North American Network Operators Group
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Historical
Re: BGP list of phishing sites?
- From: Alex Bligh
- Date: Mon Jun 28 16:22:20 2004
--On 28 June 2004 18:43 +0100 Simon Lockhart <simon.lockhart@bbc.co.uk>
wrote:
It's wholy unfair to the innocent parties affected by the blacklisting.
i.e. the collateral damage.
Say a phising site is "hosted" by geocities. Should geocities IP addresses
be added to the blacklist?
What if it made it onto an akamaized service? Should all of akamai be
blacklisted?
This is an issue wider than spam, phishing, etc.
That would depend on whether your block by IP address (forget whether
this is BGP black hole lists, DNSRBL for SMTP etc.) is of
a) IP address that happen to have $nasty at one end of them; or
b) IP address for whom no abuse desk even gives a response (even
"we know, go away") when informed of $nasty.
It also depends on whether your response is "drop all packets" (a la
BGP blackhole) or "apply greater sanctions".
Seems to me (b) is, in general, a lot more reasonable than (a) particularly
where there is very likely >1 administrative zone per IP address (for
example HTTP/1.1). It also better satisfies Paul's criterion of being more
likely to engender better behaviour (read: responsibility of network work
operators for downstream traffic) if behaviour of the reporter is
proportionate & targeted.
WRT "apply greater sanctions", it is possible of course, though perhaps
neither desirable nor scalable, to filter at layer>3 all sites on given IPs
to minimize collateral damage. See
http://www.theregister.co.uk/2004/06/07/bt_cleanfeed_analysis/
This is effectively what tools like spamassassin do when taking RBL type
feeds as a scoring input to filtering, in a mail context.
Alex
|
