Vulnerabilities / Threats
11/22/2013
10:46 AM
Dave Piscitello
Dave Piscitello
Commentary
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Spamhaus Shows What's Next For Block Listing

The broad, silent acceptance of a recent Spamhaus blocking action is a strong indicator that the rules have changed in the battle over spam and other kinds of email abuse.

Last month, Spamhaus placed an entire IP address block (113.96.0.0/12) of the Chinanet Guangdong province network, the data communication division of China Telecom, on the Spamhaus Block List (SBL).

This was no small or inconsequential act. SBL users began to block email traffic originating from addresses within the Chinanet-GD allocation. Unsurprisingly, Chinanet-GD quickly took notice and worked with Spamhaus to clear the listing.

But what I find most interesting about this rapid chain of events is that the blocking action seems to have been accepted without public outcry or condemnation. Instead, Internet users and private network operators using the SBL appear to be saying tacitly, "We are exhausted trying to deal with the problems providers create for us on an incident-by-incident basis. We are convinced by your inaction that you are unwilling to remedy the problems you create. We are unwilling to remain at risk through your inaction. And so we will no longer trust you or any party whom you serve."

Game change or business as usual?
Historically, large organizations have not hesitated to block addresses allocated to countries or top-level domains (TLDs). Today antispam gateways use sender scores to block spammy mail relays. Firewalls or PBXs can be configured to block address allocations or TLDs, or they can restrict VOIP calls associated with certain country codes. Configuring corporate firewalls to implement such policies is quite straightforward (in some cases, a single rule). In all cases, blocking measures are implemented in response to threats that pose risks too high to ignore.

A security policy that blocks at this level protects your users or services from what you perceive as a broad threat. The most obvious consequence is that your shield also prevents your users from accessing legitimate services hosted at blocked addresses or domain names. However, the broad, silent acceptance of this action may be a strong indicator that SBL subscribers and others have determined that the benefit outweighs the harm.

Reputation scores and safe destinations
Travelers use reputation scores in the physical world to decide where to dine, sleep, or take holiday. Such scores exist for individual establishments, but city and country travel advisories also help travelers make informed decisions about destinations.

Similarly, the Spamhaus action expands the reputation score focus in the virtual world from individual establishments to destinations. And if real-world behavior is a barometer, users or private network operators may be comfortable refusing to accept or relay email from any server assigned an IP address from a cetain address allocation if reputation scores convince them to do so.

What's next?
Hosting providers, registrars, and proxy/privacy Whois service providers may be next in line for blocking based on reputation scoring. Reputation data and scores for these exist today. For example, Jart Armin's HostExploit scores and lists malicious (e.g., malware) hosting by operator and country. Project Honey Pot maintains lists of IPs associated with malicious activities -- sortable by country, web host, etc. The APWG Global Phishing Surveys provide a phishing score for registrars and registries.

Reputation scores for domain privacy/proxy services could be computed by scoring the prevalence of malicious registrations that display such services as primary points of contact in Whois records. These or similar scores could be used as the basis for blocking domains or URLs.

Collateral damage
Some readers may object or cringe over the perceived collateral damage to legitimate individuals or organizations that have unfortunately chosen a provider unable or unwilling to manage malicious behavior among its customers. But unlike domain shutdowns, where multi-user sites (remember Jotform?) become unreachable to everyone, actions that an organization adopts voluntarily affect only users within its administrative domain. That's closer to a neighborhood boycott than a domain seizure.

There are many long-term benefits that organizations hope to achieve with these boycotts.

  • Legitimate organizations and users will abandon providers with poor reputations and flock to those with better reputations.
  • Providers with poor reputations will take remedial actions to avoid or recover from customer attrition and continued erosion of their reputation.
  • Users or organizations that switch will get better services from their new provider.
  • Providers with poor reputations cannot inflict reputational harm on their industry segments.

