2006.06.07 NANOG-NOTES Smart Network Data Services
(I'm starting to guess I'd finish sending these out faster if I stopped falling asleep on my keyboard so often... --Matt)

2006.06.07 Welcome to Wednesday morning

http://www.nanog.org/
click on Evaluation Form
Let us know how the M-W vs S-Tu format; next time will be S-Tu due to ARIN joint meeting, but need more feedback!

Bill Woodcock, been on program committee

And lightning talk people need to send their slides to Steve Feldman!!

Eliot Gillum, ISP community, notifications to
Smart Network Data Services
[slides are at http://www.nanog.org/mtg-0606/pdf/eliot-gillum.pdf]

AGENDA
  postmaster services
  SNDS
  problem
  goal
  today
  tomorrow
  motivation
  feedback/dialog
  questions/discussion

Postmaster--starting point for any issues you have sending mail into Hotmail/MSN Live.
It's like AOL skunkfeed, you can do junk mail reporting.
Lets you see what bad stuff is coming from your domain.
SenderID
Site is at: http://postmaster.msn.com/snds/

Problem: bad stuff on the internet (spam, phishing, zombies, ID theft, DDoS) makes customers unhappy.
Solution #1 -- try to stop it before it hits customers
  doesn't really *solve* the problem
Solution #2 -- take what we learn, apply it upstream, get more bang for buck

#2: #1 is too low
ISP-centric efficiency
  solution #1, n ISPs have n-1 problems, total is O(n^2)
  n ISPs have 1 problem (themselves), total is O(n)
  reduces work of the overall system.

Crux
today people and ISPs are measured by how much BAD stuff they *receive*
Not judged by what they send out.
similar to healthcare industry
no tight feedback loop to ISP behaviour
nice quotes on slides
http://www.circleid.com/posts/how_to_stop_spam

7 step program (like 12 step, but shorter)
  1: recognize the problem: SNDS
  2: believe that someone can help you : Me
  3: Decide to do something : You
  8: Make an inventory of those harmed : SNDS
  9: Make amends to them : Tools
  10: Continue to inventory : SNDS
  12: Tell others about the program : You

What is SNDS
Website that offers free, instant access to MSN data on activity coming from your IP space
  data that correlates with "internet evils"
  informs ISP to enable local policy decisions
Automated authorization mechanism
  uses WHOIS and rDNS
  users are people not companies
A force multiplier attempt.
You can do it on your own, no need to sign up your company officially as long as you're an rWHOIS/WHOIS contact.

SNDS goal: provide info which allows ISPs to detect and fix any undesired activity.
  qualitative and quantitative data
  "No ISP left behind"
  stop problems upstream of the destination
  Bring total cost of remediation to absolute minimum
  keep service free
Make internet a better place.

We have data!
Windows Live Mail/MSN Hotmail is a spam and spoofing target.
  4 billion inbound mails/day
  90/10 spam/ham by filtering technologies
  User reports on spam, fraud, etc.

Inbound mail system slide--ugly to read, too dark.

SNDS website slide shown.
You can see daily aggregated traffic from your network; activity periods, IPs, commands and messages seen on port 25, samples of exchanges.
Filter results on your mail
rate at which users press "this is junk" on your mail.
Trap counts for when IPs hit their junk filters.
comments column is catch-all for anything else they might put in; like open proxies, when tested positive.
"export to CSV" button, so you can feed the data in to your own systems if you want.

Today's Scenario
Illustrate magnitude and evidence of a problem.
additional resources
monitoring infrastructure

SNDS Stats
  2500 users
    mostly senders
  67 million IPs
  10-20% of inbound mail and complaints
  Output drops by 57% on /24+ when monitored by SNDS

SNDS tomorrow
Usability
  signup by ASN
  better support for upstream providers
  access transfer
Utility
  programmatic access
Data
  virus-infected emails
  phishing
  honeymonkey
  sample messages
Expand the coverage, try to hit more of the problems on the net.
Provide sample messages, compelling evidence when facing customers
This hasn't shipped yet, it's what he's hoping to have in a month or two.

Tomorrow's Scenarios
Lowered barrier to entry
  recurring "cost"
ISP types
  end-user
  tier 1/2 monitoring, tier 2/3 directly
attack more than just spam
  virus emails -> infected PCs, outbound virus filters
  phishing/malware hosting -> takedowns.
Is asymmetric routing a sign of people trying to launch hidden abuses of the net?
Looking to hit more issues, like spotting virus-laden messages; either infected, or an open relay.
Hoping that automation speeds response.

Safety Tools
Stinger: http://vil.nai.com/vil/stinger
Nessus: http://www.nessus.org/
[oy, read the list from his slide, it's long.]
green items on the list are free, others are pay-for products.
Pay-for isn't necessarily a bad thing if you get benefit!
Safety tool breakdown from MSN on next slide.

Motivation:
Hypothesis: everyone benefits
Customers: infected users get fixed
  safer, cheaper, better internet experience
ISPs
  solution #1 isn't solving the problem
  altruistic is the "new" selfish
Microsoft
  only benefits if everyone else does
make business case why they're doing this.
They need to stop paying costs of trying to deal with spam.
Wants to get benefit of being one of the people seeing a cleaner internet

ISP Motivation
Customers
  they're unhappy, unsafe
  they like people who fix that
  be the hero
  retain customers
  win new ones
fixing has more benefits than bandaging
[bandaging is just sticking fingers in the dike, it doesn't scale, eventually we run out of fingers to stick in the holes]
cost reductions
  bandwidth--slow growth demands
  support--fewer complaints to your help desk.
Community
  NANOG

Motivation alternatives
Industry scorecard
  public recognition
  public shame
Logo ISP program--how clean are you?

Business case
Some nice quotes from different people around the business case needed here.
appeal to cost reduction and revenue generation
this is starting to happen.
let your sales and marketing people know about this.
Boston university business case, students arriving with computers presented danger/load to their help desk.
Qwest provides windows/one software to their users.

Feedback:
usability--how easily can you work with it?
utility--what can you do?
what's missing
  tools to aid customer remediation
  need IPv6 support at some point
how do ISPs see cost vs benefits
  costs, benefits, NANOG aggregation
how do we get critical mass?
msn-snds@microsoft.com

Discussion:
How does SNDS fit into the larger ecosystem
  relationship to senderBase.org
  SCOMP/JMRP
  REACT
  adam, rick at support intelligence
Yahoo is working on a system like this, Irene Lai is here to work on that, email her if you're interested.
Should/how do other ISPs provide this?
  common schema, authorization, authentication
  federation, delegation, aggregation
Forum
  bof/track?
  NANOG/MAAWG?
Mailing list: upstream@mipassoc.org

Conclusion:
http://postmaster.msn.com/
http://postmaster.msn.com/snds/
Try it!
tell people about it!

Q: Matt asks whether Microsoft will point their own systems at it, since Nick Feamster's presentation showed on slide 12 that Microsoft was #10 on the list of spam *sources* that his honeypots saw?
A: Yes, he is connecting the systems that track mail sending from Hotmail to this as well, so that they can start making sure they're cleaning their own house as well.

on to next talk.
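
Added example, not part of the original notes and not Microsoft's code: one way to feed an exported CSV into your own triage, as the notes suggest, grouping flagged IPs by covering /24. The column names, thresholds and sample rows are assumptions constructed from the fields the notes list, not the real SNDS export layout.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export. Column names are assumptions based on the fields
# the notes mention (IP, port-25 commands, junk-report rate, trap hits,
# comments); they are not the real SNDS CSV layout.
SAMPLE_CSV = """ip,rcpt_commands,data_commands,complaint_rate,trap_hits,comments
192.0.2.10,1200,1100,0.1%,0,
192.0.2.77,98000,91000,2.3%,41,open proxy
192.0.2.80,45000,44000,0.9%,3,
198.51.100.5,300,300,0.0%,0,
198.51.100.9,15000,15000,< 0.1%,12,
"""


def parse_rate(text):
    """Turn '2.3%' or '< 0.1%' into a fraction; a '<' bound counts as its ceiling."""
    return float(text.replace("<", "").replace("%", "").strip()) / 100.0


def triage(csv_text, max_complaint=0.01, max_trap_hits=10):
    """Return {/24 network: [(ip, reasons), ...]} for rows needing follow-up.

    The thresholds are illustrative local policy, not values from SNDS.
    """
    flagged = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        if parse_rate(row["complaint_rate"]) > max_complaint:
            reasons.append("complaint rate " + row["complaint_rate"].strip())
        if int(row["trap_hits"]) > max_trap_hits:
            reasons.append("trap hits " + row["trap_hits"].strip())
        if row["comments"].strip():
            reasons.append("note: " + row["comments"].strip())
        if reasons:
            # Group by covering /24 so one customer block shows up together.
            net = ipaddress.ip_network(row["ip"] + "/24", strict=False)
            flagged[str(net)].append((row["ip"], reasons))
    return dict(flagged)


if __name__ == "__main__":
    for net, hosts in sorted(triage(SAMPLE_CSV).items()):
        print(net)
        for ip, reasons in hosts:
            print("   ", ip, "->", "; ".join(reasons))
```
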
On Friday 09 Jun 2006 12:22, Matthew Petach wrote:
> (I'm starting to guess I'd finish sending these out faster if I stopped falling asleep on my keyboard so often... --Matt)

Get more sleep -- Nanog isn't worth losing sleep over.

> nice quotes on slides
> http://www.circleid.com/posts/how_to_stop_spam

http://www.circleid.com/posts/there_is_no_spam_problem/

Hehe of course when Carl at AOL claimed that, AOL-based bots were still the single largest source of spam received here. Eternal vigilance......

> SNDS tomorrow
> Usability

The sign-up process is very painful.

Microsoft Passports really aren't appropriate for business accounts, my employer don't have a mother's maiden name, or a first pet. At one point it claimed the name of my first pet must have more than 5 characters in it? (Perhaps they should aim for things likely to have more information in them, besides my mother's maiden name has been published in the newspapers).

I sent a request for help, as the process fell over at the stage of authorising the first address range I requested. With a failure to handle the URL sent for me to click.

> Q: Matt asks whether Microsoft will point their own systems at it

Let's hope they do an AOL, as after emailing Carl the problem was fixed pronto.
On 6/9/06, Simon Waters <simonw@zynet.net> wrote:
> On Friday 09 Jun 2006 12:22, Matthew Petach wrote:
> > SNDS tomorrow
> > Usability
>
> The sign-up process is very painful.
>
> Microsoft Passports really aren't appropriate for business accounts, my employer don't have a mother's maiden name, or a first pet. At one point it claimed the name of my first pet must have more than 5 characters in it? (Perhaps they should aim for things likely to have more information in them, besides my mother's maiden name has been published in the newspapers).
>
> I sent a request for help, as the process fell over at the stage of authorising the first address range I requested. With a failure to handle the URL sent for me to click.

Interesting--it's good for me to hear what people are saying about it, as I can't access it myself--my MSN accounts were all locked, and part of the termination agreement stipulated that I'm forbidden from accessing their services.

It does mean the service is limiting its own scope by requiring Passport-based logins like that, as I'll never be able to use it to see if any of the domains/netblocks I'm responsible for might be originating spam.

Perhaps if Microsoft is truly interested in helping clean up the Internet, they might lift the Passport login requirement?

Matt
[tempted to set Reply-To: to msn-snds@microsoft.com, but that might be considered antisocial. ^_^ ]
participants (2): Matthew Petach, Simon Waters