Re: companies like microsoft and telia...

[Paul Vixie]

> > ... it is the year 2003, and you bloody well need to learn how to
> > accept complaints about YOUR CUSTOMERS using a format that is most
> > convenient to THE VICTIMS.  (and you should be THANKING US FOR IT since
> > we are DOING YOUR WORK FOR YOU.)
> 
> I agree, I was furious as well when I first noticed it. They're doing it 
> because a lot of people cannot report abuse in the proper way so they're 
> punishing all of us. What they get out of it is automatic tracing of who 
> did what when (because the date and IP is in a known format).

how convenient -- for them, that is.  however, it is counter to their own
self-interest.  as a network owner they need to know about abusive traffic
that comes from their customers.  making it hard to report means
(buddabing!) that it won't be as often reported.  how can THAT help?

> Perhaps someone could write a bcp for an email-form that lays out the same 
> information so we can make the complaints use this format and all abuse 
> departments can accept using this form, to get some structure to it?

yow.  i first asked that this be done in 1998, and for this very reason
among others.  can anybody beat that date (with an earlier one?)  this is
a hard problem but with outlook forms and sri-style ascii templates it's
quite achievable.  note though that many abusebots will reject MIME since
it might contain a virus.  and, there will be huge controversies about 
header munging, list cleaning, complaint forwarding, and definitions of
"abuse", "consent", "implied consent", "recourse", and "standing".

so if ``someone'' writes this up, count me as a grateful&willing reviewer.
-- 
Paul Vixie

Re: companies like microsoft and telia...

[Anne P. Mitchell, Esq.]

MS is also, I am told, behind the gutting, stalling, and undermining 
of Senator Bowen's SB 12 (the California anti-spam legislation).   

Right now her office is basically scrambling to get other ISPs to give 
their input so that they can demonstrate that MS does not speak for 
the networking world in wanting things like this:

"If a recipient has either provided direct consent or has a preexisting 
or current business relationship with the sender, commercial e-mail 
advertisements from that sender shall not be construed as 
unsolicited commercial e-mail advertisements."  
...
(k) "Preexisting or current business relationship," as used in 
connection with the sending of a commercial e-mail advertisement, 
means the recipient has made an inquiry, application, purchase, or 
transaction regarding products or services, including the use of free 
products or services, offered by the sender."

So pretty much if someone breathed in their general direction, it's 
ok to put them on a mailing list and spam the heck out of them.  
Period.

MS apparently threw their weight around in the Business & 
Professions committee, and asserted that they stand for everyone, 
and few others have come forth to refute it.

[Note:  We're leading a delegation to meet with Senator Bowen 
tomorrow;  if anybody here cares about this stuff, and would like to 
offer their 2cents, I'd be happy to send you a copy of the bill, and 
hand carry a fax to her (or give you a fax # for her). But it needs to 
be fast, I'm heading up there in about 8 hours.  This is CA legislation 
affecting any network which sends to or is in CA - it will impact 
everyone, on some level.]

We now end this "how Bill becomes a law" civics class, and return 
you to your regularly scheduled NANOG.

Anne

Re: companies like microsoft and telia...

[Kandra Nygårds]

From: "Paul Vixie" <[EMAIL PROTECTED]>

> route:217.208.0.0/13
> descr:TELIANET-BLK
> remarks:  Abuse issues should be reported at
> remarks:  http://www.telia.com/security/
> remarks:  Mail to [EMAIL PROTECTED] will be auto-replied
> remarks:  and referred to the URL above.
> origin:   AS3301
> mnt-by:   TELIANET-RR
> changed:  [EMAIL PROTECTED] 20010508
> source:   RIPE

[...]

One would think they'd learn, after AOL blocked them.


- Kandra

Re: companies like microsoft and telia...

[Paul Vixie]

> > gr.
> 
> telia has been on my list for 2.5 years now for this stuff.

let the public shaming begin, then.

four isp abusebots have rejected my complaints tonight because (gasp!)
i included a copy of the virus i was complaining about.  cluestick please!

Re: companies like microsoft and telia...

[Mikael Abrahamsson]

On Thu, 26 Jun 2003, Paul Vixie wrote:

> excuse me, telia, but your customers are spamming me, and i have no plans to
> teach lartomatic (my homebrew complaintbot) how to log into your web site.
> it is the year 2003, and you bloody well need to learn how to accept complaints
> about YOUR CUSTOMERS using a format that is most convenient to THE VICTIMS.
> (and you should be THANKING US FOR IT since we are DOING YOUR WORK FOR YOU.)

I agree, I was furious as well when I first noticed it. They're doing it 
because a lot of people cannot report abuse in the proper way so they're 
punishing all of us. What they get out of it is automatic tracing of who 
did what when (because the date and IP is in a known format).

Perhaps someone could write a bcp for an email-form that lays out the same 
information so we can make the complaints use this format and all abuse 
departments can accept using this form, to get some structure to it?

-- 
Mikael Abrahamssonemail: [EMAIL PROTECTED]

companies like microsoft and telia...

[Paul Vixie]

...are doing more to help spam than to stop it, in spite of themselves.

consider microsoft-yahoo-aol's big fad of the moment which is suing spammers
and blaming asia.  the number one (#1) contributor to spam is open proxies
running on windows/xp, several of which are installed by default as side
effects of other user activities.  spam can now come from tens of millions
of untraceable places, and since it's an open proxy rather than an open relay
there isn't even a Received: header trail.  WHAT a marketing department,
though, to be able to (successfully!) blame spam on asia.

but what have we here?  i would not have imagined that in 2003 any company
could be as blatantly irresponsible as to behave the way telia documents here:

route:217.208.0.0/13
descr:TELIANET-BLK
remarks:  Abuse issues should be reported at
remarks:  http://www.telia.com/security/
remarks:  Mail to [EMAIL PROTECTED] will be auto-replied
remarks:  and referred to the URL above.
origin:   AS3301
mnt-by:   TELIANET-RR
changed:  [EMAIL PROTECTED] 20010508
source:   RIPE

excuse me, telia, but your customers are spamming me, and i have no plans to
teach lartomatic (my homebrew complaintbot) how to log into your web site.
it is the year 2003, and you bloody well need to learn how to accept complaints
about YOUR CUSTOMERS using a format that is most convenient to THE VICTIMS.
(and you should be THANKING US FOR IT since we are DOING YOUR WORK FOR YOU.)

gr.  clearly i need to stop accepting e-mail from 217.208.0.0/13.

