[Dshield] RBL deaths OT?

Jon R. Kibler Jon.Kibler at aset.com
Thu Sep 25 20:13:04 GMT 2003

Patrick Andry wrote:
> The big problem with RBLs is not that there is no funding, but that they have
> come under attack by DDoS recently.  Two smaller RBLs shut down this week,
> and there has been talk that SPEWS has been targeted as well.  Small sites do
> not have the money to spend on multiple internet feeds, redundant systems and
> major load balancing.  Even if they had something in place, targeting the
> authoritative nameservers would not be that hard to do.
> To set up a commercial RBL, you're going to have to do some major load
> balancing, have support from your upstream provider, and a lot of luck.
> One benefit of being a commercial site would be that you could actually claim
> damages, thereby having the FBI investigate.

I agree completely (except for being able to get the FBI to investigate). The problem is not money. How the RBLs were attacked is the problem. The massiveness of the attack would not be survivable by ANY service. Period. There is a limit to the number of authoritative name servers a domain can have (25?) which would be the weak link in any RBL's survivability.

Another issue you have to look at: Why were these particular RBLs attacked? 

I would argue the reason they were attacked had nothing to do with small size. Rather, it was how effective the RBL was in blocking spam.

OSIRUSOFT was effective for two reasons: It had a large number of zones and it was WIDELY deployed. (I am sad to say that the owner's attitude probably also made it a target.)

MONKEYS was targeted for an entirely different set of reasons: It was EXTREMELY effective in blocking CRIMINAL spammers' most widely deployed exploit: open proxy servers. MONKEYS accepted submissions of open proxy servers from known reliable sources. MONKEYS also had (has?) a very widely deployed honeynet that has been extremely effective in identifying the actual source of spam and systems managing open proxy servers. MONKEYS provided (provides?) tools for preventing the harvesting of email addresses from web pages. MONKEYS was not as widely deployed as many other RBLs (IMHO they were the best kept secret on the Internet), but they were without question the most effective at doing their job. MONKEYS was clearly targeted because it was doing the best job of preventing spammers from delivering their junk to anyone on the net -- especially criminal spammers. So, it was no surprise that a criminal attack shut them down.

If I had to guess, NJABL is probably the next RBL to be targeted. Why? Of the remaining RBLs they are the most effective and have the most zones covering the widest number of possible spam sources. They are also fairly widely deployed. 

After that, it is kind of a toss up who would be the next to get whacked.

SPAMHAUS is an RBL of known spam sources. They target the 'semi-legitimate' spammers that at least use their own mail systems to spam and do not hijack others' computers to do so. They are very effective. However, since the demise of OSIRUSOFT, they are no longer as widely deployed. Also, since they do not block that much spam that originates from the clearly criminal spammers, they would be less likely to experience a criminal attack.

ORDB is an RBL of open relays. They target the criminal spammer. A few years ago, they would have been the number one target for attack. However, since there are relatively few open relays, and spammers in general do not control the open relays, they are today a less likely target for attack.

SPEWS is an RBL that, IMHO, takes the hatchet approach to identifying and blocking spammers. They block an entire netblock if spam consistently originates from a single IP in that netblock. They have been known to (allegedly) block entire hosting services or ISPs if they were judged to be too slow in their response to spamming complaints. There are confirmed reports of some DDOS attacks against SPEWS. Like SPAMHAUS, since the demise of OSIRUSOFT, they are not as widely deployed as many other RBLs. However, their blocking policy has created many foes that make them a tempting target. But, the loss of SPEWS would not have the impact that the loss of MONKEYS has had.

SPAMCOP makes a very tempting target. Their widespread use by SpamAssassin makes them an even more tempting target. In fact, I am quite surprised that there have not been any credible reports of their being attacked. They are probably the most widely deployed of the remaining RBLs (wish I had some hard stats). They block based on 'proven spam.' Their definition of 'spam', and what I personally feel is a 'shoot first, ask questions later' blacklisting policy, IMHO makes them less effective in blocking spam sources than the other RBLs. (In the short time we used SPAMCOP, I found their false positive rate to be too high for our standards.)

Yes, there are other RBLs, but the above are the ones that I think are the most tempting targets at present.

If I had to guess where the spam wars are heading, I would predict:
1) A few more of the highly effective RBLs will be whacked next -- especially the ones blocking criminal spammers (NJABL, ORDB, and SPAMCOP).
2) Some of the providers of Anti-Spam software will also be attacked -- especially SpamAssassin, and maybe shut down completely.
3) The smaller email filtering services will be hit next.
4) Finally, the big filtering services will be hit.

I hope that I am wrong, but I see little chance that I will be. The only thing that will prevent this type of scenario from being carried to its conclusion is for law enforcement to shut down some of the biggest spamming criminals. Personally, I believe that means hitting several of the more vicious organized international crime gangs and similar groups that profit from these illegal activities. Unfortunately, I don't see that happening any time soon.

Jon R. Kibler
A.S.E.T., Inc.
Charleston, SC  USA