Slashdot Mirror


Spamhaus Calls for Fining Operators of Insecure Servers

Barence writes "Anti-spam outfit Spamhaus has called on the UK government to fine those who are running Internet infrastructure that could be exploited by criminals. Those who leave open Domain Name Server resolvers vulnerable to attack should be fined, if they have previously received a warning, said chief information officer of Spamhaus, Richard Cox. When Spamhaus was hit by a massive distributed DDoS, possibly the biggest ever recorded at more than 300Gbits/sec, open DNS resolvers were used to amplify the hit, which was aimed at one of the organization's upstream partners. 'Once they know it can be used for attacks and fraud, that should be an offense,' Cox said. 'You should be subject to something like a parking ticket... where the fine is greater than the cost of fixing it.'"
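The summary says open DNS resolvers amplified the attack. The check below is an added example, not part of the Slashdot story or of Spamhaus's work: it builds one recursive A query, decodes the 12-byte DNS header of the reply and reports whether the resolver answered a recursive query for an outside client (open) or refused it. It is meant to be run against a resolver you operate, from an address outside the resolver's intended client range. The function names (`build_query`, `parse_header`, `classify`, `probe_resolver`) and the response bytes are constructed for this example. If it reports open recursion, the fix is to restrict recursion to your own clients (BIND's `allow-recursion`, or the equivalent option in your server), not to block the probe.

```python
# Added example (not from the thread): is the resolver I run open to recursion
# from outsiders?  An open resolver sets RA (recursion available) and returns
# answers to anyone, which is what lets it be abused as an amplifier.
import socket
import struct


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query for an A record with RD (recursion desired) set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD only
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte DNS header; the header alone is enough for this check."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),     # response bit
        "rd": bool(flags & 0x0100),     # recursion desired (echoed from query)
        "ra": bool(flags & 0x0080),     # recursion available
        "rcode": flags & 0x000F,
        "qdcount": qd,
        "ancount": an,
    }


def classify(resp: bytes, expected_id: int) -> str:
    """Interpret the reply to a recursive query sent from outside the client range."""
    h = parse_header(resp)
    if h["id"] != expected_id or not h["qr"]:
        return "unexpected"
    if h["rcode"] == 5:                 # REFUSED: recursion correctly restricted
        return "refused"
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "open-recursion"         # it recursed for an outsider: fix the ACL
    if not h["ra"]:
        return "recursion-not-offered"  # e.g. an authoritative-only answer
    return "other"


def probe_resolver(server: str, name: str = "example.com.", timeout: float = 3.0) -> str:
    """Send one UDP query to `server` and classify the reply (or report a timeout)."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        try:
            resp, _ = s.recvfrom(512)
        except socket.timeout:
            return "no-response"        # dropped or filtered: also acceptable
    return classify(resp, txid)


# Constructed reply headers (not captured traffic), used for the offline demo.
OPEN_RESPONSE = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)     # QR RD RA, NOERROR, 1 answer
REFUSED_RESPONSE = struct.pack(">HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)  # QR RD, REFUSED

if __name__ == "__main__":
    print(classify(OPEN_RESPONSE, 0x1234))      # open-recursion
    print(classify(REFUSED_RESPONSE, 0x1234))   # refused
    # probe_resolver("192.0.2.53")  # run from outside the resolver's client range
```

A "refused" or "no-response" result from an outside address is what you want; "open-recursion" means the server will answer, and therefore amplify, for anyone who asks.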

170 comments

  1. Another cure that is worse than the disease by melonman · · Score: 5, Interesting

    This sounds great in theory but, in practice, it's going to be almost impossible to enforce (eg whose definition of 'vulnerable'?) and it would promptly create several new Internet plagues, eg the "Your server has a vulnerability, pay us now to stop us reporting it" spam email.

    --
    Virtually serving coffee
    1. Re:Another cure that is worse than the disease by fatphil · · Score: 0

      Perhaps, but is it any less enforceable than the FCC's RF emissions laws? Both are spewing crap into a finite broadcast medium; I think it's possible for the two to be considered almost analogues.

      --
      Also FatPhil on SoylentNews, id 863
    2. Re:Another cure that is worse than the disease by somersault · · Score: 1

      I would have thought having an SMTP server which does unintended open relaying as everyone's definition of vulnerable..

      --
      which is totally what she said
    3. Re:Another cure that is worse than the disease by Anonymous Coward · · Score: 0

      Also: if UK starts fining, just move the servers to another country.

      Depending on what kind of business you do, you might also export your official address to another country. If that is not possible: just outsource your servers to an external company in another country.

      Loopholes galore.

    4. Re:Another cure that is worse than the disease by Anonymous Coward · · Score: 3, Interesting

      I disagree. This is a classic example of making [stupid|apathy] hurt. In this case, the hurt is financial, but the effect is there.

      If a company can't be arsed to protect their systems to prevent it, they need to pay for it. If a person (or small business) can't be arsed to have an IT person, either part-time or contracted out through an agency to secure their systems, then they need to pay the price. If that same SMB relies upon their vendor/provider for security, and they fail to deliver, it's time to find another vendor/provider.

      When that price becomes higher than the cost of compliance to prevent an actual, measurable problem then we will see a shift.

      Most people want to do the right thing. For some people, you need to provide the carrot & stick approach.

    5. Re:Another cure that is worse than the disease by poetmatt · · Score: 2

      I disagree 100% - It's not hard at all.

      Checklist of known vulnerabilities -> if your server is suspected of sending huge volumes of spam and fails -> fines after a 2nd or 3rd notice of these failures. It establishes a baseline of "don't be a fuckup with managing your servers".

    6. Re:Another cure that is worse than the disease by bws111 · · Score: 4, Insightful

      How are they at all analogues? Emitted radiation can be directly measured, "vulnerability" can not.

    7. Re:Another cure that is worse than the disease by BringsApples · · Score: 2

      I agree. SPAM is so 2003. I run my own email server at home, and with absolutely no SPAM protection (I used to use spamassassin and mimedefang but once my server crashed, I never took the time to install it all again). I give my email address to all the basic sites in order to make purchases. I do receive SPAM, but very little. The SPAM fight seems to have erupted into craziness with no gains.

      --
      Politics; n. : A religion whereby man is god.
    8. Re:Another cure that is worse than the disease by bws111 · · Score: 4, Insightful

      If your server is sending huge volumes of spam then it is actually doing something, not just sitting there being vulnerable. Fining someone for being involved in sending spam is completely different than fining someone because they could potentially be used to send spam.

    9. Re:Another cure that is worse than the disease by Anonymous Coward · · Score: 1

      Someone fill this out for them...

      http://craphound.com/spamsolutions.txt

    10. Re:Another cure that is worse than the disease by mlts · · Score: 1

      I run my own incoming E-mail server at home. However, the incoming and outgoing mechanisms are pretty separate.

      Incoming port 25 goes through the usual anti-spam measures.

      Outgoing port 25 goes to either my ISP's SMTP server or a dedicated third party. Either way, Bog forbid and my server starts sending UCE, -outgoing- spam is corked, and I'm far more worried about spam coming from my domain than to it.

    11. Re:Another cure that is worse than the disease by jythie · · Score: 1

      I imagine if such legislation did exist it would be similar to 'negligence' no specific definition but if something goes wrong there is a legal tool to examine it.

    12. Re:Another cure that is worse than the disease by sumdumass · · Score: 2

      It is a bit more difficult than that. Suppose the hacker in question is the help desk drone you gave access to in order to fix the system. Suppose the vulnerability is little more than me who was dating your daughter until I found her with another guy and until then, I had legitimate access. You will never know how it happened and most likely lack the ability to find out, where emissions can be measured with a device you can hold in your hand.

      Anyways, the fine is a bad idea because it will lead to approved software from approved only vendors, else you will be fined. Worse yet, it will subject you to fines for zero day exploits where no fixes are available.

    13. Re:Another cure that is worse than the disease by Anonymous Coward · · Score: 0

      How about not "vulnerable" but having sent exactly 1 spam detected message? That DEMONSTRATES the vulnerability and is evidence.

    14. Re:Another cure that is worse than the disease by sumdumass · · Score: 1

      Not if your intent is to offer access to dissidents in oppressed countries.

      I can see a lot of unintended consequences.

    15. Re:Another cure that is worse than the disease by somersault · · Score: 1

      There are lots of options for that which don't leave your server free for abuse. Besides, any sane email server is set to start blocking mail from such sources after they're blacklisted anyway..

      --
      which is totally what she said
    16. Re:Another cure that is worse than the disease by 0123456 · · Score: 1

      How about not "vulnerable" but having sent exactly 1 spam detected message? That DEMONSTRATES the vulnerability and is evidence.

      I get plenty of 'detected' emails in my spam folder that are not spam. Who's going to decide what is and what isn't?

    17. Re:Another cure that is worse than the disease by fatphil · · Score: 1

      OK, I overlooked the "could". Those which have actually been exploited can be detected, as the emitted packets can be measured.

      Alas the story doesn't link to an actual official statement from spamhaus, so it's impossible to see exactly what he said, there isn't even anything on spamhaus' own website, so is it an official spamhaus statement at all?

      --
      Also FatPhil on SoylentNews, id 863
    18. Re:Another cure that is worse than the disease by MightyMartian · · Score: 1

      I'll agree to the fine, providing there is an equally onerous one for every RBL that wrongfully puts IPs on their lists.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    19. Re:Another cure that is worse than the disease by Anonymous Coward · · Score: 0

      That works until a brilliant student of business decides that anyone who runs software that was not produced by #parentCompany is a security risk.

    20. Re:Another cure that is worse than the disease by Charliemopps · · Score: 1

      You enforce it after the breach. There was a DDOS attack, they investigate, find out you were running things years out of date or whatever, then the fines kick in. Much like how it's illegal to not use a seat-belt in the US. They can't really look in every car and be sure as it's driving down the road. But if you get pulled over for something else or you get into an accident that's when you usually get a ticket for it.

      Then the fine makes for good evidence in a legal case against the company by whomever was attacked.

    21. Re:Another cure that is worse than the disease by tlhIngan · · Score: 1

      Perhaps, but is it any less enforceable than the FCC's RF emissions laws? Both are spewing crap into a finite broadcast medium; I think it's possible for the two to be considered almost analogues.

      The FCC RF laws are highly enforceable. All it takes is a licensed user complaining about interference and the FCC can send a van around to monitor it. And the fines for operating equipment like that can be pretty harsh, too. The lightest of them is basically turning off the equipment, to seizure of said equipment to some rather large fines.

      And it's the owner/operator who's responsible for the equipment, too.

      If a licensed user's lawful use of equipment causes degradation of performance or other to unlicensed equipment, the FCC is powerless because the unlicensed equipment is forced to accept the interference, even when it disrupts normal operation.

      Of course, there are also licensed users who have "community sense" who often will fix other people's problems for free (e.g., cable TV is notably bad and often picks up stray ham transmissions - ask nicely and they'll often fix the problem even though it's technically your fault).

      And if the interference is temporary, well, you can usually get away with it quite easily since by the time it's detected, it's too late.

    22. Re:Another cure that is worse than the disease by g0bshiTe · · Score: 1

      Again define vulnerable.

      If your wife or girlfriend takes nude photos you are more likely to have them end up on the net; if they take no nude photos and you have no webcams you can reasonably expect pictures would never be posted.

      --
      I am Bennett Haselton! I am Bennett Haselton!
    23. Re:Another cure that is worse than the disease by g0bshiTe · · Score: 1

      Whenever something goes wrong there are always legal "tools" to examine it.

      --
      I am Bennett Haselton! I am Bennett Haselton!
    24. Re:Another cure that is worse than the disease by g0bshiTe · · Score: 1

      How does this address a botted users box that has an SMTP server as part of the bot?

      --
      I am Bennett Haselton! I am Bennett Haselton!
    25. Re:Another cure that is worse than the disease by Anonymous Coward · · Score: 1

      I would have thought having an SMTP server which does unintended open relaying as everyone's definition of vulnerable.

      You would think it would fit, but what do you think of his example, "Your server has a vulnerability, pay us now to stop us reporting it"?

      Being vulnerable is objective and something we can possibly all agree on. It's easy enough, for me to telnet to your port 25 and try to send an email.

      But with being reported as vulnerable, the only objective truth is that a report was made. As for the report's accuracy or relevance, nobody knows. "I got this spam from here," someone says, but then you try to use that relay, and it doesn't work for you. So was the report accurate (the relay is partially open, under some kind of conditions which may, or may not, be easy to reproduce), or was it maliciously false (fine the reporter 100x instead), or an honest mistake? YOU DON'T KNOW.

    26. Re:Another cure that is worse than the disease by somersault · · Score: 2

      It doesn't. Not needing any credentials at all is quite different from duplicitously stealing existing user credentials or otherwise illegally gaining access to their servers.

      --
      which is totally what she said
    27. Re:Another cure that is worse than the disease by UPi · · Score: 5, Informative

      You are merely lucky. I run 3 small mail servers, all very similar in setup. 1 also receives no spam whatsoever, the other two are flooded by it. I need to use Spamhaus's XBL, SPF and graylisting to stem the tide. If I removed any of the three, SPAM volume would exceed regular mail volume about 20x. (This is not because of a lack of regular mail.)

    28. Re:Another cure that is worse than the disease by Anonymous Coward · · Score: 0

      I run my own incoming E-mail server at home.

      I run one at a small college. After the DNSBL/RBL filters, we get about 600 spam for each email.

    29. Re:Another cure that is worse than the disease by morgauxo · · Score: 1

      "Of course, there are also licensed users who have "community sense" who often will fix other people's problems for free"

      Funny, I was thinking the opposite due to the opposite of your example:

      Try getting a cable company with leaky coax to stop interfering with ham radio! Good luck!

    30. Re:Another cure that is worse than the disease by Pope · · Score: 1

      "You know, it'd be a *real* shame if your wife/girlfriend got this nice camera for Christmas this year..."

      --
      It doesn't mean much now, it's built for the future.
    31. Re:Another cure that is worse than the disease by BringsApples · · Score: 1

      Yup, and if you're on AT&T, then that's how you have to do it, as all packets on port 25 outbound from AT&T's network are dropped.

      --
      Politics; n. : A religion whereby man is god.
    32. Re:Another cure that is worse than the disease by X0563511 · · Score: 1

      Post your email right into the text here, and see how long that lasts...

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    33. Re:Another cure that is worse than the disease by Anonymous Coward · · Score: 0

      Try posting your email address somewhere public (like here) and then see how much spam you get.

      I get on the order of 600-800 spams a day to my public email address.

    34. Re:Another cure that is worse than the disease by Anonymous Coward · · Score: 0

      The authorities in charge of national domain check DNS systems for availability in my country. Maybe the .uk domain authority does the same already and such vulnerability checks should be easy to add into the framework? Losing the domain might be the naturally following consequence as well.
      Then there is the question of how many SMBs or even large companies actually run their domain using their own DNS servers.

    35. Re:Another cure that is worse than the disease by macpacheco · · Score: 1

      It should apply only to widely known vulnerabilities. Stuff like an open dns server, open smtp server, accounts without passwords or very easy ones.
      Of course you can't require everyone to have a patch that was released yesterday applied to their systems...
      The problem is coding this into law...
      Only vulnerabilities that can be detected with an open service where the owner of the server can enter his valid ip and ask the service to scan for known vulnerabilities.
      There are way too many systems in the wild with stupidities like that.

    36. Re:Another cure that is worse than the disease by macpacheco · · Score: 1

      This isn't so much about spam anymore, but about massive DDOS attacks.
      I even admit I had a few systems with wrongly configured DNS servers, they were used in DNS amplification attacks, and I would have loved to know about it before they were used for that. All fixed now.
      DDOS attacks are reaching 100Gbps for Christ's sake.
      If this prevents large sections of the Internet from grinding to a halt, I'm all for it.

      Of course, this makes NO sense if it gets adopted in the UK only, needs to be enabled at least for USA + Canada + European Union countries to make any sense!
      It's sort of like the Kyoto protocol.

    37. Re:Another cure that is worse than the disease by sjames · · Score: 1

      They're also talking about DNS servers or any other sort of server. Then there's the question of what to do about zero day problems.

    38. Re:Another cure that is worse than the disease by Karl+Cocknozzle · · Score: 1

      Another cure that is worse than the disease

      Ha! I've used that to describe spamhaus and their minions... Years ago I had a client who ended up getting blocked randomly because (drumroll please) spamhaus added an entire /22 to their IP blocklist! The client's /29 was inside that block, so naturally they got blocked by anybody honoring spamhaus' block list... (And to the legion of assholes that troll anybody criticizing spamhaus' slipshod work and labels them a "spammer," Fuck you! They didn't send any spam, EVER. And blocking an entire /22 (covering some of a datacenter's customers, but not others) is arbitrary to the point of negligence.

      When it had all played out the /22 block was a result of (wait for it!) a disgruntled employee at the datacenter exploiting Spamhaus' notoriously weak quality-control to screw-over his former employer with an annoying, somewhat hard to identify problem... Annoying because spamhaus will keep blocking it in perpetuity until somebody figures out how to make them stop. Somewhat hard to identify because it wasn't every client having problems, and the ones having problems weren't having it with all recipients. Now, of course, we know that description of symptoms can easily be an RBL run amok... Of course then the question becomes "which one?"

      I don't like spam any more than the next guy, but dealing with the shrill assholes who have made it their life's work to fight spam (hint: When somebody tells this to you, FFS, don't laugh!) is just one step less-unpleasant than repeated, unneeded root canal... The high and mighty, pompous, and arrogant attitudes (anybody who disagrees with us is stupid or a spammer!) make the low-quality of the work produced that much more glaring. Honestly, haven't you people ever heard of IronPort, Barracuda, or MXLogic? Seriously: Get a life. Reporting each spam individually is the least efficient way to fight the problem. What makes it worse is when you tell these Don Quixote types that they're wasting their lives they accuse YOU of being a spammer!

      --
      Who did what now?
    39. Re:Another cure that is worse than the disease by WaffleMonster · · Score: 1

      This isn't so much about spam anymore, but about massive DDOS attacks. I even admit I had a few systems with wrongly configured DNS servers, they were used in DNS amplification attacks, and I would have loved to know about it before they were used for that. All fixed now.

      Except it's not fixed.

      Of course, this makes NO sense if it gets adopted in the UK only, needs to be enabled at least for USA + Canada + European Union countries to make any sense!
      It's sort of like the Kyoto protocol.

      Political solutions to technical problems is exactly what the Internet needs.

    40. Re:Another cure that is worse than the disease by Zamphatta · · Score: 1

      Are you serious? This is entirely enforceable without unreasonable difficulty. It's easy to find out who owns an IP address and there's always contact info attached to that record. If the fine isn't paid or isn't paid on time, it's only a simple matter of shutting the company's site down 'til the fine is paid. We're not talkin' about individuals here, but companies, especially hosting services, etc. Notification would come through an official gov't somebody, not something like a spamish-lookin-email. Anybody who's setting up servers that falls for a spamish-looking-email about this, deserves whatever problems they get as a result of believing such an email. They really should know better.

      And while they're at it, they should fine everyone who's DB is stolen due to stupid insecure setups... SQL injections, plaintext passwords, etc. This stuff isn't excusable, and it's pretty shocking that it's still common in late 2013. Can you imagine how much money the gov't would've made off Adobe and SONY over the past few years? That'd probably help lower our taxes (in theory).

    41. Re:Another cure that is worse than the disease by WaffleMonster · · Score: 1

      Are you serious? This is entirely enforceable without unreasonable difficulty. It's easy to find out who owns an IP address and there's always contact info attached to that record.

      LOL the MPAA wishes this were true.

      If the fine isn't paid or isn't paid on time, it's only a simple matter of shutting the company's site down 'til the fine is paid.

      I am beginning to lose my faith in humanity and Slashdot in particular. That there really are people here begging for legal intervention makes me sick. The technical basis for the arguments being spewed here is not even factually accurate.

      We're not talkin' about individuals here,

      Who's we? There is plenty of consumer gear with broken DNS proxies and plenty of users who run their own servers, something we should be encouraging, not discouraging, with our dreams of offloading liability from criminals to the users.

      but companies, especially hosting services, etc. Notification would come through an official gov't somebody, not something like a spamish-lookin-email.

      Hosting companies are the least of your problems.

      Anybody who's setting up servers that falls for a spamish-looking-email about this, deserves whatever problems they get as a result of believing such an email. They really should know better.

      Now this is the ticket. This is the kind of spirit the Internet needs to retain. If you act stupidly the Internet bitch slaps you for it.

      And while they're at it, they should fine everyone who's DB is stolen due to stupid insecure setups... SQL injections, plaintext passwords, etc. This stuff isn't excusable

      Who determines what is stupid? And how would anyone but the lawyers benefit from that arrangement? It is not like there is not already massive legal and financial disincentive against getting p0wn3d. I can think of a few inexcusable security transgressions that remain standard industry practice to this day. Do I get to write the law?

      Can you imagine how much money the gov't would've made off Adobe and SONY over the past few years? That'd probably help lower our taxes (in theory).

      And your buying power (in fact).

    42. Re:Another cure that is worse than the disease by Bacon+Bits · · Score: 1

      20X seems to be a fairly normal rate of spam based on what I've seen at the organizations I've worked for, with spikes up to about 40X.

      --
      The road to tyranny has always been paved with claims of necessity.
    43. Re:Another cure that is worse than the disease by Karl+Cocknozzle · · Score: 1

      You enforce it after the breach. There was a DDOS attack, they investigate, find out you were running things years out of date or whatever, then the fines kick in. Much like how it's illegal to not use a seat-belt in the US. They can't really look in every car and be sure as it's driving down the road. But if you get pulled over for something else or you get into an accident that's when you usually get a ticket for it.

      Then the fine makes for good evidence in a legal case against the company by whomever was attacked.

      Think about that for a moment... It's totally unenforceable because nobody is legally obligated to keep a full version-control of every setting, piece of software, or chunk of code they're running, so unless the law requires them to continue running with "vulnerabilities" in place until an investigator can record them for fine-tallying purpose then it is extremely unlikely that any fine will ever actually be assessed because in the end the sorts of shops that run open-relays and rootable DNS servers aren't likely to have good documentation practices, either.

      --
      Who did what now?
    44. Re:Another cure that is worse than the disease by poetmatt · · Score: 1

      I don't think you can reasonably hold people accountable for zero days, especially when the government is encouraging them to be so plentiful. So I agree, it needs more specificity and more definitions - but that doesn't make this simply impossible if technical people are involved.

      Given the government involved though, I would say it's impossible for *them* to understand, yes.

    45. Re:Another cure that is worse than the disease by BringsApples · · Score: 0

      chuck@chuckstevens.com

      bring it

      --
      Politics; n. : A religion whereby man is god.
  2. I used to love Spamhaus by LordKaT · · Score: 5, Insightful

    Honestly, I used to love Spamhaus, but as the years wore on, I got into the IT world and had to interact with them, and I've come to really loathe them. A decent service, I guess, but every single person that is involved with them comes across like a whining child, and I hate ever having to interact with them.

    1. Re:I used to love Spamhaus by Anonymous Coward · · Score: 0

      Honestly, I used to love Spamhaus, but as the years wore on, I got into the IT world and had to interact with them, and I've come to really loathe them. A decent service, I guess, but every single person that is involved with them comes across like a whining child, and I hate ever having to interact with them.

      Yes, it's rather ironic thinking that if their whining were to be heard loud and clear by everyone, they would not have a reason to exist.

    2. Re:I used to love Spamhaus by sumdumass · · Score: 1

      At least you got to talk to someone. My experience consisted of automated forms and links to other sites with absolutely no confirmation that something moved forward or not.

      There is no better feeling than telling your boss that the rootkit found on his kid's laptop that he uses to babysit the kid when he brings her in was behind the problem and you think maybe the problem might be getting fixed. It's kind of like poking a sleeping bear with a bee hive taped to a stick and wondering if the stick is long enough.

    3. Re:I used to love Spamhaus by smartr · · Score: 1

      Just think of all the government funding though! The NSA could just whip up another batch of attacks and after laying the groundwork to break the previously up to date servers, they can collect moneys on their hacking work... kind of like if a cop pulled you over and took a baseball bat to your taillight because they think they're immune to oversight.

    4. Re:I used to love Spamhaus by Krojack · · Score: 3, Informative

      This is exactly what I ran into. My company got a new block of IPs and several IPs within it were on their block list. I could never get through to them, thus never got the IPs removed.

      I stopped using their blacklist years ago because their service is unreliable. They seem to have this "We're better than you" mentality.

    5. Re:I used to love Spamhaus by Anonymous Coward · · Score: 2, Informative

      Dealing with them is like dealing with Eric Cartman when he was deputized. "Respect my authoritai!"

      If they decided you weren't kissing their asses with sufficient deference they would happily violate their stated policies and expand and entrench the black listing in spite of no spam coming from any of the IPs listed.

  3. Fine all server owners? by Anonymous Coward · · Score: 1

    There is not now, never has been and never will be such a thing as a "Secure Server". Only relative levels of the attempts to keep it unbreached vs. efforts to breach it. Some are very weak but have never been breached while much stronger defended ones have been breached repeatedly.

    1. Re:Fine all server owners? by kav2k · · Score: 1

      At this point it's called a tax.

  4. UK of all places? by Anonymous Coward · · Score: 0

    'You should be subject to something like a parking ticket... where the fine is greater than the cost of fixing it.'

    I am surprised they do not have such a law, considering the goofball laws they pass. I think fines are more productive and cheaper on government (i.e. no need to waste resources putting non violent criminals into prisons) but at the same time what makes you think they're going to pay the fines? That's of course if you find them!

  5. As long... by Anonymous Coward · · Score: 5, Insightful

    ...as server operators can fine Spamhaus for false positives.

    1. Re:As long... by poetmatt · · Score: 1

      That depends on how much you're letting spamhaus validate actual positives. It has to go both ways.

    2. Re:As long... by goldaryn · · Score: 1

      ...as server operators can fine Spamhaus for false positives.

      All these fines should go towards counselling for the servers to help resolve their insecurities

      WON'T SOMEONE PLEASE THINK OF THE SERVERS?

    3. Re:As long... by NoNonAlphaCharsHere · · Score: 1

      WON'T SOMEONE PLEASE THINK OF THE SERVERS?

      Little "MOMS" will go to bed tonight running XP. It can't remember the last time it had a full update. Won't you please help? Send your generous donations to...

    4. Re:As long... by FireFury03 · · Score: 3, Informative

      That depends on how much you're letting spamhaus validate actual positives. It has to go both ways.

      We've been having significant problems with the CBL's ill-thought-out policies (and Spamhaus imports data from the CBL)...
      http://blog.nexusuk.org/2013/09/problems-with-cbl.html

    5. Re:As long... by whoever57 · · Score: 1

      We've been having significant problems with the CBL's ill-thought-out policies

      I am not sure what is ill-thought-out about their policies. In both scenarios, an IP address is sending SPAM. IP address gets blocked. The author (you?) asks for a list of honeypot addresses, but you could be a spammer, who could use that list to delay blocking of the SPAM.

      Also, I have not seen a SPAM bot that uses the smarthost. This doesn't mean that they don't exist, but I think that they are rare. Hence blocking direct access to port 25 through the firewall stops most spambots from actually sending spam.

      If the spams are relayed through your own smarthosts, then how about some kind of rate-limiting mechanism with alerts to the administrator? Quick action by the admin would prevent listing.

      --
      The real "Libtards" are the Libertarians!
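The rate-limiting-with-alerts idea in the post above, as an added example that is not part of the thread (the function names and the log lines are constructed for it; the line layout follows Postfix's `smtpd` "client=..., sasl_method=..., sasl_username=..." format): it counts authenticated submissions per SASL account in a sliding window and flags any account that exceeds a threshold, together with every client IP the account was used from, which is what would let an admin act on a compromised account before a DNSBL lists the relay's IP.

```python
# Added example (not from the thread): per-account submission-rate alerting
# for an authenticated smarthost, run over Postfix-style smtpd log lines.
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not real traffic).  "alice" sends three messages in
# ten minutes; "bob" (a stolen credential) sends eight in forty seconds from
# two different hosts.  One "disconnect" line is included to show it is skipped.
SAMPLE_LOG = [
    "Oct 12 09:00:05 mx1 postfix/smtpd[2101]: 4A1B2C3D4E: client=laptop.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice",
    "Oct 12 09:00:10 mx1 postfix/smtpd[2102]: 4A1B2C3D4F: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob",
    "Oct 12 09:00:12 mx1 postfix/smtpd[2102]: disconnect from unknown[198.51.100.7] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6",
    "Oct 12 09:00:15 mx1 postfix/smtpd[2103]: 4A1B2C3D50: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob",
    "Oct 12 09:00:20 mx1 postfix/smtpd[2103]: 4A1B2C3D51: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=bob",
    "Oct 12 09:00:25 mx1 postfix/smtpd[2104]: 4A1B2C3D52: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=bob",
    "Oct 12 09:00:30 mx1 postfix/smtpd[2104]: 4A1B2C3D53: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob",
    "Oct 12 09:00:35 mx1 postfix/smtpd[2105]: 4A1B2C3D54: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob",
    "Oct 12 09:00:40 mx1 postfix/smtpd[2105]: 4A1B2C3D55: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=bob",
    "Oct 12 09:00:45 mx1 postfix/smtpd[2106]: 4A1B2C3D56: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob",
    "Oct 12 09:05:00 mx1 postfix/smtpd[2107]: 4A1B2C3D57: client=laptop.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice",
    "Oct 12 09:09:00 mx1 postfix/smtpd[2108]: 4A1B2C3D58: client=laptop.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice",
]

# "Mon DD HH:MM:SS host postfix/smtpd[pid]: QUEUEID: client=name[ip], sasl_method=X, sasl_username=user"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=(?P<client>\S+), sasl_method=\S+, sasl_username=(?P<user>\S+)$"
)
IP_RE = re.compile(r"\[([^\]]+)\]")


def parse_line(line, year=2013):
    """Return (timestamp, user, client_ip) for an authenticated-submission line, else None.
    Syslog timestamps carry no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    ip_m = IP_RE.search(m["client"])
    return ts, m["user"], ip_m.group(1) if ip_m else m["client"]


def find_bursts(lines, limit, window_s, year=2013):
    """Flag every SASL account that submits more than `limit` messages within any
    `window_s`-second window.  Returns {user: {"first_over_limit": iso_ts, "clients": [ips]}}."""
    recent = defaultdict(deque)   # user -> timestamps still inside the current window
    clients = defaultdict(set)    # user -> every client IP the account was used from
    first_over = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, user, ip = parsed
        clients[user].add(ip)
        q = recent[user]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # slide the window forward
            q.popleft()
        if len(q) > limit and user not in first_over:
            first_over[user] = ts
    return {
        user: {"first_over_limit": ts.isoformat(), "clients": sorted(clients[user])}
        for user, ts in first_over.items()
    }


if __name__ == "__main__":
    for user, info in find_bursts(SAMPLE_LOG, limit=5, window_s=60).items():
        print(f"ALERT {user}: over limit at {info['first_over_limit']}, seen from {info['clients']}")
```

Postfix can also enforce a ceiling itself with `smtpd_client_message_rate_limit` (the anvil counters), but that keys on the client address; keying on the SASL username, as here, is what catches one stolen credential being used from several hosts.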
    6. Re:As long... by Anonymous Coward · · Score: 0

      If only there were a law/fine for libel and extortion...

    7. Re:As long... by Anonymous Coward · · Score: 0

      Wanting it to go both ways was the point being made...

    8. Re:As long... by FireFury03 · · Score: 2

      We've been having significant problems with the CBL's ill-thought-out policies

      I am not sure what is ill-thought-out about their policies. In both scenarios, IP address is sending SPAM. IP address gets blocked.

      The ill-thought-out bit is that the CBL is a *spam email* blocklist, but their heuristics cause networks that aren't sending spam email to get listed and therefore blocked. Whilst there is no argument that the networks were infected with malware, listing them on the CBL serves no useful purpose since they were of no threat to the systems that would be using the CBL (mail servers).

      Previously, sharing an IP address between multiple services was a reasonable idea - there was never a reason not to do this and it conserves IP addresses. However, with the advent of the CBL using an HTTP honeypot to populate an SMTP blocklist, there simply isn't any sensible way to run a network in this configuration - it just takes one person to connect an infected laptop to the network for a short period of time, and all the email starts getting blocked.

      Because of this, we are now having to standardise on running mail servers on a separate IP address - this does nothing to decrease the incidence of malware, it simply stops an infected network being listed on the CBL.

      The author (you?) ask for a list of honeypot addresses, but you could be a spammer, who could use that list to delay blocking of the SPAM.

      I could be a spammer, but I'm not.

      The idea was that as the malware was always connecting through the transparent proxy servers, having a list of honeypot addresses or some other way of fingerprinting the request we could (1) automatically isolate the affected system, and (2) automatically inform the sysadmin so (s)he could clean up the mess. This would be a Good Thing for everyone.

      As it turns out, the CBL maintainers were not cooperative (for whatever reason), so we're stuck with the aforementioned interim measure of separating services onto different IPs rather than actually resolving the root problem.

      People in the business of securing networks really do need to trust each other to some extent - if they refuse to cooperate out of paranoia then the spammers have basically won already since there's no way anyone can effectively defend against spam and malware in isolation.

      Also, I have not seen a SPAM bot that uses the smarthost. This doesn't mean that they don't exist, but I think that they are rare.

      Indeed. That was the point I was making: the only way to send email out of the affected networks was via authenticated smarthosts. Yes, it's possible that some malware could extract the authentication credentials out of a user's mail client (if they have one configured) and use those to send spam, but that's a lot of effort to go to and I've never seen any malware do that (and if malware does do that then *everyone*'s screwed because it'll start sending spam through corporate email servers, gmail, etc.). So the networks in question were essentially immune to sending spam email, yet were still being blocked by the CBL from sending email because they had a client making spammy web requests - this makes no sense.

      Hence blocking direct access to port 25 through the firewall stops most spambots from actually sending spam.

      And this is exactly how the networks in question are set up, yet this does nothing to prevent the network from being listed on the CBL since the CBL's honeypot is checking for suspicious HTTP connections rather than SMTP traffic.

      If the spams are relayed through your own smarthosts, then how about some kind of rate-limiting mechanism with alerts to the administrator? Quick action by the admin would prevent listing.

      To reiterate, in case it wasn't clear from the blog article, there was no spam email leaving the network - port 25 is blocked, the only way

    9. Re:As long... by whoever57 · · Score: 1

      The issue is purely that the smarthost shares the same IP address as the web proxy and the CBL honeypot looks for *HTTP* traffic (which was leaving the network) rather than *SMTP* traffic.

      It wasn't clear to me from the article that this was the problem. However, it's still not clear to me that this is the case. You assert that fetching some "spammy" URLs causes the listing, but the folks at CBL don't say what their listing criteria are, so I assume you have some hard evidence and not just suspicions that the fetching of honeypot URLs causes a listing?

      From my reading about Zbot, the only URLs it fetches are from C&C servers, so the CBL operators would have to have taken over a Zbot C&C server (or have access to the logs from someone who has gained control of a C&C server).

      --
      The real "Libtards" are the Libertarians!
    10. Re:As long... by FireFury03 · · Score: 2

      The issue is purely that the smarthost shares the same IP address as the web proxy and the CBL honeypot looks for *HTTP* traffic (which was leaving the network) rather than *SMTP* traffic.

      It wasn't clear to me from the article that this was the problem. However, It's still not clear to me that this is the case. You assert that fetching some "spammy" URLs causes the listing, but the folks at CBL don't say what their listing criteria is, so I assume you have some hard evidence and not just suspicions that the fetching of honeypot URLs causes a listing?

      When you get listed, you can look up the reason why and it tells you.

      From my reading about Zbot, the only URLs it fetches are from C&C servers, so the CBL operators would have to have taken over a Zbot C&C server (or have access to the logs from a someone who has gained control of a C&C server).

      I believe (and I'm not altogether clear whether this is accurate) that Zbot uses C&C domains that are generated programmatically based on the time of day, so CBL have managed to register some of those domains before the real bot owners and therefore set up a honeypot of C&C servers.

    11. Re:As long... by whoever57 · · Score: 1

      I believe (and I'm not altogether clear whether this is accurate) that Zbot uses C&C domains that are generated programmatically based on the time of day, so CBL have managed to register some of those domains before the real bot owners and therefore set up a honeypot of C&C servers.

      Some more googling suggests that the CBL tells you the honeypot IP after listing. If this is true, could you not look in your proxy logs to see what the URLs to the C&C servers look like and block them based on a pattern that matches the part after the domain name?

      Also there seems to be something called "ZeuS Tracker" which provides the necessary IP addresses to block.

      --
      The real "Libtards" are the Libertarians!
    12. Re:As long... by whoever57 · · Score: 1

      Even more.... the ZeuS Tracker web pages include information on how to use the C&C server lists in Squid.

      --
      The real "Libtards" are the Libertarians!
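The approach whoever57 suggests in the two posts above (look in the proxy logs for the C&C contacts, and feed a ZeuS Tracker style host list into the proxy) can be turned into the automatic isolate-and-alert step FireFury03 asked for, because the proxy log records the internal client address even though the outside world only ever sees the one shared IP. The following is an added example, not code from the thread, from the nexusuk blog post, or from the CBL or ZeuS Tracker projects. It assumes Squid's default native access.log layout and a plain one-host-per-line blocklist; the log lines, host names and addresses are constructed. It matches on destination host rather than URL pattern, since (as FireFury03 notes further down) the request paths do not give a stable fingerprint.

```python
"""Spot proxied clients talking to known C&C hosts in a Squid access log.

Added example (not from the thread, the nexusuk blog, the CBL or ZeuS Tracker).
Assumed input: Squid's default native access.log layout,

  <timestamp> <elapsed_ms> <client_ip> <result/status> <bytes> <method> <url> <ident> <hierarchy/peer> <content_type>

and a blocklist of C&C host names in the style of the ZeuS Tracker domain list
(one host per line, '#' comments). Every line, host name and address below is
constructed for the example.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed blocklist; the host names are made up and use reserved names.
BLOCKLIST_TEXT = """\
# ZeuS Tracker style domain blocklist (constructed sample)
cnc-example1.invalid
update-check.example.net
"""

# Constructed Squid access.log lines. Clients are RFC1918 addresses behind the
# proxy; the proxy's single external address is all a honeypot (or the CBL) sees.
ACCESS_LOG = """\
1380000001.123    210 10.1.2.34 TCP_MISS/200 4312 GET http://www.example.org/index.html - DIRECT/203.0.113.10 text/html
1380000002.456    190 10.1.2.57 TCP_MISS/200 812 POST http://cnc-example1.invalid/gate.php - DIRECT/198.51.100.7 application/octet-stream
1380000003.789     50 10.1.2.34 TCP_HIT/200 12000 GET http://www.example.org/logo.png - NONE/- image/png
1380000004.012    300 10.1.2.57 TCP_MISS/200 640 GET http://update-check.example.net/cfg.bin?id=77 - DIRECT/198.51.100.8 application/octet-stream
1380000005.345    120 10.1.2.99 TCP_MISS/404 300 GET http://example.com/notfound - DIRECT/203.0.113.11 text/html
1380000006.678    400 10.1.2.57 TCP_TUNNEL/200 9000 CONNECT cnc-example1.invalid:443 - DIRECT/198.51.100.7 -
"""


def load_blocklist(text):
    """Parse a one-host-per-line list, ignoring comments and blank lines."""
    hosts = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            hosts.add(line)
    return hosts


def host_matches(host, blocklist):
    """True if host is a listed name or a subdomain of one (a.b.c matches b.c)."""
    host = host.lower().rstrip(".")
    return host in blocklist or any(host.endswith("." + d) for d in blocklist)


def parse_squid_line(line):
    """Return the fields we need from one native-format line, or None if malformed."""
    parts = line.split()
    if len(parts) < 7:
        return None
    ts, client, method, url = parts[0], parts[2], parts[5], parts[6]
    if method == "CONNECT":
        host = url.rsplit(":", 1)[0]          # CONNECT lines carry host:port, no scheme
    else:
        host = urlsplit(url).hostname or ""   # hostname is lower-cased, port stripped
    return {"ts": float(ts), "client": client, "method": method, "url": url, "host": host}


def find_cnc_contacts(log_text, blocklist):
    """Map each internal client IP to the blocklisted requests it made."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec and host_matches(rec["host"], blocklist):
            hits[rec["client"]].append(rec)
    return dict(hits)


def quarantine_plan(hits):
    """Per infected client: the address to cut off and a summary for the admin.

    Returns [(client_ip, summary)] sorted by client. Acting on it (a deny ACL on
    the proxy, a switch port shutdown) is site-specific and left to the caller.
    """
    plan = []
    for client in sorted(hits):
        hosts = sorted({r["host"] for r in hits[client]})
        plan.append((client, f"{client}: {len(hits[client])} requests to C&C hosts {', '.join(hosts)}"))
    return plan


if __name__ == "__main__":
    hits = find_cnc_contacts(ACCESS_LOG, load_blocklist(BLOCKLIST_TEXT))
    for client, summary in quarantine_plan(hits):
        print("QUARANTINE", summary)
```

The plan it produces names only the infected internal host, which is what you want to isolate; the shared external address stays in service for everyone else. The obvious limit is the same one the thread runs into: it only catches families whose C&C hosts someone publishes, so a listing from an unpublished honeypot will still happen before this sees anything.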
    13. Re:As long... by FireFury03 · · Score: 1

      Some more googling suggests that the CBL tells you the honeypot IP after listing. If this is true, could you not look in your proxy logs to see what the URLs to the C&C servers look like and block them based on a pattern that matches the part after the domain name?

      There wasn't an especially obvious fingerprint I could derive from the requests when I looked (i.e. each time I've seen this, the request has been considerably different)

    14. Re:As long... by Anonymous Coward · · Score: 0

      Because, as we all know, it is mandatory that all email administrators use Spamhaus.

  6. Free Speech by CanHasDIY · · Score: 3, Interesting

    If things like public defecation, nudity, and pan-handling can be successfully argued as free speech (which they all have, at some point, somewhere), I think it would be a pretty simple affair to claim that running open, unsecured internet infrastructure is also a form of free expression.

    "The trouble with fighting for human freedom is that one spends most of one's time defending scoundrels."

    --
    An enigma, wrapped in a riddle, shrouded in bacon and cheese
    1. Re:Free Speech by spacepimp · · Score: 2

      Sadly that is a repercussion of having liberties. Free speech means the right for people to say things you don't agree with. If free speech was easy, then everyone would have it.

    2. Re:Free Speech by Anonymous Coward · · Score: 0

      If things like public defecation, nudity, and pan-handling can be successfully argued as free speech (which they all have, at some point, somewhere), I think it would be a pretty simple affair to claim that running open, unsecured internet infrastructure is also a form of free expression.

      The examples you've provided can be easily argued as affecting a limited group or subset of those immediately surrounding the "artist" performing.

      When running a spam server (unintentionally or otherwise) that affects hundreds of millions, one can easily argue that spam "art" is about as welcome as tinkering with radioactive material in a neighborhood garage because some "artist" thinks mushroom clouds are pretty.

      Sorry, not gonna buy the free speech bullshit in this case. If that Right is so distorted anyway for the rest of us, why the hell should we allow it to be abused in the worst fucking way.

    3. Re:Free Speech by jythie · · Score: 1

      True, but free speech has always had limitations when it comes to the speech having specific impacts, esp when that speech is part of a crime.

    4. Re:Free Speech by CanHasDIY · · Score: 1

      Sadly that is a repercussion of having liberties. Free speech means the right for people to say things you don't agree with.

      That's not sad, it's what makes life interesting.

      I think living in an echo chamber would be unbelievably boring.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    5. Re:Free Speech by CanHasDIY · · Score: 1

      True, but free speech has always had limitations when it comes to the speech having specific impacts, esp when that speech is part of a crime.

      You'll have to be more specific.

      I know that speech which directly causes harm (like yelling 'fire' in a crowded, not-on-fire place) is patently illegal; I also know that knowingly providing information or services to individuals in the commission of a crime is not protected speech.

      But this isn't one of those situations; nobody's handing the car keys to the bank robber, they've just left the keys in the ignition with the doors unlocked. Pretty sure that's not illegal.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    6. Re:Free Speech by interkin3tic · · Score: 1

      What's accepted as fair arguments in court is a separate issue that depends on context. From a quick google search, it seems like the context for at least one case of public defecation as free speech was homelessness. Didn't do a lot of reading on it, but it sounds like in Santa Cruz, they decided to get rid of unsightly homeless people by getting rid of public toilets and declaring public defecation illegal. That seems to be a common approach. And frankly, that's bullshit. In that specific context, I think declaring pooping on a city that is trying to boot you out is fair.

    7. Re:Free Speech by UPi · · Score: 1

      This is just a guess, because it has never happened to me before. However, I imagine that after being on a receiving end of a massive DDOS I would no longer think of not patching your servers as a form of free speech. Instead, I would think of it as negligence.

    8. Re:Free Speech by Anonymous Coward · · Score: 0

      You falsely assume that everyone would think and act the same if there were no people explicitly trying to break the rules. Which leads me to believe you're one of the scoundrels being defended...

    9. Re:Free Speech by CanHasDIY · · Score: 1

      This is just a guess, because it has never happened to me before. However, I imagine that after being on a receiving end of a massive DDOS I would no longer think of not patching your servers as a form of free speech. Instead, I would think of it as negligence.

      So... if you left the keys in your car, and some sociopath took said car and ran over a few people with it, you think you should be charged with negligence?

      I think if it did happen to you, you might feel differently. People are funny that way.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    10. Re:Free Speech by UPi · · Score: 1

      I would prefer a non-car analogy please. It's been a while since the last good one.

      In any case, if the event you described did happen, I would feel VERY bad about it, and would be very careful not to leave the keys in the car again. If one of my servers was hijacked to do bad things, be it DDOS or spamming, I would feel bad about that also.

    11. Re:Free Speech by Anonymous Coward · · Score: 0

      'You should be subject to something like a parking ticket... where the fine is greater than the cost of fixing it.'

      I can understand it being considered negligence. But the above quote proves that this guy is just being a whiny child that doesn't care about the reality of the situation. In technology companies, some things can get so expensive that if they had to pay a fine that was more, they would be incapable of paying for the upgrade. Sure, a simple software patch would be easy. But what if the attack infected every system on the internal network, which had to be wiped and reinstalled manually on an individual basis? And what if that company had tens of thousands of computers on the internal network? The man-hours alone would become prohibitively expensive...

    12. Re:Free Speech by Fnord666 · · Score: 1

      I would prefer a non-car analogy please. It's been a while since the last good one.

      Ok, if you were Peter Parker then ...

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    13. Re:Free Speech by sjames · · Score: 1

      And because you would feel bad about it, you would fix it. Fining you on top of that would just be rubbing salt in your wounds.

    14. Re:Free Speech by CanHasDIY · · Score: 1

      I would prefer a non-car analogy please. It's been a while since the last good one.

      In any case, if the event you described did happen, I would feel VERY bad about it, and would be very careful not to leave the keys in the car again. If one of my servers was hijacked to do bad things, be it DDOS or spamming, I would feel bad about that also.

      As far as car analogies go, I'd say this is one of the rare ones that actually makes sense and is in context to the general point.

      Feeling bad is good - showing remorse is a sign that you're not a sociopath. But feeling guilty doesn't make a person legally culpable for another person's actions, which is my position on the matter.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    15. Re:Free Speech by UPi · · Score: 1

      OK, let's go with the car analogy.

      You step out of your car, leaving your keys in the ignition. Someone comes up to you and tells you that the area is crawling with psychotic people, and there is a likelihood that one of them will be taking your car and hitting someone with it. You say it's not your problem and you leave the keys anyway. It is my understanding that Spamhaus is suggesting that you should be fined for that. We can argue that makes sense or not, but can we please agree that this is not about free speech?

    16. Re:Free Speech by CanHasDIY · · Score: 1

      OK, let's go with the car analogy.

      You step out of your car, leaving your keys in the ignition. Someone comes up to you and tells you that the area is crawling with pychotic people, and there is a likelihood that one of them will be taking your car and hitting someone with it. You say it's not your problem and you leave the keys anyway. It is my understanding that Spamhaus is suggesting that you should be fined for that. We can argue that makes sense or not, but can we please agree that this is not about free speech?

      But it is free speech; or, more specifically, free expression (which is protected by the same Amendment for us 'Mericans).

      Because I have a right to tell that person, "Yea, well, fuck you, because my shit is none of your damn business."

      But I'll play your game, since the free speech angle doesn't even have to come into play:

      What Spamhaus is suggesting is a perfect example of 'blaming the victim.' Someone steals your shit and uses it for a crime, and they say the person whose shit got stolen should be held accountable? That's not just stupid, it's fucking evil. Like saying a rapist isn't really a rapist because the woman he raped was wearing tight jeans. Oh, and she has to pay a fine for being so damn rape-able.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    17. Re:Free Speech by Anonymous Coward · · Score: 0

      The United States does not have freedom of expression laws. It has freedom of speech laws only. International law may add freedom of expression, but so far we haven't seen a lot of particularly interesting examples of it being enjoyed.

  7. A similar case by tech.kyle · · Score: 2

    It's fairly accepted that just because a car is left unlocked doesn't mean anyone's allowed to go in and take what's inside it. Even when you do lock it, there are ways to get in. The fault isn't the owner's for not locking it, it's the attacker's fault. I don't see why online services are any different. The interruption of service and potential loss of data is enough incentive to keep them from leaving it insecure in the first place. If not, they'll sure be taking a look at security after.

    --
    If we colonize Mars, it won't be the World Wide Web anymore. UWW?
    1. Re:A similar case by msauve · · Score: 1, Insightful

      Welcome to the new world. It's not the attacker's fault, either. He was abused as a child and bullied in school. Society made him steal from that car, it wasn't free will.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    2. Re:A similar case by Anonymous Coward · · Score: 0

      If you leave your car unlocked and someone steals your car and commits vehicular manslaughter with your car, do you bear any responsibility?

    3. Re:A similar case by dcw3 · · Score: 1

      Let's try another analogy...

      Suppose you have a pool in your backyard, and some kids use it w/o your permission. When one of them drowns, who's liable?

      Now, I'm not taking Spamhaus' side on this, but analogies are just that, and often apples vs. oranges.

      --
      Just another day in Paradise
    4. Re:A similar case by wonkey_monkey · · Score: 1

      The fault isn't the owner's for not locking it, it's the attacker's fault.

      Not from the insurance company's point of view.

      --
      systemd is Roko's Basilisk.
    5. Re:A similar case by Anonymous Coward · · Score: 0

      If you leave your car unlocked and someone steals your car and commits vehicular manslaughter with your car, do you bear any responsibility?

      Well, I suppose that depends on your illusion that current case law even remotely resembles the law you learned about in civics class.

      Criminally, you're probably fine in this odd scenario. But you'll be fucked with in a civil lawsuit...just because. And even when you win, you lose, since you're $25,000 in debt at that point defending something that should not have even been allowed to be a court case.

    6. Re:A similar case by Anonymous Coward · · Score: 0

      It all depends on the judge, the da, their moods, the day, the alignment of constellation xyz, and the policies of the powers that be. Any legal determination these days seem to be completely random.

    7. Re:A similar case by Cajun+Hell · · Score: 1, Troll

      It's fairly accepted that just because a car is left unlocked doesn't mean anyone's allowed to go in and take what's inside it.

      Unfortunately, it's also fairly accepted that there are such things as "attractive nuisances."

      Classic example is the swimming pool on your private property, where you ruthlessly shoot and kill all trespassers whenever you see them climbing the electrified barbed wire fence around your pool. As long as you successfully kill each one of them before they get to the pool, you're safe. But if one of them makes it to the pool, jumps in and drowns, his family is the new owner of your house. Then you have to spend one of your family member's lives in order to get it back (tip: have cement trucks idling out in front of the house before your family member's counter-suicide-sacrifice, waiting and ready to fill in the pool, the instant that you re-acquire ownership).

      It gets worse.

      Suppose you're on patrol in your car, driving around the perimeter of your property, looking for pool-suiciders before they get too close to your pool. Suddenly you see a mob of them pushing against the fence on the east side. You take the M16 from your car's gun rack, go stand by the fence, and shoot them all. Now you've got this stinking pile of rotting corpses over by the fence, and you know you have only 10 minutes at the most, before Municipal Zoning Enforcement comes over and condemns your property. So you put the M16 back onto your gun rack, take the shovel out of the trunk, and start digging a mass grave.

      Little do you know, that the mob you just massacred was TEAM A. That's the decoy team. Meanwhile, upon hearing the sound of the gunfire, TEAM B and TEAM C put on the bypass clips to reroute the current on the north fence, cut through the wires, and advance onto your property.

      TEAM C immediately heads toward the pool area at maximum speed, while TEAM B stealthily sneaks toward your car, parked over by the east fence. They peek around from behind your car, and see you digging the mass grave. Now is their chance! They break into the car, and take the M16 off your gunrack. Just then, you hear an alert siren and your radio crackles to life. "MAYDAY! MAYDAY!" your wife in the tower yells, in a panic, over the radio, "People are jumping into the pool!" You hear the distant sound of rifle fire (she is now shooting at TEAM C).

      The body burying can wait. You need to get to the pool area now, to help your wife kill pool-jumpers and then try to pump the pool water out of the lungs of anyone who has already drowned. You throw down your shovel and run toward the car, and that's where you see .. oh fuck, who is that? There's four dudes milling around your car. One of them sees you and and yells "he's coming! Now! Give it to me! Here!" and grabs the M16 out of one of the other thieves' hands. He quickly shoots the other members of his team, and then puts the end of the barrel into his mouth. You're running right at him, and in just a few more seco--pop. He falls to the ground.

      You're fucked. That M16 was an attractive nuisance. You are responsible for all four of the deaths around the car, and who knows how many people have already made it into the pool by now. You grab the M16, throw it onto the passenger seat, jump into the car, and hit the gas. One of the members of TEAM B, as he died, fell such that he was partly under your car, and so now your rear Firestone tire drives over his head, crushing it, spilling jellied brains onto the dirt. Bump. The M16 slips down the passenger seat and .. what happened? Did it? You're in shock. It takes a few seconds to register. "Hey, my leg," you say, stunned.

      "Oh fuck, my leg." Just when things were at their darkest,this happened! Un-fucking-believable. You don't hear your wife firing in the distance any more. She's probably worried. Totally demoralized and surrendered, mayb

      --
      "Believe me!" -- Donald Trump
    8. Re:A similar case by Lawrence_Bird · · Score: 2

      No. I am under no obligation what so ever to lock or otherwise secure my property. What will you suggest next? If I leave a lighter on my porch and you steal it and torch the house down the block that I share the blame?

    9. Re:A similar case by sjames · · Score: 1

      If the pool is fenced in but the lock on the gate is easy to pick?

    10. Re:A similar case by Anonymous Coward · · Score: 0

      Bravo, bravo. Has to be one of the most entertaining /. posts I've read in many years. It has everything a good /. comment needs:

        * Analogies
        * Cars
        * Guns
        * Kids who won't stay off your lawn
        * Large corporations
        * Endangered species

      I'm saving this one.

    11. Re:A similar case by mjwx · · Score: 1

      If the pool is fenced in but the lock on the gate is easy to pick?

      In Australia you have to have your pool fenced in on all sides with a fence no less than 1.2 meters in height and a latch no less than 1.5 metres off the ground, vertical bars no more than 100mm apart and no horizontal bars that can be used for climbing, finally, no fixed climbable objects within 900 mm of the fence. If your fence meets these requirements you have no liability if they are bypassed.

      There is no requirement for a lock (in fact, if you think about it that is a pretty bad idea).

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    12. Re:A similar case by Anonymous Coward · · Score: 0

      Moreover, is it my fault because my car doesn't have a "break my windows and an alarm'll go off" system? I think not.

  8. Open != Open by Anonymous Coward · · Score: 3, Informative

    Ambiguity warning! Open DNS servers are perfectly fine, they can be used against censorship or for speed. They should even be encouraged. I use the Caesidean root, for example. What they mean by "open" are drastically misconfigured DNS servers.

    Anyway, Spamhaus are a bunch of whining vigilante pussies and bad losers, so fuck them.

    1. Re:Open != Open by RobertLTux · · Score: 1

      to be exact

      a DNS that is open to being "read" ie Who is 234.45.42.103 is fine

      a DNS that is open to being WRITTEN ie 234.45.42.103 is HappyPlaytoy.uy (without somebody up the chain proving it) is BAD

      a DNS that can redirect traffic going to HappyPlaytoy.uy to say IBM.com (or wespeakforthetrees.org) as part of a DDOS is EVIL BAD and WRONG

      --
      Any person using FTFY or editing my postings agrees to a US$50.00 charge
    2. Re:Open != Open by Anonymous Coward · · Score: 0

      This will not stop the attack; the DNS is used as an amplification source, not for target direction, therefore any DNS server that replies to forged UDP packets is useful.

  9. Wouldn't it make more sense? by rabbit994 · · Score: 3, Insightful

    For ISPs to simply drop UDP packets that are outbound where source address is not inside their network. Is there some legit use for sending forged UDP packets?

    1. Re:Wouldn't it make more sense? by SuricouRaven · · Score: 1

      Not really. But that wouldn't stop DNS amplification attacks. Just make it harder to avoid tracing - and any half-competent attacker is going to be using compromised hosts as the launching point anyway.

    2. Re:Wouldn't it make more sense? by Shakrai · · Score: 1

      But that wouldn't stop DNS amplification attacks

      It would drastically limit your choice of available targets. How do you hit 192.168.10.1 with an amplification attack if you use it as a source address? You could pwn a few machines on the same network, and send out the queries that way, but you're not going to be able to achieve the same volume of traffic as you could by using a botnet with hundreds of thousands of hosts that are able to send out queries "from" 192.168.10.1.....

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    3. Re:Wouldn't it make more sense? by Anonymous Coward · · Score: 0

      That assumes the NAT translator on everyone's router will not happily say 'oh, from 192.168.1.10, that is really xx.yy.zz.ww, let me fill that in for you.'

      I still agree. There is no legitimate reason not to drop traffic that does not originate from inside my network though.

      Sure these items may be 'simple' to get around. But guess what? I am not going to make it easier for them because 'they do nothing'. The more annoying I make it the less likely they will keep messing with it and move on.

    4. Re:Wouldn't it make more sense? by Anonymous Coward · · Score: 0

      once a "network" has a tree topology where you can go up or down the tree, you are right (alas, node down = subtree cut off)
      but it somewhere (internet map?) resembles a network of neurons - as it was designed (node down - every other node has its own links with others)

    5. Re:Wouldn't it make more sense? by Anonymous Coward · · Score: 0

      It would stop the attack as the attacker depends on forged packets to get their traffic to the target (the source is generally their target)

  10. Punishment by Anonymous Coward · · Score: 5, Insightful

    Funny how an organisation such as Spamhaus, which is guilty of systematically depriving random and quite innocent internet users of connectivity -- and proud of it too -- suddenly thinks that whoever interferes with their connectivity should be punished by law. Hypocrisy.

    Although I think their service does have its good points, their attitude makes me want to hurl.

    1. Re:Punishment by UPi · · Score: 0, Flamebait

      Let me guess: you call your operation "marketing", right?

      Hypocrisy...

    2. Re:Punishment by Anonymous Coward · · Score: 0

      Let me guess, you call your operation 'The free internet', right?

      Hypocrisy....

    3. Re:Punishment by UPi · · Score: 1

      Oh my. Did I touch a nerve?

    4. Re:Punishment by Anonymous Coward · · Score: 0

      I think in your rush to troll, you missed the point. "Free internet" not as in "it's a free country, I can do what I want." I think what was meant was that, "The internet is free, it can easily be made (and likely will without marketing) not free".

  11. Not a bad idea by gravis777 · · Score: 0

    As much as I hate to side with Spamhaus, this actually sounds plausible. This isn't fining everyone with an insecure server, it is fining those who have received warnings already and have done nothing about it. Problem is, I don't see how that would really be enforceable. Wouldn't the government of each country in the world have to impose similar measures?

    I think it's a great idea, I just don't see how you could really enforce it.

    1. Re:Not a bad idea by Anonymous Coward · · Score: 0

      No, it's a DUMB idea, by what measure is "secure".

      Send out a jillion Christmas cards to your clients, get flagged and then fined?

      NOPE.

    2. Re:Not a bad idea by Jason+Levine · · Score: 2

      Let's assume you could somehow magically solve the enforcement problem. It's still a horrible idea because now there's the question of who issues warnings. Would Spamhaus be the one to issue warnings? Would other, similar organizations get to issue warnings? What if one organization has a draconian view of what constitutes "spamming"? Do their warnings count the same as a group with a more lenient view? Would individual users issue warnings? How do you handle false positives? (Such as: User signs up for newsletter. User forgets signing up. User gets newsletter. User reports newsletter sender as being a spammer.)

      This system would just be riddled with problems and - again, even magically solving the enforcement issue - would lend itself to corruption. (Group becomes a "certified spam reporter." Starts issuing warnings and then fines to groups that they disagree with. Or issues fines as a business plan.)

      This is a horrible, horrible plan. The only good thing about it is that it is so completely unworkable in the real world that I don't see anyone actually pushing this into existence.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  12. Blaming DNS for reflection attacks? by Shakrai · · Score: 4, Insightful

    That seems like misplaced blame to me. Any connectionless protocol that responds with larger packets than the inbound query can be used for a reflection attack, it's one of the items that comes up from time to time on the NTP Pool server admin's mailing list. We've seen a few attempts at using some of our servers in such attacks, there was a host that went around a few months ago that was sending about 60kbit/s worth of queries to several dozen servers in the pool, mine included. There are a few best practices you can use to mitigate this issue -- noquery with ntpd, firewall rate-limits for both NTP and DNS -- but you'll never actually solve the problem at the application level.

    The proper way to address reflection attacks is for network operators to set up rules that preclude forged packets from leaving their network. There's no reason the router solely responsible for 192.168.1.0/24 should be passing along outbound traffic with a source address of 172.25.1.15. A handful of progressive networks have made this change, but they're the exception, not the rule.

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
    1. Re:Blaming DNS for reflection attacks? by Warbothong · · Score: 1

      The proper way to address reflection attacks is for network operators to set up rules that preclude forged packets from leaving their network. There's no reason the router solely responsible for 192.168.1.0/24 should be passing along outbound traffic with a source address of 172.25.1.15. A handful of progressive networks have made this change, but they're the exception, not the rule.

      I don't foresee this working for IPv6, where one of the benefits of having so many addresses is that we can tie a load of them to individual devices and not have to suffer NAT. As a side-effect, the leaves on a network won't necessarily have correlated addresses.

    2. Re:Blaming DNS for reflection attacks? by Anonymous Coward · · Score: 0

      I don't foresee this working for IPv6

      Do you know how prefix filtering actually works?? Guess not.

    3. Re:Blaming DNS for reflection attacks? by suutar · · Score: 1

      The addresses which you are supposed to be using as source addresses on outgoing internet-routed packets have a common prefix, assigned by your provider. Addresses not in that block that you are likely to use are private blocks (not to be routed on the internet), link-local addresses (not generally meant to be routed at all), and multicast addresses (to be used as destination addrs, not source).

    4. Re:Blaming DNS for reflection attacks? by sjames · · Score: 1

      Sure they will. IPv6 still has prefixes. There is no good reason to send out a UDP packet that has the wrong prefix in the source address.

  13. Obviously including.... by grumpyman · · Score: 0

    Windows XP desktops!

    1. Re:Obviously including.... by Anonymous Coward · · Score: 0

      Suck my hairy balls, fucking moron.

  14. Trust network for email by CauseBy · · Score: 1

    I've always thought that email should be delivered from account to account according to a network of trust. For you to send me an email, I must trust you, or there must be a chain of trust between us.

    This wouldn't be as hard to implement as it sounds because major players like Google and Yahoo can 'trust' each other. It's not like we would each individually have to maintain complicated and changing trust connections -- although we could if we wanted to. Your IP can establish 'trust' with a 'trust clearinghouse' maybe. And if someone violates the trust, then you break that part of the trust chain and the messages don't get delivered.

    So if I ever receive a spam message, I could check the chain of trust which brought me that message and figure out what link in the chain failed to be trustworthy. I would disconnect that link, and I wouldn't get any more spam from that source. Mix in crowdsourcing and suddenly it becomes practically impossible to get spam out of your mailserver.

    It would be possible for email deliverers to do this today. When Google, for instance, notices that practically all emails coming from a certain source are spam, why don't they disallow that source? I know, I know, that's sort of what spamhaus is, and sometimes providers do stuff like that, but it's not consistent enough to be effective.

  15. Jurisdiction by benjfowler · · Score: 1

    Who issues the tickets? Under whose authority? Lazy/cheap businesses will just shop around for jurisdictions where it's cheaper to operate, no matter what.

    Why not just do a name-and-shame, naming businesses and vulnerable services -- but only after the postmaster of the opening domain, or WHOIS domain owner gets notified first. I'm sure that such a list would concentrate minds wonderfully...

  16. I wonder... by Frosty+Piss · · Score: 1

    I wonder if "open relays" are even that much of a problem these days when I can hire non-"p0wnd" servers in certain Eastern European countries for a pittance? Why bother with "open relays" when I can pay quite reasonable rates to have my SPAM enter the Tubes quite legitimately?

    Perhaps Spamhaus is looking for relevancy.

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:I wonder... by Talderas · · Score: 3, Insightful

      The way I read the summary it sounded like Spamhaus was seeking revenge over being subjected to a DDoS and desiring to use government to enact it.

      --
      "Lack of speed can be overcome. In the worst case by patience." --Znork
    2. Re:I wonder... by Anonymous Coward · · Score: 0

      Just like medicine and preventive hygiene is revenge against germs.

      Just because spamhaus is all butthurt about being DDoS'ed doesn't automatically mean they're full of shit in whatever they ask for.

    3. Re:I wonder... by Reziac · · Score: 1

      And maybe envisioning themselves as the collection agency, for a suitable cut of the fines.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  17. or yum update. unsafe car too? by raymorris · · Score: 4, Insightful

    That sounds like an awful lot of trouble to avoid taking ten minutes to fix the configuration, or yum update for a correct default configuration. Do you also move to some third world country to avoid the law requiring working turn signals?

    1. Re:or yum update. unsafe car too? by Anonymous Coward · · Score: 0

      There's a law about turn signals?

    2. Re:or yum update. unsafe car too? by Anonymous Coward · · Score: 0
    3. Re:or yum update. unsafe car too? by Anonymous Coward · · Score: 0

      That sounds like an awful lot of trouble to avoid taking ten minutes to fix the configuration, or yum update for a correct default configuration. Do you also move to some third world country to avoid the law requiring working turn signals?

      If I could just ship my turn signals to another country, while still enjoying my car here, then yes I would. The AC wasn't suggesting moving all the employees, just server operations - the difference is switching costs.

  18. blame the victim! by larry+bagina · · Score: 2

    Would they also fine rape victims for wearing sexy clothes?

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  19. Yeah! by goldaryn · · Score: 1

    This is long overdue, and you know who else should be brought to bear? Organisations like Slashdot with their Slashdot effect! I, for one, thNO CARRIER

  20. Upstream cut off by Anonymous Coward · · Score: 0

    Upstream providers need to be more proactive in simply cutting off the service. Your server has an impact on the rest of the network, if you are too incompetent or lazy to prevent it from causing problems you should have your access cut off.

  21. very clear in context, and easy configuration fix by raymorris · · Score: 1

    While it's certainly possible for Pelosi or her UK counterpart to pass a dumb law so that they can find out what's in it, I don't think that's what Spamhaus is suggesting. In context, they could be talking about either of two things:

    First, one could get a ticket for the specific issue that caused the problem in the article. The law doesn't say "your car must be safe", it explicitly says "your turn signals must work". Same here, you could specifically say that this particular common problem could result in a ticket.

    Alternatively, TFA made reference to "once you know that your server is participating in an attack". A law could be made that once you're notified that your server is being used in an attack, you then need to take reasonable measures to prevent that from continuing or recurring. Here again "vulnerable" is clearly defined - if your server is still participating in the attack 48 hours after being notified, you can get a ticket. You can defend that ticket if you show that you took reasonable measures to address the problem.

  22. Tor Exit Nodes by grumbel · · Score: 1

    This seems like a great underhanded way to make it illegal to run Tor exit nodes, free VPNs, proxies or similar services that give anonymous people ways to interact with the net.

  23. Laugh by koan · · Score: 1

    The entire Internet can be used for attacks and fraud, what would you propose we do?
    Change human behaviour?
    Make the Internet nothing more than a TV?

    --
    "If any question why we died, Tell them because our fathers lied."
  24. Great idea! by pla · · Score: 1

    No doubt, the UK government fining all those spam relays in Russia, China, and India will put a stop to spam ASAP - Good thinking, Spamhaus!

  25. There are laws by future+assassin · · Score: 1

    that say if your car is left unlocked and someone steals it/does something with it you can be charged with leaving it unlocked or get fined by the city

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
  26. Fine Spamhaus! by Anonymous Coward · · Score: 2, Insightful

    Agreed. I feel exactly the same way. Once you find out how Spamhaus is operated, you realize the Internet would be better off without them. They're a disgrace.

    Perhaps they should be fined for inattentive and reckless operation of an internet service, KNOWING it's being used to block mail, and KNOWING that their data is crap, full of spite listings and sources from which no abuse comes.

  27. News at 11 someone with power by future+assassin · · Score: 1

    wants more power to direct people's lives for their own gain.

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
  28. I call on the UK government... by Anonymous Coward · · Score: 0

    ...to fine Spamhaus, for wasting all of our time with their nonsense.

    However, I'm an American, so they'll probably tell me to sod off.

  29. Have to agree by Todd+Knarr · · Score: 3, Informative

    I have to agree with penalizing operators of open recursive DNS responders. DNS servers fall into roughly 4 categories:

    1. Internal nameservers within a network, including caching nameservers. These should never be getting legitimate queries from outside the local network, so they never have any reason to respond to those queries.
    2. Authoritative nameservers for a domain. These should never be doing recursive name resolution, and they should be responding only to queries for domains they're authoritative for. Queries for domains the server isn't authoritative for should get a short, to-the-point NXDOMAIN response not signed with DNSSEC.
    3. External private nameservers, i.e. ones that live outside the network they serve but are only supposed to serve that network. As with internal nameservers they shouldn't be responding to queries from any networks but the one they're supposed to be serving; they just need more configuration than purely internal ones. They should have a default-deny configuration with the networks they serve listed specifically. Anyone who doesn't know how to do this shouldn't be operating one of these.
    4. Deliberately public nameservers. These are ones that are set up intentionally to be resolvers for anyone who wants to use them. They have to respond to all requests and do recursive resolution. They're the problematic open nameservers. They require configuration to control traffic rates to minimize the impact when they're used for DNS-based attacks. If you don't know how to configure that or you aren't prepared to oversee a public server and respond to abuse 24x7, you shouldn't be running one of these. If you go ahead anyway, the results should be painful for you.

    My guess would be 99+% of all nameservers fall into the first three categories, 95+% fall into the first two, and 90+% of authoritative servers (category 2) are operated by a DNS hosting company rather than directly by the domain owner. If you're in the (relatively) small number needing to run a category 3 server you just need to take a few minutes to read the configuration docs and set it up for "don't respond to queries unless they're from a network I've listed", and if you can't or won't you deserve to be smacked with the newspaper. If you're in the even smaller number who want to run a category 4 server you need to know what you're doing; if you don't and go ahead anyway you deserve whatever you get (up to and including losing your Internet access).
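    The four categories above map fairly directly onto a resolver's recursion settings. As an added example (not the poster's code and not part of BIND), the script below reads the recursion-related directives of a BIND-style named.conf and reports which category a server falls into, flagging the open-resolver case and a common trap where allow-query alone ends up governing recursion; it handles only a subset of the real syntax and all configurations in it are constructed samples.

```python
"""Added example, not the poster's code and not part of BIND: an audit helper
that reads the recursion-related directives of a BIND-style named.conf and
sorts the server into the four categories from the post, flagging the
open-resolver case. It handles only a subset of the real syntax
(``recursion yes|no;`` and the ``allow-recursion``, ``allow-query-cache``
and ``allow-query`` ACLs built from any/none/localhost/localnets/CIDRs)
and follows the default chain documented for BIND 9.4 and later.
All configuration text below is constructed sample data."""
import re
from dataclasses import dataclass
from typing import Dict, List

_COMMENT = re.compile(r"(//|#).*")                       # strip line comments first
_RECURSION = re.compile(r"(?<![\w-])recursion\s+(yes|no)\s*;")  # not "allow-recursion"
_ACL = re.compile(r"(allow-query-cache|allow-recursion|allow-query)\s*\{([^}]*)\}\s*;")
_LOCAL_ONLY = {"localhost", "localnets"}


@dataclass
class Verdict:
    category: int            # 1..4 as numbered in the post
    effective_acl: List[str]
    open_resolver: bool
    advice: str


def _effective_recursion_acl(acls: Dict[str, List[str]]) -> List[str]:
    """BIND 9.4+ chain: allow-recursion, else allow-query-cache, else
    allow-query, else the built-in { localnets; localhost; }."""
    for key in ("allow-recursion", "allow-query-cache", "allow-query"):
        if key in acls:
            return acls[key]
    return ["localnets", "localhost"]


def classify(conf: str) -> Verdict:
    """Map one config fragment to a category and a one-line remediation."""
    text = _COMMENT.sub("", conf)
    m = _RECURSION.search(text)
    recursion = (m.group(1) == "yes") if m else True      # BIND default is yes
    acls = {name: [e.strip() for e in body.split(";") if e.strip()]
            for name, body in _ACL.findall(text)}
    acl = _effective_recursion_acl(acls)
    lowered = {e.lower() for e in acl}
    if not recursion or lowered == {"none"}:
        return Verdict(2, acl, False, "authoritative-only: answer only for zones you own")
    if "any" in lowered:
        return Verdict(4, acl, True, "open resolver: list served networks in allow-recursion, "
                                     "or rate-limit and staff abuse handling if it must be public")
    if lowered <= _LOCAL_ONLY:
        return Verdict(1, acl, False, "internal caching resolver: keep it unreachable from outside")
    return Verdict(3, acl, False, "external private resolver: explicit allow-list, default deny")


# Constructed sample configurations: one per category plus a common trap.
OPEN_RESOLVER = """options {
    recursion yes;
    allow-query { any; };
    allow-recursion { any; };   // serves recursive queries to the whole Internet
};"""
TRAP_QUERY_ANY = """options {
    recursion yes;
    allow-query { any; };       # no allow-recursion, so this ACL governs recursion too
};"""
RESTRICTED = """options {
    recursion yes;
    allow-query { any; };
    allow-recursion { 192.0.2.0/24; 2001:db8:1::/48; };
};"""
AUTHORITATIVE = """options {
    recursion no;
    allow-query { any; };
};"""
DEFAULTS_ONLY = """options {
    directory "/var/named";
};"""

if __name__ == "__main__":
    for name, conf in [("open", OPEN_RESOLVER), ("trap", TRAP_QUERY_ANY), ("restricted", RESTRICTED),
                       ("authoritative", AUTHORITATIVE), ("defaults", DEFAULTS_ONLY)]:
        v = classify(conf)
        print(f"{name:13} category {v.category} open={v.open_resolver} {v.effective_acl} {v.advice}")
```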

  30. Apply for your internet license here! by Servercide · · Score: 1

    No license is required to stand up a DNS server on the internet. Anyone can do it in theory. Doctors, pilots, and real engineers are held liable that their work meets guidelines set forth by government and private party specs. We don't have that in IT.

    I am going to start fining people who don't have sufficient spam filters, don't maintain a failover cluster, or utilize something like cloud flare. (When pigs fly, right?)

    Piss off Spamhaus and come down off your narcissistic rooftop. I never asked you to play internet vigilante for me.

  31. DNS is broke not the operators by WaffleMonster · · Score: 1

    Each time someone makes the claim misconfiguration of DNS enables amplification they are contributing to the problem by refusing to address the root cause.

    DNS is flawed by design. You can still extract perfectly useful amplification factors out of non-recursive servers or servers with DNSSEC enabled. All turning off recursion does is cut out ultra low hanging fruit while leaving the problem unaddressed.

    There are several ways to actually solve this problem.

    1. Use TCP for DNS

    2. Implement DNS cookies

    3. Globally apply ingress filtering with sufficient granularity to prevent source address spoofing.

    I think #1 coupled with TCP fast open extension is the best of the three options. With fast open the setup delay is mostly gone, TCP support is already widely deployed and fast open extensions to TCP can be deployed later as available to optimize RTT delay. With IPv6, DNSSEC and the shitty state of IP layer fragmentation support TCP is necessary regardless.

    #2 in the form of http://tools.ietf.org/html/draft-eastlake-dnsext-cookies-03 requires more work to push out to DNS infrastructure yet after a few years I can see it following the same trajectory as SYN cookies.

    #3 Ingress filtering... I am not an operator and I don't pretend to know how viable this is to roll out globally; from what comments I have read it is non-viable. This is the only option that would concurrently address all broken UDP protocols susceptible to amplification from a spoofed source address. The downside is spoofing the source address can sometimes be a feature. For example it can be used to enable communication without revealing the speaker's source address.

    1. Re:DNS is broke not the operators by marka63 · · Score: 1

      Firstly, IP level fragmentation problems are self inflicted. IP fragments get through fine if you haven't put up a firewall to block them.
      Even with fast open one needs vastly more compute power to support DNS over TCP to the equivalent level of DNS over UDP.

      Cookies need more work, though as a general idea it is the way to go.

      Ingress filtering is possible to deploy and it doesn't have to be a perfect filter or require universal deployment to be helpful. Just reducing the number of machines that can send spoofed traffic or reducing the range of addresses that can be spoofed is useful. Often perfect gets in the way of good enough to be helpful.

    2. Re:DNS is broke not the operators by Todd+Knarr · · Score: 1

      Ingress/egress filtering depends heavily on where you're doing it. The problem is transit networks, networks that carry a lot of traffic for other networks. Towards the core of the network connections lean heavily towards transit networks, so ingress/egress filtering isn't feasible because the router operators either don't know conclusively what networks are "beyond" which interface, or there's so many networks the filter rules become too much for the hardware.

      The closer to the edges of the Internet you get, though, the more feasible it becomes. Your average residential-service ISP, for instance, knows exactly what networks it operates and doesn't permit transit networks on residential accounts. So where that ISP connects to its upstream it knows every netblock it needs to worry about traffic for crossing the interface, and it only needs to worry about its own. My home network's the most extreme example: 2 /24 networks inside, no transit traffic, I can filter at the interfaces of my router with a 100% guarantee of accuracy as far as allowed networks go. If filtering is routine towards the edges (and it can be, by contractual requirements imposed by upstream ISPs) then the inability to filter near the core isn't nearly as much of a problem.

      And no, spoofing source addresses is rarely useful. You can't use TCP for most purposes with a spoofed address (or at least one spoofed to be on a different network), so spoofing almost automatically renders you incapable of communicating. The same goes for UDP if you care to hear a response, which most protocols do. That gives it very limited utility outside of diagnosing local network problems.

    3. Re:DNS is broke not the operators by WaffleMonster · · Score: 1

      Firstly, IP level fragmentation problems are self inflicted. IP fragments get through fine if you haven't put up a firewall to block them.
      Even with fast open one needs vastly more compute power to support DNS over TCP to the equivalent level of DNS over UDP.

      What does vastly more compute power mean and does it matter? Let's assume it costs 100% more CPU time and 100% more RAM per DNS query to use TCP.. who cares? The long tail of DNS servers sit idle and every server that becomes a TCP only server is a server that cannot be used for amplification.

      Cookies need more work, though as a general idea it is the way to go.

      Yet for countless years it sits and **NOTHING** gets done. The only leadership I've seen in addressing this issue is a futile attempt at discriminating thinking human adversaries from legitimate users (e.g. DNS RRL)

    4. Re:DNS is broke not the operators by WaffleMonster · · Score: 1

      And no, spoofing source addresses is rarely useful. You can't use TCP for most purposes with a spoofed address (or at least one spoofed to be on a different network), so spoofing almost automatically renders you incapable of communicating. The same goes for UDP if you care to hear a response, which most protocols do. That gives it very limited utility outside of diagnosing local network problems.

      While general purpose protocols do not work consider a messaging system of anonymous users where the outcome is known/broadcast globally while contributors remain secret. You can send a one-sided UDP message anonymously and be informed via public channel. I think on balance getting rid of amplification is likely more important but I do see some value in it especially in states ruled more by fear than consent.

    5. Re:DNS is broke not the operators by marka63 · · Score: 1

      Firstly, IP level fragmentation problems are self inflicted. IP fragments get through fine if you haven't put up a firewall to block them.
      Even with fast open one needs vastly more compute power to support DNS over TCP to the equivalent level of DNS over UDP.

      What does vastly more compute power mean and does it matter? Let's assume it costs 100% more CPU time and 100% more RAM per DNS query to use TCP.. who cares? The long tail of DNS servers sit idle and every server that becomes a TCP only server is a server that cannot be used for amplification.

      While most do sit around idle there are still many that are busy all the time like TLD and ISP servers. Switching to TCP only will seriously increase their costs and mean additional machines to maintain the normal query loads supported over UDP. Lots of extra packets. Lots of extra state. Lots of extra sockets to manage.

      Cookies need more work, though as a general idea it is the way to go.

      Yet for countless years it sits and **NOTHING** gets done. The only leadership I've seen in addressing this issue is a futile attempt at discriminating thinking human adversaries from legitimate users (e.g. DNS RRL)

      RRL discriminates caching resolver vs some classes of malware. It is only a stop gap measure.

  32. But who is really responsible? by dskoll · · Score: 1

    Is it the server operator? Or is the OS provider liable for producing a defective product? And if the OS is open-source, who do you go after?

    I understand where Spamhaus is coming from... I'd also love to penalize idiots who make the Internet a worse place. But I don't think it's a practical option and trying to implement it opens up a huge can of worms.

  33. Better to Shame by Anonymous Coward · · Score: 0

    Rather than fine them, wouldn't it be better to use free speech to shame them? Publish a list . . .

  34. same for Slashdot "foes" list? by raymorris · · Score: 1

    Should you be fined if you put someone on your Slashdot "foes" list? It's pretty much the same thing. It's a list of IPs that Spamhaus is wary of because their system detected [criteria].

    As it happens, some of their lists also work pretty well as an element to feed Spamassassin to help determine the likelihood that a message is spam. How that's weighted and if it's considered at all is entirely up to the admin of the system you're sending mail to.

    1. Re:same for Slashdot "foes" list? by Anonymous Coward · · Score: 0

      No that's completely retarded.

      Foes lists are personal and all they mean is "I don't like reading this guy's crap". RBLs are advertised as spammer blocklists and people other than the maintainers are actively encouraged to use them.

  35. Re:very clear in context, and easy configuration fi by sjames · · Score: 1

    If we let the legislature come up with the checklist, they'll tell us we must have a licensed plumber snake the tubes every 6 months.

  36. Prevention should be advocated instead.. by houbou · · Score: 1

    What would be better is an authoritative body charged with the mandate of inspecting Internet infrastructure and determining if they are vulnerable or not and provide them with solutions to fix their issues. Of course, someone has to pay for this, but still, I think it would make more sense. But that's just my opinion.

  37. BCP38 by fuzzel · · Score: 1

    Can we change that at first to just start with the very simple:

    Organisations transferring IP packets should be kicked off the Internet if they do not implement BCP38.

    That would make all kinds of spoofed attacks already impossible, that being the DNS, NTP, Quake-alike and many many others...

    But, as there is no money to be earned with this, ISPs do not enforce it.

    (and yes, it does cost some cash to implement as not all routers support it unfortunately..... )
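    What BCP38 asks of an edge router is concrete enough to show in code. The following is an added example, not code from anyone in this thread or from BCP38 itself, illustrating the source-address filtering described in comment 12 (including its IPv6 replies) and in comment 37: a router that serves a known set of prefixes forwards outbound traffic only when the source address lies inside one of them, and an IPv6 /48 is checked exactly like an IPv4 /24. Every prefix and packet in it is constructed sample data.

```python
"""Added example, not from any poster in the thread: a check in the spirit
of BCP38 as described in comments 12 and 37. An edge router that serves a
known set of customer prefixes forwards outbound traffic only when the
source address lies inside one of them, and IPv6 prefixes are handled
exactly like IPv4 ones. All prefixes and packets below are constructed."""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed: the prefixes this edge router is responsible for, one IPv4
# /24 and one IPv6 /48 (both from the documentation address ranges).
SERVED_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]


def source_is_permitted(src: str, served=SERVED_PREFIXES) -> Tuple[bool, str]:
    """Return (permitted, reason) for one outbound packet's source address.

    Multicast, link-local, loopback and unspecified addresses are never
    valid sources for Internet-routed traffic, so they are rejected before
    the prefix check; everything else must fall inside a served prefix."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False, "unparseable source address"
    if addr.is_multicast:
        return False, "multicast address used as source"
    if addr.is_link_local:
        return False, "link-local address is not routable"
    if addr.is_loopback or addr.is_unspecified:
        return False, "loopback/unspecified source"
    for net in served:
        if addr.version == net.version and addr in net:
            return True, f"inside served prefix {net}"
    return False, "source prefix not served by this router (likely spoofed)"


def filter_egress(packets: Iterable[Tuple[str, str]], served=SERVED_PREFIXES) -> List[dict]:
    """Classify a batch of (src, dst) pairs; one record per packet."""
    results = []
    for src, dst in packets:
        ok, why = source_is_permitted(src, served)
        results.append({"src": src, "dst": dst,
                        "action": "forward" if ok else "drop", "reason": why})
    return results


# Constructed sample traffic: a legitimate IPv4 and IPv6 source, an IPv4
# source from an unrelated block (the thread's 172.25.1.15), a spoofed IPv6
# source from a neighbouring /48, and a link-local IPv6 source.
SAMPLE_PACKETS = [
    ("192.0.2.10", "198.51.100.53"),
    ("2001:db8:1:7::42", "2001:db8:ffff::53"),
    ("172.25.1.15", "198.51.100.53"),
    ("2001:db8:2::1", "2001:db8:ffff::53"),
    ("fe80::1", "2001:db8:ffff::53"),
]

if __name__ == "__main__":
    for rec in filter_egress(SAMPLE_PACKETS):
        print(f"{rec['action']:7} {rec['src']:18} -> {rec['dst']:18}  {rec['reason']}")
```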

  38. Answer me a question by Anonymous Coward · · Score: 0

    How would you defend against attacks on DNS FastFlux botnets use, DNS Server side?

    * ClientSide I do by using custom hosts files...

    APK

    P.S.=> Afaik, FastFlux literally takes advantage of the very nature of DNS itself (weak in default non-DNSSEC form) forcing zone-transfers of most likely SPOOFED host-domain name to IP Address equations/lists-tables (forced via port 51/53 UDP broadcasts to said DNS servers, fooling them when they DON'T KNOW the correct resolution of a host-domain name to IP address especially if a new one that a botnet's using is asked for, opening the door for this type of fooling them)... apk

  39. What about blindly rejecting mail by MikeBabcock · · Score: 1

    Can we do something instead about all the mail system operators who've handed over spam controls to third parties and accept messages, then blackhole them without telling either the sender or the intended recipient? Whitelists aren't a solution because they don't help fix the actual problem of bad filtering. Individuals who filter their own E-mail can tweak their settings, but servers that reject mail should do so at connection time ... a 5xx or 4xx message response should be *required* if you're not actually going to deliver it.

    I'm sick and tired of explaining to customers that their perfectly legitimate E-mails aren't getting through because the person they're trying to contact uses Cloudmark, or some other "easy" solution company.

    --
    - Michael T. Babcock (Yes, I blog)
  40. Do it yourself by Anonymous Coward · · Score: 0

    Ironically Spamhaus and other mail server blacklist providers are in the best position to effect any kind of change. They already tell every other mail server on the internet to block incoming/outgoing mail for an affected domain, they just don't bother to notify the postmaster at the affected servers (or the contacts in the SOA records).

  41. Spamhaus Doesn't Understand DNS by Anonymous Coward · · Score: 0

    Why not fine the people administering those zones with 4K TXT records who are actually at fault. If they really need records that size, why can't they rate limit queries?

    This is the equivalent of suggesting a lawsuit against a parking garage after I checked out my Formula 100 racecar and let a stranger take it for a joyride.

  42. Corporate liability by stoatwblr · · Score: 1

    If your network is used in an attack against me which costs money to defend against, I should have the ability to reclaim those costs - along with some penalties to make sure you don't just treat it as a cost of doing business.

    The single biggest problem on the Internet at the moment is that the large ISPs have virtually zero accountability to anyone about how they run their network when it's causing damage to those who aren't their own customers.

    Spamhaus has managed to get some large networks disconnected for allowing sustained abuse, but there needs to be a much better way of applying bricks to the sides of the skulls of those who need it.

  43. Special Interests by Anonymous Coward · · Score: 0

    Special interests lobbying by a private company that is setup in the UK ONLY via a virtual office and that has no employees in the UK. A company that boasts non-profit status while advertising their for-profit companies via spamming a role account that they, themselves lobbied to mandate. Now they want to lobby for support from the UK Gov. because they can't do their jobs right...sad! Fighting spam is one thing...capitalism from spam is another. You noticed that Spamhaus and Cloudflare (the #1 Blackhat ISP) are in bed together right? One supports the spam that the other profits from suppressing...do you get it yet?