Purchased IPv4 Woes

Hi All,

     Hopefully this is not taken in bad taste. Our organization purchased some IP space last year (163.182.192.0/18 to be specific), and it appears that this block must have been used for less-than-admirable purposes in the past.

We have been trying to clean up the reputation where possible, and we do not appear to be on any blacklists, but we do appear to be blocked from a lot of networks across the US/Canada. I am noticing a lot of name servers blocking our requests, many web servers, gaming servers, mail etc.

This is a transition block for us to move towards v6 everywhere, but we have many systems that will need to rely on this block of space for some time to come.

We are a small rural co-op ISP in Ontario, and I am just writing this email as an extra plea so that if you happen to run a network that has this entire range on your naughty list, we would appreciate you giving it another chance. I can be contacted on or off list, thanks.

Out of curiosity, who were the previous owner(s)? It seems that ARIN only shows the current owner with any history. If it was a Chinese/Russian block, you might be out of luck.

It looks like Spamhaus has your entire /16.

https://stat.ripe.net/163.182.192.0%2F18#tabId=anti-abuse

Which broker did you use for the transaction?

Did you get a discount for knowingly accepting a dirty block or is this a
surprise?

Are folks asking for warranties on acquired addresses these days?

Cheers,

-M<

Best,

-M<

The previous owner was XELAS Software in Marina Del Rey, California. I still see it listed on some geoIP databases, but those have been cleaned for the most part.

I'm not sure if someone had it before them and they just got rid of it because of these issues, so I don't want to point fingers at XELAS by any means.

Looks like it was taken off the list in Sept 2016. I suppose this could be the reason why our block is still listed in various networks, even though it's not on a known 'official' list.

Thanks for the tip Mike.

Indeed.

Let this be a lesson: when purchasing blocks, one MUST do their due diligence. Check the RBLs, senderbase, previous owner reputation, etc. before buying.

Caveat emptor.

Validating is a lot of work, but you have to do it. I know there are lots
of blocks with RBL problems. Some spammers make so much money, they easily
afford to buy small blocks, abuse them to make money, buy more blocks and
put the old ones up for sale. Careful: price is rarely a tell about a bad
block. Only the cost of their first block is their initial sunk cost, as
they cycle through blocks.

Thank You
Bob Evans
CTO
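The two posts above recommend checking the RBLs and the parent block before buying. The script below is an added example, not code written by anyone in this thread: it parses a Spamhaus DROP-style text list (real format: one `CIDR ; SBL-id` entry per line, `;` starts a comment) and reports entries overlapping the block or its /16 parent, then looks up one address per /24 in a DNSBL using the reversed-octet query name. The zone name zen.spamhaus.org is real; the DROP lines, the SBL ids and the DNSBL answers embedded here are constructed test data so the script runs offline, and `live_resolver` (plain `socket.gethostbyname`, which needs network access) is what you would pass for a real check. DNSBL return codes are zone-specific, so the code only treats any 127.0.0.0/8 answer as "listed" rather than decoding it.

```python
"""Pre-purchase reputation checks for an IPv4 block (added example)."""
import ipaddress
import socket

# Constructed sample in the Spamhaus DROP text format ("CIDR ; SBL-id").
# One entry covers the /16 parent of the block under review, one is unrelated.
# The SBL ids are placeholders, not real listings.
SAMPLE_DROP_TEXT = """\
; Spamhaus DROP List (constructed sample, NOT live data)
163.182.0.0/16 ; SBL-PLACEHOLDER-1
198.51.100.0/24 ; SBL-PLACEHOLDER-2
"""

# Constructed DNSBL answers keyed by query name; any name absent is NXDOMAIN.
# A DNSBL answers with a 127.0.0.0/8 address when the queried IP is listed.
SAMPLE_DNSBL_ANSWERS = {
    "1.192.182.163.zen.spamhaus.org": ["127.0.0.2"],
}

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def parse_drop_list(text):
    """Parse DROP-format text into ip_network objects, skipping comments."""
    nets = []
    for line in text.splitlines():
        cidr = line.split(";", 1)[0].strip()
        if cidr:
            nets.append(ipaddress.ip_network(cidr, strict=False))
    return nets


def drop_overlaps(block, drop_nets):
    """DROP entries that contain the block or sit inside it, as strings."""
    block = ipaddress.ip_network(block, strict=False)
    return [str(n) for n in drop_nets if n.overlaps(block)]


def dnsbl_query_name(ip, zone):
    """Reversed-octet DNSBL name, e.g. 4.3.2.1.zen.spamhaus.org for 1.2.3.4."""
    octets = str(ipaddress.ip_address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def sample_addresses(block, probe_prefix=24):
    """The .1 of every /24 in the block: 64 lookups for a /18 instead of 16384."""
    block = ipaddress.ip_network(block, strict=False)
    if block.prefixlen >= probe_prefix:
        return [str(block[0])]
    return [str(sub[1]) for sub in block.subnets(new_prefix=probe_prefix)]


def dict_resolver(answers):
    """Offline resolver backed by a dict; returns [] for NXDOMAIN."""
    return lambda name: list(answers.get(name, []))


def live_resolver(name):
    """Real lookup (needs network). gethostbyname raises gaierror on NXDOMAIN."""
    try:
        return [socket.gethostbyname(name)]
    except socket.gaierror:
        return []


def dnsbl_listed(block, zone, resolver):
    """Map each sampled address that the DNSBL lists to its answer records."""
    hits = {}
    for ip in sample_addresses(block):
        answers = [a for a in resolver(dnsbl_query_name(ip, zone))
                   if ipaddress.ip_address(a) in LISTED_RANGE]
        if answers:
            hits[ip] = answers
    return hits


def due_diligence(block, drop_text, zone, resolver):
    """DROP overlaps for the block and its /16 parent, plus sampled DNSBL hits.

    The parent check is the one the thread's poster skipped: a /18 can look
    clean while a sibling /18 inside the same /16 carries the listing.
    """
    net = ipaddress.ip_network(block, strict=False)
    parent = net.supernet(new_prefix=16) if net.prefixlen > 16 else net
    drop_nets = parse_drop_list(drop_text)
    return {
        "block": str(net),
        "parent": str(parent),
        "drop_overlaps_block": drop_overlaps(net, drop_nets),
        "drop_overlaps_parent": drop_overlaps(parent, drop_nets),
        "dnsbl_hits": dnsbl_listed(block, zone, resolver),
    }


if __name__ == "__main__":
    # Offline run against the constructed data; swap in live_resolver and the
    # current DROP text for a real pre-purchase check.
    report = due_diligence("163.182.192.0/18", SAMPLE_DROP_TEXT,
                           "zen.spamhaus.org", dict_resolver(SAMPLE_DNSBL_ANSWERS))
    for key, value in report.items():
        print(f"{key}: {value}")
```

A clean result from this script is necessary but not sufficient: as the rest of the thread shows, private filter rules inside individual networks never publish their listings, so a block can pass every public check and still be dropped.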

We used giglinx. There was a third party that was validating the blocks, and they/we caught a lot of issues with the first block for offer.

This was the second block offered, and it looked decent, but I never personally checked the /16 parent. I was only looking at the /18. The reason I made this post is to try and catch the things I couldn't see. We don't appear to be on any lists (RBLs, senderbase look good), but obviously we are still in people's filtering rules. The big one was Spamhaus DROP, but that was removed before we purchased the block.

The previous owner looked fine too; it was actually the owner before the last that seemed to have been the cause of a lot of the bad rep, but again that was cleaned up before we ever even made the request to buy.

I am interested in what broker you used as well. We have used a few that do a little due diligence on their end, but we still do our own. We have seen an auction pulled due to the space having a bad reputation, but we were the ones who had to step up and say something.

Justin Wilson
j2sw@mtin.net

Maybe a silly idea, but shouldn't the sale of a block of addresses (RIR ownership change) trigger a removal of that block from all reputation list databases? If I buy a car from a police auction, I'm fairly sure the FBI doesn't start tailing me, because the car was once used for less than legal purposes. New owner, clean slate.

Chuck

What should and does happen are two different things. The reputation lists aren't a regulated entity. The FBI is.

Chuck,

Maybe a silly idea, but shouldn't the sale of a block of addresses (RIR ownership change) trigger a removal of that block from all reputation list databases? If I buy a car from a police auction, I'm fairly sure the FBI doesn't start tailing me, because the car was once used for less than legal purposes. New owner, clean slate.

That would be an awful easy way to allow people to game the entire
reputation list system by simply creating more companies and passing
ownership around.

This could work if the system "knows" that the buyer isn't going to
use the netblock for spamming, but that's next to impossible to do in
any kind of automated fashion.

Thanks!

Stephen

How does Spamhaus find out the block has been resold?

How do other DNS-based blacklist operators find out?

How do all the AS's that have their own internal blacklists find out that
they should fix their old listings? (Note that this is the exact same problem
as "We got blacklisted because of a bad customer, we axed the customer, but
we're still blacklisted", which has been an unsolved problem for decades now).

And it's awfully easy to game the system by just reselling the block between
a group of shell companies run by bad actors.

If we'd not seen many, MANY instances where this was done as a ruse
to present the appearance of an ownership change while a block was
actually still controlled by the same entity (or their partners or
similar) then yes, maybe this might be a viable approach.

--rsk

They could watch the routing table and notice which ASN is actually using
the address space. In fact ASN reputation might work better than IP space
reputation.

Fact is that the current approach does nothing to stop spammers from
swapping space when they are done abusing one space. The argument that
clearing the slate for sold space would make it easy to game the system
does not hold. It is already trivial.

The sad fact is that entities like Spamhaus simply do not care. Not even
though they are not succeeding in hurting actual spammers. Not even though
they are making their own service less useful.

Regards

Baldur

Maybe a silly idea, but shouldn't the sale of a block of addresses (RIR
ownership change) trigger a removal of that block from all reputation list
databases? If I buy a car from a police auction, I'm fairly sure the FBI
doesn't start tailing me, because the car was once used for less than legal
purposes. New owner, clean slate.

How does Spamhaus find out the block has been resold?

How do other DNS-based blacklist operators find out?

How do all the AS's that have their own internal blacklists find out that
they should fix their old listings? (Note that this is the exact same problem
as "We got blacklisted because of a bad customer, we axed the customer, but
we're still blacklisted", which has been an unsolved problem for decades now).

And it's awfully easy to game the system by just reselling the block between
a group of shell companies run by bad actors.

How does Spamhaus find out the block has been resold?

How do other DNS-based blacklist operators find out?

From the REGISTRY as the ultimate custodian of the IP block.

How do all the AS's that have their own internal blacklists find out that
they should fix their old listings? (Note that this is the exact same problem
as "We got blacklisted because of a bad customer, we axed the customer, but
we're still blacklisted", which has been an unsolved problem for decades now).

From the REGISTRY as the ultimate custodian of the IP block.

"We got blacklisted because of a bad customer, we axed the customer, but
we're still blacklisted" is a FAR call from what this discussion is about.
"I got blacklisted because someone else that has NO relevance to me
whatsoever was stupid" is more accurate. You can't punish the purchaser of an
IP block because of what previous owners of the IP block did.

If I receive a dynamic IP from my ISP on dialup, and the previous user
using that IP hacked the FBI... Am I now to blame because the FBI got
hacked? NO! The previous user of the IP is responsible!

And it's awfully easy to game the system by just reselling the block between
a group of shell companies run by bad actors.

Yes - just like we're playing ping pong with NetFlix (and others) and VPN
providers because of geo restricted content too :)

It's a losing battle, and a failed system. Don't blame the purchaser;
it's a lack of oversight on the part of whoever does the blacklisting.
And that should form part of being RESPONSIBLE when you DO decide to
blacklist / unblacklist IP blocks. There are FAR too many companies on the
Internet that simply do what they want, when they want.

I (or anyone else - I haven't purchased IP space from any other source
other than registries, yet) can't be held liable for what others have
done. Whether it's IP space, whether it's breaking and entering, whether
it's fraud, it doesn't matter. I did not commit the act, and I can't be
held liable. You're punishing the wrong person, for the wrong reason.

The fact that there's companies out there, CAMPING on /8s which they do not
use and yet refuse to return, is exactly why the internet is sitting in
this predicament.

+1

And not only the originating ASN, but to a lesser extent, adjacent ASNs too.

BGP routing table entries examined: 639225
    Prefixes after maximum aggregation (per Origin AS): 248678
    Deaggregation factor: 2.57
    Unique aggregates announced (without unneeded subnets): 307752
Total ASes present in the Internet Routing Table: 56403

As 56,000 AS's all start querying each of the registries (ARIN, RIPE, APnic,
LACNIC, and AfriNic) for all 639,000 objects once a day, to see which dozen of
those got sold yesterday.

Sure, that will work. (And no, the problem isn't the number of http hits
on the registries. 35,840,000,000 hits per day is the easy part...)

And yet, there's no problems of BILLIONS of queries against RBL DNS servers?