turtleshadow writes "Brian Krebs of the Security Fix Blog analyzes the McColo Spamming one year later and asks an interesting question: 'How does one renovate and recoup the lost trust to the slums of the Internet and reclaim back all the domains and IPs that have been blacklisted?' Indeed, the economic benefits abound when a huge swath of illegal and annoying activity ceases — but given the basic design of the Internet, what happens over the long run to IP space and DNS when hosting companies come and go and vary in their trustworthiness? So too, now Geocities is dead [as a business], but does that still live in your filter list? It still appears in OpenDNS under several policy categories. How, in a few years, will I tell if some Hosting/Colo sold me Whitechapel Road/Ventura Avenue for Mayfair/Boardwalk prices, and no one is going to accept my mail from a former slum? When do you, if ever, roll back the blacklists and filters for 'dead' threats and spammers?"
That will prevent us from running out of unblocked IP addresses, but it does nothing to aviod being bitten by filtering rules based on a previously bad domain name (like geocities.com).
Simple. Do not call your web site goatse, or geocities. If someone registers that domain name, because he's too young to remember, or whatever... He'll figure out pretty quickly that things don't work for him, so he'll pick a different domain name, like goatsrus, geotowns, geomegacities, or whatever.
Frankly, I think that there are more pressing problems to think about.
Simple. Do not call your web site goatse, or geocities. If someone registers that domain name, because he's too young to remember, or whatever... He'll figure out pretty quickly that things don't work for him, so he'll pick a different domain name, like goatsrus, geotowns, geomegacities, or whatever.
I'm going to start a free hosting service for shock sites called Goatsecities...
So did everybody else, no? I'm happy for URLs. Back when you could only connect by knowing the correct IP, 69.69.69.69 was pretty much the only porn site on the web... well, strand.
My favorite IP is 4.8. I often ping it, just for the joy of, well, pinging 4.8! I can't really describe it. You'll just have to try it to see what I mean.
You see porn is bad. Because it has naked people in it pretending to have sex. Which is bad because sex isn't fun, its a terrible thing that must be endured for the betterment of society. Or something. I dunno, don't ask me hard questions. Its in the bible, right after god said to go forth and multiply...
Yes, but if someone tries to create a new Biosphere and call the project "GeoCity", a website about the project will find itself needlessly blocked by filter rules set years ago and were never removed.
What filter rules? I mean, okay, that light on dark text and background midi and blinking marquees were annoying, but still, you could just not visit...
Yes, but if someone tries to create a new Biosphere and call the project "GeoCity", a website about the project will find itself needlessly blocked by filter rules set years ago and were never removed.
Well, it still wouldn't hurt their reputation as badly as if they'd called it Bio-Dome [imdb.com].
Stop relying on blacklists as your primarily (or only!) filtering mechanism. There are far more sophisticated filtering solutions out there these days. Filtering based solely on blacklists is antiquated, ineffective, and vulnerable to massive issues with false positives. If you only use blacklisting as a very small part of your overall filter scoring, you won't have problems when the IPs in question get turned over to non-spammers. Sure, they'll still end up with a non-zero "spam" score, but not a high enough one to be blocked.
And, of course, you should regularly be looking at your entire setup, including filtering, on a regular basis to make sure the solution you have is still the best one for your situation. Technology, and the Internet, changes too rapidly to take a "set and forget" attitude toward anything, especially filtering.
Stop relying on blacklists as your primarily (or only!) filtering mechanism
The people with the problem (the new owners of the IP address space) are not the people who can make the problem go away by your suggestion. Yes, it might be nice if everyone did make this change, but it is also highly unlikely.
I have seen even worse use of blacklists -- for example I came across one company that was rejecting email if a blacklist was matched anyhere in the "Received" lines, and their set of blacklists included
What if our operating systems were more secure, or if virtualization became universally used? Wouldn't that make it less necessary to use blacklists? I mean, if there's no danger from malware, then I don't have to worry so much if I open an attachment from an email that looks like it's coming from a friend. Worst thing it can do is blow up my virtual machine and I can just close a window and keep on going. It would also make hackers look for other ways to do evil besides attacking our desktops.
Is virtualization as secure as I think it is? I admit I don't know a lot about internet security beyond just being careful and using protection, so I'd like to hear what those of you who have expertise think.
