Karl Denninger <karl@Denninger.Net> writes:
On Thu, Nov 19, 1998 at 12:51:05PM -0800, George Herbert wrote:
Karl Denninger <karl@Denninger.Net> writes:
[...] The collusive aspect of this is downright scary, especially when coupled with threats of depeering, active denial of service attacks, etc.
Let's put two scenarios forwards. [...] In the first case, there is clearly a connection between the spamming and the website that gets RBLed; it was directly advertised by the spams. That direct link is sufficient under current RBL rules and meets my definition of terminatable customer. In the second case, one of the sites meets the above definition, but the sites at U and V (which may be for completely unrelated subsidiaries or groups within B) don't necessarily. This might begin to approach an illegal blacklist. The question is, are any cases similar to scenario 2 actually happening? As far as I know, no. Companies that have many websites that are having all their ISPs pressed to nuke them generally are spamming to advertise most or all of them, not just one or a few.
Ok, let's put another scenario out there, one which IS somewhat likely:

Company A has a web site hosted at ISP Z, and a bunch of throw-away dial-up accounts on ISPs P, Q, R and S. They spam through P, Q, R and S, advertising the site hosted at ISP Z and giving a "freemail" (ie: hotmail, juno, etc) reply EMAIL address.

All four of those dial providers cut *THE SPAMMER* off.

The spammed people also complain to ISP Z, and ISP Z tells the complainers to stuff it, because (1) there is no PROOF that Company "A" actually did the spamming, and (2) no offensive data was emitted by ISP Z's machines.

ISP Z gets RBLd, even though *ISP Z* was not a party to the spamming, and ISP Z *never touched or emitted the spam*. Worse, what gets RBLd is ISP Z's mail server, which (if Company A is web hosting there ONLY) was not only uninvolved, but is irrelevant to the offense (since ISP Z only sold Company "A" web service).

ISP Z has just had its business policies dictated by unrelated people and NOT because they committed (either directly or through a customer acting on their system) an offense - further, OTHER customers of ISP Z (who buy mail service from them) have been harmed, even though (1) ISP Z wasn't involved in the infraction, (2) Company "A" didn't do anything objectionable *ON* ISP Z, or THROUGH ISP Z's equipment, and (3) the sanction is not in any way related to the offense (ISP Z's mail service is damaged, although their mail server was not abused, and in fact Company A doesn't get their mail through ISP Z).
While your scenario is a distinct possible problem with a RBL-like list, I don't think it's possible under the existing RBL rules and procedures that exist. [Please keep in mind in the following that I am not an RBL volunteer, so I may be getting details wrong... Dave and Paul are on nanog and can correct anything I misstate, though, I assume]

RBL policy is that they won't block anything more general than is warranted by particular spam complaints and the subsequent actions in response to those complaints or to a pattern of complaints. For example, a bunch of complaints come in reporting that various dialups spammed ads for www.biteme.com, a masochist oriented porn site, which is hosted on an IP address which is part of wehost.net . The proper procedure is that people complaining to RBL have to have contacted wehost.net and not gotten appropriate responses. RBL people will (always?) contact wehost.net for a final warning and status check prior to the block, and will only block the /32 corresponding to www.biteme.com's actual IP address. Thus, no wehost.net customer other than biteme will be inconvenienced.

What begins to approach your scenario is the situation where wehost.net has had a really significant number of customers who did the same thing and refused to act appropriately about any of them. At that point, (that point being defined somewhat nebulously here, but bear with me), it changes from an innocent ISP scenario to one where the ISP is acting as a knowledgeable and culpable host to multiple spamming sites. At that point, the ISP may be acted against as a whole, under current RBL rules. But not before.

So yes, under (as I understand them) existing RBL rules, it is possible for purely innocent parties to get bitten (other non-spam related customers of wehost.net) if the ISP fails to respond properly for a significant length of time and number of incidents. I feel that's fair; if the ISP becomes the problem, then they should feel some heat.
As long as the criteria for the ISP being RBLed as a whole are sufficiently demanding so ISPs that are merely slow or not-entirely-cooperative don't get unnecessarily RBLed, that makes sense to me.

-george william herbert gherbert@crl.com
I neither speak for nor work for CRL at this time.
On Thu, Nov 19, 1998 at 01:58:40PM -0800, George Herbert wrote:
RBL policy is that they won't block anything more general than is warranted by particular spam complaints and the subsequent actions in response to those complaints or to a pattern of complaints. For example, a bunch of complaints come in reporting that various dialups spammed ads for www.biteme.com, a masochist oriented porn site, which is hosted on an IP address which is part of wehost.net . The proper procedure is that people complaining to RBL have to have contacted wehost.net and not gotten appropriate responses. RBL people will (always?) contact wehost.net for a final warning and status check prior to the block, and will only block the /32 corresponding to www.biteme.com's actual IP address. Thus, no wehost.net customer other than biteme will be inconvenienced.
That does nothing at all, since the only listener on www.biteme.com's address is a web server.
So yes, under (as I understand them) existing RBL rules, it is possible for purely innocent parties to get bitten (other non-spam related customers of wehost.net) if the ISP fails to respond properly for a significant length of time and number of incidents. I feel that's fair; if the ISP becomes the problem, then they should feel some heat. As long as the criteria for the ISP being RBLed as a whole are sufficiently demanding so ISPs that are merely slow or not-entirely-cooperative don't get unnecessarily RBLed, that makes sense to me.
That's not the scenario that was postulated and led to the latest threat.

--
--
Karl Denninger (karl@denninger.net) http://www.mcs.net/~karl
I ain't even *authorized* to speak for anyone other than myself, so give up now on trying to associate my words with any particular organization.