[BC] ANI Faking --and-- IP address blocking

Craig Healy craig.healy at hotmail.com
Mon May 12 22:30:58 CDT 2008


> >  What if you simply don't care about anything that comes from China?  For
> >  example, 210.xxx.xxx.xxx 211.xxx.xxx.xxx 219.xxx.xxx.xxx 220.xxx.xxx.xxx and
> >  221.xxx.xxx.xxx all seem to be assigned to China.  If I block those, why
> >  would I care?  Dynamic addresses still are included within assigned blocks.
> >  All the more reason to block groups instead of individual addresses.
>
>  The more reason for an effective and properly implemented filtering system,
>  which will not include on-line black lists, nor IP blocking of any kind. ( with
>  incredibly few exceptions )
>  Until such time as one can point to an official IANA or ICANN document stating
>  that ANY IP is always assigned to some country, your premise is based entirely
>  on that one word "seems" which is a VERY dangerous assumption.
>  A better assumption would be that your assumption has already failed, but
>  you have blocked any attempt to let you know about it.

While there may not be anything carved in ICANN stone, as a practical matter
all those IP addresses are from China.  Blacklists that are as well
maintained as other filters should be equally as good.  Maybe I will have
blocked some attempt to notify me of some incorrect block, but it has
*never* been an issue.  On balance the complaints about incorrectly blocked
email vs. the kudos for spam reduction have been zero to many.  Consequences
have been zero.  It's been all good.

> >  Right now at another place I block any incoming email to two domains from
> >  those IP addresses, plus some other questionable ones.  In the several years
> >  I've done that, not once has there been a problem.
>
>  Again flawed logic.
>  It would be acceptable to state "Not once have we been made aware of a
>  problem" with the understanding that you have also blocked ALL
>  attempts to notify you of a problem, perhaps a serious one.

It can't be flawed if it's worked.  If there were a real issue, I am sure
that there would have been repercussions.  So far, nada!  No lost business,
no gripes forwarded by other means.  When someone shows me a better way that
doesn't cost huge dollars, I'm in.

> >  What would be good would be to set the router to do that instead of two
> >  steps later on an email filter.  And it would also block a good percentage
> >  of hack attacks.
> >
> >  To be honest, this client would prefer to just whitelist US and probably
> >  Canadian addresses, and some Europeans and Australians as well.  Block the
> >  rest of the world.
> >
> >  Why is it flawed to block a range of addresses from which most of the spam
> >  and attacks originate?  Seriously, if there is some plausible reason I'll
> >  bring it to this client and try to convince them.
>
>  Let's see......
>  Nearly all terrorists, are male and between the ages of 18 and 40.
>  Therefore, we assume that ALL males between the ages of 18 and 40 are
>  terrorists, and execute them on sight.

Oh come on.  Apples, oranges.  Blocked email vs. killing someone?  Sheesh.
While I get your intent, it doesn't match the real world.  While those IP
addresses all originate from China, they will be blocked if possible.  As I
said, there is *zero* interest in any communication from China or other
Asian nations at this client.  They aren't racially motivated, they just
have no need for communications from there.  China has a very bad reputation
for hacking and spam.  Heck, years ago I was just messing around with an IIS
server to test something.  Came in the next day and it was hacked.  The news
reported that a large number of web sites were hacked, and it was traced to
China.  It's simple.  There will be zero problems compared to leaving that
door open.

>  This is called "inductive reasoning" and was taught to be a bad idea
>  about second or third grade, and why.

The example you put forward would be a very bad idea.  In this case they
simply don't want communication ability and the spam, hacking or DDoS
attacks that come along with it.

Why do you lock your doors?  To keep out dangerous critters.  A great number
of dangerous critters come from specific IP ranges, so we lock that door.

> >  For what it's worth, the particular SMTP server I use at one location
> >  requires all email addresses to be configured.  If an address isn't found,
> >  it refuses the mail.  Approximately 98% of the incoming mail is blocked,
> >  according to the logs.  All spam.
>
>  This was tried by some of the major ISP's for a while, and was such a miserable
>  failure I'm pretty sure no one of any repute uses it today.

When you are dealing with a broad brush collection of users, yes.  When you
have a narrow focused group that don't want Chinese mail or communications,
it's not an issue.

>  With my above example, it should be painfully obvious why this is
>  a really bad idea. It can get worse. Some will again assume that merely
>  adding a bit more criteria will suffice.

(snip)
(sigh)
In this case, the owner of the place has decided he doesn't want Chinese
communications under any condition.  Email, web, whatever.  His choice, and
he's perfectly happy to accept the consequences, and none are expected.  Any
filter list will eventually resolve down to a list of blocked IPs.  In this
case we simply eliminate the DNS and dynamics by blocking the assigned
address spectrum.  We also don't have to accept an input and then block it.
Proactive vs. reactive.

>  OK.
(snip)
>  Can you see where this is going ?

Yes, off the track by changing the whole discussion.  We aren't discussing
something that has serious human consequences such as flying airplanes into
buildings or blowing up innocent people.  Just preventing all unwanted
traffic from an undesired country.  No serious consequences there.

>  I merely point out that the basis for this kind of logic is flawed.
>  Until you can fix the basis, you can not fix the outcome.
>  There is no good way to implement a bad idea.

I think that the overreaction to preventing a country with known bad habits
is also flawed.  Dunno about you, but having lead-tainted email can't be
healthy. </humor>

Reply if you want, but it will be the last word.  As far as this client is
concerned, blocking Chinese IP traffic is a desirable idea with the good
far, far outweighing the bad.  My question was if anyone has successfully
implemented it, and if so, how.  The decision to do that has been made.  And
so far I've seen no specifics on how it can be done otherwise.

Craig Healy
Providence, RI
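
An added example, not part of the original message: a dry run of the range block discussed in this thread against existing mail logs before the block is moved to the router, reporting how many connections each /8 would drop and which already-delivered senders fall inside them. The log format, sample lines and function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# The five /8 ranges named in the thread. Their assignment is taken from the
# thread as given; it is not verified here.
BLOCKED = [ipaddress.ip_network(f"{o}.0.0.0/8") for o in (210, 211, 219, 220, 221)]

# Constructed sample log, one "<client-ip> <outcome>" per line. "delivered"
# means the existing mail filter accepted the message for a real recipient.
SAMPLE_LOG = """\
210.51.7.9 rejected-unknown-recipient
221.8.130.44 rejected-unknown-recipient
220.181.3.12 delivered
198.51.100.23 delivered
203.0.113.77 rejected-unknown-recipient
219.133.0.5 rejected-unknown-recipient
not-an-ip delivered
192.0.2.10 delivered
"""

def matching_block(ip_text):
    """Return the blocked network containing ip_text, or None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # unparseable source address
    return next((net for net in BLOCKED if ip in net), None)

def dry_run(log_text):
    """Count what each range would drop and list wanted mail it would drop."""
    per_range, collateral, total = Counter(), [], 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        ip_text, outcome = parts
        try:
            ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # skip malformed entries instead of counting them
        total += 1
        net = matching_block(ip_text)
        if net is not None:
            per_range[str(net)] += 1
            if outcome == "delivered":
                collateral.append(ip_text)  # mail someone wanted
    return {"total": total, "blocked": sum(per_range.values()),
            "per_range": dict(per_range), "collateral": collateral}

if __name__ == "__main__":
    print(dry_run(SAMPLE_LOG))
```

A non-empty `collateral` list is the case the quoted reply warns about: mail that was being accepted and would disappear silently once the block sits in front of the mail server.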



