
Use Spamhaus PBL to Decode Mixed Use Space?


incrediBILL

3:32 pm on Dec 13, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



It occurs to me that the Spamhaus Policy BlockList (PBL) could be used in reverse to identify data centers on those same ISP/Hosts (like Comcast) where IP usage is often unclear for their hosting.

Here's what I mean: normally the PBL is used to identify ISP residential customers or other sources not authorized to send email, therefore, it could be assumed the IP is not part of their hosting facility. Additionally, vice versa, any IP that doesn't get a PBL response, meaning policy allows it to send email, could be assumed to be associated with their hosting facility.

Let's use a Comcast IP as an example. The PBL's response to the IP will indicate if it's probably a home user of their service by indicating that the IP violates the PBL by directly sending email. Otherwise, it's probably a business/hosting data center IP address. It would be worth testing some Comcast business addresses known to be from office space to test this theory.

If this works with a decent level of reliability, the Spamhaus PBL could be an invaluable tool in figuring out the actual usage in mixed IP space and allow us to finally block sub ranges without worrying too much about blocking actual customers from our servers.

Anyone ever try this?

Thoughts?
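The lookup described in the post above, as an added example that is not part of the thread and not Spamhaus' own tooling: build the reversed-octet query name, resolve it under zen.spamhaus.org, and decode the A-record return codes. The query format and the return codes are the ones Spamhaus documents for its public ZEN zone; the verdict labels, the TEST-NET sample addresses and the canned answers in `FAKE_ANSWERS` are constructed for this example so it runs offline. The `not_pbl_listed` verdict is deliberately reported as inconclusive rather than as "hosting space".

```python
"""Decode a Spamhaus ZEN/PBL lookup for one IPv4 address.

Added example; not Spamhaus code. Return codes are the documented ones
for zen.spamhaus.org. Verdict labels and sample data are this example's own.
"""
import ipaddress
import socket
from typing import Callable, Dict, List

ZONE = "zen.spamhaus.org"

# PBL codes: 127.0.0.10 means the listing came from the ISP's own policy
# data, 127.0.0.11 means Spamhaus added the range itself.
PBL_CODES = {
    "127.0.0.10": "PBL, ISP-maintained policy (ISP says: end-user space)",
    "127.0.0.11": "PBL, Spamhaus-maintained policy",
}
# Non-PBL ZEN listings, reported separately so they are not misread as policy data.
OTHER_CODES = {
    "127.0.0.2": "SBL (spam source)",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL (compromised host)",
    "127.0.0.5": "XBL (compromised host)",
    "127.0.0.6": "XBL (compromised host)",
    "127.0.0.7": "XBL (compromised host)",
}
# Spamhaus error codes: the answer is about the query, not the IP.
ERROR_CODES = {
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "query via public/open resolver refused",
    "127.255.255.255": "excessive queries, access blocked",
}

Resolver = Callable[[str], List[str]]


def reverse_query_name(ip: str, zone: str = ZONE) -> str:
    """Reverse the octets and append the zone (1.2.3.4 -> 4.3.2.1.zone).

    Raises ValueError for anything that is not a plain IPv4 literal, so a
    hostname or an IPv6 address cannot silently produce a bogus query.
    """
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dns_resolver(name: str) -> List[str]:
    """Live lookup. NXDOMAIN (not listed) is returned as an empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def classify_pbl(ip: str, resolver: Resolver = dns_resolver) -> Dict[str, object]:
    """Return the query name, raw codes, a verdict and the non-PBL hits."""
    name = reverse_query_name(ip)
    codes = sorted(set(resolver(name)))
    errors = [ERROR_CODES[c] for c in codes if c in ERROR_CODES]
    other = [OTHER_CODES.get(c, "unknown code " + c)
             for c in codes if c not in PBL_CODES and c not in ERROR_CODES]

    if errors:
        verdict, note = "error", "; ".join(errors)
    elif "127.0.0.10" in codes:
        verdict, note = "isp_policy", PBL_CODES["127.0.0.10"]
    elif "127.0.0.11" in codes:
        verdict, note = "spamhaus_policy", PBL_CODES["127.0.0.11"]
    else:
        # Absence of a PBL listing is inconclusive: an ISP that blocks port 25
        # at the network edge may never have registered its ranges at all.
        verdict, note = "not_pbl_listed", "no PBL data; do not infer hosting use"

    return {"ip": ip, "query": name, "codes": codes,
            "verdict": verdict, "note": note, "other": other}


# Constructed answers (TEST-NET addresses) so the example runs offline.
FAKE_ANSWERS = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.10"],
    "20.2.0.192.zen.spamhaus.org": ["127.0.0.11", "127.0.0.4"],
    "30.2.0.192.zen.spamhaus.org": ["127.255.255.254"],
}


def fake_resolver(name: str) -> List[str]:
    return FAKE_ANSWERS.get(name, [])


if __name__ == "__main__":
    for sample in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        r = classify_pbl(sample, fake_resolver)
        print(sample, r["verdict"], "-", r["note"], r["other"])
```

Swap `fake_resolver` for the default `dns_resolver` to run it live; queries sent through a public recursive resolver come back with the 127.255.255.254 code, which the function reports as an error rather than a listing.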

DeeCee

7:55 pm on Dec 13, 2011 (gmt 0)

10+ Year Member



If I understand you correctly.

It sounds like you are making the assumption that SPAMHAUS policies actually contain the mapping for "all" or most ISPs versus home customers? And can be maintained as these ranges change? Since they depend on ISPs logging in and maintaining their own IP ranges, I don't think you can trust it enough, so any such mapping would likely be too unstable to use.

I think SPAMHAUS (and others blocking ranges of home-user IPs from sending email bypassing the ISP's servers) merely add a policy range after a specific problem has been seen, or when an ISP specifically adds their home-user ranges to SPAMHAUS PBL, rather than configuring their own firewalls to handle it.

But here is one problem with that. ISPs that have configured their network "correctly", and are blocking home-users from connecting on port 25 unless to the ISP mail-servers, do not have to add themselves to SPAMHAUS.

For example, my home ISP is Suddenlink, and they block port 25 (even to my own outside mail-servers). They are not blocking using SPAMHAUS policy (I checked my IPs. Nothing is on the PBL lists.)

I connect to my own mail-servers from home email, but using secure ports (login + encryption), which is allowed.

It would seem that using PBL in reverse to verify home-user status would kind of require you to know the validity status on the SPAMHAUS PBL of all current and future ISPs. Impossible I think. :-)

incrediBILL

8:17 pm on Dec 13, 2011 (gmt 0)




The Spamhaus PBL is primarily populated by the ISPs supplying the data themselves; it's the ISPs' policies on usage, not Spamhaus'.

That's why I think it'll work, for the most part, because the data is direct from the ISP and if it's not, you get a different result code saying it's not.

DeeCee

8:39 pm on Dec 13, 2011 (gmt 0)




You said: "by the ISPs supplying the data themselves".

That's exactly what I meant. But my point was that ISPs that have configured themselves to simply block outgoing mail except through their own mail-servers will never have home-users send direct mail (spam or otherwise) into the Internet. Outgoing emails are tracked, limited in count, and cannot reach a level useful to a spammer. Outgoing mail will always be from a main ISP mailserver and is tracked.

Hence no reason to log into SPAMHAUS to "report" the use of their IP ranges.

For those types of ISPs, which I would assume are many of them, you cannot use the PBL to distinguish home-ranges from business-ranges, if that was what you were thinking, as none of them are tracking in PBL.

For Suddenlink as I mentioned, not being on the PBL does not mean that it is a business or mixed use IP.
It simply means that Suddenlink handle their own blocking and tackling, without SPAMHAUS reporting.

For many ISPs that add their home-ranges to the SPAMHAUS PBL, I think it is merely a defensive move. To protect the "reputation" of certain IP ranges. But that's merely my guess.

dstiles

10:44 pm on Dec 13, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Sorry, Bill, I agree with DeeCee. PBL is useful as a secondary check where the IP range's purpose is in doubt - I sometimes use it (and blacklistalert in a slightly different way) for that.

Spamhaus allows ISPs to add their own ranges of "broadband" IPs but there is sadly no compulsion (obviously). Spamhaus also add known "bad" ranges into the PBL themselves.

Many Far Eastern providers (and East Europeans, even ordinary Europeans) do not put their IP ranges into Spamhaus. When they do, it's often broken up into /22 or smaller blocks which makes it difficult to determine the full range of what is often a /16 or bigger block.

The likes of Comcast users are, to a large extent, abusing their ISP, who do not add their IP ranges into Spamhaus because they are "business" ranges - which is pretty much rubbish as it allows anyone to abuse mail systems and, as you're aware, web systems. Comcast itself is one of my biggest "bad" hitters, yet when you examine the individual IPs using (eg) umit they are often running open ports, either because they are compromised or because they think they "know what they're doing".

One of my primary checks for server/broadband ranges is robtex CNET - check to see the DNS distribution and apparent usage across one or more /24 groups. Doesn't pick up some clouds, but nothing's perfect. :)

If it comes to the worst, run umit scan checks on several IPs in the range - time consuming, though. :(

DeeCee

1:23 am on Dec 14, 2011 (gmt 0)




Please do not "scan" the ports on any of my IPs. :)

Getting caught poking "bad" ports will get the poking party added to DNSBL as a potential hacker, and will not actually accomplish much. I run access to "bad" ports purely by whitelist.

It might make a new pretty colored dot show up on my offenders maps, though. :) I do like colors.. :)

dstiles

10:52 pm on Dec 14, 2011 (gmt 0)




There are times when a quick scan is the only way of telling if a computer has open ports and which those are. Depending on the result, the computer on that IP can be classified as good, bad or evil. In many cases the machine is on a static DSL line: a bad result may indicate it's worth blocking the IP permanently.

There is a big difference between a quick port scan for security purposes and an extensive and persistent all-ports scan.

DeeCee

11:18 pm on Dec 14, 2011 (gmt 0)




I don't disagree with that in principle, when viewed from the poker's perspective.

But from the point of view of the one being poked, if anyone starts trying to point sticks through SSH, Remote Desktop, RADMIN, WebSM, VNC, MySQL, Oracle, and similar ports they are in line for a block listing.

There is a large amount of that going on from China every day/night. As of right now, I am measuring 35.65% of attempts on system type ports coming from China, and 70.06% of all runs on database ports from China.
The only clearly red country on my maps. Second is the USA, with "only" 14.88%.

The US on the other hand wins clearly on web content/link spamming, at 18+%. Taking over from email-spamming since CAN-SPAM.

dstiles

10:23 pm on Dec 15, 2011 (gmt 0)




I suppose the beauty of the way I scan is: I usually only scan a machine if it has already annoyed me (eg trying to hack/scrape/bot/virus my server) AND its DNS does not clarify its purpose in life.

So I really do not care if the same people ban me from scanning: by the time they do I already have the basic information, since the first ports scanned are the "public" ones anyway (80, 25 etc). :)

DeeCee

10:28 pm on Dec 15, 2011 (gmt 0)




Ha. Good strategy. :)

I'll try not to annoy you.. :)