AS11296 -- Hijacked?

Date: Wed, 29 Sep 2010 13:06:31 -0700
Subject: Re: AS11296 -- Hijacked?
From: Scott Howard <scott@doc.net.au>

Recommendations such as that are only as credible as the source they are
coming from, and knowing that the person making the request also believes
that blocking all mail from gmail.com is a valid anti-spam technique
probably results in a "different" credibility level than one might otherwise
have.

I have to ask one question -- who are _you_ to judge what is 'valid' for
*HIS* situation?

He's not running a 'provider' network, with any responsibility to others,
it's his personal environment.

On _my_ personal servers, I block *LARGE* swaths of the world -- because
I _do_ get significant amounts of spam from those locales, and have *zero*
expectation of any 'legitimate' mail therefrom. The service denial messages
_do_ provide info on how to get past the blocks. I can state with authority
that in close to a million messages so rejected, -not-a-single-one- has been
from someone with a serious interest in communicating with me. The web-page
with the explanatory data has not had so much as a single hit in over 8 years.
Now, on systems I manage for others, I do things very differently, according
to -their- needs.

The rationale for such decisions is straightforward, and easy to understand.
It's called the 'cost-benefit' ratio. _How_much_ work does it take to let
that 'rare' piece of 'useful' mail through from a source that generates
almost exclusively spam, and _is_ getting that occasional piece of mail
'worth the effort'. Ron has decided 'not', with regard to gmail. To
argue that decision, _you_ would have to know how much 'valid' traffic
he can reasonably expect to get from gmail, and the amount of effort it
would take in his existing environment to accomplish that end.

Robert,

I don't think you quite get it. Don't worry, you don't seem to be alone.

The point here is simple. If someone posts making a recommendation for
every AS to filter some prefixes, and does not provide any references by
default, it's not helpful.
When questioned about the rationale, if said person then declines to
provide evidence, the picture starts to form.

It is relatively easy to detect spam, it is easy to have enough
honeypots & filters matching corresponding bgp lookups to find out
path information. Immediately you have a technique which - regardless
of the lists a spammer reads - will catch spammers. By working as a
community, the accuracy and speed of detection increases. By sharing
information, things improve.

The problem is certainly not detection!! (in contrast to the claimed
need to hide detection methods)

Posting to a list like this telling everyone to block traffic might be
in some people's eyes as ok, but there are a few problems:
1) No peer review. The data has not been checked, the prefixes might
be incorrect. The methods might be completely wrong - who knows! This
is certainly the #1 issue.
2) Length of time to implement. Most serious ASs would do sanity
checking and even possibly a change window or at least a signoff.
3) Post advertisement removal. What process do ASs have in place to
check and remove these rules? More sanity checking and another change.
4) The comment about ARIN, as if to imply that they are supposed to
somehow 'police' the internet. This shows a complete lack of
understanding of the architecture of the internet.
5) A person who blocks gmail for their own - non customer affecting -
mail server cannot be in a position to advise of real - customer
affecting - changes, and shows a recklessness towards ad hoc blocking
of anything.

As a hypothetical situation, say a new customer pops up on a network
with a prefix and origin that haven't been seen before.
This customer badly configured their mail server, it's an open relay.
Spammers being smart, watch new BGP advertisements knowing that this
might be the case.
Some kind sir sees the spam coming from the open relay and posts on
here, telling everyone to block it, thus completely killing the new
customer network before it's even got off the ground properly.
By the time it has come around, half the ISPs are blocking it and they
are completely screwed all because of 1 mistake and someone not having
their information peer reviewed and no action to notify or help out
the ISP.

Posting ASs & prefixes for people to block without any questioning is
just plain stupid and not the way to handle it.
If the goal is to get rid of spam, then why not put brains together
and come up with a much better system. IETF? Independent working
group?
I can think of a number of ideas as I am typing this that could be
beneficial. I am happy of course to share with anyone interested.

Sure, people can post pretty much what they want and people can choose
to use or ignore, but we are a bit past that argument now.
There has been (to use your method) *zero* technical reasons
supporting the argument of blocking these prefixes. If you know of
one, please voice it.

ps. I have also received posts offline about the support for blocking
gmail / hotmail / whatever. I can appreciate that it is your own
personal infrastructure, you have your reasons, and if it works for
you then good. I certainly wouldn't do it for my customers, otherwise
they would constantly call. Phone spam :)
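The detection approach described in the post above (honeypot hits matched against BGP lookups to find the originating AS) is sketched here as an added example; it is not code from anyone in this thread. The prefix table and honeypot hits are constructed sample data with hypothetical ASNs, and the output is a review list for humans rather than a filter, in line with the peer-review point made above.

```python
import ipaddress
from collections import Counter

# Constructed BGP table: (prefix, origin ASN). Hypothetical values only;
# a real deployment would load this from a route feed.
PREFIX_TABLE = [
    ("192.0.2.0/24", 64500),
    ("198.51.100.0/24", 64501),
    ("203.0.113.0/24", 64502),
    ("203.0.113.128/25", 64503),  # more-specific with a different origin
]

# Constructed honeypot hits: source IPs that delivered mail to trap addresses.
HONEYPOT_HITS = [
    "192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13",
    "198.51.100.7",
    "203.0.113.200", "203.0.113.201", "203.0.113.202",
    "203.0.113.5",
    "100.64.0.1",  # not in the table: unrouted as far as we can see
]


def build_table(entries):
    """Parse (prefix, asn) pairs into ip_network objects for matching."""
    return [(ipaddress.ip_network(p), asn) for p, asn in entries]


def origin_asn(ip, table):
    """Longest-prefix match: origin ASN for ip, or None if no covering prefix."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


def spam_by_asn(hits, table):
    """Count honeypot hits per origin ASN (None collects unmatched sources)."""
    counts = Counter()
    for ip in hits:
        counts[origin_asn(ip, table)] += 1
    return counts


def candidates_for_review(counts, threshold):
    """ASNs at or above threshold, sorted; this is input to peer review, not a blocklist."""
    return sorted(asn for asn, n in counts.items() if asn is not None and n >= threshold)


if __name__ == "__main__":
    table = build_table(PREFIX_TABLE)
    counts = spam_by_asn(HONEYPOT_HITS, table)
    print(dict(counts), candidates_for_review(counts, threshold=3))
```

The more-specific /25 shows why the lookup must be longest-prefix: a /24-only view would attribute the 203.0.113.200-202 hits to the wrong AS, which is exactly the kind of error unreviewed prefix lists propagate.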

Isn't this what the Team Cymru Bogons list is for? http://www.team-cymru.org/Services/Bogons/

List bad ASNs after proper investigation?

It then depends if you trust Team Cymru or not, like you would trust or not Spamhaus...

Isn't this what the Team Cymru Bogons list is for? http://www.team-cymru.org/Services/Bogons/

I just had a very quick look at that site and it seems at first glance
to just be providing information on unallocated prefixes/ASs..
They are prefixes/ASs that spammers can and do use, but if you have a
look at cidr report or potaroo then you will see that an ISP who
filters based on that will cause some issues (allocation records are
not always up to date).

List bad ASNs after proper investigation?

Not really, just based on registry information as far as I can see.
For instance, if a known and stable AS suddenly started originating
spam, it doesn't look like that would appear on the site.

It then depends if you trust Team Cymru or not, like you would trust or not Spamhaus...

Trust will always be the issue. Peer review and communication is one
way of building trust.

Then you have:
http://www.uceprotect.net/en/rblcheck.php

Which has a level to identify IPs belonging to an ASN which has been reported as spewing spam...

The only issue here, is that this site has listed whole countries... Yes, some countries are behind one ASN only...