[Asrg] Re: Asrg Digest, DNSBL BCP v.2.0

gep2 at terabites.com gep2 at terabites.com
Fri Mar 2 19:01:16 EST 2007 

As you know, in a recent thread I commented on what a 
LOUSY solution IP-address-based blacklists are, in 
general.

Part of the problem is that it is a VERY blunt instrument, 
especially for companies which operate a large network 
from behind a NAT router.

Well, I've recently been personally involved in trying to 
put out just such a fire at one of my consulting clients.

The client company is an oil and gasoline distributor. 
 Each evening the software system I built and maintain for 
them sends E-mails and fax-by-e-mail price updates to 
their customers.  It also automatically generates and 
routes invoices, credit memos (for example, the amounts of 
the 'pay at the pump' credit card transactions they 
handled the day before) to their customers.  They probably 
send something approaching a thousand such 
business-critical E-mails and fax-by-E-mails per day.

All works well until about a week and a half ago, one of 
their computers managed to get infected by some kind of 
exploit (despite every machine in the company having and 
running Symantec Antivirus software which is updated 
daily).  We found the problem within 24 hours and managed 
to clean it all up, (hopefully!) but meanwhile at least 
one or two E-mail blacklists (including XBL) flagged the 
IP address of the company's router, and starting on the 
21st some of their E-mails stopped getting delivered due 
to the blacklisting.  By Saturday, as more ISPs picked up 
on the new list, E-fax (who processes and delivers their 
fax-by-e-mail transmissions) suddenly started bouncing 
even their outgoing fax attempts (even though their 
systems had been clean, as best we can tell) for at least 
two or three days already.

Businesses which count on reliable AND TIMELY e-mail 
transmissions simply cannot have their E-mail 
transmissions blocked "en masse" like this.

Not being able to issue credits, deliver invoices, and 
send price updates (and in the oil and gas business, 
prices change daily) is a monumental burden on a company 
which is guilty of nothing more than being a victim, just 
like so many other companies and individuals have been 
(and, doubtless, will continue to be).

Worse, from a Internet strategic standpoint, the dangers 
of this kind of blunt-instrument blocking of E-mails for 
AN ENTIRE COMPANY just because ANY ONE computer within 
their network is infected (and it could even be an 
infected notebook computer carried in from home and 
connecting to the office wireless LAN) will force more 
companies to insist on MORE DANGEROUS separate, routable 
IP addresses for each machine in their company.... so that 
blocking will affect JUST ONE of their machines and not 
put the whole company out of business.  Ultimately, this 
"solution" just puts dramatically more (and very unwanted) 
pressure on the limited IP address space, and INCREASES 
the likelihood of getting the company's machines infected 
since now their machines each have a real, routable IP 
address that can be attacked by scanners and other 
exploits originating from outside the company.

It has taken me personally much of the last week to try to 
mitigate the problems for my consulting client... managing 
communications with the blacklisting organizations (since 
nobody at the client speaks their technical language), 
making numerous and ongoing system configuration changes 
to reroute outgoing mails, establishing new message 
handling paths, and then going back and regenerating and 
retransmitting thousands of backlogged invoices and 
credits notices that could not be delivered in the normal 
way.  I can't overemphasize what a huge disruption this is 
to a company (and again, one which DOES make a serious 
effort to be responsible!)

Not to mention the huge disruption to their "ordinary" 
NON-system-generated e-mails with their clients and 
suppliers.

So, again, I will EMPHASIZE that the question should NOT 
revolve around the finer points of how to implement 
IP-address-based blacklists, who should maintain them, how 
to distribute them, how to phase them out eventually, and 
such CRAP!!  We are arguing the finer points about what is 
INHERENTLY a VERY flawed approach, rotten to its very core 
AS A CONCEPT, where what we OUGHT to be doing instead is 
to figure out better and more effective ways to 
efficiently and accurately DIFFERENTIATE good mail from 
bad.

As I have pointed out, such an approach would (in the 
example I gave) efficiently perform such triage on the 
messages coming from dear old Aunt Gertie's machine, 
allowing her legitimate mail to continue to be delivered 
while effectively guaranteeing that the spambot-generated 
garbage running on her same machine and transiting the 
same server(s) would be T-canned and never seen by a human 
(and therefore, hopefully, not be worth injecting into the 
Net in the first place).

Key to this triage, I believe is:

    1) denying spammers and abusers (in a robust way!) the 
ability to conceal or obfuscate malicious or spam content 
by ruses based on HTML, text-as-image, scripting and the 
like;

    2) forcing at least initial-contact e-mails (those by 
which a sender establishes a trust relationship with the 
intended recipient) be sent in plain text so that they can 
be analyzed effectively by a SpamAssassin-style analysis 
program;

    3) allowing a recipient to control just exactly what 
sort of more advanced content they are ready and willing 
to accept from each specific sender, and (ideally) how 
they wish to additionally establish the legitimacy of that 
sender's messages.  (Prearranged masthead on a newsletter, 
personal SIG file for mail from an individual, 
characteristic keywords in the message or subject line, 
etc etc).

Here on this list, we keep falling back into this nasty 
business of arguing about how an INHERENTLY FLAWED scheme 
(and I'm talking about IP-address-based blacklisting) 
should be done, rather than recognizing ONCE AND FOR ALL 
that it is simply a ROTTEN IDEA FROM THE BEGINNING and 
that we OUGHT to be working on finding a BETTER solution 
which is better long term both from the standpoint of 
CONTROLLING spam, of encouraging (in a practical way) 
responsible computing, and which isn't just encouraging 
these costly, ineffective, and ultimately 
COUNTERPRODUCTIVE games of after-the-fact "whack-a-mole".

We OUGHT to be working on preventing spam (and viruses) 
from getting delivered THE FIRST TIME, rather than 
worrying about locking the barn door after the horse has 
already gotten out...!

Dammit, people, we keep going back to what color fabric 
we're going to use to upholster the "whack-a-mole" mallet, 
rather than coming up with a real SOLUTION for this 
problem...!!!  :-((

Gordon Peterson
http://personal.terabites.com
1977-2007  Thirty year anniversary of local area 
networking

More information about the Asrg mailing list