Re: anybody else been spammed by no-ip.com yet?
I'm going to make a suggestion which I realize that today there isn't any easy way to do this. However, I want to throw this out because I think if we could figure out how to do it, I think the spam problem will go away. Anytime anyone sends a mail to my server, I want to be paid 2 cents. 2 cents is probably less than the combined costs of me recieving a mail message. (Maybe 3 is better). That said, even if it was 2 cents, then a spammer dropping 10,000 messages on my server would net us $200.00 - and better, cost the spammer $200.00. Normal email between two people would likely cancel out and be of no net cost. You would also want to be able to accept mail from certain senders for free. What I envision is some sort of micropayment protocol extension to SNMP. something like you exchange helo's, mail from, and rcpt to's, and the receiving server says to the sender That will be x cents please, at which point the server sends some sort of cert-signed digital cash. I'm not sure how you would bootstrap this or if it will ever be possible. I just think that if we could get even $0.02 per email from the spammers a lot of them would stop. - Forrest W. Christian ([EMAIL PROTECTED]) AC7DE -- The Innovation Machine Ltd. P.O. Box 5749 http://www.imach.com/Helena, MT 59604 Home of PacketFlux Technogies and BackupDNS.com (406)-442-6648 -- Protect your personal freedoms - visit http://www.lp.org/
Re: anybody else been spammed by no-ip.com yet?
On Sat, 4 May 2002, Forrest W. Christian wrote: What I envision is some sort of micropayment protocol extension to SNMP. - Make that SMTP :) I guess I've been working on network monitoring too much recently. - Forrest W. Christian ([EMAIL PROTECTED]) AC7DE -- The Innovation Machine Ltd. P.O. Box 5749 http://www.imach.com/Helena, MT 59604 Home of PacketFlux Technogies and BackupDNS.com (406)-442-6648 -- Protect your personal freedoms - visit http://www.lp.org/
World-wide distributed DoS and warez bot networks (fwd)
From a forward to me on the DDos stuff...this might shed some light on the DDos problem, if not sorry for the bandwidth. begin forward [Note: I just noticed last night, after giving a talk on this incident, that several threads on the SANS Unisog list going back as far as February 18, 2002 have discussed this same botnet in generality and in some detail, so I can't claim to be the first to analyze this botnet. That credit goes to Christopher E. Cramer of Duke University. (That's what I get for letting myself get so far behind on email, and for not studying all sources of information I had available to me when we first started seeing problems. Hopefully someone on the unisog list will cross-post to [EMAIL PROTECTED] when a widespread incident like this pops up next time. ;) The Unisog threads can be found here: http://staff.washington.edu/dittrich/misc/ddos/unisog-xdcc.txt Since all this work was already done, I'll still post what I have assembled with the assistance of Mike Hornung and Alexander Howard at the UW, in hopes I'm adding something new in the way of tools and techniques (see my CanSecWest talk slides referenced at bottom) that will help speed up response the next time one of these massive botnets is assembled using compromised computers.] Summary === Over the months of March through late April of 2002, the University of Washington has seen multiple incidents of distributed warez (pirated software) and denial of service (DDoS) attacks, coming from Windows 2000 and NT systems. These systems all have several things in common: o They appeared to be found with no password on the Administrator account, and control taken over. o They had various IRC bots installed on them, including knight.exe, GTbot, and X-DCC (a distributed warez serving bot.) o They had the ServUFTP daemon running on them for incoming file transfer (to load the warez.) o They had Firedaemon (a program that registers programs for execution to serve incoming connections, similar to the Unix inetd daemon.) Details === Forensic analysis of hard drive contents and IRC traffic has revealed the methods and signatures of the malware installed on the compromised systems. To date we are not 100% sure of exactly how the initial backdoor installation occurs, but it appears to involve remote shell access (via telnetd). Whatever it is, the next step is to transfer a script onto the system and run it to bootstrap the rest of the installation of backdoors, bots, FTP server, and other support programs, the modification of directory/file permissions and attributes to hide files, and changes to registry settings to make programs run at each boot. On some system, FTP is also used to later transfer files onto the compromised system. The script does the following: o Creates a directory under the C:\RECYCLER directory, and marks it hidden and system directory. o Kills any previously running instances of itself. o Installs Firedeamon, and changes it (and other support programs) to be system/hidden. o Uses tftp to download IRC bot configuration files from a temporary cache (on another compromised system) o Does a net user administrator changem and deletes the ipc$ file share. o Starts the Firedaemon and registers services named Ms32dll, SVHOST and MSVC5 o Creates a file to set the following Registry settings, then runs regedit on this file: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\] restrictanonymous=1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0\] NTLM=2 o Cleans up some files, and stops and deletes the following services: tlntsvr and PSEXESVC o (Re)Starts the following services: lmhosts and NtLmSsp =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= user_nick [XDCC]-649 slotsmax 20 loginname X filedir C:\RECYCLER\S-1-5-21-2686636377-1107193052-384560437-1000 uploaddir C:\RECYCLER\S-1-5-21-2686636377-1107193052-384560437-1000 xdccfile c:\winnt\system32\vmn32\asp\mybot.xdcc pidfile c:\winnt\system32\vmn32\asp\mybot.pid server irc.XX.net 6667 server irc.XX.net 7000 server .X.net 6667 server .X.net 7000 server XXX.XXX.XX.XXX 6667 logrotate weekly messagefile c:\winnt\system32\vmn32\asp\mybot.msg ignorefile c:\winnt\system32\vmn32\asp\mybot.ignl channel #XDCC -plist 15 user_realname XDCC user_modes +i virthost no vhost_ip virtip.domain.com firewall no dccrangestart 4000 queuesize 20 slotsmaxpack 0 slotsmaxslots 5 slotsmaxqueue 10 maxtransfersperperson 1 maxqueueditemsperperson 1 restrictlist yes restrictsend yes overallminspeed 5.0 transfermaxspeed 0 overallmaxspeed 2000 overallmaxspeeddayspeed 0 overallmaxspeeddaytime 9 17 overallmaxspeeddaydays MTWRF debug no autosend no autoword bleh automsg bleh autopack 1 xdccautosavetime 15 creditline
Re: anybody else been spammed by no-ip.com yet?
