Hi All,
Hopefully this is not taken in bad taste. Our organization purchased some IP space last year (163.182.192.0/18 to be specific), and it appears that this block must have been used for less-than-admirable purposes in the past.
We have been trying to clean up the reputation where possible, and we do not appear to be on any blacklists, but we do appear to be blocked from a lot of networks across the US/Canada. I am noticing a lot of name servers blocking our requests, many web servers, gaming servers, mail etc.
This is a transition block for us to move towards v6 everywhere, but we have many systems that will need to rely on this block of space for some time to come.
We are a small rural co-op ISP in Ontario, and I am just writing this email as an extra plea so that if you happen to run a network that has this entire range on your naughty list, we would appreciate you giving it another chance. I can be contacted on or off list, thanks.
--
-----
Pete Baldwin Tuckersmith Communications (P) 519-565-2400 (C) 519-441-7383
Out of curiosity, who were the previous owner(s), it seems that ARIN only shows the current owner with any history? If it was a Chinese/Russian block, you might be out of luck. On 03/10/2017 12:00 PM, Pete Baldwin wrote:
It looks like Spamhaus has your entire /16. https://stat.ripe.net/163.182.192.0%2F18#tabId=anti-abuse On Fri, Mar 10, 2017 at 10:01 PM, Laurent Dumont <admin@coldnorthadmin.com> wrote:
-- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Looks like it was taken off the list in Sept 2016. I suppose this could be the reason why our block is still listed in various networks, even though it's not on a known 'official' list. Thanks for the tip Mike. ----- Pete Baldwin Tuckersmith Communications (P) 519-565-2400 (C) 519-441-7383 On 03/11/2017 01:53 AM, Mike Hale wrote:
The previous owner was XELAS Software in Marina Del Ray, California. I still see it listed on some geoIP databases, but those have been cleaned for the most part. I'm not sure if someone had it before them and they just got rid of it because of these issues, so I don't want to point fingers at XELAS by any means. ----- Pete Baldwin Tuckersmith Communications (P) 519-565-2400 (C) 519-441-7383 On 03/11/2017 01:01 AM, Laurent Dumont wrote:
Which broker did you use for the transaction? Did you get a discount for knowingly accepting a dirty block or is this a surprise? Are folks asking for warranties on acquired addresses these days? Cheers, -M< Best, -M< On Fri, Mar 10, 2017 at 12:11 Pete Baldwin <pete@tccmail.ca> wrote:
Indeed. Let this be a lesson: when purchasing blocks, one MUST do their due diligence. Check the RBLs, senderbase, previous owner reputation, etc. before buying. Caveat emptor. On 3/11/17 3:13 PM, Martin Hannigan wrote:
Validating is a lot of work, but you have to do it. I know there are lots of blocks with RBL problems. Some spammers make so much money, they easily afford to buy small blocks, abuse them to make money, buy more blocks and put the old ones up for sale. Careful, price is rarely a tell about a bad block. Only the cost of their first block is their initial sunk cost, as they cycle through blocks. Thank You Bob Evans CTO
We used giglinx. There was a third party that was validating the blocks, and they/we caught a lot of issues with the first block for offer. This was the second block offered, and it looked decent, but I never personally checked the /16 parent. I was only looking at the /18. The reason I made this post is to try and catch the things I couldn't see. We don't appear to be on any lists (RBLs, senderbase look good), but obviously we are still in people's filtering rules. The big one was Spamhaus DROP but that was removed before we purchased the block. The previous owner looked fine too, it was actually the owner before the last that seemed to have been the cause of a lot of the bad rep, but again that was cleaned up before we ever even made the request to buy. ----- Pete Baldwin Tuckersmith Communications (P) 519-565-2400 (C) 519-441-7383 On 03/11/2017 11:27 PM, Bryan Holloway wrote:
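The due-diligence step Bryan Holloway asks for ("check the RBLs ... before buying") and the gap Pete describes ("I never personally checked the /16 parent") can be turned into a repeatable pre-purchase check. The script below is an added example written for this thread, not code from any poster; it assumes only the public DNSBL lookup convention (reverse the octets, append the zone, read a 127.0.0.x answer) and the Spamhaus ZEN zone named in the thread. It probes one address per /24 across the block's enclosing /16, so a listing of the parent aggregate shows up even when the /18 itself looks clean. The `make_fake_resolver` helper is an offline stand-in with constructed data; `check_block` uses live DNS by default.

```python
import ipaddress
import socket
import sys
from typing import Callable, Dict, List, Optional

# Zones to consult. Spamhaus ZEN is the list named on the thread; add your own
# internal list or other public zones here.
DNSBL_ZONES = ["zen.spamhaus.org"]

# Meaning of Spamhaus ZEN answers (127.0.0.x) per Spamhaus's published return
# codes; confirm against their current documentation before acting on one.
ZEN_CODES = {
    "127.0.0.2": "SBL: spam source",
    "127.0.0.3": "SBL CSS: snowshoe / low-reputation source",
    "127.0.0.4": "XBL: exploited or compromised host",
    "127.0.0.9": "SBL DROP/EDROP: hijacked or dedicated-spam netblock",
    "127.0.0.10": "PBL: ISP policy (end-user space)",
    "127.0.0.11": "PBL: Spamhaus policy (end-user space)",
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 163.182.192.0 -> 0.192.182.163.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def describe_code(zone: str, code: str) -> str:
    if zone == "zen.spamhaus.org":
        return ZEN_CODES.get(code, f"listed (unknown ZEN code {code})")
    return f"listed ({code})"


def parent_prefix(prefix: str, parent_len: int = 16) -> str:
    """The enclosing aggregate (default /16) that lists often block wholesale."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen <= parent_len:
        return str(net)
    return str(net.supernet(new_prefix=parent_len))


def sample_addresses(prefix: str, granularity: int = 24) -> List[str]:
    """First address of every /<granularity> inside prefix. A DNSBL that lists a
    CIDR answers for any address inside it, so one probe per /24 reveals range
    listings without querying every host address."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen >= granularity:
        return [str(net.network_address)]
    return [str(sub.network_address) for sub in net.subnets(new_prefix=granularity)]


def live_resolver(name: str) -> Optional[str]:
    """Real DNS lookup; a DNSBL answers NXDOMAIN (-> None) when not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def make_fake_resolver(listed_prefix: str, code: str = "127.0.0.9") -> Callable[[str], Optional[str]]:
    """Offline stand-in for live_resolver using constructed data: every address
    inside listed_prefix is reported as listed with `code`. Dry runs/tests only."""
    listed = ipaddress.ip_network(listed_prefix, strict=False)

    def resolver(name: str) -> Optional[str]:
        ip = ".".join(reversed(name.split(".")[:4]))  # undo dnsbl_query_name
        return code if ipaddress.ip_address(ip) in listed else None

    return resolver


def check_block(prefix: str,
                resolver: Callable[[str], Optional[str]] = live_resolver,
                zones: List[str] = DNSBL_ZONES,
                parent_len: int = 16) -> Dict[str, Dict[str, str]]:
    """Probe one address per /24 across the block's parent aggregate (which
    contains the block itself) against each zone. Returns {ip: {zone: code}}
    for listed addresses only."""
    hits: Dict[str, Dict[str, str]] = {}
    for ip in sample_addresses(parent_prefix(prefix, parent_len)):
        for zone in zones:
            code = resolver(dnsbl_query_name(ip, zone))
            if code is not None:
                hits.setdefault(ip, {})[zone] = code
    return hits


def summarize(prefix: str, hits: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Split listed addresses into those inside the block being bought and those
    elsewhere in its parent aggregate (a sign the parent is blocked wholesale)."""
    net = ipaddress.ip_network(prefix, strict=False)
    inside = sorted((ip for ip in hits if ipaddress.ip_address(ip) in net), key=ipaddress.ip_address)
    parent_only = sorted((ip for ip in hits if ipaddress.ip_address(ip) not in net), key=ipaddress.ip_address)
    return {"inside": inside, "parent_only": parent_only}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "163.182.192.0/18"
    found = check_block(target)  # live DNS against DNSBL_ZONES
    report = summarize(target, found)
    print(f"{target}: {len(report['inside'])} listed /24s inside, "
          f"{len(report['parent_only'])} elsewhere in {parent_prefix(target)}")
    for ip in sorted(found, key=ipaddress.ip_address):
        for zone, code in found[ip].items():
            print(f"  {ip:<16} {zone:<20} {describe_code(zone, code)}")
```

Run it with the prefix under consideration before the transfer closes; a non-empty `parent_only` list is exactly the /16 problem Pete hit. Note that this only covers published DNSBLs; it cannot see the manual perimeter blocks that several posters describe, which is why Pete's plea to the list was still needed.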
I am interested in what broker you used as well. We have used a few that do a little due diligence on their end, but we still do our own. We have seen an auction pulled due to the space having a bad reputation, but we were the ones who had to step up and say something. Justin Wilson j2sw@mtin.net --- http://www.mtin.net Owner/CEO xISP Solutions- Consulting – Data Centers - Bandwidth http://www.midwest-ix.com COO/Chairman Internet Exchange - Peering - Distributed Fabric
Maybe a silly idea, but shouldn't the sale of a block of addresses (RIR ownership change) trigger a removal of that block from all reputation list databases? If I buy a car from a police auction, I'm fairly sure the FBI doesn't start tailing me, because the car was once used for less than legal purposes. New owner, clean slate. Chuck
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Justin Wilson Sent: Sunday, March 12, 2017 10:51 AM To: NANOG <nanog@nanog.org> Subject: Re: Purchased IPv4 Woes
What should and does happen are two different things. The reputation lists aren't a regulated entity. The FBI is. At 11:11 AM 12/03/2017, Chuck Church wrote:
-- Clayton Zekelman Managed Network Systems Inc. (MNSi) 3363 Tecumseh Rd. E Windsor, Ontario N8W 1H4 tel. 519-985-8410 fax. 519-985-8409
Chuck, * Chuck Church (chuckchurch@gmail.com) wrote:
That would be an awfully easy way to allow people to game the entire reputation list system by simply creating more companies and passing ownership around. This could work if the system "knows" that the buyer isn't going to use the netblock for spamming, but that's next to impossible to do in any kind of automated fashion. Thanks! Stephen
On Sun, 12 Mar 2017 11:11:41 -0400, "Chuck Church" said:
How does Spamhaus find out the block has been resold? How do other DNS-based blacklist operators find out? How do all the AS's that have their own internal blacklists find out that they should fix their old listings? (Note that this is the exact same problem as "We got blacklisted because of a bad customer, we axed the customer, but we're still blacklisted", which has been an unsolved problem for decades now). And it's awfully easy to game the system by just reselling the block between a group of shell companies run by bad actors.
They could watch the routing table and notice which ASN is actually using the address space. In fact ASN reputation might work better than IP space reputation. Fact is that the current approach does nothing to stop spammers from swapping space when they are done abusing one space. The argument that clearing the slate for sold space would make it easy to game the system does not hold. It is already trivial. The sad fact is that entities like Spamhaus simply do not care. Not even though they are not succeeding in hurting actual spammers. Not even though they are making their own service less useful. Regards Baldur On 12 Mar 2017 16:41, <valdis.kletnieks@vt.edu> wrote: On Sun, 12 Mar 2017 11:11:41 -0400, "Chuck Church" said:
On Sun, Mar 12, 2017 at 5:59 PM, Baldur Norddahl <baldur.norddahl@gmail.com> wrote:
They could watch the routing table and notice which ASN is actually using the address space. In fact ASN reputation might work better than IP space reputation.
+1 And not only the originating ASN, but to a lesser extent, adjacent ASNs too
On Sun, Mar 12, 2017 at 5:40 PM, <valdis.kletnieks@vt.edu> wrote:
How does Spamhaus find out the block has been resold?
How do other DNS-based blacklist operators find out?
From the REGISTRY as the ultimate custodian of the IP block.
How do all the AS's that have their own internal blacklists find out that they should fix their old listings? (Note that this is the exact same problem as "We got blacklisted because of a bad customer, we axed the customer, but we're still blacklisted", which has been a an unsolved problem for decades now).
From the REGISTRY as the ultimate custodian of the IP block.
"We got blacklisted because of a bad customer, we axed the customer, but we're still blacklisted" is a FAR cry from what this discussion is about. "I got blacklisted because someone else that has NO relevance to me whatsoever was stupid" is more accurate. You can't punish the purchaser of an IP block, because of what previous owners of the IP block did. If I receive a dynamic IP from my ISP on dialup, and the previous user using that IP hacked the FBI... Am I now to blame because the FBI got hacked? NO! The previous user of the IP is responsible!
And it's awfully easy to game the system by just reselling the block between a group of shell companies run by bad actors.
Yes - just like we're playing ping pong with NetFlix (and others) and VPN providers because of geo restricted content too :-) It's a losing battle, and a failed system. Don't blame the purchaser, it's a lack of oversight on the part of whoever does the blacklisting. And that should form part of being RESPONSIBLE when you DO decide to blacklist / unblacklist IP blocks. There are FAR too many companies on the Internet that simply do what they want, when they want. I (or anyone else - I haven't purchased IP space from any other source other than registries, yet) can't be held liable for what others have done. Whether it's IP space, whether it's breaking and entering, whether it's fraud, it doesn't matter. I did not commit the act, and I can't be held liable. You're punishing the wrong person, for the wrong reason. The fact that there are companies out there, CAMPING on /8s which they do not use and yet refuse to return, is exactly why the internet is sitting in this predicament.
On Sun, 12 Mar 2017 17:59:59 +0200, Chris Knipe said:
How do all the AS's that have their own internal blacklists find out that they should fix their old listings? (Note that this is the exact same problem as "We got blacklisted because of a bad customer, we axed the customer, but we're still blacklisted", which has been a an unsolved problem for decades now).
From the REGISTRY as the ultimate custodian of the IP block.
From Friday's routing table report.
BGP routing table entries examined: 639225
Prefixes after maximum aggregation (per Origin AS): 248678
Deaggregation factor: 2.57
Unique aggregates announced (without unneeded subnets): 307752
Total ASes present in the Internet Routing Table: 56403
As 56,000 AS's all start querying each of the registries (ARIN, RIPE, APnic, LACNIC, and AfriNic) for all 639,000 objects once a day, to see which dozen of those got sold yesterday. Sure, that will work. (And no, the problem isn't the number of http hits on the registries. 35,840,000,000 hits per day is the easy part...)
On Sun, Mar 12, 2017 at 6:17 PM, <valdis.kletnieks@vt.edu> wrote:
On Sun, 12 Mar 2017 17:59:59 +0200, Chris Knipe said:
Sure, that will work. (And no, the problem isn't the number of http hits on the registries. 35,840,000,000 hits per day is the easy part...)
And yet, there's no problems of BILLIONS of queries against RBL DNS servers? -- Regards, Chris Knipe
On Sun, 12 Mar 2017 18:38:21 +0200, Chris Knipe said:
On Sun, Mar 12, 2017 at 6:17 PM, <valdis.kletnieks@vt.edu> wrote:
on the registries. 35,840,000,000 hits per day is the easy part...)
And yet, there's no problems of BILLIONS of queries against RBL DNS servers?
As I said, that's not the problem.
On 3/12/17 10:38 AM, Chris Knipe wrote:
On Sun, Mar 12, 2017 at 6:17 PM, <valdis.kletnieks@vt.edu> wrote:
On Sun, 12 Mar 2017 17:59:59 +0200, Chris Knipe said:
Sure, that will work. (And no, the problem isn't the number of http hits on the registries. 35,840,000,000 hits per day is the easy part...)
And yet, there's no problems of BILLIONS of queries against RBL DNS servers?
http == TCP
DNS == (usually) UDP
Big difference here. One requires a three way handshake tearup/teardown, the other does not. It is not an apples to apples comparison.
-- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org
On 12/03/2017 at 18.14, Brielle Bruns wrote:
http == TCP DNS == (usually) UDP
Big difference here. One requires a three way handshake tearup/teardown, the other does not.
It is not an apples to apples comparison.
You can replicate (download) the whole WHOIS if you need to. There is also no requirement that removal from reputation lists is instant. We would be good if it happened just within a month or even half a year. The situation now is however that you will never have it removed and many reputation services will ignore you if you try to contact them for manual removal. At least in the RIPE managed space there IS a reliable way to know for sure who owns a block. Can you know that the new owner is any better than the old? Of course not, but that is true even for "fresh" address space. I am not a fan of reputation services that blacklist forever. It is just wrong and open for abuse of power. But not much I can do about that other than not using their service. Regards, Baldur
On Sun, Mar 12, 2017 at 7:53 PM, Baldur Norddahl <baldur.norddahl@gmail.com> wrote:
Also, no reason why a UDP (or DNS based even) query can't be implemented to facilitate reputation lookups for ASNs, or even ownership. -- Regards, Chris Knipe
On Sun, Mar 12, 2017 at 05:59:59PM +0200, Chris Knipe wrote:
It's a losing battle, and a failed system. Don't blame the purchaser, it's a lack of oversight on the part of whoever does the blacklisting.
You bought damaged goods which aren't fit for the purpose you have in mind. If you had performed due diligence research before finalizing the purchase, perhaps you would have chosen not to do so. If the seller had done their due diligence research, perhaps they could have more accurately described what they were selling to you. There's certainly a lack of "oversight" here, but it's not on the part of the various blacklists which have *correctly* noted the dubious history of the allocation in question. And which, I might add, are not in possession of proof that it doesn't still belong to the same people who generated that dubious history. In other words, everything said here thus far might be precisely the truth, or it might be the 14,273rd iteration of a ruse designed to get the block unlisted so that it can be once again utilized for abuse. ---rsk
So just to be clear here, the reason I made this post isn't to have some help with removing our block from 'official' blacklists around the world. We checked the lists and we weren't on them. The last (known) list this block was on was in September 2016, so just over 6 months ago now, and before we purchased it. I made this post because it appears that various networks use/used some sort of black list at some point, but haven't checked the lists in quite some time, or the block behaviour was so bad that admins blocked it manually. I'm here to say that we now own it and we plan on taking care of it in a responsible manner. I'm not blaming blacklists for holding our block hostage, as I don't see our block IN any blacklists. This thread was for me to say "hey, whoever had this thing in the past must have messed with your network enough to block it for a long time, but now I own it and plan on keeping it clean, so if you could remove us it would be better for everyone." My contact information has been in each email, so it's easily verifiable. We had limited time with which to acquire space, and we back-checked the space as well as we could. I was not expecting so many networks to have it blocked when it isn't actually listed anywhere, and I didn't have a method to verify that. That being said, I like where the thread is going as far as discussing AS rep vs CIDR rep, and other ways with which to verify whether a block has been transferred to a 'safe' entity vs a 'potentially hostile' entity or same entity under a new name. ----- Pete Baldwin Tuckersmith Communications (P) 519-565-2400 (C) 519-441-7383 On 03/12/2017 01:33 PM, Rich Kulawiec wrote:
On Sun, Mar 12, 2017 at 05:59:59PM +0200, Chris Knipe wrote:
It's a losing battle, and a failed system. Don't blame the purchaser, it's a lack of oversight on the part of whoever does the blacklisting.

You bought damaged goods which aren't fit for the purpose you have in mind.
If you had performed due diligence research before finalizing the purchase, perhaps you would have chosen not to do so.
If the seller had done their due diligence research, perhaps they could have more accurately described what they were selling to you.
There's certainly a lack of "oversight" here, but it's not on the part of the various blacklists which have *correctly* noted the dubious history of the allocation in question. And which, I might add, are not in possession of proof that it doesn't still belong to the same people who generated that dubious history. In other words, everything said here thus far might be precisely the truth, or it might be the 14,273rd iteration of a ruse designed to get the block unlisted so that it can be once again utilized for abuse.
---rsk
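Pete's due-diligence step above (checking the acquired block against the lists before relying on it) can be scripted. The following is an added example, not code from the thread: it samples one address per /24 of the block and performs the standard reversed-octet DNSBL lookup against zen.spamhaus.org (the Spamhaus zone that carries the PBL mentioned later in the thread), with the resolver injectable so the logic can be exercised offline; the zone dnsbl.example.invalid and the listing outcomes used in testing are constructed.

```python
"""Sample an acquired IPv4 block against DNSBL zones.

Standard DNSBL mechanism: reverse the octets of an address and query
<reversed>.<zone> for an A record. NXDOMAIN means "not listed"; an
answer in 127.0.0.0/24 means "listed", with the last octet saying why.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterator, List, Optional

# Answer codes documented by Spamhaus for zen.spamhaus.org. Any other
# 127.0.0.x answer is still reported as a listing.
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL (CSS)",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}

# name -> A record as dotted quad, or None for NXDOMAIN
Resolver = Callable[[str], Optional[str]]


def dnsbl_name(ip: str, zone: str) -> str:
    """163.182.192.1 + zen.spamhaus.org -> 1.192.182.163.zen.spamhaus.org"""
    return ".".join(reversed(ip.split("."))) + "." + zone


def sample_block(cidr: str, step: int = 256) -> Iterator[str]:
    """Yield one probe address per `step` addresses (default: one per /24).

    Offset 1 is used instead of the .0 address, which is rarely a host.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    for offset in range(0, net.num_addresses, step):
        yield str(net[offset] + 1)


def system_resolver(name: str) -> Optional[str]:
    """Resolve with the OS resolver; NXDOMAIN (gaierror) means not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def classify(answer: str) -> str:
    """Turn a DNSBL A-record answer into a human-readable verdict."""
    if answer in ZEN_CODES:
        return ZEN_CODES[answer]
    if answer.startswith("127.0.0."):
        return "listed (code %s)" % answer
    # Spamhaus documents 127.255.255.x answers as query errors (for example
    # queries arriving through a public resolver), not as listings.
    return "query error (%s)" % answer


def check_block(cidr: str, zones: List[str], resolve: Resolver = system_resolver,
                step: int = 256) -> Dict[str, Dict[str, str]]:
    """Return {sample_ip: {zone: verdict}} for sample addresses that got an answer."""
    hits: Dict[str, Dict[str, str]] = {}
    for ip in sample_block(cidr, step):
        for zone in zones:
            answer = resolve(dnsbl_name(ip, zone))
            if answer is not None:
                hits.setdefault(ip, {})[zone] = classify(answer)
    return hits


def listed_prefixes(hits: Dict[str, Dict[str, str]]) -> List[str]:
    """Collapse listed sample addresses to the /24s they stand for."""
    nets = set()
    for ip, verdicts in hits.items():
        if any(not v.startswith("query error") for v in verdicts.values()):
            nets.add(str(ipaddress.ip_network(ip + "/24", strict=False)))
    return sorted(nets)


if __name__ == "__main__":
    # Live run against the block from the thread; needs network access and
    # a resolver that Spamhaus will answer (not a public one).
    result = check_block("163.182.192.0/18", ["zen.spamhaus.org"])
    for ip, verdicts in sorted(result.items()):
        print(ip, verdicts)
    print("listed /24s:", listed_prefixes(result))
```

As Pete notes, a clean answer here only covers the published lists; it says nothing about private, hand-maintained blocks.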
On 3/12/2017 11:40 AM, valdis.kletnieks@vt.edu wrote:
How does Spamhaus find out the block has been resold? How do other DNS-based blacklist operators find out?
Spamhaus and other reasonable and well-run DNSBLs:
(1) have reasonable auto-expiration mechanisms (which cover the vast majority of these situations where a block gets a new and more ethical owner)
(2) and have all various different monitoring and feedback mechanisms - which may not be perfect and may not have God-like omniscience - but generally get things right before too long - they have overall very excellent telemetry and they don't get very much wrong at any one point in time.

In contrast, much of the cause of this problem described on this thread is caused by system admins relying less on well-run blacklists, and relying more on "set it and forget it" manual blocking of IPs and subnets at their perimeter. (in contrast to well-run DNSBLs...) They then often have ZERO expirations happening - listings are basically permanent - until manually removed - and their telemetry/feedback is just horrific compared to a well-run DNSBL. There also are not any public lookup forms in the world where a sender can determine which such manual blocks are found on which ISP/hosters/datacenters.

The good news here - is that this becomes further motivation for senders to be vigilant to protect their IPs' reputation - knowing that a lack of such effort can quickly lead to their IP space becoming "damaged goods".

This motivation goes a LONG way towards countering the profit motives that hosters/ISPs/Datacenters/ESPs have in selling services to spammers - there is MUCH money to be made doing so. But the longer term repercussions of damaged IP reputation make that a *bad* long-term investment (even if the short-term gains are lucrative).

Meanwhile, btw - moving all mail servers to IPv6 too fast... ELIMINATES that motivation. Almost everyone reading this paragraph on NANOG has no idea just (a) how much this incentive keeps email sane and manageable - and (b) just how bad things will get if this incentive is removed, via moving all MTAs to IPv6.

(In an all-IPv6 world - if you ruin your IP reputation by making a ton of money selling to spammers - there are always vast amounts of new space to acquire) I can tell you that, ultimately, this is the ONLY thing keeping hosters/ISPs/Datacenters/ESPs from selling services to spammers. Some who deny that this statement applies to them - will at least move the goalposts somewhat, no matter how good of intentions they may think they have. (human nature always dominates)

(but there is no problem moving all email *clients* to IPv6 - where their IPv6-sent mail then SMTP-authenticates to mail servers... which then send that message to other mail servers via IPv4 - at least for the foreseeable future)

-- Rob McEwen
Den 12/03/2017 kl. 18.49 skrev Rob McEwen:
This motivation goes a LONG way towards countering the profit motives that hosters/ISPs/Datacenters/ESPs have in selling services to spammers - there is MUCH money to be made doing so. But the longer term repercussions of damaged IP reputation make that a *bad* long-term investment (even if the short-term gains are lucrative).
Sorry but this is not true. The address space does not lose that much in value and in fact most address space that has been used for end users is already tainted in the same way (due to botnets etc).
On 3/12/2017 2:00 PM, Baldur Norddahl wrote:
Sorry but this is not true. The address space does not lose that much in value and in fact most address space that has been used for end users is already tainted in the same way (due to botnets etc).
First, I'm on the front lines of this particular fight - and my conversations I have with mail senders (of all various types) give me constant 1st-hand confirmation of these facts you deny.

But don't take my word for it - consider the following article written by Brian Krebs: https://krebsonsecurity.com/2015/08/like-cutting-off-a-limb-to-save-the-body...

If what you said is true, then Hostwinds wouldn't have ever seen a need to reform - and they wouldn't have ever reformed. And many of the hosters who had more foresight and never had to learn this lesson the hard way - would have likewise followed Hostwinds' footsteps (except without the reform part)

Also, if any good hosting company just let their guard down and started allowing just any spammer to purchase services - their IP space reputation would nosedive across-the-board to the lowest of depths... that occasional random botnets on residential dynamic IPs - could never get to.

-- Rob McEwen
Den 12/03/2017 kl. 19.24 skrev Rob McEwen:
First, I'm on the front lines of this particular fight - and my conversations I have with mail senders (of all various types) give me constant 1st-hand confirmation of these facts you deny.
But don't take my word for it - consider the following article written by Brian Krebs:
How much IP address space have you bought or sold in the last year? Me? About 5k IP addresses, which might not be a lot but still more than most.

The article says nothing about the pricing of selling or buying IP address space. Yes, it is a fact that tainted address space is slightly cheaper than "pristine" address space. Slightly. And we will happily buy it because we are not using it for sending emails anyway. And so will a lot of other eyeball ISPs, and that keeps the price up.

I am not complaining about the space we got. Some of it is tainted. We just assign users that complain about that some address space from untainted space. Most users never notice.

But I can see the pain on a smaller hosting provider just starting out who got unlucky with his first buy. Having a spammer abuse your address space is very expensive, but NOT because the address space cannot be sold. It can. But if you have to do that, you will have to tell all your other customers to change addresses and they will not be happy campers about that. Plus it is a lot of bother, and I will bet you that spammers are generally not good paying customers.

The assertion that refusing to unblock address space that got sold somehow influences spammers is wrong.

Regards,

Baldur
On 3/12/2017 2:00 PM, Baldur Norddahl wrote:
Sorry but this is not true. The address space does not lose that much in value and in fact most address space that has been used for end users is already tainted in the same way (due to botnets etc).
Also, you're comparing apples to oranges. Dynamically allocated IPs for "end users" are not supposed to host mail and web servers - at least not professional and high-quality hosting services. This is why their outbound speed is almost always governed down to a trickle (often orders of magnitude slower than the download speeds), and port 25 is often blocked (when not headed to the mail server hosted by the particular ISP which controls that space). Such IPs are OFTEN preemptively blacklisted by Spamhaus's PBL list: https://www.spamhaus.org/pbl/

If someone wants to run a mail server (or even a web server) from such space - then they have a whole bunch of OTHER problems besides who/what damaged the space before they acquired it. Their first problem is that they are trying to tow a boat with their bicycle.

-- Rob McEwen
Den 12/03/2017 kl. 19.40 skrev Rob McEwen:
Also, you're comparing apples to oranges. Dynamically allocated IPs for "end users" are not supposed to host mail and web servers - at least not professional and high-quality hosting services. This is why their outbound speed is almost always governed down to a trickle (often orders of magnitude slower than the download speeds), and port 25 is often blocked (when not headed to the mail server hosted by the particular ISP which controls that space).
We are talking about address space that got sold. It might have been used for dynamically allocated IPs in some previous life. Now some poor hosting provider took over and is trying to use it for his new enterprise.

By the way, we sell 1000 Mbps downstream, 1000 Mbps upstream and no ports are blocked. And we are not the only FTTH provider here doing that. We will not decide what our users are supposed to host in a closet in their homes.

Regards,

Baldur
So this is really the question I had, and this is why I was wanting to start a dialog here, hoping that it wasn't out of line for the list. I don't know of a way to let a bunch of operators know that they should remove something without using something like this mailing list. Blacklists are supposed to fill this role so that one operator doesn't have to try and contact thousands of other operators individually; he/she just has to appeal to the blacklist and once delisted all should be well in short order.

In cases where companies have their own internal lists, or only update them a couple of times a year from the major lists, I don't know of another way to notify everyone.

I get why people are more cautious and filter entire blocks when just a few hosts are attacking/spamming them, and everyone has a choice on how they want to handle these situations. As an ISP, I want to do as little filtering as possible. I want all of my customers to have access to everything possible. If a netblock changes hands, I want to give the new owner the benefit of the doubt and only filter traffic if it repeats the same old behaviour. We're all using this finite space and I don't want to let the hostile minority slowly ruin what's left of the IPv4 assignments.

-----
Pete Baldwin
Tuckersmith Communications
(P) 519-565-2400
(C) 519-441-7383

On 03/12/2017 11:40 AM, valdis.kletnieks@vt.edu wrote:
How do all the AS's that have their own internal blacklists find out that they should fix their old listings?
Hi,

This is why I moved away from static black lists years ago. When the 68/8 and 24/8 blocks were released and tons of networks had it blocked since it was "reserved" I observed and felt the pain. My networks are small, and I rely on things such as fail2ban which auto-remove the blocks.

I would be willing to bet that many of the network operators/admins that blocked your range are either not in the job any more or even dead. No one in the company knows the blocks exist...

-Harry

On 03/12/2017 04:51 PM, Pete Baldwin wrote:
So this is really the question I had, and this is why I was wanting to start a dialog here, hoping that it wasn't out of line for the list. I don't know of a way to let a bunch of operators know that they should remove something without using something like this mailing list. Blacklists are supposed to fill this role so that one operator doesn't have to try and contact thousands of other operators individually; he/she just has to appeal to the blacklist and once delisted all should be well in short order.
In cases where companies have their own internal lists, or only update them a couple of times a year from the major lists, I don't know of another way to notify everyone.
I get why people are more cautious and filter entire blocks when just a few hosts are attacking/spamming them, and everyone has a choice on how they want to handle these situations. As an ISP, I want to do as little filtering as possible. I want all of my customers to have access to everything possible. If a netblock changes hands, I want to give the new owner the benefit of the doubt and only filter traffic if it repeats the same old behaviour. We're all using this finite space and I don't want to let the hostile minority slowly ruin what's left of the ipv4 assignments.
On Sun, 12 Mar 2017, Pete Baldwin wrote:
So this is really the question I had, and this is why I was wanting to start a dialog here, hoping that it wasn't out of line for the list. I don't know of a way to let a bunch of operators know that they should remove something without using something like this mailing list. Blacklists are supposed to fill this role so that one operator doesn't have to try and contact thousands of other operators individually; he/she just has to appeal to the blacklist and once delisted all should be well in short order.
In cases where companies have their own internal lists, or only update them a couple of times a year from the major lists, I don't know of another way to notify everyone.
I suspect you'll find many of the private "blacklistings" are hand maintained (added to as needed, never removed from unless requested) and you'll need to play whack-a-mole, reaching out to each network as you find they have the space blocked on their mail servers or null routed on their networks. I doubt your message here will be seen by many of the "right people." How many company mail server admins read NANOG? How many companies even do email in-house and have mail server admins anymore? :)

Back when my [at that time] employer was issued some of 69/8, I found it useful to set up a host with IPs in 69/8 and in one of our older IP blocks, and then do both automated reachability testing and allow anyone to do a traceroute from both source IPs simultaneously, keeping the results in a DB. If you find there are many networks actually null routing your purchased space, you might set up something similar.

----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
                             |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
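Jon Lewis's dual-source reachability test above, written out as an added example (not his code): a host holding one address in the long-held block and one in the acquired block probes the same targets from both, records both outcomes in a DB, and flags targets that answer only the old source as candidates for a stale filter or null route. The 203.0.113.x and 198.51.100.x addresses are assumed documentation-range placeholders, and the probe function is injectable so the comparison logic can be tested offline.

```python
"""Compare reachability of the same targets from two source addresses."""
import socket
import sqlite3
import time
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

# (source_ip, target, port) -> True if the target answered from that source
Prober = Callable[[str, str, int], bool]


def tcp_probe(source_ip: str, target: str, port: int, timeout: float = 3.0) -> bool:
    """Attempt a TCP handshake to target:port with the socket bound to source_ip.

    The host must actually hold source_ip. Any failure (timeout, RST, no
    route) counts as unreachable; the comparison, not the cause, matters here.
    """
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.bind((source_ip, 0))
            sock.connect((target, port))
        return True
    except OSError:
        return False


@dataclass(frozen=True)
class Result:
    target: str
    port: int
    from_old: bool  # reachable from the long-held, known-good block
    from_new: bool  # reachable from the newly acquired block

    @property
    def verdict(self) -> str:
        if self.from_old and not self.from_new:
            # Only the new source fails: consistent with a stale filter or
            # null route against the acquired space at or near the target.
            return "suspect-filtered"
        if self.from_old == self.from_new:
            return "consistent"  # both up or both down: not about the new block
        return "new-only"  # the old source fails: a problem on the old path instead


def compare_sources(old_ip: str, new_ip: str, targets: Iterable[Tuple[str, int]],
                    probe: Prober = tcp_probe) -> List[Result]:
    """Probe every target from both sources and pair the outcomes."""
    return [Result(t, p, probe(old_ip, t, p), probe(new_ip, t, p)) for t, p in targets]


def suspects(results: Iterable[Result]) -> List[str]:
    """host:port strings reachable only from the long-held block."""
    return sorted("%s:%d" % (r.target, r.port) for r in results
                  if r.verdict == "suspect-filtered")


def store_results(db_path: str, run_ts: int, results: Iterable[Result]) -> int:
    """Append one row per probe pair and return the row count for this run.

    Keeping history shows when a target flips to 'consistent' after an
    operator removes the stale entry you asked about.
    """
    conn = sqlite3.connect(db_path)
    try:
        conn.execute(
            "CREATE TABLE IF NOT EXISTS reach (ts INTEGER, target TEXT, port INTEGER,"
            " from_old INTEGER, from_new INTEGER, verdict TEXT)")
        conn.executemany(
            "INSERT INTO reach VALUES (?, ?, ?, ?, ?, ?)",
            [(run_ts, r.target, r.port, int(r.from_old), int(r.from_new), r.verdict)
             for r in results])
        conn.commit()
        return conn.execute("SELECT COUNT(*) FROM reach WHERE ts = ?",
                            (run_ts,)).fetchone()[0]
    finally:
        conn.close()


if __name__ == "__main__":
    # Assumed addresses: an established source and one in the acquired block,
    # probing a few assumed targets (mail, DNS, HTTPS) from both.
    OLD_SRC, NEW_SRC = "203.0.113.10", "163.182.192.10"
    TARGETS = [("198.51.100.25", 25), ("198.51.100.53", 53), ("198.51.100.80", 443)]
    res = compare_sources(OLD_SRC, NEW_SRC, TARGETS)
    store_results("reach.db", int(time.time()), res)
    print("suspect filtered:", suspects(res))
```

Run it on a schedule from a host that holds both addresses; the rows tagged suspect-filtered are the networks worth contacting, and a later run shows whether they acted.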
Pete's right about how IPs get put on the lists. In fact, let us not forget that these lists were mostly created with volunteers - some still today. Many are very old lists.

Enterprise networks select lists by some sort of popularity / fame - etc.. Like how they decide to install 8.8.8.8 as first - it's easy and they think it's better than their local ISP they pay.... yet they always call the ISP about slowness when 8.8.8.8 is for consumers and doesn't always resolve quickly. It's a tough sale.

Once had a customer's employee abuse their mail server - it made some lists. Customer complained our network is hosting spammers and sticking them in the middle of a problem that is our networks. Hard win. Took us months to get that IP off lists. That was one single IP. We did not allow them to renew their contract once the term was over. Now, they suffer with Comcast for business. ;-)

Thank You
Bob Evans
CTO
I suspect you'll find many of the private "blacklistings" are hand maintained (added to as needed, never removed from unless requested) and you'll need to play whack-a-mole, reaching out to each network as you find they have the space blocked on their mail servers or null routed on their networks. I doubt your message here will be seen by many of the "right people." How many company mail server admins read NANOG? How many companies even do email in-house and have mail server admins anymore? :)
Back when my [at that time] employer was issued some of 69/8, I found it useful to set up a host with IPs in 69/8 and in one of our older IP blocks, and then do both automated reachability testing and allow anyone to do a traceroute from both source IPs simultaneously, keeping the results in a DB. If you find there are many networks actually null routing your purchased space, you might set up something similar.

----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
                             |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Then you have the lists which want money to be removed. I have an IP that was blacklisted by hotmail. Just a single IP. I have gone through the procedures that are referenced in the return e-mails. No response. My next step says something about a $2500 fee to have it investigated. I know several blacklists which are this way. Luckily, many admins do not use such lists.

Justin Wilson
j2sw@mtin.net

---
http://www.mtin.net Owner/CEO xISP Solutions- Consulting – Data Centers - Bandwidth
http://www.midwest-ix.com COO/Chairman Internet Exchange - Peering - Distributed Fabric
On Mar 12, 2017, at 9:10 PM, Bob Evans <bob@FiberInternetCenter.com> wrote:
Pete's right about how IPs get put on the lists. In fact, let us not forget that these lists were mostly created with volunteers - some still today. Many are very old lists. Enterprise networks select lists by some sort of popularity / fame - etc.. Like how they decide to install 8.8.8.8 as first - it's easy and they think it's better than their local ISP they pay.... yet they always call the ISP about slowness when 8.8.8.8 is for consumers and doesn't always resolve quickly. It's a tough sale.
Once had a customer's employee abuse their mail server - it made some lists. Customer complained our network is hosting spammers and sticking them in the middle of a problem that is our networks. Hard win. Took us months to get that IP off lists. That was one single IP. We did not allow them to renew their contract once the term was over. Now, they suffer with comcast for business. ;-)
Thank You
Bob Evans
CTO
Which one was it that demanded 2500? There's only one reasonably well known pay for whitelisting type of blocklist but I'd have thought they're a lot cheaper.

--srs
On 20-Mar-2017, at 9:02 AM, Justin Wilson <lists@mtin.net> wrote:
Then you have the lists which want money to be removed. I have an IP that was blacklisted by hotmail. Just a single IP. I have gone through the procedures that are referenced in the return e-mails. No response. My next step says something about a $2500 fee to have it investigated. I know several blacklists which are this way. Luckily, many admins do not use such lists.
Would you mind naming the company so that they can be publicly shamed? That is nothing short of extortion.

On Mar 19, 2017 10:36 PM, "Justin Wilson" <lists@mtin.net> wrote:
Then you have the lists which want money to be removed. I have an IP that was blacklisted by hotmail. Just a single IP. I have gone through the procedures that are referenced in the return e-mails. No response. My next step says something about a $2500 fee to have it investigated. I know several blacklists which are this way. Luckily, many admins do not use such lists.
He did mention Hotmail.

-----
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP

----- Original Message -----
From: "Josh Reynolds" <josh@kyneticwifi.com>
To: "Justin Wilson" <lists@mtin.net>
Cc: "NANOG" <nanog@nanog.org>
Sent: Monday, March 20, 2017 9:06:00 AM
Subject: Re: Purchased IPv4 Woes

Would you mind naming the company so that they can be publicly shamed? That is nothing short of extortion.

On Mar 19, 2017 10:36 PM, "Justin Wilson" <lists@mtin.net> wrote:
Then you have the lists which want money to be removed. I have an IP that was blacklisted by hotmail. Just a single IP. I have gone through the procedures that are referenced in the return e-mails. No response. My next step says something about a $2500 fee to have it investigated. I know several blacklists which are this way. Luckily, many admins do not use such lists.
Just because he chose poorly with his email provider doesn't mean he should be allowed to be exploited Mike, although a friendly ribbing is still justified IMO ;)

On Mar 20, 2017 9:27 AM, "Mike Hammett" <nanog@ics-il.net> wrote:
He did mention Hotmail.
----- Mike Hammett Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP
----- Original Message -----
From: "Josh Reynolds" <josh@kyneticwifi.com> To: "Justin Wilson" <lists@mtin.net> Cc: "NANOG" <nanog@nanog.org> Sent: Monday, March 20, 2017 9:06:00 AM Subject: Re: Purchased IPv4 Woes
Would you mind naming the company so that they can be publicly shamed? That is nothing sort of extortion.
On Mar 19, 2017 10:36 PM, "Justin Wilson" <lists@mtin.net> wrote:
Then you have the lists which want money to be removed. I have an IP that was blacklisted by hotmail. Just a single IP. I have gone through the procedures that are referenced in the return e-mails. No response. My next step says something about a $2500 fee to have it investigated. I
know
several blacklists which are this way. Luckily, many admins do not use such lists.
Justin Wilson j2sw@mtin.net
--- http://www.mtin.net Owner/CEO xISP Solutions- Consulting – Data Centers - Bandwidth
http://www.midwest-ix.com COO/Chairman Internet Exchange - Peering - Distributed Fabric
On Mar 12, 2017, at 9:10 PM, Bob Evans <bob@FiberInternetCenter.com> wrote:
Pete's right about how IPs get put on the lists. In fact, let us not forget that these lists were mostly created with volunteers - some still today. Many are very old lists. Enterprise networks select lists by some sort of popularity / fame - etc.. Like how they decide to install 8.8.8.8 as first - its easy and they think its better than their local ISP they pay.... yet they always call the ISP about slowness when 8.8.8.8 is for consumers and doesn't always resolve quickly. It's a tough sale.
Once had a customer's employee abuse their mail server - it made some lists. Customer complained our network is hosting spammers and sticking them in the middle of a problem that is our networks. Hard win. Took us months to get that IP off lists. That was one single IP. We did not allow them to renew their contract once the term was over. Now, they suffer with comcast for business. ;-)
Thank You Bob Evans CTO
On Sun, 12 Mar 2017, Pete Baldwin wrote:
So this is really the question I had, and this is why I was wanting to start a dialog here, hoping that it wasn't out of line for the list. I don't know of a way to let a bunch of operators know that they should remove something without using something like this mailing list. Blacklists are supposed to fill this role so that one operator doesn't have to try and contact thousands of other operators individually, he/she just has to appeal to the blacklist and once delisted all should be well in short order.
In cases where companies have their own internal lists, or only update them a couple of times a year from the major lists, I don't know of another way to notify everyone.
I suspect you'll find many of the private "blacklistings" are hand maintained (added to as needed, never removed from unless requested) and you'll need to play whack-a-mole, reaching out to each network as you find they have the space blocked on their mail servers or null routed on their networks. I doubt your message here will be seen by many of the "right people." How many company mail server admins read NANOG? How many companies even do email in-house and have mail server admins anymore? :)
Back when my [at that time] employer was issued some of 69/8, I found it useful to setup a host with IPs in 69/8 and in one of our older IP blocks, and then do both automated reachability testing and allow anyone to do a traceroute from both source IPs simultaneously, keeping the results in a DB. If you find there are many networks actually null routing your purchased space, you might setup something similar.
------------------------------------------------------------
Jon Lewis, MCP :) | I route | therefore you are _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
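Jon Lewis's dual-source testing setup above, as an added example that is not his or the list's tooling: a small Python probe that connects to each target from an address in the old block and from one in the purchased block, stores every attempt in SQLite, and flags targets that answer only from the old source. OLD_SRC, NEW_SRC and TARGETS are placeholders, and the script assumes both addresses are configured on the probing host. It uses unprivileged TCP connects rather than traceroute, so it only tells you whether a target is reachable, not where the path breaks.

```python
"""Differential reachability probe (added example, not the poster's tooling).
Connects to each target from two source addresses and records the outcome,
so that targets reachable from the old block but not the new one stand out."""
import socket
import sqlite3
import time

OLD_SRC = "192.0.2.10"      # placeholder: address in the established block
NEW_SRC = "198.51.100.10"   # placeholder: address in the purchased block
# constructed sample target list of (host, port); replace with real peers
TARGETS = [("example.net", 443), ("example.org", 25)]

SCHEMA = ("CREATE TABLE IF NOT EXISTS probes (ts REAL, host TEXT, port INTEGER,"
          " src TEXT, ok INTEGER, rtt_ms REAL, err TEXT)")


def probe(host, port, source_ip, timeout=3.0):
    """TCP connect to host:port with the socket bound to source_ip.
    Returns (ok, rtt_ms, error_text); a refusal or timeout is ok=False."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout,
                                      source_address=(source_ip, 0)):
            return True, (time.monotonic() - start) * 1000.0, ""
    except OSError as exc:
        return False, None, str(exc)


def record(db, host, port, source_ip, result):
    """Append one probe result to the SQLite table, creating it on first use."""
    db.execute(SCHEMA)
    ok, rtt, err = result
    db.execute("INSERT INTO probes VALUES (?,?,?,?,?,?,?)",
               (time.time(), host, port, source_ip, int(ok), rtt, err))
    db.commit()


def suspect_blocks(results, old_src=OLD_SRC, new_src=NEW_SRC):
    """results maps (host, port) -> {source_ip: ok}. Return the targets that
    answered the old source but not the new one: candidates for a block."""
    return sorted(t for t, by_src in results.items()
                  if by_src.get(old_src) and not by_src.get(new_src))


def run(db_path=":memory:"):
    db = sqlite3.connect(db_path)
    results = {}
    for host, port in TARGETS:
        for src in (OLD_SRC, NEW_SRC):
            res = probe(host, port, src)
            record(db, host, port, src, res)
            results.setdefault((host, port), {})[src] = res[0]
    return suspect_blocks(results)


if __name__ == "__main__":
    for host, port in run("reachability.db"):
        print(f"{host}:{port} answers {OLD_SRC} but not {NEW_SRC}: possible block")
```

Run it on a schedule and the table gives you the history behind each "we never blocked you" conversation.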
On 3/20/2017 10:25 AM, Mike Hammett wrote:
He did mention Hotmail.
I have no idea which blacklist is allegedly charging $2500 for investigating a listing. (I wonder if he meant to type $25.00?) Either way, I don't know who that is. But I will say that, in general, many requesting a delisting from a blacklist OFTEN assume that a particular hoster that is blocking their messages MUST therefore be caused by the particular "known" blacklist they found themselves to be on. But, in many such cases, the host had their own internal blacklist or was using some OTHER 3rd party blacklist - that was possibly responding to the same "root cause" that the other "known" blacklist was reacting to as well, but where that particular "known" blacklist wasn't actually the direct reason that this hoster was blocking that sender. So (absent more specific info proving such) this "known" blacklist that is allegedly charging a fee for research... could easily NOT be related to hotmail. (and probably isn't!) -- Rob McEwen
I am for naming the companies that extort via RBLs. Spamming is so wide spread even the domain name company Godaddy leveraged it as a profit center. Godaddy, in its early beginnings. Years ago. I know from experience that this happens....Godaddy demanded money from me for spamming. I had to pay $150 or $250 ? I had several domains with them that were not even being used, beyond a webpage placeholder and I ran my own DNS server for my domains. After paying, they released my domain to function again. They claimed and promised they would provide the proof "after I paid"... employees and all kinds of lines about why they could not show you until after you paid. I paid and Godaddy suddenly lost the proof. I am sure it was part of a profit center as I know others that had this happen with Godaddy. Think about it Godaddy didn't even provide me a service using an IP address of theirs. It was the domain they held hostage with their DNS server. There should be a class action against them - just to expose it - (people never get the real money the lawyers do in a class action). Now that they are public some lawyer should look into the records and find all the extortion money gathered years ago. Contact those domain owners at the time. Would surprise me if the RBL owners were ex Godaddy employees that saw this leverage opportunity. Thank You Bob Evans CTO
On Mar 19, 2017, at 8:32 PM, Justin Wilson <lists@mtin.net> wrote:
Then you have the lists which want money to be removed. I have an IP that was blacklisted by hotmail. Just a single IP. I have gone through the procedures that are referenced in the return e-mails. No response. My next step says something about a $2500 fee to have it investigated. I know several blacklists which are this way. Luckily, many admins do not use such lists.
This reads like you're leaving out some critical details of the story. Cheers, Steve
On Sun, Mar 12, 2017 at 11:11:41AM -0400, Chuck Church wrote:
Maybe a silly idea, but shouldn't the sale of a block of addresses (RIR ownership change) trigger a removal of that block from all reputation list databases?
If we'd not seen many, MANY instances where this was done as a ruse to present the appearance of an ownership change while a block was actually still controlled by the same entity (or their partners or similar) then yes, maybe this might be a viable approach. --rsk
On 3/12/17 9:11 AM, Chuck Church wrote:
Maybe a silly idea, but shouldn't the sale of a block of addresses (RIR ownership change) trigger a removal of that block from all reputation list databases? If I buy a car from a police auction, I'm fairly sure the FBI doesn't start tailing me, because the car was once used for less than legal purposes. New owner, clean slate.
No. No verifiable way to confirm that a block has actually changed hands, and not just had its user/POC renamed, sold to 'new' owner to dodge bankruptcy/creditors, etc. And just because a car was bought at police auction doesn't mean it has no bad things associated with it anymore - such as drugs in the walls of the passenger doors, or the FBI tracking device under the front driver wheel well. -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org
On Sun, Mar 12, 2017 at 11:11 AM, Chuck Church <chuckchurch@gmail.com> wrote:
Maybe a silly idea, but shouldn't the sale of a block of addresses (RIR ownership change) trigger a removal of that block from all reputation list databases?
Hi Chuck, You're talking about 50+ database operators half of which don't identify their principals and offer no way to contact staff or interact with them except, sometimes, through narrowly defined reporting tools. Google is a prime example of the problem. They write great algorithms but their confidence in those algorithms far exceeds their greatness. The current catastrophic mess with Recaptcha should offer a cautionary tale for all.
If I buy a car from a police auction, I'm fairly sure the FBI doesn't start tailing me, because the car was once used for less than legal purposes.
You would think so, but I have a friend who is visited by police every few months because the prior owner of his house is a petty criminal still committing crimes and their database shows the house as his last known residence. Regards, Bill Herrin -- William Herrin ................ herrin@dirtside.com bill@herrin.us Dirtside Systems ......... Web: <http://www.dirtside.com/>
participants (24)
- Baldur Norddahl
- Bob Evans
- Brielle Bruns
- Bryan Holloway
- Ca By
- Chris Knipe
- Chuck Church
- Clayton Zekelman
- Harry McGregor
- Jon Lewis
- Josh Reynolds
- Justin Wilson
- Laurent Dumont
- Martin Hannigan
- Mike Hale
- Mike Hammett
- Pete Baldwin
- Rich Kulawiec
- Rob McEwen
- Stephen Frost
- Steve Atkins
- Suresh Ramasubramanian
- valdis.kletnieks@vt.edu
- William Herrin