I agree..
Problem was it was a downstream ISP.. This all comes down to, we warn them
since it is their customer, they don't deal with it, we black hole part of
their network..
But it take 3-4 days to do that to a large downstream.
Mark
--
Mark Segal
Director, Data Services
Futureway Communications Inc.
Tel: (905)326-1570
-----Original Message-----
From: Lee, Hansel [mailto:Hansel.Lee@corp.winfirst.com]
Sent: December 10, 2002 3:08 PM
To: 'nanog@nanog.org'
Cc: 'owner-nanog@merit.edu'
Subject: RE: Spam. Again.. -- and blocking net blocks?
Quick Comment as a NANOG lurker and SPEWS lurker
(news.admin.net-abuse.email). I'm not defending SPEWS, don't
speak for SPEWS but will describe what I understand happens:
SPEWS initially lists offending IP address blocks from
non-repentant SPAM sources. If the upstream ISP does nothing
about it, that block tends to expand to neighboring blocks to
gain the attention of the ISP.
High level concept:
Block the SPAMMER
- ISP Does nothing
Block the SPAMMER's Neighboring Blocks (Collateral Damage)
- Motivates neighbors to find new Upstream/Isp
- Motivates neighbors to complain to upstream/ISP
- Gains the attention of the Upstream/ISP
Expand the Block
- Ditto
Block the ISP as a whole
The SPEWS concept prevents an ISP from allowing spammers on
some blocks while trying to service legitimate customers on
others. For an ISP - it is either all or none over time, you
support spammers and are blocked as a whole (to include
innocent customers).
If you do end up mistakenly on SPEWS or take care of your
spamming customers
- you can appeal to them at news.admin.net-abuse.email, get
flamed pretty bad, and eventually fall off the list.
I do personally like the idea of holding the ISP as a whole
accountable over time. An ISP can stay off spews, I've never
had a block listed - though when I'm in a decision making
position, I've never tolerated a spammer.
Hansel
-----Original Message-----
From: Michael.Dillon@radianz.com [mailto:Michael.Dillon@radianz.com]
Sent: Tuesday, December 10, 2002 08:36
To: MSegal@FUTUREWAY.CA
Cc: nanog@nanog.org; owner-nanog@merit.edu
Subject: Re: Spam. Again.. -- and blocking net blocks?
Problem:
For some reason, spews has decided to now block one of our
/19.. Ie no
mail
server in the /19 can send mail.
Questions:
1) How do we smack some sense into spews?
Make it easy for them to identify the fact that your downstream ISP
customer has allocated that /32 to a separate organisation.
This is what
referral whois was supposed to do but it never happened because
development of the tools fizzled out.
If SPEWS could plug guilty IP addresses into an automated
tool and come up
with an accurate identification of which neighboring IP
addresses were
tainted and which were not, then they wouldn't use such crude
techniques.
Imagine a tool which queries the IANA root LDAP server for an
IP address.
The IANA server refers them to ARIN's LDAP server because
this comes from
a /8 that was allocated to ARIN. Now ARIN's server identifies
that this
address is in your /19 so it refers SPEWS to your own LDAP
server. Your
server identifies your customer ISP as the owner of the
block, or if your
customer has been keeping the records up to date with a simple LDAP
client, your server would identify that the guilty party is
indeed only on
one IP address.
Of course, this won't stop SPEWS from blacklisting you. But
it enables
SPEWS to quickly identify the organization (your customer
ISP) that has a
business relationship with the offender so that SPEWS is more
likely to
focus their attentions on these two parties.
2) Does anyone else see a HUGE problem with listing a /19 because
there
is
one /32 of a spam advertised website? When did this start
happening?
It's a free country, you can't stop people like the SPEWS group from
expressing their opinions. As long as people are satisfied with crude
tools for mapping IP address to owner, this kind of thing
will continue to
happen.
--Michael Dillon