Repeated Blacklisting / IP reputation
frnkblk at iname.com
Wed Sep 9 14:43:57 UTC 2009
Right on point -- we have a long list of manually entered netblocks in our
spam appliance's blacklist that we've accumulated over time. Besides the
mistakes we've made, we've had to delist perhaps 5 over the last 2 years,
none due to ARIN reallocations. Most times it's our customer calling our
helpdesk and saying "I can't get an e-mail from so-and-so". There's a
strong (time resource) disincentive for us to review netblocks and then
delist them. Ideally our spam appliance vendor would show us a top ten of
non-hit netblocks and we would remove them then (i.e. if no one has hit an
IP in that range for a month, the spammer has probably moved on), or as
another person suggested, just have the spam appliance age them out (change
the action applied from "blocked" to "do nothing").
One of the potential community-based approaches would be to have a hosted
RBL, with a 'view' for each SP or enterprise. That is, each RBL would be
unique, but if I trusted organization B, I could request to use their RBL
entries, too. Rather than managing a manual list, it would be managed on
the web with more management tools:
- search by date added, size of netblock, hits, etc.
- auto expiration/aging
- notification if netblock assigned to a new owner
- comparison against other RBLs (no use having it on my company's
RBL if Spamhaus has added it)
than an admin of a small operation would likely have. Contact info could be
made available, mechanism to request delisting, etc.
From: Jay Hennigan [mailto:jay at west.net]
Sent: Tuesday, September 08, 2009 1:14 PM
To: John Curran
Cc: nanog at nanog.org
Subject: Re: Repeated Blacklisting / IP reputation
John Curran wrote:
> Folks -
> It appears that we have a real operational problem, in that ARIN
> does indeed reissue space that has been reclaimed/returned after
> a hold-down period, but it appears that even once they are
> removed from the actual source RBL's, there are still ISP's who
> are manually updating these and hence block traffic much longer
> than necessary.
> I'm sure there's an excellent reason why these addresses stay
> blocked, but am unable to fathom what exactly that is...
> Could some folks from the appropriate networks explain why
> this is such a problem and/or suggest additional steps that
> ARIN or the recipients should be taking to avoid this situation?
I don't think there is an excellent reason, more likely inertia and no
real incentive to put forth the effort to proactively remove addresses.
Many ISPs and organizations have their own private blocklists not
associated with the widely known DNSBLs. Typically during or
immediately after a spam run the mail administrator will manually add
offending addresses or netblocks. Spamtrap hits may do this
automatically. There isn't any real incentive for people to go back and
remove addresses unless they're notified by their own customers that
legitimate mail coming from those addresses is being blocked. Because
these blocklists are individually maintained, there is no central
registry or means to "clean them up" when an IP assignment changes.
To make matters worse, some organizations may simply ACL the IP space so
that the TCP connection is never made in the first place (bad, looks
like a network problem rather than deliberate filtering), some may drop
it during SMTP with no clear indication as to the reason (less bad, as
there is at least a hint that it could be filtering), and some may
actually accept the mail and then silently discard it (worst).
In addition there are several DNSBLs with different policies regarding
delisting. Some just time out after a period of time since abuse was
detected. Some require action in the form of a delisting request. Some
require a delisting request and a time period with no abuse. Some (the
old SPEWS list) may not be easily reached or have well defined policies.
In meatspace, once a neighborhood winds up with a reputation of being
rife with drive-by shootings, gang activity and drug dealing it may take
a long time after the last of the graffiti is gone before some cab
drivers will go there.
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
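The aging-out and "is it already on Spamhaus" checks frnkblk asks for above, worked through as an added example; this is not code from the thread or from any spam appliance vendor. The blocklist file layout (netblock, action, date added, date of last hit) and the sample entries are constructed for the example, and the public DNSBL check is done against an injected resolver so it runs offline; the query convention (octets reversed, zone appended, a 127.0.0.x answer meaning "listed") is the standard one used by zones such as zen.spamhaus.org.

```python
"""Age out stale entries in a locally maintained SMTP blocklist and flag
netblocks that a public DNSBL already covers.

Added example, not code from the NANOG thread. The blocklist layout and
the per-entry hit dates are assumptions; the DNSBL query convention
(octets reversed, zone appended, listing returned as a 127.0.0.x A record)
is the standard one used by zones such as zen.spamhaus.org.
"""
from __future__ import annotations

import ipaddress
import socket
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Constructed sample list. "last_hit" is the most recent date a connection
# from that block was rejected because of this entry.
SAMPLE_BLOCKLIST = """\
# network          action   added       last_hit
198.51.100.0/24    blocked  2007-11-03  2007-11-20
203.0.113.0/25     blocked  2009-08-30  2009-09-08
192.0.2.0/24       blocked  2008-02-14  2009-08-27
203.0.113.128/25   nothing  2009-01-10  2009-03-01
"""

# Date of the post, used as "today" in the demo.
POST_DATE = date(2009, 9, 9)


@dataclass(frozen=True)
class Entry:
    network: ipaddress.IPv4Network
    action: str  # "blocked" or "nothing"
    added: date
    last_hit: date


def parse_blocklist(text: str) -> list[Entry]:
    """Parse the whitespace-separated format above, skipping comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        net, action, added, last_hit = line.split()
        entries.append(Entry(ipaddress.IPv4Network(net), action,
                             date.fromisoformat(added),
                             date.fromisoformat(last_hit)))
    return entries


def age_out(entries: list[Entry], today: date,
            max_idle: timedelta = timedelta(days=30)) -> list[Entry]:
    """Switch "blocked" to "nothing" for entries with no hit within max_idle.

    The netblock stays on the list with its history so an admin can still
    see what was there; only the enforcement action is relaxed.
    """
    cutoff = today - max_idle
    return [replace(e, action="nothing")
            if e.action == "blocked" and e.last_hit < cutoff else e
            for e in entries]


def dnsbl_query_name(ip, zone: str = "zen.spamhaus.org") -> str:
    """203.0.113.7 -> 7.113.0.203.zen.spamhaus.org"""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def resolve_dns(name: str) -> str | None:
    """Live lookup: the A record as text, or None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def fake_resolve(name: str) -> str | None:
    """Constructed stand-in for resolve_dns so the example runs offline:
    pretends the DNSBL lists all of 192.0.2.0/24 and nothing else."""
    return "127.0.0.2" if name.endswith(".2.0.192.zen.spamhaus.org") else None


def covered_by_dnsbl(entry: Entry, resolve=resolve_dns,
                     zone: str = "zen.spamhaus.org") -> bool:
    """Probe the first, middle and last host of the block and call it
    covered only if every probe comes back listed (answer in 127.0.0.0/8).
    Three probes is a heuristic, not proof that the whole CIDR is listed."""
    hosts = list(entry.network.hosts()) or [entry.network.network_address]
    listed = ipaddress.IPv4Network("127.0.0.0/8")
    for ip in {hosts[0], hosts[len(hosts) // 2], hosts[-1]}:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is None or ipaddress.IPv4Address(answer) not in listed:
            return False
    return True


def review(entries: list[Entry], today: date, resolve=resolve_dns):
    """One row per entry: (network, old action, new action, dnsbl covered)."""
    aged = age_out(entries, today)
    return [(str(old.network), old.action, new.action,
             covered_by_dnsbl(old, resolve))
            for old, new in zip(entries, aged)]


def demo_review():
    """Run the review over the constructed list with the offline resolver."""
    return review(parse_blocklist(SAMPLE_BLOCKLIST), POST_DATE, fake_resolve)


if __name__ == "__main__":
    for row in demo_review():
        print("%-18s %-8s -> %-8s dnsbl=%s" % row)
```

Swapping `fake_resolve` for `resolve_dns` turns this into a live check; note that a "covered" result only tells you the listing is redundant today, not that it is safe to drop the entry if the public list delists the block tomorrow.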