Re: Off-Topic: N.Y. Buyout Firm Has Its Eye on MCI
Jeff Aitken wrote: On Tue, Jul 13, 2004 at 10:15:43PM -0400, Patrick W Gilmore wrote: I forgot (and am not registered for the Washington Post). See www.bugmenot.com for help here.

If you are using Firefox, there is a BugMeNot extension you can install which will add a BugMeNot option to a context menu. Go to the page, right click, BugMeNot, and a popup appears with a username, PW, and two buttons- This Did Not Work will give you another (if they have another set) and Submit My Own will do the obvious.

~Ben
-- Ben Browning [EMAIL PROTECTED] The River Internet Access Co. WA Operations Manager 1-877-88-RIVER http://www.theriver.com
Re: Attn MCI/UUNet - Massive abuse from your network
Steve Linford wrote: The statement by Ben Browning: I know several businesses who have, and a great many people who have blocked UUNet space from sending them email ... by using ... the SBL is false, the SBL has never blocked UUNet/MCI IP space that wasn't directly in the control of spammers. If Mr Browning does indeed know several businesses and a great many people whose UUNet/MCI IP space has been blocked by the SBL, then Mr Browning knows several spam outfits and a great many spammers.

Let me rephrase: I know several businesses and a great many people who block *parts* of UUNet by the SBL and *larger* parts of it by means of SPEWS, blackholes.us, et al. Regardless, the SBL does block *some* UUNet space, much of which (according to responses here) no longer belongs to the spammers. Sorry for any confusion my poor choice of words may have caused.

-- Ben Browning [EMAIL PROTECTED] The River Internet Access Co. WA Operations Manager 1-877-88-RIVER http://www.theriver.com
RE: Attn MCI/UUNet - Massive abuse from your network
At 04:00 PM 6/24/2004, Hannigan, Martin wrote: On Thu, 24 Jun 2004, Ben Browning wrote: this discussion anyways, is access to the internet. When the actions of a downstream damage that product (IE more and more networks nullroute UUNet traffic),

[ Operations content: ] Do you know of any ISPs null routing AS701?

ISPs? Not off the top of my head. I know several businesses who have, and a great many people who have blocked UUNet space from sending them email, either by using SPEWS, the SBL, or mci.blackholes.us .

~Ben
--- Ben Browning [EMAIL PROTECTED] The River Internet Access Co. WA Operations Manager 1-877-88-RIVER http://www.theriver.com
Re: Attn MCI/UUNet - Massive abuse from your network
At 11:16 AM 6/24/2004, [EMAIL PROTECTED] wrote: On Thu, 24 Jun 2004 15:22:02 +0700, Dr. Jeffrey Race [EMAIL PROTECTED] said: Not at all. You can terminate for actions prejudicial to the safety and security of the system. Has nothing to do with anti-trust.

I suspect that the spammer can find a lawyer who is willing to argue the idea that the safety and security of the AS701 backbone was not prejudiced by the spammer's actions, unless AS701 is able to show mrtg graphs and the like showing that the spammer was actually sending enough of a volume to swamp their core routers

Likewise, I imagine MCI could argue that the damage is to their core product; namely, the trust of other ISPs and their willingness to exchange traffic with MCI.

~Ben
--- Ben Browning [EMAIL PROTECTED] The River Internet Access Co. WA Operations Manager 1-877-88-RIVER http://www.theriver.com
Re: Attn MCI/UUNet - Massive abuse from your network
Chris,

To start off, thank you for taking this issue seriously and investigating it.

At 08:05 PM 6/23/2004, Christopher L. Morrow wrote: The sbl lists quite a few /32 entries, while this is nice for blocking spam if you choose to use their RBL service I'm not sure it's a good measure of 'spamhaus size'. I'm not sure I know of a way to take this measurement, but given size and number of IPs that terminate inside AS701 there certainly are scope issues.

Netmasks aside, a spammer is a spammer. One spammer sending 100,000 emails from 4 machines is functionally equivalent to one sending 100,000 from 1 machine.

