North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: Spam. Again.. -- and blocking net blocks?

  • From: Scott Silzer
  • Date: Tue Dec 10 15:49:52 2002

I could understand if an ISP was allowing spam from a portion of there network. But in this case the only thing that the ISP did is host a website, the SPAM was sent from from a third party's network. The ISP did terminate the customer but in the meantime the entire NSP's network has been blacklisted, for a rouge webhosting account does sound a bit harsh.

At 12:08 -0800 12/10/2002, Lee, Hansel wrote:
Quick Comment as a NANOG lurker and SPEWS lurker
(  I'm not defending SPEWS, don't speak for
SPEWS but will describe what I understand happens:

SPEWS initially lists offending IP address blocks from non-repentant SPAM
sources.  If the upstream ISP does nothing about it, that block tends to
expand to neighboring blocks to gain the attention of the ISP.

High level concept:
	Block the SPAMMER
		- ISP Does nothing
	Block the SPAMMER's Neighboring Blocks (Collateral Damage)
		- Motivates neighbors to find new Upstream/Isp
		- Motivates neighbors to complain to upstream/ISP
		- Gains the attention of the Upstream/ISP
	Expand the Block
		- Ditto
	Block the ISP as a whole

The SPEWS concept prevents an ISP from allowing spammers on some blocks
while trying to service legitimate customers on others.  For an ISP - it is
either all or none over time, you support spammers and are blocked as a
whole (to include innocent customers).

If you do end up mistakenly on SPEWS or take care of your spamming customers
- you can appeal to them at, get flamed pretty
bad, and eventually fall off the list.

I do personally like the idea of holding the ISP as a whole accountable over
time.  An ISP can stay off spews, I've never had a block listed - though
when I'm in a decision making position, I've never tolerated a spammer.


-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Tuesday, December 10, 2002 08:36
To: [email protected]
Cc: [email protected]; [email protected]
Subject: Re: Spam. Again.. -- and blocking net blocks?

 For some reason, spews has decided to now block one of our /19.. Ie no
 server in the /19 can send mail.

 1) How do we smack some sense into spews?
Make it easy for them to identify the fact that your downstream ISP
customer has allocated that /32 to a separate organisation. This is what
referral whois was supposed to do but it never happened because
development of the tools fizzled out.

If SPEWS could plug guilty IP addresses into an automated tool and come up
with an accurate identification of which neighboring IP addresses were
tainted and which were not, then they wouldn't use such crude techniques.

Imagine a tool which queries the IANA root LDAP server for an IP address.
The IANA server refers them to ARIN's LDAP server because this comes from
a /8 that was allocated to ARIN. Now ARIN's server identifies that this
address is in your /19 so it refers SPEWS to your own LDAP server. Your
server identifies your customer ISP as the owner of the block, or if your
customer has been keeping the records up to date with a simple LDAP
client, your server would identify that the guilty party is indeed only on
one IP address.

Of course, this won't stop SPEWS from blacklisting you. But it enables
SPEWS to quickly identify the organization (your customer ISP) that has a
business relationship with the offender so that SPEWS is more likely to
focus their attentions on these two parties.

 2) Does anyone else see a HUGE problem with listing a /19 because there
 one /32 of a spam advertised website?  When did this start happening?
It's a free country, you can't stop people like the SPEWS group from
expressing their opinions. As long as people are satisfied with crude
tools for mapping IP address to owner, this kind of thing will continue to

--Michael Dillon
Scott A Silzer