Re: Repeated Blacklisting / IP reputation

[Jay Hennigan <jay () west net>]

John Curran wrote:
> Folks -
>
>    It appears that we have a real operational problem, in that ARIN
>    does indeed reissue space that has been reclaimed/returned after
>    a hold-down period, and but it appears that even once they are
>    removed from the actual source RBL's, there are still ISP's who
>    are manually updating these and hence block traffic much longer
>    than necessary.
>
>    I'm sure there's an excellent reason why these addresses stay
>    blocked, but am unable to fathom what exactly that is...
>    Could some folks from the appropriate networks explain why
>    this is such a problem and/or suggest additional steps that
>    ARIN or the receipts should be taking to avoid this situation?

I don't think there is an excellent reason, more likely inertia and no 
real incentive to put forth the effort to proactively remove addresses.

Many ISPs and organizations have their own private blocklists not 
associated with the widely known DNSBLs.  Typically during or 
immediately after a spam run the mail administrator will manually add 
offending addresses or netblocks.  Spamtrap hits may do this 
automatically.  There isn't any real incentive for people to go back and 
remove addresses unless they're notified by their own customers that 
legitimate mail coming from those addresses is being blocked.  Because 
these blocklists are individually maintained, there is no central 
registry or means to "clean them up" when an IP assignment changes.

To make matters worse, some organizations may simply ACL the IP space so 
that the TCP connection is never made in the first place (bad, looks 
like a network problem rather than deliberate filtering), some may drop 
it during SMTP with no clear indication as to the reason (less bad, as 
there is at least a hint that it could be filtering), and some may 
actually accept the mail and then silently discard it (worst).

In addition there are several DNSBLs with different policies regarding 
delisting.  Some just time out after a period of time since abuse was 
detected.  Some require action in the form of a delisting request.  Some 
require a delisting request and a time period with no abuse.  Some (the 
old SPEWS list) may not be easily reached or have well defined policies.

In meatspace, once a neighborhood winds up with a reputation of being 
rife with drive-by shootings, gang activity and drug dealing it may take 
a long time after the last of the graffiti is gone before some cab 
drivers will go there.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay () impulse net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV