other virus damages/costs.....(hello skynet.be ?)

[Mike Tancsa]

Looking at my disk stats, my mail storage spool has grown by 15% in the 
past week not due the deluge of viruses which I can block and reject, but 
in large part to those idiotic Hi, I am sorry in a happy idiotic way to 
inform you that the message you sent has a virus messages  As almost 
all of them forge their email address, what is the point of warning the 
sender.  Even better, I wake up this am to 285 (and growing) messages 
below telling me that someone at skynet is trying to send me a virus 
message and it cc's 64 other people.  Nice.

---Mike

From: Skynet Mail Protection [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Skynet Mail Protection scan results
Date: Mon, 02 Feb 2004 12:09:44 +0100
Importance: high
X-Mailer: ravmd/8.4.2
X-RAVMilter-Version: 8.4.3(snapshot 20030212) (september.skynet.be)
X-Virus-Scanned: by amavisd-new
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on
spamscanner4.sentex.ca
X-Spam-Level: *
X-Spam-Status: Yes, hits=5.7 required=5.1 tests=MAILTO_TO_SPAM_ADDR,
MISSING_MIMEOLE,MISSING_OUTLOOK_NAME,TW_JN,X_PRIORITY_HIGH,
X_PRI_MISMATCH_HI autolearn=no version=2.63
X-Spam-Report:
*  0.5 X_PRIORITY_HIGH Sent with 'X-Priority' set to high
*  0.1 TW_JN BODY: Odd Letter Triples with JN
*  1.1 MAILTO_TO_SPAM_ADDR URI: Includes a link to a likely 
spammer email
*  1.2 MISSING_MIMEOLE Message has X-MSMail-Priority, but no 
X-MimeOLE
*  2.8 X_PRI_MISMATCH_HI 'X-Priority' does not match 
'X-MSMail-Priority'
*  0.1 MISSING_OUTLOOK_NAME Message looks like Outlook, but isn't



---
This e-mail is generated by Skynet Mail Protection to warn you that the e-mail
sent by [EMAIL PROTECTED] to [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED]
 ru, [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED] is infected with virus: 
Win32/[EMAIL PROTECTED]
Deze e-mail is gegenereerd door Skynet Mail Protection om u te waarschuwen dat
de e-mail gestuurd door [EMAIL PROTECTED] naar [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], 

Re: Did Wanadoo, French ISP, block access to SCO?

[Miquel van Smoorenburg]

In article [EMAIL PROTECTED],
Stephen J. Wilcox [EMAIL PROTECTED] wrote:

So thats 1-0 to the worm!

You could do some real cool things if you were controlling the DNS for a site 
under a major sustained DDoS, who doesnt the intended victim like.. just
fire up 
an A record and they're gone! ;p

http://news.netcraft.com/archives/2004/01/30/wwwscocom_is_a_weapon_of_mass_destruction.html

Mike.

Re: other virus damages/costs.....(hello skynet.be ?)

[Stephen J. Wilcox]

our queue appears to increasing linearly since about last tuesday, since then
its increased 3000%, theres a huge dip midday saturday (it goes down to one
third its size in about 4hrs) then rapidly jumps up to higher than its pre-dip
value

thats messages tho, queue spool size hasnt gone up all that much, maybe 200%

no idea about our storage spools...

very odd!!

Steve

On Mon, 2 Feb 2004, Mike Tancsa wrote:

 
 
 Looking at my disk stats, my mail storage spool has grown by 15% in the 
 past week not due the deluge of viruses which I can block and reject, but 
 in large part to those idiotic Hi, I am sorry in a happy idiotic way to 
 inform you that the message you sent has a virus messages  As almost 
 all of them forge their email address, what is the point of warning the 
 sender.  Even better, I wake up this am to 285 (and growing) messages 
 below telling me that someone at skynet is trying to send me a virus 
 message and it cc's 64 other people.  Nice.
 
 
  ---Mike
 
 From: Skynet Mail Protection [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Skynet Mail Protection scan results
 Date: Mon, 02 Feb 2004 12:09:44 +0100
 Importance: high
 X-Mailer: ravmd/8.4.2
 X-RAVMilter-Version: 8.4.3(snapshot 20030212) (september.skynet.be)
 X-Virus-Scanned: by amavisd-new
 X-Spam-Flag: YES
 X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on
  spamscanner4.sentex.ca
 X-Spam-Level: *
 X-Spam-Status: Yes, hits=5.7 required=5.1 tests=MAILTO_TO_SPAM_ADDR,
  MISSING_MIMEOLE,MISSING_OUTLOOK_NAME,TW_JN,X_PRIORITY_HIGH,
  X_PRI_MISMATCH_HI autolearn=no version=2.63
 X-Spam-Report:
  *  0.5 X_PRIORITY_HIGH Sent with 'X-Priority' set to high
  *  0.1 TW_JN BODY: Odd Letter Triples with JN
  *  1.1 MAILTO_TO_SPAM_ADDR URI: Includes a link to a likely 
  spammer email
  *  1.2 MISSING_MIMEOLE Message has X-MSMail-Priority, but no 
  X-MimeOLE
  *  2.8 X_PRI_MISMATCH_HI 'X-Priority' does not match 
  'X-MSMail-Priority'
  *  0.1 MISSING_OUTLOOK_NAME Message looks like Outlook, but isn't
 
