Home page logo
/

nanog logo nanog mailing list archives

Re: Stealth Blocking
From: dlr () bungi com (Dave Rand)
Date: Thu, 24 May 2001 11:59:11 PDT


[In the message entitled "Re: Stealth Blocking" on May 24, 14:05, Mitch Halmu writes:]

On Thu, 24 May 2001, Dave Rand wrote:

The MAPS RSS(sm) is a list of open relays *which have been abused*.  These
are sites which have been reported to MAPS as open relays, and have spam
samples.  Once the spam has been verified, a test is performed to verify
that the site is, indeed, an open relay.  If a sample message is accepted,
and then returned by the site as a relay, the host is listed.  Removal from
the RSS requires that the host no longer relays.  Automated probes are never
done - a human must request the test, and spam must be available.  Because
of the very large number of hosts listed (around 100,000 as I write this),
it's generally used in DNS mode only.  It's pretty easy to get a host which
is an open relay that has transmitted spam onto the list.  Between 100 and
1,500 hosts per day are added, and hundreds per day are taken off (as soon
as they let MAPS know that the relay has been closed).

Very interesting statistics. It gives you a clear picture of the magnitude
of the squeeze. Now I understand why such heavy hammer was needed at the
helm full-time. Supposing that 100,000 server owners plus those forcibly
're-educated' get together and do something about it, like scream, or jump 
of a 12 inch stool, or donate $10 each, would they be able to shake Dave 
off his high horse? How about if they also rally their users that were 
suddenly cut off?

The vast majority of the open relays that are left are on systems that are
unmanned.  Another is on systems that "aren't running a mail server" (the
classic case is "that is my DNS server, not my mail server!  Why is it on
the RSS?" - of course, they didn't realize that they had, in fact, left the
mail server enabled).

No need to shake me off a horse - just close the open mail server.  It's a
few minutes of work, in most cases, and a few hours in some.  Yes, there are
some "hard cases" that take much longer to close for various reasons, but it
is 2001, not 1997.  There's been plenty of time for people to close their
mail servers.

And note, again, that these hosts are on the RSS.  A BGP feed of the RSS is
not practical, so only hosts that choose to run the DNS version of RSS on
their mail servers will have their mail affected.


The collateral damage in blocking 100,000 hosts is simply unacceptable.
Especially because there are only a few hundred die-hard professional
spammers that need to be rooted out, and the problem diminishes, or at
least becomes manageable in another way. As an ISP, I have yet to see
a list of black sheep compiled consisting of individuals, spam companies, 
or credit cards used to defraud that should not be subscribed. Banks
share such information, why can't ISPs?

It would be wonderful if we could.  And I do agree that there are relatively
few hard-core spammers.  And we are rooting them out, one by one, and
forcing them into a smaller, and smaller number of ISPs that still permit
anonymous sign-up, or unrestricted port 25 access from their dialup ports.

The latest kick is to break into machines, and install spamware on them.
That's a great sign that the spammers have well and truely crossed the
line into already illegal ground.

It can also be argued that the collateral damage from *not* blocking spam is
unacceptable.  

But *no one* is forcing you to use any blocking methods.  If you don't want
to, don't.  If you want to, go ahead.  Your wires:  your rules.  Your
equipment:  your rules.  If you choose not to accept mail from people with
two wives, that's your choice to make.  If you want to accept traffic only
from even-numbered IP addresses, that's also your choice.

The RSS simply gives you a method to choose from. "These host have be abused
in the past, and we have verified them as still open.  The traffic you get
from here might be spam.".  Some people reject it, some mark it.  Others
don't.  What's the problem?


No matter how noble the cause, the methods are wrong. In all the debate, 
it was perhaps lost that no viable technological solution to roaming, 
meaning one that is happily accepted by the end user, exists yet. And 
please don't mention SMTP Auth, it's not perfected yet.


Many large ISPs are quite happily using pop-before-smtp, and other secondary
authentication schemes.  Other ISPs are using various other methods to
ensure that only their customers get to relay through their mail server.

If you have a better method for ferreting out spam, please let us know.  If
you think you can find a way to stop known spammers (when court orders,
fines, ANI blocking, and the like have failed), I'm all ears.

Until a better method comes along, I'll continue to make the RSS available.

It's my earnest desire that the count of hosts in the RSS reach zero.
It's my earnest desire that the count of hosts in the RBL reach zero.

Help achiving this goal, by eliminating spam, is appreciated.

-- 


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault