Slashdot Mirror


Recovering the Slums of the Internet?

turtleshadow writes "Brian Krebs of the Security Fix Blog analyzes the McColo Spamming one year later and asks an interesting question: 'How does one renovate and recoup the lost trust to the slums of the Internet and reclaim back all the domains and IPs that have been blacklisted?' Indeed, the economic benefits abound when a huge swath of illegal and annoying activity ceases — but given the basic design of the Internet, what happens over the long run to IP space and DNS when hosting companies come and go and vary in their trustworthiness? So too, now Geocities is dead [as a business], but does that still live in your filter list? It still appears in OpenDNS under several policy categories. How, in a few years, will I tell if some Hosting/Colo sold me Whitechapel Road/Ventura Avenue for Mayfair/Boardwalk prices, and no one is going to accept my mail from a former slum? When do you, if ever, roll back the blacklists and filters for 'dead' threats and spammers?"


  1. Solution by blakelarson · · Score: 2, Informative

    IPv6!

    1. Re:Solution by Tubal-Cain · · Score: 2, Interesting

      That will prevent us from running out of unblocked IP addresses, but it does nothing to avoid being bitten by filtering rules based on a previously bad domain name (like geocities.com).

    2. Re:Solution by stephanruby · · Score: 4, Funny

      Simple. Do not call your web site goatse, or geocities. If someone registers that domain name, because he's too young to remember, or whatever... He'll figure out pretty quickly that things don't work for him, so he'll pick a different domain name, like goatsrus, geotowns, geomegacities, or whatever.

      Frankly, I think that there are more pressing problems to think about.

    3. Re:Solution by Anonymous Coward · · Score: 3, Funny

      Simple. Do not call your web site goatse, or geocities. If someone registers that domain name, because he's too young to remember, or whatever... He'll figure out pretty quickly that things don't work for him, so he'll pick a different domain name, like goatsrus, geotowns, geomegacities, or whatever.

      I'm going to start a free hosting service for shock sites called Goatsecities...

    4. Re:Solution by sentientbeing · · Score: 2, Funny

      It was condemned due to an infestation of Noobs.

      --
      beware he who would deny you access to information, for in his mind he dreams himself your master
    5. Re:Solution by AndroidCat · · Score: 2, Funny

      And never try to use any domain that has doubleclick as part of the name. Only a fool or someone intent on evil would do that.

      --
      One line blog. I hear that they're called Twitters now.
  2. OMG WTF PONNIES!!! by Anonymous Coward · · Score: 2, Funny

    OMG WTF PONNIES!!!

  3. What slums? by Dunbal · · Score: 2, Funny

    I thought they'd switched off geocities already?

    --
    Seven puppies were harmed during the making of this post.
    1. Re:What slums? by Tubal-Cain · · Score: 3, Informative

      Yes, but if someone tries to create a new Biosphere and call the project "GeoCity", a website about the project will find itself needlessly blocked by filter rules that were set years ago and never removed.

    2. Re:What slums? by Arancaytar · · Score: 2, Funny

      What filter rules? I mean, okay, that light on dark text and background midi and blinking marquees were annoying, but still, you could just not visit...

    3. Re:What slums? by MoellerPlesset2 · · Score: 2, Funny

      Yes, but if someone tries to create a new Biosphere and call the project "GeoCity", a website about the project will find itself needlessly blocked by filter rules that were set years ago and never removed.

      Well, it still wouldn't hurt their reputation as badly as if they'd called it Bio-Dome.

  4. Easy solution: by eln · · Score: 3, Informative

    Stop relying on blacklists as your primarily (or only!) filtering mechanism. There are far more sophisticated filtering solutions out there these days. Filtering based solely on blacklists is antiquated, ineffective, and vulnerable to massive issues with false positives. If you only use blacklisting as a very small part of your overall filter scoring, you won't have problems when the IPs in question get turned over to non-spammers. Sure, they'll still end up with a non-zero "spam" score, but not a high enough one to be blocked.

    And, of course, you should regularly be looking at your entire setup, including filtering, on a regular basis to make sure the solution you have is still the best one for your situation. Technology, and the Internet, changes too rapidly to take a "set and forget" attitude toward anything, especially filtering.

    1. Re:Easy solution: by genner · · Score: 2, Interesting

      What if our operating systems were more secure, or if virtualization became universally used? Wouldn't that make it less necessary to use blacklists? I mean, if there's no danger from malware, then I don't have to worry so much if I open an attachment from an email that looks like it's coming from a friend. Worst thing it can do is blow up my virtual machine and I can just close a window and keep on going. It would also make hackers look for other ways to do evil besides attacking our desktops.

      Is virtualization as secure as I think it is? I admit I don't know a lot about internet security beyond just being careful and using protection, so I'd like to hear what those of you who have expertise think.

      It's not about viruses, it's the sheer volume of spam hitting mail servers that makes blacklisting necessary.
      If you remove it you're essentially allowing yourself to be DOS'd.

    2. Re:Easy solution: by EdIII · · Score: 2, Interesting

      You didn't provide him a solution at all. Not really. Don't get me wrong, you are entirely correct in your advice.

      However, how are you supposed to get that advice to, or even communicate reliably with, stubborn and/or stupid mail server admins? The problem most often is on the *other* side.

      The mail server admins at Craigslist.org deserve to be shot (they really do, at least with rubber bullets). I have run into problems getting email to a mail server in which I am apparently blocked by five-ten-sg.com. Of course, you cannot communicate with five-ten-sg.com *at all*. I did perform an audit of our system to see if we were indeed compromised before accusing them and everything was fine. You just can't communicate with the other side when there is a legitimate problem.

      Ostensibly, mail server admins should be checking the postmaster and abuse accounts *every single day*. I bet most have not checked in 6 months. How else do mail server admins work things out amongst themselves?

      I think the solution is a polite, but strongly worded email to the customer of the offending mail server (sent from someplace else like gmail) informing them of the problem and the fact their mail server is being run by a monkey. In more polite and diplomatic language of course, but informing them that the reason they can't get email from the other person is that the hosting company does not have their mail servers being run correctly.

      Throw the ball back into their court. If you write the letter nicely enough with some informative links to what you basically outlined in your post you might even turn a mail server admin from the stupid-side of the force.

      I have to hope that problems receiving email due to such behavior are not isolated and that eventually the mail servers being run unwisely will just lose their customers.

    3. Re:Easy solution: by AnEducatedNegro · · Score: 2, Funny

      not my fault you have small pipes.

      aEN

  5. How does one renovate and recoup the lost trust t by DeadDecoy · · Score: 3, Insightful

    You don't. The Internet never forgets, never forgives.

  6. Usually never by Todd+Knarr · · Score: 3, Insightful

    When do I clean addresses and domains out of my filters? Usually never. It's just too much trouble to keep tabs on all of them and actively look for them being cleaned up. Once they're in the filters, there they stay until something happens to make me take a look at them. Usually that something'll be someone I know getting caught by the e-mail filters and contacting me out-of-band to find out why I'm not responding to their mail. Or it might be me trying to go to a site I added to the filters ages ago and being blocked when I know it should be clean now, and I go and find it and remove it. But generally, unless something like that motivates me, I've got better things to do with my time than keeping track of all the bad guys I've run across over the years and whether they've mended their ways or not.

  7. Where are the cops? by NoYob · · Score: 3, Interesting

    In addition, at least one fraud expert who works with a number of big name retailers said online retail fraud rates fell from around $250,000 per day to zero for a short time following McColo's takedown

    Why aren't the cops there getting customers lists from McColo and going after the fraudsters?

    As far as the toxic waste is concerned, have the Government take those toxic address and have the Government turn their current addresses back into the pool. That will detox those addresses quick.

    --
    It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
    1. Re:Where are the cops? by ShaunC · · Score: 2, Interesting

      Why aren't the cops there getting customers lists from McColo and going after the fraudsters?

      In the case of McColo (and RBN), many of the fraudsters probably are cops, or at least have cops on the payroll.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    2. Re:Where are the cops? by Dunbal · · Score: 3, Insightful

      Why aren't the cops there getting customers lists from McColo and going after the fraudsters?

      Because the police are far too busy going after the real criminals to waste time with legitimate fraudsters.

      --
      Seven puppies were harmed during the making of this post.
    3. Re:Where are the cops? by screeble · · Score: 2, Interesting

      You know... That's a really good idea.

      Signed IP swapping somehow... Reverify those IP addresses as valid.

      It would only require transferring them to a host processing site.

      Then, they could be removed from block lists and be reallocated.

      It would be a fuck load of record updates, though.

  8. Re:who's on first? by tacarat · · Score: 2, Funny

    So did everybody else, no? I'm happy for URLs. Back when you could only connect by knowing the correct IP, 69.69.69.69 was pretty much the only porn site on the web... well, strand.

    --
    "Common sense will be the death of us all"
  9. Easy by Jazz-Masta · · Score: 3, Interesting

    Before you order a co-lo, agree that it has to pass certain checks, such as a blacklist check.

    http://www.mxtoolbox.com/blacklists.aspx

    As for decreasing IP space, IPv6 (real or tunneling) is available at most large co-lo places, so that won't be a problem.

  10. Re:haha funny by Anonymous Coward · · Score: 2, Informative

    Read this before you post again.

  11. You Don't. That's the point. by Tackhead · · Score: 5, Insightful

    How, in a few years, will I tell if some Hosting/Colo sold me Whitechapel Road/Ventura Avenue for Mayfair/Boardwalk prices, and no one is going to accept my mail from a former slum?

    As the purchaser, you probably can't. But what you can do is demand that your provider move you to a better IP neighborhood, or renegotiate (read: "tear up") the contract.

    Blocklists aren't about playing whack-a-mole with spammers, they're about disincentivizing spam-friendly providers.

    If you're an ISP or hosting provider, and you harbor spammers and botnets, the IP ranges you hold are permanently devalued. That means it's harder for you to get customers, more expensive to support your legitimate customers, and your business, when you decide to sell it, is worth less than if you'd booted the goddamn spammers off your network when you had the chance.

    Car Analogy: If you're doing your own oil changes, and instead of hauling the waste oil to a recycler, you dump it into your backyard, don't complain when you try and sell your house and the highest bid still leaves you $100,000 underwater on your mortgage, or requires you to spend $150,000 remediating it. Your property is worth less than it could have been, had you only been a better steward of it.

  12. 90 percent of blacklists are crap... by bmo · · Score: 4, Funny

    ...because 90 percent of everything is crap.

    > So too, now Geocities is dead [as a business], but does that still live in your filter list? It still appears in OpenDNS under several policy categories.

    If you filter via OpenDNS, then you get what you deserve.

    If you've done *any* metamoderating of OpenDNS website classifications, you will soon decide that poo flinging chimpanzees are more accurate.

    I came, I saw, I ran away screaming.

    --
    BMO

  13. 4chan by meow27 · · Score: 5, Insightful

    Isn't THAT the slum of the internet?

    1. Re:4chan by Fry-kun · · Score: 2, Funny

      /b/ is the first thing that came to my mind as well

      --
      Did you know that "FTW" ("for the win") is a direct translation of "Sieg Heil"?
    2. Re:4chan by petrus4 · · Score: 3, Insightful

      Mod parent +5,000, Insightful.

      Seriously; if maintaining your level of faith in the compassion, empathy, and fundamental decency of the human species is something you care about, don't ever visit 4chan.

      That site is very little more than a showcase of the very worst, morally, psychologically, and emotionally, that humanity is capable of.

    3. Re:4chan by foo1752 · · Score: 5, Funny

      Mod parent +5,000, Insightful.

      You missed your chance, dude. You should have said: Mod parent over 9000, Insightful.

  14. Re:Obligatory grammar nazi by ledow · · Score: 4, Funny

    I once passed a shop offering "Sandwich boxe's". I call it hedge-your-bets punctuation...

  15. 1 year by scorp1us · · Score: 4, Insightful

    Everything should expire after a year.

    I also would suggest this in government. That all laws get renewed to automatically expire after 10 years. That way we can keep the law makers busy keeping the good laws while letting the old ones die, as well as keeping them from making crappy new ones that won't survive a 10 year renewal.

    --
    Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
    1. Re:1 year by zippthorne · · Score: 2, Insightful

      Agreed. Also, all laws must be read into the record. That'll put an upper bound on the sheer magnitude of legislation and guarantee that the aforementioned laws have been read at least once.

      --
      Can you be Even More Awesome?!
    2. Re:1 year by QuoteMstr · · Score: 3, Insightful

      Reading every law? What about the building code? What about trade duty schedules? What about the tax law (a lot of the complexity of which is actually necessary)? I'm sure you can find many more examples. It's as if you're asking for every computer program to be dictated by telephone. Your request reflects a very naive view, namely that complex societies like ours can be governed by simple laws.

      If we actually tried what you suggest, what we'd see is simple legislation. Because these laws would be simple, they couldn't address subtleties and special cases, and as a result, these laws would cause a lot of injustice. Is this the world you'd really like to live in?

      I never understood how people like you can see all law as universally bad, and how you actually hope for a "gridlock". Bad government is bad, yes, but good government is also good. You'd argue that all government is bad government, but if you look around, any reasonable person will see that argument is nonsense. Only ideologues maintain that government is always the problem.

  16. Re:How does one renovate and recoup the lost trust by proxy318 · · Score: 5, Funny

    You don't. The Internet never forgets, never forgives.

    Never sleeps either. The internet waits.

    --
    Saying your "phone ran out of batteries" is like saying your "car ran out of gas tanks".
  17. Re:I like the Ras Al Gul approach by AnEducatedNegro · · Score: 5, Interesting

    My problem with that is when you get reassigned IP space from a spammer. My host acquired a block from ARIN, which used to host Russian servers. Well these Russian servers were apparently spambots because I just recently found out yahoo does not accept mail from any of my servers. This is a major problem and jumping ship to another host does not guarantee this problem will go away. I had no clue who to contact and ended up requesting new IP space from my provider... but that caused a world of pain for my customers.

    I used to think my old boss was crazy when he said he never wanted our antispam solution to rely on any blacklist provider and it didn't really sink in until I was on the opposite end of the spectrum. Blacklists are bad.

    aEN

  18. Re:who's on first? by tubeguy · · Score: 4, Funny

    It's still the coolest IP on the net.

  19. Re:who's on first? by secolactico · · Score: 5, Informative

    nslookup -q=ptr 69.69.69.69.in-addr.arpa

    Non-authoritative answer:
    69.69.69.69.in-addr.arpa name = the-coolest-ip-on-the-net.com

    Well, I'll be... I honestly didn't expect that. Duh...

    --
    No sig
  20. Re:who's on first? by bipbop · · Score: 2, Interesting

    My favorite IP is 4.8. I often ping it, just for the joy of, well, pinging 4.8! I can't really describe it. You'll just have to try it to see what I mean.

  21. My situation by i_ate_god · · Score: 4, Interesting

    When I set up my first postfix daemon, I failed. Took me days. One day, it seemed like it was working, but wasn't accepting username and password logins. I went to bed, didn't stop postfix.

    The next day I get an email from my colo asking why some of my IPs are being blacklisted. The colo apparently got notified that two of my IP addresses are spammers. I looked at my logs and sure enough, I stupidly let postfix run as an open smtp server and some guy started using it to send out spam.

    So I stopped that, but now what? Yahoo won't accept my emails. Craigslist won't accept my emails. Hotmail moves them into the junk folder. Yahoo had the best help.

    http://help.yahoo.com/l/us/yahoo/mail/postmaster/errors/;_ylt=ArX8PxnGVabUYKQmtOrSQN5vMiV4

    So the error message I was getting from Yahoo was related to spamhaus. I stopped postfix, finally got it up and running properly with authentication, and sent an email to the SBL list guys ( http://www.spamhaus.org/sbl/delistingprocedure.html ) and got delisted pretty quickly.

    Sending emails to Yahoo now worked fine. Other places were slower to realize that I was not a spammer, but all in all, it took about 6 months for the dust to settle, and a few more emails to various places to say "hey! I am not a spammer!".

    For a major business, this can be a problem, but these lists aren't private. When doing research on where to create your new home on the internet, checking to see if they are blacklisted anywhere first would be a prudent thing to do.

    --
    I'm god, but it's a bit of a drag really...
  22. Re:who's on first? by geminidomino · · Score: 2, Interesting

    It makes me sad that it points to a link farm...

  23. Re:who's on first? by aussie_a · · Score: 3, Funny

    You see porn is bad. Because it has naked people in it pretending to have sex. Which is bad because sex isn't fun, it's a terrible thing that must be endured for the betterment of society. Or something. I dunno, don't ask me hard questions. It's in the bible, right after god said to go forth and multiply...

    Sex = bad! Stop questioning things!

  24. Re:blocklisted? by gujo-odori · · Score: 2, Insightful

    Among antispam industry professionals (yes, I am one) the term blocklist appears to be slowly displacing blacklist as the term of choice.

  25. Re:I like the Ras Al Gul approach by tempest69 · · Score: 2, Insightful

    I like the blacklist... I have a quarter million addresses in mine. If you're on one, you need to pitch the address and get a fresh one, because you're never getting clean internet access again. The addresses are tainted for at least a decade. I don't even let blacklisters surf my sites.

    Though I would like to see ARIN report a list of freshened addresses (with purchaser approval of course), with digital sig and time stamp, so I could fix my blacklist.. I don't see any easier feasible way to proceed.

    Storm

  26. Blacklists should expire aggressively by badger.foo · · Score: 2, Interesting

    The problem here seems to be badly maintained blacklists. After seeing way too many false positives on various blacklists out there, the only lists I would use are ones that expire their entries in a matter of days or hours. The good ones that I use are uatraps (greytrapping generated, 24 hour expiry) and nixspam (IIRC max 4 days after last seen spam activity). Then of course I maintain my own greytrap list (see the traplist homepage and the traplist ethics page for details).

    The point is, you need to expire entries aggressively. Keeping entries around because somebody received a spam from somewhere in that general direction four years ago is just silly. And don't get me started on blacklisting domains. If there is one thing we know with almost total certainty, it is that spammers never use From: or Reply-to: addresses that have anything vaguely to do with the real senders.

    --
    -- That grumpy BSD guy - http://bsdly.blogspot.com/
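    The two points made in this thread by eln (blocklists should be a small weighted input to a spam score, not the sole gate) and by badger.foo (entries should lapse within hours or days of the last spam sighting) can be combined in one small filter model. The example below is added here and is not code from any poster or from the uatraps/nixspam projects; the list names are taken from the post, but the TTLs, weights, thresholds and 192.0.2.0/24 addresses are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ExpiringBlocklist:
    """An IP blocklist whose entries lapse a fixed time after the last spam report."""
    name: str
    ttl_hours: float                 # how long an entry lives after last-seen spam
    weight: float                    # how much a hit adds to the spam score
    _seen: dict = field(default_factory=dict)   # ip -> last report time (hours)

    def report(self, ip, now):
        """Record a spam sighting from ip at time now; refreshes the expiry clock."""
        self._seen[str(ipaddress.ip_address(ip))] = now

    def purge(self, now):
        """Drop entries older than ttl_hours. Returns the number removed."""
        stale = [ip for ip, t in self._seen.items() if now - t > self.ttl_hours]
        for ip in stale:
            del self._seen[ip]
        return len(stale)

    def listed(self, ip, now):
        """True only while the entry is within its TTL, even before purge() runs."""
        t = self._seen.get(str(ipaddress.ip_address(ip)))
        return t is not None and now - t <= self.ttl_hours


BLOCK_THRESHOLD = 5.0    # constructed thresholds for the demo
JUNK_THRESHOLD = 3.0


def spam_score(ip, now, lists, content_hits, spf_pass):
    """Blocklist hits are one weighted signal among several, never a hard reject."""
    score = sum(bl.weight for bl in lists if bl.listed(ip, now))
    score += 2.0 * content_hits          # e.g. bayesian / heuristic rule matches
    if not spf_pass:
        score += 1.0
    return score


def verdict(score):
    if score >= BLOCK_THRESHOLD:
        return "block"
    return "junk" if score >= JUNK_THRESHOLD else "accept"


def demo():
    """Constructed scenario: one IP last reported long ago, one ten hours ago."""
    uatraps = ExpiringBlocklist("uatraps", ttl_hours=24, weight=1.5)
    nixspam = ExpiringBlocklist("nixspam", ttl_hours=96, weight=1.0)
    lists = [uatraps, nixspam]
    now = 1000.0
    for bl in lists:
        bl.report("192.0.2.10", now - 500)   # old spammer; netblock since reassigned
        bl.report("192.0.2.20", now - 10)    # spam seen ten hours ago
    purged = {bl.name: bl.purge(now) for bl in lists}
    cases = {
        "reassigned_clean": spam_score("192.0.2.10", now, lists, 0, True),
        "listed_clean_mail": spam_score("192.0.2.20", now, lists, 0, True),
        "listed_spammy_mail": spam_score("192.0.2.20", now, lists, 2, False),
        "unlisted_spammy_mail": spam_score("192.0.2.30", now, lists, 3, False),
    }
    return purged, {k: (s, verdict(s)) for k, s in cases.items()}


if __name__ == "__main__":
    print(demo())
```

    The reassigned address scores zero once its entries have lapsed, and a currently listed sender with otherwise clean mail is only nudged, not rejected, which is exactly the behaviour eln describes.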
  27. Re:I like the Ras Al Gul approach by Bob+Ince · · Score: 2, Informative

    It will be nearly impossible to get delisted, too, and for good reason. For years the Russian malware gangs played silly buggers with changing names, corporations and hosting providers to pretend to be different unrelated entities whilst still engaging in the abuse.

    So “but I bought this netblock from someone else, I'm not a hacker!” is, unfortunately, something we've already heard many times from the hackers.

  28. Re:I like the Ras Al Gul approach by Trolan · · Score: 2, Informative

    You mean something like http://lists.arin.net/pipermail/arin-issued/?

    Not digitally signed, but it's easy enough to validate the source from the source IP and headers anyway for this kind of thing. The main item of note would be the deletes, as they indicate a return of address space.