Vulnerabilities / Threats
11/22/2013
10:46 AM
Dave Piscitello
Dave Piscitello
Commentary
Connect Directly
Twitter
RSS
E-Mail

Spamhaus Shows What's Next For Block Listing

The broad, silent acceptance of a recent Spamhaus blocking action is a strong indicator that the rules have changed in the battle over spam and other kinds of email abuse.

(Source: The Spamhaus Project)
(Source: The Spamhaus Project)

Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Shepy
50%
50%
Shepy,
User Rank: Apprentice
11/28/2013 | 7:14:57 AM
Needs more
  • Legitimate organizations and users will abandon providers with poor reputations and flock to those with better reputations.
  • Providers with poor reputations will take remedial actions to avoid or recover from customer attrition and continued erosion of their reputation.
  • Users or organizations that switch will get better services from their new provider.
  • Providers with poor reputations cannot inflict reputational harm on their industry segments.

    In a perfect world this sounds ideal, but it's really starting to feel like SMTP needs an overhaul from the ground up, it's too long in the tooth and doesnt cate for spam prevention among other things nearly enough
davepiscitello
50%
50%
davepiscitello,
User Rank: Apprentice
11/26/2013 | 5:29:30 PM
Re: How can we trust them?
I work with folks from many of the reputation, block list, or "intervenor/responder" communities. My experience is that block listing relies heavily on information sharing and collaboration, and that these processes put a great deal of time and consideration to minimize false positives or collateral harm. 

I think these checks and balances make reputation scoring more reliable and much less prone to malice or retaliation or vigilantism than user submitted phish or web trust sites. 

 
a_synonymous
50%
50%
a_synonymous,
User Rank: Apprentice
11/26/2013 | 3:31:56 PM
How can we trust them?
Hi Dave,

You mentioned that there was no public outcry or condemnation.  The question is:  are we allowed to publicly oppose Spamhaus?  Recently, a person had edited their Wikipedia article to mention the recent conflict with the group "Stophaus".  The edit was immediately reverted by someone from Spamhaus, and the editor's IP was added to Spamhaus' blocklist.  People in the ISP community walk on eggshells around Spamhaus out of fear of reprisal.

In regards to reptuation scores, have you ever had someone say they hate your favorite restaurant or sports team?  How can businesses be sure that they are receiving all their legitimate correspondence when they rely on the subjective opinions of a group of people that assumes no responsibility for their actions, and triggers blocking of email from entire swathes of the internet with impunity?

Synonymous
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
11/25/2013 | 10:55:52 AM
Re: Malicious blacklisting is never acceptable> Or is it?
Thanks for calling attention to the Web index for 2013, Brian. I totally agree with your point relating economic development with freedom and human rights. It's good to see it quantified. 

As for the "gray area"  of block listing, I think Dave lays out a pretty good case about the reasons organizations may choose to blocklist. Those that do, (as he added on his comment) take those actions when they reach the point that  harm to their  users is at greater risk than not blocking. 

I'm not sure that the industry is at a point where it's necessary to codify those malicious behaviors into standards. But it's certainly a subject worth considering and discussing. 
Brian.Dean
100%
0%
Brian.Dean,
User Rank: Apprentice
11/24/2013 | 2:48:11 PM
Re: Malicious blacklisting is never acceptable> Or is it?
Thank you for the links Dave, and yes I agree that blocking is an area where choosing sides are of no value, understanding motives and reacting according is where we can find value.

The World Wide Web Foundation has recently released a Web index for 2013 that measures development by evaluating universal access, relevant content, freedom, openness, impact and empowerment of different countries -- it is not surprising to see that the five countries at the bottom of this list also have low performing economies at the moment. I guess it means that blocking powers are being misused in those economies. In our global village we also have malware like i2ninja etc that is created with the exact intention to cause harm, I feel this is where a block can be justified.

Basically, it is all a gray areas until and unless we look deeply into the motives behind a block.
davepiscitello
50%
50%
davepiscitello,
User Rank: Apprentice
11/23/2013 | 3:52:24 PM
Re: Malicious blacklisting is never acceptable> Or is it?
Good points, all Brian.

FWIW, I have also written columns that explain how blocking actions typically taken by private network admins have different affects - and can result in unacceptable collateral harm - when taken by public operators, ISPs, or governments. 

