues, and waiting for them is folly. Do what you can, today, to address the problems you know about. Do what you can, today, to protect your users. Do what you can, today, to stop malicious behaviour from leaving your network.
Do what you can, today, to improve your internal organization to ensure that these tasks can be done without a 6 month delay. Please - we all need to work on this together. But we need to do it now. --
Re: adviCe on network security report
[In the message entitled Re: adviCe on network security report on Nov 2, 8:54, J. Oquendo writes:] Out of curiosity (and I doubt many will respond publicly to this) how many people have had success versus failure when dealing with abuse issues. I'm thinking for every answered message sent to abuse (non autoresponder), one will likely see more than 7-10 failures. Failures include an autoresponse, nothing ever done, no response ever returned, a response returned a quarter of a century later... I did a study on this a few years ago. I sent out about 20,000 abuse reports, all by hand, to various networks around the world. They all came from this email address, and were clearly identified as non-robotic, personal messages. There were many bounces. Less than 5% received any response. Less than 1% received any action within 30 days. With apologies to Sean, I know that ISP abuse desks are overworked, and under-empowered. *MANY* of the abuse desks today use spam content filters (!) on their abuse desks, which certainly cut down on the number of spam reports they get! However, this is an unacceptable way to run, in my personal opinion. Part of the problem is scale. The industry has not given ISPs the tools to deal with masses of end user computers. The vast majority of the problems today are compromised end-user computers. Many ISPs are unaware, even at the abuse desk level, of the number of compromised computers on their networks. Some ISPs, the exception rather than the norm, do take an active role in monitoring their networks, and alerting customers to unusual behavior. Typically, this is done with custom applications, usually written in-house. And yes, the company I work for is working on solutions for this. --
Re: adviCe on network security report
[In the message entitled Re: adviCe on network security report on Nov 2, 16:39, Sean Donelan writes:] On Thu, 2 Nov 2006, Dave Rand wrote: I did a study on this a few years ago. I sent out about 20,000 abuse reports, all by hand, to various networks around the world. They all came from this email address, and were clearly identified as non-robotic, personal messages. There were many bounces. Less than 5% received any response. Less than 1% received any action within 30 days. An excellent example of not listening to ISP abuse and security folks, and what kind of results you get by not working with them. As mentioned, this was done a few years ago (2000, if I recall correctly). The idea was to find out what was required, and to deliver a customizable approach. I know every ISP is different. Some won't respond to anything. Others will do everything possible to figure out your complaint. But listening to the ones in the middle, and figuring out how to work with them will probably help improve things above 1%. Because they take so much abuse as part of their normal job, even the most motivated abuse people don't go out of their way to have more people shout "You Suck" at them. On the other hand, I suspect if they believe you can make their jobs easier and not shout at them, they can be very gregarious about what they need. Over the last few years, I have worked with many ISPs. The majority of the problems had little to do with the format/style/volume of abuse complaints, and a lot to do with empowering the abuse desks to take action. "You suck" was not an enabling message :-) And yes, this has made a significant change in how much abuse comes from those ISPs, so working with the ISPs does pay off. Often it is essential to gain upper management's attention, however, so that the abuse desks can be empowered to take action. But the security industry is still just beginning to understand the problems that are faced by an ISP that suddenly gets 40,000 boxes 0wned.
Delivering tools that help them deal with these types of problems should be our focus. Bridging the gap is what is required - it isn't the ISP's fault that the box got owned, but the abuse that comes from that IP address is their responsibility to mitigate as best as reasonably possible. --
Oceanic/RR AS10838
All of the folks I knew at RR seem to have moved on - could someone from Oceanic please contact me off list? --
BCP for Abuse Desk
Of late, I have found many large ISPs that are employing anti-spam filters on their abuse@ addresses. Needless to say, they seem surprised that their customers have any abuse issues involving spam at all :-) I know that there was an Abuse Desk BCP working group started a few years ago. Can anyone give me an update on BCP practices that I can refer ISPs to? --
Re: Proxad? (Was: Drone Armies)
[In the message entitled Re: Proxad? (Was: Drone Armies) on May 16, 18:34, Rich Kulawiec writes:] On Tue, May 16, 2006 at 03:57:20PM -0600, Michael Loftis wrote: Now this is interesting to me, because proxad has been at least as big a pain in my side as far as drones and SPAM sources. [snip] Anyone else seeing the same amount of problems with these guys? Yes. My current list shows 5032 distinct hosts emitting spam from within their network, and that's as measured from a very small test server -- I would imagine that large production servers are seeing a lot more. This places them behind Comcast, Verizon and a couple of others, but still solidly in the top ten. France, in general, has crept up the list of spam-producing countries. The ranking of French ISPs is different, depending on if you consider the volume of spam (weights high-bandwidth ISPs heavier) or number of hosts. By volume of spam, it is:

ISP                  ASN    Share
Proxad               12322  38%
France Telecom       3215   22%
LDCOMNET (cegetel)   15557  17%
NOOS                 6778   6%
Cegetel              8228   5%

By number of hosts, Proxad and France Telecom swap places. The number of hosts, probably compromised, is very, very high on both. I'm seeing about 70,000 hosts used per month on F.T., and about 35,000 per month on Proxad, but the aggregated number of compromised hosts is much higher. --
Re: Schneier: ISPs should bear security burden
[In the message entitled Re: Schneier: ISPs should bear security burden on May 1, 12:25, Jay R. Ashworth writes:] Ok, so here's a question for you, Dave: do you have a procedure for entertaining requests to be excluded from your replies from people with legitimate needs to operate MTAs, who have been given (let us say) static addresses by their providers which fall within a range you understand to be dialup? (I'm assuming you include cable and DSL end-user address pools; this is the sort of thing I'm asking about.) Of course, Jay. First off, static addresses don't belong on the DUL (unless the ISP chooses to list them). Second, any address can be removed by the ISP (even if it is a /32 in the middle of an otherwise all dynamic /16). End-users are directed to have their ISP contact us, as we *do not* take the end-user's word for it. A quick note to [EMAIL PROTECTED] will get it handled. --
Re: Schneier: ISPs should bear security burden
[In the message entitled Re: Schneier: ISPs should bear security burden on Apr 28, 10:20, Steve Sobol writes:] There are some basic rules of thumb you can use. The problem is that they're not guaranteed to work. The best solution was created years ago (Gordon Fecyk's DUL, which lists IP ranges the ISPs specifically register as dynamic/not supposed to host servers) and eventually came under the purview of Kelkea/MAPS, but there wasn't a ton of ISP buy-in. If we could create a similar list and actually get ISPs to register the appropriate netblocks (and not mix in IPs where servers are allowed, and IPs where they aren't, in the same block), that'd be great. Dunno what a ton of ISP buy-in is, but the MAPS DUL now contains about 190,000,000 entries. We've been working on it very hard for the last year or two. Most ISP-level subscribers figure it stops a pretty large percentage of the compromised-home-computer spam. --
Re: Schneier: ISPs should bear security burden
[In the message entitled Re: Schneier: ISPs should bear security burden on Apr 29, 17:23, Steven J. Sobol writes:] On Fri, 29 Apr 2005, Dave Rand wrote: Dunno what a ton of ISP buy-in is, but the MAPS DUL now contains about 190,000,000 entries. We've been working on it very hard for the last year or two. Most ISP-level subscribers figure it stops a pretty large percentage of the compromised-home-computer spam. Well, that's it then: for the last year or two - I don't recall a lot of entries being on the DUL in its original incarnation. (Not for lack of trying.) I'm sure there was more than one reason that it was not as large as it is today. Regardless, it's here, it's effective, and it is very widely used. --
RE: Schneier: ISPs should bear security burden
[In the message entitled RE: Schneier: ISPs should bear security burden on Apr 29, 15:32, Miller, Mark writes:] Unfortunately, a lot of static business DSL IP space is still on those lists and legitimate mail servers can get blocked. I usually use the DUL as a white list to negate hits on the traditional dnsbls since those are almost always stale. We have worked very hard with the ISPs to ensure that legitimate static space isn't on the lists. We also do extensive amounts of work to ensure that isn't the case. You may be thinking of some other list, not the DUL. --
Re: Port 25 - Blacklash
[In the message entitled Re: Port 25 - Blacklash on Apr 26, 16:30, [EMAIL PROTECTED] writes:] Comcast.net has 31,923 addresses listed at the moment. Do they have 30,000 zombies, or 30,000 customers that post to popular mailing lists? Quite possibly at least partly the latter, as 24.22.118.199 ranks a 3.0 and isn't (as far as I know) a spam zombie, but a frequent poster to the linux-kernel list. Meanwhile, of those 31,923, only 1,969 have a monthly magnitude of 4.7 or more, the 4.8 cutoff is at 1,567, and the last 4.9 is at 1,012. And that 4.9 is (roughly) twice as much as I generate... They have approximately 40,000 zombies (as measured over all of their ASNs, from 01-JAN to yesterday). Total 277646 7207 1731415 36396 --
Re: Port 25 - Blacklash
[In the message entitled Re: Port 25 - Blacklash on Apr 26, 17:50, Daniel Golding writes:] Do all of Comcast's markets block port 25? Is there a correlation between spam volume and the ones that do (or don't)? No. Yes. The ones that don't block port 25 emit more spam than the ones that do. In any event the malware is already ahead of port 25 blocking and is leveraging ISP smarthosting. SMTP-Auth is the pill to ease this pain. Correct. And/or rate limiting, by understanding which customers are using which IP addresses (more or less tying the networking infrastructure to the email infrastructure, which is something that many ISPs are not yet doing). --
Re: botted hosts
[In the message entitled Re: botted hosts on Apr 4, 1:10, Sean Donelan writes:] On Sun, 3 Apr 2005, Dave Rand wrote: The Kelkea (what used to be MAPS) DUL, with more than 150 million entries in it stopped about 41% of the spam last month. The QIL, a new product, stopped about 55%, with the remainder being stopped by the RBL, OPS and RSS. A view of this from a different perspective (an unrelated ISP) is available at http://status.hiwaay.net/spam.html That means that if just the ISPs that we have identified as having dynamically assigned addresses were to install port 25 blocking, more than 1/3 of the spam would vanish. Why does anyone accept SMTP connections from known dynamically assigned addresses? DUL, QIL, etc should drop all those connections on the floor. If everyone was using DUL, QIL, etc, why do they still complain about getting spam from dynamically assigned addresses? If mail admins were to install DUL lists Does port 25 blocking actually make a difference? Any public data from before and after? Or does it just annoy people, cause problems and not fix anything? I would not complain, mind you - having more customers is good for my business. But why do you think it is right to shift the burden on the recipient to block access, when it could be done at the source. Yes, it means that the people getting the cash from the customer would have to actually support said customer by making it non-annoying for them. Blocking port 25 has been a good idea for 8 years. Many ISPs have already done it (some better than others), and it absolutely does fix things. --
Re: botted hosts
[In the message entitled botted hosts on Apr 3, 19:13, Petri Helenius writes:] I run some summaries about spam-sources by country, AS and containing BGP route. These are from a smallish set of servers whole March aggregated. Percentage indicates incidents out of total. Conclusion is that blocking 25 inbound from a handful of prefixes would stop 10% of spam. This would be correct. In the bigger perspective, blocking port 25 on all ISP's consumer circuits would currently stop over 99% of the spam. Yes, spammers would adjust to this over time. It is still a great idea to block port 25 by default, and unblock it on customer request. The problem has always been that ISPs do not see any tangible benefit to stopping spam *leaving* their networks. Even the largest networks, some who complain that if only other networks would stop their spam, have serious, and long term spam leaving their networks. From my (limited) view of the world, involving only about 200 Million spams that I logged last month (down from 230M in February), here's what I see:

Logged Spam by country:

Percent  Country
24.64    REPUBLIC OF KOREA
21.96    UNITED STATES
15.45    CHINA
4.21     CANADA
4.02     FRANCE
3.38     SPAIN
3.33     JAPAN
2.03     BRAZIL
1.52     UNITED KINGDOM
1.48     ITALY

The Kelkea (what used to be MAPS) DUL, with more than 150 million entries in it stopped about 41% of the spam last month. The QIL, a new product, stopped about 55%, with the remainder being stopped by the RBL, OPS and RSS. A view of this from a different perspective (an unrelated ISP) is available at http://status.hiwaay.net/spam.html That means that if just the ISPs that we have identified as having dynamically assigned addresses were to install port 25 blocking, more than 1/3 of the spam would vanish. Compromised computers are a large problem today. Before that, it was open proxies. Before that it was open relays. Before that it was stolen ISP accounts...

From the ISP perspective, here's what I see:

Percent  ASN    Name
10.80    4766   KIXS-AS-KR Korea Telecom
6.24     4134   CHINANET-BACKBONE No.31,Jin-rong Street
4.08     9318   HANARO-AS HANARO Telecom
3.62     4812   CHINANET-SH-AP China Telecom (Group)
2.00     5690   VIANET-NO - Via Computer and Communications (ViaNet)
1.99     4837   CHINA169-BACKBONE CNCGROUP China169 Backbone
1.97     7132   SBIS-AS - SBC Internet Services
1.73     6478   ATT-INTERNET3 - ATT WorldNet Services
1.63     9277   THRUNET-AS-KR THRUNET
1.38     12322  PROXAD AS for Proxad ISP

In summary, yes, blocking port 25 from a handful of prefixes would in fact block more than 10% of the spam now being received. The bigger issue is getting the ISPs to see that they in fact have a problem, and they need to work on it. As always, I have details available for any time period, for any ISP that cares. I can extract details by address range, ASN, or pretty much anything else you want. --
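The receiving-side check the two "botted hosts" messages argue for (drop inbound port 25 connections from addresses a DUL-style list marks as dynamic, while honouring a static /32 the ISP has had exempted, as described in the Schneier thread) written out as an added example; this is not code from the thread or from MAPS/Kelkea. The zone name dul.example.invalid, the documentation-range addresses and the in-memory resolver are constructed so the block runs offline; a real deployment would replace sample_resolve with a DNS A lookup.

```python
"""DUL-style DNSBL check for an inbound SMTP connection (constructed example).

DNSBL convention: the connecting IPv4 address is reversed octet-wise and
looked up under the list's zone; an A record inside 127.0.0.0/8 means
"listed", NXDOMAIN means "not listed".
"""
import ipaddress
from typing import Callable, Dict, Optional, Set

# Placeholder zone name; real list zones differ.
DUL_ZONE = "dul.example.invalid"

# Constructed stand-in for DNS, keyed by query name. Only listed names exist.
SAMPLE_ZONE: Dict[str, str] = {
    "10.2.0.192." + DUL_ZONE: "127.0.0.2",     # 192.0.2.10 listed as dynamic
    "77.113.0.203." + DUL_ZONE: "127.0.0.2",   # 203.0.113.77 listed as dynamic
}


def sample_resolve(name: str) -> Optional[str]:
    """Return the A record for name, or None for NXDOMAIN (offline stand-in)."""
    return SAMPLE_ZONE.get(name)


def dnsbl_query_name(ip: str, zone: str = DUL_ZONE) -> str:
    """Build the reversed-octet query name, e.g. 1.2.0.192.<zone> for 192.0.2.1."""
    addr = ipaddress.IPv4Address(ip)          # rejects malformed input early
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip: str, resolve: Callable[[str], Optional[str]],
              zone: str = DUL_ZONE) -> bool:
    """True if the list answers with an address in 127.0.0.0/8."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def smtp_connect_policy(ip: str, static_exemptions: Set[str],
                        resolve: Callable[[str], Optional[str]] = sample_resolve) -> str:
    """Decide what to do with an inbound port-25 connection from ip.

    static_exemptions is a local model (an assumption of this example) of the
    ISP-confirmed static hosts that should be accepted even when they sit
    inside an otherwise dynamic block; it is consulted before the list.
    """
    if ip in static_exemptions:
        return "accept"
    if is_listed(ip, resolve):
        return "reject"   # dynamically assigned source: drop the connection
    return "accept"


if __name__ == "__main__":
    exemptions = {"203.0.113.77"}   # ISP confirmed this /32 is static
    for src in ("192.0.2.10", "203.0.113.77", "198.51.100.5"):
        print(src, smtp_connect_policy(src, exemptions))
```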
Re: BGP list of phishing sites?
[In the message entitled Re: BGP list of phishing sites? on Jun 28, 18:43, Simon Lockhart writes:] On Mon Jun 28, 2004 at 04:47:21PM +, Paul Vixie wrote: if it's easier for you to BGP-blackhole these bad sources and the only reason you don't is because you think it would be unfair, then you're part of the problem and you're helping to make the problem worse. It's wholly unfair to the innocent parties affected by the blacklisting. i.e. the collateral damage. Say a phishing site is hosted by geocities. Should geocities IP addresses be added to the blacklist? None of this would be an issue, if abuse desks were:

1. Responsive
2. Responsible
3. Empowered
4. Accountable

Today, they are none of the above. If any of you out there think that isn't the case with your network, please let me know. I'll be happy to provide you with the spam from your network over the last 24 hours (or 24 days, or 24 months, or whatever other period you like). Blackholing is simply a way to draw immediate, and unmistakable attention to a problem, instead of sweeping it under the carpet. The problem is going to get worse before it gets better, much as it pains me to say that. Let's look at ways that it can be made better. A BGP feed, or other real time distribution method, can be used to let your abuse desk know that there is a problem, and to address it faster. It can be abused for this purpose as well, so it's important for *whatever* method is used to be run by responsible, accountable people. Think about it. Please. --