RE: Schneier: ISPs should bear security burden
Unfortunately, a lot of static "business" DSL IP space is still on those lists and legitimate mail servers can get blocked. I usually use the DUL as a "white list" to negate hits on the traditional dnsbls since those are almost always stale.

- Mark

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Dave Rand
Sent: Friday, April 29, 2005 4:07 AM
To: Steve Sobol; Mark Newton
Cc: Owen DeLong; Bill Stewart; North American Networking and Offtopic Gripes List
Subject: Re: Schneier: ISPs should bear security burden

[In the message entitled "Re: Schneier: ISPs should bear security burden" on Apr 28, 10:20, "Steve Sobol" writes:]
There are some basic rules of thumb you can use. The problem is that they're not guaranteed to work. The best solution was created years ago (Gordon Fecyk's DUL, which lists IP ranges the ISPs specifically register as dynamic/not supposed to host servers) and eventually came under the purview of Kelkea/MAPS, but there wasn't a ton of ISP buy-in. If we could create a similar list and actually get ISPs to register the appropriate netblocks (and not mix in IPs where servers are allowed, and IPs where they aren't, in the same block), that'd be great.
Dunno what a ton of ISP buy-in is, but the MAPS DUL now contains about 190,000,000 entries. We've been working on it very hard for the last year or two. Most ISP-level subscribers figure it stops a pretty large percentage of the compromised-home-computer spam. --
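The DUL-as-whitelist policy Mark Miller describes above, as an added example that is not part of this thread and not MAPS or any ISP's code: it shows how a DNSBL such as the DUL is queried (reversed address labels under the list zone, loopback answers as listing codes), the RFC 5782 sanity check that catches a lapsed list before it blocks everything, and one reading of the policy in which a traditional DNSBL hit is only honoured when the DUL corroborates that the source is dynamic space. The zone names are placeholders, and a dict stands in for DNS so the example runs offline.

```python
# Added example (not from the NANOG thread, MAPS, or any ISP): how a DNSBL
# such as the MAPS DUL is queried, and one reading of the policy above in
# which a traditional DNSBL hit is honoured only when the DUL also lists the
# address as dynamic. Zone names are placeholders, and a dict stands in for
# DNS so the example runs offline.
import ipaddress
from typing import Dict, List, Mapping, Sequence

DUL_ZONE = "dul.example"                                  # assumption: placeholder zone
TRADITIONAL_ZONES = ("bl-one.example", "bl-two.example")  # assumption: placeholders
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the address and append the list zone (RFC 5782 convention).

    192.0.2.10 in dul.example -> 10.2.0.192.dul.example; IPv6 addresses
    are reversed nibble by nibble (32 labels) instead of by octet.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def lookup(ip: str, zone: str, resolver: Mapping[str, Sequence[str]]) -> List[str]:
    """Return the 127.0.0.x listing codes for ip in zone ([] if unlisted).

    `resolver` maps a query name to its A records.  Only loopback answers
    count: a list whose domain has lapsed may resolve everything to a
    parking address, and treating that as a hit would block all mail.
    """
    answers = resolver.get(dnsbl_query_name(ip, zone), ())
    return [a for a in answers if ipaddress.ip_address(a) in LOOPBACK]


def list_is_sane(zone: str, resolver: Mapping[str, Sequence[str]]) -> bool:
    """RFC 5782 health check: 127.0.0.2 must be listed and 127.0.0.1 must not.

    A dead or wildcarded list fails this and should be dropped from the
    lookup chain rather than trusted.
    """
    return bool(lookup("127.0.0.2", zone, resolver)) and not lookup("127.0.0.1", zone, resolver)


def verdict(ip: str, resolver: Mapping[str, Sequence[str]],
            dul_zone: str = DUL_ZONE,
            zones: Sequence[str] = TRADITIONAL_ZONES) -> Dict[str, object]:
    """Combine the lists.  Only zones that pass list_is_sane are consulted.

    Policy (one reading of the post above): reject when a traditional list
    hits AND the DUL confirms the source is dynamic space; a traditional
    hit the DUL does not corroborate is treated as stale and accepted; a
    DUL-only hit is accepted but reported so the operator can tag it.
    """
    live = [z for z in zones if list_is_sane(z, resolver)]
    dul = lookup(ip, dul_zone, resolver) if list_is_sane(dul_zone, resolver) else []
    hits = {z: codes for z in live if (codes := lookup(ip, z, resolver))}
    if hits and dul:
        action, reason = "reject", "dynamic space corroborated by traditional list"
    elif hits:
        action, reason = "accept", "traditional hit not in DUL; treated as stale"
    elif dul:
        action, reason = "accept", "DUL-only hit; tag rather than block"
    else:
        action, reason = "accept", "not listed"
    return {"action": action, "reason": reason, "dul": dul, "hits": hits}


# Constructed sample resolver (not real list data).
SAMPLE_RESOLVER: Dict[str, Sequence[str]] = {}
for _zone in (DUL_ZONE,) + TRADITIONAL_ZONES:
    SAMPLE_RESOLVER[dnsbl_query_name("127.0.0.2", _zone)] = ["127.0.0.2"]  # RFC 5782 test entry
SAMPLE_RESOLVER[dnsbl_query_name("192.0.2.10", DUL_ZONE)] = ["127.0.0.3"]
SAMPLE_RESOLVER[dnsbl_query_name("192.0.2.10", "bl-one.example")] = ["127.0.0.2"]
SAMPLE_RESOLVER[dnsbl_query_name("192.0.2.20", "bl-two.example")] = ["127.0.0.2"]
SAMPLE_RESOLVER[dnsbl_query_name("198.51.100.5", DUL_ZONE)] = ["127.0.0.3"]
# A lapsed list that answers everything, including 127.0.0.1: fails the sanity check.
DEAD_ZONE = "dead.example"
for _ip in ("127.0.0.1", "127.0.0.2", "192.0.2.30"):
    SAMPLE_RESOLVER[dnsbl_query_name(_ip, DEAD_ZONE)] = ["127.0.0.2"]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "198.51.100.5"):
        print(ip, verdict(ip, SAMPLE_RESOLVER))
```

The sanity check is the piece most often skipped in MTA configs: a list that has gone dark and wildcarded its zone will list 127.0.0.1 as well as 127.0.0.2, and dropping it from the chain automatically is cheaper than discovering the problem from a bounced mail queue.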
On Fri, 29 Apr 2005, Miller, Mark wrote:
Unfortunately, a lot of static "business" DSL IP space is still on those lists and legitimate mail servers can get blocked. I usually use the DUL as a "white list" to negate hits on the traditional dnsbls since those are almost always stale.
<assertion type="applies to USA, don't know about other countries"> That's because the ILECs, especially, don't feel the need to separate IPs on which servers are allowed, and IPs on which they aren't. SBC is the worst in this regard. No separation, no custom reverse DNS for DSL customers, no way to be absolutely certain if sending mail from a specific IP is a violation of SBC's TOS. </assertion>

I've noticed that you work for Qwest. If the people designing your network DO have enough clue to separate IPs, bravo... but my experience is that many ISPs, especially ILECs/RBOCs, don't.

--
JustThe.net - Apple Valley, CA - http://JustThe.net/ - 888.480.4NET (4638)
Steven J. Sobol, Geek In Charge / sjsobol@JustThe.net / PGP: 0xE3AE35ED
"The wisdom of a fool won't set you free" --New Order, "Bizarre Love Triangle"
In article <Pine.LNX.4.44.0504291735310.2745-100000@amethyst.justthe.net> you write:
On Fri, 29 Apr 2005, Miller, Mark wrote:
Unfortunately, a lot of static "business" DSL IP space is still on those lists and legitimate mail servers can get blocked. I usually use the DUL as a "white list" to negate hits on the traditional dnsbls since those are almost always stale.
<assertion type="applies to USA, don't know about other countries"> That's because the ILECs, especially, don't feel the need to separate IPs on which servers are allowed, and IPs on which they aren't. SBC is the worst in this regard. No separation, no custom reverse DNS for DSL customers, no way to be absolutely certain if sending mail from a specific IP is a violation of SBC's TOS. </assertion>
I've noticed that you work for Qwest. If the people designing your network DO have enough clue to separate IPs, bravo... but my experience is that many ISPs, especially ILECs/RBOCs, don't.
--
JustThe.net - Apple Valley, CA - http://JustThe.net/ - 888.480.4NET (4638)
Steven J. Sobol, Geek In Charge / sjsobol@JustThe.net / PGP: 0xE3AE35ED
"The wisdom of a fool won't set you free" --New Order, "Bizarre Love Triangle"
Well, OptusNet's cable ranges are in the DUL despite OptusNet filtering outbound 25 by default. You can get port 25 outbound opened on request, but it doesn't do you any good when you are listed in the DUL. It doesn't matter if the address belongs to a business or a residential user. Everyone has the right to send email directly.

As far as I can see, the only reason for the DUL existing is that ISPs are too slow at reacting to abuse reports and/or fail to send messages to say what action they took. People got fed up with abuse@* being a blackhole from which, if they were lucky, they got an automatic acknowledgement of their messages. In the end people reacted the way you would expect them to react when they perceive that they are being ignored. They stopped reporting and turned to other means (DUL, SpamAssassin, etc.).

Mark
participants (3)
- Mark Andrews
- Miller, Mark
- Steven J. Sobol