nanog mailing list archives

Re: Repeated Blacklisting / IP reputation


From: "Wayne E. Bouchard" <web () typo org>
Date: Tue, 8 Sep 2009 11:44:44 -0700

On Tue, Sep 08, 2009 at 10:16:33AM -0500, Ronald Cotoni wrote:
Tom Pipes wrote:
Greetings, 


We obtained a direct assigned IP block 69.197.64.0/18 from ARIN in 2008. 
This block has been cursed (for lack of a better word) since we obtained 
it.  It seems like every customer we have added has had repeated issues 
with being blacklisted by DUL and the cable carriers. (AOL, AT&T, Charter, 
etc).  I understand there is a process to getting removed, but it seems as 
if these IPs had been used and abused by the previous owner.  We have done 
our best to ensure these blocks conform to RFC standards, including the 
proper use of reverse DNS pointers.

I can resolve the issue very easily by moving these customers over to our 
other direct assigned 66.254.192.0/19 block.  In the last year I have done 
this numerous times and have had no further issues with them.

My question:  Is there some way to clear the reputation of these blocks 
up, or start over to prevent the amount of time we are spending with each 
customer troubleshooting unnecessary RBL and reputation blacklisting? 
I have used every opportunity to use the automated removal links from the 
SMTP rejections, and worked with the RBL operators directly.  Most of what 
I get are cynical responses and promises that it will be fixed.  
If there is any question, we perform inbound and outbound scanning of all 
e-mail, even though we know that this appears to be something more 
relating to the block itself.

Does anyone have any suggestions as to how we can clear this issue up?  
Comments on or off list welcome.

Thanks,

--- 
Tom Pipes 
T6 Broadband/ 
Essex Telcom Inc 
tom.pipes () t6mail com 



 
Unfortunately, there is no real good way to get yourself completely 
delisted.  We are experiencing that with a /18 we got from ARIN recently 
and it is basically the RBLs not updating or perhaps they are not 
checking the ownership of the IPs as compared to before.  On some 
RBLs, we have IP addresses that have been listed since before the 
company I work for even existed.  Amazing, right?

This is not actually a new problem. ISPs have been fighting this for
some time. When a dud customer spams from a given IP range and gets it
placed in various RBLs, when that customer is booted or otherwise
removed, that block will probably get reissued. The new customer then
calls up and says, "my email isn't getting through." All it takes is a
little investigation and the cause becomes clear. In my experience,
there is absolutely no way to deal with this other than contacting the
companies your customer is trying to email one by one. Not all of them
will respond to you but when they are slow or do not act at all, quite
often if the recipient on the other end calls them up and says, "WTF?"
it generates more action.

Sadly, I do not foresee this problem getting any easier.

Best practices for the public or subscription RBLs should be to place
a TTL on the entry of no more than, say, 90 days or thereabouts. Best
practices for manual entry should be to either keep a list of what and
when or periodically to simply blow the whole list away and start anew
to get rid of stale entries. Of course, that is probably an unreal
expectation.

-Wayne

---
Wayne Bouchard
web () typo org
Network Dude
http://www.typo.org/~web/
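
A sketch of the expiry practice suggested in the message above, added here as an example and not part of the original thread or any RBL operator's code: a manually maintained blocklist that records what was listed and when, ignores entries older than 90 days at lookup time, and prunes them. The class and function names, the listing dates and the reasons are assumptions constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)  # "no more than, say, 90 days" from the message


class Blocklist:
    """Hypothetical manual blocklist that keeps 'what and when' per entry."""

    def __init__(self, max_age=MAX_AGE):
        self.max_age = max_age
        self.entries = []  # list of (network, listed_at, reason)

    def add(self, cidr, listed_at, reason):
        self.entries.append((ipaddress.ip_network(cidr), listed_at, reason))

    def is_stale(self, listed_at, now):
        # An entry exactly max_age old is still live; anything older is stale.
        return now - listed_at > self.max_age

    def prune(self, now):
        """Drop stale entries and return them so the removal can be logged."""
        stale = [e for e in self.entries if self.is_stale(e[1], now)]
        self.entries = [e for e in self.entries if not self.is_stale(e[1], now)]
        return stale

    def lookup(self, ip, now):
        """Reasons for live entries covering ip; stale entries never match,
        so a reassigned block is not penalised even before prune() runs."""
        addr = ipaddress.ip_address(ip)
        return [reason for net, listed_at, reason in self.entries
                if addr in net and not self.is_stale(listed_at, now)]


def demo():
    now = datetime(2009, 9, 8, tzinfo=timezone.utc)
    bl = Blocklist()
    # Constructed sample entries: dates and reasons are invented.
    bl.add("69.197.64.0/18", datetime(2007, 3, 1, tzinfo=timezone.utc),
           "spam from earlier holder")
    bl.add("192.0.2.0/24", datetime(2009, 8, 20, tzinfo=timezone.utc),
           "spam run")
    old_block = bl.lookup("69.197.70.10", now)   # stale listing is ignored
    removed = [str(net) for net, _, _ in bl.prune(now)]
    recent = bl.lookup("192.0.2.25", now)        # 19-day-old listing still applies
    return old_block, removed, recent
```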

