Could you elaborate on what constitutes correct swip information?
Sure, you just opened the door to my opinions on this :)

-- WRONG --

OrgName: FortressITX
OrgID: FORTR-5
Address: 100 Delawanna Ave
City: Clifton
StateProv: NJ
PostalCode: 07014
Country: US

Found a referral to rwhois.fortressitx.com:4443.
Timeout.

-----------------

The argument that whois information should not be made public, is ridiculous. I hear people saying that they don't publish whois information because they don't want the emails made public. Okay, at least the registered company name, or individual who presented the ID should be there.

-- WRONG --

OrgName: Peer 1 Dedicated Hosting
OrgID: P1DH-1
Address: 101 Marietta Street
Address: Suite 500
City: Atlanta
StateProv: GA
PostalCode: 30303
Country: US
NetRange: 216.150.0.0 - 216.150.31.255
CIDR: 216.150.0.0/19

------------------------------

Okay, you REALLY want people to get tired of playing whack a mole? This is why many list operators block large ranges.. according to this listing, one responsible party for the whole list.. (oh, and don't get me started on reporting.. the quote I heard here was .. 'Oh, we don't do anything about spammers unless it affects other customers')

So, how big a range should you block when you start seeing a pattern? Remember, organizations like UCE-PROTECT tend to base a reputation on /24. This is probably because in a lot of cases, you cannot tell does the person own the whole range, or just the top /25.

-- RIGHT --

OrgName: Network Operations Center Inc.
OrgID: NOC
Address: PO Box 591
City: Scranton

network:Network-Name:NET-96.9.145.224/28
network:IP-Network:96.9.145.224/28
network:Organization;I:org--6898
network:Org-Name:ServerPlaceNet c/o Network Operations Center, Inc.

--------------

Simple, if the IPs reflect some behavior we don't like, we know exactly which ranges should be affected. Basically, if you absolve yourself of the responsibility for the conduct of part of your networks, to a 3rd party.. you should SWIP it.

Some hosting companies are really good about this, even as far as SWIP'ing down to the /32. There is a chain of responsibility, and when a hosting company has a known offender using portion(s) of their space, it makes it much easier to decide how much of that space should be blocked. Should we block the whole /24 or only a portion?

Say you see...

66.104.246.36: mail1.clubdelivery.net
66.104.246.37: mail1.deliverydirect.info
66.104.246.38: mail1.deliverymobile.net
66.104.246.39: mail1.deliveryonline.info
66.104.246.40: mail1.deliveryrama.net
66.104.246.41: mail1.deliveryusa.net
66.104.246.42: mail1.deliveryzilla.net
66.104.246.43: mail1.godelivery.info
66.104.246.44: mail1.instantdelivery.info
66.104.246.45: mail1.date-meet.net
66.104.246.46: mail1.uchatfree.net
66.104.246.47: mail1.secureeasypay.net
66.104.246.48: mail1.idevelopthings.com
66.104.246.49: mail1.whocanvote.com
66.104.246.50: mail1.freedvdz.net
66.104.246.51: mail1.freecybercam.com
66.104.246.53: mail2.clubdelivery.net
66.104.246.54: mail2.deliverydirect.info
66.104.246.55: mail2.deliverymobile.net
66.104.246.56: mail2.deliveryonline.info
66.104.246.57: mail2.deliveryrama.net
66.104.246.58: mail2.deliveryusa.net
66.104.246.59: mail2.deliveryzilla.net
66.104.246.60: mail2.godelivery.info
66.104.246.61: mail2.instantdelivery.info
66.104.246.62: mail2.date-meet.net

It's listed as..

network:Organization;I:Precision Technology, Inc (286563-1)
network:IP-Network:66.104.244.0/22

Well, we don't have to affect the whole XO block.. but who is the operator responsible for the activities of these servers? The SWIP should reflect that.

Also, it makes it easier to see relevant activities from other ranges that the customer might own.. Like older IP Ranges...

--
Precision Technology INC mycouponsavingsmailcom MYCOUPONSAVINGSMAILCOM 24.155.144.16 - 24.155.144.31 # 24.155.144.16/28

Guess business was good.. but now of course, with proper SWIP, we know that those IPs are no longer controlled by the same party.
(we hope)

Of course, it can still be abused.. if the hosting provider is in collusion.. changes the SWIP regularly to hide that it is the same operator.. but even then, we will see such patterns.. if a hosting company 'constantly' gets a new 'problem customer' <sic> then we can see that as well.

--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors - President/CEO - LinuxMagic
Products, Services, Support and Development
Visit us at http://www.linuxmagic.com
------------------------------------------------------------------------
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" is a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-589-0037 Beautiful British Columbia, Canada
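
Added example, not part of the original post: the scoping decision argued for above, in Python. It parses rwhois-style records, picks the most specific SWIP'd range for each offending IP, and falls back to the enclosing /24 where nothing is SWIP'd. Function names and the 198.51.100.x and 192.0.2.10 values are constructed; the 66.104.x data is from the post.

```python
import ipaddress

# Records in the "network:Key:Value" rwhois style quoted in the post. The first
# is copied from the post; the 198.51.100.x pair is constructed.
RWHOIS_SAMPLE = """\
network:Organization;I:Precision Technology, Inc (286563-1)
network:IP-Network:66.104.244.0/22

network:IP-Network:198.51.100.0/24
network:Org-Name:Example Hosting (constructed)

network:IP-Network:198.51.100.32/28
network:Org-Name:Example Customer (constructed)
"""

def parse_rwhois(text):
    """Return [(ip_network, org_name)] from blank-line-separated records."""
    records = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            _, key, value = line.split(":", 2)       # "network", key, value
            fields[key.split(";")[0]] = value.strip()  # drop ";I" style suffixes
        org = fields.get("Org-Name") or fields.get("Organization")
        records.append((ipaddress.ip_network(fields["IP-Network"]), org))
    return records

def most_specific(records, ip):
    """Longest-prefix match: the smallest SWIP'd range that contains ip."""
    hits = [r for r in records if ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)

def block_scope(records, ips, fallback_prefix=24):
    """Group offending IPs by responsible range; no SWIP means the whole /24."""
    scope = {}
    for ip in map(ipaddress.ip_address, ips):
        rec = most_specific(records, ip)
        net = rec[0] if rec else ipaddress.ip_network(f"{ip}/{fallback_prefix}", strict=False)
        entry = scope.setdefault(str(net), {"org": rec[1] if rec else None, "hits": 0})
        entry["hits"] += 1
    return scope

# The .36-.51 and .53-.62 hosts listed in the post, plus two constructed IPs.
OBSERVED = [f"66.104.246.{n}" for n in [*range(36, 52), *range(53, 63)]]
OBSERVED += ["198.51.100.40", "192.0.2.10"]

if __name__ == "__main__":
    for net, info in block_scope(parse_rwhois(RWHOIS_SAMPLE), OBSERVED).items():
        print(net, info)
```
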