[Asrg] Re: Asrg Digest, DNSBL BCP v.2.0
2007-03-02 17:13:39
As you know, in a recent thread I commented on what a
LOUSY solution IP-address-based blacklists are, in
general.
Part of the problem is that it is a VERY blunt instrument,
especially for companies which operate a large network
from behind a NAT router.
Well, I've recently been personally involved in trying to
put out just such a fire at one of my consulting clients.
The client company is an oil and gasoline distributor.
Each evening the software system I built and maintain for
them sends E-mails and fax-by-e-mail price updates to
their customers. It also automatically generates and
routes invoices, credit memos (for example, the amounts of
the 'pay at the pump' credit card transactions they
handled the day before) to their customers. They probably
send something approaching a thousand such
business-critical E-mails and fax-by-E-mails per day.
All works well until about a week and a half ago, one of
their computers managed to get infected by some kind of
exploit (despite every machine in the company having and
running Symantec Antivirus software which is updated
daily). We found the problem within 24 hours and managed
to clean it all up, (hopefully!) but meanwhile at least
one or two E-mail blacklists (including XBL) flagged the
IP address of the company's router, and starting on the
21st some of their E-mails stopped getting delivered due
to the blacklisting. By Saturday, as more ISPs picked up
on the new list, E-fax (who processes and delivers their
fax-by-e-mail transmissions) suddenly started bouncing
even their outgoing fax attempts (even though their
systems had been clean, as best we can tell) for at least
two or three days already.
Businesses which count on reliable AND TIMELY e-mail
transmissions simply cannot have their E-mail
transmissions blocked "en masse" like this.
Not being able to issue credits, deliver invoices, and
send price updates (and in the oil and gas business,
prices change daily) is a monumental burden on a company
which is guilty of nothing more than being a victim, just
like so many other companies and individuals have been
(and, doubtless, will continue to be).
Worse, from a Internet strategic standpoint, the dangers
of this kind of blunt-instrument blocking of E-mails for
AN ENTIRE COMPANY just because ANY ONE computer within
their network is infected (and it could even be an
infected notebook computer carried in from home and
connecting to the office wireless LAN) will force more
companies to insist on MORE DANGEROUS separate, routable
IP addresses for each machine in their company.... so that
blocking will affect JUST ONE of their machines and not
put the whole company out of business. Ultimately, this
"solution" just puts dramatically more (and very unwanted)
pressure on the limited IP address space, and INCREASES
the likelihood of getting the company's machines infected
since now their machines each have a real, routable IP
address that can be attacked by scanners and other
exploits originating from outside the company.
It has taken me personally much of the last week to try to
mitigate the problems for my consulting client... managing
communications with the blacklisting organizations (since
nobody at the client speaks their technical language),
making numerous and ongoing system configuration changes
to reroute outgoing mails, establishing new message
handling paths, and then going back and regenerating and
retransmitting thousands of backlogged invoices and
credits notices that could not be delivered in the normal
way. I can't overemphasize what a huge disruption this is
to a company (and again, one which DOES make a serious
effort to be responsible!)
Not to mention the huge disruption to their "ordinary"
NON-system-generated e-mails with their clients and
suppliers.
So, again, I will EMPHASIZE that the question should NOT
revolve around the finer points of how to implement
IP-address-based blacklists, who should maintain them, how
to distribute them, how to phase them out eventually, and
such CRAP!! We are arguing the finer points about what is
INHERENTLY a VERY flawed approach, rotten to its very core
AS A CONCEPT, where what we OUGHT to be doing instead is
to figure out better and more effective ways to
efficiently and accurately DIFFERENTIATE good mail from
bad.
As I have pointed out, such an approach would (in the
example I gave) efficiently perform such triage on the
messages coming from dear old Aunt Gertie's machine,
allowing her legitimate mail to continue to be delivered
while effectively guaranteeing that the spambot-generated
garbage running on her same machine and transiting the
same server(s) would be T-canned and never seen by a human
(and therefore, hopefully, not be worth injecting into the
Net in the first place).
Key to this triage, I believe is:
1) denying spammers and abusers (in a robust way!) the
ability to conceal or obfuscate malicious or spam content
by ruses based on HTML, text-as-image, scripting and the
like;
2) forcing at least initial-contact e-mails (those by
which a sender establishes a trust relationship with the
intended recipient) be sent in plain text so that they can
be analyzed effectively by a SpamAssassin-style analysis
program;
3) allowing a recipient to control just exactly what
sort of more advanced content they are ready and willing
to accept from each specific sender, and (ideally) how
they wish to additionally establish the legitimacy of that
sender's messages. (Prearranged masthead on a newsletter,
personal SIG file for mail from an individual,
characteristic keywords in the message or subject line,
etc etc).
Here on this list, we keep falling back into this nasty
business of arguing about how an INHERENTLY FLAWED scheme
(and I'm talking about IP-address-based blacklisting)
should be done, rather than recognizing ONCE AND FOR ALL
that it is simply a ROTTEN IDEA FROM THE BEGINNING and
that we OUGHT to be working on finding a BETTER solution
which is better long term both from the standpoint of
CONTROLLING spam, of encouraging (in a practical way)
responsible computing, and which isn't just encouraging
these costly, ineffective, and ultimately
COUNTERPRODUCTIVE games of after-the-fact "whack-a-mole".
We OUGHT to be working on preventing spam (and viruses)
from getting delivered THE FIRST TIME, rather than
worrying about locking the barn door after the horse has
already gotten out...!
Dammit, people, we keep going back to what color fabric
we're going to use to upholster the "whack-a-mole" mallet,
rather than coming up with a real SOLUTION for this
problem...!!! :-((
Gordon Peterson
http://personal.terabites.com
1977-2007 Thirty year anniversary of local area
networking
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
<Prev in Thread] |
Current Thread |
[Next in Thread>
|
- [Asrg] Re: Asrg Digest, DNSBL BCP v.2.0,
gep2 <=
- Re: [Asrg] Re: Asrg Digest, DNSBL BCP v.2.0, Steve Atkins
- Re: [Asrg] Re: Asrg Digest, DNSBL BCP v.2.0, Daniel Feenberg
- Re: [Asrg] Re: Asrg Digest, DNSBL BCP v.2.0, der Mouse
- Re: [Asrg] Re: Asrg Digest, DNSBL BCP v.2.0, Seth Breidbart
- Re: [Asrg] Re: Asrg Digest, DNSBL BCP v.2.0, Al Iverson
|
|
|