Carrier Trick To Save IPv4 Could Help Spammers

Julie188 writes "As public IPv4 addresses dwindle and carriers roll out IPv6, a new problem has surfaced. We have to move through a gray phase where the only new globally routable addresses we can get are IPv6, but most public content we want to reach is still IPv4. Multiple-layers of NAT will be required to sustain the Internet for that time, perhaps for years. But use of Large Scale NAT (LSN) systems by service providers will cause problems for many applications and one of them is reputation filtering. Many security filtering systems use lists of public IPv4 addresses to identify 'undesirable' hosts on the Internet. As more ISPs deploy LSN systems, the effectiveness of these IPv4 filtering systems will be hurt."

Why not just use longer names?

Like microsoft.company.com Simple solution.

Re:Why not just use longer names?

[MrEricSir]

Domain name != IP address

Re:Why not just use longer names?

[windcask]

Subdomains have nothing to do with IP addresses, other than they can point to them using A Records. DNS != IPV4

Re:Why not just use longer names?

The grandparent sounds ignorant, but in essence is correct. This is what was done with phone numbers and area codes for example, and by simple logic is the way around this problem. It's the DNS implementation that is the technical difficulty, but only because the people who work on networks tend to be the PhDs who picked networking as a specialty because they weren't smart enough to work with the better people in their department, and do graphics or programming languages for example.

Re:Why not just use longer names?

[ldobehardcore]

-1 for not even remotely knowing what you're talking about.
But anyway, IPv6 is essentially the same thing as using a longer name. Instead of having only 2^32 addresses, IPv6 has 2^128 addresses. Enough to give every man woman and child on earth a trillion permanent addresses a year for 4.85*10^16 years. (caveat: assuming the population will stay at 7 billion people for 4.85*10^16 years)

Re:Why not just use longer names?

[hairyfeet]

While what you say is true, what you and the other "just switch to IPV6 already" folks seem to be missing out on is if everyone was to switch at noon tomorrow in all likelihood you would be looking at MASSIVE outages, which would go on for weeks if not months. Why? Multiple reasons:

One, thanks to offshoring IT has been a dying field for quite awhile now, with fewer and fewer new blood coming in. What that means is in the flyover states you have most if not all the backbones being run by old guys who haven't kept up on the tech, and from the ones I've talked to most are looking to get out of IT if at all possible. That means the experience just isn't there, it isn't gonna be there, and many will take early retirement or just get out rather than deal with the IPV6 mess. That in turn means things that take minutes to fix in IPV4 will take days in IPV6 simply because nobody knows how to use the new tools.

Two: Infrastructure. There is a hell of a lot of VERY expensive equipment out there that either cannot be upgraded to IPV4, or could be but is no longer "supported" by the OEM, which means a MASSIVE amount of money will have to be spent in a dead economy. Now considering these cableco/teleco duopoly sure as hell ain't gonna take a CEO pay cut, that either means pay for it by gouging the customers even deeper, which in most flyover areas Internet usage is declining thanks to price gouging, or make it up by screwing the workers even harder, which results in number one above. Then add in the fact a good 90%+ of the routers and firewalls and other network devices in consumer homes WILL NOT support IPV6, and in fact most of the routers sold today STILL DON'T support IPv6 and the ones that do are triple price compared to the others, means you are talking MASSIVE amount of eWaste is about to be hitting the environment. You are talking truckloads of routers, modems, all having to be shitcanned. Again this will raise cost that the consumer WILL get stuck with in a dead economy.

So you see, there is a damned good reason that they are gonna string along IPV4 for every last second they can. They will do so because it is gonna be a massive clusterfuck when the switchover comes, with complaining customers because NOTHING in their house works, no IT guys with experience enough to fix even the simplest of problems, and warehouses worth of gear, both dirt cheap and ridiculously expensive, all having to be taken straight to the dump. Frankly it is NOT gonna be pretty, not at all.

Re:Why not just use longer names?

[Pf0tzenpfritz]

While what you say is true, what you and the other "just switch to IPV6 already" folks seem to be missing out on is if everyone was to switch at noon tomorrow in all likelihood you would be looking at MASSIVE outages, which would go on for weeks if not months.

If that's all, I'll be fine with it.

Re:Why not just use longer names?

[butlerm]

IPv6 has 2^128 addresses

Network addressing is hierarchical, so we will probably be running out of IPv6 addresses long before ~2^48 subnets are allocated. Of course that is still a few trillion.

You couldn't make a router big enough to process 2^48 subnets (let alone 2^64) directly. The hierarchy is necessary, and hierarchy means lots of "wasted" address space. To say nothing of the fact that the right most 2^64 bits of each IPv6 address aren't really routable at all - not without playing games at any rate.

So the whole idea that IPv6 supports 2^128 addresses in real life is some sort of cosmic joke. I bet it won't be a hundred years before people are chafing at the limitations of the IPv6 addressing system.

Re:Why not just use longer names?

[butlerm]

err, right most 64 bits, not 2^64...

Re:Why not just use longer names?

you really slid that anti-networking jab in there, didn't you.
the idea that network people aren't as smart as graphics people is ludicrous, and mostly highlights the chip on your shoulder.

Figures

[DarkKnightRadick]

Those who said NAT wasn't the answer: You are correct, unless you are a spammer, in which case this is a windfall.

Re:Figures

[Ironchew]

NAT is fine for people who only make outgoing connections; i.e. the passive internet consumer.
It's hell for the rest of us, but hey, since when did the massive media conglomerates ever have the techies' interests at heart?

Re:Figures

[petermgreen]

ISP level nat sucks but I don't think we have a lot of choice.

IPv4 IPs will become a scarce resource and as such will get reallocated from less lucrative customers to more lucrative ones. Whether that allocation will only happen within ISPs or whether it will be allowed to happen between ISPs is unclear at the moment but it is pretty sure to happen.

Those who aren't profitable enough to give a public V4 IP will still need to reach IPV4 only servers and/or use IPV4 only applications (remember apps both client and server have to support v6, not just the OS) for the forseeable future. ISP level NAT is the only way to deliver that.

Re:Figures

[Ironchew]

remember apps both client and server have to support v6, not just the OS

Really badly written programs.
Seriously. I've written stuff in C with the sockets API that is IPv4/v6 agnostic. It's easy to do; there is no excuse for not implementing it.

Re:Figures

[jamesh]

NAT is fine for people who only make outgoing connections; i.e. the passive internet consumer.

Unless the passive internet consumer uses P2P software, or VoIP (from a provider which is not their ISP), which is harder with NAT and probably requires active participation from the ISP to make it work. The RIAA might have a few things to say about that.

