Re: Enable BIND cache server to resolve chinese domain name?
On Jul 3, 2005, at 7:36 PM, John Palmer (NANOG Acct) wrote:

> ICANN has no right to claim that they are the authority for the namespace. They are NOT. Horse == dead. Also note the word PUBLIC in PUBLIC-ROOT.

My i18n must be broken. All I see is SNAKE-OIL.

-david ulevitch

> ----- Original Message -----
> From: Mark Andrews [EMAIL PROTECTED]
> To: Joe Shen [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]; NANOG nanog@merit.edu
> Sent: Sunday, July 03, 2005 9:12 PM
> Subject: Re: Enable BIND cache server to resolve chinese domain name?
>
>> Hi,
>>
>> Some of our customers complained that they could not visit their web site, which uses a Chinese domain name. I googled the net and found someone recommending the use of the public-root.com servers in the hint file. I found that domain names like xn--8pru44h.xn--55qx5d could not be resolved either.
>>
>> Our cache server runs BIND 9.3.1 with the root server list from rs.internic.net. Do I need to modify our cache server configuration to enable it?
>>
>> regards
>> Joe
>
> Only if you wish to do all your other customers a disfavour by configuring your caching servers to support a private namespace, then yes.
>
> I would have thought the Site Finder experience would have stopped people from thinking that they can arbitrarily add names to the public DNS.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742   INTERNET: [EMAIL PROTECTED]
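The practical check behind Mark's answer is whether your hints file still points only at the IANA root. The following is an added example, not code from the thread: it parses a constructed hints file in the same zone-file style as the rs.internic.net named.root (the a.root-servers.net name and 198.41.0.4 are real; the "public-root.example" records and 192.0.2.53 are made up) and flags any root NS that is not one of the thirteen a..m.root-servers.net hosts. It also decodes xn-- labels with Python's Punycode codec to show that the names in the question are well-formed; a lookup failure for them is a namespace problem, not an encoding one.

```python
"""Audit a BIND root hints file and sanity-check IDN labels.

Added example, not code from the thread. SAMPLE_HINTS is constructed:
the IANA name and 198.41.0.4 are real, the public-root.example records
and 192.0.2.53 are made up for illustration.
"""
import string

IANA_ROOT_SERVERS = {f"{c}.root-servers.net." for c in string.ascii_lowercase[:13]}

SAMPLE_HINTS = """\
; constructed sample, not a real named.root
.                        3600000   NS   A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000   A    198.41.0.4
.                        3600000   NS   NS1.PUBLIC-ROOT.EXAMPLE.
NS1.PUBLIC-ROOT.EXAMPLE. 3600000   A    192.0.2.53
"""


def _fqdn(name):
    """Lower-case a name and make it absolute (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_hints(text):
    """Return (root_ns_names, glue) from a hints file.

    Only NS records owned by "." and A/AAAA glue are considered; ';'
    comments and blank lines are skipped; names are lower-cased.
    """
    root_ns, glue = [], {}
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if len(fields) < 3:
            continue
        owner = _fqdn(fields[0])
        # owner [ttl] [class] type rdata: locate the type token after the owner
        for i in range(1, len(fields) - 1):
            rtype = fields[i].upper()
            if rtype in ("NS", "A", "AAAA"):
                rdata = fields[i + 1]
                break
        else:
            continue
        if rtype == "NS":
            if owner == ".":
                root_ns.append(_fqdn(rdata))
        else:
            glue.setdefault(owner, []).append(rdata)
    return root_ns, glue


def audit_hints(text):
    """Root NS names in the file that are not IANA root servers."""
    root_ns, _ = parse_hints(text)
    return sorted(set(root_ns) - IANA_ROOT_SERVERS)


def idn_label_is_canonical(alabel):
    """True if an xn-- label decodes as Punycode and re-encodes to itself."""
    if not alabel.lower().startswith("xn--"):
        return False
    body = alabel[4:].lower()
    try:
        ulabel = body.encode("ascii").decode("punycode")
        return ulabel.encode("punycode").decode("ascii") == body
    except (ValueError, OverflowError):
        return False


if __name__ == "__main__":
    print("non-IANA root servers in hints:", audit_hints(SAMPLE_HINTS))
    for label in ("xn--8pru44h", "xn--55qx5d"):
        print(label, "canonical" if idn_label_is_canonical(label) else "malformed")
```

Run it against your own /etc/namedb/named.root (or wherever `hint` zones point) and anything printed by audit_hints is a server you are trusting for the entire namespace; an empty list is the expected result.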
Re: AboveNet Network Issues -- East Coast...
quote who=David A. Ulevitch

> Good morning,
>
> AboveNet Client Services doesn't seem so keen on letting me know why packets are falling on the floor over my AboveNet connection from SFO to NYC this morning.

Update: They claim it's *yet another* fiber cut this week... (???)

> Dear Valued Customer,
>
> There has been a fiber cut affecting our northern path across the US. Backup southern paths have taken the load, however we are seeing latency at this time. There is no ETR for the fiber cut. Crews have been dispatched to locate the cut.

Thanks,
David Ulevitch

--
David A. Ulevitch - Founder, EveryDNS.Net
http://david.ulevitch.com -- http://everydns.net
Re: Underscores in host names
quote who=william(at)elan.net

> Since changing SMTP2821 and waiting until everyone complies and accepts email addresses with no . is not an option, the solutions proposed are to either have an address like [EMAIL PROTECTED] or [EMAIL PROTECTED]. The only reason it has not been discussed more actively is that no TLD operator has yet come forward and said that they are going to use a TLD host for emails, but as soon as one does this would have to be accommodated, and quickly (otherwise it will remain as an open issue for a future update to SMTP - probably RFC4821 if this numbering continues :)

.ws has an MX record.

host -t mx ws. == mail.worldsite.ws

Most MUAs (unix ones tended to work, not surprisingly) complain or break on send, but technically it works. :)

Thanks,
David Ulevitch

--
David A. Ulevitch - Founder, EveryDNS.Net
http://david.ulevitch.com -- http://everydns.net
Re: Major AboveNet problems?
On Jan 21, 2005, at 10:43 AM, Chris A. Epler wrote:

> Anyone have any details on what is going on with AboveNet? Evidently something major, but our support contacts didn't have a lot of details, said there'd be something out later this afternoon about it. Wondering if others are experiencing problems with them.

We received this totally ambiguous and non-specific message this morning:

> Dear Valued Customer,
>
> We are currently experiencing network connectivity issues. These issues began at 04:00am (EST). We are investigating the cause and will continue to keep you updated as to the progress and resolution of this event. If you have any further questions or concerns, please feel free to call the AboveNet 24x7 NMC. The number to call is as follows: 1 (877) 226-8363 or 1 (877) ABOVENET or locally at (408) 350-6673 or internationally at 001 (408) 350-6673.
>
> Thank you,
> AboveNet Client Services
>
> Note: If you wish to be removed from the CNS (Customer Notification List), please respond to this email with Remove as the subject.

I ignored it since our connectivity from multiple points all seems pretty reasonable...

-davidu
Re: Spam Abuse Script from The World (roky@shell.TheWorld.com)
quote who=Joe Johnson

> I have been getting automated scripts from [EMAIL PROTECTED] for weeks that have no way to respond, but threaten FVI and Innerwise, and report to all their upstreams.

I posted to NANOG about this issue a week or so back.[1] There is nobody behind the wheel at The World and they continue to send out this odd anti-spam spam.

> Really, it's worse than the spam we receive because they CC everyone from the FTC to our upstreams and everyone in between and we are forced to respond to our upstreams. If a real person at The World wants someone who still works at FVI that they can contact, I would happily provide them an address. However, in the mean time, STOP SPAMMING ME ABOUT YOUR SPAM.

Eric Brunner-Williams kindly tried to connect our abuse desk to a Mr. Barry Shein but it was to no avail. They failed to respond to anything we sent them to resolve the complaint and they continued to send the harshly worded emails to us and our upstreams.

Some folks emailed me privately to suggest the emails are coming from one of their users but I believe this is not the case. Many more folks emailed offlist to share their frustration at this spam coming from The World.

Sadly, there was no resolution to this issue, we simply closed the tickets on our end and have long since moved on to more productive matters.

-david

1: http://www.merit.edu/mail.archives/nanog/msg03610.html

--
David A. Ulevitch - Founder, EveryDNS.Net
http://david.ulevitch.com -- http://everydns.net
Re: Contact for 'The World'
quote who=Tony Rall

> On Monday, 2004-12-13 at 22:51 PST, David A. Ulevitch [EMAIL PROTECTED] wrote:
>> Does anyone have a contact @ The World?
>
> Have you tried http://www.theworld.com/about/contact.shtml ? (I haven't.)

My abuse desk was simply trying to reply to their email. It's not our job to hunt down the right address. They sent the mail from mailer-daemon, we respond to mailer-daemon. If they sent it from abuse@ or netadmin@ we'd respond to that. Unless it was something like noreply@ we'd probably just reply to the address it came from.

Here are some choice quotes that were sent to our desk from his email (from [EMAIL PROTECTED] which is a bitbucket as far as I can tell):

> 64.158.219.0/24 is the responsible party for these and a huge number of other recent spams that tout illegal and fraudulent products, services and content.

This is false. In fact, we hardly ever send out email from our servers. My personal email (this email) is coming from that netblock, not much else. Occasionally when one of our users does something wrong and is using our DNS servers we detect it and null0 it before we ever get the first report. I like to think we have a good reputation, particularly among those who provide free network services.

> The unread message which you just sent to an unassigned address on our network, and which follows, has already been sent to law enforcement authorities. Hopefully you will be sent to them as well, shortly.

Thanks, that's a very nice thing to say to other people working to help you out.

Thanks,
david

--
David A. Ulevitch - Founder, EveryDNS.Net
http://david.ulevitch.com -- http://everydns.net
Contact for The World
Does anyone have a contact @ The World? They are not listed in Jared's NOC list nor do postmaster@ or mailer-daemon@ seem to have a human behind the wheel.

As an aside, they send one of the most annoying spam-receipt auto-acks I've ever seen, and the fact that you can't even reply to it is even more annoying. (sent from mailer-daemon)

ISPs like them make the necessary evil of running an active abuse desk all the more frustrating.

Thanks,
davidu

--
David A. Ulevitch - Founder, EveryDNS.Net
http://david.ulevitch.com -- http://everydns.net
Re: [nanog] Rack + IP trading sites
On Nov 12, 2004, at 3:31 PM, Dan Mahoney, System Admin wrote:

> On Fri, 12 Nov 2004, Nathan Allen Stratton wrote:
>
> You may want to look at www.communitycolo.net, they're a great operation.

Dan, I don't think we're what he is looking for. He wants to swap colo with someone across the pond. We aren't across the pond (from where I'm sitting...), we don't swap colo and we don't provide colo to for-profit companies.

Thanks,
David A. Ulevitch
(speaking with his communitycolo.net hat on...)

>> Anyone know of good sites where you can trade rack space and IP bandwidth? I am looking for rack space and IP in London and trade it for space and IP in one of our US datacenters. I found lots of sites for trading raw capacity, but can't seem to find a good site for trading space with IP.
>>
>> Co Founder, CTO
>> Nathan Stratton
>> BroadVoice, Inc.
>> nathan at robotics.net
>> Talk IS Cheap
>> http://www.robotics.net http://www.broadvoice.com
>
> --
> I wish the Real World would just stop hassling me! -Matchbox 20, Real World, off the album Yourself or Someone Like You
>
> Dan Mahoney
> Techie, Sysadmin, WebGeek
> Gushi on efnet/undernet IRC
> ICQ: 13735144 AIM: LarpGM
> Site: http://www.gushi.org
Re: Excessive DNS Requests
quote who=Anderson, Ian

> Anyone else seeing excessive DNS requests hammering their local forwarders this evening? We've just taken our residence network off-line owing to the level of port 53 traffic coming from it. Can't see anything in the usual places regarding this.

Things seem normal over here...

http://fiona.everybox.com/~davidu/dns1-101304-120500pdt.png (authoritative ns)

Are the residents actually making legit DNS queries or just spewing down port 53?

-davidu

--
David A. Ulevitch - Founder, EveryDNS.Net
http://david.ulevitch.com -- http://everydns.net
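The question "legit queries or just spewing at port 53?" can be answered from a packet capture without guessing. What follows is an added example, not code from the thread: a minimal parser for the DNS query wire format (RFC 1035 header plus one question section) applied to constructed UDP payloads from made-up source addresses in documentation ranges. Packets that are responses (QR=1), carry a non-QUERY opcode, have QDCOUNT other than 1, use compression in the question name, or are truncated are counted as junk; the per-source tally separates residents running a resolver from boxes spraying garbage or replaying responses at the forwarder.

```python
"""Tell real DNS queries from junk aimed at port 53.

Added example, not code from the thread. SAMPLE_RECORDS is constructed:
the source addresses are documentation ranges and the payloads are
built locally.
"""
import struct
from collections import defaultdict


def build_query(qname, qtype=1, txid=0x1234):
    """Assemble a standard recursive query; used only to build samples."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = [l for l in qname.rstrip(".").split(".") if l]
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


def parse_query(payload):
    """Return (qname, qtype) for a well-formed single-question query, else None."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF != 0 or qdcount != 1:
        return None  # response, non-QUERY opcode, or wrong question count
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            return None  # ran out of bytes inside the name
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 or pos + length > len(payload):
            return None  # compression pointer in a question, or truncated label
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    if qclass != 1:
        return None  # only class IN is expected from a stub resolver
    return ".".join(labels) + ".", qtype


def triage(records):
    """Per-source tally of well-formed queries vs junk; records are (src_ip, payload)."""
    tally = defaultdict(lambda: {"queries": 0, "junk": 0})
    for src, payload in records:
        key = "queries" if parse_query(payload) else "junk"
        tally[src][key] += 1
    return dict(tally)


def spewers(tally, max_junk=3):
    """Sources whose junk count exceeds max_junk (tune to your own baseline)."""
    return sorted(src for src, c in tally.items() if c["junk"] > max_junk)


# Constructed sample traffic: a normal host, a host spraying garbage at
# port 53, and a host replaying DNS responses (QR=1) at the forwarder.
_resp = build_query("example.com")
SAMPLE_RECORDS = (
    [("192.0.2.10", build_query(n)) for n in ("www.example.com", "mail.example.net", "example.org")]
    + [("192.0.2.20", bytes(range(i, i + 40))) for i in range(5)]
    + [("192.0.2.30", _resp[:2] + b"\x81\x80" + _resp[4:])] * 2
)

if __name__ == "__main__":
    summary = triage(SAMPLE_RECORDS)
    for src, counts in sorted(summary.items()):
        print(src, counts)
    print("spewers:", spewers(summary))
```

Feeding it real traffic means pulling the UDP payloads out of a pcap of the uplink (any pcap library will give you the bytes after the UDP header); the threshold in spewers() is deliberately crude, since the point is to separate the two populations before anyone pulls the plug on an entire residence network.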
Spyware Equivalent to ISC.Sans.Org?
NANOG,

I am trying to get some information on some of the worst spyware offenders currently nailing users. Is there something like isc.sans.org but for tracking spyware infection/spread rates? I'm not looking for specific papers on worm speeds (a la the Warhol worm paper) but more generic statistics of worst offenders.

I am also interested in knowing about any .edu's publishing this sort of information.

Thanks for any help.

-david

--
David A. Ulevitch - Founder, EveryDNS.Net
http://david.ulevitch.com -- http://everydns.net
Re: Tornados in Ashburn (Equinix affected)
quote who=Deepak Jain

> Specifically in Equinix's case:
>
> 1) Good that they [seemed] to have maintained partial power.
>
> 2) Good that they restored cooling [power to the blowers?] relatively quickly. By the graph someone posted and their message, it looks like their chillers were on an unaffected system, but their blowers weren't [as in, were affected].
>
> 3) Good that they seemed to be able to bring together enough knowledgeable folks quickly to resolve the problems that did occur relatively quickly.

I would have to agree. We have a setup in this facility and even with the quick temperature spike, we didn't skip a beat. Can't ask for much more than that.

It seems to me like things worked nearly as they should have, and if they didn't, the contingency plans were effective.

-david

--
David A. Ulevitch - Founder, EveryDNS.Net
http://david.ulevitch.com -- http://everydns.net
RE: Email Complexes
quote who=Hosman, Ross

> You're right, this isn't my department and it's not my place to tell them how to do their job. If Roy would like to send me a valid abuse complaint I'll make sure to forward it on or even walk it over to the abuse department supervisor. I would also like to say I'm surprised at how many people have been attacking me on/off the list for asking a simple question.

1) You are posting with your employer's email address and thus opened yourself up as a conduit to the man at Charter. If you didn't want that, you could do what many people do and post via a vanity address.

2) Perhaps you could take all these complaints as a way of saying "maybe instead of making sure Charter can email all these other networks I should make sure Charter CAN'T email all these other networks." :)

It's always good to monitor and optimize but not at the expense of dealing with outstanding support/abuse issues.

-david

--
David A. Ulevitch - Founder, EveryDNS.Net
http://david.ulevitch.com -- http://everydns.net
RE: Email Complexes
quote who=Hosman, Ross

> We like automating a lot of our procedures as our mail complex isn't staffed 24/7.

That's not surprising.

> Right now we have a script that monitors incoming mail sent from probes across the US. It monitors how long it takes the email to first hit the IronPorts, then how long it takes to hit the Brightmail, then how long it takes to hit the MTAs.

Reverse the wires, the rest of the internet would appreciate it.

You missed the point of my previous email. Thousands of hours are wasted by engineers dealing with abuse that is not insignificantly caused by Charter. And now Charter (not you, but Charter) is asking for some free accounts so they can enhance their mail complex. You *are* Charter and netops *is* a two-way street, please act accordingly. Don't just say it isn't your department because guess what, it's all of our departments.

-david

--
David A. Ulevitch - Founder, EveryDNS.Net
http://david.ulevitch.com -- http://everydns.net
re: Senator Diane Feinstein Wants to know about the Benefits of P2P
quote who=Roland Perry

> I have a solution, but it's expensive. A url for the whole 266MB download (and not the smaller selective download that Windows Update would provide). If anyone's that desperate, email me. I only used it after waiting a week with the Automatic Updates switched on, and nothing arriving.

Microsoft isn't hiding the link:

http://download.microsoft.com/download/1/6/5/165b076b-aaa9-443d-84f0-73cf11fdcdf8/WindowsXP-KB835935-SP2-ENU.exe

linked from:

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx (well, click "get the service pack" and then "download")

Just because sp2torrent.com is down doesn't mean the rest of the torrent world is. Supernova.org seems to have some links to an SP2 torrent or two.

as usual, ymmv,
davidu

--
David A. Ulevitch - Founder, EveryDNS.Net
http://david.ulevitch.com -- http://everydns.net
Re: Senator Diane Feinstein Wants to know about the Benefits of P2P
quote who=Byron L. Hicks

> In fact, I would be very reluctant to trust a Windows update downloaded via P2P.

why? Not only were there many sources all showing the same MD5 hash (and for the time being, we can still trust MD5...) BUT it was also digitally signed by Microsoft which was easily verifiable.

Then again, I would be reluctant to install it because I have no idea how my debian system would respond... :)

-david

--
David A. Ulevitch - Founder, EveryDNS.Net
http://david.ulevitch.com -- http://everydns.net
Re: Definition of P2P (was Feinstein)
quote who=Bora Akyol

> Sorry, was it possible to search for a file from millions of storage nodes in IRC?

Yes, not that millions of storage nodes were connected... Napster was more or less a glorified version of IRC w/DCC, that's why it was centralized for searching.

Anyways, we all know the biggest P2P bit movers are the routers...

-davidu

--
David A. Ulevitch - Founder, EveryDNS.Net
http://david.ulevitch.com -- http://everydns.net
Re: bandwidth test
quote who=Bubba Parker

> Recently my DS3 has been turned up to 8 megabits. How can I test to see if I can actually achieve that throughput? Online bandwidth test sites are only good for up to 5mb at the most, and my upstream doesn't have a method to test that.

We've been LART'ing some of our colo clients lately for running bittorrent trackers[1]. They seem to have no problem filling a 10mbps port rather quickly.

-davidu

1: we do not run a commercial colo. our AUP does not allow this behavior. no need to create a separate discussion about this. eof. :)

--
David A. Ulevitch - Founder, EveryDNS.Net
http://david.ulevitch.com -- http://everydns.net
Re: filtering 1918 (was Re: Summary with...: Domain Name System ...)
quote who=Richard A Steenbergen

> Is it really enough traffic that you, as a root server operator, can't just suck it up and deal? Sure there are going to be a few folks who are misconfigured, but I can't imagine that it is enough to cause operational issues.

No, no operational issues at all from RFC1918 space...

http://www.as112.net/

(just to drop the most well documented example...)

-davidu

--
David A. Ulevitch - Founder, EveryDNS.Net
http://david.ulevitch.com -- http://everydns.net
Re: XO Mail engineers?
On Aug 4, 2004, at 12:23 PM, Forrest W. Christian wrote:

> This BCP seems to be changing. The new BCP which seems to be evolving requires customers to authenticate to their home mail server on the MSA port and send mail that way. This appears to be being driven by SPF/Sender-ID-like mechanisms.

And at some point in the not-so-distant future {net|sys}ops will look up from their terminals, blink their eyes a few times and realize that they have just spent the last $x months jumping through a terrible number of hoops to support this SPF/SRS thing because everyone is doing it. And they will realize that all that time/effort/money has still required users to change the way they do things and that operators had to waste time implementing a half-solution (or less) when (this may be unspeakable) in a similar amount of time/effort/money a real (drastic) solution could have been implemented.

I don't think SPF is worthless [1] but it isn't a drop-in solution and the impact on infrastructure will be significant if it becomes widely adopted. I think people will realize that if we're remodeling the boat that much we should have at least made sure we were fixing something in the process...

-david

1: SRS may just be a boondoggle, we'll see.

--
David A. Ulevitch - Founder, EveryDNS.Net
http://david.ulevitch.com -- http://everydns.net
Re: SPF again (Re: XO Mail engineers?)
On Aug 4, 2004, at 3:23 PM, Edward B. Dreger wrote:

> DAU> I think people will realize that if we're remodeling the
> DAU> boat that much we should have at least made sure we were
> DAU> fixing something in the process...
>
> Indeed.
>
> [snip]
>
> Running something DNS-based that requires simple parsing is hardly an earth-shattering change; it smells similar to DNSBLs, yes? Yet it's still somewhat controversial.

SPF's use of TXT records doesn't bother me so much. It's more that people are (blindly) clamoring for it. SpamAssassin is going to start checking SPF records. If I don't choose to implement SPF my DNS servers are still going to get those TXT record requests. I can't opt-out of that. I don't look forward to getting a taste of what the root-server operators see in their valid/invalid lookup ratios.

I think there are going to be some negative consequences as more people implement SPF that will only become apparent at a certain scale.

-david

--
David A. Ulevitch - Founder, EveryDNS.Net
http://david.ulevitch.com -- http://everydns.net
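The "simple parsing" Edward refers to, and the lookup load David cannot opt out of, are both visible in a small evaluator. The block below is an added example, not code from the thread or from any SPF implementation: it evaluates the ip4, ip6, include and all mechanisms with the four qualifiers against a constructed TXT table (domains and addresses are made up; documentation ranges only), enforces the RFC 4408 limit of 10 DNS-querying mechanisms so a self-including record terminates with permerror, and counts how many TXT queries one check costs the authoritative side. The a, mx, ptr, exists and redirect= terms are deliberately left out and reported as permerror.

```python
"""A small SPF evaluator run offline against constructed TXT records.

Added example, not code from the thread or from an SPF library.
SAMPLE_TXT is made up; the addresses are documentation ranges.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 4408 section 10.1: at most 10 DNS-querying mechanisms

SAMPLE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.25 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
    "nospf.example": "some unrelated TXT record",
}


class CountingLookup:
    """Wraps a TXT source and counts how many queries a single check issues."""

    def __init__(self, table):
        self.table, self.queries = table, 0

    def __call__(self, domain):
        self.queries += 1
        return self.table.get(domain.lower().rstrip("."))


def check_spf(ip, domain, txt_lookup, _lookups=None):
    """Return pass/fail/softfail/neutral/none/permerror for ip sending as domain."""
    lookups = _lookups if _lookups is not None else [0]
    record = txt_lookup(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # unparsable network in the record
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qual]
        elif mech == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"  # too many DNS-querying mechanisms
            inner = check_spf(ip, arg, txt_lookup, lookups)
            if inner == "pass":
                return QUALIFIERS[qual]
            if inner in ("none", "permerror"):
                return "permerror"  # include: of a missing record is an error
            # fail/softfail/neutral from an include just means "no match here"
        else:
            return "permerror"  # a, mx, ptr, exists, redirect= not implemented here
    return "neutral"  # ran off the end of the record without a match


def evaluate(ip, domain, table=SAMPLE_TXT):
    """Convenience wrapper returning (result, number_of_txt_queries)."""
    src = CountingLookup(table)
    return check_spf(ip, domain, src), src.queries


if __name__ == "__main__":
    for ip in ("192.0.2.7", "198.51.100.25", "2001:db8::1", "203.0.113.9"):
        print(ip, "example.com", evaluate(ip, "example.com"))
    print("loop.example", evaluate("203.0.113.9", "loop.example"))
```

The second element of evaluate()'s result is the point of the thread: even a modest record with one include costs two TXT queries per message, every receiver runs it, and the domain owner's authoritative servers answer all of them whether or not they ever published SPF.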
Re: Spyware becomes increasingly malicious
On Jul 12, 2004, at 11:20 AM, Christopher Woodfield wrote:

> I think depeering is a bit over the top for this situation, but I wouldn't blink at nullrouting the prefix in question at my cores... :) I guess the big question is, is there anyone (other than those profiting directly from CWS) that would complain if a provider were to do such a thing...

If (your network == your organization) then maybe it's okay, otherwise I wouldn't consider it. If your customers demand it then that's something different and as a provider you can choose to provide this sort of filtering for your customer.

It's the old "I don't want some plumber deciding what can come down my pipe" argument.

-davidu
Re: VeriSign's rapid DNS updates in .com/.net
On Jul 10, 2004, at 1:19 PM, Alexei Roudnev wrote:

> It is cool, but where is any value in this (I mean - 5 minutes) rapid updates for .com and other base domains? I wish rapid DNS when running an enterprise zone (with dynamic updates) or when running a dynamic-dns service (for those who use dynamic IPs); but for .com and .net, it is just a public relations feature, useless - registration time is 1 year, 5 minutes vs 1/2 day does not make any difference.

It makes a big difference to people who sell web/mail/etc services to people that includes the domain name. It means that someone who pays for a new website through an automated system doesn't have to wait 12-24 hours for it to be live, just a few minutes. It also means that changes can be made to host records quickly, which is important for people who don't plan well or have unexpected changes that they want propagated.

I'm appreciative of this change -- but fyi, they aren't the only TLD operators doing this, there are quite a few doing near-instant changes to their respective zones.

The only thing I would still want would be the ability to create multiple host records of the same name but with various values. At least the opposite, multiple host names to the same value, is now allowed. That's good enough for me. :)

-davidu
Re: VeriSign's rapid DNS updates in .com/.net
On Jul 10, 2004, at 7:35 PM, Mike Lewinski wrote:

> David A. Ulevitch wrote:
>> I'm appreciative of this change -- but fyi, they aren't the only TLD operators doing this, there are quite a few doing near-instant changes to their respective zones.
>
> I just registered a new .org and it had visibility from external NS not more than 15 minutes later (I would have paid closer attention to just how long it took, but didn't even think to check on it until reading this thread). Maybe I just got lucky and hit their update window (I registered ~ 3:15AM UTC on 11-July-2004 fwiw). Anyone know the status of .org updates?

Nope, .org is run this way also (since the handover to udns, if I remember right). I don't know of a comprehensive list of tld's in this setup but I would say that the list is only growing... I learn of tlds running in this fashion every once in a while[1].

-davidu

1: not to imply any connection to when I notice it and when it is actually implemented. ;)
Re: Who broke .org?
On Jul 1, 2004, at 8:12 PM, Joe Maimon wrote:

> There was a gentleman a while back that posited that having only two anycast NS records was broken by design. It's the mother of SPOFs. (when your anti-spof solution has an spof...) Something about eggs all in one basket. The basket being the anycast topology.

Precisely. It's a totally valid argument to say that domain.tld holders shouldn't be asked to add 13 nameservers for robustness, but why not max out the payload of one UDP packet in the name of general robustness for a TLD? Granted there are plenty of ccTLDs that aren't as robust as they could be, but I think com/net/org/edu are held to a higher standard and when you have the room, why not use it?

UltraDNS could even list some unicast addresses from their anycast nodes without having to change anything (or much of anything, not knowing their infrastructure/backend)...

-davidu

--
David A. Ulevitch - Founder, EveryDNS.Net
http://david.ulevitch.com -- http://everydns.net
Re: SprintPCS spam policies
On Jun 24, 2004, at 2:44 PM, Eric Kuhnke wrote:

> Has anyone ever encountered spammers doing a dictionary attack (emailing all phone numbers in a NXX) via email-to-SMS gateways?

If they didn't before, they surely will now.

-davidu

--
David A. Ulevitch - Founder, EveryDNS.Net
http://david.ulevitch.com -- http://everydns.net
Re: Can a customer take IP's with them?
On Jun 22, 2004, at 10:40 PM, David Schwartz wrote:

> IANAL, seek competent legal advice from a lawyer with experience in this area. I'm sure you can work out some sort of compromise where you let them keep using their IP space for a reasonable period of time (3 months? 6 months?) and they renumber in that time. I'm fairly sure they don't expect to keep your IPs forever and I'm fairly sure you don't need them back immediately.

Then what was the whole year they had ARIN assigned IP space for? 12 months is plenty of time to renumber for most size organizations. I wonder if their ARIN application says anything about planning to renumber their existing space from NAC into the newly assigned space...

-davidu

--
David A. Ulevitch - Founder, EveryDNS.Net
http://david.ulevitch.com -- http://everydns.net
Re: Can a customer take IP's with them?
On Jun 22, 2004, at 11:10 PM, Christopher J. Wolff wrote:

> David,
>
> Isn't renumbering an obligation? I am not sure, however RFC 2071 touches on this subject in section 4.2.3 but is ambiguous as to the nature of when the renumber should take place.
>
> 4.2.3 Change of Internet Service Provider
>
> As mentioned previously in Section 2, it is increasingly becoming current practice for organizations to have their IP addresses allocated by their upstream ISP. Also, with the advent of Classless Inter Domain Routing (CIDR) [11], and the considerable growth in the size of the global Internet table, Internet Service Providers are becoming more and more reluctant to allow customers to continue using addresses which were allocated by the ISP, when the customer terminates service and moves to another ISP.
>
> [SNIP]
>
> For obvious reasons, this practice is highly discouraged by ISP's with CIDR blocks, and some ISP's are making this a contractual issue, so that customers understand that addresses allocated by the ISP are non-portable.
>
> [SNIP]
>
> It should also be noted that (contrary to opinions sometimes voiced) this form of renumbering is a technically necessary consequence of changing ISP's, rather than a commercial or political mandate.

In my opinion, which counts for nothing in this case, I would hope that 12 months was enough time for the company to renumber. Unless this decision to terminate services with NAC was 'just made' I think that space from ARIN 12 months ago was a heads up that their non-portable space should be eliminated from their network.

Just my $.02 with some RFCs tossed in,
davidu

--
David A. Ulevitch - Founder, EveryDNS.Net
http://david.ulevitch.com -- http://everydns.net
Re: akamaie dns issue
On Jun 17, 2004, at 5:52 AM, Curtis Maurand wrote:

> This was in my mail this am. This is why there was an akamai dns issue.

Shouldn't someone like CAIDA be able to verify these claims? (They look at more than backscatter, right?) I feel like something of this magnitude could have been noticed. Is it possible that the attack was sophisticated enough that it was a DDoS that was just big enough to do the job but small enough to get lost in the ebb and flow of normal traffic? If so, that'd be quite a feat.

I'm sure CAIDA or other groups are going over their datasets to see if there is anything anomalous. I'm looking forward to a third-party report.

thanks,
davidu

--
David A. Ulevitch - Founder, EveryDNS.Net
http://david.ulevitch.com -- http://everydns.net
Monitoring dark address space?
NANOG,

I was wondering how many of you are running some sort of detection tool on dark address space on your network? In an effort to curb malicious outbound non-spoofed traffic from owned client machines I think one of the easiest methods we have is to look for scans in what should be dead space. The source-address spoofed traffic is easy to drop, the legal traffic is a bit more complex and I'm looking for non-inline methods of curbing this traffic.

My questions are:

1) Are you doing this and if so, what tools are you using? Some sort of simple listening device with thresholds would probably do the trick if one machine monitored an entire /24 or some random /32's out of a /16.

2) What techniques seem to be better? Monitoring an entire /24 or picking a distributed selection of IPs from a /16? (using a /24 or /25 is much easier on the administrative end of things from where I sit...)

3) What sort of threshold metrics for considering something to be malicious have you found to be good? (ports/second, ip/second, etc)

4) Are there downsides to this (aside from false positives, which would hopefully be rare in truly dark address space).

Off-list replies are fine and I'll summarize after a few days.

thanks,
davidu

--
David A. Ulevitch - Founder, EveryDNS.Net
Washington University in St. Louis
http://david.ulevitch.com -- http://everydns.net
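The "simple listening device with thresholds" from question 1 and the ports/second and IPs/second metrics from question 3 fit in a few dozen lines. This is an added example, not code from the post or from any darknet tool; the flow records are constructed (the dark prefix and every address are documentation ranges). It buckets dark-space traffic per source and time window, counts distinct destination hosts (a horizontal scan) and distinct destination ports (a vertical scan), and reports sources that cross either threshold separately from sources that merely touched dark space, since a stray packet or two is usually misconfiguration or backscatter rather than an owned box.

```python
"""Threshold-based scan detection on a dark prefix.

Added example, not code from the post. SAMPLE_FLOWS is constructed;
192.0.2.0/24 stands in for a prefix that is routed but unallocated.
"""
import ipaddress
from collections import defaultdict

DARK = ipaddress.ip_network("192.0.2.0/24")  # constructed "dead space"


def classify(flows, dark=DARK, window=10, min_hosts=20, min_ports=20):
    """Split sources that hit dark space into scanners and mere touchers.

    flows: iterable of (t_seconds, src_ip, dst_ip, dst_port).
    Returns (scanners, touched): scanners maps src -> peak distinct hosts
    and ports seen in any single window; touched maps src -> packet count
    for every source that sent anything into the dark prefix.
    """
    buckets = defaultdict(lambda: {"hosts": set(), "ports": set()})
    touched = defaultdict(int)
    for t, src, dst, dport in flows:
        if ipaddress.ip_address(dst) not in dark:
            continue  # only traffic into the dark prefix is of interest
        touched[src] += 1
        b = buckets[(src, int(t // window))]
        b["hosts"].add(dst)
        b["ports"].add(dport)
    scanners = {}
    for (src, _), b in buckets.items():
        hosts, ports = len(b["hosts"]), len(b["ports"])
        if hosts >= min_hosts or ports >= min_ports:
            cur = scanners.setdefault(src, {"hosts": 0, "ports": 0})
            cur["hosts"] = max(cur["hosts"], hosts)
            cur["ports"] = max(cur["ports"], ports)
    return scanners, dict(touched)


# Constructed flows: a horizontal scan of 40 hosts on 445, a vertical scan
# of 25 ports on one host, a stray pair of packets (misconfiguration or
# backscatter), and one flow outside the dark block that must be ignored.
SAMPLE_FLOWS = (
    [(1.0 + i * 0.05, "203.0.113.5", f"192.0.2.{i}", 445) for i in range(1, 41)]
    + [(30.0 + i * 0.1, "203.0.113.9", "192.0.2.77", 1000 + i) for i in range(25)]
    + [(5.0, "198.51.100.1", "192.0.2.200", 80), (6.0, "198.51.100.1", "192.0.2.201", 80)]
    + [(7.0, "203.0.113.5", "198.51.100.40", 445)]
)

if __name__ == "__main__":
    scanners, touched = classify(SAMPLE_FLOWS)
    for src, peak in sorted(scanners.items()):
        print("scanner", src, peak)
    for src, n in sorted(touched.items()):
        if src not in scanners:
            print("touched only", src, n, "packets")
```

Feed it NetFlow/sFlow exports or a tcpdump of the monitoring host and tune window, min_hosts and min_ports to your own baseline; keeping the "touched" list in the output is what answers question 4, because those are the entries a human should glance at before anything automated acts on them.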
Re: disabling SMTP
On Mar 28, 2004, at 10:44 AM, Eric A. Hall wrote:

> To be more realistic (and to close in on any 'proposal' which might subsequently develop), it would likely be far more feasible to assign somewhat aggressive negative weighting to sessions that use HELO (and further possible to assign mild positive weighting to sessions that use properly-formed EHLO), such as for use with session-wide rejects.

This solution might work/help for what, maybe a week? Spammers are scum but they aren't dumb. I would imagine that posting this technique to NANOG just made it totally worthless. Look for malware to start being ESMTP compliant in a few hours, days or maybe a week if the spammers are too busy laughing at our complete and total collective failure at dealing with them effectively to put down their pina coladas to code the fix.

Cynical? maybe. True? Sadly I think it is.

Thanks,
david ulevitch
Re: Throttling mail
quote who=Adi Linden

> Does anyone have any resources on building a mail relay that would limit the amount of email a single user or ip address can relay over a given time period?

relayd for qmail
http://dizzy.roedu.net/relayd/

I'm sure something exists for Sendmail's milter interface. Might start looking at:
http://www.mimedefang.org/ (aka http://www.canit.ca/)

-davidu

--
David A. Ulevitch - Founder, EveryDNS.Net
Washington University in St. Louis
http://david.ulevitch.com -- http://everydns.net
Re: who offers cheap (personal) 1U colo?
quote who=Michael Loftis

> Experiment ... go to a college dorm that's wired, plug your laptop or PC in, start using the net. Nine times out of ten you won't be challenged and you'll be allowed to use the network.

Has it been a while since you've been on a resnet? They're bad, but most all ResNets I know of are now implementing some sort of MAC/DHCP combo at the very least. That might have been true a couple years ago but recent DMCA notices and worm activity have /forced/ (often by their upstream) ResNets to clean up their act.

I don't think our ResNet is a shining example of excellence by any stretch but they know who is registered behind each port/ip/mac address which gives you a pretty good idea of who is on your network.

I won't comment on what leaves the ResNet on port 25 and what leaves the network with no prayer of ever routing back. *cough* That's a whole 'nother issue for them to deal with, and at some point soon, I think they will.

-davidu (speaking only for himself)

--
David A. Ulevitch - Founder, EveryDNS.Net
Washington University in St. Louis
http://david.ulevitch.com -- http://everydns.net
Re: who offers cheap (personal) 1U colo?
quote who=Suresh Ramasubramanian

> And what is wrong with setting up a hub or something in a dormroom? I find it quite convenient to leave both my PC and a laptop running on my desk, for various reasons (too many open terminals and windows is one of them ...)

Our ResNet doesn't forbid that in the AUP (yet). They provide the network connection to the person and tie it to a MAC address. If the student can figure out the rest and not abuse it, more power to them. When they complain about not being able to use the network dorm printers they don't get much support though... those are the breaks.

I'm not sure if this policy applies to non-resnet users (depts., faculty, staff, etc), but for most issues, the resnet case is the one that matters.

-davidu

--
David A. Ulevitch - Founder, EveryDNS.Net
Washington University in St. Louis
http://david.ulevitch.com -- http://everydns.net
Re: who offers cheap (personal) 1U colo?
quote who=Charles Sprickman

> If anyone on the east coast also thinks this is something worth putting together (either for-profit or as a co-op situation), feel free to contact me directly.

This is currently being organized in the IAD area:
http://lists.gotroot.com/mailman/listinfo/dcccp

We've done a similar setup as a non-profit in SFO/SJC:
http://www.communitycolo.net/

It's not for everyone, but it is more than adequate for most people's needs. With some more networking volunteers (as opposed to systems people) we could probably become a lot more robust than we already are. We are currently using 8 cabinets at Hurricane Electric off a 100mbit feed with a bunch of Cisco 1900 and 2900 series switches.

Emails to me offlist for anyone interested in knowing more.

-davidu

--
David A. Ulevitch - Founder, EveryDNS.Net
Washington University in St. Louis
http://david.ulevitch.com -- http://everydns.net
Re: External (not in the same domain) name server
quote who=Randy Bush
i would not be unhappy if the registrar or registry would test this occasionally.

For what values of occasionally? And for what operational benefit? Removal of the record(s) certainly wouldn't be appropriate, so what would you like to see happen? A CIDR Report style email to nanog-l? *yawn*

-davidu

David A. Ulevitch - Founder, EveryDNS.Net
Washington University in St. Louis
http://david.ulevitch.com -- http://everydns.net
Re: External (not in the same domain) name server
quote who=Randy Bush
And for what operational benefit? Removal of the record(s) certainly wouldn't be appropriate

why not? what is the use of a zone that is not being served?

A query not being answered to you or the verifier is not the same thing as a zone not being served. (I would also assume that a failed check would result in the zone being perhaps queued for more re-testing or asking the netop to autoack something.)

I still don't see the operational benefit in removing these records. (Checking them could be worthwhile (see below), but removing them... why?)

quote who=Tim Wilde
You mean http://www.cymru.com/DNS/lame.html ? Team Cymru have been doing that for ages. Doesn't actually force the issue anywhere, but it does get checked and published, using contributed resolver logs.

Three comments:

1) I think there is some operational value in tracking this data for the in-addr.arpa tree but less benefit to getting this data for general forward nameservice (except maybe to people like you and me).

2) For Cymru's page to be of much benefit it needs a lot more resolver contributions. If some large, end-user ISPs submitted data it would become much more useful. The problem (in getting data) with this project is that the people who submit are not necessarily the people who benefit, which provides less incentive for sysops to participate.

3) With this data published someone could check the list for lame delegations and come to our site and set up those domains and begin using them. This could be used by spammers and other sludge to borrow domains. A solvable problem, but one which would become substantially easier if there was a comprehensive list of lame delegations that could be correlated with third-party DNS services.

-davidu

David A. Ulevitch - Founder, EveryDNS.Net
Washington University in St. Louis
http://david.ulevitch.com -- http://everydns.net
Re: Possibly yet another MS mail worm
quote who=John Palmer
In this case, it is the IDIOT users. You tell them time and time again DON'T CLICK ON ATTACHMENTS UNLESS SOMEONE YOU KNOW IS SENDING IT AND TELLS YOU IN ADVANCE THEY ARE SENDING IT.

Just telling people "Don't do that, it's bad." is sure to fail for the same reason you can't tell people who wash their clothes in a disease-filled river to just not wash there.

quote who=John Palmer
The problem is dumb users who DON'T LISTEN. This is mostly the office crowd.

What makes you think they didn't listen? Not doing what you say and not listening are not the same thing.

quote who=John Palmer
The real imbeciles are people operating a broadband connection without a license. Letting a computer illiterate, typical beer guzzling, porno hunting hick have a computer with a DSL/cable connection should be a capital offense.

I'd hate to think about what you would do to network operators and companies who fail to filter their egress traffic. Surely they share no blame? Those are where most of the zombies are located.

quote who=John Palmer
When you use words like attachment and '.exe' with them, their eyes just sort of glaze over. Hey, all I do is point and click and it just works.

And it does just work -- do the mom test and see. Why have attachments if they shouldn't be opened? *That* would make no sense.

quote who=John Palmer
We need to cleanse the gene pool of these kinds, or at least take away their DSL connections.

Some problems are social and some are technical. These are social problems that can be mitigated on a large scale by technical means. The users need to be educated at some level, but the network and system operators and companies need to be responsible for what is coming and going from their network. Back to the mom test: if an email with an attached virus gets to my mom's Outlook Express client, I place the blame squarely on her mail administrator (me).

-davidu

David A. Ulevitch - Founder, EveryDNS.Net
Washington University in St. Louis
http://david.ulevitch.com -- http://everydns.net
Re: [IP] VeriSign prepares to relaunch Site Finder -- calls technologists biased
quote who=Curtis Maurand
That's not the point. A failed DNS lookup actually needs to fail, not get redirected.

Perhaps you need to change your definition of failed? The lookup has not failed if the rcode in the reply is set to a non-failing value.

-davidu

David A. Ulevitch - Founder, EveryDNS.Net
Washington University in St. Louis
http://david.ulevitch.com -- http://everydns.net
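Both of the points made in this thread (a lame delegation is a server that replies but not authoritatively, and a Site Finder style wildcard reply is not a "failed" lookup because its rcode is NOERROR) come down to reading the DNS header. The following is an added example, not code from the list posts; it decodes the 12-byte header of a raw reply and classifies it, with the reply messages constructed by hand so no network access is needed.

```python
# Added example, not from the thread: read the header of a raw DNS reply and
# classify it the way a lame-delegation or wildcard check would. The replies
# used below are constructed by hand (no network access needed).
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS message header (RFC 1035, section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,      # 1 = this message is a response
        "aa": (flags >> 10) & 1,      # 1 = server is authoritative for the name
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(msg: bytes) -> str:
    """Classify a reply from a server the parent zone delegates to.

    'nxdomain' : authoritative NXDOMAIN, the real failure the thread asks for
    'answered' : authoritative NOERROR with answer records; a wildcard-
                 synthesized address (Site Finder) lands here, not in a failure
    'lame'     : replied but without the AA bit (REFUSED, SERVFAIL, recursive
                 NOERROR), which is what a lame-delegation check flags
    """
    h = parse_header(msg)
    if not h["qr"]:
        return "not-a-response"
    if not h["aa"]:
        return "lame"
    rcode = RCODE_NAMES.get(h["rcode"], str(h["rcode"]))
    if rcode == "NXDOMAIN":
        return "nxdomain"
    if rcode == "NOERROR":
        return "answered" if h["ancount"] > 0 else "nodata"
    return rcode.lower()


def build_reply(aa: bool, rcode: int, ancount: int = 0) -> bytes:
    """Constructed response header (QR=1, one question) for exercising classify()."""
    flags = 0x8000 | (0x0400 if aa else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)


if __name__ == "__main__":
    # e.g. a delegated server answering REFUSED without the AA bit set
    print(classify(build_reply(False, 5)))
```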
Re: RBLs in use
Brian Bruns wrote:
I run the Abusive Hosts Blocking List (http://www.ahbl.org). We list everything from spam sources, to spam supporters, open proxies, open relays, drones, etc. It's in use on all of the mail servers I help administrate (which includes several Fortune 500 companies, half a dozen regional ISPs, and several .edu sites), plus SpamHaus, SpamCop BL, SORBS, EasyNet, and several others, which help balance out protection.

Like what .edu's and Fortune 500 companies?

-davidu

David A. Ulevitch - Founder, EveryDNS.Net
Washington University in St. Louis
http://david.ulevitch.com -- http://everydns.net
Re: OT: Midco.net
[EMAIL PROTECTED] wrote:
Sorry for the off topic post, but has anyone dealt with Midco.net? I recently reported a Scan from a node belonging there and have met with nothing but side steps. Please contact me off list if you have any contacts there. Would like to get this resolved. http://www.rocknyou.com/midco.html

On your site you say your server functions to: "resolve names for Rocknyou.com, log scans and evil-doers attempting to break in, and sometimes for fun I run nmap http://www.insecure.org/nmap/index.html back at those bad nodes." (http://www.rocknyou.com/aboutme.html)

So since tonight is Halloween (GMT -6), would you prefer to be Pot or Kettle? :)

There are perfectly valid reasons to get scanned, especially by a well known white-hat tool like Nessus. Script-kiddies and spammers have much more robust/directed tools than a general purpose (slow) tool like Nessus. And from the link you sent about Midco, it looks like they did a fine job responding to your request; probably better than most *SPs would do.

-davidu
Potential downside to using (very) old domain as spam trap.
Hi,

I've recently been delegated a domain of a dead ISP which hasn't existed in *any* form for about 5+ years. As a test, we set up an MX for it to see what kind of mail it would get, since we noted a lot of DNS lookups for it. After going through a few hundred emails it started to look like the domain might be good fodder for a blacklist. We couldn't find a single legit email that passed through SpamAssassin and a couple of other tools.

I've seen people put spamtraps on web pages and at the bottom of emails to use as blacklist fodder, but not a whole domain. I suppose more rigorous testing could be done to make sure no legit email is being sent to the domain, but I have a strong feeling that it is very, very dead. (It even expired at one point and was available from a registrar.)

Is this done? Advisable? Experiences?

Thanks in advance,
David Ulevitch

David A. Ulevitch -- http://david.ulevitch.com
http://everydns.net -+- http://communitycolo.net
Campus Box 6957 + Washington University in St. Louis
RE: has anyone notice this ?
quote who=Vicky Rode
vickyr i'm a time warner end-user trying to access outside world which could be anything.

[SNIP]

vickyr yes i have and they think it could be the cable modem box and have issued a replacement. i sure hope they have a good stock because i know whole bunch of people who are having similar problems. maybe its time to buy some 3com stocks :)

A twisted or crumpled up ethernet cable can sometimes impede the flow of ones and zeros. Often looping up extra slack in your cat-5 can prove catastrophic for the free flow of electrons down the pipe.

Ahh... Saturday (PDT)...

-davidu

David A. Ulevitch -- http://david.ulevitch.com
http://everydns.net -+- http://communitycolo.net
Campus Box 6957 + Washington University in St. Louis