[SpamCop-List] Re: Stupid Question
John E. Malmberg
wb8tyw at qsl.network
Thu Feb 12 10:29:09 EST 2004
In article <c0fq8o$1nu$1 at news.spamcop.net>,
"Miss Betsy" <nobody at spamcop.net> writes:
> Perhaps part of connecting to a cable modem would be to install a
> firewall (router?). When the person connects, the ISP checks it
> and if it isn't secure, then no connection happens. (and possibly
> random checks to make sure everything is still secure).

You are giving a dial-up model, not a broadband model.

With broadband, the time of a connection can be measured in time between
network / power failures. It is generally always on.

Sweeps for vulnerabilities for a large network could take quite a bit of
time to find anything. If you speed it up, you need more scanning CPU power,
and more network bandwidth.

> This is where government regulation could come in. ISP's could be
> fined for not using preventative measures and they could pass the
> cost on to the customer the way the phone company does.

What is reasonable for any medium to large ISP to do is use a robot to
screen abuse reports, and check them for headers that indicate a relay or
origin on their networks.

At that point they can run a security scan on the I.P. address involved,
and if it fails, they can lock that I.P. address from changing on the DHCP
server, and block it from sending e-mail.

The robot can put an e-mail address on the ISP's mail server notifying
the customer of the action so that they can fix their equipment. It still
allows them access to download patches. They just can not send e-mail.

And of course the robot would set a flag on the account for when the
owner called in on it.

Then what the robot could not handle would be queued to humans.

And even if the robot can not find a vulnerability, it could keep
statistics to give a flag that an I.P. address is generating a lot of
abuse reports, so someone should give a priority to investigate.

This procedure both saves the ISP money and improves its operational
efficiencies. And one ISP posted last year that they use a system like
this for spamcop.net reports as it helps keep the system clean.

> If foreign
> countries don't pass such laws or ISP's don't voluntarily follow
> such regulations, then ISP's can block them. Then people asking
> "why am I blocked?" would not be told that they are spamming, but
> that they are using an insecure ISP where people can get trojans.

If ISPs took the attitude of refusing all traffic from networks that
permitted abuse, the internet would get cleaned up real quick.

Instead they seem to try to be "nice" and tolerate a very high threshold of
sewage before they hit a cutoff.

Of course it is hard to find any large group that agrees what levels of
abuse should be tolerated, and how extensive the blocking should be in
response.

I also think that ISPs should run spamtraps and honeypots. Any network probing
a honeypot for an open proxy gets cut off at the router for that /24 until
the abuse address for the remote network responds properly to an e-mail
notification.

Any I.P. address that sends to a spamtrap e-mail address would also get a 24
hour automatic blocking or until the remote abuse address responds properly to
the e-mail notification.

The ISPs could monitor those hits to see if the sending network is learning
to be nice, or is trying to get around blocks.

When e-mail is being rejected because of a local spamtrap hit or repeated abuse,
it would have the text message be something like:

550 - Administrative block by abuse at example.com (sending domain)
550 - E-mail blocked until abuse at example.com confirms
550 - they have corrected abuse problem on their network.

To be even better, it can contain the date/time that the problem was reported
so that the sender will know how long their ISP has been ignoring the
problem.

550 - Abuse problem(s) were reported to abuse at example.com on Jan 1, 2002
550 - and have not yet been reported to be corrected by abuse at example.com

-John
wb8tyw at qsl.network
Personal Opinion Only
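
The abuse-report robot described in the post above, sketched as an added example (not part of the original message and not any ISP's actual system): it pulls customer addresses out of the Received: headers of a report, then picks an action for each. The address ranges, threshold, action names, sample report and the `scan` callable are all assumptions made for illustration.

```python
import email
import ipaddress
import re
from collections import Counter

# Constructed values: documentation ranges stand in for the ISP's customer pools.
CUSTOMER_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
REPORT_THRESHOLD = 3  # assumed number of reports before a human is asked to look
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

SAMPLE_REPORT = (  # constructed abuse report, not real mail
    "Received: from mail.example.net (unknown [192.0.2.45]) by mx.reporter.example\n"
    "Received: from forged.invalid ([203.0.113.9]) by mail.example.net\n"
    "Subject: sample\n\nbody\n")

def customer_ips(raw_report):
    """Customer addresses named in the Received: headers of a reported message."""
    found = []
    for header in email.message_from_string(raw_report).get_all("Received", []):
        for text in BRACKETED_IP.findall(header):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:  # e.g. [999.1.1.1]
                continue
            if ip not in found and any(ip in net for net in CUSTOMER_NETS):
                found.append(ip)
    return found

class AbuseRobot:
    def __init__(self, scan):
        self.scan = scan  # hypothetical callable: scan(ip) -> True if the host passes
        self.reports, self.blocked = Counter(), set()

    def handle(self, raw_report):
        """Return (ip, action) decisions; reports naming no customer go to a human."""
        decisions = [(str(ip), self.decide(ip)) for ip in customer_ips(raw_report)]
        return decisions or [(None, "queue_for_human")]

    def decide(self, ip):
        self.reports[ip] += 1  # statistics are kept even when the scan is clean
        if ip in self.blocked:
            return "already_blocked"
        if not self.scan(ip):
            # Received lines can be forged, so only a failed scan leads to a block.
            self.blocked.add(ip)
            return "lock_dhcp_lease+block_outbound_mail+notify_customer+flag_account"
        if self.reports[ip] >= REPORT_THRESHOLD:
            return "priority_investigation"
        return "counted"
```
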