Repeated Blacklisting / IP reputation

Christopher Morrow morrowc.lists at gmail.com
Wed Sep 16 01:34:14 UTC 2009


On Tue, Sep 15, 2009 at 4:46 PM,  <bmanning at vacation.karoshi.com> wrote:
>
> so... this thread has a couple of really interesting characteristics.
> a couple are worth mentioning more directly (they have been alluded to elsewhere)...

as always, despite your choice in floral patterned shirts :) good
comments/questions.

>
>        Who gets to define "bad" - other than a blacklist operator?
>        Are there common, consistent definitions of "contamination"?
>

nope, each BL (as near as I can tell) has their own criteria (with
some overlaps to be certain) and they all have their own set of rules
that they either break at-will or change when it suits them. Their
incentives are not aligned with actually getting the problem resolved,
sadly... and they really don't have any power to resolve problems
anyway.

>        If these are social/political - recognise that while the ARIN
>        region is fairly consistent in its general use and interpretation
>        of law, there are known variants - based on sovereign region.

Yup, you don't like my business how about I move to the Caymans where
it's no longer illegal? :( The Internet brings with it some
interesting judicial/jurisdictional baggage.

> this whole debate/discussion seems based on the premise that there are well
> known, consistent, legally defendable choices for defining offensive behaviours.
> and pretty much all of history shows us this is not the case.

There are really two discussions, I think somewhere along the path
they were conflated:

1) newly allocated from IANA netblocks show up to end customers and
reachability problems ensue. (route-filters and/or firewall filters)

2) newly re-allocated netblocks show up with RBL baggage (rbls and
smtp blocks at the application layer)

For #1 there was some work (rbush and prior to that Jon Lewis
69block.org?) showing that folks 'never' alter their 'bogon route
filters' or 'bogon access-list entries'.

For #2 ARIN may have a solution in place, if it were more publicly
known (rss feed of allocations, care of RS and marty hannigan
pointers) that RBL operators could use to clean out entries in their
lists providing a better service to their 'users' even, perish the
thought!

>        (is or is not a mother nursing her child in public pornographic?)

or SI Swimsuit edition depending on the part of the world you are in,
yes, or even YouTube videos, weee!

> So - I suspect that in the end, a registry (ARIN) or an ISP (COMCAST) is only
> going to be able to tell you a few things about the prefix you have been handed.
>
>        a) it's virginal - never been used (that we know of)
>        b) it's been used once.
>        c) it has a checkered past

I actually don't think it's a help for ARIN to say anything here,
since they can never know all the RBL's and history for a netblock,
and they can't help in the virginal case since they don't run
network-wide filters.

A FAQ that says some of the above with some pointers to testing
harnesses to use may be useful. Some tools for network operators to
use in updating things in a timely fashion may be useful.
Better/wider/louder notification 'services' for new block allocations
from IANA -> RIR's may be useful.

Not everyone who runs a router reads their local 'nog' list... Leo
Vegoda does a great job telling us about RIPE allocations, someone does
the same for ARIN (drc maybe??) and I'm not certain I recall who's
last announced APNIC block yahtzee.  Where else is this data
available? In a form that your avg enterprise network op may notice?

> and it will be up to the recipient to trust/accept the resource for what it
> currently is or choose to reject it and find solace elsewhere.
>

'solace elsewhere'... dude there is no 'elsewhere'.

-Chris
(and yes, I'm yanking your chain about the shirts...)

> --bill
>
>
> On Tue, Sep 15, 2009 at 04:31:04PM -0400, Christopher Morrow wrote:
>> On Tue, Sep 15, 2009 at 4:23 PM,  <Valdis.Kletnieks at vt.edu> wrote:
>> > On Tue, 15 Sep 2009 08:01:48 PDT, Shawn Somers said:
>> >
>> >>   Anyone that intentionally uses address space in a manner that they
>> >> know will cause it to become contaminated should be denied on any
>> >> further address space requests.
>> >
>> > You *do* realize that the people you're directing that paragraph at are
>> > able to say with a totally straight face: "We're doing nothing wrong and
>> > we have *no* idea why we end up in so many local block lists"?
>>
>> Also, you can very well disable new allocations to Spammer-Bob, did
>> you also know his friend Sue is asking now for space? Sue is very
>> nice, she even has cookies... oh damn after we allocated to her we
>> found out she's spamming :(
>>
>> Spammers have a lot of variables to change in this equation, RIR's
>> don't always have the ability to see all of the variables, nor
>> correlate all of the changes they see :(
>>
>> -Chris
>>
>



