Experiences with Spamhaus BGP DROP, EDROP and BGPCC BGP feeds

Hi,

I am wondering if anyone here has experiences with the Spamhaus DROP, EDROP and BGPCC BGP feeds, for null routing hijacked prefixes, and prefixes which contain (only) malicious users.

http://www.spamhaus.org/bgpf/

We currently already use a Team Cymru feed for null routing bogons. Would you reckon that the Spamhaus lists offer many valid additions to the Team Cymru feeds? Did you have any disputes about prefixes that are announced as malicious use by Spamhaus with customers or other ISPs?

Any responses, on or off list are appreciated.

Thanks,

Dennis Hagens
Network Engineer
AS 24875

At a previous employer we used both the Team Cymru feed and the Spamhaus
DROP and EDROP lists to block badness and about twice a year at first we’d
see our own customers listed on the Team Cymru lists then we’d see none in
the year. I was at that place for over 10 years. The Team Cymru list was
enabled 8 years ago now and Spamhaus DROP and DROP lists were enabled about
3-4 years ago.

The Spamhaus DROP and EDROP lists never listed our own customers and just
seemed to list serious badness with no false positive issues that I can
recall. At first we used the /32’s on the DROP and EDROP lists only and
then later we started allowing the larger prefixes into our routing without
any disputes or false positives.

We're also interested in using their BGP feeds, but their website (
spamhaustech.com) doesn't give much confidence about their technical
prowess. Trying to get a simple quote for BGP feeds is...interesting.

-richard

Richard, I would be more than happy to get you in touch with someone who can help you.

Technically they are very good.

Tom

I would also like that contact, I've been trying to get the same quote for
feed only for months.

Thanks,
Bryan

Replied off list.

Hi TR,

This looks like a very promising service to me as well.

Could you hit me off list with the pricing contact?

The pricing on http://www.spamhaustech.com/datafeed/pricecalculator.lasso is
a little high ($9,223,372,036,854,780,000.00/yr).

:)

Thanks,
Adam

Looks like a bug, if you stick a 1 in total email users:
Per Year: $504.00

Ah yes, indeed. Makes much more sense. Interesting that they price per email
accounts serviced. I guess that's how they determine your relative size.

Interesting the idea of using this service in conjunction with Team Cymru's
BOGON lists.

Probably not a bug, but par for their technical prowess. The SpamTeq
website includes your account number and password in every URI. I'm not
sure I'd trust a company that does something as terrible as that to
practice good coding elsewhere and not cause major damage with their data
feeds.

-richard

In article <030101cf0e0e$71088af0$5319a0d0$@truenet.com> you write:

Looks like a bug, if you stick a 1 in total email users:
Per Year: $504.00

No, that's right. If you're a tiny little network, you can
use the public DNS servers for the BL lookups, and you can
FTP the text version of DROP and turn it into firewall
rules or whatever. That's what I do (hack perl scripts
available on request.)

The BGP feed is intended for networks large enough to need BGP.

R's,
John

Here's a working Bash script to sync the freely available DROP/EDROP lists
into a quagga/linux route server. https://gist.github.com/dotysan/8463112

I ran that awhile back without issue. But not anymore. Last year I added
the $250/yr BOTNETCC list which is BGP-only. And it was too convenient to
move the DROP/EDROP lists into BGP for an additional $250.

It works as advertised. The BOTNETCC list is only v4/32s and more dynamic
than the other lists. It's up to you to set it up correctly so an accident
doesn't blackhole your own prefixes...or favorite offshore gambling site.
:-p

../C
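
Two points from the thread, turning the text version of DROP into rules and making sure an accident doesn't blackhole your own prefixes, shown together as an added example (not part of the thread and not the linked gist). It assumes the text list uses one `prefix ; SBL reference` entry per line with `;` starting a comment; the sample data, `PROTECTED` and `MIN_PREFIX_LEN` are constructed for illustration.

```python
import ipaddress

# Constructed sample in the assumed DROP text layout ("prefix ; reference").
# Prefixes are documentation ranges and the SBL references are placeholders.
SAMPLE_DROP = """\
; Constructed sample, not real Spamhaus data
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
203.0.113.0/24 ; SBL000003
0.0.0.0/0 ; SBL000004
not-a-prefix ; SBL000005
"""

# Assumption: prefixes this network originates or must never null route.
PROTECTED = ["198.51.100.0/24"]
MIN_PREFIX_LEN = 8  # assumption: anything shorter is treated as a feed error


def parse_drop(text):
    """Yield (network, reference) for each well-formed entry; skip the rest."""
    for line in text.splitlines():
        entry, _, ref = line.partition(";")
        entry = entry.strip()
        if not entry:
            continue  # comment or blank line
        try:
            yield ipaddress.ip_network(entry, strict=True), ref.strip()
        except ValueError:
            continue  # malformed prefix, or host bits set


def build_routes(text, protected=PROTECTED, min_len=MIN_PREFIX_LEN):
    """Return (accepted route commands, rejected (prefix, reason) pairs)."""
    guard = [ipaddress.ip_network(p) for p in protected]
    accepted, rejected = [], []
    for net, _ref in parse_drop(text):
        if net.prefixlen < min_len:
            rejected.append((str(net), "too short"))
        elif any(net.version == g.version and net.overlaps(g) for g in guard):
            rejected.append((str(net), "overlaps protected prefix"))
        else:
            accepted.append(f"ip route replace blackhole {net}")
    return accepted, rejected


if __name__ == "__main__":
    routes, skipped = build_routes(SAMPLE_DROP)
    print("\n".join(routes))
    for prefix, reason in skipped:
        print(f"# skipped {prefix}: {reason}")
```

The commands are only printed, so the accepted and rejected sets can be reviewed before anything touches the routing table.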