On Sat, 4 May 2002, Forrest W. Christian wrote: I'm going to make a suggestion which I realize that today there isn't any easy way to do this. However, I want to throw this out because I think if we could figure out how to do it, I think the spam problem will go away. Anytime anyone sends a mail to my server, I want to be paid 2 cents. Apart from the various obvious problme with this (as elaborated by someone else already), this could make things worse overall. Its an interesting, but naive idea.. The moment there's money to be made in receiving email, someone will exploit it in ways you won't expect. Bandwidth is about a dollar/gig nowadays? Thus, thats about 50,000 emails/dollar of bandwidth, and that dollar is capable of making the smart entrepreneur $1000.[1] Now, how do I build a ``business plan'' so that many people send me short bits of email, and where I can act as an email sink? Off of the top of my head: Troll for cash? (Like I am right now! :) Make a zombie network that continiously sends me email? Lottery sites. (``Send an email for a chance to win! The more emails, the bigger the pot and the higher your chances.'') Subscribe to every mailing list under the sun? I don't remember my SMTP, but this may adjust economics so that bounce messages are a financial cost and are no longer sent and/or may be used to bankrupt an orginzation. And, will that business plan be worse than the current situation? Scott P.S. If you get what you want, I'm going to get a business method patent on the email lottery idea. I got college loans to pay off! [1] This raises an interesting question of how can you claim an email costs $.02 to receive, when the bandwidth to get it is about 3 orders of magnitude less, and diskspace costs 2 orders of magnitude less ($10/gig)? If your average user gets 10 emails/day, that means that each user gets 300 emails/month, and costs you $6.00 in resources? If you have dialup users paying $20/month, do you kick them off if they subscribe to a busyish mailing list and get over 35 emails/day? In terms of ISP resources, emails cannot be costing $.02 each to receive. In terms of the time to delete them, I could believe that they cost $.02 each. (If you value your time at $20/hour, $.02 is 3 seconds)
Re: anybody else been spammed by no-ip.com yet?
On Fri, 3 May 2002 [EMAIL PROTECTED] wrote: Do you have data on approximate amount of this extra mail bandwidth due to spam per user? Actually lets be more exact, can some of you with 10,000 real user mail accounts reply how much traffic your mail server is using and if you have spam filter, how much (in percentage) of mail were filters. And how big were the filterd spam in comparison to all other regular mails? And if possible how much in amount of disk space was it in comparison to all other emails? Since sendmail applies our dnsbl rules before accepting the message, I can't say how much bandwidth the blocked spam would have used. On a MX that handles mail for several tens of thousands of actual user accounts, it's not unusual for us to deliver ~400k messages and reject anywhere from 200k-500k messages. A few weeks ago we had a several day period during which we rejected 1,000,000 messages/day. The rejected numbers can be somewhat inflated though by the 'alphabet spammers'. I'm not sure what else to call them...but these are the people who try to send mail to every conceivable address @yourdomain. If you run a large mail server, you've probably seen them hit you. When they dump their random address spam on an open relay, that relay gets blacklisted pretty quickly, resulting in large numbers of dnsbl rejected messages that would have eventually bounced as 'no such user' bounces, and likely double bounced. Worse, IMO, than the bandwidth issue (mail from/rcpt to/571 doesn't use that much bandwidth), is the mail server load issue. A couple of open relays pounding on our mail servers trying to deliver a truckload of spam someone dumped on them will drive up the load in no time. I'm seriously considering adapting some existing code to watch syslog data and use kernel packet filtering to cut off connectivity for say 24h from IP's after N dnsbl caused rejections in Y minutes. This should reduce load considerably. While typing this I was just watching the log on one mail server and noticed several rejections/sec from mail.ignacio.k12.co.us. That system is an open relay (listed in several blacklists) and has been trying to deliver mail to atlantic.net since last wednesday. We've rejected from them the following numbers of messages: Wed: 82102 Thur: 286861 Fri: 215779 Sat (so far): 62128 -- -- Jon Lewis *[EMAIL PROTECTED]*| I route System Administrator| therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: anybody else been spammed by no-ip.com yet?
[EMAIL PROTECTED] writes: It does not cost very little to recieve spam. It costs the end-user very little to recieve spam. I'll echo Paul's comments about the cost of my time. In my case, a half hour a day seems about right (compared to Paul's hour a day). I suspect you may have a very different perception about the value of your time than Paul and I have about the value of ours. I am sure that we have customers whose time is worth a lot and whose time is worth very little. Over half of our customers, however, are in countries where there is a per-minute cost to being off-hook on a dialup. They see a very direct cost to download spam, aside from the human costs. Whether we like it or not however, this is a cost of doing business now, and is a normal part of determining your cost of goods sold (at least it *should* be). Counting inventory shrinkage costs as part of the cost of doing business at a retail establishment does not change the fact that shoplifting is a crime. Spam is theft, plain and simple. Spam is a reality that none of us, either alone or in concert, will ever be able to eradicate. That makes the general gnashing of teeth == tilting at windmills. Your position is noted. Our time is probably the most expensive part of an ISPs spam cleanups budget - automating a filter system (for those who specifically ask for it, of course) via the purchase of services from Vixie or your favorite equivalent is likely to be a reasonably inexpensive alternative to having us spinning our wheels. asbestos underwear in place ;- You have incomplete information. That's all I'm going to say about it. ---Rob
Re: anybody else been spammed by no-ip.com yet?
