Educause Security Discussion mailing list archives

Re: Not so Nice Net


From: Joe St Sauver <joe () OREGON UOREGON EDU>
Date: Fri, 10 Feb 2012 14:03:55 -0800

In a followup, my colleague and friend Michael Sinatra commented:

#I don't feel that "91.x.x.x" is very 
#precise for the same reasons Marty outlined.  It may be a useful 
#shortcut for some, but just as I should be cognizant of how others will 
#interpret my admittedly-too-emphatic message, so should everyone here. 
#It is very easy to misinterpret what was being said on this thread with 
#respect to the exact netblocks and providers that are at issue and that 
#is of concern to me.

There are some pretty large bad blocks out there these days, but the
biggest thing I'm currently seeing on the Spamhaus DROP list (see
http://www.spamhaus.org/drop/drop.lasso ) is "just" a /14
(still, dang! a /*14*?)

#The use of capitalization was intended for emphasis and not to make 
#others look or feel bad, and it was definitely not to simulate 
#yelling--I apologize for that; 

Speaking personally, I've never minded all caps. They remind me of my
carefree ASR33 TTY and IBM 26/29 cardpunch-using days, when case was 
somehow a non-issue. :-) I still remember the "loss of innocence" I
felt when I transitioned onto a Televideo 910, and it actually had a 
shift key. Wow! But boy, did that thing scream right along compared 
to a 110 baud TTY! :-)

#You're correct on that one.  I did misread your message.  I now see that 
#you were saying that all of the traffic you have seen in 91.0.0.0/8 has 
#been bad.  I sincerely apologize for that.  Given that, it would be 
#useful to have more information as to exactly which providers in that 
#block seem to be especially problematic, or which IP addresses (or 
#classless ranges) appear to be the biggest problem.  

Spam is not the only measure of badness, obviously, but just by way of
example, if you go to:

http://www.senderbase.org/senderbase_queries/detailip?search_string=91.1.0.0%2F16

I *am* seeing an awful lot of red ink (in fairness, note that there are 
multiple pages per /16 and if you page through, you *will* see some IPs 
that are green in there, too).

That pattern continues, e.g.:

http://www.senderbase.org/senderbase_queries/detailip?search_string=91.2.0.0%2F16
http://www.senderbase.org/senderbase_queries/detailip?search_string=91.3.0.0%2F16
[etc]

(I'll let others have the fun of doing an exhaustive search of all the
/16's in that /8). In fairness, http://www.spamhaus.org/pbl/query/PBL681430 
(covering DTAG's /12) mentions that

  "Deutsche Telekom advises against accepting e-mail from dialup IPs. We 
  provide these IP addresses dynamically to our customers for internet 
  access. Proper e-mail delivery should use dedicated servers, which is 
  why attempts of e-mail delivery from dialup-ranges generally can be 
  traced to compromised computers or other misuse."
  
Of course, that begs the question of whether DTAG might not want to just
actively manage port 25, themselves, given that philosophy/point of view,
but let's not go there. We need to save some fisticuffs for the future. 
:-) Have a good weekend folks...

Regards,

Joe

Disclaimer: all opinions my own.
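An added example, not code from this thread and not Spamhaus's or Cisco's own tooling, showing how the DROP list Joe points at is consumed in practice: parse the published one-CIDR-per-line format (CIDR, then a ';' and an SBL reference; ';' or '#' comment lines), match an address against it with longest-prefix preference, pick out the largest listed block (the /14 that drew the "dang!"), and enumerate the /16s of a /8 the way one would to page through the per-/16 SenderBase queries above. The sample list embedded below is constructed for illustration and does not reproduce any real listing.

```python
"""
Offline check of IP addresses against a Spamhaus DROP-format list.

Example code added to this archived thread; it is not the thread author's
or Spamhaus's code. The format assumption (one "CIDR ; SBLnnn" per line,
comment lines starting with ';' or '#') follows the file published at
http://www.spamhaus.org/drop/drop.lasso. SAMPLE_DROP is CONSTRUCTED and
contains only documentation ranges, not real listings.
"""
import ipaddress

# Constructed sample in DROP format. Not a real snapshot of the list.
SAMPLE_DROP = """\
; Spamhaus DROP List - constructed sample for this example
; Last-Modified: Fri, 10 Feb 2012 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/22 ; SBL000002
203.0.113.0/24 ; SBL000003
"""


def parse_drop(text):
    """Return a list of (network, sbl_ref) tuples from DROP-format text.

    Blank lines and lines starting with ';' or '#' are skipped as comments.
    A malformed CIDR raises ValueError on purpose: a truncated or corrupt
    download must not silently become an empty list, which would quietly
    disable the block on a mail gateway or border router.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        cidr, _, comment = line.partition(";")
        net = ipaddress.ip_network(cidr.strip(), strict=False)
        entries.append((net, comment.strip() or None))
    return entries


def find_listing(entries, ip):
    """Return the (network, sbl_ref) entry covering ip, or None.

    If several entries overlap, the longest prefix (most specific) wins.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for net, ref in entries:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, ref)
    return best


def largest_block(entries):
    """Return the entry covering the most addresses (smallest prefix length)."""
    return min(entries, key=lambda e: e[0].prefixlen)


def subnets_of(prefix, new_prefix):
    """Enumerate child prefixes, e.g. every /16 inside a /8, as strings.

    Useful for building the per-/16 reputation queries mentioned above
    instead of typing them out by hand.
    """
    return [str(n) for n in ipaddress.ip_network(prefix).subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    drop = parse_drop(SAMPLE_DROP)
    net, ref = largest_block(drop)
    print("largest listed block:", net, ref)
    for ip in ("198.51.100.77", "203.0.113.9", "10.0.0.1"):
        print(ip, "->", find_listing(drop, ip))
    print("first /16s of 91.0.0.0/8:", subnets_of("91.0.0.0/8", 16)[:3])
```

Feed the real file in place of SAMPLE_DROP and the same functions apply unchanged; keep the ValueError behaviour, since a silently empty DROP list is worse than a loud failure.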

