I work for a large email provider and we've run into trouble delivering mail to certain sites after bringing up new servers in a recently allocated subnet of 72/8. Apparently, some folks decided it would be a good policy, to protect their nameservers from DDoS attacks, to silently drop requests from unallocated subnets. So they obtained a list of subnets at some point in the past, deployed it and then never updated it.

This manifests itself in our system when the DNS query repeatedly times out on the SMTP servers in that subnet while it works from elsewhere. In the instances we've run into this, it only seemed to affect DNS and not, say, SMTP connections.

I just wanted to try to raise some awareness of this practice and the trouble it may cause if the ruleset gets out-of-date. This caused us a pretty major headache, the result of which is that we've given up for now on trying to deliver mail out of that subnet.

john
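
An added example, not part of the original post: one way an operator could audit a deployed "unallocated space" drop list against a fresh allocation snapshot and see which entries have gone stale. The list contents and function names are constructed for illustration; only 72/8 comes from the post.

```python
import ipaddress

# Constructed sample data; only 72/8 comes from the post above.
# DEPLOYED_DROP_LIST: prefixes a nameserver ACL silently drops as unallocated.
DEPLOYED_DROP_LIST = ["0.0.0.0/8", "72.0.0.0/6", "127.0.0.0/8", "192.0.2.0/24"]
# CURRENT_ALLOCATED: prefixes marked allocated in a fresh registry snapshot.
CURRENT_ALLOCATED = ["64.0.0.0/8", "72.0.0.0/8"]


def stale_entries(drop_list, allocated):
    """Return findings for drop-list entries that overlap allocated space.

    Each finding is (drop_entry, allocated_prefix, keep), where keep is the
    part of drop_entry that can remain filtered after the fix.
    """
    findings = []
    for entry in map(ipaddress.ip_network, drop_list):
        for alloc in map(ipaddress.ip_network, allocated):
            if entry.version != alloc.version or not entry.overlaps(alloc):
                continue
            if alloc != entry and alloc.subnet_of(entry):
                # Filter is broader than the allocation: keep the remainder.
                keep = sorted(entry.address_exclude(alloc))
            else:
                # Entry equals or sits inside allocated space: remove it whole.
                keep = []
            findings.append((str(entry), str(alloc), [str(n) for n in keep]))
    return findings


def would_drop(src, drop_list):
    """True if a query from src matches any entry in the drop list."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(n) for n in drop_list)


if __name__ == "__main__":
    for entry, alloc, keep in stale_entries(DEPLOYED_DROP_LIST, CURRENT_ALLOCATED):
        print(f"stale: {entry} now covers allocated {alloc}; keep only {keep}")
```

Running a check like this each time the allocation snapshot is refreshed flags a filter entry before it starts timing out queries from newly assigned space.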