Re: Disappointment at DENIC over Poor Rating in .net Procedure

2005-04-05 Thread Simon Waters

Have to admit to being surprised at DENIC's poor placing.

The only time I did a comparison, DENIC were by far and away the best European 
TLD maintainers. 

Okay there wasn't much competition, and I was looking at purely technical 
aspects of how the TLD were arranged, but the results were so good it 
suggested people who actually knew what they were doing.


Re: Reports or data on data centres without access to competitive fibre

2005-04-05 Thread Alex Bligh

--On 05 April 2005 10:43 +1000 Stephen Baxter [EMAIL PROTECTED] wrote:

> I was looking around for any reports, press releases or even yarns about
> the issues data centres face when they are built without access to
> competitive fibre optic cable.

See MFS  MAE-East ad nauseam.
Alex


Re: botted hosts

2005-04-05 Thread Simon Waters

On Monday 04 Apr 2005 9:56 pm, Sam Hayes Merritt, III wrote:

> AOL blocks outbound 25.

In the UK they proxy outbound port 25, some of the time.

Blocking it would be far simpler for us, but I suspect create more support 
calls.


Re: botted hosts

2005-04-05 Thread Simon Waters

On Monday 04 Apr 2005 11:06 am, Sean Donelan wrote:

> Although Microsoft probably did more to create the problem than
> anyone else, they finally have stepped up to the plate.  In the last
> year they have been more successful than anyone else at fixing their
> piece of the problem.

Like anyone else was going to fix Microsoft software?

> XP SP2 reduced the brand-new computer zombie problem.

Alas couple of weeks back local firms were still shipping SP1 patched XP boxes 
sigh.


Re: botted hosts

2005-04-05 Thread Tony Finch

On Mon, 4 Apr 2005, Dean Anderson wrote:

> Err, not likely. SPF came out, and now bots can find the ISPs closed
> relays with very little trouble at all.

AFAIK bots use the MX of a parent domain of the infected machine's
hostname to find an outgoing relay, not SPF. This is based on an
incident I dealt with in September, and the Spamhaus article
http://www.spamhaus.org/news.lasso?article=158
Fortunately it isn't too hard to lock down MXs to incoming only.

Tony.
-- 
f.a.n.finch  [EMAIL PROTECTED]  http://dotat.at/
BISCAY: WEST 5 OR 6 BECOMING VARIABLE 3 OR 4. SHOWERS AT FIRST. MODERATE OR
GOOD.


Arrest for cable sabotage

2005-04-05 Thread Sean Donelan


Police make an arrest in cable sabotage case on Martha's Vineyard,
Massachusetts.

http://news.bostonherald.com/localRegional/view.bg?articleid=76510



Re: botted hosts

2005-04-05 Thread Suresh Ramasubramanian

On Apr 5, 2005 3:33 PM, Tony Finch [EMAIL PROTECTED] wrote:

> AFAIK bots use the MX of a parent domain of the infected machine's
> hostname to find an outgoing relay, not SPF. This is based on an
> incident I dealt with in September, and the Spamhaus article
> http://www.spamhaus.org/news.lasso?article=158
> Fortunately it isn't too hard to lock down MXs to incoming only.

Some bots do that. Others just grab the smtp server (and AUTH settings
if any) from your MUA - easier if it's Outlook / OE - and send using
that smarthost.

Just that when you have SMTP AUTH usernames in your logs, and virus
sign, it is quite easy to locate and lock down that user, or maybe use
your radius server to drop his login session, then restrict his next
login to a walled garden VLAN, or maybe cut it off altogether till the
issue is fixed.

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])
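
The log-based check described in the message above, as an added example that is not part of the original thread: it scans smtpd log lines for authenticated accounts that submit an unusual burst of mail. Postfix-style log lines are an assumption (the thread names no MTA), a volume burst stands in for the "virus sign", and the sample lines, addresses, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Postfix-style smtpd line (assumed MTA and format; the thread names none).
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>\w+): client=\S*\[(?P<ip>[^\]]+)\].*sasl_username=(?P<user>\S+)"
)

def _line(ts, qid, ip, user):
    return (f"Apr  5 {ts} mx1 postfix/smtpd[411]: {qid}: "
            f"client=unknown[{ip}], sasl_method=LOGIN, sasl_username={user}")

# Constructed sample: alice sends twice, bob's account bursts 8 messages in 35 s.
SAMPLE_LOG = "\n".join(
    [_line("10:00:01", "A1", "192.0.2.10", "alice"),
     _line("10:31:40", "A2", "192.0.2.10", "alice")]
    + [_line(f"11:02:{5 * i:02d}", f"B{i}", "198.51.100.7", "bob") for i in range(8)]
    + ["Apr  5 11:03:00 mx1 postfix/smtpd[411]: disconnect from unknown[198.51.100.7]"]
)

def flag_auth_bursts(log_text, window_s=60, max_msgs=5, year=2005):
    """Return {sasl_username: {"peak": n, "ips": [...]}} for accounts that
    submit more than max_msgs authenticated messages inside window_s seconds."""
    recent = defaultdict(deque)   # user -> timestamps inside the sliding window
    peak = defaultdict(int)       # user -> largest window count seen
    ips = defaultdict(set)        # user -> client addresses the account used
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:                 # skip lines without an authenticated submission
            continue
        # Syslog timestamps carry no year, so one is supplied by the caller.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["user"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        peak[m["user"]] = max(peak[m["user"]], len(q))
        ips[m["user"]].add(m["ip"])
    return {u: {"peak": peak[u], "ips": sorted(ips[u])}
            for u in peak if peak[u] > max_msgs}

if __name__ == "__main__":
    for user, info in flag_auth_bursts(SAMPLE_LOG).items():
        print(user, info)
```

The flagged username and client addresses are what an operator would hand to the RADIUS or walled-garden step the message mentions.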


Re: botted hosts

2005-04-05 Thread Tony Finch

On Tue, 5 Apr 2005, Suresh Ramasubramanian wrote:

> Others just grab the smtp server (and AUTH settings if any) from your
> MUA - easier if it's Outlook / OE - and send using that smarthost.

Has that actually been observed in the wild?

Tony.
-- 
f.a.n.finch  [EMAIL PROTECTED]  http://dotat.at/
BISCAY: WEST 5 OR 6 BECOMING VARIABLE 3 OR 4. SHOWERS AT FIRST. MODERATE OR
GOOD.


Re: botted hosts

2005-04-05 Thread Suresh Ramasubramanian

On Apr 5, 2005 5:56 PM, Tony Finch [EMAIL PROTECTED] wrote:
> On Tue, 5 Apr 2005, Suresh Ramasubramanian wrote:
>
> > Others just grab the smtp server (and AUTH settings if any) from your
> > MUA - easier if it's Outlook / OE - and send using that smarthost.
>
> Has that actually been observed in the wild?

We (Outblaze) have been seeing this for over a year now.  Carl Hutzler
at AOL has posted in various lists about having seen it for rather
longer than that.

I think it also hit the register after they interviewed someone at spamhaus

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])


Re: botted hosts

2005-04-05 Thread Charles Cala


--- Tony Finch [EMAIL PROTECTED] wrote:

> On Tue, 5 Apr 2005, Suresh Ramasubramanian wrote:
>
> > Others just grab the smtp server (and AUTH settings if any) from your
> > MUA - easier if it's Outlook / OE - and send using that smarthost.
>
> Has that actually been observed in the wild?

yes

-charles

http://www.bullguard.com/antivirus/vit_bugbear_b.aspx
(and others)


Re: so, how would you justify giving users security?

2005-04-05 Thread Niels Bakker

* [EMAIL PROTECTED] (Florian Weimer) [Mon 04 Apr 2005, 22:25 CEST]:
> * Gadi Evron:
> > Lastly, I suppose that as a geek ISP, one might want to sell more
> > bandwidth. After all, the more sh*t that goes through the tubes the
> > bigger tubes people buy.
>
> Only if the end user market is ready for volume pricing. 8-)  In
> Germany, we aren't quite there yet.  And it would neatly solve
> the P2P problem.

What is this P2P problem you speak of?  Does it perhaps consist of the
fact that your marketing department advertised with unlimited pipes,
which some customers then started using, because they're more creative
in thinking up new uses than your marketing department, and suffer less
from wishful thinking about oversubscription rates than your technical
staff did?


-- Niels.

-- 
  The idle mind is the devil's playground


Re: so, how would you justify giving users security?

2005-04-05 Thread Stephen J. Wilcox

On Mon, 4 Apr 2005, Florian Weimer wrote:

> * Stephen J. Wilcox:
>
> > On Mon, 4 Apr 2005, Gadi Evron wrote:
> >
> > > Anyone ever considered just closing these ports? People will pay you
> > > more and just for your ACL services! You can put all your troubles
> >
> > you would need to do this on a per customer interface basis ie not
> > at an aggregation point but on each ppp interface..
>
> Not necessarily.  Some Windows malware prefers local address ranges, but not
> all.  If you quickly disconnect those who caught something, it's a great help
> in keeping the number of infected machines down. You could even spin this in a
> way that encourages your customers to recommend you to their friends: no
> hassle with the filters.

I thought of that but then it's only half a filtering effort, how would you
package it up 'Telecomplete Broadband **Now with a bit of filtering**' ?

Then a bunch of smallprint about how you don't actually provide any additional
security? :)

Steve



Re: botted hosts

2005-04-05 Thread Petri Helenius

Florian Weimer wrote:

> * Suresh Ramasubramanian:
>
> > Find them, isolate them into what some providers call a walled
> > garden - vlan them into their own segment from where all they can
> > access are antivirus / service pack downloads
>
> Service pack downloads?  Do you expect ISPs to pirate Windows (or
> large parts thereof)?  Or has Microsoft finally seen the light?
 

Walled garden is a term to describe selective external availability. 
This does not violate the usual download license conditions because no 
copy is made or stored at any time. The ISP can choose which external 
services are made available to the infected parties.

Pete


RIPE50: Peering BoF

2005-04-05 Thread Cara Mascini


North American Network Operators,

Since quite a few of you are also attending the RIPE meetings Susan
thought it would be a good idea for me to mention that a (European)
Peering BoF will take place in Stockholm at RIPE50 on Sunday 1st May
2005 and from 18.00 to around 21.00. 

The format will be fairly informal and provide interested parties with
an opportunity of presenting their peering policies to the participants
(in a set format). Time permitting, anyone expressing an interest in
presenting their policy will be given the opportunity to do so. 

Of course seeing the timing of the session there will be some food to
keep the participants happy. And no Peering BoF would be complete
without the mandatory free beer at the end of it which is brought to the
participants in the interests of social networking by a number of
European IXPs. 

Anyone interested can let me know by return whether you are 
interested in attending/presenting.

Regards,

Cara Mascini 




Re: botted hosts

2005-04-05 Thread Dean Anderson

On Mon, 4 Apr 2005 [EMAIL PROTECTED] wrote:

> The problem arises when you are trying to push signal (spam) to a
> non-cooperating recipient. I've seen spam that's so obfuscated that it's
> unclear whether it's trying to sell me a R00leckss or medications.  At
> that point, it may be able to pass under the effective-bandwidth filter
> of your covert channel.

You are making the assumption that spam means to sell something. Spam
includes mailbombing, in which the purpose is not commercial at all, but
rather purely for annoyance. (there may be secondary commercial purposes,
ie, to annoy users at a certain ISP to harm its business, but we can't
discover that purpose by looking at a single message).

The terribly obfuscated spams never seem to be genuinely commercial. But
it's hard to count*.

The confluence of CAN-SPAM and rapid early genuine spammer adoption of SPF
records has revealed some interesting things about how much spam is
genuinely commercial and how much is annoyance. It gave us a way to label
commercial spam in an easily countable way.  The numbers suggested that
only about 6% of spam was genuinely commercial. And so leaving the other
94% as non-commercial garbage of one kind or another*.

[See Malicious Cryptography: Exposing Cryptovirology by Adam Young et al.  
Unintelligible spam-like messages may be parts of an encrypted message
sent to a mix-net]

> If you hide the spam in a steganographic message inside a .JPG of a giraffe,
> it will almost certainly make it to the mailbox.  But at that point, the
> user is left looking at a picture of a giraffe..

And on the giraffe, the spots spell out a message that is immediately
recognizable to a human. Sort of just like those crawler-thwarting image
authenticators do now.  Partly, this example is a deviation from info
theory. The giraffe example is just reliant on the fact that machines
aren't as good as a human at these sort of recognition tasks. If machines
were, we'd have other problems, but unwanted messages would still be one
of them. Info theory is much deeper.

--Dean

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 344 9000   





Re: botted hosts

2005-04-05 Thread Dean Anderson

On Mon, 4 Apr 2005, Sam Hayes Merritt, III wrote:

> > Unblocking on customer request is an expensive operation, for both the
> > ISP and the customer.
>
> > And they frequently assume that network operations changes are
> > free---Comcast reported that it would cost $58 million to implement port
> > 25 blocking and notify customers, just for Comcast.
>
> Anyone can come up with a number to convince themselves that they don't
> need to do the 'right thing'. Comcast is probably using Docsis. Docsis
> makes applying filters on a per user basis pretty darn easy.

That's not the only thing they have to do. They have to (probably)
1) change the user service agreements
2) notify users of upcoming change several times
3) alter docsis on networks in hundreds of cities.
4) Staff additional support to handle calls.
5) lose business because many people want to send email to the 
server of their choice.

> AOL blocks outbound 25.

They've said this for many years, but I have hundreds of AOL addresses
that have tried to abuse our relays. Maybe they do in some places, but not
everywhere.

Aug  6  2003   172.155.12.106  Trace 1638

This sort of attempted open relay abuse stopped only after the open relay
blacklists shut down in late 2003.

Indeed, after about a year of complete quiet, abuse just started up again
about mid March, but not as strong as before:  Very few hosts, very few
nets.  Pretty lame, really, in comparison with the old days.  All from
Korea, and China targeting Korean ISPs, and one from Uruguay targeting
Uruguayan ISP.  Pretty definitely mailbombing by some open relay zealots
or script kiddies, who probably pass themselves off as anti-spammers.

It was interesting because I first got wind when some bounces were
received from a Korean open relay. I got them because they were forged av8
from: addresses. Possibly, av8 was the target. Now who would target av8
with mailbombing?

--Dean

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 344 9000   




Re: botted hosts

2005-04-05 Thread Dean Anderson

On Tue, 5 Apr 2005, Tony Finch wrote:

> On Mon, 4 Apr 2005, Dean Anderson wrote:
>
> > Err, not likely. SPF came out, and now bots can find the ISPs closed
> > relays with very little trouble at all.
>
> AFAIK bots use the MX of a parent domain of the infected machine's
> hostname to find an outgoing relay, not SPF. This is based on an
> incident I dealt with in September, and the Spamhaus article
> http://www.spamhaus.org/news.lasso?article=158
> Fortunately it isn't too hard to lock down MXs to incoming only.

Yes. Many ISPs have MXs incoming only for reasons besides spam.

But SPF identifies _outgoing_ mailservers. Just what a bot needs.

--Dean

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 344 9000   




ICANN's Questionable Deals Coming Under Attack

2005-04-05 Thread Fergie (Paul Ferguson)


Scathing criticism building over ICANN policies:

http://www.techdirt.com/articles/20050405/1329204_F.shtml

- ferg

--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or [EMAIL PROTECTED]


The Register: .net report speared a third time

2005-04-05 Thread Fergie (Paul Ferguson)


The Register:

The .net report has been speared a third time - by
bidder Sentan.

http://www.theregister.co.uk/2005/04/05/sentan_slams_dot_net_report/

- ferg

--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or [EMAIL PROTECTED]


Re: The Register: .net report speared a third time

2005-04-05 Thread Niels Bakker

* [EMAIL PROTECTED] (Fergie (Paul Ferguson)) [Wed 06 Apr 2005, 02:19 CEST]:
> The Register:
[..]

Dear Paul,

Would it belong to the realm of possibilities that you got yourself
a deli.cio.us account and post a link to the RSS feed here, once?

Very truly yours,


-- Niels.

-- 
  The idle mind is the devil's playground