[Dshield] Cut Off China

Kenneth Coney superc at visuallink.com
Mon Jun 27 16:07:07 GMT 2005

Er, actually I added large ranges of the .ca world to my blocked list 
some time ago.  I suspect Adrien's complaint is being also voiced by 
spam recipients in China or Brazil or Korea.  If we all don't block, and 
we don't report, it makes perfect business sense for spam to originate 
from another country.  A complainant quickly learns there is very little 
LE or the courts in their own country can do about spam originating from 
across a border.  However, when the spam originates from within one's 
own country the courts and the law often provide recourse.  Here in VA, 
a state within the US, sending spam is an actual crime (as in jail time) 
and senders can also be sued for theft of computer time, lost hours, 
etc. so I am not in the least surprised that since those laws were 
passed I receive little spam originating within VA.  When spam 
originates in other states within the US the law still provides some 
recourse once the originators are identified and many IPs cooperate 
readily lest they be caught up in any legal issues (i.e., co-conspirator,
etc.) resulting from their failure to do so. What little
spam I do get from within the US seems when I take the hours to track 
down the originators to be an infected PC responding to commands from 
elsewhere, or a fly-by-night setup with bogus or no info in the ARIN
lists.  [ARIN, RIPE, CRISNIC, etc. seem to be very slow to update and at
least twice I have talked to company owners who advised that they 
haven't had the IP ranges being attributed to them by ARIN for some time 
(company dissolved, and similar situations).  I won't even discuss APNIC 
or the others reassigning blocks and not publishing it for months.]  
However, when the spam comes from a site in .kr or .de blocking the IP 
ranges becomes the only practical action for a US user.  Someone in 
Korea or Canada or Brazil may very well find it in their best interests 
to block communications from the US if that is the source of their spam 
or hostile probes. 

That doesn't mean you shouldn't share the info.  Non-recipients may not
have the legal standing to sue an alleged spammer, or hostile prober, but
that doesn't mean the IPs would not be very interested to learn of a 
specific spamming or acting maliciously IPN sitting within their range 
of IPNs.  The "fight back" concept and all that.

Re: [Dshield] Cut Off China
Adrien de Beaupre <adriendb at whitehats.ca>
Sun, 26 Jun 2005 17:27:54 -0400

General DShield Discussion List <list at lists.dshield.org>

>> Greetings:
>> This is going to get lengthy, but I hope you'll bear with me because it might
>> explain to the "seasoned pro's" how the "newbie" (like me) mind works. I
>> totally agree with jayjwa and Ken Coney concerning the blocking of junk
>> traffic from China, and other Countries that don't play by the rules. In fact
>> - I'd go so far as to block ALL traffic from these Countries. I'll explain,
>> but first - a little about myself so you know where I'm coming from.

Hmm, if we applied that logic, traffic from the US would be cut off
from entering Canada. The two countries who target Canadian IPs
on a regular basis are China and the US. 


In fact, all spam does not trace back to China, nor any other
country. Spam traces back to, you guessed it, the US of A. 
That is where the targeted demographic is, and that is where
the money trail traces back to. Follow the money a little further
Mike, it doesn't end up where you think. 

I am not arguing for, or against blocking all traffic from 
any country, far from it. Your logic does not seem to bear
up under scrutiny. 


