Repeated Blacklisting / IP reputation

Joe Greco jgreco at ns.sol.net
Tue Sep 8 18:52:35 UTC 2009


> On Tue, 8 Sep 2009, John Curran wrote:
> >   I'm sure there's an excellent reason why these addresses stay
> >   blocked, but am unable to fathom what exactly that is...
> >   Could some folks from the appropriate networks explain why
> >   this is such a problem and/or suggest additional steps that
> >   ARIN or the recipients should be taking to avoid this situation?
> 
> Most small to midsize networks probably have a "block it and forget it" 
> policy.  The facts that the spammer moved on, the IPs eventually got 
> returned to the RIR and reallocated to a different network go unnoticed 
> until the new LIR/ISP notifies those blocking the addresses that the 
> addresses have changed hands.  Ideally, the network doing the blocking 
> will know when they started blocking an IP, look at whois, and agree that 
> the block no longer makes sense.  I'm sure some will have no idea when or 
> why they started blocking an IP, and might be reluctant to unblock it. 
> This assumes you can actually get in touch with someone with the access 
> and understanding of the issues to have a conversation about their 
> blocking.  Some networks make that nearly impossible.  I ran into such 
> situations early on when trying to contact networks about their outdated 
> bogon filters when Atlantic.net got a slice of 69/8.
> 
> This blocking (or variations of it) has been a problem for about a decade.
> 
> http://www.michnet.net/mail.archives/nanog/2001-08/msg00448.html
> 
> I don't think there is any blanket solution to this issue.  Too many of 
> the networks doing the blocking likely don't participate in any forum 
> where the RIRs will reach people who care and can do something.

It should be pretty clear that reused IP space is going to represent a
problem.  There is no mechanism for "LIR/ISP notif[ication to] those 
blocking the addresses that the addresses have changed hands."  Even if
there were, this would be subject to potential gaming by spammers, such
as SWIP of a block to SpammerXCo, followed by an automatic unblock when
the "ISP" unSWIP's it and SWIP's it to "EmailBlasterB" - of course, the
same company.

How do we manage this into the future?  IPv6 shows some promise in terms
of delegation of larger spaces, which could in turn suggest that reuse
policies that discourage rapid reuse would be a best practice.  However,
that is more or less just acknowledging the status quo; networks are
likely to continue blocking for various reasons and for random periods.

A remote site being unable to communicate with us is not particularly
important except to the extent that it ends up distressing users here;
however, for larger sites, the blocked list could end up being
significant.

It seems like it *could* be useful to have a system to notify of network
delegation changes, but it also seems like if this was particularly
important to anyone, then someone would have found a trivial way to
implement at least a poor man's version of it.  For example, record 
the ASN of a blocked IP address and remove the block when the ASN 
changes...

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
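One way to build the "poor man's version" sketched above (record the origin ASN when an address is blocked, and let the block lapse once that ASN changes), as an added example that is not code from this thread or from any network named in it. The route tables, addresses and ASNs below are constructed sample data standing in for a real BGP or whois lookup; the `min_age` guard, which refuses to auto-unblock entries younger than a threshold so that a quick SWIP/unSWIP shuffle gains nothing, and the "manual review" bucket for addresses whose ASN cannot be determined are assumptions of this example rather than anything the post specifies.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data: two snapshots of ip -> origin ASN, standing in for a
# real routing-table or whois lookup. Addresses are from documentation ranges
# and ASNs from the private range, so none of this refers to a real network.
ROUTE_TABLE_THEN = {
    "203.0.113.10": 64500,
    "203.0.113.11": 64500,
    "203.0.113.12": 64500,
    "198.51.100.5": 64496,
}
ROUTE_TABLE_NOW = {
    "203.0.113.10": 64511,   # reallocated to a different network
    "203.0.113.11": 64500,   # still with the network that was blocked
    "203.0.113.12": 64511,   # reallocated, but the block is too young (min_age)
    # 198.51.100.5 is no longer announced: the lookup returns None
}

AsnLookup = Callable[[str], Optional[int]]


@dataclass
class BlockEntry:
    ip: str
    blocked_at: datetime
    reason: str
    asn_at_block: Optional[int]   # None if the ASN was unknown when blocked


def make_lookup(table: Dict[str, int]) -> AsnLookup:
    """Wrap a snapshot dict as a lookup function (hypothetical stand-in for
    querying BGP or whois)."""
    def lookup(ip: str) -> Optional[int]:
        ip_address(ip)              # raises ValueError on malformed input
        return table.get(ip)
    return lookup


def add_block(blocklist: Dict[str, BlockEntry], ip: str, reason: str,
              lookup_asn: AsnLookup, now: datetime) -> BlockEntry:
    """Record the block together with the origin ASN seen at block time."""
    ip_address(ip)
    entry = BlockEntry(ip, now, reason, lookup_asn(ip))
    blocklist[ip] = entry
    return entry


def review_blocks(blocklist: Dict[str, BlockEntry], lookup_asn: AsnLookup,
                  now: datetime, min_age: timedelta = timedelta(days=30)
                  ) -> Tuple[List[str], List[str], List[str]]:
    """Return (unblocked, kept, needs_manual_review) and drop the unblocked
    entries from the blocklist. An entry is auto-unblocked only when its ASN
    has changed AND the block is at least min_age old (assumption: this blunts
    rapid SWIP/unSWIP games). Entries whose ASN is unknown now or was unknown
    at block time are never auto-unblocked; they go to manual review."""
    unblock, keep, manual = [], [], []
    for ip, entry in list(blocklist.items()):
        current = lookup_asn(ip)
        if entry.asn_at_block is None or current is None:
            manual.append(ip)
        elif current != entry.asn_at_block and now - entry.blocked_at >= min_age:
            unblock.append(ip)
        else:
            keep.append(ip)
    for ip in unblock:
        del blocklist[ip]
    return unblock, keep, manual


def run_example() -> Tuple[List[str], List[str], List[str]]:
    """Blocks added against the old snapshot, reviewed against the new one."""
    now = datetime(2009, 9, 8, tzinfo=timezone.utc)
    long_ago = now - timedelta(days=400)
    lookup_then = make_lookup(ROUTE_TABLE_THEN)
    blocklist: Dict[str, BlockEntry] = {}
    add_block(blocklist, "203.0.113.10", "spam run", lookup_then, long_ago)
    add_block(blocklist, "203.0.113.11", "spam run", lookup_then, long_ago)
    add_block(blocklist, "203.0.113.12", "spam run", lookup_then,
              now - timedelta(days=5))
    add_block(blocklist, "198.51.100.5", "spam run", lookup_then, long_ago)
    return review_blocks(blocklist, make_lookup(ROUTE_TABLE_NOW), now)


if __name__ == "__main__":
    print(run_example())
```

Run it and `run_example()` lifts the block on the reallocated address, keeps the one whose ASN never changed, keeps the freshly blocked one despite its ASN change, and flags the unrouted one for a human to look at. The ASN is only a proxy for "changed hands": an allocation can move between customers of the same ASN without any change here, and a block with no recorded ASN can never be reasoned about later, which is the "no idea when or why" state the thread describes.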
