Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Spamhaus Shows What's Next For Block Listing
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
User Rank: Apprentice
11/28/2013 | 7:14:57 AM
Needs more
  • Legitimate organizations and users will abandon providers with poor reputations and flock to those with better reputations.
  • Providers with poor reputations will take remedial actions to avoid or recover from customer attrition and continued erosion of their reputation.
  • Users or organizations that switch will get better services from their new provider.
  • Providers with poor reputations cannot inflict reputational harm on their industry segments.

    In a perfect world this sounds ideal, but it's really starting to feel like SMTP needs an overhaul from the ground up, it's too long in the tooth and doesnt cate for spam prevention among other things nearly enough
User Rank: Apprentice
11/26/2013 | 5:29:30 PM
Re: How can we trust them?
I work with folks from many of the reputation, block list, or "intervenor/responder" communities. My experience is that block listing relies heavily on information sharing and collaboration, and that these processes put a great deal of time and consideration to minimize false positives or collateral harm. 

I think these checks and balances make reputation scoring more reliable and much less prone to malice or retaliation or vigilantism than user submitted phish or web trust sites. 

User Rank: Apprentice
11/26/2013 | 3:31:56 PM
How can we trust them?
Hi Dave,

You mentioned that there was no public outcry or condemnation.  The question is:  are we allowed to publicly oppose Spamhaus?  Recently, a person had edited their Wikipedia article to mention the recent conflict with the group "Stophaus".  The edit was immediately reverted by someone from Spamhaus, and the editor's IP was added to Spamhaus' blocklist.  People in the ISP community walk on eggshells around Spamhaus out of fear of reprisal.

In regards to reptuation scores, have you ever had someone say they hate your favorite restaurant or sports team?  How can businesses be sure that they are receiving all their legitimate correspondence when they rely on the subjective opinions of a group of people that assumes no responsibility for their actions, and triggers blocking of email from entire swathes of the internet with impunity?

Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
11/25/2013 | 10:55:52 AM
Re: Malicious blacklisting is never acceptable> Or is it?
Thanks for calling attention to the Web index for 2013, Brian. I totally agree with your point relating economic development with freedom and human rights. It's good to see it quantified. 

As for the "gray area"  of block listing, I think Dave lays out a pretty good case about the reasons organizations may choose to blocklist. Those that do, (as he added on his comment) take those actions when they reach the point that  harm to their  users is at greater risk than not blocking. 

I'm not sure that the industry is at a point where it's necessary to codify those malicious behaviors into standards. But it's certainly a subject worth considering and discussing. 
User Rank: Apprentice
11/24/2013 | 2:48:11 PM
Re: Malicious blacklisting is never acceptable> Or is it?
Thank you for the links Dave, and yes I agree that blocking is an area where choosing sides are of no value, understanding motives and reacting according is where we can find value.

The World Wide Web Foundation has recently released a Web index for 2013 that measures development by evaluating universal access, relevant content, freedom, openness, impact and empowerment of different countries -- it is not surprising to see that the five countries at the bottom of this list also have low performing economies at the moment. I guess it means that blocking powers are being misused in those economies. In our global village we also have malware like i2ninja etc that is created with the exact intention to cause harm, I feel this is where a block can be justified.

Basically, it is all a gray areas until and unless we look deeply into the motives behind a block.
User Rank: Apprentice
11/23/2013 | 3:52:24 PM
Re: Malicious blacklisting is never acceptable> Or is it?
Good points, all Brian.

FWIW, I have also written columns that explain how blocking actions typically taken by private network admins have different affects - and can result in unacceptable collateral harm - when taken by public operators, ISPs, or governments. 

You can find a summary of these and links to three related articles at Making Sense of Shutdowns, Takedowns, Seizures and More...
User Rank: Apprentice
11/23/2013 | 3:45:17 PM
Re: Malicious blacklisting is never acceptable> Or is it?
Hi Marilyn,

I'm neither advocating or opposing block listing but as you say, positing a future direction that block listing may take if (or when) harm to an organization's own users vs collateral harm reaches a tipping point.

One answer to your question " Are there acceptable limits to malware blacklisting?" is answered nearly every day: risk tolerance dictates limits for private network admins, and risk from malware has become a largely untolerated risk.

