Spamhaus Shows What's Next For Block ListingThe broad, silent acceptance of a recent Spamhaus blocking action is a strong indicator that the rules have changed in the battle over spam and other kinds of email abuse.
Last month, Spamhaus placed an entire IP address block (126.96.36.199/12) of the Chinanet Guangdong province network, the data communication division of China Telecom, on the Spamhaus Block List (SBL).
This was no small or inconsequential act. SBL users began to block email traffic originating from addresses within the Chinanet-GD allocation. Unsurprisingly, Chinanet-GD quickly took notice and worked with Spamhaus to clear the listing.
But what I find most interesting about this rapid chain of events is that the blocking action seems to have been accepted without public outcry or condemnation. Instead, Internet users and private network operators using the SBL appear to be saying tacitly, "We are exhausted trying to deal with the problems providers create for us on an incident-by-incident basis. We are convinced by your inaction that you are unwilling to remedy the problems you create. We are unwilling to remain at risk through your inaction. And so we will no longer trust you or any party whom you serve."
Game change or business as usual?
Historically, large organizations have not hesitated to block addresses allocated to countries or top-level domains (TLDs). Today antispam gateways use sender scores to block spammy mail relays. Firewalls or PBXs can be configured to block address allocations or TLDs, or they can restrict VOIP calls associated with certain country codes. Configuring corporate firewalls to implement such policies is quite straightforward (in some cases, a single rule). In all cases, blocking measures are implemented in response to threats that pose risks too high to ignore.
A security policy that blocks at this level protects your users or services from what you perceive as a broad threat. The most obvious consequence is that your shield also prevents your users from accessing legitimate services hosted at blocked addresses or domain names. However, the broad, silent acceptance of this action may be a strong indicator that SBL subscribers and others have determined that the benefit outweighs the harm.
Reputation scores and safe destinations
Travelers use reputation scores in the physical world to decide where to dine, sleep, or take holiday. Such scores exist for individual establishments, but city and country travel advisories also help travelers make informed decisions about destinations.
Similarly, the Spamhaus action expands the reputation score focus in the virtual world from individual establishments to destinations. And if real-world behavior is a barometer, users or private network operators may be comfortable refusing to accept or relay email from any server assigned an IP address from a cetain address allocation if reputation scores convince them to do so.
Hosting providers, registrars, and proxy/privacy Whois service providers may be next in line for blocking based on reputation scoring. Reputation data and scores for these exist today. For example, Jart Armin's HostExploit scores and lists malicious (e.g., malware) hosting by operator and country. Project Honey Pot maintains lists of IPs associated with malicious activities -- sortable by country, web host, etc. The APWG Global Phishing Surveys provide a phishing score for registrars and registries.
Reputation scores for domain privacy/proxy services could be computed by scoring the prevalence of malicious registrations that display such services as primary points of contact in Whois records. These or similar scores could be used as the basis for blocking domains or URLs.
Some readers may object or cringe over the perceived collateral damage to legitimate individuals or organizations that have unfortunately chosen a provider unable or unwilling to manage malicious behavior among its customers. But unlike domain shutdowns, where multi-user sites (remember Jotform?) become unreachable to everyone, actions that an organization adopts voluntarily affect only users within its administrative domain. That's closer to a neighborhood boycott than a domain seizure.
There are many long-term benefits that organizations hope to achieve with these boycotts.
- Legitimate organizations and users will abandon providers with poor reputations and flock to those with better reputations.
- Providers with poor reputations will take remedial actions to avoid or recover from customer attrition and continued erosion of their reputation.
- Users or organizations that switch will get better services from their new provider.
- Providers with poor reputations cannot inflict reputational harm on their industry segments.
(Source: The Spamhaus Project)
Though the Spamhaus action feels radical, the reality is that private network operators block on this scale today. The operators may do so without the benefit of an external block list that is compiled with considerable attention to accuracy and subjected to public scrutiny. They do so because they are first and foremost responsible and accountable for their organization's security. It's not harsh or unreasonable for organizations to insist on similar, reasonable, and timely responses to abuse from service providers.
What Spamhaus did isn't revolutionary, but it may be a signal that the game has changed.