other virus damages/costs.....(hello skynet.be ?)
Looking at my disk stats, my mail storage spool has grown by 15% in the past week, not due to the deluge of viruses, which I can block and reject, but in large part to those idiotic "Hi, I am sorry in a happy idiotic way to inform you that the message you sent has a virus" messages. As almost all of them forge their email address, what is the point of warning the sender? Even better, I wake up this AM to 285 (and growing) messages like the one below telling me that someone at skynet is trying to send me a virus message, and it cc's 64 other people. Nice.

---Mike

From: Skynet Mail Protection [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
(the remaining To: lines, one per recipient, are redacted the same way)
Subject: Skynet Mail Protection scan results
Date: Mon, 02 Feb 2004 12:09:44 +0100
Importance: high
X-Mailer: ravmd/8.4.2
X-RAVMilter-Version: 8.4.3(snapshot 20030212) (september.skynet.be)
X-Virus-Scanned: by amavisd-new
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on spamscanner4.sentex.ca
X-Spam-Level: *
X-Spam-Status: Yes, hits=5.7 required=5.1 tests=MAILTO_TO_SPAM_ADDR, MISSING_MIMEOLE,MISSING_OUTLOOK_NAME,TW_JN,X_PRIORITY_HIGH, X_PRI_MISMATCH_HI autolearn=no version=2.63
X-Spam-Report:
 * 0.5 X_PRIORITY_HIGH Sent with 'X-Priority' set to high
 * 0.1 TW_JN BODY: Odd Letter Triples with JN
 * 1.1 MAILTO_TO_SPAM_ADDR URI: Includes a link to a likely spammer email
 * 1.2 MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE
 * 2.8 X_PRI_MISMATCH_HI 'X-Priority' does not match 'X-MSMail-Priority'
 * 0.1 MISSING_OUTLOOK_NAME Message looks like Outlook, but isn't

---

This e-mail is generated by Skynet Mail Protection to warn you that the e-mail sent by [EMAIL PROTECTED] to [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], ... (the full recipient list, every address redacted) is infected with virus: Win32/[EMAIL PROTECTED]

[Dutch copy of the same notice, translated:] This e-mail was generated by Skynet Mail Protection to warn you that the e-mail sent by [EMAIL PROTECTED] to [EMAIL PROTECTED], [EMAIL PROTECTED], ... (recipient list redacted; the rest of the Dutch text is cut off in the archive)
Re: Did Wanadoo, French ISP, block access to SCO?
In article [EMAIL PROTECTED], Stephen J. Wilcox [EMAIL PROTECTED] wrote: So that's 1-0 to the worm! You could do some real cool things if you were controlling the DNS for a site under a major sustained DDoS. Who doesn't the intended victim like? Just fire up an A record and they're gone! ;p

http://news.netcraft.com/archives/2004/01/30/wwwscocom_is_a_weapon_of_mass_destruction.html

Mike.
Re: other virus damages/costs.....(hello skynet.be ?)
Our queue appears to be increasing linearly since about last Tuesday; since then it's increased 3000%. There's a huge dip midday Saturday (it goes down to one third its size in about 4 hrs), then it rapidly jumps up to higher than its pre-dip value. That's messages, though; queue spool size hasn't gone up all that much, maybe 200%. No idea about our storage spools... very odd!!

Steve

On Mon, 2 Feb 2004, Mike Tancsa wrote:
> Looking at my disk stats, my mail storage spool has grown by 15% in the past week, not due to the deluge of viruses, which I can block and reject, but in large part to those idiotic "Hi, I am sorry in a happy idiotic way to inform you that the message you sent has a virus" messages. As almost all of them forge their email address, what is the point of warning the sender? Even better, I wake up this AM to 285 (and growing) messages like the one below telling me that someone at skynet is trying to send me a virus message, and it cc's 64 other people. Nice.
>
> ---Mike
>
> [quoted Skynet Mail Protection notification, identical to the one in Mike's original message above, trimmed]
Re: AOL web troubles.. New AOL speedup seems to be a slowdown
Brian, I have some friends in the web proxy group at AOL; if you can send me (or post to this list) some URLs that are breaking, they can take a look for you. According to them, if the Java problem is happening on AOL 8.0 as well as 9.0, then it's not a TopSpeed issue (TopSpeed is just an executable that runs in tandem with 9.0), but could be some other client-related problem.

And in response to Rob's suggestion to use SSL instead of implementing cache-control, it would be a pretty wasteful implementation of SSL if its purpose is solely to prevent a proxy from recompressing your images.

--
The Gunn [EMAIL PROTECTED]

(snipped since it's kinda long)

> Just got done working with my mother's machine again, and have been watching her and a bunch of other people who use AOL 9.0 and some who use 8.0. Something over the past week alone has definitely happened in regards to the AOL TopSpeed stuff. I've got a situation with more than 75% of the people I've tested, that they have problems running Java applets (including AOL's own link into Pogo games) in AOL 9.0 GM (that they are distributing to end users). When the user switches to AOL 8.0, the problem exists. When the user uses IE separate from AOL, the problem does not exist. There are other issues developing as well, random freezing of Java games for example. Once again, this only happens in 9.0. This was working fine two weeks ago on all of these people's machines.
>
> Of course, this is increasing my daily workload, as I now have users having problems that I need to sit and try and diagnose. I've been telling people to use AOL 8.0 or IE if they want to play games. But, yes, there appears to be a problem somewhere with this TopSpeed stuff that people have been noting complaints about. Sorta off topic, but a lot of people here also do support for this kind of stuff, and would like to get some feedback as to what others are seeing with their end users.
>
> I have a sinking feeling that when I take the time to file an official bug report/issue, they will tell me 'reformat and reinstall'.
>
> --
> Brian Bruns
> The Summit Open Source Development Group
> Open Solutions For A Closed World / Anti-Spam Resources
> http://www.sosdg.org
> The AHBL - http://www.ahbl.org
Re: other virus damages/costs.....(hello skynet.be ?)
On Mon, 2 Feb 2004, Mike Tancsa wrote:
> Looking at my disk stats, my mail storage spool has grown by 15% in the past week, not due to the deluge of viruses, which I can block and reject, but in large part to those idiotic "Hi, I am sorry in a happy idiotic way to inform you that the message you sent has a virus" messages. As almost all of them forge their email address, what is the point of warning the sender? Even better, I wake up this AM to 285 (and growing) messages like the one below telling me that someone at skynet is trying to send me a virus message, and it cc's 64 other people. Nice.

Enough people are sufficiently annoyed by antivirus notifications/advertisements that they're starting to ask for DNSBLs of systems that send them. I suspect before long, there will be some.

But this really doesn't seem to be NANOG material. Try spam-l or spamtools.

--
Jon Lewis [EMAIL PROTECTED]   | I route
Senior Network Engineer        | therefore you are
Atlantic Net                   |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: other virus damages/costs.....(hello skynet.be ?)
On Mon, 02 Feb 2004 07:57:07 EST, Mike Tancsa [EMAIL PROTECTED] said:
> all of them forge their email address, what is the point of warning the sender? Even better, I wake up this AM to 285 (and growing) messages like the one below telling me that someone at skynet is trying to send me a virus message, and it cc's 64 other people. Nice.

And at least one of those other 64 will next time actually get a virus, where all those addresses will get used to seed the address scraper. Remember that hitting 'delete' usually doesn't actually wipe it off the disk in most MUAs.
Re: other virus damages/costs.....(hello skynet.be ?)
On Mon, 02 Feb 2004 08:42:53 EST, [EMAIL PROTECTED] said:
> But this really doesn't seem to be NANOG material. Try spam-l or spamtools.

When the traffic blip caused by the A/V tools is bigger than the traffic blip caused by the actual virus, it's an operational issue.
Re: other virus damages/costs.....(hello skynet.be ?)
[EMAIL PROTECTED] wrote:
> Enough people are sufficiently annoyed by antivirus notifications/advertisements that they're starting to ask for DNSBLs of systems that send them. I suspect before long, there will be some.

Already thought about it (and dismissed it).

> But this really doesn't seem to be NANOG material. Try spam-l or spamtools.

It could be. It is a network issue, particularly where so many people feel the need to reply with virus 'reports'... I know the virus mails and the virus reports certainly caused some issues network-wise at Telstra recently.

/ Mat
Re: other virus damages/costs.....(hello skynet.be ?)
> Looking at my disk stats, my mail storage spool has grown by 15% in the past week, not due to the deluge of viruses, which I can block and reject, but in large part to those idiotic "Hi, I am sorry in a happy idiotic way to inform you that the message you sent has a virus" messages. As almost all of them forge their email address, what is the point of warning the sender? Even better, I wake up this AM to 285 (and growing) messages like the one below telling me that someone at skynet is trying to send me a virus message, and it cc's 64 other people. Nice.

# MyDoom craziness
# no flags: match on headers only, file the notification in $TRASH
:0
* ^Subject:.*(\
    \{Spam\?\} Warning: E-mail viruses detected|\
    Anti-Virus Notification|\
    BANNED FILENAME|\
    Disallowed attachment type found in sent message|\
    File blocked - ScanMail for Lotus|\
    InterScan NT Alert|\
    Message deleted|\
    NAV detected a virus|\
    Norton AntiVirus detected|\
    RAV AntiVirus scan|\
    Returned due to virus|\
    Skynet Mail Protection|\
    Symantec AntiVirus|\
    Undeliverable: test|\
    VIRUS \(.*\) IN MAIL FROM YOU|\
    VIRUS \(.*\) IN MAIL TO YOU|\
    VIRUS IN YOUR MAIL|\
    Virus Detected by Network Assoc|\
    Virus Notification|\
    Virus found in a message you sent|\
    Virus found in sent message\
    )
$TRASH
Need abuse contact for Yahoo Hosting
Sorry to bother the list, but if anyone from Yahoo is listening: there is a credit-card-stealing web site hosted by Yahoo. Complaints to [EMAIL PROTECTED], as usual for complaints about their hosting, are returned days later saying "Sorry, we can't do anything since this spam didn't come through Yahoo."

URL: http://aol.account-cgi1.com/update.htm

Please contact me directly for a copy of the scam e-mail and the idiotic Yahoo abuse response. If [EMAIL PROTECTED] is not the correct address, then this really should be added to the whois record for your hosting netblocks.

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
Re: AOL web troubles.. New AOL speedup seems to be a slowdown
The Gunn [EMAIL PROTECTED] writes:
> And in response to Rob's suggestion to use SSL instead of implementing cache-control, it would be a pretty wasteful implementation of SSL if its purpose is solely to prevent a proxy from recompressing your images.

To clarify (for list readers who are out of the loop because I made the point in a private communication): I suggested use of SSL in the cited hypothetical case of, for example, high-res medical x-rays and other confidential information, consumer-purchased high-res images and other copyrighted information purchased by the end user. Given the HIPAA and e-commerce implications of the two named cases, using SSL would seem to be a no-brainer, and effectively renders the issue of cache-control moot.

I also suggested that The Gunn read http://www.nanog.org/aup.html item #7 and begin posting with an account that has a real name on it.

---Rob
Re: other virus damages/costs.....(hello skynet.be ?)
On Mon, 2 Feb 2004, Randy Bush wrote:
: # MyDoom craziness
:
: * ^Subject:.*(\

Actually, Mydoom has a very detectable signature. It has both X-Priority and X-MSMail-Priority headers, but *neither* an X-Mailer nor an X-MimeOLE header. These conditions make, for instance, SpamAssassin catch the worm easily. Based on all the available mailboxes I can scan from here, such a check should kill only Mydoom [and some spam]. Rolled that into a milter, and poof!

--
-- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED]
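As an added example, not code posted by anyone on this thread, the two ideas above combined in one filter: the subject-line list from Randy Bush's procmail recipe catches the antivirus backscatter, and Todd Vierling's header-shape heuristic (X-Priority and X-MSMail-Priority present, X-Mailer and X-MimeOLE absent) catches the worm mail itself before any subject check. The three sample messages are constructed for the example; the header heuristic is taken as Todd describes it for the Mydoom of February 2004 and is not a claim about other variants.

```python
import re
from email import message_from_string
from email.message import Message

# Subject patterns copied from the procmail recipe posted earlier in the
# thread: each is the Subject of an antivirus "you sent us a virus" notice,
# i.e. backscatter aimed at a forged sender, not the worm itself.
BACKSCATTER_SUBJECTS = [
    r"\{Spam\?\} Warning: E-mail viruses detected",
    r"Anti-Virus Notification",
    r"BANNED FILENAME",
    r"Disallowed attachment type found in sent message",
    r"File blocked - ScanMail for Lotus",
    r"InterScan NT Alert",
    r"Message deleted",
    r"NAV detected a virus",
    r"Norton AntiVirus detected",
    r"RAV AntiVirus scan",
    r"Returned due to virus",
    r"Skynet Mail Protection",
    r"Symantec AntiVirus",
    r"Undeliverable: test",
    r"VIRUS \(.*\) IN MAIL FROM YOU",
    r"VIRUS \(.*\) IN MAIL TO YOU",
    r"VIRUS IN YOUR MAIL",
    r"Virus Detected by Network Assoc",
    r"Virus Notification",
    r"Virus found in a message you sent",
    r"Virus found in sent message",
]
BACKSCATTER_RE = re.compile("|".join(BACKSCATTER_SUBJECTS))


def is_backscatter(msg: Message) -> bool:
    """Subject matches one of the known A/V notification subjects."""
    return BACKSCATTER_RE.search(msg.get("Subject", "")) is not None


def looks_like_mydoom(msg: Message) -> bool:
    """Header-shape heuristic from the thread: the worm sets both X-Priority
    and X-MSMail-Priority but emits neither X-Mailer nor X-MimeOLE, which
    Outlook-generated mail normally carries (compare SpamAssassin's
    MISSING_MIMEOLE rule in the Skynet notice quoted above)."""
    present = {h.lower() for h in msg.keys()}
    return ({"x-priority", "x-msmail-priority"} <= present
            and not ({"x-mailer", "x-mimeole"} & present))


def classify(raw: str) -> str:
    """Return 'worm', 'backscatter' or 'pass' for one RFC 2822 message."""
    msg = message_from_string(raw)
    if looks_like_mydoom(msg):   # first: the worm's Subject is arbitrary
        return "worm"
    if is_backscatter(msg):
        return "backscatter"
    return "pass"


# Constructed sample messages (not captured mail).
SAMPLE_WORM = """From: someone@example.invalid
To: victim@example.invalid
Subject: hello
X-Priority: 3
X-MSMail-Priority: Normal
Content-Type: text/plain

test
"""

SAMPLE_NOTICE = """From: Skynet Mail Protection <scanner@example.invalid>
To: victim@example.invalid
Subject: Skynet Mail Protection scan results
X-Mailer: ravmd/8.4.2
Importance: high

This e-mail is generated by Skynet Mail Protection to warn you ...
"""

SAMPLE_LEGIT = """From: colleague@example.invalid
To: victim@example.invalid
Subject: lunch?
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165

noon?
"""

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM), ("notice", SAMPLE_NOTICE),
                       ("legit", SAMPLE_LEGIT)):
        print(label, "->", classify(raw))
```

The order of the two checks matters: a worm copy can carry any Subject, so the header test runs first, while the subject list only ever sees mail that already has a plausible mailer header. Todd's own caveat applies: the header test also matches some hand-built spam, so in production it belongs behind a score, not a hard reject.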
Re: Need abuse contact for Yahoo Hosting
On Mon, 2 Feb 2004, Barnabas Toth wrote:
> Maybe you should try to contact AOL abuse instead? I know, I know... Just a thought.

Thanks to those who replied. I've been contacted directly by an AOL rep (who the site pretended to be), and an FBI agent. Interestingly not a peep from Yahoo. Sigh.

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
Re: Need abuse contact for Yahoo Hosting
On Mon, 2 Feb 2004, Christopher X. Candreva wrote:
> Interestingly not a peep from Yahoo. Sigh.

In fairness, I just heard from someone at Yahoo-inc.com.

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
Unbelievable Spam.
Personally, I don't like spam, but I tolerate the messages that slip through to my mailbox as a penalty for my own laziness in not tightening down my spam rules. Today I got one that I couldn't believe.

--snip--
Spam Hosting - from 20$ per mounth.
Fraud Hosting - from 30$ per mounth.
Stoln Credit Cards, Fake ID, DL's.
Spam For free only from 1.02.2004 to 5.02.2004.
--snip--

It's just wrong in my opinion, and exacerbated by the fact that it was spammed to our abuse account. Their /24 just fell off of my piece of the internet. Have I just been blind to this all along, or are the spammers getting bolder?

-Ejay
Re: Unbelievable Spam.
** Reply to message from Ejay Hire [EMAIL PROTECTED] on Mon, 2 Feb 2004 15:01:19 -0600

> Personally, I don't like spam, but I tolerate the messages that slip through to my mailbox as a penalty for my own laziness in not tightening down my spam rules. Today I got one that I couldn't believe.
>
> --snip--
> Spam Hosting - from 20$ per mounth.
> Fraud Hosting - from 30$ per mounth.
> Stoln Credit Cards, Fake ID, DL's.
> Spam For free only from 1.02.2004 to 5.02.2004.
> --snip--
>
> It's just wrong in my opinion, and exacerbated by the fact that it was spammed to our abuse account. Their /24 just fell off of my piece of the internet. Have I just been blind to this all along, or are the spammers getting bolder?
>
> -Ejay

This is known as Rule #3 on n.a.n-a.e... Spammers are stupid.

--
Jeff Shultz
Loose nut behind the wheel.
Re: Unbelievable Spam.
On Mon, 2 Feb 2004 15:01:19 -0600 Ejay Hire [EMAIL PROTECTED] wrote:
> It's just wrong in my opinion, and exacerbated by the fact that it was spammed to our abuse account. Their /24 just fell off of my piece of the internet. Have I just been blind to this all along, or are the spammers getting bolder?

This is actually a somewhat well-known situation. It appears that there are two warring groups of spammers joe-jobbing each other (and if you look at the From addresses, you may see them trying to get various ISP and anti-spammer mailboxes pounded by angry responses). I've got a whole collection of them; been getting them for months.

It's also somewhat off-topic for this list. I suggest that followups be off list, unless they can be typed into IOS.

richard
--
Richard Welty [EMAIL PROTECTED]
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
Re: Unbelievable Spam.
In article [EMAIL PROTECTED], Ejay Hire [EMAIL PROTECTED] writes:
> Personally, I don't like spam, but I tolerate the messages that slip through to my mailbox as a penalty for my own laziness in not tightening down my spam rules. Today I got one that I couldn't believe.
>
> --snip--
> Spam Hosting - from 20$ per mounth.
> Fraud Hosting - from 30$ per mounth.
> Stoln Credit Cards, Fake ID, DL's.
> Spam For free only from 1.02.2004 to 5.02.2004.
> --snip--
>
> It's just wrong in my opinion, and exacerbated by the fact that it was spammed to our abuse account. Their /24 just fell off of my piece of the internet. Have I just been blind to this all along, or are the spammers getting bolder?

Remember, all spammers lie. But what were these spammers lying about?

--
Roland Perry
Re: Unbelievable Spam.
[EMAIL PROTECTED] (Ejay Hire) writes:
> It's just wrong in my opinion, and exacerbated by the fact that it was spammed to our abuse account. Their /24 just fell off of my piece of the internet. Have I just been blind to this all along, or are the spammers getting bolder?

the spammers have nothing to fear from you, or us, or me, or anybody. with the incredible number of bottomfeeders and antivirus companies polluting the ecosystem with their own various get-rich-quick schemes, there's no way to tell the difference between good and bad traffic, good and bad intent, good and bad providers, etc. the spam/antispam battleground is all just mud now.

--
Paul Vixie
Re: Unbelievable Spam.
On 2 Feb 2004, Paul Vixie wrote:
> the spammers have nothing to fear from you, or us, or me, or anybody. with the incredible number of bottomfeeders and antivirus companies polluting the ecosystem with their own various get-rich-quick schemes, there's no way to tell the difference between good and bad traffic, good and bad intent, good and bad providers, etc. the spam/antispam battleground is all just mud now.

Everyone should be glad for the Internet making all of us feel rich and famous. A lot more people want our attention (and money) than we wish to deal with. And this is not only the spam problem; the technology-related privacy and identity issues are merely the other side of the same phenomenon. The rich and famous have had to fight with gossips, paparazzi and various con artists for as long as there have been money, power and fame.

And because the rich and famous have had this problem for a long, long time, they managed to devise some solutions. So everything we do about cyberage problems like spam is going to be some automation of those old solutions. Call me elitist, or old-worlder, but my preferred way of dealing with it is: choose who you are associating with. Introductions. In newspeak, whitelists.

--vadim
Re: Unbelievable Spam.
On Monday, February 02, 2004 4:01 PM [GMT-5=EST], Ejay Hire [EMAIL PROTECTED] wrote:
> It's just wrong in my opinion, and exacerbated by the fact that it was spammed to our abuse account. Their /24 just fell off of my piece of the internet. Have I just been blind to this all along, or are the spammers getting bolder?

It's called a joe job. Spammers do it when they get spanked by an antispammer or someone else they don't like. Usually happens right after their service gets shut off, but they could do it for dozens of reasons. Hipcrime (aka dippy) loves doing this, and less than two months ago he went on a joe job spree spamming my home phone number and a dozen other people's.

They are bold, and don't seem to fear anyone. You can keep killing them, and they don't learn.

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
The AHBL - http://www.ahbl.org
Strange public traceroutes return private RFC1918 addresses
Any ideas how (or why) the following traceroutes are leaking private RFC1918 addresses back to me when I do a traceroute? Maybe try from your side of the internet and see if you get the same types of responses. It's really strange to see 10/8 and 192.168/16 addresses coming from the public internet. Has this phenomenon been documented anywhere? Connectivity to the end-sites is fine; it's just the traceroutes that are strange. (Initial few hops sanitized.)

[EMAIL PROTECTED] /]# traceroute www.ibm.com
traceroute: Warning: www.ibm.com has multiple addresses; using 129.42.17.99
traceroute to www.ibm.com (129.42.17.99), 30 hops max, 38 byte packets
 1  (---.---.---.---)  2.481 ms  2.444 ms  2.379 ms
 2  (---.---.---.---)  17.964 ms  17.529 ms  17.632 ms
 3  so-1-2.core1.Chicago1.Level3.net (209.0.225.1)  17.891 ms  17.985 ms  18.026 ms
 4  so-11-0.core2.chicago1.level3.net (4.68.112.194)  18.272 ms  18.109 ms  17.795 ms
 5  so-4-1-0.bbr2.chicago1.level3.net (4.68.112.197)  17.851 ms  17.859 ms  18.094 ms
 6  so-3-0-0.mp1.stlouis1.level3.net (64.159.0.49)  23.095 ms  22.975 ms  22.998 ms
 7  ge-7-1.hsa2.stlouis1.level3.net (64.159.4.130)  23.106 ms  23.237 ms  22.977 ms
 8  unknown.level3.net (63.20.48.6)  24.264 ms  24.099 ms  24.154 ms
 9  10.16.255.10 (10.16.255.10)  24.164 ms  24.108 ms  24.105 ms
10  * * *

[EMAIL PROTECTED] /]# traceroute www.att.net
traceroute: Warning: www.att.net has multiple addresses; using 204.127.166.135
traceroute to www.att.net (204.127.166.135), 30 hops max, 38 byte packets
 1  (---.---.---.---)  2.404 ms  2.576 ms  2.389 ms
 2  (---.---.---.---)  17.953 ms  18.170 ms  17.435 ms
 3  500.pos2-1.gw10.chi2.alter.net (63.84.96.9)  18.077 ms *  18.628 ms
 4  0.so-6-2-0.xl1.chi2.alter.net (152.63.69.170)  18.238 ms  18.321 ms  18.213 ms
 5  0.so-6-1-0.BR6.CHI2.ALTER.NET (152.63.64.49)  18.269 ms  18.396 ms  18.329 ms
 6  204.255.169.146 (204.255.169.146)  19.231 ms  19.042 ms  18.982 ms
 7  tbr2-p012702.cgcil.ip.att.net (12.122.11.209)  20.530 ms  20.542 ms  23.033 ms
 8  tbr2-cl7.sl9mo.ip.att.net (12.122.10.46)  26.904 ms  27.378 ms  27.320 ms
 9  tbr1-cl2.sl9mo.ip.att.net (12.122.9.141)  27.194 ms  27.673 ms  26.677 ms
10  gbr1-p10.bgtmo.ip.att.net (12.122.4.69)  26.606 ms  28.026 ms  26.246 ms
11  12.122.248.250 (12.122.248.250)  27.296 ms  28.321 ms  28.997 ms
12  192.168.254.46 (192.168.254.46)  28.522 ms  30.111 ms  27.439 ms
13  * * *
14  * * *
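As an added example, not code from the original post, a small parser that pulls the responding address out of each traceroute hop and flags the ones sourced from RFC 1918 space, which is the check the question above is doing by eye. The two traceroutes from the post are embedded as the sample input; the hop-line regex assumes the classic BSD/Linux traceroute layout shown there ("n  name (addr)  rtt ms ...").

```python
import ipaddress
import re

# One traceroute hop per line.  The address is the token in parentheses, so
# "9 10.16.255.10 (10.16.255.10) 24.164 ms" and
# "3 so-1-2.core1.Chicago1.Level3.net (209.0.225.1) 17.891 ms" both match,
# while "10 * * *" (no reply) does not.
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:(\S+)\s+)?\(([^)]+)\)")

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hops(text):
    """Return [(hop_number, name, ip)] for hops that reported a parseable address."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        num, name, addr = m.groups()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue            # sanitized hop such as (---.---.---.---)
        hops.append((int(num), name or str(ip), ip))
    return hops


def rfc1918_hops(text):
    """Hops whose ICMP time-exceeded reply was sourced from RFC 1918 space."""
    return [(n, str(ip)) for n, _, ip in parse_hops(text)
            if any(ip in net for net in RFC1918)]


def non_global_hops(text):
    """Broader check: any hop sourced from space that should not be routed on
    the public Internet (RFC 1918, loopback, link-local, test nets, ...)."""
    return [(n, str(ip)) for n, _, ip in parse_hops(text) if not ip.is_global]


# Sample input: the two traceroutes from the post above, verbatim.
IBM_TRACE = """traceroute to www.ibm.com (129.42.17.99), 30 hops max, 38 byte packets
 1  (---.---.---.---)  2.481 ms  2.444 ms  2.379 ms
 2  (---.---.---.---)  17.964 ms  17.529 ms  17.632 ms
 3  so-1-2.core1.Chicago1.Level3.net (209.0.225.1)  17.891 ms  17.985 ms  18.026 ms
 4  so-11-0.core2.chicago1.level3.net (4.68.112.194)  18.272 ms  18.109 ms  17.795 ms
 5  so-4-1-0.bbr2.chicago1.level3.net (4.68.112.197)  17.851 ms  17.859 ms  18.094 ms
 6  so-3-0-0.mp1.stlouis1.level3.net (64.159.0.49)  23.095 ms  22.975 ms  22.998 ms
 7  ge-7-1.hsa2.stlouis1.level3.net (64.159.4.130)  23.106 ms  23.237 ms  22.977 ms
 8  unknown.level3.net (63.20.48.6)  24.264 ms  24.099 ms  24.154 ms
 9  10.16.255.10 (10.16.255.10)  24.164 ms  24.108 ms  24.105 ms
10  * * *
"""

ATT_TRACE = """traceroute to www.att.net (204.127.166.135), 30 hops max, 38 byte packets
 1  (---.---.---.---)  2.404 ms  2.576 ms  2.389 ms
 2  (---.---.---.---)  17.953 ms  18.170 ms  17.435 ms
 3  500.pos2-1.gw10.chi2.alter.net (63.84.96.9)  18.077 ms *  18.628 ms
 4  0.so-6-2-0.xl1.chi2.alter.net (152.63.69.170)  18.238 ms  18.321 ms  18.213 ms
 5  0.so-6-1-0.BR6.CHI2.ALTER.NET (152.63.64.49)  18.269 ms  18.396 ms  18.329 ms
 6  204.255.169.146 (204.255.169.146)  19.231 ms  19.042 ms  18.982 ms
 7  tbr2-p012702.cgcil.ip.att.net (12.122.11.209)  20.530 ms  20.542 ms  23.033 ms
 8  tbr2-cl7.sl9mo.ip.att.net (12.122.10.46)  26.904 ms  27.378 ms  27.320 ms
 9  tbr1-cl2.sl9mo.ip.att.net (12.122.9.141)  27.194 ms  27.673 ms  26.677 ms
10  gbr1-p10.bgtmo.ip.att.net (12.122.4.69)  26.606 ms  28.026 ms  26.246 ms
11  12.122.248.250 (12.122.248.250)  27.296 ms  28.321 ms  28.997 ms
12  192.168.254.46 (192.168.254.46)  28.522 ms  30.111 ms  27.439 ms
13  * * *
14  * * *
"""

if __name__ == "__main__":
    for label, trace in (("ibm", IBM_TRACE), ("att", ATT_TRACE)):
        print(label, "RFC1918 hops:", rfc1918_hops(trace))
```

Note what a hit actually tells you: the router numbered its interface from 10/8 or 192.168/16, and the ICMP time-exceeded it generated, with that private source address, was forwarded all the way back through the intervening networks. So the check doubles as a quick test of whether the path's edges drop packets sourced from private space; the spoofing discussion later in this thread depends on exactly that kind of source filtering.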
Re: Strange public traceroutes return private RFC1918 addresses
This is quite often used. You can't (D)DoS the routers this way, nor try to do any harm to them, as you can't reach them.

Regards,
Jonas

On Tue, 2004-02-03 at 00:01, Brian (nanog-list) wrote:
> Any ideas how (or why) the following traceroutes are leaking private RFC1918 addresses back to me when I do a traceroute? Maybe try from your side of the internet and see if you get the same types of responses. It's really strange to see 10/8 and 192.168/16 addresses coming from the public internet. Has this phenomenon been documented anywhere? Connectivity to the end-sites is fine; it's just the traceroutes that are strange. (Initial few hops sanitized.)
>
> [quoted traceroutes to www.ibm.com and www.att.net, identical to the original post above, trimmed]
Re: Strange public traceroutes return private RFC1918 addresses
Search the archives, Comcast and other cable/DSL providers use the 10/8 for their infrastructure. The Internet itself doesn't need to be Internet routable. Only the edges need to be routable. It is common practice to use RFC1918 address space inside the network. Companies like Sprint and Verio use 'real' IPs but don't announce them to their peers on customer edge routes.

-Matt

On Feb 2, 2004, at 6:01 PM, Brian (nanog-list) wrote:

> Any ideas how (or why) the following traceroutes are leaking private RFC1918 addresses back to me when I do a traceroute? Maybe try from your side of the internet and see if you get the same types of responses. It's really strange to see 10/8's and 192.168/16 addresses coming from the public internet. Has this phenomenon been documented anywhere? Connectivity to the end-sites is fine, it's just the traceroutes that are strange.
>
> (initial few hops sanitized)
>
> [EMAIL PROTECTED] /]# traceroute www.ibm.com
> traceroute: Warning: www.ibm.com has multiple addresses; using 129.42.17.99
> traceroute to www.ibm.com (129.42.17.99), 30 hops max, 38 byte packets
>  1  (---.---.---.---)  2.481 ms  2.444 ms  2.379 ms
>  2  (---.---.---.---)  17.964 ms  17.529 ms  17.632 ms
>  3  so-1-2.core1.Chicago1.Level3.net (209.0.225.1)  17.891 ms  17.985 ms  18.026 ms
>  4  so-11-0.core2.chicago1.level3.net (4.68.112.194)  18.272 ms  18.109 ms  17.795 ms
>  5  so-4-1-0.bbr2.chicago1.level3.net (4.68.112.197)  17.851 ms  17.859 ms  18.094 ms
>  6  so-3-0-0.mp1.stlouis1.level3.net (64.159.0.49)  23.095 ms  22.975 ms  22.998 ms
>  7  ge-7-1.hsa2.stlouis1.level3.net (64.159.4.130)  23.106 ms  23.237 ms  22.977 ms
>  8  unknown.level3.net (63.20.48.6)  24.264 ms  24.099 ms  24.154 ms
>  9  10.16.255.10 (10.16.255.10)  24.164 ms  24.108 ms  24.105 ms
> 10  * * *
>
> [EMAIL PROTECTED] /]# traceroute www.att.net
> traceroute: Warning: www.att.net has multiple addresses; using 204.127.166.135
> traceroute to www.att.net (204.127.166.135), 30 hops max, 38 byte packets
>  1  (---.---.---.---)  2.404 ms  2.576 ms  2.389 ms
>  2  (---.---.---.---)  17.953 ms  18.170 ms  17.435 ms
>  3  500.pos2-1.gw10.chi2.alter.net (63.84.96.9)  18.077 ms  *  18.628 ms
>  4  0.so-6-2-0.xl1.chi2.alter.net (152.63.69.170)  18.238 ms  18.321 ms  18.213 ms
>  5  0.so-6-1-0.BR6.CHI2.ALTER.NET (152.63.64.49)  18.269 ms  18.396 ms  18.329 ms
>  6  204.255.169.146 (204.255.169.146)  19.231 ms  19.042 ms  18.982 ms
>  7  tbr2-p012702.cgcil.ip.att.net (12.122.11.209)  20.530 ms  20.542 ms  23.033 ms
>  8  tbr2-cl7.sl9mo.ip.att.net (12.122.10.46)  26.904 ms  27.378 ms  27.320 ms
>  9  tbr1-cl2.sl9mo.ip.att.net (12.122.9.141)  27.194 ms  27.673 ms  26.677 ms
> 10  gbr1-p10.bgtmo.ip.att.net (12.122.4.69)  26.606 ms  28.026 ms  26.246 ms
> 11  12.122.248.250 (12.122.248.250)  27.296 ms  28.321 ms  28.997 ms
> 12  192.168.254.46 (192.168.254.46)  28.522 ms  30.111 ms  27.439 ms
> 13  * * *
> 14  * * *
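The pattern Brian reports (a hop answering from 10/8 or 192.168/16, then silence) can be picked out of traceroute output mechanically. What follows is an added example written for this archive, not code from the thread or from any poster: it parses the classic Unix traceroute text format and reports hops whose replying address is in RFC1918 space. The sample input is a trimmed, constructed copy of the two traceroutes quoted above, and the function names (`parse`, `private_hops`, `followed_by_silence`) are the example's own.

```python
"""Flag RFC1918 hops in traceroute output (added example, not from the thread)."""
import ipaddress
import re

# Constructed sample: a trimmed copy of the two traceroutes quoted in the
# thread above, keeping the sanitized first hops exactly as they appear there.
SAMPLE = """\
traceroute to www.ibm.com (129.42.17.99), 30 hops max, 38 byte packets
 1  (---.---.---.---)  2.481 ms  2.444 ms  2.379 ms
 3  so-1-2.core1.Chicago1.Level3.net (209.0.225.1)  17.891 ms  17.985 ms  18.026 ms
 8  unknown.level3.net (63.20.48.6)  24.264 ms  24.099 ms  24.154 ms
 9  10.16.255.10 (10.16.255.10)  24.164 ms  24.108 ms  24.105 ms
10  * * *
traceroute to www.att.net (204.127.166.135), 30 hops max, 38 byte packets
 1  (---.---.---.---)  2.404 ms  2.576 ms  2.389 ms
 3  500.pos2-1.gw10.chi2.alter.net (63.84.96.9)  18.077 ms  *  18.628 ms
 6  204.255.169.146 (204.255.169.146)  19.231 ms  19.042 ms  18.982 ms
11  12.122.248.250 (12.122.248.250)  27.296 ms  28.321 ms  28.997 ms
12  192.168.254.46 (192.168.254.46)  28.522 ms  30.111 ms  27.439 ms
13  * * *
14  * * *
"""

# The three RFC1918 blocks, spelled out rather than relying on
# ipaddress.is_private, which also covers other reserved ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

HEADER_RE = re.compile(r"^traceroute to (\S+) \((\d+\.\d+\.\d+\.\d+)\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
ADDR_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse(text):
    """Return {destination: [(ttl, addr_or_None, kind), ...]} per traceroute run."""
    traces = {}
    current = None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:                      # "traceroute to host (ip), ..." starts a new run
            current = h.group(1)
            traces[current] = []
            continue
        m = HOP_RE.match(line)
        if not m or current is None:
            continue               # warning lines, prompts, anything else
        ttl, rest = int(m.group(1)), m.group(2).strip()
        if rest.startswith("*"):   # all probes timed out at this TTL
            traces[current].append((ttl, None, "no-reply"))
            continue
        a = ADDR_RE.search(rest)
        if not a:                  # hop present but address sanitized by the poster
            traces[current].append((ttl, None, "sanitized"))
            continue
        addr = a.group(1)
        traces[current].append((ttl, addr, "rfc1918" if is_rfc1918(addr) else "public"))
    return traces


def private_hops(text):
    """(destination, ttl, addr) for every hop that answered from RFC1918 space."""
    return [(dst, ttl, addr)
            for dst, hops in parse(text).items()
            for ttl, addr, kind in hops if kind == "rfc1918"]


def followed_by_silence(text):
    """Destinations where an RFC1918 hop is immediately followed by a no-reply hop.

    That shape is consistent with the next router's ICMP being filtered on the
    return path, as discussed in the thread, though traceroute alone cannot
    prove the cause (the destination may simply drop probes)."""
    out = []
    for dst, hops in parse(text).items():
        for (t1, _, k1), (t2, _, k2) in zip(hops, hops[1:]):
            if k1 == "rfc1918" and k2 == "no-reply" and t2 == t1 + 1:
                out.append(dst)
    return out


if __name__ == "__main__":
    for dst, ttl, addr in private_hops(SAMPLE):
        print(f"{dst}: hop {ttl} answered from RFC1918 address {addr}")
```

Run against the sample it reports hop 9 of the www.ibm.com trace and hop 12 of the www.att.net trace, matching what Brian saw by eye; the same parser works on a full, unsanitized traceroute capture.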
Re: Unbelievable Spam.
On Mon, 2 Feb 2004 15:01:19 -0600 Ejay Hire [EMAIL PROTECTED] wrote:

--snip--

> It's just wrong in my opinion, and exacerbated by the fact that it was spammed to our abuse account. Their /24 just fell off of my piece of the internet. Have I just been blind to this all along, or are the spammers getting bolder?
>
> -Ejay

Don't forget that the bulk of SPAM sent nowadays originates from zombie M$ boxes sitting on home broadband connections. Be very sure that the IP space is owned by the guilty party before blackholing addresses.

-- 
Bill Thompson
[EMAIL PROTECTED]
GPG Key ID:0xFB966670
Re: Strange public traceroutes return private RFC1918 addresses
On Feb 2, 2004, at 6:20 PM, Jonas Frey (Probe Networks) wrote:

> This is quite often used. You can't (d)DoS the routers this way, nor try to do any harm to them as you can't reach them.

Sure you can, easy, attack a router 1 hop past your real target and spoof your target as the source. The resulting ICMP responses will hammer the target. If the Internet edge actually protected itself against spoofing it would be harder but it is still very do-able now.
Re: Unbelievable Spam.
On Mon, 2 Feb 2004, Brian Bruns wrote:

> They are bold, and don't seem to fear anyone. You can keep killing them, and they don't learn.

That's because nobody's _killing_ them. There is an anecdotal story of some Russian ISP actually sending a few toughs to beat up some HACK0R DUD3Z. That ISP had seen a dramatically decreased number of attacks on its servers and customers.

--vadim
Re: Strange public traceroutes return private RFC1918 addresses
Matthew Crocker wrote:

> Search the archives, Comcast and other cable/DSL providers use the 10/8 for their infrastructure. The Internet itself doesn't need to be Internet routable. Only the edges need to be routable. It is common practice to use RFC1918 address space inside the network. Companies like Sprint and Verio use 'real' IPs but don't announce them to their peers on customer edge routes.

Which (as discussed previously) breaks things like Path MTU Discovery, traceroute, and other things that depend on the router sending back ICMP packets to the sender if any ISP along the return path (properly) filters RFC1918 address space as being bogus. You can use RFC1918 space on any device that really has no need to communicate with the outside world, but generally, un-NAT'ed routers don't qualify for this, at least on their transit interfaces.

I believe Comcast (and I'm going only on my experience as a customer) is or has moved from RFC1918 space to routable IP space for their routers, at least on interfaces I've been doing traceroutes through.

Bob
Re: Strange public traceroutes return private RFC1918 addresses
Using real but announced IPs for routers will make their packets fail unicast-RPF checks, dropping traceroute and PMTUD responses as happens with RFC1918 addresses.

Rubens

- Original Message -
From: Matthew Crocker [EMAIL PROTECTED]
To: Brian (nanog-list) [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, February 02, 2004 9:25 PM
Subject: Re: Strange public traceroutes return private RFC1918 addresses

> Search the archives, Comcast and other cable/DSL providers use the 10/8 for their infrastructure. The Internet itself doesn't need to be Internet routable. Only the edges need to be routable. It is common practice to use RFC1918 address space inside the network. Companies like Sprint and Verio use 'real' IPs but don't announce them to their peers on customer edge routes.
>
> -Matt
>
> On Feb 2, 2004, at 6:01 PM, Brian (nanog-list) wrote:
>
> > Any ideas how (or why) the following traceroutes are leaking private RFC1918 addresses back to me when I do a traceroute? Maybe try from your side of the internet and see if you get the same types of responses. It's really strange to see 10/8's and 192.168/16 addresses coming from the public internet. Has this phenomenon been documented anywhere? Connectivity to the end-sites is fine, it's just the traceroutes that are strange.
> >
> > (initial few hops sanitized)
> >
> > [EMAIL PROTECTED] /]# traceroute www.ibm.com
> > traceroute: Warning: www.ibm.com has multiple addresses; using 129.42.17.99
> > traceroute to www.ibm.com (129.42.17.99), 30 hops max, 38 byte packets
> >  1  (---.---.---.---)  2.481 ms  2.444 ms  2.379 ms
> >  2  (---.---.---.---)  17.964 ms  17.529 ms  17.632 ms
> >  3  so-1-2.core1.Chicago1.Level3.net (209.0.225.1)  17.891 ms  17.985 ms  18.026 ms
> >  4  so-11-0.core2.chicago1.level3.net (4.68.112.194)  18.272 ms  18.109 ms  17.795 ms
> >  5  so-4-1-0.bbr2.chicago1.level3.net (4.68.112.197)  17.851 ms  17.859 ms  18.094 ms
> >  6  so-3-0-0.mp1.stlouis1.level3.net (64.159.0.49)  23.095 ms  22.975 ms  22.998 ms
> >  7  ge-7-1.hsa2.stlouis1.level3.net (64.159.4.130)  23.106 ms  23.237 ms  22.977 ms
> >  8  unknown.level3.net (63.20.48.6)  24.264 ms  24.099 ms  24.154 ms
> >  9  10.16.255.10 (10.16.255.10)  24.164 ms  24.108 ms  24.105 ms
> > 10  * * *
> >
> > [EMAIL PROTECTED] /]# traceroute www.att.net
> > traceroute: Warning: www.att.net has multiple addresses; using 204.127.166.135
> > traceroute to www.att.net (204.127.166.135), 30 hops max, 38 byte packets
> >  1  (---.---.---.---)  2.404 ms  2.576 ms  2.389 ms
> >  2  (---.---.---.---)  17.953 ms  18.170 ms  17.435 ms
> >  3  500.pos2-1.gw10.chi2.alter.net (63.84.96.9)  18.077 ms  *  18.628 ms
> >  4  0.so-6-2-0.xl1.chi2.alter.net (152.63.69.170)  18.238 ms  18.321 ms  18.213 ms
> >  5  0.so-6-1-0.BR6.CHI2.ALTER.NET (152.63.64.49)  18.269 ms  18.396 ms  18.329 ms
> >  6  204.255.169.146 (204.255.169.146)  19.231 ms  19.042 ms  18.982 ms
> >  7  tbr2-p012702.cgcil.ip.att.net (12.122.11.209)  20.530 ms  20.542 ms  23.033 ms
> >  8  tbr2-cl7.sl9mo.ip.att.net (12.122.10.46)  26.904 ms  27.378 ms  27.320 ms
> >  9  tbr1-cl2.sl9mo.ip.att.net (12.122.9.141)  27.194 ms  27.673 ms  26.677 ms
> > 10  gbr1-p10.bgtmo.ip.att.net (12.122.4.69)  26.606 ms  28.026 ms  26.246 ms
> > 11  12.122.248.250 (12.122.248.250)  27.296 ms  28.321 ms  28.997 ms
> > 12  192.168.254.46 (192.168.254.46)  28.522 ms  30.111 ms  27.439 ms
> > 13  * * *
> > 14  * * *
wildly successful
so... funding found. nanog bound. ... hotel sold out? wow!

--bill
Re: Strange public traceroutes return private RFC1918 addresses
On Tue, 3 Feb 2004, Rubens Kuhl Jr. wrote:

> Using real but announced IPs for routers will make their packets fail unicast-RPF checks, dropping traceroute and PMTUD responses as happens with RFC1918 addresses.

I guess you meant unannounced. This is the case for those who run uRPF towards their upstream (or transit ISPs peering with them who'd run uRPF on the peering links). I don't think too many folks do that.

But I see very little point in not announcing them. Equally well you could just set up an acl at the edge which drops or rate-limits the traffic. Well, you might not be able to if you're using a vendor the implementation of which doesn't allow you to do that.. :)

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
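The mechanism Rubens and Pekka are arguing about, and which also decides whether the spoofed-source traffic mentioned earlier in the thread gets past an edge, is unicast RPF: the router looks up the packet's source address in its own forwarding table and drops the packet if the lookup fails (loose mode) or if the best path back to that source is not the interface the packet arrived on (strict mode). The following is an added example written for this archive, not code from the thread, from any poster or from any router vendor: it models both modes against a small constructed forwarding table. The prefixes, interface names and the `Null0` discard convention are assumptions for the example; the documentation prefixes 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 stand in for real customer and peer blocks.

```python
"""Strict and loose unicast RPF against a small FIB (added example, not from the thread)."""
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "prefix iface")
NULL0 = "Null0"  # discard "interface", as used for null-routing bogon space


def net(s):
    return ipaddress.ip_network(s)


# Constructed FIB of a default-free edge router (no 0.0.0.0/0). Interface
# names and prefixes are made up for this example.
FIB = [
    Route(net("203.0.113.0/24"), "cust0"),    # our own customer's block
    Route(net("198.51.100.0/24"), "peer0"),   # block a peer announces to us
    Route(net("10.0.0.0/8"), NULL0),          # RFC1918 null-routed as bogons
    Route(net("172.16.0.0/12"), NULL0),
    Route(net("192.168.0.0/16"), NULL0),
    # 192.0.2.0/24 is routable but nobody announces it: deliberately absent.
]


def lookup(src, fib=FIB):
    """Longest-prefix match on the source address; None when nothing covers it."""
    ip = ipaddress.ip_address(src)
    matches = [r for r in fib if ip in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def rpf_verdict(src, in_iface, fib=FIB):
    """Return (strict_ok, loose_ok, reason) for a packet from src arriving on in_iface."""
    r = lookup(src, fib)
    if r is None:
        # Unannounced space (Pekka's "unannounced" case): no route at all.
        return (False, False, "no route to source")
    if r.iface == NULL0:
        # Null-routed bogon such as RFC1918: loose mode fails too.
        return (False, False, "source is null-routed")
    if r.iface != in_iface:
        # Route exists but points elsewhere: spoofed or asymmetric; strict fails.
        return (False, True, f"reverse path is via {r.iface}, not {in_iface}")
    return (True, True, "reverse path matches ingress interface")


def urpf_strict(src, in_iface, fib=FIB):
    return rpf_verdict(src, in_iface, fib)[0]


def urpf_loose(src, in_iface, fib=FIB):
    return rpf_verdict(src, in_iface, fib)[1]


if __name__ == "__main__":
    # ICMP time-exceeded / fragmentation-needed replies sourced from a router
    # interface address, arriving at our uRPF-enabled peering link.
    cases = [
        ("198.51.100.7", "peer0"),    # router numbered from announced space
        ("192.0.2.5", "peer0"),       # routable but unannounced space
        ("10.16.255.10", "peer0"),    # RFC1918 address from the thread
        ("203.0.113.9", "peer0"),     # our customer's block arriving from a peer
    ]
    for src, iface in cases:
        strict, loose, why = rpf_verdict(src, iface)
        print(f"{src:>15} on {iface}: strict={'pass' if strict else 'drop'} "
              f"loose={'pass' if loose else 'drop'}  ({why})")
```

Two things fall out of the table. First, a router numbered from routable but unannounced space behaves exactly like one numbered from RFC1918 space under either uRPF mode: with no route to the source, both modes drop its ICMP, which is Rubens's point once "announced" is read as "unannounced". Second, announcing the space and then rate-limiting or dropping traffic to the router addresses with an ACL, as Pekka suggests, keeps the reverse path intact, so the router's own replies still pass the check while the addresses remain protected.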