Re: [policy] When Tech Meets Policy...
-- "Chris L. Morrow" <christopher.morrow@verizonbusiness.com> wrote:
On Tue, 14 Aug 2007, Douglas Otis wrote:
That point forward, spammers would be less able to take advantage of domains in flux, and policy schemes would be far less perilous for
are spammers really doing this? do they mine the domain system for changes and utilize those for their purposes? I ask because I don't see that in my data, which is small admittedly... I see lots of existing well known domains in the 'from'. Unless you have some data showing otherwise (or someone else has data to share) I think this is a specious argument.
More than ~85% of all spam is being generated by spambots. Spammers are gaming the domain registry system, not for MX record manipulation, but to install their own nameservers on compromised hosts, round-robin and fast-flux their ability to avoid detection, and inevitably hide behind various layers of obfuscation. They are manipulating both the (legitimate) process of obtaining IP addresses, registering domain names (and all the cruft that it brings along with it, given the loopholes in the processes), and manipulating the ability to move their nameservers around at-will. It's pretty much a mess -- these guys use the system to succeed. Honestly, I don't have any answers -- only questions at this point. :-/
- ferg
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
On Wed, 15 Aug 2007, Paul Ferguson wrote:
-- "Chris L. Morrow" <christopher.morrow@verizonbusiness.com> wrote:
On Tue, 14 Aug 2007, Douglas Otis wrote:
That point forward, spammers would be less able to take advantage of domains in flux, and policy schemes would be far less perilous for
are spammers really doing this? do they mine the domain system for changes and utilize those for their purposes? I ask because I don't see that in my data, which is small admittedly... I see lots of existing well known domains in the 'from'. Unless you have some data showing otherwise (or someone else has data to share) I think this is a specious argument.
More than ~85% of all spam is being generated by spambots.
yes, that relates to my question how though? I asked: "Do spammers monitor the domain system in order to spam from the domains in flux as tasting domains?" I asked this specifically because that behavior was being used as a 'reason to stop tasting', or to clamp down on it at least.
Spammers are gaming the domain registry system, not for MX record manipulation, but to install their own nameservers on compromised hosts, round-robin and fast-flux their ability to avoid detection, and inevitably hide behind various layers of obfuscation.
Sure, they are being bad, they are doing what akamai does (or other CDNs) only for illegal end reasons... That's not relevant to my question, but I agree it's a dirty trick still.
They are manipulating both the (legitimate) process of obtaining IP addresses, registering domain names (and all the cruft that it brings along with it, given the loopholes in the processes), and manipulating the ability to move their nameservers around at-will.
That's not a manipulation so much as using the system as designed.
It's pretty much a mess -- these guys use the system to succeed.
agreed, they are a mess (spammers and their current business)
Honestly, I don't have any answers -- only questions at this point. :-/
me too, I just don't want to see the issue sidetracked on:
1) spammers using tasting to their benefit
2) phishers are tasters/use tasting to their benefit
neither of which is, near as I can tell, true or real fears. Tasting is, in and of itself, a completely different problem with a completely different set of issues... Conflating the 3 (or parts of the 2 sets) is just as wrong as saying that 'tasting lets the terrorists win'.
-Chris
On Aug 14, 2007, at 11:00 PM, Chris L. Morrow wrote:
On Wed, 15 Aug 2007, Paul Ferguson wrote:
More than ~85% of all spam is being generated by spambots.
yes, that relates to my question how though? I asked: "Do spammers monitor the domain system in order to spam from the domains in flux as tasting domains?" I asked this specifically because that behavior was being used as a 'reason to stop tasting', or to clamp down on it at least.
Links to pornography in spam could be used as an example of where use of throw-away domains for this purpose is obscured by millions of tasting domains. A reference to pornography is a category of threat heavily blocked by domain in various products that extend beyond just email. Most might not view pornography as a serious threat, but this endeavor benefits from domain tasting chaff.
Spammers are gaming the domain registry system, not for MX record manipulation, but to install their own nameservers on compromised hosts, round-robin and fast-flux their ability to avoid detection, and inevitably hide behind various layers of obfuscation.
Sure, they are being bad, they are doing what akamai does (or other CDNs) only for illegal end reasons... That's not relevant to my question, but I agree it's a dirty trick still.
Blocking by domain name would be the response needed to dealing with a DNS abuse problem. It can not be done by IP address. When there are millions of domains continuously in flux, any database attempting to address this issue will be inundated with nonsense. Over a few weeks, this nonsense represents more information than that used by all existing domains.
They are manipulating both the (legitimate) process of obtaining IP addresses, registering domain names (and all the cruft that it brings along with it, given the loopholes in the processes), and manipulating the ability to move their nameservers around at-will.
That's not a manipulation so much as using the system as designed.
Agreed. However, domain tasting makes any response to abuse of the domain system much slower and far more expensive.
It's pretty much a mess -- these guys use the system to succeed.
agreed, they are a mess (spammers and their current business)
If this were just limited to spammers, it would be less of a concern.
Honestly, I don't have any answers -- only questions at this point. :-/
me too, I just don't want to see the issue sidetracked on:
1) spammers using tasting to their benefit
2) phishers are tasters/use tasting to their benefit
neither of which is, near as I can tell, true or real fears. Tasting is, in and of itself, a completely different problem with a completely different set of issues... Conflating the 3 (or parts of the 2 sets) is just as wrong as saying that 'tasting lets the terrorists win'.
This should be stated somewhat differently.
1) spammers benefit by domain tasting
2) phishers benefit by domain tasting
_Any_ protective measure to combat phishing, undesired or malicious links will need to be done by domain name. Bots tend to thwart reliance upon IP addresses. Assessment by domain name is made far less effective by the very large amount of noise generated by domain tasting. Domain tasting provides cover for the abusive criminal activity. While domain tasting itself is not criminal, the harm it permits could easily be seen as the result of a negligent policy.
-Doug
participants (3)
- Chris L. Morrow
- Douglas Otis
- Paul Ferguson