[103698] in North American Network Operators' Group
/24 blocking by ISPs - Re: Problems sending mail to yahoo?
daemon@ATHENA.MIT.EDU (Suresh Ramasubramanian)
Thu Apr 10 23:57:46 2008
Date: Fri, 11 Apr 2008 09:26:51 +0530
From: "Suresh Ramasubramanian" <ops.lists@gmail.com>
To: "Raymond L. Corbin" <rcorbin@hostmysite.com>
Cc: "Chris Stone" <cstone@axint.net>, "nanog@merit.edu" <nanog@merit.edu>
Errors-To: owner-nanog@merit.edu
On Fri, Apr 11, 2008 at 1:22 AM, Raymond L. Corbin
<rcorbin@hostmysite.com> wrote:
>
> Yeah, but without them saying which IPs are causing the problems you can't really tell
> which servers in a datacenter are forwarding their spam/abusing Yahoo. Once the /24
> block is in place then they claim to have no way of knowing who actually caused the block
> on the /24. The feedback loop would help depending on your network size.

Almost every large ISP does that kind of "complimentary upgrade".

There are enough networks around, like he.net, Yipes, PCCW Global /
Cais etc, that host huge amounts of "snowshoe" spammers -
http://www.spamhaus.org/faq/answers.lasso?section=Glossary#233 (you
know, randomly named / named after a pattern domains, with anonymous
whois or probably a PO box / UPS store in the whois contact, DNS
served by the usual suspects like Moniker..)

A /27 or /26 in a /24 might generate enough spam to drown the volume
of legitimate email from the rest of the /24, and that would cause
this kind of /24 block.

In some cases, such as 63.217/16 on CAIS / PCCW, there is NOTHING
except spam coming from several /24s (and there's a /20 and a /21 out
of it in spamhaus), and practically zero traffic from the rest of the
/16.

Or there's Cogent with a similar infestation spread around 38.106/16.

ISPs with virtual hosting farms full of hacked cgi/php scripts,
forwarders etc just don't trigger /24 blocks at the rate that ISPs
hosting snowshoe spammers do.

/24 blocks are simply a kind of motivation for large colo farms to try
choosing between hosting spammers and hosting legitimate customers.

srs ..
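
The escalation described in the message above, sketched as an added example (not part of the original post and not any provider's actual policy): per-IP counters are rolled up by /24, and the block widens to the whole /24 only when spam from a cluster of addresses drowns the legitimate mail. The thresholds, the function name `classify` and the sample counters are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed per-IP counters: (source IP, messages received, messages flagged as spam).
# 192.0.2.0/24: a /27 of snowshoe senders plus two legitimate mail servers.
# 198.51.100.0/24: a hosting farm with one compromised script host.
SAMPLE = (
    [(f"192.0.2.{h}", 400, 396) for h in range(32, 64)]
    + [("192.0.2.10", 300, 3), ("192.0.2.200", 250, 2)]
    + [(f"198.51.100.{h}", 500, 5) for h in range(1, 21)]
    + [("198.51.100.77", 900, 880)]
)

def classify(records, ip_ratio=0.8, net_ratio=0.8, min_bad_ips=8):
    """Aggregate per-IP counters by /24 and pick a block scope for each.

    All thresholds are assumed values, chosen only to illustrate the logic.
    """
    nets = defaultdict(lambda: {"total": 0, "spam": 0, "bad": []})
    for ip, total, spam in records:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        entry = nets[net]
        entry["total"] += total
        entry["spam"] += spam
        if total and spam / total >= ip_ratio:
            entry["bad"].append(ipaddress.ip_address(ip))
    result = {}
    for net, e in nets.items():
        ratio = e["spam"] / e["total"] if e["total"] else 0.0
        # Collapse offending addresses into the smallest covering CIDRs so the
        # report names the range (for example a /27) that triggered the action.
        offenders = list(ipaddress.collapse_addresses(
            ipaddress.ip_network(a) for a in sorted(e["bad"])))
        if ratio >= net_ratio and len(e["bad"]) >= min_bad_ips:
            scope = [net]        # spam drowns the legitimate mail: block the /24
        else:
            scope = offenders    # isolated senders: block only those addresses
        result[str(net)] = {"spam_ratio": round(ratio, 3),
                            "block": [str(n) for n in scope],
                            "offenders": [str(n) for n in offenders]}
    return result

if __name__ == "__main__":
    for net, info in classify(SAMPLE).items():
        print(net, info)
```

Keeping the `offenders` list alongside the block scope is what lets a receiver tell the network owner which range caused a /24 block, the information the quoted message says is missing.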