Re:Figures

[JSG]

My ISP (AAISP) actively encourage IPv4 address exhaustion AFAICT.

They gave me a /29 + a /32 for my router for home use and probably would have given me more if I'd asked. At work I asked for a /28 and got a /27.

They also give out a /48 IPv6 subnet to all customers and instructions for use. They can do IPv6 over PPPoA (this is the UKoGB) natively and provide a IPv6 to 4 tunnel broker for those that need it.

Have a look at your Spam Assassin headers and see that quite a lot of marks are not related to IP address. I have found DNSBLs handy up to now but I think I'll accept that as these lose their efficiency during IP version handover my spamds and MTAs will get a bit more of a battering for a while.

Never mind processing power is pretty cheap.

I have a customer with around 16 million unique IPs trying to get in each week - a spambot net of some sort (Russian and Chinese IP feature a lot). An Exim process is being spawned for each connection along with a spamd and possibly clamd session. The box is a dinky Dell single processor server and it barely breaks a sweat.

Cheers
Jon

Re:Figures

[petermgreen]

Really badly written programs.
Or just old programs.

Afaict windows didn't have getaddrinfo until XP (unless you count the version in the IPV6 technology preview for 2K). It's predecessor gethostbyname only supports IPV4. MS does offer a wrapper to help with this but afaict that only helps if you are coding with MSVC[++] (I ended up writing my own wrappers for fpc/delphi, not too hard but definitely extra effort)

Further it seems while windows has wsaasyncgethostbyname there is no wsaasyncgetaddrinfo. So if you want to do a v6 capable name lookup without blocking the rest of your app you have to do it on another thread.

P.S. yes I HAVE implemented code (in delphi style pascal) directly on the low level apis that supported both v4 and v6 and async lookups (by using a thread) and supported older operating systems (by using getprocaddress and my own "v4onlygetaddrinfo" if the getprocaddress fails). I wouldn't exactly call it trivial though.

Re:Figures

[petermgreen]

My ISP (AAISP) actively encourage IPv4 address exhaustion AFAICT.
It's really not in ISPs interests to conserve IPs at this point. The more IPs they can get out of the RIRs now the more IPs they will have to reuse for more lucrative customers later.

Re:Figures

[icebraining]

Or non-dedicated game hosting. Wasn't Modern Warfare dependent on users hosting the games themselves? How would that work with NAT?

Re:Figures

[easyTree]

The RIAA might have a few things to say about that.

"Damn you filthy file-sharers! Thanks to you, at my last party I only had seven buckets of blow and forty hookers rather than the ten buckets and sixty hookers that are accepted as an industry-norm for this type of affair. Damn you all!"

for example

Re:Figures

[Skrapion]

Those aren't insurmountable. We're talking about a transition period here, so the assumption is that people will have unNATed IPv6 addresses, and you can use those to connect to peers. VoIP also doesn't necessarily need to allow incoming traffic, as long as there's a central server that can bounce the traffic. Services like Skype and MSN already do this, because customers usually aren't handy with opening ports.

Re:Figures

[Skrapion]

All of the players will either have:
* an IPv6 address and a (possibly NATed) IPv4 address, or
* an unNATed IPv4 address.

If the entire group of players falls into the same category, then it's a non-issue. If it's mixed, then one of the players in the second category should run the server.

Re:Figures

[segin]

Pastebin example code or it didn't happen.

Re:Figures

[shentino]

In short, the gold rush is beginning.

Re:Figures

[Z00L00K]

Until the day when a major ISP implements LSN and then gets blocked. Then they do figure that it's a bad idea.

However most ISP:s are extremely lazy and aren't even considering IPv6 because they are waiting for everyone else to do it.

Re:Figures

async calls in WinSock are deprecated - use a worker thread

Re:Figures

[TheRaven64]

The protocol agnostic socket functions (getaddrinfo() and friends) were not part of POSIX until 2004, and were not widely supported until a bit later (even now, most resolvers don't check SRV records when using getaddrinfo()). If you've got any C libraries that are more than a couple of years old, they'll either only support IPv4 or need different code paths for different network protocols (and guess how well tested the IPv6 path will be).

Re:Figures

[SuricouRaven]

Many ISPs hate P2P software because it uses so much bandwidth they are forced to spend more on their infrastructure, and some also hate VoIP because it competes with their very lucrative phone businesses. I imagine that if they were to incidentially break both while deploying NAT, they would be quite happy with this. Plus many of those ISPs are also cable TV companies, or otherwise have business ties to media production, which gives them another reason to celebrate their 'accidential' breaking of P2P.

Re:Figures

[SuricouRaven]

And if all the players have a NATed IPv4 address?

Re:Figures

[Skrapion]

I'm not sure what you mean by that.

If you meant "What if all the players fall in the first category?", then that's a non-problem. In that scenario, everybody has IPv6 access, so they'll have no problem talking over that.

If you meant "Isn't there another category where players have a NATed IPv4 address and no IPv6 address?", then that's unlikely. NATing IPv4 addresses is a transitional technique, so it doesn't make much sense to do that until you support IPv6.

It's not going to be flawless -- there's a lot of routers in peoples homes that don't support IPv6, and there's doubtlessly a lot of games that don't support IPv6 -- but it's not the end of the world, and being behind a NAT is actually good incentive to get people to switch to IPv6.

Re:Figures

[leuk_he]

Nat only wil be sold as lowly "browse and mail" , for gaming you need the advanced internet subscription. The provider cannot help this becuase of the limited amount of ipv4 adresses available.

Re:Figures

[SuricouRaven]

Ah, you assume actual forwards planning takes place. Let's look at a more cynical scenario:

Techie: We can't grow the network any longer! There's just no space.
Manager: Anything you can do to fix it?
Techie: I can throw together something with NAT in a few weeks, that'll let us keep going, but really we need to move to IPv6. It's going to cost millions to fix.
Manager: But... this NAT thing... that'll fix it? And it's cheap?
Techie: Well, yes, but -
Manager: And it'll let us keep getting new customers?
Techie: Yes, for years, but the long-term consequences for the wider internet -
Manager: Do it. We can't afford millions. I've got shareholder dividends to pay.

Re:Figures

[perlchild]

Let's not turn this into another NAT vs IPv6 debate...
The only problem between large scale NAT and ip-reputation-based ip systems is that the mappings are too transient and too broad to be useful for reputation, also they are talking about sharing ips between subscribers, right now, that's more rarely done and not to that scale(socks4/5 let people share addresses with a process on the natting machine to act as a nat-helper, so it's not a new problem). And that suggests the fix the fix has always been to move the id of the system behind the nat. Aka, you'd need providers using LSN to have reputation based systems already and not letting just anyone connect and relay.

