nanog mailing list archives

RE: How many backbones here are filtering the makelovenotspam screensaver site?


From: "Chad Skidmore" <cskidmore () go180 net>
Date: Thu, 2 Dec 2004 14:21:07 -0800


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 
-----Original Message-----
From: Steven Champeon [mailto:schampeo () hesketh com] 
Posted At: Thursday, December 02, 2004 1:09 PM
Posted To: NANOG
Conversation: How many backbones here are filtering the 
makelovenotspam screensaver site?
Subject: Re: How many backbones here are filtering the 
makelovenotspam screensaver site?


My point was to Martin's question about what would happen if 
- god forbid - there were large botnets under the control of 
spammers; a careful reading will suggest that my major point 
was, duh, that there already are large botnets under the 
control of spammers.

I realize that is the point you were trying to make.  I also realize
that Martin is pretty well aware of botnets and the threat they
create.  I suspect that most other readers on NANOG are also well
aware.

What doesn't seem to be as common knowledge as I would expect is that
botnets are a commodity.  As such they are traded, sold, purchased
and even stolen.  That last point is particularly important in this
case.  Lycos has created a large botnet (at least by most people's
definition) that is hidden in the guise of a screen saver claiming to
only go after the "bad guys". This botnet uses a command and control
server that is now well publicized, and uses a communication channel
that is not encrypted or obfuscated in any way.  That makes it a
botnet just asking to be stolen. Fortunately the C&C server is
blackholed by what seem to be a large number of providers and the
botnet is now fairly useless.

Good point. Simply put, I can (and do) read my own mail server
logs. And I can see that many ISPs - regardless of what they may be
doing in onesy-twosy increments - simply aren't doing enough 
to prevent new botnet infections from wasting my server's 
cycles in futile attempts to deliver spam, outscatter, virus 
warnings, etc. etc. ad infinitum.

It is certainly more than "onesy-twosy increments" but I agree that
the problem is large enough that it certainly feels like a weak
attempt from the average user/operator's point of view.  

This costs me time and money, and many of the same ISPs 
mentioned above are simply cost-shifting their own 
responsibility onto me and everyone else, and I'm tired of it.

I encourage everyone to vote with their wallet when it comes to this
type of thing.  Buy your transit from organizations with dedicated
security teams that actively engage in SPAM/Bot/Worm/Viri fighting
efforts.  Those things cost money and take time and are usually
unacknowledged efforts.  Larger providers seem to make easier targets
when it comes to placing blame and saying that they aren't doing
enough to combat miscreant activity.  I don't believe that is the
case overall.  They just have a much larger customer base, higher
volumes of traffic to inspect, and more politics to work within.
 
Not to say there aren't responsible ISPs, and I hope that 
anyone who /is/ a part of the solution, rather than the 
fertile substrate for the problem, is capable of recognizing 
that and not taking offense when I point out there are others 
who could do more.

I believe that EVERYONE could do more on this front.  It is a moving
battle that requires constant improvement just to stay afloat, let
alone get ahead. For those genuinely interested in improving what
they are doing on this front I strongly encourage you to attend the
NSP-Sec BOFs at NANOG. You might be surprised what you learn and who
you meet that can be helpful.

As for go180.net, you don't show up much on my radar, but on 
Nov 9th we were hit by a spammer from 
SpokaneHotZone-63.go180.net [66.225.5.63].
I trust this is not a legitimate mail server and I can block 
it and any other host that looks like it within the same 
domain, right? Thanks.
Otherwise, you may want to do something to distinguish it 
from the other generic hosts in the same range.

Glad you don't see much from us; it must mean that the effort put forth
by some of our team is not going to waste.  You are correct, that is
not a legitimate mail server but is an IP from a city-wide wireless
network.  That network has since been secured to restrict TCP 25
outbound (along with other typical miscreant traffic), so you
shouldn't see anything again from that network on port 25. If we rise
up on your radar in the future, feel free to make use of the typical
NOC and Abuse e-mail addresses; they do get answered and acted upon
here.

Regards,
Chad


- ----------------------------
Chad E Skidmore
One Eighty Networks, Inc.
http://www.go180.net
509-688-8180   


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQa+VUk2RUJ5udBnvEQJXPQCeMhYgS4vHzmjP2fpgVeEFySQWw4QAn1f/
g70E3QaL3VOcZvILXD80AqjF
=he0W
-----END PGP SIGNATURE-----
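The "restrict TCP 25 outbound" control Chad describes for the wireless network is the one concrete mitigation in this thread. The script below is an added example, not code from Chad, One Eighty Networks or the NANOG archive: it generates an iptables rule set that diverts port 25 traffic from a subscriber range into its own chain, lets only the provider's own relay through, and logs and resets everything else, then summarises the resulting kernel log lines per source host. The subscriber range (192.0.2.0/24), relay address (203.0.113.25) and sample log lines are constructed placeholders from the RFC 5737 documentation ranges, not go180.net's real addressing.

```shell
#!/bin/sh
# Added example, not part of the original message: generate (and optionally
# apply) an iptables rule set that blocks outbound TCP/25 from a subscriber or
# wireless range except to the provider's own relay, and summarise the log it
# produces.  All addresses are RFC 5737 documentation ranges used as placeholders.

# gen_smtp_egress_rules SUBSCRIBER_CIDR RELAY_IP
# Prints the rules without applying them.  Port 25 traffic from the subscriber
# range is sent to SMTP_EGRESS, where only the provider relay is allowed;
# everything else is logged (rate limited) and reset.  Submission on 587/465
# is not matched, so authenticated mail clients keep working.
gen_smtp_egress_rules() {
    cidr="$1"
    relay="$2"
    cat <<EOF
iptables -N SMTP_EGRESS
iptables -A FORWARD -s $cidr -p tcp --dport 25 -j SMTP_EGRESS
iptables -A SMTP_EGRESS -d $relay -j RETURN
iptables -A SMTP_EGRESS -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "SMTP25-EGRESS: "
iptables -A SMTP_EGRESS -j REJECT --reject-with tcp-reset
EOF
}

# apply_smtp_egress_rules SUBSCRIBER_CIDR RELAY_IP
# Runs the generated rules; requires root on the gateway.
apply_smtp_egress_rules() {
    gen_smtp_egress_rules "$1" "$2" | sh
}

# count_blocked_by_source LOGFILE
# Counts LOG-target hits per source address, most active first.  A host that
# keeps tripping this rule is the kind of machine the abuse desk should look at.
count_blocked_by_source() {
    grep 'SMTP25-EGRESS:' "$1" \
        | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn
}

# Constructed sample kernel log lines in the format the LOG target writes
# (placeholder addresses; the sshd line is noise the filter must ignore).
SAMPLE_LOG="${TMPDIR:-/tmp}/smtp_egress_sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
Nov  9 10:12:01 gw kernel: SMTP25-EGRESS: IN=wlan0 OUT=eth0 SRC=192.0.2.63 DST=198.51.100.10 PROTO=TCP SPT=40211 DPT=25
Nov  9 10:12:03 gw kernel: SMTP25-EGRESS: IN=wlan0 OUT=eth0 SRC=192.0.2.63 DST=198.51.100.11 PROTO=TCP SPT=40212 DPT=25
Nov  9 10:15:44 gw kernel: SMTP25-EGRESS: IN=wlan0 OUT=eth0 SRC=192.0.2.17 DST=198.51.100.12 PROTO=TCP SPT=51000 DPT=25
Nov  9 10:16:02 gw sshd[2211]: Accepted publickey for ops from 192.0.2.5 port 50222
EOF

# Dry run: show the rules for the placeholder range, then the per-host summary.
gen_smtp_egress_rules 192.0.2.0/24 203.0.113.25
echo
count_blocked_by_source "$SAMPLE_LOG"
```

The RETURN for the relay comes before the LOG/REJECT pair on purpose: subscribers who relay through the provider's smarthost never appear in the log, so the summary shows only direct-to-MX attempts, which on a consumer or hotspot range are almost always an infected host rather than a deliberate mail server.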

