back to article Ad hoc malware police besiege net neutrality

Over the past couple of weeks, white hat netizens have scored two important victories in their tireless quest to clean up some of the internet's darkest recesses. While the events are encouraging, forgive us if we don't jump for joy. The first win came when Directi - a registrar criticized for making anonymous domain-name …

COMMENTS

This topic is closed for new posts.
Alert

Freedom to commit crime?

Freedom of speech has never granted the right to scam and defraud others, or to spread libel or child pornography.

Freedom of speech grants the right to speak of your political, religious and scientific opinions.

0
0
Unhappy

flawed analogies

Comparing the Internet to the phone company, and comparing asking ISPs to terminate malware sites to asking the phone company to disconnect drug dealers, doesn't work. The analogy would only work if the phone. Ompany were being asked to disconnect miscrea ts who were using their phone line to tap, bug, or mizdirect other people's phone calls... And were that the case, I beg the evildoers would indeed find their phone service terminated.

As for Intercage--I have indeed complained to them, on many occasions, about spam and malware sites. In my experience, expecting them to take action is about like dropping a rose petal in the Grand Canyon a d waiting to hear an echo.

0
0
Boffin

3 points

1. Historically, before we had our various national formal "justice system", we had community justice, what we now disparage as "vigilante justice".

Community justice only goes away when a formal justice system replaces it.

2. People can say what you want about the consequences of operating system vulnerabilities being the fault of their makers.

However, cars and houses are less complex than these operating systems, and cars and houses are vulnerable to break-ins and vandalism. If it wasn't for police, our cars and houses we be as damaged as our computers.

3. You can say what you want at Speakers Corner in Hyde Park, but you have to be there saying it. You can't anonymously send a sound system to speak it for you.

0
0
Anonymous Coward

So easy to kill a domain

As the author of MailScanner, I am one of the people who provide a list of known bad phishing sites. More than once, merely the presence of a domain name on my list has been used as the evidence for the removal of a website and its domain name, and the registrant being barred from registering similar domain names in future.

I find that quite scary.

Fortunately, all the domains in my list have been manually checked by a human being, but I could, if I so wished, put a domain on the list, write a letter of complaint to a Registrar and have the domain pulled.

I shouldn't be able to do that quite so easily.

0
0
Gold badge

Due process

...requires a legal system that both registrar and registree (?) are (or agree to be) subject to. We may be on the verge of a (voluntary) realignment of DNS names so that (eventually) you will be able to predict the applicable jurisdiction simply from the domain name. As it happens, that would be an excellent development for those opposed to the kinds of scams described in the article.

Of course it cuts right across ICANN's rather stupid notion of functional TLDs, but ICANN, by their own admission, are biased to technical issues rather than legal ones. That's why they've no been no use in the fight against spam.

0
0
Bronze badge
Pirate

Getting in front of the problem

Mostly I've been observing the problem from the ISP side, but the simple countermeasure that seems to work is to make it slower and more expensive to get accounts (or domains). What this means in practice is that the more responsible companies, the companies that are making it harder for the spammers, are put at a competitive disadvantage to other companies that can grab at customers based on more convenient registration processes.

The obvious solution is to agree on standards for registration processes, and cut off the ISPs or domain registrars who cheat on the rules. If the basic rule required all customers to put up $10 up front for a domain, and required that the domain could not become active for 24 hours after registration, then at least much of the current abuse would be stopped. Of course the scammers and spammers will continue looking for other creases, but the anti-spammer standards can also change.

0
0
Thumb Down

It's about time...

As long as the agreement states when you register a domain that your site can get cut off for any illegal activity then I approve it. It's about time that they cracked down on fraud site. When Hurricane Katrina hit New Orleans there were probably a few hundred sites that popped up out of no where looking for novices/idiots to take advantage of.

There were plenty of cases at for this past summer Olympics where people bought tickets from what they thought were legitimate sites only to get nothing or fake tickets.

Registers should be at least partially accountable for who they register. If some guy decides to register a site called hurrican-ike-relief-charity.com with no proof of any type of charity registration, who's at fault? Or maybe someone who registers vmwear.com, theregistrar.com, adobee.com, etc.

0
0
Anonymous Coward

More personal control

The abilty to block traffic should extend across the routers but only be applicable to the IP that requests it.

Sure, that means move to IPv6 and everyone onto static IP. But, I would prefer control to the dropping of traffic early and of my choosing, then have someone else make that decision for me.

For those who want others to make the decision then they can subscribe to the organisations they trust, get a list, a tool and update the blocks themselves.

