Re: Spamming of NANOG list members

[Niels Bakker]

* sa...@tislabs.com (Sandra Murphy) [Fri 24 May 2019, 00:28 CEST]:
And it arrived oddly coincident with my visit to the cvent 
registration page.  Any others who had that coincidence?


No, and I've gotten like five by now.


-- Niels.

Re: Spamming of NANOG list members

[Sandra Murphy]

Mine came 21 May.  It was a .doc.  

Sent from charter.net, with the user portion of the sender very similar to a 
nanog contributor.

And it arrived oddly coincident with my visit to the cvent registration page.  
Any others who had that coincidence?

—Sandy


> On May 23, 2019, at 5:39 PM, Richard  wrote:
> 
> On 5/23/19 4:16 PM, Matt Harris wrote:
>> On Thu, May 23, 2019 at 4:13 PM Hansen, Christoffer 
>>  wrote:
>> Appreciate the warning!
>> 
>> On 23/05/2019 19:46, Valerie Wittkop wrote:
>> > These messages are not flowing through NANOG servers, nor using the NANOG 
>> > domain. They are not messages coming from the NANOG organization. Please 
>> > be aware if you receive a message matching this description and always 
>> > make sure to scan attachments for a virus.
>> 
>> The one I received looked like this:
>> 
>> > From: "NANOG" 
>> 
>> ...
>> 
>> Has it been considered switching to "-all", instead of only "~all" in
>> the spf record?
>> 
>> > $ dig +short +nocmd +nocomments TXT nanog.org
>> > "v=spf1 include:_spf.google.com ip4:104.20.199.50 ip4:104.20.198.50  
>> > ip4:50.31.151.75 ip4:50.31.151.76 ip6:2001:1838:2001:8::19 
>> > ip6:2001:1838:2001:8::20 ip6:2400:cb00:2048:1::6814:c632 
>> > ip6:2400:cb00:2048:1::6814:c732 ~all"
>> 
>> -Christoffer
>> 
>> The SPF record wouldn't make a difference since that email was sent from 
>> @cegips.pl, not from @nanog.org.  You'd have to change the SPF record for 
>> the cegips.pl domain to impact their ability to send from that address.  
>> 
> The one I received was from rainphil.com and came with an ugly Trojan 
> attached as a PDF. 
> 
> Has anyone else received this type or am I just fortunate?
> 
> Richard Golodner
> 
> 
> 
> 

Re: Spamming of NANOG list members

[Richard]

On 5/23/19 4:16 PM, Matt Harris wrote:
> On Thu, May 23, 2019 at 4:13 PM Hansen, Christoffer
> mailto:christof...@netravnen.de>> wrote:
>
> Appreciate the warning!
>
> On 23/05/2019 19:46, Valerie Wittkop wrote:
> > These messages are not flowing through NANOG servers, nor using
> the NANOG domain. They are not messages coming from the NANOG
> organization. Please be aware if you receive a message matching
> this description and always make sure to scan attachments for a virus.
>
> The one I received looked like this:
>
> > From: "NANOG" mailto:serv...@cegips.pl>>
>
> ...
>
> Has it been considered switching to "-all", instead of only "~all" in
> the spf record?
>
> > $ dig +short +nocmd +nocomments TXT nanog.org 
> > "v=spf1 include:_spf.google.com 
> ip4:104.20.199.50 ip4:104.20.198.50  ip4:50.31.151.75
> ip4:50.31.151.76 ip6:2001:1838:2001:8::19 ip6:2001:1838:2001:8::20
> ip6:2400:cb00:2048:1::6814:c632 ip6:2400:cb00:2048:1::6814:c732 ~all"
>
>         -Christoffer
>
>
> The SPF record wouldn't make a difference since that email was sent
> from @cegips.pl , not from @nanog.org
> .  You'd have to change the SPF record for the
> cegips.pl  domain to impact their ability to send
> from that address.  
>
The one I received was from _rainphil.com_ and came with an ugly Trojan
attached as a PDF.

Has anyone else received this type or am I just fortunate?

Richard Golodner

Re: Google weird routing?

