Question concerning authoritative bodies.
On Sun, Mar 09, 2003 at 10:58:18AM -0600, Jack Bates wrote:
And this is what makes DNSBLs a good deal. Mark is asking for trouble with his theories. If every ISP and business issues its own scans, we only succeed in making scanning traffic worse than spam itself at a server resource level. We also increase the administration factor when mistakes are made. Instead of contacting 3-5 DNSBLs, one must contact every ISP that happened to do a scan during the outage period. Centralizing scanning for security issues is a good thing in every way. It is the responsible
Here's the background: From: "Rich Kulawiec" on Spam-L mailing list thing to do.
I must reluctantly agree. (The reluctance stems from my desire not to intrude on others' networks. However, it's been overcome by the reluctance to be abused by those networks.)
Centralized, or quasi-centralized, scanning with appropriate safeguards (to minimize frequency) and appropriate assignment of responsibility, beats the heck out of having thousands of independent entities repeating the same scans and thus adding to the collective misery.
If we agree on this (and I don't know that we all do) then the debate shifts to "who?" and "how?".
So I'm curious what people think. We have semi centralized various things in the past such as IP assignments and our beloved DNS root servers. Would it not also make sense to handle common security checks in a similar manner? In creating an authority to handle this, we cut back on the amount of noise issued. I bring this up because the noise is getting louder. More and more networks are issuing their own relay and proxy checks. At this rate, in a few years, we'll see more damage done to server resources by scanners than we do from spam and those who would exploit such vulnerabilities. I know that this is more service level than network level, except for the arguments continue to escalate over the rights of people to scan a network. These arguments would be diminished if an authoritative body handled it in a proper manner. At what point do we as a community decide that something needs to be done? Would it not be better to have a single test suite run against a server once every six months than the constant bombardment we see now? -Jack
On Sun, 09 Mar 2003 11:50:04 CST, Jack Bates <jbates@brightok.net> said:
So I'm curious what people think. We have semi centralized various things in the past such as IP assignments and our beloved DNS root servers. Would it not also make sense to handle common security checks in a similar manner? In
IP assignments are factual things of record - AS1312 has 198.82/16 and 128.173/16, and no amount of value judgments will change that. And yet, there's scattered complaints about what it takes to get a /19 to multihome. DNS servers are similarly "things of record". This organization has this domain, and their servers are found where the NS entries point. And the dispute resolution process is, in a word, a total mess - how many *years* has the sex.com debacle dragged on now? So who do you trust to be objective enough about a centralized registry of security, especially given that there's no consensus on what a proper level of security is? And if there's a problem, what do you do? In our case, do you ban an entire /16 because one chucklehead sysadmin forgot to patch up IIS (or wasn't able to - I know of one case where one of our boxes got hacked while the primary sysadmin was recovering from a heart bypass). Dropping a note to our abuse@ address will probably get it fixed, but often we're legally not *ABLE* to say much more than "we got your note and we'll deal with the user" - Buckley Amendment is one of those laws that I'm glad is there, even if it does make life difficult sometimes.
needs to be done? Would it not be better to have a single test suite run against a server once every six months than the constant bombardment we see now?
I submit to you the thesis that in general, the sites that are able to tell the difference between these two situations are not the sites that either situation is trying to detect. -- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech
----- Original Message ----- From: <Valdis.Kletnieks@vt.edu> To: "Jack Bates" <jbates@brightok.net> Cc: <nanog@merit.edu> Sent: Sunday, March 09, 2003 12:31 PM Subject: Re: Question concerning authoritative bodies.
So who do you trust to be objective enough about a centralized registry of security, especially given that there's no consensus on what a proper level of security is? And if there's a problem, what do you do? In our case, do you ban an entire /16 because one chucklehead sysadmin forgot to patch up IIS (or wasn't able to - I know of one case where one of our boxes
There are private systems in use today like NJABL which act as centralized resources. I believe that it is possible to come to an agreement on a standardized test suit that can be used and what the variables concerning # of scans and how frequent should be set to. I'm not suggesting a full security evaluation of networks, but a detection mechanism that can be used as a resource to recognized standard issues, primarily protecting email which is one of our most utilized resources.
