Jeffrey F. Bloss said:
> How can sanctioning someone for being the victim of a computer
> break-in *not* be viewed as re-victimizing that person?
> Would you place a home owner under house arrest if burglars
> busted through their window?

Anyone that is operating a server (HTTP, NNTP, SMTP, etc.) for business
or recreation, and whose domain has not been identified as one that
historically hosts or supports spam/UCE/phishing/fraud/identity theft,
will never get their domain included in a blocking list (such as a
hosts file, or Ad-Aware, or Spybot, etc.) if their servers get
"trojanized" or infected or compromised with malware - UNLESS the
operators of said servers do nothing to remove the malware.

The idea of applying the same blocking on a DNS server applies
similarly. It would not be effective or logical [you call it
"victimizing them"] to apply such blocking to someone's domain if
their machines were victimized by malware. [But read this: Blocking
their domain WHILE THEY ARE INFECTED is actually a good thing. It
would prevent the distribution of secondary payloads if their machines
were unwittingly hosting them, and more than likely their site would
crash because of the unwanted traffic being directed to them.]

> One of Mom and Pop's home
> based business machines gets compromised, some miscreant uses it
> to send out 1000 phishing emails and sets up a cute little page
> to collect the data, and Mom and Pop lose the ability to sell
> their WhizBang 3000 coffee mugs to the 25 or so people who might
> want to buy one this week.

Again, unless Mom and Pop fail to fix their server (assuming they even
run their own server, which is rare because most small-business
hosting is done by third parties), Mom and Pop have absolutely nothing
to fear from coordinated DNS blocking - unless Mom and Pop are in the
SPAM/phishing/UCE business anyway.

There have been (few? many?) server farms that have been compromised
over the past year or two. They are usually cleaned up within 24
hours. None of those domains (I'm sure) have ever made it into
Spybot's or Ad-Aware's blocking or immunization database. I would
expect the same to happen in a DNS-based domain blocking strategy. I
don't know why you can't understand that.

> Same same with your suggestion that new domains be put on some
> sort of administrative "hold". You're penalizing people who
> have just paid their pesos for the right to do business or
> merely express themselves, before you have any clue whatsoever
> that they're doing anything wrong.

If I run a small business, I might want to point my machines to a DNS
server (operated by myself, or a third party, maybe for free, maybe on
a subscription basis) that blocks all new domains until they are 2
months old (in addition to blocking known-bad domains). I think
that's a highly effective way to stop any trouble that my employees
might get themselves into by clicking on the wrong link, or by some
network-based malware that takes advantage of an OS-based vulnerability
and at some point tries to access the internet looking for secondary
payloads on newly-registered domains.

If I'm a big ISP, I might get lots of support calls if I block
newly-registered domains for 2 months. But not necessarily for 2 days
or 2 weeks. Or maybe I won't block domains based on
date of registration, but still block known-bad domains. You do
realize that any customer of the ISP can still point their computer to
any DNS server on the internet they want to (one that will accept
connections from them, that is).

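A worked version of the two resolver policies described above (block known-bad domains, and optionally block domains younger than a set age), written as an added example for this discussion rather than code from the original thread or from any actual DNS product. The blocklist, the registration dates, the query names and the "today" date are constructed sample data under the reserved `.test` TLD; a real deployment would load the known-bad feed and registration dates (for example from cached WHOIS data) instead of the inline dictionaries. `min_age=None` models the ISP profile that blocks only known-bad domains, and `block_unknown_age` is a constructed switch for an operator who would rather fail closed when the registration date can't be determined.

```python
from datetime import date, timedelta

# Constructed sample data (assumptions for this example, not from the post):
# a known-bad feed and a cache of registration dates, keyed by registrable domain.
KNOWN_BAD = {"phish-example.test", "spamcampaign.test"}
REGISTRATION_DATES = {
    "coffeemugs.test": date(2005, 1, 10),     # Mom and Pop's long-established shop
    "brandnew.test": date(2006, 3, 1),        # registered two weeks before "today"
    "phish-example.test": date(2006, 3, 2),
}


def candidate_suffixes(qname):
    """Yield the query name and each parent, longest first, so that a policy
    entry for example.test also covers www.example.test and login.example.test."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def resolver_policy(qname, today, *, known_bad=KNOWN_BAD,
                    registered=REGISTRATION_DATES,
                    min_age=timedelta(days=60), block_unknown_age=False):
    """Decide whether a blocking resolver should answer for qname.

    Returns ("block" | "allow", reason).  A known-bad match always wins; the
    age check runs only when min_age is set (None = the ISP-style profile that
    blocks known-bad domains but never blocks on registration date).
    """
    for suffix in candidate_suffixes(qname):
        if suffix in known_bad:
            return "block", f"known-bad domain {suffix}"
    if min_age is None:
        return "allow", "no registration-age policy"
    for suffix in candidate_suffixes(qname):
        registered_on = registered.get(suffix)
        if registered_on is not None:
            age = today - registered_on
            if age < min_age:
                return "block", f"{suffix} registered only {age.days} days ago"
            return "allow", f"{suffix} registered {age.days} days ago"
    if block_unknown_age:
        return "block", "registration date unknown (failing closed)"
    return "allow", "registration date unknown"


def evaluate(queries, today, **policy):
    """Run a batch of query names through one policy profile."""
    return {q: resolver_policy(q, today, **policy) for q in queries}


if __name__ == "__main__":
    today = date(2006, 3, 15)   # constructed "today" matching the sample dates
    sample = ["coffeemugs.test", "www.brandnew.test",
              "login.phish-example.test", "nobody-knows.test"]
    print("small-business profile (known-bad + 60-day age rule):")
    for q, (verdict, why) in evaluate(sample, today).items():
        print(f"  {verdict:5}  {q:28} {why}")
    print("ISP profile (known-bad only):")
    for q, (verdict, why) in evaluate(sample, today, min_age=None).items():
        print(f"  {verdict:5}  {q:28} {why}")
```

The suffix walk is what keeps the list short: one entry for a registrable domain covers every hostname under it, and the age lookup finds the registered parent even when the query is for a subdomain. Note that the age rule is purely temporal, so the same `www.brandnew.test` query that is blocked on 15 March is answered normally two months later without any list change.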
> Presupposition of guilt. Never a good thing.

Item (1) above is presupposition. Item (2) is not.

> I'd suggest that the stigma of being a known abuse promoter
> would cut into profits at least as much as disallowing
> transient scumbags from trying to register "sounds like"
> domains.

You've got to be kidding. Domain registrars have no public profile or
exposure.

Look at someone like Go Daddy. They take money from all sorts of
bad guys that register domains for the sole purpose of being used for
phishing scams or spam campaigns. I would love to be able to block
domains based on the registrar, but I can't see any way to execute a
mechanism that does that. If you could, THEN registrars would have an
interest in taking business only from "clean" customers. Until then,
they suffer no real repercussions from registering any domain from any
customer - good or bad. Negative stigma in Usenet discussions has no
connection to negative revenue.

> It doesn't work that way. Blocking traffic originating from port
> 25 would accomplish nothing. SMTP connections are made from
> arbitrary source ports TO port 25. If you block traffic destined
> for port 25 you instantly break the ability for any user to buy
> and/or use any perfectly legitimate third party email providers.

By blocking out-bound port-25 packets, you prevent users from setting
their out-going SMTP server to point to a machine outside the ISP's
network. You can still set the in-coming SMTP server to point to any
(external) machine anywhere on the internet, and you set your
out-going server to that of your ISP's server. You can send all the
e-mail you want, and it will appear to recipients as if it came from
the external server.

You still haven't explained why such a configuration wouldn't work in
your case. (You may not like to use your ISP's SMTP server to relay
your out-going e-mail, but you haven't explained technically why it
wouldn't work in your case.)

And by the way, your ISP could easily block your ability to operate an
SMTP server if it violates the terms of your contract (and yes, you
could switch ISPs if they did, and they may or may not care if you
leave them, and you may or may not have to buy a business or
commercial account from someone else if you really really must operate
your own SMTP server).

The internet at large has paid a heavy price (in terms of spam, in
terms of trojanized machines that send/relay spam) by not blocking
out-bound port-25 packets from dynamic or residential IP space. The
"benefit" of allowing a precious few people to be able to send e-mail
to outside machines (or operate SMTP servers at home) is FAR
outweighed by the spam problem that has resulted because of it.

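To make the source-port versus destination-port point concrete, here is an added example (not code from the thread, and not any real ISP's firewall configuration) that evaluates sample outbound flows from one residential PC against the two candidate rules. The topology is constructed: 203.0.113.0/24 (a documentation range) stands in for the ISP's residential pool, 198.51.100.25 for the ISP's own outgoing mail relay, and 192.0.2.10 for a third-party mail provider; the ephemeral source ports are made up. The submission port (587) is not mentioned in the thread; it is included because it is what a mail client on a residential connection would normally use to reach an outside provider once destination port 25 is blocked.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology (assumptions for this example, not from the post).
RESIDENTIAL_POOL = ipaddress.ip_network("203.0.113.0/24")   # ISP's dynamic/residential space
ISP_MAIL_RELAY = ipaddress.ip_address("198.51.100.25")       # ISP's own out-going SMTP server
OUTSIDE_MAIL_HOST = "192.0.2.10"                             # a third-party mail provider


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def rule_block_source_port_25(flow):
    """The misreading: drop packets whose *source* port is 25.
    An SMTP client picks an ephemeral source port, so this matches nothing
    that a spam-relaying home PC actually sends."""
    return flow.src_port == 25


def rule_block_destination_port_25(flow):
    """The rule the post argues for: drop packets from residential space whose
    *destination* port is 25, except those going to the ISP's own relay.
    Non-residential (business) addresses are left alone."""
    src = ipaddress.ip_address(flow.src_ip)
    dst = ipaddress.ip_address(flow.dst_ip)
    return src in RESIDENTIAL_POOL and flow.dst_port == 25 and dst != ISP_MAIL_RELAY


def egress_decision(flow, rule):
    """Apply one rule to one flow; anything the rule does not match is accepted."""
    return "drop" if rule(flow) else "accept"


# Constructed sample traffic from one residential PC (203.0.113.57).
SAMPLE_FLOWS = {
    "direct SMTP to outside server": Flow("203.0.113.57", 51234, OUTSIDE_MAIL_HOST, 25),
    "SMTP via ISP relay": Flow("203.0.113.57", 51235, str(ISP_MAIL_RELAY), 25),
    "submission (587) to outside provider": Flow("203.0.113.57", 51236, OUTSIDE_MAIL_HOST, 587),
    "IMAP fetch from outside provider": Flow("203.0.113.57", 51237, OUTSIDE_MAIL_HOST, 993),
}


def compare_rules(flows=SAMPLE_FLOWS):
    """Return {label: (verdict under source-port rule, verdict under destination-port rule)}."""
    return {label: (egress_decision(f, rule_block_source_port_25),
                    egress_decision(f, rule_block_destination_port_25))
            for label, f in flows.items()}


if __name__ == "__main__":
    for label, (by_src, by_dst) in compare_rules().items():
        print(f"{label:40} block-src-25: {by_src:6} block-dst-25: {by_dst}")
```

Only the first flow changes verdict between the two rules, and only under the destination-port rule: the source-port rule accepts every flow because none of them has source port 25. The relay exemption and the untouched 587/993 flows are what make the "set your out-going server to the ISP's relay, fetch incoming mail from wherever you like" configuration work under the block.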
> Blocking port 25 wouldn't prevent this.

Of course it would.

If ISPs had port-25 blocking in place on day 1, as a normal setting
for their network (or if they had put it in place 3 or 4 years ago),
and if many ISPs had done this, then why would spammers/hackers be
writing viral or back-door code that would allow them to use home PCs
to act as spam relays if those machines actually couldn't relay the
spam anyway because of port-25 blocking?

> I am for one. Yes, I realize that 101 compared to a bazillion or
> so total internet users is insignificant, but that's not the
> issue.

Yes it is. There are ways for you to operate your own server - ways
that probably involve paying an extra $10 a month for a business or
commercial connection. You and your 10 buddies are getting a free
ride at the expense of having a (residential) network infrastructure
that allows spam from infected machines.

It's not that I'd like to see ISPs block port-25 just to trash your
party. It's that the spam that comes with it comes at an absurd price
that everyone has to deal with at some level, and there's really no
justification for it.

> Why should *I* be penalized
> because someone else refuses to play by the rules?

Because blocking port-25 is the most effective way to stop spam.
Period. And it has been since late 2002/early 2003 (when
trojan-infected Windows XP machines connected to cable and DSL
residential networks started to appear).

And you are not being penalized. The workarounds are trivial and
don't impact you in the slightest. That's the really galling part of
this situation.