[Dshield] Idea for dealing with ISPs that ignore abusenotificatons was RE: The Art/Tao/Zen of Abuse e-mails (Was:[Fwd: WHY IS YOURCUSTOMER...])

Kenneth Coney superc at visuallink.com
Sat Aug 26 14:28:30 GMT 2006

I went through the block anything coming from IPNs from China, Brazil, 
Korea, etc. thing years ago.  Started writing my own firewall mods.  The 
process did work for awhile, but one problem I ran into is when IPs were 
reassigned and the new info was posted on ARIN quickly enough.  Back 
then the concept was blocking spam, but it also gave the benefit of 
blocking by non response to many probes.  The list of what needed to be 
blocked grew longer and longer as new hackers and spammers went on 
line.  I found myself blocking US based ISPs as well.  Figuring out who 
owned what IPN and how many #s to block at each ISP ate hours every 
day.  I finally got it down to about 5 to 10 spam emails a day (from 
about 300) accepted while still allowing legitimate mail, but doing so 
was taking 4 of 5 hours of my time each day researching and comparing 
logs and ARIN records, and adding new blocks and it just wasn't worth 
it.   The whole process became self defeating, and ate a lot of CPU 
time/power as well in that the machine would be crawling because each 
input had to be checked for a block.   A different approach I would like 
to see some one market as a firewall for stand alone computers is as 
follows.  There are a total of 9 ISPs containing maybe a total of 12 
IPNs which I actually need to maintain communication with business 
wise.  I really don't need, or want, my PC to even acknowledge the rest 
of the Universe.  Okay an exception or 5 exists for my amusement, let's 
add MS update (and the 10 or so IPNs it uses), an IPN providing a news 
feed, maybe Dshield, NIST time and or ebay/paypal.  Following this would 
leave us with a firewall into which a user can enter the specific IPNs 
he/she wants the computer to acknowledge or accept mail from, and it 
would be totally non-responsive to the rest of the universe and not even 
accept a mail which did not contain "Received: from (pre-approved IP) # 
".  Would it violate RFCs, probably, but when was the last time someone 
asked for our signature of approval on one of those?

More information about the list mailing list