Re: Finding clue at comcast.net

2003-10-09 Thread Matt
Howard C. Berkowitz wrote: At 10:40 PM -0400 10/9/03, Brandon Ross wrote: On Thu, 9 Oct 2003, Matt wrote: > I wouldn't recommend that actually. The local folks do not have any > control over the IP infrastructure, they only handle the HFC plant. Do you think that may have anything to do wi

large-scale IPSEC tunnel deployment

2003-10-09 Thread Alex Yuriev
Hello, Does anyone have any experience with large scale production IPSEC tunnel deployment, where large scale is defined as over 100 net-to-net tunnels to different destination networks active at any time? If so, would such person(s) mind sharing any quirks/platforms/implementati

Re: Finding ASN from IP address

2003-10-09 Thread Kai Schlichting
On 10/9/2003 at 12:49 PM, "Avleen Vig" <[EMAIL PROTECTED]> wrote: > I want to create a mapping of IP addresses to ASN, for a specific like > of IP addresses. Eg: > 1.2.3.4 > 12.34.56.78 > etc, gathered from my system logs. > What is the best way of doing this? http://www.spamshield.org/#t

Re: Finding clue at comcast.net

2003-10-09 Thread Howard C. Berkowitz
At 10:40 PM -0400 10/9/03, Brandon Ross wrote: On Thu, 9 Oct 2003, Matt wrote: > I wouldn't recommend that actually. The local folks do not have any > control over the IP infrastructure, they only handle the HFC plant. Do you think that may have anything to do with the complaints cited here?

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Dr. Jeffrey Race
On Thu, 9 Oct 2003 18:40:35 -0400, John Capo wrote: > I spent >the rest of the day googleing for case law that might be applied >to the network operators providing connectivity to the trojaned >boxes being used for illegal activities, identity theft. Didn't >accomplish much except wasting the d

Re: Finding clue at comcast.net

2003-10-09 Thread Brandon Ross
On Thu, 9 Oct 2003, Matt wrote: > > I wouldn't recommend that actually. The local folks do not have any > > control over the IP infrastructure, they only handle the HFC plant. > > Do you think that may have anything to do with the complaints cited here? Nope, most of the complaints here seem

Re: contact at yahoo mail? (they think we're an open relay :< )

2003-10-09 Thread Damian Gerow
Thus spake Kee Hinckley ([EMAIL PROTECTED]) [09/10/03 22:30]: > I have seen yahoo block based on excessive mail sent to non-existent > addresses. If you are bouncing mail with a return-path set to yahoo, > that can be a problem. Out of curiosity, can those who have had their mail blocked by Y

RE: contact at yahoo mail? (they think we're an open relay :< )

2003-10-09 Thread Kee Hinckley
At 6:34 PM -0400 10/9/03, Mark Jeftovic wrote: So that, combined with the number of "same here" posts wrt yahoo lead me to believe that that's not the reason. I have seen yahoo block based on excessive mail sent to non-existent addresses. If you are bouncing mail with a return-path set to yahoo,

Re: Finding clue at comcast.net

2003-10-09 Thread Matt
> I wouldn't recommend that actually. The local folks do not have any > control over the IP infrastructure, they only handle the HFC plant. Do you think that may have anything to do with the complaints cited here?

Re: Is there anything that actually gets users to fix their computers?

2003-10-09 Thread Howard C. Berkowitz
At 3:26 PM -1000 10/9/03, Michael Painter wrote: http://www.wired.com/news/digiwood/0,1412,60613,00.html "When students first register on the network, they are required to read about peer-to-peer networks and certify that they will not share copyright files. Icarus then scans their computer, dete

Re: Wired mag article on spammers playing traceroute games with trojaned

2003-10-09 Thread Jeff Kell
Laurence F. Sheldon, Jr. wrote: Margie Arbon wrote: With all due respect, we have a *problem*. End user machines on broadband connections are being misconfigured and/or compromised in frightening numbers. These machines are being used for everything from IRC flooder to spam engines, to DNS serve

Re: contact at yahoo mail? (they think we're an open relay :< )

2003-10-09 Thread Damian Gerow
Thus spake Mark Jeftovic ([EMAIL PROTECTED]) [09/10/03 21:42]: > At the time of writing this I think it's better than it was earlier: > > spawn:/home/markjr/tmp# telnet mx1.mail.yahoo.com 25 > Trying 64.157.4.78... > Connected to mta-v22.level3.mail.yahoo.com. > Escape character is '^]'. > 220 YSm

