nanog mailing list archives
RE: Abuse procedures... Reality Checks
From: "Frank Bulk" <frnkblk () iname com>
Date: Sat, 7 Apr 2007 22:56:18 -0500
I guess our upstream provider is a nobody because they have lots of small sub-allocated blocks less than a /24 that they route to different member ISPs. =)

What is the point of blocking a /24 on the basis of a /32 if the ISP manages dozens of other /24 or larger blocks? If you're going to do it, block *all* the IPs associated to the 'bad' ISP. Then at least you're consistent, otherwise expanding to a /24 is just a half (or 1%) job or laziness.

Frank

-----Original Message-----
From: Frank Bulk
Sent: Saturday, April 07, 2007 10:45 PM
To: nanog () nanog org
Subject: Re: Abuse procedures... Reality Checks

Sure, block that /29, but why block the /24, /20, or even /8?

Since nobody will route less than a /24, you can be pretty sure that regardless of the SWIPs, everyone in a /24 is served by the same ISP.

I run a tiny network with about 400 mail users, but even so, my semiautomated systems are sending off complaints about a thousand spams a day that land in traps and filters. (That doesn't count about 50,000/day that come from blacklisted sources that I package up and sell to people who use them to tune filters and look for phishes.)

I log the sources, when a particular IP has more than 50 complaints in a month I usually block it, if I see a bunch of blocked IP's in a range I usually block the /24. Now and then I get complaints from users about blocked mail, but it's invariably from an individual IP at an ISP or hosting company that has both a legit correspondent and a spam-spewing worm or PHP script. It is quite rare for an expansion to a /24 to block any real mail.

My goal is to keep the real users' mail flowing, to block as much spam as cheaply as I can, and to get some sleep. I can assure you from experience that any sort of automated RIR WHOIS lookups will quickly trip volume checks and get you blocked, so I do a certain number manually, typically to figure out how likely there is to be someone reading the spam reports.

But on today's Internet, if you want to get your mail delivered, it would be a good idea not to live in a bad neighborhood, and if your ISP puts you in one, you need a better ISP. That's life.

Regards,
John Levine, johnl () iecc com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
"More Wiener schnitzel, please", said Tom, revealingly.
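The complaint-count and /24-expansion procedure described in the quoted message, as an added example that is not part of either message or anyone's production code. The 50-complaint threshold comes from the message; `RANGE_THRESHOLD = 3` stands in for "a bunch", and the function names and sample addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

IP_THRESHOLD = 50    # from the message: more than 50 complaints in a month
RANGE_THRESHOLD = 3  # assumption: the message only says "a bunch" of blocked IPs


def build_blocklist(complaints, ip_threshold=IP_THRESHOLD,
                    range_threshold=RANGE_THRESHOLD):
    """complaints: iterable of IPv4 source strings, one entry per complaint
    logged during the month. Returns a sorted list of networks to block."""
    counts = Counter(ipaddress.ip_address(src) for src in complaints)
    blocked_hosts = [ip for ip, n in counts.items() if n > ip_threshold]

    # Group the individually blocked hosts by their covering /24.
    by_slash24 = defaultdict(list)
    for ip in blocked_hosts:
        by_slash24[ipaddress.ip_network(f"{ip}/24", strict=False)].append(ip)

    blocklist = []
    for net, hosts in by_slash24.items():
        if len(hosts) >= range_threshold:
            blocklist.append(net)  # expand: the whole /24 is blocked
        else:
            blocklist.extend(ipaddress.ip_network(f"{ip}/32") for ip in hosts)
    return sorted(blocklist)


def is_blocked(blocklist, addr):
    """True if addr falls inside any blocked network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in blocklist)


# Constructed sample: one month of complaint sources.
SAMPLE = (
    ["192.0.2.10"] * 60 + ["192.0.2.77"] * 51 + ["192.0.2.200"] * 120
    + ["198.51.100.5"] * 75   # single bad host: stays a /32
    + ["198.51.100.9"] * 50   # exactly 50 is not "more than 50"
    + ["203.0.113.1"] * 3
)

if __name__ == "__main__":
    blocklist = build_blocklist(SAMPLE)
    print([str(net) for net in blocklist])
    # 192.0.2.33 never appeared in a complaint but sits in the expanded /24,
    # which is the collateral case the reply about sub-/24 allocations raises.
    print(is_blocked(blocklist, "192.0.2.33"))
```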