
Resources for Cleaning Your Network

J.D. Falk

The first step (but certainly not the last) towards saving the internet from spam, malware, and other abuse is to keep your own network clean.

A friend of CAUCE, who wishes to remain anonymous, offers these tips and resources to help you identify problem traffic emanating from your network, and clean it up. Though primarily written for ISPs, many of the items below should apply equally well to any network owner.

Zero-point: Problems which aren't identified don't get fixed. So…

First and foremost, proper identification of the ISP's IPs in both RIR (APNIC) and rDNS. Along with that, working and properly processed Abuse e-mail contact for APNIC and "abuse@domain" for the generic rDNS primary domain. Correct domain whois goes hand-in-hand.

Then, in no particular order…

Block port 25 on dynamic ranges, as recommended by MAAWG.

Complaint Feedback Loops and other abuse reporting mechanisms: Spamhaus and Word To The Wise both have links to get started on those, and ISPs serious about cleaning up should subscribe all their IP ranges to as many of those FBLs as they can handle. (The best for spam detection would be subscribing to all of them but volume can get quite high so they may wish to pick and choose what fits their needs the best.)

That includes SpamCop, but it's worth its own mention. Unlike most other FBLs, SpamCop reports spamvertised URLs as well as spam source. Note that it has both direct spam reporting and "Summary" reports which provide IP-by-IP reporting for a subscribed range on an hourly or daily basis.

www.abuse.net can help them direct spam reports to the right place. SpamCop seems to look at Abuse.net, too.

CBL offers rsync of its data within terms of use posted on its website. An ISP with that data can use grepcidr across its IP ranges to identify currently active spam-bot IPs.

Spamhaus PBL provides participating ISPs with CBL's listed bots in the respective ISP's IP ranges, so that's another easy way for ISPs to get that same data.

Botnet C&C and malware related IPs identified by the FIRE group can be found by ASN with http://maliciousnetworks.org/ .

Senderbase.org, Trustedsource.org and Senderscore.org websites all have searchable reputational information which can help an ISP corroborate reports they get with a wider sample of traffic; very useful.

I'm sure there are more such resources, I'd be interested in them and I hope others will chime in, but for an ISP which is already overrun with spam issues, those websites should at least give them grist to start grinding away at the problems. I suspect the more difficult challenge will be to get them to actually back the effort.
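The CBL tip above boils down to one operation: take a feed of listed IPs and keep only the ones that fall inside your own prefixes. The following is an added example, not code from the original article or from its anonymous contributor. It reimplements what `grepcidr` does with Python's standard `ipaddress` module so it runs without that tool installed; the ISP prefixes and the CBL-style export are constructed sample data in documentation address space, not real CBL output. Adjacent prefixes are collapsed first so a bot in 198.51.100.130 is reported once under the merged /24, and malformed or comment lines in the feed are skipped rather than aborting the run.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of an ISP's allocations (RFC 5737 documentation ranges).
# Two adjacent /25s are deliberately included to show prefix collapsing.
ISP_PREFIXES = [
    "192.0.2.0/24",
    "198.51.100.0/25",
    "198.51.100.128/25",
    "203.0.113.0/26",
]

# Constructed stand-in for a CBL-style rsync export: one listed IP per line,
# '#' comments, a blank line and a malformed line to exercise the parser.
# This is NOT real CBL data.
CBL_EXPORT = """\
# constructed sample listing
192.0.2.17
192.0.2.200

198.51.100.130
203.0.113.99
8.8.8.8
not-an-ip
"""


def load_prefixes(cidrs):
    """Parse CIDR strings and merge adjacent/overlapping prefixes."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return sorted(ipaddress.collapse_addresses(nets))


def parse_export(text):
    """Yield ip_address objects from an export, skipping comments and junk."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            yield ipaddress.ip_address(line)
        except ValueError:
            # A bad line in a large feed should not stop the whole run.
            continue


def listed_in_ranges(export_text, cidrs):
    """Return {prefix: [listed IPs]} for listed IPs inside our prefixes.

    This is the grepcidr step: membership test of each listed address
    against the ISP's own (collapsed) networks.
    """
    nets = load_prefixes(cidrs)
    hits = defaultdict(list)
    for ip in parse_export(export_text):
        for net in nets:
            if ip.version == net.version and ip in net:
                hits[str(net)].append(str(ip))
                break  # prefixes are collapsed, so at most one can match
    return {
        prefix: sorted(ips, key=ipaddress.ip_address)
        for prefix, ips in sorted(hits.items())
    }


if __name__ == "__main__":
    for prefix, ips in listed_in_ranges(CBL_EXPORT, ISP_PREFIXES).items():
        print(f"{prefix}: {len(ips)} listed -> {', '.join(ips)}")
```

With real data, replace `CBL_EXPORT` with the contents of the rsynced file and `ISP_PREFIXES` with the prefixes registered to your ASN; the per-prefix grouping is what lets an abuse desk hand each customer aggregate its own list of infected hosts. Note that 203.0.113.99 is not reported: it lies outside the /26 even though it shares the /24, which is the kind of off-by-a-bit mistake a plain string grep over the feed would make.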

Any ideas? Post them in the comments, and maybe our anonymous friend will join in too.

(This article was originally published on CAUCE.org.)

By J.D. Falk, Internet Standards and Governance.

Related topics: Access Providers, Malware, Spam


Comments

"some more" (Carl Byington, May 03, 2010 11:48 AM PDT)

Take your reverse DNS zones, and periodically extract all the names and look them up on SURBL. Be sure to load limit that to avoid hammering the SURBL DNS servers, and also use the proper number of name components.

Periodically scan your IP address space on port 25, extract any domain names from the SMTP banner, and look up those names on SURBL. With the same restrictions as above.
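The two cautions in the comment above, rate limiting and querying with the right number of name components, are where SURBL lookups usually go wrong in practice. The following is an added example and is not code posted by the commenter. It reduces each rDNS hostname to its registrable domain (two labels normally, three under second-level registries such as co.uk), de-duplicates so each domain is queried once, forms the `<domain>.multi.surbl.org` query, paces the queries with a simple limiter, and reads the answer as a 127.0.0.x bitmask. Assumptions: `TWO_LEVEL_TLDS` is a short placeholder for SURBL's published two-level TLD list, `SAMPLE_RDNS_NAMES` is constructed input, the meaning of individual bits is left to SURBL's documentation, and the resolver is injectable so it can be tested without network access.

```python
import ipaddress
import socket
import time

SURBL_ZONE = "multi.surbl.org"

# Placeholder for SURBL's published two-level TLD list (assumption: a few
# well-known entries only). Names under these need three labels, not two.
TWO_LEVEL_TLDS = {"co.uk", "org.uk", "com.au", "net.au", "co.jp", "co.nz", "com.br"}

# Constructed sample of names extracted from reverse DNS zones.
SAMPLE_RDNS_NAMES = [
    "mail1.example.com",
    "www.example.com",
    "host-12.customer.example.co.uk",
    "pool-5.dyn.example.net.",
    "localhost",
]


def registrable_domain(hostname):
    """Reduce a hostname to the name SURBL actually lists, or None."""
    labels = hostname.rstrip(".").lower().split(".")
    if len(labels) < 2 or "" in labels:
        return None
    if ".".join(labels[-2:]) in TWO_LEVEL_TLDS:
        # e.g. host.example.co.uk -> example.co.uk; bare "co.uk" is not a domain
        return ".".join(labels[-3:]) if len(labels) >= 3 else None
    return ".".join(labels[-2:])


def surbl_query_name(domain):
    """Domain lists are queried as <domain>.<zone>, not reversed like IP lists."""
    return f"{domain}.{SURBL_ZONE}"


def decode_answer(answer):
    """Return the set bits of the last octet for a 127.0.0.x listing answer.

    Anything outside 127.0.0.0/8 (e.g. a wildcard or hijacked answer) is
    treated as not listed. Which list each bit means is per SURBL's docs.
    """
    ip = ipaddress.ip_address(answer)
    if ip not in ipaddress.ip_network("127.0.0.0/8"):
        return set()
    last = int(ip) & 0xFF
    return {bit for bit in (1, 2, 4, 8, 16, 32, 64, 128) if last & bit}


class RateLimiter:
    """Spaces calls at most `per_second` apart; clock/sleep are injectable."""

    def __init__(self, per_second, clock=time.monotonic, sleep=time.sleep):
        self.interval = 1.0 / per_second
        self.clock, self.sleep = clock, sleep
        self.next_allowed = 0.0

    def wait(self):
        now = self.clock()
        if now < self.next_allowed:
            self.sleep(self.next_allowed - now)
            now = self.next_allowed
        self.next_allowed = now + self.interval


def resolve_with_system_dns(qname):
    """Default resolver: A records via the system stub resolver."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(qname, None, socket.AF_INET)})
    except socket.gaierror:
        return []  # NXDOMAIN: not listed


def check_hostnames(hostnames, resolve=resolve_with_system_dns, limiter=None):
    """Dedupe hostnames to registrable domains, query each once, return {domain: bits}."""
    limiter = limiter or RateLimiter(per_second=5)
    domains = sorted({d for d in map(registrable_domain, hostnames) if d})
    results = {}
    for domain in domains:
        limiter.wait()
        bits = set()
        for answer in resolve(surbl_query_name(domain)):
            bits |= decode_answer(answer)
        results[domain] = bits
    return results


if __name__ == "__main__":
    for domain, bits in check_hostnames(SAMPLE_RDNS_NAMES).items():
        print(f"{domain}: {'listed ' + str(sorted(bits)) if bits else 'not listed'}")
```

De-duplicating before querying is the cheapest part of being polite to the list operator: a large rDNS zone typically collapses to a few hundred customer domains, and the same function applies unchanged to names pulled from SMTP banners in the second step of the comment.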