Most providers already hook into systems like sorbs, so telling them they need to run and update something like bld-toolshttp://packages.debian.org/sid/bld-tools should not make it impossible.

We have a fix(ipv6) for not using nat, and there are many hurdles to getting the new design in place. Now I'm sure we will have a long slashdot-classic discussion about the merits of NAT and applications that can't use it, but IMHO, they're all off-topic to the article.

Re:Figures

[butlerm]

Until the day when a major ISP implements LSN and then gets blocked.

No one is going to put mail servers or any other kind of server on an LSN IP address if they can help it. With the gradual re-allocation of 'consumer' IPv4 address blocks to LSN, there will be enough static IPv4 addresses for public facing servers for decades to come. Not pretty, but that's the way it is.

And if there were a shortage of static IPv4 addresses for servers and others willing to pay extra for them, there are no end of much more effective techniques to multiplex IPv4 addresses for server usage than NAT. Application layer proxies, in particular.

Most small businesses could run with a single static IPv4 address if they operate their own servers, or if they outsource proxy services hundreds of small businesses could share the same static IPv4 address for server usage using a central proxy and SNI.

The real question is for how long will 'residential' customers be able to get a static IPv4 address, and how much will it cost them. I imagine that most will be able to get static IPv4 addresses at a reasonable monthly fee for some time to come. Unless they are so unfortunate as to be Comcast customers, of course.

Really?

[lymond01]

Because when one of our university email account gets hacked and starts spamming, other providers block our SMTP server, effectively knocking out communications between us and that ISP. NATing wouldn't change that, unless spammers use their own SMTP server behind a NAT router.

Bring on DNSSEC and DKIM.

Re:Really?

[AvitarX]

They wouldn't need to hack the server anymore.

Re:Really?

[icebike]

More to the point, SMTP hosts will be pretty much forced to do something more productive than blocking via IP, which amounts to group punishment. (Something apparently only tolerated on the internet).

Its sad that the most broken of protocols has this much sway over the net. SMTP needs a ground up re-write, and it will need it just as much (if not more) after IPV6 is deployed.

Re:Really?

[JSG]

Are you seriously telling me (us) that your Uni doesn't check outgoing as well as incoming mail? At the very least, pass it through ClamAV.

I hope your IT staff don't teach "mail relaying 101"

You *do* check incoming mail, don't you?

Cheers
Jon

Re:Really?

Because when one of our university email account gets hacked and starts spamming

Another satisfied Microsoft customer?

Seriously, though ... you guys ever think about, oh I dunno, securing your e-mail servers?

Re:Really?

[blue+trane]

I like how efnet bans all ip ranges for virgin mobile broadband because someone was spamming email (not even affecting efnet!) from one of them. Maybe this will change that :)

Re:Really?

[dimeglio]

All that's required is a more creative solution to prevent spamming. Only one of many system may become problematic with ipv6. That's all. I'm looking forward to having my fridge order groceries automatically when we're about to run out.

Re:Really?

[afidel]

Actually, we will just ban or greatly increase the spam score of anything coming from these NAT pools just like we do today with dialup and consumer broadband IP pools today. People with real servers will continue to have dedicated IP addresses that aren't behind these NAT pools and so we will judge them individually based on reputation (or lack thereof).

Re:Really?

[grahammm]

It is interesting that even now we are still using Simple Mail Transfer Protocol. With spam, phishing etc, maybe it is time to replace SMTP by either a plain Mail Transfer Protocol or even a Complex Mail Transfer Protocol.

Re:Really?

[mibus]

More to the point, SMTP hosts will be pretty much forced to do something more productive than blocking via IP, which amounts to group punishment. (Something apparently only tolerated on the internet).

Not really. By the time you're talking about LSN/CGN, you're talking about customers that send mail via their ISP's mailserver, not directly. Business customers wanting to send mail direct to the Internet without worrying about NAT making "their" IP look worse, will undoubtedly be able to buy a non-NATted IP.

(Disclaimer: I work for an ISP but am not speaking for them).

Re:Really?

[flonker]

What would you change about SMTP that would have an effect on spam? (And why can it not be done as an extension for SMTP?)

Re:Really?

[hardwarefreak]

SMTP needs a ground up re-write, and it will need it just as much (if not more) after IPV6 is deployed.

SMTP isn't the problem and is not in need of a ground up rewrite. The problem is social, between spammers and suckers, their victims. As has been shown via NNTP, instant messaging, and Facebook spam et al, there is no technology immune to spam. Spam will be with us as long as suckers exist, and there are people willing to exploit those suckers. Yes, basically for eternity.

There will start to be IPv6 dnsbls and mail OPs will start keeping IPv6 local block lists. It's the same old game with a new numbering scheme. As for multilayer NAT I don't see it being a problem WRT SMTP. As others have stated it will be relegated to consumer broadband ISP space and possibly colocation centers, which most mail OPs already outright SMTP block (if they're smart).

Re:Really?

Are you seriously telling me (us) that your Uni doesn't check outgoing as well as incoming mail? At the very least, pass it through ClamAV.

I hope your IT staff don't teach "mail relaying 101"

You *do* check incoming mail, don't you?

Cheers
Jon

Here's how things are going to progress.
1. Keep in mind that right now we are close to running out of unsold IP's, but most ISP's have plenty of unused IP space.
2. Many ISP's bought enough wiggle room to get them through to 2012 or 2013 without changing anything. The slow economy has had a huge impact on subscriber growth rates.
3. The first mitagation technique will NOT be large-scale NAT. It will be customer-level NAT; the ISP's will start telling customers they only get ONE public IP, and will have to use their own NAT'd router if they want multiple devices at home. Right now most ISP's allow more than 1, and many of them will allow up to around 8 or 12. I used to work at an ISP with about 2 million internet subscribers, and as recently as last month they averaged 3 public IP's per account so right off the bat they'd free up 2/3's of their space by restricting to 1 IP per sub. (exceptions for business subscribers who have a need for static IP's of course)
4. If for some wild, insane reason those measures don't last long enough, the ISP's will start implementing wide-scale NAT for Residential classes of service. These classes of service have no business sending mail on port 25 to any server other than the ISP-provided mail relay... which is how they already work at 99% of the ISP's today. This would be a stop-gap measure, but other than trying to run a VPN tunnel through the NAT won't cause problems for most consumers.

5. Most of the largest ISP's are already planning to be fully ipv6 by the end of next year. Point 3 above will provide more than enough time and address space to get us through the end of 2012 no problem, even when the usable space has pretty much run bone dry.

