.US Harbors Prolific Malicious Link Shortening Service
https://krebsonsecurity.com/2023/10/us-harbors-prolific-malicious-link-shortening-service/ "The NTIA recently published a proposal that would allow registrars to redact all registrant data from WHOIS registration records for .US domains. A broad array of industry groups have filed comments opposing the proposed changes, saying they threaten to remove the last vestiges of accountability for a top-level domain that is already overrun with cybercrime activity." What hope is there when registrars are actively aiding and abetting criminal enterprises? Are there any legitimate services running solely on .us domain names? -Dan
Amir Golestan sentenced to 5 years in prison for IP theft scheme
https://krebsonsecurity.com/2023/10/tech-ceo-sentenced-to-5-years-in-ip-address-scheme/ And a statement from ARIN: https://www.arin.net/blog/2023/10/16/micfo-golestan-sentencing/
Re: NTP Sync Issue Across Tata (Europe)
On Mon, 14 Aug 2023, Masataka Ohta wrote: Mike Hammett wrote: " As such, the ultimate (a little expensive) solution is to have your own Rb clocks locally." Yeah, that's a reasonable course of action for most networks. For most data centers with time sensitive transactions, at least. *sigh* https://en.wikipedia.org/wiki/Atomic_clock Modern rubidium standard tubes last more than ten years, and can cost as little as US$50. https://www.ebay.com/sch/i.html?_nkw=rubidium From this discussion it seems there is very little overlap between nanog membership and time-nuts. Cheap Rb GPSDO are well known there. Even a bottom barrel OCXO GPSDO would provide significant protection against a determined GPS attacker. -Dan
Re: Sigh, friends don't let politicians write tech laws
So instead of applying a label, just drop the email outright. -Dan On Fri, 29 Jul 2022, Michael Thomas wrote: https://www.congress.gov/bill/117th-congress/senate-bill/4409/text?r=9=1 the body of the proposed law: "(a) Conduct prohibited.— (1) IN GENERAL.—It shall be unlawful for an operator of an email service to use a filtering algorithm to apply a label to an email sent to an email account from a political campaign unless the owner or user of the account took action to apply such a label." where to even start with how bad this would be. thanks for the heads up from Anne Mitchell Mike
Re: FCC proposes fines against 73 applicants of Rural Digital Opportunity Fund
On Fri, 22 Jul 2022, William Herrin wrote: On Fri, Jul 22, 2022 at 1:12 PM Sean Donelan wrote: The FCC proposes $4,353,773.87 in total fines against 73 applicants in the Rural Digital Opportunity Fund Phase I Auction (Auction 904) that defaulted on their bids for support between July 26, 2021, and March 10, 2022. The overwhelming majority of the penalties were in the 4 and low 5 figures -- pocket change for a network business. The exceptions were: LTD Broadband LLC Kansas and Oklahoma $2.3M Time Warner Cable Information Services (Indiana), $276k Time Warner Cable Information Services (South Carolina) $276k Charter Fiberlink – Tennessee $231k RiverStreet Communications of Virginia, Inc North Carolina $117k What % of fines does FCC successfully collect, vs what they issue? -Dan
Re: Scanning the Internet for Vulnerabilities
On Mon, 20 Jun 2022, Carsten Bormann wrote: On 2022-06-20, at 14:14, J. Hellenthal wrote: Yeah that's another thing, "research" cause you need to learn it let's have them do it too, multiply that by every university \o/ there was some actual research involved. I agree that there should be a very good reason to expend a tiny bit of everyone’s resources on this. I do not agree that this externality makes any research in this space unethical. Consent is what makes it unethical. You signed up for this when you joined the Internet (er, stuck with the IPv4 Internet, I should probably say). "If you don't like the unsolicited email, just hit delete" ? How about ... NO. -Dan
Re: Scanning the Internet for Vulnerabilities
On Sun, 19 Jun 2022, Ronald F. Guilmette wrote: In earlier times, this was generally viewed as being distinctly anti-social behavior, but perhaps attitudes have changed relative to earlier eras. I would thus like to know how people feel about it now, in 2022. This has not changed. -Dan
Re: FYI - 2FA to become mandatory for ARIN Online? (was: Fwd: [arin-announce] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts
On Sat, 28 May 2022, Jim Popovitch via NANOG wrote: On Sat, 2022-05-28 at 11:36 -0700, Randy Bush wrote: I am not in the ARIN region but I have attended a few ARIN meetings. As a comment, I live in a country where mobile roaming does not exist, therefore, when 2FA only works with SMS I can not use the service. Having said that, please consider at least one more way to perform 2FA, maybe send a code to the email address or something else. i use google authenticator with arin.net There's also the RedHat supported app FreeOTP. There are lots of inexpensive hardware TOTP tokens as well. Personally when I have to 2fa where sms is not possible, I use a token2 molto-1. -Dan
Re: BANDWIDTH and VONAGE lose FCC rules exemption for STIR/SHAKEN
On Fri, 18 Feb 2022, Michael Thomas wrote: On 2/17/22 11:58 AM, Sean Donelan wrote: https://www.fcc.gov/document/fcc-finds-two-providers-failed-fully-implement-stirshaken-0 The Federal Communications Commission today took action to ensure that voice service providers meet their commitments and obligations to implement STIR/SHAKEN standards to combat spoofed robocall scams. Specifically, voice service providers Bandwidth and Vonage lost a partial exemption from STIR/SHAKEN because they failed to meet STIR/SHAKEN implementation commitments and have been referred to the FCC’s Enforcement Bureau for further investigation. So for probably a year or so before the Stir/Shaken mandate came, I have been seeing a lot less phone spam. I don't know if that's typical but it was quite noticeable for me. What that tells me is that providers likely started clamping down on their shady customers well ahead of the mandate which says that regulatory fiat would have been sufficient too. But that hinges on whether my situation is typical though. my phone spam is off the scale, and increased sharply just before stir/shaken went into effect. are spammers desperately trying to get their last bites in before their providers start getting shut down? -Dan
Re: Abuse Contact Handling
On Thu, 5 Aug 2021, Matt Corallo wrote: Thus, lots of the large hosting providers have deemed the cost of actually putting a human on an abuse contact is much too high. it seems they have decided that ending up on DBL is their abuse monitoring/reporting mechanism. -Dan
Re: STIR/SHAKEN implementation in effect today (June 30 2021)
On Fri, 9 Jul 2021, K. Scott Helms wrote: Nothing will change immediately. Having said that, I do expect that we will see much more effective enforcement. The investigations will come from the ITG (Industry Traceback Group) with enforcement coming from FCC or FTC depending on the actual offense. The problem has been that it's been far too easy for robocalling companies to hop from one telecom provider to another. Now there are requirements around "know your customer" that telecom operators have to follow and the ITG will have a much better chance of figuring out who the bad actor is than they have in the past. Longer term I worry that this will lead to more attacks on PBXs, eSBCs, and VOIP handsets to be able to call either from that endpoint itself or be able to use the SIP credentials. The market for robocalls will certainly not disappear. until there is enforcement there will be no changes. enforcement means more than just sternly worded letters. robocalls won't stop until the perps go to prison. -Dan
Re: STIR/SHAKEN implementation in effect today (June 30 2021)
On Fri, 9 Jul 2021, Michael Thomas wrote: Nothing has changed for me either. Color me surprised. The real proof will be to see if the originating domain can be determined, and whether the receiving domain does anything about it. Why would they do anything? The traffic is revenue. What is the FCC going to do other than write mean letters? -Dan
Re: Prefix hijacking by AS20115
On Mon, 28 Sep 2015, Seth Mattinen wrote: I'm at the tail end here almost 8 hours later since the hijacking started. Their NOC is just blowing me off now and they're happy to continue the hijacking until it's convenient for them to have a maintenance window. And that's apparently the final decision. Willful negligence. Will only be in your favor when it comes to collect damages. -Dan
Re: Working with Spamhaus
On Tue, 28 Jul 2015, Larry Sheldon wrote: On 7/28/2015 22:06, Bryan Tong wrote: If anyone has any advice on how to deal with these people. Please let me know here or off list. Based on years of experience, the very best way is don't. You have to work pretty hard to get a /17 listed. Don't profit from spam, and as a result don't deal with Spamhaus at all. Yep. -Dan
Re: Leap Second Folo/After Action
supposedly vulnerable devices sailed through without a peep. -Dan On Wed, 1 Jul 2015, Jay Ashworth wrote: Here's LWN's piece on the then-upcoming event from last week, presumably with comments trailing into today. http://lwn.net/Articles/648313/ How'd it go for everyone? Did the world end? Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://www.bcp38.info 2000 Land Rover DII St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
Re: eBay is looking for network heavies...
