I thought y'all might be interested to hear that yet another DNS blacklist has been taken down out of fear of the DDoS attacks that took down Osirusoft, Monkeys.com, and the OpenRBL. Blackholes.compu.net suffered a joe-job earlier this week. Apparently the joe-jobbing was enough to convince some extremely ignorant mail admins that Compu.net is spamming and blocked mail from compu.net. Compu.net has also seen the effects of DDoS attacks on other DNS blacklist maintainers. They've decided that the risk to their actual business is too great and they are pulling the plug on their DNS blacklist before they come under the gun by spammers.

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=3f70e839%241%40dimaggio.newszilla.com

Ron Guilmette, maintainer of the Monkeys.com blacklists, has posted a farewell from Monkeys.com to news.admin.net-abuse.email. Ron cites the total lack of interest in the attacks by both big network providers and law enforcement authorities as the ultimate reason he's pulling the plug.

http://groups.google.com/groups?q=%22Now+retired+from+spam+fighting%22&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=vn1lufn8h6r38%40corp.supernews.com&rnum=4

It's truly a sad day for spam fighters everywhere.

So, my question for NANOG is how does one go about attracting the attention of law enforcement when your network is under attack? How does the target of such an attack get a large network provider whose customers are part of the attack to pay attention? Is media attention the only way to pressure a response from either group? These DDoS attacks have received some attention in mainstream media:

http://www.msnbc.com/news/959094.asp?0cv=TB10
http://www.boston.com/news/nation/articles/2003/08/28/saboteurs_hit_spams_bl...

Apparently it hasn't been enough. Legal remedies take too long and are cost prohibitive (unless you're the DoJ). Subpoenas and civil lawsuits take months if not years. Relief is needed in days if not hours.

Justin
In a message written on Wed, Sep 24, 2003 at 11:28:39AM -0500, Justin Shore wrote:
So, my question for NANOG is how does one go about attracting the attention of law enforcement when your network is under attack? How does the target of such an attack get a large network provider whose customers are part of the attack to pay attention? Is media attention the only way to pressure a response from either group? These DDoS attacks have received some attention in mainstream media:
People will pay attention as soon as there is money in black lists. ISPs are businesses. If losing the customer is cheaper than helping them, far too many will choose to lose the customer. Many black lists don't pay the ISP at all; indeed they are offered as free services for the good of the community. As a result they get the response that any freeloader would, none. For better or for worse you get to vote with your dollars, which really means no dollars, no vote, no support.

--
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
On Wed, 24 Sep 2003, Leo Bicknell wrote:
In a message written on Wed, Sep 24, 2003 at 11:28:39AM -0500, Justin Shore wrote:
So, my question for NANOG is how does one go about attracting the attention of law enforcement when your network is under attack? How does the target of such an attack get a large network provider whose customers are part of the attack to pay attention? Is media attention the only way to pressure a response from either group? These DDoS attacks have received some attention in mainstream media:
People will pay attention as soon as there is money in black lists. ISPs are businesses. If losing the customer is cheaper than helping them, far too many will choose to lose the customer. Many black lists don't pay the ISP at all; indeed they are offered as free services for the good of the community. As a result they get the response that any freeloader would, none.
RBLs? Sounds like a great application for P2P.

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
Patrick Greenwell
Asking the wrong questions is the leading cause of wrong answers
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
So, my question for NANOG is how does one go about attracting the attention of law enforcement when your network is under attack? How does the target of such an attack get a large network provider whose customers are part of the attack to pay attention? Is media attention the only way to pressure a response from either group? These DDoS attacks have received some attention in mainstream media:
People will pay attention as soon as there is money in black lists. ISPs are businesses. If losing the customer is cheaper than helping them, far too many will choose to lose the customer. Many black lists don't pay the ISP at all; indeed they are offered as free services for the good of the community. As a result they get the response that any freeloader would, none.
RBLs? Sounds like a great application for P2P.
Perhaps, but it also seems like moving an RBL onto a P2P network would make poisoning the RBL far too easy...

Andrew
On Wed, 24 Sep 2003 andrew2@one.net wrote:
Perhaps, but it also seems like moving an RBL onto a P2P network would make poisoning the RBL far too easy...
That's what I was getting ready to suggest. As it stands now we have at least somewhat of an assurance that the zone we're working with isn't tainted. I only use DNSBLs that offer zone transfers. I only get an AXFR from authorized NSs for that DNSBL. Assuming that NS hasn't been compromised, I feel fairly safe in assuming that the data I'm getting is valid. It might not be, but I feel that it is.

If a P2P system was devised for distributing RBL zones then some form of validation for the distributed zones will have to be created. That would most likely involve a central server. Now you have a server to DDoS again. *sigh*

We should just educate spammers with clue-by-fours and make the world a better place.

Justin
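As an added example (not code from this thread), here is how a DNSBL consumer checks an address against a locally held zone copy of the kind Justin describes pulling by AXFR: the address's octets are reversed and looked up under the zone name, and an A record in 127.0.0.0/8 is the listing code. The zone name dnsbl.example, its entries and its codes are constructed for the example; the 127.0.0.2 test-entry convention is the one real DNSBLs use.

```python
"""Check addresses against a locally held DNSBL zone copy (added example).

Assumes a zone pulled by AXFR and saved as a plain zone file: the listed
address's octets reversed as the owner name, an A record in 127.0.0.0/8 as
the listing code, an optional TXT with the reason.  The zone name
dnsbl.example, the codes and the entries below are constructed.
"""
import ipaddress

ZONE_ORIGIN = "dnsbl.example"   # hypothetical DNSBL zone

# Constructed zone copy as it might look after a transfer.
SAMPLE_ZONE = """\
$ORIGIN dnsbl.example.
$TTL 3600
@             IN SOA ns1.dnsbl.example. hostmaster.dnsbl.example. 2003092401 3600 900 604800 3600
@             IN NS  ns1.dnsbl.example.
2.0.0.127     IN A   127.0.0.2
2.0.0.127     IN TXT "Test entry, always listed"
5.4.3.198     IN A   127.0.0.2
5.4.3.198     IN TXT "Open relay (constructed example)"
25.113.51.203 IN A   127.0.0.4
"""


def parse_zone(text, origin=ZONE_ORIGIN):
    """Map owner name -> {"codes": set of A rdata, "txt": [reasons]}.

    Directives, the apex SOA/NS and comments are skipped; relative owner
    names are qualified with the origin so lookups can use full names.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split(None, 3)
        if len(fields) < 4 or fields[0] == "@":
            continue
        owner, _klass, rtype, rdata = fields
        if not owner.endswith("."):
            owner = f"{owner}.{origin}."
        rec = entries.setdefault(owner.lower(), {"codes": set(), "txt": []})
        if rtype == "A":
            rec["codes"].add(rdata.strip())
        elif rtype == "TXT":
            rec["txt"].append(rdata.strip().strip('"'))
    return entries


def dnsbl_name(ip, origin=ZONE_ORIGIN):
    """Query name a DNSBL client builds: octets reversed under the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")   # rejects junk input
    return ".".join(reversed(octets)) + f".{origin}."


def check_ip(ip, zone):
    """(listed, listing codes, reasons) for one address against a parsed zone."""
    rec = zone.get(dnsbl_name(ip))
    if rec is None:
        return False, set(), []
    return True, set(rec["codes"]), list(rec["txt"])


def zone_looks_healthy(zone):
    """Sanity check before trusting a transferred copy: the conventional
    127.0.0.2 test address must be listed and 127.0.0.1 must not be."""
    return check_ip("127.0.0.2", zone)[0] and not check_ip("127.0.0.1", zone)[0]
```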
On Wed, 24 Sep 2003, Justin Shore wrote:
On Wed, 24 Sep 2003 andrew2@one.net wrote:
Perhaps, but it also seems like moving an RBL onto a P2P network would make poisoning the RBL far too easy...
That's what I was getting ready to suggest. As it stands now we have at least somewhat of an assurance that the zone we're working with isn't tainted.
Web of trust, yada yada. Still distributed, still resilient. And/or, encrypt the zones/updates. Admittedly this is all off-the-cuff and I haven't given it much thought (scalability and performance issues immediately come to mind), but it might be an interesting enough problem to sit down and research/think about at some point. It certainly would be interesting to find some more "substantially non-infringing" uses for P2P.

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
Patrick Greenwell
Asking the wrong questions is the leading cause of wrong answers
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
I realize that this is seriously off the wall. There is a pretty secure P2P system (Groove) that was developed by Ray Ozzie. Focus is on security on the wire, on the box, everywhere, with serious authentication - Diffie-Hellman exchanges and all the right security toys. Admittedly when I run it at home the lights in the neighborhood dim. I am wondering, though, if there might be a way to use its kind of services for some behind-the-scenes secure discovery - removing the hackability of most of the P2P systems. No, I don't know how it scales, what its throughput and licensing limitations are.. I just heard P2P and immediately went outside the box.

Chris

My vcard is attached.
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Vadim Antonov Sent: Wednesday, September 24, 2003 3:05 PM To: andrew2@one.net Cc: nanog@merit.edu Subject: RE: Another DNS blacklist is taken down
RBLs? Sounds like a great application for P2P.
Perhaps, but it also seems like moving an RBL onto a P2P network would make poisoning the RBL far too easy...
Andrew
USENET, PGP-signed files, 20 lines in perl.
--vadim
On Wed, 24 Sep 2003, Justin Shore wrote: <snip>
joe-job earlier this week. Apparently the joe-jobbing was enough to convince some extremely ignorant mail admins that Compu.net is spamming and blocked mail from compu.net. Compu.net has also seen the effects of
Speaking of joe-jobs, what's the "proper" procedure for dealing with such? The company I work for is currently undergoing an admittedly minor joe-job (about 300 or so bounces that I've seen since mid last week or so). Any suggestions for dealing with this? A current count and list of last-source IPs so far are listed below:

Total: 308

---
david raistrick drais@atlasta.net
http://www.expita.com/nomime.html
Total: 308
Erps, I told my script to mis-count: Total: 284

---
david raistrick drais@atlasta.net
http://www.expita.com/nomime.html
On Wed, 2003-09-24 at 12:48, David Raistrick wrote:
On Wed, 24 Sep 2003, Justin Shore wrote:
<snip>
joe-job earlier this week. Apparently the joe-jobbing was enough to convince some extremely ignorant mail admins that Compu.net is spamming and blocked mail from compu.net. Compu.net has also seen the effects of
Speaking of joe-jobs, what's the "proper" procedure for dealing with such?
Please forgive my ignorance, but what is a "joe-job"?

--
Stephen L Johnson stephen.johnson@mail.state.ar.us
Unix Systems Administrator sjohnson@monsters.org
Department of Information Systems
State of Arkansas
501-682-4339
On Wed, 24 Sep 2003, Stephen L Johnson wrote:
Please forgive my ignorance, but what is a "joe-job"?
I dug up some links for you.

http://www.spamfaq.net/terminology.shtml#joe_job
http://www.techtv.com/news/culture/story/0,24195,3415219,00.html
http://catb.org/~esr/jargon/html/J/joe-job.html
http://www.everything2.com/index.pl?node=Joe%20Job (might be down?)

Basically it's spoofing the source of spam so as to appear to come from an innocent person. I've been on the receiving end of it a couple of times. Basically the innocent person gets flooded with bounces from poorly written MTAs and anti-spam scripts. Think email-based virus bounces. You didn't send the virus; you aren't even infected. However some machine somewhere is infected and spoofed your address as the source of the infected email. You of course end up with the bounce and blame from uneducated people for being infected (which again you are not).

Hope that helps

Justin
On Wed, 24 Sep 2003 13:10:43 CDT, Stephen L Johnson <stephen.johnson@mail.state.ar.us> said:
Please forgive my ignorance, but what is a "joe-job"?
http://searchsecurity.techtarget.com/gDefinition/0,294236,sid14_gci917469,00... says it better than I can. Or google for +"joe job" +definition, it's your friend. ;)
On Wed, 24 Sep 2003 Valdis.Kletnieks@vt.edu wrote:
On Wed, 24 Sep 2003 13:10:43 CDT, Stephen L Johnson <stephen.johnson@mail.state.ar.us> said:
Please forgive my ignorance, but what is a "joe-job"?
http://searchsecurity.techtarget.com/gDefinition/0,294236,sid14_gci917469,00...
This is amusing because we hosted joes.com at that time (and still do) and the other day I heard the term and speculated as to whether it could have come from the attack on joes.com back then. The URL above is accurate. To correct a mistaken impression that the ensuing DOS attack was a result of the bounces, the bounces were easily handled. The email sent out was an example of effective social engineering designed to make the recipients mad enough to attack the perceived sender. Of the over a million angry recipients, some had the technical know-how to lash out. Think of it as a smart weapon where the weapon used is borrowed minds engaged by use of a meme. Joe jobbing is a layer 9 algorithm (the program is the message people read and what it causes them to do) that is made possible by the ability of a spammer to forge their identity as that of their intended victim.

Mike.

+----------------- H U R R I C A N E - E L E C T R I C -----------------+
| Mike Leber Direct Internet Connections Voice 510 580 4100 |
| Hurricane Electric Web Hosting Colocation Fax 510 580 4151 |
| mleber@he.net http://www.he.net |
+-----------------------------------------------------------------------+
On Wed, 24 Sep 2003, Stephen L Johnson wrote:
Please forgive my ignorance, but what is a "joe-job"?
Typically spam using forged source email addresses targeting a specific company/person/etc.

http://www.everything2.com/index.pl?node=Joe%20Job
http://www.spamfaq.net/terminology.shtml

---
david raistrick drais@atlasta.net
http://www.expita.com/nomime.html
On Wed, 24 Sep 2003, Stephen L Johnson wrote:
On Wed, 2003-09-24 at 12:48, David Raistrick wrote:
On Wed, 24 Sep 2003, Justin Shore wrote:
<snip>
joe-job earlier this week. Apparently the joe-jobbing was enough to convince some extremely ignorant mail admins that Compu.net is spamming and blocked mail from compu.net. Compu.net has also seen the effects of
Speaking of joe-jobs, what's the "proper" procedure for dealing with such?
Please forgive my ignorance, but what is a "joe-job"?
Hmm, probably something that isn't going to happen now that all domains are valid a la Verisign. It's when spammers take your domain name and use it as their from address; it *used* to get around sender verify in SMTP, which a lot of SMTP servers implement. Basically if you're being joe jobbed you will get the bounce messages from all the email addresses the spammers are sending to that don't exist.

The one that they're doing on my own domain which I mentioned on list some months ago is still going strong with many Mbs of bounces per day.. I think it's fair to say there is very little you can do as tracking the source is almost impossible..

Steve
On Wed, 24 Sep 2003, Stephen J. Wilcox wrote:
The one that they're doing on my own domain which I mentioned on list some months ago is still going strong with many Mbs of bounces per day.. I think it's fair to say there is very little you can do as tracking the source is almost impossible..
That depends on how detailed the bounce is, to an extent. Many of the bounces actually contain a complete copy of the message that generated the bounce. I.e., the full spam and nothing but the spam. From that you can find the original source IP. Of course that source IP may very well be an open proxy. You're screwed if that's the case. However since you have a complete copy of the spam you can still follow the money trail. Spammers have to get their money somehow. The actual spam will give you many places to start. Of course once you have that you still have to convince a provider to take action against their customer.

Justin
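As an added example rather than anything posted in the thread, the following pulls the originating IP out of bounces that return the full rejected message, the way Justin describes, and tallies them the way David tallied his sources. The bounce text, the bouncing site's MTA names under mail.example and every address are constructed; the trusted-suffix parameter is an assumption about which Received: lines the bouncing site itself wrote, since anything below those can be forged by the spammer.

```python
"""Trace joe-job bounces back to the IP that injected the spam (added example).

Bounces returning the full rejected message carry its Received: trail.  Lines
written by the bouncing site's own MTAs are trustworthy; anything below them
may be forged by the spammer, so the analyst names that site's host suffix.
"""
import email
import re
from collections import Counter
from email import policy

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # bracketed client address
BY_RE = re.compile(r"\bby\s+([\w.-]+)")                # MTA that wrote the line

# Constructed bounce: mail.example rejected a message forged from joes-domain.example.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mail.example
To: victim@joes-domain.example
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/rfc822

Received: from gw.mail.example (gw.mail.example [192.0.2.20])
    by mx2.mail.example with ESMTP id x1 for <nobody@mail.example>
Received: from relay.example.net (unknown [198.51.100.77])
    by gw.mail.example with SMTP id x0
Received: from forged.joes-domain.example ([203.0.113.9])
    by relay.example.net with SMTP
From: victim@joes-domain.example
Subject: Constructed spam body for the example

(spam text)

--B1--
"""


def returned_message(bounce):
    """Return the rejected original embedded in a bounce, or None if absent."""
    msg = email.message_from_string(bounce, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def source_ip(original, trusted_suffix):
    """IP that handed the message to the first trusted MTA, or None.

    Received: headers are newest first.  Walk down while the 'by' host
    belongs to the bouncing site; the '[ip]' of the last such line is the
    injecting client, whatever the spammer forged below it.
    """
    candidate = None
    for hop in original.get_all("Received", []):
        by = BY_RE.search(hop)
        if not (by and by.group(1).endswith(trusted_suffix)):
            break
        ip = IP_RE.search(hop)
        if ip:
            candidate = ip.group(1)
    return candidate


def tally_sources(bounces, trusted_suffix):
    """Count injecting IPs over a pile of bounces, as David did by hand."""
    counts = Counter()
    for bounce in bounces:
        original = returned_message(bounce)
        ip = source_ip(original, trusted_suffix) if original else None
        counts[ip or "unknown"] += 1
    return counts
```

Bounces that return only a plain-text notice are counted as "unknown" rather than guessed at.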
At 2:07 PM -0500 9/24/03, Justin Shore wrote:
open proxy. You're screwed if that's the case. However since you have a complete copy of the spam you can still follow the money trail. Spammers have to get their money somehow. The actual spam will give you many places to start. Of course once you have that you still have to convince
With the possible exception of the new California law, I've yet to see any case in which the benefit from nailing a spammer (in terms of damages, or even reduced attacks) comes even close to covering the amount of time it took to find and pursue them. I doubt even the big ISPs recover their cost--their goal seems to be deterrence. However I'd be happy to donate somewhere.com's bogus inbound traffic (we bounced ten million messages last year, definitely looking at more than twenty million this year) to the cause.

--
Kee Hinckley
http://www.messagefire.com/ Next Generation Spam Defense
http://commons.somewhere.com/buzz/ Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept responsibility for their own actions, or that they are so eager to regulate everyone else's.
On Wed, 24 Sep 2003, Kee Hinckley wrote:
With the possible exception of the new California law, I've yet to see any case in which the benefit from nailing a spammer (in terms of damages, or even reduced attacks) comes even close to covering the amount of time it took to find and pursue them. I doubt even the big ISPs recover their cost--their goal seems to be deterrence. However I'd be happy to donate somewhere.com's bogus inbound traffic (we bounced ten million messages last year, definitely looking at more than twenty million this year) to the cause.
How does $250,000 sound? :-)

http://www.internetnews.com/IAR/article.php/3075271

Tracking them down can be time consuming. It's not impossible though and in many cases it's unbelievably easy. Getting a judgement is apparently the easy part. Getting your money seems to be the hard part. I've thought about using Kansas's anti-spam law myself but haven't yet. I know very little about the legal system. Even though my claim would be made in Small Claims Court, I'm leery about not going about the suit in the right way. Kansas's law allows providers to sue as well though. Receiving 25,000 copies of the same spam makes winning a court case quite profitable. We need more people that take this step IMHO.

Justin
On Wed, 2003-09-24 at 13:10, Stephen L Johnson wrote:
Please forgive my ignorance, but what is a "joe-job"?
Thanks for all of the off-line responses. I was aware of the tactic. But it was the first time I've heard it called a "joe job". (Stephen has learned his one new thing for the day)

--
Stephen L Johnson stephen.johnson@mail.state.ar.us
Unix Systems Administrator sjohnson@monsters.org
Department of Information Systems
State of Arkansas
501-682-4339
It has been mentioned in other places on the net (ok, yammerings on slashdot, but this made a bit of sense) that blacklisting is a perfect P2P application. Each mailserver could keep a cryptographically verified list, the list is distributed via some P2P mechanism, and DoS directed at the 'source' of the service only interrupts updates, and only does so until the source slips an updated copy of the list to a few peers, and then the update spreads. Spam is an economic activity and they won't DoS a source if they know it won't help their situation.

I'm not an expert in DNS, email server configuration, or routing, but it seems to me that the whole thing requires a distributed solution to harden it against spammers, and that the logical place for this is the SMTP daemon itself, possibly coupled with some global registry that sells digital certs for a reasonable annual fee, much how domain names are handled now (Verisign excluded, of course).

--
mailto:neal@lists.rauhauser.net phone:402-301-9555
"After all that I've been through, you're the only one who matters, you never left me in the dark here on my own" - Widespread Panic
Each mailserver could keep a cryptographically verified list, the list is distributed via some P2P mechanism, and DoS directed at the 'source' of the service only interrupts updates, and only does so until the source slips an updated copy of the list to a few peers, and then the update spreads. Spam is an economic activity and they won't DoS a source if they know it won't help their situation.
If anyone who attempts to distribute such a list is DoSed to oblivion, people will stop being willing to distribute such a list. Yes, spam is an economic activity, but spammers may engage in long-term planning. You can't keep the list of distributors secret. I'd be very interested in techniques that overcome this problem. I've been looking into tricking existing widely-deployed infrastructures into acting as distributors, but this raises both ethical and technical questions.

DS
On Wed, 24 Sep 2003, David Schwartz wrote:
Each mailserver could keep a cryptographically verified list, the list is distributed via some P2P mechanism, and DoS directed at the 'source' of the service only interrupts updates, and only does so until the source slips an updated copy of the list to a few peers, and then the update spreads. Spam is an economic activity and they won't DoS a source if they know it won't help their situation.
If anyone who attempts to distribute such a list is DoSed to oblivion, people will stop being willing to distribute such a list. Yes, spam is an economic activity, but spammers may engage in long-term planning. You can't keep the list of distributors secret. I'd be very interested in techniques that overcome this problem. I've been looking into tricking existing widely-deployed infrastructures into acting as distributors, but this raises both ethical and technical questions.
DS
Thus spake David Schwartz (davids@webmaster.com) [24/09/03 17:39]:
If anyone who attempts to distribute such a list is DoSed to oblivion, people will stop being willing to distribute such a list. Yes, spam is an economic activity, but spammers may engage in long-term planning. You can't keep the list of distributors secret. I'd be very interested in techniques that overcome this problem. I've been looking into tricking existing widely-deployed infrastructures into acting as distributors, but this raises both ethical and technical questions.
P2P has been suggested, and while I make no comments about P2P itself... What about Freenet? It hides the origin of the file(s), it's truly distributed, it's encrypted, it's authenticated, and it will do your dishes. Okay, so it won't actually do your dishes. But it seems to do everything that most other people have suggested. It's incredibly difficult to DoS a Freenet node, and it's incredibly easy to set one up (just requires some hefty CPU).