You can find a summary of these and links to three related articles at Making Sense of Shutdowns, Takedowns, Seizures and More...
davepiscitello
50%
50%
davepiscitello,
User Rank: Apprentice
11/23/2013 | 3:45:17 PM
Re: Malicious blacklisting is never acceptable> Or is it?
Hi Marilyn,

I'm neither advocating or opposing block listing but as you say, positing a future direction that block listing may take if (or when) harm to an organization's own users vs collateral harm reaches a tipping point.

One answer to your question " Are there acceptable limits to malware blacklisting?" is answered nearly every day: risk tolerance dictates limits for private network admins, and risk from malware has become a largely untolerated risk.

I, too, welcome public outcry.

Especially when it takes the form of informed, reasoned debate. 
davepiscitello
50%
50%
davepiscitello,
User Rank: Apprentice
11/23/2013 | 3:35:48 PM
Re: Malicious blacklisting is never acceptable
Thanks for your post. Let me set some facts before you, since you may not have found time to look at the chronology of events leading to Spamhaus' action.
  1. Spamhaus had identified 92 violations as far back as 2010. These went unresolved. They were listed at http://www.spamhaus.org/sbl/query/SBL201751 but you now have to go into the archives.
  2. The violations included botnet spam hosting, malware hosting, malware dropper hosting, DDoS botnet controllers and more. Using the SBL does more for an organization than block occasional junk messages: it protects users against the very botnets that you claim generate spam.
  3. They did not act zealously or without care, they did give CHINANET-GD time to resolve.

I'm most disappointed that you appear to have missed the important point that the use of SBL is a voluntary act by organizations who made the decision to protect their own users against malware distribution, spam, or DDoS at the expense of not processing mail from addresses on the block list.

 

 
Brian.Dean
100%
0%
Brian.Dean,
User Rank: Apprentice
11/23/2013 | 1:44:26 PM
Re: Malicious blacklisting is never acceptable> Or is it?
Marilyn, excellent point as debates are good. From a business standpoint that wants to protect its customers from spam, I think blocking an ISP is a very small matter as any business that truly respects its customers would even get their own domain blocked, if they suspected their own domain to be spamming customers. From an economic perspective things are different, blocking anything becomes a mathematical equation that will eventually reduce or limit productivity on both ends, and roads etc were blocked in the past when roads were our main source of commerce. Today in this information age, information highways are blocked. As for customers, well I think every customer would like to open their spam folder and get the message "Hooray, no spam here!", and their main inbox would be no exception.

Definitely, it is a complex topic and it is extremely interesting to know about the "rapid chain of events" and moreover that it was "accepted without public outcry or condemnation", changing times I guess.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
11/23/2013 | 11:25:10 AM
Re: Malicious blacklisting is never acceptable> Or is it?
Andrew, I really appreciate your passionate opposition to malicious malware blacklisting and for taking the time to share your strongly-held views with InformationWeelk . While the author, Dave Piscitello, VP Security at ICANN, posits an opposing -- and apparently controversial --  point of view, I can assure you that he is no idiot and is very well-informed about the issues he raises in this column. 

I'll let Dave respond to the specific points in your post, but one thing in his column that stood out when I read it was his observation that the "rapid chain of events'" that lead to the Spamhaus blacklisting was "accepted without public outcry or condemnation." 

I can see by your comment, and another by 0id, that the public outcry has arrived at InformationWeek -- and we're delighted to have it. Let's have a thoughtful debate on the merits. Are there acceptable limits to malware blacklisting? If so, what are they? If not, why not. 

 
Page 1 / 2   >   >>
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4594
Published: 2014-10-25
The Payment for Webform module 7.x-1.x before 7.x-1.5 for Drupal does not restrict access by anonymous users, which allows remote anonymous users to use the payment of other anonymous users when submitting a form that requires payment.

CVE-2014-0476
Published: 2014-10-25
The slapper function in chkrootkit before 0.50 does not properly quote file paths, which allows local users to execute arbitrary code via a Trojan horse executable. NOTE: this is only a vulnerability when /tmp is not mounted with the noexec option.

CVE-2014-1927
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928....

CVE-2014-1928
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "\" (backslash) characters to form multi-command sequences, a different vulner...

CVE-2014-1929
Published: 2014-10-25
python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to "option injection through positional arguments." NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.