I think some RBLs might get better responses from the ISPs when they stop taking "collateral damage gets the abuse department's attention" attitudes. Some RBLs cause many providers a LOT of headaches, so it is not surprising that when it is their turn to complain, the ISPs will just say: post to abuse.ddos.isp.net and we might get around to fixing it. :)

Regards,
Mark

--
Mark Segal
Director, Network Planning
FCI Broadband
Tel: 905-284-4070
Fax: 416-987-4701
http://www.fcibroadband.com
Futureway Communications Inc. is now FCI Broadband

-----Original Message-----
From: Justin Shore [mailto:listuser@numbnuts.net]
Sent: September 24, 2003 12:29 PM
To: nanog@merit.edu
Subject: Another DNS blacklist is taken down

I thought y'all might be interested to hear that yet another DNS blacklist has been taken down out of fear of the DDoS attacks that took down Osirusoft, Monkeys.com, and the OpenRBL. Blackholes.compu.net suffered a joe-job earlier this week. Apparently the joe-jobbing was enough to convince some extremely ignorant mail admins that Compu.net is spamming and blocked mail from compu.net. Compu.net has also seen the effects of DDoS attacks on other DNS blacklist maintainers. They've decided that the risk to their actual business is too great and they are pulling the plug on their DNS blacklist before they come under the gun by spammers.

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=3f70e839%241%40dimaggio.newszilla.com

Ron Guilmette, maintainer of the Monkeys.com blacklists, has posted a farewell from Monkeys.com to news.admin.net-abuse.email. Ron cites the total lack of interest in the attacks by both big network providers and law enforcement authorities as the ultimate reason he's pulling the plug.

http://groups.google.com/groups?q=%22Now+retired+from+spam+fighting%22&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=vn1lufn8h6r38%40corp.supernews.com&rnum=4

It's truly a sad day for spam fighters everywhere.

So, my question for NANOG is how does one go about attracting the attention of law enforcement when your network is under attack? How does the target of such an attack get a large network provider whose customers are part of the attack to pay attention? Is media attention the only way to pressure a response from either group? These DDoS attacks have received some attention in mainstream media:

http://www.msnbc.com/news/959094.asp?0cv=TB10
http://www.boston.com/news/nation/articles/2003/08/28/saboteurs_hit_spams_blockers

Apparently it hasn't been enough. Legal remedies take too long and are cost prohibitive (unless you're the DoJ). Subpoenas and civil lawsuits take months if not years. Relief is needed in days if not hours.

Justin
On Wed, 24 Sep 2003, Mark Segal wrote:
> I think some RBLs might get better responses from the ISPs when they stop taking "collateral damage gets the abuse department's attention" attitudes. Some RBLs cause many providers a LOT of headaches, so it is not surprising that when it is their turn to complain, the ISPs will just say: post to abuse.ddos.isp.net and we might get around to fixing it. :)
>
> Regards,
> Mark
True. However, I also subscribe to those beliefs. When an ISP knowingly allows a spammer to sign up for network service, knowing full well what they are planning to do with it (read: pink contracts), and ignores abuse complaints, then what other form of action is there than to use collateral damage at that ISP? Providers more often than not intentionally put non-spamming customers' networks within spitting distance of their spamming customers in the hopes that RBLs won't blacklist the provider's networks around the spammers.

I don't want to start an off-topic flame thread on NANOG, but the merits of collateral damage have been discussed numerous times in numerous places. Many people won't use it. Most don't like it. No one has offered another plausible alternative.

Anyhow, this is getting OT. Back to the topic at hand, DNS RBLs coming under the gun. :-(

Justin
In a message written on Wed, Sep 24, 2003 at 01:28:19PM -0500, Justin Shore wrote:
> True. However, I also subscribe to those beliefs. When an ISP knowingly allows a spammer to sign up for network service, knowing full well what they are planning to do with it (read: pink contracts), and ignores abuse complaints, then what other form of action is there than to use collateral damage at that ISP? Providers more often than not intentionally put
The answer is to take the high road and just list the spammer. If, as you suggest, the ISP knowingly signs up the spammer, then they already expect the collateral damage, are probably, in general, ok with it, and you're not going to have any effect in getting them to change. However, by listing larger and larger blocks of unrelated customers you piss off random end users, and more importantly the mail admins that use -- and could support -- your RBL. I know more than a few mail admins who gave up on various RBLs after they "went off the deep end", blocking more legitimate mail under the guise of trying to force ISPs to do something than spam.

