Re: [Asrg] Re: Asrg Digest, DNSBL BCP v.2.0
2007-03-03 01:03:20
On Fri, 02 Mar 2007 23:19:03 -0500
Stephanie Erin Daugherty <stephanie(_at_)ahbl(_dot_)org> wrote:
Ok... I'm putting on my Nomex suit for this reply.
Posted and mailed:
gep2(_at_)terabites(_dot_)com wrote:
Worse, from an Internet strategic standpoint, the dangers of this kind of blunt-instrument blocking of E-mails for AN ENTIRE COMPANY just because ANY ONE computer within their network is infected (and it could even be an infected notebook computer carried in from home and connecting to the office wireless LAN) will force more companies to insist on MORE DANGEROUS separate, routable IP addresses for each machine in their company.... so that blocking will affect JUST ONE of their machines and not put the whole company out of business.
Ultimately, this "solution" just puts dramatically more (and very unwanted) pressure on the limited IP address space, and INCREASES the likelihood of getting the company's machines infected since now their machines each have a real, routable IP address that can be attacked by scanners and other exploits originating from outside the company.
Routeable addresses are not inherently less secure. NAT is not the only way, or even a good way to secure hosts.
Securing the hosts is not the issue here. Nor, in fact, securing clients! The fact is however that typical user desktop machines are SAFER if just anyone anywhere on the Internet can't reach out and poke them directly.
It may work for that in some situations, but it's less than optimal, and was never intended to provide security. (and in fact, there are countless tricks to break through NAT anyway these days).
Again, client security isn't really the issue, although that IS a benefit, FWIW, of NAT.
NAT was created to deal with a perceived shortage in IPv4 addresses. It's not a magic bullet, and in fact, it's actually harmful in many ways:
http://www.cs.utk.edu/~moore/what-nats-break.html
http://www.faqs.org/rfcs/rfc1627.html
If you choose to present your entire network to the world as being a single machine, then, it and any abuse from it will be treated as such, that's just a chance you take. In this respect NAT is actually more dangerous, as the ability to account for what's happening stops at your network's border,
Exactly. And THAT is a HUGE issue.
and NAT is often substituted for proper security and network design - which includes use of application layer firewalls, intrusion detection, and application proxies to create and enforce a strong security policy.
That's fine for companies like General Motors or Ebay or Amazon. What you're suggesting is arguably inappropriate for a 15-person company with NO in-house IT staff at all (say, a doctor's office). We're talking about a company here that uses ONE single Novell server running the whole company.
Put your servers in a real DMZ, with real IPs, and a properly constructed firewall. Consider putting your users behind proxy servers instead of or in addition to NAT, so that they have exactly the access they require, no more, no less. Machines that don't send mail directly out to the internet shouldn't have the ability to do so. This is common sense.
Ironically, the solution we (at least initially) had to go to involved us moving AWAY from our in-house outgoing MTAs, and having to ENABLE the applications at individual user desktops to route their e-mails directly to out-of-house servers. This is not only no safer, but also MUCH slower as viewed by the users than allowing their in-house mail servers to buffer such operations.
Intrusion detection would have let you catch this earlier, probably before you were listed on DNSBLs.
Again, it's miraculous we caught it as fast as we did, given that the company in question really has no in-house IT staff. I provide their system support, remotely from halfway across the country.
Note that the blacklisting taking effect at E-fax, specifically (and which suddenly prevented the company from sending out more than 500 faxes a day) happened at least three days after (TTBOMK) the infection HAD been cleared up. (Of course, who can be sure? The blacklisting company doesn't tell us EXACTLY what they were blacklisting us for).
So, again, I will EMPHASIZE that the question should NOT revolve around the finer points of how to implement IP-address-based blacklists, who should maintain them, how to distribute them, how to phase them out eventually, and such CRAP!! We are arguing the finer points about what is INHERENTLY a VERY flawed approach, rotten to its very core AS A CONCEPT, where what we OUGHT to be doing instead is to figure out better and more effective ways to efficiently and accurately DIFFERENTIATE good mail from bad.
There are also ethical implications which would suggest that any content-based approach is just as flawed, because it creates an infrastructure for censorship just as easily as it creates an infrastructure for stopping spam.
That would be true if the "censorship" were imposed by an ISP or some centralized authority. It's far less of an issue if the routing and acceptance criteria are controlled by THE RECIPIENT THEMSELVES, who have the ABSOLUTE right to determine what does and doesn't go into their inbox, or (at a minimum) what they do (routing, reading, discarding read-or-unread, etc) regarding the incoming messages they receive.
As I have pointed out, such an approach would (in the example I gave) efficiently perform such triage on the messages coming from dear old Aunt Gertie's machine, allowing her legitimate mail to continue to be delivered while effectively guaranteeing that the spambot-generated garbage running on her same machine and transiting the same server(s) would be T-canned and never seen by a human (and therefore, hopefully, not be worth injecting into the Net in the first place).
If dear old Aunt Gertie is leaving her machine on the internet after it's been compromised by a virus, she either doesn't care, or doesn't know better, and in either case, is doing harm to others by her refusal or inability to deal with the problem, so she's arguably just as big of a problem as the virus itself.
The point is that SHE PROBABLY DOESN'T KNOW. And probably wouldn't understand what it all meant, even if told.
I'm not suggesting that we ought to leave infected spambot zombie armies operating freely all over the net. Indeed, my proposals are intended to virtually eliminate (at least) E-mail as a (direct) recruitment vector for that. But if you shut down a user because they had been infected, eventually you'll shut down nearly everybody.
Key to this triage, I believe, is:
1) denying spammers and abusers (in a robust way!) the ability to conceal or obfuscate malicious or spam content by ruses based on HTML, text-as-image, scripting and the like;
2) forcing at least initial-contact e-mails (those by which a sender establishes a trust relationship with the intended recipient) to be sent in plain text so that they can be analyzed effectively by a SpamAssassin-style analysis program;
3) allowing a recipient to control just exactly what sort of more advanced content they are ready and willing to accept from each specific sender, and (ideally) how they wish to additionally establish the legitimacy of that sender's messages. (Prearranged masthead on a newsletter, personal SIG file for mail from an individual, characteristic keywords in the message or subject line, etc etc).
These would help, but they are not enough -
I agree. Content analysis is key, too. But without in the first stage denying the spammers the use of evasion techniques based on text-as-image, scripting (decryption etc), HTML, linked images, attachments, and so forth, content analysis can NEVER be nearly as effective as it can be otherwise.
and without extensive cooperation will never be effective.
Agreed that spammers KNOWING that their spam has a negligible chance of being delivered and read will make them less likely to still try to send it. But meanwhile, even just a SINGLE recipient no longer feeling plagued by spam and worms is probably worthwhile, at least as experienced by THAT user.
I want to see better solutions, but barring making some solutions mandatory (and I shudder to think of how you could do that without gov't involvement, which will never happen on a global level anyway), you aren't going to do enough from a content standpoint.
I think you can do FAR BETTER from a content standpoint (content analysis, such as Spam Assassin, following "a priori" blocking of mail from unknown/untrusted senders containing HTML or attachments) than you can using any kind of IP-based blacklisting or other "reputation" scheme.
Here on this list, we keep falling back into this nasty business of arguing about how an INHERENTLY FLAWED scheme (and I'm talking about IP-address-based blacklisting) should be done, rather than recognizing ONCE AND FOR ALL that it is simply a ROTTEN IDEA FROM THE BEGINNING and that we OUGHT to be working on finding a BETTER solution which is better long term both from the standpoint of CONTROLLING spam, of encouraging (in a practical way) responsible computing, and which isn't just encouraging these costly, ineffective, and ultimately COUNTERPRODUCTIVE games of after-the-fact "whack-a-mole".
I'll agree that it's a horrible idea.
I'm glad we at least agree on THAT point.
At one point, a DNSBL could effectively stop a lot of spam. Now, most DNSBL operators and DNSBL users have realized that the technology long ago ceased to be useful in stopping all but the most persistent and long-lived spam sources, and compromised hosts.
And, the other point is that you have FAR too much collateral damage.
So, you might ask, what are DNSBLs still useful for? Mainly, four things:
* Keeping track of compromised hosts, because they present a threat to the internet as a whole.
"Keeping track of" is probably less of interest to anybody as a third party than it would be to establish a mechanism for robustly alerting someone technically responsible at a given sender... IF one could reliably establish WHO the actual infected computer or other spammer really was. It would be nice, for example, if one could REALLY notify (say) Gertie's ISP so that they could (in theory, anyhow) try to contact her to let her know about the problem.
* Keeping track of hosts that shouldn't be sending mail - machines on networks where servers aren't allowed for instance.
Personally, I think that is still a violation of "net neutrality". While I accept that kind of crap (for example, arbitrary restrictions that people have to pay dramatically more for a "business account" for their home offices since "residential accounts" 'are not allowed to run servers') I think that the Net as a whole would be a far, far better place if individual users COULD have their own Web servers online, rather than having to pay premium prices to third-party Web hosting companies. I would far rather have, for example, a Web-based subdirectory on my local hard drive where I could place documents (contracts, photos, other files) where other authorized users could just come by and get them at their convenience. (For example, some years ago I helped a guy who was writing a thesis about the early days of the microprocessor and personal computing, and I've got a copy of his paper online through my personal Web site... which probably doesn't get accessed five times a year, and is painfully big to store in my ISP-provided "personal Web space".... but OUGHT to be available online SOMEWHERE, and certainly don't mind having it occupying disk space on my home LAN here.)
* Brute-force education of end users and server administrators about community standards of security and acceptable behavior on the internet.
That's fine for the users technically savvy enough to understand that. Aunt Gertrude is barely able to power up her machine and enter an E-mail message. And there are tens of millions of users just like that, Net-wide.
* Bringing the problems that allow spam and other network abuse to the wallets of those who can do something about it.
Worse, also to those who CANNOT. :-(
It's that last one that's the big one.
Unfortunately, there are some providers who wouldn't kick spammers off their network, if not for the fact that DNSBLs would soon force them out of business.
DNSBLs are unfortunately very good at this one thing - making "not my problem" a big enough issue that ignoring security, permitting abusive behavior, or ignoring the basic principles of the internet becomes costly enough to become a problem worth fixing.
Agreed that it gets people's attention. (So would setting fire to their building, though). I'm not convinced that it is an appropriately measured, limited response.
As a DNSBL operator, I don't like this aspect of it, but it's the same principle as behind things like the infamous UDP (http://www.stopspam.org/faqs/udp.html).
Ultimately, a DNSBL does not stop spam. A DNSBL brings the problem to the wallet of someone who can, by providing mail admins that care about the problem the tools to block mail from those that don't care, or are contributing to the problem through ignorance or malice.
True, but (again) at what I consider to be an unacceptably high cost, compared to less abusive methods.
We OUGHT to be working on preventing spam (and viruses) from getting delivered THE FIRST TIME, rather than worrying about locking the barn door after the horse has already gotten out...!
Dammit, people, we keep going back to what color fabric we're going to use to upholster the "whack-a-mole" mallet, rather than coming up with a real SOLUTION for this problem...!!! :-((
I'm open to solutions, but just because the ones we have suck, we shouldn't abandon them until such time that we do have something better, and have it working. Spam is ultimately both a security problem and a financial problem though.
Well, I've posted here repeatedly what *I* think is a major step forward towards an INTELLIGENT solution for the problem... selectively blocking HTML and attachments via a fine-grained whitelist, on a sender-by-sender basis as set by each recipient, as a first-step prior to passing incoming E-mails through a content analysis system.
Solutions have to come from all levels, and at the most basic level, the critical work is in detecting and preventing intrusions so that abuse can only come directly from the abusers themselves.
Eliminating the practicality of delivering viruses and worms by E-mail is a major step in the direction of reducing the ability of spammers to recruit spambot zombie armies.
-Stephanie
Gordon Peterson
http://personal.terabites.com
1977-2007 Thirty year anniversary of local area networking
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
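As an added example (not code from this thread, from the ASRG list, or from any project named in it), the following Python gate implements the first-stage policy described above: each recipient grants HTML and attachment privileges per sender, unknown (initial-contact) senders are held to plain text, and only messages that pass this gate go on to a SpamAssassin-style content analyzer. The sender addresses, the whitelist table, the decision names and the sample messages are all constructed placeholders for this illustration.

```python
"""Per-sender rich-content gate run before content analysis.

Added illustration for the "fine-grained per-sender whitelist for HTML and
attachments" proposal; example code, not from the thread or any project.
All addresses, policies and sample messages below are constructed.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed per-recipient policy: which rich-content features each known
# sender may use.  A sender absent from this table is an "initial contact".
SENDER_POLICY = {
    "gertie@example.net": {"html", "attachments"},   # constructed sender
    "newsletter@example.org": {"html"},              # constructed sender
}


def rich_features(msg):
    """Return the set of rich-content features a parsed message actually uses.

    Only text/plain parts count as "plain text"; any text/html part flags
    "html", and any non-text part or explicit attachment flags "attachments".
    """
    features = set()
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, not content
        if part.get_content_type() == "text/html":
            features.add("html")
        elif (part.get_content_disposition() == "attachment"
              or part.get_content_maintype() != "text"):
            features.add("attachments")
    return features


def triage(raw, sender_policy=SENDER_POLICY):
    """Decide what to do with a raw RFC 5322 message before content analysis.

    Returns ("analyze", features) when the message is plain text or uses only
    features this sender has been granted, meaning it can be handed to the
    content-analysis stage; returns ("quarantine", disallowed) when it uses
    rich content the recipient never granted to this sender.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    addr = parseaddr(msg.get("From") or "")[1].lower()
    allowed = sender_policy.get(addr, set())  # unknown sender: nothing allowed
    present = rich_features(msg)
    disallowed = present - allowed
    if disallowed:
        return "quarantine", sorted(disallowed)
    return "analyze", sorted(present)


def build_sample(sender, body_text, html=None, attachment=None):
    """Construct a sample message (constructed test data, not real mail)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "recipient@example.com"   # constructed recipient
    m["Subject"] = "sample"
    m.set_content(body_text)
    if html is not None:
        m.add_alternative(html, subtype="html")
    if attachment is not None:
        m.add_attachment(attachment, maintype="application",
                         subtype="octet-stream", filename="file.bin")
    return m.as_string()


if __name__ == "__main__":
    samples = [
        build_sample("stranger@example.com", "hello"),
        build_sample("stranger@example.com", "hello", html="<p>hi</p>"),
        build_sample("Aunt Gertie <gertie@example.net>", "hi", html="<p>hi</p>"),
        build_sample("newsletter@example.org", "news", html="<p>n</p>",
                     attachment=b"\x00\x01"),
    ]
    for raw in samples:
        print(triage(raw))
```

The gate never inspects message text itself; it only decides whether the message's structure is something the recipient agreed to accept from that sender. A plain-text message from a stranger still goes to the content analyzer, which is the point: stripping the evasion tricks first leaves the analyzer with something it can actually score.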