At the moment I'm actually interested in statistics on size of spam messages as compared to average size of mail message to try to caclulate amount of mail bandwdith they really waste... My own calculations show around 27% spam email and I'v seen statistics from 20-30% from others (someone else also wrote me 1/3 of the email, this is a little inflated but shows generaly what is). But I'm interested in actual numbers on per size of email statistics if possible. On Sat, 4 May 2002 [EMAIL PROTECTED] wrote: On Fri, 3 May 2002 [EMAIL PROTECTED] wrote: Do you have data on approximate amount of this extra mail bandwidth due to spam per user? Actually lets be more exact, can some of you with 10,000 real user mail accounts reply how much traffic your mail server is using and if you have spam filter, how much (in percentage) of mail were filters. And how big were the filterd spam in comparison to all other regular mails? And if possible how much in amount of disk space was it in comparison to all other emails? Since sendmail applies our dnsbl rules before accepting the message, I can't say how much bandwidth the blocked spam would have used. On a MX that handles mail for several tens of thousands of actual user accounts, it's not unusual for us to deliver ~400k messages and reject anywhere from 200k-500k messages. A few weeks ago we had a several day period during which we rejected 1,000,000 messages/day. The rejected numbers can be somewhat inflated though by the 'alphabet spammers'. I'm not sure what else to call them...but these are the people who try to send mail to every conceivable address @yourdomain. If you run a large mail server, you've probably seen them hit you. When they dump their random address spam on an open relay, that relay gets blacklisted pretty quickly, resulting in large numbers of dnsbl rejected messages that would have eventually bounced as 'no such user' bounces, and likely double bounced. Worse, IMO, than the bandwidth issue (mail from/rcpt to/571 doesn't use that much bandwidth), is the mail server load issue. A couple of open relays pounding on our mail servers trying to deliver a truckload of spam someone dumped on them will drive up the load in no time. I'm seriously considering adapting some existing code to watch syslog data and use kernel packet filtering to cut off connectivity for say 24h from IP's after N dnsbl caused rejections in Y minutes. This should reduce load considerably. While typing this I was just watching the log on one mail server and noticed several rejections/sec from mail.ignacio.k12.co.us. That system is an open relay (listed in several blacklists) and has been trying to deliver mail to atlantic.net since last wednesday. We've rejected from them the following numbers of messages: Wed: 82102 Thur: 286861 Fri: 215779 Sat (so far): 62128
Re: Effective ways to deal with DDoS attacks?
On the subject of uRPF, I thought I should point out that Juniper just added support for it in JunOS 5.3. The news seems to have been obscured by the T640, but I think its a pretty big deal. One less excuse for the people who still aren't RPF filtering their customers (you know who you are). Go forth and be filterful. :) -- Richard A Steenbergen [EMAIL PROTECTED] http://www.e-gerbil.net/ras PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
Re: Effective ways to deal with DDoS attacks?
In the referenced message, Iljitsch van Beijnum said: On Fri, 3 May 2002, Stephen Griffin wrote: for single-homed customers, simple uRPF for multihomed customers, acl exceptions based upon their registered IRR-policy, since the customer should already be registering in the IRR you have a list of all networks reachable via the customer, regardless of the actual real-time announcements or policy applications (prepending, localpref tweaks, etc) This doesn't make any sense. If you use uRPF on a customer interface, it will check the packets coming in from the customer to see if they match the prefixes you route to that customer. So as long as what you route to them and what they use as source addresses are identical, you don't have a problem. think MEDs and localpref twiddles., identical prefixes do not necessarily relate to best paths. For multihomed customers, these sets of prefixes should be identical, just like with single homed customers. The only time when those sets of prefixes is NOT the same is for a backup connection. But if a connection is a pure backup for incoming traffic, it's reasonable to assume it's a pure backup for outgoing traffic as well, so as long as the backup is dormant, you don't see any traffic so no uRPF problems. Not always the case, customer behaviour can not be accurately modeled. Using an exception access list is pretty silly: if you're going through the trouble of listing all a cutomer's prefixes in a list, you might as well just apply this acl to the interface rather than uRPF with the acl as exceptions. the acl will only be used on packets failing the rpf check. interface acls get applied to all traffic. There is another way to handle backups: you can also set the weight to a higher value for customer routes. This way, the router connecting to the customer will always use the routes announced by the customer, even if the rest of the network deems them inferior to another route to this customer because of a lower local pref, a higher MED or a longer AS path. This mechanism is also useful for peering: because of the higher weight, the border router will always prefer the exchange (or private peering link) for all traffic to the customer, so uRPF works. The rest of the network can still decide to send the traffic to another exchange point. I'm quite leery of having islands of widely divergent policy, and I wouldn't think it would help if you have multiple non-equal-cost-paths on the same router with which to accept traffic on. for non-clued peers, accept based upon any available forwarding path [hopefully, by the 100th time you beat on the peer about spoofed crud coming from them, they'll get religion and register, since you'll have less overall spoofing to track down, you can devote it to slapping them around more] If people stop peering with those network polluters they'll clean up their act soon enough. This is unlikely to occur, unfortunately, so merely making it as annoying as possible for polluters and less annoying as possible for non-polluters, is probably the way to go. you should also in/egress filter known bogons at all borders, like src/dst in rfc1918 src/dst in class e Why? That doesn't buy you much except job security because someone spending so much time on those impressive filters can't be missed of course. Because it is polite to not send crap to your neighbors, and advantageous to not have crap coming into your network. src in class d (not dest, however) Some multicast apps set the source to the group address as well. How... odd... Iljitsch van Beijnum
Re: anybody else been spammed by no-ip.com yet?
At 08:21 PM 03-05-02 -0700, Paul Vixie wrote: 456 05/03 Big Brother Protect your family on the InternetHTML BOD 457 05/03 Big Brother Protect your family on the InternetHTML BOD 458 05/03 Big Brother Protect your family on the InternetHTML BOD 459 05/03 Big Brother Protect your family on the InternetHTML BOD 460 05/04 FreeSampleCenter Win $20,000! Win $20,000 to RENOVATE your Home! 463 05/04 my_own_business20 If a 15 year old boy can earn $71,000 in just a 464 05/03 mikeYOUR HEALTH zNAUiqxgExThis is a multi-part mes 465 05/03 National Financia InvestorFacts: NasdaqNM: DSSI -Data Systems and 466 05/02 Pamila Binkley don't Pay another monthly Bill until you read th 469 05/04 [EMAIL PROTECTED] Large Annual Tax Savings!html head title remember, it would be ~4X higher without filtering, according to my syslogs. As an interesting aside, one of my filter rules to throw away spam was looking in the subject line for adv. Inadvertently, it ending up throwing away email from a lawyer who was trying to send me email since he signed his name as Joe Blow, Adv. :-) -Hank
Re: anybody else been spammed by no-ip.com yet?