It's not a about viruses it's the shear volume of spam hitting mail servers that makes blacklisting necessary.
If you remove it your essentially allowing yourself to be DOS'd.
You didn't provide him a solution at all. Not really. Don't get me wrong, you are entirely correct in your advice.
However, how are you supposed to get that advice to , or even communicate reliably, with stubborn and/or stupid mail server admins? The problem most often is on the *other* side.
The mail server admins at Craigslist.org deserve to be shot (they really do, at least with rubber bullets). I have run into problems getting email to a mail server in which I am apparently blocked by five-ten-sg.com.
When do I clean addresses and domains out of my filters? Usually never. It's just too much trouble to keep tabs on all of them and actively look for them being cleaned up. Once they're in the filters, there they stay until something happens to make me take a look at them. Usually that something'll be someone I know getting caught by the e-mail filters and contacting me out-of-band to find out why I'm not responding to their mail. Or it might be me trying to go to a site I added to the filters ages ago and being blocked when I know it should be clean now, and I go and find it and remove it. But generally, unless something like that motivates me, I've got better things to do with my time than keeping track of all the bad guys I've run across over the years and whether they've mended their ways or not.
In addition, at least one fraud expert who works with a number of big name retailers said online retail fraud rates fell from around $250,000 per day to zero for a short time following McColo's takedow
Why aren't the cops there getting customers lists from McColo and going after the fraudsters?
As far as the toxic waste is concerned, have the Government take those toxic address and have the Government turn their current addresses back into the pool. That will detox those addresses quick.
How, in a few years, will I tell if some Hosting/Colo sold me Whitechapel Road/Ventura Avenue for Mayfair/Boardwalk prices, and no one is going to accept my mail from a former slum?
As the purchaser, you probably can't. But what you can do is demand that your provider move you to a better IP neighborhood, or renegotiate (read: "tear up") the contract.
Blocklists aren't about playing whack-a-mole with spammers, they're about disincentivizing spam-friendly providers.
If you're an ISP or hosting provider, and you harbor spammers and botnets, the IP ranges you hold are permanently devalued. That means it's harder for you to get customers, more expensive to support your legitimate customers, and your business, when you decide to sell it, is worth less than if you'd booted the goddamn spammers off your network when you had the chance.
Car Analogy: If you're doing your own oil changes, and instead of hauling the waste oil to a recycler, you dump it into your backyard, don't complain when you try and sell your house and the highest bid still leaves you $100,000 underwater on your mortgage, or requires you to spend $150,000 remediating it. Your property is worth less than it could have been, had you only been a better steward of it.
> So too, now Geocities is dead [as a business], but does that still live in your filter list? It still appears in OpenDNS under several policy categories.
If you filter via OpenDNS, then you get what you deserve.
If you've done *any* metamoderating of OpenDNS website classifications, you will soon decide that poo flinging chimpanzees are more accurate.
Seriously; if maintaining your level of faith in the compassion, empathy, and fundamental decency of the human species is something you care about, don't ever visit 4chan.
That site is very little more than a showcase of the very worst, morally, psychologically, and emotionally, that humanity is capable of.
I also would suggest this in government. That all laws get renewed to automatically expire after 10 years. That way we can keep the law makers busy keeping the good laws while letting the old ones die, as well as keeping them from making crappy new ones that won't survive a 10 year renewal.
Agreed. Also, all laws must be read into the record. That'll put an upper bound on the sheer magnitude of legislation and guaranteed that the aforementioned laws have been read at least once.
Reading every law? What about the building code? What about trade duty schedules? What about the tax law (a lot of the complexity of which is actually necessary)? I'm sure you can find many more examples [cornell.edu]. It's as if you're asking for every computer program to be dictated by telephone. Your request reflects a very naive view, namely that complex societies like ours can be governed by simple laws.
If we actually tried what you suggest, what we'd see is simple legislation. Because these laws would have simple, they couldn't address subtleties and special cases, and as a result, these laws would cause a lot of injustice. Is this the world you'd really like to live in?
I never understood how people like you can see all law as universally bad, and how you actually hope for a "gridlock". Bad government is bad, yes, but good government is also good. You'd argue that all government is bad government, but if you look around, any reasonable person will see that argument is nonsense. Only ideologues maintain that government is always the problem.
