Repairing IP Address Reputations

By Leo Vegoda
September 26, 2022

Some descriptions cool the enthusiasm of any potential buyer. For instance, “as is” or “unrestored” generally raise red flags. “Fixer upper” is less than neutral, signaling the need for repair. In that sense, address blocks can be like houses: the need for immediate repair can lower their value, and along with it the price of the asset. IP address “reputation” is a key characteristic in this regard. Buyers consider the time and money required to update an address block’s reputation when bidding to buy it.

What is IP Address Reputation?

The IP addresses we use for ordinary internet services look like they are interchangeable. But they often are not. Many internet users give each IP address a reputation based on different characteristics, including the history of the IP address’ use. Changing reputations – especially repairing them – can take time and effort. Address conditions or histories that impact value include the following considerations:

  • Mail service providers care about spam and an address’ prior use in sending it
  • Access providers – including enterprise networks – care about the kind of content served
  • Content providers care about the location of the users of IP addresses

Each kind of organization cares about one or more different characteristics of an address. The characteristics they care about – qualities they approve or disapprove – impact whether they’ll accept mail from or serve content to a specific address. And the history of an IP address’ use can greatly influence how useful it is for sending and receiving content.

One example of reputation damage is the use of an IP address to send spam or some other form of malicious email. Often, this email is sent using IP addresses properly registered to someone else. Spammers use purloined IPs for as long as they can and move on to newly-stolen IP addresses when the first one is effectively blocked. Other IP hijackers send server malware that infects computers to cause all sorts of damage and/or extort hard cash. Eventually, they stop and leave the legitimate user of the IP addresses with a damaged asset: the IP address.

Many organizations track the behavior of each IP address connecting to their network. They use this information to decide whether they want to accept mail or web traffic from those IP addresses again. Other organizations rely on blocklists compiled by monitors of this bad behavior. Getting removed from one of these blocklists can be time-consuming.

The process of email delivery is always changing. Responsible companies work to make sure that they only send email that people want to read.

Their processes change as the nature of the email ecosystem adapts. ISP Feedback Loops played an important role for years. These are a way for mailbox hosts to let senders know when readers report they don’t want a message. These loops balanced the blocklist signals used by email reputation organizations.

The Email Sender & Provider Coalition curates a selection of resources to advise industry participants.

Why Care About Reputation?

It is important to know how much effort it can take to update the reputation for a block of addresses. Some blocklists expire entries if they have not seen any abuse for a while. But where a current blocklist includes an address, its new owner or its seller must contact the operators of the lists in question. A third kind of blocking list doesn’t publish a list, and an owner will only find out about the negative listing status when reports from customers appear.

How Can You Detect a Bad Reputation?

One sign of possible abuse is an address block – or parts of it – being routed from multiple networks. This is especially likely if the unusual routing happened for a short time. Pakistan Telecom’s hijacking of YouTube in 2008 is a classic example of this.

IP owners can see this kind of behavior when looking at the routing history in RIPEstat. This is the RIPE NCC’s “one-stop shop” for internet-related information. RIPEstat also gives you information about the location of addresses. But it is only one of many sources of data. Which ones matter will depend on the intended use of the addresses in question.
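An added example (not from the original article or from RIPEstat): one way to scan routing-history records for the pattern described above, an address block originated by a network other than the expected one, especially for a short time. The record layout, the function name and the sample data are assumptions constructed for the example; the prefixes and AS numbers come from documentation ranges.

```python
import ipaddress
from datetime import date, timedelta

# Constructed routing-history records: (prefix, origin ASN, first seen, last seen).
# This tuple layout is an assumption for the example, not RIPEstat's output format.
HISTORY = [
    ("198.51.100.0/24", 64500, "2019-01-01", "2022-09-01"),
    ("198.51.100.0/24", 64511, "2021-03-10", "2021-03-12"),
    ("198.51.100.0/25", 64511, "2021-03-10", "2021-03-11"),
    ("203.0.113.0/24", 64500, "2018-06-01", "2022-09-01"),
]

def find_unexpected_origins(history, block, expected_origins,
                            short_lived=timedelta(days=30)):
    """List announcements inside `block` that came from an unexpected origin AS."""
    block = ipaddress.ip_network(block)
    parsed = [(ipaddress.ip_network(p), asn,
               date.fromisoformat(s), date.fromisoformat(e))
              for p, asn, s, e in history]
    # Keep only announcements of the block itself or of a more specific prefix.
    inside = [r for r in parsed
              if r[0].version == block.version and r[0].subnet_of(block)]
    findings = []
    for prefix, asn, start, end in inside:
        if asn in expected_origins:
            continue
        # Was an expected origin announcing the same or a covering prefix
        # during the same period (the block visible from multiple networks)?
        concurrent = any(
            o_asn in expected_origins and prefix.subnet_of(o_prefix)
            and o_start <= end and start <= o_end
            for o_prefix, o_asn, o_start, o_end in inside)
        findings.append({
            "prefix": str(prefix),
            "origin": asn,
            "days": (end - start).days,
            "short_lived": (end - start) <= short_lived,
            "concurrent_with_expected": concurrent,
        })
    return sorted(findings, key=lambda f: (f["prefix"], f["origin"]))

if __name__ == "__main__":
    for f in find_unexpected_origins(HISTORY, "198.51.100.0/24", {64500}):
        print(f)
```

A finding that is both short-lived and concurrent with the expected origin is the one to investigate first when assessing a block's history.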

For instance, an access provider will want to make sure the geolocation data is accurate so users can shop and stream as they’d expect. In contrast, a mail services provider would not want their addresses on lists used to record sources of spam, phishing and other mail abuse.

How Can You Change (Repair) a Bad Reputation?

The organizations that maintain reputation lists do so to serve their customers’ needs. Those needs vary and so do the processes they use to update their lists.

The first step in any IP remediation is to make sure the information published in the Regional Internet Registry’s (RIR’s) or National Internet Registry’s (NIR’s) database is correct. Next, signing resources with RPKI will make it harder for other networks to use your addresses.
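An added example (not from the original article): how a network that validates route origins against RPKI, following RFC 6811, classifies an announcement once a ROA exists for your block. This is why signing makes misuse harder, though only on networks that validate and drop invalid routes. The function name and the ROA and prefix values are constructed for the example, using documentation ranges.

```python
import ipaddress

# Constructed ROAs: (prefix, maxLength, authorized origin ASN).
ROAS = [
    ("198.51.100.0/24", 24, 64500),
]

def validate_origin(roas, announced_prefix, origin_asn):
    """Return the RFC 6811 validation state: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(announced_prefix)
    covered = False
    for prefix, max_length, asn in roas:
        roa_net = ipaddress.ip_network(prefix)
        # A ROA is relevant only if its prefix covers the announced route.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Match requires the authorized origin and a prefix length within
        # maxLength. An AS0 ROA never matches any route (RFC 6483).
        if asn != 0 and asn == origin_asn and route.prefixlen <= max_length:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid.
    return "invalid" if covered else "not-found"

if __name__ == "__main__":
    for prefix, asn in [
        ("198.51.100.0/24", 64500),   # the holder's own announcement
        ("198.51.100.0/24", 64511),   # same prefix, different origin
        ("198.51.100.0/25", 64500),   # more specific than maxLength allows
        ("203.0.113.0/24", 64511),    # no ROA covers this prefix
    ]:
        print(prefix, asn, validate_origin(ROAS, prefix, asn))
```

Setting maxLength to the longest prefix you actually announce keeps more-specific announcements of your space in the invalid state.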

The RIRs and NIRs want owners to keep their records accurate, so they make it easy to update them. Anyone can write or speak to them for help.

There are two main approaches to removal from blocklists: time-based and self-service removal.

  • Some blocklists automatically remove IP addresses that are only detected briefly. The time it takes for an address to be removed increases as the operator detects more negative events. One example from this category is
  • Self-service removal lists will publish a request process on their website. While the essentials are similar, the specifics change from list to list. As long as the underlying problem is resolved, little effort is required. Spamhaus has moved to a structured process for this, with a fallback to a manual process when it doesn’t work.

The key to both is that any abuse that was detected has stopped. As transferred addresses will be deployed on new infrastructure, this should not be an issue.

Updating geolocation data is often the most time-consuming process. Automated approaches to sharing this data are available, but each network will make a decision based on what is most important to them. Some networks consider the time it takes to get data to your network as most important. Other networks need to consider if their content is licensed for the users of your network. This is because different services have different needs. For example, a VoIP provider cares about latency while a streaming provider might care about distribution rights. One might be happy and legally able to provide cross-border services while the other might not.

Many geolocation data providers treat their evaluations as proprietary and do not publish them. But there are publicly available services. These give an indication of at least the country where the addresses are thought to be.