nanog mailing list archives

blocking unallocated subnets
From: "John S. Bucy" <bucy () gloop org>
Date: Fri, 2 Dec 2005 14:45:52 -0500
I work for a large email provider and we've run into trouble
delivering mail to certain sites after bringing up new servers in a
recently allocated subnet of 72/8.  Apparently, some folks decided it
would be a good policy to protect their nameservers from ddos attacks
to silently drop requests from unallocated subnets.  So they obtained
a list of subnets at some point in the past, deployed it and then
never updated it.

This manifests itself in our system when the dns query repeatedly
times out on the smtp servers in that subnet while it works from
elsewhere.  In the instances we've run into this, it only seemed to
affect dns and not, say, smtp connections.

I just wanted to try to raise some awareness of this practice and the
trouble it may cause if the ruleset gets out-of-date.  This caused us
a pretty major headache the result of which is that we've given up for
now on trying to deliver mail out of that subnet.

john
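
The failure mode described above (a static "unallocated subnet" drop-list that was never refreshed, so it still blocks 72/8) can be caught by auditing the list against current allocations before it reaches the nameserver. The following is an added example, not code from the post or from any NANOG tool; the bogon and allocation lists are constructed sample data, where a real deployment would load the current IANA IPv4 registry instead.

```python
"""Audit a static bogon (unallocated-subnet) drop-list against current allocations."""
from ipaddress import IPv4Address, ip_network

# Constructed example: a drop-list captured before 72/8 was allocated,
# so it still covers 72.0.0.0/7 (72/8 and 73/8) alongside real bogons.
STALE_BOGONS = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "72.0.0.0/7", "127.0.0.0/8",
)]

# Constructed sample of space that is now allocated (72/8, as in the post).
NOW_ALLOCATED = [ip_network(p) for p in ("72.0.0.0/8",)]


def stale_entries(bogons, allocated):
    """Return drop-list entries that overlap currently allocated space.

    Any entry returned here silently drops traffic from legitimate hosts,
    which is exactly what the mail servers in the post ran into.
    """
    return [b for b in bogons if any(b.overlaps(a) for a in allocated)]


def would_drop(bogons, src):
    """True if a filter built from `bogons` would drop packets from `src`."""
    addr = IPv4Address(src)
    return any(addr in b for b in bogons)


def refreshed(bogons, allocated):
    """Carve every allocated prefix out of the drop-list.

    Entries fully inside an allocation are removed; entries that merely
    contain an allocation are split so only the still-unallocated part stays.
    """
    out = []
    for b in bogons:
        pieces = [b]
        for a in allocated:
            nxt = []
            for p in pieces:
                if a.supernet_of(p):          # whole piece is allocated now
                    continue
                if p.supernet_of(a):          # piece contains the allocation
                    nxt.extend(p.address_exclude(a))
                else:                         # no overlap with this allocation
                    nxt.append(p)
            pieces = nxt
        out.extend(pieces)
    return sorted(out)
```

Running `stale_entries` on each refresh of the allocation data is the check that would have flagged the 72.0.0.0/7 entry before a mail server in 72/8 ever timed out.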