Re: [anti-spam-wg] Last call for update to ripe-206

  • To: Rodney Tillotson <R.Tillotson@localhost>
  • From: furio ercolessi furio+as@localhost
  • Date: Sat, 18 Nov 2006 20:51:30 +0100
  • Cc: RIPE anti-spam WG anti-spam-wg@localhost

On Wed, Nov 15, 2006 at 06:09:56PM -0000, Rodney Tillotson wrote:
> 
> The RIPE BCP "Good Practice for Combating Unsolicited Bulk Email"
> is out of step with the LINX document on which it was based. A draft
> version which matches the current LINX BCP has been discussed on the
> WG mailing list and in sessions at RIPE meetings; I propose that it
> should become a new RIPE document obsoleting ripe-206 on 31st October
> 2006.
> 
> [..]
> Update draft:
> http://www.ripe.net/ripe/draft-documents/bcp-abuse.html

Thank you, nice modifications.

My only comment is that section 6 puts quite some emphasis on "web sites",
but very little (if anything at all) on DNS and registrars.  Now, in the
past year we have seen a definite movement of professional spam operations
toward the deployment of a hosting infrastructure based on trojans
acting as DNS and web reverse proxies, with the intent of concealing
the true location of the web site.

The workings of these trojans are based on the concept that it is
nowadays possible to register a domain and change its set of
authoritative nameservers (as known to the TLD servers) every
five minutes or so, using TTLs also of the order of minutes or
sometimes even seconds.  Not only that, these "nameservers" are
typically consumer PCs whose rDNS definitely does not match
the nameserver hostname, and whose IP, in a residential IP range,
has never hosted other domains in the past.

This development is shifting the need for abuse-handling action
more and more toward the hands of companies with businesses in the
domain registration and DNS areas.  Yet many of these companies
work with very high volumes and very low margins per domain,
and they are often very slow to respond; sometimes they do not
respond at all, and sometimes they answer that "they do not host
the spam site" and therefore cannot do anything.

I believe that explicitly mentioning the registration and DNS
services in the document along with the web sites could help
to convince the companies in this business area to handle abuse issues
in a more timely manner, and to implement some controls on what nameservers
people put in their NS fields, how often they change this
information, and what TTL they indicate; nameservers never seen
before should be treated with suspicion.

Thanks to all the people working on this document both on the
LINX and on the RIPE side.

furio
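The delegation pattern described in the message above (an NS set that rotates every few minutes, TTLs of the order of seconds or minutes, nameservers on residential addresses whose rDNS does not match the NS hostname, and nameservers never seen before) can be turned into the kind of checks a registrar or DNS operator could run over its own delegation snapshots. The following is an added example and is not part of the original post, nor of the RIPE or LINX documents; the observation record format, the thresholds, the "known nameserver" list, the residential address range and all sample data are constructed assumptions.

```python
"""Heuristic checks for the fast-changing delegation pattern discussed in
the thread.  Added example; all data, thresholds and ranges are constructed."""

from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class NSObservation:
    """One snapshot of a domain's delegation as seen at the TLD servers (hypothetical format)."""
    domain: str
    seen_at: int   # unix time of the snapshot
    ttl: int       # TTL of the NS records, in seconds
    ns_host: str   # nameserver hostname in the NS field
    ns_ip: str     # address the nameserver hostname resolved to
    rdns: str      # PTR result for ns_ip, "" if none


# Constructed reference data: nameservers the operator has seen before,
# and an address range it treats as residential (documentation prefix).
KNOWN_NAMESERVERS = {"ns1.example-registrar.test", "ns2.example-registrar.test"}
RESIDENTIAL_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

TTL_THRESHOLD = 300       # seconds: "of the order of minutes"
CHANGE_WINDOW = 3600      # seconds of history considered for NS changes
CHANGE_THRESHOLD = 3      # distinct NS-set changes within the window


def in_residential_range(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RESIDENTIAL_RANGES)


def ns_sets_by_snapshot(observations):
    """Return the NS set seen at each snapshot time, in time order."""
    by_time = defaultdict(set)
    for o in observations:
        by_time[o.seen_at].add(o.ns_host.lower().rstrip("."))
    return [frozenset(by_time[t]) for t in sorted(by_time)]


def delegation_changes(observations, window=CHANGE_WINDOW) -> int:
    """Count how often the NS set changed between consecutive snapshots in the window."""
    times = sorted({o.seen_at for o in observations})
    if not times:
        return 0
    cutoff = times[-1] - window
    sets = ns_sets_by_snapshot([o for o in observations if o.seen_at >= cutoff])
    return sum(1 for a, b in zip(sets, sets[1:]) if a != b)


def rdns_matches(o: NSObservation) -> bool:
    return o.rdns.lower().rstrip(".") == o.ns_host.lower().rstrip(".")


def assess_domain(observations, known_ns=KNOWN_NAMESERVERS) -> dict:
    """Evaluate the indicators from the thread; 'score' is the number that fired."""
    indicators = {
        "low_ttl": any(o.ttl <= TTL_THRESHOLD for o in observations),
        "frequent_ns_changes": delegation_changes(observations) >= CHANGE_THRESHOLD,
        "residential_ns": any(in_residential_range(o.ns_ip) for o in observations),
        "rdns_mismatch": any(not rdns_matches(o) for o in observations),
        "unknown_ns": any(o.ns_host not in known_ns for o in observations),
    }
    indicators["score"] = sum(1 for fired in indicators.values() if fired)
    return indicators


# Constructed sample: a stable delegation and a rotating one, four snapshots each.
BENIGN = [
    NSObservation("shop.example", t, 86400, host, ip, host)
    for t in (0, 3600, 7200, 10800)
    for host, ip in (("ns1.example-registrar.test", "198.51.100.10"),
                     ("ns2.example-registrar.test", "198.51.100.11"))
]

FLUX = [
    NSObservation("flux-domain.example", 0,   60, "ns1.flux-domain.example", "203.0.113.17",  "cpe-203-0-113-17.isp.test"),
    NSObservation("flux-domain.example", 0,   60, "ns2.flux-domain.example", "203.0.113.42",  "cpe-203-0-113-42.isp.test"),
    NSObservation("flux-domain.example", 300, 60, "ns3.flux-domain.example", "203.0.113.88",  "cpe-203-0-113-88.isp.test"),
    NSObservation("flux-domain.example", 300, 60, "ns4.flux-domain.example", "203.0.113.91",  ""),
    NSObservation("flux-domain.example", 600, 60, "ns5.flux-domain.example", "203.0.113.5",   "cpe-203-0-113-5.isp.test"),
    NSObservation("flux-domain.example", 600, 60, "ns1.flux-domain.example", "203.0.113.17",  "cpe-203-0-113-17.isp.test"),
    NSObservation("flux-domain.example", 900, 60, "ns6.flux-domain.example", "203.0.113.120", ""),
    NSObservation("flux-domain.example", 900, 60, "ns7.flux-domain.example", "203.0.113.121", ""),
]

if __name__ == "__main__":
    for name, obs in (("shop.example", BENIGN), ("flux-domain.example", FLUX)):
        print(name, assess_domain(obs))
```

The indicators are deliberately kept separate rather than folded into a single verdict: a low TTL alone is common for legitimate services, and a single indicator is a reason to look, not to act. A registrar would tune the thresholds and the reference lists to its own delegation history.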