That ultimately is the answer, let people decide for themselves, otherwise it is to open to abuse, and is actually a security hole.

0
0

Re: Freedom to commit crime?

@Keith T:

Nobody is stating that criminals should be allowed to do harm, nor that freedom of speech should give license for criminal activity. However, the basis to determine that an actual crime has been committed is usually a legally nuanced one, and should not be arbitrarily made by the service provider. As Julian Field mentioned, a Domain Name Registrar should not be allowed to cancell service indiscriminately--which can result in financial losses--by the mere fact that someone complaint, or that your name appears in some arbitrary list presumed to be official, but compiled by (possibly anonymous) volunteers.

@Franklyn:

The analogy stands when you consider the fact that the telephone company will not discontinue service on the basis of a single complaint of one of those charges you mentioned. If considered serious, the telephone company would indeed investigate, and if a crime is suspected, the appropriate law enforcement agencies will be involved.

By contrast, as noted in the article, sometimes all it takes is a complaint or inclusion on a third party list for a domain registrar to cancel service unconditionally. As Julian Field mentioned, it is indeed scary that their lists assert such influence

-dZ.

0
0
Bronze badge
Thumb Down

Just require valid registrations

Registrars should NOT police content. They're not equipped for that. They just need to keep the registrations legitimate.

Providing accurate personal information or using a legitimate proxy manager is tough when you're a wanted criminal. ICANN has a process to deal with these fakes but it's operating a thousand times too slowly for an environment where everything is instant. ICANN needs to terminate registrars that will not put in place reasonable validation measures. You'd be surprised at how many domains are registered to a person named, "asdf, asdf." There's also a handful of crime-friendly domain proxy businesses that openly admit that they can't be contacted. Nuke 'em all and most of the spam goes away. What's left can be dealt with using proper legal procedures.

0
0
Silver badge

Intercage? Who is that?

The companies I consult for happily allow me to drop large swaths of the net at the routers. Packets to or from 69.50.160.0/19 are dropped on the floor. Makes life easier if "our side" can't even see "their side".

Network balkanization? Perhaps. But quite honestly, is ANYTHING useful hosted on IP space governed by outfits that allow 419 scams, pump&dump, pill pushers, kitty pR0n, malware, and the like? If there is, I haven't found it.

Before anyone suggests it, no it's NOT censorship. These are company owned computers, doing company business. My company, my rules. Don't like it? Go find another job.

Have intercage cleaned up their act? Frankly, I don't care. After a third of a century in this business, I've learned that once an outfit has broken basic netiquette in search of the almighty dollar, they will do it again. Once anti social, always anti social.

If (and I stress the "if") an employee requests an IP address or range be removed from the list, I'll look into it ... but after 10 years of aggressive blocking, it hasn't happened yet.

Result? Happy clients, with fewer computer problems. Win-win.

0
0
Silver badge

Now let's be serious

I'm as annoyed by spam and malware as anyone (that is, a bit less than Joe Bloggs as I have a fast bayesian filtering software, a rather stringent firewall and reasonably safe machines -yes, it means that MS went, well, through the window).

BUT

I would laugh at all these "illegal this" and "unlawful that". Whose laws are we going to enforce? Should we pull the plug on all, herm, "extreme porn" domains, illegal in the UK but most likely perfectly lawful in most other western countries? I'm pretty sure that a few middle-eastern countries would like to shut a few domains down, too, based on laws that we judeo-christian westerners would find ridiculous. I'm almost sure that China have a few laws that some major "legit" websites in Europe or North America fail to comply with. The domains should be axed, surely?

So, yes scams and spam /et al./ are pains in the neck, but pulling the plug on the domains on behalf of self-serving flashmobs (with the best intentions, as always) is a very, very, very bad idea. And a bit overkill, too. After all, if it didn't work, no-one would bother sending spam or crafting "you've got a virus" websites. It takes one thing: education. And LARTing. Especially LARTing. A lot of it. And, if you ask, wiping MS crap from the face of the earth would probably help, too (alternatively, they could try and stop producing sleazy, exploit-friendly software that teaches lusers to just click OK to everything)

0
0
Silver badge
Flame

How do you deal with rogue providers in Western-hostile countries?

Please take a look at the question I posted. This is part of the problem. If the provider is located in a country hostile to Western interests, then they'll *want* to keep the service running, since they are hostile to the services of the West who would be complaining about it (think Baidu). Also, disreputable providers aren't going to follow the rules and will be stationed in locations not subject to ICANN. It's like the phrase, "If guns are outlawed, then only outlaws will have guns."

