Re: BGP Hijack by ATT... was: Need Help Getting IP Unblocked by ATT
It appears that ATT started announcing a block of a former customer that we had reclaimed. ATT contacted me offline and let me know that the issue was resolved. Brian Raaen wrote: I have sent a complaint to the ATT abuse contact from my ARIN contact address asking them to stop announcing the route. -- - Brian Raaen Network Engineer email: bra...@zcorum.com
Re: Network Ring
Rod Beck wrote: What is EAPS? A joke of a standard and something to be avoided at all costs. I would echo the last part about Extreme switches too. Justin
RE: Network Ring
Since it was brought up - curious as we were recently approached by Extreme. Good/bad experiences? We're a Cisco shop and I plan to keep us that way but some powers to be are interested in them at this point.. Thanks, Paul -Original Message- From: Justin Shore [mailto:jus...@justinshore.com] Sent: September-08-09 7:29 AM To: Rod Beck Cc: nanog@nanog.org Subject: Re: Network Ring Rod Beck wrote: What is EAPS? A joke of a standard and something to be avoided at all costs. I would echo the last part about Extreme switches too. Justin
Colt outages?
Anyone have news on this? I understand Colt has fixed London and are working on Dublin, Bruxelles and Geneva... but that's all I have.
Repeated Blacklisting / IP reputation
Greetings, We obtained a direct assigned IP block 69.197.64.0/18 from ARIN in 2008. This block has been cursed (for lack of a better word) since we obtained it. It seems like every customer we have added has had repeated issues with being blacklisted by DUL and the cable carriers. (AOL, ATT, Charter, etc). I understand there is a process to getting removed, but it seems as if these IPs had been used and abused by the previous owner. We have done our best to ensure these blocks conform to RFC standards, including the proper use of reverse DNS pointers. I can resolve the issue very easily by moving these customers over to our other direct assigned 66.254.192.0/19 block. In the last year I have done this numerous times and have had no further issues with them. My question: Is there some way to clear the reputation of these blocks up, or start over to prevent the amount of time we are spending with each customer troubleshooting unnecessary RBL and reputation blacklisting? I have used every opportunity to use the automated removal links from the SMTP rejections, and worked with the RBL operators directly. Most of what I get are cynical responses and promises that it will be fixed. If there is any question, we perform inbound and outbound scanning of all e-mail, even though we know that this appears to be something more relating to the block itself. Does anyone have any suggestions as to how we can clear this issue up? Comments on or off list welcome. Thanks, --- Tom Pipes T6 Broadband/ Essex Telcom Inc tom.pi...@t6mail.com
Re: Repeated Blacklisting / IP reputation
Tom Pipes wrote: Greetings, We obtained a direct assigned IP block 69.197.64.0/18 from ARIN in 2008. This block has been cursed (for lack of a better word) since we obtained it. It seems like every customer we have added has had repeated issues with being blacklisted by DUL and the cable carriers. (AOL, ATT, Charter, etc). I understand there is a process to getting removed, but it seems as if these IPs had been used and abused by the previous owner. We have done our best to ensure these blocks conform to RFC standards, including the proper use of reverse DNS pointers. I can resolve the issue very easily by moving these customers over to our other direct assigned 66.254.192.0/19 block. In the last year I have done this numerous times and have had no further issues with them. My question: Is there some way to clear the reputation of these blocks up, or start over to prevent the amount of time we are spending with each customer troubleshooting unnecessary RBL and reputation blacklisting? I have used every opportunity to use the automated removal links from the SMTP rejections, and worked with the RBL operators directly. Most of what I get are cynical responses and promises that it will be fixed. If there is any question, we perform inbound and outbound scanning of all e-mail, even though we know that this appears to be something more relating to the block itself. Does anyone have any suggestions as to how we can clear this issue up? Comments on or off list welcome. Thanks, --- Tom Pipes T6 Broadband/ Essex Telcom Inc tom.pi...@t6mail.com Unfortunately, there is no real good way to get yourself completely delisted. We are experiencing that with a /18 we got from ARIN recently and it is basically the RBL's not updating or perhaps they are not checking the ownership of the ip's as compared to before. On some RBL's, we have IP addresses that have been listed since before the company I work for even existed. Amazing right?
[NANOG-announce] NANOG 47 dates of interest
Folks,

Just a brief reminder of upcoming dates of interest

- The NANOG PC will be posting an updated agenda for NANOG 47 after our 09/08/2009 call
- The registration fee for NANOG 47 increases to US$525 on 09/14/2009
- Nominations for the NANOG PC open today, 09/08/2009
- Voting for the 2009/2010 NANOG SC closes at 13:00 EDT on 10-21-09. See http://www.nanog.org/governance/elections/2009elections/ for additional details
- Last but not least, the hotel group rate expires in 09/30/2009. See http://www.nanog.org/meetings/nanog47/hotel.php

See you all in Dearborn.

Dave
Re: Datacenter recommendations - China and Latin America
For Asia, I'd say Hong Kong (and personally Mega iAdvantage). Could be interesting thoughts on this previous thread: http://mailman.nanog.org/pipermail/nanog/2009-July/012161.html Mainland China may be fine for very special needs, but I'd advise to go to HK 95% of the time. Michael K. Smith - Adhost wrote: Sorry to respond to my own message! Given the replies so far I think I should expand China to include Hong Kong. Regards, Mike -- Michael K. Smith - CISSP, GISP Chief Technical Officer - Adhost Internet LLC mksm...@adhost.com w: +1 (206) 404-9500 f: +1 (206) 404-9050 PGP: B49A DDF5 8611 27F3 08B9 84BB E61E 38C0 (Key ID: 0x9A96777D) -Original Message- From: Michael K. Smith - Adhost [mailto:mksm...@adhost.com] Sent: Tuesday, September 08, 2009 8:41 AM To: nanog@nanog.org Subject: Datacenter recommendations - China and Latin America Hello Everyone: Does anyone have any recommendations for data centers in China (PRC) and Latin America? The Latin America site doesn't have to be in any particular country within the region, although facilities with good network connectivity are obviously preferred. Regards, Mike -- Michael K. Smith - CISSP, GISP Chief Technical Officer - Adhost Internet LLC mksm...@adhost.com w: +1 (206) 404-9500 f: +1 (206) 404-9050 PGP: B49A DDF5 8611 27F3 08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)
RE: Datacenter recommendations - China and Latin America
Sorry to respond to my own message! Given the replies so far I think I should expand China to include Hong Kong. Regards, Mike -- Michael K. Smith - CISSP, GISP Chief Technical Officer - Adhost Internet LLC mksm...@adhost.com w: +1 (206) 404-9500 f: +1 (206) 404-9050 PGP: B49A DDF5 8611 27F3 08B9 84BB E61E 38C0 (Key ID: 0x9A96777D) -Original Message- From: Michael K. Smith - Adhost [mailto:mksm...@adhost.com] Sent: Tuesday, September 08, 2009 8:41 AM To: nanog@nanog.org Subject: Datacenter recommendations - China and Latin America Hello Everyone: Does anyone have any recommendations for data centers in China (PRC) and Latin America? The Latin America site doesn't have to be in any particular country within the region, although facilities with good network connectivity are obviously preferred. Regards, Mike -- Michael K. Smith - CISSP, GISP Chief Technical Officer - Adhost Internet LLC mksm...@adhost.com w: +1 (206) 404-9500 f: +1 (206) 404-9050 PGP: B49A DDF5 8611 27F3 08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)
Re: Datacenter recommendations - China and Latin America
I'd recommend Equinix which has a site in Hong Kong which I would recommend over mainland China. http://www.equinix.com/locations/map/asiapacific/hongkong/ Shane On Sep 8, 2009, at 12:02 PM, Benjamin Billon wrote: For Asia, I'd say Hong Kong (and personally Mega iAdvantage). Could be interesting thoughts on this previous thread: http://mailman.nanog.org/pipermail/nanog/2009-July/012161.html Mainland China may be fine for very special needs, but I'd advise to go to HK 95% of the time. Michael K. Smith - Adhost wrote: Sorry to respond to my own message! Given the replies so far I think I should expand China to include Hong Kong. Regards, Mike -- Michael K. Smith - CISSP, GISP Chief Technical Officer - Adhost Internet LLC mksm...@adhost.com w: +1 (206) 404-9500 f: +1 (206) 404-9050 PGP: B49A DDF5 8611 27F3 08B9 84BB E61E 38C0 (Key ID: 0x9A96777D) -Original Message- From: Michael K. Smith - Adhost [mailto:mksm...@adhost.com] Sent: Tuesday, September 08, 2009 8:41 AM To: nanog@nanog.org Subject: Datacenter recommendations - China and Latin America Hello Everyone: Does anyone have any recommendations for data centers in China (PRC) and Latin America? The Latin America site doesn't have to be in any particular country within the region, although facilities with good network connectivity are obviously preferred. Regards, Mike -- Michael K. Smith - CISSP, GISP Chief Technical Officer - Adhost Internet LLC mksm...@adhost.com w: +1 (206) 404-9500 f: +1 (206) 404-9050 PGP: B49A DDF5 8611 27F3 08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)
Re: Datacenter recommendations - China and Latin America
Shane Ronan wrote: I'd recommend Equinix which has a site in Hong Kong which I would recommend over mainland China. http://www.equinix.com/locations/map/asiapacific/hongkong/ What is the Great Firewall relationship between Hong Kong and the mainland PRC, as compared to the mainland PRC vs. the rest of the world? -- Alex Balashov - Principal Evariste Systems Web : http://www.evaristesys.com/ Tel : (+1) (678) 954-0670 Direct : (+1) (678) 954-0671
Datacenter recommendations - China and Latin America
Hello Everyone: Does anyone have any recommendations for data centers in China (PRC) and Latin America? The Latin America site doesn't have to be in any particular country within the region, although facilities with good network connectivity are obviously preferred. Regards, Mike -- Michael K. Smith - CISSP, GISP Chief Technical Officer - Adhost Internet LLC mksm...@adhost.com w: +1 (206) 404-9500 f: +1 (206) 404-9050 PGP: B49A DDF5 8611 27F3 08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)
Re: Repeated Blacklisting / IP reputation
Folks - It appears that we have a real operational problem, in that ARIN does indeed reissue space that has been reclaimed/returned after a hold-down period, and but it appears that even once they are removed from the actual source RBL's, there are still ISP's who are manually updating these and hence block traffic much longer than necessary. I'm sure there's an excellent reason why these addresses stay blocked, but am unable to fathom what exactly that is... Could some folks from the appropriate networks explain why this is such a problem and/or suggest additional steps that ARIN or the receipts should be taking to avoid this situation? Thanks! /John John Curran President and CEO ARIN On Sep 8, 2009, at 11:16 AM, Ronald Cotoni wrote: Tom Pipes wrote: Greetings, We obtained a direct assigned IP block 69.197.64.0/18 from ARIN in 2008. This block has been cursed (for lack of a better word) since we obtained it. It seems like every customer we have added has had repeated issues with being blacklisted by DUL and the cable carriers. (AOL, ATT, Charter, etc). I understand there is a process to getting removed, but it seems as if these IPs had been used and abused by the previous owner. We have done our best to ensure these blocks conform to RFC standards, including the proper use of reverse DNS pointers. I can resolve the issue very easily by moving these customers over to our other direct assigned 66.254.192.0/19 block. In the last year I have done this numerous times and have had no further issues with them. My question: Is there some way to clear the reputation of these blocks up, or start over to prevent the amount of time we are spending with each customer troubleshooting unnecessary RBL and reputation blacklisting? I have used every opportunity to use the automated removal links from the SMTP rejections, and worked with the RBL operators directly. Most of what I get are cynical responses and promises that it will be fixed. 
If there is any question, we perform inbound and outbound scanning of all e-mail, even though we know that this appears to be something more relating to the block itself. Does anyone have any suggestions as to how we can clear this issue up? Comments on or off list welcome. Thanks, --- Tom Pipes T6 Broadband/ Essex Telcom Inc tom.pi...@t6mail.com Unfortunately, there is no real good way to get yourself completely delisted. We are experiencing that with a /18 we got from ARIN recently and it is basically the RBL's not updating or perhaps they are not checking the ownership of the ip's as compared to before. On some RBL's, we have IP addresses that have been listed since before the company I work for even existed. Amazing right?
Re: Repeated Blacklisting / IP reputation
John, it's about the same situation you get when people use manually updated bogon filters. A much larger problem, I must admit .. having ISPs follow the maawg best practices might help, that - and attending MAAWG sessions (www.maawg.org - Published Documents) That said most of the larger players already attend MAAWG - that leaves rural ISPs, small universities, corporate mailservers etc etc that don't have full time postmasters, and where you're more likely to run into this issue. If you see actual large carriers with outdated blocklist entries after they're removed from (say) the spamhaus pbl, then maybe MAAWG needs to come to nanog / arin meetings .. plenty of maawg types attend those that all that needs to be done is to free up a presentation slot or two. --srs On Tue, Sep 8, 2009 at 11:13 PM, John Curran jcur...@arin.net wrote: Folks - It appears that we have a real operational problem, in that ARIN does indeed reissue space that has been reclaimed/returned after a hold-down period, and but it appears that even once they are removed from the actual source RBL's, there are still ISP's who are manually updating these and hence block traffic much longer than necessary. I'm sure there's an excellent reason why these addresses stay blocked, but am unable to fathom what exactly that is... Could some folks from the appropriate networks explain why this is such a problem and/or suggest additional steps that ARIN or the receipts should be taking to avoid this situation? Thanks! /John John Curran President and CEO ARIN On Sep 8, 2009, at 11:16 AM, Ronald Cotoni wrote: Tom Pipes wrote: Greetings, We obtained a direct assigned IP block 69.197.64.0/18 from ARIN in 2008. This block has been cursed (for lack of a better word) since we obtained it. It seems like every customer we have added has had repeated issues with being blacklisted by DUL and the cable carriers. (AOL, ATT, Charter, etc). 
I understand there is a process to getting removed, but it seems as if these IPs had been used and abused by the previous owner. We have done our best to ensure these blocks conform to RFC standards, including the proper use of reverse DNS pointers. I can resolve the issue very easily by moving these customers over to our other direct assigned 66.254.192.0/19 block. In the last year I have done this numerous times and have had no further issues with them. My question: Is there some way to clear the reputation of these blocks up, or start over to prevent the amount of time we are spending with each customer troubleshooting unnecessary RBL and reputation blacklisting? I have used every opportunity to use the automated removal links from the SMTP rejections, and worked with the RBL operators directly. Most of what I get are cynical responses and promises that it will be fixed. If there is any question, we perform inbound and outbound scanning of all e-mail, even though we know that this appears to be something more relating to the block itself. Does anyone have any suggestions as to how we can clear this issue up? Comments on or off list welcome. Thanks, --- Tom Pipes T6 Broadband/ Essex Telcom Inc tom.pi...@t6mail.com Unfortunately, there is no real good way to get yourself completely delisted. We are experiencing that with a /18 we got from ARIN recently and it is basically the RBL's not updating or perhaps they are not checking the ownership of the ip's as compared to before. On some RBL's, we have IP addresses that have been listed since before the company I work for even existed. Amazing right? -- Suresh Ramasubramanian (ops.li...@gmail.com)
Re: Repeated Blacklisting / IP reputation
Suresh Ramasubramanian wrote: That said most of the larger players already attend MAAWG - that leaves rural ISPs, small universities, corporate mailservers etc etc that don't have full time postmasters, and where you're more likely to run into this issue. I've found the opposite to hold true more often. Smaller organizations can use public blacklists for free, due to their low volume, and so have little incentive to run their own local blacklist. I've typically seen the larger organizations run their own blacklists and are much more difficult to contact for removal.
Re: Datacenter recommendations - China and Latin America
On Sep 8, 2009, at 12:35 PM, Alex Balashov wrote: Shane Ronan wrote: I'd recommend Equinix which has a site in Hong Kong which I would recommend over mainland China. http://www.equinix.com/locations/map/asiapacific/hongkong/ What is the Great Firewall relationship between Hong Kong and the mainland PRC, as compared to the mainland PRC vs. the rest of the world? Broadly speaking, the relationships are identical -- otherwise many/most things that are currently in China would be in HK. TV -- Alex Balashov - Principal Evariste Systems Web : http://www.evaristesys.com/ Tel : (+1) (678) 954-0670 Direct : (+1) (678) 954-0671
Re: Repeated Blacklisting / IP reputation
Suresh Ramasubramanian wrote: John, it's about the same situation you get when people use manually updated bogon filters. A much larger problem, I must admit .. having ISPs follow the maawg best practices might help, that - and attending MAAWG sessions (www.maawg.org - Published Documents) That said most of the larger players already attend MAAWG - that leaves rural ISPs, small universities, corporate mailservers etc etc that don't have full time postmasters, and where you're more likely to run into this issue. I was always under the impression that smaller orgs were not allowed to join the MAAWG club. ~Seth
Re: Repeated Blacklisting / IP reputation
John Curran wrote: Folks - It appears that we have a real operational problem, in that ARIN does indeed reissue space that has been reclaimed/returned after a hold-down period, and but it appears that even once they are removed from the actual source RBL's, there are still ISP's who are manually updating these and hence block traffic much longer than necessary. I'm sure there's an excellent reason why these addresses stay blocked, but am unable to fathom what exactly that is... Could some folks from the appropriate networks explain why this is such a problem and/or suggest additional steps that ARIN or the receipts should be taking to avoid this situation? I don't think there is an excellent reason, more likely inertia and no real incentive to put forth the effort to proactively remove addresses. Many ISPs and organizations have their own private blocklists not associated with the widely known DNSBLs. Typically during or immediately after a spam run the mail administrator will manually add offending addresses or netblocks. Spamtrap hits may do this automatically. There isn't any real incentive for people to go back and remove addresses unless they're notified by their own customers that legitimate mail coming from those addresses is being blocked. Because these blocklists are individually maintained, there is no central registry or means to clean them up when an IP assignment changes. To make matters worse, some organizations may simply ACL the IP space so that the TCP connection is never made in the first place (bad, looks like a network problem rather than deliberate filtering), some may drop it during SMTP with no clear indication as to the reason (less bad, as there is at least a hint that it could be filtering), and some may actually accept the mail and then silently discard it (worst). In addition there are several DNSBLs with different policies regarding delisting. Some just time out after a period of time since abuse was detected. 
Some require action in the form of a delisting request. Some require a delisting request and a time period with no abuse. Some (the old SPEWS list) may not be easily reached or have well defined policies. In meatspace, once a neighborhood winds up with a reputation of being rife with drive-by shootings, gang activity and drug dealing it may take a long time after the last of the graffiti is gone before some cab drivers will go there. -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: Repeated Blacklisting / IP reputation
On Tue, 8 Sep 2009, John Curran wrote: I'm sure there's an excellent reason why these addresses stay blocked, but am unable to fathom what exactly that is... Could some folks from the appropriate networks explain why this is such a problem and/or suggest additional steps that ARIN or the receipts should be taking to avoid this situation? Most small to midsize networks probably have a block it and forget it policy. The facts that the spammer moved on, the IPs eventually got returned to the RIR and reallocated to a different network go unnoticed until the new LIR/ISP notifies those blocking the addresses that the addresses have changed hands. Ideally, the network doing the blocking will know when they started blocking an IP, look at whois, and agree that the block no longer makes sense. I'm sure some will have no idea when or why they started blocking an IP, and might be reluctant to unblock it. This assumes you can actually get in touch with someone with the access and understanding of the issues to have a conversation about their blocking. Some networks make that nearly impossible. I ran into such situations early on when trying to contact networks about their outdated bogon filters when Atlantic.net got a slice of 69/8. This blocking (or variations of it) has been a problem for about a decade. http://www.michnet.net/mail.archives/nanog/2001-08/msg00448.html I don't think there is any blanket solution to this issue. Too many of the networks doing the blocking likely don't participate in any forum where the RIRs will be reach people who care and can do something. -- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: Repeated Blacklisting / IP reputation
On Sep 8, 2009, at 11:13 AM, Jay Hennigan wrote: John Curran wrote: snip I'm sure there's an excellent reason why these addresses stay blocked, but am unable to fathom what exactly that is... Could some folks from the appropriate networks explain why this is such a problem and/or suggest additional steps that ARIN or the receipts should be taking to avoid this situation? I don't think there is an excellent reason, more likely inertia and no real incentive to put forth the effort to proactively remove addresses. snip In addition there are several DNSBLs with different policies regarding delisting. Some just time out after a period of time since abuse was detected. Some require action in the form of a delisting request. Some require a delisting request and a time period with no abuse. Some (the old SPEWS list) may not be easily reached or have well defined policies. In meatspace, once a neighborhood winds up with a reputation of being rife with drive-by shootings, gang activity and drug dealing it may take a long time after the last of the graffiti is gone before some cab drivers will go there. -- Jay Hennigan - CCIE #7880 snip I think this most accurately reflects the reality I see dealing with mostly enterprises and mid-to-large xSPs. A lot of mid-range enterprises out there have legacy free (often meaning subscriptions aren't enforced) DNSBLs in place that were configured years ago as a desperate attempt to reduce e-mail load, before there were well-maintained alternatives. The problem is that these services usually don't have the resources to put a lot of advanced automation and sophisticated logic into place, so delisting is a huge hassle (and some times resembles extortion). There are some quality free services, such as Spamhaus (speaking personally), but they're few and far between. I've had better luck convincing customers (or customers of customers) to stop using the poorly-maintained legacy DNSBLs than I've had getting customers delisted from such services. 
YMMV. Brian Keefer Sr. Solutions Architect Defend email. Protect data.
Re: Repeated Blacklisting / IP reputation
On Tue, 08 Sep 2009 13:43:39 EDT, John Curran said: I'm sure there's an excellent reason why these addresses stay blocked, but am unable to fathom what exactly that is... If I'm a smaller shop with limited clue, there's 3 likely corollaries: 1) Even a smallish spam blast is big enough to cause me operational difficulties, so I'm tempted to throw in a block to fix it. 2) Once the spammers have moved on, it's unlikely that I have enough customers trying to reach the blocked address space and complaining for me to fix it, and the people *in* that address space can't successfully complain because I've blocked it. 3) The damage to traffic is of consequence to the remote site, but isn't a revenue-impacting issue for *ME*. The third point is the biggie here.
Re: Repeated Blacklisting / IP reputation
On Tue, Sep 08, 2009 at 10:16:33AM -0500, Ronald Cotoni wrote: Tom Pipes wrote: Greetings, We obtained a direct assigned IP block 69.197.64.0/18 from ARIN in 2008. This block has been cursed (for lack of a better word) since we obtained it. It seems like every customer we have added has had repeated issues with being blacklisted by DUL and the cable carriers. (AOL, ATT, Charter, etc). I understand there is a process to getting removed, but it seems as if these IPs had been used and abused by the previous owner. We have done our best to ensure these blocks conform to RFC standards, including the proper use of reverse DNS pointers. I can resolve the issue very easily by moving these customers over to our other direct assigned 66.254.192.0/19 block. In the last year I have done this numerous times and have had no further issues with them. My question: Is there some way to clear the reputation of these blocks up, or start over to prevent the amount of time we are spending with each customer troubleshooting unnecessary RBL and reputation blacklisting? I have used every opportunity to use the automated removal links from the SMTP rejections, and worked with the RBL operators directly. Most of what I get are cynical responses and promises that it will be fixed. If there is any question, we perform inbound and outbound scanning of all e-mail, even though we know that this appears to be something more relating to the block itself. Does anyone have any suggestions as to how we can clear this issue up? Comments on or off list welcome. Thanks, --- Tom Pipes T6 Broadband/ Essex Telcom Inc tom.pi...@t6mail.com Unfortunately, there is no real good way to get yourself completely delisted. We are experiencing that with a /18 we got from ARIN recently and it is basically the RBL's not updating or perhaps they are not checking the ownership of the ip's as compared to before. On some RBL's, we have IP addresses that have been listed since before the company I work for even existed. 
Amazing right? This is not actually a new problem. ISPs have been fighting this for some time. When a dud customer spams from a given IP range and gets it placed in various RBLs, when that customer is booted or otherwise removed, that block will probably get reissued. The new customer then calls up and says, my email isn't getting through. All it takes is a little investigation and the cause becomes clear. In my experience, there is absolutely no way to deal with this other than contacting the companies your customer is trying to email one by one. Not all of them will respond to you but when they are slow or do not act at all, quite often if the recipient on the other end calls them up and says, WTF? it generates more action. Sadly, I do not foresee this problem getting any easier. Best practices for the public or subscription RBLs should be to place a TTL on the entry of no more than, say, 90 days or thereabouts. Best practices for manual entry should be to either keep a list of what and when or periodically to simply blow the whole list away and start anew to get rid of stale entries. Of course, that is probably an unreal expectation. -Wayne --- Wayne Bouchard w...@typo.org Network Dude http://www.typo.org/~web/
Re: Repeated Blacklisting / IP reputation
On Tue, 8 Sep 2009, John Curran wrote: I'm sure there's an excellent reason why these addresses stay blocked, but am unable to fathom what exactly that is... Could some folks from the appropriate networks explain why this is such a problem and/or suggest additional steps that ARIN or the receipts should be taking to avoid this situation? Most small to midsize networks probably have a block it and forget it policy. The facts that the spammer moved on, the IPs eventually got returned to the RIR and reallocated to a different network go unnoticed until the new LIR/ISP notifies those blocking the addresses that the addresses have changed hands. Ideally, the network doing the blocking will know when they started blocking an IP, look at whois, and agree that the block no longer makes sense. I'm sure some will have no idea when or why they started blocking an IP, and might be reluctant to unblock it. This assumes you can actually get in touch with someone with the access and understanding of the issues to have a conversation about their blocking. Some networks make that nearly impossible. I ran into such situations early on when trying to contact networks about their outdated bogon filters when Atlantic.net got a slice of 69/8. This blocking (or variations of it) has been a problem for about a decade. http://www.michnet.net/mail.archives/nanog/2001-08/msg00448.html I don't think there is any blanket solution to this issue. Too many of the networks doing the blocking likely don't participate in any forum where the RIRs will be reach people who care and can do something. It should be pretty clear that reused IP space is going to represent a problem. There is no mechanism for LIR/ISP notif[cation to] those blocking the addresses that the addresses have changed hands. 
Even if there were, this would be subject to potential gaming by spammers, such as SWIP of a block to SpammerXCo, followed by an automatic unblock when the ISP unSWIP's it and SWIP's it to EmailBlasterB - of course, the same company. How do we manage this into the future? IPv6 shows some promise in terms of delegation of larger spaces, which could in turn suggest that reuse policies that discourage rapid reuse would be a best practice. However, that is more or less just acknowledging the status quo; networks are likely to continue blocking for various reasons and for random periods. A remote site being unable to communicate with us is not particularly important except to the extent that it ends up distressing users here; however, for larger sites, the blocked list could end up being significant. It seems like it *could* be useful to have a system to notify of network delegation changes, but it also seems like if this was particularly important to anyone, then someone would have found a trivial way to implement at least a poor man's version of it. For example, record the ASN of a blocked IP address and remove the block when the ASN changes... ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Re: Repeated Blacklisting / IP reputation
On Tue, 8 Sep 2009, Joe Greco wrote: It seems like it *could* be useful to have a system to notify of network delegation changes, but it also seems like if this was particularly important to anyone, then someone would have found a trivial way to implement at least a poor man's version of it. For example, record the ASN of a blocked IP address and remove the block when the ASN changes... That too, would be easily gamed by spammers. Just get multiple ASN's and bounce your dirty IPs around between them to clean them. The IP space being a direct (RIR-LIR) allocation having been made after the blocking was initiated is a pretty clear sign that the space has actually changed hands, and seems like it would be fairly difficult (if at all possible) to game. -- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: Network Ring
Rod Beck wrote: What is EAPS? A joke of a standard and something to be avoided at all costs. I would echo the last part about Extreme switches too. Disagree. I don't believe anybody would claim EAPS is a standard just because an RFC has been published. In any case, EAPS is working quite well for us, with rapid L2 rerouting in ring based structures. And *much* simpler than RSTP/MST. Or VPLS, for that matter. As for Extreme switches - they have their strengths and weaknesses, just like any other product. We use lots of Summit X450/X450a, for L2 only, and have been generally reasonably happy with them. If I could buy a similarly featured product from Cisco, for a similar price, I might well choose Cisco. But at least in our case Cisco *doesn't* have a competitive product (case in point: ME3400 - too few ports, too few MAC addresses, funky licensing even if you just want to do simple QinQ). Steinar Haug, Nethelp consulting, sth...@nethelp.no
Re: Repeated Blacklisting / IP reputation
On Tue, 8 Sep 2009, Wayne E. Bouchard wrote: This is not actually a new problem. ISPs have been fighting this for some time. When a dud customer spams from a given IP range and gets it placed in various RBLs, when that customer is booted or otherwise removed, that block will probably get reissued. The new customer then calls up and says, my email isn't getting through. All it takes is a The difference/issue here is that it's easy for you when turning down or turning up a customer to check the IP space being revoked/assigned in the various popular public DNSBLs, sparing your customers the headache of being assigned blacklisted IPs. Until your next customer starts using the space and can't send us email, you have no way of knowing that we null routed the subnet on our MX cluster. -- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: Repeated Blacklisting / IP reputation
Seth Mattinen wrote: I was always under the impression that smaller orgs were not allowed to join the MAAWG club. They're allowed. At $4k/year minimum, up to $25K/year. By the way, among the members... Experian CheetahMail ExactTarget, Inc Responsys, Inc. Vertical Response, Inc Yesmail -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: Repeated Blacklisting / IP reputation
On Tue, 8 Sep 2009, Joe Greco wrote: It seems like it *could* be useful to have a system to notify of network delegation changes, but it also seems like if this was particularly important to anyone, then someone would have found a trivial way to implement at least a poor man's version of it. For example, record the ASN of a blocked IP address and remove the block when the ASN changes... That too, would be easily gamed by spammers. Just get multiple ASN's and bounce your dirty IPs around between them to clean them. The IP space being a direct (RIR-LIR) allocation having been made after the blocking was initiated is a pretty clear sign that the space has actually changed hands, and seems like it would be fairly difficult (if at all possible) to game. Right, but they'll only do that if they're aware of such a system and it is significant enough to make a dent in them. Further, it would be a mistake to assume that *just* changing ASN's would be sufficient. The act of changing ASN's could act as a trigger to re-whois ARIN for an update of ownership, for example. The fact is that the information to trigger a re-query of ownership upon a redelegation sort-of already exists, though it is clearly imperfect. My point was that if it was actually useful to notice when an IP delegation moved, someone would already have made up a system to do this somehow. So my best guess is that there isn't a really strong incentive to pursue some sort of notification system, because you could pretty much do it as it stands. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
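An added example (not code from any poster in this thread) of the two signals discussed above: a direct RIR allocation dated after the block began marks the entry as stale, while an origin-ASN change or a newer reassignment (SWIP) only triggers a re-check, since those can be gamed. All prefixes, ASNs, organisation names and dates are constructed; a real run would fill the registry records from whois and routing data.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class BlockEntry:
    prefix: str            # what the local ACL / null route covers
    blocked_on: date       # when the block was added
    asn_when_blocked: int  # origin ASN recorded at that time
    reason: str


@dataclass(frozen=True)
class Registration:
    prefix: str
    org: str
    allocated_on: date
    direct: bool           # True: RIR -> LIR allocation; False: reassignment (SWIP)
    origin_asn: int        # ASN currently originating the prefix


# Constructed sample data (documentation prefixes and ASNs only).
BLOCKLIST = [
    BlockEntry("192.0.2.0/25", date(2006, 3, 14), 64496, "spam run"),
    BlockEntry("198.51.100.0/24", date(2007, 11, 2), 64497, "open proxy"),
    BlockEntry("203.0.113.64/26", date(2008, 6, 30), 64498, "spam run"),
    BlockEntry("203.0.113.0/26", date(2008, 6, 30), 64498, "spam run"),
]
REGISTRY = [
    Registration("192.0.2.0/24", "ExampleNet-A", date(2008, 5, 1), True, 64500),
    Registration("198.51.100.0/24", "ExampleNet-B", date(2004, 1, 9), True, 64501),
    Registration("203.0.113.0/24", "ExampleNet-C", date(2003, 2, 2), True, 64498),
    Registration("203.0.113.64/26", "Customer-D", date(2009, 1, 15), False, 64498),
]


def covering(prefix, registry):
    """Registry records that cover the blocked prefix, most specific first."""
    net = ipaddress.ip_network(prefix)
    hits = [r for r in registry if net.subnet_of(ipaddress.ip_network(r.prefix))]
    return sorted(hits, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen,
                  reverse=True)


def verdict(entry, registry):
    regs = covering(entry.prefix, registry)
    if not regs:
        return "unknown"            # no registration data: leave for a human
    direct = next((r for r in regs if r.direct), None)
    # Strong signal: the direct allocation itself is newer than the block.
    if direct is not None and direct.allocated_on > entry.blocked_on:
        return "stale"
    # Weak signals: a newer reassignment or a different origin ASN.
    # Either can be produced by shuffling space between related entities,
    # so they only justify looking at whois again, not an automatic unblock.
    newer_record = any(r.allocated_on > entry.blocked_on for r in regs)
    asn_changed = regs[0].origin_asn != entry.asn_when_blocked
    if newer_record or asn_changed:
        return "recheck"
    return "keep"


def review(blocklist, registry):
    """Map each blocked prefix to keep / recheck / stale / unknown."""
    return {e.prefix: verdict(e, registry) for e in blocklist}


if __name__ == "__main__":
    for prefix, result in review(BLOCKLIST, REGISTRY).items():
        print(f"{prefix:18} {result}")
```

The check only works if the block date is recorded when the entry is added, which is the record-keeping gap several posters point out.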
Re: Repeated Blacklisting / IP reputation
John Curran wrote: On Sep 8, 2009, at 2:18 PM, JC Dill wrote: It seems simple and obvious that ARIN, RIPE, et al. should determine the blacklist state of a reclaimed IP group and ensure that the IP group is usable before re-allocating it. When IPs are reclaimed, first check to see if the reclaimed IPs are on any readily checked RBL or private blacklist of major ISPs, corporations, universities, etc. If so, work with those groups to get the blocks removed *prior* to reissuing the IPs to a new entity. Before releasing the IPs to a new entity, double check that they are not being blocked (that any promises to remove them from a blacklist were actually fulfilled). Hold the IPs until you have determined that they aren't overly encumbered with prior blacklist blocks due to poor behavior of the previous entity. (The same should be done before allocating out of a new IP block, such as when you release the first set of IPs in a new /8.) In this case, it's not the RBL's that are the issue; the address block in question isn't on them. It's the ISP's and other firms using manual copies rather than actually following best practices. It's not that hard to make a list of the major ISPs, corporations, universities (entities with a large number of users), find willing contacts inside each organization (individual or role addresses you can email, and see if the email bounces, and who will reply if the email is received) and run some automated tests to see if the IPs are being blocked. In your follow-up email to me, you said you check dozens of RBLs - that is clearly insufficient - probably by an order of magnitude - of the entities you should check with. The number should be hundreds. A reasonably clueful intern can provide you with a suitable list in short order, probably less than 1 day, and find suitable contacts inside each organization in a similar time frame - it might take a week total to build a list of ~500 entities and associated email addresses.
Because of employee turn-over the list will need to be updated, ~1-10 old addresses purged and replaced with new ones on a monthly basis. Why isn't this being done now? Issuing reclaimed IPs is a lot like selling a used car, except that the buyer has no way to examine the state of the IPs you will issue them beforehand. Therefore it's up to you (ARIN, RIPE, et. al.) to ensure that they are just as good as any other IP block. It is shoddy business to take someone's money and then sneakily give them tainted (used) goods and expect them to deal with cleaning up the mess that the prior owner made, especially when you charge the same rate for untainted goods! Not applicable in this case, as noted above. What do you mean, not applicable? You take the money and issue IPs. There is no way for the buyer to know before hand if the IPs are tainted (used) or new. It is up to you (ARIN) to ensure that the goods (IPs) are suitable for the intended use. My analogy is entirely applicable, and I'm amazed you think otherwise. So, back to the question: could someone explain why they've got copies of the RBL's in their network which don't get updated on any reasonable refresh interval? (weekly? monthly?) The why really isn't at issue - it happens and it's going to keep happening. The question is what are you (ARIN) going to do about it? Give me the serenity to accept the things I cannot change, The courage to change the things I can, And the wisdom to know the difference. You (ARIN et. al.) don't have any ability to change the why. What you can change is how you go about determining if an IP block is suitable for reallocation or not, and what steps you take to repair IP blocks that aren't suitable for reallocation. jc - posted to NANOG since John indicated that he thought his reply to me was going to NANOG as well.
Re: Repeated Blacklisting / IP reputation
On Tue, Sep 08, 2009 at 02:34:10PM -0500, Joe Greco wrote: there is a fundamental disconnect here. the IP space is neutral. it has no bias toward or against social behaviours. it's a tool. the actual/real target here are the people who are using these tools to be antisocial. blacklisting IP space is always reactive and should only be used in emergency and as a -TEMPORARY- expedient. IMHO of course., YMMV. Show me ONE major MTA which allows you to configure an expiration for an ACL entry. call me old skool... VI works a treat and I'm told there is this thing called emacs ... but i remain dubious. The problem with your opinion, and it's a fine opinion, and it's even a good opinion, is that it has very little relationship to the tools which are given to people in order to accomplish blocking. Kind of the question I was contemplating in my other message of minutes ago. if all you have is a hammer... folks need better tools. If people were given an option to block this IP for 30 minutes, 24 hours, 30 days, 12 months, 5 years, or forever - I wonder how many people would just shrug and click forever. which is their choice. please show me the mandate for accepting routes/packets from any/everywhere? me, i'd want the option to block 192.0.2.0/24 as long as it is announced by AS 0 and the whois data points to RIAA as the registered contact e.g. not just a temporal block. or - if traffic from 192.0.2.80 increases more than 65% in a 150 second interval, block the IP for 27 minutes. or - allow any/all traffic from 192.0.2.42 - regardless of the blocking on 192.0.2.0/24 the mind boggles. This may lead to the discovery of another fundamental disconnect - or two. such is the course of human nature. Sigh. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again.
- Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Re: Repeated Blacklisting / IP reputation
Jason Bertoch wrote: Suresh Ramasubramanian wrote: That said most of the larger players already attend MAAWG - that leaves rural ISPs, small universities, corporate mailservers etc etc that don't have full time postmasters, and where you're more likely to run into this issue. I've found the opposite to hold true more often. Smaller organizations can use public blacklists for free, due to their low volume, and so have little incentive to run their own local blacklist. I've typically seen the larger organizations run their own blacklists and are much more difficult to contact for removal. Take for example GoDaddy's hosted email service. They are using a local, outdated copy of SORBS that has one of my personal servers listed in it. It was an open proxy for about a week nearly 3 years ago and still they have it listed. The upside is that I've demonstrated GoDaddy's email incompetence to potential customers and gotten them to switch to our own mail services. Their loss, my gain. Justin
Re: Repeated Blacklisting / IP reputation
John Curran wrote: On Sep 8, 2009, at 2:18 PM, JC Dill wrote: It seems simple and obvious that ARIN, RIPE, et al. should determine the blacklist state of a reclaimed IP group and ensure that the IP group is usable before re-allocating it. When IPs are reclaimed, first check to see if the reclaimed IPs are on any readily checked RBL or private blacklist of major ISPs, corporations, universities, etc. If so, work with those groups to get the blocks removed *prior* to reissuing the IPs to a new entity. Before releasing the IPs to a new entity, double check that they are not being blocked (that any promises to remove them from a blacklist were actually fulfilled). Hold the IPs until you have determined that they aren't overly encumbered with prior blacklist blocks due to poor behavior of the previous entity. (The same should be done before allocating out of a new IP block, such as when you release the first set of IPs in a new /8.) In this case, it's not the RBL's that are the issue; the address block in question isn't on them. It's the ISP's and other firms using manual copies rather than actually following best practices. It's not that hard to make a list of the major ISPs, corporations, universities (entities with a large number of users), find willing contacts inside each organization (individual or role addresses you can email, and see if the email bounces, and who will reply if the email is received) and run some automated tests to see if the IPs are being blocked. In your follow-up email to me, you said you check dozens of RBLs - that is clearly insufficient - probably by an order of magnitude - of the entities you should check with. The number should be hundreds. A reasonably clueful intern can provide you with a suitable list in short order, probably less than 1 day, and find suitable contacts inside each organization in a similar time frame - it might take a week total to build a list of ~500 entities and associated email addresses.
Because of employee turn-over the list will need to be updated, ~1-10 old addresses purged and replaced with new ones on a monthly basis. Really? And you expect all these organizations to do ... what? Hire an intern to be permanent liaison to ARIN? Answer queries to whether or not IP space X is currently blocked (potentially at one of hundreds or thousands of points in their system, which corporate security may not wish to share, or even give some random intern access to)? Process reports of new ARIN delegations? What are you thinking they're going to do? And why should they care enough to do it? Why isn't this being done now? Issuing reclaimed IPs is a lot like selling a used car, except that the buyer has no way to examine the state of the IPs you will issue them beforehand. Therefore it's up to you (ARIN, RIPE, et. al.) to ensure that they are just as good as any other IP block. It is shoddy business to take someone's money and then sneakily give them tainted (used) goods and expect them to deal with cleaning up the mess that the prior owner made, especially when you charge the same rate for untainted goods! Not applicable in this case, as noted above. What do you mean, not applicable? You take the money and issue IPs. There is no way for the buyer to know before hand if the IPs are tainted (used) or new. It is up to you (ARIN) to ensure that the goods (IPs) are suitable for the intended use. My analogy is entirely applicable, and I'm amazed you think otherwise. WOW. That's a hell of a statement. There is absolutely nothing that ARIN can do if I decide I'm going to have our servers block connections from networks ending in an odd bit. Nobody is in a position to ensure that ANY Internet connection or IP space is suitable for the intended use. Welcome to the Internet. So, back to the question: could someone explain why they've got copies of the RBL's in their network which don't get updated on any reasonable refresh interval? (weekly? monthly?) 
The why really isn't at issue - it happens and it's going to keep happening. The question is what are you (ARIN) going to do about it? Give me the serenity to accept the things I cannot change, The courage to change the things I can, And the wisdom to know the difference. You (ARIN et. al.) don't have any ability to change the why. What you can change is how you go about determining if an IP block is suitable for reallocation or not, and what steps you take to repair IP blocks that aren't suitable for reallocation. So, in addition to just registering IP space, it's also their job to clean it up? I'm sorry, I agree that there's a problem, but this just sounds like it isn't feasible. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net We call it the 'one bite at the apple' rule. Give me one
Re: Repeated Blacklisting / IP reputation
Seth Mattinen wrote: I was always under the impression that smaller orgs were not allowed to join the MAAWG club. I've heard that, too, but have no idea where it comes from. It's not true; there's no size requirement or anything like that. http://www.maawg.org/ has the membership application and other info. -- J.D. Falk Co-Chair, Program Committee Messaging Anti-Abuse Working Group
Re: Repeated Blacklisting / IP reputation
J.D. Falk wrote: Seth Mattinen wrote: I was always under the impression that smaller orgs were not allowed to join the MAAWG club. I've heard that, too, but have no idea where it comes from. It's not true; there's no size requirement or anything like that. http://www.maawg.org/ has the membership application and other info. The $4000/year minimum membership fee is a non-starter for small organizations who are already strapped for operating cash as it is. This is probably where the perception comes from. -- William Astle l...@l-w.ca
Re: Repeated Blacklisting / IP reputation
there is a fundamental disconnect here. the IP space is neutral. it has no bias toward or against social behaviours. it's a tool. the actual/real target here are the people who are using these tools to be antisocial. blacklisting IP space is always reactive and should only be used in emergency and as a -TEMPORARY- expedient. IMHO of course., YMMV. Show me ONE major MTA which allows you to configure an expiration for an ACL entry. The problem with your opinion, and it's a fine opinion, and it's even a good opinion, is that it has very little relationship to the tools which are given to people in order to accomplish blocking. Kind of the question I was contemplating in my other message of minutes ago. If people were given an option to block this IP for 30 minutes, 24 hours, 30 days, 12 months, 5 years, or forever - I wonder how many people would just shrug and click forever. This may lead to the discovery of another fundamental disconnect - or two. Sigh. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Re: Repeated Blacklisting / IP reputation
MAAWG has no size limitations as to members. Yes we do have a $4000 supporter membership. This has not proved a barrier to many organisations. Mike O'Reirdan Chairman, MAAWG - Original Message - From: Benjamin Billon bbillon...@splio.fr To: nanog@nanog.org nanog@nanog.org Sent: Tue Sep 08 17:17:58 2009 Subject: Re: Repeated Blacklisting / IP reputation ISPs can be invited and there are specific meetings for them (closed to other members). There're also whitepapers for ISP (and others). But I agree, hoping ALL the ISPs join MAAWG or even hear about it is utopian. -- Benjamin William Astle wrote: J.D. Falk wrote: Seth Mattinen wrote: I was always under the impression that smaller orgs were not allowed to join the MAAWG club. I've heard that, too, but have no idea where it comes from. It's not true; there's no size requirement or anything like that. http://www.maawg.org/ has the membership application and other info. The $4000/year minimum membership fee is a non-starter for small organizations who are already strapped for operating cash as it is. This is probably where the perception comes from.
Re: Datacenter recommendations - China and Latin America [SUMMARY]
For those who have a real need for both hosting within the Chinese autonomous routing domain *and* good, English-friendly remote hands support, I would also recommend considering the Silk Road Technologies data center in Hangzhou: http://www.srt.com.cn/en/ TV On Sep 8, 2009, at 3:57 PM, Michael K. Smith - Adhost wrote: Hello: Thank you to everyone that provided off-list recommendations. I've compiled the list of providers in no particular order. Regards, Mike Latin America - Securehost - http://www.securehost.com - Triara (Telmex) - http://www.triara.com/Datacenter.htm - KIO Networks - Xertix - Hortolandia - CyDC (Brazil Telecom) - http://www.cydc.com.br - ALOG - http://www.alog.com.br - Terremark - http://www.terremark.com.br - Locaweb (Brazil) China/Hong Kong - Telehouse Beijing - http://www.telehouse.com/globalfacilities.php#asia - Vianet - http://www.21vianet.com/en/index.jsp - Mega-Iadvantage - http://www.iadvantage.net/facilities/facilities_megai_main.html - Dailan - InterNAP (partnering with Equinix) - Equinix - http://www.equinix.com/locations/map/asiapacific/hongkong/ -- Michael K. Smith - CISSP, GISP Chief Technical Officer - Adhost Internet LLC mksm...@adhost.com w: +1 (206) 404-9500 f: +1 (206) 404-9050 PGP: B49A DDF5 8611 27F3 08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)
Re: Repeated Blacklisting / IP reputation
Joe Greco wrote: I'm sorry, I agree that there's a problem, but this just sounds like it isn't feasible. Some people suffer from the culturally ingrained inability to understand that certain kinds of problems just can't. Be. Solved. And/or they aren't worth solving under present circumstances. -- Alex Balashov - Principal Evariste Systems Web : http://www.evaristesys.com/ Tel : (+1) (678) 954-0670 Direct : (+1) (678) 954-0671
Re: Repeated Blacklisting / IP reputation
I am amazed with the amount of thoughtful comments I have seen, both on and off list. It really illustrates that people are willing to try to help out, but there is an overall lack of clear direction on how to improve things. Most of us seem to adopt that which has always just worked for us. Don't get me wrong, I'm sure there are a lot of improvements/mods going on with RBL operators in terms of the technology and how they choose who to block. I'm also certain that most of the carriers are doing their best to follow RFCs, use e-mail filtering, and perform deep packet inspection to keep themselves off of the lists. AND there seems to be some technologies that were meant to work, and cause their own sets of problems (example: allowing the end user to choose what is considered spam and blacklisting based on that). As was said before, it's not the WHY but rather how can we fix it if it's broke. The large debate seems to revolve around responsibility, or lack thereof. In our case, we are the small operator who sits in the sidelines hoping that someone larger than us, or more influential has an opinion. We participate in lists, hoping to make a difference and contribute, knowing that in a lot of cases, our opinion is just that: an opinion. I suppose that could spark a debate about joining organizations (who shall go nameless here), power to the people, etc. It seems as though a potential solution *may* revolve around ARIN/IANA having the ability to communicate an authoritative list of reassigned IP blocks back to the carriers. This could serve as a signal to remove a block from the RBL, but I'm sure there will be downfalls with doing this as well. In my specific case, I am left with a legacy block that I have to accept is going to be problematic. Simply contacting RBL operators is just not doing the trick. Most of the e-mails include links or at least an error code, but some carriers just seem to be blocking without an error, or even worse, an ACL... 
We will continue to remove these blocks as necessary, reassign IPs from other blocks where absolutely necessary, and ultimately hope the problem resolves itself over time. Thanks again for the very thoughtful and insightful comments, they are greatly appreciated. Regards, --- Tom Pipes T6 Broadband/ Essex Telcom Inc tom.pi...@t6mail.com - Original Message - From: Tom Pipes tom.pi...@t6mail.com To: nanog@nanog.org Sent: Tuesday, September 8, 2009 9:57:58 AM GMT -06:00 US/Canada Central Subject: Repeated Blacklisting / IP reputation Greetings, We obtained a direct assigned IP block 69.197.64.0/18 from ARIN in 2008. This block has been cursed (for lack of a better word) since we obtained it. It seems like every customer we have added has had repeated issues with being blacklisted by DUL and the cable carriers. (AOL, ATT, Charter, etc). I understand there is a process to getting removed, but it seems as if these IPs had been used and abused by the previous owner. We have done our best to ensure these blocks conform to RFC standards, including the proper use of reverse DNS pointers. I can resolve the issue very easily by moving these customers over to our other direct assigned 66.254.192.0/19 block. In the last year I have done this numerous times and have had no further issues with them. My question: Is there some way to clear the reputation of these blocks up, or start over to prevent the amount of time we are spending with each customer troubleshooting unnecessary RBL and reputation blacklisting? I have used every opportunity to use the automated removal links from the SMTP rejections, and worked with the RBL operators directly. Most of what I get are cynical responses and promises that it will be fixed. If there is any question, we perform inbound and outbound scanning of all e-mail, even though we know that this appears to be something more relating to the block itself. Does anyone have any suggestions as to how we can clear this issue up? 
Comments on or off list welcome. Thanks, --- Tom Pipes T6 Broadband/ Essex Telcom Inc tom.pi...@t6mail.com
Re: Repeated Blacklisting / IP reputation
Wayne E. Bouchard wrote: Best practices for the public or subscription RBLs should be to place a TTL on the entry of no more than, say, 90 days or thereabouts. Best practices for manual entry should be to either keep a list of what and when or periodically to simply blow the whole list away and start anew to get rid of stale entries. Of course, that is probably an unreal expectation. I've had to implement something similar for my RTBH trigger router. After manually adding nearly 20,000 static routes of hosts that scanned for open proxies or attacked SSH daemons on my network I had to trim the block list considerably because many of my older PEs couldn't handle that many routes without problems. I already named each static with a reason for the block (SSH, Telnet, Proxy-scan, etc) but ended up prepending a date to that string as well: 20090908-SSH-Scan. That way I can parse the config later on and create config to negate everything that's older than 3-4 months. If one of those old IPs is still trying to get to me after 4 months then it will get readded the next time I process my log entries. If they aren't trying to hit me then they'll no longer be consuming space in my RIB. Justin
Datacenter recommendations - China and Latin America [SUMMARY]
Hello: Thank you to everyone that provided off-list recommendations. I've compiled the list of providers in no particular order. Regards, Mike Latin America - Securehost - http://www.securehost.com - Triara (Telmex) - http://www.triara.com/Datacenter.htm - KIO Networks - Xertix - Hortolandia - CyDC (Brazil Telecom) - http://www.cydc.com.br - ALOG - http://www.alog.com.br - Terremark - http://www.terremark.com.br - Locaweb (Brazil) China/Hong Kong - Telehouse Beijing - http://www.telehouse.com/globalfacilities.php#asia - Vianet - http://www.21vianet.com/en/index.jsp - Mega-Iadvantage - http://www.iadvantage.net/facilities/facilities_megai_main.html - Dailan - InterNAP (partnering with Equinix) - Equinix - http://www.equinix.com/locations/map/asiapacific/hongkong/ -- Michael K. Smith - CISSP, GISP Chief Technical Officer - Adhost Internet LLC mksm...@adhost.com w: +1 (206) 404-9500 f: +1 (206) 404-9050 PGP: B49A DDF5 8611 27F3 08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)
Re: Repeated Blacklisting / IP reputation
ISPs can be invited and there are specific meetings for them (closed to other members). There're also whitepapers for ISP (and others). But I agree, hoping ALL the ISPs join MAAWG or even hear about it is utopian. -- Benjamin William Astle wrote: J.D. Falk wrote: Seth Mattinen wrote: I was always under the impression that smaller orgs were not allowed to join the MAAWG club. I've heard that, too, but have no idea where it comes from. It's not true; there's no size requirement or anything like that. http://www.maawg.org/ has the membership application and other info. The $4000/year minimum membership fee is a non-starter for small organizations who are already strapped for operating cash as it is. This is probably where the perception comes from.
Re: Network Ring
sth...@nethelp.no wrote: Rod Beck wrote: What is EAPS? A joke of a standard and something to be avoided at all costs. I would echo the last part about Extreme switches too. Disagree. I don't believe anybody would claim EAPS is a standard just because an RFC has been published. Pannaway does. That was one of the very arguments I used against their product when they were brought in. They claimed that it was a standard because it had a RFC. I tried to explain the difference between an Information RFC and a Standards Track to no avail. Of course this also came from the Pannaway SE that gave me 3 quotes I repeat as often as possible to as many people as possible. He said: 1) that we didn't need to run an IGP across our network because we weren't big enough to need one. This was in response to my query about their lack of support for IS-IS. He said that he'd seen SP networks many times our size get by perfectly well with static routes. 2) that we didn't need QoS on our network if our links weren't saturated. I won't get into the holy war over serialization delay, micro bursts, and queuing here. It's been hashed out many times before on NANOG I'm sure. 3) that IPv6 was just a fad and that it would never be implemented in the US. I got our /32 in 2008 and am working on the deployment now. I'm certainly not breaking new ground here either. It may not be the most common thing in the US but it is picking up steam for everyone not running Pannaway products since they don't support IPv6 (the BASs and BARs that we ended up buying at least). As for Extreme switches - they have their strengths and weaknesses, just like any other product. We use lots of Summit X450/X450a, for L2 only, and have been generally reasonably happy with them. If I could buy a similarly featured product from Cisco, for a similar price, I might well choose Cisco. 
But at least in our case Cisco *doesn't* have a competitive product (case in point: ME3400 - too few ports, too few MAC addresses, funky licensing even if you just want to do simple QinQ). I don't have any experience with the ME3400 unfortunately. A mix of vendors isn't a bad thing if you have the knowledge, depth and time to keep up with each of them so you can support the device adequately (adequate staffing is involved here too). When one buys a budget switch just to save a few bucks they tend to get what they paid for and none of what they didn't (training, experience for their staff, printed third-party references, reliable online support groups for example). I'm in a situation right now where a vendor has proposed a basic L2 switch solution to redundantly connect 2 of our sites. They come in cheaper than the Cisco equivalent (4 4948-10GEs) but we also have absolutely no experience with that vendor. That means interop testing, future finger pointing in the heat of an outage, double training staff, inevitable config errors and typos thanks to the differences between the vendor we're used to and the one that is being proposed for this one-off connection. The better fool-proof solution costs a bit more and I have to convince management not to save a short-term buck which costs of many long-term bucks. Sometimes you really do get what you pay for. Justin
Re: Repeated Blacklisting / IP reputation
Jay Hennigan wrote: By the way, among the members... Experian CheetahMail ExactTarget, Inc Responsys, Inc. Vertical Response, Inc Yesmail Have you been reading from my blacklist again, Jay? Justin
Re: Datacenter recommendations - China and Latin America
You could get a China Telecom link in HK as well as many others: sit astride the Great Firewall! What is the Great Firewall relationship between Hong Kong and the mainland PRC, as compared to the mainland PRC vs. the rest of the world?
Re: Repeated Blacklisting / IP reputation
Joe Greco wrote: there is a fundamental disconnect here. the IP space is neutral. it has no bias toward or against social behaviours. it's a tool. the actual/real target here are the people who are using these tools to be antisocial. blacklisting IP space is always reactive and should only be used in emergency and as a -TEMPORARY- expedient. IMHO of course, YMMV. Show me ONE major MTA which allows you to configure an expiration for an ACL entry. The problem with your opinion, and it's a fine opinion, and it's even a good opinion, is that it has very little relationship to the tools which are given to people in order to accomplish blocking. Kind of the question I was contemplating in my other message of minutes ago. If people were given an option to block this IP for 30 minutes, 24 hours, 30 days, 12 months, 5 years, or forever - I wonder how many people would just shrug and click forever. This may lead to the discovery of another fundamental disconnect - or two. Sigh. ... JG A cron job/scheduled task with a script that removes said line would most likely do wondrous things for you. I could see a comment before each listing with a time/date that you use some regex fu on to figure out how long it was there and how long it should be there for. Simple! You could also automate it with a web frontend for noobs so they don't have to manually edit configuration files.
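The approach suggested in the reply above (a dated comment above each listing, pruned by a scheduled job), written out as an added example that is not part of any post in this thread. The tag format `# added=... ttl=...`, the function names and the sample entries are assumptions; entry lines are treated as opaque text, so no particular MTA's ACL syntax is implied.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed tag on the line above an entry: "# added=<UTC time> ttl=<N><m|h|d>" (or ttl=forever)
TAG = re.compile(r"^#\s*added=(\S+)\s+ttl=(?:(\d{1,5})([mhd])|forever)$")
SECONDS = {"m": 60, "h": 3600, "d": 86400}
FOREVER = datetime.max.replace(tzinfo=timezone.utc)

def deadline(line):
    """Expiry stated by a tag line; FOREVER for ttl=forever; None if not a valid tag."""
    m = TAG.match(line.strip())
    if not m:
        return None
    added, count, unit = m.groups()
    try:
        start = datetime.strptime(added, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return start + timedelta(seconds=int(count) * SECONDS[unit]) if count else FOREVER
    except (ValueError, OverflowError):
        return None

def prune(lines, now):
    """Return (kept, removed, unmanaged). An expired entry is dropped with its tag;
    an entry without a valid tag is kept and reported, never unblocked on a guess."""
    kept, removed, unmanaged = [], [], []
    tag = None  # (line, deadline) of a tag waiting for the entry under it
    for line in lines:
        text = line.strip()
        if not text or text.startswith("#"):
            if tag:
                kept.append(tag[0])  # tag with no entry directly under it
            exp = deadline(line)
            tag = (line, exp) if exp is not None else None
            if not tag:
                kept.append(line)  # blank line or ordinary comment
        elif tag and tag[1] <= now:
            removed.append(text)
            tag = None
        else:
            if not tag:
                unmanaged.append(text)
            kept.extend([tag[0], line] if tag else [line])
            tag = None
    if tag:
        kept.append(tag[0])
    return kept, removed, unmanaged

# Constructed sample (documentation addresses); on 2009-09-09 only the first entry is past its TTL.
SAMPLE = ["# added=2009-09-01T00:00:00Z ttl=24h", "192.0.2.10 REJECT", "192.0.2.99 REJECT",
          "# added=2009-09-01T00:00:00Z ttl=30d", "198.51.100.0/24 REJECT"]
```

A scheduled job would read the ACL file, write the `kept` lines to a temporary file, rename it over the original, and log `removed` and `unmanaged` for review.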
Block of AS Numbers allocated to APNIC
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, The IANA AS Numbers registry has been updated to reflect the allocation of a block of AS Numbers to APNIC. 55296-56319 Assigned by APNIC whois.apnic.net 2009-09-02 The registry can be found at: http://www.iana.org/assignments/as-numbers/as-numbers.xml http://www.iana.org/assignments/as-numbers/as-numbers.xhtml http://www.iana.org/assignments/as-numbers/as-numbers.txt Regards, Leo Vegoda Number Resources Manager, IANA -BEGIN PGP SIGNATURE- Version: 9.10.0.500 wj4DBQFKpohJvBLymJnAzRwRAncHAJiRWENmmK+qwpvAZIaPrs/urIa/AJ9f1A05 PM9TJWxzbAxpSiXyIgzvfA== =MGZ2 -END PGP SIGNATURE-
Re: Colt outages?
On 08 Sep 2009, at 16:41, Eric Brunner-Williams wrote: Anyone have news on this? I understand Colt has fixed London and are working on Dublin, Bruxelles and Geneva... but that's all I have. The only interesting news and comments I found about this outage were on TheRegister.co.uk website: http://www.theregister.co.uk/2009/09/08/colt_telecom_outage/ http://www.theregister.co.uk/2009/09/08/colt_telecom_outage/comments/
Re: Repeated Blacklisting / IP reputation
O'Reirdan, Michael wrote: MAAWG has no size limitations as to members. Yes we do have a $4000 supporter membership. This has not proved a barrier to many organisations. Likely because for the ones for whom it is a barrier, they look at the cost and don't even bother considering an initial contact. Thus, you never hear about it. Admittedly, most smaller organizations simply don't have the time to participate in even a handful of the $bignum industry organizations (whether they cost money or not) so that's likely a more substantial barrier. To be completely clear, it's not clear to me that an organization that cannot afford $4000/year would actually have the resources to participate in a meaningful way anyway. Which is to say that I do not necessarily disagree with the fee structure, and that is speaking from under my small organization for whom the $4k/year is an insurmountable barrier hat. All that said, I believe I have had my say sufficiently so I will not contribute further to the overall noise level on NANOG. Mike O'Reirdan Chairman, MAAWG - Original Message - From: Benjamin Billon bbillon...@splio.fr To: nanog@nanog.org nanog@nanog.org Sent: Tue Sep 08 17:17:58 2009 Subject: Re: Repeated Blacklisting / IP reputation ISPs can be invited and there are specific meetings for them (closed to other members). There're also whitepapers for ISP (and others). But I agree, hoping ALL the ISPs join MAAWG or even hear about it is utopian. -- Benjamin William Astle wrote: J.D. Falk wrote: Seth Mattinen wrote: I was always under the impression that smaller orgs were not allowed to join the MAAWG club. I've heard that, too, but have no idea where it comes from. It's not true; there's no size requirement or anything like that. http://www.maawg.org/ has the membership application and other info. The $4000/year minimum membership fee is a non-starter for small organizations who are already strapped for operating cash as it is.
This is probably where the perception comes from. -- William Astle l...@l-w.ca
Cable and Wireless Antigua
Hi there, I have gone through all normal channels to try to get through to someone in Cable and Wireless Antigua (LIME). It seems difficult to get a fast response through normal channels (it can take up to 48 hours sometimes to get a response to a network down situation). Are there any senior admins who deal directly with the transit end on NANOG? I am having some difficulty getting a security issue dealt with. Thanks! Ken
Re: Datacenter recommendations - China and Latin America
On Sep 8, 2009, at 5:20 PM, Benjamin Billon wrote: You could get a China Telecom link in HK as well as many others: sit astride the Great Firewall! From a cost, operational, and routing perspective, the same would be true if you got a CT link in Los Angeles or San Francisco. Since CT and CNC control all routes between China and everywhere else in the world -- including HK -- and the outsideCN-to-insideCN segment is going to be the most expensive and complicated element of any path between China and anywhere else, the choice of interconnect location with your preferred China-side service provider is largely going to be a matter of personal taste/local convenience. Don't get me wrong, I like Hong Kong too -- just trying to make sure that everyone understands the situation clearly... TV What is the Great Firewall relationship between Hong Kong and the mainland PRC, as compared to the mainland PRC vs. the rest of the world?
Re: Repeated Blacklisting / IP reputation
How about a trial period from ARIN? You get your IP block, and you get 30 days to determine if it is clean or not. Do some testing, check the blacklists, do some magic to see if there are network-specific blacklists that might prevent your customers from sending or receiving email/web/other connections with that new IP block. If there are problems, go back to ARIN and show them your work and if they can verify your work (or are simply lazy) you get a different block. ARIN puts the block into another quiet period. Maybe they use the work you did to clean up the block, maybe they don't. Cleaning up a block of IPs previously used by shady characters has a real cost, both in time and money. The argument as I see it is who bears the responsibility and cost of that cleanup. Beckman --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: Repeated Blacklisting / IP reputation
Peter Beckman wrote: How about a trial period from ARIN? You get your IP block, and you get 30 days to determine if it is clean or not. Do some testing, check the blacklists, do some magic to see if there are network-specific blacklists that might prevent your customers from sending or receiving email/web/other connections with that new IP block. If there are problems, go back to ARIN and show them your work and if they can verify your work (or are simply lazy) you get a different block. ARIN puts the block into another quiet period. Maybe they use the work you did to clean up the block, maybe they don't. Cleaning up a block of IPs previously used by shady characters has a real cost, both in time and money. The argument as I see it is who bears the responsibility and cost of that cleanup. I encourage someone to write a policy proposal; I'd support it. They (the recipient) didn't have a darn thing to do with it becoming a wasteland and shouldn't bear the cost. Unlike buying a (insert your favorite object here), you can't inspect an IP block before purchase. I fear that we don't guarantee routability will rear its ugly head even if someone were to pen an awesome policy. I feel it's a poor position for a registry to take, though. They still get the money even if you can't use them, and uh oh, looks like you won't qualify for more until you use the unusable. Probably getting off topic for NANOG, like most threads that get this long. ~Seth
Re: Repeated Blacklisting / IP reputation
sounds like domain tasting to me. --bill On Wed, Sep 09, 2009 at 01:04:48AM -0400, Peter Beckman wrote: How about a trial period from ARIN? You get your IP block, and you get 30 days to determine if it is clean or not. Do some testing, check the blacklists, do some magic to see if there are network-specific blacklists that might prevent your customers from sending or receiving email/web/other connections with that new IP block. If there are problems, go back to ARIN and show them your work and if they can verify your work (or are simply lazy) you get a different block. ARIN puts the block into another quiet period. Maybe they use the work you did to clean up the block, maybe they don't. Cleaning up a block of IPs previously used by shady characters has a real cost, both in time and money. The argument as I see it is who bears the responsibility and cost of that cleanup. Beckman --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---