Vulnerabilities / Threats

10:46 AM
Dave Piscitello
Dave Piscitello
Connect Directly

Spamhaus Shows What's Next For Block Listing

The broad, silent acceptance of a recent Spamhaus blocking action is a strong indicator that the rules have changed in the battle over spam and other kinds of email abuse.

Last month, Spamhaus placed an entire IP address block ( of the Chinanet Guangdong province network, the data communication division of China Telecom, on the Spamhaus Block List (SBL).

This was no small or inconsequential act. SBL users began to block email traffic originating from addresses within the Chinanet-GD allocation. Unsurprisingly, Chinanet-GD quickly took notice and worked with Spamhaus to clear the listing.

But what I find most interesting about this rapid chain of events is that the blocking action seems to have been accepted without public outcry or condemnation. Instead, Internet users and private network operators using the SBL appear to be saying tacitly, "We are exhausted trying to deal with the problems providers create for us on an incident-by-incident basis. We are convinced by your inaction that you are unwilling to remedy the problems you create. We are unwilling to remain at risk through your inaction. And so we will no longer trust you or any party whom you serve."

Game change or business as usual?
Historically, large organizations have not hesitated to block addresses allocated to countries or top-level domains (TLDs). Today antispam gateways use sender scores to block spammy mail relays. Firewalls or PBXs can be configured to block address allocations or TLDs, or they can restrict VOIP calls associated with certain country codes. Configuring corporate firewalls to implement such policies is quite straightforward (in some cases, a single rule). In all cases, blocking measures are implemented in response to threats that pose risks too high to ignore.

A security policy that blocks at this level protects your users or services from what you perceive as a broad threat. The most obvious consequence is that your shield also prevents your users from accessing legitimate services hosted at blocked addresses or domain names. However, the broad, silent acceptance of this action may be a strong indicator that SBL subscribers and others have determined that the benefit outweighs the harm.

Reputation scores and safe destinations
Travelers use reputation scores in the physical world to decide where to dine, sleep, or take holiday. Such scores exist for individual establishments, but city and country travel advisories also help travelers make informed decisions about destinations.

Similarly, the Spamhaus action expands the reputation score focus in the virtual world from individual establishments to destinations. And if real-world behavior is a barometer, users or private network operators may be comfortable refusing to accept or relay email from any server assigned an IP address from a cetain address allocation if reputation scores convince them to do so.

What's next?
Hosting providers, registrars, and proxy/privacy Whois service providers may be next in line for blocking based on reputation scoring. Reputation data and scores for these exist today. For example, Jart Armin's HostExploit scores and lists malicious (e.g., malware) hosting by operator and country. Project Honey Pot maintains lists of IPs associated with malicious activities -- sortable by country, web host, etc. The APWG Global Phishing Surveys provide a phishing score for registrars and registries.

Reputation scores for domain privacy/proxy services could be computed by scoring the prevalence of malicious registrations that display such services as primary points of contact in Whois records. These or similar scores could be used as the basis for blocking domains or URLs.

Collateral damage
Some readers may object or cringe over the perceived collateral damage to legitimate individuals or organizations that have unfortunately chosen a provider unable or unwilling to manage malicious behavior among its customers. But unlike domain shutdowns, where multi-user sites (remember Jotform?) become unreachable to everyone, actions that an organization adopts voluntarily affect only users within its administrative domain. That's closer to a neighborhood boycott than a domain seizure.

There are many long-term benefits that organizations hope to achieve with these boycotts.

  • Legitimate organizations and users will abandon providers with poor reputations and flock to those with better reputations.
  • Providers with poor reputations will take remedial actions to avoid or recover from customer attrition and continued erosion of their reputation.
  • Users or organizations that switch will get better services from their new provider.
  • Providers with poor reputations cannot inflict reputational harm on their industry segments.

(Source: The Spamhaus Project)
(Source: The Spamhaus Project)

Though the Spamhaus action feels radical, the reality is that private network operators block on this scale today. The operators may do so without the benefit of an external block list that is compiled with considerable attention to accuracy and subjected to public scrutiny. They do so because they are first and foremost responsible and accountable for their organization's security. It's not harsh or unreasonable for organizations to insist on similar, reasonable, and timely responses to abuse from service providers.

What Spamhaus did isn't revolutionary, but it may be a signal that the game has changed.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Andrew J Scoville
Andrew J Scoville,
User Rank: Apprentice
11/22/2013 | 8:26:11 PM
Re: Malicious blacklisting is never acceptable
Hello idiot,

From the graphic posted above, it looks like Spamhaus contacted them over 80 times about the problem but were ignored, and THEN they were listed.

Spamhaus is not an American company and not subject to "Amerincan legal actaion".

Spamhaus does block millions of botnet IPs with their XBL, and blocks their command & control servers with it's BGPf list.

Your post is a complete waste of time, because you don't bother to educate yourself before running your mouth.  It's embarassing.

User Rank: Apprentice
11/22/2013 | 3:44:23 PM
Malicious blacklisting is never acceptable
So thousands of innocent victims suffered collateral damage for an unspecific length of time, in what appears to be a completely unnecessary act.

That the company quickly repsonded proves that if Spamhaus had actually contacted them about the problem, it would have been solved - as indeed it was.

When's the last time a chinese company had success in legal actaion in Amerincan courts against an American company?

Of course they didn't react - they know full well that the corruption of the US legal system and anti-china bias in their Juries would have been a total time and moneywaster.

Spamhaus is basically a complete waste of time.  Almost all spam is sent via botnets, which Spamhaus can't stop, so the only good they serve is to perpetuate the extortion of money by whitelist providers and blacklist consumers, on the back of providing an increasingly irrelevant and alarmingly cavileer and dangers blocking service.

What is more important to you: skipping the occasional junk message, or not having your important emails trashed by over zealous operators using collateral damage extortion techniques to further their agenda?
<<   <   Page 2 / 2
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2018-05-22
In Wireshark 2.6.0, the IEEE 1905.1a dissector could crash. This was addressed in epan/dissectors/packet-ieee1905.c by making a certain correction to string handling.
PUBLISHED: 2018-05-22
In Wireshark 2.6.0, the RTCP dissector could crash. This was addressed in epan/dissectors/packet-rtcp.c by avoiding a buffer overflow for packet status chunks.
PUBLISHED: 2018-05-22
In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the DNS dissector could crash. This was addressed in epan/dissectors/packet-dns.c by avoiding a NULL pointer dereference for an empty name in an SRV record.
PUBLISHED: 2018-05-22
In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the LTP dissector and other dissectors could consume excessive memory. This was addressed in epan/tvbuff.c by rejecting negative lengths.
PUBLISHED: 2018-05-22
In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the Q.931 dissector could crash. This was addressed in epan/dissectors/packet-q931.c by avoiding a use-after-free after a malformed packet prevented certain cleanup.