On Sat, May 04, 2002 at 11:57:04AM -0700, Gary E. Miller wrote: Yo Scott! On Sat, 4 May 2002, Scott A Crosby wrote: I'd like the costs quantified.. Servers and disks are expensive, but if they handle a ten million messages during their lifetime, the amortized cost PER MESSAGE is cheap. I guess at a school you get free labor for setup, admin, backup, tech support, etc. FOr the rest of us those are major costs you left out. Correct, The people that call in and say Please delete my mailbox as i can't download anything from it because my mail client freaks out. that costs real $$$, since they want an 800# to dial, and those support costs are not directly tangible to spam but it's very complicated to add up. Most providers needed to build a custom mail system to get past 30-50k users as you can't run that on one beefy system. You need to keep duplicates away, reliable delivery and good responses for checking your mail. Then at this size you need to be integrated into your billing system otherwise your required resources to manage your isp grow very quickly. the costs of smtp() and pop3() are all related here. If you go back 10 years ago, you did not need a dedicated abuse/security staff to police your users. These are all intereleated. - jared -- Jared Mauch | pgp key available via finger from [EMAIL PROTECTED] clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: anybody else been spammed by no-ip.com yet?
trollishly What do you guess for the amortized cost/spam? /trollishly a cost that you are forced to pay in order to enrich somebody else is theft, no matter how microscopic the payment might be. we all know what (they) are, now we're just arguing about the price. I do find it amusing that nobody responded to my more relevant and intended thrust, about how putting a 'sender pays receiver for email' could cause a variety of new abuses of the email system. on the one hand, you're right that any micropayment system would have to be very carefully thought out and even more carefully implemented, lest it open the door to many and varied forms of microabuse. on the other hand, that doesn't disprove the case, since even in your example it would merely cause people to become a LOT more careful about they mail they sent. that CAN'T be a bad thing. bill washburn's XNS effort, while nowhere near ready for critical review, shows some of the throught that needs to occur to make micropayments not be a bad deal for one or both parties. www.xns.org has an overview and www.onename.com goes so far as to say With an OneName solution, you control and manage all relevant identity data, with no need to involve a third party in your business relationships. You can customize authentication and permission structures for every business relationship and automate specific types of data exchange, both within and across the corporate firewall. These same permission structures provide an easy way for customers to provide consent for the usage of their personal data. note that i'm not advocating the approach, but rather, holding it up as one example of how personal messaging will have to work at full scale.
Re: anybody else been spammed by no-ip.com yet?
I've been roasted privately and called naive in thinking that pay-per-mail is a valid solution. Let me first say that the $0.02 I pulled out of the air was derived simply by taking the $80/hr I bill to clients and dividing that by 3600 (number of seconds in an hour) thus $0.022. I'd say that about 1 second per email is probably real in relation to my time. Let me explain why I've come up the pay per message as an answer. I realize that this has got issues with it - such as abuses of the micropayment system, etc. etc. etc. Anyone who thinks that government can pass a law and this will go away is hopelessly naieve. The spammers will go overseas. Besides, if you look at the content of a lot of the spams I receive I doubt the senders care much about the law. The junk fax law, in my opinion, worked primarily because sending faxes from locations outside the us jurisdiction cost more and there were few things you could provide from overseas which were marketable via fax. Anyone who thinks we're going to be able to educate people and make them all close their open relays is going to make the problem go away is hopelessly naieve. There are just too many admins out there, most of which are of the I think running my own mail server is a good idea, but I really don't have much of a clue about how the mail server REALLY works variety. It's not possible. That leaves technological measures. Spam filters are a good idea, but spam is a very moving target. I run spamassassin (highly recommended) on a couple of mail servers. When I first install a newly-released version of spamassassin it is nearly perfect. Over a couple of months it gets less and less effective, at which point I install the newest version, which improves effectiveness again. Occam's razor is good, but in reality only catches spam if it has been reported to the razor. rbldns lists are effective only against the worst offenders, as the rest don't get reported until it is too late. and so on. I think the only other methods I can think of are best described as some sort of web of trust type method. These are essentially whitelist systems. In order to send me mail you have to *do* something. The first option is a traditional If you send me email and I don't know you, I'll bounce the message and you have to reply with a specially formatted mail message in order to get your mail through. The main problem with this model is that in circumstances where bulk mailing is necessary (such as notifications of credit card payment due, etc.), you run into a problem. The other thing is that eventually, spammers will learn how to respond to these messages automatically. The second is more of a secure-smtp model, in that each mail server is Certificated in one way or another and that you only accept mail from Certificated mail servers. One of the conditions of being certificated is verification of anti-spam technological and other measures (such as being able to identify spammers, etc.). In a small internet, this is a perfectly workable solution. In a globally sized one, it seems to me that the likelihood of spammers being able to work around the system is as close to 100% as you can get. The pay-per-message system I proposed was an outgrowth of the certificated option. In essence, my theory is that if you paid *something* for each message you send, than everything should equal out in the long run. Generally, other than mailing lists and spam, I send about 1 message for every one I receive. A spammer sends tens of thousands of messages for every one he receives. There are a whole new set of problems caused by this which I think have mostly been mentioned - to summarize, they mostly relate to the technical problems with doing this, plus the possibility of abuse of the system, etc. etc. etc. Someone pointed me to a discussion of camram at http://harvee.billerica.ma.us/~esj/camram.html. I initially *like* something like this option. In short, it forces the sender to spend a lot of CPU cycles for every message they send. Need to send a lot of email, well, spend a LOT of cpu cycles. The point I was trying to make with the pay-per-message is that the real cause of spam is an economic one. That is, the cost of sending the spam is less than the profit the spammers make from the spam. If we can increase the cost of sending the spam, then we will lessen the profitability of sending it, and the problem will diminish substantially. Remember almost 100% of the spam is driven by greed, and if we can't satisfy the greed of the spammers, they will go elsewhere. - Forrest W. Christian ([EMAIL PROTECTED]) AC7DE -- The Innovation Machine Ltd. P.O. Box 5749 http://www.imach.com/Helena, MT 59604 Home of PacketFlux Technogies and BackupDNS.com (406)-442-6648
Re: Large ISPs doing NAT?