Re:Really?

[SuricouRaven]

That solves it for email, but think of the trolling concerns. Forums, wikis and IRC channels would no longer be able to ban individuals by IP address, only massive blocks of translated addresses. Just imagine Wikipedia getting persistantly trolled by one person vandalising pages, and having no way to stop it short of banning every Comcast customer in a major city.

Re:Really?

[mibus]

But that already happens in numerous situations - governments run large NAT gateways / proxies, some 3G carriers use 10.0.0.0/8 and NAT/proxy, etc.

It's a perfectly valid issue *today*, not just in the future. Sure, it'll get worse, but at least there's now a solution in sight (ie., move to IPv6 to get better service).

It'll Be OK

[WrongSizeGlass]

I'm sure if we wait just a little while some spammer will send us the 'magic bullet' for this problem via their preferred delivery method.

Useless

[sexconker]

IP filtering has always been useless from a security standpoint. Same goes for MAC address filtering.

Anyone anywhere can change both easily. Blocking addresses is only a matter of convenience.

This "news" just means that tons of "security" software and filtering hardware (Barricuda, anyone?), is being exposed as the useless, inflexible crap that they are, and the companies behind them are trying to point fingers at large network operators while simultaneously touting their next version, which will have IPv6 support. Maybe. Which totally won't solve the IPv4 issues, but never you mind that.

Re:Useless

IP filtering has always been useless from a security standpoint. Same goes for MAC address filtering.

Anyone anywhere can change both easily. Blocking addresses is only a matter of convenience.

Foolproof? No. Useless? Hardly.

Locks on your front door are useless. You can buy a hammer really cheap from, well, pretty much anywhere. The fact that windows exist, however, does not diminish the fact that door locks provide a very important layer of security - just as IP filtering does.

Re:Useless

[sexconker]

IP filtering has always been useless from a security standpoint. Same goes for MAC address filtering.

Anyone anywhere can change both easily. Blocking addresses is only a matter of convenience.

Foolproof? No. Useless? Hardly.

Locks on your front door are useless. You can buy a hammer really cheap from, well, pretty much anywhere. The fact that windows exist, however, does not diminish the fact that door locks provide a very important layer of security - just as IP filtering does.

Bad analogy is bad.

Blocking an IP or a MAC address is completely pointless. It requires less than 5 seconds of effort to get a new one. There are no windows or hammers involved. You simply walk right in the front door because it will be unlocked when you say "My name is ... Mr. Snrub.".

Re:Useless

[icebraining]

How do you simply get a new IP address accepted by the ISP?

Re:Useless

[SuricouRaven]

Depends on the ISP. If it's dialup, you can usually just reconnect. DSL, trickier. Cable, I find it is associated with the MAC address of the device connected to the modem. Release DHCP, change MAC, get new lease... takes about five seconds if you script it.

Re:Useless

[icebraining]

I don't think my (ISP issued) ARRIS TM502G allows to programmatically change its MAC address.

Re:Useless

[butlerm]

IP filtering has always been useless from a security standpoint. Same goes for MAC address filtering. Anyone anywhere can change both easily

Unless you have unfiltered BGP access to a major backbone, you have no hope of conducting a real conversation over the Internet using someone else's IP address, because the return packets will be routed back to them, not to you.

Comment removed

[account_deleted]

Comment removed based on user account deletion

inb4 NAT

Keep all your bullshit about NAT saving the world in this thread where it can be ignored by people who actually know what they are talking about please.

The Only Real Solution

[windcask]

Welcome back, Gopher.

Re:The Only Real Solution

[windcask]

First rule of Slashdot...never be in such a hurry to make a joke as to expose your own ignorance about a topic. IGNORE.

Nonsense

[vanyel]

end user customer networks (the ones most likely to go this route) are already on various "mail shouldn't be coming from here" blacklists, and those customers also should be already using the isp's mail servers for outgoing mail. it's a small incremental step, nothing more. Those running servers will necessarily get unique addresses and not be affected by reputable blacklists that are correctable.

Re:Nonsense

[tepples]

end user customer networks (the ones most likely to go this route) are already on various "mail shouldn't be coming from here" blacklists, and those customers also should be already using the isp's mail servers for outgoing mail.

I assume you're talking about end users connecting on port 25 (MTA-to-MTA communication), not port 587 (MSA-to-MTA). Otherwise, what should people do when the monopoly broadband ISP has unreliable mail servers, or when they're using mail on a laptop temporarily connected to an ISP other than their own?

Re:Nonsense

[vanyel]

authenticated mail (which can be done on port 25, it doesn't have to be 587, but should be these days because of port 25 filtering) is not normally subjected to blacklist filtering, and is thus not affected.

The vast majority of people don't run their own mail servers though, so their mail clients are configured to use their isp's mail server. Again, not affected.

If your isp has unreliable mail service, then find another one --- there is no shortage of options there. For practical purposes, in that case, you're roaming, in which case you have to authenticate to send mail anyhow to bypass the relaying blocks, and thus again, not affected.

Trivial if you want to go the extra mile

[Khopesh]

I work for an IP reputation company (and am not representing it in this post).

This is not a complicated issue. The LSN portals will merely have to add a tracking header to all mail they process (and block anonymous direct mail if they want to escape DNSBLs' wrath). This is already an issue with webmail (e.g. Google doesn't add the tracking header, so it's MUCH harder to trap spam originating through GMail than it is through providers like Hotmail who do provide this extra tracker).

Re:Trivial if you want to go the extra mile

[fbartho]

How much spam actually is originating through gmail?

How does one prevent a spammer from spoofing these headers?

Re:Trivial if you want to go the extra mile

[Khopesh]

How much spam actually is originating through gmail?

Sorry, I can't give you data. Suffice it to say it's a problem.

How does one prevent a spammer from spoofing these headers?

The headers aren't spoofed. When you use Hotmail or Yahoo, your IP is added to a tracking header by the webmail server so that IP reputation systems can pass along the blame as if it were a Received: header (there's more to it than that, but this should give you the principle). Since GMail doesn't do that, there's nothing to be done; the tracking can't go beyond Google's servers.

If a spammer spoofs headers so as to pretend to pass blame on, the trust doesn't extend far enough; the relay used by the spammer to add those fake headers isn't trusted and so the buck stops there. When dealing with real webmail providers, the trust can be extended to the established webmail relays and then followed into the IP tracking header.

We have meandered a bit off topic here ... my point is that this is possible for the nearly identical problem of webmail, so somebody merely needs to figure out how to do it for the IPv6->IPv4 routing process. The simplest solution is the one I outlined above; require a mail relay that speaks both protocols so it can properly record the conversion with a Received header. Modern IP reputation systems (and the clients that poll them) are fully IPv6-ready and will process this perfectly.

