Re: Repeated Blacklisting / IP reputation

[Christopher Morrow <morrowc.lists () gmail com>]

On Tue, Sep 15, 2009 at 5:31 PM, Zaid Ali <zaid () zaidali com> wrote:
> I think costs of maintaining an abuse helpdesk is a big factor here. I don't
> see many ISP's putting money and resources into an abuse helpdesk and this
> is because it is low cost to obtain a Netblock so why should one employ and

have you ever had to re-number a customer, several customers, a
hundred?? 'getting a new netblock is low cost' is hardly an accurate
statement, especially if you keep in mind that you have to justify the
usage of old netblocks in order to obtain the new one.

> build expertise on managing it. If you go to SpamHaus you will see a major
> ISP and their netblocks listed and associated with known spammers. What is
> this ISP doing about this? Nothing!  My guess is that they look at their

'nothing' that you can see? or nothing? or something you can't see or
that's taking longer than you'd expect/like? There certainly are bad
actors out there, but I think the majority are doing things to keep
clean, perhaps not in the manner you would like (or the speed you
would like or with as much public information as you'd like).

> From the outside most ISP operations look quite opaque, proclaiming
'Nothing is being done' simply looks uneducated and shortsighted.

> bottom $$ and look at Spamming customer A and say "crap we will be spending
> $$$ on this customer just to get them off SpamHaus so just leave it, we are
> afterall in the bandwidth business". If ARIN were to say to this major ISP
> that they wont allocate more addresses to them until they adhere to an AUP
> then maybe the game will change but the bigger question here is should ARIN
> get into this kind of policy.

doubtful that: 1) arin would say this (not want to be net police), 2)
isp's couldn't show (for the vast majority of isps) that they are in
fact upholding their AUP.

-chris

> On Sep 15, 2009, at 1:31 PM, Christopher Morrow wrote:
>
> > On Tue, Sep 15, 2009 at 4:23 PM,  <Valdis.Kletnieks () vt edu> wrote:
> > > On Tue, 15 Sep 2009 08:01:48 PDT, Shawn Somers said:
> > >
> > > >  Anyone that intentionally uses address space in a manner that they
> > > > know will cause it to become contaminated should be denied on any
> > > > further address space requests.
> > >
> > > You *do* realize that the people you're directing that paragraph at are
> > > able to say with a totally straight face: "We're doing nothing wrong and
> > > we have *no* idea why we end up in so many local block lists"?
> >
> > Also, you can very well disable new allocations to Spammer-Bob, did
> > you also know his friend Sue is asking now for space? Sue is very
> > nice, she even has cookies... oh damn after we allocated to her we
> > found out she's spamming :(
> >
> > Spammers have a lot of variables to change in this equation, RIR's
> > dont always have the ability to see all of the variables, nor
> > correlate all of the changes they see :(
> >
> > -Chris