This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] Policy disallowing spam from RIPE blocks, was Use of RIPE region space by out-of-region users
Ronald F. Guilmette
rfg at tristatelogic.com
Thu Mar 10 00:51:20 CET 2011
In message <1299680973.2210.72.camel at shane-desktop>, Shane Kerr <shane at time-travellers.org> wrote:

>As far as I can tell, the desire is to make it against the policies to
>send spam from RIPE NCC address space. I find it incredibly frustrating
>that nobody will actually just say that. :)
>...
>If I'm missing the point and there is actually something else going on,
>please someone clue me in!

Be glad to. And I appreciate you asking.

OK, here's what's really going on...

As you may have noticed, there's a LOT of spam on the Internet, and has been for several years now. But there are different flavors of it, and some are harder to combat (and some create some _separate_ and _additional_ problems) more than others.

It is often the case that, for example, "Joe" of "Joe's Pizza Palace" happens to have an idiot nephew, and the idiot nephew, who believes everything he reads, believes that the way to instant riches is to have a web site and then spam *everybody* in the Universe, from Alaska to Zanzibar, telling them how swell Joe's pizza is. (This happens routinely _even though_ Joe's Pizza Palace has only one location, on the Interstate just outside of Lakewood, New Jersey, and nobody is likely to travel from Alaska to New Jersey just to get a pizza.)

So anyway, Joe, being an ordinary small businessman, has one web site and it has been assigned one single domain name and one single IP address. When Joe's idiot nephew sends out his massive spam run, that one domain name and that one IP address almost instantly end up on a whole slew of blacklists. (In particular, the IP address will end up very quickly on the Spamcop blacklist.)

The bottom line is that these kinds of one-domain/one-IP spammers are actually not difficult at all to handle in a very complete and comprehensive manner, using existing tools (i.e. existing blacklists), and thus they don't create much in the way of problems for anyone. The problem of one-domain/one-IP spammers is virtually a non-problem.

In contrast to this sort of situation, these days the net has lots and lots of what are called professional ``snowshoe'' spammers. These folks are astute. They know the score, and they know how existing spam blocking systems work. These people are *not* at all the same as Joe's idiot nephew. They are determined, and they are educated, and like the Terminator, they WILL NOT STOP... at least not until they have managed to defeat all of the existing technical systems that have been put in place to block spam.

The primary methodology of these folks... the way they get around traditional anti-spam blacklists, is to ``spread out'' (like a snowshoe) their activities, across big swaths of the domain name space and also across big swaths of the IP address space. Their approach is the same as what the Soviets were planning (hoping?) to be able to use to overcome the U.S.'s "Star Wars" missile defense system... just build enough attack vehicles so that you can overwhelm the defenses with sheer numbers.

In the case of snowshoe spammers, their ``attack vehicles'' consist of domain names and IP addresses, and from their perspective, they can NEVER have too many of either one. As we speak, there are snowshoe spammers on the Internet who have well over 10,000 different second-level domain names and well over 10,000 different IPv4 addresses at their disposal, and they are using them all to overwhelm traditional spam defenses (like the Spamcop IP blacklist, and the URIBL and SURBL domain-based blacklists). The ``spam traps'' that are used to drive these blacklists are never likely to see _all_ of the actual spam sources (IPs & domains) that comprise any given snowshoer's complete arsenal, so as with the Soviets, 20+ years ago, they can be assured that at least _some_ of their stuff will always get through.

Is this whole escalation of the spam arms race bad for ``our side''... for the ``good guys'' who are fighting against spam? Yes. Certainly. But here, since not everybody on this list is even clearly convinced that spam itself is a Bad Thing, we can... and probably should... ignore that fact entirely. Instead, just ask yourself if this specific escalation in the ongoing spam arms race is good (or bad) for the Internet generally, and without even any regard for the actual spam flow which inevitably follows the setting up of any given snowshoe.

When the issue is looked at even with these blinders on... ignoring totally the massive annoyance and massive costs that spam on the net creates for everyone... it can *still* be seen that ``snowshoeing'', at least with respect to IP address space, is a fundamentally and unequivocally Bad Thing. The reason is simple... IP address snowshoeing uses up vast quantities of IP address space... in particular, IPv4 address space... you know... the stuff that we are supposedly running out of, and that people soon won't be able to get any more of.

Professional snowshoe spammers are rather like the all-consuming ``virus'' that was alluded to briefly in the first "Matrix" movie. It doesn't matter how much IPv4 space you give them. They will always want more and always consume as much as they were given (laying waste to it as they consume it).

So in order to understand why the issue of snowshoe spammers might have relevance to RIPE, *even independent from the annoying and costly aspects of the spam they generate*, you only have to understand that IPv4 (and also IPv6) are finite resources, that we are rapidly running out of IPv4, and that snowshoe spam farms are almost certainly the absolutely LEAST efficient and/or cost effective way to make use of what remains.

Think of it this way... You are among the remaining inhabitants of Easter Island. Your tribe has already chopped down and used up all of the trees on the island except one. Your friends are currently making plans to chop down that one last tree, and they plan to use the wood from it _not_ to build a canoe to get you and your tribe away from this dying island, but rather, your friends just want to use the wood from the last remaining tree to make toothpicks and earrings. Now they turn to you and ask you for YOUR opinion. What are you going to tell them?

Using vast swaths of the remaining IPv4 address space for spammer snowshoe farms is simply THE most silly and wasteful use of what remains that you can possibly imagine, bar none.

In summary:

* Thwarting spam from single-point sources is easy. Thwarting it when it emanates from ``snowshoe spam farms'' is exponentially harder.

* Snowshoe spam farms are THE single most wasteful use of finite and limited Internet number resources imaginable.

Some people here don't want RIPE involved in the business of regulating spam. OK. Fine. I understand that. But that's not the question before us. Rather, the dual questions before us are as follows:

* Does RIPE _really_ have to operate under a set of policies (and/or lack-of-policies) that, it would seem, may actually be *encouraging* and *supporting* the practice of snowshoe spamming, which, as I have said, is the most difficult form of spamming to combat with existing technical measures?

* Do RIPE and the RIPE community _really_ not grasp the fact that regardless of what you think of spam and spammers, the creation of IP address snowshoe spam farms is an unmitigated and colossal waste of the very resources that RIPE was created to be competent shepherds over?

Yes, I admit it. Guilty as charged. I don't like spam. And I'd love it if every spammer ever found using RIPE number resources was summarily shown the door. But that's clearly not going to happen, so just forget I even mentioned it, and please turn your attention instead to the two bullet points just above.

Just one last comment...

I have no doubts whatsoever that some folks here in the U.S.A., and many folks in the RIPE geographical region, and probably even a few people on this specific mailing list own stock in companies that manufacture and sell networking equipment, in particular, IPv6 gear. For all such folks, I fully expect my entreaties to fall on deaf ears. Anybody owning stock in the various network equipment manufacturers would, I suspect, like nothing better than the utter and final exhaustion of IPv4 at the earliest possible moment, as that event will almost certainly be the primary trigger for the next big equipment upgrade cycle.

Notwithstanding these facts, the community as a whole... both stockholders and non-stockholders alike... would be ill-served, I think, by any deliberate efforts to engineer the early exhaustion of the IPv4 space, e.g. by using snowshoe spammers and their infinite appetites for IP space as convenient scapegoats.

Regards,
rfg