Security Incidents mailing list archives

Re: IP Black list?


From: twells () ATG COM (Tabor J. Wells)
Date: Tue, 16 May 2000 17:14:04 -0400


On Tue, May 16, 2000 at 09:34:38AM -0700,
Ryan Russell <ryan () SECURITYFOCUS COM> is thought to have said:

> On Mon, 15 May 2000, Mike Shannon wrote:
>
>> What if a legitimate organization shares the same address space as an
>> offender?  Should they pay for the actions of that offender even though they
>> are not even associated with them? For example, 50 people lodge a complaint
>> about 1.2.3.0/24 even though it is actually coming from something in the
>> 1.2.3.0/28 address space.  Not only that but finding a group of unbiased
>> people would be a tough thing to do.
>
> That somewhat mirrors the situation that SecurityFocus is in.  The folks
> we get our address space from apparently have a few customers running open
> mail relays, spread throughout the address space.  The ORBS guys caught
> this, and added a couple of supernets for that space to their
> blacklist.  Meanwhile, the ISP in question has blocked the ORBS guys'
> ability to scan mail relays, so they can't verify if the problem has been
> fixed.  The ORBS answer to this is to keep the block in place.  Naturally,
> we don't run open relays, but the ORBS guys can't verify that.

Well it's a bit more than that. When the ISP in question decided to block
ORBS from scanning hosts in their network, ORBS chose to manually list
not just the IPs that had been verified as open relays but the entire
netspace of the ISP (which in this case was a major tier 1 provider). Of
the dozen or so lists that I regularly get mail from at least a third fall
within those address blocks.

I choose not to use ORBS because the collateral damage from their manual
listing choices is too high. Well actually it's pretty high for their
standard open relays list as well.

Tabor

--
------------------------------------------------------------------------
Tabor J. Wells                                            twells () atg com
Systems Administrator
Art Technology Group                                  http://www.atg.com