I submit to you the thesis that in general, the sites that are able to tell the difference between these two situations are not the sites that either situation is trying to detect.
I agree for the most part (excluding RoadRunner given recent events). However, the sites that are able to tell the difference suffer the costs of scans just the same while everyone tries to detect those unable to tell the difference. And as I mentioned, you always have situations like RoadRunner arise where a detection was needed, but they are able to detect the scans and issue complaints even when they were in fault. The goal is to provide a service that many require to limit the amount of noise currently generated. I do not think that we can necessarily scan and analyze every security problem. However, I do think that there are no-brainer security issues that can be detected which the public demands they be protected from. In particular open SMTP relay and unsecured proxy/socks servers. Detection, of say, the latest sendmail or saphire exploits is not as critical. We can passively detect these things from their own abuse. We cannot passively detect open proxies and smtp relays. -Jack
On Sun, 09 Mar 2003 13:09:14 CST, Jack Bates said:
There are private systems in use today like NJABL which act as centralized
private systems. Plural. Because..
resources. I believe that it is possible to come to an agreement on a standardized test suit that can be used and what the variables concerning # of scans and how frequent should be set to. I'm not suggesting a full
Forgive my cynicism, but... you're saying this on the same mailing list where it's possible to start a flame-fest by saying that ISP's should ingress-filter RFC1918 source addresses so they don't pollute the net at large? ;) I've been participating in the Center for Internet Security development of security benchmarks - it was hard enough to get me, Hal Pomeranz, and the reps from DISA and NSA to agree on standards for sites to apply *to themselves*. There's a lot of things that I think are good ideas that I don't want other sites checking for, no matter how well intentioned they are. I'd just *LOVE* to hear how you intend to avoid the same problems that the crew from ORBS ran into with one large provider who decided to block their probes. Failing to address that scenario will guarantee failure....
I'd just *LOVE* to hear how you intend to avoid the same problems that the crew from ORBS ran into with one large provider who decided to block their
From: Valdis.Kletnieks probes.
Failing to address that scenario will guarantee failure....
Run the probes from the DNS root servers. Problem solved. Go ahead and block them. haha. Seriously, I do understand that some networks would block the probes. This is to be expected. Many of these same networks block probes from current lists or issue "do not probe" statements. A network is more likely to concede to tests from a central authority that limits what is tested and how often if it means the reduction of scans from numerous sources for lists such as DSBL. The only way such a resource would work is if the largest networks back it. Blocking the scans at a TCP/IP level is easily detectable. Provider received email from said server, IP was submitted for testing, no connection can be established to said server. Place it in the "wouldn't allow scan list". Politely ask AOL to use the "wouldn't allow scan list" for all inbound smtp connections. People want the abuse of unsecured relays for smtp stopped. I'm afraid it is a choice of the lesser of two evils. The scans are going to happen no matter what. The question is, will administrators accept that a single run of a test suite on a server that has established connections to other servers is better than just having the entire 'net issuing their own scans? Am I wrong in assuming that a majority of networks use smtp and do not wish the abuse of their servers? -Jack
On Sun, 9 Mar 2003, Jack Bates wrote:
networks back it. Blocking the scans at a TCP/IP level is easily detectable. Provider received email from said server, IP was submitted for testing, no connection can be established to said server. Place it in the "wouldn't allow scan list". Politely ask AOL to use the "wouldn't allow scan list" for all inbound smtp connections.
Lots of people run outgoing mail servers that don't accept connections from the outside. A scarey number of people run "multihomed" mail servers where traffic comes in on one IP, leaves on another, and the output IP doesn't listen for SMTP connections.
