Re: How do you stop outgoing spam?

2002-09-10 Thread Petri Helenius


Eliot Lear wrote:
 
 Please be aware that this could have unintended consequences, and should
 be used in very constrained ways.  In particular, there are any number
 of applications, including VPN applications that use port 80.  I would
 recommend that only specified destinations get such treatment, if you
 apply it at all.
 
If somebody is ignorant enough to implement IP over HTTP, why should
they be accommodated? There are numerous reasons why there are other 
port numbers to TCP than 80 and other protocol numbers to IP than 6.

We could save a lot by eliminating unnecessary headers...

Pete



Re: How do you stop outgoing spam?

2002-09-10 Thread Rafi Sadowsky



## On 2002-09-10 10:02 +0300 Petri Helenius typed:

PH 
PH If somebody is ignorant enough to implement IP over HTTP, why should
PH they be accommodated? There are numerous reasons why there are other
PH port numbers to TCP than 80 and other protocol numbers to IP than 6.

 Why do you think they're ignorant?
Isn't TCP over HTTP normally used to attempt bypassing of firewalls?

 IMHO Firewall/Security admins are ignorant
if they don't take this into account

AFAIK you can tunnel IP over(at least):

 1) HTTP(not just use port 80 for non HTTP traffic)

 2) ICMP ...

 3) DNS queries(needs an external custom cooperating DNS)

-- 
Rafi
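
The third item on Rafi's list, data carried inside DNS query names to a cooperating server, is easy to describe and easy to get subtly wrong (label and name length limits, padding). The following is an added example, not code from the thread: a minimal encoder/decoder pair for the client and the cooperating server, plus the kind of heuristic a resolver-log filter would use to spot such names. The zone name "tun.example", the chunk size and the entropy threshold are assumptions chosen for illustration.

```python
import base64
import math
from collections import Counter

# Assumed for illustration: the zone the cooperating server is authoritative for.
TUNNEL_ZONE = "tun.example"
MAX_LABEL = 63      # RFC 1035 limit on one label
MAX_NAME = 253      # practical limit on a full presentation-format name

# Constructed sample payload (deterministic, byte values spread over 0..255).
SAMPLE_PAYLOAD = bytes((i * 97 + 13) % 256 for i in range(120))


def encode_chunk(seq: int, payload: bytes) -> str:
    """Client side: wrap one payload chunk in a query name under TUNNEL_ZONE.

    Base32 (unpadded, lowercased) keeps the data hostname-safe; the text is
    split into labels of at most 63 octets behind a sequence-number label.
    """
    b32 = base64.b32encode(payload).decode().rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    name = ".".join([f"s{seq}"] + labels + [TUNNEL_ZONE])
    if len(name) > MAX_NAME:
        raise ValueError("chunk does not fit in one query name")
    return name


def decode_query(name: str) -> tuple[int, bytes]:
    """Server side: inverse of encode_chunk."""
    if not name.endswith("." + TUNNEL_ZONE):
        raise ValueError("not a tunnel query")
    labels = name[: -len(TUNNEL_ZONE) - 1].split(".")
    seq = int(labels[0][1:])
    b32 = "".join(labels[1:]).upper()
    b32 += "=" * (-len(b32) % 8)          # restore the padding stripped above
    return seq, base64.b32decode(b32)


def tunnel_send(data: bytes, chunk: int = 100) -> list[str]:
    """Split data into chunks and return the query names to resolve, in order."""
    return [encode_chunk(i, data[off:off + chunk])
            for i, off in enumerate(range(0, len(data), chunk))]


def tunnel_receive(queries: list[str]) -> bytes:
    """Reassemble chunks from the queries the server saw (any arrival order)."""
    parts = dict(decode_query(q) for q in queries)
    return b"".join(parts[i] for i in sorted(parts))


def label_entropy(label: str) -> float:
    """Shannon entropy (bits per symbol) of one label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_tunnel(name: str) -> bool:
    """Detector heuristic: any long label with high symbol entropy.

    Ordinary hostnames have short, low-entropy labels; encoded payloads do not.
    The 30-octet and 3.5-bit thresholds are assumptions, not a standard.
    """
    labels = name.rstrip(".").split(".")
    return any(len(l) >= 30 and label_entropy(l) > 3.5 for l in labels)
```

The detector is deliberately crude: a real filter would also look at query volume per client, TXT/NULL record types and the share of NXDOMAIN answers, since a single high-entropy label also occurs in legitimate CDN and anti-spam lookups.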






Re: How do you stop outgoing spam?

2002-09-10 Thread Marshall Eubanks


On Tue, 10 Sep 2002 01:48:57 +0200 (CEST)
 Iljitsch van Beijnum [EMAIL PROTECTED] wrote:
 
 On Mon, 9 Sep 2002, Marshall Eubanks wrote:
 
   Ok, suppose someone can touch type. The world record is something like
   600 key presses per minute, which is 10 41-byte TCP packets per second ~= 4
   kbps.
  
  When I go to Internet cafes (I like Global Gossip), I connect my Ti-book
  to the local ethernet if at all possible (that's why I like Global Gossip)
  and use high bit rates (i.e., file transfers) in both directions.
 
 Would the uploads be HTTP? That's the only thing I'd want to limit to a
 few kbps. (Well, and outgoing SMTP to 0 kbps.)


When I am at a cafe I use a web based encrypted email program, and
if I email a large attachment (say a pdf file), then it goes http outbound.
The other major outbound bandwidth use is scp (very rarely, ftp or ssh).

I do not really see what the touch typing limit is relevant to - whose primary
Internet use is telnet/ssh nowadays?

Again, when I go to a cafe in another city, I am generally there to
get some work done, and frequently have a bunch of previously prepared
files to send. I may not be a typical user...

Regards
Marshall

 
  If I was limited to 4 kbps outbound, I would want my money back.
 
  Just one customer viewpoint :)
 
 Understandable. On the other hand, spammers using internet cafes isn't
 good either.
 




Re: How do you stop outgoing spam?

2002-09-10 Thread alex


 If somebody is ignorant enough to implement IP over HTTP, why should
 they be accommodated? There are numerous reasons why there are other 
 port numbers to TCP than 80 and other protocol numbers to IP than 6.

Unlike some people that immediately jump to conclusions, that someone may be
not arrogant, but bright - using port TCP 80 is an excellent way to bypass
firewalls. If your firewall performs content analysis, one can simply encode
the data in valid HTML code.

Alex




Re: How do you stop outgoing spam?

2002-09-10 Thread alex


 Hi Eliot
 
  Maybe I'm missing something obvious but do how you get rate-limiting per
 TCP *flow* with Cisco IOS ?

It is more trouble than it's worth. SPAM is not a technical problem. It is a
social problem. Using technical methods is not going to solve the problem.
In the end, every time we come up with another method of detecting and
blocking spam, another method of bypassing this defense is going to show up.

Alex




Re: How do you stop outgoing spam?

2002-09-10 Thread David Charlap


Rafi Sadowsky wrote:
 
 AFAIK you can tunnel IP over(at least):
 
  1) HTTP(not just use port 80 for non HTTP traffic)
 
  2) ICMP ...
 
  3) DNS queries(needs an external custom cooperating DNS)

E-mail: http://detached.net/mailtunnel

-- David




VU#210321

2002-09-10 Thread CERT(R) Coordination Center


-----BEGIN PGP SIGNED MESSAGE-----

Hello,

The CERT/CC has recently seen discussions in a public forum detailing
potential vulnerabilities in several TCP/IP implementations (Linux,
OpenBSD, and FreeBSD). We are particularly concerned about these types
of vulnerabilities because they have the potential to be exploited
even if the target machine has no open ports.

The messages can be found here:

http://lists.netsys.com/pipermail/full-disclosure/2002-September/001667.html
http://lists.netsys.com/pipermail/full-disclosure/2002-September/001668.html
http://lists.netsys.com/pipermail/full-disclosure/2002-September/001664.html
http://lists.netsys.com/pipermail/full-disclosure/2002-September/001643.html

Note that one individual claims two exploits exist in the
underground. At this point in time, we do not have any more
information, nor have we been able to confirm the existence of these
vulnerabilities.

We would appreciate any feedback or insight you may have. We will
continue to keep an eye out for further discussions regarding this
topic.

FYI,
Ian

Ian A. Finlay
CERT (R) Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA  USA  15213-3890
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBPX3/VqCVPMXQI2HJAQFEqQQAr54e9c5SGgrIfmK5+EWqSOdvySKRtjwa
6dE4Z4DcoyHS57W5BEwW2OSXSGwrBL+mzippfTEnwAVT/otLYAADsnlPSQioRYNi
qHVh8yRXgh3kBgx3cMdhe3NC6zaSWffOsc/EvhkCDo2xa8FQItOqE5MjOeASjt1L
st5qq4mgM+E=
=kHt1
-----END PGP SIGNATURE-----



RE: VU#210321

2002-09-10 Thread Derek Samford


Ian,
So right now this is a scary rumor floating around the security
scene? Is there any particular trace, or any further details you're aware
of? Also, I think it may be safe to assume the Mac OS X/Jaguar may be
vulnerable as well. AFAIK it runs off the BSD IP stack, so it's more than
likely that it is vulnerable if this exploit is in fact a reality. I'll
keep an eye out for any suspicious traffic myself, as I'm sure will the
rest of the list. Thanks for the warning, as if this is real, it could
be potentially very harmful. Any great C coders out there start
poring over the code yet?

Derek





RE: VU#210321

2002-09-10 Thread CERT(R) Coordination Center


-----BEGIN PGP SIGNED MESSAGE-----

Hi, Derek.

So right now this is a scary rumor floating around the security
scene? 

Right. Rumors for now...

Is there any particular trace, or any further details your aware
of? 

Not at this time.

Also, I think it may be safe to assume the Mac OS X/Jaguar may be
vulnerable as well. AFAIK it runs off the BSD IP stack, so it's more than
likely that it is vulnerable if this exploit is in fact a reality. I'll
keep an eye out for any suspicious traffic myself, as I'm sure will the
rest of the list. 

Thank you, we really appreciate it.

Thanks for the warning, as if this is real, it could
be potentially very harmful. Any great C coders out there start
poring over the code yet?

Glad to be of help. I really appreciate the feedback we get from the
NANOG community.

Thanks again,
Ian

Ian A. Finlay
CERT (R) Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA  USA  15213-3890




-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBPX4I9aCVPMXQI2HJAQFabAQAnwkyxn2LZJ0VOv3L7RT5jwzGEy0pRL7A
FRE920tu4ys8fuaoweFp1YaiUUlVPFuoPFgFWlsHJ7uUkUVcL0T6Kzm5bzp8C5hz
QYdYjuumEj1thy/zxzzAJIsJqiLcXG0rW0iAlpaQ0X30JqH13OEHVr4Wuev0a2Pi
efDOLkEzliQ=
=dZDX
-----END PGP SIGNATURE-----



Re: How do you stop outgoing spam?

2002-09-10 Thread Valdis . Kletnieks

On Tue, 10 Sep 2002 09:45:19 EDT, [EMAIL PROTECTED] said:

 It is more trouble than its worth. SPAM is not a technical problem. It is a
 social problem. Using technical methods is not going to solve the problem.

There are two sayings that come to mind:

You can't solve social problems with technical solutions

There are very few inter-personal problems that can't be solved by the
suitable application of high explosives

Most spam-fighting efforts on the technical side make the basic assumption
that spam has similar characteristics to a properly designed TCP stack - that
dropped/discarded spam-grams will trigger backoff at the sender.  Unfortunately,
discarding a high percentage of the grams will trigger a retransmit multiple
times.

Spam is likely going to be a problem until we either hire some thug muscle from
pick ethnic organized crime group, or the government does it for us...

-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech






Deja vu all over again

2002-09-10 Thread sal . sabella



Pawlukiewicz Jane wrote:
 Quick Question, how much memory does the bgp tables actually take. I'm
 estimating 32 mb in my plan, but I'm worried that's not enough.

Jane, nothing with you is ever quick.  Rather than just searching google to find the 
answers to your silly questions, you have to waste all our time.  I don't care what 
bet you have going with your boss, or how many full views you're attempting to cram 
into that 700 series ISDN router.

Repeat after me, Jane: SEARCH FIRST, ASK QUESTIONS LATER.

Sal Sabella




Get your free encrypted email at https://www.hushmail.com



RE: How do you stop outgoing spam?

2002-09-10 Thread Al Rowland


Okay, I'm going to break my promise, 

Can anyone document more than one isolated instance, if that, of
spammers using North American Cyber Cafes? (This is NANOG)

If so, wouldn't appropriate AUP with appropriate fines to the CC the
user used for access be a more appropriate sniper rifle shot rather than
just shot gunning all your users?

As far as 'loading' spam software, any Cyber Café that has the cpu out
where Joe User has access and/or hasn't set appropriate user rights
preventing software installation or system access, won't be in business
very long anyway.

Best regards,
_
Alan Rowland


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Iljitsch van Beijnum
Sent: Monday, September 09, 2002 4:49 PM
To: Marshall Eubanks
Cc: [EMAIL PROTECTED]
Subject: Re: How do you stop outgoing spam?



On Mon, 9 Sep 2002, Marshall Eubanks wrote:

   Ok, suppose someone can touch type. The world record is something 
   like 600 key presses per minute, which is 10 41-byte TCP packets per
   second ~= 4 kbps.

  When I go to Internet cafes (I like Global Gossip), I connect my 
  Ti-book to the local ethernet if at all possible (that's why I like 
  Global Gossip) and use high bit rates (i.e., file transfers) in both 
  directions.

Would the uploads be HTTP? That's the only thing I'd want to limit to a
few kbps. (Well, and outgoing SMTP to 0 kbps.)

 If I was limited to 4 kbps outbound, I would want my money back.

 Just one customer viewpoint :)

Understandable. On the other hand, spammers using internet cafes isn't
good either.





Re: How do you stop outgoing spam?

2002-09-10 Thread sal . sabella



Marshall Eubanks wrote:
 When I am at a cafe I use a web based encrypted email program, and
 if I email a large attachment (say a pdf file), then it goes http
 outbound.

When I am at a cafe, I eat, drink, and sometimes converse with others.

 Again, when I go to a cafe in another city, I am generally there
 to get some work done

Again, when I go to a cafe in another city, I am generally there to eat, drink, 
converse, and soak in the local sights.

I might be in Burbank next week on business.  We should meet up then. Think you could 
get me tickets and a VIP backstage tour at the Tonight Show?  I'd like to meet with 
NBC execs and weigh the pros and cons of multicasting your band's performance in PIM 
Dense vs. Sparse mode.  You're a great musician BTW.  Tell Jay I said hi.

Sal Sabella







Re: How do you stop outgoing spam?

2002-09-10 Thread sal . sabella



Susan, why do your rules not apply to Jane?  I realize she's a larger-than-life figure 
here, but enough is enough.  I won my bet with my boss that she would violate AUP at 
least five (5) times and not get removed from the list.

Please read the NANOG FAQ at http://www.nanog.org/aup.html.  If there are further 
hypocrisies on your part, I'll have to ask Brad Knowles for an AOL account to post 
from.

Sal

Please do not post personal messages on the NANOG mailing list,
 which
focuses on Internet engineering and operations issues. In my la
st message
to you I pointed to our AUP:
 
http://www.nanog.org/aup.html

If there are further AUP violations on your part, we'll need to
 remove
your posting privileges from the list.

Susan Harris, Ph.D. 
Merit Network/Univ. of Mich.
 




Re: How do you stop outgoing spam?

2002-09-10 Thread Valdis . Kletnieks

On Tue, 10 Sep 2002 09:12:15 PDT, Joe St Sauver said:
 Actually, our experience *does* follow the backoff paradigm: if you block a 
 particular source of spam, that rejection *does* seem to trigger message
 volume backoff at the source, with only periodic check probes apparently 
 designed to see if the spam source is really still blocked (and of course 
 it really still is). 

Yes - but since they need to have N replies to their spam to make it worth
the effort, they will just pound on somebody ELSE.  I saw one quote from
a very unapologetic spammer who was complaining that with all these blocks
he had to send a lot more spam and his costs were up 1000% as a result.

Let's say a spammer needs 100 replies to turn a profit, and 1% of the things
that make it into a mailbox get a reply.  If nobody blocks spam, then the
spammer only needs to send 10K messages before he profits.  If 99% of spam
is blocked, he has to send a million.  That's why we're seeing statistics
like receives 2 billion pieces of mail a day and 80% is spam.

Think of it like a host with multiple A records - if one A goes down, they
*do* stop trying that one, but they then fail to use backoff on the OTHER
addresses ;)
-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech






Re: How do you stop outgoing spam?

2002-09-10 Thread Dave Crocker


At 08:20 PM 9/9/2002 +, Paul Vixie wrote:
outbound SMTP should be blocked for any dynamic or dialup source within

One of the basic problems with discussions about spam control is that it 
focuses entirely on spam.  Blocking output SMTP from individual dial-ups 
has a serious negative consequence:

 Laptop mobile users cannot use their home SMTP server.

 At best, they must reconfigure for each venue -- goodbye wireless 
hotspot convenience -- and that is IF they know the SMTP server address for 
the local access.

 In other words, by blocking output SMTP, mobile users are hurt 
badly.  I know that *I* certainly am.  Constantly and seriously.

d/

--
Dave Crocker mailto:[EMAIL PROTECTED]
TribalWise, Inc. http://www.tribalwise.com
tel +1.408.246.8253; fax +1.408.850.1850




Re: How do you stop outgoing spam?

2002-09-10 Thread Iljitsch van Beijnum


On Tue, 10 Sep 2002 [EMAIL PROTECTED] wrote:

  It is more trouble than its worth. SPAM is not a technical problem. It is a
  social problem. Using technical methods is not going to solve the problem.

 There are two saying that come to mind:

 You can't solve social problems with technical solutions

That's what happens when you hang around with software engineers too long.
They think all problems are solvable. And most problems, especially social
ones, aren't: they need to be managed. Sure, you can't stop spam entirely
by technical (or other) means, but that's no reason to ignore the problem
and run an open relay.

 There are very few inter-personal problems that can't be solved by the
 suitable application of high explosives

Sounds like a technical solution to me...

 Spam is likely going to be a problem until we either hire some thug muscle from
 pick ethnic organized crime group, or the government does it for us...

Or we throw out SMTP and adopt a mail protocol that requires the sender to
provide some credentials that can't be faked. Then known spammers are easy
to blacklist.




Re: How do you stop outgoing spam?

2002-09-10 Thread Christopher L. Morrow



On Tue, 10 Sep 2002, Dave Crocker wrote:


 At 08:20 PM 9/9/2002 +, Paul Vixie wrote:
 outbound SMTP should be blocked for any dynamic or dialup source within

 One of the basic problems with discussions about spam control is that it
 focuses entirely on spam.  Blocking output SMTP from individual dial-ups
 has a serious negative consequence:

  Laptop mobile users cannot use their home SMTP server.

Why are mobile laptop users NOT using ssl/esmtp ? This uses port 587 or
425 or something like that... additionally, it provides authentication for
the connection. At least in small scenarios it works beautifully.




Re: Internet connection secure from surveilance?

2002-09-10 Thread bdragon


 Here is my reply to Joe
 
 Your solution is good. In general, anyone worried about this kind of invasion of
 privacy should arrange to run their own root servers. The more the merrier. This is not
 necessarily about having multiple roots with colliding TLDs, but about security from
 surveillance.

A better solution would be to turn off recursion, this _may_ lead to
partitioning away from the rest of the internet, just as running a local
root may lead to partitioning away. The benefit, of course, is that
you don't worry about someone tapping into any sub-domain dns
server.

Slightly better than that is to disconnect from the network entirely.
This will help prevent someone from eavesdropping on other protocols
as well. Again, this may lead to partitioning away from the rest of the
network.




Re: How do you stop outgoing spam?

2002-09-10 Thread Barton F Bruce





A twist we saw spammers using on dialup accounts in Miami could come to
cyber cafes and could be ugly.

They were dialing in and then using the IP address to send spam out some
other connection elsewhere where RPF wasn't in use. The return packets all
came back on their dialup into us, but bypassed our filters that were then
only on outbound packets.

Since these were wholesaled dial ports, we know there are no valid servers
customers needed in RIPE and APNIC blocks and in long ACLs blocking various
MSN servers, AND we know the dialup user's account. In a free cafe, you know
none of that.

Having an inbound mirror image of the outbound ACL helped initially, and
then a coworker crafted a reflexive access list that really stopped them.
Inbound packets had to have matching outbound ones or were tossed.

We had visions of their finding a $spam$ friendly ISP that would sell them a
SPAM OC-3 as long as he got no spam complaints. It could have served many
spam machines running with dynamic IPs from many different ISPs and many
user accounts on each - all at once.

In the free cyber cafe that does not NAT and that does not know who the
users are, there is potential for similar abuse.
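
The filter Barton describes stops a specific trick: the spammer dials in to obtain an address, injects packets carrying that source address through some other provider that does not do reverse-path checks, and only the replies come back over the dialup. An outbound-only ACL never sees the spam; a reflexive ACL does, because every inbound packet must match a flow that was recently seen going out. The following is an added example, not the thread's own configuration: a stateful model of that rule in Python, with an assumed dial pool of 10.1.2.0/24, an assumed 300-second flow timeout, and the existing outbound "no direct port 25" ACL kept in front of it.

```python
import ipaddress
import time
from dataclasses import dataclass

DIALUP_POOL = ipaddress.ip_network("10.1.2.0/24")  # assumed wholesale dial pool
OUTBOUND_DENY_PORTS = {25}                          # the existing outbound ACL
REFLEX_TIMEOUT = 300.0                              # assumed idle timeout, seconds


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class ReflexiveFilter:
    """Inbound packets are accepted only if they mirror a live outbound flow."""

    def __init__(self, now=time.monotonic):
        self.now = now
        self.flows = {}  # (src, sport, dst, dport, proto) -> expiry time

    def outbound(self, pkt: Packet) -> bool:
        """Packet leaving the dial-up side towards the Internet."""
        if ipaddress.ip_address(pkt.src) not in DIALUP_POOL:
            return False  # source not ours: drop (anti-spoofing on egress)
        if pkt.dport in OUTBOUND_DENY_PORTS:
            return False  # static ACL: no direct SMTP from dial ports
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        self.flows[key] = self.now() + REFLEX_TIMEOUT
        return True

    def inbound(self, pkt: Packet) -> bool:
        """Packet arriving from the Internet for a dial-up address."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        expiry = self.flows.get(key)
        if expiry is None:
            return False  # no outbound twin: asymmetric return of spoofed traffic
        if expiry < self.now():
            del self.flows[key]
            return False  # flow went idle; require a fresh outbound packet
        self.flows[key] = self.now() + REFLEX_TIMEOUT
        return True


def demo() -> dict:
    """Constructed scenario: one honest web flow, one spoofed SMTP return path."""
    clock = [0.0]  # fake clock so the timeout can be exercised deterministically
    f = ReflexiveFilter(now=lambda: clock[0])
    legit_out = Packet("10.1.2.3", 40000, "198.51.100.9", 80)
    legit_back = Packet("198.51.100.9", 80, "10.1.2.3", 40000)
    # SYN/ACK from a mail relay for a connection the dial port never opened:
    spoofed_back = Packet("203.0.113.5", 25, "10.1.2.3", 41000)
    results = {
        "legit_out": f.outbound(legit_out),
        "legit_back": f.inbound(legit_back),
        "spoofed_smtp_reply": f.inbound(spoofed_back),
        "direct_smtp_out": f.outbound(Packet("10.1.2.3", 42000, "203.0.113.5", 25)),
    }
    clock[0] += REFLEX_TIMEOUT + 1
    results["legit_back_after_timeout"] = f.inbound(legit_back)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:26s} {'permit' if allowed else 'deny'}")
```

The model matches on the full 5-tuple, which is what makes it stronger than the "inbound mirror image" ACL tried first: a mirrored static ACL can only deny by port, while the flow table denies anything the dial-up side did not itself initiate. As the message notes, the approach needs the router to see the outbound packets, which it does for dial ports but not for an anonymous cafe that NATs or that is not in the return path.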





Re: How do you stop outgoing spam?

2002-09-10 Thread Barry Shein



The best way to stop spam from going out of an ISP is to:

A) Make a clear policy as part of the terms  conditions, including a
significant clean-up fee + direct charges (e.g., if they ask you or
prompt a legal question they can pay the legal fee for you to get it
answered.)

B) KNOW WHO THE HELL YOU'RE GIVING ACCOUNTS TO so that (A) works. Get
a credit card or verify the phone number and other info (e.g., call
them back, insist on calling them back.)

C) Use (B) to enforce (A).

The problem in 99% of the cases is either (B) or ISPs who just don't
care at all.

I no longer believe it was a throwaway account is a reasonable
excuse except in a rare case where something slipped through the
cracks, I understand it can happen.

But when a spammer is creating throwaway after throwaway the ISP needs
to change their account creation procedures because this information
is shared by spammers and they've become a target.


-- 
-Barry Shein

Software Tool  Die| [EMAIL PROTECTED]   | http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202| Login: 617-739-WRLD
The World  | Public Access Internet | Since 1989 *oo*



Re: How do you stop outgoing spam?

2002-09-10 Thread Barry Shein



On September 9, 2002 at 14:47 [EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote:
  On Mon, 09 Sep 2002 10:37:35 PDT, Al Rowland [EMAIL PROTECTED]  said:
   How many (more) protocols are we willing to cripple in the name of
   fighting spam?
  
  Crippling protocols won't help, in the long run.  What will help is
  the use of a baseball bat, properly applied. Unfortunately, although
  it would probably be *cheaper* to hire insert ethnic organized crime
  group to simply whack the cluelessmailers.org list of top 100
  offenders, network providers fall into two distinct classes:

You've certainly gotten to the heart of the problem, Valdis.

The problem is we're up against a new organized crime on the internet
in the form of scams and spams.

And, although some won't like me saying this, having the technical
community deal with these new criminals is a bit like sending the boy
scouts after Al-Qaida.

Unfortunately it's going to take a much harsher view of reality than
maybe this regexp will stop crime.

-- 
-Barry Shein

Software Tool  Die| [EMAIL PROTECTED]   | http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202| Login: 617-739-WRLD
The World  | Public Access Internet | Since 1989 *oo*



RE: How do you stop outgoing spam?

2002-09-10 Thread Dan Hollis


On Tue, 10 Sep 2002, Al Rowland wrote:
 Can anyone document more than one isolated instance, if that, of
 spammers using North American Cyber Cafes? (This is NANOG)

They usually use copy places like kinko's, or public libraries.
Cyber cafes tend to be too conspicuous.

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]




Re: How do you stop outgoing spam?

2002-09-10 Thread Andy Dills


On Tue, 10 Sep 2002, Dave Crocker wrote:


 At 08:20 PM 9/9/2002 +, Paul Vixie wrote:
 outbound SMTP should be blocked for any dynamic or dialup source within

 One of the basic problems with discussions about spam control is that it
 focuses entirely on spam.  Blocking output SMTP from individual dial-ups
 has a serious negative consequence:

  Laptop mobile users cannot use their home SMTP server.

I don't think Paul meant to say blocked as in 'connection refused', I
think he meant that they should be redirected to a local machine that will
happily send their mail (with reasonable limits on number of recipients
per arbitrary time period, which all of your mail servers should have
anyway).

Andy


Andy Dills  301-682-9972
Xecunet, LLCwww.xecu.net

Dialup * Webhosting * E-Commerce * High-Speed Access




Re: How do you stop outgoing spam?

2002-09-10 Thread alex


 and bypassing firewalls is an excellent way to get into BIG trouble with
 whomever is running the firewall.  It is irrelevant how ignorant that
 person might be about the traffic which passes through their firewall.
 I'm sure if they were only slightly less ignorant they'd run a strict
 HTTP gateway on port 80 of their firewall and then you'd be stuck
 wrapping everything up to look like proper HTTP in order to bypass
 their firewall.  It is better that you learn to negotiate the access you
 need than to have to resort to using covert channels which could get you
 busted.

Steno is a great thing, so it wont get anyone busted.

Alex




Re: How do you stop outgoing spam?

2002-09-10 Thread Valdis . Kletnieks

On Tue, 10 Sep 2002 19:18:59 +0200, Iljitsch van Beijnum said:

 Or we throw out SMTP and adopt a mail protocol that requires the sender to
 provide some credentials that can't be faked. Then known spammers are easy
 to blacklist.

It's nice to say we make it easy to blacklist spammers.  The problem is
that those systems that *HAVE* made it easy to blacklist spammers are *ALWAYS*
taking heat for making it easy - remember how ORBS was held in little high
regard?  And even the MAPS people have had their share of legal hassles.

We don't even have to throw out SMTP - there's STARTTLS, AUTH, PGP, and
so on.  The problem is that we don't know how to do a PKI that will
scale (note that the current SSL certificate scheme isn't sufficient, as
it usually does a really poor job of handling CRLs - and the *lack* of
ability to distribute a CRL (which is essentially a blacklist) is the crux
of the problem.  There's also the problem of distributing valid credentials
to half a billion people - while still preventing spammers from getting
any.  The DMV hasn't learned how to keep *teenagers* from getting fake ID's,
why should we expect to do any better in keeping a motivated criminal from
getting a fake credential?

It's not as easy as it looks. As Bruce Schneier talked about in Secrets and
Lies, where he does a hypothetical threat analysis regarding getting dinner
in a restaurant without paying, most of the attacks actually have nothing to
do with the part of the transaction where money changes hands...

-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech






Re: How do you stop outgoing spam?

2002-09-10 Thread Barry Shein



Point of information:

Can you really distinguish all this intentionality vs. the spammer
just changing which relay to rape? Perhaps because the raped relay was
shut down or secured when the owner found out what was going on?

Or the spammer just switching relays to rape for no specific reason
other than they seem to go bad after a few hours so use one for a
while (perhaps a batch of addresses to spam) and then switch to the
next in the list?


On September 10, 2002 at 09:12 [EMAIL PROTECTED] (Joe St Sauver) wrote:
  Actually, our experience *does* follow the backoff paradigm: if you block a 
  particular source of spam, that rejection *does* seem to trigger message
  volume backoff at the source, with only periodic check probes apparently 
  designed to see if the spam source is really still blocked (and of course 
  it really still is). 
  
  Now it is true that in many cases the spammer *will* do a set of probes in an 
  effort to see just how broad a given block is (e.g., is it just a /32 that's 
  being blocked? is it my entire netblock? is it a domain based filter? can I 
  slide in via an open SMTP relay or an abusable proxy server?), but at least 
  here at the U of O, we're NOT seeing spammers waste their time attempting 
  delivery of hundreds or thousands of messages per day via hosts that have 
  been identified and filtered. 
  
  Regards,
  
  Joe

-- 
-Barry Shein

Software Tool  Die| [EMAIL PROTECTED]   | http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202| Login: 617-739-WRLD
The World  | Public Access Internet | Since 1989 *oo*



Re: How do you stop outgoing spam?

2002-09-10 Thread Barry Shein



On September 10, 2002 at 10:16 [EMAIL PROTECTED] (Dave Crocker) wrote:
  
  At 08:20 PM 9/9/2002 +, Paul Vixie wrote:
  outbound SMTP should be blocked for any dynamic or dialup source within
  
  One of the basic problems with discussions about spam control is that it 
  focuses entirely on spam.  Blocking output SMTP from individual dial-ups 
  has a serious negative consequence:

Yeah, well, too late, that battle was fought and settled years
ago. The spammers are driving the standards at this point, not
reasonable people trying to make things work.

Ultimately that's one of my big problems with spammers, they're like
termites in the RFCs quietly chewing away at both the letter and
intent.

At this point your easy-to-agree-with point is kinda like saying

  I pay taxes, I damned well ought to be able to walk any street in any
   city at any time of the day or night and be safe!

nice sentiment, but unfortunately no longer realistic, not where the
criminals are in charge.

-- 
-Barry Shein

Software Tool  Die| [EMAIL PROTECTED]   | http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202| Login: 617-739-WRLD
The World  | Public Access Internet | Since 1989 *oo*



Re: How do you stop outgoing spam?

2002-09-10 Thread Paul Vixie


 One of the basic problems with discussions about spam control is that it 
 focuses entirely on spam.  Blocking output SMTP from individual dial-ups 
 has a serious negative consequence:
 
  Laptop mobile users cannot use their home SMTP server.

in the business, we call this tough noogies.

  At best, they must reconfigure for each venue -- goodbye wireless 
 hotspot convenience -- and that is IF they know the SMTP server address for 
 the local access.

i've gotten very good mileage out of ssl-smtp, and out of port forwarding
so that my laptop uses 127.0.0.1:25 for outbound mail, which is actually a
(ssh-borne) tunnel to my home smtp server.

  In other words, by blocking output SMTP, mobile users are hurt 
 badly.  I know that *I* certainly am.  Constantly and seriously.

yes.  let me take this opportunity to thank you for your significant
contributions to smtp and of course rfc822.  i'm sorry that you have to
be hurt now.  but the design calls for a polite population, and while
that was true of the internet in 1983, it is absolutely not true today.
the nonpolite nature of the overall population means that you will have
to be hurt and you will have to change how you use mail in order to make
the pain stop.  there's a slight choice on the pain menu -- you can have
(A) an unusable mail system clogged with unwanted traffic such as spam
and viruses, or (B) a barely-usable mail system where everything you want
to do is less convenient because you have to use ssl-smtp and ssh tunnels.
either way you have to be hurt now.  and that saddens me, it really does.



RE: How do you stop outgoing spam?

2002-09-10 Thread Al Rowland


Steganography looked great in that hollywood movie Along Came a Spider
with Morgan Freeman (or at least the 'screen friendly' version they
portrayed) but a recent study of millions of graphics across USENET
found zero steganographic images. Great theory, no examples found in the
wild, other than in Hollywood scripts and some folk trading porn of the
type not usually posted to the public Internet.

Anyone interested my try:
http://www.earthweb.com/article/0,,10456_624101,00.html

Just my 2¢.

Best regards,
_
Alan Rowland


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, September 10, 2002 12:15 PM
To: Greg A. Woods
Cc: [EMAIL PROTECTED]
Subject: Re: How do you stop outgoing spam?



 and bypassing firewalls is an excellent way to get into BIG trouble 
 with whomever is running the firewall.  It is irrelevant how ignorant 
 that person might be about the traffic which passes through their 
 firewall. I'm sure if they were only slightly less ignorant they'd run

 a strict HTTP gateway on port 80 of their firewall and then you'd be 
 stuck wrapping everything up to look like proper HTTP in order to 
 bypass their firewall.  It is better that you learn to negotiate the 
 access you need than to have to resort to using covert channels which 
 could get you busted.

Stego is a great thing, so it won't get anyone busted.

Alex





RE: How do you stop outgoing spam?

2002-09-10 Thread alex


 Steganography looked great in that hollywood movie Along Came a Spider
 with Morgan Freeman (or at least the 'screen friendly' version they
 portrayed) but a recent study of millions of graphics across USENET
 found zero steganographic images. Great theory, no examples found in the
 wild, other than in Hollywood scripts and some folk trading porn of the
 type not usually posted to the public Internet.

Stego principles are alive and well. Covert channel transmissions are alive
and well. Both were used to bypass compartmentalization on a certain secure
OS. If anyone needs to encode data in valid HTML to tunnel it through a
firewall, it *will* be done. Several years ago, we had implementations of
telnet over email, I am sure modifying it to do telnet over HTML would be a
rather trivial task.

Alex




Re: How do you stop outgoing spam?

2002-09-10 Thread Paul Vixie


[EMAIL PROTECTED] (Barton F Bruce) writes:

 A twist we saw spammers using on dialup accounts in Miami could come to
 cyber cafes and could be ugly.
 
 They were dialing in and then using the IP address to send spam out some
 other connection elsewhere where RPF wasn't in use. The return packets all
 came back on their dialup into us, but bypassed our filters that were then
 only on outbound packets.

this has been going on for some time.  the example you gave of an OC3
used for outbound-only tcp streams is noncontrived and has been seen
more than twice.

it's been a year or so, so i'll renew my question.  is anybody, anywhere,
including as a term of their peering agreement things like "must have a
responsive abuse@ mailbox and act credibly to prevent spammers from 
becoming or remaining customers" or "must filter both bgp advertisements
and ip source addresses from all customers, and require them to do
likewise"?

and if not, why not, and how long do you think it's going to take before
we use economic methods to solve this scourge?
-- 
Paul Vixie



Re: How do you stop outgoing spam?

2002-09-10 Thread Majdi S. Abbas


On Tue, Sep 10, 2002 at 12:45:01PM -0700, Al Rowland wrote:
 Steganography looked great in that hollywood movie Along Came a Spider
 with Morgan Freeman (or at least the 'screen friendly' version they
 portrayed) but a recent study of millions of graphics across USENET
 found zero steganographic images. Great theory, no examples found in the
 wild, other than in Hollywood scripts and some folk trading porn of the
 type not usually posted to the public Internet.

I was going to stay out of this one, but then this came
along.  It is trivially easy to encrypt, transpose, or otherwise
bury the message inside an image, or what have you.

If I use a PRNG, prearrangement, or some other selection method 
to decide which bytes, or which files, or some combination of both will
receive a chunk of the data to be hidden, and then encrypt it with
a decent enough algorithm, it will not be easy to determine there is
something there at all, particularly in a medium like USENET where lots
and lots of large binary postings are common.

Just because someone ran through a pile of images using jpegv4
with the jsteg patches, or some similar commercial application, does
not mean it wasn't there -- it just means it wasn't obviously there.

I myself have encrypted my PGP key's revocation certificates
and buried them in some images on a website as a fallback storage
method.

Is it widely used?  Probably not.  Is it safe to say it's not
being used on the basis of a quick check with an off the shelf 
utility or two?  No.

--msa



Re: How do you stop outgoing spam?

2002-09-10 Thread Richard A Steenbergen


On Tue, Sep 10, 2002 at 12:45:01PM -0700, Al Rowland wrote:
 
 Steganography looked great in that hollywood movie Along Came a Spider
 with Morgan Freeman (or at least the 'screen friendly' version they
 portrayed) but a recent study of millions of graphics across USENET
 found zero steganographic images. Great theory, no examples found in the
 wild, other than in Hollywood scripts and some folk trading porn of the
 type not usually posted to the public Internet.

Well, I wouldn't say that.

There is an EXTENSIVE trade of some unknown data going to and from Asia
(primarily Japan and China) through various forms of steganography in jpg
png and gif images on free web hosting services. I can personally account
for over 5Gbps (every day) of this traffic just from people I know, which
I would hardly consider to be everyone.

I've managed to reconstruct the data from pieces of scripts they have
accidentally left behind, and come up with encrypted .zip files. Left a
zip cracker running on a 1GHz machine for a couple months and came up with
no results.

I'm not gonna take any guesses as to the content, but I can tell you that
they are very diversified, very persistent (you filter one route or
transit path and they'll have moved to another within hours), and very
innovative in hiding the data so that you can't detect what they're doing
short of looking at every picture.

-- 
Richard A Steenbergen [EMAIL PROTECTED]   http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)



Re: How do you stop outgoing spam?

2002-09-10 Thread Rafi Sadowsky



## On 2002-09-10 09:45 -0400 [EMAIL PROTECTED] typed:


  Hi Eliot
 
   Maybe I'm missing something obvious, but how do you get rate-limiting per
  TCP *flow* with Cisco IOS?

 It is more trouble than it's worth.

 IMHO there are other problems beside SPAM that can use per flow
shaping/rate-limiting


  SPAM is not a technical problem. It is a
 social problem. Using technical methods is not going to solve the problem.
 In the end, every time we come up with another method of detecting and
 blocking spam, another method of bypassing this defense is going to show up.

 How about using a combination of technical and social measures?
For example, in a Cyber Cafe use passive technical measures to count the
total number of outbound SMTP sessions and charge 1$ per Email over an
average rate of 2 Emails/minute and 10$ per Email exceeding a rate of 10
per minute.



 Alex



-- 
Rafi




Re: How do you stop outgoing spam?

2002-09-10 Thread Vadim Antonov



<heresy>

Or unless we design a network which does not rely on good will of its
users for proper operation.

</heresy>

--vadim

On Tue, 10 Sep 2002 [EMAIL PROTECTED] wrote:

 Most spam-fighting efforts on the technical side make the basic assumption
 that spam has similar characteristics to a properly designed TCP stack - that
 dropped/discarded spam-grams will trigger backoff at the sender.  Unfortunately,
 discarding a high percentage of the grams will trigger a retransmit multiple
 times.
 
 Spam is likely going to be a problem until we either hire some thug muscle from
 pick ethnic organized crime group, or the government does it for us...




Re: How do you stop outgoing spam?

2002-09-10 Thread Vadim Antonov



On Tue, 10 Sep 2002, Iljitsch van Beijnum wrote:

 Or we throw out SMTP and adopt a mail protocol that requires the sender to
 provide some credentials that can't be faked. Then known spammers are easy
 to blacklist.

"Credentials that can't be faked" is a rather hard-to-implement 
concept.  Simply because there's no way to impose a single authority on 
the entire world.  The question is whom to trust to certify the sender's
authenticity?  I have correspondents in parts of the world where I'd be 
very reluctant to trust proper authorities.  It'd be so very easy to 
silence anyone by _not_ issuing credentials.

Besides, anonymous communication has its merits.  So what's needed is 
zero-knowledge authentication and Web-of-trust model.  And don't forget 
key revocation and detection of fake identity factories.  Messy, messy, 
messy.

--vadim




RE: How do you stop outgoing spam?

2002-09-10 Thread Tony Hain


Rafi Sadowsky wrote:
  How about using a combination of technical and social 
 measures For example in a Cyber Cafe use passive technical 
 measures to count the total number of outbound SMTP sessions 
 and charge 1$ per Email over an average rate of 2 
 Emails/minute and 10$ per Email exceeding a rate of 10 per minute

So the person who connects after sitting on a plane for 5 hours gets
charged extra because the laptop bursts 50 messages ... There is no
automated technical approach to a social problem. Public executions
would be much more effective than preventing legitimate customers from
getting their job done.

Tony
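Rafi's per-message charging scheme above, run against Tony's post-flight burst, as an added example that is not code from either poster. It assumes (nothing on the page says so) that the cafe gateway has already reduced each outbound TCP/25 session to one timestamp per message, that the "average rate" is messages divided by elapsed session time with the first minute counted as a full minute, and that the "10 per minute" rate is counted over a trailing 60-second window.

```python
"""Per-customer SMTP charging as proposed in the thread, with the burst case.

Added example, not code from any poster. Assumptions (not on the page): the
cafe gateway has already reduced each outbound TCP/25 session to one
timestamp per message; the "average rate" is messages divided by elapsed
session time, with the first minute counted as a full minute; the "rate of
10 per minute" is counted over a trailing 60-second window.
"""
from bisect import bisect_left

AVG_LIMIT_PER_MIN = 2      # above this session-average rate: $1 per message
BURST_LIMIT_PER_MIN = 10   # above this trailing-minute rate: $10 per message
AVG_FEE = 1
BURST_FEE = 10


def charge_for_session(timestamps):
    """Return (total_charge, fee_per_message) for one customer session.

    timestamps: send times in seconds since the session started, any order.
    The burst fee takes precedence when both thresholds are exceeded."""
    ts = sorted(timestamps)
    fees = []
    for i, t in enumerate(ts):
        sent_so_far = i + 1
        # messages in the trailing 60 seconds, this one included
        in_window = i - bisect_left(ts, t - 60) + 1
        avg_rate = sent_so_far / max(t / 60.0, 1.0)
        if in_window > BURST_LIMIT_PER_MIN:
            fees.append(BURST_FEE)
        elif avg_rate > AVG_LIMIT_PER_MIN:
            fees.append(AVG_FEE)
        else:
            fees.append(0)
    return sum(fees), fees


# Constructed sessions (not real logs):
SESSIONS = {
    # an ordinary customer: six messages spread over ten minutes
    "ordinary": [30, 120, 200, 330, 450, 590],
    # the traveller from the reply above: a queued 50-message burst
    # flushed in the first 30 seconds after connecting
    "post-flight burst": [0.6 * i for i in range(50)],
    # a steady sender at 5 messages per minute for ten minutes
    "steady 5/min": [12 * i for i in range(50)],
}


def charges():
    """Total charge for each constructed session."""
    return {name: charge_for_session(ts)[0] for name, ts in SESSIONS.items()}


if __name__ == "__main__":
    for name, total in charges().items():
        print(f"{name:18s} ${total}")
```

Under these assumptions the queued burst is billed $408 while a steady sender at five messages a minute pays $48 for the same number of messages, which is the objection in the reply above in numbers.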





Re: How do you stop outgoing spam?

2002-09-10 Thread Iljitsch van Beijnum


On Tue, 10 Sep 2002 [EMAIL PROTECTED] wrote:

 We don't even have to throw out SMTP - there's STARTTLS, AUTH, PGP, and
 so on.  The problem is that we don't know how to do a PKI that will
 scale (note that the current SSL certificate scheme isn't sufficient, as
 it usually does a really poor job of handling CRLs - and the *lack* of
 ability to distribute a CRL (which is essentially a blacklist) is the crux
 of the problem.

So let everyone have their own. If you want to send me email, create a
certificate for yourself. Then before you can actually transfer messages,
your system asks permission to do so, my system sends back a challenge to
yours so I'm sure you haven't faked your reply address and your
certificate is whitelisted. If you spam me, I can blacklist your
certificate, your email address or your domain. If I handle mail for many
users, I can apply some heuristics: new certificates/domains only get to
send a small number of messages per hour initially or something similar.

 It's not as easy as it looks.

Granted, but it's also not so hard we can't improve on a 20 year old
protocol. As (nearly) always, the problem is backward compatibility. That
makes it next to impossible to get something useful off the ground.




Re: How do you stop outgoing spam?

2002-09-10 Thread Vadim Antonov



On Tue, 10 Sep 2002, Barry Shein wrote:

 And, although some won't like me saying this, having the technical
 community deal with these new criminals is a bit like sending the boy
 scouts after Al-Qaida.
 
 Unfortunately it's going to take a much harsher view of reality than
 "maybe this regexp will stop crime".


Last time I checked policemen weren't designing door locks.  Not even in
business of selling them.

What we have is a lot of open doors having prominent signs "come in and
take whatever you please" on them.  This can and should be fixed by the
technical community.

US is not going to send troops to Nigeria just to catch some spammers 
anyway.  Consider that a harsher view of reality :)

--vadim

PS. Criminals are criminals because they are stupid.  If they were smart
they could make good living legally.  Governments avoid competition, 
too.




Re: How do you stop outgoing spam?

2002-09-10 Thread Eliot Lear


Tony Hain wrote:
 Public executions would be much more effective than preventing
 legitimate customers from getting their job done.

A proposed activity for Portland?  Network engineer assisted homicide?

;-)




Re: Console Servers

2002-09-10 Thread Charles Sprickman


Hello all,

Here's what I've found out.  It's a mix.  If any one solution looks to
be the winner it's the roll-your-own solution.  This is what I'm going
for since it's relatively cheap for low-density installs.  The only
problem I'm finding is that it's tough to get a 1U box that has 2 PCI
slots open.  2U seems overkill.  Since Compact Flash adapters are cheap
(about $20) and the cards themselves can be had for $59 (128MB), I'm going
to go diskless.  I'll probably use conserver, but I'll be giving rtty a
try as well.

If anyone has pointers to cheap 1U or 2U's, I'm all ears.  Just need a
minimal box, don't need much CPU for this.

With about 13 replies, I can report the following:

 Lantronix - http://www.lantronix.com/products/cs/scs820_scs1620/index.html

1 vote for, one against.  The complaint was that the Lantronix has a very
bad management interface.

I also noted that BBC is using a mess of these at Telehouse...

 Cyclades - http://www.cyclades.com/products/ts_series.php

4 for.

Under the covers, it's your average linux box with ttys0-ttys31.  The
portslave software is pretty nice, too.  Offline data buffering and the
ability to stick a hostname relationship with a serial port.  [Ex:  ssh2
bob:myserver@cyclades to connect to server myserver ]

Another poster is using the cyclades and the digi, and if I'm reading him
right, uses the Cyclades 48 port for smaller installations and the digi on
larger.

 Digi - http://www.digi.com/solutions/devtermsrv/cm/index.shtml
 Looks to run about $1800 for 16 ports

1 for (kind of).  The poster has a large installed base and it mostly
works and has a very high density.  Apparently it's a two-piece system
where a cable fans out to boxes that further split it.  But if one of the
splitters locks up, everything daisy-chained through it locks up.  This
person is now using Cyclades (please correct me if I'm wrong on this one).

Equinox - 2 folks using these (cards).

We use the Equinox SST-128P (theoretically expandable to 128 ports,
comes in 16-port chunks) on Linux. Their linux drivers work well [...]
It's a PCI card with a cable to an external plugboard with the 16 RJ-45s.

I have had a bit of experience with Equinox (http://www.equinox.com/)
gear and can recommend them. Their serial hubs will talk serial to almost
anything out there and when plugged into cat5, tunnel those serial ports
back to physical mappings on a host system.  [...] Geared more towards
industrial applications (what I'm using them for) but I have often
considered slapping one in our telecomm rack to map serial ports
on my local box to our various gear.

Cisco -

2 suggestions to use a 2511 or a 3620 with 16 port async cards.  The 2511
would probably be a bit too slow if you enable ssh though...

Livingston -

2 for an old portmaster behind an ssh-able box (if you have the space)

Arula Systems (www.arula.com)-

1 vote for this, apparently a new company.

Build your own -

5 for this solution.  Everyone is using FreeBSD, and the RocketPort cards
seem to work better than the Cyclades cards under FreeBSD.  3 people are
using conserver (www.conserver.com) to make it easier to manage.  Paul
Vixie shared the following (he gave permission to quote in full):

We use RocketPort, FreeBSD, IronSystems, and ISC rtty.

http://www.rocketport.com/products/specs/rack16_foto.asp
http://www.rocketport.com/products/specs/specs.asp?product=rp_pci

http://www.freebsd.org/
http://www.ironsystems.com/

ftp://ftp.vix.com/pub/vixie/rtty-4.0.shar.gz

This puts a BSD box in every POP, which is very useful for many reasons.

So there you are...  Thanks for all the responses.

Charles




ISPs who de-aggregate intentionally?

2002-09-10 Thread Jeffrey Haas


As part of the process of making the latest BGP draft an IETF standard,
the IDR working group is in the process of reviewing how the current
draft reflects deployed code.

As part of this effort, if anyone is aware of ISPs who intentionally
de-aggregate routes and could contact me to share some of the
reasoning and their methodologies behind this, I would greatly
appreciate it.

Please note - no names will be named, unless you want to be.
A summary of the results will be posted back to this list.

-- 
Jeff Haas 
NextHop Technologies



Re: Console Servers

2002-09-10 Thread Simon Lockhart


On Tue Sep 10, 2002 at 04:53:02PM -0400, Charles Sprickman wrote:
  Lantronix - http://www.lantronix.com/products/cs/scs820_scs1620/index.html
 
 1 vote for, one against.  The complaint was that the Lantronix has a very
 bad management interface.
 
 I also noted that BBC is using a mess of these at Telehouse...

...a mess... ?

http://support.bbc.co.uk/support/standards/rack_top.jpg

We do indeed use the Lantronix, have done since '97 or before. Not really
had any reliability problems with them. The odd fan bearing has gone, but 
they keep running nonetheless.

The CLI is very VMSish, but not bad when you get used to it, plenty of
online help.

Only minor niggle is that they changed the authentication procedure in
a recent code version, without flagging it in big letters.
 
 Cisco -
 
 2 suggestions to use a 2511 or a 3620 with 16 port async cards.  The 2511
 would probably be a bit too slow if you enable ssh though...

I use a 2610 with the 16 port async card for personal colo, and it works
well. Not noticed any performance problems for occasional use. Biggy niggle
is that you can't easily set up ssh to a port with per-port passwords. Had
to fudge it thus:

! Per-port user: once this user logs in over ssh, the autocommand
! reverse-telnets to async line 33 (TCP port 2000 + line number) on the
! router's own loopback, so the user never gets an exec prompt.
username port1 noescape password 7 **
username port1 autocommand telnet 123.45.67.89 2033

interface Loopback0
 ip address 123.45.67.89 255.255.255.255

! Only the loopback address may open the reverse-telnet ports, so the
! async lines are reachable solely through the ssh login above.
access-list 1 permit 123.45.67.89

line 33 48
 access-class 1 in
 no exec  
 transport input telnet

Simon
-- 
Simon Lockhart   |   Tel: +44 (0)1737 839676 
Internet Engineering Manager |   Fax: +44 (0)1737 839516 
BBC Internet Services| Email: [EMAIL PROTECTED] 
Kingswood Warren,Tadworth,Surrey,UK  |   URL: http://support.bbc.co.uk/



Re: How do you stop outgoing spam?

2002-09-10 Thread Dave Crocker


Well, it's clear that the real point I was trying to make was entirely 
missed by everyone, so let me try again.

Dealing with problems, by focusing on absolute outbound port control, 
restricts legitimate use, as well as problematic use.  For a group that is 
largely dominated by libertarian thinking, opting for blanket, outbound 
port control is odd.  Very odd.

Security mechanisms can choose between a default-yes or a default-no 
mode.  Choosing to restrict outbound ports is a default-no.  Think of this 
as the difference between democracy and totalitarianism.  You get to do 
things until you try to do something wrong, versus you are not allowed to 
do anything until you first prove that it is ok.

Spamming is a serious problem, and it needs serious responses, but we need 
to be very careful that dealing with the problem does not kill the net.


At 03:34 PM 9/10/2002 -0400, Barry Shein wrote:
On September 10, 2002 at 10:16 [EMAIL PROTECTED] (Dave Crocker) wrote:
   One of the basic problems with discussions about spam control is that it
   focuses entirely on spam.  Blocking output SMTP from individual dial-ups
   has a serious negative consequence:

Yeah, well, too late, that battle was fought and settled years
ago. The spammers are driving the standards at this point, not
reasonable people trying to make things work.

There are no standards for these practices.  There are component 
mechanisms, but no integrated solution that is documented in a standard. 
That's part of the problem.  In reality what is being done is entirely ad 
hoc and inconsistent.  Otherwise we could at least know what will work for 
all conforming sites.  And we could migrate everyone over to it.

And, again, let me stress that I am not saying spamming isn't a 
problem.  But rather that dealing with spamming simplistically carries very 
serious side-effects.


At this point your easy-to-agree-with point is kinda like saying
   I pay taxes, I damned well ought to be able to walk any street in any
city at any time of the day or night and be safe!

No.  It is like saying that because there is some street crime, in some 
places, let's make it illegal to walk anywhere, ever.

And it is like saying that because some people make obscene phone calls, 
all phone calls will now be monitored.

That really is what these blanket outbound controls are like.



At 07:40 PM 9/10/2002 +, Paul Vixie wrote:
   Laptop mobile users cannot use their home SMTP server.
in the business, we call this tough noogies.

I had hoped that my reference to wireless hot-spot implications would make 
the scale and import of this approach adequately clear.

That it does not nicely demonstrates why techies must not be in charge of a 
business that makes any claim to serving their customers.

Broad-sweep, large-scale crippling of legitimate activity is not a 
realistic way to deal with a problem, even one as serious as spam.


   At best, they must reconfigure for each venue -- goodbye wireless
  hotspot convenience -- and that is IF they know the SMTP server address
  for the local access.

i've gotten very good mileage out of ssl-smtp, and out of port forwarding
so that my laptop uses 127.0.0.1:25 for outbound mail, which is actually a
(ssh-borne) tunnel to my home smtp server.

There are always technical solutions that techies can follow.  A more 
relevant question is what it will take for 100 million average users.  As 
everyone on this list knows, the Internet is about scaling.

So it is entirely irrelevant what any one of the people on this list can do 
to make things work.  It is ONLY relevant what the impact is on 100 million 
other folks.  Folks who are not sysadmins.  Folks who cannot constantly 
reconfigure their systems.

And ultimately it does not matter that a particular hack can be propagated, 
such as mapping 25 to a local ssl redirect.

What matters is that the model that leads to that hack is broken even worse 
than spamming, because it says that the way to respond to a problem by some 
folks is to block all folks.  Today, port 25.  Tomorrow -- and in some 
places, today -- all ports except a precious few and even those are mediated.


be hurt now.  but the design calls for a polite population, and while
that was true of the internet in 1983, it is absolutely not true today.

Since I never said anything against adding security mechanisms, I'll just 
assume that you missed my point.  In order not to bog down too far on that 
point, let me just ask:

 And the BCP that specifies the correct set of technologies, 
configurations, and use is...?

However the danger of going down this path is to miss the larger point 
about the problem with wholesale outbound port blocking.

d/


--
Dave Crocker mailto:[EMAIL PROTECTED]
TribalWise, Inc. http://www.tribalwise.com
tel +1.408.246.8253; fax +1.408.850.1850




Re: Console Servers

2002-09-10 Thread Kevin Oberman


 Date: Tue, 10 Sep 2002 16:53:02 -0400 (EDT)
 From: Charles Sprickman [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]
 
 
 Hello all,
 
 Here's what I've found out.  It's a mix.  If any one solution looks to
 be the winner it's the roll-your-own solution.  This is what I'm going
 for since it's relatively cheap for low-density installs.  The only
 problem I'm finding is that it's tough to get a 1U box that has 2 PCI
 slots open.  2U seems overkill.  Since Compact Flash adapters are cheap
 (about $20) and the cards themselves can be had for $59 (128MB), I'm going
 to go diskless.  I'll probably use conserver, but I'll be giving rtty a
 try as well.
 
 If anyone has pointers to cheap 1U or 2U's, I'm all ears.  Just need a
 minimal box, don't need much CPU for this.
 
 With about 13 replies, I can report the following:
 
  Lantronix - http://www.lantronix.com/products/cs/scs820_scs1620/index.html
 
 1 vote for, one against.  The complaint was that the Lantronix has a very
 bad management interface.

One issue is that there are two very different Lantronix boxes, the
SCSx00 and the SCSx20. The SCSx20 boxes were designed by Lightwave
Communications before they were bought out by Lantronix. They are
Linux boxes that reportedly have a very different management interface
from the 800/1600. I have used only the 1620 and, other than the high
price, I have been very pleased with them.

Despite the similarity of model numbers, the two product lines are
totally different.

I found a review of console servers from Network Computing that
reviewed quite a number of boxes at:

http://www.lantronix.com/news/news/network_computing.html

R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: [EMAIL PROTECTED]  Phone: +1 510 486-8634




Re: How do you stop outgoing spam?

2002-09-10 Thread Dan Hollis


On Tue, 10 Sep 2002, Barry Shein wrote:
 A problem with spam is not only aren't you likely to get caught, it's
 not even generally agreed to be illegal.

Worse yet, even in cases of clear criminal violations (eg relay rape, 
forgery, scams, death threats), it goes unprosecuted -- even when it's 
trivial to track down the offenders.

And you would not BELIEVE the effort it takes to get the US military to 
close their open relays (not to mention close their smurf amps and shut 
down their rooted boxes).

Fully half the fault and responsibility for the current state of affairs 
lies with providers who are unwilling to take any action to shut down well 
known spammers and abusers.

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]




Re: How do you stop outgoing spam?

2002-09-10 Thread Tim Thorne


Rafi Sadowsky [EMAIL PROTECTED] wrote:

 How about using a combination of technical and social measures.

How about nuking their DNS (providing they use DNS and not a URL with
an IP address) from the face of the planet making sure they can't
re-register it with any registrar? I know it gives them another hoop
to jump through, but the jumping will keep them from spamming for a
bit.

Tim



Re: ISPs who de-aggregate intentionally?

2002-09-10 Thread Jeffrey Haas


As a quick followup to my request:

On Tue, Sep 10, 2002 at 05:06:51PM -0400, Jeffrey Haas wrote:
 As part of this effort, if anyone is aware of ISPs who intentionally
 de-aggregate routes and could contact me to share some of the
 reasoning and their methodologies behind this, I would greatly
 appreciate it.

Explicit de-aggregation, in this case, is taking an existing announcement
and creating more specific announcements from it.  For example,
taking 10/8 and creating (where it didn't exist before) 10/9 and 10.128/9.

The leaking of more specific routes that actually exist in your
network is more a case of failing to aggregate, even if the assigned
internal networks are a result of taking your assigned block and
breaking it into several subnets.

Thanks for all the responses thus far.

-- 
Jeff Haas 
NextHop Technologies
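Jeff's definition above as a small analysis routine: an added example, not code from the poster, NextHop or the IDR working group. It walks a constructed list of (prefix, origin AS) announcements (documentation-range ASNs, not a real table), reports more-specifics announced by the same origin as a covering prefix, and separates a full split (10/8 into 10/9 and 10.128/9) from a single more-specific announced beside its aggregate.

```python
"""Spotting explicit de-aggregation in a set of BGP announcements.

Added example, not the poster's or NextHop's code. Input is a constructed
list of (prefix, origin AS) pairs of the kind a route collector would give;
the AS numbers are from the documentation range, not real networks.
"""
import ipaddress
from collections import defaultdict

# Constructed announcements (not a real table).
SAMPLE_ANNOUNCEMENTS = [
    ("10.0.0.0/8", 64500),          # aggregate ...
    ("10.0.0.0/9", 64500),          # ... explicitly split into two halves
    ("10.128.0.0/9", 64500),
    ("192.0.2.0/24", 64501),
    ("192.0.2.128/25", 64502),      # different origin: not de-aggregation
    ("198.51.100.0/24", 64503),
    ("198.51.100.0/26", 64503),     # one more-specific, aggregate not split
    ("2001:db8::/32", 64500),
    ("2001:db8:8000::/33", 64500),
]


def find_deaggregates(announcements):
    """Map each covering prefix to the more-specifics announced by the same
    origin AS. A more-specific with a *different* origin is ignored: that
    is typically a customer's or peer's own announcement, not the holder
    of the aggregate de-aggregating it."""
    groups = defaultdict(list)
    for prefix, origin in announcements:
        net = ipaddress.ip_network(prefix)
        groups[(origin, net.version)].append(net)   # subnet_of needs one version
    found = defaultdict(list)
    for nets in groups.values():
        nets.sort(key=lambda n: n.prefixlen)        # least specific first
        for i, net in enumerate(nets):
            covers = [a for a in nets[:i]
                      if a.prefixlen < net.prefixlen and net.subnet_of(a)]
            if covers:
                found[str(covers[0])].append(net)   # covers[0]: shortest prefix
    return {agg: [str(n) for n in sorted(specs)] for agg, specs in found.items()}


def fully_split(aggregate, specifics):
    """True when the more-specifics tile the aggregate exactly (10/8 -> 10/9 +
    10.128/9), i.e. the aggregate has been carved up rather than having a
    single more-specific announced beside it."""
    agg = ipaddress.ip_network(aggregate)
    parts = [ipaddress.ip_network(s) for s in specifics]
    return list(ipaddress.collapse_addresses(parts)) == [agg]


if __name__ == "__main__":
    for agg, specs in find_deaggregates(SAMPLE_ANNOUNCEMENTS).items():
        kind = "full split" if fully_split(agg, specs) else "partial"
        print(f"{agg:20s} {kind:10s} {', '.join(specs)}")
```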



Re: How do you stop outgoing spam?

2002-09-10 Thread Barry Shein



On September 10, 2002 at 14:20 [EMAIL PROTECTED] (Dave Crocker) wrote:
  
  Well, it's clear that the real point I was trying to make was entirely 
  missed by everyone, so let me try again.
  
  Dealing with problems, by focusing on absolute outbound port control, 
  restricts legitimate use, as well as problematic use.  For a group that is 
  largely dominated by libertarian thinking, opting for blanket, outbound 
  port control is odd.  Very odd.

I think we do understand very well.

In a nutshell: We're hosed.

Everyone is running around willy-nilly doing things like blocking
outbound port servers, analyzing mail headers which were never meant
to be analyzed, doing full body text searching against hundreds of
regexp patterns, blocking hundreds if not thousands of IP addresses
and entire (CIDR forgive me) nets, etc.

At this point your easy-to-agree-with point is kinda like saying
   I pay taxes, I damned well ought to be able to walk any street in any
city at any time of the day or night and be safe!

No.  It is like saying that because there is some street crime, in some 
places, let's make it illegal to walk anywhere, ever.

The word for this is curfew and it's not unusual in troubled areas.

And it is like saying that because some people make obscene phone calls, 
all phone calls will now be monitored.

All phone calls are potentially monitorable because of problems like
this.

etc etc etc let's not quibble the analogies too much.

My point is that we are now in a high crime zone, and what the laws
(standards) say are becoming less and less influential versus frantic
attempts to stop crime (spam.)

You can't have law without order.

Put another way, if no one will (or can) enforce the law such that
order prevails people will just do what they have to. This often
results in chaos.

1. Outlaws running crazy in the streets, drunk, raping, looting,
   tipping badly, etc.

2. Citizens meet in the church, yell at the sheriff, sheriff shrugs
   shoulders, bunch of men grab rifles and march out to confront
   outlaws themselves.

3. Massacre, vigilantes shoot each other, other honest townspeople,
   criminals laugh hysterically and vow to get drunker and have
   more fun (Dave, you've come in just about here.)

4. New sheriff comes into town, scares the crap out of everyone
   because he's so mean. Threatens to hang any citizen who takes
   law into own hands, etc.

5. New sheriff cleverly thwarts criminals while citizenry cowers
   behind closed doors and drawn curtains.

6. Law and order is restored, townspeople tearfully beg new sheriff
   to stay. Sheriff sneers, rides into sunset, next time you have to
   do it for yourselves.

7. Haunting tune whistled, credits roll.


-- 
-Barry Shein

Software Tool & Die| [EMAIL PROTECTED]   | http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202| Login: 617-739-WRLD
The World  | Public Access Internet | Since 1989 *oo*



Re: How do you stop outgoing spam?

2002-09-10 Thread Barry Shein



On September 10, 2002 at 14:41 [EMAIL PROTECTED] (Dan Hollis) wrote:
  On Tue, 10 Sep 2002, Barry Shein wrote:
   A problem with spam is not only aren't you likely to get caught, it's
   not even generally agreed to be illegal.

...some stuff snipped...

  Fully half the fault and responsibility for the current state of affairs 
  lies with providers who are unwilling to take any action to shut down well 
  known spammers and abusers.

But much of that goes back to spamming not being clearly illegal, in
two ways:

1. Some just take the attitude that if it's not illegal then it's ok,
ignorable even if obnoxious behavior. No doubt the fact that it's
paying customers doing the spamming in some cases colors this
view. For others it's probably just overworked, yet another
distraction.

2. Some others take the attitude that if it's not illegal they're
taking a chance (of lawsuit etc) if they shut someone down.

Unless of course they have clear T&C's, but no matter how you write
them some obnoxious, aggressive, pond-scum can try to dispute that it
applies to them. Been there, done that.

Unless you do something nice and transparent like you get 5
complaints per month free, the rest cost you $100/each.

-- 
-Barry Shein

Software Tool & Die    | [EMAIL PROTECTED]   | http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202| Login: 617-739-WRLD
The World              | Public Access Internet | Since 1989 *oo*



Drive-by spam hits wireless LANs

2002-09-10 Thread blitz





And you think the terrestrial sources are hard to shut down



Drive-by spam hits wireless LANs

By Graeme Wearden
Special to CNET News.com
September 6, 2002, 10:14 AM PT
http://news.com.com/2100-1033-956911.html

LONDON--The proliferation of insecure corporate wireless networks is
fueling the growth of drive-by spamming, a security expert warned on
Thursday.




Re: Drive-by spam hits wireless LANs

2002-09-10 Thread Joel Jaeggli


It always figures, that when you create a commons, virtual or actual that 
someone will come along and mess it up.

joelja

On Tue, 10 Sep 2002, blitz wrote:

 
 
 
 
 And you think the terrestrial sources are hard to shut down
 
 
 
 Drive-by spam hits wireless LANs
 
 By Graeme Wearden
 Special to CNET News.com
 September 6, 2002, 10:14 AM PT
 http://news.com.com/2100-1033-956911.html
 
 LONDON--The proliferation of insecure corporate wireless networks is
 fueling the growth of drive-by spamming, a security expert warned on
 Thursday.
 

-- 
Joel Jaeggli  Academic User Services   [EMAIL PROTECTED]
--PGP Key Fingerprint: 1DE9 8FCA 51FB 4195 B42A 9C32 A30D 121E  --
  In Dr. Johnson's famous dictionary patriotism is defined as the last
  resort of the scoundrel.  With all due respect to an enlightened but
  inferior lexicographer I beg to submit that it is the first.
-- Ambrose Bierce, The Devil's Dictionary





Re: How do you stop outgoing spam?

2002-09-10 Thread Dan Hollis


On Tue, 10 Sep 2002, Barry Shein wrote:
 2. Some others take the attitude that if it's not illegal they're
 taking a chance (of lawsuit etc) if they shut someone down.

But they often don't shut abusers down even when the activity IS illegal 
(e.g. flooding attacks, rooting boxes, scanning and dictionary attacks, 
 criminal trespass relay rape, etc.)

 Unless of course they have clear TC's, but no matter how you write
 them some obnoxious, agressive, pond-scum can try to dispute that it
 applies to them. Been there, done that.

Or companies which don't enforce them (e.g. exodus) even when it's criminal 
trespass...

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]




RE: ISPs who de-aggregate intentionally?

2002-09-10 Thread dalph



 As part of the process of making the latest BGP draft an IETF
 standard, the IDR working group is in the process of reviewing how
 the current draft reflects deployed code.
 
 As part of this effort, if anyone is aware of ISPs who intentionally
 de-aggregate routes and could contact me to share some of the
 reasoning and their methodologies behind this, I would greatly
 appreciate it.

It's great for traffic engineering.  We have two different upstreams in
two different cities, and use it to avoid traffic on our core.  We
wanted to offer static IP dialups for roaming users, but had troubles
with /32 prefixes being filtered by the big players.

-Dalph




Get your free encrypted email at https://www.hushmail.com



Re: Console Servers

2002-09-10 Thread Charles Sprickman


On Tue, 10 Sep 2002, Simon Lockhart wrote:

  I also noted that BBC is using a mess of these at Telehouse...

 ...a mess... ?

Just to be clear, when I say mess I don't mean messy, but a lot,
bunches, oodles, etc.

You have a very nice neat setup there, one of the better organized open
cabinets I saw in the facility.  I was working about 3 cabinets down.  I
also was wondering where that Axis cam was displayed, now I know.

I did see one major carrier there with a bunch of Juniper equipment and
about 3 OC-48, 2 OC-12 and 2 or 3 OC-3 interfaces.  No door on the
cabinet.  Very frightening given the recent security thread.  It was so
messy I'd be worried someone walking by could accidentally take out a few
OC-48 lines...

Charles

   http://support.bbc.co.uk/support/standards/rack_top.jpg

 We do indeed use the Lantronix, have done since '97 or before. Not really
 had any reliability problems with them. The odd fan bearing has gone, but
 they keep running nonetheless.

 The CLI is very VMSish, but not bad when you get used to it, plenty of
 online help.

 Only minor niggle is that they changed the authentication procedure in
 a recent code version, without flagging it in big letters.

  Cisco -
 
  2 suggestions to use a 2511 or a 3620 with 16 port async cards.  The 2511
  would probably be a bit too slow if you enable ssh though...

 I use a 2610 with the 16 port async card for personal colo, and it works
 well. Not noticed any performance problems for occasional use. Biggy niggle
 is that you can't easily set up ssh to a port with per-port passwords. Had
 to fudge it thus:

   ! One local user per async line: login goes straight into a reverse
   ! telnet to the loopback on port 2000+line (line 33 -> 2033), and
   ! noescape stops the user dropping back to the exec.
   username port1 noescape password 7 **
   username port1 autocommand telnet 123.45.67.89 2033

   interface Loopback0
    ip address 123.45.67.89 255.255.255.255

   ! Only the router's own loopback may reach the reverse-telnet ports,
   ! so each port is reachable only through the ssh login for its user.
   access-list 1 permit 123.45.67.89

   line 33 48
    access-class 1 in
    no exec
    transport input telnet

 Simon
 --
 Simon Lockhart   |   Tel: +44 (0)1737 839676
 Internet Engineering Manager |   Fax: +44 (0)1737 839516
 BBC Internet Services| Email: [EMAIL PROTECTED]
 Kingswood Warren,Tadworth,Surrey,UK  |   URL: http://support.bbc.co.uk/
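The per-port workaround Simon describes above scales to a whole async card only if the username/autocommand pairs and the reverse-telnet ports line up. The following is an added example, not Simon's or the BBC's own code: it generates that config for a range of lines and checks that the reverse-telnet ports are locked to the loopback. It assumes the IOS convention that reverse telnet to a line listens on TCP 2000 + the absolute line number (line 33 -> 2033, as in the posted config); the "port" username prefix, the loopback address and the line range are placeholders, and the "password 7 **" keeps the elided secret from the post.

```python
# Added example (not from the original post): generate the per-port
# reverse-telnet workaround for a block of async lines and check that
# the reverse-telnet ports are reachable only via the router's loopback.
# Assumptions: IOS reverse telnet port = 2000 + absolute line number;
# username prefix, loopback address and line range are placeholders.

REVERSE_TELNET_BASE = 2000


def reverse_telnet_port(line_no: int) -> int:
    """TCP port IOS uses for reverse telnet to an async line (2000 + line)."""
    if line_no < 1:
        raise ValueError("line numbers start at 1")
    return REVERSE_TELNET_BASE + line_no


def port_user(index: int, prefix: str = "port") -> str:
    """Login name for the Nth console port (port1, port2, ...)."""
    return f"{prefix}{index}"


def build_console_config(first_line: int, last_line: int, loopback: str,
                         acl: int = 1, prefix: str = "port") -> str:
    """Return IOS config text: one no-escape user per line whose autocommand
    reverse-telnets to the loopback, plus an ACL so the reverse-telnet ports
    accept connections only from the loopback itself, i.e. only through the
    autocommand that runs after an ssh login to the router."""
    if last_line < first_line:
        raise ValueError("empty line range")
    out = []
    for idx, line_no in enumerate(range(first_line, last_line + 1), start=1):
        user = port_user(idx, prefix)
        # "password 7 **" is the elided placeholder from the post; each user
        # gets its own secret in a real deployment.
        out.append(f"username {user} noescape password 7 **")
        out.append(f"username {user} autocommand telnet {loopback} "
                   f"{reverse_telnet_port(line_no)}")
    out.append("!")
    out.append("interface Loopback0")
    out.append(f" ip address {loopback} 255.255.255.255")
    out.append("!")
    out.append(f"access-list {acl} permit {loopback}")
    out.append("!")
    out.append(f"line {first_line} {last_line}")
    out.append(f" access-class {acl} in")
    out.append(" no exec")
    out.append(" transport input telnet")
    return "\n".join(out) + "\n"


def check_reverse_ports_locked(config: str, loopback: str) -> bool:
    """Sanity check on generated (or pasted) config: exactly one access-list
    that permits only the loopback host, and the line block carrying the
    reverse-telnet ports must apply an inbound access-class. Without both,
    the ports are open to anyone who can reach the router with plain telnet."""
    acl_lines = [l.strip() for l in config.splitlines()
                 if l.strip().startswith("access-list")]
    if len(acl_lines) != 1 or acl_lines[0].split()[-1] != loopback:
        return False
    in_line_block = False
    saw_access_class = False
    for l in config.splitlines():
        if l.startswith("line "):
            in_line_block = True
            continue
        if in_line_block and l.strip().startswith("access-class"):
            saw_access_class = True
    return in_line_block and saw_access_class


if __name__ == "__main__":
    cfg = build_console_config(33, 48, "123.45.67.89")
    print(cfg)
    print("reverse-telnet ports locked to loopback:",
          check_reverse_ports_locked(cfg, "123.45.67.89"))
```

The check is deliberately strict about there being a single access-list entry: a second permit line, even a well-meant one for a management host, reopens the reverse-telnet ports to plain telnet and bypasses the ssh login the whole arrangement exists to enforce.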





Re: How do you stop outgoing spam?

2002-09-10 Thread Barry Shein



Ya know Vadim, with all due respect, some people choose to live on
their knees, one govt after another.

You do know what happened to HUAC et al don't you? They got their
butts thrown out of congress. Sen Joe McCarthy died a lonely, bitter,
drunk.

Meanwhile, civilization demands of us to use a govt or govt-like
entity to run a legal system, not vigilantism.

   -b

On September 10, 2002 at 18:29 [EMAIL PROTECTED] (Vadim Antonov) wrote:
  Some of us came from places where the new sheriff came and stayed. And
  because just scaring didn't work after some time, he proceeded to hang and
  hang and hang, murdering millions just to keep the rest properly scared.
  
  When someone gets power he's quite unlikely to part with it on his own.  
  Harsher view of the reality, if you wish.  Or, rather, real life
  experience.
  
  Calling on government to come and fix problems which can conceivably be
  fixed without it is a surefire way to get more sheriffs on your neck.  
  HUAC[*] reading your e-mail to determine if it contains loathed
  un-american terrorist-sponsoring spam. With Ashcroft being in charge of
  grilling spammers. Or whomever he declared an enemy today.
  
  Be careful with what you wish.  Your wish may be granted.
  
  --vadim
  
  [*] House Un-American Activities Committee.



Re: How do you stop outgoing spam?

2002-09-10 Thread Dave Crocker


At 09:53 PM 9/10/2002 -0400, Barry Shein wrote:
You do know what happened to HUAC et al don't you? They got their
butts thrown out of congress. Sen Joe McCarthy died a lonely, bitter,
drunk.

barry, look around and what's been happening over the last year.

he's popular again.

d/


--
Dave Crocker mailto:[EMAIL PROTECTED]
TribalWise, Inc. http://www.tribalwise.com
tel +1.408.246.8253; fax +1.408.850.1850




Just another day on the Internet

2002-09-10 Thread Sean Donelan



Experts predicted that Wednesday is likely to be just another day on the
Internet, and if anything a quiet day for cybercriminals.

http://story.news.yahoo.com/news?tmpl=story&ncid=581&e=7&cid=581&u=/nm/20020911/tc_nm/attack_tech_cyberthreat_dc

What is a normal day on the Internet?

http://www.caida.org/outreach/papers/2001/BackScatter/

Measured 12,000 attacks over a three week period, or 570 attacks a day.

http://www.fcc.gov/Bureaus/Engineering_Technology/Filings/Network_Outage/

There is a significant outage on average every 2-3 days.