lucio | 10 Oct 2008 09:43

Partial service

Far from me to target my ISP specifically, I think the following
applies to each and every ISP, no matter their excuses:

I just got a very uninformative "This IP has been banned" when trying
to access a web site in Italy.

Now, I think I know why the "IP has been banned", no doubt some
SPAMming attempt was detected and action taken against it.  My beef is
that this should not happen: I feel like I'm playing Russian roulette
if I can't be sure that the IP address assigned to my current
connection will in fact give me access to the services I need.

Crucially, I think

(a)	that all ISPs ought to try much harder to prevent users of
	their network facilities from abusing them and creating
	conditions such as those that led to the IP address I've been
	assigned being banned.  I believe indeed that ISPs ought to
	see themselves as liable for the reduced service caused by
	such abuse and in turn ought to be able to penalise their
	users when their behaviour can have a detrimental effect on
	later users.

(b)	It ought to be the duty of the ISP to rectify the situation as
	quickly as possible.  To this effect, there ought to be a
	generic report form that provides the essential details and
	considerable effort should be applied to automate the process
	as much as possible.

(c)	It ought to be accepted best practice for ISPs to communicate

Mike Lawrie | 10 Oct 2008 12:05

Re: Partial service

Lucio has a very valid point, IMHO. I too don't like to play Russian 
roulette when selecting an ISP in order to have an IP address that is 
not on a blacklist somewhere.

However, I see two serious holes in the suggestions, viz

1. there is no public knowledge of whether or not, or to what degree, 
the banning site tried any of, all of or more than the remedies that 
Lucio suggested, and simply got no constructive reaction from the 
offending ISP;

2. ISPs have absolutely no motivation to spend effort on kicking or 
policing their customers, because that distracts from profits.

Perhaps a solution is to make the remedial efforts public? That way, 
a potential customer can see before signing up which ISPs have a 
blatant "couldn't give a damn" attitude towards their userbase 
abusing the network, and/or which ISP Associations seem more 
interested in protecting their own than protecting the public.

FWIW, http://216.8.179.23 on my PC responds with "invalid domain 
name: 216.8.179.23 -- invalid tld", and whois info on that number is 
sparse. This from my IP 41.244.18.218.

Mike

Lucio wrote:-

> Far from me to target my ISP specifically, I think the following
> applies to each and every ISP, no matter their excuses:

Graham Leggett | 10 Oct 2008 12:02

Re: Partial service

lucio@... wrote:

> Far from me to target my ISP specifically, I think the following
> applies to each and every ISP, no matter their excuses:
> 
> I just got a very uninformative "This IP has been banned" when trying
> to access a web site in Italy.
> 
> Now, I think I know why the "IP has been banned", no doubt some
> SPAMming attempt was detected and action taken against it.  My beef is
> that this should not happen: I feel like I'm playing Russian roulette
> if I can't be sure that the IP address assigned to my current
> connection will in fact give me access to the services I need.

Unfortunately there are a number of sites out there whose maintainers 
believe they could "roll their own" anti-abuse systems. Designing 
anti-abuse systems, like designing security systems, is hard, and 
ideally should follow some kind of widely accepted practice, rather than 
some custom cooked up stuff.

I had a case recently of a client whose mail was bouncing to somebody at 
an account hosted by some mail service hosted by Microsoft. Someone at 
Microsoft had explained in their blog how their home rolled anti-spam 
solution worked: If 90% of incoming mail was heuristically flagged as 
spam, that site would be banned. Sounds simple, right?

Turned out after some log file analysis that their network had received 
a total of 4 messages from the banned host over a month, and all four of 
those happened to have been out of office replies from someone on 
maternity leave. As all these messages tripped their heuristic "this 
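
The failure mode described in the message above (a 90% spam-ratio ban firing on four messages in a month) can be reproduced and guarded against as follows. This is an added example, not part of the thread and not the mail service's actual code; the minimum sample size, the Wilson-interval guard, the function names and the sample IPs are assumptions.

```python
import math
from collections import defaultdict

BAN_RATIO = 0.90     # threshold from the post: 90% of mail flagged as spam
MIN_MESSAGES = 50    # assumed minimum sample before any verdict is allowed
Z = 1.96             # z-score for a 95% confidence interval

# Constructed sample: (sender IP, was the message flagged as spam?)
# 192.0.2.10 sends four out-of-office replies in a month, all flagged.
# 198.51.100.7 sends 5000 messages, 4800 of them flagged.
SAMPLE = ([("192.0.2.10", True)] * 4
          + [("198.51.100.7", True)] * 4800
          + [("198.51.100.7", False)] * 200)

def tally(events):
    """Return {ip: (flagged_count, total_count)}."""
    counts = defaultdict(lambda: [0, 0])
    for ip, flagged in events:
        counts[ip][0] += int(flagged)
        counts[ip][1] += 1
    return {ip: (f, t) for ip, (f, t) in counts.items()}

def naive_ban(flagged, total):
    """The rule as described: ban when the flagged ratio reaches 90%."""
    return total > 0 and flagged / total >= BAN_RATIO

def wilson_lower_bound(flagged, total, z=Z):
    """Lower end of the Wilson score interval for the true spam ratio."""
    if total == 0:
        return 0.0
    p = flagged / total
    centre = p + z * z / (2 * total)
    margin = z * math.sqrt(p * (1 - p) / total + z * z / (4 * total * total))
    return (centre - margin) / (1 + z * z / total)

def guarded_ban(flagged, total):
    """Ban only with enough mail AND a confidently high spam ratio."""
    return total >= MIN_MESSAGES and wilson_lower_bound(flagged, total) >= BAN_RATIO

def verdicts(events):
    return {ip: {"naive": naive_ban(f, t), "guarded": guarded_ban(f, t)}
            for ip, (f, t) in tally(events).items()}

if __name__ == "__main__":
    for ip, verdict in verdicts(SAMPLE).items():
        print(ip, verdict)
```

With four flagged messages out of four, the lower confidence bound on the spam ratio is only about 0.51, so the guarded rule declines to ban the low-volume host while still banning the high-volume one.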

Colin Alston | 10 Oct 2008 12:53

Re: Partial service

Mike Lawrie wrote:
> 2. ISPs have absolutely no motivation to spend effort on kicking or 
> policing their customers, because that distracts from profits.

That's because ISPs should be policing their customers at all, they
should be dealing with abuse correctly.

This is all made worse however thanks to transparent proxies and dynamic
IP addressing since by the time something bad happens, it's already the
problem of someone else.

Solution: Roll out IPv6.

> FWIW, http://216.8.179.23 on my PC responds with "invalid domain 
> name: 216.8.179.23 -- invalid tld", and whois info on that number is 
> sparse. This from my IP 41.244.18.218.

It's clearly a virtual host. Most web servers are.

_______________________________________________
IOZ mailing list
IOZ@...
http://lists.internet.org.za/mailman/listinfo/ioz

lucio | 10 Oct 2008 13:03

Re: Partial service

> The moral of the story is that it often isn't your fault, or the ISP's 
> fault that you have been blacklisted, but rather the fault of a not so 
> clued up target site.

I can't argue with that, but the important bit is that (a) my ISP
ought to have a readily accessible mechanism to deal with it because,
at least in theory, I'm paying for the privilege and (b) it ought to
be best practice to consult between ISPs before introducing
retaliatory measures.

Specifically, I'm suggesting that the ISPs ought to take it upon
themselves to deal with abuse and persuade arbitrary users to leave it
in their hands, where, one hopes, it will be dealt with according to sound
principles.

Of course, I'm not suggesting the dreaded "censorship" approach, I'm
suggesting that there are acceptable rules by which ISPs ought to be
willing to play.

++L


lucio | 10 Oct 2008 13:13

Re: Partial service

> 1. there is no public knowledge of whether or not, or to what degree, 
> the banning site tried any of, all of or more than the remedies that 
> Lucio suggested, and simply got no constructive reaction from the 
> offending ISP;
> 
Fair, my assumption is that the process will be much more transparent,
just as you suggest, if _embraced_ by significant ISPs.

> 2. ISPs have absolutely no motivation to spend effort on kicking or 
> policing their customers, because that distracts from profits.
> 
> Perhaps a solution is to make the remedial efforts public? That way, 
> a potential customer can see before signing up which ISPs have a 
> blatant "couldn't give a damn" attitude towards their userbase 
> abusing the network, and/or which ISP Associations seem more 
> interested in protecting their own than protecting the public.

I think there's a contradiction above: you cannot have both a critical
attitude to ISPs who do not give a damn and suggest that they cannot
justify policing their customers.

In my opinion (nothing humble there :-) there are profits in being
able to deliver an unfragmented view of the Internet to the customer,
even though sometimes the customer may not really understand the issues.

++L


graham | 10 Oct 2008 14:06

Re: Partial service

> Mike Lawrie wrote:
>> 2. ISPs have absolutely no motivation to spend effort on kicking or
>> policing their customers, because that distracts from profits.
>
> That's because ISPs should be policing their customers at all, they
> should be dealing with abuse correctly.

I was informed by a senior network engineer at a large ZA ISP that their
policy was to only deal with abuse complaints if they became service
affecting, i.e. your spam volumes through their customer relay had to reach
DoS levels before they would look into it.

> This is all made worse however thanks to transparent proxies and dynamic
> IP addressing since by the time something bad happens, it's already the
> problem of someone else.

It is highly likely that it is your provider's proxy that has been
blacklisted rather than your host. With the entire country's web traffic
going through 2 or 3 dozen proxies we regularly get black listed as
abuses/leeches/whatever.

> Solution: Roll out IPv6.

YES!!!!!!!

Give everyone their own STATIC IPv6 address (or /64 for home LANs). Let
them have all the wonderful benefits of fixed IP. Included in that they
can take responsibility for the addresses that they abuse and get
blacklisted.


Colin Alston | 10 Oct 2008 14:50

Re: Partial service


graham-ml@... wrote:
> I was informed by a senior network engineer at a large ZA ISP that their
> policy was to only deal with abuse complaints if they became service
> affecting, i.e. your spam volumes through their customer relay had to reach
> DoS levels before they would look into it.

Sorry, what I meant to write was "abuse complaints". I think our ISPs do
deal with abuse (except Telkom who don't care), but they have a tendency
not to keep the complainant in the loop which makes them think their
request was ignored.

This is an unfortunate consequence of bureaucracy mixing with internet
ops, since it's most ISPs' policies not to engage with anyone that isn't
on their financial books. This hurts them, but that's their own problem.

> 
> I'll be very interested to see the arguments in favour of dynamic IPv6
> addresses for the consumer market in the coming years. No doubt they will
> occur.

Even dynamic space is bound to hardware identifiers, i.e. your cellphone
spams someone - no more internet for that /device/.
I can't see spammers buying a new ADSL router every time they get
blacklisted - some might get savvy and change the MAC but that's an
extreme case and providers could just register MACs too to prevent
rogue CPE on a well designed network...

Currently we have the great fun on our little IRC network of abusers
deliberately taking advantage of cellular operators' NAT and web

Stefano Rivera | 10 Oct 2008 15:57

IRC over SAIX Shaped

A few of us #clug-gers have been noticing serious problems with
international IRC servers (the most obvious example being freenode.net)

I think I can lay this clearly at the door of SAIX's Shaping. When IRC is
unusable on a normal SAIX shaped account, their unshaped accounts work
fine, as do verizon accounts.

I assume we aren't the only people being driven mad by it (and being
threatened with bans from channel admins getting tired of the constant
join/parts).

Can anyone who knows someone at SAIX please beat them over the head
with a large wooden stick? :-)

SR

-- 
Stefano Rivera
  http://rivera.za.net/
  H: +27 21 794 7937   C: +27 72 419 8559


Graham Leggett | 10 Oct 2008 16:23

Re: IRC over SAIX Shaped

Stefano Rivera wrote:

> A few of us #clug-gers have been noticing serious problems with
> international IRC servers (the most obvious example being freenode.net)
> 
> I think I can lay this clearly at the door of SAIX's Shaping. When IRC is
> unusable on a normal SAIX shaped account, their unshaped accounts work
> fine, as do verizon accounts.
> 
> I assume we aren't the only people being driven mad by it (and being
> threatened with bans from channel admins getting tired of the constant
> join/parts).
> 
> Can anyone who knows someone at SAIX please beat them over the head
> with a large wooden stick? :-)

Lay a complaint with SAIX.

Unfortunately, "shaped" usually means "web and insecure email only". If 
you don't complain to SAIX, they won't know or care to fix it.

Common ports that people have problems on include 465 (SMTP+SSL, very 
useful for secure authenticated SMTP relay to avoid having to 
reconfigure your SMTP server every time you change networks), 993 and 
995 (Secure IMAP and secure POP).

The symptoms usually show up as small emails working fine, but as the 
socket is traffic shaped to zero, the data transfer slows down, stops, 
and then times out.
