[103706] in North American Network Operators' Group
RE: /24 blocking by ISPs - Re: Problems sending mail to yahoo?
daemon@ATHENA.MIT.EDU (Raymond L. Corbin)
Fri Apr 11 11:11:20 2008
From: "Raymond L. Corbin" <rcorbin@hostmysite.com>
To: Suresh Ramasubramanian <ops.lists@gmail.com>
CC: Chris Stone <cstone@axint.net>, "nanog@merit.edu" <nanog@merit.edu>
Date: Fri, 11 Apr 2008 11:07:46 -0400
In-Reply-To: <bb0e440a0804102056o43229611h5abb8f3f623616b@mail.gmail.com>
Errors-To: owner-nanog@merit.edu
It's not unusual to do /24 blocks, however Yahoo claims they do not keep any logs as to what causes the /24 block. If they kept logs and were able to tell us which IP address in the /24 sent abuse to their network we would then be able to investigate it. Their stance of 'it's coming from your network you should know' isn't really helpful in solving the problem. When an IP is blocked a lot of ISPs can tell you why. I would think when they block a /24 they would at least be able to decipher who was sending the abuse to their network to cause the block and not simply say 'We're sorry our anti-spam measures do not conform with your business practices'. Logging into every server using a /24 is looking for a needle in a haystack.
-Ray
________________________________________
From: Suresh Ramasubramanian [ops.lists@gmail.com]
Sent: Thursday, April 10, 2008 11:56 PM
To: Raymond L. Corbin
Cc: Chris Stone; nanog@merit.edu
Subject: /24 blocking by ISPs - Re: Problems sending mail to yahoo?
On Fri, Apr 11, 2008 at 1:22 AM, Raymond L. Corbin
<rcorbin@hostmysite.com> wrote:
>
> Yeah, but without them saying which IPs are causing the problems you can't really tell
> which servers in a datacenter are forwarding their spam/abusing Yahoo. Once the /24
> block is in place then they claim to have no way of knowing who actually caused the block
> on the /24. The feedback loop would help depending on your network size.
Almost every large ISP does that kind of "complimentary upgrade"
There are enough networks around, like he.net, Yipes, PCCW Global /
Cais etc, that host huge amounts of "snowshoe" spammers -
http://www.spamhaus.org/faq/answers.lasso?section=Glossary#233 (you
know, randomly named / named after a pattern domains, with anonymous
whois or probably a PO box / UPS store in the whois contact, DNS
served by the usual suspects like Moniker..)
a /27 or /26 in a /24 might generate enough spam to drown the volume
of legitimate email from the rest of the /24, and that would cause
this kind of /24 block
In some cases, such as 63.217/16 on CAIS / PCCW, there is NOTHING
except spam coming from several /24s (and there's a /20 and a /21 out
of it in spamhaus), and practically zero traffic from the rest of the
/16.
Or there's Cogent with a similar infestation spread around 38.106/16
ISPs with virtual hosting farms full of hacked cgi/php scripts,
forwarders etc just don't trigger /24 blocks at the rate that ISPs
hosting snowshoe spammers do.
/24 blocks are simply a kind of motivation for large colo farms to try
choosing between hosting spammers and hosting legitimate customers.
srs ..
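Added illustration, not part of either message above: a small Python script that works both points of the thread through on constructed data. Raymond's point is that once a whole /24 is blocked the provider is left searching its own servers for the needle; Suresh's point is that a /27 or /26 of snowshoe hosts can generate enough complaints to drown the legitimate mail from the rest of the /24. The script assumes the hosting provider has per-IP tallies of feedback-loop complaints and delivered messages from its own MTA logs (the `SAMPLE_COUNTS` values below are invented, using documentation address ranges), aggregates them per /24 the way a receiver would see them, and then ranks the hosts inside any offending /24 and reports the smallest sub-block they occupy.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: per-IP outbound mail counts as a hosting provider might
# tally them from its own MTA logs and feedback-loop (FBL) reports. All values
# are invented; 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_COUNTS = {
    "192.0.2.5":    {"fbl_complaints": 1,   "delivered": 4000},  # legitimate customer
    "192.0.2.9":    {"fbl_complaints": 0,   "delivered": 2500},
    "192.0.2.17":   {"fbl_complaints": 2,   "delivered": 3100},
    "192.0.2.34":   {"fbl_complaints": 900, "delivered": 1200},  # snowshoe-style hosts
    "192.0.2.37":   {"fbl_complaints": 850, "delivered": 1100},
    "192.0.2.41":   {"fbl_complaints": 780, "delivered": 950},
    "192.0.2.58":   {"fbl_complaints": 910, "delivered": 1300},
    "192.0.2.200":  {"fbl_complaints": 0,   "delivered": 1800},
    "203.0.113.10": {"fbl_complaints": 0,   "delivered": 5000},  # clean /24 for contrast
    "203.0.113.11": {"fbl_complaints": 1,   "delivered": 3000},
}


def complaint_rate_by_prefix(counts, prefix_len=24):
    """Aggregate complaints and deliveries per /prefix_len network, which is the
    granularity a receiver that blocks by /24 effectively judges you at.
    Returns {network: (complaints, delivered, complaint_rate)}."""
    agg = defaultdict(lambda: [0, 0])
    for ip, c in counts.items():
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        agg[net][0] += c["fbl_complaints"]
        agg[net][1] += c["delivered"]
    return {net: (s, d, s / d if d else 0.0) for net, (s, d) in agg.items()}


def rank_senders(counts, network):
    """Rank the hosts inside `network` by complaint count, worst first: the
    needle in the haystack that a bare /24 block never identifies for you."""
    net = ipaddress.ip_network(network)
    inside = [(ip, c["fbl_complaints"]) for ip, c in counts.items()
              if ipaddress.ip_address(ip) in net]
    return sorted(inside, key=lambda t: t[1], reverse=True)


def covering_prefix(ips):
    """Smallest network containing all given addresses, i.e. the sub-block
    (a /27, /26, ...) that the offending hosts actually occupy."""
    addrs = [ipaddress.ip_address(ip) for ip in ips]
    net = ipaddress.ip_network(f"{addrs[0]}/32")
    while not all(a in net for a in addrs):
        net = net.supernet()  # widen one bit at a time until every address fits
    return net


def find_needle(counts, prefix_len=24, rate_threshold=0.05, top_n=4):
    """For every /prefix_len whose aggregate complaint rate crosses the
    threshold (a constructed cut-off, not any receiver's published policy),
    report the top offenders and the sub-block they live in."""
    report = {}
    for net, (_comp, _deliv, rate) in complaint_rate_by_prefix(counts, prefix_len).items():
        if rate < rate_threshold:
            continue
        worst = rank_senders(counts, str(net))[:top_n]
        report[str(net)] = {
            "rate": round(rate, 3),
            "worst": worst,
            "sub_block": str(covering_prefix([ip for ip, _ in worst])),
        }
    return report


if __name__ == "__main__":
    for net, info in find_needle(SAMPLE_COUNTS).items():
        print(net, info)
```

On the sample data the whole 192.0.2.0/24 shows a complaint rate of about 21% even though five of its eight hosts are clean, and the four worst senders all fall inside 192.0.2.32/27; the clean 203.0.113.0/24 never appears in the report. In practice the per-IP tallies would come from the provider's own outbound MTA logs and whatever feedback loop the receiver offers, which is exactly the data Raymond notes the block itself does not supply.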