Re: Major E-mail Delivery for FTC DNCR Launch

[Rafi Sadowsky]

## On 2003-06-25 21:25 -0400 Leo Bicknell typed:

LB> 
LB> 
LB> * Put in the e-mail a clear, short, easy to read over the phone
LB>   link (http://www.yoursite.com/spam.html)

 Oops: this is an existing URL titled "FREE Credit Card Gateway"  :-(


LB>   that describes what
LB>   action on the web site sends these e-mails, how to identify an
LB>   e-mail as actually coming from the site, and where to report any
LB>   sort of mailbombing (back to the first point).
LB> 
LB> 
LB> 

-- 
Rafi

Re: Weird email messages with "re:movie" and "re:application" in the subject line..

[Steven M. Bellovin]

In message <[EMAIL PROTECTED]>, Eric Brunner-Williams in 
Portland Maine writes:
>
>
>> W32/[EMAIL PROTECTED] per McAffee.
>
>I seem to have done one better ... according to a M$ host in Level3-land,
>the Unix box right in front of me sent the mail in question.
>
>Someone at L3 needs to call home. The only L3 turd in my mail log is their
>inbound...
>
>Jun 25 18:21:11 nic-naa sm-mta[24589]: h5PMLB5U024589: from=<[EMAIL PROTECTED]
>el3.com>, size=1711, class=0, nrcpts=1, msgid=<012d01c33b68$2bd14b40$d706010a@
>corp.global.level3.com>, proto=ESMTP, daemon=MTA, relay=machine77.Level3.com [
>209.244.4.106]

And I've gotten bounces from mail allegedly from me.  It's not L3's 
fault; this particular worm forges From: lines on its email.

Another day, another worm.

--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com (2nd edition of "Firewalls" book)

RE: Weird email messages with "re:movie" and "re:application" in the subject line..

[Mark Segal]

Here the best link I have seen so far... Thanks to kevin day..

http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]


My guess is they might need to upgrade it to more than 55-999 infections :).

mark


--
Mark Segal 
Director, Network Planning
FCI Broadband 
Tel: 905-284-4070 
Fax: 416-987-4701 
http://www.fcibroadband.com

Futureway Communications Inc. is now FCI Broadband


-Original Message-
From: Eric Brunner-Williams in Portland Maine [mailto:[EMAIL PROTECTED] 
Sent: June 25, 2003 11:25 PM
To: Larry Rosenman
Cc: Mark Segal; '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: Re: Weird email messages with "re:movie" and "re:application" in
the subject line.. 



> W32/[EMAIL PROTECTED] per McAffee.

I seem to have done one better ... according to a M$ host in Level3-land,
the Unix box right in front of me sent the mail in question.

Someone at L3 needs to call home. The only L3 turd in my mail log is their
inbound...

Jun 25 18:21:11 nic-naa sm-mta[24589]: h5PMLB5U024589:
from=<[EMAIL PROTECTED]>, size=1711, class=0, nrcpts=1,
msgid=<[EMAIL PROTECTED]>, proto=ESMTP,
daemon=MTA, relay=machine77.Level3.com [209.244.4.106]

Cheers,
Eric
--- Forwarded Message

Return-Path: [EMAIL PROTECTED]
Delivery-Date: Wed Jun 25 18:21:11 2003
Return-Path: <[EMAIL PROTECTED]>
Received: from f1ee40-19.idc1.level3.com (machine77.Level3.com
[209.244.4.106])
by nic-naa.net (8.12.9/8.12.9) with ESMTP id h5PMLB5U024589
for <[EMAIL PROTECTED]>; Wed, 25 Jun 2003 18:21:11 -0400 (EDT)
Received: from idc1exc0001.corp.global.level3.com (localhost [127.0.0.1])
by f1ee40-19.idc1.level3.com (8.8.8p2+Sun/8.8.8) with SMTP id
WAA02577
for <[EMAIL PROTECTED]>; Wed, 25 Jun 2003 22:21:50 GMT
Received: from idc1exc0005.corp.global.level3.com ([10.1.6.215]) by
idc1exc0001.corp.global.level3.com with Microsoft SMTPSVC(5.0.2195.4905);
 Wed, 25 Jun 2003 16:21:49 -0600
Received: from mail pickup service by idc1exc0005.corp.global.level3.com
with Microsoft SMTPSVC;
 Wed, 25 Jun 2003 16:21:49 -0600
thread-index: AcM7aCvRcfOY+VcOT2aAnuNoWHZmCQ==
Thread-Topic: [MailServer Notification]Alert to Sender:  File Attachment
Blocked
From: <[EMAIL PROTECTED]>
Sender: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: [MailServer Notification]Alert to Sender:  File Attachment Blocked
Date: Wed, 25 Jun 2003 16:21:49 -0600
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft CDO for Exchange 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4920.2300
X-OriginalArrivalTime: 25 Jun 2003 22:21:49.0631 (UTC)
FILETIME=[2BF044F0:01C33B68]

ScanMail for Microsoft Exchange has blocked an attachment.

Sender = [EMAIL PROTECTED]
Recipient(s) = [EMAIL PROTECTED]
Subject = Re: Movie
Scanning time = 06/25/2003 16:21:49

Action on file blocking:
The attachment your_details.zi matches the file blocking settings. ScanMail
has Deleted it. 

Attachment blocked due to extension match of .bat, .eml, .nws, .pif, .scr,
.src, .shs, .vbe, .vbs, .com, or .exe.

