Slashdot Mirror
Recovering the Slums of the Internet?
turtleshadow writes "Brian Krebs of the Security Fix Blog analyzes the McColo Spamming one year later and asks an interesting question: 'How does one renovate and recoup the lost trust to the slums of the Internet and reclaim back all the domains and IPs that have been blacklisted?' Indeed, the economic benefits abound when a huge swath of illegal and annoying activity ceases — but given the basic design of the Internet, what happens over the long run to IP space and DNS when hosting companies come and go and vary in their trustworthiness? So too, now Geocities is dead [as a business], but does that still live in your filter list? It still appears in OpenDNS under several policy categories. How, in a few years, will I tell if some Hosting/Colo sold me Whitechapel Road/Ventura Avenue for Mayfair/Boardwalk prices, and no one is going to accept my mail from a former slum? When do you, if ever, roll back the blacklists and filters for 'dead' threats and spammers?"
Stop relying on blacklists as your primarily (or only!) filtering mechanism. There are far more sophisticated filtering solutions out there these days. Filtering based solely on blacklists is antiquated, ineffective, and vulnerable to massive issues with false positives. If you only use blacklisting as a very small part of your overall filter scoring, you won't have problems when the IPs in question get turned over to non-spammers. Sure, they'll still end up with a non-zero "spam" score, but not a high enough one to be blocked.
And, of course, you should regularly be looking at your entire setup, including filtering, on a regular basis to make sure the solution you have is still the best one for your situation. Technology, and the Internet, changes too rapidly to take a "set and forget" attitude toward anything, especially filtering.
You don't. The Internet never forgets, never forgives.
When do I clean addresses and domains out of my filters? Usually never. It's just too much trouble to keep tabs on all of them and actively look for them being cleaned up. Once they're in the filters, there they stay until something happens to make me take a look at them. Usually that something'll be someone I know getting caught by the e-mail filters and contacting me out-of-band to find out why I'm not responding to their mail. Or it might be me trying to go to a site I added to the filters ages ago and being blocked when I know it should be clean now, and I go and find it and remove it. But generally, unless something like that motivates me, I've got better things to do with my time than keeping track of all the bad guys I've run across over the years and whether they've mended their ways or not.
In addition, at least one fraud expert who works with a number of big name retailers said online retail fraud rates fell from around $250,000 per day to zero for a short time following McColo's takedow
Why aren't the cops there getting customers lists from McColo and going after the fraudsters?
As far as the toxic waste is concerned, have the Government take those toxic address and have the Government turn their current addresses back into the pool. That will detox those addresses quick.
It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
Yes, but if someone tries to create a new Biosphere and call the project "GeoCity", a website about the project will find itself needlessly blocked by filter rules set years ago and were never removed.
Before you order a co-lo, agree that it has to pass certain checks, such as a blacklist check.
http://www.mxtoolbox.com/blacklists.aspx
As for decreasing IP space, IPv6 (real or tunneling) is available at most large co-lo places, so that won't be a problem.
As the purchaser, you probably can't. But what you can do is demand that your provider move you to a better IP neighborhood, or renegotiate (read: "tear up") the contract.
Blocklists aren't about playing whack-a-mole with spammers, they're about disincentivizing spam-friendly providers.
If you're an ISP or hosting provider, and you harbor spammers and botnets, the IP ranges you hold are permanently devalued. That means it's harder for you to get customers, more expensive to support your legitimate customers, and your business, when you decide to sell it, is worth less than if you'd booted the goddamn spammers off your network when you had the chance.
Car Analogy: If you're doing your own oil changes, and instead of hauling the waste oil to a recycler, you dump it into your backyard, don't complain when you try and sell your house and the highest bid still leaves you $100,000 underwater on your mortgage, or requires you to spend $150,000 remediating it. Your property is worth less than it could have been, had you only been a better steward of it.
...because 90 percent of everything is crap.
> So too, now Geocities is dead [as a business], but does that still live in your filter list? It still appears in OpenDNS under several policy categories.