0
0
Silver badge

@jake

A common strategy of some disreputable providers is to slip themselves into the same web servers as perfectly-legitimate services. That way, if the IP is blocked, then so is the legitimate service. It's been reported here before IIRC. This is one reason for drive-by attacks--it works on the same principle of slipping the malware into genuine websites that cannot be filtered without undue consequences (such as say blocking CNN or the BBC).

0
0
Bronze badge

The problem is simple

As soon as a single spammer uses an ISP's mail servers, one of these spam blacklisters will blacklist the entire ISP until said ISP ponies up some cash for administrative costs and proves they've kicked off the spammer.

I've had my isp blocked before. I've worked for ISPs that were blocked. It's racketeering and it harms the little people most of all.

0
0
Silver badge

Hey Charles

"If the provider is located in a country hostile to Western interests".

I'm sure some bloke in China is posting exactly the same comment on ElReg.cn. Only the other way round. That's why, not only is it impossible, but also fundamentally wrong (in the moral sense) to think that one is entitled to rule something like teh Intarwub according to one's best loved laws (especially as in this case it's not law-based but flashmob-based). I dislike spam and scams, but I don't want Team America to play vigilante on "my" intertubes either.

"It's like the phrase, "If guns are outlawed, then only outlaws will have guns." "

I won't follow you there, because I believe that a bit more of control over gun carrying could save lots of lives in the US. And presumably relieve stressed cops a bit. Which would mean less abuse and less "regrettable" shooting of innocent passerbys. It doesn't have to be an interdiction, and I don't pretend that I have a solution (not my job), but in some areas in the US every other person you come by in the street have a gun in their glove box, their purse, or both. Which is certainly a huge liability, for no visible (to me) benefit. Actually, requiring a license (as in "driver licence") and making it illegal to carry a gun while drunk or stoned would be a good start (Guns are not less letal than cars, are they?)

Sadly (or not), these things are not enforceable for computers (permit? Are you kidding? And if you make it illegal to use a computer while drunk or stoned, it's the whole IT sector that disappears!).

0
0
Silver badge

@Charles

>A common strategy of some disreputable providers is to slip themselves

>into the same web servers as perfectly-legitimate services.

The legit services clean up their act and put measures into place to see that that line of attack isn't possible anymore. Not an issue. But I thought we were talking email, not WWW.

>That way, if the IP is blocked, then so is the legitimate service.

>It's been reported here before IIRC.

::shrugs:: I'm protecting the computers I'm paid to protect. If the legit services continue to host antisocial services, my userbase doesn't need to access their IP space. Makes life easier for everybody.

>This is one reason for drive-by attacks--it works on the same principle

>of slipping the malware into genuine websites that cant be filtered

>without undue consequences

I use a different block list for the Web (and Gopher!). And another one for FTP. Etc.

>(such as say blocking CNN or the BBC).

Who? You mean my users should be reading the entertainment press whilst at WORK? What color is the sky in your world? And again, how did we manage to change the subject from email to the Web?

0
0
Thumb Down

WOW!!! Just Poor Logic

So I assume simple examples as Google's efforts to prevent surfers going to exploit web sites, Open DNS preventing phishing web sites........ these break Net Neutrality.

Hang on do no not stop there:

- my anti-virus stops someone from stealing my ID, I must take it off my PC?

- Dan's latest article warns about an SQL injection, he is restricting some hackers rights to screw me and everyone else?

At last, some of the community (ad-hoc's) successfully persuade a few providers to be good 'netizens' or Atrivo / Intercage is isolated by the community after many years of unrestricted thievery. This is bad?

0
0
Paris Hilton

Don't worry about Anti Western

Western nations have destroyed their own culture long time ago, what we have now is a rootless generations doing as they are told by the media and entertainment industry.

As for "hostile nations" aka Arabs, Muslims; they are not interested in destroying us, and for very good reason. Our "way of life" is annihilating us, our future, while we blame our victims simply because they are not white, or European. Sabotaging our media & entertainment industry would be like saving us -- no sane enemy would want to do that.

PS: Western leaders have banned guns for public -- save for America so your example "If guns are outlawed, then only outlaws will have guns" is very misleading.

0
0

This post has been deleted by a moderator

Bronze badge

@jake

If intercage hadn't found an 11th hour lifeline, their IP block would have been reassigned to someone else. What then? I understand why you're blocking an entire subnet at your end but it leads to problems in cases like this.

We've had our IP for years hosted with a perfectly respectable firm in the US, yet for a while two years ago we were having trouble getting our mail out. Turns out SORBS had decided our IP might be dynamic because the DNS TTL (which we had no control over) was under some arbitrary minimum they'd just decided on. That one only took me a week to fix, thanks to a responsive ISP getting in touch with them.

