nanog mailing list archives
Re: Repeated Blacklisting / IP reputation
From: Rich Kulawiec <rsk () gsp org>
Date: Mon, 14 Sep 2009 06:49:49 -0400
On Tue, Sep 08, 2009 at 11:44:44AM -0700, Wayne E. Bouchard wrote:
> Best practices for the public or subscription RBLs should be to place a TTL on the entry of no more than, say, 90 days or thereabouts.

But there's no reason to do so, and a number of reasons not to, including the very high probabilityXXXXXXXXXcertainty that spammers would use this to rotate through multiple allocations at 91-day intervals. Best practice is to identify blocks that are owned (or effectively owned) by spammers and blacklist them until a need arises *on the receiving side* to remove those blocks.

Yes, this is unfortunate, and draconian, and any number of other things, but the ISPs responsible for this situation should probably have considered this inevitable result before they decided to host well-known spammers that 60 seconds of due diligence would have identified, and subsequently to turn a blind eye to the abuse emanating from their networks.

For example: Ron Guilmette has recently pointed out that notorious spammer Scott Richter has apparently hijacked *another* /16 block -- 150.230.0.0/16. I've dropped that block into various local blacklists, and in some cases, various local firewalls. The entry is essentially permanent, because there's no reason for me to make it otherwise. Perhaps one day ARIN will yank it back, along with all his other blocks, and blacklist him for life; but (a) I doubt it and (b) I'm not willing to wait. The best course of action for me is to just consider it scorched earth and move on.

---Rsk