
ASN-Blocklist

concerto49

New Member
Verified Provider
We've missed Spamcop and abusesix.org in the past. Maybe a few others. These are being addressed so they send it to our correct abuse address etc.


It's just been a problem due to all the integrations / acquisitions.


Email volume is also going down on SenderBase so things are being worked on. Can't just kill people off, so abuse is definitely going down.


Senderbase is just email volume and not necessarily spam. Having said that, will take a closer look too.


As to Biloh. I'm happy they haven't banned us already :)
 

Awmusic12635

Active Member
Verified Provider
and while I am f'boming CC, I think it's shit naming your customer a spammer like Biloh just did supposedly in public and fingering QueryFoundry.


Fact is, I looked at QF recently, they have a lot of outgoing email (likely a legit customer). There have been some Spamhaus entries back to them (today I think 2+).


I am inclined to believe QF is running legit customer with outbound email or I would have papered them into a hole a month back.


I'll let the QueryFoundry folks defend themselves. Paging @concerto49.
Should have just one open. Created just today. We forward or deal with abuse the moment it comes in. The SBL is in the forwarded state awaiting response.
 

DomainBop

Dormant VPSB Pathogen
Senderbase is just email volume and not necessarily spam
They list both email volume and spam volume

The Senderbase charts show daily Spam / Email volume. To get a more accurate picture you should use that little search box at the top of the page AND give equal weight to both "Last Month Volume" and "Spam Sending Domains". If both numbers are large then there is probably a problem.

July / Monthly Volume / Spam Sending Domains

---------------------------------------------------------

ColoCrossing / 7.8 / 310  <-- high spam volume + high number of spammers = problem network

Query Foundry / 7.8 / 3 <-- high volume but low number of spammers so my guess would be they probably had the bad luck of having a couple of bad customers signup and I wouldn't hold it against them

B2 Net / 7.3 / 74 <-- biloh should have mentioned his buddies who are single homed to him
 

Kris

New Member
B2 Net / 7.3 / 74 <-- biloh should have mentioned his buddies who are single homed to him
I can only imagine they're using that ASN now because they had more problems with ARIN and CC. 

Just watching the 138.x's mount up as they drain the internet of its last v4 resources. Since approval of future requests is based on previous allocation amounts, they're just stacking up the /22, /21, /20 and a /19.

Fucking sickening, that's all.

http://bgp.he.net/AS55286#_prefixes

Plus they forgot to change a few net block descriptions from ColoCrossing -> B2 Net... Wouldn't surprise me if all Vial did was manage ARIN resource requests, create bogus subnet allocations for 'customers'

Must get hard keeping up with all of the bullshit allocations they're given! 
 

drmike

100% Tier-1 Gogent
I can only imagine they're using that ASN now because they had more problems with ARIN and CC. 

Just watching the 138.x's mount up as they drain the internet of its last v4 resources. Since approval of future requests is based on previous allocation amounts, they're just stacking up the /22, /21, /20 and a /19.

Fucking sickening, that's all.
See the Thank you button on this one just isn't enough.

Remember we both know and are seeing the spam flow up and outwards. B2Net for sure. ServerCentral issued IPs on Spamhaus 2x in past 2 weeks.

I am certain there is more, a sliver at best we aren't catching.

CC better order more IPs and get some competent network person to shuffleboard their IPs around. Like I've been dropping here and there, it's damn hard to impossible to get clean IPs from CC in Los Angeles or Dallas. LAX CC is about to fall into a fault line.
 

drmike

100% Tier-1 Gogent
Query Foundry / 7.8 / 3 <-- high volume but  low number of spammers so my guess would be they probably had the bad luck of having a couple of bad customers signup and I wouldn't hold it against them
QF in Senderbase just shows high volume and some IPs with poor ranking.

When I asked the owner @concerto49 he said they likely have some email sending companies as customers. It's none of my business and that's sufficient to explain volume, it is what it is. I'd rather hear that than jump to saying GROWL YOU HAVE SPAMMERS.

I can go back through my half baked archive and see how many QF Spamhaus entries we had in CC's ASN since I started the logging. There were a couple recently (past 48 hours~).

But, it is my understanding that CC may have issues with bad behavior notices not being sent/forwarded.  Perhaps someone from QF who handles ABUSE matters can speak in public about it.

Frankly I am fine with being able to fetch a list for any provider and block.  But QF, like BuyVM doesn't deserve the spot attention at this point.
 

Kris

New Member
I am certain there is more, a sliver at best we aren't catching.
Of course. But subscribing to the ARIN list of newly issued IPs / scoping them out daily is the most time I have the interest, and just watch them load up on IPs. 

Seems they're so damn flooded with IPs (must be a lot of officer signing requests) they don't have the time to switch ColoCrossing -> B2 Net Solutions in the descriptions (or add anything)

This is how I originally caught on to them, a BlueVM customer got a Hudson Valley Host IP. Mentioned it on LET, and I knew ColoCrossing wasn't SWIP'ing our IPs in the description. Looked at BGP.he.net, after we requested a /25 for a single machine. There were (7) /24's under Hudson Valley Host...

A few days after it was brought up on LET, they were swiftly cleaned and changed to the company IP description umbrella of 'ColoCrossing'

Weird, innit? 
 

Awmusic12635

Active Member
Verified Provider
But, it is my understanding that CC may have issues with bad behavior notices not being sent/forwarded.  Perhaps someone from QF who handles ABUSE matters can speak in public about it.
We only get the forwarded SBL once it has already happened. Nothing before that
 

drmike

100% Tier-1 Gogent
So @Kris, let's draw the point finer on this pencil.

HVH (when you were there) needed IPs (normal need).  CC probably asked for justification or info to BS the justification.  They then applied for and/or used HVH details to justify 7 /24's when all you asked for was ONE /25?

Fraud isn't it?
 

drmike

100% Tier-1 Gogent
We only get the forwarded SBL once it has already happened. Nothing before that
But aren't there emails, warnings, etc. prior that other providers normally get?  Seems like CC is short circuiting the process with you.
 

Awmusic12635

Active Member
Verified Provider
But aren't there emails, warnings, etc. prior that other providers normally get?  Seems like CC is short circuiting the process with you.
My assumption is that it probably has to do with instances such as spamcop not even bothering to send them reports anymore because of them not acting on it. But yes you are correct, no warnings or reports before the SBL.
 

Mun

Never Forget
We only get the forwarded SBL once it has already happened. Nothing before that
The problem is that this service got turned into a "bad network providers list". This is one reason I added Frantech to the list, until it was made such a big deal of. The point is you should only block networks that you see the need to do so, and blocking networks for simply being there is idiotic and wrong.

This is one of the reasons why I am currently thinking about changing how I run the applet and making it possibly fully dynamic so anyone can build a list for any ASN.
 

Awmusic12635

Active Member
Verified Provider
The problem is that this service got turned into a "bad network providers list". This is one reason I added Frantech to the list, until it was made such a big deal of. The point is you should only block networks that you see the need to do so, and blocking networks for simply being there is idiotic and wrong.

This is one of the reasons why I am currently thinking about changing how I run the applet and making it possibly fully dynamic so anyone can build a list for any ASN.
In the case of our own network, the one you had in the block list, we get all notifications and reports of spam and deal with them very quickly. 99% of the time no SBL. In the previous case I was mentioning what it is like at CC. Feel free to block them, I don't mind.
 

Mun

Never Forget
In the case of our own network, the one you had in the block list, we get all notifications and reports of spam and deal with them very quickly. 99% of the time no SBL. In the previous case I was mentioning what it is like at CC. Feel free to block them, I don't mind.

The problem is I am now being put in the position of being a judge of who should get listed on my list and if they should be taken off. This wasn't the goal at all.

Honestly I think I will whip up an app tonight that should allow people to make ASN block lists for whatever ASN they want.

If anyone knows the ARIN rest interface and how to use it I would love a little how to. If not I will base the new app once again on bgp.he.net and I'll just cache the results from it for a day to prevent getting blocked.

Mun
 
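As an added illustration of the per-ASN block list generator Mun describes above (this is not Mun's applet or any code from the thread): it takes the prefixes announced by an ASN, drops unparsable entries, collapses overlapping and adjacent blocks, caches the result for a day, and renders an ipset restore script. The prefix source is a constructed sample keyed on a reserved documentation ASN; a real version would plug in a fetch from bgp.he.net or ARIN's RDAP/REST API as the `lookup` argument.

```python
import ipaddress
import json
import os
import time

CACHE_TTL = 24 * 60 * 60  # cache a lookup for one day, as the post proposes
# Constructed sample standing in for a live prefix lookup. AS64496 and the
# 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 2001:db8::/32 blocks are reserved documentation values.
SAMPLE_PREFIXES = {
    "AS64496": [
        "203.0.113.0/24", "203.0.113.64/26",      # the /26 sits inside the /24
        "198.51.100.0/25", "198.51.100.128/25",   # two halves merge into one /24
        "192.0.2.0/24", "2001:db8::/32", "not-a-prefix",
    ],
}

def fetch_prefixes(asn, lookup=SAMPLE_PREFIXES.get):
    """Raw prefix strings for an ASN; `lookup` is the pluggable data source."""
    return lookup(asn) or []

def normalize(prefixes):
    """Skip unparsable entries, merge covered and adjacent blocks, split v4/v6."""
    v4, v6 = [], []
    for p in prefixes:
        try:
            net = ipaddress.ip_network(p, strict=False)
        except ValueError:
            continue  # never turn garbage input into a firewall rule
        (v4 if net.version == 4 else v6).append(net)
    return ([str(n) for n in ipaddress.collapse_addresses(v4)],
            [str(n) for n in ipaddress.collapse_addresses(v6)])

def build_blocklist(asn, cache_dir=".", now=time.time, lookup=SAMPLE_PREFIXES.get):
    """(v4, v6) prefix lists for an ASN, served from a JSON cache while it is fresh."""
    path = os.path.join(cache_dir, f"{asn}.json")
    if os.path.exists(path) and now() - os.path.getmtime(path) < CACHE_TTL:
        with open(path) as f:
            return tuple(json.load(f))
    result = normalize(fetch_prefixes(asn, lookup))
    with open(path, "w") as f:
        json.dump(result, f)
    return result

def render_ipset(asn, v4, v6):
    """ipset restore script: one hash:net set per address family, not one iptables rule per prefix."""
    lines = [f"create {asn}-v4 hash:net family inet",
             f"create {asn}-v6 hash:net family inet6"]
    lines += [f"add {asn}-v4 {p}" for p in v4] + [f"add {asn}-v6 {p}" for p in v6]
    return "\n".join(lines)
```

Feed the output to `ipset -exist restore` and match the sets from iptables with `-m set --match-set AS64496-v4 src`; regenerate daily so the list follows the ASN's current announcements.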

drmike

100% Tier-1 Gogent
The problem is I am now being put in the position of being a judge of who should get listed on my list and if they should be taken off. This wasn't the goal at all.

Honestly I think I will whip up an app tonight that should allow people to make ASN block lists for whatever ASN they want.

If anyone knows the ARIN rest interface and how to use it I would love a little how to. If not I will base the new app once again on bgp.he.net and I'll just cache the results from it for a day to prevent getting blocked.

Mun
I wouldn't be put in the role of having to decide these things. Just create the README notices and the means to snag any ASN.

Straight ASN based blocks will be incomplete, but, warning on that also.

I will whip up an app tonight that should allow people to make ASN block lists for whatever ASN they want.

+1 for that. That's the approach I'd take.
 

Aldryic C'boas

The Pony
The problem is I am being now put in the position of being a judge of whom should get listed on my list and if they should be taken off. This wasn't the goal at all.
That was a problem of your own creation. You made your intentions very clear posting that initial list, and tried very hard to backpedal out of it after being called on it. "Joking with people" is one thing - but you're making a very clear statement that the ASNs your script blocks deserve to be blocked, by virtue of being included. If you have a legitimate reason to do so, then that's all fine and dandy. But when you add a company to an "ASN Blocklist" for the lulz, especially on a public thread, you're positing that you believe they should be blocked. Yes, the companies you have wrongfully accused are going to take offense to this.


You really should stop trying to hide behind the "The point is you should only block networks that you see the need to do so, and blocking networks for simply being there is idiotic and wrong." excuse. Your attempts to bait me earlier made it very clear that Frantech was on that list to try and get a rise out of us - don't try to just play that off as a joke. Your actions have consequences, for you and others - have the fortitude to stand behind the things you do instead of trying to play the "it was all just a joke" card when you get scrutinized for it.
 