Re: TAT 14 failure
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On onsdag, nov 26, 2003, at 07:44 Europe/Stockholm, Simon Lockhart wrote: > > On Tue Nov 25, 2003 at 08:32:50PM -0500, David Lesher wrote: >> Is there not sizeable UK<->FR capacity through the Chunnel? > > Yes, I believe there's a sizable amount of fiber going through the > service tunnel of the Chunnel (hence the much reduced cost of fiber > from > UK to Europe these days). Well, when they first deployed that tunnel fiber, you could pay a full undersea cable with the rent of one pair - - kurtis - -BEGIN PGP SIGNATURE- Version: PGP 8.0.2 iQA/AwUBP8w8xaarNKXTPFCVEQL9hwCgvkAwcGTJce4N1fzRCkJzS5xrR0EAoLIU MVHjggB6szrZ8CojbJj4Uk+8 =HF+C -END PGP SIGNATURE-
Re: incorrect spam setups cause spool messes on forwarders
>Also imagine your domain being joe-jobbed. You, as an innocent bystander, >then get hammered by Verizon as they try to do a lookup on possibly >millions of incoming mails. Why on earth would Verizon need to do the lookup once per incoming email? If they need to verify that a given MX does indeed exist and is reachable and is running an SMTP server, then why not cache that info for some reasonable time period, say an hour, to avoid disrupting everyone else's Internet. Coupled with that caching, they could reasonably make a few tries over the space of 3 to 5 minutes before giving up on the incoming email by sending 450s. And if they are going to do something like this which imposes a requirement on other ISPs, i.e. your MX must point to a live SMTP server, and which impacts other ISP's mail operations, i.e. we will send you 450s, then why can't they *PUBLISH* what they are doing. NANOG seems an appropriate place for this. --Michael Dillon
Re: incorrect spam setups cause spool messes on forwarders
telling spammers 4xx or 5xx doesn't matter, they don't listen. On Mon, Dec 01, 2003 at 09:18:21PM +0100, Daniel Roesen wrote: > > On Mon, Dec 01, 2003 at 12:52:28PM -0700, Michael Lewinski wrote: > > The idea is to "punish" spammers by filling up their queues, although > > honestly I don't know of any spammers who actually *have* queues. They > > just borrow other people's of course. > > Correct. More and more, anti-spammers are annoying me more than > the spammers. Anti-spammers tend to "make my problem YOUR problem" > thinking. Be it mangled sender addresses (this "NOSPAM" nonsense), > be it 450 to suspected spam. > > Antispanners seem to be very easy in accepting collateral damage > to the net. > > > Regards, > Daniel
Re: incorrect spam setups cause spool messes on forwarders
" John Brown (CV)" <[EMAIL PROTECTED]> wrote: > telling spammers 4xx or 5xx doesn't matter, they don't listen. The goal is to keep your spool clear, and your mailservers operational. At least, that is, if you are running a production server and not a hobbyist / family and friends type setup. -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
Re: incorrect spam setups cause spool messes on forwarders
[EMAIL PROTECTED] wrote: > Why on earth would Verizon need to do the lookup once per > incoming email? If they need to verify that a given MX > does indeed exist and is reachable and is running an > SMTP server, then why not cache that info for some Er.. they are not looking for "MX exists". If MX and A didn't exist or were bogus (pointing at rfc1918 space or the loopback IP for instance) the mail could be rejected without going through all this song and dance about SMTP callbacks. Consider a domain like (say) email.com <- that's one of ours, btw, that is extensively forged into spam. What they are trying to do is to connect back to email.com's MXs and ensure that the user <[EMAIL PROTECTED]> who is trying to send them mail really does exist, and is not just a figment of some spambot's imagination. It does tend to cut down on the amount of spam, but fails in several ways which have been discussed upthread (the most common being: the MX has an smtpd listener with no view of the userdb, like a cisco pix appliance with "smtp fixup", or a qmail smtpd instance). It is also a major headache for the operators of other mailserver clusters, especially the operators who host domains that are extensively forged into spam. SMTP verification callbacks are a major nuisance, over and above the usual flood of forged spam. And it can set off all kinds of alarms when a NOC tech finds the same address (say [EMAIL PROTECTED]) sending out thousands of emails to a whole lot of unknown addresses on your system. Said tech went ahead and blocked that address. By the time I could investigate, Verizon was rejecting a bunch of valid mail as well ... their sender verify process was failing because our NOC tech had blocked the address they used for verification. [Beats me why they don't use something like [EMAIL PROTECTED] > reasonable time period, say an hour, to avoid disrupting > everyone else's Internet. Coupled with that caching, they They could cache information about that particular envelope sender, sure. But spammers send with extensively randomized and bogus addresses in the same spam run, so even that caching doesn't really help. > And if they are going to do something like this which > imposes a requirement on other ISPs, i.e. your MX > must point to a live SMTP server, and which impacts That it must. No argument about that. > other ISP's mail operations, i.e. we will send you An ISP whose domain's