Can someone from SORBS contact me offlist if they are on here.... My most recent allocation from ARIN turned out to be dirty IP's, and I'm having trouble getting them removed following the steps on their website (no action on tickets opened). 64.79.128.0/20 Brian Boles vegasnetman@gmail.com
We have the same problem. We are blacklisted and I filled out the webform. I got an email regarding ticket number and account/password to track the ticket. But it seems that nobody is working on it. Best Stefan On Monday 07 August 2006 20:54, Brian Boles wrote:
Can someone from SORBS contact me offlist if they are on here....
My most recent allocation from ARIN turned out to be dirty IP's, and I'm having trouble getting them removed following the steps on their website (no action on tickets opened).
64.79.128.0/20
Brian Boles vegasnetman@gmail.com
-- Stefan Hegger Internet System Engineer Stefan.Hegger@lycos-europe.com Tel: +49 5241 8071 334 Lycos Europe GmbH Carl-Bertelsmann Str. 29 Postfach 315 33311 Gütersloh
Sad state of affairs when looney people dictate which IPs are "good" and "bad". -Michael Brian Boles wrote:
Can someone from SORBS contact me offlist if they are on here....
My most recent allocation from ARIN turned out to be dirty IP's, and I'm having trouble getting them removed following the steps on their website (no action on tickets opened).
64.79.128.0/20 <http://64.79.128.0/20>
Brian Boles vegasnetman@gmail.com <mailto:vegasnetman@gmail.com>
-- Michael Nicks Network Engineer KanREN e: mtnicks@kanren.net o: +1-785-856-9800 x221 m: +1-913-378-6516
Even worse if your ISP uses it and demands you ask the 'offender' to get 'themselves' removed. Michael Nicks wroteth on 8/8/2006 7:27 AM:
Sad state of affairs when looney people dictate which IPs are "good" and "bad".
-Michael
Brian Boles wrote:
Can someone from SORBS contact me offlist if they are on here....
My most recent allocation from ARIN turned out to be dirty IP's, and I'm having trouble getting them removed following the steps on their website (no action on tickets opened).
64.79.128.0/20 <http://64.79.128.0/20>
Brian Boles vegasnetman@gmail.com <mailto:vegasnetman@gmail.com>
On Tue, 8 Aug 2006, S. Ryan wrote: I have recommended to every client in the past to drop any ISP that uses SORBS, but amazingly there are still plenty of clueless ISPs out there that use SORBS. Hank Nussbacher http://www.interall.co.il
Even worse if your ISP uses it and demands you ask the 'offender' to get 'themselves' removed.
Michael Nicks wroteth on 8/8/2006 7:27 AM:
Sad state of affairs when looney people dictate which IPs are "good" and "bad".
-Michael
Brian Boles wrote:
Can someone from SORBS contact me offlist if they are on here....
My most recent allocation from ARIN turned out to be dirty IP's, and I'm having trouble getting them removed following the steps on their website (no action on tickets opened).
64.79.128.0/20 <http://64.79.128.0/20>
Brian Boles vegasnetman@gmail.com <mailto:vegasnetman@gmail.com>
+++++++++++++++++++++++++++++++++++++++++++ This Mail Was Scanned By Mail-seCure System at the Tel-Aviv University CC.
Someone is providing you transit.. what gives? :) Matthew Sullivan wroteth on 8/8/2006 4:33 PM:
Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Sad state of affairs when looney people dictate which IPs are "good" and "bad". Sad state of affairs when ISPs are still taking money from spammers and
Michael Nicks wrote: providing transit to known criminal organisations.
/ Mat
On Wed, 9 Aug 2006, Matthew Sullivan wrote:
Sad state of affairs when ISPs are still taking money from spammers and providing transit to known criminal organisations.
