Recovering the Slums of the Internet? 218
turtleshadow writes "Brian Krebs of the Security Fix Blog analyzes the McColo Spamming one year later and asks an interesting question: 'How does one renovate and recoup the lost trust to the slums of the Internet and reclaim back all the domains and IPs that have been blacklisted?' Indeed, the economic benefits abound when a huge swath of illegal and annoying activity ceases — but given the basic design of the Internet, what happens over the long run to IP space and DNS when hosting companies come and go and vary in their trustworthiness? So too, now Geocities is dead [as a business], but does that still live in your filter list? It still appears in OpenDNS under several policy categories. How, in a few years, will I tell if some Hosting/Colo sold me Whitechapel Road/Ventura Avenue for Mayfair/Boardwalk prices, and no one is going to accept my mail from a former slum? When do you, if ever, roll back the blacklists and filters for 'dead' threats and spammers?"
Re:Solution (Score:2, Interesting)
Where are the cops? (Score:3, Interesting)
In addition, at least one fraud expert who works with a number of big name retailers said online retail fraud rates fell from around $250,000 per day to zero for a short time following McColo's takedow
Why aren't the cops there getting customers lists from McColo and going after the fraudsters?
As far as the toxic waste is concerned, have the Government take those toxic address and have the Government turn their current addresses back into the pool. That will detox those addresses quick.
Easy (Score:4, Interesting)
Before you order a co-lo, agree that it has to pass certain checks, such as a blacklist check.
http://www.mxtoolbox.com/blacklists.aspx
As for decreasing IP space, IPv6 (real or tunneling) is available at most large co-lo places, so that won't be a problem.
Re:Where are the cops? (Score:2, Interesting)
Why aren't the cops there getting customers lists from McColo and going after the fraudsters?
In the case of McColo (and RBN), many of the fraudsters probably are cops, or at least have cops on the payroll.
Re:Easy solution: (Score:3, Interesting)
What if our operating systems were more secure, or if virtualization became universally used? Wouldn't that make it less necessary to use blacklists? I mean, if there's no danger from malware, then I don't have to worry so much if I open an attachment from an email that looks like it's coming from a friend. Worst thing it can do is blow up my virtual machine and I can just close a window and keep on going. It would also make hackers look for other ways to do evil besides attacking our desktops.
Is virtualization as secure as I think it is? I admit I don't know a lot about internet security beyond just being careful and using protection, so I'd like to hear what those of you who have expertise think.
It's not a about viruses it's the shear volume of spam hitting mail servers that makes blacklisting necessary.
If you remove it your essentially allowing yourself to be DOS'd.
Re:Easy solution: (Score:3, Interesting)
You didn't provide him a solution at all. Not really. Don't get me wrong, you are entirely correct in your advice.
However, how are you supposed to get that advice to , or even communicate reliably, with stubborn and/or stupid mail server admins? The problem most often is on the *other* side.
The mail server admins at Craigslist.org deserve to be shot (they really do, at least with rubber bullets). I have run into problems getting email to a mail server in which I am apparently blocked by five-ten-sg.com. Of course, you cannot communicate with five-ten-sg.com *at all*. I did perform an audit of our system to see if we were indeed compromised before accusing them and everything was fine. You just can't communicate with the other side when there is a legitimate problem.
Ostensibly, mail server admins should be checking the postmaster and abuse accounts *every single day*. I bet most have not checked in 6 months. How else do mail server admins work things out amongst themselves?
I think the solution is a polite, but strongly worded email to the customer of the offending mail server (sent from someplace else like gmail) informing them of the problem and the fact their mail server is being run by a monkey. In more polite and diplomatic language of course, but informing them that the reason they can't get email from the other person is that the hosting company does not have their mail server's being run correctly.
Throw the ball back into their court. If you write the letter nicely enough with some informative links to what you basically outlined in your post you might even turn a mail server admin from the stupid-side of the force.
I have to hope that problems receiving email due to such behavior are not isolated and that eventually the mail servers being run unwisely will just lose their customers.
Re:I like the Ras Al Gul approach (Score:5, Interesting)
I used to think my old boss was crazy when he said he never wanted our antispam solution to rely on any blacklist provider and it didn't really sink in until I was on the opposite end of the spectrum. Blacklists are bad.
aEN
Re:who's on first? (Score:3, Interesting)
My situation (Score:5, Interesting)
When I setup my first postfix daemon, I failed. Took my days. One day, it seemed like it was working, but wasn't accepting username and password logins. I went to bed, didn't stop postfix.
The next day I get an email from my colo asking why some of my IPs are being blacklisted. The colo apparently got notified that two of my IP addresses are spammers. I looked at my logs and sure enough, I stupidly let postfix run as an open smtp server and some guy started using it to send out spam.
So I stopped that, but now what? Yahoo won't accept my emails. Craigslist won't accept my emails. Hotmail moves them into the junk folder. Yahoo had the best help.
http://help.yahoo.com/l/us/yahoo/mail/postmaster/errors/;_ylt=ArX8PxnGVabUYKQmtOrSQN5vMiV4 [yahoo.com]
So the error message I was getting from Yahoo was related to spamhaus. I stopped postfix, finally got it up and running properly with authentication, and sent an email to the SBL list guys ( http://www.spamhaus.org/sbl/delistingprocedure.html [spamhaus.org] ) and got delisted pretty quickly.
Sending emails to Yahoo now worked fine. Other places were slower to realize that I was not a spammer, but all in all, it took about 6 months for the dust to settle, and a few more emails to various places to say "hey! I am not a spammer!".
For a major business, this can be a problem, but these lists aren't private. When doing research on where to create your new home on the internet, checking to see if they are blacklisted anywhere first would be a prudent thing to do.
Re:who's on first? (Score:3, Interesting)
It makes me sad that it points to a link farm...
Re:Where are the cops? (Score:3, Interesting)
You know... That's a really good idea.
Signed IP swapping somehow... Reverify those IP addresses as valid.
It would only require transferring them to a host processing site.
Then, they could be removed from block lists and be reallocated.
It would be a fuck load of record updates, though.
Blacklists should expire agressively (Score:3, Interesting)
The point is, you need to expire entries aggressively. Keeping entries around because somebody received a spam from somewhere in that general direction four years ago is just silly. And don't get me started on blacklisting domains. If there is one thing we know with almost total certainty, it is that spammers never use From: or Reply-to: addresses that have anything vaguely to do with the real senders.
Re:Solution (Score:3, Interesting)