North American Network Operators Group


Re: SPAM Level Status - And why not stop the peering with lame ISPs

  • From: Charles Cala
  • Date: Thu Feb 09 21:36:41 2006


--- Alain Hebert <[email protected]> wrote:

> 
>     Is it just me or the level of spam coming from ASIA (region) has 
> just increased 10 fold in the past week?
(snip)
it comes and goes like the wind, and the tides.


>      I could see Peer stopping announcement of the routes of ISP's that 
> do not comply with abuse (I mean high volume of abuse here) after 12h...

Much as I would like to see an ISP level response about security 
issues/spam/foo pollution on the internet, I am not in favor of the 
balkanization of the internet.

We know that those people with OWNED boxes (via virus, bot, or layer 8) 
take up a large amount of bandwidth (relative to revenue), and therefore 
add expenses to an ISP. Smart people know this. The people on the list 
know this. Stopping inbound packets except for Common Well Known Services
might be a good option for an ISP to add, BUT that takes up a lot 
of router CPU. 

That does not do the rest of us any good at this point, people
will pollute until trashing the environment 
 _ becomes inconvenient _  for them.

A way to make things inconvenient is to not allocate any more 
IP addresses to historical polluters (or IPv6 only). If this is done 
at the ARIN/RIPE/APNIC/etc. level, I believe that problem children 
will find it in their best interest to start putting outbound 
filters in place, and getting rid of people who can not be 
bothered to manage their own machines.

The data is in place right now: http://isc.incidents.org/source_report.php
You can drill down to an IP address, such as 
http://www.dshield.org/ipinfo.php?ip=024.000.003.075
http://www.dshield.org/ipinfo.php?ip=221.004.061.168

Increasing the level of reporting so that common pollution, 
such as port 1025-1030, 135, 445, etc. would be pretty easy.

Perhaps a BOF at NANOG Dallas might be in order.


>     Or why not having the registrar blackhole the domain if the abuse 
> level gets too high?
Then you only have no DNS; that does not stop a port scan/spam spew.


This is not a problem limited to a region of the world; 
stupidity is a planet-wide illness.
(and I am guilty of being ill from time to time)

-charles

Pick two: good, fast, or cheap.
(fixed scope,fixed timeframe,or fixed budget)
(Elegant, documented, on time)(Privacy, accuracy, security)
(Have fun, do good, stay out of trouble)(Study, socialize,
sleep)(Diverse, free, equal)(Fast, efficient, useful)
(Cheap, healthy, tasty)(Secure, usable, affordable)
(Short, memorable, unique)(Cheap, light, strong)