I, too, welcome public outcry.

Especially when it takes the form of informed, reasoned debate. 
User Rank: Apprentice
11/23/2013 | 3:35:48 PM
Re: Malicious blacklisting is never acceptable
Thanks for your post. Let me set some facts before you, since you may not have found time to look at the chronology of events leading to Spamhaus' action.
  1. Spamhaus had identified 92 violations as far back as 2010. These went unresolved. They were listed at http://www.spamhaus.org/sbl/query/SBL201751 but you now have to go into the archives.
  2. The violations included botnet spam hosting, malware hosting, malware dropper hosting, DDoS botnet controllers and more. Using the SBL does more for an organization than block occasional junk messages: it protects users against the very botnets that you claim generate spam.
  3. They did not act zealously or without care, they did give CHINANET-GD time to resolve.

I'm most disappointed that you appear to have missed the important point that the use of SBL is a voluntary act by organizations who made the decision to protect their own users against malware distribution, spam, or DDoS at the expense of not processing mail from addresses on the block list.


User Rank: Apprentice
11/23/2013 | 1:44:26 PM
Re: Malicious blacklisting is never acceptable> Or is it?
Marilyn, excellent point as debates are good. From a business standpoint that wants to protect its customers from spam, I think blocking an ISP is a very small matter as any business that truly respects its customers would even get their own domain blocked, if they suspected their own domain to be spamming customers. From an economic perspective things are different, blocking anything becomes a mathematical equation that will eventually reduce or limit productivity on both ends, and roads etc were blocked in the past when roads were our main source of commerce. Today in this information age, information highways are blocked. As for customers, well I think every customer would like to open their spam folder and get the message "Hooray, no spam here!", and their main inbox would be no exception.

Definitely, it is a complex topic and it is extremely interesting to know about the "rapid chain of events" and moreover that it was "accepted without public outcry or condemnation", changing times I guess.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
11/23/2013 | 11:25:10 AM
Re: Malicious blacklisting is never acceptable> Or is it?
Andrew, I really appreciate your passionate opposition to malicious malware blacklisting and for taking the time to share your strongly-held views with InformationWeelk . While the author, Dave Piscitello, VP Security at ICANN, posits an opposing -- and apparently controversial --  point of view, I can assure you that he is no idiot and is very well-informed about the issues he raises in this column. 

I'll let Dave respond to the specific points in your post, but one thing in his column that stood out when I read it was his observation that the "rapid chain of events'" that lead to the Spamhaus blacklisting was "accepted without public outcry or condemnation." 

I can see by your comment, and another by 0id, that the public outcry has arrived at InformationWeek -- and we're delighted to have it. Let's have a thoughtful debate on the merits. Are there acceptable limits to malware blacklisting? If so, what are they? If not, why not. 

Page 1 / 2   >   >>

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Incorporating a Prevention Mindset into Threat Detection and Response
Threat detection and response systems, by definition, are reactive because they have to wait for damage to be done before finding the attack. With a prevention-mindset, security teams can proactively anticipate the attacker's next move, rather than reacting to specific threats or trying to detect the latest techniques in real-time. The report covers areas enterprises should focus on: What positive response looks like. Improving security hygiene. Combining preventive actions with red team efforts.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2022-05-22
OS Command Injection in GitHub repository yogeshojha/rengine prior to 1.2.0.
PUBLISHED: 2022-05-21
Access of Uninitialized Pointer in GitHub repository radareorg/radare2 prior to 5.7.0.
PUBLISHED: 2022-05-21
Gitblit 1.9.2 allows privilege escalation via the Config User Service: a control character can be placed in a profile data field, such as an emailAddress%3Atext '[email protected]\n\trole = "#admin"' value.
PUBLISHED: 2022-05-21
A Path Traversal vulnerability in Gitblit 1.9.3 can lead to reading website files via /resources//../ (e.g., followed by a WEB-INF or META-INF pathname).
PUBLISHED: 2022-05-21
Solana solana_rbpf before 0.2.29 has an addition integer overflow via invalid ELF program headers. elf.rs has a panic via a malformed eBPF program.