 
 
 ---
 This e-mail is generated by Skynet Mail Protection to warn you that the e-mail
 sent by [EMAIL PROTECTED] to [EMAIL PROTECTED], [EMAIL PROTECTED], 
 [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
 [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
 [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
 [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
 [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
 [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
 [EMAIL PROTECTED], [EMAIL PROTECTED], 
 [EMAIL PROTECTED], [EMAIL PROTECTED], 
 [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
 [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
 [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
 [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
 [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
 [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
 [EMAIL PROTECTED], [EMAIL PROTECTED]
   ru, [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
  [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
  [EMAIL PROTECTED], [EMAIL PROTECTED], 
  [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
  [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
  [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
  [EMAIL PROTECTED], [EMAIL PROTECTED] is infected with virus: 
  Win32/[EMAIL PROTECTED]
 Deze 

Re: AOL web troubles.. New AOL speedup seems to be a slowdown

[The Gunn]

Brian,

I have some friends in the web proxy group at AOL, if you can send me (or
post to this list) some urls that are breaking, they can take a look for
you.

According to them, if the java problem is happening on AOL 8.0 as well as
9.0, then it's not a TopSpeed issue (TopSpeed is just an executable that
runs in tandem with 9.0), but could be some other client-related problem..

And in response to Rob's suggestion to use SSL instead of implementing
cache-control, it would be a pretty wasteful implementation of SSL if its
purpose is solely to prevent a proxy from recompressing your images.

-- The Gunn
[EMAIL PROTECTED]



 snipped since its kinda long

 Just got done working with my mother's machine again, and have been
 watching
 her and a bunch of other people who use AOL 9.0 and some who use 8.0.
 Something over the past week alone has definately happened in regards to
 the
 AOL TopSpeed stuff.  I've got a situation with more then 75% of the people
 I've tested, that they have problems running java applets (including AOL's
 own
 link into pogo games) in AOL 9.0 GM (that they are distributing to end
 users).
 When the user switches to AOL 8.0, the problem exist.  When the user uses
 IE
 separate from AOL, the problem does not exist.  There are other issues
 developing as well - random freezing of java games for example.  Once
 again,
 this only happens in 9.0.

 This was working fine two weeks ago on all of these people's machines.

 Of course, this is increasing my daily workload, as I now have users
 having
 problems that I need to sit and try and diagnose.  I've been telling
 people to
 use AOL 8.0 or IE if they want to play games.

 But, yes, there appears to be a problem somewhere with this TopSpeed stuff
 that people have been noting complaints about.

 Sorta off topic, but alot of people here also do support for this kind of
 stuff, and would like to get some feedback as to what others are seeing
 with
 their end users.  I have a sinking feeling that when I take the time to
 file
 an official bug report/issue, they will tell me 'reformat and reinstall'.



 --
 Brian Bruns
 The Summit Open Source Development Group
 Open Solutions For A Closed World / Anti-Spam Resources
 http://www.sosdg.org

 The AHBL - http://www.ahbl.org

Re: other virus damages/costs.....(hello skynet.be ?)

[jlewis]

On Mon, 2 Feb 2004, Mike Tancsa wrote:

 Looking at my disk stats, my mail storage spool has grown by 15% in the 
 past week not due the deluge of viruses which I can block and reject, but 
 in large part to those idiotic Hi, I am sorry in a happy idiotic way to 
 inform you that the message you sent has a virus messages  As almost 
 all of them forge their email address, what is the point of warning the 
 sender.  Even better, I wake up this am to 285 (and growing) messages 
 below telling me that someone at skynet is trying to send me a virus 
 message and it cc's 64 other people.  Nice.

Enough people are sufficiently annoyed by antivirus 
notifications/advertisements that they're starting to ask for DNSBLs of 
systems that send them.  I suspect before long, there will be some.

But this really doesn't seem to be NANOG material.  Try spam-l or 
spamtools.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_

Re: other virus damages/costs.....(hello skynet.be ?)

[Valdis . Kletnieks]

On Mon, 02 Feb 2004 07:57:07 EST, Mike Tancsa [EMAIL PROTECTED]  said:
 all of them forge their email address, what is the point of warning the 
 sender.  Even better, I wake up this am to 285 (and growing) messages 
 below telling me that someone at skynet is trying to send me a virus 
 message and it cc's 64 other people.  Nice.

And at least one of those other 64 will next time actually get a virus,
where all those addresses will get used to seed the address scraper.
Remember that hitting 'delete' usually doesn't actually wipe it off the
disk in most MUAs


pgp0.pgp
Description: PGP signature

Re: other virus damages/costs.....(hello skynet.be ?)

[Valdis . Kletnieks]

On Mon, 02 Feb 2004 08:42:53 EST, [EMAIL PROTECTED] said:

 But this really doesn't seem to be NANOG material.  Try spam-l or 
 spamtools.

