enemieslist

Internet security & antispam

July 10, 2009

A passionate cry out to Web hosting administrators

In my kick-off post in this series, I said:

Web hosting and colo providers should already be forcing low-end customers' mail through their own carefully monitored smarthosts, to reduce the amount of spam and other abuse coming from oft-compromised hosting control panel platforms such as cPanel. I used to be disgusted by the folks who named their webhosting PTRs things like "hosted.by.example.net" or "2gbamonth.for.just.7.95.example.net", but now I love them. They're just the most perfect indicators of super cheap mass virtual Web hosting, from whom I almost never want any mail unless sent through a smarthost.

I'd like to take some time to expand on that a bit. As always, this is my viewpoint as formed in the crucible of trying to create regular expressions to help classify hosts by type, so take it with that caveat.

In short, mass virtual Web hosting sucks. It's a game where only the very largest, with huge economies of scale, can hope to win, and where much of that potential profit is driven by incompetent affiliates and resellers. The race to the bottom is made clear by the sheer existence of Web hosting companies that will host your basic Web site for under ten bucks a month, or even as low as two bucks a month including free domain registration. It's the IT equivalent of selling health club memberships, but the problem is that if your host is compromised with a virus at a health club, the effects tend to be fairly localized. If your host at a Web hosting provider is compromised with a rockphish kit, you're potentially affecting the entire Internet, and enabling criminal fraud to occur through your server, so it's serious stuff we're talking about here.

That said, it's wise for us to know where the mass virtual Web hosting service providers (WSPs) are, so that we can assess the risks of accepting traffic from them. But whereas with end-user dynamic space, this tends to be easy because the hostnames are so often generated (or $GENERATEd), with webhosts we face a slightly different problem: administrator creativity.

For example, Pair is one of the oldest WSPs that I know of that is still around. We've used them for hosting our own clients, they are reasonably priced, and they have their own homegrown control panel software (as opposed to the ubiquitous, and often unpatched and vulnerable, cPanel, Ensim, Sphera, Plesk, and so on). And their servers have some of the weirdest names I can think of. We had a client on one server named kodh, and another served from a box called inyo. The former, as it turns out, is a city in India. The latter is a National Forest in the wilds of California's Sierra Mountains. Neither is immediately identifiable to the uninitiated as a mass virtual Web hosting server.

Pair wins high marks for creativity, especially compared to the pedestrian efforts of others who choose simpler themes - cities and geographical locations (pair.com, dattaweb.com, hostforweb.net, server4free.de, serverenred.com, worldispnetwork.com) easily trump the use of elements (webfusion.co.uk), deities (lunarservers.com, plusserver.de), colors (fastwebserver.de), cars (websitewelcome.com), short nouns (securenet-server.net), famous ships and spaceships (acetech-inc.net), the NATO phonetic alphabet (server4you.de), astronomical entities (lunarservers.com, websiteactive.com), peppers (my personal favorite, as well as that used by mein-webperoni.de), and, of course, the "hosted-by" or "powered-by" so popular in the Netherlands and Luxembourg. Though I will confess it's difficult to imagine the qualitative difference between being "hosted-by" and "powered-by", one can easily imagine the quantitative.

Then there are first names (asmallorange.com, mchost.ru, zonepro-serveurs.net), trees (e3linux.com), possibly U.S. Presidents (genwebhost.com), and even one host who uses Latin (not merely Roman, but Latin) numbers (eCircle AG). nocdirect.com seems to have trouble making its mind up between Lord of the Rings characters, stars and places. mschosting.com seems to be using Polynesian or South Asian names. liquidweb.com appears to favor comic book superheroes, while lunarmania.com seems to like cool-sounding names, whether from Welsh royalty, Greek mythology, or that word they use for a whole-face tattoo. Hostasaurus.com appears to let its customers choose their name, though it's still in the hostasaurus.com domain, so it's a perfect muddle of randomness as far as we're concerned. Dotcomhost? Why, Dilbert and Simpsons characters, of course. Dreamhost? Again, not sure - possibly all customer chosen.

My favorite "advertising" PTR, though, has to be this one from saol.com:

134.25.177.41-get-allinone-adsl-and-free-webhosting-for-only-r189.saol.com

If the late Billy Mays had been a web hosting admin, he couldn't have done it better. (Though he probably would have thrown in a few more PTRs just to ensure blanket, or slanket, coverage.)

So, why do we care that some admins are creative, while others seem stuck in a rut, when it comes to naming all these mass virtual Web hosting servers? Frankly, we don't, at least not much. It's a pain in the neck for us to collect all of these new names, but not that big a deal if you like long regular expressions composed of pipes. The only real issue with that choice of naming convention for EL is that it doesn't "look generic" to some, but it obviously is.

That said, the vast majority of WSPs use sensible, direct naming that indicates the servers' status and role as a virtual server, some even using the control panel package (cpanel, plesk) and/or platform (win, linux, mac) in the name. It's just that the more we look, the more we find compromised WSP servers hosting, and spewing, phishing scams. And this makes us wish that it wasn't so easy for someone paying ten bucks a month to fail utterly to prevent it from happening again, and again. It would make our job easier if they all had names like "vps24" or "plesk16" or "7.win.cpanel", but that's not likely to happen soon, if ever.
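As an added example (not Enemieslist's own rules or code), here is a small Python classifier that applies the kinds of PTR patterns this post describes: the generic vpsNN / pleskNN / N.win.cpanel shapes, the "hosted-by" / "powered-by" style, nameserver and relay names, and the advertising PTRs that embed an IP and a monthly price with or without a currency. Each name gets a role and a mail-policy hint (smarthost-only, accept, or review). The sample names, the categories, the regexes and the example-wsp.net domain are constructed assumptions of this example; only the saol.com PTR is quoted from the post.

```python
import re
from collections import Counter

# Constructed sample PTRs modelled on the naming styles the post describes.
# Only the saol.com name is quoted from the post; the rest are made up.
SAMPLE_PTRS = [
    "vps24.example-wsp.net",
    "plesk16.example-wsp.net",
    "7.win.cpanel.example-wsp.net",
    "hosted-by.example-wsp.nl",
    "powered-by.example-wsp.lu",
    "2gbamonth.for.just.7.95.example.net",
    "134.25.177.41-get-allinone-adsl-and-free-webhosting-for-only-r189.saol.com",
    "ns1.example-wsp.net",
    "smtp-out.mail.example-wsp.net",
    "kodh.example-wsp.net",          # a Pair-style "creative" name: tells you nothing
]

CONTROL_PANELS = ("cpanel", "plesk", "ensim", "sphera")
PLATFORMS = ("win", "linux", "mac")

# A dotted IPv4 address embedded in a label (e.g. "134.25.177.41-get-...").
EMBEDDED_IP = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# "for-only-r189" / "for.just.7.95": an optional short currency token, then a price.
PRICE = re.compile(r"for[-.](?:only|just)[-.]([a-z]{0,3})(\d+(?:\.\d{2})?)", re.I)

# Role rules, checked in order; the first hit wins. These are this example's
# assumptions, not Enemieslist's patterns.
ROLE_RULES = [
    ("advertising", re.compile(r"(?:for[-.](?:only|just)|a[-.]?month|free[-.]webhosting)", re.I)),
    ("hosted-by", re.compile(r"^(?:hosted|powered)[-.]by\b", re.I)),
    ("mail-relay", re.compile(r"^(?:smtp|mail|mx|relay|smarthost)\d*[-.]", re.I)),
    ("nameserver", re.compile(r"^ns\d*\.", re.I)),
    ("generic-vhost", re.compile(
        r"^(?:vps|srv|server|web|host|" + "|".join(CONTROL_PANELS) + r")\d+\.", re.I)),
    ("generic-vhost", re.compile(
        r"^\d+\.(?:" + "|".join(PLATFORMS) + r")\.(?:" + "|".join(CONTROL_PANELS) + r")\.", re.I)),
]

# What a receiving site might do with mail arriving directly from such a host.
MAIL_POLICY = {
    "advertising": "smarthost-only",
    "hosted-by": "smarthost-only",
    "generic-vhost": "smarthost-only",
    "mail-relay": "accept",
    "nameserver": "review",      # the post's "just a nameserver" that also relays
    "unclassified": "review",
}


def classify(ptr: str) -> dict:
    """Return what the PTR name reveals: role, panel, platform, embedded IP, price."""
    name = ptr.strip().rstrip(".").lower()
    role = next((label for label, pat in ROLE_RULES if pat.search(name)), "unclassified")
    labels = name.split(".")
    panel = next((p for p in CONTROL_PANELS if any(p in lbl for lbl in labels)), None)
    platform = next((p for p in PLATFORMS if p in labels), None)
    ip_match = EMBEDDED_IP.search(name)
    price_match = PRICE.search(name)
    return {
        "ptr": name,
        "role": role,
        "control_panel": panel,
        "platform": platform,
        "embedded_ip": ip_match.group(1) if ip_match else None,
        "price": price_match.group(2) if price_match else None,
        # An empty currency token is the "how much, but in what?" case the post complains about.
        "currency": (price_match.group(1) or None) if price_match else None,
        "mail_policy": MAIL_POLICY[role],
    }


def summarize(ptrs) -> Counter:
    """Count how many hosts fall under each mail policy."""
    return Counter(classify(p)["mail_policy"] for p in ptrs)


if __name__ == "__main__":
    for p in SAMPLE_PTRS:
        r = classify(p)
        print(f"{r['role']:14} {r['mail_policy']:15} {r['ptr']}")
    print(summarize(SAMPLE_PTRS))
```

The point of the `mail_policy` column is the one the post makes: a name that clearly says "mass virtual hosting" is a reason to want that host's mail only via its provider's smarthost, whereas a name like kodh forces a manual look. Real deployments would key these rules on the provider's domain rather than on bare label shapes, since "web3" under a dedicated-server domain means something different.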

So, what's the takeaway? If you're starting up a new WSP service, and heaven help you if you are, please try to put as much significance as you can in the names you choose for your servers. Distinguish between mass virtual hosting and dedicated colocation boxes. Please try to indicate whether a server is running as a nameserver, webhosting box, or mail relay, because we've seen many that cram all of these into one, and then give it the least useful name possible in our opinion (one guess: yep, it's just a nameserver - that just happens to also be their outbound relay and a mass virtual hosting box). Make sure that if you do indicate how much per month you're charging, you also indicate the currency, so we can calculate how likely it is that you have a functioning abuse desk. If you give default names to your PTRs and allow customers to choose custom ones as soon as they've been assigned a new IP, please distinguish between unassigned and assigned default hostnames (we're looking at you, thePlanet). If you give your servers names in the root zone of your domain, use a subdomain for mail or smarthosts or name service, so we can block the "generic" web hosting boxes. Of course, it's better if you put those under their own subdomain, too, but hey.

Of course, if wishes were horses, there'd be flies everywhere, as the old saying goes, so I may as well throw a few more gadfly requests in while I'm warmed up. Ideally, control panel software should disable - via packet level filters - outbound port 25 by default. At best, if that's not possible or desirable, it should route outbound traffic through a rate limiter or rate monitoring system in order to detect compromises quickly, before they get to the children. Non-rate-limited boxes should have their outbound SMTP traffic monitored for spikes, with administrative notification enabled. At the very least, default configurations should use a specified outbound smarthost, so that the reputation of the responsible party (the WSP) is affected by their failure to keep their customers' machines properly secured. If the customer wants to pay to have their own dedicated IPs and servers, and therefore their own reputation, give them their own domain name or at the very least their own delegated DNS subdomain. Don't let them hide in and around the generic default naming, or it will all suffer.
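The two defensive controls asked for above, a mandatory smarthost and spike monitoring of outbound SMTP, can be checked from a box's own outbound-connection log. Here is an added Python example (not code from the post or from any control panel product) that reads connection records, reports every direct port-25 connection that bypasses the configured smarthost, and raises a per-source alert when more than a threshold of SMTP connections occur inside a sliding 60-second window. The log format, the addresses, the smarthost and the threshold are all constructed assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed smarthost the hosting provider forces customer mail through (constructed).
SMARTHOST = "203.0.113.25"

# Assumed log line shape: "<timestamp> src=<ip> dst=<ip> dport=<port>" (constructed).
LINE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)$")


def build_sample_log():
    """Constructed sample: two well-behaved hosts, one bypassing the smarthost,
    and one compromised host firing 25 messages in 50 seconds."""
    lines = [
        "2009-07-10T11:50:00 src=192.0.2.10 dst=203.0.113.25 dport=25",
        "2009-07-10T11:50:05 src=192.0.2.10 dst=203.0.113.25 dport=25",
        "2009-07-10T11:50:07 src=192.0.2.10 dst=198.51.100.50 dport=80",   # web, ignored
        "2009-07-10T11:50:30 src=192.0.2.11 dst=198.51.100.7 dport=25",    # direct SMTP
        "2009-07-10T11:51:00 src=192.0.2.11 dst=198.51.100.8 dport=25",    # direct SMTP
    ]
    base = datetime(2009, 7, 10, 11, 52, 0)
    for i in range(25):
        ts = (base + timedelta(seconds=2 * i)).strftime("%Y-%m-%dT%H:%M:%S")
        lines.append(f"{ts} src=192.0.2.12 dst={SMARTHOST} dport=25")
    return lines


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that don't match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return ts, m.group(2), m.group(3), int(m.group(4))


def analyze(lines, smarthost=SMARTHOST, rate_limit=20, window_seconds=60):
    """Flag direct (non-smarthost) SMTP and per-source rate spikes.

    Returns {"direct_smtp": [(src, dst), ...],
             "spikes": {src: (first_timestamp_over_limit, count_in_window)}}.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> timestamps of SMTP connections in the window
    direct = []
    spikes = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, dport = parsed
        if dport != 25:
            continue
        if dst != smarthost:
            # Policy violation: this should have been blocked by the packet filter.
            direct.append((src, dst))
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        # Alert once per source, the first time it crosses the limit.
        if len(q) > rate_limit and src not in spikes:
            spikes[src] = (ts, len(q))
    return {"direct_smtp": direct, "spikes": spikes}


if __name__ == "__main__":
    report = analyze(build_sample_log())
    for src, dst in report["direct_smtp"]:
        print(f"direct SMTP bypassing smarthost: {src} -> {dst}")
    for src, (ts, n) in report["spikes"].items():
        print(f"rate spike: {src} made {n} SMTP connections by {ts.isoformat()}")
```

On the constructed sample this reports the two direct connections from 192.0.2.11 and a spike for 192.0.2.12 at its 21st connection. In production the same logic would sit behind a notification hook, and a packet-level filter would already have dropped the direct connections so that only the spike check matters.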

And, for Pete's sake, pick something better than "exotic peppers" for your clever server naming scheme.

Posted by schampeo at July 10, 2009 11:52 AM