Re: Spamhaus flags any IP announced by our ASN as a criminal network

2023-03-22 Thread Brandon Zhi
Hello Barry,

Thanks for your blog.

I plan to block some ports on our router, which are shown in your blog.

> Step 1 on the list …. Deploy Exploitable Port Filtering on the edge of
> your network ….
>


Some of our routers use Linux as the operating system, so I plan to use
nftables to make some filtering rules.

Best,

*Brandon Zhi*
HUIZE LTD

www.huize.asia  | www.ixp.su | Twitter




On Tue, 21 Mar 2023 at 00:11, Randy Bush  wrote:

> this company(s) is in the business of spam.  they're just trying to
> game nanog.  discussing further a waste of pixels.
>
> randy
>


Re: Spamhaus flags any IP announced by our ASN as a criminal network

2023-03-21 Thread August Yang via NANOG
Firstly, it's worth noting that AS47158 was registered to 
ORG-IL649-RIPE, which was not a LIR.


Additionally, LIRs do not assign ASNs to end users whereas RIPE does. 
NIR in certain regions is another story.


End user may enter into a sponsorship agreement with LIR to receive ASN 
assignment, still directly from NCC.


It's important to note that ASNs and IP resources have quite different 
assignment policies, so the involvement of IP brokers is not relevant in 
this particular case.


On 2023-03-21 2:33 p.m., George Toma wrote:
Well that's for end users. The company in question seems to be a 
Telecom operator.
The RIPE model is a very strange and confusing one, where ISPs 
basically become LIRs and they themselves assign ASNs and IPs, and 
there are 23000 LIRs in ARIN. Basically any ISP, webhosting company, 
datacenter or even a trading company can become a LIR.


It's a very strange model which has just cost me 15 minutes of my time 
to just dig into and get some basic understanding of it. I would not 
put my hand in the fire that the OP is a LIR or not, but they are an 
ISP so I would assume they are LIR and as such can reassign the IPs, 
and if they are not LIR they can become one.


Anyway many of IP renting companies such as IPXO are RIPE-based, and 
those who are ARIN or APNIC based also have subnets from RIPE region. 
If RIPE was against subletting, the whole market would not exist with 
RIPE subnets.


Regards
George



On Tue, Mar 21, 2023 at 2:17 PM  wrote:

RIPE NCC Requirements: End User Assignment Agreement states:

“End User may not sub-assign resources to third parties.”

Best regards,
August Yang

On 2023-03-21 13:12, George Toma wrote:
> I do not believe ASN sharing is illegal or prohibited, it's not
> prohibited in LACNIC and in APNIC policy I also could not find
> anything about ASN sharing, only
>
> APNIC policy states:
> "2.3. Autonomous System (AS)An Autonomous System (AS) is a connected
> group of one or more IP prefixes run by one or more network
operators
> under a single and clearly defined routing policy.
> 2.3.1. Autonomous System Number (ASN)
> An Autonomous System Number (ASN) is a unique two- or four-byte
number
> associated with an AS. The ASN is used as an identifier to allow the
> AS to exchange dynamic routing information with other Autonomous
> Systems."
>
> Nothing prohibiting ASN sharing and 2.3 specifically states "run by
> one or more network operators... single routing policy"
>
> Regards
> George
>
> On Tue, Mar 21, 2023 at 8:00 AM  wrote:
>
>> Message: 19
>> Date: Mon, 20 Mar 2023 16:24:09 -0400
>> From: ay...@august.tw
>> To: Collider 
>> Cc: nanog@nanog.org
>> Subject: Re: Spamhaus flags any IP announced by our ASN as a criminal
>> network
>> Message-ID: <5b7ed1b1fbff65dfc63d188c2e1f9...@august.tw>
>> Content-Type: text/plain; charset=UTF-8; format=flowed
>>
>> Several Huize ASNs, e.g. AS47158 and AS141011, were revoked due to RIR
>> policy violations, which include prohibited sharing of ASNs with third
>> parties, IP hijacking, and malicious path prepending.
>>
>> Given this history, it is not surprising that Spamhaus would blacklist
>> IP addresses associated with their ASN. In my opinion, such action is
>> well-justified.
>>
>> Best regards,
>> August Yang


--
Best regards
August Yang



Re: Spamhaus flags any IP announced by our ASN as a criminal network

2023-03-21 Thread George Toma
Well that's for end users. The company in question seems to be a Telecom
operator.
The RIPE model is a very strange and confusing one, where ISPs basically
become LIRs and they themselves assign ASNs and IPs, and there are 23000
LIRs in ARIN. Basically any ISP, webhosting company, datacenter or even a
trading company can become a LIR.

It's a very strange model which has just cost me 15 minutes of my time to
just dig into and get some basic understanding of it. I would not put my
hand in the fire that the OP is a LIR or not, but they are an ISP so I
would assume they are LIR and as such can reassign the IPs, and if they are
not LIR they can become one.

Anyway many of IP renting companies such as IPXO are RIPE-based, and those
who are ARIN or APNIC based also have subnets from RIPE region. If RIPE was
against subletting, the whole market would not exist with RIPE subnets.

Regards
George



On Tue, Mar 21, 2023 at 2:17 PM  wrote:

> RIPE NCC Requirements: End User Assignment Agreement states:
>
> “End User may not sub-assign resources to third parties.”
>
> Best regards,
> August Yang
>
> On 2023-03-21 13:12, George Toma wrote:
> > I do not believe ASN sharing is illegal or prohibited, it's not
> > prohibited in LACNIC and in APNIC policy I also could not find
> > anything about ASN sharing, only
> >
> > APNIC policy states:
> > "2.3. Autonomous System (AS)An Autonomous System (AS) is a connected
> > group of one or more IP prefixes run by one or more network operators
> > under a single and clearly defined routing policy.
> > 2.3.1. Autonomous System Number (ASN)
> > An Autonomous System Number (ASN) is a unique two- or four-byte number
> > associated with an AS. The ASN is used as an identifier to allow the
> > AS to exchange dynamic routing information with other Autonomous
> > Systems."
> >
> > Nothing prohibiting ASN sharing and 2.3 specifically states "run by
> > one or more network operators... single routing policy"
> >
> > Regards
> > George
> >
> > On Tue, Mar 21, 2023 at 8:00 AM  wrote:
> >
> >> Message: 19
> >> Date: Mon, 20 Mar 2023 16:24:09 -0400
> >> From: ay...@august.tw
> >> To: Collider 
> >> Cc: nanog@nanog.org
> >> Subject: Re: Spamhaus flags any IP announced by our ASN as a criminal
> >> network
> >> Message-ID: <5b7ed1b1fbff65dfc63d188c2e1f9...@august.tw>
> >> Content-Type: text/plain; charset=UTF-8; format=flowed
> >>
> >> Several Huize ASNs, e.g. AS47158 and AS141011, were revoked due to RIR
> >> policy violations, which include prohibited sharing of ASNs with third
> >> parties, IP hijacking, and malicious path prepending.
> >>
> >> Given this history, it is not surprising that Spamhaus would blacklist
> >> IP addresses associated with their ASN. In my opinion, such action is
> >> well-justified.
> >>
> >> Best regards,
> >> August Yang
>


Re: Spamhaus flags any IP announced by our ASN as a criminal network

2023-03-21 Thread August Yang via NANOG

RIPE NCC Requirements: End User Assignment Agreement states:

“End User may not sub-assign resources to third parties.”

Best regards,
August Yang

On 2023-03-21 13:12, George Toma wrote:

I do not believe ASN sharing is illegal or prohibited, it's not
prohibited in LACNIC and in APNIC policy I also could not find
anything about ASN sharing, only

APNIC policy states:
"2.3. Autonomous System (AS)An Autonomous System (AS) is a connected
group of one or more IP prefixes run by one or more network operators
under a single and clearly defined routing policy.
2.3.1. Autonomous System Number (ASN)
An Autonomous System Number (ASN) is a unique two- or four-byte number
associated with an AS. The ASN is used as an identifier to allow the
AS to exchange dynamic routing information with other Autonomous
Systems."

Nothing prohibiting ASN sharing and 2.3 specifically states "run by
one or more network operators... single routing policy"

Regards
George

On Tue, Mar 21, 2023 at 8:00 AM  wrote:


Message: 19
Date: Mon, 20 Mar 2023 16:24:09 -0400
From: ay...@august.tw
To: Collider 
Cc: nanog@nanog.org
Subject: Re: Spamhaus flags any IP announced by our ASN as a criminal
network
Message-ID: <5b7ed1b1fbff65dfc63d188c2e1f9...@august.tw>
Content-Type: text/plain; charset=UTF-8; format=flowed

Several Huize ASNs, e.g. AS47158 and AS141011, were revoked due to RIR
policy violations, which include prohibited sharing of ASNs with third
parties, IP hijacking, and malicious path prepending.

Given this history, it is not surprising that Spamhaus would blacklist
IP addresses associated with their ASN. In my opinion, such action is
well-justified.

Best regards,
August Yang


Re: Spamhaus flags any IP announced by our ASN as a criminal network

2023-03-21 Thread George Toma
I do not believe ASN sharing is illegal or prohibited; it's not prohibited
in LACNIC, and in APNIC policy I also could not find anything about ASN
sharing, only:

APNIC policy states:
"2.3. Autonomous System (AS)
An Autonomous System (AS) is a connected group of one or more IP prefixes
run by one or more network operators under a single and clearly defined
routing policy.
2.3.1. Autonomous System Number (ASN)
An Autonomous System Number (ASN) is a unique two- or four-byte number
associated with an AS. The ASN is used as an identifier to allow the AS to
exchange dynamic routing information with other Autonomous Systems."

Nothing prohibiting ASN sharing and 2.3 specifically states "run by one or
more network operators... single routing policy"


Regards
George


On Tue, Mar 21, 2023 at 8:00 AM  wrote:

> Message: 19
> Date: Mon, 20 Mar 2023 16:24:09 -0400
> From: ay...@august.tw
> To: Collider 
> Cc: nanog@nanog.org
> Subject: Re: Spamhaus flags any IP announced by our ASN as a criminal
> network
> Message-ID: <5b7ed1b1fbff65dfc63d188c2e1f9...@august.tw>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> Several Huize ASNs, e.g. AS47158 and AS141011, were revoked due to RIR
> policy violations, which include prohibited sharing of ASNs with third
> parties, IP hijacking, and malicious path prepending.
>
> Given this history, it is not surprising that Spamhaus would blacklist
> IP addresses associated with their ASN. In my opinion, such action is
> well-justified.
>
> Best regards,
> August Yang
>


Re: Spamhaus flags any IP announced by our ASN as a criminal

2023-03-21 Thread Roberto Navarro
Why not?

DUHL from sorbs is very similar to PBL from spamhaus.

A decade ago, when I was working at a mid-size hosting company, we used
DUHL from SORBS as a way to force residential customers to use submission
instead of SMTP to connect to the server. It proved more useful than any
documentation or tutorial we could provide our new customers.

Obviously, it was not the only DNSBL we were using. In fact, we were paying
for multiple BL feeds that we consolidated into our own list.

Regards,

On Tue, 21 Mar 2023 at 13:55, Martin Hotze ()
wrote:

> > Date: Mon, 20 Mar 2023 14:15:08 -0700
> > From: Randy Bush 
> > Subject: Re: Spamhaus flags any IP announced by our ASN as a criminal
> network
> >
> (...)
> >
> > we reject automagically on spamhaus, mail-abuse.org, and sorbs.  really
> > appreciate their services.
> >
> > randy
> >
>
> Sorbs? Really? *doh*
>
> #m
>
>




Re: Spamhaus flags any IP announced by our ASN as a criminal network

2023-03-21 Thread Barry Raveendran Greene
Hi Brandon,

Your next actions are to level up the security of your network, your organization, and your team. I'll craft up a post with a checklist you can use. If you don't do this, then people on your team, your company, and your customers will continue to be "danger do not go there" listed. Spamhaus is not the only one providing easy tools to help organizations deploy a "danger do not go there" list.

Step 1 on the list .... Deploy Exploitable Port Filtering on the edge of your network ....

Filtering Exploitable Ports and Minimizing Risk from the Internet and from Your Customers
senki.org

The other steps I'll put into a blog post.

Barry

On Mar 21, 2023, at 07:10, Brandon Zhi wrote:

> Our person in charge has consulted with their previous person in charge, and their response is this.
>
> "problem began long before February 18th. The problem was that in 2022 they added our prefix 87.251.79.0/24 to the black list, and said that if there were no complaints for 30-60 days, the record would be deleted. we agreed, almost a year has passed, the record has remained. They tried several times to put pressure on our providers, but we always record any termination of the contract with large fines, not a single provider has done this, we pay a lot of money for the Internet, and no one wants to take risks, now Spamhaus pressure on"
>
> Actually, I didn't know what Spamhaus was before this month, until we announced the IP in vultr.
>
> They claim they've been working on the issue, but I've found that they don't respond to emails very well (I can only judge from this). Usually though, I tell them to take down the content, and then the content gets a different provider.
>
> Also, it's not clear to me whether we need to reply to emails sent from the Spamhaus system. They claim that they took care of the content, but I personally think it's because they didn't respond to the email that Spamhaus thinks they're not doing it.
>
> On Tue, 21 Mar 2023 at 05:15, Randy Bush wrote:
>
>> >> I don't think any ISP would reject an IP that is on the Spamhaus
>> >> list.
>> > you, clearly, have been living under several rocks for a very long
>> > time.
>>
>> we reject automagically on spamhaus, mail-abuse.org, and sorbs.  really
>> appreciate their services.
>>
>> randy
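Barry's "Step 1" above, and Brandon's plan at the top of this thread to implement it with nftables on his Linux routers, are what the following ruleset illustrates. It is an added example written for this page, not code from the thread, from Barry's blog, or from HUIZE; the interface names, the exempt prefix (an RFC 5737 documentation range) and the port list are assumptions chosen for the example, and the list is an illustrative subset rather than the blog's list.

```nft
#!/usr/sbin/nft -f
# Added example: exploitable-port filtering on a Linux edge router.
# Assumptions (not from the thread): external links are eth0/eth1, the
# port list below is an illustrative subset, and 192.0.2.0/24 stands in
# for a customer prefix that legitimately needs one of the filtered ports.

define EDGE_IFACES = { "eth0", "eth1" }

# Services commonly abused for amplification or lateral movement that
# rarely have a reason to cross an inter-AS boundary (illustrative).
define EXPLOITABLE_TCP = { 19, 69, 111, 135-139, 445, 1433, 1434, 3389, 5900, 11211 }
define EXPLOITABLE_UDP = { 19, 69, 111, 135-139, 161, 1434, 1900, 5353, 11211 }

# inet family: one table covers both IPv4 and IPv6 transit traffic.
table inet edge_filter {
    # Named counters so the operator can see what the policy is catching.
    counter tcp_dropped {}
    counter udp_dropped {}

    # Destinations that are allowed to receive the filtered ports, e.g. a
    # customer's monitoring host. Keep this set small and reviewed.
    set exempt_v4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24 }
    }

    chain forward {
        type filter hook forward priority filter; policy accept;

        # Exceptions first: traffic to exempted destinations is untouched.
        ip daddr @exempt_v4 accept

        # Filter in both directions: traffic entering from the Internet
        # (iifname) and traffic leaving toward the Internet (oifname), so
        # abuse can neither reach customers nor originate from them on
        # these ports.
        iifname $EDGE_IFACES tcp dport $EXPLOITABLE_TCP counter name "tcp_dropped" drop
        iifname $EDGE_IFACES udp dport $EXPLOITABLE_UDP counter name "udp_dropped" drop
        oifname $EDGE_IFACES tcp dport $EXPLOITABLE_TCP counter name "tcp_dropped" drop
        oifname $EDGE_IFACES udp dport $EXPLOITABLE_UDP counter name "udp_dropped" drop
    }
}
```

Syntax-check the file with `nft -c -f edge-filter.nft` before loading it with `nft -f edge-filter.nft`, and read the hit counts with `nft list counters`. Loading the file twice appends the rules a second time, so delete the table (`nft delete table inet edge_filter`) before reloading. Two caveats a practitioner would want: customers that run legitimate services on any of these ports need an entry in the exempt set before the filter goes live, and the filter is network hygiene only; it does not by itself address the abuse-handling problem that the rest of this thread says caused the listing.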



Re: Spamhaus flags any IP announced by our ASN as a criminal

2023-03-21 Thread Martin Hotze
> Date: Mon, 20 Mar 2023 14:15:08 -0700
> From: Randy Bush 
> Subject: Re: Spamhaus flags any IP announced by our ASN as a criminal network
>
(...)
>
> we reject automagically on spamhaus, mail-abuse.org, and sorbs.  really
> appreciate their services.
>
> randy
>

Sorbs? Really? *doh*

#m



Re: Spamhaus flags any IP announced by our ASN as a criminal network

2023-03-20 Thread Randy Bush
this company(s) is in the business of spam.  they're just trying to
game nanog.  discussing further a waste of pixels.

randy


Re: Spamhaus flags any IP announced by our ASN as a criminal network

2023-03-20 Thread Christopher Morrow
On Mon, Mar 20, 2023 at 7:08 PM Brandon Zhi  wrote:
>
> Our person in charge has consulted with their previous person in charge, and 
> their response is this.



you are talking up the discussion with the wrong folks, really.
Please go see the spamhaus folk directly.


Re: Spamhaus flags any IP announced by our ASN as a criminal network

2023-03-20 Thread Brandon Zhi
Our person in charge has consulted with their previous person in charge,
and their response is this.

"problem began long before February 18th.  The problem was that in 2022
they added our prefix 87.251.79.0/24 to the black list, and said that if
there were no complaints for 30-60 days, the record would be deleted.  we
agreed, almost a year has passed, the record has remained.  They tried
several times to put pressure on our providers, but we always record any
termination of the contract with large fines, not a single provider has
done this, we pay a lot of money for the Internet, and no one wants to take
risks, now Spamhaus pressure on"


Actually, I didn't know what Spamhaus was before this month, until we
announced the IP in vultr.

They claim they've been working on the issue, but I've found that they
don't respond to emails very well (I can only judge from this). Usually
though, I tell them to take down the content, and then the content gets a
different provider.

Also, it's not clear to me whether we need to reply to emails sent from the
Spamhaus system. They claim that they took care of the content, but I
personally think it's because they didn't respond to the email that
Spamhaus thinks they're not doing it.




On Tue, 21 Mar 2023 at 05:15, Randy Bush wrote:

> >> I don't think any ISP would reject an IP that is on the Spamhaus
> >> list.
> > you, clearly, have been living under several rocks for a very long
> > time.
>
> we reject automagically on spamhaus, mail-abuse.org, and sorbs.  really
> appreciate their services.
>
> randy
>


Re: Spamhaus flags any IP announced by our ASN as a criminal network

2023-03-20 Thread Randy Bush
>> I don't think any ISP would reject an IP that is on the Spamhaus
>> list.
> you, clearly, have been living under several rocks for a very long
> time.

we reject automagically on spamhaus, mail-abuse.org, and sorbs.  really
appreciate their services.

randy


Re: Spamhaus flags any IP announced by our ASN as a criminal network

2023-03-20 Thread Collider
well that explains a lot.

For their own sake I hope they shape up - but I doubt they will.

On 20 March 2023 20:24:09 UTC, ay...@august.tw wrote:
>Several Huize ASNs, e.g. AS47158 and AS141011, were revoked due to RIR policy 
>violations, which include prohibited sharing of ASNs with third parties, IP 
>hijacking, and malicious path prepending.
>
>Given this history, it is not surprising that Spamhaus would blacklist IP 
>addresses associated with their ASN. In my opinion, such action is 
>well-justified.
>
>Best regards,
>August Yang
>
>On 2023-03-20 15:32, Collider wrote:
>> Why do two different companies with what should be independent
>> networks share an AS number?
>> 
>> On 20 March 2023 18:20:08 UTC, Aaron Wendel
>>  wrote:
>> 
>>> The solution to your problem is to terminate the customer causing
>>> the abuse, in this case 62yun.com.  Once you do that I'm sure
>>> Spamhaus will stop listing all your IPs.
>>> 
>>> Aaron
>>> 
>>> On 3/20/2023 6:54 AM, Brandon Zhi wrote:
>>> 
>>> > It seems you've reached the point that they ignore specific
>>> > prefixes and set every prefix you are advertising as criminal.
>>> 
>>> Our sponsor (LIR) 62yun.com, they have 2 prefixes
>>> for VPS/Dedicated Server using our ASN.
>>> 62yun did receive a lot of complaints, but as far as I know they
>>> have been handling them (their head said their team is not good at
>>> English and so they did not reply to emails).
>>> For me, I cannot reply to all emails for them, since I don't have
>>> that much time. I also need to work for my company.
>>> 
>>> > As I understand it, most things at Spamhaus are manual
>>> > determinations.
>>> > You click on "show details" and they give you a list of timestamped
>>> > report IDs, each with a 1-line description of the reviewer's
>>> > assessment of the fault.
>>> 
>>> I checked https://check.spamhaus.org/listed/?searchterm=46.23.100.0
>>> and the reason they gave us was simple, saying we are not willing to
>>> handle abuse. But we stressed with them many times that we are 2
>>> different companies. We also do not have the authority to handle
>>> these complaints, but we will alert 62yun.com.
>>> 
>>> But they still intend to blacklist all the prefixes under our ORG
>>> ID, even if the user is not us.
>>> 
>>> > Based on my past experiences, Spamhaus is rather gracious at
>>> > first, but if you ignore them, they will start blocking you en
>>> > masse. About 10 years ago, I worked for a datacenter/NSP and
>>> > personally handled all Spamhaus complaints, and as soon as I left
>>> > to go to another company (and the company stopped taking care of
>>> > the complaints), Spamhaus blocked every single one of their IPs
>>> > until they committed to actually handling the complaints again.
>>> 
>>> This has little impact on 62yun.com's VPS
>>> business, and my feeling is that if someone uses their VPS to build
>>> a mail server those emails that are sent from this server may be
>>> rejected.
>>> 
>>> However, we are recently building a CDN for one of our partners (a
>>> social media company), and we need to use a provider like vultr,
>>> which is not really an IP Transit provider, to announce prefixes;
>>> however, they reject prefixes on the Spamhaus list.
>>> 
>>> I don't think any ISP would reject an IP that is on the Spamhaus
>>> list.
>>> 
>>> *Brandon Zhi*
>>> HUIZE LTD
>>> 
>>> www.huize.asia | www.ixp.su
>>>  | Twitter
>>> 
>>> 
>>> On Mon, 20 Mar 2023 at 02:29, Tim Burke  wrote:
>>> 
>>> Have you received complaints from Spamhaus in the past? If so,
>>> have you acted on them in a timely manner?
>>> 
>>> Based on my past experiences, Spamhaus is rather gracious at
>>> first, but if you ignore them, they will start blocking you en
>>> masse. About 10 years ago, I worked for a datacenter/NSP and
>>> personally handled all Spamhaus complaints, and as soon as I left
>>> to go to another company (and the company stopped taking care of
>>> the complaints), Spamhaus blocked every single one of their IPs
>>> until they committed to actually handling the complaints again.
>>> 
>>> V/r
>>> Tim
>>> 
>>> On Mar 18, 2023, at 8:57 AM, Brandon Zhi 
>>> wrote:
>>> 
>>> Hello guy,
>>> 
>>> We recently discovered that any IP address announced by our ASN
>>> is blacklisted by Spamhaus, even if we only announced it but not
>>> use it.
>>> 
>>> I would like to ask if this is manually set by Spamhaus or is the
>>> system misjudgment? Has anyone encountered the same situation as us?
>>> 
>>> Best,
>>> 
>>> *Brandon Zhi*
>>> HUIZE LTD
>>> 
>>> www.huize.asia | www.ixp.su
>>>  | Twitter
>>> 

Re: Spamhaus flags any IP announced by our ASN as a criminal network

2023-03-20 Thread August Yang via NANOG
Several Huize ASNs, e.g. AS47158 and AS141011, were revoked due to RIR 
policy violations, which include prohibited sharing of ASNs with third 
parties, IP hijacking, and malicious path prepending.


Given this history, it is not surprising that Spamhaus would blacklist 
IP addresses associated with their ASN. In my opinion, such action is 
well-justified.


Best regards,
August Yang

On 2023-03-20 15:32, Collider wrote:

Why do two different companies with what should be independent
networks share an AS number?

On 20 March 2023 18:20:08 UTC, Aaron Wendel
 wrote:


The solution to your problem is to terminate the customer causing
the abuse, in this case 62yun.com.  Once you do that I'm sure
Spamhaus will stop listing all your IPs.

Aaron

On 3/20/2023 6:54 AM, Brandon Zhi wrote:

> It seems you've reached the point that they ignore specific
> prefixes and set every prefix you are advertising as criminal.

Our sponsor (LIR) 62yun.com, they have 2 prefixes
for VPS/Dedicated Server using our ASN.
62yun did receive a lot of complaints, but as far as I know they
have been handling them (their head said their team is not good at
English and so they did not reply to emails).
For me, I cannot reply to all emails for them, since I don't have
that much time. I also need to work for my company.

> As I understand it, most things at Spamhaus are manual
> determinations.
> You click on "show details" and they give you a list of timestamped
> report IDs, each with a 1-line description of the reviewer's
> assessment of the fault.

I checked https://check.spamhaus.org/listed/?searchterm=46.23.100.0
and the reason they gave us was simple, saying we are not willing to
handle abuse. But we stressed with them many times that we are 2
different companies. We also do not have the authority to handle
these complaints, but we will alert 62yun.com.

But they still intend to blacklist all the prefixes under our ORG
ID, even if the user is not us.

> Based on my past experiences, Spamhaus is rather gracious at
> first, but if you ignore them, they will start blocking you en
> masse. About 10 years ago, I worked for a datacenter/NSP and
> personally handled all Spamhaus complaints, and as soon as I left
> to go to another company (and the company stopped taking care of
> the complaints), Spamhaus blocked every single one of their IPs
> until they committed to actually handling the complaints again.

This has little impact on 62yun.com's VPS
business, and my feeling is that if someone uses their VPS to build
a mail server those emails that are sent from this server may be
rejected.

However, we are recently building a CDN for one of our partners (a
social media company), and we need to use a provider like vultr,
which is not really an IP Transit provider, to announce prefixes;
however, they reject prefixes on the Spamhaus list.

I don't think any ISP would reject an IP that is on the Spamhaus
list.

*Brandon Zhi*
HUIZE LTD

www.huize.asia | www.ixp.su
 | Twitter


On Mon, 20 Mar 2023 at 02:29, Tim Burke  wrote:

Have you received complaints from Spamhaus in the past? If so,
have you acted on them in a timely manner?

Based on my past experiences, Spamhaus is rather gracious at
first, but if you ignore them, they will start blocking you en
masse. About 10 years ago, I worked for a datacenter/NSP and
personally handled all Spamhaus complaints, and as soon as I left
to go to another company (and the company stopped taking care of
the complaints), Spamhaus blocked every single one of their IPs
until they committed to actually handling the complaints again.

V/r
Tim

On Mar 18, 2023, at 8:57 AM, Brandon Zhi 
wrote:

Hello guy,

We recently discovered that any IP address announced by our ASN
is blacklisted by Spamhaus, even if we only announced it but not
use it.

I would like to ask if this is manually set by Spamhaus or is the
system misjudgment? Has anyone encountered the same situation as us?

Best,

*Brandon Zhi*
HUIZE LTD

www.huize.asia | www.ixp.su
 | Twitter





Re: Spamhaus flags any IP announced by our ASN as a criminal network

2023-03-20 Thread Collider
Why do two different companies with what should be independent networks share 
an AS number?

On 20 March 2023 18:20:08 UTC, Aaron Wendel  wrote:
>The solution to your problem is to terminate the customer causing the abuse, 
>in this case 62yun.com.  Once you do that I'm sure Spamhaus will stop listing 
>all your IPs.
>
>Aaron
>
>
>On 3/20/2023 6:54 AM, Brandon Zhi wrote:
>> 
>> 
>> > It seems you've reached the point that they ignore specific
>> > prefixes and set every prefix you are advertising as criminal.
>> 
>> Our sponsor (LIR) 62yun.com, they have 2 prefixes for 
>> VPS/Dedicated Server using our ASN.
>> 62yun did receive a lot of complaints, but as far as I know they have been 
>> handling them (their head said their team is not good at English and so they 
>> did not reply to emails).
>> For me, I cannot reply to all emails for them, since I don't have that much 
>> time. I also need to work for my company.
>> 
>> > As I understand it, most things at Spamhaus are manual determinations.
>> > You click on "show details" and they give you a list of timestamped
>> > report IDs, each with a 1-line description of the reviewer's
>> > assessment of the fault.
>> 
>> I checked https://check.spamhaus.org/listed/?searchterm=46.23.100.0 and the 
>> reason they gave us was simple, saying we are not willing to handle abuse. But 
>> we stressed with them many times that we are 2 different companies. We also 
>> do not have the authority to handle these complaints, but we will alert 
>> 62yun.com.
>> 
>> But they still intend to blacklist all the prefixes under our ORG ID, even 
>> if the user is not us.
>> 
>> > Based on my past experiences, Spamhaus is rather gracious at
>> > first, but if you ignore them, they will start blocking you en
>> > masse. About 10 years ago, I worked for a datacenter/NSP and
>> > personally handled all Spamhaus complaints, and as soon as I left
>> > to go to another company (and the company stopped taking care of
>> > the complaints), Spamhaus blocked every single one of their IPs
>> > until they committed to actually handling the complaints again.
>> 
>> This has little impact on 62yun.com's VPS business, and 
>> my feeling is that if someone uses their VPS to build a mail server those 
>> emails that are sent from this server may be rejected.
>> 
>> However, we are recently building a CDN for one of our partners (a social 
>> media company), and we need to use a provider like vultr, which is not 
>> really an IP Transit provider, to announce prefixes; however, they reject 
>> prefixes on the Spamhaus list.
>> 
>> I don't think any ISP would reject an IP that is on the Spamhaus list.
>> 
>> 
>> *Brandon Zhi*
>> HUIZE LTD
>> 
>> www.huize.asia | www.ixp.su  | 
>> Twitter
>> 
>> 
>> 
>> 
>> 
>> On Mon, 20 Mar 2023 at 02:29, Tim Burke  wrote:
>> 
>> Have you received complaints from Spamhaus in the past? If so,
>> have you acted on them in a timely manner?
>> 
>> Based on my past experiences, Spamhaus is rather gracious at
>> first, but if you ignore them, they will start blocking you en
>> masse. About 10 years ago, I worked for a datacenter/NSP and
>> personally handled all Spamhaus complaints, and as soon as I left
>> to go to another company (and the company stopped taking care of
>> the complaints), Spamhaus blocked every single one of their IPs
>> until they committed to actually handling the complaints again.
>> 
>> V/r
>> Tim
>> 
>> 
>>> On Mar 18, 2023, at 8:57 AM, Brandon Zhi  wrote:
>>> 
>>> Hello guy,
>>> 
>>> We recently discovered that any IP address announced by our ASN
>>> is blacklisted by Spamhaus, even if we only announced it but not
>>> use it.
>>> 
>>> I would like to ask if this is manually set by Spamhaus or is the
>>> system misjudgment? Has anyone encountered the same situation as us?
>>> 
>>> 
>>> Best,
>>> 
>>> *Brandon Zhi*
>>> HUIZE LTD
>>> 
>>> www.huize.asia | www.ixp.su
>>>  | Twitter
>>> 
>>> 
>>> This e-mail and any attachments or any reproduction of this
>>> e-mail in whatever manner are confidential and for the use of the
>>> addressee(s) only. HUIZE LTD can’t take any liability and
>>> guarantee of the text of the email message and virus.
>>> 
>> 
>
>-- 
>
>Aaron Wendel
>Chief Technical Officer
>Wholesale Internet, Inc. (AS 32097)
>(816)550-9030
>http://www.wholesaleinternet.com

Re: Spamhaus flags any IP announced by our ASN as a criminal network

2023-03-20 Thread Aaron Wendel
The solution to your problem is to terminate the customer causing the 
abuse, in this case 62yun.com.  Once you do that I'm sure Spamhaus will 
stop listing all your IPs.


Aaron


On 3/20/2023 6:54 AM, Brandon Zhi wrote:

> It seems you've reached the point that they ignore specific
> prefixes and set every prefix you are advertising as criminal.

Our sponsor (LIR), 62yun.com, has 2 prefixes
for VPS/Dedicated Server using our ASN.

62yun did receive a lot of complaints, but as far as I know they have
been handling them (their head said their team is not good at English
and so they did not reply to emails).
For me, I cannot reply to all emails for them, since I don't have that
much time. I also need to work for my company.

> As I understand it, most things at Spamhaus are manual determinations.
> You click on "show details" and they give you a list of timestamped
> report IDs, each with a 1-line description of the reviewer's
> assessment of the fault.

I checked https://check.spamhaus.org/listed/?searchterm=46.23.100.0
and the reason they gave us was simple, saying we are not willing to
handle abuse. But we stressed to them many times that we are 2
different companies. We also do not have the authority to handle these
complaints, but we will alert 62yun.com.

But they still intend to blacklist all the prefixes under our ORG ID,
even if the user is not us.

> Based on my past experiences, Spamhaus is rather gracious at
> first, but if you ignore them, they will start blocking you en
> masse. About 10 years ago, I worked for a datacenter/NSP and
> personally handled all Spamhaus complaints, and as soon as I left
> to go to another company (and the company stopped taking care of
> the complaints), Spamhaus blocked every single one of their IPs
> until they committed to actually handling the complaints again.



This has little impact on 62yun.com's VPS business,
and my feeling is that if someone uses their VPS to build a mail
server, those emails that are sent from this server may be rejected.


However, we are currently building a CDN for one of our partners (a
social media company), and we need to use a provider like Vultr, which
is not really an IP transit provider, to announce prefixes; however,
they reject prefixes on the Spamhaus list.


I don't think any ISP would reject an IP that is on the Spamhaus list.


*Brandon Zhi*
HUIZE LTD

www.huize.asia | www.ixp.su 
 | Twitter



This e-mail and any attachments or any reproduction of this e-mail in 
whatever manner are confidential and for the use of the addressee(s) 
only. HUIZE LTD can’t take any liability and guarantee of the text of 
the email message and virus.




On Mon, 20 Mar 2023 at 02:29, Tim Burke  wrote:

Have you received complaints from Spamhaus in the past? If so,
have you acted on them in a timely manner?

Based on my past experiences, Spamhaus is rather gracious at
first, but if you ignore them, they will start blocking you en
masse. About 10 years ago, I worked for a datacenter/NSP and
personally handled all Spamhaus complaints, and as soon as I left
to go to another company (and the company stopped taking care of
the complaints), Spamhaus blocked every single one of their IPs
until they committed to actually handling the complaints again.

V/r
Tim



On Mar 18, 2023, at 8:57 AM, Brandon Zhi  wrote:

Hello guys,

We recently discovered that any IP address announced by our ASN
is blacklisted by Spamhaus, even if we have only announced it and
are not using it.

I would like to ask if this is manually set by Spamhaus or is it a
system misjudgment? Has anyone encountered the same situation as us?


Best,

*Brandon Zhi*
HUIZE LTD

www.huize.asia | www.ixp.su
 | Twitter


This e-mail and any attachments or any reproduction of this
e-mail in whatever manner are confidential and for the use of the
addressee(s) only. HUIZE LTD can’t take any liability and
guarantee of the text of the email message and virus.





--

Aaron Wendel
Chief Technical Officer
Wholesale Internet, Inc. (AS 32097)
(816)550-9030
http://www.wholesaleinternet.com




Re: Spamhaus flags any IP announced by our ASN as a criminal network

2023-03-20 Thread Bjørn Mork
Brandon Zhi  writes:

> Well, those prefixes are not for their VPS hosting service (which cause a
> lot of complaint). Just like there are many IP addresses under the
> telecommunication company, the entire ASN cannot be "blocked" just because
> there is a complaint on one IP address

April came early this year.


Bjørn


Re: Spamhaus flags any IP announced by our ASN as a criminal network

2023-03-20 Thread William Herrin
On Mon, Mar 20, 2023 at 7:56 AM Brandon Zhi  wrote:
> Well, those prefixes are not for their VPS hosting service
> (which cause a lot of complaint). Just like there are many IP
> addresses under the telecommunication company, the entire
> ASN cannot be "blocked" just because there is a complaint
> on one IP address

And yet they have. And it was due to complaints about more than one IP address.

Bottom line: your service provider is a bad network citizen with a
reputation deep in the toilet. Find another service provider. And this
time, do the research before you spend the money.

Regards,
Bill Herrin


-- 
For hire. https://bill.herrin.us/resume/


Re: Spamhaus flags any IP announced by our ASN as a criminal network

2023-03-20 Thread Tom Beecher
>
> Well, those prefixes are not for their VPS hosting service (which causes a
> lot of complaints). Just as there are many IP addresses under a
> telecommunication company, the entire ASN cannot be "blocked" just because
> there is a complaint on one IP address.
>

I can drop all prefixes from any ASN at any time and for any reason. Maybe
I don't like the color scheme of their logo, or how the CEO spells their
first name.  That may or may not be a smart business decision for me, but I
could do it.

For most of the internet, it DOES make good business sense to restrict
access to ASNs that are known to harbor bad actors, either directly, or by
providing connectivity. It sounds like your organization has made a
business choice that the revenue from such customers is more important than
shutting them off, and is learning about the consequences of that decision.

It sounds like an unfortunate situation for you, who may just be trying to do
your job, but that's the reality it seems you are facing right now.

On Mon, Mar 20, 2023 at 10:58 AM Brandon Zhi  wrote:

> Well, those prefixes are not for their VPS hosting service (which causes a
> lot of complaints). Just as there are many IP addresses under a
> telecommunication company, the entire ASN cannot be "blocked" just because
> there is a complaint on one IP address.
>
> On 2023年3月20日周一 下午10:50 Mike Hammett  wrote:
>
>> If someone tries to break into my house over and over, I won't act any
>> different if they show up wearing different clothes.
>>
>>
>>
>> -
>> Mike Hammett
>> Intelligent Computing Solutions <http://www.ics-il.com/>
>> <https://www.facebook.com/ICSIL>
>> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
>> <https://www.linkedin.com/company/intelligent-computing-solutions>
>> <https://twitter.com/ICSIL>
>> Midwest Internet Exchange <http://www.midwest-ix.com/>
>> <https://www.facebook.com/mdwestix>
>> <https://www.linkedin.com/company/midwest-internet-exchange>
>> <https://twitter.com/mdwestix>
>> The Brothers WISP <http://www.thebrotherswisp.com/>
>> <https://www.facebook.com/thebrotherswisp>
>> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
>> --
>> *From: *"Brandon Zhi" 
>> *To: *"Christopher Morrow" 
>> *Cc: *nanog@nanog.org
>> *Sent: *Monday, March 20, 2023 9:43:19 AM
>> *Subject: *Re: Spamhaus flags any IP announced by our ASN as a criminal
>> network
>>
>> Yes, those prefixes that are used for the hosting service have been listed for
>> a long time. However, the new prefixes that we rented we just
>> announced, even though they are unreachable, and they just added them to this
>> list.
>>
>> On 2023年3月20日周一 下午10:34 Christopher Morrow 
>> wrote:
>>
>>> On Mon, Mar 20, 2023 at 9:51 AM Brandon Zhi  wrote:
>>>
>>> > I don't think any ISP would reject an IP that is on the Spamhaus list.
>>>
>>> you, clearly, have been living under several rocks for a very long time.
>>>
>>
>>


Re: Spamhaus flags any IP announced by our ASN as a criminal network

2023-03-20 Thread Alexander Neilson
Hi Brandon

“ the entire ASN cannot be "blocked" just because there is a complaint on
one IP address”

Why not? They are being advertised by the same ASN so at least nominally
they are under common administrative control. Therefore if that
administrative control is not taking responsibility for complaints they may
be treated as a bad actor on the internet.

Also, people choose to block / rate limit / etc. things on their networks for
whatever reason makes sense to them.

I think if you have a customer or partner who doesn’t look after scams or
worse coming from their network you may need to consider disconnecting them
if you are not willing to be marked as the same bad actor for at least
passively enabling them.

This could still happen if they had their own ASN with their own netblocks
because if you are still providing transit to them and take no action you
may again be flagged as a bad actor.

We all have a role to play keeping our networks clean and positive members
of the internet community.

Might be time to have your customer / partner clean up their actions in
response to complaints or ensure that you don’t need a good reputation with
spamhaus to operate.

Regards
Alexander

On Tue, 21 Mar 2023 at 04:00, Brandon Zhi  wrote:

> Well, those prefixes are not for their VPS hosting service (which causes a
> lot of complaints). Just as there are many IP addresses under a
> telecommunication company, the entire ASN cannot be "blocked" just because
> there is a complaint on one IP address.
>
> On 2023年3月20日周一 下午10:50 Mike Hammett  wrote:
>
>> If someone tries to break into my house over and over, I won't act any
>> different if they show up wearing different clothes.
>>
>>
>>
>> -
>> Mike Hammett
>> Intelligent Computing Solutions <http://www.ics-il.com/>
>> <https://www.facebook.com/ICSIL>
>> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
>> <https://www.linkedin.com/company/intelligent-computing-solutions>
>> <https://twitter.com/ICSIL>
>> Midwest Internet Exchange <http://www.midwest-ix.com/>
>> <https://www.facebook.com/mdwestix>
>> <https://www.linkedin.com/company/midwest-internet-exchange>
>> <https://twitter.com/mdwestix>
>> The Brothers WISP <http://www.thebrotherswisp.com/>
>> <https://www.facebook.com/thebrotherswisp>
>> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
>> --
>> *From: *"Brandon Zhi" 
>> *To: *"Christopher Morrow" 
>> *Cc: *nanog@nanog.org
>> *Sent: *Monday, March 20, 2023 9:43:19 AM
>> *Subject: *Re: Spamhaus flags any IP announced by our ASN as a criminal
>> network
>>
>> Yes, those prefixes that are used for the hosting service have been listed for
>> a long time. However, the new prefixes that we rented we just
>> announced, even though they are unreachable, and they just added them to this
>> list.
>>
>> On 2023年3月20日周一 下午10:34 Christopher Morrow 
>> wrote:
>>
>>> On Mon, Mar 20, 2023 at 9:51 AM Brandon Zhi  wrote:
>>>
>>> > I don't think any ISP would reject an IP that is on the Spamhaus list.
>>>
>>> you, clearly, have been living under several rocks for a very long time.
>>>
>>
>>
-- 
Regards
Alexander

Alexander Neilson
Neilson Productions Limited

alexan...@neilson.net.nz
021 329 681
022 456 2326


Re: Spamhaus flags any IP announced by our ASN as a criminal network

2023-03-20 Thread Brandon Zhi
Well, those prefixes are not for their VPS hosting service (which causes a
lot of complaints). Just as there are many IP addresses under a
telecommunication company, the entire ASN cannot be "blocked" just because
there is a complaint on one IP address.

On 2023年3月20日周一 下午10:50 Mike Hammett  wrote:

> If someone tries to break into my house over and over, I won't act any
> different if they show up wearing different clothes.
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> <https://www.facebook.com/ICSIL>
> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
> <https://www.linkedin.com/company/intelligent-computing-solutions>
> <https://twitter.com/ICSIL>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> <https://www.facebook.com/mdwestix>
> <https://www.linkedin.com/company/midwest-internet-exchange>
> <https://twitter.com/mdwestix>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> <https://www.facebook.com/thebrotherswisp>
> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
> ------
> *From: *"Brandon Zhi" 
> *To: *"Christopher Morrow" 
> *Cc: *nanog@nanog.org
> *Sent: *Monday, March 20, 2023 9:43:19 AM
> *Subject: *Re: Spamhaus flags any IP announced by our ASN as a criminal
> network
>
> Yes, those prefixes that are used for the hosting service have been listed for a
> long time. However, the new prefixes that we rented we just
> announced, even though they are unreachable, and they just added them to this
> list.
>
> On 2023年3月20日周一 下午10:34 Christopher Morrow 
> wrote:
>
>> On Mon, Mar 20, 2023 at 9:51 AM Brandon Zhi  wrote:
>>
>> > I don't think any ISP would reject an IP that is on the Spamhaus list.
>>
>> you, clearly, have been living under several rocks for a very long time.
>>
>
>


Re: Spamhaus flags any IP announced by our ASN as a criminal network

2023-03-20 Thread Mike Hammett
If someone tries to break into my house over and over, I won't act any 
different if they show up wearing different clothes. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

- Original Message -

From: "Brandon Zhi"  
To: "Christopher Morrow"  
Cc: nanog@nanog.org 
Sent: Monday, March 20, 2023 9:43:19 AM 
Subject: Re: Spamhaus flags any IP announced by our ASN as a criminal network 


Yes, those prefixes that are used for the hosting service have been listed for a long
time. However, the new prefixes that we rented we just announced,
even though they are unreachable, and they just added them to this list.


On 2023年3月20日周一 下午10:34 Christopher Morrow < morrowc.li...@gmail.com > wrote: 


On Mon, Mar 20, 2023 at 9:51 AM Brandon Zhi < bran...@huize.asia > wrote: 

> I don't think any ISP would reject an IP that is on the Spamhaus list. 

you, clearly, have been living under several rocks for a very long time. 





Re: Spamhaus flags any IP announced by our ASN as a criminal network

2023-03-20 Thread Brandon Zhi
Yes, those prefixes that are used for the hosting service have been listed for a
long time. However, the new prefixes that we rented we just
announced, even though they are unreachable, and they just added them to this
list.

On 2023年3月20日周一 下午10:34 Christopher Morrow  wrote:

> On Mon, Mar 20, 2023 at 9:51 AM Brandon Zhi  wrote:
>
> > I don't think any ISP would reject an IP that is on the Spamhaus list.
>
> you, clearly, have been living under several rocks for a very long time.
>


Re: Spamhaus flags any IP announced by our ASN as a criminal network

2023-03-20 Thread Christopher Morrow
On Mon, Mar 20, 2023 at 9:51 AM Brandon Zhi  wrote:

> I don't think any ISP would reject an IP that is on the Spamhaus list.

you, clearly, have been living under several rocks for a very long time.


Re: Spamhaus flags any IP announced by our ASN as a criminal network

2023-03-20 Thread Mike Hammett
Ignoring abuse complaints doesn't shield one from the responsibility of acting 
upon those complaints. If someone under your control isn't doing their job, you 
need to cut them off. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

- Original Message -

From: "Brandon Zhi"  
To: "Tim Burke"  
Cc: nanog@nanog.org 
Sent: Monday, March 20, 2023 6:54:41 AM 
Subject: Re: Spamhaus flags any IP announced by our ASN as a criminal network

> It seems you've reached the point that they ignore specific prefixes and set
> every prefix you are advertising as criminal.

Our sponsor (LIR), 62yun.com, has 2 prefixes for VPS/Dedicated Server
using our ASN.

62yun did receive a lot of complaints, but as far as I know they have been
handling them (their head said their team is not good at English and so they
did not reply to emails).

For me, I cannot reply to all emails for them, since I don't have that much
time. I also need to work for my company.

> As I understand it, most things at Spamhaus are manual determinations.
> You click on "show details" and they give you a list of timestamped
> report IDs, each with a 1-line description of the reviewer's
> assessment of the fault.

I checked https://check.spamhaus.org/listed/?searchterm=46.23.100.0 and the
reason they gave us was simple, saying we are not willing to handle abuse. But we
stressed to them many times that we are 2 different companies. We also do not
have the authority to handle these complaints, but we will alert 62yun.com.

But they still intend to blacklist all the prefixes under our ORG ID, even if
the user is not us.

> Based on my past experiences, Spamhaus is rather gracious at first, but if you
> ignore them, they will start blocking you en masse. About 10 years ago, I
> worked for a datacenter/NSP and personally handled all Spamhaus complaints, and
> as soon as I left to go to another company (and the company stopped taking care
> of the complaints), Spamhaus blocked every single one of their IPs until they
> committed to actually handling the complaints again.

This has little impact on 62yun.com's VPS business, and my feeling is that if
someone uses their VPS to build a mail server, those emails that are sent from
this server may be rejected.

However, we are currently building a CDN for one of our partners (a social media
company), and we need to use a provider like Vultr, which is not really an IP
transit provider, to announce prefixes; however, they reject prefixes on the
Spamhaus list.

I don't think any ISP would reject an IP that is on the Spamhaus list.

Brandon Zhi
HUIZE LTD

www.huize.asia | www.ixp.su | Twitter

This e-mail and any attachments or any reproduction of this e-mail in whatever
manner are confidential and for the use of the addressee(s) only. HUIZE LTD
can’t take any liability and guarantee of the text of the email message and
virus.

On Mon, 20 Mar 2023 at 02:29, Tim Burke < t...@mid.net > wrote:

> Have you received complaints from Spamhaus in the past? If so, have you acted
> on them in a timely manner?
>
> Based on my past experiences, Spamhaus is rather gracious at first, but if you
> ignore them, they will start blocking you en masse. About 10 years ago, I
> worked for a datacenter/NSP and personally handled all Spamhaus complaints, and
> as soon as I left to go to another company (and the company stopped taking care
> of the complaints), Spamhaus blocked every single one of their IPs until they
> committed to actually handling the complaints again.
>
> V/r
> Tim
>
> On Mar 18, 2023, at 8:57 AM, Brandon Zhi < bran...@huize.asia > wrote:
>
>> Hello guys,
>>
>> We recently discovered that any IP address announced by our ASN is blacklisted
>> by Spamhaus, even if we have only announced it and are not using it.
>>
>> I would like to ask if this is manually set by Spamhaus or is it a system
>> misjudgment? Has anyone encountered the same situation as us?
>>
>> Best,
>>
>> Brandon Zhi
>> HUIZE LTD
>>
>> www.huize.asia | www.ixp.su | Twitter
>>
>> This e-mail and any attachments or any reproduction of this e-mail in whatever
>> manner are confidential and for the use of the addressee(s) only. HUIZE LTD
>> can’t take any liability and guarantee of the text of the email message and
>> virus.


Re: Spamhaus flags any IP announced by our ASN as a criminal network

2023-03-20 Thread Brandon Zhi
> It seems you've reached the point that they ignore specific prefixes and
> set every prefix you are advertising as criminal.

Our sponsor (LIR), 62yun.com, has 2 prefixes for VPS/Dedicated Server
using our ASN.
62yun did receive a lot of complaints, but as far as I know they have been
handling them (their head said their team is not good at English and so
they did not reply to emails).
For me, I cannot reply to all emails for them, since I don't have that much
time. I also need to work for my company.

> As I understand it, most things at Spamhaus are manual determinations.
> You click on "show details" and they give you a list of timestamped
> report IDs, each with a 1-line description of the reviewer's
> assessment of the fault.

I checked https://check.spamhaus.org/listed/?searchterm=46.23.100.0 and the
reason they gave us was simple, saying we are not willing to handle abuse. But
we stressed to them many times that we are 2 different companies. We also
do not have the authority to handle these complaints, but we will alert
62yun.com.

But they still intend to blacklist all the prefixes under our ORG ID, even
if the user is not us.

> Based on my past experiences, Spamhaus is rather gracious at first, but if
> you ignore them, they will start blocking you en masse. About 10 years ago,
> I worked for a datacenter/NSP and personally handled all Spamhaus
> complaints, and as soon as I left to go to another company (and the company
> stopped taking care of the complaints), Spamhaus blocked every single one
> of their IPs until they committed to actually handling the complaints again.

This has little impact on 62yun.com's VPS business, and my feeling is that
if someone uses their VPS to build a mail server, those emails that are sent
from this server may be rejected.

However, we are currently building a CDN for one of our partners (a social
media company), and we need to use a provider like Vultr, which is not
really an IP transit provider, to announce prefixes; however, they reject
prefixes on the Spamhaus list.

I don't think any ISP would reject an IP that is on the Spamhaus list.



*Brandon Zhi*
HUIZE LTD

www.huize.asia  | www.ixp.su | Twitter


This e-mail and any attachments or any reproduction of this e-mail in
whatever manner are confidential and for the use of the addressee(s) only.
HUIZE LTD can’t take any liability and guarantee of the text of the email
message and virus.


On Mon, 20 Mar 2023 at 02:29, Tim Burke  wrote:

> Have you received complaints from Spamhaus in the past? If so, have you
> acted on them in a timely manner?
>
> Based on my past experiences, Spamhaus is rather gracious at first, but if
> you ignore them, they will start blocking you en masse. About 10 years ago,
> I worked for a datacenter/NSP and personally handled all Spamhaus
> complaints, and as soon as I left to go to another company (and the company
> stopped taking care of the complaints), Spamhaus blocked every single one
> of their IPs until they committed to actually handling the complaints again.
>
> V/r
> Tim
>
>
> On Mar 18, 2023, at 8:57 AM, Brandon Zhi  wrote:
>
> Hello guys,
>
> We recently discovered that any IP address announced by our ASN is
> blacklisted by Spamhaus, even if we have only announced it and are not using it.
>
> I would like to ask if this is manually set by Spamhaus or is it a system
> misjudgment? Has anyone encountered the same situation as us?
>
>
> Best,
>
> *Brandon Zhi*
> HUIZE LTD
>
> www.huize.asia  | www.ixp.su | Twitter
>
>
> This e-mail and any attachments or any reproduction of this e-mail in
> whatever manner are confidential and for the use of the addressee(s) only.
> HUIZE LTD can’t take any liability and guarantee of the text of the email
> message and virus.
>
>
>


Re: Spamhaus flags any IP announced by our ASN as a criminal network

2023-03-19 Thread Tim Burke
Have you received complaints from Spamhaus in the past? If so, have you acted 
on them in a timely manner?

Based on my past experiences, Spamhaus is rather gracious at first, but if you 
ignore them, they will start blocking you en masse. About 10 years ago, I 
worked for a datacenter/NSP and personally handled all Spamhaus complaints, and 
as soon as I left to go to another company (and the company stopped taking care 
of the complaints), Spamhaus blocked every single one of their IPs until they 
committed to actually handling the complaints again.

V/r
Tim


On Mar 18, 2023, at 8:57 AM, Brandon Zhi  wrote:

Hello guys,

We recently discovered that any IP address announced by our ASN is blacklisted
by Spamhaus, even if we have only announced it and are not using it.

I would like to ask if this is manually set by Spamhaus or is it a system
misjudgment? Has anyone encountered the same situation as us?


Best,

Brandon Zhi
HUIZE LTD
www.huize.asia  | www.ixp.su | Twitter

This e-mail and any attachments or any reproduction of this e-mail in whatever 
manner are confidential and for the use of the addressee(s) only. HUIZE LTD 
can’t take any liability and guarantee of the text of the email message and 
virus.



Re: Spamhaus flags any IP announced by our ASN as a criminal network

2023-03-19 Thread William Herrin
On Sat, Mar 18, 2023 at 10:35 PM Brandon Zhi  wrote:
> We haven't even started to use them, we just announced them... They marked
> it as a criminal network

They do that once they decide you've been broadly inattentive to abuse
reports. It stops folks from shuffling IP addresses to evade
filtering.

>>> I would like to ask if this is manually set by Spamhaus or is the system 
>>> misjudgment? Has anyone encountered the same situation as us?

As I understand it, most things at Spamhaus are manual determinations.
You click on "show details" and they give you a list of timestamped
report IDs, each with a 1-line description of the reviewer's
assessment of the fault.
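
The "show details" page Bill describes is the manual route; the same listings are served over DNS, which is how mail servers and transit providers actually consult them. The following Python is an added example, not code from this thread or from Spamhaus: it builds the ZEN query name for an IPv4 or IPv6 address (reversed octets, or reversed nibbles as in ip6.arpa) and decodes the publicly documented 127.0.0.x return codes. The function names, the injectable resolver and the answers in FAKE_ANSWERS are my own constructions so that the logic runs offline; a real run would pass the default system resolver. One caveat worth knowing before trusting a result: queries that arrive through a public/open resolver are answered with 127.255.255.254 rather than a listing, so run this from a resolver you operate.

```python
"""Spamhaus ZEN DNSBL lookup: build the query name and decode the answer.

Added example, not code from the NANOG thread or from Spamhaus. It assumes
the documented ZEN zone name and return codes; FAKE_ANSWERS is constructed
so the example runs without network access.
"""
import ipaddress
import socket

ZEN_ZONE = "zen.spamhaus.org"

# Documented ZEN return codes (127.0.0.x) and the dataset each one denotes.
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.9": "SBL DROP/EDROP",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}

# 127.255.255.x answers are query errors, not listings.
ZEN_ERRORS = {
    "127.255.255.252": "typing error in the DNSBL zone name",
    "127.255.255.254": "query came via a public/open resolver; use your own resolver",
    "127.255.255.255": "query volume exceeded the free-use limit",
}


def dnsbl_query_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Return the DNSBL query name for an IPv4 or IPv6 address.

    IPv4: reverse the four octets. IPv6: expand to 32 hex nibbles and
    reverse them, one nibble per label (the same shape as ip6.arpa).
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def decode_zen(answers) -> dict:
    """Classify the A records a ZEN query returned.

    An empty answer list (NXDOMAIN) means the address is not listed.
    Anything outside 127.0.0.0/8 is almost always a resolver that rewrites
    NXDOMAIN (search-page hijacking) and must never be treated as a listing.
    """
    result = {"listed": [], "errors": [], "unexpected": []}
    for a in answers:
        if a in ZEN_CODES:
            if ZEN_CODES[a] not in result["listed"]:
                result["listed"].append(ZEN_CODES[a])
        elif a in ZEN_ERRORS:
            result["errors"].append(ZEN_ERRORS[a])
        else:
            result["unexpected"].append(a)
    return result


def _system_resolver(name: str):
    """Resolve with the OS resolver; NXDOMAIN becomes an empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_ip(ip: str, resolver=_system_resolver) -> dict:
    """Look an address up in ZEN. The resolver is injectable so the decoding
    logic can be exercised offline (see FAKE_ANSWERS)."""
    return decode_zen(resolver(dnsbl_query_name(ip)))


# Constructed answers keyed by query name, standing in for real DNS replies.
FAKE_ANSWERS = {
    dnsbl_query_name("192.0.2.1"): ["127.0.0.2", "127.0.0.10"],  # SBL + PBL
    dnsbl_query_name("198.51.100.7"): ["127.255.255.254"],      # open-resolver error
    dnsbl_query_name("2001:db8::1"): [],                         # not listed
}


def fake_resolver(name: str):
    return FAKE_ANSWERS.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.1", "198.51.100.7", "2001:db8::1"):
        print(ip, dnsbl_query_name(ip), check_ip(ip, fake_resolver))
```

Swap `fake_resolver` for the default to query the live zone; an address that returns only PBL codes is a dynamic/end-user range policy listing rather than an abuse listing, which is a different conversation with Spamhaus than the SBL one this thread is about.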


Re: Spamhaus flags any IP announced by our ASN as a criminal network

2023-03-19 Thread Karsten Thomann via NANOG
AFAIK, Spamhaus starts to mark a whole AS as criminal if there is too
much abuse.
It seems you've reached the point that they ignore specific prefixes and
set every prefix you are advertising as criminal.


Am 19.03.2023 um 06:35 schrieb Brandon Zhi:

However, for those prefixes

https://www.spamhaus.org/sbl/listings/azeronline.net

We haven't even started to use them, we just announced them... They marked
them as a criminal network



On 2023年3月19日周日 上午4:26 Tom Beecher  wrote:

Given the list of things on these two prefixes alone, I would
venture to guess it's not a misjudgement.

https://check.spamhaus.org/listed/?searchterm=5.178.2.1
https://check.spamhaus.org/listed/?searchterm=80.66.64.1



On Sat, Mar 18, 2023 at 3:47 PM Brandon Zhi 
wrote:

Hello guys,

We recently discovered that any IP address announced by our
ASN is blacklisted by Spamhaus, even if we have only announced it
and are not using it.

I would like to ask if this is manually set by Spamhaus or is
it a system misjudgment? Has anyone encountered the same
situation as us?


Best,

*Brandon Zhi*
HUIZE LTD

www.huize.asia | www.ixp.su
 | Twitter


This e-mail and any attachments or any reproduction of this
e-mail in whatever manner are confidential and for the use of
the addressee(s) only. HUIZE LTD can’t take any liability and
guarantee of the text of the email message and virus.



Re: Spamhaus flags any IP announced by our ASN as a criminal network

2023-03-19 Thread Brandon Zhi
However, for those prefixes

https://www.spamhaus.org/sbl/listings/azeronline.net

We haven't even started to use them, we just announced them... They marked
them as a criminal network


On 2023年3月19日周日 上午4:26 Tom Beecher  wrote:

> Given the list of things on these two prefixes alone, I would venture to
> guess it's not a misjudgement.
>
> https://check.spamhaus.org/listed/?searchterm=5.178.2.1
> https://check.spamhaus.org/listed/?searchterm=80.66.64.1
>
>
>
> On Sat, Mar 18, 2023 at 3:47 PM Brandon Zhi  wrote:
>
>> Hello guys,
>>
>> We recently discovered that any IP address announced by our ASN is
>> blacklisted by Spamhaus, even if we have only announced it and are not using it.
>>
>> I would like to ask if this is manually set by Spamhaus or is it a system
>> misjudgment? Has anyone encountered the same situation as us?
>>
>>
>> Best,
>>
>> *Brandon Zhi*
>> HUIZE LTD
>>
>> www.huize.asia  | www.ixp.su | Twitter
>>
>>
>> This e-mail and any attachments or any reproduction of this e-mail in
>> whatever manner are confidential and for the use of the addressee(s) only.
>> HUIZE LTD can’t take any liability and guarantee of the text of the email
>> message and virus.
>>
>


Re: Spamhaus flags any IP announced by our ASN as a criminal network

2023-03-18 Thread Tom Beecher
Given the list of things on these two prefixes alone, I would venture to
guess it's not a misjudgement.

https://check.spamhaus.org/listed/?searchterm=5.178.2.1
https://check.spamhaus.org/listed/?searchterm=80.66.64.1



On Sat, Mar 18, 2023 at 3:47 PM Brandon Zhi  wrote:

> Hello guys,
>
> We recently discovered that any IP address announced by our ASN is
> blacklisted by Spamhaus, even if we have only announced it and are not using it.
>
> I would like to ask if this is manually set by Spamhaus or is it a system
> misjudgment? Has anyone encountered the same situation as us?
>
>
> Best,
>
> *Brandon Zhi*
> HUIZE LTD
>
> www.huize.asia  | www.ixp.su | Twitter
>
>
> This e-mail and any attachments or any reproduction of this e-mail in
> whatever manner are confidential and for the use of the addressee(s) only.
> HUIZE LTD can’t take any liability and guarantee of the text of the email
> message and virus.
>


Re: Spamhaus ASN-DROP list

2021-07-26 Thread Steve Linford
Hi,

Contact the SBL team via the Lookup form at https://check.spamhaus.org/

The form says 'IP or Domain' but it will also look up ASNs so just put your ASN 
in. That will allow you to create a ticket with the right team and the issue 
should then get dealt with fairly quickly.

Regards,

  Steve Linford
  The Spamhaus Project
  https://www.spamhaus.org
  

> On 23 Jul 2021, at 09:08, Siyuan Miao  wrote:
> 
> Hi All,
> 
> One of our ASNs has been listed in the Spamhaus ASN-DROP list before it was 
> assigned to us. 
> 
> We emailed them last year but didn't get a response. Could anyone from 
> Spamhaus contact us off the list?
> 
> Best Regards,
> Siyuan
> 
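
Steve's lookup form is the route for getting an inherited ASN-DROP listing removed; the check a network should run before it buys or announces resources (Bill Herrin's "do the research before you spend the money" in the earlier thread) is against the published DROP and ASN-DROP feeds themselves. The following Python is an added example, not code from this list or from Spamhaus. It assumes the line-delimited JSON layout of the published feeds (asndrop.json, drop_v4.json, drop_v6.json: one record per line plus a trailing `{"type":"metadata",...}` line) and uses constructed feed contents built from documentation ASNs (RFC 5398) and TEST-NET prefixes; the function names are mine. It answers two questions a transit provider that consumes these feeds will ask of an announcement: is any AS in the path (origin or upstream) on ASN-DROP, and does the prefix overlap a DROP entry, including the case where the announcement is a more specific of a listed block.

```python
"""Vet an announcement against Spamhaus DROP / ASN-DROP feeds.

Added example, not code from the NANOG thread or from Spamhaus. Assumes the
line-delimited JSON feed layout; the feed contents below are constructed
(RFC 5398 documentation ASNs, TEST-NET prefixes) so the example runs offline.
"""
import ipaddress
import json

# Constructed stand-in for asndrop.json (field names as in the published feed).
ASNDROP_SAMPLE = """\
{"asn":64496,"rir":"ripencc","domain":"example.net","cc":"XX","asname":"EXAMPLE-HOSTING"}
{"asn":64500,"rir":"arin","domain":"example.org","cc":"XX","asname":"EXAMPLE-VPS"}
{"type":"metadata","timestamp":1679270400,"size":2,"records":2,"copyright":"constructed sample"}
"""

# Constructed stand-in for drop_v4.json.
DROP_SAMPLE = """\
{"cidr":"203.0.113.0/24","sblid":"SBL000001","rir":"ripencc"}
{"cidr":"198.51.100.0/24","sblid":"SBL000002","rir":"arin"}
{"type":"metadata","timestamp":1679270400,"size":2,"records":2,"copyright":"constructed sample"}
"""


def parse_feed(text: str):
    """Yield the data records of a line-delimited JSON feed.

    Blank lines and the metadata line are skipped. A malformed line raises
    instead of being dropped: a half-parsed blocklist is worse than none.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("type") == "metadata":
            continue
        yield rec


def load_asndrop(text: str) -> dict:
    """ASN (int) -> feed record."""
    return {int(r["asn"]): r for r in parse_feed(text)}


def load_drop(text: str) -> list:
    """List of (ip_network, record) for overlap checks."""
    return [(ipaddress.ip_network(r["cidr"]), r) for r in parse_feed(text)]


def listed_asns(as_path, asndrop: dict) -> list:
    """Every ASN in an AS path that is on ASN-DROP, origin or transit.
    Being reachable only through a listed AS is enough to be filtered."""
    return [asn for asn in as_path if asn in asndrop]


def drop_hits(prefix: str, drop: list) -> list:
    """DROP records that cover or overlap the prefix to be announced.

    Overlap is tested in both directions: a /25 carved out of a listed /24 is
    still blocked, and a /16 that contains a listed /24 will be questioned too.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    return [rec for listed, rec in drop
            if listed.version == net.version and listed.overlaps(net)]


def vet_announcement(as_path, prefix, asndrop_text=ASNDROP_SAMPLE,
                     drop_text=DROP_SAMPLE) -> dict:
    """Pre-announcement check: ASNs in the path and DROP entries that would
    make a feed-consuming transit provider reject the route."""
    asndrop = load_asndrop(asndrop_text)
    drop = load_drop(drop_text)
    return {
        "asn_hits": listed_asns(as_path, asndrop),
        "drop_hits": [r["cidr"] for r in drop_hits(prefix, drop)],
    }


if __name__ == "__main__":
    # Origin AS64511 reached through listed transit AS64496, announcing a
    # more specific of a listed /24: both checks fire.
    print(vet_announcement([64496, 64511], "203.0.113.128/25"))
```

In production, replace the sample strings with the fetched feed bodies and run the check against every prefix in your RIR allocation and every upstream ASN before signing a contract; a clean result here does not clear the SBL (per-IP listings are only in the DNS zones), but a hit here means the announcement will be dropped by anyone consuming the feeds regardless of how the addresses are used.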



Re: Spamhaus ASN-DROP list

2021-07-23 Thread Siyuan Miao
It's not.

The ASN was assigned by RIPE in Sep 2019.

On Fri, Jul 23, 2021 at 3:20 PM Suresh Ramasubramanian 
wrote:

> This is probably an ex afrinic stolen block?
>
> In which case it’s for afrinic to sort out and reclaim
>
> --srs
> --
> *From:* NANOG  on behalf of
> Siyuan Miao 
> *Sent:* Friday, July 23, 2021 12:38:16 PM
> *To:* North American Network Operators' Group 
> *Subject:* Spamhaus ASN-DROP list
>
> Hi All,
>
> One of our ASNs has been listed in the Spamhaus ASN-DROP list before it
> was assigned to us.
>
> We emailed them last year but didn't get a response. Could anyone from
> Spamhaus contact us off the list?
>
> Best Regards,
> Siyuan
>
>


RE: Spamhaus ASN-DROP list

2021-07-23 Thread David Guo via NANOG
It's ASN, not IPv4 prefix.

From: NANOG  On Behalf Of Suresh 
Ramasubramanian
Sent: Friday, July 23, 2021 3:21 PM
To: Siyuan Miao ; North American Network Operators' Group 

Subject: Re: Spamhaus ASN-DROP list

This is probably an ex afrinic stolen block?

In which case it's for afrinic to sort out and reclaim

--srs

From: NANOG on behalf of Siyuan Miao
Sent: Friday, July 23, 2021 12:38:16 PM
To: North American Network Operators' Group
Subject: Spamhaus ASN-DROP list
Subject: Spamhaus ASN-DROP list

Hi All,

One of our ASNs has been listed in the Spamhaus ASN-DROP list before it was 
assigned to us.

We emailed them last year but didn't get a response. Could anyone from Spamhaus 
contact us off the list?

Best Regards,
Siyuan



Re: Spamhaus ASN-DROP list

2021-07-23 Thread Suresh Ramasubramanian
This is probably an ex afrinic stolen block?

In which case it’s for afrinic to sort out and reclaim

--srs

From: NANOG  on behalf of Siyuan 
Miao 
Sent: Friday, July 23, 2021 12:38:16 PM
To: North American Network Operators' Group 
Subject: Spamhaus ASN-DROP list

Hi All,

One of our ASNs has been listed in the Spamhaus ASN-DROP list before it was 
assigned to us.

We emailed them last year but didn't get a response. Could anyone from Spamhaus 
contact us off the list?

Best Regards,
Siyuan



Re: Spamhaus contact needed

2015-10-26 Thread Eliezer Croitoru

On 16/10/2015 22:07, Jason Baugher wrote:

I felt I should mention, Spamhaus was quick to respond to my email and gave
me excellent information on what was triggering the blacklisting.


Can you please share about it?

Eliezer


Re: Spamhaus contact needed

2015-10-20 Thread John Levine
>WAIT A MINUTE!  "CBL" is not "Spamhaus", is it?!
>
>http://www.abuseat.org/

Yes, it is.  Informally it was for a very long time via the Spamhaus
XBL.  Now it's explicit.

There's not much practical difference, and the same people are running
it.

R's,
John


Re: Spamhaus contact needed

2015-10-16 Thread Jason Baugher
I felt I should mention, Spamhaus was quick to respond to my email and gave
me excellent information on what was triggering the blacklisting.


On Thu, Oct 15, 2015 at 1:29 PM, Larry Sheldon  wrote:

> On 10/15/2015 13:27, Larry Sheldon wrote:
>
>> On 10/15/2015 12:32, Larry Sheldon wrote:
>>
>>> On 10/15/2015 00:27, Jason Baugher wrote:
>>>
>>>> Sorry to clutter up this list with an email issue, but hopefully
>>>> someone is
>>>> here from Spamhaus that can contact me off-list. I have a customer
>>>> whose IP
>>>> keeps getting listed in the CBL, and even after doing packet captures of
>>>> everything in and out of their network, I still can't find a reason
>>>> for it.

>>>
>>> I have been off the line for quite a while, but as I recollect there is
>>> no "Spamhaus contact" aside from the search engine they provide for
>>> their database.
>>>
>>> You look-up your IP, they tell you what the problem is, you fix it, and
>>> the block goes away.
>>>
>>> It always used to work.  Every time.
>>>
>>
>> WAIT A MINUTE!  "CBL" is not "Spamhaus", is it?!
>>
>> http://www.abuseat.org/
>>
>
>
> MY BAD!  Yes, it is "spamhaus".
>
> Sorry.
>
>
>
> --
> sed quis custodiet ipsos custodes? (Juvenal)
>


Re: Spamhaus contact needed

2015-10-15 Thread Larry Sheldon

On 10/15/2015 00:27, Jason Baugher wrote:

Sorry to clutter up this list with an email issue, but hopefully someone is
here from Spamhaus that can contact me off-list. I have a customer whose IP
keeps getting listed in the CBL, and even after doing packet captures of
everything in and out of their network, I still can't find a reason for it.


I have been off the line for quite a while, but as I recollect there is 
no "Spamhaus contact" aside from the search engine they provide for 
their database.


You look up your IP, they tell you what the problem is, you fix it, and 
the block goes away.


It always used to work.  Every time.


--
sed quis custodiet ipsos custodes? (Juvenal)


Re: Spamhaus contact needed

2015-10-15 Thread Larry Sheldon

On 10/15/2015 12:32, Larry Sheldon wrote:

On 10/15/2015 00:27, Jason Baugher wrote:

Sorry to clutter up this list with an email issue, but hopefully
someone is
here from Spamhaus that can contact me off-list. I have a customer
whose IP
keeps getting listed in the CBL, and even after doing packet captures of
everything in and out of their network, I still can't find a reason
for it.


I have been off the line for quite a while, but as I recollect there is
no "Spamhaus contact" aside from the search engine they provide for
their database.

You look-up your IP, they tell you what the problem is, you fix it, and
the block goes away.

It always used to work.  Every time.


WAIT A MINUTE!  "CBL" is not "Spamhaus", is it?!

http://www.abuseat.org/

--
sed quis custodiet ipsos custodes? (Juvenal)


Re: Spamhaus contact needed

2015-10-15 Thread Larry Sheldon

On 10/15/2015 13:27, Larry Sheldon wrote:

On 10/15/2015 12:32, Larry Sheldon wrote:

On 10/15/2015 00:27, Jason Baugher wrote:

Sorry to clutter up this list with an email issue, but hopefully
someone is
here from Spamhaus that can contact me off-list. I have a customer
whose IP
keeps getting listed in the CBL, and even after doing packet captures of
everything in and out of their network, I still can't find a reason
for it.


I have been off the line for quite a while, but as I recollect there is
no "Spamhaus contact" aside from the search engine they provide for
their database.

You look-up your IP, they tell you what the problem is, you fix it, and
the block goes away.

It always used to work.  Every time.


WAIT A MINUTE!  "CBL" is not "Spamhaus", is it?!

http://www.abuseat.org/



MY BAD!  Yes, it is "spamhaus".

Sorry.


--
sed quis custodiet ipsos custodes? (Juvenal)


Re: Spamhaus contact needed

2015-10-15 Thread Jason Baugher
When all it says is, "spam-sending trojan, malicious link, or some type of
botnet", it's not a lot to go on. I've seen examples where their lookup
tool provides more details, but in this case, the response is generic.

In fact, usually when this happens to a customer, they're able to figure
out the problem without a lot of fuss and keep it from happening again.
Sometimes we have to help them, but it's always something fairly obvious.
It's only in this one case that we're struggling to identify the cause.

Thank you to those that pointed out their email address on the FAQ page.
How I managed to read through there and miss it, I'll never know.






On Thu, Oct 15, 2015 at 12:32 PM, Larry Sheldon 
wrote:

> On 10/15/2015 00:27, Jason Baugher wrote:
>
>> Sorry to clutter up this list with an email issue, but hopefully someone
>> is
>> here from Spamhaus that can contact me off-list. I have a customer whose
>> IP
>> keeps getting listed in the CBL, and even after doing packet captures of
>> everything in and out of their network, I still can't find a reason for
>> it.
>>
>
> I have been off the line for quite a while, but as I recollect there is no
> "Spamhaus contact" aside from the search engine they provide for their
> database.
>
> You look up your IP, they tell you what the problem is, you fix it, and the
> block goes away.
>
> It always used to work.  Every time.
>
>
> --
> sed quis custodiet ipsos custodes? (Juvenal)
>


Re: Spamhaus BGP feed experiences?

2015-05-20 Thread Matthias Leisi
At dnswl.org (http://dnswl.org/) we check our data against the DROP list every 
once in a while. The overlap of DROP with legitimate sources of SMTP traffic is 
very, very small: a low single-digit number, and most of them are crappy to 
start with (so we don’t publish them, but only keep them in our database for 
reference purposes). 

— Matthias

 On 19.05.2015 at 20:38, Max Tulyev max...@netassist.ua wrote:
 
 How much false positives (i.e. blackholing traffic users want to reach)?
 
 On 18.05.15 21:04, Marco d'Itri wrote:
 On May 17, Mike Lyon mike.l...@gmail.com wrote:
 
 Any ISPs out there (big or small) ever used the Spamhaus BGP feed to
 prevent against botnet, spam, etc? If so, how has your experience been? Is
 it worthwhile? Has it helped? On / off list responses are appreciated in
 advance.
 We use Spamhaus DROP (not the BGP version: our software asks a human to 
 review each change).
 The benefits are not obvious since we do not have access customers, but 
 it will blackhole some networks you obviously do not want to talk to,
 and it has not caused any troubles either.
 
 





Re: Spamhaus BGP feed experiences?

2015-05-19 Thread Frederik Kriewitz
On Sun, May 17, 2015 at 7:50 AM, Mike Lyon mike.l...@gmail.com wrote:
 Any ISPs out there (big or small) ever used the Spamhaus BGP feed to
 prevent against botnet, spam, etc? If so, how has your experience been? Is
 it worthwhile? Has it helped? On / off list responses are appreciated in
 advance.

We've been using the BGP feed for a little over a year now.
We had some problems with malware-infected end user PCs causing
upstream congestion resulting in slow internet complaints.
The Spamhaus feed definitely helped a little with our problem but
it's not the magic super tool to completely stop malware in your
network.
On the other hand there was no complaint due to a false positive (a
couple of years ago we had one complaint due to a false positive on the
EDROP list).

Best Regards,
Frederik Kriewitz


Re: Spamhaus BGP feed experiences?

2015-05-19 Thread Max Tulyev
How much false positives (i.e. blackholing traffic users want to reach)?

On 18.05.15 21:04, Marco d'Itri wrote:
 On May 17, Mike Lyon mike.l...@gmail.com wrote:
 
 Any ISPs out there (big or small) ever used the Spamhaus BGP feed to
 prevent against botnet, spam, etc? If so, how has your experience been? Is
 it worthwhile? Has it helped? On / off list responses are appreciated in
 advance.
 We use Spamhaus DROP (not the BGP version: our software asks a human to 
 review each change).
 The benefits are not obvious since we do not have access customers, but 
 it will blackhole some networks you obviously do not want to talk to,
 and it has not caused any troubles either.
 



Re: Spamhaus BGP feed experiences?

2015-05-19 Thread John Levine
In article 555b8313.5080...@netassist.ua you write:
How much false positives (i.e. blackholing traffic users want to reach)?

Very little.  The DROP list, which is what's in the BGP feed, is a
small subset of the SBL, and only includes blocks that send no
legitimate traffic at all.



On 18.05.15 21:04, Marco d'Itri wrote:
 On May 17, Mike Lyon mike.l...@gmail.com wrote:
 
 Any ISPs out there (big or small) ever used the Spamhaus BGP feed to
 prevent against botnet, spam, etc? If so, how has your experience been? Is
 it worthwhile? Has it helped? On / off list responses are appreciated in
 advance.
 We use Spamhaus DROP (not the BGP version: our software asks a human to 
 review each change).
 The benefits are not obvious since we do not have access customers, but 
 it will blackhole some networks you obviously do not want to talk to,
 and it has not caused any troubles either.
 





Re: Spamhaus BGP feed experiences?

2015-05-18 Thread Marco d'Itri
On May 17, Mike Lyon mike.l...@gmail.com wrote:

 Any ISPs out there (big or small) ever used the Spamhaus BGP feed to
 prevent against botnet, spam, etc? If so, how has your experience been? Is
 it worthwhile? Has it helped? On / off list responses are appreciated in
 advance.
We use Spamhaus DROP (not the BGP version: our software asks a human to 
review each change).
The benefits are not obvious since we do not have access customers, but 
it will blackhole some networks you obviously do not want to talk to,
and it has not caused any troubles either.

-- 
ciao,
Marco
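Marco's practice of having a human review each DROP change before it reaches the routers, and Matthias's practice of checking his own data against DROP, can be combined into one small tool. This is an added example in Python, not code from the thread, from Spamhaus or from either poster; it assumes the plain-text list format `<prefix> ; <reference>` with `;` starting comments, and all prefixes and SBL references in it are constructed documentation values, not real listings.

```python
import ipaddress
from typing import Dict, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Entry = Tuple[Network, str]  # (listed prefix, reference from the list)


def parse_drop(text: str) -> Dict[Network, str]:
    """Parse a DROP-style text list into {network: reference}.

    Assumed format: one '<prefix> ; <reference>' entry per line, lines
    beginning with ';' are comments.  A prefix with host bits set is
    rejected rather than silently widened: a malformed line must never
    turn into a blackhole route on a router.
    """
    entries: Dict[Network, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        prefix, _, ref = line.partition(";")
        try:
            net = ipaddress.ip_network(prefix.strip(), strict=True)
        except ValueError as exc:
            raise ValueError(f"malformed DROP line {raw!r}: {exc}") from exc
        entries[net] = ref.strip()
    return entries


def _sort_key(entry: Entry):
    # Sort IPv4 before IPv6, then by address and prefix length, so mixed
    # families never get compared directly (which would raise TypeError).
    net = entry[0]
    return (net.version, int(net.network_address), net.prefixlen)


def diff_snapshots(old: Dict[Network, str],
                   new: Dict[Network, str]) -> Tuple[List[Entry], List[Entry]]:
    """Return (added, removed) entries between two snapshots, sorted."""
    added = sorted(((n, r) for n, r in new.items() if n not in old), key=_sort_key)
    removed = sorted(((n, r) for n, r in old.items() if n not in new), key=_sort_key)
    return added, removed


def overlap_with_sources(entries: List[Entry],
                         sources: List[str]) -> List[Tuple[str, Network, str]]:
    """Report which of our own SMTP sources (single IPs or prefixes) would
    be blackholed by the given entries.  A hit is an overlap in either
    direction: our relay inside a listed prefix, or a listed prefix
    inside one of our larger blocks."""
    hits = []
    for src in sources:
        src_net = ipaddress.ip_network(src, strict=False)
        for net, ref in entries:
            if src_net.version != net.version:
                continue
            if src_net.subnet_of(net) or net.subnet_of(src_net):
                hits.append((src, net, ref))
    return hits


def review_update(old_text: str, new_text: str, sources: List[str]) -> dict:
    """Build the change set a human signs off on before the new snapshot
    is pushed: what was added, what was removed, and which additions
    collide with our own legitimate mail sources."""
    added, removed = diff_snapshots(parse_drop(old_text), parse_drop(new_text))
    return {
        "added": added,
        "removed": removed,
        "conflicts": overlap_with_sources(added, sources),
        "needs_review": bool(added or removed),
    }


# Constructed sample snapshots: RFC 5737 / RFC 3849 documentation prefixes
# and placeholder references, not real Spamhaus listings.
OLD_SNAPSHOT = """\
; constructed snapshot 1
192.0.2.0/24 ; SBL-PLACEHOLDER-1
203.0.113.0/24 ; SBL-PLACEHOLDER-2
"""
NEW_SNAPSHOT = """\
; constructed snapshot 2
192.0.2.0/24 ; SBL-PLACEHOLDER-1
198.51.100.0/24 ; SBL-PLACEHOLDER-3
2001:db8::/32 ; SBL-PLACEHOLDER-4
"""
# Constructed list of our own outbound mail relays.
OUR_SMTP_SOURCES = ["198.51.100.25", "203.0.113.7", "2001:db8:1::10"]

if __name__ == "__main__":
    report = review_update(OLD_SNAPSHOT, NEW_SNAPSHOT, OUR_SMTP_SOURCES)
    for net, ref in report["added"]:
        print(f"ADD      {net}  ({ref})")
    for net, ref in report["removed"]:
        print(f"REMOVE   {net}  ({ref})")
    for src, net, ref in report["conflicts"]:
        print(f"CONFLICT our relay {src} falls inside {net} ({ref}); do not push blindly")
```

With the constructed snapshots the report flags two additions, one removal, and two of our own relays that the new entries would blackhole.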




Re: Spamhaus under DDOS from AnonOps (Wikileaks.info)

2010-12-19 Thread Joe Greco
 On 12/18/2010 5:15 PM, Marshall Eubanks wrote:
 
  I get nothing from wikileaks.org, although the DNS is active :
 
 
 $ host wikileaks.org
 wikileaks.org has address 64.64.12.170

Doesn't it seem vaguely suspicious that whois was just updated?

Domain ID:D130035267-LROR
Domain Name:WIKILEAKS.ORG
Created On:04-Oct-2006 05:54:19 UTC
Last Updated On:17-Dec-2010 01:57:59 UTC
Expiration Date:04-Oct-2018 05:54:19 UTC

It seems like it'd be reasonable to be cautious.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



RE: Spamhaus under DDOS from AnonOps (Wikileaks.info)

2010-12-19 Thread Frank Bulk - iName.com
The wikileaks.info press release points to Google's Safe Browsing page for
wikileaks.info
(http://www.google.com/safebrowsing/diagnostic?site=wikileaks.info), which
comes up clean.

While I tend to trust Steve and Spamhaus because of their built up
reputation, it would be helpful if some concrete facts were published about
the more than 40 criminal-run sites operating on the same IP address as
wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net, and
bank phishes paypal-securitycenter.com and postbank-kontodirekt.com.  Any
chance that will be done, so wikileaks.info's claims can be publicly
refuted?

Kind regards,

Frank

-Original Message-
From: Jack Bates [mailto:jba...@brightok.net] 
Sent: Saturday, December 18, 2010 3:00 PM
To: nanog@nanog.org
Subject: Re: Spamhaus under DDOS from AnonOps (Wikileaks.info)

On 12/18/2010 6:58 AM, Steve Linford wrote:
 For trying to warn about the crime gangs located at the wikileaks.info
mirror IP, Spamhaus is now under ddos by AnonOps. The criminals there do not
like our free speech at all.


It appears that wikileaks.org is operational again and redirecting to 
mirros.wikileaks.info, which draws concern of who now controls 
wikileaks.org. .info definitely isn't the same layout as all the mirrors.


Jack





Re: Spamhaus under DDOS from AnonOps (Wikileaks.info)

2010-12-19 Thread Paul Ferguson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Not for nothing, but Spamhaus wasn't the only organization to warn about
Heihachi:

http://blog.trendmicro.com/wikileaks-in-a-dangerous-internet-neighborhood/

FYI,

- - ferg

On Sun, Dec 19, 2010 at 10:46 AM, Frank Bulk - iName.com
frnk...@iname.com wrote:

 The wikileaks.info press release points to Google's Safe Browsing page
 for wikileaks.info
 (http://www.google.com/safebrowsing/diagnostic?site=wikileaks.info),
 which comes up clean.

 While I tend to trust Steve and Spamhaus because of their built up
 reputation, it would be helpful if some concrete facts were published
 about the more than 40 criminal-run sites operating on the same IP
 address as wikileaks.info, including carder-elite.biz, h4ck3rz.biz,
 elite-crew.net, and bank phishes paypal-securitycenter.com and
 postbank-kontodirekt.com.  Any chance that will be done, so
 wikileaks.info's claims can be publicly
 refuted?

 Kind regards,

 Frank

 -Original Message-
 From: Jack Bates [mailto:jba...@brightok.net]
 Sent: Saturday, December 18, 2010 3:00 PM
 To: nanog@nanog.org
 Subject: Re: Spamhaus under DDOS from AnonOps (Wikileaks.info)

 On 12/18/2010 6:58 AM, Steve Linford wrote:
 For trying to warn about the crime gangs located at the wikileaks.info
 mirror IP, Spamhaus is now under ddos by AnonOps. The criminals there do
 not like our free speech at all.


 It appears that wikileaks.org is operational again and redirecting to
 mirros.wikileaks.info, which draws concern of who now controls
 wikileaks.org. .info definitely isn't the same layout as all the mirrors.


 Jack








-- 
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Spamhaus under DDOS from AnonOps (Wikileaks.info)

2010-12-19 Thread Marshall Eubanks

On Dec 19, 2010, at 8:06 AM, Joe Greco wrote:

 On 12/18/2010 5:15 PM, Marshall Eubanks wrote:
 
 I get nothing from wikileaks.org, although the DNS is active :
 
 
 $ host wikileaks.org
 wikileaks.org has address 64.64.12.170
 
 Doesn't it seem vaguely suspicious that whois was just updated?
 
 Domain ID:D130035267-LROR
 Domain Name:WIKILEAKS.ORG
 Created On:04-Oct-2006 05:54:19 UTC
 Last Updated On:17-Dec-2010 01:57:59 UTC
 Expiration Date:04-Oct-2018 05:54:19 UTC
 
 It seems like it'd be reasonable to be cautious.

Yes. Now, for me, wikileaks.org does alias to wikileaks.info

wget -r wikileaks.org
--13:49:00--  http://wikileaks.org/
           => `wikileaks.org/index.html'
Resolving wikileaks.org... done.
Connecting to wikileaks.org[64.64.12.170]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://mirror.wikileaks.info/ [following]
--13:49:00--  http://mirror.wikileaks.info/
           => `mirror.wikileaks.info/index.html'
Resolving mirror.wikileaks.info... done.
Connecting to mirror.wikileaks.info[92.241.190.202]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 90,059 [text/html]

Which, according to RIPE is assigned to Russia, but with a contact in Panama

% Information related to '92.241.190.0 - 92.241.190.255'

inetnum:        92.241.190.0 - 92.241.190.255
netname:        HEIHACHI
descr:          Heihachi Ltd
country:        RU
admin-c:        HEI668-RIPE
tech-c:         HEI668-RIPE
status:         ASSIGNED PA
mnt-by:         RU-WEBALTA-MNT
source:         RIPE # Filtered

person:         Andreas Mueller
address:        Bella Vista, Calle 53, Marbella
address:        Ciudad de Panama, Panama
remarks:        Visit us under gigalinknetwork.com
remarks:        ICQ 7979970
remarks:        Dedicated Servers, Webspace, VPS, DDOS protected Webspace
remarks:        Send abuse ONLY to: ab...@gigalinknetwork.com
remarks:        Technical and sales info: supp...@gigalinknetwork.com
phone:          +5078321458
abuse-mailbox:  ab...@gigalinknetwork.com
nic-hdl:        hei668-RIPE
mnt-by:         WEBALTA-MNT
source:         RIPE # Filtered


neither of which would give me confidence.

Regards
Marshall



 
 ... JG
 -- 
 Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
 We call it the 'one bite at the apple' rule. Give me one chance [and] then I
 won't contact you again. - Direct Marketing Ass'n position on e-mail 
 spam(CNN)
 With 24 million small businesses in the US alone, that's way too many apples.
 




Re: Spamhaus under DDOS from AnonOps (Wikileaks.info)

2010-12-19 Thread Rich Kulawiec
On Sun, Dec 19, 2010 at 12:46:33PM -0600, Frank Bulk - iName.com wrote:
 While I tend to trust Steve and Spamhaus because of their built up
 reputation, it would be helpful if some concrete facts were published about
 the more than 40 criminal-run sites operating on the same IP address as
 wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net, and
 bank phishes paypal-securitycenter.com and postbank-kontodirekt.com.  

I found this:

http://www.spamhaus.org/sbl/listings.lasso?isp=webalta.ru

(as well as the SBL records those reference) quite interesting.

---rsk



Re: Spamhaus under DDOS from AnonOps (Wikileaks.info)

2010-12-19 Thread Ned Moran
additional evidence

http://www.malwaredomainlist.com/mdl.php?search=41947&colsearch=All&quantity=50&inactive=on

On Sun, Dec 19, 2010 at 2:25 PM, Rich Kulawiec r...@gsp.org wrote:

 On Sun, Dec 19, 2010 at 12:46:33PM -0600, Frank Bulk - iName.com wrote:
  While I tend to trust Steve and Spamhaus because of their built up
  reputation, it would be helpful if some concrete facts were published
 about
  the more than 40 criminal-run sites operating on the same IP address as
  wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net,
 and
  bank phishes paypal-securitycenter.com and postbank-kontodirekt.com.

 I found this:

http://www.spamhaus.org/sbl/listings.lasso?isp=webalta.ru

 (as well as the SBL records those reference) quite interesting.

 ---rsk




Re: Spamhaus under DDOS from AnonOps (Wikileaks.info)

2010-12-19 Thread Simon Waters
On 19/12/10 18:51, Paul Ferguson wrote:
 Not for nothing, but Spamhaus wasn't the only organization to warn about
 Heihachi:

 http://blog.trendmicro.com/wikileaks-in-a-dangerous-internet-neighborhood/

All the domains listed by Trend Micro as neighbours appear to be down.

Have to say as someone whose employer will buy and host a domain name if
you fill in the credit card details and the credit card company accept
them, if you listed only the sites we've cancelled first thing on a
Monday morning (or as soon as we are notified) we'd look pretty poor.

From the many adverse comments about the hosting services in use they
look as bad as they come, but on the other hand this weakens the
usefulness of the Trend statement (well to people who check what they
are told).

Were the sites up when the announcement was made?



Re: Spamhaus under DDOS from AnonOps (Wikileaks.info)

2010-12-19 Thread Paul Ferguson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Sun, Dec 19, 2010 at 12:29 PM, Simon Waters sim...@zynet.net wrote:

 On 19/12/10 18:51, Paul Ferguson wrote:
 Not for nothing, but Spamhaus wasn't the only organization to warn about
 Heihachi:

 http://blog.trendmicro.com/wikileaks-in-a-dangerous-internet-neighborhoo
 d/

 All the domains listed by Trend Micro as neighbours appear to be down.

 Have to say as someone whose employer will buy and host a domain name if
 you fill in the credit card details and the credit card company accept
 them, if you listed only the sites we've cancelled first thing on a
 Monday morning (or as soon as we are notified) we'd look pretty poor.

 From the many adverse comments about the hosting services in use they
 look as bad as they come, but on the other hand this weakens the
 usefulness of the Trend statement (well to people who check what they
 are told).

 Were the sites up when the announcement was made?



The sites that were listed are just a few examples of the hundreds of
domains located there that are engaged in criminal activity. The fact that
they are down now really doesn't factor into the equation -- the history of
criminal activity within that prefix speaks for itself.

- - ferg



-- 
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Spamhaus under DDOS from AnonOps (Wikileaks.info)

2010-12-19 Thread foks
On 12/19/2010 08:33 PM, Ned Moran wrote:
 additional evidence

 http://www.malwaredomainlist.com/mdl.php?search=41947&colsearch=All&quantity=50&inactive=on

 On Sun, Dec 19, 2010 at 2:25 PM, Rich Kulawiec r...@gsp.org wrote:

 On Sun, Dec 19, 2010 at 12:46:33PM -0600, Frank Bulk - iName.com wrote:
 While I tend to trust Steve and Spamhaus because of their built up
 reputation, it would be helpful if some concrete facts were published
 about
 the more than 40 criminal-run sites operating on the same IP address as
 wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net,
 and
 bank phishes paypal-securitycenter.com and postbank-kontodirekt.com.
 I found this:

http://www.spamhaus.org/sbl/listings.lasso?isp=webalta.ru

 (as well as the SBL records those reference) quite interesting.

 ---rsk



The evidence is for Webalta, which hosts Heihachi (which hosts
wikileaks.info). I spent some minutes checking Heihachi's IP block
92.241.190.0 – 92.241.190.255.

I found 255 .com/.net domains which use this IP block and Heihachi's DNS
servers. Google reports that none of them is used to serve malware. Two
of them, dhl24-servicecenter.com and pixel-banner.com, are reported as
phishing sites. Both are down at the moment.

http://support.clean-mx.de/clean-mx/rss?scope=viruses&as=AS41947 reports
4 addresses on this IP block, all of which seem to be up.

http://www.malwaredomainlist.com/mdl.php?search=92.241.190&colsearch=All&quantity=50
reports 3 addresses on underground-infosource.info. This site is not
online at the moment.

If Heihachi hasn't cleaned up very well in the last few days, I would say that
they behave much better than Webalta's customers in general.





RE: Spamhaus under DDOS from AnonOps (Wikileaks.info)

2010-12-19 Thread Frank Bulk - iName.com
Thanks for your note and the many others.  I think it could have been stated
more clearly that wikileaks.info, while in a bad neighborhood, and set up to
suggest it is Wikileaks or part of the Wikileaks organization, does not (at
this time) host or facilitate distribution of malware.  The Spamhaus
announcement was not so clear.

Frank

-Original Message-
From: Paul Ferguson [mailto:fergdawgs...@gmail.com] 
Sent: Sunday, December 19, 2010 12:52 PM
To: frnk...@iname.com
Cc: Jack Bates; nanog@nanog.org
Subject: Re: Spamhaus under DDOS from AnonOps (Wikileaks.info)

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Not for nothing, but Spamhaus wasn't the only organization to warn about
Heihachi:

http://blog.trendmicro.com/wikileaks-in-a-dangerous-internet-neighborhood/

FYI,

- - ferg

On Sun, Dec 19, 2010 at 10:46 AM, Frank Bulk - iName.com
frnk...@iname.com wrote:

 The wikileaks.info press release points to Google's Safe Browsing page
 for wikileaks.info
 (http://www.google.com/safebrowsing/diagnostic?site=wikileaks.info),
 which comes up clean.

 While I tend to trust Steve and Spamhaus because of their built up
 reputation, it would be helpful if some concrete facts were published
 about the more than 40 criminal-run sites operating on the same IP
 address as wikileaks.info, including carder-elite.biz, h4ck3rz.biz,
 elite-crew.net, and bank phishes paypal-securitycenter.com and
 postbank-kontodirekt.com.  Any chance that will be done, so
 wikileaks.info's claims can be publicly
 refuted?

 Kind regards,

 Frank

 -Original Message-
 From: Jack Bates [mailto:jba...@brightok.net]
 Sent: Saturday, December 18, 2010 3:00 PM
 To: nanog@nanog.org
 Subject: Re: Spamhaus under DDOS from AnonOps (Wikileaks.info)

 On 12/18/2010 6:58 AM, Steve Linford wrote:
 For trying to warn about the crime gangs located at the wikileaks.info
 mirror IP, Spamhaus is now under ddos by AnonOps. The criminals there do
 not like our free speech at all.


 It appears that wikileaks.org is operational again and redirecting to
 mirros.wikileaks.info, which draws concern of who now controls
 wikileaks.org. .info definitely isn't the same layout as all the mirrors.


 Jack








-- 
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/




Re: Spamhaus under DDOS from AnonOps (Wikileaks.info)

2010-12-18 Thread Jack Bates

On 12/18/2010 6:58 AM, Steve Linford wrote:

For trying to warn about the crime gangs located at the wikileaks.info mirror 
IP, Spamhaus is now under ddos by AnonOps. The criminals there do not like our 
free speech at all.



It appears that wikileaks.org is operational again and redirecting to 
mirros.wikileaks.info, which draws concern of who now controls 
wikileaks.org. .info definitely isn't the same layout as all the mirrors.



Jack



Re: Spamhaus under DDOS from AnonOps (Wikileaks.info)

2010-12-18 Thread Marshall Eubanks

On Dec 18, 2010, at 4:00 PM, Jack Bates wrote:

 On 12/18/2010 6:58 AM, Steve Linford wrote:
 For trying to warn about the crime gangs located at the wikileaks.info 
 mirror IP, Spamhaus is now under ddos by AnonOps. The criminals there do not 
 like our free speech at all.
 
 
 It appears that wikileaks.org is operational again and redirecting to 
 mirros.wikileaks.info, which draws concern of who now controls wikileaks.org. 
 .info definitely isn't the same layout as all the mirrors.
 
 

I get nothing from wikileaks.org, although the DNS is active :

dig wikileaks.org

;; ANSWER SECTION:
wikileaks.org.          4774    IN      A       64.64.12.170

;; AUTHORITY SECTION:
wikileaks.org.          61470   IN      NS      ns100.dynadot.com.
wikileaks.org.          61470   IN      NS      ns101.dynadot.com.

64.64.12.170 is
NetRange:       64.64.0.0 - 64.64.31.255
CIDR:           64.64.0.0/19
OriginAS:       AS25847
NetName:        SERVINT

and, at least here, a traceroute disappears into servint
snip
 8  64.125.195.222.t00883-02.above.net (64.125.195.222)  15.905 ms  12.172 ms  
12.072 ms
 9  sc-smv1766.servint.net (216.22.61.86)  15.879 ms  11.974 ms  13.761 ms
10  * * *

According to this

http://nanozen.info/2010/12/spamhaus-under-ddos-from-anonops-wikileaks-info/

wikileaks.info is being hosted by bad guys :

The site data, disks, connections and visitor traffic, are all under the 
control of the Heihachi cybercrime gang. There are more than 40 criminal-run 
sites operating on the same IP address as wikileaks.info, including 
carder-elite.biz, h4ck3rz.biz, elite-crew.net, and bank phishes 
paypal-securitycenter.com and postbank-kontodirekt.com.

However, at least for me here in Virginia, wikileaks.org is not aliasing to 
anywhere, but instead simply times out.

Regards
Marshall


 Jack
 
 




Re: Spamhaus under DDOS from AnonOps (Wikileaks.info)

2010-12-18 Thread Jack Bates

On 12/18/2010 5:15 PM, Marshall Eubanks wrote:


I get nothing from wikileaks.org, although the DNS is active :



$ host wikileaks.org
wikileaks.org has address 64.64.12.170
$ telnet 64.64.12.170 80
Trying 64.64.12.170...
Connected to 64.64.12.170.
Escape character is '^]'.
GET / HTTP/1.1
Host: wikileaks.org

HTTP/1.1 302 Found
Date: Sun, 19 Dec 2010 04:56:23 GMT
Server: Apache
Location: http://mirror.wikileaks.info/
Content-Length: 213
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://mirror.wikileaks.info/">here</a>.</p>

</body></html>
Connection to 64.64.12.170 closed by foreign host.


and, at least here, a traceroute disappears into servint
snip
  8  64.125.195.222.t00883-02.above.net (64.125.195.222)  15.905 ms  12.172 ms  
12.072 ms
  9  sc-smv1766.servint.net (216.22.61.86)  15.879 ms  11.974 ms  13.761 ms
10  * * *


I see the same timeouts, but tcp/80 is going through. Filtering, I suspect.


Jack



Re: Spamhaus...

2010-02-24 Thread Rich Kulawiec
On Sun, Feb 21, 2010 at 10:59:08PM -0600, James Hess wrote:
 But if the origin domain has not provided SPF records,  there are some
 unusual cases left open,  where a bounce to a potentially fake address
 may still be required.

Third time: SPF plays no role in mitigating this.  Nothing stops an
attacker from using a throwaway domain to send traffic to known
backscatterers, who will then backscatter it to $throwawaydomain,
whose MX's are set to $victim's MX's.  This is not a hypothetical, BTW,
and there are a number of more interesting attack scenarios that I'll leave
as an exercise for the reader.  (Some of these have been discussed in
detail on spam-l, and may be found in the archives.)

However, even if SPF is in play, a surprising (and perhaps disturbing)
number of mail operations authenticate users but then do not require
that the sender match the authenticated user.  This permits the attacker
to use j...@example.com to target s...@example.com with backscatter, if
the user-part can be set independently.  (Even if s...@example.com does
not exist, it still permits targeting of example.com.)  And if the domain-part
can be set independently, then obviously third parties can be targeted.
(Again, see the archives of spam-l where all of this has been analyzed
and discussed in great depth.)

Yes, yes, yes, we can argue that some of this is bad mail system practice
on the part of example.com, and we can argue that this is bad security
practice on the part of joe, and both of these arguments have merit,
but it's one of the first principles of abuse control that abuse should
always be squelched where possible, never passed on, reflected or even
worse, amplified.   A little transient schadenfreude might feel good,
but it's poor operational practice -- it's never appropriate to respond
to abuse with abuse.

---Rsk
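
As an added illustration of the submission-side check Rich describes above
(requiring that the envelope sender match the authenticated user, in both the
user-part and the domain-part), and not code from this thread or from any
MTA: a Python policy function a mail submission agent could consult at MAIL
FROM time. The user-to-sender table, the local domain and the function names
are all constructed assumptions.

```python
"""Submission-time envelope-sender authorization.  Added example; the alias
table, domain and names are constructed, not taken from any real site."""

from __future__ import annotations

# Constructed table: which envelope senders each authenticated user may use.
# A real MSA would take this from its directory or a map file.
SENDER_MAP = {
    "joe": {"joe@example.com", "support@example.com"},
    "sue": {"sue@example.com"},
}
LOCAL_DOMAINS = {"example.com"}  # assumption: the only domains we originate


def canonical(addr: str) -> str:
    """Lower-case the address, strip <> and drop plus-addressing so that
    joe+tag@example.com is judged as joe@example.com."""
    addr = addr.strip().lower()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if "@" not in addr:
        return addr
    user, domain = addr.rsplit("@", 1)
    return f"{user.split('+', 1)[0]}@{domain}"


def sender_allowed(auth_user: str, mail_from: str) -> tuple[bool, str]:
    """Return (allowed, reason) for an authenticated submission.
    The null sender <> stays allowed: DSNs must use it.  Everything else
    must be a local domain and a sender the user is entitled to."""
    if mail_from.strip() in ("", "<>"):
        return True, "null sender permitted (DSN)"
    sender = canonical(mail_from)
    if "@" not in sender:
        return False, "unqualified sender"
    domain = sender.rsplit("@", 1)[1]
    if domain not in LOCAL_DOMAINS:
        return False, f"domain-part {domain} is not local; third parties could be targeted"
    if sender in SENDER_MAP.get(auth_user.lower(), set()):
        return True, f"sender authorized for {auth_user}"
    return False, f"user-part mismatch: {auth_user} may not send as {sender}"


if __name__ == "__main__":
    for user, sender in (("joe", "joe@example.com"), ("joe", "sue@example.com"),
                         ("joe", "joe@other.example"), ("joe", "<>")):
        print(user, sender, sender_allowed(user, sender))
```

The check is deliberately applied to the envelope sender rather than the
From: header: the envelope sender is where DSNs go, so it is the one that
turns a mismatch into backscatter against someone else.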



Re: Spamhaus...

2010-02-24 Thread William Herrin
On Wed, Feb 24, 2010 at 8:21 AM, Rich Kulawiec r...@gsp.org wrote:
 On Sun, Feb 21, 2010 at 10:59:08PM -0600, James Hess wrote:
 But if the origin domain has not provided SPF records,  there are some
 unusual cases left open,  where a bounce to a potentially fake address
 may still be required.

 Nothing stops an
 attacker from using a throwaway domain to send traffic to known
 backscatterers, who will then backscatter it to $throwawaydomain,
 whose MX's are set to $victim's MX's.

So? You, I and everyone else these days are no longer running open
relays. You don't host $throwawaydomain so the session will end at the
rcpt command. If someone merely wants to DDOS your server there are
far easier ways.

Regards,
Bill Herrin




  it's never appropriate to respond
 to abuse with abuse.

 ---Rsk





-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004



Re: Spamhaus and Barracuda Networks BRBL

2010-02-22 Thread Dave Sparro

On 2/22/2010 12:40 AM, Suresh Ramasubramanian wrote:


Is it your position that, as a vendor of antispam services, nobody
else should offer their services for a fee?

That would be strange indeed


Actually I can sympathize with Barracuda on this one:
Bob's Widgets is running their own mail server for their 25 employees. 
They decide they need better spam filters.
They can hire Bob's nephew to drop in a Linux server running Postfix and 
SpamAssassin.   In this situation it's OK for Little Bobby to configure 
the Spamhaus RBLs for use on this solution.
They could also hire Barracuda to do essentially the same thing 
(assumption based on source code published at 
http://source.barracuda.com/source/ ).  In this case Bob's Widgets is 
not allowed to use Spamhaus.


Their list, their rules; but it is indeed strange to me.

--
Dave




Re: Spamhaus...

2010-02-22 Thread Valdis . Kletnieks
On Sun, 21 Feb 2010 14:57:31 GMT, Paul Vixie said:
 Rich Kulawiec r...@gsp.org writes:
  We're well past that.  Every minimally-competent postmaster on this
  planet knows that clause became operationally obsolete years ago [1], and
  has configured their mail systems to always reject, never bounce. [2]
 
 for smtp, i agree.  yet, uucp and other non-smtp last miles are not dead.

In exactly the same sense, and for the same reasons, that 36-bit machines
are not dead yet.




Re: Spamhaus and Barracuda Networks BRBL

2010-02-22 Thread Larry Sheldon
On 2/22/2010 1:40 PM, Dave Sparro wrote:
 On 2/22/2010 12:40 AM, Suresh Ramasubramanian wrote:

 Is it your position that, as a vendor of antispam services, nobody
 else should offer their services for a fee?

 That would be strange indeed
 
 Actually I can sympathize with Barracuda on this one:
 Bob's Widgets is running their own mail server for their 25 employees. 
 They decide they need better spam filters.
 They can hire Bob's nephew to drop in a Linux server running Postfix and 
 SpamAssassin.   In this situation it's OK for Little Bobby to configure 
 the Spamhaus RBLs for use on this solution.
 They could also hire Barracuda to do essentially the same thing 
 (assumption based on source code published at 
 http://source.barracuda.com/source/ ).  In this case Bob's Widgets is 
 not allowed to use Spamhaus.

The issue is not whether Bob's can use the list to turn a profit, but
whether Barracuda can.

 Their list, their rules; but it is indeed strange to me.
 


-- 
Government big enough to supply everything you need is big enough to
take everything you have.

Remember:  The Ark was built by amateurs, the Titanic by professionals.

Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca

ICBM Targeting Information:  http://tinyurl.com/4sqczs
http://tinyurl.com/7tp8ml




Re: Spamhaus and Barracuda Networks BRBL

2010-02-22 Thread Graeme Fowler
On Mon, 2010-02-22 at 14:40 -0500, Dave Sparro wrote:
 Their list, their rules; but it is indeed strange to me.

Not too strange: Little Bobby probably does one or two jobs and goes
away, leaving the system to run by itself. the SpamAssassin people
receive nothing from his choice of software.
If Bob decides he wants to buy a commercial appliance from a
profit-making company (presumption being made here) who are in turn
making significant use of a free resource such as the SpamHaus lists
in their appliance's configuration, and those appliances become very
popular (as I understand they might be), then the infrastructure costs
associated with the appliance are shifted away from both the vendor and
the end-user onto the provider.

If said provider gets a bit shirty about this and decides that they're
going to analyse and block traffic from those appliances if they haven't
paid for a service...

If you stand back and look at this dispassionately then I would expect a
large majority of this list would probably act in a similar way (or
their companies or employers would) given a similar situation with their
services.

TANSTAAFL. Really. Someone has to pay for the meal; why should it be the
chef?

Graeme




Re: Spamhaus and Barracuda Networks BRBL

2010-02-22 Thread Jay Hennigan
On 2/22/10 11:40 AM, Dave Sparro wrote:

 Actually I can sympathize with Barracuda on this one:
 Bob's Widgets is running their own mail server for their 25 employees.
 They decide they need better spam filters.
 They can hire Bob's nephew to drop in a Linux server running Postfix and
 SpamAssassin.   In this situation it's OK for Little Bobby to configure
 the Spamhaus RBLs for use on this solution.
 They could also hire Barracuda to do essentially the same thing
 (assumption based on source code published at
 http://source.barracuda.com/source/ ).  In this case Bob's Widgets is
 not allowed to use Spamhaus.
 
 Their list, their rules; but it is indeed strange to me.

Bob is in the widget business, he profits from selling widgets.  He
doesn't profit from the spam-filtering business.  Spamhaus is, out of
sheer niceness to the community, willing to accommodate one-off widget
makers with some freebies.  Thank you. Spamhaus.  We appreciate it.

Barracuda is in the spam-filtering business, they profit directly from
it.  Spamhaus isn't willing to allow a for-profit entity to deploy their
filters on thousands of machines at substantial cost to Spamhaus in
terms of bandwidth and server load without being compensated for it.
This seems reasonable to me.

If Bob's Widgets' nephew syncs Bob's machine to the University of
Wisconsin's NTP server, it isn't a big deal.  When Netgear hard-codes
UoW's NTP server's IP into a gazillion consumer boxes, it is.  That's
the difference.

http://pages.cs.wisc.edu/~plonka/netgear-sntp/

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: Spamhaus...

2010-02-21 Thread Graeme Fowler
On Sun, 2010-02-21 at 06:27 +, John Levine wrote:
 In my experience, they're pretty reasonable.  I would talk to them (or
 one of their datafeed sales agents) before assuming that they won't
 sell you the service you need.

They are indeed. In my day job, a large group of related members of
different institutions approached our umbrella networking organisation
to speak to Spamhaus for the specific reason that we were concerned
that;

a) between us we were making millions (if not billions) of queries a day
to the mirror servers, and
b) collective negotiation would make a service available for all of us
for far less than individual orgs paying for their own.

We now have a private mirror, which is accessible only from within the
same AS in which we all sit. The load is therefore not on the Spamhaus
servers or public mirrors, and we're collectively paying for the service
so the service is supported. Everyone wins.

Unfortunately (for this discussion) I don't know how much it cost, but I
would assume it wasn't much because the lead time between request and
service implementation was pretty short.

Personally I think Spamhaus are entirely correct to identify and block,
or request payment, from heavy users of their _free_ service. A little
like the organisations paying many other members of this list will do
for heavy data users in a residential or mobile context, in fact - but
that's far too controversial an issue to be conflated with this one (oh
dear).

Graeme




Re: Spamhaus...

2010-02-21 Thread Michelle Sullivan
Jon Lewis wrote:

 The original question, what do you do (or have you done) when DNSBL-X
 approaches you saying that your network is hitting their public NS's
 too hard and wants you to pay for continued access? is something I'd
 like to see some answers to.  Despite the Subject:, Spamhaus is
 neither the only DNSBL currently doing this nor the first to watch
 statistics on their public NS's and approach networks asking for money
 and/or cutting off access if you don't pay.


As a matter of interest, who are the other current DNSBL's to do it?


Michelle



Re: Spamhaus...

2010-02-21 Thread Rich Kulawiec
[ This discussion really needs to move to spam-l. ]

On Sat, Feb 20, 2010 at 03:53:55PM -0500, William Herrin wrote:
 I don't know what your spam intake looks like but in mine, 5% to 10%
 can't be ranked high confidence until checked by an eyeball mark 1.
 In my system, that fraction is a candidate for a bounce... unless your
 SPF records have told me that the message has a forged sender. I honor
 whatever instructions you've made the effort to give me via the sender
 policy framework.

So, drink the SPF koolaid or I'll abuse your mail system?  No thanks.

 That's the part that really galls me. Instructing my system not to
 bounce questionable messages related to yours is entirely within your
 control. You don't even have to know I exist; you just put a simple
 well-standardized line in your DNS. The instruction you choose to
 offer, I'll do all the processing necessary to honor it.

This is wrong.  Use of SPF, as I pointed out previously, *does not stop
backscatter spam*. [1]  This is very old news to everyone who's been
paying attention on spam-l for the past however-many-years.  I suggest
a thorough reading of the relevant traffic archived there, where any
number of nasty attack scenarios -- some of which are history,
not speculation -- have been discussed.

Hint: nothing stops the spammers from pointing the MX records for their
throwaway domains at somebody else's mail servers.  Among other things.
MANY other things, unfortunately.

The only thing that stops backscatter spam is not sending bounces. [2]
Period.  Full stop.  And sending rejects (that is: issuing 5xx responses
during the SMTP conversation) fully complies with the applicable RFCs,
so there's no issue there.  That's why it's a BCP.  And that's why
people who don't do it often get (correctly) blacklisted for the spam
they will inevitably emit.

The days of bounces are over.  Gone.  Buh-bye.  Thanks to 100M+ zombies
and all the other factors I previously listed, they are NOT coming back. [3]
We could lament it ad infinitum and argue about letter/spirit of the RFCs
twice as long, but the immediate operational goal is to reduce the amount
of abuse on the 'net, not sustain or amplify it.  Given that *at least*
95% of the mail traversing the 'net is junk/abusive (more like 98-99%, but
let's be a little conservative) the very last thing any operation
should be doing is passing it on or generating more of it.


Aside: this is part of a more general principle of SMTP abuse control:
do not allow attackers to cause *your* operation to generate outbound
traffic to arbitrary destinations of *their* choosing.  It's unlikely
that they will be kind enough to do so for your benefit or for that
of your victims.

---Rsk

[1] Neither does DKIM or SenderID or anything similar. 

[2] As before, not sending bounces unless the sender is an
authenticated user.  And also as before, modulo the occasional
edge cases.

[3] I'm starting to think 200M may be a more realistic current
estimate, but the exact number really doesn't matter that much.
However large the number is, it's still increasing monotonically
and there is at present no reason on the table to think that this
trend will reverse.  And this is only one of several related problems
of large scale and scope that we face.  My crystal ball is murky,
but I see no reason whatsoever to think that ANY of these problems
will be fixed, let alone ALL of them.



Re: Spamhaus...

2010-02-21 Thread Paul Vixie
Rich Kulawiec r...@gsp.org writes:

 On Fri, Feb 19, 2010 at 08:20:36PM -0500, William Herrin wrote:
 Whine all you want about backscatter but until you propose a
 comprehensive solution that's still reasonably compatible with RFC
 2821's section 3.7 you're just talking trash.

 We're well past that.  Every minimally-competent postmaster on this
 planet knows that clause became operationally obsolete years ago [1], and
 has configured their mail systems to always reject, never bounce. [2]

for smtp, i agree.  yet, uucp and other non-smtp last miles are not dead.

 [2] Yes, there are occasionally some edge cases of limited scope and
 duration that can be tough to handle.  ...  The key points here are
 limited scope and limited duration.  There is never any reason or
 need in any mail environment to permit these problems to grow beyond
 those boundaries.

so, a uucp-only site should have upgraded to real smtp by now, and by not
doing it they and their internet gateway are a joint menace to society?

that seems overly harsh.  there was a time (1986 or so?) when most of the
MX RR's in DNS were smtp gateways for uucp-connected (or decnet-connected,
etc) nodes.  it was never possible to reject nonexist...@uucpconnected at
their gateway since the gateway didn't know what existed or not.  i'm not
ready to declare that era dead.

william herrin had a pretty good list of suggested tests to avoid sending
useless bounce messages:

No bounce if the message claimed to be from a mailing list.
No bounce if the spam scored higher than 8 in spamassassin
No bounce if the server which you received the spam from doesn't match
my domain's published SPF records evaluated as if ~all and ?all
are -all

i think if RFC 2821 is to be updated to address the backscatter problem, it
ought to be along those lines, rather than everything must be synchronous.
-- 
Paul Vixie
KI6YSY
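
Added worked example, not code from this thread, covering two points made
above: Rich Kulawiec's point that unknown recipients should be refused with a
5xx during the SMTP dialogue rather than accepted and bounced, and the three
tests from William Herrin that Paul quotes for suppressing bounces on mail
that has already been accepted (mailing-list traffic, high spam score, and
the sending host failing the sender domain's SPF with ~all and ?all read as
-all). The recipient list, SPF records, addresses and threshold are
constructed; the SPF evaluator is a deliberately minimal subset (ip4 and all
mechanisms only), not a conforming implementation.

```python
"""Reject-at-RCPT plus a bounce-suppression policy.  Added example; the
directory, SPF records and threshold below are constructed."""

from __future__ import annotations

import ipaddress

# Constructed stand-ins for the recipient directory and DNS.
LOCAL_USERS = {"alice@example.com", "bob@example.com"}
SPF_RECORDS = {  # constructed TXT records; a real MTA queries DNS for these
    "example.net": "v=spf1 ip4:192.0.2.0/24 -all",
    "soft.example": "v=spf1 ip4:198.51.100.10 ~all",
    "neutral.example": "v=spf1 ip4:203.0.113.0/24 ?all",
}
SPAM_THRESHOLD = 8.0  # the spamassassin score named in the quoted tests


def rcpt_to_response(recipient: str) -> str:
    """Answer a RCPT TO command.  An unknown user gets a 5xx at SMTP time, so
    any bounce is the connecting client's job and a forged sender never
    receives a DSN from us."""
    if recipient.strip().lower() in LOCAL_USERS:
        return "250 2.1.5 OK"
    return "550 5.1.1 User unknown"


def spf_rejects(sender_domain: str, client_ip: str) -> bool:
    """Minimal SPF evaluation (ip4 and all only) with ~all and ?all treated
    as -all.  True only when the record refutes the sending host; a missing
    record refutes nothing."""
    record = SPF_RECORDS.get(sender_domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return False
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            try:
                net = ipaddress.ip_network(term[4:], strict=False)
            except ValueError:
                continue  # malformed mechanism: ignore it
            if ip in net:
                return qualifier != "+"
        elif term == "all":
            return qualifier != "+"  # -all, ~all and ?all all refute here
    return False


def should_bounce(msg: dict) -> tuple[bool, str]:
    """Post-acceptance decision: may a delivery failure generate a DSN?
    msg carries headers (dict), score (float), mail_from and client_ip."""
    headers = {k.lower(): v for k, v in msg["headers"].items()}
    if "list-id" in headers or headers.get("precedence", "").lower() in ("list", "bulk"):
        return False, "message claims to be mailing-list traffic"
    if msg["score"] > SPAM_THRESHOLD:
        return False, f"spam score {msg['score']} exceeds {SPAM_THRESHOLD}"
    mail_from = msg["mail_from"]
    if "@" in mail_from and spf_rejects(mail_from.rsplit("@", 1)[1], msg["client_ip"]):
        return False, "sending host fails the sender domain's SPF (strict reading)"
    return True, "no test refutes the sender; DSN permitted"


if __name__ == "__main__":
    print(rcpt_to_response("nobody@example.com"))
    sample = {"headers": {"From": "x@example.net"}, "score": 1.5,
              "mail_from": "x@example.net", "client_ip": "10.0.0.1"}
    print(should_bounce(sample))
```

Note the asymmetry: rcpt_to_response removes the need for a bounce entirely,
while should_bounce only limits the damage for the cases James Hess raises
(recipient deleted or over quota after acceptance), where a DSN is the only
way to tell a legitimate sender what happened.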



Re: Spamhaus...

2010-02-21 Thread Michelle Sullivan
Paul Vixie wrote:
 so, a uucp-only site should have upgraded to real smtp by now, and by not
 doing it they and their internet gateway are a joint menace to society?

 that seems overly harsh.  there was a time (1986 or so?) when most of the
 MX RR's in DNS were smtp gateways for uucp-connected (or decnet-connected,
 etc) nodes.  it was never possible to reject nonexist...@uucpconnected at
 their gateway since the gateway didn't know what existed or not.  i'm not
 ready to declare that era dead.
   


I was running a UUCP gateway not so long ago, and might revive it in the
future (got an old school BBS with a UUCP gateway and no SMTP still.)

The front end still knew the back end valid addresses though and that's
going from a PCBoards BBS to a Postfix SMTP gateway via UUCP.


That said there are many out there that refuse on the grounds I don't
have the time to fix it .. and of course one could retort with I don't
have the time to receive mail from you.

I'm on the fence, if it's SMTP there *should* be no reason for the front
end not to know valid users at the back end...  Something will know the
valid list of email addresses, so you *should* be able to get that
information to the front end. 

Michelle


* should because there will be edge cases where you can't get the
information, but then are there that many emails behind that gateway
that couldn't be updated manually?



Re: Spamhaus...

2010-02-21 Thread Tony Finch
On Sun, 21 Feb 2010, Jon Lewis wrote:
 On Sun, 21 Feb 2010, Michelle Sullivan wrote:

  As a matter of interest, who are the other current DNSBL's to do it?

 To the best of my knowledge, MAPS was the first to do it.  Uribl.com currently
 does it

And SURBL.org.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS.
MODERATE OR GOOD.



Re: Spamhaus...

2010-02-21 Thread William Herrin
On Sun, Feb 21, 2010 at 9:10 AM, Rich Kulawiec r...@gsp.org wrote:
 Hint: nothing stops the spammers from pointing the MX records for their
 throwaway domains at somebody else's mail servers.  Among other things.
 MANY other things, unfortunately.

Rich,

Clearly I shouldn't respond to any packets at all. After all, a bad
actor can originate packets with a forged source address and I
wouldn't want to abuse your network with unwanted echo-replies,
syn-acks and rejs.

Regards,
Bill Herrin





-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004



Re: Spamhaus...

2010-02-21 Thread William Herrin
On Sat, Feb 20, 2010 at 7:10 PM, Joel Jaeggli joe...@bogus.com wrote:
 s/mime detached signatures rooted in some ca that you trust are actually
 a rather good way of identifying the sender.

Joel,

Unfortunately signatures are more effective at confirming authenticity
than they are at refuting it. Even more unfortunately, refuting
authenticity is vastly more useful in solving the backscatter problem.

The nice thing about SPF is that it offers a practical way to *refute*
the authenticity of claimed senders even when its use is less than
universal.


On Sat, Feb 20, 2010 at 5:57 PM, James Hess mysi...@gmail.com wrote:
 Spurious DSNs can
 be discarded easily by the mail server that knows it didn't pass that
 message.

James,

Unfortunately, that's not true. Mailing list software has to use VERP
or similar encodings in the from address to successfully map bounces
back to the message that caused them. For general-purpose email use,
programmatically mapping bounces back to the original message isn't
reliable.


On Sat, Feb 20, 2010 at 7:25 PM, Jon Lewis jle...@lewis.org wrote:
 IMO, the original question in this thread was on-topic, but unfortunately it
 got very little discussion

I like spamhaus, they run a quality list, but they want between $1900
and $19000 per year for their rsync service and you have to tell them
how many email customers you're supporting in order to pay less than
the max. That would be an acceptable price to pay for antispam efforts
overall, but I couldn't afford to pay that for *each* of the dozens of
services spamassassin consults while analyzing a message.

Regards,
Bill Herrin




-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004



Re: Spamhaus...

2010-02-21 Thread Michelle Sullivan
Jon Lewis wrote:
 On Sun, 21 Feb 2010, Michelle Sullivan wrote:

 As a matter of interest, who are the other current DNSBL's to do it?

 To the best of my knowledge, MAPS was the first to do it.  Uribl.com
 currently does it (and does the sort of query aggregation across your
 entire? network) that I mentioned.

Can you access MAPS without a subscription at all?

As far as SORBS goes, we monitor the individual DNS servers for
excessive queries and ask any provider causing excessive queries to run
their own local copy.  We don't charge for any of it, we don't require
them to run a public mirror (though sometimes we ask.)

Regards,

Michelle




Re: Spamhaus...

2010-02-21 Thread Matthias Leisi

Am 21.02.10 10:25, schrieb Michelle Sullivan:

 As a matter of interest, who are the other current DNSBL's to do it?

dnswl.org currently does not do it, but bandwidth suckers are a pain.

The work is considerable: log aggregation, log review, trying to find a
responsible for the IPs and following up until they finally implement a
local copy. We loosely define 100k queries/24h to be acceptable. Above
that, you should set up your local (private) mirror (and hey, rsync is
free!).

And there are some entities that do not even acknowledge that a problem
exists -- most likely until you turn access off for them. Yes, I can
completely understand Spamhaus & Co for limiting access to their public
mirrors.

(OTOH, blocking access to these abusers is hard since our infrastructure
partly relies on donated, shared public DNSBL mirrors.)

-- Matthias
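
Added example of the log aggregation Matthias describes, written for this
archive and not dnswl.org's own tooling. The log line format (epoch, client
IP, query name), the addresses and the zone name are constructed; the 100k
queries per 24h threshold is the figure quoted in the post. Queriers are
grouped by /24 or /64 so that a provider's resolver farm is counted as one
source rather than as many small ones.

```python
"""Find networks querying a DNSBL mirror above a daily threshold.  Added
example; log format, addresses and zone name are constructed."""

from __future__ import annotations

import ipaddress
from collections import Counter

DAILY_LIMIT = 100_000      # queries per 24h the post calls acceptable
BASE_EPOCH = 1266710400    # 2010-02-21 00:00:00 UTC, constructed


def aggregation_key(client_ip: str) -> str:
    """Group queriers by /24 (IPv4) or /64 (IPv6)."""
    ip = ipaddress.ip_address(client_ip)
    prefix = 24 if ip.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def parse_line(line: str):
    """Parse a constructed log line '<epoch> <client_ip> <qname>'.
    Returns (epoch, client_ip, qname), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ipaddress.ip_address(parts[1])
        return int(parts[0]), parts[1], parts[2]
    except ValueError:
        return None


def heavy_queriers(lines, zone: str, limit: int = DAILY_LIMIT) -> dict[str, int]:
    """Count queries under `zone` per (prefix, UTC day) and return the
    entries above `limit`, keyed as '<prefix> day <day-number>'."""
    zone = zone.lower().rstrip(".")
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        epoch, client, qname = rec
        qname = qname.lower().rstrip(".")
        if qname != zone and not qname.endswith("." + zone):
            continue  # traffic for some other zone on a shared mirror
        counts[(aggregation_key(client), epoch // 86400)] += 1
    return {f"{prefix} day {day}": n
            for (prefix, day), n in counts.items() if n > limit}


def constructed_log():
    """Yield constructed log lines: one busy /24 spread over 200 addresses,
    one modest querier, traffic for an unrelated zone, and a malformed line."""
    zone = "list.dnswl.example"
    for i in range(120_000):
        yield f"{BASE_EPOCH + i % 86400} 192.0.2.{i % 200 + 1} 7.0.0.10.{zone}."
    for i in range(500):
        yield f"{BASE_EPOCH + i} 198.51.100.7 9.0.0.10.{zone}."
    for i in range(2_000):
        yield f"{BASE_EPOCH + i} 203.0.113.4 www.example.org."
    yield "garbage line"


if __name__ == "__main__":
    for key, n in sorted(heavy_queriers(constructed_log(), "list.dnswl.example").items()):
        print(f"{key}: {n} queries, above {DAILY_LIMIT}; ask for a local mirror")
```

The busy /24 only shows up because its 200 individual addresses are summed;
per-address counting would put each of them well under the limit, which is
the usual reason a big resolver farm goes unnoticed until the mirror is
saturated.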



Re: Spamhaus...

2010-02-21 Thread Jon Lewis

On Sun, 21 Feb 2010, Michelle Sullivan wrote:


To the best of my knowledge, MAPS was the first to do it.  Uribl.com
currently does it (and does the sort of query aggregation across your
entire? network) that I mentioned.


Can you access MAPS without a subscription at all?


At this point, I have no idea.  Originally, yes.  Even after they went 
commercial, IIRC, they were still going to provide free access for 
hobbyists but not for business users.  The quality and coverage of their 
service compared to others that were available became such that I stopped 
using it and didn't miss it.


--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



RE: Spamhaus

2010-02-21 Thread Joel M Snyder

On Sat, Feb 20, 2010 at 7:25 PM, Jon Lewis jle...@lewis.org wrote:
  IMO, the original question in this thread was on-topic, but
  unfortunately it got very little discussion

I like spamhaus, they run a quality list, but they want between $1900
and $19000 per year for their rsync service and you have to tell them
how many email customers you're supporting in order to pay less than
the max. That would be an acceptable price to pay for antispam efforts
overall, but I couldn't afford to pay that for *each* of the dozens of
services spamassassin consults while analyzing a message.

I wonder if the pricing you've got is old.  I just did a test of a 
product and got pricing of $420/year for 600 users when I queried them. 
Essentially, less than $1/user/year.


I understand that you are querying dozens of services with SpamAssassin, 
but I can guarantee you're not getting value for all that traffic you're 
generating.  In our research, we've found very little value to stacking 
reputation services.  And even stacking content filters can cause more 
problems than it solves if you don't pick them VERY carefully.


Just as an example, last month one of the content filters (think of it 
as an anti-spam product like SpamAssassin, but NOT including any 
reputation component) I tested ran with approximately an 81% catch rate. 
 Add in a single reputation filter, and that jumps up to 92.36%.  Add 
in three reputation filters, and the new rate is 92.99%.  Add in every 
single reputation filter I'm testing (that was 32 of them last month) 
and the rate barely jumped to 93.02%---but the false positive count 
jumped by 112 messages per 10,000 (because APEWS was somehow having a 
lousy month).


In general, the more reputation services you include, the more likely it 
is you're going to have false positives.


jms

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One   Phone: +1 520 324 0494
j...@opus1.comhttp://www.opus1.com/jms



Re: Spamhaus...

2010-02-21 Thread Larry Sheldon
On 2/21/2010 12:32 PM, Jon Lewis wrote:
 On Sun, 21 Feb 2010, Michelle Sullivan wrote:
 
 To the best of my knowledge, MAPS was the first to do it.  Uribl.com
 currently does it (and does the sort of query aggregation across your
 entire? network) that I mentioned.

 Can you access MAPS without a subscription at all?
 
 At this point, I have no idea.  Originally, yes.  Even after they went 
 commercial, IIRC, they were still going to provide free access for 
 hobbyists but not for business users.  The quality and coverage of their 
 service compared to others that were available became such that I stopped 
 using it and didn't miss it.

I also have no current information (except personal surprise that they
were still around), but I got into anti-spam groups and lists, and
learning sendmail when our mail started failing left and right.

Long story short somebody (HP, our vendor? the previous secretive
admin? I never did figure out who) had configured all of our sendmail
instances to use MAPS, and MAPS had shut off the service--no warning
that I know of, no alternative that I know of.  I do recall that when we
started developing our own tools (in the pre-Postini days) our catch
rate went up and our FP rate plummeted.

-- 
Government big enough to supply everything you need is big enough to
take everything you have.

Remember:  The Ark was built by amateurs, the Titanic by professionals.

Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca

ICBM Targeting Information:  http://tinyurl.com/4sqczs
http://tinyurl.com/7tp8ml




Re: Spamhaus...

2010-02-21 Thread Patrick W. Gilmore
On Feb 21, 2010, at 1:01 PM, William Herrin wrote:
 On Sun, Feb 21, 2010 at 9:10 AM, Rich Kulawiec r...@gsp.org wrote:
 Hint: nothing stops the spammers from pointing the MX records for their
 throwaway domains at somebody else's mail servers.  Among other things.
 MANY other things, unfortunately.

 Clearly I shouldn't respond to any packets at all. After all, a bad
 actor can originate packets with a forged source address and I
 wouldn't want to abuse your network with unwanted echo-replies,
 syn-acks and rejs.

Bill:

That is actually somewhat correct.

You should not randomly respond to packets at arbitrary rates.  If you do, you 
are being a bad Netizen for exactly this reason.  See things like amplification 
attacks for why.

Of course, if you can get proper responses, say TCP sequence numbers, proving 
the other side really is talking to you, then that limitation is removed.

-- 
TTFN,
patrick




Re: Spamhaus

2010-02-21 Thread Suresh Ramasubramanian
On Mon, Feb 22, 2010 at 12:08 AM, Joel M Snyder joel.sny...@opus1.com wrote:
 but the false positive count jumped by 112 messages per 10,000 (because
 APEWS was somehow having a lousy month).

 In general, the more reputation services you include, the more likely it is
 you're going to have false positives.

Christ.  You pick APEWS as a reputation filter.. and then even bother
to *count* the false positives?

That's not a list that's particularly designed to minimize FPs, to put
it very mildly.

-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Spamhaus...

2010-02-21 Thread James Hess
On Sun, Feb 21, 2010 at 1:16 PM, Patrick W. Gilmore patr...@ianai.net wrote:
 You should not randomly respond to packets at arbitrary rates.  If you do, 
 you are being a bad Netizen for exactly this reason.  See things like 
 amplification attacks for why.   ...
 --

Whether it's SMTP, TCP, or ICMP spam involved the reflection
attack result is still the same, and still a DoS, even if there aren't
arbitrary rates of transmission from any player.  Sure, _your_
host A's TCP stack may only respond at a maximum rate of 1
packet per second to ICMP queries from all sources, but there are
hosts B, C, D, E, and F, too.

Just like mail servers block single IP addresses that hit more than
X invalid recipients or graylist on more than Y SMTP
transactions/recipients in Z minutes.

But the spammer is sending out massive forged ICMP ECHOs or TCP
SYNs with 1,000,000+ different spoofed source addresses that
correspond to operational internet hosts, with semi-randomized TTL
values.

No one host creates a problem, you have an emergent property,
where the attacker abused all the hosts put together.  The result is
very much from the attacker, not the hosts involved, they have
simply propagated the attack.

Backscatter is spam from the person who created the fake origin,
not spam from the fooled mail servers.  Obviously SMTP servers
should try to do the best they can to stop it.

But if the origin domain has not provided SPF records, there are some
unusual cases left open, where a bounce to a potentially fake address
may still be required.

E.g. The recipient was valid at the time the message was accepted,
BUT while the message was still queued, their account got deleted,
now the user is gone, and the message cannot be delivered to
something that no longer exists.

Or they ran out of disk quota allocated to their mailbox.
This is impossible to know in advance, since they haven't run out
until several other queued messages are delivered to them.

 TTFN,
 patrick
--
-J



RE: Spamhaus...

2010-02-21 Thread Tomas L. Byrnes


 -Original Message-
 From: William Herrin [mailto:b...@herrin.us]
 Sent: Sunday, February 21, 2010 10:02 AM
 To: Rich Kulawiec
 Cc: nanog@nanog.org
 Subject: Re: Spamhaus...
 
 On Sun, Feb 21, 2010 at 9:10 AM, Rich Kulawiec r...@gsp.org wrote:
  Hint: nothing stops the spammers from pointing the MX records for
 their
  throwaway domains at somebody else's mail servers.  Among other
 things.
  MANY other things, unfortunately.
 
 Rich,
 
 Clearly I shouldn't respond to any packets at all. After all, a bad
 actor can originate packets with a forged source address and I
 wouldn't want to abuse your network with unwanted echo-replies,
 syn-acks and rejs.
 
 Regards,
 Bill Herrin
[Tomas L. Byrnes] 
Maybe he should avoid any traffic on any non Point to Point only link with no 
repeaters, as there's always the possibility of a beaconing station or someone 
with SQE turned on.

Reductio ad absurdum; which, btw, is never a valid argument for, or against.

P.S. I once wrote code to change line idle code on Multi-drop X.25 from 7E to 
FF, because ATT ignored DTR and had all their MJUs run wide open, thereby 
destroying a NRZI multidrop 56kbps digital circuit, so the above scenario is 
not fictitious. Needless to say, pulling the plug was not an option.





RE: Spamhaus...

2010-02-21 Thread Tomas L. Byrnes


 -Original Message-
 From: Patrick W. Gilmore [mailto:patr...@ianai.net]
 Sent: Sunday, February 21, 2010 11:17 AM
 To: NANOG list
 Subject: Re: Spamhaus...
 
 On Feb 21, 2010, at 1:01 PM, William Herrin wrote:
  On Sun, Feb 21, 2010 at 9:10 AM, Rich Kulawiec r...@gsp.org wrote:
  Hint: nothing stops the spammers from pointing the MX records for
 their
  throwaway domains at somebody else's mail servers.  Among other
 things.
  MANY other things, unfortunately.
 
  Clearly I shouldn't respond to any packets at all. After all, a bad
  actor can originate packets with a forged source address and I
  wouldn't want to abuse your network with unwanted echo-replies,
  syn-acks and rejs.
 
 Bill:
 
 That is actually somewhat correct.
 
 You should not randomly respond to packets at arbitrary rates.  If you
 do, you are being a bad Netizen for exactly this reason.  See things
 like amplification attacks for why.
 
 Of course, if you can get proper responses, say TCP sequence numbers,
 proving the other side really is talking to you, then that limitation
 is removed.
 

[Tomas L. Byrnes] Ok, so now we can agree on something: You should have
a POLICY about how you handle packets. Now, while trying very hard to
hold my powder since that is what the ThreatSTOP patent is about, how do
you propose to define, and implement, that policy efficiently across
multiple devices, from multiple vendors, in real time?



Re: Spamhaus and Barracuda Networks BRBL

2010-02-21 Thread Suresh Ramasubramanian
Is it your position that, as a vendor of antispam services, nobody
else should offer their services for a fee?

That would be strange indeed.

On Fri, Feb 19, 2010 at 5:41 AM, Dean Drako dr...@barracuda.com wrote:

 With respect to Barracuda Networks and Spamhaus.

 I expect, but I do not know, that Spamhaus probes on port 25
 in order to identify Barracuda Spam and Virus Firewalls and then block
 their access to their RBL.  Many Barracuda customers have been
 cut off without warning causing them trouble and pain.

 Barracuda attempted to find a deal that would work for licensing
 Spamhaus for our products, however, spamhaus's desire for money
 could not be met without significantly increasing the price to
 each of our customers.    They wanted us to charge the
 spamhaus feed price to each of our customers.
 We tried to find an arrangement for a long time.   I personally
 love the work that spamhaus has done. I was disappointed that we could
 not find an arrangement once they changed into a commercial entity and
 started charging customers.  When they were providing a free
 service we promoted them strongly, but when they started charging
 the customers that really used it, we had to part ways.
 It is a pity.

 We recommend customers use only Barracuda's Free RBL:  BRBL
 and this is now built into the Barracuda Spam and Virus Firewall.
 http://www.barracudacentral.org/rbl

 The BRBL is provided at no charge to anyone who wants to use it (even
 non barracuda customers).
 The BRBL has a full time staff that answers phone and email
 to correct any false positives and handle removal requests -- unlike competing
 services that charge money and who do not provide a staff.   We will consider
 providing data feeds if anyone has interest.  We currently provide
 the BRBL as a free service.  We make no claims about it being better
 or worse than any other RBL.   It does use a massive amount of data in
 order to determine which IP's should be on the list. Others have made claims
 about its accuracy and say great things about it.  Others complain that
 we unjustly block them, however, 99.9% of the people who are blocked and who
 contact us find a BOT in their network.


 Sincerely,

 Dean Drako
 CEO Barracuda Networks

-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Spamhaus...

2010-02-20 Thread Rich Kulawiec
On Fri, Feb 19, 2010 at 08:20:36PM -0500, William Herrin wrote:
 Whine all you want about backscatter but until you propose a
 comprehensive solution that's still reasonably compatible with RFC
 2821's section 3.7 you're just talking trash.

We're well past that.  Every minimally-competent postmaster on this
planet knows that clause became operationally obsolete years ago [1], and
has configured their mail systems to always reject, never bounce. [2]

For the rest, that are still sending backscatter/outscatter spam on 
a chronic/systemic basis, we have spammer blacklists, since
of course they *are* spamming.

It should be obvious on inspection to everyone that one of the very
last things we should be doing when we are drowning in useless/junk
SMTP traffic is to generate more of it.

Doubly so when, as we have seen, abusers have demonstrated the ability
to repurpose it as a formidable weapon.

---Rsk

[1] Thanks in part to the rise of the zombies, to the ready availability
of cheap/free domains in bulk, to anonymous/obfuscated registration, to
fast-flux DNS, and to a number of other factors.  And no, SPF does not
in any way mitigate this problem.  Neither does DKIM.  Neither does
SenderID.  Neither does *anything* except not sending it.

[2] Yes, there are occasionally some edge cases of limited scope and
duration that can be tough to handle.  However, well-known methods exist
for minimizing these in various mail environments (e.g., front-end/back-end,
multiple MX, etc.), and these have been elucidated and discussed at length
on the relevant mailing lists, such as spam-l.  The key points here
are limited scope and limited duration.  There is never any reason
or need in any mail environment to permit these problems to grow beyond
those boundaries.




Re: Spamhaus...

2010-02-20 Thread John Peach
On Fri, 19 Feb 2010 21:28:41 -0800
Scott Howard sc...@doc.net.au wrote:

 On Fri, Feb 19, 2010 at 5:20 PM, William Herrin b...@herrin.us wrote:
  On Fri, Feb 19, 2010 at 3:30 PM, Rich Kulawiec r...@gsp.org wrote:
  Barracuda's engineers apparently think
  that using SPF stops backscatter -- and it most emphatically does not.
 
  Reject good, bounce baaad. [1]
 
  Whine all you want about backscatter but until you propose a
  comprehensive solution that's still reasonably compatible with RFC
  2821's section 3.7 you're just talking trash.
 
 In the case of Barracuda's long history of Backscatter the solution is
 simple, and is implemented by most other mail vendors - it's called
 "Don't accept incoming mail to an invalid recipient."
 
 Barracudas used to have no way of doing address validation for
 incoming mail, so they would accept it and then bounce it when the
 next hop (eg, the Exchange server) rejected the recipient address.
 They finally fixed this a few years ago, and can not integrate with
 LDAP (and possibly others) for address validation. Of course, it's
 still down to the admin to implement it...

FUD

I had a couple of these when they first came out; it was a much cheaper
alternative than the self-maintained postfix/spamassassin combination
we were using at that point and proved to be just as efficient.
Recipient validation was trivial, it was just not switched on by
default. LDAP integration was also trivial. IIRC it was called exchange
accelerator.



-- 
John



Re: Spamhaus...

2010-02-20 Thread Daniel Senie

On Feb 20, 2010, at 12:28 AM, Scott Howard wrote:

 On Fri, Feb 19, 2010 at 5:20 PM, William Herrin b...@herrin.us wrote:
 On Fri, Feb 19, 2010 at 3:30 PM, Rich Kulawiec r...@gsp.org wrote:
 Barracuda's engineers apparently think
 that using SPF stops backscatter -- and it most emphatically does not.
 
 Reject good, bounce baaad. [1]
 
 Whine all you want about backscatter but until you propose a
 comprehensive solution that's still reasonably compatible with RFC
 2821's section 3.7 you're just talking trash.
 
 In the case of Barracuda's long history of Backscatter the solution is
 simple, and is implemented by most other mail vendors - it's called
 "Don't accept incoming mail to an invalid recipient."
 
 Barracudas used to have no way of doing address validation for
 incoming mail, so they would accept it and then bounce it when the
 next hop (eg, the Exchange server) rejected the recipient address.
 They finally fixed this a few years ago, and can not integrate with
 LDAP (and possibly others) for address validation. Of course, it's
 still down to the admin to implement it...

I don't know when this was that they didn't do validation. As long as I've 
worked with their stuff, the boxes can connect to your mail server via SMTP and 
verify. Many people would put Exchange servers behind the Barracuda, and those 
Exchange servers would say "sure, that's valid" to any request for validation, 
so adding LDAP support helped with Exchange server issues (though apparently 
it's now possible to do verification via SMTP if you set up your Exchange 
right). Point is, it's unclear what you complain about was entirely the making 
of the vendor you are complaining about.

The Barracuda boxes will accept mail for domains they know about but without 
validating the email address in the event the target mail server is down. And 
yes, it'd be nice if they instead sent back a 421 and let the email queue at 
the point of origination in such cases. So if a mail server is down and comes 
back up, some emails will likely be present in the queues that shouldn't have 
been accepted.
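
Added example (not from any poster in this thread): a Python simulation of the two RCPT TO policies discussed above, Scott Howard's "don't accept mail to an invalid recipient" and Daniel Senie's point that a 421 when the back-end is down keeps the mail queued at the origin. It shows that SMTP-time rejection never produces a delivery notification to a (possibly forged) envelope sender, while accept-then-bounce does; the Backend class and every address are constructed for this example.

```python
# Simulation of two edge-MTA policies for RCPT TO, showing why "reject, never
# bounce" avoids backscatter.  Constructed example; Backend and all addresses are hypothetical.
from collections import Counter


class Backend:
    """Stand-in for the internal mail server (e.g. Exchange) behind the edge box."""

    def __init__(self, domain, mailboxes, up=True):
        self.domain = domain.lower()
        self.mailboxes = {m.lower() for m in mailboxes}
        self.up = up

    def validate(self, local_part):
        """Answer a recipient-verification probe; raise if the server is down."""
        if not self.up:
            raise ConnectionError("backend unreachable")
        return local_part.lower() in self.mailboxes


def rcpt_decision(rcpt, backend):
    """Reply an edge MTA gives to RCPT TO:<rcpt> when it validates before
    accepting: 250 known user, 550 unknown user or domain, 421 backend down."""
    local, _, domain = rcpt.rpartition("@")
    if domain.lower() != backend.domain:
        return 550
    try:
        known = backend.validate(local)
    except ConnectionError:
        # A 4xx reply leaves the message queued at the origin; no NDR is created.
        return 421
    return 250 if known else 550


def process(messages, backend, accept_then_bounce):
    """Run constructed (MAIL FROM, RCPT TO) pairs through one policy; return a
    Counter of SMTP replies and the envelope senders that would receive an NDR."""
    replies = Counter()
    ndr_to = []
    for env_from, rcpt in messages:
        if not accept_then_bounce:
            replies[rcpt_decision(rcpt, backend)] += 1
            continue
        # Old behaviour: accept anything for our domain and sort it out later.
        local, _, domain = rcpt.rpartition("@")
        if domain.lower() != backend.domain:
            replies[550] += 1
            continue
        replies[250] += 1
        try:
            known = backend.validate(local)
        except ConnectionError:
            # Accepted while the backend was down; once it returns, delivery to
            # an unknown user fails and a bounce goes to the (often forged) sender.
            known = local.lower() in backend.mailboxes
        if not known:
            ndr_to.append(env_from)
    return replies, ndr_to


# Constructed sample: two legitimate messages and two dictionary-attack
# probes whose forged MAIL FROM points at an uninvolved third party.
SAMPLE = [
    ("friend@example.net", "alice@example.com"),
    ("victim@example.org", "zzz-nonexistent@example.com"),
    ("victim@example.org", "admin123@example.com"),
    ("other@example.net", "bob@example.com"),
]
```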





Re: Spamhaus...

2010-02-20 Thread Daniel Senie

On Feb 20, 2010, at 8:08 AM, Rich Kulawiec wrote:

 On Fri, Feb 19, 2010 at 08:20:36PM -0500, William Herrin wrote:
 Whine all you want about backscatter but until you propose a
 comprehensive solution that's still reasonably compatible with RFC
 2821's section 3.7 you're just talking trash.
 
 We're well past that.  Every minimally-competent postmaster on this
 planet knows that clause became operationally obsolete years ago [1], and
 has configured their mail systems to always reject, never bounce. [2]

So write a BCP that amends RFC2821. This HAS been done before. When directed 
broadcasts were the hot new way to cause damage, RFC 2644 was born (a.k.a. 
BCP34). It simply said that since the original document was written, it had 
been determined that a required default setting was found to damage the 
Internet and that henceforth, the default value MUST be the opposite. The 
option is still there for those cases when needed, but damage is avoided. Those 
coding up new router stacks hopefully heeded the advice. Certainly two of the 
leading vendors at the time did so.

Instead of saying "well, it's obvious to everyone", do something about it.





Re: Spamhaus...

2010-02-20 Thread Marc Powell
I don't know WTH is up with your large Cc: list but I've removed it to keep the 
conversation here, where it started. More below --

On Feb 19, 2010, at 12:53 PM, Dean Anderson wrote:

 So you should think that its ok for blacklists to charge money for
 things they got for free?

In the case of Spamhaus, yes, I find it acceptable to pay them for the service 
they are providing me because I find it very useful, and with the understanding 
that they are non-profit, have costs related to providing the service and 
provide a free service for people with less volume than me. With regards to 
other lists, I would say that it depends on infrastructure costs they incur to 
provide that service, regardless of whether the content is community provided 
or not. The information may have been obtained freely but there are costs to 
disseminate it. Do you think that they should absorb all the costs of providing 
it as a free service?

--
Marc


Re: Spamhaus...

2010-02-20 Thread Valdis . Kletnieks
On Sat, 20 Feb 2010 09:51:33 EST, Daniel Senie said:

 Instead of saying "well, it's obvious to everyone", do something about it.

*brrring... bring...brrriiing...*

Cluephone. It's for you.

5321 Simple Mail Transfer Protocol. J. Klensin. October 2008. (Format:
 TXT=225929 bytes) (Obsoletes RFC2821) (Updates RFC1123) (Status:
 DRAFT STANDARD)

It's been done already. It's been quoted in this thread even. There's no
sense in Rick re-inventing the wheel when John Klensin and friends already
fixed the flat and rebalanced it a year and a half ago.





Re: Spamhaus...

2010-02-20 Thread Valdis . Kletnieks
On Sat, 20 Feb 2010 09:46:21 EST, Daniel Senie said:

 I don't know when this was that they didn't do validation.

So they validate...

 The Barracuda boxes will accept mail for domains they know about but
 without validating the email address in the event the target mail server
 is down. And yes, it'd be nice if they instead sent back a 421 and let
 the email queue at the point of origination in such cases. So if a mail
 server is down and comes back up, some emails will likely be present in
 the queues that shouldn't have been accepted.

Except for when they don't, and instead of 421'ing they backscatter.

Gotcha.





Re: Spamhaus...

2010-02-20 Thread Patrick W. Gilmore
On Feb 20, 2010, at 10:01 AM, Marc Powell wrote:
 On Feb 19, 2010, at 12:53 PM, Dean Anderson wrote:
 
 So you should think that its ok for blacklists to charge money for
 things they got for free?
 
 In the case of Spamhaus, yes, I find it acceptable to pay them for the 
 service they are providing me because I find it very useful, and with the 
 understanding that they are non-profit, have costs related to providing the 
 service and provide a free service for people with less volume than me. With 
 regards to other lists, I would say that it depends on infrastructure costs 
 they incur to provide that service, regardless of whether the content is 
 community provided or not. The information may have been obtained freely but 
 there are costs to disseminate it. Do you think that they should absorb all 
 the costs of providing it as a free service?

I would go a lot farther and Just Say Yes.

How many of us here got something for 'free'?  Do you feel guilty selling ISP 
services where the mail server is running FreeBSD or Postfix?  Or the name 
server in BIND on Linux?  Should we all just stop and go home now?

Spamhaus has gotten things for free, yes.  I don't have a problem with them 
selling it, and I don't see why you should - unless you are one of the people 
providing such free services.  And that doesn't even consider the huge value 
Spamhaus adds to that free stuff they got.

Do you honestly think those providing service for Spamhaus do not know this is 
happening?  (Careful how you answer, as I used to be authoritative for 
spamhaus.org, I know a little bit about this.)  If nothing else, they got the 
service for free!  (When I ran one of the authorities, I could query it as 
often as I liked for $0. :)

-- 
TTFN,
patrick




RE: Spamhaus...

2010-02-20 Thread Frank Bulk
They also can use SMTP AUTH for what they call Recipient Verification.

Barracuda has done some work in the past few years to improve its out of
the box configuration, but its poor start has permanently tarnished its
reputation in the eyes of some in the mail community, especially those who
are able to build their own spam filtering solution.  

As I found in a previous e-mail I wrote in September 2008, Barracuda's next
release, as documented in their release notes, will, without asking, turn
off all settings that cause backscatter.  Customers will have to
specifically re-activate those features if they want them.
The "Send Bounce" option will be SET TO NO on all systems,
regardless of your previous setting. If you wish
notifications to go out to any sender whose email was
blocked, you can re-enable this option from the
"BASIC-Spam Scoring" page, in the Spam Bounce (NDR)
Configuration section.

Frank

-Original Message-
From: Scott Howard [mailto:sc...@doc.net.au] 
Sent: Friday, February 19, 2010 11:54 PM
To: William Herrin
Cc: nanog@nanog.org
Subject: Re: Spamhaus...

On Fri, Feb 19, 2010 at 9:28 PM, Scott Howard sc...@doc.net.au wrote:
 They finally fixed this a few years ago, and can not integrate with
 LDAP (and possibly others) for address validation. Of course, it's
 still down to the admin to implement it...

... can NOW integrate...   even.

  Scott.





Re: Spamhaus...

2010-02-20 Thread William Herrin
On Sat, Feb 20, 2010 at 8:08 AM, Rich Kulawiec r...@gsp.org wrote:
 On Fri, Feb 19, 2010 at 08:20:36PM -0500, William Herrin wrote:
 Whine all you want about backscatter but until you propose a
 comprehensive solution that's still reasonably compatible with RFC
 2821's section 3.7 you're just talking trash.

 We're well past that.  Every minimally-competent postmaster on this
 planet knows that clause became operationally obsolete years
 ago [1], and has configured their mail systems to always reject,
 never bounce. [2]

Rich,

Indeed, and the ones who are more than minimally competent have
considered the protocol as a whole and come to understand that at a
technical level the "reject, don't bounce" theory has more holes in it
than you can shake a stick at. Find me a comprehensive solution and
I'll help you write the I-D but mere trash-talk about the people who
respect SMTP's architecture is unhelpful.


On Sat, Feb 20, 2010 at 10:06 AM,  valdis.kletni...@vt.edu wrote:
 5321 Simple Mail Transfer Protocol. J. Klensin. October 2008. (Format:
 TXT=225929 bytes) (Obsoletes RFC2821) (Updates RFC1123) (Status:
 DRAFT STANDARD)

 It's been done already. It's been quoted in this thread even.
 There's no sense in Rick re-inventing the wheel when
 John Klensin and friends already
 fixed the flat and rebalanced it a year and a half ago.

They didn't exactly fix it. What they did is reinforce the importance
of generating a bounce message by keeping the existing "must" language
from 2821 but adding:

A server MAY attempt to verify the return path before using its
address for delivery notifications

Regards,
Bill Herrin


-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004



Mail Best Practices and Documentation (was Re: Spamhaus...)

2010-02-20 Thread Larry Sheldon
On 2/20/2010 9:06 AM, valdis.kletni...@vt.edu wrote:
 On Sat, 20 Feb 2010 09:51:33 EST, Daniel Senie said:
 
  Instead of saying "well, it's obvious to everyone", do something about it.
 
 *brrring... bring...brrriiing...*
 
 Cluephone. It's for you.
 
 5321 Simple Mail Transfer Protocol. J. Klensin. October 2008. (Format:
  TXT=225929 bytes) (Obsoletes RFC2821) (Updates RFC1123) (Status:
  DRAFT STANDARD)
 
 It's been done already. It's been quoted in this thread even. There's no
 sense in Rick re-inventing the wheel when John Klensin and friends already
 fixed the flat and rebalanced it a year and a half ago.

I've never been part of the process, but as an observer, it appears to me
that unlike the old days where it seems, from the histories, that an RFC
could get approved in a matter of days or weeks, the hard part now is
not the writing, but the getting approved.

So (agreeing with Valdis) it seems unfair to chide people for not
writing one when there is a backlog of unapproved ones in the mill (some
of them as we see on topic).

-- 
Government big enough to supply everything you need is big enough to
take everything you have.

Remember:  The Ark was built by amateurs, the Titanic by professionals.

Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca

ICBM Targeting Information:  http://tinyurl.com/4sqczs
http://tinyurl.com/7tp8ml




Re: Spamhaus...

2010-02-20 Thread Larry Sheldon
On 2/20/2010 10:36 AM, William Herrin wrote:
 They didn't exactly fix it. What they did is reinforce the importance
 of generating a bounce message by keeping the existing "must" language
 from 2821 but adding:
 
 A server MAY attempt to verify the return path before using its
 address for delivery notifications

So, if you don't mind having your realm being blocked to stop the spam
(unsolicited bulk email) it emits, bounce away.

And feel very pompous and correct while you are at it.

In my day, the focus was on what my customers needed and wanted and that
included the elimination of unsolicited email (they were not even big on
the bulk qualifier).

As long as the spammers and others that love the bounce are part of the
RFC process, it isn't going to get better.

We don't send email over facilities consisting of cables as big as your
wrist--the world has changed.

We don't expose ourselves with finger and .plan and a number of other
things that work in a world of friends and neighbors--the world has changed.

We don't send notifications and such which depend on people being honest
and trust-worthy--the world has changed.

RFCs describe protocols that, if followed, will allow the described
interoperability.  If you don't do everything listed, some stuff won't
work as described.  But it isn't Holy Writ.  If you don't do something
you don't need (or nobody you care about needs) you won't burn.  And
some people may thank you and allow you to be part of their community.

-- 
Government big enough to supply everything you need is big enough to
take everything you have.

Remember:  The Ark was built by amateurs, the Titanic by professionals.

Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca

ICBM Targeting Information:  http://tinyurl.com/4sqczs
http://tinyurl.com/7tp8ml




Re: Spamhaus...

2010-02-20 Thread Michelle Sullivan
Scott Howard wrote:
 On Fri, Feb 19, 2010 at 5:20 PM, William Herrin b...@herrin.us wrote:
   
 On Fri, Feb 19, 2010 at 3:30 PM, Rich Kulawiec r...@gsp.org wrote:
 
 Barracuda's engineers apparently think
 that using SPF stops backscatter -- and it most emphatically does not.

 Reject good, bounce baaad. [1]
   
 Whine all you want about backscatter but until you propose a
 comprehensive solution that's still reasonably compatible with RFC
 2821's section 3.7 you're just talking trash.
 

 In the case of Barracuda's long history of Backscatter the solution is
 simple, and is implemented by most other mail vendors - it's called
 "Don't accept incoming mail to an invalid recipient."

 Barracudas used to have no way of doing address validation for
 incoming mail, so they would accept it and then bounce it when the
 next hop (eg, the Exchange server) rejected the recipient address.
 They finally fixed this a few years ago, and can not integrate with
 LDAP (and possibly others) for address validation. Of course, it's
 still down to the admin to implement it...


Actually they do (did?), as they run postfix, they should be
configurable to use LDAP and a whole host of other methods.


Michelle



Re: Spamhaus...

2010-02-20 Thread Michael Dillon
 We don't expose ourselves with finger and .plan and a number of other
 things that work in a world of friends and neighbors--the world has changed

It's changed all right. Finger is now called IM presence, and .plan is
called Facebook.

Given that the world now has dozens of alternate channels of
communication over the Internet, I'm on the side of folks who break the
RFCs in order to keep things in some semblance of operational. And maybe
someday, email will be known under another name as well.

--Michael Dillon