[Patrick Schultz]

Seems to be more end-user oriented rather than targeted at netadmins.
There's no real contact to the GeoIP team besides the peering portal and that 
form, except maybe the NOC. (at least none I found yet)

Am 23.05.2019 um 23:23 schrieb Ross Tajvar:
> Yeah, that's honestly a pretty crappy form. No room for an explanation, no 
> individual contact, and an ETR of a month. I'm surprised there's not a better 
> way to address issues like this 
> 
> On Thu, May 23, 2019, 5:13 PM Matt Harris  > wrote:
> 
> On Thu, May 23, 2019 at 4:01 PM Patrick Schultz  
> wrote:
> 
> https://support.google.com/websearch/contact/ip/
> 
> 
> Thanks!  
> 
> Giving that a shot.  It's still loading www.google.com 
>  though if I try to hit it in a browser (not 
> redirecting to a different language/CCTLD specific site though) so I had to 
> put that in along with that I'm in the US, not sure
> that whoever sees that form will understand my issue and there's no 
> freeform comments section to mention "but it's loading from India!" 
> 

Re: Google weird routing?

[Ross Tajvar]

Yeah, that's honestly a pretty crappy form. No room for an explanation, no
individual contact, and an ETR of a month. I'm surprised there's not a
better way to address issues like this

On Thu, May 23, 2019, 5:13 PM Matt Harris  wrote:

> On Thu, May 23, 2019 at 4:01 PM Patrick Schultz 
> wrote:
>
>> https://support.google.com/websearch/contact/ip/
>>
>>
> Thanks!
>
> Giving that a shot.  It's still loading www.google.com though if I try to
> hit it in a browser (not redirecting to a different language/CCTLD specific
> site though) so I had to put that in along with that I'm in the US, not
> sure that whoever sees that form will understand my issue and there's no
> freeform comments section to mention "but it's loading from India!"
>
>

Re: Spamming of NANOG list members

[Matt Harris]

On Thu, May 23, 2019 at 4:13 PM Hansen, Christoffer <
christof...@netravnen.de> wrote:

> Appreciate the warning!
>
> On 23/05/2019 19:46, Valerie Wittkop wrote:
> > These messages are not flowing through NANOG servers, nor using the
> NANOG domain. They are not messages coming from the NANOG organization.
> Please be aware if you receive a message matching this description and
> always make sure to scan attachments for a virus.
>
> The one I received looked like this:
>
> > From: "NANOG" 
>
> ...
>
> Has it been considered switching to "-all", instead of only "~all" in
> the spf record?
>
> > $ dig +short +nocmd +nocomments TXT nanog.org
> > "v=spf1 include:_spf.google.com ip4:104.20.199.50 ip4:104.20.198.50
> ip4:50.31.151.75 ip4:50.31.151.76 ip6:2001:1838:2001:8::19
> ip6:2001:1838:2001:8::20 ip6:2400:cb00:2048:1::6814:c632
> ip6:2400:cb00:2048:1::6814:c732 ~all"
>
> -Christoffer
>

The SPF record wouldn't make a difference since that email was sent from @
cegips.pl, not from @nanog.org.  You'd have to change the SPF record for
the cegips.pl domain to impact their ability to send from that address.

Re: Spamming of NANOG list members

[Hansen, Christoffer]

Appreciate the warning!

On 23/05/2019 19:46, Valerie Wittkop wrote:
> These messages are not flowing through NANOG servers, nor using the NANOG 
> domain. They are not messages coming from the NANOG organization. Please be 
> aware if you receive a message matching this description and always make sure 
> to scan attachments for a virus.

The one I received looked like this:

> From: "NANOG" 

...

Has it been considered switching to "-all", instead of only "~all" in
the spf record?