When the traffic blip caused by the A/V tools is bigger than the
traffic blip caused by the actual virus, it's an operational issue.


pgp0.pgp
Description: PGP signature

Re: other virus damages/costs.....(hello skynet.be ?)

[Matthew Sullivan]

[EMAIL PROTECTED] wrote:

Enough people are sufficiently annoyed by antivirus

notifications/advertisements that they're starting to ask for DNSBLs of 
systems that send them.  I suspect before long, there will be some.
 

Already thought about it (and dismissed it)

But this really doesn't seem to be NANOG material.  Try spam-l or 
spamtools.
 

It could be - it is a network issue - particually where so many people 
feel the need to reply with virus 'reports'...  I know the virus mails 
and the virus reports certainly caused some issues network wise at 
Telstra recently.

/ Mat

Re: other virus damages/costs.....(hello skynet.be ?)

[Randy Bush]

 Looking at my disk stats, my mail storage spool has grown by 15% in the 
 past week not due the deluge of viruses which I can block and reject, but 
 in large part to those idiotic Hi, I am sorry in a happy idiotic way to 
 inform you that the message you sent has a virus messages  As almost 
 all of them forge their email address, what is the point of warning the 
 sender.  Even better, I wake up this am to 285 (and growing) messages 
 below telling me that someone at skynet is trying to send me a virus 
 message and it cc's 64 other people.  Nice.

# MyDoom craziness
:
* ^Subject:.*(\
\{Spam\?\} Warning: E-mail viruses detected|\
Anti-Virus Notification|\
BANNED FILENAME|\
Disallowed attachment type found in sent message|\
File blocked - ScanMail for Lotus|\
InterScan NT Alert|\
Message deleted|\
NAV detected a virus|\
Norton AntiVirus detected|\
RAV AntiVirus scan|\
Returned due to virus|\
Skynet Mail Protection|\
Symantec AntiVirus|\
Undeliverable: test|\
VIRUS \(.*\) IN MAIL FROM YOU|\
VIRUS \(.*\) IN MAIL TO YOU|\
VIRUS IN YOUR MAIL|\
Virus Detected by Network Assoc|\
Virus Notification|\
Virus found in a message you sent|\
Virus found in sent message\
)
$TRASH

Need abuse contact for Yahoo Hostinng

[Christopher X. Candreva]

Sorry to bother the list, but if anyone from Yahoo is listening,

There is an credit card stealing web site hosted by Yahoo.  Complaints to
[EMAIL PROTECTED], as usual for complaints about their hosting, are returned
days later saysing Sorry, we can't do anything since this spam didn't come
through Yahoo.:

URL:  http://aol.account-cgi1.com/update.htm

Please contact me directly for a copy of the scam e-mail and the idiotic
Yahoo abuse response.


If [EMAIL PROTECTED] is not the correct address, then this really should
be added to the whois record for your hosting netblocks.


==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/

Re: AOL web troubles.. New AOL speedup seems to be a slowdown

[Robert E. Seastrom]

The Gunn [EMAIL PROTECTED] writes:

 And in response to Rob's suggestion to use SSL instead of implementing
 cache-control, it would be a pretty wasteful implementation of SSL if its
 purpose is solely to prevent a proxy from recompressing your images.

To clarify (for list readers who are out of the loop because I made
the point in a private communication) I suggested use of SSL in the
cited hypothetical case of for example, high-res medical x-rays and
other confidential information, consumer purchased high-res images and
other copyrighted information purchased by the end user.  Given the
HIPAA and e-commerce implications of the two named cases, using SSL
would seem to be a no-brainer, and effectively renders the issue of
cache-control moot.

I also suggested that The Gunn read http://www.nanog.org/aup.html
item #7 and begin posting with an account that has a real name on it.

---Rob

Re: other virus damages/costs.....(hello skynet.be ?)

[Todd Vierling]

On Mon, 2 Feb 2004, Randy Bush wrote:

: # MyDoom craziness
: :
: * ^Subject:.*(\

Actually, Mydoom has a very detectable signature.  It has both X-Priority
and X-MSMail-Priority headers, but *neither* a X-Mailer nor X-MimeOLE
header.

These conditions make, for instance, SpamAssassin catch the worm easily.
Based on all the available mailboxes I can scan from here, such a check
should kill only Mydoom [and some spam].

Rolled that into a milter, and poof!

-- 
-- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED]

Re: Need abuse contact for Yahoo Hostinng

[Christopher X. Candreva]

On Mon, 2 Feb 2004, Barnabas Toth wrote:

 Maybe you should try to contact AOL abuse instead? I know, I know... Just
 a though.

Thanks to those who replied.  I've been contacted directly by an AOL rep
(who the site pretended to be), and an FBI agent.

Interestingly not a peep from Yahoo. Sigh.


==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/

Re: Need abuse contact for Yahoo Hostinng

[Christopher X. Candreva]

On Mon, 2 Feb 2004, Christopher X. Candreva wrote:

 Interestingly not a peep from Yahoo. Sigh.

In fairness -- I just heard from someone at Yahoo-inc.com

==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/

Unbelievable Spam.

