monkeys.dom UPL being DDOSed to death

Hi!

After Osirusoft was shut down, most likely Infinite-Monkeys are going down
also??

See:

[Mimedefang] monkeys.dom UPL being DDOSed to death
Jon R. Kibler mimedefang@lists.roaringpenguin.com
Tue Sep 23 14:15:01 2003

Greetings to all:

I have some really sad news. I just got off the telephone with Ron
Guilmette who runs the monkeys.com Unsecured Proxies List DNSBL. I hate to
say it, but monkeys.com has been killed. It has been DDOSed to death.

Ron says that every aspect of his network is undergoing a massive DDOS
attack from thousands of IPs -- apparently many/all spoofed. He has tried
to get law enforcement to investigate, but to no avail. He indicated that
this is probably the end of his service.

This makes two DNSBLs that have been DDOSed to death recently. Which one
is next? NJABL? ORDB?

The computer security industry really needs to figure out how to get law
enforcement to take these attacks seriously. It would only take a few good
prosecutions to put an end to these types of attacks. Any
thoughts/suggestions?

This is really a dark day for those of us fighting spam. It looks like the
spammers have won a BIG battle. The only question now is who will be the
casualty in this war?

Jon R. Kibler
A.S.E.T., Inc.
Charleston, SC USA

This is pretty sad.

bye,
Raymond.

Anyone SERIOUSLY interested in designing a new PTP RBL system 100% immune
to DDOS, please drop me a line.

By seriously, I mean those who actually want to solve the problem, not
those who want to be whiny pedants.

-Dan

Raymond Dijkxhoorn wrote:

[Mimedefang] monkeys.dom UPL being DDOSed to death
Jon R. Kibler mimedefang@lists.roaringpenguin.com
Tue Sep 23 14:15:01 2003

The computer security industry really needs to figure out how to get law enforcement to take these attacks seriously. It would only take a few good prosecutions to put an end to these types of attacks. Any thoughts/suggestions?

This is really a dark day for those of us fighting spam. It looks like the spammers have won a BIG battle. The only question now is who will be the casualty in this war?

This goes beyond spam and the resources that many mail servers are using. These attacks are being directed at anti-spam organizations today. Where will they point tomorrow? Many forms of breaking through network security require that a system be DOS'd while the crime is being committed. These machines won't quiet down after the blacklists are shut down. They will keep attacking hosts. For the US market, this is a national security issue. These systems will be exploited to cause havoc among networks of all types and sizes; governmental and commercial.

Windows Update may be protected for now, but it still has limitations. It can be killed to the point of non-use. Then how will systems get patched to protect themselves from new exploits? The problem will escalate. There are many financial institutions online. Does anyone doubt that their security can be penetrated? What about DoD networks?

There are a lot of social aspects to internetworking. Changes need to be made. Power needs to be allocated appropriately. A reckoning needs to occur. All the businesses that make and spend mass amounts of money due to the Internet need to strongly consider that there won't be a product if the social ramifications are solved.

Users don't want to be online and check email just to find hundreds of advertisements, pornography, and illegal material in their inbox. Users don't want to hear that they've been infected with the latest virus and can no longer be online until they fix the problem; usually resulting in money. Users don't want to hear that they can't reach site X because of some change in architecture. If the general masses get fed up with the Internet, there won't be an Internet. Millions of dollars are easily being lost because of malicious activity on the Internet. Millions more are being lost due to differences of opinion in the governing bodies of the Internet.

Is everyone so short sighted and greedy as to not recognize that they are dying a slow financial death?

-jack

It's somewhat funny. Quite some time ago, us IRC server operators warned
about this same thing, and were mostly just told to "not run IRC servers."

The anti-spammers will likely just get told to "not run DNSBL's." This
only works up until the point that it's YOUR service that's getting hit and
people tell you to stop running it.

For several years now I've noticed a trend of technologies being used to
attack IRC servers being later abused to send SPAM. First it was the open
wingates, then the misconfigured Cisco's, then the HTTP Proxies. It looks
like the large botnets are now being harvested by spammers to fight the
Anti spammers. This is something we IRC server admins, and other high
profile services like it which draw such attacks have been dealing with
for some time.

Ron, good luck with it. You're stuck between a rock and a hard place. If
you down it the kiddies win again, and will feel they can bully the next
guy. If you don't your network is crippled. It's a no win situation.

Jason

It's somewhat funny. Quite some time ago, us IRC server operators warned
about this same thing, and were mostly just told to "not run IRC servers."

A private IRC server with one user isn't much fun.

The anti-spammers will likely just get told to "not run DNSBL's." This
only works up until the point that it's YOUR service that's getting hit and
people tell you to stop running it.

A private DNSBL with one user works just fine.

If whoever is behind this succeeds in "driving all the DNSBLs off the net"
what they'll really do is drive them all underground. In the short term,
lots of networks will lose access to the public DNSBLs they've been using.
The spammers will rejoice, but that will only fuel the creation of
hundreds (maybe thousands) of new private DNSBLs. Necessity is the mother
of invention. Those with clue will run their own. A lot of those without
will too. Some will likely even latch onto the "last snapshot" they got
before the DNSBLs they were syncing went offline/private. These will, of
course, get out of date and out of sync almost immediately.

Once you host a customer who turns out to be a spammer, good luck getting
those IPs removed from 10000 private DNSBLs. E-mail abuse management may
be the next field to really open up with job opportunities as networks
will have to contact a large portion of the internet to try to get IPs
cleared from everyone's private DNSBL...most of which will be poorly
documented if at all.

Just over 2 years ago, I posted a message titled "Affects of the
balkanization of mail blacklisting" about how ex-MAPS users were using
out-of-sync copies of the MAPS DUL after MAPS went commercial and those
networks presumably lost access to the data. I guess that was just the
tip of the iceberg.

one wonders how many private blocking lists still have the old aegis
netblocks in them.

i make it a point to date entries in my lists and periodically purge older
entries that don't seem to be active spam sources anymore, but most do not,
i'm afraid.

if the well run BLs are run underground or shutdown, this will ultimately
lead to exactly what jon fears -- an IP space full of random, unusable
"superfund sites".

cheers,
  richard

Ron, good luck with it. You're stuck between a rock and a hard place. If
you down it the kiddies win again, and will feel they can bully the next
guy. If you don't your network is crippled. It's a no win situation.

If any of the DoS'ed-to-death RBLs really wants to get back at the spammers
it's easy. Write software that allows any ISP or business to use their mail
servers and their customers/employees (via a forward-to address) to maintain
their own highly dynamic blacklist.

Blacklists are just one kind of filter. If we could load software that
allowed us to forward spams caught by other filters into it and it
maintained a DNS blacklist we could have our servers use, we wouldn't need
big public rbl's, everyone doing any kind of mail volume could easily run
their own IF THE SOFTWARE WAS AVAILABLE. A distributed solution for a
distributed problem.

Resistance is NOT futile.

Geo.

Already been done. http://spamikaze.nl.linux.org/

Geo. wrote:

Blacklists are just one kind of filter. If we could load software that
allowed us to forward spams caught by other filters into it and it
maintained a DNS blacklist we could have our servers use, we wouldn't need
big public rbl's, everyone doing any kind of mail volume could easily run
their own IF THE SOFTWARE WAS AVAILABLE. A distributed solution for a
distributed problem.

The benefit of using a blacklist like monkeys or ordb is that there is only one removal process for all the mail servers. The issue is that when the webserver is dDOS'd, it is very hard for people to get removed.

Running local blacklists on common themes (such as open proxy/open relay) has the same issue. Yes, one can blacklist the site, but how do you get it delisted once the problem is fixed?

I had openrbl.org in my rejections for a while so that people could find all the blacklists that they were on. Since the dDOS of openrbl, I've had to change it to my local scripts which don't cover near what openrbl did.

-Jack

The benefit of using a blacklist like monkeys or ordb is that there is
only one removal process for all the mail servers. The issue is that
when the webserver is dDOS'd, it is very hard for people to get removed.

There shouldn't be a need for any removal process. A server should be listed
for as long as the spam continues to come from it. Once the spam stops the
blacklisting should stop as well. That is how a dynamic list SHOULD work.

Geo.

Geo. wrote:

There shouldn't be a need for any removal process. A server should be listed
for as long as the spam continues to come from it. Once the spam stops the
blacklisting should stop as well. That is how a dynamic list SHOULD work.

Depends on the type of listing. Open proxies and open relays are best removed by request of the owner once they are fixed, or staled out after a retest at a later time, although retests should be few and far between (many use anything from 1-6 months). Just because spam is not temporarily coming from an insecure host does not mean that the host has been secured.

Direct Spam is difficult to automatically detect, and reports are not always accurate (see SpamCop). It tends to be a very manual process. A lot of work goes into maintaining a list like SBL or SPEWS.

Spam is also very transient which makes local detection of a spammer's activities difficult. They may just be focusing on someone else for a week or two before plastering your servers again. If you removed them, they will do considerable damage before they get relisted via the manual process (delay between first email received and first recipient reporting can easily exceed hours).

The other issue with shared listings is what one considers acceptable or unacceptable. Easynet, for example, lists a lot of mail senders which I accept mail for due to user demand. They consider the email spam or resource abuse (broken mailers) while I am meeting the demands of my customers who are paying to receive the email. This isn't a collateral damage issue. It is an issue of where a network decides to draw the line on accepting or rejecting email.

-Jack
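Geo's "listed only while the spam continues" list and Jack's reply that proxy/relay listings need a longer life and an owner-initiated removal, combined in one small store, as an added Python example that is not software from anyone in this thread. The zone name, the per-category lifetimes and the IP addresses are assumed or constructed; the thread itself gives only "1-6 months" for proxy/relay retests.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
DAY = 86400  # timestamps below are plain Unix epoch seconds

# Per-category listing lifetimes (assumed values for illustration).
TTL = {
    "spam": 7 * DAY,          # dynamic: falls off once the spam stops
    "open-relay": 90 * DAY,   # stays until retest window or owner delist
    "open-proxy": 90 * DAY,
}

@dataclass
class Listing:
    category: str
    last_seen: int
    reports: int

@dataclass
class DynamicDNSBL:
    zone: str                               # e.g. "bl.example.test" (placeholder)
    entries: dict = field(default_factory=dict)

    def report(self, ip, category, now):
        """Record one forwarded spam/proxy report, refreshing last_seen."""
        key = (str(IPv4Address(ip)), category)
        e = self.entries.setdefault(key, Listing(category, now, 0))
        e.last_seen, e.reports = max(e.last_seen, now), e.reports + 1

    def expire(self, now):
        """Drop entries not reported within their category TTL; return count."""
        stale = [k for k, e in self.entries.items()
                 if now - e.last_seen > TTL[e.category]]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def delist(self, ip, category):
        """Owner-requested removal of a fixed relay/proxy (no web form needed)."""
        return self.entries.pop((str(IPv4Address(ip)), category), None) is not None

    def query_name(self, ip):
        """Reversed-octet name an MTA would look up: 10.2.0.192.<zone>."""
        return ".".join(reversed(str(IPv4Address(ip)).split("."))) + "." + self.zone

    def is_listed(self, ip, now):
        """Expire first, then answer the way a DNSBL lookup would."""
        self.expire(now)
        return any(k[0] == str(IPv4Address(ip)) for k in self.entries)
```

A spam-category entry vanishes on its own a week after the last report, while an open-relay entry outlives weeks of silence and is cleared only by `delist` or the 90-day TTL.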