[anti-abuse-wg] Re: Additional Layers for Economic Incentives to improve Internet Security
Alessandro Vesely vesely at tana.it
Tue Dec 28 18:57:21 CET 2010
On 27/Dec/10 19:09, Joe St Sauver wrote:
> jorgen at hovland.cx commented:
>
> #Spam in general cannot be defined
>
> Sure it can, and many folks offer definitions, including folks such as
> Spamhaus, see http://www.spamhaus.org/definition.html

Although I mostly agree with that definition, it is not quite applicable:

* "bulk" is ill defined (by induction), and
* "unsolicited" cannot be verified (no opt-in acknowledge protocol).

Possibly, reputation ranking should be based on (verified and verifiable) spam reports...

> There's also the pragmatic reality that you may not be allowed to do
> the sustained volume of whois queries you'd need [...]

Getting the abuse@ address should be an exception to such limit.

> #Yes, I am really concerned that people might decide to blacklist ASNs
> #due to spam. It doesn't make any sense in almost all cases.
>
> I'd have to disagree with your assertion that "it doesn't make sense
> in almost all cases."

May I ask how blocking by ASN is different than by IP? I consider the latter somewhat anti-historical, in view of IPv6. It is also counter-productive as it tends to favor those who change addresses and names more often (spammers). Does block-by-ASN hinge on intrinsic difficulties in setting up an AS?

> There are some ASNs that may be routing only a small amount of space,
> and which seem to have an extremely strong correlation with badness.
> In those cases it may make perfect sense for an ISP to decide that
> it doesn't want to exchange traffic with that provider.

I would block ranges from Spamhaus' DROP list. It has already defined a file format. Thus, it may be more practical for a host to convert an ASN into the corresponding ranges, and then block those.

> In any event, if you elect to route a given network block, you're
> responsible for the unwanted traffic that may be emitted by that
> network block.

This statement makes lots of sense! It paves the way for resolving network issues inside the network, rather than resorting to unspecified legal resources.

> #But we already have blocklists aggressively doing that with netblocks
> #(uceprotect, spamhaus etc). No serious mailprovider in my neighbourhood
> #use those blocklists
>
> You must be in an unusual neighborhood since Spamhaus is generally
> considered to protect about 1.4 billion mailboxes worldwide according
> to http://www.spamhaus.org/organization/index.lasso

Spamhaus is Spamhaus. However, small mailbox providers will always have difficulties in blocking huge senders. For example, I had to whitelist TelecomItalia when it was blacklisted.

Possibly, block-by-ASN should be done by the other AS's, directly and unconditionally. For example, block port 25 after an AS has been proved to blatantly ignore abuse reports... We'd probably need some sort of recognized authority to issue such sentences, though.
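
Added example, not part of the original message: one way to combine a DROP-style list with the prefixes of an ASN into a single set of ranges to block, as suggested above. The `CIDR ; reference` line layout, the ASN-to-prefix table and every sample value are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample in the "CIDR ; reference" layout assumed for DROP-style
# lists. Prefixes are documentation ranges, references are placeholders.
SAMPLE_DROP = """\
; Constructed sample list, not real data
192.0.2.0/25 ; SBL-PLACEHOLDER-1
192.0.2.128/25 ; SBL-PLACEHOLDER-2
198.51.100.0/24 ; SBL-PLACEHOLDER-3

not-a-prefix ; malformed line, skipped
"""

# Hypothetical ASN-to-prefix table; in practice derived from routing data.
ASN_PREFIXES = {64496: ["203.0.113.0/24", "2001:db8::/32"]}


def parse_drop(text):
    """Return the networks in DROP-style text, skipping comments and bad lines."""
    nets = []
    for line in text.splitlines():
        field = line.split(";", 1)[0].strip()
        if not field:
            continue  # blank line or pure comment
        try:
            nets.append(ipaddress.ip_network(field, strict=False))
        except ValueError:
            continue  # ignore malformed entries instead of aborting the load
    return nets


def build_blocklist(drop_text, asns=()):
    """Merge DROP ranges with the prefixes of the given ASNs, per IP version."""
    nets = parse_drop(drop_text)
    for asn in asns:
        nets += [ipaddress.ip_network(p) for p in ASN_PREFIXES.get(asn, [])]
    merged = []
    for version in (4, 6):  # collapse_addresses rejects mixed IPv4/IPv6 input
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return merged


def is_blocked(addr, blocklist):
    """True if the address falls inside any range of the blocklist."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == n.version and ip in n for n in blocklist)


BLOCKLIST = build_blocklist(SAMPLE_DROP, asns=[64496])
```

Adjacent prefixes are collapsed before matching, so the two /25 entries in the sample become a single /24 and the resulting list stays as short as possible for a filter.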