Hey Mat. You aren't wrong, but that doesn't absolve you of the responsibility to de-list in an efficient manner when you have made a mistake, or if the listing is no longer accurate (i.e. if all the spammers have been kicked off the netblock in question.) $DAYJOB lists spam filtering amongst the services we offer to our clients. I know we're using you to block IPs at the firewall, and we're probably also doing so at the server level. I am going to talk to my boss and co-workers about the impact of removing SORBS from our DNSBL list, because your replies lately have been snarky and completely unprofessional, including the reply quoted above. (Yes. It sucks that spammers are still spamming. So what?) I don't know what your problem is, but you're not making things any better by refusing to fix listings that aren't incorrect or, in some cases, never were. -- Steve Sobol, Professional Geek ** Java/VB/VC/PHP/Perl ** Linux/*BSD/Windows Apple Valley, California PGP:0xE3AE35ED It's all fun and games until someone starts a bonfire in the living room.
On Wed, 9 Aug 2006, Steve Sobol wrote:
I don't know what your problem is, but you're not making things any better by refusing to fix listings that aren't incorrect or, in some cases, never were.
Feh. Listings that are NO LONGER CORRECT, or in some cases, never were. Make sure brain is running before engaging fingers. :) -- Steve Sobol, Professional Geek ** Java/VB/VC/PHP/Perl ** Linux/*BSD/Windows Apple Valley, California PGP:0xE3AE35ED It's all fun and games until someone starts a bonfire in the living room.
I don't know what your problem is, but you're not making things any better by refusing to fix listings that aren't incorrect or, in some cases, never were.
IMHO, it's not about making things 'better' - we don't expect NANOG'ers to be any more altruistic than other folk. It's about consumer protection, as the anti-spammers always say; if $BLACKLIST does a good job, we keep it. If it screws up too much, we go elsewhere. So Matt has an incentive to be correct, I should think. -- _________________________________________ Nachman Yaakov Ziskind, FSPA, LLM awacs@ziskind.us Attorney and Counselor-at-Law http://ziskind.us Economic Group Pension Services http://egps.com Actuaries and Employee Benefit Consultants
owner-nanog@merit.edu wrote:
I don't know what your problem is, but you're not making things any better by refusing to fix listings that aren't incorrect or, in some cases, never were.
IMHO, it's not about making things 'better' - we don't expect NANOG'ers to be any more altruistic than other folk. It's about consumer protection, as the anti-spammers always say; if $BLACKLIST does a good job, we keep it. If it screws up too much, we go elsewhere. So Matt has an incentive to be correct, I should think.
I fear we're veering off topic, but the problem with the "If $BLACKLIST does a job, we'll keep using it" axiom is that it makes the assumption that the majority of mail admins who use blacklists as part of their antispam arsenal are keeping close tabs on the efficacy and accuracy of the blacklists they use. Unfortunately I don't believe that is generally the case. In my experience, most use blacklists as a "set and forget" kind of weapon, and the only method they use to judge the reliability of a list is how many spams it blocks, regardless of accuracy. Too often you find admins that, when presented with an example of a false-positive caused by an inaccurate blacklist, cop the, "Don't talk to me, talk to the blacklist operators" attitude. And it isn't entirely a lazy admin problem. There really seems to be no *good* way to judge the relative accuracy of different blacklists. You can read thier policies and procedures, but how do you know if they actually follow them? Keeping an eye on mailing lists and newsgroups can help some, but how do you separate the net.kooks complaining about a valid listing from people with legitimate gripes? Especially when the blacklist admins often come off as bigger net.kooks than their detractors? It winds up looking like a big catch-22 to me. Blacklist operators essentially punt all responsibility for incorrectly blocked emails on the mail admins, and the mail admins punt all responsibility for incorrect listings back at the blacklist operators. And that leaves us with *no one* taking responsibility, which makes me seriously question the wisdom of using blacklists at all anymore. Personally, I think completely automated systems with very short listing times may be the way to go. It removes the human element from the listing and delisting process in order to avoid the personality-conflict/vendetta listings that seem to poison a number of popular blacklists. In the long run, though, I think the spammers have won the DNS blacklist war already and our time is better spent developing better content filters to worry with the actual content of the email than where it came from. Andrew Cruse
Steve Sobol wrote:
On Wed, 9 Aug 2006, Matthew Sullivan wrote:
Sad state of affairs when ISPs are still taking money from spammers and providing transit to known criminal organisations.
