I'm posing this question on this list as it is about policies and routing at the NAP level (and is not asking if it is technically possible).
With providers such as AGIS who refuse to address the issue (spam) with their customers, it is clear that leaving it up to the provider to squelch spamming doesn't always work.
I just read an article about bulk mailing where Cyberpromo has tools and access to allow sending approx. 100 messages per second with spoofing etc. so we know that the bulk mailers are continuing to work on new and better tools for their "service".
Routing by TCP domain or host doesn't work because the spammers hijack other sites' sendmail, resulting in constantly changing source hops, plus the spammers spoof sender domain IDs in the mail headers. The IP addresses change less frequently and would seem a little more difficult to fake.
During the NSF days there were acceptable use policies that governed activities that were considered inappropriate to NSF and which could result in denial of access across their wires.
Since that seemed to hold up over the years, would it be possible (or legal) for the NAPs etc. to have similar policies about SPAM which could result in traffic from non-compliant sites not being routed?
[Quoted message reformatted to wrap at 80 columns]
> During the NSF days there were acceptable use policies that governed
> activities that were considered inappropriate to NSF and which could result
> in denial of access across their wires.
> Since that seemed to hold up over the years, would it be possible (or legal)
> for the NAPs etc. to have similar policies about SPAM which could result in
> traffic from non-compliant sites not being routed?
Personally, I'd rather not see the NAP operators take this much
of an active stance on anything. They're the closest thing the
Internet is ever gonna have to a "common carrier" that actually
/does/ carry anybody's traffic. Next, they'd find themselves
called in to resolve peering disputes, and it'd be a big mess.
But if more sites -- especially larger ones -- were to drop
peering with companies that blatantly ignore reports of abuse and
attacks from within their networks, that would have a very similar
impact.
This has happened in the past from time to time, when incorrect
routes were being mistakenly propagated, or to help stop
syn-flooding and similar denial of service attacks.
I've been wondering for quite a while why AGIS is unwilling to
realize that mail server hijacking /is/ a denial of service
attack to most providers, and deal with it accordingly.
---------========== J.D. Falk <jdfalk@cybernothing.org> =========---------
> "A straight line may be the shortest distance between two points... |
> but it is by no means the most interesting." |
> -- Jon Pertwee as Doctor Who in "Doctor Who and |
> the Time Warrior" by Robert Holmes (BBC, 1974) |
----========== http://www.cybernothing.org/jdfalk/home.html ==========----
==> I've been wondering for quite a while why AGIS is unwilling to
==> realize that mail server hijacking /is/ a denial of service
==> attack to most providers, and deal with it accordingly.
Phil Lawlor only sees the money in the spam business. He could care less
if it bothers anyone.
/cah
[Quoted message reformatted to wrap at 80 columns]
> During the NSF days there were acceptable use policies that governed
> activities that were considered inappropriate to NSF and which could result
> in denial of access across their wires.
> Since that seemed to hold up over the years, would it be possible (or legal)
> for the NAPs etc. to have similar policies about SPAM which could result in
> traffic from non-compliant sites not being routed?
>
> Personally, I'd rather not see the NAP operators take this much
> of an active stance on anything. They're the closest thing the
> Internet is ever gonna have to a "common carrier" that actually
> /does/ carry anybody's traffic. Next, they'd find themselves
> called in to resolve peering disputes, and it'd be a big mess.
Let's start small then, and have everyone do ingress filtering on packets
from their customers, ensuring the IP addresses on arriving packets are
correct. We've been hit several times recently with floods of packets from
RFC1918 addresses, for example. I also frequently see reply packets with
bogus addresses that are the apparent spray from a web server under attack
with random source addresses.
The ISPs who have T1 and below customer links should be able to do
filtering with the routing equipment they have. If not, then specify
routers that CAN handle the load when you do buy upgrades.
The backbone providers should also be able to do ingress filtering IF the
routers they buy are specified to do it. The complaint to date I've heard
is that the routers they have can't keep up. Fine. Getting everyone to
filter isn't going to happen overnight, but it MUST happen sooner rather
than later. It has to happen before anyone attempts to charge per-packet
for transit, I would think.
Daniel Senie mailto:dts@openroute.com
Sr. Staff Engineer http://www.openroute.com/
OpenROUTE Networks, Inc. (a wholly owned subsidiary of
Proteon, Inc.)
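
The customer-edge ingress filtering proposed in the last message, sketched as an added example that is not part of the original thread: each packet's source address is checked against the prefixes assigned to the customer port it arrived on, and RFC 1918 sources are dropped outright. The port names, prefix table and sample packets are constructed for illustration.

```python
import ipaddress
from collections import Counter

# RFC 1918 private ranges: never valid as a source on the public Internet.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed customer table: access port -> prefixes assigned to that customer.
CUSTOMER_PREFIXES = {
    "serial0": [ipaddress.ip_network("192.0.2.0/25")],
    "serial1": [ipaddress.ip_network("198.51.100.0/24"),
                ipaddress.ip_network("203.0.113.64/26")],
}

def classify(port, src):
    """Return the ingress decision for one packet arriving on a customer port."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop:malformed"
    if any(addr in net for net in RFC1918):
        return "drop:rfc1918"
    if any(addr in net for net in CUSTOMER_PREFIXES.get(port, [])):
        return "permit"
    # Unknown port, or a source outside the customer's assignment: spoofed.
    return "drop:not-assigned"

def summarize(packets):
    """Count decisions per port so the offending customer link stands out."""
    counts = Counter()
    for port, src in packets:
        counts[(port, classify(port, src))] += 1
    return counts

# Constructed sample of (arrival port, source address) pairs.
SAMPLE = [
    ("serial0", "192.0.2.10"),     # legitimate
    ("serial0", "10.1.2.3"),       # RFC 1918 source
    ("serial0", "192.0.2.200"),    # outside the /25 assigned to serial0
    ("serial1", "203.0.113.70"),   # legitimate, second prefix
    ("serial1", "172.31.255.1"),   # RFC 1918 source
    ("serial1", "192.0.2.10"),     # another customer's address
    ("serial2", "198.51.100.5"),   # port with no assignment on record
]

if __name__ == "__main__":
    for (port, decision), n in sorted(summarize(SAMPLE).items()):
        print(f"{port:8} {decision:18} {n}")
```

The per-port counts show which customer link is emitting bad sources, which is the information an abuse desk needs before contacting that customer.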