All that said, I'm certainly not saying spam is good, I also believe that over the last 4.5 years uunet's abuse group has done quite a few good things with respect to the main spammers.

That's possible, I suppose, but the view from outside sees only the bad (and there's plenty).

As an example, I see a posting that says emailtools.com was alive on 206.67.63.41 in 2000. They aren't there any more... But now:

    [EMAIL PROTECTED] telnet mail.emailtools.com 25
    Trying 65.210.168.34...
    Connected to mail.emailtools.com.
    Escape character is '^]'.

Sure, customer of a customer we got emailtools.com kicked from their original 'home' now they've moved off (probably several times since 2000) to another customer. This happens to every ISP, each time they appear we start the process to disconnect them. I'm checking on the current status of their current home to see why we have either: 1) not gotten complaints about them, 2) have not made progress kicking them again.

Excellent! I (and I am sure the rest of the antispam community) will be looking forward to hearing how all this pans out, and I am very glad I could bring some of this to your attention.

On Mon, 21 Jun 2004, Ben Browning wrote: Allow me to rephrase- I wanted it to be read and hoped someone would act on complaints.
I have no doubt MCI is serious about stopping DDOS and other abusive traffic of that ilk- when it comes to proxy hijacking and spamming, though, abuse@ turns a blind eye. What other conclusion can I draw from the

This is not true, the action might not happen in the time you'd like, but there are actions being taken. I'd be the first to admit that the timelines are lengthy :( but part of that is the large company process, getting all the proper people to realize that this abuse is bad and the offenders need to be dealt with.

A lengthy timeline for action to be taken, from the viewpoint of the attacked, is indistinguishable from tacit approval of the attacks. I don't imagine MCI has a lengthy timeline when replying to sales email or billing issues.

200ish SBL entries under MCI's name? Why else would emailtools.com (for example) still be around despite their wholesale raping of misconfigured proxies?

emailtools will be around in one form or another, all the owner must do is purchase 9$ virtual-hosting from some other poor ISP out there who needs the money... they may not even know who emailtools is, if that ISP is a uunet/mci customer then we'll have to deal with them as well, just like their current home. you must realize you can't just snap your fingers and make these things go away.

Omaha Steaks has been there for 3+ weeks (since being added to the SBL). Scott Richter has likewise been spamming from there for a month. Do you need a permission slip to terminate him? Does it take a month to get one? I can snap my fingers many times in a month! According to ARIN records, both of these are swipped space only one step below yours (IE not a customer-of-a-customer). It's nice to say "Oh well they move around and we can't stop them", but the point is that if they got terminated in a timely fashion (measured in hours or days at the most, *not* weeks and months) they would not keep moving around on your network; they would find another one to abuse instead.
As it stands, they get a month to spam, then they have to move- that's pink gold in spammerland.

All I want is a couple of straight-up answers. Why do complaints to uunet go unanswered and the abusers remain connected if, in fact, the complaints

I believe you do get an answer, if not the auto-acks are off still from a previous mail flood ;(

An auto-ack is not an answer.

Please let me know if you are NOT getting ticket numbers back. They might be connected still if there were: 1) not enough info in the complaints to take action on them

I've never been asked to furnish more info.

2) not enough complaints to terminate the account, but working with the downstream to get the problem resolved

I've never been looped into this process either. What is the window you guys give your downstreams for ceasing such activities?

3) action is awaiting proper approvals.

What's the timeframe on these approvals happening? Do you need such approvals in the event of a DDOS or other abuse?

are read? Why has MCI gone from 111 SBL listings as of January 1 to 190 as

I think the answer
Re: Attn MCI/UUNet - Massive abuse from your network
At 11:34 PM 6/23/2004, Christopher L. Morrow wrote: I'd also point out something that any provider will tell you: Spammers never pay their bills.

Yes, but this is not a problem for a large carrier, as the people that receive it sure do. In other words, the money you lose on the spammer is subsidized by all the people that pay you to receive it.

