[Dshield] Where should you start - I'll wrap it myself

John Draper lists at webcrunchers.com
Tue Mar 23 01:13:57 GMT 2004


On Mar 21, 2004, at 9:07 AM, John Sage wrote:

> You seem to be stuck on one of the most common points regarding all of
> this "criminal" activity.
>
> On Sun, Mar 21, 2004 at 02:48:49PM -0000, Roger Gelder wrote:
>> From: "Roger Gelder" <roger.gelder at ntlworld.com>
>> To: <list at dshield.org>
>> Date: Sun, 21 Mar 2004 14:48:49 -0000
>> Subject: [Dshield] Where should you start - I'll wrap it myself
>>
>> OK, most responses have been, reasonably so from the point of view of
>> this being 'Dshield', concerned with the defensive approach. I was
>> more interested in the offensive - rooting out the writers and
>> distributors of the rubbish -difficult but not impossible. Only one of
>> the replies seemed to feel that that was appropriate, which is
>> surprising, given the damage.
>
> ah, yes: "Why isn't someone *doing* something about all this!?!"

I know WE are....  and getting pretty encouraging results I might add,
as a technical solution.  Now if we can start getting ISP's to consider
using our solution,  it might be possible to 'shut down' infected hosts
thus preventing nasty things like spam bots to operate.  It's just
really hard for us 'small fry' to be accepted in the industry without
names like 'Cisco' and 'checkpoint'   :-(

>
>> However, I would have thought that with all the tracing and tracking
>> effort put in place by the many subscribers to this list, that some
>> reporting of these activities would have been possible. Whether such
>> efforts result in reports to those with the legal authority to bring
>> criminal proceedings - and thus 'terminate with prejudice' - take away
>> their PCs and heavily fine/jail or whatever, does not seem to be
>> happening. The result is the continuance of damage.
>
> Many of the perpetrators are located offshore from the legal
> boundaries of the United States - and here, note that I'm assuming
> that *you* are an American and you speak in the context of American
> laws and legal remedies.

And that presents another problem.   Export restrictions....  
unfortunately
our solution uses strong encryption.

But with all the spam people are getting,  most are unaware that for 
each spam
they get,  some infected host out there is identifying itself.   So 
reporting
spam is very important,  because a lot of it comes from infected hosts, 
  and
SOME (but unfortunately not all) ISP's DO act on these complaints and 
shut
them down.

It also helps to send these reports in the language spoken (or written) 
by
the people who maintain the foreign ISP's.

I'm getting some very encouraging results when I sent my spam reports in
Chinese,  and the biggest problem in communication with these foreign 
ISP's
is that few people working there can speak or read English.

>
> The entire world is not subject to American legal constraints.

Nor do they all speak English.

> Add to this the fact that the sources - particularly spam email - are
> obfuscated and impossible to determine with any accuracy, or, worse,
> are using hijacked systems such that the actual owner is arguably
> innocent of any conscious wrongdoing.

That's why it's VERY important to report your spam.  ISP's are never
going to shut down an infected trojan if they don't know where they are,
unless you report it,  or your report is not understood by the person(s)
reading the report.

> Add to this the fact that a lot of the web sites involved with
> phishing scams, etc etc, are located offshore and hosted by ISPs with
> a less than active interest in shutting down web sites that are:
>
> 1) paying customers;

Definitely true - Unfortunately,  'money talks and bullshit walks'

> 2) may have been set up fraudulently in the first place;

Which is usually shut down if they (foreign ISP) know about it.

>
> 3) and, add that said ISP's have technical support staffs that are
> underpaid and overworked anyway;

And more importantly,  don't understand English....  Unfortunately,
Americans (Yes,  I'm American - but travel a lot) are 'language 
challanged'
and are clueless to the fact there are a LOT of foreign ISP workers who
can speak or write English...  It's no WONDER they don't respond to spam
complaints.

> 4) and, again, are offshore and not subject to American laws

Well - that also....   :-(

> The net answer is that it is not anywhere so simple as you would like
> to think.

Yes - unfortunately so - so we need to try and make things simpler.

>> So, whenever I get a scam, attempted "Fill in your bank account
>> details here" message , I DO report it to the cover name such as Ebay
>> or my local bank, whose-ever name has been abused.

Horray for you....  keep up the good work.


>> I don't know enough
>> about tracking and tracing to be competent in that field, so I am
>> grateful for your efforts on my behalf.
>>
>> BUT, do you report the 'criminals' and end their activities, or, at
>> least, make life difficult for them?
>
> It all depends on where you want to spend your time.

yes - reporting spam is unfortunately time consuming,  which is why
we are making a very big effort to rectify this problem.  But automated 
spam
reporting is 'very dangerous',  and all too easy to permit reporting of 
non-spam
and getting your friend's internet service disconnected,  and again,  we
are addressing these issues by developing really good filters (although 
very
slow - like 25 messages per minute),  but so far after 4 weeks we are 
getting
zero false positives (zero ham in spam).

John




More information about the list mailing list