On Fri, 13 Apr 2007, Rich Kulawiec wrote:
> Since when is it "punishment" to refuse to extend a privilege that's been
> repeatedly and systematically abused?
It IS punishment if it's in response to some sort of undesired behavior,
but it probably isn't UNJUSTIFIED punishment.
--
Steve Sobol,
On Sat, Apr 07, 2007 at 05:12:19PM -0500, Frank Bulk wrote:
> If they're properly SWIPed why punish the ISP for networks they don't even
"punish"?
Since when is it "punishment" to refuse to extend a privilege that's been
repeatedly and systematically abused? (You have of course, absolutely
no r
Last post for me on this thread... Dirty Networking 101
So the other morning I found a contact for a company who'll for
now remain unnamed, this contact is on this group...Sent them
yet another message (3 this week):
To whom it may concern,
One of my servers has been heavily under attack for th
On Thursday 12 April 2007 06:14, Fernando André wrote:
> Quoting Frank Bulk <[EMAIL PROTECTED]>:
> " but imagine how much work it
>
> > would save their abuse department in the long run"
>
> I think that Comcast trouble isn't as much as the company's affected I
> keep the idea that the best is t
Quoting Frank Bulk <[EMAIL PROTECTED]>:
" but imagine how much work it
would save their abuse department in the long run"
I think that Comcast trouble isn't as much as the company's affected I keep
the idea that the best is to rate limit incoming connections and a lot of
filtering to preven
Mikael Abrahamsson wrote:
>
> On Wed, 11 Apr 2007, Frank Bulk wrote:
>
>> It truly is a wonder that Comcast doesn't apply DOCSIS config file
>> filters
>> on their consumer accounts, leaving just the IPs of their email servers
>> open. Yes, it would take an education campaign on their part for al
On Wed, 11 Apr 2007, Frank Bulk wrote:
It truly is a wonder that Comcast doesn't apply DOCSIS config file filters
on their consumer accounts, leaving just the IPs of their email servers
open. Yes, it would take an education campaign on their part for all the
consumers that do use alternate SMT
rk it
would save their abuse department in the long run.
Frank
-----Original Message-----
From: Frank Bulk
Sent: Wednesday, April 11, 2007 5:10 PM
To: 'nanog@merit.edu'
Subject: Re: Abuse procedures... Reality Checks
On Tue, Apr 10, 2007 at 07:44:59AM -0500, Frank Bulk wrote:
> C
--- [EMAIL PROTECTED] wrote:
On Wed, Apr 11, 2007 at 03:44:01PM -0400, Warren Kumari wrote:
> The same thing happens with things like abuse -- it is easy to deal
> with abuse on a small scale. It is somewhat harder on a medium scale
> and harder still on a large scale -- the progression fro
> > I know from experience this doesn't scale into the hundreds of
> > thousands of customers and can only imagine the big ass eyeball
> > network's scalability issues...
> Hear hear...
>
> Scaling process and procedures is often as hard or harder than
> scaling technical things...
It's t
> As for documentation on this... There is PLENTY of it. Why should
> I write another document no one would follow.
Because you might be a better writer than those other folks. You might
be able to present the right balance of technical detail and policy
goals to be understood by a larger number
On Wed, Apr 11, 2007 at 03:44:01PM -0400, Warren Kumari wrote:
> The same thing happens with things like abuse -- it is easy to deal
> with abuse on a small scale. It is somewhat harder on a medium scale
> and harder still on a large scale -- the progression from small to
> medium to large i
On Tue, Apr 10, 2007 at 07:44:59AM -0500, Frank Bulk wrote:
> Comcast is known to emit lots of abuse -- are you blocking all their
> networks today?
All? No. But I shouldn't find it necessary to block ANY, and wouldn't,
if Comcast wasn't so appallingly negligent.
( I'm blocking huge swaths of
On Apr 11, 2007, at 10:32 AM, Warren Kumari wrote:
Perhaps you could write a nice, simple, friendly guide explaining
how you ensure that your network is never the source of malicious
traffic?