On Tue, 9 Jun 2015, Jay Ashworth wrote: - Original Message - From: Shane Ronan sh...@ronan-online.com When I was asked the default BGP timers across three different vendor platforms as measure of my networking ability during an interview, I replied saying I'd look them up if needed them. I was told I didn't understand BGP in enough detail, despite being able to describe all the steps of BGP session establishment and route exchange. Certs have ruined the industry. Maybe. But they certainly saved you from having to work for an asshole with misplaced priorities... Indeed, the interview process is a two way street. Lets you evaluate who you would be working for -- or if you really would want to. -Dan
Re: reclaiming arin IP allocations?
On Mon, 13 Apr 2015, Bill Woodcock wrote: Speaking individually, not with my ARIN board hat on: If you'd like to report the address to ab...@arin.net, an ARIN postmaster can contact the web.com POC, and get an authoritative answer. Very interesting: http://whois.arin.net/rest/net/NET-209-17-112-0-1/pft Note ARIN has attempted to validate the data for this POC, but has received no response from the POC since 2013-11-06 So if the owner does not care to respond to ARIN, what now? -Dan
reclaiming arin IP allocations?
web.com/netsol is disavowing ownership of 209.17.115.109.
NetRange: 209.17.112.0 - 209.17.127.255
CIDR: 209.17.112.0/20
NetName: WEB-COM-BLK3
NetHandle: NET-209-17-112-0-1
Parent: NET209 (NET-209-0-0-0-0)
What is the process to get this netblock reclaimed?
-Dan
Re: reclaiming arin IP allocations?
i reported abuse to them that was originating directly from 209.17.115.109, they responded stating they have no control over the origin IP and that i should look up the IP in arin to get the owner.
-Dan
On Mon, 13 Apr 2015, Mel Beckman wrote:
What makes you think they are disavowing ownership? Did they state that to you personally, or are you inferring that from other information?
-mel beckman
On Apr 13, 2015, at 1:36 PM, goe...@anime.net goe...@anime.net wrote:
web.com/netsol is disavowing ownership of 209.17.115.109.
NetRange: 209.17.112.0 - 209.17.127.255
CIDR: 209.17.112.0/20
NetName: WEB-COM-BLK3
NetHandle: NET-209-17-112-0-1
Parent: NET209 (NET-209-0-0-0-0)
What is the process to get this netblock reclaimed?
-Dan
Re: BGP offloading (fixing legacy router BGP scalability issues)
On Fri, 3 Apr 2015, valdis.kletni...@vt.edu wrote: We've been down this road before - we've had our own problems on this side of the puddle with transit providers who refused to deal with problem customers because the provider billed by the packet, and the customers were good about paying their bill - so dealing with the problem caused less packets and thus less revenue. At least in the US the provider could be charged with willful negligence and face liability. But in most cases RBL is enough pressure to get the US providers to do the right thing. -Dan
Re: BGP offloading (fixing legacy router BGP scalability issues)
On Mon, 6 Apr 2015, John Levine wrote: In article pine.lnx.4.64.1504061101030.24...@sasami.anime.net you write: On Fri, 3 Apr 2015, valdis.kletni...@vt.edu wrote: We've been down this road before - we've had our own problems on this side of the puddle with transit providers who refused to deal with problem customers because the provider billed by the packet, and the customers were good about paying their bill - so dealing with the problem caused less packets and thus less revenue. At least in the US the provider could be charged with willful negligence and face liability. Please provide legal citations. ignore a dmca takedown request, see what happens. -Dan
Re: BGP offloading (fixing legacy router BGP scalability issues)
On Fri, 3 Apr 2015, Barry Shein wrote: On April 2, 2015 at 14:19 goe...@anime.net (goe...@anime.net) wrote: a number of years back i did have someone contact in chinese and the response was that the customer was doing nothing wrong. Ok, that's progress of a sort, what's the authoritative source of right and wrong, something beyond c'mon it's obvious!? in their case the excuse was 1) they are a paying customer (thus can do no wrong) 2) they were breaking no chinese law (attacking US hosts) -Dan
Re: BGP offloading (fixing legacy router BGP scalability issues)
On Thu, 2 Apr 2015, Mark Tinka wrote: Most of the spam I get comes from North America. Go figure. I'm not about to cut access to that continent off. Big difference is that north america is usually responsive to abuse notifications and sometimes has LEO who will listen. china is neither. -Dan
Re: BGP offloading (fixing legacy router BGP scalability issues)
emails to the registered contacts bounce, for one, undeliverable. which is a bit of a change from the old chinanet auto-responder which auto-responded to every email with i cannot find that IP or that IP not by my Control. Please send the correct IP. a number of years back i did have someone contact in chinese and the response was that the customer was doing nothing wrong. -Dan On Thu, 2 Apr 2015, Barry Shein wrote: The essence of this discussion is IMHO a little...um...trite. Be that as it may how many of you have attempted to contact these providers in Chinese? Or do you all have good reason to believe that is never the problem? On April 2, 2015 at 11:05 goe...@anime.net (goe...@anime.net) wrote: On Thu, 2 Apr 2015, Mark Tinka wrote: Most of the spam I get comes from North America. Go figure. I'm not about to cut access to that continent off. Big difference is that north america is usually responsive to abuse notifications and sometimes has LEO who will listen. china is neither. -Dan -- -Barry Shein The World | b...@theworld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD| Dial-Up: US, PR, Canada Software Tool Die| Public Access Internet | SINCE 1989 *oo*
Re: A translation (was Re: An update from the ICANN ISPCP meeting...)
On Mon, 27 Oct 2014, Barry Shein wrote: I disagree. Perhaps my age is showing, but I believe the whole point of the registration database is to provide contact information to allow someone to contact the registrant for whatever reason, e.g., hey, stop that!. It's the old problem, crooks don't hand out business cards. And, again, at what cost, and to whom? If you can't be bothered to have correct contact info, your packets go into the scavenger queue. Or get redirected to a webpage explaining why your network is blocked until you correct it. Your customers will be the ones complaining to you. -Dan
Re: A translation (was Re: An update from the ICANN ISPCP meeting...)
On Mon, 27 Oct 2014, Eric Brunner-Williams wrote: On 10/27/14 10:12 AM, goe...@anime.net wrote: If you can't be bothered to have correct contact info, your packets go into the scavenger queue. Or get redirected to a webpage explaining why your network is blocked until you correct it. Your customers will be the ones complaining to you. the (icann accredited) registrar which accepted {bogus|non-verified|accurate} registrant data at some point in time less than 10 years ago which is now {bogus|non-verified|accurate|aged-out} is likely to be providing dns for the domain in question, or the dns is likely to be provided by the registrant, so the packets [DO NOT] go into the scavenger queue. NOR are they redirected ... I should clarify I was thinking about whois on the IP blocks and/or ASN. not dns for domain names. if your network is spewing sewage, there should be some way to contact you. if you are uninterested in being contacted, there's always RBLs I guess. -Dan
peer1 contact?
Can someone from peer1.net contact me? You are filtering your ab...@peer1.net mailbox. -Dan
Re: peer1 contact?
