[anti-abuse-wg] Re: Additional Layers for Economic Incentives to improve Internet Security

On 27/Dec/10 19:09, Joe St Sauver wrote:
> jorgen at hovland.cx commented:
> 
> #Spam in general cannot be defined
> 
> Sure it can, and many folks offer definitions, including folks such as
> Spamhaus, see http://www.spamhaus.org/definition.html

Although I mostly agree with that definition, it is not quite applicable:

* "bulk" is ill defined (by induction), and
* "unsolicited" cannot be verified (no opt-in acknowledge protocol).

Possibly, reputation ranking should be based on (verified and
verifiable) spam reports...

> There's also the pragmatic reality that you may not be allowed to do 
> the sustained volume of whois queries you'd need [...]

Getting the abuse@ address should be an exception to such limit.

> #Yes, I am really concerned that people might decide to blacklist ASNs 
> #due to spam. It doesn't make any sense in almost all cases.
> 
> I'd have to disagree with your assertion that "it doesn't make sense
> in almost all cases."

May I ask how blocking by ASN is different than by IP?  I consider the
latter somewhat anti-historical, in view of IPv6.  It is also
counter-productive as it tends to favor those who change addresses and
names more often (spammers).  Does block-by-ASN hinge on intrinsic
difficulties in setting up an AS?

> There are some ASNs that may be routing only a small amount of space,
> and which seem to have an extremely strong correlation with badness.
> In those cases it may makes perfect sense for an ISP to decide that 
> it doesn't want to exchange traffic with that provider.

I would block ranges from Spamhaus' DROP list.  It has already defined
a file format.  Thus, it may be more practical for an host to convert
an ASN into the corresponding ranges, and then block those.

> In any event, if you elect to route a given network block, you're 
> responsible for the unwanted traffic that may be emitted by that
> network block. 

This statement makes lots of sense!  It paves the way for resolving
network issues inside the network, rather than resorting to
unspecified legal resources.

> #But we already have blocklists aggressively doing that with netblocks 
> #(uceprotect, spamhaus etc). No serious mailprovider in my neighbourhood 
> #use those blocklists 
> 
> You must be in an unusual neighborhood since Spamhaus is generally
> considered to protect about 1.4 billion mailboxes worldwide according
> to http://www.spamhaus.org/organization/index.lasso

Spamhaus is Spamhaus.  However, small mailbox providers will always
have difficulties at blocking huge senders.  For example, I had to
whitelist TelecomItalia when it was blacklisted.

Possibly, block-by-ASN should be done by the other AS's, directly and
unconditionally.  For example, block port 25 after an AS has been
proved to blatantly ignore abuse reports...  We'd probably need some
sort of recognized authority to issue such sentences, though.