> $ dig +short +nocmd +nocomments TXT nanog.org
> "v=spf1 include:_spf.google.com ip4:104.20.199.50 ip4:104.20.198.50  
> ip4:50.31.151.75 ip4:50.31.151.76 ip6:2001:1838:2001:8::19 
> ip6:2001:1838:2001:8::20 ip6:2400:cb00:2048:1::6814:c632 
> ip6:2400:cb00:2048:1::6814:c732 ~all"

-Christoffer
Return-Path: 
Delivered-To: u...@example.com
Received: from mx.cegips.pl (unknown [213.192.76.50])
by mx1.pub.mailpod7-cph3.one.com (Halon) with ESMTPS
id 9cdfc18c-7d3d-11e9-825c-506b4b1aa3a0;
Thu, 23 May 2019 09:31:59 + (UTC)
Received: from localhost (localhost [127.0.0.1])
by mx.cegips.pl (Postfix) with ESMTP id 306D4121593
for ; Thu, 23 May 2019 11:31:58 +0200 (CEST)
X-Spam-Flag: NO
X-Spam-Score: -2.403
X-Spam-Level:
X-Spam-Status: No, score=-2.403 tagged_above=- required=5
tests=[ALL_TRUSTED=-1, BAYES_00=-1.9, MISSING_MID=0.497]
autolearn=no autolearn_force=no
Received: from mx.cegips.pl ([127.0.0.1])
by localhost (mx.cegips.pl [127.0.0.1]) (amavisd-new, port 10024)
with LMTP id X7bW28gISBQ9 for ;
Thu, 23 May 2019 11:31:56 +0200 (CEST)
Received: from [190.12.55.174] (corp-190-12-55-174.gye.puntonet.ec 
[190.12.55.174])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mx.cegips.pl (Postfix) with ESMTPSA id 05D4D121350
for ; Thu, 23 May 2019 11:31:52 +0200 (CEST)
Date: Thu, 23 May 2019 04:13:07 -0500
From: "NANOG" 
To: 
Subject: gescanntes Dokument LZVO-451-EY4074
MIME-Version: 1.0
Content-Type: multipart/mixed; 
boundary="=_Part_65483_1484872530.28790224771686175392"

signature.asc
Description: OpenPGP digital signature

Re: Google weird routing?

[Matt Harris]

On Thu, May 23, 2019 at 4:01 PM Patrick Schultz 
wrote:

> https://support.google.com/websearch/contact/ip/
>
>
Thanks!

Giving that a shot.  It's still loading www.google.com though if I try to
hit it in a browser (not redirecting to a different language/CCTLD specific
site though) so I had to put that in along with that I'm in the US, not
sure that whoever sees that form will understand my issue and there's no
freeform comments section to mention "but it's loading from India!"

Re: Google weird routing?

[Patrick Schultz]

https://support.google.com/websearch/contact/ip/

Am 23.05.2019 um 22:55 schrieb Matt Harris:
> On Thu, May 23, 2019 at 3:24 PM Filip Hruska  > wrote:
>
> Google maintains their own GeoIP database. If you peer with them and have 
> access to the peering portal, you can correct the location yourself.
> Otherwise they have a public form somewhere.
>
> --- Filip
>
>
> Googling around a bit does not yield results for that form... any chance 
> anyone here has a link to that?  Would be much appreciated!  
>
> Thanks,
> Matt
>  

Re: Google weird routing?

[Matt Harris]

On Thu, May 23, 2019 at 3:44 PM Christopher Morrow 
wrote:

> On Thu, May 23, 2019 at 4:11 PM Matt Harris  wrote:
> > On Thu, May 23, 2019 at 3:06 PM Christopher Morrow <
> morrowc.li...@gmail.com> wrote:
> >>
> >> not sure where you are starting from (really) .. can you provide a:
> >>   dig www.google.com
> >>
> >> for me? My guess is that as Jared noted you got somehow looking like
> >> you are in india to whatever does that magic :)
> >
> >
> > Google's coming back with bom* addresses; no idea why though.
> >
> > ;; ANSWER SECTION:
> > www.google.com. 300 IN  A   172.217.26.228
> >
>
> that's an ip in india alright :)
> I don't see why that's happening (in quick searching).
>
> >
> > Hoping someone over there can shed some light on why they are sending my
> packets on a world trip.  :)
>
> I'd be cuirous about:
>   dig www.google.com @8.8.8.8
>
> as well, please (jared's question as well)
>

Interestingly...


user@host # dig www.google.com @8.8.8.8

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> www.google.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2110
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.google.com.IN  A

;; ANSWER SECTION:
www.google.com. 299 IN  A   216.58.203.164

;; Query time: 16 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu May 23 16:55:04 EDT 2019
;; MSG SIZE  rcvd: 59

user@host   # host 216.58.203.164
164.203.58.216.in-addr.arpa domain name pointer bom07s11-in-f4.1e100.net.

