On Thu, Dec 23, 2004 at 03:57:56PM +0000, Earle Martin wrote:
> http://openguides.org/dev/?node=Wiki%20Greylisting
> Dave, perhaps you might like to elucidate on the basics of BGP for those of us who aren't familiar with it.
Yes, and a correction to your image too :-)
BGP (Border Gateway Protocol) is what ISPs use to figure out how to route a packet from one host to another halfway round the world. It works by ISPs "announcing" that they can route to (e.g.) all hosts in NETMASK/BITS. E.g., 212.58.224.111 is a BBC web server. Auntie announces a route to 212.58.224.0/19. That notation means "the netblock which contains IP 212.58.224.0 and all other IPs which have the same first 19 bits". Obviously, the smaller the number of leading bits a block shares, the larger the block.
The idea is that when a wikiadmin sees some spam, they would look at a view of the routing table (I have a script which does this using route-views.org's very nice DNS-ish view of the routing table at the University of Oregon) to see what netblock was being announced that contained the spammer's IP, and would greylist the entire block [Earle - it might be bigger or smaller than a /20]. They would also BLACKlist the spammer's /24 or, if the netblock is smaller than /24, blacklist just that smaller block.
We blacklist a /24 as well as greylisting a larger block for reasons of route aggregation, ISPs being spam-friendly, and so on. I can explain in great detail and at great length over a beer ;-)
I have a script which I use for this sort of stuff, contact me off-list if you want a copy.
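As an added illustration (not the script mentioned above, which is not on this page), here is a Python sketch of the greylist/blacklist decision just described; it assumes the announced prefix has already been looked up (e.g. via route-views.org) and only produces a recommendation for the wikiadmin to act on.

```python
import ipaddress

def shares_leading_bits(ip: str, announced: str) -> bool:
    """True when ip has the same first BITS bits as the NETMASK/BITS block,
    i.e. the block 'contains' the address in the sense the email describes."""
    net = ipaddress.ip_network(announced, strict=False)
    addr = ipaddress.ip_address(ip)
    if addr.version != net.version:
        return False
    # Drop the host bits and compare what remains of both addresses.
    shift = net.max_prefixlen - net.prefixlen
    return (int(addr) >> shift) == (int(net.network_address) >> shift)

def suggest_blocks(spammer_ip: str, announced: str) -> dict:
    """Return the blocks a wikiadmin would consider: greylist the whole
    announced prefix, blacklist the spammer's /24 (or the announced block
    itself if it is smaller than a /24).  IPv4 only, as in the email."""
    addr = ipaddress.ip_address(spammer_ip)
    net = ipaddress.ip_network(announced, strict=False)
    if addr.version != 4 or net.version != 4:
        raise ValueError("only IPv4 netblocks are handled here")
    if not shares_leading_bits(spammer_ip, announced):
        raise ValueError(f"{spammer_ip} is not inside announced block {net}")
    if net.prefixlen >= 24:
        blacklist = net  # announced block is /24 or smaller: list just that block
    else:
        blacklist = ipaddress.ip_network(f"{addr}/24", strict=False)
    return {"greylist": str(net), "blacklist": str(blacklist)}

if __name__ == "__main__":
    # The BBC example from the email: a /19 announcement containing 212.58.224.111.
    print(suggest_blocks("212.58.224.111", "212.58.224.0/19"))
    # Constructed case (documentation range): the announced block is a /26,
    # smaller than a /24, so the blacklist is just that block.
    print(suggest_blocks("198.51.100.100", "198.51.100.64/26"))
```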
It's very important to note that no blacklisting or greylisting should happen without an admin's say-so. That said, I would very strongly recommend blacklisting all the networks at: http://www.spamhaus.org/drop/drop.lasso (explanation at http://www.spamhaus.org/drop/) and at least greylisting (but preferably blacklisting) all of: http://www.okean.com/sinokoreacidr.txt (explanation at http://www.okean.com/asianspamblocks.html)
FWIW, I have all of those netblocks blacklisted (plus several others) in my mail sewer config, and there is no noticeable performance hit.