Hey Mat.
You aren't wrong, but that doesn't absolve you of the responsibility to de-list in an efficient manner when you have made a mistake, or if the listing is no longer accurate (i.e. if all the spammers have been kicked off the netblock in question.)
If you checked with the original complainant you would find that both the zombie and DUHL listings are cleared. If you knew the ticket numbers and where they sit in the SORBS RT Support system you would know that there were multiple tickets logged the oldest now being 10 days, the most recent being 5 days - and under published policy the earliest was pushed into the more recent. You'll also note that the original complaint was about a single IP address as part of a /27 within a /19 listing.
$DAYJOB lists spam filtering amongst the services we offer to our clients. I know we're using you to block IPs at the firewall, and we're probably also doing so at the server level. I am going to talk to my boss and co-workers about the impact of removing SORBS from our DNSBL list, because your replies lately have been snarky and completely unprofessional, including the reply quoted above. (Yes. It sucks that spammers are still spamming. So what?)
The quoted text above is intended for a few that might still be on this list, non of which posted to this thread. The fact remains some ISPs provide transit to known criminal organisations for hijacked netblocks which are used for nothing but abuse (hosting trojans and viruses). Money talks.
I don't know what your problem is, but you're not making things any better by refusing to fix listings that aren't incorrect or, in some cases, never were.
Where do you get that from...? We fix incorrect listings as soon as notified and with no deliberate delay. If you are refering to listings like Dean Anderson's stolen netblock these are not delisted until such time as proof is obtained that our information is incorrect. We have been informed that Dean picked up that portable /16 (and 2 other networks - one of which was a non-portable UUNET block) when he parted company with OSF in 1998. I have been contacted on a few occasions by Dean demanding delisting, each time I have asked for proof that he did not steal the netblock from the OSFs creditors (taking without permission even from a company folding is still stealing) - his response was a lot of bluster followed by the creation of the IADL.org site. A few people (including myself) have attempted to contact 'The Open Group' who are the new owners of the old OSF organisation. I am not aware of a reply that has been received from anyone other than Dean indicating that Dean is the legitimate owner of the said netblock. You will also note that at least one of the netblocks that Dean has indicated that he was a legitimate owner of have been taken back and are reallocated. To date no-one has backed Dean up in his assertion that he did not steal the netblock, all that we have seen is a short time after the listing suddenly Dean started providing services to 'opengroup.org' and cited that as proof he owns the block - considering the OpenGroup is in the UK now and are now unlikely to be able to prove to a court that they are the legitimate owners of the netblock I don't see that as reason to consider Dean the legitimate owner. A verifiable document from the OSF/OpenGroup indicating that Dean Anderson is the legitimate owner of their /16 and it was transfered to him with their knowledge and permission is all that is required for delisting... however it seems Dean cannot obtain that adding weight to the view that he did indeed steal the netblocks. Something to consider before replying: is this on or off topic for NANOG? (personally I think part of this is on topic, other parts of the thread are definitely off topic) Regards, Mat
Matthew Sullivan wrote:
If you checked with the original complainant you would find that both the zombie and DUHL listings are cleared. If you knew the ticket numbers and where they sit in the SORBS RT Support system you would know that there were multiple tickets logged the oldest now being 10 days, the most recent being 5 days - and under published policy the earliest was pushed into the more recent. You'll also note that the original complaint was about a single IP address as part of a /27 within a /19 listing.
OK. I have no problem with that. I want you to understand that my observation comes from seeing *many* people complain about a lack of response. If it was just a couple, that'd be a horse of another color. And frankly, it's not like you try to hide. You're a public figure here and on several other discussion forums. So I don't think it's unreasonable to assume that if people are having trouble reaching SORBS, it's not because the contacts aren't published. In fact, I've seen a number of complaints that people *have* contacted SORBS and have failed to get a response.
The quoted text above is intended for a few that might still be on this list, non of which posted to this thread. The fact remains some ISPs provide transit to known criminal organisations for hijacked netblocks which are used for nothing but abuse (hosting trojans and viruses).
