increasing number of blacklisted NZ public IP addresses
Hello all,

I'm working for a small web/mail hosting company. I've recently noticed a lot of blacklisted IP addresses from NZ based ISPs being dished out, part of our intrusion prevention methods involve denying connections from these addresses.

How do these blacklisted IP addresses get unlisted? Is it the responsibility of the customers of these ISPs or is it the responsibility of the ISP?

Daniel Christie

Depends who owns the IP space, in the event the ISP has provided space
it's in your best interest to unblock them so if they get re-assigned to
someone else they work.
Again depends on what the customer is doing to continually get
blacklisted, i.e. not fixing an issue they were told to fix, like open NTP
or something.
If the IP space belongs to your downstream customer, then it's their
problem, but still good to try and assist for a quality of service.
--
Kind regards,
Barry Murphy / Chief Operating Officer
(In reply to Daniel Christie's message of 19/02/15 10:59 am.)

The incident I had this morning was a Spark NZ broadband customer, they didn't have a static IP as I asked them to restart their router which gave them a different IP address.
I wouldn't want to unblock them myself as this could cause them to get listed again and more permanently if they hadn't first resolved the cause of it themselves, like you have said.
I imagine, as it was a dynamic address, that it would have been blacklisted by another one of Spark's customers beforehand and then dished out to the user I was talking to last night after their office had a power outage.
I've tried looking on the Spark NZ website but could not find any support article or help guide for this scenario.
Would anyone on this list (possibly from Spark broadband services) be able to help me with what should be done for this?
----------------------------------------------------------------------
Daniel Christie SYSTEMS ENGINEER/APPLICATION SPECIALIST

Well this explains a few things.

What do you mean by 'blacklist'? Are we talking about DNSBLs usually used to block spam sources? Or are we talking about something that more generically blocks IPs seen to originate 'malicious' behavior?

Many 'blacklists' rigged to block spam as their primary function will frequently, or even by standard practice, block dynamic IP allocations. Clearly you can't attribute the behavior of one user who held a dynamic IP at some point, to the new holder of the same IP - but this also means that those of us in the real world shouldn't be trusting that our end-users will be on non-blacklisted IPs.

Either don't operate the blacklist in question, live with it, or insist that your users have static IPs and whitelist those to get around it.

If someone's using a spam-oriented blacklist to generate a list of IPs that should be treated as 'bad' for other purposes, they're going to have mixed success with this anyway, particularly if you're dealing with the big telcos that'll have a relatively large number of compromised or 'abusive' (for varying definitions of abusive) clients online at any one time, and proportionately small amount of resource dedicated to reputation-protection.

Mark.

(In reply to Daniel Christie's message of 19/02/2015 11:46 a.m.)

Hi Daniel,

What lists do you use to block? As when I was at Snap I listed all our dynamic ranges in https://www.spamhaus.org/pbl/ which was good practice at the time.

Cheers,
Bill

(In reply to Daniel Christie's message of 2015-02-19 11:46.)

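An added example, not code from any poster in this thread, of the distinction raised in the two replies above: a policy listing of a dynamic range (such as the Spamhaus PBL) versus a listing for observed abuse. The combined `zen.spamhaus.org` zone, the injected `resolve` callable and the sample addresses (documentation ranges) are assumptions made for the example.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"  # assumed zone; the thread itself only names the PBL
# Spamhaus-documented ZEN return codes, grouped by what the listing means.
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL", "127.0.0.9": "SBL",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}

def dnsbl_query_name(ip, zone=ZONE):
    """Reverse the IPv4 octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything but IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolve(name):
    """Live lookup via the system resolver; NXDOMAIN or failure gives no answers."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def classify(ip, resolve=system_resolve):
    """Return (verdict, lists); verdict is 'not-listed', 'policy-only',
    'abuse-listed' or 'lookup-error'."""
    answers = resolve(dnsbl_query_name(ip))
    if any(a.startswith("127.255.255.") for a in answers):
        return "lookup-error", []      # the list refused the query; not a listing
    lists = sorted({ZEN_CODES.get(a, "unknown") for a in answers})
    if not lists:
        return "not-listed", lists
    if lists == ["PBL"]:
        return "policy-only", lists    # dynamic/end-user range; says nothing about this user
    return "abuse-listed", lists       # unknown codes are treated conservatively

# Constructed stand-in for the DNS zone so the example runs offline.
FAKE_ZONE = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.10"],
    "7.100.51.198.zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"],
    "9.113.0.203.zen.spamhaus.org": ["127.255.255.254"],
}

def fake_resolve(name):
    return FAKE_ZONE.get(name, [])
```

A connection filter that denies only on `abuse-listed` leaves web and authenticated-submission clients on dynamic ranges reachable, while inbound port 25 policy can still reject `policy-only` sources.
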
Hi Daniel,

Which side of the conversation is this? Is this a customer of yours (a) trying to send email to you as their designated smart host? Or are they (b) trying to send mail from their own mail smart host behind a dynamic address?

If (b), tell them to stop doing that and use a commercial smart host. It's war out there, and people trying to do their own thing are going to get caught in the crossfire between the spammers and their robot armies, and all the various countermeasures deployed to stop them. Dynamic address blocklists exist for a reason, the vast majority of mail coming out of addresses known to be dynamic or end-user assigned (rather than sending via an ISP or mail provider's smart host) is spam, and lots of providers block or score it accordingly.

If (a), I think you might have bitten off more than you realised. You can't just run a mail server and outsource your spam filtering to a blacklist provider and expect not to get problems. At a minimum, you need to be separating your inbound and outbound mail and applying policies accordingly.

For inbound, apply your normal spam filtering, greylisting, blocklists etc.

For outbound mail, the policies need to be different. Authenticate every connection, and be prepared for compromised authentication information, botnetted end user hosts and so on - when you get one of these, you're going to suddenly be subjected to a flood of spam that will get you into every blocklist on the planet, unless you have mechanisms in place to stem the flow automatically and quickly. Mostly, that's a matter of traffic analysis rather than filtering. You can't rely on blocklists for this, or you're going to get false positives - and false negatives. External blocklists won't react anywhere near as quickly as you need for this.

The good news is that most blocklists have automatic de-listing when spam stops. Mostly, blocklist operators aren't like ORBS any more; they know that both spam flows and IP addresses are ephemeral things. (If your blocklist provider doesn't behave that way, drop it like a hot rock.)

The days of just spinning up Sendmail or Exchange to handle mail in and out of your local user base and forgetting about it are long gone. Running a mail server isn't a job for amateurs; it requires an ongoing commitment of time and knowledge.

-- don

(In reply to Daniel Christie's message of 19/02/15 10:59.)

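One way to stem an outbound flood automatically through traffic analysis, as described in the message above. This is an added example, not code from any poster in this thread: a per-account sliding-window recipient budget that places a sticky hold on an authenticated account once it is exceeded. The class name, the limits and the log records are assumptions constructed for the example.

```python
from collections import defaultdict, deque

class OutboundThrottle:
    """Sliding-window recipient budget per authenticated account."""

    def __init__(self, max_rcpts=200, window=3600):  # assumed limits, tune per site
        self.max_rcpts, self.window = max_rcpts, window
        self.events = defaultdict(deque)  # account -> (timestamp, rcpt_count) entries
        self.totals = defaultdict(int)    # account -> recipients inside the window
        self.held = {}                    # account -> time the hold was placed

    def check(self, account, rcpt_count, now):
        """Decide 'accept' or 'defer' for one submission of rcpt_count recipients."""
        if account in self.held:
            return "defer"                # stays held until an operator releases it
        q = self.events[account]
        while q and q[0][0] <= now - self.window:
            self.totals[account] -= q.popleft()[1]   # expire old submissions
        if self.totals[account] + rcpt_count > self.max_rcpts:
            self.held[account] = now      # likely compromised credentials or a bot
            return "defer"
        q.append((now, rcpt_count))
        self.totals[account] += rcpt_count
        return "accept"

    def release(self, account):
        """Operator action once the account has been cleaned up."""
        self.held.pop(account, None)
        self.events.pop(account, None)
        self.totals.pop(account, None)

def replay(log, throttle):
    """Feed (timestamp, account, rcpt_count) records; count deferrals per account."""
    deferred = defaultdict(int)
    for ts, account, rcpts in log:
        if throttle.check(account, rcpts, ts) == "defer":
            deferred[account] += 1
    return dict(deferred)

# Constructed sample: alice sends normally; bob's account starts a flood at t=600.
SAMPLE_LOG = ([(0, "alice", 3), (300, "bob", 2)]
              + [(600 + i, "bob", 50) for i in range(10)]
              + [(900, "alice", 5)])
```

Deferring rather than rejecting keeps a legitimate user's mail queued on their client while the hold is investigated.
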
participants (5): Barry Murphy, Bill Walker, Daniel Christie, Don Stokes, Mark Foster