Dave Pooser wrote:
Handling the abuse desk well (or poorly) builds (or damages) the brand.
...among people who are educated among such things. Unfortunately, people
with clue are orders of magnitude short of a majority, and the rest of the
world (ie: potential customers) wouldn't know an abuse
William Herrin wrote:
Without conceding the garbage collection issue, let me ask you
directly: how do you propose to motivate qualified folks to keep
working the abuse desk?
Ask AOL?
-Jack
cost to recover and repair what we have is far less than throwing anything
else into the ground, but no one considered needing as much copper as it would
take to bump everyone from DSL to a 4 pair system. I won't even discuss RBOC
mentality when it comes to rural plant (including the entire state of Oklahoma).
Jack Bates
Tim Franklin wrote:
For the UK (and NL), on the tech side we're seeing some success with EFM
on copper, in this particular case on an Actelis platform. It's a new
unit in the CO, from 1-8 pairs from the CO to the customer premises, up to
a total bandwidth across all pairs of 40Mb/s in each dire
ons it's flexible ratio as beyond DOCSIS 3.0 features which implies
the standard is still fixed ratio), but I suspect it will be years before
networks can adapt.
Jack Bates
Justin Scott wrote:
We also have home-grown scripts that figure out whether a domain is
delegated to us or not and flag the ones that aren't. In the case of
the free service we flag them for two weeks and if they still aren't
delegated to us after that period we disable them on the DNS servers
D'Arcy J.M. Cain wrote:
You're kidding, right? Have you ever called an ISP to report a
technical problem that has nothing to do with your computer or even
your connection to them, say a reverse DNS issue? If you tell them
that you run Unix they just ask you to run IE anyway. If you don't run
Donald Stahl wrote:
Working hard to defend privacy does not automatically equal protecting
people who exploit children- and I'm getting sick and tired of people
screaming "Think of the children!" It's a stupid, fear mongering tactic-
and hopefully one day people will think of it in the same wa
me for something which wasn't working!"
*checks logs*
"Well, interestingly enough we see that you used it here, here, here, and here.
Pay the bill, please."
Jack Bates
to. They said that those who give them the most flack usually get the
least amount of slack. Play hardball with the government, and it will play
hardball back at you. I'd definitely make sure you stick to #4 if following #1-3.
Of course, IANAL and YMMV.
Jack Bates
do the best we could to assist
in meeting the traffic tap.
Jack Bates
Todd Vierling wrote:
The reality is probably that the service is available, but the slow
motion of *infrastructure* network upgrades (where the CPE might not
even need a change in some cases) is holding back the rest of the
works.
Network upgrades tend to not be cheap, and I doubt the vendor
tiated and that it's completely
impossible for one to have 20Mb up and 1.5 Mb down.
Jack Bates
Albert Meyer wrote:
Didn't we all figure out years ago that, when using a telephone or cable
company for Internet service, you have to just use the pipe and get your
services (mail, news, etc.) elsewhere? Bemoaning the poor quality of
telco/cableco mail servers is kind of like wishing that t
or "but basic RPF is easier
and you're doing something funky anyways".
Jack Bates
[EMAIL PROTECTED] wrote:
One wonders whether it might not be more effective in the
long run to sue ICANN/IANA rather than suing completewhois.com.
Of course, it could be that I used the wrong term. IANAL after all. Perhaps the
right term was injunction? Does that qualify as a lawsuit? Unfor
tworks and forget them in their firewalls. From previous posts, it appears
that this is a case of continued propagation of incorrect information after
being notified of the inaccuracy, and the information is published as being
fact; implying accuracy.
Jack Bates
he address space to slap them with a lawsuit.
Jack Bates
Matthew Crocker wrote:
Maybe the new slogan needs to be "Save the Internet! Train the chimps!"
Shouldn't 'ip verify unicast source reachable-by rx' be a default
setting on all interfaces? Only to be removed by trained chimps?
Only if you wish to break existing configurations during IOS
.. right?
The issue was that when revoking an IP from a customer, AT&T did not remove the
rDNS configuration for that IP. Had they done so, their own servers would have
reported back that there wasn't any rDNS (NXDOMAIN) which would have been
perfectly acceptable.