Re:Trivial if you want to go the extra mile

[fbartho]

So what you're saying is that Google has decided to fully claim reputation-ownership of the mail their users are sending. They're staking their reputation that their users don't generally spam. If it was a big enough problem you would blackhole all of gmail, right now you're upset because due to the large volume that gmail sends, any percentage of spam is a problem.

I don't mean to attack or defend anyone here, just curious.

I think the deal is just that anything that comes through gmail needs a more heuristics based filter, and you can't just blackhole on the particular client. As long as the percentage of bad e-mails coming through there is lower than the percentage of good e-mail then the reputation system is working...

Re:Trivial if you want to go the extra mile

So 51% ham means their system works? By GMail's own filtering proficiency on incoming mail is vastly superior to their ability to stop outgoing spam. (It's not 51% --that was merely an illustration of what you were saying-- but it isn't 0.0% either.)

Re:Trivial if you want to go the extra mile

[John+Hasler]

So what you're saying is that Google has decided to fully claim reputation-ownership of the mail their users are sending. They're staking their reputation that their users don't generally spam.

Google Groups is a major source of Usenet spam.

Re:Trivial if you want to go the extra mile

[fbartho]

I could have sworn we were talking about "email"

I totally have experienced the google-groups spam. I'm hoping this is a symptom of an improving spam service and this will eventually go away.

Re:Trivial if you want to go the extra mile

[Arlet]

Google Groups is a major source of Usenet spam.

And Google has shown no willingness to filter Groups spam. I used to read Usenet through Google Groups, but it's now totally unusable.

Re:Trivial if you want to go the extra mile

That's not trivial if I'm requiring TLS end-to-end from my MTA to the recipients MTA, how does the LSN portal inject headers? Even if the start TLS, they will not match the certificate chain.

Re:Trivial if you want to go the extra mile

[TheRaven64]

Yes, it's working. It is in Google's interest for gmail accounts to have less spam than other email accounts. Aggressively filtering incoming email and not caring if their users are sending spam (unless they are sending it to other gmail users) helps this.

Re:Trivial if you want to go the extra mile

[Khopesh]

If it's encrypted, any properly configured MTA won't care; you're authenticated (and therefore trusted). Blocklists and friends (including IP reputation systems) only examine the last external connection if it is untrusted.

Re:Trivial if you want to go the extra mile

[ralphdaugherty]

How much spam actually is originating through gmail?

From my perspective of a small website, if I drop the ban on *@gmail.com I start getting spam registrations within minutes.

Re:Trivial if you want to go the extra mile

[fbartho]

Is a captcha not enough of a barrier? I've never seen a website that actually banned @gmail addresses. I'm curious, and highly surprised.

Re:Trivial if you want to go the extra mile

[ralphdaugherty]

Is a captcha not enough of a barrier? I've never seen a website that actually banned @gmail addresses. I'm curious, and highly surprised.

The phpBB version 2 Captchas are broken, they are automatically identified by bots. I checked on the new version of phpBB and #1 I don't like the new features and #2 a new Captcha system was still being perfected.

I have posted through the years on Captcha and the phpBB is trivially simple but there are others on other sites that are so non-trivial I quite frankly can't read the letters. There are good Captchas whose letters overlap but are still plainly readable, however it's my understanding from posts through the years that algorithms measure a density or signature of Captchas for anything widespread enough to make the effort and thus "break" those Captchas as well. It would narrow it down quite a bit though.

In the end however, there are armies of people available to type in any human required entry that bots send their way and use to complete the registration so I don't see that as a solution to unending spam registrations and postings if they were allowed through.

You would not believe what I have blocked and continue to add to blockings and I still get two to three spam registrations per day. Someone depending on Captcha alone would be inundated or perhaps don't care I don't know.

The spam registrations and ultimately postings are quite sophisticated and cannot be detected by content, only by identifying links as "bad" using some service. Most sites that use services to stop spam registrations beyond Captcha also depend on those sites listing by IP address.

ipv6 is a spammers nirvana.

  rd

Not just spammers

[Todd+Knarr]

It's not just spammers. A lot of on-line games, for instance, record the IP address used to log in to a game in the account's history. Customer Support then uses that to help determine eg. whether a claim of a hacked account is valid or bogus. Large-scale NAT is going to mess with that by confusing the record: one computer may appear to be using a different IP address for each login, and multiple unrelated computers can appear to have the same IP address. And with a lot of games moving towards RMT, a hacked account can mean the loss of real money for the player. When CS tells that player "Sorry, the login where the items were sold/transferred came from one of the IP addresses you normally log in from, the problem's on your end." and the player learns that that's because his ISP is NATing their entire network, he's not going to be happy.

Re:Not just spammers

[jamesh]

and the player learns that that's because his ISP is NATing their entire network, he's not going to be happy.

</reality>... and he goes to forums where such things are discussed and finds out that other users are using IPv6 and don't have problems like that and asks his ISP why they don't support IPv6. The ISP listens to their customers and makes rolling out IPv6 their #1 priority. IPv6 gets everywhere, world peace is finally achieved, and we enter a golden age of the internet.<reality>

Re:Not just spammers

I see what your non-standard-order-HTML tags did there...

Re:Not just spammers

It's not just spammers. A lot of on-line games, for instance, record the IP address used to log in to a game in the account's history. Customer Support then uses that to help determine eg. whether a claim of a hacked account is valid or bogus. Large-scale NAT is going to mess with that by confusing the record: one computer may appear to be using a different IP address for each login, and multiple unrelated computers can appear to have the same IP address. And with a lot of games moving towards RMT, a hacked account can mean the loss of real money for the player. When CS tells that player "Sorry, the login where the items were sold/transferred came from one of the IP addresses you normally log in from, the problem's on your end." and the player learns that that's because his ISP is NATing their entire network, he's not going to be happy.

I'm not sure what the likelihood of the hacker winding up behind the same NAT as you is going to be. Generally the hackers will be in a different country from you. So while this may have the potential to cause that problem I think they will be very
  few and far between.

Re:Not just spammers

[mewsenews]

When CS tells that player "Sorry, the login where the items were sold/transferred came from one of the IP addresses you normally log in from, the problem's on your end." and the player learns that that's because his ISP is NATing their entire network, he's not going to be happy.

I understand the point you are trying to make, and I agree with you. I just have to be pedantic and point out that currently, for WoW accounts that have been tampered with, it doesn't matter that the activity was on the same IP address.

