North American Network Operators Group


Re: Lazy network operators - NOT

  • From: Paul Vixie
  • Date: Sun Apr 18 02:16:01 2004

[email protected] (John Curran) writes:
> ...
> This would suggest that spam is pervasive largely because of the large
> number of insecure systems available for origination (via port 25 :-),
> not because of providers failing to close barn doors after the fact...

I don't know why it's taken me so long to come to a conclusion about this,
especially since VJS has been making noises like this for a long time and
I know enough to pay attention.

So-called "broadband" user populations (cable, dsl, fixed wireless, mobile
wireless) are full time connected, or nearly so.  They are technically
unsophisticated, on average.  The platforms they run trade convenience for
security, and must do so in order to remain competitive/relevant.  Margin
pressure makes it impossible for most "broadband" service providers to even
catalogue known-defect customer systems or process complaints about them.

Those facts are not in dispute.  And so, today, I began rejecting all e-mail
from all roadrunner, attbi, interbusiness.it, comcast, and rogers customers.
And as I discover the next several thousand /16's which contain this kind
of user community I will reject their e-mail also.  MAPS DUL doesn't go
nearly far enough, nor do any of its lookalikes, not even SORBS DUHL.

You are all going to have to do this also, because the cost to you of keeping
a list of which /32 is running malware at any given moment is too high when
the numbers get into the millions, and even if your bots assume the worst
(that is, don't even bother probing for malware) you'll still have to handle
exception processing on the first spam (or the first few dozen spams).

IETF MARID could be a scalable way of performing this mass e-mail rejection,
and it could be a way that legit e-mail servers can live inside "broadband"
address blocks rather than having to tunnel to <www.vix.com/personalcolo> or
other clue-dense address space where technical sophistication is the norm...
but I can't imagine that happening at all, let alone happening in 2004/2005.

I was blind, but now I see.  These netblocks are like foreign airports without
metal detectors, and I've been handling the occasional transferring passenger
(who's armed with things they shouldn't be) on an exception basis, including
all kinds of per-incident damage, where what I need to do is land those planes
outside my security perimeter and make them go through local metal detectors
before they're allowed to transfer onto planes I'm responsible for.

MAPS or SORBS or somebody needs to set up a "BBL" (broad band list) which is
just a list of "broadband" customer netblocks, with no moral/value judgement
expressed or implied.  If it's complete and updated frequently, I'd pay for
a feed because of all the work it would save me personally and in my dayjob.
(Apropos of JCurran's comments above, it wouldn't matter if netblocks on this
"BBL" disabled outbound TCP/25, or not, so, they probably just wouldn't, but,
they probably aren't going to, no matter whether a "BBL" exists or not.)

The new motto here is: "Blackhole 'em all and let market forces sort 'em out."
-- 
Paul Vixie
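To make the mechanism concrete, here is an added example (not from the post, nor from MAPS or SORBS) of an SMTP-time policy check that rejects clients whose address falls inside a constructed "BBL" prefix feed while exempting a known legitimate server inside a listed block; the prefixes, the client addresses and the Postfix-policy-daemon-style OK/REJECT/DUNNO verdicts are assumptions.

```python
"""Hypothetical policy check against a "broadband list" (BBL) prefix feed.

Not code from the post or from any real DNSBL product; the netblocks and
client addresses are constructed for illustration only.
"""
import ipaddress

# Constructed BBL feed: whole customer netblocks as CIDR prefixes.
# The point of the post: decide per prefix, not per individual /32.
BBL_FEED = """
# broadband customer blocks (constructed, not real allocations)
10.20.0.0/16
10.21.0.0/16
192.0.2.0/24
"""

# Exceptions: legitimate mail servers known to sit inside a listed block
# (the "legit e-mail servers inside broadband address blocks" case).
ALLOWLIST = {"10.20.5.25"}

def load_feed(text):
    """Parse the feed into ip_network objects, ignoring comments and blanks."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def policy(client_ip, nets, allow=ALLOWLIST):
    """Return a policy verdict for a connecting client (Postfix-style words)."""
    ip = ipaddress.ip_address(client_ip)
    if str(ip) in allow:
        return "OK"                      # explicit exception wins
    for net in nets:
        if ip in net:
            return f"REJECT listed in BBL ({net})"
    return "DUNNO"                       # not listed; defer to later checks

# Constructed connection log: one client address per SMTP session
SAMPLE_CLIENTS = ["10.20.77.3", "10.20.5.25", "198.51.100.7", "192.0.2.200"]

def classify_all(clients=SAMPLE_CLIENTS, feed=BBL_FEED):
    """Map each client address to its verdict."""
    nets = load_feed(feed)
    return {c: policy(c, nets) for c in clients}

if __name__ == "__main__":
    for client, verdict in classify_all().items():
        print(f"{client:16} {verdict}")
```

Three prefixes cover every address in the constructed log, which is the scaling argument of the post: the list stays short no matter how many individual hosts inside those blocks are infected at any moment.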