Recovering the Slums of the Internet?
turtleshadow writes "Brian Krebs of the Security Fix Blog analyzes the McColo Spamming one year later and asks an interesting question: 'How does one renovate and recoup the lost trust to the slums of the Internet and reclaim back all the domains and IPs that have been blacklisted?' Indeed, the economic benefits abound when a huge swath of illegal and annoying activity ceases — but given the basic design of the Internet, what happens over the long run to IP space and DNS when hosting companies come and go and vary in their trustworthiness? So too, now Geocities is dead [as a business], but does that still live in your filter list? It still appears in OpenDNS under several policy categories. How, in a few years, will I tell if some Hosting/Colo sold me Whitechapel Road/Ventura Avenue for Mayfair/Boardwalk prices, and no one is going to accept my mail from a former slum? When do you, if ever, roll back the blacklists and filters for 'dead' threats and spammers?"
Burn them to the ground.
IPv6!
OMG WTF PONNIES!!!
did not Godaddy get its start registering pr0n sites?
- Minutus cantorum, minutus balorum, minutus carborata descendum pantorum.
I thought they'd switched off geocities already?
Seven puppies were harmed during the making of this post.
Stop relying on blacklists as your primarily (or only!) filtering mechanism. There are far more sophisticated filtering solutions out there these days. Filtering based solely on blacklists is antiquated, ineffective, and vulnerable to massive issues with false positives. If you only use blacklisting as a very small part of your overall filter scoring, you won't have problems when the IPs in question get turned over to non-spammers. Sure, they'll still end up with a non-zero "spam" score, but not a high enough one to be blocked.
And, of course, you should regularly be looking at your entire setup, including filtering, on a regular basis to make sure the solution you have is still the best one for your situation. Technology, and the Internet, changes too rapidly to take a "set and forget" attitude toward anything, especially filtering.
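To make the scoring idea concrete, here is an added example (not code from the thread or from any particular filter product) in which a DNS blocklist hit is one weighted signal among several, so a reused IP that is still on a stale list gets a non-zero score but is not rejected on that alone. The weights, thresholds and signal names are constructed for illustration.

```python
"""Weighted spam scoring where a blocklist hit is one signal, not the verdict.

Added example; weights, thresholds and signal names are constructed and are not
taken from any real filter's rule set.
"""
from dataclasses import dataclass

# Constructed weights. Note that "dnsbl_hit" alone stays below both thresholds.
WEIGHTS = {
    "dnsbl_hit": 1.5,        # connecting IP found on a DNS blocklist
    "no_rdns": 1.0,          # connecting IP has no reverse DNS
    "spf_fail": 2.0,         # SPF check failed for the envelope sender
    "dkim_fail": 1.0,        # DKIM signature missing or invalid
    "url_shortener": 0.5,    # body links through a URL shortener
    "keyword_match": 2.5,    # body matched a spam phrase rule
    "known_sender": -3.0,    # prior correspondence; lowers the score
}
BLOCK_THRESHOLD = 5.0        # reject at SMTP time
GREYLIST_THRESHOLD = 3.0     # temp-fail and let a real MTA retry


@dataclass
class Message:
    sender_ip: str
    signals: frozenset


def score(msg: Message) -> float:
    """Sum the weights of every signal that fired for this message."""
    return sum(WEIGHTS.get(s, 0.0) for s in msg.signals)


def verdict(msg: Message) -> str:
    """Map the combined score to an action."""
    s = score(msg)
    if s >= BLOCK_THRESHOLD:
        return "reject"
    if s >= GREYLIST_THRESHOLD:
        return "greylist"
    return "accept"


def blocklist_only_verdict(msg: Message) -> str:
    """The antiquated approach the post argues against: list hit means reject."""
    return "reject" if "dnsbl_hit" in msg.signals else "accept"


if __name__ == "__main__":
    # Constructed sample: a reassigned IP still on an old list, otherwise clean.
    reassigned = Message("192.0.2.10", frozenset({"dnsbl_hit"}))
    # Constructed sample: a message with the usual spam markers.
    spam = Message("198.51.100.7",
                   frozenset({"dnsbl_hit", "no_rdns", "spf_fail", "keyword_match"}))
    for m in (reassigned, spam):
        print(m.sender_ip, score(m), verdict(m), "vs blocklist-only:",
              blocklist_only_verdict(m))
```

The blocklist-only filter rejects both messages; the weighted filter rejects only the one that also fails SPF, lacks reverse DNS and trips a content rule.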
You don't. The Internet never forgets, never forgives.
that SORBS bastard wanted to charge me $50 to take my new block of IPs off his/her/its list!
hah, good luck SORBS is out of business now!
I think I've gone aphasic. The summary/quote didn't make an ounce of sense to me.
When do I clean addresses and domains out of my filters? Usually never. It's just too much trouble to keep tabs on all of them and actively look for them being cleaned up. Once they're in the filters, there they stay until something happens to make me take a look at them. Usually that something'll be someone I know getting caught by the e-mail filters and contacting me out-of-band to find out why I'm not responding to their mail. Or it might be me trying to go to a site I added to the filters ages ago and being blocked when I know it should be clean now, and I go and find it and remove it. But generally, unless something like that motivates me, I've got better things to do with my time than keeping track of all the bad guys I've run across over the years and whether they've mended their ways or not.
In addition, at least one fraud expert who works with a number of big name retailers said online retail fraud rates fell from around $250,000 per day to zero for a short time following McColo's takedow
Why aren't the cops there getting customers lists from McColo and going after the fraudsters?
As far as the toxic waste is concerned, have the Government take those toxic addresses and have the Government turn their current addresses back into the pool. That will detox those addresses quick.
It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
Before you order a co-lo, agree that it has to pass certain checks, such as a blacklist check.
http://www.mxtoolbox.com/blacklists.aspx
As for decreasing IP space, IPv6 (real or tunneling) is available at most large co-lo places, so that won't be a problem.
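The blocklist check suggested above can be scripted rather than done by hand. This is an added example, not code from the post or from MXToolbox: it builds the reversed-octet (or reversed-nibble, for IPv6) query name that DNS blocklists expect and interprets the answer. The resolver is injectable so the logic can be exercised offline; the zone names are well-known public lists, but the listing codes in the test are constructed, not real lookups.

```python
"""Build DNSBL query names and interpret answers for a candidate IP.

Added example. The resolve() callback is an assumption so the code can run
without network access; the default uses socket.gethostbyname.
"""
import ipaddress
import socket

# Zones to consult; names only, no claim about what they currently list.
ZONES = ("zen.spamhaus.org", "bl.spamcop.net")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Return the DNSBL query name: reversed IPv4 octets or reversed IPv6 nibbles."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        rev = ".".join(reversed(str(addr).split(".")))
    else:
        nibbles = addr.exploded.replace(":", "")
        rev = ".".join(reversed(nibbles))
    return f"{rev}.{zone}"


def interpret(answer):
    """Classify a DNSBL A-record answer.

    None (NXDOMAIN) means not listed. 127.0.0.x is a listing code whose
    meaning is zone-specific. Spamhaus uses 127.255.255.x to signal a rejected
    query (for example via an open/public resolver), which is an error, not a
    listing.
    """
    if answer is None:
        return "not_listed"
    if answer.startswith("127.255.255."):
        return "query_error"
    if answer.startswith("127."):
        return "listed"
    return "unexpected"


def _gethostbyname_or_none(name: str):
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip: str, zones=ZONES, resolve=_gethostbyname_or_none) -> dict:
    """Return {zone: (status, raw_answer)} for every zone consulted."""
    results = {}
    for zone in zones:
        raw = resolve(dnsbl_query_name(ip, zone))
        results[zone] = (interpret(raw), raw)
    return results


if __name__ == "__main__":
    # TEST-NET address; a real check would use the colo's offered range.
    for zone, (status, raw) in check_ip("192.0.2.1").items():
        print(zone, status, raw)
```

Run it against each address in the range a provider offers, and treat any "listed" result as a reason to ask for different space (or a delisting commitment) before signing.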
Read this before you post again.
As the purchaser, you probably can't. But what you can do is demand that your provider move you to a better IP neighborhood, or renegotiate (read: "tear up") the contract.
Blocklists aren't about playing whack-a-mole with spammers, they're about disincentivizing spam-friendly providers.
If you're an ISP or hosting provider, and you harbor spammers and botnets, the IP ranges you hold are permanently devalued. That means it's harder for you to get customers, more expensive to support your legitimate customers, and your business, when you decide to sell it, is worth less than if you'd booted the goddamn spammers off your network when you had the chance.
Car Analogy: If you're doing your own oil changes, and instead of hauling the waste oil to a recycler, you dump it into your backyard, don't complain when you try and sell your house and the highest bid still leaves you $100,000 underwater on your mortgage, or requires you to spend $150,000 remediating it. Your property is worth less than it could have been, had you only been a better steward of it.
...because 90 percent of everything is crap.
> So too, now Geocities is dead [as a business], but does that still live in your filter list? It still appears in OpenDNS under several policy categories.
If you filter via OpenDNS, then you get what you deserve.
If you've done *any* metamoderating of OpenDNS website classifications, you will soon decide that poo flinging chimpanzees are more accurate.
I came, I saw, I ran away screaming.
--
BMO
I'm straight up gangsta from south central Ironforge...
isn't THAT the slum of the internet?
I once passed a shop offering "Sandwich boxe's". I call it hedge-your-bets punctuation...
Everything should expire after a year.
I also would suggest this in government. That all laws get renewed to automatically expire after 10 years. That way we can keep the law makers busy keeping the good laws while letting the old ones die, as well as keeping them from making crappy new ones that won't survive a 10 year renewal.
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
> You don't. The Internet never forgets, never forgives.
Never sleeps either. The internet waits.
Saying your "phone ran out of batteries" is like saying your "car ran out of gas tanks".
> Indeed, the economic benefits abound when a huge swath of illegal and annoying activity ceases
Translated from corporatocracy-ese to english:
"once we've quashed the disruptive technological utopia people created on the web, the economic opportunity to carve it up and sell it back to only those who can pay abounds!"
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
Surely you reject mail at SMTP time, allowing the sending server to notify the sender that the mail didn't get through, right?
The word is "incite".
They're desperate to show that they're doing something. Make it so they have to do something to maintain the status quo and everybody's happy.
This sounds reasonable. How do I go about making sure my ISP/hosting provider is not harboring spammers/botnets? Is there a reputable site somewhere where this kinda info is tracked?
Don't you mean 'hedge-you'r-bet's"?
well I'm from south central Orgrimmar we will bust a spell in yours
I always wondered how Downbelow really could really happen in an enlightened, spacefaring society.
See - http://en.wikipedia.org/wiki/Babylon_5_(space_station)
Substitute "IP slums" for "Downbelow" and "information-based" for "spacefaring."
See - http://en.wikipedia.org/wiki/Geocities#Neighborhoods
Pathological kinda promises Path + Logical - but instead, you get stuck with pathetic.
Village of the Spammed?
And surfs for porn in the interim.
... never lies, and is always right
For justice, we must go to Don Corleone
What's the problem? That was a completely correct use of the colon!
Three days from now?? Thats tomorrow!! ~Peter Griffin
While this is good policy on its face, it has a severe problem - the ISP itself is not permanent. What if the spam-friendly ISP goes out of business and its IP range is reassigned to a spam-hostile provider?
The parent seems to conflate an IP address assignment with an ISP. IP assignment is not permanent - IP addresses and ranges can and have been reassigned from one provider to another.
Based on the type of permanent blacklisting argued for by the parent, the spam-hostile provider is still blocked simply because they reside in a range previously owned by spammers. Over time, spammers move around and contaminate an ever growing portion of the IP space. If this IP space cannot be reclaimed the number of useful IP addresses will shrink over time.
In some sense, IPv6 is the solution - but until that blessed day arrives, IPv4 addresses are in short supply. As a result, some method of reclaiming "bad" IP addresses once their owners reform must be made available.
That is precisely the question under discussion here.
> I once passed a shop offering "Sandwich boxe's". I call it hedge-your-bets punctuation...
Dude. I was in a Safeway that claimed to be selling "Mrs Whites pie's". I cried. Three words, three mistakes: HOW?
Then I pulled out a Sharpie and fixed it, which is why my friends used to call me Conan The Grammarian. Bad grammar modded for free!
Nostalgia's not what it used to be.
How about you don't accept the IP addresses of the slums and ask your provider for clean ones?
Aside from calling the IP allocations formerly used by criminals "slums", this is actually a very important question. All of McColo's space is still in my edge routers as "drop". I only checked because of the connection with this story. Does it make sense to drop those blocks now? I'm not entirely sure, and since no one is complaining (as yet), why WOULD I remove them?
Should we look to some authority to publish a list, something like the SpamHaus DROP list?
Should we start looking to ICANN to more strongly enforce removing bad actors? What rules, which guide lines? Is sending spam ok, but not being known to host fraud sites? Why? Who decides?
I think it highly ironic that SAVVIS commented upon IP allocations that are "poison" for email. Perhaps it's a case of "the burned hand teaches best." Those that deal with more than a modicum of email will know the back story to that vis-à-vis SAVVIS networks.
I may not be smart enough to have the answers, but I think I'm smart enough to know when someone asks a pretty darn good question. I think this is one.
Part of the answer may be for a system of distributed log inspection. Obviously, some of the information will need to be sanitized before being sent to third parties. Just as obviously, some way to keep the system from being abused by governments needs to be considered. How to do that without giving repressive governments a very powerful tool is something I've been thinking about for over five years. To date, I don't know that it can be done. I do think that if it cannot be closely kept to identifying command and control or infected hosts, it should NOT be done.
I want to shut down and stop criminals - not stifle those that protest against their governments.
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
When I set up my first postfix daemon, I failed. Took me days. One day, it seemed like it was working, but wasn't accepting username and password logins. I went to bed, didn't stop postfix.
The next day I get an email from my colo asking why some of my IPs are being blacklisted. The colo apparently got notified that two of my IP addresses are spammers. I looked at my logs and sure enough, I stupidly let postfix run as an open smtp server and some guy started using it to send out spam.
So I stopped that, but now what? Yahoo won't accept my emails. Craigslist won't accept my emails. Hotmail moves them into the junk folder. Yahoo had the best help.
http://help.yahoo.com/l/us/yahoo/mail/postmaster/errors/;_ylt=ArX8PxnGVabUYKQmtOrSQN5vMiV4
So the error message I was getting from Yahoo was related to spamhaus. I stopped postfix, finally got it up and running properly with authentication, and sent an email to the SBL list guys ( http://www.spamhaus.org/sbl/delistingprocedure.html ) and got delisted pretty quickly.
Sending emails to Yahoo now worked fine. Other places were slower to realize that I was not a spammer, but all in all, it took about 6 months for the dust to settle, and a few more emails to various places to say "hey! I am not a spammer!".
For a major business, this can be a problem, but these lists aren't private. When doing research on where to create your new home on the internet, checking to see if they are blacklisted anywhere first would be a prudent thing to do.
I'm god, but it's a bit of a drag really...
Don't worry, once IPv6 hits, IPs will be given out based on location. Don't like Russia, ban one subnet and you're good.
> A heavily blocklisted network quickly becomes unattractive to legitimate businesses
Is that like a blacklisted net? Can someone spam them an editor please?
Or this.
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
I just looked at wikipedia under slum
That which matched for me for lack of better words were:
I drew a parallel of corruption or chaotic governance to the ISPs named by Krebs and as such seemed to have met the analogy well enough.
I rejected Ghetto for wiki's alignment to ethnicity or the word Barrio which upscales in a certain language and Hooverville which implied an economic basis.
I possibly could say Mos Eisley or Tatooine both are a more focused but lesser known reference and wouldn't work with the reference to Monopoly addresses which are cheap vs expensive based on arbitrary or cultural value.
Spam kings may not work out of Kibeira directly but they could somehow make .NG totally worthless if spammers/malware moved in and everybody else started to filter them out based on this. This is actually a real threat in my mind to developing nations and would injure innocent persons by the acts of such persons willing to sacrifice them for a fast buck.
Realistically, many people in business do look at your TLD and determine on that alone if they are going to continue to do business with you.
My point in asking was how to get opinions on recovering and redeeming such a place, which is exactly what I think you're alluding to. I don't condemn or demean any people who in real life are in such places not by choice or don't have a way out.
Shouldn't that be "Conan, The Grammarian?"
Hogwash: Building codes are regulatory, just like FCC and FAA rules, or public utilities commission rules. The only laws involved are usually rather simple and to the point in delegating the authority to an administrative agency generally controlled by the executive branch of the appropriate government.
As far as tax law, it's only necessary to not have a graduated flat tax (e.g. taxed on what you earn above minimum wage times 2080 hours + $1) if you are intent on hiding your legislative cronyism, malfeasance, kickbacks, and unfunded mandates in the tax code. If you want to legislate social policy, then be honest and legislate social policy, and if what you do is unpopular, you don't get reelected.
Also, I remember a debate from my college days when it was suggested that the best form of government was in fact a benevolent dictatorship. No thank you.
P.S.: I'd still like someone to explain to me why the disincentive for second degree murder should be less than the disincentive for first degree murder; the victim is still just as dead, right?
-- Terry
OK, I'm mistaken: Kibera is in Nairobi, Kenya, not Nigeria.
Wait a few years. In five years or so, those addresses will have scrolled off blacklists. It's not a big deal.
It takes a bit of time, but if you inherit a 'dirty' IP address, AKA one that was used by a spammer or porn website, you need to visit the maintainers of the blacklists.
http://www.spamhaus.org/
and
http://www.spamcop.net/
You send them an email about your situation, and the ISP that issued you the IP addresses needs to also contact them. They (spamhaus and spamcop) will then base your request on whether they receive any more spam complaints.
Then you can 'clean' the 'dirty' IP Address.
As far as Spam goes, that is how you do it. But, for other blacklists, you have to contact them.
Just send them an email and claim you're a new owner and are not affiliated with the 'Slum Lords' past or with them in any way.
On my webserver, I delete the upper third of all addresses in /etc/hosts.deny every couple of weeks.
One hour later they usually are back at the bottom of the file. Maybe I should run a weekly line count and collect some stats on it.
Oh, the beautiful gloss of greality!
The problem here seems to be badly maintained blacklists. After seeing way too many false positives on various blacklists out there, the only lists I would use are ones that expire their entries in a matter of days or hours. The good ones that I use are uatraps (greytrapping generated, 24 hour expiry) and nixspam (IIRC max 4 days after last seen spam activity). Then of course I maintain my own greytrap list (see the traplist homepage and the traplist ethics page for details).
The point is, you need to expire entries aggressively. Keeping entries around because somebody received a spam from somewhere in that general direction four years ago is just silly. And don't get me started on blacklisting domains. If there is one thing we know with almost total certainty, it is that spammers never use From: or Reply-to: addresses that have anything vaguely to do with the real senders.
-- That grumpy BSD guy - http://bsdly.blogspot.com/
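The aggressive-expiry policy argued for above, and the periodic trimming of hosts.deny a few posts up, both come down to keeping a last-seen time per address and dropping entries once that time is older than a short TTL. This is an added example (not the poster's traplist code, nor uatraps or nixspam): a blocklist fed from constructed greytrap log lines, with a 24-hour expiry in the spirit of uatraps. The log format is an assumption.

```python
"""Blocklist that expires an address a fixed time after its last bad activity.

Added example; not code from the post or from any real trap list. The log
lines and their format are constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed greytrap log: timestamp, source IP, trap address that was hit.
TRAP_LOG = """\
2009-11-14T08:00:00Z 192.0.2.10 spamtrap1@example.com
2009-11-14T09:30:00Z 198.51.100.7 spamtrap2@example.com
2009-11-15T07:45:00Z 192.0.2.10 spamtrap3@example.com
"""


def parse_trap_line(line: str):
    """Return (when, ip) for one log line; raises ValueError if malformed."""
    ts, ip, _trap = line.split(maxsplit=2)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip


class ExpiringBlocklist:
    """Keeps only the most recent sighting per IP; an entry lives `ttl` after it."""

    def __init__(self, ttl: timedelta):
        self.ttl = ttl
        self._last_seen = {}  # ip -> datetime of the last trap hit

    def record(self, ip: str, when: datetime) -> None:
        prev = self._last_seen.get(ip)
        if prev is None or when > prev:
            self._last_seen[ip] = when

    def ingest(self, log_text: str) -> int:
        """Feed log lines; returns the number of lines recorded."""
        count = 0
        for line in log_text.splitlines():
            if not line.strip():
                continue
            when, ip = parse_trap_line(line)
            self.record(ip, when)
            count += 1
        return count

    def is_listed(self, ip: str, now: datetime) -> bool:
        t = self._last_seen.get(ip)
        return t is not None and now - t <= self.ttl

    def expire(self, now: datetime) -> list:
        """Drop entries older than ttl; returns the addresses removed."""
        stale = sorted(ip for ip, t in self._last_seen.items() if now - t > self.ttl)
        for ip in stale:
            del self._last_seen[ip]
        return stale

    def live_entries(self, now: datetime) -> list:
        return sorted(ip for ip in self._last_seen if self.is_listed(ip, now))


if __name__ == "__main__":
    bl = ExpiringBlocklist(timedelta(hours=24))
    bl.ingest(TRAP_LOG)
    now = datetime(2009, 11, 15, 12, 0, tzinfo=timezone.utc)
    print("expired:", bl.expire(now))
    print("still listed:", bl.live_entries(now))
```

Run the expire step from cron on the same schedule the list is published; an address that keeps hitting traps keeps renewing its entry, while one that has gone quiet falls off within a day instead of lingering for years.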
And now you don't have any friends left.
Oh, the inory...
Stormwind Mage Quarter represesent yo! Chilling with the homies in the basement of the Slaughtered Lamb.
> Car Analogy: If you're doing your own oil changes, and instead of hauling the waste oil to a recycler, you dump it into your backyard, don't complain when you try and sell your house and the highest bid still leaves you $100,000 underwater on your mortgage, or requires you to spend $150,000 remediating it. Your property is worth less than it could have been, had you only been a better steward of it.
I'd hate to see your house analogies.
I see only two mistakes. I hope your third correction wasn't to put a full stop after Mrs, because it ends in the same letter as the word it abbreviates.
...where will Helba live?
Interesting. I was taught that any abbreviation was marked with a full stop unless it was just an elided vowel or syllable, in which case it was marked with an apostrophe. Do you have a source for the abbreviation rule? I'd be glad to convert.
Nostalgia's not what it used to be.
I have been trying to get one of my IPs unblocked by Slashdot for several months now and seem to have hit a black hole, emails go in never to be seen again...
... is Mother, is Father...
Fowler's Modern English Usage, p480. Bryson's Dictionary of Troublesome Words (see excerpt). FWIW the first is a British source and the second says that it's a British rule, so if they have Safeways somewhere else I may owe you an apology.
I'm in the USA, where our grammar rules are not only looser than yours, but also more loosely interpreted. But it's an interesting rule (and I love Bill Bryson's stuff, and was surprised to see a book of his that I don't already have.) Now I have a quest to see if it holds hereabouts. Thanks for the references.
Nostalgia's not what it used to be.
Don't you mean "hedge-you'r-bet's'"?
if only
Change the name. Period.
I'd like to buy homeland for our 10 million people. http://twitter.com/mahadiga