/24 blocking by ISPs - Re: Problems sending mail to yahoo?

Raymond L. Corbin rcorbin at hostmysite.com
Fri Apr 11 15:07:46 UTC 2008

It's not unusual to do /24 blocks, however Yahoo claims they do not keep any logs as to what causes the /24 block. If they kept logs and were able to tell us which IP address in the /24 sent abuse to their network we would then be able to investigate it. Their stance of 'it's coming from your network you should know' isn't really helpful in solving the problem. When an IP is blocked a lot of ISP's can tell you why. I would think when they block a /24 they would atleast be able to decipher who was sending the abuse to their network to cause the block and not simply say 'Were sorry our anti-spam measures do not conform with your business practices'. Logging into every server using a /24 is looking for needle in a haystack.

From: Suresh Ramasubramanian [ops.lists at gmail.com]
Sent: Thursday, April 10, 2008 11:56 PM
To: Raymond L. Corbin
Cc: Chris Stone; nanog at merit.edu
Subject: /24 blocking by ISPs - Re: Problems sending mail to yahoo?

On Fri, Apr 11, 2008 at 1:22 AM, Raymond L. Corbin
<rcorbin at hostmysite.com> wrote:
> Yeah, but without them saying which IP's are causing the problems you can't really tell
> which servers in a datacenter are forwarding their spam/abusing Yahoo. Once the /24
> block is in place then they claim to have no way of knowing who actually caused the block
> on the /24. The feedback loop would help depending on your network size.

Almost every large ISP does that kind of "complimentary upgrade"

There are enough networks around, like he.net, Yipes, PCCW Global /
Cais etc, that host huge amounts of "snowshoe" spammers -
http://www.spamhaus.org/faq/answers.lasso?section=Glossary#233 (you
know, randomly named / named after a pattern domains, with anonymous
whois or probably a PO box / UPS store in the whois contact, DNS
served by the usual suspects like Moniker..)

a /27 or /26 in a /24 might generate enough spam to drown the volume
of legitimate email from the rest of the /24, and that would cause
this kind of /24 block

In some cases, such as 63.217/16 on CAIS / PCCW, there is NOTHING
except spam coming from several /24s (and there's a /20 and a /21 out
of it in spamhaus), and practically zero traffic from the rest of the

Or there's Cogent with a similar infestation spread around 38.106/16

ISPs with virtual hosting farms full of hacked cgi/php scripts,
forwarders etc just dont trigger /24 blocks at the rate that ISPs
hosting snowshoe spammers do.

/24 blocks are simply a kind of motivation for large colo farms to try
choosing between hosting spammers and hosting legitimate customers.

srs ..

More information about the NANOG mailing list