This is, in fact (for you nanae watchers), the reason that most of them get canceled by us FASTER... Sadly, non-payment is often a quicker and easier method to term a customer than 'abuse', less checks since there is no 'perceived revenue' :(

A revenue check has no place in abuse terminations.

--- Ben Browning [EMAIL PROTECTED] The River Internet Access Co. WA Operations Manager 1-877-88-RIVER http://www.theriver.com
Re: Attn MCI/UUNet - Massive abuse from your network
At 02:36 PM 6/24/2004, Christopher L. Morrow wrote: On Thu, 24 Jun 2004, Ben Browning wrote: like showing that the spammer was actually sending enough of a volume to swamp their core routers

Likewise, I imagine MCI could argue that the damage is to their core product; namely, the trust of other ISPs and their willingness to exchange traffic with MCI.

you mean the phone companies we do business with?

No, I mean the internet. (Hence, ISPs). Your product, in the context of this discussion anyways, is access to the internet. When the actions of a downstream damage that product (IE more and more networks nullroute UUNet traffic), I would assume that you have appropriate privilege to toss them overboard in the contracts. IANAL, though.

~Ben
--- Ben Browning [EMAIL PROTECTED] The River Internet Access Co. WA Operations Manager 1-877-88-RIVER http://www.theriver.com
Re: Unplugging spamming PCs
At 10:07 AM 6/23/2004, Sam Hayes Merritt, III wrote: That is still reactive (first the abuse has to occur, then you try and filter any more from occurring), at least they might now be doing something that everyone else has been doing for years.

To me, this smacks of an intent to continue ignoring the root cause of the problem (the box is 0wnz0r3d) and just shoving it under the rug. When these customers move to another provider, they will still have the problem, and the cost of educating the customer (w/r/t spam, virii, etc) gets shunted to the next ISP the customer moves to.

~Ben
--- Ben Browning [EMAIL PROTECTED] The River Internet Access Co. WA Operations Manager 1-877-88-RIVER http://www.theriver.com
Re: Attn MCI/UUNet - Massive abuse from your network
At 10:45 PM 6/22/2004, Tim Thorne wrote: Not so long ago I took a long look at the SBL for MCI and I came to the conclusion that the data is mostly out of date and therefore inaccurate. The folks at the SBL posting in NANAE said this may be the case, but it's up to the MCI folks to clean up the SBL database. MCI does not want to legitimize blacklists by helping clean up their own records.

Any company or network that afraid of accountability obviously must have its reasons. I am sure they have seen the many many times some provider has said "We removed Spammer A" and the antispam community has responded with "Great, how about spammers B through Z?". That's a question they don't and won't answer beyond the token "Email to abuse@ does get read." Maybe it does- I am not MCI, so I don't know. Regardless of whether the mail does get read, the spammers remain connected. Why? One can only come to the conclusion that it is either due to technical ineptitude or protection of their revenue stream.

Likewise, they have no doubt noticed that providers that lie about canning spammers are quickly outed, and their blocklist listings (and no doubt private firewall rules, which are much harder to escape) tend to expand greatly.

So, MCI has (correctly) identified their options as A) clean up their network B) try to lie or C) do nothing. Given that A involves loss of revenue and a (short term) increase in labor and B will cause them even more problems, C is their obvious recourse.

As an example, I see a posting that says emailtools.com was alive on 206.67.63.41 in 2000. They aren't there any more... But now:

Emailtools.com aren't spammers, but they sell spamware. That subtle difference is enough to keep them on the MCI network.

This may be true, but Atriks is still there, and they are one of the most technically malicious spammers in the game today. Spam support is spam support, whether you are hosting the website, DNS, proxy mining operation, or a drop-box.
Any provider that is OK with hosting software that does this:

Email Marketing 98 is our high-end email marketing tool. It is one of the best extractors on the market while remaining price competitive. At the push of a button, Email Marketing 98 will retrieve Email addresses of all the posters on an Internet news group or a series of groups. Then it will send your Email message to any or all of those addresses.

may as well be sending the spam themselves, IMO.