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Lou Katz
On Thu, Oct 09, 2003 at 05:20:10PM -0700, Margie Arbon wrote: > > --On Thursday, October 09, 2003 7:54 PM -0400 Susan Harris > <[EMAIL PROTECTED]> wrote: > > > > >Folks, let's move this discussion onto one of the many lists that > >focuses on spam: > > > > http://www.claws-and-paws.com/spam-l/

Re: contact at yahoo mail? (they think we're an open relay :< )

2003-10-09 Thread Mark Jeftovic
From what we can tell, it's a type of "throttling" mechanism, perhaps intended to slow down problematic hosts. We went back in our logs and found it's been happening for weeks but at a low level, we never noticed until today. Today it got much worse, but even so, mail would trickle through to ya

Re: Is there anything that actually gets users to fix their computers?

2003-10-09 Thread Michael Painter
http://www.wired.com/news/digiwood/0,1412,60613,00.html "When students first register on the network, they are required to read about peer-to-peer networks and certify that they will not share copyright files. Icarus then scans their computer, detects any worms, viruses or programs that act as

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Damian Gerow
(I dislike meta-discussion, but since it /is/ applicable to the list...) Thus spake Sean Donelan ([EMAIL PROTECTED]) [09/10/03 21:32]: > Susan did not say it wasn't an operational issue. She said there are > other lists which focus on that issue. Agreed. > There are many subjects of interest t

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Sean Donelan
On Thu, 9 Oct 2003, Margie Arbon wrote: > I am curious as to why open proxies, compromised hosts, trojans and > routing games are not considered operational issues simply because > the vehicle being discussed is spam. Susan did not say it wasn't an operational issue. She said there are other lis

Re: contact at yahoo mail? (they think we're an open relay :< )

2003-10-09 Thread Damian Gerow
Thus spake chuck goolsbee ([EMAIL PROTECTED]) [09/10/03 18:37]: > Indeed. They were blocking our servers this morning, but without any > intervention by us (to my knowledge) it is working again now. Go > figure. Can someone from Yahoo! confirm that the borked blacklist has been fixed, and it's

Re: Finding clue at comcast.net

2003-10-09 Thread Brandon Ross
On Thu, 9 Oct 2003, Howard C. Berkowitz wrote: > *sigh* Y'know, I could live with it if I could even have a mailbox to > which I could send detailed trouble reports, even if no one looked at > them on the next day. While their routing seems to be fairly stable > these days, there would be times

Re: RE: Finding clue at comcast.net

2003-10-09 Thread Brandon Ross
On Thu, 9 Oct 2003, Alan Spicer wrote: > Now I'm not suggesting anyone lie ... or such a thing ... but say you > called the local office on a cold sales call asking for the person that > handles their data networking. As you work your way through that try to > find out who is the Head Engineer(s)

RE: Finding clue at comcast.net

2003-10-09 Thread Brandon Ross
On Thu, 9 Oct 2003, Eric Kagan wrote: > I was informed "legacy" ATTBI setup is still different from the router / > infrastructure side. (i.e. Old ATTBI has ping and ports blocked that > "native" Comcast does not) That is true for the moment. We're in the process of rectifying that. -- Brand

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Avleen Vig
On Thu, Oct 09, 2003 at 07:44:35PM -0500, Laurence F. Sheldon, Jr. wrote: > > Two-three years ago the warnings were ignored because it was only > > IRC. Now it's only spam. What does it take to make the Network > > Operators and NANOG decide that things that are a "very bad thing" on > > one prot

RE: Qwest bgp communities

2003-10-09 Thread Williams, Ken
Disregard, I thought they had allowed bgp queries on that site as well -Original Message- From: Haesu [mailto:[EMAIL PROTECTED] Sent: Thursday, October 09, 2003 5:39 PM To: [EMAIL PROTECTED] Subject: Qwest bgp communities Hi, Anyone here know if Qwest operates a route server like

RE: Qwest bgp communities

2003-10-09 Thread Williams, Ken
http://stat.qwest.net/looking_glass.html -Original Message- From: Haesu [mailto:[EMAIL PROTECTED] Sent: Thursday, October 09, 2003 5:39 PM To: [EMAIL PROTECTED] Subject: Qwest bgp communities Hi, Anyone here know if Qwest operates a route server like GBLX, HE, ATT, that also shows AS

