Maybe PHBs and “security professionals” will start to take notice…
July 8th, 2007 • web
Much of my day-to-day work involves fending off spam and keeping blacklists at bay. For a few years now, I’ve known that spam blacklists are a pretty pathetic answer to the spam problem and that they’re just as bad as so-called whitelists. Sure, whitelists are very handy, but they suffer from the same problems as blacklists: false information and impersonation. Whitelists work by denying all mail from anyone or any domain not on your list; however, spammers can circumvent this with ease by simply spamming you until something makes it through, then using that one address/domain to spoof all their mail, and now you’re getting hundreds of penis-enlarging-patch emails. Oh no, what to do?! Since you’ve previously trusted this domain and it’s a well-respected domain in your eyes, do you add it to your deny list or just quarantine the bad mail? Blacklists have the same problem and work in the same manner: they are lists of who you don’t want mail from, but they are easily subverted. If you have a Hotmail account, you know all about receiving spam in your supposedly secure inbox. (Hotmail “requires” an SPF record for proper mail delivery and has a signature-based secondary engine. However, I haven’t used my Hotmail address in years and I still get nothing but spam in it; these domains do not have the required SPF records and are obvious spam, yet they end up in my inbox. I’m told “they’re working on it.”)
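The whitelist failure described above, as an added example that is not part of the original post: a whitelist keyed only on the claimed sender domain accepts a forged envelope sender, while a whitelist that also ties the domain to its authorized sending hosts (the idea behind the SPF record Hotmail asks for) rejects it. The domain, networks and messages are constructed for the example, and the SPF policy is hard-coded in a table rather than fetched from DNS so it runs offline.

```python
"""Why a sender-domain whitelist alone is easy to spoof, and what an SPF-style
check adds. Added illustration; the policies, hosts and messages below are
constructed for the example and are not from any real domain."""
import ipaddress
from email.utils import parseaddr

# Domains this site has chosen to trust (the "whitelist" the post describes).
WHITELIST = {"trusted-partner.example"}

# Constructed stand-in for SPF: which networks may send mail for a domain.
# Real SPF policies live in DNS TXT records (v=spf1 ip4:... -all); this table
# hard-codes the equivalent so the example runs offline.
SPF_POLICIES = {
    "trusted-partner.example": [ipaddress.ip_network("203.0.113.0/24")],
}


def envelope_domain(mail_from):
    """Domain of the envelope sender (SMTP MAIL FROM), which SPF evaluates."""
    _, addr = parseaddr(mail_from)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def domain_whitelist_verdict(msg):
    """Naive whitelist: accept if the claimed sender domain is trusted."""
    return "accept" if envelope_domain(msg["mail_from"]) in WHITELIST else "deny"


def spf_whitelist_verdict(msg):
    """Whitelist that also requires the connecting IP to be authorized for the
    domain. A forged sender on an unauthorized host is denied."""
    domain = envelope_domain(msg["mail_from"])
    if domain not in WHITELIST:
        return "deny"
    client = ipaddress.ip_address(msg["client_ip"])
    allowed = SPF_POLICIES.get(domain, [])
    if any(client in net for net in allowed):
        return "accept"
    return "deny"  # SPF-style "fail": trusted domain, wrong sending host


# Constructed sample traffic: one genuine message, one with a forged sender.
LEGIT = {"mail_from": "Alice <alice@trusted-partner.example>",
         "client_ip": "203.0.113.10"}
SPOOFED = {"mail_from": "alice@trusted-partner.example",  # forged envelope sender
           "client_ip": "198.51.100.7"}                   # unrelated host

if __name__ == "__main__":
    for name, msg in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(f"{name:8s} domain-only={domain_whitelist_verdict(msg):6s} "
              f"with-spf={spf_whitelist_verdict(msg)}")
```

The naive check accepts both messages; the SPF-style check accepts only the one that arrives from a host the trusted domain actually publishes. Real SPF also evaluates the HELO identity and mechanisms such as `include:` and `~all`, which this table omits.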
So I’m scanning the BinRev forums today and I see an aggregated feed from root-secure.net about blacklisting blacklists, so I’m naturally intrigued given my job. The article from Sunnet Beskerming talks about how useless blacklists are becoming and how antiquated a technology they are. It talks about how different information vectors are playing an important role in making blacklists obsolete and inaccurate. The determined spammer/hacker/”security expert” will use these failing technologies to their advantage, since it’s trivial these days to spoof your identity and mask your origin or intent. The main focus of the article is the new phishing/forgery recognition modules built into popular browsers such as Opera, Firefox, and Internet Explorer. Circumventing these banned-website lists is as trivial as downloading pirated music today. Microsoft amazingly acknowledges that its anti-phishing module in IE7 (most likely based on or using the original code from SpoofStick IE) is “not a security feature”, but why don’t they disseminate that information past IT professionals? My mother wouldn’t know a PayPal phishing site from www.paypal.com itself, and if the phishing site was subverting IE’s blocklist, she can kiss her information goodbye. These blacklists now lack granularity and positive information.
Spam blacklists fall prey to exactly the same problems, plus one more: many people running RBLs have vendettas against other people, companies, and other RBLs. One such list is APEWS, which has recently sprung up out of nowhere. They seemingly block anything they want and never block single IPs, but almost always anything from a /15 to a /24. They’re even blocking other blacklists and spam-prevention companies with their list, because that’s how they operate. The /15 that your server resides on at your datacenter might be blocked by APEWS because of a single server spewing spam to their traps, and now this is affecting thousands of customers and, potentially, tens or hundreds of thousands of mail recipients. And how do you get off this blacklist? You don’t. The list is (almost) completely anonymous, and the only way to “contact” the admins of the list is to post in newsgroups that only the most dedicated of reporters use. Now, I prefaced that with “almost” because there have been one or two posters to these groups who have slipped up and, in so many words, stated that they are behind APEWS. This is only one such list that unwitting “professionals” and “experts” use every day to block your perfectly legit email.
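The range-listing problem above, as an added example that is not part of the original post and not APEWS’s or any real list’s data: a DNS-based blacklist is queried by reversing the IP’s octets under the list’s zone, and when the operator lists a /15 because of one host, every other address in that block answers as listed too. The zone name `rbl.example`, the listings and the customer allocations are constructed, and the lookup is answered from a local table instead of DNS so the example runs offline.

```python
"""How a DNS-based blacklist (RBL/DNSBL) lookup works and how wide-range
listings cause collateral damage. Added illustration; the zone name and
listings are constructed, and lookups are answered from a local table."""
import ipaddress

RBL_ZONE = "rbl.example"  # hypothetical DNSBL zone

# Constructed listings: the whole range the list operator chose to block and
# the single host whose spam-trap hits caused the listing.
LISTINGS = [
    {"network": ipaddress.ip_network("198.51.100.0/24"), "offender": "198.51.100.200"},
    {"network": ipaddress.ip_network("198.18.0.0/15"),   "offender": "198.18.77.5"},
]


def dnsbl_query_name(ip, zone=RBL_ZONE):
    """Name a mail server would resolve: octets reversed under the list zone."""
    octets = str(ipaddress.ip_address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def lookup(ip):
    """Return the listing covering ip, or None (stands in for the DNS answer)."""
    addr = ipaddress.ip_address(ip)
    for entry in LISTINGS:
        if addr in entry["network"]:
            return entry
    return None


def collateral_hosts(entry):
    """Addresses blocked by a listing other than the offending host itself."""
    return entry["network"].num_addresses - 1


def affected_customers(entry, customer_ranges):
    """Customer allocations that sit entirely inside a listed block."""
    listed = entry["network"]
    return [c for c in customer_ranges
            if ipaddress.ip_network(c).subnet_of(listed)]


if __name__ == "__main__":
    # Constructed: our own mail server and a few customer /24s at the datacenter.
    my_server = "198.19.200.10"
    customers = ["198.19.200.0/24", "198.18.5.0/24", "203.0.113.0/24"]
    print("query:", dnsbl_query_name(my_server))
    hit = lookup(my_server)
    if hit:
        print(f"{my_server} is listed via {hit['network']} "
              f"(offender {hit['offender']}); "
              f"{collateral_hosts(hit)} other addresses share the listing")
        print("affected customer ranges:", affected_customers(hit, customers))
```

For the /15 listing the server is caught along with 131,071 other addresses and two of the three customer allocations, even though none of them sent anything to the trap; a /24 listing for the same kind of single offender takes 255 neighbours with it.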
How do RBLs and phishing block lists correlate? Both are falling prey to people working at a much faster pace than they are, and those people are outwitting them every day. Spammers subvert blacklists every day with zombie botnets and vulnerable scripts that improperly handle input validation. Phishers hop right over phishing blacklists with ease by closely mirroring legit sites and sometimes even using previously deemed “safe” companies to host their phishing scams. As defenders, our technology is always two steps behind our attackers’, and the antiquated protocols that we use today are at the root of the problem. Things like full disclosure, partial disclosure, and full information dissemination via numerous media also keep us behind trends instead of ahead of them. If so many people didn’t whine and complain about not having full disclosure when a problem is found, many problems could be averted from the beginning. Then again, lack of disclosure helps the attackers even more, since they like to boast about their conquests, only to have the vendor develop a patchwork solution later on, at the end of the attack.
The last paragraph of the original article sums it up best: we, as systems and network admins and engineers, need to step up, recognize the huge failures of our current technology, and do our damnedest to stay afloat.
It is also time that people became aware of the problems that these lists can cause when improperly developed and maintained (and even when they aren’t).