Re: Lazy network operators - NOT
: >Ok, you have eloquently described the problem, now, please be good enough to give your solution
:
: There is no easy solution. That's why we still have problems with spam in postal mail, and that's been around for how many centuries? I'd go so far as to say there's no easy solution, either. If there's authentication, then new worm/trojans will focus on breaking the auth scheme or the auth servers. If there's a blackout on port 25, then they'll use other ports. If there's a list of trusted hosts, that list will be attacked.
:
: The only chance in hell of making a dent in spam is making a dent in its profitability. If the guy sending the spam gets hassled once in a while, he probably thinks it's worth it considering the new house and stable of sports cars he has. If he's getting hassled AND he's just as poor or rich as when he started, then and only then will it not be worth the hassles to the spammer.
:
: Honestly, I don't understand how the spammers make money at all, so I can't comment on it. However, I'd definitely suggest any solution look at the profitability of spam, not the feasibility.
:
: Rob Nelson
: ronelson@vt.edu

Cost transference. The cost of spam via postal mail is borne by the sender. When sent via email, the cost is shouldered by the recipient. Spamming is pervasive mainly due to the inattention or failure to enforce acceptable use policies by the service provider. A response rate of .0001 is sufficient for the spammer to profit because of being able to take advantage of the recipient bearing the cost of delivery. There is no "only chance." What seems to be required is the blended approach. Educating that user who does respond to UCE is a monumental, if not impossible, task, while the safety and protection of individual networks is a need which is far more immediate. That education task is beyond the resources and capability of the offended mail server administrator.
There is a plethora of methodology, and suggestions as to how best to combat the spew, and most of us have accepted the risk of the occasional false positive, especially when your correspondent chooses to continue to do business with a black hat provider. We have resorted to trying to get the customer to bring his own pressure on his provider, we have tried to pressure providers to be more responsive, unfortunately with mixed results. Especially when legislation and rules are formulated that can be at odds with the advertising campaigns of the providers themselves. All in all though we are trying to fight the good fight, and believe in technology, not legislation. cheers. Doug ====================================== We can get rid of spam on your domain! , Anti-spam solutions http://www.clickdoug.com/mailfilter.cfm For hosting solutions http://www.clickdoug.com ======================================
At 9:42 PM -0500 4/17/04, Doug White wrote:
Spamming is pervasive mainly due to the inattention or failure to enforce acceptable use policies by the service provider.
It's pervasive because it's profitable. It's been profitable because even a few weeks of a high-speed circuit can generate millions of messages, which don't need much of a response rate to generate revenue. The problem now is that a growing percentage of spam is originating from distributed farms of broadband-connected users (Commtouch says 80% in one article, but I'm not yet convinced it's that high - <http://www.clickz.com/stats/big_picture/applications/article.php/3337751>). This would suggest that spam is pervasive largely because of the large number of insecure systems available for origination (via port 25 :-), not because of providers failing to close barn doors after the fact... /John
jcurran@istaff.org (John Curran) writes:
... This would suggest that spam is pervasive largely because of the large number of insecure systems available for origination (via port 25 :-), not because of providers failing to close barn doors after the fact...
I don't know why it's taken me so long to come to a conclusion about this, especially since VJS has been making noises like this for a long time and I know enough to pay attention. So-called "broadband" user populations (cable, dsl, fixed wireless, mobile wireless) are full time connected, or nearly so. They are technically unsophisticated, on average. The platforms they run trade convenience for security, and must do so in order to remain competitive/relevant. Margin pressure makes it impossible for most "broadband" service providers to even catalogue known-defect customer systems or process complaints about them. Those facts are not in dispute. And so, today, I began rejecting all e-mail from all roadrunner, attbi, interbusiness.it, comcast, and rogers customers. And as I discover the next several thousand /16's which contain this kind of user community I will reject their e-mail also. MAPS DUL doesn't go nearly far enough, nor do any of its lookalikes, not even SORBS DUHL. You are all going to have to do this also, because the cost to you of keeping a list of which /32 is running malware at any given moment is too high when the numbers get into the millions, and even if your bots assume the worst (that is, don't even bother probing for malware) you'll still have to handle exception processing on the first spam (or the first few dozen spams). IETF MARID could be a scalable way of performing this mass e-mail rejection, and it could be a way that legit e-mail servers can live inside "broadband" address blocks rather than having to tunnel to <www.vix.com/personalcolo> or other clue-dense address space where technical sophistication is the norm... but I can't imagine that happening at all, let alone happening in 2004/2005. I was blind, but now I see. 
These netblocks are like foreign airports without metal detectors, and I've been handling the occasional transferring passenger (who's armed with things they shouldn't be) on an exception basis, including all kinds of per-incident damage, where what I need to do is land those planes outside my security perimeter and make them go through local metal detectors before they're allowed to transfer onto planes I'm responsible for. MAPS or SORBS or somebody needs to set up a "BBL" (broad band list) which is just a list of "broadband" customer netblocks, with no moral/value judgement expressed or implied. If it's complete and updated frequently, I'd pay for a feed because of all the work it would save me personally and in my dayjob. (Apropos of JCurran's comments above, it wouldn't matter if netblocks on this "BBL" disabled outbound TCP/25, or not, so, they probably just wouldn't, but, they probably aren't going to, no matter whether a "BBL" exists or not.) The new motto here is: "Blackhole 'em all and let market forces sort 'em out." -- Paul Vixie
On Sun, 18 Apr 2004, Paul Vixie wrote:
MAPS or SORBS or somebody needs to set up a "BBL" (broad band list) which is just a list of "broadband" customer netblocks, with no moral/value judgement expressed or implied. If it's complete and updated frequently, I'd pay for a feed because of all the work it would save me personally and in my dayjob. (Apropos of JCurran's comments above, it wouldn't matter if netblocks on this "BBL" disabled outbound TCP/25, or not, so, they probably just wouldn't, but, they probably aren't going to, no matter whether a "BBL" exists or not.)
Third-party lists are not the way to go. As you point out, mixing moral judgements with other information causes a lot of side-effects. People constantly confuse a listing on DUL with being a "spam provider," which has the negative effect of some providers not going out of their way to add more addresses to various dialup lists. And the constant problem of multiple lists being out-of-date. Who is the "official" keeper of the bad list this year? Is every service provider expected to support every third-party list?

The telephone network has the LIDB, which tells you which phone numbers belong to payphones, prisons, residential, business, etc. It doesn't make a judgement about the callers. Providers supply information for other people to make a decision based on information about the lines, not the callers.

I suggested using something like HINFO in the in-addr.arpa address zones for service providers to give similar information about IP addresses. Yes, I know, using DNS for yet something else. LDAP or RWHOIS or any other global mechanism could be used.

HINFO
  PUB - Public address (unauthenticated user)
  DYN - Dynamic address (indeterminate user)
  K12 - School
  PRI - Prison/Jail
  UCT - University/College/Trade school
  HOI - Hotel/Inn
  RES - Residential
  BUS - Business
  ISP - Internet Service Provider

If you don't want to accept connections from indeterminate or unauthenticated addresses, it's your choice. If you are a porn vendor and don't want K12 users to accidentally stumble on to your web site, it's your choice. If you are a credit card vendor and don't want to accept credit card orders from prisons or jails, it's your choice.
--On 18 April 2004 02:56 -0400 Sean Donelan <sean@donelan.com> wrote:
If you don't want to accept connections from indeterminate or unauthenticated addresses, its your choice.
Whilst that may give you some heuristic help, I'm not sure about the language. HINFO used that way neither /authenticates/ the address (in any meaningful manner, as the reverse DNS holder can put in whatever they like), nor does it /authenticate/ the user (which some might characterize as the problem). Given it is a widely held view (IMHO correct) that using network layer addressing for authentication is broken, I think your suggestion would probably be better received if you described this as a heuristic mechanism.

Speaking of which, we get lots of proposed heuristic solutions suggested. Has anyone actually done any formal evaluation of the statistics behind this? For instance, looked at a statistical correlation between DUL-listed entries and spam, extrapolated to determine what would be the effect if all dialup blocks were listed, and done proper significance testing, etc.? Ditto any of the other techniques Paul's greylisting paper refers to. If not, sounds like a useful academic research paper. Hardly like we are short of data points.

Alex
On Sun, 18 Apr 2004, Alex Bligh wrote:
Whilst that may give you some heuristic help, I'm not sure about the language. HINFO used that way neither /authenticates/ the address (in any meaningful manner, as the reverse DNS holder can put in whatever they like), nor does it /authenticate/ the user (which some might characterize as the problem). Given it is a widely held view (IMHO correct) that using network layer addressing for authentication is broken, I think your suggestion would probably be better received if you described this as a heuristic mechanism.
Actually it's neither an "authentication" nor a heuristic method. Its purpose is to provide better information so you can make a decision. It's similar to using SPF to provide information about addresses used to send mail containing particular domain names. For example, if VIX.COM had SPF records for its domain, other people could check the SPF records and not send anti-virus bounce messages when mail didn't originate from VIX.COM SPF-listed systems.

HINFO (or RWHOIS or LDAP or whatever) provides more general information from the network operator about addresses. There are more network protocols than just e-mail. Some people try to infer information from the host name, e.g. does it contain the letters ppp or dsl or cable. Or they try looking up addresses in various third-party lists which may be out of date or difficult to correct; and that doesn't fix the other third-party list which copied portions of someone else's list.

Yes, I'm aware of the limitations. But my goal is to split the problem up, and give each party some benefit to doing their part. The current practice of blaming one party for all the world's problems isn't working.
Speaking of which, we get lots of proposed heuristic solutions suggested. Has anyone actually done any formal evaluation of the statistics behind this? For instance, looked at a statistical correlation between DUL-listed entries and spam, extrapolated to determine what would be the effect if all dialup blocks were listed, and done proper significance testing, etc.? Ditto any of the other techniques Paul's greylisting paper refers to. If not, sounds like a useful academic research paper. Hardly like we are short of data points.
Yes, but not complete. The longest on-going analysis is published at http://www.sdsc.edu/~jeff/spam/Blacklists_Compared.html. He lists how many messages would be blocked by each type of blacklist. He doesn't look at false positives. There are also various whitepapers published by vendors. Be careful about the slice and dice effect. Depending on how you divide up the numbers you can make anything come out on top.

In some sense the problem is a lot worse. It's not just spam, worms, viruses. It's not just residential broadband users. It's not even just Microsoft Windows.
On Sun, 18 Apr 2004 20:03:04 EDT, Sean Donelan said:
For example if VIX.COM had SPF records for its domain, other people could check the SPF records and not send anti-virus bounce messages when mail didn't originate from VIX.COM SPF listed systems.
Yeah. They could. Let me know when Beelzebub is spotted ordering parkas from Land's End.
On Sun, 18 Apr 2004, Sean Donelan wrote:
I suggested using something like HINFO in the in-addr.arpa address zones for service providers to give similar information about IP addresses. Yes, I know, using DNS for yet something else. LDAP or RWHOIS or any other global mechanism could be used.
HINFO
  PUB - Public address (unauthenticated user)
  DYN - Dynamic address (indeterminate user)
  K12 - School
  PRI - Prison/Jail
  UCT - University/College/Trade school
  HOI - Hotel/Inn
  RES - Residential
  BUS - Business
  ISP - Internet Service Provider
Not a bad idea, but don't abuse HINFO; use a TXT record or have a new record type defined for it. regards, -- Paul Jakma paul@clubi.ie paul@jakma.org Key ID: 64A2FF6A warning: do not ever send email to spam@dishone.st Fortune: "There is nothing new under the sun, but there are lots of old things we don't know yet." -Ambrose Bierce
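As an added example (not code from either post), here is what a mail server or web front end would do with Sean's proposal, in the TXT form Paul Jakma suggests as well as the HINFO form: parse operator-published records from the in-addr.arpa zone, walk the reverse names from most to least specific so an operator can tag a whole /24 and carve out single hosts, and apply a local policy per service. An inline zone fragment stands in for a live reverse-DNS query; the fragment, the `class=` TXT syntax, the HINFO usage and the POLICY table are all assumptions of this example, and 192.0.2.0/24 and 198.51.100.0/24 are documentation prefixes. Alex's caveat applies unchanged: the record is whatever the reverse-zone holder chose to publish, so this is operator-supplied information about the line, not authentication of the host or user.

```python
"""
Classify a client IP from records its network operator publishes under
in-addr.arpa, then apply a per-service local policy.

Added example, not code from the thread. ZONE is a constructed zone fragment
standing in for a live reverse-DNS query; its "class=XXX" TXT convention,
the HINFO usage and the POLICY table are assumptions of this example.
"""
import ipaddress
import re

# Constructed zone fragment (documentation prefixes), not any operator's data.
ZONE = """\
; 192.0.2.0/24: dynamically assigned residential pool
2.0.192.in-addr.arpa.          IN TXT   "class=DYN"
; one static business customer carved out of that pool
77.2.0.192.in-addr.arpa.       IN TXT   "class=BUS"
; 198.51.100.0/24 tagged with HINFO instead of TXT
100.51.198.in-addr.arpa.       IN HINFO "RES" "cable"
10.100.51.198.in-addr.arpa.    IN HINFO "K12" "school district"
20.100.51.198.in-addr.arpa.    IN HINFO "PRI" "county jail"
"""

# The categories from Sean's proposal.
KNOWN = {"PUB", "DYN", "K12", "PRI", "UCT", "HOI", "RES", "BUS", "ISP"}

# owner [ttl] [IN] TXT|HINFO "first-string" ...
RECORD = re.compile(
    r'^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?P<type>TXT|HINFO)\s+"(?P<first>[^"]*)"'
)


def parse_zone(text):
    """Map owner name (no trailing dot) -> class tag for every tagged record."""
    classes = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop zone-file comments
        m = RECORD.match(line)
        if not m:
            continue
        tag = m.group("first")
        if m.group("type") == "TXT":
            if not tag.startswith("class="):
                continue                       # unrelated TXT record
            tag = tag[len("class="):]
        tag = tag.upper()
        if tag in KNOWN:
            classes[m.group("name").lower().rstrip(".")] = tag
    return classes


def reverse_names(ip):
    """Owner names to try, most specific first: the /32, then /24, /16, /8."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return [".".join(reversed(octets[:i])) + ".in-addr.arpa"
            for i in range(4, 0, -1)]


def classify(ip, classes):
    """(tag, owner) for the most specific record covering ip, or (None, None)."""
    for name in reverse_names(ip):
        if name in classes:
            return classes[name], name
    return None, None


# Local policy: which tags each service refuses. The operator of the
# receiving service decides this; the zone only supplies the information.
POLICY = {
    "smtp":  {"DYN", "PUB"},   # no direct-to-MX mail from indeterminate users
    "adult": {"K12"},          # keep schools off an adult site
    "cc":    {"PRI"},          # no card orders from prisons/jails
}


def allowed(service, ip, classes):
    """True unless the client's tag is on the service's refusal list."""
    tag, _ = classify(ip, classes)
    return tag not in POLICY.get(service, set())


if __name__ == "__main__":
    classes = parse_zone(ZONE)
    for client in ("192.0.2.5", "192.0.2.77", "198.51.100.10", "203.0.113.1"):
        print(client, classify(client, classes),
              "smtp ok:", allowed("smtp", client, classes))
```

An address with no record at any level classifies as (None, None) and is allowed by every service here; whether "unknown" should be treated as "PUB" is a local choice, and the example deliberately does not make it for you.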
So-called "broadband" user populations (cable, dsl, fixed wireless, mobile wireless) are full time connected, or nearly so. They are technically unsophisticated, on average. The platforms they run trade convenience for security, and must do so in order to remain competitive/relevant. Margin pressure makes it impossible for most "broadband" service providers to even catalogue known-defect customer systems or process complaints about them.
Those facts are not in dispute. And so, today, I began rejecting all e-mail from all roadrunner, attbi, interbusiness.it, comcast, and rogers customers. And as I discover the next several thousand /16's which contain this kind of user community I will reject their e-mail also. MAPS DUL doesn't go nearly far enough, nor do any of its lookalikes, not even SORBS DUHL.
MAPS or SORBS or somebody needs to set up a "BBL" (broad band list) which is just a list of "broadband" customer netblocks, with no moral/value judgement expressed or implied. If it's complete and updated frequently, I'd pay for a feed because of all the work it would save me personally and in my dayjob. (Apropos of JCurran's comments above, it wouldn't matter if netblocks on this "BBL" disabled outbound TCP/25, or not, so, they probably just wouldn't, but, they probably aren't going to, no matter whether a "BBL" exists or not.)
The new motto here is: "Blackhole 'em all and let market forces sort 'em out." -- Paul Vixie
As a current subscriber of Road Runner (not by choice - only other option is DSL from Screwed By Cowboys) - I think blame is being placed in the wrong area. These zombies are all what OS?? Oh yes the group of idiots based in Redmond, WA. That is where the true problem lies. Fix the damned operating system Micro$haft. If there was a blackhole list to block all Windows lUsers it would be more effective - granted that would also reduce email down to about 10% of the computing population. No zombies on my Macintosh regards..... -- Michael Jezierski BOFH - Chief LARTer - Slayer of Spam[mers] Master of the Clue-By-Four
<late-night-humor>
I was amused at this and decided to look real quick.. OpenBSD's pf can block on OS fingerprints.. effectively doing exactly what you are kidding about (at least I'd hope so.. well, maybe) even in the man page example they put:

    # Do not allow Windows 9x SMTP connections since they are typically
    # a viral worm. Alternately we could limit these OSes to 1 connection each.
    block in on $ext_if proto tcp from any os {"Windows 95", "Windows 98"} \
        to any port smtp

The OS fingerprint list they have is rather extensive..
</late-night-humor> :)

Mike Jezierski - BOFH wrote: {sniped}
the damned operating system Micro$haft. If there was a blackhole list to block all Windows lUsers it would be more effective - granted that would also reduce email down to about 10% of the computing population.
No zombies on my Macintosh regards.....
Yes I was being mostly facetious. But as others pointed out- Micro$not is as much to blame for the spam problem as Road Runner and CommieCast with their extremely shoddy software. Open proxies, worms, relays, spyware ad nauseum.
<late-night-humor> I was amused at this and decided to look real quick.. OpenBSD's pf can block on OS fingerprints.. effectively doing exactly what you are kidding about (at least I'd hope so.. well, maybe) even in the man page example they put:
    # Do not allow Windows 9x SMTP connections since they are typically
    # a viral worm. Alternately we could limit these OSes to 1 connection each.
    block in on $ext_if proto tcp from any os {"Windows 95", "Windows 98"} \
        to any port smtp
The OS fingerprint list they have is rather extensive.. </late-night-humor>
:)
Mike Jezierski - BOFH wrote:
{sniped}
the damned operating system Micro$haft. If there was a blackhole list to block all Windows lUsers it would be more effective - granted that would also reduce email down to about 10% of the computing population.
No zombies on my Macintosh regards.....
On Apr 18, 2004, at 11:40 PM, Matt Hess wrote:
<late-night-humor> I was amused at this and decided to look real quick.. OpenBSD's pf can block on OS fingerprints.. effectively doing exactly what you are kidding about (at least I'd hope so.. well, maybe) even in the man page example they put:
    # Do not allow Windows 9x SMTP connections since they are typically
    # a viral worm. Alternately we could limit these OSes to 1 connection each.
    block in on $ext_if proto tcp from any os {"Windows 95", "Windows 98"} \
        to any port smtp
The OS fingerprint list they have is rather extensive.. </late-night-humor>
Ya know, I do not think that is such a bad idea. Does anyone have any stats on the number of "real" MTAs that use Win9x? Or of the "real" MTAs that show up as Win9x on this fingerprint? -- TTFN, patrick
I think something like this would be best (safest?) used on collection mx hosts.. hosts that clients would not connect with to send mail.. just other servers delivering mail inward.. I personally can't imagine why someone would want to use a win95/98/Me system as a mta.. so this probably would be a rather interesting idea worth testing out. If nothing else the collateral in the above scenario would probably be very low. And of course the fingerprint list they have has quite a few systems from aix to zaurus. Patrick W.Gilmore wrote:
On Apr 18, 2004, at 11:40 PM, Matt Hess wrote:
<late-night-humor> I was amused at this and decided to look real quick.. OpenBSD's pf can block on OS fingerprints.. effectively doing exactly what you are kidding about (at least I'd hope so.. well, maybe) even in the man page example they put:
    # Do not allow Windows 9x SMTP connections since they are typically
    # a viral worm. Alternately we could limit these OSes to 1 connection each.
    block in on $ext_if proto tcp from any os {"Windows 95", "Windows 98"} \
        to any port smtp
The OS fingerprint list they have is rather extensive.. </late-night-humor>
Ya know, I do not think that is such a bad idea.
Does anyone have any stats on the number of "real" MTAs that use Win9x? Or of the "real" MTAs that show up as Win9x on this fingerprint?
On Sun, 18 Apr 2004, Matt Hess wrote:
<late-night-humor>

    # Do not allow Windows 9x SMTP connections since they are typically
    # a viral worm. Alternately we could limit these OSes to 1 connection each.
    block in on $ext_if proto tcp from any os {"Windows 95", "Windows 98"} \
        to any port smtp
The OS fingerprint list they have is rather extensive.. </late-night-humor>
This has been suggested before. Remember Windows 9x is essentially a single-user operating system. Once a machine has been compromised, lots of things can be altered by the intruder. Some of the modifications are trivial, such as registry entries. Other changes can get more interesting. Fingerprints work best if the adversary isn't actively trying to munge them. It doesn't always look like another operating system, but it ceases to look like a Windows 9x box. The arms race continues.

Figuring out what the intruder changed, and cleaning it up, continues to get more complicated. Last year running a major anti-virus program was usually enough. Now it can take hours, and sometimes it's faster to re-install the operating system, assuming the user still has their original CDs and various Microsoft anti-piracy keys, and then downloads all the patches they were missing.

http://www.washingtonpost.com/wp-dyn/articles/A22514-2004Apr18.html

The Federal Trade Commission today is hosting a daylong workshop in Washington to discuss the effects of hidden software that may be used to control or spy on a computer without its user's knowledge. So far most "spyware" and "adware" programs, often placed on Windows PCs by such downloaded programs as file-sharing programs, appear to have been used for the relatively benign purpose of tracking consumer preferences, said Howard Beales, director of the FTC's consumer protection division. The FTC is watching to see if criminals start making widespread use of this technology to steal credit-card and Social Security numbers of unwitting computer users, he said.
Paul Vixie wrote:
So-called "broadband" user populations (cable, dsl, fixed wireless, mobile wireless) are full time connected, or nearly so. They are technically unsophisticated, on average. The platforms they run trade convenience for security, and must do so in order to remain competitive/relevant. Margin pressure makes it impossible for most "broadband" service providers to even catalogue known-defect customer systems or process complaints about them.
What is the estimated cost per subscriber of such an operation in your opinion and where should it be to make it feasible? Off-the-shelf automation can accomplish this for pennies per subscriber per month, keeping the catalogs up to date and informing users automatically. After deployment there is a smallish support burst, but after the levels of infection plummet and stay at levels two orders of magnitude lower than prior situation, queues will shorten and customers will be significantly more happy.
MAPS or SORBS or somebody needs to set up a "BBL" (broad band list) which is just a list of "broadband" customer netblocks, with no moral/value judgement expressed or implied. If it's complete and updated frequently, I'd pay for a feed because of all the work it would save me personally and in my dayjob. (Apropos of JCurran's comments above, it wouldn't matter if netblocks on this "BBL" disabled outbound TCP/25, or not, so, they probably just wouldn't, but, they probably aren't going to, no matter whether a "BBL" exists or not.)
The new motto here is: "Blackhole 'em all and let market forces sort 'em out."
I think the late developments have been more geared towards "go fix the world in far and remote places also". :-) I would expect the community who uses similar blackhole criteria as you to be fairly insignificant to the spammers revenue stream. So the stream must be cut at the source, not just fending off the 1% somewhere. Pete
Cost transference. The cost of Spam via postal mail is borne by the sender. When sent via email, the cost is shouldered by the recipient.

It is not a perfect comparison. For both e-mail and postal mail, the recipient pays the same cost for sorting mail, mail box, etc. But for e-mail, the sender pays nothing, so he has no natural limitations.

There is a plethora of methodology, and suggestions as to how best to combat the spew, and most of us have accepted the risk of the occasional false positive,

Don't talk for others. For most people I know, such risk is unacceptable. Any salesperson would say _risk of missing e-mail must be 0_. For me personally, the risk of delaying e-mail due to a false positive is OK (I read the spam folder once every few days); the risk of missing e-mail is unacceptable. Moreover, spam has useful information _sometimes_, so - yes, spammers get their profits, it is well known.

We have resorted to trying to get the customer to bring his own pressure on his provider, we have tried to pressure providers to be more responsive, unfortunately with mixed results. Especially when legislation and rules are formulated that can be at odds with the advertising campaigns of the providers themselves.

Rules help a little - now I have more spam from sources which are not subject to this rule (Russian spam, for example). Rules can help if they are applied to those who order spam, not those who send it (I can always find a spamming company which is not regulated by this legislation, no problem at all). On the other hand, I am not sure if I want to have a zero level of spam. In reality, I'd like to limit it to 10 - 20 messages / day, and have these messages separated from normal messages.

All in all though we are trying to fight the good fight, and believe in technology, not legislation.

cheers.

Doug
Spamming is pervasive mainly due to the inattention or failure to enforce acceptable use policies by the service provider.
I must point out that this statement is just flat wrong. Spamming exists because spamming works. Why do spammers send out millions of emails? Because thousands of people click, look at, and subscribe to services and products being spewed by the spammers. If spamming didn't sell products, spamming would die off. We must educate the users to not do anything with spam but delete it. Judging from the success of infomercials on television shows, that won't happen anytime soon. Jerry
On Sun, Apr 18, 2004 at 02:01:45PM -0400, Jerry Eyers wrote:
Spamming is pervasive mainly due to the inattention or failure to enforce acceptable use policies by the service provider.
I must point out that this statement is just flat wrong.
Spamming exists because spamming works. Why do spammers send out millions of emails? Because thousands of people click, look at, and subscribe to services and products being spewed by the spammers.
If spamming didn't sell products, spamming would die off. We must educate the users to not do anything with spam but delete it. Judging from the success of infomercials on television shows, that won't happen anytime soon.
I think you are 'right on'. I offer this observation, first triggered by a third-hand report from some sociologists: A while back, I was getting frequent spams for breast enlargement and the like, along with some penis-related products. The breast related spam has totally vanished today, but viagra/penis spam is arriving continuously. The sociologist had noted that some societal trends and indicators could be read by looking at what is being offered. Apparently the market for breast-related products in the world of spam-receivers just wasn't there, so spamming for breasts seems to have ceased.
Jerry -- -=[L]=-
Lou Katz wrote:
On Sun, Apr 18, 2004 at 02:01:45PM -0400, Jerry Eyers wrote:
Spamming is pervasive mainly due to the inattention or failure to enforce acceptable use policies by the service provider.
I must point out that this statement is just flat wrong.
Spamming exists because spamming works. Why do spammers send out millions of emails? Because thousands of people click, look at, and subscribe to services and products being spewed by the spammers.
If spamming didn't sell products, spamming would die off. We must educate the users to not do anything with spam but delete it. Judging from the success of infomercials on television shows, that won't happen anytime soon.
I think you are 'right on'. I offer this observation, first triggered by a third-hand report from some sociologists:
Perhaps you'd both care to provide a methodology whereby the same fools who respond to anatomical enlargement/improvement potions could be successfully educated as to the foibles of responding to spam? All 150 million plus of them? And then perhaps compare that required effort and potential success to that of applying consistent global pressure on the 100 or so networks that host the compromised machines that are the unwitting gateways for almost all of today's spam. Unfortunately, in many cases, the networks do put enormous effort into disconnecting compromised boxes, but the numbers are overwhelming (240,000 on one network alone in the last 2 weeks). That does not appear to be good enough any more. I'm with Paul. As Steve Bellovin has so frequently bleated: "Push the responsibility to the edges, where it belongs". -- Rodney Joffe CenterGate Research Group, LLC. http://www.centergate.com "Technology so advanced, even we don't understand it!"(R)
: Lou Katz wrote:
: > On Sun, Apr 18, 2004 at 02:01:45PM -0400, Jerry Eyers wrote:
: > > >Spamming is pervasive mainly due to the inattention or failure to enforce acceptable use policies by the service provider.
: > >
: > > I must point out that this statement is just flat wrong.
: > >
: > > Spamming exists because spamming works. Why do spammers send out millions of emails? Because thousands of people click, look at, and subscribe to services and products being spewed by the spammers.
: > >
: > > If spamming didn't sell products, spamming would die off. We must educate the users to not do anything with spam but delete it. Judging from the success of infomercials on television shows, that won't happen anytime soon.
: >
: > I think you are 'right on'. I offer this observation, first triggered by a third-hand report from some sociologists:
:
: Perhaps you'd both care to provide a methodology whereby the same fools who respond to anatomical enlargement/improvement potions could be successfully educated as to the foibles of responding to spam? All 150 million plus of them?
:
: And then perhaps compare that required effort and potential success to that of applying consistent global pressure on the 100 or so networks that host the compromised machines that are the unwitting gateways for almost all of today's spam. Unfortunately, in many cases, the networks do put enormous effort into disconnecting compromised boxes, but the numbers are overwhelming (240,000 on one network alone in the last 2 weeks). That does not appear to be good enough any more.
:
: I'm with Paul.
:
: As Steve Bellovin has so frequently bleated: "Push the responsibility to the edges, where it belongs".

Well, Paul did advance a methodology - blackhole them all <grin>

I prefer to send a 550 IP blocked for UCE - for resolution contact your service provider.
Educating the masses who feel anatomically lacking, would be an impossible task for a server admin. Blocking the provider will hit them in the pocketbook, and usually gets attention at the highest executive level, when enough of their customers quit them. Remember it took AOL the loss of nearly 10 million subscribers to make them move against spam at all. Of course, we don't all agree with their methodology, but they are making the attempt. If just a few admins block Comcast (At&T) they will likely be ignored. If thousands of them block Comcast - they will become more pro-active, I submit. SBC-Yahoo has silently implemented spam filters that add X headers which the recipient can filter against. For instance I filter against X-overseas source blah blah As for doing something from a provider standpoint against those who will not install an a/v solution because it slows down their machine - or interferes with their MP3 files, or graphics editors, is another mountain to climb, but climb it they must. The individual mail server admin is a very small part of the big picture, but is responsible for his users, and must do as needed to re-capture the users' inbox for their legitimate use. The job becomes even more difficult when not everyone can agree on what is spam and what is legitimate. Maybe more rejects like : 550 postage due for commercial message delivery. :-)
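Two mechanisms described in this thread, Paul's rejection of whole "broadband" customer netblocks from a list like the proposed BBL and Doug's 550 that points the sender at their provider, combine into a small policy check. The following is an added example, not code from either post: the feed format, the prefixes, the provider labels, the whitelist entry and the reply text are all constructed for illustration (the prefixes are documentation ranges, not any provider's space), and a real BBL-style feed would replace the inline one. The decision is applied at RCPT TO, where a 550 is the conventional permanent refusal; a server that refuses at the connection greeting instead should answer 554 per RFC 5321, not 550.

```python
"""
Refuse mail from listed "broadband" customer netblocks with a 550 that names
the provider.

Added example, not code from the thread. BBL_FEED is a constructed feed in a
made-up "prefix label" format; the prefixes are documentation ranges and the
labels are invented. A real feed would be substituted for it.
"""
import ipaddress

# Constructed feed, not real data: one "prefix provider-label" per line.
BBL_FEED = """\
# prefix            label (informational; no judgement implied)
192.0.2.0/24        example-cable
198.51.100.0/24     example-dsl
203.0.113.0/25      example-wireless
"""

# Legitimate MTAs that happen to live inside listed space (constructed).
WHITELIST = {ipaddress.ip_address("198.51.100.25")}


def load_feed(text):
    """Parse the feed into [(network, label)], most specific prefix first."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        prefix, label = line.split()
        entries.append((ipaddress.ip_network(prefix, strict=False), label))
    # Longest prefix first, so a more specific entry wins over a covering one.
    entries.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return entries


def lookup(ip, entries):
    """(network, label) for the most specific listed block covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, label in entries:
        if addr.version == net.version and addr in net:
            return net, label
    return None


def rcpt_decision(ip, entries, whitelist=WHITELIST):
    """
    Reply (code, text) for the RCPT TO stage from a client at ip.
    250 accepts; 550 is the permanent refusal for listed space.
    """
    addr = ipaddress.ip_address(ip)
    if addr in whitelist:
        return 250, "OK"
    hit = lookup(ip, entries)
    if hit is None:
        return 250, "OK"
    net, label = hit
    return 550, (
        f"5.7.1 {addr} is in {net} ({label}), a customer netblock from which "
        "direct-to-MX mail is not accepted: send through your provider's mail "
        "server, or contact your provider for resolution"
    )


if __name__ == "__main__":
    feed = load_feed(BBL_FEED)
    for client in ("192.0.2.10", "198.51.100.25", "203.0.113.200"):
        code, text = rcpt_decision(client, feed)
        print(client, code, text)
```

The whitelist is the exception path Paul describes: a legitimate MTA living inside listed space, which a pure netblock list cannot tell apart from the zombies around it, so every such host costs a manual entry. The reply text deliberately names the listed block and the provider label rather than just "blocked", since the point of the 550 is to send the complaint to the party that can fix it.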
I haven't seen it mentioned yet but I believe that some may be looking for something like the lists at: http://www.blackholes.us/ and if it has been mentioned already I apologize for the duplicate.
On Sun, 18 Apr 2004, Doug White wrote:

> Well, Paul did advance a methodology - blackhole them all <grin>

If Paul came up with a practical way to fix millions of compromised computers which didn't involve hiring entire second-world countries to talk grandma through the process, I think many people would be interested in talking to him. On the other hand, repeatedly shocking the rat regardless of what it does just results in the rat sitting in the cage afraid to do anything.

> I prefer to send a
> 550 IP blocked for USE - for resolution contact your service provider.

If you haven't noticed, the infected user doesn't notice this. However, many other people with legitimate uses are frequently caught up in the collateral damage. That's why I keep advocating better ways to identify the specific sources of the unwanted traffic, even if they change IP addresses. That way you could positively block the infected computers from not only mail but anything else you don't want to supply (no more GOOGLE/YAHOO/CNN for you), without massive collateral damage. Then the cost-benefit equation would be closer. If you annoy a lot of people, lots of people can completely and positively ignore you. With better identification, you directly receive the benefit of keeping your computer clean. You eliminate the third-party dependency of needing to fix other people's mistakes in order to do your work. It also makes it easier for other people to take action, because the collateral damage is less.

> The job becomes even more difficult when not everyone can agree on what is spam and what is legitimate.

Stop requiring people to agree on it. If you want to force third parties to do stuff, you must define exactly what you want them to do or not do. On the other hand, if you have the power to make the decision yourself, you don't need to convince a third party the activity was a violation.
> That's why I keep advocating better ways to identify the specific sources of the unwanted traffic, even if they change IP addresses. That way you could positively block the infected computers from not only mail but anything else you don't want to supply (no more GOOGLE/YAHOO/CNN for you), without massive collateral damage. Then the cost-benefit equation would be closer. If you annoy a lot of people, lots of people can completely and positively ignore you.
>
> With better identification, you directly receive the benefit of keeping your computer clean. You eliminate the third-party dependency of needing to fix other people's mistakes in order to do your work. It also makes it easier for other people to take action, because the collateral damage is less.

I likewise would like to see a better way - but changing the whole internet is completely illogical. Educating the masses is the same. As soon as I see a solution that will work, I will probably try to implement it on my system.
On Sun, 18 Apr 2004, Doug White wrote:

> I likewise would like to see a better way - but changing the whole internet is completely illogical. Educating the masses is the same. As soon as I see a solution that will work, I will probably try to implement it on my system.

Abbott and Costello do Internet security. Who's on first, what's on second, I don't know is on third base.

When the Morris worm was released, there wasn't a patch available. Since then essentially every compromised computer has been compromised via a vulnerability with a patch available or a misconfiguration (or usually lack of configuration).

As far as improvements go, Microsoft's XP SP2 is a great improvement. If you have a Windows machine, implementing XP SP2 could help with a lot of the stupid vulnerabilities. Unfortunately less than 50% of Internet users have XP. Should ISPs start requiring their users to install Windows XP SP2?
On Sun, 18 Apr 2004 23:16:36 -0400 (EDT) Sean Donelan <sean@donelan.com> wrote:

> Should ISPs start requiring their users to install Windows XP SP2?

IMHO: Not if they want to stay in business. Our customer base is probably 80% Win 9x users. I can't speak for everybody else, but I would be willing to bet that a majority of ISPs have a good chunk of their customer base running Win 9x-based operating systems. If the ISP I work for was to make a minimum system requirement like that, we'd go out of business overnight. We don't even use Windows XP on our corporate LAN yet -- we're still running Win2K SP4.

Let's face it -- this shouldn't have to be the ISP's problem. Microsoft needs to quit rushing out new OS releases without properly straining them and stress testing to find as many holes as they can. They need to start cracking down on themselves and really start worrying about securing their OS and patching it as much as possible before throwing it to market. I understand that they won't find EVERY possible hole, but the last few years, as far as bugs in their software go, they have an extremely poor track record. Since about the NT4 days, it's been horrible. Service pack after service pack, etc. We have our machines set up to automatically tell us when new updates are available. It's pretty disheartening when you install 4 patches one day, and then 2 days later you have to go through installing another 3 - 4 patches just to ensure your machine is keeping updated with patches to fix their shoddy software.

--Brandon
Brandon Shiers wrote:

> Let's face it -- this shouldn't have to be the ISP's problem. Microsoft needs to quit rushing out new OS releases without properly straining them and stress testing to find as many holes as they can. They need to start cracking down on themselves and really start worrying about securing their OS and patching it as much as possible before throwing it to market.

It's very challenging to say that the world's most profitable company should do anything significantly different. Putting out releases and letting marketing address security concerns brings in billions. Not putting out releases will make less money. This is not to say that they would not be "trying their best". There is just a very justifiable business decision between what we would like the best to be and what it needs to be to keep their money machine running.

It's another instance of the reason why ISPs supposedly cannot afford to take out both backdoored and legit abusers at source, but the Internet is in "defensive" mode of operation.

Pete
On Mon, Apr 19, 2004 at 08:50:34AM +0300, Petri Helenius wrote:

> > Let's face it -- this shouldn't have to be the ISP's problem. Microsoft needs to quit rushing out new OS releases without properly straining them and stress testing to find as many holes as they can. They need to start cracking down on themselves and really start worrying about securing their OS and patching it as much as possible before throwing it to market.
>
> It's very challenging to say that the world's most profitable company should do anything significantly different.

s/most profitable company/convicted (and continuing) OS\&browser monopolist/

Still feel the same?

> Putting out releases and letting marketing address security concerns brings in billions. Not putting out releases will make less money.

Forcing OEM pre-loads is where they get most of their money. Maybe if they spent less on money-losing ventures like X-Box and WebTV, and maybe if they spent their R&D $Billions more wisely, and further if they spent less time and money knifing others' babies and put more genuine effort into it...

> This is not to say that they would not be "trying their best". There is just a very justifiable business decision between what we would like the best to be and what it needs to be to keep their money machine running.

Well, if they would just admit as such ("Keep the Money Machine Running!"), instead of offering endless platitudes and excuses (and FUD) and press releases about how much $money they are donating (yeah, right) to libraries and schools and ...

--
Henry Yen
Aegis Information Systems, Inc.
Senior Systems Programmer
Hicksville, New York
Henry Yen wrote:

> s/most profitable company/convicted (and continuing) OS\&browser monopolist/

Sadly the two are not incompatible, it appears. If the "rewards" of breaking the law were normally so good, then most of us would be down at the local bank with a shotgun... actually, given the audience, no physical attendance would be expected.

Peter
First time user of the "net" in '87 when CompuServe announced it to its denizens. Thank [deity] for Micro$oft or we'd have to get a real job.

----- Original Message -----
From: "Henry Yen" <henry@AegisInfoSys.com>
To: <nanog@nanog.org>
Sent: Sunday, April 18, 2004 8:14 PM
Subject: Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)
On Apr 19, 2004, at 4:10 AM, Michael Painter wrote:

> First time user of the "net" in '87 when CompuServe announced it to its denizens. Thank [deity] for Micro$oft or we'd have to get a real job.

I hear this a lot and it is such BS. Does anyone here HONESTLY believe the "computer revolution" was caused by MS alone and would never have happened without them? Microsoft *might* have made it happen slightly faster than without them, but a good argument can be made that MS actually set back the software industry in many ways, from stifling competition & innovation to the current mess with uneducated users and a homogeneous OS. The truth is, we will not know if things are better or worse because of MS. But it is in _no way_ a slam dunk one way or the other.

--
TTFN,
patrick
> Should ISPs start requiring their users to install Windows XP SP2?

nope. especially since, according to bill gates, linux would have the same reputation if it was as popular a platform (and therefore a target of more virii.)

now, you could go further, and say "if you emit streams of weird(*) looking traffic we'll shut your line down and wait for you to call us and give us an explanation" but then you're just going to be on the phone all the time and that's no good for anybody -- especially since cleanup costs are high, and reinfection "costs" are low, and phone time is really expensive. so why not just disallow all that bad junk all the time, instead of waiting for it to be seen in flight?

[(*) "weird" could mean streams of tcp/syn or tcp/rst, or forged source addresses, or streams of unanswered udp, or streams of outbound tcp/25, or udp/137..139, or who knows what it'll be by this time next month?]

> Let's face it -- this shouldn't have to be the ISP's problem.

you're right, and it won't be for very much longer. access isps cannot take responsibility for the health of their customers' computers, they just need to work harder to ensure that access is all they provide, and that servers don't work, udp/137..139 doesn't work, and outbound e-mail is via tunnel or proxy. since access isps aren't able to do even that much (for fear of their customers' wrath, or due to lack of technology inside the headend, or whatever), it's going to get done by the dreaded giant merciless monster known as "market forces".

--
Paul Vixie
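The "weird traffic" footnote above is effectively a detection rule set for an access network's head-end. The following is an added example (not code from the thread or from any of its participants) that turns those five patterns into a per-line classifier over constructed flow records; the record format, the thresholds, and the idea that the exporter marks whether a reverse flow was seen are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One outbound flow record as exported from the head-end (constructed format)."""
    line: str        # customer circuit the packets arrived on
    src: str         # source address the customer put in the packets
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    flags: str       # cumulative TCP flags sent by the customer, "" for UDP
    answered: bool   # assumption: exporter saw a matching reverse flow


# Assumed thresholds per observation window; tune to the access network.
SYN_ONLY_MIN = 50        # SYNs that never completed a handshake
RST_MIN = 50             # RST-only flows
UNANSWERED_UDP_MIN = 50  # UDP with nothing coming back
SMTP_DEST_MIN = 20       # distinct tcp/25 peers (a home user talks to one relay)
NETBIOS_MIN = 10         # udp/137..139 leaving the access network at all
NETBIOS_PORTS = range(137, 140)


def flag_lines(flows, assignments):
    """Return {line: sorted reasons} for every line matching at least one pattern.

    assignments maps a line to the address block assigned to it, so a source
    address outside that block is a forged source regardless of what it carries.
    """
    syn_only = defaultdict(int)
    rst_only = defaultdict(int)
    unanswered_udp = defaultdict(int)
    smtp_dsts = defaultdict(set)
    netbios = defaultdict(int)
    reasons = defaultdict(set)

    for f in flows:
        if ip_address(f.src) not in ip_network(assignments[f.line]):
            reasons[f.line].add("forged-source")
        if f.proto == "tcp":
            if f.flags == "S" and not f.answered:
                syn_only[f.line] += 1
            elif f.flags == "R":
                rst_only[f.line] += 1
            if f.dport == 25:
                smtp_dsts[f.line].add(f.dst)
        elif f.proto == "udp":
            if not f.answered:
                unanswered_udp[f.line] += 1
            if f.dport in NETBIOS_PORTS:
                netbios[f.line] += 1

    checks = [
        (syn_only, SYN_ONLY_MIN, "syn-stream"),
        (rst_only, RST_MIN, "rst-stream"),
        (unanswered_udp, UNANSWERED_UDP_MIN, "unanswered-udp"),
        (netbios, NETBIOS_MIN, "netbios-egress"),
    ]
    for counter, threshold, label in checks:
        for line, n in counter.items():
            if n >= threshold:
                reasons[line].add(label)
    for line, dsts in smtp_dsts.items():
        if len(dsts) >= SMTP_DEST_MIN:
            reasons[line].add("outbound-smtp")
    return {line: sorted(r) for line, r in reasons.items()}


# Constructed sample: which address block each line was assigned.
ASSIGNMENTS = {"dsl-1": "192.0.2.10/32", "dsl-2": "192.0.2.20/32", "dsl-3": "192.0.2.30/32"}


def sample_flows():
    """Constructed records for one infected line, one clean line and one spoofing line."""
    flows = []
    # dsl-1: scanning tcp/445 (SYNs never answered) and talking to 30 distinct MXes
    for i in range(60):
        flows.append(Flow("dsl-1", "192.0.2.10", f"198.51.100.{i}", "tcp", 445, "S", False))
    for i in range(30):
        flows.append(Flow("dsl-1", "192.0.2.10", f"203.0.113.{i}", "tcp", 25, "SPAF", True))
    # dsl-2: web browsing, one relay for mail, answered DNS: nothing to flag
    for i in range(80):
        flows.append(Flow("dsl-2", "192.0.2.20", f"203.0.113.{i}", "tcp", 80, "SPAF", True))
    flows.append(Flow("dsl-2", "192.0.2.20", "192.0.2.1", "tcp", 25, "SPAF", True))
    for _ in range(20):
        flows.append(Flow("dsl-2", "192.0.2.20", "192.0.2.2", "udp", 53, "", True))
    # dsl-3: assigned 192.0.2.30 but sending udp/137 probes with a forged source
    for i in range(12):
        flows.append(Flow("dsl-3", "10.9.8.7", f"198.51.100.{i}", "udp", 137, "", False))
    return flows


if __name__ == "__main__":
    for line, why in flag_lines(sample_flows(), ASSIGNMENTS).items():
        print(f"{line}: {', '.join(why)}")
```

The output is the list of lines a head-end could act on (or, as the post argues, the list of things to block unconditionally), and the clean line never appears in it.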
On 19 Apr 2004 22:16:58 +0000 Paul Vixie <vixie@vix.com> wrote:

> [(*) "weird" could mean streams of tcp/syn or tcp/rst, or forged source addresses, or streams of unanswered udp, or streams of outbound tcp/25, or udp/137..139, or who knows what it'll be by this time next month?]

Precisely. It could be most anything and likely will be eventually. Why not stop the hacks that are filtering, whitelists and rate limiting and just replace end hosts with dumb terminals, the links with fixed rate channels, and in the network place all the controls and content? Instead of network service providers we would mostly be a collection of systems operators.

> inside the headend, or whatever), it's going to get done by the dreaded giant merciless monster known as "market forces".

This and the installed base is probably why the above won't occur overnight, but things are veering in that direction. While end users will resist many attempts to remove their freedom of bits, freedom of cpu and freedom of connectivity, what is being designed, or better, re-designed is a network with a very fragile infrastructure. This is good for no one. The ideas about tussle (D. Clark, et al) are a way to think about the problems and solutions, but still the difficulty, because of market forces and installed base, is how to get there from here.

John
On Sun, 2004-04-18 at 23:16, Sean Donelan wrote:

> When the Morris worm was released, there wasn't a patch available. Since then essentially every compromised computer has been compromised via a vulnerability with a patch available or a misconfiguration (or usually lack of configuration).

Key word here is "essentially". I've been involved with about a half dozen compromises that have been true zero days. Granted that's less than ground noise compared to what we are seeing today.

> As far as improvements go, Microsoft's XP SP2 is a great improvement. If you have a Windows machine, implementing XP SP2 could help with a lot of the stupid vulnerabilities. Unfortunately less than 50% of Internet users have XP.

This ends up being a catch-22 all the way around. Since MS has focused on locking down XP, they have ended up focusing on a minimal market share of the problem. With this in mind, I don't think we are going to see things getting any better now that SP2 is out. For the end user running 2000 or less, it ends up sounding like "we screwed up and sold you an insecure product so now we want you to give us more money in order to fix the problem". A fix that addressed the problem in a more universal fashion would have been cool.

> Should ISPs start requiring their users to install Windows XP SP2?

Many folk have already commented on the economics of trying to require this. I think technically it would be hard to implement as well. I've done a lot of work with passive fingerprinting and from my observations you don't see enough of a difference in the packet creation to tell the difference between patched and unpatched systems. This leaves you with active fingerprinting, which may fail if a personal firewall is active, or loading software on their system, which is now a whole other support nightmare. Lots of overhead for little gain in my opinion.

Also, don't underestimate a person's ability to shoot themselves in the foot. Windows 2003 server, out of the box, is technically one of the most secure operating systems out there because it ships with no open listening ports. Based on the auditing I've done however, it ends up being deployed even less secure than 2000 because a lot of admins end up doing the "turn everything on to get it working" thing. An uneducated end user is not something you can fix with a service pack.

Chris
At Mon, Apr 19, 2004 at 06:12:16AM -0400, Chris Brenton wrote:

> Key word here is "essentially". I've been involved with about a half dozen compromises that have been true zero days. Granted that's less than ground noise compared to what we are seeing today.

There're a lot more 0-days than that. They just tend to remain within a smaller community (typically the ones who discover it) and are used carefully/intelligently for compromises, often for a very long time. Then it gets leaked by someone and released into the wild/script kiddie community or someone else discovers it... (more for benefit of others than a response to you)

> Also, don't underestimate a person's ability to shoot themselves in the foot. Windows 2003 server, out of the box, is technically one of the most secure operating systems out there because it ships with no open listening ports. Based on the auditing I've done however, it ends up being deployed even less secure than 2000 because a lot of admins end up doing the "turn everything on to get it working" thing. An uneducated end user is not something you can fix with a service pack.

Agreed, and even conscientious users screw up. I did this some months ago when installing MS SQL Server Desktop Engine from a third-party CD (packaged with software). This was well after the whole Slammer affair, memories fade and I didn't stop to realize they used the same codebase.... (oops)

- bri
On Mon, 2004-04-19 at 06:27, Brian Russo wrote:

> There're a lot more 0-days than that.

Agreed. My ego has not grown so large as to think I've seen every 0-day. ;-) As I said however, the true number of 0-days is less than ground noise compared to the number of systems that *could* have remained safe with proper patching or configuring.

> They just tend to remain within a smaller community (typically the ones who discover it) and are used carefully/intelligently for compromises, often for a very long time.

Agreed. I think part of what makes 0-day easier to hide *is* the raw quantity of preventable exploits that are taking place. In many ways we have become numb to compromises so that the first response ends up being "format and start over". If 0-day was a higher percentage, it would be easier to catch them when they occur and do a proper forensic analysis.

> Agreed, and even conscientious users screw up. I did this some months ago when installing MS SQL Server Desktop Engine from a third-party CD (packaged with software).

<RANT>

I guess I have a hard time blaming this type of thing on the end user. Part of the fallout from making computers easier to use is making it easier for end users to shoot themselves in the foot. One of the benefits of complexity is that it forces end user education. I'm guessing that if you had to load SQL as a dependency you would have caught your mistake before you made it.

Let me give you an example of the easy to use interface thing. Back in 2000 I made it a personal goal to try and get the top 5 SMURF amplifier sites shut down. I did some research to figure out what net blocks were being used and started contacting the admins. Imagine my surprise when I found out that 3 of the 5 _had_ a firewall. They had clicked their way through configuring Firewall-1, didn't know they needed to tweak the default property settings, and were letting through all ICMP unrestricted and unlogged.

IMHO it's only getting worse. I teach a lot of perimeter security folks and it seems like more and more of them are moving up the ranks without ever seeing a command prompt. I actually had one guy argue that everything in Windows is point and click and if you could not use a mouse to do something, it was not worth doing. Again, I don't see this as an end user problem because as an industry we've tried to make security seem easier than it actually is. We want to make it like driving a car when it's more like flying an airplane.

</RANT>

Cheers,
Chris
At Mon, Apr 19, 2004 at 08:22:48AM -0400, Chris Brenton wrote:

> Agreed. I think part of what makes 0-day easier to hide *is* the raw quantity of preventable exploits that are taking place. In many ways we have become numb to compromises so that the first response ends up being "format and start over". If 0-day was a higher percentage, it would be easier to catch them when they occur and do a proper forensic analysis.

Right, they fit in with the noise.

> <RANT> I guess I have a hard time blaming this type of thing on the end user. Part of the fallout from making computers easier to use is making it easier for end users to shoot themselves in the foot. One of the benefits of complexity is that it forces end user education. I'm guessing that if you had to load SQL as a dependency you would have caught your mistake before you made it.
>
> Let me give you an example of the easy to use interface thing. Back in 2000 I made it a personal goal to try and get the top 5 SMURF amplifier sites shut down. I did some research to figure out what net blocks were being used and started contacting the admins. Imagine my surprise when I found out that 3 of the 5 _had_ a firewall. They had clicked their way through configuring Firewall-1, didn't know they needed to tweak the default property settings, and were letting through all ICMP unrestricted and unlogged.
>
> IMHO it's only getting worse. I teach a lot of perimeter security folks and it seems like more and more of them are moving up the ranks without ever seeing a command prompt. I actually had one guy argue that everything in Windows is point and click and if you could not use a mouse to do something, it was not worth doing. Again, I don't see this as an end user problem because as an industry we've tried to make security seem easier than it actually is. We want to make it like driving a car when it's more like flying an airplane.

That's pretty sad. I can forgive users, but nobody doing 'security' should be living in a pure GUI world; to extend your analogy it would be like only knowing how to configure the autopilot and getting a pilot's license.

As far as mainstream users..

* Software needs to patch itself, users aren't going to do it.
* Software needs to be intuitive, people interact with computers as if they were doing 'real' things. Things like cut and paste are easy because they make sense...
* Software patches need to WORK and not screw up Joe User's system, believe me they won't "understand" that software is never bug-free, they'll instead swear off installing patches in future.
* Software needs reasonable defaults.. this doesn't necessarily mean turning every feature off.
* Wizards and/or a choice of 'starter' confs can be great.
** Reply to message from Brian Russo <brian@entropy.net> on Mon, 19 Apr 2004 10:51:18 -0400

> As far as mainstream users..
>
> * Software needs to patch itself, users aren't going to do it.
> * Software needs to be intuitive, people interact with computers as if they were doing 'real' things. Things like cut and paste are easy because they make sense...
> * Software patches need to WORK and not screw up Joe User's system, believe me they won't "understand" that software is never bug-free, they'll instead swear off installing patches in future.
> * Software needs reasonable defaults.. this doesn't necessarily mean turning every feature off.
> * Wizards and/or a choice of 'starter' confs can be great.

Patches either need to be of a size that a dialup user doesn't have to be dialed in for 24 hours to download and install them. Or .iso's should be available for ISP's to download, turn into CD's and distribute as appropriate. Wouldn't that be nice for a dialup user - getting Windows Update on a CD-ROM from their ISP?

--
Jeff Shultz
Network Technician
Willamette Valley Internet
> Patches either need to be of a size that a dialup user doesn't have to be dialed in for 24 hours to download and install them. Or .iso's should be available for ISP's to download, turn into CD's and distribute as appropriate. Wouldn't that be nice for a dialup user - getting Windows Update on a CD-ROM from their ISP?

It shouldn't be just Windows Update, which of course doesn't patch Office etc., it should be a fully automated CD that the user pops in and it autoupdates ALL MICROSOFT PRODUCTS that are installed, and it should do it without asking for the stupid Office CDs..

Geo.
Yes. Unfortunately, one day 1,000,000 users will find in their mail boxes fully automated CD with 'Microsoft Update' on the label and 1,000 viruses / trojans inside. -:)
> > Well, Paul did advance a methodology - blackhole them all <grin>
>
> If Paul came up with a practical way to fix millions of compromised computers which didn't involve hiring entire second-world countries to talk grandma through the process, I think many people would be interested in talking to him.

two things, though: (1) you'll never get those things fixed and (we both know it), (2) so you'd better prepare for the inevitability of widespread filtering against your DSL/Cable blocks (whether you talk to me or not.)

> > 550 IP blocked for USE - for resolution contact your service provider.
>
> If you haven't noticed, the infected user doesn't notice this. However, many other people with legitimate uses are frequently caught up in the collateral damage.

sadly, those "other people" have had their expectations falsely set, and they are going to find their way to <http://www.vix.com/personalcolo/> or an SMTP AUTH provider because market forces are completely without mercy. DSL/Cable is a fine access product, it's better than a phone line & modem because it allows faster web surfing, movies/mp3/etc on demand, and soon VoIP. but no e-mail server anywhere can afford the risk of accepting e-mail or any other push-data from them. risk management, in this case, is going to come in the form of widespread e-mail rejection from all DSL/Cable blocks. "talk to the hand."

> That's why I keep advocating better ways to identify the specific sources of the unwanted traffic, even if they change IP addresses.

my informal survey says the bad guys are better at this stuff than we are, and they're getting better every day, and we're not. the trend isn't good.

> With better identification, you directly receive the benefit of keeping your computer clean. You eliminate the third-party dependency of needing to fix other people's mistakes in order to do your work. It also makes it easier for other people to take action, because the collateral damage is less.

you sound like a man with a vision. care to pass that bong over this way?

--
Paul Vixie
On Mon, 19 Apr 2004, Paul Vixie wrote:

> two things, though: (1) you'll never get those things fixed and (we both know it), (2) so you'd better prepare for the inevitability of widespread filtering against your DSL/Cable blocks (whether you talk to me or not.)

Paul, where have you been? There is already widespread filtering of DSL/Cable/Dialup blocks. Some DSL/Cable/Dialup providers even provide daily/weekly feeds to various third-party list operators and other service providers so they can more accurately maintain lists of dynamic addresses. Accurate lists of dynamic addresses are encouraged.

Or are you suggesting the SPEWS approach of blacklisting everything? DSL/Cable/Dialup users won't be able to send e-mail directly from those addresses, and in addition, do you intend to go further and also blacklist all the provider's e-mail servers and static addresses and dedicated addresses, so any provider which has DSL/Cable/Dialup pools can't have any e-mail servers on any address block registered to the same provider?