Ever heard of being null-routed for being on SBL?

So I had a /26 null-routed today for it getting listed on the SBL, though it's been a while (up until a few months ago) since I have dealt with a DC directly, has this become normal practice at the DC level?


Comments

  • nah, your DC sucks and you should cancel your shit. (wow that feels surprisingly like /r/relationships lol)

  • @William the past two weeks have made me strongly re-consider my decision...

  • I get that the provider probably doesn't want their IPs tarnished in a blacklist, but null routing you... That's very extreme IMO..

  • @ATHK I completely agree, as soon as I see an IP listed (as I check blacklists every 2 hours) I do whatever it takes to clear it. This time it was null-routed quicker than I could do anything about it and now they won't re-route me until I clear the SBL.

  • Dacentec nulled you for having an IP range added to an SBL?

  • @Ishaq said:
    Dacentec nulled you for having an IP range added to an SBL?

    Yes.

  • Awmusic12635 Member, Host Rep

    I can see it happening if the issue that caused the SBL isn't addressed.

  • @dacentec

    Explain yourself. Why does an SBL listing resort to you nullrouting the customer's entire range? Other innocent customers could be affected.

    Secondly, wouldn't dropping port 25 egress on the range suffice?

  • Awmusic12635 said: I can see it happening if the issue that caused the SBL isn't addressed.

    VPSSoldiers said: This time it was null-routed quicker than I could do anything about it and now they won't re-route me until I clear the SBL.

    Is this the first SBL listing on that range?

  • HBAndrei Member, Top Host, Host Rep
    edited October 2015

    First time I ever hear about this being done... and it shouldn't be done.

    Did they at least warn you beforehand?

  • VPSSoldiers Member
    edited October 2015

    @Awmusic12635 said:
    I can see it happening if the issue that caused the SBL isn't addressed.

    I could see that as well,

    • 1331: Initial Abuse ticket created
    • 1426: My reply stating I terminated the customer
    • 1505: First status cake notification (for the looking glass on that subnet) as Zabbix is monitoring on a different subnet I didn't get any. And statuscake is usually delayed in notifying me anyways.

    Ishaq said: Is this the first SBL listing on that range?

    It's MY first SBL listing ever.

  • dacentec Member, Host Rep

    Depends on the case. PM me the ticket#.

  • I've had 7 abuse tickets with Dacentec (not saying I'm perfect but some customers have slipped through that shouldn't have, and I keep learning from each of the tickets). It's just this time it seems a little extreme to me.

  • jar Patron Provider, Top Host, Veteran

    Have I ever heard of a /26 being null routed instantly for an RBL listing?

    Take it away Lawrence:

    Thanked by 2HBAndrei Syed
  • dacentec said: Depends on the case. PM me the ticket#.

    PM Sent.

  • Which SBL?

  • You're hosting a spammer by the look of it. They have a handful of other Spamhaus listings so they are probably just worried about an escalation. Spamhaus can be VERY jumpy.

    I thought they had some dubious port 25 interception going on anyway so they should be able to block outbound port 25 from your range

  • Ok, this thread definitely speaks to the "pros" of getting IP space other than provided by your DC.

    Thanked by 1vimalware
  • jar Patron Provider, Top Host, Veteran
    edited October 2015
    From:  [email protected]
    Subj:   Xarelto Injury Case Evaluation (REDACTED@REDACTED)
    Date:   Mon Oct 12 16:00:00 2015 ±15 min UTC
    
    From:   [email protected]
    Subj:   Get Cash for Your Structured Settlement or Annuity Payments REDACTED@REDACTED
    Date:   Mon Oct 12 17:00:00 2015 ±15 min UTC
    
    From:   [email protected]
    Subj:   Refinance your home now before rates rise (REDACTED@REDACTED)
    Date:   Mon Oct 12 18:00:00 2015 ±15 min UTC

    This is why .review and .faith are blocked entirely on my servers right now. Why do spammers love these TLDs so much?

    Thanked by 1vimalware
  • singsing said: Ok, this thread definitely speaks to the "pros" of getting IP space other than provided by your DC.

    A DC can still null route IPs announced via its upstreams. It can also filter them on its routers or simply shutdown the ports to the affected server. Or go as far as dropping the advertisements of the IP space.

  • MarkTurner said: I thought they had some dubious port 25 interception going on anyway so they should be able to block outbound port 25 from your range

    I would have much rather had that than the current method...

    MarkTurner said: You're hosting a spammer by the look of it. They have a handful of other Spamhaus listings so they are probably just worried about an escalation. Spamhaus can be VERY jumpy.

    And I understand that, and terminated this person as soon as I saw the notice (and reviewed the information of course). I fight spammers on a weekly basis but it's never gone this far.

    My biggest thing is getting the range back online so I can appease the "good" customers who are complaining. I did start a connection limit to port 25 late last week, I'm thinking I need to review my methods there...

  • jar Patron Provider, Top Host, Veteran

    VPSSoldiers said: I fight spammers on a weekly basis but it's never gone this far.

    Time to start blocking port 25 by default, or if you use OpenVZ use nodewatch to kill most spammers. Someone knows they can get away with using you, you need to make the environment inhospitable for them.

  • Jar said: Time to start blocking port 25 by default

    I did, for a long while but they were still getting around it either by lying, or by relaying through another server (which still resulted in abuse tickets from Dacentec) and since it's KVM I'm still trying to figure out the best method... I have been working on a script that checks every so often and if there are too many connections in an hour then it blocks the port but it's still in testing but shows promise... I was just looking for a better method.
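
An hourly connection check of the kind described in the post above, as an added example (not the poster's script). The log line format, guest addresses and threshold are constructed for illustration, and lines are assumed to arrive in time order; ports 465 and 587 are counted as well so that relaying through a remote submission server is not missed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Hypothetical format: one line per new outbound connection seen on the KVM host.
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)$")
SMTP_PORTS = {25, 465, 587}  # assumption: relays are reached on SMTP or submission ports


def constructed_log():
    """Build constructed sample traffic for four guests (documentation addresses)."""
    t0 = datetime(2015, 10, 12, 16, 0, 0)
    rows = []
    for i in range(40):   # bulk sender: 40 connections in 20 minutes on port 25
        rows.append((t0 + timedelta(seconds=30 * i), "192.0.2.10", 25))
    for i in range(3):    # ordinary mail server: one connection per hour
        rows.append((t0 + timedelta(hours=i), "192.0.2.11", 25))
    for i in range(30):   # relays through a remote server on port 587
        rows.append((t0 + timedelta(minutes=i), "192.0.2.12", 587))
    for i in range(100):  # web traffic only, must be ignored
        rows.append((t0 + timedelta(seconds=i), "192.0.2.13", 443))
    rows.sort()
    return [f"{ts:%Y-%m-%dT%H:%M:%SZ} src={src} dst=198.51.100.7 dport={port}"
            for ts, src, port in rows]


def peak_smtp_rate(lines, window=timedelta(hours=1)):
    """Return {guest_ip: most SMTP connections seen in any sliding window}."""
    recent = defaultdict(deque)   # per-guest timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m.group(4)) not in SMTP_PORTS:
            continue              # skip malformed lines and non-mail traffic
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        src = m.group(2)
        q = recent[src]
        q.append(ts)
        while ts - q[0] >= window:  # drop connections older than the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return dict(peak)


def guests_to_block(lines, threshold):
    """Guests whose peak hourly SMTP connection count exceeds the threshold."""
    return sorted(ip for ip, n in peak_smtp_rate(lines).items() if n > threshold)


if __name__ == "__main__":
    print(guests_to_block(constructed_log(), threshold=20))
```

A sliding window avoids the blind spot of fixed hourly buckets, where a burst straddling the top of the hour is split into two counts that each stay under the limit.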

  • MarkTurner said: A DC can still null route IPs announced via its upstreams. It can also filter them on its routers or simply shutdown the ports to the affected server. Or go as far as dropping the advertisements of the IP space.

    Well, they can, but the incentives are much lower if it's not their IP space that is getting spamhoused.

  • singsing said: Well, they can, but the incentives are much lower if it's not their IP space that is getting spamhoused.

    Any responsible DC would take action against spammers just as a responsible transit provider would take action against someone using their infrastructure for spamming.

    It's not just about getting your IPs blacklisted, you don't want your AS blacklisted or ending up on the DNP list.

    No responsible person wants to be the conduit for spammers. From what the OP is posting now, he has been receiving abuse tickets from Dacentec. Clearly this is just an escalation from that.

    Thanked by 1k0nsl
  • ColoCrossing have done the same to a range on our VPS node in the past

  • MarkTurner said: No responsible person wants to be the conduit for spammers. From what the OP is posting now, he has been receiving abuse tickets from Dacentec. Clearly this is just an escalation from that.

    From blacklists like USGOAbuse, Grays Harbor College, Some guy that sent a ticket to Dacentec (at least I hope it's not an Employee)

    "This crap is coming at us from something within your infrastructure,
    indicating at least one compromise going on. Please come up with
    some PERMANENT way to slap a lid on this garbage and keep better
    track of where edge users are [perhaps unknowingly] sending mail.
    It is getting sent to large mailing LISTS, thus compounding the recipiency
    problem. [The lists are hosted through Dreamhost, so ignore everything
    about 208.97.132.* as that's just the relay point.] We're talking about
    origin point 172.XX.XXX."

    and another guy who has an earthlink email just stating that he didn't sign up for the email. Each were dealt with in a timely manner. I still don't see this being cause for null-routing an entire subnet.

  • MarkTurner said: No responsible person wants to be the conduit for spammers. From what the OP is posting now, he has been receiving abuse tickets from Dacentec. Clearly this is just an escalation from that.

    Well, I agree that we don't know everything that happened between OP and Dacentec to date. But it sounds like OP wasn't given much of a warning that the "next step" would be null-routing.

  • @dacentec has re-routed the range back to me. I'm still working to get clarification on the cause of the null route, though initial statement was

    the block was removed because this is the second escalation we have gotten on this /26, the last escalation we got a month (Sept 21) ago was also for 'annuities', the same as the current one

    I did receive two tickets that day; one was the guy from the earthlink address and the other was the one quoted in my last post.
