Gang, I've tried to get the attention of senderbase, which is claiming activity from my address space which is in fact either un-routed or within dynamic subscriber blocks that have outbound SMTP filtering in effect. Unfortunately, senderbase refuses to acknowledge the problem in their database or back up their claims with any evidence other than that these IPs are listed in their database and that's that. I realise this may not strictly be the domain of NANOG, but I would think that the quality of services such as senderbase, as measured both in false positives and in their ability to act on them, would be, since many here use and depend on these services. I don't understand how or why senderbase would list unrouted address space and further give me grief over the reporting of it ("Unless the daily volume magnitude shows something > 1, I would not be too worried"), but accuracy counts and you won't have my business unless you can demonstrate some.

Mike
* Mike:
I've tried to get the attention of senderbase, which is claiming activity from my address space which is in fact either un-routed or within dynamic subscriber blocks that have outbound smtp filtering in effect.
Could you share technical details on your filters, please? If you only filter incoming TCP packets from your customers with destination port 25, these filters might well be insufficient.
On Fri, Apr 16, 2010 at 6:25 PM, Mike <mike-nanog@tiedyenetworks.com> wrote:
I've tried to get the attention of senderbase, which is claiming activity from my address space which is in fact either un-routed or within dynamic subscriber blocks that have outbound smtp filtering in effect.
Interesting; I see similar results for my address space. Two addresses, one of which hasn't been attached to a machine for a decade and the other a virtual IP on a web server where the particular IP never emits connections. Magnitude's only "0.48" for both but still, they shouldn't even appear.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
On Sat, 17 Apr 2010, William Herrin wrote:
On Fri, Apr 16, 2010 at 6:25 PM, Mike <mike-nanog@tiedyenetworks.com> wrote:
I've tried to get the attention of senderbase, which is claiming activity from my address space which is in fact either un-routed or within dynamic subscriber blocks that have outbound smtp filtering in effect.
Interesting; I see similar results for my address space. Two addresses, one of which hasn't been attached to a machine for a decade and the other a virtual IP on a web server where the particular IP never emits connections. Magnitude's only "0.48" for both but still, they shouldn't even appear.
I suspect a bug in their system. I checked a handful of unrouted blocks from our address space and eventually hit a /24 from which senderbase lists an IP with magnitude 0.48, but the space hasn't been routed for 13 months. They say they saw something from it on 2010-04-06...which I'd say is highly unlikely.

----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On Sat, 2010-04-17 at 16:45 -0400, William Herrin wrote:
Interesting; I see similar results for my address space. Two addresses, one of which hasn't been attached to a machine for a decade and the other a virtual IP on a web server where the particular IP never emits connections. Magnitude's only "0.48" for both but still, they shouldn't even appear.
Yep, same here, at two separate sites. It's in the "reserved for extreme emergencies" zone at the top of each assigned block. As per house practice it is tcpdumped 24/7, and has been for the last 4 years. Zero traffic from it at the perimeter.

Go figure.

Gord

--
Order of Magnitude delayed due to lack of stock, please call Despatch
On Sun, Apr 18, 2010 at 10:15 AM, gordon b slater <gordslater@ieee.org> wrote:
On Sat, 2010-04-17 at 16:45 -0400, William Herrin wrote:
Interesting; I see similar results for my address space. Two addresses, one of which hasn't been attached to a machine for a decade and the other a virtual IP on a web server where the particular IP never emits connections. Magnitude's only "0.48" for both but still, they shouldn't even appear.
Yep, same here, at two separate sites. It's in the "reserved for extreme emergencies" zone at the top of each assigned block. As per house practice it is tcpdumped 24/7, and has been for the last 4 years. Zero traffic from it at the perimeter.
Go figure.
Gord
Have you checked cyclops and other BGP announcement tracking systems to see if it might have been a short-lived whack-a-mole short prefix hijack (pop up, announce block, send burst of spam, remove announcement, disappear again)?

Matt
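Matt's suggestion can be checked offline once you have an update feed for your prefixes from a route collector. The following is an added example, not code from any participant in this thread or from senderbase or cyclops: it walks a log of BGP updates (the sample below is constructed, loosely in the one-line shape that `bgpdump -m` emits) and reports every announcement of a block that should be unrouted, or of a prefix inside your routed space with an origin AS you do not permit, with how long each lasted before it was withdrawn. The prefixes, peer addresses and ASNs are documentation values chosen for the example; AS64500 is assumed to be "our" ASN and AS65551 the hijacker.

```python
"""Spot short-lived announcements of address space that should not be routed.

Input: a BGP update log, one record per line, in the one-line style that
`bgpdump -m` produces (TYPE|UNIX_TIME|A or W|PEER_IP|PEER_AS|PREFIX|AS_PATH|...),
plus a table of the blocks you care about. Output: every announcement whose
origin AS is not one you permit, with start/end times and duration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample records (not real routing data). 192.0.2.0/24 and
# 198.51.100.0/24 stand in for "our" address space; AS64500 is assumed to be
# our ASN, 64496/64497 are the collector's peers and 65551 is the hijacker.
SAMPLE_UPDATES = """\
BGP4MP|1270540800|A|203.0.113.1|64496|198.51.100.0/24|64496 64498 64500|IGP|203.0.113.1|0|0||NAG||
BGP4MP|1270541400|A|203.0.113.1|64496|192.0.2.0/24|64496 64498 65551|IGP|203.0.113.1|0|0||NAG||
BGP4MP|1270541400|A|203.0.113.2|64497|192.0.2.0/24|64497 65551|IGP|203.0.113.2|0|0||NAG||
BGP4MP|1270542600|W|203.0.113.1|64496|192.0.2.0/24
BGP4MP|1270542660|W|203.0.113.2|64497|192.0.2.0/24
BGP4MP|1270550000|A|203.0.113.1|64496|198.51.100.128/25|64496 64498 65551|IGP|203.0.113.1|0|0||NAG||
BGP4MP|1270600000|A|203.0.113.1|64496|198.51.100.0/24|64496 64498 64500|IGP|203.0.113.1|0|0||NAG||
"""

# Block -> origin ASNs allowed to announce it or anything inside it.
# An empty set means "this block must never appear in the table at all".
MONITORED = {
    "192.0.2.0/24": set(),        # unrouted space
    "198.51.100.0/24": {64500},   # routed, only by us
}


@dataclass
class Finding:
    prefix: str
    origin_as: int
    peer_ip: str
    start: int
    end: Optional[int] = None  # None: still announced when the log ended

    @property
    def duration(self) -> Optional[int]:
        return None if self.end is None else self.end - self.start


def find_unexpected_announcements(updates: str, monitored: dict[str, set[int]]) -> list[Finding]:
    """Return one Finding per (peer, prefix) announcement with a disallowed origin."""
    blocks = [(ipaddress.ip_network(p), allowed) for p, allowed in monitored.items()]
    open_events: dict[tuple[str, str], Finding] = {}
    findings: list[Finding] = []

    for line in updates.splitlines():
        fields = line.split("|")
        if len(fields) < 6:
            continue
        ts, kind, peer, prefix = int(fields[1]), fields[2], fields[3], fields[5]
        net = ipaddress.ip_network(prefix, strict=False)
        # Every monitored block that covers this prefix: a hijacker often
        # announces a more-specific, so match on containment, not equality.
        covering = [allowed for blk, allowed in blocks
                    if blk.version == net.version and net.subnet_of(blk)]
        if not covering:
            continue
        key = (peer, prefix)

        if kind == "A":
            # Origin is the last AS in the path; strip AS_SET braces if present.
            origin = int(fields[6].split()[-1].strip("{}"))
            if all(origin in allowed for allowed in covering):
                # Legitimate announcement; it implicitly replaces any bad
                # path this peer was carrying for the same prefix.
                ended = open_events.pop(key, None)
                if ended is not None:
                    ended.end = ts
                continue
            if key not in open_events:
                finding = Finding(prefix, origin, peer, ts)
                open_events[key] = finding
                findings.append(finding)
        elif kind == "W":
            ended = open_events.pop(key, None)
            if ended is not None:
                ended.end = ts

    return findings


def short_lived(findings: list[Finding], max_seconds: int = 3600) -> list[Finding]:
    """Events withdrawn within max_seconds, plus any never withdrawn (still live)."""
    return [f for f in findings if f.duration is None or f.duration <= max_seconds]


if __name__ == "__main__":
    for f in find_unexpected_announcements(SAMPLE_UPDATES, MONITORED):
        when = "still announced" if f.end is None else f"withdrawn after {f.duration}s"
        print(f"{f.prefix} origin AS{f.origin_as} via {f.peer_ip} at {f.start}: {when}")
```

Run against real collector data (RIPE RIS and Route Views both publish update archives that `bgpdump -m` renders in this shape), the interesting output is a prefix from your unrouted space that appears at one or two peers for twenty minutes and then vanishes; a listing with a small magnitude on a date when no such event shows up in any collector is what you would expect from a database glitch instead.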
On 4/18/2010 16:02, Matthew Petach wrote:
On Sun, Apr 18, 2010 at 10:15 AM, gordon b slater <gordslater@ieee.org> wrote:
On Sat, 2010-04-17 at 16:45 -0400, William Herrin wrote:
Interesting; I see similar results for my address space. Two addresses, one of which hasn't been attached to a machine for a decade and the other a virtual IP on a web server where the particular IP never emits connections. Magnitude's only "0.48" for both but still, they shouldn't even appear.
Yep, same here, at two separate sites. It's in the "reserved for extreme emergencies" zone at the top of each assigned block. As per house practice it is tcpdumped 24/7, and has been for the last 4 years. Zero traffic from it at the perimeter.
Go figure.
Gord
Have you checked cyclops and other BGP announcement tracking systems to see if it might have been a short-lived whack-a-mole short prefix hijack (pop up, announce block, send burst of spam, remove announcement, disappear again)?
Maybe I'm just tired and cranky or too old to understand.....if the addresses in question never send traffic, who cares? And if senderbase is so bad, why use it?

--
Somebody should have said:
A democracy is two wolves and a lamb voting on what to have for dinner.
Freedom under a constitutional republic is a well armed lamb contesting the vote.
Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca
ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
On Sun, 18 Apr 2010, Larry Sheldon wrote:
Have you checked cyclops and other BGP announcement tracking systems to see if it might have been a short-lived whack-a-mole short prefix hijack (pop up, announce block, send burst of spam, remove announcement, disappear again)?
Maybe I'm just tired and cranky or too old to understand.....if the addresses in question never send traffic, who cares?
He's suggesting that maybe mail came from those IPs while someone else was using them without your knowledge. Given the available info, I think it's far more likely senderbase has some glitch causing bogus 0.48 scores for IPs that really haven't sent anything in recent history.

----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
participants (8)
- Florian Weimer
- gordon b slater
- John Levine
- Jon Lewis
- Larry Sheldon
- Matthew Petach
- Mike
- William Herrin