--- End of Forwarded Message

Re: Weird email messages with "re:movie" and "re:application" in the subject line..

[Eric Brunner-Williams in Portland Maine]

> W32/[EMAIL PROTECTED] per McAffee.

I seem to have done one better ... according to a M$ host in Level3-land,
the Unix box right in front of me sent the mail in question.

Someone at L3 needs to call home. The only L3 turd in my mail log is their
inbound...

Jun 25 18:21:11 nic-naa sm-mta[24589]: h5PMLB5U024589: from=<[EMAIL PROTECTED]>, 
size=1711, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=ESMTP, daemon=MTA, 
relay=machine77.Level3.com [209.244.4.106]

Cheers,
Eric
--- Forwarded Message

Return-Path: [EMAIL PROTECTED]
Delivery-Date: Wed Jun 25 18:21:11 2003
Return-Path: <[EMAIL PROTECTED]>
Received: from f1ee40-19.idc1.level3.com (machine77.Level3.com [209.244.4.106])
by nic-naa.net (8.12.9/8.12.9) with ESMTP id h5PMLB5U024589
for <[EMAIL PROTECTED]>; Wed, 25 Jun 2003 18:21:11 -0400 (EDT)
Received: from idc1exc0001.corp.global.level3.com (localhost [127.0.0.1])
by f1ee40-19.idc1.level3.com (8.8.8p2+Sun/8.8.8) with SMTP id WAA02577
for <[EMAIL PROTECTED]>; Wed, 25 Jun 2003 22:21:50 GMT
Received: from idc1exc0005.corp.global.level3.com ([10.1.6.215]) by 
idc1exc0001.corp.global.level3.com with Microsoft SMTPSVC(5.0.2195.4905);
 Wed, 25 Jun 2003 16:21:49 -0600
Received: from mail pickup service by idc1exc0005.corp.global.level3.com with 
Microsoft SMTPSVC;
 Wed, 25 Jun 2003 16:21:49 -0600
thread-index: AcM7aCvRcfOY+VcOT2aAnuNoWHZmCQ==
Thread-Topic: [MailServer Notification]Alert to Sender:  File Attachment Blocked
From: <[EMAIL PROTECTED]>
Sender: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: [MailServer Notification]Alert to Sender:  File Attachment Blocked
Date: Wed, 25 Jun 2003 16:21:49 -0600
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft CDO for Exchange 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4920.2300
X-OriginalArrivalTime: 25 Jun 2003 22:21:49.0631 (UTC) FILETIME=[2BF044F0:01C33B68]

ScanMail for Microsoft Exchange has blocked an attachment.

Sender = [EMAIL PROTECTED]
Recipient(s) = [EMAIL PROTECTED]
Subject = Re: Movie
Scanning time = 06/25/2003 16:21:49

Action on file blocking:
The attachment your_details.zi matches the file blocking settings. ScanMail has 
Deleted it. 

Attachment blocked due to extension match of .bat, .eml, .nws, .pif, .scr, .src, .shs, 
.vbe, .vbs, .com, or .exe.

--- End of Forwarded Message

autoresponders, spam verifiers.

[Mark Segal]

Title: Message



Isn't 
it against nanog's BCP to have auto responders reply to people who post to the 
list...
 
This 
is very annoying ever time I post.. and being the zealot that I am (I know 
50,000 heads just nodded their agreement) I do not want to be on his "safe" 
list.
 
mark
--Mark SegalDirector, Network PlanningFCI BroadbandTel: 
905-284-4070Fax: 416-987-4701http://www.fcibroadband.com 
Futureway Communications Inc. is now FCI 
Broadband 

-Original Message-From: AntiSpam UOL 
[mailto:[EMAIL PROTECTED] Sent: June 25, 2003 11:11 
PMTo: [EMAIL PROTECTED]Subject: RE:RE: 
Weird email messages with "re:movie" and "re:application" 
in

  
  



  

  


   
  Olá,Você enviou uma mensagem 
para[EMAIL PROTECTED]Para que sua 
mensagem seja encaminhada, por favor,clique aqui
   

  Esta confirmação é necessária porque 
[EMAIL PROTECTED] usa o Antispam UOL, um programa que 
elimina mensagens enviadas por robôs, como pornografia, propaganda e 
correntes.
  

  

  

  


   
  Hi,You´ve just sent a message 
to[EMAIL PROTECTED]In order to confirm 
the sent message, please click here
   

  This confirmation is necessary because 
[EMAIL PROTECTED] uses Antispam UOL, a service that 
avoids unwanted messages like advertising, pornography, viruses, and 
spams.
  
Use o AntiSpam 
  UOL e proteja sua caixa 
postal

  
  

  

  
  

Re: Major E-mail Delivery for FTC DNCR Launch

[JC Dill]

Leo Bicknell wrote:

* Make sure your mail servers are squeeky clean.  Forward and
  reverse match, valid MX's, they report their own name in SMTP
  headers, no "untrusted sender used -f", etc.  Valid abuse@
  for the machine name, and the parent domain are essential.
  Valid contacts for the domain and IP block are helpful.
In addition to having all the above properly setup so that your mail 
servers appear squeekly clean from the outside, make sure they ARE 
squeeky clean - on the inside.  You may wish to raise this issue on the 
spam-l mailing list:



The participants on spam-l will be happy to share with you the many ways 
spammers relay thru web and mail servers, and how to ensure (and test) 
that your servers can't be abused.  All the pre-emptive whitelisting in 
the world won't help you if your machines are open relays and spammers 
start sending spew thru your mail servers.  There are too many systems 
that will automatically blacklist your IPs if they start spewing actual 
spam, and then you will have to go one-by-one to each of them to get 
unblocked.  It's much better to avoid the problem by not letting your 
machines send any spam in the first place!

jc

Re: Weird email messages with "re:movie" and "re:application" in the subject line..

[Anne P. Mitchell, Esq.]

