[swinog] Re: [swinog] Whois for microsoft
On Tue, Feb 17, 2004 at 03:15:19AM +0100, Matthias Hertzog wrote:
> Aborting search 20 records found .
> MICROSOFT.COM.RUNS.ON.AN.8088.ORG
> MICROSOFT.COM.RAWKZ.MUH.WERLD.MENTALFLOSS.CA
> MICROSOFT.COM.OHMYGODITBURNS.COM
> [...]
> I discovered this problem after not being able to reach microsoft's
> website at www.microsoft.com

don't worry, the names you see are just registered name servers from some funny people... :)

for example try:

whois -h whois.internic.net MICROSOFT.COM.AINT.WORTH.SHIT.KLUGE.ORG

   Server Name: MICROSOFT.COM.AINT.WORTH.SHIT.KLUGE.ORG
   Registrar: VERISIGN GRS (ORG)
   Whois Server: whois.verisign-grs.com
   Referral URL: http://www.verisign-grs.com

whois -h whois.internic.net MICROSOFT.COM.HAS.TEH.GAY.OMFGLOL.COM

   Server Name: MICROSOFT.COM.HAS.TEH.GAY.OMFGLOL.COM
   IP Address: 130.94.123.8
   Registrar: ABACUS AMERICA, INC. DBA NAMES4EVER
   Whois Server: whois.names4ever.com
   Referral URL: http://www.names4ever.com

etc. (look at the real domain names... for example here kluge.org or omfglol.com...)

for more info about that feature, check
http://lists.netsys.com/pipermail/full-disclosure/2003-December/015092.html
or others of the many pages about that listed in google:
http://www.google.com/search?q=%22MICROSOFT.COM.IS.NOT.SEXYCOOL.ORG%22

cheers have a nice day,
Olivier

--
Olivier Mueller - [EMAIL PROTECTED] - PGPkeyID: 0E84D2EA - Switzerland

--
[EMAIL PROTECTED]
Maillist-Archive: http://www.mail-archive.com/swinog%40swinog.ch/

Re: [swinog] Mass mailing: how to do it nicely?
Hi Markus

thanks for your feedback!

On Tue, Feb 10, 2004 at 04:32:32PM +0100, Markus Wild wrote:
> > Do big ISP have security systems, which blacklist or return a SMTP 55x
> > after getting n*1000 mails from the same server?
>
> You'll be automatically blocked for a day if you send us more than a (low)
> amount of non-existent recipients (which easily happens if...

nice concept, should be quite practical against dictionary attacks. Have you implemented that by yourself, or was it already a feature of your MTA? And what kind of blocking, if I may ask: 4xx, 5xx or even iptables rule?

I'll try to set up the same kind of system for our servers (qmail-vmailmgr qmail-ldap based).

regards,
Olivier

[swinog] Re: [swinog] Should IDN (äöüé etc.) domains be postponed? [statement from switch]
On Wed, Jan 28, 2004 at 10:48:42PM +0100, Fredy Kuenzler wrote:
> http://www.reisen.ch/idn/
> sorry, currently only german. But interesting topic.
> F.

And here the statement from Switch from yesterday about this issue (see below). I guess there will be many people online on 1st March at midnight... (including myself: of course I _need_ müller.ch :)

- Statement (source: http://www.switch.ch/id/announcements.html?id=63 ) 09.02.2004 by SWITCH on the press release issued by the company, reisen.ch AG, Berne.

In a press release dated 28 January 2004, the company, reisen.ch AG, Berne, wrote that it considers unlawful the procedure selected by SWITCH for the introduction of IDN (Internationalised Domain Names, i.e. domain names with accents and umlauts). SWITCH sets out its opinion here and clarifies the misunderstandings that have arisen.

The company, reisen.ch AG, Berne, the holder of domain names which contain 'ue' as a substitute for the unavailable character 'ü', asked SWITCH to allocate it the corresponding domain names with 'ü' instead of 'ue' and to postpone the introduction date for domain names with accents and umlauts (Internationalised Domain Names, or IDN).

The characters 'ue' are not identical to 'ü', and 'e' is not identical to 'é' in either linguistic or technical terms. For instance, 'poet' is not the same as 'pöt', and ships don't travel through the 'Süzkanal' but through the 'Suezkanal'. In technical terms, Internationalised Domain Names constitute an extension of the address space (A-Z, 0-9, hyphen). The IDN bücher.ch is really made up of the character sequence xn--bcher-kva.ch, referred to in technical terms as the ACE-string. xn--bcher-kva.ch and bücher.ch are thus two different things.

To quote SWITCH's lawyer, Nicole Beranek Zanon: A transcription of the type that reisen.ch AG is asking for goes against the 'first come, first served' principle that SWITCH is legally obliged to apply. Also, SWITCH does not have to check who is entitled to a domain name, and the transcription would make it necessary to perform checks of this type. Added to this, SWITCH is forbidden by law to accept reservations for domain names.

SWITCH is aware of the fact that conflicts may arise in individual cases. This is why the introduction of IDN is being accompanied by the introduction of a Dispute Resolution Service, designed to ensure that conflicts can be resolved amicably and efficiently.

It is claimed that SWITCH has not observed the statutory period of notice. The standard referred to is not applicable to domain names, however, which is why no violation has occurred. Both the Swiss Federal Office of Communications (OFCOM) and SWITCH have issued press releases giving the public sufficient information on the forthcoming introduction of IDN. The first press release by SWITCH was issued in 2002, and information was provided in a media release of 24 November 2003 that was taken up on a nationwide basis. SWITCH has had information on the basic technical principles, the background and the legal aspects of IDN (domain names with accents and umlauts) posted continuously on its website for many months at www.switch.ch/id/idn

IDN, or domain names with accents and umlauts, are being introduced for the Internet community on 1 March 2004, and the corresponding requests will be processed by SWITCH as of this date on a strict 'first come, first served' basis and in accordance with SWITCH's valid General Terms and Conditions (GTC).

© 2004 SWITCH -

regards,
Olivier

Re: [swinog] Mass mailing: how to do it nicely?
Wow, thx for the detailed answer! Also working late I see... :)

On Tue, Feb 10, 2004 at 10:33:00PM +0100, Markus Wild wrote:
> It's a custom modification to sendmail-8.12.10. My recent conversion of the
> previous berkeley-db based approach to a central MySQL db for storing the
> records of violating IP addresses is now in field trial on two of our mail
> servers. If nothing goes wrong I should have all of them on the new code by
> the weekend, and I'll then also publish the code.

Just an idea btw: everybody seems to work on that problem alone in its kitchen. Why not work a bit more together, for example on Switzerland/Swinog-level, to set up a kind of dynamic Swinog RBL? There are so many people around (network experts, ISP abuse officers, mta/(djb)dns specialists, students, etc): I believe there is the potential to build something interesting.

And this could be a good topic for a Semesterarbeit/Diplomarbeit if there are some FH/ETH teachers reading...

Regards 'nite,
Olivier

--
Olivier Mueller - [EMAIL PROTECTED] - PGPkeyID: 0E84D2EA - Switzerland

Re: [swinog] spam?
On Sun, Nov 30, 2003 at 03:55:27AM +0100, John Morgan Salomon wrote:
> > I never saw spam in person before. Usually I can press the delete-button
> > or throw some paper away, but it has never happened that spam put me out
> > of my warm and comfortable bed.
>
> It is possible to delete this kind of spam; it's just generally illegal
> and fairly messy.

You just have to hire Kill Bill's Black Mamba, it's then quite quick and simple... :-)

Regards,
Olivier

--
Olivier Mueller - [EMAIL PROTECTED] - PGPkeyID: 0E84D2EA - Switzerland

Re: [swinog] Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet
On Thu, Jul 17, 2003 at 05:03:44PM +0200, Reza Kordi wrote:
> A client of ours has already been attacked too! We are upgrading the most
> urgent cases,

FYI, exploits are already around: check for example:
http://lists.insecure.org/lists/fulldisclosure/2003/Jul/0592.html
(the attached file).

And a french netadmin also told that unpatched ciscos are vulnerable to: hping some parameters... (not sure if it is a good idea to post it here, what do you think?).

regards,
Olivier

--
Olivier Mueller - [EMAIL PROTECTED] - PGPkeyID: 0E84D2EA - Switzerland
qmail projects: http://omail.omnis.ch - http://webmail.omnis.ch

Re: [swinog] Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet
On Fri, Jul 18, 2003 at 04:46:56PM +0200, Pascal Gloor wrote:
> Exploit tested on a 2600 12.1(6) IP PLUS and worked very well.
> Afaik everything written in the exploit could be done manually with hping.
> didn't test that.

Could you try with -0 --ipproto 55 --ttl 1 ?

(can't (and won't) test it myself: my provider's cisco's are already safe :)

Regards,
Olivier

--
Olivier Mueller - [EMAIL PROTECTED] - PGPkeyID: 0E84D2EA - Switzerland

Re: [swinog] ADSL and CPS on ISDN
On Mon, Mar 10, 2003 at 10:15:02PM +0100, Flavio Curti wrote:
but i think it does say nothing about the case where you have cps and want to get adsl with somebody else... it's just a nice decision-'influence' for everybody ordering a new isdn.. just like the heavy bluewin publicity included in *every* Swisscom invoice... shouldn't this kind of mass advertising be forbidden (every adsl user = swisscom user = will get this unsolicited commercial stuff)?

regards 'night,
Olivier

Re: [swinog] SwiNOG-6 announcement / Call for presentations
Bonjour,

On Fri, Feb 07, 2003 at 04:33:28PM +0100, Michel Renfer wrote:
> We're very happy to do the official announcement for SwiNOG-6:
> At this time we're searching for presentations to fill the agenda. If you
> have an idea or if you want to hold a presentation, please send your offer
> directly to the list!

We would be glad to present the results of our Swiss Internet Analysis Diploma Thesis: it would take around 30 minutes, plus maybe 15 for Q&A.

You will find more details under the project homepage:
http://www.swiss-internet-analysis.org/

It was a work of the ZHW (Zürcher Hochschule Winterthur), supported by IXEurope Telehouse Facilites AG and with the help of Switch, BAKOM and many swiss ISPs.

Feedback (and questions etc.) welcome!

Regards,
Olivier

--
Olivier Mueller - [EMAIL PROTECTED] - PGPkeyID: 0E84D2EA - Switzerland
qmail projects: http://omail.omnis.ch - http://webmail.omnis.ch

Re: [swinog] New worm / port 1434
Good morning,

On Sat, Jan 25, 2003 at 12:10:51PM +0100, Michel Renfer wrote:
> We (AS-LAN) blocked one customer, which seems to be infected (outgoing
> traffic is up to the line rate). Anyone also see such problems?

yes, just saw this message on bugtraq:

Subject: [bugtraq] MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
http://online.securityfocus.com/archive/1/308306/2003-01-22/2003-01-28/0

Regards,
Olivier

--
Olivier Mueller - [EMAIL PROTECTED] - PGPkeyID: 0E84D2EA - Switzerland

Re: [swinog] New worm / port 1434
On Sat, Jan 25, 2003 at 12:21:46PM +0100, Olivier M. wrote:
> Subject: [bugtraq] MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
> http://online.securityfocus.com/archive/1/308306/2003-01-22/2003-01-28/0

there are now a few attacks per minute:

omega:~ # tcpdump udp port 1434
tcpdump: listening on eth0:0
12:53:06.430071 213-161-85-70.agcl.com.1040 195.134.143.46.ms-sql-m: udp 376
12:53:15.792279 202.188.6.86.3697 omega.omnis.ch.ms-sql-m: udp 376
12:53:30.012801 195.219.131.6.ricardo-lm omega.omnis.ch.ms-sql-m: udp 376
12:54:04.194407 164.223.1.115.3567 195.134.143.45.ms-sql-m: udp 376
12:55:15.292800 lsdata.cit.buffalo.edu.zephyr-hm 195.134.143.45.ms-sql-m: udp 376
12:55:27.625343 vrbensky.utia.cas.cz.4292 omega.omnis.ch.ms-sql-m: udp 376
12:55:39.936282 op12.diepresse.at.4020 195.134.143.46.ms-sql-m: udp 376
12:56:00.208818 user-3.quicknowledge.fiber.net.4062 omega.omnis.ch.ms-sql-m: udp 376
12:56:00.339223 ppsw140178.ppsw.rug.nl.btpp2audctr1 195.134.143.45.ms-sql-m: udp 376
12:56:08.425801 61.136.63.110.iad2 omega.omnis.ch.ms-sql-m: udp 376
12:56:09.379342 130.75.66.70.3895 omega.omnis.ch.ms-sql-m: udp 376
12:56:17.885228 www.ae.salford.ac.uk.4171 195.134.143.46.ms-sql-m: udp 376
12:56:35.737695 80.80.120.197.3443 195.134.143.107.ms-sql-m: udp 376

Microsoft patch:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp

Original advisory: (6 months old!!)
http://www.nextgenss.com/advisories/mssql-udp.txt

Olivier

--
Olivier Mueller - [EMAIL PROTECTED] - PGPkeyID: 0E84D2EA - Switzerland
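
One way to triage a capture like the one in the message above, as an added example that is not part of the original post: it counts the 376-byte UDP datagrams to ms-sql-m/1434 per minute and separates local hosts being probed from local hosts that are sending. The sample lines and the 192.0.2.0/24 "local" network are constructed, and numeric addresses (tcpdump -n) are assumed.

```python
import ipaddress
import re
from collections import Counter

# One line of the capture format shown above. The " > " separator is
# optional because some archives strip it; numeric hosts (tcpdump -n) assumed.
LINE = re.compile(
    r"^(?P<hh>\d\d):(?P<mm>\d\d):\d\d\.\d+\s+"
    r"(?P<src>\S+)\.(?P<sport>[\w-]+)\s+(?:>\s+)?"
    r"(?P<dst>\S+)\.(?P<dport>[\w-]+):\s+udp\s+(?P<len>\d+)"
)
PORTS = {"1434", "ms-sql-m"}   # tcpdump prints the service name when it knows it
DGRAM_LEN = 376                # size shown on every line of the capture

# Constructed sample (documentation addresses), not traffic from the post.
SAMPLE = """\
12:53:06.430071 198.51.100.7.1040 > 192.0.2.46.ms-sql-m: udp 376
12:53:15.792279 203.0.113.86.3697 > 192.0.2.45.1434: udp 376
12:53:30.012801 203.0.113.9.2301 192.0.2.46.ms-sql-m: udp 376
12:54:04.194407 192.0.2.80.3567 > 198.51.100.115.ms-sql-m: udp 376
12:54:04.194911 192.0.2.80.3567 > 203.0.113.200.ms-sql-m: udp 376
12:54:09.000100 198.51.100.7.1041 > 192.0.2.46.ms-sql-m: udp 48
12:55:15.292800 host.example.net.4020 > 192.0.2.45.ms-sql-m: udp 376
""".splitlines()


def summarize(lines, local_net):
    """Return (packets per minute, local targets, local senders) as Counters."""
    net = ipaddress.ip_network(local_net)
    per_minute, targets, senders = Counter(), Counter(), Counter()
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["dport"] not in PORTS or int(m["len"]) != DGRAM_LEN:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # resolved hostname: capture again with -n
        per_minute[f"{m['hh']}:{m['mm']}"] += 1
        if dst in net:
            targets[str(dst)] += 1   # probe aimed at one of our hosts
        if src in net:
            senders[str(src)] += 1   # our host is emitting it: isolate and patch
    return per_minute, targets, senders


if __name__ == "__main__":
    for name, counts in zip(("per minute", "local targets", "local senders"),
                            summarize(SAMPLE, "192.0.2.0/24")):
        print(name, dict(counts))
```

A non-empty "local senders" result corresponds to the infected-customer case reported earlier in the thread, where outgoing traffic reached line rate.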