Joe:

I understand your frustration and appreciate your efforts to contact the sources of abuse, but why indiscriminately block a larger range of IPs than what is necessary?

Here's the /24 in question:

Combined Systems Technologies NET-CST (NET-207-177-31-0-1) 207.177.31.0 - 207.177.31.7
Elkader Public Library NET-ELKRLIB (NET-207-177-31-8-1) 207.177.31.8 - 207.177.31.15
Plastech Grinnell Plant NET-PLASTECH (NET-207-177-31-16-1) 207.177.31.16 - 207.177.31.31 (dial-up, according to DNS)
Griswold Telephone Co. NET-GRIS (NET-207-177-31-32-1) 207.177.31.32 - 207.177.31.63
Griswold Telephone Co. NET-GRIS2 (NET-207-177-31-64-1) 207.177.31.64 - 207.177.31.95 (dial-up, according to DNS)
Jesco Electrical Supplies NET-JESCOELEC (NET-207-177-31-96-1) 207.177.31.96 - 207.177.31.103
American Equity Investment NET-AMREQUITY (NET-207-177-31-104-1) 207.177.31.104 - 207.177.31.111
** open **
Butler County REC NET-BUTLERREC (NET-207-177-31-120-1) 207.177.31.120 - 207.177.31.127
Northeast Missouri Rural Telephone Co. NET-NEMR2 (NET-207-177-31-128-1) 207.177.31.128 - 207.177.31.191
Montezuma Mutual Telephone NET-MONTEZUMA (NET-207-177-31-192-1) 207.177.31.192 - 207.177.31.254 (dial-up, according to DNS)

Block the /24 and you cause problems for potentially 8 other companies. Now the RBL maintainer, or in this case, GoDaddy, has to interact with 8 other companies -- what a lot of work and overhead! If they just dealt with the problem in a more surgical manner they wouldn't have to deal with the other companies asking for relief.

Frank

-----Original Message-----
From: J. Oquendo [mailto:sil@infiltrated.net]
Sent: Saturday, April 07, 2007 2:08 PM
To: nanog@merit.edu
Cc: Frank Bulk
Subject: Abuse procedures... Reality Checks

On Sat, 07 Apr 2007, Frank Bulk wrote:
While you have your friend's ear, ask him why they maintain a spam policy of blocking complete /24's when:
a) the space has been divided into multiple sub-blocks and assigned to different companies, all well-documented and queryable in ARIN
b) there have been repeated pleas to whitelist a certain IP in a separate sub-block that is only being punished for the behavior of others in a different sub-block.
Frank
<realitycheck>

You're complaining of blocked /24's. I block off up to /6's from reaching certain ports on my networks. Sound crazy? How many times should I contact the netblock owner and hear the same generic "well you have to open up a complaint with our abuse desk... golly gee Joseph." Only to have the same repeat attacks over and over and over.

Sure, I'll start out blocking the offensive address, then shoot off an email here and there, even post to this or another list or search Jared's list for a contact and ask them politely "Hey... I see X amount of attackers hitting me from your net" But how long should I go on for before I could just say "to hell with your users and network... They just won't connect." It's my own right to when it comes to my network. People complain? Sure, then I explain why, point out the fact that I HAVE made attempts at resolutions to no avail.

So should the entire network be punished... No, but the engineers who now have to answer THEIR clients on why they've been blacklisted surely are punished aren't they. Now they have to hear X amount of clients moan about not being able to send either a client, vendor or relative email. They have to either find an alternative method to connect, or complain to their provider about connectivity issues. Is it fair? Yes it's fair to me, my clients, networks, etc., that I protect it. Is it fair to complain to deaf ears when those deaf ears are the ones actually clueful enough to fix?

On a daily basis I have clients who should be calling customer service for issues contact me directly. Know what I do? ... My best to fix it, enter a ticket number on the issue and go about the day. One way or the other I'm going to see the ticket/problem so will it kill me to take a moment or two to fix something? Sure I will bitch moan and yell about it, a minute later AFTER THE FIX since things of this nature usually don't take that much time, guess what? Life returns to normal.
http://www.infiltrated.net/bforcers/5thWeek-Organizations

Have a look will you? These are constant offending networks with hosts that are repeatedly ssh'ing into servers I maintain. Is it unfair to block off their entire netblock from connecting via ssh to my servers? Hell no it isn't. If I have clients on this netblock, in all honesty tough. Let them contact their providers after I tell them their provider has been blocked because of the garbage on their network. Let their provider do something before I do because heaven knows how many times have I tried reaching someone diplomatically before I went ahead and blocked their entire /6 /7 /8 /9 /10 and so on from connecting to me via ssh or whatever other service they've intruded or attempted to intrude upon.

Blocks? They usually last for 2 weeks then I take them off and start ALL over again. Of course I've automated this so it's no sweat off shoulders. So you tell me in all honesty why someone should not escalate and block off entire blocks.

</realitycheck>

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743

"How a man plays the game shows something of his character - how he loses shows all" - Mr. Luckey
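
Added example, not part of either message: the sub-allocation listing in Frank's message turned into a check of how many other assignees a /24 block touches compared with a block scoped to the ARIN sub-allocation. The sample source address and the function names are assumptions chosen for illustration; the thread does not say which address was the source of abuse.

```python
import ipaddress

# Sub-allocations of 207.177.31.0/24, copied from the listing in the message.
ALLOCATIONS = [
    ("Combined Systems Technologies", "207.177.31.0", "207.177.31.7"),
    ("Elkader Public Library", "207.177.31.8", "207.177.31.15"),
    ("Plastech Grinnell Plant", "207.177.31.16", "207.177.31.31"),
    ("Griswold Telephone Co.", "207.177.31.32", "207.177.31.63"),
    ("Griswold Telephone Co.", "207.177.31.64", "207.177.31.95"),
    ("Jesco Electrical Supplies", "207.177.31.96", "207.177.31.103"),
    ("American Equity Investment", "207.177.31.104", "207.177.31.111"),
    ("Butler County REC", "207.177.31.120", "207.177.31.127"),
    ("Northeast Missouri Rural Telephone Co.", "207.177.31.128", "207.177.31.191"),
    ("Montezuma Mutual Telephone", "207.177.31.192", "207.177.31.254"),
]

def to_cidrs(first, last):
    """Express an inclusive first-last range as the minimal list of CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def surgical_block(source_ip):
    """Return (assignee, CIDRs) covering only the sub-allocation holding source_ip.
    An address in unassigned space (the "open" gap) falls back to a /32."""
    ip = ipaddress.ip_address(source_ip)
    for org, first, last in ALLOCATIONS:
        cidrs = to_cidrs(first, last)
        if any(ip in net for net in cidrs):
            return org, cidrs
    return None, [ipaddress.ip_network(f"{ip}/32")]

def collateral(block, assignee):
    """Assignees other than `assignee` whose space overlaps the blocked CIDR."""
    net = ipaddress.ip_network(block)
    return sorted({org for org, first, last in ALLOCATIONS
                   if org != assignee
                   and any(net.overlaps(c) for c in to_cidrs(first, last))})

if __name__ == "__main__":
    SAMPLE_IP = "207.177.31.100"  # constructed sample, not an address named in the thread
    org, cidrs = surgical_block(SAMPLE_IP)
    print(org, [str(c) for c in cidrs])
    print(len(collateral("207.177.31.0/24", org)), "other assignees inside the /24")
    print(len(collateral(str(cidrs[0]), org)), "other assignees inside the scoped block")
```

Ranges that do not fall on a single CIDR boundary, such as 207.177.31.192 - 207.177.31.254, come back as several prefixes, so the scoped block is a short list of rules rather than one.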