RE: Another DNS blacklist is taken down

I think some RBLs might get better responses from the ISPs when they stop
taking "collateral damage gets the abuse department's attention" attitudes..
Some RBLs cause many providers a LOT of headaches, so it is not surprising
that when it is their turn to complain, the ISPs will just say: post to
abuse.ddos.isp.net and we might get around to fixing it. :).

Regards,
Mark

True. However, I also subscribe to those beliefs. When an ISP knowingly
allows a spammer to sign up for network service, knowing full well what
they are planning to do with it (read: pink contracts), and ignores abuse
complaints then what other form of action is there than to use collateral
damage at that ISP? Providers more often than not intentionally put
non-spamming customers' networks within spitting distance of their
spamming customers in the hopes that RBLs won't blacklist the provider's
networks around the spammers. I don't want to start an off-topic flame
thread on NANOG but the merits of collateral damage have been discussed
numerous times in numerous places. Many people won't use it. Most don't
like it. No one has offered another plausible alternative. Anyhow, this
is getting OT. Back to the topic at hand, DNS RBLs coming under the gun.
:(

Justin

Mark Segal wrote:

I think some RBLs might get better responses from the ISPs when they stop
taking "collateral damage gets the abuse department's attention" attitudes..
Some RBLs cause many providers a LOT of headaches, so it is not surprising
that when it is their turn to complain, the ISPs will just say: post to
abuse.ddos.isp.net and we might get around to fixing it. :).

Monkeys had no collateral damage issues until PHL was released due to non-response from ISPs.

openrbl.org does not host a blacklist and thus cannot have collateral damage.

SBL is famous for its lack of collateral damage.

ordb is specialized and has had no collateral damage issues.

-Jack

In a message written on Wed, Sep 24, 2003 at 01:28:19PM -0500, Justin Shore wrote:

True. However, I also subscribe to those beliefs. When an ISP knowingly
allows a spammer to sign up for network service, knowing full well what
they are planning to do with it (read: pink contracts), and ignores abuse
complaints then what other form of action is there than to use collateral
damage at that ISP? Providers more often than not intentionally put

The answer is to take the high road and just list the spammer.

If, as you suggest, the ISP knowingly signs up the spammer then
they already expect the collateral damage, are probably, in general
ok with it, and you're not going to have any effect in getting them
to change.

However, by listing larger and larger blocks of unrelated customers
you piss off random end users, and more importantly the mail admins
that use -- and could support -- your RBL. I know more than a few
mail admins who gave up on various RBLs after they "went off the
deep end", blocking more legitimate mail under the guise of trying
to force ISPs to do something than spam.

I suspect a well-run RBL that was able to take the high road, and
offered good response time, would find mail admins would pay a small
subscription fee; they could buy bandwidth from a provider, and
more importantly, since they were a paying customer and not a kook,
they would get excellent support from ISPs in tracking DDOS attacks.

That said, I don't think the RBL users often understand the complexity
of the issue, which further annoys ISPs. I know I've been involved
in several issues where a reputable e-commerce site buys service
quite above board. They then have an affiliate program, where
people can sign up online and get goods. A number of spammers then
sign up, joe-job the e-commerce company and make off with a few
hundred dollars in goods. In the cases I've been involved with the
e-commerce company immediately terminates them for violating the
terms of the affiliates agreement, but it only takes two or three
of these instances for the RBLs to start blocking the company,
screaming "pink contracts" and blocking the ISP's other users. So,
while the RBLs hurt the ISPs, and the ISPs tie up the RBLs' time
with an issue they aren't going to be able to solve, the real spammer
gets away scot-free, and the ISP has to deal with other customers
who have been caught in the collateral damage of the RBL.

Just once I'd like to see an RBL come to my employer saying "we've
found this spam we think transited your servers and would like to
work with you to find the real source and block it". Instead they
all seem to send an e-mail to the effect of "You pathetic worthless
$*&@&@#&$#$. Stop sending this crap and terminate your customer
in the next 10 minutes, or else" and then proceed 10 minutes later
to list every IP ever affiliated with the ISP. No wonder the same
abuse people aren't eager to help when the RBL comes back and asks
for help.

Jack Bates wrote:

Mark Segal wrote:

I think some RBLs might get better responses from the ISPs when they stop
taking "collateral damage gets the abuse department's attention" attitudes..
Some RBLs cause many providers a LOT of headaches, so it is not surprising
that when it is their turn to complain, the ISPs will just say: post to
abuse.ddos.isp.net and we might get around to fixing it. :).

It's useful to be careful in how we define collateral damage here. Collateral damage can include, for example, non-spam email coming from a spammer's site.

In this context, we're talking about _escalation_ of listings outside of the demonstrated spamming/abusive/insecure IPs.

Monkeys had no collateral damage issues until PHL was released due to non-response from ISPs.

The PHL is the escalation.

openrbl.org does not host a blacklist and thus cannot have collateral damage.

SBL is famous for its lack of collateral damage.

SBL does escalation, but rarely. (WCG, Chinanet for example).

ordb is specialized and has had no collateral damage issues.

ORDB does not escalate. Has it been DDOS'd? Pointless, open relay blacklists are virtually useless these days.

SPEWS escalates (obviously).

The DDOSes have been against SPEWS, SBL and Monkeys. Most of the other targets were re-publishers/distributors of SPEWS (i.e. SORBS, Osirus, openrbl.org). Each of the three are _very_ public targets and generate lots of chatter/discussion on NANAE. Monkeys of course has RFG behind it and all that denotes.