Repeated Blacklisting / IP reputation

Rich Kulawiec rsk at gsp.org
Mon Sep 14 10:49:49 UTC 2009


On Tue, Sep 08, 2009 at 11:44:44AM -0700, Wayne E. Bouchard wrote:
> Best practices for the public or subscription RBLs should be to place
> a TTL on the entry of no more than, say, 90 days or thereabouts.

But there's no reason to do so, and a number of reasons not to, including
the very high probabilityXXXXXXXXXcertainty that spammers would use
this to rotate through multiple allocations at 91-day intervals.

Best practice is to identify blocks that are owned (or effectively owned)
by spammers and blacklist them until a need arises *on the receiving side*
to remove those blocks.  Yes, this is unfortunate, and draconian, and
any number of other things, but the ISPs responsible for this situation
should probably have considered this inevitable result before they decided
to host well-known spammers that 60 seconds of due diligence would have
identified, and subsequently to turn a blind eye to the abuse emanating
from their networks.

For example: Ron Guilmette has recently pointed out that notorious spammer
Scott Richter has apparently hijacked *another* /16 block -- 150.230.0.0/16.
I've dropped that block into various local blacklists, and in some cases,
various local firewalls.  The entry is essentially permanent, because
there's no reason for me to make it otherwise.  Perhaps one day ARIN
will yank it back, along with all his other blocks, and blacklist him
for life; but (a) I doubt it and (b) I'm not willing to wait.  The best
course of action for me is to just consider it scorched earth and move on.

---Rsk
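The post contrasts two listing policies: entries that expire after a fixed TTL (which a spammer can wait out and rotate past) and entries that stay until the receiving side chooses to remove them. The following is an added illustration, not code from the post or from any NANOG participant: a small local CIDR blocklist that supports both permanent entries and TTL-bearing ones, with longest-prefix matching. The 150.230.0.0/16 block is the one named in the post; the 192.0.2.0/24 entry, its 90-day TTL, and the dates are constructed sample data, and `LocalBlocklist`, `Listing`, and `build_sample_blocklist` are names chosen here.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import Optional, Union

Network = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class Listing:
    """One blocklist entry. ttl_days=None means the entry is permanent,
    i.e. it stays until an operator removes it on the receiving side."""
    network: Network
    reason: str
    listed_on: date
    ttl_days: Optional[int] = None

    def expires_on(self) -> Optional[date]:
        if self.ttl_days is None:
            return None
        return self.listed_on + timedelta(days=self.ttl_days)


class LocalBlocklist:
    """Local CIDR blocklist with per-entry expiry and longest-prefix match."""

    def __init__(self) -> None:
        self._entries: list[Listing] = []

    def add(self, cidr: str, reason: str, listed_on: date,
            ttl_days: Optional[int] = None) -> Listing:
        # strict=False lets an operator paste "150.230.1.0/16" without
        # first normalising the host bits.
        entry = Listing(ip_network(cidr, strict=False), reason, listed_on, ttl_days)
        self._entries.append(entry)
        return entry

    def lookup(self, ip: str, on: str) -> Optional[Listing]:
        """Return the most specific non-expired listing covering ip on the
        given ISO date, or None if the address is not listed."""
        addr = ip_address(ip)
        today = date.fromisoformat(on)
        best: Optional[Listing] = None
        for entry in self._entries:
            if entry.network.version != addr.version or addr not in entry.network:
                continue
            expiry = entry.expires_on()
            if expiry is not None and today >= expiry:
                continue  # TTL has run out; the block is no longer matched
            if best is None or entry.network.prefixlen > best.network.prefixlen:
                best = entry
        return best

    def is_blocked(self, ip: str, on: str) -> bool:
        return self.lookup(ip, on) is not None


def build_sample_blocklist() -> LocalBlocklist:
    """Constructed sample: one permanent entry (the /16 named in the post)
    and one constructed entry from the documentation range with a 90-day TTL."""
    bl = LocalBlocklist()
    listed = date(2009, 9, 14)
    bl.add("150.230.0.0/16", "hijacked block, per NANOG post", listed)
    bl.add("192.0.2.0/24", "constructed sample, 90-day TTL", listed, ttl_days=90)
    return bl


if __name__ == "__main__":
    bl = build_sample_blocklist()
    for ip, on in [("150.230.17.4", "2009-09-14"), ("150.230.17.4", "2020-01-01"),
                   ("192.0.2.10", "2009-09-14"), ("192.0.2.10", "2009-12-14")]:
        hit = bl.lookup(ip, on)
        print(ip, on, "blocked:" if hit else "not listed", hit.reason if hit else "")
```

Running the block shows the difference the post is describing: the permanent /16 still matches a decade later, while the TTL-bearing /24 stops matching once 90 days have elapsed, which is exactly the window a sender who controls several allocations could rotate through.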