If it did matter, there would be a lot of guys with neglected girlfriends that would be unable to get their characters restored.

Re:Not just spammers

[icebraining]

Assuming the game & its servers support IPv6...

Re:Not just spammers

[DarkOx]

Easy enough solution to that. Just run a local 4to6 NAT. You can do SNAT from as many v4 192 addresses as you need to translate to the 6 hosts you want to connect to remotely. Then just use the 192 address in your app. It will be an extra step and you might have to set up the NAT on both the client and the server but it should work.

Re:Not just spammers

[mcrbids]

When CS tells that player "Sorry, the login where the items were sold/transferred came from one of the IP addresses you normally log in from, the problem's on your end." and the player learns that that's because his ISP is NATing their entire network, he's not going to be happy.

Further missing the point: the NAT referenced here isn't the kind of NAT that you are thinking, between an IPV4 public address (EG: 208.39.22.13) and a non-routable IPV4 address. (EG: 192.168.1.19)

The NAT being referenced here is between IPV4 (which doesn't understand IPV6 address space) and IPV6. All connections coming from an IPV4 address to an IPV6 address will have to involve NAT, where the ISP has a NAT gateway so that internally hosted IPV6 addresses initiate connections through NAT to the IPV4 network, and vice-versa. In this scenario, WoW can fix the problem simply by providing an IPV6 host, bypassing the need for the NAT gateway.

Re:Not just spammers

[fast+turtle]

and blizzard is already adressing this problem through the use of 2nd channel Authentication. If you've got a Blizzard account, simply spend the $7.00 U.S and buy their stand-alone authenticator and configure your account to use it. Problem solved and cheaply at that.

Re:Not just spammers

If it did matter, there would be a lot of guys with neglected girlfriends that would be unable to get their characters restored.

s/neglected/jpg/

Sigh.

The irony...

is delicious.

identd?

[paskie]

So, why not just have a public database of LSNs and have them run extended ident service? (I.e., you supply it with local-remote port pair and it will tell you the IPv6 address of the NAT'd peer. Then you just use that for the peer identification from then on.)

Re:identd?

[blair1q]

If I have IPv6 why do I need this?

Re:identd?

So that you can talk to all these pitiful IPv4-only hosts.

Can we just stop using IPv4?

[asm2750]

Seriously, IPv6 is there to replace IPv4. Tell everyone who whines 'tough shit' switch over already. If I have to pay an extra 5 dollars a month for a year to my ISP for that to happen then I would. Just stop trying to extend the life of IPv4 when there is a suitable replacement already available.

Re:Can we just stop using IPv4?

[Khopesh]

Seriously, IPv6 is there to replace IPv4. Tell everyone who whines 'tough shit' switch over already.

Are you trying to create the massive failures we were supposed to have for Y2K? IPv6 compliance is a rather low priorities for most companies and is not being taken seriously to the level that Y2K was. You're asking for a lot of "tough shit" to come your way even if you and your immediate provider are fully IPv6-compliant.

If I have to pay an extra 5 dollars a month for a year to my ISP for that to happen then I would. Just stop trying to extend the life of IPv4 when there is a suitable replacement already available.

You want to pay $5/mo in order to stick it to those who don't think like you? This is a capitalist system -- use it: discount customers five dollars a month to be stuck without IPv4 (or to spin the same concept differently, charge an extra $5/mo for a public IPv4 address). Heck, this doesn't even require IPv6 since it can be done with a NAT, but if it's aspiring to promote IPv6, the service would merely issue public IPv6 addresses and NAT anything using IPv4 as a temporary measure.

Re:Can we just stop using IPv4?

[shutdown+-p+now]

Fine. You are the first to switch, though (IPv6 only, otherwise it is pointless).

Only an escaltion of the ongoing game

[NoExQQ]

Having been intimately involved with spammers over the years I can say that this change will only escalate the ongoing game of use / burn / blacklist / move on. Yes, more poor commercial entities will unknowingly and unwillingly have to call in Wally the IT guy to help them get off some blacklist somewhere so their mail will flow, but in the grand scheme this will not change the processing power of the mail bots or tilt the scales in a significant manor. IMHO.

Re:Only an escaltion of the ongoing game

[skids]

I'm beginning to think there's only one way to stop email spam. Develop some new flashy service that "replaces" email. Then get everyone who is stupid enouh to fall for aPhish or to answer a UCE to switch to this new-fangled fad. Then once only people smart enough to never reply to spam are using email, there will be no motivation to spam.

Re:Only an escaltion of the ongoing game

[John+Hasler]

> Develop some new flashy service that "replaces" email.

Perhaps we could call it "Facebook" or "Twitter".

Re:Only an escaltion of the ongoing game

[skids]

Nah it has to be work-friendly-sounding. You have to be able to use it for job related things.

LinkedIn might work.

Reputation by IP

[Skapare]

... lists of public IPv4 addresses to identify "undesirable" hosts ...

Legitimate mail servers will still need an IP address, whether that is IPv4 or IPv6. Their outbound SMTP connections can just use that same IP address. The real issue involves all those end user (broadband and dialup) IP addresses, which more and more will be multiple users sharing them for outbound connections, with no inbound. Make those have zero reputation. Let the IP addresses which are associated with real mail servers have the reputation earned by its behavior.

One big difficulty will be mail servers stuck only on IPv6 trying to deliver mail to those on IPv4, and visa-versa. But this is at least a substantial subset of the IP space. That means it can hold out for a while on IPv4, until enough IPv6 is deployed to make a "mad rush to IPv6 for email" can happen. But in the mean time, those who can do mail exchange between servers on IPv6 will be pretty much spam free, for at least a while. When spammers get on IPv6, then we know IPv6 is "happening".

To encourage IPv6, those who are on it can do things like adding extra goodies to IPv6 users. I do know a lot of porn is already there. Maybe extra features on web sites can be made to work on IPv6, too.

Help in the short term only

[XCondE]

Maybe as all mail behind NATs get blocked by spam filters the network administrators will actually start blocking mail from infected hosts in their network so that legit mail is accepted again. Wishful thinking?

Doesn't follow

[Spazmania]

As more ISPs deploy LSN systems, the effectiveness of these IPv4 filtering systems will be hurt.

That doesn't follow. The folks in dynamic space (the same space that will be served by LSNs) are already considered spammers when they connect to a non-local SMTP server. The only reason they're scored instead of outright blocked is that there's no rigorous list of what is and isn't a dynamic space. It makes no difference to the server whether it filters a range of IPs or a single IP.