[Ejay Hire]

Personally, I don't like spam, but I tolerate the messages
that slip through to my mailbox as a penalty for my own
laziness in not tightening down my spam rules.  Today I got
one that I couldn't believe.  

--snip--
Spam Hosting - from 20$ per mounth.
Fraud Hosting - from 30$ per mounth.
Stoln Credit Cards, Fake ID, DL's.
Spam For free only from 1.02.2004 to 5.02.2004.
--snip--


It's just wrong in my opinion, and exacerbated by the fact
that it was spammend to our abuse account.  Their /24 just
fell off of my piece of the internet.  Have I just been
blind to this all along, or are the spammers getting bolder?

-Ejay

Re: Unbelievable Spam.

[Jeff Shultz]

** Reply to message from Ejay Hire [EMAIL PROTECTED] on Mon, 2 Feb
2004 15:01:19 -0600

 Personally, I don't like spam, but I tolerate the messages
 that slip through to my mailbox as a penalty for my own
 laziness in not tightening down my spam rules.  Today I got
 one that I couldn't believe.  
 
 --snip--
 Spam Hosting - from 20$ per mounth.
 Fraud Hosting - from 30$ per mounth.
 Stoln Credit Cards, Fake ID, DL's.
 Spam For free only from 1.02.2004 to 5.02.2004.
 --snip--
 
 
 It's just wrong in my opinion, and exacerbated by the fact
 that it was spammend to our abuse account.  Their /24 just
 fell off of my piece of the internet.  Have I just been
 blind to this all along, or are the spammers getting bolder?
 
 -Ejay

This is known as Rule #3 on n.a.n-a.e... Spammers are stupid.

-- 
Jeff Shultz
Loose nut behind the wheel. 

Re: Unbelievable Spam.

[Richard Welty]

On Mon, 2 Feb 2004 15:01:19 -0600 Ejay Hire [EMAIL PROTECTED] wrote:
 It's just wrong in my opinion, and exacerbated by the fact
 that it was spammend to our abuse account.  Their /24 just
 fell off of my piece of the internet.  Have I just been
 blind to this all along, or are the spammers getting bolder?

this is actually a somewhat well known situation, it appears
that there are two warring groups of spammers joe-jobbing
each other (and if you look at the from addresses, you may
see them trying to get various ISP and anti-spammer mail
boxes pounded by angry responses.)

i've got a whole collection of them. been getting them
for months.

it's also somewhat offtopic for this list. i suggest that
followups be off list, unless they can be typed into
IOS.

richard
-- 
Richard Welty [EMAIL PROTECTED]
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security

Re: Unbelievable Spam.

[Roland Perry]

In article [EMAIL PROTECTED], Ejay Hire 
[EMAIL PROTECTED] writes
Personally, I don't like spam, but I tolerate the messages
that slip through to my mailbox as a penalty for my own
laziness in not tightening down my spam rules.  Today I got
one that I couldn't believe.
--snip--
Spam Hosting - from 20$ per mounth.
Fraud Hosting - from 30$ per mounth.
Stoln Credit Cards, Fake ID, DL's.
Spam For free only from 1.02.2004 to 5.02.2004.
--snip--
It's just wrong in my opinion, and exacerbated by the fact
that it was spammend to our abuse account.  Their /24 just
fell off of my piece of the internet.  Have I just been
blind to this all along, or are the spammers getting bolder?
Remember, all spammers lie. But what were these spammers lying about?
--
Roland Perry

Re: Unbelievable Spam.

[Paul Vixie]

[EMAIL PROTECTED] (Ejay Hire) writes:

 It's just wrong in my opinion, and exacerbated by the fact
 that it was spammend to our abuse account.  Their /24 just
 fell off of my piece of the internet.  Have I just been
 blind to this all along, or are the spammers getting bolder?

the spammers have nothing to fear from you, or us, or me, or anybody.  with
the incredible number of bottomfeeders and antivirus companies polluting the
econsystem with their own various get-rich-quick schemes, there's no way to
tell the difference between good and bad traffic, good and bad intent, good
and bad providers, etc.  the spam/antispam battleground is all just mud now.
-- 
Paul Vixie

Re: Unbelievable Spam.

[Vadim Antonov]

On 2 Feb 2004, Paul Vixie wrote:

 the spammers have nothing to fear from you, or us, or me, or anybody.  with
 the incredible number of bottomfeeders and antivirus companies polluting the
 econsystem with their own various get-rich-quick schemes, there's no way to
 tell the difference between good and bad traffic, good and bad intent, good
 and bad providers, etc.  the spam/antispam battleground is all just mud now.

Everyone should be glad for the Internet making all of us feel like rich
and famous.  A lot more people want our attention (and money) than we wish
to deal with.  And this is not only the spam problem - the
technology-related privacy and identity issues are merely the other side
of the same phenomenon - the rich  famous had to fight with gossips,
paparazzi and various con artists for as long as there were money, power
and fame.

And because rich and famous had this problem for a long, long time, they 
managed to devise some solutions.  So everything we do about cyberage 
problems like spam is going to be some automation of those old solutions.

Call me elitist, or old-worlder, but my preferred way of dealing with it 
is choose who you are associating with.  Introductions.  In newspeak - 
whitelists.

