Ever heard of being null-routed for being on SBL?

VPSSoldiers Member, Provider

So I had a /26 null-routed today for getting listed on the SBL. It's been a while (up until a few months ago) since I have dealt with a DC directly, so has this become normal practice at the DC level?

Connor | VPS Soldiers | Plans starting at $3.50/mo

Comments

  • William Member, Provider

    nah, your DC sucks and you should cancel your shit. (wow that feels surprisingly like /r/relationships lol)

  • VPSSoldiers Member, Provider

    @William the past two weeks have made me strongly re-consider my decision...

  • I get that the provider probably doesn't want their IP's tarnished in a blacklist, but null routing you... That's very extreme IMO..

  • VPSSoldiers Member, Provider

    @ATHK I completely agree. As soon as I see an IP listed (I check blacklists every 2 hours) I do whatever it takes to clear it. This time it was null-routed quicker than I could do anything about it, and now they won't re-route me until I clear the SBL.

  • Ishaq Member, Provider

    Dacentec nulled you for having an IP range added to an SBL?

    [BudgetNode] DDoS Protected. 7 Locations (US/EU). Check out our latest offer!
  • VPSSoldiers Member, Provider

    @Ishaq said:
    Dacentec nulled you for having an IP range added to an SBL?

    Yes.

  • Awmusic12635 Member, Provider

    I can see it happening if the issue that caused the SBL isn't addressed.

    Subnet Labs, LLC Contact Us Deploy to: Seattle, Dallas or NYC
    Impact VPS | Cloud Servers | Storage Servers | Impact Shared | Shared Hosting

  • Ishaq Member, Provider

    @dacentec

    Explain yourself. Why does an SBL listing result in you null-routing the customer's entire range? Other innocent customers could be affected.

    Secondly, wouldn't dropping port 25 egress on the range suffice?

  • Ishaq Member, Provider

    Awmusic12635 said: I can see it happening if the issue that caused the SBL isn't addressed.

    VPSSoldiers said: This time it was null-routed quicker than I could do anything about it and now they won't re-route me until I clear the SBL.

    Is this the first SBL listing on that range?

  • HBAndrei Member, Top Provider
    edited October 2015

    First time I ever hear about this being done... and it shouldn't be done.

    Did they at least warn you beforehand?

    Free Uptime Monitoring - minimize your downtime by being the first to know about it.
    Free Blacklist Monitoring - don't let a few bad clients ruin your network.

  • VPSSoldiers Member, Provider
    edited October 2015

    @Awmusic12635 said:
    I can see it happening if the issue that caused the SBL isn't addressed.

    I could see that as well,

    • 1331: Initial abuse ticket created
    • 1426: My reply stating I terminated the customer
    • 1505: First StatusCake notification (for the looking glass on that subnet); as Zabbix is monitoring on a different subnet I didn't get any from it, and StatusCake is usually delayed in notifying me anyway.

    Ishaq said: Is this the first SBL listing on that range?

    It's MY first SBL listing ever.

  • dacentec Member, Provider

    Depends on the case. PM me the ticket#.

    https://Dacentec.com - [email protected]
    Dedicated Servers, Cloud Services and Colo /SSAE16 SOC 2 / On site 24 hour support

  • VPSSoldiers Member, Provider

    I've had 7 abuse tickets with Dacentec (not saying I'm perfect, but some customers have slipped through that shouldn't have, and I keep learning from each of the tickets). It's just that this time it seems a little extreme to me.

  • jar Provider

    Have I ever heard of a /26 being null routed instantly for an RBL listing?

    Take it away Lawrence:

  • VPSSoldiers Member, Provider

    dacentec said: Depends on the case. PM me the ticket#.

    PM Sent.

  • Which SBL?

  • VPSSoldiers Member, Provider

    Connor | VPS Soldiers | Plans starting at $3.50/mo

  • You're hosting a spammer by the look of it. They have a handful of other Spamhaus listings so they are probably just worried about an escalation. Spamhaus can be VERY jumpy.

    I thought they had some dubious port 25 interception going on anyway so they should be able to block outbound port 25 from your range

  • Ok, this thread definitely speaks to the "pros" of getting IP space other than provided by your DC.

  • jar Provider
    edited October 2015
    From:  [email protected]
    Subj:   Xarelto Injury Case Evaluation ([email protected])
    Date:   Mon Oct 12 16:00:00 2015 ±15 min UTC
    
    From:   [email protected]
    Subj:   Get Cash for Your Structured Settlement or Annuity Payments [email protected]
    Date:   Mon Oct 12 17:00:00 2015 ±15 min UTC
    
    From:   [email protected]
    Subj:   Refinance your home now before rates rise ([email protected])
    Date:   Mon Oct 12 18:00:00 2015 ±15 min UTC

    This is why .review and .faith are blocked entirely on my servers right now. Why do spammers love these TLDs so much?

  • singsing said: Ok, this thread definitely speaks to the "pros" of getting IP space other than provided by your DC.

    A DC can still null route IPs announced via its upstreams. It can also filter them on its routers or simply shutdown the ports to the affected server. Or go as far as dropping the advertisements of the IP space.

  • VPSSoldiers Member, Provider

    MarkTurner said: I thought they had some dubious port 25 interception going on anyway so they should be able to block outbound port 25 from your range

    I would have much rather had that than the current method...

    MarkTurner said: You're hosting a spammer by the look of it. They have a handful of other Spamhaus listings so they are probably just worried about an escalation. Spamhaus can be VERY jumpy.

    And I understand that, and terminated this person as soon as I saw the notice (and reviewed the information of course). I fight spammers on a weekly basis but it's never gone this far.

    My biggest thing is getting the range back online so I can appease the "good" customers who are complaining. I did start a connection limit to port 25 late last week; I'm thinking I need to review my methods there...

  • jar Provider

    VPSSoldiers said: I fight spammers on a weekly basis but its never gone this far.

    Time to start blocking port 25 by default, or if you use OpenVZ use nodewatch to kill most spammers. Someone knows they can get away with using you, you need to make the environment inhospitable for them.

  • VPSSoldiers Member, Provider

    Jar said: Time to start blocking port 25 by default

    I did, for a long while, but they were still getting around it either by lying or by relaying through another server (which still resulted in abuse tickets from Dacentec), and since it's KVM I'm still trying to figure out the best method... I have been working on a script that checks every so often and, if there are too many connections in an hour, blocks the port. It's still in testing but shows promise... I was just looking for a better method.

  • MarkTurner said: A DC can still null route IPs announced via its upstreams. It can also filter them on its routers or simply shutdown the ports to the affected server. Or go as far as dropping the advertisements of the IP space.

    Well, they can, but the incentives are much lower if it's not their IP space that is getting spamhoused.

  • singsing said: Well, they can, but the incentives are much lower if it's not their IP space that is getting spamhoused.

    Any responsible DC would take action against spammers just as a responsible transit provider would take action against someone using their infrastructure for spamming.

    It's not just about getting your IPs blacklisted; you don't want your AS blacklisted or ending up on the DNP list.

    No responsible person wants to be the conduit for spammers. From what the OP is posting now, he has been receiving abuse tickets from Dacentec. Clearly this is just an escalation from that.

  • 28Tom Disabled

    ColoCrossing have done the same to a range on our VPS node in the past

  • VPSSoldiers Member, Provider

    MarkTurner said: No responsible person wants to be the conduit for spammers. From the what the OP is posting now, he has been receiving abuse tickets from Dacentec. Clearly this is just an escalation from that.

    From blacklists like USGOAbuse, Grays Harbor College, and some guy that sent a ticket to Dacentec (at least I hope it's not an employee):

    "This crap is coming at us from something within your infrastructure,
    indicating at least one compromise going on. Please come up with
    some PERMANENT way to slap a lid on this garbage and keep better
    track of where edge users are [perhaps unknowingly] sending mail.
    It is getting sent to large mailing LISTS, thus compounding the recipiency
    problem. [The lists are hosted through Dreamhost, so ignore everything
    about 208.97.132.* as that's just the relay point.] We're talking about
    origin point 172.XX.XXX."

    and another guy who has an earthlink email just stating that he didn't sign up for the email. Each were dealt with in a timely manner. I still don't see this being cause for null-routing an entire subnet.

  • MarkTurner said: No responsible person wants to be the conduit for spammers. From the what the OP is posting now, he has been receiving abuse tickets from Dacentec. Clearly this is just an escalation from that.

    Well, I agree that we don't know everything that happened between OP and Dacentec to date. But it sounds like OP wasn't given much of a warning that the "next step" would be null-routing.

  • VPSSoldiers Member, Provider

    @dacentec has re-routed the range back to me. I'm still working to get clarification on the cause of the null route, though initial statement was

    the block was removed because this is the second escalation we have gotten on this /26, the last escalation we got a month (Sept 21) ago was also for 'annuities', the same as the current one

    I did receive two tickets that day one was the guy from the earthlink address and the other was the one quoted in my last post.

  • VPSSoldiers said: I still don't see this being cause for null-routing an entire subnet.

    If this has been an ongoing issue, then this seems like a normal escalation. It wasn't just one IP. That Spamhaus listing shows 3 IPs so 5% of your IP space was affected.

    I don't know the whole story, so I am not taking sides. But from a DC perspective, these spam complaints cause no end of headaches, especially when you get whole blocks listed. Part of being a VPS provider is to actively monitor your server for abuse; it's going to happen and it's going to happen regularly. So you need to find a way to detect excessive outbound SMTP and either block the IP or shut down the VM.
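    The detection MarkTurner describes here (and the hourly connection-count script VPSSoldiers mentions further up), as an added example that is not code from the thread or from the linked blacklist_checker repo: it parses constructed netfilter LOG lines for new outbound port-25 connections, counts them per guest IP in a sliding one-hour window, and prints the single-IP drop rule an operator would review instead of losing the whole subnet. The log format, the OUT-SMTP prefix, the FORWARD chain and the threshold are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not from the thread) in the shape a netfilter LOG
# rule with --log-prefix "OUT-SMTP: " writes when rsyslog uses ISO timestamps.
SAMPLE_LOG = """\
2015-10-12T13:00:01+00:00 kvm1 kernel: OUT-SMTP: IN=vmbr0 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.9 PROTO=TCP SPT=40001 DPT=25 SYN
2015-10-12T13:01:12+00:00 kvm1 kernel: OUT-SMTP: IN=vmbr0 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.10 PROTO=TCP SPT=40002 DPT=25 SYN
2015-10-12T13:02:40+00:00 kvm1 kernel: OUT-SMTP: IN=vmbr0 OUT=eth0 SRC=10.0.0.7 DST=198.51.100.11 PROTO=TCP SPT=50001 DPT=25 SYN
2015-10-12T13:03:05+00:00 kvm1 kernel: OUT-SMTP: IN=vmbr0 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.12 PROTO=TCP SPT=40003 DPT=25 SYN
2015-10-12T13:04:30+00:00 kvm1 kernel: OUT-SMTP: IN=vmbr0 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.13 PROTO=TCP SPT=40004 DPT=587 SYN
2015-10-12T13:05:00+00:00 kvm1 kernel: OUT-SMTP: IN=vmbr0 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.14 PROTO=TCP SPT=40005 DPT=25 SYN
2015-10-12T13:06:10+00:00 kvm1 kernel: OUT-SMTP: IN=vmbr0 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.15 PROTO=TCP SPT=40006 DPT=25 SYN
2015-10-12T14:30:00+00:00 kvm1 kernel: OUT-SMTP: IN=vmbr0 OUT=eth0 SRC=10.0.0.7 DST=198.51.100.16 PROTO=TCP SPT=50002 DPT=25 SYN
2015-10-12T15:50:00+00:00 kvm1 kernel: OUT-SMTP: IN=vmbr0 OUT=eth0 SRC=10.0.0.7 DST=198.51.100.17 PROTO=TCP SPT=50003 DPT=25 SYN
"""

LINE_RE = re.compile(r"^(\S+) \S+ kernel: OUT-SMTP: .*?SRC=(\S+) .*?DPT=(\d+)")

def parse_smtp_syns(text):
    """Return (timestamp, source_ip) for each logged new connection to port 25."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "25":
            continue  # not an SMTP connection attempt (e.g. submission on 587)
        events.append((datetime.fromisoformat(m.group(1)), m.group(2)))
    return events

def find_offenders(events, max_per_hour, window=timedelta(hours=1)):
    """Peak number of port-25 connections per source in any sliding window of
    `window` length; returns {src: peak} for sources that exceeded max_per_hour."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, src in sorted(events):
        q = recent[src]
        while q and ts - q[0] > window:
            q.popleft()  # forget attempts older than the window
        q.append(ts)
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n > max_per_hour}

def block_rule(src):
    """Rule text an operator would apply (not executed here): drop new port-25
    connections from one guest while the rest of the subnet stays routed.
    Assumes bridged KVM guests with br_netfilter, so traffic hits FORWARD."""
    return f"iptables -I FORWARD -s {src} -p tcp --dport 25 -j DROP"

if __name__ == "__main__":
    for src, n in find_offenders(parse_smtp_syns(SAMPLE_LOG), max_per_hour=4).items():
        print(f"{src}: {n} SMTP connections within an hour -> {block_rule(src)}")
```

    In the constructed sample only 10.0.0.5 bursts past the limit; 10.0.0.7's three attempts are spread over hours and are left alone.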

  • VPSSoldiers said: Please come up with some PERMANENT way to slap a lid on this garbage

    Well, mission accomplished for whoever wrote that.

  • VPSSoldiers Member, Provider

    And typically I do, within 5 mins of notification. But in this case I didn't even really get the chance. I'm not knocking Dacentec; my initial post was just wondering if this was a normal way to go about things. As the last DC I actively worked with was Liquid Web several years ago, I was curious if this was normal practice nowadays... I'm starting to think the only way to keep spam from happening is to require photo ID before opening ports, though I don't like limiting people in that way.

    I was also just corrected: I was on ZEN and XBL, but I caught that one before an abuse ticket was created. (I think that was the guy that was sending out all of those Chase emails (that Chase didn't care about).)

    Anywho, I think I will be making some changes to how someone gets port 25 opened, again. I appreciate all of your guys' help.

  • William Member, Provider

    If my DC/upstream starts to null my own IP range(s) I will go batshit insane and run them down; while minimally excusable for their own ranges sub-allocated/assigned to a customer, I see absolutely zero reason to ever touch my own space. Even more so if I run my own BGP with them. They can cancel the contract (within the written timeframe), sure, but not simply go around nulling shit - if this is in the contract I simply don't sign it (Atrato for example has such a clause).

    Today you have to be extra careful on such things, you never know who wants to fuck around with you (and with some contacts it is very simple to get a fake SBL up as Spamhaus relies majorly on external "sources") - I'd rather be "safer" by using a "criminal" upstream than waking up and having a /24 filtered/ACLd/nulled due to a Spamhaus listing for 5% of it.

  • I have seen this happen, but with due notice and warning.
    One incident a month ago about the same spammer might trigger some nerve twitching.
    It is a bit bizarre this was done for the customer's space, but not unheard of, no.

    Extremist conservative user, I wish to preserve human and civil rights, free speech, freedom of the press and worship, rule of law, democracy, peace and prosperity, social mobility, etc. Now you can draw your guns.

  • VPSSoldiers Member, Provider

    Ok, let me ask you guys another question, what do you see as being "due notice" for an incident like this, just out of curiosity?

  • Only ever been nulled once, and the DC had just gotten a call from the FBI that the guy was hosting child porn. Of course, that's not including ColoCrossing's trigger happy SMTP null routing and DDoS attacks.

  • Ishaq Member, Provider

    @VPSSoldiers said:
    Ok, let me ask you guys another question, what do you see as being "due notice" for an incident like this, just out of curiosity?

    Null or drop outbound 25 on the offending IPs only + 24 hours notice to remove the spamming customer.

  • dacentec Member, Provider

    VPSSoldiers said: Ok, let me ask you guys another question, what do you see as being "due notice" for an incident like this, just out of curiosity?

    It depends on how many notices, the severity of the notices, account history.

    If a customer signed up for a server and large block of IPs and started getting SBLs right away we might terminate the entire account.


  • Steven_F said: Only ever been nulled once, and the DC had just gotten a call from the FBI

    Now that actually sounds like a good reason for nulling without warning.

  • William Member, Provider

    Steven_F said: Only ever been nulled once, and the DC had just gotten a call from the FBI that the guy was hosting child porn. Of course, that's not including ColoCrossing's trigger happy SMTP null routing and DDoS attacks.

    In the US you don't have much choice on that - though if the FBI calls (yes, I had this before, also the Secret Service and something called "National Cyber Security Division" which seems to be some Homeland Security thing) and has a nice story (or even proof), I still can't touch the servers; I simply cannot follow laws from other countries or I risk legal problems myself. They should go the usual way and call my local police (or a higher-up instance like the government or federal police) and send me a local court order (depending on the crime, for CP a mail or fax is enough, but I need that or I cannot open and verify the content without incriminating myself), then I will happily comply.

  • @singsing said:
    Now that actually sounds like a good reason for nulling without warning.

    It was (and is) a perfectly good reason, except the DC told me to go look at the content to verify. I was like, nope. No thank you, the FBI calling is proof enough.

    @William said:

    I was told to just terminate the client. They didn't ask for his info or anything, which I found a bit weird.

  • @VPSSoldiers said:
    (as I check blacklists every 2 hours)

    So you don't get much sleep do you?

  • VPSSoldiers Member, Provider

    Actually no, but I check it with a script which emails me which IPs are on which blacklists; manually checking would suck, lol.

    https://github.com/ConnorStr/blacklist_checker

  • jar Provider

    Part of growing, finding that sweet spot where people who want to abuse your services no longer feel welcome, while everyone else does.

    Here's something I made that you can copy:

    https://catalysthost.com/refund-request-form/

  • Steven_F said: They didn't ask for his info or anything, which I found a bit weird.

    That actually makes a lot of sense. The contact info you have on file in these cases is either complete baloney, or doesn't belong to the true perpetrator.

  • VPSSoldiers Member, Provider

    @Jar you actually have people ask for a refund? The people I have just chargeback...

  • So... can I get that refund then? I only sent 500,000 viagra emails to people who definitely subscribed to it.

  • jar Provider

    @VPSSoldiers said:
    Jar you actually have people ask for a refund? The people I have just chargeback...

    I dunno I don't really handle that anymore, only thing I do for Catalyst is manage shared hosting email under the roof of MXroute. But...I like to joke too ;)

  • dacentec Member, Provider

    VPSSoldiers said: I check it with a script which emails me which IPs are on which blacklists

    This usually isn't enough. As others have mentioned you need some blocking or active countermeasures.
