Security Incidents mailing list archives
Re: IP Black list?
From: twells () ATG COM (Tabor J. Wells)
Date: Tue, 16 May 2000 17:14:04 -0400
On Tue, May 16, 2000 at 09:34:38AM -0700, Ryan Russell <ryan () SECURITYFOCUS COM> is thought to have said:
> On Mon, 15 May 2000, Mike Shannon wrote:
> > What if a legitimate organization shares the same address space as an offender? Should they pay for the actions of that offender even though they are not even associated with them? For example, 50 people lodge a complaint about 1.2.3.0/24 even though it is actually coming from something in the 1.2.3.0/28 address space. Not only that but finding a group of unbiased people would be a tough thing to do.
>
> That somewhat mirrors the situation that SecurityFocus is in. The folks we get our address space from apparently have a few customers running open mail relays, spread throughout the address space. The ORBS guys caught this, and added a couple of supernets for that space to their blacklist. Meanwhile, the ISP in question has blocked the ORBS guys' ability to scan mail relays, so they can't verify if the problem has been fixed. The ORBS answer to this is to keep the block in place. Naturally, we don't run open relays, but the ORBS guys can't verify that.
Well it's a bit more than that. When the ISP in question decided to block ORBS from scanning hosts in their network, ORBS chose to manually list not just the IPs that had been verified as open relays but the entire netspace of the ISP (which in this case was a major tier 1 provider). Of the dozen or so lists that I regularly get mail from, at least a third fall within those address blocks. I choose not to use ORBS because the collateral damage from their manual listing choices is too high. Well actually it's pretty high for their standard open relays list as well.

Tabor

--
------------------------------------------------------------------------
Tabor J. Wells                                    twells () atg com
Systems Administrator
Art Technology Group                              http://www.atg.com