--vadim

Re: Unbelievable Spam.

[Brian Bruns]

On Monday, February 02, 2004 4:01 PM [GMT-5=EST], Ejay Hire
[EMAIL PROTECTED] wrote:

 It's just wrong in my opinion, and exacerbated by the fact
 that it was spammend to our abuse account.  Their /24 just
 fell off of my piece of the internet.  Have I just been
 blind to this all along, or are the spammers getting bolder?


Its called a joe job - spammers do it when they get spanked by an antispammer
or someone else they don't like.  Usually happens right after their service
gets shut off, but they could do it for dozens of reasons.  Hipcrime (aka
dippy) loves doing this, and less then two months ago he went on a joe job
spree spamming my home phone number and a dozen other people's.

They are bold, and don't seem to fear anyone.  You can keep killing them, and
they don't learn.


-- 
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org

The AHBL - http://www.ahbl.org

Strange public traceroutes return private RFC1918 addresses

[Brian (nanog-list)]

Title: Strange public traceroutes return private RFC1918 addresses





Any ideas how (or why) the following traceroutes are leaking private RFC1918 addresses back to me when I do a traceroute?

Maybe try from your side of the internet and see if you get the same types of responses.


It's really strange to see 10/8's and 192.168/16 addresses coming from the public internet. Has this phenomenon been documented anywhere? Connectivity to the end-sites is fine, it's just the traceroutes that are strange.

(initial few hops sanitized)


[EMAIL PROTECTED] /]# traceroute www.ibm.com
traceroute: Warning: www.ibm.com has multiple addresses; using 129.42.17.99
traceroute to www.ibm.com (129.42.17.99), 30 hops max, 38 byte packets
1 (---.---.---.---) 2.481 ms 2.444 ms 2.379 ms
2 (---.---.---.---) 17.964 ms 17.529 ms 17.632 ms
3 so-1-2.core1.Chicago1.Level3.net (209.0.225.1) 17.891 ms 17.985 ms 18.026 ms
4 so-11-0.core2.chicago1.level3.net (4.68.112.194) 18.272 ms 18.109 ms 17.795 ms
5 so-4-1-0.bbr2.chicago1.level3.net (4.68.112.197) 17.851 ms 17.859 ms 18.094 ms
6 so-3-0-0.mp1.stlouis1.level3.net (64.159.0.49) 23.095 ms 22.975 ms 22.998 ms
7 ge-7-1.hsa2.stlouis1.level3.net (64.159.4.130) 23.106 ms 23.237 ms 22.977 ms
8 unknown.level3.net (63.20.48.6) 24.264 ms 24.099 ms 24.154 ms
9 10.16.255.10 (10.16.255.10) 24.164 ms 24.108 ms 24.105 ms
10 * * *



[EMAIL PROTECTED] /]# traceroute www.att.net
traceroute: Warning: www.att.net has multiple addresses; using 204.127.166.135
traceroute to www.att.net (204.127.166.135), 30 hops max, 38 byte packets
1 (---.---.---.---) 2.404 ms 2.576 ms 2.389 ms
2 (---.---.---.---) 17.953 ms 18.170 ms 17.435 ms
3 500.pos2-1.gw10.chi2.alter.net (63.84.96.9) 18.077 ms * 18.628 ms
4 0.so-6-2-0.xl1.chi2.alter.net (152.63.69.170) 18.238 ms 18.321 ms 18.213 ms
5 0.so-6-1-0.BR6.CHI2.ALTER.NET (152.63.64.49) 18.269 ms 18.396 ms 18.329 ms
6 204.255.169.146 (204.255.169.146) 19.231 ms 19.042 ms 18.982 ms
7 tbr2-p012702.cgcil.ip.att.net (12.122.11.209) 20.530 ms 20.542 ms 23.033 ms
8 tbr2-cl7.sl9mo.ip.att.net (12.122.10.46) 26.904 ms 27.378 ms 27.320 ms
9 tbr1-cl2.sl9mo.ip.att.net (12.122.9.141) 27.194 ms 27.673 ms 26.677 ms
10 gbr1-p10.bgtmo.ip.att.net (12.122.4.69) 26.606 ms 28.026 ms 26.246 ms
11 12.122.248.250 (12.122.248.250) 27.296 ms 28.321 ms 28.997 ms
12 192.168.254.46 (192.168.254.46) 28.522 ms 30.111 ms 27.439 ms
13 * * *
14 * * *

Re: Strange public traceroutes return private RFC1918 addresses

[Jonas Frey (Probe Networks)]

This is quite often used. You cant (d)DoS the routers this way, nor try
to do any harm to them as you cant reach them.

Regards,
Jonas

On Tue, 2004-02-03 at 00:01, Brian (nanog-list) wrote:
 Any ideas how (or why) the following traceroutes are leaking private
 RFC1918 addresses back to me when I do a traceroute?
 
 Maybe try from your side of the internet and see if you get the same
 types of responses.
 
 It's really strange to see 10/8's and 192.168/16 addresses coming from
 the public internet.  Has this phenomenon been documented anywhere? 
 Connectivity to the end-sites is fine, it's just the traceroutes that
 are strange.
 