On Fri, 10 Oct 2014, Tom Hill wrote:
On 10/10/14 19:01, Alistair Mackenzie wrote:
Gmail gave me a warning about this email too so that may be your problem.
Yeah, my provider classified it as spam too (which I think is a fairly basic SpamAssassin installation).
nope. peer1 is rejecting emails on their end.
- The following addresses had permanent fatal errors -
ab...@peer1.net (reason: 554 This message contains a virus (HTML/PayPal.EE) (Mode: normal))
- Transcript of session follows -
... while talking to peer1.com.inbound10.mxlogicmx.net.:
DATA
554 This message contains a virus (HTML/PayPal.EE) (Mode: normal)
554 5.0.0 Service unavailable
peer1 is making it impossible to report criminal scams originating directly from IP addresses under their direct control. peer1 - remove your filtering from your abuse@ mailbox.
-Dan
Re: Dealing with abuse complaints to non-existent contacts
On Mon, 11 Aug 2014, Paul S. wrote: It would appear you've done your part in trying to reach out (and subsequently failed), so the next step to go is dropping all traffic from it. Nothing wrong with trying to protect your own customer from people who cannot be bothered to do their own due diligence. It would be nice if allocations would be revoked due to invalid/fake contact info. -Dan
Re: Dealing with abuse complaints to non-existent contacts
On Sun, 10 Aug 2014, David Conrad wrote: On Aug 10, 2014, at 2:05 PM, Bill Woodcock wo...@pch.net wrote: It would be nice if allocations would be revoked due to invalid/fake contact info. That's been debated many times, in most of the RIRs, and has not resulted in any persistent policies that I remember offhand. The tide may turn, as it were, if problems get sufficiently bad, at which point these sorts of policies might receive sufficient support to be passed, and stick. Which, of course, would not actually cause address space to be magically returned to the RIR. The RIRs are not the Internet Police and attempting to use the Whois database as a stick to beat 'bad' ISPs will simply result in the Whois database becoming less and less relevant. What might work would be for the RIRs to annotate registration data records with stuff like valid/invalid contact information (accessible programmatically via RDAP) and allow ISPs to build filters based on that annotation. But yes, this has been debated many times and nothing ever seems to get done. RBL / BGP blackholes based on bad registration info? Could work. -Dan
Re: Richard Bennett, NANOG posting, and Integrity
On Sun, 27 Jul 2014, Richard Bennett wrote: This is one of the more clueless smears I've seen. The astroturf allegation is hilarious because it shows a lack of understanding of what the term means: individuals can't be astroturf by definition; it takes an organization. Individuals can be paid shills though. -Dan
Re: Muni Fiber and Politics
On Mon, 21 Jul 2014, Constantine A. Murenin wrote: Cool story, however, http://www.ashlandfiber.net/productcenter.aspx#residential ... is nothing to brag home about. 5Mbps uploads max? Meh, I get more with mobile phone, plus my data is actually unlimited. Consider that AFN was setup when the majority of people were still on dialup, and was originally geared toward providing cable TV service with IP as an afterthought. Back then it was really something. They are definitely overdue for a hardware/service refresh. -Dan
Re: Muni Fiber and Politics
On Mon, 21 Jul 2014, Miles Fidelman wrote: - the anti-muni laws hurt small localities the most, where none of the big players have any intent of deploying anything This is exactly why ashland fiber network came to be. Because no provider was willing to step up and provide service. So the city did it. If there were laws against it there, then ashland would still have no service at all to this day. -Dan
Re: Feedback Requested: Routing Resilience Manifesto
On Wed, 2 Jul 2014, Larry Sheldon wrote: On 7/2/2014 1:00 PM, Jared Mauch wrote: On Jul 2, 2014, at 1:52 PM, William Herrin b...@herrin.us wrote: People will notice you streaking across a football field. They won't pay the slightest attention to what you have to say but they sure will notice you. Shall we organize a naked routing run? No, but how else do you suggest we work to address these problems? I am no longer active in the field, but back in the day, the ways of successfully selling stuff to management involved some mix of: It will improve sales. It will reduce costs. It will allow you to do something you want to do. It will keep you out of court and jail. No variation It is the right thing to do ever worked unless management thought of it. Things like DNSBLs could be used to encourage correct behavior. Why is your network performance shit? Because you allow your customers to spew sewage and you ended up on a blacklist, everyone now puts all your traffic in scavenger queue. -Dan
yahoo.fr is no longer interested in your abuse reports.
Looks like they've finally completely blocked off their abuse mailboxes.
- The following addresses had permanent fatal errors -
ab...@yahoo.fr (reason: 554 Message not allowed - [298])
- Transcript of session follows -
... while talking to mx-eu.mail.am0.yahoodns.net.:
DATA
554 Message not allowed - [298]
554 5.0.0 Service unavailable
-Dan
Re: yahoo.fr is no longer interested in your abuse reports.
It's the content. They're spamfiltering their abuse mailbox.
-Dan
On Wed, 11 Jun 2014, Blake Hudson wrote:
goe...@anime.net wrote the following on 6/11/2014 3:00 PM:
Looks like they've finally completely blocked off their abuse mailboxes.
- The following addresses had permanent fatal errors -
ab...@yahoo.fr (reason: 554 Message not allowed - [298])
- Transcript of session follows -
... while talking to mx-eu.mail.am0.yahoodns.net.:
DATA
554 Message not allowed - [298]
554 5.0.0 Service unavailable
-Dan
May just be you... or transient, seems OK to me:
# telnet mx-eu.mail.am0.yahoodns.net 25
Trying 188.125.69.79...
Connected to mx-eu.mail.am0.yahoodns.net.
Escape character is '^]'.
220 mta1157.mail.ir2.yahoo.com ESMTP ready
ehlo ispn.net
250-mta1157.mail.ir2.yahoo.com
250-PIPELINING
250-SIZE 41943040
250-8BITMIME
250 STARTTLS
mail from:serv...@ispn.net
250 sender serv...@ispn.net ok
rcpt to:ab...@yahoo.fr
250 recipient ab...@yahoo.fr ok
data
354 go ahead
test
.
250 ok Wed Jun 11 20:40:00 2014: ql 0, qr 93206887
linkedin.com abuse admins around?
If there is anyone from linkedin.com abuse around please let me know. I've been trying for 2 months to get an abuse issue resolved. -Dan
Re: The FCC is planning new net neutrality rules. And they could enshrine pay-for-play. - The Washington Post
If the carriers now get to play packet favoritism and pay-for-play, they should lose common carrier protections. -Dan
Re: RE: Level 3 blames Internet slowdowns on ISPs’ refusal to upgrade networks | Ars Technica
On Sat, 22 Mar 2014, Keith Medcalf wrote: I don't see this as a technical problem, but one of business and ethics. ISP X advertises/sells customers up to 8Mbps (as an example), but when it comes to delivering that product, they've only guaranteed 512Kbps (if any) because the ISP hasn't put in the infrastructure to support 8Mbps per customer. Customer believes he/she has 8Mbps, Content provider says we provide 8Mbps content, but ISP can (theoretically and in practice) only deliver a fraction of that. That feels like false advertising to me. The problem is that the consumer is too stupid to own a computer and use a network. The consumer purchased a product advertized as up to 8Mbps but really wanted not less than 8Mbps. It is not false advertizing. What was delivered is exactly what was advertized and exactly what was purchased. Up to includes 0. How close to 0 are you delivering on average? -Dan
Re: BCP38 [Was: Re: TWC (AS11351) blocking all NTP?]