> New spam technique or some new virus, similar to a Melissa?  Any body
> else seeing this?

We're seeing it here too, coming to role accounts.  Our folks are 
saying virus, but haven't identified which one yet.

Anne

Re: Weird email messages with "re:movie" and "re:application" inthe subject line..

[David Diaz]

Yep coming to my nanog email addy.

My email box has started receiving a bunch of emails recently (earlier this
evening) with a 80k zip attachment called "your_details.zip" and either
"re:movie" and "re:application" from a whole bunch of other address I have
never heard of..
New spam technique or some new virus, similar to a Melissa?  Any body else
seeing this?
mark

--
Mark Segal
Director, Network Planning
FCI Broadband
Tel: 905-284-4070
Fax: 416-987-4701
http://www.fcibroadband.com
Futureway Communications Inc. is now FCI Broadband

Re: Weird email messages with "re:movie" and "re:application" inthe subject line..

[Larry Rosenman]

--On Wednesday, June 25, 2003 22:56:52 -0400 Mark Segal 
<[EMAIL PROTECTED]> wrote:

My email box has started receiving a bunch of emails recently (earlier
this evening) with a 80k zip attachment called "your_details.zip" and
either "re:movie" and "re:application" from a whole bunch of other
address I have never heard of..
New spam technique or some new virus, similar to a Melissa?  Any body else
seeing this?
W32/[EMAIL PROTECTED] per McAffee.

in today's DAT files.

LER

mark

--
Mark Segal
Director, Network Planning
FCI Broadband
Tel: 905-284-4070
Fax: 416-987-4701
http://www.fcibroadband.com
Futureway Communications Inc. is now FCI Broadband



--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 972-414-9812 E-Mail: [EMAIL PROTECTED]
US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749

RE: Weird email messages with "re:movie" and "re:application" in the subject line..

[Williamson, Todd]

At least the "Re: Application" message is referenced here:
http://vil.nai.com/vil/content/v_100429.htm

I received several of these today.

Don't know about "Re: movie".

todd

> My email box has started receiving a bunch of emails recently 
> (earlier this
> evening) with a 80k zip attachment called "your_details.zip" 
> and either
> "re:movie" and "re:application" from a whole bunch of other 
> address I have
> never heard of..
> 
> New spam technique or some new virus, similar to a Melissa?  
> Any body else
> seeing this?
> 
> mark
> 
> 
> --
> Mark Segal 
> Director, Network Planning
> FCI Broadband 
> Tel: 905-284-4070 
> Fax: 416-987-4701 
> http://www.fcibroadband.com
> 
> Futureway Communications Inc. is now FCI Broadband
> 

RE: Weird email messages with "re:movie" and "re:application" in the subject line..

[Mark Segal]

That body should read ...

"either "re:movie" and "re:application"  in the subject line"

Sorry,
mark

--
Mark Segal 
Director, Network Planning
FCI Broadband 
Tel: 905-284-4070 
Fax: 416-987-4701 
http://www.fcibroadband.com

Futureway Communications Inc. is now FCI Broadband


-Original Message-
From: Mark Segal [mailto:[EMAIL PROTECTED] 
Sent: June 25, 2003 10:57 PM
To: '[EMAIL PROTECTED]'
Subject: Weird email messages with "re:movie" and "re:application" in the
subject line..



My email box has started receiving a bunch of emails recently (earlier this
evening) with a 80k zip attachment called "your_details.zip" and either
"re:movie" and "re:application" from a whole bunch of other address I have
never heard of..

New spam technique or some new virus, similar to a Melissa?  Any body else
seeing this?

mark


--
Mark Segal 
Director, Network Planning
FCI Broadband 
Tel: 905-284-4070 
Fax: 416-987-4701 
http://www.fcibroadband.com

Futureway Communications Inc. is now FCI Broadband

Weird email messages with "re:movie" and "re:application" in the subject line..

[Mark Segal]

My email box has started receiving a bunch of emails recently (earlier this
evening) with a 80k zip attachment called "your_details.zip" and either
"re:movie" and "re:application" from a whole bunch of other address I have
never heard of..

New spam technique or some new virus, similar to a Melissa?  Any body else
seeing this?

mark


--
Mark Segal 
Director, Network Planning
FCI Broadband 
Tel: 905-284-4070 
Fax: 416-987-4701 
http://www.fcibroadband.com

Futureway Communications Inc. is now FCI Broadband

Re: Major E-mail Delivery for FTC DNCR Launch

[Anne P. Mitchell, Esq.]

Oops..2nd time, sorry - had to resub to NANOG and hadn't actually 
sent the sub to -post.
 
> Except possibly don't use the word "spam", or anything else that is 
> liable to trip SpamAssassin and friends into giving your messages a 
> high score (so references to abdominal anatomy and cable tv decoders 
> are also probably unwise :). 
>  
> I'm frequently surprised that more people don't run their (legitimate, 
> opt-in, whatever) bulk mail through SpamAssassin before they send it 
> in order to see how spam-like it looks. I'm forever having to pick 
> itineraries and electronic tickets from airlines out of my spam 
> folder. 

Send them to us;  we're happy to tell them to use Habeas. :-) 

(SpamAssassin is a partner, and whitelists mail using our  
headers, so those itineraries and e-tickets will sail through  SpamAssassin, along 
with about 3 dozen other ISP and spam filter  partners :-)   Of course, if it's 
mailing list mail, it *has* to be  confirmed opt-in.] 

Anne 

Re: Country of Origin for Malicious Attacks

[Sean Donelan]

On Wed, 25 Jun 2003 [EMAIL PROTECTED] wrote:
> I was wondering if folks had noticed any trends with malicious network
> attacks predominantly originating from any individual or group of
> countries.  Any observations, comments or help would be greatly
> appreciated.

