Naming and Shaming "Bad" ISPs

An anonymous reader writes "Brian Krebs takes a provocative look at ISP reputations, collecting data from 10 different sources that track 'badness' from a multitude of angles, from phishing to malware to botnet command and control centers. Some of the lists show very interesting and useful results; the ISPs that are most common among the various reputation services are some of the largest ISPs and hosting providers, including ThePlanet and Softlayer. The story has generated quite a bit of discussion in the security community as to whether these various efforts are measuring the wrong things, or if it is indeed valid and useful to keep public attention focused on the bigger providers, since these are generally US-based and have the largest abuse problems in terms of overall numbers."

Wow, I feel bad for ThePlanet.com

[jeffmeden]

These measurements might not be 100% accurate at identifying the root of each of the problem areas, but when an ISP is on all but one of the top ten lists, you have to start wondering what they are doing wrong. ThePlanet.com, what gives? Too many undereducated customers running infected servers? No top level detection and deactivation process in place? Seems like there are a lot of things missing.

I think it'a about the same all over

[agoliveira]

One of the largest ISPs in Brazil, Locaweb, is the main source of spam and malware I get and it's not only about numbers. They just ignore every single complain I've done.

ThePlanet

[Manip]

It is a shame that ThePlanet is doing so badly. I've used them before for dedicated hosting and was very happy with the service I received. I will say that they are very "hands off" (which is generally good, but bad in this case). I think one has to remember that this is a chart of which ISPs are most responsive and active in stopping abuse originating from their network and not some kind of general review of the service they offer.

That being said I think all the ISPs listed should be unhappy about appearing on these lists and should actively be trying to fix their reputation or risk getting blacklisted.

Network neutrality

[BadAnalogyGuy]

You take the good. You take the bad. You take them both, and there you have Net Neutrality.

Net Neutrality. When the world never seems to be living up to your dreams, and suddenly you're finding out Net Neutrality isn't all about you.

Re:New Jersey

[sopssa]

Some of the ISP's in the list are huge hosting companies, namely ThePlanet, Layered Tech, Leaseweb, OVH.. You have no idea how big they are unless you've visited one of their data centers. They host millions of servers. How would they check it all? For that matter, who wants their data center staff snooping around in your server?

Being one of the largest hosting companies in the planet obviously brings in bad guys too.

Re:New Jersey

[agoliveira]

Please. If you are a big company you need to be prepared to deal with larger portions of the same: good tools, good (and bigger) staff, a specialized security/response team. It's like any other company, One can't expect to run a large company with the same resources used in a small one.

Laughable

[Threni]

Why would anyone (home user/corporate etc) care about any of that? It doesn't make their network/access any less safe. People go for cost, then performance. If I can get a good deal from an ISP, why do I care about how many follow customers are incapable of managing their systems?

Re:Laughable

[Antique+Geekmeister]

Because it does make your network less safe. Having the script kiddies, the spammers, and the harvesters active on your subnet exposes you much more directly to their abuses, and to the likelihood that your logs will be cluttered with the attacks from their servers. It also gets _you_ added to email blacklists and routing table blackholes, because your customers may be tired of the abuse from your network and find it far simply to simply block you.

The expense of a more reliable and secure server is an issue. But there's nothing like the self-righteous DDOS attacks that have occurred against networks that serve abusers to clutter the traffic of even innocent clients: it imperils the service for legitimate, paying customers. Cases like "agis.net", who hosted the Cyberpromo spammers before a DDOS against them finally got them to take action, make a fascinating study in the risks of hosting abusers. Conversely, xinnet.com in China is happy to host spammers: with the size of their service and the limited choices available to consumers in China, they're effectively immune from prosecution or attack.

It's not my problem, my customer is doing this!

[wowbagger]

The big hosting providers ALL have the same attitude when you contact them about abuse:

"WE aren't doing this, that is one of the customers of one of our resellers, we won't do anything, talk to the reseller."

Of course, the reseller says "Screw you, they are paying us good money and you aren't."

