Slashdot Mirror


Spamhaus Calls for Fining Operators of Insecure Servers

Barence writes "Anti-spam outfit Spamhaus has called on the UK government to fine those who are running Internet infrastructure that could be exploited by criminals. Those who leave open Domain Name Server resolvers vulnerable to attack should be fined, if they have previously received a warning, said chief information officer of Spamhaus, Richard Cox. When Spamhaus was hit by a massive distributed DDoS — possibly the biggest ever recorded at more than 300Gbits/sec — open DNS resolvers were used to amplify the hit, which was aimed at one of the organization's upstream partners. 'Once they know it can be used for attacks and fraud, that should be an offense,' Cox said. 'You should be subject to something like a parking ticket... where the fine is greater than the cost of fixing it.'"

30 of 170 comments

  1. Another cure that is worse than the disease by melonman · · Score: 5, Interesting

    This sounds great in theory but, in practice, it's going to be almost impossible to enforce (e.g. whose definition of 'vulnerable'?) and it would promptly create several new Internet plagues, e.g. the "Your server has a vulnerability, pay us now to stop us reporting it" spam email.

    --
    Virtually serving coffee
    1. Re:Another cure that is worse than the disease by Anonymous Coward · · Score: 3, Interesting

      I disagree. This is a classic example of making [stupid|apathy] hurt. In this case, the hurt is financial, but the effect is there.

      If a company can't be arsed to protect their systems to prevent it, they need to pay for it. If a person (or small business) can't be arsed to have an IT person, either part-time or contracted out through an agency to secure their systems, then they need to pay the price. If that same SMB relies upon their vendor/provider for security, and they fail to deliver, it's time to find another vendor/provider.

      When that price becomes higher than the cost of compliance to prevent an actual, measurable problem then we will see a shift.

      Most people want to do the right thing. For some people, you need to provide the carrot & stick approach.

    2. Re:Another cure that is worse than the disease by poetmatt · · Score: 2

      I disagree 100% - It's not hard at all.

      Checklist of known vulnerabilities -> if your server is suspected of sending huge volumes of spam and fails -> fines after a 2nd or 3rd notice of these failures. It establishes a baseline of "don't be a fuckup with managing your servers".

    3. Re:Another cure that is worse than the disease by bws111 · · Score: 4, Insightful

      How are they at all analogous? Emitted radiation can be directly measured, "vulnerability" can not.

    4. Re:Another cure that is worse than the disease by BringsApples · · Score: 2

      I agree. SPAM is so 2003. I run my own email server at home, and with absolutely no SPAM protection (I used to use spamassassin and mimedefang but once my server crashed, I never took the time to install it all again). I give my email address to all the basic sites in order to make purchases. I do receive SPAM, but very little. The SPAM fight seems to have erupted into craziness with no gains.

      --
      Politics; n. : A religion whereby man is god.
    5. Re:Another cure that is worse than the disease by bws111 · · Score: 4, Insightful

      If your server is sending huge volumes of spam then it is actually doing something, not just sitting there being vulnerable. Fining someone for being involved in sending spam is completely different than fining someone because they could potentially be used to send spam.

    6. Re:Another cure that is worse than the disease by sumdumass · · Score: 2

      It is a bit more difficult than that. Suppose the hacker in question is the help desk drone you gave access to in order to fix the system. Suppose the vulnerability is little more than me, who was dating your daughter until I found her with another guy, and until then I had legitimate access. You will never know how it happened and most likely lack the ability to find out, whereas emissions can be measured with a device you can hold in your hand.

      Anyways, the fine is a bad idea because it will lead to approved software from approved-only vendors, else you will be fined. Worse yet, it will subject you to fines for zero-day exploits where no fixes are available.

    7. Re:Another cure that is worse than the disease by somersault · · Score: 2

      It doesn't. Not needing any credentials at all is quite different from duplicitously stealing existing user credentials or otherwise illegally gaining access to their servers.

      --
      which is totally what she said
    8. Re:Another cure that is worse than the disease by UPi · · Score: 5, Informative

      You are merely lucky. I run 3 small mail servers, all very similar in setup. 1 also receives no spam whatsoever, the other two are flooded by it. I need to use Spamhaus's XBL, SPF and greylisting to stem the tide. If I removed any of the three, SPAM volume would exceed regular mail volume by about 20x. (This is not because of a lack of regular mail.)

  2. I used to love Spamhaus by LordKaT · · Score: 5, Insightful

    Honestly, I used to love Spamhaus, but as the years wore on, I got into the IT world, and I had to interact with them, I've come to really loathe them. A decent service, I guess, but every single person that is involved with them comes across like a whining child, and I hate ever having to interact with them.

    1. Re:I used to love Spamhaus by Krojack · · Score: 3, Informative

      This is exactly what I ran into. My company got a new block of IPs and several IPs within it were on their block list. I could never get through to them, thus never got the IPs removed.

      I stopped using their blacklist years ago because their service is unreliable. They seem to have this "We're better than you" mentality.

    2. Re:I used to love Spamhaus by Anonymous Coward · · Score: 2, Informative

      Dealing with them is like dealing with Eric Cartman when he was deputized. "Respect my authoritai!"

      If they decided you weren't kissing their asses with sufficient deference they would happily violate their stated policies and expand and entrench the black listing in spite of no spam coming from any of the IPs listed.

  3. As long... by Anonymous Coward · · Score: 5, Insightful

    ...as server operators can fine Spamhaus for false positives.

    1. Re:As long... by FireFury03 · · Score: 3, Informative

      That depends on how much you're letting spamhaus validate actual positives. It has to go both ways.

      We've been having significant problems with the CBL's ill-thought-out policies (and Spamhaus imports data from the CBL)...
      http://blog.nexusuk.org/2013/09/problems-with-cbl.html

    2. Re:As long... by FireFury03 · · Score: 2

      We've been having significant problems with the CBL's ill-thought-out policies

      I am not sure what is ill-thought-out about their policies. In both scenarios, IP address is sending SPAM. IP address gets blocked.

      The ill-thought-out bit is that the CBL is a *spam email* blocklist, but their heuristics cause networks that aren't sending spam email to get listed and therefore blocked. Whilst there is no argument that the networks were infected with malware, listing them on the CBL serves no useful purpose since they were of no threat to the systems that would be using the CBL (mail servers).

      Previously, sharing an IP address between multiple services was a reasonable idea - there was never a reason not to do this and it conserves IP addresses. However, with the advent of the CBL using an HTTP honeypot to populate an SMTP blocklist, there simply isn't any sensible way to run a network in this configuration - it just takes one person to connect an infected laptop to the network for a short period of time, and all the email starts getting blocked.

      Because of this, we are now having to standardise on running mail servers on a separate IP address - this does nothing to decrease the incidence of malware, it simply stops an infected network being listed on the CBL.

      The author (you?) asks for a list of honeypot addresses, but you could be a spammer, who could use that list to delay blocking of the SPAM.

      I could be a spammer, but I'm not.

      The idea was that as the malware was always connecting through the transparent proxy servers, having a list of honeypot addresses or some other way of fingerprinting the request we could (1) automatically isolate the affected system, and (2) automatically inform the sysadmin so (s)he could clean up the mess. This would be a Good Thing for everyone.

      As it turns out, the CBL maintainers were not cooperative (for whatever reason), so we're stuck with the aforementioned interim measure of separating services onto different IPs rather than actually resolving the root problem.

      People in the business of securing networks really do need to trust each other to some extent - if they refuse to cooperate out of paranoia then the spammers have basically won already since there's no way anyone can effectively defend against spam and malware in isolation.

      Also, I have not seen a SPAM bot that uses the smarthost. This doesn't mean that they don't exist, but I think that they are rare.

      Indeed. That was the point I was making: the only way to send email out of the affected networks was via authenticated smarthosts. Yes, it's possible that some malware could extract the authentication credentials out of a user's mail client (if they have one configured) and use those to send spam, but that's a lot of effort to go to and I've never seen any malware do that (and if malware does do that then *everyone*'s screwed because it'll start sending spam through corporate email servers, gmail, etc.). So the networks in question were essentially immune to sending spam email, yet were still being blocked by the CBL from sending email because they had a client making spammy web requests - this makes no sense.

      Hence blocking direct access to port 25 through the firewall stops most spambots from actually sending spam.

      And this is exactly how the networks in question are set up, yet this does nothing to prevent the network from being listed on the CBL since the CBL's honeypot is checking for suspicious HTTP connections rather than SMTP traffic.

      If the spams are relayed through your own smarthosts, then how about some kind of rate-limiting mechanism with alerts to the administrator? Quick action by the admin would prevent listing.

      To reiterate, in case it wasn't clear from the blog article, there was no spam email leaving the network - port 25 is blocked, the only way

    3. Re:As long... by FireFury03 · · Score: 2

      The issue is purely that the smarthost shares the same IP address as the web proxy and the CBL honeypot looks for *HTTP* traffic (which was leaving the network) rather than *SMTP* traffic.

      It wasn't clear to me from the article that this was the problem. However, it's still not clear to me that this is the case. You assert that fetching some "spammy" URLs causes the listing, but the folks at CBL don't say what their listing criteria are, so I assume you have some hard evidence and not just suspicions that the fetching of honeypot URLs causes a listing?

      When you get listed, you can look up the reason why and it tells you.

      From my reading about Zbot, the only URLs it fetches are from C&C servers, so the CBL operators would have to have taken over a Zbot C&C server (or have access to the logs from someone who has gained control of a C&C server).

      I believe (and I'm not altogether clear whether this is accurate) that Zbot uses C&C domains that are generated programmatically based on the time of day, so CBL have managed to register some of those domains before the real bot owners and therefore set up a honeypot of C&C servers.

  4. Free Speech by CanHasDIY · · Score: 3, Interesting

    If things like public defecation, nudity, and pan-handling can be successfully argued as free speech (which they all have, at some point, somewhere), I think it would be a pretty simple affair to claim that running open, unsecured internet infrastructure is also a form of free expression.

    "The trouble with fighting for human freedom is that one spends most of one's time defending scoundrels."

    --
    An enigma, wrapped in a riddle, shrouded in bacon and cheese
    1. Re:Free Speech by spacepimp · · Score: 2

      Sadly that is a repercussion of having liberties. Free speech means the right for people to say things you don't agree with. If free speech was easy, then everyone would have it.

  5. A similar case by tech.kyle · · Score: 2

    It's fairly accepted that just because a car is left unlocked doesn't mean anyone's allowed to go in and take what's inside it. Even when you do lock it, there are ways to get in. The fault isn't the owner's for not locking it, it's the attacker's fault. I don't see why online services are any different. The interruption of service and potential loss of data is enough incentive to keep them from leaving it insecure in the first place. If not, they'll sure be taking a look at security after.

    --
    If we colonize Mars, it won't be the World Wide Web anymore. UWW?
    1. Re:A similar case by Lawrence_Bird · · Score: 2

      No. I am under no obligation whatsoever to lock or otherwise secure my property. What will you suggest next? If I leave a lighter on my porch and you steal it and torch the house down the block, do I share the blame?

  6. Open != Open by Anonymous Coward · · Score: 3, Informative

    Ambiguity warning! Open DNS servers are perfectly fine, they can be used against censorship or for speed. They should even be encouraged. I use the Caesidean root, for example. What they mean by "open" are drastically misconfigured DNS servers.

    Anyway, Spamhaus are a bunch of whining vigilante pussies and bad losers, so fuck them.

  7. Wouldn't it make more sense? by rabbit994 · · Score: 3, Insightful

    For ISPs to simply drop UDP packets that are outbound where source address is not inside their network. Is there some legit use for sending forged UDP packets?

  8. Punishment by Anonymous Coward · · Score: 5, Insightful

    Funny how an organisation like Spamhaus, which is guilty of systematically depriving random and quite innocent internet users of connectivity -- and proud of it too -- suddenly thinks that whoever interferes with their connectivity should be punished by law. Hypocrisy.

    Although I think their service does have its good points, their attitude makes me want to hurl.

  9. Blaming DNS for reflection attacks? by Shakrai · · Score: 4, Insightful

    That seems like misplaced blame to me. Any connectionless protocol that responds with larger packets than the inbound query can be used for a reflection attack; it's one of the items that comes up from time to time on the NTP Pool server admins' mailing list. We've seen a few attempts at using some of our servers in such attacks: there was a host that went around a few months ago that was sending about 60kbit/s worth of queries to several dozen servers in the pool, mine included. There are a few best practices you can use to mitigate this issue -- noquery with ntpd, firewall rate-limits for both NTP and DNS -- but you'll never actually solve the problem at the application level.

    The proper way to address reflection attacks is for network operators to set up rules that preclude forged packets from leaving their network. There's no reason the router solely responsible for 192.168.1.0/24 should be passing along outbound traffic with a source address of 172.25.1.15. A handful of progressive networks have made this change, but they're the exception, not the rule.

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
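The egress rule that rabbit994 and Shakrai both describe (drop outbound packets whose source address is not one of your own prefixes, i.e. BCP 38 filtering) modelled in Python as an added example; this is not code from the thread or from any network operator. The prefixes and the packet records are constructed for the example; the 192.168.1.0/24 router and the 172.25.1.15 source are the figures from the comment above, the other addresses are documentation ranges.

```python
import ipaddress
from collections import Counter

# Constructed: the prefixes this edge router is responsible for. A real filter
# would load these from the router's own routing table or IRR data.
OUR_PREFIXES = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]


def is_ours(src, prefixes=OUR_PREFIXES):
    """True if the claimed source address falls inside one of our prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def filter_egress(packets, prefixes=OUR_PREFIXES):
    """Split outbound packets into (forwarded, dropped).

    Anything leaving with a source address we do not own cannot be a reply
    to us and cannot be routed back to us, so it is dropped as spoofed.
    """
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if is_ours(pkt["src"], prefixes) else dropped).append(pkt)
    return forwarded, dropped


def spoof_report(dropped):
    """Bytes of spoofed traffic per claimed source, suitable for an operator alert."""
    counts = Counter()
    for pkt in dropped:
        counts[pkt["src"]] += pkt["len"]
    return dict(counts)


# Constructed outbound packet records as a flow collector might summarise them.
# Two are legitimate hosts inside our prefixes; three carry forged sources aimed
# at DNS (53) and NTP (123) reflectors, the pattern the comments describe.
SAMPLE_PACKETS = [
    {"src": "192.168.1.10", "dst": "198.51.100.7", "proto": "udp", "dport": 53, "len": 64},
    {"src": "2001:db8:1::10", "dst": "2001:db8:2::53", "proto": "udp", "dport": 53, "len": 80},
    {"src": "172.25.1.15", "dst": "198.51.100.53", "proto": "udp", "dport": 53, "len": 64},
    {"src": "172.25.1.15", "dst": "198.51.100.54", "proto": "udp", "dport": 53, "len": 64},
    {"src": "203.0.113.9", "dst": "198.51.100.123", "proto": "udp", "dport": 123, "len": 48},
]

if __name__ == "__main__":
    fwd, drop = filter_egress(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drop)}")
    print("spoofed bytes by claimed source:", spoof_report(drop))
```

The check is per-packet and stateless, which is why it belongs at the customer-facing edge where the set of legitimate source prefixes is small and known; further into the core a router no longer knows which sources are valid for a given interface.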
  10. or yum update. unsafe car too? by raymorris · · Score: 4, Insightful

    That sounds like an awful lot of trouble to avoid taking ten minutes to fix the configuration, or yum update for a correct default configuration. Do you also move to some third world country to avoid the law requiring working turn signals?

  11. blame the victim! by larry+bagina · · Score: 2

    Would they also fine rape victims for wearing sexy clothes?

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  12. Re:I wonder... by Talderas · · Score: 3, Insightful

    The way I read the summary it sounded like Spamhaus was seeking revenge over being subjected to a DDoS and desiring to use government to enact it.

    --
    "Lack of speed can be overcome. In the worst case by patience." --Znork
  13. Fine Spamhaus! by Anonymous Coward · · Score: 2, Insightful

    Agreed. I feel exactly the same way. Once you find out how Spamhaus is operated, you realize the Internet would be better off without them. They're a disgrace.

    Perhaps they should be fined for inattentive and reckless operation of an internet service, KNOWING it's being used to block mail, and KNOWING that their data is crap, full of spite listings and sources from which no abuse comes.

  14. Re:Not a bad idea by Jason+Levine · · Score: 2

    Let's assume you could somehow magically solve the enforcement problem. It's still a horrible idea because now there's the question of who issues warnings. Would Spamhaus be the one to issue warnings? Would other, similar organizations get to issue warnings? What if one organization has a draconian view of what constitutes "spamming"? Do their warnings count the same as a group with a more lenient view? Would individual users issue warnings? How do you handle false positives? (Such as: User signs up for newsletter. User forgets signing up. User gets newsletter. User reports newsletter sender as being a spammer.)

    This system would just be riddled with problems and - again, even magically solving the enforcement issue - would lend itself to corruption. (Group becomes a "certified spam reporter." Starts issuing warnings and then fines to groups that they disagree with. Or issues fines as a business plan.)

    This is a horrible, horrible plan. The only good thing about it is that it is so completely unworkable in the real world that I don't see anyone actually pushing this into existence.

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  15. Have to agree by Todd+Knarr · · Score: 3, Informative

    I have to agree with penalizing operators of open recursive DNS responders. DNS servers fall into roughly 4 categories:

    1. Internal nameservers within a network, including caching nameservers. These should never be getting legitimate queries from outside the local network, so they never have any reason to respond to those queries.
    2. Authoritative nameservers for a domain. These should never be doing recursive name resolution, and they should be responding only to queries for domains they're authoritative for. Queries for domains the server isn't authoritative for should get a short, to-the-point NXDOMAIN response not signed with DNSSEC.
    3. External private nameservers, i.e. ones that live outside the network they serve but are only supposed to serve that network. As with internal nameservers they shouldn't be responding to queries from any networks but the one they're supposed to be serving, they just need more configuration than purely internal ones. They should have a default-deny configuration with the networks they serve listed specifically. Anyone who doesn't know how to do this shouldn't be operating one of these.
    4. Deliberately public nameservers. These are ones that are set up intentionally to be resolvers for anyone who wants to use them. They have to respond to all requests and do recursive resolution. They're the problematic open nameservers. They require configuration to control traffic rates to minimize the impact when they're used for DNS-based attacks. If you don't know how to configure that or you aren't prepared to oversee a public server and respond to abuse 24x7, you shouldn't be running one of these. If you go ahead anyway, the results should be painful for you.

    My guess would be 99+% of all nameservers fall into the first three categories, 95+% fall into the first two, and 90+% of authoritative servers (category 2) are operated by a DNS hosting company rather than directly by the domain owner. If you're in the (relatively) small number needing to run a category 3 server you just need to take a few minutes to read the configuration docs and set it up for "don't respond to queries unless they're from a network I've listed", and if you can't or won't you deserve to be smacked with the newspaper. If you're in the even smaller number who want to run a category 4 server you need to know what you're doing, if you don't and go ahead anyway you deserve whatever you get (up to and including losing your Internet access).
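A way to verify the category 3 "default-deny" setup from outside the served network, added here as an example and not taken from the thread: build a recursive DNS query, send it to a nameserver you operate, and read the RA flag and RCODE out of the reply. A correctly restricted server answers a stranger with REFUSED and RA clear; an open one answers with RA set and a full answer section, and the response/query size ratio is the amplification factor the summary refers to. The wire-format helpers, the `probe` function and the sample responses are constructed for this example (the answers use the 192.0.2.0/24 documentation range); only `probe` touches the network, and it is not run by the offline samples.

```python
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted hostname into DNS label wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Standard query with RD=1 (recursion desired), one A-record question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_response(data):
    """Pull the header fields that matter for an open-resolver check."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),      # this is a response
        "ra": bool(flags & 0x0080),      # server offers recursion to us
        "rcode": flags & 0x000F,
        "qdcount": qd,
        "ancount": an,
    }


def assess(query, response):
    """Decide whether the reply shows open recursion and how much it amplifies."""
    info = parse_response(response)
    info["open_recursion"] = info["qr"] and info["ra"] and info["rcode"] == 0
    info["rcode_name"] = RCODE_NAMES.get(info["rcode"], str(info["rcode"]))
    info["amplification"] = round(len(response) / len(query), 2)
    return info


def build_response(query, rcode, ra, answers=()):
    """Constructed reply for offline testing: echoes the question, appends A records."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8100 | (0x0080 if ra else 0) | rcode
    question = query[12:]
    body = b""
    for ip in answers:
        # name = pointer to offset 12 (the question name), type A, class IN, TTL, rdlength 4
        body += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0) + question + body


def probe(server_ip, name="example.com", timeout=2.0):
    """Query a nameserver you operate from outside its served network and assess the reply."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server_ip, 53))
        data, _ = s.recvfrom(4096)
    return assess(q, data)


# Constructed samples: a default-deny server refuses; an open resolver answers.
QUERY = build_query("example.com")
REFUSED = build_response(QUERY, rcode=5, ra=False)
OPEN = build_response(QUERY, rcode=0, ra=True, answers=["192.0.2.1", "192.0.2.2"])

if __name__ == "__main__":
    for label, resp in (("restricted", REFUSED), ("open", OPEN)):
        print(label, assess(QUERY, resp))
```

Run `probe("<your nameserver IP>")` from a host outside the networks the server is meant to serve; a result with `open_recursion` True means the category 3 restriction is missing. The two-record answer already comes back about twice the size of the 29-byte question, which is why an unrestricted resolver is useful to someone forging the query's source address.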