Still comes back with a bom* host, so it looks like it's not based on the
DNS recursion server used.

Re: Google weird routing?

[Matt Harris]

On Thu, May 23, 2019 at 3:24 PM Filip Hruska  wrote:

> Google maintains their own GeoIP database. If you peer with them and have
> access to the peering portal, you can correct the location yourself.
> Otherwise they have a public form somewhere.
>
> --- Filip
>

Googling around a bit does not yield results for that form... any chance
anyone here has a link to that?  Would be much appreciated!

Thanks,
Matt

Re: Google weird routing?

[Christopher Morrow]

On Thu, May 23, 2019 at 4:11 PM Matt Harris  wrote:
> On Thu, May 23, 2019 at 3:06 PM Christopher Morrow  
> wrote:
>>
>> not sure where you are starting from (really) .. can you provide a:
>>   dig www.google.com
>>
>> for me? My guess is that as Jared noted you got somehow looking like
>> you are in india to whatever does that magic :)
>
>
> Google's coming back with bom* addresses; no idea why though.
>
> ;; ANSWER SECTION:
> www.google.com. 300 IN  A   172.217.26.228
>

that's an ip in india alright :)
I don't see why that's happening (in quick searching).

>
> Hoping someone over there can shed some light on why they are sending my 
> packets on a world trip.  :)

I'd be cuirous about:
  dig www.google.com @8.8.8.8

as well, please (jared's question as well)

Re: Google weird routing?

[Jared Mauch]

> On May 23, 2019, at 4:11 PM, Matt Harris  wrote:
> 
> On Thu, May 23, 2019 at 2:55 PM Jared Mauch  wrote:
> I would say that it says BOM at the start of the name, perhaps they are 
> sending you to India?
> 
> Are you using a DNS service that uses ECS facing the various CDN/Cloud 
> providers or a different one?
> 
> This is my thinking, too, however my recursive DNS servers are all on the 
> same network as the systems trying to reach google, all of which are on IP 
> space that I own and announced exclusively by AS 394102 here in the US.  I've 
> also taken care to maintain as many geoip service entries as could be 
> found/maintained, including maxmind's.  Where they would get the idea that my 
> packets should go to India is beyond me.   
> 
> On Thu, May 23, 2019 at 3:06 PM Christopher Morrow  
> wrote:
> not sure where you are starting from (really) .. can you provide a:
>   dig www.google.com
> 
> for me? My guess is that as Jared noted you got somehow looking like
> you are in india to whatever does that magic :)
> 
> Google's coming back with bom* addresses; no idea why though.  
> 
> ;; ANSWER SECTION:
> www.google.com. 300 IN  A   172.217.26.228
> 
> 
> Hoping someone over there can shed some light on why they are sending my 
> packets on a world trip.  :)

If you send the query to 8.8.8.8 do you get a more favorable response (just 
curious).

You can also run this query:

dig TXT whoami.ds.akahelp.net.

Which may assist.

- jared

Re: Google weird routing?

[Filip Hruska]

Google maintains their own GeoIP database. If you peer with them and have 
access to the peering portal, you can correct the location yourself.
Otherwise they have a public form somewhere.

