Recovering the Slums of the Internet?
turtleshadow writes "Brian Krebs of the Security Fix Blog analyzes the McColo Spamming one year later and asks an interesting question: 'How does one renovate and recoup the lost trust to the slums of the Internet and reclaim back all the domains and IPs that have been blacklisted?' Indeed, the economic benefits abound when a huge swath of illegal and annoying activity ceases — but given the basic design of the Internet, what happens over the long run to IP space and DNS when hosting companies come and go and vary in their trustworthiness? So too, now Geocities is dead [as a business], but does that still live in your filter list? It still appears in OpenDNS under several policy categories. How, in a few years, will I tell if some Hosting/Colo sold me Whitechapel Road/Ventura Avenue for Mayfair/Boardwalk prices, and no one is going to accept my mail from a former slum? When do you, if ever, roll back the blacklists and filters for 'dead' threats and spammers?"
Burn them to the ground.
IPv6!
OMG WTF PONNIES!!!
did not Godaddy get its start registering pr0n sites?
- Minutus cantorum, minutus balorum, minutus carborata descendum pantorum.
I thought they'd switched off geocities already?
Seven puppies were harmed during the making of this post.
Stop relying on blacklists as your primary (or only!) filtering mechanism. There are far more sophisticated filtering solutions out there these days. Filtering based solely on blacklists is antiquated, ineffective, and vulnerable to massive issues with false positives. If you only use blacklisting as a very small part of your overall filter scoring, you won't have problems when the IPs in question get turned over to non-spammers. Sure, they'll still end up with a non-zero "spam" score, but not a high enough one to be blocked.
And, of course, you should regularly be looking at your entire setup, including filtering, on a regular basis to make sure the solution you have is still the best one for your situation. Technology, and the Internet, changes too rapidly to take a "set and forget" attitude toward anything, especially filtering.
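Worked example, added by the editor and not part of the comment above: a toy score-based filter in Python in which a DNSBL hit is one capped signal among several, so mail from a recycled, still-listed IP is penalised but cannot be rejected on that signal alone. The rule names, weights, thresholds and the two sample messages are assumptions made for illustration.

```python
# Added example, not code from the original post: a score-based mail filter in
# which a DNSBL hit is one weighted signal among several, so a sender on a
# recycled, still-listed IP is penalised but not blocked outright.
# Rule weights, thresholds, rule names and the two sample messages are
# assumptions made for illustration.
from dataclasses import dataclass

BLOCK_THRESHOLD = 5.0   # assumed: at or above this the message is rejected
JUNK_THRESHOLD = 3.0    # assumed: at or above this it goes to the junk folder
DNSBL_CAP = 2.0         # assumed: the most any number of blacklists can add


@dataclass
class Message:
    client_ip: str
    helo: str
    subject: str
    body: str
    rdns_matches_helo: bool
    listed_on: frozenset = frozenset()   # DNSBLs listing client_ip (looked up elsewhere)


# Each rule returns (score_delta, reason or None).
def rule_dnsbl(m):
    # The blacklist hit counts, but it is capped: on its own it cannot reach
    # either threshold, which is the point the comment above makes.
    if not m.listed_on:
        return 0.0, None
    return min(1.0 * len(m.listed_on), DNSBL_CAP), "listed on " + ",".join(sorted(m.listed_on))


def rule_rdns(m):
    if m.rdns_matches_helo:
        return 0.0, None
    return 1.5, "HELO name does not match reverse DNS of " + m.client_ip


def rule_content(m):
    text = (m.subject + " " + m.body).lower()
    hits = [w for w in ("viagra", "casino", "act now") if w in text]
    if not hits:
        return 0.0, None
    return 1.0 * len(hits), "spammy phrases: " + ",".join(hits)


def rule_shouting(m):
    letters = [c for c in m.subject if c.isalpha()]
    if letters and sum(c.isupper() for c in letters) / len(letters) > 0.7:
        return 1.0, "subject is mostly upper case"
    return 0.0, None


RULES = (rule_dnsbl, rule_rdns, rule_content, rule_shouting)


def score(m):
    """Sum every rule's contribution; return (total, list of reasons)."""
    total, reasons = 0.0, []
    for rule in RULES:
        delta, why = rule(m)
        total += delta
        if why:
            reasons.append(f"{why} (+{delta:.1f})")
    return round(total, 2), reasons


def verdict(m):
    """Return (action, score, reasons) with action one of accept/junk/reject."""
    total, reasons = score(m)
    if total >= BLOCK_THRESHOLD:
        return "reject", total, reasons
    if total >= JUNK_THRESHOLD:
        return "junk", total, reasons
    return "accept", total, reasons


# Constructed sample messages (documentation addresses, not real senders).
RECYCLED_IP_MAIL = Message(
    client_ip="192.0.2.10", helo="mail.example.net", subject="Q3 invoice attached",
    body="Hi, the invoice for last quarter is attached. Regards, Pat",
    rdns_matches_helo=True, listed_on=frozenset({"dnsbl.example"}))

OBVIOUS_SPAM = Message(
    client_ip="198.51.100.7", helo="ylt.invalid", subject="BUY VIAGRA ACT NOW",
    body="act now and win at our casino",
    rdns_matches_helo=False, listed_on=frozenset({"dnsbl.example", "other.dnsbl.example"}))

if __name__ == "__main__":
    for msg in (RECYCLED_IP_MAIL, OBVIOUS_SPAM):
        action, total, reasons = verdict(msg)
        print(f"{msg.client_ip}: {action} (score {total}) {reasons}")
```

Run as-is, the legitimate mail from the listed-but-recycled IP scores 1.0 and is accepted, while the spam scores 7.5 and is rejected; the cap on the DNSBL rule is what keeps a stale listing from deciding the outcome by itself.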
You don't. The Internet never forgets, never forgives.
that SORBS bastard wanted to charge me $50 to take my new block of IPs off his/her/its list!
hah, good luck SORBS is out of business now!
I think I've gone aphasic. The summary/quote didn't make an ounce of sense to me.
When do I clean addresses and domains out of my filters? Usually never. It's just too much trouble to keep tabs on all of them and actively look for them being cleaned up. Once they're in the filters, there they stay until something happens to make me take a look at them. Usually that something'll be someone I know getting caught by the e-mail filters and contacting me out-of-band to find out why I'm not responding to their mail. Or it might be me trying to go to a site I added to the filters ages ago and being blocked when I know it should be clean now, and I go and find it and remove it. But generally, unless something like that motivates me, I've got better things to do with my time than keeping track of all the bad guys I've run across over the years and whether they've mended their ways or not.
In addition, at least one fraud expert who works with a number of big name retailers said online retail fraud rates fell from around $250,000 per day to zero for a short time following McColo's takedown
Why aren't the cops there getting customers lists from McColo and going after the fraudsters?
As far as the toxic waste is concerned, have the Government take those toxic address and have the Government turn their current addresses back into the pool. That will detox those addresses quick.
It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
Amen, brother.
Before you order a co-lo, agree that it has to pass certain checks, such as a blacklist check.
http://www.mxtoolbox.com/blacklists.aspx
As for decreasing IP space, IPv6 (real or tunneling) is available at most large co-lo places, so that won't be a problem.
Read this before you post again.
As the purchaser, you probably can't. But what you can do is demand that your provider move you to a better IP neighborhood, or renegotiate (read: "tear up") the contract.
Blocklists aren't about playing whack-a-mole with spammers, they're about disincentivizing spam-friendly providers.
If you're an ISP or hosting provider, and you harbor spammers and botnets, the IP ranges you hold are permanently devalued. That means it's harder for you to get customers, more expensive to support your legitimate customers, and your business, when you decide to sell it, is worth less than if you'd booted the goddamn spammers off your network when you had the chance.
Car Analogy: If you're doing your own oil changes, and instead of hauling the waste oil to a recycler, you dump it into your backyard, don't complain when you try and sell your house and the highest bid still leaves you $100,000 underwater on your mortgage, or requires you to spend $150,000 remediating it. Your property is worth less than it could have been, had you only been a better steward of it.
Followed by handing over the domains to a rich developer to build an on-line sports stadium.
You do not use the apostrophe to pluralise.
...because 90 percent of everything is crap.
> So too, now Geocities is dead [as a business], but does that still live in your filter list? It still appears in OpenDNS under several policy categories.
If you filter via OpenDNS, then you get what you deserve.
If you've done *any* metamoderating of OpenDNS website classifications, you will soon decide that poo flinging chimpanzees are more accurate.
I came, I saw, I ran away screaming.
--
BMO
I'm straight up gangsta from south central Ironforge...
isn't THAT the slum of the internet?
Everything should expire after a year.
I also would suggest this in government. That all laws get renewed to automatically expire after 10 years. That way we can keep the law makers busy keeping the good laws while letting the old ones die, as well as keeping them from making crappy new ones that won't survive a 10 year renewal.
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
You don't. The Internet never forgets, never forgives.
Never sleeps either. The internet waits.
Saying your "phone ran out of batteries" is like saying your "car ran out of gas tanks".
$SPAMLIST is an ill-maintained and disreputable, even renegade, rbl that is nearly defunct and we are not aware of many legitimate mail domains that would use it for any purpose. However, if this listing is causing you actual problems then you are probably a spammer. . . .
Indeed, the economic benefits abound when a huge swath of illegal and annoying activity ceases
Translated from corporatocracy-ese to english:
"once we've quashed the disruptive technological utopia people created on the web, the economic opportunity to carve it up and sell it back to only those who can pay abounds!"
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
Surely you reject mail at SMTP time, allowing the sending server to notify the sender that the mail didn't get through, right?
The word is "incite".
They're desperate to show that they're doing something. Make it so they have to do something to maintain the status quo and everybody's happy.
This sounds reasonable. How do I go about making sure my ISP/hosting provider is not harboring spammers/botnets? Is there a reputable site somewhere where this kinda info is tracked?
Yes, spammers and the IPs they use, and areas that the poorest of the poor live in is a really good analogy.
well I'm from south central Orgrimmar we will bust a spell in yours
I always wondered how Downbelow could really happen in an enlightened, spacefaring society.
See - http://en.wikipedia.org/wiki/Babylon_5_(space_station)
Substitute "IP slums" for "Downbelow" and "information-based" for "spacefaring."
See - http://en.wikipedia.org/wiki/Geocities#Neighborhoods
Pathological kinda promises Path + Logical - but instead, you get stuck with pathetic.
The problem with this is when ARIN takes back IP space and then hands it back out to another ISP. Such is the case at my company where one of our new /18's apparently had some /24s in it that were listed on blacklists PRIOR to our having ever had this IP space. It was obviously space ARIN got back from some other company and then assigned it to us when we requested more IPs.
I think another example would be many of the morality crimes as well.
@turtleshadow: Is 'slum' the best analogy you can come up with? As though slums everywhere are singularly about criminality? Do you live in Palm Beach or something? Monaco? What a thoughtless way to caricature people all round the world, and miss the point you want to make about criminality on the internet. See, in real life, slums are where people live when they're trying to make ends meet but just don't have the resources or infrastructure they need. You won't find spam kings working from Kibeira.
I wouldn't call it the slums of the internet. While it may be true that with the poor we have a lot of criminal activity it can be said that with the rich we have the most destructive type of criminal activity. And for the internet the blacklisted IPs represent the places with criminal activity, nothing more and nothing less.
And surfs for porn in the interim.
... never lies, and is always right
For justice, we must go to Don Corleone
What's the problem? That was a completely correct use of the colon!
Three days from now?? That's tomorrow!! ~Peter Griffin
While this is good policy on its face, it has a severe problem - the ISP itself is not permanent. What if the spam-friendly ISP goes out of business and its IP range is reassigned to a spam-hostile provider?
The parent seems to conflate an IP address assignment with an ISP. IP assignment is not permanent - IP addresses and ranges can and have been reassigned from one provider to another.
Based on the type of permanent blacklisting argued for by the parent, the spam-hostile provider is still blocked simply because they reside in a range previously owned by spammers. Over time, spammers move around and contaminate an ever growing portion of the IP space. If this IP space cannot be reclaimed the number of useful IP addresses will shrink over time.
In some sense, IPv6 is the solution - but until that blessed day arrives, IPv4 addresses are in short supply. As a result, some method of reclaiming "bad" IP addresses once their owners reform must be made available.
That is precisely the question under discussion here.
How about you don't accept the IP addresses of the slums and ask your provider for clean ones?
Aside from calling the IP allocations formerly used by criminals "slums", this is actually a very important question. All of McColo's space is still in my edge routers as "drop". I only checked because of the connection with this story. Does it make sense to drop those blocks now? I'm not entirely sure, and since no one is complaining (as yet), why WOULD I remove them?
Should we look to some authority to publish a list, something like the SpamHaus DROP list?
Should we start looking to ICANN to more strongly enforce removing bad actors? What rules, which guide lines? Is sending spam ok, but not being known to host fraud sites? Why? Who decides?
I think it highly ironic that SAVVIS commented upon IP allocations that are "poison" for email. Perhaps it's a case of "the burned hand teaches best." Those that deal with more than a modicum of email will know the back story to that vis-à-vis SAVVIS networks.
I may not be smart enough to have the answers, but I think I'm smart enough to know when someone asks a pretty darn good question. I think this is one.
Part of the answer may be for a system of distributed log inspection. Obviously, some of the information will need to be sanitized before being sent to third parties. Just as obviously, some way to keep the system from being abused by governments needs to be considered. How to do that without giving repressive governments a very powerful tool is something I've been thinking about for over five years. To date, I don't know that it can be done. I do think that if it cannot be closely kept to identifying command and control or infected hosts, it should NOT be done.
I want to shut down and stop criminals - not stifle those that protest against their governments.
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
When I set up my first postfix daemon, I failed. Took me days. One day, it seemed like it was working, but wasn't accepting username and password logins. I went to bed, didn't stop postfix.
The next day I get an email from my colo asking why some of my IPs are being blacklisted. The colo apparently got notified that two of my IP addresses are spammers. I looked at my logs and sure enough, I stupidly let postfix run as an open smtp server and some guy started using it to send out spam.
So I stopped that, but now what? Yahoo won't accept my emails. Craigslist won't accept my emails. Hotmail moves them into the junk folder. Yahoo had the best help.
http://help.yahoo.com/l/us/yahoo/mail/postmaster/errors/;_ylt=ArX8PxnGVabUYKQmtOrSQN5vMiV4
So the error message I was getting from Yahoo was related to spamhaus. I stopped postfix, finally got it up and running properly with authentication, and sent an email to the SBL list guys ( http://www.spamhaus.org/sbl/delistingprocedure.html ) and got delisted pretty quickly.
Sending emails to Yahoo now worked fine. Other places were slower to realize that I was not a spammer, but all in all, it took about 6 months for the dust to settle, and a few more emails to various places to say "hey! I am not a spammer!".
For a major business, this can be a problem, but these lists aren't private. When doing research on where to create your new home on the internet, checking to see if they are blacklisted anywhere first would be a prudent thing to do.
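Added example, written by the editor and not code from this thread: the "check before you sign" step that the mxtoolbox comment, the comment about a new /18 arriving with already-listed /24s, and the comment above all point at, done as a script that sweeps every /24 of a proposed allocation against DNS blocklists. zen.spamhaus.org and bl.spamcop.net are real public lists; the 192.0.0.0/22 block, the probe offsets, and the canned DNS answers used to exercise it offline are constructed assumptions.

```python
# Added example, not code from the original thread: sweep a newly assigned
# block for /24s that are already on DNS blocklists, the check a buyer can run
# before signing for the space. zen.spamhaus.org and bl.spamcop.net are real
# public lists; the 192.0.0.0/22 block and the canned answers are constructed.
import ipaddress
import socket

DNSBLS = ("zen.spamhaus.org", "bl.spamcop.net")   # assumed selection of lists
LISTING_RANGE = ipaddress.IPv4Network("127.0.0.0/8")
# Spamhaus signals refused or over-quota queries (for instance from an open
# resolver) with answers in 127.255.255.0/24; those are errors, not listings.
# Treating them the same way for every zone is an assumption made here.
ERROR_RANGE = ipaddress.IPv4Network("127.255.255.0/24")


def dnsbl_name(ip, zone):
    """Query name for ip under zone: the octets reversed, e.g. 10.2.0.192.zone."""
    octets = str(ipaddress.IPv4Address(str(ip))).split(".")
    return ".".join(reversed(octets)) + "." + zone


def live_resolver(name):
    """Return the A record for name, or None for NXDOMAIN. Needs the network."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip, zone, resolve=live_resolver):
    answer = resolve(dnsbl_name(ip, zone))
    if answer is None:
        return False
    code = ipaddress.IPv4Address(answer)
    return code in LISTING_RANGE and code not in ERROR_RANGE


def sweep(block, zones=DNSBLS, resolve=live_resolver, probes=(1, 128, 254)):
    """Probe a few hosts in every /24 of block against every zone.

    Returns {"/24": {zone: [listed ips]}} for the subnets with any hit.
    Range listings (SBL-style) cover the whole /24, so three probes find them;
    single-host listings are only seen if a probe happens to land on them."""
    net = ipaddress.IPv4Network(block)
    subnets = net.subnets(new_prefix=24) if net.prefixlen <= 24 else [net]
    tainted = {}
    for sub in subnets:
        candidates = [sub.network_address + i for i in probes]
        for zone in zones:
            hits = [str(a) for a in candidates if a in sub and is_listed(a, zone, resolve)]
            if hits:
                tainted.setdefault(str(sub), {})[zone] = hits
    return tainted


# Constructed stand-in for DNS so the sweep can be exercised offline.
CANNED = {
    "zen.spamhaus.org": {"192.0.2.0/24": "127.0.0.2",          # whole /24 listed
                         "192.0.3.0/24": "127.255.255.254"},   # query refused
    "bl.spamcop.net":   {"192.0.1.128/32": "127.0.0.2"},       # one host listed
}


def canned_resolver(name):
    for zone, entries in CANNED.items():
        if name.endswith("." + zone):
            ip = ipaddress.IPv4Address(".".join(reversed(name[:-len(zone) - 1].split("."))))
            for cidr, answer in entries.items():
                if ip in ipaddress.IPv4Network(cidr):
                    return answer
    return None


if __name__ == "__main__":
    for subnet, zones in sweep("192.0.0.0/22", resolve=canned_resolver).items():
        print(subnet, zones)
```

Swap `canned_resolver` for the default `live_resolver` to run it for real; do it from your own recursive resolver rather than a public one, since Spamhaus refuses queries from open resolvers and the script deliberately counts that refusal as "not listed" rather than as a clean result you can trust.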
I'm god, but it's a bit of a drag really...
Have you tried a new website, google.com?
Don't worry, once IPv6 hits, IPs will be given out based on location. Don't like Russia, ban one subnet and you're good.
A heavily blocklisted network quickly becomes unattractive to legitimate businesses
Is that like a blacklisted net? Can someone spam them an editor please?
Or this.
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
We are legion. Expect us.
Hogwash: Building codes are regulatory, just like FCC and FAA rules, or public utilities commission rules. The only laws involved are usually rather simple and to the point in delegating the authority to an administrative agency generally controlled by the executive branch of the appropriate government.
As far as tax law, it's only necessary to not have a graduated flat tax (e.g. taxed on what you earn above minimum was times 2080 hours + $1) if you are intent on hiding your legislative cronyism, malfeasance, kickbacks, and unfunded mandates in the tax code. If you want to legislate social policy, then be honest and legislate social policy, and if what you do is unpopular, you don't get reelected.
Also, I remember a debate from my college days when it was suggested that the best form of government was in fact a benevolent dictatorship. No thank you.
P.S.: I'd still like someone to explain to me why the disincentive for second degree murder should be less than the disincentive for first degree murder; the victim is still just as dead, right?
-- Terry
OK, I'm mistaken. Kibera is in Nairobi, Kenya, not Nigeria.
Wait a few years. In five years or so, those addresses will have scrolled off blacklists. It's not a big deal.
It takes a bit of time, but if you inherit a 'dirty' IP address, AKA one that was used by a spammer or porn website, you need to visit the maintainers of the blacklists.
http://www.spamhaus.org/
and
http://www.spamcop.net/
You send them an email about your situation, and the ISP that issued you the IP addresses needs to also contact them. They (spamhaus and spamcop) will then base your request on whether they receive any more spam complaints.
Then you can 'clean' the 'dirty' IP Address.
As far as Spam goes, that is how you do it. But, for other blacklists, you have to contact them.
Just send them an email and claim you're a new owner and are not affiliated with the 'Slum Lords' past or with them in any way.
On my webserver, I delete the upper third of all addresses in /etc/hosts.deny every couple of weeks.
One hour later they usually are back at the bottom of the file. Maybe I should run a weekly line count and collect some stats on it.
Oh, the beautiful gloss of greality!
> Never sleeps either. The internet waits.
I thought Al Gore was the Internet, not Chuck Norris?
The problem here seems to be badly maintained blacklists. After seeing way too many false positives on various blacklists out there, the only lists I would use are ones that expire their entries in a matter of days or hours. The good ones that I use are uatraps (greytrapping generated, 24 hour expiry) and nixspam (IIRC max 4 days after last seen spam activity). Then of course I maintain my own greytrap list (see the traplist homepage and the traplist ethics page for details).
The point is, you need to expire entries aggressively. Keeping entries around because somebody received a spam from somewhere in that general direction four years ago is just silly. And don't get me started on blacklisting domains. If there is one thing we know with almost total certainty, it is that spammers never use From: or Reply-to: addresses that have anything vaguely to do with the real senders.
-- That grumpy BSD guy - http://bsdly.blogspot.com/
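Added example, written by the editor; it is not code from this thread and not the commenter's own traplist. It shows the "expire aggressively" policy from the comment above, and the periodic pruning of hosts.deny another commenter described, as a blocklist whose entries carry a last-seen time and drop out after a quiet period. The 24-hour and 4-day windows are the figures the comment quotes for uatraps and nixspam; the sightings and the reference time are constructed.

```python
# Added example, not code from the original thread or from the commenter's own
# traplist: a blocklist whose entries carry a last-seen time and age out after a
# quiet period, in the spirit of the short-expiry lists recommended above. The
# 24-hour and 4-day windows are the figures the comment quotes for uatraps and
# nixspam; the sightings and the reference time are constructed.
from datetime import datetime, timedelta, timezone


class ExpiringBlocklist:
    """Entries are (ip -> last sighting); nothing is kept beyond ttl of quiet."""

    def __init__(self, ttl):
        self.ttl = ttl
        self._last_seen = {}

    def record(self, ip, when):
        # A fresh sighting restarts the clock; out-of-order input is tolerated.
        prev = self._last_seen.get(ip)
        self._last_seen[ip] = when if prev is None or when > prev else prev

    def is_blocked(self, ip, now):
        seen = self._last_seen.get(ip)
        return seen is not None and now - seen < self.ttl

    def expire(self, now):
        """Drop every entry not seen within ttl; return the ips dropped."""
        stale = sorted(ip for ip, seen in self._last_seen.items() if now - seen >= self.ttl)
        for ip in stale:
            del self._last_seen[ip]
        return stale

    def as_hosts_deny(self, now):
        """Render the live entries as hosts.deny lines, oldest sighting first."""
        live = sorted((seen, ip) for ip, seen in self._last_seen.items() if now - seen < self.ttl)
        return "".join(f"ALL: {ip}\n" for _, ip in live)

    def __len__(self):
        return len(self._last_seen)


def replay(ttl, sightings, now):
    """Feed recorded sightings into a fresh list and expire it as of now."""
    bl = ExpiringBlocklist(ttl)
    for ip, when in sightings:
        bl.record(ip, when)
    bl.expire(now)
    return bl


T0 = datetime(2009, 11, 16, 12, 0, tzinfo=timezone.utc)   # constructed "now"
SIGHTINGS = [                                             # constructed trap hits
    ("192.0.2.10", T0 - timedelta(days=10)),      # once, long ago
    ("192.0.2.20", T0 - timedelta(days=3)),       # three days ago...
    ("192.0.2.20", T0 - timedelta(hours=2)),      # ...and again just now
    ("198.51.100.5", T0 - timedelta(hours=30)),   # thirty hours ago
]

if __name__ == "__main__":
    for label, ttl in (("24h", timedelta(hours=24)), ("4d", timedelta(days=4))):
        bl = replay(ttl, SIGHTINGS, T0)
        print(f"ttl={label}: {len(bl)} live entries\n{bl.as_hosts_deny(T0)}")
```

With the 24-hour window only the host seen two hours ago stays listed; with the 4-day window the one seen thirty hours ago stays too, and the host seen once ten days ago is gone under both. Re-sighting a host extends its stay, so a persistent spam source never falls off while a one-off or a reassigned address does, which is the property the comment is after.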
Stormwind Mage Quarter represent yo! Chilling with the homies in the basement of the Slaughtered Lamb.
Car Analogy: If you're doing your own oil changes, and instead of hauling the waste oil to a recycler, you dump it into your backyard, don't complain when you try and sell your house and the highest bid still leaves you $100,000 underwater on your mortgage, or requires you to spend $150,000 remediating it. Your property is worth less than it could have been, had you only been a better steward of it.
I'd hate to see your house analogies.
I read it as "slurms".
...where will Helba live?
I have been trying to get one of my IPs unblocked by Slashdot for several months now and seem to have hit a black hole; emails go in never to be seen again...
Imagine if we treated real mail the same way?
Block by carrier? (Sorry USPS, you delivered too much junk mail)
Block by street? Neighborhood? City? State? (Sorry New Hampshire).
... is Mother, is Father...
Change the name. Period.
I'd like to buy homeland for our 10 million people. http://twitter.com/mahadiga