People want the abuse of unsecured relays for smtp stopped. I'm afraid it is
Some do. Some see absolutely nothing wrong with their running open relays. You're going to need a serious authority figure with some effective means of backing up their policy to change these minds. BTW...these topics have been discussed before. Before we all get warnings from the nanog list police, have a look at the thread I started back in 8-2001 http://www.cctec.com/maillists/nanog/historical/0108/msg00448.html ---------------------------------------------------------------------- Jon Lewis *jlewis@lewis.org*| I route System Administrator | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On Sun, 9 Mar 2003, Jack Bates wrote:
made. Instead of contacting 3-5 DNSBLs, one must contact every ISP that happened to do a scan during the outage period. Centralizing scanning for security issues is a good thing in every way. It is the responsible thing to do.
This, IMO, is where the real headache lies. If every provider (or just every large provider) has their own private DNSBL, and worse, doesn't do much to document how it works...i.e. how to check if IPs are in it, how to get IPs out of it, then it becomes a major PITA to deal with these providers when one of your servers gets into their list. I've personally dealt with this several times over the past couple years with Earthlink and more recently with AOL. In each case, there was no way (other than 5xx errors or even connections refused) to tell an IP was listed. In each case, there was no documented procedure for getting delisted. In AOL's case, they couldn't even tell us why our mail was being rejected or our connections to their MX's blocked and I had to wait a week for their postmaster dept. to get to my ticket and return my call to fill me in on what was going on.
networks are issuing their own relay and proxy checks. At this rate, in a few years, we'll see more damage done to server resources by scanners than we do from spam and those who would exploit such vulnerabilities.
I doubt that's possible. If an average sized ISP mail server receives messages from, say, a few thousand unique IPs/day, and if that ISP wanted to test every one of those IPs (with some sane frequency limiting of no more than once per X days/weeks/months) then it doesn't take long at all to get through the list. Suppose every one of those servers decided to test you back. Now you're looking at a few thousand tests/day (really a fraction of that if they do any frequency limiting). I've got servers that each reject several hundred thousand (sometimes >1 million) messages/day using a single DNSBL. Also, I suspect consensus on a central authority and testing methods is highly unlikely. People can't agree on "what is spam?" or how to deal with providers who turn a blind eye to spammer customers (spews). How will a single central DNSBL bring all these people with opposing views together? Two obvious reasons for the existence of dozens of DNSBLs are: 1) not agreeing with the policies of existing ones...thus you start your own 2) not trusting existing ones (not being willing to give up control over what you block to some 3rd party), so you start your own I suspect AOL and Earthlink run their own DNSBLs primarily for the second reason. How would you convince them to trust and give up control to a central authority? Even if IANA were to create or bless some existing DNSBL and decree that all IP address holders will submit to testing or have their space revoked (yeah, that'll happen) there would still be those who weren't happy with the central DNSBL thus creating demand for additional ones.
network. These arguments would be diminished if an authoritative body handled it in a proper manner. At what point do we as a community decide that something needs to be done? Would it not be better to have a single test suite run against a server once every six months than the constant bombardment we see now?
Parts of the community have already decided and have helped to create central quasi-authoratative DNSBLs. If nobody uses a DNSBL, who care's what's in it? If a sufficient number of systems use a DNSBL, that creates authority. ---------------------------------------------------------------------- Jon Lewis *jlewis@lewis.org*| I route System Administrator | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Date: Sun, 9 Mar 2003 14:59:05 -0500 (EST) From: jlewis
In AOL's case, they couldn't even tell us why our mail was being rejected or our connections to their MX's blocked and I had to wait a week for their postmaster dept. to get to my ticket and return my call to fill me in on what was going on.
Ewwww. Much better to put a semi-descriptive code in the 5.x.x and give a contact phone number and/or off-net email box.
Parts of the community have already decided and have helped to create central quasi-authoratative DNSBLs. If nobody uses a DNSBL, who care's what's in it? If a sufficient number of
True. It cracks me up when someone complains about being on Selwerd XBL. Eddy -- Brotsman & Dreger, Inc. - EverQuick Internet Division Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 (785) 865-5885 Lawrence and [inter]national Phone: +1 (316) 794-8922 Wichita ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Mon, 21 May 2001 11:23:58 +0000 (GMT) From: A Trap <blacklist@brics.com> To: blacklist@brics.com Subject: Please ignore this portion of my mail signature. These last few lines are a trap for address-harvesting spambots. Do NOT send mail to <blacklist@brics.com>, or you are likely to be blocked.