MX points to a dead or nonexistent server would notice a severe impact on their mail operations, I assure you. > 450s, then why can't they *PUBLISH* what they are > doing. NANOG seems an appropriate place for this. Glad somebody realizes this. NANOG, according to the list FAQ, is not really the place to discuss spam, particularly as spam is not an operational problem. The reason that I disagree with this line of reasoning is that spam is just as much of an operational problem as some other topics that are considered fit for discussion here (or at any rate, are regularly discussed here). Especially as most if not all spam these days has a network security angle to it (trojans, compromised machines, hijacked /16s ...) Of course, most other operators meetings have whole conference tracks and tutorials on spam... in fact nanog seems to have had at least one or two of them in the past (with Paul Vixie speaking about spam). Yes, lists like spam-l and spamtools exist (and so do several other lists, some of them semi-secret and by invitation only, even). But * Quite a few nanog people don't read those * Quite a few issues are often better discussed in the focused and clued atmosphere of nanog than in the tower of babel (aka news.admin.net-abuse.email) --srs -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
Re: incorrect spam setups cause spool messes on forwarders
On Tue, Dec 02, 2003 at 03:37:00AM -0700, John Brown (CV) wrote: > telling spammers 4xx or 5xx doesn't matter, they don't listen. Exactly this is the flawed point about returning 4xx. They produce only collateral damage, but don't hit their target at all. Regards, Daniel
Re: incorrect spam setups cause spool messes on forwarders
On Tue, 02 Dec 2003 19:23:41 +0800, Suresh Ramasubramanian <[EMAIL PROTECTED]> said: > What they are trying to do is to connect back to email.com's MXs and ensure > that the user <[EMAIL PROTECTED]> who is trying to send them mail > really does exist, and is not just a figment of some spambot's imagination. And they tell that how, exactly, given that many sites do NOT allow VRFY or EXPN? I suppose they could do a MAIL FROM/RCPT TO pair, look at the result, and QUIT instead of DATA. Of course, that would be silly, because if it ever ran into another site that tried the same thing, that site would try to call back and do a MAIL FROM/RCPT TO... pgp0.pgp Description: PGP signature
Re: incorrect spam setups cause spool messes on forwarders
[EMAIL PROTECTED] writes on 12/2/2003 9:32 AM: On Tue, 02 Dec 2003 19:23:41 +0800, Suresh Ramasubramanian <[EMAIL PROTECTED]> said: What they are trying to do is to connect back to email.com's MXs and ensure that the user <[EMAIL PROTECTED]> who is trying to send them mail really does exist, and is not just a figment of some spambot's imagination. And they tell that how, exactly, given that many sites do NOT allow VRFY or EXPN? MAIL FROM: RCPT TO: QUIT: is precisely what they are doing. Nobody except spammers / dictionary attackers seem to VRFY these days for this sort of stuff. In fact grepping your logs for VRFY is often a reliable sign of a dictionary attack on your machines. I suppose they could do a MAIL FROM/RCPT TO pair, look at the result, and QUIT instead of DATA. Of course, that would be silly, because if it ever ran into another site that tried the same thing, that site would try to call back and do a MAIL FROM/RCPT TO... MAIL FROM: <> typically, or from a sender that does not return callbacks to it ... so no danger of loops getting set up. Thank God for small mercies, I guess. srs -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
Re: incorrect spam setups cause spool messes on forwarders
On Tue, 02 Dec 2003 14:37 UTC Suresh Ramasubramanian <[EMAIL PROTECTED]> wrote: | Nobody except spammers / dictionary attackers seem to VRFY these days | for this sort of stuff. In fact grepping your logs for VRFY is often | a reliable sign of a dictionary attack on your machines. VRFY is an (unavoidable) part of the checking routine built into the popular "Sam Spade for Windows" client, for manual verification of any suspect addresses found to have sent suspicious mail. So just looking for VRFY can give you some, er, false positives there ;-) and, as has been said, most sites don't allow it for obvious reasons. What is perhaps surprising, is the number of sites that disallow VRFY but leave EXPN fully operational ... | Thank God for small mercies, I guess. Implementing DELAY_CHECKS (which is normal anyway these days) will of course make a complete mockery of the process Verizon have implemented. -- Richard Cox
Re: incorrect spam setups cause spool messes on forwarders
Richard Cox writes on 12/2/2003 9:57 AM: VRFY is an (unavoidable) part of the checking routine built into the popular "Sam Spade for Windows" client, for manual verification of any suspect addresses found to have sent suspicious mail. So just looking for VRFY can give you some, er, false positives there ;-) "a stream of vrfy / expn" I should have said. Implementing DELAY_CHECKS (which is normal anyway these days) will of course make a complete mockery of the process Verizon have implemented. Say again? All that delay_checks in sendmail (and this is the default in exim / postfix etc) does is to defer any rejects based on IP / sender domain etc till the RCPT TO stage instead of returning 5xx at MAIL FROM: itself. I don't see how or where this will have an impact on verizon's sender verify. cf/README for sendmail says - delay_checksThe rulesets check_mail and check_relay will not be called when a client connects or issues a MAIL command, respectively. Instead, those rulesets will be called by the check_rcpt ruleset; they will be skipped under certain circumstances. See "Delay all checks" in the anti-spam configuration control section. Note: this feature is incompatible to the versions in 8.10 and 8.11. srs -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
