I am wondering if anyone here has experience with the Spamhaus DROP, EDROP and BGPCC BGP feeds, for null routing hijacked prefixes, and prefixes which contain (only) malicious users.
We currently already use a Team Cymru feed for null routing bogons. Would you reckon that the Spamhaus lists offer many valid additions to the Team Cymru feeds? Did you have any disputes about prefixes that are announced as malicious use by Spamhaus with customers or other ISPs?
At a previous employer we used both the Team Cymru feed and the Spamhaus
DROP and EDROP lists to block badness and about twice a year at first we’d
see our own customers listed on the Team Cymru lists then we’d see none in
the year. I was at that place for over 10 years. The Team Cymru list was
enabled 8 years ago now and Spamhaus DROP and EDROP lists were enabled about
3-4 years ago.
The Spamhaus DROP and EDROP lists never listed our own customers and just
seemed to list serious badness with no false positive issues that I can
recall. At first we used the /32’s on the DROP and EDROP lists only and
then later we started allowing the larger prefixes into our routing without
any disputes or false positives.
We're also interested in using their BGP feeds, but their website (spamhaustech.com) doesn't give much confidence about their technical prowess. Trying to get a simple quote for BGP feeds is...interesting.
Probably not a bug, but par for their technical prowess. The SpamTeq
website includes your account number and password in every URI. I'm not
sure I'd trust a company that does something as terrible as that to
practice good coding elsewhere and not cause major damage with their data
feeds.
In article <030101cf0e0e$71088af0$5319a0d0$@truenet.com> you write:
> Looks like a bug, if you stick a 1 in total email users:
> Per Year: $504.00
No, that's right. If you're a tiny little network, you can
use the public DNS servers for the BL lookups, and you can
FTP the text version of DROP and turn it into firewall
rules or whatever. That's what I do (hack perl scripts
available on request.)
The BGP feed is intended for networks large enough to need BGP.
I ran that awhile back without issue. But not anymore. Last year I added
the $250/yr BOTNETCC list which is BGP-only. And it was too convenient to
move the DROP/EDROP lists into BGP for an additional $250.
It works as advertised. The BOTNETCC list is only v4/32s and more dynamic
than the other lists. It's up to you to set it up correctly so an accident
doesn't blackhole your own prefixes...or favorite offshore gambling site.
:-p
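The "FTP the text version of DROP and turn it into firewall rules" approach from the earlier reply, with the guard against blackholing your own prefixes that the last message warns about, as an added example (not any poster's script). It assumes the drop.txt layout of one prefix per line followed by "; SBL reference" with ";"-prefixed comment lines, a hypothetical OWN_PREFIXES list, and a constructed sample feed.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample in the drop.txt layout (prefixes and SBL numbers are made up).
SAMPLE_DROP = """\
; Spamhaus DROP List (constructed sample, not a real download)
; Last-Modified: example
1.10.16.0/20 ; SBL000001
5.134.128.0/19 ; SBL000002
192.0.2.0/24 ; SBL000003
203.0.113.64/32 ; SBL000004
"""

# Hypothetical: address space this network originates or routes for customers.
# Anything in the feed that overlaps it is never turned into a null route.
OWN_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "203.0.113.0/24")]


def parse_drop(text: str) -> List[ipaddress.IPv4Network]:
    """Return the networks listed in a drop.txt-style feed, skipping comments."""
    nets = []
    for line in text.splitlines():
        # Everything after ";" is the SBL reference or a comment; drop it.
        entry = line.split(";", 1)[0].strip()
        if not entry:
            continue
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def safe_entries(nets, own=OWN_PREFIXES) -> Tuple[list, list]:
    """Split feed entries into (accept, reject); reject anything overlapping our own space."""
    accept, reject = [], []
    for n in nets:
        if any(n.overlaps(o) for o in own):
            reject.append(n)   # would blackhole ourselves: log it, do not install it
        else:
            accept.append(n)
    return accept, reject


def null_routes(nets) -> List[str]:
    """Render accepted prefixes as Linux blackhole routes (one flavour of 'firewall rules')."""
    return [f"ip route add blackhole {n.with_prefixlen}" for n in nets]


if __name__ == "__main__":
    ok, skipped = safe_entries(parse_drop(SAMPLE_DROP))
    print("\n".join(null_routes(ok)))
    print("skipped (overlaps own prefixes):", [str(n) for n in skipped])
```

The same overlap check applies when accepting the BGP feed instead of the text file: a prefix-list or route-map that rejects your own aggregates before the feed's routes are installed.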