My point is overzealous sysadmins can and do cause problems - so tread lightly. Yes, it will increase your spam marginally, but you're filtering it already right? Overshoot the mark and your users will just work around you by using hotmail etc.

0
0
Thumb Down

Stop the problem at the source

While this could go around in circles for days, we tend to overlook the fact that the domain name registration process has been made as simple as possible. No real checks are done if you wish to register a domain, in fact some "resellers" advertise they will never ask your name so that it could never end up in the hands of law enforcement.

I could use a gift credit card to register a domain right now using the name Margaret Thatcher of some fake UK address while I am sitting in anywhere but the UK, shop on the internet for a telephone number and register using a free Gmail account as a point of contact. Then I abuse the free privacy provided in the competitive registrar market or simply use MelbourneIT with their bastardized whois showing a name you supply and their address. While I am at it I use a proxy. Now I am set to go phishing/scamming/herding. Total cost less than $10.00, however free domains do exist as well (MS Online). Free hosting with email facilities is to be had as well.

Fact: criminal domains are hardly ever registered with valid registration details.

I has never been easier to register a domain, real checks simply do not exist for most registrars.

So why should we then use excuses as to why a domain should be holy? In fact the difficulty with which domains are normally canceled is exactly what I would count on in my registrar selection process if I wish to use it for criminal actions.

To turn this picture around, law enforcement have their hands full. International LEA cooperation simply does not exist for the bulk of the victims. The UDRP is not the answer for criminal websites that sprout up faster than mushrooms. Once I have been conned the chance of recovering my money is virtually nil. If my identity is stolen I have forever lost my privacy. In fact I would have to spend more money, much more than $10.00 to get back on track and undo the damage done to me. People lose their livelihoods, privacy etc via malicious domains.

There are groups that specialize in certain abuse type. Domains are not canceled merely based on suspicion as was implied, it is not a free for all, registrars do not accept "hey - joeblogs.com is bad , terminate the domain" statements. Registrars are not stupid. In fact it takes time for them to know they can trust you and that trust is based on detailed abuse reports with evidence and a lot of hard work after ensuring a site has not been hacked and then abused. You only have to get it wrong once to destroy that trust.

We also need define unacceptable. Pornography may be acceptable, child pornography is not. Political sites are acceptable, phishing is not, 419 scams is not, malware is not, money mule domains not, escrow/couriers scams not. Especially unacceptable are those domains that are used to entrap an unsuspecting victim at home via email or in drive by infections.

We can draw a clear line between criminal and geographic/social undesirability. Registrars dare not touch the second group, but it is and should be open season on the first group.

0
0
Silver badge

@ A. Cowherd

" If intercage hadn't found an 11th hour lifeline, their IP block would have been reassigned to someone else. What then? I understand why you're blocking an entire subnet at your end but it leads to problems in cases like this."

IF it gets reassigned, and IF an employee requests that I open up that block, and IF I decide that the employee's request is valid, then I'll open the block. That's a lot of ifs. Hasn't happened yet, and I've been aggressively blocking for ten+ years.

Yes, the employees of the various companies know they can call me if they have issues mailing or accessing j-random.site. I get about one call a week, it's always either "no, you can't do that with the company's computers" or PBKAC.

" We've had our IP for years hosted with a perfectly respectable firm in the US, yet for a while two years ago we were having trouble getting our mail out. Turns out SORBS had decided our IP might be dynamic because the DNS TTL (which we had no control over) was under some arbitrary minimum they'd just decided on. That one only took me a week to fix, thanks to a responsive ISP getting in touch with them."

You don't have control of your own DNS? There's your problem ... I understand that email is not guaranteed to be delivered (read the RFCs if you don't believe me), but if an organization is making extensive use of email, it should at least stack the deck in its own favo(u)r ...

" My point is overzealous sysadmins can and do cause problems - so tread lightly. Yes, it will increase your spam marginally, but you're filtering it already right? Overshoot the mark and your users will just work around you by using hotmail etc."

I don't find blocking access to and from malware, kitty pR0n, pumpndump, 419 scams, pill pushers and the like "overzealous". As for spam, what's that? Hotmail? No. It's blocked. If if the employees (not users, employees!) try to work around the blocks using proxies (I have an ever growing block list of proxies ...) they get a warning. Strike two, they are fired. These are COMPANY computers. We do work with them, we don't play on them.

0
0

This post has been deleted by a moderator

This topic is closed for new posts.

Forums