On Fri, 3 May 2002, Avleen Vig wrote: Ha! I've been in Burbank (in the Valley north of LA) for 7 months now, I moved here from London. I've looked and looked and looked for *ANYTHING* other than the odd gas station or supermarket open passed 9pm! ?? Plenty of gas stations around here open after 9, some all night long. Same with groceries. Drugstores close pretty early though. Coming from a place where restaurants are regularly open until 3am, even far into the suburbs, this is a serious culture shock :-/ -- Steve Sobol, CTO (Server Guru, Network Janitor and Head Geek) JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET http://JustThe.net The Indians are unfolding into the 2002 season like a lethal lawn chair. (_News-Herald_ Indians Columnist Jim Ingraham, April 11, 2002)
Re: RoadRunner abuse?
On Fri, 3 May 2002, Mitch Halmu wrote: anyone out there before I go whining to MAPS, et al. Good luck. Roadrunner is a (presumed paying) MAPS customer: Eddy, contact me off-list, I have a contact at RR. - The following addresses had permanent fatal errors - [EMAIL PROTECTED] [EMAIL PROTECTED] - Transcript of session follows - ... while talking to vamx01.mgw.rr.com.: MAIL From:[EMAIL PROTECTED] 553 5.3.0 Mail from 205.159.140.2 rejected,see http://mail-abuse.org/rbl/enduser.html 501 [EMAIL PROTECTED],[EMAIL PROTECTED] Data format error NetSide is a MAPS et al. blocked ISP. We have plenty of rr.com spam examples, but are unable to notify them. If anyone cares... --Mitch NetSide -- Steve Sobol, CTO (Server Guru, Network Janitor and Head Geek) JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET http://JustThe.net The Indians are unfolding into the 2002 season like a lethal lawn chair. (_News-Herald_ Indians Columnist Jim Ingraham, April 11, 2002)
Re: anybody else been spammed by no-ip.com yet?
On Sat, 4 May 2002, Eric A. Hall wrote: Forrest W. Christian wrote: Anyone who thinks that government can pass a law and this will go away is hopelessly naieve. Uh, thanks. The government has all kinds of property protection laws. My mail spool is my property. Do the math. Been there, done that, and it made no significant difference. Both J.D. Falk and I put a lot of work into getting tough anti-spam legislation passed, and we were successful. Here in California we now have jail time for second-offense spammers. Does it make a damned bit of difference? No. Was it worth trying? Yes, of course. The conclusion I came to at the time was that the bond-posting micropayment schemes were the only way out of the problem, and I haven't seen anything to change my mind on that since. Whitelists are too drastic, I think, but I'm slowly headed that way. -Bill
Re: anybody else been spammed by no-ip.com yet?
On Sat, 4 May 2002, Eric A. Hall wrote: Uh, thanks. The government has all kinds of property protection laws. My mail spool is my property. Do the math. Your car is your private property as well, but if you park it in a public place, with the engine running, and offer every passerby the opportunity to use it at no cost or obligation, the government is not going to help you get the car back when someone takes you up on your offer. Laws are a necessary first step and will have the most positive effect. Micropayments won't be needed if the right laws are passed. Given the history, the biggest problem with the legal approach is that congress will pass a bad law instead of the one they need to, which is to extend the TCPA to include spam. Yeah, another unenforceable law that nobody will give a shit about, except when it's time to pay for the [non-enforcing] enforcement agents (tax time). -- Yours, J.A. Terranson [EMAIL PROTECTED] If Governments really want us to behave like civilized human beings, they should give serious consideration towards setting a better example: Ruling by force, rather than consensus; the unrestrained application of unjust laws (which the victim-populations were never allowed input on in the first place); the State policy of justice only for the rich and elected; the intentional abuse and occassionally destruction of entire populations merely to distract an already apathetic and numb electorate... This type of demogoguery must surely wipe out the fascist United States as surely as it wiped out the fascist Union of Soviet Socialist Republics. The views expressed here are mine, and NOT those of my employers, associates, or others. Besides, if it *were* the opinion of all of those people, I doubt there would be a problem to bitch about in the first place...
Re: anybody else been spammed by no-ip.com yet?
Forrest W. Christian wrote: Grandma would get 2c for each mail she received. Grandma would pay 2c for each email she sent. Where does that cause the problems you are talking about? I send a lot more mail than grandma does. -- Eric A. Hallhttp://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
Re: anybody else been spammed by no-ip.com yet?
I want to clarify this a bit, before I get flamed (not that I'm not going to anyways). On Sat, 4 May 2002, Forrest W. Christian wrote: The people in the middle would get *nothing* beyond what they are getting today. Grandma would get 2c for each mail she received. Grandma would pay 2c for each email she sent. Where does that cause the problems you are talking about? What I am *specifically* talking about is a situation where people who receive on average as many emails as they send don't pay ANYTHING above what they are paying now. We're trying to discourage bulk emailers, not individuals. - Forrest W. Christian ([EMAIL PROTECTED]) AC7DE -- The Innovation Machine Ltd. P.O. Box 5749 http://www.imach.com/Helena, MT 59604 Home of PacketFlux Technogies and BackupDNS.com (406)-442-6648 -- Protect your personal freedoms - visit http://www.lp.org/
Re: anybody else been spammed by no-ip.com yet?
