Repeated Blacklisting / IP reputation

> there is a fundamental disconnect here. the IP space is neutral.
> it has no bias toward or against social behaviours. it's a tool.
> the actual/real target here are the people who are using these tools
> to be antisocial. blacklisting IP space is always reactive and
> should only be used in emergency and as a -TEMPORARY- expedient.
>
> IMHO of course. YMMV.

Show me ONE major MTA which allows you to configure an expiration for
an ACL entry.

The problem with your opinion, and it's a fine opinion, and it's even a
good opinion, is that it has very little relationship to the tools which
are given to people in order to accomplish blocking. Kind of the question
I was contemplating in my other message of minutes ago.

If people were given an option to "block this IP for 30 minutes, 24 hours,
30 days, 12 months, 5 years, or forever" - I wonder how many people would
just shrug and click "forever."

This may lead to the discovery of another fundamental disconnect - or two.

Sigh.

... JG

> there is a fundamental disconnect here. the IP space is neutral.
> it has no bias toward or against social behaviours. it's a tool.
> the actual/real target here are the people who are using these tools
> to be antisocial. blacklisting IP space is always reactive and
> should only be used in emergency and as a -TEMPORARY- expedient.
>
> IMHO of course. YMMV.

> Show me ONE major MTA which allows you to configure an expiration for
> an ACL entry.

  call me old skool... VI works a treat and I'm told there
  is this thing called emacs ... but i remain dubious.

> The problem with your opinion, and it's a fine opinion, and it's even a
> good opinion, is that it has very little relationship to the tools which
> are given to people in order to accomplish blocking. Kind of the question
> I was contemplating in my other message of minutes ago.

  if all you have is a hammer...
  folks need better tools.

> If people were given an option to "block this IP for 30 minutes, 24 hours,
> 30 days, 12 months, 5 years, or forever" - I wonder how many people would
> just shrug and click "forever."

  which is their choice. please show me the mandate for accepting
  routes/packets from any/everywhere?

  me, i'd want the option to "block 192.0.2.0/24 as long as it
  is announced by AS 0 and the whois data points to RIAA as the
  registered contact" e.g. not just a temporal block.

  or - if traffic from 192.0.2.80 increases more than 65% in a 150
  second interval, block the IP for 27 minutes.

  or - allow any/all traffic from 192.0.2.42 - regardless of the
  blocking on 192.0.2.0/24

  the mind boggles.

> This may lead to the discovery of another fundamental disconnect - or two.

  such is the course of human nature.

Joe Greco wrote:

> > there is a fundamental disconnect here. the IP space is neutral.
> > it has no bias toward or against social behaviours. it's a tool.
> > the actual/real target here are the people who are using these tools
> > to be antisocial. blacklisting IP space is always reactive and
> > should only be used in emergency and as a -TEMPORARY- expedient.
> >
> > IMHO of course. YMMV.
>
> Show me ONE major MTA which allows you to configure an expiration for
> an ACL entry.
>
> The problem with your opinion, and it's a fine opinion, and it's even a
> good opinion, is that it has very little relationship to the tools which
> are given to people in order to accomplish blocking. Kind of the question
> I was contemplating in my other message of minutes ago.
>
> If people were given an option to "block this IP for 30 minutes, 24 hours,
> 30 days, 12 months, 5 years, or forever" - I wonder how many people would
> just shrug and click "forever."
>
> This may lead to the discovery of another fundamental disconnect - or two.
>
> Sigh.
>
> ... JG

A cron job/scheduled task with a script that removes said line would most likely do wondrous things for you. I could see a comment before each listing with a time/date that you use some regex fu on to figure out how long it was there and how long it should be there for. Simple! You could also automate it with a web frontend for noobs so they don't have to manually edit configuration files.

This is fairly trivial to do with Exim by storing your ACL entries in a database or directory with a field/attribute for expiry, and an appropriate router configuration. No doubt you could implement this using a small script for any MTA. The upside of using a DB/LDAP backend is that it makes it easy to interoperate with other things like your NMS.

> Show me ONE major MTA which allows you to configure an expiration
> for an ACL entry.

Any MTA which supports using an SQL DB as its backend. Postfix is a
fine example.

You just define the table and the query to either have an until column,
or have a column with the timestamp of when the entry was added and have
the query ignore rows which are older than some given time.

And with Postfix, using its SQL proxy capability, an SQL backend is
fully performant.

-JimC
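As an added example (not from the thread, and not Postfix's own code), the table-plus-query idea above worked through with sqlite3: an expiry column that is NULL for "forever" entries, a lookup query that ignores expired rows, and the cron-style purge from the earlier reply. The table and column names are assumptions, not a Postfix convention.

```python
# Added example, not from the thread: expiring access-map entries in SQL.
# A Postfix sql/sqlite map would run LOOKUP_SQL with the client address in
# place of the placeholder; sqlite3 keeps it runnable offline. Names assumed.
import sqlite3
import time

SCHEMA = """
CREATE TABLE IF NOT EXISTS access (
    client     TEXT PRIMARY KEY,  -- IP or network used as the lookup key
    action     TEXT NOT NULL,     -- e.g. REJECT, OK, DUNNO
    added_at   INTEGER NOT NULL,  -- unix time the entry was created
    expires_at INTEGER            -- NULL means "forever"
)
"""

# Expired rows are invisible to the MTA; a cron purge is only housekeeping.
LOOKUP_SQL = """
SELECT action FROM access
 WHERE client = ?
   AND (expires_at IS NULL OR expires_at > ?)
"""

def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn

def block(conn, client, action="REJECT", ttl=None, now=None):
    """Add or replace an entry; ttl in seconds, None means forever."""
    now = int(time.time()) if now is None else now
    expires = None if ttl is None else now + ttl
    conn.execute("INSERT OR REPLACE INTO access VALUES (?, ?, ?, ?)",
                 (client, action, now, expires))
    conn.commit()

def lookup(conn, client, now=None):
    """Return the action for client, or None when no live entry exists."""
    now = int(time.time()) if now is None else now
    row = conn.execute(LOOKUP_SQL, (client, now)).fetchone()
    return row[0] if row else None

def purge_expired(conn, now=None):
    """Housekeeping (the cron-job idea): delete dead rows, return count."""
    now = int(time.time()) if now is None else now
    cur = conn.execute("DELETE FROM access WHERE expires_at <= ?", (now,))
    conn.commit()
    return cur.rowcount
```

Pass `now` explicitly to reproduce a given moment; omit it to use the wall clock as the MTA would.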