Discussion:
How to distinguish fixed from dynamic IPs?
Markus Zingg
2004-02-28 23:44:44 UTC
I'm thinking of blocking dynamic IPs. Not necessarily to block spam.
I'm more after blocking those fast mutating e-mail worms which
obviously almost always have their origin with infected PCs and
perform direct-to-MX connections.

I'm not using any standard e-mail server hence want/have to implement
this on my own. In other words I can't use script X or product Y.

I'm therefore wondering how technically a static IP can be
distinguished from a dynamic one. What comes to mind is

a) performing a reverse DNS lookup and examining the resulting string
for parts of the IP address and/or strings like dialup, dsl etc., but
I'm not sure if this is going to cut it.

b) using a blocklist - but then I wonder what criteria were/are used
to feed the blocklist

c) Is there some official database/registry where ISPs declare fixed
versus dynamic IP ranges? I never reserved IP space for myself - I'm a
software developer mainly - so please bear with me if this is a
stupid question...

Any pointers are welcome.

TIA

Markus
McWebber
2004-02-28 23:47:24 UTC
Post by Markus Zingg
I'm thinking of blocking dynamic IPs. Not necessarily to block spam.
I'm more after blocking those fast mutating e-mail worms which
obviously almost always have their origin with infected PCs and
perform direct-to-MX connections.
I'm not using any standard e-mail server hence want/have to implement
this on my own. In other words I can't use script X or product Y.
I don't understand. Do you mean you just want to filter at your PC when
downloading mail by examining the headers? If so, I'd say just use some
anti-virus software instead if your ISP isn't blocking via one of the DNSBLs
that list dynamic IPs.
--
McWebber
"Richter points to the lack of legal action against his company as proof
that he's operating appropriately."
Information Week, November 10, 2003
John Doherty
2004-02-29 03:59:05 UTC
Post by Markus Zingg
I'm thinking of blocking dynamic IP's.
That's probably not exactly what you mean, but I think I get the idea.
Post by Markus Zingg
I'm therefore wondering how technically a static IP can be
distinguished from a dynamic one.
Technically, the two can't be distinguished. That is, when you are
presented with an IP packet from a given source address, there is no
way to know how that address was assigned to the host using it at the
moment, if all you have to go on is the packet itself.

(There's a sense in which the static/dynamic dichotomy isn't really
real, and in which all IP addresses are at least potentially dynamic
over the long term. There's never any guarantee that a given address
won't be assigned to a new machine, possibly one fulfilling a
different role or under the control of a different organization than
before.)

Probably, what you really want is not to block dynamic addresses per
se, but broadband residential networks (mostly cable, but some DSL),
which can be presumed to be populated with little but Windows PCs, a
significant fraction of which are compromised in one or more ways.

The problem with those machines is not that they acquire IP addresses
dynamically: it's that they're so likely to be compromised in one or
more ways and that they're on high-speed networks, which makes them
attractive to spammers and others looking for machines to abuse.
Post by Markus Zingg
performing a reverse dns lookup and examining the resulting
string for parts of the IP address and or strings like dialup, dsl
etc, but I'm not sure if this is going to cut it.
That can help, but there's at least one way to misuse reverse DNS as a
way to block mail. But if you want to get down to brass tacks, you'd
have to explain what software you want to use.
Post by Markus Zingg
Is there some official database/registry where ISP's declare fixed
versus dynamic IP ranges?
No, there isn't. There is <http://www.blackholes.us>, though, and it's
pretty useful.

--
Uncle StoatWarbler
2004-02-29 15:06:22 UTC
Post by John Doherty
Probably, what you really want is not to block dynamic addresses per
se, but broadband residential networks (mostly cable, but some DSL),
Spammers aren't particularly fussy. There's a lot of spam coming from
compromised broadband boxes but there is still a significant fraction of
spam coming from compromised dialup boxes.

One of the reasons the control software uses IRC bots is so that the IP
address doesn't matter. A bot can be given a control sequence to fire off
a spam run and the spammer doesn't care if it takes 24-72 hours to run
through instead of 25 minutes. There are far more dialups out there than
broadband boxen, so all they have to do is spread the load among more
dialups.
Duncan McNiven
2004-02-29 15:17:25 UTC
Post by John Doherty
there's at least one way to misuse reverse DNS as a
way to block mail
Could you spell out what you are hinting at here? I would be interested to know more.
--
Duncan
Vernon Schryver
2004-02-29 17:02:16 UTC
Post by Duncan McNiven
Post by John Doherty
there's at least one way to misuse reverse DNS as a
way to block mail
Could you spell out what you are hinting at here? I would be interested to know more.
I suspect he is referring to the gross misunderstanding implicit
in these words:

] performing a reverse dns lookup and examining the resulting
] string for parts of the IP address and or strings like dialup, dsl
] etc, but I'm not sure if this is going to cut it.

Anyone who understands the nature of things is quite certain that won't
cut it. The strings "dialup" or "dsl" in a reverse DNS name do not
imply that the corresponding IP address is "dynamic" even if you make
the not exactly true assumption that there is such a thing as a dynamic
address. People put all kinds of strings in their reverse DNS names.
Sometimes "dsl" might be intended to indicate the nature of the link
to the IP address and other times it might be part of some word such
as "landslide." When "dsl" does correctly indicate that the IP address
is beyond a DSLAM, it does not necessarily indicate that the IP address
is more dynamically assigned than 132.151.1.19 or 192.5.5.241. (Those
who've heard of "anycasting" know that last is tricky.)

Again,
- you want a list of IP addresses owned by ISPs that don't pay
attention to which of their customers are using which address.

- that list of abusively managed IP addresses is only vaguely
correlated to the list of addresses using DHCP or PPP IPCP.

- the list of IP addresses with reverse DNS names containing "dial,"
"modem," "dorm," or "dsl" is only vaguely connected with the other
two lists.

You're better off just blacklisting all of Comcast's and similar ISPs'
addresses with some whitelist entries for their smarthosts. You might
approximate that list by using some of the lists that claim to be about
"dynamic addresses." Be clear about what you are doing in your own
mind, even if the people compiling those lists are confused or lying
to themselves.


Vernon Schryver ***@rhyolite.com
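An added illustration, not code from anyone in this thread, of the two lookups the posts so far discuss: the reverse-DNS name heuristic Markus proposed and the DNSBL query McWebber and Jem mention. The PTR records, the addresses and the DNSBL zone `dyn.dnsbl.example` are constructed for the example; the lookup functions take a resolver callable so the fake tables can be swapped for real DNS. The token matching is restricted to label boundaries so that "landslide" is not mistaken for "dsl", and the output deliberately keeps the case Vernon describes: a name that says "dsl" says something about the line, nothing about how the address is assigned.

```python
import re
import ipaddress

# Constructed sample data (not real hosts, not a real DNSBL): what a reverse lookup
# of each connecting address would return, None meaning "no PTR record".
FAKE_PTR = {
    "192.0.2.10": "cpe-192-0-2-10.dsl.example-isp.net",   # generic name, octets embedded
    "192.0.2.11": "landslide.example.org",                # "dsl" inside an ordinary word
    "192.0.2.12": "mail.example.com",                     # ordinary MTA name
    "192.0.2.13": "13.2.0.192.dialup.example-isp.net",    # reversed octets, dial pool
    "192.0.2.14": None,                                   # no reverse DNS at all
    "192.0.2.15": "dsl-15.biz.example-isp.net",           # DSL line, assignment unknown
    "192.0.2.16": "dsl-static-16.biz.example-isp.net",    # DSL line the ISP labels static
}

# Constructed DNSBL zone (hypothetical name). A DNSBL is queried by reversing the
# address octets and appending the zone; an A answer such as 127.0.0.2 means "listed".
DNSBL_ZONE = "dyn.dnsbl.example"
FAKE_DNSBL = {
    "13.2.0.192." + DNSBL_ZONE: "127.0.0.2",
    "14.2.0.192." + DNSBL_ZONE: "127.0.0.2",
}

# Tokens ISPs commonly put in generic customer PTR names. They are matched only as
# whole pieces between "." or "-" separators, so "landslide" does not match "dsl".
GENERIC = re.compile(
    r"(?:^|[.-])(?:dial|dialup|dsl|adsl|cable|cpe|pool|dyn|dynamic|ppp|dhcp|modem|dorm)(?:[.-]|$)")
STATIC = re.compile(r"(?:^|[.-])static(?:[.-]|$)")


def dnsbl_query_name(ip, zone):
    """Build the reversed-octet name that a DNSBL is queried for."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(ip, zone=DNSBL_ZONE, resolve=FAKE_DNSBL.get):
    """resolve() stands in for an A-record lookup; pass a real resolver to use it."""
    return resolve(dnsbl_query_name(ip, zone)) is not None


def octets_embedded(ip, name):
    """True if the four octets appear as a contiguous run of numbers in the PTR
    name, in either order (cpe-192-0-2-10 or 10.2.0.192)."""
    octets = ip.split(".")
    nums = [t for t in re.split(r"[^0-9]+", name) if t]
    for cand in (octets, octets[::-1]):
        for i in range(len(nums) - 3):
            if nums[i:i + 4] == cand:
                return True
    return False


def classify(ip, ptr=FAKE_PTR.get):
    """Collect the signals for one connecting address and give a verdict."""
    name = ptr(ip)
    result = {"ip": ip, "ptr": name, "generic": False, "octets": False,
              "dnsbl": dnsbl_listed(ip)}
    if name is None:
        result["verdict"] = "no-ptr"
        return result
    name = name.lower()
    result["generic"] = bool(GENERIC.search(name)) and not STATIC.search(name)
    result["octets"] = octets_embedded(ip, name)
    if result["dnsbl"] or (result["generic"] and result["octets"]):
        result["verdict"] = "generic-customer"   # strongest signal a name alone gives
    elif result["generic"]:
        result["verdict"] = "weak-hint"          # "dsl" describes the link, not the assignment
    else:
        result["verdict"] = "ok"
    return result


if __name__ == "__main__":
    for addr in sorted(FAKE_PTR):
        print(classify(addr))
```

The `weak-hint` verdict is the honest outcome for most "dsl" names: without a list that actually records how an ISP manages the range, the name cannot be turned into a reject decision on its own.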
John Doherty
2004-02-29 20:08:33 UTC
Post by Duncan McNiven
Post by John Doherty
there's at least one way to misuse reverse DNS as a
way to block mail
Could you spell out what you are hinting at here? I would be
interested to know more.
Sure. There are some people who reject mail from hosts whose forward
and reverse DNS don't match, although both exist.

For example, let's say that the name mail.example.com resolves to
12.34.56.78, and reverse-resolves to something else, say,
cpe5678.bigtimeisp.com.

There are those who will reject mail on that basis, but it's not wise.
There are ISPs who don't set up reverse DNS for their customers even
when asked: there's little the customer can do about that other than
switch to a different ISP or other things that aren't always
practical, and it's not really a valid basis for rejecting mail.

There are other reasons that the forward and reverse DNS may not match
as well, for example, if a single host is sending and receiving mail
for more than one domain.

If the IP address has no reverse DNS at all, that's one thing. But
rejecting mail because the forward and reverse DNS don't match is not
a good practice.

--
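An added example, not John's code, separating the two checks his post distinguishes: forward-confirmed reverse DNS (does the PTR name resolve back to the connecting address?) and the comparison he warns against (does the name the client presents match the PTR?). The DNS tables and addresses are constructed; the hosting host serving several domains and the ISP-assigned PTR name for `mail.example.net` reproduce the cases he lists. Which action to take when there is no reverse DNS at all is left as a site option, since the post only says that is "one thing".

```python
from enum import Enum

# Constructed DNS data (not real hosts). FAKE_PTR: reverse answers per address,
# None meaning no PTR record. FAKE_A: forward answers per name.
FAKE_PTR = {
    "192.0.2.20": "mail.example.com",             # forward and reverse agree
    "192.0.2.21": "cpe5678.bigtimeisp.example",   # ISP-assigned PTR; HELO says mail.example.net
    "192.0.2.22": "mx.hosting.example",           # one host handling several domains
    "192.0.2.23": None,                           # no reverse DNS at all
    "192.0.2.24": "stale.example.org",            # PTR exists but its forward points elsewhere
}
FAKE_A = {
    "mail.example.com": ["192.0.2.20"],
    "mail.example.net": ["192.0.2.21"],
    "cpe5678.bigtimeisp.example": ["192.0.2.21"],
    "mx.hosting.example": ["192.0.2.22"],
    "mail.alpha.example": ["192.0.2.22"],
    "mail.beta.example": ["192.0.2.22"],
    "stale.example.org": ["203.0.113.9"],
}


class Rdns(Enum):
    NONE = "no PTR record"
    CONFIRMED = "PTR name resolves back to the connecting address"
    UNCONFIRMED = "PTR name exists but does not resolve back"


def rdns_status(ip, ptr=FAKE_PTR.get, a=FAKE_A.get):
    """Forward-confirmed reverse DNS: PTR(ip) -> name, then is ip among A(name)?
    The lookups are parameters so the fake tables can be replaced by real DNS."""
    name = ptr(ip)
    if name is None:
        return Rdns.NONE, None
    if ip in (a(name) or []):
        return Rdns.CONFIRMED, name
    return Rdns.UNCONFIRMED, name


def helo_matches_ptr(ip, helo, **lookups):
    """The comparison John describes as misused: does the name the client presents
    equal the PTR name? Kept here only so that it can be logged."""
    _, name = rdns_status(ip, **lookups)
    return name is not None and name.lower() == helo.lower()


def policy(ip, helo, reject_no_ptr=True, **lookups):
    """Return (action, reason). Only the complete absence of reverse DNS is treated
    as a rejection ground, and only if the site chooses to; a HELO/PTR mismatch is
    recorded in the reason and never causes a rejection."""
    status, name = rdns_status(ip, **lookups)
    if status is Rdns.NONE:
        if reject_no_ptr:
            return "reject", "no reverse DNS for %s" % ip
        return "accept", "no reverse DNS for %s (accepted by site policy)" % ip
    reason = "%s; helo=%s ptr=%s" % (status.value, helo, name)
    if not helo_matches_ptr(ip, helo, **lookups):
        reason += " (names differ: expected for ISP-managed PTRs or multi-domain hosts)"
    return "accept", reason


if __name__ == "__main__":
    for ip, helo in (("192.0.2.20", "mail.example.com"),
                     ("192.0.2.21", "mail.example.net"),
                     ("192.0.2.22", "mail.beta.example"),
                     ("192.0.2.23", "unknown.example"),
                     ("192.0.2.24", "stale.example.org")):
        print(ip, policy(ip, helo))
```

The `192.0.2.21` case is the one from the post: `mail.example.net` forward-resolves to the address, the PTR is the ISP's `cpe5678` name, and that name itself forward-resolves back, so reverse DNS is confirmed and the mismatch with HELO is merely noted.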
Markus Zingg
2004-02-29 10:08:30 UTC
Ok

Looks like I was not clear enough - sorry for that.

I wrote my own SMTP / POP3 server from scratch. There's a whole lot
more to it but I don't want to delve into further details at this
point in time or burn your time reading things you may not be
interested in. To better understand my question it's however important
to understand that it's NOT Linux nor Windows based and not at all
related to any existing server code.

I do already have an IMHO quite nicely working spam filter in place,
but I would like to further improve it mostly to catch all those worms
that are sent from infected machines all over the place. I already can
rename dangerous attachments based on the extension used in the
filename or reject mail based on this etc. However, I would like to be
able to block all mail from SMTP sources which are part of a
"broadband residential network" as John described in his post.

As mentioned, I see that I could perform a reverse DNS lookup with the
remote IP that connects to the server, then examine the string. I
simply wonder if there is a better way to do it, or, if it's the way to
do it, what exactly to look for in the string.

As far as I understand AOL is doing this and I figure others are doing
it also. I figure many admins of such hosts/systems lurk around here
and may be able to give me a pointer on how to achieve this the best possible
way.

I hope this made it more clear. English is not my native language so
bear with me if this sounds/reads odd in any ways.

Markus
Jem Berkes
2004-02-29 18:29:29 UTC
Post by Markus Zingg
I'm therefore wondering how technically a static IP can be
distinguished from a dynamic one. What comes to mind is
There is no reliable way to do this short of consulting a database (i.e.
DNS). All IP hosts look, rather, ARE equivalent on the Internet.

The reverse DNS etc. you talk of will probably work. You can hack yourself
together a list of regex patterns to look for in host names. On top of that
you can consult one of the many dynamic list databases that are maintained.
--
Jem Berkes
http://www.sysdesign.ca/
Jem Berkes
2004-02-29 18:35:03 UTC
Post by Jem Berkes
Post by Markus Zingg
I'm therefore wondering how technically a static IP can be
distinguished from a dynamic one. What comes to mind is
There is no reliable way to do this short of consulting a database
(i.e. DNS). All IP hosts look, rather, ARE equivalent on the Internet.
Oops, I didn't mean to imply that consulting someone else's database is
inherently reliable (can't be -- you're trusting someone else :)
Post by Jem Berkes
The reverse DNS etc. you talk of will probably work. You can hack
yourself together a list of regex patterns to look for
Keyword there is "hack", this is an ugly method, and will on occasion catch
hosts that you don't intend to. Consulting a trusted DNSBL is better.
John Elsbury
2004-03-01 09:46:37 UTC
Post by Jem Berkes
Post by Markus Zingg
I'm therefore wondering how technically a static IP can be
distinguished from a dynamic one. What comes to mind is
There is no reliable way to do this short of consulting a database (i.e.
DNS). All IP hosts look, rather, ARE equivalent on the Internet.
If you really feel you need the exercise, you should be able to
automate the process:

Check own blocking list, block mail from listed /16s.
Detect worm / virus arriving, look up originating IP, add entire /16
to list. Sort list.
Repeat.
If you have the time and inclination, you could try doing it in
smaller increments, i.e. /24s.
If there are any legitimate static IPs belonging to "good" MTAs in
that range then you will take them out as well, whether you want to
live with that is up to you.

I surmise that sooner or later the world will be divided into ISPs
who don't allow e-mail traffic from their dialup / ADSL IP customers
to pass through unless it is going to their own MTA, and those that
do: and that those that don't will stop accepting SMTP traffic from
those that do. If you were to publish your list it would be a very
useful addition to the dynamic IP space lists. Perhaps you could call
it "VIEWS". Given the very large number of infected PCs right now,
this is a very good time to start.

Please remove "nospam" from mailto address
when replying
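An added example, not John's or Markus's code, of the self-feeding prefix list John sketches: check the connecting address against the list, and when a worm is detected add the source's whole /16 (or /24) and keep the list sorted. The attachment-extension check stands in for whatever detector Markus already has, the deliveries and addresses are constructed, and an exact-address whitelist is included for the smarthost exception Vernon mentioned. Running it with a /16 shows the collateral damage John warns about: a legitimate MTA in the same /16 is cut off; a /24 or a whitelist entry spares it.

```python
import ipaddress

# Attachment extensions of the kind Markus says he already renames or rejects on.
# The list is a constructed sample, not a complete one.
WORM_EXTENSIONS = (".pif", ".scr", ".exe", ".bat", ".cmd", ".com", ".vbs")


def looks_like_worm(attachment):
    """Crude attachment check standing in for the detector that feeds the list.
    Only the final suffix counts, so report.txt.pif is caught."""
    if not attachment:
        return False
    return attachment.lower().endswith(WORM_EXTENSIONS)


class PrefixBlocklist:
    """Blocklist learned from worm sources, one whole /prefix_len per hit.
    whitelist holds exact addresses (an ISP's smarthosts, say) never to block."""

    def __init__(self, prefix_len=16, whitelist=()):
        self.prefix_len = prefix_len
        self.nets = set()
        self.whitelist = {ipaddress.ip_address(a) for a in whitelist}

    def learn(self, ip):
        """Add the covering prefix of a worm source; returns it as text."""
        net = ipaddress.ip_network("%s/%d" % (ip, self.prefix_len), strict=False)
        self.nets.add(net)
        return str(net)

    def blocked(self, ip):
        addr = ipaddress.ip_address(ip)
        if addr in self.whitelist:
            return False
        return any(addr in net for net in self.nets)

    def entries(self):
        """The sorted list John suggests keeping (and perhaps publishing)."""
        return [str(net) for net in sorted(self.nets)]

    def collateral(self, good_mtas):
        """Which known-good MTAs the current list would cut off."""
        return [m for m in good_mtas if self.blocked(m)]


def handle(bl, src_ip, attachment):
    """One SMTP delivery: consult the list, then detect and learn."""
    if bl.blocked(src_ip):
        return "reject", "source %s in blocked prefix" % src_ip
    if looks_like_worm(attachment):
        return "reject", "worm attachment; learned " + bl.learn(src_ip)
    return "accept", "ok"


# Constructed deliveries: (source address, attachment file name), in arrival order.
SAMPLE_DELIVERIES = [
    ("198.51.100.7", "photo.jpg"),
    ("198.51.100.8", "report.txt.pif"),   # worm: the source's prefix is learned here
    ("198.51.100.9", "invoice.pdf"),      # clean, but now inside the learned prefix
    ("198.51.77.1", "notes.txt"),         # a legitimate MTA in the same /16, other /24
    ("203.0.113.5", "agenda.doc"),
]
GOOD_MTAS = ["198.51.77.1", "203.0.113.25"]   # constructed "good" MTA addresses


def run(prefix_len=16, whitelist=()):
    """Replay the sample deliveries; returns (decisions, list entries, collateral)."""
    bl = PrefixBlocklist(prefix_len, whitelist)
    decisions = [handle(bl, ip, att)[0] for ip, att in SAMPLE_DELIVERIES]
    return decisions, bl.entries(), bl.collateral(GOOD_MTAS)


if __name__ == "__main__":
    for args in ((16, ()), (24, ()), (16, ("198.51.77.1",))):
        print(args, run(*args))
```

The third run shows the only way a /16 list keeps a good MTA in a bad neighbourhood reachable: an explicit exception, which has to be maintained by hand as such hosts move.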