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Laurence F. Sheldon, Jr.
Margie Arbon wrote: > I am curious as to why open proxies, compromised hosts, trojans and > routing games are not considered operational issues simply because > the vehicle being discussed is spam. > > With all due respect, we have a *problem*. End user machines on > broadband connections are be

Qwest bgp communities

2003-10-09 Thread Haesu
Hi, Anyone here know if Qwest operates a route server like GBLX, HE, ATT, that also shows AS209's communities? It would be useful for some bgp troubleshooting.. There is one peer in route-views.oregon-ix.net that shows 209 routes, but unfortunately, that particular peer strips off all 209's c

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Margie Arbon
--On Thursday, October 09, 2003 7:54 PM -0400 Susan Harris <[EMAIL PROTECTED]> wrote: Folks, let's move this discussion onto one of the many lists that focuses on spam: http://www.claws-and-paws.com/spam-l/spam-l.html -- spam-l list for spam prevention and discussion http://www.abuse.n

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Susan Harris
Folks, let's move this discussion onto one of the many lists that focuses on spam: http://www.claws-and-paws.com/spam-l/spam-l.html -- spam-l list for spam prevention and discussion http://www.abuse.net/spamtools.html -- spam tools list for software tools that detect spam net.

Re: Wired mag article on spammers playing traceroute games with

2003-10-09 Thread Fred Baker
At 03:00 PM 10/9/2003, [EMAIL PROTECTED] wrote: We seem to be slowly transforming the network into more and more just a network of port 80 boxes. :( Perhaps the Internet really is going to end up being just the Web, not through evil intervention, but by our own well-intentioned efforts. I imag

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread John Capo
Quoting [EMAIL PROTECTED] ([EMAIL PROTECTED]): > [snip] > it? Convince registrars to kill domains that are clearly being used by > thieves? From a post on NANE, here's what the registrar for vano-soft.biz had to say on Oct 1: > In order to terminate service of this domain name we will need a

RE: contact at yahoo mail? (they think we're an open relay :< )

2003-10-09 Thread Mark Jeftovic
It's a very confusing page to read, we are listed as 127.0.0.2 and that is NERD-CA. The other entries like: ARIXDICTSTALE Sender has a history of dictionary spamming: stale.dict.rbl.arix.com -> 127.0.0.1 I think indicate what that RBL is for and what the value indicates, we are NOT in there:

Re: contact at yahoo mail? (they think we're an open relay :< )

2003-10-09 Thread chuck goolsbee
Today our email forwarders started getting this from yahoo.com mail handlers: Us too. And more than one ISP that I have seen (for example, iglou.com mentioned that one of their boxes was being blocked) Something looks badly borked there. bork bork bork Indeed. They were blocking our servers t

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Jim Popovitch
On Thu, 2003-10-09 at 16:41, Suresh Ramasubramanian wrote: > Affinity is a large - and extremely spammer infested - webhost. They do > happen to have quite a few legitimate customers though. That's simple to overcome. You notify those legitimate customers that they are doing business with an

Re: contact at yahoo mail? (they think we're an open relay :< )

2003-10-09 Thread Damian Gerow
Thus spake Mark Jeftovic ([EMAIL PROTECTED]) [09/10/03 18:05]: > We are listed in no-more-funn.moensted.dk as 127.0.0.2 which > is described as: > > + NERD-CA ip-space assigned to Canada: ca.countries.nerd.dk -> 127.0.0.2 > 216.220.40/24 is in ca, rejected based on geographical location > about:

Need contact at Everyone Internet

2003-10-09 Thread Mike Batchelor
I am seeking a contact at Everyone Internet (EV1.NET) who can address a routing problem at EV1's borders that is causing our users to be unable to reach many popular sites hosted there, or that have DNS servers there. We've tried contacting them by telephone, only to be referred to [EMAIL PROTE

Re: Wired mag article on spammers playing traceroute games with

2003-10-09 Thread matt
> > Actually, running a web server on 8290 isn't as easy as 80. SpamAssassin > tests (WEIRD_PORT) for this, as do many other filtering packages. > Forcing spammers to use non-standard ports will greatly increase their rate > of detection, and in turn help to solve the spam problem. > -Mike