Re: incorrect spam setups cause spool messes on forwarders
> telling spammers 4xx or 5xx doesn't matter, they don't listen. yes, but interestingly, every "smtp transport" (remote ip address who connects to your tcp/25 service) who ignores 5XX (which you can tell because they come back and try the same thing again over and over) is either a spammer or the output side of a proxy (which might be hard to detect). so it turns out that ignoring 5XX is like sending up a flare, "blackhole me!". -- Paul Vixie
APNIC delegation change
Just a heads up for those who use http://ftp.apnic.net/stats/apnic/apnic-latest It moved. If you have scripts that slurp APNIC ASN or IPv4 allocations, they probably broke this morning. The new correct link is at http://ftp.apnic.net/stats/apnic/new/delegated-apnic-latest == Eric GermannCCTec [EMAIL PROTECTED] Van Wert OH 45891 http://www.cctec.comPh: 419 968 2640 Fax: 603 825 5893 "The fact that there are actually ways of knowing and characterizing the extent of one’s ignorance, while still remaining ignorant, may ultimately be more interesting and useful to people than Yarkovsky" -- Jon Giorgini of NASA’s Jet Propulsion Laboratory
Re: incorrect spam setups cause spool messes on forwarders
> Exactly this is the flawed point about returning 4xx. They produce > only collateral damage, but don't hit their target at all. but they can feel self-righteous, which is probably the major goal
AOL postmaster (new request)
I really hate doing this but after 5 days and no one at AOL's helpdesk can even tell me why our subnets are being blocked. Can someone with the Postmaster helpdesk level 2 or higher please contact me. I have a ticket, I have followed all the rules, and I am still being told that no one knows why the block is there and no one knows when I will get a phone call or an email. Yes I accept mail for postmaster and root @ServerIP. No there is nothing in either mailbox. I am not listed on any other blacklists so I am really quite confused as to why this is so difficult. Thanks, Derrick
SPAM from own customers
Hi All The topic "Spam sent over infected or malconfigured enduser pc's" will become an big issue. We saw Virus' sending Spam directly from the users pc, downloading the recipient list and the payload trough HTTP from the web. How will you deal with the problem, that one user can flood your SMTP Server with tousends of emails within 10-20 minutes? Opinions, Suggestions? thanks, michel
Re: APNIC delegation change
Interstingly enough, the FTP url hasnt changed: http://ftp.apnic.net/stats/apnic/apnic-latest there are some strange differences between the http version and the ftp version. I have some automated stuff that grabs the data once a week and makes it available in an actually-human-usable format at: http://mrtg.snark.net/apnic.php matto On Tue, 2 Dec 2003, Eric Germann wrote: Just a heads up for those who use http://ftp.apnic.net/stats/apnic/apnic-latest It moved. If you have scripts that slurp APNIC ASN or IPv4 allocations, they probably broke this morning. The new correct link is at http://ftp.apnic.net/stats/apnic/new/delegated-apnic-latest == Eric GermannCCTec [EMAIL PROTECTED] Van Wert OH 45891 http://www.cctec.comPh: 419 968 2640 Fax: 603 825 5893 "The fact that there are actually ways of knowing and characterizing the extent of ones ignorance, while still remaining ignorant, may ultimately be more interesting and useful to people than Yarkovsky" -- Jon Giorgini of NASAs Jet Propulsion Laboratory [EMAIL PROTECTED]< Flowers on the razor wire/I know you're here/We are few/And far between/I was thinking about her skin/Love is a many splintered thing/Don't be afraid now/Just walk on in. #include
Re: incorrect spam setups cause spool messes on forwarders
(susan, this is in a spam related thread but i'm adding offtopic remarks which i think are actually in-charter for nanog. --pv) > Verizon does SMTP callbacks, connecting back to the MX of the envelope > sender and trying to verify that the user exists while something like RMX or MAILFROM would probably be a more robust alternative, verizon's actions are not irrational on a purely cost:benefit basis when the costs and benefits being measured are only their own. however, cost and benefit are not isolatable in that way, and folks who try to isolate them end up causing others to pile workaround on top of workaround until the whole system is just gum and mud. if verizon wanted to jointly sponsor a clearinghouse of email senders who had passed the callback test, with appropriate caching and error analysis and robust global mirroring, i'm sure that there would be other isp's and large e-mail carriers who would want to help, and i'm sure that authors of mail software, both opensource and not, would want to offer the feature of checking such a "ephemeral sender whitelist" (ESW?) but as long as verizon acts alone, they're just hurting themselves, and the overall system. consider what would happen if everybody did callbacks; first, what would happen to the load on the world's nonabusing mail servers, and then, what would the spammers do in response if this was effective? -- Paul Vixie