On Sun, 9 Mar 2003, E.B. Dreger wrote:
True. It cracks me up when someone complains about being on Selwerd XBL.
You may find it funny, but I do not. I get literally dozens, possibly hundreds of calls a year about that moron. He costs us real money in lost cycles. His inclusion in the various "master lists" also hurts the validity of those lists (which I've often wondered over. Is it possible that Selwerd is actually trying to point out the lunacy of [many] lists? -- Yours, J.A. Terranson sysadmin@mfn.org
On Sun, 9 Mar 2003, E.B. Dreger wrote:
In AOL's case, they couldn't even tell us why our mail was being rejected or our connections to their MX's blocked and I had to wait a week for their postmaster dept. to get to my ticket and return my call to fill me in on what was going on.
Ewwww. Much better to put a semi-descriptive code in the 5.x.x and give a contact phone number and/or off-net email box.
There was a multiline message (when our connections weren't just refused or immediately closed). 550-The information presently available to AOL indicates that your server 550-is being used to transmit unsolicited bulk e-mail to AOL. Based on AOL's 550-Unsolicited Bulk E-mail policy at http://www.aol.com/info/bulkemail.html 550-AOL cannot accept further e-mail transactions from your server or your 550-domain. Please have your ISP/ASP contact AOL to resolve the issue at 550 703.265.4670. Trouble was, the people at 703.265.4670 can't help you. They just take your name, number, and some other basic info, and open a ticket that the postmaster group will "get to eventually". On the affected system, I ended up changing the source IP for talking to AOL's servers.
True. It cracks me up when someone complains about being on Selwerd XBL.
xbl.selwerd.cx might be useful for a few points in a spamassassin setup. I don't use it. measl@mfn.org implied that some of the other DNSBLs include selwerd. I'm not aware of any, but I'm sure there are lots of DNSBLs I've never heard of and know nothing about. ---------------------------------------------------------------------- Jon Lewis *jlewis@lewis.org*| I route System Administrator | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
We just had this same exact thing happen to us, but not by AOL, by Comcast. We have alot of aliases pointing to Comcast email addresses, so my best guess is that one or more of them had enough spam or spam bounces going to them to trigger something. Nobody there could tell me exactly what happened, but after a bunch of calls, the delisted our mail server about 3 days later. In the mean time, we just routed the mail going to comcast through another server. On Sun, 9 Mar 2003 jlewis@lewis.org wrote:
On Sun, 9 Mar 2003, E.B. Dreger wrote:
In AOL's case, they couldn't even tell us why our mail was being rejected or our connections to their MX's blocked and I had to wait a week for their postmaster dept. to get to my ticket and return my call to fill me in on what was going on.
Ewwww. Much better to put a semi-descriptive code in the 5.x.x and give a contact phone number and/or off-net email box.
There was a multiline message (when our connections weren't just refused or immediately closed).
550-The information presently available to AOL indicates that your server 550-is being used to transmit unsolicited bulk e-mail to AOL. Based on AOL's 550-Unsolicited Bulk E-mail policy at http://www.aol.com/info/bulkemail.html 550-AOL cannot accept further e-mail transactions from your server or your 550-domain. Please have your ISP/ASP contact AOL to resolve the issue at 550 703.265.4670.
Trouble was, the people at 703.265.4670 can't help you. They just take your name, number, and some other basic info, and open a ticket that the postmaster group will "get to eventually".
On the affected system, I ended up changing the source IP for talking to AOL's servers.
True. It cracks me up when someone complains about being on Selwerd XBL.
xbl.selwerd.cx might be useful for a few points in a spamassassin setup. I don't use it.
measl@mfn.org implied that some of the other DNSBLs include selwerd. I'm not aware of any, but I'm sure there are lots of DNSBLs I've never heard of and know nothing about.
