
Naming and Shaming "Bad" ISPs

An anonymous reader writes "Brian Krebs takes a provocative look at ISP reputations, collecting data from 10 different sources that track 'badness' from a multitude of angles, from phishing to malware to botnet command and control centers. Some of the lists show very interesting and useful results; the ISPs that are most common among the various reputation services are some of the largest ISPs and hosting providers, including ThePlanet and Softlayer. The story has generated quite a bit of discussion in the security community as to whether these various efforts are measuring the wrong things, or if it is indeed valid and useful to keep public attention focused on the bigger providers, since these are generally US-based and have the largest abuse problems in terms of overall numbers."

  • Re:New Jersey (Score:5, Informative)

    by Antique Geekmeister ( 740220 ) on Saturday March 20, 2010 @11:03AM (#31549568)

    True, but you also have to prepare a budget for it. You can choose the contracts for careless or even malicious customers who would not accept a more sane or secure overall environment, including spammers and l33t d00dz who insist that "the Internet is free!!!" and "why can't I run my own NFS/SMB/HTTP/SMTP/FTP/IRC/Bittorrent server, I paid my $19.99/month!!!!" And slapping them down and turning them away lowers your potential customer base: a lot of ISPs worry a lot about "market penetration", and rely on being the locally dominant player. Following up properly on complaints against those abuse customers also takes serious engineering and legal resources, none of which generates revenue.

    Conversely, some ISPs do well with the superior service being security aware can provide. They don't get overwhelmed by surprise Bittorrent or FTP deluges against hosted servers, they channel outbound SMTP through servers that require authentication so the spambots can achieve nothing without passwords, they disconnect machines spewing Windows worms around their local network, and they keep their routers up-to-date with security patches to avoid getting re-routed. Some of us appreciate the resulting protection, and pay for it in our monthly bill rather than in expensive internal engineering cleaning up the messes.

  • by Animats ( 122034 ) on Saturday March 20, 2010 @12:29PM (#31549988) Homepage

    We've been doing something like this at SiteTruth for two years. We have the list of major domains being exploited by active phishing scams [sitetruth.com]. This is simply a list of domains that are both in PhishTank (about 100,000 entries) and Open Directory (about 1.5 million entries). Today, 84 domains are in both. There's been a surge; it was 54 two days ago.

    Domains are on this list for one of several reasons.

    1. They had a break-in, and didn't clean it up. Generally, the sites with this problem for long periods are ones without effective contact information, so there's no easy way to tell them about their problem.
    2. They have an open redirector. [mitre.org] Those are rare now, but were common two years ago. Yahoo, eBay, and Microsoft Live all used to have open redirectors. After much nagging, and some press coverage, the big players have plugged that hole.
    3. They're a hosting service, especially a free hosting service. Free hosting services need to be very aggressive about checking themselves for exploits. The smarter players now read the PhishTank and APWG feeds automatically, to detect abuses of their own systems. Right now, "t35.com" is suffering from a massive attack, with 227 pages in PhishTank. Their problem is that they're being attacked by a program, but are cleaning up by hand. Every day they kick off hundreds of phishing pages, but they can't keep up. The previous site with the worst problems was "piczo.com" (some kind of social network/hosting service for teenage girls), but they've been gaining on the problem.
    4. They're an ISP. There are a few ISPs with phishing sites they just never seem to kick off. Most of the active ones were kicked off long ago. In fact, other than ISPs which are also hosting services, we show only one entry in this category, and it's a DSL line on RoadRunner that redirects to a dead page.
    5. They're a "short URL" service. These are popular as a way to get phishing URLs past spam filters. The "short URL" services have become much more aggressive about kicking off phishing URLs over the last year.

    While this is to some extent a "blame the victim" approach, it's more effective than "phishing education" aimed at end users. Hundreds of webmasters have to be educated, not hundreds of millions of end users.
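
An added example, not part of the comment above and not SiteTruth's code: one way a hosting provider or list maintainer could intersect a phishing URL feed with a directory of known domains and count pages per domain. The feed entries, directory contents and the label-boundary suffix matching are all constructed assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample data: not real PhishTank or Open Directory entries.
PHISH_FEED = [
    "http://login-update.freehost.example/paypal/index.html",
    "http://user123.freehost.example/bank/verify.php",
    "http://FREEHOST.example:8080/~bob/signin.htm",
    "http://shop.example.org/redirect?url=http://evil.invalid/",
    "http://203.0.113.7/secure/login.html",
    "http://throwaway-phish.invalid/login",
    "not a url",
]
DIRECTORY = {"freehost.example", "shop.example.org", "news.example.net"}


def host_of(url):
    """Return the lower-cased hostname of a URL, or None if it has none."""
    try:
        host = urlsplit(url.strip()).hostname
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    return host.rstrip(".").lower() if host else None


def listed_parent(host, directory):
    """Longest directory entry that equals host or is a parent of it.

    Matching is done on whole DNS labels, so 'notfreehost.example'
    does not count as a hit for 'freehost.example'.
    """
    labels = host.split(".")
    for i in range(len(labels)):  # i = 0 tries the full host first
        candidate = ".".join(labels[i:])
        if candidate in directory:
            return candidate
    return None


def exploited_domains(feed, directory):
    """Return (domain, phishing_page_count) pairs, worst first."""
    counts = Counter()
    for url in feed:
        host = host_of(url)
        parent = listed_parent(host, directory) if host else None
        if parent:
            counts[parent] += 1
    return counts.most_common()
```

A domain with a high page count that keeps growing between runs is the "attacked by a program, cleaned up by hand" pattern the comment describes.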
