[anti-abuse-wg] Re: Additional Layers for Economic Incentives to improve Internet Security

jorgen at hovland.cx commented:

#So a quick summary:
#An ASN does not represent a single legal entity

Actually, at least some ASNs do represent single legal entities. For example,
AS25 is the University of California at Berkley and AS4983 is Intel, just to 
mention a couple of many examples. 

Other ASNs may represent ISPs which provide services to multiple 
downstream customers, but those ISPs are still "single legal entities"

I think the point that you're trying to make is that blocking by ASN is
overly broad, and might cause too much collateral damage in some cases.
I would agree with you, for example, that folks likely wouldn't want to 
block AS701, for example, but in other cases blocking by ASN, or at 
least accumulating reputation by ASN, may be quite feasible.

#Spam in general cannot be defined

Sure it can, and many folks offer definitions, including folks such as
Spamhaus, see http://www.spamhaus.org/definition.html

Other entities, such as MAAWG, prefer to opt out of the whole "what is
and what isn't spam" debate, simply referring to "abusive mail" for 
things like their quarterly email metrics reports (see
http://www.maawg.org/email_metrics_report )

#It's not ranking the spam volume

People can (and do) track spam volume by IP, by the netblock encompassing
a spamming IP, by in-addr domain, and yes, by ASN.

Some track actual spam volume by ASN, others may just track the number
of observed spam sources (e.g., typically botted hosts) per ASN. Both can
be interesting numbers, and the two are typically strongly correlated.

And FWIW, ASNs do work just fine as an aggregation channel for network abuse 
sources, particularly since who's *using* (e.g., routing) a network block 
may be more important than the person to whom a given netblock may nominally
be assigned or allocated (e.g., we know that number resources can and 
have been hijacked). 

There's also the pragmatic reality that you may not be allowed to do 
the sustained volume of whois queries you'd need to do to map all observed
IPs to encompassing netblocks, but you can easily map IPs to ASNs at the
rate that's required. (Besides, trying to work at the per-netblock level
is pretty unwieldy when it comes to things like maintaining abuse point 
of contact information, while ASN point of contact information is far more 
stable).

#Yes, I am really concerned that people might decide to blacklist ASNs 
#due to spam. It doesn't make any sense in almost all cases.

I'd have to disagree with your assertion that "it doesn't make sense
in almost all cases."

There are some ASNs that may be routing only a small amount of space,
and which seem to have an extremely strong correlation with badness.
In those cases it may makes perfect sense for an ISP to decide that 
it doesn't want to exchange traffic with that provider.

Heck, some people just tag their incoming email with the ASN of the 
handoff host, and then let selected anti-spam products automatically handle 
the hand-off host's ASN as added to the header as just another Bayesian 
message attribute -- if it is helpful when it comes to classifying spam 
and non-spam, it gets used; if it isn't, it doesn't. Shrug. See 
http://linuxmafia.com/~karsten/Download/procmail-asn-header
for one recipe that some folks use for this purpose.

In any event, if you elect to route a given network block, you're 
responsible for the unwanted traffic that may be emitted by that
network block. 

#But we already have blocklists aggressively doing that with netblocks 
#(uceprotect, spamhaus etc). No serious mailprovider in my neighbourhood 
#use those blocklists 

You must be in an unusual neighborhood since Spamhaus is generally
considered to protect about 1.4 billion mailboxes worldwide according
to http://www.spamhaus.org/organization/index.lasso

Regards,

Joe St Sauver (joe at oregon.uoregon.edu)
http://pages.uoregon.edu/joe/
Disclaimer: all opinions expressed are my own