Identify your ownership, and ensure contact information is accurate
and well attended. Inconsi
TED]>
To: nanog@merit.edu
Cc: Warren Kumari <[EMAIL PROTECTED]>
Subject: Re: Abuse procedures... Reality Checks
Date: Wed, 11 Apr 2007 13:49:40 -0400
Warren Kumari wrote:
So, I have always wondered -- how do your customers really react when
they can no longer reach www.example.com, a site
't scale into the hundreds of thousands of
customers and can only imagine the big ass eyeball network's scalability
issues...
scott
--- [EMAIL PROTECTED] wrote:
From: "J. Oquendo" <[EMAIL PROTECTED]>
To: nanog@merit.edu
Cc: Warren Kumari <[EMAIL PROTECTED]>
Subje
Warren Kumari wrote:
So, I have always wondered -- how do your customers really react when
they can no longer reach www.example.com, a site hosted a few IPs away
from www.badevilphisher.net? And do you really think that you blocking
them is going to make example.com contact their provider to g
On Apr 11, 2007, at 11:28 AM, J. Oquendo wrote:
[EMAIL PROTECTED] wrote:
* PGP Signed by an unverified key: 04/11/07 at 11:21:15
On Wed, 11 Apr 2007 07:07:19 EDT, "J. Oquendo" said:
these so called rules? Many network operators are required to
do a lot of things, one of these things should
[EMAIL PROTECTED] wrote:
* PGP Signed by an unverified key: 04/11/07 at 11:21:15
On Wed, 11 Apr 2007 07:07:19 EDT, "J. Oquendo" said:
these so called rules? Many network operators are required to
do a lot of things, one of these things should be the
mitigation of malicious traffic from LEAVI
On Wed, 11 Apr 2007 07:07:19 EDT, "J. Oquendo" said:
> these so called rules? Many network operators are required to
> do a lot of things, one of these things should be the
> mitigation of malicious traffic from LEAVING their network.
And I want a pony.
We don't even do a (near) universal job of
> Maybe ARIN staff should start re-writing policies and
> implementing out punishments. Guarantee you if operators were
> penalized for not following rules, for allowing filth to leave
> their networks, I bet you many maladies on the net would be
> cut substantially.
Sorry, that's not their job
> "SWIP is a process used by organizations to submit information about
> downstream customer's address space reassignments to ARIN for
> inclusion
> in the WHOIS database. Its goal is to ensure the effective
> and efficient
> maintenance of records for IP address space.
Lovely language but i
Stephen Satchell wrote:
SWIPs are required for reallocations of /29 and larger if the
allocation owner does not operate a RWhoIs server.
Of course, SWIP is an ARIN thing, and you work for BRITISH
TELECOMMUNICATIONS PLC. As a US network operator, I was well aware of
the requirements for SWIP
[EMAIL PROTECTED] wrote:
I also find it curious that you claim to have people on staff at your
company who know what SWIP means. Perhaps you could ask them to share
that information with us since I have never seen this documented
anywhere. Do they really know what you claim they know?
--Michae
On Tue, Apr 10, 2007 at 10:30:32AM +0100, [EMAIL PROTECTED] wrote:
...
> I also find it curious that you claim to have people on staff at your
> company who know what SWIP means. Perhaps you could ask them to share
> that information with us since I have never seen this documented
> anywhere. Do t
On Tue, Apr 10, 2007 at 03:11:31PM +0100, [EMAIL PROTECTED] wrote:
...
> Yes there are. The current whois returns way more information on a query
> than you need for network operations. That's because the current whois
> was designed back in the 1970's so that ARPANET network managers could
> iden
> Because I haven't got unlimited WHOIS queries. (Although I
> and everyone
> else *should* have those. There are no valid reasons to
> rate-limit any
> form of WHOIS query.)
Yes there are. The current whois returns way more information on a query
than you need for network operations. That's
Comcast is known to emit lots of abuse -- are you blocking all their
networks today?
Frank
-----Original Message-----
From: Frank Bulk
Sent: Tuesday, April 10, 2007 7:43 AM
To: nanog@merit.edu
Subject: Re: Abuse procedures... Reality Checks
On Sat, Apr 07, 2007 at 09:50:34PM +, Fergie
On Sat, Apr 07, 2007 at 04:20:59PM -0500, Frank Bulk wrote:
> Define network operator: the AS holder for that space or the operator of
> that smaller-than-slash-24 sub-block? If the problem consistently comes
> from /29 why not just leave the block in and be done with it?
Because experience...
On Sat, Apr 07, 2007 at 09:50:34PM +, Fergie wrote:
> I would have to respectfully disagree with you. When network
> operators do due diligence and SWIP their sub-allocations, they
> (the sub-allocations) should be authoritative in regards to things
> like RBLs.