Indeed, the economic benefits abound when a huge swath of illegal and annoying activity ceases
Translated from corporatocracy-ese to english:
"once we've quashed the disruptive technological utopia people created on the web, the economic opportunity to carve it up and sell it back to only those who can pay abounds!"
When I setup my first postfix daemon, I failed. Took my days. One day, it seemed like it was working, but wasn't accepting username and password logins. I went to bed, didn't stop postfix.
The next day I get an email from my colo asking why some of my IPs are being blacklisted. The colo apparently got notified that two of my IP addresses are spammers. I looked at my logs and sure enough, I stupidly let postfix run as an open smtp server and some guy started using it to send out spam.
So I stopped that, but now what? Yahoo won't accept my emails. Craigslist won't accept my emails. Hotmail moves them into the junk folder. Yahoo had the best help.
So the error message I was getting from Yahoo was related to spamhaus. I stopped postfix, finally got it up and running properly with authentication, and sent an email to the SBL list guys ( http://www.spamhaus.org/sbl/delistingprocedure.html [spamhaus.org] ) and got delisted pretty quickly.
Sending emails to Yahoo now worked fine. Other places were slower to realize that I was not a spammer, but all in all, it took about 6 months for the dust to settle, and a few more emails to various places to say "hey! I am not a spammer!".
For a major business, this can be a problem, but these lists aren't private. When doing research on where to create your new home on the internet, checking to see if they are blacklisted anywhere first would be a prudent thing to do.
The problem here seems to be badly maintained blacklists. After seeing way too many false positives on various blacklists out there, the only lists I would use are ones that expire their entries in a matter of days or hours. The good ones that I use are uatraps [openbsd.org] (greytrapping generated, 24 hour expiry) and nixspam [heise.de] (IIRC max 4 days after last seen spam activity). Then of course I maintain my own greytrap list (see the traplist homepage [bsdly.net] and the traplist ethics page [bsdly.net]for details).
The point is, you need to expire entries aggressively. Keeping entries around because somebody received a spam from somewhere in that general direction four years ago is just silly. And don't get me started on blacklisting domains. If there is one thing we know with almost total certainty, it is that spammers never use From: or Reply-to: addresses that have anything vaguely to do with the real senders.
My problem with that is when you get reassigned IP space from a spammer. My host aquired a block from ARIN, which used to host russian servers. Well these russian servers were apparently spambots because I just recently found out yahoo does not accept mail from any of my servers. This is a major problem and jumping ship to another host does not guarantee this problem will go away. I had no clue who to contact and ended up requesting new ip space from my provider... but that caused a world of pain for my customers.
I used to think my old boss was crazy when he said he never wanted our antispam solution to rely on any blacklist provider and it didn't really sink in until I was on the opposite end of the spectrum. Blacklists are bad.
I like the blacklist... i have a quarter million addresses in mine. if you're on one, you need to pitch the address and get fresh one. because you're never getting clean internet access again. The addresses are tainted for at least a decade. I don't even let blacklisters surf my sites.
though I would like to see ARIN report a list of freshened addresses (with purchaser approval of course), with digital sig and time stamp, so I could fix my blacklist.. I dont see any easier feasible way to proceed.
It will be nearly impossible to get delisted, too, and for good reason. For years the Russian malware gangs played silly buggers with changing names, corporations and hosting providers to pretend to be different unrelated entities whilst still engaging in the abuse.
So “but I bought this netblock from someone else, I'm not a hacker!” is, unfortunately, something we've already heard many times from the hackers.
Solution (Score:2, Informative)
Re: (Score:2, Interesting)
Re:Solution (Score:5, Funny)
Simple. Do not call your web site goatse, or geocities. If someone registers that domain name, because he's too young to remember, or whatever... He'll figure out pretty quickly that things don't work for him, so he'll pick a different domain name, like goatsrus, geotowns, geomegacities, or whatever.
Frankly, I think that there are more pressing problems to think about.
Reply to This
Parent
Re: (Score:3, Funny)
Simple. Do not call your web site goatse, or geocities. If someone registers that domain name, because he's too young to remember, or whatever... He'll figure out pretty quickly that things don't work for him, so he'll pick a different domain name, like goatsrus, geotowns, geomegacities, or whatever.
