On Tue, Sep 15, 2009 at 10:29 PM, <bmann...@vacation.karoshi.com> wrote: > On Tue, Sep 15, 2009 at 09:34:14PM -0400, Christopher Morrow wrote: >> On Tue, Sep 15, 2009 at 4:46 PM, <bmann...@vacation.karoshi.com> wrote: >> > >> > so... this thread has a couple of really interesting characteristics. >> > a couple are worth mentioning more directly (they have been alluded to >> > elsewhere)... >> >> as always, despite your choice in floral patterned shirts :) good >> comments/questions. > > humph... at least I wear pants.
you have something against skirts? or dresses? always with the pants with you!! <shakey fist> >> > >> > Who gets to define "bad" - other than a blacklist operator? >> > Are the common, consistent defintions of "contamination"? >> >> nope, each BL (as near as I can tell) has their own criteria (with > > trick question... each ISP gets to define good/bad on their > own merits or can outsource it to third parties. sure... outsourcing in this case often happens without a real business relationship. > >> 1) newly allocated from IANA netblocks show up to end customers and >> reachability problems ensue. (route-filters and/or firewall filters) >> >> 2) newly re-allocated netblocks show up with RBL baggage (rbls and >> smtp blocks at the application layer) > > you forgot #3 ... a "clean" IANA block that was "borrowed" > for a while .. and already shows up in some filter lists. ok... but we can't ever really know that Verizon uses 114/8 and 104/8 internally can we? (and has/may leak this to external parties on occasion by mistake) > >> > So - I suspect that in the end, a registry (ARIN) or an ISP (COMCAST) is >> > only >> > going to be able to tell you a few things about the prefix you have been >> > handed. >> > >> > a) its virginal - never been used (that we know of) >> > b) its been used once. >> > c) it has a checkered past >> >> I actually don't think it's a help for ARIN to say anything here, >> since they can never know all the RBL's and history for a netblock, >> and they can't help in the virginal case since they don't run >> network-wide filters. > > not RBL specific ... > > a) this block came directly from IANA and has never been previously > allocated > in/through the IANA/RIR process > b) this block has had one registered steward in recorded history > c) this block has been in/out of the RIR/registry system more than > once. Ok, is this in the final email from hostmaster@ to 'enduser@'? or somewhere else? what's the recourse when someone says: "But I don't want a USED netblock, it my have the herp!" I'm trying to see if ARIN can say something of use here without raising its costs or causing extra/more confusion to the end-site(s). >> A FAQ that says some of the above with some pointers to testing >> harnesses to use may be useful. Some tools for network operators to >> use in updating things in a timely fashion may be useful. >> Better/wider/louder notification 'services' for new block allocations >> from IANA -> RIR's may be useful. > > indeed - I'd like to see the suite extended to the ISPs as well, esp > if such tricks will be used in v6land... > >> last announced APNIC block yahtzee. Where else is this data >> available? In a form that your avg enterprise network op may notice? > > oh... I'd suggest some of the security lists might be a good > channel. > sure, most of those folks also read nanog-l, this won't also reach enterprise folk... (admittedly it's hard to reach 'everyone', but spammers seem to be able to...) >> > and it will be up to the receipient to trust/accept the resource for what >> > it >> > currently is or chose to reject it and find soliace elsewhere. >> >> 'solace elsewhere'... dude there is no 'elsewhere'. > > and yet... Jimmy and Warren Buffet will tell you its always 1700 > somewhere.... > and if that doesn't work, whip out the NAT and reuse 10.0.0.0 > -again-.... :) ha... :( -chris >> >> -Chris >> (and yes, I'm yanking your chain about the shirts...) >> >> > --bill >> > >> > >> > On Tue, Sep 15, 2009 at 04:31:04PM -0400, Christopher Morrow wrote: >> >> On Tue, Sep 15, 2009 at 4:23 PM, <valdis.kletni...@vt.edu> wrote: >> >> > On Tue, 15 Sep 2009 08:01:48 PDT, Shawn Somers said: >> >> > >> >> >> Anyone that intentionally uses address space in a manner that they >> >> >> know will cause it to become contaminated should be denied on any >> >> >> further address space requests. >> >> > >> >> > You *do* realize that the people you're directing that paragraph at are >> >> > able to say with a totally straight face: "We're doing nothing wrong and >> >> > we have *no* idea why we end up in so many local block lists"? >> >> >> >> Also, you can very well disable new allocations to Spammer-Bob, did >> >> you also know his friend Sue is asking now for space? Sue is very >> >> nice, she even has cookies... oh damn after we allocated to her we >> >> found out she's spamming :( >> >> >> >> Spammers have a lot of variables to change in this equation, RIR's >> >> dont always have the ability to see all of the variables, nor >> >> correlate all of the changes they see :( >> >> >> >> -Chris >> >> >> > >
