RE: Another DNS blacklist is taken down

Great,
Just Great. Wasn't there a post a while back that listed what providers
are SPAM friendly? My fingers are getting tired trying to create ACL
lists to block ranges of IPs without compromising my service. I wish
the powers up above would buy the right software to try and curb the
SPAM, but that is not to be according to them.

So back to my ACLs I go!

This is one of the most likely things to happen. DNS RBLs are effective.
Otherwise spammers wouldn't be targeting them for abuse. Mail admins will
eventually start running their own RBLs or rejecting mail by other means
locally. This distributed method creates hundreds and eventually
thousands of separate points of contact for getting yourself off an RBL.
I ran my own domain and netblock list in the past and I can say from
experience that it is a very time consuming process. At the time it was
also extremely effective. I didn't list open relays/proxies/formmail.cgi
IPs. I did however list spamming domains and providers. It caught a
surprising amount of spam. It also left me with little time to do
anything else. There's got to be a better way.

Justin

What evidence is there that spammers are the ones doing the DDoS?

There is likely some conjecture here, but aside from the DNS RBLs
that cause collateral damage (i.e. blacklisting large chunks
of address space to cause behaviour change) who has something to gain
from these dnsbls going down?

  - Jared


Especially in the case of SPAMHAUS, they were no XRBL. What networks were really listed as collateral damage? I don't see how WilTel was an innocent bystander either in the previous case.

         ---Mike

Jared Mauch wrote:

>
> Jared Mauch wrote:
>
> > > >
> > > >>So back to my ACL's I go!
> > > >
> > > >This is one of the most likely things to happen. DNS RBLs are effective.
> > > > Otherwise spammers wouldn't be targeting them for abuse.
> > >
> > > What evidence is there that spammers are the ones doing the DDoS?
> >
> > There is likely some conjecture here, but aside from the DNS RBLs
> > that cause collateral damage (ie: blacklisting large chunks
> > of address space to cause behaviour change) who has something to gain
> > from these dnsbl's going down?
>
> Isn't that collateral damage issue enough to have angered hundreds of ISPs
> & end users to the point of not necessarily organizing a DDoS, but ignoring
> it? I think it is far _more_ likely that the DDoS came from the innocent
> victims fighting back rather than the spammers.

        Presently I beg to differ. (I do encourage you to prove me wrong :)

        A lot of small-time people have created their own dnsbls
after MAPS(tm) closed down public access to their system, and there
have been a lot of these smaller lists that could handle the query-load
of people that wanted to use them without problems, but once they
were hit with medium to large sized DoS attacks have decided that
it's not worth the effort. I am waiting to see what happens if people
move against those that are doing this as part of their business
model, such as MAPS, spamcop, etc.

        These people will be quite happy to call and get some of the
law enforcement people to actually move as it does pose a legitimate
threat to their entire cash flow and business model. They will also
be able to easily go to the media instead of some small time people that
run the list on machines in their basements or shared-colo environments.
Their providers just don't want to deal with the headache, similar to
how some IRC networks have been fighting to stay alive as well.

        The problem here is end-to-end accountability. It all relates
back to the constant issue of patching your systems and being a good
net.citizen with your upstreams, peers, etc. Security incidents
continue to be on the rise and unless people start to actually do
something about them (which I know is difficult due to financial constraints
that we face in the US currently at least) and are responsive at all
hours to them, things aren't going to get any better. We need the ability
to trace back attacks over the course of an hour at most to be able
to mitigate the risks that are posed, and filter out the true attacks
from the "noise" that people generate who think because they're seeing
p2p traffic to their machine they're being attacked.

        I encourage people to start profiling their traffic, not by
looking at netflow or other data, but by quite simple heuristics. Look
at your typical bitrate and pps rates that you see on your internal
and external (peering, upstream, exchange-point) links. Watch for any
abnormal events, large bursts in either bps or pps.

        Do this not only on your routers but on any layer-2 switches
you may have as well and you may be able to find attacks on your
network or attacks sourced from your network/customers that would have
not been otherwise noted. If you can find these and isolate the compromised
machines sooner rather than later you will be helping the entire internet
as a whole.
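One way to put the "simple heuristics" above into practice, as an added example that is not part of the thread: a rolling-baseline burst detector run over per-link bps and pps counter samples (the samples are constructed). It flags a packet-rate burst that a bitrate-only check would miss, and keeps flagged samples out of the baseline so a sustained burst cannot become the new "normal".

```python
from collections import deque
from statistics import mean, pstdev

# Constructed 60-second samples for one upstream link: (bps, pps).
# The last three are a packet-rate burst with only a modest bitrate rise,
# the shape a small-packet flood leaves on interface counters.
SAMPLES = [
    (410e6, 52e3), (398e6, 50e3), (425e6, 54e3), (402e6, 51e3),
    (415e6, 53e3), (390e6, 49e3), (420e6, 53e3), (405e6, 51e3),
    (435e6, 880e3), (445e6, 910e3), (430e6, 870e3),
]
METRICS = ("bps", "pps")


def detect_bursts(samples, window=6, sigma=4.0, min_ratio=2.0):
    """Flag samples whose bps or pps jumps far above a rolling baseline.

    A metric is anomalous when it exceeds baseline mean + sigma*stdev and
    is at least min_ratio times the mean; the ratio test keeps a flat link
    (stdev near zero) from alarming on noise. Flagged samples are not fed
    back into the baseline. Returns (index, metric, value, baseline_mean)
    tuples, one per metric that tripped.
    """
    baseline = deque(maxlen=window)
    alarms = []
    for i, sample in enumerate(samples):
        tripped = []
        if len(baseline) >= 3:  # need a few samples before judging
            for col, name in enumerate(METRICS):
                series = [s[col] for s in baseline]
                mu, sd = mean(series), pstdev(series)
                value = sample[col]
                if value > mu + sigma * sd and value >= min_ratio * mu:
                    tripped.append((i, name, value, mu))
        if tripped:
            alarms.extend(tripped)
        else:
            baseline.append(sample)
    return alarms


if __name__ == "__main__":
    for idx, metric, value, mu in detect_bursts(SAMPLES):
        print(f"sample {idx}: {metric} {value:.3g} vs baseline {mu:.3g}")
```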

I agree with you wholeheartedly. Malicious attacks deserve severe consequences,
and all ISPs need to set themselves up to be able to deal with them more quickly
and effectively. We have had problems with these sorts of things in the past. We
have done all sorts of neat stuff including sending alarms if traffic trends change
drastically, blackhole routing, etc. etc. That's a whole separate discussion, in my
opinion.

These BLs that leveraged their "wild west" style, unaccountable vigilante justice
by inflicting "collateral damage" to thousands of innocent victims got their karma
back. I think it's a cop out to think that it was the spammers themselves who did
this. Spammers are not smart enough to do things like that... They are just
money grubbing sleaze bags that play the numbers game. It is uneconomic for them
to use resources to organize a DDoS. A DDoS is an act of passion, not an act of
dollars and cents, which is how the spammers work.

Dan.

:s wrap 80-columns

> I agree with you wholeheartedly. Malicious attacks deserve severe consequences,
> and all ISPs need to set themselves up to be able to deal with them more quickly
> and effectively. We have had problems with these sorts of things in the past. We
> have done all sorts of neat stuff including sending alarms if traffic trends change
> drastically, blackhole routing, etc. etc. That's a whole separate discussion, in my
> opinion.
>
> These BLs that leveraged their "wild west" style, unaccountable vigilante justice
> by inflicting "collateral damage" to thousands of innocent victims got their karma
> back. I think it's a cop out to think that it was the spammers themselves who did
> this. Spammers are not smart enough to do things like that... They are just
> money grubbing sleaze bags that play the numbers game. It is uneconomic for them
> to use resources to organize a DDoS. A DDoS is an act of passion, not an act of
> dollars and cents, which is how the spammers work.

  I think you misjudge the skill of the spammers. The fact that
they are taking such actions as compromising machines, using wireless
links to do their spamming from, and finding other interesting ways
to leak their spam out on the networks is something that requires
more skill than the average computer user out there. The NYT had
a good article over the weekend that describes the techniques and
skills of some of these spammers. See here: (free reg, or find the
news.google link ...)

  You're making a clear mistake in underestimating the skills of these
people. While they may not be able to do it, these are people who have
been fighting the dnsbl, filtering, SpamAssassin, bayesian filters and
other such systems for years that are attempting to mitigate the loss of
number of deliveries they can perform on a daily basis.

  There is some skill required for these people to realize that
there are minor ways to tweak your text to get past filters, and
to understand how these filters work...

  - Jared

[at the risk of angering the moderator, quite rightly since this thread is bordering on OT - apologies moderator!]

> These BLs that leveraged their "wild west" style, unaccountable
[rant probably directed at 'spews' snipped]
> I think it's a cop out to think that it was the spammers themselves
> who did this. Spammers are not smart enough to do things like that...

Ehm, we actually have proof the spammers are doing the DDoS, at least against Spamhaus. We can even see the spammer doing it on his IRC channel, we know how many zombies he's controlling, where they are, where he's connected from and even his aliases and account names, we have enough on him to put the Feds at his door ...should the Feds ever get interested.

MessageLabs have also compared the long list of servers participating in the DDoS against Spamhaus with their database of known virus-infected hosts. The test came back today showing that almost all the hosts attacking Spamhaus have recently been identified by MessageLabs as being infected with the Fizzer worm.

We had in fact also been wondering if, as well as being responsible for sending SoBig, the spammers might be responsible for other viruses as well. In particular we wondered how so many spammers were now hosting their spamvertised web sites on rapidly-appearing zombies all over the net; that answered that too, since the summary of Fizzer (one of the most widespread viruses in the world) is:

     Fizzer is a complex e-mail worm that appeared on May 8,
     2003. The worm can spread itself in e-mails and in the
     Kazaa P2P (peer-to-peer) file-sharing network. The
     Fizzer worm contains a built-in IRC backdoor, a DoS
     (Denial of Service) attack tool, a data-stealing Trojan
     (uses external keylogger DLL), an HTTP server and other
     components. The worm has the functionality to kill the
     tasks of certain anti-virus programs. Additionally, the
     worm has automatic updating capabilities.

The world has to wake up to the fact that spammers are no longer stupid, there's a lot of money to be made spamming so crackers and script kiddies have joined them. We've had open relays, we've had open proxies, the future of mass spamming is by way of ever-more-powerful viruses.