On Mar 31, 2008, at 4:22 PM, Seth wrote:
Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> wrote:
On Mar 31, 2008, at 11:44 AM, Seth wrote:
Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> wrote:
Will information be added related to warnings regarding network
provider associated address space about to be listed?
I hope not.
Why do you keep assuming that only things that _have_ network
providers can be listed? Who is the "network provider" for a
"Mailer-agent" header DNSBL?
Any IP address used by bad actors for sending UCEs or other types
of abuse is being routed by a network provider.
Which network provider would you recommend notifying about an entry
that says "X-Mailer: CloakedSender" is a spam indication?
Most black-hole/block lists are based upon the IP address where the
octets are in reverse order. The network provider can be noted by who
advertised the address space.
See:
http://www.team-cymru.org
This technique depends upon ASNs observed in BGP announcements. This
information is often processed with a program like zebra, for example.
Some might be based upon domain names used in abuse, but a necessity
to inform the owner of the domain is less, but could be done using
abuse@<example.com>.
Determining the network provider helps establish their reputation,
which should represent a significant factor in whether their
advertised space can be trusted. It will become apparent, by a high
percentage of their addresses abusing the network, that the network
provider does not have or enforce AUPs prohibiting abuse. A draft about best
practices should include a section on this topic. This allows
notifying the network provider to allow them to pass on timely
information to owners of likely compromised systems.
If you want to notify the providers for the emitters of all the spam
you get, feel free. But you aren't going to get others to believe
that doing so is a requirement on them.
Defining a function essential for creating a warning when a system
becomes compromised, but may not normally be sending email, is not
required. Not implementing this function could not be defined as a
best practice either.
In addition, the network provider is in the unique position of
being able to curtail the abuse immediately.
Tell me again, which provider can curtail the use of "X-Mailer:
CloakedSender" immediately?
Only the network provider knows who owns the equipment, as they
receive payment for the network access they provide. Their response
might be to notify these owners. If the abuse represents criminal
activity, such as distribution of malware, the network provider may
also block access. Either way, the owner of the system becomes aware
of the issue. Since much email abuse is being emitted from
compromised systems, black-hole/block-list operators coordinating with
network providers do play a critical role in abating this problem.
While performing this function is not required, not performing this
function cannot be described as a best practice.
How can a BL operator establish relationships with millions of a
network provider's customers, without expecting network providers
to intercede?
How do you define "establish relationships"? If I publish
dnsbl.noprimes.org, have I established relationships with all users
of prime-number IP addresses?
When the goal of the black-hole/block list is to enumerate addresses
emitting abuse, then offering notification to the associated network
provider dramatically changes the scope of what is being rated, from
billions of users, to thousands of providers. Rating providers and
excluding the worst is often effective.
Only network providers can establish AUPs,
Anybody can establish an AUP for his own property. Lots of web
boards have AUPs without being network providers.
Access to the Internet is granted by network providers. Their
customers can run any number of services that should constrain their
activities to comply with that of their network provider.
While few black-hole/block list operators are able to coordinate
with network providers and thereby prevent abuse at the source,
_no_ other approach is as effective or as robust.
So you claim; but so what? Why should there be any obligation on
anybody based on your claim (even if true) that something is the
most effective or robust approach?
Ignoring the role of the network provider cannot be seen as a best
practice when rating IP address space.
A level of trust is required between the BL operator and the
network provider to be both effective and to improve safely.
Since many network providers are quite untrustworthy, that alone is
reason to avoid notifying those you don't know.
The level of detail within notifications would be where trust would be
demonstrated.
Defining a BL mode of operation that asks the least of the network
operator, also does the least in terms of curbing abuse.
Nobody else is obligated to act according to your beliefs about what
is the most effective.
When asking about the BL being gamed, a fair amount of hand waving
commenced. Of course anyone can pretend to be doing something about
email abuse. Being effective requires at least knowing which network
provider is permitting the abuse.
Currently, few BLs rate domain names.
So? This isn't a democracy with each BL having one vote.
This draft is attempting to establish guidelines, where currently the
vast majority of BL operators pertain to IP addresses emitting email
abuse. Rather than ignoring these issues, separate sections could
enumerate how these other types of lists can "best" serve their
function.
IP addresses resolved by the name or used by the name server may
serve as a reference identifier.
Especially for those domains hosted on zombies with 60 second TTLs.
Be careful. This may occur occasionally when using a provider's
resolvers.
In many cases, only the network provider can be identified as
being associated with the address space in question.
In many cases, nobody can be.
This is simply not true, or the packet could not be routed.
What is the address space for "X-Mailer: CloakedSender"?
The IP address used by the SMTP client, the IP address being queried,
represents the provider. See above. This information must be
included in this draft, or it is lacking essential information.
Will there be any recommendation regarding the notification of
listings?
The listing is its own notification.
No. The goal is to stop the abuse at its source.
Whose goal? Nobody else is required to act according to your goals.
A best practice should offer this as a goal, of course.
My goal is to identify prime numbers.
Why would you describe this as a black-hole/block list?
As such, prior notification of a listing given the network provider
can then be directed to their customer.
Lots of things "can be". The fact that something "can be" does not
suffice to create obligations.
Network providers are the only entities able to assert governance.
Rather than attempting to rate billions of individual users, rating a
few thousand network providers dramatically reduces the scale of the
assessment. BL operators' efforts in notifying the network
providers are not an obligation, but without such notification, BL
operators will not be as effective in abating abuse. Abating abuse
should be the goal of a best practice.
-Doug
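The mechanics Doug describes above (reverse-octet DNSBL query names, mapping a listed IP address to the network provider that announces it, and rating providers by the fraction of their announced space that is listed) are worked through in the added example below. It is illustrative code written for this page, not code from the ASRG thread or from Team Cymru. The query zone `origin.asn.cymru.com` and the five-field TXT layout (`ASN | prefix | CC | registry | allocated`) are the Team Cymru conventions as the author of this example understands them; all prefixes, ASNs and listed addresses are constructed sample data, and no DNS traffic is sent.

```python
"""Added example (not from the ASRG thread): reverse-octet DNSBL names,
origin-ASN lookup parsing, and per-provider abuse rating."""
import ipaddress
from collections import defaultdict


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: octets in reverse order, then the zone.
    e.g. 192.0.2.10 under bl.example -> 10.2.0.192.bl.example"""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input early
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def origin_query_name(ip: str) -> str:
    """Name to query for the announcing ASN. Zone name is assumed to be the
    Team Cymru IP-to-ASN service; it uses the same reversed-octet form."""
    return dnsbl_query_name(ip, "origin.asn.cymru.com")


def parse_origin_txt(txt: str) -> dict:
    """Parse a TXT answer shaped "ASN | prefix | CC | registry | allocated".
    A multi-origin prefix lists several ASNs in the first field; the first
    one is taken as the provider of record here (a simplification)."""
    fields = [f.strip() for f in txt.strip('"').split("|")]
    if len(fields) != 5:
        raise ValueError("unexpected origin record: %r" % txt)
    asn, prefix, cc, registry, allocated = fields
    return {
        "asn": int(asn.split()[0]),
        "prefix": ipaddress.ip_network(prefix, strict=True),
        "cc": cc,
        "registry": registry,
        "allocated": allocated,
    }


# Constructed stand-in for the DNS service: one TXT record per announced
# prefix. ASNs 64496/64497 and these prefixes are documentation values.
CONSTRUCTED_ORIGIN_TABLE = [
    '"64496 | 198.51.100.0/24 | US | arin | 2008-01-01"',
    '"64497 | 203.0.113.0/24 | AU | apnic | 2008-01-01"',
]


def resolve_origin(ip: str) -> str:
    """Return the TXT record whose prefix covers ip, or raise LookupError
    (the case Seth raises: space that no provider announces)."""
    addr = ipaddress.IPv4Address(ip)
    for txt in CONSTRUCTED_ORIGIN_TABLE:
        if addr in parse_origin_txt(txt)["prefix"]:
            return txt
    raise LookupError("no BGP origin known for %s" % ip)


def rate_providers(listed_ips, resolve=resolve_origin):
    """Aggregate listed addresses per announcing ASN and compute the share
    of that ASN's announced space which is listed. Unroutable entries are
    returned separately rather than silently dropped."""
    per_asn = defaultdict(lambda: {"listed": 0, "prefixes": set()})
    unresolved = []
    for ip in listed_ips:
        try:
            rec = parse_origin_txt(resolve(ip))
        except LookupError:
            unresolved.append(ip)
            continue
        per_asn[rec["asn"]]["listed"] += 1
        per_asn[rec["asn"]]["prefixes"].add(rec["prefix"])
    report = {}
    for asn, entry in per_asn.items():
        space = sum(p.num_addresses for p in entry["prefixes"])
        report[asn] = {"listed": entry["listed"], "space": space,
                       "share": entry["listed"] / space}
    return report, unresolved


def worst_first(report):
    """ASNs ordered by listed share, highest first; the head of this list
    is what a provider-level policy would act on."""
    return sorted(report, key=lambda a: report[a]["share"], reverse=True)


# Constructed sample listing: four hosts in one /24, one in another, and
# one address that nothing announces.
CONSTRUCTED_LISTED = ["198.51.100.5", "198.51.100.6", "198.51.100.7",
                      "198.51.100.8", "203.0.113.9", "192.0.2.1"]

if __name__ == "__main__":
    report, unresolved = rate_providers(CONSTRUCTED_LISTED)
    for asn in worst_first(report):
        r = report[asn]
        print("AS%d: %d listed of %d announced (%.4f)"
              % (asn, r["listed"], r["space"], r["share"]))
    print("unroutable:", unresolved)
```

The per-ASN share is deliberately computed against the prefixes actually seen in lookups, not against a full BGP table, so it undercounts a provider's space until enough of its prefixes have been looked up; a production rating would pull the full set of announced prefixes per ASN from the BGP feed the thread mentions.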
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/asrg