Re: SkyCache/Cidera replacement?
On Mon, Sep 20, 2004 at 07:54:09PM -0400, Dan Mahoney, System Admin wrote:

> Assuming I wanted to go about setting up an NNTP server, how would I go about getting and maintaining the feeds? There's no central authority AFAIK, but does anyone have any knowledge as to relative price and/or bandwidth consumption?

You get a feed mostly by knowing someone who gives it to you. Sometimes knowing somebody who knows somebody else who can give it to you also works. More hops are generally a problem.

Bandwidth consumption strongly depends on what newsgroups you will be having on your newsserver. On a small local hierarchy the 9600Bd modem might still do. For a full feed 100Mbit/s are needed.

Nils
RE: NYSE
You can no longer order direct lines to SIAC unless you have an extremely compelling reason. Nowadays you must order a line to SFTI which is their Disaster-Recovery-centric service. You are correct about the connection method, but he will need to be specific and understand that he wants to connect to SFTI and not just SIAC directly anymore.

See: https://sfti.siac.com/sfti/index.jsp for more details.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alen Capalik
Sent: Monday, September 20, 2004 10:20 PM
To: Philip Lavine
Cc: nanog
Subject: Re: NYSE

On Mon, Sep 20, 2004 at 10:36:16AM -0700, Philip Lavine wrote:

> If I were to connect to SIAC through a SONET ring, whose would it be? Is it private or public?

They use any provider (Verizon, MCI, ATT and ConEd Comm.), however ConEd Comm. is their primary backbone provider.

So, here's how you go about it. You order a line (DS-1, DS-3, 100Mb/s, Gig, whatever) from any of the providers you use (if I were you I would use either Verizon or ConEd Comm, I can give you the number for ConEd Comm. head sales person). You contact SIAC, and you start the paperwork to get your network connected into their backbone SONET. Once you get permit numbers, you have the provider drop a line into one of 5 data centers around the NY area, and SIAC gives you a port on one of their Juniper routers. They also give you VLAN setup requirements so you can configure your border switch/router. The line is owned by you. SIAC only gives you a port on their routers.

NOTE: NEVER ORDER ONE LINE. ORDER TWO OR MORE LINES TO DIFFERENT SIAC DATA CENTERS.

The cost for one port (one line) is as follows:
MRC (Monthly Recurring Cost): $4,400.00
NRC (Non-Recurring Cost, i.e. one time fee): $8,800

Any line you drop at SIAC will cost you that amount, and that's on top of the line costs from the provider. That's it. Hope this helps. Like I said it's a very long and tedious process getting the line up and running with SIAC. They are practically a government institution, and they don't move too fast for anybody.

--- R. Benjamin Kessler [EMAIL PROTECTED] wrote:

> I've set up a highly-redundant connection for one of my clients (equipment in two different access-centers in two different cities). What are you looking to do?
>
> - Ben
> ~~
> R. Benjamin Kessler
> Sr. Network Consultant
> CCIE #8762, CISSP, CCSE
> Midwest Network Services Group
> Email: [EMAIL PROTECTED]
> http://www.midwestnsg.com
> Phone: 260-625-3273
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philip Lavine
> Sent: Friday, September 17, 2004 2:38 PM
> To: [EMAIL PROTECTED]
> Subject: NYSE
>
> Does anyone have experience in setting up a direct connection with NYSE, specifically SIAC or SFTI?

--
Alen Capalik
CTO
Wiretap Networks Inc.
Tel: (310)497-3512
Email: [EMAIL PROTECTED]
Website: http://www.wiretapnetworks.com

/*
 * Anything that is considered impossibility,
 * will in fact occur with absolute certainty.
 */
Re: RE: NYSE
There are a few things about the SFTI set up that are a bit baffling to me. From their website:

> SFTI carries IP traffic over a topology of redundant, self-healing fiber-optic rings, completely independent of all other telco circuits and conduits. SFTI's design is straightforward, consolidating traffic into fewer pipes, which minimizes complexity and reduces the number of potential points of failure.

What does "completely independent of all other telco circuits and conduits" mean? Did they get their very own new rights of way dug out? A certain government report listed their physical fiber provider, and they certainly are not new rights of way.

Further, I'm a bit baffled how reducing the number of pipes reduces the number of potential points of failure. Usually fewer pipes means less diversity. A ring is nice till someone hits it in two places. I also wonder how many of these rings are collapsed in a single conduit.

I hope someone over there is asking tough questions and is following up on getting a second physical fiber provider. I'd recommend not advertising who it is this time either.

- Original Message -
From: Temkin, David [EMAIL PROTECTED]
Date: Tuesday, September 21, 2004 9:45 am
Subject: RE: NYSE
Re: Log Analyzing tool for Cisco and Juniper router (switch)
try fwlogwatch
Re: Log Analyzing tool for Cisco and Juniper router (switch)
Check last week's thread about Open Source NMS tools, there's quite a few messages there with references to log analyzers and similar tools.

Cheers,
Erik

On Tue, 2004-09-21 at 16:49, Joe Shen wrote:

> Hi,
>
> We want to analyze logs from Cisco and Juniper routers and switches periodically. We have set up a Solaris box to collect all those logs generated by Juniper routers, Cisco routers, and Cisco L2/L3 switches. But, we found the log file format differs greatly even between Cisco products. Is there any good tool for this?
>
> Thanks
> Joe

--
Erik Haagsman
Network Architect
We Dare BV
tel: +31(0)10 7507008
fax: +31(0)10 7507005
http://www.we-dare.nl
RE: RE: NYSE
It's my understanding that:

A) The providers of the actual ring did install separate fiber for SFTI but I have no idea whether or not they're in new rights of way - I'm willing to bet not.

B) Reducing the points of entry into the ring reduces complexity and makes it much easier to recover the ring in the event of a disaster. Understanding that SIAC has thousands and thousands of customers connecting at the DS-3+ level to get data that's generated from one place means that you need to keep the distribution uniform. Basically, it boils down to them being able to say "Our ring is up, if your connectivity to our ring is down it's your problem" in order to maintain fairness between Trading firm A that has 10 people and Trading firm B that has 10,000 people. When they were maintaining separate interfaces for each customer they could potentially run into issues where they'd get certain larger firms back able to trade sooner than smaller ones and then you create unfair market disadvantages.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 21, 2004 10:40 AM
To: Temkin, David
Cc: Alen Capalik; Philip Lavine; nanog
Subject: Re: RE: NYSE
Re: Log Analyzing tool for Cisco and Juniper router (switch)
On Tue, 21 Sep 2004 22:49:36 +0800 (CST) Joe Shen [EMAIL PROTECTED] wrote:

> We want to analyze logs from Cisco and Juniper routers and switches periodically.

cislog on the following page is Cisco specific, but you may find it useful:

http://aharp.ittns.northwestern.edu/software/

It is basically a bunch of Perl regexes and some Top X reports, plus a summary of hourly log count. I haven't gotten around to packaging up the Juniper equivalent yet.

John
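One way to do what Joe asks on a central syslog host, as an added example that is not part of this thread and is not the cislog tool John links: a short Python script that recognises the Cisco IOS `%FACILITY-SEVERITY-MNEMONIC:` form and the Junos `process[pid]: TAG:` form behind the collecting syslogd's prefix, normalises both into one record shape, and produces the Top-N and hourly summaries. The log lines are constructed, the year is an assumption (the BSD syslog prefix carries none), and the regexes cover only those two line shapes; anything else is kept as vendor "unknown" rather than dropped.

```python
"""Normalise Cisco IOS and Junos syslog lines collected on one syslog host
and summarise them.  Added example for this thread, not the cislog tool;
SAMPLE_LINES are constructed and the default year is an assumption."""
import re
from collections import Counter
from datetime import datetime

# Prefix written by the collecting syslogd: "Mon DD HH:MM:SS host rest"
PREFIX = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<rest>.*)$")
# Cisco IOS: optional sequence number, optional device timestamp, then
# %FACILITY-SEVERITY-MNEMONIC: text
CISCO = re.compile(
    r"^(?:\d+: )?(?:[*.]?[A-Z][a-z]{2}\s+\d{1,2} [\d:.]+(?: [A-Z]+)?: )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$")
# Junos: process[pid]: TAG: text  (no numeric severity in the line itself)
JUNOS = re.compile(
    r"^(?P<proc>[A-Za-z_-]+)\[(?P<pid>\d+)\]: (?P<mnemonic>[A-Z][A-Z0-9_]+): (?P<msg>.*)$")

SAMPLE_LINES = [  # constructed, not taken from any real device
    "Sep 21 10:15:32 core1 1234: Sep 21 10:15:31.120: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(1234) -> 192.0.2.10(23), 1 packet",
    "Sep 21 10:15:40 core1 1235: Sep 21 10:15:39.001: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "Sep 21 10:16:02 edge1 mgd[4021]: UI_COMMIT: User 'admin' requested 'commit' operation (comment: none)",
    "Sep 21 11:02:11 edge1 sshd[5120]: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '198.51.100.7'",
    "Sep 21 11:05:55 sw2 %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.9)",
    "Sep 21 11:06:01 sw2 %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.9)",
    "Sep 21 11:30:00 core1 5: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on Serial0/0 from FULL to DOWN, Neighbor Down: Dead timer expired",
]


def parse_line(line, year=2004):
    """Return one normalised record, or None if the syslog prefix is unparseable."""
    m = PREFIX.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    rec = {"ts": ts, "host": m["host"], "vendor": "unknown", "facility": None,
           "severity": None, "mnemonic": None, "msg": m["rest"]}
    c = CISCO.match(m["rest"])
    if c:
        rec.update(vendor="cisco", facility=c["facility"], severity=int(c["sev"]),
                   mnemonic=c["mnemonic"], msg=c["msg"])
        return rec
    j = JUNOS.match(m["rest"])
    if j:
        rec.update(vendor="junos", facility=j["proc"], mnemonic=j["mnemonic"], msg=j["msg"])
    return rec


def summarize(lines, top=5, max_sev=3):
    """Top-N mnemonics and hosts, per-hour counts, and Cisco messages at
    severity <= max_sev (0-3 are emergency..error in IOS numbering)."""
    recs = [r for r in (parse_line(line) for line in lines) if r]
    return {
        "parsed": len(recs),
        "unparsed": len(lines) - len(recs),
        "top_mnemonics": Counter(r["mnemonic"] for r in recs if r["mnemonic"]).most_common(top),
        "top_hosts": Counter(r["host"] for r in recs).most_common(top),
        "hourly": dict(sorted(Counter(r["ts"].strftime("%Y-%m-%d %H:00") for r in recs).items())),
        "errors": [r for r in recs if r["severity"] is not None and r["severity"] <= max_sev],
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    for key in ("top_mnemonics", "top_hosts", "hourly"):
        print(key, s[key])
    for r in s["errors"]:
        print("ERROR", r["ts"], r["host"], r["mnemonic"], r["msg"])
```

Run it against a real file with `summarize(open("/var/log/routers").read().splitlines())`; the `unparsed` count tells you how many line shapes the two regexes still miss, which is the number that grows every time a new platform is pointed at the collector.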
Re: SkyCache/Cidera replacement?
[I'm informed my post violated the AUP. I submit a modified revision]

Speaking on Deep Background, the Press Secretary whispered:

> People still use usenet? ;)

yes.

> Seriously though, you'd have to be an awfully large organization for outsourced news to not be a slam dunk financially.

Perhaps, but Panix runs their own; one of the many reasons they get my money. {And gosh durn little of it compared to the benefits..}

--
A host is a host from coast to [EMAIL PROTECTED]
no one will talk to a host that's close [v].(301) 56-LINUX
Unless the host (that isn't close) pob 1433
is busy, hung or dead 20915-1433
Re: RE: RE: NYSE
So, that would be another conduit sitting in the same right of way, and this is supposed to make it "completely independent". Last time I checked a backhoe treated all conduits the same. Not trying to shoot the messenger, just trying to make a point.

Points of entry is different than the number of pipes. The biggest single problem in the security of these networks is physical diversity, at least in my biased point of view. There are six different sets of rights of way in Manhattan and forty something fiber providers, but no one seems to fess up when they are not offering redundancy but just another pipe in the same conduit. Do the math and you see the problem. It is not just a SFTI problem but a generic problem. Just worrisome that it appears that SFTI does not see it as a problem, or worse views it as a problem they have solved by laying new pipe in the same conduits. The problem rears its head in several examples where efficiency and cost savings trump true diversity.

- Original Message -
From: Temkin, David [EMAIL PROTECTED]
Date: Tuesday, September 21, 2004 11:11 am
Subject: RE: RE: NYSE
The worst abuse e-mail ever, sverige.net
This is the rudest, most arrogant abuse complaint I have seen. It is a frigging dial up user.

james

- Original Message -
From: RBL
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Sunday, September 19, 2004 12:32 PM
Subject: Email is in RBL _ DENIED _ (by bl.spamcop.se from [EMAIL PROTECTED] reason Sending IP 65.19.17.201 support SPAM )

You have sent a message that has been stopped! This is because of your sending e-mailserver being listed in an anti spam database. You should probably alert your email administrator and/or your ISP and send this email along to him.

The only reason a serious ISP or email administers would be on such a list is that he do not yet know about it being listed. Otherwise he would already have fixed the wrongfully configured server. Or he terminated the contract with the offending customer that put him on that list.

We have also tried to send this letter on the following standardized addresses:
===
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
===

But very often administrators that don't know how to configure a secure mailserver, don't know that they have to implement these system addresses either. And we feel that you will probably get better results if you call or send this your self.

Most responses we get are about the spelling and grammar from postmasters and administrators. They are usually angry that we have made their customers aware about their problems. This is kind of silly as the Information given is easy to understand anyway, and we could have sent the letter in correct Swedish instead. But as our purpose in sending this is neither to make it unreadable nor to make it offensive to anyone. Our purpose is to inform about systems being misused or miss configured so that the administrators gets a fair chance to fix their servers.

So if you're an administrators please don't get angry just fix your email servers and we will be happy to relay your messages again. As a result your customers will be happy and you will get less angry calls and letters making you happy as well.

The few administrators, postmasters and ISP's that just don't give a damn, will probably be noticed by their customers anyway. As these letters will keep arriving although they are probably just a very small part of the end users problems.

Please send any comments to [EMAIL PROTECTED]

Date time = 2004-09-19 18:32:03
Subject = Our promise: to save you money on your medication. CMHSO
Message-ID = [EMAIL PROTECTED]
rcipient = [EMAIL PROTECTED]
rbl list = bl.spamcop.se
ErrorMessage = 542 Rejected - see http://spamcop.net/w3m?action=checkblockip=65.19.17.201
Reason = Sending IP 65.19.17.201 support SPAM
Denied IP = 65.19.17.201

Message Source 10 lines
===
Received: from [65.19.17.201] by mailbox.sverige.net (JPHS RBL mail from [EMAIL PROTECTED]) with SMTP id for [EMAIL PROTECTED]; Sun, 19 Sep 2004 20:31:59 +0200
Received: from coalesce.mail.tpnet.pl by 62.13.25.2; Sun, 19 Sep 2004 19:30:58 -0200
To: [EMAIL PROTECTED]
From: anthony roop [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: Our promise: to save you money on your medication. CMHSO
Date: Sun, 19 Sep 2004 16:31:58 -0500
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/mixed;
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-Mailer: PocoMail 2.61 (1055) - Licensed Version
X-jphspassrblrun: 1
===
Re: The worst abuse e-mail ever, sverige.net
on Tue, Sep 21, 2004 at 10:16:52AM -0600, james edwards wrote:

> This is the rudest, most arrogant abuse complaint I have seen. It is a frigging dial up user.

I'm confused. Your user on 65.19.17.201 - a dialup user, probably running an infected Windows box, sent spam to the complainant, who figured out who to complain to, explained in great detail (and in English) that well, it shouldn't have happened if you'd had any clue whatsoever, and had blocked outbound port 25 connections from your own users (or at the very least those users of yours who are listed in DNSBLs for spamming or relaying!) and you think he's being /arrogant/?

Christ, I'd say he's being helpful. Get over yourself and /fix your own network/. Deal with the frigging complaint, and STFU. I already waste /way/ too much time dealing with equally stupid and/or lazy network/mail admins who won't frigging fix their own networks, and don't blame the complainant one frigging bit.

Currently, I'm dealing with the backscatter bounces from three concurrent joe jobs, sent by such laughably broken spamware that I'm /amazed/ any of it was accepted in the first place, much less accepted and /then backscattered to me, the victim/ because of still more misconfigured/idiotic antivirus stupidity.

Sheesh. Get over /yourself/. Your network is rude by its very existence, if it lets spammers relay crud by way of it. Your own arrogance in thinking it's not your problem to fix is astounding.

Please don't bother to reply; it will take time away from fixing your network.

Steve

--
join us! http://hesketh.com/about/careers/web_designer.html
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us! http://hesketh.com/about/careers/account_manager.html
Re: The worst abuse e-mail ever, sverige.net
> Sheesh. Get over /yourself/. Your network is rude by its very existence, if it lets spammers relay crud by way of it. Your own arrogance in thinking it's not your problem to fix is astounding.

I did not say it is not my problem, we have a 10 year history of being very pro-active for all abuse issues and have a dedicated staff person to deal with these issues. Slamming my mail admin because a dial up user has a virus is rude, period. Our dial up address space is listed, if people choose to block mail from that space.

james
RE: RE: RE: NYSE
You are correct. The rings are geographically diverse and separated (i.e., they have separate rings for each metro and then tie the rings together in multiple places). No idea about the rights of way, but my understanding is that it wasn't necessarily meant to be a be-all-end-all for those sorts of outages. You are correct, however, it is one of the most reliable infrastructures we connect to.

-----Original Message-----
From: R. Benjamin Kessler [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 21, 2004 12:39 PM
To: [EMAIL PROTECTED]; 'Temkin, David'
Cc: 'Alen Capalik'; 'Philip Lavine'; 'nanog'
Subject: RE: RE: RE: NYSE

My understanding is that the way the SFTI network is built the loss of an entire ring between Site A and Site B wouldn't cause an outage because Site B would also have a ring between it and Site C and Site A would be connected to Site n. I can't speak to how the fibers were procured and whether or not they're in their own rights-of-way (as another poster suggested; I'd guess that they're using previously dark fiber in existing bundles). Based on the drawings I've seen (unfortunately, they don't appear to be on SFTI's web site so they must be considered proprietary) the multiple rings are separated in some places by several hundred miles to prevent the single backhoe incident.

Aside from the $$ and the joy of dealing with SIAC (they tend to be a bit inflexible at times), the infrastructure has been quite stable in the 18 months that my client has been using it.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, September 21, 2004 10:31 AM
To: Temkin, David
Cc: Alen Capalik; Philip Lavine; nanog
Subject: Re: RE: RE: NYSE
FW: The worst abuse e-mail ever, sverige.net
On 9/21/04 1:00 PM, james edwards [EMAIL PROTECTED] wrote:

> > Sheesh. Get over /yourself/. Your network is rude by its very existence, if it lets spammers relay crud by way of it. Your own arrogance in thinking it's not your problem to fix is astounding.
>
> I did not say it is not my problem, we have a 10 year history of being very pro-active for all abuse issues and have a dedicated staff person to deal with these issues. Slamming my mail admin because a dial up user has a virus is rude, period. Our dial up address space is listed, if people choose to block mail from that space.
>
> james

To shift this to a more operational tone...

Networks make choices. One choice is to declare their dynamic space and put the duty of ignoring emails from dialup users on the receiving networks. Another choice is to filter port 25. Filtering port 25 has its own costs - some users are offended/bothered by this, since they can't use their own corporate mail servers, in some cases. If a network makes the choice of putting the duty of filtering on the receiving party, they need to accept that this will upset some of those receivers.

Today's security environment means that spam-sending viruses are common. The only responsible thing to do is filter port 25, smarthost for your users, and inform them about using the alternate submission port with authenticated SMTP in order to work with enterprise mail servers - or IPSec VPNs, for that matter. This is simply the best practice, at this point in time.

Using humans (dedicated staff person) to stop spam isn't scalable - automated processes are sending this stuff, we need systematic ways to fight it - black/white lists, SPF, port 25 filtering, bayesian filtering and other tools.

--
Daniel Golding
Network and Telecommunications Strategies
Burton Group
Re: The worst abuse e-mail ever, sverige.net
on Tue, Sep 21, 2004 at 11:00:53AM -0600, james edwards wrote:

>> Sheesh. Get over /yourself/. Your network is rude by its very existence, if it lets spammers relay crud by way of it. Your own arrogance in thinking it's not your problem to fix is astounding.
>
> I did not say it is not my problem; we have a 10 year history of being very pro-active for all abuse issues and have a dedicated staff person to deal with these issues.

OK, then, perhaps you can explain why I have received backscatter from web.cybermesa.com [65.19.6.7], or why, even though I got spam from sf-du170.cybermesa.com [209.12.75.170] back in October 2001, and from sf-du201.cybermesa.com [209.12.75.201] in February 2002, you still haven't blocked outbound port 25 traffic from those obviously vulnerable hosts?

http://groups.google.com/groups?num=50&hl=en&lr=&ie=UTF-8&newwindow=1&safe=off&c2coff=1&q=group%3Anews.admin.net-abuse.*+cybermesa.com&btnG=Search

Looks like you've got an ongoing problem with those dialup ranges.

> Slamming my mail admin because a dial up user has a virus is rude, period.

Nope. Sorry. Emitting spam/viruses or backscatter even though you know you (or your users) have a problem, expecting everyone else to block your network, and whining when someone has the gall to call you on it - that's rude. Of course, it's pretty common, but that doesn't make it any less rude.

> Our dial up address space is listed, if people choose to block mail from that space.

I'm curious - where is it listed? I don't see anything on your Web site that even suggests a place to go looking for abuse/helpdesk/support info. Much less a banner inviting more responsible mail admins to block your listed netblocks.

Will a regex of [a-z]+[0-9]*\-du[0-9]+\.cybermesa\.com block all of your dialup ranges by rDNS? What about your DSL and ISDN ranges? How are they named? Consistently, I hope. And of course I also hope they resolve back-and-forwards to the IP, so spam/viruses don't squeak through sendmail due to being possibly forged.

Why aren't they named so that sendmail and other MTAs can block your dynamic ranges by RHS in access.db, instead of having to use regexes? Hint: blah-1-2.dynamic.cybermesa.com or blah-3.4.dialup.cybermesa.com or foo-5-6-7-8.dsl.cybermesa.com makes this much less annoying and difficult, and conveys the same information as sf-du120.cybermesa.com.

I apologize if I offended you personally, I intended to do it professionally.

Steve

--
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us! http://hesketh.com/about/careers/web_designer.html
join us! http://hesketh.com/about/careers/account_manager.html
Re: The worst abuse e-mail ever, sverige.net
On Tue, 21 Sep 2004, james edwards wrote:

> I did not say it is not my problem; we have a 10 year history of being very pro-active for all abuse issues and have a dedicated staff person to deal with these issues. Slamming my mail admin because a dial up user has a virus is rude, period. Our dial up address space is listed, if people choose to block mail from that space.

Listed where? I don't see it jumping out anywhere on your web site or in any common/free DNSBL, and the way your rDNS is set up isn't doing anyone any favors.

201.10.19.65.in-addr.arpa name = albq-du201.cybermesa.com.
201.16.19.65.in-addr.arpa name = sf-du201.cybermesa.com.

The more primitive MTAs need you to be doing something like albq-201.du.cybermesa.com. Then they can be set up to reject du.cybermesa.com, which will reject .*\.du\.cybermesa\.com.

And if you think their message was rude, just try to imagine the crap people send _to_ DNSBLs. It makes the message from the Swedes seem like they were kissing your @$$.

--
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: NYSE
My advice to you is to use a third party provider like Radianz, TNS or Sector (SIAC owned company). They can take a lot of headaches away from this. David is right, you can't connect to SIAC directly any more; that's a legacy network (called so by SIAC) and they are phasing it out. Again, if you are in CA then use one of the above mentioned providers. It's cost effective and faster than if you were dealing with SFTI directly.

BTW, to everybody, please don't write back saying that third party providers are NO GOOD or that you had bad experiences with them. I'm well aware of all this and don't need a lecture on it. My opinion (and I have been dealing with all of them extensively for a long time): if you are in CA, use them; it takes away a lot of headaches (make sure you're redundant with them) and gets you up and running fast. My preferred way of connecting would be either Radianz or Sector; I don't like TNS (to all TNS guys out there, sorry).

Hope this helps.

AC

On Tue, Sep 21, 2004 at 06:01:36AM -0700, Philip Lavine wrote:
> I am assuming this means that I have a POP on the East Coast. I am Burbank California, currently.
>
> --- Alen Capalik [EMAIL PROTECTED] wrote:
>> On Mon, Sep 20, 2004 at 10:36:16AM -0700, Philip Lavine wrote:
>>> If I were to connect to SIAC through a SONET ring, whose would it be? Is it private or public?
>>
>> They use any provider (Verizon, MCI, ATT and ConEd Comm.), however ConEd Comm. is their primary backbone provider.
>>
>> So, here's how you go about it. You order a line (DS-1, DS-3, 100Mb/s, Gig, whatever) from any of the providers you use (if I were you I would use either Verizon or ConEd Comm, I can give you the number for ConEd Comm. head sales person). You contact SIAC, and you start the paperwork to get your network connected into their backbone SONET. Once you get permit numbers, you have the provider drop a line into one of 5 data centers around NY area, and SIAC gives you a port on one of their Juniper Routers. They also give you VLAN setup requirements so you can configure your border switch/router. The line is owned by you. SIAC only gives you a port on their routers.
>>
>> NOTE: NEVER ORDER ONE LINE. ORDER TWO OR MORE LINES TO DIFFERENT SIAC DATA CENTERS.
>>
>> The cost for one port (one line) is as follows:
>> MRC (Monthly Recurring Cost): $4,400.00
>> NRC (Non-Recurring Cost, i.e. one time fee): $8,800
>>
>> Any line you drop at SIAC will cost you that amount, and that's on top of the line costs from the provider. That's it. Hope this helps. Like I said it's a very long and tedious process getting the line up and running with SIAC. They are practically a government institution, and they don't move too fast for anybody.
>>
>>> --- R. Benjamin Kessler [EMAIL PROTECTED] wrote:
>>>> I've set up a highly-redundant connection for one of my clients (equipment in two different access-centers in two different cities). What are you looking to do?
>>>>
>>>> - Ben
>>>>
>>>> ~~
>>>> R. Benjamin Kessler
>>>> Sr. Network Consultant
>>>> CCIE #8762, CISSP, CCSE
>>>> Midwest Network Services Group
>>>> Email: [EMAIL PROTECTED]
>>>> http://www.midwestnsg.com
>>>> Phone: 260-625-3273
>>>>
>>>> -Original Message-
>>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philip Lavine
>>>> Sent: Friday, September 17, 2004 2:38 PM
>>>> To: [EMAIL PROTECTED]
>>>> Subject: NYSE
>>>>
>>>>> Does anyone have experience in setting up a direct connection with NYSE, specifically SIAC or SFTI?
>>
>> --
>> Alen Capalik
>> CTO Wiretap Networks Inc.
>> Tel: (310)497-3512
>> Email: [EMAIL PROTECTED]
>> Website: http://www.wiretapnetworks.com
>>
>> /*
>>  * Anything that is considered impossibility,
>>  * will in fact occur with absolute certainty.
>>  */

--
Alen Capalik
CTO Wiretap Networks Inc.
Tel: (310)497-3512
Email: [EMAIL PROTECTED]
Website: http://www.wiretapnetworks.com

/*
 * Anything that is considered impossibility,
 * will in fact occur with absolute certainty.
 */
Re: The worst abuse e-mail ever, sverige.net
> Listed where? I don't see it jumping out anywhere on your web site or in any common/free DNSBL, and the way your rDNS is set up isn't doing anyone any favors.

We were a MAPS customer/user for a number of years and were listed then, and I see we are not now. We will be listed again, shortly.

james
Re: NYSE
I would prefer not to use a third party provider because of the IP backbone. My experience with the third party providers has been that there is not enough responsiveness (packet loss issues) to burstable traffic at market open and close. Unfortunately, when the third party networks were designed there was no forethought into the need for market data traffic or multicast. They were concentrating on FIX and CMS traffic, which is low volume, low BW TCP traffic.

I think the real answer here is to be as close to SFTI as possible if you intend to go direct. Hosting at 2 or more SFTI DC's seems to be the best option. Direct local access seems second best.

--- Alen Capalik [EMAIL PROTECTED] wrote:
> My advice to you is to use a third party provider like Radianz, TNS or Sector (SIAC owned company). They can take a lot of headaches away from this. David is right, you can't connect to SIAC directly any more; that's a legacy network (called so by SIAC) and they are phasing it out. Again, if you are in CA then use one of the above mentioned providers. It's cost effective and faster than if you were dealing with SFTI directly.
>
> BTW, to everybody, please don't write back saying that third party providers are NO GOOD or that you had bad experiences with them. I'm well aware of all this and don't need a lecture on it. My opinion (and I have been dealing with all of them extensively for a long time): if you are in CA, use them; it takes away a lot of headaches (make sure you're redundant with them) and gets you up and running fast. My preferred way of connecting would be either Radianz or Sector; I don't like TNS (to all TNS guys out there, sorry).
>
> Hope this helps.
>
> AC
>
> On Tue, Sep 21, 2004 at 06:01:36AM -0700, Philip Lavine wrote:
>> I am assuming this means that I have a POP on the East Coast. I am Burbank California, currently.
>>
>> --- Alen Capalik [EMAIL PROTECTED] wrote:
>>> On Mon, Sep 20, 2004 at 10:36:16AM -0700, Philip Lavine wrote:
>>>> If I were to connect to SIAC through a SONET ring, whose would it be? Is it private or public?
>>>
>>> They use any provider (Verizon, MCI, ATT and ConEd Comm.), however ConEd Comm. is their primary backbone provider.
>>>
>>> So, here's how you go about it. You order a line (DS-1, DS-3, 100Mb/s, Gig, whatever) from any of the providers you use (if I were you I would use either Verizon or ConEd Comm, I can give you the number for ConEd Comm. head sales person). You contact SIAC, and you start the paperwork to get your network connected into their backbone SONET. Once you get permit numbers, you have the provider drop a line into one of 5 data centers around NY area, and SIAC gives you a port on one of their Juniper Routers. They also give you VLAN setup requirements so you can configure your border switch/router. The line is owned by you. SIAC only gives you a port on their routers.
>>>
>>> NOTE: NEVER ORDER ONE LINE. ORDER TWO OR MORE LINES TO DIFFERENT SIAC DATA CENTERS.
>>>
>>> The cost for one port (one line) is as follows:
>>> MRC (Monthly Recurring Cost): $4,400.00
>>> NRC (Non-Recurring Cost, i.e. one time fee): $8,800
>>>
>>> Any line you drop at SIAC will cost you that amount, and that's on top of the line costs from the provider. That's it. Hope this helps. Like I said it's a very long and tedious process getting the line up and running with SIAC. They are practically a government institution, and they don't move too fast for anybody.
>>>
>>>> --- R. Benjamin Kessler [EMAIL PROTECTED] wrote:
>>>>> I've set up a highly-redundant connection for one of my clients (equipment in two different access-centers in two different cities). What are you looking to do?
>>>>>
>>>>> - Ben
>>>>>
>>>>> ~~
>>>>> R. Benjamin Kessler
>>>>> Sr. Network Consultant
>>>>> CCIE #8762, CISSP, CCSE
>>>>> Midwest Network Services Group
>>>>> Email: [EMAIL PROTECTED]
>>>>> http://www.midwestnsg.com
>>>>> Phone: 260-625-3273
>>>>>
>>>>> -Original Message-
>>>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philip Lavine
>>>>> Sent: Friday, September 17, 2004 2:38 PM
>>>>> To: [EMAIL PROTECTED]
>>>>> Subject: NYSE
>>>>>
>>>>>> Does anyone have experience in setting up a direct connection with NYSE, specifically SIAC or SFTI?
>>>
>>> --
>>> Alen Capalik
>>> CTO Wiretap Networks Inc.
>>> Tel:
Re: FW: The worst abuse e-mail ever, sverige.net
At 01:29 PM 9/21/2004, Daniel Golding wrote:

> On 9/21/04 1:00 PM, james edwards [EMAIL PROTECTED] wrote:
>
>>> Sheesh. Get over /yourself/. Your network is rude by its very existence, if it lets spammers relay crud by way of it. Your own arrogance in thinking it's not your problem to fix is astounding.
>>
>> I did not say it is not my problem; we have a 10 year history of being very pro-active for all abuse issues and have a dedicated staff person to deal with these issues. Slamming my mail admin because a dial up user has a virus is rude, period. Our dial up address space is listed, if people choose to block mail from that space.
>>
>> james
>
> To shift this to a more operational tone...
>
> Networks make choices. One choice is to declare their dynamic space and put the duty of ignoring emails from dialup users on the receiving networks. Another choice is to filter port 25. Filtering port 25 has its own costs - some users are offended/bothered by this, since they can't use their own corporate mail servers, in some cases. If a network makes the choice of putting the duty of filtering on the receiving party, they need to accept that this will upset some of those receivers.
>
> Today's security environment means that spam-sending viruses are common. The only responsible thing to do is filter port 25, smarthost for your users, and inform them about using the alternate submission port with authenticated SMTP in order to work with enterprise mail servers - or IPSec VPNs, for that matter. This is simply the best practice, at this point in time. Using humans (dedicated staff person) to stop spam isn't scalable - automated processes are sending this stuff, we need systematic ways to fight it - black/white lists, SPF, port 25 filtering, Bayesian filtering and other tools.

I'd add on to this in one area. Dan's text is good as far as it goes. What I'd add is:

Implement Reasonable and Easily Handled INADDR

1) By this I mean provide PTR records for all ports.

2) For dialup, DSL and Cable users on dynamic ports who should not generally be running servers, name the INADDR with something like:

   w-x-y-z.dialup.example.net
   w-x-y-z.dynamic.example.net

or similar. I don't care what scheme you want to use to the LEFT of 'dialup.example.com' or 'dynamic.example.com', but please put the information about these being dynamic blocks in a place where they can be filtered using simple mechanisms (i.e. without regex overheads). With the naming above, it's easy to filter out dialup.example.com in the access lists of mail servers without any worries. Users coming in from those addresses using authenticated connections to the submission port will work fine, while spam direct from those machines will not work. Many ISPs do this quite well. While it's still some work for the receiving systems vs. port 25 filtering, it sure beats guessing about remote topologies.

Also note that while some large ISPs have handed out IP address ranges of dynamically assigned address in the past, telling others they can block from those addresses, this results in stale data almost instantly. Keeping this type of thing based on PTR records in DNS means the owner of that space has the job of maintaining the designations, as it should be, and avoids pushing that task onto recipients.

3) Provide proper PTR records for your business customers. A PTR record of .biz.example.net sure looks a lot more questionable than office.example.com (where example.com is a small business, let's say).

4) Think about the other guy. If you have issues identifying what to block on your inbound flows, perhaps you might think about how your naming and other policies affect how others see your outflow. Cooperation makes things better for everyone.

--
Daniel Senie [EMAIL PROTECTED]
Amaranth Networks Inc. http://www.amaranth.com
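As an added illustration (not code from anyone in this thread), here is how a receiving MTA's policy can combine the two styles of dynamic-range naming discussed in the posts above: the right-hand-side suffix lookup Jon and Daniel describe (what a sendmail access.db entry gives you), the left-hand-side regex Steve posted for the legacy cybermesa.com names, and the forward/reverse agreement check Steve asks for. The DNS tables, the example.net names, the reject labels and the thresholds are constructed for the example; only the cybermesa.com names and addresses come from the thread.

```python
import re
from typing import Optional

# Constructed reverse (PTR) and forward (A) tables that stand in for live DNS
# lookups so the example runs offline. The cybermesa.com names and addresses are
# the ones quoted in the thread; the example.net names are assumptions that
# follow the w-x-y-z.dialup.example.net scheme proposed above.
PTR = {
    "65.19.10.201": "albq-du201.cybermesa.com",         # legacy: "du" only on the left-hand side
    "65.19.16.201": "sf-du201.cybermesa.com",
    "192.0.2.17":   "192-0-2-17.dialup.example.net",    # RHS-friendly dynamic naming
    "192.0.2.80":   "mail.example.net",                 # a properly named MTA
    "198.51.100.5": "198-51-100-5.dynamic.example.net",
    "198.51.100.9": None,                               # no PTR record at all
}
A = {
    "albq-du201.cybermesa.com": "65.19.10.201",
    "sf-du201.cybermesa.com": "65.19.16.201",
    "192-0-2-17.dialup.example.net": "192.0.2.17",
    "mail.example.net": "192.0.2.80",
    "198-51-100-5.dynamic.example.net": "203.0.113.9",  # does not point back: fails FCrDNS
}

# access.db-style right-hand-side entries: a suffix match rejects every host
# under these domains with a plain table lookup, no regex needed.
RHS_REJECT = {"dialup.example.net", "dynamic.example.net", "du.cybermesa.com"}

# Regex fallback for providers whose dynamic naming lives only on the left-hand
# side, built from the cybermesa.com pattern posted earlier in the thread.
LHS_REJECT = [re.compile(r"^[a-z]+[0-9]*-du[0-9]+\.cybermesa\.com$")]


def rhs_match(name: str, suffixes: set) -> Optional[str]:
    """Return the RHS entry matching `name`, checking the name and each parent domain."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in suffixes:
            return candidate
    return None


def fcrdns_ok(ip: str, name: str) -> bool:
    """Forward-confirmed rDNS: the PTR name must resolve back to the same address."""
    return A.get(name) == ip


def classify(ip: str) -> str:
    """Decide how a receiving MTA should treat a connecting address from its rDNS alone."""
    name = PTR.get(ip)
    if not name:
        return "no-ptr"
    if not fcrdns_ok(ip, name):
        return "fcrdns-fail"        # the name may be forged, so it proves nothing either way
    if rhs_match(name, RHS_REJECT):
        return "reject-rhs"         # cheap: one lookup per label, maintained by the IP's owner
    if any(p.match(name.lower()) for p in LHS_REJECT):
        return "reject-lhs-regex"   # works, but every receiver has to learn each provider's pattern
    return "accept"


if __name__ == "__main__":
    for ip, name in PTR.items():
        print(f"{ip:14} {name or '-':36} {classify(ip)}")
```

The order of the checks is the point: a PTR that does not forward-confirm is never trusted, an RHS entry costs the receiver one set lookup per label and is maintained by whoever owns the address space, and the regex is the fallback every receiver has to write and keep current for each provider that only encodes "dynamic" on the left of the name.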
Re: FW: The worst abuse e-mail ever, sverige.net
on Tue, Sep 21, 2004 at 02:11:11PM -0400, Daniel Senie wrote:

> [snip good info]
>
> 2) for dialup, DSL and Cable users on dynamic ports who should not generally be running servers, name the INADDR with something like:
>
>    w-x-y-z.dialup.example.net
>    w-x-y-z.dynamic.example.net
>
> or similar. I don't care what scheme you want to use to the LEFT of 'dialup.example.com' or 'dynamic.example.com' but please put the information about these being dynamic blocks in a place where they can be filtered using simple mechanisms (i.e. without regex overheads). With the naming above, it's easy to filter out dialup.example.com in the access lists of mail servers without any worries. Users coming in from those addresses using authenticated connections to the submission port will work fine, while spam direct from those machines will not work. Many ISPs do this quite well. While it's still some work for the receiving systems vs. port 25 filtering, it sure beats guessing about remote topologies.

FYI - I've been tracking rDNS naming conventions for many ISPs for the past year and a half. (Basically, if your network is secure, I don't know about you - I only track rDNS for hosts that relay spam or spew viruses at me.)

Of the approximately 4800 networks (by domain) I've tracked, 1935 are known to be in the US, Mexico, or Canada. Of those, 509 have some form of RHS-friendly rDNS. Roughly 26%. Better than last year, but still pretty bad.

cgocable.ca cabletv.on.ca aci.on.ca eastlink.ca powergate.ca primus.ca sympatico.ca ubc.ca uoguelph.ca uniserve.ca utoronto.ca videotron.ca netidea.bc.ca ulaval.ca ualberta.ca dal.ca uottawa.ca uwo.ca connection.ca terago.ca accesscomm.ca ucc-net.ca sfu.ca yorku.ca ncf.ca rushcomm.ca eol.ca mcgill.ca oricom.ca vdn.ca amdsb.ca umontreal.ca cyberus.ca knet.ca magma.ca mcmaster.ca usherbrooke.ca cgi.ca unb.ca sprintdsl.ca aol.com aracnet.com atlantabroadband.com attbi.com insightbb.com mchsi.com bbtel.com ccapcable.com cerfnet.com charter.com dancris.com execulink.com mindspring.com nexband.com rcn.com redshift.com ripnet.com rogers.com rr.com theplanet.com wideopenwest.com xmission.com cablenet-va.com charter-ala.com cox-internet.com quik.com gvtc.com bah.com lan2wan.com westelcom.com power1.com mdsg-pacwest.com eschelon.com gvtel.com nettally.com octapus.com firstlink.com hbci.com iinet.com naxs.com ntplx.com tfb.com srtnet.com theriver.com vcn.com visi.com webhostplus.com winbeam.com gtlakes.com varian.com royaume.com primarydns.com netdoor.com registeredsite.com bearingpoint.com core.com tvc-ip.com teksavvy.com opt2opt.com quiknet.com srt.com pcspeed.com cadvision.com mynethost.com 800hosting.com scrtc.com speede.com warpdriveonline.com wavecable.com lightyearcom.com midmaine.com prairieweb.com c2bandwidth.com innercite.com cintelecom.com hyperusa.com seanet.com cwia.com mcttelecom.com osp-chicago.com primenet.com fire2wire.com calltech.com anobi.com telus.com hyatthsiagx.com spiritone.com aesirnetworks.com foxinternet.com willscot.com acetechusa.com aeanetwork.com alabanza.com arishost.com calpop.com computechnv.com datapeer.com fatcow.com iwaynetworks.com linuxwebnet.com mobilenetics.com skybitz.com tir.com unitedcolo.com zedcom.com zoolink.com crestviewcable.com mipops.com neteze.com wilnet1.com conninc.com asu.edu berkeley.edu brown.edu bucknell.edu cmich.edu cmu.edu colorado.edu columbia.edu cornell.edu csulb.edu csuohio.edu dartmouth.edu duke.edu ecu.edu fsu.edu furman.edu gac.edu gatech.edu harvard.edu hawaii.edu indiana.edu msu.edu ncsu.edu nodak.edu pepperdine.edu psu.edu
Re: FW: The worst abuse e-mail ever, sverige.net
On Tue, 21 Sep 2004, Daniel Senie wrote:

> w-x-y-z.dialup.example.net
> w-x-y-z.dynamic.example.net

The company I work for hands out static IP addresses to all DSL subscribers (one IP only per subscriber in all cases). Is there a BCP as to what to do with this regarding registering with RBLs etc., so we won't get our entire netblock blacklisted when a single subscriber gets backdoored/trojaned/virus-infected?

--
Mikael Abrahamsson    email: [EMAIL PROTECTED]
Re: FW: The worst abuse e-mail ever, sverige.net
On Tue, 21 Sep 2004, Dan Mahoney, System Admin wrote:

> Unless your connection is permanent, with a permanent static ip, you should not be *directly* sending out mail. The very nature of dynamic ips implies that even if a single subscriber gets infected, you have no guarantee YOU won't wind up with that ip next.

As I said, this is DSL, which to me implies always on. Each DSLAM port only allows one IP address; this is set statically. The customer has a static IP address assigned to him/her, which never changes over time. No DHCP, nothing dynamic whatsoever. If you want to make yourself unreachable to one of our customers you blacklist their IP, which is always the same. Simple.

Now, how do we make the world understand this?

--
Mikael Abrahamsson    email: [EMAIL PROTECTED]
RE: FW: The worst abuse e-mail ever, sverige.net
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mikael Abrahamsson
Sent: Tuesday, September 21, 2004 1:01 PM

> As I said, this is DSL, which to me implies always on. Each DSLAM port only allows one IP address; this is set statically. The customer has a static IP address assigned to him/her, which never changes over time. No DHCP, nothing dynamic whatsoever. If you want to make yourself unreachable to one of our customers you blacklist their IP, which is always the same. Simple.

We configure our DSL customers the same way you do. Static PVC, Static IP. Each user has a static IP and in 99% of the cases, we do not assign any dynamic IPs.

However, I would say that it is safe to say that the majority of the ILECs here in the US provide DSL service where the IP is dynamic. Most of the time, it doesn't change, but it is very possible that the next time that the user logs in (most are also using PPPoE for the connection setup) that the DHCP server might give them another IP.

As such, when we have seen our IP blocks get blocked strictly because of the rDNS entry having 'dsl' in it, a simple email to the admins explaining that we are not providing dynamic services has gotten our rDNS entries taken off of the blacklist.

-Sean

Sean P. Crandall
VP Engineering Operations
MegaPath Networks Inc.
6691 Owens Drive
Pleasanton, CA 94588
(925) 201-2530 (office)
(925) 201-2550 (fax)
Re: FW: The worst abuse e-mail ever, sverige.net
On Tue, 2004-09-21 at 13:01, Mikael Abrahamsson wrote:
> On Tue, 21 Sep 2004, Dan Mahoney, System Admin wrote:
>
>> Unless your connection is permanent, with a permanent static ip, you should not be *directly* sending out mail. The very nature of dynamic ips implies that even if a single subscriber gets infected, you have no guarantee YOU won't wind up with that ip next.
>
> As I said, this is DSL, which to me implies always on. Each DSLAM port only allows one IP address; this is set statically. The customer has a static IP address assigned to him/her, which never changes over time. No DHCP, nothing dynamic whatsoever. If you want to make yourself unreachable to one of our customers you blacklist their IP, which is always the same. Simple.
>
> Now, how do we make the world understand this?

When this customer discontinues services, would you want to reuse this address? If your network was (ab)used sending spam, then the next customer may find this address unusable and you would need to contact a few hundred blacklists in an attempt to rehabilitate the address.

As a prophylactic measure, Port 25 is blocked or transparently intercepted to monitor the network via error logs. For external mail submissions, Port 587 would be recommended. There is an overview of this at:

http://www.ietf.org/internet-drafts/draft-hutzler-spamops-01.txt

-Doug
port 25 blocking [Re: FW: The worst abuse e-mail ever, sverige.net]
On Tue, 21 Sep 2004, Douglas Otis wrote:

> As a prophylactic measure, Port 25 is blocked or transparently intercepted to monitor the network via error logs. For external mail submissions, Port 587 would be recommended. There is an overview of this at:
>
> http://www.ietf.org/internet-drafts/draft-hutzler-spamops-01.txt

We want to receive abuse email and act on it; it doesn't matter if customers are infected and sending spam or if they're infected and trying to remote-exploit web servers or Windows computers or what have you.

We've been considering using netflow to detect end-users doing a lot of port 25 activity towards a lot of random destinations. I find this much more net-friendly than to just block 25 and force them to use our smarthost (it also stops our smarthost from being blacklisted by some overzealous blacklist-admins).

Starting to block just means you will have to block more and more all the time. Port 135-139 and 445 will be practically unusable on the network for a long time (some users complain about this).

I was under the impression that most blacklists would have a time-out period: when there was no more activity from this certain IP, it would be removed from the blacklist. Is this not the case?

Also, having hundreds of blacklists as per your email seems like a very silly idea? I can understand 3-5, but hundreds?

--
Mikael Abrahamsson    email: [EMAIL PROTECTED]
Re: FW: The worst abuse e-mail ever, sverige.net
on Tue, Sep 21, 2004 at 02:04:18PM -0700, Sean Crandall wrote:

> We configure our DSL customers the same way you do. Static PVC, Static IP. Each user has a static IP and in 99% of the cases, we do not assign any dynamic IPs.
>
> However, I would say that it is safe to say that the majority of the ILECs here in the US provide DSL service where the IP is dynamic. Most of the time, it doesn't change, but it is very possible that the next time that the user logs in (most are also using PPPoE for the connection setup) that the DHCP server might give them another IP.
>
> As such, when we have seen our IP blocks get blocked strictly because of the rDNS entry having 'dsl' in it, a simple email to the admins explaining that we are not providing dynamic services has gotten our rDNS entries taken off of the blacklist.

Why do you assume that an IP being static, but having generic rDNS showing it to be a DSL line, automatically makes it worthy of relaying or sending mail? I certainly don't make that assumption - rather the opposite, given my experience of the past three years.

In my view of the universe, IPs with generically named rDNS should never emit mail except by way of a suitably configured MTA, which ought to have non-generic rDNS, preferably of the sort 'mail.$domain' where [EMAIL PROTECTED] is a live account manned by an abuse desk, rather than a generic '1-2-3-4.assignmenttype.technologytype.bigisp.example.net', where complaints to [EMAIL PROTECTED] may or may not make any difference.

In the past 60 days, we've refused mail from

ip-69-33-132-156.nyc.megapath.net (claimed to be 'hal.org', and sender was a yahoo.com account) and
ip-66-80-96-99.aus.megapath.net (claimed to be 'asu.edu', and sender was an asu.edu account) and
ip-66-80-90-195.iad.megapath.net (claimed to be 'ccs1.clinicofcosmeticsurgery.com', sent to an inactive account) and
ip-66-80-206-37.lax.megapath.net (claimed to be 'mail.totexusa.com', sent to my account - I don't know anyone at 'totexusa.com'; both messages were backscatter from a joe job)

Were we wrong to do so? I don't think so. Static or dynamic, makes little difference. Today's email services require more than the current status quo. And I haven't seen any reason to adjust my policy.

I'm left with the overall impression from many on this thread that in the view of many ISPs, DNSBLs have removed the ISP's burden of policing their own networks. And that's a shame.

Steve

PS: this message certified ad hominem free :/

--
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us! http://hesketh.com/about/careers/web_designer.html
join us! http://hesketh.com/about/careers/account_manager.html
Re: port 25 blocking [Re: FW: The worst abuse e-mail ever, sverige.net]
On Tue, 21 Sep 2004 23:22:42 +0200, Mikael Abrahamsson said:

> Also, having hundreds of blacklists as per your email seems like a very silly idea? I can understand 3-5, but hundreds?

Just because one organization with clue provides a BGP feed with the current list of bogon addresses doesn't mean there aren't still several hundred sites that are still blocking 69/8 as a bogon. Similarly for blacklists - lots of sites have their own personal list of places they really don't want to hear from.
Re: FW: The worst abuse e-mail ever, sverige.net
On Tue, Sep 21, 2004 at 01:29:44PM -0400, Daniel Golding wrote:
[snip]
> Another choice is to filter port 25. Filtering port 25 has its own costs - some users are offended/bothered by this, since they can't use their own corporate mail servers, in some cases.
[snip]

SUBMIT, SASL, etc. This is a solved problem; if MS Lookout! Virus Express! supports it, you know it isn't rocket science. SMTP 25 is for inter-server traffic. There is absolutely no reason for end-user pseudo-MTAs to use it. Some networks will enforce it. Expect that and move on.

--
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE
Re: The worst abuse e-mail ever, sverige.net
> The port 25 blocking seemed like a real good idea.
>
> -M

I disagree. Port blocking does not change user behavior; it is user behavior that is causing this problem. Blocking just hides it. I used to believe in port blocking as the solution to many user problems, but now I have 3 and 4 page ACL's on my border routers. This does not scale. Yes, I could push this out via radius to the NAS, but again this does not solve the problem. I feel blocking just pushes us closer to ports losing their uniqueness, as we have seen with PTP filesharing.

The solution I am working toward is quickly identifying user infections. We are almost there. I collect and record all traffic from the users going to dark space and am almost finished with the system that will identify who held that IP at a specific time. It is all in SQL so that is easy. We already have a system in place where users, after multiple virus problems, must obtain protection software prior to being re-enabled. Ramping up the amount of proof we have at hand will allow us to enforce our existing AUP.

The key to changing a behavior is to create consequences to this behavior. I have noticed we never have problems getting a user to get virus/firewall software after they pay to have their box disinfected. Hit the users first with e-mails, then phone contact, ending with being shut off should create the consequences needed to change their behavior.

james
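An added example, not James's system, of the attribution step he describes above: dark-space hits recorded at the border are joined against the NAS/RADIUS address-assignment history, so each hit is charged to whoever held the source address at that instant, and the resulting evidence count drives the e-mail, phone, shut-off ladder. The tables, timestamps, usernames and escalation thresholds are all constructed; SQLite stands in for whatever SQL backend the real system uses.

```python
import sqlite3

# Constructed sample data (not from the post). Timestamps are ISO 8601 strings,
# which compare correctly as text, so no date parsing is needed in SQL.
LEASES = [
    # (username, ip, start, end)   end=None means the assignment is still active
    ("alice", "192.0.2.10", "2004-09-20T08:00:00", "2004-09-20T18:00:00"),
    ("bob",   "192.0.2.10", "2004-09-20T18:05:00", None),   # same IP, re-issued later
    ("carol", "192.0.2.11", "2004-09-20T07:30:00", None),
]
DARKNET_HITS = [
    # (timestamp, src_ip, dst_ip, dst_port)   destinations are unallocated "dark" space
    ("2004-09-20T17:59:00", "192.0.2.10", "203.0.113.1", 445),   # alice still holds the IP
    ("2004-09-20T18:10:00", "192.0.2.10", "203.0.113.2", 445),   # bob's lease has started
    ("2004-09-20T18:10:02", "192.0.2.10", "203.0.113.3", 445),
    ("2004-09-20T18:10:04", "192.0.2.10", "203.0.113.4", 135),
    ("2004-09-20T18:11:00", "192.0.2.11", "203.0.113.9", 80),
]


def build_db() -> sqlite3.Connection:
    """Load the constructed records into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE leases  (user TEXT, ip TEXT, start TEXT, end TEXT);
        CREATE TABLE darknet (ts TEXT, src TEXT, dst TEXT, dport INTEGER);
    """)
    conn.executemany("INSERT INTO leases  VALUES (?,?,?,?)", LEASES)
    conn.executemany("INSERT INTO darknet VALUES (?,?,?,?)", DARKNET_HITS)
    return conn


def who_held(conn: sqlite3.Connection, ip: str, ts: str):
    """The subscriber holding `ip` at time `ts`, or None if it was unassigned then."""
    row = conn.execute(
        "SELECT user FROM leases "
        "WHERE ip = ? AND start <= ? AND (end IS NULL OR ? < end)",
        (ip, ts, ts),
    ).fetchone()
    return row[0] if row else None


def hits_per_user(conn: sqlite3.Connection) -> dict:
    """Attribute every dark-space hit to the holder of its source IP at that moment.

    Returns {user: (hit_count, distinct_targets)}. A hit whose timestamp falls
    in a gap between two assignments is attributed to nobody and dropped here.
    """
    rows = conn.execute("""
        SELECT l.user, COUNT(*) AS hits, COUNT(DISTINCT d.dst) AS targets
        FROM darknet d
        JOIN leases l
          ON l.ip = d.src AND l.start <= d.ts AND (l.end IS NULL OR d.ts < l.end)
        GROUP BY l.user
        ORDER BY hits DESC
    """).fetchall()
    return {user: (hits, targets) for user, hits, targets in rows}


def escalation_stage(hits: int, thresholds=(2, 4, 8)) -> str:
    """Map the evidence count onto the e-mail, phone, shut-off ladder (assumed thresholds)."""
    email_at, phone_at, disable_at = thresholds
    if hits >= disable_at:
        return "disable"
    if hits >= phone_at:
        return "phone"
    if hits >= email_at:
        return "email"
    return "none"


if __name__ == "__main__":
    db = build_db()
    for user, (hits, targets) in hits_per_user(db).items():
        print(f"{user:8} hits={hits} distinct_targets={targets} action={escalation_stage(hits)}")
```

The half-open interval in the join (`start <= ts < end`) is what keeps a re-issued address from being charged to both subscribers; the hit at 17:59 lands on alice, the three at 18:10 on bob, and anything in the five-minute gap between the two assignments is attributed to nobody rather than guessed.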
Re: FW: The worst abuse e-mail ever, sverige.net
Daniel> The only responsible thing to do is filter port 25,
Daniel> smarthost for your users, and inform them about using the
Daniel> alternate submission port with authenticated SMTP in order
Daniel> to work with enterprise mail servers - or IPSec VPNs, for
Daniel> that matter. This is simply the best practice, at this point
Daniel> in time. Using humans (dedicated staff person) to stop
Daniel> spam isn't scalable - automated processes are sending this
Daniel> stuff, we need systematic ways to fight it - black/white
Daniel> lists, SPF, port 25 filtering, bayesian filtering and other
Daniel> tools.

Let's put this in perspective.

Say a hypothetical sysadmin were to disable any and all authentication on his SSH server. And that someone then used SSH from your network to run code that sysadmin didn't like on that machine.

Would you then consider it reasonable if the sysadmin proposed:

"The only responsible thing to do is filter port 22, smarthost for your users, and inform them about using the alternate submission port with authenticated SSH in order to work with enterprise SSH servers - or IPSec VPNs, for that matter. This is simply the best practice, at this point in time."

For that matter would anyone take seriously someone who then proposed as a solution to the breakin[1] that:

"we need systematic ways to fight it - black/white lists, SSH Permitted From, port 22 filtering, bayesian filtering and other tools"

in order to filter out harmful commands while allowing anything else to get through without ever once suggesting enabling passwords or SSH keys?

If you don't want to accept mail from anyone and everyone then make them use a password or a key to send mail to you. There are several ways to do this right now. (For example, procmail is your friend.)

If you don't like something that arrives in your house figure out a way to put a lock on your door. Don't insist everyone else is at fault because they wouldn't put bars over their own.

-
[1] A curious term since it's hard to imagine a way to leave the door open much wider than our hapless hypothetical sysadmin has.
Re: port 25 blocking [Re: FW: The worst abuse e-mail ever, sverige.net]
On Tue, 2004-09-21 at 14:22, Mikael Abrahamsson wrote:

> On Tue, 21 Sep 2004, Douglas Otis wrote:
>
> > As a prophylactic measure, Port 25 is blocked or transparently intercepted to monitor the network via error logs. For external mail submissions, Port 587 would be recommended. There is an overview of this at: http://www.ietf.org/internet-drafts/draft-hutzler-spamops-01.txt
>
> We want to receive abuse email and act on them, doesn't matter if customers are infected and sending spam or if they're infected and trying to remote-exploit web-servers or windows computers or what have you. We've been considering using netflow to detect end-users doing a lot of port 25 activity towards a lot of random destinations. I find this much more net-friendly than to just block 25 and force them to use our smarthost (also stops our smarthost from being blacklisted by some overzealous blacklist-admins).

Cisco offers a Content Services Gateway that will allow audit of SMTP error messages as example. Just looking at user SMTP traffic will not always be a good indication something nefarious is happening. The Whack-a-Mole game that results may clobber your good customers perhaps once too often. Tracking the reply codes for things like 550,1,3 and filtering for results greater than 50 or so should alert you that something bad is happening, or that they are having a hard time typing addresses. : )

> Starting to block just means you will have to block more and more all the time. Port 135-139 and 445 will be practically unusable on the network for a long time (some users complain about this). I was under the impression that most blacklists would have a time-out period when there was no more activity from this certain IP, it would be removed from the blacklist. Is this not the case?

Hard to know how the average black-listing service ages their data. Some IP addresses cycle over large periods of time. Some segments were so bad, a few providers enter them using BGP into a router to conserve network resources. That entry may live for decades and be very difficult to correct.

> Also, having hundreds of blacklists as per your email seems like a very silly idea? I can understand 3-5, but hundreds?

I was not recommending that you post to blacklisting services, but rather you will end up dealing with these services in an effort to allow the address to once again reliably send mail should your customer expect that ability.

-Doug
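The two detection ideas traded in this exchange, Mikael's netflow check for customers fanning out port-25 connections to many destinations and Doug's count of SMTP rejection codes per client, as an added Python example that is not from the thread or from any of the posters. The flow records, the error-log line format and the fan-out threshold of 20 are constructed assumptions; the rejection threshold of about 50 is the one Doug names.

```python
import re
from collections import defaultdict

# Constructed netflow-style records: (src_ip, dst_ip, dst_port).
# 10.0.0.5 behaves like an infected host spraying mail at random hosts;
# 10.0.0.7 sends legitimately through one relay.
FLOWS = [("10.0.0.5", f"203.0.113.{n}", 25) for n in range(1, 61)]
FLOWS += [("10.0.0.7", "198.51.100.10", 25)] * 40
FLOWS += [("10.0.0.7", "198.51.100.20", 80)] * 5


def smtp_fanout(flows, min_distinct=20):
    """Return {src: distinct_dst_count} for sources whose port-25 fan-out
    reaches min_distinct (assumed threshold). Distinct destinations, not
    volume, is the signal: a real mail client talks to one or two relays."""
    dsts = defaultdict(set)
    for src, dst, port in flows:
        if port == 25:
            dsts[src].add(dst)
    return {src: len(d) for src, d in dsts.items() if len(d) >= min_distinct}


# Constructed SMTP error-log lines in an assumed format, as an intercepting
# gateway or smarthost might record them; only 5xx codes are of interest.
LOG_LINE = re.compile(r"client=(?P<ip>\S+) .*code=(?P<code>5[0-9]{2})")
ERROR_LOG = [f"2004-09-21T14:{n:02d}:00 client=10.0.0.5 rcpt=x{n}@example.net code=550"
             for n in range(55)]
ERROR_LOG += ["2004-09-21T14:30:00 client=10.0.0.7 rcpt=bob@example.net code=550",
              "2004-09-21T14:31:00 client=10.0.0.7 rcpt=bob@example.net code=250"]


def reject_counts(lines, codes=("550", "551", "553"), threshold=50):
    """Count user-unknown style rejections per client and return those over
    threshold. A handful is a typo; dozens is a dictionary run."""
    counts = defaultdict(int)
    for line in lines:
        m = LOG_LINE.search(line)
        if m and m.group("code") in codes:
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n > threshold}


if __name__ == "__main__":
    print("port-25 fan-out:", smtp_fanout(FLOWS))
    print("5xx rejections:", reject_counts(ERROR_LOG))
```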
Re: The worst abuse e-mail ever, sverige.net
I'll admit to not knowing too much about this project, but what you are describing sounds similar in part to the Network Admission Control that Cisco is pushing - an automated way of ensuring user machines are protected before being admitted on to the network. Here is a link to their site on the subject: http://www.cisco.com/en/US/netsol/ns466/networking_solutions_white_paper0900aecd800fdd66.shtml

- Jeff

On Sep 21, 2004, at 6:00 PM, james edwards wrote:

> > The port 25 blocking seemed like a real good idea.
> > -M
>
> I disagree. Port blocking does not change user behavior; it is user behavior that is causing this problem. Blocking just hides it. I used to believe in port blocking as the solution to many user problems but now I have 3 and 4 page ACLs on my border routers. This does not scale. Yes, I could push this out via radius to the NAS but again this does not solve the problem. I feel blocking just pushes us closer to ports losing their uniqueness, as we have seen with PTP filesharing.
>
> The solution I am working toward is quickly identifying user infections. We are almost there. I collect and record all traffic from the users going to dark space and am almost finished with the system that will identify who held that IP at a specific time. It is all in SQL so that is easy. We already have a system in place where users, after multiple virus problems, must obtain protection software prior to being re-enabled. Ramping up the amount of proof we have at hand will allow us to enforce our existing AUP.
>
> The key to changing a behavior is to create consequences to this behavior. I have noticed we never have problems getting a user to get virus/firewall software after they pay to have their box disinfected. Hit the users first with e-mails, then phone contact, ending with being shut off should create the consequences needed to change their behavior.
>
> james
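The lookup james describes, joining recorded dark-space traffic against who held an address at a given moment, as an added Python/sqlite example that is not his system or anyone's code from the thread. The table layout, the lease and darknet rows, and the min_hits threshold are constructed assumptions.

```python
import sqlite3

# Constructed data (not james's): lease rows record which customer held
# which address over which interval (RADIUS accounting or DHCP leases);
# darknet rows are packets from customer addresses into unused address
# space, which no legitimate client has any reason to touch.
LEASES = [
    ("10.1.2.3", "alice", "2004-09-21T08:00:00", "2004-09-21T12:00:00"),
    ("10.1.2.3", "bob",   "2004-09-21T12:05:00", "2004-09-21T23:59:59"),
    ("10.1.2.9", "carol", "2004-09-21T00:00:00", "2004-09-21T23:59:59"),
]
# bob's machine sweeps port 445 across dark space after 13:00; alice sent
# a single stray packet earlier; one packet falls in the gap between the
# two leases on 10.1.2.3 and cannot be attributed to anyone.
DARKNET = [(f"2004-09-21T13:{n:02d}:00", "10.1.2.3", f"192.0.2.{n + 1}", 445)
           for n in range(30)]
DARKNET += [("2004-09-21T09:00:00", "10.1.2.3", "192.0.2.200", 80),
            ("2004-09-21T12:02:00", "10.1.2.3", "192.0.2.201", 445)]


def load(leases, darknet):
    """Build an in-memory database. ISO-8601 timestamps stored as TEXT
    compare correctly as strings, which keeps the range join simple."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE lease (ip TEXT, user TEXT, start_ts TEXT, end_ts TEXT);
        CREATE TABLE darknet (ts TEXT, src_ip TEXT, dst_ip TEXT, dst_port INTEGER);
        CREATE INDEX lease_ip ON lease (ip, start_ts, end_ts);
    """)
    conn.executemany("INSERT INTO lease VALUES (?,?,?,?)", leases)
    conn.executemany("INSERT INTO darknet VALUES (?,?,?,?)", darknet)
    return conn


def who_held(conn, ip, ts):
    """Return the customer holding ip at time ts, or None if no lease covers it."""
    row = conn.execute(
        "SELECT user FROM lease WHERE ip = ? AND ? BETWEEN start_ts AND end_ts",
        (ip, ts)).fetchone()
    return row[0] if row else None


def repeat_offenders(conn, min_hits=10):
    """Join each dark-space packet to the lease active at that instant and
    return (user, hits, distinct targets) for customers at or above min_hits."""
    return conn.execute("""
        SELECT l.user, COUNT(*) AS hits, COUNT(DISTINCT d.dst_ip) AS targets
        FROM darknet d
        JOIN lease l ON l.ip = d.src_ip AND d.ts BETWEEN l.start_ts AND l.end_ts
        GROUP BY l.user HAVING COUNT(*) >= ?
        ORDER BY hits DESC""", (min_hits,)).fetchall()
```

The evidence row for a customer is the packet list behind that join, which is what backs up the e-mail, phone call and shut-off steps james describes.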
Re: FW: The worst abuse e-mail ever, sverige.net
:Let's put this in perspective. Say a hypothetical sysadmin were to
:disable any and all authentication on his SSH server. And that
:someone then used SSH from your network to run code that sysadmin
:didn't like on that machine. Would you then consider it reasonable if
:the sysadmin proposed:
:
: The only responsible thing to do is filter port 22, smarthost for
: your users, and inform them about using the alternate submission
: port with authenticated SSH in order to work with enterprise SSH
: servers - or IPSec VPNs, for that matter. This is simply the best
: practice, at this point in time.
:

Apples oranges; thanks for playing, please try again...
New Improved Worm nonsense
I've managed to get more information should anyone care to take a peek at what one machine I ran into had. Quickie (ugly) write up/dissection includes two irclogs stored on the infected machine, parsed infected machine IP addresses (good to check if your network is spewing worm/virus traffic), and to get an overall assessment of this annoyance. Cross posted this to UNISog.

http://infiltrated.net/setver32-variables.html

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x51F9D78D
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D

lynx -dump 0xD1.0x5E.0x7B.0x9B/fatal|sed '1!G;h;$!d;s/\#/ /g;s/\+/ /g

sil @ politrix . org    http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net

How can we account for our present situation unless we believe that men high in this government are concerting to deliver us to disaster?
Joseph McCarthy, America's Retreat from Victory