After thinking it over: I part
> I have to disagree. SWIP is not meaningless.
>
> In my company some functions related to sending a SWIP are
> automated, but my company has people on staff who know that
> it is happening and what it means.
>
> And I talk with plenty of other companies that fall into the
> same boat.
>
On Mon, 9 Apr 2007, Paul Vixie wrote:
>
> than you're describing. for example, this weekend two /24's were hijacked
> and used for spam spew. as my receivebot started blackholing /32's, the
Why do you think they were hijacked ? At least for your second block:
>1 71.6.213.103
>
I'v
On Apr 8, 2007, at 9:03 PM, Paul Vixie wrote:
[EMAIL PROTECTED] (Douglas Otis) writes:
Good advice. For various reasons, a majority of IP addresses
within a CIDR of any size being abusive is likely to cause the
CIDR to be blocked. While a majority could be considered as being
half right
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Apr 9, 2007, at 3:41 PM, Pete Templin wrote:
Chris Owen wrote:
Well, "well managed" to me would mean that allocations from that /
20 were SWIPed or a rwhois server was running so that if any of
On Mon, 09 Apr 2007 17:11:28 EDT, "Azinger, Marla" said:
> In my company some functions related to sending a SWIP are automated,
> but my company has people on staff who know that it is happening and
> what it means.
Just because *your* site has enough clue to get it right doesn't mean that
the *a
procedures... Reality Checks
> I would have to respectfully disagree with you. When network
> operators do due diligence and SWIP their sub-allocations, they
> (the sub-allocations) should be authoritative in regards to things
> like RBLs.
How do you tell when they have actually done "
ssage-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete
Templin
Sent: Monday, April 09, 2007 3:42 PM
To: Chris Owen
Cc: nanog@merit.edu
Subject: Re: Abuse procedures... Reality Checks
Chris Owen wrote:
> Well, "well managed" to me would mean that allocations from
On Mon, 9 Apr 2007 [EMAIL PROTECTED] wrote:
>
> > If they're properly SWIPed why punish the ISP for networks
> > they don't even
> > operate, that obviously belong to their business customers?
>
> How can you tell that they don't operate a network from SWIP records?
>
> Seems to me that lots of
t. It sounds like a good idea, but I'm guessing few network operators
do that for their customer networks, whether that's due to lack of
centralization or cost.
Frank
-----Original Message-----
From: Frank Bulk
Sent: Monday, April 09, 2007 3:49 PM
To: 'nanog@merit.edu'
Subject
Chris Owen wrote:
Well, "well managed" to me would mean that allocations from that /20
were SWIPed or a rwhois server was running so that if any of those 4,000
IP addresses does something bad you don't get caught in the middle.
Due diligence with SWIP/rwhois only means that one customer is we
> If they're properly SWIPed why punish the ISP for networks
> they don't even
> operate, that obviously belong to their business customers?
How can you tell that they don't operate a network from SWIP records?
Seems to me that lots of network operators sell "managed services" to
businesses
> I would have to respectfully disagree with you. When network
> operators do due diligence and SWIP their sub-allocations, they
> (the sub-allocations) should be authoritative in regards to things
> like RBLs.
How do you tell when they have actually done "due diligence".
Existence of a SWIP rec
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Apr 9, 2007, at 1:49 PM, John L wrote:
I don't have PI space, but I do have a competent ISP so I've
never had any
mail problems due to adjacent addresses.
Having a competent ISP isn't a guarantee of exemption...only a
contributor. As evi
I don't have PI space, but I do have a competent ISP so I've never had any
mail problems due to adjacent addresses.
Having a competent ISP isn't a guarantee of exemption...only a contributor.
As evidenced by the discussion, some people choose the scope of their wrath
arbitrarily.
Nothing i
Pete Templin wrote:
John R Levine wrote:
I don't have PI space, but I do have a competent ISP so I've never
had any
mail problems due to adjacent addresses.
Having a competent ISP isn't a guarantee of exemption...only a
contributor. As evidenced by the discussion, some people choose the
[EMAIL PROTECTED] (Douglas Otis) writes:
> Good advice. For various reasons, a majority of IP addresses within a
> CIDR of any size being abusive is likely to cause the CIDR to be blocked.
