Senderbase is offbase, need some help

Gang,

    I've tried to get the attention of senderbase, which is claiming activity from my address space which is in fact either un-routed or within dynamic subscriber blocks that have outbound smtp filtering in effect. Unfortunately, senderbase refuses to acknowledge the problem in their database or back up their claims with any evidence to the contrary other than that these ips are listed in their database and that's that. I realise this may not strictly be the domain of nanog but I would think that quality of services such as senderbase, as measured in both false positives as well as their ability to act on them, would be, since many here use and depend on these services. I don't understand how or why senderbase would list unrouted address space and further give me grief over the reporting of it ("Unless the daily volume magnitude shows something > 1, I would not be too worried"), but accuracy counts and you won't have my business unless you can demonstrate some.

Mike-

* Mike:

> I've tried to get the attention of senderbase, which is claiming
> activity from my address space which is in fact either un-routed or
> within dynamic subscriber blocks that have outbound smtp filtering in
> effect.

Could you share technical details on your filters, please?

If you only filter incoming TCP packets from your customers with
destination port 25, these filters might well be insufficient.

> I've tried to get the attention of senderbase, which is claiming

Interesting; I see similar results for my address space. Two
addresses, one of which hasn't been attached to a machine for a decade
and the other a virtual IP on a web server where the particular IP
never emits connections. Magnitude's only "0.48" for both but still,
they shouldn't even appear.

Regards,
Bill Herrin

I suspect a bug in their system. I checked a handful of unrouted blocks from our address space and eventually hit a /24 from which senderbase lists an IP with magnitude 0.48, but the space hasn't been routed for 13 months. They say they saw something from it on 2010-04-06...which I'd say is highly unlikely.

Yep, same here, at two separate sites. It's in the "reserved for extreme
emergencies" zone at the top of each assigned block. As per house
practice it is tcpdumped 24/7, and has been for the last 4 years. Zero
traffic from it at the perimeter.

Go figure.

Gord

Have you checked cyclops and other BGP announcement tracking systems
to see if it might have been a short-lived whack-a-mole short prefix hijack
(pop up, announce block, send burst of spam, remove announcement, disappear
again)?

Matt
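The check Matt suggests, as an added example that is not part of this thread: a small script that walks a BGP update history (the sample below is constructed, in a hypothetical `time|A or W|prefix|origin_as` format, not the real export format of Cyclops or any other tracker) and flags prefixes inside your own space that were announced by an origin AS you do not own and then withdrawn again within an hour, the whack-a-mole pattern, plus any such announcement that is still active.

```python
import ipaddress
from datetime import datetime

# Constructed sample update log (hypothetical format). A = announce, W = withdraw.
SAMPLE_UPDATES = """\
2010-04-06T02:11:05|A|192.0.2.0/24|64496
2010-04-06T02:19:40|W|192.0.2.0/24|64496
2010-04-06T09:00:00|A|198.51.100.0/22|64500
2010-04-07T15:30:00|A|203.0.113.128/25|64497
"""

# Assumed: the blocks you hold and the origin AS(es) allowed to announce them.
MY_SPACE = [ipaddress.ip_network(p) for p in
            ("192.0.2.0/24", "198.51.100.0/22", "203.0.113.0/24")]
MY_ASNS = {64500}


def parse_updates(text):
    """Return (timestamp, kind, prefix, origin_as) tuples, oldest first."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, prefix, asn = line.split("|")
        rows.append((datetime.fromisoformat(ts), kind,
                     ipaddress.ip_network(prefix), int(asn)))
    return sorted(rows)


def in_my_space(prefix, my_space):
    """True if prefix equals or is a more-specific of one of my blocks."""
    return any(net.version == prefix.version and prefix.subnet_of(net)
               for net in my_space)


def find_suspect_announcements(text, my_space, my_asns, max_seconds=3600):
    """Foreign-origin announcements of my space withdrawn within max_seconds,
    plus any still open (seconds=None). Legitimate origins are ignored."""
    open_events, findings = {}, []
    for ts, kind, prefix, asn in parse_updates(text):
        if asn in my_asns or not in_my_space(prefix, my_space):
            continue
        key = (prefix, asn)
        if kind == "A":
            open_events.setdefault(key, ts)       # keep the first announce time
        elif kind == "W" and key in open_events:
            start = open_events.pop(key)
            dur = int((ts - start).total_seconds())
            if dur <= max_seconds:
                findings.append({"prefix": str(prefix), "origin_as": asn,
                                 "start": start.isoformat(), "seconds": dur})
    for (prefix, asn), start in open_events.items():  # announced, never withdrawn
        findings.append({"prefix": str(prefix), "origin_as": asn,
                         "start": start.isoformat(), "seconds": None})
    return findings
```

A hit on a prefix that is otherwise unrouted at the time Senderbase reports activity from it would support the hijack explanation; no hit at all points back at the reputation data.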

Maybe I'm just tired and cranky or too old to understand.....if the
addresses in question never send traffic, who cares?

And if senderbase is so bad, why use it?

He's suggesting that maybe mail came from those IPs while someone else was using them without your knowledge. Given the available info, I think it's far more likely senderbase has some glitch causing bogus 0.48 scores for IPs that really haven't sent anything in recent history.