North American Network Operators Group


Re: Abuse procedures... Reality Checks

  • From: Paul Vixie
  • Date: Mon Apr 09 00:15:32 2007

[email protected] (Douglas Otis) writes:

> Good advice.  For various reasons, a majority of IP addresses within a
> CIDR of any size being abusive is likely to cause the CIDR to be blocked.
> While a majority could be considered as being half right, the existence
> of the "bad neighborhood" demonstrates a lack of oversight for the entire
> CIDR, which is also fairly predictive of future abuse.

that sounds like a continuum, but my experience requires more dimensions
than you're describing.  for example, this weekend two /24's were hijacked
and used for spam spew.  as my receivebot started blackholing /32's, the
sender started cycling to other addresses in the block.  each address was
used continuously until it stopped working, then the next address came in.
while there were two /24's and two self-similar spam flows, there was not a
strict mapping of spam flow to packet flow -- both /24's emitted both kinds
of spam.  "uniq -c" results are below.  i've nominated both blocks to the
MAPS RBL, and i can't tell from whois whether it's worthwhile to complain
to the ISP's.  would you say that i've learned anything of predictive value
concerning future spam from the containing /17 (CARI) or /15 (THEPLANET)?
or is this just another run of the mill BGP hijack due to some other ISP's
router having enable passwords still set to the factory default?  (we all
owe randy bush a debt of gratitude for pushing on RPKI, by the way.  anybody
can complain about the weather but very few people do something about it.)

-- 
Paul Vixie