RE: Abuse procedures... Reality Checks

From: "Frank Bulk" <frnkblk@iname.com>
Subject: RE: Abuse procedures... Reality Checks
Date: Sat, 7 Apr 2007 16:20:59 -0500

> If they can't hold the outbound abuse down to a minimum, then
> I guess I'll have to make up for their negligence on my end.

Sure, block that /29, but why block the /24, /20, or even /8? Perhaps your
(understandable) frustration is preventing you from agreeing with me on this
specific case. Because what you usually see is an IP from a /20 or larger
and the network operators aren't dealing with it. In the example I gave
it's really the smaller /29 that's the culprit; it sounds like you want to
punish a larger group, perhaps as large as an AS, for the fault of a smaller
network.

BLUNT QUESTIONS: *WHO* pays me to figure out 'which parts' of a provider's
network are riddled with problems and 'which parts' are _not_? *WHO* pays
me to do the research to find out where the end-user boundaries are? *WHY*
should _I_ have to do that work -- If the 'upstream provider' is incapable of
keeping _their_own_house_ clean, why should I spend the time trying to figure
out which of their customers are 'bad guys' and which are not?

A provider *IS* responsible for the 'customers it _keeps_'.

And, unfortunately, a customer is 'tarred by the brush' of the reputation
of its provider.

Smaller operators, like those that require just a /29, often don't have that
infrastructure. Those costs, as I'm sure you are aware, are passed on to
companies like yourself that have to maintain their own network's security.
Again, block them, I say, just don't swallow others up in the process.

If the _UPSTREAM_ of that 'small operator' cannot 'police' its own customers,
Why should _I_ absorb the costs that _they_ are unwilling to internalize?

If they want to sell 'cheap' service, but not 'doing what is necessary', I
see no reason to 'facilitate' their cut-rate operations.

Those who buy service from such a provider, 'based on cost', *deserve* what
they get, when their service "doesn't work as well" as that provided by the
full-price competition.

_YOUR_ connectivity is only as good as the 'reputation' of whomever it is
that you buy connectivity from.

You might want to consider _why_ the provider *keeps* that 'offensive'
customer. There would seem to be only a few possible explanations: (1) they
are 'asleep at the switch', (2) that customer pays enough that they can
'afford' to have multiple other customers who are 'dis-satisfied', or who
may even leave that provider, (3) they aren't willing to 'spend the money'
to run a clean operation. (_None_ of those seems like a good reason for _me_
to spend extra money 'on behalf of' _their_ clients.)

BLUNT QUESTIONS: *WHO* pays me to figure out 'which parts' of a provider's
network are riddled with problems and 'which parts' are _not_?

I don't know the answer in your case, but in my case the answer is my
employer. More specifically, my employer pays me to block junk and let good
traffic* through; that mandate does not include "block networks that we have
no reason to believe are junk in hopes of inflicting enough collateral
damage to force the spammers' upstream to clean up its act."

If your customers/employer/whomever understand they may miss data they
wanted to receive in order to help you put pressure on
lazy/abusive/incompetent ISPs, and they're okay with that, more power to
'em. I think probably more people are in my boat-- I can't afford to launch
a crusade, I just have to keep the bits flowing.

*On the other hand, in a corporate network "good traffic" can be more
strictly defined; for example I block most of APNIC, half of RIPE, most of
LACNIC and all of AFRINIC not because I think they're all spammy but because
we get no legitimate business traffic from those regions which makes their
signal-to-noise ratio effectively 0:infinite. So if you know a provider will
never** send you legit messages, go ahead and block. Otherwise,

**My sweeping xenoemailphobia has blocked 4 legit messages (3 of which were
personal non-work-related messages) in the past 6 years, and since my reject
message gives a workaround to reach me all 4 reached their intended
recipient. Compared to the 5-15k messages blocked per day over that span,
close enough to never for me-- and more importantly, for my boss.

Robert:

You still haven't answered the question: how wide do you block? You got an
IP address that you know is offensive. Is your default policy to blacklist
just that one, do the /24, go to ARIN and find out the size of that block
and do the whole thing, or identify the AS and block traffic from the dozen
if not hundreds of allocations they have? In only the first two cases is no
research required, but I would hope that the network who wants to blacklist
(i.e. GoDaddy) would do a little bit of (automated) legwork to focus their
abuse control.

You also have too dim and narrow a view of customer relationships. In my
case the upstream ISP is a member-owned cooperative of which the
sub-allocated space is either a member or a customer of a member. 1, 2, and
3 don't apply, rather, the coop works with their members to identify the
source of the abuse and shut it down. It's not adversarial as you paint it
to be. BTW, do you think the member-owned coop should be monitoring the
outflow of dozens of member companies and hundreds of sub-allocations they
have?

And it's not *riddled* with abuse, it's just one abuser, probably a dial-up
customer who is unwittingly infected, who while connected for an hour or two
sends out junk. GoDaddy takes that and blacklists the whole /24, affecting
both large and small businesses alike who are in other sub-allocated blocks
in that /24. Ideally, of course, each sub-allocated customer would have
their own /24 so that when abuse protection policies kick in and that
automatically blacks out a /24 only they are affected, but for address
conservation reasons that did not occur.

Frank

Sure, block that /29, but why block the /24, /20, or even /8?

Since nobody will route less than a /24, you can be pretty sure that
regardless of the SWIPs, everyone in a /24 is served by the same ISP.

I run a tiny network with about 400 mail users, but even so, my
semiautomated systems are sending off complaints about a thousand
spams a day that land in traps and filters. (That doesn't count about
50,000/day that come from blacklisted sources that I package up and
sell to people who use them to tune filters and look for phishes.) I
log the sources; when a particular IP has more than 50 complaints in a
month I usually block it, and if I see a bunch of blocked IPs in a range
I usually block the /24. Now and then I get complaints from users
about blocked mail, but it's invariably from an individual IP at an
ISP or hosting company that has both a legit correspondent and a
spam-spewing worm or PHP script. It is quite rare for an expansion to
a /24 to block any real mail.

My goal is to keep the real users' mail flowing, to block as much spam
as cheaply as I can, and to get some sleep. I can assure you from
experience that any sort of automated RIR WHOIS lookups will quickly
trip volume checks and get you blocked, so I do a certain number
manually, typically to figure out how likely there is to be someone
reading the spam reports. But on today's Internet, if you want to get
your mail delivered, it would be a good idea not to live in a bad
neighborhood, and if your ISP puts you in one, you need a better ISP.
That's life.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
"More Wiener schnitzel, please", said Tom, revealingly.

Um, with that reasoning, why not just block the whole /0 and
be done with it?

Seriously, I used to share your frustration and would block large
swaths of the Internet for rather minor offenses. I finally realized
this practice didn't help. Why not get yourself some sort of intrusion
detection/prevention system, or fully firewall your hosts? If you have
a spam problem, get an e-mail security appliance that uses reputation
filtering to reject connections.

matthew black
california state university, long beach

[...]

I can assure you from
experience that any sort of automated RIR WHOIS lookups will quickly
trip volume checks and get you blocked,

Does this happen when you only query for the network information and not the full contact information?

Regards,

Bingo. Read the note below again; it is the path to enlightenment.

Shein's law of resources:

  Needs, no matter how dire or just, do not alone create the
  resources necessary to fulfill.

Good advice. For various reasons, a majority of IP addresses within a
CIDR of any size being abusive is likely to cause the CIDR to be
blocked. While a majority could be considered as being half right, the
existence of the "bad neighborhood" demonstrates a lack of oversight for
the entire CIDR, which is also fairly predictive of future abuse.

-Doug

dotis@mail-abuse.org (Douglas Otis) writes:

Good advice. For various reasons, a majority of IP addresses within a
CIDR of any size being abusive is likely to cause the CIDR to be blocked.
While a majority could be considered as being half right, the existence
of the "bad neighborhood" demonstrates a lack of oversight for the entire
CIDR, which is also fairly predictive of future abuse.

that sounds like a continuum, but my experience requires more dimensions
than you're describing. for example, this weekend two /24's were hijacked
and used for spam spew. as my receivebot started blackholing /32's, the
sender started cycling to other addresses in the block. each address was
used continuously until it stopped working, then the next address came in.
while there were two /24's and two self-similar spam flows, there was not a
strict mapping of spam flow to packet flow -- both /24's emitted both kinds
of spam. "uniq -c" results are below. i've nominated both blocks to the
MAPS RBL, and i can't tell from whois whether it's worthwhile to complain
to the ISPs. would you say that i've learned anything of predictive value
concerning future spam from the containing /17 (CARI) or /15 (THEPLANET)?
or is this just another run of the mill BGP hijack due to some other ISP's
router having enable passwords still set to the factory default? (we all
owe randy bush a debt of gratitude for pushing on RPKI, by the way. anybody
can complain about the weather but very few people do something about it.)

   7 67.18.239.66
   2 67.18.239.67
   1 67.18.239.68
   1 67.18.239.69
   2 67.18.239.70
   5 67.18.239.71
   1 67.18.239.82
   1 67.18.239.83
   2 67.18.239.85
   2 67.18.239.87
   1 67.18.239.88
   3 67.18.239.89
   2 67.18.239.91
   2 67.18.239.92
   3 67.18.239.93
   4 67.18.239.94
   1 71.6.213.103
   1 71.6.213.105
   1 71.6.213.108
   4 71.6.213.159
   1 71.6.213.16
   5 71.6.213.160
   1 71.6.213.161
   7 71.6.213.162
   8 71.6.213.163
   6 71.6.213.166
   1 71.6.213.168
   6 71.6.213.170
   6 71.6.213.171
   2 71.6.213.172
   6 71.6.213.176
   5 71.6.213.179
   6 71.6.213.180
   2 71.6.213.181
   3 71.6.213.182
   3 71.6.213.19
   3 71.6.213.190
   1 71.6.213.191
   1 71.6.213.193
   1 71.6.213.202
   2 71.6.213.23
   5 71.6.213.26
   3 71.6.213.32
   5 71.6.213.65
   4 71.6.213.75
   6 71.6.213.8
   1 71.6.213.80
   1 71.6.213.87
   1 71.6.213.94
   1 71.6.213.96
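An added example, not written by any poster in this thread, that mechanises the two procedures argued over above: John Levine's per-IP complaint threshold with expansion to the /24 once several hosts in it are blocked (which is also the answer to the address cycling visible in Paul Vixie's listing: a sender that moves to the next /32 when one stops working is caught by the /24), together with Frank Bulk's objection that such a /24 block silences SWIPed sub-allocations that never sent anything. The thresholds, the complaint log and the /29 sub-allocation table are constructed for the example; the addresses reuse prefixes from the listing above, but the counts and the owner names are invented.

```python
"""Blocklist policy: block a /32 past a complaint threshold, widen to the /24
once several hosts in it are blocked, and report which documented
sub-allocations a /24 block catches as collateral.

Everything below is example code written for this page; thresholds, the
sample log and the sub-allocation table are constructed, not real data."""

from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed complaint log: one source IP per complaint (the input that
# "sort | uniq -c" would summarise). Prefixes borrowed from the listing in the
# thread; counts are made up.
SAMPLE_LOG = (
    ["71.6.213.162"] * 7 + ["71.6.213.163"] * 8 + ["71.6.213.170"] * 6
    + ["71.6.213.171"] * 6 + ["71.6.213.8"] * 6
    + ["67.18.239.66"] * 7 + ["67.18.239.71"] * 5
    + ["192.0.2.10"] * 9            # lone noisy host in TEST-NET-1
)

# Hypothetical SWIP/rwhois data: /29 sub-allocations inside the two /24s.
SUB_ALLOCATIONS = {
    "71.6.213.0/29": "coop-member-a",
    "71.6.213.160/29": "coop-member-b",
    "71.6.213.168/29": "coop-member-c",
    "67.18.239.64/29": "hosting-cust-1",
    "67.18.239.80/29": "hosting-cust-2",
}


def count_sources(log):
    """Per-IP complaint counts, i.e. what 'sort | uniq -c' produces."""
    return Counter(ip_address(line.strip()) for line in log)


def build_blocklist(counts, per_ip=5, hosts_per_24=3):
    """Return (sorted /32 blocks, sorted /24 blocks).

    A host is blocked once it reaches `per_ip` complaints. If at least
    `hosts_per_24` blocked hosts share a /24, the whole /24 is blocked and the
    /32s inside it are dropped, since the /24 already covers them. The
    escalation is what stops a sender that cycles through the block one
    address at a time.
    """
    blocked_hosts = {ip for ip, n in counts.items() if n >= per_ip}
    by_24 = defaultdict(set)
    for ip in blocked_hosts:
        by_24[ip_network(f"{ip}/24", strict=False)].add(ip)
    blocked_24s = {net for net, hosts in by_24.items() if len(hosts) >= hosts_per_24}
    remaining_32s = {
        ip_network(f"{ip}/32") for ip in blocked_hosts
        if ip_network(f"{ip}/24", strict=False) not in blocked_24s
    }
    return sorted(remaining_32s), sorted(blocked_24s)


def collateral(blocked_24s, counts, per_ip=5, sub_allocations=SUB_ALLOCATIONS):
    """For each /24 block, list the documented sub-allocations inside it that
    contributed no blocked host: the neighbours the block silences for
    nothing they did."""
    blocked_hosts = {ip for ip, n in counts.items() if n >= per_ip}
    report = {}
    for net in blocked_24s:
        innocent = []
        for prefix, owner in sub_allocations.items():
            sub = ip_network(prefix)
            if sub.subnet_of(net) and not any(ip in sub for ip in blocked_hosts):
                innocent.append((prefix, owner))
        report[str(net)] = innocent
    return report


if __name__ == "__main__":
    counts = count_sources(SAMPLE_LOG)
    hosts, nets = build_blocklist(counts)
    print("block /32:", [str(h) for h in hosts])
    print("block /24:", [str(n) for n in nets])
    for net, victims in collateral(nets, counts).items():
        print(f"{net} also silences: {victims}")
```

With the constructed input, five hosts in 71.6.213.0/24 cross the per-IP threshold, so that /24 is blocked and the two 71.6.213.x /29s that actually emitted spam are not reported; 71.6.213.0/29 is listed as collateral because no blocked host falls inside it. Only two hosts in 67.18.239.0/24 qualify, so they stay as individual /32 entries. Whether three blocked hosts is the right escalation point is a local policy decision; the point of keeping `collateral()` in the loop is that, where SWIP or rwhois data exists, the operator can see exactly who the wider net catches before applying it, which is what Chris Owen describes doing by hand further down the thread.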

Florian Weimer wrote:

* Douglas Otis:
But on today's Internet, if you want to get your mail delivered, it
would be a good idea not to live in a bad neighborhood, and if your
ISP puts you in one, you need a better ISP.
That's life.

Good advice.

Yeah, it's a damn good reason to get PI space. Unfortunately, that
isn't without cost for everyone else.

IF you have a business critical need for PI v4 space, now is probably a
better time to decide that than in 5 years.

It's better, of course, if you choose not to deaggregate to /24s.

Yeah, it's a damn good reason to get PI space. Unfortunately, that
isn't without cost for everyone else.

I don't have PI space, but I do have a competent ISP so I've never had any
mail problems due to adjacent addresses.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
"A book is a sneeze." - E.B. White, on the writing of Charlotte's Web

John R Levine wrote:

I don't have PI space, but I do have a competent ISP so I've never had any
mail problems due to adjacent addresses.

Having a competent ISP isn't a guarantee of exemption...only a contributor. As evidenced by the discussion, some people choose the scope of their wrath arbitrarily.

pt

I don't have PI space, but I do have a competent ISP so I've never had any
mail problems due to adjacent addresses.

Having a competent ISP isn't a guarantee of exemption...only a contributor. As evidenced by the discussion, some people choose the scope of their wrath arbitrarily.

Nothing is a guarantee of exemption from a sufficiently perverse or hostile email administrator, but being in the middle of a well managed /20 works pretty well for me.

R's,
John


Chris Owen wrote:

Well, "well managed" to me would mean that allocations from that /20 were SWIPed or a rwhois server was running so that if any of those 4,000 IP addresses does something bad you don't get caught in the middle.

Due diligence with SWIP/rwhois only means that one customer is well documented apart from another. As this thread has highlighted, some people filter/block based on random variables: the covering /24, the covering aggregate announcement, and/or arbitrary bit lengths. If a particular server is within the scope of what someone decides to filter/block, it gets filtered or blocked. Good SWIPs/rwhois entries don't mean jack to those admins.

pt

That's been my entire point. Network operators who properly SWIP don't get
credit for going through the legwork by other networks that apply
quasi-arbitrary bit masks to their blocks.

As I said before, if you're going to block a /24, why not do it right and
block *all* the IPs in their ASN? My DSL and cable modem subscribers are
spread across a dozen non-contiguous /24s. If the bothered network is upset
with one of my cable modem subs and blocks just one /24 they will open
themselves up when that CPE obtains a new IP in a different /24.

Frank


Chris Owen wrote:

Well, "well managed" to me would mean that allocations from that /20 were SWIPed or a rwhois server was running so that if any of those 4,000 IP addresses does something bad you don't get caught in the middle.

Due diligence with SWIP/rwhois only means that one customer is well documented apart from another. As this thread has highlighted, some people filter/block based on random variables: the covering /24, the covering aggregate announcement, and/or arbitrary bit lengths. If a particular server is within the scope of what someone decides to filter/block, it gets filtered or blocked. Good SWIPs/rwhois entries don't mean jack to those admins.

Well it means something to me. I'm not one for widely cast blacklists but for something like a series of IP addresses all spewing spam from I will often put temporary /24 filters in place if I'm unable to determine exactly where the actual block boundaries are. If the addresses are SWIPed/rwhois then that is much easier and there is no need for such a wide net.

Chris

Agreed.

This was expressed recently as well.

http://www.merit.edu/mail.archives/nanog/msg05351.html

CIDRs should also conform with ASN boundaries and reputation tracks with announcements.

Unfortunately an effort to create a black-hole operator's BCP failed to consider these issues. Many building their own reputation histories will also likely ignore this concern. This means John's advice remains valid, whether fair or not. Adopting transient tracking methods copes with this problem.

-Doug

than you're describing. for example, this weekend two /24's were hijacked
and used for spam spew. as my receivebot started blackholing /32's, the

Why do you think they were hijacked? At least for your second block:

   1 71.6.213.103
....

I've had that /24 blocked since 4/4/07. I have spam attempts for that domain
going back to Feb 13 2007, but it didn't have reverse DNS set up until 4/4
so nothing got through.