[governance] IGP Alert:

Suresh suresh at hserus.net
Fri Nov 9 21:13:35 EST 2007


Adam Peake wrote:

> How much spam is filtered in transit?

Zero, these days.  ISPs may apply spam filters at the edge of *their* network,
routers blocking packets from certain sources.  Certainly not transit.

Back in the old days, the original MAPS RBL got its name as a Realtime
Blackhole List - at least two tier 1 providers, Abovenet and Teleglobe - were
nullrouting IPs that appeared on the RBL.  That stopped a few years into the
life of MAPS, and after that MAPS gradually went into decline till it was sold
to Trend Micro and is currently part of yet another vendor spam filtering
solution.

Currently, the one example I can think of is ISPs filtering bogons / martians
(lists such as the one maintained by bogons.cymru.com) - that means IPs that are
reserved for special purposes as defined by IANA, as well as currently
unallocated netblocks - bogons.cymru.com is kept current.  But IANA reserved
and unallocated netblocks don't normally originate packets, and any you see are
likely to be random spoofed source address traffic - frequently malicious.
Filtering these is sound network best practice.

For more active filtering, there are advisories such as those published by
Spamhaus in their DROP list, that advise ISPs "Don't Route Or Peer" with certain
malicious ASNs / netblocks - for example the DROP list lists currently known
netblocks announced by the Russian Business Network.
http://www.spamhaus.org/drop/

However in most cases ISPs use that as an ACL on their border routers.  And the
DROP list contains a very small number of netblocks under the direct control of
spam gangs / malware operations (that is, they've got these allocated to them
direct from the RIR such as ARIN etc - and use them in interesting ways, such
as, as "ghost ASs" - get announced by some random ISP in Eastern Europe or
South Asia, or announced in a way to take advantage of inadequate prefix
filtering - pump out spam / launch malware etc - and then simply disappear till
it pops up somewhere else).

The number of ASNs that do that and need such treatment is vanishingly small
compared to the number of entries in the main SBL list, which is intended as a
blocklist to be applied on mailservers.  Using blocklists such as SBL, or other
filters (HELO based etc), spam is blocked at the mailserver's edge.  

You can't push spam filtering onto users, trust me:

[1] It won't scale
[2] Most users lack the capacity to do so
[3] Most users would rather you don't give them a completely unfiltered feed of
email and let them poke through the sludge to find valid mail.

The flip side is that ISPs must have a mature false positive reporting and
handling process (which we do at any rate, and which is best practice as
advocated by MAAWG - www.maawg.org).

--srs
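The post describes two kinds of border filtering: dropping packets whose source is a bogon (IANA special-purpose or unallocated space) and applying an advisory list such as DROP as an ACL on border routers. The script below is an added example, not code from the post or from Spamhaus or Team Cymru: it parses a constructed DROP-style text (the `<cidr> ; <reference>` layout and the SBL-PLACEHOLDER labels are assumptions), combines it with the IANA special-purpose IPv4 prefixes from RFC 6890, classifies constructed sample source addresses with first-match semantics, and renders the rule set as illustrative Cisco IOS style `access-list` lines. The unallocated-space part of a real bogon list is deliberately left out, since that set changes as blocks are allocated and must come from a maintained feed.

```python
"""Source-address filtering the way a border-router ACL does it.

Added example. The DROP-style text and the sample source addresses are
constructed for illustration; the reserved prefixes are RFC 6890 values.
"""
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

Rule = Tuple[ipaddress.IPv4Network, str]

# IANA special-purpose IPv4 prefixes (RFC 6890). A deployed bogon filter
# would add currently unallocated space from a maintained feed, because
# that part of the list goes stale as netblocks are handed out.
RESERVED_V4 = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
]

# Constructed DROP-style advisory text: one "<cidr> ; <reference>" per line,
# ';' starts a comment. The prefixes are documentation ranges standing in
# for listed netblocks; the references are placeholders, not real SBL ids.
DROP_TEXT = """\
; constructed sample, not real data
198.51.100.0/24 ; SBL-PLACEHOLDER-1
203.0.113.0/24 ; SBL-PLACEHOLDER-2
"""


def parse_drop_list(text: str) -> List[Rule]:
    """Turn DROP-style text into (network, reason) rules, skipping comments."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        cidr, _, ref = line.partition(";")
        net = ipaddress.ip_network(cidr.strip(), strict=False)
        rules.append((net, f"DROP {ref.strip()}"))
    return rules


def build_rules(drop_rules: Iterable[Rule], reserved: Iterable[str]) -> List[Rule]:
    """Order matters: like an ACL, the first matching rule decides."""
    rules = list(drop_rules)
    for cidr in reserved:
        net = ipaddress.ip_network(cidr)
        rules.append((net, f"bogon {net}"))
    return rules


def classify(src: str, rules: Iterable[Rule]) -> Optional[str]:
    """Return the reason for the first matching rule, or None if permitted."""
    addr = ipaddress.ip_address(src)
    for net, reason in rules:
        if addr in net:
            return reason
    return None


def summarize(sources: Iterable[str], rules: List[Rule]) -> Dict[str, int]:
    """Count how a batch of packet sources would be treated by the ACL."""
    counts: Counter = Counter()
    for src in sources:
        counts[classify(src, rules) or "permitted"] += 1
    return dict(counts)


def to_ios_acl(rules: Iterable[Rule], acl_number: int = 101) -> List[str]:
    """Render deny lines (network + wildcard mask) with a closing permit."""
    lines = [
        f"access-list {acl_number} deny ip {net.network_address} {net.hostmask} any"
        for net, _ in rules
    ]
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    acl = build_rules(parse_drop_list(DROP_TEXT), RESERVED_V4)
    # Constructed sample sources: one DROP-listed, one RFC 1918 spoof,
    # one multicast, one arbitrary address outside both lists.
    sample = ["198.51.100.23", "10.1.2.3", "239.1.1.1", "11.22.33.44"]
    for src in sample:
        print(f"{src:>16}  ->  {classify(src, acl) or 'permitted'}")
    print(summarize(sample, acl))
    print("\n".join(to_ios_acl(acl)))
```

Because the DROP rules are placed ahead of the reserved prefixes, an address in 198.51.100.0/24 reports the DROP reference rather than the bogon match; swapping the order changes what the logs attribute the drop to, which is the usual ACL ordering concern when two lists overlap.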
____________________________________________________________
You received this message as a subscriber on the list:
     governance at lists.cpsr.org
To be removed from the list, send any message to:
     governance-unsubscribe at lists.cpsr.org

For all list information and functions, see:
     http://lists.cpsr.org/lists/info/governance
