dotis@mail-abuse.org (Douglas Otis) writes:
> Good advice. For various reasons, a majority of IP addresses within a CIDR of any size being abusive is likely to cause the CIDR to be blocked. While a majority could be considered as being half right, the existence of the "bad neighborhood" demonstrates a lack of oversight for the entire CIDR, which is also fairly predictive of future abuse.

that sounds like a continuum, but my experience requires more dimensions than you're describing. for example, this weekend two /24's were hijacked and used for spam spew. as my receivebot started blackholing /32's, the sender started cycling to other addresses in the block. each address was used continuously until it stopped working, then the next address came in. while there were two /24's and two self-similar spam flows, there was not a strict mapping of spam flow to packet flow -- both /24's emitted both kinds of spam. "uniq -c" results are below.

i've nominated both blocks to the MAPS RBL, and i can't tell from whois whether it's worthwhile to complain to the ISP's. would you say that i've learned anything of predictive value concerning future spam from the containing /17 (CARI) or /15 (THEPLANET)? or is this just another run of the mill BGP hijack due to some other ISP's router having enable passwords still set to the factory default?

(we all owe randy bush a debt of gratitude for pushing on RPKI, by the way. anybody can complain about the weather but very few people do something about it.)

-- 
Paul Vixie
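
The two measures discussed in this exchange, as an added example that is not part of either poster's message: the share of a prefix seen sending (the "majority" test) and the count of distinct sources inside one prefix (the cycling pattern seen when /32's are blackholed one at a time). The /24 grouping, the `min_distinct` threshold of 4, and the sample addresses (RFC 5737 documentation ranges) are assumptions made for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample in the shape of "uniq -c" output (count, source).
# Addresses are RFC 5737 documentation ranges, not real senders.
SAMPLE = """\
      7 192.0.2.66
      2 192.0.2.67
      5 192.0.2.71
      3 192.0.2.89
      4 192.0.2.94
      1 198.51.100.16
      8 198.51.100.163
      2 203.0.113.5
"""

def parse_uniq_c(text):
    """Parse 'count address' lines into a Counter keyed by IPv4Address."""
    hits = Counter()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        hits[ipaddress.ip_address(parts[1])] += int(parts[0])
    return hits

def plan_blocks(hits, prefixlen=24, min_distinct=4):
    """Return the networks to block: the covering prefix once min_distinct
    separate sources inside it have been seen, otherwise the single /32s."""
    by_net = defaultdict(list)
    for addr in hits:
        net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        by_net[net].append(addr)
    blocks = []
    for net, addrs in sorted(by_net.items()):
        if len(addrs) >= min_distinct:
            blocks.append(net)  # sender is cycling: one entry covers the prefix
        else:
            blocks.extend(ipaddress.ip_network(f"{a}/32") for a in sorted(addrs))
    return blocks

def abusive_fraction(hits, net):
    """Share of the prefix's addresses seen sending (the 'majority' test)."""
    seen = sum(1 for a in hits if a in net)
    return seen / net.num_addresses
```

On the sample, five cycling sources are enough to escalate to the /24 even though they are under 2% of its addresses, which is the gap between the majority rule and the behaviour described in the reply.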