I'm going to start a free hosting service for shock sites called Goatsecities...
Re: (Score:3, Interesting)
Re: (Score:3, Funny)
OMG WTF PONNIES!!! (Score:2, Funny)
OMG WTF PONNIES!!!
who's on first? (Score:2)
Re: (Score:2, Funny)
Re:who's on first? (Score:4, Funny)
Reply to This
Parent
Re:who's on first? (Score:5, Informative)
nslookup -q=ptr 69.69.69.69.in-addr.arpa
Non-authoritative answer:
69.69.69.69.in-addr.arpa name = the-coolest-ip-on-the-net.com
Well, I'll be... I honestly didn't expect that. Duh...
Reply to This
Parent
Re: (Score:3, Interesting)
It makes me sad that it points to a link farm...
Re: (Score:3, Interesting)
Re:who's on first? (Score:4, Funny)
You see porn is bad. Because it has naked people in it pretending to have sex. Which is bad because sex isn't fun, its a terrible thing that must be endured for the betterment of society. Or something. I dunno, don't ask me hard questions. Its in the bible, right after god said to go forth and multiply...
Sex = bad! Stop questioning things!
Reply to This
Parent
What slums? (Score:3, Funny)
I thought they'd switched off geocities already?
Reply to This
Re: (Score:3, Informative)
Re: (Score:3, Funny)
What filter rules? I mean, okay, that light on dark text and background midi and blinking marquees were annoying, but still, you could just not visit...
Re: (Score:3, Funny)
Well, it still wouldn't hurt their reputation as badly as if they'd called it Bio-Dome [imdb.com].
Easy solution: (Score:3, Informative)
And, of course, you should regularly be looking at your entire setup, including filtering, on a regular basis to make sure the solution you have is still the best one for your situation. Technology, and the Internet, changes too rapidly to take a "set and forget" attitude toward anything, especially filtering.
Reply to This
Re: (Score:2)
The people with the problem (the new owners of the IP address space) are not the people who can make the problem go away by your suggestion. Yes, it might be nice if everyone did make this change, but it is also highly unlikely.
I have seen even worse use of blacklists -- for example I came across one company that was rejecting email if a blacklist was matched anyhere in the "Received" lines, and their set of blacklists included
Re: (Score:3, Interesting)
What if our operating systems were more secure, or if virtualization became universally used? Wouldn't that make it less necessary to use blacklists? I mean, if there's no danger from malware, then I don't have to worry so much if I open an attachment from an email that looks like it's coming from a friend. Worst thing it can do is blow up my virtual machine and I can just close a window and keep on going. It would also make hackers look for other ways to do evil besides attacking our desktops.
Is virtualization as secure as I think it is? I admit I don't know a lot about internet security beyond just being careful and using protection, so I'd like to hear what those of you who have expertise think.
It's not a about viruses it's the shear volume of spam hitting mail servers that makes blacklisting necessary.
If you remove it your essentially allowing yourself to be DOS'd.
Re: (Score:3, Interesting)
You didn't provide him a solution at all. Not really. Don't get me wrong, you are entirely correct in your advice.
However, how are you supposed to get that advice to , or even communicate reliably, with stubborn and/or stupid mail server admins? The problem most often is on the *other* side.
The mail server admins at Craigslist.org deserve to be shot (they really do, at least with rubber bullets). I have run into problems getting email to a mail server in which I am apparently blocked by five-ten-sg.com.
How does one renovate and recoup the lost trust t (Score:3, Insightful)
Reply to This
Re:How does one renovate and recoup the lost trust (Score:5, Funny)
You don't. The Internet never forgets, never forgives.
Never sleeps either. The internet waits.
Reply to This
Parent
What slums trust who now? (Score:2)
Re: (Score:2)
Yeah, no joke.
Even for Slashdot, that's a lot of slashes. I sprained my Wernicke's Area [wikipedia.org] trying to parse that.
Usually never (Score:4, Insightful)
When do I clean addresses and domains out of my filters? Usually never. It's just too much trouble to keep tabs on all of them and actively look for them being cleaned up. Once they're in the filters, there they stay until something happens to make me take a look at them. Usually that something'll be someone I know getting caught by the e-mail filters and contacting me out-of-band to find out why I'm not responding to their mail. Or it might be me trying to go to a site I added to the filters ages ago and being blocked when I know it should be clean now, and I go and find it and remove it. But generally, unless something like that motivates me, I've got better things to do with my time than keeping track of all the bad guys I've run across over the years and whether they've mended their ways or not.