If you believe the Vatican, its mostly American's doing the attacking.
Although as a practical matter, I don't know if anyone really has good
information about the true country of origin.  In most cases, its the
country of last-hop.

http://www.abc.net.au/science/news/scitech/SciTechRepublish_887398.htm
 "The Vatican has revealed it has taken on a team of experts to protect
 the Pope's website which is attacked by some 10,000 viruses a month and
 at least 30 mainly American hackers every day."

Trivia: Unlike the usual Unix practice of naming things after demons,
the Vatican named its security computers after Archangels.  The Vatican
firewall was called Michael, after the Archangel charged with guarding
the gates of heaven with a flaming sword.

Re: Major E-mail Delivery for FTC DNCR Launch

[Joe Abley]

On Wednesday, Jun 25, 2003, at 21:25 Canada/Eastern, Leo Bicknell wrote:

* Put in the e-mail a clear, short, easy to read over the phone
  link (http://www.yoursite.com/spam.html) that describes what
  action on the web site sends these e-mails, how to identify an
  e-mail as actually coming from the site, and where to report any
  sort of mailbombing (back to the first point).
Except possibly don't use the word "spam", or anything else that is 
liable to trip SpamAssassin and friends into giving your messages a 
high score (so references to abdominal anatomy and cable tv decoders 
are also probably unwise :).

I'm frequently surprised that more people don't run their (legitimate, 
opt-in, whatever) bulk mail through SpamAssassin before they send it in 
order to see how spam-like it looks. I'm forever having to pick 
itineraries and electronic tickets from airlines out of my spam folder.

Joe

Re: Major E-mail Delivery for FTC DNCR Launch

[Leo Bicknell]

* Make sure repeated attempts to register the same e-mail address
  get throttled.  Don't make the web server a way to e-mail bomb
  people.

* Put in the e-mail a clear, short, easy to read over the phone
  link (http://www.yoursite.com/spam.html) that describes what
  action on the web site sends these e-mails, how to identify an
  e-mail as actually coming from the site, and where to report any
  sort of mailbombing (back to the first point).

* Make sure your mail servers are squeeky clean.  Forward and
  reverse match, valid MX's, they report their own name in SMTP
  headers, no "untrusted sender used -f", etc.  Valid abuse@
  for the machine name, and the parent domain are essential.
  Valid contacts for the domain and IP block are helpful.

In general this sounds like a low-risk activity, as described.

-- 
   Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - [EMAIL PROTECTED], www.tmbg.org


pgp0.pgp
Description: PGP signature

Re: Major E-mail Delivery for FTC DNCR Launch

[Simon Lyall]

You might want to look at one of the professional whitelisting outfits.

http://www.bondedsender.org
http://www.habeas.com/

are two I know of that seem to be supported.

-- 
Simon Lyall.|  Newsmaster  | Work: [EMAIL PROTECTED]
Senior Network/System Admin |  Postmaster  | Home: [EMAIL PROTECTED]
Ihug Ltd, Auckland, NZ  | Asst Doorman | Web: http://www.darkmere.gen.nz

Re: Lol - I guess we can all just put IPV6 back in the box.

[Matt Zimmerman]

On Wed, Jun 25, 2003 at 02:25:36PM -0400, Drew Weaver wrote:

> http://news.com.com/2100-1028_3-1020653.html?tag=fd_top
>  

Adjacent to the mythical shortage of IPv4 addresses, we find the IPv6 myths,
such as the notion that its larger address space is the only worthwhile
improvement over IPv4.

-- 
 - mdz

Re: Major E-mail Delivery for FTC DNCR Launch

[Eric Brunner-Williams in Portland Maine]

It wouldn't hurt to post the DCC signature either. 

Re: Major E-mail Delivery for FTC DNCR Launch

[Larry Rosenman]

One of my system admins passed the following, and he does have a point:

You might pass back:

The range of IP addresses that this stuff will be coming from, along
with an assurance that only these mails will be coming from these
servers would allow us to whitelist those addresses.


--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 972-414-9812 E-Mail: [EMAIL PROTECTED]
US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749

RE: Major E-mail Delivery for FTC DNCR Launch

[Ejay Hire]

You will want to make sure your email and sending server avoid the appearance of evil, 
I.e. Forward and reverse records match, valid MX for the sending domain, sent from a 
real address, not an HTML email, etc.

-Original Message-
From: Andy Dills [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 3:17 PM
To: Callahan, Richard M, SOLGV
Cc: [EMAIL PROTECTED]
Subject: Re: Major E-mail Delivery for FTC DNCR Launch



On Wed, 25 Jun 2003, Callahan, Richard M, SOLGV wrote:

>
> Good Afternoon
>  and forgive the new guy if I break any rules or conventions.
>
> I work for AT&T Government Solutions and we are about to launch the Do
> Not Call Registry for the Federal Trade Commission.  At a high level
> this allows consumers to register their phone numbers to keep most
> telemarketers from calling their homes.  Penalties for calling a
> consumer on the list can be $11K per call and enforcement begins in
> October.

And we thank you for it. If only you could apply this approach to spam...
:(

> We are launching consumer registrations on Friday.  My concern:
>
>  - every registration using the web generates an email which must be
> opened to complete the registration process
>
> We are looking at the potential of MILLIONS OF EMAILS PER DAY beginning
> Friday.  These will be from the same address and have the same subject
> line.
>
> I am worried about denial of service or blocking by spam filters if
> providers are not aware this is coming.
>
> I am hoping this group is a good medium to get the word out to inform
> the community of this impending event.
>
> At this time I am unable to provide the link or email address, but will
> do so on Thursday evening if it is of value.
>
> Any thoughts?

Posting to the news.admin.net-abuse.email newsgroup would definitely be a
good idea. The worst bunch to deal with is the SPEWS crew, and that's
their only contact method.

However, you don't really run too much risk; we provide co-location
services for an organization that does large opt-in only mailings
(financial services newsletters, catalogs, etc). They get almost NO
complaints, which is absolutely amazing considering the amount of mail
they send out. The complaints they do get are swiftly met with proof of
opt-in, which you guys will obviously have. They haven't had problems with
blacklists, and have been in business for several years.

