Recovering the Slums of the Internet?
turtleshadow writes "Brian Krebs of the Security Fix Blog analyzes the McColo Spamming one year later and asks an interesting question: 'How does one renovate and recoup the lost trust to the slums of the Internet and reclaim back all the domains and IPs that have been blacklisted?' Indeed, the economic benefits abound when a huge swath of illegal and annoying activity ceases — but given the basic design of the Internet, what happens over the long run to IP space and DNS when hosting companies come and go and vary in their trustworthiness? So too, now Geocities is dead [as a business], but does that still live in your filter list? It still appears in OpenDNS under several policy categories. How, in a few years, will I tell if some Hosting/Colo sold me Whitechapel Road/Ventura Avenue for Mayfair/Boardwalk prices, and no one is going to accept my mail from a former slum? When do you, if ever, roll back the blacklists and filters for 'dead' threats and spammers?"
Solution (Score:2, Informative)
Re: (Score:2, Interesting)
Re:Solution (Score:5, Funny)
Simple. Do not call your web site goatse, or geocities. If someone registers that domain name, because he's too young to remember, or whatever... He'll figure out pretty quickly that things don't work for him, so he'll pick a different domain name, like goatsrus, geotowns, geomegacities, or whatever.
Frankly, I think that there are more pressing problems to think about.
Re: (Score:3, Funny)
Simple. Do not call your web site goatse, or geocities. If someone registers that domain name, because he's too young to remember, or whatever... He'll figure out pretty quickly that things don't work for him, so he'll pick a different domain name, like goatsrus, geotowns, geomegacities, or whatever.
I'm going to start a free hosting service for shock sites called Goatsecities...
Re: (Score:2)
And God knows we can't even consider solving a problem properly when more pressing problems exist.
Re: (Score:2, Funny)
Re: (Score:3, Interesting)
Re: (Score:2)
I don't understand why Geocities' old IP addresses would be a bad location? Why was geocities.com filtered?
Re: (Score:3, Funny)
OMG WTF PONNIES!!! (Score:2, Funny)
OMG WTF PONNIES!!!
who's on first? (Score:2)
Re: (Score:2, Funny)
Re:who's on first? (Score:4, Funny)
Re:who's on first? (Score:5, Informative)
nslookup -q=ptr 69.69.69.69.in-addr.arpa
Non-authoritative answer:
69.69.69.69.in-addr.arpa name = the-coolest-ip-on-the-net.com
Well, I'll be... I honestly didn't expect that. Duh...
Re: (Score:3, Interesting)
It makes me sad that it points to a link farm...
Re: (Score:3, Interesting)
Re: (Score:2)
> did not Godaddy get its start registering pr0n sites?
So what?
Re:who's on first? (Score:4, Funny)
You see, porn is bad. Because it has naked people in it pretending to have sex. Which is bad because sex isn't fun, it's a terrible thing that must be endured for the betterment of society. Or something. I dunno, don't ask me hard questions. It's in the bible, right after god said to go forth and multiply...
Sex = bad! Stop questioning things!
What slums? (Score:3, Funny)
I thought they'd switched off geocities already?
Re: (Score:3, Informative)
Re: (Score:3, Funny)
What filter rules? I mean, okay, that light on dark text and background midi and blinking marquees were annoying, but still, you could just not visit...
Re: (Score:2)
Re: (Score:3, Funny)
Well, it still wouldn't hurt their reputation as badly as if they'd called it Bio-Dome [imdb.com].
Easy solution: (Score:3, Informative)
And, of course, you should regularly be looking at your entire setup, including filtering, on a regular basis to make sure the solution you have is still the best one for your situation. Technology, and the Internet, changes too rapidly to take a "set and forget" attitude toward anything, especially filtering.
Re: (Score:2)
The people with the problem (the new owners of the IP address space) are not the people who can make the problem go away by your suggestion. Yes, it might be nice if everyone did make this change, but it is also highly unlikely.
I have seen even worse use of blacklists -- for example I came across one company that was rejecting email if a blacklist was matched anywhere in the "Received" lines, and their set of blacklists included
Re: (Score:2)
What if our operating systems were more secure, or if virtualization became universally used? Wouldn't that make it less necessary to use blacklists? I mean, if there's no danger from malware, then I don't have to worry so much if I open an attachment from an email that looks like it's coming from a friend. Worst thing it can do is blow up my virtual machine and I can just close a window and keep on going. It would also make hackers look for other ways to do evil besides attacking our desktops.
Is virtua
Re: (Score:3, Interesting)
What if our operating systems were more secure, or if virtualization became universally used? Wouldn't that make it less necessary to use blacklists? I mean, if there's no danger from malware, then I don't have to worry so much if I open an attachment from an email that looks like it's coming from a friend. Worst thing it can do is blow up my virtual machine and I can just close a window and keep on going. It would also make hackers look for other ways to do evil besides attacking our desktops.
Is virtualization as secure as I think it is? I admit I don't know a lot about internet security beyond just being careful and using protection, so I'd like to hear what those of you who have expertise think.
It's not about viruses; it's the sheer volume of spam hitting mail servers that makes blacklisting necessary.
If you remove it, you're essentially allowing yourself to be DOS'd.
Re: (Score:2, Funny)
Re: (Score:2)
Well I'm happy to hear that you are so filthy rich that you do not care about paying for extra bandwidth just to receive other people's junk.
Re: (Score:2)
It doesn't even have much to do with data bandwidth.
It has to do with human processing ability.
If you don't filter the spam out, then you'll miss quite a lot of legitimate e-mails, and may not even check your e-mail at all.
Re: (Score:2)
Makes sense. Thanks for the explanation.
I saw "hackers" mentioned above and I thought the problem with the large number of blacklisted IPs was malware.
Re: (Score:2)
Greylisting takes out 90% of the spam for me.
And if there are false positives in that, then it's time for the sender to properly set up their e-mail system. Greylisting is based on senders having proper mailers. A single retry after a few minutes and you're through. It's just that spammers' fire-and-forget mailers do not retry.
And after that it's SpamAssassin looking at the rest, using a.o. various RBLs.
I wouldn't consider using any RBL as fully authoritative though, like blocking on SMTP level based on
Re: (Score:2)
I considered using greylisting but the number one issue with greylisting for me is that it turns email from "arrives in 3 to 30 seconds" to "arrives in 3 seconds to 6 hours". Also, most greylisting setups I've had to deal with were kind of, for lack of a better description, wonky and paranoid ("You're not on our Good Guys(tm) list? REJECTED!"). I suppose greylisting is better than the horribly broken approach of rejecting incoming mail where reverse lookup doesn't match (e.g. email from somecompany.com whic
Re: (Score:2)
The delay is only for new senders and admittedly can be irritating if you're waiting for a web sign-up reply or so (but then you could just use mailinator for that). It saves so much spam processing that I consider it a very good trade-off.
For anyone e-mailing me more than once every three months or so (as in all regular contacts) there is no extra delay.
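The greylisting behaviour described in the two posts above (temp-fail an unknown sender, accept a retry after a few minutes, no delay for regular contacts), as an added example that is not code from any real MTA or from the posters. The delay, entry lifetimes and /24 grouping of client addresses are assumptions chosen for the illustration.

```python
"""Toy greylisting decision engine.  An unknown (client block, sender, rcpt)
triplet gets a temporary SMTP failure; a retry after the minimum delay is
accepted; a sender that keeps coming back stays whitelisted for months.
Example code added for illustration, not from any real mail server."""

from dataclasses import dataclass, field
from ipaddress import ip_address

# Tunables in seconds.  Assumed values, not taken from the thread.
MIN_RETRY_DELAY = 5 * 60             # a "few minutes" before a retry is honoured
GREY_ENTRY_TTL = 8 * 60 * 60         # forget a triplet that never retries
AUTO_WHITELIST_TTL = 90 * 24 * 3600  # "more than once every three months"

# SMTP replies the engine returns.
TEMPFAIL = "451 4.7.1 Greylisted, please retry later"
ACCEPT = "250 OK"


@dataclass
class Entry:
    first_seen: float
    last_seen: float
    passed: bool = False  # True once the sender retried correctly


@dataclass
class Greylist:
    table: dict = field(default_factory=dict)

    @staticmethod
    def key(client_ip: str, sender: str, rcpt: str) -> tuple:
        # Group IPv4 clients by /24: large senders commonly retry from a
        # pool of outbound hosts (assumption; IPv6 is keyed on the full address).
        addr = ip_address(client_ip)
        block = str(addr).rsplit(".", 1)[0] if addr.version == 4 else str(addr)
        return (block, sender.lower(), rcpt.lower())

    def decide(self, client_ip: str, sender: str, rcpt: str, now: float) -> str:
        k = self.key(client_ip, sender, rcpt)
        e = self.table.get(k)
        if e is None:
            # Never seen: record the triplet and ask the sender to retry.
            self.table[k] = Entry(first_seen=now, last_seen=now)
            return TEMPFAIL
        e.last_seen = now
        if e.passed:
            # Known-good sender: accept at once, whitelist timer refreshed above.
            return ACCEPT
        if now - e.first_seen < MIN_RETRY_DELAY:
            # Retried too fast (or a fire-and-forget mailer blasting twice).
            return TEMPFAIL
        # A proper retry after the minimum delay: let it through from now on.
        e.passed = True
        return ACCEPT

    def expire(self, now: float) -> int:
        """Drop stale entries (never-retried triplets after GREY_ENTRY_TTL,
        whitelisted senders after AUTO_WHITELIST_TTL).  Returns the count removed."""
        stale = [
            k for k, e in self.table.items()
            if now - e.last_seen > (AUTO_WHITELIST_TTL if e.passed else GREY_ENTRY_TTL)
        ]
        for k in stale:
            del self.table[k]
        return len(stale)
```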
Re: (Score:2)
You're assuming that everyone doing greylisting is doing it "properly" and even then it's an inconvenience.
/Mikael
Re: (Score:2)
Stop relying on blacklists as your primarily (or only!) filtering mechanism. There are far more sophisticated filtering solutions out there these days. Filtering based solely on blacklists is antiquated, ineffective, and vulnerable to massive issues with false positives.
Avoiding a primary reliance on blacklists is generally good advice, but let's not overstate things.
In a SOHO environment, for example, it could be considered perfectly acceptable, and offers a surprisingly effective and simple setup with non
Re: (Score:2)
Re: (Score:3, Interesting)
You didn't provide him a solution at all. Not really. Don't get me wrong, you are entirely correct in your advice.
However, how are you supposed to get that advice to, or even communicate reliably with, stubborn and/or stupid mail server admins? The problem most often is on the *other* side.
The mail server admins at Craigslist.org deserve to be shot (they really do, at least with rubber bullets). I have run into problems getting email to a mail server in which I am apparently blocked by five-ten-sg.com.
Re: (Score:2)
However, how are you supposed to get that advice to, or even communicate reliably with, stubborn and/or stupid mail server admins? The problem most often is on the *other* side.
Indeed, I once had an issue with a Turkish ISP (forgot the name of them) that had some seriously misconfigured mail server that kept throwing a lot of traffic my way (thousands of junk bounces per day for several days while one of my domains (that has a proper SPF record setup btw) was getting joe-jobbed), I tried contacting them, explained the issue and in what way their server was misbehaving and got a reply back that could be summed up as "Why should we listen to you? You're just some spammer trying to m
How does one renovate and recoup the lost trust t (Score:3, Insightful)
Re:How does one renovate and recoup the lost trust (Score:5, Funny)
You don't. The Internet never forgets, never forgives.
Never sleeps either. The internet waits.
What slums trust who now? (Score:2)
Re: (Score:2)
Yeah, no joke.
Even for Slashdot, that's a lot of slashes. I sprained my Wernicke's Area [wikipedia.org] trying to parse that.
Re: (Score:2)
Ventura Ave is a common mis-reading of Ventnor Ave, a yellow property next to the water works.
Usually never (Score:4, Insightful)
When do I clean addresses and domains out of my filters? Usually never. It's just too much trouble to keep tabs on all of them and actively look for them being cleaned up. Once they're in the filters, there they stay until something happens to make me take a look at them. Usually that something'll be someone I know getting caught by the e-mail filters and contacting me out-of-band to find out why I'm not responding to their mail. Or it might be me trying to go to a site I added to the filters ages ago and being blocked when I know it should be clean now, and I go and find it and remove it. But generally, unless something like that motivates me, I've got better things to do with my time than keeping track of all the bad guys I've run across over the years and whether they've mended their ways or not.
Why you're not responding? (Score:2)
Surely you reject mail at SMTP time, allowing the sending server to notify the sender that the mail didn't get through, right?
Re: (Score:2)
SMTP protocol? Hello, why am I wasting my CPU cycles and bandwidth on reading and rejecting a spammer's SMTP exchange? Their IP ranges go into my firewall and their packets get dropped long before they get anywhere near the SMTP server. If they get through that and get caught by the SMTP server's checks then yes they'll get an appropriate error code back, but that's a last-ditch check because Rule #1: you can't trust anything a spammer sends you, this includes their HELO/EHLO command.
Re: (Score:2)
So why are people's emails going into a blackhole, rather than them getting a bounce from their server?
Or maybe I misread your original sentence about people contacting you out-of-band; I interpreted that to mean they had no clue why you weren't answering, but it could easily be as a result of an undeliverable notification. My bad.
Re: (Score:2)
If he firewalls, they will get a "message undeliverable" from their own mailserver, since it can't connect to his mailserver to hand the message off. The message won't disappear from their local mail queue just because he's bit-bucketing the packets that are trying to establish connection.
Re: (Score:2)
Like you, I blacklist at my firewall... I also send reports to the block's owner... unlike you (apparently :) I go through my blacklist every few months, and if there haven't been any hits from that block, I'll remove it. I figure that will prevent the list from eventually becoming 0.0.0.0/0. :)
Re: (Score:2)
Where are the cops? (Score:3, Interesting)
In addition, at least one fraud expert who works with a number of big name retailers said online retail fraud rates fell from around $250,000 per day to zero for a short time following McColo's takedow
Why aren't the cops there getting customers lists from McColo and going after the fraudsters?
As far as the toxic waste is concerned, have the Government take those toxic addresses and have the Government turn their current addresses back into the pool. That will detox those addresses quick.
Re: (Score:2, Interesting)
Why aren't the cops there getting customers lists from McColo and going after the fraudsters?
In the case of McColo (and RBN), many of the fraudsters probably are cops, or at least have cops on the payroll.
Re:Where are the cops? (Score:4, Insightful)
Why aren't the cops there getting customers lists from McColo and going after the fraudsters?
Because the police are far too busy going after the real [lockergnome.com] criminals [cnn.com] to waste time with legitimate fraudsters.
Re: (Score:3, Interesting)
You know... That's a really good idea.
Signed IP swapping somehow... Reverify those IP addresses as valid.
It would only require transferring them to a host processing site.
Then, they could be removed from block lists and be reallocated.
It would be a fuck load of record updates, though.
Easy (Score:4, Interesting)
Before you order a co-lo, agree that it has to pass certain checks, such as a blacklist check.
http://www.mxtoolbox.com/blacklists.aspx
As for decreasing IP space, IPv6 (real or tunneling) is available at most large co-lo places, so that won't be a problem.
You Don't. That's the point. (Score:5, Insightful)
As the purchaser, you probably can't. But what you can do is demand that your provider move you to a better IP neighborhood, or renegotiate (read: "tear up") the contract.
Blocklists aren't about playing whack-a-mole with spammers, they're about disincentivizing spam-friendly providers.
If you're an ISP or hosting provider, and you harbor spammers and botnets, the IP ranges you hold are permanently devalued. That means it's harder for you to get customers, more expensive to support your legitimate customers, and your business, when you decide to sell it, is worth less than if you'd booted the goddamn spammers off your network when you had the chance.
Car Analogy: If you're doing your own oil changes, and instead of hauling the waste oil to a recycler, you dump it into your backyard, don't complain when you try and sell your house and the highest bid still leaves you $100,000 underwater on your mortgage, or requires you to spend $150,000 remediating it. Your property is worth less than it could have been, had you only been a better steward of it.
"incentivize" (Score:2)
The word is "incite".
Re: (Score:2)
It is irritating to see the birth of yet another corporate-speak word. Unfortunately I don't think incite is going to ever be a good replacement. Incite has the strong connotation of encouraging someone to do something bad instead of something good.
Unfortunately, given its origins, "incentivize" is likely to acquire the same connotation over time.
Re: (Score:2)
Try 'motivate'.
90 percent of blacklists are crap... (Score:5, Funny)
...because 90 percent of everything is crap.
> So too, now Geocities is dead [as a business], but does that still live in your filter list? It still appears in OpenDNS under several policy categories.
If you filter via OpenDNS, then you get what you deserve.
If you've done *any* metamoderating of OpenDNS website classifications, you will soon decide that poo flinging chimpanzees are more accurate.
I came, I saw, I ran away screaming.
--
BMO
4chan (Score:5, Insightful)
Re: (Score:3, Funny)
/b/ is the first thing that came to my mind as well
Re: (Score:2)
Re:4chan (Score:4, Insightful)
Mod parent +5,000, Insightful.
Seriously; if maintaining your level of faith in the compassion, empathy, and fundamental decency of the human species is something you care about, don't ever visit 4chan.
That site is very little more than a showcase of the very worst, morally, psychologically, and emotionally, that humanity is capable of.
Re:4chan (Score:5, Funny)
Mod parent +5,000, Insightful.
You missed your chance, dude. You should have said: Mod parent over 9000, Insightful.
Re: (Score:2)
That site is very little more than a showcase of the very worst, morally, psychologically, and emotionally, that humanity is capable of.
Which is why /b/ tends to provide great entertainment. It is always impressive to see how low people can go for their 15 seconds of "fame".
1 year (Score:5, Insightful)
Everything should expire after a year.
I also would suggest this in government. That all laws get renewed to automatically expire after 10 years. That way we can keep the law makers busy keeping the good laws while letting the old ones die, as well as keeping them from making crappy new ones that won't survive a 10 year renewal.
Exactly!! (Score:2, Insightful)
They're desperate to show that they're doing something. Make it so they have to do something to maintain the status quo and everybody's happy.
Re: (Score:3, Insightful)
Agreed. Also, all laws must be read into the record. That'll put an upper bound on the sheer magnitude of legislation and guarantee that the aforementioned laws have been read at least once.
Re:1 year (Score:4, Insightful)
Reading every law? What about the building code? What about trade duty schedules? What about the tax law (a lot of the complexity of which is actually necessary)? I'm sure you can find many more examples [cornell.edu]. It's as if you're asking for every computer program to be dictated by telephone. Your request reflects a very naive view, namely that complex societies like ours can be governed by simple laws.
If we actually tried what you suggest, what we'd see is simple legislation. Because these laws would be simple, they couldn't address subtleties and special cases, and as a result, these laws would cause a lot of injustice. Is this the world you'd really like to live in?
I never understood how people like you can see all law as universally bad, and how you actually hope for a "gridlock". Bad government is bad, yes, but good government is also good. You'd argue that all government is bad government, but if you look around, any reasonable person will see that argument is nonsense. Only ideologues maintain that government is always the problem.
Hogwash: Building codes are regulatory (Score:2)
Hogwash: Building codes are regulatory, just like FCC and FAA rules, or public utilities commission rules. The only laws involved are usually rather simple and to the point in delegating the authority to an administrative agency generally controlled by the executive branch of the appropriate government.
As far as tax law, it's only necessary to not have a graduated flat tax (e.g. taxed on what you earn above minimum was times 2080 hours + $1) if you are intent on hiding your legislative cronyism, malfeasanc
Re: (Score:2)
Of course the best form of government is benevolent dictatorship. The only problem is that benevolent dictatorships tend not to stay benevolent, especially when authority is passed down to the dictator's heirs.
Re: (Score:2)
However, in a jury system, if juries are given power to interpret the laws, then you get interesting consequences.
Intentionally vague laws can be abused, yes, but they're also flexible in the other direction.
Re: (Score:2)
You'd argue that all government is bad government, but if you look around, any reasonable person will see that argument is nonsense. Only ideologues maintain that government is always the problem.
Has the thought ever occurred to you that some of us may see the expansion of government as evidence of a decline in society? It's like public schools in inner cities. Why are they expensive? It's because they are the only institution with money and so everyone hangs their hat on them. You can either underfund th
Re: (Score:2)
Everything should expire after a year.
I also would suggest this in government. That all laws get renewed to automatically expire after 10 years. That way we can keep the law makers busy keeping the good laws while letting the old ones die, as well as keeping them from making crappy new ones that won't survive a 10 year renewal.
I used to think that would be a good idea, but then I realised politicians would be involved. Think of the pressure that could be put on a weak government if the opposition felt that their new bill had to be passed before they would support renewing the law against tax evasion. The opposition wouldn't lose the support that they would if they tried it with laws against murder etc, but it would cripple the government.
"illegal activity" is another person's "freedom" (Score:2)
Indeed, the economic benefits abound when a huge swath of illegal and annoying activity ceases
Translated from corporatocracy-ese to English:
"once we've quashed the disruptive technological utopia people created on the web, the economic opportunity to carve it up and sell it back to only those who can pay abounds!"
Downbelow finally explained (Score:2)
I always wondered how Downbelow really could really happen in an enlightened, spacefaring society.
See - http://en.wikipedia.org/wiki/Babylon_5_(space_station) [wikipedia.org]
Substitute "IP slums" for "Downbelow" and "information-based" for "spacefaring."
See - http://en.wikipedia.org/wiki/Geocities#Neighborhoods [wikipedia.org]
Re: (Score:2)
I think they explained that pretty well in the series, and even discussed the social conditions that led to it.
1) Lots of people on speculative journeys (think gold-rush mentality) that had a tough time and can't afford the return trip home.
2) Refugees from war, political and religious persecution, etc.
Throw in some compassion on the administration's part (e.g., not just going to throw them out an airlock), but not full-fledged socialism, and voila, a slum.
Re: (Score:2)
I acknowledge the explanation - and truly appreciate your clarification of it.
I've always seen slums as something that holds over from the past, and couldn't really understand how they got them in a new space station. It was a bias on my part.
But seeing it occur in fairly new tech (per this article / thread), kinda opened the door for me to begin to accept how that worked.
be careful (Score:2)
Good question (Score:2)
Aside from calling the IP allocations formerly used by criminals "slums", this is actually a very important question. All of McColo's space is still in my edge routers as "drop". I only checked because of the connection with this story. Does it make sense to drop those blocks now? I'm not entirely sure, and since no one is complaining (as yet), why WOULD I remove them?
Should we look to some authority to publish a list, something like the SpamHaus DROP list?
Should we start looking to ICANN to more strongly e
My situation (Score:5, Interesting)
When I set up my first postfix daemon, I failed. Took me days. One day, it seemed like it was working, but wasn't accepting username and password logins. I went to bed, didn't stop postfix.
The next day I get an email from my colo asking why some of my IPs are being blacklisted. The colo apparently got notified that two of my IP addresses are spammers. I looked at my logs and sure enough, I stupidly let postfix run as an open smtp server and some guy started using it to send out spam.
So I stopped that, but now what? Yahoo won't accept my emails. Craigslist won't accept my emails. Hotmail moves them into the junk folder. Yahoo had the best help.
http://help.yahoo.com/l/us/yahoo/mail/postmaster/errors/;_ylt=ArX8PxnGVabUYKQmtOrSQN5vMiV4 [yahoo.com]
So the error message I was getting from Yahoo was related to spamhaus. I stopped postfix, finally got it up and running properly with authentication, and sent an email to the SBL list guys ( http://www.spamhaus.org/sbl/delistingprocedure.html [spamhaus.org] ) and got delisted pretty quickly.
Sending emails to Yahoo now worked fine. Other places were slower to realize that I was not a spammer, but all in all, it took about 6 months for the dust to settle, and a few more emails to various places to say "hey! I am not a spammer!".
For a major business, this can be a problem, but these lists aren't private. When doing research on where to create your new home on the internet, checking to see if they are blacklisted anywhere first would be a prudent thing to do.
blocklisted? (Score:2)
A heavily blocklisted network quickly becomes unattractive to legitimate businesses
Is that like a blacklisted net? Can someone spam them an editor please?
Re: (Score:2, Insightful)
Among antispam industry professionals (yes, I am one) the term blocklist appears to be slowly displacing blacklist as the term of choice.
Wait a few years (Score:2)
Wait a few years. In five years or so, those addresses will have scrolled off blacklists. It's not a big deal.
Blacklists should expire aggressively (Score:3, Interesting)
The point is, you need to expire entries aggressively. Keeping entries around because somebody received a spam from somewhere in that general direction four years ago is just silly. And don't get me started on blacklisting domains. If there is one thing we know with almost total certainty, it is that spammers never use From: or Reply-to: addresses that have anything vaguely to do with the real senders.
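The two approaches described in this thread for keeping a drop list from growing forever (the earlier post that reviews the firewall blacklist every few months and removes blocks with no hits, and the post above arguing that entries should expire aggressively), combined into one added example. This is illustrative code, not from any firewall or RBL; the 90-day review window and the sample netblocks are constructed for the example.

```python
"""Firewall-style drop list that tracks the last hit per netblock, so idle
entries expire instead of accumulating until the list approaches 0.0.0.0/0.
Example code added for illustration, not from any real product."""

from ipaddress import ip_address, ip_network
from typing import Optional

REVIEW_AFTER = 90 * 24 * 3600  # assumed: prune entries idle for ~3 months


class DropList:
    def __init__(self):
        # ip_network -> {"added": ts, "last_hit": ts or None, "hits": n, "reason": str}
        self.entries = {}

    def add(self, cidr: str, now: float, reason: str = "") -> None:
        net = ip_network(cidr, strict=False)
        if net.prefixlen == 0:
            # Refuse the degenerate "drop the whole Internet" entry.
            raise ValueError("refusing to drop the entire address space")
        self.entries.setdefault(
            net, {"added": now, "last_hit": None, "hits": 0, "reason": reason}
        )

    def match(self, ip: str, now: float) -> Optional[object]:
        """Return the matching network and record the hit, or None.
        A linear scan is fine for a list of a few hundred blocks."""
        addr = ip_address(ip)
        for net, rec in self.entries.items():
            if addr.version == net.version and addr in net:
                rec["last_hit"] = now
                rec["hits"] += 1
                return net
        return None

    def expire(self, now: float) -> list:
        """Remove entries with no hit inside REVIEW_AFTER and return them as
        strings.  An entry that never hit is measured from when it was added,
        so a block that was listed once years ago and went quiet drops out."""
        removed = []
        for net, rec in list(self.entries.items()):
            reference = rec["last_hit"] if rec["last_hit"] is not None else rec["added"]
            if now - reference > REVIEW_AFTER:
                removed.append(str(net))
                del self.entries[net]
        return removed
```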
Re: (Score:2, Informative)
Re: (Score:2)
Re: (Score:2)
Re:Obligatory grammar nazi (Score:5, Funny)
I once passed a shop offering "Sandwich boxe's". I call it hedge-your-bets punctuation...
Re: (Score:2)
Don't you mean 'hedge-you'r-bet's"?
Re: (Score:2)
I once passed a shop offering "Sandwich boxe's". I call it hedge-your-bets punctuation...
Dude. I was in a Safeway that claimed to be selling "Mrs Whites pie's". I cried. Three words, three mistakes: HOW?
Then I pulled out a Sharpie and fixed it, which is why my friends used to call me Conan The Grammarian. Bad grammar modded for free!
Re: (Score:2)
I see only two mistakes. I hope your third correction wasn't to put a full stop after Mrs, because it ends in the same letter as the word it abbreviates.
Re: (Score:2)
And now you don't have an friends left.
Oh, the inory...
Re: (Score:2)
There are worse things out there than SORBS. There is a certain mail trust tool that auto-blocks any IP with a negative spam-to-real percentage until the score returns to positive. Whatever genius thought that auto-kill system up forgot that you can't detect when the spam-to-real email percentage improves if you never accept email from the sender.
Re:I like the Ras Al Gul approach (Score:5, Interesting)
I used to think my old boss was crazy when he said he never wanted our antispam solution to rely on any blacklist provider and it didn't really sink in until I was on the opposite end of the spectrum. Blacklists are bad.
Re: (Score:3, Insightful)
though I would like to see ARIN report a list of freshened addresses (with purchaser approval of course), with digital sig and time stamp, so I could fix my blacklist. I don't see any easier feasible way to proceed.
Stor
Re: (Score:3, Informative)
It will be nearly impossible to get delisted, too, and for good reason. For years the Russian malware gangs played silly buggers with changing names, corporations and hosting providers to pretend to be different unrelated entities whilst still engaging in the abuse.
So “but I bought this netblock from someone else, I'm not a hacker!” is, unfortunately, something we've already heard many times from the hackers.
Re: (Score:2)