ivmSIP/24

Does anyone have any experience with ivmSIP/24?

ivmSIP/24 is the invaluement /24 Sender’s IP DNSBL. Aka an “RBL”, this list includes those whole /24 blocks of IPs which only send spam. We recognize that the concept of /24 blacklists is not some amazing new idea we thought up. However, ivmSIP24 has two interesting distinctions:

  1. Unlike most other /24 DNSBLs, ivmSIP/24 is attempting to have the same extremely low false positive level as ivmSIP. In contrast, other /24 DNSBLs will admit that they are aggressive to a point where blocking legitimate e-mail is almost a given if used for outright blocking instead of scoring.

  2. Because all three invaluement DNSBLs are especially good at catching snowshoe spam, ivmSIP/24 is particularly useful for preemptively catching these same snowshoe spammers before a given IP is used to send spam the very first time. As a result, /24 blocks freshly allocated to snowshoe spammers will most likely get listed by ivmSIP/24 before getting listed by all other respected /24 DNSBLs.

I had not encountered them until today (a false positive on their part), although their website looks like it's from ~1998. The concept seems a bit flawed on first blush.


Comments

  • I don't know, but by default (I think) if my anti-spam server gets an outrageous amount of spam or auth errors from an IP address it will block or delay the /24 block for a short time. It scores an IP based on the history of the /24 block that it's in.

  • davidgestiondbi Member, Provider

    Yes, we got some issues with them. But they unlist IPs very fast.

    Gestion DBI | IT consulting | OpenVZ, KVM VDS, Shared Hosting, Dedicated Servers with 24/7 Technical Support
    DeepNet Solutions | Cheap and low cost VPS in 10 cities around the world! | Starting at $13CAD by year!

    Thanked by 1HostNun
  • For context, I made this thread because I discovered this organization had listed an entire /26 of mine today. I think it's a false positive because 1) the IPs they have listed are not in any other RBLs, they are the lone lister and 2) I use—and/or have used in the past—a fair amount of the listed IPs for various purposes, none of which were ever involved in sending any email at all!

    This is not a complaint as I haven't attempted to get the block delisted yet (the listing doesn't seem to matter or have any effect). Nonetheless, it's somewhat irritating... at the very least, the thought of IPs getting added to an RBL when they don't even send any email to begin with seems wrong.

    Right now I'm guessing the /26 I received from my upstream is part of a larger /24, the other three quarters of which are not mine. Maybe someone else's /25 was spamming?

    tl;dr another Spamhaus-like problem, but on a smaller scale, it seems. I thought it would be interesting to juxtapose with the recent Spamhaus/CC discussions.

  • HostNun:

    This is Rob McEwen the owner/operator of ivmSIP/24. I couldn't find any removal requests from any e-mail address containing "hostnun"... if you'll message me (on this forum) your /26 block, I'll take a look and let you know what I find. I'll ALSO report my findings to this thread too, but keeping your IPs confidential (assuming that is desired?).

    PS - I don't normally "stalk" discussions like this, but every few months, I take a look around to see what is being said about my blacklists... and then I try to engage in the discussion to see what perspectives/feedback I might learn from. It is a QOS-thing.

  • davidgestiondbi Member, Provider

    @invaluement said: HostNun:

    This is Rob McEwen the owner/operator of ivmSIP/24. I couldn't find any removal requests from any e-mail address containing "hostnun"... if you'll message me (on this forum) your /26 block, I'll take a look and let you know what I find. I'll ALSO report my findings to this thread too, but keeping your IPs confidential (assuming that is desired?).

    PS - I don't normally "stalk" discussions like this, but every few months, I take a look around to see what is being said about my blacklists... and then I try to engage in the discussion to see what perspectives/feedback I might learn from. It is a QOS-thing.

    If you accept suggestions, a new website design would be cool. ;)


  • @davidgestiondbi said: If you accept suggestions, a new website design would be cool. ;)

    working on it. thanks!

  • HostNun Member
    edited November 2014

    @invaluement Hi, thanks for responding here. I don't see any need to make a removal request for the time being. The listing seems to be unrelated to my /26 and has no effect as far as I can tell. On the other hand, if a client complains, I'll take a closer look.

    I mostly thought it was amusing to see a bunch of IPs recently listed in a lone RBL despite having never been used for email (...or at least not for multiple months prior to the listing, and I don't recall how they were allocated at that time, but they weren't on any blacklists then either).

    For now, I think it's preferable to remain listed without rhyme or reason as proof of concept, but if whoever is responsible for the rest of the /24 ends up getting it delisted, I wouldn't mind that either.

  • invaluement Member
    edited November 2014

    Unlike how many conceive the /24 blacklist, ivmSIP/24 OFTEN lists only subranges of a /24 block, leaving innocent bystanders who occupy only parts of that /24 block... unlisted, even as egregious spammers who control OTHER parts... are blacklisted. In fact, currently 18% of all /24 blocks listed on ivmSIP/24 are parsed out into separate sublistings to avoid collateral damage. That is a lot when considering that the vast majority of ivmSIP/24 listings involve spammers who own the entire /24 block.

    This surgical targeting is often automated at the front end, but is most effective for bypassing IPs which (a) ALREADY have built up some amount of "good reputation", and/or (b) have their rDNSes (aka ptr records) set up correctly to convey proper identity. Since the vast majority of legit mail-sending IPs DO those things... that means that very little slips past ivmSIP/24's ability to surgically avoid innocent bystanders.

    We also use ARIN and other IP whois records to further refine that process.

    But no system is perfect and it is especially difficult to bypass IPs which haven't ever been used for e-mail and therefore have ZERO "good reputation" built up (and therefore whose listings do NOT cause FPs anyways).

    But if you, nevertheless, believe this is damaging your business, please do submit some removal requests and you'll most likely delist quickly off of ivmSIP/24.

    But we're not your MAIN problem. Your main problem is that... if you're as innocent as you claim, then you're very likely in the same "neighborhood" as some egregious spammers... and that will likely drag your reputation down for any IPs used to send e-mail. In such a case, even if you evade ivmSIP/24, many of the largest ISPs have internal lists that operate similarly to ivmSIP/24, but are not as good at preventing collateral damage (they just always list the whole /24 block)... and these don't participate on mxtoolbox.

    If you're not careful, those will catch up with you! I recommend moving to a cleaner /24 block, and not allowing yourself to be a "human shield" protecting the reputation of spammers that are hosted on your same /24 block--if that is the case. I can't know for sure until I see what range you're talking about... but I strongly suspect that this range has many "poor" ratings on other IPs on this same /24 block... if you were to check on this /24 on senderbase DOT org.

    In the meantime, I'll be happy to research these IPs further, and carve them off of ivmSIP/24... once I can verify that your IPs are different from the nearby spammers' IPs on that same /24 block... and once you reveal your IP range.
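
The sub-/24 listing described in the post above, modelled as an added example (it is not part of the thread and is not invaluement's method or data): a listed /24 is split into sublistings around an exempt range, and an allocation is then checked against the result. The 192.0.2.0/24 documentation block, the exempt ranges and the zone name `dnsbl.example.invalid` are constructed placeholders.

```python
import ipaddress


def dnsbl_query_name(ip, zone):
    """DNS name an IPv4 DNSBL client looks up: reversed octets + zone (RFC 5782)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def carve_out(block, exempt):
    """Split `block` into the CIDR sublistings that remain after removing
    every network in `exempt` (the innocent bystanders' ranges)."""
    remaining = [ipaddress.ip_network(block)]
    for ex in (ipaddress.ip_network(e) for e in exempt):
        kept = []
        for net in remaining:
            if ex.subnet_of(net):
                # Exempt range sits inside this piece: keep everything around it.
                kept.extend(net.address_exclude(ex))
            elif net.subnet_of(ex):
                # The whole piece is exempt: drop it.
                continue
            else:
                # CIDR blocks never partially overlap, so this piece is disjoint.
                kept.append(net)
        remaining = kept
    return sorted(remaining)


def listed_share(allocation, sublistings):
    """Return (listed_addresses, total_addresses) for an allocation.
    Assumes the sublistings do not overlap each other (carve_out output)."""
    alloc = ipaddress.ip_network(allocation)
    listed = 0
    for s in (ipaddress.ip_network(str(x)) for x in sublistings):
        if alloc.subnet_of(s):
            return alloc.num_addresses, alloc.num_addresses
        if s.subnet_of(alloc):
            listed += s.num_addresses
    return listed, alloc.num_addresses


if __name__ == "__main__":
    BLOCK = "192.0.2.0/24"        # constructed: the /24 shared by several customers
    BYSTANDER = "192.0.2.64/26"   # constructed: a /26 allocated to someone else

    # Whole-/24 listing: the bystander's /26 is fully covered.
    print("whole /24 :", listed_share(BYSTANDER, [BLOCK]))

    # Listing carved around the /26: two sublistings, bystander untouched.
    subs = carve_out(BLOCK, [BYSTANDER])
    print("sublists  :", [str(n) for n in subs])
    print("carved    :", listed_share(BYSTANDER, subs))

    # Exemption narrower than the allocation: half of the /26 stays listed.
    partial = carve_out(BLOCK, ["192.0.2.64/27"])
    print("partial   :", listed_share(BYSTANDER, partial))

    # Name a client would resolve to test one address against the zone.
    print(dnsbl_query_name("192.0.2.65", "dnsbl.example.invalid"))
```
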

  • HostNun Member
    edited November 2014

    @invaluement said:

    But if you, nevertheless, believe this is damaging your business, please do submit some removal requests and you'll most likely delist quickly off of ivmSIP/24.

    Oh, no, I thought I made it clear that I believed it wasn't damaging my business. That's why I would prefer to remain listed without cause! It's interesting to me to see how long the false positive will remain active, especially when it has no effect.

    I don't mean to say that your organization has no effect in general, but that it could not possibly have an effect on IPs that aren't even being used to send email.

    But we're not your MAIN problem. Your main problem is that... if you're as innocent as you claim, then you're very likely in the same "neighborhood" as some egregious spammers... and that will likely drag your reputation down for any IPs used to send e-mail. In such a case, even if you evade ivmSIP/24, many of the largest ISPs have internal lists that operate similarly to ivmSIP/24, but are not as good at preventing collateral damage (they just always list the whole /24 block)... and these don't participate on mxtoolbox.

    If you're not careful, those will catch up with you!

    Why? I don't send bulk email or spam. I am not 'evading' ivmSIP/24 either. On the contrary, I'm openly leaving the IPs in your database as false positives in order to test a theory.

    As far as I know, the bulk of the IPs aren't/weren't used to send email, nor are they listed anywhere else. The fact that they don't appear in any other blacklists would seem to suggest that they weren't being used to send spam. So, what difference will remaining incoherently listed in ivmSIP/24 make to me or my business? I don't think it will negatively affect the reputation of Host Nun at all... but what about the reputation of ivmSIP/24?

    Otherwise, I am not sure why 'spam blocking' organizations would 'catch up' with someone who doesn't spam for no other reason than the latter being arbitrarily allocated IP addresses—by their upstream provider, outside of their control—in the same 'neighborhood' (to use your word) as spammers. The whole point of this thread is that it would be ridiculous and pernicious for that to happen, so to see you suggesting it as a possibility if I'm "not careful" comes off as a bit bizarre, to say the least.

    I recommend moving to a cleaner /24 block, and not allowing yourself to be a "human shield" protecting the reputation of spammers that are hosted on your same /24 block

    & last but not least, the silly terrorism associations. By simply using IPs that reside within the same /24 as alleged spammers, and without even knowing it, I have suddenly become their human shield?

    I am not 'protecting' anyone. You say "your /24 block" but it is not 'my' /24, I was allocated a /26. I can't help that my upstream provider gave me a /26 that happens to be part of the larger /24. Host Nun is a smaller provider. I don't make any IP allocation decisions at this juncture, I simply accept what I am given.

    With that said, I think it's a bit loony and irresponsible for you to claim that I'm "protecting the reputation of spammers" on account of simply being given a /26 (again, allocated to me outside of my control) that is part of a /24, the larger portion of which was not allocated to me and does not belong to me in any sense at all.

    As you know, /24s are sometimes divvied up among multiple providers/individuals/whoever. The problem is your willingness to punish innocent people who end up getting 'caught in the crossfire', to quote @aglodek's thread from last July.

  • invaluement Member
    edited November 2014

    It sounds like you want the problem more than the solution? ...just to try to prove a point? ...but any such point is undermined if (a) you're not willing to subject your own IPs to scrutiny and (b) you claim that the IPs are not even used to send e-mail, and (c) you claim that you're not impacted by the listing.

    I'm not worried about how your situation impacts ivmSIP/24's reputation because the bottom line is that this scenario you described puts my subscribers in a situation where this particular listing (a) blocks spam--(or I can safely assume so since you won't reveal the IPs), -AND- (b) doesn't block legit e-mail. That is all that my subscribers desire to happen, and would ever ask for.

    NOTE: Also, recall that I previously stated that IF your IPs WERE used to send legitimate e-mail, then some of the metrics we use to narrow ivmSIP/24 listings, to bypass innocent bystanders... WOULD possibly be in play...but are NOT available since your /26 block is not used to send mail, according to you.

    Whatever you think you've proved, one thing is for sure... anyone reading your initial post would have had the mistaken impression that you had caught ivmSIP/24 blocking legitimate desired mail. But by the end of this thread, it became clear that such was NOT the case. (even as you continue to use the "false positive" label... I find that, and your bothering to start a thread on something you LATER claim doesn't actually affect you... to be very, very interesting... hmmmm)

    But if I could show you that egregious spammers were using other parts of your same /24 block, and you were to decide to continue to stay on your /26 block after knowing that... then hell yes... you then WOULD be allowing yourself to be a "human shield" for the spammers. Why? Because (a) you'd then be financially supporting a spam-friendly org, and (b) you'd be making it more difficult for such a spammer org to be preemptively blacklisted... such as getting broad SpamHaus SBL record.

    In the real world of fighting spam, this is a serious issue that I deal with often... where a purposely spam-friendly hoster will have 99.9% spammy clients, but then will gain 0.1% legit clients (mostly through those legit clients' ignorance).. and then they try to use the 0.1% legit clients as human shields to prevent WELL DESERVED!!!! large scale blacklistings, such as SpamHaus SBL records or having their domain listed on SURBL... I get to see these situations first hand. Whether the uninformed legit client knows it or not, his business with the spammer (or spam friendly host)... is allowing himself to be used as a human shield for the spammer... just as a terrorist who fires a missile from a neighborhood is using the civilians in that neighborhood as "human shields"... (notice that in this analogy, the terrorist is the deliberate spammer, NOT you.. so please note that I have NOT equated YOU with being a terrorist anywhere on this thread!). Ethical people may at some point in time be used as human shields without their knowledge. But ethical people would never allow themselves to be used as human shields (either by a terrorist, or by a spammer) if given the choice!

    But I suppose you could claim "ignorance" in the meantime... or for now? To be clear, I never meant that you had intentionally allowed yourself to be used as a "human shield"... but hopefully you now have more insight into this situation!

    Thanked by 2iKeyZ k0nsl
  • invaluement Member
    edited November 2014

    I forgot to mention... my wording "even if you evade ivmSIP/24" didn't come across as intended... I should have said:

    "even if a spammer evades ivmSIP/24 OR even if an innocent bystander is NOT listed on ivmSIP/24--which OFTEN happens since ivmSIP/24 OFTEN carves out exception ranges, listing only the spammer's subranges"

    Sorry, I didn't mean to imply that you were trying to "evade" ivmSIP/24.

    But, again, even when these things happen.. internal blacklists used by the large ISPs, which do NOT participate in MX Toolbox, or Valli.org ... will OFTEN start causing legit mail to be blocked, even if those IPs are not listed on ivmSIP/24. (if the /24 is split between spammers and legit senders)

    This is sort of like what happens if you move to a house sandwiched between a "crack house" and a "prostitution ring"... occasional stray bullets fly through your windows! Likewise, even if someone is NOT listed on ivmSIP/24, but they host mail on the same /24 block as spammers... they will OFTEN find that their mail to the large ISPs OFTEN gets blocked.

    Fortunately, such a person's complaints to their hoster (and/or voting with their feet to leave their hoster)... create a MUCH NEEDED economic incentive for hosters to keep their networks spam-free. Again, this is a fact-of-life even for situations where ivmSIP/24 did NOT list the innocent bystander's IPs.

  • Maounique Member
    edited November 2014

    @invaluement this sounds suspiciously close to spamhaus/uceprotect rhetoric. Just that escalation is done automatically and does not matter the allocation at all. From what I can tell, even uceprotect which asks for money for delisting, i.e. are pure ransomware, cares for ASN allocations and would not list the whole /24 if part of it belongs to someone else and did not send spam. I cannot test this theory, but since they do list on ASN, it would be logical to assume it.
    In the end, these schemes will fade away, even established ones are losing credibility when doing politics and holding innocents to ransom, not to mention the new ones. The whole concept is flawed, the only thing we use is to look up these lists to find spammers in our networks, some are sending emails to notify us, so I highly appreciate spamcop for this reason as well as blocklist.de, those are useful for hacked wordpress or other php installations which are sending low levels of spam not triggering our filters or are hacked VMs used to spampost/autoregister or look for vulnerabilities. If you really wish to fight spam, you set up a similar scheme, if you are in it to make money from ransom or collect from some spammers or big hosts to eliminate their competition like most people, well, good luck, it won't work, times changed.

    I remember when spamhaus listed a whole /23 for 2 incidents, for a few months we enjoyed much fewer spammers trying to sign up with customers learning to use mandrill or similar free schemes for their limited needs, it was not unpleasant, I really hoped they will list all our AS as promised, but didn't in the end. Many of the spammers we catch with the help of serious lists such as barracuda or senderbase are not in the ransomware ones which proves how efficient they are in the first place.

    If privacy is outlawed, only outlaws will have privacy. Romanian Protests

  • I'd consider ivmsip/24 as the terrorist - destroying an entire /24 range with potentially innocent people in them just because of a grudge against a hosting provider. You can write all you want but that's not justifiable.

    Thanked by 2aglodek foetti
  • invaluement Member
    edited November 2014

    @Maounique said: and does not matter the allocation at all.

    @Mark_R said: destroying an entire /24 range with potentially innocent people in them just because of a grudge against a hosting provider.

    NOT true. We DO use ip-whois data to narrow listings to ranges smaller than a /24 when spammers and legit senders are allocated different parts of the same /24 block.

    And we use a number of other techniques to narrow the ranges to avoid collateral damage as well.

    I have already stated this. Nothing stated in my previous 2 comments, or anywhere else, contradicts this.

    You are both spewing fiction to create the problems you WANT to complain about... but they have zero basis in fact with regards to ivmSIP/24.

  • Then the host nun incident did not happen, you checked everything and found no spam from those IPs, therefore you did not blacklist them, right?
    This is a place where we call BS, go to godaddy and explain how good you are against the smaller providers, they might give you a bone.


  • Looks like Mao found some friends for wall of text contest.

    I'm here to collect your heart

  • Mao is a good friend to chat and argue :) he sometimes has extreme unthinkable opinion that different from the main stream but most of them are quite refreshing.

    The more I learn stuff, the more I realize how bloody f*****ng stupid I am ...

  • @Maounique said: Then the host nun incident did not happen, you checked everything and found no spam from those IPs, therefore you did not blacklist them, right?

    So far, nobody on this thread, including host nun, has been willing to share example IPs. You CONTINUE to spew fiction.

    This is a place where we call BS, go to godaddy and explain how good you are against the smaller providers, they might give you a bone.

    Actually, I'm on public record, via twitter, lashing out at Godaddy for their poor practices: horrific PTR records that don't convey proper identity, high outbound spam rates, slow reactions to abuse of their network by spammers, etc. Your "against the smaller providers" is MORE fiction.

    I'm happy to take criticism and I'm willing/able to make adjustments to my practices to improve my services... but I can't fix what isn't actually happening... and I can't react to speculation that has no basis in reality.

    At this point, I suggest those on this thread who desire to criticize invaluement "put up or shut up" and stop lying about my blacklists.

    Thanked by 1vRozenSch00n
  • Maounique Member
    edited November 2014

    invaluement said: Actually, I'm on public record, via twitter, lashing out at Godaddy for their poor practices: horrific PTR records that don't convey proper identity, high outbound spam rates, slow reactions to abuse of their network by spammers, etc. Your "against the smaller providers" is MORE fiction.

    OK, so you go first, show us the /24s blacklisted from godaddy.

    I am checking at uceprotect, another ransomware: http://mxtoolbox.com/SuperTool.aspx?action=blacklist:50.62.161.10&run=toolpage They list the /24 because of 17 occurrences in the past week. It should certainly make your blocklists, right?
    That particular IP is blacklisted per se, including by a serious list such as barracuda, if you are indeed not just another hunter for small providers money, you should certainly blocklist that too? Not to mention the /24, with so many occurrences, 17 out of 256, that is a spammerheaven where the spammers use the innocent bystanders to hide, but you will bust their ass, and force the innocent people move and vote with their feet, right? Show your might, go for real spammers, no matter the size and stop pretending you are doing something on twitter where you only help spreading the GoDaddy word and those like it.

    P.S. OT, but not really, spamhaus does NOT list it either so does everyone understand what I mean here?


  • invaluement Member
    edited November 2014

    @Maounique said: OK, so you go first, show us the /24s blacklisted from godaddy.

    This past year, I eventually had to delist many of the Godaddy IPs (those that I was aware of... and this is generally speaking)... because the complaints about False Positives were too high. Remember, I try to run a low-collateral-damage blacklist. So seeing that some spam was still spewing... pissed me off... and my only recourse was to tar and feather Godaddy on twitter. But I don't recall ever doing any large-scale whitelisting of them... so I think their IPs are subject to getting relisted.

    Ironic that you would be so protecting of hosters who sell IP space to spammers.. NOT wanting their other innocent customers to be harmed by a blacklisting. But yet you think that Godaddy's innocent bystander customers are "fair game"... hmmmmm? That sounds hypocritical to me.

    But I can safely say that we avoid "collateral damage" (in BOTH situations) unless the ham/spam ratios are insanely bad... and/or malicious intent to support spammers can be established. (I have to draw a line SOMEWHERE... or the abuse gets ridiculous)

    PS - take your ransomware complaints elsewhere... we don't accept "pay for removal"

  • invaluement Member
    edited November 2014

    To be clear, the invaluement lists attempt to prevent collateral damage BOTH by (a) NOT listing legit IPs on the same /24 block as spammers, AND (b) NOT listing shared IPs that have legit uses. (but, again, when the ham/spam ratios get ridiculous, then we gladly blacklist those shared IPs... in contrast, some of the other non-spamhaus blacklists you mention are too aggressive with shared IPs and cause rather high collateral damage)

    Regarding "large ISPs"... here is a better example... just in the past year or so, the EXTREMELY large ESP YesMail (a division of InfoUSA... which is HUGE!!)... started having lots of problems with sending spam. I became aware of this due to abuse I was seeing first-hand... complaints about spam from my own users... AND from the mainsleaze blog. More info on this is found here:

    http://mainsleaze.spambouncer.org/?s=yesmail

    In response, I did a MASSIVE... UNwhitelisting of YesMail IPs in our invaluement whitelist. Sure enough, YesMail IPs started getting on our ivmSIP and ivmSIP/24 blacklists.

    InfoUSA responded with removal requests... LOTS of them.

    We responded back explaining that the amount of messages sent to addresses which had never subscribed.. was too high to justify a removal. Furthermore, there was an ongoing issue because their parent company, infoUSA... advertised the selling of e-mail lists on their web sites. That is a HUGE mark against infoUSA/YesMail..

    Therefore, as I mentioned, they stayed blacklisted for many many months.

    Eventually, I found sincere willingness on their end to make some changes... improve their processes. They also explained that they were functionally separate from infoUSA, and thus shouldn't have the "selling lists" counting against them. (though that is still a VERY debatable argument).

    So eventually I made adjustments for them to make it a little harder for their IPs to blacklist (but without whitelisting them). I sort of met them half way.

    But it took some willingness for them to crack down on abuse, along with me seeing some of the legit uses of their IP space.

    I try to work with senders who are trying in good faith to stop their abuse. But if we had a pro-large-ISP bias that was somehow personal, infoUSA wouldn't have been blacklisted.

  • Maounique Member
    edited November 2014

    invaluement said: But yet you think that Godaddy's innocent bystander customers are "fair game"... hmmmmm? That sounds hypocritical to me.

    So, I see. I did not say you SHOULD blacklist godaddy, but, since you are ok with collateral damage from small providers, you should treat the big ones the same. I mean the big ones are fair game TOO.
    You defend your right to force people to vote with their feet because they cannot pay the big prices and get the bad service GD offers and so go to smaller providers which are then, fair game because they should have known better go to big providers with lawyers and all (you "had to" delist GD) and go for small people which are more likely to pay you off. And don't give me that crap about not accepting payment for removal, probably not in the open, to pay taxes for it, but nobody can stop you from receiving gifts from your "good behaving" hosts. This is how it works... once you have sufficient traction. For now, nobody gives a s**t.
    Guess what, you won't be able to get a nice slice of the pie, after spamhaus will discredit themselves and uceprotect will run out of money because less and less people pay them up, for example, there will not be others to take their place big providers will use own lists and algorithms and the little ones will at most do a weighted list and serious ones such as barracuda, senderbase, even spamcop, will weight way more than a lone shark who is the only lister of some /24 in order to "avoid collateral damage".
    Whom do you think you are fooling? You will see it will not work people are getting smart, who uses your lists, well, they deserve their fate.


  • the fate of my subscribers is... hosters/orgs/isps with happy end users... where more mail NOT desired by end users goes into the spam folder... and LESS mail desired by end users goes into the spam folder. I am economically incentivised to work toward that goal. I simply don't have the time, motivation, or incentive... to play all the junior high school-ish games you describe. And the process isn't so... personal.

    Thanked by 1vRozenSch00n
  • Mark_R Member
    edited November 2014

    We all should use properly configured anti-spam software instead of some random shitlist that's being maintained by a grudge holding dickhead.

    Thanked by 2doughmanes MartinD
  • Maounique said: From what I can tell, even uceprotect which asks for money for delisting, i.e. are pure ransomware, cares for ASN allocations and would not list the whole /24 if part of it belongs to someone else and did not send spam.

    Incorrect. UCEPROTECT will delist after 7 days if the issue goes away. You neckbeards see that they offer delisting for money then start flipping out. Spamhaus is and will continue to be the worst blacklist extortion scheme ever. I hope Steve Linford sees this and his little sidekick Rob Schultz who will state something, not honor what he said and ignore you for upwards of 48 hours.

    "Stop quoting laws, we carry weapons!" - Pompey the Great | Vultr aff link

    @gapper said: I don't like you.

  • I would take ivmsip/24 more seriously if they don't blacklist crap for a 12 months+ on really old IPs but if somebody contacts support about blacklists then is overly worried about ivmsip/24, most likely you've got a spammer on your hands.


  • doughmanes Member
    edited November 2014

    @invaluement ignore Maounique. [Offensive content removed. S.]


  • invaluement said: So far, nobody on this thread, including host nun, has been willing to share example IPs.

    That's exactly my thought too.

    @HostNun - What about simply asking what's going on with a specific range of IPs to get some more specific answers?
    You may not have the same chance with some bigger more known blacklist organization, but maintainer of this one is here, obviously willing to give some more detailed explanation and work with you.

  • @invaluement said: It sounds like you want the problem more than the solution?

    There is no problem. As I've said multiple times now, the listing has no effect. None of my clients have complained. If it starts affecting clients, I will contact you to get the IPs delisted.

    I'm not disputing the truthfulness of whether the other 75% of the IPs in the /24 belong to spammers or not, it's very possible that they do. I'm only calling into question your broad brush approach. Hopefully you can appreciate the opportunity I've given you to explain your methods to the public.

  • @Spirit you're right, but LET isn't ivmSIP/24's help desk as far as I know. :) I will contact them privately about specific IPs if I need to, this thread is for abstract/conceptual discussion.

  • Spirit Disabled
    edited November 2014

    I am not talking about a specific helpdesk issue and it's not just about you. The most common argument about organizations dedicated to tracking email spammers and spam-related activity is their lack of response and non-preparation to work with IP owners to resolve issues, not the listings themselves. And yet when someone comes here, takes your problem seriously, shows preparation to work with you... this isn't appreciated either.
    Lack of this will be the main thing which will piss you off in case Spamhaus does the same blacklisting ;-)
    I hope you understand what I am trying to say. Discussion is good, but most of the heat at LET is usually taken by those who meet you halfway, willing to do the right thing, discuss, explain and improve things.
    You may not be entitled to the same courtesy from, let's say, Spamhaus. And that's part of the real problem often discussed at LET, isn't it?

  • @doughmanes said: I would take ivmsip/24 more seriously if they don't blacklist crap for 12 months+ on really old IPs

    We have MUCH shorter expire times.

    Also, our online form reports the date that the IP was FIRST blacklisted... NOT the "last spam seen" date. So this can give the mistaken impression that our expire time is overly long. Therefore, we really do have spam on file that is MUCH more recent.

    The purpose of reporting the "spam 1st seen" date is to show those who are looking for a blacklist that will help them block spam other blacklists missed... that we OFTEN list spam emitting IPs hours/days before other lists catch them.

    But this sometimes backfires when those looking at the form are the ones wanting to be delisted. They think "what the hell? why am I STILL listed"... not realizing that this was the "1st seen" date, not the "last seen" date.

  • HostNun Member
    edited November 2014

    @Spirit said: I am not talking about a specific helpdesk issue and it's not just about you. The most common argument about organizations dedicated to tracking email spammers and spam-related activity is their lack of response and non-preparation to work with IP owners to resolve issues, not the listings themselves. And yet when someone comes here, takes your problem seriously, shows preparation to work with you... this isn't appreciated either.

    What isn't appreciated? If you read up, you'll see that my first remark to @invaluement was to thank him for responding here.

    As for 'taking my problem seriously', again, I have to ask, what problem? I agree that it's not just about me. In the same breath, it's not my problem because it doesn't affect my clients/myself. This is why I suggested the discussion should be abstract and conceptual rather than specific and expository.

    From my perspective, this thread is mostly an admonition regarding what could happen to innocent providers/people/whoever caught up in inefficient, broad-brush spam nets. To the extent that @invaluement's practices have no effect on my particular /26 and its respective IPs, the specifics are irrelevant.

    I hope you understand what I am trying to say. Discussion is good, but most of the heat at LET is usually taken by those who meet you halfway, willing to do the right thing, discuss, explain and improve things.

    I think it would be irresponsible to reveal the IPs on LET without asking for consent from those who are using them. I wouldn't be against it, but I see no need for exposition here, it would be superfluous.

    Lack of this will be the main thing which will piss you off in case Spamhaus does the same blacklisting ;-)

    I'm not sure what this is supposed to mean, but lol if you're foreshadowing more inexcusable behaviour from Spamhaus. They can point their tactics elsewhere, I'm not in control of enough IPs to make it worth their while anyway.

  • HostNun said: this thread is mostly an admonition regarding what could happen to innocent providers/people/whoever caught up in inefficient, broad-brush spam net

    Except, as I mentioned, SOME (of the MANY!) tactics ivmSIP/24 uses to narrow the ranges to a smaller than /24 block, in order to surgically target the spammer and avoid innocent bystanders... involve the mail sending reputation of actual sending IPs of legit senders... so your "test case" ended up not being very reflective of real world scenarios of ivmSIP/24 listings where spammers and actual legit e-mail senders share the same /24 block. (since your IPs you brought up are not mail senders)

  • @invaluement said: Except, as I mentioned, SOME (of the MANY!) tactics ivmSIP/24 uses to narrow the ranges to a smaller than /24 block, in order to surgically target the spammer and avoid innocent bystanders... involve the mail sending reputation of actual sending IPs of legit senders... so your "test case" ended up not being very reflective of real world scenarios of ivmSIP/24 listings where spammers and actual legit e-mail senders share the same /24 block. (since your IPs you brought up are not mail senders)

    This was to test a theory, certainly not a 'case'. I understand what you're saying here, though. I think you said it more directly earlier in the thread:

    NOTE: Also, recall that I previously stated that IF your IPs WERE used to send legitimate e-mail, then some of the metrics we use to narrow ivmSIP/24 listings, to bypass innocent bystanders... WOULD possibly be in play...but are NOT available since your /26 block is not used to send mail

    So what you're saying is that since the IPs weren't being used to send email to begin with, there was no way for your algorithms to consider them, right? If so, that would make sense, but at the same time, doesn't it only further prove the inefficiency of your broad-brush method? (i.e. IPs that aren't used to send email as a blind spot that you have no way of analyzing or accounting for).

  • HostNun said: I think it would be irresponsible to reveal the IPs on LET without asking for consent from those who are using them. I wouldn't be against it, but I see no need for exposition here, it would be superfluous.

    I never said to reveal them here. You were asked by him. The most I can get from your writings is "I like to talk about this problem which actually isn't a problem. I am here just for the lulz, and because he's too small to really hurt me, I can safely ignore his requests to clarify the situation although he's willing to work with me".
    You also "think" it's a false positive with the silly terrorism associations connotation. If you open a thread about this and the other side comes here to clarify this with you, that's simply not good enough.

    invaluement said: I couldn't find any removal requests from any e-mail address containing "hostnun"... if you'll message me (on this forum) your /26 block, I'll take a look and let you know what I find. I'll ALSO report my findings to this thread too, but keeping your IPs confidential (assuming that is desired?).

    @HostNun that's an important part to me in a thread like this. After you threw down the gauntlet pursuing your own agenda (for the lulz, I guess?), ignoring this part simply doesn't make you look like a serious discussion partner. You may enjoy reading your own arguments but please also take others into consideration.

    HostNun said: This is why I suggested the discussion should remain abstract and conceptual rather than specific and expository.

    But YOU are specific and expository. That's the whole point of my writings in this thread. Give to others the same courtesy.

  • HostNun Member
    edited November 2014

    @invaluement said: Also, our online form reports the date that the IP was FIRST blacklisted... NOT the "last spam seen" date.

    Speaking of which, that was another interesting thing about this situation. I hadn't remembered until now, but when I was initially looking up IPs via http://dnsbl.invaluement.com/lookup/ on the 24th, there was no content in the '*DATE LISTED' column for any of the results. I found it quite fascinating to learn that my IPs had been 'listed' outside of the constraints of space-time!

    I'm guessing that the invariant absence of a date is a direct result of what you were saying re: certain metrics being unavailable for IPs that were not being used to send email?

  • @Spirit said: But YOU are specific and expository. That's the whole point of my writings in this thread. Give to others the same courtesy.

    In not revealing the IPs without the consent of those using them, no, I wasn't being specific and expository. Certain people are trying to create an expository narrative where there needn't be one, I am refusing it. I do not feel that any superfluous exposition is owed as a 'courtesy' to the readership of LET, but anyone is welcome to PM or email me if they think they're entitled to it. I can put you in touch with my clients, you can ask them yourself. I will not post any of their information here without their consent.

    @invaluement said: I'll ALSO report my findings to this thread too, but keeping your IPs confidential (assuming that is desired?).

    @Spirit said: @HostNun that's an important part to me in a thread like this.

    Right, that is you seeking an expository narrative, which is what I see as superfluous. I have no interest in @invaluement's 'report' at this time, and if I did, it would definitely not be in the context of him posting his findings here without the consent of my clients.

    'I am here just for the lulz'

    This is not true. I do find some of this to be amusing, but I have been speaking calmly and reasonably throughout the thread.

    The most I can get from your writings is "I like to talk about this problem which actually isn't a problem.

    Not at all. I think the methods being used are problematic in an abstract sense (see what I said re: admonition above). I think they also may become a problem for others in the future. However, again, it isn't my problem because my IPs weren't/aren't even being used to send email... (lol) they literally aren't being blocked or filtered in any sense, regardless of appearing as false positives in an RBL outside of space-time.

  • So, no cause, and no effect?

  • HostNun Member
    edited November 2014

    I don't really understand why some people are so fixated on having me contact @invaluement.

    The 'bottom line' is that the listing has no effect on me because I've never used any of the spuriously listed IPs for email. As for my clients, I don't know if they use their accounts for email or not, but in the absence of any complaints, I can only imagine that the listing has no effect on them either. It is also not backed up by any other RBL, not a single one. Why go any further, then? Why make a mountain out of a molehill?

    @ricardo said: So, no cause, and no effect?

    Is it problematic that the IPs were 'listed' with no regard for the space-time continuum? Honestly, I don't know. I guess that is for @invaluement to decide. Spukhafte Fernwirkung?

  • More like Occam's Razor. Seems like invaluement lacks the information to answer your question, and you lack the information to decide whether he's running a legitimate and accurate service. The only breakthrough would perhaps be someone else's experience of what kind of gravity a listing on there would entail... which hasn't happened.

    I had to Google that as I don't speak German. If you believe in a deterministic outcome then not to worry...

  • Maounique Member
    edited November 2014

    I think I already proved his list is only for little providers. I went to check GoDaddy known spam ranges and they were not listed. Furthermore individual IPs used to send spam in the last week, listed in uceprotect's list were not present in ivmSIP any other list.
    q.e.d.
    BTW, what is the expiration time if an IP stops sending spam @invaluement? We only read that is way shorter than one year, but not exactly how long. Or does it vary depending on how big is the provider and how fast you get THAT phone call?
    @doughmanes: uceprotect does delist in 7 days, but they survive from delisting money. Long ago it cost 50 to delist, now the prices have gone up, which means fewer and fewer people pay.
    "The fee for this is 109 USD per IP address. Payments are only accepted by Paypal or Moneybookers."
    More fun: https://groups.google.com/forum/#!topic/news.admin.net-abuse.email/kyjxt8jTauc[1-25-false]
    And, no, we are not listed by UCEPROTECT, go look for ASN 34971 here:
    http://www.uceprotect.net/en/rblcheck.php
    Most of the time we have 0 IPs listed out of 10k. My bias against them is because they list whole Romanian providers, I would have nothing against home ranges which should be listed anyway as dynamic, but also the business ranges "benefit" from home ranges of infected computers absolutely impossible to police.

    If privacy is outlawed, only outlaws will have privacy. Romanian Protests

  • invaluement Member
    edited November 2014

    HostNun said: Right now I'm guessing the /26 I received from my upstream is part of a larger /24

    HostNun,

    Is your /26 properly delegated in IpWhois data (arin.net, etc)? In other words, if someone looked up an IP in this block in the proper IpWhois database, would they see a record of your /26, showing that this is delegated to you, separate from any larger block delegation?

  • @invaluement I am still waiting to see proof of GoDaddy being listed, then we go to other big providers. Until then, I proved you are only targeting small providers, more likely to pay the ransom.


  • @Maounique said: invaluement I am still waiting to see proof of GoDaddy being listed, then we go to other big providers. Until then, I proved you are only targeting small providers, more likely to pay the ransom.

    Maounique,

    It doesn't seem like you read a word I had said in my previous explanations about the Godaddy listings or the YesMail/InfoUSA listings. And judging from your previous comments, which are full of ad hominem attacks which often included making shit up about invaluement out of thin air... I can only conclude that you're not discussing "in good faith". Therefore, I am happy to continue this discussion in general... but I don't think YOU are actually listening to what I'm saying... so my only response at this point is to ask you to re-read my previous posts about your question... and then please use your brain. Anyone curious about your question should be fully satisfied with my previous answers regarding Godaddy and YesMail/InfoUSA.

    And you haven't "proved" anything. And your standards of what constitute proof are laughable. Here is how you sound: "Rob never said he didn't shovel unicorn manure for a living... I guess that proves it is true."

  • Maounique Member
    edited November 2014

    Not really. I took a known spamming range, then checked the individual IPs in your database and came up negative while they were listed in reputable lists such as Barracuda so were not a uceprotect invention. And I did take one range with many spammy IPs, one they did not even accept money for delisting being three times over their threshold.
    Yet, that is not listed in your lists, not only the /24 is "clean", but also the currently spamming (in the last 7 days) IPs.
    This is not a proof? Then what is?
    If we were to take your word for it that you try to minimize collateral damage, then the same should be applied to smaller providers AND listing /24 is rendering all that point moot in the first place, isn't it? This targets providers specifically, NOT spammers. And I generally do not take the interested party's word as such, I do check it and the checks failed completely.
    The only bright spot here is that your list is not used. As I said, who uses anything else than big reputable lists deserves their fate and empowers bullies and extortionists.


  • invaluement Member
    edited November 2014

    Maounique said: more likely to pay the ransom

    btw - that is libel. It is patently false. And you have zero evidence to support this statement. Even the evidence you claim to have is at best extremely circumstantial. And there is no "mechanism" available for this. (I guess you think that I must psychically communicate to others about how to pay to get off my blacklists?... because there certainly is no published procedure in existence!) By making such a statement, you further undermine your credibility. invaluement does NOT provide "pay for removal"... never has, never will.

  • invaluement Member
    edited November 2014

    These are all waste-of-time side shows. The MOST relevant question on the table right now is my last question to Host Nun about whether his /26 delegation is clearly delineated in IP-Whois data.

  • Maounique Member
    edited November 2014

    invaluement said: btw - that is libel.

    If you had the money to pay the lawyers, you would have listed GD too, so I am not worried about your threats. As it looks now, you are only hopeful to join the table with spamhaus and uceprotect (which, in turn, are not doing great lately either), far from being taken seriously, at least not yet. And, trust me, listing /24s will not help in this regard, especially if you are doing it selectively, targeting only small providers.
    And, I agree, this is about hostnun mostly, but the general context and your practices especially are VERY relevant. You do admit you target smaller providers to force their customers to "vote with their feet". After this admission of guilt, then the discussion should have been over, but you did continue it which forced me to present the proof. And my proof shows you DO NOT list GoDaddy, not even the heavily spamming /24s, which other reputable lists as well as extortionists are listing. You admitted you HAD TO delist GoDaddy with the shoddy reason that you try to avoid collateral damage while having no issue to list /24 of smaller providers because, you know, there is no collateral damage there, everyone on those is a spammer just because the provider cannot afford the lawyers to send after you.


  • Maounique said: I took a known spamming range

    You have it ALL wrong... the invaluement lists purposely pass on "low hanging fruit"... for example, we go out of our way to NOT even bother processing spam that is ALREADY on SpamHaus' XBL list. We ignore much spam that is on other parts of SpamHaus's ZEN list. Instead, invaluement is trying to catch the more sneaky spam that SpamHaus either misses, or doesn't list for some minutes/hours/days later. If that were not true, the invaluement data files would be 10-20 times as large.

    There is a large percentage chance that the range you checked as your "proof"... was more of that low-hanging-fruit that invaluement purposely ignores. I'd bet that Barracuda-listed range... was ALREADY listed on XBL or CBL. Hmmmm?

    And even if it wasn't so, your "evidence" is STILL anecdotal, and we get signups all the time from people frustrated by the spam that slipped by their filter... then they start checking MX ToolBox and noticing that invaluement consistently blocked those sneakier spams FIRST.

    PS - please DO keep believing that nobody uses our lists. I prefer that the darker corners of the Internet believe that.
