Hi,

I'm a network operator at a small hosting company that has about a /20 slice of IP addresses. Recently we have suffered a few break-ins (and some fraud) which caused a large quantity of spam to find its way onto the internet. This has resulted in some of our network space being listed in several DNS blacklists, and being blacklisted by individual ISPs.

So my question is this. Firstly, what is the best way to remove myself from each of these blacklists, if there is anything aside from going to each one individually and saying "I'm not spamming anymore".

Second, is there some way to mark my block of addresses is owned by responsible responsive system administrators. We have tech support on duty 24/7 and abuse complaints are dealt with in a timely manner, so I am wondering if there is a way to communicate our willingness to help in the fight against spam.

Thanks,
Adam Jacob Muller
On 04/06/05, Adam Jacob Muller <adam@gotlinux.us> wrote:

> Firstly, what is the best way to remove myself from each of these blacklists, if there is anything aside from going to each one individually and saying "I'm not spamming anymore".

Right now, that's about it -- but many folks only do temporary blocking based on recent traffic patterns, so you can also just wait a few days and I bet some of the problem will go away.

> Second, is there some way to mark my block of addresses is owned by responsible responsive system administrators.

If there was, the spammers would be the first to adopt it.

> We have tech support on duty 24/7 and abuse complaints are dealt with in a timely manner, so I am wondering if there is a way to communicate our willingness to help in the fight against spam.

http://www.maawg.org/ is probably the best industry group focused on these issues right now.

--
J.D. Falk                    As a carpenter bends the seat of a chariot
<jdfalk@cybernothing.org>    I bend this frenzy round my heart.
On Wednesday 06 April 2005 13:54, Adam Jacob Muller wrote:

> Hi, I'm a network operator at a small hosting company that has about a /20 slice of IP addresses. Recently we have suffered a few break-ins (and some fraud) which caused a large quantity of spam to find its way onto the internet. This has resulted in some of our network space being listed in several DNS blacklists, and being blacklisted by individual ISPs. So my question is this. Firstly, what is the best way to remove myself from each of these blacklists, if there is anything aside from going to each one individually and saying "I'm not spamming anymore". Second, is there some way to mark my block of addresses is owned by responsible responsive system administrators. We have tech support on duty 24/7 and abuse complaints are dealt with in a timely manner, so I am wondering if there is a way to communicate our willingness to help in the fight against spam.
>
> Thanks, Adam Jacob Muller

Adam,

As JD already mentioned, many will most probably go away within a few days if there is no other "spam" from the IP space to keep the entry active. Quite a few have web space, so if you know the BL that is blocking, you might look and see if there are "remove" instructions/capability.

Only other thing I can think of would be to register your domain(s) with abuse.net. Personally that is one of the first places I check domains against (if they have a "valid" abuse address) then I report first and block second or third. (meaning if the spam continues after reporting)...

--
Larry Smith
SysAd ECSIS.NET
sysad@ecsis.net
Date: Wed, 6 Apr 2005 14:54:08 -0400
From: Adam Jacob Muller <adam@gotlinux.us>
Subject: Spam (un)blocking

> [ ... ] Second, is there some way to mark my block of addresses is owned by responsible responsive system administrators.

Over here in "RIPE land" so to speak, several ISP's (most notably FIRST members) have put a lot of effort in getting 'IRT' objects in the RipeDB.

$ whois -h whois.ripe.net -r 194.171.31.0 | egrep '^(inetnum|remarks|mnt-irt):'
inetnum: 194.171.31.0 - 194.171.31.255
remarks: utilized by 802.1x authenticated guests utilizing EduRoam
remarks: see http://www.eduroam.nl/ for more information
remarks: in case of abuse: abuse@cwi.nl and cert@surfnet.nl
mnt-irt: irt-SURFnet-CERT

That IRT object (I believe there were efforts underway for a similar system in the ARINdb, but I haven't followed it for over a year :( ) is an object to identify the "Incident Response Team" which can be contacted regarding certain blocks of space.

$ whois -h whois.ripe.net -r irt-SURFnet-CERT | egrep '^(irt|signature|encryption|remarks|mnt-by):'
irt: irt-SURFNET-CERT
signature: PGPKEY-A6D57ECE
encryption: PGPKEY-A6D57ECE
remarks: SURFNET-CERT is the Computer Emergency
remarks: Response Team of SURFnet
remarks: This is a TI accredited CSIRT
remarks: (see http://www.ti.terena.nl/teams/level2.html)
mnt-by: TRUSTED-INTRODUCER-MNT

More information can be found in Google, or on the FAQ by Jan Meijer:
http://www.surfnetters.nl/meijer/tf-csirt/irt-object-faq.html

> We have tech support on duty 24/7 and abuse complaints are dealt with in a timely manner, so I am wondering if there is a way to communicate our willingness to help in the fight against spam.

Replace spam with abuse and you have something like the IRT object. ;D

No doubt someone on NANOG knows what's happening with the ARIN version ;) (or if there will be one, if people want it, etc.)

Regards,
JP Velders
At 06:10 PM 4/6/2005, JP Velders wrote:

> Date: Wed, 6 Apr 2005 14:54:08 -0400
> From: Adam Jacob Muller <adam@gotlinux.us>
> Subject: Spam (un)blocking
>
> > [ ... ] Second, is there some way to mark my block of addresses is owned by responsible responsive system administrators.
>
> Over here in "RIPE land" so to speak, several ISP's (most notably FIRST members) have put a lot of effort in getting 'IRT' objects in the RipeDB.
>
> $ whois -h whois.ripe.net -r 194.171.31.0 | egrep '^(inetnum|remarks|mnt-irt):'
> inetnum: 194.171.31.0 - 194.171.31.255
> remarks: utilized by 802.1x authenticated guests utilizing EduRoam
> remarks: see http://www.eduroam.nl/ for more information
> remarks: in case of abuse: abuse@cwi.nl and cert@surfnet.nl
> mnt-irt: irt-SURFnet-CERT

And this is MUCH appreciated. When trying to figure out where to send spam complaints, a network that's taken the time to put their abuse address in their records certainly appears to at least care, and so gets better treatment.

> That IRT object (I believe there were efforts underway for a similar system in the ARINdb, but I haven't followed it for over a year :( ) is an object to identify the "Incident Response Team" which can be contacted regarding certain blocks of space.
>
> $ whois -h whois.ripe.net -r irt-SURFnet-CERT | egrep '^(irt|signature|encryption|remarks|mnt-by):'
> irt: irt-SURFNET-CERT
> signature: PGPKEY-A6D57ECE
> encryption: PGPKEY-A6D57ECE
> remarks: SURFNET-CERT is the Computer Emergency
> remarks: Response Team of SURFnet
> remarks: This is a TI accredited CSIRT
> remarks: (see http://www.ti.terena.nl/teams/level2.html)
> mnt-by: TRUSTED-INTRODUCER-MNT
>
> More information can be found in Google, or on the FAQ by Jan Meijer:
> http://www.surfnetters.nl/meijer/tf-csirt/irt-object-faq.html
>
> > We have tech support on duty 24/7 and abuse complaints are dealt with in a timely manner, so I am wondering if there is a way to communicate our willingness to help in the fight against spam.
>
> Replace spam with abuse and you have something like the IRT object. ;D
>
> No doubt someone on NANOG knows what's happening with the ARIN version ;) (or if there will be one, if people want it, etc.)

SWIPs can hold abuse contact info. Again, this is a good thing for folks to do.
At 06:43 PM 06-04-05 -0400, Daniel Senie wrote:

Since the uptake on IRT has been slow, and after much internal discussion, RIPE has decided to add an "abuse-mailbox" attribute. For further details see:
https://www.ripe.net/ripe/maillists/archives/db-wg/2005/msg00015.html

-Hank
* JP Velders:

> Over here in "RIPE land" so to speak, several ISP's (most notably FIRST members) have put a lot of effort in getting 'IRT' objects in the RipeDB.

I think you mean "Terena/TI" instead of "FIRST", although there is some overlap.

The IRT object is mostly useless because the way it was deployed, it too often routes complaints *away* from the actual network operators (even if they aren't completely clueless).
The ARIN DB allows many points of contact types, including the abuse contact. ARIN WHOIS reflects those registrants who choose to designate an abuse contact.

Richard Jimmerson
Director of External Relations
American Registry for Internet Numbers (ARIN)

> > We have tech support on duty 24/7 and abuse complaints are dealt with in a timely manner, so I am wondering if there is a way to communicate our willingness to help in the fight against spam.
>
> Replace spam with abuse and you have something like the IRT object. ;D
>
> No doubt someone on NANOG knows what's happening with the ARIN version ;) (or if there will be one, if people want it, etc.)
>
> Regards, JP Velders
On Thu, Apr 07, 2005 at 12:10:43AM +0200, JP Velders wrote:

> Over here in "RIPE land" so to speak, several ISP's (most notably FIRST members) have put a lot of effort in getting 'IRT' objects in the RipeDB.

Isn't it funny, how everyone always takes a "lot of efforts" reinventing things that are there for years ...

------------------------------------------------------------------------
RFC 1183 - New DNS RR Definitions (October 1990)

2. Responsible Person

The purpose of this section is to provide a standard method for associating responsible person identification to any name in the DNS.

The domain name system functions as a distributed database which contains many different form of information. For a particular name or host, you can discover it's Internet address, mail forwarding information, hardware type and operating system among others.

A key aspect of the DNS is that the tree-structured namespace can be divided into pieces, called zones, for purposes of distributing control and responsibility. The responsible person for zone database purposes is named in the SOA RR for that zone. This section describes an extension which allows different responsible persons to be specified for different names in a zone.
------------------------------------------------------------------------

networks

$ dig -x 195.30 rp
30.195.in-addr.arpa. IN RP abuse.space.net. .

or even hostnames

$ dig -x 195.30.0.8 rp
8.0.30.195.in-addr.arpa. IN RP abuse.space.net. .

It's as easy as that. (Or better would be ... if most of the software used for managing DNS space wouldn't be broken, but would support RR types that are nearly 15 years old).

Yeah, I know about the urban legend about the revDNS zone being dead. And the whois databases are broken, too, and have dangling referrals and outdated or wrong information and no common agreed upon format. And I often have to talk to some upstream provider to get information fixed in the whois database I could change myself with existing revDNS delegation.

\Maex

--
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development | D-80807 Muenchen          | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally proportional to the amount of vacuity between the ears of the admin"
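Added example, not part of the thread or any participant's code: a Python sketch of the RP-based lookup described in the message above, walking from a host's reverse name up to the covering network and decoding the RP mailbox name into an e-mail address. The lookup table is constructed sample data (the two space.net records mirror the dig output in the message, the 192.0.2.0/24 record is invented), the names `find_abuse_contact` and `lookup_rp` are hypothetical, and searching parent names is this example's convention rather than DNS behaviour.

```python
import ipaddress

# Constructed stand-in for live DNS answers: owner name -> (mbox-dname, txt-dname).
# The two space.net records mirror the dig output quoted in the thread; the
# 192.0.2.0/24 record is invented to exercise an escaped dot in the local part.
SAMPLE_RP = {
    "30.195.in-addr.arpa.": ("abuse.space.net.", "."),
    "8.0.30.195.in-addr.arpa.": ("abuse.space.net.", "."),
    "2.0.192.in-addr.arpa.": (r"noc\.abuse.example.net.", "."),
}

def mbox_to_email(mbox):
    """Decode an RFC 1183 mbox-dname (same encoding as SOA RNAME) to an address."""
    if mbox == ".":
        return None  # root name means "no mailbox available"
    local, i = "", 0
    while i < len(mbox):
        if mbox[i] == "\\" and i + 1 < len(mbox):
            local += mbox[i + 1]  # escaped character stays in the local part
            i += 2
        elif mbox[i] == ".":
            break  # first unescaped dot separates local part from mail domain
        else:
            local += mbox[i]
            i += 1
    domain = mbox[i + 1:].rstrip(".")
    return f"{local}@{domain}" if local and domain else None

def reverse_candidates(ip):
    """in-addr.arpa owner names for an IPv4 address, most specific first."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return [".".join(reversed(octets[:n])) + ".in-addr.arpa." for n in range(4, 0, -1)]

def find_abuse_contact(ip, lookup_rp=SAMPLE_RP.get):
    """Return (owner, email) from the closest RP record covering ip, else None.

    lookup_rp is a hypothetical hook: swap in a function that queries a real
    resolver for the RP record at the given owner name.
    """
    for owner in reverse_candidates(ip):
        rdata = lookup_rp(owner)
        email = mbox_to_email(rdata[0]) if rdata else None
        if email:
            return owner, email
    return None

if __name__ == "__main__":
    for addr in ("195.30.0.8", "195.30.77.1", "192.0.2.55", "198.51.100.1"):
        print(addr, "->", find_abuse_contact(addr))
```

A host without its own RP record falls back to the record published for its network, and an address with no RP record anywhere in its reverse tree returns `None`.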
participants (9)
- Adam Jacob Muller
- Daniel Senie
- Florian Weimer
- Hank Nussbacher
- J.D. Falk
- JP Velders
- Larry Smith
- Markus Stumpf
- Richard Jimmerson