> While a majority could be considered as being half right, the existence
> of the "bad neighborhood" demon
> From: "Frank Bulk" <[EMAIL PROTECTED]>
> > Subject: RE: Abuse procedures... Reality Checks
> > Date: Sat, 7 Apr 2007 16:20:59 -0500
> >
> > > If they can't hold the outbound abuse down to a minimum, then
> > > I guess I'll h
On Apr 7, 2007, at 11:27 PM, John Levine wrote:
[...]
I can assure you from
experience that any sort of automated RIR WHOIS lookups will quickly
trip volume checks and get you blocked,
Does this happen when you only query for the network information and
not the full contact information?
> >> Neither I nor J. Oquendo nor anyone else are required to spend our
> >> time, our money, and our resources figuring out which parts of X's
> >> network can be trusted and which can't.
you should only spend resources on activities which will benefit you, of
course. research into a /N to find
On Sat, 7 Apr 2007, Chris Owen wrote:
And how do you know the difference? The Cox IP address is SWIPed. It's
even sub-allocated. The allocation is just a /19.
Exactly, so why not just block whatever the suballocation is? Would mean
that companies that properly SWIP their IP-blocks and put
do it, block *all*
the IPs associated to the 'bad' ISP. Then at least you're consistent,
otherwise expanding to a /24 is just a half (or 1%) job or laziness.
Frank
-----Original Message-----
From: Frank Bulk
Sent: Saturday, April 07, 2007 10:45 PM
To: [EMAIL PROTECTED]
Subject:
On Sat, 7 Apr 2007 20:41:19 -0500 (CDT)
Robert Bonomi <[EMAIL PROTECTED]> wrote:
BLUNT QUESTIONS: *WHO* pays me to figure out 'which parts' of a
provider's
network are riddled with problems and 'which parts' are _not_? *WHO* pays
me to do the research to find out where the end-user boundari
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -- Chris Owen <[EMAIL PROTECTED]> wrote:
>On Apr 8, 2007, at 2:51 AM, Fergie wrote:
>
>> Again, a simple recursive WHOIS will show you sub-allocations if they
>> are properly SWIP'ed.
>
>Define "properly". The Cox addresses in my example are SWIPe
>> Sure, block that /29, but why block the /24, /20, or even /8?
Since nobody will route less than a /24, you can be pretty sure that
regardless of the SWIPs, everyone in a /24 is served by the same ISP.
I run a tiny network with about 400 mail users, but even so, my
semiautomated systems are se
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Apr 8, 2007, at 2:51 AM, Fergie wrote:
Again, a simple recursive WHOIS will show you sub-allocations if they
are properly SWIP'ed.
Define "properly". The Cox addresses in my example are SWIPed. Are
they "properly" SWIPed? How could you te
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -- Chris Owen <[EMAIL PROTECTED]> wrote:
>On Apr 7, 2007, at 11:41 PM, Fergie wrote:
>
>> Please read what I wrote:
>>
>> "I would think that it's actually very easy to do when
>> sub-allocations are SWIP'ed."
>>
>> I cannot, and will not, presuppo
7, 2007 8:41 PM
To: nanog@merit.edu
Subject: RE: Abuse procedures... Reality Checks
> From: "Frank Bulk" <[EMAIL PROTECTED]>
> Subject: RE: Abuse procedures... Reality Checks
> Date: Sat, 7 Apr 2007 16:20:59 -0500
>
> > If they can't hold the outbound abu
> BLUNT QUESTIONS: *WHO* pays me to figure out 'which parts' of a provider's
> network are riddled with problems and 'which parts' are _not_?
I don't know the answer in your case, but in my case the answer is my
employer. More specifically, my employer pays me to block junk and let good
traffic
> From: "Frank Bulk" <[EMAIL PROTECTED]>
> Subject: RE: Abuse procedures... Reality Checks
> Date: Sat, 7 Apr 2007 16:20:59 -0500
>
> > If they can't hold the outbound abuse down to a minimum, then
> > I guess I'll have to make up for their neg
@merit.edu
Subject: RE: Abuse procedures... Reality Checks
On Sat, 7 Apr 2007, Frank Bulk wrote:
> If they're properly SWIPed why punish the ISP for networks they don't even
> operate, that obviously belong to their business customers?
All ISPs have AUPs that prohibit spam (or at least I
om: Stephen Satchell [mailto:[EMAIL PROTECTED]
Sent: Saturday, April 07, 2007 5:44 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Abuse procedures... Reality Checks
Frank Bulk wrote:
> [[Attribution deleted by Frank Bulk]]
>> Neither I nor J. Oquendo nor anyone else are r
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Apr 7, 2007, at 11:41 PM, Fergie wrote:
Please read what I wrote:
"I would think that it's actually very easy to do when
sub-allocations are SWIP'ed."