objective performance tests - broadwing, cogent
Does anyone have some objective performance tests of Cogent and Broadwing? Or any insight into eithers peering and peer relationships or ideas of how they route traffic? Thanks. -- matthew zeier - "Curiosity is a willing, a proud, an eager confession of ignorance." - Leonard Rubenstein
Re: incorrect spam setups cause spool messes on forwarders
Hi, ...on Tue, Dec 02, 2003 at 07:23:41PM +0800, Suresh Ramasubramanian wrote: > What they are trying to do is to connect back > to email.com's MXs and ensure that the user > <[EMAIL PROTECTED]> who is trying to > send them mail really does exist, [..] > It does tend to cut down on the amount of spam, > but fails in several ways which have been discussed > upthread (the most common being: the MX has an smtpd > listener with no view of the userdb, While sender address verification puts additional load on (more or less) innocent bystanders, it's right to exist is, as you said, based on the fact that it eases the spam load to the recipient - like many other intrusive anti-spam techniques. I agree that much of the anti-spam stuff out there is kludgy at best, and often harmful to other users, but let's not forget that it's the spammers who make all this necessary... At the edge of the net, where traffic can still be a major cost factor despite the limited bandwidth, having to transport 20% to 50% spam is a real burden that fuels many desperate decisions. If some of the large Email providers like Outblaze, Hotmail, Yahoo, AOL, etc. could agree on a more integrated approach to implement at least some form of sender authorization - possibly in the line of the RMX RR draft[1] - as a service to the public, the aggressive MX callbacks would perhaps be made redundant... While RMX and similar ideas certainly are no perfect solution, it's a cheap way to attach some trust level to a message, and gives the email providers the chance to solve the problem at their end as they gain control over the users of their domain name(s) by hampering unauthorized usage. Alex. [1] http://www.ietf.org/internet-drafts/draft-danisch-dns-rr-smtp-03.txt -- AB54-RIPE
WLAN shielding results
Thanks to all who responded to my query. I suppose I should have added that the brass in my company are somewhat loathe to work a little harder at things like using SecurID tokens, firing up VPN software, etc. "I want a single login solution" is a common mantra on the top floor. OK, OK, we're working on it... The majority of the respondents suggested software solutions - VPN tunneling, strong crypto, not broadcasting SSIDs, etc. I've been somewhat successful in relating to the higher-ups that they can either have security or convenience, and the mileage and pricing will vary. Our VPN boxes seldom hit 10% CPU utilization, even with 2000 users, so why not still use them? Thanks again, and my apologies for decreasing the S/N ratio. Andy
APRICOT 2004 : Speakers for Peering and Internet Exchange Track
Hi all - You may have heard that there will be a new one-day track on Peering and Internet Exchanges at the upcoming APRICOT in Kuala Lumpur in February. I'd like to describe the track in brief and solicit a few more Peering Coordinators / Network Architects / Network Engineers as speakers for the track. (See http://www.apricot2004.net/ for information on the broader APRICOT 2004 conference). This Peering and Internet Exchange Track is intended to facilitate regional ISP Peering by providing a forum for Peering Coordinators to meet each other and share information about Asia Pacific peering. We will facilitate this with several panels, each one focused on peering in a particular country. If you are a Peering Coordinator with experience peering in the AP Region, please send me an e-mail answering the questions below. I will use this information to match panelists together into panels focused on certain AP countries. Thanks! Bill --- Speaker Questionnaire If you are able and willing to speak at the Feb 2004 APRICOT Peering and Internet Exchange Track, please fill out the following form and e-mail to William B. Norton at [EMAIL PROTECTED]: Name: __ Title: ___ Company: ___ AS # _ In what country do you live? _ Email Address: __ We will select a set of panelists based on the answers to the questions below: 1) In what countries do you peer? 2) In which AP Country do you have peering experiences that you can share with the audience? 3) Answer as many of the questions below as applicable, as you would present as part of your presentation a) We are looking for speakers that have found interesting or unique country peering ecosystem characteristics. Have you uncovered any unexpected or interesting/unique peering ecosystem characteristics in any of the countries where you peer? Please give a few examples. b) We are also looking for unusual or unexpected traffic patterns. For example, a large amount of Japan traffic is ultimately destined to and from Brazil! Identifying and explaining this type of inter-country traffic would be a good set of data to launch a presentation. Do you have any of this type of data that you can share? c) What are the problems and challenges that you face as you build peering infrastructure into various AP countries? d) If other Peering Coordinators follow your footsteps into regions in which you now peer, what would you tell them: · is information that you would have liked to have had? · Are unexpected problems that you faced? e) What are the emerging trends that you see in the peering ecosystems in which you operate (transit and transport prices going up or down and the implications as you see them). /* William B. Norton <[EMAIL PROTECTED]> 650.315.8635 Co-Founder and Chief Technical LiaisonEquinix, Inc. */
