Internet ghost-towns: the blocked IPs where the bad guys used to live

When a block of IP addresses or a collection of domain names becomes associated with bad action -- spamming, jabbering, denial-of-servicing -- various ad-hoc Internet groups will add it to a blacklist of "rogue IPs" or "badware domains", and everyone who subscribes to that list then drops its traffic outright, at a very low level in the network, without looking at it.

The problem is that there doesn't seem to be any way to reliably propagate an "all clear" signal to everyone who consumes these lists, which means that gradually the net is acquiring "slums" -- blocks of useful space that can't be occupied by legitimate users because someone bad once lived there and now no one will accept their traffic.

The Washington Post's Security Fix visits this question -- it's a compelling problem when you think of it. Bad actors will continue to move from blocked IPs to fresh ones, and if we never release the blocked sections, eventually we'll have shut down a very large chunk of IP space indeed.

"The problem is once an address block gets so polluted and absorbed into all these blocklists, it's difficult to get off all of them because there is no central blocking authority," said Paul Ferguson, an advanced threat researcher at Trend Micro. "That space won't be toxic for all time to come, but certainly it is going to be tainted for whoever ends up with it..."

"What you'll find is some blacklists out there are derivatives of other lists, and it's hard to get those cleaned up," Bertier said, recalling a case last year in which a customer was given a swath of Internet addresses, only to find it was impossible to send e-mail from that space. "Typically in those cases, we'll work with the customers to get them new space and mark that allocation as something that really shouldn't be used for e-mail."
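The lists in question are consulted over DNS: a mail server reverses the octets of the connecting address, appends the list's zone, and treats an answer in 127.0.0.0/8 as "listed" (RFC 5782). The following is an added example, not code from the post or from the Washington Post piece, showing that lookup and the check an operator would run on newly assigned space before trusting it for mail. The zone names are placeholders (assumption; substitute the lists your peers actually consult), and the sample answers are constructed so the sweep runs offline.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Optional

Resolver = Callable[[str], Optional[str]]

# Placeholder zone names (assumption for illustration): substitute the DNSBL
# zones your mail peers actually consult, and check each list's query policy
# before sweeping whole netblocks against it.
ZONES = ["bl.example.net", "dul.example.org", "combined.example.com"]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name for ``ip`` under ``zone`` (RFC 5782).

    IPv4: octets reversed, e.g. 192.0.2.10 -> 10.2.0.192.<zone>.
    IPv6: all 32 hex nibbles of the expanded address reversed, one per label.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def system_resolver(name: str) -> Optional[str]:
    """Resolve ``name`` with the system resolver; None means NXDOMAIN / no answer."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def make_table_resolver(table: Dict[str, str]) -> Resolver:
    """Resolver backed by a dict, so the check can run offline or in tests."""
    return lambda name: table.get(name)


def check_ip(ip: str, zones: Iterable[str] = ZONES,
             resolver: Resolver = system_resolver) -> Dict[str, str]:
    """Return {zone: return_code} for every zone that lists ``ip``.

    Only answers inside 127.0.0.0/8 count as listings; anything else is
    treated as a broken list or a wildcarding resolver and ignored.
    """
    hits: Dict[str, str] = {}
    for zone in zones:
        answer = resolver(dnsbl_query_name(ip, zone))
        if not answer:
            continue
        try:
            listed = ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")
        except ValueError:
            listed = False
        if listed:
            hits[zone] = answer
    return hits


def tainted_hosts(cidr: str, zones: Iterable[str] = ZONES,
                  resolver: Resolver = system_resolver,
                  max_hosts: int = 256) -> Dict[str, Dict[str, str]]:
    """Check every address in ``cidr`` (up to ``max_hosts``) and return the listed ones.

    This is the question to ask before putting inherited space into service
    for mail: which addresses are still on a list, and on which lists.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.num_addresses > max_hosts:
        raise ValueError(f"{cidr} has {net.num_addresses} addresses; "
                         f"refusing to sweep more than {max_hosts}")
    result: Dict[str, Dict[str, str]] = {}
    for addr in net:
        hits = check_ip(str(addr), zones, resolver)
        if hits:
            result[str(addr)] = hits
    return result


# Constructed sample answers standing in for real DNSBL responses: two hosts
# in 192.0.2.0/29 are still listed; 192.0.2.1 carries a bogus non-127/8 answer.
SAMPLE_LISTINGS = {
    "3.2.0.192.bl.example.net": "127.0.0.2",
    "3.2.0.192.combined.example.com": "127.0.0.11",
    "6.2.0.192.dul.example.org": "127.0.0.10",
    "1.2.0.192.bl.example.net": "10.0.0.1",  # not a 127/8 code -> ignored
}


if __name__ == "__main__":
    offline = make_table_resolver(SAMPLE_LISTINGS)
    for host, hits in tainted_hosts("192.0.2.0/29", resolver=offline).items():
        print(host, hits)
```

The `max_hosts` guard matters in practice: most lists rate-limit or block bulk querying, so sweep a /24 at a time and pass `system_resolver` (the default) only for space you actually hold.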

A year later: A look back at McColo (via /.)


      1. Just quantity. Yeah, eventually you’d run into the same problem – but it’ll be the next generation’s problem. ;-)

  1. shouldn’t be blocking IP addresses anyway… they should be blocking domain names and do a DNS lookup every day to get the latest IP for the domain…

    simple really… when you get an active spammer, then reverse DNS to get the domain, then add that domain to the blocklist… then everyday, repopulate a temporary IP list using DNS lookups of the blocked domains…

    I’m convinced some admins are just too lazy to write a simple script to run every day…

  2. #5: the problem is that DNS lookups are per-address or per-host, not per-domain. Certainly I can go from the address of the spamming host to its DNS name, and I can probably trim that to get just the domain, but from that there’s no way to reliably translate that into an IP address block. There’s in principle a way, if the spammer’s set up some special records correctly and accurately, but they probably didn’t. And it’s fairly easy for them to make the domain name resolve to an address that’s got nothing to do with the IP range they’re really coming from. So the only thing I’ve really got that I can use is the IP block containing the IP address of the host they used.

  3. With services like Ring Central and Google Voice, the same thing will happen with phone numbers. I’ve blocked a number of telemarketing phone numbers — years from now, when someone legit has the number, they will not be able to call me.

  4. I’ve even seen this happen on a more short-term basis: A hosting company has several clients who try running spambots. Within a day, the spammers’ accounts have already been cancelled by the host. But by that time, the IP block has already been added to several blacklists. It’s particularly bad when you’re dealing with a single SMTP server that’s shared between several web sites, as some hosting companies tend to do.

    1. Spam blacklists fail in one very specific way, and that’s that spam scores need to reflect the user population density of a netblock. As there is no way of telling how many physical discrete people use a specific netblock to send email, there is no way of coming up with accurate spam scores and metrics.

      This is why webhosts, esp. ones with large mail clusters, get very very badly dinged as far as mail delivery. A webhost with 10,000 customers using its mail servers is most likely going to have a worse spam score than a spam-producing business with its own netblock (spam-producing business != business of producing spam).

  5. @manicbassman: … and what happens when there is no reverse DNS? Nobody is under any obligation to set up an IP to name mapping.

  6. They should block those IP addresses, then unblock them, then block them again, then unblock them… pretty much at random.

    That way, they’ll be providing about the same level of service as my local ISP…sigh…

  7. I ran into this when I went with a low cost colo provider. It took a year to get my IP unblacklisted, and many, many attempts. It’s like anti-virus: the companies that run blacklists have better credence if their databases are larger. So they have little motivation to de-list an IP once they have it.

  8. I’ve been gray-listed within the last two years, as have Xeni and David. And probably more of us that I don’t know about. I think that anyone who does a fair amount of online business will be accidentally (or vengefully) tagged enough times to have the occasional problem.
