Thursday, May 24, 2007

Reputations and Accountability

The internet is a wonderful tool, but the reality is that it's a hostile environment. There are a lot of bad actors out there trying to cause mischief, and the internet provides them a vast playground.

In the spam arena we've had a lot of work put into RBLs (lists of naughty IP addresses), but I believe it's time we took this to the next level. All spam filtering companies collect IP-based statistics, and identifying the individual bad guys doing the sending isn't terribly difficult - but we can do better.

All IP addresses are assigned from ARIN - and you can look this information up for any given IP. This ties the IP into a network that was assigned to a specific entity (and possibly delegated) - what this represents is the chain of accountability for that IP space. It is time to start getting really serious about combining the ARIN data and our spam statistics, and to light a more serious fire under all network owners.

We need a new generation of publicly available tools for holding these organizations to account. My expertise is spam fighting, but this holds just as true for security threats - networks that originate hostile network attacks need to be held to account just as much as the spam networks do. ARIN gives us physical addresses and possibly company names - add in some other databases, and let's start seriously applying reputation scores and get these in the public eye. Some parts of the internet are always going to be cesspools - let's identify them and make a framework that responsible network administrators can use to start walling off the worst of it.
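As an added illustration (not code from the original post), here is one way per-IP spam statistics could be rolled up to the network that holds each address, so the score lands on the accountable party rather than on a single IP. The allocation table, the per-IP counts and the smoothing formula are all constructed assumptions standing in for registry lookups and real filter data.

```python
import ipaddress
from collections import defaultdict

# Constructed allocation records (documentation address ranges), standing in
# for registry lookups: network -> registered holder.
ALLOCATIONS = {
    "198.51.100.0/24": "ExampleNet Holdings",
    "198.51.100.128/25": "Delegated Hosting Co",   # delegated out of the /24
    "203.0.113.0/24": "Sample Broadband",
}

# Constructed per-IP statistics of the kind a spam filter collects:
# (ip, spam messages, legitimate messages)
IP_STATS = [
    ("198.51.100.10", 2, 480),
    ("198.51.100.11", 0, 300),
    ("198.51.100.200", 950, 5),
    ("198.51.100.201", 700, 0),
    ("203.0.113.7", 40, 60),
    ("192.0.2.1", 10, 0),      # no allocation record on file
]

# Longest prefix first, so the first match is the most specific holder.
NETS = sorted(((ipaddress.ip_network(n), org) for n, org in ALLOCATIONS.items()),
              key=lambda item: item[0].prefixlen, reverse=True)

def accountability_chain(ip):
    """Every holder whose network contains ip, most specific first."""
    addr = ipaddress.ip_address(ip)
    return [(str(net), org) for net, org in NETS if addr in net]

def network_scores(stats, prior=10):
    """Spam ratio per most-specific network; the prior pulls tiny samples toward 0.5."""
    totals = defaultdict(lambda: [0, 0])
    for ip, spam, ham in stats:
        chain = accountability_chain(ip)
        key = chain[0] if chain else ("unallocated", "unknown")
        totals[key][0] += spam
        totals[key][1] += ham
    return {net: (org, round((spam + prior / 2) / (spam + ham + prior), 3))
            for (net, org), (spam, ham) in totals.items()}

def worst_first(scores):
    """Networks ordered from highest spam ratio to lowest."""
    return sorted(scores.items(), key=lambda kv: kv[1][1], reverse=True)

if __name__ == "__main__":
    for net, (org, score) in worst_first(network_scores(IP_STATS)):
        print(f"{score:.3f}  {net:20} {org}")
```

Scoring the most specific network keeps a delegated block's behaviour from being blamed on the rest of its parent allocation, while the chain still names the parent holder for escalation.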

I would particularly like to see a reputation score like this prominently displayed in Google search results for a company. Let those search results give the searcher fair warning that they are about to step into the internet slums.

1 comment:

bitmand said...

I like the idea, I really do. But there is a problem I can't imagine how to get past.

"Back in the days" spammers used open relays to send the spam. Those misconfigured servers were highly identifiable and easy to block.

But today, spammers use botnets (large volumes of Windows machines with some kind of back door installed) to send the spam. Collecting those IPs and "marking" the hostile networks would probably result in large amounts of DSL networks getting marked.
And because websites are rarely hosted on those networks it won't do much good warning about them :(

But I do like the idea of marking "bad" ISPs/networks .. on a large scale the information could definitely be used to fight spam and hostile actions.