If you want rid of sites like this that are based in Florida, then you best get Florida to change their laws.

Wouldn't *that* be lovely.

--- Ben Browning [EMAIL PROTECTED] The River Internet Access Co. WA Operations Manager 1-877-88-RIVER http://www.theriver.com
Attn MCI/UUNet - Massive abuse from your network
(apologies to NANOG for only quasi-operational content of this message - I only post this here due to the fact that I am sure it is a problem on many of your networks)

Attention UUNet,

Regarding your continued unabated spam support, when do you plan to address the *189* issues outlined in the Spamhaus SBL (http://www.spamhaus.org/sbl/listings.lasso - ISPs in the United States - MCI.com )?

Here's part of your AUP:

Email: Sending unsolicited mail messages, including, without limitation, commercial advertising and informational announcements, is explicitly prohibited. A user shall not use another site's mail server to relay mail without the express permission of the site.

What does your ethics department say about your blatant disregard for the internet in general and your complete and willful ignorance of your stated policies and procedures? Does UUNet *ever* plan on enforcing this AUP?

I can't help but notice that several of these spammers are career hard-line operations- including Eddy Marin, G-Force Marketing, and Atriks to name a few. Are these customers operating under some form of undisclosed Special Customer Agreement ( http://global.mci.com/publications/service_guide/s_c_a/)? If so, how much do they pay for their pink contract?

At this point I am just curious what the answers to these questions are. I have not (yet) widely blocklisted uunet, but if things don't change I fear such a measure may be the only way to stop the abuse spewing from your networks. Seeing such a large (and once-respected) network go as completely black-hat rogue as UUNet has is a sad thing.

Any reply at all would be most welcome.

~Ben
--- Ben Browning [EMAIL PROTECTED] The River Internet Access Co. WA Operations Manager 1-877-88-RIVER http://www.theriver.com
Re: Attn MCI/UUNet - Massive abuse from your network
At 11:42 AM 6/21/2004, Christopher L. Morrow wrote: curious, why did you not send this to the abuse@ alias?

I wanted it to get read.

Did you include any logs or other relevant data about the problems you are reporting?

These problems are systemic and internet-wide. I can likely dredge up a great many examples if someone from UUNet can assure me they will be read and acted on.

~Ben
--- Ben Browning [EMAIL PROTECTED] The River Internet Access Co. WA Operations Manager 1-877-88-RIVER http://www.theriver.com
Re: Attn MCI/UUNet - Massive abuse from your network
At 12:28 PM 6/21/2004, Christopher L. Morrow wrote: the ethics office doesn't need to see your complaints, they don't really deal with these anyway.

I am quite sure that the ethics department does not deal with spam complaints. My complaint is that your stated policy is clearly not being followed. MCI is currently the Number 1 spam source on many lists- certainly, your overall size skews that figure somewhat, but the listings I see (on the SBL anyway, I do not have the many hours needed to read all the documentation SPEWS has to offer) have reports that are at least 6 months old and are still alive...

As an example, I see a posting that says emailtools.com was alive on 206.67.63.41 in 2000. They aren't there any more... But now:

    [EMAIL PROTECTED] telnet mail.emailtools.com 25
    Trying 65.210.168.34...
    Connected to mail.emailtools.com.
    Escape character is '^]'.
    220 mail.emailtools.com ESMTP Merak 5.1.5; Mon, 21 Jun 2004 18:55:20 -0400
    quit
    221 2.0.0 mail.emailtools.com closing connection
    Connection closed by foreign host.
    [EMAIL PROTECTED] whois `dnsip mail.emailtools.com`
    UUNET Technologies, Inc. UUNET65 (NET-65-192-0-0-1) 65.192.0.0 - 65.223.255.255
    MTI SOFTWARE UU-65-210-168-32-D9 (NET-65-210-168-32-1) 65.210.168.32 - 65.210.168.39

I can furnish as many examples as needed of cases where UUNet has demonstrably ignored complaints. Alternately, you could go ask any major anti-spam community (NANAE for example) or entity (SpamCop, etc) how they feel your abuse@ response has been. If this sounds like a pain, I will gladly collect such stories and send them to whoever there can effect changes in these policies.

