Question re: privacy regulation (USA)

2007-04-07 Thread Martin Hannigan


Dear Colleagues:

Anyone have a pointer to a list of regulations, or know off the top of
your head, related to data privacy at US ISPs? CALEA? CAN-SPAM? DMCA?
et al.

Please reply off list and I will summarize responses back to the list
at a later date.


Best Regards,

Martin


RE: GoDaddy's abuse procedures [was: ICANNs role [was: Re: On-going ...]]

2007-04-07 Thread Frank Bulk

While you have your friend's ear, ask him why they maintain a spam policy of
blocking complete /24's when:
a) the space has been divided into multiple sub-blocks and assigned to
different companies, all well-documented and queryable in ARIN
b) there have been repeated pleas to whitelist a certain IP in separate
sub-block that is only being punished for the behavior of others in a
different sub-block.

Frank

-Original Message-
Sent: Tuesday, April 03, 2007 8:20 AM
To: '[EMAIL PROTECTED]'
Cc: '[EMAIL PROTECTED]'
Subject: Re: ICANNs role [was: Re: On-going ...]

I think the shutdown of seclists.org by GoDaddy is a perfect example of 
exactly why the registrars should NOT be making these decisions.

I know the head abuse guy at Godaddy.  He is a reasonable person.  He
turns off large numbers of domains but he is human and makes the
occasional mistake.  The fact that everyone cites the same mistake
tells me that he doesn't make very many of them.  If you demand that
the shutdown process be perfect and never make any mistakes ever, even
ones that involve peculiar e-mail failures that are fixed in a day or
two, you're saying there can't be any shutdown process at all.

If you want a really simple, and probably very effective first step- 
then stop domain tasting. It doesn't help anyone but the phishers.

Actually, I have never seen any evidence that phishers use domain
tasting.  Phishers use stolen credit cards, so why would they bother
asking for a refund?  The motivation for tasting is typosquatting and
monetization, parking web pages full of pay per click ads on them.
Tasting is a bad idea that should go away, but phishing isn't the
reason.

R's,
John





Abuse procedures... Reality Checks

2007-04-07 Thread J. Oquendo

On Sat, 07 Apr 2007, Frank Bulk wrote:

 
 While you have your friend's ear, ask him why they maintain a spam policy of
 blocking complete /24's when:
 a) the space has been divided into multiple sub-blocks and assigned to
 different companies, all well-documented and queryable in ARIN
 b) there have been repeated pleas to whitelist a certain IP in separate
 sub-block that is only being punished for the behavior of others in a
 different sub-block.
 
 Frank

realitycheck

You're complaining of blocked /24's. I block off up to /6's from reaching
certain ports on my networks. Sound crazy? How many times should I contact
the netblock owner and hear the same generic "well you have to open up a
complaint with our abuse desk... golly gee Joseph." Only to have the same
repeat attacks over and over and over. Sure, I'll start out blocking the
offensive address, then shoot off an email here and there, even post to
this or another list or search Jared's list for a contact and ask them
politely "Hey... I see X amount of attackers hitting me from your net."
But how long should I go on for before I could just say to hell with
your users and network... They just won't connect. It's my own right to
when it comes to my network.

People complain? Sure, then I explain why, point out the fact that I
HAVE made attempts at resolutions to no avail. So should the entire
network be punished... No, but the engineers who now have to answer
THEIR clients on why they've been blacklisted surely are punished, aren't
they? Now they have to hear X amount of clients moan about not being
able to send either a client, vendor or relative email. They have to
either find an alternative method to connect, or complain to their
provider about connectivity issues.

Is it fair? Yes it's fair to me, my clients, networks, etc., that
I protect it. Is it fair to complain to deaf ears when those deaf
ears are the ones actually clueful enough to fix? On a daily basis
I have clients who should be calling customer service for issues
contact me directly. Know what I do? ... My best to fix it, enter
a ticket number on the issue and go about the day. One way or the
other I'm going to see the ticket/problem so will it kill me to
take a moment or two to fix something? Sure I will bitch moan and
yell about it, a minute later AFTER THE FIX since things of this
nature usually don't take that much time, guess what? Life returns
to normal.

http://www.infiltrated.net/bforcers/5thWeek-Organizations

Have a look will you? These are constant offending networks with
hosts that are repeatedly ssh'ing into servers I maintain. Is it
unfair to block off their entire netblock from connecting via
ssh to my servers? Hell no it isn't. If I have clients on this
netblock, in all honesty tough. Let them contact their providers
after I tell them their provider has been blocked because of the
garbage on their network. Let their provider do something before
I do because heaven knows how many times have I tried reaching
someone diplomatically before I went ahead and blocked their
entire /6 /7 /8 /9 /10 and so on from connecting to me via ssh
or whatever other service they've intruded or attempted to
intrude upon.

Blocks? They usually last for 2 weeks then I take them off and
start ALL over again. Of course I've automated this so it's no
sweat off my shoulders. So you tell me in all honesty why someone
should not escalate and block off entire blocks.

/realitycheck

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743

How a man plays the game shows something of his
character - how he loses shows all - Mr. Luckey 


RE: Abuse procedures... Reality Checks

2007-04-07 Thread Frank Bulk

Joe:

I understand your frustration and appreciate your efforts to contact the
sources of abuse, but why indiscriminately block a larger range of IPs than
what is necessary?  

Here's the /24 in question:
Combined Systems Technologies NET-CST (NET-207-177-31-0-1)
207.177.31.0 - 207.177.31.7
Elkader Public Library NET-ELKRLIB (NET-207-177-31-8-1)
207.177.31.8 - 207.177.31.15
Plastech Grinnell Plant NET-PLASTECH (NET-207-177-31-16-1)
207.177.31.16 - 207.177.31.31 (dial-up, according to DNS)
Griswold Telephone Co. NET-GRIS (NET-207-177-31-32-1)
207.177.31.32 - 207.177.31.63
Griswold Telephone Co. NET-GRIS2 (NET-207-177-31-64-1)
207.177.31.64 - 207.177.31.95 (dial-up, according to DNS)
Jesco Electrical Supplies NET-JESCOELEC (NET-207-177-31-96-1)
207.177.31.96 - 207.177.31.103
American Equity Investment NET-AMREQUITY (NET-207-177-31-104-1)
207.177.31.104 - 207.177.31.111
** open **
Butler County REC NET-BUTLERREC (NET-207-177-31-120-1)
207.177.31.120 - 207.177.31.127
Northeast Missouri Rural Telephone Co. NET-NEMR2
(NET-207-177-31-128-1)
207.177.31.128 - 207.177.31.191
Montezuma Mutual Telephone NET-MONTEZUMA (NET-207-177-31-192-1)
207.177.31.192 - 207.177.31.254 (dial-up, according to DNS) 

Block the /24 and you cause problems for potentially 8 other companies.  Now
the RBL maintainer, or in this case, GoDaddy, has to interact with 8 other
companies -- what a lot of work and overhead!  If they just dealt with the
problem in a more surgical manner they wouldn't have to deal with the other
companies asking for relief.  

Frank

-Original Message-
From: J. Oquendo [mailto:[EMAIL PROTECTED] 
Sent: Saturday, April 07, 2007 2:08 PM
To: nanog@merit.edu
Cc: Frank Bulk
Subject: Abuse procedures... Reality Checks


Re: Abuse procedures... Reality Checks

2007-04-07 Thread J. Oquendo

On Sat, 07 Apr 2007, Frank Bulk wrote:

 Joe:
 
 I understand your frustration and appreciate your efforts to contact the
 sources of abuse, but why indiscriminately block a larger range of IPs than
 what is necessary?  
 

Far too many times I've tried to contact those who have the DIRECT ability
to make things happen and the same constant whiny "Contact our abuse desk"
response was given. What mainly happens here on out is the following: if
someone on that subnet needs to do something on mine, many will contact me
or others that work with me and state "Why can't we connect?!" The situation
will be explained and they'll be told to contact their provider. This seems
to be the only logical method I've personally found for some of the bigger
providers to respond to incidents. Hit them where it hurts, let them have
their own customers bitch and moan about their inability to get things
done. Sure it's not fair to single out an entire subnet. I've gone as far
as blocking LACNIC, APNIC, RIPE, /8's on ARIN at a clip for days on end
until someone from the offending provider contacted me. Then and only
then was I able to get something done. 

So to answer your question about fairness... It's not fair by any
means, but it is effective. I see it as follows... If someone on one
of my networks is offending someone else, I'm nipping it in the bud
to avoid the possibility of any legal repercussions. And although it
may seem far fetched to look at things in such fashion, I'd rather
be safe than sorry. I'd also like to be accountable since after all
when it boils down to it, it is my job as a network engineer, security
engineer to ensure nothing malicious comes into my network as well
as exits my network. It's a two-way street.

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743

How a man plays the game shows something of his
character - how he loses shows all - Mr. Luckey 


Re: Blocking mail from bad places

2007-04-07 Thread Thomas Leavitt

Here's one of the messages my system produces:

Apr  7 12:02:26 tongs postfix/smtpd[15229]: NOQUEUE: reject: RCPT from
mail.middreut.com[208.61.243.195]: 454 Service unavailable; Client host
[208.61.243.195] blocked using dnsbl.cagreens.org; Whoops!  Please see
http://greens.org/delist and note your sending address is --
208.61.243.195 --.  Sorry.; from= to=[EMAIL PROTECTED] proto=ESMTP
helo=exchange.middreut.local

This provides a reasonable explanation... as long as you can read
English. If you want to talk about hard to understand: every time I post
to nanog, I get a bounce message from someone in Germany, in German.
About as much use as my bounce message is to someone who doesn't read
English.

... and why aren't bounce messages standardized in content and formatting?!?

Thomas

James R. Cutler wrote:
 At 4/5/2007 08:38 AM -0700, Thomas Leavitt wrote:
 
 One problem with the bounce solution is that snip/
 ==
 So, I (Cutler) add:
 
 And, even the best-intentioned bounce messages often give lots of data,
 but no information, thus increasing the noise to signal ratio.  For
 example, Paul most likely knows what the following means to him.  To me
 it just means I can't send mail to Paul.
 
 This message was created automatically by mail delivery software.

 A message that you sent could not be delivered to one or more of its
 recipients. This is a permanent error. The following address(es) failed:

   [EMAIL PROTECTED]
 SMTP error from remote mailer after RCPT TO:[EMAIL PROTECTED]:
 host sa.vix.com [204.152.187.1]: 553 5.7.1 Service unavailable;
 Client host [209.86.89.61] blocked using reject-all.vix.com; created /
 reason

 -- This is a copy of the message, including all the headers. --
 
 
 
 -
 James R. Cutler
 [EMAIL PROTECTED]
 


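Added example, not code from any of the posters in this thread: the Postfix NOQUEUE rejection quoted above and the "553 5.7.1 ... blocked using reject-all.vix.com" excerpt Cutler pasted carry the same information (reply code, optional enhanced status code, the listed client IP and the DNSBL zone) in two different layouts. The Python below pulls those fields out of such lines and builds the DNSBL query name the receiving MTA would have looked up. The sample lines are constructed from the two messages on this page; the recipient address user@example.org stands in for the redacted one, and the third line is a non-rejection added to show the parser ignoring it.

```python
import re
import ipaddress

# Constructed sample lines, modelled on the two rejections quoted in the thread:
# a Postfix NOQUEUE reject and the "host ...: 553 5.7.1 ..." excerpt from an
# Exim-style bounce. The recipient address is a placeholder (example.org).
SAMPLE_LINES = [
    "Apr  7 12:02:26 tongs postfix/smtpd[15229]: NOQUEUE: reject: RCPT from "
    "mail.middreut.com[208.61.243.195]: 454 Service unavailable; Client host "
    "[208.61.243.195] blocked using dnsbl.cagreens.org; Whoops!  Please see "
    "http://greens.org/delist and note your sending address is -- 208.61.243.195 --.  "
    "Sorry.; from=<> to=<user@example.org> proto=ESMTP helo=<exchange.middreut.local>",
    "host sa.vix.com [204.152.187.1]: 553 5.7.1 Service unavailable; "
    "Client host [209.86.89.61] blocked using reject-all.vix.com; created / reason",
    # Not a DNSBL reject at all; the parser must ignore it.
    "Apr  7 12:03:01 tongs postfix/smtpd[15229]: connect from unknown[192.0.2.7]",
]

# Reply code (RFC 5321), optional enhanced status code (RFC 3463), free-text
# reason, then the "Client host [ip] blocked using zone" phrase Postfix emits
# for reject_rbl_client rejections.
REJECT_RE = re.compile(
    r"\b(?P<code>[245]\d{2})"
    r"(?: (?P<esc>[245]\.\d{1,3}\.\d{1,3}))?"
    r" (?P<reason>[^;]*);"
    r" Client host \[(?P<client>\d{1,3}(?:\.\d{1,3}){3})\]"
    r" blocked using (?P<zone>[A-Za-z0-9.-]+)"
)
URL_RE = re.compile(r"https?://[^\s;]+")


def dnsbl_query_name(ip, zone):
    """Name a DNSBL client looks up: the IPv4 octets reversed under the zone,
    e.g. 208.61.243.195 in dnsbl.cagreens.org -> 195.243.61.208.dnsbl.cagreens.org."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def reply_kind(code):
    """Classify the SMTP reply: a 4xx tells the sending MTA to queue and retry,
    a 5xx makes it bounce at once."""
    return {"2": "success", "4": "transient", "5": "permanent"}[code[0]]


def parse_reject(line):
    """Extract the DNSBL-relevant fields from one line, or None if the line
    is not a DNSBL rejection."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    try:
        client = str(ipaddress.IPv4Address(m.group("client")))
    except ipaddress.AddressValueError:
        return None
    url = URL_RE.search(line)
    return {
        "code": m.group("code"),
        "enhanced_code": m.group("esc"),
        "kind": reply_kind(m.group("code")),
        "reason": m.group("reason").strip(),
        "client_ip": client,
        "zone": m.group("zone"),
        "delist_url": url.group(0) if url else None,
        "query_name": dnsbl_query_name(client, m.group("zone")),
    }


def parse_rejects(lines):
    """Parse every line, dropping the ones that are not DNSBL rejections."""
    return [rec for rec in (parse_reject(l) for l in lines) if rec is not None]


if __name__ == "__main__":
    for rec in parse_rejects(SAMPLE_LINES):
        print(f'{rec["client_ip"]} listed in {rec["zone"]} '
              f'({rec["code"]} {rec["kind"]}); lookup name {rec["query_name"]}; '
              f'delist: {rec["delist_url"] or "no URL given"}')
```

One thing the parser surfaces: the first rejection is a 454, a transient code, so a legitimate sender's MTA will queue and retry it for days before it ever produces a bounce, while Cutler's 553 5.7.1 fails immediately. Whichever code a site chooses, the "Client host [ip] blocked using zone" phrase is stable enough to key on even when the surrounding text is not.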

RE: On-going Internet Emergency and Domain Names

2007-04-07 Thread Frank Bulk

One of the reasons that registrars are slow to take down sites that are paid
with a credit card is because there is little financial incentive to do
so... they've lost money on it already, so why have a department whose priority is
speed if you can hire a person to do it at their own pace and minimize the
loss?

For almost all things prudent and effective there needs to be a financial
incentive.  For those registrars who take stolen credit cards, it's the
rates and fees they are charged to process credit card transactions.  It
appears the rates that are charged and the penalties assessed aren't enough
to dissuade them from these fraudulent transactions, which means that the
monetary externalities of DNS registration abuse (spam, phishing sites, etc)
are not fully assessed by financial institutions.  We have a similar
parallel in the cost of gasoline and the impact on the environment.

Frank

-Original Message-
Sent: Monday, April 02, 2007 9:36 PM
To: David Conrad
Cc: Joseph S D Yao; nanog
Subject: Re: On-going Internet Emergency and Domain Names

On Mon, 2 Apr 2007, David Conrad wrote:



 On Apr 2, 2007, at 7:12 PM, Joseph S D Yao wrote:
  On Mon, Apr 02, 2007 at 05:33:08PM -0700, David Conrad wrote:
  I think this might be a bit in conflict with efforts registries have
  to reduce the turnaround in zone modification to the order of tens of
  minutes.
 
  Why is this necessary?  Other than the cool factor.

 I think the question is why should the Internet be constrained to
 engineering decisions made in 1992?

or victims of policy of that same 'vintage'... doing things faster isn't
bad, doing it with less checks and balances and more people willing to
abuse the lack of checks/balances seems like a bad idea.  If you can get a
domain added to the system fresh in 5min or less, why does it take +90
days to get it removed when all data about the domain is patently false
and the CC used to purchase the domain was reported stolen 2+years ago?

I don't mean to pick on anyone in particular, but wow, to me this seems
like just a policy update requirement.




RE: On-going Internet Emergency and Domain Names

2007-04-07 Thread Jim Popovitch

On Sat, 2007-04-07 at 14:43 -0500, Frank Bulk wrote:
 One of the reasons that registrars are slow to take down sites that are paid
 with a credit card is because there is little financial incentive to do
 so.

Also there is the customer numbers effect, most often seen with public
companies or those seeking VC funding.  Those registrars compete
heavily, none of them want to have negative numbers, not even one
negative number.

-Jim P.



Re: Abuse procedures... Reality Checks

2007-04-07 Thread Rich Kulawiec

On Sat, Apr 07, 2007 at 02:31:25PM -0500, Frank Bulk wrote:
 I understand your frustration and appreciate your efforts to contact the
 sources of abuse, but why indiscriminately block a larger range of IPs than
 what is necessary?  

1. There's nothing indiscriminate about it.

I often block /24's and larger because I'm holding the *network* operators
responsible for what comes out of their operation.  If they can't hold
the outbound abuse down to a minimum, then I guess I'll have to make
up for their negligence on my end.  I don't care why it happens -- they
should have thought through all this BEFORE plugging themselves in
and planned accordingly.  (Never build something you can't control.)

Neither I nor J. Oquendo nor anyone else are required to spend our time,
our money, and our resources figuring out which parts of X's network
can be trusted and which can't.  It is entirely X's responsibility to
make sure that its _entire_ network can be permitted the privilege of
access to ours.  And (while I don't wish to speak for anyone else),
I think we're prepared to live with a certain amount of low-level,
transient, isolated noise.  We are not prepared to live with persistent,
systemic attacks that are not dealt with even *after* complaints are
filed.  (Which shouldn't be necessary anyway: if we can see inbound
hostile traffic to our networks, surely X can see it outbound from
theirs.  Unless X is too stupid, cheap or lazy to look.  Packets do
not just fall out of the sky, y'know?)

2. "necessary" is a relative term.

Example: I observed spam/spam attempts from 3,599 hosts on pldt's network
during January alone. I've blocked everything they have, because I find it
*necessary* to not wait for the other N hosts on their network to pull the
same stunt.  I've found it *necessary* to take many other similar measures
as well because my time, money and resources are limited quantities,
so I must expend them frugally while still protecting the operation from
overtly hostile networks.  That requires pro-active measures and it
requires ones that have been proven to be effective.

If X, for some value of X, is unhappy about this, then X should have
thought of that before permitting large amounts of abuse to escape
its operation over an extended period of time.  Had X done its job
to a baseline level of professionalism, then this issue would not
have arisen, and we'd all be better off for it.


So.  If you (generic you) can't keep your network from being a persistent
and systemic abuse source, then unplug it.  Now.

If on the other hand, you decide to stick around anyway while letting the
crap flow: no whining when other people find it necessary to take steps
to defend themselves from your incompetence.

---Rsk


RE: GoDaddy's abuse procedures [was: ICANNs role [was: Re: On-going ...]]

2007-04-07 Thread Chris L. Morrow


On Sat, 7 Apr 2007, Frank Bulk wrote:


 While you have your friend's ear, ask him why they maintain a spam policy of
 blocking complete /24's when:
 a) the space has been divided into multiple sub-blocks and assigned to
 different companies, all well-documented and queryable in ARIN
 b) there have been repeated pleas to whitelist a certain IP in separate
 sub-block that is only being punished for the behavior of others in a
 different sub-block.

because it's go-daddy's policy not yours and their customers aren't upset
enough about 'broken' email to force a change?

If you are a go-daddy customer you ought to speak up if this policy really
does affect you.

-Chris


Re: Abuse procedures... Reality Checks

2007-04-07 Thread Peter Dambier


J. Oquendo wrote:
...

So to answer your question about fairness... It's not fair by any
means, but it is effective. I see it as follows...


Well, that's the reason why I have a gmail account and all my
customers have one.

I can send even from my dynamic ip-address and still they
let me in.

They can send to my dynamic ip-address.

Important mails are sent host to host.
For the record they are sent via gmail.

There is no need for any other mail provider. They are
blocking mails most of the time, only allowing spam to
get through.


Cheers
Peter and Karin

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
http://www.cesidianroot.com/



RE: Abuse procedures... Reality Checks

2007-04-07 Thread Frank Bulk

 On Sat, Apr 07, 2007 at 02:31:25PM -0500, Frank Bulk wrote:
  I understand your frustration and appreciate your efforts to contact the
  sources of abuse, but why indiscriminately block a larger range of IPs
than
  what is necessary?  
 
 1. There's nothing indiscriminate about it.
 
 I often block /24's and larger because I'm holding the 
 *network* operators responsible for what comes out of 
 their operation.  

Define "network operator": the AS holder for that space or the operator of
that smaller-than-slash-24 sub-block?  If the problem consistently comes
from a /29 why not just leave the block in and be done with it?  

I guess this begs the question: Is it best to block with a /32, /24, or some
other range?  Sounds a lot like throwing something against the wall and
seeing what sticks.  Or vigilantism.

 If they can't hold the outbound abuse down to a minimum, then 
 I guess I'll have to make up for their negligence on my end.  

Sure, block that /29, but why block the /24, /20, or even /8?  Perhaps your
(understandable) frustration is preventing you from agreeing with me on this
specific case.  Because what you usually see is an IP from a /20 or larger
and the network operators aren't dealing with it.  In the example I gave
it's really the smaller /29 that's the culprit, it sounds like you want to
punish a larger group, perhaps as large as an AS, for the fault of smaller
network.

 I don't care why it happens -- they should have thought through 
 all this BEFORE plugging themselves in and planned accordingly.  
 (Never build something you can't control.)

Agreed.

 
 Neither I nor J. Oquendo nor anyone else are required to 
 spend our time, our money, and our resources figuring out which 
 parts of X's network can be trusted and which can't.  

It's not that hard, the ARIN records are easy to look up.  Figuring out that
network operator has a /8 that you want to block based on 3 or 4 IPs in
their range requires just as much work.

 It is entirely X's responsibility to make sure that its _entire_ 
 network can be permitted the privilege of access to ours.  
 And (while I don't wish to speak for anyone else),
 I think we're prepared to live with a certain amount of low-level,
 transient, isolated noise.  

Noise like that is an inevitable part of the job.

 We are not prepared to live with persistent, systemic attacks 
 that are not dealt with even *after* complaints are
 filed.  (Which shouldn't be necessary anyway: if we can see inbound
 hostile traffic to our networks, surely X can see it outbound from
 theirs.  Unless X is too stupid, cheap or lazy to look.  Packets do
 not just fall out of the sky, y'know?)

Smaller operators, like those that require just a /29, often don't have that
infrastructure.  Those costs, as I'm sure you're aware, are passed on to
companies like yourself that have to maintain their own network's security.
Again, block them, I say, just don't swallow others up in the process.

 2. necessary is a relative term.
 
 Example: I observed spam/spam attempts from 3,599 hosts on 
 pldt's network  during January alone. I've blocked 
 everything they have, because I find it *necessary* 
 to not wait for the other N hosts on their network 
 to pull the same stunt.  I've found it *necessary* to take
 many other similar measures as well because my time, 
 money and resources are limited quantities, so I must 
 expend them frugally while still protecting the operation 
 from overtly hostile networks.  

That's my point: you want to spend time dealing with the other 8 networks
because you blacked them out, too?  

 That requires pro-active measures and it requires ones 
 that have been proven to be effective.
 
 If X, for some value of X, is unhappy about this, then X should have
 thought of that before permitting large amounts of abuse to escape
 its operation over an extended period of time.  Had X done its job
 to a baseline level of professionalism, then this issue would not
 have arisen, and we'd all be better off for it.

Agreed, but economics usually dictate otherwise.
 
 So.  If you (generic you) can't keep your network from being 
 a persistent and systemic abuse source, then unplug it.  Now.

They want to run a business, too.  So when you blacklist they will end up
calling you asking for mercy, telling you that it's been cleaned up.
Inevitably something/someone gets infected, you black them out, rinse,
repeat.

 If on other hand, you decide to stick around anyway while letting the
 crap flow: no whining when other people find it necessary to 
 take steps to defend themselves from your incompetence.
 
 ---Rsk



Re: Abuse procedures... Reality Checks

2007-04-07 Thread Chris Owen



On Apr 7, 2007, at 4:20 PM, Frank Bulk wrote:

Sure, block that /29, but why block the /24, /20, or even /8?  Perhaps your
(understandable) frustration is preventing you from agreeing with me on this
specific case.  Because what you usually see is an IP from a /20 or larger
and the network operators aren't dealing with it.  In the example I gave
it's really the smaller /29 that's the culprit, it sounds like you want to
punish a larger group, perhaps as large as an AS, for the fault of smaller
network.


Well it sounds like the original poster is trying to punish the  
network operator by intentionally blocking innocent bystanders and  
therefore causing them grief so if that is your goal then a /24 seems  
like a decent arbitrary size.  You are mostly sure you won't block  
across providers that way at least.


However, even if this isn't your goal it can be really hard sometimes
to have any clue how big a netblock is for a particular IP address.
ARIN may make small folks like us jump through hoops but apparently
this isn't true for larger providers.  We often run into abuse from
IP addresses (or a range of addresses) where there is no rwhois server
and the entire /19 or larger is SWIPed as a single netblock.  I've
seen some really, really large blocks with absolutely no sub-delegation
when clearly the addresses are sub-delegated.


We will often temporarily block a /24 on email blacklists, for
instance.  When you're getting pounded from a range of 30 or 50 IP
addresses and can't get any response from the upstream then it is
fairly obvious they are less than white hat so we're willing to live
with the collateral damage.


Chris


Chris Owen ~ Garden City (620) 275-1900 ~  Lottery (noun):
President  ~ Wichita (316) 858-3000 ~A stupidity tax
Hubris Communications Inc  www.hubris.net







Re: Abuse procedures... Reality Checks

2007-04-07 Thread Fergie

-- Rich Kulawiec [EMAIL PROTECTED] wrote:

1. There's nothing indiscriminate about it.

I often block /24's and larger because I'm holding the *network* operators
responsible for what comes out of their operation.  If they can't hold
the outbound abuse down to a minimum, then I guess I'll have to make
up for their negligence on my end.  I don't care why it happens -- they
should have thought through all this BEFORE plugging themselves in
and planned accordingly.  (Never build something you can't control.)

I would have to respectfully disagree with you. When network
operators do due diligence and SWIP their sub-allocations, they
(the sub-allocations) should be authoritative in regards to things
like RBLs.

$.02,

- ferg




--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Abuse procedures... Reality Checks

2007-04-07 Thread william(at)elan.net



On Sat, 7 Apr 2007, Fergie wrote:


-- Rich Kulawiec [EMAIL PROTECTED] wrote:

1. There's nothing indiscriminate about it.


I often block /24's and larger because I'm holding the *network* operators
responsible for what comes out of their operation.  If they can't hold
the outbound abuse down to a minimum, then I guess I'll have to make
up for their negligence on my end.  I don't care why it happens -- they
should have thought through all this BEFORE plugging themselves in
and planned accordingly.  (Never build something you can't control.)


I would have to respectfully disagree with you. When network
operators do due diligence and SWIP their sub-allocations, they
(the sub-allocations) should be authoritative in regards to things
like RBLs.

$.02,


Yes. But the answer is that it also depends how many other cases like
this exist from same operator. If they have 16 suballocations in /24
but say 5 of them are spewing, I'd block the /24 (or larger) ISP block.
The exact % of bad blocks (i.e. when to start blocking ISP) depends
on your point of view and history with that ISP but most in fact do
hold ISPs partially responsible.

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]
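
Added example, not code from any of the posters: the /24 Frank Bulk listed earlier in the thread and the "how many of the sub-allocations are spewing" rule William describes just above can be made mechanical. The Python below takes the ARIN sub-allocations from that listing as constructed sample data, maps offending source IPs to their holders, and reports either the covering prefix of each offending sub-allocation or an escalation to the whole block, together with the holders that would be blocked without having sent anything. The 0.3 escalation threshold and the sample offender addresses are assumptions made for illustration, not values from the thread.

```python
import ipaddress
from collections import Counter

# Constructed sample data: the ARIN sub-allocations Frank Bulk listed for
# 207.177.31.0/24, as (first address, last address, holder). The .112-.119
# gap shown as "** open **" in the thread is left unassigned on purpose.
SUBALLOCATIONS = [
    ("207.177.31.0",   "207.177.31.7",   "Combined Systems Technologies"),
    ("207.177.31.8",   "207.177.31.15",  "Elkader Public Library"),
    ("207.177.31.16",  "207.177.31.31",  "Plastech Grinnell Plant"),
    ("207.177.31.32",  "207.177.31.63",  "Griswold Telephone Co. NET-GRIS"),
    ("207.177.31.64",  "207.177.31.95",  "Griswold Telephone Co. NET-GRIS2"),
    ("207.177.31.96",  "207.177.31.103", "Jesco Electrical Supplies"),
    ("207.177.31.104", "207.177.31.111", "American Equity Investment"),
    ("207.177.31.120", "207.177.31.127", "Butler County REC"),
    ("207.177.31.128", "207.177.31.191", "Northeast Missouri Rural Telephone Co."),
    ("207.177.31.192", "207.177.31.254", "Montezuma Mutual Telephone"),
]


def covering_prefix(first, last):
    """Smallest single CIDR block containing the whole first..last range.

    WHOIS ranges are not always CIDR-aligned (.192-.254 above), so the
    covering prefix can be a little larger than the assignment itself.
    """
    first_ip = ipaddress.IPv4Address(first)
    last_ip = ipaddress.IPv4Address(last)
    for plen in range(32, -1, -1):
        net = ipaddress.ip_network((int(first_ip), plen), strict=False)
        if last_ip in net:
            return net
    raise ValueError("no covering prefix")  # unreachable: /0 covers everything


def holder_of(ip, suballocations=SUBALLOCATIONS):
    """Return the (first, last, holder) entry containing ip, or None when the
    address falls in an unassigned gap of the parent block."""
    addr = ipaddress.IPv4Address(ip)
    for entry in suballocations:
        first, last, _holder = entry
        if ipaddress.IPv4Address(first) <= addr <= ipaddress.IPv4Address(last):
            return entry
    return None


def block_recommendation(offenders, suballocations=SUBALLOCATIONS, isp_threshold=0.3):
    """Turn a list of abusive source IPs into a blocking decision.

    Surgical rule (Frank Bulk): block only the covering prefix of each
    sub-allocation that is actually emitting abuse.
    Escalation rule (William Leibzon): once enough of the parent block's
    sub-allocations are spewing, hold the ISP responsible and block the
    covering prefix of the whole listed range. The 0.3 threshold is an
    assumption for this example, not a value from the thread.

    The result names the blocks to apply and, for each block, the holders
    inside it that sent nothing: the collateral damage of that decision.
    """
    hits = Counter()
    unattributed = []
    for ip in offenders:
        entry = holder_of(ip, suballocations)
        if entry is None:
            unattributed.append(ip)
        else:
            hits[entry] += 1

    bad_fraction = len(hits) / len(suballocations)
    if bad_fraction >= isp_threshold:
        scope = "isp"
        blocks = [covering_prefix(suballocations[0][0], suballocations[-1][1])]
    else:
        scope = "suballocation"
        blocks = [covering_prefix(first, last) for first, last, _h in hits]

    collateral = {}
    for net in blocks:
        collateral[str(net)] = [
            holder for (first, last, holder) in suballocations
            if ipaddress.IPv4Address(first) in net and (first, last, holder) not in hits
        ]
    return {
        "scope": scope,
        "blocks": [str(b) for b in blocks],
        "offending_holders": {holder: n for (_f, _l, holder), n in hits.items()},
        "unattributed": unattributed,
        "collateral": collateral,
    }


if __name__ == "__main__":
    # Constructed scenarios: three SSH brute-forcers in one dial-up sub-block,
    # then hosts spread across four different holders.
    print(block_recommendation(["207.177.31.20", "207.177.31.25", "207.177.31.30"]))
    print(block_recommendation(["207.177.31.5", "207.177.31.12", "207.177.31.70", "207.177.31.130"]))
```

Two things the output makes concrete. A WHOIS range such as .192-.254 is not CIDR-aligned, so the smallest prefix that covers it (/26) already takes in an address outside the assignment; and blocking the /24 in the second scenario hits six holders that sent nothing, which is exactly the overhead Frank's earlier message is counting.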


RE: Abuse procedures... Reality Checks

2007-04-07 Thread Frank Bulk

If they're properly SWIPed why punish the ISP for networks they don't even
operate, that obviously belong to their business customers?  And if the
granular blocking is effectively shutting down the abuse from that
sub-allocated block, didn't the network operator succeed in protecting
themselves?  Or is the netop looking to the ISP to push back on their
customers to clean up their act?  Or is the netop trying to teach the ISP a
lesson?  

Of course, it doesn't hurt to copy the ISP or AS owner for abuse issues from
a sub-allocated block -- you would hope that ISPs and AS owners would want
to have clean customers.  

Frank 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
william(at)elan.net
Sent: Saturday, April 07, 2007 5:58 PM
To: Fergie
Cc: [EMAIL PROTECTED]; nanog@merit.edu
Subject: Re: Abuse procedures... Reality Checks

On Sat, 7 Apr 2007, Fergie wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 - -- Rich Kulawiec [EMAIL PROTECTED] wrote:

 1. There's nothing indiscriminate about it.

 I often block /24's and larger because I'm holding the *network*
operators
 responsible for what comes out of their operation.  If they can't hold
 the outbound abuse down to a minimum, then I guess I'll have to make
 up for their negligence on my end.  I don't care why it happens -- they
 should have thought through all this BEFORE plugging themselves in
 and planned accordingly.  (Never build something you can't control.)

 I would have to respectfully disagree with you. When network
 operators do due diligence and SWIP their sub-allocations, they
 (the sub-allocations) should be authoritative in regards to things
 like RBLs.

 $.02,

Yes. But the answer is that it also depends on how many other cases like
this exist from the same operator. If they have 16 sub-allocations in a /24
but, say, 5 of them are spewing, I'd block the /24 (or larger) ISP block.
The exact % of bad blocks (i.e. when to start blocking the ISP) depends
on your point of view and history with that ISP, but most in fact do
hold ISPs partially responsible.

-- 
William Leibzon
Elan Networks
[EMAIL PROTECTED]



RE: Abuse procedures... Reality Checks

2007-04-07 Thread william(at)elan.net



On Sat, 7 Apr 2007, Frank Bulk wrote:


If they're properly SWIPed why punish the ISP for networks they don't even
operate, that obviously belong to their business customers?


All ISPs have AUPs that prohibit spam (or at least I hope all of you do),
though they are enforced better at some places than at others... But the point
is that each and every customer ISP is responsible for following that
AUP and is responsible for making sure their customers follow it as well.
So to answer you, the view is that even if the ISP does not operate the network
by providing services and IP addresses, they in fact basically do operate
it on a higher level and are partially directly responsible for what happens
there, including enforcing its AUP on its sub-ISP or business customer
(and making sure they enforce the same AUP provisions on their customers).
Chain of responsibility, if you like to think of it that way...

And if the granular blocking is effectively shutting down the abuse from
that sub-allocated block, didn't the network operator succeed in protecting
themselves?  Or is the netop looking to the ISP to push back on their
customers to clean up their act?  Or is the netop trying to teach the ISP a
lesson?

Of course, it doesn't hurt to copy the ISP or AS owner for abuse issues from
a sub-allocated block -- you would hope that ISPs and AS owners would want
to have clean customers.


Yes, of course blocking of the larger ISP block would happen only after trying
to notify the ISP of the problem for each and every one of those sub-blocks did
not lead to any results.



Frank

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
william(at)elan.net
Sent: Saturday, April 07, 2007 5:58 PM
To: Fergie
Cc: [EMAIL PROTECTED]; nanog@merit.edu
Subject: Re: Abuse procedures... Reality Checks

On Sat, 7 Apr 2007, Fergie wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -- Rich Kulawiec [EMAIL PROTECTED] wrote:

1. There's nothing indiscriminate about it.


I often block /24's and larger because I'm holding the *network*

operators

responsible for what comes out of their operation.  If they can't hold
the outbound abuse down to a minimum, then I guess I'll have to make
up for their negligence on my end.  I don't care why it happens -- they
should have thought through all this BEFORE plugging themselves in
and planned accordingly.  (Never build something you can't control.)


I would have to respectfully disagree with you. When network
operators do due diligence and SWIP their sub-allocations, they
(the sub-allocations) should be authoritative in regards to things
like RBLs.

$.02,


Yes. But the answer is that it also depends on how many other cases like
this exist from the same operator. If they have 16 sub-allocations in a /24
but, say, 5 of them are spewing, I'd block the /24 (or larger) ISP block.
The exact % of bad blocks (i.e. when to start blocking the ISP) depends
on your point of view and history with that ISP, but most in fact do
hold ISPs partially responsible.


--
William Leibzon
Elan Networks
[EMAIL PROTECTED]


Re: Blocking mail from bad places

2007-04-07 Thread Valdis . Kletnieks
On Sat, 07 Apr 2007 11:40:50 PDT, Thomas Leavitt said:

 ... and why aren't bounce messages standardized in content and formatting?!?

Jiminy creepers, why can't people run software that implements standards
from the last frikking *millennium*??!?

1891 SMTP Service Extension for Delivery Status Notifications. K.
 Moore. January 1996. (Format: TXT=65192 bytes) (Obsoleted by RFC3461)
 (Status: PROPOSED STANDARD)

1892 The Multipart/Report Content Type for the Reporting of Mail
 System Administrative Messages. G. Vaudreuil. January 1996. (Format:
 TXT=7800 bytes) (Obsoleted by RFC3462) (Status: PROPOSED STANDARD)

1893 Enhanced Mail System Status Codes. G. Vaudreuil. January 1996.
 (Format: TXT=28218 bytes) (Obsoleted by RFC3463) (Status: PROPOSED
 STANDARD)

1894 An Extensible Message Format for Delivery Status Notifications.
 K. Moore, G. Vaudreuil. January 1996. (Format: TXT=77462 bytes)
 (Obsoleted by RFC3464) (Updated by RFC2852) (Status: PROPOSED
 STANDARD)





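Those four RFCs between them define what a standards-conformant bounce looks like: a multipart/report container (RFC 3462), a message/delivery-status part whose per-recipient field group carries Action and an enhanced status code (RFC 3464, RFC 3463). Added example, not code from Valdis or anyone else on the thread: it parses a constructed bounce in that layout with Python's standard email package and pulls out the fields a postmaster would script against. The sample message, its hosts and addresses are made up; the X.7.X classification follows RFC 3463's "security or policy status" subject.

```python
import email

# Constructed sample bounce in the RFC 3462/3464 layout: a multipart/report
# with report-type=delivery-status, a human-readable part, a
# message/delivery-status part and the returned original.  Hosts, addresses
# and the diagnostic text are invented for this example.
SAMPLE_DSN = """\
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: sender@example.org
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="dsn-b1"

--dsn-b1
Content-Type: text/plain; charset=us-ascii

This is the mail system at host mx.example.net.
Your message could not be delivered to one or more recipients.

--dsn-b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net
Arrival-Date: Sat, 7 Apr 2007 11:40:50 -0700

Final-Recipient: rfc822; user@example.com
Original-Recipient: rfc822; user@example.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; mail.example.com
Diagnostic-Code: smtp; 550 5.7.1 Service unavailable; client 192.0.2.10 blocked

--dsn-b1
Content-Type: message/rfc822

From: sender@example.org
To: user@example.com
Subject: hello

original body
--dsn-b1--
"""

# RFC 3463 enhanced status code: class.subject.detail.  Class 2 = success,
# 4 = persistent transient failure, 5 = permanent failure.  Subject 7 is the
# "security or policy status" group, which is how a reputation block comes back.
STATUS_CLASS = {"2": "success", "4": "transient", "5": "permanent"}


def is_policy_rejection(status):
    """True when the enhanced status code is in the X.7.X (security/policy) subject."""
    fields = status.strip().split(".")
    return len(fields) == 3 and fields[1] == "7"


def parse_dsn(raw):
    """Return one dict per recipient from a conformant DSN, or None when the
    message is not a multipart/report delivery-status report at all."""
    msg = email.message_from_string(raw)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "delivery-status"):
        return None
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        # The email package represents each blank-line separated field group
        # as its own Message object: the first group is per-message, the rest
        # are one group per recipient.
        groups = part.get_payload()
        per_message, per_recipient = groups[0], groups[1:]
        results = []
        for grp in per_recipient:
            status = grp.get("Status", "").strip()
            results.append({
                "reporting_mta": per_message.get("Reporting-MTA", "").strip(),
                "recipient": grp.get("Final-Recipient", "").split(";", 1)[-1].strip(),
                "action": grp.get("Action", "").strip().lower(),
                "status": status,
                "class": STATUS_CLASS.get(status[:1], "unknown"),
                "policy_block": is_policy_rejection(status),
                "diagnostic": grp.get("Diagnostic-Code", "").strip(),
            })
        return results
    return None


if __name__ == "__main__":
    for r in parse_dsn(SAMPLE_DSN):
        print(r["recipient"], r["action"], r["status"], r["class"], r["policy_block"])
```

A bounce that does not parse this way (a free-form text rejection with no delivery-status part) is exactly the non-standard kind the post complains about; the function returns None for it rather than guessing.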

Re: Abuse procedures... Reality Checks

2007-04-07 Thread Fergie


-- william(at)elan.net [EMAIL PROTECTED] wrote:

On Sat, 7 Apr 2007, Fergie wrote:

 I would have to respectfully disagree with you. When network
 operators do due diligence and SWIP their sub-allocations, they
 (the sub-allocations) should be authoritative in regards to things
 like RBLs.

Yes. But the answer is that it also depends on how many other cases like
this exist from the same operator. If they have 16 sub-allocations in a /24
but, say, 5 of them are spewing, I'd block the /24 (or larger) ISP block.

Why? When you can block on more specific prefixes? This just
doesn't make sense to me.

The exact % of bad blocks (i.e. when to start blocking the ISP) depends
on your point of view and history with that ISP, but most in fact do
hold ISPs partially responsible.

Indeed -- your point of view. Which I would argue is unfair
and not due diligence.

-- ferg



--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Abuse procedures... Reality Checks

2007-04-07 Thread Stephen Satchell


Frank Bulk wrote:
 [[Attribution deleted by Frank Bulk]]
Neither I nor J. Oquendo nor anyone else are required to 
spend our time, our money, and our resources figuring out which 
parts of X's network can be trusted and which can't.  


It's not that hard, the ARIN records are easy to look up.  Figuring out that a
network operator has a /8 that you want to block based on 3 or 4 IPs in
their range requires just as much work.


It's *very* hard to do it with an automated system, as such automated 
look-ups are against the Terms of Service for every single RIR out there.


Please play the bonus round:  try again.


Re: Abuse procedures... Reality Checks

2007-04-07 Thread Fergie


-- Stephen Satchell [EMAIL PROTECTED] wrote:

It's *very* hard to do it with an automated system, as such automated 
look-ups are against the Terms of Service for every single RIR out there.



Exactly why is this hard to do?

I would think that it's actually very easy to do when
sub-allocations are SWIP'ed.

-- ferg





--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Abuse procedures... Reality Checks

2007-04-07 Thread Chris Owen



On Apr 7, 2007, at 11:00 PM, Fergie wrote:


I would think that it's actually very easy to do when
sub-allocations are SWIP'ed.


Not that I'm really defending this policy, but sub-allocations are  
very often not SWIPed.  I'd say 75% or more of the time I'm looking at a  
problem IP address it is part of a /19 or larger block with no sub- 
allocation.


For example, I know for a fact that 70.167.38.132 is part of a  
netblock assigned to a business (I believe it is a /28 or /27).  It  
is routed to them over a DS1 or similar cable equivalent.  They run a  
handful of servers behind it, including publicly hosting a half dozen  
corporate web sites and a mail server.  Clearly these addresses have  
been assigned to this business.


Yet:

[EMAIL PROTECTED]:~$ whois 70.167.38.132
Cox Communications Inc. NETBLK-COX-ATLANTA-10 (NET-70-160-0-0-1)
                                  70.160.0.0 - 70.191.255.255
Cox Communications Inc. NETBLK-WI-OHFC-70-167-32-0 (NET-70-167-32-0-1)
                                  70.167.32.0 - 70.167.63.255

No rwhois server available.

And Cox is actually better than some.  That's only a /19.  I've seen  
much larger blocks than this.  Somehow I doubt that if we pulled that with  
our /20 we'd have a /19 now.


Chris



Chris Owen ~ Garden City (620) 275-1900 ~  Lottery (noun):
President  ~ Wichita (316) 858-3000 ~A stupidity tax
Hubris Communications Inc  www.hubris.net






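Added example, not posted by Chris or anyone else on the thread: a parser for whois summary output in the shape shown above that finds the most specific record covering an address and then applies the two positions argued here (block the SWIP'd reassignment when one exists that is more specific than a /24, otherwise fall back to the /24). It works only on output already captured from a manual query, so no automated RIR lookups are made. The two Cox records are the ones from Chris's lookup; the /28 reassignment record for "Example Business Inc." is invented, to show what the answer looks like once the customer block has been SWIP'd.

```python
import ipaddress
import re

# Constructed input in the shape of the ARIN whois summary Chris posted: an
# "Org NETNAME (NET-HANDLE)" line followed by the address range on the next
# line.  These two records are the ones from his lookup.  Nothing is fetched
# from the network, so RIR rate limits are never touched.
SAMPLE_WHOIS = """\
Cox Communications Inc. NETBLK-COX-ATLANTA-10 (NET-70-160-0-0-1)
                                  70.160.0.0 - 70.191.255.255
Cox Communications Inc. NETBLK-WI-OHFC-70-167-32-0 (NET-70-167-32-0-1)
                                  70.167.32.0 - 70.167.63.255

No rwhois server available.
"""

# Assumption for the example: the same lookup if the customer's /28 had been
# SWIP'd as a reassignment.  The org name and handle are invented.
SAMPLE_WHOIS_SWIPED = SAMPLE_WHOIS + """\
Example Business Inc. EXAMPLE-BIZ-70-167-38-128 (NET-70-167-38-128-1)
                                  70.167.38.128 - 70.167.38.143
"""

RECORD_RE = re.compile(r"^(?P<org>.+?)\s+(?P<netname>\S+)\s+\((?P<handle>NET-[^)]+)\)\s*$")
RANGE_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*-\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_whois(text):
    """Return a list of (netname, handle, network) from summary-style output.
    A record line must be followed by its range line; anything else is ignored."""
    records, pending = [], None
    for line in text.splitlines():
        m = RANGE_RE.match(line)
        if m and pending:
            lo, hi = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
            for net in ipaddress.summarize_address_range(lo, hi):
                records.append((pending[0], pending[1], net))
            pending = None
            continue
        m = RECORD_RE.match(line)
        pending = (m.group("netname"), m.group("handle")) if m else None
    return records


def most_specific(records, ip):
    """The longest-prefix record containing ip: the sub-allocation, if one is SWIP'd."""
    ip = ipaddress.ip_address(ip)
    hits = [r for r in records if ip in r[2]]
    return max(hits, key=lambda r: r[2].prefixlen) if hits else None


def block_scope(records, ip, swip_longer_than=24):
    """What to block for one abusive address.

    If the most specific record is a reassignment more specific than a /24
    (Frank's and Fergie's position: the SWIP'd sub-allocation is the
    authoritative unit), block just that.  Otherwise fall back to the /24,
    the smallest unit that is routed as one piece and so certainly belongs
    to a single provider (John's point).
    """
    rec = most_specific(records, ip)
    if rec is not None and rec[2].prefixlen > swip_longer_than:
        return "swip", rec[0], rec[2]
    return "cidr24", rec[0] if rec else None, ipaddress.ip_network(f"{ip}/24", strict=False)


if __name__ == "__main__":
    for sample in (SAMPLE_WHOIS, SAMPLE_WHOIS_SWIPED):
        print(block_scope(parse_whois(sample), "70.167.38.132"))
```

Note that 70.160.0.0 - 70.191.255.255 is a /11, not a /19; the parser reports what the range actually is rather than trusting a label, which is the kind of check you want before widening a block.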

Re: Abuse procedures... Reality Checks

2007-04-07 Thread Fergie


-- Chris Owen [EMAIL PROTECTED] wrote:

On Apr 7, 2007, at 11:00 PM, Fergie wrote:

 I would think that it's actually very easy to do when
 sub-allocations are SWIP'ed.

Not that I'm really defending this policy, but sub-allocations are  
very often not SWIPed.  I'd say 75% or more of the time I'm looking at a  
problem IP address it is part of a /19 or larger block with no sub- 
allocation.


Please read what I wrote:

I would think that it's actually very easy to do when
sub-allocations are SWIP'ed.

I cannot, and will not, presuppose that in cases when they are
not SWIP'ed that some kind of magic happens. :-)

-- ferg



--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Abuse procedures... Reality Checks

2007-04-07 Thread Chris Owen



On Apr 7, 2007, at 11:41 PM, Fergie wrote:


Please read what I wrote:

I would think that it's actually very easy to do when
sub-allocations are SWIP'ed.

I cannot, and will not, presuppose that in cases when they are
not SWIP'ed that some kind of magic happens. :-)


And how do you know the difference?  The Cox IP address is SWIPed.   
It's even sub-allocated.  The allocation is just a /19.


Chris


Chris Owen ~ Garden City (620) 275-1900 ~  Lottery (noun):
President  ~ Wichita (316) 858-3000 ~A stupidity tax
Hubris Communications Inc  www.hubris.net







RE: Abuse procedures... Reality Checks

2007-04-07 Thread Frank Bulk

Stephen:

Are you saying that if there's a nefarious IP out there let's automatically
blacklist the /24 of that IP?  J. Oquendo was describing his own methods and
they sounded quite manual, manual enough that he's getting down to a /8 as
necessary to blacklist a non-responsive operator.  My point is that if
you're going to block something, either block the /32 or do the research to
justify blocking a larger group.

And despite ToS, I think many operators are running automated lookups, and
there are lots of examples out there for ARIN.

Frank

-Original Message-
From: Stephen Satchell [mailto:[EMAIL PROTECTED] 
Sent: Saturday, April 07, 2007 5:44 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Abuse procedures... Reality Checks

Frank Bulk wrote:
  [[Attribution deleted by Frank Bulk]]
 Neither I nor J. Oquendo nor anyone else are required to 
 spend our time, our money, and our resources figuring out which 
 parts of X's network can be trusted and which can't.  
 
 It's not that hard, the ARIN records are easy to look up.  Figuring out that
 a network operator has a /8 that you want to block based on 3 or 4 IPs in
 their range requires just as much work.

It's *very* hard to do it with an automated system, as such automated 
look-ups are against the Terms of Service for every single RIR out there.

Please play the bonus round:  try again.



RE: Abuse procedures... Reality Checks

2007-04-07 Thread Frank Bulk

That sounds like a very reasonable perspective and generally the route I
follow both as a operator and as someone who works with others.

Frank 

-Original Message-
From: william(at)elan.net [mailto:[EMAIL PROTECTED] 
Sent: Saturday, April 07, 2007 6:23 PM
To: Frank Bulk
Cc: nanog@merit.edu
Subject: RE: Abuse procedures... Reality Checks


On Sat, 7 Apr 2007, Frank Bulk wrote:

 If they're properly SWIPed why punish the ISP for networks they don't even
 operate, that obviously belong to their business customers?

All ISPs have AUPs that prohibit spam (or at least I hope all of you do),
though they are enforced better at some places than at others... But the point
is that each and every customer ISP is responsible for following that
AUP and is responsible for making sure their customers follow it as well.
So to answer you, the view is that even if the ISP does not operate the network
by providing services and IP addresses, they in fact basically do operate
it on a higher level and are partially directly responsible for what happens
there, including enforcing its AUP on its sub-ISP or business customer
(and making sure they enforce the same AUP provisions on their customers).
Chain of responsibility, if you like to think of it that way...

 And if the granular blocking is effectively shutting down the abuse from 
 that sub-allocated block, didn't the network operator succeed in protecting
 themselves?  Or is the netop looking to the ISP to push back on their
 customers to clean up their act?  Or is the netop trying to teach the ISP a
 lesson?

 Of course, it doesn't hurt to copy the ISP or AS owner for abuse issues from
 a sub-allocated block -- you would hope that ISPs and AS owners would want
 to have clean customers.

Yes, of course blocking of the larger ISP block would happen only after trying
to notify the ISP of the problem for each and every one of those sub-blocks did
not lead to any results.

 Frank

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
 william(at)elan.net
 Sent: Saturday, April 07, 2007 5:58 PM
 To: Fergie
 Cc: [EMAIL PROTECTED]; nanog@merit.edu
 Subject: Re: Abuse procedures... Reality Checks

 On Sat, 7 Apr 2007, Fergie wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 - -- Rich Kulawiec [EMAIL PROTECTED] wrote:

 1. There's nothing indiscriminate about it.

 I often block /24's and larger because I'm holding the *network*
 operators
 responsible for what comes out of their operation.  If they can't hold
 the outbound abuse down to a minimum, then I guess I'll have to make
 up for their negligence on my end.  I don't care why it happens -- they
 should have thought through all this BEFORE plugging themselves in
 and planned accordingly.  (Never build something you can't control.)

 I would have to respectfully disagree with you. When network
 operators do due diligence and SWIP their sub-allocations, they
 (the sub-allocations) should be authoritative in regards to things
 like RBLs.

 $.02,

 Yes. But the answer is that it also depends on how many other cases like
 this exist from the same operator. If they have 16 sub-allocations in a /24
 but, say, 5 of them are spewing, I'd block the /24 (or larger) ISP block.
 The exact % of bad blocks (i.e. when to start blocking the ISP) depends
 on your point of view and history with that ISP, but most in fact do
 hold ISPs partially responsible.

-- 
William Leibzon
Elan Networks
[EMAIL PROTECTED]



RE: Abuse procedures... Reality Checks

2007-04-07 Thread Robert Bonomi


 From: Frank Bulk [EMAIL PROTECTED]
 Subject: RE: Abuse procedures... Reality Checks
 Date: Sat, 7 Apr 2007 16:20:59 -0500

  If they can't hold the outbound abuse down to a minimum, then 
  I guess I'll have to make up for their negligence on my end.  

 Sure, block that /29, but why block the /24, /20, or even /8?  Perhaps your
 (understandable) frustration is preventing you from agreeing with me on this
 specific case.  Because what you usually see is an IP from a /20 or larger
 and the network operators aren't dealing with it.  In the example I gave
 it's really the smaller /29 that's the culprit, it sounds like you want to
 punish a larger group, perhaps as large as an AS, for the fault of a smaller
 network.

BLUNT QUESTIONS:  *WHO*  pays me to figure out 'which parts' of a provider's
network are riddled with problems and 'which parts' are _not_?  *WHO* pays
me to do the research to find out where the end-user boundaries are? *WHY*
should _I_ have to do that work -- If the 'upstream provider' is incapable of
keeping _their_own_house_ clean, why should I spend the time trying to figure
out which of their customers are 'bad guys' and which are not?

A provider *IS* responsible for the 'customers it _keeps_'.

And, unfortunately, a customer is 'tarred by the brush' of the reputation
of its provider.

 Smaller operators, like those that require just a /29, often don't have that
 infrastructure.  Those costs, as I'm sure you are aware, are passed on to
 companies like yourself that have to maintain their own network's security.
 Again, block them, I say, just don't swallow others up in the process.

If the _UPSTREAM_ of that 'small operator' cannot 'police' its own customers,
Why should _I_ absorb the costs that _they_ are unwilling to internalize?

If they want to sell 'cheap' service, but not 'doing what is necessary', I
see no reason to 'facilitate' their cut-rate operations.

Those who buy service from such a provider, 'based on cost',  *deserve* what
they get, when their service doesn't work as well as that provided by the
full-price competition.

_YOUR_ connectivity is only as good as the 'reputation' of whomever it is 
that you buy connectivity from.

You might want to consider _why_ the provider *keeps* that 'offensive' 
customer.  There would seem to be only a few possible explanations:  (1) they
are 'asleep at the switch', (2) that customer pays enough that they can
'afford' to have multiple other customers who are 'dis-satisfied', or who
may even leave that provider, (3) they aren't willing to 'spend the money'
to run a clean operation.  (_None_ of those seems like a good reason for _me_
to spend extra money 'on behalf of' _their_ clients.)



Re: Abuse procedures... Reality Checks

2007-04-07 Thread Dave Pooser

 BLUNT QUESTIONS:  *WHO*  pays me to figure out 'which parts' of a provider's
 network are riddled with problems and 'which parts' are _not_?

I don't know the answer in your case, but in my case the answer is my
employer. More specifically, my employer pays me to block junk and let good
traffic* through; that mandate does not include blocking networks that we have
no reason to believe are junk in hopes of inflicting enough collateral
damage to force the spammers' upstream to clean up its act.

If your customers/employer/whomever understand they may miss data they
wanted to receive in order to help you put pressure on
lazy/abusive/incompetent ISPs, and they're okay with that, more power to
'em. I think probably more people are in my boat-- I can't afford to launch
a crusade, I just have to keep the bits flowing.

*On the other hand, in a corporate network good traffic can be more
strictly defined; for example I block most of APNIC, half of RIPE, most of
LACNIC and all of AFRINIC not because I think they're all spammy but because
we get no legitimate business traffic from those regions which makes their
signal-to-noise ratio effectively 0:infinite. So if you know a provider will
never** send you legit messages, go ahead and block. Otherwise,

**My sweeping xenoemailphobia has blocked 4 legit messages (3 of which were
personal non-work-related messages) in the past 6 years, and since my reject
message gives a workaround to reach me all 4 reached their intended
recipient. Compared to the 5-15k messages blocked per day over that span,
close enough to never for me-- and more importantly, for my boss.
-- 
Dave Pooser, ACSA
Manager of Information Services
Alford Media http://www.alfordmedia.com





RE: Abuse procedures... Reality Checks

2007-04-07 Thread Frank Bulk

Robert:

You still haven't answered the question: how wide do you block?  You got an
IP address that you know is offensive.  Is your default policy to blacklist
just that one, do the /24, go to ARIN and find out the size of that block
and do the whole thing, or identify the AS and block traffic from the dozen
if not hundreds of allocations they have?  In only the first two cases is no
research required, but I would hope that the network who wants to blacklist
(i.e. GoDaddy) would do a little bit of (automated) legwork to focus their
abuse control.

You also have too dim and narrow a view of customer relationships.  In my
case the upstream ISP is a member-owned cooperative of which the
sub-allocated space is either a member or a customer of a member.  1, 2, and
3 don't apply, rather, the coop works with their members to identify the
source of the abuse and shut it down.  It's not adversarial as you paint it
to be.  BTW, do you think the member-owned coop should be monitoring the
outflow of dozens of member companies and hundreds of sub-allocations they
have?

And it's not *riddled* with abuse, it's just one abuser, probably a dial-up
customer who is unwittingly infected, who while connected for an hour or two
sends out junk.  GoDaddy takes that and blacklists the whole /24, affecting
both large and small businesses alike who are in other sub-allocated blocks
in that /24.  Ideally, of course, each sub-allocated customer would have
their own /24 so that when abuse protection policies kick in and that
automatically blacks out a /24 only they are affected, but for address
conservation reasons that did not occur.  

Frank

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Robert Bonomi
Sent: Saturday, April 07, 2007 8:41 PM
To: nanog@merit.edu
Subject: RE: Abuse procedures... Reality Checks

 From: Frank Bulk [EMAIL PROTECTED]
 Subject: RE: Abuse procedures... Reality Checks
 Date: Sat, 7 Apr 2007 16:20:59 -0500

  If they can't hold the outbound abuse down to a minimum, then 
  I guess I'll have to make up for their negligence on my end.  

 Sure, block that /29, but why block the /24, /20, or even /8?  Perhaps your
 (understandable) frustration is preventing you from agreeing with me on this
 specific case.  Because what you usually see is an IP from a /20 or larger
 and the network operators aren't dealing with it.  In the example I gave
 it's really the smaller /29 that's the culprit, it sounds like you want to
 punish a larger group, perhaps as large as an AS, for the fault of a smaller
 network.

BLUNT QUESTIONS:  *WHO*  pays me to figure out 'which parts' of a provider's
network are riddled with problems and 'which parts' are _not_?  *WHO* pays
me to do the research to find out where the end-user boundaries are? *WHY*
should _I_ have to do that work -- If the 'upstream provider' is incapable of
keeping _their_own_house_ clean, why should I spend the time trying to figure
out which of their customers are 'bad guys' and which are not?

A provider *IS* responsible for the 'customers it _keeps_'.

And, unfortunately, a customer is 'tarred by the brush' of the reputation
of its provider.

 Smaller operators, like those that require just a /29, often don't have that
 infrastructure.  Those costs, as I'm sure you are aware, are passed on to
 companies like yourself that have to maintain their own network's security.
 Again, block them, I say, just don't swallow others up in the process.

If the _UPSTREAM_ of that 'small operator' cannot 'police' its own customers,
Why should _I_ absorb the costs that _they_ are unwilling to internalize?

If they want to sell 'cheap' service, but not 'doing what is necessary', I
see no reason to 'facilitate' their cut-rate operations.

Those who buy service from such a provider, 'based on cost',  *deserve* what
they get, when their service doesn't work as well as that provided by the
full-price competition.

_YOUR_ connectivity is only as good as the 'reputation' of whomever it is 
that you buy connectivity from.

You might want to consider _why_ the provider *keeps* that 'offensive' 
customer.  There would seem to be only a few possible explanations:  (1) they
are 'asleep at the switch', (2) that customer pays enough that they can
'afford' to have multiple other customers who are 'dis-satisfied', or who
may even leave that provider, (3) they aren't willing to 'spend the money'
to run a clean operation.  (_None_ of those seems like a good reason for _me_
to spend extra money 'on behalf of' _their_ clients.)




Re: Abuse procedures... Reality Checks

2007-04-07 Thread Fergie


-- Chris Owen [EMAIL PROTECTED] wrote:

On Apr 7, 2007, at 11:41 PM, Fergie wrote:

 Please read what I wrote:

 I would think that it's actually very easy to do when
 sub-allocations are SWIP'ed.

 I cannot, and will not, presuppose that in cases when they are
 not SWIP'ed that some kind of magic happens. :-)

And how do you know the difference?  The Cox IP address is SWIPed.   
Its even sub-allocated.  The allocation is just a /19.


Again, a simple recursive WHOIS will show you sub-allocations if they
are properly SWIP'ed.

Not a big deal, really.

-- ferg





--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Abuse procedures... Reality Checks

2007-04-07 Thread Chris Owen



On Apr 8, 2007, at 2:51 AM, Fergie wrote:


Again, a simple recursive WHOIS will show you sub-allocations if they
are properly SWIP'ed.


Define properly.  The Cox addresses in my example are SWIPed.  Are  
they properly SWIPed?  How could you tell from whois?


Chris


Chris Owen ~ Garden City (620) 275-1900 ~  Lottery (noun):
President  ~ Wichita (316) 858-3000 ~A stupidity tax
Hubris Communications Inc  www.hubris.net







Re: Abuse procedures... Reality Checks

2007-04-07 Thread John Levine

 Sure, block that /29, but why block the /24, /20, or even /8?

Since nobody will route less than a /24, you can be pretty sure that
regardless of the SWIPs, everyone in a /24 is served by the same ISP.

I run a tiny network with about 400 mail users, but even so, my
semiautomated systems are sending off complaints about a thousand
spams a day that land in traps and filters.  (That doesn't count about
50,000/day that come from blacklisted sources that I package up and
sell to people who use them to tune filters and look for phishes.)  I
log the sources, when a particular IP has more than 50 complaints in a
month I usually block it, if I see a bunch of blocked IP's in a range
I usually block the /24.  Now and then I get complaints from users
about blocked mail, but it's invariably from an individual IP at an
ISP or hosting company that has both a legit correspondent and a
spam-spewing worm or PHP script.  It is quite rare for an expansion to
a /24 to block any real mail.

My goal is to keep the real users' mail flowing, to block as much spam
as cheaply as I can, and to get some sleep.  I can assure you from
experience that any sort of automated RIR WHOIS lookups will quickly
trip volume checks and get you blocked, so I do a certain number
manually, typically to figure out how likely there is to be someone
reading the spam reports.  But on today's Internet, if you want to get
your mail delivered, it would be a good idea not to live in a bad
neighborhood, and if your ISP puts you in one, you need a better ISP.
That's life.

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of The Internet for 
Dummies,
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
More Wiener schnitzel, please, said Tom, revealingly.

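John's procedure above is a policy one can write down: count complaints per source over a month, block a host once it passes a threshold, and widen to the /24 when several blocked hosts share one. Added example, not John's code or anyone else's on the thread: it implements that and, going beyond his description, also folds in the two other rules argued in this thread, Frank's and Fergie's (where SWIP data exists, block only the offending reassignment) and William's (once enough of a /24's reassignments are bad, hold the provider responsible and block the /24). The complaint log, the SWIP table and the cut-offs of 3 hosts and 30% are constructed assumptions; addresses are taken from the documentation ranges.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Fixed "now" so the constructed data is reproducible.
NOW = datetime(2007, 4, 7, 12, 0)


def sample_complaints(now=NOW):
    """Constructed complaint log as (timestamp, source address) pairs.
    Not real data; the addresses are from the documentation ranges."""
    rows = []

    def add(ip, n, days_ago=1):
        ts = now - timedelta(days=days_ago)
        rows.extend((ts, ipaddress.ip_address(ip)) for _ in range(n))

    add("192.0.2.10", 60)               # three bad hosts in one un-SWIP'd /24
    add("192.0.2.20", 55)
    add("192.0.2.30", 52)
    add("192.0.2.99", 10)               # below threshold, must not be blocked
    add("198.51.100.5", 75)             # one bad host on its own
    add("203.0.113.17", 80)             # two bad hosts in a SWIP'd /24
    add("203.0.113.200", 51)
    add("203.0.113.77", 100, days_ago=40)   # stale: outside the 30-day window
    return rows


# Assumption: 203.0.113.0/24 is SWIP'd into sixteen /28 customer reassignments
# (William's "16 suballocations in /24"); the other /24s have no records.
SWIPED = {
    ipaddress.ip_network("203.0.113.0/24"):
        list(ipaddress.ip_network("203.0.113.0/24").subnets(new_prefix=28)),
}


def blocked_hosts(complaints, now=NOW, threshold=50, window=timedelta(days=30)):
    """John's per-host rule: more than `threshold` complaints inside the window."""
    cutoff = now - window
    counts = Counter(src for ts, src in complaints if ts >= cutoff)
    return {src for src, n in counts.items() if n > threshold}


def decide_blocks(hosts, swiped=SWIPED, min_hosts=3, bad_fraction=0.3):
    """Widen per-host blocks using the three rules from the thread.

    No SWIP data for the /24: block the whole /24 once `min_hosts` of its
    hosts are bad (John's "a bunch of blocked IPs in a range"; 3 is assumed).
    SWIP data present: block only the offending reassignments (Frank/Fergie),
    unless the share of bad reassignments reaches `bad_fraction`, in which
    case block the /24 (William).  Bad hosts inside a SWIP'd /24 but outside
    every listed reassignment are the provider's own space: block the /32.
    """
    by_24 = defaultdict(set)
    for h in hosts:
        by_24[ipaddress.ip_network(f"{h}/24", strict=False)].add(h)

    blocks = set()
    for net24, bad in by_24.items():
        subs = swiped.get(net24)
        if not subs:
            if len(bad) >= min_hosts:
                blocks.add(net24)
            else:
                blocks.update(ipaddress.ip_network(f"{h}/32") for h in bad)
            continue
        bad_subs = {s for s in subs if any(h in s for h in bad)}
        if len(bad_subs) / len(subs) >= bad_fraction:
            blocks.add(net24)
        else:
            blocks.update(bad_subs)
            blocks.update(ipaddress.ip_network(f"{h}/32")
                          for h in bad if not any(h in s for s in subs))
    return blocks


def run_policy(min_hosts=3, bad_fraction=0.3):
    """Run the whole pipeline over the constructed log; returns sorted CIDR strings."""
    hosts = blocked_hosts(sample_complaints())
    return sorted(str(n) for n in
                  decide_blocks(hosts, min_hosts=min_hosts, bad_fraction=bad_fraction))


if __name__ == "__main__":
    for cidr in run_policy():
        print(cidr)
```

Lowering `bad_fraction` to 0.1 flips the SWIP'd /24 into William's outcome (2 of 16 bad is enough to block the whole thing); raising `min_hosts` keeps John's escalation from firing on the un-SWIP'd /24. The thresholds are where the disagreement in this thread actually lives, so they are the parameters, not the code.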


Re: Abuse procedures... Reality Checks

2007-04-07 Thread Fergie


-- Chris Owen [EMAIL PROTECTED] wrote:

On Apr 8, 2007, at 2:51 AM, Fergie wrote:

 Again, a simple recursive WHOIS will show you sub-allocations if they
 are properly SWIP'ed.

Define properly.  The Cox addresses in my example are SWIPed.  Are  
they properly SWIPed?  How could you tell from whois?


What is/are the exact prefix(es) in question?

-- ferg




--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Abuse procedures... Reality Checks

2007-04-07 Thread Matthew Black


On Sat, 7 Apr 2007 20:41:19 -0500 (CDT)
 Robert Bonomi [EMAIL PROTECTED] wrote:
BLUNT QUESTIONS:  *WHO*  pays me to figure out 'which parts' of a provider's
network are riddled with problems and 'which parts' are _not_?  *WHO* pays
me to do the research to find out where the end-user boundaries are? *WHY*
should _I_ have to do that work -- If the 'upstream provider' is incapable of
keeping _their_own_house_ clean, why should I spend the time trying to figure
out which of their customers are 'bad guys' and which are not?

A provider *IS* responsible for the 'customers it _keeps_'.

And, unfortunately, a customer is 'tarred by the brush' of the reputation
of its provider.



Um, with that reasoning, why not just block the whole /0 and
be done with it?

Seriously, I used to share your frustration and would block large
swaths of the Internet for rather minor offenses. I finally realized
this practice didn't help. Why not get yourself some sort of intrusion
detection/prevention system or fully firewall your hosts. If you have
a spam problem, get an e-mail security appliance which uses reputation
filtering to reject connections?

matthew black
california state university, long beach


RE: Abuse procedures... Reality Checks

2007-04-07 Thread Frank Bulk

I guess our upstream provider is a nobody because they have lots of small
sub-allocated blocks less than a /24 that they route to different member
ISPs. =)

What is the point of blocking a /24 on the basis of a /32 if the ISP manages
dozens of other /24 or larger blocks?  If you're going to do it, block *all*
the IPs associated to the 'bad' ISP.  Then at least you're consistent,
otherwise expanding to a /24 is just a half (or 1%) job or laziness.

Frank

-Original Message-
From: Frank Bulk 
Sent: Saturday, April 07, 2007 10:45 PM
To: [EMAIL PROTECTED]
Subject: Re: Abuse procedures... Reality Checks


 Sure, block that /29, but why block the /24, /20, or even /8?

Since nobody will route less than a /24, you can be pretty sure that
regardless of the SWIPs, everyone in a /24 is served by the same ISP.

I run a tiny network with about 400 mail users, but even so, my
semiautomated systems are sending off complaints about a thousand
spams a day that land in traps and filters.  (That doesn't count about
50,000/day that come from blacklisted sources that I package up and
sell to people who use them to tune filters and look for phishes.)  I
log the sources, when a particular IP has more than 50 complaints in a
month I usually block it, if I see a bunch of blocked IP's in a range
I usually block the /24.  Now and then I get complaints from users
about blocked mail, but it's invariably from an individual IP at an
ISP or hosting company that has both a legit correspondent and a
spam-spewing worm or PHP script.  It is quite rare for an expansion to
a /24 to block any real mail.

My goal is to keep the real users' mail flowing, to block as much spam
as cheaply as I can, and to get some sleep.  I can assure you from
experience that any sort of automated RIR WHOIS lookups will quickly
trip volume checks and get you blocked, so I do a certain number
manually, typically to figure out how likely there is to be someone
reading the spam reports.  But on today's Internet, if you want to get
your mail delivered, it would be a good idea not to live in a bad
neighborhood, and if your ISP puts you in one, you need a better ISP.
That's life.

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of The Internet for
Dummies,
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
More Wiener schnitzel, please, said Tom, revealingly.





Re: Abuse procedures... Reality Checks

2007-04-07 Thread Mikael Abrahamsson


On Sat, 7 Apr 2007, Chris Owen wrote:

And how do you know the difference?  The Cox IP address is SWIPed.  It's 
even sub-allocated.  The allocation is just a /19.


Exactly, so why not just block whatever the suballocation is? Would mean 
that companies that properly SWIP their IP-blocks and put in the effort to 
maintain them, are given an advantage over companies that do not.


--
Mikael Abrahamsson    email: [EMAIL PROTECTED]
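As an added illustration (not code posted by anyone in this thread), here is the blocking policy John Levine describes above (block an IP after more than 50 complaints in a month, escalate to the range when several blocked IPs cluster in it) alongside the variant Mikael Abrahamsson proposes: escalate only to the SWIP'ed sub-allocation that actually contains the offenders rather than the whole /24. The 50-complaint threshold is John's; the three-IP escalation count, the complaint log and the SWIP table are constructed assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed complaint log: one entry per spam complaint this month, keyed by source IP.
COMPLAINTS = (["192.0.2.5"] * 60 + ["192.0.2.9"] * 55 + ["192.0.2.17"] * 51
              + ["192.0.2.200"] * 70 + ["192.0.2.70"] * 10)

# Constructed SWIP-style table (hypothetical, not real ARIN data): the /24 is the
# provider's allocation, the more-specific prefixes are its sub-allocated customers.
SWIPS = {
    "192.0.2.0/24": "example-isp",
    "192.0.2.0/26": "customer-a",
    "192.0.2.64/26": "customer-b",
    "192.0.2.128/25": "customer-c",
}

PER_IP_THRESHOLD = 50   # John Levine's figure: more than 50 complaints/month blocks the IP
RANGE_ESCALATION = 3    # assumption: this many blocked IPs in one range blocks the range


def blocked_ips(complaints, threshold=PER_IP_THRESHOLD):
    """IPs whose monthly complaint count exceeds the per-IP threshold."""
    counts = Counter(complaints)
    return {ip for ip, n in counts.items() if n > threshold}


def smallest_swip(ip, swips):
    """Most specific SWIP'ed block containing ip; falls back to the /24 if none is recorded."""
    addr = ipaddress.ip_address(ip)
    candidates = [ipaddress.ip_network(n) for n in swips if addr in ipaddress.ip_network(n)]
    if not candidates:
        return ipaddress.ip_network(f"{ip}/24", strict=False)
    return max(candidates, key=lambda n: n.prefixlen)


def escalate(blocked, swips, min_hits=RANGE_ESCALATION, use_swip=True):
    """Group blocked IPs by range and return the ranges with at least min_hits blocked IPs.

    use_swip=True groups by the SWIP'ed sub-allocation (Mikael's variant);
    use_swip=False groups by the enclosing /24 (the practice debated in the thread).
    """
    groups = defaultdict(set)
    for ip in blocked:
        rng = smallest_swip(ip, swips) if use_swip else ipaddress.ip_network(f"{ip}/24", strict=False)
        groups[rng].add(ip)
    return {str(rng) for rng, ips in groups.items() if len(ips) >= min_hits}


if __name__ == "__main__":
    hits = blocked_ips(COMPLAINTS)
    print("blocked IPs:", sorted(hits))
    print("escalate by SWIP:", escalate(hits, SWIPS))          # only customer-a's /26
    print("escalate by /24: ", escalate(hits, SWIPS, use_swip=False))  # whole /24, hitting customers b and c
```

With the sample data the /24 policy also cuts off customer-b, which never crossed the threshold, while the SWIP-aware policy blocks only the /26 where the three offending hosts sit.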