Botted Hosts tracking, v0.01alpha

2005-04-08 Thread Ejay Hire

Hello.

I have a pre-alpha version of the compromised host tracking system
ready, and I need some guinea pigs.  This is based on my earlier AOL
scomp complaint work.  If you would like to receive a daily HTML summary
email of the "this is spam" complaints for your IP space, please reply.

The report includes IP, subject, and timestamp of the complaint, and is
intended to be used to identify obviously infected hosts, not to respond
to individual complaints.

I'll need to know your IP block, and the address you'd like the report
sent to.  It takes AOL a while to set up the feedback loops, so there may
be more features by the time it actually starts working.

-ejay
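An added example, not Ejay Hire's tracker: a small Python script doing the aggregation the post describes, filtering constructed (IP, subject, timestamp) complaint records to one IP block, summarizing per host per day, rendering the HTML table, and flagging hosts whose complaint count looks like an infected machine rather than one disputed message. The sample records, the block and the threshold are assumptions.

```python
"""Daily per-host summary of feedback-loop "this is spam" complaints.

Added example, not Ejay Hire's tracking system. The complaint records are
constructed; each carries the three fields the post says the report uses:
source IP, Subject header, and complaint timestamp.
"""
import html
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample complaints: (source IP, Subject, complaint time).
SAMPLE_COMPLAINTS = [
    ("203.0.113.17", "Re: your account", "2005-04-08 02:11:09"),
    ("203.0.113.17", "cheap meds", "2005-04-08 02:14:51"),
    ("203.0.113.17", "cheap meds", "2005-04-08 02:19:02"),
    ("203.0.113.17", "<b>Hi</b>", "2005-04-08 03:40:33"),
    ("203.0.113.17", "<b>Hi</b>", "2005-04-08 04:02:18"),
    ("203.0.113.42", "meeting notes", "2005-04-08 09:00:00"),
    ("198.51.100.9", "cheap meds", "2005-04-08 02:30:00"),   # not in our block
    ("203.0.113.17", "cheap meds", "2005-04-07 23:59:59"),   # previous day
]

# Assumed threshold: this many complaints from one host in one day reads as
# an infected machine rather than a single disputed message.
INFECTED_THRESHOLD = 3


def summarize(complaints, block, day):
    """Per-host summary of complaints from `block` (CIDR) on `day` (YYYY-MM-DD).

    Returns {ip: {"count", "subjects", "first", "last"}}; anything outside the
    block or the day is ignored, since the report is per IP space per day."""
    net = ip_network(block)
    per_host = {}
    for ip_text, subject, stamp in complaints:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if ip_address(ip_text) not in net or when.strftime("%Y-%m-%d") != day:
            continue
        entry = per_host.setdefault(ip_text, {
            "count": 0, "subjects": defaultdict(int), "first": when, "last": when})
        entry["count"] += 1
        entry["subjects"][subject] += 1
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)
    return per_host


def likely_infected(summary, threshold=INFECTED_THRESHOLD):
    """Hosts at or above the daily threshold, most-complained-about first."""
    hits = [(ip, e["count"]) for ip, e in summary.items() if e["count"] >= threshold]
    return [ip for ip, _ in sorted(hits, key=lambda h: (-h[1], h[0]))]


def render_html(summary, block, day):
    """Render the summary as the table the daily HTML mail would carry.
    Subjects come from the spam itself, so they are escaped before they
    land in HTML that a mail client will render."""
    rows = []
    for ip in sorted(summary, key=ip_address):
        e = summary[ip]
        subj = ", ".join(f"{html.escape(s)} ({n})"
                         for s, n in sorted(e["subjects"].items()))
        rows.append(f"<tr><td>{ip}</td><td>{e['count']}</td>"
                    f"<td>{e['first']:%H:%M}-{e['last']:%H:%M}</td><td>{subj}</td></tr>")
    return (f"<h1>Complaints for {html.escape(block)} on {html.escape(day)}</h1>\n"
            "<table>\n<tr><th>ip</th><th>complaints</th><th>window</th>"
            "<th>subjects</th></tr>\n" + "\n".join(rows) + "\n</table>")


if __name__ == "__main__":
    s = summarize(SAMPLE_COMPLAINTS, "203.0.113.0/24", "2005-04-08")
    print(render_html(s, "203.0.113.0/24", "2005-04-08"))
    print("likely infected:", likely_infected(s))
```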






RE: botted hosts

2005-04-07 Thread Ejay Hire

I will build this if there is interest and it doesn't exist
elsewhere.  Is there a need for a centralized repository of
this information?  (I know about dshield, but without a way
to aggregate the data it's not altogether useful.)

-ejay

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Petri Helenius
> Sent: Monday, April 04, 2005 1:45 PM
> To: Peter Corlett
> Cc: [EMAIL PROTECTED]
> Subject: Re: botted hosts
>
> Peter Corlett wrote:
>
>> A side-effect of the greylisting and other mail checks is that I've
>> got a lovely list of compromised hosts. Is there any way I can
>> usefully share these with the community?
>
> Set up a website where one can input a route and can see
> hosts covered with it?
>
> Pete



Re: botted hosts

2005-04-05 Thread Simon Waters

On Monday 04 Apr 2005 9:56 pm, Sam Hayes Merritt, III wrote:
>
> AOL blocks outbound 25.

In the UK they proxy outbound port 25, some of the time.

Blocking it would be far simpler for us, but I suspect create more support 
calls.


Re: botted hosts

2005-04-05 Thread Simon Waters

On Monday 04 Apr 2005 11:06 am, Sean Donelan wrote:
>
> Although Microsoft probably did more to create the problem than
> anyone else, they finally have stepped up to the plate.  In the last
> year they have been more successful than anyone else at fixing their
> piece of the problem.

Like anyone else was going to fix Microsoft software?

> XP SP2 reduced the brand-new computer zombie problem.

Alas, a couple of weeks back local firms were still shipping SP1-patched XP boxes,
sigh.


Re: botted hosts

2005-04-05 Thread Tony Finch

On Mon, 4 Apr 2005, Dean Anderson wrote:

> Err, not likely. SPF came out, and now bots can find the ISPs closed
> relays with very little trouble at all.

AFAIK bots use the MX of a parent domain of the infected machine's
hostname to find an outgoing relay, not SPF. This is based on an
incident I dealt with in September, and the Spamhaus article
http://www.spamhaus.org/news.lasso?article=158
Fortunately it isn't too hard to lock down MXs to incoming only.

Tony.
-- 
f.a.n.finch  [EMAIL PROTECTED]  http://dotat.at/
BISCAY: WEST 5 OR 6 BECOMING VARIABLE 3 OR 4. SHOWERS AT FIRST. MODERATE OR
GOOD.


Re: botted hosts

2005-04-05 Thread Suresh Ramasubramanian

On Apr 5, 2005 3:33 PM, Tony Finch [EMAIL PROTECTED] wrote:
>
> AFAIK bots use the MX of a parent domain of the infected machine's
> hostname to find an outgoing relay, not SPF. This is based on an
> incident I dealt with in September, and the Spamhaus article
> http://www.spamhaus.org/news.lasso?article=158
> Fortunately it isn't too hard to lock down MXs to incoming only.

Some bots do that. Others just grab the smtp server (and AUTH settings
if any) from your MUA - easier if its Outlook / OE - and send using
that smarthost.

Just that when you have SMTP AUTH usernames in your logs, and virus
sign, it is quite easy to locate and lock down that user, or maybe use
your radius server to drop his login session, then restrict his next
login to a walled garden VLAN, or maybe cut it off altogether till the
issue is fixed.

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])


Re: botted hosts

2005-04-05 Thread Tony Finch

On Tue, 5 Apr 2005, Suresh Ramasubramanian wrote:

> Others just grab the smtp server (and AUTH settings if any) from your
> MUA - easier if its Outlook / OE - and send using that smarthost.

Has that actually been observed in the wild?

Tony.


Re: botted hosts

2005-04-05 Thread Suresh Ramasubramanian

On Apr 5, 2005 5:56 PM, Tony Finch [EMAIL PROTECTED] wrote:
> On Tue, 5 Apr 2005, Suresh Ramasubramanian wrote:
>
>> Others just grab the smtp server (and AUTH settings if any) from your
>> MUA - easier if its Outlook / OE - and send using that smarthost.
>
> Has that actually been observed in the wild?

We (Outblaze) have been seeing this for over a year now.  Carl Hutzler
at AOL has posted in various lists about having seen it for rather
longer than that.

I think it also hit The Register after they interviewed someone at Spamhaus.

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])


Re: botted hosts

2005-04-05 Thread Charles Cala


--- Tony Finch [EMAIL PROTECTED] wrote:
>
> On Tue, 5 Apr 2005, Suresh Ramasubramanian wrote:
>
>> Others just grab the smtp server (and AUTH settings if any) from your
>> MUA - easier if its Outlook / OE - and send using that smarthost.
>
> Has that actually been observed in the wild?

yes

-charles

http://www.bullguard.com/antivirus/vit_bugbear_b.aspx
(and others)


Re: botted hosts

2005-04-05 Thread Petri Helenius
Florian Weimer wrote:
> * Suresh Ramasubramanian:
>
>> Find them, isolate them into what some providers call a walled
>> garden - vlan them into their own segment from where all they can
>> access are antivirus / service pack downloads
>
> Service pack downloads?  Do you expect ISPs to pirate Windows (or
> large parts thereof)?  Or has Microsoft finally seen the light?

Walled garden is a term to describe selective external availability. 
This does not violate the usual download license conditions because no 
copy is made or stored at any time. The ISP can choose which external 
services are made available to the infected parties.

Pete


Re: botted hosts

2005-04-05 Thread Dean Anderson

On Mon, 4 Apr 2005 [EMAIL PROTECTED] wrote:

> The problem arises when you are trying to push signal (spam) to a
> non-cooperating recipient. I've seen spam that's so obfuscated that it's
> unclear whether it's trying to sell me a R00leckss or medications.  At
> that point, it may be able to pass under the effective-bandwidth filter
> of your covert channel.

You are making the assumption that spam means to sell something. Spam
includes mailbombing, in which the purpose is not commercial at all, but
rather purely for annoyance. (There may be secondary commercial purposes,
i.e., to annoy users at a certain ISP to harm its business, but we can't
discover that purpose by looking at a single message.)

The terribly obfuscated spams never seem to be genuinely commercial. But
it's hard to count*.

The confluence of CAN-SPAM and rapid early genuine spammer adoption of SPF
records has revealed some interesting things about how much spam is
genuinely commercial and how much is annoyance. It gave us a way to label
commercial spam in an easily countable way.  The numbers suggested that
only about 6% of spam was genuinely commercial. And so leaving the other
94% as non-commercial garbage of one kind or another*.

[See Malicious Cryptography: Exposing Cryptovirology by Adam Young et al.  
Unintelligible spam-like messages may be parts of an encrypted message
sent to a mix-net]

> If you hide the spam in a steganographic message inside a .JPG of a giraffe,
> it will almost certainly make it to the mailbox.  But at that point, the
> user is left looking at a picture of a giraffe..

And on the giraffe, the spots spell out a message that is immediately
recognizable to a human. Sort of just like those crawler-thwarting image
authenticators do now.  Partly, this example is a deviation from info
theory. The giraffe example is just reliant on the fact that machines
aren't as good as a human at these sort of recognition tasks. If machines
were, we'd have other problems, but unwanted messages would still be one
of them. Info theory is much deeper.

--Dean

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 344 9000   





Re: botted hosts

2005-04-05 Thread Dean Anderson

On Mon, 4 Apr 2005, Sam Hayes Merritt, III wrote:

>> Unblocking on customer request is an expensive operation, for both the
>> ISP and the customer.
>
>> And they frequently assume that network operations changes are
>> free---Comcast reported that it would cost $58 million to implement port
>> 25 blocking and notify customers, just for Comcast.
>
> Anyone can come up with a number to convince themselves that they don't
> need to do the 'right thing'. Comcast is probably using Docsis. Docsis
> makes applying filters on a per user basis pretty darn easy.

That's not the only thing they have to do. They have to (probably)
1) change the user service agreements
2) notify users of upcoming change several times
3) alter docsis on networks in hundreds of cities.
4) Staff additional support to handle calls.
5) lose business because many people want to send email to the 
server of their choice.

> AOL blocks outbound 25.

They've said this for many years, but I have hundreds of AOL addresses
that have tried to abuse our relays. Maybe they do in some places, but not
everywhere.

Aug  6  2003   172.155.12.106  Trace 1638

This sort of attempted open relay abuse stopped only after the open relay
blacklists shutdown in late 2003.  

Indeed, after about a year of complete quiet, abuse just started up again
about mid March, but not as strong as before:  Very few hosts, very few
nets.  Pretty lame, really, in comparison with the old days.  All from
Korea, and China targeting Korean ISPs, and one from Uruguay targeting
Uruguayan ISP.  Pretty definitely mailbombing by some open relay zealots
or script kiddies, who probably pass themselves off as anti-spammers.

It was interesting because I first got wind when some bounces were
received from a Korean open relay. I got them because they were forged av8
from: addresses. Possibly, av8 was the target. Now who would target av8
with mailbombing?

--Dean

Re: botted hosts

2005-04-05 Thread Dean Anderson

On Tue, 5 Apr 2005, Tony Finch wrote:

> On Mon, 4 Apr 2005, Dean Anderson wrote:
>
>> Err, not likely. SPF came out, and now bots can find the ISPs closed
>> relays with very little trouble at all.
>
> AFAIK bots use the MX of a parent domain of the infected machine's
> hostname to find an outgoing relay, not SPF. This is based on an
> incident I dealt with in September, and the Spamhaus article
> http://www.spamhaus.org/news.lasso?article=158
> Fortunately it isn't too hard to lock down MXs to incoming only.

Yes. Many ISPs have MXs incoming only for reasons besides spam.

But SPF identifies _outgoing_ mailservers. Just what a bot needs.

--Dean

Re: botted hosts

2005-04-04 Thread Dave Rand

[In the message entitled "Re: botted hosts" on Apr  4,  1:10, Sean Donelan
writes:]
>
> On Sun, 3 Apr 2005, Dave Rand wrote:
>> The Kelkea (what used to be MAPS) DUL, with more than 150 million entries in
>> it stopped about 41% of the spam last month.  The QIL, a new product, stopped
>> about 55%, with the remainder being stopped by the RBL, OPS and RSS.  A view
>> of this from a different perspective (an unrelated ISP) is available at
>> http://status.hiwaay.net/spam.html
>>
>> That means that if just the ISPs that we have identified as having
>> dynamically assigned addresses were to install port 25 blocking, more than
>> 1/3 of the spam would vanish.
>
> Why does anyone accept SMTP connections from known dynamically assigned
> addresses?  DUL, QIL, etc should drop all those connections on the floor.
> If everyone was using DUL, QIL, etc, why do they still complain about
> getting spam from dynamically assigned addresses?  If mail admins were to
> install DUL lists
>
> Does port 25 blocking actually make a difference?  Any public data from
> before and after?  Or does it just annoy people, cause problems and not
> fix anything?

I would not complain, mind you - having more customers is good for my
business.

But why do you think it is right to shift the burden on the recipient to
block access, when it could be done at the source.  Yes, it means that
the people getting the cash from the customer would have to actually support
said customer by making it non-annoying for them.

Blocking port 25 has been a good idea for 8 years.  Many ISPs have already
done it (some better than others), and it absolutely does fix things.



Re: botted hosts

2005-04-04 Thread Sean Donelan

On Mon, 4 Apr 2005, Suresh Ramasubramanian wrote:
> That said, Joe St.Sauver put it fairly well in his presentation at
> maawg san diego, when he said it is cough sirup for lung cancer, and
> what you need along with the cough sirup of port 25 filtering, is some
> stronger measures to locate and take down botted hosts, which of
> course can be used for nastier things (DDoS botnets for example) as
> well, things that do just fine without port 25.

Yep. I've been saying that for several years, and then immediately get shouted
down.  A secure computer doesn't spam, spy, ddos, attack, zombie, bot or
any of the other awful things.  A compromised computer can do all that
and more.

Locating bots is relatively easy.  If you think that is the hard part, you
don't understand the problem.

Unfortunately, researchers haven't come up with a better way to fix
compromised machines without destroying the innocent victims' work.
Several grad students have told me they consider coming up with better
ways to recover a compromised computer too hard of a problem for their
thesis.  Many people prefer to keep using a compromised computer rather
than attempt to fix it.  And as anyone with a relative and a computer
knows, if you ever help someone with a compromised computer, everything
that ever goes wrong with the computer in the future becomes your fault.

So how do you encourage people to fix their computers, without the press
writing lots of stories about evil ISPs cutting off service to grandmothers
on social security looking at pictures of their grandchildren?

There are at least 20 million and probably more compromised computers on
the Internet.  Who has a plan to fix them?



Re: botted hosts

2005-04-04 Thread Peter Corlett

Suresh Ramasubramanian [EMAIL PROTECTED] wrote:
[...]
> Neither DUL, nor SORBS DUHL, nor the several other lesser known
> variants can claim to do even a fraction of a perfect job - and
> providers who do stuff like happily mix static IP and dynamic IP
> netblocks, maintain vague or inconstant rDNS or even no rDNS at all
> for these, etc don't help at all, leading to the usual funny
> situation of someone's static IP dsl getting blocked as dynamic [but
> that's another story altogether]

I agree that blocking based on any sort of DUL is asking for trouble,
but recent experiments on our customer MXers has shown that applying
greylisting to said hosts works a treat. Personally, I'd apply it
across the board, but customers moan that important mail is being
delayed. Nobody has yet complained that junk from compromised hosts is
being delayed :)

A side-effect of the greylisting and other mail checks is that I've
got a lovely list of compromised hosts. Is there any way I can
usefully share these with the community?

-- 
PGP key ID E85DC776 - finger [EMAIL PROTECTED] for full key


Re: botted hosts

2005-04-04 Thread Alex Bligh

--On 04 April 2005 04:59 -0400 Sean Donelan [EMAIL PROTECTED] wrote:
> I've been saying that for several years, and then immediately get shouted
> down.

Statistically, most anti-spam options (good and bad) have been brought up
many times for several years, and have been shouted down. Why would you
expect your views to be treated any differently? :-)
We now return to the normal program of more heat than light...
Alex


Re: botted hosts

2005-04-04 Thread Sean Donelan

On Mon, 4 Apr 2005, Brad Knowles wrote:
> Microsoft will solve all problems.  You just have to trust them
> and use their DRM and their trustworthy computing initiatives.

DRM isn't about keeping your computer secure.  DRM is about letting other
people install stuff on your computer they control, i.e. wait until DRM
meets Bots (more than it already has).

Although Microsoft probably did more to create the problem than
anyone else, they finally have stepped up to the plate.  In the last
year they have been more successful than anyone else at fixing their
piece of the problem.  XP SP2 reduced the brand-new computer zombie
problem. I think auto-update has helped a bit, but its harder to
quantify.  Microsoft hasn't fixed the click here to install bot problem.

If you can track sources, rather than noise level, the bot graph is
looking better.  Most of the security vendors prefer to publish noise
graphs.  Although the noise level was increasing, the absolute number of
bots has been amazingly constant for the last 12 months. That is good
news because the overall infection rate declined.

Some people are worried it's too quiet and we're due for a big incident
soon.


Re: botted hosts

2005-04-04 Thread Sean Donelan

On Mon, 4 Apr 2005, Dave Rand wrote:
> But why do you think it is right to shift the burden on the recipient to
> block access, when it could be done at the source.  Yes, it means that
> the people getting the cash from the customer would have to actually support
> said customer by making it non-annoying for them.

Do you want an Internet where your provider decides for you, with whom and
when you are allowed to communicate?  Or do you want to decide for yourself
whether to accept or not accept the communication?

There are always at least two customers to the communications.  The
sender and the recipient.  Both the sender and the recipient are paying
someone.  Both sender and recipient providers are getting cash.  And if
you believe your argument, both the sender and receiver are engaged in
cost-shifting.

Blocking the communications a priori also prevents the two parties from
deciding on a call-by-call basis whether or not they want the communications.
If the e-mail is in your bulk mail folder, you can decide what you want.
If the e-mail is blocked by the sender's ISP, you don't have the option
anymore.

A lot of people want to use inexpensive broadband connections, and use
mail servers at their university or company.  For whatever reason, the
university and company mail admins only support port 25.  If the ISP
blocks port 25, the university and company mail admins lose their
choice and have to spend money to upgrade their mail servers to support
port 587 or something else.  So there is lots of cost-shifting.

Do a google search for universities and mail hosting providers that
aren't supporting port 587 and offer to help them update their
mail servers.  When you are finished, then you can advocate ISPs
block port 25.




Re: botted hosts

2005-04-04 Thread Suresh Ramasubramanian

On Apr 4, 2005 2:18 PM, Dave Rand [EMAIL PROTECTED] wrote:
>
> But why do you think it is right to shift the burden on the recipient to
> block access, when it could be done at the source.  Yes, it means that
> the people getting the cash from the customer would have to actually support
> said customer by making it non-annoying for them.

On that point - here's what Carl Hutzler has to say.  Several of you
have read it before on circleid, or on the list where Carl's email was
first posted, but anyway..
http://www.circleid.com/article/917_0_1_0_C/

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])


Re: botted hosts

2005-04-04 Thread Suresh Ramasubramanian

On Apr 4, 2005 2:29 PM, Sean Donelan [EMAIL PROTECTED] wrote:
> Unfortunately, researchers haven't come up with a better way to fix
> compromised machines without destroying the innocent victims' work.

Sad. Then what the man does is to hire someone to take a backup of
everything and go over the backup for virus infections.  Or maybe he
could wait for when the infections in his PC finally ruin it beyond
use for him ..

> So how do you encourage people to fix their computers, without the press
> writing lots of stories about evil ISPs cut off service to grandmothers
> on social security looking at pictures of their grandchildren.
>
> There are at least 20 million and probably more compromised computers on
> the Internet.  Who has a plan to fix them?

Cut them off at any rate.  Symantec's turntide antispam router
(really an IDS + stateful firewall for spam) seems a godawful idea for
inbound mail right now, given the current behavior of proxy trojans,
but I can see where it'd be quite useful on an outbound mail stream
from an ISP's IP space

Find them, isolate them into what some providers call a walled
garden - vlan them into their own segment from where all they can
access are antivirus / service pack downloads and a 1-800 number to
call tech support at their ISP

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])


Re: botted hosts

2005-04-04 Thread Christopher L. Morrow


On Mon, 4 Apr 2005, Dave Rand wrote:


> [In the message entitled "Re: botted hosts" on Apr  4,  1:10, Sean Donelan
> writes:]
>>
>> On Sun, 3 Apr 2005, Dave Rand wrote:
>>
>>> That means that if just the ISPs that we have identified as having
>>> dynamically assigned addresses were to install port 25 blocking, more
>>> than 1/3 of the spam would vanish.
>>
>> Does port 25 blocking actually make a difference?  Any public data from
>> before and after?  Or does it just annoy people, cause problems and not
>> fix anything?
>
> Blocking port 25 has been a good idea for 8 years.  Many ISPs have already
> done it (some better than others), and it absolutely does fix things.

just to be clear, from which 'customer' types are you asking to have
tcp/25 blocked? Dial? DSL? Cable-modem? Dedicated? can your providers go
block tcp/25 from your links today?


Re: botted hosts

2005-04-04 Thread Jay R. Ashworth

On Mon, Apr 04, 2005 at 07:09:51AM -0400, Sean Donelan wrote:
> A lot of people want to use inexpensive broadband connections, and use
> mail servers at their university or company.  For whatever reason, the
> university and company mail admins only support port 25.  If the ISP
> blocks port 25, the university and company mail admins lose their
> choice and have to spend money to upgrade their mail servers to support
> port 587 or something else.  So there is lots of cost-shifting.
>
> Do a google search for universities and mail hosting providers that
> aren't supporting port 587 and offer to help them update their
> mail servers.  When you are finished, then you can advocate ISPs
> block port 25.

With all due respect to Sean and others, could we all please read
"block outgoing traffic from your net to other people's port 25" as
including "except for users who request the block be removed" at all
times?

Yes, I realize that it means you have to approach the block slightly
differently, and that it's slightly more work and money to do it that
way.

But it *does*, does it not, fix most of both sides of the problem, if
you do it that way?

Cheers,
-- jra
-- 
Jay R. Ashworth[EMAIL PROTECTED]
Designer  Baylink RFC 2100
Ashworth  AssociatesThe Things I Think'87 e24
St Petersburg FL USA  http://baylink.pitas.com +1 727 647 1274

  If you can read this... thank a system administrator.  Or two.  --me


Re: botted hosts

2005-04-04 Thread Paul Vixie

[EMAIL PROTECTED] (Sean Donelan) writes:

> Do you want an Internet where your provider decides for you, with whom and
> when you are allowed to communicate?  Or do you want to decide for yourself
> whether to accept or not accept the communication?

i want weak protocols restricted to LANs or at most campuses or ISPs.  that
means UDP/137, UDP/139, and TCP/25 at the moment.  stay tuned, we might be
adding more.  oh and as long as you're considering whether to restrict
things to your LAN/campus/ISP, i'm ready to see rfc1918 filters deployed...

#sfo2b.f:i386# tcpdump -n -c 10 src net \( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 \)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes
16:55:10.349179 IP 172.16.1.2.1063 > 192.5.5.241.53:  5330 [1au] MX? mails.hu. (37)
16:55:10.351035 IP 172.16.8.1.1158 > 192.5.5.241.53:  3130 A? www.consumerinput.com. (39)
16:55:10.351528 IP 172.16.8.1.1158 > 192.5.5.241.53:  5184 A? www.consumerinput.com. (39)
16:55:10.352908 IP 172.16.8.1.1158 > 192.5.5.241.53:  15435 A? www.consumerinput.com. (39)
16:55:10.513272 IP 10.14.0.16.32768 > 192.5.5.241.53:  7623% [1au] A? smtp107.apmailer.com. (49)
16:55:10.609281 IP 10.204.1.19.1075 > 192.5.5.241.53:  8176 [1au] PTR? 25.2.0.192.in-addr.arpa. (52)
16:55:10.669655 IP 192.168.240.250.33753 > 192.5.5.241.53:  29750 A? as.adwave.com.L19212.wflu.com. (47)
16:55:10.750369 IP 10.8.224.32.59429 > 192.5.5.241.53:  44783% [1au] A6? ns.mint.net. (40)
16:55:10.770704 IP 192.168.240.250.33753 > 192.5.5.241.53:  56680 A? img07.allegro.pl. (34)
16:55:10.770709 IP 192.168.240.250.33753 > 192.5.5.241.53:  61108 A? img10.allegro.pl. (34)
10 packets captured

hell, as long as we're making a list of the things sender-side network admins
should filter on their end since they're inappropriate for the wide area,
could we increase the readership of BCP38 (if your hair isn't pointy) and/or
SAC004 (otherwise)?  oh and if 15,000 of your dsl-connected hosts all start
sending one packet per second to the same distant endpoint, please stop them.

senders and sender-isp's have a long list of things they have to do in order
to not be compared to toxic polluters (a term i believe michael rathbun coined
for use in this context, and for which i am thankful.)  don't try to make this
about right-to-communicate or who-gets-to-decide.
-- 
Paul Vixie
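An added example, not Paul Vixie's code: a Python script that re-parses the tcpdump lines from the post above (plus one constructed non-private control packet), reports which RFC 1918 prefix each leaked source falls in and which hosts leak most, and applies the BCP38-style source check the post argues for. The "assigned" prefix used in that check is an assumption.

```python
"""Classify tcpdump source addresses against RFC 1918 space and apply a
BCP38-style source check.

Added example, not Paul Vixie's code or tooling. The packet lines are the
ones from the post; the last line is a constructed control packet from
documentation space. The assigned prefix is an assumption.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Address space that should never appear as a source on the wide-area side.
RFC1918 = [ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

CAPTURE = """\
16:55:10.349179 IP 172.16.1.2.1063 > 192.5.5.241.53:  5330 [1au] MX? mails.hu. (37)
16:55:10.351035 IP 172.16.8.1.1158 > 192.5.5.241.53:  3130 A? www.consumerinput.com. (39)
16:55:10.351528 IP 172.16.8.1.1158 > 192.5.5.241.53:  5184 A? www.consumerinput.com. (39)
16:55:10.352908 IP 172.16.8.1.1158 > 192.5.5.241.53:  15435 A? www.consumerinput.com. (39)
16:55:10.513272 IP 10.14.0.16.32768 > 192.5.5.241.53:  7623% [1au] A? smtp107.apmailer.com. (49)
16:55:10.609281 IP 10.204.1.19.1075 > 192.5.5.241.53:  8176 [1au] PTR? 25.2.0.192.in-addr.arpa. (52)
16:55:10.669655 IP 192.168.240.250.33753 > 192.5.5.241.53:  29750 A? as.adwave.com.L19212.wflu.com. (47)
16:55:10.750369 IP 10.8.224.32.59429 > 192.5.5.241.53:  44783% [1au] A6? ns.mint.net. (40)
16:55:10.770704 IP 192.168.240.250.33753 > 192.5.5.241.53:  56680 A? img07.allegro.pl. (34)
16:55:10.770709 IP 192.168.240.250.33753 > 192.5.5.241.53:  61108 A? img10.allegro.pl. (34)
16:55:11.000000 IP 198.51.100.7.4321 > 192.5.5.241.53:  1 A? example.com. (29)
"""

# tcpdump -n line shape: "<time> IP <src>.<sport> > <dst>.<dport>: <decode>"
LINE = re.compile(r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                  r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<decode>.*)$")


def parse(text):
    """Return one dict per packet line (addresses kept as strings);
    lines that are not packet records, such as tcpdump's banner, are skipped."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]


def private_prefix(addr):
    """The RFC 1918 prefix containing addr (str or address), or None."""
    ip = ip_address(str(addr))
    for net in RFC1918:
        if ip in net:
            return str(net)
    return None


def audit(pkts):
    """Count private-source packets per RFC 1918 prefix and per source host.
    On an ISP's upstream link every such packet is a host or site whose
    edge is missing the filter the post asks for."""
    by_prefix, by_src = Counter(), Counter()
    for p in pkts:
        pfx = private_prefix(p["src"])
        if pfx is not None:
            by_prefix[pfx] += 1
            by_src[p["src"]] += 1
    return by_prefix, by_src


def egress_permitted(src, assigned_prefixes):
    """BCP38 check at a site or ISP edge: a packet may leave only if its
    source is not private and lies inside the prefixes assigned to that site."""
    ip = ip_address(str(src))
    return private_prefix(ip) is None and any(
        ip in ip_network(p) for p in assigned_prefixes)


if __name__ == "__main__":
    pkts = parse(CAPTURE)
    by_prefix, by_src = audit(pkts)
    print("leaked packets per private prefix:", dict(by_prefix))
    print("top private sources:", by_src.most_common(3))
    ours = ["198.51.100.0/24"]  # assumed assignment for this edge
    for p in pkts:
        verdict = "pass" if egress_permitted(p["src"], ours) else "drop"
        print(f"{verdict:4} {p['src']} -> {p['dst']} {p['decode']}")
```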


so, how would you justify giving users security? [was: Re: botted hosts]

2005-04-04 Thread Gadi Evron

> senders and sender-isp's have a long list of things they have to do in order
> to not be compared to toxic polluters (a term i believe michael rathbun coined
> for use in this context, and for which i am thankful.)  don't try to make this
> about right-to-communicate or who-gets-to-decide.
I don't see why not?
Point is, most ISP's today try and sell security in the form of a 
shiny new AV suite, maybe a personal firewall.

Anyone ever considered just closing these ports? People will pay you 
more and just for your ACL services! You can put all your troubles 
behind some firewall and forget about 9/8th of the helpdesk calls about:
- My connection is slow!
- My computer is slow!
- Whatever else doesn't work!

Oooh, shiny! More costs savings!
Ooh, shiny, less warez servers, pr0n and what not servers running on 
your bandwidth. Less DDoS coming from you - less bandwidth - more fun! 
More profit!

Then if they (the users) want ports open (oh gosh, a smart luser in the 
bunch!) you can take a bit more money again and make them a customer 
that can pollute.

Why is this such a bad idea? I believe the above suggestions make such 
perfect sense in any reasoning that not going through with getting off 
blacklists and a nutty house of worms is pretty much ludicrous.

Give me a break people.
Most people won't care about their freedom if they can do whatever 
they want by asking for it. Most users want Web, Mail and IM. Three 
things. How are any of these guys who could easily get their privileges 
(and your responsibilities) back again even going to guess that some big 
right is being taken away? They have complete freedom and x9000 more 
safety. They can even sign a paper stating exactly that.

So, costs savings on bandwidth and support. Less net abuse. Ouch - less 
demand on AV sales? Run the numbers people.

	Gadi.


Re: so, how would you justify giving users security? [was: Re: botted hosts]

2005-04-04 Thread J.D. Falk

On 04/04/05, Gadi Evron [EMAIL PROTECTED] wrote: 

> Most people won't care about their freedom if they can do whatever
> they want by asking for it. Most users want Web, Mail and IM. Three
> things. How are any of these guys who could easily get their privileges
> (and your responsibilities) back again even going to guess that some big
> right is being taken away? They have complete freedom and x9000 more
> safety. They can even sign a paper stating exactly that.
>
> So, costs savings on bandwidth and support. Less net abuse. Ouch - less
> demand on AV sales? Run the numbers people.

Problem is, this conversation is mostly taking place amongst
geeks -- and most of us geeks /do/ want open access.  So the gut
reaction is "oh shit, I won't be able to run my personal mail
server at home anymore!" even though the consumers of consumer-
grade services don't know how to do that, and don't care.

-- 
J.D. Falk  uncertainty is only a virtue
[EMAIL PROTECTED]when you don't know the answer yet


Re: so, how would you justify giving users security? [was: Re: botted hosts]

2005-04-04 Thread Gadi Evron
J.D. Falk wrote:
> On 04/04/05, Gadi Evron [EMAIL PROTECTED] wrote:
>
>> Most people won't care about their freedom if they can do whatever
>> they want by asking for it. Most users want Web, Mail and IM. Three
>> things. How are any of these guys who could easily get their privileges
>> (and your responsibilities) back again even going to guess that some big
>> right is being taken away? They have complete freedom and x9000 more
>> safety. They can even sign a paper stating exactly that.
>>
>> So, costs savings on bandwidth and support. Less net abuse. Ouch - less
>> demand on AV sales? Run the numbers people.
>
> Problem is, this conversation is mostly taking place amongst
> geeks -- and most of us geeks /do/ want open access.  So the gut
> reaction is "oh shit, I won't be able to run my personal mail
> server at home anymore!" even though the consumers of consumer-
> grade services don't know how to do that, and don't care.

Okay, as a geek; do you want to be on an ISP where you will get scanned 
1000 times a minute or just twice?

As a geek, do you want service-on-demand or just getting all the lusers 
around you roaming free with phasers?

As a geek, do you not want the Internet to still be here *completely* 
OPEN and FREE in the future?

Lastly, I suppose that as a geek ISP, one might want to sell more 
bandwidth. After all, the more sh*t that goes through the tubes the 
bigger tubes people buy.

Between spam, spyware and worms, not to mention scans and attacks, I
suppose that a large percentage of the Internet already is pay-for-junk?

	Gadi.


Re: so, how would you justify giving users security? [was: Re: botted hosts]

2005-04-04 Thread Petri Helenius
Gadi Evron wrote:
> Between spam, spyware and worms, not to mention scans and attacks, I
> suppose that a large percentage of the Internet already is pay-for-junk?
No. Most of the Internet is p2p file sharing, which does not fall into 
the categories mentioned. (at least mostly it doesn't)

Pete


Re: so, how would you justify giving users security? [was: Re: botted hosts]

2005-04-04 Thread Jay R. Ashworth

On Mon, Apr 04, 2005 at 08:46:42PM +0200, Gadi Evron wrote:
> As a geek, do you not want the Internet to still be here *completely*
> OPEN and FREE in the future?

And this is the point question.

Much innovation is due to the open end-to-end characteristic of the
current network.

By all means, let's trap port 25 where possible, for those who don't
care (or ask), but let's not go all baby-and-bathwater by filtering
*everything* either...

Cheers,
-- jra


Re: botted hosts

2005-04-04 Thread Petri Helenius
Peter Corlett wrote:
A side-effect of the greylisting and other mail checks is that I've
got a lovely list of compromised hosts. Is there any way I can
usefully share these with the community?
 

Set up a website where one can input a route and can see hosts covered 
with it?

Pete
 





Re: so, how would you justify giving users security? [was: Re: botted hosts]

2005-04-04 Thread Stephen J. Wilcox

On Mon, 4 Apr 2005, Gadi Evron wrote:

 Anyone ever considered just closing these ports? People will pay you 
 more and just for your ACL services! You can put all your troubles 

you would need to do this on a per customer interface basis ie not at an 
aggregation point but on each ppp interface.. does that scale? i've not tried 
it, what i mean by scale is if this is eg auto-config'd by radius to cisco does 
it move the switching path to software or do anything else that would crash a 
fully load dialup/lac/lns/etc ?

Steve



Re: botted hosts

2005-04-04 Thread Petri Helenius
Sean Donelan wrote:
Locating bots is relatively easy.  If you think that is the hard part, you
don't understand the problem.
 

It's easy to some extent, databases to a few hundred thousand are easy 
to collect but going to the millions is harder.

So how do you encourage people to fix their computers, without the press
writing lots of stories about evil ISPs cut off service to grandmother's
on social security looking at pictures of their grandchildren.
 

Experience tells that telling (obviously automatically) the users that 
their computer is too unsafe to be on the public internet and it'll stay 
that way until they either fix it or change to a less clueful provider 
works wonders.

There are at least 20 million and probably more compromised computers on
the Internet.  Who has a plan to fix them?
 

If the nanog readership is a few thousands, that's only ~5-10k for each 
of us. Piece of cake. And I still don't buy the number. I might buy 2M.

Pete



Re: botted hosts

2005-04-04 Thread Florian Weimer

* Paul Vixie:

 hell, as long as we're making a list of the things sender-side network admins
 should filter on their end since they're inappropriate for the wide area,

Technically, HTTP is inappropriate for wide-area networks.  A lot of
HTTP applications still do not support persistent connections
(resulting in lots of unnecessary round trip delays).  HTTP does not
perform any checksums, and the TCP checksum alone is insufficient
across the Internet (failures are rare, but when they happen, they are
reproducible across the affected router).  HTTP does not provide
confidentiality.  The frameworks usually used to build HTTP
applications do not offer adequate security, and often encourage risky
programming styles.  Implementation quality is as poor as it can get.
And so on.

DNS is even worse, and thanks to DNSSEC, we will never see fixes for
the most pressing issues.

So "inappropriate" is the wrong word here; "you can filter it and you
can get away with it" is closer to reality IMHO.

 senders and sender-isp's have a long list of things they have to do in order
 to not be compared to toxic polluters (a term i believe michael rathbun coined
 for use in this context, and for which i am thankful.)

But detection and response are more important than prevention.  You
cannot block 80/TCP bidirectionally, so there will always be a malware
problem.  At the moment, 25/TCP c blocks are sufficient to outrun the
competition, but this will change as such filters become more and more
common.  Blocks might be cheaper at this point, but I hope it's
economically viable to skip this stage (because it's so disruptive and
will only result in more SOAP lookalikes) and invest into the next
one.


Re: botted hosts

2005-04-04 Thread Christopher L. Morrow

 * Paul Vixie:

  hell, as long as we're making a list of the things sender-side network 
  admins
  should filter on their end since they're inappropriate for the wide area,


'sender side' == 'network owner' or if you are an ISP 'your customer'. So,
read this as: your customers should really be filtering these protocols
at their edge to 'you'. Is that your intent here Paul?


Re: botted hosts

2005-04-04 Thread Valdis . Kletnieks
On Mon, 04 Apr 2005 22:31:50 +0300, Petri Helenius said:

 There are at least 20 million and probably more compromised computers on
 the Internet.  Who has a plan to fix them?
   
 
 If the nanog readership is a few thousands, that's only ~5-10k for each 
 of us. Piece of cake. And I still don't buy the number. I might buy 2M.

The problem is that of my 10K share, probably at most 2-4K are actually inside
an AS that I can do anything about, and the other 6-8K are inside other AS's
that are both clueless and not represented on NANOG...






Re: botted hosts

2005-04-04 Thread Dean Anderson

On Sun, 3 Apr 2005, Dave Rand wrote:

 The problem has always been that ISPs do not see any tangible benefit to
 stopping spam *leaving* their networks.  

And just what blacklists work to detect spam in outgoing email?

Spam leaving the network is stopped as soon as abuse complaints roll in.  
This is a tremendous exaggeration.  Most networks spend a lot of time and 
money dealing with abuse on their network.  no tangible benefit, indeed.

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 344 9000   




Re: so, how would you justify giving users security? [was: Re: botted hosts]

2005-04-04 Thread John Dupuy



As a point of discussion regarding port 25 filtering. Let's look at two
possible future models:

For both these models, today's weak-security SMTP is still used for email.
The ISP having the sender of email is called SendISP. The ISP with the
recipient mailserver is called RecvISP.

MODEL A: ISPs filter at the source; spam is reduced
   ISPs filter outgoing port 25 traffic from networks; allowing exceptions.
   SendISP limits outgoing mail. RecvISP has less incentive to block incoming.
   If a customer of SendISP wants to run a mail server, SendISP has
   motivation to make an exception.
   Customers wanting exceptions tend to be rare.

MODEL B: ISPs filter incoming mail traffic; spam is reduced.
   ISPs increase the effectiveness of blacklists and locating dynamic IPs;
   allowing exceptions as requested by the mail server admins/users.
   (Filtering may occur at network level or in mail servers.)
   SendISP does not limit outgoing mail. RecvISP has strong incentives to
   block.
   If a customer of SendISP wants to run a mail server, RecvISP has almost
   no motivation to make a blacklist exception. RecvISP is more concerned
   about _their_ customers/users.

Which model really provides us with the best of both worlds: less spam yet
more freedom to innovate? I would say model A does.

However, I am not convinced of this. Please pick apart my models..
(As if I have to ask...)
John

At 01:25 PM 4/4/2005, Jay R. Ashworth wrote:
 On Mon, Apr 04, 2005 at 08:46:42PM +0200, Gadi Evron wrote:
  As a geek, do you not want the Internet to still be here *completely* 
  OPEN and FREE in the future?

 And this is the point question.

 Much innovation is due to the open end-to-end characteristic of the
 current network.

 By all means, let's trap port 25 where possible, for those who don't
 care (or ask), but let's not go all baby-and-bathwater by filtering
 *everything* either...

 Cheers,
 -- jra
 -- 
 Jay R. Ashworth                                   [EMAIL PROTECTED]
 Designer                  Baylink                      RFC 2100
 Ashworth & Associates     The Things I Think           '87 e24
 St Petersburg FL USA      http://baylink.pitas.com     +1 727 647 1274

   If you can read this... thank a system administrator.  Or two.  --me




Re: botted hosts

2005-04-04 Thread John Dupuy



I think many folks agree with you. Spam, at its heart, is an intractable
social problem, not a technical problem. I'll refrain from my regular
"tragedy of the commons" economics discussion.

However, most of the folks on this list must work at the technical angle.
How do we reduce spam by making it more difficult to spam?

I'd be interested in seeing your proof when you finish it.

John

 On a deeper level, I discovered (it's not at proof level, but probably at
 'strong conjecture' level) that results from information theory show that
 spam cannot be stopped technically. I'll write it up a bit more formally,
 and post a link. (And I'll see if I can carry it out to a proof) To
 summarize, I show that spam is equivalent to a covert/sneaky channel [or
 rather, sneaky channel in the network literature and other names in
 other areas of literature--e.g. covert channel is usually specific to
 multi-user OS analysis, but the concepts are the same]. Then I show that
 since one can't prove an information system is free of covert/sneaky
 channels, it can't be proven free of spam either. And the conclusion is
 that a technical solution to spam doesn't exist. Yes, there are things
 that can still be done---one can continue to play whack-a-mole, but it
 never gets better than whack-a-mole. There are still technical methods
 that aren't fully exploited (text analysis for intent, bayesian, etc) but
 for each of these things, there are countermeasures that the abuser can do
 to fool them. If you want to talk information theory and spam, contact me
 off-list.

 --Dean

 -- 
 Av8 Internet   Prepared to pay a premium for better service?
 www.av8.net faster, more reliable, better service
 617 344 9000 




Re: botted hosts

2005-04-04 Thread Valdis . Kletnieks
On Mon, 04 Apr 2005 16:12:51 EDT, Dean Anderson said:

 On a deeper level, I discovered (it's not at proof level, but probably at
 'strong conjecture' level) that results from information theory show that
 spam cannot be stopped technically. I'll write it up a bit more formally,
 and post a link.  (And I'll see if I can carry it out to a proof) To
 summarize, I show that spam is equivalent to a covert/sneaky channel [or
 rather, sneaky channel  in the network literature and other names in
 other areas of literature--e.g. covert channel is usually specific to
 multi-user OS analysis, but the concepts are the same]. Then I show that
 since one can't prove an information system is free of covert/sneaky
 channels, it can't be proven free of spam either.

The thing your analysis will probably fall short on is that although you
can *at best* limit the bandwidth of a covert channel (a well understood
concept as far back as the old Orange Book), there's the assumption that
a covert channel has a cooperating sender and receiver, both doing the
moral equivalent of an FFT to extract the signal from the noise.

The problem arises when you are trying to push signal (spam) to a
non-cooperating recipient. I've seen spam that's so obfuscated that it's
unclear whether it's trying to sell me a R00leckss or medications.  At that
point, it may be able to pass under the effective-bandwidth filter of your
covert channel.

But it's also likely to be under the effective bandwidth needed to actually
deliver a message to an end-user.

If you hide the spam in a steganographic message inside a .JPG of a giraffe,
it will almost certainly make it to the mailbox.  But at that point, the
user is left looking at a picture of a giraffe..




Re: botted hosts

2005-04-04 Thread John Dupuy
My apologies to the list for sending HTML email.
A plain text version:
As a point of discussion regarding port 25 filtering. Let's look at two 
possible future models:

For both these models, today's weak-security SMTP is still used for email. 
The ISP having the sender of email is called SendISP. The ISP with the 
recipient mailserver is called RecvISP.

MODEL A: ISPs filter at the source; spam is reduced
   ISPs filter outgoing port 25 traffic from networks; allowing exceptions.
   SendISP limits outgoing mail. RecvISP has less incentive to block incoming.
   If a customer of SendISP wants to run a mail server, SendISP has 
   motivation to make an exception.
   Customers wanting exceptions tend to be rare.

MODEL B: ISPs filter incoming mail traffic; spam is reduced.
   ISPs increase the effectiveness of blacklists and locating dynamic 
IPs; allowing exceptions as requested by the mail server admins/users. 
(Filtering may occur at network level or in mail servers.)
   SendISP does not limit outgoing mail. RecvISP has strong incentives to 
block.
   If a customer of SendISP wants to run a mail server, RecvISP has 
almost no motivation to make a blacklist exception. RecvISP is more 
concerned about _their_ customers/users.

Which model really provides us with the best of both worlds: less spam yet 
more freedom to innovate? I would say model A does.

However, I am not convinced of this. Please pick apart my models..
(As if I have to ask...)
John


Re: botted hosts

2005-04-04 Thread Florian Weimer

* Suresh Ramasubramanian:

 Find them, isolate them into what some providers call a walled
 garden - vlan them into their own segment from where all they can
 access are antivirus / service pack downloads 

Service pack downloads?  Do you expect ISPs to pirate Windows (or
large parts thereof)?  Or has Microsoft finally seen the light?


Re: botted hosts

2005-04-04 Thread Florian Weimer

* Dean Anderson:

 Spam leaving the network is stopped as soon as abuse complaints roll
 in.

Apparently, complaints are no longer a sufficient indicator because
there are too few complaints.

Maybe we are not quite at this point, but look at non-spoofed DDoS
attacks and port scans.  We will get there eventually.


Re: botted hosts

2005-04-04 Thread Sam Hayes Merritt, III

Unblocking on customer request is an expensive operation, for both the 
ISP and the customer.

And they frequently assume that network operations changes are 
free---Comcast reported that it would cost $58 million to implement port 
25 blocking and notify customers, just for Comcast.
Anyone can come up with a number to convince themselves that they don't 
need to do the 'right thing'. Comcast is probably using Docsis. Docsis 
makes applying filters on a per user basis pretty darn easy.

AOL blocks outbound 25.
Earthlink for the most part does (we only refused 148 emails from them 
yesterday from places like user-0c2i2vr.cable.earthlink.net and 
user-0c2if7q.cable.earthlink.net, they might block port 25 by default for 
as much as I know)

We block outbound port 25 on our residential connections by default. Of 
those, only 2.4% currently have requested that we not filter them.

The $ excuse just doesn't fly. RR and Comcast know this. Other providers 
have tackled the problem. I've seen the Spamcop reports on our retail 
connections drop to just about nothing since filtering our users.

On a deeper level, I discovered (its not at proof level, but probably at
'strong conjecture' level) that results from information theory show that
spam cannot be stopped technically.
Yep. Cannot be stopped. But if I disable what I am currently doing to keep 
the rest of the world out, my users damn sure notice. I do what I can, 
grab the low lying fruit, get them knocked out of the way and then go for 
the harder problems.

sam


Re: botted hosts

2005-04-04 Thread Valdis . Kletnieks
On Mon, 04 Apr 2005 15:45:01 CDT, John Dupuy said:

 MODEL A: ISPs filter at the source; spam is reduced

 MODEL B: ISPs filter incoming mail traffic; spam is reduced.
 ISP's increase the effectiveness of blacklists and locating dynamic 

 Which model really provides us with the best of both worlds: less spam yet 
 more freedom to innovate? I would say model A does.
 
 However, I am not convinced of this. Please pick apart my models..

Obviously, the filtering has to be done at least at one end.  And although it
would be nice if I lived in a world where the ISP originating the mail was
filtering it, I don't live there.

So unless you have a *realistic* proposal to make all the spam-haven ISPs
find religion, see the light, and oust their spammers *without* the "do it or
be blocked everyplace" (your plan B), it's not going to happen in our 
lifetime...




Re: botted hosts

2005-04-04 Thread Peter Corlett

Petri Helenius [EMAIL PROTECTED] wrote:
[...]
 If the nanog readership is a few thousands, that's only ~5-10k for
 each of us. Piece of cake. And I still don't buy the number. I might
 buy 2M.

If the nanog readership is a few thousands, I suspect most of the
readership is small fry looking after a small amount of address space.
For example, I'm pretty much lost on the radar given my purview is but
a pair of /19s. Not everybody can be a Tier 1 provider...

Even though my user base may not be considered the most well-behaved
netizens (IRCNet I-lines were probably invented for them) I suspect
that trying to find 5-10k rogue users in an address space covering
about 16,000 hosts may still be a tad optimistic.

-- 
PGP key ID E85DC776 - finger [EMAIL PROTECTED] for full key


Re: botted hosts

2005-04-04 Thread Florian Weimer

* Petri Helenius:

There are at least 20 million and probably more compromised computers on
the Internet.  Who has a plan to fix them?


 If the nanog readership is a few thousands, that's only ~5-10k for each 
 of us. Piece of cake. And I still don't buy the number. I might buy 2M.

2M was a rather conservative estimate for Agobot/Phatbot infections
*alone* when it started to hit big.  The number of distinct IP
addresses per day at the load-test servers was surprisingly high and
matched the published estimates (which must have looked like
fearmongering to most operators back then).


Re: botted hosts

2005-04-04 Thread Dean Anderson


--Dean

On 4 Apr 2005, Paul Vixie wrote:

 
 [EMAIL PROTECTED] (Sean Donelan) writes:
 
  Do you want an Internet where your provider decides for you, with whom and
  when you are allowed to communicate?  Or do you want to decide for yourself
  whether to accept or not accept the communication?
 
 i want weak protocols restricted to LANs or at most campuses or ISPs.  that
 means UDP/137, UDP/139, and TCP/25 at the moment.  stay tuned, we might be
 adding more.  oh and as long as you're considering whether to restrict
 things to your LAN/campus/ISP, i'm ready to see rfc1918 filters deployed...

Does that include DNS?  That's a pretty weak protocol.

--Dean

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 344 9000   




Re: botted hosts

2005-04-04 Thread Valdis . Kletnieks
On Mon, 04 Apr 2005 19:14:26 EDT, Dean Anderson said:
 On 4 Apr 2005, Paul Vixie wrote:
  i want weak protocols restricted to LANs or at most campuses or ISPs.  that
  means UDP/137, UDP/139, and TCP/25 at the moment.  stay tuned, we might be
  adding more.  oh and as long as you're considering whether to restrict
  things to your LAN/campus/ISP, i'm ready to see rfc1918 filters deployed...
 
 Does that include DNS?  That's a pretty weak protocol.

One must wonder if this proposal would get more traction, or less, if we
changed from "weak protocol" to "lame protocol".

Now where's my asbestos skivvies? :)




Re: botted hosts

2005-04-04 Thread Suresh Ramasubramanian

On Apr 5, 2005 2:18 AM, Florian Weimer [EMAIL PROTECTED] wrote:
 * Suresh Ramasubramanian:
 
  Find them, isolate them into what some providers call a walled
  garden - vlan them into their own segment from where all they can
  access are antivirus / service pack downloads
 
 Service pack downloads?  Do you expect ISPs to pirate Windows (or
 large parts thereof)?  Or has Microsoft finally seen the light?
 

I do believe I heard somewhere about ISPs bundling a pack of free AV /
spyware remover tools with their install CD - AVG and such.

However when it comes to allowing downloads, I guess something like
cisco's NBAR would help even if it were offsite downloads - these URLs
/ URL regexes are allowed, the rest are not, at least till the user
disinfects his PC.

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])


Re: botted hosts

2005-04-04 Thread Christopher L. Morrow


On Mon, 4 Apr 2005 [EMAIL PROTECTED] wrote:

 On Mon, 04 Apr 2005 15:45:01 CDT, John Dupuy said:

  MODEL A: ISPs filter at the source; spam is reduced

  MODEL B: ISPs filter incoming mail traffic; spam is reduced.
  ISP's increase the effectiveness of blacklists and locating dynamic

  Which model really provides us with the best of both worlds: less spam yet
  more freedom to innovate? I would say model A does.
 
  However, I am not convinced of this. Please pick apart my models..

 Obviously, the filtering has to be done at least at one end.  And although it
 would be nice if I lived in a world where the ISP originating the mail was
 filtering it, I don't live there.

where ISP could be, for instance, cable-modem-provider-C that forces their
customers through their relays and would filter outbound email?


 So unless you have a *realistic* proposal to make all the spam-haven ISPs
 find religion, see the light, and oust their spammers *without* the do it or

FAUSP ?


botted hosts

2005-04-03 Thread Petri Helenius

I run some summaries about spam-sources by country, AS and containing 
BGP route.
These are from a smallish set of servers whole March aggregated. 
Percentage indicates incidents out of total.
Conclusion is that blocking 25 inbound from a handful of prefixes would 
stop 10% of spam.

+---------+---------+
| Percent | Country |
+---------+---------+
| 26.8013 | US      |
| 25.6489 | KR      |
| 11.2896 | CN      |
|  4.3139 | FR      |
|  2.8045 | BR      |
+---------+---------+

+---------+-------+
| Percent | ASN   |
+---------+-------+
| 11.3916 |  4766 |
|  6.3791 |  9318 |
|  5.1094 |  4134 |
|  3.3910 |  7132 |
|  3.1717 | 29963 |
+---------+-------+

+---------+------------------+
| Percent | Prefix           |
+---------+------------------+
|  2.0754 | 207.182.144.0/20 |
|  1.7184 | 4.0.0.0/8        |
|  1.3054 | 82.224.0.0/11    |
|  1.1116 | 221.144.0.0/12   |
|  1.0963 | 207.182.136.0/21 |
|  0.9943 | 61.78.37.0/24    |
|  0.9586 | 218.144.0.0/12   |
|  0.9484 | 222.96.0.0/12    |
|  0.7394 | 222.65.0.0/16    |
|  0.7343 | 211.200.0.0/13   |
+---------+------------------+
Pete
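As an added example (not Petri's own tooling) of the summary the post describes: constructed MTA reject lines are mapped to their containing BGP route by longest-prefix match, then tallied by country, origin AS and prefix, and the share a "handful of prefixes" would cover is computed. The route table, the ASN-to-country map, the log format and the documentation ASNs 64496/64497 are all constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed route table (prefix -> origin ASN).  A real run would load a BGP
# RIB dump; the overlapping 207.182.x prefixes are there so longest-prefix
# match matters.  64496/64497 are documentation ASNs, not the real origins.
ROUTES = {
    "4.0.0.0/8": 3356,            # Level 3, as the thread notes
    "207.182.128.0/19": 64496,
    "207.182.144.0/20": 64497,
    "221.144.0.0/12": 4766,       # Korea Telecom
    "82.224.0.0/11": 12322,       # Proxad
}
# Constructed ASN -> country map; a real one comes from RIR delegation files.
AS_COUNTRY = {3356: "US", 64496: "US", 64497: "US", 4766: "KR", 12322: "FR"}

# Parse the table once so each lookup does not re-parse every prefix.
_ROUTE_TABLE = [(ip_network(p), asn) for p, asn in ROUTES.items()]

# Constructed sample log, one line per SMTP transaction (assumed format).
SAMPLE_LOG = """\
Mar  1 00:12:51 mx1 smtpd: reject from 207.182.150.7 (listed in dnsbl)
Mar  1 00:13:02 mx1 smtpd: reject from 207.182.150.9 (listed in dnsbl)
Mar  1 00:14:10 mx1 smtpd: reject from 207.182.130.4 (listed in dnsbl)
Mar  1 00:15:33 mx1 smtpd: reject from 4.20.1.77 (greylist timeout)
Mar  1 00:16:01 mx1 smtpd: reject from 221.150.2.3 (listed in dnsbl)
Mar  1 00:16:45 mx1 smtpd: reject from 221.150.2.3 (listed in dnsbl)
Mar  1 00:17:12 mx1 smtpd: reject from 82.230.9.1 (listed in dnsbl)
Mar  1 00:18:40 mx1 smtpd: reject from 203.0.113.5 (listed in dnsbl)
Mar  1 00:19:00 mx1 smtpd: accept from 198.51.100.8
Mar  1 00:19:30 mx1 smtpd: reject from not-an-ip (bad helo)
"""

REJECT_RE = re.compile(r"smtpd: reject from (\S+)")


def longest_prefix_match(ip, table=_ROUTE_TABLE):
    """Return (network, asn) of the most specific route covering ip, or None."""
    addr = ip_address(ip)
    best = None
    for net, asn in table:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, asn)
    return best


def parse_incidents(log_text):
    """Source addresses of rejected messages; lines without a valid IP are skipped."""
    ips = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        try:
            ips.append(str(ip_address(m.group(1))))
        except ValueError:
            continue  # hostname or garbage in the source field
    return ips


def summarise(ips, table=_ROUTE_TABLE, as_country=AS_COUNTRY):
    """Percent of incidents per country, origin AS and containing route.

    Each value is a list of (percent, key) sorted by share, like the tables in
    the post.  Addresses with no covering route are kept as 'unrouted' rather
    than dropped, so every column still sums to 100."""
    by_country, by_asn, by_prefix = Counter(), Counter(), Counter()
    for ip in ips:
        hit = longest_prefix_match(ip, table)
        if hit is None:
            by_prefix["unrouted"] += 1
            by_asn["unrouted"] += 1
            by_country["unrouted"] += 1
            continue
        net, asn = hit
        by_prefix[str(net)] += 1
        by_asn[asn] += 1
        by_country[as_country.get(asn, "unknown")] += 1
    total = len(ips)

    def table_of(counter):
        if total == 0:
            return []
        rows = [(round(100.0 * n / total, 4), key) for key, n in counter.items()]
        return sorted(rows, key=lambda r: (-r[0], str(r[1])))

    return {"total": total, "country": table_of(by_country),
            "asn": table_of(by_asn), "prefix": table_of(by_prefix)}


def share_of_top_prefixes(summary, n):
    """Cumulative percent of incidents the n busiest routes account for.

    Unrouted addresses are excluded: there is no prefix to filter for them."""
    rows = [pct for pct, key in summary["prefix"] if key != "unrouted"]
    return round(sum(rows[:n]), 4)


if __name__ == "__main__":
    s = summarise(parse_incidents(SAMPLE_LOG))
    for section in ("country", "asn", "prefix"):
        print(f"--- by {section} ({s['total']} incidents)")
        for pct, key in s[section]:
            print(f"{pct:8.4f}  {key}")
    print("top 2 prefixes cover", share_of_top_prefixes(s, 2), "%")
```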


Re: botted hosts

2005-04-03 Thread Suresh Ramasubramanian

Not all bots

On Apr 3, 2005 9:43 PM, Petri Helenius [EMAIL PROTECTED] wrote:
 Conclusion is that blocking 25 inbound from a handful of prefixes would
 stop 10% of spam.

Using two or three carefully chosen DNSBLs would be a superset of your
conclusion

 ++--+
 | 2.0754 | 207.182.144.0/20 |

and from later down in your list

 | 1.0963 | 207.182.136.0/21 |

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL9198 - 207.182.128.0/19
in ROKSO as a potentially hijacked netblock

 | 1.7184 | 4.0.0.0/8|

That's old BBN netspace, now Level 3.  Level 3 provides dialups to a
whole lot of providers, and .. hell, I don't need to tell you about
level 3.  Anyway a good dialup list (DUHL, or maybe the DUL if you
want to license it) should help.

 | 1.3054 | 82.224.0.0/11|

Proxad in France - dialup / broadband dynamic IP space I expect

 | 1.1116 | 221.144.0.0/12   |

Korea. Likely to be a good mix of direct spam sources and botted
hosts.  Spamhaus SBL and XBL, plus a dynamic IP list just might help

 | 0.9943 | 61.78.37.0/24|
 | 0.9586 | 218.144.0.0/12   |
 | 0.9484 | 222.96.0.0/12|
 | 0.7394 | 222.65.0.0/16|
 | 0.7343 | 211.200.0.0/13   |

SBL + XBL + Dynamic IPs

Then, surbl.org catches a few more for you (I can recommend
ob.surbl.org on the principle of eating our own dogfood, we use it ..)

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])


Re: botted hosts

2005-04-03 Thread Stephen J. Wilcox

On Sun, 3 Apr 2005, Petri Helenius wrote:

 
 
 I run some summaries about spam-sources by country, AS and containing 
 BGP route.
 These are from a smallish set of servers whole March aggregated. 
 Percentage indicates incidents out of total.
 Conclusion is that blocking 25 inbound from a handful of prefixes would 
 stop 10% of spam.

and your second highest is 4.0.0.0/8; your advice is that blocking it would help 
your email?

Steve

 
 +-+--+
 | 26.8013 | US   |
 | 25.6489 | KR   |
 | 11.2896 | CN   |
 |  4.3139 | FR   |
 |  2.8045 | BR   |
 
 +-+--+
 | 11.3916 | 4766 |
 |  6.3791 | 9318 |
 |  5.1094 | 4134 |
 |  3.3910 | 7132 |
 |  3.1717 |29963 |
 
 ++--+
 | 2.0754 | 207.182.144.0/20 |
 | 1.7184 | 4.0.0.0/8|
 | 1.3054 | 82.224.0.0/11|
 | 1.1116 | 221.144.0.0/12   |
 | 1.0963 | 207.182.136.0/21 |
 | 0.9943 | 61.78.37.0/24|
 | 0.9586 | 218.144.0.0/12   |
 | 0.9484 | 222.96.0.0/12|
 | 0.7394 | 222.65.0.0/16|
 | 0.7343 | 211.200.0.0/13   |
 
 Pete
 
 



Re: botted hosts

2005-04-03 Thread Petri Helenius
Stephen J. Wilcox wrote:
On Sun, 3 Apr 2005, Petri Helenius wrote:
 

I run some summaries about spam-sources by country, AS and containing 
BGP route.
These are from a smallish set of servers whole March aggregated. 
Percentage indicates incidents out of total.
Conclusion is that blocking 25 inbound from a handful of prefixes would 
stop 10% of spam.
   

and your second highest is 4.0.0.0/8 your advice is blocking it would help your 
email?

 

The abuse from 4/8 seems to be coming from the first quarter of the 
address space. To be fair, 24.0.0.0/8 should get equal treatment to 
4.0.0.0/8, whichever the reader feels appropriate.

There are worse populations on other /8's but none of them are 
controlled by a single entity.

Pete
Steve
 

+-+--+
| 26.8013 | US   |
| 25.6489 | KR   |
| 11.2896 | CN   |
|  4.3139 | FR   |
|  2.8045 | BR   |
+-+--+
| 11.3916 | 4766 |
|  6.3791 | 9318 |
|  5.1094 | 4134 |
|  3.3910 | 7132 |
|  3.1717 |29963 |
++--+
| 2.0754 | 207.182.144.0/20 |
| 1.7184 | 4.0.0.0/8|
| 1.3054 | 82.224.0.0/11|
| 1.1116 | 221.144.0.0/12   |
| 1.0963 | 207.182.136.0/21 |
| 0.9943 | 61.78.37.0/24|
| 0.9586 | 218.144.0.0/12   |
| 0.9484 | 222.96.0.0/12|
| 0.7394 | 222.65.0.0/16|
| 0.7343 | 211.200.0.0/13   |
Pete
   

 




Re: botted hosts

2005-04-03 Thread Dave Rand

[In the message entitled botted hosts on Apr  3, 19:13, Petri Helenius 
writes:]
 
 I run some summaries about spam-sources by country, AS and containing 
 BGP route.
 These are from a smallish set of servers whole March aggregated. 
 Percentage indicates incidents out of total.
 Conclusion is that blocking 25 inbound from a handful of prefixes would 
 stop 10% of spam.
 

This would be correct.  In the bigger perspective, blocking port 25 on all
ISP's consumer circuits would currently stop over 99% of the spam.  Yes,
spammers would adjust to this over time.  It is still a great idea to block
port 25 by default, and unblock it on customer request.

The problem has always been that ISPs do not see any tangible benefit to
stopping spam *leaving* their networks.  Even the largest networks, some who
complain that if only other networks would stop their spam, have serious,
and long term spam leaving their networks.

From my (limited) view of the world, involving only about 200 Million spams
that I logged last month (down from 230M in February), here's what I see:

Logged Spam by country:
 Percent  Country
   24.64  REPUBLIC OF KOREA
   21.96  UNITED STATES
   15.45  CHINA
    4.21  CANADA
    4.02  FRANCE
    3.38  SPAIN
    3.33  JAPAN
    2.03  BRAZIL
    1.52  UNITED KINGDOM
    1.48  ITALY


The Kelkea (what used to be MAPS) DUL, with more than 150 million entries in
it stopped about 41% of the spam last month.  The QIL, a new product, stopped
about 55%, with the remainder being stopped by the RBL, OPS and RSS.  A view
of this from a different perspective (an unrelated ISP) is available at
http://status.hiwaay.net/spam.html

That means that if just the ISPs that we have identified as having
dynamically assigned addresses were to install port 25 blocking, more than
1/3 of the spam would vanish.

Compromised computers are a large problem today.  Before that, it was open
proxies.  Before that it was open relays.  Before that it was stolen ISP
accounts...

From the ISP perspective, here's what I see:

 Percent    ASN  Name
   10.80   4766  KIXS-AS-KR Korea Telecom
    6.24   4134  CHINANET-BACKBONE No.31,Jin-rong Street
    4.08   9318  HANARO-AS HANARO Telecom
    3.62   4812  CHINANET-SH-AP China Telecom (Group)
    2.00   5690  VIANET-NO - Via Computer and Communications (ViaNet)
    1.99   4837  CHINA169-BACKBONE CNCGROUP China169 Backbone
    1.97   7132  SBIS-AS - SBC Internet Services
    1.73   6478  ATT-INTERNET3 - AT&T WorldNet Services
    1.63   9277  THRUNET-AS-KR THRUNET
    1.38  12322  PROXAD AS for Proxad ISP

In summary, yes, blocking port 25 from a handful of prefixes would in fact
block more than 10% of the spam now being received.  The bigger issue is
getting the ISPs to see that they in fact have a problem, and they need to
work on it.

As always, I have details available for any time period, for any ISP that
cares.  I can extract details by address range, ASN, or pretty much anything
else you want.

-- 


Re: botted hosts

2005-04-03 Thread Randy Bush

 +-+--+
 | 26.8013 | US   |
 | 25.6489 | KR   |
 | 11.2896 | CN   |
 |  4.3139 | FR   |
 |  2.8045 | BR   |

amerika no ka oi!



Re: botted hosts

2005-04-03 Thread Sean Donelan

On Sun, 3 Apr 2005, Dave Rand wrote:
 The Kelkea (what used to be MAPS) DUL, with more than 150 million entries in
 it stopped about 41% of the spam last month.  The QIL, a new product, stopped
 about 55%, with the remainder being stopped by the RBL, OPS and RSS.  A view
 of this from a different perspective (an unrelated ISP) is available at
 http://status.hiwaay.net/spam.html

 That means that if just the ISPs that we have identified as having
 dynamically assigned addresses were to install port 25 blocking, more than
 1/3 of the spam would vanish.

Why does anyone accept SMTP connections from known dynamically assigned
addresses?  DUL, QIL, etc should drop all those connections on the floor.
If everyone was using DUL, QIL, etc, why do they still complain about
getting spam from dynamically assigned addresses?  If mail admins were to
install DUL lists 

Does port 25 blocking actually make a difference?  Any public data from
before and after?  Or does it just annoy people, cause problems and not
fix anything?



Re: botted hosts

2005-04-03 Thread Suresh Ramasubramanian

On Apr 4, 2005 10:40 AM, Sean Donelan [EMAIL PROTECTED] wrote:
 Why does anyone accept SMTP connections from known dynamically assigned
 addresses?  DUL, QIL, etc should drop all those connections on the floor.

Consider, if you will, the UNKNOWN dynamic IP ranges

Neither DUL, nor SORBS DUHL, nor the several other lesser known
variants can claim to do even a fraction of a perfect job - and
providers who do stuff like happily mix static IP and dynamic IP
netblocks, maintain vague or inconstant rDNS or even no rDNS at all
for these, etc don't help at all, leading to the usual funny situation
of someone's static IP dsl getting blocked as dynamic [but that's
another story altogether]

And even with port 25 filtering, if it is one way only, people can use
so-called triangular routing to spoof IP packets, using botnet
controlled hosts on dialups, and a master control center with a fat
pipe + spamware, and a bank of POTS lines.

Port 25 both ways, and then uRPF to stop source address spoofing ..

 Does port 25 blocking actually make a difference?  Any public data from
 before and after?  Or does it just annoy people, cause problems and not
 fix anything?

The last time this thread came up on nanog (I think you were the one
to ask this question then as well) I do believe people came up to say
yes, it does make a difference

That said, Joe St.Sauver put it fairly well in his presentation at
maawg san diego, when he said it is "cough syrup for lung cancer", and
what you need along with the cough syrup of port 25 filtering, is some
stronger measures to locate and take down botted hosts, which of
course can be used for nastier things (DDoS botnets for example) as
well, things that do just fine without port 25.

-srs
-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])