Re: SPAM from own customers
Michel Renfer writes on 12/2/2003 12:50 PM: How will you deal with the problem, that one user can flood your SMTP Server with tousends of emails within 10-20 minutes? Virus filtering Rate limit (+ script to auto terminate user) and smtp auth on outbounds Separate inbound and outbound smtp relay. Don't let your inbound MX relay for your dialup pool (some trojans take the rDNS name / hostname of the infected box and do nslookup -q=mx domainname) Ask AOL for an [EMAIL PROTECTED] feed - a lot of these trojan spams seem to target AOL users. etc -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
Re: incorrect spam setups cause spool messes on forwarders
On Tue, 02 Dec 2003 20:05:47 +0100, Alexander Bochmann <[EMAIL PROTECTED]> said: > I agree that much of the anti-spam stuff out there > is kludgy at best, and often harmful to other users, > but let's not forget that it's the spammers who make > all this necessary... Today's stupid spammer trick: The other day, I posted something in reply to Stephen Wilcox, with a cc: to this list. Less than 10 minutes later, I got 4 notes from a site saying that my posting (which still had nanog and wilcox referenced) had tripped a content sensitivity filter. Double checking my outbox, I'd only posted one thing that had both wilcox and nanog in the headers for at least a month. Despite all this, the site admin in question fished out the actual note from their quarantine, and discovered that it was spam for some enhancement product. The only conclusion we could come up with is that somebody on the NANOG list is infected with some sort of malware that waits for mail to arrive and then uses its headers to generate a joe-job spam, and that 4 spams had gone off to the site that generated the notes back to me. Forget the baseball bat, this one deserves a lead pipe... :) pgp0.pgp Description: PGP signature
Re: SPAM from own customers
- Original Message - From: "Suresh Ramasubramanian" <[EMAIL PROTECTED]> To: "Michel Renfer" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Tuesday, December 02, 2003 2:23 PM Subject: Re: SPAM from own customers > > Virus filtering > > Rate limit (+ script to auto terminate user) and smtp auth on outbounds > SMTP AUTH is becoming risky if its not carefully setup and monitored. I can name one big time spammer who has warmed up to cracking weak passwords on e-mail systems that do SMTP AUTH. Means you'd have to filter your outbound mail servers port 25 from anyone not inside your network or a trusted source. Virus filtering is a must, but, alas, not all mail servers filter *outgoing* mail. Most filter only incoming mail. -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The AHBL - http://www.ahbl.org
Re: incorrect spam setups cause spool messes on forwarders
Alexander Bochmann writes on 12/2/2003 2:05 PM: If some of the large Email providers like Outblaze, Hotmail, Yahoo, AOL, etc. could agree on a more integrated approach to implement at least some form of sender authorization - possibly in the line of the RMX RR draft[1] - as a service to the public, the aggressive MX callbacks would perhaps be made redundant... There are just too many RMX proposals around. Once some of them get consolidated, it will be a good idea to adopt the best and most popularly accepted one. At least now that ASRG has some good new leadership with John Levine stepping in as co-chair (Yakov has always been doing a great job) I hope things move forward :) By the way there will be a panel on the different proposals during the conference track on spam that we at apcauce.org are organizing at APRICOT 2004 (www.apricot2004.net). Speakers include Dave Crocker and Meng Weng Wong (the originator of spf) srs -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
Re: SPAM from own customers
> Ask AOL for an [EMAIL PROTECTED] feed - a lot of these trojan spams seem to > target AOL users. Something to be aware of with the AOL scomp feed...any time one of your users sends a message with no To address, and everyone in the BCC or CC fields, it will generate a notification to the e-mail address you've registered with them. We have caught some spam originating from our network through the feed, but for the most part it's mostly legitimate mail. Thanks, Adam Debus Network Engineer, ReachONE Internet [EMAIL PROTECTED]
Re[2]: SPAM from own customers
On Tue, 2 Dec 2003 14:32:16 -0500 Brian Bruns <[EMAIL PROTECTED]> wrote: > SMTP AUTH is becoming risky if its not carefully setup and monitored. I can > name one big time spammer who has warmed up to cracking weak passwords on > e-mail systems that do SMTP AUTH. Means you'd have to filter your outbound > mail servers port 25 from anyone not inside your network or a trusted > source. not just weak passwords, but there are also obvious default, admin, and guest accounts on some SMTP servers which are sitting there, easily guessed, and they are indeed being taken advantage of. richard -- Richard Welty [EMAIL PROTECTED] Averill Park Networking 518-573-7592 Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
