Abuse procedures... Reality Checks

John Levine johnl at iecc.com
Sun Apr 8 03:27:07 UTC 2007


>> Sure, block that /29, but why block the /24, /20, or even /8?

Since nobody will route less than a /24, you can be pretty sure that
regardless of the SWIPs, everyone in a /24 is served by the same ISP.

I run a tiny network with about 400 mail users, but even so, my
semiautomated systems are sending off complaints about a thousand
spams a day that land in traps and filters.  (That doesn't count about
50,000/day that come from blacklisted sources that I package up and
sell to people who use them to tune filters and look for phishes.)  I
log the sources; when a particular IP has more than 50 complaints in a
month I usually block it, and if I see a bunch of blocked IPs in a range
I usually block the /24.  Now and then I get complaints from users
about blocked mail, but it's invariably from an individual IP at an
ISP or hosting company that has both a legit correspondent and a
spam-spewing worm or PHP script.  It is quite rare for an expansion to
a /24 to block any real mail.

My goal is to keep the real users' mail flowing, to block as much spam
as cheaply as I can, and to get some sleep.  I can assure you from
experience that any sort of automated RIR WHOIS lookups will quickly
trip volume checks and get you blocked, so I do a certain number
manually, typically to figure out how likely there is to be someone
reading the spam reports.  But on today's Internet, if you want to get
your mail delivered, it would be a good idea not to live in a bad
neighborhood, and if your ISP puts you in one, you need a better ISP.
That's life.

Regards,
John Levine, johnl at iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
"More Wiener schnitzel, please", said Tom, revealingly.
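The per-IP counting and /24 escalation John describes above, as an added example that is not part of the original post: the log format, the "bunch" cutoff of three blocked hosts per /24 and the sample addresses are all assumptions, only the 50-complaints-per-month threshold comes from the message.

```python
import ipaddress
from collections import Counter, defaultdict

# Thresholds: the per-IP value mirrors the post; the per-/24 value is an assumption.
PER_IP_THRESHOLD = 50   # complaints per IP in one month before that IP is blocked
PER_CIDR_THRESHOLD = 3  # blocked IPs inside one /24 before the whole /24 is blocked

def parse_log(text):
    """Return {month: Counter({ip: complaints})} from constructed 'YYYY-MM ip' lines."""
    per_month = defaultdict(Counter)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        month, ip = line.split()
        ipaddress.ip_address(ip)  # raise on malformed addresses instead of counting them
        per_month[month][ip] += 1
    return per_month

def blocked_ips(per_month, threshold=PER_IP_THRESHOLD):
    """IPs with more than `threshold` complaints in any single month."""
    return {ip for counts in per_month.values()
            for ip, n in counts.items() if n > threshold}

def escalate_to_cidr(ips, min_hosts=PER_CIDR_THRESHOLD):
    """Group blocked IPs by their /24; return (blocked /24s, IPs kept as singletons)."""
    by_net = defaultdict(set)
    for ip in ips:
        by_net[ipaddress.ip_network(f"{ip}/24", strict=False)].add(ip)
    nets = {net for net, hosts in by_net.items() if len(hosts) >= min_hosts}
    singles = {ip for ip in ips
               if ipaddress.ip_network(f"{ip}/24", strict=False) not in nets}
    return nets, singles

# Constructed sample complaint log (documentation address ranges only).
SAMPLE_LOG = "\n".join(
    ["2007-03 192.0.2.10"] * 60      # three noisy hosts in one /24 ...
    + ["2007-03 192.0.2.11"] * 55
    + ["2007-03 192.0.2.12"] * 51    # ... so the whole /24 gets blocked
    + ["2007-03 198.51.100.7"] * 70  # lone bad host; rest of its /24 is quiet
    + ["2007-03 203.0.113.5"] * 5    # below threshold, left alone
)

def build_blocklist(text=SAMPLE_LOG):
    """Return (sorted /24 strings, sorted single IPs) to block."""
    nets, singles = escalate_to_cidr(blocked_ips(parse_log(text)))
    return sorted(str(n) for n in nets), sorted(singles)

if __name__ == "__main__":
    print(build_blocklist())
```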