Softlayer is a VERY good example of this: a Softlayer hosted site has repeatedly been spamming the Wine Developers mailing list for their crap. I have personally emailed Softlayer about it on more than 10 separate occasions, and have heard ZERO back from them. They don't care (even though their site claims they are aggressively anti-spam - BULLSHIT! words are cheap, actions are not, and Softlayer HASN'T ACTED!)

The spam problem isn't complicated to solve, it is actually pretty simple to solve (though not EASY to solve!) - just follow the "shit flows downstream" principle. If a host is doing bad things, look up who owns the network they are on, and MAKE IT THAT ENTITIE'S PROBLEM to solve it. However the problem is solved - be it "Hey, your server's infected" "OOPS fixed now sorry!", be it "We have blocked outgoing connections from your system until you fix it.", be it "Boss axed me an' Nunzio to has a talk wit ju about youses' server...." - doesn't matter as long as the problem gets solved. If it DOESN'T get solved, then the network owner becomes the problem entity, and you move to their hosts.

The only hard part is bringing some form of negative consequences to bear upon the network owners - you either need a law (and then you have a hard time dealing with systems outside your law's reach - all you can do is place the problem on the point of demarcation to your jurisdiction), or you need something with a wider reach, like publicity.

(and to all you morons about to copy and paste the "spam solutions form" - that meme is old enough to drink and vote, let it die already, OK?)

Re:New Jersey

[Antique+Geekmeister]

True, but you also have to prepare a budget for it. You can choose the contracts for careless or even malicious customers who would not accept a more sane or secure overall environment, including spammers and l33t d00dz who insist that "the Internet is free!!!" and "why can't I run my own NFS/SMB/HTTP/SMTP/FTP/IRC/Bittorrent server, I paid my $19.99/month!!!!" And slapping them down and turning them away lowers your potential customer base: a lot of ISP's worry a lot about "market penetration", and rely on being the locally dominant player. Following up properly on complaints against those abuse customsers also takes serious engineering and legal reources, none of which generates revenue.

Conversely, some ISP's do well with the superior service being security aware can provide. They don't get overwhelmed by surprise Bittorrent or FTP deluges against hosted servers, they channel outbound SMTP through servers that require authentication so the spambots can achieve nothing without passwords and they disconnect machines spewing Windows worms around their local network. and they keep their routers up-to-date with security patches to avoid getting re-routed. Some of us appreciate the resulting protection, and pay for it in our monthly bill rather than in expensive internal engineering cleaning up the messes.

Major domains being exploited

[Animats]

We've been doing something like this at SiteTruth for two years. We have the list of major domains being exploited by active phishing scams. This is simply a list of domains that are both in PhishTank (about 100,000 entries) and Open Directory (about 1.5 million entries). Today, 84 domains are in both. There's been a surge; it was 54 two days ago.

Domains are on this list for one of several reasons.

1. They had a break-in, and didn't clean it up. Generally, the sites with this problem for long periods are ones without effective contact information, so there's no easy way to tell them about their problem.
2. They have an open redirector. Those are rare now, but were common two years ago. Yahoo, eBay, and Microsoft Live all used to have open redirectors. After much nagging, and some press coverage, the big players have plugged that hole.
3. They're a hosting service, especially a free hosting service. Free hosting services need to be very aggressive about checking themselves for exploits. The smarter players now read the PhishTank and APWG feeds automatically, to detect abuses of their own systems. Right now, "t35.com" is suffering from a massive attack, with 227 pages in PhishTank. Their problem is that they're being attacked by a program, but are cleaning up by hand. Every day they kick off hundreds of phishing pages, but they can't keep up. The previous site with the worst problems was "piczo.com" (some kind of social network/hosting service for teenage girls), but they've been gaining on the problem.
4. They're an ISP There are a few ISPs with phishing sites they just never seem to kick off. Most of the active ones were kicked off long ago. In fact, other than ISPs which are also hosting services, we show only one entry in this category, and it's a DSL line on RoadRunner that redirects to a dead page.
5. They're a "short URL" service. These are popular as a way to get phishing URLs past spam filters. The "short URL" services have become much more aggressive about kicking off phishing URLs over the last year.

While this is to some extent a "blame the victim" approach, it's more effective than "phishing education" aimed at end users. Hundreds of webmasters have to be educated, not hundreds of millions of end users.