On Mon, 21 Jun 2004, Ben Browning wrote: At 11:42 AM 6/21/2004, Christopher L. Morrow wrote: curious, why did you not send this to the abuse@ alias?

I wanted it to get read.

messages to abuse@ do in fact get read...

Allow me to rephrase- I wanted it to be read and hoped someone would act on complaints.
I have no doubt MCI is serious about stopping DDOS and other abusive traffic of that ilk- when it comes to proxy hijacking and spamming, though, abuse@ turns a blind eye. What other conclusion can I draw from the 200ish SBL entries under MCI's name? Why else would emailtools.com (for example) still be around despite their wholesale raping of misconfigured proxies?

All I want is a couple of straight-up answers. Why do complaints to uunet go unanswered and the abusers remain connected if, in fact, the complaints are read? Why has MCI gone from 111 SBL listings as of January 1 to 190 as of today? To whom does the anti-spam community turn when it becomes obvious a tier-1 provider is ignoring complaints?

If I am a kook and an idiot for wanting a cleaner internet, well then I guess I am a kook and an idiot.

~Ben
--- Ben Browning [EMAIL PROTECTED] The River Internet Access Co. WA Operations Manager 1-877-88-RIVER http://www.theriver.com
PING: blacklist.mail.ops.worldnet.att.net-clueful admin at ATT
The following is an autoresponse I have been forced to make in my email client. I get, on average, 1-2 emails per week since I originally posted here asking for help with my own att.net blacklisting woes. That was in *August*. I posted this here once before, in hopes that perhaps it would get as widespread in Google as my original post has been. Today alone I have received 3 emails about this issue.

I would highly appreciate an offlist email telling me what you are doing to document your blacklist and the procedure ISPs must follow to get removed. Alternately, ATT payroll may contact me and we can discuss my consulting rates, should you wish me to continue being your only source of documentation and support for this blacklist.

~Ben

---begin autoresponse---

Here's a post I posted to NANOG and news.admin.net-abuse.email, as I have gotten a lot of replies about this.

---

Subject: ATTN: Anyone with RBL clue at att.net

Something must be highly broken at ATT. I have been receiving tons of emails in response to a Usenet posting I made months ago asking if anyone knew how to get out of att.net's private RBL.

The procedure: What I did: Called the contact in the whois record...

    Administrative Contact, Technical Contact:
    GNMC (VXGTRUVDOO)[EMAIL PROTECTED]
    3324 Hollenberg
    Bridgeton, MO 63044 US
    314-264-9672 fax: 281-664-9975

Asked for their abuse department. Kept asking and calling back and leaving messages, etc, until finally I got a response. It took me several days.

ATT - please document the removal procedures on your website immediately. You are apparently doing some very heavyhanded blocking and professionalism demands you at least give admins some recourse to figure out why they are blocked and how to fix their problems.

~Ben (I speak for myself here)
--- Ben Browning [EMAIL PROTECTED] The River Internet Access Co. WA Operations Manager 1-877-88-RIVER http://www.theriver.com
ATTN: Anyone with RBL clue at att.net
Something must be highly broken at ATT. I have been receiving tons of emails in response to a Usenet posting I made months ago asking if anyone knew how to get out of att.net's private RBL.

The procedure: What I did: Called the contact in the whois record...

    Administrative Contact, Technical Contact:
    GNMC (VXGTRUVDOO)[EMAIL PROTECTED]
    3324 Hollenberg
    Bridgeton, MO 63044 US
    314-264-9672 fax: 281-664-9975

Asked for their abuse department. Kept asking and calling back and leaving messages, etc, until finally I got a response. It took me several days.

ATT - please document the removal procedures on your website immediately. You are apparently doing some very heavyhanded blocking and professionalism demands you at least give admins some recourse to figure out why they are blocked and how to fix their problems.

