Re: On-going Internet Emergency and Domain Names

2007-03-30 Thread Paul Vixie

whoa.  this is like deja vu all over again.  when [EMAIL PROTECTED] asked me to
patch BIND gethostbyaddr() back in 1994 or so to disallow non-ascii host
names in order to protect sendmail from a /var/spool/mqueue/qf* formatting
vulnerability, i was fresh off the boat and did as i was asked.  a dozen
years later i find that that bug in sendmail is long gone, but the pain
from BIND's "check-names" logic is still with us.  i did the wrong thing
and i should have said "just fix sendmail, i don't care how much easier
it would be to patch libc, that's just wrong."

are we really going to stop malware by blackholing its domain names?  if
so then i've got some phone calls to make.
-- 
Paul Vixie


Re: On-going Internet Emergency and Domain Names

2007-03-30 Thread Mark Green

On Friday 30 March 2007 23:05, Fergie wrote:
> -- "Steven M. Bellovin" <[EMAIL PROTECTED]> wrote:
> >Jeff Shultz <[EMAIL PROTECTED]> wrote:
> >> I won't discount the assertion that there is some sort of emergency
> >> occurring. I would however, like to see a bit of a reference to where
> >> we can learn more about what is going on (I assume this is the
> >> javascript exploit I heard about a couple days ago).
> >
> >No -- it's a 0day in Internet Explorer involving animated cursors --
> >and it can be spread by visiting an infected web site or even by email.
>
> Not that I like being in the position of correcting Steve :-) but the
> real answer is "yes" and "no" -- or actually just yes.
>
> While the 0-day exploit is the ANI vulnerability, there are many,
> many compromised websites (remember the MiamiDolhins.com embedded
> javascript iframe redirect?) that are using similar embedded .js
> redirects to malware hosted sites which fancy this exploit.

Also to expand on that, if someone embeds this exploit or an iframe onto a
high-traffic site that's known to be "safe", via things like comment fields
where HTML is allowed, there's no telling the number of infections; it could
possibly be in the hundreds of thousands of systems if an official patch
isn't released. I hope Microsoft intends to release a patch by Monday at the
latest.

>
> And some of them have vast audiences, increasing the potential
> for a major "issue" -- TBD.
>

Agreed.

> Track with the SANS ISC -- they're doing a good job of keeping the
> community abreast.
>
> Cheers,
>
> - ferg


Re: On-going Internet Emergency and Domain Names

2007-03-30 Thread Fergie

-- "Steven M. Bellovin" <[EMAIL PROTECTED]> wrote:

>Jeff Shultz <[EMAIL PROTECTED]> wrote:
>
>> 
>> I won't discount the assertion that there is some sort of emergency
>> occurring. I would however, like to see a bit of a reference to where
>> we can learn more about what is going on (I assume this is the
>> javascript exploit I heard about a couple days ago).
>> 
>
>No -- it's a 0day in Internet Explorer involving animated cursors --
>and it can be spread by visiting an infected web site or even by email.
>

Not that I like being in the position of correcting Steve :-) but the
real answer is "yes" and "no" -- or actually just yes.

While the 0-day exploit is the ANI vulnerability, there are many,
many compromised websites (remember the MiamiDolhins.com embedded
javascript iframe redirect?) that are using similar embedded .js
redirects to malware hosted sites which fancy this exploit.

And some of them have vast audiences, increasing the potential
for a major "issue" -- TBD.

Track with the SANS ISC -- they're doing a good job of keeping the
community abreast.

Cheers,

- ferg



--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: On-going Internet Emergency and Domain Names

2007-03-30 Thread Steven M. Bellovin

On Fri, 30 Mar 2007 19:44:23 -0700
Jeff Shultz <[EMAIL PROTECTED]> wrote:

> 
> So, is there a list of domains that we could null-route if we could
> convince our DNS managers to set us up as the SOA for those domains
> on our local DNS servers - thus protecting our own customers somewhat?
> 
> I won't discount the assertion that there is some sort of emergency
> occurring. I would however, like to see a bit of a reference to where
> we can learn more about what is going on (I assume this is the
> javascript exploit I heard about a couple days ago).
> 

No -- it's a 0day in Internet Explorer involving animated cursors --
and it can be spread by visiting an infected web site or even by email.

See 
http://blogs.zdnet.com/security/?p=141&tag=nl.e622
http://www.avertlabs.com/research/blog/?p=230
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FANICMOO%2EAX&VSect=T

or see lots of news stories about it at
http://news.google.com/?ned=us&ncl=1114901719&hl=en

--Steve Bellovin, http://www.cs.columbia.edu/~smb


Re: On-going Internet Emergency and Domain Names

2007-03-30 Thread Fergie

-- Jeff Shultz <[EMAIL PROTECTED]> wrote:

> So, is there a list of domains that we could null-route if we could
> convince our DNS managers to set us up as the SOA for those domains on
> our local DNS servers - thus protecting our own customers somewhat?
>
> I won't discount the assertion that there is some sort of emergency
> occurring. I would however, like to see a bit of a reference to where we
> can learn more about what is going on (I assume this is the javascript
> exploit I heard about a couple days ago).
>

Yes -- I would suggest that the best point of reference right now
is the SANS ISC Daily Handler's Diary. They have done a great job
of summarizing the issues:

http://isc.sans.org/

- ferg







Re: On-going Internet Emergency and Domain Names

2007-03-30 Thread Gadi Evron

On Fri, 30 Mar 2007, Jeff Shultz wrote:
> 
> So, is there a list of domains that we could null-route if we could 
> convince our DNS managers to set us up as the SOA for those domains on 
> our local DNS servers - thus protecting our own customers somewhat?
> 
> I won't discount the assertion that there is some sort of emergency 
> occurring. I would however, like to see a bit of a reference to where we 
> can learn more about what is going on (I assume this is the javascript 
> exploit I heard about a couple days ago).

I'm afraid disclosing these URLs at this time is not wise. The SANS ISC
released strings from them which would help you mitigate.

This email is about the problem with the current incident (which is being
handled) as the latest example of a situation going bad.

Thanks,

Gadi.



Re: On-going Internet Emergency and Domain Names

2007-03-30 Thread Jeff Shultz


So, is there a list of domains that we could null-route if we could 
convince our DNS managers to set us up as the SOA for those domains on 
our local DNS servers - thus protecting our own customers somewhat?


I won't discount the assertion that there is some sort of emergency 
occurring. I would however, like to see a bit of a reference to where we 
can learn more about what is going on (I assume this is the javascript 
exploit I heard about a couple days ago).


Thanks.

Fergie wrote:

> -- Gadi Evron <[EMAIL PROTECTED]> wrote:
>
> > There is a current on-going Internet emergency: a critical 0day
> > vulnerability currently exploited in the wild threatens numerous desktop
> > systems which are being compromised and turned into bots, and the domain
> > names hosting it are a significant part of the reason why this attack has
> > not yet been mitigated.
> >
> > This incident is currently being handled by several operational groups.
>
> ...and before people start bashing Gadi for being off-topic, etc.,
> I'll side with him on the fact that this particular issue appears to
> be quite serious.
>
> Please check the facts regarding this issue before firing up your
> flame-throwers -- this weekend could prove to be a quite horrible
> one.
>
> - ferg



--
Jeff Shultz



Re: On-going Internet Emergency and Domain Names

2007-03-30 Thread Fergie

-- Gadi Evron <[EMAIL PROTECTED]> wrote:

>There is a current on-going Internet emergency: a critical 0day
>vulnerability currently exploited in the wild threatens numerous desktop
>systems which are being compromised and turned into bots, and the domain
>names hosting it are a significant part of the reason why this attack has
>not yet been mitigated.
>
>This incident is currently being handled by several operational groups.
>


...and before people start bashing Gadi for being off-topic, etc.,
I'll side with him on the fact that this particular issue appears to
be quite serious.

Please check the facts regarding this issue before firing up your
flame-throwers -- this weekend could prove to be a quite horrible
one.

- ferg




On-going Internet Emergency and Domain Names

2007-03-30 Thread Gadi Evron

There is a current on-going Internet emergency: a critical 0day
vulnerability currently exploited in the wild threatens numerous desktop
systems which are being compromised and turned into bots, and the domain
names hosting it are a significant part of the reason why this attack has
not yet been mitigated.

This incident is currently being handled by several operational groups.

This past February, I sent an email to the Reg-Ops (Registrar
Operations) mailing list. The email, which is quoted below, states how DNS
abuse (not the DNS infrastructure) is the biggest unmitigated current
vulnerability in day-to-day Internet security operations, not to mention
abuse.

While we argue about this or that TLD, there are operational issues of the
highest importance that are not being addressed.

The following is my original email message, elaborating on these above
statements. Please note this was indeed just an email message, sent among
friends.

- Begin quoted message -
Date: Fri, 16 Feb 2007 02:32:46 -0600 (CST)
From: Gadi Evron
To: [EMAIL PROTECTED]
Subject: [reg-ops] Internet security and domain names

Hi all, this is a tiny bit long. Please have patience, this is important.

On this list (which we maintain as low-traffic) you guys (the
registrars) have shown a lot of care and have become, on our sister
mitigation and research lists (those of you who are subscribed), an
integral part of our community we now call "The Internet Security
Operations Community".

We face problems today, though, that you can not help us solve under the
current setting. But only you can help us come up with new ideas.

Day-to-day, we are able to report hundreds and thousands of completely
bogus phishing and other bad domains, but both policy-wise and
resources-wise, registrars can't handle this. I don't blame you.

In emergencies, we can only mitigate threats if one of you or yours is in
control.. Just a week ago we faced the problem of the Dolphins stadium
being hacked and malicious code being put on it:

1. We tracked down all the IP addresses involved and mitigated them (by we
I mean also people other than me. Many were involved).
2. We helped the Dolphins Stadium IT staff take care of the malicious code
on their web page - Specifically Gary Warner).
3. We coordinated with law enforcement.
4. We coordinated that no one does a press release which will hurt law
enforcement.
5. We did a lot more. Including actually convincing a Chinese registrar to
pull one of the domains in question. A miracle. There was another domain
to be mitigated, unsuccessfully.

One thing though - at a second's notice, this could all be for nothing as
the DNS records could be updated with new IP addresses. There were
hundreds of other sites also infected.

Even if we could find the name server admin, some of these domains have as
many as 40 NSs. That doesn't make life easy. Then, these could change,
too.

This is the weakest link online today in Internet security, which we in
most cases can't mitigate, and the only mitigation route is the domain
name.

Every day we see two types of fast-flux attacks:
1. Those that keep changing A records by using a very low TTL.
2. Those that keep changing NS records, pretty much the same.

Now, if we have a domain which can be mitigated to solve such
emergencies and one of you happen to run it, that's great...
However, if we end up with a domain not under the care of you and
yours.. we are simply.. fucked. Sorry for the language.

ICANN has a lot of policy issues as well, and the good guys there can't
help. ICANN has enough trouble taking care of all those who want money for
.com, .net or .xxx.

All that being said, the current situation can not go on. We can no longer
ignore it nor are current measures sufficient. It is imperative that we
find some solutions, as limited as they may be.

We need to be able to get rid of domain names, at the very least during
real emergencies. I am aware how it isn't always easy to distinguish what
is good and what is bad. Still, we need to find a way.

Members of reg-ops:
What do you think can be conceivably done? How can we make a difference
which is REALLY needed on today's Internet?

Please participate and let me know what you think, we simply can no longer
wait for some magical change to happen.

   Gadi.
- End of quoted message -

Thousands of malicious domain names and several weeks later, we face the
current crisis. The 0day vulnerability is exploited in the wild, and
mitigating the IP addresses is not enough. We need to be able to "get
rid" of malicious domain names. We need to be able to mitigate attacks on
the weakest link - DNS, which are not necessarily solved by DNS-SEC or
Anycast.

On Reg-Ops and other operational groups, we came up with some imperfect
ideas on what we can make happen on our own in short term which will help
us reach better mitigation, as security does not seem to be on the agenda
of those running DNS:

1. A system by which registrars can ack
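The two fast-flux patterns listed in the quoted message above (A records rotated under a very low TTL, and NS records rotated the same way) can be picked out of a feed of observed DNS answers. The detector below is an added example, not code from this thread; the thresholds and the .example names are assumptions, and the observations are constructed.

```python
"""Flag the two fast-flux patterns described above (A-record flux with a
very low TTL, and NS-record flux) from a stream of DNS observations.
The observations are constructed; the thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed thresholds (not from the original post); tune against your own data.
LOW_TTL_SECONDS = 300    # anything at or below this counts as a "very low TTL"
MIN_DISTINCT_A = 5       # distinct IPs seen for one name within the window
MIN_DISTINCT_NS = 10     # distinct name servers seen for one zone within the window


@dataclass
class Observation:
    ts: int          # seconds since epoch, when the answer was seen
    name: str        # owner name (for NS, the zone apex)
    rtype: str       # "A" or "NS"
    ttl: int
    rdata: str       # IPv4 address or name-server host name


@dataclass
class DomainStats:
    a_records: set = field(default_factory=set)
    ns_records: set = field(default_factory=set)
    min_a_ttl: int = 2**31 - 1
    min_ns_ttl: int = 2**31 - 1


def collect(observations):
    """Fold per-answer observations into per-name statistics."""
    stats = defaultdict(DomainStats)
    for o in observations:
        s = stats[o.name.lower().rstrip(".")]
        if o.rtype == "A":
            s.a_records.add(o.rdata)
            s.min_a_ttl = min(s.min_a_ttl, o.ttl)
        elif o.rtype == "NS":
            s.ns_records.add(o.rdata.lower().rstrip("."))
            s.min_ns_ttl = min(s.min_ns_ttl, o.ttl)
    return stats


def classify(stats):
    """Return {name: [flags]}; an empty list means nothing suspicious."""
    verdicts = {}
    for name, s in stats.items():
        flags = []
        # pattern 1: many distinct addresses behind one name, each with a short TTL
        if len(s.a_records) >= MIN_DISTINCT_A and s.min_a_ttl <= LOW_TTL_SECONDS:
            flags.append("A-flux")
        # pattern 2: the delegation itself keeps moving between many name servers
        if len(s.ns_records) >= MIN_DISTINCT_NS and s.min_ns_ttl <= LOW_TTL_SECONDS:
            flags.append("NS-flux")
        verdicts[name] = flags
    return verdicts


# Constructed sample: documentation address ranges and .example names only.
SAMPLE = (
    # a name whose A record changes every minute with a 60 s TTL
    [Observation(60 * i, "flux.example", "A", 60, f"198.51.100.{i}") for i in range(1, 7)]
    # a zone cycling through a dozen name servers with a 120 s TTL
    + [Observation(120 * i, "nsflux.example", "NS", 120, f"ns{i}.nsflux.example")
       for i in range(1, 13)]
    # a stable site: two addresses, one-day TTL
    + [Observation(0, "static.example", "A", 86400, "192.0.2.10"),
       Observation(0, "static.example", "A", 86400, "192.0.2.11")]
    # a CDN-style name: short TTL but only two addresses, so not flux
    + [Observation(60 * i, "cdn.example", "A", 60, f"203.0.113.{1 + i % 2}") for i in range(6)]
)

if __name__ == "__main__":
    for name, flags in sorted(classify(collect(SAMPLE)).items()):
        print(f"{name:20} {' '.join(flags) or '-'}")
```

The CDN case is there on purpose: a short TTL alone is not evidence, so the check requires both the TTL and the churn.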

Link-Rank 1.0 alpha for visualizing BGP routing changes

2007-03-30 Thread Mohit Lad


Dear all,

We recently released an alpha version of Link-Rank 1.0 tool.

Summary: Link-Rank works by weighing AS-AS links from each BGP router  
by the number of BGP routes carried, and visualizes routing events as  
changes in AS-AS link weights. Red edges represent loss of routes  
while green edges represent gain of routes. The tool can currently  
visualize data starting from January 1, 2007 from RouteViews' Oregon  
collector, with a time lag of 1-2 hours.


The tool can be downloaded from
http://sourceforge.net/projects/link-rank/
More information about the Link-Rank project can be found on the website
http://linkrank.cs.ucla.edu/

The new version has various improvements over the existing version, including:

1. Better handling of very large routing events.
2. Ability to save and load graphs. Some sample events are included
in the "Examples" directory.
3. Near real-time continuous visualization (this feature is being
tested and will be available in the beta release soon).
4. Redesigned GUI based on feedback from previous release.

We expect to move to beta release in a few weeks and would really  
appreciate any bug reports or feature requests. The full source code  
of the tool will be available with the beta release. We will also be  
releasing a set of scripts and instructions to be able to use the  
tool with your own BGP data.
We hope you find this tool useful. Feel free to send us an email at  
linkrankhelp-at-cs-dot-ucla-dot-edu


Thanks

Link-Rank team



ISPs & BCP38

2007-03-30 Thread Fergie

I would like to talk briefly to any ISPs who implement BCP38 -- just
a couple of casual questions.

If you could contact me off-list, it would be much appreciated.

Cheers,

- ferg




Weekly Routing Table Report

2007-03-30 Thread Routing Analysis Role Account

This is an automated weekly mailing describing the state of the Internet
Routing Table as seen from APNIC's router in Japan.
Daily listings are sent to [EMAIL PROTECTED]

For historical data, please see http://thyme.apnic.net.

If you have any comments please contact Philip Smith <[EMAIL PROTECTED]>.

Routing Table Report   04:00 +10GMT Sat 31 Mar, 2007

Analysis Summary
----------------

BGP routing table entries examined:                                216896
Prefixes after maximum aggregation:                                116021
Deaggregation factor:                                                1.87
Unique aggregates announced to Internet:                           105580
Total ASes present in the Internet Routing Table:                   24788
Origin-only ASes present in the Internet Routing Table:             21588
Origin ASes announcing only one prefix:                             10438
Transit ASes present in the Internet Routing Table:                  3200
Transit-only ASes present in the Internet Routing Table:               71
Average AS path length visible in the Internet Routing Table:         3.6
Max AS path length visible:                                            32
Max AS path prepend of ASN (31269)                                     23
Prefixes from unregistered ASNs in the Routing Table:                   4
Unregistered ASNs in the Routing Table:                                 5
Special use prefixes present in the Routing Table:                      0
Prefixes being announced from unallocated address space:               12
Number of addresses announced to Internet:                     1696136904
    Equivalent to 101 /8s, 24 /16s and 254 /24s
Percentage of available address space announced:                     45.8
Percentage of allocated address space announced:                     62.9
Percentage of available address space allocated:                     72.8
Total number of prefixes smaller than registry allocations:        113042

APNIC Region Analysis Summary
-----------------------------

Prefixes being announced by APNIC Region ASes:                      49774
Total APNIC prefixes after maximum aggregation:                     20064
APNIC Deaggregation factor:                                          2.48
Prefixes being announced from the APNIC address blocks:             46835
Unique aggregates announced from the APNIC address blocks:          21082
APNIC Region origin ASes present in the Internet Routing Table:      2911
APNIC Region origin ASes announcing only one prefix:                  783
APNIC Region transit ASes present in the Internet Routing Table:      432
Average APNIC Region AS path length visible:                          3.6
Max APNIC Region AS path length visible:                               15
Number of APNIC addresses announced to Internet:                289521472
    Equivalent to 17 /8s, 65 /16s and 191 /24s
Percentage of available APNIC address space announced:               71.7

APNIC AS Blocks        4608-4864, 7467-7722, 9216-10239, 17408-18431
(pre-ERX allocations)  23552-24575, 37888-38911
APNIC Address Blocks   58/7, 60/7, 116/6, 120/6, 124/7, 126/8, 202/7
                       210/7, 218/7, 220/7 and 222/8

ARIN Region Analysis Summary
----------------------------

Prefixes being announced by ARIN Region ASes:                      105390
Total ARIN prefixes after maximum aggregation:                      61644
ARIN Deaggregation factor:                                           1.71
Prefixes being announced from the ARIN address blocks:              77433
Unique aggregates announced from the ARIN address blocks:           30092
ARIN Region origin ASes present in the Internet Routing Table:      11448
ARIN Region origin ASes announcing only one prefix:                  4390
ARIN Region transit ASes present in the Internet Routing Table:      1049
Average ARIN Region AS path length visible:                           3.4
Max ARIN Region AS path length visible:                                21
Number of ARIN addresses announced to Internet:                 323997824
    Equivalent to 19 /8s, 79 /16s and 208 /24s
Percentage of available ARIN address space announced:                71.5

ARIN AS Blocks         1-1876, 1902-2042, 2044-2046, 2048-2106
(pre-ERX allocations)  2138-2584, 2615-2772, 2823-2829, 2880-3153
                       3354-4607, 4865-5119, 5632-6655, 6912-7466
                       7723-8191, 10240-12287, 13312-15359, 16384-17407
                       18432-20479, 21504-23551, 25600-26591,
                       26624-27647, 29696-30719, 31744-33791
                       35840-36863, 39936-40959
ARIN Address Blocks    24/8, 63/8, 64/5, 72/6, 76/8, 96/6, 199/8, 204/6,
                       208/7 and 216/8

RIPE Region Analysis Summary
----------------------------

Prefixes being announced by RIPE Region ASes:                       44789
Total RIPE prefixes after maximum aggregation:                      29241
RIPE Deaggregation factor:                                           1.53
Prefixes being announced from the R

Re: Yahoo! clue (Slightly OT: Spiders)

2007-03-30 Thread Zach White

On Thu, Mar 29, 2007 at 10:17:50AM -0400, Kradorex Xeron wrote:
> Another problem is that the Yahoo/Inktomi search robots do not stop if no site
> is present at that address. Thus, someone could register a DNS name and have
> a site set on it temporarily,  just enough time for Yahoo/Inktomi's bots to 
> notice it, then redirect it thereafter to any internet host's address and the 
> bots would proceed to that host and access them over and over in succession, 
> wasting bandwidth of both the user end (Which in most cases is being 
> monitored and is limited, sometimes highly by the ISP), and the bot's end 
> wasted time that could have been used spidering other sites. 

It's not limited to that. I bought this domain which had previously been
in use. I've owned the domain for over 5 years, but I still get requests 
for pages that I've never had up.

<[EMAIL PROTECTED]:/var/www/logs:8>$ grep ' 404 ' access_log | grep 
darkstar.frop.org | awk '/Yahoo/ { print $8 }' | wc -l
 830
<[EMAIL PROTECTED]:/var/www/logs:9>$ grep ' 404 ' access_log | grep 
darkstar.frop.org | awk '/Yahoo/ { print $8 }' | sort -u | wc -l
  82

That's 82 unique URLs that have been returning a 404 for over 5 years. 
That log file was last rotated 2006 Sep 26. That's averaging 138 
requests per month for pages that don't exist on that one domain alone. 
How many bogus requests are they sending each month, and what can
we do to stop them? (The first person to say something involving 
robots.txt gets a cookie made with pickle juice.)

Sure, on my domain alone that's not a big deal. It hasn't cost me any
money that I'm aware of, and it hasn't caused any trouble. However, it
is annoying, and at some point it becomes a little ridiculous. 

Can anyone that runs a large web server farm weigh in on these sorts of 
requests? Has this annoyance multiplied over thousands of domains and
IPs caused you problems? Increased bandwidth costs?

-Zach
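The grep/awk pipeline in the post above, redone as an added example that can be run offline against a few lines (this is not code from the post or from the list). It parses Apache-style combined log lines with the virtual host as the first field, which is an assumption about Zach's log format; the log lines, client address and page names are constructed.

```python
"""Offline version of the grep/awk pipeline above: count crawler requests
that still hit non-existent pages on one virtual host, from Apache-style
access-log lines. The log lines are constructed (documentation IP, made-up
paths), and the vhost-first log format is an assumption."""
import re
from collections import Counter
from datetime import datetime

# Assumed LogFormat: "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def stale_crawler_hits(lines, vhost, ua_marker, status=404):
    """Total and unique 404s for one vhost from user agents containing ua_marker."""
    hits, skipped = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1            # mangled lines are counted, not silently dropped
            continue
        if rec["vhost"] == vhost and rec["status"] == status and ua_marker in rec["ua"]:
            hits.append(rec)
    paths = Counter(h["path"] for h in hits)
    if hits:
        times = [h["time"] for h in hits]
        days = (max(times) - min(times)).days
    else:
        days = 0
    months = max(days, 1) / 30.4375          # average month length
    return {
        "total": len(hits),
        "unique_paths": len(paths),
        "days": days,
        "per_month": round(len(hits) / months, 1),
        "top_paths": paths.most_common(3),   # the stale URLs worth a 410 or a redirect
        "skipped": skipped,
    }


YAHOO = "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
GOOGLE = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def _line(vhost, when, path, status, ua):
    # constructed line; 203.0.113.10 is a documentation address
    return f'{vhost} 203.0.113.10 - - [{when} +0000] "GET {path} HTTP/1.0" {status} 209 "-" "{ua}"'


SAMPLE_LOG = [
    _line("darkstar.frop.org", "01/Oct/2006:10:00:00", "/old/page1.html", 404, YAHOO),
    _line("darkstar.frop.org", "15/Nov/2006:03:12:44", "/old/page1.html", 404, YAHOO),
    _line("darkstar.frop.org", "01/Dec/2006:18:30:01", "/old/page2.html", 404, YAHOO),
    _line("darkstar.frop.org", "02/Jan/2007:09:00:00", "/index.html", 200, YAHOO),
    _line("darkstar.frop.org", "05/Feb/2007:11:11:11", "/old/page1.html", 404, GOOGLE),
    _line("other.example", "05/Feb/2007:11:11:12", "/old/page1.html", 404, YAHOO),
    _line("darkstar.frop.org", "30/Mar/2007:23:59:59", "/old/page3.html", 404, YAHOO),
    "this line was mangled by log rotation",
]

if __name__ == "__main__":
    print(stale_crawler_hits(SAMPLE_LOG, "darkstar.frop.org", "Yahoo"))
```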


Re: Jumbo frames

2007-03-30 Thread Stephen Sprunk


Thus spake "Andy Davidson" <[EMAIL PROTECTED]>
> The original poster was talking about a streaming application -
> increasing the frame size can cause it take longer for frames to fill a
> packet and then hit the wire increasing actual latency in your
> application.
>
> Probably doesn't matter when the stream is text, but as voice and video
> get pushed around via IP more and more, this will matter.


It's a serious issue for voice due to the (relatively) low bandwidth, which 
is why most voice products only put 10-30ms of data in each packet.


Video, OTOH, requires sufficient bandwidth that packetization time is almost 
irrelevant.  With a highly compressed 1Mbit/s stream you're looking at 12ms 
to fill a 1500B packet vs 82ms to fill a 10kB packet.  It's longer, yes, but 
you need jitter buffers of 100-200ms to do real-time media across the 
Internet, so that and speed-of-light issues are the dominant factors in 
application latency.  And, as bandwidth inevitably grows (e.g. ATSC 1080i or 
720p take up to 19Mbit/s), packetization time quickly fades into the 
background noise.


Now, if we were talking about greater-than-64kB jumbograms, that might be 
another story, but most folks today use "jumbo" to mean packets of 8kB to 
10kB, and "baby jumbos" to mean 2kB to 3kB.


S

Stephen Sprunk  "Those people who think they know everything
CCIE #3723 are a great annoyance to those of us who do."
K5SSS --Isaac Asimov 





Re: What is the correct way to get Whitelisted?

2007-03-30 Thread Douglas Otis



On Mar 30, 2007, at 7:33 AM, Wil Schultz wrote:

> So at my workplace we have a fairly fast moving newsletter machine
> that people sign up for.
> Rules are followed as in: Mail isn't sent unless people request it,
> an address is removed upon subscription cancel, and addresses are
> removed after the 3rd bounce.
>
> On another side note, if anyone has information on how to get
> whitelisted (or DeBlacklisted :-) ) from Hotmail, MSN, Earthlink,
> AOL, Yahoo!, etc feel free to email offlist...

It is good practice to confirm the subscription.

As you have moved your operation, do a black-hole list search
available at:

http://www.moensted.dk/spam/

-Doug




Re: What is the correct way to get Whitelisted?

2007-03-30 Thread Al Iverson


On 3/30/07, Wil Schultz <[EMAIL PROTECTED]> wrote:
> On another side note, if anyone has information on how to get
> whitelisted (or DeBlacklisted :-) ) from Hotmail, MSN, Earthlink,
> AOL, Yahoo!, etc feel free to email offlist...


Wil,

Here's an overview I've written on how to deal with this with regard to AOL:

http://www.spamresource.com/2007/01/how-to-deliver-mail-to-aol.html

If the online forms don't work for AOL, or you get declined, the next
step would be to call the phone number in AOL's domain registration.
The people on the other end will ask a bunch of questions, then you'll
go into a queue and get a call back from somebody with more
information.

Hope that helps.

It's certainly worth trying to ask for more help over on SPAM-L, but
it'd pretty much be a coin toss as to whether or not you'd get useful
advice, or simply be accused of being a dirty rotten spammer.

Regards,
Al Iverson

--
Al Iverson on Spam and Deliverability, see http://www.aliverson.com
Message copyright 2007 by Al Iverson. For posts to SPAM-L, permission
is granted only to this list's owners to redistribute to their sub-
scribers and to archive this message on site(s) under their control.


Re: What is the correct way to get Whitelisted?

2007-03-30 Thread Simon Waters

On Friday 30 March 2007 15:33, Wil Schultz wrote:
>
> Sorry if this is off topic:

Try SPAM-L, a lot of overlap between that and this group, but it exists for 
these issues, NANOG doesn't (unless you are sending so much email it 
adversely affects network stability).

> On another side note, if anyone has information on how to get
> whitelisted (or DeBlacklisted :-) ) from Hotmail, MSN, Earthlink,
> AOL, Yahoo!, etc feel free to email offlist...

Hotmail, and AOL, provide various feedback systems, the SPAM-L archive 
discusses relative merits. The more clueful of the providers return all you 
need to know in the reject message.

Ultimately if you are sending bulk email, and a significant number of the 
recipients claim it is unsolicited, the big email providers are going to 
block you, whether the recipients are right or wrong about the solicited 
nature of the list.

Hotmail silently bitbuckets email from us regularly (we have a lot of rarely
used forwards, so the little bits of spam that leak through count badly
against our email server); we've given up on Hotmail, but I think it is
possible to ask for a whitelisting.


What is the correct way to get Whitelisted?

2007-03-30 Thread Wil Schultz


Sorry if this is off topic:

So at my workplace we have a fairly fast-moving newsletter machine
that people sign up for.
Rules are followed as in: mail isn't sent unless people request it,
an address is removed upon subscription cancel, and addresses are
removed after the 3rd bounce.

Life was reasonably good up until about a week ago, at which point we
moved this newsletter machine and gave it a new address. At this
point most of the major ISPs see a bunch of email coming from this
new address and proceed to block it. I understand completely why they
block this kind of traffic, but I am wondering what we can do
proactively to prove we are good internet citizens to minimize these
problems in the future.

We have already published SPF records and made sure forward and
reverse entries exist; are there other things that can be done?

On another side note, if anyone has information on how to get
whitelisted (or DeBlacklisted :-) ) from Hotmail, MSN, Earthlink,
AOL, Yahoo!, etc. feel free to email offlist...


Thanks!


The Cidr Report

2007-03-30 Thread cidr-report

This report has been generated at Fri Mar 30 21:51:39 2007 AEST.
The report analyses the BGP Routing Table of an AS4637 (Reach) router
and generates a report on aggregation potential within the table.

Check http://www.cidr-report.org/as4637 for a current version of this report.

Recent Table History
        Date      Prefixes    CIDR Agg
        24-03-07    212978      137770
        25-03-07    213361      137704
        25-03-07    213382      137719
        26-03-07    213264      137946
        27-03-07    213449      137933
        28-03-07    213343      137975
        29-03-07    213422      137986
        30-03-07    213735      137885


AS Summary
 24688  Number of ASes in routing system
 10436  Number of ASes announcing only one prefix
  1479  Largest number of prefixes announced by an AS
AS7018 : ATT-INTERNET4 - AT&T WorldNet Services
  90405120  Largest address span announced by an AS (/32s)
AS721  : DISA-ASNBLK - DoD Network Information Center


Aggregation Summary
The algorithm used in this report proposes aggregation only
when there is a precise match using the AS path, so as 
to preserve traffic transit policies. Aggregation is also
proposed across non-advertised address space ('holes').

 --- 30Mar07 ---
ASnum     NetsNow  NetsAggr  NetGain   % Gain   Description

Table      213633    137946    75687    35.4%   All ASes

AS4134       1257       319      938    74.6%   CHINANET-BACKBONE
                                                No.31,Jin-rong Street
AS4323       1266       355      911    72.0%   TWTC - Time Warner Telecom,
                                                Inc.
AS4755       1074       194      880    81.9%   VSNL-AS Videsh Sanchar Nigam
                                                Ltd. Autonomous System
AS9498        967        96      871    90.1%   BBIL-AP BHARTI BT INTERNET
                                                LTD.
AS6478       1077       278      799    74.2%   ATT-INTERNET3 - AT&T WorldNet
                                                Services
AS18566       998       259      739    74.0%   COVAD - Covad Communications
                                                Co.
AS11492      1016       369      647    63.7%   CABLEONE - CABLE ONE
AS22773       691        53      638    92.3%   CCINET-2 - Cox Communications
                                                Inc.
AS8151       1058       457      601    56.8%   Uninet S.A. de C.V.
AS19262       706       173      533    75.5%   VZGNI-TRANSIT - Verizon
                                                Internet Services Inc.
AS6197       1030       507      523    50.8%   BATI-ATL - BellSouth Network
                                                Solutions, Inc
AS7018       1479       971      508    34.3%   ATT-INTERNET4 - AT&T WorldNet
                                                Services
AS18101       538        32      506    94.1%   RIL-IDC Reliance Infocom Ltd
                                                Internet Data Centre,
AS17488       624       143      481    77.1%   HATHWAY-NET-AP Hathway IP Over
                                                Cable Internet
AS19916       567       100      467    82.4%   ASTRUM-0001 - OLM LLC
AS17676       503        65      438    87.1%   JPNIC-JP-ASN-BLOCK Japan
                                                Network Information Center
AS4766        742       315      427    57.5%   KIXS-AS-KR Korea Telecom
AS4812        444        72      372    83.8%   CHINANET-SH-AP China Telecom
                                                (Group)
AS2386       1093       738      355    32.5%   INS-AS - AT&T Data
                                                Communications Services
AS721         619       277      342    55.3%   DISA-ASNBLK - DoD Network
                                                Information Center
AS5668        578       238      340    58.8%   AS-5668 - CenturyTel Internet
                                                Holdings, Inc.
AS3602        518       183      335    64.7%   AS3602-RTI - Rogers Telecom
                                                Inc.
AS15270       513       179      334    65.1%   AS-PAETEC-NET - PaeTec.net -a
                                                division of
                                                PaeTecCommunications, Inc.
AS7029        560       232      328    58.6%   WINDSTREAM - Windstream
                                                Communications Inc
AS16852       396        73      323    81.6%   BROADWING-FOCAL - Broadwing
                                                Communications Services, Inc.
AS7011        781       461      320    41.0%   FRONTIER-AND-CITIZENS -
                                                Frontier Communications, Inc.
AS16814       361        42      319    88.4%   NSS S.A.
AS4668        310         8      302    97.4%   LGNET-AS-KR LG CNS
AS33588       430       129      301    70.0%   BRESNAN-AS - Bresnan
                                                Communicatio

BGP Update Report

2007-03-30 Thread cidr-report

BGP Update Report
Interval: 16-Mar-07 -to- 29-Mar-07 (14 days)
Observation Point: BGP Peering with AS4637

TOP 20 Unstable Origin AS
Rank  ASN       Upds    %   Upds/Pfx  AS-Name
 1 -  AS4621   18197  1.5%     128.1  -- UNSPECIFIED UNINET-TH
 2 -  AS17974  17117  1.4%      50.8  -- TELKOMNET-AS2-AP PT TELEKOMUNIKASI INDONESIA
 3 -  AS24731  13611  1.1%     349.0  -- ASN-NESMA National Engineering Services and Marketing Company Ltd. (NESMA)
 4 -  AS306    11181  0.9%      61.4  -- DNIC - DoD Network Information Center
 5 -  AS9829   10205  0.8%      54.6  -- BSNL-NIB National Internet Backbone
 6 -  AS3255    9609  0.8%      72.2  -- UARNET-AS Ukrainian Academic and Research Network
 7 -  AS7545    9414  0.8%      16.0  -- TPG-INTERNET-AP TPG Internet Pty Ltd
 8 -  AS721     8374  0.7%      14.3  -- DISA-ASNBLK - DoD Network Information Center
 9 -  AS6198    8087  0.7%      13.2  -- BATI-MIA - BellSouth Network Solutions, Inc
10 -  AS9583    8062  0.7%       7.4  -- SIFY-AS-IN Sify Limited
11 -  AS702     7989  0.6%      13.1  -- AS702 MCI EMEA - Commercial IP service provider in Europe
12 -  AS12654   7901  0.6%     202.6  -- RIPE-NCC-RIS-AS RIPE NCC RIS project
13 -  AS9121    7530  0.6%      29.3  -- TTNET TTnet Autonomous System
14 -  AS17885   7507  0.6%      85.3  -- JKTXLNET-AS-AP PT Excelcomindo Pratama
15 -  AS17645   6766  0.5%     615.1  -- NTT-SG-AP ASN - NTT SINGAPORE PTE LTD
16 -  AS18231   6416  0.5%      53.9  -- EXATT-AS-AP Exatt Technologies Private Ltd.
17 -  AS4657    6287  0.5%      29.9  -- STARHUBINTERNET-AS Starhub Internet, Singapore
18 -  AS8151    6267  0.5%       6.1  -- Uninet S.A. de C.V.
19 -  AS5803    5983  0.5%      63.0  -- DDN-ASNBLK - DoD Network Information Center
20 -  AS24326   5801  0.5%      52.3  -- TTT-AS-AP TT&T Public Company Limited, Service Provider,Bangkok


TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank  ASN       Upds    %   Upds/Pfx  AS-Name
 1 -  AS38151   1701  0.1%    1701.0  -- ENUM-AS-ID APJII-RD
 2 -  AS11828   3309  0.3%    1654.5  -- SOINET - State of Illinois/CMS
 3 -  AS31307   1200  0.1%    1200.0  -- YKYATIRIM YAPI KREDI YATIRIM
 4 -  AS34378    866  0.1%     866.0  -- RUG-AS Razguliay-UKRROS Group
 5 -  AS38077   3392  0.3%     848.0  -- TIMOR-TELECOM-AS-AP Timor Telecom, SA
 6 -  AS3043    3376  0.3%     844.0  -- AMPHIB-AS - Amphibian Media Corporation
 7 -  AS10210    823  0.1%     823.0  -- HOSTECHNET-AP Hostech.Net
 8 -  AS41664    784  0.1%     784.0  -- SEMSER-AS Semser Provider LLP
 9 -  AS31594    773  0.1%     773.0  -- FORTESS-AS Fortess LLC Network
10 -  AS17645   6766  0.5%     615.1  -- NTT-SG-AP ASN - NTT SINGAPORE PTE LTD
11 -  AS33188   1190  0.1%     595.0  -- SCS-NETWORK-1 - Sono Corporate Suites
12 -  AS33025    554  0.0%     554.0  -- QE-ASN-01 - Quinn Emanuel Urquhart Oliver & Hedges LLP
13 -  AS30707   1577  0.1%     525.7  --
14 -  AS19580    522  0.0%     522.0  -- ZONETEL - ZONE TELECOM, INC.
15 -  AS39610    948  0.1%     474.0  -- LCH-CLEARNET LCH Clearnet
16 -  AS29700   1338  0.1%     446.0  -- CYPRESS-SEMICONDUCTOR - Cypress Semiconductor
17 -  AS12408    419  0.0%     419.0  -- BIKENT-AS Bikent Ltd. Autonomous system
18 -  AS5310     386  0.0%     386.0  -- DODNIC - DoD Network Information Center
19 -  AS22779   1093  0.1%     364.3  --
20 -  AS12890    359  0.0%     359.0  -- SEPTOR-NET Septor Ltd.


TOP 20 Unstable Prefixes
Rank  Prefix             Upds    %   Origin AS  -- AS Name
 1 -  89.4.129.0/24      3440  0.2%  AS24731    -- ASN-NESMA National Engineering Services and Marketing Company Ltd. (NESMA)
 2 -  89.4.131.0/24      3425  0.2%  AS24731    -- ASN-NESMA National Engineering Services and Marketing Company Ltd. (NESMA)
 3 -  209.140.24.0/24    3373  0.2%  AS3043     -- AMPHIB-AS - Amphibian Media Corporation
 4 -  163.191.160.0/19   3308  0.2%  AS11828    -- SOINET - State of Illinois/CMS
 5 -  89.4.128.0/24      3223  0.2%  AS24731    -- ASN-NESMA National Engineering Services and Marketing Company Ltd. (NESMA)
 6 -  89.4.130.0/24      2435  0.2%  AS24731    -- ASN-NESMA National Engineering Services and Marketing Company Ltd. (NESMA)
 7 -  58.65.1.0/24       2391  0.2%  AS17645    -- NTT-SG-AP ASN - NTT SINGAPORE PTE LTD
 8 -  125.162.94.0/23    2372  0.1%  AS17974    -- TELKOMNET-AS2-AP PT TELEKOMUNIKASI INDONESIA
 9 -  80.243.64.0/20     2192  0.1%  AS21332    -- NTC-AS New Telephone Company
10 -  202.136.176.0/24   2173  0.1%  AS17645    -- NTT-SG-AP ASN - NTT SINGAPORE PTE LTD
11 -  202.136.182.0/24   2168  0.1%  AS17645    -- NTT-SG-AP ASN - NTT SINGAPORE PTE LTD
12 -  62.89.226.0/24     2020  0.1%  AS20663    -- INAR-VOLOGDA-AS Autonomous System of Vologda
13 -  59.94.240.0/20     1955