Jack Bates
ould time out connections waiting
for the non-existent nameservers. We weren't really interested in handling rDNS
for the IP given that it wasn't handling mail, web, or have any A records
pointing to it. It is the easiest way to get it done, though.
Jack Bates
riots
broke out and shortly after I left it paid not to be white in Zimbabwe and
definitely not a white farmer. The economy didn't fare well. A beautiful
country, but unfortunately not very ideal for a network engineer.
Jack Bates
Lasher, Donn wrote:
YMMV, but my mileage has been just as bad as yours, in some cases worse.
Converting from swip's to RWHOIS took 6 months. ARIN is painful. Overly
painful for someone who you pay for the right to USE IP addresses on a
yearly basis
Of course, that's just my personal viewpoi
David Conrad wrote:
I'm sure the same argument was used for telephone numbers when technical
folk were arguing against number portability.
Number portability is a different can of worms, and many telephone companies
pushed for it. However, telephone numbers have been assigned in large block
Richard A Steenbergen wrote:
Ever notice the only folks happy with the status quo are the few who have
already have an intimate knowledge of the ARIN allocation process, and/or
have the right political connections to resolve the "issues" that come up
when dealing with them?
Try looking at it
Niels Bakker wrote:
Address space policy has always been the result of a community
consensus. Just because that consensus has shifted over the years does
not mean that older entries in some database have suddenly developed
into property. All it means is that the community is very friendly for
Matt Ghali wrote:
Yes, at the least, wasting huge piles of ARIN's money on legal fees;
which is likely Kremen's entire intent, to "teach them a lesson" for not
handing over what he wanted.
Correction. Wasting huge piles of our money. I was hoping the money would go
towards a new template
Jon Lewis wrote:
In small quantities, and which tie you to particular providers. Shells
of companies have been bought (or just claimed) for their large,
especially pre-ARIN, PI-IP assignments. To a young ISP, a /16 for
example may seem like a lifetime supply of IP space, and save the
co
Christopher L. Morrow wrote:
agreed, punting this problem to the helpdesk makes the helpdesk manager
grab his gun(s) and find the security wonk that put a hurtin' on his
numbers :) Also, it costs lots of money, which isn't generally a good
plan.
Do you find that web redirection actually stems
David Nolan wrote:
(*): For anyone who doesn't know, URPF is essentially a way to do
automatic acls, comparing the source IP of on an incoming packet to the
routing table to verify the packet should have come from this
interface. With the right hardware this is significantly cheaper than
Andy Davidson wrote:
And they don't care ! How is someone else telling them that they need a
virus checker going to change anything ?
We allowed users back online to run Housecall at trendmicro for free so
they could get cleaned up and save some money. However, the resuspend
rate was
[EMAIL PROTECTED] wrote:
The network itself is the primary contact information
for a domain. Every nameserver has an IP address
whose connectivity can be tracked through the network.
Same thing for mail servers and anything else with
an A record. This means that operationally it is
far more importa
lity (nothing like
equipment which likes to bring circuits up twice before resuming
service). Hints, tips, and tricks welcome. I have certain edge routers
that I need to ensure availability even during catastrophic failure
without requiring each of the customers on those routers to maintain
separate circuits.
Thanks,
Jack Bates
Erik Haagsman wrote:
Which means you have to make sure the revenue generated by those 98%
underutilized servers covers your powerbill and other expenses,
preferably leaving some headroom for a healthy profit margin. As
long as that's the case there's no real waste of energy, the services
peop
David Raistrick wrote:
You seem to be arguing that NAT is the only way to prevent inbound access.
While it's true that most commercial IPv4 firewalls bundle NAT with packet
filtering, the NAT is not required... and less so with IPv6.
I think the point that was being made was that NAT allows the filt
Dave Howe wrote:
Indeed so yes - however... A large and increasing segment of my users are
VPN laptop users with ADSL at home. Our accounts department looks a
certain amount of askance at IT when they get a large phone bill in
expenses for someone using a 33.6 modem right next to a nice shiny half
Owen DeLong wrote:
The issues that must be addressed are the issues of internet governance,
control of the root (does Verisign serve ICANN or vice-versa), and
finally, whether the .com/.net zones belong to the public trust or to
Verisign. Focusing on the technical is to fiddle while Rome burns.
