
I am seeing an increasing number of hosts on our network become an open proxy. So far the response to this has been reactive, once I receive complaints from spam victims I deal with the source of the problem. Is there an accepted way of blocking open proxy and open relay traffic at the network edge? Adi

On Thu, Apr 24, 2003 at 02:11:12PM -0500, Adi Linden wrote:
I am seeing an increasing number of hosts on our network become an open proxy. So far the response to this has been reactive, once I receive complaints from spam victims I deal with the source of the problem.
Is there an accepted way of blocking open proxy and open relay traffic at the network edge?
The obvious way would be to block the commonly abused ports... presumably, you will have very few customers who actually need to have ports 1080, 3128, 8080, or whatever open. Obviously, I can't say whether this would be effective for your particular application.
Also, you could consider running proactive scans on your network with available proxy-checking tools. I use proxycheck to manually check hosts for open proxies (http://www.corpit.ru/mjt/proxycheck.html)... you could script this (or a similar tool) and run scans of your entire network.
-- "Since when is skepticism un-American? Dissent's not treason but they talk like it's the same..." (Sleater-Kinney - "Combat Rock")

--On Thursday, April 24, 2003 12:16 PM -0700 Will Yardley <william+nanog@hq.dreamhost.com> wrote:
On Thu, Apr 24, 2003 at 02:11:12PM -0500, Adi Linden wrote:
Is there an accepted way of blocking open proxy and open relay traffic at the network edge?
The obvious way would be to block the commonly abused ports... presumably, you will have very few customers who actually need to have port 1080, 3128 8080, or whatever open. Obviously, I can't say whether this would be effective for your particular application.
This list of "commonly abused ports" is ever increasing. Might as well block everything and let through specific stuff if you're going down that path.
Also, you could consider running proactive scans on your network with available proxy-checking tools.
I use proxycheck to manually check hosts for open proxies (http://www.corpit.ru/mjt/proxycheck.html)... you could script this (or a similar tool) and run scans of your entire network.
That's what I would suggest. You could also reactively test your customers when they make a connection to your webserver or mailserver.

I use proxycheck to manually check hosts for open proxies (http://www.corpit.ru/mjt/proxycheck.html)... you could script this (or a similar tool) and run scans of your entire network.
That's what I would suggest. You could also reactively test your customers when they make a connection to your webserver or mailserver.
that won't catch the case where a proxy is open and is being abused but the resulting traffic is directed outside of the local isp, which is going to be the common case since parasites don't like to endanger their hosts.
every network owner should routinely scan/probe every address they are responsible for, looking for everything from ntpd vulnerabilities to sendmail or bind vulnerabilities to open proxies to open relays to etc. by "routinely" i mean every day. if something's found, block it 'til it's fixed. this will save you huge money in abuse@ staffing costs, as well as giving you "n'ya n'ya" rights when you meet uunet at the nanog bar :-). this is as important as having abuse@ and noc@ mailboxes, or doing uRPF on customer edges. if you're an ISP and your customer agreement doesn't explicitly demand the ability to do this testing, then have it updated.
i now think that http://www.icann.org/committees/security/sac004.htm was not nearly draconian enough, even though it claims...
3 - DDoS Vector
3.1. The typical vector for DDoS launches is a personal computer (PC) running operating system and application software that purposely trades off security for convenience. These computers are usually poorly managed, such that there are weak passwords or no passwords, known security "holes" that are never patched or closed, and services offered to the global Internet that the owner has no knowledge and no use for.
3.2. From the point of view of almost any single purveyor -- or consumer -- of operating system and application software, convenience will almost always have more perceived value than security. It is only when viewed in the aggregate that the value of security becomes obviously higher than the value of convenience.
3.3. With the advent of high speed "always on" connections, these PCs add up to either an enormous global threat, or a bonanza of freely retargetable resources, depending upon one's point of view.
3.4. Bad actors, in teams or acting alone, exert constant background effort to locate these hosts, probe them for known weaknesses, and subvert them in any way possible. There are software "kits" available that make all of this trivially easy, so no actual technical skill is needed to locate, subvert, and direct an army of thousands of high performance drones.
...to be aware of this problem.
-- Paul Vixie

--On Thursday, April 24, 2003 8:45 PM +0000 Paul Vixie <vixie@vix.com> wrote:
I use proxycheck to manually check hosts for open proxies (http://www.corpit.ru/mjt/proxycheck.html)... you could script this (or a similar tool) and run scans of your entire network.
That's what I would suggest. You could also reactively test your customers when they make a connection to your webserver or mailserver.
that won't catch the case where a proxy is open and is being abused but the resulting traffic is directed outside of the local isp, which is going to be the common case since parasites don't like to endanger their hosts.
True, but most people who end up with an open proxy trojan will also be using the machine to read their ISP provided email, etc

On 24 Apr 2003 14:11:12 -0500 (CDT), Adi Linden <adil@adis.on.ca> asked:
| I am seeing an increasing number of hosts on our network become an open proxy. So far the response to this has been reactive, once I receive complaints from spam victims I deal with the source of the problem.
| Is there an accepted way of blocking open proxy and open relay traffic at the network edge?
It's been established by several people that a number of recent viruses (such as jeem, sobig.a; see http://www.lurhq.com/sobig.html) are used to install or pave the way for remote installation of abusable proxies. Because those installed proxies do NOT listen on any consistent port number you cannot rely on even proactive port-scanning to identify the proxy. What the proxy does is to "phone home" and report its IP and port: so detecting it by that behaviour will not always be straightforward.
Therefore if you get a complaint about virus activity from a user IP it should be regarded as a free-of-charge heads-up that there may very soon be an open proxy on that machine. As you'll see from the above URL, the installation process is not immediate and therefore you may need to develop a working procedure to analyse the situation as it develops.
If I could amplify Joe St Sauver's point, having a working and trusted abuse address is half the battle; having a trained team who can spot the signs and act on them *in a timely way* is the other, and perhaps more important half. Remember that your reports will be likely to be coming from the other side of the planet, and may therefore not observe your local office hours. 24hr coverage by abuse staff (or by NOC staff who can oversee the mailbox for relevant reports) is a great bonus here. If you can deal with the situation quickly, you reduce the complaints to a bare minimum and enhance your own reputation in the process.
SpamCop, for all the criticism it gets, DOES report abused proxies quickly and with great reliability - far more reliably in the case of proxies than, say, the human victims of the abuse. It might pay to set up a special process with Spamcop to get those reports at an unpublished box, and put them through an automated process to spot any with the "proxy" keywords.
One other point to note is that a lot of the scanning for installed trojans, such as Netbus and Sub-Seven, is specifically done to install proxies using tools such as Firedaemon (actual cases of this have been found, where the user had no knowledge of the Firedaemon and Analog-X installations on their machine). Reports of THIS type of activity need to be taken seriously, as the person who reports it (usually from a firewall log) will be the one that escaped, but how many users in that same /24 did not have a firewall and therefore got hit? A selection of scanner-traps sitting on spare IPs will alert you to what's going on. When you find out how MUCH of it is going on right now, it will become obvious why there are so many open proxies being complained about.
On our DSL lines we provide the firewall and insist on it being used!
-- Richard Cox
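
Richard's "scanner-traps sitting on spare IPs", as an added example written for this page (not code from the thread or from any poster): a few listeners on ports nobody legitimately uses record every connection that reaches them, and two helpers turn the hits into the view an abuse desk wants, which sources are sweeping several ports and which /24s they come from. The ScannerTrap class, the 127.0.0.1 address and the OS-chosen ports (port 0) are assumptions so it runs locally; on a real network you would bind a spare address and the ports you see probed, and feed the hits to whatever alerting you already have.

```python
import socket
import threading
import time
from collections import defaultdict


class ScannerTrap:
    """Listeners on otherwise unused ports of a spare address. Nothing
    legitimate should ever connect, so every accepted connection is a hit."""

    def __init__(self, address="127.0.0.1", ports=(0, 0, 0)):
        self.hits = []          # (timestamp, src_ip, dst_port, first_bytes)
        self._lock = threading.Lock()
        self._sockets = []
        for port in ports:
            srv = socket.socket()
            srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            srv.bind((address, port))   # port 0: let the OS pick (demo only)
            srv.listen(16)
            self._sockets.append(srv)
            threading.Thread(target=self._serve, args=(srv,), daemon=True).start()

    @property
    def ports(self):
        """The ports actually bound (read this before close())."""
        return [s.getsockname()[1] for s in self._sockets]

    def _serve(self, srv):
        dst_port = srv.getsockname()[1]
        while True:
            try:
                conn, (src_ip, _src_port) = srv.accept()
            except OSError:
                return  # trap closed
            with conn:
                conn.settimeout(0.5)
                try:
                    first_bytes = conn.recv(64)  # keep any banner the prober sends
                except OSError:
                    first_bytes = b""
            with self._lock:
                self.hits.append((time.time(), src_ip, dst_port, first_bytes))

    def wait_for_hits(self, count, timeout=5.0):
        """Block until at least `count` hits are recorded; return a snapshot."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            with self._lock:
                if len(self.hits) >= count:
                    return list(self.hits)
            time.sleep(0.05)
        with self._lock:
            return list(self.hits)

    def close(self):
        for s in self._sockets:
            s.close()


def knock(address, port):
    """Constructed prober: open a connection to the trap and drop it at once."""
    socket.create_connection((address, port)).close()


def by_source_block(hits):
    """Group hits by source /24: {'192.0.2.0/24': {'hosts': {...}, 'ports': {...}}}."""
    blocks = defaultdict(lambda: {"hosts": set(), "ports": set()})
    for _ts, src_ip, dst_port, _banner in hits:
        a, b, c, _d = src_ip.split(".")
        key = f"{a}.{b}.{c}.0/24"
        blocks[key]["hosts"].add(src_ip)
        blocks[key]["ports"].add(dst_port)
    return dict(blocks)


def sweepers(hits, min_ports=3):
    """Sources that touched at least min_ports distinct trap ports: the
    signature of a port sweep rather than a single stray connection."""
    ports_per_src = defaultdict(set)
    for _ts, src_ip, dst_port, _banner in hits:
        ports_per_src[src_ip].add(dst_port)
    return sorted(ip for ip, ports in ports_per_src.items() if len(ports) >= min_ports)


if __name__ == "__main__":
    trap = ScannerTrap()
    bound = trap.ports
    for p in bound:               # constructed sweep of every trap port
        knock("127.0.0.1", p)
    hits = trap.wait_for_hits(len(bound))
    trap.close()
    print(by_source_block(hits))
    print("sweeping sources:", sweepers(hits))
```

Because the trap ports carry no service, a single hit is already interesting; the min_ports threshold in sweepers is there so that the daily summary leads with the sources walking your address space rather than with one-off noise.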

SpamCop, for all the criticism it gets, DOES report abused proxies quickly and with great reliability - far more reliably in the case of proxies than, say, the human victims of the abuse. It might pay to set up a special process with Spamcop to get those reports at an unpublished box, and put them through an automated process to spot any with the "proxy" keywords.
Pity that spamcop spams people.

On Fri, 25 Apr 2003, Roland Verlander wrote:
Spam complaints are not spam.
Try getting a few forged spamruns in your name, and having to go to spamcop every time to report it was a forgery :P Paul -- Lawyer: "Now sir, I'm sure you are an intelligent and honest man--" Witness: "Thank you. If I weren't under oath, I'd return the compliment." http://www.rinkworks.com/said/courtroom.shtml

Paul Wouters wrote:
On Fri, 25 Apr 2003, Roland Verlander wrote:
Spam complaints are not spam.
Try getting a few forged spamruns in your name, and having to go to spamcop every time to report it was a forgery :P
Hit the button that says don't send me more reports, contact spamcop concerning the forgery, etc. SpamCop is relatively good at not reporting forgeries. It is a lot better than Joe EU that will report every envelope from despite the fact it is guaranteed forgery. -Jack

Pity that spamcop spams people.
Spam complaints are not spam.
they can be. and in spamcop's case, they usually are. for reference, check http://www.mail-abuse.org/standard.html and decide whether robotic spam complaints can or cannot often fit all of (1) (2) and (3) as shown.
And the spam promoting SpamCop was from some spammer who didn't like SpamCop.
that's not what i'm referring to. spamcop has complained to me about everything from rfc1918 addresses to mail/news gateway spam to mailing list spam. i eventually had to just hard-reject all mail from spamcop in order to make it stop. this kind of sloppy work just dilutes the mix and makes valid hand-generated spam complaints less welcome by association with the unending crap that comes out of spamcop's robotware. (if it's any consolation to julian, the helpmesoft approach is even worse.) -- Paul Vixie

Paul Vixie wrote:
they can be. and in spamcop's case, they usually are. for reference, check http://www.mail-abuse.org/standard.html and decide whether robotic spam complaints can or cannot often fit all of (1) (2) and (3) as shown.
"(1) the recipient's personal identity and context are irrelevant because the message is equally applicable to many other potential recipients" The message is applicable only to the person that spamcop sends it to. They are reporting a problem, and they are reporting it to the proper role accounts for that problem. In most cases, the reports reach the right place for the right problem. "(3) the transmission and reception of the message appears to the recipient to give a disproportionate benefit to the sender" Actually, the benefit is for the recipient. It is a method for SC to inform the recipient reguarding an issue that is problematic to others. You definately have the right to not be informed, just as they have the right to blacklist. However, SC feels that it is beneficial to everyone as a whole if they do inform the responsible parties concerning the problem so that hopefully the problem can be resolved. -Jack

Yes Neil, it is a shame. Is there any known way to opt out of spamcop? I'm sure I could ACL out all SMTP traffic coming from their netspace. Or better yet, set up an IDS rule that emails their upstream provider. If a few of us did this I'm sure the spamcop folks would find a way to make their spam engine a bit more selective.
The spamcop complaints that really set me off are the "spamvertised website" complaints. Just the mere fact that you host a site that was advertised by spam enjoins you in the spamcop chain of causation, even if the spam mail did not originate from your network.
Since the PDRK is now ready to prove they have nuclear weapons, it's a shame that the wasted spamcop computing resources could not be put to a better use, such as DOS'ing the PDRK's uranium enrichment operation.
Regards, Christopher J. Wolff, VP CIO Broadband Laboratories, Inc. http://www.bblabs.com
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Neil J. McRae
Sent: Thursday, April 24, 2003 11:59 PM
To: richard@mandarin.com
Cc: nanog@merit.edu
Subject: Re: Open relays and open proxies
SpamCop, for all the criticism it gets, DOES report abused proxies quickly and with great reliability - far more reliably in the case of proxies than, say, the human victims of the abuse. It might pay to set up a special process with Spamcop to get those reports at an unpublished box, and put them through an automated process to spot any with the "proxy" keywords.
Pity that spamcop spams people.

Christopher J. Wolff wrote:
The spamcop complaints that really set me off are the "spamvertised website" complaints. Just the mere fact that you host a site that was advertised by spam enjoins you in the spamcop chain of causation, even if the spam mail did not originate from your network.
With the exception of Joe-Jobs, spamvertised websites should be terminated. The theory is that the spammer should not be making money from the spam. Take away their money and perhaps they'll learn not to send spam. Of course, perhaps you enjoy the extra money you make because the customer sent spam to someone and the website generated traffic that directly or indirectly made you money. Also, SpamCop works with people concerning the reports. If I'm not mistaken, they'll turn off specific types of reports if you ask. Personally, I like to be aware of what my customers are doing when it can cause me problems in the long run. -Jack

At 08:17 AM 4/25/2003, you wrote:
Christopher J. Wolff wrote:
The spamcop complaints that really set me off are the "spamvertised website" complaints. Just the mere fact that you host a site that was advertised by spam enjoins you in the spamcop chain of causation, even if the spam mail did not originate from your network.
With the exception of Joe-Jobs, spamvertised websites should be terminated.
If a spammer is spamming about stocks, and includes a link to look up that stock via cnnfn.com, there's now a spamvertisement issue. Where do you draw the line? How do you, reading the spam, know with certainty that any domain name mentioned in that spam is in fact there with the permission of the domain holder?
The theory is that the spammer should not be making money from the spam. Take away their money and perhaps they'll learn not to send spam. Of course, perhaps you enjoy the extra money you make because the customer sent spam to someone and the website generated traffic that directly or indirectly made you money.
Also, SpamCop works with people concerning the reports. If I'm not mistaken, they'll turn off specific types of reports if you ask. Personally, I like to be aware of what my customers are doing when it can cause me problems in the long run.
If you have them turn off address munging, the spamcop user will then accuse you of helping your customers "list wash" when what you really wanted to do is get to the bottom of spam reports. Just a single spamcop report last week cost me about 4 hours of work. Turned out the spamcop user had given his email address to the company (a resort, in this case) in person, in writing. The resort had sent a note ASKING if the person would like to be on a mailing list. Didn't subscribe them, just asked if they'd like to subscribe. Oh, and the guy blocked our entire netblock at the same time as putting in the spamcop report, making it impossible for our abuse desk to respond once we uncovered the facts. For all I know, they still have us blocked. This kind of nonsense is at least as expensive as dealing with actual spam. And possibly does more damage to legitimate flow of traffic. Dan

Jack,
Let me draw an inference from your reply. For example, in parts of our community, there are ordinances against putting up A-Frame signs. (the tin signs placed in or near intersections, generally used to advertise real estate) Each weekend the local P.D. confiscates these signs and stores them in a holding pen. Therefore, am I just as 'guilty' if I host A.B.C. Homes website, if they choose to advertise new homes in this clearly illegal manner? The A-Frame signs are a nuisance and use up professional time to remove, just like spam.
There has to be a line drawn somewhere, wouldn't you think?
Regards, Christopher J. Wolff, VP CIO Broadband Laboratories, Inc. http://www.bblabs.com
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Jack Bates
Sent: Friday, April 25, 2003 5:18 AM
To: Christopher J. Wolff
Cc: nanog@merit.edu
Subject: Re: Open relays and open proxies
Christopher J. Wolff wrote:
The spamcop complaints that really set me off are the "spamvertised website" complaints. Just the mere fact that you host a site that was advertised by spam enjoins you in the spamcop chain of causation, even if the spam mail did not originate from your network.
With the exception of Joe-Jobs, spamvertised websites should be terminated. The theory is that the spammer should not be making money from the spam. Take away their money and perhaps they'll learn not to send spam. Of course, perhaps you enjoy the extra money you make because the customer sent spam to someone and the website generated traffic that directly or indirectly made you money. Also, SpamCop works with people concerning the reports. If I'm not mistaken, they'll turn off specific types of reports if you ask. Personally, I like to be aware of what my customers are doing when it can cause me problems in the long run. -Jack

Christopher J. Wolff wrote:
Therefore, am I just as 'guilty' if I host A.B.C. Homes website, if they choose to advertise new homes in this clearly illegal manner? The A-Frame signs are a nuisance and use up professional time to remove, just like spam.
There has to be a line drawn somewhere, wouldn't you think?
A) many spam emails use html links to pull graphics from the spamvertised site. By continuing to let the site run, even more bandwidth is being utilized (especially with today's broken MUAs).
B) most spammers make their money using their websites and not the spam itself. So long as the website exists, there will be a way for the spammer to propagate spam. Remember, it doesn't matter if the emailing account gets cancelled. Once the damage is done, the spammer can sit back and collect revenue via the website that was just adverted. However, if you cancel the website, the company ceases to generate revenue from the spam and is effectively shut down until they can bring the website back up *and* generate another spam run.
C) there are rarely good real world analogies for problems that exist on the 'net. Not only does the 'net afford us speed and convenience in our ability to communicate, it also allows for abuse to be at increased speeds, volume and convenience. If different A-frame signs showed up each and every day in large quantities throughout the city, the city would not just confiscate the signs. They would file charges, and if the owner of the real estate is aware of such activity, the owner would be held liable, or city ordinances would be changed to allow the owner to be held liable.
-Jack

On Fri, 25 Apr 2003, Jack Bates wrote:
:Christopher J. Wolff wrote:
:> Therefore, am I just as 'guilty' if I host A.B.C. Homes website, if they choose to advertise new homes in this clearly illegal manner? The A-Frame signs are a nuisance and use up professional time to remove, just like spam.
:> There has to be a line drawn somewhere, wouldn't you think?
:A) many spam emails use html links to pull graphics from the spamvertised site. By continuing to let the site run, even more bandwidth is being utilized (especially with today's broken MUAs).
:B) most spammers make their money using their websites and not the spam itself. So long as the website exists, there will be a way for the spammer to propagate spam. Remember, it doesn't matter if the emailing account gets cancelled. Once the damage is done, the spammer can sit back and collect revenue via the website that was just adverted. However, if you cancel the website, the company ceases to generate revenue from the spam and is effectively shut down until they can bring the website back up *and* generate another spam run.
:C) there are rarely good real world analogies for problems that exist on the 'net. Not only does the 'net afford us speed and convenience in our ability to communicate, it also allows for abuse to be at increased speeds, volume and convenience. If different A-frame signs showed up each and every day in large quantities throughout the city, the city would not just confiscate the signs. They would file charges, and if the owner of the real estate is aware of such activity, the owner would be held liable, or city ordinances would be changed to allow the owner to be held liable.
As much as I'd normally hate to append an example, the following is a real gem.
From abuse-noverbose@ssc.net Fri Apr 25 10:16:21 2003
Date: Wed, 23 Apr 2003 00:19:14 +0200
From: SSC Networks / Abusedesk <abuse-noverbose@ssc.net>
To: Brian Wallingford <brian@meganet.net>
Cc: abuse-noverbose@ssc.net
Subject: Re: Wow!, I added 3+ |nches mjlxd31k69 (fwd)
Dear Sir
We are sorry to hear that your company receives UCE. We are unable to help very much in your case, as we are only hosting the website mentioned in the UCE. Do whatever you feel you need to do, but it will not stop the spam, which is not caused, originated or relayed thru us. On the other hand, it might cause many complaints from your end-users. We are not exactly happy for these (vanity) filterings because of the third party complaints we receive when they cannot reach the website. Please make sure your users know that they need to contact Meganet to solve the issue and not us if you are really going to do this.
Sincerely, SSC Internet Security Operator #14
----- Original Message -----
From: "Brian Wallingford" <brian@meganet.net>
To: <abuse@rr.com>
Cc: <abuse@ssc.net>
Sent: Tuesday, April 22, 2003 11:33 PM
Subject: Wow!, I added 3+ |nches mjlxd31k69 (fwd)
This is my 5th complaint in less than 24 hours about a site on ssc's netblock. Additional messages will result in the filtering of 193.231.248.0/24 at our borders.
-- ___________________________________ Brian Wallingford Director, Network Operations MegaNet Communications, TCIX, Inc. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On Friday, Apr 25, 2003, at 08:17 Canada/Eastern, Jack Bates wrote:
With the exception of Joe-Jobs, spamvertised websites should be terminated.
If this were rigorously enforced, it would provide a mechanism for anybody with an axe to grind to take out any web site on the planet. Once all the commercial web sites had been taken off the air, the commercial web hosters would go out of business. Once all the web hosters were off the air, the access providers would go out of business (since there would be no interweb left for their customers to look at). Billions of people stumble, blinking, out into the sunlight, deprived of their only usual means of communication with friends, and discover that they have neighbours... ... and then all die of SARS from the resulting unnatural proximity to other humans. I say, do it. Let's take the humans out of the picture, and give the insects a chance to run the planet. Joe

Joe Abley wrote:
If this were rigorously enforced, it would provide a mechanism for anybody with an axe to grind to take out any web site on the planet. Once all the commercial web sites had been taken off the air, the commercial web hosters would go out of business. Once all the web hosters were off the air, the access providers would go out of business (since there would be no interweb left for their customers to look at).
When dealing with any account, common sense is required. If a company is being advertised via spam without approval, they have good legal standing to go after the spammer. After all, sending out spam doesn't exactly help their business image. Yet how many spams are sent out advertising pr0n and the websites never cancelled? How many get rich schemes? The last I checked, no-more-viruses.com was still at it and wasting my time by sending their filth to every role account I have. -Jack

--On Friday, April 25, 2003 11:17 AM -0400 Joe Abley <jabley@isc.org> wrote:
On Friday, Apr 25, 2003, at 08:17 Canada/Eastern, Jack Bates wrote:
With the exception of Joe-Jobs, spamvertised websites should be terminated.
If this were rigorously enforced, it would provide a mechanism for anybody with an axe to grind to take out any web site on the planet. Once all the commercial web sites had been taken off the air, the commercial web hosters would go out of business. Once all the web hosters were off the air, the access providers would go out of business (since there would be no interweb left for their customers to look at).
Tired old argument that completely misses the "with the exception of joe jobs" clause.

On Friday, Apr 25, 2003, at 11:57 Canada/Eastern, John Payne wrote:
Tired old argument that completely misses the "with the exception of joe jobs" clause.
Yes, maybe I'm the only person here who has no idea what that means (in which case a private mail explanation would be fine). Joe

On Fri, 25 Apr 2003, Joe Abley wrote:
On Friday, Apr 25, 2003, at 11:57 Canada/Eastern, John Payne wrote:
Tired old argument that completely misses the "with the exception of joe jobs" clause.
Yes, maybe I'm the only person here who has no idea what that means (in which case a private mail explanation would be fine).
Since there are probably others who don't know - http://www.spamfaq.net/terminology.shtml#joe_job will enlighten you. And the rest of that page explains lots of other spam jargon as well. Tim Wilde -- Tim Wilde twilde@dyndns.org Systems Administrator Dynamic DNS Network Services http://www.dyndns.org/

--On Friday, April 25, 2003 12:00 PM -0400 Joe Abley <jabley@isc.org> wrote:
On Friday, Apr 25, 2003, at 11:57 Canada/Eastern, John Payne wrote:
Tired old argument that completely misses the "with the exception of joe jobs" clause.
Yes, maybe I'm the only person here who has no idea what that means (in which case a private mail explanation would be fine).
Multiple other people have asked... one line URL response. <http://www.spamfaq.net/terminology.shtml#joe_job>

Joe Abley wrote:
On Friday, Apr 25, 2003, at 11:57 Canada/Eastern, John Payne wrote:
Tired old argument that completely misses the "with the exception of joe jobs" clause.
Yes, maybe I'm the only person here who has no idea what that means (in which case a private mail explanation would be fine).
Translation: "I'm willing to make a fool of myself on NANOG by posting in reply to a post (that uses a term I am too lazy to find the definition of), completely misunderstanding the term, and then I'll post another reply, asking for private replies (to hopefully avoid the public larting that is surely coming), educating me on this term. All because it's easier to click "reply" and type an uneducated answer than it is to fire up a browser and google for the information and educate myself." <http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22joe+job%22+spam&btnG=Google+Search> jc

On Friday, Apr 25, 2003, at 11:57 Canada/Eastern, John Payne wrote:
Tired old argument that completely misses the "with the exception of joe jobs" clause.
I don't need to forge my spam as being from any legitimate mailbox in order to promote a web site, and start off on the rapid spiral descent into insect nationhood.

On Friday, Apr 25, 2003, at 11:57 Canada/Eastern, John Payne wrote:
Tired old argument that completely misses the "with the exception of joe jobs" clause.
* jabley@isc.org (Joe Abley) [Fri 25 Apr 2003, 18:13 CEST]:
I don't need to forge my spam as being from any legitimate mailbox in order to promote a web site, and start off on the rapid spiral descent into insect nationhood.
You have been led to the water but still refuse to drink. A "Joe Job" is when bulk mail is sent out in your name in order to make you look bad. No services by the spammer are advertised, all he hopes to achieve is to get you a bad reputation or even disconnected. See Paul Wouters' recent mail to this august forum for a recent example of a joe job. -- Niels.

I think the most basic thing that any xSP could do to prevent relays and other basic address spoofing would be to disable source ip routing in every router that's installed. It would prevent a lot of abuse.
Curt
On Friday 25 April 2003 11:57, John Payne wrote:
--On Friday, April 25, 2003 11:17 AM -0400 Joe Abley <jabley@isc.org> wrote:
On Friday, Apr 25, 2003, at 08:17 Canada/Eastern, Jack Bates wrote:
With the exception of Joe-Jobs, spamvertised websites should be terminated.
If this were rigorously enforced, it would provide a mechanism for anybody with an axe to grind to take out any web site on the planet. Once all the commercial web sites had been taken off the air, the commercial web hosters would go out of business. Once all the web hosters were off the air, the access providers would go out of business (since there would be no interweb left for their customers to look at).
Tired old argument that completely misses the "with the exception of joe jobs" clause.

[CC list cleaned up]
I think the most basic thing that any xSP could do to prevent relays and other basic address spoofing would be to disable source ip routing in every router that's installed. It would prevent a lot of abuse.
Curt
Can you support with data either:
1) IP source routing is used for "lots of abuse"
2) disabling IP source routing would prevent "lots of abuse"
LSRR is a tool utilized to verify network topology and investigate such things as pointing default, etc. Several SP's require LSRR at minimum on border routers for this reason.

It was explained to me by one of the kind folks at isc.org that my assertions were incorrect and why. I now stand corrected. My humblest apologies for the use of the bandwidth.
Curtis
On Saturday 26 April 2003 16:34, bdragon@gweep.net wrote:
[CC list cleaned up]
I think the most basic thing that any xSP could do to prevent relays and other basic address spoofing would be to disable source ip routing in every router that's installed. It would prevent a lot of abuse.
Curt
Can you support with data either:
1) IP source routing is used for "lots of abuse"
2) disabling IP source routing would prevent "lots of abuse"
LSRR is a tool utilized to verify network topology and investigate such things as pointing default, etc. Several SP's require LSRR at minimum on border routers for this reason.

On Fri, Apr 25, 2003 at 07:59:00AM +0100, Neil J. McRae wrote:
SpamCop, for all the criticism it gets, DOES report abused proxies quickly and with great reliability - far more reliably in the case of proxies than, say, the human victims of the abuse.
Pity that spamcop spams people.
Perhaps you could be more vague here? There have been a number of spam threatening to be from SpamCop: http://spamcop.net/fom-serve/cache/124.html These emails are pretty clearly not from SpamCop. If you're talking about the actual reports sent by SpamCop, they are not unsolicited, because they're going to abuse and / or role accounts (and are thus solicited implicitly). If you don't want to receive SpamCop reports, I'm almost certain you can ask them not to send you reports.
On Fri, Apr 25, 2003 at 12:17:19AM -0700, Christopher J. Wolff wrote:
The spamcop complaints that really set me off are the "spamvertised website" complaints. Just the mere fact that you host a site that was advertised by spam enjoins you in the spamcop chain of causation, even if the spam mail did not originate from your network.
Not sure if you're trolling here, but spamvertised sites are against most providers' AUPs, and should be terminated -- spammers don't care if the account used to send UBE is disabled, but they do care about keeping the site up long enough to make some money. Obviously there are *some* cases that SpamCop reports incorrectly (for instance, Traffic Magnet type spam where the customer's site is mentioned in the spam), but these are *usually* due to user error.
While I may take some SpamCop complaints with a grain of salt (due to past complaints that have proved to be false and / or accidental), for the most part, SpamCop's logic is better than any other automated reporting tool, and better than a human that doesn't know much about email headers. Compared to the other false / accidental reports, spam, viruses and other crap that hits our abuse and role accounts, SpamCop isn't that bad - at least it lets you ask to receive no further reports (if you're an innocent bystander or if you've already taken action), and comes in a consistent, easy to identify and read, format. I've seen a few cases where SpamCop misidentified the origin of a message, but they were usually due to some sort of temporary glitch - for the most part, their system works surprisingly well.
-- "Since when is skepticism un-American? Dissent's not treason but they talk like it's the same..." (Sleater-Kinney - "Combat Rock")

In a message written on Fri, Apr 25, 2003 at 11:35:16AM -0700, Will Yardley wrote:
If you're talking about the actual reports sent by SpamCop, they are not unsolicited, because they're going to abuse and / or role accounts (and are thus solicited implicitly). If you don't want to receive SpamCop reports, I'm almost certain you can ask them not to send you reports.
The problem is you can be spammed and blocked by proxy. A company, who will remain nameless, configured their mail server to report "spam" to "spamcop". One of their users was on a mailing list I run. They reported a completely legitimate e-mail to SpamCop, which SpamCop took as a spam report. SpamCop then added my mailer to their DNS black list. This is in fact how I noticed: I received mail refused from list deliveries before I ever got a SpamCop report (which I did receive a few hours later). To their credit, when I pointed out this was legitimate mail they did remove the offending entry quickly. Only to have it reappear 6 hours later when the next mailing list mail was reported in the same way. :(
So, a bogus reporter was able to:
1) Waste my time and resources by having SpamCop send me mail I did not ask for, want, or deserve.
2) Tarnish my reputation, which I had to defend.
3) Make several of my users unable to receive e-mail from my legitimate lists because their ISPs/companies use SpamCop's list.
I used to be a fan of various services that "listed spammers", including SpamCop, and the RBL. No more. Both seem to use the nuclear-weapon-to-take-out-an-ant method, which given those tools is probably the only way they have any chance of working. If you have a hammer, everything looks like a nail. They also both assume mail is "normal", that is one end user to one mail server to another mail server to an end user. Add mailing lists, relaying services, and other things and legitimate e-mail gets classified as spam, or worse, spam that passed through a legitimate gateway gets the gateway listed.
The tools inside SpamAssassin, Bayesian filtering, fingerprint checks of known spam messages, filtering of known spam identifiers is both more effective at actually catching the spam, and it's also much better at not whacking legitimate messages. Listing services are yesterday's technology, and frankly, have failed in their end goal. The community needs to push forward with more advanced tools, like the fingerprinting software.
-- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org

--On Friday, April 25, 2003 3:00 PM -0400 Leo Bicknell <bicknell@ufp.org> wrote:
The tools inside SpamAssassin, Bayesian filtering, fingerprint checks of known spam messages, filtering of known spam identifiers is both more effective at actually catching the spam, and it's also much better at not whacking legitimate messages. Listing services are yesterday's technology, and frankly, have failed in their end goal. The community needs to push forward with more advanced tools, like the fingerprinting software.
I agree in general, but don't tar all DNSBLs with the SpamCop and other subjective-list's brush.

## On 2003-04-25 00:17 -0700 Christopher J. Wolff typed:
CJW> Yes Neil, it is a shame. Is there any known way to opt out of spamcop?
CJW> I'm sure I could ACL out all SMTP traffic coming from their netspace.
CJW> Or better yet, set up an IDS rule that emails their upstream provider.
CJW> If a few of us did this I'm sure the spamcop folks would find a way to
CJW> make their spam engine a bit more selective.
CJW>
CJW> The spamcop complaints that really set me off are the "spamvertised
CJW> website" complaints. Just the mere fact that you host a site that was
CJW> advertised by spam enjoins you in the spamcop chain of causation, even
CJW> if the spam mail did not originate from your network.
When logged in to <http://members.spamcop.net/> from your (auto-generated) "ISP account", click "preferences" in the first line below the logo, then click "General Settings". You should be able to stop getting any of the below types by choosing "refuse"; the one you certainly want is "www".
Report Type selection
If you are bothered by reports which reference your network without authorization, you may disable some report types while ensuring that relevant reports still reach you.
* source (Administrator of network where email originates) Accept / Refuse
* www (Administrator of network hosting website referenced in spam) Accept / Refuse
* email (Administrator of network hosting email address referenced in spam) Accept / Refuse
* relay (Administrator of network with open relays) Accept / Refuse
* notify (User defined recipient) Accept / Refuse
--
HTH,
Rafi

In the immortal words of Christopher J. Wolff (chris@bblabs.com):
The spamcop complaints that really set me off are the "spamvertised website" complaints. Just the mere fact that you host a site that was advertised by spam enjoins you in the spamcop chain of causation, even if the spam mail did not originate from your network.
Why yes, yes it does. Why exactly should you be able to profit from spamming without hassle or reproach? If you dislike being complained to because your customers are spamming, your options are clear: ignore the complaints (in which case the issue will certainly be taken up with your upstream providers), or stop taking the spammers' money. Spam does not exist in a vacuum. It's an economy like any other, and someone who hosts the spammers' sites is very much an active participant. As Joe-Bob Briggs says, "I'm surprised I have to explain this."
-n
------------------------------------------------------<memory@blank.org>
"What's the difference between a regular actuary and a Chicago actuary? A regular actuary can tell you how many people will die in the next year. The Chicago actuary can tell you their names." --Chuck McClenahan
<http://blank.org/memory/>----------------------------------------------

In the immortal words of Nathan J. Mehl (memory-nanog@blank.org):
[nothing of any actual consequence]
Bah, teach me to respond to an interesting-looking thread without looking carefully at the date header. Apologies to all, and please don't consider this an invitation to re-open the discussion.
-n
------------------------------------------------------------<memory@blank.org>
Outside of a dog, heroin is a man's best friend. Inside a dog, it's too dark for Lou Reed.
<http://blank.org/memory/>----------------------------------------------------

I am seeing an increasing number of hosts on our network become an open proxy. So far the response to this has been reactive, once I receive complaints from spam victims I deal with the source of the problem.
Is there an accepted way of blocking open proxy and open relay traffic at the network edge?
Educate your customers. Seriously. The details depend upon which type of problem you need to solve:
1) Customers are being tricked into installing open proxies, say by downloading executables from file sharing services.
2) Customers are trying to set up proxies to allow them to share their Internet connection with family members, but aren't securing them properly.
3) Customers are deliberately setting up open proxies as anonymizers.
Perhaps you have some other variation on these themes, but if you look at all of these, you should be able to see that education is the best solution. The possible exception is 3, in which case threats may be more appropriate.
DS

On Thu, 24 Apr 2003, Adi Linden wrote:
I am seeing an increasing number of hosts on our network become an open proxy. So far the response to this has been reactive, once I receive complaints from spam victims I deal with the source of the problem.
I see an increased number of proxies being abused too. Unfortunately, I am seeing them feeding mail servers to forge spams in my name. Most of them are in Argentina and Brazil, but I also see crap from ChinaNet, Taiwan, Norway and even just around the corner here in the NL.
However, do not mistake these machines for the funny small DDoSes that might happen on your server. Those are likely generated by silly spammers taking it out on people who actually care about the state of the net by sending out forged spam with 100+ embedded IFRAMEs to your website. I've been under attack for over two weeks now. Details have been put up at http://www.xtdnet.nl/paul/spam/
If anyone is the target of similar abuse, please contact me offlist and I'll try to combine the data to see if we can pinpoint this to some person or group.
Paul
--
Lawyer: "Now sir, I'm sure you are an intelligent and honest man--"
Witness: "Thank you. If I weren't under oath, I'd return the compliment."
http://www.rinkworks.com/said/courtroom.shtml
participants (22)
- Adi Linden
- bdragon@gweep.net
- Brian Wallingford
- Christopher J. Wolff
- Curtis Maurand
- Daniel Senie
- David Schwartz
- Jack Bates
- JC Dill
- Joe Abley
- John Payne
- Leo Bicknell
- Nathan J. Mehl
- neil@DOMINO.ORG
- Niels Bakker
- Paul Vixie
- Paul Wouters
- Rafi Sadowsky
- Richard Cox
- Roland Verlander
- Tim Wilde
- william+nanog@hq.dreamhost.com