---------------------------------------------------------------------- Jon Lewis *jlewis@lewis.org*| I route System Administrator | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
James Smallacombe PlantageNet, Inc. CEO and Janitor up@3.am http://3.am =========================================================================
On Sun, Mar 09, 2003 at 02:59:05PM -0500, jlewis@lewis.org wrote:
I suspect AOL and Earthlink run their own DNSBLs primarily for the second reason. How would you convince them to trust and give up control to a central authority?
Even if IANA were to create or bless some existing DNSBL and decree that all IP address holders will submit to testing or have their space revoked (yeah, that'll happen) there would still be those who weren't happy with the central DNSBL thus creating demand for additional ones.
Hmm...I would argue that every operator needs to run their own DNSBL. Some operators will simply mirror a central authority, others will ignore some or all of the data in the central authority and the simple case for some operators is to have an empty set. It would be very difficult to convince any operator to give up control of defining their own DNSBL (or even not having one at all). -ron
On Tue, 11 Mar 2003, Ron da Silva wrote:
Hmm...I would argue that every operator needs to run their own DNSBL.
Can you elaborate on why? IMO, there are definite benefits to centralized, shared DNSBLs, especially if testing is involved. Many can benefit from the work done by a few and not have to duplicate the work. If you only DNSBL IPs after you receive spam from them, you have to get spammed by every IP before it's blocked. Why not reject mail from IPs that have spammed others before they spam you and your customers? Though I have problems with the way it's been run, I think that's the idea behind bl.spamcop.net. If they could just restrict nominations to a more clueful group of users, such a system could be very effective for blocking spam everywhere as soon as one system gets hit. For spam from open relays and proxies, a centralized DNSBL that tests the IPs that talk to servers using it can be just as, if not more, effective.
It would be very difficult to convince any operator to give up control of defining their own DNSBL (or even not having one at all).
You can use a central DNSBL without giving up total control. Shortly after I configured servers to use a DNSBL for the first time, I recognized the need for a local DNSWL and have continued to use one ever since. When I setup other people's servers to use DNSBLs, I help them setup a DNSWL and explain how to maintain it. ---------------------------------------------------------------------- Jon Lewis *jlewis@lewis.org*| I route System Administrator | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On Tue, 11 Mar 2003 jlewis@lewis.org wrote:
On Tue, 11 Mar 2003, Ron da Silva wrote:
Hmm...I would argue that every operator needs to run their own DNSBL.
If you only DNSBL IPs after you receive spam from them, you have to get spammed by every IP before it's blocked. Why not reject mail from IPs that have spammed others before they spam you and your customers? Though
I expect this is different in Ron's case since in a single day he gets enough spam to be equivlent to every IP address once. :) So whats an extra day right.. Now if AOL would allow their DNSBL to be mirrored... andy -- PGP Key Available at http://www.tigerteam.net/andy/pgp
On Tue, Mar 11, 2003 at 11:07:18AM -0500, jlewis@lewis.org wrote:
Can you elaborate on why?
You can use a central DNSBL without giving up total control. Shortly after I configured servers to use a DNSBL for the first time, I recognized the need for a local DNSWL and have continued to use one ever since. When I setup other people's servers to use DNSBLs, I help them setup a DNSWL and explain how to maintain it.
Hmm...copy of centralized DNSBL + local DNSWL = local DNSBL ? I guess the point is that centralized data is good in some sense, but utimately mirroring, copying, editing, or selective copy of that data will be done by operators in effect to create their own local DNSBL. -ron
On Wed, 12 Mar 2003, Ron da Silva wrote:
Hmm...copy of centralized DNSBL + local DNSWL = local DNSBL ? I guess the point is that centralized data is good in some sense, but utimately mirroring, copying, editing, or selective copy of that data will be done by operators in effect to create their own local DNSBL.
So where can we get copies of the AOL DNSBL? :) I wonder how many MB the zone file is. ---------------------------------------------------------------------- Jon Lewis *jlewis@lewis.org*| I route System Administrator | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
participants (8)
-
Andy Walden
-
E.B. Dreger
-
J.A. Terranson
-
Jack Bates
-
jlewis@lewis.org
-
Ron da Silva
-
up@3.am
-
Valdis.Kletnieks@vt.edu