tacid.org

Greetings,
My name is Nick, and I have inherited admin duties for tacid.org. For an un-known amount of time (A month or more?) mail.tacid.org has been an open-relay, and sending out large amounts of spam. This should now be fixed. If anyone is having issues with this domain still, please contact me off list.
Thank you,
Nick

Just like I should have with my garden, rather than replant among the weed
seeds and spend 99% of my time pulling weeds, I would recommend sowing a new
field by moving your outbound e-mail server(s) to some fresh address space
(different /24 to be sure, ideally another section of SWIPed space) and
start monitoring your outgoing servers logs. You'll need to work with each
MTA that blocks your e-mail and ask them to delist you from whatever block
(domain or domain reputation) that they have. At the same time,
systematically go to every RBL that tracks by domain name and check the
status of your domain and request delisting as necessary.

if the ipv4 free pool run-out produces a lot of address shifting and
recycling of old address space, will there be a market in clean-up
services such as the above. give them your newly-acquired address space
for two months before you need to use it, and they will test and scrub
and write and beg and whine on nanog? it could be that one or two
reputable clean-up folk could develop history with the various blockers
and be able to get the job done better than we could do it ourselves.

randy

Randy Bush wrote:

>[snip weeding one's garden theory]

if the ipv4 free pool run-out produces a lot of address shifting and
recycling of old address space, will there be a market in clean-up
services such as the above. give them your newly-acquired address space
for two months before you need to use it, and they will test and scrub
and write and beg and whine on nanog? it could be that one or two
reputable clean-up folk could develop history with the various blockers
and be able to get the job done better than we could do it ourselves.

Actually, that's not a bad idea. course, there's the larger problem;
verifying that the address space previously sullied is now worthy of
being cleaned up. In Nick Shank's case (and Bravo! to Nick), I would say
that he's off doing the right thing. It would seem that some serious
investigation would be necessary before acting as a third party for
others in a similar boat, of course.

I certainly have the time, skills, and inclination.

--
In April 1951, Galaxy published C.M. Kornbluth's "The Marching Morons".
The intervening years have proven Kornbluth right.
Kletnieks

The real solution to the scorched earth problem is for aging from
blacklists to be dynamic.

if we were designing a full internet system with reputation as a feature,
then no doubt it would be like you're describing. however, reputation
systems are a private action by private right of action and each one will
have its own cost:benefit considerations. this means while it might be a
good design overall, blacklist aging has to be in the interests of
particular blacklist operators and subscribers, or it won't happen. it
generally does not happen, since it costs more value than it produces from
the point of view of a given blacklist operator or subscriber.

i think there's an argument to be made that this is inevitable. every time
any ISP has enforced any kind of numerical limits on abuse by one of its
customers (like first hit's free, three strikes and you're out, and so on)
the abusers have either rotated through providers or through identities
fast enough to make their business run in spite of the limits, or they have
merely counted these slaps on the wrist as part of the cost of doing
business. this means if blacklist entries all aged out, then abusers and
their ISPs would simply rotate through a long chain of address blocks, and
we'd see a lot of address space consumed on the "waiting for reprieve" list
but it would not change the overall abuse growth rate at all.

that's not in the interests of individual blacklist operators or subscribers,
who want to control abuse growth rate.

There's been some work done @ SRI on using a weighting algorithm that
includes things like prevalence, persistence, and "badness", with a
Gaussian decay function as to time, to establish cut levels for what
should be blocked.=20

Look at Phil Porras work, and Usenix presentations.

can you tell me, before i invest my own time in it, whether this work
accounts for the inevitable rebalancing and planning adjustments that the
abusers will make if each proposed policy were rolled out? i fear that
most studies in this area treat abuse like it was a natural phenomena and
not the self-organized well-motivated thievery that it is. abusers aren't
going to sit still while we wrap them in a gaussian decay function.


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

paul,

in another universe, the inhabitants are attempting to find some policy
for dealing with what i'll call a temporally inconsistent name to
address mapping, at a single, and also a second level of indirection. of
course, just about everything that's ever been written (and re-written)
on nanog about reputation and partition, whether w.r.t. port 25, or
ports 53 and 80, appears to me to be relevant in this other universe.

eric


Paul Vixie wrote:
>The real solution to the scorched earth problem is for aging from
>blacklists to be dynamic.
>
>
if we were designing a full internet system with reputation as a feature,
then no doubt it would be like you're describing. however, reputation
systems are a private action by private right of action and each one will
have its own cost:benefit considerations. this means while it might be a
good design overall, blacklist aging has to be in the interests of
particular blacklist operators and subscribers, or it won't happen. it
generally does not happen, since it costs more value than it produces from
the point of view of a given blacklist operator or subscriber.
>
i think there's an argument to be made that this is inevitable. every time
any ISP has enforced any kind of numerical limits on abuse by one of its
customers (like first hit's free, three strikes and you're out, and so on)
the abusers have either rotated through providers or through identities
fast enough to make their business run in spite of the limits, or they have
merely counted these slaps on the wrist as part of the cost of doing
business. this means if blacklist entries all aged out, then abusers and
their ISPs would simply rotate through a long chain of address blocks, and
we'd see a lot of address space consumed on the "waiting for reprieve" list
but it would not change the overall abuse growth rate at all.
>
that's not in the interests of individual blacklist operators or subscribers,
who want to control abuse growth rate.
>

>There's been some work done @ SRI on using a weighting algorithm that
>includes things like prevalence, persistence, and "badness", with a
>Gaussian decay function as to time, to establish cut levels for what
>should be blocked.=20
>>
>Look at Phil Porras work, and Usenix presentations.
>
>
can you tell me, before i invest my own time in it, whether this work
accounts for the inevitable rebalancing and planning adjustments that the
abusers will make if each proposed policy were rolled out? i fear that
most studies in this area treat abuse like it was a natural phenomena and
not the self-organized well-motivated thievery that it is. abusers aren't
going to sit still while we wrap them in a gaussian decay function.
>
>
>