Re: Additional Layers for Economic Incentives to improve Internet Security
Dear colleagues,
Following up from his earlier posts on RIPE Labs, John Quarterman is now looking at 'ASN Ranking Correlations Between Spam Blocklists':
http://labs.ripe.net/Members/jsq/asn-ranking-correlations-between-spam-block...
Kind Regards and Happy Holidays,
Mirjam Kuehne
RIPE NCC
In message <4D133394.9040008@ripe.net>, Mirjam Kuehne <mir@ripe.net> wrote:
> Dear colleagues,
> Following up from his earlier posts on RIPE Labs, John Quarterman is now looking at 'ASN Ranking Correlations Between Spam Blocklists':
> http://labs.ripe.net/Members/jsq/asn-ranking-correlations-between-spam-block...
I skimmed this document, and I'm still not 100% sure that I have grasped the ultimate point.
It begins thus:
"Comparing ASN rankings by spam volume from two different data sources... indicates there is enough correlation to have confidence in the rankings."
Yes. And?
This is a little like saying that the track records of multiple meteorologists do indeed indicate that yes, by and large they generally seem to get it right.
But then what is the functional value of that knowledge? Is the point here that I can leave my umbrella at home when two or more of them say that it's not going to rain today?
Is the point of Mr. Quarterman's study that certain entire ASNs may be safely or reasonably blacklisted?
Regards,
rfg
Howdy,
My response is inline below.
> In message <4D133394.9040008@ripe.net>, Mirjam Kuehne <mir@ripe.net> wrote:
> > Dear colleagues,
> > Following up from his earlier posts on RIPE Labs, John Quarterman is now looking at 'ASN Ranking Correlations Between Spam Blocklists':
> > http://labs.ripe.net/Members/jsq/asn-ranking-correlations-between-spam-block...
> I skimmed this document, and I'm still not 100% sure that I have grasped the ultimate point.
> It begins thus:
> "Comparing ASN rankings by spam volume from two different data sources... indicates there is enough correlation to have confidence in the rankings."
> Yes. And?
The point of this particular article is exactly what you quoted: there is enough correlation to have confidence in the rankings. Some people don't believe it is possible to build such a ranking system, so we have demonstrated that it is possible.
> This is a little like saying that the track records of multiple meteorologists do indeed indicate that yes, by and large they generally seem to get it right.
Thanks for the complimentary analogy.
> But then what is the functional value of that knowledge? Is the point here that I can leave my umbrella at home when two or more of them say that it's not going to rain today?
> Is the point of Mr. Quarterman's study that certain entire ASNs may be safely or reasonably blacklisted?
The purpose of the proposed ranking system is that the organizations that own the ASNs should be concerned that people might decide to blacklist them, or, for example if the organization is a bank, that people might not want to do business with a bank that has sufficiently bad Internet security that it is emitting spam. If an organization has that many vulnerabilities, some of them may also be exploitable for DDoS attacks or for password sniffing of customers or for other nefarious ends. Conversely, organizations that have good security should emit very little spam, and they could brag about their good rankings and thus retain and gain customers. See the other articles in this series (there are links at the end of the present article) for more about the proposed rankings and related certifications, SLA self-insurance, and insurance policies.
> Regards,
> rfg
Thanks for your comment,
-jsq
In message <1293396598.484327.23897@bolo.quarterman.com>, "John S. Quarterman" <jsq@quarterman.com> wrote:
> The purpose of the proposed ranking system is that the organizations that own the ASNs should be concerned that people might decide to blacklist them,
Unfortunately, I rather doubt that any sort of ranking will have that effect, which is a pity, because in an ideal world, these kinds of ranking _should_ have the effect of generating concern among those ASNs that receive bad rankings. But the reality is that instances of entire ASNs being blacklisted by anybody and/or for anything are few and far between. Thus we have the current situation where certain ASes make a healthy business out of thumbing their noses at the rest of the Internet community as they continue to host rampant criminality, etc.
> or, for example if the organization is a bank, that people might not want to do business with a bank that has sufficiently bad Internet security that it is emitting spam. If an organization has that many vulnerabilities, some of them may also be exploitable for DDoS attacks or for password sniffing of customers or for other nefarious ends.
> Conversely, organizations that have good security should emit very little spam, and they could brag about their good rankings and thus retain and gain customers.
I only wish that the world operated in so simple a fashion. Unfortunately, because network operators the world over have been consistently reluctant to do what is necessary to forcefully shun the criminal, and the merely irresponsible, from their midst, instead of a bad reputation causing loss of connectivity, it often seems to have the perverse effect of generating even more business for various well-known criminal-friendly ASNs.
Regards,
rfg
Hi,
On 26/12/2010 21:49, John S. Quarterman wrote:
> > "Comparing ASN rankings by spam volume from two different data sources... indicates there is enough correlation to have confidence in the rankings."
> The point of this particular article is exactly what you quoted: there is enough correlation to have confidence in the rankings. Some people don't believe it is possible to build such a ranking system, so we have demonstrated that it is possible.
Strictly speaking, it isn't ranking the spam volume. It indicates how many IP addresses per ASN are added to a certain blocklist. It doesn't indicate the amount of spam from the IP or the ASN measured by customer and/or mail volume.
> > But then what is the functional value of that knowledge? Is the point here that I can leave my umbrella at home when two or more of them say that it's not going to rain today?
> > Is the point of Mr. Quarterman's study that certain entire ASNs may be safely or reasonably blacklisted?
> The purpose of the proposed ranking system is that the organizations that own the ASNs should be concerned that people might decide to blacklist them, or, for example if the organization is a bank, that people might not want to do business with a bank that has sufficiently bad Internet security that it is emitting spam. If an organization has that many vulnerabilities, some of them may also be exploitable for DDoS attacks or for password sniffing of customers or for other nefarious ends.
So a quick summary:
- An ASN does not represent a single legal entity
- Spam in general cannot be defined
- It's not ranking the spam volume
Yes, I am really concerned that people might decide to blacklist ASNs due to spam. It doesn't make any sense in almost all cases. But we already have blocklists aggressively doing that with netblocks (uceprotect, spamhaus etc). No serious mail provider in my neighbourhood uses those blocklists and no serious mail provider would ever use an ASN blocklist like that to block mail or anything else. The good thing here is that as long as this ASN blocklist lists AS numbers in the same manner as uceprotect, "nobody" will use it because it is useless.
> Conversely, organizations that have good security should emit very little spam, and they could brag about their good rankings and thus retain and gain customers.
Organizations that don't use mail at all will emit very little spam.
Cheers,
On Dec 27, 2010, at 12:29 PM, Jørgen Hovland wrote:
> Hi,
> On 26/12/2010 21:49, John S. Quarterman wrote:
> <snip>
> Organizations that don't use mail at all will emit very little spam.
Wrong. Organizations that don't use mail might still be spam-emitters if their security is bad. In fact, organizations that don't understand security are likely to be victims of spambots.
Cheers,
participants (5)
- John S. Quarterman
- Jørgen Hovland
- Mirjam Kuehne
- peter håkanson
- Ronald F. Guilmette