RE: How many backbones here are filtering the makelovenotspam screensaver site?
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
-----Original Message----- From: Steven Champeon [mailto:schampeo@hesketh.com] Posted At: Thursday, December 02, 2004 1:09 PM Posted To: NANOG Conversation: How many backbones here are filtering the makelovenotspam screensaver site? Subject: Re: How many backbones here are filtering the makelovenotspam screensaver site?
My point was to Martin's question about what would happen if - god forbid - there were large botnets under the control of spammers; a careful reading will suggest that my major point was, duh, that there already are large botnets under the control of spammers.
I realize that is the point you were trying to make. I also realize that Martin is pretty well aware of botnets and the threat they create. I suspect that most other readers on NANOG are also well aware. What doesn't seem to be as common knowledge as I would expect is that botnets are a commodity. As such they are traded, sold, purchased and even stolen. That last point is particularly important in this case. Lycos has created a large botnet (at least by most people's definition) that is hidden in the guise of a screen saver claiming to only go after the "bad guys". This botnet uses a command and control server that is now well publicized, and uses a communication channel that is not encrypted or obfuscated in any way. That makes it a botnet just asking to be stolen. Fortunately the C&C server is blackholed by what seem to be a large number of providers and the botnet is now fairly useless.
Good point. Simply put, I can (and do) read my own mail server logs. And I can see that many ISPs - regardless of what they may be doing in onesy-twosy increments - simply aren't doing enough to prevent new botnet infections from wasting my server's cycles in futile attempts to deliver spam, outscatter, virus warnings, etc. etc. ad infinitum.
It is certainly more than "onesy-twosy increments" but I agree that the problem is large enough that it certainly feels like a weak attempt from the average user/operator's point of view.
This costs me time and money, and many of the same ISPs mentioned above are simply cost-shifting their own responsibility onto me and everyone else, and I'm tired of it.
I encourage everyone to vote with their wallet when it comes to this type of thing. Buy your transit from organizations with dedicated security teams that actively engage in SPAM/Bot/Worm/Virus fighting efforts. Those things cost money and take time and are usually unacknowledged efforts. Larger providers seem to make easier targets when it comes to placing blame and saying that they aren't doing enough to combat miscreant activity. I don't believe that is the case overall. They just have a much larger customer base, higher volumes of traffic to inspect, and more politics to work within.
Not to say there aren't responsible ISPs, and I hope that anyone who /is/ a part of the solution, rather than the fertile substrate for the problem, is capable of recognizing that and not taking offense when I point out there are others who could do more.
I believe that EVERYONE could do more on this front. It is a moving battle that requires constant improvement just to stay afloat, let alone get ahead. For those genuinely interested in improving what they are doing on this front I strongly encourage you to attend the NSP-Sec BOFs at NANOG. You might be surprised what you learn and who you meet that can be helpful.
As for go180.net, you don't show up much on my radar, but on Nov 9th we were hit by a spammer from SpokaneHotZone-63.go180.net [66.225.5.63]. I trust this is not a legitimate mail server and I can block it and any other host that looks like it within the same domain, right? Thanks. Otherwise, you may want to do something to distinguish it from the other generic hosts in the same range.
Glad you don't see much from us; it must mean that the effort put forth by some of our team is not going to waste. You are correct, that is not a legitimate mail server but is an IP from a city-wide wireless network. That network has since been secured to restrict TCP 25 outbound (along with other typical miscreant traffic), so you shouldn't see anything again from that network on port 25. If we rise up on your radar in the future feel free to make use of the typical NOC and Abuse e-mail addresses; they do get answered and acted upon here.
Regards, Chad
----------------------------
Chad E Skidmore One Eighty Networks, Inc. http://www.go180.net 509-688-8180
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQA/AwUBQa+VUk2RUJ5udBnvEQJXPQCeMhYgS4vHzmjP2fpgVeEFySQWw4QAn1f/ g70E3QaL3VOcZvILXD80AqjF =he0W
-----END PGP SIGNATURE-----
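Steven's question above (can SpokaneHotZone-63.go180.net be blocked along with anything else that "looks like it" in the same domain?) and Chad's answer (it is a pool address on a city-wide wireless network, not a mail server) describe the reverse-DNS heuristic many receiving mail servers apply: a PTR that embeds the client's own address names a slot in an access pool, not a deliberately configured MTA. The following is an added example written for this page, not code from either poster or from One Eighty Networks. It flags such generic PTR names, generalises the one observed name into a pattern that matches its pool-mates, and returns an accept/reject verdict for a list of connections. Only 66.225.5.63 / SpokaneHotZone-63.go180.net comes from the thread; the other sample hosts, the MTA_LABELS exemption list and all function names are assumptions made for the example.

```python
"""Classify inbound SMTP peers by the naming of their reverse DNS (PTR) records.

Added example, not code from the NANOG thread. The only real data point is
66.225.5.63 / SpokaneHotZone-63.go180.net from Steven's log; the other hosts
below are constructed to exercise the other common pool-naming schemes.
"""
import ipaddress
import re

# Constructed sample of (peer IP, PTR) pairs as a receiving mail server sees them.
SAMPLE_CONNECTIONS = [
    ("66.225.5.63", "SpokaneHotZone-63.go180.net"),   # the host named in the thread
    ("66.225.5.71", "SpokaneHotZone-71.go180.net"),   # assumed pool-mate
    ("66.225.5.10", "mail.go180.net"),                # assumed legitimate MTA
    ("192.0.2.77", "192-0-2-77.dyn.example.net"),     # assumed dashed-octet naming
    ("198.51.100.9", "c6336409.dsl.example.org"),     # assumed hex-encoded address
]

# First labels that usually name a real MTA rather than a pool member. This list
# is an assumption; tune it for your own traffic. A client cannot forge a PTR under
# someone else's domain, so the exemption keys on the owner's naming, not the client's.
MTA_LABELS = {"mail", "smtp", "mx", "relay"}

# Regex fragments substituted when generalising one observed name into a pool pattern.
TOKEN_PATTERNS = {
    "\x01": r"\d{1,3}(?:[-.]\d{1,3}){3}",   # all four octets, dashed or dotted
    "\x02": r"[0-9a-f]{8}",                 # address written as eight hex digits
    "\x03": r"\d{1,3}",                     # a single octet
}


def _octets(ip: str) -> list[str]:
    return str(ipaddress.IPv4Address(ip)).split(".")


def _full_address_encodings(octets: list[str]) -> list[str]:
    """Ways a whole IPv4 address is commonly embedded in a pool hostname."""
    return ["-".join(octets), ".".join(octets), "-".join(reversed(octets))]


def _hex_encoding(octets: list[str]) -> str:
    return "".join(f"{int(o):02x}" for o in octets)


def is_generic_hostname(ip: str, ptr: str) -> bool:
    """True when the PTR embeds the peer's own address, i.e. it names a pool slot
    rather than a deliberately configured mail server."""
    octets = _octets(ip)
    host = ptr.lower().rstrip(".")
    first = host.split(".")[0]
    if re.sub(r"[\d-]", "", first) in MTA_LABELS:
        return False
    if any(enc in host for enc in _full_address_encodings(octets)):
        return True
    if _hex_encoding(octets) in host:
        return True
    # Last octet standing alone in the first label, e.g. SpokaneHotZone-63 for .63
    return re.search(rf"(?<!\d){octets[-1]}(?!\d)", first) is not None


def sibling_pattern(ip: str, ptr: str) -> re.Pattern:
    """Generalise one observed generic name into a regex for its pool-mates:
    SpokaneHotZone-63.go180.net becomes spokanehotzone-<octet>.go180.net."""
    octets = _octets(ip)
    tmp = ptr.lower().rstrip(".")
    for enc in _full_address_encodings(octets):
        tmp = tmp.replace(enc, "\x01")
    tmp = tmp.replace(_hex_encoding(octets), "\x02")
    tmp = re.sub(rf"(?<!\d){octets[-1]}(?!\d)", "\x03", tmp)
    body = "".join(TOKEN_PATTERNS.get(ch, re.escape(ch)) for ch in tmp)
    return re.compile(f"^{body}$")


def smtp_verdict(ip: str, ptr: str, pool_patterns: list) -> str:
    """'reject' for a learned pool pattern or a generic PTR, otherwise 'accept'."""
    host = ptr.lower().rstrip(".")
    if any(p.match(host) for p in pool_patterns) or is_generic_hostname(ip, ptr):
        return "reject"
    return "accept"


def audit(connections, pool_patterns) -> list[tuple[str, str, str]]:
    """Apply smtp_verdict to every (ip, ptr) pair and return (ip, ptr, verdict)."""
    return [(ip, ptr, smtp_verdict(ip, ptr, pool_patterns)) for ip, ptr in connections]


if __name__ == "__main__":
    # Learn the pool pattern from the one spammer Steven saw, then apply it to the sample.
    learned = [sibling_pattern("66.225.5.63", "SpokaneHotZone-63.go180.net")]
    print("pool pattern:", learned[0].pattern)
    for ip, ptr, verdict in audit(SAMPLE_CONNECTIONS, learned):
        print(f"{ip:<15} {ptr:<32} {verdict}")
```

The single-octet rule is the weakest of the three checks: a legitimate host such as ns2 sitting at .2 would trip it, which is why the MTA_LABELS exemption exists and why a receiver should treat this as one scoring input rather than a hard reject on its own. The cleaner fix is the one Chad describes, filtering TCP 25 outbound at the pool's own edge, so the receiving server never has to make this guess.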
Lycos has created a large botnet (at least by most people's definition) that is hidden in the guise of a screen saver claiming to only go after the "bad guys".
This is what scares me. Who determines the "bad guys"? I don't know anyone over at Lycos so I have no trust (or lack thereof) in Lycos. Who is to say that Lycos won't decide next month that Yahoo, Google, MSN, _insert your own network here_ are "bad guys" and point the screen saver at them. Are they likely to do it? Probably not; it would be a PR nightmare for them. But who is to stop them? What if they don't go so extreme and just point the screen saver at "gray hat" hosts who are open relays or something? My opinion (not that anyone asked) is retaliation is childish and unprofessional. I remember the Internet before spam, botnets, DDoS, etc. and dream of a day when these are "under control" again just as much as the next geek. However, stooping to the level of the miscreant is not the answer to the problem in my opinion.
Justin Ryburn justin@ryburn.org "Dance like nobody's watching; love like you've never been hurt. Sing like nobody's listening; live like it's heaven on earth." -- Mark Twain
----- Original Message ----- From: "Chad Skidmore" <cskidmore@go180.net> To: <nanog@merit.edu> Sent: Thursday, December 02, 2004 4:21 PM Subject: RE: How many backbones here are filtering the makelovenotspam screensaver site?
On Thu, 2 Dec 2004, Justin Ryburn wrote:
This is what scares me. Who determines the "bad guys?" I don't know anyone over at Lycos so I have no trust (or lack there of) in Lycos. Who is to say that Lycos won't decide next month that Yahoo, Google, MSN, _insert your own network here_ are "bad guys" and point the screen saver at them.
Common sense?
participants (3)
- Chad Skidmore
- Justin Ryburn
- Patrick