On Sat, 4 May 2002, Forrest W. Christian wrote: We're trying to discourage bulk emailers, not individuals. Then the way to do this is to make the cost of sending mass mail more expensive than sending only a few here and there. In short, we need a way to prevent the use of the $19.95 throw-away account that is used to send the vast majority of spam. Let's face it, only the biggest of the hardcore spammers are willing to pay out for dedicated lines. How about something along the lines of dial accounts having their outgoing SMTP connections rate limited to, oh, let's say 100 per day, and limiting the maximum number of recipients on any given email to some low number, say 5? A customer reaches the limit, the account auto-rejects all email for 24 hours. Someone bitches? Let them buy full rate dedicated services, with the first month, last month, and a security deposit up front before service is established. -- Yours, J.A. Terranson [EMAIL PROTECTED] If Governments really want us to behave like civilized human beings, they should give serious consideration towards setting a better example: Ruling by force, rather than consensus; the unrestrained application of unjust laws (which the victim-populations were never allowed input on in the first place); the State policy of justice only for the rich and elected; the intentional abuse and occassionally destruction of entire populations merely to distract an already apathetic and numb electorate... This type of demogoguery must surely wipe out the fascist United States as surely as it wiped out the fascist Union of Soviet Socialist Republics. The views expressed here are mine, and NOT those of my employers, associates, or others. Besides, if it *were* the opinion of all of those people, I doubt there would be a problem to bitch about in the first place...
Re: anybody else been spammed by no-ip.com yet?
facetious Hey! Where's my reply? I'm in the hole $.04 on this thread now! Right! No more mail to you until you send me two messages! /facetious Then we all move to some other medium that doesn't cost money -- and then the spammers follow us there too. Eric A. Hall wrote: Forrest W. Christian wrote: Grandma would get 2c for each mail she received. Grandma would pay 2c for each email she sent. Where does that cause the problems you are talking about? I send a lot more mail than grandma does. -- Eric A. Hallhttp://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
Re: anybody else been spammed by no-ip.com yet?
Theft/Taxes nearly the same . ;-) JimL Really? What's the difference? I was giving the thief the benefit of doubt ;-) . JimL http://www.gmu.edu/departments/economics/bcaplan/anarfaq.htm See the part on public goods problem and Pareto optimality :) --vadim
Re: anybody else been spammed by no-ip.com yet?
On Sat, 4 May 2002 [EMAIL PROTECTED] wrote: How about something along the lines of dial accounts having their outgoing SMTP connections rate limited to, oh, let's say 100 per day, and limiting the maximum number of recipients on any given email to some low number, say 5? A customer reaches the limit, the account auto-rejects all email for 24 hours. Someone bitches? Let them buy full rate dedicated services, with the first month, last month, and a security deposit up front before service is established. The problem with this is how do you enforce this across thousands of mail servers, controlled by many many different organizations? I'm not saying the pay-per-message option is perfect. In fact, the more I think about a camram-type solution the more I like it: where the sender proves to the recipient that they spent a fair bit of CPU time before sending the message. The bottom line is that in my opinion people need to give up *something* for the privlege of sending mail. I suggested a couple of cents per message. Others reject this as it will destroy the net. Camram requires people to give up CPU cycles. This might be an easier thing to swallow. Passing laws and putting on filters don't work. Depending on each mail server admin to do the right thing doesn't work. We need to find something else that will. - Forrest W. Christian ([EMAIL PROTECTED]) AC7DE -- The Innovation Machine Ltd. P.O. Box 5749 http://www.imach.com/ Helena, MT 59604 Home of PacketFlux Technogies and BackupDNS.com (406)-442-6648 -- Protect your personal freedoms - visit http://www.lp.org/
Re: anybody else been spammed by no-ip.com yet?
On Sat, 4 May 2002, Eric A. Hall wrote: Grandma would get 2c for each mail she received. Grandma would pay 2c for each email she sent. Where does that cause the problems you are talking about? I send a lot more mail than grandma does. Yes, but even if you send one a day and she never responds, this only comes out to $7.30/year. Hey, I'm not saying this is perfect. I'm just saying that passing laws and filtering and depending on admins to do the right thing just doesn't work. Ask people in those states which have anti-spam laws how many fewer spam messages they receive than before. We need something else. It must be enforceable at the receiving side, and we must be able to step into it gradually. The best solution I've seen, thanks to someone else on the list, is camram, which makes you pay for the email sending with proving you have spent about 15 seconds worth of CPU cycles. In fact, I'm thinking this is probably a better solution than the pay-per-message solution, as we don't have to worry about settlement, etc. etc. which was the real problem with the pay-per-message. - Forrest W. Christian ([EMAIL PROTECTED]) AC7DE -- The Innovation Machine Ltd. P.O. Box 5749 http://www.imach.com/Helena, MT 59604 Home of PacketFlux Technogies and BackupDNS.com (406)-442-6648 -- Protect your personal freedoms - visit http://www.lp.org/
Re: anybody else been spammed by no-ip.com yet?
