At 09:33 AM 4/7/2003 -0700, you wrote:
On Monday, April 7, 2003, at 09:15 AM, Brad Spencer wrote:
rules require cooperation or policemen. What's your policeman here?
Right now the policeman is the spammer's ISP - give the ISP evidence of
abuse by the spammer and the ISP just about has to act. The honeypot
operators tell the ISPs of the abuse - the ISPs act.
If that were true, would the blackhole sites that exist today exist? Why
couldn't the blackhole sites simply report this to the ISP and expect the
ISP to act? If this were true, any time we found an open relay, we could
report it to an ISP and it'd be blocked at the ISP's firewall, right?
The blackholes have open relay sites listed or have spam sources
listed. Neither, according to you, is regarded as illegal or as an
abuse by the ISP. The honeypot is the abused IP - the spammer is trying
to steal service from an open relay and getting reported. That is
something the ISP should act on - it is abuse.
I'm comfortable in principle with blocking all open relays - the problems
come in the details. Better yet, block spam sources - don't worry why they
are spam sources. Again, the problems are in the details. I'd favor a
fairly rapid aging off of listed IPs - if they continue to be spam sources
they'll get listed again real soon. The detail is the identification of
spam sources - it's labor intensive for many blocklists so they can't
afford to have short listing lifetimes (if they wanted.)
except it doesn't happen. So how does adding honeypots to the system make
the ISP react to the data?
Spam isn't illegal, except in very limited ways in limited jurisdictions.
And in reality, spam (like porn) is seen as a lucrative business by some
companies. They've already decided to turn a deaf ear to complaints. How
does this change that?
That's partly my point. Spam may not be illegal (the ISPs can convince
themselves of this even though spam is illegal in several states) but the
abuse used to send the spam is illegal. I get ISPs to act on the basis of
the abuse, not on the basis that the abuse sends spam. That may not appeal
to purists (who want the ISPs to act strictly against spam) but it gets the
job done. For me it does happen. uu.net acted on my information (as far
as I can tell) way back when they were accused of ignoring
complaints. Maybe the complaints are accurate: I send powerful enough
complaints that they can't be ignored. Same with Michael Tokarev's Moscow
honeypot (which had an associated web page.) uu.net had to be told more
than once but as soon as they _got_ the message there were hits on the web
page from a great many uu.net IPs, probably corporate ones. Ultimately
uu.net acted on the complaints. They did learn to just do a refresh and
find for themselves the uu.net IPs that appeared to be sending spam
to/through the honeypot. (It's "appeared to be" because Ralsky used an
asymmetrical routing scheme so that the apparent spam sources were
throwaway dialup IPs rather than the actual IP of the spam source. That
worked for Ralsky while the complaints were based on the spam after it
reached a user. It failed when the complaint was from a honeypot that had
a live log on a web page. He ran out of throwaway accounts on three
different ISPs in one weekend.)
As to the security world, they seem to emphasize making a system immune
to being rooted (as opposed to making those that try to root systems feel
pain.)
could that be because trying to "cause pain" (as in reporting them to ISPs
and having the ISP react in some way) doesn't work?
Sure could. I have no data; this is a topic for a different IETF group. I
have sometimes reported suspicious connection attempts to the ISPs and have
sometimes gotten responses indicating they have acted. I doubt that the
regular practice is to report suspicious attempts - most just ignore them,
I think. Mostly I ignore them, for that matter.
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg