Re: Abuse response [Was: RE: Yahoo Mail Update]
On Tue, Apr 15, 2008 at 11:04 AM, Paul Ferguson [EMAIL PROTECTED] wrote:
> In fact, we have done just that -- develop a standard boilerplate very similar to what PIRT uses in its notification(s) to the stakeholders in phishing incidents.

The boilerplate is no damned use. PIRT - and you - should be focusing on feedback loops, and that would practically guarantee instant takedown, especially when the notification is sent by trusted parties.

> Again, our success rate is somewhere in the 50% neighborhood.

With the larger providers it will get to 100% once you go the feedback loop route. Do ARF, do IODEF etc. You will find it much easier for abuse desks that care to process your reports. You will also find it easier to feed these into nationwide incident response / alert systems like Australia's AISI (google it up, you will like the concept I think)

srs
Re: Abuse response [Was: RE: Yahoo Mail Update]
On Tue, Apr 15, 2008 at 11:55 AM, Paul Ferguson [EMAIL PROTECTED] wrote:
> Really. How many people are actually doing IODEF?

http://www.terena.org/activities/tf-csirt/iodef/

AISI - for example - and AISI feeds the top 25 australian ISPs - takes IODEF as an input

And MAAWG does ARF, quite simple to use as well .. but they would take a standard format (with an RFC yet) if you and some other major players

1. Offer iodef (or say ARF) feeds
2. Tell them you're offering these feeds

> It should be simple -- not require a freaking full-blown standard.

It's a standard. And it allows automated parsing of these complaints. And automation increases processing speeds by orders of magnitude.. you don't have to wait for an abuse desker to get to your email and pick it out of a queue with hundreds of other report emails, and several thousand pieces of spam [funny how [EMAIL PROTECTED] type addresses end up in so many spammer lists..]

srs
Re: the O(N^2) problem
On Mon, Apr 14, 2008 at 11:27 AM, Edward B. DREGER [EMAIL PROTECTED] wrote:
> For such a system to scale, it would need to avoid OSPF-style convergence. Similarly, I would not want to query, for the sake of example, 15k different trust peers each time I needed to validate a new host,address tuple. (Hence the interdomain routing and d-v calc references.)

And DKIM layered with some kind of reputation (if only a locally built whitelist) won't scale for this?
Re: the O(N^2) problem
On Mon, Apr 14, 2008 at 11:50 AM, Steven M. Bellovin [EMAIL PROTECTED] wrote:
> The risk in a reputation system is collusion.

Multiple reputation systems, each with their own reputation .. Sed quis custodiet ipsos custodes and all that ..

A lot of the reputation (aka positive reputation) work, shall we say, is heavily sender / ESP / bulk mailer etc driven. And the negative reputation stuff (blocklists like spamhaus etc) has been around rather a long time.

So quite a few ISPs tend to rely on trusted negative reputation systems (aka they'd use spamhaus) and build positive reputation (whitelists) on their own, possibly tying this to auth systems such as DKIM.

--srs
-- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Abuse response [Was: RE: Yahoo Mail Update]
On Tue, Apr 15, 2008 at 10:16 AM, Paul Ferguson [EMAIL PROTECTED] wrote:
> As I mentioned in my presentation at NANOG 42 in San Jose, the biggest barrier we face in shrinking the time-to-exploit window with regards to contacting people responsible for assisting in mitigating malicious issues is finding someone to actually respond.

Fergie.. you (and various others in the "send emails, expect takedowns" biz) - phish, IPR violations, whatever.. you're missing a huge, obvious point.

If you send manual notifications (aka email to a crowded abuse queue) expect 24 - 72 hours response.

If you have high enough numbers of the stuff to report, do what large ISPs do among themselves, set up and offer an ARF'd / IODEF feedback loop or some other automated way to send complaints, that is machine parseable, and that's sent - by prior agreement - to a specific address where the ISP can process it, and quite probably prioritize it above all the "j00 hxx0r3d m3 by doing dns lookups" email. That kind of report can be handled within minutes.

If you send reports with lots of legal boilerplate, or reports with long lectures on why you expect an INSTANT TAKEDOWN, and send them to a busy abuse queue, there is no way - and zero reason - for the ISP people to prioritize your complaint above all the other complaints coming in.

> Unfortunately, most abuse requests/inquiries fall into a black-hole, or bounce.

Not you, but several companies that do this as a business model need to learn how to do this properly. Some of them are spectacularly incompetent at what they do too.

> Me, I have pretty much given up on any domain-related avenues, since they generally end up in disappointment, and found more successes in going directly to the owners of the IP allocation, and upstream ISP, a regional/national CERT/CSIRT, or law enforcement.

Yeah? And by the time your request filters right back down to where it actually belongs.. guess what, it takes much longer than 72 hours.

> Now, this has no bearing on the original subject (which I have now forgotten what it is -- oh yeah, something about Yahoo! mail), but it should be additional proof that the Bad Guys know how to manipulate the system, the system is broken, and the Bad Guys are now making much more money than we are. :-)

And proof that various good guys don't know how to cooperate, and various other good guys are in the business only to score points off other providers to make themselves look good.

http://blog.washingtonpost.com/securityfix/2007/12/top_10_best_worst_antiphishing.html for example.. I think Brian Krebs - given what I know of his usual high standards - would certainly have regretted publishing PR and marketing generated, highly debatable, statistics like the ones referenced in that article.

--srs
Re: Problems sending mail to yahoo?
On Sun, Apr 13, 2008 at 11:15 AM, Roger Marquis [EMAIL PROTECTED] wrote:
> Sounds like the party line inside Yahoo, but there are plenty of ISPs that do a really good job of combating spam. They do it with standard tools like RBLs, Spamassassin, OCR, ClamAV and without ineffective diversions like SPF or DKIM.

Unless you have actually implemented filters on production mail platforms with several million users.. please.

> Not that spam really has much to do with network operations, well, except perhaps for those pesky Netcool/Openview/Nagios alerts...

You haven't been sitting in on most of the security related talks and bofs at *nog, right? If you have, that'd be a surprisingly naïve statement.

srs
-- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Yahoo Mail Update
On Sun, Apr 13, 2008 at 3:57 PM, Rob Szarka [EMAIL PROTECTED] wrote:
> True, though some aspects of mail service are inextricably tied to broader networking issues, and thus participation here might still benefit them. But sadly Yahoo doesn't even seem to participate in more relevant forums, such as the spam-l list.

There are other lists, far more relevant than spam-l or nanae. There's a way to present spam issues and mail filtering operationally.. and I see it all the time at MAAWG meetings, just for example.

The issue here is that 90% of the comments on a thread related to this are from people who might be wizards at packet pushing, but can't filter spam. Or on mailserver lists you might find people who can write sendmail.cf from scratch instead of building it from a .mc file and still don't know about the right way to do spam filtering.

> When what the larger companies do enables criminal behavior that impacts the very viability of the smaller companies through de facto DoS attacks, it's not funny at all. Yahoo, for example, has chosen a business model (free email with little to no verification) that inevitably leads to spam being originated from their systems. Why should they be able to shift the cost of their business model to me, just because I run a much smaller business?

So has hotmail, so have several of the domains that we host.

srs
-- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Yahoo Mail Update
On Sun, Apr 13, 2008 at 8:24 PM, Martin Hannigan [EMAIL PROTECTED] wrote:
> Having some provider or group(MAAWG?) explain the new and improved overhead driven mail/abuse desk would make an excellent NANOG presentation, IMHO, and it could include a V6 slant like "and to handle V6 abuse issues the plan is.."

MAAWG spent three entire meetings drafting this - and a very interactive drafting process it was too (hang flipcharts on the walls, each with a key question, people circulate around the room with marker pens, write their ideas. Other people rate these ideas. The flipcharts are then taken down, the contents edited to produce a BCP).

Here's the abuse desk management BCP - one that includes several things that I personally regard as a very good idea indeed - http://www.maawg.org/about/publishedDocuments/Abuse_Desk_Common_Practices.pdf

And by the time v6 actually gets used for exchanging email except between guy with personal colo and a tunneled /48, and freebsd.org / isc.org etc hosted lists .. you'll probably find that the basic concepts of filtering remain much the same, v4, v6 (or perhaps even Jim Fleming's or that Chinese vendor's IPv9)

srs
-- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Yahoo Mail Update
On Sun, Apr 13, 2008 at 10:09 PM, Joel Jaeggli [EMAIL PROTECTED] wrote:
> MAAWG, is fine but the requirements for participation are substantially higher than the nanog list.

* Quite a lot of ISPs who already attend nanog are also maawg members
* Lots of independent tech experts (Dave Crocker, Chris Lewis, Joe St.Sauver from UOregon etc) are regulars at maawg, designated as senior tech advisors
* Quite a few other invited guest type people

So, not as bad as it sounds

> People who have operational problems don't generally get to pick the skillset they already have just because a problem appears, some cognizance of that is surely in order. That was the only meta comment I had here. I'll stop now.

srs
-- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Problems sending mail to yahoo?
1. They are not complaints as such. They are what AOL users click "report spam" on
2. They are sent in a standard format - http://www.mipassoc.org/arf/ - and if you weed out the obvious (separate forwarding traffic out through another IP, and ditto for bounce traffic), then you will find that - for actual ISPs - actual spam reports will far outweigh the amount of misclicked reports.
3. As I said, it's in ARF and that's machine parseable and you can get stats from it.

On Mon, Apr 14, 2008 at 2:11 AM, Geo. [EMAIL PROTECTED] wrote:
> When someone like AOL offloads their user complaints of spams to all the abuse@ addresses instead of verifying that they actually are spams before sending off complaints, is it any surprise that everyone else is refusing to do their jobs for them? The reason abuse@ addresses are useless is because what is being sent to them is useless.
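As an added example of the point made in this post and in the ARF / IODEF feedback-loop posts above (this is not code from the list or from any poster), here is how an abuse desk can parse an ARF report (the multipart/report, report-type=feedback-report format that became RFC 5965), do the "weed out the obvious" step by separating reports about a forwarding IP pool from reports about mail the network originated, and get per-IP stats from a batch. The report text, the forwarding pool 192.0.2.48/28 and every address and domain in it are constructed documentation values; only Python's standard library is used.

```python
import email
import email.policy
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample ARF report in the RFC 5965 multipart/report shape.
# All addresses and domains are documentation values, not real reporters.
SAMPLE_ARF = """\
From: <scomp@example.net>
To: abuse@example.com
Subject: FW: Earn money
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="part1_13d.2e68ed54_boundary"

--part1_13d.2e68ed54_boundary
Content-Type: text/plain; charset="US-ASCII"

This is an email abuse report for a message received from IP 192.0.2.1.

--part1_13d.2e68ed54_boundary
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: SomeGenerator/1.0
Version: 1
Original-Mail-From: <somespammer@example.com>
Original-Rcpt-To: <user@example.net>
Received-Date: Thu, 8 Mar 2008 14:00:00 -0400
Source-IP: 192.0.2.1
Reported-Domain: example.com
Reported-Uri: http://example.com/earn_money.html
Reported-Uri: mailto:user@example.net

--part1_13d.2e68ed54_boundary
Content-Type: message/rfc822

From: <somespammer@example.com>
Received: from mailserver.example.com (mailserver.example.com [192.0.2.1])
 by example.net with ESMTP id M63d4137594e46; Thu, 8 Mar 2008 14:00:00 -0400
To: <user@example.net>
Subject: Earn money
Date: Thu, 8 Mar 2008 13:59:00 -0400
Message-ID: <8787KJKJ3K4J3K4J3K4J3.mail@example.com>

Spam Spam Spam
--part1_13d.2e68ed54_boundary--
"""


def _nested(part):
    """Return the message object carried inside a message/* MIME part."""
    payload = part.get_payload()
    if isinstance(payload, list):          # parser already built the inner message
        return payload[0]
    return email.message_from_string(payload, policy=email.policy.default)


def parse_arf(raw):
    """Extract the fields an abuse desk acts on from one ARF report."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "feedback-report"):
        raise ValueError("not an ARF report")
    report = {}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":       # the machine-readable fields
            fields = _nested(part)
            report["feedback_type"] = str(fields.get("Feedback-Type", "")).strip()
            report["source_ip"] = str(fields.get("Source-IP", "")).strip()
            report["reported_domain"] = str(fields.get("Reported-Domain", "")).strip()
            report["reported_uris"] = [str(u).strip() for u in fields.get_all("Reported-Uri", [])]
        elif ctype == "message/rfc822":              # the complained-about message
            original = _nested(part)
            report["original_subject"] = str(original.get("Subject", "")).strip()
            report["original_from"] = str(original.get("From", "")).strip()
    if not report.get("source_ip"):
        raise ValueError("report lacks a message/feedback-report part with Source-IP")
    return report


# Constructed: the range this hypothetical site uses only for forwarded
# (alias / .forward) traffic, kept apart from its regular outbound pool.
FORWARDING_POOL = [ip_network("192.0.2.48/28")]


def classify(report, forwarding_pool=FORWARDING_POOL):
    """'forwarded': complaint about mail we merely relayed for a user;
    'originated': complaint about mail that started on our own network."""
    src = ip_address(report["source_ip"])
    return "forwarded" if any(src in net for net in forwarding_pool) else "originated"


def summarize(raw_reports):
    """Count reports per (source IP, class), the stats a desk needs before
    deciding which sources actually need a customer lookup."""
    counts = Counter()
    for raw in raw_reports:
        rep = parse_arf(raw)
        counts[(rep["source_ip"], classify(rep))] += 1
    return counts


# Constructed batch: two reports about the outbound relay, one about the forwarding pool.
SAMPLE_BATCH = [
    SAMPLE_ARF,
    SAMPLE_ARF,
    SAMPLE_ARF.replace("Source-IP: 192.0.2.1", "Source-IP: 192.0.2.50"),
]

if __name__ == "__main__":
    for (ip, kind), n in sorted(summarize(SAMPLE_BATCH).items()):
        print(f"{ip:<15} {kind:<10} {n}")
```

The split into "forwarded" versus "originated" is what lets the reports be routed automatically: the forwarded ones are a snapshot of what is slipping through the inbound filters, the originated ones are the ones that need a customer or compromised-host lookup.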
Re: the O(N^2) problem
On Mon, Apr 14, 2008 at 10:34 AM, Owen DeLong [EMAIL PROTECTED] wrote:
> Now I'm lost again. You've mixed so many different metaphors from interdomain routing to distance-vector computation to store-and-forward that I simply don't understand what you are proposing or how one could begin to approach implementing it or what problem you seem to think it solves (although it sort of seems like you're wanting to attack the trustworthiness of email to battle SPAM through some mechanism that depends only on the level of trust for the (source, arrival path) tuple from whence it came.

Looks like what various people in the industry call a reputation system
Re: /24 blocking by ISPs - Re: Problems sending mail to yahoo?
On Fri, Apr 11, 2008 at 8:37 PM, Raymond L. Corbin [EMAIL PROTECTED] wrote:
> It's not unusual to do /24 blocks, however Yahoo claims they do not keep any logs as to what causes the /24

We keep quite detailed logs. No comment about yahoo - I've never been at the other end of a /24 block from them

srs
Re: Problems sending mail to yahoo?
On Sat, Apr 12, 2008 at 2:34 AM, Barry Shein [EMAIL PROTECTED] wrote:
> The lesson one should get from all this is that the ultimate harm of spammers et al is that they are succeeding in corrupting the idea of a standards-based internet.

The lesson here is that different groups at the same ISPs go to different places

Packet pushers go to *NOG. And the abuse desks mostly all go to MAAWG. And any CERTs / security types the ISP has go to FIRST and related events. And most of them never do coordinate internally, run by different groups probably in different cities ...

--srs
Re: Problems sending mail to yahoo?
On Sat, Apr 12, 2008 at 9:02 AM, Randy Bush [EMAIL PROTECTED] wrote:
>> Packet pushers go to *NOG. And the abuse desks mostly all go to MAAWG. And any CERTs / security types the ISP has go to FIRST and related events. And most of them never do coordinate internally, run by different groups probably in different cities ...
>
> dear coo/ceo/whomever: i want approval to send the five folk who go to nanog, and the five folk who go to maawg, and the five folk who go to first to *all* go to the new frobnitz joint conference.

Collocation would be a useful idea - save airfare, hotel etc.

I had this lovely little experience where the lead CERT guy at ISP X was talking about a particular trojan that was hitting his ISP, and was hitting [ISP Y] and hitting [ISP Z]. He says "I saw these trojans hitting ISPs Y and Z but didn't know anybody there". If he'd just bothered to step across the hall and talk to his colleagues at ISP X's abuse desk.. they are, and have been for years, in regular contact with their counterparts at Y and Z - email, face to face, phone, IM etc.

> otoh, being on the frobnitz program committee would be an interesting lesson and exercise in industry physics.

You think there's not enough convergence + shared interests in such programs? I mean, abuse + security teams could care less about MPLS and peering, but there is a lot they're discussing (walled gardens, botnet mitigation etc) that does get discussed in far better detail at nanog. Or at FIRST.

srs
/24 blocking by ISPs - Re: Problems sending mail to yahoo?
On Fri, Apr 11, 2008 at 1:22 AM, Raymond L. Corbin [EMAIL PROTECTED] wrote:
> Yeah, but without them saying which IP's are causing the problems you can't really tell which servers in a datacenter are forwarding their spam/abusing Yahoo. Once the /24 block is in place then they claim to have no way of knowing who actually caused the block on the /24. The feedback loop would help depending on your network size.

Almost every large ISP does that kind of complimentary upgrade

There are enough networks around, like he.net, Yipes, PCCW Global / Cais etc, that host huge amounts of snowshoe spammers - http://www.spamhaus.org/faq/answers.lasso?section=Glossary#233 (you know, randomly named / named after a pattern domains, with anonymous whois or probably a PO box / UPS store in the whois contact, DNS served by the usual suspects like Moniker..)

a /27 or /26 in a /24 might generate enough spam to drown the volume of legitimate email from the rest of the /24, and that would cause this kind of /24 block

In some cases, such as 63.217/16 on CAIS / PCCW, there is NOTHING except spam coming from several /24s (and there's a /20 and a /21 out of it in spamhaus), and practically zero traffic from the rest of the /16. Or there's Cogent with a similar infestation spread around 38.106/16

ISPs with virtual hosting farms full of hacked cgi/php scripts, forwarders etc just don't trigger /24 blocks at the rate that ISPs hosting snowshoe spammers do. /24 blocks are simply a kind of motivation for large colo farms to try choosing between hosting spammers and hosting legitimate customers.

srs ..
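The mechanics of the /24 decision described above (a /27 drowning the legitimate mail from the rest of the /24), as an added example that is not code from the list or from any provider: it aggregates a receiving filter's per-message verdicts by /24, flags a block when spam is both numerous and the dominant share, and records which smaller subnet inside the /24 carried the spam, which is exactly the log a receiver needs to answer the "what caused the block" question. The log lines, the 192.0.2.0/24 and 198.51.100.0/24 ranges, and the thresholds are constructed for the example.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed inbound-filter verdict log: one line per message, with the
# connecting IP and the filter's verdict. Addresses are documentation ranges.
SAMPLE_LOG = (
    # thirteen spam messages from one /27 inside 192.0.2.0/24
    [f"2008-04-11T20:37:{s:02d} ip=192.0.2.{h} verdict=spam"
     for s, h in enumerate(range(33, 46))]
    # three legitimate messages from elsewhere in the same /24
    + ["2008-04-11T20:38:01 ip=192.0.2.10 verdict=ham",
       "2008-04-11T20:38:02 ip=192.0.2.200 verdict=ham",
       "2008-04-11T20:38:03 ip=192.0.2.201 verdict=ham"]
    # a mostly clean /24 with a single misbehaving host
    + ["2008-04-11T20:39:01 ip=198.51.100.7 verdict=spam"]
    + [f"2008-04-11T20:39:{s:02d} ip=198.51.100.{h} verdict=ham"
       for s, h in enumerate(range(20, 26), start=2)]
)


def parse_verdict_log(lines):
    """Yield (ip, verdict) from 'timestamp key=value key=value' lines."""
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        yield ip_address(fields["ip"]), fields["verdict"]


def block_candidates(lines, min_share=0.8, min_spam=5, sub_prefix=27):
    """Aggregate verdicts per /24 and flag the /24s where spam drowns the
    legitimate mail. For each /24 also report the /sub_prefix that sent
    most of the spam, so the block can be explained to the hosting ISP."""
    per24 = defaultdict(lambda: {"spam": 0, "ham": 0, "subnets": Counter()})
    for ip, verdict in parse_verdict_log(lines):
        if verdict not in ("spam", "ham"):
            continue                                  # ignore unknown verdicts
        entry = per24[str(ip_network(f"{ip}/24", strict=False))]
        entry[verdict] += 1
        if verdict == "spam":
            entry["subnets"][str(ip_network(f"{ip}/{sub_prefix}", strict=False))] += 1

    result = {}
    for net, e in per24.items():
        share = e["spam"] / (e["spam"] + e["ham"])
        top = e["subnets"].most_common(1)[0][0] if e["subnets"] else None
        result[net] = {
            "spam": e["spam"],
            "ham": e["ham"],
            "share": round(share, 2),
            # block only when spam is both dominant and non-trivial in volume
            "block": e["spam"] >= min_spam and share >= min_share,
            "top_subnet": top,
        }
    return result


if __name__ == "__main__":
    for net, info in sorted(block_candidates(SAMPLE_LOG).items()):
        print(net, info)
```

With these constructed inputs 192.0.2.0/24 is flagged (13 spam against 3 ham, all of the spam from 192.0.2.32/27) while 198.51.100.0/24 is not (1 spam against 6 ham), which is the difference between a snowshoe range and a hosting farm with one hacked script.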
Re: Hotmail NOC Contact
On Thu, Apr 3, 2008 at 3:00 AM, Jason J. W. Williams [EMAIL PROTECTED] wrote:
> Does anyone have a good contact number for the Hotmail NOC? We've got e-mails from Hotmail to some of our customers being returned the Hotmail sender with a 554 error message fairly regularly. Our logs aren't showing any rejections, so we need to talk to Hotmail and find out what the 554 means on their side (there's no error description). Any help is greatly appreciated.

Easier if you paste a sample bounce

And check if you have some kind of smtp capable firewall device (like a barracuda) or maybe an outsourced filtering provider that's filtering this lot before it reaches your mailserver.

srs
Re: Hotmail NOC Contact
No. That's not because of ordb. Because you see, if hotmail or these other providers were using ORDB (they sure as hell aren't) none of the subscribers to those services would be getting ANY email at all.

There's some other issue with your IP. And it is an issue that multiple providers are seeing

NAT gateway and mailserver IP on the same interface, for instance? Or an overactive marketing department with a newsletter? Or an ISP with outbound spam problems from compromised user PCs?

srs

On Thu, Apr 3, 2008 at 8:07 PM, Fox, Thomas [EMAIL PROTECTED] wrote:
> In the last 10 days or so, ever since ORDB re-activated itself and blacklisted everything, we have had deliverability problems to:
>
> MSN
> Hotmail
> Bellsouth
> ATT (the same as Bellsouth I think)
> Yahoo
> Detroit Edison
>
> In the case of MSN and Hotmail, they told us they were using Symantec's Brightmail filtering system. So, does that mean Brightmail is not updating their system properly, or MSN/Hotmail is not updating their Brightmail? Seems like a huge waste of everyone's time because some LARGE network operators can't keep their stuff updated. *grumble*

-- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Hotmail NOC Contact
What we did was to isolate our forwarding traffic out through a separate set of IPs. And then told Hotmail, Yahoo, AOL etc about the IPs. They were very glad to tag these as such in their filters

This was over three years ago, and admittedly, our email traffic is rather higher (by orders of magnitude) than most but it is still a good idea to isolate forwarding traffic and separate it from regular outbound email.

Another advantage - monitor the mail queue of your forwarding IP and it gives you a very nice little snapshot of what kind of spam is slipping through your filters

srs

On Fri, Apr 4, 2008 at 2:22 AM, Raymond L. Corbin [EMAIL PROTECTED] wrote:
> yeah, We do hosting for about 300,000 users in our shared environment. They have forwarders setup or aliases that send to their external addresses. This forwards their spam as well. We purchased quite a few barracuda servers and became their case study for outbound units. They actually do a really good job at blocking the spam. But as spam changes every minute, we can only get updates every hour. The mail forwarders is the only spam that come from our network. Try subscribing to hotmails reporting services so you get reports on spam from your IP address, and they have the online reports that show if you add your AS so you can see a report for all ip's in your network.
>
> -Ray
Re: Kenyan Route Hijack
On 17 Mar 2008 04:12:13 +, Paul Vixie [EMAIL PROTECTED] wrote:
> i think, at this stage and at this date, that bringing up the ORBS/abovenet debacle constitutes a canard, and should be avoided, for the good of all.

Completely unrelated to l'affaire ORBS of course, but in this more recent example, was uunet kenya a transit customer (or customer of a customer) of abovenet?

And quoting from a previous email -

> An interesting bit is that the current announcement on routeviews directly from AS 6461 has Community 6461:5999 attached:
>
> ...
>   6461
>     64.125.0.137 from 64.125.0.137 (64.125.0.137)
>       Origin IGP, metric 0, localpref 100, valid, external, best
>       Community: 6461:5999
> ...
>
> According to this, that community is used for internal prefixes: http://onesc.net/communities/as6461/
>
> 6461:5999 internal prefix
>
> A "sh ip bgp community 6461:5999" currently yields 130 prefixes with Origin AS of 6461 and that community. Nothing more specific than a /24, although many many adjacent prefixes that would presumably be aggregated normally are announced as well.

---

anybody see similar routing loops for those other prefixes that'd make it look like 5999 is a blackhole community at abovenet, so this dude is seeing what ORBS saw way back when (2000, right) - that is, he had abuse issues, was downstream of a downstream of abovenet and got his /24 blackholed?

srs
Re: Operators Penalized? (was Re: Kenyan Route Hijack)
On Mon, Mar 17, 2008 at 3:48 PM, Glen Kent [EMAIL PROTECTED] wrote:
> Do ISPs (PTA, AboveNet, etc) that unintentionally hijack someone else IP address space, ever get penalized in *any* form?

Depending upon whom and what they hijack, and who all get affected, it sure can

PTA's ASN actually did get disconnected for several hours by PCCW (which was leaking the youtube prefixes that PTA announced, and which shut off all of PTA's ASN rather than just filtering out the bogus announcements)

Though, I am not too convinced that wasn't simply laziness at PCCW rather than a desire to punish PTA

Nobody's blackholed abovenet yet that I know of. And if they did do that, they'd feel the effects real soon.

--srs
Re: Operators Penalized? (was Re: Kenyan Route Hijack)
On Mon, Mar 17, 2008 at 6:38 PM, Jeff Aitken [EMAIL PROTECTED] wrote:
> IMHO a better use of our time would be to solve the underlying technical issue(s). Whether it's soBGP, sBGP, or something else, we need to figure out how to make one of these proposals work and get it implemented.

Start with "implement RFC 2827 yourself, and start pushing other SPs to implement it" maybe?

srs
-- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Operators Penalized? (was Re: Kenyan Route Hijack)
On Mon, Mar 17, 2008 at 8:48 PM, Larry J. Blunk [EMAIL PROTECTED] wrote:
> RFC2827 is about source address filtering which is not really the same as BGP route announcement filtering. Unfortunately, I have not come across

Yup, radb etc for that. Not fully awake when I wrote that, and hit send too soon.

The PTCL thing was deliberate origination of a bogus prefix, meant for consumption by Pakistani ISPs. Abovenet too - they surely intended SOMETHING (no idea what) - announcements don't come tagged with communities (and communities with maybe 130 odd prefixes out of the huge number that abovenet advertises) simply by accident. Leaking that prefix out might be accidental - or it was not leaked at all, abovenet is massive, lots of transit customers.

PTCL leaking youtube prefixes out to the world rather than pakistani ISPs was an accident. And their upstream PCCW not filtering weird and wonderful route advertisements from downstream customers was .. well, a decision that PCCW took (or rather, chose not to take)

That wasn't the first bogus announcement PTCL made .. about a day or so after l'affaire youtube, I looked up PTCL's AS17557 on cidr-report, which also lists allocations announced and withdrawn in the past week. One interesting allocation ..

22.22.22.0/24 22.0.0.0/8

Prefixes added and withdrawn by this origin AS in the past 7 days.
- 22.22.22.0/24 Withdrawn

That's nic.mil IP space - and that sounds a lot like someone with enable at PTCL probably meant 202 or something similar, but is in the habit of typing new routes directly into production routers, rather than pasting it into a text editor and doing some syntax checking first, using cvs or svn for routes etc.

There are enough calls for sBGP and such - but a lot can be accomplished before then simply by doing all the mom and apple pie best practice stuff (and by carrot-and-sticking other SPs into doing them, more importantly - especially any that fit the "large carrier upstream of multiple smaller ISPs with less than clued admins" type places). http://www.apnic.net/meetings/22/docs/tut-routing-pres-bgp-bcp.pdf for example.

srs
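The "do some syntax checking first" step from the post above, as an added example (not code from the list, from PTCL or from any operator): a pre-commit check that a list of candidate announcements could be run through before they go anywhere near a production router, or that an upstream could apply as the customer-prefix filter the post says PCCW chose not to. Each candidate is rejected if it is malformed (host bits set, the classic typo), reserved or RFC 1918 space, more specific than the longest prefix upstreams accept, or outside the AS's allocations. The allocations 203.0.113.0/24 and 198.51.100.0/24 and the candidate list are constructed; 22.22.22.0/24 is the prefix from the post and is rejected because it falls outside them.

```python
from ipaddress import ip_network

# Constructed: the prefixes this hypothetical AS is allocated (documentation
# ranges standing in for real RIR allocations) and the longest prefix its
# upstreams will accept from it.
ALLOCATED = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
MAX_PREFIX_LEN = 24

# Well-known reserved space that must never be originated (RFC 1918, RFC 1122
# loopback and "this" network, RFC 3927 link-local, multicast, class E).
BOGONS = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def check_announcement(prefix_str, allocated=ALLOCATED, max_len=MAX_PREFIX_LEN):
    """Return ('accept', reason) or ('reject', reason) for one candidate route."""
    try:
        # strict=True turns "203.0.113.1/24" (host bits set) into an error
        # instead of silently rounding it to the network address.
        pfx = ip_network(prefix_str, strict=True)
    except ValueError as exc:
        return ("reject", f"malformed prefix: {exc}")
    if any(pfx.subnet_of(b) for b in BOGONS):
        return ("reject", "reserved/bogon space")
    if pfx.prefixlen > max_len:
        return ("reject", f"more specific than /{max_len}")
    if not any(pfx.subnet_of(a) for a in allocated):
        return ("reject", "not within this AS's allocations")
    return ("accept", "covered by allocation")


def review(candidates, **kwargs):
    """Check every candidate; returns {prefix: (verdict, reason)}."""
    return {c: check_announcement(c, **kwargs) for c in candidates}


# Constructed candidate list: one valid route, the typo-looking prefix from the
# post, a too-specific route, private space, and a prefix with host bits set.
CANDIDATES = [
    "203.0.113.0/24",
    "22.22.22.0/24",
    "203.0.113.0/25",
    "10.0.0.0/8",
    "203.0.113.1/24",
]

if __name__ == "__main__":
    for prefix, (verdict, reason) in review(CANDIDATES).items():
        print(f"{prefix:<18} {verdict:<7} {reason}")
```

The allocation list is the piece that would come from the IRR (radb etc, as the post says) or from the AS's own records kept under version control; everything else is a fixed rule.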
Re: IPv6 on SOHO routers?
I seem to remember something about Earthlink rolling out v6 enabled wifi routers to its customers (linksys with a hacked up firmware that'd create a v6 tunnel between the cpe and an elnk tunnelbroker) .. what happened to that interesting little product? Killed off and the few remaining users grandfathered?

srs

On Thu, Mar 13, 2008 at 1:36 AM, Frank Bulk - iNAME [EMAIL PROTECTED] wrote:
> Slightly off-topic, but tangentially related that I'll dare to ask. I'm attending an Emerging Communications course where the instructor stated that there are SOHO routers that natively support IPv6, pointing to Asia specifically.
Re: Prefix filtering for Cisco SUP2
Is it time for this nanog thread again? http://www.merit.edu/mail.archives/nanog/msg02822.html

srs

On Fri, Feb 29, 2008 at 11:45 PM, Henry Futzenburger [EMAIL PROTECTED] wrote:
> 1. Accept only default and partial routes from upstream.
>    a. Accept directly-connected routes, reject everything else and rely on the default route.
>    b. Assume a reduction to about 30,000 unique routes per upstream ISP (currently 3).
> 2. Accept only default and RIR minimum routes from upstream.
>    a. Filter based on RIR minimums, rely on default for unaggregated routes.
>    b. Assume a reduction of about 50,000-100,000 total routes.
Another cablecut - sri lanka to suez Re: Sicily to Egypt undersea cable disruption
http://www.marketwatch.com/news/story/third-undersea-cable-reportedly-cut/story.aspx?guid={1AAB2A79-E983-4E0E-BC39-68A120DC16D9}

"We had another cut today between Dubai and Muscat three hours back. The cable was about 80G capacity, it had telephone, Internet data, everything," one Flag official, who declined to be named, told Zawya Dow Jones. The cable, known as Falcon, delivers services to countries in the Mediterranean and Gulf region, he added.

etc etc.

On Jan 31, 2008 10:05 PM, Martin Hannigan [EMAIL PROTECTED] wrote:
> On Jan 31, 2008 11:20 AM, Rod Beck [EMAIL PROTECTED] wrote:
>> http://www.kisca.org.uk/Web_SWApproaches.pdf
>>
>> And if you enlarge the map, you can see little dots on the lines representing the cables that denote repairs. Lots and lots of repairs. Treacherous waters.
>
> The distances are consistent with repeaters/op amps. And the chart legend notates the same.
>
> Coincidentally, Telecom Egypt announced a new cable to be built by Alcatel-Lucent this morning. TE North, which looks like it's going from Egypt to France, is an 8 pair system (128 x 10Gb/s x 8).
>
> Thanks for your input.
>
> -M

-- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Another cablecut - sri lanka to suez Re: Sicily to Egypt undersea cable disruption
On Feb 2, 2008 4:07 AM, Steven M. Bellovin [EMAIL PROTECTED] wrote:
> Yah. I'm a security guy, and hence suspicious by nature -- our slogan is "Paranoia is our Profession" -- and I'm getting very concerned. The old saying comes to mind: once is happenstance, twice is coincidence, but the third time is enemy action. The alternative is some common mode failure -- perhaps the storm others have noted.

Quite a few other lists I look at (especially those with a critical infrastructure protection type focus) seem to feel the same as you do. And at least one list has already started the "maybe al qaeda is behind this" idea running.

The fun part is that quite a lot of these cables are in international waters, so it just might turn into a high level multiple UN agency conference, sooner or later with ideas like a bunch of navy or coast guard cutters tasked to patrol on the borders of cable landing areas and head off shipping that wants to anchor, trawlers that want to drag nets across the ocean floor, bubba driving his backhoe ship .. [and that still doesn't keep away sharks that want to sharpen their teeth on undersea cables...]

srs
Re: Dictionary attacks prompted by NANOG postings?
On Jan 17, 2008 12:13 PM, Barry Shein [EMAIL PROTECTED] wrote:
> Once again shortly after posting a message to NANOG a fairly significant dictionary attack using Earthlink's mail servers fired up. The same thing happened around Nov 30th (I posted about it here.)

Post Hoc, Ergo Propter Hoc.

srs
Re: Network Operator Groups Outside the US
On Jan 16, 2008 5:39 PM, Rod Beck [EMAIL PROTECTED] wrote:
> 1. UK: UKNOF; http://www.uknof.org.uk/ I just attended the last meeting Monday. Free and a good lunch included! Please do not confuse UKNOF with the United Kingdom Nitric Oxide Forum. Nitric Oxide keeps your arteries relaxed and your blood pressure under control [...]

APRICOT - http://www.apricot2008.net next month in Taipei.

SANOG - www.sanog.org - going on right now in Dhaka, Bangladesh

-- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: houston.rr.com MX fubar?
I see roadrunner listens.

frodo:~ dig +short houston.rr.com mx
0 .
frodo:~ dig +short houston.rr.com txt
v=spf1 -all

--srs

On Jan 13, 2008 8:55 AM, Suresh Ramasubramanian [EMAIL PROTECTED] wrote:
> A bunch of roadrunner subdomains migrated over to comcast and those are dud.
>
> One operationally better way to go seems to be Mark Delany's mx0dot proposal, which started out as an internet draft, but seems to have lost momentum .. the concept is sound though.
>
> http://ietfreport.isoc.org/idref/draft-delany-nullmx
>
> That'd mean houston IN MX 0 .
>
> --srs
>
> On Jan 13, 2008 8:32 AM, Chris Boyd [EMAIL PROTECTED] wrote:
>> We're bouncing email to houston.rr.com due to the MX being set to localhost.
>>
>> [EMAIL PROTECTED]:~$ host -t mx houston.rr.com
>> houston.rr.com mail is handled by 10 localhost.
>>
>> Setting the MX to 127.0.0.1 seems like an odd way to handle the switch.
>>
>> http://www.chron.com/disp/story.mpl/business/silverman/4842611.html

-- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: houston.rr.com MX fubar?
On Jan 14, 2008 5:08 PM, Tony Finch [EMAIL PROTECTED] wrote:
> the "." convention then it will look up the root's AAAA and A records, which is stupid but should cause the message to bounce as desired. However if it does implement the convention (just like the usage rules for a SRV record target of "." in RFC 2782) then it can skip the address lookups and save the root some work. (It can also produce a better error message.) This really ought to be explained in draft-delany-nullmx.

The draft died. And I think this stuff about looking up A / AAAA for the root was certainly raised in the IETF sometime back. Not that there isn't enough junk traffic (and DDoS etc) coming the roots' way that this kind of single lookup would get lost in the general noise ..

Might want to revive it and take it forward? I rather liked that draft (and Mark Delany cites me in the acknowledgements as I suggested a few wording changes for the definition of a null MX - dot terminated null string, STD13 etc, during his drafting of the document)

--srs
-- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: houston.rr.com MX fubar?
On Jan 15, 2008 8:53 AM, Mark Andrews [EMAIL PROTECTED] wrote:
> There are lots of places in the DNS where "." makes sense as a null indicator. RP uses it today, as does SRV. MX should use it and fallback to A should be removed. It

"Fallback to A should be removed" sure sounds like a plan.

srs
Re: houston.rr.com MX fubar?
On Jan 13, 2008 9:55 PM, Tony Finch [EMAIL PROTECTED] wrote:
> On Sun, 13 Jan 2008, Suresh Ramasubramanian wrote:
>> One operationally better way to go seems to be Mark Delany's mx0dot proposal, which started out as an internet draft, but seems to have lost momentum .. the concept is sound though.
>
> Exim implements this convention.

Er, the concept is DNS related .. totally MTA independent. Simply declaring that there is no MX record in a way that stops fallback to an A record. Exim would check for such. Other MTAs, even those that don't explicitly check for it, would try to deliver email and fail immediately, creating a 550 / NDN / whatever.

Basically -

> To indicate that a domain never accepts email, it advertises a solitary MX RR with a RDATA section consisting of an arbitrary preference number 0, and a dot terminated null string as the mail exchanger domain, to denote that there exists no mail exchanger for a domain. The dot termination denotes that the null MX domain is considered to be absolute, and not relative to the origin of the zone, the behavior of dot termination and the formatting of this record is as described in STD13

--srs
Re: houston.rr.com MX fubar?
A bunch of roadrunner subdomains migrated over to comcast and those are dud. One operationally better way to go seems to be Mark Delany's mx0dot proposal, which started out as an internet draft, but seems to have lost momentum .. the concept is sound though.

http://ietfreport.isoc.org/idref/draft-delany-nullmx

That'd mean

houston IN MX 0 .

--srs

On Jan 13, 2008 8:32 AM, Chris Boyd [EMAIL PROTECTED] wrote:
> We're bouncing email to houston.rr.com due to the MX being set to localhost.
> [EMAIL PROTECTED]:~$ host -t mx houston.rr.com
> houston.rr.com mail is handled by 10 localhost.
> Setting the MX to 127.0.0.1 seems like an odd way to handle the switch.
> http://www.chron.com/disp/story.mpl/business/silverman/4842611.html
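A worked version of the null MX check this thread describes, as an added example (Python; not code from the thread, from Exim, or from draft-delany-nullmx): given a domain's MX RRset it distinguishes the null MX form (a solitary `MX 0 .`) from "no MX at all" (implicit fallback to the A record) and from a broken RRset like houston.rr.com's `MX 10 localhost`. The RRset is passed in as a constructed list rather than looked up, so it runs offline; treating `localhost` as unusable and the exact reply text are local policy assumptions, not anything the draft specifies.

```python
"""Null MX handling in an outbound MTA's next-hop selection.

Added example, not from the thread or from draft-delany-nullmx itself.
The convention under discussion: a single MX record with preference 0
and an exchange of "." (the root, i.e. a dot-terminated null string)
means "this domain never accepts mail", so an MTA must neither look up
address records for "." nor fall back to the domain's own A record.
RFC 7505 (2015) later standardised exactly this record form.

`choose_route` takes a constructed RRset, a list of (preference,
exchange) tuples, so the example runs offline; a real MTA would fill
it from a DNS lookup.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MXRecord = Tuple[int, str]  # (preference, exchange as presented in the zone)


@dataclass(frozen=True)
class Route:
    action: str          # "deliver", "fallback_a", or "reject"
    targets: List[str]   # exchanges to try, in preference order
    reason: str


def normalize(name: str) -> str:
    """Compare DNS names case-insensitively and without a trailing dot,
    except that the root itself stays ".", which is what null MX uses."""
    if name == ".":
        return "."
    return name.rstrip(".").lower()


def is_null_mx(rrset: List[MXRecord]) -> bool:
    """True only for the exact null MX form: a solitary record whose
    exchange is the root. A "." mixed in with real exchanges is a zone
    error, not a null MX; choose_route() just skips it."""
    return len(rrset) == 1 and normalize(rrset[0][1]) == "."


def choose_route(domain: str, rrset: Optional[List[MXRecord]]) -> Route:
    """Decide how to route mail for `domain` given its MX RRset
    (None or [] when the name has no MX records at all)."""
    if not rrset:
        # No MX at all: classic STD 10 behaviour, implicit MX 0 <domain>.
        return Route("fallback_a", [domain], "no MX RRset, implicit MX to A record")
    if is_null_mx(rrset):
        # Fail immediately with a permanent error and never touch the root.
        return Route("reject", [], "null MX: domain advertises that it accepts no mail")
    # Normal case: sort by preference. Dropping "." and "localhost" as
    # exchanges is a local-policy assumption (the houston.rr.com breakage
    # was "MX 10 localhost", which would loop mail back onto the sender).
    usable = sorted(
        (pref, normalize(ex)) for pref, ex in rrset
        if normalize(ex) not in (".", "localhost")
    )
    if not usable:
        return Route("reject", [], "all MX exchanges unusable (root or localhost)")
    return Route("deliver", [ex for _, ex in usable], "MX present")


def smtp_status(route: Route) -> str:
    """The reply an MTA would record for the queued message. The thread
    talks about a 550; RFC 7505 later assigned 556 / 5.1.10 to null MX."""
    if route.action == "reject":
        return "550 5.1.10 " + route.reason
    return "250 routed via " + ",".join(route.targets)
```

The point of `is_null_mx` being strict about a *solitary* record is that a zone containing both `MX 0 .` and a real exchange is misconfigured rather than declaring "no mail", and the safe reading of that is to keep delivering to the real exchange.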
Re: can the memory technology save the routing table size scalability problem?
You could try this recent nanog thread for some ideas

Route table growth and hardware limits...talk to the filter
http://www.merit.edu/mail.archives/nanog/msg02822.html

srs

On Jan 9, 2008 7:55 AM, yangyang. wang [EMAIL PROTECTED] wrote:
> As we know, the DFZ RIB size expands rapidly. It may be resolved via router architecture improvement, such as adding memory chips or compressing RIB, or via changing routing and addressing scheme; which one will be the long-term essential approach?

-- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Creating a crystal clear and pure Internet
On Nov 27, 2007 8:08 PM, Sean Donelan [EMAIL PROTECTED] wrote:
> Several new projects have started around the world to achieve those goals.
> ITU anti-botnet initiative http://www.itu.int/ITU-D/cyb/cybersecurity/projects/botnet.html

I wrote this one. And there are a few things in there that nanogers would probably agree with me are best practice. At least in this case, you have ITU putting money and resources into putting these BCPs into practice, at a national level. 1Q08 - there'll be a pilot project, implementing these ideas in Malaysia.

http://www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-botnet-mitigation-toolkit-background.pdf

It quotes your 40-40-20 rule somewhere btw .. I forgot to attribute it to you, that's coming up in version #2 of the draft

srs
Re: unwise filtering policy from cox.net
On Nov 22, 2007 1:27 PM, Leigh Porter [EMAIL PROTECTED] wrote:
> longer make any cheap plastic tat. If there is no cheap plastic tat, then Internet commerce will die because there will be nothing to buy!

Great. So half the world's population is dead, lots of dotbombs are out of business .. but you have LOTS of IP space that's suddenly unused and available. Fun.
Re: unwise filtering policy from cox.net
On Nov 22, 2007 6:15 PM, Adrian Chadd [EMAIL PROTECTED] wrote:
> On Thu, Nov 22, 2007, Suresh Ramasubramanian wrote:
> > Great. So half the world's population is dead, lots of dotbombs are out of business .. but you have LOTS of IP space that's suddenly unused and available.
> Is this actually a serious alternative to migrating to IPv6?

Dotbombs are, if they occur. Not that you can bank on them to occur .. though given silly valley, they just might occur. If they do occur, and if the RIRs are on the ball about reclaiming IP space ... Lots of ifs.
Re: unwise filtering policy from cox.net
On Nov 21, 2007 5:46 PM, Eliot Lear [EMAIL PROTECTED] wrote:
> Given what Sean wrote goes to the core of how mail is routed, you'd pretty much need to overhaul how MX records work to get around this one, or perhaps go back to try to resurrect something like a DNS MB record, but that presumes that the problem can't easily be solved in other ways.

Sean demonstrated one such way (move the high volume stuff to its own domain). Most mailservers do allow you to exempt specific addresses from filtering.

srs
Re: unwise filtering policy from cox.net
On Nov 22, 2007 3:33 AM, Barry Shein [EMAIL PROTECTED] wrote:
> If that ([EMAIL PROTECTED]) overloads those servers, even if they're valiantly trying to pass the connection off to another machine, then you have to use some other method like [EMAIL PROTECTED] or [EMAIL PROTECTED] and hope the clients will somehow use that tho for BIGCOMPANY there's a tendency to just bang in [EMAIL PROTECTED]

... and the RFC says that, and those people that still do manually report abuse will email [EMAIL PROTECTED] or [EMAIL PROTECTED] instead of hitting report spam and letting their ISP forward it across in a feedback loop (which will go to an entirely different, machine parsed address as the ARF spec is designed to let you do).

You can always alias abuse@ internally to a subdomain if you wish - but that wouldn't be because abuse@ slows down your MXs. The smtp load inbound to an abuse mailbox will be fairly small compared to the general load of smtp (and spam) coming your users' way for sure.

There's lots of ways to manage an abuse mailbox (such as filter spam to your abuse mailbox into a bulk folder, review it and then feed it to scripts that parse the spam and feed the results to your filters). MAAWG's been working on an abuse desk bcp for quite some time (the hard / tech part of it, as well as soft abuse stuff like motivating and training abuse deskers, giving them career paths etc)

--srs

> It can be a problem in joe jobs, as one e.g.
> If you think I'm wrong (or Sean's wrong) even for a millisecond then trust me, this is going right over your head. Think again or email me privately and I'll try to be more clear.
> P.S. It's an interesting thought. The only approach to a solution I could imagine is that the whole address would have to be passed in the MX query.
> On November 21, 2007 at 21:06 [EMAIL PROTECTED] (Paul Jakma) wrote:
> > An unfortunate limitation of the SMTP protocol is it initially only looks at the right-hand side of an address when connecting to a server to send e-mail, and not the left-hand side.
> > full) or the normal server administrators may make changes which affects all addresses passing through that server (i.e. block by IP address).
> > I guess you're saying there's something architectural in email that makes it impossible/difficult (limitation) to apply different policy to the LHS. That's not correct though. The receiving MTA is quite free to apply differing policies to different LHSes. And at least one MTA allows you special-case measures applied to tables of addresses, such as whether DNSbl lookups should be applied. SMTP is distributed, so you do of course have to take care to keep distributed policy consistent. But, again, that has nowt to do with LHS/RHS of email addresses.
> > regards,
> > -- Paul Jakma [EMAIL PROTECTED] [EMAIL PROTECTED] Key ID: 64A2FF6A Fortune: A plumber is needed, the network drain is clogged
> -- -Barry Shein The World | [EMAIL PROTECTED] | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Login: Nationwide Software Tool & Die | Public Access Internet | SINCE 1989 *oo*

-- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Postmaster Operator List?
On Nov 16, 2007 10:04 PM, Leigh Porter [EMAIL PROTECTED] wrote:
> If there was, I sure would not join it. It'd be full of I cannot send mail to your domain blah blah

Been to a MAAWG meeting yet? Or been on one such list? There's a lot more interesting and useful / operationally relevant stuff that goes on.
Re: cpu needed to NAT 45mbs
On Nov 10, 2007 2:43 AM, Lamar Owen [EMAIL PROTECTED] wrote:
> I'm able to get 45Mb/s through a P3-800 with a four-port NIC running NAT and simple content filtering with SmoothWall Advanced Firewall 2 easily. Have a box doing that right now.

Speaking of all that, does someone have a conference wireless BCP handy? The sort that starts off with "don't deploy $50 unbranded taiwanese / linksys etc routers that fall over and die at more than 5 associations, place them so you don't get RF interference all over the place" etc before going on to more faqs like what to do so worms don't run riot? Comes in handy for that, as well as for public wifi access points.

srs
Re: Friendly XO Mail-operational contact ?
[EMAIL PROTECTED] 04:39:42 ~ $ telnet dalsmlprd08.dal.dc.xo.com. smtp
Trying 207.88.96.46...
Connected to dalsmlprd08.dal.dc.xo.com.
Escape character is '^]'.
[long, long delay]
220 triton.xo.com ESMTP XO Communications mail gateway. Unauthorized access prohibited. All activities will be logged. Wed, 7 Nov 2007 06:51:09 -0600

And that box is in Sherman Oaks CA. You sure XO hasn't been playing with banner delays, and your MTA is timing out before establishing an smtp connection?

On Nov 7, 2007 6:09 PM, Andy Davidson [EMAIL PROTECTED] wrote:
> hi, Can anyone put me in touch with a friendly XO mail admin? For 36 hours (at least) my mail systems have been refused connections to any of the XO MXes listed in 'dig mx xo.com'. I've asked some other UK based operators, and roughly three-quarters get connection refused to the example I gave them - dalsmlprd08.dal.dc.xo.com. Many thanks Andy
> -- Regards, Andy Davidson // Engineering Localphone Limited http://www.localphone.com +44-(0)114-3191919 // Sheffield, UK

-- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: mail operators list
Well, the current nanog MLC is mostly because Susan Harris was cracking down equally on discussions of anything mail / spam filtering related (operational not kooky) .. in fact, on anything that didn't involve pushing packets from A to B. And we have Marty Hannigan from the MLC telling us that operational mail / spam filtering issues are perfectly on topic.

New list not particularly necessary I think .. but sure, a spam or mailops bof at nanog would be a good idea. I (or well, APCAUCE) have been running a spam conference track at APRICOT for the past few years now ..

srs

On Oct 30, 2007 11:02 PM, Al Iverson [EMAIL PROTECTED] wrote:
> I would support the creation of a mail-operators list ( agenda time for a mailops bof, since a lot of networks are small enough to mean that netops and sysops are often the same guys) if it's deemed to be offtopic on nanog-l. I have a sinking fear it'll be overrun with loud people who aren't actually responsible for anything more than a single IP at most, like SPAM-L, but I suppose it's worth a shot.
Re: Any help for Yahoo! Mail arrogance?
On Oct 29, 2007 11:01 PM, Tuc at T-B-O-H.NET [EMAIL PROTECTED] wrote:
> > Fix your forwarding a lot better.
> Not sure what this means. My machines are MX's for the client's domain. They accept it, and either forward it around locally to one of the processing MX's or ARE one of the processing MX's. Its

Yes, that's just how forwarding and .forwards work. And if you mix inbound email (much dirtier than outbound email even if you run a secure shop) into a mail stream that includes email sent out by your clients, you potentially have random botnet spam, spam from sbl listed spammers etc (in other words, a lot of block on sight stuff) leaking through your IP, the same IP that a bunch of your other customers use to mail out to their aunt mary on yahoo.

The numbers from that one .forward are enough to screw up the rest of your numbers; a 5% or less complaint rate on email from your IP (and believe me, if your user is jackass enough to click report spam on email that comes through his .forward the complaints can go up real high) .. is enough to get your IP blocked.

Dealing with tier 1 support anywhere (not the least of where is yahoo) is always a pain. Which is why what I am suggesting is avoidance and prevention rather than going around alternatively begging yahoo to fix something or accusing them on nanog of being arrogant.

--srs
Re: Any help for Yahoo! Mail arrogance?
On 10/29/07, Tuc at T-B-O-H.NET [EMAIL PROTECTED] wrote:
> Unfortunately, we cannot provide you with specific information other than to suggest a review of the questionnaire we supplied and try to determine where your mailing practices may be improved upon.

In other words, fix your forwarding a lot better (and possibly segregate it from your main mail stream, clearly label the forwarding IP as a forwarder, etc)

Yahoo aren't really in the business of teaching people how to do a better job. If that sounds like arrogance ..

srs
Re: Hotmail/MSN postmaster contacts?
On 10/26/07, Dave Pooser [EMAIL PROTECTED] wrote:
> What I did in the past in a similar situation was sign up for an MSN account, complain that my office couldn't email me, and keep escalating until I reached somebody who understood the problem. Of course the circumstances were somewhat different, and a spammer in a nearby netblock had ignored them and they ended up blacklisting the whole /24 instead of just the spammer's /27-- but it's still probably worth a try.

Which works just great for some networks that don't otherwise care. Especially some of the large colo farms.

srs
Re: Bee attack, fiber cut, 7-hour outage
On 9/22/07, Wayne E. Bouchard [EMAIL PROTECTED] wrote:
> I realize that it's expensive to run these lines but when you put your working and protect in the same cable or different cables in the same trench (not even a trench a few feet apart, but the same trench and same innerduct), you have to EXPECT that you're gonna have angry customers. And yet when telco folks learn that this has occurred, they often feign being as surprised as the customers.

.. and as long as they are the only telco with copper in the area, they could care less, I guess?

> jump off his tractor and hit a lever that lowered an auger that sliced a fiber-optic line.

ps: That story had a kind of ... "that killed the rat that ate the malt that made the house that jack built" feel to it.

srs
When insects become an operational problem ..
Bugs laying eggs in fiber tearing up a lot of broadband in Japan

http://www.sciencemag.org/content/current/r-samples.dtl

-- Suresh Ramasubramanian ([EMAIL PROTECTED])
For want of a single ethernet card, an airport was lost ...
This is rich .. LAX airport shut down for hours because of a PC with a duff network card. Now I wonder which major contractor has the contract to set up and run the network at LAX, and how much in damages and SLA costs he is looking at, when an airport gets shut down from 2 pm to midnight.

http://blog.wired.com/sterling/2007/08/lax-outage-is-b.html

-- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: For want of a single ethernet card, an airport was lost ...
On 8/18/07, Steven Haigh [EMAIL PROTECTED] wrote:
> Oh noes! The terrerists can kill all the airports by installing dodgy network cards in a machine! I wonder if the machine had an RTL8139 card in there? ;)

Well, if it is a mess of legacy equipment in there .. there's a high chance that everything is connected to a hub, and the faulty network card was flooding the network and causing collisions. Now I trashed my last hub several years back so I am not sure if that is the case, but it is quite plausible .. and the first explanation that I can think of [besides a worm of course, but the article did say faulty ethernet card].

--srs
Re: [policy] When Tech Meets Policy...
On 8/14/07, Carl Karsten [EMAIL PROTECTED] wrote:
> That doesn't make anything criminal or fraud any more than free samples. If a registrar wants to give a refund, I don't see anything wrong with that.

As John Levine once said - it's like running a wholesale ketchup business by picking up all the tiny plastic packets of ketchup at fast food stores ..

-- Suresh Ramasubramanian ([EMAIL PROTECTED])
Reliance / Flag telecom buys Yipes - $300m
http://www.thehindubusinessline.com/2007/07/18/stories/2007071850650400.htm -- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: How should ISPs notify customers about Bots (Was Re: DNS Hijacking
On 7/24/07, Chris L. Morrow [EMAIL PROTECTED] wrote:
> Please do this at 1Gbps, really 2Gbps today and 20gbps shortly, in a cost effective manner. Please also do this on encrypted control channels or channels not 'irc', also please stay 'cost effective'. Additionally,

Right. However one consolation is that all this is edge filtering, outbound. And some of it can be pushed off onto the CPE (eoe availability of patched CPE)

Outbound traffic volumes won't be as horrendously high as those inbound, and should be a bit easier to categorize than inbound traffic

DNS and routing tricks are the silliest, to some - but well, they work for a lot of low hanging fruit. And as you say, they are cost effective.

srs
Re: How should ISPs notify customers about Bots (Was Re: DNS Hijacking
On 7/24/07, Joe Greco [EMAIL PROTECTED] wrote:
> The problem is isolating the traffic in question. Since you DO NOT HAVE GIGABITS OF TRAFFIC destined for IRC servers, this becomes a Networking 101-style question. A /32 host route is going to be effective. Manipulating DNS is definitely the less desirable method, because it has the potential for breaking more things. But, hey, it can be done, and with an amount of effort that isn't substantially different from the amount of work Cox would have had to do to accomplish what they did.

Yup - though I still don't see much point in special-casing IRC. It would probably be much more cost effective in the long run to have something rather more comprehensive. Yes there are a few bots around still using IRC but a lot of them have moved to other, better things (and there's fun headless bots too, hardcoded with instructions and let loose so there's no C&C, no centralized domain or dynamic dns for takedown.. you want to make a change? just release another bot into the wild).
Re: How should ISPs notify customers about Bots (Was Re: DNS Hijacking by Cox)
On 7/23/07, Sean Donelan [EMAIL PROTECTED] wrote:
> What should be the official IETF recognized method for network operators to asynchronously communicate with users/hosts connect to the network for various reasons getting those machines cleaned up?

Most large carriers that are also MAAWG members seem to be pushing walled gardens for this purpose.

-- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: How should ISPs notify customers about Bots (Was Re: DNS Hijacking by Cox)
On 7/23/07, Sean Donelan [EMAIL PROTECTED] wrote:
> But, like other attempts to respond to network abuse (e.g. various block lists), sometimes there are false positives and mistakes. When it happens, you tweak the filters and undo the wrong block. Demanding zero chance of error before ISPs doing anything just means ISPs won't do anything.

Running email abuse desks for about a decade now makes me tend to agree with you .. and completely unfiltered pipes to the internet for customer broadband are a pipe dream, most places.

-- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: How should ISPs notify customers about Bots (Was Re: DNS Hijacking
On 7/23/07, Joe Greco [EMAIL PROTECTED] wrote:
> All right, here we go. Please explain the nature of the bot on my freshly installed (last night) FreeBSD 6.2R box.

%age of freshly installed freebsd 6.2R boxes v/s random windows boxes on cox cable? Like anything else, its a numbers game.
Re: How should ISPs notify customers about Bots (Was Re: DNS Hijacking
On 7/24/07, Chris L. Morrow [EMAIL PROTECTED] wrote:
> So, to back this up and get off the original complaint, if a service provider can protect a large portion of their customer base with some decent intelligence gathering and security policy implementation is that a good thing? keeping in mind that in this implementation users who know enough and are willing to forgo that 'protection' (for some value of protection) can certainly circumvent/avoid it.

Right. Let us get to best practices rather than debating ethics. So how would you keep your network clean of infected PCs?

* Gather information (log parsers, darknet / honeynet traffic monitoring, feeds from XBL type blocklists)
* Redirect common bot abused services like IRC by default either across your network or on whatever part of your network you see bot activity as evidenced from darknet etc observation (and run the risk that right after you get that IP information, the infected XP box on that IP is replaced not by another XP box but by a fully loaded geek install of freebsd, rather than by an infected win2k box, a patched vista etc)
* Walled garden type outbound IDS to quarantine an IP completely when malware activity is noted.

Yes, irc bots aren't the only kind of bots - those are positively old fashioned, yes there can be multiple malware on a single PC, yes, port 25 blocking to stop bots is treating lung cancer with cough syrup (tip of the hat to Joe St.Sauver) .. etc etc etc. A good BCP would be a nice thing to have around.

srs
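An added example of the three steps in this post wired together (Python; not from the thread and not any ISP's or vendor's code): outbound flow records from the customer pool are scored against monitored darknet space and an XBL-style listing, hosts that look infected go on the walled-garden list, hosts that merely talk to IRC ports get the redirect, and an opt-out set covers the "users who know enough" case. The pool, darknet prefixes, listing snapshot, port set, thresholds and the flow lines are all constructed assumptions.

```python
"""Turn the data sources in the post (darknet hits, XBL-type blocklists,
flow logs) into a quarantine list for a walled garden.

Added example, not from the thread and not any ISP's or vendor's code.
Everything below is an assumption: the customer pool, the darknet
prefixes, the blocklist snapshot, the IRC port set, the thresholds and
the opt-out set are made up, and the flow records are constructed.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

CUSTOMER_POOL = ipaddress.ip_network("198.51.100.0/24")  # assumed access pool
DARKNET = [ipaddress.ip_network("203.0.113.0/24")]       # assumed unused space we watch
XBL_LISTED: Set[str] = {"198.51.100.77"}                 # assumed blocklist feed snapshot
OPT_OUT: Set[str] = {"198.51.100.50"}                    # assumed: users who asked out
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697}
DARKNET_THRESHOLD = 5   # distinct darknet destinations before we call it scanning

Flow = Tuple[str, str, int, str]  # (src, dst, dport, proto): one exported flow


def parse_flow(line: str) -> Flow:
    """Parse 'src dst dport proto' as exported by the (assumed) collector."""
    src, dst, dport, proto = line.split()
    return src, dst, int(dport), proto.lower()


def is_customer(ip: str) -> bool:
    return ipaddress.ip_address(ip) in CUSTOMER_POOL


def in_darknet(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DARKNET)


def classify(flows: Iterable[Flow]) -> Dict[str, str]:
    """Per customer IP: 'quarantine', 'redirect-irc', 'opt-out' or 'ok'.

    Only flows sourced from our pool count: the post's point is that
    outbound is smaller and easier to categorise than inbound."""
    darknet_targets: Dict[str, Set[str]] = defaultdict(set)
    irc_hits: Dict[str, int] = defaultdict(int)
    seen: Set[str] = set()
    for src, dst, dport, proto in flows:
        if not is_customer(src):
            continue
        seen.add(src)
        if in_darknet(dst):
            darknet_targets[src].add(dst)   # nobody legitimately talks to dark space
        if proto == "tcp" and dport in IRC_PORTS:
            irc_hits[src] += 1
    verdict: Dict[str, str] = {}
    for ip in seen:
        if ip in OPT_OUT:
            verdict[ip] = "opt-out"            # still logged, never redirected
        elif ip in XBL_LISTED or len(darknet_targets[ip]) >= DARKNET_THRESHOLD:
            verdict[ip] = "quarantine"         # walled garden until cleaned
        elif irc_hits[ip]:
            verdict[ip] = "redirect-irc"       # hand the IRC session to the sinkhole
        else:
            verdict[ip] = "ok"
    return verdict


def quarantine_list(lines: Iterable[str]) -> List[str]:
    """The IPs to push into the walled garden from one batch of flow lines."""
    return sorted(ip for ip, v in classify(map(parse_flow, lines)).items() if v == "quarantine")


# Constructed sample flow lines, not real traffic.
SAMPLE_FLOWS = [
    "198.51.100.10 203.0.113.1 445 tcp",    # .10 sweeps five darknet hosts on 445
    "198.51.100.10 203.0.113.2 445 tcp",
    "198.51.100.10 203.0.113.3 445 tcp",
    "198.51.100.10 203.0.113.4 445 tcp",
    "198.51.100.10 203.0.113.5 445 tcp",
    "198.51.100.20 192.0.2.50 6667 tcp",    # .20 only talks IRC
    "198.51.100.20 192.0.2.60 80 tcp",
    "198.51.100.77 192.0.2.60 443 tcp",     # .77 looks clean here but is XBL listed
    "198.51.100.30 192.0.2.60 443 tcp",     # .30 is just browsing
    "198.51.100.40 203.0.113.9 135 tcp",    # .40 touches one darknet host, below threshold
    "198.51.100.40 203.0.113.9 139 tcp",
    "198.51.100.50 203.0.113.7 6667 tcp",   # .50 opted out, whatever it does
    "192.0.2.99 203.0.113.1 445 tcp",       # not our customer, ignored
]
```

Counting *distinct* darknet destinations rather than packets is deliberate: one misconfigured box retrying a single dead address looks like a scanner on a packet count, while a worm sweeping a range does not on a destination count look like anything else.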
Re: Quarantining infected hosts (Was: FBI tells the public to call their ISP for help)
On 6/18/07, Sean Donelan [EMAIL PROTECTED] wrote:
> Simplicita: http://www.simplicita.com/
> Bradford: http://www.bradfordnetworks.com/
> Motive: http://www.motive.com/
> Cisco/Perfigo: http://www.cisco.com/en/US/products/ps6128/index.html
> F-Secure Network Control: http://www.f-secure.co.uk/enterprises/products/fsnc.html
> Trend Micro Intercloud: http://us.trendmicro.com/us/about/news/pr/article/20070123143622.html

Add PerfTech - www.perftech.com to the list. I think Arbor and Sandvine have some kit for this as well.

As for the rest - you're still preaching to the choir here, I don't see where we disagree on this

-- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Interesting new dns failures
On 5/26/07, Scott Weeks [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] wrote:
> > the bits of governments that deal with online crime, spam, etc., I can report that pretty much all of the countries that matter realize there's a problem, and a lot of them have passed or will pass laws whether we like it or not. So it behooves us to engage them and help them pass better rather than worse laws.
> Which countries are pretty much all of the countries that matter? Do you have a list or is this just 'something you're sure of'?

Quite a long list. http://www.londonactionplan.net/?q=node/5

-- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Interesting new dns failures
On 5/24/07, David Ulevitch [EMAIL PROTECTED] wrote:
> Again, good idea, but doesn't belong in the core. If I register a domain, it should be live immediately, not after some 5 day waiting period. On the same token, if you want to track new domains and not accept any email from me until my domain is 5 days old, go for it. Your prerogative.

Well then - all you need is to have some way to convince registrars to take down scammer domains fast. Some of them do. Others don't know (several in asia) or are aware and don't care - there's some in russia, some stateside that mostly kite domains but don't mind registering a ton of blog and email spammer domains.

-srs
Re: Interesting new dns failures
On 5/24/07, Per Heldal [EMAIL PROTECTED] wrote:
> It should be the registries' responsibility to keep their registrars in line. If they fail to do so their delegation should be transferred elsewhere. Of course, to impose decent rules you'd need a root-operator whose

Moving right back to where we started off .. the core, or at least operation of the core :) This is something that can't be solved at the edge. Unfortunately.

srs
Re: Interesting new dns failures
On 5/25/07, John LaCour [EMAIL PROTECTED] wrote:
> If you're a network operator and you'd consider null routing IPs associated with nameservers used only by phishers, please let me know and we'll be happy to provide the appropriate evidence.

Half of them are on fastflux so nullroutes wouldn't help. Some mailservers (recent postfix) allow you to block by NS, or there's always the good old expedient of bogusing these out in your bind resolver config, or serving up a fake zone for them.

-- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Best practices for abuse@ mailbox and network abuse complaint handling?
On 5/13/07, Niels Bakker [EMAIL PROTECTED] wrote:
> Difficult, as spam complaints generally include the original spam and thus trigger SpamAssassin (almost) just as hard. Otherwise, looking forward to your 98% effective procmail recipe

Start with something as simple as "to or cc your abuse desk" .. and ask yourself how many times your abuse desk has been bcc'd on email in the past.

-- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Broadband routers and botnets - being proactive
On 5/12/07, Albert Meyer [EMAIL PROTECTED] wrote:
> I and numerous others (including some whom any reasonable NANOG-L poster would respect and listen to) have asked you repeatedly to stop trolling NANOG-L with this botnet crap. It is off-topic here. The last time you pulled this (starting

As frequent as Gadi is with his botnet posts, insecure and wide open CPE getting deployed across a large provider is definitely operational.

srs
Re: Best practices for abuse@ mailbox and network abuse complaint handling?
On 5/11/07, K K [EMAIL PROTECTED] wrote:
> Can anybody point me at best practices for monitoring and responding to abuse complaints, and good solutions for accepting complaints about network abuse? Any recommended outsourced services for processing abuse complaints?

Well, there's a few things

1. Mitigate [port 25 management, walled gardens and such]
   = Cut down on the number of abuse causing issues
2. Automate
   = Abacus or other abuse desk optimized ticketing system, as John Levine said
   = Feedback loops (ARF formatted) from various ISPs
   = Ditto, automated feeds from Phishtank, Netcraft, your local CERT
3. Spread the load intelligently
   = Whatever can be handled by tier 1 should be handled by tier 1

> Probably 98% of the mailbox is from spammers who've harvested or randomly targeted abuse@ addresses for male enhancement, maybe 1.99%

So? A little filtering should handle a lot of that, procmail even. At least to file the obvious crap into a different folder that can be looked at and blown away to educate management on responsible mass mailing).

> But every once in a while there is a legitimate network-related incident, and my team does need to see those messages in a timely manner.

Separate POCs as far as possible (postmaster for block related issues, abuse for spam related issues, and a block interface like the one we have around - http://spamblock.outblaze.com/ip.add.re.ss), and quick, automated escalations. Ditto tools to automate as much of the search stuff as possible. Prioritizing incidents in your queue as well (stuff like LE requests, largescale network incidents etc can usually be spotted from the subject line itself)

Takes time to build that kind of setup, but the time spent is well worth it

MAAWG's working on an abuse desk best practice doc over the last few meetings, it should be well worth reading when it does come out.

--srs
-- Suresh Ramasubramanian ([EMAIL PROTECTED])
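An added example (Python; not MAAWG's, Outblaze's or any ISP's tooling, and not code from the thread) that covers three points made on this page: the machine-parsed ARF feedback-loop address from the cox.net thread, the "to or cc your abuse desk" filter from the reply to Niels Bakker, and the automation and tier-1 triage items in this post. It parses an incoming message to abuse@, pulls the fields out of an ARF report if that is what it is, and otherwise routes on whether the abuse desk is actually named in To/Cc. The abuse-desk addresses, queue names and the three sample messages are constructed assumptions.

```python
"""Triage for an abuse@ mailbox: ARF feedback-loop reports first, then a
cheap To/Cc check for everything else.

Added example, not from the thread and not MAAWG's or any ISP's code.
ABUSE_ADDRESSES, the queue names and the sample messages at the bottom
are assumptions. ARF (RFC 5965) is a multipart/report with
report-type=feedback-report: part 1 is human-readable text, part 2 is a
message/feedback-report whose body is a set of header-style fields
(Feedback-Type, Source-IP, ...), part 3 is the original message or just
its headers. Python's parser treats any message/* part as a nested
message, so the report fields come out as that nested message's headers.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr
from typing import Dict, Optional

ABUSE_ADDRESSES = {"abuse@isp.example", "abuse@mail.isp.example"}  # assumption


def _nested(part: EmailMessage) -> EmailMessage:
    """A message/* part parses as a one-element payload; text/rfc822-headers
    needs an explicit parse of its text content."""
    if part.is_multipart():
        return part.get_payload(0)
    return email.message_from_string(part.get_content(), policy=policy.default)


def parse_arf(msg: EmailMessage) -> Optional[Dict[str, str]]:
    """Feedback-report fields (lower-cased keys) plus the original sender,
    or None if `msg` is not an ARF report."""
    if msg.get_content_type() != "multipart/report":
        return None
    if msg.get_param("report-type", header="Content-Type") != "feedback-report":
        return None
    parts = list(msg.iter_parts())
    report = next((p for p in parts if p.get_content_type() == "message/feedback-report"), None)
    if report is None:
        return None
    fields = {k.lower(): str(v) for k, v in _nested(report).items()}
    original = next((p for p in parts
                     if p.get_content_type() in ("message/rfc822", "text/rfc822-headers")), None)
    if original is not None:
        fields["original-from"] = parseaddr(str(_nested(original).get("From", "")))[1]
    return fields


def abuse_in_to_or_cc(msg: EmailMessage) -> bool:
    """Real reports name the desk; harvested-address spam is Bcc'd, so
    abuse@ shows up nowhere in To/Cc."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    addrs = {a.lower() for _, a in getaddresses([str(h) for h in headers])}
    return bool(addrs & ABUSE_ADDRESSES)


def triage(raw: str) -> Dict[str, str]:
    """Route one raw message: machine queue for ARF, humans for direct
    reports, bulk folder for the rest."""
    msg = email.message_from_string(raw, policy=policy.default)
    arf = parse_arf(msg)
    if arf is not None:
        return {"queue": "feedback-loop",
                "feedback_type": arf.get("feedback-type", ""),
                "source_ip": arf.get("source-ip", ""),
                "original_from": arf.get("original-from", "")}
    if abuse_in_to_or_cc(msg):
        return {"queue": "human-review"}
    return {"queue": "bulk"}


def is_arf_report(raw: str) -> bool:
    return parse_arf(email.message_from_string(raw, policy=policy.default)) is not None


# Constructed samples, not real reports.
ARF_SAMPLE = """\
From: <fbl@mailbox-provider.example>
To: <arf-intake@isp.example>
Subject: FW: Earn money fast
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="part-1"

--part-1
Content-Type: text/plain; charset="us-ascii"

This is an email abuse report for a message received from IP 192.0.2.1.

--part-1
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: ExampleFBL/1.0
Version: 1
Source-IP: 192.0.2.1
Original-Mail-From: <spammer@customer.isp.example>
Reported-Domain: isp.example

--part-1
Content-Type: message/rfc822

From: "Make Money" <spammer@customer.isp.example>
To: <victim@mailbox-provider.example>
Subject: Earn money fast
Received: from [192.0.2.1] by mx.mailbox-provider.example

Click here.
--part-1--
"""
DIRECT_REPORT = """\
From: <noc@other-isp.example>
To: Abuse Desk <Abuse@ISP.example>
Subject: port scans from 203.0.113.7

Your host 203.0.113.7 has been scanning our /24 since 02:00 UTC, logs attached.
"""
HARVESTED_SPAM = """\
From: <deals@pills.example>
To: undisclosed-recipients:;
Subject: male enhancement

buy now
"""
```

The ARF path never looks at To/Cc at all, which is the point of giving feedback loops their own machine-parsed address: the report arrives at whatever address you registered with the provider, and the fields the script needs (Feedback-Type, Source-IP, the original From) are structured, so it can open a ticket against the customer IP without a tier-1 person reading it.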
Re: Open WiFi Access Point BCP's???
On 4/28/07, Deepak Jain [EMAIL PROTECTED] wrote:
> Anyone have any recommendations for BCPs or software suggestions on running an open community-based access point (or network)?

MAAWG BCPs on walled gardens (probably coming soon if not already out there). Quite a few ISPs - Bell Canada for example - are already doing this on a large scale.

As these coffee shop APs are usually running off a standard DSL line - it's not muni wifi as such - a walled garden should nail abuse very fast, and encourage sensible firewalling on the part of the coffee shop owner .. or he'll find that a NAT'ted IP with multiple infected laptops coming and going out of it might be in and out of a walled garden all the time.

There's some vendors who concentrate on walled garden stuff - Perftech (www.perftech.com) for example. Arbor and Sandvine too have kit that can be used for this, I believe .. of course, at the edge of an ISP's DSL network.

srs
Re: IP Block 99/8
On 4/23/07, David Lemon [EMAIL PROTECTED] wrote:
> still in dire need of assistance from this list as we still have many complaints from residential customers that cannot reach certain sites.

Naming those sites / ASs would probably have some effect. And there's the peeringdb / inoc-dba to contact several AS operators.

> As you can see we do indeed own these blocks:

When Bill Manning said this he was being more than a little sarcastic.

> > Own? ARIN gave you title?

ARIN assigns you those blocks. They don't give you ownership of those, as such.

regards
srs
-- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: On-going Internet Emergency and Domain Names
On 31 Mar 2007 06:09:30 +, Paul Vixie [EMAIL PROTECTED] wrote:
> are we really going to stop malware by blackholing its domain names? if so then i've got some phone calls to make.

That does seem to be the single point of failure for these malwares, and for various other things besides [phish domains hosted on botnets, and registered on ccTLDs where bureaucracy comes in the way of quick takedowns]

srs
-- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: On-going Internet Emergency and Domain Names
On 3/31/07, Adrian Chadd [EMAIL PROTECTED] wrote:
> .. just wait until they start living on in P2P trackerless type setups and not bothering with temporary domains - just use whatever resolves to the end-client. You'll wish it were as easy to track as accessing these websites

p2p based botnets are already there, I'm afraid.
Re: On-going Internet Emergency and Domain Names
On 3/31/07, Adrian Chadd [EMAIL PROTECTED] wrote:
> > p2p based botnets are already there, I'm afraid.
> Shiny. Know any papers which have looked at it?

The recent storm worm for example seems to have had at least some p2p functionality. There's a bunch of papers, ISC SANS posts etc that can be found by a quick google for p2p+botnet

-- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: On-going Internet Emergency and Domain Names
On 4/1/07, Fergie [EMAIL PROTECTED] wrote:
> ICANN, from what I can tell, had this issue (domain tasting) on their agenda as a discussion item in Lisbon last week, but i am unaware of the discussion outcome.

Some of the biggest domain tasters aren't too particular about what they register.. spammer domains or kited domains, it is all grist to their mill

http://www.silicon.com/research/specialreports/thespamreport/0,39025001,39155545,00.htm

srs
Re: AUP enforcement diligence
On 3/17/07, Steve Sobol [EMAIL PROTECTED] wrote:
> On Fri, 16 Mar 2007, David Barak wrote:
> > It does surprise me that no enterprising person/group has turned this into a salable feature: we're the network which shuts down spammers/infected/baddies.
> IMHO being the good cop has never been a mass-marketable feature, whether we're talking spam, botnets, phishing, cracking attempts, whatever...

There are a few in that racket as well ... RSA Cyota for example. With some real big name customers. There's of course services like Markmonitor that go around looking for trademark violations on registered domains ..

-- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: wifi for 600, alex
There are a few fairly easy things to do.

1. Don't do what most hotel networks do and think that simply sticking lots of $50 linksys routers into various rooms randomly does the trick. Use good, commercial grade APs that can handle 150+ simultaneous associations, and don't roll over and die when they get traffic

2. Plan the network, number of APs based on session capacity, signal coverage etc so that you don't have several dozen people associating to the same AP, at the same time, when they could easily find other APs ... I guess a laptop will latch onto the AP that has the strongest signal first.

3. Keep an eye on the conference network stats, netflow etc so that bandwidth hogs get routed elsewhere, isolate infected laptops (happens all the time, to people who routinely login to production routers with 'enable' - telneting to them sometimes ..), block p2p ports anyway (yea, at netops meetings too, you'll be surprised at how many people seem to think free fat pipes are a great way to update their collection of pr0n videos),

3a. Keep in mind that when you're in a hotel and have an open wireless network, with the SSID displayed prominently all over the place on notice boards, you'll get a lot of other guests mooching onto your network as well. Budget for that too.

4. Isolate the wireless network from the main conference network / backbone so that critical stuff (streaming content for workshop and other presentations, the rego system etc) gets bandwidth allocated to it just fine, without it being eaten up by hungry laptops.

5. Oh yes, get a fat enough pipe to start with. A lot of hotel wireless is just a fast VDSL or maybe a T1, with random linksys boxes scattered around the place.

--srs

On 2/15/07, Marshall Eubanks [EMAIL PROTECTED] wrote:
> Carl Karsten wrote:
> > Hi list, I just read over: http://www.nanog.org/mtg-0302/ppt/joel.pdf because I am on the PyCon ( http://us.pycon.org ) team and last year the hotel supplied wifi for the 600 attendees was a disaster. How was the wifi at the recent nanog meeting?
> I thought it was quite good. I also think that the IETF wireless has gotten its act together recently as well; I suspect that Joel Jaeggli has had something to do with this.
> > I have heard of some success stories 2nd hand. one 'trick' was to have separate networks which I think meant unique SSID's. but like I said, 2nd hand info, so about all I can say is supposedly 'something' was done.
Re: comcast spam policies
On 2/8/07, Al Iverson [EMAIL PROTECTED] wrote: Actually, http://www.comcast.net/help/faq/index.jsp?faq=SecurityMail_Policy18627 links you to http://www.comcastsupport.com/rbl aka http://www.comcastsupport.com/sdcxuser/lachat/user/Blockedprovider.asp What Al said, in spades. That blacklist_comcastnet address IS the right address to use and that form feeds to it. --srs
Re: broken DNS proxying at public wireless hotspots
On 2/3/07, Gadi Evron [EMAIL PROTECTED] wrote: On Sat, 3 Feb 2007, Suresh Ramasubramanian wrote: What do nanogers usually do when caught in a situation like this? Important question: if memory serves, and you are in the Paris Charles de Gaulle International Airport, wireless costs money. Yes - at a hilton there. Only - it's a swisscom hotspot. And trying to explain things to tier 1 tech support might not be the most useful thing to do .. I'm going to be already jetlagged and catching up on work before my next flight. I had this problem in a more annoying location. On a Connexion wireless on a flight to NYC. Funny. During its all too brief life, Connexion By Boeing never gave me this sort of problem, I used to use it all the time on lufthansa flights. What I do if there are no alternatives is very simply... kick back and listen to some music (unless you have some cellular 3G connectivity). Yeah, and then go catch up on all the work that's piled up after 18++ hours flying from the US to India. Fun. Thread's gone way OT now - I'll close it here. -- Suresh Ramasubramanian ([EMAIL PROTECTED])
broken DNS proxying at public wireless hotspots
Right now, I'm on a swisscom eurospot wifi connection at Paris airport, and this - yet again - has a DNS proxy setup so that the first few queries for a host will return some nonsense value like 1.2.3.4, or will return the records for com instead. Some 4 or 5 minutes later, the dns server might actually return the right dns record.

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25634
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 11
;; QUESTION SECTION:
;www.kcircle.com.               IN      A
;; AUTHORITY SECTION:
com.                    172573  IN      NS      j.gtld-servers.net.
com.                    172573  IN      NS      k.gtld-servers.net.
[etc]
;; Query time: 1032 msec
;; SERVER: 192.168.48.1#53(192.168.48.1)
;; WHEN: Sat Feb  3 11:33:07 2007
;; MSG SIZE  rcvd: 433

They're not the first provider I've seen doing this, and the obvious workarounds (setting another NS in resolv.conf, or running a local dns caching resolver) don't work either as all dns traffic is proxied. Sure I could route dns queries out through a ssh tunnel but the latency makes this kind of thing unusable at times. I'm then reduced to hardwiring some critical work server IPs into /etc/hosts. What do nanogers usually do when caught in a situation like this? thanks srs -- Suresh Ramasubramanian ([EMAIL PROTECTED])
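An added example, not code from the original post or from any resolver software: a small standard-library Python parser and classifier that labels a reply the way the post describes, telling a real answer apart from the bogus placeholder value or the leaked com. referral in the dig output above. The name www.kcircle.com. and the gtld-servers NS names come from the post; the constructed reply builder and the 1.2.3.4 placeholder set are assumptions for offline testing, and probe() is the only part that touches the network.

```python
import random, socket, struct
PLACEHOLDER_ANSWERS = {"1.2.3.4"}  # bogus value quoted in the post; extend as seen

def encode_name(name):
    """Uncompressed wire-format name: "www.kcircle.com." -> labels + root."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], 0, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)

def parse_response(msg):
    """Header flags plus A answers and NS authority records as (owner, type, value)."""
    qid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    answers, authority = [], []
    for bucket, count in ((answers, an), (authority, ns)):
        for _ in range(count):
            name, off = _read_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rstart, off = off + 10, off + 10 + rdlen
            if rtype == 1 and rdlen == 4:
                value = ".".join(str(b) for b in msg[rstart:off])
            else:
                value = _read_name(msg, rstart)[0] if rtype == 2 else msg[rstart:off].hex()
            bucket.append((name, rtype, value))
    return {"id": qid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0xF, "answers": answers, "authority": authority}

def classify(resp, qname):
    """'answer', 'placeholder', 'referral' (NS for an ancestor zone and no answer,
    the symptom in the post), 'empty', or the RCODE when it is non-zero."""
    if resp["rcode"] != 0:
        return "rcode-%d" % resp["rcode"]
    a_records = [v for _, t, v in resp["answers"] if t == 1]
    if a_records:
        return "placeholder" if set(a_records) & PLACEHOLDER_ANSWERS else "answer"
    for zone, rtype, _ in resp["authority"]:
        if rtype == 2 and (zone == "." or qname.endswith("." + zone)):
            return "referral"
    return "empty"

def build_reply(qid, qname, a_records=(), ns_records=()):
    """Constructed reply for offline testing: qr+ra set, NOERROR, no compression."""
    msg = struct.pack("!HHHHHH", qid, 0x8080, 1, len(a_records), len(ns_records), 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    for ip in a_records:
        msg += encode_name(qname) + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in ip.split("."))
    for zone, ns in ns_records:
        rdata = encode_name(ns)
        msg += encode_name(zone) + struct.pack("!HHIH", 2, 1, 172573, len(rdata)) + rdata
    return msg

def probe(server, qname, timeout=3.0):  # live check: one RD=1 A query, needs network
    qid = random.randrange(65536)
    query = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + b"\x00\x01\x00\x01"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    return "id-mismatch" if resp["id"] != qid else classify(resp, qname)
```

Running probe("192.168.48.1", "www.kcircle.com.") against the hotspot resolver in the post would return "referral" for the reply shown above, and "answer" once the proxy finally hands back the real A record.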
Another article on the fiber cut - a geopolitical slant
Pointing out some of the chokepoints in international undersea fiber routes (the straits of malacca, luzon straits etc) and discussing the geopolitical implications of these. http://www.pinr.com/ has the article, but as it has a "no redistribution without written permission" disclaimer .. go there anyway. Worth a read. -- Suresh Ramasubramanian ([EMAIL PROTECTED])
Undersea fiber cut after Taiwan earthquake - PCCW / Singtel / KT etc connectivity disrupted
http://www.bloomberg.com/apps/news?pid=20601087&sid=aYHaxhLE4rr0&refer=home

Singapore Telecom, PCCW Say Internet Disrupted by Taiwan Quakes
By Andrea Tan

Dec. 27 (Bloomberg) -- Singapore Telecommunications Ltd., Southeast Asia's largest telephone company, and Hong Kong's PCCW Ltd. said Internet service in Asia slowed down after three earthquakes hit southern Taiwan yesterday.

"The Taiwan earthquake has affected several submarine cable systems in Asia, causing cable cuts near Taiwan late last night," Singapore Telecom spokesman Chia Boon Chong said by telephone today. "Some customers might experience a slowdown in data or Internet access. Traffic diversion and restoration works are currently in progress."

Taiwan was jolted by three earthquakes yesterday, killing two people and injuring 42 others, the island's National Fire Agency said. The tremors damaged undersea cables, causing a disruption to Internet traffic and some telephone calls in the region for customers including Singapore Telecom, PCCW, Chunghwa Telecom Co., Taiwan's biggest telephone operator, and KDDI Corp., Japan's second-largest telephone carrier.

PCCW, Hong Kong's largest phone company, said data capacity on its networks was reduced to 50 percent due to the quake. "Data service to Japan, Taiwan, South Korea and the U.S. were affected," said Hans Leung, a spokesman in Hong Kong.

Two of Chunghwa Telecom's cables were damaged by the earthquake, resulting in "near zero" capacity for voice calls to Southeast Asia, apart from Vietnam, said Leng Tai-feng, the company's vice president of international business. "The repairs could take two to three weeks," Leng said. "We're doing our best to coordinate with other operators in the region to resolve the problem."

Southern Taiwan

The first earthquake, which was magnitude 6.7, occurred at 8:26 p.m. local time yesterday off Taiwan's south coast, the island's Central Weather Bureau said on its Web site. The second, magnitude 6.4, happened at 8:34 p.m. and the third, magnitude 5.2, occurred at 8:40 p.m. All three were centered in the same area, the bureau said.

On Dec. 26, 2004, a magnitude 9.1 earthquake off Sumatra unleashed waves that destroyed coastal villages on the Indian Ocean from Indonesia to Sri Lanka, killing more than 220,000 people. Some of the areas have yet to recover.

KDDI said its fiber-optic undersea cable in Taiwan was damaged, affecting fixed-line services to Southeast Asia. The company is re-routing phone calls to go through the U.S. and Europe and may take several weeks to two months to repair cables that are damaged, KDDI's Tokyo-based spokesman Haruhiko Maede said.

KT Corp., South Korea's largest provider of fixed-line phone and Internet access service, said the outages affected overseas connections of the foreign ministry and Reuters, which use leased lines, said Kim Cheol Kee, a spokesman for Seongnam-based KT. KT is in discussions with foreign phone companies to redirect traffic elsewhere, Kim says.

To contact the reporter on this story: Andrea Tan in Singapore at [EMAIL PROTECTED]
Last Updated: December 26, 2006 22:57 EST

-- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Microsoft Corporate Postmaster Contact?
On 12/19/06, Jay Stewart [EMAIL PROTECTED] wrote: This may not be much of a help, but can be a good resource for data when dealing with mail issues regarding MS. https://postmaster.live.com/snds/index.aspx Of course, you need a Valid MSN passport for registration. . . . . sigh. . It probably would NOT help wrt issues with Microsoft corporate email. And not sending mail *TO* msn .. the guy is apparently having issues receiving mail from there and wants a contact to troubleshoot stuff at their end. In short, not your typical deliverability question. -srs
Re: Best Email Time
On 12/5/06, William Allen Simpson [EMAIL PROTECTED] wrote: The study says that nearly 20 percent of email does not get delivered to the inbox as intended, largely because it gets mistaken as spam. That's utter hogwash. My Mail Mailguard statistics this year show that for me personally, only 0.1% of messages are false positives! Systemwide, it's only 0.6%! Depends on - 1. How large your network is (how many millions of mailboxes) 2. How you define spam [that study probably defines anything that's can-spam compliant as non-spam? haven't checked]
Re: Contact for THEPLANET.COM
They've been bought by ev1.net a few months back. And ev1.net has a quite usable rwhois server (and their abuse desk does work, as it happens) srs On 10/20/06, Matthew Black [EMAIL PROTECTED] wrote: Does anyone have a contact for THEPLANET.COM beyond their WHOIS listing? We are receiving 20,000 spam per day from one of their customers and they aren't very responsive. I'd rather get beyond first-line support before blocking a large swath 67.18.0.0/15. matthew black e-mail postmaster california state university, long beach -- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Broadband ISPs taxed for generating light energy
On 10/11/06, Joseph S D Yao [EMAIL PROTECTED] wrote: Why is 10 October their 01 April? Looks like you got october-fooled, Mr. Yao :) 10 October is just a date like any other .. those of us in India who want to play tricks on our friends stick to 4/1 like everybody else -- Suresh Ramasubramanian ([EMAIL PROTECTED])
Broadband ISPs taxed for generating light energy
.. because they provide internet over fiber optic cables, which work by sending pulses of light down the cable to push packets .. http://www.hindu.com/2006/10/10/stories/2006101012450400.htm So they get slapped with tax + penalties of INR 241.8 million.

Broadband providers accused of tax evasion
Special Correspondent

Commercial Tax Department serves notice on Airtel
# Firms accused of evading tax on sale of `light energy'
# Loss to State exchequer estimated at Rs. 1,200 crore

Bangalore: The Commercial Tax Department has served a notice on Airtel, owned by Bharti Televentures Ltd., seeking payment of Rs. 24.18 crore as tax, interest and penalty for the sale of `light energy' to its customers for providing broadband through optical fibre cables (OFC).

The department has been investigating alleged tax evasion by OFC broadband providers, both in the public and private sectors, for selling light energy to customers. While the assessment on Airtel was completed and a notice issued to it for alleged tax evasion during the year 2005-06, no assessment has been concluded on other OFC broadband providers, A.K. Chitaguppi, Deputy Commissioner of Commercial Taxes, said.

Other OFC broadband providers facing tax evasion charges are public sector BSNL and private sector VSNL, Reliance, Tata Teleservices and Sify. The Commercial Tax Department has estimated a loss of Rs. 1,200 crore to the State exchequer in this regard since OFC broadband providers have been operating in the State for several years.

Mr. Chitaguppi said that OFC operates on light energy, which is artificially created by the OFC providers and sold to customers for the purpose of data transmission and information, on the OFC broadband line. Without such energy, data or information cannot be transmitted. Whoever sells light energy is liable to pay VAT as it comes under the category of goods, and hence its sale constitutes taxable turnover attracting VAT at 12.5 per cent, he said.

Bharti Televentures had approached the Karnataka High Court seeking to quash the demand notice, but failed to get a stay when the case was heard by Justice Shantanu Goudar on September 1. The judge rejected Bharti's plea seeking issue of an injunction against any initiatives from the Commercial Tax Department on the recovery of the tax. Bharti Televentures had contended in the High Court that re-assessment orders passed by State tax officials and the issue of demand notice was not valid as the disputed activity fell under the provision of service tax levied by the Union Government and did not attract VAT. The High Court is expected to take up the case for hearing again in the next few days.

`Business venture'

The Commercial Tax Department has argued that the OFC broadband operators are running a business venture after investing thousands of crores to put in place a state-of-the-art set-up to artificially generate light energy and supply it to its customers for their data transmission work. The characteristics of the light energy constitute a moveable property, which has to be categorised as `goods' as per the norms laid down by the Supreme Court. In the process of data transmission, other than light energy, no other elements are involved and the customers are paying for the same. This proves that light energy constitutes goods, which is liable for levy of tax. Therefore, the State has every legal competence and jurisdiction to tax it, the department has contended.

It has taken serious note of the non-payment of taxes by the broadband service providers. Reporting a turnover and then claiming exemption is one thing. But some of the OFC operators don't even report their turnovers, Mr. Chitaguppi alleged.
Re: Broadband ISPs taxed for generating light energy
On 10/10/06, Fergie [EMAIL PROTECTED] wrote: Is it April 1st already? :-) - ferg Sadly, I don't think taxmen ever had a sense of humor
Re: Broadband ISPs taxed for generating light energy
Well there's of course back taxes charged for a period of ~ 3 years or more, plus interest and late payment penalties on those back taxes On 10/10/06, Roy [EMAIL PROTECTED] wrote: A Cisco ZX GBIC produces a max of 4.77 dBm (or less than 4mw). 4mw corresponds to 35 watt hours in one year. However, since the customer must beam back light as part of the exchange then you must track the number of pulses in both directions and determine the difference. Some days the customer gets more energy and some days it doesn't. That should affect the tax. -- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: [Fwd: Important ICANN Notice Regarding Your Domain Name(s)]
On 10/7/06, Matt Ghali [EMAIL PROTECTED] wrote: I must be dumb, but how does a registrar 'block an ip' in a manner that affects anyone but themselves? Godaddy also hosts a sizeable number of vanity domains registered with them. If you register with them you have the option of also buying NS, mail and webhosting -- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: AOL Lameness
On 10/2/06, Matt Baldwin [EMAIL PROTECTED] wrote: Yes, I'm noticing this too. Very lame indeed. Doing a quick Google on it in the Groups it seems that it was a feature that was enabled earlier this year. My guess is they turned it off, then turned it Drew the attention of a friend at AOL to this and got a reply quoted below - this was apparently an issue at AOL's end. Thanks to AOL for quickly acting to fix this. I've been asked by my friend to post this below srs [quote] We found a problem with the way URLs were being identified and have undergone steps to correct it. In the interim, the rule change has been backed out pending further testing. Thanks to all on the list. [unquote]
Re: Have you really got clue?
On 9/22/06, Laurence F. Sheldon, Jr. [EMAIL PROTECTED] wrote: It is pretty simple, really. These are examples of the topics that are on-topic. 1. that posting is off-topic. 2. somebody with clue from ${SmallUnknownOperator} (e.g. AOL) please contact me off list about a connectivity issue.: Now that we're firmly into off-topic territory - http://www.kitenet.net/~joey/blog/entry/thread_patterns.html Here's how to subscribe to mailing lists with a combined total posts of 2000 or more per day, and live. It's all about pattern recognition. [snip] -- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Removal of my name
at least a rather updated version of ucb mail, that also does imap / pop / ssl / smtp + auth etc heirloom mailx aka nail - http://nail.sourceforge.net On 9/20/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: PINE? looking at MUTT, but i'm really partial to UCBMail stripping out all kinds of cruft/spam. Next you'll be telling me that IMAP is the wave of the future and that i should read email on some PDA/CELL thingie... -- Suresh Ramasubramanian ([EMAIL PROTECTED])
Ryan Air mailops contact please?
Some of our users (on a large Irish webmail domain) are complaining that they're not getting email from you. As far as I can tell we're not blocking any email at all from you gentlemen I'd appreciate a mailops contact from Ryan Air hitting me offlist and helping me troubleshoot this from your end. -- Suresh Ramasubramanian ([EMAIL PROTECTED]) ps: I do wish people who forward me this URL on your website would add a not safe for work type disclaimer to it :) http://www.ryanair.com/site/EN/notices.php?notice=060822-ASP-EN
hp.com contact, please?
Can someone from HP please email me offlist? thanks srs -- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: ISP wants to stop outgoing web based spam
On 8/10/06, Sean Donelan [EMAIL PROTECTED] wrote: On Thu, 10 Aug 2006, Suresh Ramasubramanian wrote: The MAAWG bcps, for example, state that ISPs must take responsibility for mitigating outbound spam and abuse. The RIAA, for example, states that ISPs must take responsibility for mitigating copyright infringement by its users. Oh - but maawg (http://www.maawg.org) is a group of ISPs themselves (AOL, comcast, charter, france telecom, Hotmail, us ..) Lots of groups state that ISPs must take responsibility for lots of things. Lots of ISPs together stated that ISPs must take responsibility for a few things. Small, but significant difference there, don't you think? srs
Re: ISP wants to stop outgoing web based spam
On 8/10/06, Simon Waters [EMAIL PROTECTED] wrote: The webmail provider on the other hand can easily and cheaply check if content from one member is suspicious in either content or volume, and suspend the account. So perhaps you are trying to apply the solution in the wrong place. Being a webmail provider - yes, I've got measures in place. This is for ISPs who provide connectivity to mitigate abuse at their end as well. -- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: rDNS naming conventions (was: Re: SORBS Contact)
On 8/10/06, Steven Champeon [EMAIL PROTECTED] wrote: redundancy bigisp-foo-bar-baz.dyn.bigisp.net. Worst among those who actually provide rDNS in SE Asia is probably tm.net.my, who name all of their customer PTRs 'tm.net.my'. Hm. Maybe encoding the IP in the PTR There's at least one vietnamese ISP that has / had till recently set localhost as rDNS for all their IPs. -- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: ISP wants to stop outgoing web based spam
On 8/11/06, Florian Weimer [EMAIL PROTECTED] wrote: How can I, as an ISP, stop abuse that is carried out over HTTPS? There are technological solutions for intercepting HTTPS traffic, but I don't think we want to put them to even wider use. 1. Concentrate on finding abusive patterns 2. Focus on stopping the tons of spam that's pumped out over plain old http as well -- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: ISP wants to stop outgoing web based spam
On 8/9/06, Gregory Kuhn [EMAIL PROTECTED] wrote: I think he's talking about blog spam, which is definitely submitted over HTTP. Similar. Picture this ...
1. A satellite connectivity provider, that provides connectivity to huge swathes of west africa, among other places.
2. West african cities like Lagos, Nigeria, that are full of cybercafes that use this satellite connectivity, and have a huge customer base that has a largish number of 419 scam artists who sit around in cybercafes doing nothing except opening up free hotmail, gmail etc accounts, and posting spam through those accounts, using the cybercafe / satellite ISP's connectivity.
3. The cybercafe / satellite IP shows up in a Received: or X-Originating-IP type header in the spam that results.
4. The satellite provider really needs to do something about this - something proactive, because trying to whack cybercafe based scam artists after the fact is just not going to work.
5. So - a spamassassin plugin to a squid or other transparent proxy, for outbound filtering. Something that can be rolled out at the satellite provider level, or probably at the cybercafe level, and with an attached alert mechanism that logs the spamming IP, and the mac address of the PC that's sending the spam that got caught. Something that ISPs in west africa that operate on wafer thin margins, and resell satellite connectivity, can easily afford. Oh - and something that is not the usual kind of corporation / library type firewall [those would do this, but they'd roll over and die at the least hint of actual production use in this kind of scenario .. as some ISPs who deployed these in W. Africa apparently found out]
I got asked this way back in 2005, and then talked to Justin Mason of the spamassassin project. He was of the opinion that it could be done but he wasn't too aware of anybody who had tried it, plus he didn't exactly have much free time on his hands for that. Anybody who can do it - with open source and reasonably low costs, plus ISP grade scalability - please do let me know. I know some people (including govt / LE) who would be just as interested as Hank is. -srs -- Suresh Ramasubramanian ([EMAIL PROTECTED])
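An added example, not the original post's code and not from the SpamAssassin or Squid projects: in place of the content-scoring proxy plugin the post wishes for, this is the cheapest proactive check a cybercafe or satellite provider could run over its existing squid access.log, a per-client rate check on POSTs to watched webmail hosts, with each alert tied to the client's MAC from an ARP table as the post's alert mechanism describes. The hostnames, IPs, MAC addresses and log lines are all constructed samples.

```python
import re
from collections import defaultdict

# Constructed names standing in for whatever webmail hosts the operator watches.
WEBMAIL_HOSTS = {"webmail.example.test", "mail.example.test"}

# Squid native access.log: time elapsed client action/code bytes method url ...
LOG_RE = re.compile(r"^(?P<ts>\d+)\.\d+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
                    r"(?P<method>\S+)\s+(?P<url>\S+)")

def parse_squid_line(line):
    """Timestamp, client IP, method and URL host from one native-format line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host = m.group("url").split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    return {"ts": int(m.group("ts")), "client": m.group("client"),
            "method": m.group("method"), "host": host}

def find_post_bursts(lines, arp_table, window=60, threshold=5):
    """One alert per client that POSTs to a watched webmail host at least
    `threshold` times inside any `window`-second span. The MAC is looked up in
    arp_table (a dict here; in production read from the gateway's ARP cache)."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_squid_line(line)
        if rec and rec["method"] == "POST" and rec["host"] in WEBMAIL_HOSTS:
            events[rec["client"]].append(rec["ts"])
    alerts = []
    for client, stamps in events.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted times
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"client": client, "mac": arp_table.get(client, "unknown"),
                               "count": end - start + 1, "first": stamps[start], "last": ts})
                break
    return alerts

# Constructed sample data: five webmail POSTs from one cafe PC in 25 seconds, one
# from another PC, plus a GET and a POST to an unwatched host that must not count.
SAMPLE_ARP = {"10.0.0.15": "00:11:22:33:44:55", "10.0.0.22": "00:11:22:33:44:66"}
SAMPLE_LOG = [
    "1155170400.101    312 10.0.0.15 TCP_MISS/200 1450 POST http://webmail.example.test/cgi-bin/send - DIRECT/192.0.2.10 text/html",
    "1155170405.220    298 10.0.0.15 TCP_MISS/200 1402 POST http://webmail.example.test/cgi-bin/send - DIRECT/192.0.2.10 text/html",
    "1155170409.004     55 10.0.0.22 TCP_HIT/200 9021 GET http://webmail.example.test/inbox - NONE/- text/html",
    "1155170411.560    301 10.0.0.15 TCP_MISS/200 1388 POST http://webmail.example.test/cgi-bin/send - DIRECT/192.0.2.10 text/html",
    "1155170418.930    290 10.0.0.15 TCP_MISS/200 1471 POST http://mail.example.test/compose/send - DIRECT/192.0.2.11 text/html",
    "1155170425.015    305 10.0.0.15 TCP_MISS/200 1399 POST http://webmail.example.test/cgi-bin/send - DIRECT/192.0.2.10 text/html",
    "1155170430.777    280 10.0.0.22 TCP_MISS/200 1412 POST http://webmail.example.test/cgi-bin/send - DIRECT/192.0.2.10 text/html",
    "1155170440.123    200 10.0.0.15 TCP_MISS/200  820 POST http://www.example.test/login - DIRECT/192.0.2.20 text/html",
]

if __name__ == "__main__":
    for alert in find_post_bursts(SAMPLE_LOG, SAMPLE_ARP):
        print("ALERT client=%(client)s mac=%(mac)s posts=%(count)d "
              "window=%(first)d..%(last)d" % alert)
```

Feeding the real access.log through find_post_bursts on a cron tick, with the threshold tuned to the cafe's normal traffic, gives the operator the IP-plus-MAC record the post asks for without inspecting message bodies.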
Re: ISP wants to stop outgoing web based spam
On 8/10/06, Sean Donelan [EMAIL PROTECTED] wrote: Shouldn't most of freemail/webmail services be doing their own outbound spam and virus checking now? Yes, Sean - they are. But it is far, far more productive for the source of this abuse to be choked off. Call it the difference between using mosquito repellent and draining a huge pool of stagnant water just outside your home. srs -- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: ISP wants to stop outgoing web based spam
On 8/10/06, Sean Donelan [EMAIL PROTECTED] wrote: Do we really want ISPs to become the enforcers for every Internet application someone may use or abuse? Webmail, online game cheating, blog complaints, auctions disputes, instant message harassment, music sharing, online gambling, etc. Imagining you are going to stop drug dealers by removing public pay phones isn't addressing the real source of the problem. The MAAWG bcps, for example, state that ISPs must take responsibility for mitigating outbound spam and abuse. Whether the problem is bad enough for an ISP to put in automated filtering instead of dealing with abuse reports on a case by case basis, is a call for the ISP to make. For example, egress filtering / bcp38, port 25 blocking, route filters to stop martian packets and leaked routes from propagating .. or network level filtering slammer and other worm traffic for that matter. srs -- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Detecting parked domains
On 8/3/06, Jim Popovitch [EMAIL PROTECTED] wrote: Don't parked domains exist on a registrar owned IP? I would think a list could be built from spending some time contacting each registrar (http://www.icann.org/registrars/accredited-list.html). ;-) Not always. You will find several registrars that run a value added domain hosting + email service - netsol, register.com, tucows etc all do that. That is - lots and lots of small personal domains, in active use, not parked or squatted upon --srs