On 2021-11-26 1:25 a.m., Mary via mailop wrote:
> Thinking out loud...
Yes, Mary.. in a perfect world.. but..
> Would it be possible for the two sides (blocklists and cloud/hosting
> providers) to come together and have some kind of automated notification?
> Sample automated conversation via JSON API:
> - The blocklist adds a block for X net block
Since many providers hide behind GDPR as a reason to not have SWIP or
'rwhois' for customers, it is hit and miss which 'block' is owned by the
threat actor, which is why sometimes there is collateral damage.
> - Resolves the owner of the net block (XYZ provider)
See item one.
> - Submits a JSON report to XYZ provider (https://blocklist.api.provider.com)
Um.. yeah.. trouble is, many networks do not keep up their contact
information as it is, in spite of years of efforts via various RIRs.
And there is a whole business out there, just designed to create
automated abuse responses, or bots, or even worse no response mechanism
at all.. I am sure many of us have seen the dreaded 'Mailbox is full'
from an abuse or postmaster mailbox.
And how do you prevent 'fake' reports?
> - The provider takes an automated action (close port 25)
As pointed out on this list even, not an action even the good hosting
providers will take. For instance, I once sent a malware report to
Microsoft, and got the response that since it was a reseller, they have
to give them seven (7) days before taking action.. But of course, say it
was a more critical system, e.g. responsible for sending life-saving email
alerts (something a hoster once told me as a reason they could not shut
the server down even after more than a week, 'just in case').
Of course, it could be other threats, not just email.
Business and revenue come first to many operations, and they don't want
ANY policy that can risk that, unless they are eventually forced to.
> - The provider takes manual action by getting in touch with their client
Who may have to get in touch with his client, who has to get in touch
with their clients...
> - Client of the server takes action (clean server)
Many clients are not engineers; they might not know HOW to clean their
servers.
> - Client of the server requests delisting via a web form
> Thus:
> - the actual client of the server is notified of a security incident in a
> timely manner
> - spam is stopped as soon as possible!
Actually, in the real world it works MUCH simpler: RBLs list them, they
can't send mail, the world is a safer place, and it is up to the operator, or the
hosting provider, to subscribe to and act on alerts..
The key thing is threats NEED to be stopped! Fast!
And I have to point out there are many very good hosters out there that
almost NEVER get on an RBL.. but if you start up a VPS service only
charging $.99/month, even with 10,000 of those, try paying for a
qualified engineer.
Do remember, it is the hoster's and the operator's fault, and the burden
should NOT be on the receiver of the attack to spend time/money on
reporting it, especially with such a long history of that not working..
even the most altruistic security people give up reporting soon enough.
And it REALLY isn't hard for a hoster to identify it BEFORE it is seen
on the internet.
Simply set up a TCP SYN alert for port 25 on egress at the edge routers,
which sends a notification when an IP all of a sudden starts sending lots
of volume.
Some hosters don't allow rDNS changes for a few days, to stop drive-bys
and malicious account setups, and other techniques..
Like I said, Mary, nice thoughts though.. in a perfect world.
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
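The egress "port 25 SYN alert" Michael describes near the end of his message, worked through as an added example. This is not code from the original post or from LinuxMagic; it is a small Python detector run over constructed flow records (TEST-NET addresses, one-minute windows, and the thresholds of 100 SYNs per window and a 5x jump over the host's own recent baseline are all assumed values a hoster would tune). The point it adds to the prose is the word "sudden": a steady, busy MTA and a freshly provisioned VPS that goes from silence to hundreds of SMTP connections a minute both exceed a flat threshold, but only the second one should page anyone.

```python
"""Egress SMTP burst detector: flag a source IP whose outbound TCP SYNs to
port 25 jump well above its own recent baseline (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10   # TCP flag bits as exported in NetFlow/IPFIX tcpFlags

# Constructed epoch start, chosen to sit on a 60 s boundary so every
# generated record below lands in the intended one-minute bucket.
BASE = 1_700_000_040


@dataclass(frozen=True)
class Alert:
    src_ip: str
    window_start: int   # epoch seconds of the offending window
    count: int          # outbound SYNs to port 25 seen in that window
    baseline: float     # mean SYNs per window over the preceding windows


def bucket_syns(flows, window=60, port=25):
    """Count outbound connection attempts (SYN set, ACK clear) to `port`
    per source IP per fixed time bucket. Each flow record is the tuple
    (epoch_seconds, src_ip, dst_ip, dst_port, tcp_flags)."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, src, _dst, dport, flags in flows:
        if dport != port or not flags & SYN or flags & ACK:
            continue            # not a new outbound SMTP connection attempt
        counts[src][ts // window] += 1
    return counts


def detect_spikes(flows, window=60, min_syns=100, spike_factor=5.0, baseline_windows=5):
    """Return one Alert per (source, window) where the SYN count is at least
    `min_syns` AND at least `spike_factor` times the mean of the previous
    `baseline_windows` windows (a window with no records counts as zero).

    Windows inside the first `baseline_windows` of the data set are skipped
    as warm-up: there the missing history is an artefact of where the capture
    starts, not evidence that the host used to be quiet."""
    counts = bucket_syns(flows, window)
    if not counts:
        return []
    data_start = min(min(b) for b in counts.values())
    alerts = []
    for src, buckets in counts.items():
        for b in range(min(buckets), max(buckets) + 1):
            count = buckets.get(b, 0)
            if count < min_syns or b - baseline_windows < data_start:
                continue
            history = [buckets.get(b - k, 0) for k in range(1, baseline_windows + 1)]
            baseline = sum(history) / baseline_windows
            if count >= spike_factor * max(baseline, 1.0):
                alerts.append(Alert(src, b * window, count, baseline))
    return alerts


def constructed_flows():
    """Ten minutes of synthetic egress flow records for one customer /24."""
    flows = []
    # A busy but steady legitimate MTA: 150 outbound SMTP connections every minute.
    for minute in range(10):
        for i in range(150):
            flows.append((BASE + minute * 60 + i % 60, "203.0.113.10",
                          f"198.51.100.{i % 50 + 1}", 25, SYN))
    # A freshly provisioned VPS: silent for eight minutes, then a spam burst.
    for minute, n in ((8, 300), (9, 400)):
        for i in range(n):
            flows.append((BASE + minute * 60 + i % 60, "203.0.113.77",
                          f"198.51.100.{i % 200 + 1}", 25, SYN))
    # Noise that must not count: HTTPS traffic, and SYN/ACK segments
    # (replies on accepted connections, not new outbound attempts).
    for minute in range(10):
        flows.append((BASE + minute * 60, "203.0.113.5", "198.51.100.7", 443, SYN))
        flows.append((BASE + minute * 60, "203.0.113.10", "198.51.100.8", 25, SYN | ACK))
    return flows


if __name__ == "__main__":
    for alert in detect_spikes(constructed_flows()):
        print(f"{alert.src_ip}: {alert.count} SYN/min at t={alert.window_start} "
              f"(baseline {alert.baseline:.0f}/min)")
```

Run stand-alone it reports only 203.0.113.77, twice: once when it goes from zero to 300 SYNs in a minute, and again the next minute when 400 is still more than five times the new baseline of 60. The MTA at a constant 150/min never alerts, because its own history is the baseline. In a real deployment the flow source would be IPFIX/sFlow from the edge routers and the per-source history would live in something persistent rather than a dict, but the comparison against the host's own recent past, rather than a flat rate limit, is the part that makes this usable without drowning the abuse desk in false positives.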