If you were to provide evidence of the request in the email that you send
out, and considering that this is basically an anti-phone-spam service,
I'm willing to wager your complaint rate will be very minimal, especially
if the email arrives quickly after the request for processing.

Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---

Re: Major E-mail Delivery for FTC DNCR Launch

[Steven M. Bellovin]

In message <[EMAIL PROTECTED]>
, "Callahan, Richard M, SOLGV" writes:
>
>Good Afternoon 
> and forgive the new guy if I break any rules or conventions.
>
>I work for AT&T Government Solutions and we are about to launch the Do Not Cal
>l Registry for the Federal Trade Commission.  At a high level this allows cons
>umers to register their phone numbers to  keep most telemarketers from calling
> their homes.  Penalties for calling a consumer on the list can be $11K per ca
>ll and enforcement begins in October.
>
>We are launching consumer registrations on Friday.  My concern:
>
> - every registration using the web generates an email which must be opened to
> complete the registration process
>
>We are looking at the potential of MILLIONS OF EMAILS PER DAY beginning Friday
>.  These will be from the same address and have the same subject line.
>
>I am worried about denial of service or blocking by spam filters if providers 
>are not aware this is coming.
>
>I am hoping this group is a good medium to get the word out to inform the comm
>unity of this impending event.
>
>At this time I am unable to provide the link or email address, but will do so 
>on Thursday evening if it is of value.
>

You should definitely contact the postmasters for some of the major 
consumer ISPs -- they often have their own filtering policies and 
procedures.  AOL's policies have been discussed on this list in the 
past.  Also watch out for Earthlink's challenge/response scheme.

--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com (2nd edition of "Firewalls" book)

Re: Latency generator?

[Andy Dills]

On Wed, 25 Jun 2003, David Barak wrote:

>
> Try a 486 with two ethernet cards - that'll introduce
> PLENTY of latency :)  Not too configurable, but it
> sure is cheap...

If you say so...I've seen plenty a 486 route 10 megs without breaking a
sweat.

FreeBSD 2.1 in the hizzy!

Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---

Re: Major E-mail Delivery for FTC DNCR Launch

[Andy Dills]

On Wed, 25 Jun 2003, Callahan, Richard M, SOLGV wrote:

>
> Good Afternoon
>  and forgive the new guy if I break any rules or conventions.
>
> I work for AT&T Government Solutions and we are about to launch the Do
> Not Call Registry for the Federal Trade Commission.  At a high level
> this allows consumers to register their phone numbers to keep most
> telemarketers from calling their homes.  Penalties for calling a
> consumer on the list can be $11K per call and enforcement begins in
> October.

And we thank you for it. If only you could apply this approach to spam...
:(

> We are launching consumer registrations on Friday.  My concern:
>
>  - every registration using the web generates an email which must be
> opened to complete the registration process
>
> We are looking at the potential of MILLIONS OF EMAILS PER DAY beginning
> Friday.  These will be from the same address and have the same subject
> line.
>
> I am worried about denial of service or blocking by spam filters if
> providers are not aware this is coming.
>
> I am hoping this group is a good medium to get the word out to inform
> the community of this impending event.
>
> At this time I am unable to provide the link or email address, but will
> do so on Thursday evening if it is of value.
>
> Any thoughts?

Posting to the news.admin.net-abuse.email newsgroup would definitely be a
good idea. The worst bunch to deal with is the SPEWS crew, and that's
their only contact method.

However, you don't really run too much risk; we provide co-location
services for an organization that does large opt-in only mailings
(financial services newsletters, catalogs, etc). They get almost NO
complaints, which is absolutely amazing considering the amount of mail
they send out. The complaints they do get are swiftly met with proof of
opt-in, which you guys will obviously have. They haven't had problems with
blacklists, and have been in business for several years.

If you were to provide evidence of the request in the email that you send
out, and considering that this is basically an anti-phone-spam service,
I'm willing to wager your complaint rate will be very minimal, especially
if the email arrives quickly after the request for processing.

Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---

Re: Latency generator?

[David Barak]

Try a 486 with two ethernet cards - that'll introduce
PLENTY of latency :)  Not too configurable, but it
sure is cheap...

-David Barak

--- "Temkin, David" <[EMAIL PROTECTED]> wrote:
> Does anyone know of any free, cheap, or potentially
> rentable latency
> generators?  Ideally I'd like something that just
> sits between two ethernet
> devices to induce layer 2/3 latency in traffic, but
> am open to any
> options...
> 
> 
> 
> David Temkin
> S-I-G
> 401 City Avenue
> Bala Cynwyd, PA 19004
> http://www.sig.com  
> 
> 
> 
> IMPORTANT:The information contained in this email
> and/or its attachments is
> confidential. If you are not the intended recipient,
> please notify the
> sender immediately by reply and immediately delete
> this message and all its
> attachments.  Any review, use, reproduction,
> disclosure or dissemination of
> this message or any attachment by an unintended
> recipient is strictly
> prohibited.  Neither this message nor any attachment
> is intended as or
> should be construed as an offer, solicitation or
> recommendation to buy or
> sell any security or other financial instrument. 
> Neither the sender, his or
> her employer nor any of their respective affiliates
> makes any warranties as
> to the completeness or accuracy of any of the
> information contained herein
> or that this message or any of its attachments is
> free of viruses.
> 
> 
> 


=
David Barak
-fully RFC 1925 compliant-

__
Do you Yahoo!?
SBC Yahoo! DSL - Now only $29.95 per month!
http://sbc.yahoo.com

Major E-mail Delivery for FTC DNCR Launch

[Callahan, Richard M, SOLGV]

Good Afternoon 
 and forgive the new guy if I break any rules or conventions.

I work for AT&T Government Solutions and we are about to launch the Do Not Call 
Registry for the Federal Trade Commission.  At a high level this allows consumers to 
register their phone numbers to  keep most telemarketers from calling their homes.  
Penalties for calling a consumer on the list can be $11K per call and enforcement 
begins in October.

