First off, I'm not certain if unallocated space in blocks less than a /8 is properly called bogon, so pardon my terminology if I'm incorrect.
We're seeing a decent chunk of spam coming from an unallocated block of address space. We use CYMRU's great list of /8 bogon space to prevent completely off the wall abuse, but the granularity stops at /8's. Obviously, I've written the originating AS and its single upstream provider (sadly without any response). I'm not looking for a one-time solution for this issue however -- I'd like to permanently block (and kick) anyone who's using unallocated space illegitimately.
How have you dealt with this issue? Does anyone publish a more granular listing of unallocated space? Does ARIN have this information somewhere other than just probing any given IP via whois?
Thanks!
Leslie
Craigslist Spam Hater
I failed to mention we're seeing this from an unallocated /20 whose parent /8 is allocated to ARIN (and is partially in use).
Leslie
Leslie wrote:
First off, I'm not certain if unallocated space in blocks less than a /8 is properly called bogon, so pardon my terminology if I'm incorrect.
We're seeing a decent chunk of spam coming from an unallocated block of address space. We use CYMRU's great list of /8 bogon space to prevent completely off the wall abuse, but the granularity stops at /8's. Obviously, I've written the originating AS and its single upstream provider (sadly without any response). I'm not looking for a one time solution for this issue however -- I'd like to permanently block (and kick) anyone who's using unallocated space illegitimately.
How have you dealt with this issue? Does anyone publish a more granular listing of unallocated space? Does arin have this information somewhere other than just probing any given ip via whois?
Thanks! Leslie Craigslist Spam Hater
What /20 would this be, and can you blame an out-of-date whois client or whois db for it? If the /20 is being routed, and announced - chances are it IS allocated.
On Wed, Oct 28, 2009 at 5:40 AM, Leslie <leslie@craigslist.org> wrote:
I failed to mention we're seeing this from an unallocated /20 whose parent /8 is allocated to ARIN (and is partially in use)
Leslie
Suresh Ramasubramanian wrote:
If the /20 is being routed, and announced - chances are it IS allocated.
Don't bet on it. This is one of the oldest spammer tricks in the book. I worked with ISPs as far back as the late 90s trying to track down poachers who temporarily squat on an unallocated block and announce it to the world.
Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214 c: 843-813-2924 s: 843-564-4224 s: JonRKibler
e: Jon.Kibler@aset.com e: Jon.R.Kibler@gmail.com
http://www.linkedin.com/in/jonrkibler
My PGP Fingerprint is: BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
Having been postmastering at various places for about a decade, I have seen that too - yes. But cymru style filtering means it's kind of out of fashion now. Though - a lot of the cases I've seen have been
1. Out of date whois client and the IP's been allocated after the whois client came out (with a hardcoded list of unallocated IPs)
2. Whois db is out of date - comparatively rarer but known to occur
Especially if you see a mainstream carrier routing it instead of some small outfit in Eastern Europe .. chances are it's a stale db somewhere rather than a totally unallocated block and phantom routing.
On Wed, Oct 28, 2009 at 6:25 AM, Jon Kibler <Jon.Kibler@aset.com> wrote:
Suresh Ramasubramanian wrote:
If the /20 is being routed, and announced - chances are it IS allocated.
Don't bet on it. This is one of the oldest spammer tricks in the book. I worked with ISPs as far back as the late 90s trying to track down poachers who temporarily squat on an unallocated block and announce it to the world.
On 28/10/2009, at 2:00 PM, Suresh Ramasubramanian wrote:
Having been postmastering at various places for about a decade, I have seen that too - yes. But cymru style filtering means its kind of out of fashion now.
Sure, if the prefix is within something that Cymru call a bogon. If it's within a current RIR pool, not so much.
--
Nathan Ward
On Tue, 27 Oct 2009, Leslie wrote:
I failed to mention we're seeing this from an unallocated /20 whose parent /8 is allocated to ARIN (and is partially in use)
What /20 would that be? If you're sure it's unallocated, and see nothing but spam from it, block it at your border.
----------------------------------------------------------------------
Jon Lewis                   |  I route
Senior Network Engineer     |  therefore you are
Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On 28/10/2009, at 12:57 PM, Leslie wrote:
First off, I'm not certain if unallocated space in blocks less than a /8 is properly called bogon, so pardon my terminology if I'm incorrect.
We're seeing a decent chunk of spam coming from an unallocated block of address space. We use CYMRU's great list of /8 bogon space to prevent completely off the wall abuse, but the granularity stops at /8's. Obviously, I've written the originating AS and its single upstream provider (sadly without any response). I'm not looking for a one time solution for this issue however -- I'd like to permanently block (and kick) anyone who's using unallocated space illegitimately.
How have you dealt with this issue? Does anyone publish a more granular listing of unallocated space? Does arin have this information somewhere other than just probing any given ip via whois?
You *might* be able to get a copy of the whois database as an optimisation so you don't have to hit their servers all the time - does that help? I wouldn't rely on that though, but I don't see any other good options.
Perhaps you can only accept stuff from networks that you first saw an announcement for greater than 7 days ago, to prevent people popping up with a network for a day, spamming, and then disappearing? Likely to get lots of false positives in that though, and as soon as someone figures out your technique it's not going to work.
Religious war alert: does SIDR solve this? I guess only if you only accept signed advertisements.. I don't know if that is the intended default mode or not.. Need to do some reading I guess.
--
Nathan Ward
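The "only accept mail from networks first announced more than 7 days ago" idea above, written out as a small first-seen table. This is an added example, not code from the thread or from any of its participants; the class and function names, the 7-day threshold, the sample announcements (RFC 5737 documentation prefixes) and their timestamps are all assumptions made for illustration.

```python
"""Added example, not part of the thread: a first-seen table for announced
prefixes, used to gate SMTP senders on how long their covering prefix has
been announced. Names, timestamps and sample prefixes are assumptions."""
import ipaddress
from datetime import datetime, timedelta, timezone

MIN_AGE = timedelta(days=7)  # assumed threshold, taken from the message above


class PrefixAgeTable:
    """Remembers when each announced prefix was first seen."""

    def __init__(self):
        self.first_seen = {}  # ip_network -> datetime of first announcement

    def announce(self, prefix, when):
        """Record an announcement; re-announcements never reset the clock."""
        net = ipaddress.ip_network(prefix, strict=False)
        if net not in self.first_seen or when < self.first_seen[net]:
            self.first_seen[net] = when

    def covering_prefix(self, addr):
        """Longest-prefix match, as the router forwarding this traffic would do."""
        ip = ipaddress.ip_address(addr)
        matches = [n for n in self.first_seen
                   if n.version == ip.version and ip in n]
        return max(matches, key=lambda n: n.prefixlen) if matches else None

    def accept(self, addr, now):
        """Return (decision, reason) for a connecting sender address."""
        net = self.covering_prefix(addr)
        if net is None:
            return False, f"{addr}: no announcement seen for this address"
        age = now - self.first_seen[net]
        if age < MIN_AGE:
            return False, f"{addr}: {net} first seen {age.days}d ago, under {MIN_AGE.days}d"
        return True, f"{addr}: {net} announced for {age.days}d"


def build_sample_table(now):
    """Constructed announcement history: an old /24, a one-day-old more-specific
    inside it, and a /24 that is just past the threshold and has flapped since."""
    table = PrefixAgeTable()
    table.announce("198.51.100.0/24", now - timedelta(days=30))
    table.announce("198.51.100.64/26", now - timedelta(days=1))
    table.announce("203.0.113.0/24", now - timedelta(days=8))
    table.announce("203.0.113.0/24", now - timedelta(days=1))  # flap; first sighting stands
    return table


def sample_decisions():
    """Run the constructed history against a few senders at a fixed 'now'."""
    now = datetime(2009, 10, 28, tzinfo=timezone.utc)
    table = build_sample_table(now)
    senders = ("198.51.100.10", "198.51.100.70", "203.0.113.5", "192.0.2.1")
    return {s: table.accept(s, now)[0] for s in senders}


if __name__ == "__main__":
    now = datetime(2009, 10, 28, tzinfo=timezone.utc)
    table = build_sample_table(now)
    for sender in ("198.51.100.10", "198.51.100.70", "203.0.113.5", "192.0.2.1"):
        print(table.accept(sender, now))
```

The more-specific case is why the match has to be longest-prefix: a fresh /26 popping up inside an established /24 is treated as new even though the aggregate has been around for a month. The false-positive caveat stated above applies unchanged: every legitimately new allocation is refused for its first week, and a sender that sits still for a week passes.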
Leslie wrote:
First off, I'm not certain if unallocated space in blocks less than a /8 is properly called bogon, so pardon my terminology if I'm incorrect.
Bogon is probably the correct term for any IP space that doesn't belong on the public Internet because it is reserved, unallocated, etc.
We're seeing a decent chunk of spam coming from an unallocated block of address space. We use CYMRU's great list of /8 bogon space to prevent completely off the wall abuse, but the granularity stops at /8's. Obviously, I've written the originating AS and its single upstream provider (sadly without any response). I'm not looking for a one time solution for this issue however -- I'd like to permanently block (and kick) anyone who's using unallocated space illegitimately.
Not too permanently, though. That space is likely to become allocated, and the new legitimate user thereof shouldn't have to beg thousands of networks to unblock it. so
How have you dealt with this issue? Does anyone publish a more granular listing of unallocated space? Does arin have this information somewhere other than just probing any given ip via whois?
I'm not specifically aware of a more granular listing. It would have to be dynamic as new allocations occur all the time. The RIRs (ARIN, RIPE, APNIC, etc.) are the authoritative source for the space allocated to them, but I don't know if they have a real-time bogon list available. In addition to the published list, Team Cymru has a BGP feed and other resources, but I don't know how granular it is with respect to unallocated space. See here: http://www.team-cymru.org/Services/Bogons/
--
Jay Hennigan - CCIE #7880 - Network Engineering - jay@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
I would suggest to report that netblock to SpamHaus to have it included at their DROP list, and also use that DROP list as an extra filter in addition to your bogon filter setup at your border routers.
The SpamHaus DROP (Don't Route Or Peer) list was specially designed for this kind of abuse of stolen 'hijacked' netblocks and netblocks controlled entirely by professional spammers.
http://www.spamhaus.org/drop/
With kind regards,
Michiel Klaver
IT Professional
Michiel Klaver wrote:
I would suggest to report that netblock to SpamHaus to have it included at their DROP list, and also use that DROP list as extra filter in addition to your bogon filter setup at your border routers.
The SpamHaus DROP (Don't Route Or Peer) list was specially designed for this kind of abuse of stolen 'hijacked' netblocks and netblocks controlled entirely by professional spammers.
As a brief off-shoot of the original topic, has anyone scripted the use of Spamhaus's DROP list in a RTBH, ACLs, null-routes, etc? I'm not asking if people think it's safe; that's up to the network wanting to deploy it. I'm wondering if anyone has any scripts for pulling down the DROP list, parsing it into whatever you need (static routes on a RTBH trigger router or ACLs on a border router) and then deploying the config change(s). I don't want to reinvent the wheel if someone else has already done this.
Thanks
Justin
Justin Shore wrote:
Michiel Klaver wrote:
I would suggest to report that netblock to SpamHaus to have it included at their DROP list, and also use that DROP list as extra filter in addition to your bogon filter setup at your border routers.
The SpamHaus DROP (Don't Route Or Peer) list was specially designed for this kind of abuse of stolen 'hijacked' netblocks and netblocks controlled entirely by professional spammers.
As a brief off-shoot of the original topic, has anyone scripted the use of Spamhaus's DROP list in a RTBH, ACLs, null-routes, etc? I'm not asking if people think it's safe; that's up to the network wanting to deploy it. I'm wondering if anyone has any scripts for pulling down the DROP list, parsing it into whatever you need (static routes on a RTBH trigger router or ACLs on a border router) and then deploying the config change(s). I don't want to reinvent the wheel if someone else has already done this.
Downloading and parsing is easy. I used to drop it into the config for a small dns server, rbldnsd I believe, that understands CIDR and used it as a local blacklist. It did very little to stop spam and I was never brave enough to script an automatic update to BGP.
You are using it the wrong way .. most of the drop list is directly spammer controlled space used as, for example, C&C for botnets. You'd see tons of abuse and little or no smtp traffic from a lot of those hosts.
On Thu, Oct 29, 2009 at 12:26 AM, Jason Bertoch <jason@i6ix.com> wrote:
Justin Shore wrote:
As a brief off-shoot of the original topic, has anyone scripted the use of Spamhaus's DROP list in a RTBH, ACLs, null-routes, etc? I'm not asking if people think it's safe; that's up to the network wanting to deploy it. I'm
Downloading and parsing is easy. I used to drop it into the config for a small dns server, rbldnsd I believe, that understands CIDR and used it as a local blacklist. It did very little to stop spam and I was never brave enough to script an automatic update to BGP.
Justin Shore wrote:
Michiel Klaver wrote:
I would suggest to report that netblock to SpamHaus to have it included at their DROP list, and also use that DROP list as extra filter in addition to your bogon filter setup at your border routers.
The SpamHaus DROP (Don't Route Or Peer) list was specially designed for this kind of abuse of stolen 'hijacked' netblocks and netblocks controlled entirely by professional spammers.
As a brief off-shoot of the original topic, has anyone scripted the use of Spamhaus's DROP list in a RTBH, ACLs, null-routes, etc? I'm not asking if people think it's safe; that's up to the network wanting to deploy it. I'm wondering if anyone has any scripts for pulling down the DROP list, parsing it into whatever you need (static routes on a RTBH trigger router or ACLs on a border router) and then deploying the config change(s). I don't want to reinvent the wheel if someone else has already done this.
Thanks Justin
SpamHaus already provides a link to a nice script for Cisco gear at their FAQ page:
http://www.spamhaus.org/faq/answers.lasso?section=DROP%20FAQ
And this shell command should give you a Juniper style prefix-list to include at your filter terms:
wget -q -O - http://www.spamhaus.org/drop/drop.lasso | sed -e "s/;.*//" -e '/^[0-9]/ !d' -e "s/^/set policy-options prefix-list drop-lasso /"
Hope it's helpful!
With kind regards,
Michiel Klaver
IT Professional
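For Justin's question about scripting the DROP list into RTBH static routes or prefix-lists, and as a companion to the sed one-liner above, here is an added example that validates each entry before it is turned into router configuration. It is not Spamhaus's script and not code from anyone in the thread; SAMPLE_DROP is constructed from RFC 5737 documentation prefixes with made-up SBL references, and the function names, the `drop-lasso` list name and the /8 sanity floor are assumptions. The input layout (one `prefix ; SBLref` per line, `;` starting a comment) follows what the one-liner above parses.

```python
"""Added example, not Spamhaus's script and not from the thread: parse a DROP
list defensively and emit Junos prefix-list commands or IOS null routes.
SAMPLE_DROP is constructed; names and the /8 floor are assumptions."""
import ipaddress

SAMPLE_DROP = """\
; Spamhaus DROP List (constructed sample for this example, not real data)
; Last-Modified: constructed
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
203.0.113.0/25 ; SBL000003
203.0.113.7/25 ; SBL000004   <- host bits set: rejected by strict parsing
10.0.0.0/7 ; SBL000005       <- broader than the sanity floor: rejected
"""

MIN_PREFIXLEN = 8  # assumption: never push anything broader than a /8 to a router


def parse_drop(text):
    """Return (entries, rejected): entries is [(ip_network, sbl_ref)] for every
    well-formed line; rejected holds the raw lines that did not pass."""
    entries, rejected = [], []
    for raw in text.splitlines():
        body, _, comment = raw.partition(";")  # everything after ';' is commentary
        body = body.strip()
        if not body:
            continue  # blank or comment-only line
        parts = comment.split()
        ref = parts[0] if parts else ""
        try:
            net = ipaddress.ip_network(body, strict=True)  # host bits must be zero
        except ValueError:
            rejected.append(raw)
            continue
        if net.prefixlen < MIN_PREFIXLEN:
            rejected.append(raw)  # a truncated or corrupted line must not become a blackhole
            continue
        entries.append((net, ref))
    return entries, rejected


def junos_prefix_list(entries, name="drop-lasso"):
    """Same output shape as the sed one-liner, but only for validated prefixes."""
    return [f"set policy-options prefix-list {name} {net}" for net, _ in entries]


def ios_null_routes(entries):
    """Static discards for a RTBH trigger or border router (IPv4 entries only);
    the '!' lines are IOS comments carrying the SBL reference."""
    lines = []
    for net, ref in entries:
        if net.version != 4:
            continue
        lines.append(f"! DROP {ref}")
        lines.append(f"ip route {net.network_address} {net.netmask} Null0")
    return lines


if __name__ == "__main__":
    entries, rejected = parse_drop(SAMPLE_DROP)
    print("\n".join(junos_prefix_list(entries)))
    print("\n".join(ios_null_routes(entries)))
    print("rejected:", rejected)
```

The strict parse and the prefix-length floor are the two checks the one-liner lacks: a partial download or a stray line would otherwise flow straight into `set` commands. Per Suresh's remark that most DROP space is botnet C&C rather than mail sources, the place for the resulting routes is the border, not only the MTA.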
On Tue, 27 Oct 2009 16:57:17 PDT, Leslie said:
We're seeing a decent chunk of spam coming from an unallocated block of address space.
Fear not, this will end when we run out of IPv4 space not too many months down the road :) I admit to remaining confused as to why we still keep seeing providers who fail to do basic due-diligence like BCP38 filtering of packets, or asking a new BGP peer what they expect to announce and then filter based on that. I mean, come on guys - sure they may be 6 cents a meg cheaper, but do you really want to buy connectivity from a provider that can't run their network in a proper fashion? Don't answer that. ;)
On Oct 28, 2009, at 7:14 AM, Valdis.Kletnieks@vt.edu wrote:
On Tue, 27 Oct 2009 16:57:17 PDT, Leslie said:
We're seeing a decent chunk of spam coming from an unallocated block of address space.
Fear not, this will end when we run out of IPv4 space not too many months down the road :)
I admit to remaining confused as to why we still keep seeing providers who fail to do basic due-diligence like BCP38 filtering of packets, or asking a new BGP peer what they expect to announce and then filter based on that. I mean, come on guys - sure they may be 6 cents a meg cheaper, but do you really want to buy connectivity from a provider that can't run their network in a proper fashion?
Don't answer that. ;)
I can answer the above question regarding BCP38: Vendor software defects and architecture limitations make it challenging to deploy a solution whereby BCP38 can be universally deployed. Customers that are unwilling to announce all their space also make uRPF problematic.
I'd like to see 'loose-rpf' universally deployed myself. There is no reason for unrouted space to have packets sourced from it. This makes up a fair percentage of traffic that root/gtld nameservers see (based on conversations I've had with operators over the years).
If you configure CPE devices and don't utilize anti-spoofing capabilities on the CPE LAN, please add that to your templates. It is helpful to the internet as a whole; while you may not personally see a return on your investment, others will.
- Jared
On 28/10/09 00:57, Leslie wrote:
How have you dealt with this issue? Does anyone publish a more granular listing of unallocated space? Does arin have this information somewhere other than just probing any given ip via whois?
You can at least get a list of all the allocated blocks. Presumably anything not allocated is unallocated and is a candidate for blocking.
for rir in afrinic apnic arin lacnic ripencc; do wget ftp://ftp.ripe.net/pub/stats/$rir/delegated-$rir-latest; done
These are updated daily and include both IPv4 and IPv6 allocations. Now, what I would really like is an ARIN version of ripe.db.inetnum.gz :-)
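Once the delegated-*-latest files above are fetched, the missing piece is an "is this address inside any RIR delegation?" lookup, which is what Leslie was asking ARIN for. The following is an added example, not code from the thread or from any RIR; SAMPLE_STATS is constructed from RFC 5737/3849 documentation ranges rather than real RIR data, and the class and function names are assumptions. The field layout used is the public delegated-<rir> statistics format, `registry|cc|type|start|value|date|status`, where value is an address count for ipv4 and a prefix length for ipv6.

```python
"""Added example, not from the thread: build an 'is this address delegated?'
check from RIR delegated-<rir>-latest files. SAMPLE_STATS is constructed;
names are assumptions. Field layout: registry|cc|type|start|value|date|status
(delegated-extended files append an opaque-id column, which is ignored)."""
import bisect
import ipaddress

SAMPLE_STATS = """\
2|arin|20091028|4|19950101|20091027|-0500
arin|*|ipv4|*|3|summary
# comment lines and summary lines carry no delegation
arin|US|ipv4|192.0.2.0|256|19930501|assigned
arin|US|ipv4|198.51.100.0|768|20090115|allocated
ripencc|NL|ipv4|203.0.113.0|128|20080201|allocated
apnic|AU|ipv6|2001:db8::|32|20010101|allocated
"""

# 'reserved' and 'available' (extended format) are not in use by anyone
IN_USE_STATUSES = {"allocated", "assigned"}


class DelegationTable:
    """Sorted, bisect-searchable delegations per IP version."""

    def __init__(self):
        self.ranges = {4: [], 6: []}  # (first_int, last_int, registry, status)
        self.starts = {4: [], 6: []}  # parallel list of first_int for bisect

    def load(self, text):
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            fields = line.split("|")
            # version header, summary lines and non-IP records are skipped
            if len(fields) < 7 or fields[2] not in ("ipv4", "ipv6") or fields[3] == "*":
                continue
            registry, _cc, family, start, value, _date, status = fields[:7]
            if status not in IN_USE_STATUSES:
                continue
            if family == "ipv4":
                first = int(ipaddress.IPv4Address(start))
                last = first + int(value) - 1  # value is a count, not a prefix length
                ver = 4
            else:
                net = ipaddress.IPv6Network(f"{start}/{value}")
                first, last = int(net.network_address), int(net.broadcast_address)
                ver = 6
            self.ranges[ver].append((first, last, registry, status))
        for ver in (4, 6):
            self.ranges[ver].sort()
            self.starts[ver] = [r[0] for r in self.ranges[ver]]

    def lookup(self, addr):
        """Return {'registry', 'status'} for the covering delegation, else None."""
        ip = ipaddress.ip_address(addr)
        ranges, starts = self.ranges[ip.version], self.starts[ip.version]
        i = bisect.bisect_right(starts, int(ip)) - 1
        if i >= 0 and ranges[i][1] >= int(ip):
            _first, _last, registry, status = ranges[i]
            return {"registry": registry, "status": status}
        return None


def load_sample():
    table = DelegationTable()
    table.load(SAMPLE_STATS)
    return table


if __name__ == "__main__":
    table = load_sample()
    for sender in ("192.0.2.10", "198.51.103.0", "203.0.113.200", "2001:db8::1"):
        print(sender, table.lookup(sender) or "NOT DELEGATED")
```

Two points the parser has to get right: the ipv4 value column is an address count, not a prefix length, so 768 addresses starting at 198.51.100.0 run through 198.51.102.255; and a block is only "in use" when its status is allocated or assigned. Since the files are a daily snapshot, a miss means "not delegated as of the last download", which (as Jay notes above) is a reason to age blocks out rather than block them permanently.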
participants (12)
- Chris Hills
- Jared Mauch
- Jason Bertoch
- Jay Hennigan
- Jon Kibler
- Jon Lewis
- Justin Shore
- Leslie
- Michiel Klaver
- Nathan Ward
- Suresh Ramasubramanian
- Valdis.Kletnieks@vt.edu