RR Abuse contact
Could someone from Road Runner's abuse department contact 407-482-8487 or ghadlockepik(dot>net please. Shane
re: s.o. out there from Finland's ISPs
Hello List, thank you all for your replies and kindness to help us. I looked for dialup connectivity in Finland. The choice went to TeliaSonera. Thank's to the guys out there. -- Best regards, frankmailto:[EMAIL PROTECTED]
Re: SPAM from own customers
Michel Renfer wrote: Hi All The topic "Spam sent over infected or malconfigured enduser pc's" will become an big issue. We saw Virus' sending Spam directly from the users pc, downloading the recipient list and the payload trough HTTP from the web. How will you deal with the problem, that one user can flood your SMTP Server with tousends of emails within 10-20 minutes? In addition to the other suggestions, scanning the CBL (cbl.abuseat.org) for your own IPs is useful from an operational standpoint to find open proxies and trojans. On a similar vein, detecting customer IPs trying to connect to 47.129.25.87 on port 25 (no legitimate email goes there) will give you similar intelligence, tho, it's not quite as definitive as a CBL listing. Most reliable if you exclude legitimate customer mail servers (bounced forged spam and virii) or correlate to the CBL. Couple either or both with an autodisconnect script like what Suresh suggested.
prefix filter generation for customers
Hi, I'm looking for input about how other people deal with this problem: We generate prefix filters for our customers from RADB using their AS or as-set. Our upstreams do the same for us. Our filters are generated with a simple WHOIS query and will pick up objects not only from RADB but from the various other IRRs that are mirrored in RADB. The problem is that it looks like at least one of our upstreams does not pick up the route objects that are in IRRs other than the one we asked them to use for us (RADB). One of our customers uses a different IRR and their routes did not get included in the filter generated by our upstream. Do we need to force all of our customers to use the same IRR as we do, or is there some way that we can support offering our customers a choice of IRRs just like our upstreams do for us? -Phil
DS-3 test equipment
I've searched the archives and find some hits on DS-1 test gear, but I'm looking for opinions/experience with DS-3 test gear. We've started bringing up more DS-3 circuits, both directly to customers and also for Frame/ATM/DSL aggregation. Telco used to do all provisioning and testing for us, but we are looking to be able to more troubleshooting in-house. Any recommended gear for basic functional testing (clock, loop, insert patterns and errors)? It would be nice if the test gear could do T-1 testing, too. I'm seeing a fair number of hits on eBay for TTC/Acterna gear, but I don't know what I'm looking at/for. I've done BERT testing many lifetimes ago, but don't have any current knowledge/experience. Thanks, Rick
Re: WLAN shielding
At 9:06 PM -0500 11/26/03, David Lesher wrote: Speaking on Deep Background, the Press Secretary whispered: My company is investigating the use of wireless in a couple of our conference rooms. Aside from limiting the scope of reception with various directional antennae, does anyone have any suggestions or pointers for other ways to limit the propagation of signals (i.e. special shielding paint, panels or other wall coatings)? As I told Andy, you need a "RayProof" or similar brand shielded conference room. This is Faraday Cage, with a tight-fighting door, etc. I don't know what they cost, but I've installed one or 2. Outside of labor, I suppose they might be in the $50-500K range or so, for small (12'x6') ones. Note it's a PITA to keep tight; as the door needs very tight-fitting gaskets. You'll need to bring phone/Ethernet in over fiber, but that's not hard. If you do put one in, and your local laws don't prevent smoking, make it an absolutely no-smoking area. Ventilation tends not to be wonderful. I was once attending a Federal Telecommunications Standards Committee meeting, where we were displaced from our regular conference room and given a SCIF vault/conference room. It was stuffy enough as we met for a couple of hours, but as we adjourned, the NSA representative lit a cigar. That's when we found out that the vault door was jammed. No simple cipherlock. Full combination lock. Trust me. Do not ever get in a mostly-sealed room with a dead cigar and some smoke remnants. When we got out, maybe two hours later, our faces matched the government green [1] walls. If this hadn't been in the then-Defense Communications Agency headquarters with resident locksmiths, I don't know how long we'd have been there! Seriously, give ventilation a lot of thought. You'll need ducts with grounded screening and lots of 90-degree bends. Also, consider having a kick-out panel for emergency escape. Even without high-security locks, I've seen the gasketed doors get stuck just in shielded labs. Think of fire protection -- you really don't want a fire suppression gas release in a vault. [1] I believe the proper descriptor for that shade of green is "gang".