We are launching consumer registrations on Friday.  My concern:

 - every registration using the web generates an email which must be opened to 
complete the registration process

We are looking at the potential of MILLIONS OF EMAILS PER DAY beginning Friday.  These 
will be from the same address and have the same subject line.

I am worried about denial of service or blocking by spam filters if providers are not 
aware this is coming.

I am hoping this group is a good medium to get the word out to inform the community of 
this impending event.

At this time I am unable to provide the link or email address, but will do so on 
Thursday evening if it is of value.

Any thoughts?

Richard M. Callahan
Client Business Manager
AT&T Government Solutions
Office:  (703)506-5780
Mobile: (703)608-0665
Fax: (703)245-3749

Lol - I guess we can all just put IPV6 back in the box.

[Drew Weaver]

http://news.com.com/2100-1028_3-1020653.html?tag=fd_top

 

-Drew

 

Re: Country of Origin for Malicious Attacks

[sgorman1]

Thanks for all the replies.  I was not sure how to tackle the origin problem, so I 
figured I'd leave it wide open.  Both origin as seen by the network, prima facia, and 
orgin as traced through proxies etc. are useful.  Please send along either, but maybe 
a discalimer saying which would be useful.  

Many thanks,

sean

- Original Message -
From: "Scott A. McIntyre" <[EMAIL PROTECTED]>
Date: Wednesday, June 25, 2003 12:46 pm
Subject: Re: Country of Origin for Malicious Attacks

> 
> 
> Hi,
> 
> >> : I was wondering if folks had noticed any trends with 
> malicious network
> >> : attacks predominantly originating from any individual or 
> group of
> >> : countries.  Any observations, comments or help would be greatly
> >> : appreciated.
> 
> As I'm sure will be mentioned a few dozen times by the time this 
> message 
> gets to the list, "origin" isn't as simple as where the packets 
> you see 
> come from.
> 
> Malicious attacks can and do come from many places, people, 
> groups, 
> organizations -- utilizing any number of compromised systems, 
> trojans, 
> bots, proxies, truly malicious attacks can often be as difficult 
> to trace 
> as a Hollywood movie phone call, routing through a dozen systems 
> in as many 
> countries.
> 
> If people replying on this thread mean that they've actually 
> tracked the 
> true source of the malicious activity back to 
> (.it|.cn|.ro|.ru|.fr|...) by 
> working with network and system administrators then it might be 
> useful to 
> point that part out, as well as share how you found responsible 
> contacts 
> who verified your investigations and assisted for some of these 
> (and many 
> other) countries.
> 
> Scott
> 
> 
> 

Re: Latency generator?

[Bradley Dunn]

Temkin, David wrote:
Does anyone know of any free, cheap, or potentially rentable latency 
generators?  Ideally I'd like something that just sits between two 
ethernet devices to induce layer 2/3 latency in traffic, but am open to 
any options...
NIST Net: http://snad.ncsl.nist.gov/itg/nistnet/

Bradley

Re: Latency generator?

[David G. Andersen]

On Wed, Jun 25, 2003 at 12:48:29PM -0400, Temkin, David quacked:
> Does anyone know of any free, cheap, or potentially rentable latency
> generators?  Ideally I'd like something that just sits between two ethernet
> devices to induce layer 2/3 latency in traffic, but am open to any
> options...

Dummynet.  We use it at Emulab (http://www.emulab.net/) to do
exactly what you're describing.  You have to use it in conjunction
with the bridging code, and then you can just do it.  By default,
it still uses the ipfw firewall rules to match traffic, so it only
delays IP, but that could probably be fixed with a little hacking
if you also want to delay ARP and other things.

Built into FreeBSD.  Should work mostly out of the box.
It'll also do traffic shaping and whatnot.

Your .signature disclaimer was longer than your message, by the way. ;-)

  -Dave

-- 
work: [EMAIL PROTECTED]  me:  [EMAIL PROTECTED]
  MIT Laboratory for Computer Science   http://www.angio.net/
  I do not accept unsolicited commercial email.  Do not spam me.

Re: Latency generator?

[Kevin Oberman]

> From: "Temkin, David" <[EMAIL PROTECTED]>
> Date: Wed, 25 Jun 2003 12:48:29 -0400
> Sender: [EMAIL PROTECTED]
> 
> Does anyone know of any free, cheap, or potentially rentable latency
> generators?  Ideally I'd like something that just sits between two ethernet
> devices to induce layer 2/3 latency in traffic, but am open to any
> options...

dummynet(4)? It's a standard part of FreeBSD and may be in other BSDs.
It's very configurable to generate delays, congestion like behavior
and such.

NAME
 dummynet - traffic shaper, bandwidth manager and delay emulator

DESCRIPTION
 dummynet is a system facility that permits the control of traffic going
 through the various network interfaces, by applying bandwidth and queue
 size limitations, implementing different scheduling and queue management
 policies, and emulating delays and losses.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: [EMAIL PROTECTED]   Phone: +1 510 486-8634

Re: Latency generator?

[Rick Ernst]

FreeBSD and DUMMYNET?

On Wed, 25 Jun 2003, Temkin, David wrote:

:>Does anyone know of any free, cheap, or potentially rentable latency
:>generators?  Ideally I'd like something that just sits between two ethernet
:>devices to induce layer 2/3 latency in traffic, but am open to any
:>options...
:>
:>
:>
:>David Temkin
:>S-I-G
:>401 City Avenue
:>Bala Cynwyd, PA 19004
:>http://www.sig.com 
:>
:>
:>
:>IMPORTANT:The information contained in this email and/or its attachments is
:>confidential. If you are not the intended recipient, please notify the
:>sender immediately by reply and immediately delete this message and all its
:>attachments.  Any review, use, reproduction, disclosure or dissemination of
:>this message or any attachment by an unintended recipient is strictly
:>prohibited.  Neither this message nor any attachment is intended as or
:>should be construed as an offer, solicitation or recommendation to buy or
:>sell any security or other financial instrument.  Neither the sender, his or
:>her employer nor any of their respective affiliates makes any warranties as
:>to the completeness or accuracy of any of the information contained herein
:>or that this message or any of its attachments is free of viruses.
:>
:>
:>

RE: Country of Origin for Malicious Attacks

[McBurnett, Jim]

Sean,
of the scans I get and have seen..
60% APNIC region
Most noteably- Taiwan, China, and Korea (north)
20% RIPE 
Most noteable- Former Soviet Block nations then
Scandanavian countries...
20% ARIN/LACNIC

This is a rough estimate from the last 3 weeks...

