Re: [Asrg] Too Big to Block?

"Chris Lewis" <> Wed, 08 July 2009 21:26 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C475828C10C for <>; Wed, 8 Jul 2009 14:26:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Y4E5zOYX8+7K for <>; Wed, 8 Jul 2009 14:26:28 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id D5C203A6A65 for <>; Wed, 8 Jul 2009 14:26:27 -0700 (PDT)
Received: from ( []) by (Switch-2.2.6/Switch-2.2.0) with ESMTP id n68LQoX23954 for <>; Wed, 8 Jul 2009 21:26:50 GMT
Received: from ([]) by with Microsoft SMTPSVC(6.0.3790.3959); Wed, 8 Jul 2009 17:26:49 -0400
Received: from [] ( by ( with Microsoft SMTP Server (TLS) id 8.1.340.0; Wed, 8 Jul 2009 17:26:47 -0400
Message-ID: <>
Date: Wed, 8 Jul 2009 17:26:46 -0400
From: "Chris Lewis" <>
Organization: Nortel
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20090605 Lightning/0.9 Thunderbird/ Mnenhy/
MIME-Version: 1.0
To: Anti-Spam Research Group - IRTF <>
References: <> <> <> <> <> <> <> <> <20090708155704.GN15652@verdi> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 08 Jul 2009 21:26:49.0051 (UTC) FILETIME=[CD7E7AB0:01CA0012]
Subject: Re: [Asrg] Too Big to Block?
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <>
List-Id: Anti-Spam Research Group - IRTF <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 08 Jul 2009 21:26:29 -0000

Dotzero wrote:
> On Wed, Jul 8, 2009 at 2:25 PM, Chris Lewis<> wrote:

>> Then we make a big public & private noise.  And sometimes things get better.

> Sometimes they do. I believe der mouse commented about the big ISPs
> not caring. I think they do but are having to deal with aggressive
> attacks abusing their systems. On the other hand, life isn't fair <G>.

 From experience, the people working with the technology care, but they 
sometimes can't get management (especially upper) to take it seriously 
and invest/authorize effort to deal with it.

This is particularly apparent with some ISPs where there are several 
"abusable" services under different management/business units.  Some 
doing fine, others (especially "new" ones) being large-scale abused with 
_no_ effort to deal with any of it.

Nortel's a good size, but yeah, we're still not big enough on our own 
that "just blocking them" will get noticed [+].

The trick is amplifying your apparent size.  PR work.  Make public noise 
where you'll be heard, and getting others (especially moderate voices of 
infrastructures as large or larger) to at least indicate that they see a 
significant problem too and/or have implemented/contemplated 
implementing similar measures.  Blog postings.  Media reports (got a VP 
to contact me once).  Whatever you can pull off.

I'm not so egotistical to think that it was "just me", nor that I was 
even the first in the campaigns where I've applied this, but most of the 
times I've made a serious effort along those lines, the problem _has_ 
gotten better.

It can be a longish term effort.  Sometimes months, not days.  Be 
patient.  It does work often enough to be worth persevering at.  Without 
acting like a loon.  In which case it's just a waste.

[+] Well, once we were contacted by Yahoo about a /24 blocking - they do 
listen to their user's complaints.  Then I explained why.  Got a 
reluctant/embarrassed "I guess that's best".