--- Filip

On 23 May 2019 10:11:30 pm GMT+02:00, Matt Harris  wrote:
>On Thu, May 23, 2019 at 2:55 PM Jared Mauch 
>wrote:
>
>> I would say that it says BOM at the start of the name, perhaps they
>are
>> sending you to India?
>>
>> Are you using a DNS service that uses ECS facing the various
>CDN/Cloud
>> providers or a different one?
>>
>
>This is my thinking, too, however my recursive DNS servers are all on
>the
>same network as the systems trying to reach google, all of which are on
>IP
>space that I own and announced exclusively by AS 394102 here in the US.
>I've also taken care to maintain as many geoip service entries as could
>be
>found/maintained, including maxmind's.  Where they would get the idea
>that
>my packets should go to India is beyond me.
>
>On Thu, May 23, 2019 at 3:06 PM Christopher Morrow
>
>wrote:
>
>> not sure where you are starting from (really) .. can you provide a:
>>   dig www.google.com
>>
>> for me? My guess is that as Jared noted you got somehow looking like
>> you are in india to whatever does that magic :)
>>
>
>Google's coming back with bom* addresses; no idea why though.
>
>;; ANSWER SECTION:
>www.google.com. 300 IN  A   172.217.26.228
>
>
>Hoping someone over there can shed some light on why they are sending
>my
>packets on a world trip.  :)
>
>Thanks,
>Matt

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Google weird routing?

[Matt Harris]

On Thu, May 23, 2019 at 2:55 PM Jared Mauch  wrote:

> I would say that it says BOM at the start of the name, perhaps they are
> sending you to India?
>
> Are you using a DNS service that uses ECS facing the various CDN/Cloud
> providers or a different one?
>

This is my thinking, too, however my recursive DNS servers are all on the
same network as the systems trying to reach google, all of which are on IP
space that I own and announced exclusively by AS 394102 here in the US.
I've also taken care to maintain as many geoip service entries as could be
found/maintained, including maxmind's.  Where they would get the idea that
my packets should go to India is beyond me.

On Thu, May 23, 2019 at 3:06 PM Christopher Morrow 
wrote:

> not sure where you are starting from (really) .. can you provide a:
>   dig www.google.com
>
> for me? My guess is that as Jared noted you got somehow looking like
> you are in india to whatever does that magic :)
>

Google's coming back with bom* addresses; no idea why though.

;; ANSWER SECTION:
www.google.com. 300 IN  A   172.217.26.228


Hoping someone over there can shed some light on why they are sending my
packets on a world trip.  :)

Thanks,
Matt

Re: Google weird routing?

[Christopher Morrow]

not sure where you are starting from (really) .. can you provide a:
  dig www.google.com

for me? My guess is that as Jared noted you got somehow looking like
you are in india to whatever does that magic :)

On Thu, May 23, 2019 at 3:48 PM Matt Harris  wrote:
>
> Hey folks,
> Looking at an mtr going out via a couple of different transit circuits, 
> Google seems to be doing weird things.
>
> RTT pinging google.com is coming up with like 250-300ms times, but mtr's are 
> telling me my packets are hitting google's network very quickly.  Google's 
> network then seems to send them on a rather long trip before reaching the 
> google.com frontend servers.
>
> An example:
>
>  6  213.200.123.170 (213.200.123.170)  3.450 ms 
> ae-1-3502.ear4.Newark1.Level3.net (4.69.211.177)  1.469 ms  1.634 ms
>  7  72.14.213.34 (72.14.213.34)  1.336 ms  1.372 ms  1.381 ms
>  8  108.170.248.52 (108.170.248.52)  2.474 ms *  2.150 ms
>  9  216.239.62.170 (216.239.62.170)  1.401 ms 216.239.62.150 (216.239.62.150) 
>  1.400 ms 216.239.62.168 (216.239.62.168)  2.985 ms
> 10  216.239.57.136 (216.239.57.136)  20.043 ms 216.239.59.0 (216.239.59.0)  
> 20.235 ms 216.239.57.196 (216.239.57.196)  20.382 ms
> 11  209.85.254.241 (209.85.254.241)  2.155 ms 108.170.235.61 (108.170.235.61) 
>  74.295 ms 209.85.241.43 (209.85.241.43)  78.593 ms
> 12  72.14.239.155 (72.14.239.155)  96.254 ms 216.239.57.196 (216.239.57.196)  
> 19.672 ms 72.14.239.155 (72.14.239.155)  96.328 ms
> 13  108.170.235.217 (108.170.235.217)  153.391 ms 108.170.236.119 
> (108.170.236.119)  153.445 ms 108.170.235.221 (108.170.235.221)  152.858 ms
> 14  172.253.51.111 (172.253.51.111)  220.084 ms 66.249.94.141 (66.249.94.141) 
>  218.039 ms 72.14.239.197 (72.14.239.197)  75.008 ms
> 15  209.85.241.86 (209.85.241.86)  276.281 ms 72.14.235.160 (72.14.235.160)  
> 276.104 ms  277.497 ms
> 16  108.170.235.105 (108.170.235.105)  217.030 ms 209.85.248.4 (209.85.248.4) 
>  217.338 ms 66.249.94.141 (66.249.94.141)  217.573 ms
> 17  72.14.236.75 (72.14.236.75)  276.349 ms  276.097 ms 72.14.239.235 
> (72.14.239.235)  277.180 ms
> 18  bom07s01-in-f14.1e100.net (216.58.199.142)  276.139 ms  276.980 ms 
> 64.233.174.27 (64.233.174.27)  279.212 ms
>
> As you can see from this traceroute output, Level3 is delivering my packets 
> to Google (hop#7 and beyond) just fine, however all of the hops including #7 
> and beyond are all inside of google's network.
>
> My packets are originating from AS 394102.
>
> Anyone from google have any idea what's going on there?
>
> Thanks,
> Matt
>

