RE: Spam. Again.. -- and blocking net blocks?

[Mark Segal <MSegal () FUTUREWAY CA>]

I agree.. 

Problem was it was a downstream ISP.. This all comes down to, we warn them
since it is their customer, they don't deal with it, we black hole part of
their network.. 

But it take 3-4 days to do that to a large downstream.

Mark


--
Mark Segal
Director, Data Services
Futureway Communications Inc.
Tel: (905)326-1570


> -----Original Message-----
> From: Lee, Hansel [mailto:Hansel.Lee () corp winfirst com] 
> Sent: December 10, 2002 3:08 PM
> To: 'nanog () nanog org'
> Cc: 'owner-nanog () merit edu'
> Subject: RE: Spam. Again.. -- and blocking net blocks?
>
>
>
> Quick Comment as a NANOG lurker and SPEWS lurker 
> (news.admin.net-abuse.email).  I'm not defending SPEWS, don't 
> speak for SPEWS but will describe what I understand happens: 
>
> SPEWS initially lists offending IP address blocks from 
> non-repentant SPAM sources.  If the upstream ISP does nothing 
> about it, that block tends to expand to neighboring blocks to 
> gain the attention of the ISP.
>
> High level concept:
>       Block the SPAMMER
>               - ISP Does nothing
>       Block the SPAMMER's Neighboring Blocks (Collateral Damage)
>               - Motivates neighbors to find new Upstream/Isp
>               - Motivates neighbors to complain to upstream/ISP
>               - Gains the attention of the Upstream/ISP
>       Expand the Block
>               - Ditto
>       Block the ISP as a whole
>
> The SPEWS concept prevents an ISP from allowing spammers on 
> some blocks while trying to service legitimate customers on 
> others.  For an ISP - it is either all or none over time, you 
> support spammers and are blocked as a whole (to include 
> innocent customers). 
>
> If you do end up mistakenly on SPEWS or take care of your 
> spamming customers
> - you can appeal to them at news.admin.net-abuse.email, get 
> flamed pretty bad, and eventually fall off the list. 
>
> I do personally like the idea of holding the ISP as a whole 
> accountable over time.  An ISP can stay off spews, I've never 
> had a block listed - though when I'm in a decision making 
> position, I've never tolerated a spammer. 
>
> Hansel
>
>
> -----Original Message-----
> From: Michael.Dillon () radianz com [mailto:Michael.Dillon () radianz com] 
> Sent: Tuesday, December 10, 2002 08:36
> To: MSegal () FUTUREWAY CA
> Cc: nanog () nanog org; owner-nanog () merit edu
> Subject: Re: Spam. Again.. -- and blocking net blocks?
>
>
>
> > Problem:
> > For some reason, spews has decided to now block one of our 
> /19.. Ie no
> mail
> > server in the /19 can send mail.
>
> > Questions:
> > 1) How do we smack some sense into spews?
>
> Make it easy for them to identify the fact that your downstream ISP 
> customer has allocated that /32 to a separate organisation. 
> This is what 
> referral whois was supposed to do but it never happened because 
> development of the tools fizzled out. 
>
> If SPEWS could plug guilty IP addresses into an automated 
> tool and come up 
> with an accurate identification of which neighboring IP 
> addresses were 
> tainted and which were not, then they wouldn't use such crude 
> techniques. 
>
> Imagine a tool which queries the IANA root LDAP server for an 
> IP address. 
> The IANA server refers them to ARIN's LDAP server because 
> this comes from 
> a /8 that was allocated to ARIN. Now ARIN's server identifies 
> that this 
> address is in your /19 so it refers SPEWS to your own LDAP 
> server. Your 
> server identifies your customer ISP as the owner of the 
> block, or if your 
> customer has been keeping the records up to date with a simple LDAP 
> client, your server would identify that the guilty party is 
> indeed only on 
> one IP address. 
>
> Of course, this won't stop SPEWS from blacklisting you. But 
> it enables 
> SPEWS to quickly identify the organization (your customer 
> ISP) that has a 
> business relationship with the offender so that SPEWS is more 
> likely to 
> focus their attentions on these two parties.
>
> > 2) Does anyone else see a HUGE problem with listing a /19 because 
> > there
> is
> > one /32 of a spam advertised website?  When did this start 
> happening?
>
> It's a free country, you can't stop people like the SPEWS group from 
> expressing their opinions. As long as people are satisfied with crude 
> tools for mapping IP address to owner, this kind of thing 
> will continue to 
> happen.
>
> --Michael Dillon