Spam. Again.. -- and blocking net blocks?
MSegal at FUTUREWAY.CA
Tue Dec 10 20:33:33 UTC 2002
Problem was it was a downstream ISP.. This all comes down to, we warn them
since it is their customer, they don't deal with it, we black hole part of
But it take 3-4 days to do that to a large downstream.
Director, Data Services
Futureway Communications Inc.
> -----Original Message-----
> From: Lee, Hansel [mailto:Hansel.Lee at corp.winfirst.com]
> Sent: December 10, 2002 3:08 PM
> To: 'nanog at nanog.org'
> Cc: 'owner-nanog at merit.edu'
> Subject: RE: Spam. Again.. -- and blocking net blocks?
> Quick Comment as a NANOG lurker and SPEWS lurker
> (news.admin.net-abuse.email). I'm not defending SPEWS, don't
> speak for SPEWS but will describe what I understand happens:
> SPEWS initially lists offending IP address blocks from
> non-repentant SPAM sources. If the upstream ISP does nothing
> about it, that block tends to expand to neighboring blocks to
> gain the attention of the ISP.
> High level concept:
> Block the SPAMMER
> - ISP Does nothing
> Block the SPAMMER's Neighboring Blocks (Collateral Damage)
> - Motivates neighbors to find new Upstream/Isp
> - Motivates neighbors to complain to upstream/ISP
> - Gains the attention of the Upstream/ISP
> Expand the Block
> - Ditto
> Block the ISP as a whole
> The SPEWS concept prevents an ISP from allowing spammers on
> some blocks while trying to service legitimate customers on
> others. For an ISP - it is either all or none over time, you
> support spammers and are blocked as a whole (to include
> innocent customers).
> If you do end up mistakenly on SPEWS or take care of your
> spamming customers
> - you can appeal to them at news.admin.net-abuse.email, get
> flamed pretty bad, and eventually fall off the list.
> I do personally like the idea of holding the ISP as a whole
> accountable over time. An ISP can stay off spews, I've never
> had a block listed - though when I'm in a decision making
> position, I've never tolerated a spammer.
> -----Original Message-----
> From: Michael.Dillon at radianz.com [mailto:Michael.Dillon at radianz.com]
> Sent: Tuesday, December 10, 2002 08:36
> To: MSegal at FUTUREWAY.CA
> Cc: nanog at nanog.org; owner-nanog at merit.edu
> Subject: Re: Spam. Again.. -- and blocking net blocks?
> > Problem:
> > For some reason, spews has decided to now block one of our
> /19.. Ie no
> > server in the /19 can send mail.
> > Questions:
> > 1) How do we smack some sense into spews?
> Make it easy for them to identify the fact that your downstream ISP
> customer has allocated that /32 to a separate organisation.
> This is what
> referral whois was supposed to do but it never happened because
> development of the tools fizzled out.
> If SPEWS could plug guilty IP addresses into an automated
> tool and come up
> with an accurate identification of which neighboring IP
> addresses were
> tainted and which were not, then they wouldn't use such crude
> Imagine a tool which queries the IANA root LDAP server for an
> IP address.
> The IANA server refers them to ARIN's LDAP server because
> this comes from
> a /8 that was allocated to ARIN. Now ARIN's server identifies
> that this
> address is in your /19 so it refers SPEWS to your own LDAP
> server. Your
> server identifies your customer ISP as the owner of the
> block, or if your
> customer has been keeping the records up to date with a simple LDAP
> client, your server would identify that the guilty party is
> indeed only on
> one IP address.
> Of course, this won't stop SPEWS from blacklisting you. But
> it enables
> SPEWS to quickly identify the organization (your customer
> ISP) that has a
> business relationship with the offender so that SPEWS is more
> likely to
> focus their attentions on these two parties.
> > 2) Does anyone else see a HUGE problem with listing a /19 because
> > there
> > one /32 of a spam advertised website? When did this start
> It's a free country, you can't stop people like the SPEWS group from
> expressing their opinions. As long as people are satisfied with crude
> tools for mapping IP address to owner, this kind of thing
> will continue to
> --Michael Dillon
More information about the NANOG