Re: [anti-abuse-wg] Re: Additional Layers for Economic Incentives to improve Internet Security
jorgen@hovland.cx commented:

#So a quick summary:
#An ASN does not represent a single legal entity

Actually, at least some ASNs do represent single legal entities. For example, AS25 is the University of California at Berkeley and AS4983 is Intel, just to mention a couple of many examples. Other ASNs may represent ISPs which provide services to multiple downstream customers, but those ISPs are still "single legal entities."

I think the point that you're trying to make is that blocking by ASN is overly broad, and might cause too much collateral damage in some cases. I would agree with you, for example, that folks likely wouldn't want to block AS701, but in other cases blocking by ASN, or at least accumulating reputation by ASN, may be quite feasible.

#Spam in general cannot be defined

Sure it can, and many folks offer definitions, including folks such as Spamhaus, see http://www.spamhaus.org/definition.html

Other entities, such as MAAWG, prefer to opt out of the whole "what is and what isn't spam" debate, simply referring to "abusive mail" for things like their quarterly email metrics reports (see http://www.maawg.org/email_metrics_report )

#It's not ranking the spam volume

People can (and do) track spam volume by IP, by the netblock encompassing a spamming IP, by in-addr domain, and yes, by ASN. Some track actual spam volume by ASN, others may just track the number of observed spam sources (e.g., typically botted hosts) per ASN. Both can be interesting numbers, and the two are typically strongly correlated.

And FWIW, ASNs do work just fine as an aggregation channel for network abuse sources, particularly since who's *using* (e.g., routing) a network block may be more important than the person to whom a given netblock may nominally be assigned or allocated (e.g., we know that number resources can and have been hijacked).

There's also the pragmatic reality that you may not be allowed to do the sustained volume of whois queries you'd need to do to map all observed IPs to encompassing netblocks, but you can easily map IPs to ASNs at the rate that's required. (Besides, trying to work at the per-netblock level is pretty unwieldy when it comes to things like maintaining abuse point of contact information, while ASN point of contact information is far more stable).

#Yes, I am really concerned that people might decide to blacklist ASNs
#due to spam. It doesn't make any sense in almost all cases.

I'd have to disagree with your assertion that "it doesn't make sense in almost all cases." There are some ASNs that may be routing only a small amount of space, and which seem to have an extremely strong correlation with badness. In those cases it may make perfect sense for an ISP to decide that it doesn't want to exchange traffic with that provider.

Heck, some people just tag their incoming email with the ASN of the handoff host, and then let selected anti-spam products automatically handle the hand-off host's ASN as added to the header as just another Bayesian message attribute -- if it is helpful when it comes to classifying spam and non-spam, it gets used; if it isn't, it doesn't. Shrug. See http://linuxmafia.com/~karsten/Download/procmail-asn-header for one recipe that some folks use for this purpose.

In any event, if you elect to route a given network block, you're responsible for the unwanted traffic that may be emitted by that network block.

#But we already have blocklists aggressively doing that with netblocks
#(uceprotect, spamhaus etc). No serious mailprovider in my neighbourhood
#use those blocklists

You must be in an unusual neighborhood since Spamhaus is generally considered to protect about 1.4 billion mailboxes worldwide according to http://www.spamhaus.org/organization/index.lasso

Regards,

Joe St Sauver (joe@oregon.uoregon.edu)
http://pages.uoregon.edu/joe/

Disclaimer: all opinions expressed are my own
Hello,

On 27/12/2010 19:09, Joe St Sauver wrote:
jorgen@hovland.cx commented:
#So a quick summary: #An ASN does not represent a single legal entity
Actually, at least some ASNs do represent single legal entities. For example, AS25 is the University of California at Berkeley and AS4983 is Intel, just to mention a couple of many examples.
Maybe or maybe not. You have probably no way of knowing that one day to another unless you work for those companies.
#Spam in general cannot be defined
Sure it can, and many folks offer definitions, including folks such as Spamhaus, see http://www.spamhaus.org/definition.html
Other entities, such as MAAWG, prefer to opt out of the whole "what is and what isn't spam" debate, simply referring to "abusive mail" for things like their quarterly email metrics reports (see http://www.maawg.org/email_metrics_report )
Didn't you just show me that it in fact cannot be defined in general? :)
#It's not ranking the spam volume
People can (and do) track spam volume by IP, by the netblock encompassing a spamming IP, by in-addr domain, and yes, by ASN.
There are several ways to attempt to measure spam. The method used on that website is however bad, but I guess Quarterman was just making a point. A site that does measure real mail volume is senderbase.
There's also the pragmatic reality that you may not be allowed to do the sustained volume of whois queries you'd need to do to map all observed IPs to encompassing netblocks, but you can easily map IPs to ASNs at the rate that's required. (Besides, trying to work at the per-netblock level is pretty unwieldy when it comes to things like maintaining abuse point of contact information, while ASN point of contact information is far more stable).
Because something is easier doesn't mean it is better (the opposite also applies).
#Yes, I am really concerned that people might decide to blacklist ASNs #due to spam. It doesn't make any sense in almost all cases.
I'd have to disagree with your assertion that "it doesn't make sense in almost all cases."
There are some ASNs that may be routing only a small amount of space, and which seem to have an extremely strong correlation with badness.
I believe you are saying the same thing as I.
#But we already have blocklists aggressively doing that with netblocks #(uceprotect, spamhaus etc). No serious mailprovider in my neighbourhood #use those blocklists to block mail or anything else.
You must be in an unusual neighborhood since Spamhaus is generally considered to protect about 1.4 billion mailboxes worldwide according to http://www.spamhaus.org/organization/index.lasso
Certain blocklists have lost their credibility because of their ways of creating collateral damage instead of dealing with the real problem: spam. The number 1.4 billion becomes interesting when some people believe there are only 1.3 billion mailboxes in the world. None of it is probably true. http://wiki.answers.com/Q/How_many_email_accounts_are_there_in_the_world

Blocking entire ASNs is quite feasible when you are incapable of filtering spam.

Cheers,
In message <10122710090862_81BC@oregon.uoregon.edu>, "Joe St Sauver" <joe@oregon.uoregon.edu> wrote:
#But we already have blocklists aggressively doing that with netblocks #(uceprotect, spamhaus etc). No serious mailprovider in my neighbourhood #use those blocklists
You must be in an unusual neighborhood since Spamhaus is generally considered to protect about 1.4 billion mailboxes worldwide according to http://www.spamhaus.org/organization/index.lasso
Well, that's what the marketing department @ Spamhaus tells everybody anyway. I for one have never seen a single shred of proof to back up their rather exorbitant claims in this regard however.

But to return to the point at hand, no, generally Spamhaus _doesn't_ block big swaths of IP space... a fact for which I, at least, have criticised them repeatedly. They bend over backwards to be far far too lenient, in my opinion.

Regards,
rfg
On 27/Dec/10 19:09, Joe St Sauver wrote:
jorgen@hovland.cx commented:
#Spam in general cannot be defined
Sure it can, and many folks offer definitions, including folks such as Spamhaus, see http://www.spamhaus.org/definition.html
Although I mostly agree with that definition, it is not quite applicable:
* "bulk" is ill defined (by induction), and
* "unsolicited" cannot be verified (no opt-in acknowledge protocol).
Possibly, reputation ranking should be based on (verified and verifiable) spam reports...
There's also the pragmatic reality that you may not be allowed to do the sustained volume of whois queries you'd need [...]
Getting the abuse@ address should be an exception to such limit.
#Yes, I am really concerned that people might decide to blacklist ASNs #due to spam. It doesn't make any sense in almost all cases.
I'd have to disagree with your assertion that "it doesn't make sense in almost all cases."
May I ask how blocking by ASN is different than by IP? I consider the latter somewhat anti-historical, in view of IPv6. It is also counter-productive as it tends to favor those who change addresses and names more often (spammers). Does block-by-ASN hinge on intrinsic difficulties in setting up an AS?
There are some ASNs that may be routing only a small amount of space, and which seem to have an extremely strong correlation with badness. In those cases it may make perfect sense for an ISP to decide that it doesn't want to exchange traffic with that provider.
I would block ranges from Spamhaus' DROP list. It has already defined a file format. Thus, it may be more practical for a host to convert an ASN into the corresponding ranges, and then block those.
In any event, if you elect to route a given network block, you're responsible for the unwanted traffic that may be emitted by that network block.
This statement makes lots of sense! It paves the way for resolving network issues inside the network, rather than resorting to unspecified legal resources.
#But we already have blocklists aggressively doing that with netblocks #(uceprotect, spamhaus etc). No serious mailprovider in my neighbourhood #use those blocklists
You must be in an unusual neighborhood since Spamhaus is generally considered to protect about 1.4 billion mailboxes worldwide according to http://www.spamhaus.org/organization/index.lasso
Spamhaus is Spamhaus. However, small mailbox providers will always have difficulties at blocking huge senders. For example, I had to whitelist TelecomItalia when it was blacklisted. Possibly, block-by-ASN should be done by the other AS's, directly and unconditionally. For example, block port 25 after an AS has been proved to blatantly ignore abuse reports... We'd probably need some sort of recognized authority to issue such sentences, though.
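Two practical points in this thread come down to the same lookup table: Joe's suggestion of accumulating spam reputation per ASN (map each observed source IP to its origin AS, and notice ASNs that route little space but emit many sources), and Alessandro's suggestion of converting an ASN into the ranges it routes before blocking anything. The Python script below is an added example written for this page; it is not code from the thread, from the procmail recipe linked above, or from Spamhaus. The routing table, the spam-source log, the prefixes (RFC 5737 documentation ranges) and the ASNs (private range) are all constructed placeholders, and the `prefix ; comment` output layout is only modelled on the DROP file, not a reproduction of its format.

```python
# Added example: per-ASN spam aggregation and ASN-to-prefix expansion.
# Not code from the anti-abuse-wg thread or any tool it mentions; the
# routing table and the log below are constructed placeholders.
import ipaddress
from collections import defaultdict

# Constructed stand-in for a BGP origin table: prefix -> origin ASN.
ROUTING_TABLE = {
    "192.0.2.0/24": 64496,
    "192.0.2.128/25": 64497,   # more specific, announced by another AS
    "198.51.100.0/24": 64498,
    "203.0.113.0/24": 64496,
    "203.0.113.0/26": 64499,
}

# Constructed spam-source observations: "timestamp source_ip message_count".
SPAM_LOG = """\
2010-12-27T10:00:00Z 192.0.2.10 3
2010-12-27T10:01:00Z 192.0.2.200 40
2010-12-27T10:02:00Z 192.0.2.201 55
2010-12-27T10:03:00Z 198.51.100.7 1
2010-12-27T10:04:00Z 203.0.113.5 9
2010-12-27T10:05:00Z 203.0.113.6 12
2010-12-27T10:06:00Z 203.0.113.100 2
2010-12-27T10:07:00Z 10.0.0.1 99
"""


def build_table(table):
    """Parse prefixes once, most-specific first, so a linear scan does
    longest-prefix matching (a radix tree replaces this at full-RIB scale)."""
    nets = [(ipaddress.ip_network(p), asn) for p, asn in table.items()]
    nets.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return nets


def lookup_asn(ip, nets):
    """Origin ASN of the most specific covering prefix, or None if unrouted."""
    addr = ipaddress.ip_address(ip)
    for net, asn in nets:
        if addr in net:
            return asn
    return None


def routed_size(nets):
    """Addresses effectively routed per ASN: each prefix minus the more
    specific prefixes nested directly inside it, matching lookup_asn."""
    effective = {net: net.num_addresses for net, _ in nets}
    for net, _ in nets:
        parents = [q for q, _ in nets if q != net and net.subnet_of(q)]
        if parents:
            nearest = max(parents, key=lambda q: q.prefixlen)
            effective[nearest] -= net.num_addresses
    sizes = defaultdict(int)
    for net, asn in nets:
        sizes[asn] += effective[net]
    return dict(sizes)


def parse_log(text):
    """Turn the constructed log into (timestamp, ip, count) rows."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, count = line.split()
            rows.append((ts, ip, int(count)))
    return rows


def aggregate_by_asn(rows, nets):
    """Distinct sources and message volume per origin ASN, plus sources per
    256 routed addresses so a small AS full of bots is not hidden behind a
    large AS's raw count. Unrouted sources are collected under key None."""
    seen = defaultdict(lambda: {"sources": set(), "messages": 0})
    for _, ip, count in rows:
        asn = lookup_asn(ip, nets)
        seen[asn]["sources"].add(ip)
        seen[asn]["messages"] += count
    sizes = routed_size(nets)
    stats = {}
    for asn, s in seen.items():
        size, n = sizes.get(asn, 0), len(s["sources"])
        stats[asn] = {"sources": n, "messages": s["messages"], "routed": size,
                      "sources_per_256": n * 256 / size if size else None}
    return stats


def rank_asns(stats):
    """ASNs with routed space, worst density first: [(asn, sources_per_256)]."""
    ranked = [(asn, s["sources_per_256"]) for asn, s in stats.items()
              if s["sources_per_256"] is not None]
    return sorted(ranked, key=lambda t: t[1], reverse=True)


def prefixes_for_asn(asn, nets):
    """Every prefix the table attributes to the ASN, as CIDR strings."""
    return [str(net) for net, a in sorted(nets) if a == asn]


def block_lines(asn, nets):
    """'prefix ; comment' lines, a layout modelled on (not identical to)
    the DROP file, for a firewall or MTA list to consume."""
    return ["%s ; AS%d" % (p, asn) for p in prefixes_for_asn(asn, nets)]


if __name__ == "__main__":
    nets = build_table(ROUTING_TABLE)
    stats = aggregate_by_asn(parse_log(SPAM_LOG), nets)
    for asn, density in rank_asns(stats):
        s = stats[asn]
        print("AS%d: %d sources, %d msgs, %d routed, %.1f sources/256"
              % (asn, s["sources"], s["messages"], s["routed"], density))
    print("\n".join(block_lines(rank_asns(stats)[0][0], nets)))
```

In the constructed data the two /24 ASNs account for most raw volume, but the density column puts AS64499 (two sources in a /26) at the top, which is exactly the "small amount of space, strong correlation with badness" case; the unrouted 10.0.0.1 observation is kept under `None` rather than silently dropped, since sources with no origin AS are worth noticing on their own.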
participants (4):
- Alessandro Vesely
- Joe St Sauver
- Jørgen Hovland
- Ronald F. Guilmette