Th
todd glassey wrote:
Richard -
Do they (Verisign) have any legal reason to??? - is there anything between
them and ANY of their clients that requires them to inform them before any
changes to protocol facilities are made - I think not.
To inform? Not yet, although I have the feeling that this will
Jun-ichiro itojun Hagino wrote:
While short term traffic filters are deployed, the appropriate recommended
longer term action is to:
Edge networks have a lot more to upgrade than backbone networks.
Obtaining IOS code that works for all the different types of routers and
meets the ISP's policy is
Paul Vixie wrote:
While I agree that handling of NXDOMAIN needs to improve, such handling
must be done by the application. Popular browsers have already started ...
i think i agree with where this was going, but it would be a fine thing if
we all stop calling this NXDOMAIN. the proper term is
Owen DeLong wrote:
They claim to be representing the "USER" community and to know better
than we what they end users want. They think we're just a bunch of
geek engineers that are unwilling to embrace new ideas. Most of all,
they think they can make money this way, and, they don't really care
Vinny Abello wrote:
Personally, I think preventing residential broadband customers from
hosting servers would limit a lot of that. I'm not saying that IS the
solution. Whether or not that's the right thing to do in all
circumstances for each ISP is a long standing debate that surfaces here
fro
John Renwick wrote:
You've put your finger on it. ISPs have to help users understand that their
machines are broken in a way that makes them unable to gain access to the
Internet -- then most will take them to the shop PDQ, and hopefully get them
back with some protection installed.
While suspendi
Jeffrey Meltzer wrote:
What valid reason would you have for getting in contact with a domain owner,
if they've unlisted themselves and don't want to be contacted?
Problem with email or a website to a given domain. The fact that IP
addresses aren't swip'd out to the individual owners. Multiple dom
Allen McRay wrote:
To learn how to assign WHOIS contact information and about other actions you
can take to protect your personal information today, visit
www.InternetPrivacyAdvocate.org.
It's ridiculous to state that placing contact information for a domain
name is a privacy issue. A domain is p
Paul Vixie wrote:
you are confused. and in any case this is off-topic. take it to namedroppers,
but before you do, please read rfc's 1033, 1034, 1035, 2136, 2181, and 2317.
Can someone please tell me how a change to a critical component of the
Internet which has the capacity to cause harm is not
Mark Segal wrote:
I think some RBLs might get better responses from the ISPs when they stop
taking "collateral damage gets the abuse department's attention" attitudes..
Some RBLs cause many providers a LOT of headaches, so it is not surprising
that when it is their turn to complain, the ISPs will
Paul Vixie wrote:
oh... that wasn't a joke, then?
there won't be a protocol change of that kind, not in a million years.
It doesn't have to be a protocol change. Strictly an implementation
change. It would break less than the current implementation change y'all
made can break. Regardless of if
Geo. wrote:
There shouldn't be a need for any removal process. A server should be listed
for as long as the spam continues to come from it. Once the spam stops the
blacklisting should stop as well. That is how a dynamic list SHOULD work.
Depends on the type of listing. Open proxies and open relays
Geo. wrote:
Blacklists are just one kind of filter. If we could load software that
allowed us to forward spams caught by other filters into it and it
maintained a DNS blacklist we could have our servers use, we wouldn't need
big public rbl's, everyone doing any kind of mail volume could easily run
Paul Vixie wrote:
It's still to be seen if ISC's cure is worse than the disease; as
instead of detecting and stopping wildcard sets, it looks for delegation.
