nanog mailing list archives
Re: Repeated Blacklisting / IP reputation
From: Jay Hennigan <jay () west net>
Date: Tue, 08 Sep 2009 11:13:51 -0700
John Curran wrote:
> Folks - It appears that we have a real operational problem, in that ARIN does indeed reissue space that has been reclaimed/returned after a hold-down period, but it appears that even once they are removed from the actual source RBLs, there are still ISPs who are manually updating these and hence block traffic much longer than necessary. I'm sure there's an excellent reason why these addresses stay blocked, but am unable to fathom what exactly that is... Could some folks from the appropriate networks explain why this is such a problem and/or suggest additional steps that ARIN or the recipients should be taking to avoid this situation?

I don't think there is an excellent reason, more likely inertia and no real incentive to put forth the effort to proactively remove addresses.
Many ISPs and organizations have their own private blocklists not associated with the widely known DNSBLs. Typically during or immediately after a spam run the mail administrator will manually add offending addresses or netblocks. Spamtrap hits may do this automatically. There isn't any real incentive for people to go back and remove addresses unless they're notified by their own customers that legitimate mail coming from those addresses is being blocked. Because these blocklists are individually maintained, there is no central registry or means to "clean them up" when an IP assignment changes.
To make matters worse, some organizations may simply ACL the IP space so that the TCP connection is never made in the first place (bad, looks like a network problem rather than deliberate filtering), some may drop it during SMTP with no clear indication as to the reason (less bad, as there is at least a hint that it could be filtering), and some may actually accept the mail and then silently discard it (worst).
In addition there are several DNSBLs with different policies regarding delisting. Some just time out after a period of time since abuse was detected. Some require action in the form of a delisting request. Some require a delisting request and a time period with no abuse. Some (the old SPEWS list) may not be easily reached or have well defined policies.
In meatspace, once a neighborhood winds up with a reputation of being rife with drive-by shootings, gang activity and drug dealing it may take a long time after the last of the graffiti is gone before some cab drivers will go there.
--
Jay Hennigan - CCIE #7880 - Network Engineering - jay () impulse net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
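
The message above describes privately maintained blocklists that never get cleaned up, and contrasts silent blocking with an SMTP-time rejection. As an added example (not part of the original post or any poster's code), here is a sketch of a local blocklist whose entries age out unless abuse recurs and which always answers with an explicit 550. The class name, the 30-day window and the contact address are assumptions; the addresses are constructed documentation ranges.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumption: an entry ages out after 30 days with no new abuse hit.
EXPIRY = timedelta(days=30)


class PrivateBlocklist:
    """Locally maintained blocklist whose entries expire unless abuse recurs."""

    def __init__(self, expiry=EXPIRY, contact="postmaster@example.net"):
        self.expiry = expiry
        self.contact = contact   # placeholder address shown to rejected senders
        self.entries = {}        # ip_network -> (last_abuse_seen, reason)

    def add(self, cidr, reason, when):
        """Record a manual or spamtrap listing; a repeat hit refreshes the timer."""
        self.entries[ipaddress.ip_network(cidr)] = (when, reason)

    def purge(self, now):
        """Drop entries with no abuse seen inside the expiry window."""
        stale = [n for n, (seen, _) in self.entries.items()
                 if now - seen > self.expiry]
        for net in stale:
            del self.entries[net]
        return stale

    def smtp_verdict(self, client_ip, now):
        """Return (code, text) for the SMTP session: an explicit 550, never a silent drop."""
        addr = ipaddress.ip_address(client_ip)
        for net, (seen, reason) in self.entries.items():
            if addr in net and now - seen <= self.expiry:
                until = (seen + self.expiry).date().isoformat()
                return 550, (f"5.7.1 {client_ip} blocked by local policy ({reason}); "
                             f"listing expires {until}; contact {self.contact}")
        return 250, "OK"


if __name__ == "__main__":
    bl = PrivateBlocklist()
    # Constructed sample: a /24 listed during a spam run, later reassigned.
    bl.add("192.0.2.0/24", "spam run", datetime(2009, 8, 1))
    print(bl.smtp_verdict("192.0.2.10", datetime(2009, 8, 15)))  # still listed
    print(bl.smtp_verdict("192.0.2.10", datetime(2009, 9, 8)))   # aged out
    print(bl.purge(datetime(2009, 9, 8)))
```
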