Re: Finding clue at comcast.net

2003-10-09 Thread Howard C. Berkowitz
- Original Message - From: "Howard C. Berkowitz" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, October 09, 2003 11:20 AM Subject: RE: Finding clue at comcast.net At 9:29 AM -0500 10/9/03, Austad, Jay wrote: >Comcast's phone support department is the *worst*, WORST, I've ev

RE: contact at yahoo mail? (they think we're an open relay :< )

2003-10-09 Thread Mark Jeftovic
We are listed in no-more-funn.moensted.dk as 127.0.0.2 which is described as: + NERD-CA ip-space assigned to Canada: ca.countries.nerd.dk -> 127.0.0.2 216.220.40/24 is in ca, rejected based on geographical location about: Please see our webpage for more information about: This zone lists ONLY ba

Re: Sitefinder and DDoS

2003-10-09 Thread Kee Hinckley
At 10:41 PM +0300 10/9/03, Petri Helenius wrote: With $100M annual revenue at stake, I would be willing to provide distributed solutions to this problem if you send me a reasonable fraction of that money. But can you do it without breaking the assumption that any lookup on *.TLD will always retur

Re: contact at yahoo mail? (they think we're an open relay :< )

2003-10-09 Thread Suresh Ramasubramanian
Mark Jeftovic writes on 10/10/2003 1:52 AM: Today our email forwarders started getting this from yahoo.com mail handlers: 553 Mail from 216.220.40.247 not allowed - VS99-IP1 deferred - see help.yahoo.com/help/us/mail/defer/defer-02.html (#5.7.1) Connection closed by foreign host. Us too. And more

Fw: Broadband World Forum Conference Proceedings

2003-10-09 Thread Alan Spicer
Title: IEC Broadband World Forum Proceedings CD-ROM --- Alan Spicer ([EMAIL PROTECTED]) http://aspicer.homelinux.net/ Systems and Network Administration, and Telecommunications (954) 977-5245 - Original Message - From: Julie Brandt To: [EMAIL PROTECTED] Sent: Thursday, October 09, 2

Re: contact at yahoo mail? (they think we're an open relay :< )

2003-10-09 Thread Valdis . Kletnieks
On Thu, 09 Oct 2003 16:22:49 EDT, Mark Jeftovic <[EMAIL PROTECTED]> said: > 553 Mail from 216.220.40.247 not allowed - VS99-IP1 deferred - see > help.yahoo.com/help/us/mail/defer/defer-02.html (#5.7.1) > Connection closed by foreign host. Yahoo is ticked at our mail server as well - apparently,

Re: Sitefinder and DDoS

2003-10-09 Thread Petri Helenius
Kee Hinckley wrote: At 10:41 PM +0300 10/9/03, Petri Helenius wrote: With $100M annual revenue at stake, I would be willing to provide distributed solutions to this problem if you send me a reasonable fraction of that money. But can you do it without breaking the assumption that any lookup on

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Suresh Ramasubramanian
John Neiberger writes on 10/10/2003 1:12 AM: This appears to be a rather prolific spammer. At first I thought they were affiliated with www.skynetweb.com because they have the same address, including suite number, but it now appears that they are really affiliated with these guys: http://www.affin

Re: contact at yahoo mail? (they think we're an open relay :< )

2003-10-09 Thread Damian Gerow
Thus spake Mark Jeftovic ([EMAIL PROTECTED]) [09/10/03 16:57]: > Today our email forwarders started getting this from yahoo.com > mail handlers: > > 553 Mail from 216.220.40.247 not allowed - VS99-IP1 deferred - see > help.yahoo.com/help/us/mail/defer/defer-02.html (#5.7.1) > Connection closed by

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Hank Nussbacher
On Thu, 9 Oct 2003, John Neiberger wrote: Doing some Googling on tubul I found: WAP S.A. Katarzyna Piatek (tubul at wp.pl) +48.327811019 FAX- +48.327811025 Opolska 22 Katowice, 40-084 PL -Hank > >Actually, in the case of the wired article (removeform.com), it seems > to be > >connected to a si

Re: Finding clue at comcast.net

2003-10-09 Thread Alan Spicer
- Original Message - From: "Howard C. Berkowitz" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, October 09, 2003 11:20 AM Subject: RE: Finding clue at comcast.net > > At 9:29 AM -0500 10/9/03, Austad, Jay wrote: > >Comcast's phone support department is the *worst*, WORST, I

