Posted to users@spamassassin.apache.org by Jo Rhett <jr...@netconsonance.com> on 2015/10/06 04:33:11 UTC

any reason not to block every Softlayer allocation?

Looking at my spam block statistics, not a single IP I’ve reported to SoftLayer over the last two years has been shut down. Is there any reason I shouldn’t just block all their allocations and save myself some effort?

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.


Re: any reason not to block every Softlayer allocation?

Posted by Philip Prindeville <ph...@redfish-solutions.com>.
On Oct 5, 2015, at 10:57 PM, Noel Butler <no...@ausics.net> wrote:

> On 06/10/2015 12:39, Jo Rhett wrote:
> 
>> Sorry, let me restate: I know consequences of blocking large
>> providers. I’m asking if others have found the same to be true, or if
>> there is any reason to give SoftLayer benefit of the doubt?
>> Once in a great while this kind of query generates clueful contact
>> with said provider to get off their tail...
> 
> 
> softlayer is turning into the U.S.'s version of Europe's OVH - many ranges of both are blocked, though the report rate has dropped significantly in months gone by for both, so if you block, leave yourself a note to unblock in 30 days or so and see how it pans out.
> 
> Alternatively, if you have a lot of users you provide for that get legit softlayer mail, just score them high so they always end up in spam folder.


We’ve had issues with softlayer/the planet.  I don’t remember ever seeing a response to a single complaint.  Not one.

And some of them are really blatant, like impersonating the FBI.

One thing I’ve noticed is that long-term, legitimate softlayer customers end up changing their rDNS (PTR) records, since they don’t have to jump from lily pad to lily pad.

The spammers, on the other hand, often don’t go through the trouble because they’re not going to be there long enough.

In that case, blocking something like:

X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}-static\.reverse\.softlayer\.com /
X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[0-9a-f]{2}\.[0-9a-f]{2}\.[0-9a-f]{4}\.static\.theplanet\.com /


might be the solution.

We found that most of the spam we got from softlayer either included a URL that resolved to 104.148.103.2 — which was easy to block with check_url_local_bl() — or else contained a message-id which had an email address in it followed by:

[a-z0-9\-\.]{1,6}>$

for instance.

-Philip
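
The generic-rDNS check described in the message above, as an added example that is not part of the original post: it parses an X-Spam-Relays-Untrusted value and tests only the first relay, which is what the `^[^\]]+` anchor in the posted patterns does. The function names and every sample relay line (documentation-range IPs, example hostnames) are constructed for illustration.

```python
import re

# The two rDNS patterns from the post, anchored to the whole hostname.
GENERIC_RDNS = [
    re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}-static\.reverse\.softlayer\.com$"),
    re.compile(r"^[0-9a-f]{2}\.[0-9a-f]{2}\.[0-9a-f]{4}\.static\.theplanet\.com$"),
]
RELAY_RE = re.compile(r"\[\s*([^\]]*)\]")  # one "[ key=value ... ]" group per relay


def parse_relays(value):
    """Split an X-Spam-Relays-Untrusted value into one dict per relay."""
    relays = []
    for body in RELAY_RE.findall(value):
        fields = {}
        for token in body.split():
            key, sep, val = token.partition("=")
            if sep:
                fields[key] = val
        relays.append(fields)
    return relays


def first_hop_is_generic(value):
    """True if the relay that handed the mail to us still has provider-default rDNS."""
    relays = parse_relays(value)
    if not relays:
        return False
    rdns = relays[0].get("rdns", "").lower()  # hostnames are case-insensitive
    return any(p.match(rdns) for p in GENERIC_RDNS)


# Constructed sample values (not taken from real mail).
TAIL = "by=mx.example.org ident= envfrom= intl=0 id=ABC123 auth= msa=0 ]"
GENERIC = "[ ip=192.0.2.10 rdns=192.0.2.10-static.reverse.softlayer.com helo=a.example " + TAIL
THEPLANET = "[ ip=192.0.2.30 rdns=1e.02.00c0.static.theplanet.com helo=b.example " + TAIL
CUSTOM = "[ ip=192.0.2.20 rdns=mail.customer.example helo=mail.customer.example " + TAIL
# Generic rDNS only on an earlier hop: the first (nearest) relay is customised.
LATER_HOP = CUSTOM + " " + GENERIC
# Hostname that merely starts with the generic name must not match.
LOOKALIKE = "[ ip=192.0.2.40 rdns=192.0.2.10-static.reverse.softlayer.com.other.example helo=c.example " + TAIL

if __name__ == "__main__":
    for name in ("GENERIC", "THEPLANET", "CUSTOM", "LATER_HOP", "LOOKALIKE"):
        print(name, first_hop_is_generic(globals()[name]))
```
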


Re: any reason not to block every Softlayer allocation?

Posted by Noel Butler <no...@ausics.net>.
On 06/10/2015 12:39, Jo Rhett wrote:

> 
> Sorry, let me restate: I know consequences of blocking large
> providers. I’m asking if others have found the same to be true, or if
> there is any reason to give SoftLayer benefit of the doubt?
> 
> Once in a great while this kind of query generates clueful contact
> with said provider to get off their tail...


softlayer is turning into the U.S.'s version of Europe's OVH - many 
ranges of both are blocked, though the report rate has dropped 
significantly in months gone by for both, so if you block, leave 
yourself a note to unblock in 30 days or so and see how it pans out.

Alternatively, if you have a lot of users you provide for that get 
legit softlayer mail, just score them high so they always end up in spam 
folder.

Re: any reason not to block every Softlayer allocation?

Posted by Reindl Harald <h....@thelounge.net>.

Am 06.10.2015 um 04:39 schrieb Jo Rhett:
> On Oct 5, 2015, at 7:36 PM, Reindl Harald <h....@thelounge.net> wrote:
>> Am 06.10.2015 um 04:33 schrieb Jo Rhett:
>>> Looking at my spam block statistics, not a single IP I’ve reported to
>>> SoftLayer over the last two years has been shut down. Is there any
>>> reason I shouldn’t just block all their allocations and save myself some
>>> effort?
>>
>> if it's your personal mail only - go ahead
>> if you are responsible for others' mail - be careful
>
> Sorry, let me restate: I know consequences of blocking large providers. I’m asking if others have found the same to be true, or if there is any reason to give SoftLayer benefit of the doubt?
>
> Once in a great while this kind of query generates clueful contact with said provider to get off their tail...

they don't care about abuse, the same is true for many other large 
providers, my first answer stays unchanged anyway


Re: any reason not to block every Softlayer allocation?

Posted by Jo Rhett <jr...@netconsonance.com>.
On Oct 5, 2015, at 7:36 PM, Reindl Harald <h....@thelounge.net> wrote:
> Am 06.10.2015 um 04:33 schrieb Jo Rhett:
>> Looking at my spam block statistics, not a single IP I’ve reported to
>> SoftLayer over the last two years has been shut down. Is there any
>> reason I shouldn’t just block all their allocations and save myself some
>> effort?
> 
> if it's your personal mail only - go ahead
> if you are responsible for others' mail - be careful

Sorry, let me restate: I know consequences of blocking large providers. I’m asking if others have found the same to be true, or if there is any reason to give SoftLayer benefit of the doubt?

Once in a great while this kind of query generates clueful contact with said provider to get off their tail...

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.


Re: any reason not to block every Softlayer allocation?

Posted by Reindl Harald <h....@thelounge.net>.

Am 06.10.2015 um 04:33 schrieb Jo Rhett:
> Looking at my spam block statistics, not a single IP I’ve reported to
> SoftLayer over the last two years has been shut down. Is there any
> reason I shouldn’t just block all their allocations and save myself some
> effort?

if it's your personal mail only - go ahead
if you are responsible for others' mail - be careful


Re: any reason not to block every Softlayer allocation?

Posted by "Gibbs, David" <da...@midrange.com>.
On 10/5/2015 9:33 PM, Jo Rhett wrote:
> Looking at my spam block statistics, not a single IP I’ve reported to
> SoftLayer over the last two years has been shut down. Is there any
> reason I shouldn’t just block all their allocations and save myself
> some effort?

Maybe just add a rule to increase the score for mail from their IP blocks?






Re: any reason not to block every Softlayer allocation?

Posted by Matthias Leisi <ma...@leisi.net>.
> Am 06.10.2015 um 04:33 schrieb Jo Rhett <jr...@netconsonance.com>:
> 
> Looking at my spam block statistics, not a single IP I’ve reported to SoftLayer over the last two years has been shut down. Is there any reason I shouldn’t just block all their allocations and save myself some effort?

If there are any not yet listed at Spamhaus…

https://www.spamhaus.org/sbl/listings/softlayer.com

And:

https://www.spamhaus.org/news/article/727/brazilian-internet-users-suffer-softlayers-security-fail

— Matthias