(Source: The Spamhaus Project)
(Source: The Spamhaus Project)

Though the Spamhaus action feels radical, the reality is that private network operators block on this scale today. The operators may do so without the benefit of an external block list that is compiled with considerable attention to accuracy and subjected to public scrutiny. They do so because they are first and foremost responsible and accountable for their organization's security. It's not harsh or unreasonable for organizations to insist on similar, reasonable, and timely responses to abuse from service providers.

What Spamhaus did isn't revolutionary, but it may be a signal that the game has changed.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Shepy
50%
50%
Shepy,
User Rank: Apprentice
11/28/2013 | 7:14:57 AM
Needs more
  • Legitimate organizations and users will abandon providers with poor reputations and flock to those with better reputations.
  • Providers with poor reputations will take remedial actions to avoid or recover from customer attrition and continued erosion of their reputation.
  • Users or organizations that switch will get better services from their new provider.
  • Providers with poor reputations cannot inflict reputational harm on their industry segments.

    In a perfect world this sounds ideal, but it's really starting to feel like SMTP needs an overhaul from the ground up, it's too long in the tooth and doesnt cate for spam prevention among other things nearly enough
davepiscitello
50%
50%
davepiscitello,
User Rank: Apprentice
11/26/2013 | 5:29:30 PM
Re: How can we trust them?
I work with folks from many of the reputation, block list, or "intervenor/responder" communities. My experience is that block listing relies heavily on information sharing and collaboration, and that these processes put a great deal of time and consideration to minimize false positives or collateral harm. 

I think these checks and balances make reputation scoring more reliable and much less prone to malice or retaliation or vigilantism than user submitted phish or web trust sites. 

 
a_synonymous
50%
50%
a_synonymous,
User Rank: Apprentice
11/26/2013 | 3:31:56 PM
How can we trust them?
Hi Dave,

You mentioned that there was no public outcry or condemnation.  The question is:  are we allowed to publicly oppose Spamhaus?  Recently, a person had edited their Wikipedia article to mention the recent conflict with the group "Stophaus".  The edit was immediately reverted by someone from Spamhaus, and the editor's IP was added to Spamhaus' blocklist.  People in the ISP community walk on eggshells around Spamhaus out of fear of reprisal.

In regards to reptuation scores, have you ever had someone say they hate your favorite restaurant or sports team?  How can businesses be sure that they are receiving all their legitimate correspondence when they rely on the subjective opinions of a group of people that assumes no responsibility for their actions, and triggers blocking of email from entire swathes of the internet with impunity?

Synonymous
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
11/25/2013 | 10:55:52 AM
Re: Malicious blacklisting is never acceptable> Or is it?
Thanks for calling attention to the Web index for 2013, Brian. I totally agree with your point relating economic development with freedom and human rights. It's good to see it quantified. 

As for the "gray area"  of block listing, I think Dave lays out a pretty good case about the reasons organizations may choose to blocklist. Those that do, (as he added on his comment) take those actions when they reach the point that  harm to their  users is at greater risk than not blocking. 

I'm not sure that the industry is at a point where it's necessary to codify those malicious behaviors into standards. But it's certainly a subject worth considering and discussing. 
Brian.Dean
100%
0%
Brian.Dean,
User Rank: Apprentice
11/24/2013 | 2:48:11 PM
Re: Malicious blacklisting is never acceptable> Or is it?
Thank you for the links Dave, and yes I agree that blocking is an area where choosing sides are of no value, understanding motives and reacting according is where we can find value.

The World Wide Web Foundation has recently released a Web index for 2013 that measures development by evaluating universal access, relevant content, freedom, openness, impact and empowerment of different countries -- it is not surprising to see that the five countries at the bottom of this list also have low performing economies at the moment. I guess it means that blocking powers are being misused in those economies. In our global village we also have malware like i2ninja etc that is created with the exact intention to cause harm, I feel this is where a block can be justified.

Basically, it is all a gray areas until and unless we look deeply into the motives behind a block.
davepiscitello
50%
50%
davepiscitello,
User Rank: Apprentice
11/23/2013 | 3:52:24 PM
Re: Malicious blacklisting is never acceptable> Or is it?
Good points, all Brian.