I'm not arguing that fact. Whether or not it was an appropriate response is another matter.
I don't know what your problem is, but you're not making things any better by refusing to fix listings that aren't incorrect or, in some cases, never were.
Where do you get that from...? We fix incorrect listings as soon as notified and with no deliberate delay. If you are refering to listings like Dean Anderson's stolen netblock these are not delisted until such time as proof is obtained that our information is incorrect.
Perhaps "refusal" is not the proper word, and I apologize for using it. It does imply intent. "failure" may be a more accurate description.
permission even from a company folding is still stealing) - his response was a lot of bluster followed by the creation of the IADL.org site.
Yup, I know. I'm there too. I am one of Dean's most vocal detractors.
Something to consider before replying: is this on or off topic for NANOG? (personally I think part of this is on topic, other parts of the thread are definitely off topic)
It has been agreed that spam is offtopic, although the issue of hijacked netblocks certainly isn't. So I probably should have replied to you off-list (apologies to everyone else for lowering the S:N ratio). I don't know what the official word is on whether DNSBL operations in general are on-topic for this list. I would appreciate if the people in charge of deciding such things could tell me whether DNSBLs are on-topic or not... -- Steve Sobol, Professional Geek ** Java/VB/VC/PHP/Perl ** Linux/*BSD/Windows Apple Valley, California PGP:0xE3AE35ED It's all fun and games until someone starts a bonfire in the living room.
Steve Sobol wrote:
Matthew Sullivan wrote:
<replied off list>
Something to consider before replying: is this on or off topic for NANOG? (personally I think part of this is on topic, other parts of the thread are definitely off topic)
It has been agreed that spam is offtopic, although the issue of hijacked netblocks certainly isn't. So I probably should have replied to you off-list (apologies to everyone else for lowering the S:N ratio).
I don't know what the official word is on whether DNSBL operations in general are on-topic for this list. I would appreciate if the people in charge of deciding such things could tell me whether DNSBLs are on-topic or not...
List maintainers, would you please rule on whether: 1/ DNSbl operations are on or off topic. 2/ Hijacked netblocks are on/off topic (I suspect on topic, but would like to see an official word). Regards, Mat
Brian Boles wrote:
Can someone from SORBS contact me offlist if they are on here....
My most recent allocation from ARIN turned out to be dirty IP's, and I'm having trouble getting them removed following the steps on their website (no action on tickets opened).
64.79.128.0/20 <http://64.79.128.0/20>
If course checking this we find that SORBS is not the only problem you have... http://www.completewhois.com/hijacked/files/64.79.128.0.txt Regards, Mat
On Wed, 9 Aug 2006, Matthew Sullivan wrote:
Brian Boles wrote:
Can someone from SORBS contact me offlist if they are on here....
My most recent allocation from ARIN turned out to be dirty IP's, and I'm having trouble getting them removed following the steps on their website (no action on tickets opened).
64.79.128.0/20 <http://64.79.128.0/20>
If course checking this we find that SORBS is not the only problem you have...
That was old user of that ip block. The block has been deleted and ARIN now reassigned/reallocated it to somebody else. The file you need to watch (which gets updated when ip block previously hijacked is no longer an issue) is: http://www.completewhois.com/hijacked/hijacked_flist.txt (though a few more legacy blocks listed there got deleted in last months, so it does need to be updated again) -- William Leibzon Elan Networks william@elan.net
william(at)elan.net wrote:
That was old user of that ip block. The block has been deleted and ARIN now reassigned/reallocated it to somebody else.
The file you need to watch (which gets updated when ip block previously hijacked is no longer an issue) is: http://www.completewhois.com/hijacked/hijacked_flist.txt
(though a few more legacy blocks listed there got deleted in last months, so it does need to be updated again)
Ta, missed that link previously. Regards, Mat
participants (10)
-
andrew2@one.net
-
Brian Boles
-
Hank Nussbacher
-
Matthew Sullivan
-
Michael Nicks
-
Nachman Yaakov Ziskind
-
S. Ryan
-
Stefan Hegger
-
Steve Sobol
-
william(at)elan.net