IP reputation lookup (prefix not single IP)
Hello all,

I’ve seen other folks asking the same/similar question in the past, but I don’t recall seeing more than a few options out there to *try* to suss this out. Use case is someone I’m working with looking to buy a v4 block from a broker.

So far I’ve checked Talos and Sorbs (both allow a prefix lookup). Most of the other RBL/multi-RBL sites want a single IP (the use case being email of course). I won’t abuse their service by trying to look up each single IP in the block...

Could anyone share anything/anywhere else I might look to get crumbs of info on a given prefix?

Thanks.
If you are willing to pay, hetrixtools is an option.

On Thu, Mar 25, 2021 at 12:26 PM vom513 <vom513@gmail.com> wrote:
> Hello all,
>
> I’ve seen other folks asking the same/similar question in the past, but I don’t recall seeing more than a few options out there to *try* to suss this out. Use case is someone I’m working with looking to buy a v4 block from a broker.
>
> So far I’ve checked Talos and Sorbs (both allow a prefix lookup). Most of the other RBL/multi-RBL sites want a single IP (the use case being email of course). I won’t abuse their service by trying to look up each single IP in the block...
>
> Could anyone share anything/anywhere else I might look to get crumbs of info on a given prefix?
>
> Thanks.
I'll second Hetrix tools. We use them, they're great.

On Thu, Mar 25, 2021, 10:13 Alex Wacker <alex@alexwacker.com> wrote:
> If you are willing to pay, hetrixtools is an option.
>
> On Thu, Mar 25, 2021 at 12:26 PM vom513 <vom513@gmail.com> wrote:
>> Hello all,
>>
>> I’ve seen other folks asking the same/similar question in the past, but I don’t recall seeing more than a few options out there to *try* to suss this out. Use case is someone I’m working with looking to buy a v4 block from a broker.
>>
>> So far I’ve checked Talos and Sorbs (both allow a prefix lookup). Most of the other RBL/multi-RBL sites want a single IP (the use case being email of course). I won’t abuse their service by trying to look up each single IP in the block...
>>
>> Could anyone share anything/anywhere else I might look to get crumbs of info on a given prefix?
>>
>> Thanks.
Hi,

if you are interested to use our brokerage services, we offer (among other details - whois, whowas, geolocation, routing history) complete blacklist checks to all blocks added to our platform at www.v4escrow.com

Feel free to contact me in private for more details.

Elvis
V4Escrow CEO

Excuse the briefness of this mail, it was sent from a mobile device.

On Mar 25, 2021, at 10:14, Brendan Carlson <brendan@bcarlsonmedia.com> wrote:
> I'll second Hetrix tools. We use them, they're great.
>
> On Thu, Mar 25, 2021, 10:13 Alex Wacker <alex@alexwacker.com> wrote:
>> If you are willing to pay, hetrixtools is an option.
>>
>> On Thu, Mar 25, 2021 at 12:26 PM vom513 <vom513@gmail.com> wrote:
>>> Hello all,
>>>
>>> I’ve seen other folks asking the same/similar question in the past, but I don’t recall seeing more than a few options out there to *try* to suss this out. Use case is someone I’m working with looking to buy a v4 block from a broker.
>>>
>>> So far I’ve checked Talos and Sorbs (both allow a prefix lookup). Most of the other RBL/multi-RBL sites want a single IP (the use case being email of course). I won’t abuse their service by trying to look up each single IP in the block...
>>>
>>> Could anyone share anything/anywhere else I might look to get crumbs of info on a given prefix?
>>>
>>> Thanks.
I think you will find that most SMTP / anti-spam focused RBL tools give a very similar result for IP reputation on a per /24 block basis, for any randomly chosen IP in the block, particularly where the /24 in question has previously been used and announced by a dedicated server/VPS/virtual server hosting company.

On Thu, Mar 25, 2021 at 9:26 AM vom513 <vom513@gmail.com> wrote:
> Hello all,
>
> I’ve seen other folks asking the same/similar question in the past, but I don’t recall seeing more than a few options out there to *try* to suss this out. Use case is someone I’m working with looking to buy a v4 block from a broker.
>
> So far I’ve checked Talos and Sorbs (both allow a prefix lookup). Most of the other RBL/multi-RBL sites want a single IP (the use case being email of course). I won’t abuse their service by trying to look up each single IP in the block...
>
> Could anyone share anything/anywhere else I might look to get crumbs of info on a given prefix?
>
> Thanks.
> I think you will find that most SMTP / anti-spam focused RBL tools give a very similar result for IP reputation on a per /24 block basis

got cites? this got me curious the other day.

randy

---
randy@psg.com
`gpg --locate-external-keys --auto-key-locate wkd randy@psg.com`
signatures are back, thanks to dmarc header butchery
Nothing more than anecdotal evidence, when I last looked into the externally available network details on a number of low-budget VPS hosting companies...

I would say that if anything, a person who really knows what they're doing operating a properly MX, will face more difficulties today than they did 3, 5 or 7 years ago operating the system in the same netblocks as IPs which have been previously abused.

For obvious reasons the IP reputation systems and antispam tools at the biggest destinations (gsuite/gmail, office365, etc) are treated as closely guarded proprietary data.

My personal theory on a whole /24 acquiring a poor reputation, is that it does have some correlation with the density of random $5/mo VPS customers and the turnover of different customers between the same small group of IPs. And exactly how many misconfigured smtp sources have existed in that block within some previous range of time, how much spam has been reported/flagged, etc.

On Thu, Mar 25, 2021 at 8:28 PM Randy Bush <randy@psg.com> wrote:
>> I think you will find that most SMTP / anti-spam focused RBL tools give a very similar result for IP reputation on a per /24 block basis
>
> got cites? this got me curious the other day.
>
> randy
>
> ---
> randy@psg.com
> `gpg --locate-external-keys --auto-key-locate wkd randy@psg.com`
> signatures are back, thanks to dmarc header butchery
Hi,

On 3/25/21 8:28 PM, Randy Bush wrote:
>> I think you will find that most SMTP / anti-spam focused RBL tools give a very similar result for IP reputation on a per /24 block basis
>
> got cites? this got me curious the other day.
>
> randy

Randy,

Since I started working as an IPv4 Broker I've done tens of thousands of scans (for blocks of IPs) in hundreds of blocklists. There are a handful of blocklists that will list the whole block (that may be a /24 or even a /16) - Spamhaus is an example. However, most blocklists will list only the IPs that have actually done spam. Barracuda, spamrats, etc.

I can share our data with you if you want to do an analysis of the data, I may find a way to give you access to our historic blocklist checks database. We can discuss in private.

> ---
> randy@psg.com
> `gpg --locate-external-keys --auto-key-locate wkd randy@psg.com`
> signatures are back, thanks to dmarc header butchery

cheers,
elvis
It appears that Elvis Daniel Velea <elvis@velea.eu> said:
> There are a handful of blocklists that will list the whole block (that may be a /24 or even a /16) - Spamhaus is an example.

No, they don't. Spamhaus may expand a listing to a /24 or bigger when they see a pattern of abuse from a network but the SBL starts by listing one IP at a time. The XBL, which is run automatically, only lists individual IPs. They also have the PBL, Policy Block List, which lists ranges that the network operators say shouldn't be sending mail in the first place.

Also keep in mind that "most blocklists" is meaningless. Any moron can run a blocklist, and many morons do. The vast majority of blocklists are used by close to nobody, and only a handful are widely enough used to matter.

R's,
John
----- On Mar 26, 2021, at 8:20 PM, John Levine johnl@iecc.com wrote:

Hi,

> Also keep in mind that "most blocklists" is meaningless. Any moron can run a blocklist, and many morons do. The vast majority of blocklists are used by close to nobody, and only a handful are widely enough used to matter.

This moron ran a per-country/per-as blocklist in the early 2000s which was based on a DFZ BGP feed. I closed it off more than 10 years ago.

I just checked and I'm still receiving ~5 queries per second.

As per my anecdotal evidence, there are some really clueless operators out there as well. There is, of course, the temptation to just add a wildcard A record... But nah, I don't like hot places.

The other side-effect is that spammers are still very eager to use my domain in their from: headers, judging by the amount of undeliverables I receive (in waves).

Thanks,
Sabri
Same here. I have not publicised or updated my korea.services.net DNSBL for over a decade and it's still getting over 100 qps.

On Fri, 26 Mar 2021, Sabri Berisha wrote:
> ----- On Mar 26, 2021, at 8:20 PM, John Levine johnl@iecc.com wrote:
>
> Hi,
>
>> Also keep in mind that "most blocklists" is meaningless. Any moron can run a blocklist, and many morons do. The vast majority of blocklists are used by close to nobody, and only a handful are widely enough used to matter.
>
> This moron ran a per-country/per-as blocklist in the early 2000s which was based on a DFZ BGP feed. I closed it off more than 10 years ago.
>
> I just checked and I'm still receiving ~5 queries per second.
>
> As per my anecdotal evidence, there are some really clueless operators out there as well. There is, of course, the temptation to just add a wildcard A record... But nah, I don't like hot places.
>
> The other side-effect is that spammers are still very eager to use my domain in their from: headers, judging by the amount of undeliverables I receive (in waves).

That's generally because they pick the To and From addresses in the spam from the same dusty spam lists.

Regards,
John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
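An added example, not written by anyone in the thread: a prefix check that samples one address per /24 instead of querying every IP, and that first tests a list against the RFC 5782 test points so a dead or wildcarded zone like the ones described above is skipped. The `resolve` callable (returns the A records for a name, empty list on NXDOMAIN), the `.example` zones and the sample answers are assumptions constructed for the example; the return-code mapping follows Spamhaus's published Zen codes.

```python
import ipaddress
from itertools import islice

def dnsbl_qname(ip, zone):
    """RFC 5782 IPv4 query name: octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def sample_prefix(prefix, per_24=1):
    """A few hosts from each /24 rather than every address in the block."""
    net = ipaddress.ip_network(prefix)
    subnets = [net] if net.prefixlen >= 24 else net.subnets(new_prefix=24)
    return [str(h) for s in subnets for h in islice(s.hosts(), per_24)]

def zone_is_sane(resolve, zone):
    """RFC 5782 test points: 127.0.0.2 is listed, 127.0.0.1 is not."""
    return (bool(resolve(dnsbl_qname("127.0.0.2", zone)))      # dead zone fails here
            and not resolve(dnsbl_qname("127.0.0.1", zone)))   # wildcard fails here

ZEN = {**dict.fromkeys((2, 3, 9), "SBL"), **dict.fromkeys((4, 5, 6, 7), "XBL"),
       **dict.fromkeys((10, 11), "PBL")}

def classify_zen(code):
    """Map a Zen-style A record to the list it came from."""
    if code.startswith("127.255.255."):
        return "ERROR"  # query refused or rate limited, not a listing
    return ZEN.get(int(code.rsplit(".", 1)[1]), "UNKNOWN")

def survey(prefix, zone, resolve):
    """{ip: [labels]} for sampled, listed addresses; None if zone unusable."""
    if not zone_is_sane(resolve, zone):
        return None
    hits = {}
    for ip in sample_prefix(prefix):
        codes = resolve(dnsbl_qname(ip, zone))
        if codes:
            hits[ip] = sorted({classify_zen(c) for c in codes})
    return hits

FAKE_DNS = {  # constructed answers: hypothetical zone, benchmark address space
    "2.0.0.127.zen.example": ["127.0.0.2"],
    "1.0.18.198.zen.example": ["127.0.0.4"],
    "1.1.18.198.zen.example": ["127.0.0.10", "127.0.0.2"],
}

def fake_resolve(qname):
    if qname.endswith(".wildcard.example"):
        return ["127.0.0.2"]  # defunct list that answers every query
    return FAKE_DNS.get(qname, [])
```

Raising `per_24` trades more queries for more confidence on lists that only record individual addresses.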
participants (9)
- Alex Wacker
- Brendan Carlson
- Elvis Daniel Velea
- Eric Kuhnke
- John Levine
- John R. Levine
- Randy Bush
- Sabri Berisha
- vom513