
Recovering the Slums of the Internet?

turtleshadow writes "Brian Krebs of the Security Fix Blog analyzes the McColo Spamming one year later and asks an interesting question: 'How does one renovate and recoup the lost trust to the slums of the Internet and reclaim back all the domains and IPs that have been blacklisted?' Indeed, the economic benefits abound when a huge swath of illegal and annoying activity ceases — but given the basic design of the Internet, what happens over the long run to IP space and DNS when hosting companies come and go and vary in their trustworthiness? So too, now Geocities is dead [as a business], but does that still live in your filter list? It still appears in OpenDNS under several policy categories. How, in a few years, will I tell if some Hosting/Colo sold me Whitechapel Road/Ventura Avenue for Mayfair/Boardwalk prices, and no one is going to accept my mail from a former slum? When do you, if ever, roll back the blacklists and filters for 'dead' threats and spammers?"

8 of 218 comments

  1. Solution by blakelarson · · Score: 2, Informative

    IPv6!

  2. Easy solution: by eln · · Score: 3, Informative

    Stop relying on blacklists as your primary (or only!) filtering mechanism. There are far more sophisticated filtering solutions out there these days. Filtering based solely on blacklists is antiquated, ineffective, and vulnerable to massive issues with false positives. If you only use blacklisting as a very small part of your overall filter scoring, you won't have problems when the IPs in question get turned over to non-spammers. Sure, they'll still end up with a non-zero "spam" score, but not a high enough one to be blocked.

    And, of course, you should regularly be looking at your entire setup, including filtering, on a regular basis to make sure the solution you have is still the best one for your situation. Technology, and the Internet, changes too rapidly to take a "set and forget" attitude toward anything, especially filtering.

  3. Re:What slums? by Tubal-Cain · · Score: 3, Informative

    Yes, but if someone tries to create a new Biosphere and call the project "GeoCity", a website about the project will find itself needlessly blocked by filter rules that were set years ago and never removed.

  4. Re:haha funny by Anonymous Coward · · Score: 2, Informative

    Read this before you post again.

  5. Re:who's on first? by secolactico · · Score: 5, Informative

    nslookup -q=ptr 69.69.69.69.in-addr.arpa

    Non-authoritative answer:
    69.69.69.69.in-addr.arpa name = the-coolest-ip-on-the-net.com

    Well, I'll be... I honestly didn't expect that. Duh...

    --
    No sig

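The two ideas above, eln's point that a blacklist hit should be one weighted signal among several rather than a hard block, and the reversed-octet query name secolactico's nslookup uses, fit naturally in one piece of code, because DNSBLs are queried with exactly that reversed-label form under their own zone. The following is an added illustration, not code from the thread or from any of the blacklist operators named in it. The DNSBL zone name, the listing table, the signal weights, the thresholds and the sample messages are all constructed assumptions so that it runs offline; a real deployment would replace the table lookup with a DNS query against the list's actual zone.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Hypothetical DNSBL zone (assumption, not a real list). A real DNSBL answers a
# DNS A/TXT query for "<reversed-octets>.<zone>"; here a dict stands in for DNS.
FAKE_DNSBL_ZONE = "dnsbl.example.invalid"

# Constructed listing: 192.0.2.10 (TEST-NET-1, documentation range) is "still
# listed" from a previous owner, i.e. the stale-entry case the thread discusses.
FAKE_DNSBL = {
    "10.2.0.192." + FAKE_DNSBL_ZONE: "listed: former spam source (stale entry)",
}


def reverse_name(ip: str, zone: str) -> str:
    """Build the reversed-label query name used by PTR and DNSBL lookups.

    reverse_name("69.69.69.69", "in-addr.arpa") reproduces the name queried
    with nslookup in the thread; the same labels under a DNSBL zone give the
    name used to ask whether that address is listed. IPv6 is handled by the
    nibble-reversed form under ip6.arpa.
    """
    addr = ipaddress.ip_address(ip)
    # reverse_pointer yields e.g. "69.69.69.69.in-addr.arpa"; strip the arpa suffix.
    reversed_labels = addr.reverse_pointer.rsplit(".", 2)[0]
    return f"{reversed_labels}.{zone}"


def dnsbl_listed(ip: str, table: dict[str, str] = FAKE_DNSBL) -> bool:
    """Simulated DNSBL check: a hit is a key present in the constructed table."""
    return reverse_name(ip, FAKE_DNSBL_ZONE) in table


@dataclass
class Message:
    sender_ip: str
    subject: str
    body: str
    has_valid_dkim: bool  # assumed upstream authentication result


# Assumed weights: no single signal reaches BLOCK_THRESHOLD on its own, so a
# stale blacklist entry alone cannot block mail from a re-assigned address.
WEIGHTS = {
    "dnsbl_listed": 2.0,
    "suspicious_subject": 2.5,
    "many_links": 2.0,
    "no_dkim": 1.5,
}
BLOCK_THRESHOLD = 5.0
FLAG_THRESHOLD = 2.5

SUSPICIOUS_WORDS = ("free money", "act now", "winner")


def score_message(msg: Message) -> tuple[float, list[str]]:
    """Sum the weights of every signal that fires and report which ones did."""
    score = 0.0
    reasons: list[str] = []
    if dnsbl_listed(msg.sender_ip):
        score += WEIGHTS["dnsbl_listed"]
        reasons.append("dnsbl_listed")
    if any(word in msg.subject.lower() for word in SUSPICIOUS_WORDS):
        score += WEIGHTS["suspicious_subject"]
        reasons.append("suspicious_subject")
    if len(re.findall(r"https?://", msg.body)) >= 3:
        score += WEIGHTS["many_links"]
        reasons.append("many_links")
    if not msg.has_valid_dkim:
        score += WEIGHTS["no_dkim"]
        reasons.append("no_dkim")
    return score, reasons


def classify(msg: Message) -> str:
    """Map the score to a verdict: accept, flag for review, or block."""
    score, _ = score_message(msg)
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= FLAG_THRESHOLD:
        return "flag"
    return "accept"


# Constructed sample messages.
LEGIT_FROM_REASSIGNED_IP = Message(
    sender_ip="192.0.2.10",  # listed (stale), but the mail itself is clean
    subject="Invoice for March",
    body="Hi, the invoice is attached. Portal: https://billing.example.invalid/",
    has_valid_dkim=True,
)
SPAM_FROM_LISTED_IP = Message(
    sender_ip="192.0.2.10",
    subject="ACT NOW free money",
    body="http://a.invalid http://b.invalid http://c.invalid",
    has_valid_dkim=False,
)
SPAM_FROM_CLEAN_IP = Message(
    sender_ip="192.0.2.77",  # not listed at all
    subject="You are a WINNER",
    body="http://a.invalid http://b.invalid http://c.invalid",
    has_valid_dkim=False,
)

if __name__ == "__main__":
    print(reverse_name("69.69.69.69", "in-addr.arpa"))
    for m in (LEGIT_FROM_REASSIGNED_IP, SPAM_FROM_LISTED_IP, SPAM_FROM_CLEAN_IP):
        print(m.sender_ip, score_message(m), classify(m))
```

The clean message from the still-listed address ends up with a non-zero score but is accepted, while both spam samples are blocked whether or not the sending address is on the list, which is the behaviour eln describes. The weights are the knob an operator tunes; the structural point is that a list hit is evidence, not a verdict.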
  6. Cleaning Dirty IP Addresses (howto) by Anonymous Coward · · Score: 1, Informative

    It takes a bit of time, but if you inherit a 'dirty' IP address, i.e. one that was used by a spammer or porn website, you need to visit the maintainers of the blacklists.

    http://www.spamhaus.org/

    and

    http://www.spamcop.net/

    You send them an email about your situation, and the ISP that issued you the IP addresses also needs to contact them. They (Spamhaus and SpamCop) will then base your request on whether they receive any more spam complaints.

    Then you can 'clean' the 'dirty' IP Address.

    As far as Spam goes, that is how you do it. But, for other blacklists, you have to contact them.

    Just send them an email and claim you're a new owner and are not affiliated with the 'Slum Lords' past or with them in any way.

  7. Re:I like the Ras Al Gul approach by Bob+Ince · · Score: 2, Informative

    It will be nearly impossible to get delisted, too, and for good reason. For years the Russian malware gangs played silly buggers with changing names, corporations and hosting providers to pretend to be different unrelated entities whilst still engaging in the abuse.

    So “but I bought this netblock from someone else, I'm not a hacker!” is, unfortunately, something we've already heard many times from the hackers.

  8. Re:I like the Ras Al Gul approach by Trolan · · Score: 2, Informative

    You mean something like http://lists.arin.net/pipermail/arin-issued/?

    Not digitally signed, but it's easy enough to validate the source from the source IP and headers anyway for this kind of thing. The main item of note would be the deletes, as they indicate a return of address space.