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread John Neiberger
Michael Airhart <[EMAIL PROTECTED]> 10/9/03 1:57:06 PM >>> > >How many times have you received SPAM selling a product from a U.S. based >company? I have received plenty follow the money Hank has it right. > >M >(speaking only for myself) Well, Cisco has a sales office in the same b

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Mike Hyde
It looks like they are using their little team of zombie machines that are doing the port 80 redirect to also respond to DNS requests: ;; AUTHORITY SECTION: vano-soft.biz. 120 IN NS ns3.uzc12.biz. vano-soft.biz. 120 IN NS ns4.uzc12.biz. vano-soft.biz.

contact at yahoo mail? (they think we're an open relay :< )

2003-10-09 Thread Mark Jeftovic
Today our email forwarders started getting this from yahoo.com mail handlers: 553 Mail from 216.220.40.247 not allowed - VS99-IP1 deferred - see help.yahoo.com/help/us/mail/defer/defer-02.html (#5.7.1) Connection closed by foreign host. Which when you go look at that page basically tells you yo

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread John Neiberger
>>OrgName:CyberGate, Inc. >>OrgID: CYBG >>Address:3250 W. Commercial Blvd. Suite 200 >>City: Ft. Lauderdale >>StateProv: FL >>PostalCode: 33309 >>Country:US > >This appears to be a rather prolific spammer. At first I thought they >were affiliated with www.skynetweb.com beca

Re: Sitefinder and DDoS

2003-10-09 Thread Petri Helenius
Howard C. Berkowitz wrote: The attack is now directed at the Verisign Sitefinder service. Adam OUCH. Yet worse. This would be the son-of-windowsupdate.com, right? Pete

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Dr. Jeffrey Race
On Thu, 9 Oct 2003 10:28:30 -0700 (PDT), Andy Ellifson wrote: >And as soon as you call law enforcement what happens? The spammer is >located offshore. Then what? This is an easy one. Again, see

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Michael Airhart
How many times have you received SPAM selling a product from a U.S. based company? I have received plenty follow the money Hank has it right. M (speaking only for myself) Oops... Try this again... And as soon as you call law enforcement what happens? The spammer is located offshore.

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Dr. Jeffrey Race
On Thu, 09 Oct 2003 14:36:53 -0400, Mike Tancsa wrote: >OrgName:CyberGate, Inc. This is a notorious spam-enabler about which I had a quarrel with AT&T management several years back to get them thrown off the AT&T network. I had to take it to their lawyers since the abuse staff would do not

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Mike Tancsa
At 03:42 PM 09/10/2003, [EMAIL PROTECTED] wrote: On Thu, 09 Oct 2003 12:01:35 EDT, "McBurnett, Jim" <[EMAIL PROTECTED]> said: > Can Broadband ISP's require a Linksys, dlink or other > broadband router without too many problems? So now instead of a misconfigured PC, you're going to have a misconf

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Dr. Jeffrey Race
On Thu, 9 Oct 2003 12:55:36 -0400 (EDT), [EMAIL PROTECTED] wrote: >Trouble is, how do you stop this? You use the same principles that are successfully applied every in society (except the Internet) to prevent the negligent from injuring the public.

Re: Sitefinder and DDoS

2003-10-09 Thread Howard C. Berkowitz
> Let's also assume someone sets up a popular webpage with malware HTML causing it, perhaps with a time delay, to issue rapid GETs to deliberately nonexistent domains. You don't even have to imagine that. Imagine a long-term port 80 Denial of Service (DoS) attack against a given website (using

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread John Neiberger
>Actually, in the case of the wired article (removeform.com), it seems to be >connected to a site in Florida. I asked my programmer ([EMAIL PROTECTED]) >to decode the obfuscated java script/page that is served up by one of the >zombies (On FreeBSD fetch -B 18192 -o danger.html >http://www.re

Re: Sitefinder and DDoS

2003-10-09 Thread Howard C. Berkowitz
At 10:41 PM +0300 10/9/03, Petri Helenius wrote: Howard C. Berkowitz wrote: I am NOT suggesting this simply as an argument against Sitefinder, and I'd like to see engineering analysis of how this vulnerability could be prevented. With $100M annual revenue at stake, I would be willing to provide