On Sat, 4 May 2002, Forrest W. Christian wrote: On Sat, 4 May 2002 [EMAIL PROTECTED] wrote: How about something along the lines of dial accounts having their outgoing SMTP connections rate limited to, oh, let's say 100 per day, and limiting the maximum number of recipients on any given email to some low number, say 5? A customer reaches the limit, the account auto-rejects all email for 24 hours. Someone bitches? Let them buy full rate dedicated services, with the first month, last month, and a security deposit up front before service is established. The problem with this is how do you enforce this across thousands of mail servers, controlled by many many different organizations? I'm not saying the pay-per-message option is perfect. In fact, the more I think about a camram-type solution the more I like it: where the sender proves to the recipient that they spent a fair bit of CPU time before sending the message. It doesn't scale to those who source lots of email, like mailing lists or webmail providers. It also has its own set of problems that are much much worse, if its enabled by default on users: -- [1] User (to ISP): ``Why does getting mail from NANOG never seem to work.'' Response: ``Because you haven't enabled them in the no-pay list.'' [2] User (to mailing list admin): ``Whenever I try to subscribe, I don't get a confirmation message.'' Response: ``Because you haven't enabled them in the no-pay list.'' [3] User (to ISP): ``Why does email from grandma never get through.'' Response: ``Because their email client doesn't support CAMRAM and you haven't enabled them in the no-pay list.'' [4] User (to ISP): ``Why does email to grandma never get through.'' Response: ``You need a CAMRAM-aware email client. Switch from MS-Outlook to Mutt.'' -- I dunno, but I'd think that the tech-support manpower for this would be pricy, especially if you get a phone call everytime a user tries to subscribe to mailing list. Spam sucks... But, these alternatives seem like they'd be a lot more expensive for ISP's. The bottom line is that in my opinion people need to give up *something* for the privlege of sending mail. I suggested a couple of cents per message. Others reject this as it will destroy the net. Camram requires people to give up CPU cycles. This might be an easier thing to swallow. Imagine a requirement that you had to listen to 30 seconds of muzak before every telephone call. Somewhere in the 30 seconds would be a 4 digit number you'd have to type in in order to complete the call. This is done to make sure people ``give up *something* for the privlege of'' making a telephone call. Why is this done, other than to discourage people from making telephone calls? Dunno.. Are telephone calls something we need to discourage? Passing laws and putting on filters don't work. Depending on each mail server admin to do the right thing doesn't work. We need to find something else that will. I hope so too.. But sender-pays isn't true for postal mail or telephone. If I get a junk mail, I have to waste time *and* pay to have it carted to a landfill. If I get a phone-spam, I have to waste time. In ways, it seems like this is trying to force email into the idealized mold of postal mail. A mold that never really existed in the first place. This is impossible in any case as email isn't postal mail. Where is the analogy of NANOG for postal mail? A weekly newsletter? That newsletter would be what? $.35/issue, or $350/week if it had a readership of 1000. How much cheaper is NANOG to run than what that newsletter would cost? We could make a NANOG posting cost $20/message for sender-pays, but do we want to sacrifice mailing lists on the alter of fitting a square peg into a circular hole? Scott
Re: anybody else been spammed by no-ip.com yet?
On Sat, 4 May 2002, Forrest W. Christian wrote: Passing laws and putting on filters don't work. Depending on each mail server admin to do the right thing doesn't work. We need to find something else that will. Define doesn't work? Yes there is still spam - but the laws are in all cases relatively new (even on a technology timeline) and far from universal. None of these solutions is going to work overnight. The large amount of spam that people are filtering/bouncing at this point proves that they are far better than nothing. What might work, instead of setting up a micropayments system (would take years) or convincing the 'net to adopt a Camram type system (might not take as long, but it wouldn't happen anytime soon) is to set up a reliable, centralized blacklist/filter provider, and to enact and enforce anti UCE laws on a national basis. For the filters to work, they have to have a certain critical mass, in terms of users or sources to key into spam. If you're talking about expending all the energy to coordinate and set up the above, why not instead lobby for a federal law, and enforcement of that law, along with a centralized and well admin'd blacklist (who's operations would be funded in part by proceeds from enforcement of antispam laws). The point that the spammers would just go overseas was well answered by the fact that generally (not always, but in a huge % of the cases) there is a US based contact for selling the stuff. Spam has always been a problem - but it's become much more of a problem in the last 18 months. People dislike it - but I would be willing to bet the average person on this list gets more / has stronger feelings on / etc spam than the average public. The problem will get worse before it gets better - but I think it could be argued that the tools that are being developed now (filters, blacklists, etc) are the least intrusive, disruptive and most practical of the three options. I think the other thing that has to happen, which hasn't reliably yet, is that the large providers have to be better about cutting off spammers and isp's that support them. Run an open relay? Your immediate upstream is notified, and if they can't get you to fix it, _they_ black hole it till you do. That would get your attention and stop the spam. I'm interested that (as far as I've seen) there hasn't been much talk in this thread yet about the larger networks' role in the enforcement side of this. Whatever happens, it's going to take time to make work - more time than the current (possibly stopgap) measures have been given.
Re: anybody else been spammed by no-ip.com yet?
On Sat, May 04, 2002 at 07:22:35PM -0500, Eric A. Hall wrote: Ask people in those states which have anti-spam laws how many fewer spam messages they receive than before. Although responding to this message puts me back to -$.04, I will point out that the junk fax law worked pretty well. It didn't take long for people to get the point that they shouldn't be faxing lunchroom menus to everybody in their area code. Faxes are a little bit easier to trace than email. The bottom line is, spamming makes money. People don't spam because they think that maybe it might work, they spam because it gets responses and it makes them money. Maybe one really stupid person gets prosecuted on an anti-spam law once, but it doesn't seem to be making much of an impact. If you beheaded 10 spammers on primetime TV I really don't think they would stop. Spamming will stop when it stops being effective. That said, I'm pretty sure this thread has now excercised my D key more then a month's supply of spam. Isn't it about time we called it a day, or perhaps moved this to a list more appropriate for complaining and sending email about people sending email. :) -- Richard A Steenbergen [EMAIL PROTECTED] http://www.e-gerbil.net/ras PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
Re: anybody else been spammed by no-ip.com yet?
ben hubbard wrote: why not instead lobby for a federal law, and enforcement of that law, along with a centralized and well admin'd blacklist (who's operations would be funded in part by proceeds from enforcement of antispam laws). Actually, a well-written law wouldn't need funding. MAPS could make a decent income by filing class-action suits against spammers, for example. No reason for the government to get involved other than holding court. -- Eric A. Hallhttp://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
Re: anybody else been spammed by no-ip.com yet?
