Address Assignment Question
Hello NANOG,

I work for a medium-sized ISP with our own ARIN assignments (several /18 and /19 netblocks) and I've got a question about a possibly dubious customer request. I know a lot of you have experience on a much grander scale than myself, so I'm looking for some good advice.

We have a customer who, over the years, has amassed several small subnet assignments from us for their colo. They are an email marketer. They have requested these assignments in as many discontiguous netblocks as we can manage. They are now asking for more addresses (a /24s worth) in even more discontiguous blocks.

What I'd like to know is whether there is a legitimate use for so many addresses in discontiguous networks besides spam? I am trying my best to give them the benefit of the doubt here, because they do work directly with Spamhaus to not be listed (I realize reasons on both sides why this could be) and searches on Google and spam newsgroups for their highest traffic email domains yield next to nothing, given the amount of email they say they send out.

I strongly believe that their given justification for so many addresses is not a good one (many addresses on an MTA, off-chance one gets blocked, etc.), especially now that IPv4 addresses are becoming more of a scarce resource. However, if they *are* legitimate, which certainly is possible, are discontiguous networks a common practice for even legit operators, as it's quite likely that even legit email marketers will end up being blocked because someone accidentally hit 'Spam' instead of 'Delete' in their AOL software?

Thanks,
steve

Note: I hate spammers as much as anyone out there, but I *do* know that not everyone who sends out massive amounts of email is a spammer. While it's possible they don't deserve it, I'm trying to give my customer the benefit of the doubt.
On 06/20/2011 08:13 AM, Steve Richardson wrote:
What I'd like to know is whether there is a legitimate use for so many addresses in discontiguous networks besides spam? I am trying my best to give them the benefit of the doubt here, because they do work directly with Spamhaus to not be listed (I realize reasons on both sides why this could be) and searches on Google and spam newsgroups for their highest traffic email domains yield next to nothing, given the amount of email they say they send out.

Well, not so sure I would worry about legit or not legit use... while ISPs are looked at as being the police, legally law enforcement are the ones to pursue illegal use. But it sounds like you've done your homework and they sound legit. Have them fill out an IP Justification form (as ARIN requires) and go from there. I wouldn't worry about providing them the /24. Personally I would charge them for the /24 too; makes users think twice about the need for a block that large.

Bret
On Jun 20, 2011, at 8:30 AM, Bret Clark wrote:
Personally I would charge them for the /24 too, makes users think twice about the need for a block that large.
I would also give them a /64 per lan (alt: broadcast domain) as well to allow them to start working with IPv6 for their email. - Jared
Hi,

On Mon, Jun 20, 2011 at 8:32 AM, Jared Mauch <jared@puck.nether.net> wrote:
On Jun 20, 2011, at 8:30 AM, Bret Clark wrote:
Personally I would charge them for the /24 too, makes users think twice about the need for a block that large.
We do charge them for addresses already and cost doesn't come into play. We charge for assignments shorter than /28 to discourage IP hogs.
I would also give them a /64 per lan (alt: broadcast domain) as well to allow them to start working with IPv6 for their email.
- Jared
They have inquired about IPv6 already, but it's only gone so far as that. I would gladly give them a /64 and be done with it, but my concern is that they are going to want several /64 subnets for the same reason and I don't really *think* it's a legitimate reason. Bear in mind that "legitimate" in this context is referring to the justification itself, not their business model.

Thanks,
steve
On 6/20/2011 7:44 AM, Steve Richardson wrote:
Hi,
On Mon, Jun 20, 2011 at 8:32 AM, Jared Mauch <jared@puck.nether.net> wrote:
On Jun 20, 2011, at 8:30 AM, Bret Clark wrote:
Personally I would charge them for the /24 too, makes users think twice about the need for a block that large.
We do charge them for addresses already and cost doesn't come into play. We charge for assignments shorter than /28 to discourage IP hogs.
I would also give them a /64 per lan (alt: broadcast domain) as well to allow them to start working with IPv6 for their email.
- Jared
They have inquired about IPv6 already, but it's only gone so far as that. I would gladly give them a /64 and be done with it, but my concern is that they are going to want several /64 subnets for the same reason and I don't really *think* it's a legitimate reason. Bear in mind that "legitimate" in this context is referring to the justification itself, not their business model.
Thanks, steve
Did everyone miss that the customer didn't request a /24, they requested a "/24s worth in even more dis-contiguous blocks". I can only think of one reason why a customer would specifically ask for that. They are concerned that they'll get blacklisted. They're hoping if they do, it will be a small block of many rather than one entire block.

When customers make strange requests without giving a good explanation, I have to assume they're up to something.

Jason
Let them submit the IP justification form. I would like to read how spammers justify their IP usage and I would really like to see how the RIR would take it. *Interesting*

Regards,
Aftab A. Siddiqui

On Mon, Jun 20, 2011 at 6:06 PM, Jason Baugher <jason@thebaughers.com> wrote:
On 6/20/2011 7:44 AM, Steve Richardson wrote:
Hi,
On Mon, Jun 20, 2011 at 8:32 AM, Jared Mauch<jared@puck.nether.net> wrote:
On Jun 20, 2011, at 8:30 AM, Bret Clark wrote:
Personally I would charge them for the /24 too, makes users think twice
about the need for a block that large.
We do charge them for addresses already and cost doesn't come into play. We charge for assignments shorter than /28 to discourage IP hogs.
I would also give them a /64 per lan (alt: broadcast domain) as well to
allow them to start working with IPv6 for their email.
- Jared
They have inquired about IPv6 already, but it's only gone so far as that. I would gladly give them a /64 and be done with it, but my concern is that they are going to want several /64 subnets for the same reason and I don't really *think* it's a legitimate reason. Bear in mind that "legitimate" in this context is referring to the justification itself, not their business model.
Thanks, steve
Did everyone miss that the customer didn't request a /24, they requested a "/24s worth in even more dis-contiguous blocks". I can only think of one reason why a customer would specifically ask for that. They are concerned that they'll get blacklisted. They're hoping if they do, it will be a small block of many rather than one entire block.
When customers make strange requests without giving a good explanation, I have to assume they're up to something.
Jason
In a message written on Mon, Jun 20, 2011 at 08:06:44AM -0500, Jason Baugher wrote:
Did everyone miss that the customer didn't request a /24, they requested a "/24s worth in even more dis-contiguous blocks". I can only think of one reason why a customer would specifically ask for that. They are concerned that they'll get blacklisted. They're hoping if they do, it will be a small block of many rather than one entire block.
+1

Almost every customer I've dealt with who requested such a thing eventually ended up having their contract terminated for spamming.

Many of the RBLs chose to increase the size of their blocks to put more pressure on ISPs. So if you give them /29s in 10 different blocks they will block the /24 in each, then a /23 in each, and so on. Basically this becomes a quick way for you to get 100% of your address space blocked, and make the rest of your customers really unhappy. When the RBLs see you gave them a bunch of small blocks in different supernets they assume you are spammer friendly.

--
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
On 20/06/11 6:18 AM, Leo Bicknell wrote:
Almost every customer I've dealt with who requested such a thing eventually ended up having their contract terminated for spamming.
I would use this answer in reply to the customer, and ask them to (specifically) justify their request for the discontiguous blocks.
Many of the RBL's chose to increase the size of their blocks to put more pressure on ISP's. So if you give them /29's in 10 different blocks they will block the /24 in each, then a /23 in each, and so on. Basically this becomes a quick way for you to get 100% of your address space blocked, and make the rest of your customers really unhappy. When the RBL's see you gave them a bunch of small blocks in different supernets they assume you are spammer friendly.
And mention all of this as well. If you don't have a special fee you charge when you have to deal with cleaning up or recovering contaminated IPs, include one with this next allocation.

Theory: Since their current userbase is not currently creating a spam problem, they are doing one of two things:

1) They are going after a more risky new userbase (e.g. looking at providing services for more spammy customers).

2) They are *concerned* about the possibility of accidentally acquiring a more risky new userbase, and proactively designing their network to have the least collateral damage (to themselves) if such a customer should appear on their network. This would be prudent, good business even. Except for how it prepares for a business shift to #1.

The big risk is that they are going to try to sell you on theory #2 when their real business plan is theory #1.

I would charge a significant extra fee for discontiguous address space, enough that you can afford to carefully assign the rest of the block to non-web-non-mail-server uses, to not put other customers at risk.

jc
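Leo's escalation argument (a listing of a /29 widens to the /24, then the /23, and so on) and JC's "collateral damage" concern are easy to quantify. The following is an added example, not code from the thread: given an ISP's own blocks and a set of customer assignments, it computes what fraction of the ISP's space an escalating RBL would end up listing at each step, so an operator can compare scattered assignments against one contiguous block before granting a request. The ISP block and the two assignment layouts are constructed sample values (RFC 1918 space), not anything from the thread.

```python
import ipaddress

# Constructed example (not from the thread): an ISP holding one /18, and two
# ways of carving the same 32 addresses out of it for one customer.
ISP_BLOCKS = [ipaddress.ip_network("10.20.0.0/18")]
SCATTERED = ["10.20.1.0/29", "10.20.17.0/29", "10.20.33.0/29", "10.20.49.0/29"]
CONTIGUOUS = ["10.20.1.0/27"]


def listed_supernets(assignments, prefixlen):
    """Supernets of length `prefixlen` that an escalating RBL would list if
    every customer assignment were listed and widened to that size.
    Adjacent supernets are merged so each address is counted once."""
    nets = set()
    for cidr in assignments:
        net = ipaddress.ip_network(cidr)
        if net.prefixlen > prefixlen:
            net = net.supernet(new_prefix=prefixlen)
        nets.add(net)
    return list(ipaddress.collapse_addresses(nets))


def exposed_addresses(isp_blocks, listed):
    """Count the ISP's own addresses that fall inside the listed supernets.
    Both sides are CIDR-aligned, so one always contains the other (or they
    are disjoint). ISP blocks are assumed not to overlap each other."""
    total = 0
    for sup in listed:
        for isp in isp_blocks:
            if sup.subnet_of(isp):
                total += sup.num_addresses
            elif isp.subnet_of(sup):
                total += isp.num_addresses
    return total


def exposure_fraction(isp_blocks, assignments, prefixlen):
    """Fraction of the ISP's space listed once the RBL widens to `prefixlen`."""
    isp_total = sum(b.num_addresses for b in isp_blocks)
    listed = listed_supernets(assignments, prefixlen)
    return exposed_addresses(isp_blocks, listed) / isp_total


def exposure_table(isp_blocks, assignments, prefixlens=(24, 23, 22, 21, 20, 19, 18)):
    """Exposure at each escalation step, keyed by supernet length."""
    return {p: exposure_fraction(isp_blocks, assignments, p) for p in prefixlens}


if __name__ == "__main__":
    scattered = exposure_table(ISP_BLOCKS, SCATTERED)
    contiguous = exposure_table(ISP_BLOCKS, CONTIGUOUS)
    print("escalation  scattered /29s  single /27")
    for p in sorted(scattered, reverse=True):
        print(f"/{p:<10} {scattered[p]:>13.1%} {contiguous[p]:>11.1%}")
```

With the sample layouts, four scattered /29s expose four times as much of the /18 as one /27 at every step, and reach 100% of the ISP's space at the /20 step, where the contiguous assignment still exposes a quarter of it.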
In a message written on Mon, Jun 20, 2011 at 08:01:24AM -0700, JC Dill wrote:
I would use this answer in reply to the customer, and ask them to (specifically) justify their request for the discontiguous blocks.
Or, just don't offer it. Make them fit in one block, giving them 3 months to renumber into a single, larger block if necessary. It sends a strong message you're willing to give them all the space they need, but won't help them evade RBLs.

--
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
2011/6/20 Leo Bicknell <bicknell@ufp.org>:
In a message written on Mon, Jun 20, 2011 at 08:01:24AM -0700, JC Dill wrote:
I would use this answer in reply to the customer, and ask them to (specifically) justify their request for the discontiguous blocks.
That's like asking them to state the obvious...
Or, just don't offer it. Make them fit in one block, giving them 3 months to renumber into a single, larger block if necessary.
Well, forcing a periodic renumbering whenever addresses get freed and there's a potential aggregation is a good thing. It should be stated in service agreements, IMHO.
It sends a strong message you're willing to give them all the space they need, but won't help them evade RBL's.
Unless many contiguous blocks are assigned as different objects: an RBL must NOT presume about one end-user's inetnum unless it has been caught doing nasty things AND didn't comply with abuse@ requests. But most RBL managers are shitheads anyway, so help them evade, that'll be one more proof of Spamhaus & co.'s uselessness and negative impact on the Internet's best practices.

--
Jérôme Nicolle
On 20 Jun 2011, at 16:26, Jérôme Nicolle <jerome@ceriz.fr> wrote:
But most RBL managers are shitheads anyway, so help them evade, that'll be one more proof of spamhaus &co. uselessness and negative impact on the Internet's best practices.
An organization that blocks 90% of spam with no false positives is incredibly useful.

Tony.
--
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
On 20 Jun 2011, at 23:24, Tony Finch wrote:
On 20 Jun 2011, at 16:26, Jérôme Nicolle <jerome@ceriz.fr> wrote:
But most RBL managers are shitheads anyway, so help them evade, that'll be one more proof of spamhaus &co. uselessness and negative impact on the Internet's best practices.
An organization that blocks 90% of spam with no false positives is incredibly useful.
Using a greylisting system is equally effective without the black list part. My milter-greylist installation is aimed at allowing as much mail through as it can, instead of the other way around. Milter-greylist has a nice urlcheck feature and/or LDAP verification for users. In my case it's a PHP script. If I can verify the IP to be inside a /22 of the MX records, www records or domain records, that is sufficient to bypass the greylisting. The timers are also quite lenient. Just 15 minutes of wait is enough, or they are persistent if we've seen them before by domain. We get the email regardless and phone calls are rare, and I never run the risk of never getting the email.

This has turned out to be a really effective way to allow normal email through without much delay. After just 2 days at work it's whitelisted over 75% of the active domains we do business with.

We have about 17 domains and I know what the poster is asking; we've been emailing our customers before, subscribed customers nonetheless. We've had our share of blacklisting before. And we even sent the emails with unsubscribe links. But some of them will click the "report this as spam" link in their favourite mail agent as a means to unsubscribe. I mean, clicking a link is hard. The end result is that we end up on various block lists. It's a good thing that the email servers at large ISPs are often sensible enough to let the email through. Some of the smaller ones had rather odd draconian limits set. This makes the situation for all of us worse.

Regards,
Seth
An organization that blocks 90% of spam with no false positives is incredibly useful.
Using a greylisting system is equally effective without the black list part.
Hi. I'm the guy who wrote the CEAS paper on greylisting.

Greylisting is useful, but anyone who thinks it's a substitute for DNSBLs has never run a large mail system.

R's,
John
On 20 Jun 2011, at 23:55, John Levine wrote:
An organization that blocks 90% of spam with no false positives is incredibly useful.
Using a greylisting system is equally effective without the black list part.
Hi. I'm the guy who wrote the CEAS paper on greylisting.
Greylisting is useful, but anyone who thinks it's a substitute for DNSBLs has never run a large mail system.
We use the black lists for scoring spam messages, but we never outright block messages. I was not implying that blacklists are not useful at all. I just see things in shades of grey over black and white. Of the 17 domains we have with roughly 250 users it does well enough.

Regards,
Seth
Seth,

2011/6/21 Seth Mos <seth.mos@dds.nl>:
We use the black lists for scoring spam messages, but we never outright block messages. I was not implying that blacklists are not useful at all. I just see things in shades of grey over black and white.
Thanks for pointing this out: I was whining about amateurs using RBLs as a pre-processing hard filter. Using it with a scoring system isn't bad IMHO, depends on the weight you set to these rules.

--
Jérôme Nicolle
2011/6/20 John Levine <johnl@iecc.com>:
Hi. I'm the guy who wrote the CEAS paper on greylisting.
URL ?
Greylisting is useful, but anyone who thinks it's a substitute for DNSBLs has never run a large mail system.
You're right, greylisting on a large system may not be efficient as it won't block everything and will eat up quite a lot of system resources. But it's a good start once basic protocol checks have already eliminated the 80% of bullshit sent from botnets.

My point is: combining server-side checks of different nature is often enough to avoid the use of RBLs and still provide a good quality of service. It probably won't scale to Comcast's or AOL's MXs but it's way better than relying on an external authority for your corporate or personal mail server.

--
Jérôme Nicolle
Hi. I'm the guy who wrote the CEAS paper on greylisting.
URL ?
They don't have Google where you are, huh? http://www.ceas.cc/papers-2005/120.pdf
You're right, greylisting on a large system may not be efficient as it won't block everything and will eat-up quite a lot of system ressources. But it's a good start once basic protocol-checks have already eliminated the 80% amount of bullshit sent from botnets.
Most of us use DNSBLs like the CBL or Spamhaus XBL to catch the botnet mail. It's a lot easier to let them tune their protocol quirk checker than to do it myself.

R's,
John
2011/6/20 Tony Finch <dot@dotat.at>:
An organization that blocks 90% of spam with no false positives is incredibly useful.
Greylisting and reverse-DNS checks alone block 95-98% with no impact on mail sent from properly maintained mail servers. RBLs are only useful for lazy mail admins, and to save some network and CPU resources while avoiding greylisting and rDNS. But it implies you fully trust the RBL author, and some really ain't trustworthy. I'd rather lose some mails from poorly managed domains than rely on any external almighty authority; it looks to me like an incentive to consider SMTP administration seriously rather than using default settings from the package maintainer...

--
Jérôme Nicolle
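Seth's milter-greylist setup (tempfail unknown senders, whitelist a domain after one successful retry, and skip the delay when the connecting IP sits within a /22 of the domain's MX, www or apex records) and Jérôme's greylisting-plus-rDNS policy describe the same receiving-side decision. The following is an added example, not code from either poster or from milter-greylist: a small policy function that applies a forward-confirmed rDNS check, then the /22 proximity bypass, then greylisting. The DNS data is a constructed in-memory table (RFC 5737 documentation addresses) so it runs offline; a real deployment would replace `PTR`, `A` and `MX` with resolver lookups.

```python
import ipaddress
import time

# Constructed DNS data standing in for real PTR/A/MX lookups (no network access).
PTR = {
    "192.0.2.25": "mx1.example.net",
    "192.0.2.200": "relay.example.org",
    # 203.0.113.7 deliberately has no PTR record
}
A = {
    "mx1.example.net": ["192.0.2.25"],
    "example.net": ["192.0.2.80"],
    "www.example.net": ["192.0.2.80"],
    "relay.example.org": ["192.0.2.200"],
    "mx.example.org": ["198.51.100.10"],
    "example.org": ["198.51.100.20"],
    "www.example.org": ["198.51.100.20"],
}
MX = {"example.net": ["mx1.example.net"], "example.org": ["mx.example.org"]}


def fcrdns_ok(ip, ptr=PTR, a=A):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to `ip`."""
    name = ptr.get(ip)
    return bool(name) and ip in a.get(name, [])


def near_sender_domain(ip, domain, prefixlen=22, a=A, mx=MX):
    """Seth's bypass: the connecting IP lies within a /22 of any address that
    the sender domain's MX, apex or www names resolve to."""
    addr = ipaddress.ip_address(ip)
    hosts = list(mx.get(domain, [])) + [domain, "www." + domain]
    for host in hosts:
        for known in a.get(host, []):
            if addr in ipaddress.ip_network(f"{known}/{prefixlen}", strict=False):
                return True
    return False


class Greylist:
    """Minimal greylisting policy: tempfail the first delivery attempt for an
    unknown (ip, sender, recipient) triple, accept a retry after `delay`
    seconds, then whitelist the sender domain for future mail."""

    def __init__(self, delay=900, now=None):
        self.delay = delay            # 15 minutes, as in Seth's post
        self.now = now or time.time   # injectable clock for testing
        self.pending = {}             # triple -> first-seen timestamp
        self.whitelist = set()        # domains that have completed a retry

    def decide(self, ip, mail_from, rcpt_to):
        domain = mail_from.rsplit("@", 1)[-1].lower()
        if not fcrdns_ok(ip):
            return "REJECT"           # strict rDNS policy (Jérôme's first check)
        if domain in self.whitelist or near_sender_domain(ip, domain):
            return "ACCEPT"
        key = (ip, mail_from.lower(), rcpt_to.lower())
        t = self.now()
        first = self.pending.get(key)
        if first is None:
            self.pending[key] = t
            return "TEMPFAIL"         # SMTP 4xx: a real MTA will retry
        if t - first < self.delay:
            return "TEMPFAIL"         # retried too early, keep waiting
        del self.pending[key]
        self.whitelist.add(domain)
        return "ACCEPT"
```

The order of the checks matters: rDNS failure is decided before any state is stored, so hosts without a valid PTR never consume greylist memory, and the proximity bypass runs before the triple lookup so mail from a domain's own infrastructure is never delayed at all.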
On 6/20/2011 11:26 AM, Jérôme Nicolle wrote:
< SNIP /> Unless many contiguous blocks are assigned as different objects: an RBL must NOT presume about one end-user's inetnum unless it has been caught doing nasty things AND didn't comply with abuse@ requests.
An RBL *can* do whatever an RBL wants to do. An RBL *can* block an entire allocation for whatever reason they choose, including a single spam message with no requests sent to abuse@ or any contact of any kind with the group allocated the space. The only "control" over an RBL is their desire to remain relevant by preserving an opinion of accuracy in the minds of end users. If end users believe that an RBL is no longer meeting their needs, then they will stop using that RBL.
But most RBL managers are shitheads anyway, so help them evade, that'll be one more proof of spamhaus&co. uselessness and negative impact on the Internet's best practices.
OK. I'll bite. What particular "internet best practices" are Spamhaus trampling on?

-DMM
2011/6/20 David Miller <dmiller@tiggee.com>:
OK. I'll bite. What particular "internet best practices" are Spamhaus trampling on?
RBLs are often seen as an "easy solution" to a quite complex problem. Most mail administrators are relying on them so blindly that some may forget to evaluate an RBL's pertinence regarding their particular needs. Providing such an "easy" way to avoid learning how to provide your mail service definitely has a bad influence on the overall quality of mail services. That's a first negative impact: letting noobs think they can manage a mail server because "the magic RBLs seem to solve my major issue" without looking at further side effects.

Next in line, RBL managers don't even try to contact abuse@ or postmaster@. So mail admins can't use them as a way to improve their setups. Well, of course, it probably started with large corporations routing their abuse@bigestrmailserviceonearth.com to /dev/null, but that's not the point: if you pretend to improve mail services, do it right: use abuse@ and postmaster@ before blacklisting (note: botnets sending from forged domains have to be considered differently of course, but the rDNS check often fits that part quite well).

Last but not least, some RBLs are extortion scams requiring one to pay to get its inetnum removed from any blacklist. It might be just an incentive to help a non-profit charity cause; it still smells like a mafia-related scam to me.

Let the RBLs' maintainers clean up their front doors before asking for any legitimacy. Right now, relying on them is either stupidity or laziness. But if you can point me to any serious organisation providing a real value-added service maintained by real professionals, those who perform thorough checks _before_ putting a legitimate mail server in a blacklist, then I'd enjoy benchmarking it on a test domain. Just let me doubt it'll be of any good regarding how efficient a properly managed mail server is with just a few tech tricks.

--
Jérôme Nicolle
06 19 31 27 14
On 20 Jun 2011, at 23:09, Jérôme Nicolle <jerome@ceriz.fr> wrote:
But if you can point me to any serious organisation providing a real value-added service maintained by real professionals, those who performs thorough checks _before_ putting a legitimaite mail server in a blacklist, then i'd enjoy benchmarking it on a test domain.
Spamhaus. And none of your complaints apply to them.

Tony.
--
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
2011/6/21 Tony Finch <dot@dotat.at>:
Spamhaus. And none of your complaints apply to them.
Oh really? So the blame is to throw at Google Docs administrators for being blacklisted (on the SBL, which should contain only "verified spam sources", thus implying discussion with the service manager)? And BTW, who is Spamhaus to claim any legitimacy about who can or can't register a domain? (referral to the .at phishing campaign).

Alright, those are probably exceptions, and _some_ lists may be useful, but obviously no one can claim to have an efficient "zero false-positive" list. Blindly relying on those lists _will_ lead to false positives, and they are a commodity for mail server administrators that might lead to sloppy filtering and weaker control over their mail infrastructure.

Also, such lists are _centralized_ systems that *might* (worst case scenario) be spotted for attacks. What would be your mail infrastructure load if you rely on a list that disappears overnight? Yeah, right, anycasted DNS infrastructure, redundancy over 4 continents, that's fine for most of us ('til it fails).

In my opinion, the use of RBLs as a first level filter for incoming mail, instead of greylisting, rDNS and strict protocol compliance (cluttered with some Exchange bug-compatibility perhaps), is less reliable, so it's against what I shall consider as a best practice.

I hope that clarifies my point of view, and please excuse me for the previous insults. I just have a hard time reading "hey, my critical services are dependent on an external, centralized entity with no transparency and that's good for the Internet" without compulsive expressions including F words.

--
Jérôme Nicolle
On 6/20/11 9:26 AM, Jérôme Nicolle wrote:
But most RBL managers are shitheads anyway, so help them evade, that'll be one more proof of spamhaus&co. uselessness and negative impact on the Internet's best practices.
I do believe in this one paragraph, we know who the real shithead is. Noted and filed away for future use.

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org
Hi Jason,

On Mon, Jun 20, 2011 at 9:06 AM, Jason Baugher <jason@thebaughers.com> wrote:
Did everyone miss that the customer didn't request a /24, they requested a "/24s worth in even more dis-contiguous blocks". I can only think of one reason why a customer would specifically ask for that. They are concerned that they'll get blacklisted. They're hoping if they do, it will be a small block of many rather than one entire block.
When customers make strange requests without giving a good explanation, I have to assume they're up to something.
Jason
They provided an explanation, describing how the IPs were going to be used. Yes, part of it does have to do with being blocked, which *definitely* concerns me. One thing they do say is that they need several IPs per block to assign to their MTAs to handle such a large amount of email (3 to 5 million per day). Being primarily focused on layers 1 through 4, I don't have an incredible amount of experience with high volume email server configuration, so I have no idea if they are feeding me a line of BS or not.

My feeling is that (paraphrasing here) "we might get blocked occasionally" and "we need this many IPs on our MTAs because they can't handle the load" are *not* legitimate reasons for requesting so many addresses.

Thanks,
steve
On Mon, 20 Jun 2011 09:26:30 -0400 Steve Richardson <steverich.nanog@gmail.com> wrote:
Hi Jason,
On Mon, Jun 20, 2011 at 9:06 AM, Jason Baugher <jason@thebaughers.com> wrote:
Did everyone miss that the customer didn't request a /24, they requested a "/24s worth in even more dis-contiguous blocks". I can only think of one reason why a customer would specifically ask for that. They are concerned that they'll get blacklisted. They're hoping if they do, it will be a small block of many rather than one entire block.
When customers make strange requests without giving a good explanation, I have to assume they're up to something.
Jason
They provided an explanation, describing how the IPs were going to be used. Yes, part of it does have to do with being blocked, which *definitely* concerns me. One thing they do say is that they need several IPs per block to assign to their MTAs to handle such a large amount of email (3 to 5 million per day). Being primarily focused on layers 1 through 4, I don't have an incredible amount of experience with high volume email server configuration, so I have no idea if they are feeding me a line of BS or not.
My feeling is that (paraphrasing here) "we might get blocked occasionally" and "we need this many IPs on our MTAs because they can't handle the load" are *not* legitimate reasons for requesting so many addresses.
If it helps you make your mind up, please give us the ranges you are going to give them and we'll pre-emptively block them.....
On Mon, 20 Jun 2011 09:26:30 EDT, Steve Richardson said:
*definitely* concerns me. One thing they do say is that they need several IPs per block to assign to their MTAs to handle such a large amount of email (3 to 5 million per day). Being primarily focused on layers 1 through 4, I don't have an incredible amount of experience with high volume email server configuration, so I have no idea if they are feeding me a line of BS or not.
It's BS. 5M a day is only about 60 per second, not at all a problem for a single IP address running properly configured SMTP software.

For comparison, in the mid-90s, I was moving 1M RCPT TOs a day (and probably half that number of envelopes) on a Listserv host using Sendmail on an IBM RS6000-220 - a whole whopping 66MHz Power 604E processor and something like 64M of RAM (the same basic firepower as an old Apple 6600 Mac, if you remember them...). Doing 10M messages a day on a single box is *easy* these days - the hardest part is getting a disk subsystem that survives all the fsync() beating most MTAs like to dish out....
On 6/20/2011 9:52 AM, Valdis.Kletnieks@vt.edu wrote:
On Mon, 20 Jun 2011 09:26:30 EDT, Steve Richardson said:
*definitely* concerns me. One thing they do say is that they need several IPs per block to assign to their MTAs to handle such a large amount of email (3 to 5 million per day). Being primarily focused on layers 1 through 4, I don't have an incredible amount of experience with high volume email server configuration, so I have no idea if they are feeding me a line of BS or not.

It's BS. 5M a day is only about 60 per second, not at all a problem for a single IP address running properly configured SMTP software.
For comparison, in the mid-90s, I was moving 1M RCPT TO's a day (and probably half that number of envelopes) on a Listserv host using Sendmail on an IBM RS6000-220 - a whole whopping 66MZ Power 604E processor and something like 64M of RAM (The same basic firepower as an old Apple 6600 Mac, if you remember them...) Doing 10M messages a day on a single box is *easy* these days - the hardest part is getting a disk subsystem that survives all the fsync() beating most MTAs like to dish out....
Well... 10M messages per day on a single box today would be fine for hardware power, if most messages are accepted remotely on the first try, but not necessarily doable in the SMTP environment of today. Mail servers that send a lot of email have to hold a lot higher percentage of messages in queue for longer today due to greylisting and other deferrals - particularly from freemail sites.

Your customer should only need X addresses per block for SMTP load sharing if they are going to have X number of physical servers. If they are not going to have that many physical servers, then multiple addresses in the same block per server provides no additional throughput and could only be for block avoidance. SMTP servers do most of their work managing mail queues - accepting new messages into queue, keeping track of messages in flight (those that failed and need to be retried), spoon feeding messages out to broken MTAs, etc... more IPs per box doesn't help this.

Someone who expects to be "blocked occasionally" would only need two (or a few...) address blocks. Someone who expects to be "blocked all the time" would need *many* different discontiguous address blocks.

Are you getting spam complaints for their current blocks at an unreasonable (to you) rate? Are they doing all the right things with SPF, DK/DKIM (not an invitation for a holy war on whether or not these are good or useful)?

If I put my tin foil hat on for a moment, I might suspect that your email marketer may be feeling the pinch of the economic downturn and might be considering implementing less scrupulous practices than they have followed in the past. Even with my tin foil hat blocking out external voices... most internal voices agree that this sounds spammy.

-DMM
On Mon, Jun 20, 2011 at 09:26:30AM -0400, Steve Richardson wrote:
Hi Jason,
On Mon, Jun 20, 2011 at 9:06 AM, Jason Baugher <jason@thebaughers.com> wrote:
Did everyone miss that the customer didn't request a /24, they requested a "/24s worth in even more dis-contiguous blocks". I can only think of one reason why a customer would specifically ask for that. They are concerned that they'll get blacklisted. They're hoping if they do, it will be a small block of many rather than one entire block.
When customers make strange requests without giving a good explanation, I have to assume they're up to something.
Jason
They provided an explanation, describing how the IPs were going to be used. Yes, part of it does have to do with being blocked, which *definitely* concerns me. One thing they do say is that they need several IPs per block to assign to their MTAs to handle such a large amount of email (3 to 5 million per day). Being primarily focused on layers 1 through 4, I don't have an incredible amount of experience with high volume email server configuration, so I have no idea if they are feeding me a line of BS or not.
I've worked at a company that did managed services (including the pipe and address range) of a "legitimate" bulk mailer[1], and the logic provided to you is "legit", as far as it goes -- that is to say, what they're saying is probably why they really want the space (whether it's a legitimate justification for the allocation of IP space as per current policies is a different matter).

Basically, what your customer wants is to evade big e-mail providers' anti-spam measures. From their perspective, of course, I'm sure they think they're doing the "right thing", and the people they're delivering to really, really want this e-mail, and it's just the nasty e-mail provider getting in the way.

As I understand it, a common technique at these big providers is to have reputation for IP addresses by spamminess, as an element of the overall determination of whether a particular e-mail is spam. If an address doesn't have a reputation (yet), then it's rate limited, to limit the damage that a new spammer can do before the e-mail provider gets feedback (from users) about whether the e-mail they're getting is spam or not. This reputation score (presumably) extends to the /24 (and probably, to a lesser extent, the WHOIS block, but I'm not as confident about that bit).

What makes me think you're being scammed is that, for all the troubles we had with our customer, they never needed more address space once they'd gotten a good reputation for their initial allocation. Maybe my customer just didn't grow as much as yours did, so their spamcannon didn't need any more barrels. Still, I'm led to believe that once an IP address has good reputation, it should be effectively unlimited, so if they need more addresses it's because the current ones don't have real good rep...
My feeling is that (paraphrasing here) "we might get blocked occasionally" and "we need this many IPs on our MTAs because they can't handle the load" are *not* legitimate reasons for requesting so many addresses.
You are correct; as far as I know ARIN doesn't take those as valid justifications if you need to go back to them for more space, so you can't either. At this point they've admitted to you that they're shitting on your good name, and setting you up for headaches down the line (dealing with complaints from people who don't like their spam, having to clean up the IP addresses they discard when they're useless (or they leave)).
In techie utopia, you'd be able to sting them a fairly hefty surety to cover the costs associated with cleaning up their shit -- and then tell them that the IP addresses they've already got are enough, and if they need more capacity, they should clean up the addresses they've got. In reality, though, unless you've got management with a far more cavalier attitude to revenue than mine did, they won't do anything to piss off a customer who is, in their eyes, quite the cash cow. I'm mildly surprised that you got to evaluate their address request to the degree you have; I predict that any attempts to actually deny them more space (let alone extract additional compensation for their destruction of your resources) will be overridden by management.
- Matt
[1] I use scare quotes because as far as I'm concerned, if your business model is based on sending lots of e-mail, sooner or later you're going to be sending spam because that's what makes you the money. If you didn't personally collect the addresses, you're in for a world of hurt, and if you don't know that, you don't deserve to be in the business of bulk e-mail, and if you do know that, then at best you're a spammer-by-proxy.
-- Q: Why do Marxists only drink herbal tea? A: Because proper tea is theft. -- Chris Suslowicz, in the Monastery
My feeling is that (paraphrasing here) "we might get blocked occasionally" and "we need this many IPs on our MTAs because they can't handle the load" are *not* legitimate reasons for requesting so many addresses.
It is definitely not your job to help spammers evade blocking. If someone's blocking their mail, that's a message to stop sending it, not to try to sneak it in the back door. The valid scenarios for spreading out IPs are so rare (and generally involve guys with guns) that you can ignore them. Legitimate bulk senders want their IPs in a compact block so they can set up feedback loops from ISPs and stop sending mail that people don't want. As other people have noted, you can send vast amounts of mail from a small number of IPs, and anyone big enough to have a valid need for a lot of address space is also big enough that you have already heard of them. Friendly threat: around here, if we know that an ISP hands out IP ranges for snowshoe spamming, we often block their entire address range preemptively to avoid the tedium of blocking it one little chunk at a time. R's, John
On 6/20/11 5:44 AM, Steve Richardson wrote:
They have inquired about IPv6 already, but it's only gone so far as that. I would gladly give them a /64 and be done with it, but my concern is that they are going to want several /64 subnets for the same reason and I don't really *think* it's a legitimate reason. Bear in mind that "legitimate" in this context is referring to the justification itself, not their business model.
Then just give them /64s randomly from under a single /48. ;) ~Seth
They have inquired about IPv6 already, but it's only gone so far as that. I would gladly give them a /64 and be done with it, but my concern is that they are going to want several /64 subnets for the same reason and I don't really *think* it's a legitimate reason.
No legitimate mailer needs more than one /64 per physical network. Same reason. R's, John
On Jun 20, 2011, at 5:52:27 PM, John Levine wrote:
They have inquired about IPv6 already, but it's only gone so far as that. I would gladly give them a /64 and be done with it, but my concern is that they are going to want several /64 subnets for the same reason and I don't really *think* it's a legitimate reason.
No legitimate mailer needs more than one /64 per physical network. Same reason.
Note that the OP spoke of assigning them one /64, rather than one per physical net. I also note that ARIN, at least, suggests "/56 for small sites, those expected to need only a few subnets over the next 5 years", which would seem to include this site even without their justification. All they need -- or, I suspect, need to assert -- is to have multiple physical networks. They can claim a production net, a DMZ, a management net, a back-end net for their databases, a developer net, and no one would question an architecture like that.... --Steve Bellovin, https://www.cs.columbia.edu/~smb
All they need -- or, I suspect, need to assert -- is to have multiple physical networks. They can claim a production net, a DMZ, a management net, a back-end net for their databases, a developer net, and no one would question an architecture like that....
My impression is that this is about a client whose stuff is all hosted in a single data center. R's, John
On Jun 20, 2011, at 10:22:45 PM, John R. Levine wrote:
All they need -- or, I suspect, need to assert -- is to have multiple physical networks. They can claim a production net, a DMZ, a management net, a back-end net for their databases, a developer net, and no one would question an architecture like that....
My impression is that this is about a client whose stuff is all hosted in a single data center.
Then take out the developer net (or make it a VPN) but the rest remains. --Steve Bellovin, https://www.cs.columbia.edu/~smb
Meant to send this to the list. On Mon, Jun 20, 2011 at 5:52 PM, John Levine <johnl@iecc.com> wrote:
They have inquired about IPv6 already, but it's only gone so far as that. I would gladly give them a /64 and be done with it, but my concern is that they are going to want several /64 subnets for the same reason and I don't really *think* it's a legitimate reason.
No legitimate mailer needs more than one /64 per physical network. Same reason.
R's, John
This is my feeling exactly. The unfortunate part is, they seem to be close with another customer of ours with whom we've had a very good professional and non-shady working relationship for a number of years. My feeling is that they simply do not fully know what they are doing. I believe that they think they are doing things in a technically clever way, but in reality, it just makes them look incredibly shady. As I said, they've been a customer for about 7 years now and for the amount of email that they send, the complaints are at a bare minimum. I've seen much worse much quicker when a customer's box becomes an open spam relay. That said, the decision has been made to not provide them the addresses. In addition, we are going to force them to renumber into a much smaller block of contiguous IPs. I share the firm belief of many others on here that for customers whose business deals primarily in email, there is no legitimate reason to have multiple discontiguous blocks. We've dished out assignments like this before, but I've only seen it requested by companies that do *legal* security vulnerability scans. Thanks, steve
On Mon, Jun 20, 2011 at 5:30 PM, Bret Clark <bclark@spectraaccess.com> wrote:
On 06/20/2011 08:13 AM, Steve Richardson wrote:
What I'd like to know is whether there is a legitimate use for so many addresses in discontiguous networks besides spam? I am trying my best to give them the benefit of the doubt here, because they do work directly with Spamhaus to not be listed (I realize reasons on both sides why this could be) and searches on Google and spam newsgroups for their highest traffic email domains yield next to nothing, given the amount of email they say they send out.
Well, not so sure I would worry about legit or not legit use...while ISPs are looked at as being the police, legally law enforcement are the ones to pursue illegal use. But it sounds like you've done your homework and they sound legit. Have them fill out an IP Justification form (as ARIN requires it) and go from there. I wouldn't worry about providing them the /24. Personally I would charge them for the /24 too, makes users think twice about the need for a block that large.
Well, it's my responsibility (being an ISP) to know whether it is legit or not, because if it is legitimate then it will take my ASN to pollute the internet because I don't see if the customer has its own ASN. My reputation will be at stake because I failed to recognize the difference between policing or doing my business the right way.. Best Wishes, Aftab A. Siddiqui
That behavior is usually a warning sign of "snowshoe" bulk mailing, especially when coupled with randomly named domains / hostnames As for working directly with spamhaus .. did they specify how they do that? You might find http://www.spamhaus.org/news.lasso?article=641 worth reading On Mon, Jun 20, 2011 at 5:43 PM, Steve Richardson <steverich.nanog@gmail.com> wrote:
assignments from us for their colo. They are an email marketer. They have requested these assignments in as many discontiguous netblocks as we can manage. They are now asking for more addresses (a /24s worth) in even more discontiguous blocks. What I'd like to know is whether there is a
-- Suresh Ramasubramanian (ops.lists@gmail.com)
On Mon, 20 Jun 2011, Steve Richardson wrote:
We have a customer who, over the years, has amassed several small subnet assignments from us for their colo. They are an email marketer. They have requested these assignments in as many discontiguous netblocks as we can manage. They are now asking for more addresses (a /24s worth) in even more discontiguous blocks. What I'd like to know is whether there is a legitimate use for so many addresses in discontiguous networks besides spam?
The most common uses for such IP assignments are SEO and snowshoe spamming. It may seem a crazy idea, but have you asked them why they need a bunch of subnets from as many different /24s as possible rather than just a /24? What was their justification for the /24 (regardless of contiguity)?
IPv4 addresses are becoming more of a scarce resource. However, if they *are* legitimate, which certainly is possible, are discontiguous networks a common practice for even legit operators, as it's quite likely that even legit email marketers will end up being blocked because someone accidentally hit 'Spam' instead of 'Delete' in their AOL software?
No...and I'd say asking for that is a gamble which suggests they're not legit. A legit mailer should have no objection (or even prefer) to have all their IPs contiguous, so as not to be mixed up with and confused for another customer (one that might be a worse spammer than they are). ---------------------------------------------------------------------- Jon Lewis, MCP :) | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
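An added example, not from Jon or anyone else on this thread, of putting a number on the "spread" Suresh and Jon describe: how many distinct /24s a customer's assignments touch versus how many a single contiguous block of the same size would need. The prefixes are constructed from RFC 5737 documentation space, not any real customer's allocation, and the `looks_snowshoe` threshold is an assumed heuristic rather than a rule.

```python
import ipaddress
import math

# Constructed sample: assignment history of the kind the thread describes, several
# small blocks deliberately scattered across different /24s. These are documentation
# prefixes (RFC 5737), not any real customer's space.
SAMPLE_ASSIGNMENTS = [
    "192.0.2.0/29",
    "192.0.2.128/29",
    "198.51.100.16/28",
    "198.51.100.192/29",
    "203.0.113.8/29",
    "203.0.113.64/28",
    "203.0.113.224/29",
]


def covering_supernet(nets):
    """Smallest single prefix that contains every network in `nets`."""
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    cover = ipaddress.ip_network(str(lo))  # starts as a /32, widened until it holds `hi`
    while hi not in cover:
        cover = cover.supernet()
    return cover


def spread_report(cidrs):
    """Compare how many /24s a customer's assignments touch with how many they need.

    /24 is the granularity at which most sender-reputation systems and blocklists
    keep state, so the number of distinct /24s a sender occupies is the quantity a
    snowshoe mailer is trying to maximise.
    """
    nets = [ipaddress.ip_network(c) for c in cidrs]
    if not nets or any(n.version != 4 for n in nets):
        raise ValueError("expects one or more IPv4 prefixes")

    total = sum(n.num_addresses for n in nets)

    touched_24s = set()
    for n in nets:
        if n.prefixlen >= 24:
            touched_24s.add(n.supernet(new_prefix=24))
        else:  # a block larger than a /24 spans several of them
            touched_24s.update(n.subnets(new_prefix=24))

    # What the same address count would need if issued as one contiguous block.
    min_24s_needed = math.ceil(total / 256)
    contiguous_prefix_needed = 32 - (total - 1).bit_length()

    # Number of contiguous runs after merging adjacent/overlapping blocks; equals
    # len(nets) when nothing is adjacent to anything else.
    contiguous_runs = len(list(ipaddress.collapse_addresses(nets)))

    return {
        "assignments": len(nets),
        "total_addresses": total,
        "distinct_24s": len(touched_24s),
        "min_24s_needed": min_24s_needed,
        "contiguous_prefix_needed": contiguous_prefix_needed,
        "contiguous_runs": contiguous_runs,
        "covering_supernet": str(covering_supernet(nets)),
        # Assumed heuristic, not a rule: more /24s than the address count justifies.
        "looks_snowshoe": len(touched_24s) > min_24s_needed,
    }


if __name__ == "__main__":
    for key, value in spread_report(SAMPLE_ASSIGNMENTS).items():
        print(f"{key:26} {value}")
```

For the sample above the 72 addresses would fit in one /25, yet they occupy three /24s spread across a /4 of address space, which is exactly the shape Jon's "as many different /24s as possible" describes; the same report on a single contiguous /25 shows one /24 and no flag.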
On Mon, Jun 20, 2011 at 8:13 AM, Steve Richardson <steverich.nanog@gmail.com> wrote:
We have a customer who, over the years, has amassed several small subnet assignments from us for their colo. They are an email marketer. They have requested these assignments in as many discontiguous netblocks as we can manage. They are now asking for more addresses (a /24s worth) in even more discontiguous blocks. What I'd like to know is whether there is a legitimate use for so many addresses in discontiguous networks besides spam?
Hi Steve, Best case scenario: they're using lists from their customers who claimed they followed proper practices when building the lists but didn't... because nobody who farms out bulk email builds a list via "confirmed opt in" as expected by best practices. When one of the lists gets filtered, they want the others to be protected. Worst case scenario they are deliberately spamming and trying to hide under the radar by spreading it out.
I am trying my best to give them the benefit of the doubt here, because they do work directly with Spamhaus to not be listed (I realize reasons on both sides why this could be) and searches on Google and spam newsgroups for their highest traffic email domains yield next to nothing, given the amount of email they say they send out.
Try tools like http://www.mxtoolbox.com/blacklists.aspx and http://www.anti-abuse.org/multi-rbl-check/ and run through their existing address space. When you're skirting the gray zone, Spamhaus is generally the last one to list you. Find out what the other RBLs think.
However, if they *are* legitimate, which certainly is possible, are discontiguous networks a common practice for even legit operators, as it's quite likely that even legit email marketers will end up being blocked because someone accidentally hit 'Spam' instead of 'Delete' in their AOL software?
If this was a brand new customer, I'd say hell no: they're obviously a spammer. Since they've been with you for years and haven't tripped the filters yet, I wouldn't be inclined to send them packing. As a contingency to receiving the spread-out assignments, however, I would ask them to sign a document to the effect that they only use email lists built with confirmed opt-in with a stiff and escalating dollar penalty clause should your abuse department receive convincing and voluminous complaints that they didn't. Regards, Bill Herrin -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
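An added example, not from Bill or anyone else on this thread, of running a customer's existing space through several DNSBLs the way Bill suggests, including the RFC 5782 test-point check that the web tools perform for you. The zone names other than zen.spamhaus.org, the sample blocks, and the canned answers are assumptions constructed so the example runs offline; a live sweep would pass `system_resolve` in place of `fake_resolve`.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Optional

# Zones to consult. zen.spamhaus.org is the list the customer says they work with;
# bl.spamcop.net is assumed here as a second opinion and should be replaced with
# whichever lists the operator actually trusts.
ZONES = ["zen.spamhaus.org", "bl.spamcop.net"]

# A resolver maps a query name to its first A record, or None on NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def dnsbl_name(ip: str, zone: str) -> str:
    """Query name for `ip` under `zone`: reversed octets (reversed nibbles for IPv6)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(addr.exploded.split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def classify(answer: Optional[str]) -> str:
    """Interpret a DNSBL answer. A listing is an A record in 127.0.0.0/8; anything
    else means a broken zone or a resolver that rewrites NXDOMAIN."""
    if answer is None:
        return "not_listed"
    if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
        return "listed"
    return "error"


def zone_is_sane(resolve: Resolver, zone: str) -> bool:
    """RFC 5782 test points: 127.0.0.2 must be listed and 127.0.0.1 must not be.
    Without this, a dead resolver or a defunct zone makes every address look clean."""
    return (classify(resolve(dnsbl_name("127.0.0.2", zone))) == "listed"
            and classify(resolve(dnsbl_name("127.0.0.1", zone))) == "not_listed")


def sweep(cidrs: Iterable[str], zones: Iterable[str],
          resolve: Resolver) -> Dict[str, Optional[Dict[str, str]]]:
    """Per zone, map each listed address in `cidrs` to its answer code. A zone that
    fails the test-point check maps to None, so 'no hits' is never confused with
    'could not check'."""
    results: Dict[str, Optional[Dict[str, str]]] = {}
    for zone in zones:
        if not zone_is_sane(resolve, zone):
            results[zone] = None
            continue
        hits: Dict[str, str] = {}
        for cidr in cidrs:
            for ip in ipaddress.ip_network(cidr):
                answer = resolve(dnsbl_name(str(ip), zone))
                if classify(answer) == "listed":
                    hits[str(ip)] = answer
        results[zone] = hits
    return results


def system_resolve(name: str) -> Optional[str]:
    """Live lookup through the system resolver. gethostbyname also raises gaierror
    on timeouts, which this treats as 'not listed'; zone_is_sane catches a resolver
    that is down, but an intermittent failure can still hide a listing."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed offline stand-in for DNS. One host in each sample block is "listed";
# broken.example never answers, not even for the test point, so it must be
# reported as unusable rather than as clean.
FAKE_ANSWERS = {
    "2.0.0.127.zen.spamhaus.org": "127.0.0.2",
    "2.0.0.127.bl.spamcop.net": "127.0.0.2",
    "5.2.0.192.zen.spamhaus.org": "127.0.0.2",
    "20.100.51.198.bl.spamcop.net": "127.0.0.2",
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_ANSWERS.get(name)


SAMPLE_BLOCKS = ["192.0.2.0/29", "198.51.100.16/28"]  # RFC 5737 documentation space

if __name__ == "__main__":
    for zone, hits in sweep(SAMPLE_BLOCKS, ZONES + ["broken.example"], fake_resolve).items():
        print(zone, "UNUSABLE (failed test-point check)" if hits is None else hits)
```

Sweeping a customer's whole allocation this way is cheap for the block sizes discussed here, and the per-zone `None` result is the part worth keeping: a report that says "clean" because the resolver was silently failing is worse than no report.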
participants (22): Aftab Siddiqui, Bret Clark, Brielle Bruns, David Miller, Jared Mauch, Jason Baugher, JC Dill, John Levine, John Peach, John R. Levine, Jon Lewis, Jérôme Nicolle, Leo Bicknell, Matthew Palmer, Seth Mattinen, Seth Mos, Steve Richardson, Steven Bellovin, Suresh Ramasubramanian, Tony Finch, Valdis.Kletnieks@vt.edu, William Herrin