Vulnerabilities / Threats
11/22/2013
10:46 AM
Dave Piscitello
Commentary

Spamhaus Shows What's Next For Block Listing

The broad, silent acceptance of a recent Spamhaus blocking action is a strong indicator that the rules have changed in the battle over spam and other kinds of email abuse.

Last month, Spamhaus placed an entire IP address block (113.96.0.0/12) of the Chinanet Guangdong province network, the data communication division of China Telecom, on the Spamhaus Block List (SBL).

This was no small or inconsequential act. SBL users began to block email traffic originating from addresses within the Chinanet-GD allocation. Unsurprisingly, Chinanet-GD quickly took notice and worked with Spamhaus to clear the listing.

But what I find most interesting about this rapid chain of events is that the blocking action seems to have been accepted without public outcry or condemnation. Instead, Internet users and private network operators using the SBL appear to be saying tacitly, "We are exhausted trying to deal with the problems providers create for us on an incident-by-incident basis. We are convinced by your inaction that you are unwilling to remedy the problems you create. We are unwilling to remain at risk through your inaction. And so we will no longer trust you or any party whom you serve."

Game change or business as usual?
Historically, large organizations have not hesitated to block addresses allocated to countries or top-level domains (TLDs). Today antispam gateways use sender scores to block spammy mail relays. Firewalls or PBXs can be configured to block address allocations or TLDs, or they can restrict VoIP calls associated with certain country codes. Configuring corporate firewalls to implement such policies is quite straightforward (in some cases, a single rule). In all cases, blocking measures are implemented in response to threats that pose risks too high to ignore.

A security policy that blocks at this level protects your users or services from what you perceive as a broad threat. The most obvious consequence is that your shield also prevents your users from accessing legitimate services hosted at blocked addresses or domain names. However, the broad, silent acceptance of this action may be a strong indicator that SBL subscribers and others have determined that the benefit outweighs the harm.

Reputation scores and safe destinations
Travelers use reputation scores in the physical world to decide where to dine, sleep, or take holiday. Such scores exist for individual establishments, but city and country travel advisories also help travelers make informed decisions about destinations.

Similarly, the Spamhaus action expands the reputation score focus in the virtual world from individual establishments to destinations. And if real-world behavior is a barometer, users or private network operators may be comfortable refusing to accept or relay email from any server assigned an IP address from a certain address allocation if reputation scores convince them to do so.
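The allocation-level refusal described here (and the "single rule" firewall policy above) as an added example, not code from the article or from Spamhaus: a mail relay's connect-time decision against locally configured blocked allocations, with an allow list that wins over a block so a known-good host inside a listed range keeps working. The 113.96.0.0/12 prefix is the one the article names; the other ranges, the log lines and the function names are constructed assumptions.

```python
"""Added example: connect-time relay policy for an SMTP gateway that refuses
mail from whole address allocations, SBL-style. Everything except the
113.96.0.0/12 prefix is constructed for illustration."""
import ipaddress
import re

# Allocations this organisation has decided not to accept mail from.
# 113.96.0.0/12 is the block the article discusses; 203.0.113.0/24 is a
# constructed placeholder (documentation range, never routed).
BLOCKED_ALLOCATIONS = [ipaddress.ip_network(n) for n in (
    "113.96.0.0/12",
    "203.0.113.0/24",
)]

# Assumption: an allow list that overrides the block, so one vetted partner
# host inside a listed range is not collateral damage.
ALLOWED_HOSTS = [ipaddress.ip_network(n) for n in ("113.100.7.5/32",)]


def relay_decision(client_ip: str) -> str:
    """Return 'accept', 'reject' or 'invalid' for a connecting client IP."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return "invalid"          # never let a malformed peer string pass
    if any(addr in net for net in ALLOWED_HOSTS):
        return "accept"
    if any(addr in net for net in BLOCKED_ALLOCATIONS):
        return "reject"
    return "accept"


def dnsbl_query_name(client_ip: str, zone: str = "sbl.spamhaus.org") -> str:
    """Build the DNSBL lookup name (reversed IPv4 octets under the zone).
    Only constructs the name; no network lookup is performed here."""
    ipaddress.IPv4Address(client_ip)          # raises on anything non-IPv4
    return ".".join(reversed(client_ip.split("."))) + "." + zone


# Constructed gateway connection log used to review a policy before enabling it.
SAMPLE_LOG = """\
2013-10-18T09:12:01Z connect from client=113.97.44.10
2013-10-18T09:12:05Z connect from client=198.51.100.23
2013-10-18T09:12:09Z connect from client=113.100.7.5
2013-10-18T09:12:13Z connect from client=not-an-ip
"""


def review_log(text: str) -> dict:
    """Tally what the policy would do to each connection in a log excerpt."""
    counts = {"accept": 0, "reject": 0, "invalid": 0}
    for m in re.finditer(r"client=(\S+)", text):
        counts[relay_decision(m.group(1))] += 1
    return counts
```

Running review_log over a day of real connection logs before enforcing the rule shows how much legitimate mail the allocation-wide block would turn away, which is the collateral-damage trade-off the article weighs.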

What's next?
Hosting providers, registrars, and proxy/privacy Whois service providers may be next in line for blocking based on reputation scoring. Reputation data and scores for these exist today. For example, Jart Armin's HostExploit scores and lists malicious (e.g., malware) hosting by operator and country. Project Honey Pot maintains lists of IPs associated with malicious activities -- sortable by country, web host, etc. The APWG Global Phishing Surveys provide a phishing score for registrars and registries.

Reputation scores for domain privacy/proxy services could be computed by scoring the prevalence of malicious registrations that display such services as primary points of contact in Whois records. These or similar scores could be used as the basis for blocking domains or URLs.
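The scoring approach sketched in this paragraph as an added example (not the article's, Spamhaus's or APWG's method or data): each privacy/proxy service is scored by the share of registrations naming it as primary contact that have been flagged malicious, with a minimum-volume floor so one bad registration does not brand a tiny service. The records, service names, threshold and floor are all constructed assumptions.

```python
"""Added example: prevalence-based reputation score for Whois privacy/proxy
services, as the article proposes. All records and names are constructed."""
from collections import defaultdict

# Constructed registrations: (domain, primary-contact org in Whois, flagged malicious?)
REGISTRATIONS = [
    ("example-a.test", "ProxyShield Ltd (constructed)", True),
    ("example-b.test", "ProxyShield Ltd (constructed)", True),
    ("example-c.test", "ProxyShield Ltd (constructed)", False),
    ("example-d.test", "ProxyShield Ltd (constructed)", True),
    ("example-e.test", "PrivacyGuard Inc (constructed)", False),
    ("example-f.test", "PrivacyGuard Inc (constructed)", False),
    ("example-g.test", "PrivacyGuard Inc (constructed)", True),
    ("example-h.test", "Tiny Proxy (constructed)", True),
]

MIN_SAMPLE = 3   # assumption: below this volume no score is reported


def proxy_reputation(records, min_sample=MIN_SAMPLE):
    """Map each contact service to (total, malicious, score).
    score is malicious/total, or None when total < min_sample, so a
    single flagged registration cannot condemn a low-volume provider."""
    totals, bad = defaultdict(int), defaultdict(int)
    for _domain, contact, malicious in records:
        totals[contact] += 1
        if malicious:
            bad[contact] += 1
    return {
        c: (totals[c], bad[c], bad[c] / totals[c] if totals[c] >= min_sample else None)
        for c in totals
    }


def should_block(contact, scores, threshold=0.5):
    """Local policy: block domains whose proxy contact has a scored rate
    above threshold; unscored or unknown services are not blocked."""
    entry = scores.get(contact)
    return entry is not None and entry[2] is not None and entry[2] > threshold
```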

Collateral damage
Some readers may object or cringe over the perceived collateral damage to legitimate individuals or organizations that have unfortunately chosen a provider unable or unwilling to manage malicious behavior among its customers. But unlike domain shutdowns, where multi-user sites (remember Jotform?) become unreachable to everyone, actions that an organization adopts voluntarily affect only users within its administrative domain. That's closer to a neighborhood boycott than a domain seizure.

There are many long-term benefits that organizations hope to achieve with these boycotts.

  • Legitimate organizations and users will abandon providers with poor reputations and flock to those with better reputations.
  • Providers with poor reputations will take remedial actions to avoid or recover from customer attrition and continued erosion of their reputation.
  • Users or organizations that switch will get better services from their new provider.
  • Providers with poor reputations cannot inflict reputational harm on their industry segments.

(Source: The Spamhaus Project)

Though the Spamhaus action feels radical, the reality is that private network operators block on this scale today. The operators may do so without the benefit of an external block list that is compiled with considerable attention to accuracy and subjected to public scrutiny. They do so because they are first and foremost responsible and accountable for their organization's security. It's not harsh or unreasonable for organizations to insist on similar, reasonable, and timely responses to abuse from service providers.

What Spamhaus did isn't revolutionary, but it may be a signal that the game has changed.

Comments
Andrew J Scoville,
User Rank: Apprentice
11/22/2013 | 8:26:11 PM
Re: Malicious blacklisting is never acceptable
Hello idiot,

From the graphic posted above, it looks like Spamhaus contacted them over 80 times about the problem but were ignored, and THEN they were listed.

Spamhaus is not an American company and not subject to "American legal action".

Spamhaus does block millions of botnet IPs with their XBL, and blocks their command & control servers with its BGPf list.

Your post is a complete waste of time, because you don't bother to educate yourself before running your mouth. It's embarrassing.

0id,
User Rank: Apprentice
11/22/2013 | 3:44:23 PM
Malicious blacklisting is never acceptable
So thousands of innocent victims suffered collateral damage for an unspecific length of time, in what appears to be a completely unnecessary act.

That the company quickly responded proves that if Spamhaus had actually contacted them about the problem, it would have been solved - as indeed it was.

When's the last time a Chinese company had success in legal action in American courts against an American company?

Of course they didn't react - they know full well that the corruption of the US legal system and anti-China bias in their juries would have been a total time and money waster.

Spamhaus is basically a complete waste of time. Almost all spam is sent via botnets, which Spamhaus can't stop, so the only good they serve is to perpetuate the extortion of money by whitelist providers and blacklist consumers, on the back of providing an increasingly irrelevant and alarmingly cavalier and dangerous blocking service.

What is more important to you: skipping the occasional junk message, or not having your important emails trashed by overzealous operators using collateral damage extortion techniques to further their agenda?