North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical RE: Spam. Again.. -- and blocking net blocks?
I agree.. Problem was it was a downstream ISP.. This all comes down to, we warn them since it is their customer, they don't deal with it, we black hole part of their network.. But it take 3-4 days to do that to a large downstream. Mark -- Mark Segal Director, Data Services Futureway Communications Inc. Tel: (905)326-1570 > -----Original Message----- > From: Lee, Hansel [mailto:[email protected]] > Sent: December 10, 2002 3:08 PM > To: '[email protected]' > Cc: '[email protected]' > Subject: RE: Spam. Again.. -- and blocking net blocks? > > > > Quick Comment as a NANOG lurker and SPEWS lurker > (news.admin.net-abuse.email). I'm not defending SPEWS, don't > speak for SPEWS but will describe what I understand happens: > > SPEWS initially lists offending IP address blocks from > non-repentant SPAM sources. If the upstream ISP does nothing > about it, that block tends to expand to neighboring blocks to > gain the attention of the ISP. > > High level concept: > Block the SPAMMER > - ISP Does nothing > Block the SPAMMER's Neighboring Blocks (Collateral Damage) > - Motivates neighbors to find new Upstream/Isp > - Motivates neighbors to complain to upstream/ISP > - Gains the attention of the Upstream/ISP > Expand the Block > - Ditto > Block the ISP as a whole > > The SPEWS concept prevents an ISP from allowing spammers on > some blocks while trying to service legitimate customers on > others. For an ISP - it is either all or none over time, you > support spammers and are blocked as a whole (to include > innocent customers). > > If you do end up mistakenly on SPEWS or take care of your > spamming customers > - you can appeal to them at news.admin.net-abuse.email, get > flamed pretty bad, and eventually fall off the list. > > I do personally like the idea of holding the ISP as a whole > accountable over time. An ISP can stay off spews, I've never > had a block listed - though when I'm in a decision making > position, I've never tolerated a spammer. > > Hansel > > > -----Original Message----- > From: [email protected] [mailto:[email protected]] > Sent: Tuesday, December 10, 2002 08:36 > To: [email protected] > Cc: [email protected]; [email protected] > Subject: Re: Spam. Again.. -- and blocking net blocks? > > > > > Problem: > > For some reason, spews has decided to now block one of our > /19.. Ie no > mail > > server in the /19 can send mail. > > > Questions: > > 1) How do we smack some sense into spews? > > Make it easy for them to identify the fact that your downstream ISP > customer has allocated that /32 to a separate organisation. > This is what > referral whois was supposed to do but it never happened because > development of the tools fizzled out. > > If SPEWS could plug guilty IP addresses into an automated > tool and come up > with an accurate identification of which neighboring IP > addresses were > tainted and which were not, then they wouldn't use such crude > techniques. > > Imagine a tool which queries the IANA root LDAP server for an > IP address. > The IANA server refers them to ARIN's LDAP server because > this comes from > a /8 that was allocated to ARIN. Now ARIN's server identifies > that this > address is in your /19 so it refers SPEWS to your own LDAP > server. Your > server identifies your customer ISP as the owner of the > block, or if your > customer has been keeping the records up to date with a simple LDAP > client, your server would identify that the guilty party is > indeed only on > one IP address. > > Of course, this won't stop SPEWS from blacklisting you. But > it enables > SPEWS to quickly identify the organization (your customer > ISP) that has a > business relationship with the offender so that SPEWS is more > likely to > focus their attentions on these two parties. > > > 2) Does anyone else see a HUGE problem with listing a /19 because > > there > is > > one /32 of a spam advertised website? When did this start > happening? > > It's a free country, you can't stop people like the SPEWS group from > expressing their opinions. As long as people are satisfied with crude > tools for mapping IP address to owner, this kind of thing > will continue to > happen. > > --Michael Dillon >
|