On Tue, 4 Feb 2014, valdis.kletni...@vt.edu wrote: On Tue, 04 Feb 2014 10:09:02 -0800, Paul Ferguson said: I'd like to echo Jared's sentiment here -- collectively speaking, service providers need to figure out a way to deal with this issue, before some congresscritters start to try to introduce legislation that will force you to do it in a way that no one will like. Can somebody explain to me why those who run eyeball networks are able to block outbound packets when the customer hasn't paid their bill, but can't seem to block packets that shouldn't be coming from that cablemodem? (And yes, I know that in the first case, it urges the customer to cough up the bucks, and in the second case, it's usually not a revenue generator) The only way this is going to get fixed is to make it more expensive to originate abuse than it is to block it. The only thing management is going to pay attention to is their pocketbooks. -Dan
Re: Automatic abuse reports
On Wed, 13 Nov 2013, Sam Moats wrote: The only thing I can think of is that they are making the decisions about how important their abuse desk is based solely on the cost of running that desk. They are seeing it as a cost center and not thinking about its long term benefit to the entire network. I can't think of a way to remove the incentive for this short term thinking. Spam needs to become a financial liability rather than a lucrative revenue stream. That's the only way this is going to change. -Dan
rr.com contact please
Can someone from rr.com please contact me. Your abuse desk seems to believe this netblock does not belong to you:
network:Class-Name:network
network:ID:NETBLK-ISRC-24.39.128.0-17
network:Auth-Area:24.39.128.0/17
network:Org-Name:Road Runner Commercial
network:Tech-Contact:ipadd...@rr.com
network:Updated:2013-09-16 10:40:06
network:IP-Network:24.39.128.0/17
network:Admin-Contact:IPADD-ARIN
network:IP-Network-Range:24.39.128.0 - 24.39.255.255
-Dan
RE: ARIN WHOIS for leads
On Fri, 26 Jul 2013, Otis L. Surratt, Jr. wrote: -Original Message- From: Ryan Pavely [mailto:para...@nac.net] Sent: Friday, July 26, 2013 8:33 AM To: nanog@nanog.org Subject: Re: ARIN WHOIS for leads Even the anti-spam army out there seem to ignore 'This is the abuse contact', and end up spamming all whois org contacts. What's the point in that? I agree. Most of them end up blasting all contacts which is completely stupid!!! That's why you see on the comment sections with many providers something along the lines of Please use Abuse Handle or please send requests for DMCA to this handle Because your mail servers are broken. Because you put spamfilters on your abuse@ mailbox, IF you even have an abuse@, which a lot of you don't. Because we tried calling, and your tier1 are clueless. Fix your mailservers. Train your staff. Staff your abuse desk. Then we'll talk. If your network didn't spew sewage into people's mailboxes, and if you actually took action on abusive customers, this wouldn't be a problem. Some providers have responsive abuse desks. For the rest, well that's what RBL are for I guess. -Dan
Re: Prism continued
cellphones with cameras are probably better for the purposes of covert mass surveillance, especially ones with front facing cameras. far more of them out there, and wireless to boot. surprised everyone gets their panties in a bunch over presumed games console monitoring, what about all your iphones already out there? -Dan On Wed, 12 Jun 2013, John Lightfoot wrote: Let's see: Requires always-on internet connection Only available with Kinect Includes infrared sensor Manufactured by Microsoft, the first company to sign up for Prism When can I get my Xbox One?? http://www.nbcnews.com/technology/new-kinect-can-track-you-so-well-you-may-not-6C10287970 On 6/9/13 12:26 PM, Warren Bailey wbai...@satelliteintelligencegroup.com wrote: I suppose this system was part of the 20MM as well? http://gizmodo.com/meet-boundless-informant-the-nsa-tool-that-watches-the-512107983 Sent from my Mobile Device.
Re: PRISM: NSA/FBI Internet data mining project
On Thu, 6 Jun 2013, Matthew Petach wrote: Much less stress in life that way. ^_^ complacency is always the easiest path. many abuse@ mailboxes follow the same policy. -Dan
Re: nokiamail spam
On Mon, 3 Jun 2013, Rich Kulawiec wrote: 2. I have yet to see any evidence this century that Yahoo cares in the slightest about the unceasing flood of spam/phish/abuse flowing outbound from its operation. After all, if they did, we would not be having this conversation. wasn't yahoo's abuse team disbanded years ago? -Dan
Re: Illegal usage of AS51888 (and PI 91.220.85.0/24) from AS42989 and AS57954 (in ukraine)
if anyone wondered why abuse goes unchecked, wonder no longer. -Dan On Mon, 6 May 2013, Warren Bailey wrote: +1 Sent from my T-Mobile 4G LTE Device Original message From: Christopher Morrow morrowc.li...@gmail.com Date: 05/06/2013 9:29 AM (GMT-08:00) To: Valdis Kletnieks valdis.kletni...@vt.edu Cc: Warren Bailey wbai...@satelliteintelligencegroup.com,Adam Vitkovsky adam.vitkov...@swan.sk,Nick Hilliard n...@foobar.org,NANOG nanog@nanog.org Subject: Re: Illegal usage of AS51888 (and PI 91.220.85.0/24) from AS42989 and AS57954 (in ukraine) On Mon, May 6, 2013 at 12:23 PM, valdis.kletni...@vt.edu wrote: On Mon, 06 May 2013 15:27:35 -, Warren Bailey said: Illegal or undesired? This sort of stuff comes in two flavors: typo and intentionally done in furtherance of criminal activities. The fact that an AS number and matching IP range are involved tends to say it's not a typo. maybe warren's question is better stated: Please point to relevant legal code in the jurisdiction(s) which are relevant. (if you feel this is 'illegal', showing where in the relevant code(s) where this would be classified as such would help) -chris
Re: Illegal usage of AS51888 (and PI 91.220.85.0/24) from AS42989 and AS57954 (in ukraine)
And then you end up on RBLs. That seems to help the caring aspect PDQ. -Dan On Mon, 6 May 2013, Warren Bailey wrote: Abuse is abuse.. People are going to do bad things, even when you call them illegal (in some cases, as a result of calling them illegal). It's not illegal to be a tool, but it is illegal to break a law. In my opinion Laws need to be written and passed, not thought about and argued over. If we are going to arbitrarily make our own laws, why don't we start at something cooler than preventing a guy announcing someone's Internet addresses? I understand the magnitude of these actions, but at some point we need to pay attention to things outside of /dev/internet. Again.. I'm not saying these hijackers aren't pricks, I'm saying that stealing an AS number shouldn't be illegal - committing a crime with information gained should be (and is). It's not that I don't care, I just don't care that MUCH. Sent from my T-Mobile 4G LTE Device Original message From: goe...@anime.net Date: 05/06/2013 11:31 AM (GMT-08:00) To: Warren Bailey wbai...@satelliteintelligencegroup.com Cc: Christopher Morrow morrowc.li...@gmail.com,Valdis Kletnieks valdis.kletni...@vt.edu,NANOG nanog@nanog.org Subject: Re: Illegal usage of AS51888 (and PI 91.220.85.0/24) from AS42989 and AS57954 (in ukraine) if anyone wondered why abuse goes unchecked, wonder no longer.
