BGP list of phishing sites?

• Previous message (by thread): BGP list of phishing sites?
• Next message (by thread): BGP list of phishing sites?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

--On 28 June 2004 18:43 +0100 Simon Lockhart <simon.lockhart at bbc.co.uk> 
wrote:

> It's wholy unfair to the innocent parties affected by the blacklisting.
> i.e. the collateral damage.
>
> Say a phising site is "hosted" by geocities. Should geocities IP addresses
> be added to the blacklist?
>
> What if it made it onto an akamaized service? Should all of akamai be
> blacklisted?

This is an issue wider than spam, phishing, etc.

That would depend on whether your block by IP address (forget whether
this is BGP black hole lists, DNSRBL for SMTP etc.) is of
a) IP address that happen to have $nasty at one end of them; or
b) IP address for whom no abuse desk even gives a response (even
   "we know, go away") when informed of $nasty.

It also depends on whether your response is "drop all packets" (a la
BGP blackhole) or "apply greater sanctions".

Seems to me (b) is, in general, a lot more reasonable than (a) particularly
where there is very likely >1 administrative zone per IP address (for
example HTTP/1.1). It also better satisfies Paul's criterion of being more
likely to engender better behaviour (read: responsibility of network work
operators for downstream traffic) if behaviour of the reporter is
proportionate & targeted.

WRT "apply greater sanctions", it is possible of course, though perhaps
neither desirable nor scalable, to filter at layer>3 all sites on given IPs
to minimize collateral damage. See
 http://www.theregister.co.uk/2004/06/07/bt_cleanfeed_analysis/

This is effectively what tools like spamassassin do when taking RBL type
feeds as a scoring input to filtering, in a mail context.

Alex

• Previous message (by thread): BGP list of phishing sites?
• Next message (by thread): BGP list of phishing sites?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]