D&C GLug - Home Page


Re: [LUG] OT: abusive IP address list processing or blocklist for web spam

 

On 17/01/13 15:23, Martijn Grooten wrote:
> 
> I think there are good (performance) reasons to proxy HTTP traffic
> from mobile devices, like there are good reasons to route SMTP traffic
> from home users through the ISP's MTA. I'm not saying it's always a
> good thing and I see your point about making filtering more difficult,
> but neither with comment spam, nor with email spam you're solely
> dependent on the IP address to make a decision.

Having lived in the Internet before ISPs routed SMTP traffic, and many
don't, the reason it was done was for trying to deal with the spam
problem. The trouble is no one stopped and asked "is this helping?"
after they did it in one place. Some ISPs did it differently, and
better, AOL springs to mind.

Do you know what the performance benefits from the proxies are?

I can imagine it reduces traffic to peers and transit providers
slightly. I can imagine many ways it could help, but in practice
switching between broadband (some with transparent proxies some without)
and data services, I don't experience anything compelling to convince me
it is helping.

The most likely area would be that the proxy could be tuned to handle
dropped packets slightly more elegantly, and the other vagaries of
wireless, since the defaults for TCP weren't that clever, although most
of those apply to Wi-Fi as well. But I'd need hard data, I suspect my
HTTP traffic is proxied so O2 can exercise control over me (even though
I'm with giffgaff).

>> On a similar note some of this traffic is from Tor. I did wonder if all
>> of it is, but not sure how I would tell.
> 
> I was somewhat surprised that it exists, but there's a DNS-based list
> that lets you tell whether an IP address is a Tor exit node:
> 
> https://www.torproject.org/projects/tordnsel.html.en
> 
> (Strictly speaking, it doesn't tell you whether the traffic is coming
> from Tor. Someone may make a non-Tor request from the exit node.)

I'll look again, but I don't think any of these can guarantee to be
complete, even if run by Tor. I seem to recall finding servers with tor
in the reverse DNS that are missing, and it seems implausible to put tor
in the rDNS to make folks love your traffic.

> No. But it interests me. And sometimes understanding the business
> model behind some rogue Internet activity can help fight it. (Though
> rarely ever at the level of a single organisation.)

There is a fair variety, a lot of link building, a lot of fake handbags
and boots and other big brand name rip-offs.

>> Although given the resources they are prepared to dedicate to it I
>> suspect it must be immensely profitable.
> 
> Perhaps. I wouldn't be surprised if there is a scheme where those
> running the commenting network simply convince 'advertisers' that
> there's money to be made. A lot of email spam isn't profitable for the
> advertiser; it may still be profitable for the spammer.

They are the ones that matter from my end.

On an individual basis this traffic is worthless to them, the resulting
abusive messages are no longer crawled or indexed by Google, but they
haven't noticed that yet I suspect.

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
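
The DNS-based Tor exit lookup mentioned in the thread, sketched as an added example that is not part of either poster's message: it checks the client addresses from access-log lines and keeps "listed", "not listed" and "lookup failed" apart. The zone name, the 127.0.0.2 answer, the sample log lines and the stub resolver are assumptions or constructed data, not taken from the thread.

```python
import ipaddress
import socket

# Assumptions (not from the thread): zone name and "listed" answer follow the
# Tor Project's DNSEL convention; check the linked page for the current format.
DNSEL_ZONE = "dnsel.torproject.org"
LISTED_ANSWER = "127.0.0.2"

def dnsel_name(client_ip, zone=DNSEL_ZONE):
    """Build the DNSBL-style query name: reversed IPv4 octets + zone."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 4:
        raise ValueError("IPv4 only in this sketch")
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def system_resolver(name):
    """Return A records, [] for no such name, None when the lookup failed."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        return None if exc.args[0] == socket.EAI_AGAIN else []

def classify(client_ip, resolver=system_resolver):
    answers = resolver(dnsel_name(client_ip))
    if answers is None:
        return "unknown"  # resolver trouble: never read this as "not Tor"
    # "listed": the address is a known exit node, not proof the request used Tor.
    # "not-listed": absent from this list only; the list may be incomplete.
    return "listed" if LISTED_ANSWER in answers else "not-listed"

def classify_log(lines, resolver=system_resolver):
    """Classify each distinct client IP (first field of an access-log line)."""
    results = {}
    for line in lines:
        fields = line.split()
        if not fields or fields[0] in results:
            continue
        try:
            results[fields[0]] = classify(fields[0], resolver)
        except ValueError:
            results[fields[0]] = "skipped"  # not an IPv4 address
    return results

# Constructed sample data (documentation address ranges) and a stub resolver.
SAMPLE_LOG = ['203.0.113.7 - - [17/Jan/2013:15:30:01 +0000] "POST /comment HTTP/1.1" 200 512',
              '192.0.2.44 - - [17/Jan/2013:15:30:05 +0000] "GET / HTTP/1.1" 200 4096',
              '198.51.100.9 - - [17/Jan/2013:15:30:09 +0000] "POST /comment HTTP/1.1" 200 512',
              '2001:db8::1 - - [17/Jan/2013:15:30:12 +0000] "GET / HTTP/1.1" 200 4096']
STUB_ZONE = {"7.113.0.203." + DNSEL_ZONE: [LISTED_ANSWER], "9.100.51.198." + DNSEL_ZONE: None}
def stub_resolver(name):
    return STUB_ZONE.get(name, [])
```

Calling `classify_log(SAMPLE_LOG, stub_resolver)` runs offline; dropping the second argument sends real DNS queries through the system resolver.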