Abuse procedures... Reality Checks

Frank Bulk frnkblk at iname.com
Sun Apr 8 03:56:18 UTC 2007


I guess our upstream provider is a nobody because they have lots of small
sub-allocated blocks less than a /24 that they route to different member
ISPs. =)

What is the point of blocking a /24 on the basis of a /32 if the ISP manages
dozens of other /24 or larger blocks?  If you're going to do it, block *all*
the IPs associated with the 'bad' ISP.  Then at least you're consistent;
otherwise expanding to a /24 is just a half (or 1%) job or laziness.

Frank

-----Original Message-----
From: Frank Bulk 
Sent: Saturday, April 07, 2007 10:45 PM
To: nanog at nanog.org
Subject: Re: Abuse procedures... Reality Checks


>> Sure, block that /29, but why block the /24, /20, or even /8?

Since nobody will route less than a /24, you can be pretty sure that
regardless of the SWIPs, everyone in a /24 is served by the same ISP.

I run a tiny network with about 400 mail users, but even so, my
semiautomated systems are sending off complaints about a thousand
spams a day that land in traps and filters.  (That doesn't count about
50,000/day that come from blacklisted sources that I package up and
sell to people who use them to tune filters and look for phishes.)  I
log the sources; when a particular IP has more than 50 complaints in a
month I usually block it, and if I see a bunch of blocked IPs in a range
I usually block the /24.  Now and then I get complaints from users
about blocked mail, but it's invariably from an individual IP at an
ISP or hosting company that has both a legit correspondent and a
spam-spewing worm or PHP script.  It is quite rare for an expansion to
a /24 to block any real mail.

My goal is to keep the real users' mail flowing, to block as much spam
as cheaply as I can, and to get some sleep.  I can assure you from
experience that any sort of automated RIR WHOIS lookups will quickly
trip volume checks and get you blocked, so I do a certain number
manually, typically to figure out how likely there is to be someone
reading the spam reports.  But on today's Internet, if you want to get
your mail delivered, it would be a good idea not to live in a bad
neighborhood, and if your ISP puts you in one, you need a better ISP.
That's life.

Regards,
John Levine, johnl at iecc.com, Primary Perpetrator of "The Internet for
Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
"More Wiener schnitzel, please", said Tom, revealingly.
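The per-IP threshold and /24 escalation that John describes above, written out as an added example (this is not code from either post, and it is not what John's semiautomated system actually runs). The "more than 50 complaints in a month" rule is taken from the post; the 30-day window, the choice of 3 blocked hosts in one /24 as "a bunch", and the complaint records themselves are constructed assumptions for the demonstration. It also makes Frank's objection concrete: a single heavily reported host that is alone in its /24 is blocked as a /32 and its neighbours stay reachable, because this logic knows nothing about which other prefixes the same ISP holds.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Rule stated in the post: block an IP with more than 50 complaints in a month.
PER_IP_THRESHOLD = 50
WINDOW = timedelta(days=30)           # assumed: "a month" as a rolling 30 days
RANGE_ESCALATION = 3                  # assumed: "a bunch" of blocked hosts in one /24


def ip_blocks(complaints, now, threshold=PER_IP_THRESHOLD, window=WINDOW):
    """Return the set of source IPs with more than `threshold` complaints
    inside the window ending at `now`. `complaints` is an iterable of
    (timestamp, source_ip) pairs, e.g. one per trap hit or user report."""
    cutoff = now - window
    counts = Counter(ip for ts, ip in complaints if ts >= cutoff)
    return {ip for ip, n in counts.items() if n > threshold}


def escalate_to_slash24(blocked_ips, min_hosts=RANGE_ESCALATION):
    """Group blocked hosts by their enclosing /24 and return the /24s that
    contain at least `min_hosts` blocked hosts. Only /24 is used because,
    per the post, nothing smaller is routed on its own."""
    by_net = defaultdict(set)
    for ip in blocked_ips:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        by_net[net].add(ip)
    return {net for net, hosts in by_net.items() if len(hosts) >= min_hosts}


def is_blocked(ip, blocked_ips, blocked_nets):
    """Decision for one connecting address: explicit /32 block, or inside
    an escalated /24."""
    addr = ipaddress.ip_address(ip)
    return ip in blocked_ips or any(addr in net for net in blocked_nets)


def blocked_nets_as_strings(blocked_nets):
    return sorted(str(net) for net in blocked_nets)


def make_sample():
    """Constructed complaint log (documentation ranges, not real sources)."""
    now = datetime(2007, 4, 7)
    rows = []
    # three hosts in 192.0.2.0/24, 60 complaints each within the window
    for host in (10, 11, 12):
        rows += [(now - timedelta(days=d % 28), f"192.0.2.{host}") for d in range(60)]
    # one host in 198.51.100.0/24 with 70 complaints: blocked as a /32,
    # but alone in its /24, so the /24 is not escalated
    rows += [(now - timedelta(days=d % 28), "198.51.100.7") for d in range(70)]
    # exactly 50 complaints: the rule is "more than 50", so not blocked
    rows += [(now - timedelta(days=d % 28), "203.0.113.9") for d in range(50)]
    # 80 complaints, all 40 days old: outside the window, ignored
    rows += [(now - timedelta(days=40), "203.0.113.10")] * 80
    return now, rows


if __name__ == "__main__":
    now, rows = make_sample()
    hosts = ip_blocks(rows, now)
    nets = escalate_to_slash24(hosts)
    print("blocked /32s:", sorted(hosts))
    print("blocked /24s:", blocked_nets_as_strings(nets))
    for probe in ("192.0.2.200", "198.51.100.8", "203.0.113.9"):
        print(probe, "blocked" if is_blocked(probe, hosts, nets) else "allowed")
```

Note that the window is evaluated against `now` on every run, so an IP that stops sending drops off the block list once its complaints age out; a real deployment would also want to persist the decisions and log why each /24 was escalated so the occasional "my mail is blocked" ticket can be answered.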