[Dshield] DShield's Public Goals

M Cook dshieldlists at versateam.com
Fri Jan 6 02:10:40 GMT 2006

But you see, the more residential dynamic IP addresses are blocked, the 
fewer options the spammers have left, which I think is a Good Thing. I'm 
probably already blocking that open proxy in East Elbonia, so zombies 
can tunnel there all they want to. (I block the server in East Elbonia 
not because I disagree with their politics, but because I don't want 
their unwanted spam tying up my server to the exclusion of work I want 
it to do.) I think more and more admins in East Elbonia are figuring out 
that they need to play nice, else they won't be able to play at all. 
Which makes it harder for the spammers, and easier for the block lists.

If the ISP's SMTP server starts relaying spam, it will get added to a 
block list, and nobody wants that. Most of the good ISPs may not filter 
for viruses, but they at least throttle email from residential/dynamic 
customers, and usually require authentication of some sort, even if it 
is just identifying the customer by IP address. The owner of the server 
in East Elbonia won't care if her server is acting as an SMTP relay for 
a zombie in suburban Iowa, but that customer's ISP will if more and more 
other servers block it and its customers. It's about accountability. If 
the ISP is held accountable, and in turn holds the customer accountable, 
the customer will soon get the zombie disabled. We shouldn't just stand 
around while the spammers use home computers and ISP servers with 
impunity, essentially stealing services. We need to stop the spammer, to 
be sure, but we don't want innocent residential computers spreading that 
garbage either. We do want the owner of that residential computer to at 
least become aware that someone is stealing computer service from him, 
and preferably do something about it. The ISP is much more likely to let 
them know than the admin in East Elbonia. And yes I'm aware that it is 
not in the profitability model of ISPs to notify every customer who has 
been compromised by a spammer's crime syndicate. Tough. It needs to be.

The reason spammers use zombies and botnets is because the block lists 
are working! They can't use an open proxy server set up for that purpose 
or even SMTP servers which they legitmately pay for -- they get blocked 
too quickly and too throughly by those of us who just do not want them 
tying up our servers. So they MUST resort to criminal use of zombies and 
botnets if they want to stay in "business", to try to make it harder for 
us to block them. It's the same with the spam filters; they MUST find 
ways to trick the filters into letting their spam through, which means 
messages that are more and more fraudulent and/or comical.

Maybe you are talking about "decriminalizing" spam? Well, maybe there's 
something to that. If the spammers can buy a big server and put it on a 
big pipe in the US and everyone has to accept their spam, they wouldn't 
have any incentive to create zombie botnets, and maybe the crime 
syndicates would lose interest. I haven't thought that through 
completely, though I surely would not want to be forced to let them tie 
up my machine so I can't get any work done.

josh at theoubliette.net wrote:

>Such a blocking solution wouldn't solve the problem in the case of a
>compromised host running it's own mail server (i.e. reducing spam and
>spread of viruses)...I would *theoretically* just make a smarter mailbot
>virus that uses the ISP's mail service.  Very few ISPs block spam or scan
>for viruses.  Some of the larger ones do, but I would again defer to my
>previous point regarding ISP v. ASP.   They sometimes will respond to a
>report AUP violation, and more often than not won't, especially in the
>case of dial up.  Better yet, I engineer my mail bot to tunnel mail out
>port 80 to a zombie that I control in east Elbonia that simply forwards
>the mail normally, because everyone knows that the Elbonians don't believe
>that you can *dictate* such controls to them and simply won't follow
>*your* rules because they disagree with your country politically.
>...I could go on and on, but I still stand by my point (which is the same
>point that others have supported as well), that port filtering will not
>work at that level.  If, in a utopian world, everyone did it, it might
>work for about five minutes, until the bad guys came up with another
>scheme to get around it, or use a compromised host, or a non-RFC compliant
>mail server, or insecure php application that allows scripted commands as
>non-validated user input...

More information about the list mailing list