On Tue, Apr 03, 2007, Joe Greco wrote:
Is there a difference between a decade-old domain with contact information where a web server got hacked, and a 1-day old domain with garbage for contact information that was set up explicitly for Bad Stuff? How do you tell?
Yup! One was registered a day ago and is now sending out loads of spaff.
It was a trick question. The next question is "how do you differentiate"? I took two obvious cases and compared them. In such a case, it should be reasonably obvious to the average person what the answer is. The problem is that it is rarely so clear.

Take the example of what happened to seclists.org. Surely it looked like a legitimate complaint, didn't it? You have a big company like MySpace that has submitted a complaint claiming that a bunch of user passwords have been posted on the seclists.org web site. Go to web site, sure enough. Maybe look at registry info, see "insecure.com" mentioned, maybe think it is some hacker web site. So shut it down.

The problem here is that any competent abuse department should have done more research and laughed this into the circular file. This is the costly bit that a domain registrar isn't going to be likely to do.

First, analysis of the complaint itself. Passwords - on seclists.org web site. Okay.

1) Realize that the web site is an archival copy of a mailing list. This means that heavy distribution has already happened, and any ancillary distribution happening by the web site is incidental.

2) Because heavy distribution has already happened, the passwords in question are not in any way "protected" by removing them from the web page (or removing the web page).

3) Notice that the data has already been posted on *other* web sites.

Conclusion #1 --> MySpace has a serious data breach on its hands. Distribution is wide on visible community resources. This implies much heavier distribution is likely on invisible blackhat resources. Appropriate mitigation steps involve disabling and re-passwording all accounts.

Conclusion #2 --> Continued listing of the passwords on the web site is minimally harmful. Stand by for further processing.

Answer #1 to MySpace --> "Disable these accounts, your password list has been widely distributed."

Further analysis: visit http://www.seclists.org. Notice the words "security mailing list archive." Attempt to verify that it is what it appears to be.

Conclusion #3 --> Given a security mailing list, one would expect that there would be some discussion of current security problems. The inclusion of an actual password list may have been in mildly poor taste, but it is not due to deliberate intent of the website's operator. Since the password list is already public and heavily distributed, it might be reasonable to request the web site owner to remove the archive page pending a response from MySpace that the passwords had been disabled.

Answer #1 to seclists.org --> "Disable this web page pending further developments."

This is one reasonable resolution to the issue. I won't pretend it is the only possible "whitehat" course of action, but there is no whitehat course of action that ends with "seclists, we're suspending your domain."

If you do not have clear and obvious things to judge, analysis of a situation becomes even more difficult. The above is not going to be something that a first-level support lackey is going to be able to work out on his own... so that implies paying people who are skilled (and who incidentally would probably have been on seclists mailing lists, haha).

Right now, 1-day-old domains are a problem because nobody has a compelling reason to let abuse domains age prior to using them. If it becomes common policy for major providers to require domains to have existed for a certain amount of time before they accept mail (as one example) containing that domain name, then bad actors will simply register domains, allow them to age, and then use them later.

I am not seeing easy solutions. I am seeing costly solutions that involve a lot more involvement on the part of registrars. The obvious flags of trouble (such as "1-day-old") are at best only useful in the short term, because the bad actors can and will adapt.
Best people to know which domains are involved in sending out spaff? Hotmail? Yahoo? AOL? Google? You know, those people who run millions and millions of email accounts and can do rather scary statistical analysis on email..
You trust Hotmail? One of our businesses here has a mail server running on a clean IP (an IP that had never before been used for mail in the history of the Internet, and had been inactive for several years in any case). It exclusively sends a very low volume of support replies and the occasional billing problem. All mail is text - not HTML. There are no images. There are no advertisements. Hotmail is silently dropping every one of those messages sent to them. Not junk folder. Dropping. Explain *that*.

While Hotmail *could* be bothered to do what you suggest, and I am sure that it is an incredibly difficult task to handle a freemail system like theirs, they're not doing it. Surely they've learned a lot of neat stuff about dropping problematic e-mail, but they're also dropping legitimate mail, so let's be real. Their priority isn't accurately determining what domains are spamming. Their priority is running a heavily attacked freemail provider without a trillion dollar budget. There is some overlap, but only some.

We take in several megabits of traffic to our spam traps here, and I bet we (and anyone like us, since there's a bunch of folks who do the same) could generate some stats. I don't have time for any more projects though.
I wonder if any of the above would be interested in reporting spam-sending hosts, URLs involved in spam/phish/scam/etc/ to a public group (or semi-public group - open to join, but not publicly published) who could start working on feeding these domains back to registrars?
If the registrars were interested in doing anything with the data, I believe there are already some groups doing the collection of such data.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.