nanog@merit.edu

2003-09-24 Thread Matt Levine


On Sep 24, 2003, at 11:55 PM, Steven Schecter wrote:



> Has anyone noticed excessively high latency between Global Crossing and
> AT&T?  From what I've gathered, the PNIs between Global Crossing and AT&T
> are completely maxed out.  The word is AT&T will not increase peering
> capacity with Global Crossing since they're in bankruptcy protection.  I am
> certain that this is affecting a large number of both Global Crossing and
> AT&T customers.  I think it's fair to say that both Global Crossing and
> AT&T are amongst the larger Tier 1 providers out there, it's shameful that
> they can't come to an agreement on upgrading capacity.

A little poking around in the att/gblx route servers shows that capacity
issues in NYC/WDC are in the GBLX->ATT direction, FWIW..





--
Matt Levine <[EMAIL PROTECTED]>
"The Trouble with doing anything right the first time is that nobody 
appreciates how difficult it was."  -BIX



Re: Any way to P-T-P Distribute the RBL lists?

2003-09-24 Thread Todd Vierling

On Wed, 24 Sep 2003, Eric Kuhnke wrote:

: Distribute the RBL list via Freenet ( http://freenet.sourceforge.net/ )
:
: It's slow, but nearly impossible to suppress...

If you're on [EMAIL PROTECTED], someone has created a whole
proposal about this.  I offered Entropy (http://entropy.stop1984.com/) as a
possible alternative or additional distribution network; it's written in C,
much faster, and still presents the same user-facing client protocols (FCP
and http).

-- 
-- Todd Vierling <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>


nanog@merit.edu

2003-09-24 Thread Steven Schecter


Has anyone noticed excessively high latency between Global Crossing and
AT&T?  From what I've gathered, the PNIs between Global Crossing and AT&T
are completely maxed out.  The word is AT&T will not increase peering
capacity with Global Crossing since they're in bankruptcy protection.  I am
certain that this is affecting a large number of both Global Crossing and
AT&T customers.  I think it's fair to say that both Global Crossing and
AT&T are amongst the larger Tier 1 providers out there, it's shameful that
they can't come to an agreement on upgrading capacity.

bash-2.05a$ traceroute www.att.net
traceroute to www.att.net (204.127.166.135), 64 hops max, 40 byte packets
[..]
 4  0.so-0-2-0.gbr2.nwr.nac.net (209.123.11.234)  1.991 ms  2.254 ms  1.908 ms
 5  5.ge-0-0-0.gbr1.nwr.nac.net (209.123.11.221)  2.063 ms  10.506 ms  2.075 ms
 6  so-0-2-1.ar1.JFK1.gblx.net (64.211.83.61)  2.576 ms  2.704 ms  4.343 ms
 7  pos3-0-2488M.cr2.JFK1.gblx.net (67.17.72.17)  2.564 ms  2.577 ms  2.125 ms
 8  pos0-0-2488M.cr2.NYC1.gblx.net (67.17.64.138)  2.681 ms  2.698 ms  2.270 ms
 9  so6-0-0-2488M.ar2.NYC1.gblx.net (67.17.64.158)  2.760 ms  2.724 ms  2.748 ms
10  208.51.134.6 (208.51.134.6)  144.483 ms  146.267 ms  143.238 ms
11  tbr1-p011601.n54ny.ip.att.net (12.123.1.122)  148.627 ms  153.665 ms  150.902 ms
12  tbr1-cl1.cgcil.ip.att.net (12.122.10.2)  171.625 ms  175.044 ms  170.965 ms
13  tbr2-p012501.cgcil.ip.att.net (12.122.9.134)  175.628 ms  172.361 ms  174.355 ms
14  tbr2-cl7.sl9mo.ip.att.net (12.122.10.46)  179.093 ms^C


regards,
/sjs

-- 
Steven J. Schecter  ::   Just a spoon full of MEDs
<[EMAIL PROTECTED]>   ::   make the routes flow down



Re: 419 with a twist

2003-09-24 Thread Valdis . Kletnieks
On Wed, 24 Sep 2003 13:09:56 -, "Stephen J. Wilcox" <[EMAIL PROTECTED]> said:
>
> for amusement thought the list might like to see my latest 419 email with not a
> single african government official in sight. amused us all here anyhow, not seen
> anything like this before!

I can do you one better (though it's possible these guys are both cashing in
*AND* actually legit.. ;)

Spam from [EMAIL PROTECTED]:

Dear Sir /Madam,

If you are currently considering or presently engaged in a business transaction
with a Nigerian whose legitimacy you can not confirm or you might as well be
involved in a transaction regarding transfer of funds, whose authenticity you
are not sure of.Or have you been the brunt of an extensive swindle and you are
interested in locating the individuals that conned your money away from you?
Then we can be of assistance to you.You can visit us at our website
www.investigatenigerians.com  for more
information, or e-mail us at [EMAIL PROTECTED]
 All inquires will be treated with the
strictest confidentiality.

Yours Sincerely,
Mr. Francis Aniekwu.
Chief Investigator.

Note: Due to the recent alarming rate of 419 activities, we unadvoidably have
to adopt the same pattern of these 419 operators, which is mass-mailing. This
mail was sent to you randomly, so please forward to friends or family who might
end up being or were victims of an elaborate swindle that involved Nigerians.





workaround published for BIND8 and delegation-only

2003-09-24 Thread Paul Vixie

so far, the BIND8 code itself has been resistant to this feature, but...

see the current http://www.isc.org/products/BIND/delegation-only.html page.


Re: Any way to P-T-P Distribute the RBL lists?

2003-09-24 Thread Eric Kuhnke

Distribute the RBL list via Freenet ( http://freenet.sourceforge.net/ )

It's slow, but nearly impossible to suppress...

At 10:30 PM 9/24/2003 -0400, you wrote:

> I know you all have probably already thought of this, but can anyone
> think of a feasible way to run a RBL list that does not have a single point of
> failure? Or any attackable entry?
>
> Disregard this if I'm totally out of line, but it would seem to me that this would be
> possible.
>
> Thanks,
>
> -Drew




Re: Any way to P-T-P Distribute the RBL lists?

2003-09-24 Thread Eric Kagan



    
> I know you all have probably already thought of this, but can anyone think of a
> feasible way to run a RBL list that does not have a single point of failure? Or
> any attackable entry?

Subscription based and / or firewalled by approved IP ?

> Disregard this if I'm totally out of line, but it would seem to me that this would be
> possible.
>
> Thanks,
> -Drew


Re: Any way to P-T-P Distribute the RBL lists?

2003-09-24 Thread william


Send RBL lists & updates by email :)

I'm mostly serious - rbl lists can be easily incorporated as special filter
for email or it can run internal rbl (rbldns is very small code), emails
sent with specific characteristics can be filtered to trigger the update
(all such emails would need to be signed and signature can be verified by 
recipient mail server to be one on its allowed rbl list). Any attempts to 
DoS origin of such email updates would be useless as origin can be changed 
very easily and the updates do not depend on working dns. Blacklist's 
websites would still be subject to DoS attacks, but that is separate 
issue and would not stop with blacklist actual use.

On Wed, 24 Sep 2003, Drew Weaver wrote:

> I know you all have probably already thought of this, but can
> anyone think of a feasible way to run a RBL list that does not have a single
> point of failure? Or any attackable entry?
> 
>  
> 
> Disregard this if im totally out of line, but it would seem to me that this
> would be possible.
> 
>  
> 
> Thanks,
> 
> -Drew

-- 
William Leibzon
Elan Networks
[EMAIL PROTECTED]




Re: williams spamhaus blacklist

2003-09-24 Thread Dan Hollis

On Wed, 24 Sep 2003, Andy Walden wrote:
> On Wed, 24 Sep 2003, Leo Bicknell wrote:
> > Osama and his followers told us for years they didn't like what we
> > were doing, and then escalated by flying a plane into a building
> > to "get our attention".  That must have been ok by the same logic.
> Godwin's Law should probably be extended to September 11 references.

I was thinking exactly the same thing. 9/11 has become the rallying cry of 
those on the losing side of a debate.

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]



Any way to P-T-P Distribute the RBL lists?

2003-09-24 Thread Drew Weaver








I know you all have probably already thought of
this, but can anyone think of a feasible way to run a RBL list that does not
have a single point of failure? Or any attackable entry?

Disregard this if I'm totally out of line, but it would seem
to me that this would be possible.

Thanks,

-Drew








Re: williams spamhaus blacklist

2003-09-24 Thread Dr. Jeffrey Race

On Wed, 24 Sep 2003 20:01:48 -0400, Leo Bicknell wrote:

>Blocking wcg's corporate mail servers is not the solution. 

It is the ONLY solution that works, as shown many times including
the case just posted to this list about Sprint.

>Sure, it may get
>someone's attention at wcg, but it may also harm a lot of "innocent"
>communications, sales talking to clients, other wiltel customers
>requesting support, heck, the secretary ordering lunch to be
>delivered.

These people are also victims of bad corporate management and
they should complain to their managers, not to their fellow victims.

>
>There are laws against spam.  If you have evidence, sue in civil
>court, or get a DA to go for it in criminal court.

There are no presently enforceable laws for this kind of corporate
abuse.  The only thing that works is hitting the malefactors directly.

Regarding BLs: no one forces anyone to use them.   They are used  
because recipients don't want to get trash.

Those with a quiet moment who want to see a novel, amusing and detailed
ventilation of this issue may take a look at

   (some details dated)
and
    (work in progress)

I'd welcome any comments.

Jeffrey Race



Re: williams spamhaus blacklist

2003-09-24 Thread Eliot Lear
Andy Walden wrote:
> Godwin's Law should probably be extended to September 11 references.

Walden's Corollary?

;-)

Eliot




Re: williams spamhaus blacklist

2003-09-24 Thread Avleen Vig

On Wed, Sep 24, 2003 at 08:01:48PM -0400, Leo Bicknell wrote:
> What you're missing in my argument is that it doesn't matter.  I
> have no idea who Eddy Marin is, nor do I care.  Blocking wcg's
> corporate mail servers is not the solution.  Sure, it may get
> someone's attention at wcg, but it may also harm a lot of "innocent"
> communications, sales talking to clients, other wiltel customers
> requesting support, heck, the secretary ordering lunch to be
> delivered.

Your first statement isn't true. Of course you care. If you didn't care
who was spamming, you wouldn't be using a DNSBL to block them.
By using a BL to block spammers, you are saying you don't want to
receive spam. The terms of use are known and clearly listed on each BL's
site.
You should have known that SBL would do this in extreme cases, if you
chose to use them.


Re: williams spamhaus blacklist

2003-09-24 Thread Andy Walden


On Wed, 24 Sep 2003, Leo Bicknell wrote:

> Osama and his followers told us for years they didn't like what we
> were doing, and then escalated by flying a plane into a building
> to "get our attention".  That must have been ok by the same logic.

Godwin's Law should probably be extended to September 11 references.

andy
--
PGP Key Available at http://www.tigerteam.net/andy/pgp


RE: what to do about joe-jobs?

2003-09-24 Thread badkarma2

> Speaking of joe-jobs, what's the "proper" procedure for
> dealing with such?  The company I work for is currently
> undergoing an admittedly minor joe-job.
> (about 300 or so bounces that I've seen since mid last
> week or so.)
>
> Any suggestions for dealing with this?

What domains are you seeing the joe-jobs from? We see
a lot of joe jobbing attacks from the large webmail
providers eg. yahoo.com, hotmail.com, aol.com,
netscape.net, etc. A promising response that we've been
following is Sender Permitted From http://spf.pobox.com
. It's basically a reverse RBL. The owner of a domain
identifies IPs that are allowed to send mail for that
domain in a TXT DNS record. The rest are tagged with a
wildcard deny or probably softdeny initially. If
yahoo.com, hotmail.com etc alone just added the DNS
records, we'd all be able to identify joe-jobbers of
these domains. It won't help their own spam situation
but it'd help our massive attacks of spoofed email.
Spammers seem to use these big providers since blocking
all of hotmail.com or yahoo.com is tough for other
providers.
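
How a receiving mail server would apply such a record, as an added example that is not part of the original post: it assumes the `v=spf1` TXT syntax under which this proposal was later standardized (RFC 7208) and evaluates only the `ip4`, `ip6` and `all` terms. The record, the relay addresses (documentation ranges) and all function names are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Result is the outcome of checking one connecting IP against one record.
type Result string

const (
	Pass        Result = "pass"        // IP is listed by the domain owner
	Fail        Result = "fail"        // "-all": the hard deny the post mentions
	SoftFail    Result = "softfail"    // "~all": the soft deny for early rollout
	Neutral     Result = "neutral"     // "?all", or no term matched
	None        Result = "none"        // TXT record is not an SPF record
	Unsupported Result = "unsupported" // input this sketch does not evaluate
)

// splitQualifier strips the optional leading qualifier from a term.
func splitQualifier(term string) (Result, string) {
	switch term[0] {
	case '+':
		return Pass, term[1:]
	case '-':
		return Fail, term[1:]
	case '~':
		return SoftFail, term[1:]
	case '?':
		return Neutral, term[1:]
	}
	return Pass, term // no qualifier means "+"
}

// parseNet accepts "192.0.2.0/24" as well as a bare address.
func parseNet(arg string) (netip.Prefix, error) {
	if strings.Contains(arg, "/") {
		p, err := netip.ParsePrefix(arg)
		if err != nil {
			return netip.Prefix{}, err
		}
		return p.Masked(), nil
	}
	a, err := netip.ParseAddr(arg)
	if err != nil {
		return netip.Prefix{}, err
	}
	return netip.PrefixFrom(a, a.BitLen()), nil
}

// Check evaluates clientIP against the TXT record text, left to right;
// the first matching term decides the result.
func Check(record, clientIP string) Result {
	terms := strings.Fields(record)
	if len(terms) == 0 || !strings.EqualFold(terms[0], "v=spf1") {
		return None
	}
	ip, err := netip.ParseAddr(clientIP)
	if err != nil {
		return Unsupported // not an IP address
	}
	ip = ip.Unmap() // treat ::ffff:a.b.c.d as plain IPv4
	for _, term := range terms[1:] {
		result, mech := splitQualifier(term)
		name, arg, _ := strings.Cut(mech, ":")
		switch name = strings.ToLower(name); name {
		case "all":
			return result
		case "ip4", "ip6":
			pfx, err := parseNet(arg)
			if err != nil || pfx.Addr().Is4() != (name == "ip4") {
				return Unsupported // malformed term
			}
			if pfx.Contains(ip) {
				return result
			}
		default:
			return Unsupported // include, a, mx, ... need live DNS
		}
	}
	return Neutral
}

// Classify tallies results for the relay IPs seen on a batch of messages
// that all claim to come from the domain publishing record.
func Classify(record string, relays []string) map[Result]int {
	counts := make(map[Result]int)
	for _, ip := range relays {
		counts[Check(record, ip)]++
	}
	return counts
}

func main() {
	// Constructed record and relay addresses.
	record := "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:25::/48 ~all"
	relays := []string{"192.0.2.25", "198.51.100.7", "203.0.113.99", "2001:db8:25::1"}
	for _, ip := range relays {
		fmt.Printf("%-16s %s\n", ip, Check(record, ip))
	}
	fmt.Println(Classify(record, relays))
}
```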


Re: williams spamhaus blacklist

2003-09-24 Thread Justin Shore

On Wed, 24 Sep 2003 [EMAIL PROTECTED] wrote:

> Customers who use blacklists compiled by vengeance-oriented folk deserve 
> what they get: No email.
> 
> Suggested solutions:
> a) whitelist williams
> b) stop using SBLs similar to spamhaus.
> 
> It is a question of trust: Do you trust spamhaus to block 'evil' spammers? 
> 
> Do you trust them after they blocked important mails to your clients that
> could -not- -possibly- have been spam?
> 
> Make your own conclusions.
> 
> -alex
> 

Providers that sleep the dogs deserve exactly what they get: No email.

Suggested solutions:
a) find an ethical provider that responds to abuse complaints
b) I can't think of anything better than a.

It is a question of trust: Do you trust Williams to be ethical to their 
Internet peers and respond to abuse issues?

Do you trust them after they -repeatedly- -ignore- abuse complaints
regarding your clients receiving spam from a spamhaus on their network?

Make your own conclusions.

-justin



Re: williams spamhaus blacklist

2003-09-24 Thread Leo Bicknell
In a message written on Wed, Sep 24, 2003 at 07:42:39PM -0400, Richard Welty wrote:
> there's nothing alleged about it. the Eddy Marin spam gang in Boca Raton is
> one of the nastiest bunches of vile spamming slime you will ever see. this
> is all extremely well documented. go see the spamhaus site for
> documentation, it's all there.

What you're missing in my argument is that it doesn't matter.  I
have no idea who Eddy Marin is, nor do I care.  Blocking wcg's
corporate mail servers is not the solution.  Sure, it may get
someone's attention at wcg, but it may also harm a lot of "innocent"
communications, sales talking to clients, other wiltel customers
requesting support, heck, the secretary ordering lunch to be
delivered.

There are laws against spam.  If you have evidence, sue in civil
court, or get a DA to go for it in criminal court.  Don't lob a
hand grenade in the general direction of the spammer and hope it
all comes out ok.

Osama and his followers told us for years they didn't like what we
were doing, and then escalated by flying a plane into a building
to "get our attention".  That must have been ok by the same logic.

-- 
   Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - [EMAIL PROTECTED], www.tmbg.org




Re[2]: williams spamhaus blacklist

2003-09-24 Thread Richard Welty

On Wed, 24 Sep 2003 16:28:52 -0700 Scott Granados <[EMAIL PROTECTED]> wrote:
> Even though this is off topic, I'd have to say that this seems very odd
> from
> SpamHaus.  They never seemed to isolate entire ranges but seemed more
> specific.  I can also say they were very fast to remove issues once the
> spammers were removed and were also quite helpful.
 
> I wonder does this strategy demonstrate some sort of change or is it
> just a
> one off?

disclaimer: i do not speak for spamhaus. i have used the sbl for many
years, found it effective, and believe that steve linford and his crew are
honestly trying to do a good job with a difficult project.

now, to answer your question.

spamhaus normally is extremely focused. they keep detailed records that
explain why they have chosen to block specific ranges. they are oriented
towards spammers of fixed address, that is, they don't chase open relays,
they don't chase abused proxies, or anything of that sort. there are other
lists that perform those functions.

the blacklisting of ISP ranges is very rare, it only occurs perhaps once a
year, in extreme cases. several years ago, the sbl listed sprint's corporate
mail servers during a period when sprint was providing connectivity for
many spamhausen. sprint responded by appointing a new head of abuse, and
giving him the power to terminate spammers. sprint's corporate mail servers
were delisted, and their network is now fairly clean. we don't jokingly
call their service "sprintpink" any more.

it takes a lot to get your ISP's corporate mail servers listed on the sbl.
wcg's problems must be pretty severe.

in another message, Leo Bicknell referred to Eddy Marin & crew as (i think)
"alleged spammers".

there's nothing alleged about it. the Eddy Marin spam gang in Boca Raton is
one of the nastiest bunches of vile spamming slime you will ever see. this
is all extremely well documented. go see the spamhaus site for
documentation, it's all there.

cheers,
  richard
(the scary thing is that spamming may be the closest thing to a legitimate
 business that Eddy Marin has ever been involved in.)
-- 
Richard Welty [EMAIL PROTECTED]
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security




Re: williams spamhaus blacklist

2003-09-24 Thread Scott Granados

Even though this is off topic, I'd have to say that this seems very odd from
SpamHaus.  They never seemed to isolate entire ranges but seemed more
specific.  I can also say they were very fast to remove issues once the
spammers were removed and were also quite helpful.

I wonder does this strategy demonstrate some sort of change or is it just a
one off?

- Original Message - 
From: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, September 24, 2003 2:14 PM
Subject: Re: williams spamhaus blacklist


>
> > Maybe I've missed something but since when did spamhaus become vengeance
> > oriented? All we try to do is eliminate as much spam as we can using a
> > wide variety of blacklists at the same time.
> The moment they started blacklisting IPs that never sent spam. (AKA
> williams corporate mail servers).
>
> -alex
>
>



Re: williams spamhaus blacklist

2003-09-24 Thread Gary E. Miller

Yo Leo!

On Wed, 24 Sep 2003, Leo Bicknell wrote:

> So, they have decided since WilTil has one (alleged?) spammer
> customer none of wiltel should be allowed to send or receive e-mail
> anymore.

Works for me.  Zero tolerance for those writing pink contracts with
known spam gangs.

Please send further complaints to WilTel not Nanog.

RGDS
GARY
---
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
[EMAIL PROTECTED]  Tel:+1(541)382-8588 Fax: +1(541)382-8676



RE: williams spamhaus blacklist

2003-09-24 Thread McBurnett, Jim

this is not without precedent.. 
Anyone from Cable and Wireless listening?
If I remember correctly, Cable and Wireless was blocked last year
or earlier this year by a similar ploy.
And I also seem to remember them making major
complaints over on the SPAM-L list.. 

Later,
J


> -Original Message-
> From: Leo Bicknell [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 24, 2003 6:30 PM
> To: [EMAIL PROTECTED]
> Subject: Re: williams spamhaus blacklist
> 
> 
> In a message written on Wed, Sep 24, 2003 at 05:14:04PM 
> -0400, [EMAIL PROTECTED] wrote:
> > The moment they started blacklisting IPs that never sent spam. (AKA 
> > williams corporate mail servers).
> 
> For those who care:
> 
> http://www.spamhaus.org/sbl/sbl.lasso?query=SBL10731
> 
> I quote:
> 
> ] WilTel Communications Group's Corporate Mail Relays
> ] Continued hosting of Eddy Marin spam gang and others have 
> caused this
> ] listing. Previous warnings and spam reports had no effect.
> 
> So, they have decided since WilTil has one (alleged?) spammer
> customer none of wiltel should be allowed to send or receive e-mail
> anymore.
> 
> The complete list of Williams issues is at:
> 
> http://www.spamhaus.org/sbl/listings.lasso?isp=wcg
> 
> As per usual, no amount of collateral damage is deemed unacceptable.
> 
> -- 
>Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440
> PGP keys at http://www.ufp.org/~bicknell/
> Read TMBG List - [EMAIL PROTECTED], www.tmbg.org
> 


manure distribution

2003-09-24 Thread Petri Helenius
To put some semi-new information of the looping spam discussion;

Here is a breakdown of the junk that took the privilege of not arriving
to my inbox but taking a detour to the spam/virus trap in the last few weeks:

| count | Country | asnumber | asdescription             |
|   156 | IT      |     3269 | TELECOM ITALIA            |
|   129 | US      |     3561 | Cable & Wireless          |
|    89 | NL      |     8737 | Planet Technologies BV    |
|    74 | UK      |     2856 | BTnet UK Regional network |
|    62 | UK      |     5089 | NTL Group Limited         |
|    53 | US      |     3356 | Level 3 Communications    |
|    53 | FR      |     3215 | France Telecom Transpac   |
|    38 | BE      |     5432 | SKYNETBE-AS               |
|    33 | UK      |     5462 | Telewest Broadband        |

The suggestion I would make that if you are considering applying filters
to block large geographical areas, here is a handy list to start from the
top:   1/2 :-)

| count | country |
|  1813 | US      |
|   362 | CA      |
|   275 | IT      |
|   224 | UK      |
|   181 | NL      |
|   171 | CN      |
|   145 | AU      |
|    83 | JP      |
|    81 | FR      |
|    79 | BR      |
|    63 | KR      |

Pete




Re: williams spamhaus blacklist

2003-09-24 Thread Leo Bicknell
In a message written on Wed, Sep 24, 2003 at 05:14:04PM -0400, [EMAIL PROTECTED] wrote:
> The moment they started blacklisting IPs that never sent spam. (AKA 
> williams corporate mail servers).

For those who care:

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL10731

I quote:

] WilTel Communications Group's Corporate Mail Relays
] Continued hosting of Eddy Marin spam gang and others have caused this
] listing. Previous warnings and spam reports had no effect.

So, they have decided since WilTil has one (alleged?) spammer
customer none of wiltel should be allowed to send or receive e-mail
anymore.

The complete list of Williams issues is at:

http://www.spamhaus.org/sbl/listings.lasso?isp=wcg

As per usual, no amount of collateral damage is deemed unacceptable.

-- 
   Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - [EMAIL PROTECTED], www.tmbg.org




Re: williams spamhaus blacklist

2003-09-24 Thread alex

> Maybe I've missed something but since when did spamhaus become vengeance
> oriented? All we try to do is eliminate as much spam as we can using a
> wide variety of blacklists at the same time.
The moment they started blacklisting IPs that never sent spam. (AKA 
williams corporate mail servers).

-alex



Re: williams spamhaus blacklist

2003-09-24 Thread Len Rose

Maybe I've missed something but since when did spamhaus become
vengeance oriented? All we try to do is eliminate as much spam
as we can using a wide variety of blacklists at the same time.

Thanks

[EMAIL PROTECTED] wrote:

> Customers who use blacklists compiled by vengeance-oriented folk deserve 
> what they get: No email.
> 
> Suggested solutions:
> a) whitelist williams
> b) stop using SBLs similar to spamhaus.
> 
> It is a question of trust: Do you trust spamhaus to block 'evil' spammers? 
> 
> Do you trust them after they blocked important mails to your clients that
> could -not- -possibly- have been spam?
> 
> Make your own conclusions.
> 
> -alex


Re: williams spamhaus blacklist

2003-09-24 Thread alex

> gateway.wcg.com (65.77.117.10) is being blacklisted by the spamhaus
> service.
> 
> Can someone at Williams Communications get this taken care of?
> 
> Your mail server is being blocked by everyone who uses spamhaus and it's
> delaying important mail from your company to one of our customers.
Customers who use blacklists compiled by vengeance-oriented folk deserve 
what they get: No email.

Suggested solutions:
a) whitelist williams
b) stop using SBLs similar to spamhaus.

It is a question of trust: Do you trust spamhaus to block 'evil' spammers? 

Do you trust them after they blocked important mails to your clients that
could -not- -possibly- have been spam?

Make your own conclusions.

-alex



williams spamhaus blacklist

2003-09-24 Thread Len Rose

gateway.wcg.com (65.77.117.10) is being blacklisted by the
spamhaus service.

Can someone at Williams Communications get this taken care of? 

Your mail server is being blocked by everyone who uses spamhaus
and it's delaying important mail from your company to one of our 
customers.




Re: Blacklisting: obvious P2P app

2003-09-24 Thread Damian Gerow

Thus spake David Schwartz ([EMAIL PROTECTED]) [24/09/03 17:39]:
>   If anyone who attempts to distribute such a list is DoSed to oblivion,
> people will stop being willing to distribute such a list. Yes, spam is an
> economic activity, but spammers may engage in long-term planning. You can't
> keep the list of distributors secret. I'd be very interested in techniques
> that overcome this problem. I've been looking into tricking existing
> widely-deployed infrastructures into acting as distributors, but this raises
> both ethical and technical questions.

P2P has been suggested, and while I make no comments about P2P itself...
What about Freenet?  It hides the origin of the file(s), it's truly
distributed, it's encrypted, it's authenticated, and it will do your dishes.

Okay, so it won't actually do your dishes.  But it seems to do everything
that most other people have suggested.  It's incredibly difficult to DoS a
Freenet node, and it's incredibly easy to set one up (just requires some
hefty CPU).


RE: Blacklisting: obvious P2P app

2003-09-24 Thread Vadim Antonov

On Wed, 24 Sep 2003, David Schwartz wrote:

> 
> 
> > Each mailserver could keep a cryptographically verified list, the
> > list is distributed via some P2P mechanism, and DoS directed at the
> > 'source' of the service only interrupts updates, and only does so until
> > the source slips an updated copy of the list to a few peers, and then
> > the update spreads. Spam is an economic activity and they won't DoS a
> > source if they know it won't help their situation.
> 
>   If anyone who attempts to distribute such a list is DoSed to oblivion,
> people will stop being willing to distribute such a list. Yes, spam is an
> economic activity, but spammers may engage in long-term planning. You can't
> keep the list of distributors secret. I'd be very interested in techniques
> that overcome this problem. I've been looking into tricking existing
> widely-deployed infrastructures into acting as distributors, but this raises
> both ethical and technical questions.
> 
>   DS
> 
> 



RE: Blacklisting: obvious P2P app

2003-09-24 Thread David Schwartz


> Each mailserver could keep a cryptographically verified list, the
> list is distributed via some P2P mechanism, and DoS directed at the
> 'source' of the service only interrupts updates, and only does so until
> the source slips an updated copy of the list to a few peers, and then
> the update spreads. Spam is an economic activity and they won't DoS a
> source if they know it won't help their situation.

If anyone who attempts to distribute such a list is DoSed to oblivion,
people will stop being willing to distribute such a list. Yes, spam is an
economic activity, but spammers may engage in long-term planning. You can't
keep the list of distributors secret. I'd be very interested in techniques
that overcome this problem. I've been looking into tricking existing
widely-deployed infrastructures into acting as distributors, but this raises
both ethical and technical questions.

DS




Re: monkeys.dom UPL being DDOSed to death

2003-09-24 Thread Raymond Dijkxhoorn

Hi!

> http://www.openrbl.org
> 
> is also offline due to a DDoS.

The official announcement can be read here:

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&newwindow=1&safe=off&selm=vn1lufn8h6r38%40corp.supernews.com

Bye,
Raymond.



Re: Nothing like viruses with bugs in them (Swen)

2003-09-24 Thread bmanning


Duh... thanks but I've done my homework... :)




Re: RADB

2003-09-24 Thread Larry J. Blunk

 Christopher,

   I suspect the "route" objects that one would typically register in
the RADB or other routing registries is generally a small subset of the 
"networks" one would register in their rwhois server.  The route objects
should consist of only those prefixes which are announced via BGP and
not the more specifics which are assigned to customers (but not
announced by them).

You would need to somehow tag those network prefixes which
correspond to announced routes and also devise a mechanism to specify
the origin AS (a required field in the RPSL route object).

If you'd like to discuss this further, I'd suggest we move this
to [EMAIL PROTECTED] rather than spending additional NANOG bandwidth
on it (and if there is any other interest out there, please feel free
to let us know at this address as well).

  Regards,
Larry J. Blunk
Merit


On Wed, 2003-09-24 at 15:13, Christopher J. Wolff wrote:
> Hello,
> 
> On the RADB site, under features and benefits, the service claims to mirror
> "more than 30 other IRR databases."
> 
> My challenge is that I need to list my information with RADB and don't want
> to go through the hassle of manually submitting every subnet owner and
> first-born when I can put a RWHOIS server up for ARIN.  RADB should just
> poll my RWHOIS server.
> 
> Thank you in advance for your advice.
> 
> Regards,
> Christopher J. Wolff
> 



Blacklisting: obvious P2P app

2003-09-24 Thread neal rauhauser


   It has been mentioned in other places on the net (ok, yammerings on 
slashdot, but this made a bit of sense) that blacklisting is a perfect 
P2P application.

   Each mailserver could keep a cryptographically verified list, the 
list is distributed via some P2P mechanism, and DoS directed at the 
'source' of the service only interrupts updates, and only does so until 
the source slips an updated copy of the list to a few peers, and then 
the update spreads. Spam is an economic activity and they won't DoS a 
source if they know it won't help their situation.

   I'm not an expert in DNS, email server configuration, or routing, 
but it seems to me that the whole thing requires a distributed solution 
to harden it against spammers, and that the logical place for this is 
the SMTP daemon itself, possibly coupled with some global registry that 
sells digital certs for a reasonable annual fee, much how domain names 
are handled now (Verisign excluded, of course).

--
mailto:[EMAIL PROTECTED]
phone:402-301-9555
"After all that I've been through, you're the only one who matters,
you never left me in the dark here on my own" - Widespread Panic
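
The "cryptographically verified list" in this post, and the signed e-mail updates William Leibzon proposes elsewhere in this archive, both come down to the check below: a receiver trusts only the list operator's pinned public key, never the peer that handed it the update. This is an added example, not part of either post; Ed25519, the serial-number scheme, the payload layout and every name here are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is one complete, signed snapshot of the list.
type Update struct {
	Serial  uint64   // strictly increasing; blocks replay of old snapshots
	Entries []string // listed networks, e.g. "192.0.2.0/24"
	Sig     []byte   // Ed25519 signature over payload(Serial, Entries)
}

var (
	ErrBadSignature = errors.New("signature does not verify against pinned key")
	ErrStale        = errors.New("serial is not newer than the installed list")
)

// payload builds the exact bytes that are signed. Entries are length-prefixed
// so two different lists can never serialize to the same byte string.
func payload(serial uint64, entries []string) []byte {
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], serial)
	buf := append([]byte("rbl-update-v1\x00"), n[:]...)
	for _, e := range entries {
		binary.BigEndian.PutUint32(n[:4], uint32(len(e)))
		buf = append(buf, n[:4]...)
		buf = append(buf, e...)
	}
	return buf
}

// Sign is run only by the list operator, who holds the private key.
func Sign(priv ed25519.PrivateKey, serial uint64, entries []string) Update {
	sig := ed25519.Sign(priv, payload(serial, entries))
	return Update{Serial: serial, Entries: entries, Sig: sig}
}

// Mirror is any mail server or peer holding a copy of the list.
type Mirror struct {
	pub     ed25519.PublicKey // operator key, pinned out of band
	current Update
}

func NewMirror(pub ed25519.PublicKey) *Mirror { return &Mirror{pub: pub} }

// Offer installs u if it is authentic and newer than what is installed.
func (m *Mirror) Offer(u Update) error {
	if !ed25519.Verify(m.pub, payload(u.Serial, u.Entries), u.Sig) {
		return ErrBadSignature
	}
	if u.Serial <= m.current.Serial {
		return ErrStale
	}
	m.current = u
	return nil
}

// Current returns the installed snapshot so it can be relayed to other peers.
func (m *Mirror) Current() Update { return m.current }

// Relay pushes from's snapshot to every peer and reports how many installed it.
func Relay(from *Mirror, peers []*Mirror) int {
	installed := 0
	for _, p := range peers {
		if p.Offer(from.Current()) == nil {
			installed++
		}
	}
	return installed
}

// demoKeys derives a fixed key pair from a label so the example is repeatable.
// Constructed for this example only; a real operator uses ed25519.GenerateKey.
func demoKeys(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte(label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := demoKeys("list operator")
	_, attacker := demoKeys("attacker")
	a, b, c := NewMirror(pub), NewMirror(pub), NewMirror(pub)

	// The operator reaches one peer, then is unreachable (for example under DoS).
	v2 := Sign(priv, 2, []string{"192.0.2.0/24", "198.51.100.0/24"})
	fmt.Println("seed peer a:", a.Offer(v2))
	fmt.Println("peers updated by relay:", Relay(a, []*Mirror{b, c}))

	// Neither a forged list nor a replayed older one displaces serial 2.
	fmt.Println("forged:", b.Offer(Sign(attacker, 3, nil)))
	fmt.Println("replayed:", c.Offer(Sign(priv, 1, []string{"192.0.2.0/24"})))
}
```

The check covers integrity and rollback only; it does nothing for the availability concern raised in the replies, where the peers themselves become DoS targets.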


Re: what to do about joe-jobs?

2003-09-24 Thread Justin Shore

On Wed, 24 Sep 2003, Kee Hinckley wrote:

> With the possible exception of the new California law, I've yet to 
> see any case in which the benefit from nailing a spammer (in terms of 
> damages, or even reduced attacks) comes even close to covering the 
> amount of time it took to find and pursue them.  I doubt even the big 
> ISPs recover their cost--their goal seems to be deterrence.  However 
> I'd be happy to donate somewhere.com's bogus inbound traffic (we 
> bounced ten million messages last year, definitely looking at more 
> than twenty million this year) to the cause.

How does $250,000 sound?  :-)

http://www.internetnews.com/IAR/article.php/3075271

Tracking them down can be time consuming.  It's not impossible though and 
in many cases it's unbelievably easy.  Getting a judgement is apparently 
the easy part.  Getting your money seems to be the hard part.  I've 
thought about using Kansas's anti-spam law myself but haven't yet.  I know 
very little about the legal system.  Even though my claim would be made in 
Small Claims Court, I'm leery about not going about the suit in the right 
way.  Kansas's law allows providers to sue as well though.  Receiving 
25,000 copies of the same spam makes winning a court case quite 
profitable.  We need more people that take this step IMHO.

Justin



Re: Another DNS blacklist is taken down

2003-09-24 Thread Chris Lewis
Jack Bates wrote:

Mark Segal wrote:

I think some RBLs might get better responses from the ISPs when they stop
taking "collateral damage gets the abuse department's attention" attitudes..
Some RBLs cause many providers a LOT of headaches, so it is not surprising
that when it is their turn to complain, the ISPs will just say: post to
abuse.ddos.isp.net and we might get around to fixing it. :).
It's useful to be careful in how we define collateral damage here. 
Collateral damage can include, for example, non-spam email coming from a 
spammer's site.

In this context, we're talking about _escalation_ of listings outside of 
the demonstrated spamming/abusive/insecure IPs.

monkey's had no collateral damage issues until PHL was released due to 
non-response from ISP's.
The PHL is the escalation.

openrbl.org does not host a blacklist and thus cannot have collateral 
damage.

SBL is famous for it's lack of collateral damage.
SBL does escalation, but rarely. (WCG, Chinanet for example).

ordb is specialized and has had no collateral damage issues.
ORDB does not escalate.  Has it been DDOS'd?  Pointless, open relay 
blacklists are virtually useless these days.

SPEWS escalates (obviously).

The DDOS's have been against SPEWS, SBL and Monkeys.  Most of the other 
targets were re-publishers/distributors of SPEWS (ie: SORBS, Osirus, 
openrbl.org). Each of the three are _very_ public targets and generate 
lots of chatter/discussion on NANAE.  Monkeys of course has RFG behind 
it and all that denotes.



Re: what to do about joe-jobs?

2003-09-24 Thread Kee Hinckley
At 2:07 PM -0500 9/24/03, Justin Shore wrote:
> open proxy.  You're screwed if that's the case.  However since you have a
> complete copy of the spam you can still follow the money trail.  Spammers
> have to get their money somehow.  The actual spam will give you many
> places to start.  Of course once you have that you still have to convince

With the possible exception of the new California law, I've yet to 
see any case in which the benefit from nailing a spammer (in terms of 
damages, or even reduced attacks) comes even close to covering the 
amount of time it took to find and pursue them.  I doubt even the big 
ISPs recover their cost--their goal seems to be deterrence.  However 
I'd be happy to donate somewhere.com's bogus inbound traffic (we 
bounced ten million messages last year, definitely looking at more 
than twenty million this year) to the cause.
--
Kee Hinckley
http://www.messagefire.com/ Next Generation Spam Defense
http://commons.somewhere.com/buzz/  Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.


RE: Another DNS blacklist is taken down

2003-09-24 Thread Christopher Bird
I realize that this is seriously off the wall.

There is a pretty secure P2P system (Groove) that was developed by Ray
Ozzie. Focus is on security on the wire, on the box, everywhere with
serious authentication - Diffie-Hellman exchanges and all the right
security toys. Admittedly when I run it at home the lights in the
neighborhood dim.

I am wondering, though if there might be a way to use its kind of
services for some behind the scenes secure discovery - removing the
hackability of most of the P2P systems.

No I don't know how it scales, what its throughput and licensing
limitations are..

I just heard P2P and immediately went outside the box.

Chris

 


My vcard is attached.


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Vadim Antonov
> Sent: Wednesday, September 24, 2003 3:05 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: Another DNS blacklist is taken down
> 
> 
> 
> 
> > >RBLs Sounds like a great application for P2P.
> > 
> > Perhaps, but it also seems like moving an RBL onto a P2P network would
> > make poisoning the RBL far too easy...
> > 
> > Andrew
> 
> USENET, PGP-signed files, 20 lines in perl.
> 
> --vadim 
> 
> 


RE: monkeys.dom UPL being DDOSed to death

2003-09-24 Thread sowens

Provide me a list of requirements and I'll see what I can do about the
bandwidth, colo and BGP session.

Shane

-Original Message-
From: John Payne [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 23, 2003 7:41 PM
To: [EMAIL PROTECTED]
Subject: Re: monkeys.dom UPL being DDOSed to death





--On Tuesday, September 23, 2003 6:11 PM -0400 Kai Schlichting 
<[EMAIL PROTECTED]> wrote:

> - BGP anycast, ideally suited for such forwarding proxies.
>   Anyone here feeling very adept with BGP anycast (I don't) for
>   the purpose of running such a service? This is a solution that
>   has to be suggested and explained to some of the DNSBL operators.

Anyone want to offer hardware, colo, bandwidth and a bgp session for a 
dnsbl anycast solution?


Re: Verisign Responds

2003-09-24 Thread Wayne E. Bouchard
The fact of the change is operational. The specifics may not be. In
this case, you've gone beyond general operational content and started
to delve into protocol specifications and the implementation thereof
for which there is a dedicated list in which there are people with
quite a bit more average knowledge and experience in the matter than
folks here.

IMO, namedroppers is definitely the better forum.

On Wed, Sep 24, 2003 at 02:46:06PM -0500, Jack Bates wrote:
> 
> Paul Vixie wrote:
> 
> >you are confused. and in any case this is off-topic. take it to 
> >namedroppers,
> >but before you do, please read rfc's 1033, 1034, 1035, 2136, 2181, and 
> >2317.
> 
> Can someone please tell me how a change to a critical component of the 
> Internet which has the capacity to cause harm is not an operational issue?
> 
> A TLD issues a wildcard. Instead of discovering if records match the 
> wildcard and returning NXDOMAIN (which is what everyone wanted), the 
> software was designed to restrict records based on delegation.
> 
> Delegation was not broken. The changes made allow engineers to break it. 
> I'd consider this an issue. Reports have already come in of all the 
> various domains that people will mandate delegate-only for. For the 
> record, .museum was listed several times despite the request in 
> documentation to not force delegation, as were other zones.
> 
> In fact, many people were confused. They didn't understand what zone 
> delegation was. For the record, I've read all the RFC's you posted. To 
> many, it's an issue of wildcards. Yet BIND didn't solve the wildcard 
> problem. It solved a delegation problem, which was not only "not broken" 
> but has traditional use.
> 
> Which "countermeasures" being implemented did the IAB have an issue 
> with? I wonder since their argument against the wildcards was the fact 
> that it breaks traditional use. BIND now easily breaks traditional use.
> 
> -Jack
> 
> 

---
Wayne Bouchard
[EMAIL PROTECTED]
Network Dude
http://www.typo.org/~web/




RE: Another DNS blacklist is taken down

2003-09-24 Thread Vadim Antonov


> >RBLs Sounds like a great application for P2P.
> 
> Perhaps, but it also seems like moving an RBL onto a P2P network would
> make poisoning the RBL far too easy...
> 
> Andrew

USENET, PGP-signed files, 20 lines in perl.

--vadim 



Re: "Class A Data Center"

2003-09-24 Thread Scott Francis
On Wed, Sep 24, 2003 at 03:06:30PM -0400, [EMAIL PROTECTED] said:
> On Wed, 24 Sep 2003, Scott Francis wrote:
> 
> > I don't know if it qualifies as an "established standard", but ISTR that
> > Steve Bellovin had a paper about various levels of reliability in data
> > centers ... [searches] argh. I can't find it yet. Perhaps Mr. Bellovin can
> > refresh my memory ... the paper I'm recalling had specifications for 5 or so
> > different levels of reliability and redundancy in data centers (able to
> > withstand criminal attack, armed attack, conventional explosives, nuclear
> > explosion, acts of God, etc.) and was interesting reading. The focus, as I
> > recall, was on the level of engineering required to reach various levels of
> > uptime (99.9, 99.99, 99.999, etc.).
> > 
> > This ringing a bell for anyone else?
> 
> Do you mean ?

doh! Indeed I do mean that file. I got Bellovin and Doneland mentally
transposed for some reason. Apologies all (still thought that document was a
good read, though).
-- 
Scott Francis || darkuncle (at) darkuncle (dot) net
  illum oportet crescere me autem minui




Re: "Class A Data Center"

2003-09-24 Thread Owen DeLong
Try looking under Sean Donnelan (sp?  Sorry Sean).

I think you are referring to something he did.  However, I don't remember
for sure.
Owen

--On Wednesday, September 24, 2003 3:34 PM -0400 "Steven M. Bellovin" 
<[EMAIL PROTECTED]> wrote:

> In message <[EMAIL PROTECTED]>, Scott Francis writes:
>
> > On Thu, Sep 18, 2003 at 03:58:31PM -0400, [EMAIL PROTECTED] said:
> >
> > > This is the assumption I have come to as well.  Are there any
> > > established standards for enterprise datacenters at all, aside from the
> > > obvious, N+1 redundant everything, diverse paths, etc.?
> >
> > I don't know if it qualifies as an "established standard", but ISTR that
> > Steve Bellovin had a paper about various levels of reliability in data
> > centers ... [searches] argh. I can't find it yet. Perhaps Mr. Bellovin
> > can refresh my memory ... the paper I'm recalling had specifications for
> > 5 or so different levels of reliability and redundancy in data centers
> > (able to withstand criminal attack, armed attack, conventional
> > explosives, nuclear explosion, acts of God, etc.) and was interesting
> > reading. The focus, as I recall, was on the level of engineering
> > required to reach various levels of uptime (99.9, 99.99, 99.999, etc.).
>
> Not me.
>
> 		--Steve Bellovin, http://www.research.att.com/~smb






Re: Verisign Responds

2003-09-24 Thread Jack Bates
Paul Vixie wrote:

> you are confused. and in any case this is off-topic. take it to namedroppers,
> but before you do, please read rfc's 1033, 1034, 1035, 2136, 2181, and 2317.

Can someone please tell me how a change to a critical component of the 
Internet which has the capacity to cause harm is not an operational issue?

A TLD issues a wildcard. Instead of discovering if records match the 
wildcard and returning NXDOMAIN (which is what everyone wanted), the 
software was designed to restrict records based on delegation.

Delegation was not broken. The changes made allow engineers to break it. 
I'd consider this an issue. Reports have already come in of all the 
various domains that people will mandate delegate-only for. For the 
record, .museum was listed several times despite the request in 
documentation to not force delegation, as were other zones.

In fact, many people were confused. They didn't understand what zone 
delegation was. For the record, I've read all the RFC's you posted. To 
many, it's an issue of wildcards. Yet BIND didn't solve the wildcard 
problem. It solved a delegation problem, which was not only "not broken" 
but has traditional use.

Which "countermeasures" being implemented did the IAB have an issue 
with? I wonder since their argument against the wildcards was the fact 
that it breaks traditional use. BIND now easily breaks traditional use.

-Jack





Rack space in Chicago.

2003-09-24 Thread John Palmer

Looking for rack space in Chicago to house 2 - 2U servers, a cisco 3620, a hub and 
flat panel/keyboard tray. 

Will need net access and 8 ip addresses. Low bandwidth usage.

Contact me at user info  at domain adns.net. 


Re: "Class A Data Center"

2003-09-24 Thread Steven M. Bellovin

In message <[EMAIL PROTECTED]>, Scott Francis writes:
>
>
>
>On Thu, Sep 18, 2003 at 03:58:31PM -0400, [EMAIL PROTECTED] said:
>> This is the assumption I have come to as well.  Are there any
>> established standards for enterprise datacenters at all, aside from the
>> obvious, N+1 redundant everything, diverse paths, etc.?
>
>I don't know if it qualifies as an "established standard", but ISTR that
>Steve Bellovin had a paper about various levels of reliability in data
>centers ... [searches] argh. I can't find it yet. Perhaps Mr. Bellovin can
>refresh my memory ... the paper I'm recalling had specifications for 5 or so
>different levels of reliability and redundancy in data centers (able to
>withstand criminal attack, armed attack, conventional explosives, nuclear
>explosion, acts of God, etc.) and was interesting reading. The focus, as I
>recall, was on the level of engineering required to reach various levels of
>uptime (99.9, 99.99, 99.999, etc.).

Not me.

--Steve Bellovin, http://www.research.att.com/~smb




Re: what to do about joe-jobs?

2003-09-24 Thread Justin Shore

On Wed, 24 Sep 2003, Stephen J. Wilcox wrote:

> The one that they're doing on my own domain which I mentioned on list some 
> months ago is still going strong with many Mbs of bounces per day.. I think it's 
> fair to say there is very little you can do as tracking the source is almost 
> impossible..

That depends on how detailed the bounce is, to an extent.  Many of the
bounces actually contain a complete copy of the message that generated the
bounce.  Ie, the full spam and nothing but the spam.  From that you can
find the original source IP.  Of course that source IP may very well be an
open proxy.  You're screwed if that's the case.  However since you have a
complete copy of the spam you can still follow the money trail.  Spammers 
have to get their money somehow.  The actual spam will give you many 
places to start.  Of course once you have that you still have to convince 
a provider to take action against their customer.

Justin
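
The bounce analysis described in the message above, as an added example that is not part of any post in this thread: it pulls the returned copy of the spam out of a bounce and walks its Received headers from the top down. It assumes an RFC 3464 style bounce and Postfix-style Received lines; every host name and address is a constructed placeholder, and the parent-domain test for "same organization" is a heuristic assumption. Only the hops stamped by the bouncing site are credible; anything below them could have been written by the sender.

```python
import email
import re
from email import policy

# Constructed sample bounce; all hosts and IPs are documentation placeholders.
SAMPLE_BOUNCE = b"""\
From: MAILER-DAEMON@store.recipient.example
To: sales@victim.example
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="BOUND"

--BOUND
Content-Type: text/plain

Mailbox for nosuchuser@recipient.example is unavailable.

--BOUND
Content-Type: message/delivery-status

Reporting-MTA: dns; store.recipient.example

Final-Recipient: rfc822; nosuchuser@recipient.example
Action: failed
Status: 5.2.1

--BOUND
Content-Type: message/rfc822

Received: from mx1.recipient.example (mx1.recipient.example [198.51.100.10])
    by store.recipient.example (Postfix) with ESMTP id 9C1D2;
    Wed, 24 Sep 2003 13:02:12 -0500
Received: from mail.victim.example (unknown [203.0.113.45])
    by mx1.recipient.example (Postfix) with SMTP id 4F2A1;
    Wed, 24 Sep 2003 13:02:11 -0500
Received: from localhost (localhost [127.0.0.1])
    by mail.victim.example with ESMTP; Wed, 24 Sep 2003 13:01:58 -0500
From: sales@victim.example
To: nosuchuser@recipient.example
Subject: constructed sample

Body of the forged message.

--BOUND--
"""

# Assumed Received layout: from HELO (rdns [ip]) by HOST ...
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:[^\s\[\]]+\s+)?"
    r"\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f:.]+)\]\).*?\bby\s+(?P<by>[^\s;]+)",
    re.S,
)

def embedded_message(bounce):
    """Return the returned original (full copy or headers only), or None."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(),
                                             policy=policy.default)
    return None

def reporting_mta(bounce):
    """Name of the MTA that generated the bounce, from the DSN part."""
    for part in bounce.walk():
        if part.get_content_type() == "message/delivery-status":
            value = part.get_payload(0).get("Reporting-MTA")
            if value:
                return str(value).split(";", 1)[-1].strip().lower()
    return None

def received_hops(msg):
    """Parsed Received headers, newest first (the order they appear in)."""
    hops = []
    for raw in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(raw))
        if m:
            hops.append({k: m.group(k).lower() for k in ("helo", "ip", "by")})
    return hops

def same_org(host, mta):
    """Heuristic (assumption): same host, or same parent domain as the MTA."""
    parent = mta.split(".", 1)[-1]
    if host == mta:
        return True
    return "." in parent and host.endswith("." + parent)

def trace_bounce(bounce_bytes):
    bounce = email.message_from_bytes(bounce_bytes, policy=policy.default)
    original, mta = embedded_message(bounce), reporting_mta(bounce)
    if original is None or mta is None:
        return None
    hops = received_hops(original)
    credible = 0
    for hop in hops:
        if not same_org(hop["by"], mta):
            break          # stamped by a host outside the bouncing site
        credible += 1
    source = hops[credible - 1] if credible else None
    return {
        "reporting_mta": mta,
        "source_ip": source["ip"] if source else None,
        "claimed_helo": source["helo"] if source else None,
        "unverified_hops": hops[credible:],
    }

if __name__ == "__main__":
    print(trace_bounce(SAMPLE_BOUNCE))
```
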



Re: Another DNS blacklist is taken down

2003-09-24 Thread Leo Bicknell
In a message written on Wed, Sep 24, 2003 at 01:28:19PM -0500, Justin Shore wrote:
> True.  However I also subscribe to those beliefs.  When an ISP knowingly
> allows a spammer to sign up for network service, knowing full well what
> they are planning to do with it (read: pink contracts), and ignores abuse
> complaints then what other form of action is there than to use collateral
> damage at that ISP?  Providers more often than not intentionally put

The answer is to take the high road and just list the spammer.

If, as you suggest, the ISP knowingly signs up the spammer then
they already expect the collateral damage, are probably, in general
ok with it, and you're not going to have any effect in getting them
to change.

However, by listing larger and larger blocks of unrelated customers
you piss off random end users, and more importantly the mail admins
that use -- and could support your RBL.  I know more than a few
mail admins who gave up on various RBL's after they "went off the
deep end", blocking more legitimate mail under the guise of trying
to force ISP's to do something than spam.

I suspect a well run RBL that was able to take the high road, and
offered good response time would find mail admins would pay a small
subscription fee, they could buy bandwidth from a provider, and
more importantly since they were a paying customer and not a kook
they would get excellent support from ISP's in tracking DDOS attacks.

That said, I don't think the RBL users often understand the complexity
of the issue, which further annoys ISP's.  I know I've been involved
in several issues where a reputable e-commerce site buys service
quite above board.  They then have an affiliate program, where
people can sign up online and get goods.  A number of spammers then
sign up, joe-job the e-commerce company and make off with a few
hundred dollars in goods.  In the cases I've been involved with the
e-commerce company immediately terminates them for violating the
terms of the affiliates agreement, but it only takes two or three
of these instances for the RBL's to start blocking the company,
screaming "pink contracts" and blocking the ISP's other users.  So,
while the RBL's hurt the ISP's, and the ISP's tie up the RBL's time
with an issue they aren't going to be able to solve the real spammer
gets away scot-free, and the ISP has to deal with other customers
who have been caught in the collateral damage of the RBL.

Just once I'd like to see an RBL come to my employer saying "we've
found this spam we think transited your servers and would like to
work with you to find the real source and block it".  Instead they
all seem to send an e-mail to the effect of "You pathetic worthless
$*&@&@#&$#$.  Stop sending this crap and terminate your customer
in the next 10 minutes, or else" and then proceed 10 minutes later
to list every IP ever affiliated with the ISP.  No wonder the same
abuse people aren't eager to help when the RBL comes back and asks
for help.

-- 
   Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - [EMAIL PROTECTED], www.tmbg.org




RADB

2003-09-24 Thread Christopher J. Wolff

Hello,

On the RADB site, under features and benefits, the service claims to mirror
"more than 30 other IRR databases."

My challenge is that I need to list my information with RADB and don't want
to go through the hassle of manually submitting every subnet owner and
first-born when I can put a RWHOIS server up for ARIN.  RADB should just
poll my RWHOIS server.

Thank you in advance for your advice.

Regards,
Christopher J. Wolff



Re: Another DNS blacklist is taken down

2003-09-24 Thread Jack Bates
Mark Segal wrote:

> I think some RBLs might get better responses from the ISPs when they stop
> taking "collateral damage gets the abuse department's attention" attitudes..
> Some RBLs cause many providers a LOT of headaches, so it is not surprising
> that when it is their turn to complain, the ISPs will just say: post to
> abuse.ddos.isp.net and we might get around to fixing it. :).

monkey's had no collateral damage issues until PHL was released due to 
non-response from ISP's.

openrbl.org does not host a blacklist and thus cannot have collateral 
damage.

SBL is famous for its lack of collateral damage.

ordb is specialized and has had no collateral damage issues.

-Jack



Re: Detecting a non-existent domain

2003-09-24 Thread Kee Hinckley
At 10:24 AM -0400 9/24/03, John A. Martin wrote:
> > "Kee" == Kee Hinckley
> > "RE: Detecting a non-existent domain"
> >  Tue, 23 Sep 2003 20:16:04 -0400
>
>     Kee> At 3:15 PM -0700 9/23/03, David Schwartz wrote:
>     >> How would you do this before? Does an A record for a hostname
>     >> mean that a host with that name exists? If so, then all *.com
>     >> 'hosts' now 'exist'. If not, what did you mean by exist before?
>
> I just lurk nanog so my question probably doesn't count.  Anyway,
> whats wrong with checking what used to be called "the DNS invariant",
> ie. name <-> ip queries should agree as in

That seems like it would work as well.  In my case I need to make use 
of the A and MX records for other things anyway, so I might as well 
go that path.  I'd need to sit down and see which mechanism uses the 
least queries.

I'm concerned though that all these mechanisms could fall apart if 
Verisign decided to start using a third-party content provider to 
distribute the load on their server.
--
Kee Hinckley
http://www.messagefire.com/ Next Generation Spam Defense
http://commons.somewhere.com/buzz/  Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.


Re: what to do about joe-jobs?

2003-09-24 Thread Stephen L Johnson

On Wed, 2003-09-24 at 13:10, Stephen L Johnson wrote:
> Please forgive my ignorance, but what is a "joe-job"?

Thanks for all of the off-line responses. I was aware of the tactic. But
it was the first time I've heard it called a "joe job".

(Stephen has learned his one new thing for the day)

-- 
Stephen L Johnson   [EMAIL PROTECTED]
Unix Systems Administrator  [EMAIL PROTECTED]
Department of Information Systems
State of Arkansas
501-682-4339



Summary of responses: Lucent/Avaya Cajun experiences

2003-09-24 Thread Andy Grosser

Well, thanks to all who replied.  I've attached annotated replies at the
bottom of this message.

On Tue, 23 Sep 2003, Andy Grosser wrote:
> This request is largely for anecdotal/historical purposes.  The recent
> Foundry/Riverstone posts reminded me of a topic I'd kept meaning to
> broach.
>
> My organization will probably be replacing all of our L2/L3 Lucent/Avaya
> Cajun switches in the next few months with Catalyst 65XX series boxes.
> Our experience has largely been disastrous - 3 operational years have been
> filled with _constant_ HW and SW failures, buggy code (i.e. backplane
> suddenly stops all traffic forwarding), horrible tech support, lousy
> online resources (a la SW releases).  Their M770 ATM gear hasn't been much
> better, and their PacketStar media gateways are still, surprisingly,
> limping along.
>
> Anyone care to share their own Lucent/Avaya experiences?

---

We have 1000 ports of Cajun 550 with redundant management- never had a
problem with anything in 2 years.

---

friend's experience mirrors yours...

---

Actually tying back into the previous conversation, I have first hand
knowledge that DISA (Defense Information Systems Agency), which is
essentially the telco for all of the military is swapping out all of their
Cajuns and Lucent AP1000s with Riverstone RS 8000s. Both Cisco and Juniper
couldn't meet the requirements during the bakeoff.

---

After the extreme 48 port switch I have at home died, I bought a 24
port cajun as my home network.

So far, the interface sucks.  While it works fine for what I need (a
few vlans is most of what I need).  Here's the list of my qualms:

1) Every time I reboot my switch seems to believe that it's 1970.  I've
got an ntp server for it to sync to, but it won't.  There doesn't seem
to be a cli option to set the time, either.

2) show port doesn't give any per-interface stats.  That's hidden away
in "show rmon statistics" and once there I have to subtract 1024 to
figure out which interface I'm looking at.  It's not too helpful when
I'm trying to figure out what ended being a cable problem.

Besides that, it's a nice home switch.  Well, I guess it's a home switch
for someone who cares about the news on nanog.  I wish my extreme was
still working, though.

---

Bought a P333 off of eBay. Two days later, the management card quit
talking to the switch backplane. Got a 133, it's been flawless ever since
but is on a protected network.

Marconi/FORE has also rebranded the P333 as an ESX-1800.

---

We had a P550 that turned up in our department that was the worst piece of
networking equipment we had on our network (before we upgraded to all
alcatel omniswitch and omnicore gear had cabletron 10bt hubs). Had
problems with vlan bleeding on it, seemed to require constant reboots, it
would just randomly stop working correctly. One cool thing it could do is
auto learn vlans for the gig ports, however that was about the only cool
thing.

---

We have 5 Lucent PM4 boxes. They were $250-300k when they came out. Within
60 days of the Lucent/Ascend merger, the product was dead. All development
stopped and many stupid bugs which would have been easy to fix were never
resolved. Promised developments never came. Free upgrades for life ended.
The product never evolved from the expensive boat anchor it was when we
first bought it. The PM4s work reasonably well for old v.90 RAS boxes, but
they never became the VoIP, v.92, super stable boxes they were touted to
be when they were introduced. In the middle of all this, my Lucent sales rep
called to see if we wanted to buy Cajun switches to replace our Catalysts.
I said, "I don't think I'd take them if you gave them to me." She replied
by saying she didn't blame me and "they weren't that good anyway." Can you
believe it?!?! I saw a tractor trailer load of them for sale (literally) a
few years ago for about $2500. It was a list of hundreds of boards and
chassis all brand new. I spoke to a friend who still worked at Lucent and
he told me they stopped using them in the lab and bought a number of Cisco
Catalysts because they had too many problems with them. :) We haven't
bought a Lucent product since and I never will again.

---

[end of responses]

---
Andy Grosser, CCNP
[EMAIL PROTECTED]

"After all, if a bumbling Zen-like talking penguin
 with a thing for canned herring and pinwheel hats
 and sly meditations on the state of the galaxy
 can't save the damn nation, well, who can?"
- Mark Morford, San Francisco Chronicle
---





The *.com/robots.txt

2003-09-24 Thread Guy Coslado (GC0111)

I've found inconsistencies in search engines, mainly with domain names
having transient status. Such domain names inherit a new IP, the *.com IP (the
sitefinder IP).

And sitefinder itself has its own inconsistency:

Here is an example using Netscape or Mozilla (my IE6 config gives
other results).

http://www.pallet-containers-unlimited.com/bizdc.html

http://sitefinder.verisign.com/lpc?url=pallet-containers-unlimited.com/bizdc.html&host=pallet-containers-unlimited.com

That gives  a link in
Did You Mean ?
We did find these similar Web addresses. 
http://www.pallet-containers-unlimited.com/bizdc.html

And now searching with sitefinder
http://sitefinder.verisign.com/spc?sb=pallet-containers-unlimited.com&searchboxtype=1&op=landing&search=Search

If VeriSign sitefinder doesn't take care of this case, what can we
expect from other search engines?

The query:
http://www.pallet-containers-unlimited.com/robots.txt
gives

User-agent: *
Disallow: /

This is also a false answer that can confuse a lot of http agents
=>
for a simple example, sites with a dn in REDEMPTIONPERIOD can be
suppressed or blacklisted from search engine indexes for a while.

Because nobody knows all the side effects yet,
I'm not sure having a robots.txt here is the best choice.

On the other hand, SE indexes can indefinitely keep sites that no longer exist
without the *.com/robots.txt

Possibly the *.com redirect will give us other surprises with search engines.



Guy Coslado.

http://www.coslado.com  Bots & Smart Agents
Pour la Guilde des metiers du logiciel: [EMAIL PROTECTED]
http://www.fr.scguild.com

 


RE: Another DNS blacklist is taken down

2003-09-24 Thread Justin Shore

On Wed, 24 Sep 2003, Mark Segal wrote:

> 
> 
> I think some RBLs might get better responses from the ISPs when they stop
> taking "collateral damage gets the abuse department's attention" attitudes..
> Some RBLs cause many providers a LOT of headaches, so it is not surprising
> that when it is their turn to complain, the ISPs will just say: post to
> abuse.ddos.isp.net and we might get around to fixing it. :).
> 
> Regards,
> Mark

True.  However I also subscribe to those beliefs.  When an ISP knowingly
allows a spammer to sign up for network service, knowing full well what
they are planning to do with it (read: pink contracts), and ignores abuse
complaints then what other form of action is there than to use collateral
damage at that ISP?  Providers more often than not intentionally put
non-spamming customers' networks within spitting distance of their
spamming customers in the hopes that RBLs won't blacklist the provider's
networks around the spammers.  I don't want to start an off-topic flame
thread on NANOG but the merits of collateral damage have been discussed
numerous times in numerous places.  Many people won't use it.  Most don't
like it.  No one has offered another plausible alternative.  Anyhow, this 
is getting OT.  Back to the topic at hand, DNS RBLs coming under the gun. 
:-(

Justin



California Spam-busting bill comes with $1 million penalty

2003-09-24 Thread JC Dill
At 10:54 AM 9/24/2003, Timo Janhunen wrote:

> The Do Not Call registry is on hold...
>
> http://news.findlaw.com/cnn/docs/ftc/donotcall92303ord.pdf

Meanwhile, on the good news front:



jc



RE: Another DNS blacklist is taken down

2003-09-24 Thread Patrick

On Wed, 24 Sep 2003, Justin Shore wrote:

>
> On Wed, 24 Sep 2003 [EMAIL PROTECTED] wrote:
>
> > Perhaps, but it also seems like moving an RBL onto a P2P network would
> > make poisoning the RBL far too easy...
>
> That's what I was getting ready to suggest.  As it stands now we have at
> least somewhat of an assurance that the zone we're working with isn't
> tainted.

Web of trust, yada yada. Still distributed, still resilient.

And/Or, encrypt the zones/updates.

Admittedly this is all off-the-cuff and I haven't given it much
thought(scalability and performance issues immediately come to mind,)
but it might be an interesting enough problem to sit down and
research/think about at some point. It certainly would be interesting to
find some more "substantially non-infringing" uses for P2P.

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
   Patrick Greenwell
 Asking the wrong questions is the leading cause of wrong answers
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/


Re: what to do about joe-jobs?

2003-09-24 Thread David Raistrick

On Wed, 24 Sep 2003, Stephen L Johnson wrote:

> Please forgive my ignorance, but what is a "joe-job"?

Typically spam using forged source email addresses targeting a specific
company/person/etc.

http://www.everything2.com/index.pl?node=Joe%20Job
http://www.spamfaq.net/terminology.shtml


---
david raistrick
[EMAIL PROTECTED]   http://www.expita.com/nomime.html



RE: Another DNS blacklist is taken down

2003-09-24 Thread Justin Shore

On Wed, 24 Sep 2003, Joel Perez wrote:

> 
> Great,
> Just Great. Wasn't there a post a while back that listed what providers
> are SPAM friendly? My fingers are getting tired trying to create ACL's
> lists to block ranges of IP's without compromising my service. I wish
> the power's up above would buy the right software to try and curb the
> SPAM but that is not to be according to them. 
> 
> So back to my ACL's I go!

This is one of the most likely things to happen.  DNS RBLs are effective.  
Otherwise spammers wouldn't be targeting them for abuse.  Mail admins will
eventually start running their own RBLs or rejecting mail by other means
locally.  This distributed method creates hundreds and eventually
thousands of separate points of contact for getting yourself off a RBL.  
I ran my own domain and netblock list in the past and I can say from
experience that it is a very time consuming process.  At the time it was
also extremely effective.  I didn't list open relays/proxies/formmail.cgi 
IPs.  I did however list spamming domains and providers.  It caught a 
surprising amount of spam.  It also left me with little time to do 
anything else.  There's got to be a better way.

Justin



Re: what to do about joe-jobs?

2003-09-24 Thread Stephen J. Wilcox

On Wed, 24 Sep 2003, Stephen L Johnson wrote:
> On Wed, 2003-09-24 at 12:48, David Raistrick wrote:
> > On Wed, 24 Sep 2003, Justin Shore wrote:
> > 
> > 
> > > joe-job earlier this week.  Apparently the joe-jobbing was enough to
> > > convince some extremely ignorant mail admins that Compu.net is spamming
> > > and blocked mail from compu.net.  Compu.net has also seen the effects of
> > 
> > 
> > Speaking of joe-jobs, what's the "proper" procedure for dealing with
> > such?  
> 
> Please forgive my ignorance, but what is a "joe-job"?

Hmm probably something that isn't going to happen now that all domains are valid 
a la verisign

It's when spammers take your domain name and use it as their from address, it 
*used* to get around sender verify in smtp which a lot of smtp servers 
implement. 

Basically if you're being joe jobbed you will get the bounce messages from all 
the email addresses the spammers are sending to that don't exist.

The one that they're doing on my own domain which I mentioned on list some 
months ago is still going strong with many Mbs of bounces per day.. I think it's 
fair to say there is very little you can do as tracking the source is almost 
impossible..

Steve



Re: "Class A Data Center"

2003-09-24 Thread Scott Francis
On Thu, Sep 18, 2003 at 03:58:31PM -0400, [EMAIL PROTECTED] said:
> 
> 
> This is the assumption I have come to as well.  Are there any
> established standards for enterprise datacenters at all, aside from the
> obvious, N+1 redundant everything, diverse paths, etc.?

I don't know if it qualifies as an "established standard", but ISTR that
Steve Bellovin had a paper about various levels of reliability in data
centers ... [searches] argh. I can't find it yet. Perhaps Mr. Bellovin can
refresh my memory ... the paper I'm recalling had specifications for 5 or so
different levels of reliability and redundancy in data centers (able to
withstand criminal attack, armed attack, conventional explosives, nuclear
explosion, acts of God, etc.) and was interesting reading. The focus, as I
recall, was on the level of engineering required to reach various levels of
uptime (99.9, 99.99, 99.999, etc.).

This ringing a bell for anyone else?
-- 
Scott Francis || darkuncle (at) darkuncle (dot) net
  illum oportet crescere me autem minui




Re: Inevitable Consequences--Verisign

2003-09-24 Thread just me

I'm keeping track of sitefinder vs. google page load times, just for
giggles. You can see the results at:

http://mrtg.snark.net/http-time/

One thing that's missing is accounting for refused connections; I'll
have to put a little more thought into that.

matto


On Wed, 24 Sep 2003, Declan McCullagh wrote:

  Repeated (though informal) testing over the last 90 minutes showed
  that at one point, about one-third of attempted HTTP connections to
  sitefinder took over one minute to complete or, in a few cases, failed
  entirely.

  Now only about one of every 5 or 10 connections is displaying that
  behavior.

  -Declan


[EMAIL PROTECTED]<
   Flowers on the razor wire/I know you're here/We are few/And far
   between/I was thinking about her skin/Love is a many splintered
   thing/Don't be afraid now/Just walk on in. #include 



Re: what to do about joe-jobs?

2003-09-24 Thread Justin Shore

On Wed, 24 Sep 2003, Stephen L Johnson wrote:

> Please forgive my ignorance, but what is a "joe-job"?

I dug up some links for you.

http://www.spamfaq.net/terminology.shtml#joe_job
http://www.techtv.com/news/culture/story/0,24195,3415219,00.html
http://catb.org/~esr/jargon/html/J/joe-job.html
http://www.everything2.com/index.pl?node=Joe%20Job (might be down?)

Basically it's spoofing the source of spam so as to appear to come from 
an innocent person.  I've been on the receiving end of it a couple of 
times.  Basically the innocent person gets flooded with bounces from 
poorly written MTAs and anti-spam scripts.  Think email-based virus 
bounces.  You didn't send the virus; you aren't even infected.  However 
some machine somewhere is infected and spoofed your address as source of 
the infected email.  You of course end up with the bounce and 
blame from uneducated people for being infected (which again you are not).

Hope that helps
 Justin



Re: New CA Law

2003-09-24 Thread Paul Vixie

> Word is Gray Davis signed [sb186].

that's most unfortunate.

> It seems to be a pretty strong anti-spam bill.

it's not.

> Given all the talk of black lists and DDOS's and the like does anyone
> think this will make a difference?  Is anyone planning on using the law
> to recover damages?

since this law legitimizes most forms of spam while attempting to
delegitimize only the kinds of spam where you can't get recourse because of
untraceability, it will do far far far more harm than good.  the time is
now coming when actions which prevent (or actors who prevent) the forms of
spam which are legitimized in sb186 may be civilly penalizable.  OUCH.  when
i read heinlein's "magic, inc." i thought there actually had to be underworld
demons in political power before this kind of thing could happen, but i now
see that i completely missed the point of the story.

but like most threads on nanog this week, this one is offtopic.
-- 
Paul Vixie


RE: Another DNS blacklist is taken down

2003-09-24 Thread Mark Segal


I think some RBLs might get better responses from the ISPs when they stop
taking "collateral damage gets the abuse department's attention" attitudes..
Some RBLs cause many providers a LOT of headaches, so it is not surprising
that when it is their turn to complain, the ISPs will just say: post to
abuse.ddos.isp.net and we might get around to fixing it. :).

Regards,
Mark

--
Mark Segal 
Director, Network Planning
FCI Broadband 
Tel: 905-284-4070 
Fax: 416-987-4701 
http://www.fcibroadband.com

Futureway Communications Inc. is now FCI Broadband


-Original Message-
From: Justin Shore [mailto:[EMAIL PROTECTED] 
Sent: September 24, 2003 12:29 PM
To: [EMAIL PROTECTED]
Subject: Another DNS blacklist is taken down



I thought ya'll might be interested to hear that yet another DNS blacklist
has been taken down out of fear of the DDoS attacks that took down
Osirusoft, Monkeys.com, and the OpenRBL.  Blackholes.compu.net suffered a
joe-job earlier this week.  Apparently the joe-jobbing was enough to
convince some extremely ignorant mail admins that Compu.net is spamming and
blocked mail from compu.net.  Compu.net has also seen the effects of DDoS
attacks on other DNS blacklist maintainers.  They've decided that the risk
to their actual business is too great and they are pulling the plug on their
DNS blacklist before they come under the gun by spammers.

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=3f70e839%241%40dimaggio.newszilla.com

Ron Guilmette, maintainer of the Monkeys.com blacklists has posted a 
farewell from Monkeys.com to news.admin.net-abuse.email.  Ron cites the 
total lack of interest in the attacks by both big network providers and 
law enforcement authorities as the ultimate reason he's pulling the plug.

http://groups.google.com/groups?q=%22Now+retired+from+spam+fighting%22&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=vn1lufn8h6r38%40corp.supernews.com&rnum=4

It's truly a sad day for spam fighters everywhere.

So, my question for NANOG is how does one go about attracting the 
attention of law enforcement when your network is under attack?  How does 
the target of such an attack get a large network provider whose customers 
are part of the attack to pay attention?  Is media attention the only way 
to pressure a response from either group?  These DDoS attacks have 
received some attention in mainstream media:

http://www.msnbc.com/news/959094.asp?0cv=TB10
http://www.boston.com/news/nation/articles/2003/08/28/saboteurs_hit_spams_blockers

Apparently it hasn't been enough.  Legal remedies take too long and are cost
prohibitive (unless you're the DoJ).  Subpoenas and civil lawsuits take
months if not years.  Relief is needed in days if not hours.

Justin


Re: what to do about joe-jobs?

2003-09-24 Thread Valdis . Kletnieks
On Wed, 24 Sep 2003 13:10:43 CDT, Stephen L Johnson <[EMAIL PROTECTED]>  said:

> Please forgive my ignorance, but what is a "joe-job"?

http://searchsecurity.techtarget.com/gDefinition/0,294236,sid14_gci917469,00.html

says it better than I can.  Or google for +"joe job" +definition, it's your friend. ;)




Re: Verisign Responds

2003-09-24 Thread Paul Vixie

> > oh... that wasn't a joke, then?
> > 
> > there won't be a protocol change of that kind, not in a million years.
> 
> It doesn't have to be a protocol change. Strictly an implementation change.

you are confused. and in any case this is off-topic. take it to namedroppers,
but before you do, please read rfc's 1033, 1034, 1035, 2136, 2181, and 2317.
-- 
Paul Vixie


RE: Another DNS blacklist is taken down

2003-09-24 Thread Justin Shore

On Wed, 24 Sep 2003 [EMAIL PROTECTED] wrote:

> Perhaps, but it also seems like moving an RBL onto a P2P network would
> make poisoning the RBL far too easy...

That's what I was getting ready to suggest.  As it stands now we have at 
least somewhat of an assurance that the zone we're working with isn't 
tainted.  I only use DNSBLs that offer zone transfers.  I only get an AXFR 
from authorized NSs for that DNSBL.  Assuming that NS hasn't been 
compromised I feel fairly safe in assuming that the data I'm getting is 
valid.  It might not be but I feel that it is.  If a P2P system was 
devised for distributing RBL zones then some form of validation for the 
distributed zones will have to be created.  That would most likely involve 
a central server.  Now you have a server to DDoS again.  *sigh*  We should 
just educate spammers with clue-by-fours and make the world a better 
place.

Justin



Re: what to do about joe-jobs?

2003-09-24 Thread Stephen L Johnson

On Wed, 2003-09-24 at 12:48, David Raistrick wrote:
> On Wed, 24 Sep 2003, Justin Shore wrote:
> 
> 
> > joe-job earlier this week.  Apparently the joe-jobbing was enough to
> > convince some extremely ignorant mail admins that Compu.net is spamming
> > and blocked mail from compu.net.  Compu.net has also seen the effects of
> 
> 
> Speaking of joe-jobs, what's the "proper" procedure for dealing with
> such?  

Please forgive my ignorance, but what is a "joe-job"?

-- 
Stephen L Johnson   [EMAIL PROTECTED]
Unix Systems Administrator  [EMAIL PROTECTED]
Department of Information Systems
State of Arkansas
501-682-4339



Do not call on hold

2003-09-24 Thread Timo Janhunen
The Do Not Call registry is on hold...

http://news.findlaw.com/cnn/docs/ftc/donotcall92303ord.pdf



Re: what to do about joe-jobs?, was: Re: Another DNS...

2003-09-24 Thread David Raistrick


> Total: 308

Erps, I told my script to mis-count:

Total: 284


---
david raistrick
[EMAIL PROTECTED]   http://www.expita.com/nomime.html



RE: Another DNS blacklist is taken down

2003-09-24 Thread Dan Hollis

On Wed, 24 Sep 2003 [EMAIL PROTECTED] wrote:
> Perhaps, but it also seems like moving an RBL onto a P2P network would
> make poisoning the RBL far too easy...

nope. updates will be crypto signed, thus poisoned updates will be dropped 
instantaneously.
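
The poisoning concern and the signed-update reply in this thread can be seen side by side in the following added example, which is not part of any post here and not code from any RBL project. It assumes a hypothetical update format in which each signed update names the fingerprint of the key that will sign the next one, and it uses a Lamport one-time signature over SHA-256 as a standard-library stand-in for an established scheme such as OpenPGP. All class and field names are made up for the illustration and the addresses are constructed documentation-range values.

```python
import hashlib
import json
import os


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Lamport one-time signature: a stand-in so the example needs no third-party
# library. Each key pair may sign exactly one message.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def fingerprint(pk) -> str:
    return H(b"".join(a + b for a, b in pk)).hex()


def _bits(msg: bytes):
    digest = H(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(sk, msg: bytes):
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    if len(pk) != 256 or len(sig) != 256:
        return False
    return all(H(s) == pk[i][bit]
               for i, (s, bit) in enumerate(zip(sig, _bits(msg))))


class Publisher:
    """List maintainer: the only party that holds signing keys (hypothetical)."""

    def __init__(self):
        self.sk, self.pk = keygen()
        self.serial = 0

    def root_fingerprint(self) -> str:
        return fingerprint(self.pk)

    def make_update(self, add=(), remove=()):
        next_sk, next_pk = keygen()
        self.serial += 1
        body = json.dumps({"serial": self.serial, "add": sorted(add),
                           "remove": sorted(remove),
                           "next_key": fingerprint(next_pk)},
                          sort_keys=True).encode()
        update = {"body": body, "pk": self.pk, "sig": sign(self.sk, body)}
        self.sk, self.pk = next_sk, next_pk  # never reuse a one-time key
        return update


class Subscriber:
    """Mail server that receives updates from untrusted peers."""

    def __init__(self, trusted_fp: str):
        self.trusted_fp = trusted_fp
        self.listed = set()

    def apply(self, update) -> str:
        try:
            pk, body, sig = update["pk"], update["body"], update["sig"]
            if fingerprint(pk) != self.trusted_fp:
                return "rejected: unknown signing key"
            if not verify(pk, body, sig):
                return "rejected: bad signature"
            fields = json.loads(body)
        except (KeyError, TypeError, ValueError):
            return "rejected: malformed"
        self.listed |= set(fields["add"])
        self.listed -= set(fields["remove"])
        self.trusted_fp = fields["next_key"]  # only the next update is accepted
        return "applied"


def demo():
    pub = Publisher()
    sub = Subscriber(pub.root_fingerprint())  # obtained once, out of band
    u1 = pub.make_update(add=["192.0.2.10", "192.0.2.11"])
    u2 = pub.make_update(add=["198.51.100.7"], remove=["192.0.2.11"])
    # A relaying peer swaps in an address the maintainer never listed.
    bad_body = u1["body"].replace(b"192.0.2.10", b"203.0.113.5")
    poisoned = dict(u1, body=bad_body)
    # The same peer re-signs the altered body with a key of its own.
    peer_sk, peer_pk = keygen()
    forged = {"body": bad_body, "pk": peer_pk, "sig": sign(peer_sk, bad_body)}
    results = [sub.apply(x) for x in (poisoned, forged, u2, u1, u1, u2)]
    return results, sorted(sub.listed)


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The subscriber needs only the first key fingerprint; the key chain also makes replayed and out-of-order updates fail the key check. Signatures do not stop a peer from withholding updates, so a subscriber still needs more than one source.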



RE: Another DNS blacklist is taken down

2003-09-24 Thread Joel Perez

Great,
Just Great. Wasn't there a post a while back that listed what providers
are SPAM friendly? My fingers are getting tired trying to create ACL's
lists to block ranges of IP's without compromising my service. I wish
the powers up above would buy the right software to try and curb the
SPAM but that is not to be according to them. 

So back to my ACL's I go!



--
Joel Perez <[EMAIL PROTECTED]>  | IP Engineer
http://www.ntera.net/ | Ntera
305.914.3412

>>-Original Message-
>>From: Justin Shore [mailto:[EMAIL PROTECTED]
>>Sent: Wednesday, September 24, 2003 12:29 PM
>>To: [EMAIL PROTECTED]
>>Subject: Another DNS blacklist is taken down
>>
>>
>>I thought ya'll might be interested to hear that yet another DNS blacklist
>>has been taken down out of fear of the DDoS attacks that took down
>>Osirusoft, Monkeys.com, and the OpenRBL.  Blackholes.compu.net suffered a
>>joe-job earlier this week.  Apparently the joe-jobbing was enough to
>>convince some extremely ignorant mail admins that Compu.net is spamming
>>and blocked mail from compu.net.  Compu.net has also seen the effects of
>>DDoS attacks on other DNS blacklist maintainers.  They've decided that the
>>risk to their actual business is too great and they are pulling the plug
>>on their DNS blacklist before they come under the gun by spammers.
>>
>>http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=3f70e839%241%40dimaggio.newszilla.com
>>
>>Ron Guilmette, maintainer of the Monkeys.com blacklists has posted a
>>farewell from Monkeys.com to news.admin.net-abuse.email.  Ron cites the
>>total lack of interest in the attacks by both big network providers and
>>law enforcement authorities as the ultimate reason he's pulling the plug.
>>
>>http://groups.google.com/groups?q=%22Now+retired+from+spam+fighting%22&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=vn1lufn8h6r38%40corp.supernews.com&rnum=4
>>
>>It's truly a sad day for spam fighters everywhere.
>>
>>So, my question for NANOG is how does one go about attracting the
>>attention of law enforcement when your network is under attack?  How does
>>the target of such an attack get a large network provider whose customers
>>are part of the attack to pay attention?  Is media attention the only way
>>to pressure a response from either group?  These DDoS attacks have
>>received some attention in mainstream media:
>>
>>http://www.msnbc.com/news/959094.asp?0cv=TB10
>>http://www.boston.com/news/nation/articles/2003/08/28/saboteurs_hit_spams_blockers
>>
>>Apparently it hasn't been enough.  Legal remedies take too long and are
>>cost prohibitive (unless you're the DoJ).  Subpoenas and civil lawsuits
>>take months if not years.  Relief is needed in days if not hours.
>>
>>Justin



what to do about joe-jobs?, was: Re: Another DNS...

2003-09-24 Thread David Raistrick

On Wed, 24 Sep 2003, Justin Shore wrote:


> joe-job earlier this week.  Apparently the joe-jobbing was enough to
> convince some extremely ignorant mail admins that Compu.net is spamming
> and blocked mail from compu.net.  Compu.net has also seen the effects of


Speaking of joe-jobs, what's the "proper" procedure for dealing with
such?  The company I work for is currently undergoing an admittedly minor
joe-job. (about 300 or so bounces that I've seen since mid last week or
so.)

Any suggestions for dealing with this?

A current count and list of last-source IPs so far are listed below:


Total: 308





---
david raistrick
[EMAIL PROTECTED]   http://www.expita.com/nomime.html



RE: Another DNS blacklist is taken down

2003-09-24 Thread andrew2

>> > So, my question for NANOG is how does one go about attracting the 
>> > attention of law enforcement when your network is under attack?  How 
>> > does the target of such an attack get a large network provider whose 
>> > customers are part of the attack to pay attention?  Is media 
>> > attention the only way to pressure a response from either group?  
>> > These DDoS attacks have received some attention in mainstream media:
>>
>> People will pay attention as soon as there is money in black lists. 
>> ISP's are businesses.  If losing the customer is cheaper than helping
>> them far too many will choose to lose the customer.  Many black lists
>> don't pay the ISP at all, indeed they are offered as free services for 
>> the good of the community.  As a result they get the response that any 
>> freeloader would, none.
>
>RBLs sound like a great application for P2P.

Perhaps, but it also seems like moving an RBL onto a P2P network would
make poisoning the RBL far too easy...

Andrew



More ports to block

2003-09-24 Thread Sean Donelan


Pop-Up Scam Beats AOL Filter

http://www.wired.com/news/technology/0,1282,60564,00.html
AOL is not the only Internet service provider currently blocking all port
135 traffic. Many ISPs began filtering the port last month to mitigate the
spread of the MSBlaster computer worm, Baldwin said. While AOL also could
block UDP ports 1025-1029 to fully eliminate Messenger service spams, the
big ISP likely is worried about the potential "collateral damage" such a
move might cause to users with legitimate programs that require those port
addresses, he said.





Re: Verisign Responds

2003-09-24 Thread Jack Bates
Paul Vixie wrote:

> oh... that wasn't a joke, then?
>
> there won't be a protocol change of that kind, not in a million years.

It doesn't have to be a protocol change. Strictly an implementation 
change. It would break less than the current implementation change ya'll 
made can break. Regardless of if resolver functionality for application 
support is included or not doesn't really matter. The ability to tell 
the recursor to accept or not accept the wildcard records is functional 
and doesn't care about delegation; strictly if the record returned 
matched a wildcard set. It performs the same service that the delegation 
patches did except it won't break tld's like de.

-Jack



Re: Inevitable Consequences--Verisign

2003-09-24 Thread Haesu

I am not surprised at all. If VeriSign took their efforts and time to show us
some purported "recommendations" to abide to their new service, they better at
least deal with DoS pretty fast before more people get uptight.

-hc

-- 
Haesu C.
TowardEX Technologies, Inc.
Consulting, colocation, web hosting, network design and implementation
http://www.towardex.com | [EMAIL PROTECTED]
Cell: (978)394-2867 | Office: (978)263-3399 Ext. 174
Fax: (978)263-0033  | POC: HAESU-ARIN

On Wed, Sep 24, 2003 at 11:54:59AM -0500, Declan McCullagh wrote:
> 
> Repeated (though informal) testing over the last 90 minutes showed
> that at one point, about one-third of attempted HTTP connections to
> sitefinder took over one minute to complete or, in a few cases, failed
> entirely.
> 
> Now only about one of every 5 or 10 connections is displaying that
> behavior.
> 
> -Declan
> 
> 
> On Wed, Sep 24, 2003 at 05:22:49PM +0300, Petri Helenius wrote:
> > 
> > Curt Akin wrote:
> > 
> > >This morning, more often than not, nonexistent domain name access via
> > >http is returning timeouts. Overload? DoS? It appears, for whatever
> > >reason, that Verisign's scheme is not impervious to the inevitable
> > >consequences of arrogant behavior.
> > >
> > >  
> > >
> > The service seems to have experienced about 30 minute downtime about an 
> > hour ago.
> > 
> > On average, the redirect servers has responded in less than four seconds 
> > in the last 36 hours. This performance is far from what any commercial 
> > enterprise should provide.
> > 
> > Performance seems to be worst from 9 UTC to 22 UTC, with best hours to
> > access yourreallyreallynonexistentdomain.com are 1 to 6 UTC.
> > 
> > Pete
> > 
> > 



Re: Another DNS blacklist is taken down

2003-09-24 Thread Patrick

On Wed, 24 Sep 2003, Leo Bicknell wrote:

> In a message written on Wed, Sep 24, 2003 at 11:28:39AM -0500, Justin Shore wrote:
> > So, my question for NANOG is how does one go about attracting the
> > attention of law enforcement when your network is under attack?  How does
> > the target of such an attack get a large network provider whose customers
> > are part of the attack to pay attention?  Is media attention the only way
> > to pressure a response from either group?  These DDoS attacks have
> > received some attention in mainstream media:
>
> People will pay attention as soon as there is money in black lists.
> ISP's are businesses.  If losing the customer is cheaper than helping
> them far too many will choose to lose the customer.  Many black
> lists don't pay the ISP at all, indeed they are offered as free
> services for the good of the community.  As a result they get the
> response that any freeloader would, none.

RBLs sound like a great application for P2P.


/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
   Patrick Greenwell
 Asking the wrong questions is the leading cause of wrong answers
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/


Re: Verisign Responds

2003-09-24 Thread Paul Vixie

> See the NANOG archives for my post regarding wildcard caching and set
> comparison with additional resolver functionality for requesting if the
> resolver wishes to receive wildcards or NXDOMAIN.

oh... that wasn't a joke, then?

there won't be a protocol change of that kind, not in a million years.


Re: Another DNS blacklist is taken down

2003-09-24 Thread Leo Bicknell
In a message written on Wed, Sep 24, 2003 at 11:28:39AM -0500, Justin Shore wrote:
> So, my question for NANOG is how does one go about attracting the 
> attention of law enforcement when your network is under attack?  How does 
> the target of such an attack get a large network provider whose customers 
> are part of the attack to pay attention?  Is media attention the only way 
> to pressure a response from either group?  These DDoS attacks have 
> received some attention in mainstream media:

People will pay attention as soon as there is money in black lists.
ISP's are businesses.  If losing the customer is cheaper than helping
them far too many will choose to lose the customer.  Many black
lists don't pay the ISP at all, indeed they are offered as free
services for the good of the community.  As a result they get the
response that any freeloader would, none.

For better or for worse you get to vote with your dollars, which
really means no dollars, no vote, no support.

-- 
   Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - [EMAIL PROTECTED], www.tmbg.org




Another DNS blacklist is taken down

2003-09-24 Thread Justin Shore

I thought ya'll might be interested to hear that yet another DNS blacklist
has been taken down out of fear of the DDoS attacks that took down
Osirusoft, Monkeys.com, and the OpenRBL.  Blackholes.compu.net suffered a
joe-job earlier this week.  Apparently the joe-jobbing was enough to
convince some extremely ignorant mail admins that Compu.net is spamming
and blocked mail from compu.net.  Compu.net has also seen the effects of
DDoS attacks on other DNS blacklist maintainers.  They've decided that the
risk to their actual business is too great and they are pulling the plug
on their DNS blacklist before they come under the gun by spammers.

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=3f70e839%241%40dimaggio.newszilla.com

Ron Guilmette, maintainer of the Monkeys.com blacklists has posted a 
farewell from Monkeys.com to news.admin.net-abuse.email.  Ron cites the 
total lack of interest in the attacks by both big network providers and 
law enforcement authorities as the ultimate reason he's pulling the plug.

http://groups.google.com/groups?q=%22Now+retired+from+spam+fighting%22&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=vn1lufn8h6r38%40corp.supernews.com&rnum=4

It's truly a sad day for spam fighters everywhere.

So, my question for NANOG is how does one go about attracting the 
attention of law enforcement when your network is under attack?  How does 
the target of such an attack get a large network provider whose customers 
are part of the attack to pay attention?  Is media attention the only way 
to pressure a response from either group?  These DDoS attacks have 
received some attention in mainstream media:

http://www.msnbc.com/news/959094.asp?0cv=TB10
http://www.boston.com/news/nation/articles/2003/08/28/saboteurs_hit_spams_blockers

Apparently it hasn't been enough.  Legal remedies take too long and are
cost prohibitive (unless you're the DoJ).  Subpoenas and civil lawsuits
take months if not years.  Relief is needed in days if not hours.

Justin



Re: Inevitable Consequences--Verisign

2003-09-24 Thread Declan McCullagh

Repeated (though informal) testing over the last 90 minutes showed
that at one point, about one-third of attempted HTTP connections to
sitefinder took over one minute to complete or, in a few cases, failed
entirely.

Now only about one of every 5 or 10 connections is displaying that
behavior.

-Declan


On Wed, Sep 24, 2003 at 05:22:49PM +0300, Petri Helenius wrote:
> 
> Curt Akin wrote:
> 
> >This morning, more often than not, nonexistent domain name access via
> >http is returning timeouts. Overload? DoS? It appears, for whatever
> >reason, that Verisign's scheme is not impervious to the inevitable
> >consequences of arrogant behavior.
> >
> >  
> >
> The service seems to have experienced about 30 minute downtime about an 
> hour ago.
> 
> On average, the redirect servers has responded in less than four seconds 
> in the last 36 hours. This performance is far from what any commercial 
> enterprise should provide.
> 
> Performance seems to be worst from 9 UTC to 22 UTC, with best hours to
> access yourreallyreallynonexistentdomain.com are 1 to 6 UTC.
> 
> Pete
> 
> 


NANOG 29 registration problems.

2003-09-24 Thread nicholas harteau


Once again, Verisign screws up.  Can someone point me to the correct
contact information to see if my registration actually went through or
not?  I don't see anything besides [EMAIL PROTECTED] listed on the website.


-- 
nicholas harteau
[EMAIL PROTECTED]



Re: monkeys.dom UPL being DDOSed to death

2003-09-24 Thread Jack Bates
Geo. wrote:

> There shouldn't be a need for any removal process. A server should be listed
> for as long as the spam continues to come from it. Once the spam stops the
> blacklisting should stop as well. That is how a dynamic list SHOULD work.

Depends on the type of listing. Open proxies and open relays are best 
removed by request of owner once they are fixed or staled out after a 
retest at a later time, although retests should be far and few between 
(many use anything from 1-6 months). Just because spam is not 
temporarily coming from an insecure host does not mean that the host has 
been secured.

Direct Spam is difficult to automatically detect, and reports are not 
always accurate (see SpamCop). It tends to be a very manual process. A 
lot of work goes into maintaining a list like SBL or SPEWS.

Spam is also very transient which makes local detection of a spammer's 
activities difficult. They may just be focusing on someone else for a 
week or two before plastering your servers again. If you removed them, 
they will do considerable damage before they get relisted via the manual 
process (delay between first email received and first recipient 
reporting can easily exceed hours).

The other issue with shared listings is what one considers acceptable or 
unacceptable. Easynet, for example, lists a lot of mail senders which I 
accept mail for due to user demand. They consider the email spam or 
resource abuse (broken mailers) while I am meeting the demands of my 
customers who are paying to receive the email. This isn't a collateral 
damage issue. It is an issue of where a network decides to draw the line 
on accepting or rejecting email.

-Jack



RE: monkeys.dom UPL being DDOSed to death

2003-09-24 Thread Geo.

>>The benefit of using a blacklist like monkeys or ordb is that there is
only one removal process for all the mail servers. The issue is that
when the webserver is dDOS'd, it is very hard for people to get removed.<<


There shouldn't be a need for any removal process. A server should be listed
for as long as the spam continues to come from it. Once the spam stops the
blacklisting should stop as well. That is how a dynamic list SHOULD work.

Geo.



Re: Inevitable Consequences--Verisign

2003-09-24 Thread Petri Helenius
Curt Akin wrote:

> This morning, more often than not, nonexistent domain name access via
> http is returning timeouts. Overload? DoS? It appears, for whatever
> reason, that Verisign's scheme is not impervious to the inevitable
> consequences of arrogant behavior.

The service seems to have experienced about 30 minute downtime about an 
hour ago.

On average, the redirect servers has responded in less than four seconds 
in the last 36 hours. This performance is far from what any commercial 
enterprise should provide.

Performance seems to be worst from 9 UTC to 22 UTC, with best hours to
access yourreallyreallynonexistentdomain.com are 1 to 6 UTC.

Pete




Re: monkeys.dom UPL being DDOSed to death

2003-09-24 Thread Jack Bates
Geo. wrote:

> Blacklists are just one kind of filter. If we could load software that
> allowed us to forward spams caught by other filters into it and it
> maintained a DNS blacklist we could have our servers use, we wouldn't need
> big public rbl's, everyone doing any kind of mail volume could easily run
> their own IF THE SOFTWARE WAS AVAILABLE. A distributed solution for a
> distributed problem.

The benefit of using a blacklist like monkeys or ordb is that there is 
only one removal process for all the mail servers. The issue is that 
when the webserver is dDOS'd, it is very hard for people to get removed.

Running local blacklists on common themes (such as open proxy/open 
relay) has the same issue. Yes, one can blacklist the site, but how do 
you get it delisted once the problem is fixed?

I had openrbl.org in my rejections for awhile so that people could find 
all the blacklists that they were on. Since the dDOS of openrbl, I've 
had to change it to my local scripts which don't cover near what openrbl 
did.

-Jack
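
An added sketch (not code from this thread or from any blacklist project) of the locally run, filter-fed DNS blacklist Geo describes, with listings that lapse once spam stops so that no removal process or web server is involved. The zone name, quiet period, exempt range and addresses are constructed assumptions.

```python
import ipaddress

LISTED = "127.0.0.2"  # conventional DNSBL "listed" answer


class LocalDnsbl:
    """IPv4 DNSBL zone fed by local filters; entries lapse when spam stops."""

    def __init__(self, zone, quiet_period=86400, exempt=()):
        self.zone = zone.rstrip(".").lower()
        self.quiet_period = quiet_period  # seconds without spam before delisting
        self.exempt = [ipaddress.ip_network(n) for n in exempt]
        self.last_spam = {}  # IPv4Address -> time of most recent report

    def report_spam(self, ip, now):
        """Called by any local filter that caught spam from ip."""
        addr = ipaddress.IPv4Address(ip)
        if any(addr in net for net in self.exempt):
            return False  # never list our own relays
        self.last_spam[addr] = max(now, self.last_spam.get(addr, 0))
        return True

    def expire(self, now):
        """Purge sources that stayed quiet; returns the delisted addresses."""
        stale = [a for a, t in self.last_spam.items()
                 if now - t >= self.quiet_period]
        for addr in stale:
            del self.last_spam[addr]
        return sorted(str(a) for a in stale)

    def query_name(self, ip):
        """192.0.2.10 -> 10.2.0.192.<zone>, the name a mail server looks up."""
        octets = str(ipaddress.IPv4Address(ip)).split(".")
        return ".".join(reversed(octets)) + "." + self.zone

    def resolve(self, qname, now):
        """Answer an A query: LISTED if currently listed, None for NXDOMAIN."""
        qname = qname.rstrip(".").lower()
        suffix = "." + self.zone
        if not qname.endswith(suffix):
            return None
        labels = qname[:-len(suffix)].split(".")
        try:
            addr = ipaddress.IPv4Address(".".join(reversed(labels)))
        except ValueError:
            return None  # malformed query name
        seen = self.last_spam.get(addr)
        if seen is None or now - seen >= self.quiet_period:
            return None  # never listed, or quiet long enough to be delisted
        return LISTED
```

A fixed host is delisted by the passage of time alone; the trade-off is that a source that resumes sending is relisted only after a local filter catches it again.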



Re: Verisign Responds

2003-09-24 Thread Jack Bates
Paul Vixie wrote:

It's still to be seen if ISC's cure is worse than the disease; as 
instead of detecting and stopping wildcard sets, it looks for delegation. 


that's because wildcard ("synthesized") responses do not look different
on the wire, and looking for a specific A RR that can be changed every day
or even loadbalanced through four /16's that may have real hosts in them
seems like the wrong way forward.
See the NANOG archives for my post regarding wildcard caching and set 
comparison with additional resolver functionality for requesting if the 
resolver wishes to receive wildcards or NXDOMAIN.

-Jack



Inevitable Consequences--Verisign

2003-09-24 Thread Curt Akin

This morning, more often than not, nonexistent domain name access via
http is returning timeouts. Overload? DoS? It appears, for whatever
reason, that Verisign's scheme is not impervious to the inevitable
consequences of arrogant behavior.



Re: Verisign Responds

2003-09-24 Thread Eliot Lear
Jim Segrave wrote:
And the usual US-centric view...

Which congress person does Demon Netherlands, T-dialin, Wanadoo
France, Tiscali etc. go to?
I recognize it sounds U.S.-centric, but quite frankly since the U.S. 
Department of Commerce claims ownership here, I don't have any grand 
more politically correct answer for you.

Eliot




Digest from questions about IPTelephony

2003-09-24 Thread Christopher Bird

Many thanks to all who responded.

I have been asked by a few people to post a digest, so here it is. I
have chosen not to attribute the quotes because some of the people who
responded directly to me. If they had wanted their statements made
public and attributable, then they would have posted publicly.

Please remember that I am a conduit here. These are opinions of others
that I have assembled. So if you feel like flaming me, go ahead, you
won't get much back from me though!

I hope that I have represented the views of the responders accurately.
If not, please publish corrections.

The general consensus seemed to break down into the following areas:

Call Quality
------------

There were several comments related to call jitter and how different
equipment has different jitter/quality characteristics. 
Reference was made to the following report

http://www.iwl.com/Products/maxwell/VoIPReport.html

The report speaks for itself, but I don't know when it was created and
whether the products have been updated since.

"Yes, there are issues.  Packet jitter is the biggest annoyance, but the
H.323 VoIP protocol is reasonably robust about such things by providing
some degree of jitter correction at both ends.  The clincher is usually
finding network providers that do a reasonably good job of keeping the
network in a stable state.

With reliable connectivity, H.323 can keep nearly circuit-quality calls
in at least 95% of cases, and still audible but sometimes "cell phone
quality" calls every once in a while.  If you're connecting primarily to
a nearby (in Net terms) landline gateway for most of your IP-to-PSTN
calls, you'll probably never notice the difference."

General conclusion is that most of the time call quality in IPT
solutions is at worst adequate (cell phone quality) and at best as good
as PSTN/PBX.


Robustness/Reliability
----------------------

2 users report 100% availability using private corporate networks. But
the caution is that the network design is critical. 

There is a considerable amount of configuration activity. One user
reported that the most common source of problems was keying errors. Many
configuration activities were templated using perl scripts to reduce
configuration errors.

One question posed is "When was the last time you had to update the
firmware on your phone?" A reference to the need for software/firmware
in the phone giving another possible point of failure when an update
fails.

Observation that a PBX approach is highly centralized, so can present
single point of failure behaviors, whereas the IPT approach leads to a
more distributed and potentially better self healing approach.

At a time of national crisis (9/11 in NYC), the phone system wasn't any
more reliable than the data systems.

"Now, *faxing* is a big problem in the VoIP world.  If your landline
gateway provider doesn't give you a decent method to do fax calls, you
may have an issue.  V.22 and V.23 fax calls (not to mention modem calls)
do not work well over a VoIP-modulated line, but some landline gateway
services overcome this by placing a POTS-emulating device at the fax
machine, translating back to a digital data stream, then back to POTS
fax on the other side.  There's also net<->fax gateway services out
there."

"We have been running approximately 3.5 MILLION minutes per month across
our xxx VoIP solution for approximately 12-14 months: Do we have
problems, yeah occasionally, but they are actually in line with the
frequency of problems when running on a real pbx.." (Vendor name
removed by me) 

"Reliability-wise, 100% uptime requires redundant IP PBXes, backbones,
switches and backup UPSes for all. This is no different to what a telco
does in their Central Office for their class 5 switches, but any
reasonable sized corporate network already has the UPS and backbone
infrastructure in place. Why - because they have learned the hard way
that people can live without phones for a while, but go ballistic if
they don't get their email on time."

"Things like intelligent routing and a good telecom engineer should help
alleviate concerns with network outages. i.e. you're still gonna have a 
tie trunk to the local telco to offload non-corporate phone calls 
anyway...in the event of network outages, you can just seamlessly 
re-route the traffic over the PSTN. I wouldn't buy any of that 
ip-phones-on-the-desktop-crap that xxx keeps pushing. Yes, there may 
be some applications for the ip handsets, but the last thing you wanna 
hear is that someone can't get their vmail because the dhcp server
barfed." Note product name removed by Chris

Corporate usage vs. usage over the internet vs. POTS
----------------------------------------------------

There were many cautions expressed about using VOIP over the internet.
QOS control must be implemented for consistent quality, but of course
that isn't possible if you don't know how calls are routed.

One user reported how nice it is to have "extension portability" take
t

419 with a twist

2003-09-24 Thread Stephen J. Wilcox

for amusement thought the list might like to see my latest 419 email with not a 
single african government official in sight. amused us all here anyhow, not seen 
anything like this before!

the netblock is a nameless nigerian ISP

inetnum:  81.199.82.0 - 81.199.83.255
netname:  CIDR-COMMUNICATION-01
descr:    Internet service provider
country:  NG


-- Forwarded message --
Date: Tue, 23 Sep 2003 23:02:19 +0200
From: "CAPT TONY [LEADER]" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: US ARMY

Dear Sir/Ma,

We are teams of American coalition troops writing from Baghdad Iraq!

We are urgently seeking for your willingness to secure the below consignments as
shown in the attached photos!

The goods were captured here in Baghdad, abandoned in one of the Saddam
Hussein's Treasure House. However, the goods consist of Gold Bars, Gold coins
and huge amount of fund in the sealed boxes!

At this moment, we are intending to ship these goods outside Iraq for reasons of
safekeeping on our behalf but due to law and restriction order, we are unable to
transport the goods to AMERICA that is the reason why we are soliciting for your
interest to assist us in receiving the goods on our behalf preferably in Europe.

We are ready to meet to your demand on this basis with our intending 25% of the
entire goods either in cash or in value.


Therefore, we will appreciate your effort to reach back via email confirming
your interest to assist us receive the consignment. As soon as we receive your
positive reply, we shall furnish you with further details.

Please, note, this issue must be handled with utmost confidentiality as to avoid
publicity!


Yours truly.
Capt. STELLA .A (Team Leader)






Re: Independent Technical Review Panel

2003-09-24 Thread Ken Stubbs

Mr. Dillon

Your email here implies that this statement is being made by Paul Twomey ..

I do believe that the actual comments you're referring to were made by the GM
of Verisign, Mr. Lewis ...

Ken Stubbs

- Original Message - 
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 24, 2003 4:27 AM
Subject: Independent Technical Review Panel


>
> In this letter:
> http://www.icann.org/correspondence/lewis-to-twomey-21sep03.htm
> Verisign CEO, Paul Twomey, makes the following claim:
>
> We have also formed an independent technical review panel to gather and
> analyze data for the purpose of assessing any operational impact of our
> wildcard implementation. The technical review panel will consist of
> leading experts in the field.
>
> Is he lying about this? If not, where is this panel and who is on it?
>
> --Michael Dillon
>
>



Re: Verisign Responds

2003-09-24 Thread Michael . Dillon

>And the usual US-centric view...
>Which congress person does Demon Netherlands, T-dialin, Wanadoo
>France, Tiscali etc. go to?

In the Netherlands, Germany, France, Italy and other countries
people generally know who to go to to raise an issue with
their governments. In some cases there is a direct equivalent
of "your" elected representative unless the country uses
proportional voting.

In all cases, the ISP can contact their favorite political 
party and ask for advice and support in raising a complaint
to the U.S. government who indirectly regulate Verisign
through the Department of Commerce involvement in ICANN and
IANA. 

It is especially important for ISPs outside the U.S.A. to 
also issue press releases to go along with their petition
for government action because the publicity from the press
release will often accomplish more than the petition itself.

The goal should be to get your country's government to 
officially protest the U.S. government's support for Verisign's
action in destabilising the Internet. When the number of
protests reaches critical mass and are widespread enough, then
the Department of Commerce will be forced to act. 

The failure of the DOC to act before this point forms
an indirect support of Verisign's action by the U.S. 
government.

--Michael Dillon





Re: Verisign Responds

2003-09-24 Thread Måns Nilsson


--On Tuesday, September 23, 2003 11:55:41 -0700 Randy Bush <[EMAIL PROTECTED]>
wrote:

> because some engineers think that all social and business problems
> can be solved by technical hacks.  it's the goddess's revenge for
> the lawyers who think all engineering problems can be solved at
> layer nine.

Bingo!

-- 
Måns Nilsson            Systems Specialist
+46 70 681 7204         KTHNOC  MN1334-RIPE

We're sysadmins. To us, data is a protocol-overhead.



Re: monkeys.dom UPL being DDOSed to death

2003-09-24 Thread Dr. Jeffrey Race

On Tue, 23 Sep 2003 16:32:55 -0500, Jack Bates wrote:

>Question: Why is it not illegal for an ISP to allow a known vulnerable 
>host to stay connected and not even bother contacting the owner? There 
>are civil remedies that can be sought but no criminal. 

Various theories of criminal liability could certainly be applied
e.g. attractive nuisance (like leaving an unfenced swimming pool for
children to drown in).   However this kind of very plausible action
would take an aggressive public prosecutor with a good computer
forensic staff and a seriously injured victim.   Since the public
prosecutors can hardly handle the criminals at MCI, Enron, the leading
finance firms, we may have to wait a while.

Jeffrey Race



Re: Verisign Responds

2003-09-24 Thread Jim Segrave

On Tue 23 Sep 2003 (12:18 -0700), Eliot Lear wrote:
> 
> Randy Bush wrote:
  
> >all this noise and bluster is depressing.  it indicates that
> >we are in a very quickly maturing industry because a lot of
> >probably-soon-to-be-ex engineers have too much time on their
> >hands.
> 
> I take a different view.  If people who are upset with Verisign's change 
> DON'T say anything, then there's no reason for Verisign to change.  I 
> suspect that the better forum may be one's Congress person...

And the usual US-centric view...

Which congress person does Demon Netherlands, T-dialin, Wanadoo
France, Tiscali etc. go to?

-- 
Jim Segrave   [EMAIL PROTECTED]


Independent Technical Review Panel

2003-09-24 Thread Michael . Dillon

In this letter:
http://www.icann.org/correspondence/lewis-to-twomey-21sep03.htm
Verisign CEO, Paul Twomey, makes the following claim:

We have also formed an independent technical review panel to gather and 
analyze data for the purpose of assessing any operational impact of our 
wildcard implementation. The technical review panel will consist of 
leading experts in the field.

Is he lying about this? If not, where is this panel and who is on it?

--Michael Dillon


Re: Verisign Responds

2003-09-24 Thread Daniel Karrenberg

On 23.09 08:43, [EMAIL PROTECTED] wrote:
> > 
> > brilliant_draft = rfc-format(relevant(good(iab-statement)) + 
> > night_sleep(own-ideas));
> > suggest(dnsop-wg, brilliant_draft);
> > wait(unspec);
> > ...
> 
> you missed a step... 
> 
> approve(iesg, wildcard-clarify);

I *said* "wait(unspec);" didn't I? ;-(

Note: Concurrent processes run faster if they have no interdependencies. 

end

