fixing insecure email infrastructure (was: Re: [eweek article] Window of "anonymity" when domain exists, whois not updated yet)

Numerous (as in "at least hundreds, probably more") of spam gangs are
purchasing domains and "burning through" them in spam runs. In many
cases, there's a pattern to them; in others, if there's a pattern,
it's not clear to me what it might be.

From my point of view, "pattern" is which registrars are getting the buys,
for which registries, where the ns's are hosted, and for domains used in
the return value side, hosting details. The latter to reduce to RIR CIDRs.

There is more, but that is the first cut, localization of registrar(s) and
registries and CIDRs.

This bunch prefers domains in .info -- no doubt motivated in part by things
like the recent $1.95 sale on such domains.

OK. Now you've identified price as a significant control variable. There are
registrars that don't sell .info. I don't. There are registrars that don't
sell directly to registrants. I can think of half a dozen of us who only
sell to corporations and bona fide people who buy reasonable names.

Transcendental numbers in decimal character form are "reasonable". Your
two example sets are not "reasonable".

The dirty little secret is that all this activity on the part of spammers
is a gold mine for registrars.

This isn't going to make me think you can add or subtract.

It's gotten so bad that -- to a darn good first approximation -- if you
find a domain in the .biz or .info TLDs

I agree, and don't sell .biz, .info or .name, or .cc or .tv or .bz or any
of the obvious repurposed cctlds, with the exception of my friend Bill
Semich's .nu, which actually means something in Sweden for local reasons.
I do plan to sell .aero, .coop and .museum, however.

In case it is inobvious, there is a possibility that part of _your_
problem (and a big part of my problems) can be placed at the figurative
"door" of a 501(c)(3) located in California.

The answer? (1) no obfuscated registrations (2) mass, fast, permanent
confiscation of spammer domains (3) requirement for reasonably correct
domain registration info ... and (4) publication of all WHOIS data in
a simple, easily parseable form ...

Nothing in this laundry list makes the cost of bad business for my
competitors rise; see add and subtract, above.

Try the following: 1,$s/registrars/isp/g and 1,$s/registry/rir/g, and
1,$s/domain/ipv4_addr/. If you're still keen on your approach, then it
might be a good one.

I've replied after removing your personal identifiers back to NANOG.
I appreciate the data, but I want the discourse to be multicast.

Eric

(quoting Anonymous):

> Numerous (as in "at least hundreds, probably more") of spam gangs are
> purchasing domains and "burning through" them in spam runs. In many
> cases, there's a pattern to them; in others, if there's a pattern,
> it's not clear to me what it might be.

From my point of view, "pattern" is which registrars are getting the buys,
for which registries, where the ns's are hosted, and for domains used in
the return value side, hosting details. The latter to reduce to RIR CIDRs.

I provided the IPs to which all of the latter domains resolved at the
time I checked. All went to four IPs, all in China, three in the same
network. The nameservers exhibit similar behavior, though often also
with Brazilian nameservers along with Chinese. Not in the last month, tho:

nameservers:
   16 ns1.anwoo.com 202.67.231.145 HKNET-HK
   14 ns1.eslom.com 61.128.196.155 CHINANET-CQ
   12 ns1.epoboy.com 222.51.91.226 CRTC
   12 ns1.bomofo.com 221.5.250.122 CNCGROUP-CQ
    4 ns1.lenpo.com 207.234.224.202 AFFINITY-207-234-128-0
    4 ns1.boozt.com 218.7.120.81 JINDU-COMPUTER-NET-COM
    2 ns1.mynameserver.ca 202.67.231.145 HKNET-HK

registrars by whois server:
   15 whois.afilias.info
    3 whois.planetdomain.com
    2 whois.godaddy.com
    2 whois.domainzoo.com
    1 whois.registrationtek.com
    1 whois.joker.com

So? Of course .info is handled by afilias. Sponsoring registrars for
.info domains mentioned upthread:
    9 R126-LRMS - Enom
    4 R239-LRMS - Primus
    2 R171-LRMS - GoDaddy

There's your clustering. Feel free to somehow reduce these to CIDRs or
ASNs; they're not used in the message headers anyway, so all you can do
is block the redirection for your users, but not prevent them from being
deluged with the spam itself, nor prevent me and others from being deluged
with the bogus DSNs.

So what? Eventually, better antispam techniques will lead to the ability
to block messages from or referencing domains with banned nameservers.

And then spammy will set things up so that he has a new nameserver for
every run. And we'll still have insecure email, because he'll have
continued to get away with it, because he can hide behind "private"
whois for his domains registrations, he'll continue to burn through the
net namespace leaving nothing but scorched earth, and none of the
underlying conditions will have been addressed.

It's no longer a simple matter of blocking the sender origin, botnets
have taken care of that. It's no longer a matter of blocking known spammy
domains in SMTP envelopes; they're forging them. It's not a matter of
blocking mail with known spammy domains in it, as these are one-a-day
throwaway redirectors. It's not a matter of blocking mail with domains
that point to rogue nameservers, ASNs, or CIDRs, spammy can register new
domains and use new ones every day. It's not a matter of any of these
things, though I use them all, and with some effect.

The problem is that spammy is getting away with this by modifying his
tactics slightly and keeping a step ahead of the game, and because few
understand or care about actually /fixing the underlying brokenness/
that lets him get away with it day after day.

There is more, but that is the first cut, localization of registrar(s) and
registries and CIDRs.

I fail to see how isolating registrations to a single registrar changes
the facts on the ground - if anything, you're already showing that you
are at least one step behind Spammy, by making this a requirement. Or,
alternately, you're simply saying that those who care about net abuse are
shackled by ICANN's bylaws and therefore we can do nothing.

<snip>

Thus far, all you've done is recycle the policy claim of the trademarks
interests, a highly effective "stakeholder" and rational entity within
ICANN, and the policy claim of the law enforcement interests, [...]

I'm sorry, but I'm not following. By asking for domain registrations to
be transparent and monitored for accuracy, I'm echoing the "policy
claim" of everyone who has ever tried to determine the registrant of a
domain and found it to be laughably forged, incorrect, out of date, or
"protected" by some other entity whose primary purpose seems to be to
help spammers hide. Whether this group of interested parties includes
the "trademarks interests" is irrelevant.

This thread however is about SMTP, and some glop that might make it
differently, or less "insecure".

Clearly we need to change the Subject: then, as you seem bent on ignoring
my statements about the underlying causes of net abuse via email with this
dodge, and it's getting tiresome.

Do you want to see whois records normalized and monitored for forgeries?

Do you believe this could have an effect on the ability of spammers and
others to abuse network resources?
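The nameserver and registrar tallies posted upthread, the "reduce these to CIDRs" step, and the idea of blocking messages that reference domains parked on banned nameservers, as an added Python example that is not part of this thread. The records, hostnames, whois servers and message body are constructed sample data on RFC 5737 documentation addresses, not the thread's measurements; only the registrar IDs R126-LRMS, R239-LRMS and R171-LRMS are taken from the listing above.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample data (RFC 5737 documentation addresses), not the thread's
# real measurements. One record per domain seen in a spam run:
# (domain, nameserver host, nameserver IP, whois server, sponsoring registrar)
RECORDS = [
    ("zqpx-offer.info",    "ns1.shared-a.example", "203.0.113.17", "whois.afilias.info", "R126-LRMS"),
    ("hvtr-deal.info",     "ns1.shared-a.example", "203.0.113.17", "whois.afilias.info", "R126-LRMS"),
    ("mkoi-sale.info",     "ns1.shared-b.example", "203.0.113.40", "whois.afilias.info", "R239-LRMS"),
    ("plwe-click.biz",     "ns1.shared-b.example", "203.0.113.40", "whois.example",      "R239-LRMS"),
    ("rtyu-promo.info",    "ns1.solo-c.example",   "198.51.100.9", "whois.afilias.info", "R171-LRMS"),
    ("legit-shop.example", "ns1.legit.example",    "192.0.2.5",    "whois.example",      "R999-LRMS"),
]

FIELDS = {"ns": 1, "ns_ip": 2, "whois": 3, "registrar": 4}


def tally(records, field):
    """Count domains per value of one field, most common first: the same
    shape as the per-nameserver and per-whois-server listings upthread."""
    idx = FIELDS[field]
    return Counter(r[idx] for r in records).most_common()


def ns_prefixes(records, prefixlen=24):
    """Reduce the nameserver IPs to /prefixlen networks (the 'reduce to
    CIDRs' step); a real deployment would map these onto RIR allocations."""
    nets = {ip_network(f"{r[2]}/{prefixlen}", strict=False) for r in records}
    return sorted(nets, key=lambda n: n.network_address)


def banned_domains(records, banned_ns=(), banned_prefixes=()):
    """Domains whose nameserver host, or nameserver IP, is on a block list."""
    nets = [ip_network(p) for p in banned_prefixes]
    hits = set()
    for domain, ns, ns_ip, _whois, _registrar in records:
        if ns in banned_ns or any(ip_address(ns_ip) in n for n in nets):
            hits.add(domain)
    return hits


# Hostnames in URLs or bare in text; deliberately simple, not a full URL parser.
HOSTNAME_RE = re.compile(r"(?i)\b(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


def referenced_domains(body):
    """Lower-cased hostnames mentioned anywhere in a message body."""
    return {m.lower() for m in HOSTNAME_RE.findall(body)}


def flagged_domains(body, blocked):
    """Blocked domains referenced in the body, matching any parent of a
    hostname so that www.<domain> still hits <domain>."""
    hits = set()
    for host in referenced_domains(body):
        labels = host.split(".")
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in blocked:
                hits.add(candidate)
    return hits


# Constructed message body, not a real spam sample.
SAMPLE_BODY = (
    "Subject: your order\n\n"
    "Click here: http://www.zqpx-offer.info/go?id=1 or visit mkoi-sale.info today.\n"
    "Unsubscribe at legit-shop.example/opt-out\n"
)


if __name__ == "__main__":
    for field in ("ns", "whois", "registrar"):
        print(f"{field}:")
        for value, count in tally(RECORDS, field):
            print(f"{count:5d} {value}")
    print("nameserver prefixes:", [str(n) for n in ns_prefixes(RECORDS)])
    blocked = banned_domains(RECORDS, banned_prefixes=["203.0.113.0/24"])
    print("flagged in sample body:", sorted(flagged_domains(SAMPLE_BODY, blocked)))
```

The tallies answer "where is the clustering"; `ns_prefixes` and `banned_domains` show what a block on nameserver prefixes buys you (every domain on a shared nameserver, including ones not yet seen in mail); `flagged_domains` is the body-side check the thread describes, and it is exactly the step a fresh nameserver per run defeats.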