Re: [anti-abuse-wg] Spam under protection. Believe it or not!
Let me introduce you to, say, fast flux botnets that skip from one IP to another in seconds
IPs matter. So do domains. So do nameservers. So do [a bunch of other things]
Registrars can’t abdicate their responsibility by claiming spam is entirely related to IP addresses.
On 28-Sep-2015, at 5:50 PM, andre@ox.co.za wrote:
> Spam is not a domain thing, it is an IP thing.
> So why are we focused on domain names? a name is nothing, it cannot route, a number routes.
Suresh
I don’t think many registrars are trying to abdicate responsibility BUT
The hosting provider for a domain name has a lot more control over things than the registrar.
As a registrar of record for a domain name I only have the “nuclear option”.
Compromised sites account for a lot of the spam we see coming from our network (or at least trying to).
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
http://www.blacknight.host/
http://blog.blacknight.com/
http://www.blacknight.press - get our latest news & media coverage
http://www.technology.ie
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Social: http://mneylon.social
Random Stuff: http://michele.irish
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845
On 28/09/2015 13:42, "anti-abuse-wg on behalf of Suresh Ramasubramanian" <anti-abuse-wg-bounces@ripe.net on behalf of ops.lists@gmail.com> wrote:
> Let me introduce you to, say, fast flux botnets that skip from one IP to another in seconds
> IPs matter. So do domains. So do nameservers. So do [a bunch of other things]
> Registrars can’t abdicate their responsibility by claiming spam is entirely related to IP addresses.
> On 28-Sep-2015, at 5:50 PM, andre@ox.co.za wrote:
>> Spam is not a domain thing, it is an IP thing.
>> So why are we focused on domain names? a name is nothing, it cannot route, a number routes.
For the sort of domains I have to deal with - @ about a couple of hundred a day -
1. Registered using fake contact information and a freemail address
2. Hosting a live phish, or held in reserve by an individual who keeps creating more such domains to use in phish
3. The domain itself is a “cousin”
Placing the domain on client-hold appears to be the only appropriate action here.
These are not compromised sites
These are not simply trademark infringement sites selling knockoff products
They’re criminal, advertised in spam, frequently serving up malware where they’re not simply trying to steal user credentials.
Unresponsive registrars with poor abuse controls (such as - take the domain down after days, and leave the registrant’s account up and running so the rest of his stockpiled domains are just fine, and new phish domains get registered by him every other day) seem to vastly outnumber the very few responsible registrars that I have had the pleasure of dealing with.
Note - this is of course based on the subset of registrars that actually do get frequently abused to create phish domains. There are several that can go for days without seeing a single abusive registration.
—srs
In message <612D7C78-C9B8-4DA8-BAC4-D45989DDAEB1@gmail.com>, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
> Unresponsive registrars with poor abuse controls (such as - take the domain down after days, and leave the registrant's account up and running so the rest of his stockpiled domains are just fine, and new phish domains get registered by him every other day)...
Suresh, I think that you are being far too generous when you characterize such behavior... which I have also seen and documented, first-hand... as being merely a case of "poor abuse controls". I would instead call it conscious, knowing duplicity.
I mean really... How many brain cells does it take to understand that you've been asked, this week, to cancel registrations on 50 different domains, all registered by/to account X, and that you were likewise asked to cancel 50 domains last week also, and that these were also registered by/to account X, and likewise, the week before that, and the week before that.
How many brain cells must the registrar have in order to grasp that maybe the real problem is account X?
(I myself would say "Less than the number necessary to be able to reliably find the bathroom every day.")
Regards,
rfg
On 28 Sep 2015, at 5:52, Michele Neylon - Blacknight wrote:
> As a registrar of record for a domain name I only have the “nuclear option”.
Same on the Registry side of things.
I believe that ISPs/hosting providers should be the first to bat because most likely they are the closest to the resource that is being primarily used as an avenue for abuse. Then the Registrars and finally the Registries get their turn.
As Suresh, I’ve been at this for more than a year or two and it’s depressingly frequent to watch ISPs and hosting companies do nothing.
Best regards
Luis Muñoz
Director, Registry Operations
____________________________
http://www.uniregistry.link/
2161 San Joaquin Hills Road
Newport Beach, CA 92660
Office +1 949 706 2300 x 4242
lem@uniregistry.link
Someone has to, unfortunately. A “not in my backyard” attitude is just not going to help solve any of these problems.
On 28-Sep-2015, at 10:48 PM, Luis E. Muñoz <lem@uniregistry.link> wrote:
> As Suresh, I’ve been at this for more than a year or two and it’s depressingly frequent to watch ISPs and hosting companies do nothing.
In message <44C4BAF8-F707-4A2C-816B-52096EF5E0EB@blacknight.com>, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
> I don't think many registrars are trying to abdicate responsibility
You are 100% correct sir. They are not.
The word "abdicate" implies that they actually _had_ some responsibility in the first place. But the registrar community had lobbied long and hard to insure that they have never, and will never have any legal liability or responsibility for anything, ever, no matter how bad.
So the correct applicable word in this case is not "abdication". It is "avoidance".
> As a registrar of record....
Gee! And I was just about to compliment you for your selfless and vocal defence of the poor downtrodden and much misunderstood domain registrars, to which you yourself have no connection.
Regards,
rfg
On Mon, 28 Sep 2015 18:12:41 +0530 Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
> Let me introduce you to, say, fast flux botnets that skip from one IP to another in seconds
Thank you for underscoring that my point is misunderstood :)
imho one of the reasons why p2p ff and even dns proxy nets are so successful is because there is money :)
If ISPs were forced to actually be responsible for IP ranges and to actually clean (like some services, spamcop, etc. forces them to) then the very definition of the fast flux botnet (of an ever-changing network of compromised hosts) would become moot :)
> IPs matter. So do domains. So do nameservers. So do [a bunch of other things]
It all still starts and ends with a number... otherwise you would not be able to defend your own space Suresh :)
> Registrars can’t abdicate their responsibility by claiming spam is entirely related to IP addresses.
Again, all spam starts and stops with a number - this is the bottom line
If you want to send email - you need to be trustworthy and society needs to know that you will maintain your IP space
Andre
--
now i am not having lunch today :(
participants (5)
- andre@ox.co.za
- Luis E. Muñoz
- Michele Neylon - Blacknight
- Ronald F. Guilmette
- Suresh Ramasubramanian