[Nanog-futures] blacklists getting out of hand?
Gadi Evron
ge at linuxbox.org
Mon Dec 3 00:09:52 UTC 2007
Another point to this good list is:
Without blacklists such as the SBL we would no longer have email today.
That's not sensationalism, it's fact.
Two main reasons:
1. Spam overwhelms servers incoming.
2. Spam overwhelms servers outgoing.
Thank you,
Gadi.
On Sun, 2 Dec 2007, Rich Kulawiec wrote:
> On Wed, Nov 28, 2007 at 05:14:05PM -0800, Lynda wrote:
>> Yeah, no surprise from me. Personally, I don't much care for blacklists.
>> I find them a bit heavy handed, and I think they aren't effective.
>
> Well...if I may, let me mumble about a few things. ('Cause it beats
> going for a run in the sleet. ;-) )
>
> First, nobody would go through the trouble of compiling a blacklist
> if there weren't motivation for doing so. The fact that so many people
> have done so (there are 500-1000 public blacklists plus an unknown but
> likely very much larger number of private ones) indicates that said
> motivation really does exist. See below for why.
>
> Second, some of them are quite accurate. The Spamhaus "Zen" DNSBL
> zone, for example, is very good, as are the zones maintained by NJABL
> and DSBL, and most of the zones run by SORBS. On the other hand,
> the zones run by APEWS are of poor quality. And "effectiveness" is
> a hard thing to measure globally because everyone's spam/not-spam mix
> is different. I'll go so far as to say it's impossible to measure
> globally, not only because it can't be reduced to a single number or set
> of numbers, but because part of measuring "effectiveness" has to
> do with measuring how well it implements policy -- and policies
> vary widely.
>
> Third, use of blacklists (for blocking, as opposed to for scoring) is
> one of the most resource-frugal ways to stop spam. After all: why should
> I expend my bandwidth, my memory, my CPU, etc. accepting the entire body
> of a mail message and then analyzing it...when it is already known
> (by virtue of the connecting IP address) that it originates with
> a spammer? It's not *my* problem to sort whether it's spam or not:
> if it's from a spammer, then I don't want it, no matter what it is.
>
> Fourth, if an IP address is emitting spam, then at least one of these
> two things is true:
>
> 1. It is broken (e.g., open SMTP relay).
> 2. It is 0wned by spammers.
>
> I see no reason to accept mail from broken or 0wned systems. It is
> the responsibility of their caretakers to either (1) fix them or
> (2) un-0wn them. Those who can't or won't do this are a menace to the
> rest of the Internet. (I could say the same thing about IP addresses
> emitting viruses, or participating in DoS attacks, or other abuse.
> We're all responsible for making sure that everything we run is not
> an operational hazard to the rest of the Internet. Or, "don't build
> it if you can't run it properly".)
>
> Fifth, I suppose I have this view in part because of my views on
> proper network operation. To illustrate using a header fragment
> from a spam sample that arrived this morning:
>
> Received: from adsl-67-126-134-137.dsl.irvnca.pacbell.net
> (adsl-67-126-134-137.dsl.irvnca.pacbell.net [67.126.134.137])
>
> Whose spam is that? It's Pacbell's. It came from THEIR network,
> on THEIR watch, and THEY allowed it to get out. Therefore they
> have responsibility for it. (Oh, I'm not letting the owner of
> the compromised system off the hook, nor am I letting the spammer
> off either. They're also responsible.) But were Pacbell staff
> doing their jobs properly, then I would not have received this, neither
> would a *lot* of other people, and thus we would not find:
>
> *.dsl.irvnca.pacbell.net
>
> in quite a few blacklists, because it wouldn't be necessary. But it's
> there, and it's there because of the long-term incompetence and
> negligence of Pacbell.
>
> s/Pacbell/Comcast/
> s/Pacbell/Verizon/
> s/Pacbell/just about every other ISP/
>
> Pacbell has no right to complain about this, of course: it's their
> own fault. And Pacbell customers impacted by it need to take 100% of
> their complaints solely to Pacbell, again, because it's Pacbell's fault.
>
> To put it another way: it is everyone's job to control abuse outbound
> from their operation, or supported by their operation (i.e., DNS provided
> to spammers, web site hosting for spyware, etc.). Anyone who can't
> do that simply isn't good enough to operate any portion of the Internet.
>
> Of course, this isn't how things actually work. Apparently my view is
> an archaic relic of .ARPA days, when "allowing your network to be a
> problem for others" implied "you will soon have your connection yanked".
> So -- because nobody's going to yank Pacbell's, or Verizon's, or Comcast's
> connection(s) any time soon, one of the few available methods for achieving
> an equivalent result is pervasive blacklisting. To put it another
> way, we can't remove them from the Internet, but we can certainly
> remove the Internet from them, albeit one piece at a time.
>
> The bottom line is that many of the problems we currently face could be
> mitigated in large part by selectively blacklisting problem hosts/networks
> and refusing to un-blacklist them until they're fixed. Yes, that's
> draconian and inflexible, but (a) it works, because it forces the cost
> of fixing the problem back on the entity responsible for it and
> (b) nothing else works.
>
> "If you give people the means to hurt you, and they do it, and
> you take no action except to continue giving them the means to
> hurt you, and they take no action except to keep hurting you,
> then one of the ways you can describe the situation is "it isn't
> scaling well".
> --- Paul Vixie on NANOG
>
> ---Rsk
>
> _______________________________________________
> Nanog-futures mailing list
> Nanog-futures at nanog.org
> http://mailman.nanog.org/mailman/listinfo/nanog-futures
>
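An added example, not part of either message: a sketch of the connect-time DNSBL check the quoted "Third" point refers to, showing the difference between using a listing for blocking and for scoring. The zone name `dnsbl.example`, the score weight and the in-memory zone data are constructed placeholders; the IP address is the one from the quoted Received header.

```python
import ipaddress
import socket

ZONE = "dnsbl.example"  # placeholder zone (assumption); substitute the DNSBL you use


def dnsbl_query_name(ip: str, zone: str = ZONE) -> str:
    """Reverse the IPv4 octets and append the zone: 1.2.3.4 -> 4.3.2.1.zone"""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name: str):
    """Return the A record as a string, or None on NXDOMAIN / lookup failure."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def is_listed(ip, zone=ZONE, resolve=system_resolver) -> bool:
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False  # not listed, or lookup failed: fail open
    # Listings are answered from 127.0.0.0/8; anything else (for example a
    # resolver that rewrites NXDOMAIN) must not be treated as a listing.
    return ipaddress.IPv4Address(answer) in ipaddress.ip_network("127.0.0.0/8")


def connect_time_decision(ip, mode="block", resolve=system_resolver):
    """mode='block': refuse before DATA; mode='score': accept and add weight."""
    if not is_listed(ip, resolve=resolve):
        return ("accept", 0.0)
    if mode == "block":
        return ("reject", 0.0)  # SMTP 5xx at connect; the body is never transferred
    return ("accept", 3.0)      # constructed weight handed to a content filter


# Constructed zone data standing in for real DNS so the example runs offline.
FAKE_ZONE = {"137.134.126.67.dnsbl.example": "127.0.0.2"}
fake_resolver = FAKE_ZONE.get
```

In blocking mode the decision is made from a single DNS answer before any message data is received, which is the resource saving the quoted text describes; scoring mode still pays for receiving and analysing the body.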