Re: Repeated Blacklisting / IP reputation

2009-10-03 Thread Rich Kulawiec
On Tue, Sep 15, 2009 at 09:22:02PM -0400, Christopher Morrow wrote:
> > build expertise on managing it. If you go to SpamHaus you will see a major
> > ISP and their netblocks listed and associated with known spammers. What is
> > this ISP doing about this? Nothing!  My guess is that they look at their
> 
> 'nothing' that you can see? or nothing? or something you can't see or
> that's taking longer than you'd expect/like? There certainly are bad
> actors out there, but I think the majority are doing things to keep
> clean, perhaps not in the manner you would like (or the speed you
> would like or with as much public information as you'd like).

[ engage cynical mode] 

It's the responsibility of all operations to ensure that they're not
persistent or egregious sources of abuse.  *Some* operations handle that
reasonably well, but unfortunately many do not -- which is why there
are now hundreds of blacklists (of varying intent, design, operation,
and so on).

If ISPs et al. were doing their jobs properly, there would be no need
for any of these to exist.  But they're not, which is why so many people
have taken the time and trouble to create them.  Overall ISP performance
in re abuse handling is miserable and has been for many years, and that
includes everything from a lack of even perfunctory due diligence ("30
seconds with Google") to failure to handle the abuse role address properly
and promptly to alarming naiveté ("what did you THINK they were doing
with an entire /24 full of nonsense domain names?") to deployment of
"anti-spam" measures that make the problem worse and inflict abuse on
third parties to...

This is hardly surprising: there are few, if any, consequences for
doing so, and of course it's far more profitable to not just turn a
blind eye to abuse (which used to be common) but more so these days to
actively assist in it with a smile and a wink and a hand extended for the
payoff, while simultaneously making a public show of "deep concern" and
issuing press releases that say "We take the X problem seriously..." and
participating in working groups that studiously avoid the actual problems
-- or better yet, which invite well-known/long-time abusers to have a
seat at the table.

---Rsk



RE: Repeated Blacklisting / IP reputation

2009-09-17 Thread David Schwartz

Shawn Somers wrote:

> Anyone that intentionally uses address space in a manner that they
> know will cause it to become contaminated should be denied on any
> further address space requests.

I couldn't disagree more with this kind of heckler's veto proposal. RBL
operators should not be permitted to set registry policy, even indirectly.

The point of an RBL is that it operates consensually. I choose to use an RBL
to filter something because I agree with the RBL's policy decisions. There
is nothing inherently wrong with being added to an RBL, it simply indicates
that the RBL's operators felt you met their policy for inclusion.

If someone wants to make an RBL that lists people with "bad ideas", they are
welcome to. Those who agree with them can have a "bad idea"-free internet.
But it does not follow that there's any reason to punish those on the RBL,
even if they do so intentionally, and even if that RBL listing would burden
other owners of the block.

Of course, they should not be permitted to launder their blocks either. Just
as registries should not impose costs on people just for getting listed in
an RBL, they should not impose costs on RBL-operators by helping people
evade earned listings and forcing re-listings.

DS





RE: Repeated Blacklisting / IP reputation

2009-09-16 Thread Lee Howard
> > and it will be up to the recipient to trust/accept the resource for what it
> > currently is or choose to reject it and find solace elsewhere.
> >
> 
> 'solace elsewhere'... dude there is no 'elsewhere'.

"elsewhere" = "designated transfer"
https://www.arin.net/policy/nrpm.html#eight3

Do you get a premium for a "clean" /18?

Lee




Re: Repeated Blacklisting / IP reputation

2009-09-15 Thread Christopher Morrow
On Wed, Sep 16, 2009 at 12:08 AM, Joel Jaeggli  wrote:
> Christopher Morrow wrote:
>>
>> Spammers have a lot of variables to change in this equation, RIR's
>> dont always have the ability to see all of the variables, nor
>> correlate all of the changes they see :(
>
> Being a criminal enterprise there are some tools in your kit that a
> legitimate business does not have. The problem becomes how

that was my point, yes.

> raising the legitimacy bar more effectively discriminates against
> legitimate entities than criminal ones.
>
> If a discriminatory measure were for example to raise the bar for new
> entrants that, by its nature represents an Internet scale tragedy.

I think we are in agreement on this issue, and the above actually.

-Chris



Re: Repeated Blacklisting / IP reputation

2009-09-15 Thread Joel Jaeggli
Christopher Morrow wrote:
>
> Spammers have a lot of variables to change in this equation, RIR's
> dont always have the ability to see all of the variables, nor
> correlate all of the changes they see :(

Being a criminal enterprise there are some tools in your kit that a
legitimate business does not have. The problem becomes how
raising the legitimacy bar more effectively discriminates against
legitimate entities than criminal ones.

If a discriminatory measure were for example to raise the bar for new
entrants that, by its nature represents an Internet scale tragedy.

joel

> -Chris
> 



Re: Repeated Blacklisting / IP reputation

2009-09-15 Thread Christopher Morrow
On Tue, Sep 15, 2009 at 10:29 PM,   wrote:
> On Tue, Sep 15, 2009 at 09:34:14PM -0400, Christopher Morrow wrote:
>> On Tue, Sep 15, 2009 at 4:46 PM,   wrote:
>> >
>> > so... this thread has a couple of really interesting characteristics.
>> > a couple are worth mentioning more directly (they have been alluded to 
>> > elsewhere)...
>>
>> as always, despite your choice in floral patterned shirts :) good
>> comments/questions.
>
>        humph... at least I wear pants.

you have something against skirts? or dresses? always with the pants
with you!! 

>> >
>> >        Who gets to define "bad" - other than a blacklist operator?
>> >        Are there common, consistent definitions of "contamination"?
>>
>> nope, each BL (as near as I can tell) has their own criteria (with
>
>        trick question... each ISP gets to define good/bad on their
>        own merits or can outsource it to third parties.

sure... outsourcing in this case often happens without a real business
relationship.

>
>> 1) newly allocated from IANA netblocks show up to end customers and
>> reachability problems ensue. (route-filters and/or firewall filters)
>>
>> 2) newly re-allocated netblocks show up with RBL baggage (rbls and
>> smtp blocks at the application layer)
>
>        you forgot #3 ... a "clean" IANA block that was "borrowed"
>        for a while .. and already shows up in some filter lists.

ok... but we can't ever really know that Verizon uses 114/8 and 104/8
internally can we? (and has/may leak this to external parties on
occasion by mistake)

>
>> > So - I suspect that in the end, a registry (ARIN) or an ISP (COMCAST) is only
>> > going to be able to tell you a few things about the prefix you have been handed.
>> >
>> >        a) it's virginal - never been used (that we know of)
>> >        b) it's been used once.
>> >        c) it has a checkered past
>>
>> I actually don't think it's a help for ARIN to say anything here,
>> since they can never know all the RBL's and history for a netblock,
>> and they can't help in the virginal case since they don't run
>> network-wide filters.
>
>        not RBL specific ...
>
>        a) this block came directly from IANA and has never been previously allocated
>           in/through the IANA/RIR process
>        b) this block has had one registered steward in recorded history
>        c) this block has been in/out of the RIR/registry system more than once.

Ok, is this in the final email from hostmaster@ to 'enduser@'? or
somewhere else? what's the recourse when someone says: "But I don't
want a USED netblock, it may have the herp!"

I'm trying to see if ARIN can say something of use here without
raising its costs or causing extra/more confusion to the end-site(s).

>> A FAQ that says some of the above with some pointers to testing
>> harnesses to use may be useful. Some tools for network operators to
>> use in updating things in a timely fashion may be useful.
>> Better/wider/louder notification 'services' for new block allocations
>> from IANA -> RIR's may be useful.
>
>        indeed - I'd like to see the suite extended to the ISPs as well, esp
>        if such tricks will be used in v6land...
>
>> last announced APNIC block yahtzee.  Where else is this data
>> available? In a form that your avg enterprise network op may notice?
>
>        oh... I'd suggest some of the security lists might be a good
>        channel.
>

sure, most of those folks also read nanog-l, this won't also reach
enterprise folk... (admittedly it's hard to reach 'everyone', but
spammers seem to be able to...)

>> > and it will be up to the recipient to trust/accept the resource for what it
>> > currently is or choose to reject it and find solace elsewhere.
>>
>> 'solace elsewhere'... dude there is no 'elsewhere'.
>
>        and yet... Jimmy and Warren Buffet will tell you it's always 1700 somewhere
>        and if that doesn't work,  whip out the NAT and reuse 10.0.0.0 -again- :)

ha... :(

-chris

>>
>> -Chris
>> (and yes, I'm yanking your chain about the shirts...)
>>
>> > --bill
>> >
>> >
>> > On Tue, Sep 15, 2009 at 04:31:04PM -0400, Christopher Morrow wrote:
>> >> On Tue, Sep 15, 2009 at 4:23 PM,   wrote:
>> >> > On Tue, 15 Sep 2009 08:01:48 PDT, Shawn Somers said:
>> >> >
>> >> >>   Anyone that intentionally uses address space in a manner that they
>> >> >> know will cause it to become contaminated should be denied on any
>> >> >> further address space requests.
>> >> >
>> >> > You *do* realize that the people you're directing that paragraph at are
>> >> > able to say with a totally straight face: "We're doing nothing wrong and
>> >> > we have *no* idea why we end up in so many local block lists"?
>> >>
>> >> Also, you can very well disable new allocations to Spammer-Bob, did
>> >> you also know his friend Sue is asking now for space? Sue is very
>> >> nice, she even has cookies... oh damn after we allocated to her we
>> >> found out she's spamming :(
>> >>
>> >> Spammers ha

Re: Repeated Blacklisting / IP reputation

2009-09-15 Thread bmanning
On Tue, Sep 15, 2009 at 09:34:14PM -0400, Christopher Morrow wrote:
> On Tue, Sep 15, 2009 at 4:46 PM,   wrote:
> >
> > so... this thread has a couple of really interesting characteristics.
> > a couple are worth mentioning more directly (they have been alluded to 
> > elsewhere)...
> 
> as always, despite your choice in floral patterned shirts :) good
> comments/questions.

humph... at least I wear pants.

> >
> >        Who gets to define "bad" - other than a blacklist operator?
> >        Are there common, consistent definitions of "contamination"?
> 
> nope, each BL (as near as I can tell) has their own criteria (with

trick question... each ISP gets to define good/bad on their
own merits or can outsource it to third parties.


> 1) newly allocated from IANA netblocks show up to end customers and
> reachability problems ensue. (route-filters and/or firewall filters)
> 
> 2) newly re-allocated netblocks show up with RBL baggage (rbls and
> smtp blocks at the application layer)

you forgot #3 ... a "clean" IANA block that was "borrowed"
for a while .. and already shows up in some filter lists.


> > So - I suspect that in the end, a registry (ARIN) or an ISP (COMCAST) is only
> > going to be able to tell you a few things about the prefix you have been handed.
> >
> >        a) it's virginal - never been used (that we know of)
> >        b) it's been used once.
> >        c) it has a checkered past
> 
> I actually don't think it's a help for ARIN to say anything here,
> since they can never know all the RBL's and history for a netblock,
> and they can't help in the virginal case since they don't run
> network-wide filters.

not RBL specific ...  

a) this block came directly from IANA and has never been previously allocated
   in/through the IANA/RIR process
b) this block has had one registered steward in recorded history
c) this block has been in/out of the RIR/registry system more than once.

> A FAQ that says some of the above with some pointers to testing
> harnesses to use may be useful. Some tools for network operators to
> use in updating things in a timely fashion may be useful.
> Better/wider/louder notification 'services' for new block allocations
> from IANA -> RIR's may be useful.

indeed - I'd like to see the suite extended to the ISPs as well, esp
if such tricks will be used in v6land...

> last announced APNIC block yahtzee.  Where else is this data
> available? In a form that your avg enterprise network op may notice?

oh... I'd suggest some of the security lists might be a good
channel.

> > and it will be up to the recipient to trust/accept the resource for what it
> > currently is or choose to reject it and find solace elsewhere.
> 
> 'solace elsewhere'... dude there is no 'elsewhere'.

and yet... Jimmy and Warren Buffet will tell you it's always 1700 somewhere
and if that doesn't work,  whip out the NAT and reuse 10.0.0.0 -again- :)


> 
> -Chris
> (and yes, I'm yanking your chain about the shirts...)
> 
> > --bill
> >
> >
> > On Tue, Sep 15, 2009 at 04:31:04PM -0400, Christopher Morrow wrote:
> >> On Tue, Sep 15, 2009 at 4:23 PM,   wrote:
> >> > On Tue, 15 Sep 2009 08:01:48 PDT, Shawn Somers said:
> >> >
> >> >>   Anyone that intentionally uses address space in a manner that they
> >> >> know will cause it to become contaminated should be denied on any
> >> >> further address space requests.
> >> >
> >> > You *do* realize that the people you're directing that paragraph at are
> >> > able to say with a totally straight face: "We're doing nothing wrong and
> >> > we have *no* idea why we end up in so many local block lists"?
> >>
> >> Also, you can very well disable new allocations to Spammer-Bob, did
> >> you also know his friend Sue is asking now for space? Sue is very
> >> nice, she even has cookies... oh damn after we allocated to her we
> >> found out she's spamming :(
> >>
> >> Spammers have a lot of variables to change in this equation, RIR's
> >> dont always have the ability to see all of the variables, nor
> >> correlate all of the changes they see :(
> >>
> >> -Chris
> >>
> >



Re: Repeated Blacklisting / IP reputation

2009-09-15 Thread Christopher Morrow
On Tue, Sep 15, 2009 at 4:46 PM,   wrote:
>
> so... this thread has a couple of really interesting characteristics.
> a couple are worth mentioning more directly (they have been alluded to 
> elsewhere)...

as always, despite your choice in floral patterned shirts :) good
comments/questions.

>
>        Who gets to define "bad" - other than a blacklist operator?
>        Are there common, consistent definitions of "contamination"?
>

nope, each BL (as near as I can tell) has their own criteria (with
some overlaps to be certain) and they all have their own set of rules
that they either break at-will or change when it suits them. Their
incentives are not aligned with actually getting the problem resolved,
sadly... and they really don't have any power to resolve problems
anyway.

>        If these are social/political - recognise that while the ARIN
>        region is fairly consistent in its general use and interpretation
>        of law, there are known variants - based on sovereign region.

Yup, you don't like my business how about I move to the caymans where
it's no longer illegal? :( The Internet brings with it some
interesting judicial/jurisdictional baggage.

> this whole debate/discussion seems based on the premise that there are well
> known, consistent, legally defendable choices for defining offensive behaviours.
> and pretty much all of history shows us this is not the case.

There are really two discussions, I think somewhere along the path
they were conflated:

1) newly allocated from IANA netblocks show up to end customers and
reachability problems ensue. (route-filters and/or firewall filters)

2) newly re-allocated netblocks show up with RBL baggage (rbls and
smtp blocks at the application layer)

For #1 there was some work (rbush and prior to that Jon Lewis
69block.org?) showing that folks 'never' alter their 'bogon route
filters' or 'bogon access-list entries'.

For #2 ARIN may have a solution in place, if it were more publicly
known (rss feed of allocations, care of RS and marty hannigan
pointers) that RBL operators could use to clean out entries in their
lists providing a better service to their 'users' even, perish the
thought!
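Both problems above come down to a prefix list that was correct when it was written and was never reconciled against later allocations: a bogon ACL that still denies a block IANA has since handed out, or an RBL's listed ranges that a "feed of allocations" could be used to clean. The script below is an added example of that reconciliation, written for this note rather than taken from the thread or from any ARIN tool; the deny list and the allocation feed are constructed samples built from the RFC 5737 documentation ranges, so it makes no claim about the status of any real block. Given a deny list and a feed of allocated prefixes, it reports the rules that now overlap allocated space, the rules that are still fine, and whether a given address is a host the stale filter wrongly keeps unreachable.

```python
from ipaddress import ip_network

# Constructed sample: a bogon deny list as it might have been pasted into a
# router ACL or firewall years ago. The RFC 5737 documentation ranges stand in
# for real prefixes, so nothing here asserts the status of any live block.
STALE_DENY_LIST = [
    "192.0.2.0/24",
    "198.51.100.0/24",
    "203.0.113.0/24",
]

# Constructed sample: an allocation feed (the kind of "rss feed of allocations"
# the post refers to) saying two of those ranges have since been handed out.
ALLOCATION_FEED = [
    {"prefix": "198.51.100.0/22", "allocated": "2009-09-01"},
    {"prefix": "203.0.113.128/25", "allocated": "2009-09-10"},
]


def stale_entries(deny_list, feed):
    """Return (deny_rule, allocated_prefix) pairs where a deny rule overlaps a
    prefix the feed reports as allocated. Every pair is a rule that now blocks
    legitimate address space and needs to be removed or narrowed."""
    hits = []
    for rule in deny_list:
        net = ip_network(rule)
        for item in feed:
            alloc = ip_network(item["prefix"])
            if net.overlaps(alloc):
                hits.append((str(net), str(alloc)))
    return hits


def remaining_entries(deny_list, feed):
    """Deny rules with no overlap against the feed; these can stay as they are."""
    flagged = {rule for rule, _ in stale_entries(deny_list, feed)}
    return [rule for rule in deny_list if rule not in flagged]


def wrongly_denied(deny_list, feed, address):
    """True when `address` falls inside a deny rule AND inside an allocated
    prefix, i.e. it is a real host the stale filter keeps unreachable."""
    addr = ip_network(address)  # a bare address becomes a /32 network
    denied = any(addr.subnet_of(ip_network(r)) for r in deny_list)
    allocated = any(addr.subnet_of(ip_network(i["prefix"])) for i in feed)
    return denied and allocated


if __name__ == "__main__":
    for rule, alloc in stale_entries(STALE_DENY_LIST, ALLOCATION_FEED):
        print(f"stale: {rule} overlaps allocation {alloc}")
    for rule in remaining_entries(STALE_DENY_LIST, ALLOCATION_FEED):
        print(f"ok:    {rule}")
    print(wrongly_denied(STALE_DENY_LIST, ALLOCATION_FEED, "203.0.113.200"))
```

The overlap test is deliberately symmetric: a /24 deny rule inside a newly allocated /22 is flagged just as a deny rule that merely contains a freshly allocated /25 is, because either way some reachable address space is being dropped. The same function works unchanged for an RBL operator holding listed ranges instead of a router ACL.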

>        (is or is not a mother nursing her child in public pornographic?)

or SI Swimsuit edition depending on the part of the world you are in,
yes, or even YouTube videos, weee!

> So - I suspect that in the end, a registry (ARIN) or an ISP (COMCAST) is only
> going to be able to tell you a few things about the prefix you have been handed.
>
>        a) it's virginal - never been used (that we know of)
>        b) it's been used once.
>        c) it has a checkered past

I actually don't think it's a help for ARIN to say anything here,
since they can never know all the RBL's and history for a netblock,
and they can't help in the virginal case since they don't run
network-wide filters.

A FAQ that says some of the above with some pointers to testing
harnesses to use may be useful. Some tools for network operators to
use in updating things in a timely fashion may be useful.
Better/wider/louder notification 'services' for new block allocations
from IANA -> RIR's may be useful.

Not everyone who runs a router reads their local 'nog' list... Leo
Vegoda does a great job telling us about RIPE allocations, someone does
the same for ARIN (drc maybe??) and I'm not certain I recall who's
last announced APNIC block yahtzee.  Where else is this data
available? In a form that your avg enterprise network op may notice?

> and it will be up to the recipient to trust/accept the resource for what it
> currently is or choose to reject it and find solace elsewhere.
>

'solace elsewhere'... dude there is no 'elsewhere'.

-Chris
(and yes, I'm yanking your chain about the shirts...)

> --bill
>
>
> On Tue, Sep 15, 2009 at 04:31:04PM -0400, Christopher Morrow wrote:
>> On Tue, Sep 15, 2009 at 4:23 PM,   wrote:
>> > On Tue, 15 Sep 2009 08:01:48 PDT, Shawn Somers said:
>> >
>> >>   Anyone that intentionally uses address space in a manner that they
>> >> know will cause it to become contaminated should be denied on any
>> >> further address space requests.
>> >
>> > You *do* realize that the people you're directing that paragraph at are
>> > able to say with a totally straight face: "We're doing nothing wrong and
>> > we have *no* idea why we end up in so many local block lists"?
>>
>> Also, you can very well disable new allocations to Spammer-Bob, did
>> you also know his friend Sue is asking now for space? Sue is very
>> nice, she even has cookies... oh damn after we allocated to her we
>> found out she's spamming :(
>>
>> Spammers have a lot of variables to change in this equation, RIR's
>> dont always have the ability to see all of the variables, nor
>> correlate all of the changes they see :(
>>
>> -Chris
>>
>



Re: Repeated Blacklisting / IP reputation

2009-09-15 Thread Christopher Morrow
On Tue, Sep 15, 2009 at 5:31 PM, Zaid Ali  wrote:
> I think costs of maintaining an abuse helpdesk is a big factor here. I don't
> see many ISP's putting money and resources into an abuse helpdesk and this
> is because it is low cost to obtain a Netblock so why should one employ and

have you ever had to re-number a customer, several customers, a
hundred?? 'getting a new netblock is low cost' is hardly an accurate
statement, especially if you keep in mind that you have to justify the
usage of old netblocks in order to obtain the new one.

> build expertise on managing it. If you go to SpamHaus you will see a major
> ISP and their netblocks listed and associated with known spammers. What is
> this ISP doing about this? Nothing!  My guess is that they look at their

'nothing' that you can see? or nothing? or something you can't see or
that's taking longer than you'd expect/like? There certainly are bad
actors out there, but I think the majority are doing things to keep
clean, perhaps not in the manner you would like (or the speed you
would like or with as much public information as you'd like).

From the outside most ISP operations look quite opaque, proclaiming
'Nothing is being done' simply looks uneducated and shortsighted.

> bottom $$ and look at Spamming customer A and say "crap we will be spending
> $$$ on this customer just to get them off SpamHaus so just leave it, we are
> after all in the bandwidth business". If ARIN were to say to this major ISP
> that they won't allocate more addresses to them until they adhere to an AUP
> then maybe the game will change but the bigger question here is should ARIN
> get into this kind of policy.

doubtful that: 1) arin would say this (not want to be net police), 2)
isp's couldn't show (for the vast majority of isps) that they are in
fact upholding their AUP.

-chris

> On Sep 15, 2009, at 1:31 PM, Christopher Morrow wrote:
>
>> On Tue, Sep 15, 2009 at 4:23 PM,   wrote:
>>>
>>> On Tue, 15 Sep 2009 08:01:48 PDT, Shawn Somers said:
>>>
>>>>   Anyone that intentionally uses address space in a manner that they
>>>> know will cause it to become contaminated should be denied on any
>>>> further address space requests.
>>>
>>> You *do* realize that the people you're directing that paragraph at are
>>> able to say with a totally straight face: "We're doing nothing wrong and
>>> we have *no* idea why we end up in so many local block lists"?
>>
>> Also, you can very well disable new allocations to Spammer-Bob, did
>> you also know his friend Sue is asking now for space? Sue is very
>> nice, she even has cookies... oh damn after we allocated to her we
>> found out she's spamming :(
>>
>> Spammers have a lot of variables to change in this equation, RIR's
>> dont always have the ability to see all of the variables, nor
>> correlate all of the changes they see :(
>>
>> -Chris
>>
>
>



on naming conventions (was: Re: Repeated Blacklisting / IP reputation)

2009-09-15 Thread Steven Champeon
on Tue, Sep 08, 2009 at 09:57:58AM -0500, Tom Pipes wrote:
> [...] We have done our best to ensure these blocks conform to RFC
> standards, including the proper use of reverse DNS pointers.

Sorry to jump in so late, been catching up from vacation. I'm checking
out the PTRs for the /18 you mention, and I see that you've used a few
different naming conventions, some of which are friendly to those who
block on dot-separated substrings, some of which are confusing, and some
of which are custom to specific clients. If I could speak on behalf of
the tens of thousands of mail admins out there for a minute, I'd ask
that instead of (e.g.)

  69.197.115.62: 69-197-115-62-dynamic.t6b.com

you instead use a dot to separate the 'dynamic' from the generated
IP-based hostname part, a la

  69.197.115.62: 69-197-115-62.dynamic.t6b.com

This allows admins of most FOSS MTAs to simply deny traffic from all
of those hosts on the grounds that they are dynamically assigned, for
example in sendmail's access.db:

Connect:dynamic.t6b.com ERROR:5.7.1:"550 Go away, dynamic user."

If you choose not to, it doesn't bother me; I've got a rather extensive
set of regular expressions that can handle those naming conventions, but
the rest of the mail admins may find it more friendly were you to do so.

Additionally, it may also be useful to indicate what sort of access is
being provided, so for dialups you might want to do

  69.197.115.62: 69-197-115-62.dialup.dynamic.t6b.com

(Note: not 'dynamic.dialup.t6b.com', most people care more about whether
a host is dynamic at least in the context of antispam operations).

I also note that the vast majority of the /18 simply lacks PTRs at all;
you also mix statics and dynamics (though on different /24s, eg
69.197.106, 69.197.107, 69.197.108 seem static where 69.197.110,
69.197.111, and 69.197.115 do not, with more statics seen in 69.197.117
and 69.197.118 ff.) and don't seem to SWIP the statics or indicate in
whois which are dynamic pools. All of these are likely to result in
unfunny errors by DNSBL operators if they decide that you're serious and
the whole /18 is dynamic based on a preponderance of hosts in some /24s
with dynamic-appearing names AND a lack of evidence otherwise in the
whois record.

Of course, if you follow MAAWG's port 25 blocking BCP, it's moot as
far as the dynamics go.

Ultimately, you'd want to make sure any static customer intending to
provide mail services have their own custom PTR(s) for those hosts,
in their domains (not yours). 

HTH,
Steve

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2553 w: http://hesketh.com/
antispam news and intelligence to help you stop spam: http://enemieslist.com/
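The practical difference between the two naming conventions is that a sendmail access.db `Connect:` key is matched against the connecting hostname and then each of its parent domains, so `dynamic.t6b.com` catches `69-197-115-62.dynamic.t6b.com` but never `69-197-115-62-dynamic.t6b.com`, whose first label is the whole generated string. The script below is an added example written for this note, not Steve's regular-expression set or any part of the thread. It emulates that parent-domain walk, adds a regex fallback for the hyphen-joined form (the keyword list `dynamic|dyn|dhcp|dialup|ppp` and the constructed static host `mail.customer-example.test` are assumptions), and checks that the octets embedded in a generic name really are the connecting address before trusting them.

```python
import re

# Constructed sample reverse-DNS data. The two 69.197.115.62-style forms are
# the naming conventions discussed in the post; the other entries are invented
# here to exercise the remaining cases.
SAMPLE_PTRS = {
    "69.197.115.62": "69-197-115-62-dynamic.t6b.com",         # hyphen-joined form
    "69.197.115.63": "69-197-115-63.dynamic.t6b.com",         # dot-separated form
    "69.197.115.64": "69-197-115-64.dialup.dynamic.t6b.com",  # access type added
    "69.197.106.10": "mail.customer-example.test",            # constructed static host
}

# Emulates the sendmail access.db entry from the post: the key is a domain,
# the value is the action sendmail returns for a connecting host under it.
ACCESS_DB = {
    "dynamic.t6b.com": 'ERROR:5.7.1:"550 Go away, dynamic user."',
}

# Fallback for hyphen-joined conventions that a suffix lookup cannot see:
# four octets in forward order, then a label carrying a dynamic-type keyword.
# The keyword list is an assumption for this example.
DYNAMIC_RE = re.compile(
    r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})[-.]"
    r"(?:[a-z0-9-]*\.)*(?:dynamic|dyn|dhcp|dialup|ppp)\b",
    re.IGNORECASE,
)


def access_db_lookup(hostname, access_db):
    """Look up the hostname, then each parent domain, the way sendmail walks
    Connect: keys; return (matched_key, action) or None."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        key = ".".join(labels[i:])
        if key in access_db:
            return key, access_db[key]
    return None


def regex_dynamic(hostname, ip):
    """True when the name matches the hyphen-joined pattern AND the embedded
    octets are the connecting IP, so a name that encodes some other address
    is not taken at face value."""
    m = DYNAMIC_RE.match(hostname)
    return bool(m) and ".".join(m.groups()) == ip


def classify(ip, hostname, access_db=ACCESS_DB):
    """Return ("reject", reason) or ("accept", None) for one connecting host."""
    hit = access_db_lookup(hostname, access_db)
    if hit:
        return "reject", "access.db:" + hit[0]
    if regex_dynamic(hostname, ip):
        return "reject", "regex"
    return "accept", None


def audit(ptrs, access_db=ACCESS_DB):
    """Classify every (ip, ptr) pair; shows which names the cheap suffix
    lookup catches and which need the regex fallback."""
    return {ip: classify(ip, name, access_db) for ip, name in ptrs.items()}


if __name__ == "__main__":
    for ip, (verdict, reason) in audit(SAMPLE_PTRS).items():
        print(f"{ip:15} {SAMPLE_PTRS[ip]:40} {verdict} {reason or ''}")
```

Running it shows the point of the post directly: the dot-separated and `dialup.dynamic` names are rejected by the one-line access.db rule, while the hyphen-joined name only falls to the regex, which every other mail admin would have to write and maintain themselves.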



Re: Repeated Blacklisting / IP reputation

2009-09-15 Thread Zaid Ali
I think costs of maintaining an abuse helpdesk is a big factor here. I  
don't see many ISP's putting money and resources into an abuse  
helpdesk and this is because it is low cost to obtain a Netblock so  
why should one employ and build expertise on managing it. If you go to  
SpamHaus you will see a major ISP and their netblocks listed and  
associated with known spammers. What is this ISP doing about this?  
Nothing!  My guess is that they look at their bottom $$ and look at  
Spamming customer A and say "crap we will be spending $$$ on this  
customer just to get them off SpamHaus so just leave it, we are  
after all in the bandwidth business". If ARIN were to say to this major  
ISP that they won't allocate more addresses to them until they adhere  
to an AUP then maybe the game will change but the bigger question here  
is should ARIN get into this kind of policy.


Zaid


On Sep 15, 2009, at 1:31 PM, Christopher Morrow wrote:

> On Tue, Sep 15, 2009 at 4:23 PM,   wrote:
>
>> On Tue, 15 Sep 2009 08:01:48 PDT, Shawn Somers said:
>>
>>>   Anyone that intentionally uses address space in a manner that they
>>> know will cause it to become contaminated should be denied on any
>>> further address space requests.
>>
>> You *do* realize that the people you're directing that paragraph at are
>> able to say with a totally straight face: "We're doing nothing wrong and
>> we have *no* idea why we end up in so many local block lists"?
>
> Also, you can very well disable new allocations to Spammer-Bob, did
> you also know his friend Sue is asking now for space? Sue is very
> nice, she even has cookies... oh damn after we allocated to her we
> found out she's spamming :(
>
> Spammers have a lot of variables to change in this equation, RIR's
> dont always have the ability to see all of the variables, nor
> correlate all of the changes they see :(
>
> -Chris






Re: Repeated Blacklisting / IP reputation

2009-09-15 Thread Brandon Lehmann

I believe there is another side to that argument as well.

If I operate a regional ISP and request address space for dynamic  
address pools I am aware of a few things:


1) I am fully aware that there is a chance a customer's system could  
become infected and generate millions of malicious messages/packets/ 
traffic.
2) I am also aware that it is possible that that one machine could  
have any number of IP addresses during the course of the week;  
therefore, it would be possible that they could 'contaminate' an  
entire /24
3) I know that if I'm made aware of the zombified machine that I'll  
disable access to the customer quickly; however, the damage has  
usually already been done.
4) Do I actually care if one of my dynamic address blocks are in a  
DNSBL? Not at all. They should be using my mail server anyways.


Should I have to go through and make sure that every single IP  
address/block is 'clean' before returning the allocation to ARIN? I  
can say with utmost confidence "I don't care" because I no longer  
need them. If my ability to receive new allocations required that I  
clean up a dynamic address block before receiving a new one I would  
take better care of my blocks; however, it may be cheaper just to  
keep the old block (null route it) and ask for another one.


The question becomes: Where do you draw the 'contamination' line? A  
network may be using a block well within what we would consider  
'reasonable' usage; however, the block may become 'unusable' for  
certain purposes. Should they too be denied further address space? If  
that's the case every broadband provider out there should be cut off  
because their customers keep getting infected and are used to DDOS/ 
SPAM/Exploit our networks.


What I'm trying to say in a long-winded and round about way is simple  
--- The contamination doesn't always happen 'on purpose' or with any  
foresight and it may not be an entire block that is bad. Everyone is  
guilty at some point of having a few 'dirty' IPs on their network...  
and I'm sure all of us have left many dirty because god only knows  
where all it is blocked.





On Sep 15, 2009, at 4:23 PM, valdis.kletni...@vt.edu wrote:

> On Tue, 15 Sep 2009 08:01:48 PDT, Shawn Somers said:
>
>>   Anyone that intentionally uses address space in a manner that they
>> know will cause it to become contaminated should be denied on any
>> further address space requests.
>
> You *do* realize that the people you're directing that paragraph at are
> able to say with a totally straight face: "We're doing nothing wrong and
> we have *no* idea why we end up in so many local block lists"?




Re: Repeated Blacklisting / IP reputation

2009-09-15 Thread bmanning
 
so... this thread has a couple of really interesting characteristics.
a couple are worth mentioning more directly (they have been alluded to 
elsewhere)...

Who gets to define "bad" - other than a blacklist operator?
Are there common, consistent definitions of "contamination"?

If these are social/political - recognise that while the ARIN
region is fairly consistent in its general use and interpretation
of law, there are known variants - based on sovereign region.

this whole debate/discussion seems based on the premise that there are well
known, consistent, legally defendable choices for defining offensive behaviours.
and pretty much all of history shows us this is not the case.

(is or is not a mother nursing her child in public pornographic?)

So - I suspect that in the end, a registry (ARIN) or an ISP (COMCAST) is only
going to be able to tell you a few things about the prefix you have been handed.

a) it's virginal - never been used (that we know of)
b) it's been used once.
c) it has a checkered past

and it will be up to the recipient to trust/accept the resource for what it
currently is or choose to reject it and find solace elsewhere.

--bill


On Tue, Sep 15, 2009 at 04:31:04PM -0400, Christopher Morrow wrote:
> On Tue, Sep 15, 2009 at 4:23 PM,   wrote:
> > On Tue, 15 Sep 2009 08:01:48 PDT, Shawn Somers said:
> >
> >>   Anyone that intentionally uses address space in a manner that they
> >> know will cause it to become contaminated should be denied on any
> >> further address space requests.
> >
> > You *do* realize that the people you're directing that paragraph at are
> > able to say with a totally straight face: "We're doing nothing wrong and
> > we have *no* idea why we end up in so many local block lists"?
> 
> Also, you can very well disable new allocations to Spammer-Bob, did
> you also know his friend Sue is asking now for space? Sue is very
> nice, she even has cookies... oh damn after we allocated to her we
> found out she's spamming :(
> 
> Spammers have a lot of variables to change in this equation, RIRs
> don't always have the ability to see all of the variables, nor
> correlate all of the changes they see :(
> 
> -Chris
> 



Re: Repeated Blacklisting / IP reputation

2009-09-15 Thread Christopher Morrow
On Tue, Sep 15, 2009 at 4:23 PM,   wrote:
> On Tue, 15 Sep 2009 08:01:48 PDT, Shawn Somers said:
>
>>   Anyone that intentionally uses address space in a manner that they
>> know will cause it to become contaminated should be denied on any
>> further address space requests.
>
> You *do* realize that the people you're directing that paragraph at are
> able to say with a totally straight face: "We're doing nothing wrong and
> we have *no* idea why we end up in so many local block lists"?

Also, you can very well disable new allocations to Spammer-Bob, did
you also know his friend Sue is asking now for space? Sue is very
nice, she even has cookies... oh damn after we allocated to her we
found out she's spamming :(

Spammers have a lot of variables to change in this equation, RIRs
don't always have the ability to see all of the variables, nor
correlate all of the changes they see :(

-Chris



Re: Repeated Blacklisting / IP reputation

2009-09-15 Thread Valdis . Kletnieks
On Tue, 15 Sep 2009 08:01:48 PDT, Shawn Somers said:

>   Anyone that intentionally uses address space in a manner that they 
> know will cause it to become contaminated should be denied on any 
> further address space requests.

You *do* realize that the people you're directing that paragraph at are
able to say with a totally straight face: "We're doing nothing wrong and
we have *no* idea why we end up in so many local block lists"?




RE: Repeated Blacklisting / IP reputation

2009-09-15 Thread Aaron Wendel
The mailing sent daily contains both.




-Original Message-
From: Justin Shore [mailto:jus...@justinshore.com] 
Sent: Tuesday, September 15, 2009 11:18 AM
To: Martin Hannigan
Cc: NANOG list
Subject: Re: Repeated Blacklisting / IP reputation

Martin Hannigan wrote:
> 
> Well, I haven't even had coffee yet and...
> 
> Get the removals:
> 
> curl -ls 
> http://lists.arin.net/pipermail/arin-issued/2009-September/000270.html | 
> grep Remove | grep -v ""
> 
> Get the additions:
> 
> mahannig$ curl -ls 
> http://lists.arin.net/pipermail/arin-issued/2009-September/000270.html | 
> grep Add | grep -v ""

That appears to be it.  I've also been told that there is an RSS feed of 
the same thing.  My understanding is that a posting is made to the 
mailing list or RSS feed when a new subnet is assigned.  I'd like to see 
them do something when the assignment is first returned to ARIN, not 
months later when the assignment is ready to be handed out again.  I 
think the extra time would help those people that download copies of the 
DNSBL zone files and manually import them once a week or less often.

Lots of places still use the zone files.  Personally I prefer to do so 
too, rather than tie my mail system's reliability to an outside source 
that may or may not tell me when they have problems that affect my 
service.  GoDaddy and their hosted mail service would be a great example 
since they can't be bothered to update their DNSBL zone files.  Their 
mail admins are using a copy of SORBS that is 3 years old.  3 damn years 
old.  How do I know this?  3 years ago a mistake in a Squid 
configuration turned one of my services into an open proxy for about a 
week.  Even today mail from that server to a domain with mail hosted at 
GoDaddy results in a bounce citing the ancient SORBS listing as the reason.

Thanks for the pointer.  Looks like they've already thought of what I 
suggested and implemented a solution.  I still vote for announcing 
returned assignments instead of announcing when an old assignment gets 
reassigned.

Thanks
  Justin






Re: Repeated Blacklisting / IP reputation

2009-09-15 Thread Justin Shore

Martin Hannigan wrote:

> Well, I haven't even had coffee yet and...
>
> Get the removals:
>
> curl -ls 
> http://lists.arin.net/pipermail/arin-issued/2009-September/000270.html | 
> grep Remove | grep -v ""
>
> Get the additions:
>
> mahannig$ curl -ls 
> http://lists.arin.net/pipermail/arin-issued/2009-September/000270.html | 
> grep Add | grep -v ""


That appears to be it.  I've also been told that there is an RSS feed of 
the same thing.  My understanding is that a posting is made to the 
mailing list or RSS feed when a new subnet is assigned.  I'd like to see 
them do something when the assignment is first returned to ARIN, not 
months later when the assignment is ready to be handed out again.  I 
think the extra time would help those people that download copies of the 
DNSBL zone files and manually import them once a week or less often.


Lots of places still use the zone files.  Personally I prefer to do so 
too, rather than tie my mail system's reliability to an outside source 
that may or may not tell me when they have problems that affect my 
service.  GoDaddy and their hosted mail service would be a great example 
since they can't be bothered to update their DNSBL zone files.  Their 
mail admins are using a copy of SORBS that is 3 years old.  3 damn years 
old.  How do I know this?  3 years ago a mistake in a Squid 
configuration turned one of my services into an open proxy for about a 
week.  Even today mail from that server to a domain with mail hosted at 
GoDaddy results in a bounce citing the ancient SORBS listing as the reason.


Thanks for the pointer.  Looks like they've already thought of what I 
suggested and implemented a solution.  I still vote for announcing 
returned assignments instead of announcing when an old assignment gets 
reassigned.


Thanks
 Justin




Re: Repeated Blacklisting / IP reputation

2009-09-15 Thread Joe Greco
> I'd be more than happy to see this, with the added caveat that anyone 
> that returned address space to ARIN that was subsequently marked as 
> 'contaminated', should undergo a review process when attempting to 
> obtain new address space. Charge them for the review process
> 
>   Anyone that intentionally uses address space in a manner that they 
> know will cause it to become contaminated should be denied on any 
> further address space requests.
> 
> Another option, is to hit them where it matters. Assign fines and fees 
> for churning address space and returning it as contaminated. Set the 
> fees on a sliding scale based on the amount of contamination and churn. 
> the more contamination, the higher the fee.

It would be problematic in some dimensions, but it seems that perhaps
allowing them to return space in exchange for a larger block is part of
the problem, and maybe part of the answer would be to make them retain
the block and only allocate an additional block.  Route table growth and
all that, of course.  An alternative could be to delegate them a larger
"contaminated" block and allow them to incur the expense of cleaning it
up(*).


* And I say that kind of tongue-in-cheek, since I don't really believe it
  to be easy to clean up a block once it is contaminated, due to the sheer
  number of local blocks, etc., which may exist.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



RE: Repeated Blacklisting / IP reputation

2009-09-15 Thread Shawn Somers
I'd be more than happy to see this, with the added caveat that anyone 
that returned address space to ARIN that was subsequently marked as 
'contaminated', should undergo a review process when attempting to 
obtain new address space. Charge them for the review process.


 Anyone that intentionally uses address space in a manner that they 
know will cause it to become contaminated should be denied on any 
further address space requests.



Another option, is to hit them where it matters. Assign fines and fees 
for churning address space and returning it as contaminated. Set the 
fees on a sliding scale based on the amount of contamination and churn. 
the more contamination, the higher the fee.


Shawn Somers

Michiel Klaver wrote:

Date: Tue, 15 Sep 2009 11:57:58 +0200
From: Michiel Klaver
Subject: RE: Repeated Blacklisting / IP reputation, replaced by
registered use
To: "Azinger, Marla", John Curran, "nanog@nanog.org"

I think ARIN is no party to contact all RBLs and do any cleanup of 
'contaminated' address space. The only steps ARIN might do are:


- When requesting address space, one should be able to indicate whether 
receiving previously used address space would be unwanted or not.


- When assigning address space, ARIN should notify receivers if it's 
re-used or virgin address space.


- When address space got returned to ARIN and there is evidence of 
abuse, they have to mark that address space as 'contaminated' and only 
re-assign that space to new end-users who have indicated to have no 
problem with that.




With kind regards,

Michiel Klaver
IT Professional





Re: Repeated Blacklisting / IP reputation

2009-09-15 Thread Martin Hannigan
Well, I haven't even had coffee yet and...

Get the removals:

curl -ls
http://lists.arin.net/pipermail/arin-issued/2009-September/000270.html |
grep Remove | grep -v ""

Get the additions:

mahannig$ curl -ls
http://lists.arin.net/pipermail/arin-issued/2009-September/000270.html |
grep Add | grep -v ""


I'm sure someone else could write something far more elegant, but elegance
isn't always required. :-)

Best,

Marty


On Mon, Sep 14, 2009 at 10:21 PM, Martin Hannigan
wrote:

>
>
> On Mon, Sep 14, 2009 at 2:58 PM, Justin Shore wrote:
>
>> Frank Bulk wrote:
>>
>>> With scarcity of IPv4 addresses, organizations are more desperate than
>>> ever
>>> to receive an allocation.  If anything, there's more of a disincentive
>>> than
>>> ever before for ARIN to spend time on netblock sanitization.
>>>
>>> I do think that ARIN should inform the new netblock owner if it was
>>> previously owned or not.  But if ARIN tried to start cleaning up a
>>> netblock
>>> before releasing it, there would be no end to it.  How could they check
>>> against the probably hundreds of thousands private blocklist?
>>>
>>
>> They could implement a process by which they announce to a mailing list of
>> DNSBL providers that a given assignment has been returned to the RIR and
>> that it should be cleansed from all DNSBLs.
>>
>
>
> You mean like this?
>
> http://lists.arin.net/pipermail/arin-issued/2009-September/000270.html
>
>
>
> -M<
>
>
>



-- 
Martin Hannigan   mar...@theicelandguy.com
p: +16178216079
Power, Network, and Costs Consulting for Iceland Datacenters and Occupants


RE: Repeated Blacklisting / IP reputation, replaced by registered use

2009-09-15 Thread Michiel Klaver
I think ARIN is no party to contact all RBLs and do any cleanup of 
'contaminated' address space. The only steps ARIN might do are:


- When requesting address space, one should be able to indicate whether 
receiving previously used address space would be unwanted or not.


- When assigning address space, ARIN should notify receivers if it's 
re-used or virgin address space.


- When address space got returned to ARIN and there is evidence of 
abuse, they have to mark that address space as 'contaminated' and only 
re-assign that space to new end-users who have indicated to have no 
problem with that.




With kind regards,

Michiel Klaver
IT Professional



Re: Repeated Blacklisting / IP reputation

2009-09-14 Thread Martin Hannigan
On Mon, Sep 14, 2009 at 2:58 PM, Justin Shore wrote:

> Frank Bulk wrote:
>
>> With scarcity of IPv4 addresses, organizations are more desperate than
>> ever
>> to receive an allocation.  If anything, there's more of a disincentive
>> than
>> ever before for ARIN to spend time on netblock sanitization.
>>
>> I do think that ARIN should inform the new netblock owner if it was
>> previously owned or not.  But if ARIN tried to start cleaning up a
>> netblock
>> before releasing it, there would be no end to it.  How could they check
>> against the probably hundreds of thousands private blocklist?
>>
>
> They could implement a process by which they announce to a mailing list of
> DNSBL providers that a given assignment has been returned to the RIR and
> that it should be cleansed from all DNSBLs.
>


You mean like this?

http://lists.arin.net/pipermail/arin-issued/2009-September/000270.html



-M<


Re: Repeated Blacklisting / IP reputation

2009-09-14 Thread Justin Shore

Frank Bulk wrote:

> With scarcity of IPv4 addresses, organizations are more desperate than ever
> to receive an allocation.  If anything, there's more of a disincentive than
> ever before for ARIN to spend time on netblock sanitization.
>
> I do think that ARIN should inform the new netblock owner if it was
> previously owned or not.  But if ARIN tried to start cleaning up a netblock
> before releasing it, there would be no end to it.  How could they check
> against the probably hundreds of thousands private blocklist?


They could implement a process by which they announce to a mailing list 
of DNSBL providers that a given assignment has been returned to the RIR 
and that it should be cleansed from all DNSBLs.  At this point the RIR 
has done their due diligence for notifying the blacklist community of 
the change and the onus is on the DNSBL maintainers to update their 
records.  Of course this does nothing to cleanse the assignment in the 
hundreds of thousands of MTAs around the world.  However this could be a 
good reason to not blacklist locally (or indefinitely at least) and to 
instead rely on a DNSBL maintained by people responsible for wiping 
returned assignments from their records when RIRs give the word.  I 
suppose the mailing list could even be expanded to include mailing list 
admins if need be so that they could also receive the info and wipe 
their own internal DNSBLs.


The list should be an announcement-only list with only the RIRs being 
able to post to it in a common and defined format.  The announcement 
should be made as soon as the assignment is returned to the RIR, 
allowing for the cool off period of time for personal blacklists to 
catch up to the official ones.


I would think that would be a fairly simple process to implement.  It's 
not fool-proof by any means but it's better than doing nothing.  It's a 
thought.


Justin
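The purge Justin describes above, and the Add/Remove grep in Martin's curl one-liner earlier in the thread, as an added example (not code from any poster, and not tied to the real arin-issued message layout, which is assumed here): it parses a constructed Add/Remove announcement, drops local blocklist entries that fall inside a returned prefix, flags entries wider than the returned block for manual review instead of silently shrinking them, and checks a newly issued block against what the local zone still lists. The announcement wording, the zone line format and every prefix (RFC 5737 documentation ranges) are constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Entry = Tuple[Net, str]

# Constructed sample announcement: the Add/Remove wording is what Martin's
# grep keys on; the real arin-issued message layout is not reproduced here.
SAMPLE_ANNOUNCEMENT = """\
Issued / returned report (constructed sample)
Remove: 192.0.2.0/24
Remove: 198.51.100.0/24
Add: 203.0.113.0/24
"""

# Constructed local blocklist, one "prefix reason" per line. This stands in
# for a locally maintained DNSBL zone; the line format is assumed, not rbldnsd's.
SAMPLE_ZONE = """\
# local entries
192.0.2.0/24 open proxy seen 2006-04
192.0.2.77 dictionary attacks 2007-01
198.51.100.0/23 spammer-owned range
203.0.113.5 bounce storm 2008-11
"""

LINE_RE = re.compile(r"^(Add|Remove):\s*(\S+)$", re.IGNORECASE)


def parse_announcement(text: str) -> Dict[str, List[Net]]:
    """Split an announcement into reissued ("add") and returned ("remove") prefixes."""
    out: Dict[str, List[Net]] = {"add": [], "remove": []}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out[m.group(1).lower()].append(ipaddress.ip_network(m.group(2), strict=False))
    return out


def parse_zone(text: str) -> List[Entry]:
    """Read the local zone; blank lines and '#' comments are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, _, reason = line.partition(" ")
        entries.append((ipaddress.ip_network(prefix, strict=False), reason.strip()))
    return entries


def _inside(net: Net, blocks: List[Net]) -> bool:
    # version check first: subnet_of() raises on a v4/v6 mix
    return any(net.version == b.version and net.subnet_of(b) for b in blocks)


def _touches(net: Net, blocks: List[Net]) -> bool:
    return any(net.version == b.version and net.overlaps(b) for b in blocks)


def purge_returned(zone: List[Entry], returned: List[Net]):
    """Drop entries that lie entirely inside a returned prefix.

    An entry wider than the returned block (a /23 when only a /24 came back)
    is kept but reported for review: shrinking it automatically would guess
    at which half the listing was really about.
    """
    keep: List[Entry] = []
    dropped: List[Entry] = []
    review: List[Entry] = []
    for net, reason in zone:
        if _inside(net, returned):
            dropped.append((net, reason))
            continue
        if _touches(net, returned):
            review.append((net, reason))
        keep.append((net, reason))
    return keep, dropped, review


def check_new_block(zone: List[Entry], added: List[Net]) -> List[Entry]:
    """Entries that would already penalise a block that has just been issued to you."""
    return [(net, reason) for net, reason in zone if _touches(net, added)]


def render_zone(entries: List[Entry]) -> str:
    return "".join(f"{net.with_prefixlen} {reason}\n" for net, reason in entries)


if __name__ == "__main__":
    ann = parse_announcement(SAMPLE_ANNOUNCEMENT)
    zone = parse_zone(SAMPLE_ZONE)
    keep, dropped, review = purge_returned(zone, ann["remove"])
    print("dropped:", [str(n) for n, _ in dropped])
    print("review :", [str(n) for n, _ in review])
    print("still listed in a block just issued:",
          [str(n) for n, _ in check_new_block(zone, ann["add"])])
    print(render_zone(keep), end="")
```

The review list is the part a practitioner should not skip: a local entry that is wider than the returned prefix is exactly the case where an automated purge either leaves the new holder blocked or quietly delists a neighbour that was the real problem.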






RE: Repeated Blacklisting / IP reputation, replaced by registered use

2009-09-14 Thread Azinger, Marla
Another one that could be discussed at the ARIN policy bof. 

Also, Im forwarding this to the ARIN ppml for any further discussion.

Cheers
Marla

-Original Message-
From: David Conrad [mailto:d...@virtualized.org] 
Sent: Monday, September 14, 2009 11:44 AM
To: Douglas Otis
Cc: NANOG list
Subject: Re: Repeated Blacklisting / IP reputation, replaced by registered use

On Sep 14, 2009, at 10:40 AM, Douglas Otis wrote:
> Perhaps ICANN could require registries establish a clearing-house, 
> where at no cost, those assigned a network would register their intent 
> to initiate bulk traffic, such as email, from specific addresses.

ICANN can't require the RIRs do anything outside of what is specifically 
mentioned in global addressing policies.  If you think this would be valuable 
and that it would make sense as a global addressing policy, then you should 
propose it in the RIR policy forums, get consensus amongst the five RIRs and 
have them forward it to ICANN as a global policy.

Regards,
-drc





Re: Repeated Blacklisting / IP reputation, replaced by registered use

2009-09-14 Thread David Conrad

On Sep 14, 2009, at 10:40 AM, Douglas Otis wrote:
> Perhaps ICANN could require registries establish a clearing-house,
> where at no cost, those assigned a network would register their
> intent to initiate bulk traffic, such as email, from specific
> addresses.


ICANN can't require the RIRs do anything outside of what is  
specifically mentioned in global addressing policies.  If you think  
this would be valuable and that it would make sense as a global  
addressing policy, then you should propose it in the RIR policy  
forums, get consensus amongst the five RIRs and have them forward it  
to ICANN as a global policy.


Regards,
-drc




RE: Repeated Blacklisting / IP reputation, replaced by registered use

2009-09-14 Thread Lee Howard


> -Original Message-
> From: Douglas Otis [mailto:do...@mail-abuse.org]
> Sent: Monday, September 14, 2009 1:41 PM
> To: joel jaeggli
> Cc: NANOG list
> Subject: Re: Repeated Blacklisting / IP reputation, replaced by registered use
> 
> On 9/13/09 12:49 PM, joel jaeggli wrote:
> > Frank Bulk wrote:
> []
> >> If anything, there's more of a disincentive than ever before for
> >> ARIN to spend time on netblock sanitization.
> >
> > This whole thread seems to be about shifting (I.E. by externalizing)
> > the costs of remediation. presumably the entities responsible for the
> > poor reputation aren't likely to pay... So heck, why not ARIN?
> > perhaps because it's absurd on the face of it? how much do my fees go
> > up in order to indemnify ARIN against the cost of a possible future
> > cleanup? how many more staff do they need? Do I have to buy prefix
> > reputation insurance as contingent requirement for a new direct
> > assignm
> 
> Perhaps ICANN could require registries establish a clearing-house, where
> at no cost, those assigned a network would register their intent to
> initiate bulk traffic, such as email, from specific addresses.  Such a
> use registry would make dealing with compromised systems more tractable.

If they would just comply with RFC 3514, such a registry would be
unnecessary.

> 
> This registry would also supplant the guesswork involved with divining
> meaning of reverse DNS labels.

We could standardize a string to be used in rDNS of dynamic pools, if you
want.

Lee




Re: Repeated Blacklisting / IP reputation, replaced by registered use

2009-09-14 Thread Douglas Otis

On 9/13/09 12:49 PM, joel jaeggli wrote:
> Frank Bulk wrote:
> []
>> If anything, there's more of a disincentive than ever before for
>> ARIN to spend time on netblock sanitization.
>
> This whole thread seems to be about shifting (I.E. by externalizing)
> the costs of remediation. presumably the entities responsible for the
> poor reputation aren't likely to pay... So heck, why not ARIN?
> perhaps because it's absurd on the face of it? how much do my fees go
> up in order to indemnify ARIN against the cost of a possible future
> cleanup? how many more staff do they need? Do I have to buy prefix
> reputation insurance as contingent requirement for a new direct
> assignm

Perhaps ICANN could require registries establish a clearing-house, where 
at no cost, those assigned a network would register their intent to 
initiate bulk traffic, such as email, from specific addresses.  Such a 
use registry would make dealing with compromised systems more tractable.

>> I do think that ARIN should inform the new netblock owner if it was
>> previously owned or not.
>
> We've got high quality data extending back through at least 1997 on
> what prefixes have been advertised in the DFZ, and of course from the
> ip reputation standpoint it doesn't so much matter if something was
> assigned, but rather whether it was ever used. one assumes moreover
> that beyond a certain point in the not too distant future it all will
> have been previously assigned (owned is the wrong word).
>
>> But if ARIN tried to start cleaning up a netblock before releasing
>> it, there would be no end to it.  How could they check against the
>> probably hundreds of thousands private blocklist?
>
> Note that they can't insure routability either, though as a community
> we've gotten used to testing for stale bogon filters.

The issues created by IPv4 space churn are likely to be dwarfed by 
eventual adoption of IPv6.  Registering intent to initiate bulk traffic, 
such as with SMTP, could help consolidate the administration of filters, 
since abuse is often from addresses that network administrators did not 
intend.  A clearing-house approach could reduce the costs of 
administering filters and better insure against unintentional impediments.


This approach should also prove more responsive than depending upon 
filters embedded within various types of network equipment.  By limiting 
registration to those controlling the network, this provides a low cost 
means to control use of address space without the need to impose 
expensive and problematic layer 7 filters that are better handled by the 
applications.  The size of the registered use list is likely to be 
several orders of magnitude smaller than the typical block list. 
Exceptions to the use list will be even smaller still.


This registry would also supplant the guesswork involved with divining 
meaning of reverse DNS labels.


-Doug



Re: Repeated Blacklisting / IP reputation

2009-09-14 Thread Martin Hannigan
On Sun, Sep 13, 2009 at 7:43 AM, John Curran  wrote:

> On Sep 11, 2009, at 6:52 PM, Martin Hannigan wrote:
> >
> > I honestly don't think that it's up to them to create a set-aside
> > either,
> > hence my comment about behind the scenes activities. I appreciate you
> > detailing that, but I honestly don't think it matters since as you
> > mentioned
> > you get accused of this all of the time. I would expect that ICANN
> > would not
> > only follow the rules, but safeguard them as well.
>
>
>
[ clip ]


> what would normally have been a behind the scenes implementation issue
> has now
> been publicly detailed, and I, for one, thank the IANA for their clear
> and
> timely communications on this matter.
>

I do as well. ICANN does good work in this area and I would not want to
appear as though I am saying otherwise.


>
> > Numbering policy usually goes to the members of each of the RIR
> > communities,
> > just as the IANA to RIR policy did. The algorithm itself is great. The
> > set-aside is the problem.
>
> This is not formation of global Internet numbering policy, it's
> implementation
> of the existing policy regarding IANA to RIR /8 block assignments.
> Regardless,
> the global nature of the Internet means that we'll all deal with
> connectivity
> issues with these blocks once they're allocated. Any and all efforts
> that the
> networking community can take now to get these blocks cleaned up now
> would be
> most helpful.
>
>

Well, ok then :-). I agree to disagree. Anything that affects the flow or
quality of IPv4 address space is a policy issue in my mind, especially when
a justification for an action is linked to a social issue. I know that it
was said that ICANN didn't really mean it when they said that they created
this action with "developing economies" in mind, at least not in the way
that it is defined[1], but it's hard to say after the fact.

Best Regards,

Marty


1. http://en.wikipedia.org/wiki/Developing_economies


Re: Hijacked Blocks (was: Repeated Blacklisting / IP reputation)

2009-09-14 Thread Christopher Morrow
On Mon, Sep 14, 2009 at 7:05 AM, John Curran  wrote:
> On Sep 14, 2009, at 6:49 AM, Rich Kulawiec wrote:
>> ...
>> For example: Ron Guilmette has recently pointed out that notorious
>> spammer
>> Scott Richter has apparently hijacked *another* /16 block --
>> 150.230.0.0/16.

oh lookie, announced by mzima, wasn't mzima also announcing some /16
'shared' (or borrowed or rented or) from a community in Florida
until recently?

>> there's no reason for me to make it otherwise.  Perhaps one day ARIN
>> will yank it back, along with all his other blocks, and blacklist him

how is ARIN to know that there was some mischief going on here? (aside
from someone telling them, did you Rich?)

>> for life; but (a) I doubt it and (b) I'm not willing to wait.  The

I asked about this once, for another spammer. I think there was
discussion of 'how do we know that personX is a 'spammer'? or bad
enough to 'never allocate space to ever again'?  There was also the
normal ARIN comment about: "If the community supports this sort of
action, they ought to bring forth policy that says so."

The end of the discussion was along the lines of: "Yes, we know this
guy is bad news, but he always comes to us with the proper paperwork
and numbers, there's nothing in the current policy set to deny him
address resources. Happily though he never pays his bill after the
first 12 months so we just reclaim whatever resources are allocated
then."  (yes, comments about more address space ending up on BL's were
made, and that he probably doesn't pay because after the first 3
months the address space is 'worthless' to him...)

How should this get fixed? Is it possible to make policy to address
this sort of problem?

-chris



Re: Hijacked Blocks (was: Repeated Blacklisting / IP reputation)

2009-09-14 Thread John Curran
On Sep 14, 2009, at 6:49 AM, Rich Kulawiec wrote:
> ...
> For example: Ron Guilmette has recently pointed out that notorious  
> spammer
> Scott Richter has apparently hijacked *another* /16 block --  
> 150.230.0.0/16.
> I've dropped that block into various local blacklists, and in some  
> cases,
> various local firewalls.  The entry is essentially permanent, because
> there's no reason for me to make it otherwise.  Perhaps one day ARIN
> will yank it back, along with all his other blocks, and blacklist him
> for life; but (a) I doubt it and (b) I'm not willing to wait.  The  
> best
> course of action for me is to just consider it scorched earth and  
> move on.

To the extent that you're aware of a fraudulently transferred address  
block, please report it to .

Thanks!
/John

John Curran
President and CEO
ARIN



Re: Repeated Blacklisting / IP reputation

2009-09-14 Thread Rich Kulawiec
On Tue, Sep 08, 2009 at 11:44:44AM -0700, Wayne E. Bouchard wrote:
> Best practices for the public or subscription RBLs should be to place
> a TTL on the entry of no more than, say, 90 days or thereabouts. 

But there's no reason to do so, and a number of reasons not to, including
the very high probability^Wcertainty that spammers would use
this to rotate through multiple allocations at 91-day intervals.

Best practice is to identify blocks that are owned (or effectively owned)
by spammers and blacklist them until a need arises *on the receiving side*
to remove those blocks.  Yes, this is unfortunate, and draconian, and
any number of other things, but the ISPs responsible for this situation
should probably have considered this inevitable result before they decided
to host well-known spammers that 60 seconds of due diligence would have
identified, and subsequently to turn a blind eye to the abuse emanating
from their networks.

For example: Ron Guilmette has recently pointed out that notorious spammer
Scott Richter has apparently hijacked *another* /16 block -- 150.230.0.0/16.
I've dropped that block into various local blacklists, and in some cases,
various local firewalls.  The entry is essentially permanent, because
there's no reason for me to make it otherwise.  Perhaps one day ARIN
will yank it back, along with all his other blocks, and blacklist him
for life; but (a) I doubt it and (b) I'm not willing to wait.  The best
course of action for me is to just consider it scorched earth and move on.

---Rsk
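Wayne's 90-day TTL (quoted above) and Rich's permanent entries are two settings of the same mechanism. As an added example (not code from any poster, and not the behaviour of any particular MTA), this sketches a local per-MTA block list in which each prefix carries an optional expiry, plus the reversed-octet name that an IPv4 DNSBL lookup for an address is built from. All prefixes are RFC 5737 documentation ranges, the zone name is a placeholder, and the dates are constructed.

```python
import ipaddress
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
# (network, reason, expiry; None means a permanent entry)
Entry = Tuple[Net, str, Optional[datetime]]

# Constructed reference time for the sample entries.
SAMPLE_T0 = datetime(2009, 9, 8, tzinfo=timezone.utc)


def days_after(n: int) -> datetime:
    return SAMPLE_T0 + timedelta(days=n)


class LocalBlocklist:
    """A local (per-MTA) block list where each prefix may carry an expiry."""

    def __init__(self) -> None:
        self._entries: List[Entry] = []

    def add(self, prefix: str, reason: str, added: datetime,
            ttl_days: Optional[int] = None) -> None:
        # ttl_days=None is the "scorched earth" entry: it never ages out.
        net = ipaddress.ip_network(prefix, strict=False)
        expires = added + timedelta(days=ttl_days) if ttl_days is not None else None
        self._entries.append((net, reason, expires))

    def lookup(self, ip: str, now: datetime) -> Optional[str]:
        """Reason for blocking `ip` at time `now`, or None if no live entry covers it."""
        addr = ipaddress.ip_address(ip)
        for net, reason, expires in self._entries:
            if net.version != addr.version or addr not in net:
                continue
            if expires is None or now < expires:
                return reason
        return None

    def expire(self, now: datetime) -> List[str]:
        """Remove entries whose TTL has run out; returns the prefixes dropped."""
        gone = [str(net) for net, _, exp in self._entries if exp is not None and now >= exp]
        self._entries = [e for e in self._entries if e[2] is None or now < e[2]]
        return gone

    def __len__(self) -> int:
        return len(self._entries)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Name queried for an IPv4 DNSBL lookup: octets reversed, then the list's zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 DNSBL name only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def build_sample(t0: datetime) -> LocalBlocklist:
    """Two constructed entries: one permanent, one that ages out after 90 days."""
    bl = LocalBlocklist()
    bl.add("192.0.2.0/24", "spammer-owned, listed permanently", t0)
    bl.add("203.0.113.0/24", "open proxy seen, auto-listed", t0, ttl_days=90)
    return bl


if __name__ == "__main__":
    bl = build_sample(SAMPLE_T0)
    for day in (1, 89, 91):
        now = days_after(day)
        print(day, bl.lookup("203.0.113.9", now), bl.lookup("192.0.2.1", now))
    print(bl.expire(days_after(91)), len(bl))
    print(dnsbl_query_name("192.0.2.1", "dnsbl.example"))
```

Note that `lookup` honours the expiry even before `expire` has run, so a stale copy that is consulted but never pruned still stops blocking on schedule; the three-year-old zone copy Justin describes earlier in the thread has neither property.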



Re: Repeated Blacklisting / IP reputation

2009-09-14 Thread Tim Chown
On Sun, Sep 13, 2009 at 12:45:03PM -0400, Christopher Morrow wrote:
> On Wed, Sep 9, 2009 at 11:48 PM, Mark Andrews  wrote:
> 
> 
> 
> > Note we all could start using IPv6 and avoid this problem altogether.
> > There is nothing stopping us using IPv6 especially for MTA's.
> 
> that'd solve the spam problem... for a while at least. (no ipv6
> traffic == no spam)

30% of our incoming IPv6 SMTP connections are spam.

-- 
Tim





Re: Repeated Blacklisting / IP reputation

2009-09-14 Thread Andy Davidson


On 9 Sep 2009, at 06:04, Peter Beckman wrote:

> How about a trial period from ARIN?  You get your IP block, and you
> get 30 days to determine if it is "clean" or not.


The reuse issue is possibly decades away in v6 land.

The reuse issue can't really be solved for v4 in a year or two.

Sounds like a waste of time to develop this idea further IMO.

A



Re: Repeated Blacklisting / IP reputation

2009-09-13 Thread Christopher Morrow
On Wed, Sep 9, 2009 at 11:48 PM, Mark Andrews  wrote:



> Note we all could start using IPv6 and avoid this problem altogether.
> There is nothing stopping us using IPv6 especially for MTA's.

that'd solve the spam problem... for a while at least. (no ipv6
traffic == no spam)

-Chris
(yes, I'm yanking mark's chain some)



Re: Repeated Blacklisting / IP reputation

2009-09-13 Thread Christopher Morrow
On Wed, Sep 9, 2009 at 11:30 PM, Leo Vegoda  wrote:
> On Sep 9, 2009, at 7:18 PM, Alex Lanstein wrote:
>
>> Along the same lines, I noticed that the worst Actor in recent
>> memory (McColo - AS26780) stopped paying their bills to ARIN and
>> their addresses have been returned to the pool.
>>
>> It's my opinion that a very select number of CIDR blocks (another
>> example being the ones belonging to Cernel/InternetPath/Atrivo/etc,
>> if it were ever fully extinguished) are, and forever will be,
>> completely toxic and unusable to any legitimate enterprise.
>> Arguments could be made that industry blacklists can and should be
>> more flexible, but from the considerably more innocuous case in this
>> thread, that is apparently not the modus operandi
>
> Putting these addresses back into use does not mean that they have to
> be allocated to networks where they'll number mail servers. ARIN staff
> is doubtless aware of the history of these blocks and will presumably
> do their best to allocate them to networks that aren't intended to
> host mail servers.

to quote bmanning.. they may even be put into service on a network
that is not 'the internet'. Though I think Alex's idea isn't without
merit, perhaps as a stage between 'de-allocate from non-payer' and
'allocate to new payer'. (perhaps only for blocks meeting some set of
criteria, yet to be determined/discussed)

-Chris



Re: Repeated Blacklisting / IP reputation

2009-09-13 Thread John Curran
On Sep 11, 2009, at 6:52 PM, Martin Hannigan wrote:
>
> I honestly don't think that it's up to them to create a set-aside  
> either,
> hence my comment about behind the scenes activities. I appreciate you
> detailing that, but I honestly don't think it matters since as you  
> mentioned
> you get accused of this all of the time. I would expect that ICANN  
> would not
> only follow the rules, but safeguard them as well.

The RIR CEO's told the IANA to use their best judgement in making the /8
assignments. This is exactly what happens with each assignment today  
in any
case, and would have been the same result without that feedback to  
IANA, i.e.,
what would normally have been a behind the scenes implementation issue  
has now
been publicly detailed, and I, for one, thank the IANA for their clear  
and
timely communications on this matter.

> Numbering policy usually goes to the members of each of the RIR  
> communities,
> just as the IANA to RIR policy did. The algorithm itself is great. The
> set-aside is the problem.

This is not formation of global Internet numbering policy, it's  
implementation
of the existing policy regarding IANA to RIR /8 block assignments.  
Regardless,
the global nature of the Internet means that we'll all deal with  
connectivity
issues with these blocks once they're allocated. Any and all efforts  
that the
networking community can take now to get these blocks cleaned up now  
would be
most helpful.

/John

John Curran
President and CEO
ARIN





RE: Repeated Blacklisting / IP reputation

2009-09-12 Thread Keith Medcalf

> and then that's PART of the MTA.  Otherwise, it's an add-on
> of some sort.
> Given that the point I was making was about capabilities *included* in
> the MTA, and given that I *said* you could add on such functions, it's
> kind of silly to try to confuse the issue in this manner.

CommuniGate Pro supports time limited blacklisting, at least for IPs it
blacklists itself based on protocol violations &c.






Re: Repeated Blacklisting / IP reputation

2009-09-12 Thread joel jaeggli
Frank Bulk wrote:
> With scarcity of IPv4 addresses, organizations are more desperate than ever
> to receive an allocation.

Factual evidence that pi allocation is in fact hard to obtain would be
required to support that statement. The fact of the matter is if you
have a legitimate application congruent with current policy you'll get
your addresses just like you would last year. Now if your business is
contingent on the availability of pi addressing resources obviously you
have a fiduciary responsibility to address that problem in short order.

>  If anything, there's more of a disincentive than
> ever before for ARIN to spend time on netblock sanitization.

This whole thread seems to be about shifting (I.E. by externalizing) the
costs of remediation. presumably the entities responsible for the poor
reputation aren't likely to pay... So heck, why not ARIN? perhaps
because it's absurd on the face of it? how much do my fees go up in
order to indemnify ARIN against the cost of a possible future cleanup?
how many more staff do they need? Do I have to buy prefix reputation
insurance as contingent requirement for a new direct assignment?

> I do think that ARIN should inform the new netblock owner if it was
> previously owned or not. 

We've got high quality data extending back through at least 1997 on what
prefixes have been advertised in the DFZ, and of course from the ip
reputation standpoint it doesn't so much matter if something was
assigned, but rather whether it was ever used. one assumes moreover that
beyond a certain point in the not too distant future it all will have
been previously assigned (owned is the wrong word).

> But if ARIN tried to start cleaning up a netblock
> before releasing it, there would be no end to it.  How could they check
> against the probably hundreds of thousands private blocklist?

Note that they can't ensure routability either, though as a community
we've gotten used to testing for stale bogon filters.

> Frank
> 
> -Original Message-
> From: JC Dill [mailto:jcdill.li...@gmail.com] 
> Sent: Wednesday, September 09, 2009 5:40 PM
> To: NANOG list
> Subject: Re: Repeated Blacklisting / IP reputation
> 
> 
> 
> They can (and IMHO should) determine the state it is in before they 
> reallocate it.  What happens next is obviously unpredictable but in 
> reality an IP that isn't being blocked today and isn't being used (by 
> anyone) is highly unlikely to be widely blocked between today and the 
> day ARIN releases it for allocation to a new entity. 
> 
> They can hold IPs that are not suitable for re-allocation, or at least 
> make the status of the IPs known to the new entity before asking the 
> entity to take on the IP block, and perhaps offering a fee discount for 
> "tainted" addresses.  (Some users may not care if the IPs are "tainted", 
> if, for instance they plan to use the IPs for a DUL pool.  I have a 
> friend who gets $5 off his cell phone bill because he has a phone number 
> that starts with 666 - a number that many people prefer to avoid but 
> which works fine for his purposes and he's quite happy to get the 
> discount. :-)
> 
> 
> 
> 
> ARIN shouldn't allocate previously allocated IPs until they know the IPs 
> are not widely blocked.  Or to *at the very least* ARIN should disclose 
> what they know about the IP space before they make it someone else's 
> problem, and give the requesting entity an option to request a 
> new/clean/unused/unblocked IP block instead.
> 
> 
> 
> jc
> 
> 
> 
> 




RE: Repeated Blacklisting / IP reputation

2009-09-12 Thread Frank Bulk
With scarcity of IPv4 addresses, organizations are more desperate than ever
to receive an allocation.  If anything, there's more of a disincentive than
ever before for ARIN to spend time on netblock sanitization.

I do think that ARIN should inform the new netblock owner if it was
previously owned or not.  But if ARIN tried to start cleaning up a netblock
before releasing it, there would be no end to it.  How could they check
against the probably hundreds of thousands private blocklist?

Frank

-Original Message-
From: JC Dill [mailto:jcdill.li...@gmail.com] 
Sent: Wednesday, September 09, 2009 5:40 PM
To: NANOG list
Subject: Re: Repeated Blacklisting / IP reputation



They can (and IMHO should) determine the state it is in before they 
reallocate it.  What happens next is obviously unpredictable but in 
reality an IP that isn't being blocked today and isn't being used (by 
anyone) is highly unlikely to be widely blocked between today and the 
day ARIN releases it for allocation to a new entity. 

They can hold IPs that are not suitable for re-allocation, or at least 
make the status of the IPs known to the new entity before asking the 
entity to take on the IP block, and perhaps offering a fee discount for 
"tainted" addresses.  (Some users may not care if the IPs are "tainted", 
if, for instance they plan to use the IPs for a DUL pool.  I have a 
friend who gets $5 off his cell phone bill because he has a phone number 
that starts with 666 - a number that many people prefer to avoid but 
which works fine for his purposes and he's quite happy to get the 
discount. :-)




ARIN shouldn't allocate previously allocated IPs until they know the IPs 
are not widely blocked.  Or to *at the very least* ARIN should disclose 
what they know about the IP space before they make it someone else's 
problem, and give the requesting entity an option to request a 
new/clean/unused/unblocked IP block instead.



jc






Re: Repeated Blacklisting / IP reputation

2009-09-12 Thread Joe Greco
> > "Joe" == Joe Greco  writes:
> 
> Joe> So, you agree, MTA's do not implement this functionality.  It's
> Joe> obviously possible to make it happen through shell scripting,
> Joe> database tricks,
> 
> No, I do not agree.
> 
> The sql backend is part of the MTA; features added by offering a sql
> backend for tables of this sort (I'd use a cidr access restriction
> in postfix) are still features of the MTA.
> 
> And actually using the power of sql when using sql is not a trick;
> rather it is the /point/.
> 
> IOW, the MTA is the sum of its parts; when using sql lookups the db
> is part of the MTA.

By that argument, anything else that you install that augments the
functionality of your MTA in some manner is "part" of your MTA.  Since
DSPAM hooks into Postfix, clearly Postfix offers Bayesian filtering,
and since ClamAV hooks in, clearly Postfix offers spam filtering, and
since you can use LogReport to manage its logs, clearly Postfix offers
reporting via an HTTP interface, and since I find it convenient to have
a shell on a mail server, when I install tcsh or zsh, that's also an
offering by Postfix.

No.

You show me a line in Postfix's ACL code that reads to the effect of

if (expiryfield < time(NULL)) {
    accept_message;
}

and then that's PART of the MTA.  Otherwise, it's an add-on of some sort.
Given that the point I was making was about capabilities *included* in
the MTA, and given that I *said* you could add on such functions, it's
kind of silly to try to confuse the issue in this manner.

In other words, if it doesn't compile out of the box with it, that's what
I was talking about, and that's the point.  No add-ons, no enhancements.

We already know that something can be *added* to help the MTA implement
such a feature; that's obvious to everyone.  However, it isn't commonly
done, and dlr posted stats indicating that a significant percentage of
spam-spewing IP addresses would continue to do so for *years*.  As a
result, mail admins typically throw IP's in ACL's for something that
approaches *forever*.

The point was that MTA's don't support anything else by default, that
such a feature isn't in demand, and that the spam database analysis
supports this as a not entirely unreasonable state of affairs.

Further, since it is relatively unlikely, statistically speaking, that
any particular IP address

I'm not interested in playing semantic games about "what constitutes 
an MTA."  I *am* interested in the general problem of outdated rules 
of any sort that block access to reallocated IP space; this is a real
operational problem, both to recipients of such space, and to sites who
have blocked such space.

My tentative conclusion is that there is no realistic solution to the
overall problem.  Even within a single autonomous system, there usually
isn't a comprehensive single unified method for denying access to
services; you might have separate lists for IP in general (bogons),
access to mail systems (DNSBL's and local rules derived from bad
experiences), rules for access to various devices and services, rules
added to block syn floods from/to, etc., etc., etc.  And all of the
systems to implement these rules are more or less disjoint.

The concept of "virgin" IPv4 space is going to be a memory soon.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



Re: Repeated Blacklisting / IP reputation

2009-09-12 Thread James Cloos
> "Joe" == Joe Greco  writes:

Joe> So, you agree, MTA's do not implement this functionality.  It's
Joe> obviously possible to make it happen through shell scripting,
Joe> database tricks,

No, I do not agree.

The sql backend is part of the MTA; features added by offering a sql
backend for tables of this sort (I'd use a cidr access restriction
in postfix) are still features of the MTA.

And actually using the power of sql when using sql is not a trick;
rather it is the /point/.

IOW, the MTA is the sum of its parts; when using sql lookups the db
is part of the MTA.

-JimC
-- 
James Cloos  OpenPGP: 1024D/ED7DAEA6



Re: Repeated Blacklisting / IP reputation

2009-09-12 Thread Joe Greco
> > "Joe" == Joe Greco  writes:
> Joe> Show me ONE major MTA which allows you to configure an expiration
> Joe> for an ACL entry.
> 
> Any MTA which supports using an sql db as its backend.  Postfix is a
> fine example.
> 
> You just define the table and the query to either have an until column,
> or have a column with the timestamp of when the entry was added and have
> the query ignore rows which are older than some given time.
> 
> And with postfix, using its sql proxy capability, using a sql backend is
> fully performant.

So, you agree, MTA's do not implement this functionality.  It's obviously
possible to make it happen through shell scripting, database tricks, etc.,
but the point was that if this was commonly desired, then MTA's would be
supporting it directly.  It isn't commonly desired, most people just block
"forever."

It never ceases to amaze me how technical people so often easily miss the
point.  :-)

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



Re: Repeated Blacklisting / IP reputation

2009-09-12 Thread James Cloos
> "Joe" == Joe Greco  writes:

Joe> Show me ONE major MTA which allows you to configure an expiration
Joe> for an ACL entry.

Any MTA which supports using an sql db as its backend.  Postfix is a
fine example.

You just define the table and the query to either have an until column,
or have a column with the timestamp of when the entry was added and have
the query ignore rows which are older than some given time.

And with postfix, using its sql proxy capability, using a sql backend is
fully performant.

-JimC
-- 
James Cloos  OpenPGP: 1024D/ED7DAEA6
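A worked version of the SQL-backed expiring access list described above, added here as an example; it is not code from the thread or from Postfix. sqlite3 stands in for the database Postfix would query, the table and column names are assumed, and the lookup runs in Python so the example works offline, with the equivalent Postfix table query given in a comment.

```python
"""Time-limited client access list for an MTA, as an added example (not code
from the thread or from Postfix).

It models the approach described above: keep the access list in a SQL table
with an expiry column and let the lookup query ignore rows whose time is up.
Postfix would issue the equivalent query through a mysql:/pgsql:/sqlite:
table used with check_client_access; sqlite3 stands in for that backend so
the example runs offline.  Table and column names are assumptions.
"""
import sqlite3
import time

# The query Postfix would run against the same table (sqlite: table syntax,
# file name assumed), so expiry is enforced by the lookup itself:
#   query = SELECT action FROM client_access WHERE client = '%s'
#           AND (expires IS NULL OR expires > CAST(strftime('%s', 'now') AS INTEGER))

SCHEMA = """
CREATE TABLE client_access (
    client  TEXT PRIMARY KEY,  -- full IPv4 address or dotted prefix (e.g. '192.0.2')
    action  TEXT NOT NULL,     -- access(5) result, e.g. 'REJECT spam source'
    added   INTEGER NOT NULL,  -- unix time the entry was created
    expires INTEGER            -- unix time after which it is ignored; NULL = never
)
"""

LOOKUP = """
SELECT action FROM client_access
WHERE client = ? AND (expires IS NULL OR expires > ?)
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def block(db, client, reason, ttl=None, now=None):
    """Add or refresh an entry. ttl is seconds until expiry; None blocks forever."""
    now = int(time.time() if now is None else now)
    expires = None if ttl is None else now + int(ttl)
    db.execute("INSERT OR REPLACE INTO client_access VALUES (?, ?, ?, ?)",
               (client, "REJECT " + reason, now, expires))


def lookup_keys(ip):
    """Key order Postfix uses for an IPv4 client in check_client_access:
    the full address, then each shorter dotted prefix (1.2.3.4, 1.2.3, 1.2, 1)."""
    parts = ip.split(".")
    return [".".join(parts[:n]) for n in range(len(parts), 0, -1)]


def lookup_client(db, ip, now=None):
    """Return the action of the most specific unexpired entry, or None."""
    now = int(time.time() if now is None else now)
    for key in lookup_keys(ip):
        row = db.execute(LOOKUP, (key, now)).fetchone()
        if row:
            return row[0]
    return None


def purge_expired(db, now=None):
    """Housekeeping only: the lookup already ignores these rows."""
    now = int(time.time() if now is None else now)
    cur = db.execute(
        "DELETE FROM client_access WHERE expires IS NOT NULL AND expires <= ?", (now,))
    return cur.rowcount


if __name__ == "__main__":
    db = open_db()
    block(db, "192.0.2.7", "protocol violation", ttl=3600, now=1000)  # one hour
    block(db, "198.51.100", "spam source", now=1000)                   # whole /24, no expiry
    print(lookup_client(db, "192.0.2.7", now=1500))       # REJECT protocol violation
    print(lookup_client(db, "192.0.2.7", now=5000))       # None: entry expired
    print(lookup_client(db, "198.51.100.99", now=10**9))  # REJECT spam source
```

The expiry lives in the row, not in a cron job: an entry stops matching the moment its time is up, whether or not anything ever deletes it, which is what makes a reallocated block unblock itself without an operator remembering to edit an ACL.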



Re: Repeated Blacklisting / IP reputation

2009-09-11 Thread Martin Hannigan
On Fri, Sep 11, 2009 at 4:23 PM, David Conrad  wrote:

> Marty,
>
>> It's possible that not everything is above the table as well.
>
> Actually, no.  The whole point in publishing the algorithm IANA is using in
> allocating /8s is to allow anyone to verify for themselves we are following
> that algorithm.

Sorry, poor wording on my part. See below.

>> I think that the perception is reality here though. ICANN has arbitrarily
>> created process that impacts RIR's unequally. To me, that's unfair.
>
> As stated, we followed existing RIR practices regarding treatment of LACNIC
> and AfriNIC.  Oddly, the RIR CEOs were happy with the algorithm when we
> asked them about it.

I honestly don't think that it's up to them to create a set-aside either,
hence my comment about behind the scenes activities. I appreciate you
detailing that, but I honestly don't think it matters since as you mentioned
you get accused of this all of the time. I would expect that ICANN would not
only follow the rules, but safeguard them as well.

Numbering policy usually goes to the members of each of the RIR communities,
just as the IANA to RIR policy did. The algorithm itself is great. The
set-aside is the problem. I'd be happy with the algorithm and all of the
space. It would be more fair to us all and not appear as a cost shifting or
potential windfall.

Best,



-M<



-- 
Martin Hannigan   mar...@theicelandguy.com
p: +16178216079
Power, Network, and Costs Consulting for Iceland Datacenters and Occupants


Re: Repeated Blacklisting / IP reputation

2009-09-11 Thread David Conrad

Marty,

On Sep 10, 2009, at 2:45 PM, Martin Hannigan wrote:

>>> Not sure when ICANN got into the business of economic bailouts,
>>
>> ??
>
> The blog posting implies it:
>
> "AfriNIC and LACNIC have fewest IPv4 /8s and service the regions with
> the most developing economies. We decided that those RIRs should have
> four of the easiest to use /8s reserved for them."

The "economies" term used here is essentially synonymous with
"countries".  The decision IANA made (which is, of course, always
reversible until the last /8s are allocated) is in keeping with RIR
practices regarding treatment of LACNIC and AfriNIC in global
allocation issues.

> There is also a possible unintended consequence. If v4 address space
> markets do end up being legitimized (I do believe that they will
> FWIW)  ICANN is in effect declaring one class of space more valuable
> than another and arbitrarily assigning that value.

ICANN is not declaring value of anything.  All we are doing is trying
to distribute the remaining /8s in a way that can be publicly verified
that we have no bias in how /8s are allocated at the same time as
trying to minimize the pain experienced by the recipients of the /8s.

>> Or are you unhappy that LACNIC and AfriNIC have 2 /8s from the
>> least tainted pools?
>
> There is currently a global policy that the RIR's and ICANN agreed
> to that defines the allocation of /8's from IANA to RIR's. That
> policy doesn't include a set-aside and I think that arbitrarily
> adding one is not in the spirit of cooperation.

The global policy for IPv4 address allocation does not specify how
IANA selects the addresses it assigns to the RIRs.  IANA has used
different algorithms in the past.  What IANA is doing now is described
in the blog posting I referenced.

> It's possible that not everything is above the table as well.

Actually, no.  The whole point in publishing the algorithm IANA is
using in allocating /8s is to allow anyone to verify for themselves we
are following that algorithm.

> I think that the perception is reality here though. ICANN has
> arbitrarily created process that impacts RIR's unequally. To me,
> that's unfair.

As stated, we followed existing RIR practices regarding treatment of
LACNIC and AfriNIC.  Oddly, the RIR CEOs were happy with the algorithm
when we asked them about it.

> Question is -- do a few /8's really matter?

Sure.  And they'll matter more as the IPv4 pool approaches exhaustion.
That's why IANA has published the algorithm by which allocations are
made.  The goal is to forestall (or at least help defend from) the
inevitable accusations of evil doing folks accuse ICANN of all the
time (e.g., your message).


Regards,
-drc




Re: Repeated Blacklisting / IP reputation

2009-09-11 Thread Joel Jaeggli


Benjamin Billon wrote:
> 
>>  Why don't we just blacklist everything and only whitelist those we know
>>  are good?
>> 
>>> Note we all could start using IPv6 and avoid this problem altogether.
>> 
> Yeah. When ISP will start receiving SMTP traffic in IPv6, they could
> start to accept whitelisted senders only.

I've been receiving smtp traffic including spam on ipv6 since 2001.

> "IPv6 emails == clean"
> 
> Utopian thought?
> 



Re: Repeated Blacklisting / IP reputation

2009-09-11 Thread Joel Jaeggli


Peter Beckman wrote:
> On Thu, 10 Sep 2009, Mark Andrews wrote:
> 
>> What a load of rubbish.  How is ARIN or any RIR/LIR supposed to
>> know the intent of use?
> 
>  Why don't we just blacklist everything and only whitelist those we know
>  are good?
> 
>  Because the cost of determining who is good and who is not has a great
>  cost.  If you buy an IP block, regardless of your intent, that IP block
>  should not have the ill-will of the previous owner passed on with it.

You don't buy ip blocks or at least not from ARIN. Among other things
that ARIN does not guarantee is routability.

>  If
>  the previous owner sucked, the new owner should have the chance to use
>  that IP block without restriction until they prove that they suck, at
>  which point it will be blocked again.  That system seems to work well
>  enough: blacklist blocks when they start to be evil, according to your own
>  (you being the neteng in charge) definition of evil.
> 
>  ARIN needs to be impartial.  If they are going to sell the block, they
>  should do their best to make a coordinated effort to make sure the block
>  is as unencumbered as possible.  I get that there is a sense that ARIN
>  needs to do more due diligence to determine if the receiving party is
>  worthy of that block, but I'm not aware of the process, and from the
>  grumblings it doesn't seem like fun.
> 
>> Note we all could start using IPv6 and avoid this problem altogether.
> 
>  Because as we know IPv6 space is inexhaustible.  Just like IPv4 was when
>  it began its life. ;-)
> 
>  That won't avoid the problem, it will simply put the problem off until it
>  rears its head again.  I'm sure that IPv6 space will be more easily gotten
>  until problems arise, and in a few years (maybe decades, we can put this
>  problem on our children's shoulders), we'll be back where we are now --
>  getting recycled IP space that is blocked or encumbered due to bad
>  previous owners.
> 
> Beckman
> ---
> Peter Beckman  Internet Guy
> beck...@angryox.com http://www.angryox.com/
> ---
> 



Re: Repeated Blacklisting / IP reputation

2009-09-10 Thread Scott Weeks



--- leo.veg...@icann.org wrote:
In my limited experience, requesting address space from ARIN involved
describing what I would be doing with it. YMMV.
-


That's the easy part of the process.  Proof of what you did with what you 
already have assigned to you is the hard part.

scott



Re: Repeated Blacklisting / IP reputation

2009-09-10 Thread Leo Vegoda
On 09/09/2009 8:48, "Mark Andrews"  wrote:

[...]

> What a load of rubbish.  How is ARIN or any RIR/LIR supposed to
> know the intent of use?

In my limited experience, requesting address space from ARIN involved
describing what I would be doing with it. YMMV.

Leo 




Re: Repeated Blacklisting / IP reputation

2009-09-10 Thread Martin Hannigan
On Thu, Sep 10, 2009 at 4:21 PM, David Conrad  wrote:

> On Sep 9, 2009, at 8:41 PM, Martin Hannigan wrote:
>
>> Not sure when ICANN got into the business of economic bailouts,
>
> ??
>

The blog posting implies it:


"AfriNIC and LACNIC have fewest IPv4 /8s and service the regions with the
most developing economies. We decided that those RIRs should have four of
the easiest to use /8s reserved for them."

There is also a possible unintended consequence. If v4 address space markets
do end up being legitimized (I do believe that they will FWIW)  ICANN is in
effect declaring one class of space more valuable than another an
arbitrarily assigning that value.


>> but the mechanism that ICANN has defined seems patently unfair.
>
> RFC 2777 is unfair?  Or are you unhappy that LACNIC and AfriNIC have 2 /8s
> from the least tainted pools?
>



I don't have a comment on the RFC. There is currently a global policy that
the RIR's and ICANN agreed to that defines the allocation of /8's from IANA
to RIR's. That policy doesnt include a set-aside and I think that
arbitrarily adding one is not in the spirit of cooperation. I think that
it's "good" that ICANN is being proactive, but I also think that it's "bad"
that they chose this to be proactive about. It's possible that not
everything is above the table as well. I think that the perception is
reality here though. ICANN has arbitrarily created process that impacts
RIR's unequally. To me, that's unfair.

Question is -- do a few /8's really matter? In the end game, I think that
they do all considered.

Best,

Marty


-- 
Martin Hannigan   mar...@theicelandguy.com
p: +16178216079
Power, Network, and Costs Consulting for Iceland Datacenters and Occupants


Re: Repeated Blacklisting / IP reputation

2009-09-10 Thread David Conrad

On Sep 9, 2009, at 8:41 PM, Martin Hannigan wrote:

> Not sure when ICANN got into the business of economic bailouts,

??

> but the mechanism that ICANN has defined seems patently unfair.

RFC 2777 is unfair?  Or are you unhappy that LACNIC and AfriNIC have
2 /8s from the least tainted pools?


Regards,
-drc




Re: Repeated Blacklisting / IP reputation

2009-09-10 Thread Joe Greco
>   Because the cost of determining who is good and who is not has a great
>   cost.  If you buy an IP block, regardless of your intent, that IP block
>   should not have the ill-will of the previous owner passed on with it. 

Might as well be the end of discussion, right there, then, because what
you're suggesting suggests no grasp of the real world.

>   If
>   the previous owner sucked, the new owner should have the chance to use
>   that IP block without restriction until they prove that they suck, at
>   which point it will be blocked again.  That system seems to work well
>   enough: blacklist blocks when they start to be evil, according to your own
>   (you being the neteng in charge) definition of evil.

What you just described doesn't implement what you claim, at all.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



Re: Repeated Blacklisting / IP reputation

2009-09-10 Thread Valdis . Kletnieks
On Wed, 09 Sep 2009 20:30:02 PDT, Leo Vegoda said:

> Putting these addresses back into use does not mean that they have to
> be allocated to networks where they'll number mail servers. ARIN staff
> is doubtless aware of the history of these blocks and will presumably
> do their best to allocate them to networks that aren't intended to
> host mail servers.

Those streaming video servers in that returned /24 are going to work *real*
well talking to a network that implemented the block as a null route rather
than a port-25 block.





Re: Repeated Blacklisting / IP reputation

2009-09-10 Thread Benjamin Billon

You're not Hotmail =)



Re: Repeated Blacklisting / IP reputation

2009-09-10 Thread Peter Beckman

On Thu, 10 Sep 2009, Benjamin Billon wrote:

>> Why don't we just blacklist everything and only whitelist those we know
>> are good?
>
>>> Note we all could start using IPv6 and avoid this problem altogether.
>
> Yeah. When ISP will start receiving SMTP traffic in IPv6, they could
> start to accept whitelisted senders only.
>
> "IPv6 emails == clean"
>
> Utopian thought?


 My statement about blacklisting everything was sarcastic.  Clearly
 blacklisting everything and whitelisting individual blocks is not a
 viable, reasonable nor cost-effective option.

 Clearly I also suck at conveying sarcasm via email. :-)

Beckman
---
Peter Beckman  Internet Guy
beck...@angryox.com http://www.angryox.com/
---



Re: Repeated Blacklisting / IP reputation

2009-09-10 Thread Kevin Loch

Benjamin Billon wrote:

>> Why don't we just blacklist everything and only whitelist those we know
>> are good?
>
>>> Note we all could start using IPv6 and avoid this problem altogether.
>
> Yeah. When ISP will start receiving SMTP traffic in IPv6, they could
> start to accept whitelisted senders only.
>
> "IPv6 emails == clean"
>
> Utopian thought?

Are you not receiving SMTP traffic via IPv6 yet?

Received: from s0.nanog.org ([IPv6:2001:48a8:6880:95::20])

- Kevin




Re: Repeated Blacklisting / IP reputation

2009-09-10 Thread bmanning
On Thu, Sep 10, 2009 at 04:42:13PM +0200, Benjamin Billon wrote:
> 
> > Why don't we just blacklist everything and only whitelist those we know
> > are good?
> >
> >>Note we all could start using IPv6 and avoid this problem altogether.
> >
> Yeah. When ISP will start receiving SMTP traffic in IPv6, they could 
> start to accept whitelisted senders only.
> 
> "IPv6 emails == clean"
> 
> Utopian thought?

abt 8 years too late...

--bill



Re: Repeated Blacklisting / IP reputation

2009-09-10 Thread Benjamin Billon

> Why don't we just blacklist everything and only whitelist those we know
> are good?
>
>> Note we all could start using IPv6 and avoid this problem altogether.

Yeah. When ISP will start receiving SMTP traffic in IPv6, they could
start to accept whitelisted senders only.

"IPv6 emails == clean"

Utopian thought?



Re: Repeated Blacklisting / IP reputation

2009-09-10 Thread Peter Beckman

On Thu, 10 Sep 2009, Mark Andrews wrote:

> What a load of rubbish.  How is ARIN or any RIR/LIR supposed to
> know the intent of use?

 Why don't we just blacklist everything and only whitelist those we know
 are good?

 Because the cost of determining who is good and who is not has a great
 cost.  If you buy an IP block, regardless of your intent, that IP block
 should not have the ill-will of the previous owner passed on with it.  If
 the previous owner sucked, the new owner should have the chance to use
 that IP block without restriction until they prove that they suck, at
 which point it will be blocked again.  That system seems to work well
 enough: blacklist blocks when they start to be evil, according to your own
 (you being the neteng in charge) definition of evil.

 ARIN needs to be impartial.  If they are going to sell the block, they
 should do their best to make a coordinated effort to make sure the block
 is as unencumbered as possible.  I get that there is a sense that ARIN
 needs to do more due diligence to determine if the receiving party is
 worthy of that block, but I'm not aware of the process, and from the
 grumblings it doesn't seem like fun.

> Note we all could start using IPv6 and avoid this problem altogether.

 Because as we know IPv6 space is inexhaustible.  Just like IPv4 was when
 it began its life. ;-)

 That won't avoid the problem, it will simply put the problem off until it
 rears its head again.  I'm sure that IPv6 space will be more easily gotten
 until problems arise, and in a few years (maybe decades, we can put this
 problem on our children's shoulders), we'll be back where we are now --
 getting recycled IP space that is blocked or encumbered due to bad
 previous owners.

Beckman
---
Peter Beckman  Internet Guy
beck...@angryox.com http://www.angryox.com/
---



Re: Repeated Blacklisting / IP reputation

2009-09-10 Thread Nick Feamster
Hi Tom (and NANOG),

You may be interested in an alternative approach, motivated by the
very problem you are facing (see below).  Our system, SNARE, develops
IP reputation automatically based on a combination of network
features.  We'll discuss the pros and cons of this approach at MAAWG.
The additional information that SNARE provides might be helpful.

-Nick

Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic
Reputation Engine

Shuang Hao, Nadeem Ahmed Syed, Nick Feamster, Alexander Gray, Sven Krasser
Usenix Security '09, Montreal, Canada, August 2009

Users and network administrators need ways to filter email messages
based primarily on the reputation of the sender. Unfortunately,
conventional mechanisms for sender reputation -- notably, IP
blacklists -- are cumbersome to maintain and evadable. This paper
investigates ways to infer the reputation of an email sender based
solely on network-level features, without looking at the contents of a
message. First, we study first-order properties of network-level
features that may help distinguish spammers from legitimate senders.
We examine features that can be ascertained without ever looking at a
packet's contents, such as the distance in IP space to other email
senders or the geographic distance between sender and receiver. We
derive features that are lightweight, since they do not require seeing
a large amount of email from a single IP address and can be gleaned
without looking at an email's contents -- many such features are
apparent from even a single packet. Second, we incorporate these
features into a classification algorithm and evaluate the classifier's
ability to automatically classify email senders as spammers or
legitimate senders. We build an automated reputation engine, SNARE,
based on these features using labeled data from a deployed commercial
spam-filtering system. We demonstrate that SNARE can achieve
comparable accuracy to existing static IP blacklists: about a 70%
detection rate for less than a 0.3% false positive rate. Third, we
show how SNARE can be integrated into existing blacklists, essentially
as a first-pass filter.

http://gtnoise.net/pub/index.php?detail=14

On Tue, Sep 8, 2009 at 4:58 PM, Tom Pipes  wrote:
> I am amazed with the amount of thoughtful comments I have seen, both on and 
> off list. It really illustrates that people are willing to try to help out, 
> but there is an overall lack of clear direction on how to improve things.  
> Most of us seem to adopt that which has always just worked for us. Don't get 
> me wrong, I'm sure there are a lot of improvements/mods going on with RBL 
> operators in terms of the technology and how they choose who to block.  I'm 
> also certain that most of the carriers are doing their best to follow RFCs, 
> use e-mail filtering, and perform deep packet inspection to keep themselves 
> off of the lists. AND there seems to be some technologies that were meant to 
> work, and cause their own sets of problems (example:  allowing the end user 
> to choose what is considered spam and blacklisting based on that).  As was 
> said before, it's not the "WHY" but rather how can we fix it if it's broke.
>
> The large debate seems to revolve around responsibility, or lack thereof. In 
> our case, we are the small operator who sits in the sidelines hoping that 
> someone larger than us, or more influential has an opinion.  We participate 
> in lists, hoping to make a difference and contribute, knowing that in a lot 
> of cases, our opinion is just that:  an opinion.  I suppose that could spark 
> a debate about joining organizations (who shall go nameless here), power to 
> the people, etc.
>
> It seems as though a potential solution *may* revolve around ARIN/IANA having 
> the ability to communicate an authoritative list of reassigned IP blocks back 
> to the carriers.  This could serve as a signal to remove a block from the 
> RBL, but I'm sure there will be downfalls with doing this as well.
>
> In my specific case, I am left with a legacy block that I have to accept is 
> going to be problematic. Simply contacting RBL operators is just not doing 
> the trick. Most of the e-mails include links or at least an error code, but 
> some carriers just seem to be blocking without an error, or even worse, an 
> ACL...
>
> We will continue to remove these blocks as necessary, reassign IPs from other 
> blocks where absolutely necessary, and ultimately hope the problem resolves 
> itself over time.
>
> Thanks again for the very thoughtful and insightful comments, they are 
> greatly appreciated.
>
> Regards,
>
>
> ---
> Tom Pipes
> T6 Broadband/
> Essex Telcom Inc
> tom.pi...@t6mail.com
>
>
> - Original Message -
> From: "Tom Pipes" 
> To: nanog@nanog.org

Re: Repeated Blacklisting / IP reputation

2009-09-10 Thread Dave Martin
On Wed, Sep 09, 2009 at 04:13:18PM -0700, Jay Hennigan wrote:
> JC Dill wrote:
> As for a role account, there is "postmaster".  I would think that the  
> best hope in the real world, rather than an autoresponder would be an  
> RFC that clearly defines text accompanying an SMTP rejection notice  
> triggered by a blocklist, detailing the blocklist and contact for  
> removal.  Perhaps encouraging those who code MTAs and DNSBL hooks into  
> them to include such in the configuration files would be a good start.

That would be very useful.  Many of those small lists return 'Unknown
user' rather than an actual blacklist message.  A url where one could
get reason (meaning headers) for the block would be even better.  If
they don't admit that it's a block, it's hard to do much more than tell
the user to contact the recipient via some other channel and have *them*
contact their support system.


-- 
Dave
-
Nobody believed that I could build a space station here.  So I built it anyway.
It sank into the vortex.  So I built another one.  It sank into the vortex.  
The third station burned down, fell over then sank into the vortex.  The fourth
station just vanished.  And the fifth station, THAT stayed!



Re: Repeated Blacklisting / IP reputation

2009-09-09 Thread Mark Andrews

In message , Leo Vegoda writes:
> On Sep 9, 2009, at 7:18 PM, Alex Lanstein wrote:
> 
> > Along the same lines, I noticed that the worst Actor in recent
> > memory (McColo - AS26780) stopped paying their bills to ARIN and
> > their addresses have been returned to the pool.
> >
> > It's my opinion that a very select number of CIDR blocks (another
> > example being the ones belonging to Cernel/InternetPath/Atrivo/etc,
> > if it were ever fully extinguished) are, and forever will be,
> > completely toxic and unusable to any legitimate enterprise.
> > Arguments could be made that industry blacklists can and should be
> > more flexible, but from the considerably more innocuous case in this
> > thread, that is apparently not the modus operandi
> 
> Putting these addresses back into use does not mean that they have to
> be allocated to networks where they'll number mail servers. ARIN staff
> is doubtless aware of the history of these blocks and will presumably
> do their best to allocate them to networks that aren't intended to
> host mail servers.
> 
> Regards,
> 
> Leo

What a load of rubbish.  How is ARIN or any RIR/LIR supposed to
know the intent of use?

Push has come to shove and those that have incorrectly treated
address assignment as immutable will need to correct their ways
(excluding legacy assignments).  This will be painful for some.

Note we all could start using IPv6 and avoid this problem altogether.
There is nothing stopping us using IPv6 especially for MTA's.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Re: Repeated Blacklisting / IP reputation

2009-09-09 Thread Martin Hannigan
On Wed, Sep 9, 2009 at 11:30 PM, Leo Vegoda  wrote:

> On Sep 9, 2009, at 7:18 PM, Alex Lanstein wrote:
>
> > Along the same lines, I noticed that the worst Actor in recent
> > memory (McColo - AS26780) stopped paying their bills to ARIN and
> > their addresses have been returned to the pool.
> >
> > It's my opinion that a very select number of CIDR blocks (another
> > example being the ones belonging to Cernel/InternetPath/Atrivo/etc,
> > if it were ever fully extinguished) are, and forever will be,
> > completely toxic and unusable to any legitimate enterprise.
> > Arguments could be made that industry blacklists can and should be
> > more flexible, but from the considerably more innocuous case in this
> > thread, that is apparently not the modus operandi
>
> Putting these addresses back into use does not mean that they have to
> be allocated to networks where they'll number mail servers. ARIN staff
> is doubtless aware of the history of these blocks and will presumably
> do their best to allocate them to networks that aren't intended to
> host mail servers.
>
> Regards,
>
> Leo
>
>

Not sure when ICANN got into the business of economic bailouts, but the
mechanism that ICANN has defined seems patently unfair. Determining who is
worthy of allocations based on a class without community input into a policy
debate is "bad".

ObOps: Chasing down all of this grunge ain't cheap or fair.

Best,

Martin


-- 
Martin Hannigan   mar...@theicelandguy.com
p: +16178216079
Power, Network, and Costs Consulting for Iceland Datacenters and Occupants


Re: Repeated Blacklisting / IP reputation

2009-09-09 Thread Leo Vegoda
On Sep 9, 2009, at 7:18 PM, Alex Lanstein wrote:

> Along the same lines, I noticed that the worst Actor in recent  
> memory (McColo - AS26780) stopped paying their bills to ARIN and  
> their addresses have been returned to the pool.
>
> It's my opinion that a very select number of CIDR blocks (another  
> example being the ones belonging to Cernel/InternetPath/Atrivo/etc,  
> if it were ever fully extinguished) are, and forever will be,  
> completely toxic and unusable to any legitimate enterprise.   
> Arguments could be made that industry blacklists can and should be  
> more flexible, but from the considerably more innocuous case in this  
> thread, that is apparently not the modus operandi

Putting these addresses back into use does not mean that they have to  
be allocated to networks where they'll number mail servers. ARIN staff  
is doubtless aware of the history of these blocks and will presumably  
do their best to allocate them to networks that aren't intended to  
host mail servers.

Regards,

Leo



Re: Repeated Blacklisting / IP reputation

2009-09-09 Thread Paul Ferguson

On Wed, Sep 9, 2009 at 7:18 PM, Alex Lanstein 
wrote:

> Along the same lines, I noticed that the worst Actor in recent memory
> (McColo - AS26780) stopped paying their bills to ARIN and their addresses
> have been returned to the pool.
>
> It's my opinion that a very select number of CIDR blocks (another example
> being the ones belonging to Cernel/InternetPath/Atrivo/etc, if it were
> ever fully extinguished) are, and forever will be, completely toxic and
> unusable to any legitimate enterprise.  Arguments could be made that
> industry blacklists can and should be more flexible, but from the
> considerably more innocuous case in this thread, that is apparently not
> the modus operandi
>

With regards to Cernel/Internet Path/UkrTelGrp, it needs to be
"extinguished" first. :-)

-- ferg




-- 
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



RE: Repeated Blacklisting / IP reputation

2009-09-09 Thread Alex Lanstein
Along the same lines, I noticed that the worst Actor in recent memory (McColo - 
AS26780) stopped paying their bills to ARIN and their addresses have been 
returned to the pool.

It's my opinion that a very select number of CIDR blocks (another example being 
the ones belonging to Cernel/InternetPath/Atrivo/etc, if it were ever fully 
extinguished) are, and forever will be, completely toxic and unusable to any 
legitimate enterprise.  Arguments could be made that industry blacklists can 
and should be more flexible, but from the considerably more innocuous case in 
this thread, that is apparently not the modus operandi

I'm curious to hear ARIN's thoughts, as well as the general NANOG populace, on 
whether you think it would be beneficial/possible to allocate the former blocks 
to $internetgoodguys (Shadowserver, Cymru, REN-ISAC, etc) for sinkholing and 
distribution of the data.  /Many/ infected bots remain stranded post-McColo; 
large amounts of infection intelligence could easily be generated by such a 
move, and seemingly, would hurt no one.

Although I'm in favor of revocation of allocations, similar to what happens in 
the DNS space for "bad guys", this sort of move could obviously only happen if 
appropriate AUP sections were added into the contracts (which I don't see 
happening).  In the interim?  This seems like a golden opportunity to gather 
some serious intel.

Thoughts?

Regards,

Alex Lanstein



From: John Curran [jcur...@arin.net]
Sent: Tuesday, September 08, 2009 1:43 PM
To: nanog@nanog.org
Subject: Re: Repeated Blacklisting / IP reputation

Folks -

   It appears that we have a real operational problem, in that ARIN
   does indeed reissue space that has been reclaimed/returned after
   a hold-down period, but it appears that even once they are
   removed from the actual source RBL's, there are still ISP's who
   are manually updating these and hence block traffic much longer
   than necessary.

   I'm sure there's an excellent reason why these addresses stay
   blocked, but am unable to fathom what exactly that is...
   Could some folks from the appropriate networks explain why
   this is such a problem and/or suggest additional steps that
   ARIN or the recipients should be taking to avoid this situation?

Thanks!
/John

John Curran
President and CEO
ARIN

On Sep 8, 2009, at 11:16 AM, Ronald Cotoni wrote:

> Tom Pipes wrote:
>> Greetings,
>>
>> We obtained a direct assigned IP block 69.197.64.0/18 from ARIN in
>> 2008. This block has been cursed (for lack of a better word) since
>> we obtained it.  It seems like every customer we have added has had
>> repeated issues with being blacklisted by DUL and the cable
>> carriers. (AOL, AT&T, Charter, etc).  I understand there is a
>> process to getting removed, but it seems as if these IPs had been
>> used and abused by the previous owner.  We have done our best to
>> ensure these blocks conform to RFC standards, including the proper
>> use of reverse DNS pointers.
>>
>> I can resolve the issue very easily by moving these customers over
>> to our other direct assigned 66.254.192.0/19 block.  In the last
>> year I have done this numerous times and have had no further issues
>> with them.
>>
>> My question:  Is there some way to clear the reputation of these
>> blocks up, or start over to prevent the amount of time we are
>> spending with each customer troubleshooting unnecessary RBL and
>> reputation blacklisting?
>> I have used every opportunity to use the automated removal links
>> from the SMTP rejections, and worked with the RBL operators
>> directly.  Most of what I get are cynical responses and promises
>> that it will be fixed.
>> If there is any question, we perform inbound and outbound scanning
>> of all e-mail, even though we know that this appears to be
>> something more relating to the block itself.
>>
>> Does anyone have any suggestions as to how we can clear this issue
>> up?  Comments on or off list welcome.
>>
>> Thanks,
>>
>> --- Tom Pipes T6 Broadband/ Essex Telcom Inc tom.pi...@t6mail.com
>>
>>
> Unfortunately, there is no real good way to get yourself completely
> delisted.  We are experiencing that with a /18 we got from ARIN
> recently and it is basically the RBL's not updating or perhaps they
> are not checking the ownership of the ip's as compared to before.
> On some RBL's, we have IP addresses that have been listed since
> before the company I work for even existed.  Amazing right?
>







Re: Repeated Blacklisting / IP reputation

2009-09-09 Thread David Conrad

On Sep 9, 2009, at 12:13 PM, Martin Hannigan wrote:
> The problem of tainted ipv4 allocations probably grows from here since at
> some point in the near future there isn't going to be much left in terms of
> "clean" space to allocate. We're running out of v4 addresses in case anyone
> forgot.


Somewhat apropos to this discussion:

http://blog.icann.org/2009/09/selecting-which-8-to-allocate-to-an-rir/

Regards,
-drc




Re: Repeated Blacklisting / IP reputation

2009-09-09 Thread Jay Hennigan

JC Dill wrote:
> Joe Greco wrote:
>>  Answer queries to whether or not
>> IP space X is currently blocked (potentially at one of hundreds or
>> thousands of points in their system, which corporate security may not
>> wish to share, or even give "some random intern" access to)?  Process
>> reports of new ARIN delegations?  What are you thinking they're going to
>> do?  And why should they care enough to do it?
>
> Because if they don't, they are needlessly blocking re-allocated IP 
> addresses, potentially blocking their own users from receiving wanted 
> email.  Organizations could (and should) setup a role account and 
> auto-responder for this purpose.


Perhaps they should, but until there is sufficient pain from their own 
users complaining about it there is no financial motivation to do so, 
and therefore many will not.  I would guess that there are thousands of 
individual blocklists to this day blocking some of Sanford Wallace's and 
AGIS's old netblocks.


As for a role account, there is "postmaster".  I would think that the 
best hope in the real world, rather than an autoresponder would be an 
RFC that clearly defines text accompanying an SMTP rejection notice 
triggered by a blocklist, detailing the blocklist and contact for 
removal.  Perhaps encouraging those who code MTAs and DNSBL hooks into 
them to include such in the configuration files would be a good start.


This still puts the onus on the sender or inheritor of the tainted 
netblock, but makes the search less painful and perhaps even somewhat 
able to be scripted.


Note that this thread deals mostly with SMTP issues regarding DNSBLs, as 
those are the most common trouble point.  We should also consider other 
forms of blocking/filtering of networks reclaimed from former 
virus/malware/DoS sources.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: Repeated Blacklisting / IP reputation

2009-09-09 Thread JC Dill

Joe Greco wrote:
> John Curran wrote:
>> On Sep 8, 2009, at 2:18 PM, JC Dill wrote:
>>> It seems simple and obvious that ARIN, RIPE, et. al. should
>>> determine the blacklist state of a reclaimed IP group and ensure
>>> that the IP group is usable before re-allocating it.
>>>
>>> When IPs are reclaimed, first check to see if the reclaimed IPs are
>>> on any readily checked RBL or private blacklist of major ISPs,
>>> corporations, universities, etc.  If so, work with those groups to
>>> get the blocks removed *prior* to reissuing the IPs to a new
>>> entity. Before releasing the IPs to a new entity, double check that
>>> they are not being blocked (that any promises to remove them from
>>> a blacklist were actually fulfilled).  Hold the IPs until you have
>>> determined that they aren't overly encumbered with prior blacklist
>>> blocks due to poor behavior of the previous entity.  (The same
>>> should be done before allocating out of a new IP block, such as
>>> when you release the first set of IPs in a new /8.)
>>
>> In this case, it's not the RBL's that are the issue; the address
>> block in question isn't on them.  It's the ISP's and other firms
>> using manual copies rather than actually following best practices.
>
> It's not that hard to make a list of the major ISPs, corporations, 
> universities (entities with a large number of users), find willing 
> contacts inside each organization (individual or role addresses you can 
> email, and see if the email bounces, and who will reply if the email is 
> received) and run some automated tests to see if the IPs are being 
> blocked.  In your follow-up email to me, you said you check "dozens" of 
> RBLs - that is clearly insufficient - probably by an order of magnitude 
> - of the entities you should check with.  The number should be 
> "hundreds".  A reasonably clueful intern can provide you with a 
> suitable list in short order, probably less than 1 day, and find 
> suitable contacts inside each organization in a similar time frame - it 
> might take a week total to build a list of ~500 entities and associated 
> email addresses.  Because of employee turn-over the list will need to be 
> updated, ~1-10 old addresses purged and replaced with new ones on a 
> monthly basis.
>
> Really?  And you expect all these organizations to do ... what?  Hire an
> intern to be permanent liaison to ARIN? 

I'm expecting ARIN to spend a few staff-hours (utilizing low-cost labor 
such as an intern) to setup the list for ARIN to use to check the status 
of returned IPs, and spend a few more staff hours setting up an 
automated system to utilize the list prior to releasing reclaimed IPs 
for reallocation.  If, when using the list they discover out-dated 
addresses, spend a moment to find an updated address for that sole 
network.  Most of this can easily be automated once setup - the only 
things that need to be dealt with by hand would be purging the list of 
outdated contacts and finding new ones, which shouldn't take much time 
since it's not a very large list, and many of the contacts would (over 
time) become role accounts that don't become outdated as often or as 
easily as personal accounts.  Most of this is done by ARIN, not by the 
organizations they contact.  All each organization has to do is permit 
one employee or role account to be used for IP block testing, and reply 
to test emails.  The effort to setup a role account and autoresponder is 
minimal.

>  Answer queries to whether or not
> IP space X is currently blocked (potentially at one of hundreds or
> thousands of points in their system, which corporate security may not
> wish to share, or even give "some random intern" access to)?  Process
> reports of new ARIN delegations?  What are you thinking they're going to
> do?  And why should they care enough to do it?

Because if they don't, they are needlessly blocking re-allocated IP 
addresses, potentially blocking their own users from receiving wanted 
email.  Organizations could (and should) setup a role account and 
auto-responder for this purpose.

>>> Why isn't this being done now?
>>>
>>> Issuing reclaimed IPs is a lot like selling a used car, except that
>>> the buyer has no way to "examine" the state of the IPs you will
>>> issue them beforehand.  Therefore it's up to you (ARIN, RIPE, et.
>>> al.) to ensure that they are "just as good" as any other IP block.
>>> It is shoddy business to take someone's money and then sneakily
>>> give them tainted (used) goods and expect them to deal with
>>> cleaning up the mess that the prior owner made, especially when you
>>> charge the same rate for untainted goods!
>>
>> Not applicable in this case, as noted above.

What do you mean, "not applicable"?  You take the money and issue IPs.  
There is no way for the "buyer" to know before hand if the IPs are 
"tainted" (used) or new.  It is up to you (ARIN) to ensure that the 
goods (IPs) are suitable for the intended use.  My analogy is entirely 
applicable, and I'm amazed you think otherwise.

> WOW.  That's a hell of a statement.  There is absolutely no

Re: Repeated Blacklisting / IP reputation

2009-09-09 Thread Valdis . Kletnieks
On Wed, 09 Sep 2009 15:13:44 EDT, Martin Hannigan said:
> Not sure that this is an ARIN problem more than an operational problem since
> RBL's are opt-in. An effort to identify RBL's that are behaving poorly is
> probably more interesting at this point, no?

I suspect the problem isn't poor RBLs, it's all the little one-off block lists
out there.  The NANOG lurker in the next cubicle informs me that we currently
carry an astounding 52,274 block entries (to be fair, a large portion is due to
our vendor's somewhat-lacking block list - if we decide a /24 is bad, but then
want to whitelist 1 IP, we have to de-aggregate to 254 black entries instead).
We get maybe 5-6 blocked e-mail complaints a day - which *still* represents
better performance for our end users than if we didn't carry around that many
blocks (for comparison, we get at least 3-4 times that many tickets a day for
people who forgot their e-mail password and need a reset).

And yes, it's *very* intentional that we have a business process in place
that makes it trivially easy for one of our users to open a "I can't get
e-mail from " and get it taken care of *very* quickly, but opening a
"We can't send e-mail to your users" is a lot more challenging and time
consuming (at least for the complainant).

Now, if we didn't have a dedicated, hard-working, and skeptical lurker in the
next cubicle, our block list *would* be a mess.. ;)





Re: Repeated Blacklisting / IP reputation

2009-09-09 Thread John Curran
On Sep 8, 2009, at 5:20 PM, Joe Provo wrote:
>
> On Tue, Sep 08, 2009 at 01:43:39PM -0400, John Curran wrote:
> [snip]
>>  Could some folks from the appropriate networks explain why
>>  this is such a problem and/or suggest additional steps that
>>  ARIN or the recipients should be taking to avoid this situation?
>
> RSS feed of whois churn? Tighter whois:irr coupling headed toward
> the ripe model such that irr-oriented tools can be applied to the
> problem?

Joe -

   The RSS feed for "as-issued" blocks exists today, so RBL &
   private list operators can practice good hygiene as desired:
   Announcement: 

   Feed: 
   Note that this is post-issuance, not as reclaimed/recovered because
   we do allow non-payment blocks to be recovered by coming current
   on payment, and thus it's not safe to presume that they're always
   issued to a new organization.

   With respect to moving towards tighter whois:IRR coupling, is there
   community desire for such in this region, and does that address this
   problem?  e.g. Are blocks reissued in the RIPE region "cleaner" due
   to the tighter Whois:IRR linkage?

Thanks!
/John

John Curran
President and CEO
ARIN




Re: Repeated Blacklisting / IP reputation

2009-09-09 Thread Martin Hannigan
On Wed, Sep 9, 2009 at 1:15 PM, Seth Mattinen  wrote:

> Skywing wrote:
> > What's to stop spammers from doing this to cycle through blocks in
> rapid-fashion?
> >
> > This proposal seems easily abusable to me.
> >
>
> Oh, I don't know, maybe ARIN staff can say no? The process is heavy with
> human interaction, there is nothing "rapid" about it, and bears no
> comparison to the automated process of registering a domain name. You'd
> know that if you ever had to make a request for a number resource from
> ARIN.
>


The problem of tainted ipv4 allocations probably grows from here since at
some point in the near future there isn't going to be much left in terms of
"clean" space to allocate. We're running out of v4 addresses in case anyone
forgot.

Not sure that this is an ARIN problem more than an operational problem since
RBL's are opt-in. An effort to identify RBL's that are behaving poorly is
probably more interesting at this point, no?

Best Regards,

Marty



> ~Seth
>
>





-- 
Martin Hannigan   mar...@theicelandguy.com
p: +16178216079
Power, Network, and Costs Consulting for Iceland Datacenters and Occupants


Re: Repeated Blacklisting / IP reputation

2009-09-09 Thread Seth Mattinen
Skywing wrote:
> What's to stop spammers from doing this to cycle through blocks in 
> rapid-fashion?
> 
> This proposal seems easily abusable to me.
> 

Oh, I don't know, maybe ARIN staff can say no? The process is heavy with
human interaction, there is nothing "rapid" about it, and bears no
comparison to the automated process of registering a domain name. You'd
know that if you ever had to make a request for a number resource from ARIN.

~Seth



RE: Repeated Blacklisting / IP reputation

2009-09-09 Thread Skywing
What's to stop spammers from doing this to cycle through blocks in 
rapid-fashion?

This proposal seems easily abusable to me.

- S

From: Peter Beckman [beck...@angryox.com]
Sent: Tuesday, September 08, 2009 10:04 PM
To: Tom Pipes
Cc: nanog@nanog.org
Subject: Re: Repeated Blacklisting / IP reputation

How about a trial period from ARIN?  You get your IP block, and you get 30
days to determine if it is "clean" or not.  Do some testing, check the
blacklists, do some magic to see if there are network-specific blacklists
that might prevent your customers from sending or receiving email/web/other
connections with that new IP block.

If there are problems, go back to ARIN and show them your work and if they
can verify your work (or are simply lazy) you get a different block.  ARIN
puts the block into another quiet period.  Maybe they use the work you did
to clean up the block, maybe they don't.

Cleaning up a block of IPs previously used by shady characters has a real
cost, both in time and money.  The argument as I see it is who bears the
responsibility and cost of that cleanup.

Beckman
---
Peter Beckman  Internet Guy
beck...@angryox.com http://www.angryox.com/
---
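Beckman's "check the blacklists" step, and JC Dill's "run some automated tests to see if the IPs are being blocked" earlier in the thread, as an added example written for this page (it is not code from either poster): a sweep that forms the reversed-octet DNSBL query name for every address in a block, counts only answers inside 127.0.0.0/8 as listings, and totals the result per list. The list zone names, the block (TEST-NET 192.0.2.0/24) and the resolver are constructed so it runs offline; a real deployment would inject a DNS client in place of `fake_resolve`.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# A resolver returns the A records for a name, or None for NXDOMAIN. Injecting it
# keeps the sweep testable offline; in production wrap a real DNS client here.
Resolver = Callable[[str], Optional[List[str]]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets under the list zone, e.g. 77.2.0.192.dnsbl.example."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")


def is_listing(answers: List[str]) -> bool:
    """A DNSBL signals a listing with an A record in 127.0.0.0/8.

    Anything else (a defunct list whose domain now wildcards to a parking IP,
    for instance) must not be read as 'listed', or a dead list blocks the world.
    """
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    for a in answers:
        try:
            if ipaddress.IPv4Address(a) in loopback:
                return True
        except ValueError:
            continue
    return False


def sweep_block(cidr: str, zones: List[str], resolve: Resolver) -> Dict[str, Dict[str, List[str]]]:
    """Query every address in cidr against every zone; return {ip: {zone: [codes]}}."""
    listed: Dict[str, Dict[str, List[str]]] = {}
    for addr in ipaddress.IPv4Network(cidr):      # include .0 and .255: they get listed too
        for zone in zones:
            answers = resolve(dnsbl_query_name(str(addr), zone))
            if answers and is_listing(answers):
                listed.setdefault(str(addr), {})[zone] = sorted(answers)
    return listed


def summarize(listed: Dict[str, Dict[str, List[str]]], total_addresses: int) -> dict:
    """Per-zone listing counts and the share of the block that is encumbered."""
    per_zone: Dict[str, int] = {}
    for zones in listed.values():
        for zone in zones:
            per_zone[zone] = per_zone.get(zone, 0) + 1
    return {"per_zone": per_zone, "fraction_listed": len(listed) / total_addresses}


# Constructed stand-in for DNS: which (made-up) zones list which TEST-NET addresses.
_FAKE_LISTINGS = {
    "dnsbl-a.example": {str(a): ["127.0.0.2"] for a in ipaddress.IPv4Network("192.0.2.0/28")},
    "dnsbl-b.example": {"192.0.2.77": ["127.0.0.2", "127.0.0.4"]},
    "dnsbl-c.example": {},
}
_PARKED_ZONE = "dnsbl-dead.example"   # constructed: a defunct list whose domain now wildcards


def fake_resolve(name: str) -> Optional[List[str]]:
    if name.endswith("." + _PARKED_ZONE):
        return ["203.0.113.5"]            # parking-page answer, not a listing
    for zone, table in _FAKE_LISTINGS.items():
        suffix = "." + zone
        if name.endswith(suffix):
            ip = ".".join(reversed(name[: -len(suffix)].split(".")))
            return table.get(ip)           # None -> NXDOMAIN
    return None


SAMPLE_ZONES = ["dnsbl-a.example", "dnsbl-b.example", "dnsbl-c.example", _PARKED_ZONE]


def sweep_sample(cidr: str = "192.0.2.0/24") -> dict:
    """Sweep the constructed block against the constructed zones and summarize."""
    listed = sweep_block(cidr, SAMPLE_ZONES, fake_resolve)
    return {"listed": listed, **summarize(listed, ipaddress.IPv4Network(cidr).num_addresses)}


if __name__ == "__main__":
    result = sweep_sample()
    print("listed addresses:", len(result["listed"]))
    print("per zone:", result["per_zone"])
    print("fraction of block encumbered: %.3f" % result["fraction_listed"])
```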


RE: Repeated Blacklisting / IP reputation

2009-09-09 Thread Frank Bulk
Right on point -- we have a long list of manually entered netblocks in our
spam appliance's blacklist that we've accumulated over time.  Besides the
mistakes we've made, we've had to delist perhaps 5 over the last 2 years,
none due to ARIN reallocations.  Most times it's our customer calling our
helpdesk and saying "I can't get an e-mail from so-and-so".  There's a
strong (time resource) disincentive for us to review netblocks and then
delist them.  Ideally our spam appliance vendor would show us a top ten of
non-hit netblocks and we would remove them then (i.e. if no one has hit an
IP in that range for a month, the spammer has probably moved on), or as
another person suggested, just have the spam appliance age them out (change
the action applied from "blocked" to "do nothing").

One of the potential community-based approaches would be to have a hosted
RBL, with a 'view' for each SP or enterprise.  That is, each RBL would be
unique, but if I trusted organization B, I could request to use their RBL
entries, too.  Rather than managing a manual list, it would be managed on
the web with more management tools:
- search by date added, size of netblock, hits, etc.
- auto expiration/aging
- notification if netblock assigned to a new owner
- comparison against other RBLs (no use having it on my company's
RBL if Spamhaus has added it)
than an admin of a small operation would likely have.  Contact info could be
made available, mechanism to request delisting, etc.

Frank

-Original Message-
From: Jay Hennigan [mailto:j...@west.net] 
Sent: Tuesday, September 08, 2009 1:14 PM
To: John Curran
Cc: nanog@nanog.org
Subject: Re: Repeated Blacklisting / IP reputation

John Curran wrote:
> Folks -
> 
>It appears that we have a real operational problem, in that ARIN
>does indeed reissue space that has been reclaimed/returned after
>a hold-down period, but it appears that even once they are
>removed from the actual source RBL's, there are still ISP's who
>are manually updating these and hence block traffic much longer
>than necessary.
> 
>I'm sure there's an excellent reason why these addresses stay
>blocked, but am unable to fathom what exactly that is...
>Could some folks from the appropriate networks explain why
>this is such a problem and/or suggest additional steps that
>ARIN or the recipients should be taking to avoid this situation?

I don't think there is an excellent reason, more likely inertia and no 
real incentive to put forth the effort to proactively remove addresses.

Many ISPs and organizations have their own private blocklists not 
associated with the widely known DNSBLs.  Typically during or 
immediately after a spam run the mail administrator will manually add 
offending addresses or netblocks.  Spamtrap hits may do this 
automatically.  There isn't any real incentive for people to go back and 
remove addresses unless they're notified by their own customers that 
legitimate mail coming from those addresses is being blocked.  Because 
these blocklists are individually maintained, there is no central 
registry or means to "clean them up" when an IP assignment changes.

To make matters worse, some organizations may simply ACL the IP space so 
that the TCP connection is never made in the first place (bad, looks 
like a network problem rather than deliberate filtering), some may drop 
it during SMTP with no clear indication as to the reason (less bad, as 
there is at least a hint that it could be filtering), and some may 
actually accept the mail and then silently discard it (worst).

In addition there are several DNSBLs with different policies regarding 
delisting.  Some just time out after a period of time since abuse was 
detected.  Some require action in the form of a delisting request.  Some 
require a delisting request and a time period with no abuse.  Some (the 
old SPEWS list) may not be easily reached or have well defined policies.

In meatspace, once a neighborhood winds up with a reputation of being 
rife with drive-by shootings, gang activity and drug dealing it may take 
a long time after the last of the graffiti is gone before some cab 
drivers will go there.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
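Frank's "if no one has hit an IP in that range for a month" rule and the hand-maintained private blocklists Jay describes, as an added example written for this page (not code from either poster or from any spam appliance): a site-local blocklist that records when each netblock was added and last matched, credits hits from inbound-connection log lines, and demotes idle entries from "blocked" to log-only instead of deleting them, so the history stays. The entries, dates and Postfix-style log lines are constructed (TEST-NET ranges).

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Entry:
    """One manually added netblock in a site-local blocklist."""
    network: ipaddress.IPv4Network
    added: datetime
    reason: str
    action: str = "blocked"            # "blocked" or "log-only" (the "do nothing" state)
    hits: int = 0
    last_hit: Optional[datetime] = None


class PrivateBlocklist:
    def __init__(self, entries: List[Entry]):
        # Most specific prefix first, so a /32 inside a /24 gets the credit for a hit.
        self.entries = sorted(entries, key=lambda e: e.network.prefixlen, reverse=True)

    def lookup(self, ip: str) -> Optional[Entry]:
        addr = ipaddress.IPv4Address(ip)
        return next((e for e in self.entries if addr in e.network), None)

    def decision(self, ip: str) -> str:
        e = self.lookup(ip)
        return "reject" if e is not None and e.action == "blocked" else "accept"

    def record_hit(self, ip: str, when: datetime) -> Optional[Entry]:
        e = self.lookup(ip)
        if e is not None:
            e.hits += 1
            e.last_hit = when if e.last_hit is None else max(e.last_hit, when)
        return e

    def stale(self, now: datetime, max_idle: timedelta) -> List[Entry]:
        """Blocked entries with no hit within max_idle (never-hit entries count from addition)."""
        cutoff = now - max_idle
        return [e for e in self.entries
                if e.action == "blocked" and (e.last_hit or e.added) <= cutoff]

    def age_out(self, now: datetime, max_idle: timedelta) -> List[Entry]:
        """Demote stale entries to log-only rather than deleting them; returns what was demoted."""
        demoted = self.stale(now, max_idle)
        for e in demoted:
            e.action = "log-only"
        return demoted


# Inbound connection line: ISO timestamp, then "connect from host[ip]". The \b keeps
# "disconnect from" lines from being counted as a second hit.
CONNECT_RE = re.compile(r"^(\S+) .*\bconnect from \S+\[(\d+\.\d+\.\d+\.\d+)\]")


def replay_log(blocklist: PrivateBlocklist, lines: List[str]) -> int:
    """Credit one hit per connecting client to the matching entry; return hits credited."""
    credited = 0
    for line in lines:
        m = CONNECT_RE.match(line)
        if m and blocklist.record_hit(m.group(2), datetime.fromisoformat(m.group(1))) is not None:
            credited += 1
    return credited


# Constructed sample data: documentation ranges, made-up dates and log lines.
SAMPLE_ENTRIES = [
    Entry(ipaddress.IPv4Network("198.51.100.0/24"), datetime(2009, 6, 1), "June spam run"),
    Entry(ipaddress.IPv4Network("198.51.100.7/32"), datetime(2009, 9, 1), "repeat offender"),
    Entry(ipaddress.IPv4Network("203.0.113.64/26"), datetime(2009, 8, 20), "phishing source"),
    Entry(ipaddress.IPv4Network("192.0.2.0/24"), datetime(2007, 3, 11), "imported from old appliance"),
]
SAMPLE_LOG = [
    "2009-09-08T10:15:22 mx1 postfix/smtpd[2041]: connect from unknown[198.51.100.7]",
    "2009-09-08T10:16:02 mx1 postfix/smtpd[2041]: connect from unknown[198.51.100.200]",
    "2009-09-08T11:00:00 mx1 postfix/smtpd[2050]: connect from mail.example.net[203.0.113.9]",
    "2009-09-08T11:30:00 mx1 postfix/smtpd[2041]: disconnect from unknown[198.51.100.7]",
]


def build_sample() -> PrivateBlocklist:
    """Fresh copies of the sample entries so every run starts from the same state."""
    return PrivateBlocklist([Entry(e.network, e.added, e.reason) for e in SAMPLE_ENTRIES])


def run_sample(now: str = "2009-09-09", idle_days: int = 30) -> dict:
    """Replay the sample log, age out idle entries, and report what changed."""
    bl = build_sample()
    credited = replay_log(bl, SAMPLE_LOG)
    before = bl.decision("192.0.2.5")
    demoted = bl.age_out(datetime.fromisoformat(now), timedelta(days=idle_days))
    return {
        "credited": credited,
        "legacy_decision_before_aging": before,
        "demoted": [str(e.network) for e in demoted],
        "hits_by_prefix": {str(e.network): e.hits for e in bl.entries},
        "decisions": {ip: bl.decision(ip)
                      for ip in ("198.51.100.7", "198.51.100.200", "192.0.2.5", "203.0.113.9")},
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```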





Re: Repeated Blacklisting / IP reputation

2009-09-09 Thread Joe Greco
> John,
> 
> ARIN's role as the entity engaged in legal contractual relationship with 
> the previous owners of the space puts it in the position to insert 
> enforceable contract clauses to deter and/or mitigate "graffiti" in 
> allocations.

That's complicated.  How do you define "graffiti"?  Just for starters.
Given that even a whitehat network can generate occasional complaints,
and most commercial networks generate various levels of cruft, would
you consider it "graffiti" if a block of IP space assigned to a hotel
wifi network in Seattle got itself permanently ACL'ed by a college in
Miami, when someone inadvertently omitted the port 25 filter, and as a
result, the mail admins in Miami judged that the likelihood of ever 
receiving legitimate mail from there was about 0.0001%?  How would you
even know?

> Policy proposals probably are not required for this.
> 
> Space originally from outside ARIN, that's another kettle of fish.
> 
> ARIN is also in the position to refuse allocations for entities who don't 
> clean up after themselves. Policy likely required.

How exactly do you do that?  Spammers don't mind submitting fraudulent
applications.  How does ARIN tell that SpamNetA is actually the same
operation as FooIspB, even though they might be legally registered as
different companies?

> And finally, if this problem continues to worsen (as it likely will when 
> greenfield becomes scarce), a viable business opportunity should emerge 
> for reputable organizations to do cleanup on behalf of the new owners, 
> for a reasonable fee/retainer and after suitable financial/contractual 
> guarantees.
> 
> Cost of business, efficiency of scale and all that. Perhaps the bill 
> could even be sent to the previous owners.

That's likely to stand up in court.  Not.

> Operationally, I don't see how the problem can be mitigated solely by 
> those who are already informed.

I agree that it's problematic.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



Re: You're still not important, was Repeated Blacklisting / IP reputation

2009-09-09 Thread John Levine
>Cleaning up a block of IPs previously used by shady characters has a
>real cost, both in time and money.  The argument as I see it is who
>bears the responsibility and cost of that cleanup.

 ... and as we all know the fundamental axiom of Internet economics is
to foist off as many of your costs as possible on someone else.

If you get a new chunk of IP space, you find that it's listed in a lot
of private blacklists, and you're not able to get them to unlist you,
the reasonable conclusion is that they DO NOT CARE that you can't send
them mail.  A way to get them to care is to get their own customers,
i.e., the people to whom you are trying to send the mail, to complain
to their mail managers.  If that doesn't work, it either means that
the managers are incompetent, or that the recipients also DO NOT CARE
that you can't send them mail.  I would guess that the latter
situation occurs a lot more than the former.

Telling people to time out their listings automatically is a
non-starter, because they will find nearly all of them are still
spamming or sending no mail at all, and an infinitesimal trickle
switched to sending legit mail.  Who's going to do that?

Spam sucks, largely because spam is one of the most egregious cases of
foisting off costs on others.  If you get a toxic block, find a
creative lawyer and sue the former assignee for fraudulent transfer or
something.

Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
"More Wiener schnitzel, please", said Tom, revealingly.



Re: Repeated Blacklisting / IP reputation

2009-09-09 Thread Joe Maimon

John,

ARIN's role as the entity engaged in legal contractual relationship with 
the previous owners of the space puts it in the position to insert 
enforceable contract clauses to deter and/or mitigate "graffiti" in 
allocations.


Policy proposals probably are not required for this.

Space originally from outside ARIN, that's another kettle of fish.

ARIN is also in the position to refuse allocations for entities who don't 
clean up after themselves. Policy likely required.


And finally, if this problem continues to worsen (as it likely will when 
greenfield becomes scarce), a viable business opportunity should emerge 
for reputable organizations to do cleanup on behalf of the new owners, 
for a reasonable fee/retainer and after suitable financial/contractual 
guarantees.


Cost of business, efficiency of scale and all that. Perhaps the bill 
could even be sent to the previous owners.


Operationally, I don't see how the problem can be mitigated solely by 
those who are already informed.


Joe



John Curran wrote:

Folks -

   It appears that we have a real operational problem, in that ARIN
   does indeed reissue space that has been reclaimed/returned after
   a hold-down period, but it appears that even once they are
   removed from the actual source RBL's, there are still ISP's who
   are manually updating these and hence block traffic much longer
   than necessary.

   I'm sure there's an excellent reason why these addresses stay
   blocked, but am unable to fathom what exactly that is...
   Could some folks from the appropriate networks explain why
   this is such a problem and/or suggest additional steps that
   ARIN or the recipients should be taking to avoid this situation?

Thanks!
/John

John Curran
President and CEO
ARIN

On Sep 8, 2009, at 11:16 AM, Ronald Cotoni wrote:


Tom Pipes wrote:

Greetings,

We obtained a direct assigned IP block 69.197.64.0/18 from ARIN in
2008. This block has been cursed (for lack of a better word) since
we obtained it.  It seems like every customer we have added has had
repeated issues with being blacklisted by DUL and the cable
carriers.




Re: Repeated Blacklisting / IP reputation

2009-09-09 Thread Dave Rand
[In the message entitled "Re: Repeated Blacklisting / IP reputation" on Sep  8, 
14:34, Joe Greco writes:]
> > there is a fundamental disconnect here.  the IP space is neutral.
> > it has no bias toward or against social behaviours.  its a tool.
> > the actual/real target here are the people who are using these tools
> > to be antisocial.  blacklisting IP space is always reactive and 
> > should only be used in emergency and as a -TEMPORARY- expedient.
> > 
> > IMHO of course., YMMV.
> 
> 
> If people were given an option to "block this IP for 30 minutes, 24 hours,
> 30 days, 12 months, 5 years, or forever" - I wonder how many people would
> just shrug and click "forever."
> 
> This may lead to the discovery of another fundamental disconnect - or two.
> 


IP address space is neutral, but the operators of the space either permit,
or deny, the social behaviour which comes from these spaces. 

For what it's worth, I just completed a study of about 5 years of data on
spam.  I looked at 100,000,000 IP addresses which had sent me spam.

The median duration of sending was 300 days.  There was a pronounced peak at
2-3 years of about 30%.  The vast majority was more than 30 days.

"forever" is pretty close to right, based on current behaviour.

-- 



Re: Repeated Blacklisting / IP reputation

2009-09-09 Thread Joe Greco
> bmann...@vacation.karoshi.com wrote:
> >  sounds like domain tasting to me.
> 
> Oops!  Oh yeah.  Spammer gets an allocation...
> 
> "Well, if that netblock was clean before, it sure isn't now!  May I 
> please have another?"
> 
> Lather, rinse, repeat.

THAT would probably be easy enough to detect; RIR simply checks to see 
if new DNSBL entries had appeared, and refuses to trade in the block if
any do.

You may need a few more refinements too.

I don't think it's technically unworkable, if tackled correctly.  But it
also leaves some questions, such as what ARIN is expected to do with the
toxic wastelands left behind by spammers.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



Re: Repeated Blacklisting / IP reputation

2009-09-09 Thread Joe Greco
> > Show me ONE major MTA which allows you to configure an expiration for
> > an ACL entry.
> >
> > The problem with your opinion, and it's a fine opinion, and it's even a
> > good opinion, is that it has very little relationship to the tools which
> > are given to people in order to accomplish blocking.  Kind of the question
> > I was contemplating in my other message of minutes ago.
> >
> > If people were given an option to "block this IP for 30 minutes, 24 hours,
> > 30 days, 12 months, 5 years, or forever" - I wonder how many people would
> > just shrug and click "forever."
> >
> > This may lead to the discovery of another fundamental disconnect - or two.
> >
> > Sigh.
> >
> > ... JG
>   
> A cron job/schedule task with a script that removes said line would most 
> likely do wondrous things for you.  I could see a comment before each 
> listing with a time/date that you use some regex fu on to figure out how 
> long it was there and how long it should be there for.  Simple!  You 
> could also automate it with a web frontend for noobs so they don't have 
> to manually edit configuration files. 

You /COMPLETELY/ missed the point.

If this was something that people felt was truly useful, then there would
be support for something like this.  I mean, we've only had about 15 years
of spam-as-a-real-problem on the Internet.  The perception by most admins
is that when you block someone, you want to block them for a Really Long
Time.  If this wasn't true, then there would likely be an automatic 
feature built in to MTA ACL entries to expire.

I didn't say you /couldn't/ do it.  The problem is that the average spam
spewer is a long-term thing, so when you ACL off a host, you've probably
deemed the sender to be of no significant value to you, and you're not
expecting that they're suddenly going to become whitehat in two weeks, or
even six months.

Therefore, there's no default support built into MTA's for this, because
it /doesn't/ do anything "wondrous" for you.

I would agree that in the best case, we would want a default behaviour of
ACL removal when an IP block is reallocated by the RIR, but I don't see
an easy way to get there as a default behaviour of an MTA.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



Re: Repeated Blacklisting / IP reputation

2009-09-09 Thread Chris Hills

On 08/09/09 21:34, Joe Greco wrote:

Show me ONE major MTA which allows you to configure an expiration for
an ACL entry.


This is fairly trivial to do with Exim by storing your acl entries in a 
database or directory with a field/attribute for expiry, and an 
appropriate router configuration. No doubt you could implement this 
using a small script for any MTA. The upside of using a db/ldap backend 
is that it makes it easy to inter-operate with other things like your nms.





Re: Repeated Blacklisting / IP reputation

2009-09-08 Thread Jay Hennigan

bmann...@vacation.karoshi.com wrote:

 sounds like domain tasting to me.


Oops!  Oh yeah.  Spammer gets an allocation...

"Well, if that netblock was clean before, it sure isn't now!  May I 
please have another?"


Lather, rinse, repeat.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: Repeated Blacklisting / IP reputation

2009-09-08 Thread bmanning

 sounds like domain tasting to me.

--bill


On Wed, Sep 09, 2009 at 01:04:48AM -0400, Peter Beckman wrote:
> How about a trial period from ARIN?  You get your IP block, and you get 30
> days to determine if it is "clean" or not.  Do some testing, check the
> blacklists, do some magic to see if there are network-specific blacklists
> that might prevent your customers from sending or receiving email/web/other
> connections with that new IP block.
> 
> If there are problems, go back to ARIN and show them your work and if they
> can verify your work (or are simply lazy) you get a different block.  ARIN
> puts the block into another quiet period.  Maybe they use the work you did
> to clean up the block, maybe they don't.
> 
> Cleaning up a block of IPs previously used by shady characters has a real
> cost, both in time and money.  The argument as I see it is who bears the
> responsibility and cost of that cleanup.
> 
> Beckman
> ---
> Peter Beckman  Internet Guy
> beck...@angryox.com http://www.angryox.com/
> ---



Re: Repeated Blacklisting / IP reputation

2009-09-08 Thread Seth Mattinen
Peter Beckman wrote:
> How about a trial period from ARIN?  You get your IP block, and you get 30
> days to determine if it is "clean" or not.  Do some testing, check the
> blacklists, do some magic to see if there are network-specific blacklists
> that might prevent your customers from sending or receiving email/web/other
> connections with that new IP block.
> 
> If there are problems, go back to ARIN and show them your work and if they
> can verify your work (or are simply lazy) you get a different block.  ARIN
> puts the block into another quiet period.  Maybe they use the work you did
> to clean up the block, maybe they don't.
> 
> Cleaning up a block of IPs previously used by shady characters has a real
> cost, both in time and money.  The argument as I see it is who bears the
> responsibility and cost of that cleanup.
> 

I encourage someone to write a policy proposal; I'd support it. They
(the recipient) didn't have a darn thing to do with it becoming a
wasteland and shouldn't bear the cost. Unlike buying a (insert your
favorite object here), you can't inspect an IP block before purchase.

I fear that "we don't guarantee routability" will rear its ugly head
even if someone were to pen an awesome policy. I feel it's a poor
position for a registry to take, though. They still get the money even
if you can't use them, and uh oh, looks like you won't qualify for more
until you use the unusable.

Probably getting off topic for NANOG, like most threads that get this long.

~Seth



Re: Repeated Blacklisting / IP reputation

2009-09-08 Thread Peter Beckman

How about a trial period from ARIN?  You get your IP block, and you get 30
days to determine if it is "clean" or not.  Do some testing, check the
blacklists, do some magic to see if there are network-specific blacklists
that might prevent your customers from sending or receiving email/web/other
connections with that new IP block.

If there are problems, go back to ARIN and show them your work and if they
can verify your work (or are simply lazy) you get a different block.  ARIN
puts the block into another quiet period.  Maybe they use the work you did
to clean up the block, maybe they don't.

Cleaning up a block of IPs previously used by shady characters has a real
cost, both in time and money.  The argument as I see it is who bears the
responsibility and cost of that cleanup.

Beckman
---
Peter Beckman  Internet Guy
beck...@angryox.com http://www.angryox.com/
---

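An added example (editor's code, not from any poster and not an ARIN tool) of the check Beckman describes here and Greco's "see if new DNSBL entries had appeared": query a DNSBL for each address in a block using the reversed-octet name form, and tell a real listing apart from the list's own query-error answers. The two default zones are real public lists (their terms of use and rate limits apply); the `bl.example` zone, the sample resolver and the listed addresses in TEST-NET-1 are constructed for offline use. As the thread itself notes, this only sees published DNSBLs, not private copies or ACLs at receiving ISPs.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Resolver = Callable[[str], str]

# Real public DNSBL zones, used only as illustrative defaults; whether an
# address shows up in them is entirely up to the list operator.
DEFAULT_ZONES = ("zen.spamhaus.org", "dnsbl.sorbs.net")

# Answers in this range mean the query itself was rejected (Spamhaus uses
# 127.255.255.252-255 for that); counting them as listings is a common mistake.
ERROR_CODES = ipaddress.ip_network("127.255.255.0/24")
LISTING_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Form the DNSBL lookup name: IPv4 octets reversed, under the list zone."""
    octets = ipaddress.ip_address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify(answer: Optional[str]) -> str:
    """Turn a resolver result into one of: listed, error, clean."""
    if answer is None:
        return "clean"                  # NXDOMAIN: not listed
    try:
        addr = ipaddress.ip_address(answer)
    except ValueError:
        return "error"                  # not an address at all
    if addr in ERROR_CODES:
        return "error"
    if addr in LISTING_RANGE:
        return "listed"
    return "error"                      # off-spec answer: broken or hijacked zone


def check_block(cidr: str, zones: Iterable[str] = DEFAULT_ZONES,
                resolve: Resolver = socket.gethostbyname,
                stride: int = 1) -> Dict[str, List[Tuple[str, str]]]:
    """Query every `stride`-th address of the block against each zone.

    Returns {ip: [(zone, answer), ...]} for the addresses that came back
    listed.  `resolve` is injectable so the logic can be run offline.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    listed: Dict[str, List[Tuple[str, str]]] = {}
    zones = tuple(zones)
    for i, host in enumerate(net):
        if i % stride:
            continue
        for zone in zones:
            try:
                answer: Optional[str] = resolve(dnsbl_query_name(str(host), zone))
            except OSError:             # socket.gaierror on NXDOMAIN / timeout
                answer = None
            if classify(answer) == "listed":
                listed.setdefault(str(host), []).append((zone, answer))
    return listed


def new_listings(before: Dict[str, list], after: Dict[str, list]) -> List[str]:
    """Addresses listed in a later snapshot that were not listed in an earlier one."""
    return sorted(set(after) - set(before))


# Constructed offline resolver: one TEST-NET-1 address is "listed" in a
# hypothetical zone, another provokes a query-error code.
SAMPLE_ANSWERS = {
    "5.2.0.192.bl.example": "127.0.0.2",
    "6.2.0.192.bl.example": "127.255.255.254",
}


def sample_resolve(name: str) -> str:
    if name in SAMPLE_ANSWERS:
        return SAMPLE_ANSWERS[name]
    raise OSError("NXDOMAIN")


if __name__ == "__main__":
    # Offline demonstration.  Against a real block you would use the default
    # resolver and a stride, e.g. check_block("69.197.64.0/18", stride=64).
    print(check_block("192.0.2.0/29", zones=["bl.example"], resolve=sample_resolve))
```

Keep the result of each run; `new_listings` over two snapshots taken before and after a block is handed out is the diff Greco suggests an RIR would look at.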


Re: Repeated Blacklisting / IP reputation

2009-09-08 Thread William Astle

O'Reirdan, Michael wrote:

MAAWG has no size limitations as to members. Yes we do have a $4000 
supporter membership. This has not proved a barrier to many organisations.


Likely because for the ones for whom it is a barrier, they look at the 
cost and don't even bother considering an initial contact. Thus, you 
never hear about it.


Admittedly, most smaller organizations simply don't have the time to 
participate in even a handful of the $bignum industry organizations 
(whether they cost money or not) so that's likely a more substantial 
barrier.


To be completely clear, it's not clear to me that an organization that 
cannot afford $4000/year would actually have the resources to 
participate in a meaningful way anyway. Which is to say that I do not 
necessarily disagree with the fee structure, and that is speaking from 
under my "small organization for whom the $4k/year is an insurmountable 
barrier" hat.


All that said, I believe I have had my say sufficiently so I will not 
contribute further to the overall noise level on NANOG.




Mike O'Reirdan
Chairman, MAAWG
 


- Original Message -
From: Benjamin Billon 
To: nanog@nanog.org 
Sent: Tue Sep 08 17:17:58 2009
Subject: Re: Repeated Blacklisting / IP reputation

ISPs can be invited and there are specific meetings for them (closed to 
other members).

There're also whitepapers for ISP (and others).

But I agree, hoping ALL the ISPs join MAAWG or even hear about it is 
utopian.


--
Benjamin

William Astle a écrit :

J.D. Falk wrote:

Seth Mattinen wrote:


I was always under the impression that smaller orgs were not allowed to
join the MAAWG club.
I've heard that, too, but have no idea where it comes from.  It's not 
true; there's no size requirement or anything like that.


http://www.maawg.org/ has the membership application and other info.

The $4000/year minimum membership fee is a non-starter for small 
organizations who are already strapped for operating cash as it is. 
This is probably where the perception comes from.







--
William Astle
l...@l-w.ca




Re: Repeated Blacklisting / IP reputation

2009-09-08 Thread O'Reirdan, Michael
MAAWG has no size limitations as to members. Yes we do have a $4000 
supporter membership. This has not proved a barrier to many organisations.

Mike O'Reirdan
Chairman, MAAWG
 

- Original Message -
From: Benjamin Billon 
To: nanog@nanog.org 
Sent: Tue Sep 08 17:17:58 2009
Subject: Re: Repeated Blacklisting / IP reputation

ISPs can be invited and there are specific meetings for them (closed to 
other members).
There're also whitepapers for ISP (and others).

But I agree, hoping ALL the ISPs join MAAWG or even hear about it is 
utopian.

--
Benjamin

William Astle a écrit :
> J.D. Falk wrote:
>> Seth Mattinen wrote:
>>
>>> I was always under the impression that smaller orgs were not allowed to
>>> join the MAAWG club.
>>
>> I've heard that, too, but have no idea where it comes from.  It's not 
>> true; there's no size requirement or anything like that.
>>
>> http://www.maawg.org/ has the membership application and other info.
>>
>
> The $4000/year minimum membership fee is a non-starter for small 
> organizations who are already strapped for operating cash as it is. 
> This is probably where the perception comes from.
>



Re: Repeated Blacklisting / IP reputation

2009-09-08 Thread Benjamin Billon
ISPs can be invited and there are specific meetings for them (closed to 
other members).

There're also whitepapers for ISP (and others).

But I agree, hoping ALL the ISPs join MAAWG or even hear about it is 
utopian.


--
Benjamin

William Astle a écrit :

J.D. Falk wrote:

Seth Mattinen wrote:


I was always under the impression that smaller orgs were not allowed to
join the MAAWG club.


I've heard that, too, but have no idea where it comes from.  It's not 
true; there's no size requirement or anything like that.


http://www.maawg.org/ has the membership application and other info.



The $4000/year minimum membership fee is a non-starter for small 
organizations who are already strapped for operating cash as it is. 
This is probably where the perception comes from.






Re: Repeated Blacklisting / IP reputation

2009-09-08 Thread Justin Shore

Jay Hennigan wrote:

By the way, among the members...

Experian CheetahMail
ExactTarget, Inc
Responsys, Inc.
Vertical Response, Inc
Yesmail


Have you been reading from my blacklist again, Jay?

Justin





Re: Repeated Blacklisting / IP reputation

2009-09-08 Thread Tom Pipes
I am amazed with the amount of thoughtful comments I have seen, both on and off 
list. It really illustrates that people are willing to try to help out, but 
there is an overall lack of clear direction on how to improve things.  Most of 
us seem to adopt that which has always just worked for us. Don't get me wrong, 
I'm sure there are a lot of improvements/mods going on with RBL operators in 
terms of the technology and how they choose who to block.  I'm also certain 
that most of the carriers are doing their best to follow RFCs, use e-mail 
filtering, and perform deep packet inspection to keep themselves off of the 
lists. AND there seems to be some technologies that were meant to work, and 
cause their own sets of problems (example:  allowing the end user to choose 
what is considered spam and blacklisting based on that).  As was said before, 
it's not the "WHY" but rather how can we fix it if it's broke.

The large debate seems to revolve around responsibility, or lack thereof. In 
our case, we are the small operator who sits in the sidelines hoping that 
someone larger than us, or more influential has an opinion.  We participate in 
lists, hoping to make a difference and contribute, knowing that in a lot of 
cases, our opinion is just that:  an opinion.  I suppose that could spark a 
debate about joining organizations (who shall go nameless here), power to the 
people, etc.

It seems as though a potential solution *may* revolve around ARIN/IANA having 
the ability to communicate an authoritative list of reassigned IP blocks back 
to the carriers.  This could serve as a signal to remove a block from the RBL, 
but I'm sure there will be downfalls with doing this as well.

In my specific case, I am left with a legacy block that I have to accept is 
going to be problematic. Simply contacting RBL operators is just not doing the 
trick. Most of the e-mails include links or at least an error code, but some 
carriers just seem to be blocking without an error, or even worse, an ACL... 

We will continue to remove these blocks as necessary, reassign IPs from other 
blocks where absolutely necessary, and ultimately hope the problem resolves 
itself over time.

Thanks again for the very thoughtful and insightful comments, they are greatly 
appreciated.

Regards,


--- 
Tom Pipes 
T6 Broadband/ 
Essex Telcom Inc 
tom.pi...@t6mail.com 


- Original Message - 
From: "Tom Pipes"  
To: nanog@nanog.org 
Sent: Tuesday, September 8, 2009 9:57:58 AM GMT -06:00 US/Canada Central 
Subject: Repeated Blacklisting / IP reputation 

Greetings, 


We obtained a direct assigned IP block 69.197.64.0/18 from ARIN in 2008. This 
block has been cursed (for lack of a better word) since we obtained it. It 
seems like every customer we have added has had repeated issues with being 
blacklisted by DUL and the cable carriers. (AOL, AT&T, Charter, etc). I 
understand there is a process to getting removed, but it seems as if these IPs 
had been used and abused by the previous owner. We have done our best to ensure 
these blocks conform to RFC standards, including the proper use of reverse DNS 
pointers. 

I can resolve the issue very easily by moving these customers over to our other 
direct assigned 66.254.192.0/19 block. In the last year I have done this 
numerous times and have had no further issues with them. 

My question: Is there some way to clear the reputation of these blocks up, or 
start over to prevent the amount of time we are spending with each customer 
troubleshooting unnecessary RBL and reputation blacklisting? 

I have used every opportunity to use the automated removal links from the SMTP 
rejections, and worked with the RBL operators directly. Most of what I get are 
cynical responses and promises that it will be fixed. 

If there is any question, we perform inbound and outbound scanning of all 
e-mail, even though we know that this appears to be something more relating to 
the block itself. 

Does anyone have any suggestions as to how we can clear this issue up? Comments 
on or off list welcome. 

Thanks, 

--- 
Tom Pipes 
T6 Broadband/ 
Essex Telcom Inc 
tom.pi...@t6mail.com 





Re: Repeated Blacklisting / IP reputation

2009-09-08 Thread William Astle

J.D. Falk wrote:

Seth Mattinen wrote:


I was always under the impression that smaller orgs were not allowed to
join the MAAWG club.


I've heard that, too, but have no idea where it comes from.  It's not 
true; there's no size requirement or anything like that.


http://www.maawg.org/ has the membership application and other info.



The $4000/year minimum membership fee is a non-starter for small 
organizations who are already strapped for operating cash as it is. This 
is probably where the perception comes from.


--
William Astle
l...@l-w.ca



Re: Repeated Blacklisting / IP reputation

2009-09-08 Thread J.D. Falk

Seth Mattinen wrote:


I was always under the impression that smaller orgs were not allowed to
join the MAAWG club.


I've heard that, too, but have no idea where it comes from.  It's not true; 
there's no size requirement or anything like that.


http://www.maawg.org/ has the membership application and other info.

--
J.D. Falk
Co-Chair, Program Committee
Messaging Anti-Abuse Working Group



Re: Repeated Blacklisting / IP reputation

2009-09-08 Thread Alex Balashov

Joe Greco wrote:


I'm sorry, I agree that there's a problem, but this just sounds like it
isn't feasible.


Some people suffer from the culturally ingrained inability to understand 
that certain kinds of problems just can't.  Be.  Solved.


And/or they aren't worth solving under present circumstances.

--
Alex Balashov - Principal
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct  : (+1) (678) 954-0671



Re: Repeated Blacklisting / IP reputation

2009-09-08 Thread Ronald Cotoni

Joe Greco wrote:

there is a fundamental disconnect here.  the IP space is neutral.
it has no bias toward or against social behaviours.  its a tool.
the actual/real target here are the people who are using these tools
to be antisocial.  blacklisting IP space is always reactive and 
should only be used in emergency and as a -TEMPORARY- expedient.


IMHO of course., YMMV.



Show me ONE major MTA which allows you to configure an expiration for
an ACL entry.

The problem with your opinion, and it's a fine opinion, and it's even a
good opinion, is that it has very little relationship to the tools which
are given to people in order to accomplish blocking.  Kind of the question
I was contemplating in my other message of minutes ago.

If people were given an option to "block this IP for 30 minutes, 24 hours,
30 days, 12 months, 5 years, or forever" - I wonder how many people would
just shrug and click "forever."

This may lead to the discovery of another fundamental disconnect - or two.

Sigh.

... JG
  
A cron job/schedule task with a script that removes said line would most 
likely do wondrous things for you.  I could see a comment before each 
listing with a time/date that you use some regex fu on to figure out how 
long it was there and how long it should be there for.  Simple!  You 
could also automate it with a web frontend for noobs so they don't have 
to manually edit configuration files. 



Re: Repeated Blacklisting / IP reputation

2009-09-08 Thread Justin Shore

Wayne E. Bouchard wrote:

Best practices for the public or subscription RBLs should be to place
a TTL on the entry of no more than, say, 90 days or thereabouts. Best
practices for manual entry should be to either keep a list of what and
when or periodically to simply blow the whole list away and start anew
to get rid of stale entries. Of course, that is probably an unreal
expectation.


I've had to implement something similar for my RTBH trigger router. 
After manually-adding nearly 20,000 static routes of hosts that scanned 
for open proxies or attacked SSH daemons on my network I had to trim the 
block list considerably because many of my older PEs couldn't handle 
that many routes without problems.  I already named each static with a 
reason for the block(SSH, Telnet, Proxy-scan, etc) but ended up 
prepending a date to that string as well:  20090908-SSH-Scan.  That way 
I can parse the config later on and create config to negate everything 
that's older than 3-4 months.  If one of those old IPs is still trying 
to get to me after 4 months then it will get readded the next time I 
process my logs entries.  If they aren't trying to hit me then they'll 
no longer be consuming space in my RIB.


Justin

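An added example (editor's code, not Shore's or Cotoni's) of the aging scheme both of them describe: stamp each block entry with a date when it is added, then periodically generate the negations for entries older than a cutoff, leaving anything you cannot parse for a human. The IOS-style `ip route <host> 255.255.255.255 Null0 name YYYYMMDD-<reason>` syntax and the sample config are assumptions modelled on the post; the regex is the only thing to change for an MTA access map or any other flat list with dated comments.

```python
import re
from datetime import date, datetime, timedelta
from typing import Iterable, List, Tuple

# Assumed IOS-style host route with a dated name, as in the post:
#   ip route <host> 255.255.255.255 <next-hop> name YYYYMMDD-<reason>
ROUTE_RE = re.compile(
    r"^ip route (?P<host>\d{1,3}(?:\.\d{1,3}){3}) 255\.255\.255\.255 "
    r"(?P<nexthop>\S+) name (?P<stamp>\d{8})-(?P<reason>\S+)$"
)

# Date of the post, used as "today" for the offline demonstration.
TODAY = date(2009, 9, 8)


def stamp(hosts: Iterable[str], reason: str, today: date,
          nexthop: str = "Null0") -> List[str]:
    """Produce dated block entries for hosts picked out of today's logs."""
    tag = today.strftime("%Y%m%d")
    return [f"ip route {h} 255.255.255.255 {nexthop} name {tag}-{reason}"
            for h in hosts]


def reap(config: Iterable[str], today: date,
         max_age_days: int = 120) -> Tuple[List[str], List[str]]:
    """Return (negations, warnings).

    negations: `no ip route ...` lines for dated entries older than the cutoff.
    warnings:  named routes whose tag could not be parsed, left for review.
    Undated static routes are never touched.
    """
    cutoff = today - timedelta(days=max_age_days)
    negations: List[str] = []
    warnings: List[str] = []
    for raw in config:
        line = raw.strip()
        if not line.startswith("ip route "):
            continue
        m = ROUTE_RE.match(line)
        if m is None:
            if " name " in line:
                warnings.append(line)   # named, but not in the dated format
            continue                    # ordinary static route: leave alone
        try:
            entered = datetime.strptime(m["stamp"], "%Y%m%d").date()
        except ValueError:
            warnings.append(line)       # eight digits, but not a real date
            continue
        if entered < cutoff:
            negations.append(
                f"no ip route {m['host']} 255.255.255.255 {m['nexthop']}")
    return negations, warnings


# Constructed sample config using documentation prefixes, not real offenders.
SAMPLE_CONFIG = [
    "ip route 203.0.113.7 255.255.255.255 Null0 name 20090401-SSH-Scan",
    "ip route 203.0.113.9 255.255.255.255 Null0 name 20090908-Proxy-Scan",
    "ip route 198.51.100.0 255.255.255.0 192.0.2.1",
    "ip route 203.0.113.11 255.255.255.255 Null0 name 2009-09-08-SSH",
]

if __name__ == "__main__":
    for cmd in stamp(["203.0.113.20"], "SSH-Scan", TODAY):
        print(cmd)
    old, odd = reap(SAMPLE_CONFIG, TODAY)
    print("\n".join(old))
    print("review:", odd)
```

Run `reap` from cron against a fresh copy of the running config and push the negations; a host still scanning you gets a fresh dated entry from `stamp` the next time the logs are processed, which is exactly the re-add behaviour the post describes.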




Re: Repeated Blacklisting / IP reputation

2009-09-08 Thread Joe Greco
> John Curran wrote:
> >  On Sep 8, 2009, at 2:18 PM, JC Dill wrote:
> >
> > > It seems simple and obvious that ARIN, RIPE, et. al. should
> > > determine the blacklist state of a reclaimed IP group and ensure
> > > that the IP group is usable before re-allocating it.
> > >
> > > When IPs are reclaimed, first check to see if the reclaimed IPs are
> > >  on any readily checked RBL or private blacklist of major ISPs,
> > > corporations, universities, etc.  If so, work with those groups to
> > > get the blocks removed *prior* to reissuing the IPs to a new
> > > entity. Before releasing the IPs to a new entity, double check that
> > >  they are not being blocked (that any promises to remove them from
> > > a blacklist were actually fulfilled).  Hold the IPs until you have
> > > determined that they aren't overly encumbered with prior blacklist
> > > blocks due to poor behavior of the previous entity.  (The same
> > > should be done before allocating out of a new IP block, such as
> > > when you release the first set of IPs in a new /8.)
> >
> >  In this case, it's not the RBL's that are the issue; the address
> >  block in question isn't on them.  It's the ISP's and other firms
> >  using manual copies rather than actually following best practices.
> 
> It's not that hard to make a list of the major ISPs, corporations, 
> universities (entities with a large number of users), find willing 
> contacts inside each organization (individual or role addresses you can 
> email, and see if the email bounces, and who will reply if the email is 
> received) and run some automated tests to see if the IPs are being 
> blocked.  In your follow-up email to me, you said you check "dozens" of 
> RBLs - that is clearly insufficient - probably by an order of magnitude 
> - of the entities you should check with.  The number should be 
> "hundreds".  A reasonably cluefull intern can provide you with a 
> suitable list in short order, probably less than 1 day, and find 
> suitable contacts inside each organization in a similar time frame - it 
> might take a week total to build a list of ~500 entities and associated 
> email addresses.  Because of employee turn-over the list will need to be 
> updated, ~1-10 old addresses purged and replaced with new ones on a 
> monthly basis.

Really?  And you expect all these organizations to do ... what?  Hire an
intern to be permanent liaison to ARIN?  Answer queries to whether or not
IP space X is currently blocked (potentially at one of hundreds or
thousands of points in their system, which corporate security may not
wish to share, or even give "some random intern" access to)?  Process
reports of new ARIN delegations?  What are you thinking they're going to
do?  And why should they care enough to do it?

> > > Why isn't this being done now?
> > >
> > > Issuing reclaimed IPs is a lot like selling a used car, except that
> > >  the buyer has no way to "examine" the state of the IPs you will
> > > issue them beforehand.  Therefore it's up to you (ARIN, RIPE, et.
> > > al.) to ensure that they are "just as good" as any other IP block.
> > > It is shoddy business to take someone's money and then sneakily
> > > give them tainted (used) goods and expect them to deal with
> > > cleaning up the mess that the prior owner made, especially when you
> > >  charge the same rate for untainted goods!
> >
> >  Not applicable in this case, as noted above.
> 
> What do you mean, "not applicable"?  You take the money and issue IPs.  
> There is no way for the "buyer" to know before hand if the IPs are 
> "tainted" (used) or new.  It is up to you (ARIN) to ensure that the 
> goods (IPs) are suitable for the intended use.  My analogy is entirely 
> applicable, and I'm amazed you think otherwise.
 
WOW.  That's a hell of a statement.  There is absolutely nothing that
ARIN can do if I decide I'm going to have our servers block connections
from networks ending in an odd bit.  Nobody is in a position to ensure
that ANY Internet connection or IP space is "suitable for the intended
use."  Welcome to the Internet.

> >  So, back to the question:  could someone explain why they've got
> >  copies of the RBL's in their network which don't get updated on any
> >  reasonable refresh interval? (weekly? monthly?)
> 
> The "why" really isn't at issue - it happens and it's going to keep 
> happening.  The question is what are you (ARIN) going to do about it? 
> 
> Give me the serenity to accept the things I cannot change,
> The courage to change the things I can,
> And the wisdom to know the difference.
> 
> You (ARIN et. al.) don't have any ability to change the why.  What you 
> can change is how you go about determining if an IP block is suitable 
> for reallocation or not, and what steps you take to repair IP blocks 
> that aren't suitable for reallocation.

So, in addition to just registering IP space, it's also their job to clean
it up?

I'm sorry, I agree that there's a problem, but this just sounds like it
isn't feasib

Re: Repeated Blacklisting / IP reputation

2009-09-08 Thread Justin Shore

Jason Bertoch wrote:

> Suresh Ramasubramanian wrote:
>
>> That said most of the larger players already attend MAAWG - that
>> leaves rural ISPs, small universities, corporate mailservers etc etc
>> that don't have full time postmasters, and where you're more likely to
>> run into this issue.
>
> I've found the opposite to hold true more often.  Smaller organizations
> can use public blacklists for free, due to their low volume, and so have
> little incentive to run their own local blacklist.  I've typically seen
> the larger organizations run their own blacklists and are much more
> difficult to contact for removal.


Take for example GoDaddy's hosted email service.  They are using a 
local, outdated copy of SORBS that has one of my personal servers listed 
in it.  It was an open proxy for about a week nearly 3 years ago and still 
they have it listed.  The upside is that I've demonstrated GoDaddy's 
email incompetence to potential customers and gotten them to switch to 
our own mail services.  Their loss, my gain.


Justin




Re: Repeated Blacklisting / IP reputation

2009-09-08 Thread bmanning
On Tue, Sep 08, 2009 at 02:34:10PM -0500, Joe Greco wrote:
> > there is a fundamental disconnect here.  the IP space is neutral.
> > it has no bias toward or against social behaviours.  its a tool.
> > the actual/real target here are the people who are using these tools
> > to be antisocial.  blacklisting IP space is always reactive and 
> > should only be used in emergency and as a -TEMPORARY- expedient.
> > 
> > IMHO of course, YMMV.
> 
> Show me ONE major MTA which allows you to configure an expiration for
> an ACL entry.

call me old skool...  VI works a treat and I'm told there
is this thing called emacs ... but i remain dubious.

> 
> The problem with your opinion, and it's a fine opinion, and it's even a
> good opinion, is that it has very little relationship to the tools which
> are given to people in order to accomplish blocking.  Kind of the question
> I was contemplating in my other message of minutes ago.

if all you have is a hammer...
folks need better tools.

> If people were given an option to "block this IP for 30 minutes, 24 hours,
> 30 days, 12 months, 5 years, or forever" - I wonder how many people would
> just shrug and click "forever."

which is their choice.  please show me the mandate for accepting
routes/packets from any/everywhere?

me, i'd want the option to "block 192.0.2.0/24 as long as it
is announced by AS 0 and the whois data points to RIAA as the
registered contact" e.g. not just a temporal block.

or - if traffic from 192.0.2.80 increases more than 65% in a 150
second interval, block the IP for 27 minutes.

or - allow any/all traffic from 192.0.2.42 - regardless of the
blocking on 192.0.2.0/24

the mind boggles.

> This may lead to the discovery of another fundamental disconnect - or two.

such is the course of human nature.

> 
> Sigh.
> 
> ... JG
> -- 
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
> "We call it the 'one bite at the apple' rule. Give me one chance [and] then I
> won't contact you again." - Direct Marketing Ass'n position on e-mail 
> spam(CNN)
> With 24 million small businesses in the US alone, that's way too many apples.



Re: Repeated Blacklisting / IP reputation

2009-09-08 Thread Joe Greco
> there is a fundamental disconnect here.  the IP space is neutral.
> it has no bias toward or against social behaviours.  its a tool.
> the actual/real target here are the people who are using these tools
> to be antisocial.  blacklisting IP space is always reactive and 
> should only be used in emergency and as a -TEMPORARY- expedient.
> 
> IMHO of course, YMMV.

Show me ONE major MTA which allows you to configure an expiration for
an ACL entry.

The problem with your opinion, and it's a fine opinion, and it's even a
good opinion, is that it has very little relationship to the tools which
are given to people in order to accomplish blocking.  Kind of the question
I was contemplating in my other message of minutes ago.

If people were given an option to "block this IP for 30 minutes, 24 hours,
30 days, 12 months, 5 years, or forever" - I wonder how many people would
just shrug and click "forever."

This may lead to the discovery of another fundamental disconnect - or two.

Sigh.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
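Greco asks for one MTA that can expire an ACL entry, and bmanning's reply sketches the rules he would rather have: a block that lapses on its own, a rate trigger (more than 65% growth in a 150 second interval buys a 27 minute block), and a carve-out for one host inside a blocked /24. The Python below is an added sketch of an access list with exactly those properties, written for this page; it is not code from any MTA, from either poster, or from any blacklist operator. The class names, the fixed-window rate counter and the injectable clock are assumptions made for the illustration; the addresses are the RFC 5737 documentation ranges the thread already uses. The expire() step is also the piece a locally mirrored copy of an RBL lacks, which is how the stale SORBS listing described earlier in this thread survives for years.

```python
import ipaddress
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Entry:
    network: object           # ipaddress.IPv4Network or IPv6Network
    action: str               # "block" or "allow"
    expires: Optional[float]  # epoch seconds; None means "forever"


class AccessList:
    """MTA-style access list whose entries may carry an expiry.

    `now` is injectable so the behaviour can be driven by a fake clock
    (an assumption for this illustration; a real MTA would use wall time).
    """

    def __init__(self, now=time.time):
        self._now = now
        self._entries = []

    def block(self, cidr, ttl=None):
        self._add(cidr, "block", ttl)

    def allow(self, cidr, ttl=None):
        self._add(cidr, "allow", ttl)

    def _add(self, cidr, action, ttl):
        net = ipaddress.ip_network(cidr, strict=False)  # "192.0.2.42" -> /32
        expires = None if ttl is None else self._now() + ttl
        self._entries.append(Entry(net, action, expires))

    def expire(self):
        """Drop entries whose deadline has passed; returns the number dropped."""
        now = self._now()
        before = len(self._entries)
        self._entries = [e for e in self._entries
                         if e.expires is None or e.expires > now]
        return before - len(self._entries)

    def decision(self, ip):
        """Return "block", "allow" or "accept" (no live entry matches).

        The most specific live entry wins, so allow 192.0.2.42/32 overrides
        block 192.0.2.0/24 without touching the broader entry.
        """
        self.expire()
        addr = ipaddress.ip_address(ip)
        best = None
        for e in self._entries:
            if addr in e.network and (best is None or
                                      e.network.prefixlen > best.network.prefixlen):
                best = e
        return best.action if best else "accept"


class RateWatch:
    """Block an address for `penalty` seconds when its hit count in the
    current fixed window exceeds the previous window's count by more than
    `rise` (0.65 = 65%). Defaults mirror the numbers quoted in the thread."""

    def __init__(self, acl, window=150, rise=0.65, penalty=27 * 60, now=time.time):
        self.acl, self.window, self.rise, self.penalty = acl, window, rise, penalty
        self._now = now
        self._state = {}  # ip -> (window_index, previous_count, current_count)

    def observe(self, ip):
        """Record one hit from `ip`; returns True if this hit triggered a block."""
        idx = int(self._now() // self.window)
        w, prev, cur = self._state.get(ip, (idx, 0, 0))
        if idx != w:
            # Roll the window. A gap of more than one window resets history.
            prev, cur, w = (cur if idx == w + 1 else 0), 0, idx
        cur += 1
        self._state[ip] = (w, prev, cur)
        if prev and cur > prev * (1 + self.rise):
            self.acl.block(ip, self.penalty)
            return True
        return False


if __name__ == "__main__":
    acl = AccessList()
    acl.block("192.0.2.0/24")             # forever, as most MTA ACLs are today
    acl.allow("192.0.2.42")               # carve-out inside the blocked /24
    acl.block("198.51.100.7", ttl=30 * 60)
    for ip in ("192.0.2.1", "192.0.2.42", "198.51.100.7", "203.0.113.9"):
        print(ip, acl.decision(ip))
```

The "forever" entries behave exactly like a hand-edited access table, so nothing is lost for operators who prefer that; the difference is that a temporary listing cleans itself up, and a narrower allow entry can be added without editing the block that contains it. The rate counter is a deliberately simple fixed-window comparison and will re-block an address on every further hit in the same window; a production filter would want to suppress repeat entries and keep an audit trail of why each block was added.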
