Spam (un)blocking

Hi,
I'm a network operator at a small hosting company that has about a /20 slice of IP addresses. Recently we have suffered a few break-ins (and some fraud) which caused a large quantity of spam to find its way onto the internet.
This has resulted in some of our network space being listed in several DNS blacklists, and being blacklisted by individual ISPs.
So my question is this.
Firstly, what is the best way to remove myself from each of these blacklists, if there is anything aside from going to each one individually and saying "I'm not spamming anymore".
Second, is there some way to mark my block of addresses as owned by responsible responsive system administrators.
We have tech support on duty 24/7 and abuse complaints are dealt with in a timely manner, so I am wondering if there is a way to communicate our willingness to help in the fight against spam.

Thanks,
Adam Jacob Muller

> Firstly, what is the best way to remove myself from each of these
> blacklists, if there is anything aside from going to each one
> individually and saying "I'm not spamming anymore".

  Right now, that's about it -- but many folks only do temporary
  blocking based on recent traffic patterns, so you can also just
  wait a few days and I bet some of the problem will go away.

> Second, is there some way to mark my block of addresses as owned by
> responsible responsive system administrators.

  If there was, the spammers would be the first to adopt it.

> We have tech support on duty 24/7 and abuse complaints are dealt with
> in a timely manner, so I am wondering if there is a way to communicate
> our willingness to help in the fight against spam.

  http://www.maawg.org/ is probably the best industry group
  focused on these issues right now.

Adam,

  As JD already mentioned, many will most probably go away within a few days
if there is no other "spam" from the IP space to keep the entry active.
Quite a few have web space, so if you know the BL that is blocking, you might
look and see if there are "remove" instructions/capability.

Only other thing I can think of would be to register your domain(s) with
abuse.net. Personally that is one of the first places I check domains
against (if they have a "valid" abuse address) then I report first and block
second or third. (meaning if the spam continues after reporting)...

> Date: Wed, 6 Apr 2005 14:54:08 -0400
> From: Adam Jacob Muller <adam@gotlinux.us>
> Subject: Spam (un)blocking

> [ ... ]
> Second, is there some way to mark my block of addresses as owned by
> responsible responsive system administrators.

Over here in "RIPE land" so to speak, several ISPs (most notably
FIRST members) have put a lot of effort in getting 'IRT' objects in
the RipeDB.

$ whois -h whois.ripe.net -r 194.171.31.0 | egrep '^(inetnum|remarks|mnt-irt):'
inetnum: 194.171.31.0 - 194.171.31.255
remarks: utilized by 802.1x authenticated guests utilizing EduRoam
remarks: see http://www.eduroam.nl/ for more information
remarks: in case of abuse: abuse@cwi.nl and cert@surfnet.nl
mnt-irt: irt-SURFnet-CERT

That IRT object (I believe there were efforts underway for a similar
system in the ARINdb, but I haven't followed it for over a year :( )
is an object to identify the "Incident Response Team" which can be
contacted regarding certain blocks of space.

$ whois -h whois.ripe.net -r irt-SURFnet-CERT | egrep '^(irt|signature|encryption|remarks|mnt-by):'
irt: irt-SURFNET-CERT
signature: PGPKEY-A6D57ECE
encryption: PGPKEY-A6D57ECE
remarks: SURFNET-CERT is the Computer Emergency
remarks: Response Team of SURFnet
remarks: This is a TI accredited CSIRT
remarks: (see http://www.ti.terena.nl/teams/level2.html)
mnt-by: TRUSTED-INTRODUCER-MNT

More information can be found in Google, or on the FAQ by Jan Meijer:
http://www.surfnetters.nl/meijer/tf-csirt/irt-object-faq.html

> We have tech support on duty 24/7 and abuse complaints are dealt
> with in a timely manner, so I am wondering if there is a way to
> communicate our willingness to help in the fight against spam.

Replace spam with abuse and you have something like the IRT object. ;D

No doubt someone on NANOG knows what's happening with the ARIN version ;)
(or if there will be one, if people want it, etc.)

Regards,
JP Velders

> > Date: Wed, 6 Apr 2005 14:54:08 -0400
> > From: Adam Jacob Muller <adam@gotlinux.us>
> > Subject: Spam (un)blocking

> > [ ... ]
> > Second, is there some way to mark my block of addresses as owned by
> > responsible responsive system administrators.

> Over here in "RIPE land" so to speak, several ISPs (most notably
> FIRST members) have put a lot of effort in getting 'IRT' objects in
> the RipeDB.

> $ whois -h whois.ripe.net -r 194.171.31.0 | egrep '^(inetnum|remarks|mnt-irt):'
> inetnum: 194.171.31.0 - 194.171.31.255
> remarks: utilized by 802.1x authenticated guests utilizing EduRoam
> remarks: see http://www.eduroam.nl/ for more information
> remarks: in case of abuse: abuse@cwi.nl and cert@surfnet.nl
> mnt-irt: irt-SURFnet-CERT

And this is MUCH appreciated. When trying to figure out where to send spam complaints, a network that's taken the time to put their abuse address in their records certainly appears to at least care, and so gets better treatment.

> That IRT object (I believe there were efforts underway for a similar
> system in the ARINdb, but I haven't followed it for over a year :( )
> is an object to identify the "Incident Response Team" which can be
> contacted regarding certain blocks of space.

> $ whois -h whois.ripe.net -r irt-SURFnet-CERT | egrep '^(irt|signature|encryption|remarks|mnt-by):'
> irt: irt-SURFNET-CERT
> signature: PGPKEY-A6D57ECE
> encryption: PGPKEY-A6D57ECE
> remarks: SURFNET-CERT is the Computer Emergency
> remarks: Response Team of SURFnet
> remarks: This is a TI accredited CSIRT
> remarks: (see http://www.ti.terena.nl/teams/level2.html)
> mnt-by: TRUSTED-INTRODUCER-MNT

> More information can be found in Google, or on the FAQ by Jan Meijer:
> http://www.surfnetters.nl/meijer/tf-csirt/irt-object-faq.html

> > We have tech support on duty 24/7 and abuse complaints are dealt
> > with in a timely manner, so I am wondering if there is a way to
> > communicate our willingness to help in the fight against spam.

> Replace spam with abuse and you have something like the IRT object. ;D

> No doubt someone on NANOG knows what's happening with the ARIN version ;)
> (or if there will be one, if people want it, etc.)

SWIPs can hold abuse contact info. Again, this is a good thing for folks to do.

Since the uptake on IRT has been slow, and after much internal discussion, RIPE has decided to add an "abuse-mailbox" attribute. For further details see:
https://www.ripe.net/ripe/maillists/archives/db-wg/2005/msg00015.html

-Hank
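
An added example, not written by any poster in this thread: a shell filter that reads RIPE whois output like the objects quoted above and lists the abuse-contact hints the thread discusses, the "abuse-mailbox" attribute first, then the mnt-irt reference, then addresses found in remarks lines. The function names and the preference order are assumptions of this example; the sample object repeats the whois output quoted in the thread.

```shell
#!/bin/sh
# Constructed sample: the inetnum attributes quoted in the thread.
# Live data would come from: whois -h whois.ripe.net -r 194.171.31.0
sample_inetnum() {
  cat <<'EOF'
inetnum: 194.171.31.0 - 194.171.31.255
remarks: utilized by 802.1x authenticated guests utilizing EduRoam
remarks: see http://www.eduroam.nl/ for more information
remarks: in case of abuse: abuse@cwi.nl and cert@surfnet.nl
mnt-irt: irt-SURFnet-CERT
EOF
}

# abuse_contacts (hypothetical helper): read one RPSL object on stdin and
# print "source<TAB>value" lines, most specific source first.
abuse_contacts() {
  awk '
    {
      i = index($0, ":")            # attribute name ends at the first colon
      if (i == 0) next
      attr = tolower(substr($0, 1, i - 1))
      val = substr($0, i + 1)
      sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
    }
    attr == "abuse-mailbox" { box[++nb] = val }
    attr == "mnt-irt"       { irt[++ni] = val }
    attr == "remarks" {
      # free-text remarks often carry the only abuse address
      n = split(val, w, /[ \t,;<>()]+/)
      for (k = 1; k <= n; k++)
        if (w[k] ~ /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]+$/)
          rem[++nr] = w[k]
    }
    END {
      for (k = 1; k <= nb; k++) print "abuse-mailbox\t" box[k]
      for (k = 1; k <= ni; k++) print "mnt-irt\t" irt[k]
      for (k = 1; k <= nr; k++) print "remarks\t" rem[k]
    }'
}

# best_abuse_contact (hypothetical helper): the single preferred hint.
best_abuse_contact() {
  abuse_contacts | head -n 1
}

sample_inetnum | abuse_contacts
```

An mnt-irt hit names an object rather than an address, so it still needs the second whois lookup shown in the thread.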

* JP Velders:

> Over here in "RIPE land" so to speak, several ISPs (most notably
> FIRST members) have put a lot of effort in getting 'IRT' objects in
> the RipeDB.

I think you mean "Terena/TI" instead of "FIRST", although there is
some overlap.

The IRT object is mostly useless because the way it was deployed, it
too often routes complaints *away* from the actual network operators
(even if they aren't completely clueless).

The ARIN DB allows many points of contact types, including the abuse
contact. ARIN WHOIS reflects those registrants who choose to designate an
abuse contact.

Richard Jimmerson
Director of External Relations
American Registry for Internet Numbers (ARIN)

Isn't it funny, how everyone always takes a "lot of efforts" reinventing
things that are there for years ...