Greetings,

My name is Nick, and I have inherited admin duties for tacid.org. For an unknown amount of time (a month or more?) mail.tacid.org has been an open-relay, and sending out large amounts of spam. This should now be fixed. If anyone is having issues with this domain still, please contact me off list.

Thank you,
Nick
Nick:

Leaving a domain and IP fallow for such a long time will end up looking like my garden did this year when I did the same thing -- overrun with weeds.

Sending a blanket e-mail to NANOG is not going to get the attention of those who manage the e-mail flow (unless your domain belonged to a Fortune 100).

Just like I should have with my garden, rather than replant among the weed seeds and spend 99% of my time pulling weeds, I would recommend sowing a new field by moving your outbound e-mail server(s) to some fresh address space (different /24 to be sure, ideally another section of SWIPed space) and start monitoring your outgoing servers logs. You'll need to work with each MTA that blocks your e-mail and ask them to delist you from whatever block (domain or domain reputation) that they have. At the same time, systematically go to every RBL that tracks by domain name and check the status of your domain and request delisting as necessary.

Regards,
Frank

-----Original Message-----
From: Nick Shank [mailto:nick@laststop.net]
Sent: Thursday, July 03, 2008 5:51 AM
To: nanog@nanog.org
Subject: tacid.org

Greetings, My name is Nick, and I have inherited admin duties for tacid.org. For an unknown amount of time (a month or more?) mail.tacid.org has been an open-relay, and sending out large amounts of spam. This should now be fixed. If anyone is having issues with this domain still, please contact me off list. Thank you, Nick
> Just like I should have with my garden, rather than replant among the weed seeds and spend 99% of my time pulling weeds, I would recommend sowing a new field by moving your outbound e-mail server(s) to some fresh address space (different /24 to be sure, ideally another section of SWIPed space) and start monitoring your outgoing servers logs. You'll need to work with each MTA that blocks your e-mail and ask them to delist you from whatever block (domain or domain reputation) that they have. At the same time, systematically go to every RBL that tracks by domain name and check the status of your domain and request delisting as necessary.
if the ipv4 free pool run-out produces a lot of address shifting and recycling of old address space, will there be a market in clean-up services such as the above. give them your newly-acquired address space for two months before you need to use it, and they will test and scrub and write and beg and whine on nanog? it could be that one or two reputable clean-up folk could develop history with the various blockers and be able to get the job done better than we could do it ourselves.

randy
Randy Bush wrote:
[snip weeding one's garden theory]
> if the ipv4 free pool run-out produces a lot of address shifting and recycling of old address space, will there be a market in clean-up services such as the above. give them your newly-acquired address space for two months before you need to use it, and they will test and scrub and write and beg and whine on nanog? it could be that one or two reputable clean-up folk could develop history with the various blockers and be able to get the job done better than we could do it ourselves.
Actually, that's not a bad idea. Of course, there's the larger problem; verifying that the address space previously sullied is now worthy of being cleaned up. In Nick Shank's case (and Bravo! to Nick), I would say that he's off doing the right thing. It would seem that some serious investigation would be necessary before acting as a third party for others in a similar boat, of course. I certainly have the time, skills, and inclination.

--
In April 1951, Galaxy published C.M. Kornbluth's "The Marching Morons". The intervening years have proven Kornbluth right.
--Valdis Kletnieks
On Sun, Jul 6, 2008 at 3:25 AM, Lynda <shrdlu@deaddrop.org> wrote:
> Actually, that's not a bad idea. Of course, there's the larger problem; verifying that the address space previously sullied is now worthy of being cleaned up. In Nick Shank's case (and Bravo! to Nick), I would say that he's off doing the right thing. It would seem that some serious investigation would be necessary before acting as a third party for others in a similar boat, of course.
There's already a bunch of companies that have built up a business model on this.. they call it "deliverability"
On Sun, 6 Jul 2008, Suresh Ramasubramanian wrote:
> On Sun, Jul 6, 2008 at 3:25 AM, Lynda <shrdlu@deaddrop.org> wrote:
>> Actually, that's not a bad idea. Of course, there's the larger problem; verifying that the address space previously sullied is now worthy of being cleaned up. In Nick Shank's case (and Bravo! to Nick), I would say that he's off doing the right thing. It would seem that some serious investigation would be necessary before acting as a third party for others in a similar boat, of course.
> There's already a bunch of companies that have built up a business model on this.. they call it "deliverability"
There's a big difference though between trying to clean up the reputation of newly acquired IP space a previous "owner" abused and trying to explain away an ESP's prior spamming. My limited experience with deliverability consulting companies recently has largely been the latter.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
randy@psg.com (Randy Bush) writes:
> if the ipv4 free pool run-out produces a lot of address shifting and recycling of old address space, will there be a market in clean-up services such as the above. give them your newly-acquired address space for two months before you need to use it, and they will test and scrub and write and beg and whine on nanog? it could be that one or two reputable clean-up folk could develop history with the various blockers and be able to get the job done better than we could do it ourselves.
reputation-washing is an inherently nonscalable business. dirty blocks that go back to the washer will be harder and harder to re-clean once the victims harken to the repeat-business aspects of the activity. dirty users will go on incorporating a new LLC every week so as to appear to be a new and different entity as often as they need to, to avoid regulations linked to one's past reputation.

now, a business whereby small discontiguous blocks could be traded in (with some cash perhaps) for a contiguous block of the same total size, that'd be interesting.

--
Paul Vixie

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
The real solution to the scorched earth problem is for aging from blacklists to be dynamic.

If a given IP hasn't spammed or otherwise been naughty in some period of time, and the RP contact information for that netblock exists and responds, then the benefit of the doubt should go to the netblock owner/operator, and the IP(s) delisted.

There's been some work done @ SRI on using a weighting algorithm that includes things like prevalence, persistence, and "badness", with a Gaussian decay function as to time, to establish cut levels for what should be blocked.

Look at Phil Porras's work, and Usenix presentations.
-----Original Message-----
From: Paul Vixie [mailto:vixie@isc.org]
Sent: Saturday, July 05, 2008 2:57 PM
To: nanog@merit.edu
Subject: Re: a business opportunity?
randy@psg.com (Randy Bush) writes:
if the ipv4 free pool run-out produces a lot of address shifting and recycling of old address space, will there be a market in clean-up services such as the above. give them your newly-acquired address space for two months before you need to use it, and they will test and scrub and write and beg and whine on nanog? it could be that one or two reputable clean-up folk could develop history with the various blockers and be able to get the job done better than we could do it ourselves.
reputation-washing is an inherently nonscalable business. dirty blocks that go back to the washer will be harder and harder to re-clean once the victims harken to the repeat-business aspects of the activity. dirty users will go on incorporating a new LLC every week so as to appear to be a new and different entity as often as they need to, to avoid regulations linked to one's past reputation.
now, a business whereby small discontiguous blocks could be traded in (with some cash perhaps) for a contiguous block of the same total size, that'd be interesting.

--
Paul Vixie
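An added illustration of the time-decayed scoring idea raised in the message above. It is not part of the thread and it is not the SRI algorithm, whose details are not given here: the way prevalence, persistence and badness are combined, the 30-day sigma, the cut level of 1.0 and the sample histories are all assumptions made for this sketch.

```python
import math
from dataclasses import dataclass

DAY = 86400.0  # seconds

@dataclass(frozen=True)
class Report:
    ts: float       # when the abuse was observed (seconds)
    source: str     # which sensor or complainant reported it
    badness: float  # severity in [0, 1], assigned by the list operator

def gaussian_decay(age_days: float, sigma_days: float) -> float:
    """Weight of an observation that is age_days old."""
    return math.exp(-(age_days ** 2) / (2.0 * sigma_days ** 2))

def score(reports, now: float, sigma_days: float = 30.0) -> float:
    """Assumed combination: decayed badness x log(prevalence) x log(persistence)."""
    if not reports:
        return 0.0
    decayed = sum(r.badness * gaussian_decay((now - r.ts) / DAY, sigma_days)
                  for r in reports)
    prevalence = len({r.source for r in reports})           # distinct reporters
    persistence = len({int(r.ts // DAY) for r in reports})  # distinct active days
    return decayed * math.log1p(prevalence) * math.log1p(persistence)

def listed(reports, now: float, cut: float = 1.0) -> bool:
    """Block the address only while its decayed score is at or above the cut level."""
    return score(reports, now) >= cut

def burst(first_day: int, days: int):
    """Constructed sample data: two reports a day from three rotating sensors."""
    return [Report((first_day + d) * DAY + k * 43200, f"sensor{(d + k) % 3}", 0.8)
            for d in range(days) for k in (0, 1)]

# Constructed histories: a relay fixed after day 9, and one abusing again on days 110-119.
fixed_relay = burst(0, 10)
repeat_offender = burst(0, 10) + burst(110, 10)

if __name__ == "__main__":
    for day in (10, 60, 120):
        now = day * DAY
        print(day, listed(fixed_relay, now), listed(repeat_offender, now))
```

With these assumed parameters the fixed relay is still listed two months after the last report and ages out by day 120, while the address that resumes sending stays listed.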
> The real solution to the scorched earth problem is for aging from blacklists to be dynamic.
if we were designing a full internet system with reputation as a feature, then no doubt it would be like you're describing. however, reputation systems are a private action by private right of action and each one will have its own cost:benefit considerations. this means while it might be a good design overall, blacklist aging has to be in the interests of particular blacklist operators and subscribers, or it won't happen. it generally does not happen, since it costs more value than it produces from the point of view of a given blacklist operator or subscriber.

i think there's an argument to be made that this is inevitable. every time any ISP has enforced any kind of numerical limits on abuse by one of its customers (like first hit's free, three strikes and you're out, and so on) the abusers have either rotated through providers or through identities fast enough to make their business run in spite of the limits, or they have merely counted these slaps on the wrist as part of the cost of doing business. this means if blacklist entries all aged out, then abusers and their ISPs would simply rotate through a long chain of address blocks, and we'd see a lot of address space consumed on the "waiting for reprieve" list but it would not change the overall abuse growth rate at all.

that's not in the interests of individual blacklist operators or subscribers, who want to control abuse growth rate.
> There's been some work done @ SRI on using a weighting algorithm that includes things like prevalence, persistence, and "badness", with a Gaussian decay function as to time, to establish cut levels for what should be blocked.
> Look at Phil Porras work, and Usenix presentations.
can you tell me, before i invest my own time in it, whether this work accounts for the inevitable rebalancing and planning adjustments that the abusers will make if each proposed policy were rolled out? i fear that most studies in this area treat abuse like it was a natural phenomenon and not the self-organized well-motivated thievery that it is. abusers aren't going to sit still while we wrap them in a gaussian decay function.
paul,

in another universe, the inhabitants are attempting to find some policy for dealing with what i'll call a temporally inconsistent name to address mapping, at a single, and also a second level of indirection.

of course, just about everything that's ever been written (and re-written) on nanog about reputation and partition, whether w.r.t. port 25, or ports 53 and 80, appears to me to be relevant in this other universe.

eric

Paul Vixie wrote:
The real solution to the scorched earth problem is for aging from blacklists to be dynamic.
if we were designing a full internet system with reputation as a feature, then no doubt it would be like you're describing. however, reputation systems are a private action by private right of action and each one will have its own cost:benefit considerations. this means while it might be a good design overall, blacklist aging has to be in the interests of particular blacklist operators and subscribers, or it won't happen. it generally does not happen, since it costs more value than it produces from the point of view of a given blacklist operator or subscriber.
i think there's an argument to be made that this is inevitable. every time any ISP has enforced any kind of numerical limits on abuse by one of its customers (like first hit's free, three strikes and you're out, and so on) the abusers have either rotated through providers or through identities fast enough to make their business run in spite of the limits, or they have merely counted these slaps on the wrist as part of the cost of doing business. this means if blacklist entries all aged out, then abusers and their ISPs would simply rotate through a long chain of address blocks, and we'd see a lot of address space consumed on the "waiting for reprieve" list but it would not change the overall abuse growth rate at all.
that's not in the interests of individual blacklist operators or subscribers, who want to control abuse growth rate.
There's been some work done @ SRI on using a weighting algorithm that includes things like prevalence, persistence, and "badness", with a Gaussian decay function as to time, to establish cut levels for what should be blocked.
Look at Phil Porras work, and Usenix presentations.
can you tell me, before i invest my own time in it, whether this work accounts for the inevitable rebalancing and planning adjustments that the abusers will make if each proposed policy were rolled out? i fear that most studies in this area treat abuse like it was a natural phenomenon and not the self-organized well-motivated thievery that it is. abusers aren't going to sit still while we wrap them in a gaussian decay function.
> The real solution to the scorched earth problem is for aging from blacklists to be dynamic.
Um, this isn't exactly a revolutionary idea. Almost without exception* the blacklists that are widely used have some sort of age-out so that they remove addresses that don't continue to show bad behavior.

The problem is that there's a zillion little networks with their own private blacklists, where the policy tends to be to add a block when someone complains, and then forget about it, removing blocks only when there are counter-complaints. Talk about not scaling.

R's,
John

* - some of the for-pay MAPS lists don't seem to have an aging policy
1) I hate plants.
2) I hate analogies involving plants even more.
3) You're suggesting abandonment of "perfectly good" IP space, and that he employ stealthy and gray-hat thinking to obtain an easy out. Way to pad ARIN's wallet, btw.

When I saw his e-mail, I thought, how proper of him. He's taking ownership of his problem. He wasn't asking for anything specific; in fact, it seemed to me more like an offer of help ("hey, firefighter joe on the scene. i think i've pretty much pwned this fire, so, lemme know if you still see crap burning! kthx"). I think he knows the drill on what he needs to do.

Don't give him evil thoughts... he'll end up just like the rest of us. :-)

-j

On Sat, Jul 5, 2008 at 3:21 PM, Frank Bulk - iNAME <frnkblk@iname.com> wrote:
Nick:
Leaving a domain and IP fallow for such a long time will end up looking like my garden did this year when I did the same thing -- overrun with weeds.
Sending a blanket e-mail to NANOG is not going to get the attention of those who manage the e-mail flow (unless your domain belonged to a Fortune 100).
Just like I should have with my garden, rather than replant among the weed seeds and spend 99% of my time pulling weeds, I would recommend sowing a new field by moving your outbound e-mail server(s) to some fresh address space (different /24 to be sure, ideally another section of SWIPed space) and start monitoring your outgoing servers logs. You'll need to work with each MTA that blocks your e-mail and ask them to delist you from whatever block (domain or domain reputation) that they have. At the same time, systematically go to every RBL that tracks by domain name and check the status of your domain and request delisting as necessary.
Regards,
Frank
-----Original Message-----
From: Nick Shank [mailto:nick@laststop.net]
Sent: Thursday, July 03, 2008 5:51 AM
To: nanog@nanog.org
Subject: tacid.org

Greetings, My name is Nick, and I have inherited admin duties for tacid.org. For an unknown amount of time (a month or more?) mail.tacid.org has been an open-relay, and sending out large amounts of spam. This should now be fixed. If anyone is having issues with this domain still, please contact me off list. Thank you, Nick
-- Would you like a little bit of legal advice? NEVER let a scientist use the words "unanticipated" and "immediate" in the same sentence. Okay? Okay.
participants (12)
- Eric Brunner-Williams
- Frank Bulk - iNAME
- jamie
- John Levine
- Jon Lewis
- Lynda
- Michael Painter
- Nick Shank
- Paul Vixie
- Randy Bush
- Suresh Ramasubramanian
- Tomas L. Byrnes