Re: Google weird routing?

[Jared Mauch]

I would say that it says BOM at the start of the name, perhaps they are sending 
you to India?

Are you using a DNS service that uses ECS facing the various CDN/Cloud 
providers or a different one?

- Jared

> On May 23, 2019, at 3:47 PM, Matt Harris  wrote:
> 
> Hey folks,
> Looking at an mtr going out via a couple of different transit circuits, 
> Google seems to be doing weird things.  
> 
> RTT pinging google.com is coming up with like 250-300ms times, but mtr's are 
> telling me my packets are hitting google's network very quickly.  Google's 
> network then seems to send them on a rather long trip before reaching the 
> google.com frontend servers.  
> 
> An example:
> 
>  6  213.200.123.170 (213.200.123.170)  3.450 ms 
> ae-1-3502.ear4.Newark1.Level3.net (4.69.211.177)  1.469 ms  1.634 ms
>  7  72.14.213.34 (72.14.213.34)  1.336 ms  1.372 ms  1.381 ms
>  8  108.170.248.52 (108.170.248.52)  2.474 ms *  2.150 ms
>  9  216.239.62.170 (216.239.62.170)  1.401 ms 216.239.62.150 (216.239.62.150) 
>  1.400 ms 216.239.62.168 (216.239.62.168)  2.985 ms
> 10  216.239.57.136 (216.239.57.136)  20.043 ms 216.239.59.0 (216.239.59.0)  
> 20.235 ms 216.239.57.196 (216.239.57.196)  20.382 ms
> 11  209.85.254.241 (209.85.254.241)  2.155 ms 108.170.235.61 (108.170.235.61) 
>  74.295 ms 209.85.241.43 (209.85.241.43)  78.593 ms
> 12  72.14.239.155 (72.14.239.155)  96.254 ms 216.239.57.196 (216.239.57.196)  
> 19.672 ms 72.14.239.155 (72.14.239.155)  96.328 ms
> 13  108.170.235.217 (108.170.235.217)  153.391 ms 108.170.236.119 
> (108.170.236.119)  153.445 ms 108.170.235.221 (108.170.235.221)  152.858 ms
> 14  172.253.51.111 (172.253.51.111)  220.084 ms 66.249.94.141 (66.249.94.141) 
>  218.039 ms 72.14.239.197 (72.14.239.197)  75.008 ms
> 15  209.85.241.86 (209.85.241.86)  276.281 ms 72.14.235.160 (72.14.235.160)  
> 276.104 ms  277.497 ms
> 16  108.170.235.105 (108.170.235.105)  217.030 ms 209.85.248.4 (209.85.248.4) 
>  217.338 ms 66.249.94.141 (66.249.94.141)  217.573 ms
> 17  72.14.236.75 (72.14.236.75)  276.349 ms  276.097 ms 72.14.239.235 
> (72.14.239.235)  277.180 ms
> 18  bom07s01-in-f14.1e100.net (216.58.199.142)  276.139 ms  276.980 ms 
> 64.233.174.27 (64.233.174.27)  279.212 ms
> 
> As you can see from this traceroute output, Level3 is delivering my packets 
> to Google (hop#7 and beyond) just fine, however all of the hops including #7 
> and beyond are all inside of google's network.  
> 
> My packets are originating from AS 394102.  
> 
> Anyone from google have any idea what's going on there?  
> 
> Thanks,
> Matt
> 

Google weird routing?

