BGP list of phishing sites?

> It's wholy unfair to the innocent parties affected by the blacklisting.
> i.e. the collateral damage.

maybe so. but it'll happen anyway, because victims often have no recourse
that won't inflict collateral damage. the aggregate microscopic damage of
this kind is becoming measurable and "statistically interesting".

> Say a phising site is "hosted" by geocities. Should geocities IP
> addresses be added to the blacklist?
> What if it made it onto an akamaized service? Should all of akamai
> be blacklisted?

you're using terms like "unfair" and "innocent" and "should" in ways
that lead me to wonder if we're having two different conversations here.
the internet has no government, no constitution, no laws, no rights, no
police, no courts. don't talk about fairness or innocence, and don't
talk about what should be done. instead, talk about what is being done
and what will be done by the amorphous unreachable undefinable blob
called "the internet user base."

if the cost:benefit is right for an endsystem to blackhole akamai or
geocities then they will do it, no matter how unfair anybody else thinks
it is, or how innocent other people think akamai/geocities might be, and
no matter how much you or anybody may think that something different
"should" be done. welcome to the "dog-eat-dog phase." spammers and
phishers don't care about what's fair or who's innocent. sean's and
chris's employers certainly don't want to be lectured to about what
others think "should" be done. the end result is that victims are
caring less and less about false positives or collateral damage --
nobody wants to be the last one to stop caring, since the other name for
that person is "rube" (or sometimes "dupe".)

while i've been keen to criticize sean's and chris's employers here, i
do it for entertainment value (my own, and the lurkers who occasionally
tell me i owe them a new keyboard because i was unexpectedly funny) and
not because i think sean or chris or their employers are wondering what
i think they "should" do.

a) IP address that happen to have $nasty at one end of them; or
b) IP address for whom no abuse desk even gives a response (even
   "we know, go away") when informed of $nasty.
Seems to me (b) is, in general, a lot more reasonable than (a)
particularly where there is very likely >1 administrative zone per IP
address (for example HTTP/1.1). It also better satisfies Paul's
criterion of being more likely to engender better behaviour (read:
responsibility of network work operators for downstream traffic) if
behaviour of the reporter is proportionate & targeted.

my sister called me last night to tell me that she was unable to receive
mail from southwest airlines, and that her e-ticket was in limbo for some
flight somewhere. i checked and sure enough southwest airlines has sent
me three or messages per day that i don't want, for most days out of the
last six months. since neither southwest nor their ISP was willing to
take any responsibility for this unwanted e-mail, i blackholed them, and
i guess that means they'll have to fax that e-ticket. or something. it's
not my problem. as a victim, i can't let it be my problem. if someone
wants their traffic to be accepted then they'll have to maintain a good
reputation, which will in the future be automated in various ways including
webs of trust/guaranty, forfeitable deposits, micropayments, and "living
in better neighborhoods". in that way e-space will catch up to meat-space.

WRT "apply greater sanctions", it is possible of course, though perhaps
neither desirable nor scalable, to filter at layer>3 all sites on given IPs
to minimize collateral damage. See
BT's modest plan to clean up the Net • The Register

collateral damage is irrelevant now. minimizing it makes the problem worse,
maximizing it just costs you in lawyer payments, it's every endsystem for
itself now. john gilmore warned me that i was hastening this day when i
started the first RBL. i didn't consider it avoidable, then or now. we
were both right.