that's because wildcard ("synthesized") responses do not look different
on the wire, and looking for a specific A RR that can be changed
Kee Hinckley wrote:
Getting practical for a minute. What is the optimal way now to see if a
given host truly exists? Assume that I can't control the DNS server--I
need to have this code run in any (*ix) environment. Assume also that I
don't want to run around specialcasing specific IP address
Joe St Sauver wrote:
Note that not all DNSBLs are being effectively hit. DNSBLs which run with
publicly available zone files are too distributed to be easily taken down,
particularly if periodic deltas are distributed via cryptographically
signed Usenet messages (or other "push" channels). You can
Raymond Dijkxhoorn wrote:
[Mimedefang] monkeys.dom UPL being DDOSed to death
Jon R. Kibler [EMAIL PROTECTED]
Tue Sep 23 14:15:01 2003
The computer security industry really needs to figure out how to get law
enforcement to take these attacks seriously. It would only take a few good
prosecution
Dan Hollis wrote:
On Tue, 23 Sep 2003 [EMAIL PROTECTED] wrote:
On Mon, 22 Sep 2003, Dave Stewart wrote:
Courts are likely to support the position that Verisign has control of .net
and .com and can do pretty much anything they want with it.
ISC has made root-delegation-only the default behaviour
Paul Vixie wrote:
wildcards don't work that way. there are ns rr's in .com for verisign.com,
so you get a referral to those servers no matter whether a *.com wildcard
exists or not.
I think the point was that if catching typographical errors was so
important to verisign, they would have created
Mike Tancsa wrote:
I am not advocating that at all. ("everyone's doing it, so let's not
bother") However, I don't see what the municipal government has to do
with a matter like this. I imagine it's a civil issue where you have to
get the lawyers involved :( Certainly if the company persisted,
Dan Riley wrote:
It breaks a few things we care about--for example, www.ithaca.ny.us is
a naked CNAME in the us root:
There's no reason to force .us as delegate only. Force com and net to
delegate only and you'll have the Internet as it was before this debate
started.
-Jack
Mike Tancsa wrote:
Local government has nothing to do with it. It was just some dime a
dozen porn company.
Back to the "everyone's doing it, so let's not bother" syndrome.
-Jack
Paul Vixie wrote:
i do not expect the ietf to say that root and tld zones should all be
delegation-only. but good luck trying.
It hasn't been that large an issue in the past, and as pointed out by
some, the countermeasures are just as harmful. I hope that
delegation-only is only a temporary meas
John Dvorak wrote:
and the response from Russell Lewis:
http://www.icann.org/correspondence/lewis-to-twomey-21sep03.htm
! The Internet works perfectly fine for years. They
make a change which is confirmed to disrupt service. Instead of
restoring the stable state while conducting a review, they fe
Matt Larson wrote:
In response to this feedback, we have deployed an alternate SMTP
implementation using Postfix that should address many of the concerns
we've heard. Like snubby, this server rejects any mail sent to it (by
returning 550 in response to any number of RCPT TO commands).
Matt,
The
Andy Walden wrote:
I'm not necessarily making a statement one way or the other on port 25
filtering, but SMTP Auth, when properly configured and protected against
brute force attacks is certainly a useful thing. YMMV of course.
Keyloggers are popular in the same viruses that install open proxies.
Owen DeLong wrote:
Yes. I responded to this in a previous post. We must do what we must do
temporarily to keep things running. However, breaking the net is not a
long term solution. We must work to solve the underlying problem or it just
becomes an arms-race where eventually, no services ar
Adam Hall wrote:
Anyone know anything about providers removing ACLs from their routers
to allow ports 135/445/ back into their network? Curious only
because customers are calling in saying that Verizon, Cox, Bellsouth,
and DSL.net are doing so and seem to have a big problem with the fac
[EMAIL PROTECTED] wrote:
Particularly of interest would be "established standards" for "Class A
Datacenter" specifically relating to the physical plant -- Power,
cooling, physical security, etc. I think we can all agree in general on
N+1 everything, and we can go round and round again on what exac
Paul Vixie wrote:
actually, i had it convincingly argued to me today that wildcards in root
or top level domains were likely to be security problems, and that domains
like .museum were the exception rather than the rule, and that bind's
configuration should permit a knob like "don't accept anythin
Alex Kamantauskas wrote:
Not really operational content, but I was wondering if there was an
intellectual property issue with the Verisign .com/.net redirect?
