RE: Abuse procedures... Reality Checks
I guess our upstream provider is a nobody because they have lots of small sub-allocated blocks less than a /24 that they route to different member ISPs. =) What is the point of blocking a /24 on the basis of a /32 if the ISP manages dozens of other /24 or larger blocks? If you're going to do it, block *all* the IPs associated to the 'bad' ISP. Then at least you're consistent, otherwise expanding to a /24 is just a half (or 1%) job or laziness. Frank -----Original Message----- From: Frank Bulk Sent: Saturday, April 07, 2007 10:45 PM To: nanog@nanog.org Subject: Re: Abuse procedures... Reality Checks
Sure, block that /29, but why block the /24, /20, or even /8?
Since nobody will route less than a /24, you can be pretty sure that regardless of the SWIPs, everyone in a /24 is served by the same ISP. I run a tiny network with about 400 mail users, but even so, my semiautomated systems are sending off complaints about a thousand spams a day that land in traps and filters. (That doesn't count about 50,000/day that come from blacklisted sources that I package up and sell to people who use them to tune filters and look for phishes.) I log the sources, when a particular IP has more than 50 complaints in a month I usually block it, if I see a bunch of blocked IP's in a range I usually block the /24. Now and then I get complaints from users about blocked mail, but it's invariably from an individual IP at an ISP or hosting company that has both a legit correspondent and a spam-spewing worm or PHP script. It is quite rare for an expansion to a /24 to block any real mail. My goal is to keep the real users' mail flowing, to block as much spam as cheaply as I can, and to get some sleep. I can assure you from experience that any sort of automated RIR WHOIS lookups will quickly trip volume checks and get you blocked, so I do a certain number manually, typically to figure out how likely there is to be someone reading the spam reports. But on today's Internet, if you want to get your mail delivered, it would be a good idea not to live in a bad neighborhood, and if your ISP puts you in one, you need a better ISP. That's life. Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor "More Wiener schnitzel, please", said Tom, revealingly.
participants (1)
-
Frank Bulk