I guess you may be after this kind of fact:
When I blocked HINET
(Taiwan based-- has a single /16 to my knowledge)
I cut scans/probes by 20%


Later,
Jim


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 11:58 AM
To: [EMAIL PROTECTED]
Subject: Country of Origin for Malicious Attacks




I was wondering if folks had noticed any trends with malicious 
network attacks predominantly originating from any individual 
or group of countries.  Any observations, comments or help 
would be greatly appreciated.

Thanks,

sean

Latency generator?

[Temkin, David]

Title: Latency generator?





Does anyone know of any free, cheap, or potentially rentable latency generators?  Ideally I'd like something that just sits between two ethernet devices to induce layer 2/3 latency in traffic, but am open to any options...



David Temkin
S-I-G
401 City Avenue
Bala Cynwyd, PA 19004
http://www.sig.com




IMPORTANT:The information contained in this email and/or its attachments is confidential. If you are not the intended recipient, please notify the sender immediately by reply and immediately delete this message and all its attachments.  Any review, use, reproduction, disclosure or dissemination of this message or any attachment by an unintended recipient is strictly prohibited.  Neither this message nor any attachment is intended as or should be construed as an offer, solicitation or recommendation to buy or sell any security or other financial instrument.  Neither the sender, his or her employer nor any of their respective affiliates makes any warranties as to the completeness or accuracy of any of the information contained herein or that this message or any of its attachments is free of viruses.

Re: Country of Origin for Malicious Attacks

[Scott A. McIntyre]

Hi,

: I was wondering if folks had noticed any trends with malicious network
: attacks predominantly originating from any individual or group of
: countries.  Any observations, comments or help would be greatly
: appreciated.
As I'm sure will be mentioned a few dozen times by the time this message 
gets to the list, "origin" isn't as simple as where the packets you see 
come from.

Malicious attacks can and do come from many places, people, groups, 
organizations -- utilizing any number of compromised systems, trojans, 
bots, proxies, truly malicious attacks can often be as difficult to trace 
as a Hollywood movie phone call, routing through a dozen systems in as many 
countries.

If people replying on this thread mean that they've actually tracked the 
true source of the malicious activity back to (.it|.cn|.ro|.ru|.fr|...) by 
working with network and system administrators then it might be useful to 
point that part out, as well as share how you found responsible contacts 
who verified your investigations and assisted for some of these (and many 
other) countries.

Scott

Re: Country of Origin for Malicious Attacks

[Adam Debus]

We've also had a high amount of attacks from .de and .it.

Thanks,

Adam Debus
Linux Certified Professional, Linux Certified Administrator #447641
Network Administrator, ReachONE Internet
[EMAIL PROTECTED]
- Original Message - 
From: "Scott Weeks" <[EMAIL PROTECTED]>
To: "netadm" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, June 25, 2003 9:09 AM
Subject: RE: Country of Origin for Malicious Attacks


> 
> 
> 
> 
> 
> My observations lately concur with that.   .fr .cn .kr (and a sprinkling
> of .nl) with .fr way in the lead here.  :-(
> 
> scott
> 
> 
> 
> On Wed, 25 Jun 2003, netadm wrote:
> 
> :
> : Outside of the U.S., I'll nominate France and the Pacific Rim
> : countries.
> :
> : -Original Message-
> : From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> : Sent: Wednesday, June 25, 2003 11:58 AM
> : To: [EMAIL PROTECTED]
> : Subject: Country of Origin for Malicious Attacks
> :
> :
> :
> :
> : I was wondering if folks had noticed any trends with malicious network
> : attacks predominantly originating from any individual or group of
> : countries.  Any observations, comments or help would be greatly
> : appreciated.
> :
> : Thanks,
> :
> : sean
> :
> :
> :
> 
> 

RE: Country of Origin for Malicious Attacks

[Scott Weeks]

My observations lately concur with that.   .fr .cn .kr (and a sprinkling
of .nl) with .fr way in the lead here.  :-(

scott



On Wed, 25 Jun 2003, netadm wrote:

:
: Outside of the U.S., I'll nominate France and the Pacific Rim
: countries.
:
: -Original Message-
: From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
: Sent: Wednesday, June 25, 2003 11:58 AM
: To: [EMAIL PROTECTED]
: Subject: Country of Origin for Malicious Attacks
:
:
:
:
: I was wondering if folks had noticed any trends with malicious network
: attacks predominantly originating from any individual or group of
: countries.  Any observations, comments or help would be greatly
: appreciated.
:
: Thanks,
:
: sean
:
:
:

RE: Country of Origin for Malicious Attacks

[netadm]

Outside of the U.S., I'll nominate France and the Pacific Rim countries.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 25, 2003 11:58 AM
To: [EMAIL PROTECTED]
Subject: Country of Origin for Malicious Attacks




I was wondering if folks had noticed any trends with malicious network
attacks predominantly originating from any individual or group of
countries.  Any observations, comments or help would be greatly
appreciated.

Thanks,

sean

Country of Origin for Malicious Attacks

[sgorman1]

I was wondering if folks had noticed any trends with malicious network attacks 
predominantly originating from any individual or group of countries.  Any 
observations, comments or help would be greatly appreciated.

Thanks,

sean