 (initial few hops sanitized)
 
 [EMAIL PROTECTED] /]# traceroute www.ibm.com
 traceroute: Warning: www.ibm.com has multiple addresses; using
 129.42.17.99
 traceroute to www.ibm.com (129.42.17.99), 30 hops max, 38 byte packets
  1  (---.---.---.---)  2.481 ms  2.444 ms  2.379 ms
  2  (---.---.---.---)  17.964 ms  17.529 ms  17.632 ms
  3  so-1-2.core1.Chicago1.Level3.net (209.0.225.1)  17.891 ms  17.985
 ms  18.026 ms
  4  so-11-0.core2.chicago1.level3.net (4.68.112.194)  18.272 ms 
 18.109 ms  17.795 ms
  5  so-4-1-0.bbr2.chicago1.level3.net (4.68.112.197)  17.851 ms 
 17.859 ms  18.094 ms
  6  so-3-0-0.mp1.stlouis1.level3.net (64.159.0.49)  23.095 ms  22.975
 ms  22.998 ms
  7  ge-7-1.hsa2.stlouis1.level3.net (64.159.4.130)  23.106 ms  23.237
 ms  22.977 ms
  8  unknown.level3.net (63.20.48.6)  24.264 ms  24.099 ms  24.154 ms
  9  10.16.255.10 (10.16.255.10)  24.164 ms  24.108 ms  24.105 ms
 10  * * *
 
 
 [EMAIL PROTECTED] /]# traceroute www.att.net
 traceroute: Warning: www.att.net has multiple addresses; using
 204.127.166.135
 traceroute to www.att.net (204.127.166.135), 30 hops max, 38 byte
 packets
  1  (---.---.---.---)  2.404 ms  2.576 ms  2.389 ms
  2  (---.---.---.---)  17.953 ms  18.170 ms  17.435 ms
  3  500.pos2-1.gw10.chi2.alter.net (63.84.96.9)  18.077 ms *  18.628
 ms
  4  0.so-6-2-0.xl1.chi2.alter.net (152.63.69.170)  18.238 ms  18.321
 ms  18.213 ms
  5  0.so-6-1-0.BR6.CHI2.ALTER.NET (152.63.64.49)  18.269 ms  18.396
 ms  18.329 ms
  6  204.255.169.146 (204.255.169.146)  19.231 ms  19.042 ms  18.982 ms
  7  tbr2-p012702.cgcil.ip.att.net (12.122.11.209)  20.530 ms  20.542
 ms  23.033 ms
  8  tbr2-cl7.sl9mo.ip.att.net (12.122.10.46)  26.904 ms  27.378 ms 
 27.320 ms
  9  tbr1-cl2.sl9mo.ip.att.net (12.122.9.141)  27.194 ms  27.673 ms 
 26.677 ms
 10  gbr1-p10.bgtmo.ip.att.net (12.122.4.69)  26.606 ms  28.026 ms 
 26.246 ms
 11  12.122.248.250 (12.122.248.250)  27.296 ms  28.321 ms  28.997 ms
 12  192.168.254.46 (192.168.254.46)  28.522 ms  30.111 ms  27.439 ms
 13  * * *
 14  * * *

Re: Strange public traceroutes return private RFC1918 addresses

[Matthew Crocker]

Search the archives,  Comcast and other cable/DSL providers use the 
10/8 for their infrastructure.  The Internet itself doesn't need to be 
Internet routable.  Only the edges need to be routable. It is common 
practice to use RFC1918 address space inside the network. Companies 
like Sprint and Verio use 'real' IPs but don't announce them to their 
peers on customer edge routes.

-Matt

On Feb 2, 2004, at 6:01 PM, Brian (nanog-list) wrote:

Any ideas how (or why) the following traceroutes are leaking private 
RFC1918 addresses back to me when I do a traceroute?

Maybe try from your side of the internet and see if you get the same 
types of responses.

It's really strange to see 10/8's and 192.168/16 addresses coming from 
the public internet.  Has this phenomenon been documented anywhere?  
Connectivity to the end-sites is fine, it's just the traceroutes that 
are strange.

(initial few hops sanitized)

[EMAIL PROTECTED] /]# traceroute www.ibm.com
traceroute: Warning: www.ibm.com has multiple addresses; using 
129.42.17.99
traceroute to www.ibm.com (129.42.17.99), 30 hops max, 38 byte packets
 1  (---.---.---.---)  2.481 ms  2.444 ms  2.379 ms
 2  (---.---.---.---)  17.964 ms  17.529 ms  17.632 ms
 3  so-1-2.core1.Chicago1.Level3.net (209.0.225.1)  17.891 ms  17.985 
ms  18.026 ms
 4  so-11-0.core2.chicago1.level3.net (4.68.112.194)  18.272 ms  
18.109 ms  17.795 ms
 5  so-4-1-0.bbr2.chicago1.level3.net (4.68.112.197)  17.851 ms  
17.859 ms  18.094 ms
 6  so-3-0-0.mp1.stlouis1.level3.net (64.159.0.49)  23.095 ms  22.975 
ms  22.998 ms
 7  ge-7-1.hsa2.stlouis1.level3.net (64.159.4.130)  23.106 ms  23.237 
ms  22.977 ms
 8  unknown.level3.net (63.20.48.6)  24.264 ms  24.099 ms  24.154 ms
 9  10.16.255.10 (10.16.255.10)  24.164 ms  24.108 ms  24.105 ms
10  * * *