Identifying the individual spammer from an abuse report is slightly more difficult, but only slightly. And if you're behaving like a good net citizen, you probably blocked outbound 25 at the LSN box to begin with so you're not getting any reports because your virus-laden customers aren't able to successfully spam.

So move to IPv6

[metamatic]

If your mail server supports IPv6, the mail will go sender's client to sender's MTA to your MTA, all via IPv6, with full headers. So the problem only affects recipients who are slow getting their mail servers IPv6 enabled, who force senders to reroute their mail through an IPv6 to IPv4 gateway. So seems to me it's a good reason to hurry up and get your servers on IPv6.

Thank you.

[reiisi]

I still think the best way to handle this would have been by high bit extension in each octet field.

Yeah, I know, the theoretical non-constant numeric address length would have been a serious pain to predict the hardware for back in the '80s, when (ergo, I wish) they might have had the foresight to reserve the high bits at each level for possible other uses.

But it would have been nice if an ISP could have, by definition, its own extendable address space to allocate out of, and any customer could further extend their own allocation, down to, say, 6 octets max in the '80s, 7 max in the '90s, 8 in the decade just completing.

I appreciate the fact that IPV6 should give us this ability, at least in a one- or two-shot way, but I think it's generally a mistake when the data structure itself limits a resource that is known to have a tendency to expand.

(And, yes, I consider the above to be funny in the sick humor sort of way.)

+1 funny

[reiisi]

The last time I contacted my ISP about this they told me (again) that they have no plans to implement IPv6.

This was just a few months ago.

Re:+1 funny

[Ant+P.]

Mine doesn't even know what IPv6 is. A few months ago they force-upgraded us to ADSL2 and sent everyone a replacement Netgear piece of trash with non-upgradable firmware and no debug mode backdoor.

Please talk to my ISP.

[reiisi]

My requests have been meeting deaf ears for years.

Unfortunately, the alternative ISPs are doing the same thing here. (But I should check again soon. I'm getting tired of these guys since the legacy monopoly here bought them out.)

Don't worry!

[saleenS281]

You shouldn't be running a "server" at home anyways. The internet was created so that you could buy services from large companies like your ISP. Running your own server at home is socialist. Think of the children!

Most of us are afraid to admit it aloud but...

[JoltinJoe77]

Many IT professionals including myself feel that IPv6 is a joke and is unnecessary in most practical scenarios. Arguments I tend to throw out on face value are "why not IPv6?" and "we're running out of IPv4 addresses". Keep NAT'ing IPv4 until the cows come home - no one except tech geeks will really care if we do.

Re:Most of us are afraid to admit it aloud but...

[shutdown+-p+now]

Oh, the non geeks will care a lot when they suddenly cannot download new releases via P2P of the day, because there are no seeders.

Re:Most of us are afraid to admit it aloud but...

[kobaz]

The biggest problem with everyone staying on ipv4 and natting until the cows come home (which will be never... these cows will *not* come home for ipv4) is that all of a sudden you have thousands, millions of end-users on nat going through overloaded 4 to 6 proxies.

And if no one switches to v6, only rich content providers will be able to afford direct ipv4
And then, due to the fact that end users will certainly not have a public ip address:
- streaming media of any kind will eventually be unusable due to overload of aforementioned 4 to 6 gateways
- you can't do end to end links (like with voip and video conferencing)... you would of course be able to pay your isp for the privilege to use *their* voip.
- bittorrent and friends will vanish
- self-hosted online gaming will go the way of the dodo and players will be at the mercy of the corporations for whether they can play their old games online or not.
- the LSNs will probably be blocked by most mail servers to prevent spam. You say that's good? Watch the price of email hosting and hosting in general skyrocket because of the high fees companies will need to pay in order to purchase ipv4 addresses from each other. Prices of ipv4 *will* go up due to supply and demand.
- the lack of cheap addresses will force small services out of business and will force many free services to shut down
- the lack of small providers will leave only the big ones remaining
- with the big players the only ones left on the internet, they would love to turn the internet into a dumbed down content distribution system like cable tv... lovely

Still think sticking with ipv4 is a good thing?

it was the subject, not the cat

heh sweet that means slashdot can never ban me right?

your friendly neighborhood synonymous coward

wait did i do that right?

very simple solution

all dynamic ip users, are restricted to their provider (isp) smtp service. ISP acts as the only smtp relay. Users are not allowed to open port 25 beyond the ISP's address space.

they filter and monitor everything (e.g. torrents). why not filter port 25, even validate against proper SPF. Am I the only one using SPF for my domains...?

I work for an IP reputation company (What's that?)

I work for an IP reputation company by Khopesh (112447)
on Friday December 17, @07:00PM (#34594978) Homepage

What's that mean exactly? What sort of work goes on around that (in other words, online? What is it you & your colleagues do to protect "IP reputation"??)??

Just curious.

It might even help against the spammers.

A responsible ISP already blocks outgoing smtp port by default unless explicitly requested otherwise by the user. Let's hope more ISPs will join that camp with LSN because they are too lazy to cope with the abuse mails...

Re:I work for an IP reputation company (What's tha

[SuricouRaven]

It's a vague term. I've seen it before, but it can mean anything from a company that gets mistakes removed from IP blacklists (usually a consequence of a computer being compromised - once it's resecured, the blacklists need fixing too) to companies hired to manipulate google rankings, submit glowing product reviews to shopping sites and threaten critics with legal action. Just a very vague description

I use a static IPv4

So I won't be subject to LSN (NAT) ever.

DYT?

[AnotherBlackHat]

Many security filtering systems use lists of public IPv4 addresses to identify 'undesirable' hosts on the Internet. As more ISPs deploy LSN systems, the effectiveness of these IPv4 filtering systems will be hurt."

In other words, as IPv4 dies, using IPv4 for stuff won't work as well.

Using an IP address to determine the content of a message is a bad idea anyway.
It's like determining what cars are carrying drugs by looking at the license plates, and then punishing the car dealer for selling the car.

Your IPv4 black list is broken. IPv6 makes it more broken. Cry me a river.

Re:DYT?

[ralphdaugherty]

Using an IP address to determine the content of a message is a bad idea anyway.

and what are your suggested alternatives to blocking website spammers? I block by IP address because the only thing coming to my website from certain areas of the world is spam.

  rd

Re:I work for an IP reputation company (What's tha

[Khopesh]

"IP Reputation" systems are basically a step beyond DNSBLs (which only consider things as white vs black). There is a decent explanation in Wikipedia's Sender's IP verification section of their E-mail authentication article.

On GMail's lack of web client IP tracking

[Khopesh]

So what you're saying is that Google has decided to fully claim reputation-ownership of the mail their users are sending. They're staking their reputation that their users don't generally spam. If it was a big enough problem you would blackhole all of gmail, right now you're upset because due to the large volume that gmail sends, any percentage of spam is a problem.

