Re: dealing with bogon spam ?
Just in case anyone's curious - the prefix still hasn't been updated in ARIN and I am still seeing tons of spam (grrr spammers and grr transit providers who don't filter advertisements of smaller customers).

I made a script which looks at our log files for IPs that are unknown, double checks them against the live database, and then reports the number of hits to me - that way I can at least take manual action against offenders. On the good side, the only offender I currently see is 40430, but I am still trying to remain vigilant for future spammers.

Leslie

Leslie wrote:
> Just FYI the colo4jax guys got back to me and it is a stale ARIN db entry - I guess they don't update it as quickly as I thought. So this is now just a normal case of spam.
>
> Leslie
>
> Leslie wrote:
> > Yes, unallocated (at least according to ARIN's whois db) but not unannounced - obviously our network can get to the space or else I wouldn't be having a spam problem with them! I'm actually seeing this /20 as advertised through Savvis from AS40430.
> >
> > It seems to me like the best solution might be a semi-hacky solution of asking ARIN (and other IRRs) if I can copy its DB and creating an internal peer which null routes unallocated blocks (updated nightly?)
> >
> > Has anyone seen an IRR's DBs not being updated for more than 30 days after allocations? I always assumed that they are quickly updated.
> >
> > Thanks again,
> > Leslie
> >
> > Jon Lewis wrote:
> > > Unallocated doesn't mean non-routed. All a spammer needs is a willing/non-filtering provider doing BGP with them, and they can announce any space they like, send out some spam, and then pull the announcement. Next morning, when you see the spam and try to figure out who to send complaints to, you're either going to complain to the wrong people or find that whois is of no help.
> > >
> > > On Tue, 27 Oct 2009, Church, Charles wrote:
> > > > This is puzzling me. If it's from non-announced space, at some point some router should report no route to it. How is the TCP handshake performed to allow a sync to turn into spam?
> > > >
> > > > Chuck
> > > >
> > > > Chuck Church
> > > > Network Planning Engineer, CCIE #8776
> > > > Harris Information Technology Services DOD Programs
> > > > 1210 N. Parker Rd. | Greenville, SC 29609
> > > > Office: 864-335-9473 | Cell: 864-266-3978
> > > > -- Sent using BlackBerry
Re: Re: dealing with bogon spam ?
Justin Shore wrote:
> Michiel Klaver wrote:
> > I would suggest to report that netblock to SpamHaus to have it included at their DROP list, and also use that DROP list as extra filter in addition to your bogon filter setup at your border routers. The SpamHaus DROP (Don't Route Or Peer) list was specially designed for this kind of abuse of stolen 'hijacked' netblocks and netblocks controlled entirely by professional spammers.
>
> As a brief off-shoot of the original topic, has anyone scripted the use of Spamhaus's DROP list in a RTBH, ACLs, null-routes, etc? I'm not asking if people think it's safe; that's up to the network wanting to deploy it. I'm wondering if anyone has any scripts for pulling down the DROP list, parsing it into whatever you need (static routes on a RTBH trigger router or ACLs on a border router) and then deploying the config change(s). I don't want to reinvent the wheel if someone else has already done this.
>
> Thanks
> Justin

SpamHaus already provides a link to a nice script for Cisco gear at their FAQ page: http://www.spamhaus.org/faq/answers.lasso?section=DROP%20FAQ

And this shell command should give you a Juniper style prefix-list to include at your filter terms (the sed expressions are quoted so the shell does not split them on the ';' and the spaces):

    wget -q -O - http://www.spamhaus.org/drop/drop.lasso | sed -e 's/;.*//' -e '/^[0-9]/ !d' -e 's/^/set policy-options prefix-list drop-lasso /'

Hope it's helpful!

With kind regards,
Michiel Klaver
IT Professional
Re: dealing with bogon spam ?
>         // Avoid broken/slow servers:
>         // 'afrinic' => 'ftp://ftp.afrinic.net/pub/stats/afrinic/delegated-afrinic-latest',
>         // 'apnic'   => 'ftp://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest',
>         // 'lacnic'  => 'ftp://ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-latest',
>     );
>
> Yes, generally the latter three are broken, but as they are mirrored to RIPE anyway, you can just pull them off there.

Having checked with Jeroen, I would like to observe that in the case of APNIC this is almost certainly IPv6 and pMTU problems. As he observes elsewhere in the email, we all shadow each other's data in the FTP trees so you can very probably choose one RIR, and use it as a fetch-point for all of this data.

BTW The last time this cropped up in any public eye facing NANOG type people it was the RFC Editor. It can happen to anyone. Geoff wrote it up at: http://www.potaroo.net/ispcol/2009-01/mtu6.html

So, this is not APNIC having broken FTP, it's the innate problem of IPv6 in the wild. If you fall back to v4, the fetch works just fine. If tomorrow you have problems fetching the stats from ARIN or RIPE, you might want to look at your path..

-George
Re: dealing with bogon spam ?
Yes, unallocated (at least according to ARIN's whois db) but not unannounced - obviously our network can get to the space or else I wouldn't be having a spam problem with them! I'm actually seeing this /20 as advertised through Savvis from AS40430.

It seems to me like the best solution might be a semi-hacky solution of asking ARIN (and other IRRs) if I can copy its DB and creating an internal peer which null routes unallocated blocks (updated nightly?)

Has anyone seen an IRR's DBs not being updated for more than 30 days after allocations? I always assumed that they are quickly updated.

Thanks again,
Leslie

Jon Lewis wrote:
> Unallocated doesn't mean non-routed. All a spammer needs is a willing/non-filtering provider doing BGP with them, and they can announce any space they like, send out some spam, and then pull the announcement. Next morning, when you see the spam and try to figure out who to send complaints to, you're either going to complain to the wrong people or find that whois is of no help.
>
> On Tue, 27 Oct 2009, Church, Charles wrote:
> > This is puzzling me. If it's from non-announced space, at some point some router should report no route to it. How is the TCP handshake performed to allow a sync to turn into spam?
> >
> > Chuck
> >
> > Chuck Church
> > Network Planning Engineer, CCIE #8776
> > Harris Information Technology Services DOD Programs
> > 1210 N. Parker Rd. | Greenville, SC 29609
> > Office: 864-335-9473 | Cell: 864-266-3978
> > -- Sent using BlackBerry
Re: dealing with bogon spam ?
Ah, colo4jax I see. Jacksonville, Florida. 68.234.16.0/20 shows up as unallocated but as these guys own the previous /20 it's probably a stale ARIN db and a brand new allocation.

    Prefix              AS Path                      Aggregation Suggestion
    68.234.0.0/20       4777 2497 25973 40430
    68.234.16.0/20      4608 1221 4637 3561 40430
    69.174.96.0/21      4777 2497 25973 40430
    173.205.80.0/20     4777 2497 25973 40430
    204.237.184.0/21    4777 2497 25973 40430
    204.237.192.0/22    4777 2497 25973 40430
    208.153.96.0/22     4777 2497 25973 40430
    208.169.228.0/22    4777 2497 25973 40430

On Wed, Oct 28, 2009 at 12:14 PM, Leslie les...@craigslist.org wrote:
> Yes, unallocated (at least according to ARIN's whois db) but not unannounced - obviously our network can get to the space or else I wouldn't be having a spam problem with them! I'm actually seeing this /20 as advertised through Savvis from AS40430.
>
> It seems to me like the best solution might be a semi-hacky solution of asking ARIN (and other IRRs) if I can copy its DB and creating an internal peer which null routes unallocated blocks (updated nightly?)
>
> Has anyone seen an IRR's DBs not being updated for more than 30 days after allocations? I always assumed that they are quickly updated.
>
> Thanks again,
> Leslie
>
> Jon Lewis wrote:
> > Unallocated doesn't mean non-routed. All a spammer needs is a willing/non-filtering provider doing BGP with them, and they can announce any space they like, send out some spam, and then pull the announcement. Next morning, when you see the spam and try to figure out who to send complaints to, you're either going to complain to the wrong people or find that whois is of no help.
> >
> > On Tue, 27 Oct 2009, Church, Charles wrote:
> > > This is puzzling me. If it's from non-announced space, at some point some router should report no route to it. How is the TCP handshake performed to allow a sync to turn into spam?
> > >
> > > Chuck
> > >
> > > Chuck Church
> > > Network Planning Engineer, CCIE #8776
> > > Harris Information Technology Services DOD Programs
> > > 1210 N. Parker Rd. | Greenville, SC 29609
> > > Office: 864-335-9473 | Cell: 864-266-3978
> > > -- Sent using BlackBerry

--
Suresh Ramasubramanian (ops.li...@gmail.com)
Re: dealing with bogon spam ?
On Tue, 27 Oct 2009 23:44:40 -0700 Leslie les...@craigslist.org wrote:
> It seems to me like the best solution might be a semi-hacky solution of asking ARIN (and other IRRs) if I can copy its DB and creating an internal peer which null routes unallocated blocks (updated nightly?)
>
> Has anyone seen an IRR's DBs not being updated for more than 30 days after allocations? I always assumed that they are quickly updated.

Note, ARIN is an RIR, a regional internet registry, which is what I presume you meant there. Nevertheless, while it might be worth a try from a research perspective, it may be a bit risky in a production environment. In addition, someone may announce a more specific so keep that scenario in mind.

The CIDR Report monitors RIR allocation data. This may be of interest to you: http://www.cidr-report.org/bogons/rir-data.html

You can get access to that allocation data as noted here: https://www.arin.net/knowledge/statistics/rir.html

John
Re: dealing with bogon spam ?
I would suggest to report that netblock to SpamHaus to have it included at their DROP list, and also use that DROP list as extra filter in addition to your bogon filter setup at your border routers. The SpamHaus DROP (Don't Route Or Peer) list was specially designed for this kind of abuse of stolen 'hijacked' netblocks and netblocks controlled entirely by professional spammers.

http://www.spamhaus.org/drop/

With kind regards,
Michiel Klaver
IT Professional
Re: dealing with bogon spam ?
Leslie wrote:
> [..]
> It seems to me like the best solution might be a semi-hacky solution of asking ARIN (and other IRRs) if I can copy its DB and creating an internal peer which null routes unallocated blocks (updated nightly?)

What you want to take is:

    $rirs = array(
        'afrinic' => 'ftp://ftp.ripe.net/pub/stats/afrinic/delegated-afrinic-latest',
        'apnic'   => 'ftp://ftp.ripe.net/pub/stats/apnic/delegated-apnic-latest',
        'arin'    => 'ftp://ftp.arin.net/pub/stats/arin/delegated-arin-latest',
        'lacnic'  => 'ftp://ftp.ripe.net/pub/stats/lacnic/delegated-lacnic-latest',
        'ripe'    => 'ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-latest',
        'brnic'   => 'ftp://ftp.registro.br/pub/stats/delegated-ipv6-nicbr-latest',
        // Avoid broken/slow servers:
        // 'afrinic' => 'ftp://ftp.afrinic.net/pub/stats/afrinic/delegated-afrinic-latest',
        // 'apnic'   => 'ftp://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest',
        // 'lacnic'  => 'ftp://ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-latest',
    );

Yes, generally the latter three are broken, but as they are mirrored to RIPE anyway, you can just pull them off there.

Then you have all IPv4 and IPv6 delegated blocks. If it is not in there, it is a bogon.

Yes, those are updated only once in a day or so, thus if someone is going to start using the block before it is published in those files you will get some false-positives, but then ask the question why they get a block up so quickly and start spamming you in the first place.

Those /stats/ dirs contain other useful things btw.

Greets,
Jeroen
Re: dealing with bogon spam ?
On Tue, 27 Oct 2009 16:57:17 PDT, Leslie said:
> We're seeing a decent chunk of spam coming from an unallocated block of address space.

Fear not, this will end when we run out of IPv4 space not too many months down the road :)

I admit to remaining confused as to why we still keep seeing providers who fail to do basic due-diligence like BCP38 filtering of packets, or asking a new BGP peer what they expect to announce and then filter based on that. I mean, come on guys - sure they may be 6 cents a meg cheaper, but do you really want to buy connectivity from a provider that can't run their network in a proper fashion?

Don't answer that. ;)
Re: dealing with bogon spam ?
On Oct 28, 2009, at 2:44 AM, Leslie wrote:
> Yes, unallocated (at least according to ARIN's whois db) but not unannounced - obviously our network can get to the space or else I wouldn't be having a spam problem with them! I'm actually seeing this /20 as advertised through Savvis from AS40430.
>
> It seems to me like the best solution might be a semi-hacky solution of asking ARIN (and other IRRs) if I can copy its DB and creating an internal peer which null routes unallocated blocks (updated nightly?)
>
> Has anyone seen an IRR's DBs not being updated for more than 30 days after allocations? I always assumed that they are quickly updated.
>
> Thanks again,
> Leslie

You may want to take a look at what is going on in the SIDR working group if you want something similar to this.

- Jared
Re: dealing with bogon spam ?
On Oct 28, 2009, at 7:14 AM, valdis.kletni...@vt.edu wrote:
> On Tue, 27 Oct 2009 16:57:17 PDT, Leslie said:
> > We're seeing a decent chunk of spam coming from an unallocated block of address space.
>
> Fear not, this will end when we run out of IPv4 space not too many months down the road :)
>
> I admit to remaining confused as to why we still keep seeing providers who fail to do basic due-diligence like BCP38 filtering of packets, or asking a new BGP peer what they expect to announce and then filter based on that. I mean, come on guys - sure they may be 6 cents a meg cheaper, but do you really want to buy connectivity from a provider that can't run their network in a proper fashion?
>
> Don't answer that. ;)

I can answer the above question regarding BCP38:

Vendor software defects and architecture limitations make it challenging to deploy a solution whereby BCP38 can be universally deployed. Customers that are unwilling to announce all their space also make uRPF problematic.

I'd like to see 'loose-rpf' universally deployed myself. There is no reason for unrouted space to have packets sourced from it. This makes up a fair percentage of traffic that root/gtld nameservers see (based on conversations I've had with operators over the years).

If you configure CPE devices and don't utilize anti-spoofing capabilities on the CPE-Lan, please add that to your templates. It is helpful to the internet as a whole; while you may not personally see return on your investment, others will.

- Jared
Re: dealing with bogon spam ?
> > It seems to me like the best solution might be a semi-hacky solution of asking ARIN (and other IRRs) if I can copy its DB and creating an internal peer which null routes unallocated blocks (updated nightly?)
>
> What you want to take is:
>
>     $rirs = array(
>         'afrinic' => 'ftp://ftp.ripe.net/pub/stats/afrinic/delegated-afrinic-latest',
>         'apnic'   => 'ftp://ftp.ripe.net/pub/stats/apnic/delegated-apnic-latest',
>         'arin'    => 'ftp://ftp.arin.net/pub/stats/arin/delegated-arin-latest',
>         'lacnic'  => 'ftp://ftp.ripe.net/pub/stats/lacnic/delegated-lacnic-latest',
>         'ripe'    => 'ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-latest',
>         'brnic'   => 'ftp://ftp.registro.br/pub/stats/delegated-ipv6-nicbr-latest',
>         // Avoid broken/slow servers:
>         // 'afrinic' => 'ftp://ftp.afrinic.net/pub/stats/afrinic/delegated-afrinic-latest',
>         // 'apnic'   => 'ftp://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest',
>         // 'lacnic'  => 'ftp://ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-latest',
>     );

this is brilliant. maybe we should form an org to do this and distribute via bgp? shall we have a contest for the name of the org? my bid is cymru

randy
Re: dealing with bogon spam ?
Randy Bush wrote:
> > > It seems to me like the best solution might be a semi-hacky solution of asking ARIN (and other IRRs) if I can copy its DB and creating an internal peer which null routes unallocated blocks (updated nightly?)
> >
> > What you want to take is:
> >
> >     $rirs = array(
> >         'afrinic' => 'ftp://ftp.ripe.net/pub/stats/afrinic/delegated-afrinic-latest',
> > [..]
>
> this is brilliant. maybe we should form an org to do this and distribute via bgp? shall we have a contest for the name of the org? my bid is cymru

Who have it already indeed for a long long time and have a proven track record.

I noted the above for the people who want to get their own copy from the IRRs, like what was asked above. For instance for the few who want to build their own setups, want to integrate it in their own systems etc.

Greets,
Jeroen
Re: dealing with bogon spam ?
On 29/10/2009, at 2:52 AM, Jeroen Massar wrote:
> Randy Bush wrote:
> > > > It seems to me like the best solution might be a semi-hacky solution of asking ARIN (and other IRRs) if I can copy its DB and creating an internal peer which null routes unallocated blocks (updated nightly?)
> > >
> > > What you want to take is:
> > >
> > >     $rirs = array(
> > >         'afrinic' => 'ftp://ftp.ripe.net/pub/stats/afrinic/delegated-afrinic-latest',
> > > [..]
> >
> > this is brilliant. maybe we should form an org to do this and distribute via bgp? shall we have a contest for the name of the org? my bid is cymru
>
> Who have it already indeed for a long long time and have a proven track record.
>
> I noted the above for the people who want to get their own copy from the IRRs, like what was asked above. For instance for the few who want to build their own setups, want to integrate it in their own systems etc.

I can't see anything on their site that provides a BGP feed of prefixes allocated by RIRs, which I think is what we're talking about here.

--
Nathan Ward
Re: dealing with bogon spam ?
On Thu, 29 Oct 2009 03:24:17 +1300 Nathan Ward na...@daork.net wrote:
> I can't see anything on their site that provides a BGP feed of prefixes allocated by RIRs, which I think is what we're talking about here.

We currently provide a BGP bogon route server feed for the asking, which are routes of 'well known' aggregate prefixes published by IANA as well as special and reserved netblocks documented by the IETF that should not be seen on the public net. Providing a feed of allocations would be the opposite approach of course. I suppose if there is interest and a need we could do this. Shoot myself or the team (i...@cymru.com) a note off list if you have thoughts on the matter or simply want to provide some feedback into such a service and how it might best be used. We're always on the look out for things we can do to help.

John
Re: dealing with bogon spam ?
Just FYI the colo4jax guys got back to me and it is a stale ARIN db entry - I guess they don't update it as quickly as I thought. So this is now just a normal case of spam.

Leslie

Leslie wrote:
> Yes, unallocated (at least according to ARIN's whois db) but not unannounced - obviously our network can get to the space or else I wouldn't be having a spam problem with them! I'm actually seeing this /20 as advertised through Savvis from AS40430.
>
> It seems to me like the best solution might be a semi-hacky solution of asking ARIN (and other IRRs) if I can copy its DB and creating an internal peer which null routes unallocated blocks (updated nightly?)
>
> Has anyone seen an IRR's DBs not being updated for more than 30 days after allocations? I always assumed that they are quickly updated.
>
> Thanks again,
> Leslie
>
> Jon Lewis wrote:
> > Unallocated doesn't mean non-routed. All a spammer needs is a willing/non-filtering provider doing BGP with them, and they can announce any space they like, send out some spam, and then pull the announcement. Next morning, when you see the spam and try to figure out who to send complaints to, you're either going to complain to the wrong people or find that whois is of no help.
> >
> > On Tue, 27 Oct 2009, Church, Charles wrote:
> > > This is puzzling me. If it's from non-announced space, at some point some router should report no route to it. How is the TCP handshake performed to allow a sync to turn into spam?
> > >
> > > Chuck
> > >
> > > Chuck Church
> > > Network Planning Engineer, CCIE #8776
> > > Harris Information Technology Services DOD Programs
> > > 1210 N. Parker Rd. | Greenville, SC 29609
> > > Office: 864-335-9473 | Cell: 864-266-3978
> > > -- Sent using BlackBerry
Re: dealing with bogon spam ?
On 28/10/09 00:57, Leslie wrote:
> How have you dealt with this issue? Does anyone publish a more granular listing of unallocated space? Does ARIN have this information somewhere other than just probing any given IP via whois?

You can at least get a list of all the allocated blocks. Presumably anything not allocated is unallocated and is a candidate for blocking.

    for rir in afrinic apnic arin lacnic ripencc; do
        wget ftp://ftp.ripe.net/pub/stats/$rir/delegated-$rir-latest
    done

These are updated daily and include both IPv4 and IPv6 allocations.

Now, what I would really like is an ARIN version of ripe.db.inetnum.gz :-)
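As an added example (not code from this thread, nor from any RIR), here is a parser for the delegated-<rir>-latest files that the wget loop above and Jeroen's $rirs array fetch: it builds the "if it is not in there, it is a bogon" table Jeroen describes and lists the unallocated sub-blocks of a parent prefix, which is the more granular listing Leslie asked for. The stats lines below are constructed samples in the file's layout, not real registry data.

```python
"""Parse RIR 'delegated-<rir>-latest' statistics files and derive the
unallocated (bogon) sub-blocks of a parent prefix.

Data line layout (RIR statistics exchange format, version 2):
    registry|cc|type|start|value|date|status[|extensions]
For type ipv4 'value' is a count of addresses (not always a power of two),
for ipv6 it is a prefix length, for asn it is a count of AS numbers.
"""
import ipaddress
from bisect import bisect_right

# Constructed sample (not a real file); real ones live under
# ftp://ftp.ripe.net/pub/stats/<rir>/delegated-<rir>-latest
SAMPLE_DELEGATED = """\
2|arin|20091028|6|19700101|20091028|-0500
# comment lines, the version line and summary lines must be skipped
arin|*|ipv4|*|5|summary
arin|US|ipv4|203.0.0.0|4096|20090301|allocated
arin|US|ipv4|203.0.32.0|3072|20090601|assigned
arin|CA|ipv4|203.0.128.0|256|20090901|allocated
arin|ZZ|ipv4|203.0.200.0|256|20090101|reserved
arin|US|ipv6|2001:db8::|32|20090301|allocated
arin|US|asn|64496|1|20090101|assigned
"""

# Only these statuses mean "someone may legitimately use this space";
# 'reserved' and 'available' blocks stay bogons.
ALLOCATED_STATUSES = {"allocated", "assigned"}


def parse_delegated(text):
    """Return {4: [(start, end), ...], 6: [...]}: sorted integer address
    ranges of allocated space, one list per IP version."""
    ranges = {4: [], 6: []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) < 7 or fields[2] not in ("ipv4", "ipv6"):
            continue                      # version line, summary, asn
        if fields[6] not in ALLOCATED_STATUSES:
            continue
        start = ipaddress.ip_address(fields[3])
        if fields[2] == "ipv4":
            end = start + int(fields[4]) - 1                    # value = count
        else:
            net = ipaddress.ip_network(f"{start}/{fields[4]}", strict=False)
            end = net.broadcast_address                         # value = prefix length
        ranges[start.version].append((int(start), int(end)))
    for version in ranges:
        ranges[version].sort()
    return ranges


class AllocationTable:
    def __init__(self, ranges):
        self.ranges = ranges
        self.starts = {v: [s for s, _ in r] for v, r in ranges.items()}

    def is_allocated(self, ip):
        """Binary-search the sorted ranges; False means bogon."""
        ip = ipaddress.ip_address(ip)
        rng = self.ranges[ip.version]
        i = bisect_right(self.starts[ip.version], int(ip)) - 1
        return i >= 0 and rng[i][0] <= int(ip) <= rng[i][1]

    def unallocated_within(self, parent):
        """CIDRs inside `parent` not covered by any allocation, e.g. the
        unallocated /20s of a /8 that is itself allocated to an RIR."""
        parent = ipaddress.ip_network(parent)
        addr_cls = type(parent.network_address)
        cursor = int(parent.network_address)
        last = int(parent.broadcast_address)
        gaps = []
        for start, end in self.ranges[parent.version]:
            if end < cursor or start > last:
                continue
            if start > cursor:
                gaps.append((cursor, start - 1))
            cursor = max(cursor, end + 1)     # tolerates overlapping entries
        if cursor <= last:
            gaps.append((cursor, last))
        out = []
        for lo, hi in gaps:
            out.extend(ipaddress.summarize_address_range(addr_cls(lo), addr_cls(hi)))
        return [str(n) for n in out]


if __name__ == "__main__":
    table = AllocationTable(parse_delegated(SAMPLE_DELEGATED))
    for cidr in table.unallocated_within("203.0.0.0/16"):
        print("unallocated within parent:", cidr)
```

The gap list is what you would turn into static null routes or a prefix filter, regenerated each time the daily files change so a fresh allocation is unblocked automatically.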
Re: dealing with bogon spam ?
Michiel Klaver wrote:
> I would suggest to report that netblock to SpamHaus to have it included at their DROP list, and also use that DROP list as extra filter in addition to your bogon filter setup at your border routers. The SpamHaus DROP (Don't Route Or Peer) list was specially designed for this kind of abuse of stolen 'hijacked' netblocks and netblocks controlled entirely by professional spammers.

As a brief off-shoot of the original topic, has anyone scripted the use of Spamhaus's DROP list in a RTBH, ACLs, null-routes, etc? I'm not asking if people think it's safe; that's up to the network wanting to deploy it. I'm wondering if anyone has any scripts for pulling down the DROP list, parsing it into whatever you need (static routes on a RTBH trigger router or ACLs on a border router) and then deploying the config change(s). I don't want to reinvent the wheel if someone else has already done this.

Thanks
Justin
Re: dealing with bogon spam ?
Justin Shore wrote:
> Michiel Klaver wrote:
> > I would suggest to report that netblock to SpamHaus to have it included at their DROP list, and also use that DROP list as extra filter in addition to your bogon filter setup at your border routers. The SpamHaus DROP (Don't Route Or Peer) list was specially designed for this kind of abuse of stolen 'hijacked' netblocks and netblocks controlled entirely by professional spammers.
>
> As a brief off-shoot of the original topic, has anyone scripted the use of Spamhaus's DROP list in a RTBH, ACLs, null-routes, etc? I'm not asking if people think it's safe; that's up to the network wanting to deploy it. I'm wondering if anyone has any scripts for pulling down the DROP list, parsing it into whatever you need (static routes on a RTBH trigger router or ACLs on a border router) and then deploying the config change(s). I don't want to reinvent the wheel if someone else has already done this.

Downloading and parsing is easy. I used to drop it into the config for a small dns server, rbldnsd I believe, that understands CIDR and used it as a local blacklist. It did very little to stop spam and I was never brave enough to script an automatic update to BGP.
Re: dealing with bogon spam ?
Leslie wrote:
> John Kristoff wrote:
> > I suppose if there is interest and a need we could do this. Shoot myself or the team (i...@cymru.com) a note off list if you have thoughts on the matter or simply want to provide some feedback into such a service and how it might best be used. We're always on the look out for things we can do to help.
>
> My big issue isn't the larger blocks, it's the smaller unallocated blocks - which anyone with a not-too-strict transit provider could easily steal and abuse. Getting the allocated space is just another way of finding the smaller unallocated blocks (with a bit of extra work)

The problem though with BGP is that when you have say a NonAllocatedFeed containing 10.0.0.0/8 then when somebody else announces 10.1.2.0/24 (or any other more specific) it will perfectly work. Unless you are able to pull off some tricks in hardware based routers (software based ones you can of course modify to do whatever you want but might not be the right thing to run in some scenarios).

As such, pulling the delegated files and generating prefix filters yourself, which you most likely have anyway for things like blackholing prefixes you otherwise also don't want to talk to.

And don't forget to source-filter those prefixes too :)

Greets,
Jeroen
Re: dealing with bogon spam ?
You are using it the wrong way .. most of the drop list is directly spammer controlled space used as, for example, CC for botnets. You'd see tons of abuse and little or no smtp traffic from a lot of those hosts.

On Thu, Oct 29, 2009 at 12:26 AM, Jason Bertoch ja...@i6ix.com wrote:
> Justin Shore wrote:
> > As a brief off-shoot of the original topic, has anyone scripted the use of Spamhaus's DROP list in a RTBH, ACLs, null-routes, etc? I'm not asking if people think it's safe; that's up to the network wanting to deploy it. I'm
>
> Downloading and parsing is easy. I used to drop it into the config for a small dns server, rbldnsd I believe, that understands CIDR and used it as a local blacklist. It did very little to stop spam and I was never brave enough to script an automatic update to BGP.
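An added example, not from this thread or from Spamhaus, of the "pull it down and parse it into whatever you need" step Justin asked about and Michiel's sed one-liner performs: it reads the DROP list layout (one prefix per line, `;` starts a comment or the SBL reference), drops anything that is not a valid CIDR so a malformed line can never reach a router, aggregates adjacent entries, and emits either Juniper prefix-list statements or RTBH-style static null routes. The entries below are constructed from documentation ranges rather than the real list, and the route tag is an assumed value.

```python
"""Turn the Spamhaus DROP text list into router configuration lines."""
import ipaddress

# Constructed sample in the DROP file layout; not real DROP entries.
SAMPLE_DROP = """\
; Spamhaus DROP List 2009/10/28 - (c) 2009 The Spamhaus Project
; Use of this List is subject to the terms of use
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
198.51.100.128/25 ; SBL000003
203.0.113.0/24 ; SBL000004
not-a-prefix ; SBL000005
"""


def parse_drop(text):
    """Return a sorted, aggregated list of IPv4Network objects.

    Comment lines and anything after ';' are ignored; a line that does not
    parse as a strict CIDR (host bits set, garbage) is skipped rather than
    turned into a route, which is the failure mode a blind sed pipeline has.
    """
    nets = []
    for line in text.splitlines():
        entry = line.split(";", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=True))
        except ValueError:
            continue          # in production: log it and keep going
    # adjacent /25s become one /24, so the router gets fewer entries
    return list(ipaddress.collapse_addresses(nets))


def juniper_prefix_list(nets, name="drop-lasso"):
    """Same output the sed one-liner produces, minus malformed lines."""
    return [f"set policy-options prefix-list {name} {n}" for n in nets]


def cisco_null_routes(nets, tag=666):
    """Static discard routes for a RTBH trigger router; the (assumed) tag
    is what a redistribution route-map would match to add the blackhole
    community before announcing the prefixes to the border routers."""
    return [f"ip route {n.network_address} {n.netmask} Null0 tag {tag}"
            for n in nets]


if __name__ == "__main__":
    drop_nets = parse_drop(SAMPLE_DROP)
    print("\n".join(juniper_prefix_list(drop_nets)))
    print("\n".join(cisco_null_routes(drop_nets)))
```

With a real list, the text comes from the drop.lasso URL quoted earlier in the thread; diff the generated lines against the running config before pushing so a list change (or an empty download) can be reviewed rather than applied blindly.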
dealing with bogon spam ?
First off, I'm not certain if unallocated space in blocks less than a /8 is properly called bogon, so pardon my terminology if I'm incorrect.

We're seeing a decent chunk of spam coming from an unallocated block of address space. We use CYMRU's great list of /8 bogon space to prevent completely off the wall abuse, but the granularity stops at /8's. Obviously, I've written the originating AS and its single upstream provider (sadly without any response). I'm not looking for a one time solution for this issue however -- I'd like to permanently block (and kick) anyone who's using unallocated space illegitimately.

How have you dealt with this issue? Does anyone publish a more granular listing of unallocated space? Does ARIN have this information somewhere other than just probing any given IP via whois?

Thanks!

Leslie
Craigslist Spam Hater
Re: dealing with bogon spam ?
I failed to mention we're seeing this from an unallocated /20 whose parent /8 is allocated to ARIN (and is partially in use)

Leslie

Leslie wrote:
> First off, I'm not certain if unallocated space in blocks less than a /8 is properly called bogon, so pardon my terminology if I'm incorrect.
>
> We're seeing a decent chunk of spam coming from an unallocated block of address space. We use CYMRU's great list of /8 bogon space to prevent completely off the wall abuse, but the granularity stops at /8's. Obviously, I've written the originating AS and its single upstream provider (sadly without any response). I'm not looking for a one time solution for this issue however -- I'd like to permanently block (and kick) anyone who's using unallocated space illegitimately.
>
> How have you dealt with this issue? Does anyone publish a more granular listing of unallocated space? Does ARIN have this information somewhere other than just probing any given IP via whois?
>
> Thanks!
>
> Leslie
> Craigslist Spam Hater
Re: dealing with bogon spam ?
On 28/10/2009, at 12:57 PM, Leslie wrote:
> First off, I'm not certain if unallocated space in blocks less than a /8 is properly called bogon, so pardon my terminology if I'm incorrect.
>
> We're seeing a decent chunk of spam coming from an unallocated block of address space. We use CYMRU's great list of /8 bogon space to prevent completely off the wall abuse, but the granularity stops at /8's. Obviously, I've written the originating AS and its single upstream provider (sadly without any response). I'm not looking for a one time solution for this issue however -- I'd like to permanently block (and kick) anyone who's using unallocated space illegitimately.
>
> How have you dealt with this issue? Does anyone publish a more granular listing of unallocated space? Does ARIN have this information somewhere other than just probing any given IP via whois?

You *might* be able to get a copy of the whois database as an optimisation so you don't have to hit their servers all the time - does that help? I wouldn't rely on that though, but I don't see any other good options.

Perhaps you can only accept stuff from networks that you first saw an announcement for greater than 7 days ago, to prevent people popping up with a network for a day, spamming, and then disappearing? Likely to get lots of false positives in that though, and as soon as someone figures out your technique it's not going to work.

Religious war alert: does SIDR solve this? I guess only if you only accept signed advertisements.. I don't know if that is the intended default mode or not.. Need to do some reading I guess.

--
Nathan Ward
Re: dealing with bogon spam ?
Leslie wrote:
> First off, I'm not certain if unallocated space in blocks less than a /8 is properly called bogon, so pardon my terminology if I'm incorrect.

Bogon is probably the correct term for any IP space that doesn't belong on the public Internet because it is reserved, unallocated, etc.

> We're seeing a decent chunk of spam coming from an unallocated block of address space. We use CYMRU's great list of /8 bogon space to prevent completely off the wall abuse, but the granularity stops at /8's. Obviously, I've written the originating AS and its single upstream provider (sadly without any response). I'm not looking for a one time solution for this issue however -- I'd like to permanently block (and kick) anyone who's using unallocated space illegitimately.

Not too permanently, though. That space is likely to become allocated, and the new legitimate user thereof shouldn't have to beg thousands of networks to unblock it.

> How have you dealt with this issue? Does anyone publish a more granular listing of unallocated space? Does ARIN have this information somewhere other than just probing any given IP via whois?

I'm not specifically aware of a more granular listing. It would have to be dynamic as new allocations occur all the time. The RIRs (ARIN, RIPE, APNIC, etc.) are the authoritative source for the space allocated to them, but I don't know if they have a real-time bogon list available.

In addition to the published list, Team Cymru has a BGP feed and other resources, but I don't know how granular it is with respect to unallocated space. See here: http://www.team-cymru.org/Services/Bogons/

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: dealing with bogon spam ?
What /20 would this be, and can you blame an out of date whois client or whois db for it?

If the /20 is being routed, and announced - chances are it IS allocated.

On Wed, Oct 28, 2009 at 5:40 AM, Leslie les...@craigslist.org wrote:
> I failed to mention we're seeing this from an unallocated /20 whose parent /8 is allocated to ARIN (and is partially in use)
>
> Leslie
Re: dealing with bogon spam ?
Suresh Ramasubramanian wrote:
> If the /20 is being routed, and announced - chances are it IS allocated.

Don't bet on it. This is one of the oldest spammer tricks in the book. I worked with ISPs as far back as the late 90s trying to track down poachers who temporarily squat on an unallocated block and announce it to the world.

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214 c: 843-813-2924 s: 843-564-4224 s: JonRKibler
e: jon.kib...@aset.com e: jon.r.kib...@gmail.com
http://www.linkedin.com/in/jonrkibler
Re: dealing with bogon spam ?
Having been postmastering at various places for about a decade, I have seen that too - yes. But cymru style filtering means it's kind of out of fashion now.

Though - a lot of the cases I've seen have been

1. Out of date whois client and the IP's been allocated after the whois client came out (with a hardcoded list of unallocated IPs)
2. Whois db is out of date - comparatively rarer but known to occur

Especially if you see a mainstream carrier routing it instead of some small outfit in Eastern Europe .. chances are it's a stale db somewhere rather than a totally unallocated block and phantom routing.

On Wed, Oct 28, 2009 at 6:25 AM, Jon Kibler jon.kib...@aset.com wrote:
> Suresh Ramasubramanian wrote:
> > If the /20 is being routed, and announced - chances are it IS allocated.
>
> Don't bet on it. This is one of the oldest spammer tricks in the book. I worked with ISPs as far back as the late 90s trying to track down poachers who temporarily squat on an unallocated block and announce it to the world.
Re: dealing with bogon spam ?
On Tue, 27 Oct 2009, Leslie wrote:
> I failed to mention we're seeing this from an unallocated /20 whose parent /8 is allocated to ARIN (and is partially in use)

What /20 would that be?

If you're sure it's unallocated, and see nothing but spam from it, block it at your border.

--
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key _________
Re: dealing with bogon spam ?
On 28/10/2009, at 2:00 PM, Suresh Ramasubramanian wrote:
> Having been postmastering at various places for about a decade, I have seen that too - yes. But Cymru-style filtering means it's kind of out of fashion now.

Sure, if the prefix is within something that Cymru call a bogon. If it's within a current RIR pool, not so much.

--
Nathan Ward
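The distinction Suresh and Nathan are drawing (a bogon list catches reserved, never-routable space; an unassigned hole inside a block a registry already holds only shows up on a list that also carries the unassigned space, such as Team Cymru's fullbogons feed) is easy to see in code. The following is an added example written for this page, not a script posted by anyone in the thread. Every prefix is a placeholder taken from RFC 5737 / RFC 1918 documentation and private ranges, the "registry pool" is scaled down to a /24 with two /26 sub-allocations, and the smtpd log lines are constructed; the hole left in the pool plays the part of the thread's unallocated /20 whose parent /8 is held by ARIN.

```python
"""Added example (not from the thread): a static bogon list versus a
fullbogons-style list when the spam source is an unassigned hole inside
a registry-held pool.

All prefixes and log lines are constructed placeholders, not registry data.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Static bogon list: reserved / never-routable space only, the shape of the
# classic hard-coded list. Constructed subset.
STATIC_BOGONS = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Placeholder for a block held by a registry (the thread's "parent /8
# allocated to ARIN"), scaled down to a /24 from documentation space.
RIR_POOL = ip_network("198.51.100.0/24")

# Placeholder sub-allocations inside that pool; everything else in the
# pool is an unassigned hole (the thread's "unallocated /20").
ALLOCATIONS = [ip_network("198.51.100.0/26"), ip_network("198.51.100.64/26")]


def pool_holes(pool, allocations):
    """Return the unassigned prefixes left after carving allocations out of pool.

    These holes are what a fullbogons-style list adds on top of the static list.
    """
    remaining = [pool]
    for alloc in allocations:
        nxt = []
        for net in remaining:
            if alloc.subnet_of(net):
                nxt.extend(net.address_exclude(alloc))  # split net around alloc
            elif net.subnet_of(alloc):
                continue  # fully covered by the allocation; nothing unassigned here
            else:
                nxt.append(net)
        remaining = nxt
    return sorted(remaining)


def classify(ip):
    """Classify one source address: static bogon, allocated, unassigned hole
    inside the registry pool, or outside every table we know about."""
    addr = ip_address(ip)
    if any(addr in n for n in STATIC_BOGONS):
        return "bogon-static"
    if any(addr in n for n in ALLOCATIONS):
        return "allocated"
    if addr in RIR_POOL:
        return "unassigned-in-rir-pool"
    return "unknown"


def dropped_by_filter(ip, full_bogons=False):
    """Would a static bogon filter (or, with full_bogons=True, one that also
    carries the pool holes) drop traffic from this address?"""
    status = classify(ip)
    if status == "bogon-static":
        return True
    return full_bogons and status == "unassigned-in-rir-pool"


# Constructed postfix-style smtpd log lines; the addresses are placeholders.
SAMPLE_LOG = """\
Oct 27 21:08:12 mx1 postfix/smtpd[1234]: connect from unknown[10.1.2.3]
Oct 27 21:08:13 mx1 postfix/smtpd[1234]: connect from mail.example.net[198.51.100.10]
Oct 27 21:08:14 mx1 postfix/smtpd[1235]: connect from unknown[198.51.100.200]
Oct 27 21:08:15 mx1 postfix/smtpd[1236]: connect from unknown[198.51.100.200]
Oct 27 21:08:16 mx1 postfix/smtpd[1237]: connect from unknown[203.0.113.5]
"""

_CLIENT_RE = re.compile(r"connect from \S+\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def scan_log(text):
    """Count connecting addresses by classification, the way a 'report the
    number of hits' script over the mail log would."""
    counts = Counter()
    for line in text.splitlines():
        m = _CLIENT_RE.search(line)
        if m:
            counts[classify(m.group(1))] += 1
    return counts


if __name__ == "__main__":
    print("unassigned holes in pool:",
          [str(n) for n in pool_holes(RIR_POOL, ALLOCATIONS)])
    print("hits by class:", dict(scan_log(SAMPLE_LOG)))
    for ip in ("10.1.2.3", "198.51.100.200"):
        print(ip, classify(ip),
              "| static filter drops:", dropped_by_filter(ip),
              "| fullbogons drops:", dropped_by_filter(ip, full_bogons=True))
```

Run as-is, the 198.51.100.200 connections (the hole inside the pool) pass the static filter and are dropped only when the pool holes are part of the list, which is Nathan's point: a list that only knows reserved space says nothing about a current RIR pool. In practice the hole list comes from a feed that tracks registry allocations, and it has to be refreshed on the feed's schedule, because a block that was a hole yesterday can be a legitimate new allocation today.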
Re: dealing with bogon spam ?
This is puzzling me. If it's from non-announced space, at some point some router should report no route to it. How is the TCP handshake performed to allow a SYN to turn into spam?

Chuck

Chuck Church
Network Planning Engineer, CCIE #8776
Harris Information Technology Services
DOD Programs
1210 N. Parker Rd. | Greenville, SC 29609
Office: 864-335-9473 | Cell: 864-266-3978
--
Sent using BlackBerry

----- Original Message -----
From: Jon Lewis <jle...@lewis.org>
To: Leslie <les...@craigslist.org>
Cc: NANOG <nanog@nanog.org>
Sent: Tue Oct 27 21:08:12 2009
Subject: Re: dealing with bogon spam ?

On Tue, 27 Oct 2009, Leslie wrote:
> I failed to mention we're seeing this from an unallocated /20 whose parent /8 is allocated to ARIN (and is partially in use)

What /20 would that be?

If you're sure it's unallocated, and see nothing but spam from it, block it at your border.

--
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key _________
Re: dealing with bogon spam ?
On 28/10/2009, at 2:20 PM, Church, Charles wrote:
> This is puzzling me. If it's from non-announced space, at some point some router should report no route to it. How is the TCP handshake performed to allow a SYN to turn into spam?

Unallocated is not the same as unannounced.
Re: dealing with bogon spam ?
Unallocated doesn't mean non-routed. All a spammer needs is a willing/non-filtering provider doing BGP with them, and they can announce any space they like, send out some spam, and then pull the announcement. Next morning, when you see the spam and try to figure out who to send complaints to, you're either going to complain to the wrong people or find that whois is of no help.

On Tue, 27 Oct 2009, Church, Charles wrote:
> This is puzzling me. If it's from non-announced space, at some point some router should report no route to it. How is the TCP handshake performed to allow a SYN to turn into spam?
>
> Chuck
>
> Chuck Church
> Network Planning Engineer, CCIE #8776
> Harris Information Technology Services
> DOD Programs
> 1210 N. Parker Rd. | Greenville, SC 29609
> Office: 864-335-9473 | Cell: 864-266-3978
> --
> Sent using BlackBerry

--
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key _________
Re: dealing with bogon spam ?
Seen it before - but mostly for malware rather than for spam. And certainly not long enough / persistent enough for a full-fledged spam campaign (4..5 days, rather than a day or two at the most when people start noticing and dropping the bogus announcement).

On Wed, Oct 28, 2009 at 6:57 AM, Jon Lewis <jle...@lewis.org> wrote:
> Unallocated doesn't mean non-routed. All a spammer needs is a willing/non-filtering provider doing BGP with them, and they can announce any space they like, send out some spam, and then pull the announcement. Next morning, when you see the spam and try to figure out who to send complaints to, you're either going to complain to the wrong people or find that whois is of no help.