Date: Wed, 29 Sep 2010 13:06:31 -0700
Subject: Re: AS11296 -- Hijacked?
From: Scott Howard <scott@doc.net.au>
On Wed, Sep 29, 2010 at 9:26 AM, N. Yaakov Ziskind <awacs@ziskind.us> wrote:
Recommendations such as that are only as credible as the source they are coming from, and knowing that the person making the request also believes that blocking all mail from gmail.com is a valid anti-spam technique probably results in a "different" credibility level than one might otherwise have.
I have to ask one question -- who are _you_ to judge what is 'valid' for *HIS* situation? He's not running a 'provider' network, with any responsibility to others, it's his personal environment. On _my_ personal servers, I block *LARGE* swaths of the world -- because I _do_ get significant amounts of spam from those locales, and have *zero* expectation of any 'legitimate' mail therefrom. The service denial messages _do_ provide info on how to get past the blocks. I can state with authority that in close to a million messages so rejected, -not-a-single-one- has been from someone with a serious interest in communicating with me. The web page with the explanatory data has not had so much as a single hit in over 8 years. Now, on systems I manage for others, I do things very differently, according to -their- needs. The rationale for such decisions is straightforward, and easy to understand. It's called the 'cost-benefit' ratio. _How_much_ work does it take to let that 'rare' piece of 'useful' mail through from a source that generates almost exclusively spam, and _is_ getting that occasional piece of mail 'worth the effort'? Ron has decided 'not', with regard to gmail. To argue that decision, _you_ would have to know how much 'valid' traffic he can reasonably expect to get from gmail, and the amount of effort it would take in his existing environment to accomplish that end.
Robert, I don't think you quite get it. Don't worry, you don't seem to be alone.

The point here is simple. If someone posts making a recommendation for every AS to filter some prefixes, not providing any references by default, it's not helpful. When questioned about the rationale, if said person then declines to provide evidence, the picture starts to form.

It is relatively easy to detect spam; it is easy to have enough honeypots & filters matching corresponding BGP lookups to find out path information. Immediately you have a technique which - regardless of the lists a spammer reads - will catch spammers. By working as a community, the accuracy and speed of detection increases. By sharing information, things improve. The problem is certainly not detection!! (in contrast to the claimed need to hide detection methods)

Posting to a list like this telling everyone to block traffic might be ok in some people's eyes, but there are a few problems:
1) No peer review. The data has not been checked, the prefixes might be incorrect. The methods might be completely wrong - who knows! This is certainly the #1 issue.
2) Length of time to implement. Most serious ASs would do sanity checking and even possibly a change window or at least a signoff.
3) Post-advertisement removal. What process do ASs have in place to check and remove these rules? More sanity checking and another change.
4) The comment about ARIN, as if to imply that they are supposed to somehow 'police' the internet. This shows a complete lack of understanding of the architecture of the internet.
5) A person who blocks gmail for their own - non customer affecting - mail server cannot be in a position to advise of real - customer affecting - changes, and shows a recklessness towards ad hoc blocking of anything.

As a hypothetical situation, say a new customer pops up on a network with a prefix and origin that haven't been seen before. This customer badly configured their mail server; it's an open relay. Spammers, being smart, watch new BGP advertisements knowing that this might be the case. Some kind sir sees the spam coming from the open relay and posts on here, telling everyone to block it, thus completely killing the new customer network before it's even got off the ground properly. By the time it has come around, half the ISPs are blocking it and they are completely screwed, all because of 1 mistake and someone not having their information peer reviewed and no action to notify or help out the ISP.

Posting ASs & prefixes for people to block without any questioning is just plain stupid and not the way to handle it. If the goal is to get rid of spam, then why not put brains together and come up with a much better system. IETF? Independent working group? I can think of a number of ideas as I am typing this that could be beneficial. I am happy of course to share with anyone interested.

Sure, people can post pretty much what they want and people can choose to use or ignore, but we are a bit past that argument now. There has been (to use your method) *zero* technical reasons supporting the argument of blocking these prefixes. If you know of one, please voice it.

ps. I have also received posts offline about the support for blocking gmail / hotmail / whatever. I can appreciate that it is your own personal infrastructure, you have your reasons, and if it works for you then good. I certainly wouldn't do it for my customers, otherwise they would constantly call. Phone spam :)
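As an added example (not from the thread or any of its participants) of the sanity checking and removal process Heath argues for before a posted "block this prefix" recommendation reaches a router: a Python review step that rejects malformed or overly broad prefixes, entries with no evidence reference, origin ASNs outside the valid range, and prefixes that overlap the operator's own or customer space, and stamps every accepted rule with a review-by date so it gets removed rather than forgotten. It goes slightly beyond the thread by adding the overlap and ASN checks; the protected networks, ASNs, thresholds and proposals are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed stand-in for the operator's own and customer address space:
# a posted "block this" prefix must never swallow any of it.
PROTECTED_SPACE = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
MAX_SPAN_PREFIXLEN = 16   # anything broader than a /16 goes to a human, not a router
REVIEW_AFTER_DAYS = 30    # every accepted rule carries a date to re-check and remove it


@dataclass
class BlockProposal:
    prefix: str             # as posted, possibly wrong
    origin_asn: int         # ASN the poster claims originates it
    evidence: str = ""      # ticket, honeypot report or URL; empty means none given


@dataclass
class ReviewResult:
    accepted: list = field(default_factory=list)  # (network, asn, review_by_date)
    rejected: list = field(default_factory=list)  # (posted prefix, reason)


def review_proposals(proposals, today=date(2010, 9, 29)):
    """Sanity-check block recommendations before they touch any configuration."""
    result = ReviewResult()
    for p in proposals:
        try:
            # strict=True refuses host bits set, e.g. 10.0.0.1/24 (a mistyped prefix)
            net = ipaddress.ip_network(p.prefix, strict=True)
        except ValueError as exc:
            result.rejected.append((p.prefix, f"invalid prefix: {exc}"))
            continue
        if net.prefixlen < MAX_SPAN_PREFIXLEN:
            result.rejected.append((p.prefix, "too broad, needs manual review"))
            continue
        if any(net.overlaps(keep) for keep in PROTECTED_SPACE):
            result.rejected.append((p.prefix, "overlaps protected/customer space"))
            continue
        if not 0 < p.origin_asn < 2**32:
            result.rejected.append((p.prefix, "origin ASN out of range"))
            continue
        if not p.evidence.strip():
            result.rejected.append((p.prefix, "no evidence reference supplied"))
            continue
        result.accepted.append((net, p.origin_asn, today + timedelta(days=REVIEW_AFTER_DAYS)))
    return result
```

Anything in `rejected` is exactly the material that needs the peer review the thread is missing; `accepted` entries still carry their evidence trail and an expiry to act on.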
Is this not what the Team Cymru Bogons list is for? http://www.team-cymru.org/Services/Bogons/

List bad ASNs after proper investigation?

It then depends if you trust Team Cymru or not, like you would or would not trust Spamhaus...

----- Original Message -----
From: "Heath Jones" <hj1980@gmail.com>
To: "Robert Bonomi" <bonomi@mail.r-bonomi.com>
Cc: nanog@nanog.org
Sent: Wednesday, 29 September, 2010 4:38:12 PM
Subject: Re: AS11296 -- Hijacked?
Is this not what the Team Cymru Bogons list is for? http://www.team-cymru.org/Services/Bogons/

I just had a very quick look at that site and it seems at first glance to just be providing information on unallocated prefixes/ASs. They are prefixes/ASs that spammers can and do use, but if you have a look at cidr report or potaroo then you will see that an ISP who filters based on that will cause some issues (allocation records are not always up to date).

List bad ASNs after proper investigation?

Not really, just based on registry information as far as I can see. For instance, if a known and stable AS suddenly started originating spam, it doesn't look like that would appear on the site.

It then depends if you trust Team Cymru or not, like you would or would not trust Spamhaus...

Trust will always be the issue. Peer review and communication is one way of building trust.
Then you have: http://www.uceprotect.net/en/rblcheck.php which has a level to identify IPs belonging to an ASN which has been reported as spewing spam... The only issue here is that this site has listed whole countries... Yes, some countries are behind one ASN only...

----- Original Message -----
From: "Heath Jones" <hj1980@gmail.com>
To: "Franck Martin" <franck@genius.com>
Cc: nanog@nanog.org
Sent: Wednesday, 29 September, 2010 5:22:02 PM
Subject: Re: AS11296 -- Hijacked?