i'm missing my copy of why a wildcard MX won't help sitefinder
at the meeting yesterday, verisign said they were considering the benefits of a wildcard MX RR whose target was a nonexistent name, as a way to keep smtp traffic from having to come to sitefinder for rejection. i recall a very good posting on this topic and i think it was on nanog but i can't find it now. can someone privately send it to me if you've got it? -- Paul Vixie
Update - Contacts for CHINANET-BJ?
I got two contacts on this, looks like the situation is resolved.

On Wed, 8 Oct 2003, Tom (UnitedLayer) wrote:
> Anyone got a clueful contact over there? Getting 100Mbps or so of dos from over there and I'd rather not just blackhole the /16
Re: Transit and Paid Peering Exchanges
In general, enterprises are not willing to peer the way that ISPs are - that is, show up, and try to get some peering in a speculative fashion. Most are more comfortable showing up at a site with the expectation to pay, and a good idea of exactly who they can pay to get the services they need (basically, transit, not peering). They also tend to want centralized accounting, and sometimes a route server and a high degree of technical assistance are helpful. The average IXP does not even come close to meeting these requirements, sadly. There's been talk about running a subscription-based peering brokerage service on the west coast, primarily aimed at Asian carriers and networks, in exactly the fashion you're describing, and that talk has gone on for quite a few years, ever since the first few Japanese carriers showed up at the PAIX and had trouble getting peering because of communication (people not technical) issues. The Asia Pacific Internet Consortium nearly got it done, but attempts so far seem to have kind of petered out. I'd be interested in seeing what you find out, as would a lot of other people, I'm sure. Can you propose it as a talk to Susan Harris, for a future NANOG meeting, if your results are going to be public? -Bill
Re: Transit and Paid Peering Exchanges
Certainly - I'd be happy to.

- Dan

From: Bill Woodcock [EMAIL PROTECTED]
Date: Thu, 9 Oct 2003 00:27:24 -0700 (PDT)
To: Daniel Golding [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Transit and Paid Peering Exchanges

> [Bill's reply above, quoted in full]
Re: NANOG 29 hotels
On Fri, 3 Oct 2003, Stephen J. Wilcox wrote:
> I have a twin room in the Marriott 18th-22nd (no ARIN), and am happy to share for half the cost with anyone who knows me.

Do they have to know you *before* you share the room? Because they certainly will afterwards, but you didn't specify prior knowledge... <grin>

- Matt
BGP and OSPF
It is known that redistribution of routes learnt by BGP into an IGP is considered harmful, but I am still wondering how you can route without redistribution of BGP routes in an OSPF cloud that connects to several external networks. I have the following scenario.

    RA (AS100)              RB (AS101)
        |                       |
        R1                      R2
                R0 (AS559)
        R3                      R4
        |                       |
    RC (AS201)              RD (AS202)

All routers except R0 run BGP. R0--R4 are in the same AS and run OSPF. RA-RD are all in distinct ASs. RA is BGP peer to R1, RB to R2, RC to R3 and RD to R4. The addresses and numbers are fake. The ASs are peers, not customers.

Assume that R1 learns a route to a network in AS100, say 1.1/16, with next hop = 3.3.3.1 (the IP address of the p2p link R1-RA). Now assume a data packet with destination address in 1.1/16 is received by any router in AS559, say for example R0 or R4. The router has to know where to forward it. Since AS559 connects to different peer ASs in different locations, it does not seem feasible to use default routes.

(Method 1) One way is to assume that R1 redistributes the route 1.1/16 into OSPF, which will then propagate it as a type 4 LSA. Then R0 and R4 can build a forwarding table (using OSPF) and set a forwarding entry to 1.1/16. This method is what is described in Huitema's book Routing in the Internet. Now I understand that this is not done in practice (am I right?) since it forces OSPF to carry all the IP prefixes seen by BGP, which in that case might be all prefixes in the world.

(Method 2) An alternative is to have recursive table lookup in forwarding entries at all border routers (R1 to R4). R4 writes that the destination address 1.1/16 is to be sent to NEXT-HOP = 3.3.3.1. R4 learns this over I-BGP from R1. The data packet with destination address in 1.1/16 uses loose source routing inside AS559 and is sent to the link R1-RA. The job of OSPF is only to propagate how to route to all addresses in AS559 (including 3.3.3.1) and there is no redistribution of BGP into OSPF. Border routers need to update the forwarding tables using their RIB learnt from BGP. Now source routing is obsolete in IPv4, does anyone use it?

(Method 3) Same as method 2, but IP in IP encapsulation is used instead of loose source routing. Seems heavy weight for a high speed backbone.

(Method 4) Same as method 2, but Tag Switching (or MPLS) is used instead of loose source routing.

Can anyone help me understand what is done in practice among Methods 1 to 4, or any other one that I missed?

Thanks in advance,
JL
Re: BGP and OSPF
major snip

> (Method 1) One way is to assume that R1 redistributes the route 1.1/16 into OSPF, which will then propagate it as a type 4 LSA. Then R0 and R4 can build a forwarding table (using OSPF) and set a forwarding entry to 1.1/16. This method is what is described in Huitema's book Routing in the Internet. Now I understand that this is not done in practice (am I right?) since it forces OSPF to carry all the IP prefixes seen by BGP, which in that case might be all prefixes in the world.

No. Don't.. Please. I've seen enough networks that break with IGP-BGP redists.

> (Method 2) An alternative is to have recursive table lookup in forwarding entries at all border routers (R1 to R4). R4 writes that the destination address 1.1/16 is to be sent to NEXT-HOP = 3.3.3.1. R4 learns this over I-BGP from R1. The data packet with destination address in 1.1/16 uses loose source routing inside AS559 and is sent to the link R1-RA. The job of OSPF is only to propagate how to route to all addresses in AS559 (including 3.3.3.1) and there is no redistribution of BGP into OSPF. Border routers need to update the forwarding tables using their RIB learnt from BGP.

This is the way to do it. Recursive route lookup++

What you can even do is to reduce your IGP table entries:

1) Have all of your 'edge'/'border' routers set next-hop-self on their IBGP peering to core routers. This will eliminate the need for 'DMZ' or '/30 pointopoint (whatever u wanna call it)' routes to exist in IGP tables. Smaller IGP = Faster convergence = more stability = more SLA guarantee = more revenue :)

2) Have your edge/border routers become route reflector clients and the R0 or the routers sitting at the core would act as route reflectors. This way you don't have to keep adding up IBGP peers all over your network as you add more routers at your edge.

> Now source routing is obsolete in IPv4, does anyone use it?

Not that I know of... At least not me.

> (Method 3) Same as method 2, but IP in IP encapsulation is used instead of loose source routing. Seems heavy weight for a high speed backbone.

Yikes.

> (Method 4) Same as method 2, but Tag Switching (or MPLS) is used instead of loose source routing.

Are we talking about IGP vs. EGP or are we talking about MPLS vs. other transport mechanisms?

> Can anyone help me understand what is done in practice among Methods 1 to 4, or any other one that I missed?

Method 2. Please for the love of god, don't even try Method 1, that's quite bad.

-hc

--
Haesu C.
TowardEX Technologies, Inc.
Consulting, colocation, web hosting, network design and implementation
http://www.towardex.com | [EMAIL PROTECTED]
Cell: (978)394-2867 | Office: (978)263-3399 Ext. 170
Fax: (978)263-0033 | POC: HAESU-ARIN
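An added example (not from any poster in this thread) modelling the Method 2 recursive lookup that the replies recommend, as seen from R4: BGP supplies the protocol next hop and the IGP has to resolve it. It shows why the R1-RA /30 must be in OSPF unless R1 sets next-hop-self, in which case the IGP only needs R1's loopback. The loopback 10.0.0.1 and the 10.4.0.0/30 R4-R0 link are assumptions; 3.3.3.1 and 1.1/16 come from the question.

```python
import ipaddress

# Constructed from the thread's scenario: R1 (AS559) peers with RA (AS100) over
# the point-to-point link 3.3.3.0/30, RA being 3.3.3.1. R4 is another AS559 border
# router that learns 1.1/16 from R1 over IBGP. R1's loopback 10.0.0.1 and the
# 10.4.0.0/30 R4-R0 link are assumptions, not part of the original post.
R1_LOOPBACK = "10.0.0.1"


def longest_match(table, addr):
    """Longest-prefix match of addr against {prefix: value}; returns (network, value) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, value in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return best


def resolve(dest, bgp_rib, igp_rib, max_depth=8):
    """Method 2's recursive lookup as an IBGP speaker performs it: BGP supplies the
    protocol next hop, then the IGP resolves that next hop down to a directly
    connected hop. Returns (protocol_next_hop, connected_hop); None means the BGP
    next hop is unresolvable, so the route never reaches the forwarding table."""
    hit = longest_match(bgp_rib, dest)
    if hit is None:
        return None
    proto_nh = hit[1]
    hop = proto_nh
    for _ in range(max_depth):  # bounded so a misconfigured loop cannot recurse forever
        entry = longest_match(igp_rib, hop)
        if entry is None:
            return None
        hop = entry[1]
        if hop.startswith("connected:"):
            return proto_nh, hop
    return None


def r4_view(next_hop_self, link_in_igp):
    """R4's tables for the thread's topology. next_hop_self: R1 rewrote the IBGP
    next hop to its loopback; link_in_igp: the R1-RA /30 is carried in OSPF."""
    bgp_rib = {"1.1.0.0/16": R1_LOOPBACK if next_hop_self else "3.3.3.1"}
    igp_rib = {
        "10.0.0.1/32": "10.4.0.1",        # R1 loopback via OSPF, next hop is R0
        "10.4.0.0/30": "connected:eth0",  # R4-R0 link
    }
    if link_in_igp:
        igp_rib["3.3.3.0/30"] = "10.4.0.1"  # external /30 carried in OSPF
    return resolve("1.1.5.9", bgp_rib, igp_rib)


if __name__ == "__main__":
    # Without next-hop-self the /30 must be in the IGP or the route is unusable;
    # with next-hop-self the IGP only has to carry loopbacks, as Haesu describes.
    print("no nhs, /30 in IGP :", r4_view(False, True))
    print("no nhs, /30 absent :", r4_view(False, False))
    print("nhs, /30 absent    :", r4_view(True, False))
```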
Re: BGP and OSPF
You can avoid the problem by making all your BGP speaking routers your core routers (make sure they have direct adjacencies). Make non BGP speaking routers leaf nodes and avoid providing BGP transit sessions across them.

Mike.

On Thu, 9 Oct 2003, Jean-Yves Le Boudec wrote:
> [the "BGP and OSPF" question above, quoted in full]

+- H U R R I C A N E - E L E C T R I C -+
| Mike Leber   Direct Internet Connections   Voice 510 580 4100 |
| Hurricane Electric   Web Hosting  Colocation   Fax 510 580 4151 |
| [EMAIL PROTECTED]   http://www.he.net |
+---+
Re: News coverage, Verisign etc.
On Thursday 09 October 2003 00:55, the council of elders heard Joe Abley mumble incoherently:
> On 9 Oct 2003, at 00:32, Curtis Maurand wrote:
>> I was able to view all of the .ppt's with openoffice.org running on RedHat 9.
> Just because the file formats have been reverse engineered, it doesn't mean they're open.

Good point.
RE: Finding clue at comcast.net
Comcast's phone support department is the *worst*, WORST, I've ever dealt with. I think they are outsourced, they have to go by a script, and many of them probably hardly know what a computer even is. Once I called because of a problem on their network, and I told the person on the phone that there was a problem on their network, and I pinned it down to a couple of routers where the problem may be, and she responded, very sternly, "Sir, WE DON'T HAVE ANY ROUTERS"

In any case, if you manage to get the call escalated a couple of times (after lying about rebooting your computer 47 times), you'll get someone good. Also, there are some good people who read this list. But calling their phone support to get anything useful is like trying to squeeze blood from a rock.

-jay

-----Original Message-----
From: Howard C. Berkowitz [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 08, 2003 7:36 PM
To: [EMAIL PROTECTED]
Subject: Finding clue at comcast.net

I'm rapidly beginning to believe this is equivalent to finding the pot of gold at the end of the rainbow. When my broadband alternative is Verizon and it's looking better, this is scary.

Sometime today, their SMTP server started bouncing messages with more than 3 addressees. When I called customer support, I was told "we only handle troubleshooting, not mail service." The operator guessed they might be doing software updates on the mail service, had no information, and said there was no person to which it could be escalated. She insisted that I call my local cable office to find out when the server repair would be completed, because they schedule all repairs.

Is this a bad dream?
Re: BGP and OSPF
By definition, R0 should run BGP, or, R1-4 should be meshed and exchange BGP with each other. If R1-4 are meshed, then, it doesn't completely matter which of R1-4 R0 defaults to, they will handle it from there. If they are not properly meshed, then, it gets messy, but, the protocol spec. says as much.

Owen

--On Thursday, October 9, 2003 12:00 PM +0200 Jean-Yves Le Boudec [EMAIL PROTECTED] wrote:
> [the "BGP and OSPF" question above, quoted in full]
Wired mag article on spammers playing traceroute games with trojaned boxes
http://www.wired.com/news/business/0,1367,60747,00.html -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
RE: Finding clue at comcast.net
At 9:29 AM -0500 10/9/03, Austad, Jay wrote:
> Comcast's phone support department is the *worst*, WORST, I've ever dealt with. I think they are outsourced, they have to go by a script, and many of them probably hardly know what a computer even is. Once I called because of a problem on their network, and I told the person on the phone that there was a problem on their network, and I pinned it down to a couple of routers where the problem may be, and she responded, very sternly, "Sir, WE DON'T HAVE ANY ROUTERS"

Same thing here. Last night, I was told that no escalation personnel were available.

On the couple of occasions where I got escalation, I once had an informal conversation with a 3rd level. Their phone center is in Halifax, NS -- didn't find out if it is outsourced or not. While the person with whom I spoke was reasonably clueful, he told me that customer support had no interactive communication with network operations -- at best, they could send an email about a routing, SMTP, etc. problem and hope somebody would respond.

At the time, I was paying for their Pro service, intermediate between regular residential and full business. My contact said that while that was supposed to get better customer support, an early plan to route it to business Comcast failed, and there really was NO separate Pro support organization. I dropped the Pro service after I learned that residential service no longer insisted you remove any local routers and firewalls before deigning to troubleshoot. They still ask you to do that, but repeated NO responses can get them to proceed.

A few NANOGs back (Atlanta), I did a presentation on customer satisfaction, which, frankly, was in many respects a case study of how I'd reform customer support at my then ISP/DSL, cais.net. If NANOG ever did formal documents, I'd like to see a guideline on how to run customer support.

> In any case, if you manage to get the call escalated a couple of times (after lying about rebooting your computer 47 times),

You forgot reinstalling Windows. On a Mac.

> you'll get someone good. Also, there are some good people who read this list. But calling their phone support to get anything useful is like trying to squeeze blood from a rock.
>
> -jay
>
> -----Original Message-----
> From: Howard C. Berkowitz [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, October 08, 2003 7:36 PM
> To: [EMAIL PROTECTED]
> Subject: Finding clue at comcast.net
>
> [the original "Finding clue at comcast.net" message, quoted in full above]
Why can't all my routers do FOO ?
I'm trying to finish off the operational security requirements draft (http://www.ietf.org/internet-drafts/draft-jones-opsec-01.txt) which is a collection of operational security requirements for routers and other network infrastructure. The last major change that needs to happen is splitting out the Best Current Practice (BCP) info from the other items. This is where I'd like some feedback. If you're so motivated take 5 minutes to brainstorm two lists. The first is *security features* I use everywhere now (logging, aaa, filters...). The second is everything else: I can't believe no vendor does FOO..., Vendor A does BAR, life/security would be so much better if all vendors did it etc. I'll take your lists and try to correctly align them with the drafts. If you're more motivated, you can see exactly which features have migrated from the BCP draft (opsec-01a-toc.txt) to the info draft (opsec-info-00.txt) by looking at the table of contents of the work-in-progress drafts @ http://www.port111.com/opsec/ Replies can come to the list (preferred to avoid duplication, allow discussion) or to me directly. Thanks, ---George Jones
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
On Thursday, October 9, 2003, at 10:04 AM, Suresh Ramasubramanian wrote:
> http://www.wired.com/news/business/0,1367,60747,00.html

I found one of these today, as a matter of fact. The spam was advertising an anti-spam package, of course.

The domain name is vano-soft.biz, and looking up the address, I get

Name: vano-soft.biz
Addresses: 12.252.185.129, 131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9

A few minutes later, or from a different nameserver, I get

Name: vano-soft.biz
Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9, 12.252.185.129

This is a real Hydra. If everyone on the list looked up vano-soft.biz and removed the trojaned boxes, would we be able to kill it?

--Chris
RE: Finding clue at comcast.net
On Thu, 9 Oct 2003, Howard C. Berkowitz wrote:
> At 9:29 AM -0500 10/9/03, Austad, Jay wrote:
>> Comcast's phone support department is the *worst*, WORST, I've ever dealt with. I think they are outsourced, they have to go by a script, and many of
>
> On the couple of occasions where I got escalation, I once had an informal conversation with a 3rd level. Their phone center is in Halifax, NS -- didn't find out if it is outsourced or not. While the

Anybody know to what extent Comcast and the old MediaOne/ATTBI customer support organizations have been merged? All of this sounds like classic MediaOne/ATTBI.

I'm on the local cable board, which gets me a few phone numbers one level up the escalation chain, but still I do remember a few months back, on the weekend, hiking in the woods, when I got a callback from a tech. in Canada, who was also calling from his cell phone on his day off. This was part of a 6-month, ongoing problem that turned out to result from a memory leak in the nearest poletop box serving my home - it turns out that this specific box hadn't received the upgrade that fixed a problem that the industry knew about for a year.

Sigh...

Miles Fidelman
Customer support tutorial
I was about to answer a request for my presentation about customer support, but I had a cat-on-keyboard exploit and I don't know who asked. In any event, the Atlanta presentation is at http://www.nanog.org/mtg-0102/cust.html I did it as a two-part with an intermediate BGP tutorial. In one of the two, there is an RFC 2270 slide. Please, please ignore it -- my brain went out to lunch on that one! Actually, this raises the interesting point -- is there an interest in updating and having running commentary on older presentations, keeping some content up to date? Is this something the NANOG site could support?
RE: Wired mag article on spammers playing traceroute games with trojaned boxes
> I found one of these today, as a matter of fact. The spam was advertising an anti-spam package, of course.
>
> The domain name is vano-soft.biz, and looking up the address, I get
>
> Name: vano-soft.biz
> Addresses: 12.252.185.129, 131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9
>
> A few minutes later, or from a different nameserver, I get
>
> Name: vano-soft.biz
> Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9, 12.252.185.129
>
> This is a real Hydra. If everyone on the list looked up vano-soft.biz and removed the trojaned boxes, would we be able to kill it?
>
> --Chris

I got :

Canonical name: vano-soft.biz
Addresses: 165.166.182.168 193.92.62.42 200.80.137.157 12.229.122.9 12.252.185.129

I think even if we get all the ones for this domain name today, assuming we can muster enough man hours to get it today, another 5000 will be added tomorrow. And looking at my list we have US (a very small ISP and a large ISP), RIPE, and LACNIC.

I wonder if the better question should be: Can Broadband ISPs require a Linksys, dlink or other broadband router without too many problems? That is what it will take to slow this down, and then only if ALL of the ISPs do it. This not only affects this instance but global security as a whole. Just a few days ago, Cisco was taken offline by a large # of Zombies, I am willing to say that those are potentially some of the same compromised systems.

Thoughts?

Jim
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
At 11:51 AM 10/9/2003, Chris Boyd wrote:
> [Chris's vano-soft.biz message above, quoted in full]

They're using extremely low TTLs on most of their records. Typically 2 minutes to accomplish this. The thing is I would imagine at least ONE of those NS servers cannot change within a 2 hour window whereas the others can change every 2 minutes. If you identify the server that only changes every 2 hours and track what it's replaced with every 2 hours, you're likely to find a rotating list of master servers...

Another question is why is NeuLevel (the registrar for .biz) allowing TTLs on the NS records to be 2 hours and submitting those to the GTLD servers. Maybe it's just me, but that's the first time I've seen a registrar set such a low TTL on an NS record. If NeuLevel is any good they would likely have some sort of information to identify the owner of the domain, even if the information is invalid listed on their whois server. They might have a credit card transaction although that too could always be a stolen credit card number.

Any other ideas or different angles/experiences?

; <<>> DiG 9.2.2 <<>> +trace a vano-soft.biz.
;; global options:  printcmd
.                       80336   IN      NS      l.root-servers.net.
.                       80336   IN      NS      m.root-servers.net.
.                       80336   IN      NS      i.root-servers.net.
.                       80336   IN      NS      e.root-servers.net.
.                       80336   IN      NS      d.root-servers.net.
.                       80336   IN      NS      a.root-servers.net.
.                       80336   IN      NS      h.root-servers.net.
.                       80336   IN      NS      c.root-servers.net.
.                       80336   IN      NS      g.root-servers.net.
.                       80336   IN      NS      f.root-servers.net.
.                       80336   IN      NS      b.root-servers.net.
.                       80336   IN      NS      j.root-servers.net.
.                       80336   IN      NS      k.root-servers.net.
;; Received 449 bytes from 216.182.1.1#53(216.182.1.1) in 40 ms

biz.                    172800  IN      NS      A.GTLD.biz.
biz.                    172800  IN      NS      B.GTLD.biz.
biz.                    172800  IN      NS      C.GTLD.biz.
biz.                    172800  IN      NS      D.GTLD.biz.
biz.                    172800  IN      NS      E.GTLD.biz.
biz.                    172800  IN      NS      F.GTLD.biz.
;; Received 228 bytes from 198.32.64.12#53(l.root-servers.net) in 270 ms

vano-soft.biz.          7200    IN      NS      NS1.UZC12.biz.
vano-soft.biz.          7200    IN      NS      NS2.UZC12.biz.
vano-soft.biz.          7200    IN      NS      NS3.UZC12.biz.
vano-soft.biz.          7200    IN      NS      NS4.UZC12.biz.
vano-soft.biz.          7200    IN      NS      NS5.UZC12.biz.
;; Received 223 bytes from 209.173.53.162#53(A.GTLD.biz) in 150 ms

vano-soft.biz.          120     IN      A       200.80.137.157
vano-soft.biz.          120     IN      A       12.229.122.9
vano-soft.biz.          120     IN      A       12.252.185.129
vano-soft.biz.          120     IN      A       165.166.182.168
vano-soft.biz.          120     IN      A       193.92.62.42
vano-soft.biz.          120     IN      NS      ns5.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns1.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns2.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns3.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns4.uzc12.biz.
;; Received 287 bytes from 204.210.76.197#53(NS4.UZC12.biz) in 130 ms

Vinny Abello
Network Engineer
Server Management
[EMAIL PROTECTED]
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN

There are 10 kinds of people in the world. Those who understand binary and those that don't.
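An added example (not from any poster in this thread) of the kind of check a resolver operator could run to spot the pattern Chris, Jim and Vinny describe: parse dig-style answer snapshots taken a few minutes apart, and flag a name whose A records carry a very low TTL, rotate between snapshots, and spread across unrelated networks. The snapshots are constructed from the addresses quoted in the thread; the example.com control (192.0.2.10, a documentation address) and the thresholds are assumptions.

```python
import re
from ipaddress import ip_address

# Constructed snapshots modelled on the lookups quoted in the thread: the same
# name answered a few minutes apart, 120 s TTL, five addresses each time.
VANO_SNAPSHOTS = [
    """vano-soft.biz. 120 IN A 200.80.137.157
vano-soft.biz. 120 IN A 12.229.122.9
vano-soft.biz. 120 IN A 12.252.185.129
vano-soft.biz. 120 IN A 165.166.182.168
vano-soft.biz. 120 IN A 193.92.62.42
vano-soft.biz. 120 IN NS ns1.uzc12.biz.""",
    """vano-soft.biz. 120 IN A 131.220.108.232
vano-soft.biz. 120 IN A 165.166.182.168
vano-soft.biz. 120 IN A 193.165.6.97
vano-soft.biz. 120 IN A 12.229.122.9
vano-soft.biz. 120 IN A 12.252.185.129
vano-soft.biz. 120 IN NS ns1.uzc12.biz.""",
]
# Constructed control: a stable name with a normal TTL and one address.
CONTROL_SNAPSHOTS = ["example.com. 86400 IN A 192.0.2.10"] * 2

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\w+)\s+(\S+)$")


def parse_answers(text):
    """Parse dig-style RR lines into {(name, rtype): [(ttl, rdata), ...]}; ';' lines are skipped."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if not m:
            raise ValueError(f"unparsed RR line: {line!r}")
        name, ttl, rtype, rdata = m.groups()
        if rtype == "A":
            ip_address(rdata)  # reject malformed addresses early
        records.setdefault((name.lower(), rtype), []).append((int(ttl), rdata))
    return records


def flux_report(snapshots, name, ttl_limit=300, min_networks=3):
    """Compare the A record set a name returned across successive answer snapshots.
    Reports the lowest TTL seen, how much of the address union rotated away
    (1 - |intersection| / |union|), and how many distinct /16s the union spans
    (a crude proxy for unrelated networks). The thresholds are assumptions."""
    key = (name.lower().rstrip(".") + ".", "A")
    sets, min_ttl = [], None
    for snap in snapshots:
        rrs = parse_answers(snap).get(key, [])
        sets.append({rdata for _, rdata in rrs})
        for ttl, _ in rrs:
            min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
    union = set().union(*sets) if sets else set()
    common = set.intersection(*sets) if sets else set()
    churn = 1 - len(common) / len(union) if union else 0.0
    networks = {".".join(a.split(".")[:2]) for a in union}
    suspicious = (min_ttl is not None and min_ttl <= ttl_limit
                  and churn > 0 and len(networks) >= min_networks)
    return {"min_ttl": min_ttl, "distinct_addresses": len(union),
            "churn": churn, "networks": len(networks), "suspicious": suspicious}


if __name__ == "__main__":
    print("vano-soft.biz:", flux_report(VANO_SNAPSHOTS, "vano-soft.biz"))
    print("example.com:  ", flux_report(CONTROL_SNAPSHOTS, "example.com"))
```

Fed with real snapshots of a resolver's own answers, the churn value separates a rotated set of compromised hosts from a normal round-robin, where the set stays the same even though its order changes.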
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
Chris Boyd writes on 10/9/2003 9:21 PM:
> A few minutes later, or from a different nameserver, I get
>
> Name: vano-soft.biz
> Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9, 12.252.185.129
>
> This is a real Hydra. If everyone on the list looked up vano-soft.biz and removed the trojaned boxes, would we be able to kill it?

Nope - the guy would get more trojaned boxes, no shortage of unpatched windows machines on broadband.

There are two ways to go here -

* Nullroute or bogus out in your resolvers the DNS servers for this domain -- two problems here. One is that the spammer doesn't use vano-soft.biz in the smtp envelope, and second, he abuses open redirectors like yahoo's srd.yahoo.com

* Follow the money - find out the spammer / the guy who he spams for, from payment information etc. Sic law enforcement on them.

srs
--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
RE: Wired mag article on spammers playing traceroute games with trojaned boxes
At 12:01 PM 10/9/2003, McBurnett, Jim wrote:
> [Jim's message above, quoted in full]

Personally, I think preventing residential broadband customers from hosting servers would limit a lot of that. I'm not saying that IS the solution. Whether or not that's the right thing to do in all circumstances for each ISP is a long standing debate that surfaces here from time to time. Same as allowing people to host mail servers on cable modems or even allowing them to access mail servers other than the ISP's.
Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN There are 10 kinds of people in the world. Those who understand binary and those that don't.
Re: Finding clue at comcast.net
Miles Fidelman writes on 10/9/2003 9:25 PM: Anybody know to what extent Comcast and the old MediaOne/ATTBI customer support organizations have been merged? I think all the cable infrastructure from ATTBI has migrated to comcast. And people on attbi got transitioned to comcast email addresses quite some time back. srs -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
Thursday, October 9, 2003, 9:19:37 AM, you wrote: VA Personally, I think preventing residential broadband customers from hosting VA servers would limit a lot of that. I'm not saying that IS the solution. VA Whether or not that's the right thing to do in all circumstances for each VA ISP is a long standing debate that surfaces here from time to time. Same as VA allowing people to host mail servers on cable modems or even allowing them VA to access mail servers other than the ISP's. It's not like those customers are aware they are hosting servers, they most likely were exploited and are now unaware they are hosting websites. Regards, Joe Boyce --- InterStar, Inc. - Shasta.com Internet Phone: +1 (530) 224-6866 x105 Email: [EMAIL PROTECTED]
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
Vinny Abello writes on 10/9/2003 9:41 PM: They're using extremely low TTL's on most of their records. Typically 2 minutes to accomplish this. The thing is I would imagine at least ONE of those NS servers cannot change within a 2 hour window whereas the others They are using a whole lot of stuff that's basically dynamic DNS. low TTL on an NS record. If NeuLevel is any good they would likely have some sort of information to identify the owner of the domain, even if They seem to have a spammer infestation though. srs -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
Hi,

#I think even if we get all the ones for this domain name today, #assuming we can muster even man hours to get it today, another #5000 will be added tomorrow.

Actually, we wrote a little tool to systematically track the dotted quads associated with the vano-soft domain name. We have been seeing a steady stream of new dotted quads advertised for that host, but nowhere near thousands per day. There have also been some Usenet posts talking about this particular site and the methodology it uses; see:

http://groups.google.com/groups?selm=pan.2003.10.03.19.40.44.564854%40frontiernet.net&output=gplain

Regards, Joe
RE: Finding clue at comcast.net
I was informed legacy ATTBI setup is still different from the router / infrastructure side. (i.e. Old ATTBI has ping and ports blocked that native Comcast does not) Eric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Suresh Ramasubramanian Sent: Thursday, October 09, 2003 12:20 PM To: Miles Fidelman Cc: [EMAIL PROTECTED] Subject: Re: Finding clue at comcast.net Miles Fidelman writes on 10/9/2003 9:25 PM: Anybody know to what extent Comcast and the old MediaOne/ATTBI customer support organizations have been merged? I think all the cable infrastructure from ATTBI has migrated to comcast. And people on attbi got transitioned to comcast email addresses quite some time back. srs -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
Re: Finding clue at comcast.net
-Original Message- From: Sirius F. Crackhoe [mailto:[EMAIL PROTECTED] Sent: Thursday, October 09, 2003 12:37 PM To: 'Howard C. Berkowitz' Comcast's Technical and Customer Support is outsourced to EDS and is based in the EDS call center in Hallifax. I believe they were also taking calls in the Winchester, KY call center, which was an old MCI/WorldCom Outsourced Call Center that they sold to EDS a few years back. They are setup the same as MSN, WebTV and RoadRunner. I used to do implementations for WorldCom's outsourced call centers and call tell you for sure, they have no access to the NOC or their staff. They are merely paid phone operators. :) Sirius -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Howard C. Berkowitz Sent: Thursday, October 09, 2003 11:21 AM To: [EMAIL PROTECTED] At 9:29 AM -0500 10/9/03, Austad, Jay wrote: Comcast's phone support department is the *worst*, WORST, I've ever dealt with. I think they are outsourced, they have to go by a script, and many of them probably hardly know what a computer even is. Once I called because of a problem on their network, and I told the person on the phone that there was a problem on their network, and I pinned it down to a couple of routers where the problem may be, and she responded, very sternly, Sir, WE DON'T HAVE ANY ROUTERS Same thing here. Last night, I was told that no escalation personnel were available. On the couple of occasions where I got escalation, I once had an informal conversation with a 3rd level. Their phone center is in Halifax, NS -- didn't find out if it is outsourced or not. While the person with whom I spoke was reasonably clueful, he told me that customer support had no interactive communication with network operations -- at best, they could send an email about a routing, SMTP, etc. problem and hope somebody would respond. At the time, I was paying for their Pro service, intermediate between regular residential and full business. 
My contact said that while that was supposed to get better customer support, an early plan to route it to business Comcast failed, and there really was NO separate Pro support organization. I dropped the Pro service after I learned that residential service no longer insisted you remove any local routers and firewalls before deigning to troubleshoot. They still ask you to do that, but repeated NO responses can get them to proceed. A few NANOGs back (Atlanta), I did a presentation on customer satisfaction, which, frankly, was in many respects a case study of how I'd reform customer support at my then ISP/DSL, cais.net. If NANOG ever did formal documents, I'd like to see a guideline on how to run customer support. In any case, if you manage to get the call escalated a couple of times (after lying about rebooting your computer 47 times), You forgot reinstalling Windows. On a Mac. you'll get someone good. Also, there are some good people who read this list. But calling their phone support to get anything useful is like trying to squeeze blood from a rock. -jay -Original Message- From: Howard C. Berkowitz [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 08, 2003 7:36 PM To: [EMAIL PROTECTED] Subject: Finding clue at comcast.net I'm rapidly beginning to believe this is equivalent to finding the pot of gold at the end of the rainbow. When my broadband alternative is Verizon and it's looking better, this is scary. Sometime today, their SMTP server started bouncing messages with more than 3 addressees. When I called customer support, I was told we only handle troubleshooting, not mail service. The operator guessed they might be doing software updates on the mail service, had no information, and said there was no person to which it could be escalated. She insisted that I call my local cable office to find out when the server repair would be completed, because they schedule all repairs. Is this a bad dream?
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
At 10:51 AM -0500 10/9/03, Chris Boyd wrote: A few minutes later, or from a different nameserver, I get Name:vano-soft.biz Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9 12.252.185.129 This is a real Hydra. If everyone on the list looked up vano-soft.biz and removed the trojaned boxes, would we be able to kill it?

I think in this instance your best approach may be to go after the name servers. Anything else is going to be a game of whack-a-mole. Our spam filtering software actually uses the address of a domain's name server in its scoring system. Sometimes that's the only way we've been able to reliably detect a spammer.

-- Kee Hinckley http://www.messagefire.com/ Next Generation Spam Defense http://commons.somewhere.com/buzz/ Writings on Technology and Society I'm not sure which upsets me more: that people are so unwilling to accept responsibility for their own actions, or that they are so eager to regulate everyone else's.
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
Hank Nussbacher writes on 10/9/2003 10:00 PM: I think we can all safely assume that the people behind this are most probably on NANOG or reading the archives and are now aware of your idea :-) vano-soft has been extensively discussed on other forums (spam-l, nanae etc) for quite some time. But yeah - it's stayed at the discussion level so far. -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
Finding ASN from IP address
I want to create a mapping of IP addresses to ASN, for a specific list of IP addresses. Eg: 1.2.3.4 12.34.56.78 etc, gathered from my system logs. What is the best way of doing this? I thought about something along the lines of: install routing software (zebra?), pass the software the IPs, get it to spit back a string from which I can grab the ASN. Two problems being I don't know which software to install that can do that, or where to get a copy of the current routing table, so that I can feed that to the software. Suggestions appreciated. -- Avleen Vig Systems Administrator Personal: www.silverwraith.com EFnet:irc.mindspring.com
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
Vinny Abello wrote: Personally, I think preventing residential broadband customers from hosting servers would limit a lot of that. I'm not saying that IS the solution. Whether or not that's the right thing to do in all circumstances for each ISP is a long standing debate that surfaces here from time to time. Same as allowing people to host mail servers on cable modems or even allowing them to access mail servers other than the ISP's.

The issue comes in defining a server. You can block 1024 access, but spammers don't have to reference port 80 in their emails. You can mandate NAT, but this breaks commonly used systems (especially for broadband) like DirectPlay. One of the selling points for broadband is gaming. Yet some gaming systems were designed to make connections both ways and dynamic port forwarding doesn't work in all scenarios. -Jack
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
On Thu, 9 Oct 2003 12:01:35 -0400 McBurnett, Jim [EMAIL PROTECTED] wrote: | I think even if we get all the ones for this domain name today, | assuming we can muster even man hours to get it today, another | 5000 will be added tomorrow. And looking at my list We have US | (a very small ISP and a large ISP) RIPE, and LACNIC. This malware is not new, but is only just becoming widely visible. It succeeds solely because of the Dynamic-DYS (real-time updating) functionality built into the dot-biz registry. Certainly it can be killed, but the techniques to achieve that are better discussed OFF this list - for both AUP and other valid reasons. As soon as this exploit is killed, no doubt another, similar, exploit would follow. We therefore need a more generic solution to the issue. | This not only affects this instance but global security as a whole. | Just a few days ago, Cisco was taken offline by a large # of Zombies, | I am willing to say that those are potentially some of the same | compromised systems. Empirical evidence would seem to support your view. Even where they are not the same zombies, networks that allow this type of zombie to remain in place are just as likely to allow DDoS zombies to continue undisturbed. The problem is that many ISPs filter all issues of this nature through their abuse teams, rather than sending them directly to their security specialists. Most abuse teams have neither the time nor experience to investigate, and this particular trojan has been written to make it too easy for abuse teams to dismiss reports of its activity, and then to justify taking no action - that is exactly what the writers of the malware intended to happen. A step change in attitude from providers who offer 24/7-on connectivity is what is needed now, and agreement to separate all network security issues from their abuse desk procedures should be number one priority. -- Richard Cox
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
Date: Thu, 9 Oct 2003 10:51:08 -0500
Subject: Re: Wired mag article on spammers playing traceroute games with trojaned boxes
From: Chris Boyd [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

On Thursday, October 9, 2003, at 10:04 AM, Suresh Ramasubramanian wrote: http://www.wired.com/news/business/0,1367,60747,00.html -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations

I found one of these today, as a matter of fact. The spam was advertising an anti-spam package, of course. The domain name is vano-soft.biz, and looking up the address, I get

Name:vano-soft.biz
Addresses: 12.252.185.129, 131.220.108.232, 165.166.182.168, 193.165.6.97
 12.229.122.9

A few minutes later, or from a different nameserver, I get

Name:vano-soft.biz
Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9
 12.252.185.129

This is a real Hydra. If everyone on the list looked up vano-soft.biz and removed the trojaned boxes, would we be able to kill it?

This is NOT a hydra. The IP addresses are the same but presented differently. This happens because of THIS setup in DNS:

vano-soft.biz.  IN A 131.220.108.232
                IN A 165.166.182.168
                IN A 193.165.6.97
                IN A 12.229.122.9
                IN A 12.252.185.129

This setup is called Round-robin because the name server provides the first IP address FIRST to the first query; the second IP address first to the second query; the third IP address first to the third query; ... to the fifth query. Then it starts over with the first IP Address in response to the sixth query... In each case, ALL IP addresses are provided in response to each query. Yes, the TTL may be a bit low, but it is a workable setup... And no, I am NOT condoning what vano-soft.biz is doing, just trying to explain why, when you checked the first time, you got one answer, and when you checked sometime later, you got a different answer... (Donning flameproof underwear...)
Regards, Gregory Hicks --- The trouble with doing anything right the first time is that nobody appreciates how difficult it was. When a team of dedicated individuals makes a commitment to act as one... the sky's the limit. Just because We've always done it that way is not necessarily a good reason to continue to do so... Grace Hopper, Rear Admiral, United States Navy
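To make the round-robin point above concrete, and to show the kind of "track the dotted quads" tool Joe describes earlier in the thread, here is an added example (mine, not code from anyone on the list). It uses the three answers pasted in the thread as input and assumes only the rotation behaviour Gregory describes; comparing successive answers as sets rather than as ordered lists is what separates a rotated reply from a genuinely changed RRset.

```python
from typing import Dict, List, Sequence, Set, Tuple

# The two answers Chris Boyd pasted and the one Jim McBurnett pasted, quoted
# from the thread above; the parser accepts the comma/space mix as posted.
CHRIS_FIRST = "Addresses: 12.252.185.129, 131.220.108.232, 165.166.182.168, 193.165.6.97 12.229.122.9"
CHRIS_SECOND = "Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9 12.252.185.129"
JIM = "Addresses: 165.166.182.168 193.92.62.42 200.80.137.157 12.229.122.9 12.252.185.129"

# The RRset in the order Gregory Hicks gives it for the zone.
ZONE_ORDER = ["131.220.108.232", "165.166.182.168", "193.165.6.97",
              "12.229.122.9", "12.252.185.129"]


def parse_addresses(answer: str) -> List[str]:
    """Pull the dotted quads out of an 'Addresses: ...' line as pasted in the thread."""
    _, _, rest = answer.partition("Addresses:")
    return [tok for tok in rest.replace(",", " ").split() if tok.count(".") == 3]


def round_robin_answer(rrset: Sequence[str], query_number: int) -> List[str]:
    """Order in which a round-robin server hands out rrset for the Nth query (1-based).

    Query 1 starts at the first record, query 2 at the second, and so on,
    wrapping around after len(rrset) queries; every record is always returned.
    """
    shift = (query_number - 1) % len(rrset)
    return list(rrset[shift:]) + list(rrset[:shift])


def is_rotation(a: Sequence[str], b: Sequence[str]) -> bool:
    """True when b holds exactly the records of a, merely starting elsewhere."""
    if len(a) != len(b) or not a:
        return False
    doubled = list(a) + list(a)
    return any(doubled[i:i + len(a)] == list(b) for i in range(len(a)))


class AddressTracker:
    """Track the set of addresses behind a name, reporting only real membership changes.

    Comparing sets rather than ordered answers means a rotated round-robin reply
    registers as "no change", while a newly recruited host shows up as an addition.
    """

    def __init__(self) -> None:
        self.current: Set[str] = set()
        self.first_seen: Dict[str, int] = {}   # ip -> observation number
        self.observations = 0

    def observe(self, addresses: Sequence[str]) -> Tuple[Set[str], Set[str]]:
        """Record one lookup; return (added, removed) relative to the previous one."""
        self.observations += 1
        now = set(addresses)
        added, removed = now - self.current, self.current - now
        for ip in added:
            self.first_seen.setdefault(ip, self.observations)
        self.current = now
        return added, removed


def classify(first: Sequence[str], second: Sequence[str]) -> str:
    """Label what a pair of successive answers actually shows."""
    if list(first) == list(second):
        return "identical"
    if is_rotation(first, second):
        return "round-robin rotation, same hosts"
    return "membership changed"


if __name__ == "__main__":
    a, b, c = (parse_addresses(x) for x in (CHRIS_FIRST, CHRIS_SECOND, JIM))
    print("Chris #1 vs #2:", classify(a, b))
    print("Chris #1 vs Jim:", classify(a, c))
    tracker = AddressTracker()
    for answer in (a, b, c):
        added, removed = tracker.observe(answer)
        print(f"lookup {tracker.observations}: +{sorted(added)} -{sorted(removed)}")
```

Run against the thread's data, Chris's two answers come out as a rotation (query 5 and query 1 of the zone order, respectively) while Jim's answer shows two addresses added and two gone.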
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
Oops... Try this again... And as soon as you call law enforcement what happens? The spammer is located offshore. Then what? --- Hank Nussbacher [EMAIL PROTECTED] wrote: On Thu, 9 Oct 2003, Suresh Ramasubramanian wrote: * Follow the money - find out the spammer / the guy who he spams for, from payment information etc. Sic law enforcement on them. srs I think we can all safely assume that the people behind this are most probably on NANOG or reading the archives and are now aware of your idea :-) -Hank
RE: Wired mag article on spammers playing traceroute games with trojaned boxes
There are two ways to go here - * Nullroute or bogus out in your resolvers the DNS servers for this domain -- two problems here. One is that the spammer doesn't use vano-soft.biz in the smtp envelope, and second, he abuses open redirectors like yahoo's srd.yahoo.com There is another option, create an email filter and block any email that includes the text .biz/ in any email. That will do two things, it will stop the spams from being received in the first place and it will cause one heck of a headache for the .biz domain so they clean up their act and deal with their problems. Geo.
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
On 9 Oct 2003, at 12:19, Vinny Abello wrote: Personally, I think preventing residential broadband customers from hosting servers would limit a lot of that. I'm not saying that IS the solution. Whether or not that's the right thing to do in all circumstances for each ISP is a long standing debate that surfaces here from time to time. Same as allowing people to host mail servers on cable modems or even allowing them to access mail servers other than the ISP's. Hosting a server looks very similar to using an ftp client in active mode, playing games over the network or using a SIP phone to the network. Enumerating all permissible servers and denying all prohibited ones arguably requires an unreasonable shift of intelligence into the network. Allowing inbound connections by default and blocking specific types of traffic reactively has been demonstrated not to be an adequate solution, I think. A more aggressive policy of blocking all inbound connections (and analogues using connectionless protocols) essentially denies direct access between edge devices, which implies quite an architectural shift. I think it's more complicated than prevent residential users from hosting servers. Joe
Sitefinder and DDoS
Let's assume for a moment that Verisign's wildcards and Sitefinder go back into operation. Let's also assume someone sets up a popular webpage with malware HTML causing it, perhaps with a time delay, to issue rapid GETs to deliberately nonexistent domains. What would be the effect on overall Internet traffic patterns if there were one Sitefinder site? (flashback to ARPANET node announcing it had zero cost to any route) How many Sitefinder nodes would we need to avoid massive single-point congestion? AFAIK, the issues of distribution of Sitefinder, and even a formal content distribution network, were not discussed. I asked some general questions that touched on this at the ICANN ISSC committee meeting, but I think they were interpreted as directed toward the reliability of the Sitefinder service in operation, rather than potential vulnerabilities it might create. I am NOT suggesting this simply as an argument against Sitefinder, and I'd like to see engineering analysis of how this vulnerability could be prevented.
Re: Finding ASN from IP address
On 10/9/03 9:49 AM, Avleen Vig [EMAIL PROTECTED] wrote: I want to create a mapping of IP addresses to ASN, for a specific list of IP addresses. Eg: 1.2.3.4 12.34.56.78 etc, gathered from my system logs. What is the best way of doing this?

Well, if you are not averse to using a pre-existing tool, the Team CYMRU folks have been kind enough to provide a server that does just that.

whois -h whois.cymru.com 66.119.192.4
ASN | IP | Name
16713 | 66.119.192.4 | NOANET-WA Northwest Open Acces

Mike -- Michael K. Smith NoaNet 206.219.7116 (work) 206.579.8360 (cell) [EMAIL PROTECTED] http://www.noanet.net
RE: Wired mag article on spammers playing traceroute games with trojaned boxes
On Thursday, October 9, 2003, at 12:24 PM, Suresh Ramasubramanian wrote: Nope - the guy would get more trojaned boxes, no shortage of unpatched windows machines on broadband. There are two ways to go here - * Nullroute or bogus out in your resolvers the DNS servers for this domain -- two problems here. One is that the spammer doesn't use vano-soft.biz in the smtp envelope, and second, he abuses open redirectors like yahoo's srd.yahoo.com This may apply w/r/t something I've been seeing for the last couple of days. I've been seeing e-mails into our server with the following characteristics: 1). Sent to invalid user on our domain 2). Sent from varying origins; usually, groups of three arriving ~ every half hour 3). Origin IP on mostly home broadband networks in US 4). Frequently, purported sender's e-mail address non-US domain although originating from US domain, with the language of the e-mail text matching the purported sender's domain (lots of German spam...guess that's the current flavor). 5). Invalid user send-to addresses arriving in groups in alphabetical order (nice list processing) It looks like person(s) responsible is using distributed network of trojaned pcs, varying send-to mail servers every 3 messages or so. This way, spam arrives at purported sender's address as undelivered mail bounce with our address in the SMTP envelope, in low enough volume (they hope) not to trigger filtering based on source IP. I wonder about how long until legitimate mail servers start getting blackholed because of bounce messages? David Keith
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
At 12:53 PM 10/9/2003, you wrote: On 9 Oct 2003, at 12:19, Vinny Abello wrote: Personally, I think preventing residential broadband customers from hosting servers would limit a lot of that. I'm not saying that IS the solution. Whether or not that's the right thing to do in all circumstances for each ISP is a long standing debate that surfaces here from time to time. Same as allowing people to host mail servers on cable modems or even allowing them to access mail servers other than the ISP's. Hosting a server looks very similar to using an ftp client in active mode, playing games over the network or using a SIP phone to the network. Enumerating all permissible servers and denying all prohibited ones arguably requires an unreasonable shift of intelligence into the network. Allowing inbound connections by default and blocking specific types of traffic reactively has been demonstrated not to be an adequate solution, I think. A more aggressive policy of blocking all inbound connections (and analogues using connectionless protocols) essentially denies direct access between edge devices, which implies quite an architectural shift. I think it's more complicated than prevent residential users from hosting servers. Absolutely, and I was just referring to certain things, not all inbound access. I mentioned before that it doesn't really make much sense with web hosting because the port can easily be changed so it's not very effective at all. Blocking people from hosting mail servers that receive mail and can't send mail directly could be enforced much more easily than the web example so my original thought doesn't really apply all that much to web stuff, but then again I stated I didn't say that IS the solution to anything. Just a thought that's been kicked around forever that we've all heard. 
:) Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN There are 10 kinds of people in the world. Those who understand binary and those that don't.
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
On Thu, 9 Oct 2003, Joe Boyce wrote: VA Personally, I think preventing residential broadband customers from hosting VA servers would limit a lot of that. I'm not saying that IS the solution. It's not like those customers are aware they are hosting servers, they most likely were exploited and are now unaware they are hosting websites. That's obviously the case. No spammer has thousands of legitimately purchased DSL/Cable connections. The article pretty clearly says they're exploiting insecure windows (isn't that redundant?) boxes. Trouble is, how do you stop this? Just blocking common ports like 80 by default (unless the customer plans to actually run a web server and asks for the filter to be removed) won't work. The spammers can just as easily spam with urls containing ports (http://blah.biz:8290/) if they find 80 is filtered or find that filtering has become common. So other than waiting some infinitely long time for a secure out of the box version of windows (and for everyone to upgrade), how do you stop this? Widespread deployment of reflexive access lists? Force all broadband customers to use NAT and let them forward ports or entire IPs to their private IP servers if they have any? Wait for the legal system to catch and prosecute a few people who do this and deter others from trying it? Convince registrars to kill domains that are clearly being used by thieves? -- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
Michael G writes on 10/9/2003 10:27 PM: Also, after doing some preliminary digging, it would seem that the GTLD.BIZ servers have very low TTLs on a lot of their domains. In fact, 7200 seems high compared to some other ones I found. Any correlation with the unusually high proportion of .biz domains that are being registered by spammers? -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
Re: Finding ASN from IP address
Avleen Vig writes on 10/9/2003 10:19 PM: I want to create a mapping of IP addresses to ASN, for a specific list of IP addresses. Eg: 1.2.3.4 12.34.56.78 etc, gathered from my system logs. What is the best way of doing this?

Rob Thomas (cymru.com) has something like this - see below.

-- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations

* To: [EMAIL PROTECTED]
* Subject: [apops] New Team Cymru IP2ASN whois server
* From: Rob Thomas [EMAIL PROTECTED]
* Date: Fri, 26 Sep 2003 01:56:11 -0500 (CDT)
* List-archive: http://www.apnic.net/mailing-lists/apops/
* List-help: mailto:[EMAIL PROTECTED]
* List-id: Asia Pacific Operators Forum apops.apops.net
* List-post: mailto:[EMAIL PROTECTED]
* List-subscribe: http://mailman.apnic.net/mailman/listinfo/apops,mailto:[EMAIL PROTECTED]
* List-unsubscribe: http://mailman.apnic.net/mailman/listinfo/apops,mailto:[EMAIL PROTECTED]
* Sender: [EMAIL PROTECTED]

Fellow networkers, Team Cymru is happy to announce the availability of a public whois server dedicated to mapping IP numbers to ASNs, located at whois.cymru.com. You can find the link to this tool at: http://www.cymru.com/BGP/whois.html This link has been added to our main BGP data page available at: http://www.cymru.com/BGP/index.html We have also extended the functionality of this daemon to support BULK IP submissions for those who wish to further optimize their queries with netcat. Following is a quick overview of how to use it:

$ whois -h whois.cymru.com IP

Where IP is replaced by the IP you'd like to map, like so:

$ whois -h whois.cymru.com 4.2.2.1
ASN | IP | Name
3356 | 4.2.2.1 | LEVEL3 Level 3 Communications

You can also include port information, and/or timestamps in your queries. Be sure to include quotes around your queries, or the daemon will interpret your request as multiple lines:

$ whois -h whois.cymru.com "4.2.2.1 -0600 GMT"
ASN | IP | Info | Name
3356 | 4.2.2.1 | -0600 GMT | LEVEL3 Level 3 Communications

For instructions on how to submit BULK queries via netcat, simply issue the following command:

$ whois -h whois.cymru.com help

We hope you find this tool useful. Stay tuned for more features! If you have any comments or suggestions as to how we might improve this service, feel free to let us know! Thanks, Rob, for Team Cymru. -- Rob Thomas http://www.cymru.com ASSERT(coffee != empty);
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
And as soon as you call law enforcement what happens? The spammer --- Hank Nussbacher [EMAIL PROTECTED] wrote: On Thu, 9 Oct 2003, Suresh Ramasubramanian wrote: * Follow the money - find out the spammer / the guy who he spams for, from payment information etc. Sic law enforcement on them. srs I think we can all safely assume that the people behind this are most probably on NANOG or reading the archives and are now aware of your idea :-) -Hank
Re: Finding ASN from IP address
On Thu, Oct 09, 2003 at 09:49:32AM -0700, Avleen Vig wrote: I want to create a mapping of IP addresses to ASN, for a specific list of IP addresses. Eg: 1.2.3.4 12.34.56.78 etc, gathered from my system logs. What is the best way of doing this?

Team Cymru is offering an IP to ASN Whois service:

* Fellow networkers, Team Cymru is happy to announce the availability of a public whois server dedicated to mapping IP numbers to ASNs, located at whois.cymru.com. You can find the link to this tool at: http://www.cymru.com/BGP/whois.html This link has been added to our main BGP data page available at: http://www.cymru.com/BGP/index.html We have also extended the functionality of this daemon to support BULK IP submissions for those who wish to further optimize their queries with netcat. Following is a quick overview of how to use it:

$ whois -h whois.cymru.com IP

Where IP is replaced by the IP you'd like to map, like so:

$ whois -h whois.cymru.com 4.2.2.1
ASN | IP | Name
3356 | 4.2.2.1 | LEVEL3 Level 3 Communications

You can also include port information, and/or timestamps in your queries. Be sure to include quotes around your queries, or the daemon will interpret your request as multiple lines:

$ whois -h whois.cymru.com "4.2.2.1 -0600 GMT"
ASN | IP | Info | Name
3356 | 4.2.2.1 | -0600 GMT | LEVEL3 Level 3 Communications

For instructions on how to submit BULK queries via netcat, simply issue the following command:

$ whois -h whois.cymru.com help

We hope you find this tool useful. Stay tuned for more features! If you have any comments or suggestions as to how we might improve this service, feel free to let us know! Thanks, Steve, for Team Cymru http://www.cymru.com -- Stephen Gill
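As an added example (mine, not Team Cymru's or anyone's on the list) of what Avleen asked for, built on the whois.cymru.com announcement forwarded twice above: pull the distinct addresses out of log text, look each one up with the single-address command the announcement shows, and parse the pipe-separated reply into an IP-to-ASN table. The log lines, ASNs and replies below are constructed (RFC 5737 documentation addresses) so it runs offline; the parser only assumes the "ASN | IP | Name" and "ASN | IP | Info | Name" layouts quoted in the announcement.

```python
import re
import subprocess
from typing import Callable, Dict, List, Tuple

# Constructed log lines standing in for "gathered from my system logs"; the
# addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Oct  9 09:49:01 gw sshd[4711]: Failed password for root from 192.0.2.10 port 4021 ssh2
Oct  9 09:49:05 gw sshd[4712]: Failed password for root from 198.51.100.7 port 4022 ssh2
Oct  9 09:50:11 gw sshd[4713]: Accepted publickey for avleen from 192.0.2.10 port 4030 ssh2
Oct  9 09:51:00 gw httpd: 203.0.113.99 - - "GET /index.html HTTP/1.0" 200 1234
"""

# Constructed replies in the table layout the announcement shows (ASN | IP | Name,
# or ASN | IP | Info | Name when a timestamp is included); the ASNs are made up.
FAKE_REPLIES = {
    "192.0.2.10": "ASN | IP | Name\n64496 | 192.0.2.10 | EXAMPLE-NET-A Example Network A\n",
    "198.51.100.7": "ASN | IP | Info | Name\n64497 | 198.51.100.7 | -0600 GMT | EXAMPLE-NET-B Example Network B\n",
    "203.0.113.99": "ASN | IP | Name\n64498 | 203.0.113.99 | EXAMPLE-NET-C Example Network C\n",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_ips(log_text: str) -> List[str]:
    """Distinct, syntactically valid IPv4 addresses from log text, in first-seen order."""
    seen: Dict[str, None] = {}
    for ip in IPV4_RE.findall(log_text):
        if all(int(octet) <= 255 for octet in ip.split(".")):
            seen.setdefault(ip, None)
    return list(seen)


def parse_cymru_reply(text: str) -> Dict[str, Tuple[str, str]]:
    """Turn the pipe-separated table into {ip: (asn, name)}; the header row is skipped."""
    rows: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 3 or cells[0].upper() == "ASN":
            continue
        asn, ip, name = cells[0], cells[1], cells[-1]   # an Info column, if any, sits in between
        rows[ip] = (asn, name)
    return rows


def query_cymru(ip: str) -> str:
    """The single-address lookup from the announcement; needs network access and a whois client."""
    proc = subprocess.run(["whois", "-h", "whois.cymru.com", ip],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def map_log_to_asn(log_text: str,
                   lookup: Callable[[str], str] = query_cymru) -> Dict[str, Tuple[str, str]]:
    """Build the IP -> (ASN, name) mapping for every address seen in log_text."""
    mapping: Dict[str, Tuple[str, str]] = {}
    for ip in extract_ips(log_text):
        mapping.update(parse_cymru_reply(lookup(ip)))
    return mapping


if __name__ == "__main__":
    # Offline run using the constructed replies; pass query_cymru for a live lookup.
    for ip, (asn, name) in map_log_to_asn(SAMPLE_LOG, FAKE_REPLIES.__getitem__).items():
        print(f"{ip:16} AS{asn:<6} {name}")
```

For more than a handful of addresses the bulk interface the announcement mentions is the better fit, since it avoids one whois connection per address.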
Re: Finding ASN from IP address
There's a paper on just this problem from SIGCOMM 2003: http://www.acm.org/sigcomm/sigcomm2003/papers.html#p365-mao

On Thursday, Oct 9, 2003, at 09:49 US/Pacific, Avleen Vig wrote: I want to create a mapping of IP addresses to ASN, for a specific list of IP addresses. Eg: 1.2.3.4 12.34.56.78 etc, gathered from my system logs. What is the best way of doing this? I thought about something along the lines of: install routing software (zebra?), pass the software the IPs, get it to spit back a string from which I can grab the ASN. Two problems being I don't know which software to install that can do that, or where to get a copy of the current routing table, so that I can feed that to the software. Suggestions appreciated. -- Avleen Vig Systems Administrator Personal: www.silverwraith.com EFnet:irc.mindspring.com
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
Andy Ellifson writes on 10/9/2003 10:58 PM:
Oops... Try this again... And as soon as you call law enforcement what happens? The spammer is located offshore. Then what?

99% of them are Americans - and mostly from Florida at that. See http://www.spamhaus.org/rokso/ They might subcontract stuff offshore (to India and China, where a lot of legitimate software development / BPO etc work is also going), sure.
-- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
Re: Sitefinder and DDoS
Let's assume for a moment that Verisign's wildcards and Sitefinder go back into operation. Let's also assume someone sets up a popular webpage with malware HTML causing it, perhaps with a time delay, to issue rapid GETs to deliberately nonexistent domains. What would be the effect on overall Internet traffic patterns if there were one Sitefinder site? (flashback to ARPANET node announcing it had zero cost to any route) How many Sitefinder nodes would we need to avoid massive single-point congestion?

you may wish to review/examine the AS112 project materials. I used to run the single instance of the authoritative DNS service for RFC 1918 space. We were periodically hammered and discovered an interesting local optimization from one vendor who did not respect the negative-caching timers. The upshot was that the normal blow-the-bolts tactic that usually compartmentalizes failures actually aggravated the problem. :) The single instance was migrated to the anycast model under the AS112 folks.

I am NOT suggesting this simply as an argument against Sitefinder, and I'd like to see engineering analysis of how this vulnerability could be prevented.

--bill
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
Looks like attachments won't go through, so I will repost without the attachment. If anyone wants a copy, let me know ---Mike

At 01:28 PM 09/10/2003, Andy Ellifson wrote:
Oops... Try this again... And as soon as you call law enforcement what happens? The spammer is located offshore. Then what?

Actually, in the case of the Wired article (removeform.com), it seems to be connected to a site in Florida. I asked my programmer ([EMAIL PROTECTED]) to decode the obfuscated java script/page that is served up by one of the zombies (On FreeBSD fetch -B 18192 -o danger.html http://www.removeform.com/d - I got it from 207.5.215.72 at the time). I have attached it as a zip file with its contents. You will note that the form post goes back to form action=http://207.36.47.68/cgi-bin/addinfo.cgi;

    OrgName:    CyberGate, Inc.
    OrgID:      CYBG
    Address:    3250 W. Commercial Blvd. Suite 200
    City:       Ft. Lauderdale
    StateProv:  FL
    PostalCode: 33309
    Country:    US

---Mike

--- Hank Nussbacher [EMAIL PROTECTED] wrote:
On Thu, 9 Oct 2003, Suresh Ramasubramanian wrote:
* Follow the money - find out the spammer / the guy who he spams for, from payment information etc. Sic law enforcement on them. srs

I think we can all safely assume that the people behind this are most probably on NANOG or reading the archives and are now aware of your idea :-) -Hank
RE: Finding ASN from IP address
There's a tool out there called tracesroute (note the s) that will also provide the AS number of every ip it lists.

-Original Message-
From: Suresh Ramasubramanian [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 09, 2003 12:46 PM
To: Avleen Vig
Cc: [EMAIL PROTECTED]
Subject: Re: Finding ASN from IP address

Avleen Vig writes on 10/9/2003 10:19 PM:
I want to create a mapping of IP addresses to ASN, for a specific list of IP addresses. Eg: 1.2.3.4 12.34.56.78 etc, gathered from my system logs. What is the best way of doing this?

Rob Thomas (cymru.com) has something like this - see below.
-- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations

* To: [EMAIL PROTECTED]
* Subject: [apops] New Team Cymru IP2ASN whois server
* From: Rob Thomas [EMAIL PROTECTED]
* Date: Fri, 26 Sep 2003 01:56:11 -0500 (CDT)
* List-archive: http://www.apnic.net/mailing-lists/apops/
* List-help: mailto:[EMAIL PROTECTED]
* List-id: Asia Pacific Operators Forum apops.apops.net
* List-post: mailto:[EMAIL PROTECTED]
* List-subscribe: http://mailman.apnic.net/mailman/listinfo/apops,mailto:apop [EMAIL PROTECTED]
* List-unsubscribe: http://mailman.apnic.net/mailman/listinfo/apops,mailto:apop [EMAIL PROTECTED]
* Sender: [EMAIL PROTECTED]

Fellow networkers,

Team Cymru is happy to announce the availability of a public whois server dedicated to mapping IP numbers to ASNs, located at whois.cymru.com. You can find the link to this tool at: http://www.cymru.com/BGP/whois.html This link has been added to our main BGP data page available at: http://www.cymru.com/BGP/index.html We have also extended the functionality of this daemon to support BULK IP submissions for those who wish to further optimize their queries with netcat.

Following is a quick overview of how to use it:

    $ whois -h whois.cymru.com IP

Where IP is replaced by the IP you'd like to map, like so:

    $ whois -h whois.cymru.com 4.2.2.1
    ASN | IP | Name
    3356 | 4.2.2.1 | LEVEL3 Level 3 Communications

You can also include port information, and/or timestamps in your queries. Be sure to include quotes around your queries, or the daemon will interpret your request as multiple lines:

    $ whois -h whois.cymru.com "4.2.2.1 -0600 GMT"
    ASN | IP | Info | Name
    3356 | 4.2.2.1 | -0600 GMT | LEVEL3 Level 3 Communications

For instructions on how to submit BULK queries via netcat, simply issue the following command:

    $ whois -h whois.cymru.com help

We hope you find this tool useful. Stay tuned for more features! If you have any comments or suggestions as to how we might improve this service, feel free to let us know! Thanks, Rob, for Team Cymru.
-- Rob Thomas http://www.cymru.com ASSERT(coffee != empty);
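As an added example (not code from the posts above or from Team Cymru), here is the workflow Avleen asked about end to end, built around the pipe-delimited table this service returns: pull addresses out of log lines, submit them as one bulk query, parse the "ASN | IP | Name" rows back into a per-address mapping, and group by origin network. The log lines and the reply are constructed samples; the begin/end bulk framing and port 43 are assumptions taken from the service's own documentation, not from this page.

```python
"""Added example, not code from the posts above or from Team Cymru: map the
addresses in system logs to ASNs via the pipe-delimited table that
whois.cymru.com returns ("ASN | IP | Name"). The log lines and the reply are
constructed samples, so everything except fetch_bulk() runs offline."""
import ipaddress
import re
import socket
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Optional

WHOIS_HOST = "whois.cymru.com"  # from the announcement
WHOIS_PORT = 43                 # assumption: standard whois port
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed syslog excerpt: two public addresses (one repeated), two RFC 1918
# addresses, and a dotted quad the regex matches but ipaddress rejects.
LOG_LINES = [
    "Oct  9 09:49:32 host sshd[1234]: Failed password for root from 4.2.2.1 port 51234 ssh2",
    'Oct  9 09:50:01 host httpd: 12.34.56.78 - - "GET / HTTP/1.0" 200',
    "Oct  9 09:50:05 host sshd[1235]: Failed password for admin from 4.2.2.1 port 51240 ssh2",
    "Oct  9 09:51:00 host kernel: drop 192.168.1.10 -> 10.0.0.5 (bad src 999.1.1.1)",
    'Oct  9 09:51:30 host httpd: 1.2.3.4 - - "GET / HTTP/1.0" 200',
]

# Constructed reply in the service's table format. Row one is the announcement's
# own example; AS64496 is reserved for documentation (RFC 5398); "NA" stands for
# an address with no announced origin (assumption about how that is reported).
SAMPLE_REPLY = """\
ASN     | IP               | Name
3356    | 4.2.2.1          | LEVEL3 Level 3 Communications
64496   | 12.34.56.78      | EXAMPLE-AS Constructed sample row
NA      | 1.2.3.4          | NA
"""

def extract_ips(log_lines: Iterable[str]) -> List[str]:
    """Unique, valid, globally routable IPv4 addresses in first-seen order.
    Private/loopback/etc. are dropped: they never map to a public ASN."""
    seen: Dict[str, None] = {}
    for line in log_lines:
        for cand in IPV4_RE.findall(line):
            try:
                addr = ipaddress.IPv4Address(cand)
            except ValueError:
                continue  # e.g. 999.1.1.1
            if addr.is_global:
                seen.setdefault(cand, None)
    return list(seen)

def bulk_query_text(ips: Iterable[str]) -> str:
    """Body of a bulk submission over raw TCP (what netcat would send). The
    begin/end framing is the service's documented bulk syntax today; the post
    above only points at 'whois -h whois.cymru.com help' for it."""
    return "begin\n" + "\n".join(ips) + "\nend\n"

def fetch_bulk(query: str, host: str = WHOIS_HOST, port: int = WHOIS_PORT,
               timeout: float = 10.0) -> str:
    """Send a bulk query and read the whole reply, netcat-style (network only)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii"))
        sock.shutdown(socket.SHUT_WR)
        return sock.makefile("r", encoding="utf-8", errors="replace").read()

def parse_whois_table(text: str) -> Dict[str, dict]:
    """Parse 'ASN | IP | ... | Name' output into {ip: {column: value}}. Column
    names come from the header row, so the Info column that appears when a
    query carries a timestamp needs no special-casing."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return {}
    header = [h.strip() for h in lines[0].split("|")]
    rows: Dict[str, dict] = {}
    for ln in lines[1:]:
        cells = [c.strip() for c in ln.split("|")]
        if len(cells) != len(header):
            continue  # malformed row: skip rather than guess
        row = dict(zip(header, cells))
        if "IP" not in row:
            continue
        asn = row.get("ASN", "")
        row["ASN"] = int(asn) if asn.isdigit() else None  # "NA" -> None
        rows[row["IP"]] = row
    return rows

def map_log_to_asn(log_lines: Iterable[str],
                   fetch: Callable[[str], str] = fetch_bulk) -> Dict[str, Optional[int]]:
    """Extract, submit one bulk query, and map each address to its origin ASN."""
    ips = extract_ips(log_lines)
    table = parse_whois_table(fetch(bulk_query_text(ips)))
    return {ip: table.get(ip, {}).get("ASN") for ip in ips}

def group_by_asn(mapping: Dict[str, Optional[int]]) -> Dict[Optional[int], List[str]]:
    """Invert the mapping so abuse reports can be sorted by originating network."""
    groups: Dict[Optional[int], List[str]] = defaultdict(list)
    for ip, asn in mapping.items():
        groups[asn].append(ip)
    return dict(groups)
```

Passing `fetch=lambda q: SAMPLE_REPLY` to `map_log_to_asn` exercises the whole path offline; the default `fetch_bulk` does the real netcat-style exchange.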
Re: RE: Finding clue at comcast.net
From: Austad, Jay [EMAIL PROTECTED]
Date: 2003/10/09 Thu AM 10:29:25 EDT
To: 'Howard C. Berkowitz' [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: RE: Finding clue at comcast.net

Comcast's phone support department is the *worst*, WORST, I've ever dealt with. I think they are outsourced, they have to go by a script, and many of them probably hardly know what a computer even is. Once I called because of a problem on their network, and I told the person on the phone that there was a problem on their network, and I pinned it down to a couple of routers where the problem may be, and she responded, very sternly, "Sir, WE DON'T HAVE ANY ROUTERS"

In any case, if you manage to get the call escalated a couple of times (after lying about rebooting your computer 47 times), you'll get someone good. Also, there are some good people who read this list. But calling their phone support to get anything useful is like trying to squeeze blood from a rock. -jay

* You might want to try and Social Engineer this one a little bit. In your other email you had mentioned someone in their call center suggesting you call the local cable company about the server (or such). Now I'm not suggesting anyone lie ... or such a thing ... but say you called the local office on a cold sales call asking for the person that handles their data networking. As you work your way through that try to find out who is the Head Engineer(s). From there try to find out who handles the CMTS equipment (Cisco uBR?) equipment in the local office Head End, and likely who handles the network including routers and switches and such. You might even try emailing the domain Technical Contact and explain who you are and ask them if there is an Engineering or Network Administrative contact for the local head end of your city. Good Luck,
--- Alan Spicer ([EMAIL PROTECTED]) Systems and Network Administration http://aspicer.homelinux.net
RE: Wired mag article on spammers playing traceroute games with trojaned boxes
At 09:01 AM 10/9/2003, McBurnett, Jim wrote: Can Broadband ISP's require a Linksys, dlink or other broadband router without too many problems? The router vendors would like that to happen :^)
Re: Sitefinder and DDoS
Howard C. Berkowitz wrote: I am NOT suggesting this simply as an argument against Sitefinder, and I'd like to see engineering analysis of how this vulnerability could be prevented. With $100M annual revenue at stake, I would be willing to provide distributed solutions to this problem if you send me a reasonable fraction of that money. Pete
RE: Wired mag article on spammers playing traceroute games with trojaned boxes
Actually, running a web server on 8290 isn't as easy as 80. SpamAssassin tests (WEIRD_PORT) for this, as do many other filtering packages. Forcing spammers to use non-standard ports will greatly increase their rate of detection, and in turn help to solve the spam problem. -Mike

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 09, 2003 9:56 AM
To: Joe Boyce
Cc: [EMAIL PROTECTED]
Subject: Re: Wired mag article on spammers playing traceroute games with trojaned boxes

On Thu, 9 Oct 2003, Joe Boyce wrote:
VA Personally, I think preventing residential broadband customers from hosting VA servers would limit a lot of that. I'm not saying that IS the solution. It's not like those customers are aware they are hosting servers, they most likely were exploited and are now unaware they are hosting websites.

That's obviously the case. No spammer has thousands of legitimately purchased DSL/Cable connections. The article pretty clearly says they're exploiting insecure windows (isn't that redundant?) boxes. Trouble is, how do you stop this? Just blocking common ports like 80 by default (unless the customer plans to actually run a web server and asks for the filter to be removed) won't work. The spammers can just as easily spam with urls containing ports (http://blah.biz:8290/) if they find 80 is filtered or find that filtering has become common. So other than waiting some infinitely long time for a secure out of the box version of windows (and for everyone to upgrade), how do you stop this? Widespread deployment of reflexive access lists? Force all broadband customers to use NAT and let them forward ports or entire IPs to their private IP servers if they have any? Wait for the legal system to catch and prosecute a few people who do this and deter others from trying it? Convince registrars to kill domains that are clearly being used by thieves?
-- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
On Thu, 09 Oct 2003 12:01:35 EDT, McBurnett, Jim [EMAIL PROTECTED] said:
Can Broadband ISP's require a Linksys, dlink or other broadband router without too many problems?

So now instead of a misconfigured PC, you're going to have a misconfigured router front-ending a misconfigured PC? Or are you planning to require that the ISP provide/maintain/configure the router?
Re: Sitefinder and DDoS
At 10:41 PM +0300 10/9/03, Petri Helenius wrote: Howard C. Berkowitz wrote: I am NOT suggesting this simply as an argument against Sitefinder, and I'd like to see engineering analysis of how this vulnerability could be prevented. With $100M annual revenue at stake, I would be willing to provide distributed solutions to this problem if you send me a reasonable fraction of that money. Pete As long as I get a finder's fee! :-)
Re: Wired mag article on spammers playing traceroute gameswith trojaned boxes
Actually, in the case of the wired article (removeform.com), it seems to be connected to a site in Florida. I asked my programmer ([EMAIL PROTECTED]) to decode the obfuscated java script/page that is served up by one of the zombies (On FreeBSD fetch -B 18192 -o danger.html http://www.removeform.com/d - I got it from 207.5.215.72 at the time). I have attached it as a zip file with its contents. You will note that the form post goes back to form action=http://207.36.47.68/cgi-bin/addinfo.cgi; OrgName:CyberGate, Inc. OrgID: CYBG Address:3250 W. Commercial Blvd. Suite 200 City: Ft. Lauderdale StateProv: FL PostalCode: 33309 Country:US This appears to be a rather prolific spammer. At first I thought they were affiliated with www.skynetweb.com because they have the same address, including suite number, but it now appears that they are really affiliated with these guys: http://www.affinity.com/about/our_team/our_team.htm John --
Re: Sitefinder and DDoS
Let's also assume someone sets up a popular webpage with malware HTML causing it, perhaps with a time delay, to issue rapid GETs to deliberately nonexistent domains. You don't even have to imagine that. Imagine a long-term port 80 Denial of Service (DoS) attack against a given website (using the website url rather than IP, which is not uncommon). Imagine the attacked domain administrator removes their DNS records from the registry to alleviate the attack. The attack is now directed at the Verisign Sitefinder service. Adam OUCH. Yet worse.
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
On Thu, 9 Oct 2003 12:55:36 -0400 (EDT), [EMAIL PROTECTED] wrote: Trouble is, how do you stop this? You use the same principles that are successfully applied every in society (except the Internet) to prevent the negligent from injuring the public. http://www.camblab.com/misc/univ_std.txt and (if you have a moment for some chuckles as well as some deep insights into what ails our favorite organism) http://www.camblab.com/nugget/spam_03.pdf (Brief extract: One needs only to enforce existing contracts and management charters (e.g. ICANN's) and to apply the basic principles of civilization to the Internet. No one would fly an airline run like today's Internet. Why should we tolerate such misoperation of an ever more critical resource in modern life? Spam is not inevitable. It is the predictable consequence of management decisions to use the Environmental Polluter business model . . . .) It's not a technical problem and there are NO technical solutions. The only one that works is what is used in every other type of human activity. Jeffrey Race
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
At 03:42 PM 09/10/2003, [EMAIL PROTECTED] wrote:
On Thu, 09 Oct 2003 12:01:35 EDT, McBurnett, Jim [EMAIL PROTECTED] said:
Can Broadband ISP's require a Linksys, dlink or other broadband router without too many problems?

So now instead of a misconfigured PC, you're going to have a misconfigured router front-ending a misconfigured PC?

PCs of the MS variety by default are misconfigured and dangerous out of the box (i.e. they don't have their patches installed and have questionable defaults). Routers of the soho variety generally are not. No it's NOT perfect, but I would gladly take b) over a) any day of the week. ---Mike
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
On Thu, 09 Oct 2003 14:36:53 -0400, Mike Tancsa wrote: OrgName:CyberGate, Inc. This is a notorious spam-enabler about which I had a quarrel with ATT management several years back to get them thrown off the ATT network. I had to take it to their lawyers since the abuse staff would do nothing. Jeffrey Race
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
How many times have you received SPAM selling a product from a U.S. based company? I have received plenty follow the money Hank has it right. M (speaking only for myself) Oops... Try this again... And as soon as you call law enforcement what happends? The spammer is located offshore. Then what? --- Hank Nussbacher [EMAIL PROTECTED] wrote: On Thu, 9 Oct 2003, Suresh Ramasubramanian wrote: * Follow the money - find out the spammer / the guy who he spams for, from payment information etc.Sic law enforcement on them. srs I think we can all safely assume that the people behind this are most probably on NANOG or reading the archives and are now aware of your idea :-) -Hank
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
On Thu, 9 Oct 2003 10:28:30 -0700 (PDT), Andy Ellifson wrote:
And as soon as you call law enforcement what happens? The spammer is located offshore. Then what?

This is an easy one. Again, see http://www.camblab.com/misc/univ_std.txt
Re: Sitefinder and DDoS
Howard C. Berkowitz wrote: The attack is now directed at the Verisign Sitefinder service. Adam OUCH. Yet worse. This would be the son-of-windowsupdate.com, right? Pete
Re: Wired mag article on spammers playing traceroute gameswithtrojaned boxes
OrgName:CyberGate, Inc. OrgID: CYBG Address:3250 W. Commercial Blvd. Suite 200 City: Ft. Lauderdale StateProv: FL PostalCode: 33309 Country:US This appears to be a rather prolific spammer. At first I thought they were affiliated with www.skynetweb.com because they have the same address, including suite number, but it now appears that they are really affiliated with these guys: http://www.affinity.com/about/our_team/our_team.htm John I decided to revise the way I phrased this. I should have said that this is a rather prolific home for spammers. I doubt Affinity or its associates are doing much spamming of their own. It does appear that Affinity, et. al., are hosting the page that is accepting information from that javascript. Affinity ought to know who is paying for that site and it seems like law enforcement might be rather interested in that information. John --
contact at yahoo mail? (they think we're an open relay : )
Today our email forwarders started getting this from yahoo.com mail handlers: 553 Mail from 216.220.40.247 not allowed - VS99-IP1 deferred - see help.yahoo.com/help/us/mail/defer/defer-02.html (#5.7.1) Connection closed by foreign host. Which when you go look at that page basically tells you you're probably an open relay (which we're not), etc. Can any mail admins at Yahoo contact me offlist, or post what the restrictions are or at what levels this will kick in? -mark -- Mark Jeftovic [EMAIL PROTECTED] Co-founder, easyDNS Technologies Inc. ph. +1-(416)-535-8672 ext 225 fx. +1-(416)-535-0237
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
It looks like they are using their little team of zombie machines that are doing the port 80 redirect to also respond to DNS requests:

    ;; AUTHORITY SECTION:
    vano-soft.biz.      120   IN  NS  ns3.uzc12.biz.
    vano-soft.biz.      120   IN  NS  ns4.uzc12.biz.
    vano-soft.biz.      120   IN  NS  ns5.uzc12.biz.
    vano-soft.biz.      120   IN  NS  ns1.uzc12.biz.
    vano-soft.biz.      120   IN  NS  ns2.uzc12.biz.

    ;; ADDITIONAL SECTION:
    ns3.uzc12.biz.      7200  IN  A   24.91.206.103
    ns3.uzc12.biz.      7200  IN  A   12.206.49.107
    ns4.uzc12.biz.      7200  IN  A   12.227.146.168
    ns5.uzc12.biz.      7200  IN  A   66.21.211.204
    ns5.uzc12.biz.      7200  IN  A   165.166.182.168
    ns1.uzc12.biz.      7200  IN  A   24.243.218.127
    ns1.uzc12.biz.      7200  IN  A   12.239.143.71
    ns1.uzc12.biz.      7200  IN  A   66.90.158.89
    ns1.uzc12.biz.      7200  IN  A   12.229.122.9
    ns2.uzc12.biz.      7200  IN  A   24.107.74.166
    ns2.uzc12.biz.      7200  IN  A   207.6.75.110

    103.206.91.24.in-addr.arpa domain name pointer h00402b45512d.ne.client2.attbi.com.
    168.182.166.165.in-addr.arpa domain name pointer rhhe16-168.2wcm.comporium.net
    110.75.6.207.in-addr.arpa domain name pointer d207-6-75-110.bchsia.telus.net

On Thu, 2003-10-09 at 11:53, Kee Hinckley wrote:
At 10:51 AM -0500 10/9/03, Chris Boyd wrote:
A few minutes later, or from a different nameserver, I get Name: vano-soft.biz Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9 12.252.185.129 This is a real Hydra. If everyone on the list looked up vano-soft.biz and removed the trojaned boxes, would we be able to kill it?

I think in this instance your best approach may be to go after the name servers. Anything else is going to be a game of whack-a-mole. Our spam filtering software actually uses the address of a domain's name server in its scoring system. Sometimes that's the only way we've been able to reliably detect a spammer.
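An added example, not code from the thread, building on Kee Hinckley's point that a domain's name-server addresses are a usable scoring signal: it parses the AUTHORITY and ADDITIONAL sections of a dig answer and flags a domain whose authoritative servers are scattered across unrelated networks and mostly sit on residential-looking or PTR-less addresses, the pattern shown above. The dig text is a constructed sample using a subset of the names and addresses quoted in the thread; the PTR names other than the attbi.com one, the benign contrast domain, and the residential-label heuristic are assumptions.

```python
"""Added example (not code from the thread): score a domain by where its name
servers live, following the remark that a name server's address is a usable
spam-scoring signal. Parses the AUTHORITY/ADDITIONAL sections of a dig answer;
the samples below are constructed and need no network access."""
import ipaddress
import re
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

# Constructed dig output using a subset of the NS names and glue quoted above.
SAMPLE_DIG = """\
;; AUTHORITY SECTION:
vano-soft.biz.      120   IN  NS  ns3.uzc12.biz.
vano-soft.biz.      120   IN  NS  ns1.uzc12.biz.

;; ADDITIONAL SECTION:
ns3.uzc12.biz.      7200  IN  A   24.91.206.103
ns3.uzc12.biz.      7200  IN  A   12.206.49.107
ns1.uzc12.biz.      7200  IN  A   24.243.218.127
ns1.uzc12.biz.      7200  IN  A   66.90.158.89
"""
# Constructed contrast: two servers on one hosting /24 (203.0.113.0/24 is RFC 5737 space).
BENIGN_DIG = """\
;; AUTHORITY SECTION:
example.org.        3600  IN  NS  ns1.example.org.
example.org.        3600  IN  NS  ns2.example.org.

;; ADDITIONAL SECTION:
ns1.example.org.    3600  IN  A   203.0.113.10
ns2.example.org.    3600  IN  A   203.0.113.11
"""
# Reverse names: the first is the one quoted in the thread; the others are
# constructed stand-ins, and one address has no PTR at all.
SAMPLE_PTR: Dict[str, Optional[str]] = {
    "24.91.206.103": "h00402b45512d.ne.client2.attbi.com",
    "12.206.49.107": "adsl-12-206-49-107.dsl.example.net",
    "24.243.218.127": "cable-pool-218-127.example.net",
    "66.90.158.89": None,
}

SECTION_RE = re.compile(r"^;; (\w+) SECTION:")
# Heuristic (assumption): labels common in dynamic/residential pools, or dashed-IP host names.
RESIDENTIAL_RE = re.compile(r"client|dsl|cable|dyn|pool|ppp|dhcp|hsia|\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}", re.I)

Record = Tuple[str, int, str, str, str]  # owner, ttl, class, type, rdata

def parse_dig_sections(text: str) -> Dict[str, List[Record]]:
    """{section: [(owner, ttl, class, type, rdata), ...]} from dig's answer text."""
    sections: Dict[str, List[Record]] = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        fields = line.split()
        if current is None or len(fields) < 5 or line.startswith(";"):
            continue  # blank line, comment, or not a resource record
        owner, ttl, cls, rtype = fields[:4]
        sections[current].append((owner, int(ttl), cls, rtype, " ".join(fields[4:])))
    return dict(sections)

def nameserver_glue(text: str) -> Dict[str, List[str]]:
    """Map each NS named in AUTHORITY to the A records ADDITIONAL supplies for it."""
    secs = parse_dig_sections(text)
    glue: Dict[str, List[str]] = {r[4]: [] for r in secs.get("AUTHORITY", []) if r[3] == "NS"}
    for owner, _ttl, _cls, rtype, rdata in secs.get("ADDITIONAL", []):
        if rtype == "A" and owner in glue:
            glue[owner].append(rdata)
    return glue

def network_spread(addrs: List[str], prefixlen: int = 16) -> int:
    """Number of distinct /prefixlen networks the addresses fall into."""
    return len({ipaddress.ip_network(f"{a}/{prefixlen}", strict=False) for a in addrs})

def looks_residential(ptr: Optional[str]) -> bool:
    return bool(ptr and RESIDENTIAL_RE.search(ptr))

def score_nameservers(dig_text: str, ptr_lookup: Callable[[str], Optional[str]]) -> dict:
    """Flag a domain whose authoritative servers are scattered across unrelated
    networks and mostly sit on residential pools or have no reverse name: the
    pattern the thread describes, where compromised broadband hosts answer DNS."""
    addrs = sorted({a for lst in nameserver_glue(dig_text).values() for a in lst})
    ptrs = {a: ptr_lookup(a) for a in addrs}
    residential = sum(1 for p in ptrs.values() if looks_residential(p))
    missing = sum(1 for p in ptrs.values() if not p)
    spread = network_spread(addrs)
    suspicious = bool(addrs) and spread >= 3 and (residential + missing) * 2 >= len(addrs)
    return {"addresses": len(addrs), "spread16": spread, "residential": residential,
            "missing_ptr": missing, "suspicious": suspicious}
```

`ptr_lookup` is injected so a real run can pass a resolver-backed function while the sample uses `SAMPLE_PTR.get`.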
Re: Wired mag article on spammers playing traceroute gameswith trojaned boxes
Michael Airhart [EMAIL PROTECTED] 10/9/03 1:57:06 PM How many times have you received SPAM selling a product from a U.S. based company? I have received plenty follow the money Hank has it right. M (speaking only for myself) Well, Cisco has a sales office in the same building as CyberGate/Affinity/Skywebnet. Can you send a few of your people over to suite 200 and see if you can take care of that problem for us? :-) John --
Re: Finding clue at comcast.net
- Original Message -
From: Howard C. Berkowitz [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, October 09, 2003 11:20 AM
Subject: RE: Finding clue at comcast.net

At 9:29 AM -0500 10/9/03, Austad, Jay wrote:
Comcast's phone support department is the *worst*, WORST, I've ever dealt with. I think they are outsourced, they have to go by a script, and many of them probably hardly know what a computer even is. Once I called because of a problem on their network, and I told the person on the phone that there was a problem on their network, and I pinned it down to a couple of routers where the problem may be, and she responded, very sternly, "Sir, WE DON'T HAVE ANY ROUTERS"

Same thing here. Last night, I was told that no escalation personnel were available.

* Depending on how big a company is or how the outsourcing company staffs at night this can be true. No escalation personnel may be physically present, but this doesn't mean there isn't someone they can call. An outsourcing company's call center agents have to first decide (policy?) that the issue warrants escalation, and then they probably have to call THEIR manager (of the outsourcing company). This manager then gets to decide if it REALLY warrants escalation to their client (the cable company). They don't want to call them after-hours unnecessarily. And cable companies are used to having 24 hours to resolve most outages, and if it doesn't affect a LOT of their customers it isn't considered an outage worth escalating. A real world example is: 6 calls in one cable node with the problem persisting for 15 to 30 minutes (calls keep coming in) would be a case for an on-call technician to be called. Anything less just gets Service Calls placed in CableMaster on AS/400. These things can wait for a scheduled (all-day) appointment unless the customer insists on a time-frame. An outside company calling about something is a lot less likely to get escalated at all unless it sounds like a real emergency. If the Internet is not down to their customers ... there isn't much that would be considered an emergency. As long as Email works and typical Web Surfing works for their customers, nothing is wrong worth escalating. They get a fair amount of "They're hacking my firewall and I can't reach my company [or XYZ.COM] server." These kinds of things are usually escalated by email to someone able to investigate that level of problems (Network Admin. or Engineer). I'd bet not too many of them read email after hours. (I did and responded to a lot of them, whether I got appreciated for it or not...)

On the couple of occasions where I got escalation, I once had an informal conversation with a 3rd level. Their phone center is in Halifax, NS -- didn't find out if it is outsourced or not. While the person with whom I spoke was reasonably clueful, he told me that customer support had no interactive communication with network operations -- at best, they could send an email about a routing, SMTP, etc. problem and hope somebody would respond.

* Exactly what I described above. But I wouldn't accept "hopefully somebody would respond". That is NOT acceptable. Someone should respond within 1 business day at most. Again you're not going to find many on-call or higher-level support reading email after-hours and responding to things. Even I couldn't do it ALL of the time. And I was the only one doing that in a local cable company (not a national company) with 2 cities.

At the time, I was paying for their Pro service, intermediate between regular residential and full business. My contact said that while that was supposed to get better customer support, an early plan to route it to business Comcast failed, and there really was NO separate Pro support organization. I dropped the Pro service after I learned that residential service no longer insisted you remove any local routers and firewalls before deigning to troubleshoot. They still ask you to do that, but repeated NO responses can get them to proceed.

* Pro services, where I was working, get escalated like the above description I wrote. If you are not completely down you're probably not going to see something done about it until the next business day (assuming after-hours).

A few NANOGs back (Atlanta), I did a presentation on customer satisfaction, which, frankly, was in many respects a case study of how I'd reform customer support at my then ISP/DSL, cais.net. If NANOG ever did formal documents, I'd like to see a guideline on how to run customer support.

* I saw your PowerPoint and I liked it.

In any case, if you manage to get the call escalated a couple of times (after lying about rebooting your computer 47 times),

You forgot reinstalling Windows. On a Mac.

* Typical front line support (should) be able to figure out if you are reporting a problem with your connection, e.g. your cable modem is not acquired or you have no IP connectivity or DNS resolution, or if you are reporting
Re: contact at yahoo mail? (they think we're an open relay : )
Thus spake Mark Jeftovic ([EMAIL PROTECTED]) [09/10/03 16:57]: Today our email forwarders started getting this from yahoo.com mail handlers: 553 Mail from 216.220.40.247 not allowed - VS99-IP1 deferred - see help.yahoo.com/help/us/mail/defer/defer-02.html (#5.7.1) Connection closed by foreign host. Woah. Deja vu. We got exactly the same thing, starting last night. We've worked around it by relaying mail to yahoo.com/yahoo.ca through a different mail server. Which when you go look at that page basically tells you you're probably an open relay (which we're not), etc. Ditto. The page also has some links to removal requests, which I've already filled out. And submitted a followup asking /why/ we were listed. This was about seven hours ago now, and I haven't even gotten an autoresponse from them yet, for this note. Can any mail admins at Yahoo contact me offlist, or post what the restrictions are or at what levels this will kick in? Apparently, they blacklist you at whim -- our mail server is confirmed un-open-relay by ordb.org, and by rlytest. And we can be blacklisted for up to 60 days at their discretion, according to the page above. I have also sent a message to postmaster@, who was most unhelpful. Basically redirected me to the 'I need help with Yahoo! mail' web page. I /was/ going to wait until tomorrow to follow up on NANOG, but if a Yahoo! admin is already looking at this for easydns.com, care to drop me a line for the same reasons? Thanks. - Damian
Re: Wired mag article on spammers playing traceroute gameswith trojaned boxes
John Neiberger writes on 10/10/2003 1:12 AM: This appears to be a rather prolific spammer. At first I thought they were affiliated with www.skynetweb.com because they have the same address, including suite number, but it now appears that they are really affiliated with these guys: http://www.affinity.com/about/our_team/our_team.htm Affinity is a large - and extremely spammer infested - webhost. They do happen to have quite a few legitimate customers though. -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
Re: Sitefinder and DDoS
Kee Hinckley wrote:
At 10:41 PM +0300 10/9/03, Petri Helenius wrote:
With $100M annual revenue at stake, I would be willing to provide distributed solutions to this problem if you send me a reasonable fraction of that money.

But can you do it without breaking the assumption that any lookup on *.TLD will always return the same value as badxxxdomain.TLD?

It would be doable, maybe not cover 100% of the cases, but if I were to accept the offer to go over to the dark side, why wouldn't I break that assumption to make your life more complicated? Pete
Re: contact at yahoo mail? (they think we're an open relay : )
On Thu, 09 Oct 2003 16:22:49 EDT, Mark Jeftovic [EMAIL PROTECTED] said:
553 Mail from 216.220.40.247 not allowed - VS99-IP1 deferred - see help.yahoo.com/help/us/mail/defer/defer-02.html (#5.7.1) Connection closed by foreign host.

Yahoo is ticked at our mail server as well - apparently, Yahoo listens to some DNSBL that thinks it's a mortal sin to be in the same /24 as a machine that sends back "your mail has a virus" notes.
Fw: Broadband World Forum Conference Proceedings
Title: IEC Broadband World Forum Proceedings CD-ROM

---
Alan Spicer ([EMAIL PROTECTED])
http://aspicer.homelinux.net/
Systems and Network Administration, and Telecommunications
(954) 977-5245

- Original Message -
From: Julie Brandt
To: [EMAIL PROTECTED]
Sent: Thursday, October 09, 2003 11:04 AM
Subject: Broadband World Forum Conference Proceedings

The Broadband World Forum 2003 combined high-level educational programming with high-impact exhibits to explore the range of business strategies and technology alternatives available to today's decision-makers in building tomorrow's next-generation broadband networks. With more than 100 speakers, the World Forum 2003 provided its educational conference attendees with current and in-depth information on the status of the broadband industry. The educational sessions featured discussions of today's most critical issues, including broadband rollout, mobility applications, DSL advances, FTTx, emerging wireless technologies, the status of the global marketplace, and much more.

If you were unable to attend the World Forum in London, you can still benefit from the insight and expertise of the industry leaders who presented within the educational program. See below for your IEC Web Registrant Discount on the CD-ROM proceedings of the Broadband World Forum 2003. This CD-ROM contains comprehensive information on the latest technology advancements and current market trends from the thought leaders who are guiding today's global broadband industry.

Topics covered include:
xDSL
Optical access
Metro-area networks
Gigabit Ethernet topologies
802.11x, 802.16, and 3G wireless
Satellite last-mile access solutions
High-speed mobile Internet
Emerging broadband architectures
Revenue-driving applications, services, and content delivery

A few of the presentations featured in this Proceedings CD-ROM include:
Gilles Coullon, Chief Technical Officer, France Telecom
Bernard Delvaux, Executive Vice President, Belgacom
Yves Goblet, Deputy Chief Executive Officer, Bouygues Telecom
Leif Aarthun Ims, Vice President, Telenor
Roland Kittel, Member of the Board of Management, Deutsche Telekom AG
Stefano Pileri, President, Telecom Italia
Krish Prabhu, Vice Chairman of the Board of Directors, ECI Telecom
Mario Mella, Network Planning Director, Fastweb
Rupert Gavin, Chief Executive, BBC Worldwide
Jean-Claude Vandenbosch, President, Belgacom Wireline
Jong-Lok Yoon, Executive Vice President, KT
Manuel Echánove Pasquin, General Manager, Telefónica de España
Pinny Chaviv, President and CEO, Inovia Broadband Access Division, ECI Telecom
David Cleevely, Chairman, Analysys Group
Joe Crupi, Vice President-Broadband Communications, Texas Instruments
Rupert Gavin, Chief Executive, BBC Worldwide
Anders Gustafsson, President, Tellabs International
Martin Harriman, Chief Marketing Officer, Marconi
Markku Hynninen, Vice President-Broadband Systems Division, Nokia Networks
Adam Joffe, Vice President of Information Technology and Chief Technology Officer, Sony Online Entertainment
Hack Kim, Executive Vice President, RD Center, Samsung
Krish Prabhu, Vice-Chairman of the Board of Directors, ECI Telecom
Michel Rahier, President, Fixed Networks Division, and Chief Operating Officer, Fixed Communications Group, Alcatel
Anton Schaaf, Member of the Group Executive Management, Siemens ICN
Mike Short, Vice President, O2, and Chairman - Mobile Data Association
Hiroaki (Harry) Takeichi, Corporate Vice President and Group President, Network Systems Group, Fujitsu
Christian Wolff, Vice President General Manager, Infineon Technologies

Don't miss this limited opportunity to learn from this impressive lineup of business leaders and technology innovators who are driving the broadband industry. Order your Broadband World Forum 2003 proceedings CD-ROM today for $295.00 ($495.00 retail). To receive this exclusive IEC Web Registrant Discount for your organization, simply reply "yes" to this e-mail or call Julie Brandt, IEC Publications Manager, at +1-312-559-3730. For a complete table of contents of the Broadband World Forum Proceedings CD-ROM visit http://www.iec.org/pubs/proceedings/2003/bbwf_2003_toc.html, call +1-312-559-3730, or e-mail the IEC Publications Department at [EMAIL PROTECTED]. The International Engineering
Re: contact at yahoo mail? (they think we're an open relay : )
Mark Jeftovic writes on 10/10/2003 1:52 AM:
> Today our email forwarders started getting this from yahoo.com mail handlers:
> 553 Mail from 216.220.40.247 not allowed - VS99-IP1 deferred - see help.yahoo.com/help/us/mail/defer/defer-02.html (#5.7.1)
> Connection closed by foreign host.

Us too. And more than one ISP that I have seen (for example, iglou.com mentioned that one of their boxes was being blocked).

Something looks badly borked there.

-- 
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
Re: Sitefinder and DDoS
At 10:41 PM +0300 10/9/03, Petri Helenius wrote:
> With $100M annual revenue at stake, I would be willing to provide distributed solutions to this problem if you send me a reasonable fraction of that money.

But can you do it without breaking the assumption that any lookup on *.TLD will always return the same value as badxxxdomain.TLD?

-- 
Kee Hinckley
http://www.messagefire.com/ Next Generation Spam Defense
http://commons.somewhere.com/buzz/ Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept responsibility for their own actions, or that they are so eager to regulate everyone else's.
RE: contact at yahoo mail? (they think we're an open relay : )
We are listed in no-more-funn.moensted.dk as 127.0.0.2 which is described as:

+ NERD-CA ip-space assigned to Canada: ca.countries.nerd.dk - 127.0.0.2
  216.220.40/24 is in ca, rejected based on geographical location
  about: Please see our webpage for more information
  about: This zone lists ONLY based on geographic information
  about: The zone does NOT contain known spammers, nor open relays

We do cop to being Canadian, but that's about it. I hope yahoo isn't keying on this RBL.

-mark

...and we've already filled out the retest form at Yahoo.

On Thu, 9 Oct 2003, Thor Larholm wrote:
> If you read through all of that page, you will notice that Yahoo itself has a re-test script you can use to trigger a verification.
> http://add.yahoo.com/fast/help/us/mail/cgi_retest
>
> Yahoo is not your only problem, if you look at http://moensted.dk/spam/?addr=216.220.40.247 you will notice that several DNSBL lists that IP address. No-more-fun believes it to be a Direct spam source and ArixDictStale says it has performed active dictionary attacks within the last 3 months.
>
> If you want to positively check whether you are an open relay, I would recommend testing through ORDB at http://ordb.org/submit/
>
> Regards
> Thor Larholm
> PivX Solutions, LLC - Senior Security Researcher
>
> -Original Message-
> From: Mark Jeftovic [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 09, 2003 1:23 PM
> To: [EMAIL PROTECTED]
> Subject: contact at yahoo mail? (they think we're an open relay : )
>
> > Today our email forwarders started getting this from yahoo.com mail handlers:
> > 553 Mail from 216.220.40.247 not allowed - VS99-IP1 deferred - see help.yahoo.com/help/us/mail/defer/defer-02.html (#5.7.1)
> > Connection closed by foreign host.
> >
> > Which when you go look at that page basically tells you you're probably an open relay (which we're not), etc.
> >
> > Can any mail admins at Yahoo contact me offlist, or post what the restrictions are or at what levels this will kick in?
> >
> > -mark
> > --
> > Mark Jeftovic [EMAIL PROTECTED]
> > Co-founder, easyDNS Technologies Inc.
> > ph. +1-(416)-535-8672 ext 225 fx. +1-(416)-535-0237
Re: Finding clue at comcast.net
- Original Message -
From: Howard C. Berkowitz [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, October 09, 2003 11:20 AM
Subject: RE: Finding clue at comcast.net

> At 9:29 AM -0500 10/9/03, Austad, Jay wrote:
> > Comcast's phone support department is the *worst*, WORST, I've ever dealt with. I think they are outsourced, they have to go by a script, and many of them probably hardly know what a computer even is. Once I called because of a problem on their network, and I told the person on the phone that there was a problem on their network, and I pinned it down to a couple of routers where the problem may be, and she responded, very sternly, "Sir, WE DON'T HAVE ANY ROUTERS"
>
> Same thing here. Last night, I was told that no escalation personnel were available.

* Depending on how big a company is or how the outsourcing company staffs at night this can be true. No escalation personnel may be physically present, but this doesn't mean there isn't someone they can call. An outsourcing company's call center agents have to first decide (policy?) that the issue warrants escalation, and then they probably have to call THEIR manager (of the outsourcing company). This manager then gets to decide if it REALLY warrants escalation to their client (the cable company). They don't want to call them after-hours unnecessarily. And cable companies are used to having 24 hours to resolve most outages, and if it doesn't affect a LOT of their customers it isn't considered an outage worth escalating. A real world example is: 6 calls in one cable node with the problem persisting for 15 to 30 minutes (calls keep coming in) would be a case for an on-call technician to be called. Anything less just gets Service Calls placed in CableMaster on AS/400. These things can wait for a scheduled (all-day) appointment unless the customer insists on a time-frame.

> *sigh* Y'know, I could live with it if I could even have a mailbox to which I could send detailed trouble reports, even if no one looked at them on the next day. While their routing seems to be fairly stable these days, there would be times I'd traceroute from several sites I could reach and take views from multiple looking glasses, giving me a pretty fair idea where, and even what, the problem is.
>
> The customer disservice people that really drive me nuts are the first-levels that believe they are NEVER wrong. If you say there's an IP routing problem, they may say: "how do you know there's a problem with our ippp (rhymes with pip)?" "We don't support SMTP or POP3. You have to use Outlook." "You must remove your firewall and router so we can troubleshoot." "It's irrelevant that you can ping the access router. It must be your modem. Go to the local office and exchange it. I'm sure the problem will be resolved, so there's no reason to give you a trouble ticket." "b'gop? bajop? We don't support bee-gee-pee in our network." "access router? We just have Windows servers."

* Exactly what I described above. But I wouldn't accept "hopefully somebody would respond". That is NOT acceptable. Someone should respond within 1 business day at most. Again, you're not going to find many on-call or higher-level support reading email after-hours and responding to things. Even I couldn't do it ALL of the time. And I was the only one doing that in a local cable company (not a national company) with 2 cities.

> I'd be happy, again, if they'd let me give them a trouble ticket. Oh, they have told me at times that I could do that at their website, which is an interesting problem when you don't have connectivity. I'd gladly pay extra for dial backup at low speed, but they don't offer that.
>
> At the time, I was paying for their Pro service, intermediate between regular residential and full business. My contact said that while that was supposed to get better customer support, an early plan to route it to business Comcast failed, and there really was NO separate Pro support organization. I dropped the Pro service after I learned that residential service no longer insisted you remove any local routers and firewalls before deigning to troubleshoot. They still ask you to do that, but repeated NO responses can get them to proceed.

* Pro services, where I was working, get escalated like the above description I wrote. If you are not completely down you're probably not going to see something done about it until the next business day (assuming after-hours). They treated completely-down situations like that.

> A few NANOGs back (Atlanta), I did a presentation on customer satisfaction, which, frankly, was in many respects a case study of how I'd reform customer support at my then ISP/DSL, cais.net. If NANOG ever did formal documents, I'd like to see a guideline on how to run customer support.

* I saw your PowerPoint and I liked it.

> > In any case, if you manage to get the call escalated a couple of times (after lying about rebooting your computer 47 times),
>
> You forgot reinstalling Windows.
Re: Wired mag article on spammers playing traceroute games with
> Actually, running a web server on 8290 isn't as easy as 80. SpamAssassin tests (WEIRD_PORT) for this, as do many other filtering packages. Forcing spammers to use non-standard ports will greatly increase their rate of detection, and in turn help to solve the spam problem.
>
> -Mike

*sigh* Unfortunately, due to the evils of Code Red, Nimda, and other worms out in the wild, I've ended up moving our personal web servers off port 80, just so the logs don't fill up with useless probes from infected boxes. So in the ever-escalating war against spam, this means when I mail out to my friends telling them the correct URL for my site (including the port), I now have to worry about those messages being improperly tagged as spam, due to the inclusion of URLs that reference specific port numbers.

We seem to be slowly transforming the network into more and more just a network of port 80 boxes. :( Perhaps the Internet really is going to end up being just the Web, not through evil intervention, but by our own well-intentioned efforts.

Matt (starting to feel more and more like a Star Trek redshirt frantically rotating shield frequencies to try to stay one step ahead of the attacking aliens...)
Need contact at Everyone Internet
I am seeking a contact at Everyone Internet (EV1.NET) who can address a routing problem at EV1's borders that is causing our users to be unable to reach many popular sites hosted there, or that have DNS servers there. We've tried contacting them by telephone, only to be referred to [EMAIL PROTECTED]. We have sent mail there from outside our network, but have received no response.

If someone from Everyone Internet is reading this, I would very much appreciate a response. If you cannot get email to me, please call at 213-739-5173. Or if you know how to reach someone at the EV1 NOC for problems of this sort, I'd appreciate that as well.

Thank you.

---
The avalanche has already begun. It is too late for the pebbles to vote. -- Kosh
Re: contact at yahoo mail? (they think we're an open relay : )
Thus spake Mark Jeftovic ([EMAIL PROTECTED]) [09/10/03 18:05]:
> We are listed in no-more-funn.moensted.dk as 127.0.0.2 which is described as:
>
> + NERD-CA ip-space assigned to Canada: ca.countries.nerd.dk - 127.0.0.2
>   216.220.40/24 is in ca, rejected based on geographical location
>   about: Please see our webpage for more information
>   about: This zone lists ONLY based on geographic information
>   about: The zone does NOT contain known spammers, nor open relays
>
> We do cop to being Canadian, but that's about it. I hope yahoo isn't keying on this RBL.

We're in three. Two because we're Canucks, one because it's the URBL.
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
On Thu, 2003-10-09 at 16:41, Suresh Ramasubramanian wrote:
> Affinity is a large - and extremely spammer infested - webhost. They do happen to have quite a few legitimate customers though.

That's simple to overcome. You notify those legitimate customers that they are doing business with an irresponsible provider. Surely there are providers on this list that would welcome the legitimate customers with open arms.

-Jim P.
Re: contact at yahoo mail? (they think we're an open relay : )
> > Today our email forwarders started getting this from yahoo.com mail handlers:
> > <snip>
>
> Us too. And more than one ISP that I have seen (for example, iglou.com mentioned that one of their boxes was being blocked)
>
> Something looks badly borked there.

bork bork bork

Indeed. They were blocking our servers this morning, but without any intervention by us (to my knowledge) it is working again now. Go figure.

Does yahoo have any *real* mail accounts anyway? I think the only time I actually send anything to yahoo.com mail addresses is when we are actively hiring people. Isn't yahoo mail only used to hide job hunting from current employers? =)

--chuck goolsbee
--
__
"There's only so much stupidity you can compensate for; there comes a point where you compensate for so much stupidity that it starts to cause problems for the people who actually think in a normal way." -Bill, digital.forest tech support
RE: contact at yahoo mail? (they think we're an open relay : )
It's a very confusing page to read, we are listed as 127.0.0.2 and that is NERD-CA.

The other entries like:

ARIXDICTSTALE Sender has a history of dictionary spamming: stale.dict.rbl.arix.com - 127.0.0.1

I think indicate what that RBL is for and what the value indicates, we are NOT in there:

host smtp.easydns.com
stale.dict.rbl.arix.com

and the txt record looks like a wildcard for all of the lists.

In fact, several of the people who emailed me off list saying "you're in no-more-funn" were ALSO listed in no-more-funn in the same manner. So that, combined with the number of "same here" posts wrt yahoo, leads me to believe that that's not the reason.

-mark

On Thu, 9 Oct 2003, Thor Larholm wrote:
> If you would read the page through, you would see that you are listed MULTIPLE places.
>
> No-more-funn.moensted.dk
> ARIXDICTSTALE
> NERD-CA
> NERD-ZZ
>
> Only the last two are country specific
>
> /thor
>
> -Original Message-
> From: Mark Jeftovic [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 09, 2003 2:30 PM
> To: Thor Larholm
> Cc: [EMAIL PROTECTED]
> Subject: RE: contact at yahoo mail? (they think we're an open relay : )
>
> > We are listed in no-more-funn.moensted.dk as 127.0.0.2 which is described as:
> >
> > + NERD-CA ip-space assigned to Canada: ca.countries.nerd.dk - 127.0.0.2
> >   216.220.40/24 is in ca, rejected based on geographical location
> >   about: Please see our webpage for more information
> >   about: This zone lists ONLY based on geographic information
> >   about: The zone does NOT contain known spammers, nor open relays
> >
> > We do cop to being Canadian, but that's about it. I hope yahoo isn't keying on this RBL.
> >
> > -mark
> >
> > ...and we've already filled out the retest form at Yahoo.
> >
> > On Thu, 9 Oct 2003, Thor Larholm wrote:
> > > If you read through all of that page, you will notice that Yahoo itself has a re-test script you can use to trigger a verification.
> > > http://add.yahoo.com/fast/help/us/mail/cgi_retest
> > >
> > > Yahoo is not your only problem, if you look at http://moensted.dk/spam/?addr=216.220.40.247 you will notice that several DNSBL lists that IP address. No-more-fun believes it to be a Direct spam source and ArixDictStale says it has performed active dictionary attacks within the last 3 months.
> > >
> > > If you want to positively check whether you are an open relay, I would recommend testing through ORDB at http://ordb.org/submit/
> > >
> > > Regards
> > > Thor Larholm
> > > PivX Solutions, LLC - Senior Security Researcher
> > >
> > > -Original Message-
> > > From: Mark Jeftovic [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, October 09, 2003 1:23 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: contact at yahoo mail? (they think we're an open relay : )
> > >
> > > > Today our email forwarders started getting this from yahoo.com mail handlers:
> > > > 553 Mail from 216.220.40.247 not allowed - VS99-IP1 deferred - see help.yahoo.com/help/us/mail/defer/defer-02.html (#5.7.1)
> > > > Connection closed by foreign host.
> > > >
> > > > Which when you go look at that page basically tells you you're probably an open relay (which we're not), etc.
> > > >
> > > > Can any mail admins at Yahoo contact me offlist, or post what the restrictions are or at what levels this will kick in?
> > > >
> > > > -mark
> > > > --
> > > > Mark Jeftovic [EMAIL PROTECTED]
> > > > Co-founder, easyDNS Technologies Inc.
> > > > ph. +1-(416)-535-8672 ext 225 fx. +1-(416)-535-0237
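An added example, not code from anyone in this thread, showing how a DNSBL listing like the one above is actually looked up and why a 127.0.0.2 answer from a geographic-only zone is not evidence of an open relay or spam source. The code table is constructed from the values quoted above (only the 127.0.0.2 = NERD-CA meaning comes from the thread), the resolver is injectable so the module runs offline, and the 127.0.0.2 / 127.0.0.1 self-check is the RFC 5782 convention for detecting a dead or wildcarded zone.

```python
"""DNSBL lookup helper: reversed-octet query name, answer-code interpretation,
listing policy, and a zone sanity check."""
import ipaddress
import socket
from typing import Callable, Dict, Optional, Tuple

# A resolver maps a query name to its A-record answer, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]

# Constructed table for the aggregate zone quoted in the thread.
# code -> (description, geographic_only). Only 127.0.0.2 is taken from the
# thread; a real deployment would load the zone's published code list.
NO_MORE_FUNN_CODES: Dict[str, Tuple[str, bool]] = {
    "127.0.0.2": ("NERD-CA: IP space assigned to Canada", True),
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Return the DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on garbage input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def system_resolver(name: str) -> Optional[str]:
    """Default resolver using the OS stub resolver; NXDOMAIN becomes None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_lookup(ip: str, zone: str,
                 resolver: Resolver = system_resolver) -> Optional[str]:
    """Return the 127.x.y.z listing code for ip in zone, or None if unlisted.

    A DNSBL answer must lie in 127.0.0.0/8. Anything else means the zone is
    wildcarded, expired, or hijacked and must not be fed into mail policy.
    """
    answer = resolver(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        raise ValueError(f"{zone} returned non-loopback answer {answer}")
    return answer


def should_reject(ip: str, zone: str, codes: Dict[str, Tuple[str, bool]],
                  resolver: Resolver = system_resolver) -> Tuple[bool, str]:
    """Policy decision: reject only on codes that assert abuse.

    Geographic-only codes (like NERD-CA) say nothing about relaying or
    spamming, so they never justify a 553 on their own. Unknown codes are
    treated as a listing but flagged so an operator can review the table.
    """
    code = dnsbl_lookup(ip, zone, resolver)
    if code is None:
        return False, "not listed"
    description, geographic_only = codes.get(code, (f"unknown code {code}", False))
    if geographic_only:
        return False, f"listed, but geographic only: {description}"
    return True, description


def zone_sanity(zone: str, resolver: Resolver = system_resolver) -> bool:
    """RFC 5782 liveness test: 127.0.0.2 must be listed, 127.0.0.1 must not.

    A zone that lists 127.0.0.1 is answering for every name (wildcard), and a
    zone that does not list 127.0.0.2 is dead; either way, stop using it.
    """
    return (dnsbl_lookup("127.0.0.2", zone, resolver) is not None
            and dnsbl_lookup("127.0.0.1", zone, resolver) is None)


if __name__ == "__main__":
    # Constructed offline stand-in for the zone, mirroring the quoted listing.
    def stub(name: str) -> Optional[str]:
        table = {
            "247.40.220.216.no-more-funn.moensted.dk": "127.0.0.2",
            "2.0.0.127.no-more-funn.moensted.dk": "127.0.0.2",
        }
        return table.get(name)

    zone = "no-more-funn.moensted.dk"
    print("zone sane:", zone_sanity(zone, stub))
    print(should_reject("216.220.40.247", zone, NO_MORE_FUNN_CODES, stub))
```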
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
Quoting [EMAIL PROTECTED] ([EMAIL PROTECTED]):
> [snip]
> it? Convince registrars to kill domains that are clearly being used by thieves?

From a post on NANE, here's what the registrar for vano-soft.biz had to say on Oct 1:

> In order to terminate service of this domain name we will need a strong sampling of complaints. Please fax a complaint to 858.560.9417 and include your complaint, name, email address and any supporting evidence you have. It is not our intent to keep a domain active that promoted criminal activity but we do take the suspension of a domain name very seriously. Thank you in advance for your cooperation and I can assure you that your faxed complaint will be taken seriously.

Anyone with half a clue can see that vano-soft.biz is using a network of zombies. Obviously domaindiscover.com/buydomains.com has no clue.

I started the day with a few hundred bounces from vano-soft's spam runs due to forged sender addresses in one of my domains. I spent the rest of the day googling for case law that might be applied to the network operators providing connectivity to the trojaned boxes being used for illegal activities, identity theft. Didn't accomplish much except wasting the day.

John Capo
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
Folks, let's move this discussion onto one of the many lists that focuses on spam:

http://www.claws-and-paws.com/spam-l/spam-l.html -- spam-l list for spam prevention and discussion
http://www.abuse.net/spamtools.html -- spam tools list for software tools that detect spam
net.admin.net-abuse.email | net.admin.net-abuse.usenet -- usenet lists

Thanks -- Susan
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
--On Thursday, October 09, 2003 7:54 PM -0400 Susan Harris [EMAIL PROTECTED] wrote:
> Folks, let's move this discussion onto one of the many lists that focuses on spam:
>
> http://www.claws-and-paws.com/spam-l/spam-l.html -- spam-l list for spam prevention and discussion
> http://www.abuse.net/spamtools.html -- spam tools list for software tools that detect spam
> net.admin.net-abuse.email | net.admin.net-abuse.usenet -- usenet lists

I am curious as to why open proxies, compromised hosts, trojans and routing games are not considered operational issues simply because the vehicle being discussed is spam.

With all due respect, we have a *problem*. End user machines on broadband connections are being misconfigured and/or compromised in frightening numbers. These machines are being used for everything from IRC flooders to spam engines, to DNS servers to massive DDoS infrastructure. If the ability of a teenager to launch a gb/s DDoS, or of someone DoSing mailservers off the internet with a trojan that contains a spam engine is not operational, perhaps it's just me that's confused.

Two-three years ago the warnings were ignored because it was "only IRC". Now it's "only spam". What does it take to make the Network Operators and NANOG decide that things that are a very bad thing on one protocol generally can bite you later on another if you ignore it because it's "only <insert your least favorite program or protocol here>"?

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Margie Arbon Mail Abuse Prevention System, LLC
[EMAIL PROTECTED] http://mail-abuse.org
Qwest bgp communities
Hi,

Anyone here know if Qwest operates a route server like GBLX, HE, ATT, that also shows AS209's communities? It would be useful for some bgp troubleshooting.. There is one peer in route-views.oregon-ix.net that shows 209 routes, but unfortunately, that particular peer strips off all 209's communities. I am trying to troubleshoot a problem where 209:70 set on a prefix doesn't seem to work/propagate, etc et al.

Or does anyone know of any route-servers run by a Qwest customer/peer that receives communities? I know that http://stat.qwest.net has a looking glass but it doesn't let you run any bgp commands; just ping and traceroute :-(

If you can assist, please reply to me off-list.

Thank you very much for your time,

-hc

-- 
Haesu C.
TowardEX Technologies, Inc.
Consulting, colocation, web hosting, network design and implementation
http://www.towardex.com | [EMAIL PROTECTED]
Cell: (978)394-2867 | Office: (978)263-3399 Ext. 170
Fax: (978)263-0033 | POC: HAESU-ARIN
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
Margie Arbon wrote:
> I am curious as to why open proxies, compromised hosts, trojans and routing games are not considered operational issues simply because the vehicle being discussed is spam.
>
> With all due respect, we have a *problem*. End user machines on broadband connections are being misconfigured and/or compromised in frightening numbers. These machines are being used for everything from IRC flooders to spam engines, to DNS servers to massive DDoS infrastructure. If the ability of a teenager to launch a gb/s DDoS, or of someone DoSing mailservers off the internet with a trojan that contains a spam engine is not operational, perhaps it's just me that's confused.
>
> Two-three years ago the warnings were ignored because it was "only IRC". Now it's "only spam". What does it take to make the Network Operators and NANOG decide that things that are a very bad thing on one protocol generally can bite you later on another if you ignore it because it's "only <insert your least favorite program or protocol here>"?

I believe that to be one of the most succinct summaries of the issues as I have read.
RE: Qwest bgp communities
http://stat.qwest.net/looking_glass.html

-Original Message-
From: Haesu [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 09, 2003 5:39 PM
To: [EMAIL PROTECTED]
Subject: Qwest bgp communities

> Hi,
>
> Anyone here know if Qwest operates a route server like GBLX, HE, ATT, that also shows AS209's communities? It would be useful for some bgp troubleshooting.. There is one peer in route-views.oregon-ix.net that shows 209 routes, but unfortunately, that particular peer strips off all 209's communities. I am trying to troubleshoot a problem where 209:70 set on a prefix doesn't seem to work/propagate, etc et al.
>
> Or does anyone know of any route-servers run by a Qwest customer/peer that receives communities? I know that http://stat.qwest.net has a looking glass but it doesn't let you run any bgp commands; just ping and traceroute :-(
>
> If you can assist, please reply to me off-list.
>
> Thank you very much for your time,
>
> -hc
>
> -- 
> Haesu C.
> TowardEX Technologies, Inc.
> Consulting, colocation, web hosting, network design and implementation
> http://www.towardex.com | [EMAIL PROTECTED]
> Cell: (978)394-2867 | Office: (978)263-3399 Ext. 170
> Fax: (978)263-0033 | POC: HAESU-ARIN
RE: Qwest bgp communities
Disregard, I thought they had allowed bgp queries on that site as well

-Original Message-
From: Haesu [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 09, 2003 5:39 PM
To: [EMAIL PROTECTED]
Subject: Qwest bgp communities

> Hi,
>
> Anyone here know if Qwest operates a route server like GBLX, HE, ATT, that also shows AS209's communities? It would be useful for some bgp troubleshooting.. There is one peer in route-views.oregon-ix.net that shows 209 routes, but unfortunately, that particular peer strips off all 209's communities. I am trying to troubleshoot a problem where 209:70 set on a prefix doesn't seem to work/propagate, etc et al.
>
> Or does anyone know of any route-servers run by a Qwest customer/peer that receives communities? I know that http://stat.qwest.net has a looking glass but it doesn't let you run any bgp commands; just ping and traceroute :-(
>
> If you can assist, please reply to me off-list.
>
> Thank you very much for your time,
>
> -hc
>
> -- 
> Haesu C.
> TowardEX Technologies, Inc.
> Consulting, colocation, web hosting, network design and implementation
> http://www.towardex.com | [EMAIL PROTECTED]
> Cell: (978)394-2867 | Office: (978)263-3399 Ext. 170
> Fax: (978)263-0033 | POC: HAESU-ARIN
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
On Thu, Oct 09, 2003 at 07:44:35PM -0500, Laurence F. Sheldon, Jr. wrote:
> > Two-three years ago the warnings were ignored because it was "only IRC". Now it's "only spam". What does it take to make the Network Operators and NANOG decide that things that are a very bad thing on one protocol generally can bite you later on another if you ignore it because it's "only <insert your least favorite program or protocol here>"?
>
> I believe that to be one of the most succinct summaries of the issues as I have read.

Not only that, but it's arguable that the problem is now significantly worse. Now IRC networks are *still* under attack, AND spam is a problem. And reading from the wired article, hard-to-trace, possibly very illegal websites are in the mix also.

What next, national security compromised because someone created a massive P2P system with all these trojaned systems, and uploaded the list of names of CIA operatives? Nice. It's not inconceivable.

Personally I'm in favour of specific port filtering, and charging a (small) premium ($10 a month?) to be able to run servers on residential broadband connections. Aunt Maggie in Florida doesn't NEED to run a server of any kind, and it would probably make my life easier trying to solve problems for her.

-- 
Avleen Vig
Systems Administrator
Personal: www.silverwraith.com
EFnet: irc.mindspring.com (Earthlink user access only)
RE: Finding clue at comcast.net
On Thu, 9 Oct 2003, Eric Kagan wrote:
> I was informed legacy ATTBI setup is still different from the router / infrastructure side. (i.e. Old ATTBI has ping and ports blocked that native Comcast does not)

That is true for the moment. We're in the process of rectifying that.

-- 
Brandon Ross                  AIM: BrandonNR
Principal IP Engineer         ICQ: 2269442
Comcast IP Services           Yahoo: BrandonNRoss
Re: RE: Finding clue at comcast.net
On Thu, 9 Oct 2003, Alan Spicer wrote:
> Now I'm not suggesting anyone lie ... or such a thing ... but say you called the local office on a cold sales call asking for the person that handles their data networking. As you work your way through that try to find out who is the Head Engineer(s). From there try to find out who handles the CMTS equipment (Cisco uBR?) equipment in the local office Head End, and likely who handles the network including routers and switches and such.

I wouldn't recommend that actually. The local folks do not have any control over the IP infrastructure, they only handle the HFC plant.

-- 
Brandon Ross                  AIM: BrandonNR
Principal IP Engineer         ICQ: 2269442
Comcast IP Services           Yahoo: BrandonNRoss
Re: Finding clue at comcast.net
On Thu, 9 Oct 2003, Howard C. Berkowitz wrote:
> *sigh* Y'know, I could live with it if I could even have a mailbox to which I could send detailed trouble reports, even if no one looked at them on the next day. While their routing seems to be fairly stable these days, there would be times I'd traceroute from several sites I could reach and take views from multiple looking glasses, giving me a pretty fair idea where, and even what, the problem is.

I'll probably regret this, but I guess you found it. I'm quite interested in any detailed trouble reports NANOGers can provide, especially on the routing side. I will not be able to respond right away, but I'm quite interested in improving our infrastructure and service.

-- 
Brandon Ross                  AIM: BrandonNR
Principal IP Engineer         ICQ: 2269442
Comcast IP Services           Yahoo: BrandonNRoss
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
On Thu, 9 Oct 2003, Margie Arbon wrote:
> I am curious as to why open proxies, compromised hosts, trojans and routing games are not considered operational issues simply because the vehicle being discussed is spam.

Susan did not say it wasn't an operational issue. She said there are other lists which focus on that issue.

There are many subjects of interest to operators which occasionally flare up on NANOG, but then move to other lists. BIND issues concern network operations, but a namedroppers list exists for the topic. Peering is of operational interest, but the model-peer mailing list exists for the topic. Network time synchronization is of interest to operators, but then the ntp newsgroup exists for the topic. Network security is of interest to operators, but then nsp security mailing lists exist for the topic. Address hijacking is of interest to operators, but then the hijack mailing list exists for the topic.

Not every operators' forum must discuss spam. There is a reason why more than one mailing list or forum on different topics exist on the Internet.

I now return you to your meta-discussion whether the topic is on topic for a particular forum. If you believe in zero tolerance, should the forum moderator report us to our ISPs for network abuse and terminate our Internet connection for discussing something the forum moderators consider off topic?
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
(I dislike meta-discussion, but since it /is/ applicable to the list...)

Thus spake Sean Donelan ([EMAIL PROTECTED]) [09/10/03 21:32]:
> Susan did not say it wasn't an operational issue. She said there are other lists which focus on that issue.

Agreed.

> There are many subjects of interest to operators which occasionally flare up on NANOG, but then move to other lists. BIND issues concern network operations, but a namedroppers list exists for the topic. Peering is of operational interest, but the model-peer mailing list exists for the topic. Network time synchronization is of interest to operators, but then the ntp newsgroup exists for the topic. Network security is of interest to operators, but then nsp security mailing lists exist for the topic. Address hijacking is of interest to operators, but then the hijack mailing list exists for the topic.

So if there's a more specific list for every operational issue, should we just shift discussion off to those lists? Should NANOG exist simply as a live resource for 'What mailing list should I consult for ...'?
Re: Is there anything that actually gets users to fix their computers?
http://www.wired.com/news/digiwood/0,1412,60613,00.html

> When students first register on the network, they are required to read about peer-to-peer networks and certify that they will not share copyright files. Icarus then scans their computer, detects any worms, viruses or programs that act as a server, such as Kazaa. Students are then given instructions on how to disable offending programs.

Kinda' does some of what you want done?

s

- Original Message -
From: Sean Donelan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 10:12 PM
Subject: Is there anything that actually gets users to fix their computers?

> Short of turning off their network access, why won't users fix their computers when the computer is infected or needs a patch? The University of Massachusetts posted bulletins, sent an email to all incoming students, included an alert when they connected. Nevertheless, almost three months after Microsoft released the critical patch and almost two months after the first Blaster worm was released over 1,600 students failed to patch their computers. Eventually, the University started shutting off network access for the students and charging $3 for the CD with the patch and $25/hour for support to clean the student's computers.
>
> http://www.dailycollegian.com/vnews/display.v/ART/2003/10/03/3f7cfeb12c8c2
>
> > Some students told the staff that they thought the University gave their systems a virus. "By no means was this a UMass internet problem," said Fairey. "People were probably infected before they got to campus." One student threatened to sue OIT, arguing that the offices did not have the right to turn off her port. "We have policies that clearly state our right to shut off systems," mentioned Fairey. "It's not something that we want to do. It's a nightmare."
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
On Thu, Oct 09, 2003 at 05:20:10PM -0700, Margie Arbon wrote:
> --On Thursday, October 09, 2003 7:54 PM -0400 Susan Harris [EMAIL PROTECTED] wrote:
> > Folks, let's move this discussion onto one of the many lists that focuses on spam:
> >
> > http://www.claws-and-paws.com/spam-l/spam-l.html -- spam-l list for spam prevention and discussion
> > http://www.abuse.net/spamtools.html -- spam tools list for software tools that detect spam
> > net.admin.net-abuse.email | net.admin.net-abuse.usenet -- usenet lists
>
> I am curious as to why open proxies, compromised hosts, trojans and routing games are not considered operational issues simply because the vehicle being discussed is spam.
>
> With all due respect, we have a *problem*. End user machines on broadband connections are being misconfigured and/or compromised in frightening numbers. These machines are being used for everything from IRC flooders to spam engines, to DNS servers to massive DDoS infrastructure. If the ability of a teenager to launch a gb/s DDoS, or of someone DoSing mailservers off the internet with a trojan that contains a spam engine is not operational, perhaps it's just me that's confused.

I think that in the case of spam, it is not some teenager, but rather adult, vicious, sociopathic criminals. They are not fooling around, folks.

-- 
-=[L]=-