Security Incidents mailing list archives

Re: IP Black list?


From: ryan () SECURITYFOCUS COM (Ryan Russell)
Date: Tue, 16 May 2000 09:34:38 -0700


On Mon, 15 May 2000, Mike Shannon wrote:

> What if a legitimate organization shares the same address space as an
> offender?  Should they pay for the actions of that offender even though they
> are not even associated with them? For example, 50 people lodge a complaint
> about 1.2.3.0/24 even though it is actually coming from something in the
> 1.2.3.0/28 address space.  Not only that but finding a group of unbiased
> people would be a tough thing to do.

That somewhat mirrors the situation that SecurityFocus is in.  The folks
we get our address space from apparently have a few customers running open
mail relays, spread throughout the address space.  The ORBS guys caught
this, and added a couple of supernets for that space to their
blacklist.  Meanwhile, the ISP in question has blocked the ORBS guys'
ability to scan mail relays, so they can't verify if the problem has been
fixed.  The ORBS answer to this is to keep the block in place.  Naturally,
we don't run open relays, but the ORBS guys can't verify that.

This means that a few places won't accept mail from us, and the ISP
and ORBS are at an impasse.  The only thing I could do at present as a
customer is change providers, which is part of the point of a blacklist.

The end result is a mild annoyance, because the ORBS list isn't in wide
enough use to cause any real change yet.

I don't think there is a real solution to "bad guys" on the
Internet.  Even with authenticated traffic, some of the bad guys will
control their own authentication/PKI servers.  In addition, they'll still
be able to bounce off other servers out there, and will authenticate as
them.

                                        Ryan
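The collateral-damage problem both posters describe (a whole /24 or larger supernet listed when the offending relays sit in a much smaller block) can be made concrete. The following is an added example, not code from the thread or from ORBS: it forms a DNSBL-style lookup name for an address (the reversed-octet convention DNS-based blocklists use; the zone name `relays.example.net` is a placeholder, not ORBS's real zone), checks whether an address falls inside a listed CIDR, and compares the number of innocent addresses swept up by a supernet listing against the tightest block that would cover only the known offenders. The addresses and the two "open relays" are constructed sample data.

```python
"""Collateral damage of supernet blocklist entries, and DNSBL lookup-name formation.

Added example for the mailing-list discussion above; all data below is constructed.
"""
import ipaddress

# Constructed sample: an ISP's /24 that a blocklist has listed wholesale,
# while the actual open relays cluster in the first /28 of it.
LISTED_SUPERNET = ipaddress.ip_network("1.2.3.0/24")
OPEN_RELAYS = [ipaddress.ip_address(a) for a in ("1.2.3.4", "1.2.3.9")]

# Placeholder zone name (assumption); the real list's DNS zone is not on the page.
DNSBL_ZONE = "relays.example.net"


def dnsbl_query_name(addr, zone=DNSBL_ZONE):
    """DNS-based blocklists are queried by reversing the IPv4 octets and
    appending the list's zone: 1.2.3.4 -> 4.3.2.1.<zone>.  A positive answer
    (typically an A record in 127.0.0.0/8) means "listed"."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def is_listed(addr, listed_networks):
    """True if addr lies inside any listed CIDR.  This is the supernet check
    that sweeps up SecurityFocus along with its provider's relay-running customers."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in listed_networks)


def tightest_single_block(offenders):
    """Smallest single CIDR that still contains every known offender.
    Start from a /32 and widen one bit at a time until all fit."""
    net = ipaddress.ip_network(f"{offenders[0]}/32")
    while not all(ip in net for ip in offenders):
        net = net.supernet()
    return net


def exact_offender_cidrs(offenders):
    """Minimal set of CIDRs covering exactly the offenders and nothing else."""
    return list(ipaddress.collapse_addresses(
        ipaddress.ip_network(f"{ip}/32") for ip in offenders))


def collateral(listed, offenders):
    """Number of addresses in `listed` that are NOT known offenders,
    i.e. the innocent neighbours paying for someone else's open relay."""
    covered = sum(1 for ip in set(offenders) if ip in listed)
    return listed.num_addresses - covered


if __name__ == "__main__":
    print("lookup name for 1.2.3.4:", dnsbl_query_name("1.2.3.4"))
    tight = tightest_single_block(OPEN_RELAYS)
    for net in (LISTED_SUPERNET, tight):
        print(f"{net}: {collateral(net, OPEN_RELAYS)} innocent addresses blocked")
    print("exact offender CIDRs:", [str(n) for n in exact_offender_cidrs(OPEN_RELAYS)])
```

Run stand-alone, the script shows the /24 listing blocking 254 uninvolved addresses where the tightest covering block (the /28 in the quoted example) would block 14, and an exact per-host listing would block none; the DNSBL name is what a mail server's lookup would send to the list's resolver.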

