RE: How many backbones here are filtering the makelovenotspam screensaver site?

-----Original Message-----
Posted At: Thursday, December 02, 2004 12:22 PM
Posted To: NANOG
Conversation: How many backbones here are filtering the
makelovenotspam screensaver site?

Possibly. What will happen if the Lycos botnet gets hijacked?

The conversations between the clients and the servers don't appear
to be keyed. If a million clients got owned, it would be the
equivalent of an electronic Bubonic Plague with no antidote.

You mean, like the existing botnets we already know exist but are
already under the control of spammers?

What's the difference? Why is everyone so upset about Lycos and
nobody seems to be doing much of anything about the /existing
botnets/, which conservative estimates[1] already put at anywhere
from 1-3K per botnet to upwards of 1-5M hosts total[2]?

Well, the primary difference is that Lycos is trying to market what
they are doing as a "good" thing in a fairly public manner. If their
vigilante efforts become accepted as "OK" then it further opens the
door for others to take the next step towards making dDOS attacks ok
as long as you feel your motivations are pure. As network operators
we all need to make sure that we enforce our AUPs and make it known
that breaking those AUPs is not ok just because you feel your motives
are pure. Most AUPs have some language that basically states that
dDOS and similar activities are "bad" and we will take action if you
engage in said "bad" activities.

To your other point, how do you know that other botnets are not being
identified and taken down every day by network operators? I know for
a fact that they are, they just are not nearly as public as this one
so those activities go largely unacknowledged.

Regards,
Chad

----------------------------
Chad E Skidmore
One Eighty Networks, Inc.
http://www.go180.net
509-688-8180

quoting me:

>What's the difference? Why is everyone so upset about Lycos and
>nobody seems to be doing much of anything about the /existing
>botnets/, which conservative estimates[1] already put at anywhere
>from 1-3K per botnet to upwards of 1-5M hosts total[2]?

Well, the primary difference is that Lycos is trying to market what
they are doing as a "good" thing in a fairly public manner. If their
vigilante efforts become accepted as "OK" then it further opens the
door for others to take the next step towards making dDOS attacks ok
as long as you feel your motivations are pure. As network operators
we all need to make sure that we enforce our AUPs and make it known
that breaking those AUPs is not ok just because you feel your motives
are pure. Most AUPs have some language that basically states that
dDOS and similar activities are "bad" and we will take action if you
engage in said "bad" activities.

My point was to Martin's question about what would happen if - god
forbid - there were large botnets under the control of spammers; a
careful reading will suggest that my major point was, duh, that there
already are large botnets under the control of spammers.

To your other point, how do you know that other botnets are not being
identified and taken down every day by network operators? I know for
a fact that they are, they just are not nearly as public as this one
so those activities go largely unacknowledged.

Good point. Simply put, I can (and do) read my own mail server logs.
And I can see that many ISPs - regardless of what they may be doing in
onesy-twosy increments - simply aren't doing enough to prevent new
botnet infections from wasting my server's cycles in futile attempts
to deliver spam, outscatter, virus warnings, etc. etc. ad infinitum.

This costs me time and money, and many of the same ISPs mentioned above
are simply cost-shifting their own responsibility onto me and everyone
else, and I'm tired of it.

Not to say there aren't responsible ISPs, and I hope that anyone who
/is/ a part of the solution, rather than the fertile substrate for the
problem, is capable of recognizing that and not taking offense when I
point out there are others who could do more.

As for go180.net, you don't show up much on my radar, but on Nov 9th
we were hit by a spammer from SpokaneHotZone-63.go180.net [66.225.5.63].
I trust this is not a legitimate mail server and I can block it and any
other host that looks like it within the same domain, right? Thanks.
Otherwise, you may want to do something to distinguish it from the other
generic hosts in the same range.
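
Added example, not part of the original message or of any poster's tooling: the closing paragraph talks about blocking hosts whose reverse DNS name looks generic, and one common heuristic for that is to flag a name that embeds octets of its own address unless its first label is a mail-role name. The role prefixes, the two-label domain cut, the "name [ip]" line format and every log line other than the go180.net host are assumptions made for the illustration.

```python
import re

# Assumption: the registered domain is the last two labels (no public-suffix list).
# Assumption: these role prefixes mark a deliberately named mail host.
MAIL_ROLE = re.compile(r"^(mail|mx|smtp|relay|mta)\d*$")
# Matches "name [a.b.c.d]" as written in the message, and "name[a.b.c.d]" too.
PEER = re.compile(r"(\S+) ?\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def host_labels(ptr_name):
    """Labels to the left of the assumed two-label registered domain."""
    labels = ptr_name.rstrip(".").lower().split(".")
    return labels[:-2]

def embedded_octets(ptr_name, ip):
    """Octets of the IPv4 address that appear as decimal numbers in the host labels."""
    numbers = {int(n) for label in host_labels(ptr_name)
               for n in re.findall(r"\d+", label)}
    return sorted({int(o) for o in ip.split(".")} & numbers)

def classify(ptr_name, ip):
    """Return 'mail-role', 'generic' or 'other' for a connecting host."""
    labels = host_labels(ptr_name)
    if labels and MAIL_ROLE.match(labels[0]):
        return "mail-role"
    found = embedded_octets(ptr_name, ip)
    # Generic: the name carries the last octet, or at least two octets, of its address.
    if int(ip.split(".")[-1]) in found or len(found) >= 2:
        return "generic"
    return "other"

def generic_peers(log_text):
    """Map each generic-looking peer seen in the log to its connection count."""
    counts = {}
    for name, ip in PEER.findall(log_text):
        if classify(name, ip) == "generic":
            counts[(name, ip)] = counts.get((name, ip), 0) + 1
    return counts

# Constructed log lines; only the first host/address pair comes from the message.
SAMPLE_LOG = """\
connect from SpokaneHotZone-63.go180.net [66.225.5.63]
connect from SpokaneHotZone-63.go180.net [66.225.5.63]
connect from mx1.example.net [192.0.2.1]
connect from host-198-51-100-27.dyn.example.net [198.51.100.27]
connect from www.example.org [203.0.113.80]
"""

if __name__ == "__main__":
    for (name, ip), n in generic_peers(SAMPLE_LOG).items():
        print(f"{n:3d}  {name} [{ip}]")
```

The mail-role exception is what keeps a host such as mx1 at address .1 from being flagged, which is the kind of distinguishing name the message asks for.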