Hi, [apologies for this being so far off-topic]
On Thu, 25 Sep 2003, Peter P. Benac wrote:

> And this lack of response is due to what??? Lazy, stupid, apathetic,
> incompetent, or ambivalent members of the law enforcement and ISP community?

Insufficient network diagnostic and security tools, making effective response difficult, assuming the best of intentions on the part of the ISPs and law enforcement?

> When I worked for Cisco one of Cisco's customers detected a potential hacker
> to his system. That customer called the TAC and within minutes the FBI was
> notified and that hacker was dealt with. This customer was a small mom and
> pop business in the middle of Arizona.

This does not seem to be the typical response to abuse and security issues, not from the posts I've read on SPAM-L, spamtools, and the like. Unless you have connections, you're not going to get a direct line to a provider's NOC no matter how badly your system is being attacked. Regardless, dealing with thousands of compromised hosts is much, much more difficult than handling a single intruder. Nobody was trying to break into monkeys.com; they were trying to bury it under forged traffic. Unfortunately, they succeeded.

> Interesting thing about DoS attacks is the attackers get away with it
> because the people they attack do exactly what these two blacklisters did.
> They rolled over and shut down.

Please don't blame the victim. This is not the first DDoS that Ron has ridden out; the scale of the recent attacks on Osirusoft and monkeys.com was massive and sustained. FWIW, SORBS is under attack; I don't expect they'll survive much longer. The attackers get away with it because law enforcement won't act unless there's over $10-50,000 in damages or some political capital to be made, you can't get an ISP's attention without renting a backhoe and digging up their OC-48s, and (less sarcastically) when 10-50,000 compromised hosts are involved in the attack, each contributing 0.01% or less of it, identifying and stopping it is difficult.
I don't know how much background information you have about RFG and monkeys.com. Ron was operating an open-proxy honeynet, pulling in great volumes of hard data on the source and magnitude of proxy server abuse. He not only published this information on a regular basis but called the security departments of each ISP involved. Sometimes he got a spammer shut down; more often than not he got a shrug or an "oh, we got rid of them" while the abuse continued. Apparently he was effective at getting spammers shut down, because they DDoS'd him off the net.

I can't imagine Ron just sitting in his basement moping that he was being attacked. One of two things happened: either Ron couldn't get the time of day from anyone with enough clue and authority to stop the attacks, or the attacks were large enough to overwhelm whatever response the ISPs could muster to stop them. That should give you pause, because it has serious national security implications, no matter what nation you're in.

Of course, it's well known that ISPs have signed 'pink contracts' with spammers (Topica is still on the net, for example; Ralsky, Scelson, Marin, and Bevelander keep getting connectivity somehow), and providers collect charges on all that bandwidth, abusive or not. Not to suggest that ISPs are in on the attacks, just pointing out other factors besides overwork, spite, incompetence, and technical difficulty that could explain why ISPs might not respond to security incidents in a prompt and effective manner. One doesn't run a DNSBL without making enemies, especially at ISPs knowingly taking spammer money and getting called out for it.

> In doing so they blacklist the whole world.

Huh? monkeys.com just pulled the plug; they didn't blacklist the world. And even if they had done so, nobody would have known, since the attacks prevented legitimate queries from getting through.
[aside on bounce spam, viruses, virus notifications and other non-traditional forms of spam (UBE) deleted]

Spam has nothing to do with junk in your individual mailbox; it has everything to do with interfering with legitimate mail service on a global scale. Spam has nothing to do with content; it's all about behavior. Maybe this week will drive home the point that spam is a serious security issue: a denial of service attack (often but not always low intensity, as dictionary attacks show) against mail systems, increasing to DDoS attacks against effective anti-spam resources.

SA keeps mailboxes mostly useful but does absolutely nothing to stop networks from being choked with "noise" email. Even if you reject mail at the SMTP level, you still have to accept the DATA phase of the message to run header and body analysis with SA. You've accepted the traffic and hence have lost; as mail operator, you've paid to receive the mail regardless of whether it gets delivered or routed to /dev/null. I think that SA is a great program, the most effective means of preserving the usability of one's personal inbox. But make no mistake, it does almost nothing to stop spam.

> We should encourage these blacklisters to report these DoS attacks and even
> if possible assist them in identifying the attacker.

And if we report attacks to ISPs and law enforcement who in turn can't or won't lift a finger to help us, then what?

> If we don't, we are going to find them going away one by one. Then what
> is next - the spammers attacking anyone using SPAM blocking software.

Believe it. There's a war on.

-- 
Bob

_______________________________________________
Spamassassin-talk mailing list
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
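The SMTP-level point Bob makes (a DNSBL lets the MTA refuse a listed client before any envelope or body is read, while header and body analysis cannot decide until the whole DATA phase has crossed the wire) is illustrated below as an added example. It is not code from the original post, from monkeys.com or from SpamAssassin: the zone name dnsbl.example, its single listed address, the substring rules and the threshold are constructed stand-ins, and the dict replaces the DNS A query a real DNSBL client would make so the script runs offline.

```python
"""Simulated MTA policy: DNSBL refusal before DATA vs. content scoring after it.

Added example, not from the original post or from SpamAssassin. The zone
name, the listed address, the content rules and the threshold are constructed
stand-ins. A real DNSBL lookup is a DNS A query for <reversed-octets>.<zone>.
"""
import ipaddress

# Constructed stand-in for a DNSBL zone, keyed by query name (octets reversed
# and suffixed with the zone). A real zone is served over DNS; the dict lets
# this run offline.
FAKE_DNSBL_ZONE = "dnsbl.example"
FAKE_ZONE_RECORDS = {
    "4.2.0.192.dnsbl.example": "127.0.0.2",  # hypothetical listed open proxy
}

# Hypothetical content rules: (substring, points). Not SpamAssassin's rules.
CONTENT_RULES = (("viagra", 3), ("click here", 2), ("unsubscribe", 1))
SPAM_THRESHOLD = 5


def dnsbl_query_name(ip, zone=FAKE_DNSBL_ZONE):
    """Build the name a DNSBL client looks up: 192.0.2.4 -> 4.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip, records=FAKE_ZONE_RECORDS):
    """True if the (simulated) DNSBL returns an A record for the client."""
    return dnsbl_query_name(ip) in records


def content_score(message):
    """Stand-in for header/body analysis; it needs the whole message to run."""
    lower = message.lower()
    return sum(points for token, points in CONTENT_RULES if token in lower)


def smtp_session(client_ip, mail_from, rcpt_to, message):
    """Server side of one delivery attempt.

    Returns (transcript, bytes_accepted, disposition). bytes_accepted is the
    message size the server had to read before it could decide: zero when the
    DNSBL refuses the connection, the full body when content analysis decides.
    """
    if is_listed(client_ip):
        # Decision at connect time: nothing past the TCP handshake is read.
        transcript = [f"S: 554 5.7.1 {client_ip} listed in {FAKE_DNSBL_ZONE}"]
        return transcript, 0, "rejected-before-data"

    transcript = [
        "S: 220 mx.example ESMTP",
        f"C: MAIL FROM:<{mail_from}>", "S: 250 OK",
        f"C: RCPT TO:<{rcpt_to}>", "S: 250 OK",
        "C: DATA", "S: 354 End data with <CR><LF>.<CR><LF>",
    ]
    bytes_accepted = len(message.encode("utf-8"))
    transcript.append(f"C: [{bytes_accepted} bytes of message, then .]")
    if content_score(message) >= SPAM_THRESHOLD:
        # Rejected, but only after the whole body crossed the wire and was paid for.
        transcript.append("S: 550 5.7.1 Message rejected as spam")
        return transcript, bytes_accepted, "rejected-after-data"
    transcript.append("S: 250 2.0.0 Queued")
    return transcript, bytes_accepted, "accepted"


# Constructed sample: a listed proxy and an unlisted host sending the same spam.
SAMPLE_SPAM = (
    "From: promo@sender.example\r\nTo: bob@mx.example\r\nSubject: hi\r\n\r\n"
    "Cheap viagra! Click here now. Reply to unsubscribe.\r\n"
)


def compare():
    """Run both attempts and return {disposition: bytes_accepted}."""
    results = {}
    for ip in ("192.0.2.4", "192.0.2.5"):
        _, nbytes, disposition = smtp_session(ip, "promo@sender.example",
                                              "bob@mx.example", SAMPLE_SPAM)
        results[disposition] = nbytes
    return results


if __name__ == "__main__":
    for ip in ("192.0.2.4", "192.0.2.5"):
        transcript, nbytes, disposition = smtp_session(
            ip, "promo@sender.example", "bob@mx.example", SAMPLE_SPAM)
        print(f"--- {ip}: {disposition}, {nbytes} bytes accepted")
        print("\n".join(transcript))
```

Both attempts end in a rejection, but only the DNSBL refusal costs the receiving network nothing beyond the connection: the content-scored attempt has already consumed the full message size before the 550 is sent, which is the "you've paid to receive the mail" cost in the post. Real MTAs may apply the DNSBL check at the greeting, at MAIL FROM or at RCPT TO rather than exactly as shown; the ordering relative to DATA is the part that matters.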