FWIW, I have also written columns that explain how blocking actions typically taken by private network admins have different affects - and can result in unacceptable collateral harm - when taken by public operators, ISPs, or governments. 

You can find a summary of these and links to three related articles at Making Sense of Shutdowns, Takedowns, Seizures and More...
davepiscitello
50%
50%
davepiscitello,
User Rank: Apprentice
11/23/2013 | 3:45:17 PM
Re: Malicious blacklisting is never acceptable> Or is it?
Hi Marilyn,

I'm neither advocating or opposing block listing but as you say, positing a future direction that block listing may take if (or when) harm to an organization's own users vs collateral harm reaches a tipping point.

One answer to your question " Are there acceptable limits to malware blacklisting?" is answered nearly every day: risk tolerance dictates limits for private network admins, and risk from malware has become a largely untolerated risk.

I, too, welcome public outcry.

Especially when it takes the form of informed, reasoned debate. 
davepiscitello
50%
50%
davepiscitello,
User Rank: Apprentice
11/23/2013 | 3:35:48 PM
Re: Malicious blacklisting is never acceptable
Thanks for your post. Let me set some facts before you, since you may not have found time to look at the chronology of events leading to Spamhaus' action.
  1. Spamhaus had identified 92 violations as far back as 2010. These went unresolved. They were listed at http://www.spamhaus.org/sbl/query/SBL201751 but you now have to go into the archives.
  2. The violations included botnet spam hosting, malware hosting, malware dropper hosting, DDoS botnet controllers and more. Using the SBL does more for an organization than block occasional junk messages: it protects users against the very botnets that you claim generate spam.
  3. They did not act zealously or without care, they did give CHINANET-GD time to resolve.

I'm most disappointed that you appear to have missed the important point that the use of SBL is a voluntary act by organizations who made the decision to protect their own users against malware distribution, spam, or DDoS at the expense of not processing mail from addresses on the block list.

 

 
Brian.Dean
100%
0%
Brian.Dean,
User Rank: Apprentice
11/23/2013 | 1:44:26 PM
Re: Malicious blacklisting is never acceptable> Or is it?
Marilyn, excellent point as debates are good. From a business standpoint that wants to protect its customers from spam, I think blocking an ISP is a very small matter as any business that truly respects its customers would even get their own domain blocked, if they suspected their own domain to be spamming customers. From an economic perspective things are different, blocking anything becomes a mathematical equation that will eventually reduce or limit productivity on both ends, and roads etc were blocked in the past when roads were our main source of commerce. Today in this information age, information highways are blocked. As for customers, well I think every customer would like to open their spam folder and get the message "Hooray, no spam here!", and their main inbox would be no exception.

Definitely, it is a complex topic and it is extremely interesting to know about the "rapid chain of events" and moreover that it was "accepted without public outcry or condemnation", changing times I guess.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
11/23/2013 | 11:25:10 AM
Re: Malicious blacklisting is never acceptable> Or is it?
Andrew, I really appreciate your passionate opposition to malicious malware blacklisting and for taking the time to share your strongly-held views with InformationWeelk . While the author, Dave Piscitello, VP Security at ICANN, posits an opposing -- and apparently controversial --  point of view, I can assure you that he is no idiot and is very well-informed about the issues he raises in this column. 

I'll let Dave respond to the specific points in your post, but one thing in his column that stood out when I read it was his observation that the "rapid chain of events'" that lead to the Spamhaus blacklisting was "accepted without public outcry or condemnation." 

I can see by your comment, and another by 0id, that the public outcry has arrived at InformationWeek -- and we're delighted to have it. Let's have a thoughtful debate on the merits. Are there acceptable limits to malware blacklisting? If so, what are they? If not, why not. 

 
Page 1 / 2   >   >>
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

CVE-2014-2716
Published: 2014-12-19
Ekahau B4 staff badge tag 5.7 with firmware 1.4.52, Real-Time Location System (RTLS) Controller 6.0.5-FINAL, and Activator 3 reuses the RC4 cipher stream, which makes it easier for remote attackers to obtain plaintext messages via an XOR operation on two ciphertexts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.