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Valdis . Kletnieks
On Thu, 09 Oct 2003 12:01:35 EDT, "McBurnett, Jim" <[EMAIL PROTECTED]> said: > Can Broadband ISP's require a Linksys, dlink or other > broadband router without too many problems? So now instead of a misconfigured PC, you're going to have a misconfigured router front-ending a misconfigured PC? O

RE: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Mike Damm
Actually, running a web server on 8290 isn't as easy as 80. SpamAssassin tests (WEIRD_PORT) for this, as do many other filtering packages. Forcing spammers to use non-standard ports will greatly increase their rate of detection, and in turn help to solve the spam problem. -Mike -O

Re: Sitefinder and DDoS

2003-10-09 Thread Petri Helenius
Howard C. Berkowitz wrote: I am NOT suggesting this simply as an argument against Sitefinder, and I'd like to see engineering analysis of how this vulnerability could be prevented. With $100M annual revenue at stake, I would be willing to provide distributed solutions to this problem if you sen

RE: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Fred Baker
At 09:01 AM 10/9/2003, McBurnett, Jim wrote: Can Broadband ISP's require a Linksys, dlink or other broadband router without too many problems? The router vendors would like that to happen :^)

Re: RE: Finding clue at comcast.net

2003-10-09 Thread Alan Spicer
>From: "Austad, Jay" <[EMAIL PROTECTED]> >Date: 2003/10/09 Thu AM 10:29:25 EDT >To: "'Howard C. Berkowitz'" <[EMAIL PROTECTED]>, [EMAIL PROTECTED] >Subject: RE: Finding clue at comcast.net > > >Comcast's phone support department is the *worst*, WORST, I've ever dealt >with. I think they are out

RE: Finding ASN from IP address

2003-10-09 Thread Austad, Jay
There's a tool out there called "tracesroute" (note the "s") that will also provide the AS number of every ip it lists. > -Original Message- > From: Suresh Ramasubramanian [mailto:[EMAIL PROTECTED] > Sent: Thursday, October 09, 2003 12:46 PM > To: Avleen Vig > Cc: [EMAIL PROTECTED] > Su

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Mike Tancsa
Looks like attachments won't go through, so I will repost without the attachment. If anyone wants a copy, let me know ---Mike At 01:28 PM 09/10/2003, Andy Ellifson wrote: Oops... Try this again... And as soon as you call law enforcement what happens? The spammer is located offshore

Re: Sitefinder and DDoS

2003-10-09 Thread bmanning
> > > Let's assume for a moment that Verisign's wildcards and Sitefinder go > back into operation. > > Let's also assume someone sets up a popular webpage with malware HTML > causing it, perhaps with a time delay, to issue rapid GETs to > deliberately nonexistent domains. > > What would be

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Suresh Ramasubramanian
Andy Ellifson writes on 10/9/2003 10:58 PM: Oops... Try this again... And as soon as you call law enforcement what happens? The spammer is located offshore. Then what? 99% of them are Americans - and mostly from Florida at that. See http://www.spamhaus.org/rokso/ they might subcontract stuf

Re: Finding ASN from IP address

2003-10-09 Thread Eric Anderson
There's a paper on just this problem from SIGCOMM 2003: http://www.acm.org/sigcomm/sigcomm2003/papers.html#p365-mao On Thursday, Oct 9, 2003, at 09:49 US/Pacific, Avleen Vig wrote: I want to create a mapping of IP addresses to ASN, for a specific like of IP addresses. Eg: 1.2.3.4 12.34.56.78

Re: Finding ASN from IP address

2003-10-09 Thread Jeff Wasilko
On Thu, Oct 09, 2003 at 09:49:32AM -0700, Avleen Vig wrote: > > I want to create a mapping of IP addresses to ASN, for a specific like > of IP addresses. Eg: > 1.2.3.4 > 12.34.56.78 > > etc, gathered from my system logs. > > What is the best way of doing this? Team Cymru is offering a IP t

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Andy Ellifson
And as soon as you call law enforcement what happens? The spammer --- Hank Nussbacher <[EMAIL PROTECTED]> wrote: > > On Thu, 9 Oct 2003, Suresh Ramasubramanian wrote: > > > * "Follow the money" - find out the spammer / the guy who he spams > for, > > from payment information etc. Sic law enf

