Re: gmail dropping messages

2011-04-26 Thread J.D. Falk
On Apr 25, 2011, at 10:12 AM, Jeff Mitchell wrote:

> If you trust the issued certificates(!) being used to sign the mail, you at 
> least have a good indication that the spam is coming from the domain that it 
> says it's coming from. This can make spam blocking much more effective 
> because instead of simply hoping that a domain-based blocklist will block 
> spam and not ham (due to spoofed sender addresses), you have a pretty good 
> feeling that this will be the case.
> 
> Of course this relies on various other bits and pieces to fall into place, 
> such as properly handling such messages (Gmail's detection and handling rules 
> aren't public AFAIK), CAs not being compromised, etc. Not to mention that the 
> spammers can simply register another domain and buy a new cert -- but then 
> the argument above still holds.

DKIM doesn't use purchased certificates.  It's all self-signed.

As for catching spammers, using d= as an identifier is more effective at 
finding the good stuff than the bad stuff.  So if this list were signed by 
nanog.org, we (or our reputation systems) could all recognize that mail signed 
d=nanog.org rarely resulted in user complaints, and thus it must be mail the 
users want to receive; conversely, mail which spoofs nanog.org but is not 
signed can safely* be stored in the big bit bucket in the cloud.

--
J.D. Falk
the leading purveyor of industry counter-rhetoric solutions

* assuming nanog.org signs ALL mail -- but that's another long discussion
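
The d=-keyed reputation policy described above, as an added example that is not code from the original post. It assumes the inbound MTA has already verified DKIM signatures and recorded the outcome in an Authentication-Results header (RFC 8601) under its own authserv-id; the authserv-id mx.isp.example, the domain names, the complaint counts, the 0.1% threshold and the header-parsing regexes are all constructed for illustration (a production deployment would use a full RFC 8601 parser). The part a practitioner most often gets wrong is which Authentication-Results header to believe: a sender can add one of its own, so only the header carrying our verifier's authserv-id counts, and the border MTA has to strip any incoming header that claims that id before this code sees the message.

```python
"""Keying mail reputation on the DKIM d= identifier.

Added example, not code from the original post. An upstream verifier (the
inbound MTA's DKIM milter, for instance) is assumed to have checked the
signature and recorded the result in an Authentication-Results header
(RFC 8601); this code only parses that header and applies the policy.
Domain names, headers, complaint counts and thresholds are constructed.
"""
import email
import re
from email.utils import parseaddr

# Constructed per-identifier stats: d= domain -> (messages seen, user complaints)
REPUTATION = {
    "nanog.org": (120000, 3),       # list mail: users almost never complain
    "bulk.example": (50000, 2600),  # 5% complaint rate
}
# Domains known to sign ALL their mail, the footnote's precondition for
# treating unsigned mail in their name as spoofed (constructed set).
SIGNS_EVERYTHING = {"nanog.org"}
MAX_COMPLAINT_RATE = 0.001          # identifiers above 0.1% are not "good stuff"

AUTHSERV_RE = re.compile(r"^\s*(\S+?)(?:\s+\d+)?\s*;")
DKIM_PASS_RE = re.compile(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", re.I)


def dkim_pass_domains(msg, authserv_id):
    """Return the d= domains with dkim=pass in Authentication-Results headers
    written by OUR verifier. Headers carrying any other authserv-id are
    ignored: a sender can add those, and RFC 8601 expects the border MTA to
    strip forged ones carrying our own id before this code ever runs."""
    domains = set()
    for hdr in msg.get_all("Authentication-Results", []):
        hdr = " ".join(str(hdr).split())          # unfold continuation lines
        m = AUTHSERV_RE.match(hdr)
        if not m or m.group(1).lower() != authserv_id.lower():
            continue
        domains.update(d.lower() for d in DKIM_PASS_RE.findall(hdr))
    return domains


def classify(raw, authserv_id="mx.isp.example"):
    """Return (verdict, reason). Verdicts: deliver, reject, filter."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signed_by = dkim_pass_domains(msg, authserv_id)

    # A verified d= identifier with a clean complaint history is the
    # strongest signal we have; it wins regardless of the From domain.
    for d in sorted(signed_by):
        seen, complaints = REPUTATION.get(d, (0, 0))
        if seen and complaints / seen <= MAX_COMPLAINT_RATE:
            return "deliver", f"d={d} has a low complaint rate"

    # Spoof check: the From domain signs everything, yet no valid signature.
    if from_domain in SIGNS_EVERYTHING and from_domain not in signed_by:
        return "reject", f"{from_domain} signs all mail but this is unsigned"

    # Unknown or poorly rated identifier: let the content filters decide.
    return "filter", "no trusted identifier with a good track record"


# Constructed messages as they look after our verifier has run.
SAMPLES = {
    "signed_list_mail": (
        "Authentication-Results: mx.isp.example;\n"
        "\tdkim=pass (2048-bit key) header.i=@nanog.org header.d=nanog.org\n"
        "From: NANOG list <nanog@nanog.org>\n"
        "Subject: Re: gmail dropping messages\n\nbody\n"),
    "spoofed_unsigned": (
        "Authentication-Results: mx.isp.example; dkim=none\n"
        "From: NANOG list <nanog@nanog.org>\n\nbody\n"),
    "spoofed_forged_ar": (
        # The sender added an A-R header under someone else's authserv-id.
        "Authentication-Results: mx.attacker.example; dkim=pass header.d=nanog.org\n"
        "Authentication-Results: mx.isp.example; dkim=none\n"
        "From: NANOG list <nanog@nanog.org>\n\nbody\n"),
    "signed_bulk": (
        "Authentication-Results: mx.isp.example; dkim=pass header.d=bulk.example\n"
        "From: promo@bulk.example\n\nbody\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, *classify(raw))
```

Note that the spoofed_forged_ar sample is rejected for the same reason as the plainly unsigned one: the forged header names a different authserv-id and is never consulted.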


Re: IPv6 is on the marketers radar

2011-02-11 Thread J.D. Falk
On Feb 11, 2011, at 12:21 PM, Franck Martin wrote:

> http://www.marketingvox.com/under-the-microscope-what-the-end-of-ipv4-means-for-marketers-048657/
> 
> I can hear people, say oh no 
> 
> Interesting to see that marketers do not like CGNAT. 

Hmm, I recognize a lot of that article.  If imitation is the sincerest form of 
flattery, what's heavy quoting and paraphrasing?

http://www.returnpath.net/blog/received/2011/02/end-of-ipv4/

(I don't mind, really -- the word needs to get out, and marketers always resist 
technology unless there's either guaranteed ROI or guaranteed FUD.)

--
J.D. Falk
the leading purveyor of industry counter-rhetoric solutions




Targeted Phishing Attack

2010-11-29 Thread J.D. Falk
Last week, the security team at Return Path discovered that we were the source 
of a list of addresses used in a targeted phishing attack against a number of 
ESPs.  We're sharing the results of our investigation with the larger 
community, in order to help others avoid similar attacks.

I'm including NANOG in this distribution because, even though this particular 
attack was focused on mail operators, the same tactics could work equally well 
on network operators.

http://www.returnpath.net/blog/received/2010/11/phishing-attack-an-open-letter-to-the-anti-spam-and-mailbox-operator-community/

--
J.D. Falk
Internet Standards & Governance
Return Path




Re: Tools for teaching users online safety

2010-10-26 Thread J.D. Falk
On Oct 25, 2010, at 6:13 PM, Alex Thurlow wrote:

> I'm trying to find out if there are currently any resources available for 
> teaching people how to be safe online.  As in, how to not get a virus, how to 
> pick out phishing emails, how to recognize scams.  I'm sure everyone on this 
> list knows these things, but a lot of end users don't.  I'm trying to find a 
> way to teach these things to people who aren't too technically savvy.
> 
> It seems to me that the fewer end users that have issues, the easier our 
> lives will be.
> 
> So what I'm trying to figure out is, is there a good site or set of sites for 
> this stuff, or is there anyone out there interested in helping to build a 
> unified list of instructions, videos, etc. for all this?

http://staysafeonline.org/ has recently emerged as the primary site for all of 
that kind of information, supported by DHS and a lot of big companies 
(including many who send people to NANOG meetings.)




Re: Contacts re email deliverability problem to tmomail.net?

2010-05-17 Thread J.D. Falk
On May 15, 2010, at 4:38 PM, Graham Freeman wrote:

> There appears to be a misunderstanding.  The messages in question are in fact 
> 1:1 interpersonal communication between my client's customers (the people who 
> use my client's iPhone messaging app) and their correspondents (to whom we're 
> trying to deliver via the email->SMS gateway).  We're not sending ads, 
> newsletters, or other such cruft.

That's probably why the mail is only being deferred (as you indicated on the 
mailop list), rather than rejected outright.

--
J.D. Falk 
Return Path Inc



Re: Call for papers (Deadline Extended): ISP-10, USA, July 2010

2010-03-26 Thread J.D. Falk
On Mar 26, 2010, at 6:38 AM, Rich Kulawiec wrote:

> This is the same fake conference spammer who's been hitting a lot
> of mailing lists and Usenet newsgroups -- best to blacklist the
> sender address and the domain.

Why is this fake conference still posting to NANOG?

--
J.D. Falk 
Return Path Inc







Re: AOL Postmaster

2010-03-23 Thread J.D. Falk
On Mar 22, 2010, at 12:23 PM, Larry Sheldon wrote:

> On 3/22/2010 14:03, Mark Keymer wrote:
>> Hi,
>> 
>> If at all possible can a AOL Postmaster please get a hold of me. I have
>> a client that co-lo's with use and we do the support for them and we
>> need some help on getting mail to be delivering again to AOL.
> 
> Didn't I read that all of the AOL Postmasters had been...what is the
> word this week...made redundant?

Most, but not all.  You can reach those who remain via 
http://postmaster.aol.net/, just as before.

--
J.D. Falk 
Return Path Inc







PL/SQL & CIDR?

2010-03-12 Thread J.D. Falk
Does anyone know of a library, sample code, etc. to help Oracle PL/SQL do CIDR 
math?

--
J.D. Falk 
Return Path Inc







abuse reporting (was Re: Yahoo abuse)

2010-02-14 Thread J.D. Falk
On Feb 11, 2010, at 6:45 PM, James Hess wrote:

> That said,  XML makes a terrible data interchange format  for
> communications where humans  are supposed to understand the message,
> using standard software (such as a legacy e-mail client).

Exactly what we said when developing ARF.

--
J.D. Falk 
Return Path Inc







Re: Yahoo abuse

2010-02-11 Thread J.D. Falk
On Feb 9, 2010, at 10:21 PM, Mikael Abrahamsson wrote:

> On Wed, 10 Feb 2010, Suresh Ramasubramanian wrote:
> 
>> That's IODEF, if and when it picks up enough steam to get widely deployed.
> 
> That looks over-engineered, but at least someone can create a web service 
> where the user can fill in fields and use drop-down menus to create the XML 
> and the cut/paste this into an email and send. Question is how an end user 
> should handle the reply they get, it'll be pretty much unreadable to the 
> untrained eye.

Some types of conversations simply don't take well to automation.

--
J.D. Falk 
Return Path Inc







Re: Yahoo abuse

2010-02-09 Thread J.D. Falk
On Feb 9, 2010, at 7:53 AM, Mikael Abrahamsson wrote:

> On Tue, 9 Feb 2010, John Peach wrote:
> 
>> Damn forms; whatever happened to abuse@ addresses?
> 
> A few years ago I proposed a standard way to report abuse by email (X-headers) 
> but nobody was interested.

There's a (draft, de facto) standard format for automated reports between 
providers:

http://mipassoc.org/arf/
http://tools.ietf.org/wg/marf/

> I suspect forms are because the abuse desks want necessary information in a 
> structured way that doesn't have to be manually processed each time, plus 
> trying to hunt people who can't realise what information is needed to do a 
> proper abuse complaint.

Yep, that's certainly part of it.

--
J.D. Falk 
Return Path Inc







Re: Article on spammers and their infrastructure

2009-12-23 Thread J.D. Falk
On Dec 22, 2009, at 11:58 PM, Christopher Morrow wrote:

> On Wed, Dec 23, 2009 at 1:12 AM, Paul Ferguson  wrote:
>> Folks should not be so obtuse about these activities. It's almost blatantly
>> in-your-face, so to speak. These guys have no fear of retribution.
> 
> no real argument, but... 'please provide some set of workable solutions'
> 
> The ARIN meetings (at least) are open, please come and help guide
> policies. I'm sure RIPE also wouldn't mind a discussion, if there
> could be some positive policy outcome.

Rather than expecting anti-spam researchers to lobby at ARIN & RIPE meetings, 
perhaps ARIN & RIPE representatives could visit anti-spam meetings such as 
MAAWG to ask how they can help?

I'd be happy to make some introductions.

--
J.D. Falk 
Return Path Inc







Re: Repeated Blacklisting / IP reputation

2009-09-08 Thread J.D. Falk

Seth Mattinen wrote:

> I was always under the impression that smaller orgs were not allowed to
> join the MAAWG club.

I've heard that, too, but have no idea where it comes from.  It's not true; 
there's no size requirement or anything like that.

http://www.maawg.org/ has the membership application and other info.

--
J.D. Falk
Co-Chair, Program Committee
Messaging Anti-Abuse Working Group



Re: Ready to get your federal computer license?

2009-08-31 Thread J.D. Falk

Scott Morris wrote:

> So if someone hacks the electric grid, does it not make sense to unplug
> that portion of the infrastructure from the Internet until the problem
> is fixed?  (e.g. shut down traffic to/from)  I think someone wrote an
> article after WAY over-thinking this whole thing and everyone else jumps
> on the bandwagon.

Declan does that a lot.  It's very annoying, but I suppose cnet has never 
claimed to be an impartial news organization...or have they?


--
J.D. Falk



Re: Botnet hunting resources

2009-08-11 Thread J.D. Falk

Jack Bates wrote:

> J.D. Falk wrote:
> 
>> Hi, Luke! MAAWG recently published a document to help ISPs deal with
>> infected machines in their networks. It's not the same kind of
>> pressure, but (as we learned with open relays at MAPS) pressure isn't
>> very effective unless there are tools available to deal with the problem.
> 
> It could also use a lot more resources? Watching traffic flows for
> traffic destined to known C&C addresses is nice, but including a pointer
> to a resource that actually gives those addresses is much more useful.
> For those who don't deal with it every day, the document just says they
> need to spend even more time with google.

I'll share your comments with the document authors.  They're treating it as 
a living document, with updates expected regularly.


--
J.D. Falk
Return Path Inc
http://www.returnpath.net/
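
The flow-watching Jack Bates describes, and the CIDR math asked about in the "PL/SQL & CIDR?" post further up, come down to the same integer arithmetic, so one added example serves both; it is not code from either post. The address math below uses only shifts and masks on a 32-bit integer, which is what you would port to PL/SQL (a NUMBER column for the address, BITAND() for the mask test). The C&C netblocks, the flow lines and their column layout are constructed samples, not a real feed or a real collector format; the point is matching a destination against a list of prefixes, not any particular NetFlow export.

```python
"""CIDR math with integer arithmetic, applied to flow records.

Added example, not code from the original posts. The arithmetic uses only
shifts and masks so it ports to PL/SQL (BITAND on a NUMBER holding the
address). The C&C list and the flow lines are constructed samples.
"""

MAX32 = 0xFFFFFFFF


def ip_to_int(dotted):
    """'192.0.2.10' -> 3221225994. Rejects anything that is not four octets."""
    octets = dotted.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    n = 0
    for o in octets:
        if not o.isdigit() or not 0 <= int(o) <= 255:
            raise ValueError(f"bad octet in {dotted!r}")
        n = (n << 8) | int(o)
    return n


def int_to_ip(n):
    """Inverse of ip_to_int."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_cidr(cidr):
    """'198.51.100.0/24' -> (first, last) as integers.

    mask    = 2^32 - 2^(32 - prefix)
    first   = address AND mask        (host bits cleared, so 198.51.100.7/24
                                       means the same block as 198.51.100.0/24)
    last    = first OR NOT mask
    """
    addr, _, plen = cidr.partition("/")
    plen = int(plen) if plen else 32
    if not 0 <= plen <= 32:
        raise ValueError(f"bad prefix length in {cidr!r}")
    mask = (MAX32 << (32 - plen)) & MAX32
    first = ip_to_int(addr) & mask
    return first, first | (~mask & MAX32)


def contains(cidr, ip):
    """True if dotted-quad `ip` lies inside `cidr`."""
    first, last = parse_cidr(cidr)
    return first <= ip_to_int(ip) <= last


def flag_cnc_flows(flow_lines, cnc_blocks):
    """Return [(src, dst, matching_block), ...] for every flow whose
    destination is inside one of the C&C blocks.

    Flow lines are whitespace-separated: src dst dport proto bytes (constructed
    layout). A list of a few hundred blocks is fine to scan linearly; for a
    large feed, sort the (first, last) ranges and bisect instead.
    """
    ranges = [(parse_cidr(b), b) for b in cnc_blocks]
    hits = []
    for line in flow_lines:
        if not line.strip() or line.startswith("#"):
            continue
        src, dst = line.split()[:2]
        d = ip_to_int(dst)
        for (first, last), block in ranges:
            if first <= d <= last:
                hits.append((src, dst, block))
                break
    return hits


# Constructed samples using documentation ranges, not a real C&C feed or real flows.
CNC_BLOCKS = ["198.51.100.0/24", "203.0.113.37/32", "192.0.2.128/25"]
FLOWS = """\
# src dst dport proto bytes
10.0.0.5 198.51.100.77 6667 tcp 812
10.0.0.5 192.0.2.1 443 tcp 5120
10.0.0.9 203.0.113.37 8080 tcp 240
10.0.0.9 203.0.113.38 8080 tcp 240
10.0.0.12 192.0.2.200 53 udp 96
10.0.0.12 192.0.2.100 53 udp 96
""".splitlines()

if __name__ == "__main__":
    for src, dst, block in flag_cnc_flows(FLOWS, CNC_BLOCKS):
        print(f"{src} -> {dst} matches C&C block {block}")
```

Three of the six constructed flows are flagged (the /32 entry matches only 203.0.113.37, not .38, and 192.0.2.100 falls below the /25 boundary at .128). In PL/SQL the same test is a WHERE clause comparing BITAND(dst_as_number, mask) with the stored network number, which is why the example keeps the mask arithmetic explicit instead of using the ipaddress module.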



Re: Botnet hunting resources

2009-08-10 Thread J.D. Falk

Luke S Crawford wrote:

> 1. are there people who apply pressure to ISPs to get them to shut down
> botnets, like maps did for spam?

Hi, Luke!  MAAWG recently published a document to help ISPs deal with 
infected machines in their networks.  It's not the same kind of pressure, 
but (as we learned with open relays at MAPS) pressure isn't very effective 
unless there are tools available to deal with the problem.

http://www.maawg.org/about/publishedDocuments/MAAWG_Bot_Mitigation_BP_2007-07.pdf

--
J.D. Falk
Return Path Inc
http://www.returnpath.net/



Re: Is your ISP blocking outgoing port 25?

2009-06-18 Thread J.D. Falk

Joe Provo wrote:

> On Thu, Jun 18, 2009 at 03:36:44PM -0400, Zhiyun Qian wrote:
> 
>> It has been long heard that many ISPs block outgoing port 25 for the purpose
>> of reducing spam originated from their network.
> 
> Yes, it is standard practice for non-server accounts and most dynamic-only
> accounts; only allow unauthenticated smtp traffic to your own smtp servers.
> If you are not running server-to-server traffic at the end of that broadband
> pipe, then you should be shifting your userbase to authenticated on the SUBMIT
> port [587] anyway...

The Messaging Anti-Abuse Working Group (MAAWG) published recommendations for 
managing port 25 traffic a few years ago, and even then it had already been 
a widely-accepted best practice for nearly a decade.

http://www.maawg.org/port25

--
J.D. Falk
Return Path Inc
http://www.returnpath.net/



Re: spamhaus drop list

2009-06-17 Thread J.D. Falk

Patrick W. Gilmore wrote:

> I have not used MAPS, so I cannot comment on its utility. but I have
> never heard a single credible claim Mr. Vixie is a spammer, more or less
> a verifiable one. (Yes, that includes the claim below.) From my personal
> experience, Mr. Vixie is very much the opposite of a spammer. Mr. Vixie
> gave the Keynote speech at the NANOG conference yesterday, so I would
> submit the community at large disagrees with Mr. Anderson's assessment.

The former MAPS offerings have been owned by Trend Microsystems since 2005, 
and I'm fairly certain that Mr. Vixie hasn't been involved in that project 
since before Trend took over.  There's more information at 
http://www.mail-abuse.com/.

(Full disclosure: I worked for the Mail Abuse Prevention System from 2000-2001.)

--
J.D. Falk
Return Path Inc
http://www.returnpath.net/



Beware surfers: cyberspace is filling up

2009-04-30 Thread J.D. Falk
'Experts predict that consumer demand, already growing at 60 per cent a 
year, will start to exceed supply from as early as next year because of more 
people working online and the soaring popularity of bandwidth-hungry 
websites such as YouTube and services such as the BBC’s iPlayer.


It will initially lead to computers being disrupted and going offline for 
several minutes at a time. From 2012, however, PCs and laptops are likely to 
operate at a much reduced speed, rendering the internet an “unreliable toy”.'


http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article6169488.ece

(I don't even know where to start.)

--
J.D. Falk
Return Path Inc
http://www.returnpath.net/



Re: Peering Wars of 1998

2009-02-28 Thread J.D. Falk

nan...@yorku.ca wrote:

> I'm researching the Peering Wars of 1998...anyone able to provide info would be
> greatly appreciated.

MAE-East was knee-deep in blood.  I still have nightmares.

--
J.D. Falk
Return Path Inc
http://www.returnpath.net/



Re: Yahoo and their mail filters..

2009-02-26 Thread J.D. Falk

Barry Shein wrote:

> I suggested that probably 99% of the false positives I see could be
> avoided by just waiting until there are two or more complaints from
> the same source before firing it back as spam.

I've developed systems for ISPs to handle inbound complaints from AOL & 
such, and that's exactly what we did: multiple complaints were acted upon, 
single complaints only fed into the aggregate stats.  On the INBOUND side. 
We didn't ask AOL to do that work for us.

Many recipients of complaint feedback actually /want/ to receive every 
complaint, because -- like John Levine -- they treat those complaints as 
unsubscribe requests.

Yours is not the common use case.

--
J.D. Falk
Return Path Inc
http://www.returnpath.net/



Re: Yahoo and their mail filters..

2009-02-26 Thread J.D. Falk

Brian Keefer wrote:

> The other option is to stuff all the spam messages in a folder and
> expose them to the user, taking up a huge amount of storage space for
> something the vast majority of users are never going to look at anyway.

Which is, in fact, what Yahoo! does by default.  Users have the option to 
have that stuff deleted immediately, should they desire.

> Blocking an entire site just because one John Doe user clicked a button
> they don't even understand just does not make sense.

You're right -- but Yahoo! has a sufficiently large userbase that they can 
count multiple complaints before blocking anything.  Same story with AOL, 
and Hotmail, and Cloudmark, and many others who've used this technique for 
years.

In all of those cases, they have safeguards to prevent gaming, to prevent 
bouncing, and pretty much everything else anyone's suggested thus far in 
this thread.

> Last, anywhere that I've seen extensive use of forwards has had a maze
> of difficult to untangle abuse problems related to forwarded spam. Any
> site allowing forwarding should apply very robust filtering of outbound
> mail.

Very true.  MAAWG published a document last year which includes some 
additional recommendations:

http://www.maawg.org/about/publishedDocuments/MAAWG_Email_Forwarding_BP.pdf

--
J.D. Falk
Return Path Inc
http://www.returnpath.net/
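
The inbound complaint handling described in the two "Yahoo and their mail filters.." replies above (act on multiple complaints from one source, feed single complaints only into aggregate stats, and treat complaints as unsubscribe requests where that is the policy) depends on being able to read the reports mechanically, which is what the ARF format linked in the February 2010 "Yahoo abuse" reply provides. The following is an added example, not code from any of the posts: it parses ARF reports (RFC 5965, a multipart/report message with a message/feedback-report part) with the Python standard library and applies a two-complaint threshold per Source-IP. The reports are constructed from documentation addresses and modelled on the RFC's own example; the reporter, abuse desk and recipient names are all assumptions, and real feedback loops add fields this generator omits.

```python
"""Parsing ARF feedback reports and acting only on repeated complaints.

Added example, not code from the original posts. Policy mirrors the
replies: several complaints about the same source trigger action, a single
complaint only feeds the aggregate statistics, and each complaining
recipient is queued as an unsubscribe. Reports below are constructed.
"""
import email
from collections import Counter, defaultdict


def make_arf(source_ip, rcpt, sender, msg_id):
    """Build one constructed ARF report (feedback loop -> abuse desk)."""
    domain = sender.rpartition("@")[2]
    b = f"arf-{msg_id}"
    return (
        f"From: <fbl@mailbox.example>\nTo: <abuse@isp.example>\n"
        f"Subject: FW: Earn money\nMIME-Version: 1.0\n"
        f'Content-Type: multipart/report; report-type=feedback-report; boundary="{b}"\n'
        f"\n--{b}\nContent-Type: text/plain; charset=us-ascii\n\n"
        f"This is an email abuse report for a message from {source_ip}.\n"
        f"\n--{b}\nContent-Type: message/feedback-report\n\n"
        f"Feedback-Type: abuse\nUser-Agent: ExampleFBL/1.0\nVersion: 1\n"
        f"Original-Mail-From: <{sender}>\nOriginal-Rcpt-To: <{rcpt}>\n"
        f"Reporting-MTA: dns; mx.mailbox.example\nSource-IP: {source_ip}\n"
        f"Reported-Domain: {domain}\n"
        f"\n--{b}\nContent-Type: message/rfc822\n\n"
        f"From: <{sender}>\nTo: <{rcpt}>\nSubject: Earn money\n"
        f"Message-ID: <{msg_id}@{domain}>\n\nSpam Spam Spam\n"
        f"\n--{b}--\n"
    )


def parse_arf(raw):
    """Return the machine-readable report fields as a dict (keys lower-cased),
    or None if the message is not an ARF report."""
    msg = email.message_from_string(raw)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "feedback-report"):
        return None
    for part in msg.walk():
        if part.get_content_type() == "message/feedback-report":
            payload = part.get_payload()
            # The stdlib parses message/* bodies as a nested message whose
            # headers are the report fields; fall back to parsing raw text.
            fields = (payload[0] if isinstance(payload, list)
                      else email.message_from_string(payload))
            return {k.lower(): v.strip() for k, v in fields.items()}
    return None


def triage(reports, threshold=2):
    """Count abuse complaints per Source-IP.

    Returns (stats, actionable, unsubscribes): stats records every complaint,
    actionable only sources with at least `threshold` complaints, and
    unsubscribes maps each source to the recipients who complained.
    """
    stats = Counter()
    unsubscribes = defaultdict(set)
    for raw in reports:
        f = parse_arf(raw)
        if not f or f.get("feedback-type") != "abuse":
            continue  # not ARF at all, or a not-spam / fraud / virus report
        src = f.get("source-ip", "unknown")
        stats[src] += 1
        if f.get("original-rcpt-to"):
            unsubscribes[src].add(f["original-rcpt-to"].strip("<>"))
    actionable = {src: n for src, n in stats.items() if n >= threshold}
    return stats, actionable, dict(unsubscribes)


# Constructed inbox: three ARF reports plus one unrelated message.
REPORTS = [
    make_arf("192.0.2.1", "alice@mailbox.example", "promo@bulk.example", "m1"),
    make_arf("192.0.2.1", "bob@mailbox.example", "promo@bulk.example", "m2"),
    make_arf("198.51.100.7", "carol@mailbox.example", "news@list.example", "m3"),
    "From: someone@other.example\nSubject: not a report\n\nhello\n",
]

if __name__ == "__main__":
    stats, actionable, unsubscribes = triage(REPORTS)
    print("all complaints:", dict(stats))
    print("act on:", actionable)
    print("unsubscribe:", unsubscribes)
```

With the constructed inbox, 192.0.2.1 crosses the threshold and 198.51.100.7 only shows up in the aggregate counts, which is the distinction Barry Shein asked Yahoo! to make and the reply says was done on the receiving side instead. The threshold is deliberately a parameter: a list operator who treats every complaint as an unsubscribe sets it to 1 and uses the unsubscribes map, while a large ISP abuse desk raises it.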



Re: Are we really this helpless? (Re: isprime DOS in progress)

2009-01-24 Thread J.D. Falk

Seth Mattinen wrote:

> Jeffrey Lyon wrote:
> 
>> I respectfully disagree. Network engineers have to keep up with many
>> tasks and preventing DoS/DDoS should be the responsibility of
>> everyone. I see more folks worried about spam than they are actual
>> security.
> 
> Back to my original question: is there really not a better solution?

This sounds a lot like the conversations which led to the creation of the 
original Realtime Blackhole List of spam sources.  When was that, 1996?


--
J.D. Falk
Return Path Inc
http://www.returnpath.net/