Re: Best practices for abuse@ mailbox and network abuse complaint handling?
My experience is that there's no substitute for a human abuse administrator. You can't manage your abuse queue with a script; not even a really fancy script; not even if it's so fancy that it's called a Software Suite. You need a human (with clue about things like SMTP and email headers) to be reading the abuse mailbox so that they can recognize and deal with the complaints that represent genuine issues. For a small number of complaints this can be a small part of someone's job; for a larger number you will need one or more people doing abuse full-time. Many aspects of the abuse-handling process can be automated by a savvy abuse admin, but the abuse admin cannot be eliminated if you want to preserve your ability to appropriately respond to network incidents in a reasonable time. To see what happens when you eliminate the humans from your abuse handling, try sending an abuse complaint to yahoo or hotmail. Outsourcing could theoretically work, but the outside abuse administrator would need significant access to your network to track down and deal with issues. A powerless abuse admin with no ability to fix the issues he finds would be pretty useless. I haven't seen such a service. There are email management services like Postini but they mostly just filter incoming email for spam and virii. Here's a list of email abuse related best-practices; some of these are great; some are total crap (and some I didn't look at): http://spamcon.org/directories/best-practices.shtml The bestprac.org stuff looks pretty good; this appears to be relevant: http://www.bestprac.org/principles/isp.htm K K wrote: Can anybody point me at best practices for monitoring and responding to abuse complaints, and good solutions for accepting complaints about network abuse? Any recommended outsourced services for processing abuse complaints?
Re: Broadband routers and botnets - being proactive
Gadi, I and numerous others (including some whom any reasonable NANOG-L poster would respect and listen to) have asked you repeatedly to stop trolling NANOG-L with this botnet crap. It is off-topic here. The last time you pulled this (starting a 4-day troll-fest about a nonexistent INNURNET EMERGENCY) I asked you to stop it, and not one of the legions of supporters you talk about spoke up to say Wait, I want to see botnet crap on NANOG-L. Even if all 6 of your botnet-loving supporters spoke up, it would not change the fact that your botnet posts are off topic, unwanted, and disruptive. It's time for you to stop it. Please.
Re: On-going Internet Emergency and Domain Names
Gadi, 4 days and 56 messages later... no pieces of the sky have hit me on the head yet. Trolling NANOG-L is as productive as ever. How long until you troll us again? Will it be another INTERNET EMERGENCY or just a provocative statement that starts a 50-message OT argument about botnets? NANOG-L would be more useful to those of us who actually operate networks if you would stop it. Gadi Evron wrote: There is a current on-going Internet emergency: a critical 0day vulnerability currently exploited in the wild threatens numerous desktop systems which are being compromised and turned into bots, and the domain names hosting it are a significant part of the reason why this attack has not yet been mitigated.
Re: Solaris telnet vuln solutions digest and network risks
Gadi Evron wrote: A couple of updates and a summary digest of useful information shared from all around on this vulnerability, for those of us trying to make sense of what it means to our networks: Gadi, This post appears to have been written for another mailing list (where it is probably on-topic). Why did you repost it to NANOG-L?
Re: comcast spam policies
Didn't we all figure out years ago that, when using a telephone or cable company for Internet service, you have to just use the pipe and get your services (mail, news, etc.) elsewhere? Bemoaning the poor quality of telco/cableco mail servers is kind of like wishing that the rain wouldn't be so damn wet. [EMAIL PROTECTED] wrote: The current comcast policy seems to be to blackhole mail servers at random.
Re: the authors of RFC 2317 have a question for att worldnet
I'm not from ATT, but that page contains three errors and three What to do sections. The section referring to RFC 2317 is for DNS errors: “550 Error. Blocked for status: unknown sender”: This error indicates that no identifying information has been entered into the DNS (Domain Name System) for this sending system. The ATT Worldnet mail system, like many others, does not accept messages from mail systems with no DNS records. The Spam complaint section has a different What to do: What to do: Ask the administrator of your mail system to contact us through our System Administrators' page and provide the information we need to investigate the problem. Paul Vixie wrote: What to do: Ask your system administrator to submit identifying information to the DNS. For more information, your administrator should refer to http://www.faqs.org/rfcs/rfc2317.html In the meantime, you should use a fully registered domain for sending your messages, such as the mail system from an ISP or one of the major free e-mail services. now, i count myself as a master of the obscure reference, but this is over the top. can someone from att worldnet please contact me for the purpose of explaining what RFC 2317 could possibly have to do with spam complaints?
Re: IP adresss management verification
The myth that I've heard relates to links. From the comments on Matt's blog: 500 sites under the same IP interlinked in some way will provide the same benefit as 500 sites on uniques similarly interlinked all other things held constant? The answer to this question almost has to be no. A site with hundreds of links from the same IP should not be treated the same as a site with hundreds of links from other IPs. If it is treated the same, scientology-style fake links will proliferate. If it is treated differently, then separate IPs do add value. Warren Kumari wrote: Matt Cutts (Matt Cutts works at the Googleplex and at his blog writes about Google, search engine optimization traps and whatever comes to his mind) has just responded on his blog: http://www.mattcutts.com/blog/myth-busting-virtual-hosts-vs-dedicated-ip-addresses/
Re: register.com down sev0?
Charles J. Knipe wrote: Paul, As of right now I'm not prepared to comment on our recent outage in this forum. That said, I do want to discuss your assertion that Register.com is a source of spam. It's pretty well-known that register.com has been a source of spam, and that complaints to them have been ineffective. If you're here to tell us that the problem has recently been fixed, or that you're working on fixing it, people will be happy to hear that. If you're here to tell us that there never was a problem and that we're all just imagining it... you'll need these: http://www.spectorracing.com/catalog/category_477_UNDERWEAR_SParco_Racing_Underwear_page_1.html Carmyth fabric has a higher flame resistance than any previous material
Re: Outages mailing list
William Allen Simpson wrote: Don't forget to CC all the traffic to NANOG list. Please don't do that. We don't need more pontification from Gadi. This new separate list sounds like a great idea, if only because it will distract him from NANOG-L. I don't post much but I read NANOG-L for the operational content, and the off-topic posts generated by Gadi and his supporters/detractors significantly reduce the SNR. I've been sending him private emails asking him to stop polluting NANOG-L for some time, but those emails have had no effect, nor have the numerous public requests posted to the list by others. Hoping that another list will entice him away seems to be our only hope, and forwarding that list here would defeat the purpose.
Re: IPv6 PI block is announced - update your filters 2620:0000::/23
Yes, please, let's have that flamewar all over again... Or you could just read one or more of the previous flamewars and spare us another round. Here's a starting point: http://merit.edu/cgi-bin/swish/swish.cgi?query=bogon+filtering&submit=Search%21&si=0&si=6&dr_o=12&dr_s_mon=9&dr_s_day=15&dr_s_year=2006&dr_e_mon=9&dr_e_day=15&dr_e_year=2006 Peter Corlett wrote: [...] Call me naive, but could somebody enlighten me as to what tangible benefit filtering out bogon space actually achieves? It strikes me that it causes more headaches than it solves.
ARIN sucks? was Re: Kremen's Buddy?
I've heard the horror stories, and I remember that ARIN was difficult to deal with 10 years ago, but my recent experiences with them have been relatively painless. I expected the process to get worse as IPs become more scarce, but I haven't been seeing that. AFAICT they are more helpful and easier to work with right now than they have ever been. They came out with simplified templates last week and it looks like the process will now be even easier. Maybe it's harder for companies that don't run an rwhois server, and rwhois can be tricky to set up, but I was able to do it, and I would expect (or at least hope) that most of the people who are paid to run networks are in the same IQ range as me. What's so hard about this? http://www.arin.net/registration/templates/net-isp.txt Richard A Steenbergen wrote: Ever notice the only folks happy with the status quo are the few who already have an intimate knowledge of the ARIN allocation process, and/or have the right political connections to resolve the issues that come up when dealing with them? Try looking at it from an outsider's point of view instead. If you're new to dealing with ARIN, it is not uncommon to find the process is absolutely baffling, frustrating, slow, expensive, and requiring intrusive disclosure just shy of an anal cavity probe.
Re: Amazon?
Surely it doesn't need to be pointed out AGAIN that many major domains spawn lots of these joke whois records. This GULLI.COM whois record is unrelated to AMAZON.COM. OMGWTFLOL!!! Mircosoft is hakkd!!! MICROSOFT.COM.ZZZ.IS.0WNED.AND.HAX0RED.BY.SUB7.NET MICROSOFT.COM.WILL.LIVE.FOREVER.BECOUSE.UNIXSUCKS.COM MICROSOFT.COM.WILL.BE.SLAPPED.IN.THE.FACE.BY.MY.BLUE.VEINED.SPANNER.NET MICROSOFT.COM.WILL.BE.BEATEN.WITH.MY.SPANNER.NET MICROSOFT.COM.WAREZ.AT.TOPLIST.GULLI.COM MICROSOFT.COM.SMELLS.SIMPLECODES.COM MICROSOFT.COM.SHOULD.GIVE.UP.BECAUSE.LINUXISGOD.COM MICROSOFT.COM.RAWKZ.MUH.WERLD.MENTALFLOSS.CA MICROSOFT.COM.OHMYGODITBURNS.COM MICROSOFT.COM.LIVES.AT.SHAUNEWING.COM MICROSOFT.COM.IS.POWERED.BY.MIKLEFEDOROV.COM MICROSOFT.COM.IS.NOT.YEPPA.ORG MICROSOFT.COM.IS.NOT.HOSTED.BY.ACTIVEDOMAINDNS.NET MICROSOFT.COM.IS.NOT.AS.COOL.AS.SIMPLECODES.COM MICROSOFT.COM.IS.IN.BED.WITH.CURTYV.COM MICROSOFT.COM.IS.GOD.BECOUSE.UNIXSUCKS.COM MICROSOFT.COM.IS.A.STEAMING.HEAP.OF.FUCKING-BULLSHIT.NET MICROSOFT.COM.IS.A.MESS.TIMPORTER.CO.UK MICROSOFT.COM.HAS.ITS.OWN.CRACKLAB.COM MICROSOFT.COM.HAS.A.PRESENT.COMING.FROM.HUGHESMISSILES.COM MICROSOFT.COM.FILLS.ME.WITH.BELLIGERENCE.NET MICROSOFT.COM.CAN.GO.FUCK.ITSELF.AT.SECZY.COM MICROSOFT.COM.ARE.GODDAMN.PIGFUCKERS.NET.NS-NOT-IN-SERVICE.COM MICROSOFT.COM.AND.MINDSUCK.BOTH.SUCK.HUGE.ONES.AT.EXEGETE.NET Jon R. Kibler wrote: I am currently in the DC area. It appears that Amazon came up about 20 minutes ago. SANS ISC has a little info on the problem. Quoting from http://isc.sans.org/diary.php?nstoryid=1625 : UPDATE: Diligent Reader Corwin Grey points out: Amazon may be having more than a 'little' trouble. :/ Check out their whois: Server Name: AMAZON.COM.IS.N0T.AS.1337.AS.WWW.GULLI.COM IP Address: 80.190.192.24 Registrar: KEY-SYSTEMS GMBH Whois Server: whois.rrpproxy.net Referral URL: http://www.key-systems.net
Re: i am not a list moderator, but i do have a request
Thomas Kuehling wrote: Dear Fergie, On So, 2006-08-13 at 21:49 +, Fergie wrote: For what it's worth, there _is_ a botnet discussion list: General information about the mailing list is at: http://www.whitestar.linuxbox.org/mailman/listinfo/botnets thanks, didn't know about it. But isn't it still useful when urgent matters concerning botnets will still be discussed on the nanog-list? Please let me be disabused of it, but it's just my opinion. Urgent matters... All I see is a bunch of pontification. What is the urgency of the present botnet discussion? How is it different from last week's botnet discussion? It's the same pointless pontification rehashed week after week. I've been asking Gadi privately to stop polluting the list for a while now (to no avail). I too found it interesting at first, but after 20 iterations of the same discussion, what is the point?
Re: SORBS Contact
I think we can sufficiently indict SORBS by saying that they are a poorly managed email blacklist which isn't used by anyone with a clue, without putting on our tinfoil hats. http://www.iadl.org makes some interesting claims, but anyone who puts Paul Vixie in the same list of offenders with Alan Brown and Matt Sullivan is clueless at best. SORBS, SPEWS, etc. are a problem, but they aren't a criminal conspiracy, and claiming that they are isn't going to win any points among people who haven't followed the instructions at http://zapatopi.net/afdb/build.html Michael Nicks wrote: Don't forget racketeering. A person who commits crimes such as extortion, loansharking, bribery, and obstruction of justice in furtherance of illegal business activities. I think most network operators have learned about the ultra-liberal listing activities of RBLs these days. -Michael
Re: Zebra/linux device production networking?
Linux routers are great for redundantly routing between your cable-modem and DSL at home. Using a linux router in production is a very very bad idea, although it may seem appealing to suits with no networking knowledge. I'm sure that other posters will provide you with many pages of reasons why linux routers suck, but I'll keep it short. 1. Mean Time Between Failures 2. OS exploits 3. Service/support Nick Burke wrote: How many of you have actually use(d) Zebra/Linux as a routing device (core and/or regional, I'd be interested in both) in a production (read: 99.999% required, hsrp, bgp, dot1q, other goodies) environment?
A proposal - was Re: Is your ISP Influenza-ready?
How about this? I will not post anything to NANOG that discounts the hysteria. Y'all will take the bird flu discussion (and the discussion of the meaning, origin and proper usage of pessimal for crissake) elsewhere. Deal? Etaoin Shrdlu wrote: ...I don't mean to add to the hysteria, but I also would prefer that you not discount it...
Re: Net Neutrality
We've already discussed this in great detail, but that doesn't mean that the demise of the Net Neutrality amendment yesterday can't prompt us to do it again. http://news.com.com/2100-1028_3-6058223.html?part=rss&tag=6058223&subj=news If you want to review a previous flamewar, searching the archives for Two Tiered Internet is a good starting point. David Diaz wrote: The list is extremely quiet on Net Neutrality. I cannot find a single post. I thought this would be a good debate topic. The usual gov regulation vs free market argument along side the RBOC vs Everyone else topic. David
Re: The dissention grows towards AOL and pay per message
This is a done deal. They may just now be announcing it, but they have been doing it for several months. Nicole wrote: This was sent to me on another mailing list. I am on a number of smaller and or community mailing lists who feel very threatened by this.
Re: live chat with other nanog'ers
I briefly contacted the previous maintainer of #nanog on freenode but he seems to have dropped out of sight again. We can talk in the channel now but nobody has ops. I am emailing him again today; if he doesn't respond, and if there are no objections, I'll work with freenode to get the channel resurrected. If anyone wants to object, please do so now. Kyle Lutze wrote: I've been watching the list, saw some posts, but nothing definite has been done, is there another place besides efnet where competent people are joining to chat on topic? Otherwise I would love to see people on freenode or oftc Kyle
#nanog: was Re: http://weblog.disgu.st down
I'd like to see a useful #nanog where network operators could chat. I looked around at the various IRC networks and freenode looks OK. They bind channels to organizations, so #nanog could be bound to NANOG; this would allow the channel to be rescued if it got lost. Does anyone agree that this would be a good idea? Andrew Kirch wrote: william(at)elan.net wrote: I think you're confusing nanog-l with #nanog
Re: #nanog: was Re: http://weblog.disgu.st down
The channel is unused at this time.

-ChanServ- Contact: Duke, last seen: 44 weeks 5 days (13h 25m 33s) ago
-ChanServ- Alternate: kerx, last seen: 18 weeks 6 days (14h 27m 0s) ago

I checked with freenode staff; they confirmed that it is unused.

chip wrote: Actually, looks like #nanog on freenode is already registered as belonging to NANOG:

/msg chanserv info #nanog
chanserv info #nanog
-ChanServ- Channel: #nanog
-ChanServ- Contact: Duke, last seen: 44 weeks 5 days (13h 25m 33s) ago
-ChanServ- Alternate: kerx, last seen: 18 weeks 6 days (14h 27m 0s) ago
-ChanServ- Registered: 2 years 27 weeks 2 days (5h 49m 57s) ago
-ChanServ- Topic: North American Network Operators Group
-ChanServ- Email: [EMAIL PROTECTED]
-ChanServ- Options: Secure, SecureOps
-ChanServ- Mode Lock: -s

--chip
-- Just my $.02, your mileage may vary, batteries not included, etc
Re: Cogent move without renumbering
William Allen Simpson wrote: However, we should assist everybody without an AS and at least /24 to move to Cogent without renumbering. That means the blocks should be reassigned. That requires registry assistance. If a single-homed network moves from L3 to Cogent, how would they benefit? Would they not still be cut off from a significant percentage of the Internet? Is it reasonable to think that numerous /24's from L3's IP space could be reassigned elsewhere without causing significant trouble for L3 and others? Even if it could work, what would be the justification for taking L3's property?
Re: Correct inclusion of rwhois info in WHOIS server output?
Thanks to everyone who replied on and off-list. I'm concluding that there is a problem with WHOIS server output, caused mostly by a lack of standards, but people with more influence than me are already working on fixing that. In the meantime I'll see if I can talk to the GNU maintainer about making jwhois more rwhois-friendly.
Correct inclusion of rwhois info in WHOIS server output?
I've been talking to ARIN about the rwhois setup on our SWIPped blocks, and there appears to be a problem with the standard output from whois.arin.net. The two rwhois clients I've tried are rwhois and jwhois.

The rwhois client behavior is something like this:

1. Query whois.arin.net.
2a. If the response contains the name of an rwhois server, query that server and return its output.
2b. If the response doesn't contain the name of an rwhois server, follow the links. Query every rwhois server you find and return all of the output.

The jwhois client behavior is something like this:

1. Query whois.arin.net.
2a. If the response contains the name of an rwhois server, query that server and return its output.
2b. If the response doesn't contain the name of an rwhois server, return the SWIP.

On blocks which are owned by CoreNAP, that works fine. For example, if I type:

whois -h whois.arin.net 66.219.44.0

The whois server returns our complete SWIP record including:

ReferralServer: rwhois://rwhois.corenap.com:4321/

So this block works fine with both jwhois and rwhois:

bash-2.05$ jwhois 66.219.44.0
[Querying whois.arin.net]
[Redirected to rwhois.corenap.com:4321]
[Querying rwhois.corenap.com]
[rwhois.corenap.com]
%rwhois V-1.5:003fff:00 cache02.ns.corenap.com (by Network Solutions, Inc. V-1.5.7.3)
network:Auth-Area:66.219.32.0/19
...

On blocks which are SWIPped to CoreNAP by an upstream provider, the response from whois.arin.net does not include an rwhois record. For example, if I type:

whois -h whois.arin.net 65.59.252.0

The whois server returns this:

Level 3 Communications, Inc. LC-ORG-ARIN-BLK2 (NET-65-56-0-0-1) 65.56.0.0 - 65.59.255.255
Core NAP, L.P. LVLT-CORENAP-NETBLOCK-03 (NET-65-59-252-0-1) 65.59.252.0 - 65.59.252.255
VC Sterling, Inc. NET-65-59-252-0-1 (NET-65-59-252-0-2) 65.59.252.0 - 65.59.252.255

Since there is no rwhois server listed here, rwhois clients don't necessarily manage to find the referral. rwhois apparently follows both links and returns results from every rwhois server it finds, but jwhois doesn't follow either link; it just returns the SWIP info.

I believe that the correct response to this query would be:

Level 3 Communications, Inc. LC-ORG-ARIN-BLK2 (NET-65-56-0-0-1) 65.56.0.0 - 65.59.255.255
ReferralServer: rwhois://rwhois.level3.net:4321
Core NAP, L.P. LVLT-CORENAP-NETBLOCK-03 (NET-65-59-252-0-1) 65.59.252.0 - 65.59.252.255
ReferralServer: rwhois://rwhois.corenap.com:4321/
VC Sterling, Inc. NET-65-59-252-0-1 (NET-65-59-252-0-2) 65.59.252.0 - 65.59.252.255

I've read through the apparently relevant RFCs (812, 954, 1714, 1834, 1835, 1913, 1914, 2050, 2167, 3912) but did not find a clear specification of correct WHOIS server output. The people I talked to at ARIN say that the configuration of whois.arin.net can be changed based on significant community consensus but they suggested that the problem could be fixed by rewriting the jwhois client (and any other client that doesn't follow links to search for an rwhois server).

I spent a fair amount of time looking through the (apparently non-searchable) mailing list archive at http://lists.arin.net/pipermail/dbwg/ and saw some discussion of rwhois issues but I didn't manage to find information showing how the previous change was initiated.

Questions:

1. Does anyone agree that the present lack of rwhois server information in the initial WHOIS response for SWIPped blocks is a problem?
2. Can anyone think of a compelling reason why rwhois server information should not be included in the initial response to a standard whois query for all IP blocks, including SWIPped blocks, besides the fact that it is not included now?
3. Would this change (adding rwhois server information to the initial response to a standard whois query for SWIPped blocks) break your scripts that parse WHOIS output?
4. How disruptive was the change when rwhois server information was initially added to WHOIS output?
5. Was the issue fully thought through at that time, and the rwhois server information intentionally left out of the initial response for SWIPped blocks, or did this happen by accident?
6. Does anyone know where that change process was documented?
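Editor's added example, not code from the poster, ARIN, rwhois or jwhois: a small Python model of the two client behaviours described in the post (follow a ReferralServer line if present; otherwise either stop with the SWIP, as jwhois does, or follow every listed handle, as rwhois does), run over constructed WHOIS responses shaped like the two in the post. The `ReferralServer:` field and the one-line netblock summary format are taken from the post; the fixture text, the record fields in the first fixture, the parsing regexes and the hostname/port validation are my assumptions. The validation is the check an abuse or incident responder wants before acting on a referral: WHOIS answers arrive over plain TCP/43 with no authentication (RFC 3912), so a referral URL is untrusted input and a client should only follow well-formed `rwhois://host:port/` targets rather than any scheme, host or port the response happens to contain.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed fixtures modelled on the two whois.arin.net responses in the post.
# They are written for this example and are not captured server output.
DIRECT_SWIP = """\
OrgName:    Core NAP, L.P.
NetRange:   66.219.32.0 - 66.219.63.255
NetHandle:  NET-66-219-32-0-1
ReferralServer: rwhois://rwhois.corenap.com:4321/
"""

UPSTREAM_SWIP = """\
Level 3 Communications, Inc. LC-ORG-ARIN-BLK2 (NET-65-56-0-0-1) 65.56.0.0 - 65.59.255.255
Core NAP, L.P. LVLT-CORENAP-NETBLOCK-03 (NET-65-59-252-0-1) 65.59.252.0 - 65.59.252.255
VC Sterling, Inc. NET-65-59-252-0-1 (NET-65-59-252-0-2) 65.59.252.0 - 65.59.252.255
"""

_REFERRAL = re.compile(r"^ReferralServer:\s*(\S+)\s*$", re.MULTILINE)
# Conservative hostname shape: letters, digits, dots and hyphens, no leading/trailing separator.
_HOST = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")
# "Org Name NETNAME (NET-HANDLE) a.b.c.d - e.f.g.h" summary lines, as in the post.
_SUMMARY = re.compile(
    r"^(?P<org>.+?)\s+(?P<name>\S+)\s+\((?P<handle>NET-[0-9A-Za-z-]+)\)\s+"
    r"(?P<start>\d{1,3}(?:\.\d{1,3}){3})\s+-\s+(?P<end>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


@dataclass(frozen=True)
class NetBlock:
    org: str
    name: str
    handle: str
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address

    def contains(self, ip: ipaddress.IPv4Address) -> bool:
        return self.start <= ip <= self.end

    def size(self) -> int:
        return int(self.end) - int(self.start) + 1


def parse_referrals(text: str) -> List[Tuple[str, int]]:
    """Return (host, port) for each ReferralServer line that is a well-formed rwhois URL.
    Anything else (other schemes, out-of-range ports, odd hostnames) is dropped, not followed,
    because the WHOIS response itself is unauthenticated data. Port defaults to 4321 (assumed)."""
    out: List[Tuple[str, int]] = []
    for url in _REFERRAL.findall(text):
        parts = urlsplit(url)
        if parts.scheme.lower() != "rwhois":
            continue
        try:
            port = parts.port if parts.port is not None else 4321
        except ValueError:          # urlsplit raises on non-numeric / out-of-range ports
            continue
        host = parts.hostname
        if not host or not _HOST.match(host) or not 1 <= port <= 65535:
            continue
        out.append((host, port))
    return out


def parse_summary(text: str) -> List[NetBlock]:
    """Parse the one-line-per-netblock summary ARIN returns when several records match."""
    blocks: List[NetBlock] = []
    for line in text.splitlines():
        m = _SUMMARY.match(line.strip())
        if m:
            blocks.append(NetBlock(m["org"], m["name"], m["handle"],
                                   ipaddress.IPv4Address(m["start"]),
                                   ipaddress.IPv4Address(m["end"])))
    return blocks


def most_specific(blocks: List[NetBlock], ip: str) -> Optional[NetBlock]:
    """Smallest block containing ip; on a tie prefer the later entry (ARIN lists parent first)."""
    addr = ipaddress.IPv4Address(ip)
    hits = [(i, b) for i, b in enumerate(blocks) if b.contains(addr)]
    if not hits:
        return None
    return min(hits, key=lambda ib: (ib[1].size(), -ib[0]))[1]


def plan(text: str, ip: str, client: str) -> Dict[str, object]:
    """Decide the next step the way the post describes each client doing it.
    Both: a valid ReferralServer line wins. Otherwise 'jwhois' returns the SWIP and stops,
    while 'rwhois' follows every handle in the summary looking for rwhois servers."""
    servers = parse_referrals(text)
    blocks = parse_summary(text)
    if servers:
        return {"action": "query_rwhois", "servers": servers, "follow": [], "block": None}
    if client == "jwhois":
        return {"action": "return_swip", "servers": [], "follow": [],
                "block": most_specific(blocks, ip)}
    return {"action": "follow_handles", "servers": [], "follow": [b.handle for b in blocks],
            "block": most_specific(blocks, ip)}


if __name__ == "__main__":
    print(plan(DIRECT_SWIP, "66.219.44.0", "jwhois"))
    print(plan(UPSTREAM_SWIP, "65.59.252.0", "jwhois"))
    print(plan(UPSTREAM_SWIP, "65.59.252.0", "rwhois"))
```

The `follow_handles` branch only returns the handles to look up next; an actual client would issue one more whois.arin.net query per handle and run `parse_referrals` on each answer, which is exactly the extra round trip the post is asking ARIN to make unnecessary by including `ReferralServer:` lines in the summary.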