Not sure about IP, but there are privacy issues. Verisign has
intentionally redirected all email that was mistyped on the recipient to
Aaron Dewell wrote:
The point is, this makes a reasonable backup plan. Far from ideal, but
we're dealing with a state-supported monopoly who can do whatever they
want. Get this in place, then think about how to throw the monopolies
out. This works in the meantime. They will likely compromise t
Aaron Dewell wrote:
What if there was a requirement to add something that would work as a
wildcard, but also be easily detected as a wildcard with one additional
query? thisisawildcard.*.com IN A 127.0.0.1 or something. One additional
query, and applications can decide whether they want a wildca
Eric Germann wrote:
And what's to say they don't get around our methods of blacklisting it by
changing the IP around every zone update?
result=query domain.tld
wild=query *.tld
if result=wild & dontwantwild then result=NXDOMAIN
-Jack
Paul Vixie wrote:
no. not just because that's not how our internal hashing works, but
because "hosted" tld's like .museum have had wildcards from day 1 and
the registrants there are perfectly comfortable with them. there's
no one-policy-fits-all when it comes to tld's, so we would not want
to off
[EMAIL PROTECTED] wrote:
How frikking many hacks will we need to BIND9 to work around this braindamage?
One to stuff back in the NXDomain if the A record points there, another to
do something with make-believe DNSsec from them. What's next?
You mean that you don't like it when the Authority the
Eric Gauthier wrote:
Take a look and let me know what you think. Any question or comments -
editorial or otherwise - would be greatly appreciated.
Nice layout. Reverse the process so default is a good host a
Petri Helenius wrote:
How long until the next worm/virus/trojan would first disable this
handshake and then attach to the network? Or you expect to terminate
customers within the 24 hours new patches are out if they don't patch?
Or 72 hours?
I fully expect malicious code and even users to disabl
Sean Donelan wrote:
If infected users have an offline method for obtaining patches, then we
don't need to figure out a way to keep their buggy, infected computers
connected to the network long enough to download the patches.
And wouldn't it be nice if someone developed a good protocol that
allowed
Robert Bridgham wrote:
it runs but even Hotmail.com uses Qmail as its MTA. This is one of the
leading webmail sites in the world with between 80-100million accounts, and
still running strong. I would definitely put my vote to Qmail for any
organization, any size!
telnet mx1.hotmail.com 25
Tryi
Christopher L. Morrow wrote:
keep in mind its not destination addresses that are the problem here, BUT
True, but there is RPF checks based on routing. anything routed to NULL0
is generally treated by such filters as an invalid route and will
discard the packet of any source address from such a r
[multiple response]
Christopher L. Morrow wrote:
I'm going to take a stab at: The next 69.0.0.0/8 release? Certainly there
was some lesson learned from this, no?
I don't buy it, Chris. Are you saying that a large backbone provider
can't maintain up-to-date bogon filters? In fact, I'd say they wo
Fisher, Shawn wrote:
I would like to get some opinions on the Best Mailserver in the Universe.
Is there a more appropriate list for this question?
I'm partial to sendmail due to the grandfather clause, but if I could go
back in time and redesign everything, I'd be a diehard postfix fan. I
have s
Christopher L. Morrow wrote:
At the edge, very near the originating host there is no reason not to
filter these, if you find the sources you might consider asking them why
they didn't filter these for you...
And what is the reason to not filter these in the backbone? Full spoof
protection at some
Johannes Ullrich wrote:
Charge the same and take your 'abuse' team out for lunch on the change
you save by blocking the ports ;-)
We were looking at blocking 25 outbound except to designated servers as
well for many of our dialup and broadband customers. Those with the
service get the benefit of
Gerardo Gregory wrote:
these ports. The "internet" in itself is nothing more than a
communications link, and the ISP's are providers to this link. The
purpose of which is the exchange of information over a "public" medium.
