@Home Responds to the UDP Notice
To the USENET Community:
In response to the recent UDP call for @Home Network to be removed from interacting on the USENET, we are submitting an official response with a proposal of short term and long term news spam prevention initiatives. Excite@Home is very committed to participating respectfully on the Internet, and we have taken previous requests for action seriously.
We have found that the primary source of our excessive USENET posting history comes from subscribers who have installed proxy software incorrectly. Unbeknownst to the customer, this misconfiguration has allowed outside access to the @Home news servers, and has resulted in our subscribers becoming spam relays. Because these various IP addresses create holes in our network, spammers have taken advantage of this misconfiguration, and have posted thousands of newsgroup messages through our news machines.
As of today, we are stepping up our involvement and taking more aggressive action by performing frequent network wide scans of our customer base to target proxy servers. Once these customers are identified, we are suspending their news service immediately. Re-enabling will not occur until we are assured that their machines are secure. We feel that this proactive effort will dramatically decrease the amount of extraneous news traffic originating from home.com.
We are committed to promoting better Excite@Home participation on the USENET, and we are in the process of modifying our current news product and news architecture. We are also implementing more user education as a parallel initiative.
With these new tactics in place, we are asking for an extension to our USENET access beyond the 18th of January and we are confident that the USENET community will see positive news statistics coming in the next few days.
David Jackson
Manager, Network Policy Management
Excite@Home
davjackson@excitehome.net
I sent an email to Shaw@Home (Canadian supplier of the @Home service) yesterday regarding the UDP, and here's what they had to say:
--- begin e-mail
We are aware that a UDP has been issued against @Home and it is clearly an @Home issue. @Home is aware of the problem and is working on meeting the requirements to have the UDP lifted so that you will continue to enjoy the use of the news service. Due to the current activity and attention to this issue Shaw does not anticipate that the UDP will go into effect.
--- end e-mail
There are several reasons why. #1: Consider that the volumes of spam we're talking about - probably gigabytes upon gigabytes - would easily paralyze a cable modem connection, particularly when, for most @Home users, the upload cap is approximately 128Kbps (approx. ISDN speed). For anyone to make use of this exploit would require probably a dozen cracked systems per spammer.
#2: Every one of those systems is already being used by a human being (scratch that - several human beings; we are talking about a proxy here), who are going to complain to @Home, at which point they would have put a stop to the spamming.
#3: A UDP is only proposed after repeated attempts to notify the non-compliant admins of the problem. When @Home was notified, they could have found the addresses that the spam was posted from and discovered this "proxy" problem much earlier. Indeed, proxy problem or not, @Home could have remedied the situation much earlier than they are.
#4: Occam's Razor. Mr. Jackson's explanation is not the simplest one that fits all the facts. The simplest explanation is that @Home users are being allowed to post unadulterated spam and not being punished for it.
Having said that, I'm betting the spam problem goes away before the deadline. This is the usual "we don't have a problem and we're fixing it" notice that goes out after most of the UDPs, and usually, the UDP doesn't have to be enacted because the ISP knows (and simply refuses to admit) that they have a problem - and they fix it to avoid the punishment.
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
Woah. Woah there. Slow down just a second.
Right. Burn 'em at the stake? Let's see why again?
They didn't say they did. They said they will.
Right, I just don't get this. Do you know how long a scan takes? I'm not talking a script kiddie's nmap for open ports. I mean systematically probing an entire network for a stated behaviour with a sufficient timeout that you won't miss really slow servers (like, oh, say, ones that are already pumping piles of spam). They announced they'd start this as of today. Clue: it's not done yet.
And what do ports 8000 and 8080 have to do with this anyway? Are you talking about web proxies? They're a problem, sure, but tell me again how scanning for web proxies will get @Home out of the UDP? Can you even tell if @Home is scanning you on the NNTP port?
Heh. Gotta love the way you admit breaking your own ISP's rules on a public forum. And there are ways to judge relative security of an ISP. "I've run lots of scans and not been busted yet" is not one of them.
Signal 11, and everyone else, stop jumping on people when they admit they have a problem. This is good. @Home are doing the right thing when they admit this. It is the vital first step without which no further action can be taken. I know it's tempting to scream and roar at someone because they're evil, or because they snubbed you in the past. But these same people that are evil or snubbed you are the ones that we most need to take this step.
Please. If you think you can challenge @Home's statement, forward your evidence to the UDP people so they can consider it properly (clue: slashdot is not the best place to do this). But every time I see someone taking that first step and being met with ill-informed cries to burn, let 'em burn, I have to ask myself if I can actually ask the next guy to take it in good faith. I'm rapidly coming to the conclusion that I can't.
Dave
--
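The two technical points in this thread are @Home's announced network-wide scan for subscriber proxies and Dave's questions above about scan timeouts and whether a web proxy can even be used to reach the NNTP port. The following is an added example, written for this page and not @Home's scanner nor any poster's code, of the check such a scan has to make per host: ask a candidate proxy to CONNECT to the news server and see whether an NNTP greeting comes back. The proxy and news server are constructed in-process fixtures so it runs offline; the function names, the hostname `news.example.invalid`, and the reply texts are assumptions, not anything the page documents.

```python
"""Probe a host for an open CONNECT proxy that tunnels to an NNTP server.

Added example for this thread; not @Home's scanner. The proxy and news
server below are constructed fixtures so the probe can be run offline.
"""
import socket
import socketserver
import threading

NNTP_PORT = 119  # real news port; the offline demo uses ephemeral ports instead


def relays_to_nntp(proxy_host, proxy_port, news_host, news_port=NNTP_PORT, timeout=10.0):
    """Return the news server's greeting if the proxy tunnels us to it, else None.

    The timeout is deliberately generous: a proxy already saturated with
    spam traffic answers slowly, and a short timeout would miss exactly
    the hosts a scan most needs to find.
    """
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
            sock.sendall(f"CONNECT {news_host}:{news_port} HTTP/1.0\r\n\r\n".encode("ascii"))
            reader = sock.makefile("rb")
            status = reader.readline()
            if not status.startswith(b"HTTP/1.") or b" 200 " not in status:
                return None          # refused (403/405/502 ...) or not a proxy at all
            while reader.readline().strip():
                pass                 # skip the proxy's response headers
            greeting = reader.readline().decode("ascii", "replace").strip()
            # NNTP greets with 200 (posting allowed) or 201 (no posting permitted)
            return greeting if greeting.startswith(("200 ", "201 ")) else None
    except OSError:                  # connection refused, reset, or timed out
        return None


class NewsHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for a news server that trusts the proxy's source address."""
    def handle(self):
        self.wfile.write(b"200 news.example.invalid NNRP service ready (posting ok)\r\n")
        self.rfile.readline()        # wait for the peer to send a command or hang up


class OpenProxyHandler(socketserver.StreamRequestHandler):
    """Constructed misconfigured proxy: CONNECTs anyone to anywhere."""
    def handle(self):
        request = self.rfile.readline().decode("ascii", "replace").strip()
        while self.rfile.readline().strip():
            pass                     # discard the request headers
        parts = request.split()
        if len(parts) != 3 or parts[0] != "CONNECT" or ":" not in parts[1]:
            self.wfile.write(b"HTTP/1.0 405 Method Not Allowed\r\n\r\n")
            return
        host, port = parts[1].rsplit(":", 1)
        try:
            upstream = socket.create_connection((host, int(port)), timeout=5)
        except OSError:
            self.wfile.write(b"HTTP/1.0 502 Bad Gateway\r\n\r\n")
            return
        with upstream:
            self.wfile.write(b"HTTP/1.0 200 Connection established\r\n\r\n")
            self.wfile.write(upstream.recv(4096))   # relay the upstream greeting, then hang up


class ClosedProxyHandler(socketserver.StreamRequestHandler):
    """Constructed correctly configured proxy: refuses tunnelling outright."""
    def handle(self):
        self.rfile.readline()
        self.wfile.write(b"HTTP/1.0 403 Forbidden\r\n\r\n")


def _serve(handler):
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo():
    """Probe one open and one closed proxy against the constructed news server."""
    servers = [_serve(h) for h in (NewsHandler, OpenProxyHandler, ClosedProxyHandler)]
    (_, news_port), (_, open_port), (_, closed_port) = servers
    try:
        return {
            "open_proxy": relays_to_nntp("127.0.0.1", open_port, "127.0.0.1", news_port),
            "closed_proxy": relays_to_nntp("127.0.0.1", closed_port, "127.0.0.1", news_port),
        }
    finally:
        for server, _ in servers:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    for name, greeting in demo().items():
        print(f"{name}: {'RELAYS -> ' + greeting if greeting else 'does not relay'}")
```

Run against real hosts, `relays_to_nntp` would be called once per subscriber address with the ISP's own news server as the target, which is why a whole-network pass is slow: each probe may have to sit out the full timeout on hosts that are silent or overloaded, and a proxy that only answers on 8000 or 8080 is still a relay if it tunnels to port 119.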
Nor would they be intimately aware of the number of emails or phone calls the @Home abuse department has made to their customers to correct misconfigured proxies.
The wonderful thing about the UDP is precisely that it forces the spam issue regardless of the ISP's internal issues. The UDP folks look (rightly, imo) at ISPs as basically black boxes which either generate/perpetuate spam or do not, and act accordingly.
Look at it from another angle: Joe Ethical Admin has been bugging Sandy Clueless Manager for weeks or months about this, but gotten no real mandate to put fixes in because of low priority. UDP drives that priority up, and actually _helps_ Joe do the right thing!
As long as UDP remains ethical and fair in the 'prelude' phase (documented, adequate time to repent, adequate technical assistance) I have no problem with it, or with the pain it causes target ISPs. Sometimes you need to feel pain to know something needs fixing.
The bottom line (IMO) is that USENET has given @Home an ultimatum, and @Home is responding. But this is not the sort of problem that @Home can fix overnight.
Well, if they are responding adequately, I'm sure the UDP will be suspended or lifted. Check up on the history of the UDP: the 'judges' are pretty forgiving of truly repentant offenders.
The nature of their service and the shared network topology inherent in the cable network design create some unique security hassles. Everyone should do their best to understand the nature of the work required before they blast @Home for being unresponsive or for just not caring.
If they didn't think of abuse issues ahead of time during the design phase, they deserve what they get! It's not like IP networking hasn't existed for 20+ years.. There are solutions to this, which quite honestly should have been documented and applied at the time of the network rollout. And if the technically correct behavior is being stifled by non-technical considerations, it's things like UDP and MAPS that help force technical concerns up higher in the list, and that's nothing but a good thing.
Your Working Boy,
OK, so they posted a response. I actually know the guy that posted it (somewhat). Yay Mr. Jackson. You read the news.admin.* groups.
However, let's look at how it was posted. First, it was crossposted to the news.admin hierarchy. This is a no-no. They want you posting to the newsgroup that it is appropriate for. But let's overlook that transgression. It might have been an oversight on Mr. Jackson's part.
But he also forged the approval headers for the moderated newsgroups that he posted to. And that is a big no-no. Especially when you're pleading for your network's life. And it requires premeditation. You don't forge the headers by accident.
And not only that, but he has now attempted this three times. The first time it was cancelled by someone who I assume is one of the moderators with the message "No forged headers on my watch". Then Mr. Jackson posted it again. It was cancelled again with the message "No, kids, you don't get it. No forge-approvals. No crossposting in NANAP." Now it has been posted a third time.
So how serious can @Home be if they have committed multiple acts of net abuse all on their own in responding to the action being taken against them for their customers' net abuse?
-Todd
---
"The details of my life are quite inconsequential..."