If you filter via OpenDNS, then you get what you deserve.
If you've done *any* metamoderating of OpenDNS website classifications, you will soon decide that poo flinging chimpanzees are more accurate.
I came, I saw, I ran away screaming.
--
BMO
Simple. Do not call your web site goatse, or geocities. If someone registers that domain name, because he's too young to remember, or whatever... He'll figure out pretty quickly that things don't work for him, so he'll pick a different domain name, like goatsrus, geotowns, geomegacities, or whatever.
Frankly, I think that there are more pressing problems to think about.
isnt THAT the slum of the internet?
I once passed a shop offering "Sandwich boxe's". I call it hedge-your-bets punctuation...
Everything should expire after a year.
I also would suggest this in government. That all laws get renewed to automatically expire after 10 years. That way we can keep the law makers busy keeping the good laws while letting the old ones die, as well as keeping them from making crappy new ones that won't survive a 10 year renewal.
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
You don't. The Internet never forgets, never forgives.
Never sleeps either. The internet waits.
Saying your "phone ran out of batteries" is like saying your "car ran out of gas tanks".
Simple. Do not call your web site goatse, or geocities. If someone registers that domain name, because he's too young to remember, or whatever... He'll figure out pretty quickly that things don't work for him, so he'll pick a different domain name, like goatsrus, geotowns, geomegacities, or whatever.
I'm going to start a free hosting service for shock sites called Goatsecities...
My problem with that is when you get reassigned IP space from a spammer. My host aquired a block from ARIN, which used to host russian servers. Well these russian servers were apparently spambots because I just recently found out yahoo does not accept mail from any of my servers. This is a major problem and jumping ship to another host does not guarantee this problem will go away. I had no clue who to contact and ended up requesting new ip space from my provider... but that caused a world of pain for my customers.
I used to think my old boss was crazy when he said he never wanted our antispam solution to rely on any blacklist provider and it didn't really sink in until I was on the opposite end of the spectrum. Blacklists are bad.
aEN
It's still the coolest IP on the net.
nslookup -q=ptr 69.69.69.69.in-addr.arpa
Non-authoritative answer:
69.69.69.69.in-addr.arpa name = the-coolest-ip-on-the-net.com
Well, I'll be... I honestly didn't expect that. Duh...
No sig
When I setup my first postfix daemon, I failed. Took my days. One day, it seemed like it was working, but wasn't accepting username and password logins. I went to bed, didn't stop postfix.
The next day I get an email from my colo asking why some of my IPs are being blacklisted. The colo apparently got notified that two of my IP addresses are spammers. I looked at my logs and sure enough, I stupidly let postfix run as an open smtp server and some guy started using it to send out spam.
So I stopped that, but now what? Yahoo won't accept my emails. Craigslist won't accept my emails. Hotmail moves them into the junk folder. Yahoo had the best help.
http://help.yahoo.com/l/us/yahoo/mail/postmaster/errors/;_ylt=ArX8PxnGVabUYKQmtOrSQN5vMiV4
So the error message I was getting from Yahoo was related to spamhaus. I stopped postfix, finally got it up and running properly with authentication, and sent an email to the SBL list guys ( http://www.spamhaus.org/sbl/delistingprocedure.html ) and got delisted pretty quickly.
Sending emails to Yahoo now worked fine. Other places were slower to realize that I was not a spammer, but all in all, it took about 6 months for the dust to settle, and a few more emails to various places to say "hey! I am not a spammer!".
For a major business, this can be a problem, but these lists aren't private. When doing research on where to create your new home on the internet, checking to see if they are blacklisted anywhere first would be a prudent thing to do.
I'm god, but it's a bit of a drag really...
You see porn is bad. Because it has naked people in it pretending to have sex. Which is bad because sex isn't fun, its a terrible thing that must be endured for the betterment of society. Or something. I dunno, don't ask me hard questions. Its in the bible, right after god said to go forth and multiply...
Sex = bad! Stop questioning things!