On Mar 28, 2008, at 9:22 AM, Matt Sergeant wrote:
On 27-Mar-08, at 5:05 PM, Douglas Otis wrote:
On Mar 26, 2008, at 8:18 AM, Matt Sergeant wrote:
OK, so let me just clarify this - when you are listing a netblock
(and communicating with the owner or whatever you do), you NEVER
periodically re-check that netblock to make sure it hasn't changed
hands or gone quiet or anything? It's just listed permanently
until the heat death of the universe?
[snip]
Or is it temporary after all?
There is no pre-ordained maximums in terms of time (or CIDRs), as
suggested by this draft.
I'll take that as a "yes, it can be listed permanently until the
heat death of the universe", reading between your dancing around the
question. But see below for further input.
The following was authored by Dave Rand, who is not an active
participant in this mailing list, but was asked for comment on this
issue. He is available for additional questions, comments or
statistics at dlr_at_kelkea.com.
-----
Just before we go off on a tangent, let's remember what RBL listings
(and I'm using the MAPS trademarked RBL now owned by Trend Micro as a
very specific example) are for.
RBL listings are for addresses (or address ranges) which have sent
spam, and for which an RBL nomination has been processed. The RBL
nomination process includes contacting the responsible service
provider which is advertising that space on the Internet. The service
provider has had an opportunity to review the RBL listing prior to it
becoming active, and has chosen either not to respond, or has not
dealt with the issue in question. The RBL listing *WOULD NOT HAVE
BEEN MADE* if the service provider had delt with the issue.
Now, let's look at a few examples, live spam attempts in the last few
minutes. These three examples were not selected in any, other than a
tail of the current mail server log on my system, and happened to come
during the same second.
03/28/2008 16:51:30: SPAM aborted while talking with (200.121.80.112)
- "MAPS RBL".
03/28/2008 16:51:30: SPAM aborted while talking with (210.76.64.22) -
"MAPS RBL".
03/28/2008 16:51:30: SPAM aborted while talking with (88.249.244.18) -
"MAPS RBL".
As it happens, the first one came from an RBL listed address which has
been listed since 2006 - and is still spamming. The second, for more
than a year, and still spamming. The third, for more than a month,
and - you guessed it, still spamming.
I note, with interest, that these addreses are also listed on several
other blacklists, but that's not important for the purpose of this
issue.
In each case, the service provider was notified in advance of the
listing, and was given an opportunity to deal with it. In two out of
the three cases, I know this personally to be true, and the third I
know by documentation.
So, what's an appropriate listing policy? Until the problem is fixed,
and the service provider in question notifies (by replying to the
original nomination, for example) that the issue is corrected.
These are three examples, totally at random. Finding accurate contact
information for the end users of the addresses is essentially
impossible, and (in at least one country on this list) prohibited by
law. The one and only contact information which must be documented,
at least for the most part, is the ASN advertising the space on the
internet.
AS4134, AS6147 and AS9121 are responsible for these addresses. In at
least two of the three cases, I know that the adminstators are fully
aware of this, and have tried to bring effective abuse policies in
place. They have, so far, failed.
So, RBL(tm) listings get listed until the problem is fixed, and the
responsible party contacts the blacklisting provider. There has been
some suggestion that an automated removal process could be used if the
listing is no longer generating spam, for example. The only party
which could determine this with any accuracy would be service provider
for that address, as they are the only ones that have access to the
traffic to determine it. The blacklist operator can see but a very
small part of the internet, and has no way to determine with any
reasonable degree of assurance that the problem has indeed been fixed
- the absence of bad traffic on a small part of the internet in no way
can determine the "goodness" of an address. It *can* determine
badness, but not goodness. Goodness can only be determined by the guy
at the router - that's the service provider.
Here's some more numbers for you to consider:
During 2005, there were an average of 2.1 million unique IP addresses
per month sending spam. During 2006, 4.2 million. During 2007, 10.0
million. At this rate, somewhere between 20 million and 100 million
per month will be sending spam in 2008.
IP address reputation is the only way in which mail servers can keep
up today, and that reputation is persistant until corrected. IP
addresses, in general, don't "get better" with time. They get worse.
Once fixed, they tend to stay fixed *because* someone has gone to the
trouble of bringing it to the surface- but unchecked, the spam will
continue to flow.
I have detailed information on this trend going back as far as 1995 or
so.
The Service Providers *must* take a more pro-active stance in dealing
with the problem, and they must either make detailed contact
information available for the end users of the address space (which is
currently illegal in many countries), or they must promptly pass
complaints on to end users, and then monitor for compliance.
Automated removal (and for that matter, automated addition) to any
long term blacklist is bad. Active participation to prevent blackhole
listings by the service provider in question is the right way to do
things.
Stopping the spam in the first place, by effective port 25 blocking,
bot/infection detection, and proper monitoring is by far the best
way. This would quickly put all RBL services out of business,
forever. I favour this approach.
-----
-Doug
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/asrg