~Ben
--- Ben Browning [EMAIL PROTECTED] The River Internet Access Co. WA Operations Manager 1-877-88-RIVER http://www.theriver.com
Re: Worst design decisions?
Was doing some upgrades on a UBR7246 (to a VXR), and I got to thinking about short sighted design considerations. I was curious if any of you had some pet peeves from a design perspective to rant about. I'll start with a couple.

Here are a few of mine:

The little clippy widgets (looks kind of like @) on some oldschool racks, that hold the nut in place for the hex-head bolt. Why these were considered desirable is beyond me.

The slimline DS3 patch panels. God help you should you need to do something with the two innermost wires on the back end of that- there's barely room for pliers, much less fingers.

Procurve switch management interface. Archaic, arcane, insane, unusable.

Cisco V-notched power cables - Design feature geared around getting suckers to buy a power cable for 45USD.

~Ben
--- Ben Browning [EMAIL PROTECTED] The River Internet Access Co. WA Operations Manager 1-877-88-RIVER http://www.theriver.com
Re: What *are* they smoking?
At 12:07 PM 9/16/2003, Rich Braun wrote: VeriSign stands to gain financially, take a look at this excerpt from an AP news blurb published yesterday: ... Anyone find out any details of the contracts which VeriSign has apparently signed to profit from this little venture? No, but check this out: http://sitefinder.verisign.com/spc?sb=bulk+emailsearchboxtype=2 http://sitefinder.verisign.com/spc?sb=bulk+mailerssearchboxtype=2 Not that I am shocked. ~Ben --- Ben Browning [EMAIL PROTECTED] The River Internet Access Co. WA Operations Manager 1-877-88-RIVER http://www.theriver.com
ATT.net private blacklist
Greetings, We have somehow fallen into the private blackhole list maintained by att.net at blacklist.mail.ops.worldnet.att.net I have tried for the last two days to approach ATT via phone and email with no response whatsoever. [EMAIL PROTECTED], [EMAIL PROTECTED], and several addresses pulled from ARIN and NetSol lookups have not yielded any response. The calls I have placed have resulted in me leaving a message that was never returned and several instances of Try [EMAIL PROTECTED]. None of these are working at all. On top of that, there is no page or FAQ pertaining to blacklist.mail.ops.worldnet.att.net (at least, not one that is readily apparent to myself or Google). If there are any ATT.net admins here, or someone that may have some contact information of said admins, I would appreciate an email or a call. Thanks! ~Ben --- Ben Browning [EMAIL PROTECTED] The River Internet Access Co. WA Operations Manager 1-877-88-RIVER http://www.theriver.com
[OT] Anyone have clueful AOL postmaster contacts?
I have been wrestling with their Postmaster contact staff (via phone, and the email black holes at [EMAIL PROTECTED] and [EMAIL PROTECTED]) for over a week now. I need some sort of resolution, or anything other than Your case is open. Someone somewhere will do something. Someday. If anyone has any contacts inside AOL, I would greatly appreciate an off-list email. ~Ben --- Ben Browning [EMAIL PROTECTED] The River Internet Access Co. Network Operations 1-877-88-RIVER http://www.theriver.com
Re: DNS issues various
At 02:44 PM 10/24/2002, Barry Shein wrote: That sounds to me more like considering the use of sonic repellants rather than rat poison to keep the vermin out of the relays and providing latex gloves for removing the dead rats, rather than designing out the relays the rodents get into entirely. Given time, rats can chew through concrete. They are smart enough to trip traps before eating the cheese, or to lick the cheese off triggers rather than pulling or chewing, so as not to cross the alarm threshold. They breed faster than you can keep up with them, which not only ensures a generous supply of them but also ensures that they adapt to new environments quickly. They have been known to become resistant to poisons that killed rats a few years before. In short, your rats versus script kiddies analogy is perfect, but I think you are forgetting that we still have rats everywhere. ~Ben (who speaks for himself alone here) --- Ben Browning [EMAIL PROTECTED] The River Internet Access Co. Network Operations 1-877-88-RIVER http://www.theriver.com