Re: dealing with bogon spam ?

[Jay Hennigan <jay () west net>]

Leslie wrote:
> First off, I'm not certain if unallocated space in blocks less than a /8 
> is properly called bogon, so pardon my terminology if I'm incorrect.

Bogon is probably the correct term for any IP space that doesn't belong 
on the public Internet because it is reserved, unallocated, etc.

> We're seeing a decent chunk of spam coming from an unallocated block of 
> address space.  We use CYMRU's great list of /8 bogon space to prevent 
> completely off the wall abuse, but the granularity stops at /8's. 
> Obviously, I've written the originating AS and its single upstream 
> provider (sadly without any response).  I'm not looking for a one time 
> solution for this issue however -- I'd like to permanently block (and 
> kick) anyone who's using unallocated space illegitimately.

Not too permanently, though.  That space is likely to become allocated, 
and the new legitimate user thereof shouldn't have to beg thousands of 
networks to unblock it.
so
> How have you dealt with this issue? Does anyone publish a more granular 
> listing of unallocated space? Does arin have this information somewhere 
> other than just probing any given ip via whois?

I'm not specifically aware of a more granular listing.  It would have to 
be dynamic as new allocations occur all the time.  The RIRs (ARIN, RIPE, 
APNIC, etc.) are the authoritative source for the space allocated to 
them, but I don't know if they have a real-time bogon list available.

In addition to the published list, Team Cymru has a BGP feed and other 
resources, but I don't know how granular it is with respect to 
unallocated space.  See here:

http://www.team-cymru.org/Services/Bogons/

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay () impulse net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV