[95887] in North American Network Operators' Group
Re: Abuse procedures... Reality Checks
daemon@ATHENA.MIT.EDU (Paul Vixie)
Mon Apr 9 00:12:07 2007
To: nanog@merit.edu
From: Paul Vixie <vixie@vix.com>
Date: 09 Apr 2007 04:03:46 +0000
In-Reply-To: <1176088253.15853.225.camel@dcore.sonic.net>
Errors-To: owner-nanog@merit.edu

dotis@mail-abuse.org (Douglas Otis) writes:

> Good advice. For various reasons, a majority of IP addresses within a
> CIDR of any size being abusive is likely to cause the CIDR to be blocked.
> While a majority could be considered as being half right, the existence
> of the "bad neighborhood" demonstrates a lack of oversight for the entire
> CIDR, which is also fairly predictive of future abuse.

that sounds like a continuum, but my experience requires more dimensions
than you're describing. for example, this weekend two /24's were hijacked
and used for spam spew. as my receivebot started blackholing /32's, the
sender started cycling to other addresses in the block. each address was
used continuously until it stopped working, then the next address came in.
while there were two /24's and two self-similar spam flows, there was not a
strict mapping of spam flow to packet flow -- both /24's emitted both kinds
of spam. "uniq -c" results are below. i've nominated both blocks to the
MAPS RBL, and i can't tell from whois whether it's worthwhile to complain
to the ISP's. would you say that i've learned anything of predictive value
concerning future spam from the containing /17 (CARI) or /15 (THEPLANET)?
or is this just another run of the mill BGP hijack due to some other ISP's
router having enable passwords still set to the factory default? (we all
owe randy bush a debt of gratitude for pushing on RPKI, by the way. anybody
can complain about the weather but very few people do something about it.)
--
Paul Vixie
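
The address cycling described in this message (each /32 used until blocked, then the next one in the same /24) can be detected by rolling per-address counts up to their covering prefix. The following is an added example, not part of the original post or of the author's tooling; the sample data uses documentation ranges and is constructed, and the `min_hosts` threshold and function names are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in `uniq -c` format (count, address).
# Documentation ranges only; not data from the original message.
SAMPLE = """\
      7 192.0.2.66
      2 192.0.2.67
      1 192.0.2.68
      5 192.0.2.71
      3 192.0.2.89
      6 198.51.100.8
      3 198.51.100.19
      1 203.0.113.5
 not a uniq -c line at all
"""

def parse_uniq_c(text):
    """Yield (count, IPv4Address) pairs, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        try:
            yield int(parts[0]), ipaddress.IPv4Address(parts[1])
        except ValueError:
            continue

def summarize(text, prefixlen=24):
    """Map each covering prefix to its distinct senders and total hits."""
    stats = defaultdict(lambda: {"hosts": set(), "hits": 0})
    for count, addr in parse_uniq_c(text):
        net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        stats[net]["hosts"].add(addr)
        stats[net]["hits"] += count
    return stats

def blocks_to_escalate(text, min_hosts=4, prefixlen=24):
    """Prefixes where enough distinct addresses sent spam that blocking
    single /32s only moves the sender to the next address.
    min_hosts is an assumed policy threshold, not a recommended value."""
    return sorted(net for net, s in summarize(text, prefixlen).items()
                  if len(s["hosts"]) >= min_hosts)

if __name__ == "__main__":
    for net in blocks_to_escalate(SAMPLE):
        s = summarize(SAMPLE)[net]
        print(f"{net}: {len(s['hosts'])} senders, {s['hits']} messages")
```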