EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)

Steven Champeon schampeo at hesketh.com
Mon Jun 23 13:28:04 CDT 2008


on Sun, Jun 22, 2008 at 01:24:43PM -0500, Al Iverson wrote:
> I'm not going to pretend I manage inbound mail service for
> thousands-to-millions of users (as most of the participants of other
> lists like SPAM-L are fond of imagining themselves), but I know enough
> about how IP reputation systems work at ISPs to know that if I did
> manage inbound mail for such a userbase, the EC2 IPs would be blocked
> repeatedly and often, and there would come a point where the blocks
> escalate to /24s and larger, and there would come a point where the
> blocks are removed slower and less often.

I don't pretend to manage inbound mail service for more than dozens, but
I do provide a service via enemieslist that is indirectly used by
millions, and out of the over 32K rDNS naming conventions I've
catalogued and classified, in terms of their dynamicity/staticity/etc.,
only four are related to Amazon/EC2.

Now, if the entire 'Net moved to a cloud computing model, I could agree
with Paul that this would be the end of IP reputation. But I'm only
aware of two such services (Amazon EC2 and Media Temple's
gridserver.com) in widespread use, so I haven't bothered to come up with
a new classification for them, and treat them as essentially dynamic
(with gridserver.com also classified as 'webhost').

I moved away from the strictly IP-based reputation model several years
ago (though I still use DNSBLs as a practical tool), and instead treat
classes of IPs as a set about which certain reputation-ish qualities can
be asserted, which works very well in a scoring-style context.

Steve

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2553 w: http://hesketh.com/
antispam news, solutions for sendmail, exim, postfix: http://enemieslist.com/




More information about the NANOG mailing list