nanog mailing list archives

RE: Thanks & Let's Prevent this in the Future.
From: George Bonser <gbonser () seven com>
Date: Wed, 1 Feb 2012 17:00:43 +0000

I'd like to get a conversation going and possibly some support of an
initiative to spend that extra 30-seconds to verify ownership and
authorization of network space to be advertised.  Additionally, if
someone rings your NOC's line an industry-standard process of verifying
"ownership" and immediately responding by filtering out announcements.
There's no sense in allowing a service provider to be impaired because a
spammer doesn't want to give up clean IP space.  Do you protect a bad
customer or the Internet as a whole?  I pick the Internet as a whole.

How can we prevent anyone else from ever enduring this again?  While we
may never stop it from ever happening, spammers (that's what we got hit
by today) are a dime a dozen and will do everything possible to hit an
Inbox, so how can we establish a protocol to immediately mitigate the
effects of a traffic-stopping advertisement?

One problem is the number of routing registries and the requirements differ for them.  The nefarious operator can enter 
routes in an IRR just as easily as a legitimate operator.  There was a time when some significant networks used the 
IRRs for their filtration policy.  I'm not sure how many still do.

But generally speaking, if someone calls me and I can verify that they really are a POC for the entity that is assigned 
an address allocation (generally some verification method beyond email if the subnet their MX record points to is part 
of the hijacking!) then I am going to do whatever I can to help them out provided what they are asking for is 
reasonable and within my capabilities.  It shouldn't be too hard to verify.  If someone claims to be with a commercial 
entity of Foo.COM then the entity is likely listed in the phone book and a phone call can take care of my personal 
verification requirement.  

Back in the days of Cyberpromo and Sanford Wallace, what I did was use TCP wrappers on my mail server so that when I
received a connection from a Cyberpromo net block, I hairpinned the connection back to his MX server using netcat so
when he connected to me, the HELO he received was from his own mail server, which gladly accepted mail from Cyberpromo.
He could pump mail to me all day long if he wanted to, but his mailq wasn't going to get any smaller.

The problem of email spam is an interesting one that has been battled for a very long time and is probably better 
discussed on a list dedicated to that topic.
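
An added illustration of the routing-registry point in the message above (not part of the original post and not any operator's actual tooling): a check that compares an announcement with route objects from more than one registry and flags prefixes whose registered origins disagree, which is the case that calls for the out-of-band ownership verification described. The registry names, ASNs, prefixes and function names are constructed for the example, and the parser handles only simple IPv4 `route` objects.

```python
import ipaddress
from collections import defaultdict

# Constructed route objects: documentation prefixes, reserved ASNs, made-up registries.
SAMPLE_IRR_DUMP = """\
route:   192.0.2.0/24
origin:  AS64500
source:  REGISTRY-A

route:   192.0.2.0/24
origin:  AS64666
source:  REGISTRY-B

route:   198.51.100.0/24
origin:  AS64501
source:  REGISTRY-A
"""

def parse_route_objects(text):
    """Yield (network, origin, source) per blank-line-separated route object."""
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs[key.strip().lower()] = value.strip()
        if {"route", "origin", "source"} <= attrs.keys():
            yield (ipaddress.ip_network(attrs["route"]),
                   attrs["origin"].upper(), attrs["source"].upper())

def check_announcement(prefix, origin_as, objects):
    """Classify an announcement against every route object that covers it."""
    net = ipaddress.ip_network(prefix)
    origins = defaultdict(set)  # origin AS -> registries that list it
    for route, origin, source in objects:
        if route.version == net.version and net.subnet_of(route):
            origins[origin].add(source)
    if not origins:
        return "unregistered", {}
    if origin_as.upper() not in origins:
        return "origin-mismatch", dict(origins)
    # A matching object alone proves little when another registry names a
    # different origin: someone has to verify ownership out of band.
    if len(origins) > 1:
        return "conflicting-registrations", dict(origins)
    return "match", dict(origins)
```

A filter that only asks whether some route object matches the prefix and origin would accept both AS64500 and AS64666 for 192.0.2.0/24; this check reports the conflict instead.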