Re: Finding ASN from IP address

2003-10-09 Thread Suresh Ramasubramanian
Avleen Vig writes on 10/9/2003 10:19 PM: I want to create a mapping of IP addresses to ASN, for a specific like of IP addresses. Eg: 1.2.3.4 12.34.56.78 etc, gathered from my system logs. What is the best way of doing this? Rob Thomas (cymru.com) has something like this - see below. -- srs (

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Suresh Ramasubramanian
Michael G writes on 10/9/2003 10:27 PM: Also, after doing some preliminary digging, it would seem that the GTLD.BIZ servers have very low TTLs on a lot of their domains. In fact, 7200 seems high compared to some other ones I found. Any correlation with the unusually high proportion of .biz domain

Sitefinder and DDoS

2003-10-09 Thread Howard C. Berkowitz
Let's assume for a moment that Verisign's wildcards and Sitefinder go back into operation. Let's also assume someone sets up a popular webpage with malware HTML causing it, perhaps with a time delay, to issue rapid GETs to deliberately nonexistent domains. What would be the effect on overall I

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread jlewis
On Thu, 9 Oct 2003, Joe Boyce wrote: > VA> Personally, I think preventing residential broadband customers from hosting > VA> servers would limit a lot of that. I'm not saying that IS the solution. > > It's not like those customers are aware they are hosting servers, they > most likely were exp

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Vinny Abello
At 12:53 PM 10/9/2003, you wrote: On 9 Oct 2003, at 12:19, Vinny Abello wrote: Personally, I think preventing residential broadband customers from hosting servers would limit a lot of that. I'm not saying that IS the solution. Whether or not that's the right thing to do in all circumstances fo

RE: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread David Keith
>On Thursday, October 9, 2003, at 12:24 PM, Suresh Ramasubramanian wrote: > > Nope - the guy would get more trojaned boxes, no shortage of unpatched > windows machines on broadband. > > There are two ways to go here - > > * Nullroute or bogus out in your resolvers the DNS servers for this > doma

Re: Finding ASN from IP address

2003-10-09 Thread Michael K. Smith
On 10/9/03 9:49 AM, "Avleen Vig" <[EMAIL PROTECTED]> wrote: > > I want to create a mapping of IP addresses to ASN, for a specific like > of IP addresses. Eg: > 1.2.3.4 > 12.34.56.78 > > etc, gathered from my system logs. > > What is the best way of doing this? > Well, if you are not adverse t

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Joe Abley
On 9 Oct 2003, at 12:19, Vinny Abello wrote: Personally, I think preventing residential broadband customers from hosting servers would limit a lot of that. I'm not saying that IS the solution. Whether or not that's the right thing to do in all circumstances for each ISP is a long standing deb

RE: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Geo.
>>There are two ways to go here - * Nullroute or bogus out in your resolvers the DNS servers for this domain --> two problems here. One is that the spammer doesn't use vano-soft.biz in the smtp envelope, and second, he abuses open redirectors like yahoo's srd.yahoo.com << There is another optio

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Andy Ellifson
Oops... Try this again... And as soon as you call law enforcement what happens? The spammer is located offshore. Then what? --- Hank Nussbacher <[EMAIL PROTECTED]> wrote: > > On Thu, 9 Oct 2003, Suresh Ramasubramanian wrote: > > > * "Follow the money" - find out the spammer / the guy who h

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Gregory Hicks
> Date: Thu, 9 Oct 2003 10:51:08 -0500 > Subject: Re: Wired mag article on spammers playing traceroute games with trojaned boxes > From: Chris Boyd <[EMAIL PROTECTED]> > To: [EMAIL PROTECTED] > > > > On Thursday, October 9, 2003, at 10:04 AM, Suresh Ramasubramanian > wrote: > > > > > http:

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Richard D G Cox
On Thu, 9 Oct 2003 12:01:35 -0400 "McBurnett, Jim" <[EMAIL PROTECTED]> wrote: | I think even if we get all the ones for this domain name today, | assuming we can muster even man hours to get it today, another | 5000 will be added tomorrow. And looking at my list We have US | (a very small ISP an

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Jack Bates
Vinny Abello wrote: Personally, I think preventing residential broadband customers from hosting servers would limit a lot of that. I'm not saying that IS the solution. Whether or not that's the right thing to do in all circumstances for each ISP is a long standing debate that surfaces here fro

