RE: GoDaddy's abuse procedures [was: ICANNs role [was: Re: On-going ...]]
 
            While you have your friend's ear, ask him why they maintain a spam policy of blocking complete /24's when: a) the space has been divided into multiple sub-blocks and assigned to different companies, all well-documented and queryable in ARIN b) there have been repeated pleas to whitelist a certain IP in separate sub-block that is only being punished for the behavior of others in a different sub-block. Frank -----Original Message----- Sent: Tuesday, April 03, 2007 8:20 AM To: 'nanog@nanog.org' Cc: 'don@calis.blacksun.org' Subject: Re: ICANNs role [was: Re: On-going ...]
I think the shutdown of seclists.org by GoDaddy is a perfect example of exactly why the registrars should NOT be making these decisions.
I know the head abuse guy at GoDaddy. He is a reasonable person. He turns off large numbers of domains but he is human and makes the occasional mistake. The fact that everyone cites the same mistake tells me that he doesn't make very many of them. If you demand that the shutdown process be perfect and never make any mistakes ever, even ones that involve peculiar e-mail failures and are fixed in a day or two, you're saying there can't be any shutdown process at all.
If you want a really simple, and probably very effective first step, then stop domain tasting. It doesn't help anyone but the phishers.
Actually, I have never seen any evidence that phishers use domain tasting. Phishers use stolen credit cards, so why would they bother asking for a refund? The motivation for tasting is typosquatting and "monetization", parking web pages full of pay per click ads on them. Tasting is a bad idea that should go away, but phishing isn't the reason. R's, John
 
            On Sat, 07 Apr 2007, Frank Bulk wrote:
While you have your friend's ear, ask him why they maintain a spam policy of blocking complete /24's when: a) the space has been divided into multiple sub-blocks and assigned to different companies, all well-documented and queryable in ARIN b) there have been repeated pleas to whitelist a certain IP in separate sub-block that is only being punished for the behavior of others in a different sub-block.
Frank
<realitycheck> You're complaining of blocked /24's. I block off up to /6's from reaching certain ports on my networks. Sound crazy? How many times should I contact the netblock owner and hear the same generic "well you have to open up a complaint with our abuse desk... golly gee Joseph." Only to have the same repeat attacks over and over and over. Sure, I'll start out blocking the offensive address, then shoot off an email here and there, even post to this or another list or search Jared's list for a contact and ask them politely "Hey... I see X amount of attackers hitting me from your net" But how long should I go on for before I could just say "to hell with your users and network... They just won't connect." It's my own right when it comes to my network. People complain? Sure, then I explain why, point out the fact that I HAVE made attempts at resolutions to no avail. So should the entire network be punished... No, but the engineers who now have to answer THEIR clients on why they've been blacklisted surely are punished, aren't they? Now they have to hear X amount of clients moan about not being able to send either a client, vendor or relative email. They have to either find an alternative method to connect, or complain to their provider about connectivity issues. Is it fair? Yes, it's fair to me, my clients, networks, etc., that I protect it. Is it fair to complain to deaf ears when those deaf ears are the ones actually clueful enough to fix? On a daily basis I have clients who should be calling customer service for issues contact me directly. Know what I do? ... My best to fix it, enter a ticket number on the issue and go about the day. One way or the other I'm going to see the ticket/problem, so will it kill me to take a moment or two to fix something? Sure I will bitch, moan and yell about it, but a minute later, AFTER THE FIX, since things of this nature usually don't take that much time, guess what? Life returns to normal.
http://www.infiltrated.net/bforcers/5thWeek-Organizations Have a look, will you? These are constant offending networks with hosts that are repeatedly ssh'ing into servers I maintain. Is it unfair to block off their entire netblock from connecting via ssh to my servers? Hell no it isn't. If I have clients on this netblock, in all honesty, tough. Let them contact their providers after I tell them their provider has been blocked because of the garbage on their network. Let their provider do something before I do, because heaven knows how many times I have tried reaching someone diplomatically before I went ahead and blocked their entire /6 /7 /8 /9 /10 and so on from connecting to me via ssh or whatever other service they've intruded or attempted to intrude upon. Blocks? They usually last for 2 weeks, then I take them off and start ALL over again. Of course I've automated this so it's no sweat off my shoulders. So you tell me in all honesty why someone should not escalate and block off entire blocks. </realitycheck> -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo echo @infiltrated|sed 's/^/sil/g;s/$/.net/g' http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743 "How a man plays the game shows something of his character - how he loses shows all" - Mr. Luckey
 
Joe: I understand your frustration and appreciate your efforts to contact the sources of abuse, but why indiscriminately block a larger range of IPs than what is necessary? Here's the /24 in question:
Combined Systems Technologies NET-CST (NET-207-177-31-0-1) 207.177.31.0 - 207.177.31.7
Elkader Public Library NET-ELKRLIB (NET-207-177-31-8-1) 207.177.31.8 - 207.177.31.15
Plastech Grinnell Plant NET-PLASTECH (NET-207-177-31-16-1) 207.177.31.16 - 207.177.31.31 (dial-up, according to DNS)
Griswold Telephone Co. NET-GRIS (NET-207-177-31-32-1) 207.177.31.32 - 207.177.31.63
Griswold Telephone Co. NET-GRIS2 (NET-207-177-31-64-1) 207.177.31.64 - 207.177.31.95 (dial-up, according to DNS)
Jesco Electrical Supplies NET-JESCOELEC (NET-207-177-31-96-1) 207.177.31.96 - 207.177.31.103
American Equity Investment NET-AMREQUITY (NET-207-177-31-104-1) 207.177.31.104 - 207.177.31.111
** open **
Butler County REC NET-BUTLERREC (NET-207-177-31-120-1) 207.177.31.120 - 207.177.31.127
Northeast Missouri Rural Telephone Co. NET-NEMR2 (NET-207-177-31-128-1) 207.177.31.128 - 207.177.31.191
Montezuma Mutual Telephone NET-MONTEZUMA (NET-207-177-31-192-1) 207.177.31.192 - 207.177.31.254 (dial-up, according to DNS)
Block the /24 and you cause problems for potentially 8 other companies. Now the RBL maintainer, or in this case, GoDaddy, has to interact with 8 other companies -- what a lot of work and overhead! If they just dealt with the problem in a more surgical manner they wouldn't have to deal with the other companies asking for relief. Frank -----Original Message----- From: J. Oquendo [mailto:sil@infiltrated.net] Sent: Saturday, April 07, 2007 2:08 PM To: nanog@merit.edu Cc: Frank Bulk Subject: Abuse procedures... Reality Checks On Sat, 07 Apr 2007, Frank Bulk wrote:
While you have your friend's ear, ask him why they maintain a spam policy
of
blocking complete /24's when: a) the space has been divided into multiple sub-blocks and assigned to different companies, all well-documented and queryable in ARIN b) there have been repeated pleas to whitelist a certain IP in separate sub-block that is only being punished for the behavior of others in a different sub-block.
Frank
<realitycheck> You're complaining of blocked /24's. I block off up to /6's from reaching certain ports on my networks. Sound crazy? How many times should I contact the netblock owner and hear the same generic "well you have to open up a complaint with our abuse desk... golly gee Joseph." Only to have the same repeat attacks over and over and over. Sure, I'll start out blocking the offensive address, then shoot off an email here and there, even post to this or another list or search Jared's list for a contact and ask them politely "Hey... I see X amount of attackers hitting me from your net" But how long should I go on for before I could just say "to hell with your users and network... They just won't connect." It's my own right when it comes to my network. People complain? Sure, then I explain why, point out the fact that I HAVE made attempts at resolutions to no avail. So should the entire network be punished... No, but the engineers who now have to answer THEIR clients on why they've been blacklisted surely are punished, aren't they? Now they have to hear X amount of clients moan about not being able to send either a client, vendor or relative email. They have to either find an alternative method to connect, or complain to their provider about connectivity issues. Is it fair? Yes, it's fair to me, my clients, networks, etc., that I protect it. Is it fair to complain to deaf ears when those deaf ears are the ones actually clueful enough to fix? On a daily basis I have clients who should be calling customer service for issues contact me directly. Know what I do? ... My best to fix it, enter a ticket number on the issue and go about the day. One way or the other I'm going to see the ticket/problem, so will it kill me to take a moment or two to fix something? Sure I will bitch, moan and yell about it, but a minute later, AFTER THE FIX, since things of this nature usually don't take that much time, guess what? Life returns to normal.
http://www.infiltrated.net/bforcers/5thWeek-Organizations Have a look, will you? These are constant offending networks with hosts that are repeatedly ssh'ing into servers I maintain. Is it unfair to block off their entire netblock from connecting via ssh to my servers? Hell no it isn't. If I have clients on this netblock, in all honesty, tough. Let them contact their providers after I tell them their provider has been blocked because of the garbage on their network. Let their provider do something before I do, because heaven knows how many times I have tried reaching someone diplomatically before I went ahead and blocked their entire /6 /7 /8 /9 /10 and so on from connecting to me via ssh or whatever other service they've intruded or attempted to intrude upon. Blocks? They usually last for 2 weeks, then I take them off and start ALL over again. Of course I've automated this so it's no sweat off my shoulders. So you tell me in all honesty why someone should not escalate and block off entire blocks. </realitycheck> -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo echo @infiltrated|sed 's/^/sil/g;s/$/.net/g' http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743 "How a man plays the game shows something of his character - how he loses shows all" - Mr. Luckey
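Frank's argument above is that the ARIN sub-allocation data already tells an RBL maintainer how narrow a block can be. The following is an added example, not code from any poster on this thread, that works that out for the /24 he listed: it embeds the sub-allocations from his message as a table, finds the sub-allocation an offending address falls in, turns that registry range into the smallest set of CIDR prefixes (registry ranges are not always one prefix, as .192-.254 shows), and counts which other organisations a wider block would hit. The offender address 207.177.31.200 and the neighbour 207.177.31.105 are hypothetical; the gap at .112-.119 appears on the page only as "** open **" and is treated here as unallocated.

```python
import ipaddress

# Sub-allocations of 207.177.31.0/24 as listed in Frank Bulk's message:
# (organisation, first address, last address). 207.177.31.112-.119 is
# marked only "** open **" on the page, so it is left out here (assumption).
ALLOCATIONS = [
    ("Combined Systems Technologies", "207.177.31.0", "207.177.31.7"),
    ("Elkader Public Library", "207.177.31.8", "207.177.31.15"),
    ("Plastech Grinnell Plant", "207.177.31.16", "207.177.31.31"),
    ("Griswold Telephone Co.", "207.177.31.32", "207.177.31.63"),
    ("Griswold Telephone Co.", "207.177.31.64", "207.177.31.95"),
    ("Jesco Electrical Supplies", "207.177.31.96", "207.177.31.103"),
    ("American Equity Investment", "207.177.31.104", "207.177.31.111"),
    ("Butler County REC", "207.177.31.120", "207.177.31.127"),
    ("Northeast Missouri Rural Telephone Co.", "207.177.31.128", "207.177.31.191"),
    ("Montezuma Mutual Telephone", "207.177.31.192", "207.177.31.254"),
]


def find_allocation(ip):
    """Return the (org, first, last) sub-allocation containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for org, first, last in ALLOCATIONS:
        if ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last):
            return org, first, last
    return None


def surgical_block(ip):
    """Smallest set of CIDR prefixes that covers exactly the offender's
    sub-allocation. A registry range such as .192-.254 is not a single
    prefix, so summarize_address_range may return several. If the address
    is in no known sub-allocation, fall back to blocking just that host."""
    alloc = find_allocation(ip)
    if alloc is None:
        return ["%s/32" % ip]
    _, first, last = alloc
    return [str(net) for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def collateral(prefix, offender_ip):
    """Organisations other than the offender's whose space overlaps a block
    on prefix, i.e. who would have to ask the RBL maintainer for relief."""
    net = ipaddress.ip_network(prefix, strict=False)
    alloc = find_allocation(offender_ip)
    offender_org = alloc[0] if alloc else None
    hit = set()
    for org, first, last in ALLOCATIONS:
        overlaps = (ipaddress.ip_address(first) in net
                    or ipaddress.ip_address(last) in net)
        if overlaps and org != offender_org:
            hit.add(org)
    return hit


if __name__ == "__main__":
    offender = "207.177.31.200"   # hypothetical abusive dial-up host
    print("offender belongs to:", find_allocation(offender)[0])
    print("surgical block:", surgical_block(offender))
    print("orgs hit by a /24 block:", sorted(collateral("207.177.31.0/24", offender)))
    for p in surgical_block(offender):
        print("orgs hit by", p, ":", sorted(collateral(p, offender)))
    print("is 207.177.31.105 collateral under /24?",
          "American Equity Investment" in collateral("207.177.31.0/24", offender))
```

Run stand-alone, the /24 block shows eight other organisations affected, matching Frank's count, while the six prefixes covering only the offender's sub-allocation hit nobody else. The same approach works against live WHOIS data once the table is replaced by the registry's reply; the page does not describe GoDaddy's actual procedure, so nothing here should be read as what they do.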
 
            On Sat, 07 Apr 2007, Frank Bulk wrote:
Joe:
I understand your frustration and appreciate your efforts to contact the sources of abuse, but why indiscriminately block a larger range of IPs than what is necessary?
Far too many times I've tried to contact those who have the DIRECT ability to make things happen and the same constant whiny "Contact our abuse desk" response was given. What mainly happens from here on out is the following: if someone on that subnet needs to do something on mine, many will contact me or others that work with me and state "Why can't we connect?!" The situation will be explained and they'll be told to contact their provider. This seems to be the only logical method I've personally found for some of the bigger providers to respond to incidents. Hit them where it hurts, let them have their own customers bitch and moan about their inability to get things done. Sure, it's not fair to single out an entire subnet. I've gone as far as blocking LACNIC, APNIC, RIPE, /8's on ARIN at a clip for days on end until someone from the offending provider contacted me. Then and only then was I able to get something done. So to answer your question about fairness... It's not fair by any means, but it is effective. I see it as follows... If someone on one of my networks is offending someone else, I'm nipping it in the bud to avoid the possibility of any legal repercussions. And although it may seem far-fetched to look at things in such fashion, I'd rather be safe than sorry. I'd also like to be accountable since, after all, when it boils down to it, it is my job as a network engineer and security engineer to ensure nothing malicious comes into my network as well as exits my network. It's a two-way street. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo echo @infiltrated|sed 's/^/sil/g;s/$/.net/g' http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743 "How a man plays the game shows something of his character - how he loses shows all" - Mr. Luckey
 
            J. Oquendo wrote: ...
So to answer your question about fairness... It's not fair by any means, but it is effective. I see it as follows...
Well, that's the reason why I have a gmail account and all my customers have. I can send even from my dynamic ip-address and still they let me in. They can send to my dynamic ip-address. Important mails are sent host to host. For the records are sent via gmail. There is no need for any other mail provider. They are blocking mails most of the time only allowing spam to get through. Cheers Peter and Karin -- Peter and Karin Dambier Cesidian Root - Radice Cesidiana Rimbacher Strasse 16 D-69509 Moerlenbach-Bonsweiher +49(6209)795-816 (Telekom) +49(6252)750-308 (VoIP: sipgate.de) mail: peter@peter-dambier.de mail: peter@echnaton.arl.pirates http://iason.site.voila.fr/ https://sourceforge.net/projects/iason/ http://www.cesidianroot.com/
 
            On Sat, Apr 07, 2007 at 02:31:25PM -0500, Frank Bulk wrote:
I understand your frustration and appreciate your efforts to contact the sources of abuse, but why indiscriminately block a larger range of IPs than what is necessary?
1. There's nothing "indiscriminate" about it. I often block /24's and larger because I'm holding the *network* operators responsible for what comes out of their operation. If they can't hold the outbound abuse down to a minimum, then I guess I'll have to make up for their negligence on my end. I don't care why it happens -- they should have thought through all this BEFORE plugging themselves in and planned accordingly. ("Never build something you can't control.") Neither I nor J. Oquendo nor anyone else is required to spend our time, our money, and our resources figuring out which parts of X's network can be trusted and which can't. It is entirely X's responsibility to make sure that its _entire_ network can be permitted the privilege of access to ours. And (while I don't wish to speak for anyone else), I think we're prepared to live with a certain amount of low-level, transient, isolated noise. We are not prepared to live with persistent, systemic attacks that are not dealt with even *after* complaints are filed. (Which shouldn't be necessary anyway: if we can see inbound hostile traffic to our networks, surely X can see it outbound from theirs. Unless X is too stupid, cheap or lazy to look. Packets do not just fall out of the sky, y'know?) 2. "necessary" is a relative term. Example: I observed spam/spam attempts from 3,599 hosts on pldt's network during January alone. I've blocked everything they have, because I find it *necessary* to not wait for the other N hosts on their network to pull the same stunt. I've found it *necessary* to take many other similar measures as well because my time, money and resources are limited quantities, so I must expend them frugally while still protecting the operation from overtly hostile networks. That requires pro-active measures and it requires ones that have been proven to be effective.
If X, for some value of X, is unhappy about this, then X should have thought of that before permitting large amounts of abuse to escape its operation over an extended period of time. Had X done its job to a baseline level of professionalism, then this issue would not have arisen, and we'd all be better off for it. So. If you (generic you) can't keep your network from being a persistent and systemic abuse source, then unplug it. Now. If, on the other hand, you decide to stick around anyway while letting the crap flow: no whining when other people find it necessary to take steps to defend themselves from your incompetence. ---Rsk
 
            On Sat, 7 Apr 2007, Frank Bulk wrote:
While you have your friend's ear, ask him why they maintain a spam policy of blocking complete /24's when: a) the space has been divided into multiple sub-blocks and assigned to different companies, all well-documented and queryable in ARIN b) there have been repeated pleas to whitelist a certain IP in separate sub-block that is only being punished for the behavior of others in a different sub-block.
because it's go-daddy's policy not yours and their customers aren't upset enough about 'broken' email to force a change? If you are a go-daddy customer you ought to speak up if this policy really does affect you. -Chris
participants (5)
- Chris L. Morrow
- Frank Bulk
- J. Oquendo
- Peter Dambier
- Rich Kulawiec