RE: Spam. Again.. -- and blocking net blocks?
Quick Comment as a NANOG lurker and SPEWS lurker (news.admin.net-abuse.email). I'm not defending SPEWS, don't speak for SPEWS but will describe what I understand happens:

SPEWS initially lists offending IP address blocks from non-repentant SPAM sources. If the upstream ISP does nothing about it, that block tends to expand to neighboring blocks to gain the attention of the ISP.

High level concept:

Block the SPAMMER
  - ISP Does nothing
Block the SPAMMER's Neighboring Blocks (Collateral Damage)
  - Motivates neighbors to find new Upstream/Isp
  - Motivates neighbors to complain to upstream/ISP
  - Gains the attention of the Upstream/ISP
Expand the Block
  - Ditto
Block the ISP as a whole

The SPEWS concept prevents an ISP from allowing spammers on some blocks while trying to service legitimate customers on others. For an ISP - it is either all or none over time, you support spammers and are blocked as a whole (to include innocent customers).

If you do end up mistakenly on SPEWS or take care of your spamming customers - you can appeal to them at news.admin.net-abuse.email, get flamed pretty bad, and eventually fall off the list.

I do personally like the idea of holding the ISP as a whole accountable over time. An ISP can stay off spews, I've never had a block listed - though when I'm in a decision making position, I've never tolerated a spammer.

Hansel

-----Original Message-----
From: Michael.Dillon@radianz.com [mailto:Michael.Dillon@radianz.com]
Sent: Tuesday, December 10, 2002 08:36
To: MSegal@FUTUREWAY.CA
Cc: nanog@nanog.org; owner-nanog@merit.edu
Subject: Re: Spam. Again.. -- and blocking net blocks?
Problem: For some reason, spews has decided to now block one of our /19.. Ie no mail server in the /19 can send mail.
Questions: 1) How do we smack some sense into spews?
Make it easy for them to identify the fact that your downstream ISP customer has allocated that /32 to a separate organisation. This is what referral whois was supposed to do but it never happened because development of the tools fizzled out. If SPEWS could plug guilty IP addresses into an automated tool and come up with an accurate identification of which neighboring IP addresses were tainted and which were not, then they wouldn't use such crude techniques. Imagine a tool which queries the IANA root LDAP server for an IP address. The IANA server refers them to ARIN's LDAP server because this comes from a /8 that was allocated to ARIN. Now ARIN's server identifies that this address is in your /19 so it refers SPEWS to your own LDAP server. Your server identifies your customer ISP as the owner of the block, or if your customer has been keeping the records up to date with a simple LDAP client, your server would identify that the guilty party is indeed only on one IP address. Of course, this won't stop SPEWS from blacklisting you. But it enables SPEWS to quickly identify the organization (your customer ISP) that has a business relationship with the offender so that SPEWS is more likely to focus their attentions on these two parties.
2) Does anyone else see a HUGE problem with listing a /19 because there is one /32 of a spam advertised website? When did this start happening?
It's a free country, you can't stop people like the SPEWS group from expressing their opinions. As long as people are satisfied with crude tools for mapping IP address to owner, this kind of thing will continue to happen. --Michael Dillon
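The referral lookup Michael Dillon sketches above (root server refers to the RIR, the RIR refers to the /19 holder, the holder's own records point at the customer's /32) as an added Python example that is not from the original thread. Every server name, network and holder below is a constructed stand-in, and the LDAP referrals are replaced by an in-memory dictionary walk; the point it shows is that longest-prefix matching plus referrals narrows the listable scope to one /32 instead of the whole /19.

```python
import ipaddress

# Constructed registry data (hypothetical; not real IANA, ARIN or ISP records).
# Each "server" maps a network to (holder, server-to-refer-to or None).
SERVERS = {
    "iana-root": {
        "10.0.0.0/8": ("IANA", "arin"),
    },
    "arin": {
        "10.0.0.0/8": ("ARIN", None),
        "10.20.0.0/19": ("Example NSP", "nsp"),          # the listed /19
    },
    "nsp": {
        "10.20.0.0/19": ("Example NSP", None),
        "10.20.0.0/22": ("Example NSP mail servers", None),
        "10.20.8.0/22": ("Example Customer ISP", "customer-isp"),
    },
    "customer-isp": {
        "10.20.8.0/22": ("Example Customer ISP", None),
        "10.20.9.17/32": ("Spamvertised Webhost (hypothetical)", None),
    },
}

def longest_match(records, ip):
    """Most specific record on one server that contains ip, or None."""
    best = None
    for net_str, (holder, referral) in records.items():
        net = ipaddress.ip_network(net_str)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, holder, referral)
    return best

def resolve(ip_str, start="iana-root", max_hops=8):
    """Follow referrals from the root down to the most specific record.
    Returns the chain of (server, network, holder) visited, root first."""
    ip = ipaddress.ip_address(ip_str)
    chain, server = [], start
    for _ in range(max_hops):   # bound the walk so a referral loop cannot hang us
        rec = longest_match(SERVERS[server], ip)
        if rec is None:
            break
        net, holder, referral = rec
        chain.append((server, str(net), holder))
        if referral is None or referral == server:
            break
        server = referral
    return chain

def listing_scope(ip_str):
    """Narrowest (network, holder) a blocklist could list for this address."""
    chain = resolve(ip_str)
    return chain[-1][1:] if chain else None
```

Two addresses inside the same /19 resolve to different holders, so a list built on this data could target the /32 and leave the NSP's own mail servers alone.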
I could understand if an ISP was allowing spam from a portion of their network. But in this case the only thing that the ISP did is host a website, the SPAM was sent from a third party's network. The ISP did terminate the customer but in the meantime the entire NSP's network has been blacklisted, for a rogue webhosting account does sound a bit harsh.

At 12:08 -0800 12/10/2002, Lee, Hansel wrote:
Quick Comment as a NANOG lurker and SPEWS lurker (news.admin.net-abuse.email). I'm not defending SPEWS, don't speak for SPEWS but will describe what I understand happens:
SPEWS initially lists offending IP address blocks from non-repentant SPAM sources. If the upstream ISP does nothing about it, that block tends to expand to neighboring blocks to gain the attention of the ISP.
High level concept:

Block the SPAMMER
  - ISP Does nothing
Block the SPAMMER's Neighboring Blocks (Collateral Damage)
  - Motivates neighbors to find new Upstream/Isp
  - Motivates neighbors to complain to upstream/ISP
  - Gains the attention of the Upstream/ISP
Expand the Block
  - Ditto
Block the ISP as a whole
The SPEWS concept prevents an ISP from allowing spammers on some blocks while trying to service legitimate customers on others. For an ISP - it is either all or none over time, you support spammers and are blocked as a whole (to include innocent customers).
If you do end up mistakenly on SPEWS or take care of your spamming customers - you can appeal to them at news.admin.net-abuse.email, get flamed pretty bad, and eventually fall off the list.
I do personally like the idea of holding the ISP as a whole accountable over time. An ISP can stay off spews, I've never had a block listed - though when I'm in a decision making position, I've never tolerated a spammer.
Hansel
-----Original Message-----
From: Michael.Dillon@radianz.com [mailto:Michael.Dillon@radianz.com]
Sent: Tuesday, December 10, 2002 08:36
To: MSegal@FUTUREWAY.CA
Cc: nanog@nanog.org; owner-nanog@merit.edu
Subject: Re: Spam. Again.. -- and blocking net blocks?
Problem: For some reason, spews has decided to now block one of our /19.. Ie no mail server in the /19 can send mail.
Questions: 1) How do we smack some sense into spews?
Make it easy for them to identify the fact that your downstream ISP customer has allocated that /32 to a separate organisation. This is what referral whois was supposed to do but it never happened because development of the tools fizzled out.
If SPEWS could plug guilty IP addresses into an automated tool and come up with an accurate identification of which neighboring IP addresses were tainted and which were not, then they wouldn't use such crude techniques.
Imagine a tool which queries the IANA root LDAP server for an IP address. The IANA server refers them to ARIN's LDAP server because this comes from a /8 that was allocated to ARIN. Now ARIN's server identifies that this address is in your /19 so it refers SPEWS to your own LDAP server. Your server identifies your customer ISP as the owner of the block, or if your customer has been keeping the records up to date with a simple LDAP client, your server would identify that the guilty party is indeed only on one IP address.
Of course, this won't stop SPEWS from blacklisting you. But it enables SPEWS to quickly identify the organization (your customer ISP) that has a business relationship with the offender so that SPEWS is more likely to focus their attentions on these two parties.
2) Does anyone else see a HUGE problem with listing a /19 because there is one /32 of a spam advertised website? When did this start happening?
It's a free country, you can't stop people like the SPEWS group from expressing their opinions. As long as people are satisfied with crude tools for mapping IP address to owner, this kind of thing will continue to happen.
--Michael Dillon
-- Scott A Silzer
On Tue, 10 Dec 2002 15:45:29 -0500, Scott Silzer wrote:
I could understand if an ISP was allowing spam from a portion of their network. But in this case the only thing that the ISP did is host a website, the SPAM was sent from a third party's network. The ISP did terminate the customer but in the meantime the entire NSP's network has been blacklisted, for a rogue webhosting account does sound a bit harsh.
A spam blocking service that worked that way would be useless. Anyone could get any site they didn't like blacklisted simply by spamvertising it. Anyone who uses a spam blocking list that works that way is DoSing themselves. DS
I'm not taking sides here, but do want to mention some other aspects:

Unnamed Administration sources reported that Scott Silzer said:
I could understand if an ISP was allowing spam from a portion of there (sic) network. But in this case the only thing that the ISP did is host a website, the SPAM was sent from a third party's network. The ISP did terminate the customer but in the meantime the entire NSP's network has been blacklisted, for a rogue webhosting account does sound a bit harsh.
Excuse me, the ONLY thing?

I don't think it's quite fair to condemn a whole program because of a single slip-up.
    General "Buck" Turgidson

Since 90% of the spam I get is relay-raped off of some .kr/cn site, I'd say the gonads^H^Hweb address is exactly the correct target. It's the asset in place.

What's missing in your report is timeframes. How long was the spamsite up? When did the first report hit .sightings? Were there responses from abuse@, postmaster@ etc?

For the record, my view on SPEWS is this....

0) I'm less than comfortable with it but...
1) It would not exist if there was not a demand for it; after all, it's powerless if no mail host looks at it.
2) The fact there is so much heat over it is proving its impact.
3) Past, more moderate approaches proved very ineffective, for reasons of policy or getting sued into silence.
4) Like it or not, it IS waking up large carriers who have previously turned a blind eye.
5) No one has offered a better solution so far. As Perot said - "I'm all ears.."

--
A host is a host from coast to coast.................wb8foz@nrk.com
& no one will talk to a host that's close........[v].(301) 56-LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433
Hello Hansel,

Tuesday, December 10, 2002, 3:08:20 PM, you wrote:

LH> The SPEWS concept prevents an ISP from allowing spammers on some blocks
LH> while trying to service legitimate customers on others. For an ISP - it is
LH> either all or none over time, you support spammers and are blocked as a
LH> whole (to include innocent customers).

Not speaking for or against SPEWS, but couldn't this eventually work against people using the list? If I were a spammer I would keep signing up for accounts, and getting larger and larger blocks of IP Addresses added to the SPEWS list. Eventually, so many blocks would be added to the list, that it would make SPEWS worthless. Once SPEWS is worthless, people will stop using it, and the spammers win.

allan

--
Allan Liska
allan@allan.org
http://www.allan.org
participants (5)
- Allan Liska
- David Lesher
- David Schwartz
- Lee, Hansel
- Scott Silzer