[EMAIL PROTECTED] /]# traceroute www.att.net
traceroute: Warning: www.att.net has multiple addresses; using 
204.127.166.135
traceroute to www.att.net (204.127.166.135), 30 hops max, 38 byte 
packets
 1  (---.---.---.---)  2.404 ms  2.576 ms  2.389 ms
 2  (---.---.---.---)  17.953 ms  18.170 ms  17.435 ms
 3  500.pos2-1.gw10.chi2.alter.net (63.84.96.9)  18.077 ms *  18.628 ms
 4  0.so-6-2-0.xl1.chi2.alter.net (152.63.69.170)  18.238 ms  18.321 
ms  18.213 ms
 5  0.so-6-1-0.BR6.CHI2.ALTER.NET (152.63.64.49)  18.269 ms  18.396 
ms  18.329 ms
 6  204.255.169.146 (204.255.169.146)  19.231 ms  19.042 ms  18.982 ms
 7  tbr2-p012702.cgcil.ip.att.net (12.122.11.209)  20.530 ms  20.542 
ms  23.033 ms
 8  tbr2-cl7.sl9mo.ip.att.net (12.122.10.46)  26.904 ms  27.378 ms  
27.320 ms
 9  tbr1-cl2.sl9mo.ip.att.net (12.122.9.141)  27.194 ms  27.673 ms  
26.677 ms
10  gbr1-p10.bgtmo.ip.att.net (12.122.4.69)  26.606 ms  28.026 ms  
26.246 ms
11  12.122.248.250 (12.122.248.250)  27.296 ms  28.321 ms  28.997 ms
12  192.168.254.46 (192.168.254.46)  28.522 ms  30.111 ms  27.439 ms
13  * * *
14  * * *

 

Re: Unbelievable Spam.

[Bill Thompson]

On Mon, 2 Feb 2004 15:01:19 -0600
Ejay Hire [EMAIL PROTECTED] wrote:
 --snip--
 
 It's just wrong in my opinion, and exacerbated by the fact
 that it was spammend to our abuse account.  Their /24 just
 fell off of my piece of the internet.  Have I just been
 blind to this all along, or are the spammers getting bolder?
 
 -Ejay

Don't forget that the bulk of SPAM sent nowadays originate from zombie M$
boxes sitting on home broadband connections. Be very sure that the IP
space is owned by the guilty party before blackholing addresses.

-- 
Bill Thompson
[EMAIL PROTECTED]
GPG Key ID:0xFB966670

Re: Strange public traceroutes return private RFC1918 addresses

[Matthew Crocker]

On Feb 2, 2004, at 6:20 PM, Jonas Frey (Probe Networks) wrote:

This is quite often used. You cant (d)DoS the routers this way, nor try
to do any harm to them as you cant reach them.
Sure you can,  easy,  attack a router 1 hop past your real target and 
spoof your target as the source.  The resulting ICMP responses will 
hammer the target.  If the Internet edge actually protected itself 
against spoofing it would be harder but it is still very do-able now.

Re: Unbelievable Spam.

[Vadim Antonov]

On Mon, 2 Feb 2004, Brian Bruns wrote:

 They are bold, and don't seem to fear anyone.  You can keep killing them, and
 they don't learn.

That's because nobody's _killing_ them.

There is an anecdotal story of some russian ISP actually sending few 
toughs to beat up some HACK0R DUD3Z.  That ISP had seen a dramatically 
decreased number of attacks on its servers and customers.

--vadim

Re: Strange public traceroutes return private RFC1918 addresses

[Bob Snyder]

Matthew Crocker wrote:

Search the archives,  Comcast and other cable/DSL providers use the 
10/8 for their infrastructure.  The Internet itself doesn't need to be 
Internet routable.  Only the edges need to be routable. It is common 
practice to use RFC1918 address space inside the network. Companies 
like Sprint and Verio use 'real' IPs but don't announce them to their 
peers on customer edge routes.
Which (as discussed previously) breaks things like Path MTU Discovery, 
traceroute, and other things that depend on the router sending back ICMP 
packets to the sender if any ISP along the return path (properly) 
filters RFC1918 address space as being bogus. You can use RFC1918 space 
on any device that really has no need to communicate with the outside 
world, but generally, un-NAT'ed routers don't qualify for this, at least 
on their transit interfaces.

I believe Comcast (and I'm going only on my experience as a customer) is 
or has moved from RFC1918 space to routable IP space for their routers, 
at least on interfaces I've been doing traceroutes through.

Bob

Re: Strange public traceroutes return private RFC1918 addresses

[Rubens Kuhl Jr.]

Using real but announced IPs for routers will make their packets fail
unicast-RPF checks, dropping traceroute and PMTUD responses as happens with
RFC1918 addresses.


