Spam. Again.. -- and blocking net blocks?

Scott Silzer scotts at
Tue Dec 10 20:45:29 UTC 2002

I could understand if an ISP was allowing spam from a portion of 
there network.  But in this case the only thing that the ISP did is 
host a website, the SPAM was sent from from a third party's network. 
The ISP did terminate the customer but in the meantime the entire 
NSP's network has been blacklisted, for a rouge webhosting account 
does sound a bit harsh.

At 12:08 -0800 12/10/2002, Lee, Hansel wrote:
>Quick Comment as a NANOG lurker and SPEWS lurker
>(  I'm not defending SPEWS, don't speak for
>SPEWS but will describe what I understand happens:
>SPEWS initially lists offending IP address blocks from non-repentant SPAM
>sources.  If the upstream ISP does nothing about it, that block tends to
>expand to neighboring blocks to gain the attention of the ISP.
>High level concept:
>	Block the SPAMMER
>		- ISP Does nothing
>	Block the SPAMMER's Neighboring Blocks (Collateral Damage)
>		- Motivates neighbors to find new Upstream/Isp
>		- Motivates neighbors to complain to upstream/ISP
>		- Gains the attention of the Upstream/ISP
>	Expand the Block
>		- Ditto
>	Block the ISP as a whole
>The SPEWS concept prevents an ISP from allowing spammers on some blocks
>while trying to service legitimate customers on others.  For an ISP - it is
>either all or none over time, you support spammers and are blocked as a
>whole (to include innocent customers).
>If you do end up mistakenly on SPEWS or take care of your spamming customers
>- you can appeal to them at, get flamed pretty
>bad, and eventually fall off the list.
>I do personally like the idea of holding the ISP as a whole accountable over
>time.  An ISP can stay off spews, I've never had a block listed - though
>when I'm in a decision making position, I've never tolerated a spammer.
>-----Original Message-----
>From: Michael.Dillon at [mailto:Michael.Dillon at]
>Sent: Tuesday, December 10, 2002 08:36
>Cc: nanog at; owner-nanog at
>Subject: Re: Spam. Again.. -- and blocking net blocks?
>>  Problem:
>>  For some reason, spews has decided to now block one of our /19.. Ie no
>>  server in the /19 can send mail.
>>  Questions:
>>  1) How do we smack some sense into spews?
>Make it easy for them to identify the fact that your downstream ISP
>customer has allocated that /32 to a separate organisation. This is what
>referral whois was supposed to do but it never happened because
>development of the tools fizzled out.
>If SPEWS could plug guilty IP addresses into an automated tool and come up
>with an accurate identification of which neighboring IP addresses were
>tainted and which were not, then they wouldn't use such crude techniques.
>Imagine a tool which queries the IANA root LDAP server for an IP address.
>The IANA server refers them to ARIN's LDAP server because this comes from
>a /8 that was allocated to ARIN. Now ARIN's server identifies that this
>address is in your /19 so it refers SPEWS to your own LDAP server. Your
>server identifies your customer ISP as the owner of the block, or if your
>customer has been keeping the records up to date with a simple LDAP
>client, your server would identify that the guilty party is indeed only on
>one IP address.
>Of course, this won't stop SPEWS from blacklisting you. But it enables
>SPEWS to quickly identify the organization (your customer ISP) that has a
>business relationship with the offender so that SPEWS is more likely to
>focus their attentions on these two parties.
>>  2) Does anyone else see a HUGE problem with listing a /19 because there
>>  one /32 of a spam advertised website?  When did this start happening?
>It's a free country, you can't stop people like the SPEWS group from
>expressing their opinions. As long as people are satisfied with crude
>tools for mapping IP address to owner, this kind of thing will continue to
>--Michael Dillon

Scott A Silzer

More information about the NANOG mailing list