Reply to This
Why you're not responding? (Score:2)
Surely you reject mail at SMTP time, allowing the sending server to notify the sender that the mail didn't get through, right?
Where are the cops? (Score:3, Interesting)
In addition, at least one fraud expert who works with a number of big name retailers said online retail fraud rates fell from around $250,000 per day to zero for a short time following McColo's takedow
Why aren't the cops there getting customers lists from McColo and going after the fraudsters?
As far as the toxic waste is concerned, have the Government take those toxic address and have the Government turn their current addresses back into the pool. That will detox those addresses quick.
Reply to This
Re: (Score:2, Interesting)
Why aren't the cops there getting customers lists from McColo and going after the fraudsters?
In the case of McColo (and RBN), many of the fraudsters probably are cops, or at least have cops on the payroll.
Re:Where are the cops? (Score:4, Insightful)
Why aren't the cops there getting customers lists from McColo and going after the fraudsters?
Because the police are far too busy going after the real [lockergnome.com] criminals [cnn.com] to waste time with legitimate fraudsters.
Reply to This
Parent
Re: (Score:3, Interesting)
You know... That's a really good idea.
Signed IP swapping somehow... Reverify those IP addresses as valid.
It would only require transferring them to a host processing site.
Then, they could be removed from block lists and be reallocated.
It would be a fuck load of record updates, though.
Easy (Score:4, Interesting)
Before you order a co-lo, agree that it has to pass certain checks, such as a blacklist check.
http://www.mxtoolbox.com/blacklists.aspx
As for decreasing IP space, IPv6 (real or tunneling) is available at most large co-lo places, so that won't be a problem.
Reply to This
You Don't. That's the point. (Score:5, Insightful)
As the purchaser, you probably can't. But what you can do is demand that your provider move you to a better IP neighborhood, or renegotiate (read: "tear up") the contract.
Blocklists aren't about playing whack-a-mole with spammers, they're about disincentivizing spam-friendly providers.
If you're an ISP or hosting provider, and you harbor spammers and botnets, the IP ranges you hold are permanently devalued. That means it's harder for you to get customers, more expensive to support your legitimate customers, and your business, when you decide to sell it, is worth less than if you'd booted the goddamn spammers off your network when you had the chance.
Car Analogy: If you're doing your own oil changes, and instead of hauling the waste oil to a recycler, you dump it into your backyard, don't complain when you try and sell your house and the highest bid still leaves you $100,000 underwater on your mortgage, or requires you to spend $150,000 remediating it. Your property is worth less than it could have been, had you only been a better steward of it.
Reply to This
90 percent of blacklists are crap... (Score:5, Funny)
...because 90 percent of everything is crap.
> So too, now Geocities is dead [as a business], but does that still live in your filter list? It still appears in OpenDNS under several policy categories.
If you filter via OpenDNS, then you get what you deserve.
If you've done *any* metamoderating of OpenDNS website classifications, you will soon decide that poo flinging chimpanzees are more accurate.
I came, I saw, I ran away screaming.
--
BMO
Reply to This
4chan (Score:5, Insightful)
Reply to This
Re: (Score:3, Funny)
/b/ is the fist thing that came to my mind as well
Re:4chan (Score:4, Insightful)
Mod parent +5,000, Insightful.
Seriously; if maintaining your level of faith in the compassion, empathy, and fundamental decency of the human species is something you care about, don't ever visit 4chan.
That site is very little more than a showcase of the very worst, morally, psychologically, and emotionally, that humanity is capable of.
Reply to This
Parent
Re:4chan (Score:5, Funny)
Mod parent +5,000, Insightful.
You missed your chance, dude. You should have said: Mod parent over 9000, Insightful.
Reply to This
Parent
1 year (Score:5, Insightful)
Everything should expire after a year.
I also would suggest this in government. That all laws get renewed to automatically expire after 10 years. That way we can keep the law makers busy keeping the good laws while letting the old ones die, as well as keeping them from making crappy new ones that won't survive a 10 year renewal.
