IP reputation lookup (prefix not single IP)

Hello all,

I’ve seen other folks asking the same/similar question in the past, but I don’t recall seeing more than a few options out there to *try* to suss this out. The use case is someone I’m working with who is looking to buy a v4 block from a broker.

So far I’ve checked Talos and Sorbs (both allow a prefix lookup). Most of the other RBL/multi-RBL sites want a single IP (the use case being email, of course). I won’t abuse their service by trying to look up each single IP in the block...

Could anyone share anything/anywhere else I might look to get crumbs of info on a given prefix?

Thanks.

If you are willing to pay, hetrixtools is an option.

I’ll second Hetrix tools. We use them, they’re great.

Hi,

If you are interested in using our brokerage services, we offer (among other details - whois, whowas, geolocation, routing history) complete blacklist checks for all blocks added to our platform at www.v4escrow.com

Feel free to contact me in private for more details.

Elvis
V4Escrow CEO

Excuse the briefness of this mail, it was sent from a mobile device.

I think you will find that most SMTP / anti-spam focused RBL tools give a very similar result for IP reputation on a per /24 block basis, for any randomly chosen IP in the block, particularly where the /24 in question has previously been used and announced by a dedicated server/VPS/virtual server hosting company.

> I think you will find that most SMTP / anti-spam focused RBL tools
> give a very similar result for IP reputation on a per /24 block basis

got cites? this got me curious the other day.

randy

Nothing more than anecdotal evidence, from when I last looked into the externally available network details of a number of low-budget VPS hosting companies… I would say that if anything, a person who really knows what they’re doing operating a proper MX will face more difficulties today than they did 3, 5 or 7 years ago operating the system in the same netblocks as IPs which have been previously abused.

For obvious reasons the IP reputation systems and antispam tools at the biggest destinations (gsuite/gmail, office365, etc) are treated as closely guarded proprietary data.

My personal theory on a whole /24 acquiring a poor reputation, is that it does have some correlation with the density of random $5/mo VPS customers and the turnover of different customers between the same small group of IPs. And exactly how many misconfigured smtp sources have existed in that block within some previous range of time, how much spam has been reported/flagged, etc.

Hi,

> I think you will find that most SMTP / anti-spam focused RBL tools
> give a very similar result for IP reputation on a per /24 block basis

Since I started working as an IPv4 Broker I've done tens of thousands of scans (for blocks of IPs) in hundreds of blocklists.

There are a handful of blocklists that will list the whole block (that may be a /24 or even a /16) - Spamhaus is an example.

However, most blocklists will list only the IPs that have actually sent spam. Barracuda, spamrats, etc.

> got cites? this got me curious the other day.
>
> randy

Randy, I can share our data with you if you want to do an analysis of the data, I may find a way to give you access to our historic blocklist checks database. We can discuss in private.

> ---
> randy@psg.com
> `gpg --locate-external-keys --auto-key-locate wkd randy@psg.com`
> signatures are back, thanks to dmarc header butchery

cheers,

elvis

It appears that Elvis Daniel Velea <elvis@velea.eu> said:

> There are a handful of blocklists that will list the whole block (that
> may be a /24 or even a /16) - Spamhaus is an example.

No, they don't.

Spamhaus may expand a listing to a /24 or bigger when they see a
pattern of abuse from a network but the SBL starts by listing one IP
at a time. The XBL, which is run automatically, only lists individual
IPs.

They also have the PBL, Policy Block List, which lists ranges that the
network operators say shouldn't be sending mail in the first place.

Also keep in mind that "most blocklists" is meaningless. Any moron can
run a blocklist, and many morons do. The vast majority of blocklists
are used by close to nobody, and only a handful are widely enough used
to matter.

R's,
John
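The SBL/XBL/PBL distinction above, and the original poster's reluctance to hammer a list with one query per address, both come down to how a DNSBL is actually queried: reverse the octets, append the list zone, and interpret the A record that comes back. The block below is an added example, not code from the thread or from Spamhaus, that builds those query names for every address in a prefix, decodes the ZEN return codes (from Spamhaus' published list; check it against current documentation before relying on it), caps the number of queries, and stops as soon as the list answers "query limit exceeded". The resolver is injected as a function, so the block runs offline against a constructed answer table for TEST-NET-1 addresses with invented listings; in real use you would pass a function that does an A lookup and returns an empty list on NXDOMAIN.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Spamhaus ZEN return codes, as documented by Spamhaus (verify against the
# current list; this table is part of the added example, not from the thread).
SPAMHAUS_CODES = {
    "127.0.0.2": "SBL",            # manually listed spam source
    "127.0.0.3": "SBL-CSS",        # automated SBL component
    "127.0.0.4": "XBL",            # compromised host / open proxy, one IP at a time
    "127.0.0.9": "SBL-DROP",       # DROP/EDROP hijacked or criminal ranges
    "127.0.0.10": "PBL-ISP",       # policy: ISP says this range should not send mail
    "127.0.0.11": "PBL-Spamhaus",  # policy: Spamhaus-maintained PBL entry
}
# Answers that describe a problem with the query itself, not a listing.
QUERY_ERRORS = {
    "127.255.255.252": "typo in DNSBL zone name",
    "127.255.255.254": "query via open/public resolver refused",
    "127.255.255.255": "query limit exceeded",
}
ZONE = "zen.spamhaus.org"

# A resolver maps a query name to the A records returned ([] means NXDOMAIN,
# i.e. not listed).  Injected so the block can run offline.
Resolver = Callable[[str], List[str]]


def dnsbl_qname(ip: str, zone: str) -> str:
    """Build the DNSBL query name: octets reversed, then the list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def decode_answers(answers: List[str]):
    """Split A-record answers into listing names and query-level errors."""
    listed, errors = set(), set()
    for a in answers:
        if a in QUERY_ERRORS:
            errors.add(QUERY_ERRORS[a])
        elif a in SPAMHAUS_CODES:
            listed.add(SPAMHAUS_CODES[a])
        elif a.startswith("127.0.0."):
            listed.add("unknown:" + a)      # new code we do not know yet
    return sorted(listed), sorted(errors)


@dataclass
class ScanResult:
    hits: Dict[str, List[str]] = field(default_factory=dict)  # ip -> listings
    errors: List[str] = field(default_factory=list)           # query problems seen
    queried: int = 0                                          # addresses actually queried


def scan_prefix(prefix: str, zone: str, resolve: Resolver,
                max_queries: int = 256) -> ScanResult:
    """Query every address in `prefix`, but never more than `max_queries`
    (so a /16 is not hammered), and stop at the first 'query limit exceeded'."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    result = ScanResult()
    for addr in net:
        if result.queried >= max_queries:
            result.errors.append(f"stopped after {max_queries} queries")
            break
        listed, errors = decode_answers(resolve(dnsbl_qname(str(addr), zone)))
        result.queried += 1
        if listed:
            result.hits[str(addr)] = listed
        for e in errors:
            if e not in result.errors:
                result.errors.append(e)
        if "query limit exceeded" in errors:
            break
    return result


def summarize(result: ScanResult) -> Dict[str, int]:
    """Count addresses per list.  PBL-only hits are policy, not evidence of
    abuse; SBL/XBL hits are what a buyer actually cares about."""
    counts: Dict[str, int] = {}
    for listings in result.hits.values():
        for name in listings:
            counts[name] = counts.get(name, 0) + 1
    return dict(sorted(counts.items()))


# Constructed answer table for the offline demonstration: TEST-NET-1
# addresses (192.0.2.0/24) with invented listings.
FAKE_ANSWERS = {
    dnsbl_qname("192.0.2.10", ZONE): ["127.0.0.4"],                # XBL: one compromised host
    dnsbl_qname("192.0.2.11", ZONE): ["127.0.0.2", "127.0.0.10"],  # SBL plus PBL
    dnsbl_qname("192.0.2.200", ZONE): ["127.0.0.10"],              # PBL only
}


def fake_resolve(qname: str) -> List[str]:
    return FAKE_ANSWERS.get(qname, [])


if __name__ == "__main__":
    r = scan_prefix("192.0.2.0/24", ZONE, fake_resolve)
    print(r.queried, "queried;", summarize(r), r.errors)
```

For a live run, wrap a real stub resolver (for example dnspython's `dns.resolver.resolve(qname, "A")`, returning `[]` on `NXDOMAIN`) and send the queries from your own resolver rather than a public one, since ZEN refuses queries relayed through large open resolvers. Raising `max_queries` above a /24's worth is the point at which the free query allowance becomes the limiting factor, which is exactly why the script stops on `127.255.255.255` instead of retrying.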

Hi,

> Also keep in mind that "most blocklists" is meaningless. Any moron can
> run a blocklist, and many morons do. The vast majority of blocklists
> are used by close to nobody, and only a handful are widely enough used
> to matter.

This moron ran a per-country/per-AS blocklist in the early 2000s which
was based on a DFZ BGP feed. I closed it off more than 10 years ago.

I just checked and I'm still receiving ~5 queries per second.

As per my anecdotal evidence, there are some really clueless operators
out there as well. There is, of course, the temptation to just add
a wildcard A record... But nah, I don't like hot places.

The other side-effect is that spammers are still very eager to use my
domain in their from: headers, judging by the amount of undeliverables
I receive (in waves).

Thanks,

Sabri

Same here. I have not publicised or updated my korea.services.net DNSBL for over a decade and it's still getting over 100 qps.