Re: WLAN shielding
At 9:51 PM -0500 11/26/03, Sean Donelan wrote: On Wed, 26 Nov 2003, David Lesher wrote: Speaking on Deep Background, the Press Secretary whispered: > My company is investigating the use of wireless in a couple of our > conference rooms. Aside from limiting the scope of reception with various > directional antennae, does anyone have any suggestions or pointers for > other ways to limit the propagation of signals (i.e. special shielding > paint, panels or other wall coatings)? As I told Andy, you need a "RayProof" or similar brand shielded conference room. This is Faraday Cage, with a tight-fighting door, etc. Uhm, dumb question. If it is that important, why are you using wireless at all? Why not install a cheap switch/hub in the middle of the conference table and let people plug a patch cord from the hub to their laptops? Stupid pen-test tricks, instead of using an expensive WiFi scanner and cracking WEP; often you can collect better intelligence with a radio turned to the frequency used by wireless lapel mics used by executives during briefings. Or by lecturers forgetting them as they went to the bathroom. I only did that once.
Re: WLAN shielding
"Howard C. Berkowitz" wrote: > >Stupid pen-test tricks, instead of using an expensive WiFi scanner and > >cracking WEP; often you can collect better intelligence with a radio > >turned to the frequency used by wireless lapel mics used by executives > >during briefings. > > Or by lecturers forgetting them as they went to the bathroom. I only > did that once. [New Yorker cartoon of years gone by about the early shoulder-cameras the CreepyPeepy]
Re: prefix filter generation for customers
On Tue, 2 Dec 2003, Phillip Vandry wrote: > > Hi, > > I'm looking for input about how other people deal with this problem: > > We generate prefix filters for our customers from RADB using their AS > or as-set. Our upstreams do the same for us. > > Our filters are generated with a simple WHOIS query and will pick up > objects not only from RADB but from the various other IRRs that are > mirrored in RADB. > > The problem is that it looks like at least one of our upstreams does not > pick up the route objects that are in IRRs other than the one we asked > them to use for us (RADB). One of our customers uses a different IRR and > their routes did not get included in the filter generated by our upstream. Hi Phil, Have you asked them how they are generating the info? Maybe they are only looking at one source (for security reasons or whatever). If you look at the peval man page: ENVIRONMENT VARIABLES IRR_HOST Specifies the radbserver host to connect. IRR_PORT Specifies the radbserver port number to connect. IRR_SOURCES Specifies the source list (comma separated) to consider. Did you try the following to see if it picks up all the networks? peval -h whois.radb.net -expand_all ASnnn Another option might be to ``proxy'' the objects into RADB by making your own entries for the networks. I think I have seen people do this before. It all depends on the software that your upstream/peers are using to generate their filter lists. > > Do we need to force all of our customers to use the same IRR as we do, > or is there some way that we can support offering our customers a > choice of IRRs just like our upstreams do for us? > > -Phil > +--+ | Michael MoscovitchCiteNet Telecom Inc. | | [EMAIL PROTECTED] Tel: (514) 861-5050| +--+
RE: WLAN shielding
I have been looking into the Cisco Aironet solution recently for a project I'm working on. They seem to have some great security features, if you want to take the time to configure it. Oh, another caveat is that you have to use Cisco's wireless adapter as well, otherwise, good ol' WEP for you! I haven't thought of the VPN idea that others have spoken of on the NANOG list yet...that's a good idea too...hmm - Erik -Original Message- From: Andy Grosser [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 26, 2003 11:02 AM To: [EMAIL PROTECTED] Subject: WLAN shielding Apologies in advance if this may not quite be the proper list for such a question... My company is investigating the use of wireless in a couple of our conference rooms. Aside from limiting the scope of reception with various directional antennae, does anyone have any suggestions or pointers for other ways to limit the propagation of signals (i.e. special shielding paint, panels or other wall coatings)? Feel free to reply off-list. Thanks! Andy --- Andy Grosser, CCNP andy at meniscus dot org ---
Re: WLAN shielding