Rubens

- Original Message - 
From: Matthew Crocker [EMAIL PROTECTED]
To: Brian (nanog-list) [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, February 02, 2004 9:25 PM
Subject: Re: Strange public traceroutes return private RFC1918 addresses




Search the archives,  Comcast and other cable/DSL providers use the
10/8 for their infrastructure.  The Internet itself doesn't need to be
Internet routable.  Only the edges need to be routable. It is common
practice to use RFC1918 address space inside the network. Companies
like Sprint and Verio use 'real' IPs but don't announce them to their
peers on customer edge routes.

-Matt

On Feb 2, 2004, at 6:01 PM, Brian (nanog-list) wrote:

 Any ideas how (or why) the following traceroutes are leaking private
 RFC1918 addresses back to me when I do a traceroute?

 Maybe try from your side of the internet and see if you get the same
 types of responses.

 It's really strange to see 10/8's and 192.168/16 addresses coming from
 the public internet. Has this phenomenon been documented anywhere?
 Connectivity to the end-sites is fine, it's just the traceroutes that
 are strange.

 (initial few hops sanitized)

 [EMAIL PROTECTED] /]# traceroute www.ibm.com
 traceroute: Warning: www.ibm.com has multiple addresses; using
 129.42.17.99
 traceroute to www.ibm.com (129.42.17.99), 30 hops max, 38 byte packets
 1 (---.---.---.---) 2.481 ms 2.444 ms 2.379 ms
 2 (---.---.---.---) 17.964 ms 17.529 ms 17.632 ms
 3 so-1-2.core1.Chicago1.Level3.net (209.0.225.1) 17.891 ms 17.985
 ms 18.026 ms
 4 so-11-0.core2.chicago1.level3.net (4.68.112.194) 18.272 ms
 18.109 ms 17.795 ms
 5 so-4-1-0.bbr2.chicago1.level3.net (4.68.112.197) 17.851 ms
 17.859 ms 18.094 ms
 6 so-3-0-0.mp1.stlouis1.level3.net (64.159.0.49) 23.095 ms 22.975
 ms 22.998 ms
 7 ge-7-1.hsa2.stlouis1.level3.net (64.159.4.130) 23.106 ms 23.237
 ms 22.977 ms
 8 unknown.level3.net (63.20.48.6) 24.264 ms 24.099 ms 24.154 ms
 9 10.16.255.10 (10.16.255.10) 24.164 ms 24.108 ms 24.105 ms
 10 * * *



 [EMAIL PROTECTED] /]# traceroute www.att.net
 traceroute: Warning: www.att.net has multiple addresses; using
 204.127.166.135
 traceroute to www.att.net (204.127.166.135), 30 hops max, 38 byte
 packets
 1 (---.---.---.---) 2.404 ms 2.576 ms 2.389 ms
 2 (---.---.---.---) 17.953 ms 18.170 ms 17.435 ms
 3 500.pos2-1.gw10.chi2.alter.net (63.84.96.9) 18.077 ms * 18.628 ms
 4 0.so-6-2-0.xl1.chi2.alter.net (152.63.69.170) 18.238 ms 18.321
 ms 18.213 ms
 5 0.so-6-1-0.BR6.CHI2.ALTER.NET (152.63.64.49) 18.269 ms 18.396
 ms 18.329 ms
 6 204.255.169.146 (204.255.169.146) 19.231 ms 19.042 ms 18.982 ms
 7 tbr2-p012702.cgcil.ip.att.net (12.122.11.209) 20.530 ms 20.542
 ms 23.033 ms
 8 tbr2-cl7.sl9mo.ip.att.net (12.122.10.46) 26.904 ms 27.378 ms
 27.320 ms
 9 tbr1-cl2.sl9mo.ip.att.net (12.122.9.141) 27.194 ms 27.673 ms
 26.677 ms
 10 gbr1-p10.bgtmo.ip.att.net (12.122.4.69) 26.606 ms 28.026 ms
 26.246 ms
 11 12.122.248.250 (12.122.248.250) 27.296 ms 28.321 ms 28.997 ms
 12 192.168.254.46 (192.168.254.46) 28.522 ms 30.111 ms 27.439 ms
 13 * * *
 14 * * *

wildly successful

[bill]

so...
funding found. 
nanog bound.
... hotel sold out?
wow!

--bill

Re: Strange public traceroutes return private RFC1918 addresses

[Pekka Savola]

On Tue, 3 Feb 2004, Rubens Kuhl Jr. wrote:
 Using real but announced IPs for routers will make their packets fail
 unicast-RPF checks, dropping traceroute and PMTUD responses as happens with
 RFC1918 addresses.

I guess you meant unannounced.

This is the case for those who run uRPF towards their upstream (or
transit ISPs peering with them who'd run uRPF on the peering links).  
I don't think too many folks do that.

But I see very little point in not announcing them.  Equally well you
could just set up an acl at the edge which drops or rate-limits the
traffic.  Well, you might not be able to if you're using a vendor 
the implementation of which doesn't allow you to do that.. :)

-- 
Pekka Savola You each name yourselves king, yet the
Netcore Oykingdom bleeds.
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings