College increases fine for virus computers to $100

2003-09-26 Thread Sean Donelan

Rollins College in Florida has increased its fine for students with
infected computers to $100.  Despite repeated warnings, nearly
1/3 of the 1,100 students ignored instructions to install the
patch and anti-virus software.  The College sent teams door-to-door
on campus looking for infected computers to fix them.  Even after
that, 35 students still didn't fix their computers, and the college
turned off their network access.

http://www.orlandosentinel.com/news/education/orl-locvirus26092603sep26,0,4672743.story?coll=orl-news-headlines


In Anchorage, the cable modem provider has started cutting off 500
infected customers.  When the customer calls in, GCI won't let them
re-connect to the network until they fix their computers.  Which can
be a difficult process for some customers since the only way Microsoft
distributes the patches is on-line.

http://www.adn.com/business/story/4002138p-4023398c.html

How many other ISPs are turning off customers due to worms isn't
known.




Re: New Team Cymru IP2ASN whois server

2003-09-26 Thread Pekka Savola

On Fri, 26 Sep 2003, Stephen Gill wrote:
> $ whois -h whois.cymru.com 4.2.2.1
>     ASN |   IP | Name
>    3356 |  4.2.2.1 | LEVEL3 Level 3 Communications

Do you plan to support IPv6 -> ASN mappings as well, at some point?

Another interesting feature related to that would be supporting special
resolution of 6to4 addresses (RFC3056); looking up 2002:0102:0304:: would
give you also the info on IP 1.2.3.4.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings




Re: Increase in tcp traffic from spoofed source to bogon?

2003-09-26 Thread Pekka Savola

On Thu, 25 Sep 2003, Mike Tancsa wrote:
> Is it all to 135 ?  I  drop lots of that at my border.  Each time I traced 
> it back to the customer, it was some infected machine that was not being 
> natted for various reasons.
> 
> e.g.
> 
> Deny TCP 172.16.4.1:4616 192.100.103.4:135
> 
> We also see the odd ntp request.  Is it bogon as in RFC 1918 or bogon as in 
> not yet allocated / routed ?

We are seeing some amount of traffic to the SMTP port of 127.0.0.2 (!!!).  
I haven't bothered to check this out at the moment.  One would suppose the 
routers would blackhole the loopback traffic (or have a route to 
127.0.0.1), but no... :-)

> At 05:26 PM 25/09/2003, Mark Segal wrote:
> 
> >While cleaning the narchi virus icmp traffic.. I noticed a lot of tcp
> >traffic (it seems to be increasing) from spoofed address to bogon space?
> >Any ideas on what virus or worm this is?  Is it new?
> >
> >Regards,
> >Mark
> >
> >--
> >Mark Segal
> >Director, Network Planning
> >FCI Broadband
> >Tel: 905-284-4070
> >Fax: 416-987-4701
> >http://www.fcibroadband.com
> >
> >Futureway Communications Inc. is now FCI Broadband
> 

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings





RE: New Team Cymru IP2ASN whois server

2003-09-26 Thread Jeroen Massar

-----BEGIN PGP SIGNED MESSAGE-----

Pekka Savola wrote:

> On Fri, 26 Sep 2003, Stephen Gill wrote:
> > $ whois -h whois.cymru.com 4.2.2.1
> > ASN |   IP | Name
> >3356 |  4.2.2.1 | LEVEL3 Level 3 Communications
> 
> Do you plan to support IPv6 -> ASN mappings as well, at some point?
> 
> Another interesting feature related to that would be 
> supporting special resolution of 6to4 addresses (RFC3056); looking up 
> 2002:0102:0304:: would give you also the info on IP 1.2.3.4.

Indeed, _also_, as the source ASNs can differ between the ASNs
used for announcing the IPv4 and the IPv6 prefix.

Fortunately, except for currently 4 prefixes, there should not
be anything more specific than 2002::/16 per RFC3056.

From GRH:
2002:c2b1:d06e::/48  More specific 6to4 prefix (194.177.208.110/32) from AS5408 
2002:c8a2::/33   More specific 6to4 prefix (200.162.0.0/17) from AS15180 
2002:c8c6:4000::/34  More specific 6to4 prefix (200.198.64.0/18) from AS15180 
2002:c8ca:7000::/36  More specific 6to4 prefix (200.202.112.0/20) from AS15180 

BTW, if somebody has a working contact for AS15180, don't hesitate to
mention it, as they seem quite unresponsive... Others did respond
and cleaned it up, btw :)

Greets,
 Jeroen

-----BEGIN PGP SIGNATURE-----
Version: Unfix PGP for Outlook Alpha 13 Int.
Comment: Jeroen Massar / [EMAIL PROTECTED] / http://unfix.org/~jeroen/

iQA/AwUBP3QMqymqKFIzPnwjEQLZbACgrd07hx6Xmdg+0AB0SoP5aH82LvgAoKvP
8mmfHiQ56nPpBy0mwIkWvmqr
=3Out
-----END PGP SIGNATURE-----
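Added example, not code from the thread or from Team Cymru: the 6to4 resolution Pekka asks for and the more-specific prefix mapping Jeroen lists, in Python. A 6to4 address (RFC 3056) carries the site's IPv4 address in bits 16..47, so an IP-to-ASN service would need to look up both the IPv6 prefix and the embedded IPv4 address, which may be announced from different ASNs. The same arithmetic turns a more-specific 6to4 prefix into the IPv4 prefix it corresponds to (a /N becomes a /(N-16)); the four GRH prefixes above are used as test input. The relay anycast prefix 192.88.99.0/24 (RFC 3068, mentioned later in the thread) is included for completeness. Function names are this example's own.

```python
import ipaddress

# 6to4 (RFC 3056): 2002:V4ADDR::/48, where V4ADDR is the 32-bit IPv4 address of the
# site's 6to4 router, occupying bits 16..47 of the IPv6 address.
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
# 6to4 relay anycast prefix (RFC 3068): the IPv4 side of the same mechanism.
RELAY_ANYCAST = ipaddress.IPv4Network("192.88.99.0/24")


def embedded_ipv4(addr):
    """Return the IPv4 address embedded in a 6to4 address, or None if addr is not 6to4."""
    a = ipaddress.IPv6Address(addr)
    if a not in SIX_TO_FOUR:
        return None
    # bytes 2..5 of the 16-byte address are the embedded IPv4 address
    return ipaddress.IPv4Address(a.packed[2:6])


def six_to_four_prefix_to_ipv4(prefix):
    """Map a 6to4 prefix (possibly more specific than /48) to its IPv4 prefix.

    The 16-bit 2002: header is stripped, so a /N becomes a /(N-16), capped at /32
    because nothing beyond bit 47 carries IPv4 information."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen < 16 or net.network_address not in SIX_TO_FOUR:
        return None
    v4 = ipaddress.IPv4Address(net.network_address.packed[2:6])
    return ipaddress.IPv4Network(f"{v4}/{min(net.prefixlen - 16, 32)}", strict=False)


def is_relay_anycast(v4):
    """True for the 6to4 relay anycast prefix, which is not an ordinary end-site route."""
    return ipaddress.IPv4Address(v4) in RELAY_ANYCAST


def lookup_targets(addr):
    """What an IP-to-ASN service would need to resolve for a 6to4 address: the IPv6
    address itself plus the embedded IPv4 address, since the two may be announced
    from different ASNs."""
    targets = [str(ipaddress.IPv6Address(addr))]
    v4 = embedded_ipv4(addr)
    if v4 is not None:
        targets.append(str(v4))
    return targets


if __name__ == "__main__":
    # the four more-specific 6to4 prefixes from the GRH listing above
    for p in ("2002:c2b1:d06e::/48", "2002:c8a2::/33",
              "2002:c8c6:4000::/34", "2002:c8ca:7000::/36"):
        print(p, "->", six_to_four_prefix_to_ipv4(p))
    print(lookup_targets("2002:0102:0304::"))
```

The IPv4 prefix length is simply the IPv6 length minus 16, which is why a /33 more-specific of 2002::/16 maps to an IPv4 /17: an operator leaking such a route is effectively re-announcing the IPv4 aggregate over the 6to4 path.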



The Cidr Report

2003-09-26 Thread cidr-report

This report has been generated at Fri Sep 26 21:48:00 2003 AEST.
The report analyses the BGP Routing Table of an AS4637 (Reach) router
and generates a report on aggregation potential within the table.

Check http://www.cidr-report.org/as4637 for a current version of this report.

Recent Table History
Date        Prefixes   CIDR Agg
19-09-03      124625      88453
20-09-03      124231      88712
21-09-03      124485      88757
22-09-03      124825      88767
23-09-03      124583      88869
24-09-03      124650      88899
25-09-03      124729      88878
26-09-03      124718      88911


AS Summary
 15808  Number of ASes in routing system
  6252  Number of ASes announcing only one prefix
  1441  Largest number of prefixes announced by an AS
AS701  : ALTERNET-AS UUNET Technologies, Inc.
  73355264  Largest address span announced by an AS (/32s)
AS568  : SUMNET-AS DISO-UNRRA


Aggregation Summary
The algorithm used in this report proposes aggregation only
when there is a precise match using the AS path, so as 
to preserve traffic transit policies. Aggregation is also
proposed across non-advertised address space ('holes').

 --- 26Sep03 ---
AS          NetsNow  NetsAggr  NetGain  % Gain  Description

Table        125286     88917    36369   29.0%  All ASes

AS6197          964       284      680   70.5%  BATI-ATL BellSouth Network Solutions, Inc
AS4323          668       195      473   70.8%  TW-COMM Time Warner Communications, Inc.
AS701          1441      1007      434   30.1%  ALTERNET-AS UUNET Technologies, Inc.
AS7018         1403       986      417   29.7%  ATT-INTERNET4 AT&T WorldNet Services
AS7843          529       137      392   74.1%  ADELPHIA-AS Adelphia Corp.
AS3908          906       535      371   40.9%  SUPERNETASBLK SuperNet, Inc.
AS6198          497       208      289   58.1%  BATI-MIA BellSouth Network Solutions, Inc
AS4355          393       107      286   72.8%  ERMS-EARTHLNK EARTHLINK, INC
AS1221          983       698      285   29.0%  ASN-TELSTRA Telstra Pty Ltd
AS6347          354        87      267   75.4%  DIAMOND SAVVIS Communications Corporation
AS4134          374       118      256   68.4%  CHINANET-BACKBONE No.31,Jin-rong Street
AS1239          909       656      253   27.8%  SPRINTLINK Sprint
AS22773         286        37      249   87.1%  CCINET-2 Cox Communications Inc. Atlanta
AS27364         314        70      244   77.7%  ACS-INTERNET Armstrong Cable Services
AS17676         263        30      233   88.6%  GIGAINFRA Softbank BB Corp.
AS25844         242        15      227   93.8%  SKADDEN1 Skadden, Arps, Slate, Meagher & Flom LLP
AS209           501       291      210   41.9%  ASN-QWEST Qwest
AS6140          340       135      205   60.3%  IMPSAT-USA ImpSat
AS11305         230        38      192   83.5%  INTERLAND-NET1 Interland Incorporated
AS4519          178         4      174   97.8%  MAAS Maas Communications
AS6327          201        27      174   86.6%  SHAW Shaw Communications Inc.
AS22909         297       123      174   58.6%  DNEO-OSP1 Comcast Cable Communications, Inc.
AS2386          374       202      172   46.0%  INS-AS AT&T Data Communications Services
AS2048          256        87      169   66.0%  LANET-1 State of Louisiana
AS14654         171         2      169   98.8%  WAYPORT Wayport
AS9498          183        20      163   89.1%  BBIL-AP BHARTI BT INTERNET LTD.
AS705           408       249      159   39.0%  ALTERNET-AS UUNET Technologies, Inc.
AS5786          163         5      158   96.9%  UPRENET University of Puerto Rico
AS9583          261       108      153   58.6%  SATYAMNET-AS Satyam Infoway Ltd.,
AS9800          203        52      151   74.4%  UNICOM CHINA UNICOM

Total         14292      6513     7779   54.4%  Top 30 total


Possible Bogus Routes

24.119.0.0/16    AS11492  CABLEONE CABLE ONE
61.12.32.0/24    AS7545   TPG-INTERNET-AP TPG Internet Pty Ltd
61.12.34.0/24    AS7545   TPG-INTERNET-AP TPG Internet Pty Ltd
64.30.64.0/19    AS14900  USLEC-CORP-1 USLEC Corp.
66.41.192.0/18   AS13367  ATT-BBND-B AT&T Broadband
132.0.0.0/10 AS5
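Added example, not the CIDR Report's own code: a small Python model of the aggregation rule the report states, namely that two prefixes are merged only when they carry an identical AS path and that aggregation is also proposed across unannounced holes. The implementation is an approximation written for this page: two same-path prefixes are merged into their smallest common supernet unless a prefix with a different AS path lies inside that supernet, and a more-specific that repeats the path of a covering prefix is dropped. It then produces the NetsNow / NetsAggr / NetGain / %Gain figures per origin AS in the shape of the table above. The routing table is constructed sample data, not a real BGP feed, and the function names are this example's own.

```python
import ipaddress
from collections import defaultdict
from itertools import combinations


def common_supernet(a, b):
    """Smallest prefix that covers both a and b (same address family)."""
    s = a
    while not b.subnet_of(s):
        s = s.supernet()
    return s


def aggregate(table):
    """table: iterable of (prefix, as_path) with as_path a tuple of ASNs, origin last.

    Two prefixes with an identical AS path are merged into their common supernet
    unless some prefix carried with a different AS path lies inside that supernet;
    a more-specific that carries the same path as a covering prefix is dropped.
    Unannounced space inside the supernet (a 'hole') does not block the merge.
    Returns {as_path: [aggregated networks]}."""
    key = lambda n: (n.version, int(n.network_address), n.prefixlen)
    entries = [(ipaddress.ip_network(p), tuple(path)) for p, path in table]
    groups = defaultdict(set)
    for net, path in entries:
        groups[path].add(net)
    result = {}
    for path, nets in groups.items():
        others = [n for n, p in entries if p != path]
        nets = set(nets)
        merged = True
        while merged:
            merged = False
            for a, b in combinations(sorted(nets, key=key), 2):
                if a.version != b.version:
                    continue
                s = common_supernet(a, b)
                # a new covering prefix must not hide a more-specific with another policy
                if s not in nets and any(o.version == s.version and o.subnet_of(s)
                                         for o in others):
                    continue
                nets = {n for n in nets
                        if not (n.version == s.version and n.subnet_of(s))} | {s}
                merged = True
                break
        result[path] = sorted(nets, key=key)
    return result


def per_origin_summary(table):
    """NetsNow / NetsAggr / NetGain / %Gain per origin AS, as in the CIDR Report."""
    now, after = defaultdict(int), defaultdict(int)
    for _, path in table:
        now[path[-1]] += 1
    for path, nets in aggregate(table).items():
        after[path[-1]] += len(nets)
    return {asn: (now[asn], after[asn], now[asn] - after[asn],
                  round(100.0 * (now[asn] - after[asn]) / now[asn], 1))
            for asn in now}


# Constructed sample table (not real routing data); origin AS is the last element.
SAMPLE = [
    ("10.0.0.0/24", (701,)),
    ("10.0.1.0/24", (701,)),
    ("10.0.2.0/24", (701,)),   # 10.0.3.0/24 is a hole; the /22 is still proposed
    ("10.1.0.0/24", (701,)),
    ("10.1.1.0/24", (7018,)),  # other origin inside 10.0.0.0/15 blocks merging 10.1.0.0/24
    ("10.2.0.0/16", (1239,)),
    ("10.2.4.0/24", (1239,)),  # same path as its covering /16: redundant
]

if __name__ == "__main__":
    for asn, row in sorted(per_origin_summary(SAMPLE).items()):
        print(f"AS{asn:<6} {row[0]:>7} {row[1]:>9} {row[2]:>8} {row[3]:>6}%")
```

The real report works on a full table with far stricter bookkeeping; the point of the model is the two checks, same AS path and no foreign more-specific inside the candidate aggregate, which together are what keep an aggregation proposal from changing anyone's transit policy.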

Re: Any way to P-T-P Distribute the RBL lists?

2003-09-26 Thread Andy Smith

On Thu, Sep 25, 2003 at 09:41:07PM +0200, Sabri Berisha wrote:
> Whatever you come up with, it practically always has a downside:
> spammers can get the whole list as well.
> 
> Image an open-proxy-dnsbl being distributed via peer to peer or via
> distributed means as usenet. Spammers would love it as they no longer
> have to scan for themselves, same for open relays. 

Most of the large open proxy dnsbls in existence already offer their
zones to essentially anyone via rsync.

http://abuse.easynet.nl/proxies.html skip down to "rsync"


Re: AOL Proxy Servers not connecting via https - resolved

2003-09-26 Thread Ron da Silva

On Thu, Sep 25, 2003 at 04:48:11PM -0700, Andy Ellifson wrote:
> 
> Actually a /12.  But the value of 172.16.0.0 0.15.255.255 has been
> burned into my head for some reason...

yup... s/20/12/  typo...thanks Andy
-ron


Re: The Cidr Report

2003-09-26 Thread Saku Ytti

On (2003-09-26 22:00 +1000), [EMAIL PROTECTED] wrote:

> 192.88.99.0/24   AS3246  SONGNETWORKS  Song Networks

RFC3068.

-- 
  ++ytti


RE: New Team Cymru IP2ASN whois server

2003-09-26 Thread Stephen Gill

Hi Pekka,

Yep, we'd like to.  Stay tuned!

Cheers,
Steve, for Team Cymru
--
Stephen Gill

-Original Message-
From: Pekka Savola [mailto:[EMAIL PROTECTED] 
Sent: Friday, September 26, 2003 3:30 AM
To: Stephen Gill
Cc: 'NANOG'
Subject: Re: New Team Cymru IP2ASN whois server

On Fri, 26 Sep 2003, Stephen Gill wrote:
> $ whois -h whois.cymru.com 4.2.2.1
>     ASN |   IP | Name
>    3356 |  4.2.2.1 | LEVEL3 Level 3 Communications

Do you plan to support IPv6 -> ASN mappings as well, at some point?

Another interesting feature related to that would be supporting special
resolution of 6to4 addresses (RFC3056); looking up 2002:0102:0304::
would
give you also the info on IP 1.2.3.4.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings



Re: Proposed changes to the AUP.

2003-09-26 Thread doug

Sure - why not; I have a letter in a safety deposit box in case of helicopters
(of any color).

I virtually never post and think (in retrospect) that a couple of my postings
were probably in violation of the AUP. It does seem that a number of recent
threads have wandered off topic (under any definition of the word). That said, I
like the content of this list, both on and off topic, because I have learned so
much from it.

If the AUP stays the way it is (which is fine with me), why not just not post
individual messages that make personal attacks or are in violation in some
manner, and just kill a thread when it wanders 'too' far off topic.

On Thu, 25 Sep 2003, Damian Gerow wrote:

>
> Thus spake Leo Bicknell ([EMAIL PROTECTED]) [25/09/03 17:19]:
> > Well, I've received 9 private responses to the e-mail.  7 indicate
> > support for my proposal, 2 were neutral comments.
> >
> > I post this because 2 of the 7 offered in their message that they
> > were unwilling to support my proposal on the list because they felt
> > it might get them thrown off the list.  That is an interesting
> > chilling effect I had not expected.
> >
> > Please, if you think it's a good idea and aren't afraid to post
> > step up and voice your support to help those unwilling to do so.
>
> I'll voice a public support.  And yes, I also received notice from Susan
> about my Freenet posting.
>
> What had me most confused was that I was contacted personally.  I'm sure
> everyone else in the thread was /also/ contacted personally, but that meant
> that the thread continued on.  It would be nice to have a public notice that
> the thread has wandered (or started) off-topic, and to continue conversation
> elsewhere.
>

_
Douglas Denault
[EMAIL PROTECTED]
Voice: 301-469-8766
  Fax: 301-469-0601


RE: Detecting a non-existent domain

2003-09-26 Thread alex

> The answer so far seems to be to query *.TLD, nab all the records, 
> and then compare them all the results you get back from querying the 
> domain.  If there is anything that doesn't match, you are in the 
> clear.  (Modulo internal networks and localhost and all those fun 
> tricks of course--but that's a different problem.)
> 
> The fact that this is a single IP comparison with Verisign today 
> presumably does not preclude the wonders of MX records, CNAME's, 
> multiple A records and all of that in the future.

Alg 101

1. Seed the isWildCard[] probability array.

Generate N random strings. Attach ".NET" or ".COM" to them.  Get records for
them. Compare records to each other assigning them probability of being a
wildcard based on the repetitiveness of the data.

2. Query domain name in question.

Compare the result with isWildCard[] probability array.


Alex
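Added example, not part of Alex's message: the two steps of "Alg 101" above in Python, run against a constructed stand-in resolver so it works offline. Step 1 queries N random labels under the TLD and records how often each answer set comes back; step 2 compares the answer for the domain in question against that profile. The resolver, the zone contents and the wildcard target address are all made up for this example (swap in a real DNS lookup for `fake_resolve` to use it live), and the function names are this example's own. As the thread notes, the check is only as good as the profile: a legitimate domain that happens to point at the same address as the wildcard would be misjudged as non-existent.

```python
import random
import string
from collections import Counter

# Constructed stand-in for a resolver.  Every name under "com" that is not in ZONE
# gets the same synthesized answer, the way a TLD wildcard ("*.com" A record)
# behaves; "org" has no wildcard and returns an empty answer (NXDOMAIN).
ZONE = {
    "example.com": ["192.0.2.10"],
    "mail.example.com": ["192.0.2.25"],
    "example.org": ["192.0.2.40"],
}
WILDCARD_ANSWER = ["198.51.100.1"]   # assumed wildcard target, not a real address


def fake_resolve(name):
    """Returns the list of A records for name; [] means NXDOMAIN."""
    name = name.lower().rstrip(".")
    if name in ZONE:
        return list(ZONE[name])
    if name.endswith(".com"):
        return list(WILDCARD_ANSWER)
    return []


def random_label(rng, length=12):
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(length))


def seed_wildcard_profile(resolve, tld, n=16, rng=None):
    """Step 1: query n random names under tld and record how often each answer set
    comes back.  Returns {frozenset(answer): fraction of probes that returned it}."""
    rng = rng or random.Random(0)
    counts = Counter()
    for _ in range(n):
        counts[frozenset(resolve(f"{random_label(rng)}.{tld}"))] += 1
    return {answer: c / n for answer, c in counts.items()}


def wildcard_probability(profile, answer):
    """How likely this answer is the TLD wildcard: its frequency among random probes."""
    return profile.get(frozenset(answer), 0.0)


def domain_exists(resolve, profile, name, threshold=0.5):
    """Step 2: a name exists if it resolves and its answer is not (probably) the
    wildcard.  Returns (exists, answer, wildcard_probability)."""
    answer = resolve(name)
    if not answer:
        return False, answer, 0.0
    p = wildcard_probability(profile, answer)
    return p < threshold, answer, p


if __name__ == "__main__":
    com = seed_wildcard_profile(fake_resolve, "com")
    for name in ("example.com", "no-such-name-zz.com", "no-such-name-zz.org"):
        print(name, domain_exists(fake_resolve, com, name))
```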

Re: Proposed changes to the AUP.

2003-09-26 Thread bdragon

> It would be great to add sending messages encoded in HTML is prohibited.

My apologies for the self-followup. As several people have emailed pointing
out, the original AUP email was not HTML (of which I'm aware, since my
client doesn't do MIME); I was merely following up to the original message
since it proposed AUP updates. I don't recall ever seeing Leo post an
HTML mail.

My apologies for the confusion esp. to Leo if he thought my message
was directed at _him_ rather than those who routinely post in html.



FW: e-bay

2003-09-26 Thread Mike Tomasura


> I guess e-bay had some problems? A few users got this message from them.
> 
> Dear eBay user!
> 
> At 09.24.2003 our company has lost a number
> of accounts in the system during the database
> maintenance. If you have an active account, please
> click on the link below to update your credit card
> information. If you have problems with your account, please let us know
> at email [EMAIL PROTECTED] 
> 
> https://cgi.ebay.com/saw-cgi/eBayISAPI.dll?UpdateInformation
>  
> 
> 
> 
> 


Re: FW: e-bay

2003-09-26 Thread Simon Lockhart

On Fri Sep 26, 2003 at 12:25:52PM -0400, Mike Tomasura wrote:
> > https://cgi.ebay.com/saw-cgi/eBayISAPI.dll?UpdateInformation
> >  
 ^^^

Looks like another scam

Simon

-- 
Simon Lockhart  |   Tel: +44 (0)1628 407720 (x37720) | Si fractum 
Technology Manager  |   Fax: +44 (0)1628 407701 (x37701) | non sit, noli 
BBC Internet Operations | Email: [EMAIL PROTECTED]| id reficere
BBC Technology, Maiden House, Vanwall Road, Maidenhead. SL6 4UB. UK



Re: FW: e-bay

2003-09-26 Thread Krzysztof Adamski

On Fri, 26 Sep 2003, Mike Tomasura wrote:

>
>
> > I guess e-bay had some problems? A few users got this message from them.
> >
> > Dear eBay user!
> >
> > At 09.24.2003 our company has lost a number
> > of accounts in the system during the database
> > maintenance. If you have an active account, please
> > click on the link below to update your credit card
> > information. If you have problems with your account, please let us know
> > at email [EMAIL PROTECTED] 
> >
> > https://cgi.ebay.com/saw-cgi/eBayISAPI.dll?UpdateInformation
> > 

The fact that the url is e-bay.com and they don't have a valid certificate
is a good indication that this is a scam. There are lots of them that look
very similar.

K

> >
> >
> >
> >
>



Re: FW: e-bay

2003-09-26 Thread Gregory Hicks


> From: Mike Tomasura <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: FW: e-bay
> Date: Fri, 26 Sep 2003 12:25:52 -0400
> 
> 
> 
> > I guess e-bay had some problems? A few users got this message from them.
> > 
> > Dear eBay user!
> > 
> > At 09.24.2003 our company has lost a number
> > of accounts in the system during the database
> > maintenance. If you have an active account, please
> > click on the link below to update your credit card
> > information. If you have problems with your account, please let us know
> > at email [EMAIL PROTECTED] 

Nope!  It is a 'credit card harvesting scam'...  (Or whatever the term
dujour is today...)

Good for identity theft purposes and for stealing credit card numbers
to run up someone else's bill...

I mean...  Look at it:  Poor grammar, poor punctuation, ...

> > 
> > https://cgi.ebay.com/saw-cgi/eBayISAPI.dll?UpdateInformation
> >  

Also, if this is for real, it looks like eBay has bigger problems:
Connection refused to both of these URLs.

Regards,
Gregory Hicks

---
Gregory Hicks| Principal Systems Engineer
Cadence Design Systems   | Direct:   408.576.3609
555 River Oaks Pkwy M/S 6B1  | Fax:  408.894.3400
San Jose, CA 95134   | 

"The trouble with doing anything right the first time is that nobody
appreciates how difficult it was."

When a team of dedicated individuals makes a commitment to act as
one...  the sky's the limit.

Just because "We've always done it that way" is not necessarily a good
reason to continue to do so...  Grace Hopper, Rear Admiral, United
States Navy



Re: FW: e-bay

2003-09-26 Thread Tony Rall

On Friday, 2003-09-26 at 12:25 AST, Mike Tomasura <[EMAIL PROTECTED]> wrote:
>  I guess e-bay had some problems? A few users got this message from them.
> 
>  Dear eBay user!
> 
>  At 09.24.2003 our company has lost a number
>  of accounts in the system during the database
>  maintenance. If you have an active account, please
>  click on the link below to update your credit card
>  information. If you have problems with your account, please let us know
>  at email [EMAIL PROTECTED] 
> 
>  https://cgi.ebay.com/saw-cgi/eBayISAPI.dll?UpdateInformation
>  

This is a clever attempt to harvest ebay account information.

The message, with the subject "Official Notice for all eBay users"
consists of 2 parts:

1. An html section, which includes a link to (don't click on this)
http://[EMAIL PROTECTED]:%34%39%30%31/%75%70%64%61%74%65/%69%6E%64%65%78%2E%68%74%6D, 
and
a display of "pic.gif".

2. A base 64 attachment - pic.gif.

What you normally see when you open the message is just the gif file. 
But the gif appears to be text, including a picture of the text asking
you to click on
"http://scgi.ebay.com/saw-cig/eBayISAPI.dll?VerifyInformation";

But the real link (as might be displayed at the bottom of your mail client 
window if it gives you a preview of links) is the one shown in #1.  And 
that link doesn't go to ebay.com - it really goes to 211.217.224.102, port 
4901.  That is because everything in front of the "@" is treated by your 
browser as data (a userid, in theory) to be passed to the target host, not 
as the host name.

That target web server, when it was working, displayed a page that is
forged to look like an ebay page, asking you to reenter your ebay
userid and password.  Don't do it!

Today, the host at 211.217.224.102 is no longer listening on port
4901.

Tony Rall
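Added example, not part of Tony's message: a Python checker that does the link analysis he describes, resolving what a browser of the time would actually connect to and flagging the tricks used. It splits off anything before "@" as userinfo, percent-decodes the port and path (the "%34%39%30%31" port and "%75%70..." path above decode to 4901 and /update/index.htm), and compares the host against the brand the mail claims to be from, so that lookalikes such as the e1bay.com case mentioned elsewhere in the thread are caught too. The sample URLs are constructed: the target IP is a documentation address rather than the one in the thread, and the userinfo (masked in the quoted message) is an assumed value. The function names are this example's own; bracketed IPv6 hosts are out of scope.

```python
import ipaddress
from urllib.parse import urlsplit, unquote

TRUSTED = ("ebay.com",)   # assumed: the brand the mail claims to come from


def levenshtein(a, b):
    """Edit distance, used to spot one-character-off lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels; a crude stand-in for a public-suffix lookup, enough for .com."""
    return ".".join(host.split(".")[-2:])


def analyze(url):
    """Return the real host, port and path a browser would use, plus warning flags."""
    parts = urlsplit(url)
    userinfo, _, hostport = parts.netloc.rpartition("@")
    host, sep, port = hostport.rpartition(":")
    if not sep:                      # no port: rpartition left the whole string in 'port'
        host, port = port, ""
    raw_port = port
    host = unquote(host).lower()
    port = unquote(port) or {"http": "80", "https": "443"}.get(parts.scheme, "")
    flags = []
    if userinfo:
        # everything before '@' is credentials, not the host, however host-like it looks
        flags.append("userinfo-present")
        if any(t in unquote(userinfo).lower() for t in TRUSTED):
            flags.append("userinfo-impersonates-trusted-host")
    if "%" in raw_port:
        flags.append("percent-encoded-port")
    if "%" in parts.path:
        flags.append("percent-encoded-path")
    try:
        ipaddress.ip_address(host)
        flags.append("host-is-ip-literal")
    except ValueError:
        reg = registrable(host)
        if reg not in TRUSTED and any(levenshtein(reg, t) <= 2 for t in TRUSTED):
            flags.append("lookalike-domain")
    return {"host": host, "port": port, "path": unquote(parts.path), "flags": flags}


# Constructed samples; 203.0.113.5 is a documentation address and "scgi.ebay.com"
# as userinfo is an assumption standing in for the masked value in the thread.
SAMPLES = {
    "disguised": "http://scgi.ebay.com@203.0.113.5:%34%39%30%31"
                 "/%75%70%64%61%74%65/%69%6E%64%65%78%2E%68%74%6D",
    "lookalike": "https://cgi.e1bay.com/saw-cgi/eBayISAPI.dll?UpdateInformation",
    "legit": "https://cgi.ebay.com/saw-cgi/eBayISAPI.dll?UpdateInformation",
}

if __name__ == "__main__":
    for label, url in SAMPLES.items():
        print(label, analyze(url))
```

Modern browsers no longer accept a percent-encoded port and warn on a userinfo that looks like a hostname, but the decoding above is still what you want in a mail filter or an incident write-up: the host after the last "@" and before the last ":" is the only part of the netloc that determines where the connection goes.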


RE: FW: e-bay

2003-09-26 Thread Mike Tomasura

Anyone that has a Spam filter should have "ebay" and "e-bay" in the list.
That is how we caught it.

-Original Message-
From: Justin B. Newman [mailto:[EMAIL PROTECTED]
Sent: Friday, September 26, 2003 12:30 PM
To: Mike Tomasura
Subject: Re: FW: e-bay


I presume you've figured out that the link goes to e1bay.com, not ebay. 
  It's a fraud.

-jbn

On Friday, September 26, 2003, at 12:25 PM, Mike Tomasura wrote:

>
>
>> I guess e-bay had some problems? A few users got this message from 
>> them.
>>
>> Dear eBay user!
>>
>> At 09.24.2003 our company has lost a number
>> of accounts in the system during the database
>> maintenance. If you have an active account, please
>> click on the link below to update your credit card
>> information. If you have problems with your account, please let us 
>> know
>> at email [EMAIL PROTECTED] 
>>
>> https://cgi.ebay.com/saw-cgi/eBayISAPI.dll?UpdateInformation
>> 
>>
>>
>>
>>
>
>


Re: FW: e-bay

2003-09-26 Thread Mike Tancsa


It's sad how many people get taken in by obvious and less obvious scams like 
this.  But I guess this is as old as the "knock knock:  Wallet 
inspector."...
There was a similar PayPal scam that had "click here to go to 
www.paypal.com" which looked and displayed nice and legit in the email, but 
the href really sent you to a site in Korea that looked exactly like the 
PayPal login screen.  "Thank you for verifying your information" Indeed!

---Mike

At 12:25 PM 26/09/2003, Mike Tomasura wrote:


> I guess e-bay had some problems? A few users got this message from them.
>
> Dear eBay user!
>
> At 09.24.2003 our company has lost a number
> of accounts in the system during the database
> maintenance. If you have an active account, please
> click on the link below to update your credit card
> information. If you have problems with your account, please let us know
> at email [EMAIL PROTECTED] 
>
> https://cgi.ebay.com/saw-cgi/eBayISAPI.dll?UpdateInformation
> 
>
>
>
>



Re: Increase in tcp traffic from spoofed source to bogon?

2003-09-26 Thread Crist Clark

Pekka Savola wrote:
> 
> On Thu, 25 Sep 2003, Mike Tancsa wrote:
> > Is it all to 135 ?  I  drop lots of that at my border.  Each time I traced
> > it back to the customer, it was some infected machine that was not being
> > natted for various reasons.
> >
> > e.g.
> >
> > Deny TCP 172.16.4.1:4616 192.100.103.4:135
> >
> > We also see the odd ntp request.  Is it bogon as in RFC 1918 or bogon as in
> > not yet allocated / routed ?
> 
> We are seeing some amount of traffic to the SMTP port of 127.0.0.2 (!!!).
> I haven't bothered to check this out at the moment.  One would suppose the
> routers would blackhole the loopback traffic (or have a route to
> 127.0.0.1), but no... :-)

I've been seeing this too. There are some jokers (SPAMmers?) out there
putting 127.0.0.2 in their MX records.

Our Solaris mail server actually puts 127.0.0.2 out on the wire (the
default route) despite,

  lo0: flags=1000849 mtu 8232 index 1
  inet 127.0.0.1 netmask ff00 

the fact it looks like these should be routed to the loopback. This also
flies in the face of RFC1122, Sec. 3.2.1.3(g),

(g)  { 127, <any> }
     Internal host loopback address.  Addresses of this form
     MUST NOT appear outside a host.

This is however historical UN*X behavior. We hardcoded FreeBSD to drop
127/8 heading out of the host only a year ago and got a few complaints
from people who were doing things they probably should not have been doing
or could have just as easily done with RFC1918 addresses.

I would expect 127/8 to be on any bogon list.
-- 
Crist J. Clark   [EMAIL PROTECTED]
Globalstar Communications(408) 933-4387
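Added example, not part of Crist's or Pekka's messages: a Python classifier for the kind of border-ACL log line Mike quotes earlier in this thread ("Deny TCP 172.16.4.1:4616 192.100.103.4:135"), which labels each record by whether the source, the destination or both fall in bogon space and gives the reason, including the 127/8 loopback case Crist cites from RFC 1122. The bogon table is a constructed, deliberately partial list of reserved ranges; unallocated space is left out because it changes over time and must come from a maintained list. The log lines are constructed sample input (documentation-range addresses stand in for public ones), and the function names are this example's own.

```python
import ipaddress
import re

# Constructed bogon table: space that must never appear as a source or destination
# on the public Internet.  Unallocated space is deliberately omitted.
BOGONS = [
    ("0.0.0.0/8", "this-network (RFC 1122)"),
    ("10.0.0.0/8", "private (RFC 1918)"),
    ("127.0.0.0/8", "loopback, must not leave the host (RFC 1122 3.2.1.3(g))"),
    ("169.254.0.0/16", "link-local"),
    ("172.16.0.0/12", "private (RFC 1918)"),
    ("192.168.0.0/16", "private (RFC 1918)"),
    ("224.0.0.0/4", "multicast"),
    ("240.0.0.0/4", "reserved"),
]
BOGON_NETS = [(ipaddress.ip_network(p), why) for p, why in BOGONS]

# Matches the ACL log format quoted in the thread: "Deny PROTO src:sport dst:dport".
LINE_RE = re.compile(r"Deny\s+(?P<proto>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)"
                     r"\s+(?P<dst>[\d.]+):(?P<dport>\d+)")


def bogon_reason(ip):
    """Reason string if ip is in the bogon table, else None."""
    addr = ipaddress.ip_address(ip)
    for net, why in BOGON_NETS:
        if addr in net:
            return why
    return None


def classify(log):
    """One record per parseable line: is the source, the destination, both or neither bogon."""
    verdicts = {(True, True): "both-bogon", (True, False): "spoofed-source",
                (False, True): "bogon-destination", (False, False): "clean"}
    records = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src_why, dst_why = bogon_reason(m["src"]), bogon_reason(m["dst"])
        records.append({
            "proto": m["proto"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]),
            "verdict": verdicts[(src_why is not None, dst_why is not None)],
            "src_reason": src_why, "dst_reason": dst_why,
        })
    return records


def summarize(records):
    """Count (verdict, destination port) pairs so patterns like port 135 stand out."""
    out = {}
    for r in records:
        key = (r["verdict"], r["dport"])
        out[key] = out.get(key, 0) + 1
    return out


# Constructed sample log; 198.51.100.0/24 and 203.0.113.0/24 stand in for public addresses.
SAMPLE_LOG = """\
Deny TCP 172.16.4.1:4616 192.100.103.4:135
Deny TCP 172.16.4.1:4617 192.100.103.5:135
Deny TCP 198.51.100.7:3421 127.0.0.2:25
Deny UDP 203.0.113.9:123 10.1.2.3:123
Deny TCP 10.9.9.9:1025 127.0.0.1:80
Deny TCP 203.0.113.9:51022 203.0.113.44:80
"""

if __name__ == "__main__":
    recs = classify(SAMPLE_LOG)
    for r in recs:
        print(r["verdict"], r["src"], "->", r["dst"], r["dport"],
              r["src_reason"] or "", r["dst_reason"] or "")
    print(summarize(recs))
```

A "spoofed-source" hit to port 135 from RFC 1918 space is the un-NATed infected host Mike describes; a "bogon-destination" hit on 127.0.0.2:25 is a mail server dutifully following a hostile MX record onto the wire, which is exactly what the RFC 1122 MUST NOT is there to prevent.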


European and Far East Connectivity in the US

2003-09-26 Thread Timothy Brown

I'm looking for recommendations for providers who provide excellent 
European and/or Far East transit from multiple points in the 
southeastern United States.  Specifically, i'm looking for people who have 
strong connectivity to Chinalink and DTAG.  Sales droids need not reply.  
Send replies off-list, i'll summarize.

Thanks,
Tim



Re: FW: e-bay

2003-09-26 Thread Ken Stubbs

This is most definitely a combination credit card & eBay account scam.

This has happened numerous times over the last year and, in many cases, the
offender has also used the hijacked account information to offer items for
sale & set up phoney escrow companies to lull the purchaser into putting up
the funds.

The scale of this fraud is, frankly, huge, but many companies like eBay &
PayPal downplay it to avoid tainting the legitimacy of their respective
businesses.

ken stubbs

- Original Message - 
From: "Mike Tancsa" <[EMAIL PROTECTED]>
To: "Mike Tomasura" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, September 26, 2003 12:39 PM
Subject: Re: FW: e-bay


>
>
> It's sad how many people get taken in by obvious and less obvious scams like
> this.  But I guess this is as old as the "knock knock:  Wallet
> inspector."...
> There was a similar PayPal scam that had "click here to go to
> www.paypal.com" which looked and displayed nice and legit in the email, but
> the href really sent you to a site in Korea that looked exactly like the
> PayPal login screen.  "Thank you for verifying your information" Indeed!
>
>  ---Mike
>
> At 12:25 PM 26/09/2003, Mike Tomasura wrote:
>
>
> > > I guess e-bay had some problems? A few users got this message from them.
> > >
> > > Dear eBay user!
> > >
> > > At 09.24.2003 our company has lost a number
> > > of accounts in the system during the database
> > > maintenance. If you have an active account, please
> > > click on the link below to update your credit card
> > > information. If you have problems with your account, please let us know
> > > at email [EMAIL PROTECTED] 
> > >
> > > https://cgi.ebay.com/saw-cgi/eBayISAPI.dll?UpdateInformation
> > > 
> > >
> > >
> > >
> > >
>
>
>



Re: FW: e-bay

2003-09-26 Thread Mike Tancsa

At 01:40 PM 26/09/2003, Ken Stubbs wrote:
> the scale of this fraud is, frankly, huge, but many companies like ebay &
> paypal downplay it to avoid tainting the legitimacy of their respective
> businesses

I went through the steps to report it to eBay and PayPal via their web 
interface.  I got an email requesting the original message; I bounced it to 
them the same day quoting the appropriate ticket #.  A day or so later a 
human being had sent a template email saying yes, it's a scam etc. etc. and 
that they were investigating, and that was that.  2 days later, the IP is dead.

I really feel for them.  The scam site is in Korea, the email was sent via 
an open proxy on a cable modem in the US somewhere.  Big or small, I doubt 
it's an easy job coordinating international law enforcement to 'whack a 
mole' essentially.  In my case, the initial IP that was in the scam mail 
was gone 2 days after I reported it.  I don't know if that was weeks after 
someone else or if they did get it shut down in 48hrs.  But 3 days later, I 
got another email with the same scam, this time to a different provider in 
Korea.  Next.

---Mike 



Re: FW: e-bay

2003-09-26 Thread Joe Abley


On Friday, Sep 26, 2003, at 14:06 Canada/Eastern, Mike Tancsa wrote:

> But 3 days later, I got another email with the same scam, this time to 
> a different provider in Korea.  Next.

Korea has a very large number of reliably- and permanently-connected 
windows boxes in comparison to most other countries (the OECD numbers 
on broadband access in 2001 ranked Korea way up there at the top of the 
list, with Canada a distant second, or so I heard on the radio the 
other day). You can buy residential 20Mbit/s VDSL services there over 
the phone, as a regular service, and people do.

Given this, I'm guessing that if you choose a windows box with a stable 
connection on the net at random, chances are good that it's in Korea.

All the network operators I have in Korea are both efficient and 
technically proficient, and I certainly didn't get any impression that 
people were lax or in any way irresponsible with respect to running 
networks: the fact that the networks there are still functioning at all 
suggests they are well-practiced at dealing with infected windows 
boxes. It seems to be much less common to find people who speak 
English in Korea than it is in other places in Asia, though, which 
might help explain apparent unresponsiveness to complaints which are 
not written in Korean.

So, here's my point (and I know I'm rambling, come on, it's a Friday): 
when every other back trace leads to Korea, it's not necessarily 
because Korea is irresponsible or incompetent; in terms of the global 
distribution of windows-based worm factories, they just account for a 
disproportionate amount of the Internet.

Given the numbers of clients they have to deal with it's eminently 
possible that they're doing a much better job, in relative and general 
terms, than operators in the US, Europe and Australasia.

Joe



Re: FW: e-bay

2003-09-26 Thread Mike Tancsa
At 03:01 PM 26/09/2003, Joe Abley wrote:

> So, here's my point (and I know I'm rambling, come on, it's a Friday): 
> when every other back trace leads to Korea, it's not necessarily because 
> Korea is irresponsible or incompetent; in terms of the global distribution 
> of windows-based worm factories, they just account for a disproportionate 
> amount of the Internet.

Yes, I should have clarified this.  I don't think the folks in Korea are any 
more or less competent than their NA counterparts -- be that end user or 
operator.  In my case, the open relay was an Adelphia cable user on the US 
east coast somewhere.  I think from a criminal's point of view it's more 
desirable to locate offshore as it will be more difficult due to language, 
legal and even time differentials to track down the people controlling the 
victim host site.

---Mike 



[OT] question on NANOG meetings

2003-09-26 Thread William Caban

Are NANOG meetings webcasted? More specifically, Is NANOG29 going to be
webcasted/multicasted/netcasted?

Thanks,

William
-- 
William Caban <[EMAIL PROTECTED]>



Re: Korean network problems, was FW: e-bay

2003-09-26 Thread John R. Levine

> Yes, I should have clarified this.  I don't think the folks in Korea
> are any more or less competent than their NA counterparts -- be that
> end user or operator.

Unfortunately, my experience is that system managers in Korea are
considerably less competent than their NA counterparts.  The managers
are not stupid, but they are hopelessly underqualified.  Korea made a
big push to wire the country for broadband without any consideration
of who would run the gazillion computers with their swell new
high-speed permanent connections.  So they did things like setting up
every school in the country with servers with identical Windows
configs that are all subject to the same wide range of well known
Windows exploits.  Many of the people who are by default in charge of
these systems wouldn't know what to do with Windows Update even if
they could read the English language instructions, because they have
no computer background.

That, along with an extremely ill-advised law that made spam legal if
you put the Korean version of ADV: in the subject line, is why I set
up the korea.services.net DNSBL which blocks all the networks in Korea
except for a handful of networks with responsive admins and low spam
counts.  I'll be very happy to take out networks that solve their spam
problems, but so far none have done so.

Now and then someone writes and says "I fixed my open relay, please
unlist me" (no, it's not a list of individual open relays) or "your
list blocks mail that is very very important" (quite possibly, but
it's not as important to me as blocking the thousands of spams that
your ISP would otherwise have sent me and whoever it is that's using
the list to reject your mail.)

The Korean government knows that they've dug themselves a hole, but
it'll be a while until they dig themselves out of it.  In the
meantime, my DNSBL continues to block a heck of a lot of spam and I
can live without the two legit messages a year that I otherwise would
have gotten from Korea.

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
"A book is a sneeze." - E.B. White, on the writing of Charlotte's Web


 


Re: [OT] question on NANOG meetings

2003-09-26 Thread Petri Helenius
William Caban wrote:

> Are NANOG meetings webcasted? More specifically, Is NANOG29 going to be
> webcasted/multicasted/netcasted?

NANOG meetings typically have a very narrowband RealMedia stream.

Pete




Submit your comments on Verisign's SiteFinder service to ICANN

2003-09-26 Thread Craig A. Huegen

Hi all,

I strongly recommend that if you have an opinion on the Verisign
SiteFinder service, that you visit
http://www.icann.org/general/wildcard-history.htm
and submit your comments appropriately ahead of the October 7 meeting
of the SSAC.

/cah


Re: [OT] question on NANOG meetings

2003-09-26 Thread Joel Jaeggli

On Sat, 27 Sep 2003, Petri Helenius wrote:

> 
> William Caban wrote:
> 
> >Are NANOG meetings webcasted? More specifically, Is NANOG29 going to be
> >webcasted/multicasted/netcasted?
> >
> >  
> >
> NANOG meetings typically have a very narrowband RealMedia stream.

and 1 - 3  multicast sources...
 
> Pete
> 
> 

-- 
-- 
Joel Jaeggli   Unix Consulting [EMAIL PROTECTED]
GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2




A list of (mostly) technical consequences of TLD wildcards

2003-09-26 Thread Duane Wessels

I've been collecting a list of things that are broken, or might break,
now that the two most populated TLDs have A and MX record wildcards.

You can find the list at  http://www.packet-pushers.net/tld-wildcards/

I'll be happy to receive any additions or corrections that you might
have.

Duane W.


Re: [OT] question on NANOG meetings

2003-09-26 Thread Richard A Steenbergen

On Sat, Sep 27, 2003 at 01:28:27AM +0300, Petri Helenius wrote:
> 
> William Caban wrote:
> 
> >Are NANOG meetings webcasted? More specifically, Is NANOG29 going to be
> >webcasted/multicasted/netcasted?
> >
> > 
> >
> NANOG meetings typically have a very narrowband RealMedia stream.

And historically, almost guaranteed to cut out every 30 seconds and be 
close to unwatchable on the live feed.

-- 
Richard A Steenbergen <[EMAIL PROTECTED]>   http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)


Re: Average case performance vs. Worst-case guarantee

2003-09-26 Thread Mark Rogaski
An entity claiming to be [EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote:
: 
: >   When an ISP buys a router does it want a worst-case guarantee about the
: > router's capabilities? Or will it buy a router which can give better
: > performance in the average case (it may drop some packets if the traffic
: > pattern changes suddenly)? Assuming both cost the same.
: 
: Worst case guarantee is necessary in many cases. Easy example:
: 
: A router that can handle an STM-1 of regular Internet traffic is worthless
: to us if it dies in the face of an STM-1 with minimum sized attack traffic.
: 

Perhaps we can generalize this by pointing out the dearth of SLA's based
upon average-case.  

Mark

-- 
[] Mark 'Doc' Rogaski | Guess what? I got a fever! And the only
[] [EMAIL PROTECTED]  | prescription ... is more cowbell!
[] 1994 Suzuki GS500ER| -- Christopher Walken (as Bruce Dickinson)
[] 1975 Yamaha RD250B |

