Re: Abuse response [Was: RE: Yahoo Mail Update]

2008-04-15 Thread Steve Atkins



On Apr 15, 2008, at 11:54 AM, William Herrin wrote:


On Tue, Apr 15, 2008 at 2:04 PM, Steve Atkins <[EMAIL PROTECTED]> wrote:

Unfortunately many of the skills required to be a competent abuse desk
worker are quite specific to an abuse desk, and are not typically possessed
by random technical staff.


Steve,

You don't, per chance, mean to suggest that random back-office
technical staff might not have the temper and disposition to remain
polite and helpful with the gentleman from the state capital so upset
about the interdiction of his political mailings that he's ready to
sic the regulators on you and wipe you off the map?

The problem is that the individual who -does- have those skills along
with the technical know-how to deal with the complaint itself usually
ALSO has the skills to be the customer contact for a multi-million
dollar contract. If you're a manager at a company that wants to, well,
make money, which chair will you ask that individual to sit in?


Not really.

IMO, with decent automation[1] and a reasonably close working
relationship between the abuse desk, the NOC and an internal
sysadmin/developer or two, there's not that much need for a high level
of technical know-how in the abuse desk staff.

Good people skills are certainly important, and it'd be good to
have at least one abuse desk staffer with a modicum of technical
knowledge to handle basic technical questions, and help channel
more complex ones to the NOC or developers efficiently, but the level of
technical know-how needed to be an extremely effective abuse
desk staffer is pretty low. The specific technical details they do
need to know they can pick up from their peers (both within
the abuse desk, in other groups of their company and, perhaps
most importantly, from their peers at other companies' abuse desks).

It's closer to a customer support position, in skillset needed, than
anything deeply technical, though an innate ability to remain calm
under pressure is far more important in abuse than support. If you're
big enough that you need more than one person staffing your abuse
desk you can mix-n-match skills across the team too, of course.

Cheers,
  Steve

[1] Yeah, I develop abuse desk automation software, so I'm
both reasonably exposed to practices at a range of ISPs and
fairly biased in favor of good automation. :)


Re: Abuse response [Was: RE: Yahoo Mail Update]

2008-04-15 Thread Steve Atkins



On Apr 15, 2008, at 10:33 AM, Rich Kulawiec wrote:


On Tue, Apr 15, 2008 at 11:22:59AM -0400, William Herrin wrote:

There's a novel idea. Require incoming senior staff at an email
company to work a month at the abuse desk before they can assume the
duties for which they were hired.

My hunch says that's a non-starter. It also doesn't keep qualified
folks at the abuse desk; it shuffles them through.


Require all technical staff and their management to work at the abuse
desk on a rotating basis. This should provide them with ample motivation
to develop effective methods for controlling abuse generation, thus
reducing the requirement for abuse mitigation, thus reducing the time
they have to spend doing it.


Unfortunately many of the skills required to be a competent abuse desk
worker are quite specific to an abuse desk, and are not typically possessed
by random technical staff.

So, to bring this closer to nanog territory, it's a bit like saying that all the
sales and customer support staff should be given enable access to your routers
and encouraged to run them on a rotating basis, so that they understand
the complexities of BGP and will better understand the impact their decisions
will have on your peering.

Cheers,
  Steve



Re: Abuse Reporting (non-SMTP Abuse)

2008-04-15 Thread Steve Atkins



On Apr 15, 2008, at 7:31 AM, Jim Popovitch wrote:


On Tue, Apr 15, 2008 at 3:39 AM,  <[EMAIL PROTECTED]> wrote:


http://xml.coverpages.org/iodef.html


SO, is it generally accepted to use IODEF to report non-SMTP abuse
(web/port scans, etc)?


Probably not, unless you're sending it to someone who has asked
for iodef format reports. Unlike ARF they're only machine readable.

Cheers,
  Steve



Re: Problems sending mail to yahoo?

2008-04-13 Thread Steve Atkins



On Apr 13, 2008, at 5:04 PM, Barry Shein wrote:



Massive quoting gets old fast so I'll try to summarize and if I
misrepresent your POV in any way my profuse apologies in advance.

First and foremost let me say that if we had a vote here tomorrow on
the spam problem I suspect you'd win but that's because most people,
even (especially) people who believe themselves to be technically
knowledgeable, hold a lot of misconceptions about spam. So much for
democracy.

I say the core problem in spam are the botnets capable of delivering
on the order of 100 billion msgs/day.

You say there are other kinds of spammers.

I'll agree but if we got rid of or incapacitated the massive botnets
that would be a trickle, manageable, and hardly be worth fussing
about, particularly on an operational list.



The reason is that without the botnets the spammers don't have address
mobility. You could just block their servers.


Address mobility doesn't buy you that much. It's relatively easy to mechanically
detect, and block, IP addresses that source mail solely from spam-related
botnets. (Not easy in the absolute sense, but easier than other problems
and, mostly, a solved one). Botnet sourced mail generally doesn't get
seen much by recipients at ISPs with competent spam filtering. It sure can
cause other operational problems, but in terms of being a "spam problem"
it's not the biggest one out there.

Blocking unwanted mail from sources that send a mixture of wanted
and unwanted mail, while still allowing the wanted mail through is
extremely difficult, and a much, much harder problem for spam
mitigation to solve. And those are primarily the non-botnet sources.

Spam filtering at real ISPs with real recipients has to deal with the
fact that recipients do want to read some of the mail they're sent
from Gmail, Yahoo Groups, Topica and suchlike.

Cheers,
  Steve





Re: NXDOMAIN data needed for survey

2008-03-20 Thread Steve Atkins



On Mar 20, 2008, at 12:04 PM, Martin Hannigan wrote:


On Thu, Mar 20, 2008 at 1:33 PM, Steve Atkins <[EMAIL PROTECTED]>  
wrote:




On Mar 20, 2008, at 9:56 AM, Martin Hannigan wrote:


On Thu, Mar 20, 2008 at 12:22 PM, Ray Demain wrote:

We are looking to purchase NXDOMAIN data for an internet survey.

We prefer to receive the data on an hourly basis so it is as fresh as
possible. Our system receives the data from you via ftp that you provide.
It's hard to value the data until we have taken a look at it. As one example,
we pay a current partner $4000 per month for 100,000 records per day. If you
would like to set up a test so we can determine the value of your data please
contact me at





What company would this be for?


A domain squatting company, presumably.



Thanks, I know. I wanted to stimulate a thread that was archived for
others' historical reference.


Yeah, me too.

He's also apparently Mr Domain Investments LLC, Mr herbalclicks.com,
was typosquatting on a bunch of t-mobile domains until they took them
away from him -
http://www.wipo.int/amc/en/domains/decisions/html/2007/d2007-0919.html
- and was sued by Microsoft for sending CAN-SPAM violating spam to
hotmail users a couple of years back in the myauctionbiz.biz case -
http://spamkings.oreilly.com/MSFT-vs-Myauctionbizbiz.pdf .

I wonder who he's paying for his nxdomain data, and whether that
someone is authorized to sell it. It strikes me that it's just a small
step for someone with access to ISP internal data to go from selling
DNS logs to selling usernames too.

Cheers,
  Steve



Re: NXDOMAIN data needed for survey

2008-03-20 Thread Steve Atkins



On Mar 20, 2008, at 9:56 AM, Martin Hannigan wrote:


On Thu, Mar 20, 2008 at 12:22 PM, Ray Demain wrote:

We are looking to purchase NXDOMAIN data for an internet survey.

We prefer to receive the data on an hourly basis so it is as fresh as
possible. Our system receives the data from you via ftp that you provide.
It's hard to value the data until we have taken a look at it. As one example,
we pay a current partner $4000 per month for 100,000 records per day. If you
would like to set up a test so we can determine the value of your data please
contact me at





What company would this be for?


A domain squatting company, presumably. The same pseudonym has been
trolling web hosting forums to buy the same data today.

He's Marlon Phillips, [EMAIL PROTECTED], I'm pretty sure, though which
particular squatter company he represents, I've no idea.

Cheers,
  Steve



Re: houston.rr.com MX fubar?

2008-01-12 Thread Steve Atkins



On Jan 12, 2008, at 7:02 PM, Chris Boyd wrote:



We're bouncing email to houston.rr.com due to the MX being set to localhost.

[EMAIL PROTECTED]:~$ host -t mx houston.rr.com
houston.rr.com mail is handled by 10 localhost.

Setting the MX to 127.0.0.1 seems like an odd way to handle the switch.





houston.rr.com, amongst other domains, went away as part of the adelphia /
comcast / roadrunner customer swap.

http://blog.wordtothewise.com/index.php/2008/01/11/changes-at-roadrunner/

I tend to agree about the MX-localhost thing (MX 0 . would be better), but
the domain is dead, Jim, as far as email is concerned.

Cheers,
  Steve
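How a sending MTA should treat the two MX shapes discussed above, as an added example that is not code from the original thread: an MX pointing at localhost (which a sender must never connect to, since that would be itself) versus the "MX 0 ." null-MX convention that says outright that the domain takes no mail. The `host` output line is the one quoted in the post; the other records are constructed.

```python
"""Classify a domain's MX set before a sending MTA attempts delivery.

Added example, not the original post's code.  "MX 10 localhost." is what
houston.rr.com published; a sender that follows it tries to deliver to
itself.  "MX 0 ." is the null-MX convention: the domain takes no mail
and the message should be bounced without any SMTP attempt.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class MX:
    preference: int
    exchange: str          # hostname as DNS returned it, trailing dot optional


LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def is_loopback_target(exchange: str) -> bool:
    """True for localhost-style names, empty names, and loopback or
    unspecified IP literals (127.0.0.1, ::1, 0.0.0.0) used as an MX."""
    name = exchange.rstrip(".").lower()
    if not name or name in LOOPBACK_NAMES:
        return True
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        return False               # an ordinary hostname
    return ip.is_loopback or ip.is_unspecified


def classify_mx(records: List[MX]) -> str:
    """Return 'no-mx', 'null-mx', 'bogus' or 'ok' for a domain's MX set."""
    if not records:
        return "no-mx"             # RFC 5321: fall back to the A record
    if (len(records) == 1 and records[0].preference == 0
            and records[0].exchange.rstrip(".") == ""):
        return "null-mx"           # "MX 0 .": bounce immediately, no SMTP
    usable = [r for r in records if not is_loopback_target(r.exchange)]
    if not usable:
        return "bogus"             # every MX points at loopback: undeliverable
    return "ok"


def delivery_targets(records: List[MX]) -> List[str]:
    """MX hosts to try, best preference first, loopback entries dropped."""
    if classify_mx(records) != "ok":
        return []
    usable = [r for r in records if not is_loopback_target(r.exchange)]
    return [r.exchange.rstrip(".")
            for r in sorted(usable, key=lambda r: r.preference)]


HOST_LINE = re.compile(r"^(\S+) mail is handled by (\d+) (\S+)$")


def parse_host_output(lines: List[str]) -> List[MX]:
    """Parse 'host -t mx' output lines into MX records."""
    out: List[MX] = []
    for line in lines:
        m = HOST_LINE.match(line.strip())
        if m:
            out.append(MX(int(m.group(2)), m.group(3)))
    return out


# The lookup result quoted in the thread.
HOUSTON_RR = ["houston.rr.com mail is handled by 10 localhost."]

if __name__ == "__main__":
    recs = parse_host_output(HOUSTON_RR)
    print(recs, classify_mx(recs), delivery_targets(recs))
```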


Re: Postmaster Operator List?

2007-11-16 Thread Steve Atkins



On Nov 16, 2007, at 10:50 AM, Jim Popovitch wrote:



On Fri, 2007-11-16 at 22:13 +0530, Suresh Ramasubramanian wrote:
On Nov 16, 2007 10:04 PM, Leigh Porter <[EMAIL PROTECTED]> wrote:

If there was, I sure would not join it. It'd be full of "I cannot send
mail to your domain blah blah"



Been to a MAAWG meeting yet?  Or been on one such list?

There's a lot more interesting and useful / operationally relevant
stuff that goes on.



From www.maawg.org: "Your company must be a member of this organization
for you to gain access to the members area of this site"


Well, yes. That's why it's called the "members area". There's a bunch of
information there that is not in the "members area" (as well as some that
should be, but isn't, IMO but what can you do?).



Ok, so it's still a good-ole-boys club. Interestingly enough, a lot of
the names on the "approved" companies are some of the ones that can't
very effectively control inbound/outbound spam from their net blocks.
How long has MAAWG been in existence? Has email Abuse gotten better or
worse?


All of which is covered on the maawg website, IIRC, should you want to
look, rather than rant.



Perhaps if they weren't so exclusive




It being slightly exclusive keeps the idiots out, and reduces the "I cannot send
mail to your domain blah blah" to a negligible level. It's only about $3k / year to be
a corporate member, so it's not that high a bar to any company that actually
cares about email.

If you want a forum solely about email operations that's open to any idiot with
a mail client, you risk attracting all sorts of nutjobs on all sides of the spam / filtering
issue. If you limit it to operators, you'll attract the subset of those nutjobs who also
claim to be operators. You'll certainly attract a lot of write-only traffic of the "I cannot
send mail to..." mentioned above too.

Cheers,
  Steve



Re: Hey, SiteFinder is back, again...

2007-11-06 Thread Steve Atkins



On Nov 6, 2007, at 12:20 PM, Robert Bonomi wrote:




From: Barry Shein <[EMAIL PROTECTED]>
Date: Tue, 6 Nov 2007 13:05:26 -0500
Subject: Re: Hey, SiteFinder is back, again...

Since this is verizon, one wonders why this has never been tried on
wrong, non-working phone numbers?

  Visit your local chevy dealer, no interest for 12 months! We're
  sorry, the number you have reached

is it illegal?


Before they could do it, they'd have to file -- and get approved -- a
tariff with the public utilities commission in each state.

I'm not at all sure how well such a proposal would fly there.


There are already companies offering advertising funded
long distance service. And advertising funded VoIP dialtone.

It's not like this is a hypothetical that's bizarrely out there.

Cheers,
  Steve





Re: Researchers ping through first full 'Internet census' in 25 years

2007-10-12 Thread Steve Atkins



On Oct 12, 2007, at 5:08 PM, Mark Foster wrote:




(If some random dynamic IP host on the other side of the world
started hitting my firewall for no apparent reason, I'd be raising
my eyebrows too. Of course, these days, I have a much better idea
of what is genuinely threatening and what isn't.)


If there weren't a dynamic IP host on the other side of the world
hitting my firewall I'd be calling my provider, 'cos I'd know my
connection had gone down.


Cheers,
  Steve



Re: [policy] When Tech Meets Policy...

2007-08-13 Thread Steve Atkins



On Aug 13, 2007, at 11:03 AM, Chris L. Morrow wrote:





On Mon, 13 Aug 2007, John C. A. Bambenek wrote:



That's exactly the problem "the goal of tasting is to collect pay
per click ad revenue"...

Ten years ago the internet was for porn, now it's for
MLM/Affiliate/PPC scams. As long as we put up with companies abusing
the Internet as long as they are making a buck, they'll keep doing it.


to be very clear, this 'domain tasting' (no matter if you like it or not)
is just using a 'loophole' in the policy/purchase that's there for the
safe guarding of normal folks. It just happens that you can decide within
5 days that you don't want a domain or 1 million domains...

So, to be clear folks want to make it much more difficult for
grandma-jones to return the typo'd: mygramdkids.com for mygrandkids.com
right?


If grandma-jones orders custom stationery and doesn't
manage to spell her name correctly, she'll end up with
misspelled stationery. The main difference is that
a misspelled domain name is likely to be a much cheaper
mistake than misspelled stationery.

A question to the registrars here: What fraction of legitimate
domain registrations are reversed because the customer
didn't know how to spell, and noticed that within the five
day "dictionary time"?

Cheers,
  Steve



Re: Gwd: crypted document

2007-08-02 Thread Steve Atkins



On Aug 2, 2007, at 7:22 PM, Chris Adams wrote:



Once upon a time, Hex Star <[EMAIL PROTECTED]> said:
Why would someone in the ISP industry try to spread a virus? Ironically I
suppose an ISP admin may have their own computer infected... :P


Why would someone assume that the sender in a virus email is valid?


For a few, it's because the developers really are that stupid.

Mostly, though, it's that they think that if they pretend to be that stupid then they
can advertise their product via spam that's sent from a wide variety of places
that can't all be easily blocked. (Most of the developers I've talked to say that they
know it's stupid, but that's the product requirements they have to work with).


Cheers,
  Steve



Re: Questions about populating RIR with customer information.

2007-08-01 Thread Steve Atkins



On Aug 1, 2007, at 6:47 AM, Drew Weaver wrote:



Up until recently, we were only providing the RIR database
with information about our larger allocations /24 or larger. We
have noticed however that many anti-spam organizations such as
Spamhaus, and Fiveten will use the lack of information regarding an
IP allocation as a blank check to blacklist entire /24s when they
are really targeting a single /30 or a /29. As such we are
examining publishing information for all allocations in the RIR
database (/30s, /29s, etc).


Do you run an rwhois server with the allocation information already?
If so, you'd have good reason to be aggrieved at blacklists not doing
some amount of due diligence (though I think that's the first time
I've heard spamhaus and fiveten - the two extremes of professionalism
- bundled together).


If not, then yes, if there's abusive traffic coming from hosts on
your systems you're likely to find the smallest published allocation
blocked (for reasons that are generally pretty good decisions
operationally on the part of the people who don't want the bad traffic).


My question, mostly is related to the privacy of the customer whom
the space is being allocated to. Has anyone ever had an issue where
they have published a user's information and the user had an issue
with it? Is there some way that we can 'proxy' the information so
that it simply states that the /29 has been allocated to a customer
but it doesn't provide their contact information?


If you get a reputation for "providing spammers with anonymous SWIPs"
you're likely to have more problems with wider blocking, rather than
less.




Most of our customers are co-location and dedicated hosting
customers and we are simply unsure whether or not there are
implications (legal or otherwise) in publishing our customer data
in a public RIR database.


Does anyone have any thoughts on this? Sorry if this is the wrong
place to ask.


You'd need to ask your contract lawyers about most of that.

Cheers,
  Steve



Re: Interesting new dns failures

2007-05-24 Thread Steve Atkins



On May 24, 2007, at 6:14 AM, Chris L. Morrow wrote:





On Thu, 24 May 2007, Kradorex Xeron wrote:


Very true - If this is going to work, it's going to have to be on a global
scale, Not just one country of registrars can be made to correct the problem
as people who maliciously register domains will just do what the spyware
companies do, go to a country that doesn't care and do business there.


isn't that why we have ICANN? Shouldn't we ask for policy at the ICANN
level that penalizes registries who can then penalize registrars for bad
behaviour? From the beginning of this discussion there's been the point
made that without financial incentives this is all moot. That supposed
policy should include financial penalties it would seem.


How much more, per-domain registration or renewal, would you be
prepared to pay to cover the due-diligence requirements, the
additional skilled staff, the legal and PR costs when domains are
cancelled due to false accusations (or true ones) and so on?

(I'd be prepared to pay quite a bit more, if it were to actually work,
but I know it wouldn't).

Cheers,
  Steve



Re: On-going Internet Emergency and Domain Names (kill this thread)

2007-03-31 Thread Steve Atkins



On Mar 31, 2007, at 8:57 PM, Gadi Evron wrote:



On Sat, 31 Mar 2007, Patrick Giagnocavo wrote:


If the list feels otherwise, and that it is of interest and within
nanog guidelines, then I acquiesce, respecting the greater wisdom of
the list.


You do realize this post is not about Microsoft or IE 0days, right?



It's hard to say. By some standards (even if not local ones) I'd be
considered mildly knowledgeable about DNS, and from what you've
posted I haven't a clue what the real underlying issue is that you're
wibbling on about, beyond botnets bad (OK) + short TTLs bad (uhm,
no) + getting domains without paying bad (OK) + registries won't
pull domains on my say so (seems reasonable).

I'm prepared to concede, despite your previous history, that there
may well be an actual issue (as there are an awful lot of hideously ugly
corners with both DNS the protocol and domain registration the
policy), but you're being incredibly bad at communicating what
you actually think it is.

You may want to try again.

Cheers,
  Steve



Re: what happens when you put a typo in a DNSBL server?

2007-01-17 Thread Steve Atkins



On Jan 16, 2007, at 8:36 AM, Wes Hardaker wrote:




A number of ISPs use njabl.org as a DNS BL server. However, starting
jan 2 a new domain exists "njalb.org" which is serving A records for
anything queried against its DNS server. (note the difference: njaBL
vs njaLB). Previous to this date a misconfigured ISP was just not
being protected by the BL. Now, it's potentially dropping all mail
from anyone because of the typo.



If you screw up your mail configuration, you'll lose email.

I'm more concerned about the deluge of DNS queries caused
by people who randomly punch strings into their mailfilters
and cause quite a lot of traffic to third party DNS servers.

When I see people doing that to my DNS servers, I add
a wildcard record in the hope that they'll notice. The worst case is
when they're hitting the (non-existent) blacklist just to get
a value to feed into something like spamassassin that will
proceed to deliver the mail anyway.

There are de-facto standards that will prevent all this
happening, but the writers of spam filters are (as far
as I know, without exception) too stupid or too lazy
to take advantage of this.

Cheers,
  Steve
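The "de-facto standards" the reply refers to are the DNSBL test points (later written down in RFC 5782): a working list answers for 127.0.0.2 and does not answer for 127.0.0.1. The check below is an added example, not code from the original post or from any spam filter: it runs both probes before trusting a zone, so a mistyped zone name that resolves everything (as the njalb.org wildcard did) or one that resolves nothing is refused instead of silently rejecting or passing all mail. The zone names and DNS answers are constructed; the resolver is injected so the block runs offline.

```python
"""DNSBL sanity check for a mail filter (added example, not the post's code).

Convention: a live DNSBL lists the test address 127.0.0.2 and does NOT
list 127.0.0.1.  A misspelled or expired zone that answers every name
(a wildcard) fails the second probe; a dead or mistyped zone that
answers nothing fails the first.  Either way the zone is not consulted.
"""
from ipaddress import IPv4Address
from typing import Callable, Dict, List, Optional

# A resolver maps a hostname to its A records, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[List[str]]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 192.0.2.10 -> 10.2.0.192.zone."""
    octets = str(IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")


def check_dnsbl(zone: str, resolve: Resolver) -> Dict[str, object]:
    """Probe the two test points and report whether the zone is safe to use."""
    problems: List[str] = []
    if not resolve(dnsbl_query_name("127.0.0.2", zone)):
        problems.append("127.0.0.2 not listed: zone dead, mistyped, or not a DNSBL")
    if resolve(dnsbl_query_name("127.0.0.1", zone)):
        problems.append("127.0.0.1 listed: zone answers everything (wildcard)")
    return {"zone": zone, "usable": not problems, "problems": problems}


def is_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """Lookup that refuses to trust a zone failing the sanity check, so a
    typo in the configured zone name cannot turn into rejecting all mail."""
    if not check_dnsbl(zone, resolve)["usable"]:
        return False
    return bool(resolve(dnsbl_query_name(ip, zone)))


# Constructed answers standing in for live DNS (not real data).
FAKE_DNS: Dict[str, List[str]] = {
    "2.0.0.127.bl.example": ["127.0.0.2"],    # test point present
    "10.2.0.192.bl.example": ["127.0.0.2"],   # a constructed real listing
    # 1.0.0.127.bl.example is absent -> NXDOMAIN, as it should be
}


def fake_resolver(name: str) -> Optional[List[str]]:
    """Stand-in resolver: 'wildcard.example' mimics a typo'd zone that
    answers every query; 'gone.example' mimics a zone that answers nothing."""
    if name.endswith(".wildcard.example"):
        return ["127.0.0.2"]
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    for zone in ("bl.example", "wildcard.example", "gone.example"):
        print(zone, check_dnsbl(zone, fake_resolver))
    print("192.0.2.10 listed:", is_listed("192.0.2.10", "bl.example", fake_resolver))
```

For live use, pass a function that wraps a real lookup (for example one built on socket.gethostbyname_ex, returning None on NXDOMAIN) and cache the sanity-check result per zone rather than re-probing on every message.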





Re: Microsoft Corporate Postmaster Contact?

2006-12-18 Thread Steve Atkins



On Dec 18, 2006, at 3:39 PM, S. Ryan wrote:



I don't think it should ever be acceptable to have to 'sign up' to
report a security/network problem.


You don't. That's not what SNDS is. It's a feedback loop
sort of thing, a la scomp (and not at all relevant to the
original poster's question, I don't think, but without more
information, who can say?).


Steve Sobol wroteth on 12/18/2006 3:10 PM:

On Mon, 18 Dec 2006, Jay Stewart wrote:
This may not be much of a help, but can be a good resource for data when
dealing with mail issues regarding MS.

https://postmaster.live.com/snds/index.aspx

Of course, you need a Valid MSN "passport" for registration. . . . . sigh. .

sigh...? Sign up for a free Windows Live Mail (Hotmail) account, and
bingo, you have a Passport login. Hardly a show-stopper.


Cheers,
  Steve



Re: advise on network security report

2006-10-30 Thread Steve Atkins



On Oct 30, 2006, at 9:44 AM, Randy Bush wrote:

 o being put on a major DNS black list (spamcop, spamhaus, ahbl etc.)
 o hosting malware or phishing sites, open proxies
 o sending LOTS of SPAM, virus
 o IRC abuse
 o Botnet C&C
 o hopping glue/fast flux
 o abusive, vulnerable web servers


Some of those are clearly ludicrous to count as "incidents" at all


oh?  which?

i can see some not being clearly incidents, but rather operational
states, e.g. a vulnerable server/service.  but ludicrous?


Well, the data sources that have a significant false positive rate are
going to count many things as "incidents" that are anything but.
If sending closed-loop, opt-in email is considered equivalent to
hosting a botnet command and control network... the data is
meaningless.

In the hope of not pulling the blacklist trolls out of the woodwork
I'm not going to be more specific as to which of those data sources
have noticeable false positive issues, but I'm sure you get my point.

Cheers,
  Steve



Re: advise on network security report

2006-10-30 Thread Steve Atkins



On Oct 30, 2006, at 9:23 AM, Rick Wesson wrote:



Fergie wrote:

Rick,
It would interesting to know how you classify "incidents" in the
table below


any one of the following:

 o being put on a major DNS black list (spamcop, spamhaus, ahbl etc.)
 o hosting malware or phishing sites, open proxies
 o sending LOTS of SPAM, virus
 o IRC abuse
 o Botnet C&C
 o hopping glue/fast flux
 o abusive, vulnerable web servers


Some of those are clearly ludicrous to count as "incidents" at all, and some
of them aren't obviously a single incident, by any reasonable measure so if you're
planning to aggregate them all together into a single count the end
result is also going to be worthless. Some other way of aggregating
the data might be more useful.

(I also suspect that a subjective popularity contest list of providers is
not likely to be viewed as operational by many on nanog, though I
think some of the underlying data might be).

Cheers,
  Steve


Re: AOL Lameness

2006-10-02 Thread Steve Atkins



On Oct 2, 2006, at 11:06 AM, Mike Lyon wrote:



OK, I should clarify this. The description that is on that link I put
in my original e-mail doesn't actually describe what is happening, but
that is the error they spit back at me.

What really is happening is that the url that is in my e-mail and when
you resolve it to an IP, if you do a reverse lookup on that IP, it
comes back with a generic DNS entry that my colo provider has assigned
to it. So the issue seems to be that the reverse DNS entry and the
domain name don't match. But this isn't really an issue, a lot of
providers do it this way.

But why is AOL being lame with this?


If that's the behaviour you're seeing, and your theory is really the reason
for it... odds are that it's a bug. Happens occasionally.

The folks at AOL are usually pretty helpful - I'd suggest calling their
postmaster group and asking them for help (there's a link for that on
the URL you posted). They're the only ones who can help you diagnose
what's going on further, I suspect.

Cheers,
  Steve



Re: AOL Lameness

2006-10-02 Thread Steve Atkins



On Oct 2, 2006, at 10:35 AM, Mike Lyon wrote:



Is anyone else noticing new AOL lameness that when you send an e-mail
to an AOL user and if the e-mail has a URL in it but the reverse
lookup of that url doesn't come back to that domain name that AOL's
postmaster rejects it and gives you this URL:
http://postmaster.info.aol.com/errors/554hvuip.html

This has to be new policy for them because it never rejected them before...


That seems pretty unlikely (as it would break every email mentioning a
virtual hosted website), and the URL you link to says nothing of
the sort (it says "Don't use dotted-quads in URLs unless you want to
look like Atriks, doofus.").

Do you have some data suggesting that this is actually happening?

Cheers,
  Steve



Re: SORBS Contact

2006-08-09 Thread Steve Atkins



On Aug 9, 2006, at 8:29 PM, Robert J. Hantson wrote:



So with all this talk of Blacklists... does anyone have any suggestions
that would be helpful to curb the onslaught of email, without being an
adminidictator?

Right now, the ONLY list we are using is that which is provided through
spamcop. They seem to have a list that is dynamic and only blacklists
during periods of high reports, then takes them off the list after a
short time...

Or am I just a little naive?


Fairly naive. Spamcop blacklists a lot of IP addresses that send
a lot of email that isn't spam. And some that send zero spam, by
any sane definition.

That doesn't mean to say it doesn't work for you, but don't mistake
a list that'll block a mailserver for a week on the basis of one or
two unsubstantiated reports as _safe_ solely because it will only
block it for a week.

Depending on your demographics SpamCop may have an acceptable
false positive level, but it's not a list I advise most users to use as it
regularly lists sources of large amounts of non-spam (such as, for
example, mailservers used solely for closed-loop opt-in email).
Despite that, though, it's quite effective if you're prepared to accept
the false positive rate.

You may want to look at the CBL or XBL if you're interested in a
very effective IP based blacklist with a very low level of false
positives. Not zero, but really pretty low.

Pretty much all the others have levels of false positives that are
bad enough that I wouldn't use them myself, though depending
on the demographics of your recipients they may be acceptable
to you. Using them to block mail to all recipients is likely to be
problematic in most cases. Some recipients who choose to use
it? Sure. As part of a scoring system? Perhaps. Blocking across
all users? Probably a bad idea in most cases.

Cheers,
  Steve




Re: Tor and network security/administration

2006-06-21 Thread Steve Atkins



On Jun 21, 2006, at 2:53 PM, Jeremy Chadwick wrote:



On Wed, Jun 21, 2006 at 05:02:47PM -0400, Todd Vierling wrote:

If the point of the technology is to add a degree of anonymity, you
can be pretty sure that a marker expressly designed to state the
message "Hi, I'm anonymous!" will never be a standard feature of said
technology.  That's a pretty obvious non-starter.


Which begs the original question of this thread which I started: with
that said, how exactly does one filter this technology?


Why bother?

If the traffic is abusive, why do you care it comes from Tor? If there's
a pattern of abusive traffic from a few hundred IP addresses, block
those addresses. If you're particularly prone to idiots from Tor (IRC,
say) then preemptively blocking them might be nice, but I doubt the
number of new Tor nodes increases at a fast enough rate for it to be
terribly interesting.

If you want to take legal action you know exactly who is responsible
for the traffic, so whether it's coming from a Tor exit node or not isn't
terribly interesting in that case either.

If you still do want to then there are some very obvious ways to do
so, combining a Tor client and a server you run.

(And this is from the perspective of someone who does not believe
there is any legitimate use for Tor at all.)

Cheers,
  Steve



Re: Tor and network security/administration

2006-06-17 Thread Steve Atkins



On Jun 17, 2006, at 6:29 AM, Jeremy Chadwick wrote:



Apologies if this has been brought up before.

Being as I'm not a network administrator myself (although I do filter
some stuff using pf and ipfw on my servers), I'm curious what NAs
think of the following technology:

http://tor.eff.org/overview.html.en

The problem I see is that this technology will be used (literally,
not ideally) solely for harassment (especially via IRC).  I do not
see any other practical use for this technology other than that.
The whole "right to privacy/anonymity" argument is legitimate, but I
do not see people using* Tor for legitimate purposes.

A colleague of mine stated his opinion of my opinion: "Your problem
with Tor is that you can't control it, isn't it?"  And he's right --
that's the exact problem I have with it.

Comments/concerns?


It's a proxy botnet, created by social engineering, rather than compromised
machines, but apart from that it's indistinguishable from any other.

The approaches you're using for abuse from other open proxies and
botnets should work fine for tor. If you've not dealt with the general
case then fixating on tor is pretty much a waste of time (unless you're
running an IRC network, perhaps).

Cheers,
  Steve



Re: Ongoing DDoS helped by non responsive abuse desks

2006-03-23 Thread Steve Atkins



On Mar 23, 2006, at 7:54 AM, Martin Lathoud wrote:



Hi,

One of our web servers got hammered by ~5K req/s for hours from
browsers with the following referer:


[snip]





Which of these is your website?

Cheers,
  Steve



Re: The dissention grows towards AOL and pay per message

2006-02-22 Thread Steve Atkins



On Feb 22, 2006, at 3:30 PM, Nicole wrote:





 This was sent to me on another mailing list. I am on a number of
smaller and or community mailing lists who feel very threatened by this.




Only because they don't understand it.

Pretty much all of what you included is simply untrue. Whether it's
because the folks behind it are illiterate, don't understand the issue,
or are putting FUD out for their own reasons I'll let you judge.

But it's pretty much all simply false.

Cheers,
  Steve

(No, I've no connection with the goodmail folks, but I've actually
looked at the details of the system).


Re: djbdns: An alternative to BIND

2005-04-08 Thread Steve Atkins

On Fri, Apr 08, 2005 at 03:55:15PM -0700, Vicky Rode wrote:

> Just wondering how many have transitioned to djbdns from bind and if so
> any feedback.

djbdns has lower performance, both as an authoritative and recursive
resolver, than bind.

It's less flexible than bind9. But its data files and log files are
easier to machine generate / parse.

dnscache seems marginally less prone to bloating memory usage than
bind. I've not compared it with recent binds.

tinydns isn't blindingly fast, but it doesn't nap while new zones are
loaded. With a decent DNS architecture that needn't be a problem with
bind, but it does need more hardware to work around.

I still wouldn't suggest tinydns for anything other than a small,
low-traffic requirement.

I quite like dnscache, and would consider it as one option for
recursive resolution (but if you're doing authoritative using bind
then you have bind clue onsite, and one of the stronger reasons for
using dnscache over bind goes away). In some unusual cases dnscache
can return data that is incorrect, but it's doing so as documented
and it's seldom a problem in practice.

djbdns has appallingly bad and often misleading, but entirely accurate
documentation.  Bind does not.

The only unequivocally bad thing about the djbdns suite is the lack of
technical and social savvy in some of its more vocal proponents.

I use both tinydns and dnscache, but I recommend bind to clients
I consult for.

Cheers,
  Steve
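
The remark above that tinydns's data and log files are easier to machine-generate and parse is easy to show: the data file is one record per line, a leading type character and colon-separated fields. The following is an added example, not code from djbdns or from the poster, that writes a data file from a list of records and parses one back, including the ':' octal escaping TXT records need and the '=' and '.' shorthands that expand to more than one record. The zone contents are constructed; the record tuple shape and function names are this example's own.

```python
"""Added example: round-trip the tinydns-data format. Not djbdns project
code; the zone below is constructed."""
import re


def _escape(s):
    # tinydns-data takes ':' and non-printable bytes inside a field as octal
    # \nnn. This example assumes ASCII text (the real file is byte-oriented).
    return re.sub(r"[:\\\x00-\x1f\x7f-\xff]",
                  lambda m: "\\%03o" % ord(m.group()), s)


def _unescape(s):
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)


def _ttl(s):
    return int(s) if s else None      # empty TTL field means tinydns's default


def to_tinydns(records):
    """records: (type, name, value, ttl) tuples for A, NS, MX ('dist host'),
    CNAME, PTR and TXT. NS/MX hosts are written fully qualified (containing
    a dot) so tinydns does not append its .ns./.mx. suffix to them."""
    lines = []
    for rtype, name, value, ttl in records:
        ttl = "" if ttl is None else ttl
        if rtype == "A":
            lines.append(f"+{name}:{value}:{ttl}")
        elif rtype == "NS":            # empty ip field: no glue A record
            lines.append(f"&{name}::{value}:{ttl}")
        elif rtype == "MX":
            dist, host = value.split()
            lines.append(f"@{name}::{host}:{dist}:{ttl}")
        elif rtype == "CNAME":
            lines.append(f"C{name}:{value}:{ttl}")
        elif rtype == "PTR":
            lines.append(f"^{name}:{value}:{ttl}")
        elif rtype == "TXT":
            lines.append(f"'{name}:{_escape(value)}:{ttl}")
        else:
            raise ValueError(f"unsupported record type {rtype}")
    return "\n".join(lines) + "\n"


def parse_tinydns(text):
    """Inverse of to_tinydns, plus the '=' and '.' shorthands. The SOA that a
    '.' line also implies is not reconstructed here."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#-":   # comments and disabled lines
            continue
        kind, fields = line[0], line[1:].split(":")
        fields += [""] * (9 - len(fields))
        name = fields[0]

        def qualify(x, label):
            # a dotless NS/MX host means x.ns.<fqdn> / x.mx.<fqdn>
            return x if "." in x else f"{x}.{label}.{name}"

        if kind in "+=":
            records.append(("A", name, fields[1], _ttl(fields[2])))
            if kind == "=":                # '=' also creates the reverse PTR
                rev = ".".join(reversed(fields[1].split("."))) + ".in-addr.arpa"
                records.append(("PTR", rev, name, _ttl(fields[2])))
        elif kind in ".&":
            host = qualify(fields[2], "ns")
            records.append(("NS", name, host, _ttl(fields[3])))
            if fields[1]:                  # ip given: glue A for the server
                records.append(("A", host, fields[1], _ttl(fields[3])))
        elif kind == "@":
            host = qualify(fields[2], "mx")
            records.append(("MX", name, f"{fields[3] or '0'} {host}", _ttl(fields[4])))
        elif kind == "C":
            records.append(("CNAME", name, fields[1], _ttl(fields[2])))
        elif kind == "^":
            records.append(("PTR", name, fields[1], _ttl(fields[2])))
        elif kind == "'":
            records.append(("TXT", name, _unescape(fields[1]), _ttl(fields[2])))
        else:
            raise ValueError(f"unhandled line type {kind!r}: {raw}")
    return records


# constructed zone used for the round trip
ZONE = [
    ("NS", "example.com", "ns1.example.com", 86400),
    ("A", "example.com", "192.0.2.10", 3600),
    ("A", "www.example.com", "192.0.2.10", 3600),
    ("MX", "example.com", "10 mail.example.com", 3600),
    ("CNAME", "ftp.example.com", "www.example.com", 3600),
    ("TXT", "example.com", "v=spf1 ip4:192.0.2.0/24 -all", 3600),
]

if __name__ == "__main__":
    data = to_tinydns(ZONE)
    print(data, end="")
    assert parse_tinydns(data) == ZONE
```

The output is what you would feed to tinydns-data to build data.cdb; generating it from a database and diffing the result against the file in production is the kind of check that is awkward with BIND zone files and trivial here.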



Re: Proposed list charter/AUP change?

2005-01-04 Thread Steve Atkins

On Tue, Jan 04, 2005 at 10:36:03AM -0800, JC Dill wrote:

> 1)  A list already exists (spam-l) where these topics are discussed 
> regularly and that list is a better place to discuss them due to the 
> large number of people who have in-depth knowledge and regularly 
> contribute on those topics.

But there's a lack of operational expertise there. Lots of people
fascinated by email headers and so on, but far fewer with experience
deploying large systems or handling security related issues.

> 2)  It is very hard to start talking about "spam" and limit the breadth 
> of the replies to those that are on-topic for a network-operations 
> focused list.  Spam makes people angry, and angry people want to rant 
> about how much they hate spammers and the various things "we" or "they" 
> should do to solve the problem at the source.  Angry people don't 
> usually pay adequate attention to list policies so they blow over the 
> policy line, time and time again.

That sounds like the problem is people who can't treat a mailing list
professionally and maintain enough personal restraint to keep the S/N
above water rather than an issue with one particular subject of
conversation.

> For that reason, I believe that spam-related topics should be discussed 
> on spam-l first, and then the topic should be raised on this list only 
> if you can't find the info or contacts you need on the spam-specific 
> list first.

For people who want to bemoan spam and hunt spammers, sure. For people
looking for answers to operational problems that just happen to have some
relationship to bulk email... I'm less convinced.

Cheers,
  Steve


Re: [OT] Good Anti-Spam Boilerplate

2004-10-11 Thread Steve Atkins

On Mon, Oct 11, 2004 at 10:51:42AM +0100, [EMAIL PROTECTED] wrote:
> 
> > After some senseless Googling, I'm at a loss.  I'm looking for a very
> > comprehensive, up-to-date example of an AUP that covers spam. 
> 
> You might want to ask this question at a place like
> http://www.groklaw.net/
> 
> First of all, it's a legal problem and the above blog
> is a place where lawyers hang out, but they seem to focus
> on the boundaries of technology and law which is where 
> the SPAM AUP issue sits.

I'm not sure I'd agree. Having an AUP that is enforceable in the way in
which you want to enforce it is very much an operational and policy
issue. You should have a lawyer check it over, as with any contract,
to ensure that you are defended legally should that ever be an issue,
but it's primarily a tool for your abuse staff to use.

Because of that, it's also unlikely that copying someone else's AUP
wholesale is going to be terribly appropriate, unless their business
model is fairly similar to yours (end-user vs web host vs bandwidth
provider vs colo...). It's well worth looking at others for concepts
and phrases to steal, but be very cautious of copying one that may
not be appropriate for the issues your abuse desk needs to handle.

You also need an internal, unpublished, policy document. It's pretty
much impossible to create an AUP that is specific enough to forbid
what you want forbidden and yet allow all legitimate use. The best
AUPs state your "philosophy" on acceptable use and your policies in
broad terms that don't try to be too specific and are overbroad in
that they forbid too much. Then selective enforcement by the abuse
staff allows you to implement the policy you actually need. That needs
a fairly competent abuse staff, and to provide some consistency in
handling issues they need their own policies and procedures. Writing
the first version of those down up-front gives you a good framework
to both make it clear what your intent is in drafting the AUP to
existing abuse staff and to help in bringing someone new in to
help with abuse work.

Cheers,
  Steve



Re: Research - Valid Data Gathering vs. Annoying Other

2004-08-06 Thread Steve Atkins

On Fri, Aug 06, 2004 at 05:37:55PM -0400, Daniel Reed wrote:

> To the original poster and others: Do host a web server on port 80 of the
> machines involved in the probe. Name the machines after your project (do not
> call them "www" or else people might indeed think it is a compromised
> machine!). If your testing involves HTTP requests, or any other protocol
> that allows for "referer" or other human-visible information, provide a URL
> and/or project name. If your testing involves packets with unused content,
> use URLs or free-form text instead of zeroes or random bytes.
> 
> Above all, follow common sense. Make it as easy as possible for most people
> to figure out what you are doing, and have templated responses describing
> your project, what network resources it will use, and what general benefit
> you hope to provide ready for when Robert Bonomi complains.

And, especially, make sure that your provider is aware of what you're
doing. Specifically that whoever answers abuse/[EMAIL PROTECTED],
and abuse/[EMAIL PROTECTED] knows what you're doing. There will
always be GWFs[1] who send frivolous complaints to you or your provider,
regardless of how benign the traffic is. You ideally want to be in
the situation where your provider's abuse desk blows them off, rather
than anyone expending any more time than it takes to hit delete in
the ticketing system.

Also be very sure that you understand what you're doing, and that it
will not cause others operational problems. Be prepared to apologize,
grovel and possibly offer financial compensation when your screwup
actually does inflict significant costs on someone else. If you're not
convinced enough that you're not going to break other people's systems
that the idea of financial compensation scares you, you shouldn't be
sending the traffic in the first place.

While I can't imagine how any of the legitimate surveys would cause
anyone real operational costs (as opposed to the oversensitive IDS or
anal log reader problems) I have seen systems knocked offline in the
past by a postgrad "research project" that was run with more naive
enthusiasm than technical talent. Heck, the googlebot fell into a lot
of infinite trees and made webservers fall over before they got it
right, back when it was an academic research project.

Cheers,
  Steve

[1] Goober With Firewall. Originally from internal jargon at
[EMAIL PROTECTED] - a complaint, for example, that "ns1.above.net
is hackoring my port 53!" would be, and should still be, closed
with the sole annotation being "GWF".


Re: Abuse mail boxese (was Re: Lazy network operators)

2004-04-12 Thread Steve Atkins

On Mon, Apr 12, 2004 at 11:49:36PM +0200, Raymond Dijkxhoorn wrote:
> > > Presumably the 6.8m figure is how many users click the 'spam' button in the AOL 
> > > mail client and not how many abuse complaints are sent in?
> > 
> > Probably, yes.
> > 
> > AOL isn't a huge source of abuse compared to most DSL/cable providers,
> > so probably aren't seeing a huge number of incoming legitimate abuse
> > complaints. Their users are a great source of complaints, via the
> > "this is spam" button, though, many of which are legitimate and most
> > of which are well targeted.
> 
> But AOL is target of a lot of viruses and spam runs, and i must say, they 
> do a pretty good job with managing all of that. Compliments to Carl and his 
> team. They bring _fast_ responses and replies on SPAM-L and do a lot of 
> work to downsize the impact of new stuff.

Absolutely. That's one of the reasons that they're not a large source
of abuse, far smaller than you'd expect from the size of their
customer base. Their team is competent, well-equipped and (compared
with other places) well-funded.

Another reason is that they're not really an ISP, in the traditional
sense. They have far more visibility of and direct control over what
their users do, and the software their users run, than almost any
other ISP. That makes many things possible for them that would be
extremely difficult for a typical PPP provider.

Cheers,
  Steve
-- 
-- Abuse desk automation: http://word-to-the-wise.com/abacus/


Re: Abuse mail boxese (was Re: Lazy network operators)

2004-04-12 Thread Steve Atkins

On Mon, Apr 12, 2004 at 09:03:38PM +0100, Stephen J. Wilcox wrote:

> > According to the Washington Post
> > 
> >America Online says it has seen a dramatic decline in spam over the
> >past month, due to improved filtering techniques and fear of
> >litigation under a new U.S. law. In a one-month period ending March
> >20, customer complaints about spam nearly halved to 6.8 million per
> >day, the Time Warner Inc. unit said.
> > 
> > http://www.washingtonpost.com/wp-dyn/articles/A3300-2004Apr11.html
> 
> Presumably the 6.8m figure is how many users click the 'spam' button in the AOL 
> mail client and not how many abuse complaints are sent in?

Probably, yes.

AOL isn't a huge source of abuse compared to most DSL/cable providers,
so probably aren't seeing a huge number of incoming legitimate abuse
complaints. Their users are a great source of complaints, via the
"this is spam" button, though, many of which are legitimate and most
of which are well targeted.

> I'd assume the former would be mostly automated and the latter ought to be 
> looked at some how as it will include compromised host reports, spam sending etc

High four figures / day is as high as we usually see at big broadband
ISPs, though it can spike to five or ten times that occasionally.

Cheers,
  Steve
--
-- Abuse desk automation: http://word-to-the-wise.com/abacus/


Re: Open source traffic shaper experiences? (was Re: looking for a review of traffic shapers)

2003-11-25 Thread Steve Atkins

On Tue, Nov 25, 2003 at 11:38:01AM -0600, [EMAIL PROTECTED] wrote:

> Note: delurk.
> 
> Some of the commercial traffic shaping devices reviewed here are tens of 
> thousands of dollars.  For a smaller ISP (i.e. less than a DS3 of 
> aggregate upstream bandwidth), that kind of expense doesn't make sense--
> but the need to control bandwidth consumption is still an issue.
> 
> Is anyone on the NANOG list aware of a disk-less Linux solution? One might
> imagine a Knoppix-like bootable CD image (perhaps CD-RW, so config files
> could be updated) that would turn an inexpensive Linux box into an
> effective traffic shaping device, using tools like CBQinit, MRTG/RRDTOOL,
> and a Webmin-like admin interface. The closest thing to this I've seen is
> ETINC's BWMGR, but that's a closed-source solution and is still somewhat
> expensive.

http://www.bandwidtharbitrator.com/ perhaps? The full version is inexpensive,
the non-GUI version is freely available.

Cheers,
  Steve


More .com/.net issues

2003-09-21 Thread Steve Atkins

I'm seeing bulk access to .com and .net blocked at the moment. Other zones
are available from Verisign's ftp server as usual, but .net and .com are
empty (and the signature files are listing them as empty too).

Anyone heard anything from Verisign about this?

Cheers,
  Steve
-- 
-- Steve Atkins -- [EMAIL PROTECTED]