-Dan On Mon, 6 May 2013, Warren Bailey wrote: +1 Sent from my T-Mobile 4G LTE Device Original message From: Christopher Morrow morrowc.li...@gmail.com Date: 05/06/2013 9:29 AM (GMT-08:00) To: Valdis Kletnieks valdis.kletni...@vt.edu Cc: Warren Bailey wbai...@satelliteintelligencegroup.com,Adam Vitkovsky adam.vitkov...@swan.sk,Nick Hilliard n...@foobar.org,NANOG nanog@nanog.org Subject: Re: Illegal usage of AS51888 (and PI 91.220.85.0/24) from AS42989 and AS57954 (in ukraine) On Mon, May 6, 2013 at 12:23 PM, valdis.kletni...@vt.edu wrote: On Mon, 06 May 2013 15:27:35 -, Warren Bailey said: Illegal or undesired? This sort of stuff comes in two flavors: typo and intentionally done in furtherance of criminal activities. The fact that an AS number and matching IP range are involved tends to say it's not a typo. maybe warren's question is better stated: Please point to relevant legal code in the jurisdiction(s) which are relevant. (if you feel this is 'illegal', showing where in the relevant code(s) where this would be classified as such would help) -chris
Re: Tier 2 ingress filtering
On Thu, 28 Mar 2013, Jon Lewis wrote: It's time for people to stop passing the buck on BCP38 (we don't do it, because it really ought to be done at that other level) and start implementing it where possible. An economic factor will be required for BCP38 to be effective. It will have to cost more money to not implement BCP38 than it will to implement it, in order to get widespread adoption. -Dan
RE: William was raided for running a Tor exit node. Please help if
On Fri, 30 Nov 2012, Naslund, Steve wrote: My message to the cops and my lawyer would be charge me or let's clear this up. There are laws to protect you from the government from taking your stuff in an unfair manner if you want to go that route. If there is a misunderstanding I will talk to the cops all they want. If I feel I need representation, I will get some. If I am really innocent, I doubt they could ask me too much that would upset me. My guess is they would rather move on in their case instead of spinning their wheels with me. http://www.sjgames.com/SS/ -Dan
Re: The Department of Work and Pensions, UK has an entire /8
On Tue, 18 Sep 2012, Owen DeLong wrote: On Sep 18, 2012, at 21:11 , Mike Hale eyeronic.des...@gmail.com wrote: this is the arin vigilante cultural view of the world. luckily, the disease does not propagate sufficiently to cross oceans. I'd love to hear the reasoning for this. Why would it be bad policy to force companies to use the resources they are assigned or give them back to the general pool? Many of them _ARE_ using them, just not using them directly on the public internet. There is nothing wrong with that. As others have said... !announced != !used. If they are not using them directly on the public internet, then there's no reason we can't use them. Problem solved! -Dan
Re: The Department of Work and Pensions, UK has an entire /8
On Wed, 19 Sep 2012, Mark Andrews wrote: In message pine.lnx.4.64.1209182339200.5...@sasami.anime.net, goe...@anime.net writes: On Tue, 18 Sep 2012, Owen DeLong wrote: On Sep 18, 2012, at 21:11 , Mike Hale eyeronic.des...@gmail.com wrote: this is the arin vigilante cultural view of the world. luckily, the disease does not propagate sufficiently to cross oceans. I'd love to hear the reasoning for this. Why would it be bad policy to force companies to use the resources they are assigned or give them back to the general pool? Many of them _ARE_ using them, just not using them directly on the public internet. There is nothing wrong with that. As others have said... !announced != !used. If they are not using them directly on the public internet, then there's no reason we can't use them. Problem solved! !announced whole world != !announced. There is a simple rule. i guess my sarcasm was missed. DO NOT USE ADDRESSES THAT YOU HAVE NOT BEEN ALLOCATED. Anything else has the potential to cause operational problems. Tell that to the providers who keep routing hijacked blocks for spammers :) -Dan
Re:
On Tue, 21 Aug 2012, George Herbert wrote: On Tue, Aug 21, 2012 at 3:25 PM, valdis.kletni...@vt.edu wrote: On Tue, 21 Aug 2012 17:11:49 -0500, Grant Ridder said: I love spam from Honduras. I am hoping that someone is going to kick this email from the members list. I'm hoping for something a tad more drastic. The bozo has an upstream, and this is NANOG. :) Back when I was at Berkeley, we used to punish offenders by routing their packets out to Finland and back (before Finland's net admins figured out what we were doing and quite rightly complained). Does anyone have a very lightly used, long long low bandwidth link they can dedicate to The Cause? I'm thinking wire cutters would be more effective. -Dan
Re: job screening question
On Mon, 9 Jul 2012, Jeroen van Aart wrote: William Herrin wrote: This, incidentally, is a detail I'd love for one of the candidates to offer in response to that question. Bonus points if you discuss MSS clamping and RFC 4821. The less precise answer, path MTU discovery breaks, is just fine. I would say that the ability to quickly understand, troubleshoot and find a solution to a problem (and document it) is a far better skill to have than having ready made answers to interview questions learned by heart. It should take a skilled person less than 30 minutes to find the answer to that question and understand it too. The importance of knowing many things by heart has become incredibly moot. If you are applying for a network position, you better know the *basics*. Having to look up the basics is not a good sign. Do you really want to hire someone who is going to have to look up basic networking concepts for 30 minutes every time they are in a meeting and asked a question? -Dan
Re: job screening question
On Fri, 6 Jul 2012, Nick Hilliard wrote: On 06/07/2012 16:12, valdis.kletni...@vt.edu wrote: On Fri, 06 Jul 2012 17:42:42 +1000, Matthew Palmer said: Ugh, I know someone (thankfully no longer a current colleague) who ardently *defends* his use of questions like what does the -M option to ps do? on Is that an African ps or a European ps? ;) I'll admit that I once asked a question like in an interview, but it was only because the candidate had said that he was an expert with the tar command. If you're going to be that full of poop on a CV, you should expect to be called up on it. This is what baffles me. People keep putting stuff on their resume that they simply don't know anything about. TCP/IP expert, yet they don't know SYN/SYNACK/ACK or subnetting. HTTP expert but they don't know what a 200 response is. -Dan
Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!
On Fri, 15 Jun 2012, Scott Weeks wrote: This is not a question of willful rejection, ISPs are happy to do this. They're just lazy...It doesn't have a direct impact on them and their ability to get new address space because they don't need new address space. Yep, we're definitely the lazy ones. No one else. this is indeed supported with plenty of evidence. We're hoping through all of this you can come up with some self-regulatory method in which you can do it, Because otherwise, there will be other things that people are going to consider. That's definitely a threat. ignore it at your own risk. We're hoping that people in the community seize the opportunity to work and to have that self-regulation, because, if not, if all of the different governments then get involved, it could get uglier. Yeah, that one, too. ditto. Yep, that's the kind of attitude that fosters community cooperation. Yep. That's it... nothing else has worked so far. keep complaining and do nothing, the decision will be made for you. or you can fix the problem that has been festering for 10+ years. the choice is yours. -Dan
Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!
On Fri, 15 Jun 2012, Scott Weeks wrote: --- goe...@anime.net wrote: or you can fix the problem that has been festering for 10+ years. --- Yeah, that. Why make it seem that v6 is the problem when it isn't. if arin would clamp down and revoke allocations that had provably wrong/fraudulent whois data, we would probably get 50% IPv4 space back. without incentives, we have proven it results in no action. -Dan
Re: Earthlink/RIR1.ORG admin with a clue?
fix your mail filters and maybe someone might be able to respond to you. - Transcript of session follows - ... while talking to smtp.cidc.net.: DATA 550 5.7.1 Rejected (100.00) - Retry with Cc: ab...@b2b2c.ca for analysis 554 5.0.0 Service unavailable -Dan On Tue, 15 May 2012, Chris Conn wrote: Hello, If a Earthlink/rir1.org hosting admin would care to contact me off-list since it appears the abuse department at earthlink does not understand what hosting a phishing site means. I am being asked for logs to prove something, yet the URL I supply which clearly brings someone to a phishing site is apparently not proof. Thanks, Chris Conn B2B2C.ca
The day SORBS goes away ...
The day SORBS goes away is the day ab...@yahoo.com starts functioning properly and yahoo starts booting spammers. The day SORBS goes away is the day BS like this stops happening: - The following addresses had permanent fatal errors - ab...@noc.privatedns.com (reason: 554 rejected due to spam content) -Dan
Re: The day SORBS goes away ...
the yahoo item was a point all its own, unrelated to iweb's idiocy. yahoo no longer cares to receive abuse reports from anyone at all. -Dan On Sat, 7 Apr 2012, Suresh Ramasubramanian wrote: err, i don't know but yahoo hasn't yet acquired this random webhost whose abuse you're trying to mail On Friday, April 6, 2012, goe...@anime.net wrote: The day SORBS goes away is the day ab...@yahoo.com starts functioning properly and yahoo starts booting spammers. The day SORBS goes away is the day BS like this stops happening: - The following addresses had permanent fatal errors - ab...@noc.privatedns.com (reason: 554 rejected due to spam content) -Dan -- Suresh Ramasubramanian (ops.li...@gmail.com)
RE: SORBS?!
