Re: (OT)MSN/hotmail postmaster contact

2006-10-31 Thread Simon Waters

On Monday 30 Oct 2006 21:06, you wrote:
>
> Is there a postmaster from MSN/Hotmail out there? Mail from my domain to 
> any of yours is being junked and randomly blackholed.  No progress has been
> made yet with the normal tech support.

I previously got responses from the advertised postmaster contact eventually.

But if an email provider is bit bucketing email, other than as a tactical 
measure, rather than rejecting it, or quarantining it, your time is probably 
better spent advising people not to use that service.

It is not as if, since AOL's Harvard email fiasco, anyone can claim they didn't 
know it wasn't a stupid thing to be doing.

Since people have already told Hotmail it is a stupid thing to do, and they 
still do it, they are clearly stupid, or uncaring on the matter, neither is a 
good thing in an email provider.

Or as put elsewhere "real friends don't let friends use hotmail".


Re: CWDM equipment (current favorites)

2006-10-31 Thread Pekka Savola

On Mon, 30 Oct 2006, Mikael Abrahamsson wrote:
> On Mon, 30 Oct 2006, Deepak Jain wrote:
> > We need to place a new order for some new fiber builds and were considering
> > some other vendors. Especially in the nx2.5G and nx10G (are CWDM x-cievers
> > even available in 10G yet?) range. Anyone have any new favorites?
> 
> I have recommended Transmode (www.transmode.com) to several people and not
> been flamed yet, so I think people are reasonably satisfied with them.

Are we talking about the same vendor?  Who only provides Web 
interface for management of the system?

But maybe others are likewise less than ideal..

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings


Re: Cogent now peering with Sprint?

2006-10-31 Thread Patrick W. Gilmore


On Oct 31, 2006, at 2:12 AM, Bob Collie wrote:

> That looks like a transit connection that Cogent bought at Ashburn, VA,
> not SFI peering connection.


Hrmm, I can't tell by looking at a traceroute who paid whom, if
anyone.  Care to explain your magic?  Is there a code in the
in-addrs?  Perhaps "sl-$FOO" means something in Sprint-speak?


Secondly, does anyone really give a rat's ass who is "SFI" any  
longer?  There are at least 2 fully "SFI" networks who can't route  
half as well as a whole slew of non-SFI networks these days.


If [Cogent|Sprint] [buying|peering|whatever] [from|with]
[Cogent|Sprint] makes their network better (i.e. lower latency, lower
packet loss, higher throughput, and, if you care, lower jitter),  I
applaud them.


Anyone who thinks "X pays Y" is more important than any of the  
metrics above needs to reevaluate their priorities.  (At least from a  
customer / engineering PoV.  I wouldn't suggest $NETWORK's bean  
counters have the same priorities as their network engineers &  
customers. :)


IMHO, of course.

--
TTFN,
patrick



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Ray
Sent: Tuesday, October 31, 2006 12:11 AM
To: nanog@merit.edu
Subject: Cogent now peering with Sprint?


I never thought Sprint would ever renew its relationship with Sprint:

Tracing the route to portus.netsecdesign.com (66.6.208.6)

   1 sl-bb24-rly-9-0.sprintlink.net (144.232.14.122) 0 msec 0 msec 0 msec
   2 sl-st22-ash-6-0.sprintlink.net (144.232.20.189) 0 msec 4 msec 0 msec
   3 p15-2.core01.iad01.atlas.cogentco.com (154.54.13.61) [AS 174] 4 msec 4 msec 0 msec
   4 v3492-mpd01.iad01.atlas.cogentco.com (154.54.3.222) [AS 174] 16 msec 80 msec 196 msec
   5 v3497.mpd01.dca01.atlas.cogentco.com (154.54.5.65) [AS 174] 4 msec 4 msec 4 msec
   6 t9-3.mpd01.iah01.atlas.cogentco.com (154.54.2.222) [AS 174] 44 msec 44 msec 48 msec
   7 t2-3.mpd01.lax01.atlas.cogentco.com (154.54.3.186) [AS 174] 72 msec 72 msec 72 msec
   8 g2-0-0.core01.lax01.atlas.cogentco.com (154.54.2.101) [AS 174] 72 msec 72 msec 72 msec
   9 g49.ba01.b002698-1.lax01.atlas.cogentco.com (66.250.12.130) [AS 174] 72 msec 72 msec 72 msec
  10 PAJO-Networks.demarc.cogentco.com (38.112.9.190) [AS 174] 72 msec 76 msec 72 msec
  11 dcap04.pcap.lax01.tierzero.net (216.31.128.14) [AS 11509] 72 msec 76 msec 72 msec
  12 mmic-gw.dcap6.lax.us.tierzero.net (216.31.188.94) [AS 11509] 76 msec 80 msec 80 msec
  13 dazedandconfused.netsecdesign.com (66.6.208.4) [AS 11509] 84 msec 84 msec 88 msec
  14 portus.netsecdesign.com (66.6.208.6) [AS 11509] 84 msec 84 msec 88 msec


Next I will see pigs flying :)  Wonder how long it will last based on
Cogent's past behavior as noted here.

Edward Ray






RE: (OT)MSN/hotmail postmaster contact

2006-10-31 Thread Dennis Dayman

> Is there a postmaster from MSN/Hotmail out there?  Mail from 
> my domain to any
> of yours is being junked and randomly blackholed.  No 
> progress has been made
> yet with the normal tech support.  Please reply off list if 
> you can help.

I have sent it to the appropriate persons there.

They should be in contact soon

-Dennis




rbnnetwork.org

2006-10-31 Thread Alexander Harrowell


Is hosting a phishing site and bouncing abuse reports..

-- Forwarded message --
From: Alexander Harrowell <[EMAIL PROTECTED]>
Date: Oct 31, 2006 2:38 PM
Subject: Phisher
To: [EMAIL PROTECTED]


We're receiving large volumes of comments spam advertising a site
hosted in your network. http://onlineinvestmentworld.com is located at
81.95.146.166, which is your netblock:

inetnum: 81.95.144.0 - 81.95.147.255
netname: RBNET
descr:   Russian Business Network
admin-c: RBNR-ORG
tech-c:  RBNR-ORG
mnt-by:  RBN-MNT
status:  ASSIGNED PA
country: RU
remarks: INFRA-AW
changed: [EMAIL PROTECTED] 20060

Tracert:

1   0   1   1   0.6 ms  66.36.240.2  AS14361  HOPONE-DCA  c-vl102-d1.acc.dca2.hopone.net.  255  US  Unix: 14:38:16.496
2   0   2   6   0.6 ms [+0ms]  66.36.224.232  AS0  IANA-RSVD-0  gec2.core1.dca2.hopone.net.  0 miles [+0]  254  US  Unknown: 833f257b
3   0   0   1   0.7 ms [+0ms]  66.36.224.233  AS0  IANA-RSVD-0  gec2.core2.dca2.hopone.net.  0 miles [+0]  254  US  Unix: 14:07:58.580
4   6   8   6   6.5 ms [+5ms]  198.32.160.102  AS0  IANA-RSVD-0  gi3-0.nyc-002-inter-1.interoute.net.  0 miles [+0]  253  US  Unix: 14:37:46.936
5   *   75  77  74 ms [+67ms]  212.23.43.177  AS8928  INTEROUTE  gi0-0.nyc-002-inter-1.interoute.net.  0 miles [+0]  248  GB  Unix: 14:37:47. 45
6   *   75  75  74 ms [+0ms]  212.23.43.150  AS8928  INTEROUTE  po3-0.lon-wal-core-2.interoute.net.  0 miles [+0]  250  GB  Unix: 14:37:47.128
7   *   74  74  74 ms [+0ms]  217.118.119.26  AS8928  INTEROUTE  te9-1.lon-wal-access-4.interoute.net.  0 miles [+0]  250  GB  Unix: 14:37:47.162
8   *   85  78  78 ms [+3ms]  84.233.231.138  AS8928  INTEROUTE  unknown.net.uk  0 miles [+0]  248  GB  Unknown: 8100e8e2
9   *   124 125 124 ms [+46ms]  81.95.156.34  AS0  IANA-RSVD-0  gbit-eth-34-uk.sbttel.com.  0 miles [+0]  247  RU  Unix: 14:37:16.972
10  *   125 124 124 ms [+0ms]  81.95.156.58  AS0  IANA-RSVD-0  oc-3-sbttel.rbnnetwork.com.  0 miles [+0]  55  RU  Unix: 14:35:47.772
11  *   143 149 143 ms [+19ms]  81.95.146.166  ASN=40989  [Destination Unreachable]  ip-146-166.rbnnetwork.com.


RE: Cogent now peering with Sprint?

2006-10-31 Thread James Jun

> On Oct 31, 2006, at 2:12 AM, Bob Collie wrote:
> 
> > That looks like a transit connection that Cogent bought at Ashburn,
> > VA,
> > not SFI peering connection.
> 
> Hrmm, I can't tell by looking at a traceroute who paid whom, if
> anyone.  Care to explain your magic?  Is there a code in the in-
> addrs?  Perhaps "sl-$FOO" means something in Sprint-speak?


Yea, but most of xfer-nets in this case appear to be assigned by Cogent
(then again, how does that make any difference for special buy|peer cases):

2 sl-st21-la-13-0.sprintlink.net (144.232.20.69) 4 msec 4 msec 4 msec
3 p12-3.core01.lax05.atlas.cogentco.com (154.54.13.41) [AS 174] 4 msec 4
msec 4 msec

11  sprint.iad01.atlas.cogentco.com (154.54.13.62)  12.032 ms  12.061 ms
12.103 ms

9  sprint.dfw03.atlas.cogentco.com (154.54.10.18)  21.964 ms  21.897 ms
21.756 ms

Etc..

And comm tags from Sprint side look similar to other SFI's:

  1239 174 
144.228.241.81 from 144.228.241.81 (144.228.241.81)
  Origin IGP, metric 4294967294, localpref 100, valid, external
  Community: 1239:321 1239:1000 1239:1011

  1239 209 
144.228.241.81 from 144.228.241.81 (144.228.241.81)
  Origin IGP, metric 4294967294, localpref 100, valid, external
  Community: 1239:321 1239:1000 1239:1011



> 
> Anyone who thinks "X pays Y" is more important than any of the
> metrics above needs to reevaluate their priorities.  (At least from a
> customer / engineering PoV.  I wouldn't suggest $NETWORK's bean
> counters have the same priorities as their network engineers &
> customers. :)
> 
> IMHO, of course.


Indeed, at the end of the day, it really doesn't matter these days :)


james




Re: Cogent now peering with Sprint?

2006-10-31 Thread Fredy Kuenzler


Patrick W. Gilmore wrote:

> Hrmm, I can't tell by looking at a traceroute who paid whom, if
> anyone. Care to explain your magic?  Is there a code in the in-addrs?
> Perhaps "sl-$FOO" means something in Sprint-speak?
>
> Secondly, does anyone really give a rat's ass who is "SFI" any
> longer? There are at least 2 fully "SFI" networks who can't route
> half as well as a whole slew of non-SFI networks these days.
>
> If [Cogent|Sprint] [buying|peering|whatever] [from|with]
> [Cogent|Sprint] makes their network better (i.e. lower latency, lower
> packet loss, higher throughput, and, if you care, lower jitter),  I
> applaud them.


I heard some rumours at the Euro-IX forum last week.

Fact: Deutsche Telekom 3320 is playing the power play currently not
upgrading their peering interconnections in Europe. 174 is experiencing
up to 30% packet loss versus 3320 in Europe, making customers suffer.
This is first hand info (we are involved with some popular content site
sending out up to 800MBps peak to German-speaking users, and appx. 1/3
is 3320).

Think of 174 started to peer with 1239 and redirecting some outbound
traffic to 3320 over this new peer. Since 3320 is buying from 1239, they
will pay more to 1239, and 1239 accepts 174 as a new peer because they
get more money from 3320 ... as mentioned, this is just a rumour I
heard, but reading William B. Norton's theory (tactic #9), this would
make sense.

Fredy


Re: CWDM equipment (current favorites)

2006-10-31 Thread Mike Hughes


On Mon, 30 Oct 2006, Deepak Jain wrote:

> Since then, I have actually touched some of the MRV product line personally 
> and found it (and their customer support)... less than ideal. (not comparing 
> to anyone else, and no one is really ideal).


We're lucky enough that they have a helpful/clueful distributor here in 
the UK.


> The bigger problem was that the devices seem to be less than intuitive, but 
> rock solid once they are working. (which is what everyone praised them for).


Agreed, though the poor UI meant that debugging a cable problem on a span 
was much harder than it needed to be.


I really wish they had syslog implemented, but look at it this way, it 
could be worse. At least you don't have to talk TL1 to them ;-).


Cheers,
Mike


Re: Cogent now peering with Sprint?

2006-10-31 Thread Elmar K. Bins

Hi Fredy,

[EMAIL PROTECTED] (Fredy Kuenzler) wrote:

> Think of 174 started to peer with 1239 and redirecting some outbound
> traffic to 3320 over this new peer. Since 3320 is buying from 1239, they
> will pay more to 1239, and 1239 accepts 174 as a new peer because they
> get more money from 3320 ... as mentioned, this is just a rumour I
> heard, but reading William B. Norton's theory (tactic #9), this would
> make sense.

In the very least it's eventually something to use to put pressure
on those AS3320 guys.

The idea is pretty smart ;)


Elmar.

-- 

"Limping is not a flaw of a comparison, but should be regarded as an
 essential property of comparisons."       (Marius Fränzel in desd)

--[ ELMI-RIPE ]---



Re: CWDM equipment (current favorites) (fwd)

2006-10-31 Thread alex

On Mon, 30 Oct 2006, Deepak Jain wrote:

> A few years ago, NANOG had a discussion regarding various CWDM vendors.  
> Repeatedly MRV was brought up as a good option for metro-area LAN type
> applications.
There's been some discussions more recently, such as (coauthored by yours 
truly):
http://www.nanog.org/mtg-0606/pdf/lightning-talks/4-pilosov.pdf
http://www.nanog.org/mtg-0610/presenter-pdfs/pilosov.pdf

> Since then, I have actually touched some of the MRV product line
> personally and found it (and their customer support)... less than ideal.  
> (not comparing to anyone else, and no one is really ideal).
> 
> The bigger problem was that the devices seem to be less than intuitive,
> but rock solid once they are working. (which is what everyone praised
> them for).
Passive CWDM gear is pretty much all created equal as far as intuitiveness
in how to connect it (assuming gear is non-broken). You have muxes, you
have SFPs/GBICs, and you plug GBIC output into the mux input. :)

As far as the SFP/GBIC quality, I think MRV is very good. At one point, 
(maybe even still) Cisco OEM'd MRV gbics under their brand (and with 
attendant 1000% markup). You can also look at cubo and infineon optics, 
good quality at reasonable price.

Be wary about chiwanese vendors - quality is questionable: high DOA rate,
output light level and input sensitivity vary from one module to another. 

Pricewise, you might find that cubo isn't *that* much more expensive than
chiwanese gear. Also, there's market (like, again, from yours truly) of
the new-in-box MRV gear, which may also be an option.

> We need to place a new order for some new fiber builds and were
> considering some other vendors. Especially in the nx2.5G and nx10G (are
> CWDM x-cievers even available in 10G yet?) range. Anyone have any new
> favorites?
2.5G are only slightly more expensive than 1G - if you have OC48 gear that
is SFP-capable, by all means, use that.

10G CWDM is *rumoured* to exist, but I don't think there are any
production ones yet. Feel free to correct me. 10G is all DWDM, and so far 
very pricy.




Re: rbnnetwork.org

2006-10-31 Thread Jeroen Massar

Alexander Harrowell wrote:
> 
> Is hosting a phishing site and bouncing abuse reports..

Not so strange, gmail addresses are being used a lot for spam sources.
With the description you gave, I would also ignore it, it's a miracle
that the spamfilter didn't drop it dead on the floor in the first place,
especially as you are spamvertizing a certain website ;)

Let's see what you should do different the next time you try to report
something:

> -- Forwarded message --
> From: Alexander Harrowell <[EMAIL PROTECTED]>

Don't use gmail, use a real address, not something which everybody can
create on the fly, at random and throw away again. That gives you some
credit that you are not trying to fake somebody else. Having your full
name instead of barbylover666 is a good part though, gmail isn't.

> Date: Oct 31, 2006 2:38 PM
> Subject: Phisher

Phisher? Is that it? Let's assume you have to handle abuse@ and you get
1000 mails a day from silly automated tools, seeing 'Phisher' as the
only thing in the subject from a person from gmail will simply trigger
only one action: [del].

In the 'description' below you write that they are doing comment spam.
Phishing != comment spam. A better subject would have been:
 "Spamvertized website at <$ip> in your <$ispnet>, AS".

Having the ASN in there gives some credibility.

> To: [EMAIL PROTECTED]
> 
> 
> We're receiving large volumes of comments spam advertising a site
> hosted in your network. http://onlineinvestmentworld.com is located at
> 81.95.146.166, which is your netblock: inetnum:81.95.144.0 -
> 81.95.147.255

Who is "We"? Gmail? When reporting something it is actually useful to
show proof somewhere, thus simply point to the websites in question. As
those websites are yours you most likely also have logs of those sites,
then you can also contact the ISP's who are actually spamming the comments.



They know who they are, so you don't have to repeat that.

As this message, according to you, bounced, you could also have tried
the admin and tech handles. Although in this case that leads only to
[EMAIL PROTECTED] Email wise you are thus out of luck, but those
handles do contain phone numbers, which you can use then to resolve this.

Another way, instead of calling (which might be horrible if you don't
speak Russian ;) is to check their peers and transits:

http://www.robtex.com/as/as40989.html which tells you that it is a very
small company with only one /22, they are pretty new to the game and
some other things. As they are a small ISP, they clearly have a transit
and you can always contact them if they don't reply to your mails or
they simply drop them on the floor.

If you would have done a whois on rbnnetwork.com you would have found
another email address and strangely, a US address and phone number.
They are not so Russian as they seem like after all ;)



What does a traceroute do at all? It might be handy only in the case
where some IP hijack is in progress, but in that case you can always do
a BGPPlay using RIPE's RIS to figure out where it came from.

Last but not least: there are dedicated spam etc reporting sites.
Afaik Nanog is not that place. Unless your network went down because an
ISP was overloading you with traffic of course ;)

Greets,
 Jeroen






Reciprocal billing by independent LECs

2006-10-31 Thread Ashe Canvar


Hi all,

I am investigating the reciprocal compensation model in use today
between the ILECs and some independents. Specifically, many companies
are offering multi party conferencing for free as a side effect of
this reciprocity fee.

Seems like there were some disputes about it in the past :
http://telephonyonline.com/mag/telecom_draining_incumbent_us/

So is this still a valid business model or is a crackdown by the ILECs
in the cards ?

All info appreciated.

Thanks,
Ashe Canvar.


Re: advise on network security report

2006-10-31 Thread Rick Wesson


Roland Dobbins wrote:
> On Oct 30, 2006, at 8:53 AM, Rick Wesson wrote:
>
>> I'm expecting to post a weekly report once a month to nanog, would
>> this be disruptive?
>
> Far better to simply post a pointer to your new list, IMHO, and let
> folks subscribe if they so choose.  As it is, many of these various
> automated postings to NANOG are mildly annoying to those who aren't
> interested or who already receive the information in another form.

the point of the posting are to generate discussion; the list 
subscription will be made available for those that desire access to 
higher frequency of reporting.

> Whatever service you end up offering, a full-text RSS or Atom feed
> would probably be useful, as well.

we do CSV for detail reporting and will be posting these directly to the 
abuse@ mbox for the networks we have contacts for.


-rick



Re: advise on network security report

2006-10-31 Thread Roland Dobbins



On Oct 31, 2006, at 3:45 PM, Rick Wesson wrote:


> the point of the posting are to generate discussion;


I believe there are those who would argue that there's already a  
surfeit of discussion on NANOG, quite a bit of it irrelevant and of  
little interest to many subscribers.


Posting stats and reports to a list which contains people who may not  
be interested in same often results in those stats and reports being  
filtered out and ignored.  Posting a pointer to said stats and lists  
so that interested parties can subscribe if they so choose guarantees  
a community of common interests to whom discussion of the topic(s) at  
hand will come naturally, without the need for artificial stimulus.


---
Roland Dobbins <[EMAIL PROTECTED]> // 408.527.6376 voice

Any information security mechanism, process, or procedure which can
be consistently defeated by the successful application of a single
class of attacks must be considered fatally flawed.

-- The Lucy Van Pelt Principle of Secure Systems Design



RE: (OT)MSN/hotmail postmaster contact

2006-10-31 Thread Christian Nielsen

Eliot Gillum gave a talk at Nanog you might want to review:

http://www.nanog.org/mtg-0606/gillum.html

Thanks,

Christian

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edward F. Klimowicz
Sent: Monday, October 30, 2006 1:07 PM
To: nanog@merit.edu
Subject: (OT)MSN/hotmail postmaster contact


Is there a postmaster from MSN/Hotmail out there?  Mail from my domain to any
of yours is being junked and randomly blackholed.  No progress has been made
yet with the normal tech support.  Please reply off list if you can help.
-- 
Edward F. Klimowicz
Voicenet Systems Administration
[EMAIL PROTECTED]
215.259.2131


RE: advise on network security report

2006-10-31 Thread Barry Greene (bgreene)


Postings like this to NANOG will not have any impact. So if your goal is
to instigate action, posting is not going to work. The core data point is
the weekly CIDR report. It only works if you have peers using the weekly
list to apply peer pressure to the networks listed to act. 

Sharing summaries to communities like dshield, NSP-SEC, DA, SANs and
other security mitigation communities along with a subscription web page
that would allow an organization to get enough details to take action.

Also, posting too much here just helps the criminals/miscreants. Some of
the better ones who have any clue can be assumed to be on NANOG. They
would love details on how well their tools are working and which ones
are going under the detection radar.

  

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Rick Wesson
> Sent: Monday, October 30, 2006 8:53 AM
> To: nanog@merit.edu
> Subject: advise on network security report
> 
> 
> 
> I would appreciate a bit of advice on a service I am about to deploy. 
> I've spoken at different venues (including nanog) on global 
> infection rates of bots and the general degradation of well 
> behaved hosts.
> 
> I now track around 2.2M abuse events per day and now have the 
> capability to produce reports for the community on which 
> networks have the largest problems. I am prepared to make 
> reports monthly to the community ordering networks by their 
> volume of issues.
> 
> I'd like some hints of which might be the most valuable to 
> the community.
> 
> o are hosts counts or issue counts more important
> 
> o is a 7 or 30 day window sufficient for aggregation?
> 
> o I'm not repaired for graphs yet so don't go there.
> 
> o should I post sub-reports for regions, by RIR?
> 
> o which kinds of abuse are more interesting.
> 
> I'm expecting to post a weekly report once a month to nanog, 
> would this be disruptive? We have a mailing list set up for 
> weekly reports, once finalized I'll post the location for its 
> list manager.
> 
> The global report usually has about 6,000+ networks, the top 
> 100 from last week are below.
> 
> again, thanks for your feedback.
> 
> 
> -rick
> 
> 
> Table 1. Networks with abuse, ordered by #incidents
> +-------+-----------+------+-------------------------------------+
> | asn   | incidents | cc   | left(asname,35)                     |
> +-------+-----------+------+-------------------------------------+
> |  4134 |    517830 | CN   | CHINANET-BACKBONE                   |
> |  9121 |    331955 | EU   | TTNet                               |
> |  4837 |    289984 | CN   | CHINA169-Backbone                   |
> |  3320 |    231516 | DE   | Deutsche Telekom AG                 |
> |  3352 |    211504 | ES   | TELEFONICA-DATA-ESPANA Internet Acc |
> |  5617 |    194685 | PL   | TPNET                               |
> |  3215 |    181686 | FR   | AS3215                              |
> |  3269 |    175858 | EU   | ASN-IBSNAZ                          |
> |  4766 |    129722 | KR   | KIXS-AS-KR                          |
> | 19262 |    125003 | US   | Verizon Internet Services           |
> |  8551 |    116014 | EU   | ISDN-NET-AS                         |
> |  3209 |     94981 | DE   | UNSPECIFIED                         |
> |  3462 |     82089 | TW   | HINET                               |
> |  9829 |     80538 | IN   | BSNL-NIB                            |
> |  8151 |     79223 | EU   | Uninet S.A. de C.V.                 |
> |  8359 |     73640 | RU   | MTUONLINE                           |
> |  5486 |     65757 | EU   | Euronet Digital Communications      |
> | 12322 |     65638 | FR   | PROXAD AS for Proxad ISP            |
> |  4788 |     53863 | MY   | TMNET-AS-AP                         |
> |  9116 |     53375 | IL   | Goldenlines main autonomous system  |
> |  4814 |     52712 | CN   | CHINA169-BBN                        |
> | 22927 |     51899 | AR   | Telefonica de Argentina             |
> |  4812 |     46462 | CN   | CHINANET-SH-AP                      |
> |  1680 |     45848 | IL   | NETVISION                           |
> |  9105 |     44450 | UK   | TISCALI-UK                          |
> | 15557 |     42792 | FR   | LDCOMNET                            |
> |  9498 |     42774 | IN   | BBIL-AP                             |
> |  8584 |     41914 | US   | Barak AS                            |
> |  2856 |     41820 | EU   | BT-UK-AS                            |
> | 13184 |     41688 | DE   | HANSENET HanseNet Telekommunikation |
> |  9318 |     40930 | KR   | HANARO-AS                           |
> | 12479 |     39009 | EU   | UNI2-AS Uni2 Autonomous System      |
> |  6147 |     38716 | US   | Telefonica del Peru S.A.A.          |
> |  3243 |     38586 | PT   | RIPE NCC ASN block                  |
> |  6713 |     35777 | EU   | IAM-AS                              |
> | 12876 |     35068 | FR   | AS12876                             |
> |  6739 |     32639 | ES   | ONO-AS

Re: advise on network security report

2006-10-31 Thread Rick Wesson


Barry Greene (bgreene) wrote:
> Postings like this to NANOG will not have any impact. So if your goal is
> to instigate action, posting is not going to work. The core data point is
> the weekly CIDR report. It only works if you have peers using the weekly
> list to apply peer pressure to the networks listed to act.

I beg to differ, whether I aggregate my announcements does not impact the 
$50B charge identity theft puts on the US economy.

would it assist if I associated a dollar value for each bot hosted, we 
can estimate the number of credit cards stolen per bot and extrapolate 
in to something with some zeros on it.

> Sharing summaries to communities like dshield, NSP-SEC, DA, SANs and
> other security mitigation communities along with a subscription web page
> that would allow an organization to get enough details to take action.

nsp-sec players still won't let us in their sand-box... but we will 
share to the communities you have enumerated.



-rick


Re: advise on network security report

2006-10-31 Thread Chris L. Morrow


On Tue, 31 Oct 2006, Rick Wesson wrote:
>
> > Whatever service you end up offering, a full-text RSS or Atom feed
> > would probably be useful, as well.
>
> we do CSV for detail reporting and will be posting these directly to the
> abuse@ mbox for the networks we have contacts for.

whichever notification method you use you need to include information that
the abuse@ address folks can actually use. Saying: "machine 1.2.3.4 sent
spam" isn't useful, however sending:

-example-
machine 1.2.3.4 delivered this spam:



-end example

is useful... Extend that to virus/trojan/bot/C&C info of course (send logs
of the abuse).  If you don't provide this there is no reasonable way to
affect change. Also, make sure that whatever you send is machine parsable,
it'd be great to send things in some 'standards compliant' manner as well
(INCH perhaps?) sending an email that a human has to process will get that
email deleted/ignored/not-processed-to-your-satisfaction. I also believe
that since you are aiming at something machine parseable you should submit
one email per 'incident' you are reporting, that way abuse@ folks can
judge the volume of the problem in a  fairly simple manner.

it's just an opinion or 3... :)

Oh, and as Scott said, please tag the subject so it can get procmail'd
appropriately.

-Chris
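
The reporting advice given in this thread (a subject naming the IP, netblock and ASN; evidence in every report; machine-parsable content; one e-mail per incident; a tagged subject), sketched as an added example that is not code from any poster or project mentioned here. The subject tag, the JSON attachment layout, the field names and the addresses are assumptions, and the incidents are constructed.

```python
import ipaddress
import json
from email import message_from_bytes, policy
from email.message import EmailMessage

SUBJECT_TAG = "[ABUSE-REPORT]"  # assumed tag so receivers can filter on it
REQUIRED = ("id", "type", "src_ip", "netblock", "asn", "observed", "evidence")

# Constructed incidents: documentation addresses and a private-use ASN.
INCIDENTS = [
    {"id": "inc-0001", "type": "spam", "src_ip": "192.0.2.10",
     "netblock": "192.0.2.0/24", "asn": 64500,
     "observed": "2006-10-31T14:38:16Z",
     "evidence": ["Received: from unknown (192.0.2.10) by mx.reporter.example; "
                  "Tue, 31 Oct 2006 14:38:16 +0000"]},
    {"id": "inc-0002", "type": "comment-spam", "src_ip": "192.0.2.77",
     "netblock": "192.0.2.0/24", "asn": 64500,
     "observed": "2006-10-31T14:40:02Z",
     "evidence": ['192.0.2.77 - - [31/Oct/2006:14:40:02 +0000] '
                  '"POST /blog/comment HTTP/1.1" 200 512']},
    # No logs attached: a bare "machine X sent spam" is not actionable.
    {"id": "inc-0003", "type": "spam", "src_ip": "192.0.2.99",
     "netblock": "192.0.2.0/24", "asn": 64500,
     "observed": "2006-10-31T14:41:00Z", "evidence": []},
]


def build_report(incident, sender, abuse_contact):
    """Build one e-mail for exactly one incident, or raise ValueError."""
    missing = [k for k in REQUIRED if not incident.get(k)]
    if missing:
        raise ValueError(f"{incident.get('id')}: missing {', '.join(missing)}")
    if ipaddress.ip_address(incident["src_ip"]) not in ipaddress.ip_network(
            incident["netblock"]):
        raise ValueError(f"{incident['id']}: source IP outside named netblock")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = abuse_contact
    # Subject names what, where and whose network, after the filterable tag.
    msg["Subject"] = (f"{SUBJECT_TAG} {incident['type']} from "
                      f"{incident['src_ip']} in {incident['netblock']}, "
                      f"AS{incident['asn']}")
    # Human-readable part: the claim plus the logs that back it up.
    msg.set_content(
        f"Incident {incident['id']} observed {incident['observed']} (UTC).\n"
        "Evidence:\n" + "\n".join(incident["evidence"]) + "\n")
    # Machine-readable part: the same incident as a JSON attachment.
    msg.add_attachment(json.dumps(incident, sort_keys=True).encode("utf-8"),
                       maintype="application", subtype="json",
                       filename=f"{incident['id']}.json")
    return msg


def build_reports(incidents, sender, abuse_contact):
    """One message per incident; return (messages, ids rejected as unusable)."""
    messages, rejected = [], []
    for incident in incidents:
        try:
            messages.append(build_report(incident, sender, abuse_contact))
        except ValueError:
            rejected.append(incident.get("id"))
    return messages, rejected


def parse_report(raw):
    """Receiver side: return the incident dict, or None if not a tagged report."""
    msg = message_from_bytes(raw, policy=policy.default)
    if not str(msg["Subject"] or "").startswith(SUBJECT_TAG):
        return None
    for part in msg.iter_attachments():
        if part.get_content_type() == "application/json":
            return json.loads(part.get_content())
    return None


if __name__ == "__main__":
    msgs, bad = build_reports(INCIDENTS, "reports@reporter.example",
                              "abuse@network.example")
    for m in msgs:
        print(m["Subject"])
    print("rejected:", bad)
```

Because each message carries one incident, the receiving abuse desk can count tagged messages per source to gauge volume, and `parse_report` shows the matching receiver-side extraction.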


FYI: Explosions Reported At eBay PayPal Building In SJ, All Cool Now

2006-10-31 Thread Fergie

No one injured, no operations interrupted on this, Oidhche Shamhna.

 http://cbs5.com/local/local_story_305004735.html

Cheers,

- ferg

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/