Slashdot Mirror


Spamhaus Calls for Fining Operators of Insecure Servers

Barence writes "Anti-spam outfit Spamhaus has called on the UK government to fine those who are running Internet infrastructure that could be exploited by criminals. Those who leave open Domain Name Server resolvers vulnerable to attack should be fined, if they have previously received a warning, said chief information officer of Spamhaus, Richard Cox. When Spamhaus was hit by a massive distributed DDoS, possibly the biggest ever recorded at more than 300Gbits/sec, open DNS resolvers were used to amplify the hit, which was aimed at one of the organization's upstream partners. 'Once they know it can be used for attacks and fraud, that should be an offense,' Cox said. 'You should be subject to something like a parking ticket... where the fine is greater than the cost of fixing it.'"

6 of 170 comments

  1. Open != Open by Anonymous Coward · · Score: 3, Informative

    Ambiguity warning! Open DNS servers are perfectly fine, they can be used against censorship or for speed. They should even be encouraged. I use the Cesidian root, for example. What they mean by "open" are drastically misconfigured DNS servers.

    Anyway, Spamhaus are a bunch of whining vigilante pussies and bad losers, so fuck them.

  2. Re:As long... by FireFury03 · · Score: 3, Informative

    That depends on how much you're letting Spamhaus validate actual positives. It has to go both ways.

    We've been having significant problems with the CBL's ill-thought-out policies (and Spamhaus imports data from the CBL)...
    http://blog.nexusuk.org/2013/09/problems-with-cbl.html

  3. Re:Another cure that is worse than the disease by UPi · · Score: 5, Informative

    You are merely lucky. I run 3 small mail servers, all very similar in setup. 1 also receives no spam whatsoever, the other two are flooded by it. I need to use Spamhaus's XBL, SPF and graylisting to stem the tide. If I removed any of the three, SPAM volume would exceed regular mail volume about 20x. (This is not because of a lack of regular mail.)

  4. Re:I used to love Spamhaus by Krojack · · Score: 3, Informative

    This is exactly what I ran into. My company got a new block of IPs and several IPs within that were on their block list. I could never get through to them, thus never got the IPs removed.

    I stopped using their blacklist years ago because their service is unreliable. They seem to have this "We're better than you" mentality.

  5. Have to agree by Todd Knarr · · Score: 3, Informative

    I have to agree with penalizing operators of open recursive DNS responders. DNS servers fall into roughly 4 categories:

    1. Internal nameservers within a network, including caching nameservers. These should never be getting legitimate queries from outside the local network, so they never have any reason to respond to those queries.
    2. Authoritative nameservers for a domain. These should never be doing recursive name resolution, and they should be responding only to queries for domains they're authoritative for. Queries for domains the server isn't authoritative for should get a short, to-the-point NXDOMAIN response not signed with DNSSEC.
    3. External private nameservers, i.e. ones that live outside the network they serve but are only supposed to serve that network. As with internal nameservers they shouldn't be responding to queries from any networks but the one they're supposed to be serving, they just need more configuration than purely internal ones. They should have a default-deny configuration with the networks they serve listed specifically. Anyone who doesn't know how to do this shouldn't be operating one of these.
    4. Deliberately public nameservers. These are ones that are set up intentionally to be resolvers for anyone who wants to use them. They have to respond to all requests and do recursive resolution. They're the problematic open nameservers. They require configuration to control traffic rates to minimize the impact when they're used for DNS-based attacks. If you don't know how to configure that or you aren't prepared to oversee a public server and respond to abuse 24x7, you shouldn't be running one of these. If you go ahead anyway, the results should be painful for you.

    My guess would be 99+% of all nameservers fall into the first three categories, 95+% fall into the first two, and 90+% of authoritative servers (category 2) are operated by a DNS hosting company rather than directly by the domain owner. If you're in the (relatively) small number needing to run a category 3 server you just need to take a few minutes to read the configuration docs and set it up for "don't respond to queries unless they're from a network I've listed", and if you can't or won't you deserve smacked with the newspaper. If you're in the even smaller number who want to run a category 4 server you need to know what you're doing, if you don't and go ahead anyway you deserve whatever you get (up to and including losing your Internet access).
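
Added example (not part of the comment above or of any post in this thread): a Python check an operator could run on the reply their own category 1-3 server gives to a recursion-desired query arriving from outside the networks it serves. The function names, the `example.com` question and both reply byte strings are constructed for illustration; the locked-down sample assumes a short REFUSED reply.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=16, txid=0x1234):
    """Encode a recursion-desired (RD=1) question, as a stub resolver sends it."""
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def classify_response(query, response):
    """Judge a reply that arrived at a host OUTSIDE the networks the server serves."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        raise ValueError("not a response to this query")
    ra, rcode = bool(flags & 0x0080), flags & 0x000F
    return {
        "rcode": RCODES.get(rcode, str(rcode)),
        "recursion_available": ra,
        # Open recursion: the server resolved a name for a stranger.
        "open_recursion": ra and rcode == 0 and answers > 0,
        # Reply bytes per query byte: how much the reply outweighs the request.
        "amplification": round(len(response) / len(query), 2),
    }

def constructed_response(query, flags, rdatas=()):
    """Fixture (constructed data): echo the question, append TXT answers."""
    header = query[:2] + struct.pack("!HHHHH", flags, 1, len(rdatas), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 60, len(r)) + r for r in rdatas)
    return header + query[12:] + rrs

# Constructed samples: example.com stands for a name the server is not authoritative for.
QUERY = build_query("example.com")
LOCKED_DOWN = constructed_response(QUERY, 0x8105)  # REFUSED, RA clear, no answers
OPEN_RESOLVER = constructed_response(QUERY, 0x8180, [b"\xc8" + b"x" * 200])  # RA set, 1 answer

if __name__ == "__main__":
    for label, reply in (("locked down", LOCKED_DOWN), ("open", OPEN_RESOLVER)):
        print(label, classify_response(QUERY, reply))
```

To audit a server you operate, send the bytes from `build_query` over UDP port 53 from a host outside its served networks and pass the reply to `classify_response`.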

  6. Re:I used to love Spamhaus by Anonymous Coward · · Score: 2, Informative

    Dealing with them is like dealing with Eric Cartman when he was deputized. "Respect my authoritai!"

    If they decided you weren't kissing their asses with sufficient deference they would happily violate their stated policies and expand and entrench the black listing in spite of no spam coming from any of the IPs listed.