This is often the only way to get people's attention and get action. Providers don't care about individual /32's and will let them sit around and spew Nigerian scams and pill spams without any consequences. But they will care about a /24. -Dan On Thu, 5 Apr 2012, Drew Weaver wrote: Now, if we could only teach Senderbase that if their customers receive 'questionable' smtp traffic from 1 IP address in a /24 it doesn't mean that all IP addresses in that /24 are malicious we'd really be living it up in 2012. -Original Message- From: Sam Oduor [mailto:sam.od...@gmail.com] Sent: Thursday, April 05, 2012 7:56 AM To: Chris Conn Cc: nanog@nanog.org Subject: Re: SORBS?! Some of the IP's I manage got blacklisted and it's true they were spamming and Sorbs had a very valid reason for blacklisting them. I got this response from sorbs after resolving the problem amicably. Sorbs responded well on time. Your request appear to have been resolved. If you have any further questions or concerns, please respond to this message. Please note: If your IP address has been delisted (marked as 'Inactive'), it will take up to 2 hours to get from the database to all the SORBS DNS servers. Changes to the database are exported to the DNS zone files periodically, not immediately after every change. Furthermore, after the updated database contents have been exported to the DNS zone files, it will then take up to 48 hours for the outdated DNS information to be removed from DNS caches around the world - none of these are in SORBS' control. Please do not reply to this call with problems not related to this ticket or your request will be ignored. On Wed, Apr 4, 2012 at 10:53 PM, Chris Conn cc...@b2b2c.ca wrote: Hello, Is anyone from SORBS still listening? We have a few IP addresses here and there that are listed, one in particular that has been for a spam incident from over a year ago.
The last spam date is 03/05/2011 according to their lookup tools. We don't have access to their Net Manager even if our ARIN POC corresponds to the account on their system we opened a while ago. We use their ISP feedback form and never get any responses back. Is SORBS still relevant and functional? Sincerely, Chris Conn B2B2C.ca -- Samson Oduor
Re: BCP38 Deployment
On Wed, 28 Mar 2012, David Conrad wrote: Actually, given the uptick in spoofing-based DoS attacks, the ease in which such attacks can be generated, recent high profile targets of said attacks, and the full-on money pumping freakout about anything with cyber- tacked on the front, I suspect a likely outcome will be proposals for legislation forcing ISPs to do something like BCP38. Exactly. Either do it voluntarily or it will be done for you involuntarily at the federal level and you will have nobody but yourselves to blame. The choice is yours. -Dan
Re: BCP38 Deployment
On Wed, 28 Mar 2012, Bingyang LIU wrote: the provider may not be able to protect its customers, because ingress filtering (including uRPF) is inefficient when done near the destination. In other words, an ISP can deploy BCP38 or whatever, but still cannot well protect its customers from spoofing attacks from other ASes. The ASes which enable spoofing need to have some penalty imposed or they will never engage in correct behavior. Something like throwing all their traffic into scavenger class. If their customers start complaining to them, maybe then they will shape up. -Dan
Re: Whitelist of update servers
vague question gets vague answer. yes -Dan On Mon, 12 Mar 2012, Maverick wrote: Is there a whitelist that applications have to talk to in order to update themselves?
Clueful road runner contact?
Anyone have a clueful road runner contact? -Dan
is 74.218.84.10 a road runner IP address?
ab...@rr.com doesn't seem to think so. -Dan
Re: is 74.218.84.10 a road runner IP address?
So anyone have a roadrunner contact with some clue? -Dan On Sat, 3 Mar 2012, Alex Conner wrote: According to Whois that's a commercial roadrunner connection, and it falls in one of their netblocks. Plenty of info here: http://bgp.he.net/ip/74.218.84.10 goe...@anime.net March 3, 2012 9:45 PM ab...@rr.com doesn't seem to think so. -Dan
Re: do not filter your customers
On Fri, 24 Feb 2012, Steven Bellovin wrote: Sure; I don't disagree, and I don't think that Randy does. But just because we can't solve the whole problem, does that mean we shouldn't solve any of it? that is often the way things are argued in engineering circles. the solution is imperfect therefore it is useless. this philosophy is reflected in the shoddy state of networks today. -Dan
Re: Hijacked Network Ranges
On Mon, 6 Feb 2012, Christopher Morrow wrote: why aren't filters applied at all? filters don't generate revenue. -Dan
Re: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks)
On Wed, 1 Feb 2012, Jimmy Hess wrote: What the internet really needs is Tier1 and Tier2 providers participating in the internet who care, regardless of the popularity or size of netblocks or issues involved. And by care, I mean, providers efficiently investigating reports of hijacking or rogue announcement, and taking swift responsible actions, without bureaucratic processes requiring years and reams of paperwork, or any attempt to shrug off responsibility they have as intermediary. caring doesn't make money. terminating abusive customers is lost revenue. what needs to happen is retaining abusive customers needs to be more expensive than letting them go. -Dan
Re: [#135346] Unauthorized BGP Announcements (follow up to Hijacked
On Thu, 2 Feb 2012, Joe Provo wrote: The suits won, and many nerds either threw in with them or revealed their affinity for the easy life and gave up. Being principled and turning away dirty money or exercising the fire the customer clause tends to be disliked by corporate officers. bottom line -- the only way to fix this problem is for bad behavior to become more expensive than good behavior. it's the only thing the pointy hairs will understand. -Dan
Re: Fwd: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks)
I think the correct term for this is bullet proof hosting. Now you know where to go. -Dan On Tue, 31 Jan 2012, Kelvin Williams wrote: I hope none of you ever get hijacked by a spammer housed at Phoenix NAP. :) We're still not out of the woods, announcing /24s and working with upper tier carriers to filter out our lists. However, I just got this response from Phoenix NAP and found it funny. The thief is a former customer, whom we terminated their agreement with. They then forged an LOA, submitted it to CWIE.net and Phoenix NAP and resumed using space above and beyond their terminated agreement. So now any request for assistance to stop our networks from being announced is now responded to with an instruction to contact the thief's lawyer. kw -- Forwarded message -- From: Kelvin Williams kwilli...@altuscgi.com Date: Tue, Jan 31, 2012 at 7:43 PM Subject: Re: [#135346] Unauthorized BGP Announcements To: n...@phoenixnap.com We'll be forwarding this to our peers in the industry--rather funny that Phoenix NAP would rather send us to the attorney of the people stealing our space than bothering to perform an ARIN WHOIS search, or querying any of the IRRs. Interesting... Very interesting... So, who all do you have there--spammers and child pornographers? Is this level of protection what you give to them all? On Tue, Jan 31, 2012 at 7:30 PM, Brandon S brand...@phoenixnap.com wrote: Hello, Thank you for your email. Please direct any further questions regarding this issue to the following contact. Bennet Kelley 100 Wilshire Blvd. Suite 950 Santa Monica, CA 90401 bkel...@internetlawcenter.net Telephone 310-452-0401 Facsimile 702-924-8740 -- Brandon S. NOC Services Technician ** We want to hear from you!** We care about the quality of our service. 