You want an ISP to begin filtering at the 4th layer (OSI
Reference...y
Nenad Pudar wrote:
Again my point is that your site (or any other that use the same dns for
ipv4 and 6) may be "blackholed" by ipv6 (it is not the question primary
about the quality of the ipv6 connection, it is the fact that your ipv4
connection which may be excellent is blackholed with your ipv6 connec
If you look closely, they are probably not just stripping your AS. They
are probably aggregating your network. One provider that I am aware of
that does this is AT&T. Since your advertisements out the other network
will be more specific, traffic will only come through them. If the
networks are
Owen DeLong wrote:
Again, I just don't see where an ISP can or should be held liable for
forwarding what appears to be a correctly formatted datagram with a valid
destination address. This is the desired behavior and without it, the
internet stops working. The problem is systems with consistent
Sean Donelan wrote:
How many ISPs disconnect infected computers from the network? Do you
leave them connected because they are paying customers, and how else
could they download the patch from microsoft?
We disconnect after contact if they remain infected after 72 hours or
once we determine cont
Sean Donelan wrote:
If you don't want to download patches from Microsoft, and don't want to
pay McAfee, Symantec, etc for anti-virus software; should ISPs start
charging people clean up fees when their computers get infected?
www.google.com
+Free +AntiVirus
Now was that so hard?
-Jack
Rob Thomas wrote:
Oh, good gravy! I have a news flash for all of you "security experts"
out there: The Internet is not one, big, coordinated firewall with a
handy GUI, waiting for you to provide the filtering rules. How many
of you "experts" regularly sniff OC-48 and OC-192 backbones for all
th
[EMAIL PROTECTED] wrote:
So the provider allows the user to pick an insecure password, and then
complains that they can't support a security measure because of their poor
policy choices/enforcement?
You have an easy way to change password enforcement of an existing user
base? Dealing with people
JC Dill wrote:
Either the webmail solution meets your needs, or you need to obtain
service from a company that offers a solution that meets your needs.
Why is this so hard to understand?
Or people implement a protocol that doesn't break existing uses of the
system (let's not forget the issues
Mikael Abrahamsson wrote:
You switch service provider or give them a whack with the cluebat.
Some providers don't support auth due to the insecure passwords their
users have. Having your server opened up to relay spam because your user
had a bad password is not a good prospect.
-Jack
Michel Py wrote:
If ISPs don't want people to run SMTP servers on their DSL line they
should provide a top-notch smarthost, which most don't.
The ones that don't provide a top-notch smarthost usually don't handle
abuse complaints either. Just what do they do for their customers? I'm
curious.
Gary E. Miller wrote:
Maybe if PacBell (and others) actually disciplined their more out of
control DSL customers then other ISPs would not feel the need to do it
for them.
It doesn't matter. A large percentage of open proxies are on dynamic
DSL. Since a lot of ISPs will not handle proxy reports an
Temkin, David wrote:
We've noticed that one of our upstreams (Global Crossing) has introduced
ICMP rate limiting 4/5 days ago. This means that any traceroutes/pings
through them look awful (up to 60% apparent packet loss). After
contacting their NOC, they said that the directive to install th
Henry Linneweh wrote:
Microsoft has a task scheduler that people should learn to use to remind
them to check update to make sure their patches are current, it is
located in the control panel and labeled Scheduled Tasks and has an
Add Scheduled Tasks icon to add update, FYI
And that helps a fresh
Paul A. Bradford wrote:
2. the "remote control" being hijacked by someone besides MS?
2a. Hey I'd love to be able to shut folks that were killing my network
off until they update, but is it my right?
Automatic cutoff until update check every 7 days?
-Jack
Sean Donelan wrote:
As some of you know, the standard Microsoft OS distribution sold
in stores on CD is a year or so old, and doesn't include any recent
patches. You needed to download recent patches from Microsoft's
web site. Unfortunately, with the latest round of worms, Windows
doesn't surviv
[EMAIL PROTECTED] wrote:
ip address (access-lists): 199
^^^
Extended IP access list 181
^^^
Did you mean to have a mismatch between the numbers?
Or is there some magic configuration detail that links
the two together that I haven'
Scott McGrath wrote:
Geo,
Look at your set interface Null0 command the rest is correct
you want to set the next hop to be Null0. How to do this is left as an
exercise for the reader.
Interface Null0 works fine. Here's a quick check.
Inbound (from peers) policy matches
route-map nachi-worm, pe