|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of "anonymity" when domain exists, whois not updated yet)
on Wed, Jan 12, 2005 at 04:24:42PM +0000, Eric Brunner-Williams in Portland Maine wrote:
(quoting Anonymous):
> > Numerous (as in "at least hundreds, probably more") of spam gangs are
> > purchasing domains and "burning through" them in spam runs. In many
> > cases, there's a pattern to them; in others, if there's a pattern,
> > it's not clear to me what it might be.
>
> >From my point of view, "pattern" is which registars are getting the buys,
> for which registries, where the ns's are hosted, and for domains used in
> the return value side, hosting details. The latter to reduce to RIR CIDRs.
I provided the IPs to which all of the latter domains resolved at the
time I checked. All went to four IPs, all in China, three in the same
network. The nameservers exhibit similar behavior, though often also
with Brazilian nameservers along with Chinese. Not in the last month, tho:
nameservers:
16 ns1.anwoo.com 202.67.231.145 HKNET-HK
14 ns1.eslom.com 61.128.196.155 CHINANET-CQ
12 ns1.epoboy.com 222.51.91.226 CRTC
12 ns1.bomofo.com 221.5.250.122 CNCGROUP-CQ
4 ns1.lenpo.com 207.234.224.202 AFFINITY-207-234-128-0
4 ns1.boozt.com 218.7.120.81 JINDU-COMPUTER-NET-COM
2 ns1.mynameserver.ca 202.67.231.145 HKNET-HK
registrars by whois server:
15 whois.afilias.info
3 whois.planetdomain.com
2 whois.godaddy.com
2 whois.domainzoo.com
1 whois.registrationtek.com
1 whois.joker.com
So? Of course .info is handled by afilias. Sponsoring registrars for
.info domains mentioned upthread:
9 R126-LRMS - Enom
4 R239-LRMS - Primus
2 R171-LRMS - GoDaddy
There's your clustering. Feel free to somehow reduce these to CIDRs or
ASNs; they're not used in the message headers anyway, so all you can do
is block the redirection for your users, but not prevent them from being
deluged with the spam itself, nor prevent me and others from being deluged
with the bogus DSNs.
So what? Eventually, better antispam techniques will lead to the ability
to block messages from or referencing domains with banned nameservers.
And then spammy will set things up so that he has a new nameserver for
every run. And we'll still have insecure email, because he'll have
continued to get away with it, because he can hide behind "private"
whois for his domains registrations, he'll continue to burn through the
net namespace leaving nothing but scorched earth, and none of the
underlying conditions will have been addressed.
It's no longer a simple matter of blocking the sender origin, botnets
have taken care of that. It's no longer a matter of blocking known spammy
domains in SMTP envelopes; they're forging them. It's not a matter of
blocking mail with known spammy domains in it, as these are one-a-day
throwaway redirectors. It's not a matter of blocking mail with domains
that point to rogue nameservers, ASNs, or CIDRs, spammy can register new
domains and use new ones every day. It's not a matter of any of these
things, though I use them all, and with some effect.
The problem is that spammy is getting away with this by modifying his
tactics slightly and keeping a step ahead of the game, and because few
understand or care about actually /fixing the underlying brokenness/
that lets him get away with it day after day.
> There is more, but that is the first cut, localization of registrar(s) and
> registries and CIDRs.
I fail to see how isolating registrations to a single registrar changes
the facts on the ground - if anything, you're already showing that you
are at least one step behind Spammy, by making this a requirement. Or,
alternately, you're simply saying that those who care about net abuse are
shackled by ICANN's bylaws and therefore we can do nothing.
--
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us! http://hesketh.com/about/careers/account_manager.html join us!
|