Vulnerabilities / Threats
11/22/2013
10:46 AM
Dave Piscitello
Dave Piscitello
Commentary
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Spamhaus Shows What's Next For Block Listing

The broad, silent acceptance of a recent Spamhaus blocking action is a strong indicator that the rules have changed in the battle over spam and other kinds of email abuse.

Last month, Spamhaus placed an entire IP address block (113.96.0.0/12) of the Chinanet Guangdong province network, the data communication division of China Telecom, on the Spamhaus Block List (SBL).

This was no small or inconsequential act. SBL users began to block email traffic originating from addresses within the Chinanet-GD allocation. Unsurprisingly, Chinanet-GD quickly took notice and worked with Spamhaus to clear the listing.

But what I find most interesting about this rapid chain of events is that the blocking action seems to have been accepted without public outcry or condemnation. Instead, Internet users and private network operators using the SBL appear to be saying tacitly, "We are exhausted trying to deal with the problems providers create for us on an incident-by-incident basis. We are convinced by your inaction that you are unwilling to remedy the problems you create. We are unwilling to remain at risk through your inaction. And so we will no longer trust you or any party whom you serve."

Game change or business as usual?
Historically, large organizations have not hesitated to block addresses allocated to countries or top-level domains (TLDs). Today antispam gateways use sender scores to block spammy mail relays. Firewalls or PBXs can be configured to block address allocations or TLDs, or they can restrict VOIP calls associated with certain country codes. Configuring corporate firewalls to implement such policies is quite straightforward (in some cases, a single rule). In all cases, blocking measures are implemented in response to threats that pose risks too high to ignore.

A security policy that blocks at this level protects your users or services from what you perceive as a broad threat. The most obvious consequence is that your shield also prevents your users from accessing legitimate services hosted at blocked addresses or domain names. However, the broad, silent acceptance of this action may be a strong indicator that SBL subscribers and others have determined that the benefit outweighs the harm.

Reputation scores and safe destinations
Travelers use reputation scores in the physical world to decide where to dine, sleep, or take holiday. Such scores exist for individual establishments, but city and country travel advisories also help travelers make informed decisions about destinations.

Similarly, the Spamhaus action expands the reputation score focus in the virtual world from individual establishments to destinations. And if real-world behavior is a barometer, users or private network operators may be comfortable refusing to accept or relay email from any server assigned an IP address from a cetain address allocation if reputation scores convince them to do so.

What's next?
Hosting providers, registrars, and proxy/privacy Whois service providers may be next in line for blocking based on reputation scoring. Reputation data and scores for these exist today. For example, Jart Armin's HostExploit scores and lists malicious (e.g., malware) hosting by operator and country. Project Honey Pot maintains lists of IPs associated with malicious activities -- sortable by country, web host, etc. The APWG Global Phishing Surveys provide a phishing score for registrars and registries.

Reputation scores for domain privacy/proxy services could be computed by scoring the prevalence of malicious registrations that display such services as primary points of contact in Whois records. These or similar scores could be used as the basis for blocking domains or URLs.

Collateral damage
Some readers may object or cringe over the perceived collateral damage to legitimate individuals or organizations that have unfortunately chosen a provider unable or unwilling to manage malicious behavior among its customers. But unlike domain shutdowns, where multi-user sites (remember Jotform?) become unreachable to everyone, actions that an organization adopts voluntarily affect only users within its administrative domain. That's closer to a neighborhood boycott than a domain seizure.

There are many long-term benefits that organizations hope to achieve with these boycotts.

  • Legitimate organizations and users will abandon providers with poor reputations and flock to those with better reputations.
  • Providers with poor reputations will take remedial actions to avoid or recover from customer attrition and continued erosion of their reputation.
  • Users or organizations that switch will get better services from their new provider.
  • Providers with poor reputations cannot inflict reputational harm on their industry segments.

(Source: The Spamhaus Project)
(Source: The Spamhaus Project)

Though the Spamhaus action feels radical, the reality is that private network operators block on this scale today. The operators may do so without the benefit of an external block list that is compiled with considerable attention to accuracy and subjected to public scrutiny. They do so because they are first and foremost responsible and accountable for their organization's security. It's not harsh or unreasonable for organizations to insist on similar, reasonable, and timely responses to abuse from service providers.

What Spamhaus did isn't revolutionary, but it may be a signal that the game has changed.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Andrew J Scoville
33%
67%
Andrew J Scoville,
User Rank: Apprentice
11/22/2013 | 8:26:11 PM
Re: Malicious blacklisting is never acceptable
Hello idiot,

From the graphic posted above, it looks like Spamhaus contacted them over 80 times about the problem but were ignored, and THEN they were listed.

Spamhaus is not an American company and not subject to "Amerincan legal actaion".

Spamhaus does block millions of botnet IPs with their XBL, and blocks their command & control servers with it's BGPf list.

Your post is a complete waste of time, because you don't bother to educate yourself before running your mouth.  It's embarassing.

 
0id
50%
50%
0id,
User Rank: Apprentice
11/22/2013 | 3:44:23 PM
Malicious blacklisting is never acceptable
So thousands of innocent victims suffered collateral damage for an unspecific length of time, in what appears to be a completely unnecessary act.

That the company quickly repsonded proves that if Spamhaus had actually contacted them about the problem, it would have been solved - as indeed it was.

When's the last time a chinese company had success in legal actaion in Amerincan courts against an American company?

Of course they didn't react - they know full well that the corruption of the US legal system and anti-china bias in their Juries would have been a total time and moneywaster.

Spamhaus is basically a complete waste of time.  Almost all spam is sent via botnets, which Spamhaus can't stop, so the only good they serve is to perpetuate the extortion of money by whitelist providers and blacklist consumers, on the back of providing an increasingly irrelevant and alarmingly cavileer and dangers blocking service.

What is more important to you: skipping the occasional junk message, or not having your important emails trashed by over zealous operators using collateral damage extortion techniques to further their agenda?
<<   <   Page 2 / 2
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-6651
Published: 2014-07-31
Multiple directory traversal vulnerabilities in the Vitamin plugin before 1.1.0 for WordPress allow remote attackers to access arbitrary files via a .. (dot dot) in the path parameter to (1) add_headers.php or (2) minify.php.

CVE-2014-2970
Published: 2014-07-31
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-5139. Reason: This candidate is a duplicate of CVE-2014-5139, and has also been used to refer to an unrelated topic that is currently outside the scope of CVE. This unrelated topic is a LibreSSL code change adding functionality ...

CVE-2014-3488
Published: 2014-07-31
The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.

CVE-2014-3554
Published: 2014-07-31
Buffer overflow in the ndp_msg_opt_dnssl_domain function in libndp allows remote routers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS Search List (DNSSL) in an IPv6 router advertisement.

CVE-2014-5171
Published: 2014-07-31
SAP HANA Extend Application Services (XS) does not encrypt transmissions for applications that enable form based authentication using SSL, which allows remote attackers to obtain credentials and other sensitive information by sniffing the network.

Best of the Web
Dark Reading Radio