--On 28 June 2004 18:43 +0100 Simon Lockhart <simon.lockhart@bbc.co.uk> wrote:
It's wholy unfair to the innocent parties affected by the blacklisting. i.e. the collateral damage.
Say a phising site is "hosted" by geocities. Should geocities IP addresses be added to the blacklist?
What if it made it onto an akamaized service? Should all of akamai be blacklisted?
This is an issue wider than spam, phishing, etc. That would depend on whether your block by IP address (forget whether this is BGP black hole lists, DNSRBL for SMTP etc.) is of a) IP address that happen to have $nasty at one end of them; or b) IP address for whom no abuse desk even gives a response (even "we know, go away") when informed of $nasty. It also depends on whether your response is "drop all packets" (a la BGP blackhole) or "apply greater sanctions". Seems to me (b) is, in general, a lot more reasonable than (a) particularly where there is very likely >1 administrative zone per IP address (for example HTTP/1.1). It also better satisfies Paul's criterion of being more likely to engender better behaviour (read: responsibility of network work operators for downstream traffic) if behaviour of the reporter is proportionate & targeted. WRT "apply greater sanctions", it is possible of course, though perhaps neither desirable nor scalable, to filter at layer>3 all sites on given IPs to minimize collateral damage. See http://www.theregister.co.uk/2004/06/07/bt_cleanfeed_analysis/ This is effectively what tools like spamassassin do when taking RBL type feeds as a scoring input to filtering, in a mail context. Alex