On Tue, 2 Dec 2003 20:36:51 -0600 "Erik Amundson" <[EMAIL PROTECTED]> wrote: > > > I have been looking into the Cisco Aironet solution recently for > a project I'm working on. They seem to have some great security > features, if you want to take the time to configure it. Oh, another > caveat is that you have to use Cisco's wireless adapter as well, > otherwise, good ol' WEP for you! Then I hope you saw this today : Cisco Security Advisory: SNMP trap Reveals WEP Key in Cisco Aironet AP Revision 1.0 For Public Release 2003 December 02 17:00 UTC (GMT) - Summary === Cisco Aironet Access Points (AP) running Cisco IOS software will send any static Wired Equivalent Privacy (WEP) key in the cleartext to the Simple Network Management Protocol (SNMP) server if the snmp-server enable traps wlan-wep command is enabled. Affected hardware models are the Cisco Aironet 1100, 1200, and 1400 series. This command is disabled by default. The workaround is to disable this command. Any dynamically set WEP key will not be disclosed. Cisco Aironet AP models running VxWorks operating system are not affected by this vulnerability. No other Cisco product is affected. This advisory will be available at http://www.cisco.com/warp/public/707/cisco-sa-20031202-SNMP-trap.shtml > > I haven't thought of the VPN idea that others have spoken of on > the NANOG list yet...that's a good idea too...hmm > > - Erik > > > > -Original Message- > From: Andy Grosser [mailto:[EMAIL PROTECTED] > Sent: Wednesday, November 26, 2003 11:02 AM > To: [EMAIL PROTECTED] > Subject: WLAN shielding > > > Apologies in advance if this may not quite be the proper list for such a > question... > > My company is investigating the use of wireless in a couple of our > conference rooms. Aside from limiting the scope of reception with > various directional antennae, does anyone have any suggestions or > pointers for other ways to limit the propagation of signals (i.e. > special shielding paint, panels or other wall coatings)? > > Feel free to reply off-list. > > Thanks! > > Andy > > --- > Andy Grosser, CCNP > andy at meniscus dot org > --- > > > >
Re: AOL postmaster (new request)
On Tue, 2 Dec 2003, Derrick Bennett wrote: > I really hate doing this but after 5 days and no one at AOL's helpdesk > can even tell me why our subnets are being blocked. Can someone with the > Postmaster helpdesk level 2 or higher please contact me. I have a > ticket, I have followed all the rules, and I am still being told that no > one knows why the block is there and no one knows when I will get a I'd have thought this was common knowledge by now...enough of us have gone through it. Do you currently get scomp reports from AOL for your IP space? If not, tell their helpdesk people you want to get setup for scomp reports. The most likely reason for AOL blocking you is they've received greater than some threshold of AOL user spam complaints for email originating at or relayed through your network. Have you verified that they're blocking entire subnets or all of your IP space, or is it just one or a few mail server IPs? If it's just a few IPs, the quickest fix is to add some additional IPs to your outgoing mail server(s) and make them talk to AOL using the new IPs. That will get mail flowing again, but you still need to track down and deal with whatever problem caused them to block you, or your new IPs will end up blocked as well. -- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
OT: Level 3 Secrets to Contact? Very OT! Please Ignore!
Does anyone know the secret to contacting a dark fiber salesperson at Level 3? The website directs a prospect to their toll free number 1-877-2LEVEL3 but the voicemail decision tree has some very dead limbs. It's not always easy to convey one's frustration in email. But the mugshot in this story seems to capture my general disposition: http://www.denverpost.com/Stories/0,1413,36~33~1765189,00.html# Just hoping to get some quick answers to easy questions so I'll be on my way to feeling like this: http://www.columbia.edu/cu/record/record2011.19c.gif ...but if the wait goes on much longer, I'll be left in this state: http://images.usatoday.com/money/_photos/2001-04-16-buffett.jpg Thanks, BM PS hope the employee-owners over there have a sense of humortheir contact apparatus is costing them money...is my guess. PPS You'd be surprised how many images there are of Warren Buffet on the web. And come to think of it, why should that rich (*&%$#$ ever have a grumpy look on his face?! The man should be walking around with a smile that makes his ears itch.