I cannot, and will not, presuppose that in cases when they are
not SWIP'ed that some kind of
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -- Chris Owen <[EMAIL PROTECTED]> wrote:
>On Apr 7, 2007, at 11:00 PM, Fergie wrote:
>
>> I would think that it's actually very easy to do when
>> sub-allocations are SWIP'ed.
>
>Not that I'm really defending this policy, but sub-allocations are
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Apr 7, 2007, at 11:00 PM, Fergie wrote:
I would think that it's actually very easy to do when
sub-allocations are SWIP'ed.
Not that I'm really defending this policy, but sub-allocations are
very often not SWIPed. I'd say 75% or more of the
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -- Stephen Satchell <[EMAIL PROTECTED]> wrote:
>It's *very* hard to do it with an automated system, as such automated
>look-ups are against the Terms of Service for every single RIR out there.
>
Exactly why is this hard to do?
I would think that
Frank Bulk wrote:
> [[Attribution deleted by Frank Bulk]]
Neither I nor J. Oquendo nor anyone else are required to
spend our time, our money, and our resources figuring out which
parts of X's network can be trusted and which can't.
It's not that hard, the ARIN records are easy to look up.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -- "william(at)elan.net" <[EMAIL PROTECTED]> wrote:
>On Sat, 7 Apr 2007, Fergie wrote:
>
>> I would have to respectfully disagree with you. When network
>> operators do due diligence and SWIP their sub-allocations, they
>> (the sub-allocations) sho
problem for each of every one of those subblocks did
not lead to any results.
Frank
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
william(at)elan.net
Sent: Saturday, April 07, 2007 5:58 PM
To: Fergie
Cc: [EMAIL PROTECTED]; nanog@merit.edu
Subject:
owners would want
to have clean customers.
Frank
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
william(at)elan.net
Sent: Saturday, April 07, 2007 5:58 PM
To: Fergie
Cc: [EMAIL PROTECTED]; nanog@merit.edu
Subject: Re: Abuse procedures... Reality Checks
On Sat, 7 Apr 2007, Fergie wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -- Rich Kulawiec <[EMAIL PROTECTED]> wrote:
1. There's nothing "indiscriminate" about it.
I often block /24's and larger because I'm holding the *network* operators
responsible for what comes out of their ope
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -- Rich Kulawiec <[EMAIL PROTECTED]> wrote:
1. There's nothing "indiscriminate" about it.
>I often block /24's and larger because I'm holding the *network* operators
>responsible for what comes out of their operation. If they can't hold
>the outb
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Apr 7, 2007, at 4:20 PM, Frank Bulk wrote:
Sure, block that /29, but why block the /24, /20, or even /8?
Perhaps your
(understandable) frustration is preventing you from agreeing with
me on this
specific case. Because what you usually see i
> On Sat, Apr 07, 2007 at 02:31:25PM -0500, Frank Bulk wrote:
> > I understand your frustration and appreciate your efforts to contact the
> > sources of abuse, but why indiscriminately block a larger range of IPs than
> > what is necessary?
>
> 1. There's nothing "indiscriminate" about it.
>
J. Oquendo wrote:
...
So to answer your question about fairness... It's not fair by any
means, but it is effective. I see it as follows...
Well, that's the reason why I have a gmail account and all my
customers have.
I can send even from my dynamic ip-address and still they
let me in.
They c
On Sat, Apr 07, 2007 at 02:31:25PM -0500, Frank Bulk wrote:
> I understand your frustration and appreciate your efforts to contact the
> sources of abuse, but why indiscriminately block a larger range of IPs than
> what is necessary?
1. There's nothing "indiscriminate" about it.
I often block
On Sat, 07 Apr 2007, Frank Bulk wrote:
> Joe:
>
> I understand your frustration and appreciate your efforts to contact the
> sources of abuse, but why indiscriminately block a larger range of IPs than
> what is necessary?
>
Far too many times I've tried to contact those who have the DIRECT a
Joe:
I understand your frustration and appreciate your efforts to contact the
sources of abuse, but why indiscriminately block a larger range of IPs than
what is necessary?
Here's the /24 in question:
Combined Systems Technologies NET-CST (NET-207-177-31-0-1)
207.177.31.0 - 207
77 matches