Repeated Blacklisting / IP reputation
jcdill.lists at gmail.com
Wed Sep 9 22:39:55 UTC 2009
Joe Greco wrote:
>> John Curran wrote:
>>> On Sep 8, 2009, at 2:18 PM, JC Dill wrote:
>>>> It seems simple and obvious that ARIN, RIPE, et al. should
>>>> determine the blacklist state of a reclaimed IP group and ensure
>>>> that the IP group is usable before re-allocating it.
>>>> When IPs are reclaimed, first check to see if the reclaimed IPs are
>>>> on any readily checked RBL or private blacklist of major ISPs,
>>>> corporations, universities, etc. If so, work with those groups to
>>>> get the blocks removed *prior* to reissuing the IPs to a new
>>>> entity. Before releasing the IPs to a new entity, double check that
>>>> they are not being blocked (that any promises to remove them from
>>>> a blacklist were actually fulfilled). Hold the IPs until you have
>>>> determined that they aren't overly encumbered with prior blacklist
>>>> blocks due to poor behavior of the previous entity. (The same
>>>> should be done before allocating out of a new IP block, such as
>>>> when you release the first set of IPs in a new /8.)
>>> In this case, it's not the RBL's that are the issue; the address
>>> block in question isn't on them. It's the ISP's and other firms
>>> using manual copies rather than actually following best practices.
>> It's not that hard to make a list of the major ISPs, corporations,
>> universities (entities with a large number of users), find willing
>> contacts inside each organization (individual or role addresses you can
>> email, and see if the email bounces, and who will reply if the email is
>> received) and run some automated tests to see if the IPs are being
>> blocked. In your follow-up email to me, you said you check "dozens" of
>> RBLs - that is clearly insufficient - probably by an order of magnitude
>> - of the entities you should check with. The number should be
>> "hundreds". A reasonably cluefull intern can provide you with a
>> suitable list in short order, probably less than 1 day, and find
>> suitable contacts inside each organization in a similar time frame - it
>> might take a week total to build a list of ~500 entities and associated
>> email addresses. Because of employee turnover the list will need to be
>> updated, ~1-10 old addresses purged and replaced with new ones on a
>> monthly basis.
> Really? And you expect all these organizations to do ... what? Hire an
> intern to be permanent liaison to ARIN?
I'm expecting ARIN to spend a few staff-hours (utilizing low-cost labor
such as an intern) to set up the list for ARIN to use to check the status
of returned IPs, and spend a few more staff hours setting up an
automated system to utilize the list prior to releasing reclaimed IPs
for reallocation. If, when using the list, they discover outdated
addresses, spend a moment to find an updated address for that sole
network. Most of this can easily be automated once set up - the only
things that need to be dealt with by hand would be purging the list of
outdated contacts and finding new ones, which shouldn't take much time
since it's not a very large list, and many of the contacts would (over
time) become role accounts that don't become outdated as often or as
easily as personal accounts. Most of this is done by ARIN, not by the
organizations they contact. All each organization has to do is permit
one employee or role account to be used for IP block testing, and reply
to test emails. The effort to set up a role account and autoresponder is
> Answer queries to whether or not
> IP space X is currently blocked (potentially at one of hundreds or
> thousands of points in their system, which corporate security may not
> wish to share, or even give "some random intern" access to)? Process
> reports of new ARIN delegations? What are you thinking they're going to
> do? And why should they care enough to do it?
Because if they don't, they are needlessly blocking re-allocated IP
addresses, potentially blocking their own users from receiving wanted
email. Organizations could (and should) set up a role account and
auto-responder for this purpose.
>>>> Why isn't this being done now?
>>>> Issuing reclaimed IPs is a lot like selling a used car, except that
>>>> the buyer has no way to "examine" the state of the IPs you will
>>>> issue them beforehand. Therefore it's up to you (ARIN, RIPE, et
>>>> al.) to ensure that they are "just as good" as any other IP block.
>>>> It is shoddy business to take someone's money and then sneakily
>>>> give them tainted (used) goods and expect them to deal with
>>>> cleaning up the mess that the prior owner made, especially when you
>>>> charge the same rate for untainted goods!
>>> Not applicable in this case, as noted above.
>> What do you mean, "not applicable"? You take the money and issue IPs.
>> There is no way for the "buyer" to know beforehand if the IPs are
>> "tainted" (used) or new. It is up to you (ARIN) to ensure that the
>> goods (IPs) are suitable for the intended use. My analogy is entirely
>> applicable, and I'm amazed you think otherwise.
> WOW. That's a hell of a statement. There is absolutely nothing that
> ARIN can do if I decide I'm going to have our servers block connections
> from networks ending in an odd bit.
What they *can* do is determine IF the address is currently being
blocked *before* they issue it to a new entity.
> Nobody is in a position to ensure
> that ANY Internet connection or IP space is "suitable for the intended
> use." Welcome to the Internet.
They can (and IMHO should) determine the state it is in before they
reallocate it. What happens next is obviously unpredictable but in
reality an IP that isn't being blocked today and isn't being used (by
anyone) is highly unlikely to be widely blocked between today and the
day ARIN releases it for allocation to a new entity.
They can hold IPs that are not suitable for re-allocation, or at least
make the status of the IPs known to the new entity before asking the
entity to take on the IP block, and perhaps offering a fee discount for
"tainted" addresses. (Some users may not care if the IPs are "tainted",
if, for instance they plan to use the IPs for a DUL pool. I have a
friend who gets $5 off his cell phone bill because he has a phone number
that starts with 666 - a number that many people prefer to avoid but
which works fine for his purposes and he's quite happy to get the
>>> So, back to the question: could someone explain why they've got
>>> copies of the RBL's in their network which don't get updated on any
>>> reasonable refresh interval? (weekly? monthly?)
>> The "why" really isn't at issue - it happens and it's going to keep
>> happening. The question is what are you (ARIN) going to do about it?
>> Give me the serenity to accept the things I cannot change,
>> The courage to change the things I can,
>> And the wisdom to know the difference.
>> You (ARIN et al.) don't have any ability to change the why. What you
>> can change is how you go about determining if an IP block is suitable
>> for reallocation or not, and what steps you take to repair IP blocks
>> that aren't suitable for reallocation.
> So, in addition to just registering IP space, it's also their job to clean
> it up?
Who do you propose clean up the mess? The people who made the mess
(spammers) won't clean it up. Someone has to clean it up. The IPs are
in ARIN's possession now. Why should it become someone else's problem
(the entity they allocate it to) to clean it up? They didn't do
anything to taint the space, and they request (and expect) to get clean
and usable IPs, not tainted IPs.
ARIN shouldn't allocate previously allocated IPs until they know the IPs
are not widely blocked. Or, *at the very least*, ARIN should disclose
what they know about the IP space before they make it someone else's
problem, and give the requesting entity an option to request a
new/clean/unused/unblocked IP block instead.
> I'm sorry, I agree that there's a problem, but this just sounds like it
> isn't feasible.
IMHO passing the problem on to someone else is just plain wrong. It
punishes an innocent party, and it doesn't scale. There are other
options, better options.
In commerce it is a violation of the UCC to knowingly or negligently
sell the customer something that the seller knows (or should have known)
doesn't serve the customer's stated purpose, and that the customer has
no way of knowing (no way to do "due diligence" before completing the
sale) is unsuitable for their needs. ARIN's IP registry probably
doesn't fall under the aegis of the UCC, but that doesn't excuse the
I am not a lawyer, but it doesn't take a law degree to be able to tell
right from wrong. Issuing previously-issued and tainted IPs to an
entity that requested and is expecting untainted and usable IPs is
clearly wrong. How ARIN plans to resolve this can be debated, but NOT
solving this and just expecting someone else (the unlucky entity who is
issued the tainted IPs) to solve it for them is not an honorable
approach. Similarly, asking on NANOG "why do tainted IPs linger on
blocklists" isn't going to solve the problem. ARIN can't change the why
- what they can change is what ARIN does about it. There are better
options - they can make an effort to clean up the IPs prior to
reallocation; they can disclose the IP status before reallocation and
give an option for a new IP block; or they can simply declare the IPs
"toxic" and hold them rather than reallocate them. Giving the customer
a dead parrot when they expected a live one (Beautiful Plumage!) is
funny only in a Monty Python skit.
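The check described earlier in the thread (query "any readily checked RBL" for a reclaimed block and hold or release it based on the result) as an added example; this is not code from the thread or from ARIN. It builds the standard DNSBL lookup name (reversed octets followed by the list's zone), treats an A record in 127.0.0.0/8 as a listing, samples the block, and returns a hold/release verdict. The zone names are placeholders, and the resolver is injectable so the run below uses constructed answers instead of live DNS; a practitioner would swap in real zones and the default resolver.

```python
"""Added example: pre-reallocation DNSBL sweep of a reclaimed IPv4 block.

Not the thread's or ARIN's code.  Zone names are placeholders; the
constructed resolver stands in for live DNS so the example runs offline.
"""
import ipaddress
import socket
from typing import Callable, Dict, List

# Placeholder DNSBL zones (assumption): substitute the lists your policy names.
DNSBL_ZONES = ["dnsbl-a.example", "dnsbl-b.example"]

Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def default_resolver(name: str) -> List[str]:
    """Live DNS lookup; an empty list means NXDOMAIN, i.e. not listed."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
        return sorted({info[4][0] for info in infos})
    except socket.gaierror:
        return []


def check_block(cidr: str, zones: List[str] = DNSBL_ZONES,
                resolver: Resolver = default_resolver,
                sample_every: int = 1) -> Dict[str, object]:
    """Sweep the block and return {"checked": n, "listed": {ip: [zones]}}.

    DNSBLs signal a listing with an A record inside 127.0.0.0/8; NXDOMAIN
    or any other answer counts as not listed.  sample_every > 1 checks
    only every n-th address so large blocks stay tractable."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    listed: Dict[str, List[str]] = {}
    checked = 0
    for index, addr in enumerate(net):
        if index % sample_every:
            continue
        checked += 1
        zones_listing = [
            zone for zone in zones
            if any(answer.startswith("127.")
                   for answer in resolver(dnsbl_query_name(str(addr), zone)))
        ]
        if zones_listing:
            listed[str(addr)] = zones_listing
    return {"checked": checked, "listed": listed}


def reallocation_verdict(report: Dict[str, object],
                         max_listed_fraction: float = 0.0):
    """Return ('hold' | 'release', listed_fraction) for a sweep report.

    The default tolerance of 0.0 holds the block if any sampled address is
    listed; raise it if policy accepts a lightly encumbered block."""
    checked = report["checked"]
    fraction = len(report["listed"]) / checked if checked else 0.0
    return ("hold" if fraction > max_listed_fraction else "release", fraction)


# Constructed answers (not real listings) so the sweep runs without DNS.
CONSTRUCTED_ANSWERS = {
    "5.2.0.192.dnsbl-a.example": ["127.0.0.2"],
    "5.2.0.192.dnsbl-b.example": ["127.0.0.4"],
    "6.2.0.192.dnsbl-b.example": ["127.0.0.2"],
}


def constructed_resolver(name: str) -> List[str]:
    """Offline stand-in for default_resolver using the constructed table."""
    return CONSTRUCTED_ANSWERS.get(name, [])


if __name__ == "__main__":
    sweep = check_block("192.0.2.0/29", resolver=constructed_resolver)
    print(sweep)
    print(reallocation_verdict(sweep))
```

A sweep like this only covers published DNSBLs; as the thread points out, the blocking that lingers longest comes from stale private copies inside ISPs and enterprises, which no DNS query can see. That part of the check still needs the contact list and test-mail loop the thread describes, with the sweep result recorded alongside it so the requesting entity can be told what is known before the block is issued.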