Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of "anonymity" when domain exists, whois not updated yet)

Numerous (as in "at least hundreds, probably more") of spam gangs are purchasing domains and "burning through" them in spam runs. In many cases, there's a pattern to them; in others, if there's a pattern, it's not clear to me what it might be.
From my point of view, "pattern" is which registrars are getting the buys, for which registries, where the ns's are hosted, and for domains used in the return value side, hosting details. The latter to reduce to RIR CIDRs.
There is more, but that is the first cut, localization of registrar(s) and registries and CIDRs.
This bunch prefers domains in .info -- no doubt motivated in part by things like the recent $1.95 sale on such domains.
OK. Now you've identified price as a significant control variable. There are registrars that don't sell .info. I don't. There are registrars that don't sell directly to registrants. I can think of half a dozen of us who only sell to corporations and bona fide people who buy reasonable names. Transcendental numbers in decimal character form are "reasonable". Your two example sets are not "reasonable".
The dirty little secret is that all this activity on the part of spammers is a gold mine for registrars.
This isn't going to make me think you can add or subtract.
It's gotten so bad that -- to a darn good first approximation -- if you find a domain in the .biz or .info TLDs
I agree, and don't sell .biz, .info or .name, or .cc or .tv or .bz or any of the obvious repurposed cctlds, with the exception of my friend Bill Semich's .nu, which actually means something in Sweden for local reasons. I do plan to sell .aero, .coop and .museum, however. In case it is inobvious, there is a possibility that part of _your_ problem (and a big part of my problems) can be placed at the figurative "door" of a 501(c)(3) located in California.
The answer? (1) no obfuscated registrations (2) mass, fast, permanent confiscation of spammer domains (3) requirement for reasonably correct domain registration info ... and (4) publication of all WHOIS data in a simple, easily parseable form ...
Nothing in this laundry list makes the cost of bad business for my competitors rise; see add and subtract, above. Try the following: 1,$s/registrars/isp/g and 1,$s/registry/rir/g, and 1,$s/domain/ipv4_addr/. If you're still keen on your approach, then it might be a good one. I've replied after removing your personal identifiers back to NANOG. I appreciate the data, but I want the discourse to be multicast. Eric

on Wed, Jan 12, 2005 at 04:24:42PM +0000, Eric Brunner-Williams in Portland Maine wrote: (quoting Anonymous):
Numerous (as in "at least hundreds, probably more") of spam gangs are purchasing domains and "burning through" them in spam runs. In many cases, there's a pattern to them; in others, if there's a pattern, it's not clear to me what it might be.
From my point of view, "pattern" is which registrars are getting the buys, for which registries, where the ns's are hosted, and for domains used in the return value side, hosting details. The latter to reduce to RIR CIDRs.
I provided the IPs to which all of the latter domains resolved at the time I checked. All went to four IPs, all in China, three in the same network. The nameservers exhibit similar behavior, though often also with Brazilian nameservers along with Chinese. Not in the last month, though:

nameservers:
 16 ns1.anwoo.com        202.67.231.145   HKNET-HK
 14 ns1.eslom.com        61.128.196.155   CHINANET-CQ
 12 ns1.epoboy.com       222.51.91.226    CRTC
 12 ns1.bomofo.com       221.5.250.122    CNCGROUP-CQ
  4 ns1.lenpo.com        207.234.224.202  AFFINITY-207-234-128-0
  4 ns1.boozt.com        218.7.120.81     JINDU-COMPUTER-NET-COM
  2 ns1.mynameserver.ca  202.67.231.145   HKNET-HK

registrars by whois server:
 15 whois.afilias.info
  3 whois.planetdomain.com
  2 whois.godaddy.com
  2 whois.domainzoo.com
  1 whois.registrationtek.com
  1 whois.joker.com

So? Of course .info is handled by afilias. Sponsoring registrars for .info domains mentioned upthread:
  9 R126-LRMS - Enom
  4 R239-LRMS - Primus
  2 R171-LRMS - GoDaddy

There's your clustering. Feel free to somehow reduce these to CIDRs or ASNs; they're not used in the message headers anyway, so all you can do is block the redirection for your users, but not prevent them from being deluged with the spam itself, nor prevent me and others from being deluged with the bogus DSNs.

So what? Eventually, better antispam techniques will lead to the ability to block messages from or referencing domains with banned nameservers. And then spammy will set things up so that he has a new nameserver for every run. And we'll still have insecure email, because he'll have continued to get away with it, because he can hide behind "private" whois for his domains registrations, he'll continue to burn through the net namespace leaving nothing but scorched earth, and none of the underlying conditions will have been addressed.

It's no longer a simple matter of blocking the sender origin, botnets have taken care of that. It's no longer a matter of blocking known spammy domains in SMTP envelopes; they're forging them. It's not a matter of blocking mail with known spammy domains in it, as these are one-a-day throwaway redirectors. It's not a matter of blocking mail with domains that point to rogue nameservers, ASNs, or CIDRs, spammy can register new domains and use new ones every day. It's not a matter of any of these things, though I use them all, and with some effect. The problem is that spammy is getting away with this by modifying his tactics slightly and keeping a step ahead of the game, and because few understand or care about actually /fixing the underlying brokenness/ that lets him get away with it day after day.
There is more, but that is the first cut, localization of registrar(s) and registries and CIDRs.
I fail to see how isolating registrations to a single registrar changes the facts on the ground - if anything, you're already showing that you are at least one step behind Spammy, by making this a requirement. Or, alternately, you're simply saying that those who care about net abuse are shackled by ICANN's bylaws and therefore we can do nothing.
--
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us! http://hesketh.com/about/careers/account_manager.html
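The tallies in the message above (domains resolved to nameserver, nameserver IP reduced to an RIR netblock, registrar by whois server) are the clustering step, and the "block messages referencing domains with banned nameservers" idea is the enforcement step that follows from it. The script below is an added illustration of both, not code posted in this thread or used by either participant. The per-domain records are constructed: the nameserver hostnames, IPs and netnames are taken from the tallies quoted above, the registrant domains (xyzzy-deal.info and friends) and the sample mail are invented, and DNS/whois resolution is replaced by an inline lookup table so it runs offline. The /24 reduction and the "two or more throwaway domains on one nameserver IP" threshold are my assumptions, not anything the thread specifies.

```python
"""Cluster throwaway spam domains by nameserver/netblock, then flag mail
that links to domains served out of the heavily used nameserver blocks.

Added example, not code from the thread. RESOLVED is a constructed stand-in
for live DNS + whois lookups; the nameserver/IP/netname triples are copied
from the tallies quoted in the message, the domain names are invented.
"""
import ipaddress
import re
from collections import Counter

# domain -> (NS hostname, NS IP, RIR netname, registry whois server)
RESOLVED = {
    "xyzzy-deal.info":  ("ns1.anwoo.com",       "202.67.231.145", "HKNET-HK",    "whois.afilias.info"),
    "plugh-offer.info": ("ns1.anwoo.com",       "202.67.231.145", "HKNET-HK",    "whois.afilias.info"),
    "fnord-sale.info":  ("ns1.eslom.com",       "61.128.196.155", "CHINANET-CQ", "whois.afilias.info"),
    "blorp-pills.biz":  ("ns1.epoboy.com",      "222.51.91.226",  "CRTC",        "whois.godaddy.com"),
    "zork-meds.com":    ("ns1.bomofo.com",      "221.5.250.122",  "CNCGROUP-CQ", "whois.joker.com"),
    # a legitimate control domain on RFC 5737 documentation space
    "legit-shop.com":   ("ns1.example-dns.net", "192.0.2.53",     "EXAMPLE-NET", "whois.verisign-grs.com"),
}

# Constructed message body: one throwaway redirector, one legitimate link.
SAMPLE_MAIL = """Subject: your order
Click http://xyzzy-deal.info/track?id=1 now, or see http://legit-shop.com/help
"""


def cluster(resolved):
    """Tally domains by (NS, NS IP, netname), by netname alone, and by whois server."""
    by_ns, by_net, by_whois = Counter(), Counter(), Counter()
    for ns, ip, netname, whois in resolved.values():
        by_ns[(ns, ip, netname)] += 1
        by_net[netname] += 1
        by_whois[whois] += 1
    return by_ns, by_net, by_whois


def banned_nets(by_ns, threshold, prefixlen=24):
    """Reduce nameserver IPs that serve >= threshold throwaway domains to CIDR blocks.

    The /24 is an assumption for the example; in practice you would use the
    RIR allocation or the announcing ASN's prefixes instead.
    """
    nets = set()
    for (_ns, ip, _netname), count in by_ns.items():
        if count >= threshold:
            nets.add(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
    return nets


URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def domains_in_message(body):
    """Hostnames of every http(s) URL in the body, lower-cased and de-duplicated."""
    return sorted({h.lower().rstrip(".") for h in URL_HOST.findall(body)})


def flag_message(body, resolved, nets):
    """Return (domain, NS, NS IP) for each linked domain whose nameserver sits in a banned block."""
    hits = []
    for dom in domains_in_message(body):
        rec = resolved.get(dom)
        if rec is None:
            continue  # unknown domain: resolve it live in a real deployment
        ns, ip, _netname, _whois = rec
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in nets):
            hits.append((dom, ns, ip))
    return hits


if __name__ == "__main__":
    by_ns, by_net, by_whois = cluster(RESOLVED)
    for key, n in by_ns.most_common():
        print(n, *key)
    print("by netname:", dict(by_net))
    print("by whois server:", dict(by_whois))
    nets = banned_nets(by_ns, threshold=2)
    print("banned NS blocks:", sorted(map(str, nets)))
    print("flagged:", flag_message(SAMPLE_MAIL, RESOLVED, nets))
```

With the constructed table, ns1.anwoo.com (202.67.231.145, HKNET-HK) is the only nameserver IP serving two domains, so 202.67.231.0/24 becomes the single banned block and the sample mail is flagged on xyzzy-deal.info while legit-shop.com passes. Note that this catches only the redirector in the body, exactly the limitation the message describes: it does nothing about the forged envelope or the bogus DSNs, and a nameserver moved to a fresh block next run escapes it.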

Taking your comment in reverse order.
Or, alternately, you're simply saying that those who care about net abuse are shackled by ICANN's bylaws and therefore we can do nothing.
I don't think you have a monopoly on "care" (or clue) about net abuse, but it is pretty clear that you're not tall enough to ride the ICANN roller coaster. Thus far, all you've done is recycle the policy claim of the trademarks interests, a highly effective "stakeholder" and rational entity within ICANN, and the policy claim of the law enforcement interests, typically American, and not an organic ICANN "stakeholder", and neither effective nor rational within ICANN (personal opinion, from the first FBI/LE UWHOIS meeting, March 2000 WDC if memory serves, to the present). Now why should that catch your attention? How about because neither of these policy authors (good, bad or simply ugly) care particularly about SMTP, in fact, the trademark policy author doesn't know that SMTP exists, because the use of trademarks in SMTP envelopes or bodies has not been argued (yet) to support a dilution claim. As the FBI/LE goal set isn't coherent or rational I'm going to assign it a protocol independent end point identifier goal, because I don't think the FBI/LE goal set is as limited as SMTP. This thread however is about SMTP, and some glop that might make it differently, or less "insecure". So, if your primary policy tool is the same policy tool used by actors seeking ends indifferent to yours, either you are lucky or you are wrong. Now, is ICANN part of the problem space? It is for me, but I'm trying to compete with entrenched monopoly in the registry space that has the single greatest control over domain name policy, and entrenched cartel in the registrar space, and no technical issue, not secure operation of the root zone servers, correctness of the gtld zone servers, SLA metrics for gtld registry systems, data escrow, etc., has displaced the trademark position on whois:43 for the most important policy or operational issue for that corporation. My competitors (measured by market share) are for the most part indifferent to spam, porn, and social policy generally. Is it for you? 
Apparently not. So just leaving the trademarks people in charge should solve your problem in finite time. That means you may have already won. Eric

on Wed, Jan 12, 2005 at 07:49:59PM +0000, Eric Brunner-Williams in Portland Maine wrote: <snip>
Thus far, all you've done is recycle the policy claim of the trademarks interests, a highly effective "stakeholder" and rational entity within ICANN, and the policy claim of the law enforcement interests, [...]
I'm sorry, but I'm not following. By asking for domain registrations to be transparent and monitored for accuracy, I'm echoing the "policy claim" of everyone who has ever tried to determine the registrant of a domain and found it to be laughably forged, incorrect, out of date, or "protected" by some other entity whose primary purpose seems to be to help spammers hide. Whether this group of interested parties includes the "trademarks interests" is irrelevant.
This thread however is about SMTP, and some glop that might make it differently, or less "insecure".
Clearly we need to change the Subject: then, as you seem bent on ignoring my statements about the underlying causes of net abuse via email with this dodge, and it's getting tiresome. Do you want to see whois records normalized and monitored for forgeries? Do you believe this could have an effect on the ability of spammers and others to abuse network resources?
--
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us! http://hesketh.com/about/careers/account_manager.html
participants (2)
-
Eric Brunner-Williams in Portland Maine
-
Steven Champeon