Spam. Again.. -- and blocking net blocks?

Mark Segal MSegal at FUTUREWAY.CA
Tue Dec 10 20:33:33 UTC 2002

I agree.. 

Problem was it was a downstream ISP.. This all comes down to, we warn them
since it is their customer, they don't deal with it, we black hole part of
their network.. 

But it takes 3-4 days to do that to a large downstream.


Mark Segal
Director, Data Services
Futureway Communications Inc.
Tel: (905)326-1570

> -----Original Message-----
> From: Lee, Hansel [mailto:Hansel.Lee at] 
> Sent: December 10, 2002 3:08 PM
> To: 'nanog at'
> Cc: 'owner-nanog at'
> Subject: RE: Spam. Again.. -- and blocking net blocks?
> Quick Comment as a NANOG lurker and SPEWS lurker 
> (  I'm not defending SPEWS, don't 
> speak for SPEWS but will describe what I understand happens: 
> SPEWS initially lists offending IP address blocks from 
> non-repentant SPAM sources.  If the upstream ISP does nothing 
> about it, that block tends to expand to neighboring blocks to 
> gain the attention of the ISP.
> High level concept:
> 	Block the SPAMMER
> 		- ISP Does nothing
> 	Block the SPAMMER's Neighboring Blocks (Collateral Damage)
> 		- Motivates neighbors to find new Upstream/Isp
> 		- Motivates neighbors to complain to upstream/ISP
> 		- Gains the attention of the Upstream/ISP
> 	Expand the Block
> 		- Ditto
> 	Block the ISP as a whole
> The SPEWS concept prevents an ISP from allowing spammers on 
> some blocks while trying to service legitimate customers on 
> others.  For an ISP - it is either all or none over time, you 
> support spammers and are blocked as a whole (to include 
> innocent customers). 
> If you do end up mistakenly on SPEWS or take care of your spamming customers
> - you can appeal to them at, get flamed pretty bad, and eventually fall off
> the list. 
> I do personally like the idea of holding the ISP as a whole 
> accountable over time.  An ISP can stay off spews, I've never 
> had a block listed - though when I'm in a decision making 
> position, I've never tolerated a spammer. 
> Hansel
> -----Original Message-----
> From: Michael.Dillon at [mailto:Michael.Dillon at] 
> Sent: Tuesday, December 10, 2002 08:36
> To: MSegal at FUTUREWAY.CA
> Cc: nanog at; owner-nanog at
> Subject: Re: Spam. Again.. -- and blocking net blocks?
> > Problem:
> > For some reason, spews has decided to now block one of our /19.. Ie no mail
> > server in the /19 can send mail.
> > Questions:
> > 1) How do we smack some sense into spews?
>
> Make it easy for them to identify the fact that your downstream ISP
> customer has allocated that /32 to a separate organisation. This is what
> referral whois was supposed to do but it never happened because
> development of the tools fizzled out.
>
> If SPEWS could plug guilty IP addresses into an automated tool and come up
> with an accurate identification of which neighboring IP addresses were
> tainted and which were not, then they wouldn't use such crude techniques.
>
> Imagine a tool which queries the IANA root LDAP server for an IP address.
> The IANA server refers them to ARIN's LDAP server because this comes from
> a /8 that was allocated to ARIN. Now ARIN's server identifies that this
> address is in your /19 so it refers SPEWS to your own LDAP server. Your
> server identifies your customer ISP as the owner of the block, or if your
> customer has been keeping the records up to date with a simple LDAP
> client, your server would identify that the guilty party is indeed only on
> one IP address.
>
> Of course, this won't stop SPEWS from blacklisting you. But it enables
> SPEWS to quickly identify the organization (your customer ISP) that has a
> business relationship with the offender so that SPEWS is more likely to
> focus their attentions on these two parties.
>
> > 2) Does anyone else see a HUGE problem with listing a /19 because there is
> > one /32 of a spam advertised website?  When did this start happening?
>
> It's a free country, you can't stop people like the SPEWS group from
> expressing their opinions. As long as people are satisfied with crude
> tools for mapping IP address to owner, this kind of thing will continue to
> happen.
> --Michael Dillon
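
The referral lookup described in the quoted message above (root registry, then regional registry, then upstream, then downstream), as an added sketch that is not part of the original thread. The server names, prefixes and owners are constructed, and an in-memory table stands in for the LDAP servers the message imagines.

```python
import ipaddress

# Constructed sample data (hypothetical names, private address space).
# Each "server" maps a prefix to ("refer", next_server) or ("owner", name).
SERVERS = {
    "iana": {"10.0.0.0/8": ("refer", "rir")},
    "rir": {"10.20.32.0/19": ("refer", "upstream")},
    "upstream": {"10.20.40.0/22": ("refer", "downstream"),
                 "10.20.32.0/19": ("owner", "Upstream ISP")},
    "downstream": {"10.20.41.7/32": ("owner", "Offending customer"),
                   "10.20.40.0/22": ("owner", "Downstream ISP")},
}

def longest_match(table, addr):
    """Return (network, record) for the most specific prefix holding addr."""
    best = None
    for prefix, record in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, record)
    return best

def resolve(ip, servers=SERVERS, root="iana", max_hops=8):
    """Follow referrals from the root; return the list of hops taken."""
    addr = ipaddress.ip_address(ip)
    server, chain, seen = root, [], set()
    # Stop on unknown servers, referral loops, or an overlong chain.
    while server in servers and server not in seen and len(chain) < max_hops:
        seen.add(server)
        match = longest_match(servers[server], addr)
        if match is None:
            break
        net, (kind, value) = match
        chain.append((server, str(net), kind, value))
        if kind == "owner":
            break
        server = value
    return chain

def blocking_scope(ip, servers=SERVERS):
    """Narrowest prefix the records can attribute, and to whom."""
    chain = resolve(ip, servers)
    if not chain:
        return None
    _, net, kind, value = chain[-1]
    if kind == "owner":
        return (net, value)
    # The referral target published nothing, so only the delegated
    # block is known and the scope stays coarse.
    return (net, "unknown, referral to %s unanswered" % value)
```

With the downstream's records present the scope narrows to the single /32; with them missing, the best the lookup can return is the whole delegated block.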
