On Thu, 5 Apr 2012, Landon Stewart wrote:
If the purpose of blacklist is to block spam for recipients using that blacklist then a /32 works. If the purpose of a blacklist is to annoy providers then a /24 works. The most reputable and useful blacklists IMHO are Spamhaus and Spamcop - they don't block /24s. Spamhaus sometimes does if your rwhois shows that a large amount of the /24 is owned by the offending party but generally they don't.
Spamhaus may not default to doing /24 listings for a /32 spam emitter, but they certainly do list /24s or shorter subnets when they feel it's appropriate. They even do "escalations" to corporate mail servers on rare occasions when a provider appears to be complicit with spammers and ignoring their SBLs. The purpose thing is an interesting question though. Is the purpose of DNSBLs simply to help admins avoid accepting spam from spammers or to attempt to prevent spammers from operating on the internet? For most of the DNSBLs I'm familiar with, I'd say they're trying to do both.
Spamhaus encourages companies to resolve all the issues while only blocking /32s by showing all the listings under your responsibility and making nice to see that list empty. Pretty simple. Incidentally SORBS usually blocks /24s and, as far as I know, provides no way for you to lookup all listings under a providers responsibility (by AS or otherwise).
That's really either not true or an oversimplification. Spamhaus blocks shorter than /32 pretty frequently. You could maybe argue that Spamhaus works harder to avoid innocent collateral damage. Having not used SORBS for many years, I couldn't say if that's true or not. The vast majority of my recent years interactions with SORBS have been trying to get inappropriately listed IPs removed from their DUHL. ---------------------------------------------------------------------- Jon Lewis, MCP :) | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________