Is this not what the Team Cymru Bogons list is for? http://www.team-cymru.org/Services/Bogons/ List bad ASNs after proper investigation? It then depends on whether you trust Team Cymru or not, like you would trust or not Spamhaus...

----- Original Message -----
From: "Heath Jones" <hj1980@gmail.com>
To: "Robert Bonomi" <bonomi@mail.r-bonomi.com>
Cc: nanog@nanog.org
Sent: Wednesday, 29 September, 2010 4:38:12 PM
Subject: Re: AS11296 -- Hijacked?

Robert, I don't think you quite get it. Don't worry, you don't seem to be alone.

The point here is simple. If someone posts making a recommendation for every AS to filter some prefixes, not providing any references by default, it's not helpful. When questioned about the rationale, if said person then declines to provide evidence, the picture starts to form.

It is relatively easy to detect spam; it is easy to have enough honeypots & filters matching corresponding BGP lookups to find out path information. Immediately you have a technique which - regardless of the lists a spammer reads - will catch spammers. By working as a community, the accuracy and speed of detection increases. By sharing information, things improve. The problem is certainly not detection!! (in contrast to the claimed need to hide detection methods)

Posting to a list like this telling everyone to block traffic might be OK in some people's eyes, but there are a few problems:

1) No peer review. The data has not been checked, the prefixes might be incorrect. The methods might be completely wrong - who knows! This is certainly the #1 issue.

2) Length of time to implement. Most serious ASes would do sanity checking and even possibly a change window or at least a signoff.

3) Post-advertisement removal. What process do ASes have in place to check and remove these rules? More sanity checking and another change.

4) The comment about ARIN, as if to imply that they are supposed to somehow 'police' the internet. This shows a complete lack of understanding of the architecture of the internet.

5) A person who blocks gmail for their own - non customer affecting - mail server cannot be in a position to advise of real - customer affecting - changes, and shows a recklessness towards ad hoc blocking of anything.

As a hypothetical situation, say a new customer pops up on a network with a prefix and origin that haven't been seen before. This customer badly configured their mail server; it's an open relay. Spammers being smart, watch new BGP advertisements knowing that this might be the case. Some kind sir sees the spam coming from the open relay and posts on here, telling everyone to block it, thus completely killing the new customer network before it's even got off the ground properly. By the time it has come around, half the ISPs are blocking it and they are completely screwed, all because of 1 mistake and someone not having their information peer reviewed and no action to notify or help out the ISP.

Posting ASes & prefixes for people to block without any questioning is just plain stupid and not the way to handle it. If the goal is to get rid of spam, then why not put brains together and come up with a much better system. IETF? Independent working group? I can think of a number of ideas as I am typing this that could be beneficial. I am happy of course to share with anyone interested.

Sure, people can post pretty much what they want and people can choose to use or ignore, but we are a bit past that argument now. There have been (to use your method) *zero* technical reasons supporting the argument of blocking these prefixes. If you know of one, please voice it.

ps. I have also received posts offline about the support for blocking gmail / hotmail / whatever. I can appreciate that it is your own personal infrastructure, you have your reasons, and if it works for you then good. I certainly wouldn't do it for my customers, otherwise they would constantly call. Phone spam :)