If you’ve received anything less than a prompt response or exceptional service or would like to share any feedback regarding your experience, please let us know by sending an email to management: supportfeedb...@phoenixnap.com -- Kelvin Williams Sr. Service Delivery Engineer Broadband Carrier Services Altus Communications Group, Inc. If you only have a hammer, you tend to see every problem as a nail. -- Abraham Maslow
Re: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks)
On Wed, 1 Feb 2012, Mark Andrews wrote: And if I have a contract to commit murder that doesn't mean that it is right nor legal. A contract can't get you out of dealing with the law of the land and in most places in the world aiding and abetting is illegal. the topic at hand would appear to be more 'willful negligence' than 'aiding and abetting'. punitive damages could apply. -Dan
Re: ab...@brasiltelecom.com.br Contact - Re: http://ipcacoal.org/ipcacoal/includes/kiwi.htm
On Sun, 20 Nov 2011, Don Gould wrote: Anyone with any clue on how to contact ab...@brasiltelecom.com.br like to forward this? Their abuse contact in the whois database is just bouncing. I think most sane operators totally blocked brasiltelecom ages ago. I would like to see the community address the whois database, clean it up and return it to being functional. Mine is not perfect either, and I will pledge to work on that over the next 12 months. I'd like to hear your commitment to the same. Until there are real, serious consequences to out of date / incorrect / forged data, nobody will fix it. If you can't be bothered to keep your contact information up to date, you obviously don't need the address space and it should be revoked. -Dan
aster.pl unwise abuse policy
Anyone with contacts at aster.pl advise them of their unwise policies? Thanks. -Dan From: Abuse ASTER ab...@aster.pl === This email was send automatically ! Do not reply to this email. --- Dear Sir or Madam, We kindly inform you that reports of violations of the Rules and Regulations of detailed benefits of internet access by ASTER Sp. z o.o based in Warsaw made by ASTER subscribers can only be sent by the help of the form available on the website: http://abuse.aster.pl. Reports sent via E-Mail will not be processed. Sincerely, Departament of Customer Service ASTER http://www.aster.pl/ebok/ tel: 0-801-014-014 lub 022 4-014-014
Re: SBL99576 195.191.102.0/24 SR04
On Tue, 22 Mar 2011, Sven Olaf Kamphuis wrote: as a european provider, we have no liability whatsoever for what customers do or do not do about the best reason i can think of for listing this block until the heat death of the universe. -Dan
Re: SBL99576 195.191.102.0/24 SR04
On Tue, 22 Mar 2011, John Peach wrote: On Tue, 22 Mar 2011 17:17:30 -0700 (PDT) goe...@anime.net wrote: On Tue, 22 Mar 2011, Sven Olaf Kamphuis wrote: as a european provider, we have no liability whatsoever for what customers do or do not do about the best reason i can think of for listing this block until the heat death of the universe. I thought it was very kind of him to supply the address ranges which need blocking. He also shouldn't worry about RBLs since everyone will have hardcoded his address ranges into their routers and access lists. -Dan
Re: Why does abuse handling take so long ?
On Sun, 13 Mar 2011, Alexander Maassen wrote: Why o why are isp's and hosters so ignorant in dealing with such issues and act like they do not care? they don't act like they do not care. they really *don't* care. no acting. 1) you're not a direct customer, why should they do anything? by doing nothing it cost them nothing. 2) why should they do anything to shut down paying customers? shutting down abusive customers is shutting off revenue sources. 3) lifting a finger is too much like work. it costs the money and gains them nothing. the only way to correct this behavior is to make it more expensive for providers to retain abusive customers than it is to keep them.
Re: Why does abuse handling take so long ?
On Sun, 13 Mar 2011, Jeff Wheeler wrote: So ultimately, there is already a good framework in place to substantially fix this problem. No one uses it. That is unlikely to change until there is an economic incentive, such as a lawsuit by someone targeted by DoS which can be proven to be originated from a negligent network, causing calculable damages. Until some network has to pay out a million bucks because they sat on their hands, I don't see anything changing. Exactly. Make this a question of economics and the problem will solve itself. It has to become more expensive to ignore abuse than it is to deal with it. Until that changes, the abuse will continue.
Re: Why does abuse handling take so long ?
On Sun, 13 Mar 2011, Alexander Maassen wrote: On 13-3-2011 18:31, William Allen Simpson wrote: On 3/13/11 7:45 AM, Alexander Maassen wrote: Why o why are isp's and hosters so ignorant in dealing with such issues and act like they do not care? So, part of the problem is *your* upstream. Why didn't your upstream actively remove the entire abusive netblock? Why didn't your upstream contact other providers with your evidence, and together remove the abusive network from the global routing tables? My hoster did mail, his upstream is EGI, however, EGI does not want to block/filter since it would pollute their routers they say. I asked through my hoster if they would be willing to place a simple UDP filter, blocking all of it. They refuse. again make it a question of economics. vote with your wallet, vote with your feet. if they won't block, leave.
Re: Why does abuse handling take so long ?
On Sun, 13 Mar 2011, Leo Bicknell wrote: Quite frankly, most ISP's aren't going to take your DDOS report seriously via e-mail. If it's not bad enough to you that it is worth your time and money to make a phone call and help them track it down it is not worth their time and money to track it down and make it stop. In short, try picking up the phone. You'll bypass the entire e-mail reporting cesspool I just described, and show the ISP you actually care. 9 out of 10 times they will respond by showing they care as well. In my experience, most phone calls cause the ISP to become immediately hostile. They find abuse report phone calls extremely threatening / scary / etc. and go into full shields-up mode. 9 out of 10 times the very first words out of their mouth is talk to our lawyers. the remaining 1 out of 10 is block it on your end. Email tends to be non threatening. As useless as it tends to be, it is still generally better than calling. the real cesspool is POC registries. i wish arin would start revoking allocations for entities with invalid POCs.
admin-c/tech-c deny responsibility/ownership of netblock
Is there a process to revoke netblocks from entities which deny ownership? http://www.db.ripe.net/whois?searchtext=77.223.129.43 The admin-c, tech-c deny any responsibility for this netblock. -Dan
Working abuse contact for lstn.net / limestonenetworks.com?
Anyone have a WORKING abuse contact for lstn.net / limestonenetworks.com? I have tried the usual channels (ab...@limestonenetworks.com, phone calls, live chat) with no results. -Dan
Re: ARIN Fraud Reporting Form ... Don't waste your time
Yearly? I say every 30 days. mailing lists do the c-r every 30 days. surely correct arin registration data is more important than a single email address on a mailing list. -Dan On Fri, 1 Oct 2010, Franck Martin wrote: A yearly challenge response for legacy space contacts, could be useful. I think there is a plan like this in some RIRs - Original Message - From: Owen DeLong o...@delong.com To: George Bonser gbon...@seven.com Cc: nanog@nanog.org Sent: Friday, 1 October, 2010 4:03:56 PM Subject: Re: ARIN Fraud Reporting Form ... Don't waste your time On Oct 1, 2010, at 2:27 PM, George Bonser wrote: -Original Message- From: Ricky Beam Sent: Friday, October 01, 2010 1:00 PM To: nanog@nanog.org Subject: Re: ARIN Fraud Reporting Form ... Don't waste your time In the case of legacy space, it's actually very hard for ARIN to even identify the status of the organization in question, let alone take any sort of action with respect to said space. Owen
RE: BGP hijack from 23724 - 4134 China?
On Fri, 9 Apr 2010, George Bonser wrote: I suppose it is easier and takes less of your resources to get the world to block you than it is to block the world. operating a bullet proof spam network, ignoring complaints, is certainly one way to achieve that. anyone remember chinanet's lying autoresponder: In your SPAM eMail,I can't find the IP or the IP is not by my control.Please give me the correct IP.Thank you. ? -Dan
Re: BGP hijack from 23724 - 4134 China?
On Thu, 8 Apr 2010, Danny McPherson wrote: FWIW, this is a lot like putting a bandaid on a headache - it's not going to do much good in reality, and likely cause more harm than good in properly secured networks - but it might make some folks feel a little better. behavior modification. chinanet doesn't listen to complaints from victims. perhaps they'll listen to complaints from customers when they can't reach anyone anymore. this is after all how spam RBLs work. providers don't care one whit about everyone who gets spammed, but they care if their customers walk because they can't reach anyone. -Dan
Re: ATT Mind Boggles...
