nanog mailing list archives

Re: Purchased IPv4 Woes


From: Rob McEwen <rob () invaluement com>
Date: Sun, 12 Mar 2017 13:49:04 -0400

On 3/12/2017 11:40 AM, valdis.kletnieks () vt edu wrote:
> How does Spamhaus find out the block has been resold?
> How do other DNS-based blacklist operators find out?

Spamhaus and other reasonable and well-run DNSBLs:

(1) have reasonable auto-expiration mechanisms (which cover the vast majority of these situations where a block gets a new and more ethical owner)

(2) and have various different monitoring and feedback mechanisms - which may not be perfect and may not have God-like omniscience - but generally get things right before too long - they have overall very excellent telemetry and they don't get very much wrong at any one point in time.

In contrast, much of the cause of this problem described on this thread is caused by system admins relying less on well-run blacklists, and relying more on "set it and forget it" manual blocking of IPs and subnets at their perimeter.

(in contrast to well-run DNSBLs...) They then often have ZERO expirations happening - listings are basically permanent - until manually removed - and their telemetry/feedback is just horrific compared to a well-run DNSBL.

There also are not any public lookup forms in the world where a sender can determine which such manual blocks are found on which ISP/hosters/datacenters.

The good news here - is that this becomes further motivation for senders to be vigilant to protect their IPs' reputation - knowing that a lack of such effort can quickly lead to their IP space becoming "damaged goods".

This motivation goes a LONG way towards countering the profit motives that hosters/ISPs/Datacenters/ESPs have in selling services to spammers - there is MUCH money to be made doing so. But the longer term repercussions of damaged IP reputation make that a *bad* long-term investment (even if the short-term gains are lucrative).

Meanwhile, btw - moving all mail servers to IPv6 too fast... ELIMINATES that motivation. Almost everyone reading this paragraph on NANOG has no idea just (a) how much this incentive keeps email sane and manageable - and (b) just how bad things will get if this incentive is removed, via moving all MTAs to IPv6. (In an all-IPv6 world - if you ruin your IP reputation by making a ton of money selling to spammers - there are always vast amounts of new space to acquire)

I can tell you that, ultimately, this is the ONLY thing keeping hosters/ISPs/Datacenters/ESPs from selling services to spammers. Some who deny that this statement applies to them - will at least move the goalposts somewhat, no matter how good of intentions they may think they have. (human nature always dominates)

(but there is no problem moving all email *clients* to IPv6 - where their IPv6-sent mail then SMTP-authenticates to mail servers... which then send that message to other mail servers via IPv4 - at least for the foreseeable future)

--
Rob McEwen
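
Added example, not part of the message above or of any DNSBL's own code: a small audit that applies an expiration rule to a hand-maintained perimeter blocklist, the kind of "set it and forget it" list the message contrasts with auto-expiring DNSBLs. The three-column file format, the 90-day TTL, the function names and the sample entries (documentation address ranges) are all assumptions made for illustration.

```python
import ipaddress
from datetime import date, timedelta

# Constructed sample of a manual perimeter blocklist (not real data).
# Columns: network, date the block was added, date abuse was last seen from it.
SAMPLE_BLOCKS = """\
# network        added       last_seen
192.0.2.0/24     2014-06-01  2014-06-03
198.51.100.0/24  2016-11-20  2017-03-01
203.0.113.16/28  2017-02-25  2017-02-25
"""

BASE_TTL = timedelta(days=90)  # assumed policy: listing lapses 90 days after last abuse


def parse_blocks(text):
    """Yield (network, added, last_seen) for each non-blank, non-comment line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net, added, seen = line.split()
            # strict=True rejects entries with host bits set (e.g. 10.0.0.1/8)
            yield (ipaddress.ip_network(net, strict=True),
                   date.fromisoformat(added), date.fromisoformat(seen))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None


def audit(text, today, ttl=BASE_TTL):
    """Split entries into (keep, expire) by time since abuse was last seen."""
    keep, expire = [], []
    for net, added, seen in parse_blocks(text):
        if seen < added:
            seen = added  # no evidence after listing: age from the listing date
        (expire if today - seen > ttl else keep).append(str(net))
    return keep, expire


if __name__ == "__main__":
    keep, expire = audit(SAMPLE_BLOCKS, today=date(2017, 3, 12))
    print("still listed:", keep)
    print("expired, remove from perimeter ACL:", expire)
```
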