[Matt Harris]

Hey folks,
Looking at an mtr going out via a couple of different transit circuits,
Google seems to be doing weird things.

RTT pinging google.com is coming up with like 250-300ms times, but mtr's
are telling me my packets are hitting google's network very quickly.
Google's network then seems to send them on a rather long trip before
reaching the google.com frontend servers.

An example:

 6  213.200.123.170 (213.200.123.170)  3.450 ms
ae-1-3502.ear4.Newark1.Level3.net (4.69.211.177)  1.469 ms  1.634 ms
 7  72.14.213.34 (72.14.213.34)  1.336 ms  1.372 ms  1.381 ms
 8  108.170.248.52 (108.170.248.52)  2.474 ms *  2.150 ms
 9  216.239.62.170 (216.239.62.170)  1.401 ms 216.239.62.150
(216.239.62.150)  1.400 ms 216.239.62.168 (216.239.62.168)  2.985 ms
10  216.239.57.136 (216.239.57.136)  20.043 ms 216.239.59.0 (216.239.59.0)
 20.235 ms 216.239.57.196 (216.239.57.196)  20.382 ms
11  209.85.254.241 (209.85.254.241)  2.155 ms 108.170.235.61
(108.170.235.61)  74.295 ms 209.85.241.43 (209.85.241.43)  78.593 ms
12  72.14.239.155 (72.14.239.155)  96.254 ms 216.239.57.196
(216.239.57.196)  19.672 ms 72.14.239.155 (72.14.239.155)  96.328 ms
13  108.170.235.217 (108.170.235.217)  153.391 ms 108.170.236.119
(108.170.236.119)  153.445 ms 108.170.235.221 (108.170.235.221)  152.858 ms
14  172.253.51.111 (172.253.51.111)  220.084 ms 66.249.94.141
(66.249.94.141)  218.039 ms 72.14.239.197 (72.14.239.197)  75.008 ms
15  209.85.241.86 (209.85.241.86)  276.281 ms 72.14.235.160 (72.14.235.160)
 276.104 ms  277.497 ms
16  108.170.235.105 (108.170.235.105)  217.030 ms 209.85.248.4
(209.85.248.4)  217.338 ms 66.249.94.141 (66.249.94.141)  217.573 ms
17  72.14.236.75 (72.14.236.75)  276.349 ms  276.097 ms 72.14.239.235
(72.14.239.235)  277.180 ms
18  bom07s01-in-f14.1e100.net (216.58.199.142)  276.139 ms  276.980 ms
64.233.174.27 (64.233.174.27)  279.212 ms

As you can see from this traceroute output, Level3 is delivering my packets
to Google (hop#7 and beyond) just fine, however all of the hops including
#7 and beyond are all inside of google's network.

My packets are originating from AS 394102.

Anyone from google have any idea what's going on there?

Thanks,
Matt

Grande Communications Contact

[Conrad Rockenhaus]

Hello,

Does anyone have a Grande Communications Contact?

Thanks,

Conrad

smime.p7s
Description: S/MIME cryptographic signature

Spamming of NANOG list members

[Valerie Wittkop]

Hello NANOG Community,

It has come to our attention there are spamming messages being sent to members 
of the NANOG mail list spoofed to look as though they are coming from the NANOG 
organization.  The messages being sent refer to NANOG Remittance, with an 
attachment containing a virus.

These messages are not flowing through NANOG servers, nor using the NANOG 
domain. They are not messages coming from the NANOG organization. Please be 
aware if you receive a message matching this description and always make sure 
to scan attachments for a virus.

Cheers,

Valerie

Valerie Wittkop - NANOG Program Director
305 E. Eisenhower Pkwy, Suite 100, Ann Arbor, MI 48108
Tel: +1 866 902 1336, ext 103