dealing with bogon spam ?

Nathan Ward nanog at daork.net
Wed Oct 28 00:13:51 UTC 2009


On 28/10/2009, at 12:57 PM, Leslie wrote:

> First off, I'm not certain if unallocated space in blocks less than  
> a /8 is properly called bogon, so pardon my terminology if I'm  
> incorrect.
>
> We're seeing a decent chunk of spam coming from an unallocated block  
> of address space.  We use CYMRU's great list of /8 bogon space to  
> prevent completely off the wall abuse, but the granularity stops at  
> /8's. Obviously, I've written the originating AS and its single  
> upstream provider (sadly without any response).  I'm not looking for  
> a one time solution for this issue however -- I'd like to  
> permanently block (and kick) anyone who's using unallocated space  
> illegitimately.
>
> How have you dealt with this issue? Does anyone publish a more  
> granular listing of unallocated space? Does ARIN have this  
> information somewhere other than just probing any given IP via whois?


You *might* be able to get a copy of the whois database as an  
optimisation so you don't have to hit their servers all the time -  
does that help?
I wouldn't rely on that though, but I don't see any other good options.
Perhaps you can only accept stuff from networks that you first saw an  
announcement for greater than 7 days ago, to prevent people popping up  
with a network for a day, spamming, and then disappearing? Likely to  
get lots of false positives in that though, and as soon as someone  
figures out your technique it's not going to work.

Religious war alert: does SIDR solve this? I guess only if you only  
accept signed advertisements.. I don't know if that is the intended  
default mode or not.. Need to do some reading I guess.

--
Nathan Ward
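
The first-seen age check suggested in the reply above, sketched as an added example that is not part of the original message. The prefix table, function names and dates are hypothetical; the sample data is constructed from RFC 5737 documentation prefixes, and collecting first-seen times from a BGP feed is assumed rather than shown.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

MIN_AGE = timedelta(days=7)  # "greater than 7 days ago", per the message

# Constructed sample data (RFC 5737 documentation prefixes): prefix -> time
# an announcement for it was first observed. A real table would be built
# from your own BGP feed; that collection step is assumed, not shown.
FIRST_SEEN = {
    "192.0.2.0/24": datetime(2009, 1, 5, tzinfo=timezone.utc),
    "203.0.113.0/24": datetime(2008, 3, 1, tzinfo=timezone.utc),
    "203.0.113.128/25": datetime(2009, 10, 26, tzinfo=timezone.utc),
}

def build_table(first_seen):
    """Parse prefixes and order them most-specific first."""
    entries = [(ipaddress.ip_network(p), t) for p, t in first_seen.items()]
    return sorted(entries, key=lambda e: e[0].prefixlen, reverse=True)

def classify(source_ip, table, now):
    """Return 'accept', 'too-new' or 'never-seen' for a connecting address."""
    addr = ipaddress.ip_address(source_ip)
    for net, seen in table:
        if addr.version == net.version and addr in net:
            # Longest match decides: a fresh more-specific inside an old
            # covering prefix is judged by its own first-seen time.
            return "accept" if now - seen > MIN_AGE else "too-new"
    return "never-seen"

TABLE = build_table(FIRST_SEEN)
NOW = datetime(2009, 10, 28, tzinfo=timezone.utc)  # constructed "current" time

if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.5", "203.0.113.200", "198.51.100.7"):
        print(ip, classify(ip, TABLE, NOW))
```

A legitimately renumbered or newly announced network lands in "too-new" for its first week, which is the false-positive cost the reply mentions.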



