Re: BGP list of phishing sites?

[Alex Bligh <alex () alex org uk>]

--On 28 June 2004 18:43 +0100 Simon Lockhart <simon.lockhart () bbc co uk> 
wrote:

> It's wholy unfair to the innocent parties affected by the blacklisting.
> i.e. the collateral damage.
>
> Say a phising site is "hosted" by geocities. Should geocities IP addresses
> be added to the blacklist?
>
> What if it made it onto an akamaized service? Should all of akamai be
> blacklisted?

This is an issue wider than spam, phishing, etc.

That would depend on whether your block by IP address (forget whether
this is BGP black hole lists, DNSRBL for SMTP etc.) is of
a) IP address that happen to have $nasty at one end of them; or
b) IP address for whom no abuse desk even gives a response (even
  "we know, go away") when informed of $nasty.

It also depends on whether your response is "drop all packets" (a la
BGP blackhole) or "apply greater sanctions".

Seems to me (b) is, in general, a lot more reasonable than (a) particularly
where there is very likely >1 administrative zone per IP address (for
example HTTP/1.1). It also better satisfies Paul's criterion of being more
likely to engender better behaviour (read: responsibility of network work
operators for downstream traffic) if behaviour of the reporter is
proportionate & targeted.

WRT "apply greater sanctions", it is possible of course, though perhaps
neither desirable nor scalable, to filter at layer>3 all sites on given IPs
to minimize collateral damage. See
http://www.theregister.co.uk/2004/06/07/bt_cleanfeed_analysis/

This is effectively what tools like spamassassin do when taking RBL type
feeds as a scoring input to filtering, in a mail context.

Alex