[policy] When Tech Meets Policy...

Douglas Otis dotis at mail-abuse.org
Wed Aug 15 19:15:41 UTC 2007


On Aug 14, 2007, at 11:00 PM, Chris L. Morrow wrote:
>
> On Wed, 15 Aug 2007, Paul Ferguson wrote:
>>
>> More than ~85% of all spam is being generated by spambots.
>
> yes, that relates to my question how though? I asked: "Do spammers  
> monitor the domain system in order to spam from the domains in flux  
> as tastinng domains?" I asked this specifically because that  
> behavior was being used as a 'resaon to stop tasting', or to clamp  
> down on it atleast.

Links to pornography in spam could be used as an example of where use  
of throw-away domains for this purpose is obscured by millions of  
tasting domains.  A reference to pornography is a category of threat  
heavily blocked by domain in various products that extend beyond just  
email.  Most might not view pornography as a serious threat, but this  
endeavor benefits from domain tasting chaff.

>> Spammers are gaming the domain registry system, not for MX record  
>> manipulation, but to install their own nameservers on compromised  
>> hosts, round-robin and fast-flux their ability to avoid detection,  
>> and inevitably hide behind various layers of obfuscation.
>
> Sure, they are being bad, they are doing what akamai does (or other  
> CDNs) only for illegal end reasons... That's not relevant to my  
> question, but I agree it's a dirty trick still.

Blocking by domain name would be the response needed to dealing with  
a DNS abuse problem.  It can not be done by IP address.  When there  
are millions of domains continuously in flux, any database attempting  
to address this issue will be inundated with nonsense.  Over a few  
weeks, this nonsense represents more information than that used by  
all existing domains.

>> They are manipulating both the (legitimate) process of obtaining  
>> IP addresses, registering domain names (and all the cruft that it  
>> brings along with it, given the loopholes in the processes), and  
>> manipulating the ability to move their nameservers around at-will.
>
> That's not a manipulation so much as using the system as designed.

Agreed.  However, domain tasting makes any response to abuse of the  
domain system much slower and far more expensive.

>> It's pretty much a mess -- these guys use the system to succeed.
>
> agreed, they are a mess (spammers and their current business)

If this were just limited to spammers, it would be less of a concern.

>> Honestly, I don't have any answers -- only questions at this  
>> point. :-/
>
> me too, I just don't want to see the issue sidetracked on:
>
> 1) spammers using tasting to their benefit
> 2) phishers are tasters/use tasting to their benefit
>
> neither of which is, near as I can tell, true or real fears.  
> Tasting is, in and of itself, a completely different problem with a  
> completely different set of issues... Conflating the 3 (or parts of  
> the 2 sets) is just as wrong as saying that 'tasting lets the  
> terrorists win'.

This should be stated somewhat differently.

1) spammers benefit by domain tasting
2) phishers benefit by domain tasting

_Any_ protective measure to combat phishing, undesired or malicious  
links will need to be done by domain name.  Bots tend to thwart  
reliance upon IP addresses.  Assessment by domain name is made far  
less effective by the very large amount of noise generated by domain  
tasting.  Domain tasting provides cover for the abusive criminal  
activity.  While domain tasting itself is not criminal, the harm it  
permits could easily be seen as the result of a negligent policy.

-Doug








More information about the NANOG mailing list