
Resources for Cleaning Your Network

J.D. Falk

The first step (but certainly not the last) towards saving the internet from spam, malware, and other abuse is to keep your own network clean.

A friend of CAUCE, who wishes to remain anonymous, offers these tips and resources to help you identify problem traffic emanating from your network, and clean it up. Though primarily written for ISPs, many of the items below should apply equally well to any network owner.

Zero-point: Problems which aren't identified don't get fixed. So…

First and foremost, make sure the ISP's IP ranges are properly identified in both the RIR registry (APNIC, in this case) and in rDNS. Along with that, a working and properly processed abuse e-mail contact: the one registered with APNIC, and "abuse@domain" for the primary domain used in the generic rDNS names. Correct domain whois goes hand-in-hand.
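The rDNS half of that first step can be audited mechanically. The script below is an added example, not code from the original post or from CAUCE: for every host in a range it checks that a PTR exists, that the PTR name sits under the ISP's own domain (so that "abuse@" for that domain reaches the right people), and that the name forward-resolves back to the address (forward-confirmed reverse DNS). DNS goes through a caller-supplied resolver so the logic can run offline; the sample range, the domain example-isp.net, and the DNS answers in FAKE_ZONE are all constructed for the example.

```python
"""Added example (not from the original post): audit whether the PTR
records for an ISP's ranges actually identify the ISP and round-trip
(forward-confirmed reverse DNS). DNS is done through a caller-supplied
resolver so the check can be exercised offline; the default uses the
standard library. The range, domain and DNS answers are constructed."""
import ipaddress
import socket


def default_resolver(qname, qtype):
    """Minimal resolver on the standard library: 'PTR' via gethostbyaddr,
    'A' via getaddrinfo. Returns a list of strings, empty on NXDOMAIN."""
    try:
        if qtype == "PTR":
            return [socket.gethostbyaddr(qname)[0]]
        infos = socket.getaddrinfo(qname, None, proto=socket.IPPROTO_TCP)
        return sorted({info[4][0] for info in infos})
    except (socket.herror, socket.gaierror):
        return []


def audit_ip(ip, own_domain, resolve):
    """Classify one address. Returns one of:
    'no-ptr', 'foreign-ptr', 'not-confirmed', 'ok'."""
    ptrs = resolve(str(ip), "PTR")
    if not ptrs:
        return "no-ptr"
    name = ptrs[0].rstrip(".").lower()
    # Generic rDNS should sit under the ISP's own domain. A customer with
    # delegated rDNS legitimately lands here too, so this is a review flag,
    # not proof of a problem.
    if not (name == own_domain or name.endswith("." + own_domain)):
        return "foreign-ptr"
    # Forward-confirm: the PTR name must resolve back to this address.
    if str(ip) not in resolve(name, "A"):
        return "not-confirmed"
    return "ok"


def audit_range(cidr, own_domain, resolve=default_resolver, limit=None):
    """Audit every host in cidr (or only the first `limit` hosts) and
    return {ip: verdict}. Large ranges should be sampled or rate-limited
    rather than walked in one go."""
    results = {}
    for n, ip in enumerate(ipaddress.ip_network(cidr).hosts()):
        if limit is not None and n >= limit:
            break
        results[str(ip)] = audit_ip(ip, own_domain, resolve)
    return results


# Constructed DNS answers standing in for a real zone, keyed by (qname, qtype).
FAKE_ZONE = {
    ("192.0.2.1", "PTR"): ["dyn-192-0-2-1.example-isp.net."],
    ("dyn-192-0-2-1.example-isp.net", "A"): ["192.0.2.1"],
    ("192.0.2.2", "PTR"): ["dyn-192-0-2-2.example-isp.net."],
    ("dyn-192-0-2-2.example-isp.net", "A"): ["192.0.2.9"],   # stale PTR
    ("192.0.2.3", "PTR"): ["host.some-customer.example."],     # not our domain
    # 192.0.2.4 has no PTR at all
}


def fake_resolver(qname, qtype):
    """Offline stand-in for default_resolver, backed by FAKE_ZONE."""
    return FAKE_ZONE.get((qname, qtype), [])


if __name__ == "__main__":
    verdicts = audit_range("192.0.2.0/29", "example-isp.net",
                           resolve=fake_resolver, limit=4)
    for ip, verdict in verdicts.items():
        print(ip, verdict)
```

Run against the real zone by dropping the `resolve=` argument; the "foreign-ptr" bucket is the one to eyeball by hand, because it mixes customers who legitimately run their own rDNS with ranges whose PTRs were never set up properly.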

Then, in no particular order…

Block outbound port 25 (SMTP) from dynamic ranges, as recommended by MAAWG.

Complaint Feedback Loops and other abuse reporting mechanisms: Spamhaus and Word To The Wise both have links to get started on those, and ISPs serious about cleaning up should subscribe all their IP ranges to as many of those FBLs as they can handle. (Subscribing to all of them would catch the most spam, but the volume can get quite high, so they may wish to pick and choose what best fits their needs.)

That includes SpamCop, but it's worth its own mention. Unlike most other FBLs, SpamCop reports spamvertised URLs as well as the spam source. Note that it offers both direct spam reports and "Summary" reports, which give IP-by-IP figures for a subscribed range on an hourly or daily basis.

www.abuse.net can help an ISP direct spam reports to the right place. SpamCop seems to look at abuse.net, too.

CBL offers rsync access to its data, within the terms of use posted on its website. An ISP with that data can run grepcidr against its own IP ranges to identify currently active spam-bot IPs.

Spamhaus PBL provides participating ISPs with CBL's list of bots within the respective ISP's IP ranges, so that's another easy way for ISPs to get the same data.
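Both the port-25 item and the CBL/PBL items come down to the same operation: matching addresses against the ISP's own CIDR ranges. The script below is an added example, not code from the post or from CBL, Spamhaus or MAAWG. It does what grepcidr does with the standard library's ipaddress module (keep only listed IPs that fall in our ranges), and then runs the same range lookup over flow records to find hosts in dynamic ranges that are still reaching TCP/25, which is exactly the traffic the MAAWG block should have stopped. The ranges, the blocklist dump and the flow lines are constructed sample data, not real CBL output.

```python
"""Added example (not from the original post): intersect a one-IP-per-line
blocklist dump (CBL/PBL-style) with an ISP's own ranges, the way grepcidr
would, and scan flow records for dynamic-range hosts talking to TCP/25.
All inputs below are constructed sample data."""
import ipaddress
from collections import Counter

# Constructed sample of the ISP's allocations. 'dynamic' ranges are the
# ones where outbound TCP/25 should be blocked per MAAWG.
ISP_RANGES = {
    "192.0.2.0/24": "dynamic",      # TEST-NET-1, used here as a stand-in
    "198.51.100.0/25": "static",    # TEST-NET-2
    "2001:db8:1::/48": "dynamic",   # documentation prefix
}

# Constructed lines in the shape of a one-IP-per-line blocklist dump.
BLOCKLIST_DUMP = """\
# comment line
192.0.2.17
192.0.2.200
203.0.113.5
198.51.100.9
2001:db8:1::beef
2001:db8:2::1
not-an-ip
"""

# Constructed flow records: "src_ip dst_ip proto dst_port".
FLOWS = """\
192.0.2.17 203.0.113.25 tcp 25
192.0.2.17 203.0.113.26 tcp 25
192.0.2.33 203.0.113.80 tcp 80
198.51.100.9 203.0.113.25 tcp 25
192.0.2.200 203.0.113.27 tcp 587
2001:db8:1::beef 2001:db8:f::25 tcp 25
"""


def load_ranges(ranges):
    """Parse CIDR strings once; returns [(network, label), ...]."""
    return [(ipaddress.ip_network(cidr), label) for cidr, label in ranges.items()]


def match_range(addr, nets):
    """Return the label of the first network containing addr, else None."""
    ip = ipaddress.ip_address(addr)
    for net, label in nets:
        if ip.version == net.version and ip in net:
            return label
    return None


def grep_cidr(dump, nets):
    """grepcidr equivalent: keep only listed IPs that fall in our ranges.
    Comments and unparsable lines are skipped rather than aborting the run."""
    hits = []
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ipaddress.ip_address(line)
        except ValueError:
            continue
        label = match_range(line, nets)
        if label is not None:
            hits.append((line, label))
    return hits


def port25_talkers(flows, nets):
    """Count TCP/25 connection attempts per source address in dynamic ranges.
    Static ranges and submission (587) traffic are deliberately ignored."""
    counts = Counter()
    for line in flows.splitlines():
        src, _dst, proto, port = line.split()
        if proto == "tcp" and port == "25" and match_range(src, nets) == "dynamic":
            counts[src] += 1
    return counts


if __name__ == "__main__":
    nets = load_ranges(ISP_RANGES)
    for ip, label in grep_cidr(BLOCKLIST_DUMP, nets):
        print(f"listed: {ip} ({label} range)")
    for src, n in port25_talkers(FLOWS, nets).most_common():
        print(f"dynamic host {src} made {n} TCP/25 connection(s)")
```

A host that shows up in both outputs (listed by CBL and still making TCP/25 connections from a dynamic range) is the first thing to chase; one that shows up only in the flow data tells you the port-25 block has a hole.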

Botnet C&C and malware-related IPs identified by the FIRE group can be looked up by ASN at http://maliciousnetworks.org/.

The Senderbase.org, Trustedsource.org and Senderscore.org websites all have searchable reputation information, which can help an ISP corroborate the reports it receives against a wider sample of traffic. Very useful.

I'm sure there are more such resources; I'd be interested in them, and I hope others will chime in. But for an ISP which is already overrun with spam issues, those websites should at least give them grist to start grinding away at the problems. I suspect the more difficult challenge will be to get them to actually back the effort.

Any ideas? Post them in the comments, and maybe our anonymous friend will join in too.

(This article was originally published on CAUCE.org.)

By J.D. Falk, Internet Standards and Governance
Related topics: Access Providers, Malware, Networks, Spam


Comments

"some more" – Carl Byington, May 03, 2010 11:48 AM PDT

Take your reverse DNS zones, and periodically extract all the names and look them up on SURBL. Be sure to load-limit that to avoid hammering the SURBL DNS servers, and also use the proper number of name components.

Periodically scan your IP address space on port 25, extract any domain names from the SMTP banners, and look those names up on SURBL, with the same restrictions as above.
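The two checks in the comment above share one pipeline: gather hostnames, cut each down to the registrable domain that SURBL keys on ("the proper number of name components"), and query multi.surbl.org at a throttled rate. The script below is an added example, not code from the comment author or from SURBL. The reverse-zone fragment, the SMTP banners, the tiny MULTI_LABEL_SUFFIXES table and the FAKE_SURBL answers are all constructed so that it runs offline; a real deployment must load the full Public Suffix List (or SURBL's own two- and three-level lists) instead of that table, and use the real resolver.

```python
"""Added example (not from the post or the comment): collect hostnames from
an rDNS zone and from SMTP banners, reduce each to the registrable domain
SURBL expects, and look it up in multi.surbl.org at a throttled rate.
Zone lines, banners, suffix table and DNS answers are constructed."""
import re
import socket
import time

SURBL_ZONE = "multi.surbl.org"

# Constructed stand-in for the multi-label public suffixes. Real runs must
# load the full list; this covers only the sample data below.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "net.nz"}

# Constructed reverse zone fragment (BIND syntax).
RDNS_ZONE = """\
$ORIGIN 2.0.192.in-addr.arpa.
1   IN PTR dyn-1.example-isp.net.
2   IN PTR mail.shop.co.uk.
3   IN PTR web.badsite.example.
4   IN PTR dyn-4.example-isp.net.
"""

# Constructed SMTP greeting lines as captured by a port-25 scan.
BANNERS = [
    "220 mx1.shop.co.uk ESMTP Postfix",
    "220 relay.badsite.example ESMTP ready",
    "220-smtp.example-isp.net ESMTP",
    "554 no service",
]

PTR_RE = re.compile(r"\bPTR\s+(\S+)", re.I)
# A 220 greeting (space or '-' continuation) followed by a hostname.
BANNER_RE = re.compile(r"^220[ -]([A-Za-z0-9.-]+\.[A-Za-z]{2,})\b")


def names_from_zone(zone_text):
    """Pull the target of every PTR record out of a zone file fragment."""
    names = []
    for line in zone_text.splitlines():
        m = PTR_RE.search(line)
        if m:
            names.append(m.group(1).rstrip(".").lower())
    return names


def names_from_banners(banners):
    """Extract the hostname each server announces in its 220 greeting."""
    return [m.group(1).lower() for m in map(BANNER_RE.match, banners) if m]


def registrable_domain(host):
    """Keep two labels, or three when the last two form a known multi-label
    suffix. SURBL keys its lists on this form, so 'mail.shop.co.uk' must be
    queried as 'shop.co.uk', not 'co.uk' (never listed) or the full host."""
    labels = host.strip(".").lower().split(".")
    if len(labels) < 2:
        return None
    tail = ".".join(labels[-2:])
    keep = 3 if tail in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def surbl_check(domains, resolve=socket.gethostbyname, per_second=5.0):
    """Query each unique domain once, sleeping between queries so no more
    than per_second go out. Returns {domain: answer or None}."""
    results = {}
    interval = 1.0 / per_second
    for d in sorted(set(domains)):
        try:
            ans = resolve(f"{d}.{SURBL_ZONE}")
            # Any 127.0.0.x answer means listed; the low bits identify the
            # sub-list (see SURBL's documentation for the current meanings).
            results[d] = ans if ans.startswith("127.0.0.") else None
        except (socket.gaierror, OSError):
            results[d] = None  # NXDOMAIN: not listed
        time.sleep(interval)
    return results


# Constructed SURBL answers for the offline run.
FAKE_SURBL = {"badsite.example.multi.surbl.org": "127.0.0.8"}


def fake_resolve(qname):
    """Offline stand-in for socket.gethostbyname backed by FAKE_SURBL."""
    if qname in FAKE_SURBL:
        return FAKE_SURBL[qname]
    raise socket.gaierror("NXDOMAIN")


if __name__ == "__main__":
    hosts = names_from_zone(RDNS_ZONE) + names_from_banners(BANNERS)
    domains = [d for d in map(registrable_domain, hosts) if d]
    for d, ans in surbl_check(domains, resolve=fake_resolve, per_second=50).items():
        print(d, "LISTED" if ans else "clean", ans or "")
```

Deduplicating before querying matters as much as the sleep: a /16 of dynamic space produces tens of thousands of PTR names but only a handful of distinct registrable domains, so the query count stays small once the reduction is done.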