On Sat, 4 May 2002, Forrest W. Christian wrote: On Sat, 4 May 2002 [EMAIL PROTECTED] wrote: How about something along the lines of dial accounts having their outgoing SMTP connections rate limited to, oh, let's say 100 per day, and limiting the maximum number of recipients on any given email to some low number, say 5? A customer reaches the limit, the account auto-rejects all email for 24 hours. Someone bitches? Let them buy full rate dedicated services, with the first month, last month, and a security deposit up front before service is established. The problem with this is how do you enforce this across thousands of mail servers, controlled by many many different organizations? Obviously, it is a self-enforcement issue, aimed at the ISPs who do sial services. I firmly believe that if we could control the dial accounts in this respect, we'd wipe out a very large portion of the problem children The incentive to the ISP is obvious: $19.95 throw away accounts (which are likely not paid anyway) disappear, their SpamCop nightmares disappear, and the legitimate mass mail customer pays for commercial services. I'm not saying the pay-per-message option is perfect. I am a fan of micropayments in theory, but I do not believe that they can ever be applied to email, attractive though it may be. Since I don't believe it's really possible, I choose not to burn cycles on it. snip The bottom line is that in my opinion people need to give up *something* for the privlege of sending mail. Agreed: to send it for free, they lose the right to do it in significant volume. I suggested a couple of cents per message. Others reject this as it will destroy the net. Camram requires people to give up CPU cycles. This might be an easier thing to swallow. Possibly, but I doubt that you can explain this to Joe and Jane Sixpack. Passing laws and putting on filters don't work. Amen. Depending on each mail server admin to do the right thing doesn't work. The problem here is defining the right thing, no? We need to find something else that will. Agreed. - Forrest W. Christian ([EMAIL PROTECTED]) AC7DE -- Yours, J.A. Terranson [EMAIL PROTECTED] If Governments really want us to behave like civilized human beings, they should give serious consideration towards setting a better example: Ruling by force, rather than consensus; the unrestrained application of unjust laws (which the victim-populations were never allowed input on in the first place); the State policy of justice only for the rich and elected; the intentional abuse and occassionally destruction of entire populations merely to distract an already apathetic and numb electorate... This type of demogoguery must surely wipe out the fascist United States as surely as it wiped out the fascist Union of Soviet Socialist Republics. The views expressed here are mine, and NOT those of my employers, associates, or others. Besides, if it *were* the opinion of all of those people, I doubt there would be a problem to bitch about in the first place...
Re: anybody else been spammed by no-ip.com yet?
On Fri, 3 May 2002, Gregory Hicks wrote: money. Today with flat rate access and many people not paying on a per packet basis it seems to me that the responsibility lies with the end user to filter properly and or dress that delete key. I always shut [...snip...] The problem with this is that, yes, to the END USER, there is no direct cost involved. However, in order to maintain the same level of service, the ISP is forced to go get a bigger pipe and/or bigger, faster routers and/or servers. (Raises prices a bit per account) Yes, I've always said that the costs MUST be looked at in the aggregate. In all of this, the bozo (well..., 'user' really) no, 'bozo' is appropriate. -- Steve Sobol, CTO (Server Guru, Network Janitor and Head Geek) JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET http://JustThe.net The Indians are unfolding into the 2002 season like a lethal lawn chair. (_News-Herald_ Indians Columnist Jim Ingraham, April 11, 2002)
Re: anybody else been spammed by no-ip.com yet?
On Fri, 3 May 2002, Scott Granados wrote: Well the costs you mentioned with aol seem high Not when you consider how much time and money AOL has sunk into the development of their mail system. They are the only company that has to scale their operations to the size to which they scale, and I guarantee you can't do what they do with off-the-shelf software. Plus, you have to multiply costs out over *mumble* million users. The case against spam probably should be decided entirely on economics not on content issues. Agreed, completely. Start dealing with content and you get into very murky waters. -- Steve Sobol, CTO (Server Guru, Network Janitor and Head Geek) JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET http://JustThe.net The Indians are unfolding into the 2002 season like a lethal lawn chair. (_News-Herald_ Indians Columnist Jim Ingraham, April 11, 2002)
Re: Effective ways to deal with DDoS attacks?
On Sat, 4 May 2002, Stephen Griffin wrote: In the referenced message, Iljitsch van Beijnum said: On Fri, 3 May 2002, Stephen Griffin wrote: For multihomed customers, these sets of prefixes should be identical, just like with single homed customers. The only time when those sets of prefixes is NOT the same is for a backup connection. But if a connection is a pure backup for incoming traffic, it's reasonable to assume it's a pure backup for outgoing traffic as well, so as long as the backup is dormant, you don't see any traffic so no uRPF problems. Not always the case, customer behaviour can not be accurately modeled. I was hoping someone else might mention this, BUT what about the case of customers providing transit for outbound but not inbound traffic for their customers? We have many, many cases of customers that are 'default routing' for their customers that get inbound traffic down alternate customers or peers or wherever... uRPF seems like a not so good solution for these instances :( especially since some of these are our worst abusers :( -Chris
Re: anybody else been spammed by no-ip.com yet?
On Sat, 4 May 2002, Eric A. Hall wrote: Anyone who thinks that government can pass a law and this will go away is hopelessly naieve. Uh, thanks. The government has all kinds of property protection laws. My mail spool is my property. Do the math. Indeed, the courts have already ruled that an ISP has a right to tell a spammer to sod off. -- Steve Sobol, CTO (Server Guru, Network Janitor and Head Geek) JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET http://JustThe.net The Indians are unfolding into the 2002 season like a lethal lawn chair. (_News-Herald_ Indians Columnist Jim Ingraham, April 11, 2002)
Re: anybody else been spammed by no-ip.com yet?
On Sat, 4 May 2002, Richard A Steenbergen wrote: Faxes are a little bit easier to trace than email. Sometimes. If the faxer is identifying s/h/itself properly. -- Steve Sobol, CTO (Server Guru, Network Janitor and Head Geek) JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET http://JustThe.net The Indians are unfolding into the 2002 season like a lethal lawn chair. (_News-Herald_ Indians Columnist Jim Ingraham, April 11, 2002)
