best practices for PTR naming and whois (was, sadly, Re: Arrogant RBL list maintainers)

Steven Champeon schampeo at hesketh.com
Thu Dec 10 16:29:25 UTC 2009


on Thu, Dec 10, 2009 at 08:11:18AM -0800, Michael Thomas wrote:
> I'd say that Mikael Abrahamsson's sentiment (or at least the way I read
> it) would be a better start: take a step back and ask what the problem is.

Well, as I see it, the problem is a widespread and systemic failure to
prevent massive abuses from being perpetrated by unauthorized software
in the control of entities other than the administrators of those networks
and servers in question, resulting in a near-total breakdown of trust in
any given unknown host's reputation, resulting in desperate attempts to
gain insight into which hosts might be trusted and which not, using what
means may be available (naming, whois, DNSBLs, etc.).

> Naming conventions blah, blah, blah all started from the _lack_ of a
> standard and trying to educe knowledge from chaos. In other words, a
> bunch of hacks. Which doesn't work especially well, especially when
> every RBL has its own hack.

Well, I'd like to think my approach (name-based, rather than IP-based)
works fairly well, going as it does in the names you give your IPs and
whatever other public information may be available, but I understand
your frustration with the various approaches used by IP-based DULs; I
can also understand the lack of patience on the side of the DUL operators.
The situation is a mess.

> If IETF can do something here, which seems plausible, it would be to
> actually define the problem and _then_ write a protocol to fit the
> needs of the problem. Maybe it's using DNS, maybe it's not. Maybe it
> uses naming conventions (ick), probably it does not. But if it were
> standardized, it would at least be predictable which the current
> situation manifestly is not.

Like it or not, naming conventions are useful and powerful and widespread.
Would you rather have to deal with inbound mail from

 134.25.177.41-get-allinone-adsl-and-free-webhosting-for-only-r189.saol.com

or

 196-200-118.isnigeria

or

 one-of-hosts-our-net.dn.cv.ua [194.146.136.24]

or

 dressless-debate.volia.net [77.123.181.13]

or

 dont-blame-admin-its-a-dsl-pool-251-41.wobline.de

or

 cable-66-103-40-69.clarenville.dyn.personainc.net [66.103.40.69]

or

 200.72.157.254: pcdibujante2.eiser.local

?

> To Crocker's point though: if IETF came up with a way to publish your
> network's dynamic space (assuming that's The Problem!), would
> operators do that? Or is this another case where the energy barrier is
> too high?

It's not just dynamics, either. Static generic IPs also emit spam and
abuse. Finding all the dynamics on the Net would only stop from half
to maybe two thirds of the traffic we see, for example.

 http://enemieslist.com/news/archives/2009/07/why_we_suspect.html

Steve

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2553 w: http://hesketh.com/
antispam news and intelligence to help you stop spam: http://enemieslist.com/
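An added example, not code from the post or from enemieslist: a small Python classifier in the spirit of the name-based approach described above. It flags the patterns visible in the names quoted in the post (address octets embedded in the name, dynamic-pool vocabulary, a purely numeric leading label, suffixes outside the public DNS namespace) and returns the reasons as a list so that the reputation decision stays with the receiver; the token and suffix lists are my own assumptions, and an empty result only means no heuristic fired.

```python
import ipaddress
import re

# Labels typical of dynamic/generic pools (constructed, illustrative list).
GENERIC_TOKENS = {"dsl", "adsl", "dyn", "dynamic", "dhcp", "pool", "cable",
                  "ppp", "pppoe", "dial", "dialup", "static", "cust"}
# Suffixes that are not part of the public DNS namespace.
PRIVATE_SUFFIXES = (".local", ".localdomain", ".lan", ".internal", ".home")


def _has_embedded_address(tokens, octets):
    """True if all four octets occur as consecutive tokens, forward or reversed."""
    n = len(octets)
    return any(tokens[i:i + n] == seq
               for seq in (octets, octets[::-1])
               for i in range(len(tokens) - n + 1))


def classify_ptr(ip, name):
    """Reasons a PTR name looks generic/untrustworthy; [] means no heuristic
    fired, not that the name is trustworthy. ip=None skips the address check."""
    reasons = []
    host = name.strip().rstrip(".").lower()
    labels = host.split(".")
    tokens = [t for t in re.split(r"[.\-_]", host) if t]
    if ip is not None:
        octets = str(ipaddress.IPv4Address(ip)).split(".")
        if _has_embedded_address(tokens, octets):
            reasons.append("address-in-name")
    # Leading label made only of digits and hyphens, e.g. 196-200-118
    if re.fullmatch(r"[0-9-]+", labels[0]):
        reasons.append("numeric-leading-label")
    reasons.extend("generic-token:" + t for t in tokens if t in GENERIC_TOKENS)
    if host.endswith(PRIVATE_SUFFIXES) or len(labels) < 2:
        reasons.append("not-public-namespace")
    return reasons


# Names quoted in the post; addresses as the post gives them, else None.
SAMPLES = [
    ("66.103.40.69", "cable-66-103-40-69.clarenville.dyn.personainc.net"),
    ("200.72.157.254", "pcdibujante2.eiser.local"),
    (None, "196-200-118.isnigeria"),
    ("77.123.181.13", "dressless-debate.volia.net"),
    (None, "dont-blame-admin-its-a-dsl-pool-251-41.wobline.de"),
]

if __name__ == "__main__":
    for ip, name in SAMPLES:
        print(f"{name:52} {classify_ptr(ip, name) or ['no heuristic fired']}")
```

Note that dressless-debate.volia.net produces no reason at all, which is exactly the author's point: name heuristics are one input among several (whois, DNSBLs), not a verdict on their own.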