On Thu, 11 Feb 2010, Jay Hennigan wrote: Mark Tinka wrote: not usually my style to whine, but... ATT, what gives? /not usually my style to whine, but... You need the proper perspective on these things. Rent and watch this classic movie from 1967, then you'll understand. http://www.imdb.com/title/tt0062153/ This is a bit more accessible, and free: http://www.hulu.com/watch/4163/saturday-night-live-ernestine -Dan
Re: he.net down/slow?
On Sat, 9 Jan 2010, James Hess wrote: Spam filter your inbox on /CONFIDENTIALITY NOTICE.*intended recipient.*destroy.*copies/si and be done with it. The individual sender normally has no control over the matter, so their only two choices are: (a) Post with the notice, or (b) Don't post at all. senders who don't have control over the matter shouldn't be using such accounts to subscribe to public mailing lists like nanog. -Dan
tpg.com.au contact?
Anyone have a clueful mail admin contact for tpg.com.au? The usual attempts result in completely clueless and unhelpful responses, going round in circles with no progress. -Dan
Re: Follow up to previous post regarding SAAVIS
On Wed, 12 Aug 2009, Christopher Morrow wrote: On Wed, Aug 12, 2009 at 9:57 AM, Drew Weaver drew.wea...@thenap.com wrote: Anyone know why SAAVIS would be allowing PEER1 (AS 13768) to advertise routes for whatever IP addresses they want? sadly savvis didn't learn the pccw lesson, which is also the turk-telecom lesson which is also the as7007 lesson which is... fairly sad really in 2009. for the sake of $diety put a prefix-filter on your customer bgp sessions, it ain't hard! sounds too much like work to me. not interested. -Dan
Re: Botnet hunting resources (was: Re: DOS in progress ?)
On Mon, 10 Aug 2009, Luke S Crawford wrote: goe...@anime.net writes: On Fri, 8 Aug 2009, Luke S Crawford wrote: 1. are there people who apply pressure to ISPs to get them to shut down botnets, like maps did for spam? sadly no. ... Why do you think this might be? Fear of (extralegal) retaliation by botnet owners? or fear of getting sued by listed network owners? or is the idea (shunning packets from ISPs that host botnets) fundamentally unsound? such a list would include all of chinanet and france telecom. it would likely not last long. what do you do when rogue networks are state owned? If someone sufficiently trustworthy produced a BGP feed of networks that were unresponsive to abuse complaints, do you think other networks would use it to block traffic? no. I mean, ultimately I think that having several providers of such feeds with differing levels of aggression would be the best case, but someone has got to go first. consider how much time and effort it took to get intercage shut down and you'd realize it's pretty much a lost cause. -Dan
Re: Botnet hunting resources (was: Re: DOS in progress ?)
On Fri, 8 Aug 2009, Luke S Crawford wrote: 1. are there people who apply pressure to ISPs to get them to shut down botnets, like maps did for spam? sadly no. I've got 50 gigs of packet captures, and have been going through with perl to detect IPs who send me lots of tcp packets with 0 payloads, then manually sending abuse reports. Half the abuse reports bounce, and the other half are ignored. (most of the hosts in question are in china.) it's a big problem, especially with rogue networks like france and china. there is currently zero incentive for anyone to clean up, as there are no consequences for not doing so. this will not change until there are real consequences for operating IP cesspools. -Dan
Re: ATT. Layer 6-8 needed.
On Mon, 27 Jul 2009, William Pitcock wrote: On Sun, 2009-07-26 at 20:05 -0700, Shon Elliott wrote: There has been a lot of customers on our network who were complaining about ACK scan reports coming from 207.126.64.181. We had no choice but to block that single IP until the attacks let up. It was a decision I made with the gentleman that owns the colo facility currently hosts 4chan. There was no other way around it. I'm sure ATT is probably blocking it for the same reason. 4chan has been under attack for over 3 weeks, the attacks filling up an entire GigE. If you want to blame anyone, blame the script kiddies who pull this kind of stunt. ...have you ever heard of forged packet headers? Just saying. everyone who *still* refuses to block spoofing should think hard about it. you know who you are. -Dan
Re: questionable email filtering policies?
On Thu, 24 Jul 2009, John Levine wrote: ab...@btopenworld.com I'm not sure which is worse: 1) That they filter their abuse mailbox. 2) That they outsource their abuse mailbox (and potentially others) to Yahoo. BT outsources all of their mail to Yahoo. It actually works pretty well, either POP or web mail. so far btopenworld.com looks like bullet proof phishing drop boxes, based on yahoo's cluefree response. anyone from yahoo with clue around? or is this a lost cause... -Dan
Re: ATT. Layer 6-8 needed.
http://status.4chan.org/ On Sun, 26 Jul 2009, jamie wrote: No ears enclosing clue will be reached via normal channels at ~950E on a Sunday, but this is clearly a problem needing addressing, resolution, action and, who knows - suit? http://www.hulu.com/watch/4163/saturday-night-live-ernestine
questionable email filtering policies?
Seems rather unwise to filter your abuse mailbox. - The following addresses had permanent fatal errors - ab...@btopenworld.com (reason: 554 Message not allowed - UP Email not accepted for policy reasons. Please visit http://help.yahoo.com/help/us/mail/defer/defer-04.html [120]) -Dan
Re: questionable email filtering policies?
assume i have already done this, and received a completely and utterly useless response from yahoo indicating they have absolutely not the slightest clue. -Dan On Thu, 23 Jul 2009, Ben Carleton wrote: Try filling out this form to reach Y's abuse dept? http://help.yahoo.com/l/us/yahoo/mail/postmaster/defer.html --bc On Jul 23, 2009, at 4:22 PM, goe...@anime.net wrote: Seems rather unwise to filter your abuse mailbox. - The following addresses had permanent fatal errors - ab...@btopenworld.com (reason: 554 Message not allowed - UP Email not accepted for policy reasons. Please visit http://help.yahoo.com/help/us/mail/defer/defer-04.html [120]) -Dan
Re: Minnesota Sends List of Blacklisted Gambling Sites to ISPs, Telcos
On Wed, 6 May 2009, Jeremy L. Gaddis wrote: With regard to the recent discussion... Late last month the Minnesota Department of Public Safety announced it would require ISPs and telcos to block computers located in the state from accessing gambling sites, and said non-compliant companies would be referred to the FCC. Now, the state has sent each ISP and telco the enclosed blacklist of sites and URLs. http://www.govtech.com/gt/articles/656645 On the topic of gambling websites, is the minnesota state lottery website going to be blocked as well? -Dan
Re: Redundant AS's
On Wed, 18 Mar 2009, Hank Nussbacher wrote: At 08:18 AM 18-03-09 +0100, Henk Uijterwaal wrote: It's a bit dated now, but the RIPE report, ASN MIA, sounds like what you're looking for... www.apnic.net/meetings/21/docs/sigs/routing/routing-pres-uijterwaal-asn-mia.ppt When I look at this more recently, the conclusion still seems to be valid: we'll run out of 16 bit ASN's somewhere in 2011 to 2013. There are a lot of unused ASN's out there. Recovering them will postpone the problem by a few years but it won't solve it. The basic problem with recovery is how to decide if an ASN is really no longer used/needed. There is (still) no mechanism to do this. Henk Why not go after low lying fruit first? If an ASN was assigned years ago and hasn't appeared in the RIB for the past year that ASN should be reclaimed. Send warning emails to the registered contacts as well as to the assigning LIR and after 3 months - just reclaim it. How about just nailing everyone who has invalid contact info? That would certainly be incentive to get it updated. Nothing else seems to work. -Dan
clueful yahoo admin?
Can a yahoo mail admin with clue please contact me? I'm going around in circles with your support staff who are unable to read headers. -Dan