Re: TAT 14 failure

2003-12-02 Thread Kurt Erik Lindqvist

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


On onsdag, nov 26, 2003, at 07:44 Europe/Stockholm, Simon Lockhart 
wrote:

>
> On Tue Nov 25, 2003 at 08:32:50PM -0500, David Lesher wrote:
>> Is there not sizeable UK<->FR capacity through the Chunnel?
>
> Yes, I believe there's a sizable amount of fiber going through the
> service tunnel of the Chunnel (hence the much reduced cost of fiber 
> from
> UK to Europe these days).

Well, when they first deployed that tunnel fiber, you could pay a full 
undersea cable with the rent of one pair

- - kurtis -

-BEGIN PGP SIGNATURE-
Version: PGP 8.0.2

iQA/AwUBP8w8xaarNKXTPFCVEQL9hwCgvkAwcGTJce4N1fzRCkJzS5xrR0EAoLIU
MVHjggB6szrZ8CojbJj4Uk+8
=HF+C
-END PGP SIGNATURE-



Re: incorrect spam setups cause spool messes on forwarders

2003-12-02 Thread Michael . Dillon

>Also imagine your domain being joe-jobbed.  You, as an innocent bystander,
>then get hammered by Verizon as they try to do a lookup on possibly
>millions of incoming mails.

Why on earth would Verizon need to do the lookup once per
incoming email? If they need to verify that a given MX
does indeed exist and is reachable and is running an
SMTP server, then why not cache that info for some
reasonable time period, say an hour, to avoid disrupting
everyone else's Internet. Coupled with that caching, they
could reasonably make a few tries over the space of
3 to 5 minutes before giving up on the incoming email
by sending 450s.

And if they are going to do something like this which 
imposes a requirement on other ISPs, i.e. your MX
must point to a live SMTP server, and which impacts
other ISP's mail operations, i.e. we will send you
450s, then why can't they *PUBLISH* what they are
doing. NANOG seems an appropriate place for this.

--Michael Dillon





Re: incorrect spam setups cause spool messes on forwarders

2003-12-02 Thread John Brown (CV)

telling spammers 4xx or 5xx doesn't matter, they don't listen.

On Mon, Dec 01, 2003 at 09:18:21PM +0100, Daniel Roesen wrote:
> 
> On Mon, Dec 01, 2003 at 12:52:28PM -0700, Michael Lewinski wrote:
> > The idea is to "punish" spammers by filling up their queues, although 
> > honestly I don't know of any spammers who actually *have* queues. They 
> > just borrow other people's of course.
> 
> Correct. More and more, anti-spammers are annoying me more than
> the spammers. Anti-spammers tend to "make my problem YOUR problem"
> thinking. Be it mangled sender addresses (this "NOSPAM" nonsense),
> be it 450 to suspected spam.
> 
> Antispammers seem to be very easy in accepting collateral damage
> to the net.
> 
> 
> Regards,
> Daniel


Re: incorrect spam setups cause spool messes on forwarders

2003-12-02 Thread Suresh Ramasubramanian

" John Brown (CV)" <[EMAIL PROTECTED]> wrote:

> telling spammers 4xx or 5xx doesn't matter, they don't listen.

The goal is to keep your spool clear, and your mailservers operational.

At least, that is, if you are running a production server and not a hobbyist / family 
and friends type setup.

-- 
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations



Re: incorrect spam setups cause spool messes on forwarders

2003-12-02 Thread Suresh Ramasubramanian

[EMAIL PROTECTED] wrote:

> Why on earth would Verizon need to do the lookup once per
> incoming email? If they need to verify that a given MX
> does indeed exist and is reachable and is running an
> SMTP server, then why not cache that info for some

Er.. they are not looking for "MX exists".  If MX and A didn't exist or were bogus 
(pointing at rfc1918 space or the loopback IP for instance) the mail could be rejected 
without going through all this song and dance about SMTP callbacks.

Consider a domain like (say) email.com <- that's one of ours, btw, that is extensively 
forged into spam.

What they are trying to do is to connect back to email.com's MXs and ensure that the 
user <[EMAIL PROTECTED]> who is trying to send them mail really does exist, and is not 
just a figment of some spambot's imagination.

It does tend to cut down on the amount of spam, but fails in several ways which have 
been discussed upthread (the most common being: the MX has an smtpd listener with no 
view of the userdb, like a cisco pix appliance with "smtp fixup", or a qmail smtpd 
instance).  It is also a major headache for the operators of other mailserver 
clusters, especially the operators who host domains that are extensively forged into 
spam.

SMTP verification callbacks are a major nuisance, over and above the usual flood of 
forged spam.  And it can set off all kinds of alarms when a NOC tech finds the same 
address (say [EMAIL PROTECTED]) sending out thousands of emails to a whole lot of 
unknown addresses on your system.

Said tech went ahead and blocked that address.  By the time I could investigate, 
Verizon was rejecting a bunch of valid mail as well ... their sender verify process 
was failing because our NOC tech had blocked the address they used for verification.  
[Beats me why they don't use something like [EMAIL PROTECTED]]

> reasonable time period, say an hour, to avoid disrupting
> everyone else's Internet. Coupled with that caching, they

They could cache information about that particular envelope sender, sure.

But spammers send with extensively randomized and bogus addresses in the same spam 
run, so even that caching doesn't really help.

> And if they are going to do something like this which 
> imposes a requirement on other ISPs, i.e. your MX
> must point to a live SMTP server, and which impacts

That it must.  No argument about that.

> other ISP's mail operations, i.e. we will send you

An ISP whose domain's MX points to a dead or nonexistent server would notice a severe 
impact on their mail operations, I assure you.

> 450s, then why can't they *PUBLISH* what they are
> doing. NANOG seems an appropriate place for this.
 
Glad somebody realizes this.

NANOG, according to the list FAQ, is not really the place to discuss spam, 
particularly as spam is not an operational problem.  

The reason that I disagree with this line of reasoning is that spam is just as much of 
an operational problem as some other topics that are considered fit for discussion 
here (or at any rate, are regularly discussed here).  Especially as most if not all 
spam these days has a network security angle to it (trojans, compromised machines, 
hijacked /16s ...)

Of course, most other operators meetings have whole conference tracks and tutorials on 
spam... in fact nanog seems to have had at least one or two of them in the past (with 
Paul Vixie speaking about spam).

Yes, lists like spam-l and spamtools exist (and so do several other lists, some of 
them semi-secret and by invitation only, even).  But 

* Quite a few nanog people don't read those

* Quite a few issues are often better discussed in the focused and clued atmosphere of 
nanog than in the tower of babel (aka news.admin.net-abuse.email)

--srs

-- 
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations


Re: incorrect spam setups cause spool messes on forwarders

2003-12-02 Thread Daniel Roesen

On Tue, Dec 02, 2003 at 03:37:00AM -0700,  John Brown (CV) wrote:
> telling spammers 4xx or 5xx doesn't matter, they don't listen.

Exactly this is the flawed point about returning 4xx. They produce
only collateral damage, but don't hit their target at all.


Regards,
Daniel


Re: incorrect spam setups cause spool messes on forwarders

2003-12-02 Thread Valdis . Kletnieks
On Tue, 02 Dec 2003 19:23:41 +0800, Suresh Ramasubramanian <[EMAIL PROTECTED]>  said:

> What they are trying to do is to connect back to email.com's MXs and ensure
> that the user <[EMAIL PROTECTED]> who is trying to send them mail
> really does exist, and is not just a figment of some spambot's imagination.

And they tell that how, exactly, given that many sites do NOT allow VRFY or EXPN?

I suppose they could do a MAIL FROM/RCPT TO pair, look at the result, and
QUIT instead of DATA.  Of course, that would be silly, because if it ever ran
into another site that tried the same thing, that site would try to call back
and do a MAIL FROM/RCPT TO...




Re: incorrect spam setups cause spool messes on forwarders

2003-12-02 Thread Suresh Ramasubramanian
[EMAIL PROTECTED]  writes on 12/2/2003 9:32 AM:
> On Tue, 02 Dec 2003 19:23:41 +0800, Suresh Ramasubramanian <[EMAIL PROTECTED]>  said:
>
> > What they are trying to do is to connect back to email.com's MXs and ensure
> > that the user <[EMAIL PROTECTED]> who is trying to send them mail
> > really does exist, and is not just a figment of some spambot's imagination.
>
> And they tell that how, exactly, given that many sites do NOT allow VRFY or EXPN?

MAIL FROM: RCPT TO: QUIT: is precisely what they are doing.

Nobody except spammers / dictionary attackers seem to VRFY these days 
for this sort of stuff.  In fact grepping your logs for VRFY is often a 
reliable sign of a dictionary attack on your machines.

> I suppose they could do a MAIL FROM/RCPT TO pair, look at the result, and
> QUIT instead of DATA.  Of course, that would be silly, because if it ever ran
> into another site that tried the same thing, that site would try to call back
> and do a MAIL FROM/RCPT TO...

MAIL FROM: <> typically, or from a sender that does not return callbacks 
to it ... so no danger of loops getting set up. Thank God for small 
mercies, I guess.

	srs

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
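The exchange Suresh and Valdis describe above (EHLO, MAIL FROM:<>, RCPT TO:<sender>, QUIT, then look at the RCPT reply), as an added example that is not Verizon's code or any poster's. It starts a tiny constructed SMTP responder in a thread so the callback can be driven offline; the hostnames and addresses are made up, and the `accept_all` mode models the failure case from the thread where the MX has no view of the user database and says 250 to everything:

```python
"""Sender-verification callback: EHLO, MAIL FROM:<>, RCPT TO:<sender>, QUIT.

Added example for this thread, not Verizon's code or any poster's. A tiny
constructed SMTP responder runs in a thread so the exchange can be driven
offline; hostnames and addresses below are made up.
"""
import socket
import threading


def fake_mx(known_users, accept_all=False):
    """Start a one-connection SMTP responder on 127.0.0.1 and return its port.

    accept_all=True models the failure mode from the thread: an smtpd with no
    view of the user database (a PIX "smtp fixup" or a plain qmail smtpd)
    that says 250 to every RCPT TO, so the callback proves nothing.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        rfile = conn.makefile("rb")
        conn.sendall(b"220 mx.example.com ESMTP\r\n")
        for raw in rfile:
            line = raw.decode("ascii", "replace").strip()
            verb = line.split(":", 1)[0].split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                conn.sendall(b"250 mx.example.com\r\n")
            elif verb == "MAIL":
                conn.sendall(b"250 2.1.0 Ok\r\n")
            elif verb == "RCPT":
                addr = line.split(":", 1)[1].strip().strip("<>").lower()
                if accept_all or addr in known_users:
                    conn.sendall(b"250 2.1.5 Ok\r\n")
                else:
                    conn.sendall(b"550 5.1.1 User unknown\r\n")
            elif verb in ("VRFY", "EXPN"):
                conn.sendall(b"252 2.5.2 Cannot VRFY user\r\n")  # most sites disable these
            elif verb == "QUIT":
                conn.sendall(b"221 2.0.0 Bye\r\n")
                break
            else:
                conn.sendall(b"502 5.5.2 Command not implemented\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def callback_verify(host, port, sender, helo="callback.example.net"):
    """Run the callback and return the reply code the MX gave at RCPT TO.

    The null sender (MAIL FROM:<>) is what keeps two callback-doing sites
    from chasing each other: there is no address for the other side to
    call back for. 250 = accepted, 5xx = rejected (the address does not
    exist there), 4xx = undecided (the original mail should get a 4xx too).
    """
    with socket.create_connection((host, port), timeout=5) as s:
        rfile = s.makefile("rb")

        def reply():
            line = rfile.readline().decode("ascii", "replace")
            while len(line) > 3 and line[3] == "-":  # multi-line reply (EHLO)
                line = rfile.readline().decode("ascii", "replace")
            return int(line[:3])

        reply()                                     # banner
        s.sendall(f"EHLO {helo}\r\n".encode())
        reply()
        s.sendall(b"MAIL FROM:<>\r\n")
        reply()
        s.sendall(f"RCPT TO:<{sender}>\r\n".encode())
        code = reply()
        s.sendall(b"QUIT\r\n")
        reply()
        return code


def demo():
    """Three callbacks: a real user, a forged user, and a 'blind' MX."""
    real = callback_verify("127.0.0.1", fake_mx({"postmaster@example.com"}),
                           "postmaster@example.com")
    forged = callback_verify("127.0.0.1", fake_mx({"postmaster@example.com"}),
                             "xq7r2kd@example.com")
    blind = callback_verify("127.0.0.1", fake_mx(set(), accept_all=True),
                            "xq7r2kd@example.com")
    return real, forged, blind


if __name__ == "__main__":
    print(demo())  # (250, 550, 250): the blind MX makes the forgery look real
```

The third result is the point of the thread's complaint: against an MX that accepts every RCPT TO, the callback returns 250 for a made-up address, so the verifying site gets the load of the callback and none of the benefit.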


Re: incorrect spam setups cause spool messes on forwarders

2003-12-02 Thread Richard Cox

On Tue, 02 Dec 2003 14:37 UTC Suresh Ramasubramanian
<[EMAIL PROTECTED]> wrote:

| Nobody except spammers / dictionary attackers seem to VRFY these days
| for this sort of stuff.  In fact grepping your logs for VRFY is often
| a reliable sign of a dictionary attack on your machines.

VRFY is an (unavoidable) part of the checking routine built into the
popular "Sam Spade for Windows" client, for manual verification of any
suspect addresses found to have sent suspicious mail.  So just looking
for VRFY can give you some, er, false positives there ;-)

and, as has been said, most sites don't allow it for obvious reasons.
What is perhaps surprising, is the number of sites that disallow VRFY
but leave EXPN fully operational ...

| Thank God for small mercies, I guess.

Implementing DELAY_CHECKS (which is normal anyway these days) will of
course make a complete mockery of the process Verizon have implemented.

-- 
Richard Cox



Re: incorrect spam setups cause spool messes on forwarders

2003-12-02 Thread Suresh Ramasubramanian
Richard Cox  writes on 12/2/2003 9:57 AM:

> VRFY is an (unavoidable) part of the checking routine built into the
> popular "Sam Spade for Windows" client, for manual verification of any
> suspect addresses found to have sent suspicious mail.  So just looking
> for VRFY can give you some, er, false positives there ;-)

"a stream of vrfy / expn" I should have said.

> Implementing DELAY_CHECKS (which is normal anyway these days) will of
> course make a complete mockery of the process Verizon have implemented.

Say again?  All that delay_checks in sendmail (and this is the default 
in exim / postfix etc) does is to defer any rejects based on IP / sender 
domain etc till the RCPT TO stage instead of returning 5xx at MAIL FROM: 
itself.

I don't see how or where this will have an impact on verizon's sender 
verify.

cf/README for sendmail says -

delay_checks    The rulesets check_mail and check_relay will not be called
                when a client connects or issues a MAIL command, respectively.
                Instead, those rulesets will be called by the check_rcpt
                ruleset; they will be skipped under certain circumstances.
                See "Delay all checks" in the anti-spam configuration control
                section.  Note: this feature is incompatible to the versions
                in 8.10 and 8.11.

	srs

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations


Re: incorrect spam setups cause spool messes on forwarders

2003-12-02 Thread Paul Vixie

> telling spammers 4xx or 5xx doesn't matter, they don't listen.

yes, but interestingly, every "smtp transport" (remote ip address who
connects to your tcp/25 service) who ignores 5XX (which you can tell
because they come back and try the same thing again over and over) is
either a spammer or the output side of a proxy (which might be hard
to detect).  so it turns out that ignoring 5XX is like sending up a
flare, "blackhole me!".
-- 
Paul Vixie
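Two of the log signals raised in this thread, Suresh's "a stream of vrfy / expn" as a sign of a dictionary attack (with Richard Cox's caveat that one manual VRFY from a desktop tool is not a stream) and Paul's observation that a transport which keeps retrying after a 5XX is a spammer or a proxy, as an added example that is not code from any poster or MTA. The log format is a constructed "timestamp client-ip verb reply-code from to" layout, not real sendmail or Postfix syslog output, so `parse()` is what you would adapt to your own MTA's lines:

```python
"""Two reject-log patterns from the thread, run over constructed log lines.

Added example, not code from any poster or any MTA. The log format is a
made-up "timestamp client-ip verb reply-code from to" layout, not real
sendmail or Postfix syslog output; adapt parse() to your MTA's lines.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample: 192.0.2.7 keeps re-sending a RCPT that got 550;
# 198.51.100.9 walks a list of names with VRFY; 203.0.113.5 does a single
# manual VRFY (the Sam Spade case); 203.0.113.8 gets one 550 and goes away.
SAMPLE_LOG = """\
2003-12-02T10:00:01 192.0.2.7 RCPT 550 deals@example.org bob@example.com
2003-12-02T10:00:09 192.0.2.7 RCPT 550 deals@example.org bob@example.com
2003-12-02T10:00:17 192.0.2.7 RCPT 550 deals@example.org bob@example.com
2003-12-02T10:00:25 192.0.2.7 RCPT 550 deals@example.org bob@example.com
2003-12-02T10:01:00 203.0.113.8 RCPT 550 news@example.net gone@example.com
2003-12-02T10:02:00 203.0.113.5 VRFY 252 - alice
2003-12-02T10:03:00 198.51.100.9 VRFY 252 - aaron
2003-12-02T10:03:01 198.51.100.9 VRFY 252 - abby
2003-12-02T10:03:02 198.51.100.9 VRFY 252 - adam
2003-12-02T10:03:03 198.51.100.9 EXPN 252 - admin
2003-12-02T10:03:04 198.51.100.9 VRFY 252 - alan
2003-12-02T10:05:00 203.0.113.8 RCPT 450 news@example.net greylisted@example.com
2003-12-02T10:10:00 203.0.113.8 RCPT 250 news@example.net greylisted@example.com
"""

LINE = re.compile(r"^(\S+) (\d+(?:\.\d+){3}) ([A-Z]+) (\d{3}) (\S+) (\S+)$")


class Event(NamedTuple):
    ts: datetime
    ip: str
    verb: str
    code: int
    sender: str
    target: str


def parse(text):
    """Turn the constructed log into Event tuples, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts, ip, verb, code, sender, target = m.groups()
            events.append(Event(datetime.fromisoformat(ts), ip, verb,
                                int(code), sender, target))
    return events


def ignores_5xx(events, min_repeats=3):
    """IPs that resend the same MAIL FROM/RCPT TO after a permanent reject.

    A compliant MTA never retries a 5xx; a 4xx retry is normal and is not
    counted. Caveat from the thread: the output side of a proxy shows the
    same signature, so treat this as a candidate list, not a verdict.
    """
    rejected = set()
    repeats = Counter()
    for e in events:
        if e.verb != "RCPT":
            continue
        key = (e.ip, e.sender, e.target)
        if key in rejected:
            repeats[e.ip] += 1
        if 500 <= e.code < 600:
            rejected.add(key)
    return {ip for ip, n in repeats.items() if n >= min_repeats}


def vrfy_streams(events, threshold=5, window=timedelta(minutes=10)):
    """IPs issuing >= threshold VRFY/EXPN inside one window: dictionary-attack sign.

    The threshold is what keeps a single manual VRFY from a desktop tool
    from being flagged; one probe is not a stream.
    """
    times = defaultdict(list)
    for e in events:
        if e.verb in ("VRFY", "EXPN"):
            times[e.ip].append(e.ts)
    flagged = set()
    for ip, ts in times.items():
        ts.sort()
        start = 0
        for i, t in enumerate(ts):
            while t - ts[start] > window:
                start += 1
            if i - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("ignore 5xx:", sorted(ignores_5xx(ev)))
    print("vrfy streams:", sorted(vrfy_streams(ev)))
```

Both functions return candidate sets rather than acting on them; the thresholds are the knobs that separate the 5XX-ignoring spam transport and the VRFY walker from the legitimate MTA that got one 550 and the person doing a single manual check.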


APNIC delegation change

2003-12-02 Thread Eric Germann

Just a heads up for those who use
http://ftp.apnic.net/stats/apnic/apnic-latest 

It moved.  If you have scripts that slurp APNIC ASN or IPv4 allocations,
they probably broke this morning.

The new correct link is at
http://ftp.apnic.net/stats/apnic/new/delegated-apnic-latest




==
  Eric Germann                          CCTec
  [EMAIL PROTECTED]                     Van Wert OH 45891
  http://www.cctec.com                  Ph:  419 968 2640
                                        Fax: 603 825 5893

"The fact that there are actually ways of knowing and characterizing the
extent of one’s ignorance, while still remaining ignorant, may ultimately be
more interesting and useful to people than Yarkovsky"

  -- Jon Giorgini of NASA’s Jet Propulsion Laboratory




Re: incorrect spam setups cause spool messes on forwarders

2003-12-02 Thread Randy Bush

> Exactly this is the flawed point about returning 4xx. They produce
> only collateral damage, but don't hit their target at all.

but they can feel self-righteous, which is probably the major goal



AOL postmaster (new request)

2003-12-02 Thread Derrick Bennett


I really hate doing this but after 5 days and no one at AOL's helpdesk can even
tell me why our subnets are being blocked. Can someone with the Postmaster
helpdesk level 2 or higher please contact me. I have a ticket, I have followed
all the rules, and I am still being told that no one knows why the block is
there and no one knows when I will get a phone call or an email. Yes I accept
mail for postmaster and root @ServerIP. No there is nothing in either mailbox.
I am not listed on any other blacklists so I am really quite confused as to why
this is so difficult.


Thanks,
Derrick




SPAM from own customers

2003-12-02 Thread Michel Renfer

Hi All

The topic "Spam sent over infected or misconfigured end-user PCs"
will become a big issue. We saw viruses sending spam directly from
the users' PCs, downloading the recipient list and the payload through
HTTP from the web.

How will you deal with the problem that one user can flood your
SMTP server with thousands of emails within 10-20 minutes?

Opinions, Suggestions?

thanks,
michel


Re: APNIC delegation change

2003-12-02 Thread just me


Interestingly enough, the FTP URL hasn't changed:
http://ftp.apnic.net/stats/apnic/apnic-latest

there are some strange differences between the http version and
the ftp version.

I have some automated stuff that grabs the data once a week and makes
it available in an actually-human-usable format at:

http://mrtg.snark.net/apnic.php

matto


On Tue, 2 Dec 2003, Eric Germann wrote:


  Just a heads up for those who use
  http://ftp.apnic.net/stats/apnic/apnic-latest 

  It moved.  If you have scripts that slurp APNIC ASN or IPv4 allocations,
  they probably broke this morning.

  The new correct link is at
  http://ftp.apnic.net/stats/apnic/new/delegated-apnic-latest




  ==
Eric GermannCCTec
[EMAIL PROTECTED] Van Wert OH 45891
http://www.cctec.comPh:  419 968 2640
Fax: 603 825 5893

  "The fact that there are actually ways of knowing and characterizing the
  extent of one’s ignorance, while still remaining ignorant, may ultimately be
  more interesting and useful to people than Yarkovsky"

-- Jon Giorgini of NASA’s Jet Propulsion Laboratory




[EMAIL PROTECTED]<
   Flowers on the razor wire/I know you're here/We are few/And far
   between/I was thinking about her skin/Love is a many splintered
   thing/Don't be afraid now/Just walk on in. #include 



Re: incorrect spam setups cause spool messes on forwarders

2003-12-02 Thread Paul Vixie

(susan, this is in a spam related thread but i'm adding offtopic remarks
which i think are actually in-charter for nanog. --pv)

> Verizon does SMTP callbacks, connecting back to the MX of the envelope
> sender and trying to verify that the user exists

while something like RMX or MAILFROM would probably be a more robust
alternative, verizon's actions are not irrational on a purely cost:benefit
basis when the costs and benefits being measured are only their own.

however, cost and benefit are not isolatable in that way, and folks who
try to isolate them end up causing others to pile workaround on top of
workaround until the whole system is just gum and mud.

if verizon wanted to jointly sponsor a clearinghouse of email senders who
had passed the callback test, with appropriate caching and error analysis
and robust global mirroring, i'm sure that there would be other isp's and
large e-mail carriers who would want to help, and i'm sure that authors of
mail software, both opensource and not, would want to offer the feature of
checking such a "ephemeral sender whitelist" (ESW?)

but as long as verizon acts alone, they're just hurting themselves, and
the overall system.  consider what would happen if everybody did callbacks;
first, what would happen to the load on the world's nonabusing mail servers,
and then, what would the spammers do in response if this was effective?
-- 
Paul Vixie


objective performance tests - broadwing, cogent

2003-12-02 Thread matthew zeier


Does anyone have some objective performance tests of Cogent and Broadwing?
Or any insight into eithers peering and peer relationships or ideas of how
they route traffic?

Thanks.


--
matthew zeier - "Curiosity is a willing, a proud, an eager confession
of ignorance." - Leonard Rubenstein




Re: incorrect spam setups cause spool messes on forwarders

2003-12-02 Thread Alexander Bochmann

Hi,

...on Tue, Dec 02, 2003 at 07:23:41PM +0800, Suresh Ramasubramanian wrote:

 > What they are trying to do is to connect back 
 > to email.com's MXs and ensure that the user 
 > <[EMAIL PROTECTED]> who is trying to 
 > send them mail really does exist, [..]
 > It does tend to cut down on the amount of spam, 
 > but fails in several ways which have been discussed 
 > upthread (the most common being: the MX has an smtpd 
 > listener with no view of the userdb, 

While sender address verification puts additional 
load on (more or less) innocent bystanders, its 
right to exist is, as you said, based on the fact 
that it eases the spam load to the recipient - like 
many other intrusive anti-spam techniques.

I agree that much of the anti-spam stuff out there 
is kludgy at best, and often harmful to other users, 
but let's not forget that it's the spammers who make 
all this necessary... At the edge of the net, where 
traffic can still be a major cost factor despite the 
limited bandwidth, having to transport 20% to 50% 
spam is a real burden that fuels many desperate 
decisions.

If some of the large Email providers like Outblaze, 
Hotmail, Yahoo, AOL, etc. could agree on a more 
integrated approach to implement at least some form 
of sender authorization - possibly in the line of the 
RMX RR draft[1] - as a service to the public, the 
aggressive MX callbacks would perhaps be made 
redundant... 

While RMX and similar ideas certainly are no perfect 
solution, it's a cheap way to attach some trust level 
to a message, and gives the email providers the chance 
to solve the problem at their end as they gain control 
over the users of their domain name(s) by hampering 
unauthorized usage. 

Alex.
 
[1] http://www.ietf.org/internet-drafts/draft-danisch-dns-rr-smtp-03.txt

-- 
AB54-RIPE



WLAN shielding results

2003-12-02 Thread Andy Grosser

Thanks to all who responded to my query.  I suppose I should have added
that the brass in my company are somewhat loath to work a little harder
at things like using SecurID tokens, firing up VPN software, etc.  "I want
a single login solution" is a common mantra on the top floor.  OK, OK,
we're working on it... 

The majority of the respondents suggested software solutions - VPN
tunneling, strong crypto, not broadcasting SSIDs, etc.  I've been somewhat
successful in relating to the higher-ups that they can either have security or
convenience, and the mileage and pricing will vary.  Our VPN boxes seldom
hit 10% CPU utilization, even with 2000 users, so why not still use them?

Thanks again, and my apologies for decreasing the S/N ratio.

Andy




APRICOT 2004 : Speakers for Peering and Internet Exchange Track

2003-12-02 Thread William B. Norton
Hi all -

You may have heard that there will be a new one-day track on Peering and 
Internet Exchanges at the upcoming APRICOT in Kuala Lumpur in February. I'd 
like to describe the track in brief and solicit a few more Peering 
Coordinators / Network Architects / Network Engineers as speakers for the 
track. (See http://www.apricot2004.net/ for information on the broader 
APRICOT 2004 conference).

This Peering and Internet Exchange Track is intended to facilitate regional 
ISP Peering by providing a forum for Peering Coordinators to meet each 
other and share information about Asia Pacific peering. We will facilitate 
this with several panels, each one focused on peering in a particular 
country. If you are a Peering Coordinator with experience peering in the AP 
Region, please send me an e-mail answering the questions below. I will use 
this information to match panelists together into panels focused on certain 
AP countries.

Thanks!

Bill

--- Speaker Questionnaire 

If you are able and willing to speak at the Feb 2004 APRICOT Peering and 
Internet Exchange Track, please fill out the following form and e-mail to 
William B. Norton at [EMAIL PROTECTED]:

Name: __
Title: ___
Company: ___ AS # _
In what country do you live? _
Email Address: __
We will select a set of panelists based on the answers to the questions below:
1) In what countries do you peer?
2) In which AP Country do you have peering experiences that you can share 
with the audience?

3) Answer as many of the questions below as applicable, as you would 
present as part of your presentation…

a) We are looking for speakers that have found interesting or unique 
country peering ecosystem characteristics. Have you uncovered any 
unexpected or interesting/unique peering ecosystem characteristics in any 
of the countries where you peer? Please give a few examples.

b) We are also looking for unusual or unexpected traffic patterns. For 
example, a large amount of Japan traffic is ultimately destined to and from 
Brazil! Identifying and explaining this type of inter-country traffic would 
be a good set of data to launch a presentation. Do you have any of this 
type of data that you can share?

c) What are the problems and challenges that you face as you build peering 
infrastructure into various AP countries?

d) If other Peering Coordinators follow your footsteps into regions in 
which you now peer, what would you tell them:
· is information that you would have liked to have had?
· Are unexpected problems that you faced?

e) What are the emerging trends that you see in the peering ecosystems in 
which you operate (transit and transport prices going up or down and the 
implications as you see them).

/*
  William B. Norton <[EMAIL PROTECTED]>   650.315.8635
  Co-Founder and Chief Technical LiaisonEquinix, Inc.
*/


Re: SPAM from own customers

2003-12-02 Thread Suresh Ramasubramanian
Michel Renfer  writes on 12/2/2003 12:50 PM:

> How will you deal with the problem, that one user can flood your
> SMTP Server with thousands of emails within 10-20 minutes?

Virus filtering

Rate limit (+ script to auto terminate user) and smtp auth on outbounds

Separate inbound and outbound smtp relay. Don't let your inbound MX 
relay for your dialup pool (some trojans take the rDNS name / hostname 
of the infected box and do nslookup -q=mx domainname)

Ask AOL for an [EMAIL PROTECTED] feed - a lot of these trojan spams seem to 
target AOL users.

etc

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations


Re: incorrect spam setups cause spool messes on forwarders

2003-12-02 Thread Valdis . Kletnieks
On Tue, 02 Dec 2003 20:05:47 +0100, Alexander Bochmann <[EMAIL PROTECTED]>  said:

> I agree that much of the anti-spam stuff out there 
> is kludgy at best, and often harmful to other users, 
> but let's not forget that it's the spammers who make 
> all this necessary... 

Today's stupid spammer trick:

The other day, I posted something in reply to Stephen Wilcox, with a cc: to
this list.  Less than 10 minutes later, I got 4 notes from a site saying that
my posting (which still had nanog and wilcox referenced) had tripped a content
sensitivity filter.  Double checking my outbox, I'd only posted one thing that
had both wilcox and nanog in the headers for at least a month.  Despite all
this, the site admin in question fished out the actual note from their
quarantine, and discovered that it was spam for some enhancement product.

The only conclusion we could come up with is that somebody on the NANOG list is
infected with some sort of malware that waits for mail to arrive and then uses
its headers to generate  a joe-job spam, and that 4 spams had gone off to the
site that generated the notes back to me.

Forget the baseball bat, this one deserves a lead pipe... :)




Re: SPAM from own customers

2003-12-02 Thread Brian Bruns


- Original Message - 
From: "Suresh Ramasubramanian" <[EMAIL PROTECTED]>
To: "Michel Renfer" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, December 02, 2003 2:23 PM
Subject: Re: SPAM from own customers

>
> Virus filtering
>
> Rate limit (+ script to auto terminate user) and smtp auth on outbounds
>

SMTP AUTH is becoming risky if it's not carefully setup and monitored.  I can
name one big time spammer who has warmed up to cracking weak passwords on
e-mail systems that do SMTP AUTH.  Means you'd have to filter your outbound
mail servers port 25 from anyone not inside your network or a trusted
source.

Virus filtering is a must, but, alas, not all mail servers filter *outgoing*
mail.  Most filter only incoming mail.


--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org

The AHBL - http://www.ahbl.org



Re: incorrect spam setups cause spool messes on forwarders

2003-12-02 Thread Suresh Ramasubramanian
Alexander Bochmann  writes on 12/2/2003 2:05 PM:

> If some of the large Email providers like Outblaze, 
> Hotmail, Yahoo, AOL, etc. could agree on a more 
> integrated approach to implement at least some form 
> of sender authorization - possibly in the line of the 
> RMX RR draft[1] - as a service to the public, the 
> aggressive MX callbacks would perhaps be made 
> redundant... 

There are just too many RMX proposals around.

Once some of them get consolidated, it will be a good idea to adopt the 
best and most popularly accepted one.

At least now that ASRG has some good new leadership with John Levine 
stepping in as co-chair (Yakov has always been doing a great job) I hope 
things move forward :)

By the way there will be a panel on the different proposals during the 
conference track on spam that we at apcauce.org are organizing at 
APRICOT 2004 (www.apricot2004.net).  Speakers include Dave Crocker and 
Meng Weng Wong (the originator of spf)

	srs

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations


Re: SPAM from own customers

2003-12-02 Thread Adam Debus

> Ask AOL for an [EMAIL PROTECTED] feed - a lot of these trojan spams seem to
> target AOL users.

Something to be aware of with the AOL scomp feed...any time one of your
users sends a message with no To address, and everyone in the BCC or CC
fields, it will generate a notification to the e-mail address you've
registered with them.

We have caught some spam originating from our network through the feed, but
for the most part it's mostly legitimate mail.

Thanks,

Adam Debus
Network Engineer, ReachONE Internet
[EMAIL PROTECTED]



Re[2]: SPAM from own customers

2003-12-02 Thread Richard Welty

On Tue, 2 Dec 2003 14:32:16 -0500 Brian Bruns <[EMAIL PROTECTED]> wrote:
> SMTP AUTH is becoming risky if its not carefully setup and monitored.  I can
> name one big time spammer who has warmed up to cracking weak passwords on
> e-mail systems that do SMTP AUTH.  Means you'd have to filter your outbound
> mail servers port 25 from anyone not inside your network or a trusted
> source.

not just weak passwords, but there are also obvious default, admin,
and guest accounts on some SMTP servers which are sitting there,
easily guessed, and they are indeed being taken advantage of.

richard
-- 
Richard Welty [EMAIL PROTECTED]
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
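Suresh's "rate limit (+ script to auto terminate user)" for the one-user-floods-the-relay case, together with Brian's and Richard's point that SMTP AUTH logins get cracked or guessed, as an added example that is not any poster's script. It walks constructed submission records (authenticated user, time, client IP, recipient count) from an outbound relay and returns the users an auto-terminate script should suspend; the window and thresholds are assumptions, and the "guest" account in the sample is made up to show the guessable-account case:

```python
"""Outbound submission watchdog: per-user rate limit and many-source AUTH use.

Added example, not any poster's script. It walks constructed submission
records (authenticated user, time, client IP, recipient count) and returns
the users an auto-terminate script should suspend, with the reason.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple


class Submission(NamedTuple):
    ts: datetime
    user: str
    client_ip: str
    rcpts: int


def watch(submissions, window=timedelta(minutes=10), max_rcpts=200, max_ips=3):
    """Return {user: reason} for users to suspend. Reasons:
    'rate' - more than max_rcpts recipients accepted inside one window
             (the 'thousands of mails in 10-20 minutes' case);
    'auth' - one login used from more than max_ips client addresses in the
             window, the shape a cracked or guessed SMTP AUTH password takes.
    Thresholds are assumptions; tune them to your own traffic.
    """
    recent = defaultdict(deque)  # user -> (ts, client_ip, rcpts) inside window
    verdict = {}
    for s in sorted(submissions):  # NamedTuple sorts by ts first
        q = recent[s.user]
        q.append((s.ts, s.client_ip, s.rcpts))
        while s.ts - q[0][0] > window:
            q.popleft()
        if s.user in verdict:
            continue  # already flagged; keep the first reason
        if sum(r for _, _, r in q) > max_rcpts:
            verdict[s.user] = "rate"
        elif len({ip for _, ip, _ in q}) > max_ips:
            verdict[s.user] = "auth"
    return verdict


def sample():
    """Constructed relay log: a normal user, an infected PC, a cracked login."""
    t0 = datetime(2003, 12, 2, 14, 0)
    recs = []
    # alice: a handful of mails over an hour from one address
    for i in range(6):
        recs.append(Submission(t0 + timedelta(minutes=10 * i), "alice",
                               "192.0.2.10", 2))
    # bob: trojaned PC, 30 submissions in 3 minutes, 25 recipients each
    for i in range(30):
        recs.append(Submission(t0 + timedelta(seconds=6 * i), "bob",
                               "192.0.2.11", 25))
    # guest: low volume, but the same login from four networks at once
    for i, ip in enumerate(["198.51.100.1", "203.0.113.9",
                            "198.51.100.77", "192.0.2.200"]):
        recs.append(Submission(t0 + timedelta(minutes=i), "guest", ip, 1))
    return recs


if __name__ == "__main__":
    for user, reason in sorted(watch(sample()).items()):
        print(f"suspend {user}: {reason}")  # bob: rate, guest: auth
```

The recipient count, not the message count, is what the rate rule sums, because one submission with 500 RCPT TOs is the same flood as 500 single-recipient ones. The "auth" rule only makes sense on a relay that already requires SMTP AUTH and is not open to the world on port 25, which is the setup Brian describes.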



RR Abuse contact

2003-12-02 Thread sowens

Could someone from Road Runner's abuse department contact 407-482-8487 or
ghadlockepik(dot>net please.

Shane 




re: s.o. out there from Finland's ISPs

2003-12-02 Thread frank

Hello List,

thank you all for your replies and kindness to help us.
I looked for dialup connectivity in Finland. The choice went
to TeliaSonera. Thanks to the guys out there.


-- 
Best regards,
 frank                            mailto:[EMAIL PROTECTED]



Re: SPAM from own customers

2003-12-02 Thread Chris Lewis


Michel Renfer wrote:
> Hi All
>
> The topic "Spam sent over infected or misconfigured end-user PCs"
> will become a big issue. We saw viruses sending spam directly from
> the users' PCs, downloading the recipient list and the payload through
> HTTP from the web.
> How will you deal with the problem, that one user can flood your
> SMTP Server with thousands of emails within 10-20 minutes?

In addition to the other suggestions, scanning the CBL (cbl.abuseat.org) 
for your own IPs is useful from an operational standpoint to find open 
proxies and trojans.

On a similar vein, detecting customer IPs trying to connect to 
47.129.25.87 on port 25 (no legitimate email goes there) will give you 
similar intelligence, tho, it's not quite as definitive as a CBL 
listing. Most reliable if you exclude legitimate customer mail servers 
(bounced forged spam and virii) or correlate to the CBL.

Couple either or both with an autodisconnect script like what Suresh 
suggested.
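Chris's two checks above, looking your own address space up in the CBL and spotting customer IPs that open port 25 to the sinkhole address, with the exclusion for legitimate mail servers and the correlation between the two, as an added example that is not the CBL's software or any poster's script. The zone name and the sinkhole address are the ones quoted in the thread; the flow records, the customer network and the DNS answers used in `demo()` are constructed so the code runs offline, and `live_resolve()` is the resolver you would pass in for real use:

```python
"""Find your own infected customers: CBL lookups plus sinkhole connections.

Added example, not the CBL's software or any poster's script. The zone name
and the sinkhole address come from the thread; the flow records and the
DNS answers used in demo() are constructed so the code runs offline.
"""
import ipaddress
import socket
from typing import NamedTuple

CBL_ZONE = "cbl.abuseat.org"
SINKHOLE = ipaddress.ip_address("47.129.25.87")   # address quoted in the thread


def dnsbl_name(ip, zone=CBL_ZONE):
    """DNSBL query name: octets reversed, zone appended (192.0.2.7 -> 7.2.0.192.<zone>)."""
    return ".".join(reversed(str(ipaddress.ip_address(ip)).split("."))) + "." + zone


def live_resolve(name):
    """Resolver for real use: A record if the name exists, [] on NXDOMAIN.
    Any answer at all means 'listed'; the specific 127.x value is not needed."""
    try:
        return [socket.gethostbyname(name)]
    except socket.gaierror:
        return []


def cbl_listed(network, resolve):
    """Every address of our own space that the DNSBL has an answer for."""
    net = ipaddress.ip_network(network)
    return {str(ip) for ip in net.hosts() if resolve(dnsbl_name(ip))}


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int


def sinkhole_talkers(flows, network, mail_servers=()):
    """Customer sources that opened port 25 to the sinkhole, minus known relays.

    Legitimate mail servers are excluded because bouncing forged spam or
    virus mail can send them there too; nothing else has any business
    talking SMTP to that address.
    """
    net = ipaddress.ip_network(network)
    skip = set(mail_servers)
    return {
        f.src for f in flows
        if f.dport == 25 and ipaddress.ip_address(f.dst) == SINKHOLE
        and ipaddress.ip_address(f.src) in net and f.src not in skip
    }


def triage(flows, network, resolve, mail_servers=()):
    """Per-IP verdict: 'confirmed' (CBL and sinkhole), 'listed' (CBL only),
    'suspect' (sinkhole only). 'confirmed' and 'listed' can go straight to
    the auto-disconnect script; 'suspect' is worth a look first."""
    listed = cbl_listed(network, resolve)
    talkers = sinkhole_talkers(flows, network, mail_servers)
    verdict = {}
    for ip in listed | talkers:
        if ip in listed and ip in talkers:
            verdict[ip] = "confirmed"
        elif ip in listed:
            verdict[ip] = "listed"
        else:
            verdict[ip] = "suspect"
    return verdict


def demo():
    """Constructed customer /29 and a fake resolver; no network traffic."""
    fake_answers = {dnsbl_name("192.0.2.3"): ["127.0.0.2"],  # constructed listing
                    dnsbl_name("192.0.2.5"): ["127.0.0.2"]}
    resolve = lambda name: fake_answers.get(name, [])
    flows = [
        Flow("192.0.2.3", "47.129.25.87", 25),   # trojaned box, also listed
        Flow("192.0.2.4", "47.129.25.87", 25),   # hits the sinkhole, not listed yet
        Flow("192.0.2.6", "47.129.25.87", 25),   # our own MX bouncing forged spam
        Flow("192.0.2.2", "198.51.100.20", 25),  # ordinary outbound mail, ignored
    ]
    return triage(flows, "192.0.2.0/29", resolve, mail_servers={"192.0.2.6"})


if __name__ == "__main__":
    for ip, verdict in sorted(demo().items()):
        print(ip, verdict)  # .3 confirmed, .4 suspect, .5 listed
```

Walking a whole allocation through `cbl_listed()` is one DNS query per address, so for anything larger than a few /24s run it from a script on a schedule rather than interactively, and cache negative answers between runs.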



prefix filter generation for customers

2003-12-02 Thread Phillip Vandry

Hi,

I'm looking for input about how other people deal with this problem:

We generate prefix filters for our customers from RADB using their AS 
or as-set. Our upstreams do the same for us.

Our filters are generated with a simple WHOIS query and will pick up
objects not only from RADB but from the various other IRRs that are
mirrored in RADB.

The problem is that it looks like at least one of our upstreams does not
pick up the route objects that are in IRRs other than the one we asked
them to use for us (RADB). One of our customers uses a different IRR and
their routes did not get included in the filter generated by our upstream.

Do we need to force all of our customers to use the same IRR as we do,
or is there some way that we can support offering our customers a
choice of IRRs just like our upstreams do for us?

-Phil


DS-3 test equipment

2003-12-02 Thread Rick Ernst


I've searched the archives and find some hits on DS-1 test gear, but I'm
looking for opinions/experience with DS-3 test gear.

We've started bringing up more DS-3 circuits, both directly to customers and
also for Frame/ATM/DSL aggregation.  Telco used to do all provisioning and
testing for us, but we are looking to be able to do more troubleshooting
in-house.

Any recommended gear for basic functional testing (clock, loop, insert
patterns and errors)?  It would be nice if the test gear could do T-1 testing, too.

I'm seeing a fair number of hits on eBay for TTC/Acterna gear, but I don't
know what I'm looking at/for.  I've done BERT testing many lifetimes ago, but
don't have any current knowledge/experience.

Thanks,
Rick




Re: WLAN shielding

2003-12-02 Thread Howard C. Berkowitz
At 9:06 PM -0500 11/26/03, David Lesher wrote:
> Speaking on Deep Background, the Press Secretary whispered:
> 
> 
> > My company is investigating the use of wireless in a couple of our
> > conference rooms.  Aside from limiting the scope of reception with various
> > directional antennae, does anyone have any suggestions or pointers for
> > other ways to limit the propagation of signals (i.e. special shielding
> > paint, panels or other wall coatings)?
> 
> As I told Andy, you need a "RayProof" or similar brand shielded
> conference room. This is a Faraday cage, with a tight-fitting door,
> etc.
> I don't know what they cost, but I've installed one or 2. Outside
> of labor, I suppose they might be in the $50-500K range or so,
> for small (12'x6') ones.
> Note it's a PITA to keep tight; as the door needs very
> tight-fitting gaskets.
> You'll need to bring phone/Ethernet in over fiber,
> but that's not hard.
If you do put one in, and your local laws don't prevent smoking, make 
it an absolutely no-smoking area. Ventilation tends not to be 
wonderful.

I was once attending a Federal Telecommunications Standards Committee 
meeting, where we were displaced from our regular conference room and 
given a SCIF vault/conference room.  It was stuffy enough as we met 
for a couple of hours, but as we adjourned, the NSA representative 
lit a cigar.

That's when we found out that the vault door was jammed.

No simple cipherlock. Full combination lock.  Trust me. Do not ever 
get in a mostly-sealed room with a dead cigar and some smoke 
remnants.  When we got out, maybe two hours later, our faces matched 
the government green [1] walls. If this hadn't been in the 
then-Defense Communications Agency headquarters with resident 
locksmiths, I don't know how long we'd have been there!

Seriously, give ventilation a lot of thought. You'll need ducts with 
grounded screening and lots of 90-degree bends.

Also, consider having a kick-out panel for emergency escape.  Even 
without high-security locks, I've seen the gasketed doors get stuck 
just in shielded labs.  Think of fire protection -- you really don't 
want a fire suppression gas release in a vault.

[1] I believe the proper descriptor for that shade of green is "gang".


Re: WLAN shielding

2003-12-02 Thread Howard C. Berkowitz
At 9:51 PM -0500 11/26/03, Sean Donelan wrote:
> On Wed, 26 Nov 2003, David Lesher wrote:
> > Speaking on Deep Background, the Press Secretary whispered:
> > > My company is investigating the use of wireless in a couple of our
> > > conference rooms.  Aside from limiting the scope of reception with various
> > > directional antennae, does anyone have any suggestions or pointers for
> > > other ways to limit the propagation of signals (i.e. special shielding
> > > paint, panels or other wall coatings)?
> > As I told Andy, you need a "RayProof" or similar brand shielded
> > conference room. This is a Faraday cage, with a tight-fitting door,
> > etc.
> 
> Uhm, dumb question.  If it is that important, why are you using
> wireless at all?  Why not install a cheap switch/hub in the middle of the
> conference table and let people plug a patch cord from the hub to their
> laptops?
> 
> Stupid pen-test tricks, instead of using an expensive WiFi scanner and
> cracking WEP; often you can collect better intelligence with a radio
> tuned to the frequency used by wireless lapel mics used by executives
> during briefings.
Or by lecturers forgetting them as they went to the bathroom. I only 
did that once.




Re: WLAN shielding

2003-12-02 Thread Laurence F. Sheldon, Jr.

"Howard C. Berkowitz" wrote:

> >Stupid pen-test tricks, instead of using an expensive WiFi scanner and
> >cracking WEP; often you can collect better intelligence with a radio
> >tuned to the frequency used by wireless lapel mics used by executives
> >during briefings.
> 
> Or by lecturers forgetting them as they went to the bathroom. I only
> did that once.

[New Yorker cartoon of years gone by about the early shoulder-cameras
the CreepyPeepy]


Re: prefix filter generation for customers

2003-12-02 Thread Michael Moscovitch

On Tue, 2 Dec 2003, Phillip Vandry wrote:

>
> Hi,
>
> I'm looking for input about how other people deal with this problem:
>
> We generate prefix filters for our customers from RADB using their AS
> or as-set. Our upstreams do the same for us.
>
> Our filters are generated with a simple WHOIS query and will pick up
> objects not only from RADB but from the various other IRRs that are
> mirrored in RADB.
>
> The problem is that it looks like at least one of our upstreams does not
> pick up the route objects that are in IRRs other than the one we asked
> them to use for us (RADB). One of our customers uses a different IRR and
> their routes did not get included in the filter generated by our upstream.


Hi Phil,

Have you asked them how they are generating the info? Maybe they
are only looking at one source (for security reasons or whatever).

If you look at the peval man page:

ENVIRONMENT VARIABLES
  IRR_HOST
 Specifies the radbserver host to connect.

  IRR_PORT
 Specifies the radbserver port number to connect.

  IRR_SOURCES
 Specifies the source list (comma separated) to
 consider.


Did you try the following to see if it picks up all the networks?

peval -h whois.radb.net -expand_all ASnnn

Another option might be to ``proxy'' the objects into RADB
by making your own entries for the networks.
I think I have seen people do this before.

It all depends on the software that your upstream/peers are using
to generate their filter lists.


>
> Do we need to force all of our customers to use the same IRR as we do,
> or is there some way that we can support offering our customers a
> choice of IRRs just like our upstreams do for us?
>
> -Phil
>



+--+
| Michael MoscovitchCiteNet Telecom Inc.   |
| [EMAIL PROTECTED]  Tel: (514) 861-5050|
+--+
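Phil's question and Michael's point about peval's IRR_SOURCES, as an added example that is not code from the thread or from the IRR toolset: a toy model of filter generation from RPSL objects. Expanding the as-set and collecting route objects from all mirrored sources yields the full prefix list; restricting the lookup to a single source, as an upstream might, silently drops a customer whose route objects live in another registry; registering a "proxy" copy of the route object in your own IRR, as Michael suggests, closes the gap. The objects, AS numbers, prefixes and the source name OTHERDB are constructed placeholders.

```python
# Added example, not code from the thread or from peval/IRRToolSet: a toy
# model of prefix-filter generation from RPSL objects that shows why an
# upstream restricted to one source (cf. peval's IRR_SOURCES) misses a
# customer whose route objects live in another registry.
# Objects, AS numbers, prefixes and the source name OTHERDB are constructed.
from typing import Dict, List, Optional, Set

RPSL_DB = """\
as-set: AS-EXAMPLEISP
members: AS64500, AS-EXAMPLECUST
source: RADB

as-set: AS-EXAMPLECUST
members: AS64501
source: RADB

route: 192.0.2.0/24
origin: AS64500
source: RADB

route: 203.0.113.0/24
origin: AS64501
source: RADB

route: 198.51.100.0/24
origin: AS64501
source: OTHERDB
"""

RpslObject = Dict[str, List[str]]


def parse_rpsl(text: str) -> List[RpslObject]:
    """Split blank-line-separated objects into {attribute: [values]} dicts."""
    objects: List[RpslObject] = []
    for block in text.strip().split("\n\n"):
        obj: RpslObject = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                obj.setdefault(key.strip().lower(), []).append(value.strip())
        if obj:
            objects.append(obj)
    return objects


def _visible(obj: RpslObject, sources: Optional[Set[str]]) -> bool:
    """An object counts only if its source: is allowed (None = every mirrored source)."""
    return sources is None or obj.get("source", [""])[0].upper() in sources


def expand_as_set(objects, name, sources=None, _seen=None) -> Set[str]:
    """Recursively resolve an as-set (or a bare ASN) to the set of origin ASNs."""
    name = name.upper()
    if not name.startswith("AS-"):
        return {name}
    seen = _seen if _seen is not None else set()
    if name in seen:                        # guard against circular membership
        return set()
    seen.add(name)
    asns: Set[str] = set()
    for obj in objects:
        if obj.get("as-set", [""])[0].upper() != name or not _visible(obj, sources):
            continue
        for line in obj.get("members", []):
            for member in (m.strip() for m in line.split(",") if m.strip()):
                asns |= expand_as_set(objects, member, sources, seen)
    return asns


def generate_prefix_filter(objects, as_set, sources=None) -> List[str]:
    """Prefixes whose route objects have an origin in the expanded as-set."""
    asns = expand_as_set(objects, as_set, sources)
    return sorted({obj["route"][0] for obj in objects
                   if "route" in obj
                   and obj.get("origin", [""])[0].upper() in asns
                   and _visible(obj, sources)})


def with_proxy_route(objects, prefix, origin, source="RADB") -> List[RpslObject]:
    """The 'proxy' approach from the reply: register a copy of the route object in your own IRR."""
    return objects + [{"route": [prefix], "origin": [origin], "source": [source]}]


OBJECTS = parse_rpsl(RPSL_DB)

if __name__ == "__main__":
    print("all sources :", generate_prefix_filter(OBJECTS, "AS-EXAMPLEISP"))
    print("RADB only   :", generate_prefix_filter(OBJECTS, "AS-EXAMPLEISP", {"RADB"}))
    fixed = with_proxy_route(OBJECTS, "198.51.100.0/24", "AS64501")
    print("RADB + proxy:", generate_prefix_filter(fixed, "AS-EXAMPLEISP", {"RADB"}))
```

The model also shows the converse risk: an as-set or route object that is only reachable through a source the upstream does not trust is invisible to it, so checking which sources each party consults is the first question to ask before debugging the filter itself.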





RE: WLAN shielding

2003-12-02 Thread Erik Amundson


I have been looking into the Cisco Aironet solution recently for
a project I'm working on.  They seem to have some great security
features, if you want to take the time to configure it.  Oh, another
caveat is that you have to use Cisco's wireless adapter as well,
otherwise, good ol' WEP for you!

I haven't thought of the VPN idea that others have spoken of on
the NANOG list yet...that's a good idea too...hmm

- Erik



-Original Message-
From: Andy Grosser [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 26, 2003 11:02 AM
To: [EMAIL PROTECTED]
Subject: WLAN shielding


Apologies in advance if this may not quite be the proper list for such a
question...

My company is investigating the use of wireless in a couple of our
conference rooms.  Aside from limiting the scope of reception with
various directional antennae, does anyone have any suggestions or
pointers for other ways to limit the propagation of signals (i.e.
special shielding paint, panels or other wall coatings)?

Feel free to reply off-list.

Thanks!

Andy

---
Andy Grosser, CCNP
andy at meniscus dot org
---






Re: WLAN shielding

2003-12-02 Thread Marshall Eubanks

On Tue, 2 Dec 2003 20:36:51 -0600
 "Erik Amundson" <[EMAIL PROTECTED]> wrote:
> 
> 
>   I have been looking into the Cisco Aironet solution recently for
> a project I'm working on.  They seem to have some great security
> features, if you want to take the time to configure it.  Oh, another
> caveat is that you have to use Cisco's wireless adapter as well,
> otherwise, good ol' WEP for you!

Then I hope you saw this today :

Cisco Security Advisory: SNMP trap Reveals WEP Key in Cisco Aironet AP

Revision 1.0

For Public Release 2003 December 02 17:00 UTC (GMT)

- 

Summary
===
Cisco Aironet Access Points (AP) running Cisco IOS software will send
any static Wired Equivalent Privacy (WEP) key in the cleartext to the
Simple Network Management Protocol (SNMP) server if the snmp-server
enable traps wlan-wep command is enabled. Affected hardware models are
the Cisco Aironet 1100, 1200, and 1400 series. This command is disabled
by default. The workaround is to disable this command. Any dynamically
set WEP key will not be disclosed.

Cisco Aironet AP models running VxWorks operating system are not
affected by this vulnerability. No other Cisco product is affected.

This advisory will be available at
http://www.cisco.com/warp/public/707/cisco-sa-20031202-SNMP-trap.shtml

> 
>   I haven't thought of the VPN idea that others have spoken of on
> the NANOG list yet...that's a good idea too...hmm
> 
> - Erik
> 
> 
> 
> -Original Message-
> From: Andy Grosser [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, November 26, 2003 11:02 AM
> To: [EMAIL PROTECTED]
> Subject: WLAN shielding
> 
> 
> Apologies in advance if this may not quite be the proper list for such a
> question...
> 
> My company is investigating the use of wireless in a couple of our
> conference rooms.  Aside from limiting the scope of reception with
> various directional antennae, does anyone have any suggestions or
> pointers for other ways to limit the propagation of signals (i.e.
> special shielding paint, panels or other wall coatings)?
> 
> Feel free to reply off-list.
> 
> Thanks!
> 
> Andy
> 
> ---
> Andy Grosser, CCNP
> andy at meniscus dot org
> ---
> 
> 
> 
> 

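The advisory Marshall quotes describes a condition with two parts (a static WEP key configured and the `snmp-server enable traps wlan-wep` command enabled) and a one-line workaround. As an added example that is not part of the advisory or the thread, the following audits an IOS-style access point configuration for that condition and reports the workaround. The configuration fragments are constructed; the trap command is the one named in the advisory, while the `encryption key N size ...` line format used to recognise static WEP keys is an assumption about Aironet IOS syntax.

```python
# Added example, not part of the advisory or the thread: a small audit of an
# IOS-style access point configuration for the condition the advisory
# describes (static WEP key present AND "snmp-server enable traps wlan-wep"
# enabled). The trap command comes from the advisory; the configuration text
# is constructed, and the "encryption key N size ..." line format is an
# assumption about Aironet IOS used only to recognise static WEP keys.
import re
from typing import Dict, List

TRAP_CMD = "snmp-server enable traps wlan-wep"
STATIC_WEP_RE = re.compile(r"^encryption key \d+ size \S+")


def audit_ap_config(config: str) -> Dict[str, object]:
    """Report whether the WEP-revealing trap is on, whether static keys exist,
    where traps would be sent, and the workaround line if needed."""
    lines = [ln.strip() for ln in config.splitlines()]
    trap_enabled = TRAP_CMD in lines            # exact match; a "no ..." line does not count
    static_keys: List[str] = [ln for ln in lines if STATIC_WEP_RE.match(ln)]
    trap_hosts = [ln.split()[2] for ln in lines
                  if ln.startswith("snmp-server host ") and len(ln.split()) >= 3]
    return {
        "trap_enabled": trap_enabled,
        "static_wep_keys": len(static_keys),
        "trap_hosts": trap_hosts,
        # dynamic keys are not disclosed, so exposure needs both conditions
        "exposed": trap_enabled and bool(static_keys),
        # the advisory's workaround: turn the command off (it is off by default)
        "remediation": f"no {TRAP_CMD}" if trap_enabled else None,
    }


# Constructed configuration fragments (placeholder key material, documentation IPs).
WEAK_CONFIG = """\
interface Dot11Radio0
 encryption key 1 size 128bit 7 00112233445566778899AABBCC transmit-key
 encryption mode wep mandatory
!
snmp-server community public RO
snmp-server host 192.0.2.50 public
snmp-server enable traps wlan-wep
"""

FIXED_CONFIG = """\
interface Dot11Radio0
 encryption key 1 size 128bit 7 00112233445566778899AABBCC transmit-key
 encryption mode wep mandatory
!
snmp-server community public RO
snmp-server host 192.0.2.50 public
no snmp-server enable traps wlan-wep
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit_ap_config(cfg))
```

The `trap_hosts` field is there because the key travels in cleartext to whatever SNMP manager is configured; knowing which hosts received traps while the command was on tells you where a disclosed key may have been logged.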


Re: AOL postmaster (new request)

2003-12-02 Thread jlewis

On Tue, 2 Dec 2003, Derrick Bennett wrote:

> I really hate doing this but after 5 days and no one at AOL's helpdesk
> can even tell me why our subnets are being blocked. Can someone with the
> Postmaster helpdesk level 2 or higher please contact me. I have a
> ticket, I have followed all the rules, and I am still being told that no
> one knows why the block is there and no one knows when I will get a

I'd have thought this was common knowledge by now...enough of us have gone 
through it.

Do you currently get scomp reports from AOL for your IP space?
If not, tell their helpdesk people you want to get setup for scomp 
reports.

The most likely reason for AOL blocking you is they've received greater 
than some threshold of AOL user spam complaints for email originating at 
or relayed through your network.

Have you verified that they're blocking entire subnets or all of your IP 
space, or is it just one or a few mail server IPs?  If it's just a few 
IPs, the quickest fix is to add some additional IPs to your outgoing mail 
server(s) and make them talk to AOL using the new IPs.  That will get mail 
flowing again, but you still need to track down and deal with whatever 
problem caused them to block you, or your new IPs will end up blocked as 
well.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



OT: Level 3 Secrets to Contact? Very OT! Please Ignore!

2003-12-02 Thread Brennan_Murphy

Does anyone know the secret to contacting a dark fiber salesperson
at Level 3? The website directs a prospect to their toll free number
1-877-2LEVEL3 but the voicemail decision tree has some very dead
limbs.

It's not always easy to convey one's frustration in email. But the
mugshot in this story seems to capture my general disposition:

http://www.denverpost.com/Stories/0,1413,36~33~1765189,00.html#

Just hoping to get some quick answers to easy questions so I'll
be on my way to feeling like this:

http://www.columbia.edu/cu/record/record2011.19c.gif

...but if the wait goes on much longer, I'll be left in this state:

http://images.usatoday.com/money/_photos/2001-04-16-buffett.jpg

Thanks,
BM

PS hope the employee-owners over there have a sense of humor...their
contact apparatus is costing them money...is my guess.  

PPS You'd be surprised how many images there are of Warren Buffet
on the web. And come to think of it, why should that rich (*&%$#$  ever
have a grumpy look on his face?!  The man should be walking around with
a smile that makes his ears itch.