Re: dealing with bogon spam ?

[Nathan Ward <nanog () daork net>]

On 28/10/2009, at 12:57 PM, Leslie wrote:

> First off, I'm not certain if unallocated space in blocks less than  
> a /8 is properly called bogon, so pardon my terminology if I'm  
> incorrect.
>
> We're seeing a decent chunk of spam coming from an unallocated block  
> of address space.  We use CYMRU's great list of /8 bogon space to  
> prevent completely off the wall abuse, but the granularity stops at / 
> 8's. Obviously, I've written the originating AS and its single  
> upstream provider (sadly without any response).  I'm not looking for  
> a one time solution for this issue however -- I'd like to  
> permanently block (and kick) anyone who's using unallocated space  
> illegitimately.
>
> How have you dealt with this issue? Does anyone publish a more  
> granular listing of unallocated space? Does arin have this  
> information somewhere other than just probing any given ip via whois?


You *might* be able to get a copy of the whois database as an  
optimisation so you don't have to hit their servers all the time -  
does that help?
I wouldn't rely on that though, but I don't see any other good options.
Perhaps you can only accept stuff from networks that you first saw an  
announcement for greater than 7 days ago, to prevent people popping up  
with a network for a day, spamming, and then disappearing? Likely to  
get lots of false positives in that though, and as soon as someone  
figures out your technique it's not going to work.

Religious war alert: does SIDR solve this? I guess only if you only  
accept signed advertisements.. I don't know if that is the intended  
default mode or not.. Need to do some reading I guess.

--
Nathan Ward