I suspect a well run RBL that was able to take the high road, and offered good response time, would find mail admins would pay a small subscription fee; they could buy bandwidth from a provider, and more importantly, since they were a paying customer and not a kook, they would get excellent support from ISPs in tracking DDoS attacks.

That said, I don't think the RBL users often understand the complexity of the issue, which further annoys ISPs. I know I've been involved in several issues where a reputable e-commerce site buys service quite above board. They then have an affiliate program, where people can sign up online and get goods. A number of spammers then sign up, joe-job the e-commerce company and make off with a few hundred dollars in goods. In the cases I've been involved with, the e-commerce company immediately terminates them for violating the terms of the affiliates agreement, but it only takes two or three of these instances for the RBLs to start blocking the company, screaming "pink contracts" and blocking the ISP's other users. So, while the RBLs hurt the ISPs, and the ISPs tie up the RBLs' time with an issue they aren't going to be able to solve, the real spammer gets away scot-free, and the ISP has to deal with other customers who have been caught in the collateral damage of the RBL.
Just once I'd like to see an RBL come to my employer saying "we've found this spam we think transited your servers and would like to work with you to find the real source and block it". Instead they all seem to send an e-mail to the effect of "You pathetic worthless $*&@&@#&$#$. Stop sending this crap and terminate your customer in the next 10 minutes, or else" and then proceed 10 minutes later to list every IP ever affiliated with the ISP. No wonder the same abuse people aren't eager to help when the RBL comes back and asks for help.

--
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
Mark Segal wrote:
> I think some RBLs might get better responses from the ISPs when they stop taking "collateral damage gets the abuse department's attention" attitudes. Some RBLs cause many providers a LOT of headaches, so it is not surprising that when it is their turn to complain, the ISPs will just say: post to abuse.ddos.isp.net and we might get around to fixing it. :)
Monkeys had no collateral damage issues until PHL was released due to non-response from ISPs. openrbl.org does not host a blacklist and thus cannot have collateral damage. SBL is famous for its lack of collateral damage. ORDB is specialized and has had no collateral damage issues.

-Jack
Jack Bates wrote:
> Mark Segal wrote:
>
>> I think some RBLs might get better responses from the ISPs when they stop taking "collateral damage gets the abuse department's attention" attitudes. Some RBLs cause many providers a LOT of headaches, so it is not surprising that when it is their turn to complain, the ISPs will just say: post to abuse.ddos.isp.net and we might get around to fixing it. :)
It's useful to be careful in how we define collateral damage here. Collateral damage can include, for example, non-spam email coming from a spammer's site. In this context, we're talking about _escalation_ of listings outside of the demonstrated spamming/abusive/insecure IPs.
> Monkeys had no collateral damage issues until PHL was released due to non-response from ISPs.
The PHL is the escalation.
> openrbl.org does not host a blacklist and thus cannot have collateral damage.
> SBL is famous for its lack of collateral damage.
SBL does escalation, but rarely. (WCG, Chinanet for example).
> ORDB is specialized and has had no collateral damage issues.
ORDB does not escalate. Has it been DDOSed? Pointless; open relay blacklists are virtually useless these days. SPEWS escalates (obviously). The DDOSes have been against SPEWS, SBL and Monkeys. Most of the other targets were re-publishers/distributors of SPEWS (i.e. SORBS, Osirus, openrbl.org). Each of the three are _very_ public targets and generate lots of chatter/discussion on NANAE. Monkeys of course has RFG behind it and all that denotes.
Participants (5): Chris Lewis, Jack Bates, Justin Shore, Leo Bicknell, Mark Segal