This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] Re: Additional Layers for Economic Incentives to improve Internet Security
Joe St Sauver
joe at oregon.uoregon.edu
Mon Dec 27 19:09:08 CET 2010
jorgen at hovland.cx commented:

#So a quick summary:
#An ASN does not represent a single legal entity

Actually, at least some ASNs do represent single legal entities. For example, AS25 is the University of California at Berkeley and AS4983 is Intel, just to mention a couple of many examples. Other ASNs may represent ISPs which provide services to multiple downstream customers, but those ISPs are still "single legal entities."

I think the point that you're trying to make is that blocking by ASN is overly broad, and might cause too much collateral damage in some cases. I would agree with you, for example, that folks likely wouldn't want to block AS701, for example, but in other cases blocking by ASN, or at least accumulating reputation by ASN, may be quite feasible.

#Spam in general cannot be defined

Sure it can, and many folks offer definitions, including folks such as Spamhaus, see http://www.spamhaus.org/definition.html

Other entities, such as MAAWG, prefer to opt out of the whole "what is and what isn't spam" debate, simply referring to "abusive mail" for things like their quarterly email metrics reports (see http://www.maawg.org/email_metrics_report )

#It's not ranking the spam volume

People can (and do) track spam volume by IP, by the netblock encompassing a spamming IP, by in-addr domain, and yes, by ASN. Some track actual spam volume by ASN, others may just track the number of observed spam sources (e.g., typically botted hosts) per ASN. Both can be interesting numbers, and the two are typically strongly correlated.

And FWIW, ASNs do work just fine as an aggregation channel for network abuse sources, particularly since who's *using* (e.g., routing) a network block may be more important than the person to whom a given netblock may nominally be assigned or allocated (e.g., we know that number resources can and have been hijacked).

There's also the pragmatic reality that you may not be allowed to do the sustained volume of whois queries you'd need to do to map all observed IPs to encompassing netblocks, but you can easily map IPs to ASNs at the rate that's required. (Besides, trying to work at the per-netblock level is pretty unwieldy when it comes to things like maintaining abuse point of contact information, while ASN point of contact information is far more stable).

#Yes, I am really concerned that people might decide to blacklist ASNs
#due to spam. It doesn't make any sense in almost all cases.

I'd have to disagree with your assertion that "it doesn't make sense in almost all cases." There are some ASNs that may be routing only a small amount of space, and which seem to have an extremely strong correlation with badness. In those cases it may make perfect sense for an ISP to decide that it doesn't want to exchange traffic with that provider.

Heck, some people just tag their incoming email with the ASN of the handoff host, and then let selected anti-spam products automatically handle the hand-off host's ASN as added to the header as just another Bayesian message attribute -- if it is helpful when it comes to classifying spam and non-spam, it gets used; if it isn't, it doesn't. Shrug. See http://linuxmafia.com/~karsten/Download/procmail-asn-header for one recipe that some folks use for this purpose.

In any event, if you elect to route a given network block, you're responsible for the unwanted traffic that may be emitted by that network block.

#But we already have blocklists aggressively doing that with netblocks
#(uceprotect, spamhaus etc). No serious mailprovider in my neighbourhood
#use those blocklists

You must be in an unusual neighborhood since Spamhaus is generally considered to protect about 1.4 billion mailboxes worldwide according to http://www.spamhaus.org/organization/index.lasso

Regards,

Joe St Sauver (joe at oregon.uoregon.edu)
http://pages.uoregon.edu/joe/

Disclaimer: all opinions expressed are my own
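
Added example (not part of the original message, and not code from any project it mentions): a sketch of accumulating reputation by ASN, mapping observed spam source IPs to origin ASNs by longest-prefix match and reporting unique sources per routed address. The routing table, ASNs and observed IPs are constructed placeholders drawn from private and documentation ranges; all function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed data: RFC 1918 / RFC 5737 prefixes and RFC 5398 documentation
# ASNs stand in for a real BGP table and real observations.
ROUTES = [
    ("10.0.0.0/8", 64496),       # large provider, many downstream customers
    ("10.20.0.0/16", 64498),     # more-specific announced by another ASN
    ("198.51.100.0/24", 64497),  # ASN routing very little space
]
SPAM_IPS = ["10.1.2.3", "10.9.9.9", "10.200.0.1", "10.77.1.1", "10.3.3.3",
            "10.3.3.3", "10.20.5.5", "198.51.100.7", "198.51.100.8",
            "198.51.100.9", "198.51.100.200", "192.0.2.1"]

def build_table(routes):
    """Parse prefixes and order them longest-prefix first."""
    table = [(ipaddress.ip_network(p), asn) for p, asn in routes]
    return sorted(table, key=lambda r: r[0].prefixlen, reverse=True)

def ip_to_asn(table, ip):
    """Longest-prefix match; None when no route covers the address."""
    addr = ipaddress.ip_address(ip)
    return next((asn for net, asn in table if addr in net), None)

def routed_space(table):
    """Addresses each ASN routes, crediting more-specifics to their origin."""
    space = defaultdict(int)
    for net, asn in table:
        space[asn] += net.num_addresses
        covering = [r for r in table if r[0] != net and net.subnet_of(r[0])]
        if covering:  # the nearest covering prefix loses this range
            parent = max(covering, key=lambda r: r[0].prefixlen)
            space[parent[1]] -= net.num_addresses
    return dict(space)

def asn_report(table, spam_ips):
    """Unique spam sources per ASN, plus sources per routed address."""
    sources = defaultdict(set)
    for ip in spam_ips:
        asn = ip_to_asn(table, ip)
        if asn is not None:
            sources[asn].add(ip)
    space = routed_space(table)
    return {asn: {"sources": len(ips), "routed": space[asn],
                  "density": len(ips) / space[asn]}
            for asn, ips in sources.items()}

if __name__ == "__main__":
    report = asn_report(build_table(ROUTES), SPAM_IPS)
    for asn, row in sorted(report.items(), key=lambda kv: -kv[1]["density"]):
        print(f"AS{asn}: {row}")
```

In this constructed data the large ASN has the most sources in absolute terms, but the small ASN has by far the highest density, which is the distinction between an over-broad block and a narrowly scoped one.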