Reply to This
Re: (Score:3, Insightful)
Agreed. Also, all laws must be read into the record. That'll put an upper bound on the sheer magnitude of legislation and guaranteed that the aforementioned laws have been read at least once.
Re:1 year (Score:4, Insightful)
Reading every law? What about the building code? What about trade duty schedules? What about the tax law (a lot of the complexity of which is actually necessary)? I'm sure you can find many more examples [cornell.edu]. It's as if you're asking for every computer program to be dictated by telephone. Your request reflects a very naive view, namely that complex societies like ours can be governed by simple laws.
If we actually tried what you suggest, what we'd see is simple legislation. Because these laws would have simple, they couldn't address subtleties and special cases, and as a result, these laws would cause a lot of injustice. Is this the world you'd really like to live in?
I never understood how people like you can see all law as universally bad, and how you actually hope for a "gridlock". Bad government is bad, yes, but good government is also good. You'd argue that all government is bad government, but if you look around, any reasonable person will see that argument is nonsense. Only ideologues maintain that government is always the problem.
Reply to This
Parent
"illegal activity" is another person's "freedom" (Score:2)
Indeed, the economic benefits abound when a huge swath of illegal and annoying activity ceases
Translated from corporatocracy-ese to english:
"once we've quashed the disruptive technological utopia people created on the web, the economic opportunity to carve it up and sell it back to only those who can pay abounds!"
My situation (Score:5, Interesting)
When I setup my first postfix daemon, I failed. Took my days. One day, it seemed like it was working, but wasn't accepting username and password logins. I went to bed, didn't stop postfix.
The next day I get an email from my colo asking why some of my IPs are being blacklisted. The colo apparently got notified that two of my IP addresses are spammers. I looked at my logs and sure enough, I stupidly let postfix run as an open smtp server and some guy started using it to send out spam.
So I stopped that, but now what? Yahoo won't accept my emails. Craigslist won't accept my emails. Hotmail moves them into the junk folder. Yahoo had the best help.
http://help.yahoo.com/l/us/yahoo/mail/postmaster/errors/;_ylt=ArX8PxnGVabUYKQmtOrSQN5vMiV4 [yahoo.com]
So the error message I was getting from Yahoo was related to spamhaus. I stopped postfix, finally got it up and running properly with authentication, and sent an email to the SBL list guys ( http://www.spamhaus.org/sbl/delistingprocedure.html [spamhaus.org] ) and got delisted pretty quickly.
Sending emails to Yahoo now worked fine. Other places were slower to realize that I was not a spammer, but all in all, it took about 6 months for the dust to settle, and a few more emails to various places to say "hey! I am not a spammer!".
For a major business, this can be a problem, but these lists aren't private. When doing research on where to create your new home on the internet, checking to see if they are blacklisted anywhere first would be a prudent thing to do.
Reply to This
Blacklists should expire agressively (Score:3, Interesting)
The point is, you need to expire entries aggressively. Keeping entries around because somebody received a spam from somewhere in that general direction four years ago is just silly. And don't get me started on blacklisting domains. If there is one thing we know with almost total certainty, it is that spammers never use From: or Reply-to: addresses that have anything vaguely to do with the real senders.
Reply to This
Re: (Score:2, Informative)
Re:Obligatory grammar nazi (Score:5, Funny)
I once passed a shop offering "Sandwich boxe's". I call it hedge-your-bets punctuation...
Reply to This
Parent
Re:I like the Ras Al Gul approach (Score:5, Interesting)
I used to think my old boss was crazy when he said he never wanted our antispam solution to rely on any blacklist provider and it didn't really sink in until I was on the opposite end of the spectrum. Blacklists are bad.
aEN
Reply to This
Parent
Re: (Score:3, Insightful)
though I would like to see ARIN report a list of freshened addresses (with purchaser approval of course), with digital sig and time stamp, so I could fix my blacklist.. I dont see any easier feasible way to proceed.
Stor
Re: (Score:3, Informative)
It will be nearly impossible to get delisted, too, and for good reason. For years the Russian malware gangs played silly buggers with changing names, corporations and hosting providers to pretend to be different unrelated entities whilst still engaging in the abuse.
So “but I bought this netblock from someone else, I'm not a hacker!” is, unfortunately, something we've already heard many times from the hackers.