I see no reason for that kind of gall. It's merely not a priority for them to open up that kind of information because it helps third party spam filters. Suppressing that data grants a competitive advantage to the GMail (and possibly Postini) services as using that internal information would lead to better filtering of a large email source. ... Don't forget that Google wants to manage your corporate email.

If you're considering the privacy angle, that's rather far-fetched. All other email systems (including webmail and SMTP) track this (so there is no reasonable expectation to place on this sort of behavior; those who want to hide their IP should be using TOR or some other anonymizing proxy).

Find another what?

[tepples]

authenticated mail (which can be done on port 25, it doesn't have to be 587, but should be these days because of port 25 filtering) is not normally subjected to blacklist filtering

Authenticated mail on port 25 is subject to port 25 blocks by those ISPs that don't deep-packet-inspect to distinguish unauthenticated SMTP from authenticated SMTP (RFC 2554) or encrypted SMTP (RFC 2487). But I guess ISPs are far less likely to block 465 or 587.

If your isp has unreliable mail service, then find another one --- there is no shortage of options there.

Find another what? Did you mean find another mail service, aka a "smarthost"? That's difficult if your ISP blocks the ports that smarthosts use. Find another ISP? In a lot of cases, it's either the one broadband ISP in your area or dial-up.

Thanks 4 answer: I asked the question... apk

""IP Reputation" systems are basically a step beyond DNSBLs (which only consider things as white vs black). There is a decent explanation in Wikipedia's Sender's IP verification section of their E-mail authentication article" - by Khopesh (112447) on Saturday December 18, @01:54PM (#34601326) Homepage

Thanks - that's to BOTH yourself, and SuricouRavenn, who also replied here in regards to "IP Reputation" & what it is (I have a message for SuricouRavenn here also -> http://yro.slashdot.org/comments.pl?sid=1903798&cid=34559886 regarding Windows Defender/Microsoft Security Essentials) - thank you!

I do MUCH THE SAME as a DNSBL, albeit locally... via custom HOSTS files - here is why (long read, but detailed & I think you MAY find it, informative, possibly):

---

20++ ADVANTAGES OF HOSTS FILES OVER DNS SERVERS &/or ADBLOCK ALONE for added layered security:

1.) Adblock blocks ads in only 1 browser family (Disclaimer: Opera now has an AdBlock addon (now that Opera has addons above widgets), but I am not certain the same people make it as they do for FF or Chrome etc.).

2.) HOSTS files are useable for all these purposes because they are present on all Operating Systems that have a BSD based IP stack (even ANDROID) and do adblocking for ANY webbrowser, email program, etc. (any webbound program).

3.) Adblock doesn't protect email programs external to FF, Hosts files do. THIS IS GOOD VS. SPAM MAIL or MAILS THAT BEAR MALICIOUS SCRIPT, or, THAT POINT TO MALICIOUS SCRIPT VIA URLS etc.

4.) Adblock won't get you to your favorite sites if a DNS server goes down or is DNS-poisoned, hosts will (this leads to points 4-7 next below).

5.) Adblock doesn't allow you to hardcode in your favorite websites into it so you don't make DNS server calls and so you can avoid tracking by DNS request logs, hosts do (DNS servers are also being abused by the Chinese lately and by the Kaminsky flaw -> http://www.networkworld.com/news/2008/082908-kaminsky-flaw-prompts-dns-server.html for years now). Hosts protect against those problems via hardcodes of your fav sites (you should verify against the TLD that does nothing but cache IPAddress-to-domainname/hostname resolutions via NSLOOKUP, PINGS, &/or WHOIS though, regularly, so you have the correct IP & it's current)).

6.) HOSTS files protect you vs. DNS-poisoning &/or the Kaminsky flaw in DNS servers, and allow you to get to sites reliably vs. things like the Chinese are doing to DNS -> http://yro.slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders

7.) AdBlock doesn't let you block out known bad sites or servers that are known to be maliciously scripted, hosts can and many reputable lists for this exist:

GOOD INFORMATION ON MALWARE BEHAVIOR LISTING BOTNET C&C SERVERS + MORE (AS WELL AS REMOVAL LISTS FOR HOSTS):

http://ddanchev.blogspot.com/
http://www.malware.com.br/lists.shtml
http://www.stopbadware.org/
http://blog.fireeye.com/
http://mtc.sri.com/
http://news.netcraft.com/
http://www.shadowserver.org/

REGULARLY UPDATED HOSTS FILES SITES (reputable/reliable sources):

http://www.mvps.org/winhelp2002/hosts.htm
http://someonewhocares.org/hosts/

Thanks - & some help on Windows Defender 4U! a

"It's a vague term. I've seen it before, but it can mean anything from a company that gets mistakes removed from IP blacklists (usually a consequence of a computer being compromised - once it's resecured, the blacklists need fixing too) to companies hired to manipulate google rankings, submit glowing product reviews to shopping sites and threaten critics with legal action. Just a very vague description" - by SuricouRaven (1897204) on Saturday December 18, @10:39AM (#34599726)

Thanks - that's to BOTH yourself, and Khopesh, who also replied here in regards to "IP Reputation" & what it is, since he does it also!

YOU MAY FIND HIS EXPLANATION INFORMATIVE -> http://tech.slashdot.org/comments.pl?sid=1915408&cid=34606948 because it's quite detailed, & of course, it comes from "the horses' mouth" (in that he does that & works for such a concern, etc./et al).

(NOW - I also have a message for YOU, which I believe you WILL FIND HELPFUL! It's in regard to Windows Defender also -> http://yro.slashdot.org/comments.pl?sid=1903798&cid=34559886 regarding Windows Defender/Microsoft Security Essentials).

USE WINDOWS DEFENDER or MICROSOFT SECURITY ESSENTIALS "SETTINGS" TAB, & "Excluded Files and Location" list item IF NEED BE, to exclude custom HOSTS files from scanning!

That's just information you may be able to use, to overcome hassles you say you saw with Windows Defender (the precursor to Microsoft Security Essentials) & HOSTS files!

Funny part is, even though I use a custom HOSTS file with well over 913,000++ items blacklisted in it? I have YET TO SEE MICROSOFT SECURITY ESSENTIALS BOTHER ME ON HOSTS FILES! I give you the "work-around"... easy to do!

APK

P.S.=> Again - Thats information on Windows Defender OR Microsoft Security Essentials? That's in return for your, and Khopesh's reply, on what an "IP REPUTATION" service is, & what it does... apk