Re: abuse reporting tools

2014-11-25 Thread Paul Bennett
On Thu, Nov 20, 2014 at 6:44 AM, Paul Bennett paul.w.benn...@gmail.com wrote:
 Inspired by this thread (and other recent similar ones about how hard
 it is to report abuse in the right format to the right people), I've
 decided I'm going to start work on [a] Perl module

Well ... preliminary ground work has started. It's not much, yet, but
it's out there _just_ enough to (hopefully) prove I'm serious about
this.

https://github.com/PWBENNETT/Net-Abuse-Reporter

Patches / collaboration more than welcome, if you think you can glean
what's going on inside my head (related to this project, at least).


--
Paul W Bennett


Re: abuse reporting tools

2014-11-20 Thread Paul Bennett
Inspired by this thread (and other recent similar ones about how hard
it is to report abuse in the right format to the right people), I've
decided I'm going to start work on the Perl module presumed by this
gist ...

https://gist.github.com/PWBENNETT/18970413677c5df79c6a

Reporting network abuse should be *EASY*. Say it with me ... *EASY*.

No promises, at this stage, but I thought some of you would like to
know that this project is at least in the pre-planning stages.


--
Paul W Bennett


Re: abuse reporting tools

2014-11-19 Thread Paul Bennett
On Wed, Nov 19, 2014 at 12:14 PM, John Kristoff j...@cymru.com wrote:
 On Tue, 18 Nov 2014 16:58:24 -0800
 Mike mike-na...@tiedyenetworks.com wrote:

  I provide broadband connectivity to mostly residential users.

 I can point you to some tools and references I'm aware of, but I can't
 talk about how effective they are operationally or whether or not you
 should abide by or use them.

Don't forget IETF RFC 5970 IODEF format as well. It provides a much
more comprehensive and flexible reporting format than either X-ARF or
RFC 5965 (both of which are really geared primarily towards single
badguy / single incident). With that power comes greater complexity,
though. I'll have to look at Net::Abuse::Utils since that's the first
I've ever heard of it and I don't know what it can do. If it can't
make IODEF, I'm a capable Perl programmer, so I can take a look, but
no promises.


--
Paul W Bennett


Re: abuse reporting tools

2014-11-19 Thread Paul Bennett
 Don't forget IETF RFC 5970 IODEF

Sorry, that's 5070, not 5970. Slip of the finger.


--
Paul W Bennett


Re: Reporting DDOS reflection attacks

2014-11-07 Thread Paul Bennett
On Sat, Nov 8, 2014 at 2:00 AM, Roland Dobbins rdobb...@arbor.net wrote:

 On 8 Nov 2014, at 1:56, srn.na...@prgmr.com wrote:

 But right now how should we be doing it?

 http://www.team-cymru.org/Services/ip-to-asn.html

Once you get the ASN or at least the domain name of the ISP providing
service to the reflecting host, several major reputable ISPs
(including my employer, who I can't name because I'm not an official
spokesperson) will welcome RFC 5070 IODEF reports for general
network abuse and RFC 5965 MARF format for email abuse, directed to
abuse@ the main domain for that ISP.

http://www.ietf.org/rfc/rfc5070.txt

http://www.ietf.org/rfc/rfc5965.txt



--
Paul W Bennett


Re: Automatic abuse reports

2013-11-13 Thread Paul Bennett
I can't speak directly for them, as I'm not an official company
spokesperson, but this conversation has got my dander up enough that I
can't keep my big mouth shut.

I know of at least one 500 pound gorilla (with zillions of retail
customers, and their share of 500 pound gorillas as customers (and
everything in between)) that has a working and effective abuse@
address, one that can and does aggregate and pass on abuse complaints,
and that can and does suspend service over failure to fix. On
occasion, I understand even significant customers have been not just
suspended but terminated over failure to follow the ToS/AUP.

The company in question accepts abuse complaints in ARF, MARF, X-ARF
and IODEF format, among others, and (I cannot emphasize this enough)
does act on them.

Anyone who suggests roundfiling abuse@ complaints is (IMNSHO) actively
working to make the problem worse, not better. Anyone who thinks that
all networks do roundfile abuse@ complaints would seem to be making an
over-generalization.

Note, once again, that these are my opinions, and not my employers',
so much so that I can't even tell you directly who my employer is. Not
that it's hard to find out, but I'm so very much not speaking in an
official capacity here.


--
Paul



Re: 172.0.0.0/12 has been Allocated

2012-09-02 Thread Paul Bennett
On Thu, 23 Aug 2012 17:11:42 -0400, Jeroen van Aart jer...@mompl.net wrote:

 The 16777214 IP addresses (give or take) in their 12/8 assignment aren't
 enough? Oh wait, it's probably used internally and renumbering to 10/8
 would be too big a hurdle to take. ;-)

The 12/8 address space is fully allocated out, I believe entirely to
customers. Do the math. 35,000,000 residential customers (plus) on DSL and
FTTx (many with a /29, /27, or larger assigned), plus very many managed
services customers with full /24s and even /16s. It's no wonder they're
hungry for IP space. Their enormous customer base is hungry for it.

--
Paul Bennett


Re: how to report spam to Yahoo!

2012-03-22 Thread Paul Bennett
On Wed, Mar 21, 2012 at 9:27 AM, Chuck Anderson c...@wpi.edu wrote:
 Yahoo!'s abuse contact from whois:

 OrgAbuseEmail:  network-ab...@cc.yahoo-inc.com

Have you tried ab...@att.net ?

They accept ARF and X-ARF reports, or anything with the complete
message headers (or logs) in it will work in a pinch.

Plain-text, no attachments, etc. Don't expect anything more than an
autoreply, but all complaints do get processed.


--
Paul
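As an added example (not code from any of these posts, nor from the Net::Abuse::Reporter project), here is an RFC 5965 ARF report built and then parsed with Python's standard email package, covering the ARF/MARF format this post and the DDoS-reflection reply above both mention. The mailbox names, the 192.0.2.10 source address and the User-Agent string are constructed values.

```python
import email
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.nonmultipart import MIMENonMultipart
from email.mime.text import MIMEText
from email.parser import HeaderParser

# Constructed sample of the offending message as the receiving MTA stored it;
# hosts and the 192.0.2.0/24 source address are documentation values, not real ones.
ORIGINAL = ("Received: from mail.example.net ([192.0.2.10]) by mx.example.org;"
            " Tue, 18 Nov 2014 16:58:24 -0800\n"
            "From: <bulk@example.net>\nTo: <user@example.org>\n"
            "Subject: Earn money fast\nMessage-ID: <abc123@example.net>\n\nUnsolicited body\n")

def build_arf(original_text, source_ip, reported_domain, reporter="abuse-desk@example.org"):
    """Return an RFC 5965 three-part multipart/report (ARF) message as a string."""
    orig = email.message_from_string(original_text)
    report = MIMEMultipart("report", report_type="feedback-report")
    report["From"], report["To"] = reporter, "abuse@" + reported_domain
    report["Subject"] = "FW: " + orig.get("Subject", "")
    # Part 1: human-readable description of the complaint.
    report.attach(MIMEText("This is an email abuse report for a message received "
                           "from IP %s.\n" % source_ip, "plain"))
    # Part 2: machine-readable feedback-report fields in header-like syntax.
    fields = MIMENonMultipart("message", "feedback-report")
    fields.set_payload("Feedback-Type: abuse\nUser-Agent: ExampleReporter/0.1\nVersion: 1\n"
                       "Original-Mail-From: %s\nOriginal-Rcpt-To: %s\n" % (orig["From"], orig["To"])
                       + "Arrival-Date: %s\nSource-IP: %s\nReported-Domain: %s\n"
                       % (orig["Received"].split(";", 1)[1].strip(), source_ip, reported_domain))
    report.attach(fields)
    report.attach(MIMEMessage(orig))  # Part 3: original message, headers and all, for verification
    return report.as_string()

def parse_arf(report_text):
    """Extract the feedback fields and key original headers from an ARF report."""
    msg = email.message_from_string(report_text)
    if msg.get_content_type() != "multipart/report" or msg.get_param("report-type") != "feedback-report":
        raise ValueError("not an ARF feedback report")
    out = {}
    for part in msg.walk():
        if part.get_content_type() == "message/feedback-report":
            payload = part.get_payload()  # stdlib nests message/* parts; else parse as headers
            fields = payload[0] if isinstance(payload, list) else HeaderParser().parsestr(payload)
            out.update(feedback_type=fields["Feedback-Type"], source_ip=fields["Source-IP"],
                       reported_domain=fields["Reported-Domain"], arrival_date=fields["Arrival-Date"])
        elif part.get_content_type() == "message/rfc822":
            orig = part.get_payload(0)
            out.update(original_subject=orig["Subject"], original_message_id=orig["Message-ID"])
    return out
```

The third part carries the full original message; RFC 5965 also permits a text/rfc822-headers part when the body must be withheld.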



Consumer-grade dual-homed connectivity options?

2009-12-30 Thread Paul Bennett
Not sure whether this is an appropriate place to post this, but I thought
I'd give it a shot, since you're all knowledgeable folks with regard to
networking things...


At home, I currently run two DSL lines. Right now, we just have two
separate LANs, one connected to each line, with my wife's devices attached
to one, and my devices attached to the other. For a while now, I've been
thinking about setting up a load-balancing routing solution to give both
of us access to both lines.


I have the opportunity to acquire a refurbed Cisco Catalyst 2960 at a
ridiculously low price. I also have access to a (nominally) spare
quad-core 64-bit PC with 8GB of RAM. I say nominally because I'm
thinking about setting it up as a media center / gaming rig connected to
the TV in the den. That's largely beside the point, but it bears pointing
out that keeping the PC available for my other needs would be a good thing.


So.

Is it going to be a more-effective solution to drop a few bucks on the
2960 and go through the hassle of learning how to set it up (and then
setting it up), or would I be better off putting a secured Linux distro
(e.g. gentoo-hardened, or something) on the semi-spare PC and running the
load-balancing via iproute2 and friends?


Either way, I'm looking at a learning curve, and a good amount of time
fannying around getting the damn thing working -- there's a good chance
I'd spend almost as much cash on the PC-based solution getting
good-quality network cards, and maybe fast HDD tech (though it seems like
RAM and cores would be more important than disk IO).


What are your opinions?



--
Paul



Re: ATT blocking individual IP addresses

2009-12-09 Thread Paul Bennett

On Wed, 09 Dec 2009 10:22:50 -0500, Scott Howard sc...@doc.net.au wrote:

 As of about an hour ago ATT appear to have started blocking access to a
 few of our IP addresses.

 ATT won't talk to me as I'm not a customer...


So, wait, are they your addresses or not?



--
Paul


Re: obvious intent (Re: the Intercage mess)

2008-09-25 Thread Paul Bennett
On 9/25/08, Paul Vixie [EMAIL PROTECTED] wrote:
  so, now begins the search for the line that mustn't be crossed.  if they
  have N spamming customers or M captured machines running CC and they
  disconnect such customers after P warnings or Q days, then will the
  community still rise up in arms and if so will that still be enough
  negativity to cause their (new?) provider to lose connectivity?  if not,
  then what about P-1 or Q+1 or M*2 or N/2?

  discovering the process by which N, M, P, and Q are discovered, will be
  even uglier than everything we've seen on this topic to date.

I work at the abuse department of one of the big ISPs, and I have
to note that finding effective values for those four variables is
sticky business from the abuse preventers' side too.

We get tens of thousands of abuse complaints every single day. Even
filtering out the frequent-flyer abuse miscomplainers (certain ISPs
seem to have no outbound filtering -- to cope with the very large
number of times when their customers seem to confuse Report Spam
with Move to Trash, for instance), there's still a butt-load of data
to be analysed and acted on, and only a finite number of monkeys with
typewriters to churn through it.

At best, it's a trans-global game of whack-a-mole, suspending orgs and
consumers who have never heard the word firewall, or at least have
never learned router ACL config. Add to this the potential legal
and/or press minefield of being accused of wiretapping,
traffic-shaping, and other nefarious deeds, and we have to tread very
gently indeed around certain abuse detection and prevention issues.

In short, it's a big hairy beast, and it's even scarier if you take a
closer-than-normal look.



Paul
(not an official spokesperson, nor a policy-maker, of any ISP or
similar company)