Finding ASN from IP address

2003-10-09 Thread Avleen Vig
I want to create a mapping of IP addresses to ASN, for a specific list of IP addresses. Eg: 1.2.3.4 12.34.56.78 etc, gathered from my system logs. What is the best way of doing this? I thought about something along the lines of: install routing software (zebra?) pass software the IP's,

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Michael G
On Thu, 2003-10-09 at 09:11, Vinny Abello wrote: > > They're using extremely low TTL's on most of their records. Typically 2 > minutes to accomplish this. The thing is I would imagine at least ONE of > those NS servers cannot change within a 2 hour window whereas the others > can change every

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Suresh Ramasubramanian
Hank Nussbacher writes on 10/9/2003 10:00 PM: I think we can all safely assume that the people behind this are most probably on NANOG or reading the archives and are now aware of your idea :-) vano-soft has been extensively discussed on other forums (spam-l, nanae etc) for quite some time. But y

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Kee Hinckley
At 10:51 AM -0500 10/9/03, Chris Boyd wrote: A few minutes later, or from a different nameserver, I get Name:vano-soft.biz Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9 12.252.185.129 This is a real Hydra. If everyone on the list looked up vano-soft.biz a

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Vinny Abello
At 12:31 PM 10/9/2003, Joe Boyce wrote: Thursday, October 9, 2003, 9:19:37 AM, you wrote: VA> Personally, I think preventing residential broadband customers from hosting VA> servers would limit a lot of that. I'm not saying that IS the solution. VA> Whether or not that's the right thing to do

Re: Finding clue at comcast.net

2003-10-09 Thread Sirius F. Crackhoe
-Original Message- From: Sirius F. Crackhoe [mailto:[EMAIL PROTECTED] Sent: Thursday, October 09, 2003 12:37 PM To: 'Howard C. Berkowitz' Comcast's Technical and Customer Support is outsourced to EDS and is based in the EDS call center in Halifax. I believe they were also taking cal

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Hank Nussbacher
On Thu, 9 Oct 2003, Suresh Ramasubramanian wrote: > * "Follow the money" - find out the spammer / the guy who he spams for, > from payment information etc. Sic law enforcement on them. > > srs I think we can all safely assume that the people behind this are most probably on NANOG or readin

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Jeremy T. Bouse
I can kinda agree with this idea for the most part. In past ISP environments I've worked in and had input in decisions we did redirect SMTP traffic back to our mail servers or blocked out-right access to mail servers outside our control but there were always some special cases. Just as stop

RE: Finding clue at comcast.net

2003-10-09 Thread Eric Kagan
I was informed "legacy" ATTBI setup is still different from the router / infrastructure side. (i.e. Old ATTBI has ping and ports blocked that "native" Comcast does not) Eric > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of > Suresh Ramasubramanian > S

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Joe St Sauver
Hi, #I think even if we get all the ones for this domain name today, #assuming we can muster even man hours to get it today, another #5000 will be added tomorrow. Actually, we wrote a little tool to systematically track the dotted quads associated with the vano-soft domain name. We have been

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Suresh Ramasubramanian
Vinny Abello writes on 10/9/2003 9:41 PM: They're using extremely low TTL's on most of their records. Typically 2 minutes to accomplish this. The thing is I would imagine at least ONE of those NS servers cannot change within a 2 hour window whereas the others They are using a whole lot of stuff

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Joe Boyce
Thursday, October 9, 2003, 9:19:37 AM, you wrote: VA> Personally, I think preventing residential broadband customers from hosting VA> servers would limit a lot of that. I'm not saying that IS the solution. VA> Whether or not that's the right thing to do in all circumstances for each VA> ISP

Re: Finding clue at comcast.net

2003-10-09 Thread Suresh Ramasubramanian
Miles Fidelman writes on 10/9/2003 9:25 PM: Anybody know to what extent Comcast and the old MediaOne/ATTBI customer support organizations have been merged? I think all the cable infrastructure from ATTBI has migrated to comcast. And people on attbi got transitioned to comcast email addresses qui

RE: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread Vinny Abello
At 12:01 PM 10/9/2003, McBurnett, Jim wrote: -> ->I found one of these today, as a matter of fact. The spam was ->advertising an anti-spam package, of course. -> ->The domain name is vano-soft.biz, and looking up the address, I get -> ->Name:vano-soft.biz ->Addresses: 12.252.185.129, 131.22
