funsec mailing list archives

Re: 95% of User Generated Content is spam or malicious


From: Rich Kulawiec <rsk () gsp org>
Date: Thu, 18 Feb 2010 09:47:31 -0500

[ I read funsec, there is no need to send a superfluous second copy
of messages to my address. ]

On Mon, Feb 15, 2010 at 09:28:08AM -0800, Tomas L. Byrnes wrote:
> If you're not using Bogons, DShield, Shadowserver, and the SRI MTC,
> you're missing the recon bots, new malware drive-by seeds, and the C&Cs.

I have my own methods, tyvm, that largely alleviate the need for me to
care about such things.   Oh, yes, I know that they exist and I have
a fair understanding of how they work, what they can do, etc., but as
I move more and more toward a default-deny model, it really doesn't matter.
(e.g., I'm sure that there are hosts that fit these descriptions in,
let's say, China.  Doesn't matter, as I've bidirectionally blocked
all traffic to every known allocated network assigned there.  Lather,
rinse, repeat for a lot of other locales.)

We are well past the time when default-permit policies are workable.
The question that everyone should be asking is "Do I *need* to accept
or send traffic to country A or network B?  And if I do, on what ports
does this need exist?  And should I rate-limit it?"  The answers are
increasingly "no, no, only a few, and yes" for nearly all operations.

So rather than using a default-permit policy and trying to list
the exceptions, we should be working in the opposite direction.

It's sad that we've reached this point, but as Ranum points out,
"enumerating badness" is a failed strategy.  And thanks to the
negligent, incompetent, cheap, lazy, stupid network operators out
there who permit abuse to escape their operations on a systemic
and chronic basis, we really have very little choice.  It's simply
not worth trying to winnow tiny amounts of wheat from enormous
amounts of chaff.

---Rsk
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
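The three questions the post poses (which networks, which ports, whether to rate-limit), turned into a small policy evaluator and set beside the "enumerate badness" blocklist it replaces. This is an added example, not code from the post or the list; the rule set, the blocklist and the sample flows are constructed with RFC 5737 documentation prefixes and are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed allowlist, RFC 5737 documentation prefixes chosen as an assumption:
# (peer network, direction, permitted ports, max new flows per minute or None)
ALLOW_RULES = [
    (ipaddress.ip_network("192.0.2.0/24"), "in", {25, 443}, 1),
    (ipaddress.ip_network("198.51.100.0/24"), "out", {443}, None),
]
BLOCK_LIST = [ipaddress.ip_network("203.0.113.0/24")]  # constructed, for comparison

class DefaultDenyPolicy:
    """Permit a flow only if a rule matches direction, peer network and port,
    and that rule's per-minute budget is not yet exhausted."""
    def __init__(self, rules):
        self.rules = rules
        self.hits = defaultdict(int)  # (rule index, minute) -> flows seen
    def decide(self, peer, direction, port, minute):
        ip = ipaddress.ip_address(peer)
        for i, (net, rule_dir, ports, limit) in enumerate(self.rules):
            if direction != rule_dir or ip not in net or port not in ports:
                continue
            if limit is not None:
                self.hits[(i, minute)] += 1
                if self.hits[(i, minute)] > limit:
                    return "rate-limited"
            return "allow"
        return "deny"  # no rule matched: the default applies

class DefaultPermitPolicy:
    """Enumerate badness: everything passes unless the peer is on the list."""
    def __init__(self, blocked):
        self.blocked = blocked
    def decide(self, peer, direction, port, minute):
        ip = ipaddress.ip_address(peer)
        return "deny" if any(ip in net for net in self.blocked) else "allow"

def compare(flows):
    """Return [(flow, default-permit verdict, default-deny verdict), ...]."""
    permit, deny = DefaultPermitPolicy(BLOCK_LIST), DefaultDenyPolicy(ALLOW_RULES)
    return [(f, permit.decide(*f), deny.decide(*f)) for f in flows]

SAMPLE_FLOWS = [  # constructed flows: (peer, direction, port, minute of arrival)
    ("192.0.2.10", "in", 443, 0),     # allowed peer and port
    ("192.0.2.10", "in", 443, 0),     # second in the same minute: over budget
    ("192.0.2.10", "in", 22, 0),      # allowed peer, port never opened
    ("198.51.100.9", "out", 443, 0),  # outbound to the one permitted network
    ("198.18.0.7", "in", 443, 0),     # peer that no list has ever heard of
    ("203.0.113.5", "in", 443, 0),    # the one peer the blocklist knows about
]
```

Running `compare(SAMPLE_FLOWS)` shows the difference in one table: the blocklist stops only the single peer it already knows, while the allowlist denies the unknown peer and the unopened port and throttles the second burst flow.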