ivmSIP/24 - Page 2

  • Spirit Member
    edited November 2014

    I am not talking about a specific helpdesk issue and it's not just about you. The most common argument about organizations dedicated to tracking email spammers and spam-related activity is their lack of response and non-preparation to work with IP owners to resolve the issue, not the listings themselves. And yet when someone comes here, takes your problem seriously, shows preparation to work with you... this isn't appreciated either.
    Lack of this will be the main thing which will piss you off in case Spamhaus does the same blacklisting ;-)
    I hope you understand what I am trying to say. Discussion is good, but most of the heat at LET is usually taken by those who meet you halfway, willing to do the right thing, discuss, explain and improve things.
    You may not be entitled to the same courtesy from, let's say, Spamhaus. And that's part of the real problem often discussed at LET, isn't it?

    Thanked by 2vRozenSch00n k0nsl
  • @doughmanes said:
    I would take ivmsip/24 more seriously if they don't blacklist crap for 12 months+ on really old IPs

    We have MUCH shorter expire times.

    Also, our online form reports the date that the IP was FIRST blacklisted... NOT the "last spam seen" date. So this can give the mistaken impression that our expire time is overly long. Therefore, we really do have spam on file that is MUCH more recent.

    The purpose of reporting the "spam 1st seen" date is to show those who are looking for a blacklist that will help them block spam other blacklists missed... that we OFTEN list spam emitting IPs hours/days before other lists catch them.

    But this sometimes backfires when those looking at the form are the ones wanting to be delisted. They think "what the hell? why am I STILL listed"... not realizing that this was the "1st seen" date, not the "last seen" date.

  • HostNun Member
    edited November 2014

    @Spirit said:
    I am not talking about a specific helpdesk issue and it's not just about you. The most common argument about organizations dedicated to tracking email spammers and spam-related activity is their lack of response and non-preparation to work with IP owners to resolve the issue, not the listings themselves. And yet when someone comes here, takes your problem seriously, shows preparation to work with you... this isn't appreciated either.

    What isn't appreciated? If you read up, you'll see that my first remark to @invaluement was to thank him for responding here.

    As for 'taking my problem seriously', again, I have to ask, what problem? I agree that it's not just about me. In the same breath, it's not my problem because it doesn't affect my clients/myself. This is why I suggested the discussion should be abstract and conceptual rather than specific and expository.

    From my perspective, this thread is mostly an admonition regarding what could happen to innocent providers/people/whoever caught up in inefficient, broad-brush spam nets. To the extent that @invaluement's practices have no effect on my particular /26 and its respective IPs, the specifics are irrelevant.

    I hope you understand what I am trying to say. Discussion is good, but most of the heat at LET is usually taken by those who meet you halfway, willing to do the right thing, discuss, explain and improve things.

    I think it would be irresponsible to reveal the IPs on LET without asking for consent from those who are using them. I wouldn't be against it, but I see no need for exposition here, it would be superfluous.

    Lack of this will be the main thing which will piss you off in case Spamhaus does the same blacklisting ;-)

    I'm not sure what this is supposed to mean, but lol if you're foreshadowing more inexcusable behaviour from Spamhaus. They can point their tactics elsewhere, I'm not in control of enough IPs to make it worth their while anyway.

  • HostNun said: this thread is mostly an admonition regarding what could happen to innocent providers/people/whoever caught up in inefficient, broad-brush spam net

    Except, as I mentioned, SOME (of the MANY!) tactics ivmSIP/24 uses to narrow the ranges to a smaller than /24 block, in order to surgically target the spammer and avoid innocent bystanders... involve the mail sending reputation of actual sending IPs of legit senders... so your "test case" ended up not being very reflective of real world scenarios of ivmSIP/24 listings where spammers and actual legit e-mail senders share the same /24 block. (since your IPs you brought up are not mail senders)

  • @invaluement said:
    Except, as I mentioned, SOME (of the MANY!) tactics ivmSIP/24 uses to narrow the ranges to a smaller than /24 block, in order to surgically target the spammer and avoid innocent bystanders... involve the mail sending reputation of actual sending IPs of legit senders... so your "test case" ended up not being very reflective of real world scenarios of ivmSIP/24 listings where spammers and actual legit e-mail senders share the same /24 block. (since your IPs you brought up are not mail senders)

    This was to test a theory, certainly not a 'case'. I understand what you're saying here, though. I think you said it more directly earlier in the thread:

    NOTE: Also, recall that I previously stated that IF your IPs WERE used to send legitimate e-mail, then some of the metrics we use to narrow ivmSIP/24 listings, to bypass innocent bystanders... WOULD possibly be in play...but are NOT available since your /26 block is not used to send mail

    So what you're saying is that since the IPs weren't being used to send email to begin with, there was no way for your algorithms to consider them, right? If so, that would make sense, but at the same time, doesn't it only further prove the inefficiency of your broad-brush method? (i.e. IPs that aren't used to send email as a blind spot that you have no way of analyzing or accounting for).

  • HostNun said: I think it would be irresponsible to reveal the IPs on LET without asking for consent from those who are using them. I wouldn't be against it, but I see no need for exposition here, it would be superfluous.

    I never said to reveal them here. You were asked by him. The most I can get from your writings is "I like to talk about this problem which actually isn't a problem. I am here just for the lulz, and because he's too small to really hurt me, I can safely ignore his requests to clarify the situation although he's willing to work with me".
    You also "think" it's a false positive with the silly terrorism associations connotation. If you open a thread about this and the other side comes here to clarify this with you, that's simply not good enough.

    invaluement said: I couldn't find any removal requests from any e-mail address containing "hostnun"... if you'll message me (on this forum) your /26 block, I'll take a look and let you know what I find. I'll ALSO report my findings to this thread too, but keeping your IPs confidential (assuming that is desired?).

    @HostNun that's an important part to me in a thread like this. After you threw down the gauntlet pursuing your own agenda (for the lulz, I guess?), ignoring this part simply doesn't make you look like a serious discussion partner. You may enjoy reading your own arguments but please also take others into consideration.

    HostNun said: This is why I suggested the discussion should remain abstract and conceptual rather than specific and expository.

    But YOU are specific and expository. That's the whole point of my writings in this thread. Give others the same courtesy.

    Thanked by 2iKeyZ ricardo
  • HostNun Member
    edited November 2014

    @invaluement said:
    Also, our online form reports the date that the IP was FIRST blacklisted... NOT the "last spam seen" date.

    Speaking of which, that was another interesting thing about this situation. I hadn't remembered until now, but when I was initially looking up IPs via http://dnsbl.invaluement.com/lookup/ on the 24th, there was no content in the '*DATE LISTED' column for any of the results. I found it quite fascinating to learn that my IPs had been 'listed' outside of the constraints of space-time!

    I'm guessing that the invariant absence of a date is a direct result of what you were saying re: certain metrics being unavailable for IPs that were not being used to send email?

  • @Spirit said:
    But YOU are specific and expository. That's the whole point of my writings in this thread. Give others the same courtesy.

    In not revealing the IPs without the consent of those using them, no, I wasn't being specific and expository. Certain people are trying to create an expository narrative where there needn't be one, I am refusing it. I do not feel that any superfluous exposition is owed as a 'courtesy' to the readership of LET, but anyone is welcome to PM or email me if they think they're entitled to it. I can put you in touch with my clients, you can ask them yourself. I will not post any of their information here without their consent.

    @invaluement said:
    I'll ALSO report my findings to this thread too, but keeping your IPs confidential (assuming that is desired?).

    @Spirit said:
    @HostNun that's an important part to me in a thread like this.

    Right, that is you seeking an expository narrative, which is what I see as superfluous. I have no interest in @invaluement's 'report' at this time, and if I did, it would definitely not be in the context of him posting his findings here without the consent of my clients.

    'I am here just for the lulz'

    This is not true. I do find some of this to be amusing, but I have been speaking calmly and reasonably throughout the thread.

    The most I can get from your writings is "I like to talk about this problem which actually isn't a problem.

    Not at all. I think the methods being used are problematic in an abstract sense (see what I said re: admonition above). I think they also may become a problem for others in the future. However, again, it isn't my problem because my IPs weren't/aren't even being used to send email... (lol) they literally aren't being blocked or filtered in any sense, regardless of appearing as false positives in an RBL outside of space-time.

  • So, no cause, and no effect?

  • HostNun Member
    edited November 2014

    I don't really understand why some people are so fixated on having me contact @invaluement.

    The 'bottom line' is that the listing has no effect on me because I've never used any of the spuriously listed IPs for email. As for my clients, I don't know if they use their accounts for email or not, but in the absence of any complaints, I can only imagine that the listing has no effect on them either. It is also not backed up by any other RBL, not a single one. Why go any further, then? Why make a mountain out of a mole hill?

    @ricardo said:
    So, no cause, and no effect?

    Is it problematic that the IPs were 'listed' with no regard for the space-time continuum? Honestly, I don't know. I guess that is for @invaluement to decide. Spukhafte Fernwirkung?

  • More like Occam's Razor. Seems like invaluement lacks the information to answer your question, and you lack the information to decide whether he's running a legitimate and accurate service. The only breakthrough would perhaps be someone else's experience of what kind of gravity a listing on there would entail... which hasn't happened.

    I had to Google that as I don't speak German. If you believe in a deterministic outcome then not to worry.........................

  • Maounique Host Rep, Veteran
    edited November 2014

    I think I already proved his list is only for little providers. I went to check GoDaddy known spam ranges and they were not listed. Furthermore, individual IPs used to send spam in the last week, listed in uceprotect's list, were not present in ivmSIP or any other list.
    q.e.d.
    BTW, what is the expiration time if an IP stops sending spam @invaluement? We only read that it is way shorter than one year, but not exactly how long. Or does it vary depending on how big is the provider and how fast you get THAT phone call?
    @doughmanes : uceprotect does delist in 7 days, but they survive from delisting money. Long ago it cost 50 to delist, now the prices have gone up, which means fewer and fewer people pay.
    "The fee for this is 109 USD per IP address. Payments are only accepted by Paypal or Moneybookers."
    More fun: https://groups.google.com/forum/#!topic/news.admin.net-abuse.email/kyjxt8jTauc[1-25-false]
    And, no, we are not listed by UCEPROTECT, go look for ASN 34971 here:
    http://www.uceprotect.net/en/rblcheck.php
    Most of the time we have 0 IPs listed out of 10k
    My bias against them is because they list whole Romanian providers, I would have nothing against home ranges which should be listed anyway as dynamic, but also the business ranges "benefit" from home ranges of infected computers absolutely impossible to police.

  • invaluement Member
    edited November 2014

    HostNun said: Right now I'm guessing the /26 I received from my upstream is part of a larger /24

    HostNun,

    Is your /26 properly delegated in IpWhois data (arin.net, etc)? In other words, if someone looked up an IP in this block in the proper IpWhois database, would they see a record of your /26, showing that this is delegated to you, separate from any larger block delegation?

  • Maounique Host Rep, Veteran

    @invaluement I am still waiting to see proof of GoDaddy being listed, then we go to other big providers. Until then, I proved you are only targeting small providers, more likely to pay the ransom.

  • @Maounique said:
    invaluement I am still waiting to see proof of GoDaddy being listed, then we go to other big providers. Until then, I proved you are only targeting small providers, more likely to pay the ransom.

    Maounique,

    It doesn't seem like you read a word I had said in my previous explanations about the Godaddy listings or the YesMail/InfoUSA listings. And judging from your previous comments, which are full of ad hominem attacks which often included making shit up about invaluement out of thin air... I can only conclude that you're not discussing "in good faith". Therefore, I am happy to continue this discussion in general... but I don't think YOU are actually listening to what I'm saying... so my only response at this point is to ask you to re-read my previous posts about your question... and then please use your brain. Anyone curious about your question should be fully satisfied with my previous answers regarding Godaddy and YesMail/InfoUSA.

    And you haven't "proved" anything. And your standards of what constitute proof are laughable. Here is how you sound: "Rob never said he didn't shovel unicorn manure for a living... I guess that proves it is true."

    Thanked by 1doughmanes
  • Maounique Host Rep, Veteran
    edited November 2014

    Not really. I took a known spamming range, then checked the individual IPs in your database and came up negative while they were listed in reputable lists such as Barracuda, so they were not a uceprotect invention. And I did take one range with many spammy IPs, one they did not even accept money for delisting, being three times over their threshold.
    Yet, that is not listed in your lists, not only the /24 is "clean", but also the currently spamming (in the last 7 days) IPs.
    This is not a proof? Then what is?
    If we were to take your word for it that you try to minimize collateral damage, then the same should be applied to smaller providers AND listing /24 is rendering all that point moot in the first place, isn't it? This targets providers specifically, NOT spammers. And I generally do not take the interested party's word as such, I do check it and the checks failed completely.
    The only bright spot here is that your list is not used. As I said, who uses anything else than big reputable lists deserves their fate and empowers bullies and extortionists.

  • invaluement Member
    edited November 2014

    Maounique said: more likely to pay the ransom

    btw - that is libel. It is patently false. And you have zero evidence to support this statement. Even the evidence you claim to have is at best extremely circumstantial. And there is no "mechanism" available for this. (I guess you think that I must psychically communicate to others about how to pay to get off my blacklists?... because there certainly is no published procedure in existence!) By making such a statement, you further undermine your credibility. invaluement does NOT provide "pay for removal"... never has, never will.

  • invaluement Member
    edited November 2014

    These are all waste-of-time side shows. The MOST relevant question on the table right now is my last question to Host Nun about whether his /26 delegation is clearly delineated in IP-Whois data.

  • Maounique Host Rep, Veteran
    edited November 2014

    invaluement said: btw - that is libel.

    If you were having the money to pay the lawyers, you would have listed GD too, so, I am not worried about your threats. As it looks now, you are only hopeful to join the table with spamhaus and uceprotect (which, in turn are not doing great lately either), far from being taken seriously, at least not yet. And, trust me, listing /24s will not help in this regard, especially if you are doing it selectively, targeting only small providers.
    And, I agree, this is about hostnun mostly, but the general context and your practices especially are VERY relevant. You do admit you target smaller providers to force their customers to "vote with their feet". After this admission of guilt, then the discussion should have been over, but you did continue it which forced me to present the proof. And my proof shows you DO NOT list GoDaddy, not even the heavily spamming /24s, which other reputable lists as well as extortionists are listing. You admitted you HAD TO delist GoDaddy with the shoddy reason that you try to avoid collateral damage while having no issue to list /24 of smaller providers because, you know, there is no collateral damage there, everyone on those is a spammer just because the provider cannot afford the lawyers to send after you.

  • Maounique said: I took a known spamming range

    You have it ALL wrong... the invaluement lists purposely pass on "low hanging fruit"... for example, we go out of our way to NOT even bother processing spam that is ALREADY on SpamHaus' XBL list. We ignore much spam that is on other parts of SpamHaus's ZEN list. Instead, invaluement is trying to catch the more sneaky spam that SpamHaus either misses, or doesn't list for some minutes/hours/days later. If that were not true, the invaluement data files would be 10-20 times as large.

    There is a large percentage chance that the range you checked as your "proof"... was more of that low-hanging-fruit that invaluement purposely ignores. I'd bet that Barracuda-listed range... was ALREADY listed on XBL or CBL. Hmmmm?

    And even if it wasn't so, your "evidence" is STILL anecdotal, and we get signups all the time from people frustrated by the spam that slipped by their filter.. then they start checking MX ToolBox and noticing that invaluement consistently blocked those sneakier spams FIRST.

    PS - please DO keep believing that nobody uses our lists. I prefer that the darker corners of the Internet believe that.

  • invaluement Member
    edited November 2014

    Maounique said: with the shoddy reason that you try to avoid collateral damage

    really?... you really think that a blacklist can list Godaddy IPs... without large amounts of legit mail from innocent bystanders not being blocked? really?

    Let me make one thing clear... yes there is a bias favoring large ISPs ONLY in the sense that SHARED IPs from large ISPs will ALWAYS have MUCH collateral damage, due to the large amount of hand-typed legit messages sent from large ISPs.

    THAT bias is sort of an unfortunate "given". Do I like that? No. I hate that this is true.

    But I've NEVER lifted a finger to go out of my way to give large providers a free pass outside of ONLY doing whatever was needed to prevent false positives (collateral damage). Likewise, I've never lifted a finger to punish smaller providers, as you keep falsely attributing to me.

    If the legal issues were such a big deal, I wouldn't have listed YesMail/InfoUSA... that I did... GREATLY undercuts your arguments about not ever going after large providers. Perhaps even destroys that argument. The reason I could blacklist MANY YesMail/InfoUSA IPs blacklisted for many many months (as they were continuing to spew UBE)... is because no credible FPs could be established during that period of time... unlike GoDaddy.

    As I already said, it comes across as hypocritical when you are so concerned about some types of False Positives, but don't care about Godaddy's legit customers getting their legit messages blocked--and LOTS of that stuff involves small businesses!

  • Maounique Host Rep, Veteran
    edited November 2014

    What I checked was not listed in spamhaus either, so GD does have ways to "manage" them too.
    It would be great if that was true but it does not even make sense.
    You say you try to list what others do not. Fine, but then how do you explain the /24 which is the issue here? It is true those are very likely to not be listed by other lists, because few honest people even consider it in the first place, but this does not mean you should list all other IPs which big lists don't, this way being the only sure way so no spam is "missed".
    Sure, if the same mail or same spamvertized site comes from, say 3-5 IPs in a /24 and they are not within the same /28, say, then it is a reasonable assumption that the whole /24 is allocated to a spammer but this is not the case.

    And, you did not tell us how long until the listing expires I mean, how long after the last spam email came until the IP is removed? You only said that is lower than 1 year. I think this is relevant, today IPs are changing hands very often in the VPS business, we have tens of new customers a day and with thousands of VMs it is impossible to make sure none are hijacked, especially in the case of unmanaged services. 90% of our cases are hijacked boxes.

    And, I am glad you show your true colors here with threats, you call me a part of the darker corners of the internet, even though I proved even extortionist lists do not have us on them. I am glad we will be on yours, only spammers check carefully before, so will not really matter for regular customers, but will reduce the work on me to screen up people.
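
Added example (not part of the thread and not invaluement's algorithm): the two ideas argued over above, written out in Python. A /24 is treated as one unit only when several spam sources are spread across different /28s, and an escalated listing is then narrowed around known legitimate senders. The thresholds, function names and RFC 5737 sample addresses are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed thresholds, taken loosely from the "3-5 IPs ... not within the
# same /28" wording in the post above. IPv4 only.
MIN_SOURCES = 3
SPREAD_PREFIX = 28


def _narrow(block, sources, legit):
    """Largest sub-blocks of `block` holding spam sources but no legit sender."""
    if not any(s in block for s in sources):
        return []                      # no spam seen in this part of the range
    if block.prefixlen == 32 or not any(l in block for l in legit):
        return [block]                 # bystander-free block, or a single spam IP
    found = []
    for half in block.subnets():       # split in two and examine each half
        found.extend(_narrow(half, sources, legit))
    return found


def plan_listings(spam_ips, legit_senders=()):
    """Return sorted CIDR strings to list for the given IPv4 spam sources.

    spam_ips      -- addresses that emitted spam
    legit_senders -- addresses with a known-good mail sending reputation
    """
    legit = [ipaddress.ip_address(ip) for ip in legit_senders]
    by_24 = defaultdict(set)
    for ip in spam_ips:
        addr = ipaddress.ip_address(ip)
        by_24[ipaddress.ip_network(f"{addr}/24", strict=False)].add(addr)

    listings = []
    for net24, sources in by_24.items():
        spread = {
            ipaddress.ip_network(f"{a}/{SPREAD_PREFIX}", strict=False)
            for a in sources
        }
        if len(sources) < MIN_SOURCES or len(spread) < 2:
            # Too few sources, or all inside one /28: list single IPs only.
            listings.extend(ipaddress.ip_network(f"{a}/32") for a in sources)
        else:
            # Escalate, but carve the range around legitimate senders.
            listings.extend(_narrow(net24, sources, legit))
    return [str(n) for n in sorted(listings)]


if __name__ == "__main__":
    # Constructed sample data (RFC 5737 documentation ranges).
    spam = ["192.0.2.10", "192.0.2.70", "192.0.2.130"]
    print(plan_listings(spam))                                  # whole /24
    print(plan_listings(spam, legit_senders=["192.0.2.200"]))   # narrowed
    print(plan_listings(["198.51.100.1", "198.51.100.2", "198.51.100.3"]))
```

With no reputation data for a range, nothing in this logic can narrow the listing, which is the situation described for the /26 that was never used to send mail.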

  • invaluement Member
    edited November 2014

    ignore this... I didn't see the "page 2" link... so I was repeating myself.

  • barracuda has a lower standard than invaluement for keeping collateral damage FPs to a minimum. They are simply more aggressive in their quest to punish spam emitting IPs.. in ways that lead to MORE innocent bystanders having their legit mail blocked... in comparison to invaluement. Not different by a wide margin... but more like we draw our tolerance lines somewhat differently. That would explain why you can find a Godaddy range listed on barracuda right now, but can't find that same range on invaluement. (if I had known you were talking about GoDaddy IPs, I would NOT have asked that SpamHaus question, since this would NOT be XBL material!)

    This doesn't mean that barracuda is bad... it means that they might be more appropriate as a high scoring list, but not an outright blocking list.

    Regarding expire dates... there you go again... assuming the worst about invaluement when not given every tiny detail. Our expire dates are dynamic... they can be as short as not much more than 24 hours for one-off security problems... but lengthen exponentially when longer term patterns of abuse are clearly found in the evidence.

    Part of the reason I prefer to not reveal every single tiny detail--is because spammers would LOVE that information in order to game the system.

    When I asked earlier to "put up or shut up"... the "putting up" part is thus far pathetic... for example... can you spot a single example where an IP is currently blacklisted on invaluement, but yet the abuse was fixed months ago? No, you can't. You speculate much, giving invaluement the EXTREME LACK of "benefit of the doubt"... but your evidence against invaluement is speculative... not based on credible evidence.

  • invaluement Member
    edited November 2014

    invaluement said: they can be as short as not much more than 24 hours for one-off security problems

    And sometimes even shorter... sometimes just a few hours. And the vast majority of the time that a one-off security problems legit sender fixes their problem and submits a removal request... their listing INSTANTLY delists. (thus not having to wait for it to expire based on time listed and not having to wait for other mechanisms that trigger delistings, such as manual review of their request)

  • Maounique Host Rep, Veteran

    invaluement said: When I asked earlier to "put up or shut up"... the "putting up" part is thus far pathetic... for example... can you spot a single example where an IP is currently blacklisted on invaluement, but yet the abuse was fixed months ago? No, you can't.

    Hahahah! You know that I get a list of IPs sending email from our range and I check it almost every day? Do you know how often I see and ignore your list there because it is the only one listing? On the same IPs? And that nobody ever complained their email is blocked due to this listing? Wait a few minutes, of course I do not remember the IP(s) from the top of my head but I go to check the list of today again and see what comes up, chances are again your lone list will pop up some place and not where there are real spammers. I will present all cases here.

  • Maounique Host Rep, Veteran
    edited November 2014

    Here they are:
    http://mxtoolbox.com/SuperTool.aspx?action=blacklist:188.164.131.39&run=toolpage#
    Hijacked box, NOT listed by you.

    erhm... This is all in the top 40 by packets on port 25 today, but we do have many hundreds of IPs sending email, any spammer makes the list because there are really few which send high legit volumes.
    But let's reverse it, I gave you the AS 34971, give me the listings for it and we will see how many are in other lists as well. If you are not so afraid of transparency (uceprotect is very open with their listing policy and are making way more money, I believe), you can also put the last time you received a spam email from the IP.
    Since, of course we are the black sheep of the internet, or at least dark sheep, you must have tons of examples, enough to blacklist the whole AS. I could not find a way to check the AS against your list.

  • invaluement Member
    edited November 2014

    Maounique said: Hijacked box, NOT listed by you.

    This argument was totally refuted by my previous comment about how we skip even trying to list the low hanging fruit... and focus on spammy ips that are NOT listed on XBL. For example, the following statement is included at the end of our setup instructions:

    NOTE: Regarding ivmSIP (in particular)... If you judge ivmSIP based on percentage or numbers of hits compared to all incoming spam or incoming connections, prepare to be very disappointed. But if you rate ivmSIP based on (1) the number of spams which would have otherwise gotten completely past your spam filtering and into your users mailboxes (that is, reduction of the spam slipping past your filter), (2) low FPs, and (3) The number of spams that your filtering would have caught, but only after more 'expensive' content filtering... where ivmSIP is the ONLY RBL to block the spam (this can even be helpful in a pure scoring environment because of 'early exiting' from the filter once a particular score is achieved.) --rate ivmSIP on all three of those factors and you should be very pleased!

    (and that applies to ivmSIP/24 too)

  • Maounique said: nobody ever complained their email is blocked due to this listing?

    Being a commercial anti spam list that does NOT have a gazillion free users does significantly limit our market share. The percent of outbound messages which get spam filter checked against our lists is rather small. But that has zero relevance regarding the quality of our data. And that doesn't change the fact that some very large and highly respected technology companies are very impressed with the quality of our data and renew their invaluement subscription each year... their expertise about spam filtering and their 1st hand "hands on" knowledge of our data are both vast.

    No amount of trash talk from Maounique will change that.

  • Maounique Host Rep, Veteran
    edited November 2014

    I am still waiting for the listings from our AS and the number of reputable lists which are listing that as well.
    Otherwise, the argument that "we blacklist around at every shadow and the whole /24 for one incident and then we catch more than others" is stupid. You could blocklist the whole internet and you will block ALL possible spam except the IPv6 one (BTW you do have an IPv6 list too, right? Where you block /24s too, correct?).
    You say corporations use your list to catch the spam others don't. That is possible if the cost of false positives is very low and they only receive valuable mail from the big providers you are whitelisting to prevent your overreaching techniques to block all their mail. Your "recipe" is "block everything EXCEPT big providers and leave the other lists handle them".
    So, now we have the explanation: you do not block small providers to take their money, you block everything except the big ones because you have only customers which receive mail only from big providers.
    That is perfectly fine, but your list will not be needed then, every admin will whitelist the providers they receive legit mail from and set default policy to block. If he pays for your list, that is only his company's loss, in this case, the company deserves their admin :)
    You may manage to fool some admins and they will throw some corporate money at you no harm done, there is space under the sun for this tactic too and those admins and companies deserve it. There is a tax for being stupid or lazy everywhere.
    Steal from the stupid corporations? Fine with me, go on, please.
    I am sorry I misunderstood you, you should have explained it in the first place, it only takes a few sentences, small providers will not care about your list like before.
