ICANN Email List Archives

[gnso-ff-pdp-may08]



RE: [Bulk] [gnso-ff-pdp-may08] Mike R's "24/7 abuse queue" proposal

  • To: pdiaz@xxxxxxxxxxxxxxxxxxxx
  • Subject: RE: [Bulk] [gnso-ff-pdp-may08] Mike R's "24/7 abuse queue" proposal
  • From: Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>
  • Date: Mon, 4 Aug 2008 15:15:56 -0700

Paul asked:

#It's too soon to say whether there will be incremental
#costs once the web reporting and analysis form is built, but this begs
#the question: who will develop and/or maintain the capability?  

Something like a perl CGI to accept a domain name and do a dig (or series 
of digs) to compute a Mannheim score doesn't (at least at first glance)
appear overwhelmingly complex. If that's the show stopper, I can certainly
see about getting some running and easily maintained code written/donated.

#It took them a long time to come up with the WDPRS, and people still
#complain about that system.  

I'll concede that I'm one of these complainers, at least with the current
apparent "tarpitting" mods (which basically render it effectively 
unusable for folks who have material numbers of hosts which need to be
reported, IMHO, although the really high volume folks will just automate
and employ parallel streams to overcome those mods, I suspect).

#Even if we use that model, I believe it will be very important to know
#who points the finger.  

Assume it is jsmith@xxxxxxxxxxx.

What do we now know? Is jsmith@xxxxxxxxxxx better or worse than 
jsmith2@xxxxxxxxxxx? Over time you might develop an opinion, but given
that there are an infinite number of potential email addresses, there will
always be some new email addresses which are effectively "unknown", and 
in that case we're right back to basically accepting FQDNs "blind" (at
least from those new submitters). 

Or look at the other end of the spectrum. Assume that a submission is 
confirmed as coming from susan_q@xxxxxxxxxxx, a hypothetical well-regarded 
fastflux researcher.

If the domain she supplied does NOT exhibit fastflux characteristics,
would you recommend "HOLD"'ing it nonetheless, solely on the basis of
her reputation? I'd expect not -- in a case like that, I'd be looking
for typos or some other explanation, but I wouldn't hold the domain
w/o empirical supporting evidence simply because the darn thing doesn't
look fastflux-ish. 

#WDPRS has been overloaded in the past.  Without
#some sort of confirmation requirement (and the ability to block any
#senders who abuse the resource), it's not hard imagining fastfluxers
#bombarding a web form-based system with bogus reports to frustrate any
#enforcement efforts.  

But notice the beauty of FF detection processes: initial tests are
lightweight and automated, and if the domain fails those tests, well,
who cares? No one pays per DNS query, right?

If the bad guys wanted to attack any reporting service, remember that
the population of known compromised hosts at any given time is at *least*
five million hosts (e.g., the size of the CBL zone file). Thus, attempting
to limit the number of submissions of domain names per IP address doesn't 
really hurt the determined bad guy -- he's got plenty of hosts over which
to spread his hypothetical bogus submissions. Likewise, many spammers
have access to automatically created free email accounts, so attempting
to tie reports to email accounts also doesn't buy you much.

You might as well just accept the nominated domain names, check them, and 
not worry about any domains that don't check out as fastflux -- they can
just be set aside at that initial screening.

Regards,

Joe

Disclaimer: all opinions strictly my own
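An added illustration of the "lightweight, automated initial test" Joe describes above; this is example code written for this page, not anything from the thread, from ICANN, or from the PDP working group. It applies the linear flux-score of Holz, Gorecki, Rieck and Freiling ("Measuring and Detecting Fast-Flux Service Networks", NDSS 2008, University of Mannheim), which I take to be the "Mannheim score" referred to above: f(x) = 1.32 * n_A + 18.54 * n_ASN, with the domain classified as fast-flux when f(x) > 142.38, where n_A is the number of distinct A records seen across repeated lookups and n_ASN the number of distinct ASNs those addresses belong to. The "dig" runs and the prefix-to-ASN mapping are replaced by constructed data (private addresses and RFC 5398 documentation ASNs) so the check runs offline; the domain names, addresses and ASNs are invented, and the "hold-candidate" / "set-aside" labels are my own.

```python
"""
Offline "Mannheim" flux-score screen (added example, not from the thread).

f(x) = W_A * n_A + W_ASN * n_ASN ; flux if f(x) > THRESHOLD
Weights and threshold are those published by Holz et al., NDSS 2008.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple

W_A, W_ASN, THRESHOLD = 1.32, 18.54, 142.38


@dataclass(frozen=True)
class FluxScore:
    domain: str
    n_a: int      # distinct A records across all lookups
    n_asn: int    # distinct ASNs those addresses map to
    score: float

    @property
    def is_flux(self) -> bool:
        return self.score > THRESHOLD


def flux_score(domain: str,
               lookups: Iterable[Iterable[str]],
               asn_of: Callable[[str], int]) -> FluxScore:
    """Collapse a series of lookups (each a list of A records returned by
    one 'dig') into distinct addresses and ASNs, then apply f(x)."""
    addrs = {ip for answer in lookups for ip in answer}
    asns = {asn_of(ip) for ip in addrs}
    return FluxScore(domain, len(addrs), len(asns),
                     W_A * len(addrs) + W_ASN * len(asns))


# --- constructed stand-in for a prefix -> ASN lookup (no network) -------
# RFC 5398 documentation ASNs; prefixes are private space. Invented data.
ASN_BY_PREFIX: Dict[ipaddress.IPv4Network, int] = {
    ipaddress.ip_network(f"10.{i}.0.0/16"): 64496 + i for i in range(6)
}
ASN_BY_PREFIX[ipaddress.ip_network("192.0.2.0/24")] = 64511


def asn_of(ip: str) -> int:
    """Longest-match is unnecessary here: the constructed prefixes are disjoint."""
    addr = ipaddress.ip_address(ip)
    for net, asn in ASN_BY_PREFIX.items():
        if addr in net:
            return asn
    raise KeyError(f"no ASN known for {ip}")


# --- constructed "dig" results -----------------------------------------
# Flux-like: 5 lookups, each answering with one host from each of 6 /16s
# (6 ASNs), rotating the host every round -> 30 distinct A records.
FLUX_LOOKUPS: List[List[str]] = [
    [f"10.{asn_idx}.0.{round_no + 1}" for asn_idx in range(6)]
    for round_no in range(5)
]
# CDN-like: many addresses, but all inside a single ASN, same answer each time.
CDN_LOOKUPS: List[List[str]] = [[f"192.0.2.{h}" for h in range(1, 9)]] * 5


def screen(domain: str, lookups: Iterable[Iterable[str]],
           asn_lookup: Callable[[str], int] = asn_of) -> Tuple[str, FluxScore]:
    """Initial automated screen. The decision rests only on the empirical
    score: who nominated the domain is deliberately not an input."""
    s = flux_score(domain, lookups, asn_lookup)
    return ("hold-candidate" if s.is_flux else "set-aside", s)


def triage(reports: Iterable[Tuple[str, str]],
           resolve: Callable[[str], Iterable[Iterable[str]]]) -> Dict[str, str]:
    """Accept (domain, reporter) pairs 'blind'; the reporter is carried
    only for audit, never for the verdict."""
    return {domain: screen(domain, resolve(domain))[0] for domain, _ in reports}


if __name__ == "__main__":
    fake_resolver = {"flux.example": FLUX_LOOKUPS,
                     "cdn.example": CDN_LOOKUPS}.__getitem__
    for dom, lk in (("flux.example", FLUX_LOOKUPS), ("cdn.example", CDN_LOOKUPS)):
        verdict, s = screen(dom, lk)
        print(f"{dom}: n_A={s.n_a} n_ASN={s.n_asn} f(x)={s.score:.2f} -> {verdict}")
    print(triage([("flux.example", "jsmith@example.invalid"),
                  ("cdn.example", "susan_q@example.invalid")], fake_resolver))
```

The CDN case is why the ASN term carries the large weight: eight addresses in one ASN scores about 29, while thirty addresses spread over six ASNs scores about 151 and crosses the 142.38 line. In a real deployment the constructed lookup lists would come from repeated resolutions spaced over the record's TTL and the ASN map from a routing-table or whois source; the scoring and the "ignore the reporter, keep only what checks out" decision logic would be unchanged.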


