Re: DDoS Question

2007-09-29 Thread Matthew Sullivan


Raymond L. Corbin wrote:

messages to fail in our servers. You can always try the rbl that lists a
lot of residential IP's in it...i think it's the PBL from spamhaus. That
would help limit it, and blocking emails with the domain
  
You'd have better luck with SORBS DUHL if you don't want to pay for 
Spamhaus data.  (a peak of 192 messages/minute and an average of 4 
messages per minute were considered excessive enough for my DSL's to be 
blocked by Spamhaus).  I would also suggest NJABL as it used to list 
dynamics, except it is not listing just dynamics now, and it has merged 
into Spamhaus as the PBL.  Of course Trend are now running what was 
MAPS, which is another pay for service which is also useful.


Regards,

Mat




Re: TeliaSonera routing issue / microsoft.com

2007-09-06 Thread Matthew Sullivan


Pekka Savola wrote:


Hi -

TeliaSonera has reported routing problem due to prefix filtering leaks 
/ max-prefix triggering, starting around 0616 UTC.  I guess some 
others are seeing this as well.  I wonder what was the more exact 
reason, and why the problem still persists after about 6 hours.


This also times with when I lost connectivity to my hosts in the UK ... 
path is via Above+Telia.


Third hand/Chinese whispers information:

The UK network(s) are now selectively dropping routes to the affected 
paths.  Telia have been notified.


Regards,

Mat


Re: Multiple different ISPs respond to Bots (was RE: DNS Hijacking by Cox)

2007-07-22 Thread Matthew Sullivan


Sean Donelan wrote:


On Sun, 22 Jul 2007, Raymond L. Corbin wrote:

I agree. They are at least trying to clean up their network. If they are
having a lot of problems with zombie bots that DDoS / Spam then this is
a good way to stop it, for now. The small group of users can either use
other nameservers or something like psybnc to connect if they want to
get on IRC.


It doesn't seem to be rogue Cox engineers.  Several major ISPs have 
all taken action against these particular IRC servers (not! IRC in 
general).
They either re-direct the traffic to a cleaning server, or are 
blackholing the traffic completely.


Yes, it could have been some type of false positive; but when multiple 
ISPs all start reacting to something, I think there might be more to 
the story.  Especially when those ISPs are noted for not responding to 
incidents.  One ISP, it might be the ISP.  Multiple ISPs, gotta start 
looking at what has them disturbed.


Legit or not, well that's for each individual, because of the problem of 
Bots I'm happy that they are doing it, when my ISP stops me connecting 
to my IRC server I'll probably not be happy (actually I'd be *very* 
unhappy because I IPSec all traffic with the network it's on, but that's 
another story). 

Cox know they have a problem, they have taken steps which have been 
thought out to correct it.  How many legitimate users use irc.vel.net 
from *.cox.net against how many bots use IRC from *.cox.net ... all a 
matter of numbers and risk.  Not saying it's right or wrong, but am 
saying look at the numbers before making a personal call, and use your 
own server(s) for recursion if you can't accept what they have done to 
*their* DNS servers.  Of course if Cox is blocking DNS traffic from home 
users then I can see a reason to complain loudly.


My $0.02...

Regards,

Mat



Re: Warning about UltraDNS terms

2007-05-02 Thread Matthew Sullivan


Peter Beckman wrote:


Try DNSmadeEasy.com, cheesy name, great service and reliability.  Much
cheaper, anycasted.  Not great for international, but perfect for US.


Do use a throw away email address with them though.

Regards,

Mat


Re: Blocking mail from bad places

2007-04-05 Thread Matthew Sullivan


Steven Champeon wrote:

I'll add that even if everyone were willing to email/call with problems,
the hideous things that (e.g.) Exchange does to your carefully
handcrafted rejection errors are enough to cripple the least tech-savvy
of your likely audience, anyway.
  
All the more reason to advise people not to use Exchange for any 
Internet based communications.


Regards,

Mat


Re: Slightly OT: Looking for an old domain for spam collection

2007-03-27 Thread Matthew Sullivan


Ken Simpson wrote:

Hi There,

Does anyone out there have an unused domain name that formerly
received lots of email? I am looking for a source of "throw away" SMTP
traffic. I don't need to own the domain -- just to have its MX'es
redirected to our farm.

  

Same here for SORBS.

Regards,

Mat



Re: Possibly OT, definitely humor. rDNS is to policy set by federal law.

2007-03-17 Thread Matthew Sullivan


Peter Corlett wrote:


On 16 Mar 2007, at 18:21, Rich Kulawiec wrote:

[...] abusive, spam-supporting tactics such as
callbacks/sender address verification.)


Would you care to expand on why you think sender callback verification 
is apparently abusive and supports spam?


I sure don't mind my MXers being probed if it stops somebody forging 
mail from my domains.


What next, will forward lookups of rDNS to verify that they're not 
forged also be considered abusive because the forged third-party's 
servers get consulted out of paranoia?



Also, others didn't mention that it doesn't actually work properly when other 
things are going on.


Anywhere that is RBL'd when it tries to callback receives a message 
saying that delivery fails - this results in the outgoing mail not 
getting delivered (and I've had to deal with that problem several times 
where people are accusing SORBS of blocking their outgoing mail).



DDoS attack is very understated, consider any SOHO... I have an 8M link 
here, 2m call backs will wipe out both my bandwidth for a few hours, as 
well as probably use up my monthly quota.


Spammers who are blocked from my servers can use callback on your 
servers to determine what the real/working addresses are on my network.


Rate-limiting on my servers is useless under callback attack (because 
it's not a DoS, but a DDoS).



Many other things are bad about it...  Read Spam-L and other lists for 
information.


Regards,

Mat
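
The failure modes listed in the reply above (a callback that is refused because the verifier's own IP is blocklisted and is read as "no such user", blocked spammers using a callback host as an address oracle, and the per-message probe fan-out that per-IP rate limiting cannot absorb) are easier to see in a small model than in prose.  The following is an added example, not code from the page or from any MTA; the domains, addresses and IPs are constructed, and the SMTP codes used are the standard 250 (OK), 550 (no such user) and 554 (connection refused after a blocklist hit).

```python
"""Model of SMTP sender-callback verification and its failure modes.

Added example, not code from the page or from any MTA.  Hosts, users and
IP addresses are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class MailExchanger:
    """A very small model of the inbound MX for one domain."""
    domain: str
    users: Set[str]
    blocked_ips: Set[str] = field(default_factory=set)   # e.g. DNSBL-listed clients
    probes_seen: List[str] = field(default_factory=list)  # client IP of every RCPT

    def rcpt(self, client_ip: str, address: str) -> int:
        """Answer RCPT TO; a blocklisted client is refused before any user check."""
        self.probes_seen.append(client_ip)
        if client_ip in self.blocked_ips:
            return 554
        local, _, dom = address.partition("@")
        if dom != self.domain or local not in self.users:
            return 550
        return 250


@dataclass
class CallbackMX(MailExchanger):
    """An MX that verifies MAIL FROM by probing the sender domain's MX."""
    ip: str = "192.0.2.10"
    registry: Dict[str, MailExchanger] = field(default_factory=dict)

    def verify_sender(self, sender: str) -> bool:
        target = self.registry[sender.partition("@")[2]]
        # Any non-250 answer, including a 554 aimed at *this* verifier, is
        # read as "sender does not exist".  That is the false-rejection bug.
        return target.rcpt(self.ip, sender) == 250

    def mail_from(self, client_ip: str, sender: str) -> int:
        if client_ip in self.blocked_ips:
            return 554
        return 250 if self.verify_sender(sender) else 550


VICTIM = "victim.example"       # domain whose addresses get forged
CLIENT = "203.0.113.5"          # an ordinary legitimate sending host
SPAMMER = "203.0.113.66"        # host the victim already refuses


def build_world(n_relays: int = 1) -> Tuple[MailExchanger, List[CallbackMX]]:
    victim = MailExchanger(VICTIM, {"alice", "bob"})
    relays = [CallbackMX(f"relay{i}.example", {"carol"}, ip=f"192.0.2.{i + 1}",
                         registry={VICTIM: victim}) for i in range(n_relays)]
    return victim, relays


def scenario_normal() -> Tuple[int, int]:
    """Callback works as advertised: real sender accepted, forged one refused."""
    victim, (relay,) = build_world()
    return (relay.mail_from(CLIENT, f"alice@{VICTIM}"),
            relay.mail_from(CLIENT, f"nobody@{VICTIM}"))


def scenario_false_rejection() -> int:
    """The victim's MX blocklists the verifier's IP; alice's real mail now bounces."""
    victim, (relay,) = build_world()
    victim.blocked_ips.add(relay.ip)
    return relay.mail_from(CLIENT, f"alice@{VICTIM}")   # 550 although alice exists


def scenario_harvest() -> List[str]:
    """Spammer is refused by the victim directly but reads valid users off the relay."""
    victim, (relay,) = build_world()
    victim.blocked_ips.add(SPAMMER)
    guesses = [f"{u}@{VICTIM}" for u in ("alice", "admin", "bob", "sales")]
    direct = victim.rcpt(SPAMMER, guesses[0])           # 554: no oracle here
    harvested = [g for g in guesses if relay.mail_from(SPAMMER, g) == 250]
    return harvested if direct == 554 else []


def scenario_amplification(n_relays: int, msgs_per_relay: int) -> Tuple[int, int]:
    """Forged-sender spam to many callback hosts: (probes at victim, distinct sources)."""
    victim, relays = build_world(n_relays)
    for i, relay in enumerate(relays):
        for j in range(msgs_per_relay):
            bot = f"198.51.100.{(i * msgs_per_relay + j) % 250 + 1}"
            relay.mail_from(bot, f"user{i}-{j}@{VICTIM}")
    return len(victim.probes_seen), len(set(victim.probes_seen))


if __name__ == "__main__":
    print("normal:", scenario_normal())
    print("verifier blocklisted:", scenario_false_rejection())
    print("harvested via callback:", scenario_harvest())
    print("probes, distinct sources:", scenario_amplification(20, 50))
```

The last scenario is the point about rate limiting: every probe the victim sees comes from a different, otherwise legitimate MX, so throttling by source IP at the victim does nothing while the total probe count tracks the spam run one-for-one.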


Re: Possibly OT, definitely humor. rDNS is to policy set by federal law.

2007-03-16 Thread Matthew Sullivan


Nachman Yaakov Ziskind wrote:

Steve Sobol wrote (on Thu, Mar 15, 2007 at 10:31:44PM -0400):
  

On Thu, 15 Mar 2007, S. Ryan wrote:
 

Personally, we gave up using SORBS because of it's very high 
false-positive ratio 
  

YMMV; at $DAYJOB we don't seem to have the same problem.



I gave up using SORBS (and I'm not Mat's enemy, mind you - I used to 
work for SORBS and still like the idea) because it was so random. 
Mat would block 2, say, out of AOL's 26 or whatever mailservers. 
Why? b/c those two were used to send spam. Right. So, not only do 
I have to explain to users why their AOL friends cannot write them, 
I *also* have to explain that the blocking is at random, and if 
their friend just retries sending, they'll have a 92% chance of 
getting through. Completely unworkable. If you want to block AOL 
(and I totally sympathize with Mat here) just ... block ...

them and be done with it. Don't make me play email roulette.

  
This is a problem, and with the advent of the latest bots using ISPs 
MTAs etc I am more than happy to talk to people and listen to 
constructive suggestions from ISPs (such as those on this list) about 
how to resolve the issue.  I am even happy to receive constructive 
suggestions and to discuss changes to SORBS general policies (though 
would have to be another forum) if anyone here would like to do 
that.  The spammers have changed, SORBS needs to, I don't have the 
answers.


Regards,

Mat



Possibly OT, definitely humor. rDNS is to policy set by federal law.

2007-03-15 Thread Matthew Sullivan


Could be considered off-topic because it is humor.

I guess a lot of US network operators are going to have to change their 
DNS entries because apparently the rDNS policies are now set by federal 
law.


http://www.au.sorbs.net/~matthew/funny/rDNS-set-by-federal-law.txt

Regards,

Mat


Re: RBL for bots?

2007-02-15 Thread Matthew Sullivan


Drew Weaver wrote:
Has anyone created an RBL, much like (possibly) the BOGON list 
which includes the IP addresses of hosts which seem to be "infected" 
and are attempting to brute-force SSH/HTTP, etc?
 
It would be fairly easy to setup a dozen or more honeypots and examine 
the logs in order to create an initial list.
 
Anyone know of anything like this?


web.dnsbl.sorbs.net has hosts that do this as well as korgo infected 
machines, and a whole host of other types of vulnerabilities, trojans 
and bots.


Do be careful about how you use the data, we don't distinguish between 
the types for very good reason.


Regards,

Mat


Re: death of the net predicted by deloitte -- film at 11

2007-02-11 Thread Matthew Sullivan


Owen DeLong wrote:


Today IPTV is in its infancy and is strictly a novelty for early 
adopters.  As the technology
matures and as the market develops an understanding of the 
possibilities creating pressure
on manufacturers and content providers to offer better, it will 
gradually become compelling.
In case you missed it something we're doing over here... 
http://uctv.canberra.edu.au/


We have HDTV and quite a list of channels on campus.  Of course 
licensing/broadcast restrictions (read: lawyers) have a lot stopped at 
the border, but hey, it's working ;-)


Regards,

Mat



Re: what the heck do i do now?

2007-02-05 Thread Matthew Sullivan


Andrew - Supernews wrote:

"Warren" == Warren Kumari <[EMAIL PROTECTED]> writes:



 Warren> Sure, but if we could all agree that 127.255.255.255 (or
 Warren> something) means that the BL has been shutdown then in the
 Warren> future this sort of issue could be mitigated.

You don't need to agree on something - it's already possible to apply
automated checks to a DNSBL that detect all known methods of shutting
it down.
  
You could also say if it returns anything outside of 127.0.0.0/8 then 
it's dead - that would stop it the moment it is wildcarded.


In any case the software writers would need to be persuaded to alter it 
in code.


/ Mat
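
Both the "RBL for bots" reply above (using a zone such as web.dnsbl.sorbs.net) and this thread on detecting a shut-down list come down to the same client-side logic: reverse the address, query the zone, act only on a 127.0.0.0/8 answer, and sanity-check the zone before trusting it.  The block below is an added example, not code from the page, from SORBS or from any MTA.  The health probes follow the RFC 5782 convention (127.0.0.2 must be listed, 127.0.0.1 must not) plus the rule from the reply above that any answer outside 127.0.0.0/8 means the zone is dead; the sample zones and answers are constructed so it runs offline.

```python
"""DNSBL client with dead- and wildcarded-zone detection.

Added example, not code from the page, from SORBS or from any MTA.  The
sample zones below are constructed, not real DNSBL data.
"""
import ipaddress
import socket
from typing import Callable, Dict, Optional

Resolver = Callable[[str], Optional[str]]
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_name(ip: str, zone: str) -> str:
    """1.2.3.4 in zone dnsbl.example -> 4.3.2.1.dnsbl.example"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name: str) -> Optional[str]:
    """Real A-record lookup; None on NXDOMAIN or any resolution failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def query(ip: str, zone: str, resolve: Resolver = system_resolver) -> str:
    """Return 'listed', 'not_listed' or 'dead' for ip in zone."""
    answer = resolve(dnsbl_name(ip, zone))
    if answer is None:
        return "not_listed"
    if ipaddress.IPv4Address(answer) not in LOOPBACK:
        # A live DNSBL only ever answers 127.x.y.z.  Anything else means the
        # domain lapsed, was re-registered or was wildcarded to a parking
        # address; trusting it from that moment on would block every sender.
        return "dead"
    return "listed"


def zone_health(zone: str, resolve: Resolver = system_resolver) -> str:
    """'ok', 'dead' (no or invalid test entry) or 'wildcarded' (lists everything)."""
    listed_probe = query("127.0.0.2", zone, resolve)
    unlisted_probe = query("127.0.0.1", zone, resolve)
    if "dead" in (listed_probe, unlisted_probe) or listed_probe != "listed":
        return "dead"
    if unlisted_probe == "listed":
        return "wildcarded"
    return "ok"


def should_reject(ip: str, zone: str, resolve: Resolver = system_resolver) -> bool:
    """Fail open: act on a listing only when the zone passes its health check."""
    if zone_health(zone, resolve) != "ok":
        return False
    return query(ip, zone, resolve) == "listed"


# Constructed sample zones for offline use:
#   dnsbl.example  - healthy list; 1.2.3.4 is listed with return code 127.0.0.6
#   parked.example - lapsed list, now wildcarded to a parking A record
#   wild.example   - broken list answering 127.0.0.2 for every query
SAMPLE_TABLE: Dict[str, str] = {
    "2.0.0.127.dnsbl.example": "127.0.0.2",
    "4.3.2.1.dnsbl.example": "127.0.0.6",
}


def sample_resolver(name: str) -> Optional[str]:
    if name.endswith(".parked.example"):
        return "198.51.100.7"
    if name.endswith(".wild.example"):
        return "127.0.0.2"
    return SAMPLE_TABLE.get(name)


if __name__ == "__main__":
    for zone in ("dnsbl.example", "parked.example", "wild.example"):
        print(zone, zone_health(zone, sample_resolver),
              should_reject("1.2.3.4", zone, sample_resolver))
```

Running zone_health() once per zone at startup (and again periodically) is what turns the "dead list blocks everything" failure into a logged warning instead of an outage.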


Re: what the heck do i do now?

2007-02-01 Thread Matthew Sullivan


David Ulevitch wrote:

Not offering a solution but a bit of an explanation perhaps...

From: http://cr.yp.to/ucspi-tcp/rblsmtpd.html
"If you do not supply any -r options, rblsmtpd tries an RBL source of 
rbl.maps.vix.com. This will be changed in subsequent versions."


So checking the last released version:
/ucspi-tcp-0.88# grep -hn maps.vix.com rblsmtpd.c
193:  if (flagwantdefaultrbl) rbl("rbl.maps.vix.com");

Looks like that could be a cause of some of your pain...
Not everyone runs rblsmtpd on their mailserver, but I know lots of 
large mail servers that run rblsmtpd (qmail).


The fact that the option is the default without being explicit means 
that at least some folks don't even know maps.vix.com zones are no 
longer present and the current failure case is not impacting them.

The solution then:

maps.vix.com. IN NS   a.ns.yp.to.
maps.vix.com. IN NS   b.ns.yp.to.


/ Mat


Re: Cable-Tying with Waxed Twine

2007-01-24 Thread Matthew Sullivan


Dan Mahoney, System Admin wrote:
Upon leaving a router at telx and asking one of their techs to plug in 
the equipment for me, I came back to find all my cat5 cables neatly 
tied with some sort of waxed twine, using an interesting looping knot 
pattern that repeated every six inches or so using a single piece of 
string.  For some reason, I found this trick really cool.
As others have already indicated (and with some good links) it's cable 
lacing.


For how to's .. find anyone that has done a recognised apprenticeship in 
electrical, telecommunications, RF, or "multiskill" 
(electrical/electromechanical/mechanical) and ask them to teach you (in 
this day and age of training courses, that probably means finding 
someone over the age of 35).  Also you could ask your friendly local 
full license, old school radio ham etc etc...  It's a dying skill, not 
because it isn't good, but because it takes training/practice and time.  
Tiewraps (Zip ties) are cheap, quick and require little (if any) training.


Regards,

Mat


Re: nanog revelancy to newcomers [was Re: Curious question on hop identity...]

2006-12-14 Thread Matthew Sullivan


Scott Weeks wrote:


I just have to add to this.  I have worked with quite a few CC{IE, NP, SP, ...} 
types lately that've been given lead positions and high responsibilities.  
(Hell, some have .sigs that look like the dictionary.  They're very good at 
passing cert tests.)  Many don't want to know about UNIX and Open Source 
Software.  I don't mean not use it in production, but don't want to know 
anything about it at all.  They don't want to know how the internals of any of 
it works.  They want to design by book regurgitation and operate by 
point-and-click.  They don't think about things organically or as the Big 
Picture, rather they have a very narrow point of view.  It's a change of 
personality type behind this.  Do the least amount of work for the most amount 
of money.  It's not geek-excitement that drives them.  It's a crazy world when 
CCxx certs are considered more valuable than EE or Comp Sci degrees.  :-(


  

s/CC/MS*\/CC/g
s/EE or /real world experience or EE and /

/ Mat




Re: Captchas was Re: ISP wants to stop outgoing web based spam

2006-08-15 Thread Matthew Sullivan


Paul Jakma wrote:


ASCII captchas are no less effective than image-captcha just without 
the nasty "ban the blind from the internet!" side-effects.


Then again you have Authen::Captcha that has sound based Captchas as 
well


/ Mat


Re: Question for the List Maintaners -- (Re: SORBS Contact)

2006-08-09 Thread Matthew Sullivan


Steve Sobol wrote:

Matthew Sullivan wrote:

  



Something to consider before replying: is this on or off topic for
NANOG? (personally I think part of this is on topic, other parts of the
thread are definitely off topic)



It has been agreed that spam is offtopic, although the issue of hijacked
netblocks certainly isn't. So I probably should have replied to you off-list
(apologies to everyone else for lowering the S:N ratio).

I don't know what the official word is on whether DNSBL operations in general
are on-topic for this list. I would appreciate if the people in charge of
deciding such things could tell me whether DNSBLs are on-topic or not...
  

List maintainers, would you please rule on whether:

1/ DNSbl operations are on or off topic.
2/ Hijacked netblocks are on/off topic (I suspect on topic, but would 
like to see an official word).


Regards,

Mat


Re: SORBS Contact

2006-08-09 Thread Matthew Sullivan


Allan Poindexter wrote:

  Matthew> so would you consider as it is my network, that I should
  Matthew> not be allowed to impose these 'draconian' methods and
  Matthew> perhaps I shouldn't be allowed to censor traffic to and
  Matthew> from my networks?

If you want to run a network off in the corner by yourself this is
fine.  If you have agreed to participate in the Internet you have an
obligation to deliver your traffic.
  
That's a very "interesting" statement. Here's my response, I'll deliver 
your traffic if it is not abusive if you deliver my non-abusive 
traffic.  My definition of 'abusive' is applied to what I will let cross 
my border (either direction) - I expect you will want to do the same 
with the traffic you define as abusive, and I expect you to and support 
your right to do that.

There are simple solutions to this.  They do work in spite of the
moanings of the hand wringers.  In the meantime my patience with email
"lost" silently due to blacklists, etc. is growing thin.
  
Anyone using SORBS as I have intended and provided (and documented) 
will/should not silently discard mail.


If anyone asks how to silently discard mail I actively and vigorously 
discourage the practice.*  In fact because I disagree with that even in 
the case of virus infected mail I patched my postfix servers to virus 
scan inline so virus infected mail can be rejected at the SMTP 
transaction. RFC 2821 is clear: once you have issued an OK response to the 
end-of-data command you accept responsibility for the delivery of that 
message and that should not fail or be lost through trivial or avoidable 
reasons - I consider virus detection and spam as trivial reasons - if 
you can't detect a reason for rejection at the SMTP transaction, deliver 
the mail.


Regards,

Mat


* except in extreme/unusual circumstances - for example, there are 2 
email addresses that if they send mail *to* me, they will get routed to 
/dev/null regardless of content.


Re: SORBS Contact

2006-08-09 Thread Matthew Sullivan


Mark Andrews wrote:

I wasn't thinking about SORBS.  It was a general warning to
only put blocks on lists where the usage matches the policy
of the list.
  

Ah my apologies I misinterpreted.

I was thinking about a Australian cable provider that doesn't
do the right thing.  I'm sure there will be other ISP's that
also fail to check the list policy before nominating the
address blocks for the lists.

In reality there shouldn't be the need for dialup lists.
  
You'll get nothing but agreement from me on that statement.  There 
currently is a need for the list, however there *shouldn't* be any need 
for it.


Regards,

Mat



Re: SORBS Contact

2006-08-09 Thread Matthew Sullivan


Mark Andrews wrote:

Actually there can be false positive.  ISP's
who put address blocks into "dialup" blocks
which have the qualification that the ISP is
also supposed to only do it if they *don't*
allow email from the block but the ISP's
policy explicitly allows email to be sent.
  
Actually that's debatable - the SORBS DUHL is about IPs assigned to 
hosts/people/machines dynamically.  We do not list addresses where the 
ISP have sent the list explicitly saying 'these are static hosts, but 
they are not allowed to send mail' - similarly we do list hosts in the 
DUHL where the ISP has said 'these are dynamic but we allow them to send 
mail' - it's about the people using the SORBS DUHL for their purposes, 
not for helping ISPs getting around the issue of whether to use SORBS as 
a replacement to port 25 blocking.


Regards,

Mat


Re: SORBS Contact

2006-08-09 Thread Matthew Sullivan


I'll post this back to NANOG as others are likely to comment similar ways...

Michael J Wise wrote:

On Aug 9, 2006, at 1:06 PM, Matthew Sullivan wrote:


This is also why I took the time to create:

<http://www.ietf.org/internet-drafts/draft-msullivan-dnsop-generic-naming-schemes-00.txt> 



Seems like it specifies a bit TOO much detail, but.
This is why it says that it is a suggestion and indicated that the level 
of detail you choose to use is up to you, however if you adopt some of 
the more specific detail you should use the less specific detail.


ie if you follow it you should as a minimum specify static/dynamic.  If 
you want to add more detail like service type, that is your choice, but 
you shouldn't specify the service types (eg wifi) without specifying 
static/dynamic (does that make sense?).


Also it should be noted that it is a 'suggested naming scheme for 
generic records' and therefore not intended to be mandatory, further it 
says you should indicate the hostname of the machine in preference to 
generic records.


The idea being a common but extensible naming scheme for organisations 
want to specify generic/generated records rather than go to the hassle 
of creating individual records for each customer/host.


Regards,

Mat



Re: SORBS Contact

2006-08-09 Thread Matthew Sullivan


Noel wrote:

On Thu, 2006-08-10 at 06:49, Mikael Abrahamsson wrote:

  
We were hit by the requirement to include the word "static" in our DNS 
names to satisfy requirements. It wasn't enough to just say "this /17 is 
only static IPs, one customer, one IP, no dhcp or other dynamics at all), 
we actually had to change all PTR records to this arbitrary "standard".


Took several weeks to get delisted even after that.



We've had our moments with SORBS, Matthew is a very approachable person.
Things get sorted out pretty quickly, generally within a few days,
Matthew also has others who help him and one of them is an obnoxious
.
  
I'd love to know which one...  I have had several (had being the 
operative word) and from time to time some still are.

I do agree though, the requirement to have X TTL and 'static' or non
'dsl' 'dial' in DNS is a bit too far, I understand this is for
automation,
It is for automation, but it is also so that the SORBS DUHL would become 
pointless.  If a standard format was used admins would be able to choose 
their policy by simple regexs instead of relying on third-party lists 
which cannot possibly ever be 'uptodate' just because of the number of 
changes that happen on a daily basis around the world.  This is also why 
I took the time to create:


http://www.ietf.org/internet-drafts/draft-msullivan-dnsop-generic-naming-schemes-00.txt

There are things in the works that will enable the most complained about 
aspects of SORBS to be fixed and to go away permanently...  The only 
thing that is delaying it is developer time...   So I will say this 
publicly - those that want to see drastic changes @ SORBS that are, or 
have access to a perl coder with SQL knowledge, and is able to spend 
20-40 hours of pure coding time writing a user interface for user 
permissions & roles in Perl contact me off list as the user interface is 
the only thing that is holding up moving to the beta stage of the SORBS2 
database.  The SORBS2 database will allow registered RIR contacts to 
update list/delist parts/all of their netblocks within SORBS as well as 
getting instant reporting of issues (by mail or by SMS (fee applicable 
for SMS)) with minimal intervention from SORBS admins - this includes 
spam and DUHL listings.


Regards,

Mat
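
The mechanism described in this reply and in the earlier one about the generic-naming draft (a static/dynamic marker in generated PTR records lets a receiving site set policy with a simple regex instead of depending on a third-party list) can be shown in a few lines.  This is an added example, not code from the page, from SORBS or from the draft it cites: the marker words are an assumption made for the demonstration rather than the draft's vocabulary, and the hostnames are constructed.  The one rule it does take from the reply is precedence: a static/dynamic marker wins over a service-type word such as dsl or cable, because service type is meant to be given alongside static/dynamic, not instead of it.

```python
"""PTR-name policy classifier.

Added example, not code from the page, from SORBS or from the cited draft.
The marker words are assumptions for this demonstration.
"""
import re
from typing import FrozenSet, Optional

# Assumed marker words.  Static/dynamic markers are checked first so that a
# name like static-dsl-203-0-113-7 is classified by its marker, not by "dsl".
STATIC_RE = re.compile(r"(^|[.-])(static|fixed)([.-]|\d|$)", re.I)
DYNAMIC_RE = re.compile(r"(^|[.-])(dyn|dynamic|dhcp|dial|dialup|ppp|pool)([.-]|\d|$)", re.I)
# Four octet-like groups joined by . or -: a generated record with no marker.
GENERIC_RE = re.compile(r"(^|[.-])\d{1,3}([.-]\d{1,3}){3}([.-]|$)")


def classify_ptr(name: Optional[str]) -> str:
    """'no-rdns', 'static', 'dynamic', 'generic' or 'named'."""
    if not name:
        return "no-rdns"
    if STATIC_RE.search(name):
        return "static"
    if DYNAMIC_RE.search(name):
        return "dynamic"
    if GENERIC_RE.search(name):
        return "generic"       # generated, but the ISP gave no marker
    return "named"             # an individually named host


# Policy belongs to the receiving site, which is the reply's point: this set
# is the site's choice, and changing it needs no delisting request anywhere.
DEFAULT_REJECT: FrozenSet[str] = frozenset({"no-rdns", "dynamic", "generic"})


def smtp_policy(name: Optional[str], reject: FrozenSet[str] = DEFAULT_REJECT) -> str:
    """'accept' or 'reject' for an inbound SMTP client with this PTR name."""
    return "reject" if classify_ptr(name) in reject else "accept"


if __name__ == "__main__":
    # Constructed PTR names, not taken from any real zone.
    for ptr in ("static-203-0-113-7.isp.example", "static-dsl-203-0-113-7.isp.example",
                "dyn-203-0-113-8.isp.example", "dsl-203-0-113-8.isp.example",
                "203-0-113-9.isp.example", "mail.corp.example", None):
        print(ptr, classify_ptr(ptr), smtp_policy(ptr))
```

A real deployment would also forward-confirm the PTR (resolve the name and check the original address is among its A records) before trusting any marker in it; that lookup is left out here so the block runs offline.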


Re: SORBS Contact

2006-08-09 Thread Matthew Sullivan


Steve Sobol wrote:

On Wed, 9 Aug 2006, Matthew Sullivan wrote:

  
Sad state of affairs when ISPs are still taking money from spammers and 
providing transit to known criminal organisations.



Hey Mat.

You aren't wrong, but that doesn't absolve you of the responsibility to 
de-list in an efficient manner when you have made a mistake, or if the 
listing is no longer accurate (i.e. if all the spammers have been kicked 
off the netblock in question.)
  
If you checked with the original complainant you would find that both 
the zombie and DUHL listings are cleared.  If you knew the ticket 
numbers and where they sit in the SORBS RT Support system you would know 
that there were multiple tickets logged the oldest now being 10 days, 
the most recent being 5 days - and under published policy the earliest 
was pushed into the more recent.  You'll also note that the original 
complaint was about a single IP address as part of a /27 within a /19 
listing.


$DAYJOB lists spam filtering amongst the services we offer to our 
clients. I know we're using you to block IPs at the firewall, and we're 
probably also doing so at the server level. I am going to talk to my boss 
and co-workers about the impact of removing SORBS from our DNSBL list, 
because your replies lately have been snarky and completely 
unprofessional, including the reply quoted above. (Yes. It sucks that 
spammers are still spamming. So what?)
  
The quoted text above is intended for a few that might still be on this 
list, none of which posted to this thread.  The fact remains some ISPs 
provide transit to known criminal organisations for hijacked netblocks 
which are used for nothing but abuse (hosting trojans and viruses).  
Money talks.
I don't know what your problem is, but you're not making things any better 
by refusing to fix listings that aren't incorrect or, in some cases, never 
were.
  
Where do you get that from...?  We fix incorrect listings as soon as 
notified and with no deliberate delay.  If you are referring to listings 
like Dean Anderson's stolen netblock these are not delisted until such 
time as proof is obtained that our information is incorrect. 

We have been informed that Dean picked up that portable /16 (and 2 other 
networks - one of which was a non-portable UUNET block) when he parted 
company with OSF in 1998.  I have been contacted on a few occasions by 
Dean demanding delisting, each time I have asked for proof that he did 
not steal the netblock from the OSFs creditors (taking without 
permission even from a company folding is still stealing) - his response 
was a lot of bluster followed by the creation of the IADL.org site.  A 
few people (including myself) have attempted to contact 'The Open Group' 
who are the new owners of the old OSF organisation.  I am not aware of a 
reply that has been received from anyone other than Dean indicating that 
Dean is the legitimate owner of the said netblock.  You will also note 
that at least one of the netblocks that Dean has indicated that he was a 
legitimate owner of have been taken back and are reallocated.  To date 
no-one has backed Dean up in his assertion that he did not steal the 
netblock, all that we have seen is a short time after the listing 
suddenly Dean started providing services to 'opengroup.org' and cited 
that as proof he owns the block - considering the OpenGroup is in the UK 
now and are now unlikely to be able to prove to a court that they are 
the legitimate owners of the netblock I don't see that as reason to 
consider Dean the legitimate owner.  A verifiable document from the 
OSF/OpenGroup indicating that Dean Anderson is the legitimate owner of 
their /16 and it was transferred to him with their knowledge and 
permission is all that is required for delisting... however it seems 
Dean cannot obtain that adding weight to the view that he did indeed 
steal the netblocks.


Something to consider before replying: is this on or off topic for 
NANOG? (personally I think part of this is on topic, other parts of the 
thread are definitely off topic)


Regards,

Mat



Re: SORBS Contact

2006-08-09 Thread Matthew Sullivan


Allan Poindexter wrote:

The functionality of my email is still almost completely intact.  The
only time it isn't is when some antispam kook somewhere decides he
knows better than me what I want to read.  Spam is manageable problem
without the self appointed censors.  Get over it and move on.
 
  
Interesting comment - so would you consider as it is my network, that I 
should not be allowed to impose these 'draconian' methods and perhaps I 
shouldn't be allowed to censor traffic to and from my networks?  Should 
you not be allowed to censor my traffic going to your network (if any)?  
The "self appointed censors" are not self appointed - they produce lists 
the admins of their own networks choose what traffic to accept or deny, 
if they choose to accept or deny based on a third party it does not 
automatically make that person a "self appointed censor".


Regards,

Mat


Re: SORBS Contact

2006-08-08 Thread Matthew Sullivan


william(at)elan.net wrote:

That was old user of that ip block. The block has been deleted
and ARIN now reassigned/reallocated it to somebody else.

The file you need to watch (which gets updated when ip block
previously hijacked is no longer an issue) is:
 http://www.completewhois.com/hijacked/hijacked_flist.txt

(though a few more legacy blocks listed there got deleted
 in last months, so it does need to be updated again)



Ta, missed that link previously.

Regards,

Mat


Re: SORBS Contact

2006-08-08 Thread Matthew Sullivan


Brian Boles wrote:

Can someone from SORBS contact me offlist if they are on here

My most recent allocation from ARIN turned out to be dirty IP's, and 
I'm having trouble getting them removed following the steps on their 
website (no action on tickets opened).


64.79.128.0/20 

Of course checking this we find that SORBS is not the only problem you 
have...


http://www.completewhois.com/hijacked/files/64.79.128.0.txt


Regards,

Mat


Re: SORBS Contact

2006-08-08 Thread Matthew Sullivan


Michael Nicks wrote:


Sad state of affairs when looney people dictate which IPs are "good" 
and "bad".
Sad state of affairs when ISPs are still taking money from spammers and 
providing transit to known criminal organisations.



/ Mat


Re: APC Matrix 5000 question(s)

2006-08-01 Thread Matthew Sullivan


[EMAIL PROTECTED] wrote:

Update: I replaced the batteries today, and indeed, several of the old
ones (mostly in the first pack) were split and some had popped a couple of
their "sealed" tops.

I left for several hours and came back to the house stinking like burning
rubber.  The new batteries are apparently melting the terminal rubber
insulation.  I had to throw it back into bypass mode and unplug that pack
(the only one with new batteries!)

Any ideas to the cause?  The status screens looked ok. ("no bad batteries"
again)
  
Tip: Except where a newly supplied battery is faulty, replace all or 
none - across all your packs connected to the same UPS.


/ Mat



Re: Tor and network security/administration

2006-06-22 Thread Matthew Sullivan


Lionel Elie Mamane wrote:


On Thu, Jun 22, 2006 at 11:58:34AM +1000, Matthew Sullivan wrote:
 


Jeremy Chadwick wrote:
   


On Wed, Jun 21, 2006 at 05:02:47PM -0400, Todd Vierling wrote:
 



 


If the point of the technology is to add a degree of anonymity,
you can be pretty sure that a marker expressly designed to state
the message "Hi, I'm anonymous!" will never be a standard feature
of said technology.  That's a pretty obvious non-starter.
   



 


Which begs the original question of this thread which I started:
with that said, how exactly does one filter this technology?
 



 


Of course SORBS' position is actually this - if you are allowing
Trojan traffic over the Tor network you will get listed (regardless
of whether the Trojans can talk to port 25 or not)
   



How an open proxy that will not connect to port 25 is relevant for an
*email* blacklist is beyond me.
 

Perhaps because SORBS is not just an email blacklist?  Perhaps because 
it is also used for webmail and other things...



...and for what it's worth, I have no problems with anonymous
networks for idealistic reasons, however they are always abused,
they will continue to be abused, Tor is being abused, and I should
be able to allow or deny traffic into my networks as I see fit
   



 


All of my discussions with Tor people have indicated [they] do not
think I should have the right to deny traffic based on IP address,
and that I should find other methods of authenticating traffic into
my networks.
   



Isn't it rather that they think that filtering on the base of IP
address is broken in today's Internet, even if tor didn't exist? Open
proxies, trojans, multi-user computers, dynamic IPs, ... all this
makes that substituting IP address for people is very, very,
imprecise.
 

and that is your opinion, which you are entitled to, others feel 
filtering by IP address is still valid and needed which is why they do 
it...  Surely they are entitled to their opinions?


Regards,

Mat


Re: Tor and network security/administration

2006-06-21 Thread Matthew Sullivan


Jeremy Chadwick wrote:


On Wed, Jun 21, 2006 at 05:02:47PM -0400, Todd Vierling wrote:
 


If the point of the technology is to add a degree of anonymity, you
can be pretty sure that a marker expressly designed to state the
message "Hi, I'm anonymous!" will never be a standard feature of said
technology.  That's a pretty obvious non-starter.
   



Which begs the original question of this thread which I started: with
that said, how exactly does one filter this technology?
 

..and that is also the reason why SORBS and Tor have been at 
loggerheads...  They think that their answer addresses SORBS' position from 
their Abuse FAQ ( http://tor.eff.org/faq-abuse.html.en ):


SORBS is putting some Tor server IPs on their email blacklist as well. 
They do this because they passively detect whether your server connects 
to certain IRC networks, and they conclude from this that your server is 
capable of spamming. We tried to work with them to teach them that not 
all software works this way, but we have given up. We recommend you 
avoid them, and teach your friends (if they use them) to avoid abusive 
blacklists too.


Of course SORBS' position is actually this - if you are allowing Trojan 
traffic over the Tor network you will get listed (regardless of whether 
the Trojans can talk to port 25 or not).  Considering they were told 
that, it shows the lack of concern, respect, intelligence or netiquette 
for such issues.  The new SORBS DB (coming soon) will include a Tor 
DNSbl (like the AHBL's) where administrators of services can choose to 
block this type of traffic.


Our response to people using Tor is "That's what you get for using Tor; 
if you must use Tor we recommend moving it to a server/IP that is not 
used for anything important and getting a good lawyer."



"You can't" doesn't make for a very practical solution, by the way.
The same was said about BitTorrent (non-encrypted) when it came out,
and the same is being said about encrypted BT (which has caused
some ISPs to induce rate-limiting).

I'm also left wondering something else, based on the "Legalities"
Tor page.  The justification seems to be that because no one's ever
been sued for using Tor to, say, perform illegitimate transactions
(Kevin's examples) or hack a server somewhere (via SSH or some other
open service), that somehow "that speaks for itself".
 

I actually know of someone who was caught trying to brute force an ISP's 
SSH server - he blamed it on Tor - that didn't stop legal action and 
getting his connection terminated.  (Sorry, I am not permitted to give 
details of who or which ISP - so don't ask.)  I don't know whether he 
was the responsible party or not, but I do know he has had several 
accounts terminated for similar 'suspect' activity.  He continues to run 
a Tor node.



I don't know about the rest of the folks on NANOG, but telling a
court "I run the Tor service by choice, but the packets that come
out of my box aren't my responsibility", paraphrased, isn't going
to save you from prison time (at least here in the US).  Your box,
your network port, your responsibility: period.
 

AFAIK neither here (Australia) nor in the UK - if the traffic is seen to be 
coming from your machine *you* are responsible unless *you* can show the 
traffic was generated by someone else, i.e. you cannot say 'sorry 
officer, it was not me, it was my machine'; you have to be able to say (and 
prove), 'sorry officer, it was not me, it was someone else, I don't know 
who, but here is the information about the next step back to the source 
so that you can continue your investigation.' (Same as speeding tickets 
- you can't just say "I wasn't driving" - you have to either say 'x was 
driving' or "It wasn't me, I don't know who was driving but I lent the 
car to x, you should ask them.")


...and for what it's worth, I have no problems with anonymous networks 
for idealistic reasons, however they are always abused, they will 
continue to be abused, Tor is being abused, and I should be able to 
allow or deny traffic into my networks as I see fit


All of my discussions with Tor people have indicated [they] do not think 
I should have the right to deny traffic based on IP address, and that I 
should find other methods of authenticating traffic into my networks.


Regards,

Mat




Re: Spam filtering bcps

2006-04-12 Thread Matthew Sullivan


Bryan Bradsby wrote:


Silently deleting other people's e-mail should never even be considered.
   



Unless that email is a virus, or a spam with a forged envelope sender.
 

Why?  - You can scan for viruses inline using a variety of products (eg 
I have patched Postfix to use clamav inline on modest hardware (a single 
CPU AMD64 will do it, so will a dual PIII 866) and it will accept 
messages at 50 messages per second (sustained load) and scan for viruses 
before responding to the end-of-data command, rejecting if a virus is 
detected).


Spam is a different subject altogether - are you that sure you can 
detect spam without a false positive?  If so then why aren't you doing 
it inline?  If you can't, why are you blindly deleting the messages? - My 
BCP comment is if you can't detect inline (eg for performance reasons) 
tag it and deliver it (if you have the capabilities, deliver it to a 
junk folder) - that way you are following the RFCs and no non-spam mail 
is deleted by the system.


Regards,

Mat



Re: Spam filtering bcps [was Re: Open Letter to D-Link about their NTP vandalism]

2006-04-12 Thread Matthew Sullivan


Steve Thomas wrote:


Earlier today, I said:
 


Unless you're the final recipient of the message, you have no business
deleting it. If you've accept a message, you should either deliver or
bounce it, per RFC requirements.
   



I just want to clarify that I was in no way suggesting that anyone bounce
spam - I was merely pointing out that if you choose to 250 a message, you
have to deliver it. The much better option is to 550 it after DATA if you
don't like what you see. Silently deleting other people's e-mail should
never even be considered.
 



This policy I wholeheartedly agree with, and I strive wherever 
possible to enforce this in every place I work; wherever people get 
listed in SORBS for backscatter, I work with them, telling them how they 
can do this.


With the current technologies available there is no reason a 
small-medium organisation cannot virus and spam scan mail inline at the 
SMTP transaction stage. (Even the Barracudas can spamassassin scan at 
around 8 messages per second - my previous employer was receiving 
around 4 messages per second - which translated to 1-2 million emails 
per day.)


It is possible to do inline scanning in larger ISPs (I personally have 
configured a 'system' to handle up to 90 messages per second inline 
scanning) - though it requires a lot more planning, thought, and careful 
consideration.


Regards,

Mat


Re: Spam filtering bcps [was Re: Open Letter to D-Link about their NTP vandalism]

2006-04-12 Thread Matthew Sullivan


Suresh Ramasubramanian wrote:


On 4/11/06, Matthew Black <[EMAIL PROTECTED]> wrote:
 


Are you suggesting that we configure our e-mail servers to notify
people upon automatic deletion of spam? Frequently, spam cannot be
properly identified until closure of the SMTP conversation and that
final 200 MESSAGE ACCEPTED...or do you think that TCP/IP connection
should be held open until the message can be scanned for spam and
viruses just so we can give a 550 MESSAGE REJECTED error instead of
silently dropping it?

   



You can reject right after DATA, at the . stage, before QUIT

That's still an in line smtp reject rather than an accept + bounce DSN.

Exim with the spamassassin patches (sa-exim) does this, for example.

-srs
 

Of course Postfix can be set up (using spampd) with spamassassin to do 
exactly the same.


I believe Sendmail+MimeDefang+Spamassassin will also reject inline if 
set to do so.


Regards,

Mat


Re: Presumed RF Interference

2006-03-06 Thread Matthew Sullivan


Jon,

Peter Dambier wrote:


Cut the ground wire in your power cords but ground the equipment directly
to a metal frame.


As a time-served electrician... *DO NOT DO THIS* - it will kill 
someone.


However

You could try separate earth bonding of each component (ie connecting 
all the chassis together via a provided grounding terminal using nice 
thick copper wire), however if there is a significant earth fault even 
that could be dangerous (think fire) - so get a qualified electrician to 
do it - if there is a ground fault it will use the chassis and the 
bonded earths as its route to ground.


Earth faults are often easily detectable by using a digital volt meter 
(Note: analog volt meters do not work for this unless there is a serious 
fault).  First check for induced and ungrounded 'floating' voltages (any 
AC or DC voltage above 0.05v should be investigated), then if the DVM is 
fused, check for any current (amps) between chassis.


If you have money to spend before investigation find out if the building 
has a grounding stake and if not add one...  A couple of meters of 
copper stake which will be connected to either the armoring of the 
supply cable (TN-S) or to the incoming return cable and installation 
earth PME (TN-C-S) - likely based on what someone else in this thread 
said.  In either type of grounding scheme the structure metal frame 
could (and should) be grounded (esp if exposed) which is likely to cause 
the phone RF signal drop.  A faulty bonding in the structure (esp as it 
is steel) can also provide for some interesting ground faults as it is 
not uncommon to provide localised grounding to building frames.  (In the 
UK where I served my apprenticeship, we were required to provide earth 
bonding to the copper plumbing system, additional bonding at every 
exposed fitting - this caused a few issues when plumbers first started 
using PVC pipes)... All this said, with the faults appearing with no 
external power and with just UPS supply, ground faults really do not 
'fit' the problem - however if a generator is used also, you are in an 
IT type installation (electrical term 'IT' not 'Information Technology' 
;-)) and will have to have a grounding stake on site.


Please note, I am trained from the UK - laws and regulations change from 
country to country - get a local qualified/licensed sparky to do the 
work or assist you.


Regards,

Mat




Re: Compromised machines liable for damage?

2005-12-27 Thread Matthew Sullivan


Florian Weimer wrote:


* Martin Hannigan:

 


Dave, RIAA wins almost 100pct vs p2p'ers ir sues. Its an interesting dichotomy.
   



Sure, but copyright law is a bit out of proportion.  Maybe you could
hunt down the bad guys if they packeted you with Celine Dion
 


Nah, torture is a criminal offence. ;-)

/ Mat


Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-10 Thread Matthew Sullivan


Robert, sorry I missed the full conversation, and don't have time to 
read the whole thread, but based on your mail alone a few words of 
agreement...


Please remember people..

RFC 2821 states explicitly that once the receiving server has issued a 
250 Ok to the end-of-data command, the receiving server has accepted 
responsibility for either delivering the message or notifying the sender 
that it has been unable to deliver.  RFC 2821 also says that a message 
MUST NOT be dropped for trivial reasons such as lack of storage space 
for the message.  To that end, is a detected 
virus/trojan/malware/phishing scam etc... a trivial reason to drop the 
message?


Personally I believe that not trivial means not unless the entire server 
crashes and disks fry etc...  To that end I am a firm believer that 
malware messages SHOULD BE rejected at the end of the data command 
(which is why I have gone to great lengths to ensure this happens at 
$employer, and at SORBS)..  Failure to have the resources available to 
perform the virus scanning will result in the messages being delivered 
to the recipient as a broken message (attachment stripped).


There is certainly NO EXCUSE for ANYONE to bounce virus warning messages 
to ANY user whether local or remote, particularly when the anti virus 
software will identify the virus and the virus is KNOWN to forge the 
sender address.


As such anyone bouncing large numbers of virus warning messages is game 
for having their servers blocked, and I will not apologise to anyone 
getting caught by a SORBS automated spamtrap getting a virus warning 
message (though I will remove them promptly when notified of such an entry).


Regards,

Mat
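The reject-before-250 behaviour argued for in this post and in the "reject right after DATA, at the . stage" exchange above, as an added example that is not code from the thread, from SORBS or from Postfix. The scanner, its signature list and the client transcript are constructed stand-ins; the 5xx/250 decision point at end-of-data and the tag-and-deliver fallback are the parts worth reading.

```python
# Added example (not code from the thread, SORBS or Postfix): an SMTP receiver
# that scans at end-of-data and refuses with 5xx *before* answering 250, so it
# never has to bounce to a possibly forged sender; if the scanner is down it
# tags and accepts instead of silently dropping.  Scanner and transcript are
# constructed stand-ins.
from typing import Callable, Dict, List, Optional, Tuple

Verdict = Optional[str]               # None = clean, otherwise the reason text
Scanner = Callable[[bytes], Verdict]


class ScannerUnavailable(Exception):
    """Raised when the scanning engine cannot answer in time."""


class InlineScanningReceiver:
    """Tiny SMTP command handler (HELO/EHLO, MAIL, RCPT, DATA, QUIT)."""

    def __init__(self, scanner: Scanner) -> None:
        self.scanner = scanner
        self.queued: List[Dict[str, object]] = []   # messages we are responsible for
        self.sender: Optional[str] = None
        self.rcpts: List[str] = []
        self._in_data = False
        self._body: List[bytes] = []

    def handle(self, line: bytes) -> str:
        # Returns '' while a body is being received (no reply per body line).
        if self._in_data:
            return self._data_line(line)
        verb, _, arg = line.strip().partition(b" ")
        verb = verb.upper()
        if verb in (b"HELO", b"EHLO"):
            return "250 mx.example.invalid"
        if verb == b"MAIL":
            self.sender, self.rcpts = arg.decode(errors="replace"), []
            return "250 2.1.0 Ok"
        if verb == b"RCPT":
            if self.sender is None:
                return "503 5.5.1 Error: need MAIL command"
            self.rcpts.append(arg.decode(errors="replace"))
            return "250 2.1.5 Ok"
        if verb == b"DATA":
            if not self.rcpts:
                return "554 5.5.1 Error: no valid recipients"
            self._in_data, self._body = True, []
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == b"QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Error: command not recognized"

    def _data_line(self, line: bytes) -> str:
        if line.rstrip(b"\r\n") != b".":
            # RFC 2821 dot-unstuffing: a leading ".." stands for a literal "."
            self._body.append(line[1:] if line.startswith(b"..") else line)
            return ""
        self._in_data = False
        body = b"".join(self._body)
        try:
            verdict = self.scanner(body)
        except ScannerUnavailable:
            # Cannot scan inline: tag and deliver, never accept-then-drop.
            self._queue(body, "X-Scan-Status: unscanned")
            return "250 2.0.0 Ok: queued (unscanned)"
        if verdict is not None:
            # Refused before 250: the sending MTA keeps responsibility, so this
            # host never generates a bounce or virus warning to the sender.
            return f"550 5.7.1 Message refused: {verdict}"
        self._queue(body, None)
        return "250 2.0.0 Ok: queued"

    def _queue(self, body: bytes, tag: Optional[str]) -> None:
        self.queued.append({"from": self.sender, "to": list(self.rcpts),
                            "body": body, "tag": tag})


def run_session(lines: List[bytes], scanner: Scanner
                ) -> Tuple[InlineScanningReceiver, List[str]]:
    """Drive one client transcript; return the receiver and its non-empty replies."""
    rx = InlineScanningReceiver(scanner)
    replies = [r for r in (rx.handle(line) for line in lines) if r]
    return rx, replies


# Constructed signature list standing in for clamav/spamassassin.
SIGNATURES = {b"CONSTRUCTED-MALWARE-MARKER": "malware signature matched"}


def signature_scanner(body: bytes) -> Verdict:
    return next((why for sig, why in SIGNATURES.items() if sig in body), None)


def unavailable_scanner(body: bytes) -> Verdict:
    raise ScannerUnavailable("engine timeout")


def make_session(body_lines: List[bytes]) -> List[bytes]:
    """Constructed client transcript; the envelope sender is a forged address."""
    return [b"EHLO client.example\r\n", b"MAIL FROM:<forged@example.org>\r\n",
            b"RCPT TO:<user@example.net>\r\n", b"DATA\r\n",
            *body_lines, b".\r\n", b"QUIT\r\n"]


if __name__ == "__main__":
    rx, replies = run_session(make_session([b"CONSTRUCTED-MALWARE-MARKER\r\n"]),
                              signature_scanner)
    print("reply to end-of-data:", replies[4], "| queued:", len(rx.queued))
```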


Re: a record?

2005-11-18 Thread Matthew Sullivan


John Levine wrote:


Moving sshd from port 22 to port 137, 138 or 139. Nasty eh?
 


don't do that! Lots of (access) isps around the world (esp here in
Europe) block those ports
   



If you're going to move sshd somewhere else, port 443 is a fine
choice.  Rarely blocked, rarely probed by ssh kiddies.  It's probed
all the time by malicious web spiders, but since you're not a web
server, you don't care.
 



Except if you're running a version of OpenSSL that has a vulnerability, 
you could be inviting trouble - particularly with kiddies scanning for 
Apache with vulnerable versions of OpenSSL attached by way of mod_ssl etc...


Regards,

Mat


Re: a record?

2005-11-14 Thread Matthew Sullivan


william(at)elan.net wrote:


On Tue, 15 Nov 2005, Peter Dambier wrote:


Moving sshd from port 22 to port 137, 138 or 139. Nasty eh?


Or run two daemons. One on port 22 does not allow ANY logins at all but
just tracks incoming connections and attempts (and possibly allows to
block-list them in real time - typically not worth the effort though) 
and another one on some higher port of your choice that is a real sshd 
daemon for login into your system.


Been doing it this way for some time - 'tis amusing to see them try.  It 
also has the side effect of those that scan for open ports when they 
find ssh not open tend not to scan for another SSH.


/ Mat


Re: Call to Arms: Rita Scams

2005-09-23 Thread Matthew Sullivan


Gadi Evron wrote:


This is a notice from MWP, the malicious websites and phishing research
& operational mailing list.

Over the next few days some of us are going to process information
about sites that will probably be used for Rita scams.

Through MWP resources and ISP connections we are going to make sure
these sites are taken off-line as soon as we detect them.



In case you missed it, Steve Linford of Spamhaus posted to the NANAE 
newsgroup indicating he had been contacted by the FBI, who also want to 
follow up with any Rita Scams ASAP.  Instructions are please forward any 
scams that arrive in mail to your local Spamhaus volunteer.  (If you 
don't know any you can forward them to me, and I'll make sure they get 
there.)


Regards,

Mat


Re: SWIP and Rwhois in the Real World

2005-09-06 Thread Matthew Sullivan


william(at)elan.net wrote:




On Wed, 7 Sep 2005, Andrew - Supernews wrote:


"william" == william(at)elan net <[EMAIL PROTECTED]> writes:




william> The above line is as clear as it gets (if the other two
william> mentions that data is to be made available to public is not
william> enough), so there this argument that rwhois should be made
william> available only to ARIN is now against ARIN's policies and
william> whoever you know who is still making it should be pointed to
william> URL I listed.

NetRange:   4.0.0.0 - 4.255.255.255
ReferralServer: rwhois://rwhois.level3.net:4321

% telnet rwhois.level3.net 4321
Trying 209.244.1.179...
telnet: connect to address 209.244.1.179: Operation timed out

Doesn't seem to have made much difference yet...



It's kind of hard for ARIN to enforce its policies on L3 when they have
a /8 already and are not likely to ask for additional allocation...

But obviously L3 is not giving a very good example for others, so we
can all now say - don't be like L3 :)

Does ARIN have a policy that allows deallocation based on not conforming 
to the requirements of allocations...?


(Might sound ridiculous, but if it works.)

Regards,

Mat


Re: NANOG List Server on several BlockLists

2005-07-26 Thread Matthew Sullivan


Mikael Abrahamsson wrote:


On Wed, 27 Jul 2005, Matthew Sullivan wrote:


John Palmer wrote:

FYI: The IP address of the mail server that sends out NANOG list 
messages

(198.108.1.26) is once again on most of the major RBLs.



Was a mistake and was removed promptly as soon as we were notified.



What was the mistake? Would be informational to know how this happened 
(again) and how it's not going to happen again in the future?


I'm not going to give the gory details, but part of it was a mistake 
with a mouse click that I personally made.  Ironically the main part of 
the reason it happened was because I was modifying the scripts to help 
prevent this sort of thing occurring in the future.


Regards,

Mat


Re: NANOG List Server on several BlockLists

2005-07-26 Thread Matthew Sullivan


Resent to the list this time... :/

John Palmer wrote:


FYI: The IP address of the mail server that sends out NANOG list messages
(198.108.1.26) is once again on most of the major RBLs.


Was a mistake and was removed promptly as soon as we were notified.

Regards,

Mat



Re: SORBs

2005-07-06 Thread Matthew Sullivan


Sanfilippo, Ted wrote:

We have been asking them to fix it for over a month now.  

 


Got a SORBS Ticket number?

(If you've been asking us you should have)

I suspect it might be related to some wrong ARIN records (I know there 
has been an issue with a Canadian ISP that doesn't exist anymore - 
others on this list contacted me over the issue a while back), or a lack 
of a support ticket.


Regards,

Mat


-Original Message-
From: Suresh Ramasubramanian [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, July 06, 2005 9:51 AM

To: Sanfilippo, Ted
Cc: nanog@merit.edu
Subject: Re: SORBs

On 06/07/05, Sanfilippo, Ted <[EMAIL PROTECTED]> wrote:
 


Does anyone know of an easier way to remove IP blocks from a
   


blacklist?
 

We received a /16 from ARIN in May and have been trying to get SORB's 
to remove the blacklist association on these addresses. They seem to 
take forever to remove the blacklist association.


   



If it is a whole /16 you probably bought some old dynamic IP space that
was recycled - and then reassigned it to a datacenter, probably?

SORBS does respond, eventually.

--
Suresh Ramasubramanian ([EMAIL PROTECTED])
 





Re: SMTP AUTH

2005-05-03 Thread Matthew Sullivan
Dean Anderson wrote:
On Mon, 2 May 2005, Matthew Sullivan wrote:
 

Off topic again Dean...?  Can't you keep on topic and keep the personal 
attacks out of the list...?
   

Funny how it's only off topic when it's about your abuse.
 

No it's because you're off topic.  Whether justified or not SORBS 
complaints and SORBS bashing are not on-topic for NANOG.




Re: SMTP AUTH

2005-05-02 Thread Matthew Sullivan
Off topic again Dean...?  Can't you keep on topic and keep the personal 
attacks out of the list...?

Dean Anderson wrote:
ignored.  Then, in the fall of 2003, when the major open relay blacklists
shutdown, open relay abuse JUST DROPPED OFF TO NOTHING. And when SORBS
started scanning, abuse picked back up again. Well, lamely.
 

FYI, until mid-late 2004 SORBS did no automatic open relay scanning.
From Day one SORBS has gone after open-proxy servers.
And we caught Matthew Sullivan THREATENING MAILBOMBING---that is,
threatening to spam people. As his defense, he said he didn't know that
mailbombing was against the AUP(!?!) And MAPS employees were caught
**working for spammers**, and that very SAME spammer was on the FTC
anti-spam panel, which was stuffed with MAPS-associated people.  And we
caught (several times) blacklists being used for personal vendettas.
There's more.  The list is long and dishonorable.
 

And some people use mailing lists to spout complete and utter twaddle 
to the world in the hope that the more they say it the more it will be 
believed as true...  Now can we get back on topic please?

Regards,
Mat


Re: Slashdot: Providers Ignoring DNS TTL?

2005-05-02 Thread Matthew Sullivan
Dean Anderson wrote:
relays. They don't advertise this fact, due to, well, abusers like Matthew
Sullivan. *You* need to put down the crackpipe.
 

I thought personal attacks were against the list rules...?
Moderators...?
Regards,
Mat


Re: Jonathan Yarden @ TechRepublic: Disable DNS caching on workstations

2005-04-18 Thread Matthew Sullivan
Mikael Abrahamsson wrote:
On Mon, 18 Apr 2005, Jason Frisvold wrote:
Is it possible to "prevent" poisoning attacks?  Is it beneficial, or 
even possible, to prevent TTL's from being an excessively high value?

It would be very interesting in seeing the difference in DNS traffic 
for a domain if it sets TTL to let's say 600 seconds or 86400 seconds. 
This could perhaps be used as a metric in trying to figure out the 
impact of capping the TTL? Anyone know if anyone did this on a large 
domain and have some data to share?
First hand experience: I can tell you that decreasing the SORBS NS 
records' TTLs to 600 seconds resulted in 90 qps to the primary servers; 
increasing the TTLs to 86400 dropped the query rate to less than 5 per 
second. (That's just the base zone, not the dnsbl NS records.)

Regards,
Mat


Re: SORBS Identity theft alert

2005-04-11 Thread Matthew Sullivan
Dean Anderson wrote:
See http://www.iadl.org/sorbs/sorbs-story.html 

SORBS seems to be collecting a lot of sensitive information to view
listings:
 

All pages on http://www.sorbs.net/ look on the menu for 'Privacy Policy' 
(unless you have chosen not to view that menu in the preferences).

Just in case you have a problem reading here's a hint: 
http://www.sorbs.net/w3c/privacy.shtml

One typo under 'Changes to the Policy' - the doc id is at the bottom not 
the top as stated, too small to warrant an update at this time of night.

This detailed information could be sold to IT recruiters, used for
identity theft, password collection, or used for other mass marketing
purposes.
It could be, but it isn't, and it won't be.
Security questions are often used by sensitive sites such as
domain registries to authenticate users who have lost their passwords.
 

Security question and answer box is for the user to choose a backup 
question and answer, don't tell me you didn't understand a simple 
concept as that?

This is very alarming information collection.
 

This is also way off topic, but I don't think that bothers you.
*End of thread*
/ Mat


FYI/OT: AV8 zombie listing in SORBS & the rantings of Dean A

2005-03-29 Thread Matthew Sullivan
Dean Anderson wrote:
Hi folks. A few points about Sorbs (I've also started a web site
www.iadl.org to track abuse of the internet for defamation purposes. The
web site isn't finished, yet.)
1) Someone said Sorbs is just Matthew Sullivan.
Well, _Sullivan_ said it isn't just him. Yeah, sure, that has
credibility...
However, my own experience with Sorbs has revealed that it is also Alan
Brown (formerly of ORBS) and Kai Schlicting. We all remember Alan from the 
ORBS shutdown, I hope. Alan was found by three courts in separate cases to 
be defaming people (two by using a blacklist). 

 

Dean, this is so far off topic it's not funny.  I am not going to discuss 
this further on NANOG; should you wish to discuss it you are welcome to 
join [EMAIL PROTECTED] and make your case there (as anyone 
interested is welcome to subscribe and take a look).

My information is that you did not apply for the address space in 
question for AV8, and that you took the address space from your former 
employers when you left by virtue of being the admin and technical 
contact for the netspace.  That information has come from multiple 
reputable sources.  I have repeatedly asked you for proof that you are 
the rightful owner of the netspace, and am still waiting for that proof 
- I'll be happy to delist any Zombie/Hijacked listings as soon as the 
rightful owners have the netspace in their possession, and where they 
think they are the rightful owners and the information suggests 
otherwise (your case), a small piece of evidence is required for the 
delisting (eg a copy of a letter from the OSF stating that they gave you 
the netspace as a leaving 'present').

...and some facts that you seem to be lacking:
SORBS was created by me and I, along with 18 other volunteers, run it.
Neither Alan nor Kai have anything to do with SORBS (neither past nor 
present).

My sites have not been, nor have ever been, booted from XO netspace 
(ns1.sorbs.net and http://www.isux.com/ ).

I have never been a student of The University of Queensland.
Regards,
Matthew
PS: If you reply in NANOG, don't expect a reply from me this is OFF TOPIC!


Re: sorbs.net

2005-03-15 Thread Matthew Sullivan
Robert Bonomi wrote:
Anyone on the list involved with this project?  I need to speak to 
someone ASAP.  No, I am not going to pay your ridiculous fine.

   

SORBS is a one-man operation out of Australia.
 

Not quite, though it is owned by me.
I really doubt that he participates in the NORTH AMERICAN network operators
group.
 

erm, no ;-)
Contact means for SORBS *is* provided on the web-site.  It works reliably. 
Be advised, however, that a 'need' on your part does not translate to 
urgency on the part of anyone else.
 

(multiple contacts) and fortunately and thanks to 18 or so _very_ hard 
working volunteers the response time has gone from weeks to hours (in 
most cases).

Note: *Nobody*, not even SORBS, says you 'have to' make that charitable
 contribution.  All the 'spam' listings _do_ "age off" the SORBS
 system, eventually.
 

Correct - it just takes time, and depending on the reason different 
amounts of time. (eg if you have 'BlueRockDove' or 'NewAgeOptIn' on your 
network there is currently an 'indefinite' aging time)

Caveat: I have nothing to do with SORBS. I don't use it -- or *any* blocklist,
for that matter -- myself (I use other means that are better suited for _my_
requirements).  I don't even know the operator thereof.   Everything I've
said is based on published and publicly available information.
 

No, but you did a fine job of explaining it (best I have seen 
personally), thank you.

The original poster has already noted a contact has been made, and I 
will watch it with interest - and the poster may note at least one of 
the entries has probably been resolved already.

Regards,
Mat


Re: enom/name-services.com nameservers are severe broken

2005-03-09 Thread Matthew Sullivan
Michael Tokarev wrote:
And this is Very Wrong (tm):
$ host -t cname -v name-services.com. dns1.name-services.com.
Host name-services.com not found: 3(NXDOMAIN)
In short: for *some* types of records for a valid name, the server
returns NXDOMAIN, which it should not be.
Obviously, when doing this query using a caching nameserver, the
cache gets poisoned (remembering that the domain in question
does not exist, as opposed to "No data of requested type"
response).
Another example for a domain hosted by them:

And as an example of the issue:
$ host -t ns name-services.com.
name-services.com name server dns4.name-services.com.
name-services.com name server dns5.name-services.com.
name-services.com name server dns1.name-services.com.
name-services.com name server dns2.name-services.com.
name-services.com name server dns3.name-services.com.
$ host -t cname name-services.com.
Host name-services.com not found: 3(NXDOMAIN)
$ host -t ns name-services.com.
Host name-services.com not found: 3(NXDOMAIN)
Regards,
Mat
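Why the sequence of answers above (NS answered, CNAME NXDOMAIN, then NS also NXDOMAIN) comes out of a cache, as an added example that is not code from the thread: a negative-caching stub resolver in the RFC 2308 style, plus an audit that flags a name returning NXDOMAIN for some types but data for others. The zone name and both upstream servers are constructed; the real name-services.com servers are not queried.

```python
# Added example (not code from the thread): a server that answers NXDOMAIN for
# *some* types of an existing name poisons caches.  NXDOMAIN means "no records
# of any type for this name"; the right answer for a missing type is NOERROR
# with an empty answer section (NODATA).  RFC 2308 lets a resolver cache an
# NXDOMAIN for the name and reuse it for every later type, as modelled below.
# The zone name and the upstream servers are constructed.
from typing import Callable, List, Tuple

NXDOMAIN, NOERROR = "NXDOMAIN", "NOERROR"
Answer = Tuple[str, List[str]]            # (rcode, rdata); NOERROR + [] is NODATA
Upstream = Callable[[str, str], Answer]   # (qname, qtype) -> Answer


def audit_name(name: str, qtypes: List[str], ask: Upstream) -> List[str]:
    """Query several types for one name and report the inconsistency the
    thread describes: NXDOMAIN for some types while other types have data."""
    results = {qt: ask(name, qt) for qt in qtypes}
    with_data = [qt for qt, (rc, rd) in results.items() if rc == NOERROR and rd]
    nx = [qt for qt, (rc, _) in results.items() if rc == NXDOMAIN]
    if not (with_data and nx):
        return []
    return [f"{name}: NXDOMAIN for {qt} but {with_data[0]} returns data" for qt in nx]


class NegativeCachingResolver:
    """Caching stub: an NXDOMAIN is remembered per *name* (RFC 2308), so one bad
    CNAME answer makes later NS/A queries fail until the negative TTL expires.
    TTLs are left out; the point is the per-name, not per-type, scope."""

    def __init__(self, ask: Upstream) -> None:
        self.ask = ask
        self.nxdomain_names: set = set()

    def query(self, name: str, qtype: str) -> Answer:
        if name in self.nxdomain_names:
            return (NXDOMAIN, [])            # served from the negative cache
        rc, rd = self.ask(name, qtype)
        if rc == NXDOMAIN:
            self.nxdomain_names.add(name)
        return (rc, rd)


ZONE = "ns-provider.example"                 # constructed zone name
NS_SET = ["dns1." + ZONE, "dns2." + ZONE]


def broken_upstream(name: str, qtype: str) -> Answer:
    """Mimics the behaviour reported above: NS works, other types say NXDOMAIN."""
    if name == ZONE:
        return (NOERROR, NS_SET) if qtype == "NS" else (NXDOMAIN, [])
    return (NXDOMAIN, [])


def fixed_upstream(name: str, qtype: str) -> Answer:
    """Correct behaviour: an existing name never yields NXDOMAIN, only NODATA."""
    if name == ZONE:
        return (NOERROR, NS_SET) if qtype == "NS" else (NOERROR, [])
    return (NXDOMAIN, [])


def replay(ask: Upstream) -> List[str]:
    """Replay the thread's query sequence (NS, CNAME, NS) through one cache."""
    cache = NegativeCachingResolver(ask)
    return [cache.query(ZONE, qt)[0] for qt in ("NS", "CNAME", "NS")]


if __name__ == "__main__":
    print("audit: ", audit_name(ZONE, ["NS", "CNAME", "A"], broken_upstream))
    print("broken:", replay(broken_upstream))   # third answer is now NXDOMAIN
    print("fixed: ", replay(fixed_upstream))
```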


Re: Regarding panix.com

2005-01-21 Thread Matthew Sullivan
Steve Sobol wrote:
Matthew Sullivan wrote:
What sort of support would you give a not-for-profit Org such as 
SORBS.net or an Org such as Spamhaus.org if our domains were hijacked 
maliciously (or not)?

Shouldn't matter, should it?
No, that was my point.
Regards,
Mat


Re: panix hijack press

2005-01-21 Thread Matthew Sullivan
Thornton wrote:
a user can lock a domain..they can login to the control panel for their
registrar and select registrar lock, registrar-lock, or lock and i am
sure there are other registrars that word it even differently. once you
select that it effectively locks your domain so it can't be transferred.
 

Erm...  please tell me where GANDI does this?...   I'd love to know 
(I'm sure there are others without locking facilities as well)

Regards,
Mat
(and I am aware that locking was available to panix.com)


Re: Regarding panix.com

2005-01-17 Thread Matthew Sullivan
Something to give thought to everyone on this list using DNSbls
Bruce Tonkin wrote:
I have had a few emails regarding a perception that we have limited
support to deal with issues such as panix.com, so I will just set the
record straight.
We provide a standard first level retail customer service line 24 hours
by 5.5 days.  (which gives business hours service in all world time
zones).
We provide 24 hour by 7 day customer service for resellers (typically
ISPs, web hosting companies etc).
What sort of support would you give a not-for-profit Org such as 
SORBS.net or an Org such as Spamhaus.org if our domains were hijacked 
maliciously (or not)?

This would be particularly important to consider in the event of someone 
hijacking and creating a record such as:

*.dnsbl.sorbs.net 604800 IN A 127.0.0.2
or
*.sbl.spamhaus.org 604800 IN A 127.0.0.2
etc
We provide 24 hour by 7 day second level technical operations support.
Most major registrars and ICANN have direct contacts into the technical
parts of Melbourne IT.I received notification from several parties
via email (but I don't read email 24 hours a day).
We are looking at our processes to ensure that incidents such as
occurred with panix.com can be addressed more quickly within Melbourne
IT, and also checking to ensure that an appropriate number of external
people have access to the right contacts at Melbourne IT to fast track
serious issues.
 

This is certainly a start, and hopefully the necessary people will make 
things happen to ensure it never happens again.

For the record, SORBS.net is registered with GANDI, I have no intention 
of updating the NS servers away from ones listed in the SORBS.net domain 
or transferring the domains to another registrar, however I am yet to 
find any method to 'LOCK' or 'UNLOCK' the domain... 

I note that Spamhaus.org is set 'CLIENT TRANSFER PROHIBITED' and 'CLIENT 
UPDATE PROHIBITED' so in theory this shouldn't be a problem, but the 
various earlier comments indicating that panix.com was thought to be 
'LOCKED' before the issues of the last few days provide more food for 
thought.

Regards,
Matthew
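The wildcard record shown above is the failure a DNSBL consumer can guard against on its own side: the conventional test entries (127.0.0.2 must be listed, 127.0.0.1 must never be, later codified in RFC 5782) detect a zone that has started answering for everything. Added example, not SORBS or Spamhaus code; the zone name, the records and the two resolver back-ends are constructed, and the OS-backed resolver is included only to show where real lookups would plug in.

```python
# Added example (not SORBS or Spamhaus code): a DNSBL client that refuses to
# trust a zone failing the standard test entries (127.0.0.2 must be listed,
# 127.0.0.1 must not; RFC 5782).  A hijacked zone serving
# '*.<zone> IN A 127.0.0.2' lists everything and therefore fails the check.
# Zone name, records and resolver answers below are constructed.
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# A records for a name, or None when the name does not exist (NXDOMAIN).
Resolver = Callable[[str], Optional[List[str]]]


def query_name(ip: str, zone: str) -> str:
    """DNSBL lookup key: octets reversed under the zone, e.g. 2.0.0.127.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def zone_is_sane(zone: str, resolve: Resolver) -> bool:
    """True only if the test address is listed and the control address is not."""
    must_list = resolve(query_name("127.0.0.2", zone))
    must_not_list = resolve(query_name("127.0.0.1", zone))
    return bool(must_list) and must_not_list is None


def check_sender(ip: str, zone: str, resolve: Resolver) -> str:
    """Return 'listed', 'clean', or 'unusable' (zone fails sanity: do not reject
    mail on the strength of a wildcarded, hijacked or unreachable list)."""
    if not zone_is_sane(zone, resolve):
        return "unusable"
    return "listed" if resolve(query_name(ip, zone)) else "clean"


def static_resolver(records: Dict[str, List[str]],
                    wildcard_zone: Optional[str] = None) -> Resolver:
    """Constructed resolver: exact records, plus (optionally) a wildcard that
    answers 127.0.0.2 for every name under wildcard_zone, as a hijacked
    '*.<zone> IN A 127.0.0.2' record would."""
    def resolve(name: str) -> Optional[List[str]]:
        if name in records:
            return records[name]
        if wildcard_zone is not None and name.endswith("." + wildcard_zone):
            return ["127.0.0.2"]
        return None
    return resolve


def system_resolver(name: str) -> Optional[List[str]]:
    """Resolver backed by the OS stub resolver (real lookups; not used by the
    tests).  Any failure, including a timeout, is treated as 'no answer', so
    an unreachable list makes zone_is_sane() report it unusable rather than
    silently marking every sender clean or listed."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return None


ZONE = "dnsbl.example"                               # constructed zone name
HEALTHY = static_resolver({
    query_name("127.0.0.2", ZONE): ["127.0.0.2"],    # mandatory test entry
    query_name("192.0.2.10", ZONE): ["127.0.0.2"],   # one constructed listing
})
HIJACKED = static_resolver({}, wildcard_zone=ZONE)   # everything answers 127.0.0.2

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, "healthy:", check_sender(ip, ZONE, HEALTHY),
              "hijacked:", check_sender(ip, ZONE, HIJACKED))
```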


Re: DDoS attacks...?

2004-11-16 Thread Matthew Sullivan
As a followup for those interested:
Matthew Sullivan wrote:
Can people make a quick check for DDoS attacks on 209.220.100.158 
in the last 12 hours (to 00:00 17th Nov 2004 GMT+0) - I am trying to 
get the exact time it appeared to occur, however I suspect it was in 
the time period of 13:00-14:00 16th Nov 2004 GMT+0 which coincided 
with the SORBS primary network dropping out of the global routing 
table (I don't have a clue as to why that happened either - it's being 
investigated).  (I have a suspicion that there was no DDoS attack and 
as the IP hosts NS1.SORBS.NET I'm guessing that when the primary NS 
for SORBS.NET dropped off the face of the earth the resulting increase 
in traffic came as a bit of a shock for the network admin/owner).
Turns out the 'DDoS' was in actual fact not a deliberate DDoS and was 
indeed excessive DNS queries all going to the same host due to problems 
with a global routing table update/corruption last night (localtime).

Regards,
Mat


DDoS attacks...?

2004-11-16 Thread Matthew Sullivan
Hi All,
Can people make a quick check for DDoS attacks on 209.220.100.158 in 
the last 12 hours (to 00:00 17th Nov 2004 GMT+0) - I am trying to get 
the exact time it appeared to occur, however I suspect it was in the 
time period of 13:00-14:00 16th Nov 2004 GMT+0 which coincided with the 
SORBS primary network dropping out of the global routing table (I don't 
have a clue as to why that happened either - it's being investigated).  
(I have a suspicion that there was no DDoS attack and as the IP hosts 
NS1.SORBS.NET I'm guessing that when the primary NS for SORBS.NET 
dropped off the face of the earth the resulting increase in traffic came 
as a bit of a shock for the network admin/owner).

Thanks for your time,
Matthew


Re: Verisign vs. ICANN

2004-09-09 Thread Matthew Sullivan
Dan Hollis wrote:
On Mon, 16 Aug 2004, Andre Oppermann wrote:
 

PS: I will patent it myself to prevent Versign from doing this.
   

Wouldn't it be beautiful if a bunch of people patented the hell out of 
various ways to exploit dns wildcarding, thus preventing verisign from 
doing anything useful with it at all...
 

It would only be useful if those people were also in a position to 
vigorously defend said patents when (and if) they were infringed.

/ Mat


On the back of other security posts (well some over a year ago now)....

2004-08-27 Thread Matthew Sullivan
Need I say more...?
http://www.securityfocus.com/news/9411
My thanks to those who listened and helped me.  My thanks to those who 
helped Spamhaus, and my thanks to anyone else who got involved with the 
whole deal.

/ Mat


Re: Akamai DNS Issue?

2004-06-15 Thread Matthew Sullivan
Leo Bicknell wrote:
From here neither www.google.com, nor www.apple.com work.  Both
seem to return CNAMES to akadns.net addresses (eg, www.google.akadns.net,
www.apple.com.akadns.net), and from here all of the akadns.net
servers listed in whois are failing to respond.
Can someone confirm from another location?  Comments from Akamai?
 

It started happening here a few minutes ago, but seems to be ok again...
/ Mat


Re: "Default" Internet Service

2004-06-14 Thread Matthew Sullivan
Owen DeLong wrote:
Smith, Donald wrote:
> First are the consumers willing to pay for a "safer" internet
> DSL/dial/isdn?
>
Why should they have to?

Because it costs money to mitigate the attacks coming from their
infected machines.
It takes people and people want to be paid. Given a larger security
abuse team we could do more.
That's a reason abusers should have to pay cleanup fees.
Which is something people condemn me for doing with the SORBS spam 
database even with the money going directly to charity (or other 
non-charity good causes).

Majority of people in the SORBS spam database are those who have abused 
my mailserver and my mailbox.

/ Mat


Re: "Default" Internet Service

2004-06-14 Thread Matthew Sullivan
Smith, Donald wrote:
I don't expect you the ISP to solve all these problems, nor do I expect 
you the ISP to stop your users from getting infected. However you the 
ISP are responsible for traffic coming from and going to your users, and 
most of us don't care if you want to allow your users to get infected, 
however we do care if you allow your customers to attack us. Whether 
it be an attack in the form of spam, DDoS or trojan/virus spreading.

As an ISP I am responsible to ensure my users can send and receive
packets.
Want to contribute? 
Consider volunteering time at one of the public internet security sites.
Complaining that ISPs are not doing enough is not productive.
 

I consider the work I put into SORBS a significant contribution to 
internet security.

/ Mat



Re: "Default" Internet Service

2004-06-14 Thread Matthew Sullivan
Owen DeLong wrote:

--On Tuesday, June 15, 2004 7:26 +1000 Matthew Sullivan 
<[EMAIL PROTECTED]> wrote:

Smith, Donald wrote:
First are the consumers willing to pay for a "safer" internet
DSL/dial/isdn?
Why should they have to?
Because providing it costs more.
I believe if they were there would be a safer service available. I have
seen several "secure" isp's fail in the last
few years. If you have any data that shows that there is a market for a
more secure dialup/DSL/isdn... please share it.
No, but it won't be long before you will find half a dozen reasons why as
an ISP you will want to do it - but then it may be too late.
Such as? 
That I am bound not to say unfortunately, however all will become clear 
soon (it'll be in the press).

2nd blaming infected machines on the internet is similar to blaming 
your
postal carrier for bringing you junk mail and bills.
Crap
It's not crap.  Infected machines are no more the fault of the 
internet than
junkmail in your mailbox is the fault of the post office.  There's 
literally
no difference to the model.  The post office delivers mail that is 
addressed
to you.  They don't care if it's junk mail or not.  They deliver it. 
If you're a water company, and you deliver rusty water through your 
pipes - you are responsible

Actually, I suspect it's a much larger fraction, more along the lines
of 80 to 90%, possibly more. 
Agreed
Even with a secure OS this simple method of infection will continue to
work.
Correct
And how is an ISP supposed to do anything about this? 
Education... and how to educate - well if they don't want to do it for 
their own personal gain, force them. How to force them... don't give 
them access until they have learnt the basics...  Hitting them 
financially when they get it wrong will force most to learn rather than 
get caught again, but it would be nice to stop them in the first 
place. Further, what are you going to do with those who you try to 
'fine' and they just go to another ISP...? (I do have some experience 
with this don't forget - much to the annoyance of some) ... Anyhow 
remember this:

Prevention is better than a cure...
However you are ignoring the fact that once the machine is infected, the
machine can be used by hundreds of people (skript kiddies) to damage
other parts of the internet, further they can (and are) being used by
organised crime to extort money out of large financial institutions and
companies, and that's not to mention DDoS's on the smaller people who 
are
just in the way.
Right... So, you should be working really hard to get people not to allow
their machines to be infected, and, to get ISPs to disconnect infected
sites from the network.  I support both of those moves.  The rest is just
a way to tax the clueful for the ignorance of the masses with little 
benefit. 
We're already being taxed... In Australia we are forced to pay for 
incoming and outgoing traffic - so DDoSes and Spam cost the recipient.

How and when did it become the responsibility of the ISP to protect the
end users machines?
It hasn't, however the data coming from an ISPs network has always been
the responsibility of the ISP and I would suggest if you cannot stop
the endusers getting infected, then you should look at stopping those
machines from abusing other machines on the internet. If you will not
do that you should not be peered.
Sorry... The data ORIGINATING from the ISPs network is the responsibility
of the ISP.
I did say 'data coming from an ISP'...
  The data transiting the ISPs network is just that.  The ISP
has no obligation, indeed, no right to look into the data beyond what is
necessary for delivery and operation of the service (ECPA). 
Now that is debatable - and probably not best discussed here or in this 
thread. AFAIAC the traffic coming from an ISP is the responsibility 
of that ISP - if it's transiting they are still responsible...  It's the 
'car accident' principle...  3 cars (A, B & C) pull up at a stop sign, B 
stops behind A, C runs into B and pushes B into A...  A doesn't sue 
C. A sues B for A's damage, and B sues C for B's damage, A's damage 
and costs.

I agree that ISPs should shut off sites that are demonstrably spewing
abuse and notify those sites of the problem.  I've repeatedly supported
several models for doing just that.  However, this is different from 
making
the ISP responsible for breaking the users connectivity prior to such
an event in the name of preventing the user from shooting themselves 
in the
foot.  I further like the idea of de-peering ISPs who don't do this, and,
if you can get a critical mass of the major ISPs to do that, life will
start to get better.  If you can't, it won't. 
...and in the current economical environment, and the size of the 'worst' 
ISPs is going to stop that from hap

Re: hybrid approaches (Re: "Default" Internet Service)

2004-06-14 Thread Matthew Sullivan
Edward B. Dreger wrote:
Apologies for forking yet another thread from one which I myself
have been largely ignoring.  AFAICT, though, most posts have
shown little interest in combining different approaches:
* Provide a "default" sandbox.
* Allow unrestricted access -- perhaps after a quiz, perhaps when
 a user activates a form.
* Let IDS trigger sandbox mode.
* Provide IDS-triggered-sandbox override for those who agree in
 writing to .
* Anyone in the IDS-proof class who spews filth deserves to be
 fined.
* Use different IP ranges for different service classes.  Flag in
 rwhois, a special RRTYPE, or whatever suits one's fancy.  (This
 assumes that providers could agree on a standard.)
Perhaps no one tactic fixes everything.  Fine.  I readily admit
that the above combination isn't a miracle cure.  But is there a
moderate chance for improvement?  I think so.
 

*applause*
Whilst I may not communicate it sometimes - this sums up all my thoughts 
on the matter quite neatly, you have my wholehearted support.

/ Mat



Re: "Default" Internet Service

2004-06-14 Thread Matthew Sullivan
Owen DeLong wrote:
--On Monday, June 14, 2004 17:57 -0500 Adi Linden <[EMAIL PROTECTED]> 
wrote:

It's not crap.  Infected machines are no more the fault of the internet
than junkmail in your mailbox is the fault of the post office.  There's
literally no difference to the model.  The post office delivers mail
that is addressed to you.  They don't care if it's junk mail or not.
They deliver it.

So what about little envelopes with white powder? Does the post office
still have an obligation to deliver it or should they be concerned about
the welfare of their customers? Perhaps they should insist that 
customers
are properly vaccinated

That depends... Is it an envelope covered in suspicious white powder,
or, is it a well sealed envelope that happens to contain a plastic
baggy of white powder?  If it's the former, then, there is obvious
reason, and, this would be equivalent to a malformed IP datagram,
which most (all) ISPs will drop.  If it's the latter, then, the
post office has no legitimate way to know that the envelope contains
white powder, nor, does it know what the white powder is.  Also,
the primary reason/responsibility the post office has in not delivering
the white powder on the outside of the envelope is to protect postal
employees.  Secondarily, the mail may come into contact with other
than it's intended target.  The post office does not, in my opinion,
have an obligation to protect you from mail properly addressed to you. 
And yet the UK post office x-rays all parcels looking for bombs 
(confirmable with the UK post office).  AFAIK they also now use 
sniffer technology to look for other 'nasties' (this is completely 
unconfirmed).

Point I am making is that the post office is not responsible and/or
liable  for the content of the packages they deliver. However, if they
deliver  packages that are obviously visibly dangerous to the recipient
they have  an obligation to investigate and not deliver the package.
Actually, there is some debate about that.  However, there are also
strong boundaries on that.  The obligation you speak of applies to
things that endanger human life.  If you send a diskette mailer to
someone with the label "Diskette inside contains live computer virus",
I bet the post office will probably deliver it.  That's every bit
as harmful as the packets you're complaining about the ISPs delivering. 
And to the same respect you send a package with 'The package contains 
the Anthrax virus' they'll probably deliver it as well...
(wouldn't recommend anyone testing it though ;-))

Most residential ISPs get paid the same whether the customer spews
abuse or not.  Their costs go up some when they get abuse complaints
and when abuse starts using more bandwidth, so, for the most part, most
residential ISPs have no incentive to support abuse, but, not enough
incentive to pay to staff an abuse department sufficiently to be truly
responsive.  Further, most abuse departments don't get enough support
from management when the sales and marketing departments come whining
about how much revenue that abusing customer produces each month.
This is one of the unfortunate realities of a free-market economy.  It
doesn't always tie profit to doing the right thing, and, it favors
short-term thinking over long-term planning.

Who do you suppose pays for the abuse department staff? Those are
operational costs passed on to all customers. If increasing abuse 
results
in increasing staff, hopefully eventually, these cost will most 
likely be
passed on to all customer. It would be nice to see per incident billing
so  only offenders and repeat offenders pay. I doubt that'll happen 
(just
a  gut feeling, no other justification).

Right... that's why I support the "abuser pays" model of charging cleanup
fees for users that get infected.  That's what I'd like to see too. 
Hear hear...
Arguing for ISPs to filter customers arbitrarily, distracts from this. 
No it doesn't - it's two different models - I'm sure some customers 
would prefer filtered access rather than risk a cleanup charge being 
dumped on them...

/ Mat


Re: "Default" Internet Service

2004-06-14 Thread Matthew Sullivan
Owen DeLong wrote:
Until they sign up for Vonage, get hooked on that new multiplayer 
realtime
game, discover that they can share music with their friends, or just
want to see what that next killer-app is all about.

Oh, yeah, there's also IRC, YIM, AIM, etc.
Those are just the applications I ran up against when I put a strict
firewall in for my parents (who I regard as being pretty typical of the
we don't know what internet is, but, we want it mom/dad set). 
I'm not saying don't permit them at all, I'm saying create a default 
account where access is not available, where the customers have to know 
a bit about what's going on to make that default blocked account into a 
default not blocked account - that gives the ability to force 
education.  You could also then add extra terms into the equation - as 
part of the 'non blocked account agreement' the customer has a 'bond' 
where if they get infected without due diligence, they lose their 
bond... there are hundreds of ideas, some which will work some which 
won't - the key point is most of the ISPs in the USA (but not only them, 
other countries too) are doing NOTHING about the problem except saying 
'it costs money, who's going to pay?'... Well why should I pay, when 
your customers DDoS me?  Why should I pay to keep my email free of spam 
sent via your customers..?  Why should I pay for firewalls and spend all 
my time looking for hacking incidents because you don't want to pay for 
a little education?

And, there's still the question of funding.  Adding simple filters
costs money (labor, if nothing else).  Adding stateful inspection filters
costs more money (same labor, roughly, but, most provider-side routers
don't do stateful inspection, at least not in a scalable way).  The few
that do, usually require additional hardware options (ASPIC, for 
example).

Who should pay for that?  I don't think the responsible clueful customers
of an ISP should have to subsidize the clueless, even if the clueless are
the majority.
No you're right, but then the large ISPs should have working abuse 
desks, and they should be responsible for traffic originating from 
their network.  It's only a matter of time before something will 
break...  The way things are going now with infections and exploits, I'm 
surprised people are still signing up for the internet, if something is 
not done about the problems sooner rather than later I guarantee you the 
Internet will go the way of the CB radio... Noise will drown out the 
signal, people will stop using it because it is no longer usable, 
people who can afford it will set up on their own private frequency, the 
noise will continue until there are just a few die hards left, at which 
point the noise will slow and stop because there is no fun in drowning 
those few anymore, and all channels will become disused and quiet.  
Then all those large ISPs out there who say 'filtering costs money why 
should we...?' will realise that it's too late to fix the problem, and 
they will either diversify or die.

/ Mat
PS: Owen, this mail is not directed specifically at you, or anyone in 
particular, I'm just on my soap box again.




Re: "Default" Internet Service

2004-06-14 Thread Matthew Sullivan
Smith, Donald wrote:
First are the consumers willing to pay for a "safer" internet
DSL/dial/isdn?
Why should they have to?
I believe if they were there would be a safer service available. I have
seen several "secure" isp's fail in the last
few years. If you have any data that shows that there is a market for a
more secure dialup/DSL/isdn... please share it.
No, but it won't be long before you will find half a dozen reasons why as 
an ISP you will want to do it - but then it may be too late.

2nd blaming infected machines on the internet is similar to blaming your
postal carrier for bringing you junk mail and bills.
Crap
About 1/2 of all of
the large "infection" events on the internet are the result of people
running unpatched unsecured applications on their machines. The other
half of the infections I see are due to an end user opening an email and
running an attachment.
Correct
Even with a secure OS this simple method of infection will continue to work.
Correct
However you are ignoring the fact that once the machine is infected, the 
machine can be used by hundreds of people (skript kiddies) to damage 
other parts of the internet, further they can (and are) being used by 
organised crime to extort money out of large financial institutions and 
companies, and that's not to mention DDoS's on the smaller people who 
are just in the way.

How and when did it become the responsibility of the ISP to protect the
end users machines? 

It hasn't, however the data coming from an ISPs network has always been 
the responsibility of the ISP and I would suggest if you cannot stop 
the endusers getting infected, then you should look at stopping those 
machines from abusing other machines on the internet. If you will 
not do that you should not be peered.

Do ISP's get paid to protect end user machines?
No, they get paid for traffic, which is the reason some ISPs out there 
don't care if their customers are DDoSing another's network.

If you want to blame someone maybe the company that provided the
insecure os that requires monthly patches to fix portions of the broken
code they sold. Or you could blame the end users who open unknown
attachments. 

Yup, we've been doing that for years, and they have been fixing things 
as fast as possible (not always, and not until more recently) however 
they are making steps in the right direction, so I feel it's about time 
ISP's started taking some of the responsibility for traffic on their 
network.  As far as the attachments go, education is the only way - and 
if they cannot be educated they shouldn't be on the Internet.

I would like a real solution to the problem. Simply blocking ports is
not successful. 
So I recommend 2 steps. 

First buy OS's that are more secure out of the box.
That's not going to happen anytime soon, even with Microsoft starting to 
follow the 'right' road.

2nd Teach users NOT to click on every thing they see.
 

...and how are you going to do that?  If you give a user a $10 account 
where they have full internet access they click on everything, then they 
get infected, their machine is controlled by someone else across the 
world and is used for DDoS attacks or spam (or... hacking, or...?)... what 
are you going to do to educate them in the middle?  What is the ISP 
going to do to make sure that the enduser has been educated?   What are 
you the ISP going to do to ensure the machine that was infected has now 
been disinfected...?

I don't expect you the ISP to solve all these problems, nor do I expect 
you the ISP to stop your users from getting infected. However you the 
ISP are responsible for traffic coming from and going to your users, and 
most of us don't care if you want to allow your users to get infected, 
however we do care if you allow your customers to attack us. Whether 
it be an attack in the form of spam, DDoS or trojan/virus spreading.

/ Mat



Re: "Default" Internet Service

2004-06-13 Thread Matthew Sullivan
Owen DeLong wrote:
Frankly, I don't want to have to read the [EMAIL PROTECTED]( tutorial.  I should at least
have the option of skipping to the questions.  I don't mind "You must be
this tall to ride."  I do mind "Now we, who have been in business for
fewer years than you have been running backbone routers, are going to
give you a brief tutorial on internet security."
No, I referred to the questions as simple questions where someone would 
have had to have read the tutorial (or already knows the answers) to get 
a less restricted account.

There would of course be the option to say 'I want a completely 
unrestricted incoming and outgoing account, I do know what I'm doing'

The point being that the majority of mums, dads and indeed small 
businesses don't have a clue about what they are doing, and most just 
want to be able to browse the web, do some internet banking or shopping, 
and have access to email.

Yours
Mat


Re: "Default" Internet Service

2004-06-13 Thread Matthew Sullivan
Christopher L. Morrow wrote:
On Sat, 12 Jun 2004, John Curran wrote:
 

The real challenge here is that the "default" Internet service is
wide-open Internet Protocol, w/o any safeties or controls.   This
made a lot of sense when the Internet was a few hundred sites,
but is showing real scaling problems today (spam, major viruses,
etc.)
One could imagine changing the paradigm (never easy) so that
the normal Internet service was proxied for common applications
and NAT'ed for everything else...  This wouldn't eliminate all the
problems, but would dramatically cut down the incident rate.
   

This sounds like a fantastic idea, for instance: How much direct IP does
joe-average Internet user really require? Do they require anything more
than imap(s)/pop(s)/smtp(+tls) and dns/http/https ? I suppose they also
need:
1) internet gaming
2) voip
3) kazaa/p2p-app(s)-of-choice
4) IM
Actually I'm sure there are quite a few things they need, things which
require either very smart NAT/Proxy devices or open access. The filtering
of IP on the broad scale will hamper creativity and innovation. I'm fairly
certain this was not what we want in the long term, is it?
 

I actually suggested something like this at the recent AusCERT 2004 
conference...  It's not such a bad idea.

The real question being "why are we giving mums and dads who sign up 
to the internet, and know nothing about either the Internet or 
computers, full unrestricted incoming and outgoing access...?"  ... 
answer: because the more bandwidth they use the more the ISP earns... so 
the ISPs don't care (in some cases) if the mums and dads get trojaned, 
because it's all money.

My suggestion to the AusCERT delegates was to introduce a new default 
service which has very limited access, and if people ask for more, give 
them the access after they have read through various 'educational' 
pages.  Perhaps a simple online quiz at the end - just 3-5 questions 
with the answers being very clearly explained in the previous pages - 
just to show the people have actually read the pages, rather than 
skipped to the end and hit 'I accept'.

I also suggested that if ISPs have the technology perhaps a simple IP 
pools method of allocating the users IP, where they could turn on and 
turn off access to certain protocols - eg: have a pool for P2P users, a 
pool for VOIP etc...

/ Mat



"zero day" exploit...?

2004-06-08 Thread Matthew Sullivan
In case you haven't seen it...
http://www.computerworld.com.au/index.php?id=117316298&eid=-255
/ Mat


Re: SORBS Insanity

2004-04-15 Thread Matthew Sullivan
Jeremy Kister wrote:

Hi Matthew,

I highly appreciate your time in replying to my emails. I further
appreciate you removing 64.115.0.0/16 from the sorbs duhl.
One of my partners in crime sent the first email (via web-form) to sorbs on
April 6th. On April 10th, I repeated. Both were addressed from
[EMAIL PROTECTED]  I haven't received anything further about these.
Most of the time we investigate them first - if the contact is from the 
RIR PoC we contact them immediately (as soon as we get to the ticket of 
course).

On April 11th I helped a friend who is using 64.115.47.0/24 by filling out
the web-form, addressed from [EMAIL PROTECTED]  I received
sorbs.net # 5799 on this. But again, this was only for that /24.
That's the one that I saw.

On April 13th at about 7pm, I sent the following email to [EMAIL PROTECTED]
from [EMAIL PROTECTED]
OK, didn't see this one - but it depends on the subject - I searched on 
the IP in the subject in this case.

true dynamic ranges out of the 64.115.0.0/16 are:

Got them and fixed up the DUHL.

to prevent further hysteria, dns now shows
"static-64-115-x-x.isp.broadviewnet.net".   it would have been quite
simple to send an email to {abuse,ipadmin,[EMAIL PROTECTED]
(as listed in ARIN lookup), call our support line (as listed in ARIN,
whois, and our web site), or send us a letter (as listed on our web site,
and whois information) to confirm your unfounded opinions about our
network.  Next time, you should give it a try; you may not receive such
emotional emails from frustrated Systems Engineers trying to deal with
worthless projects run by ignorant half-wits.
As you can see I was quite frustrated at the time, and may have been a bit
harsh. At that point I was dealing with the problem for 10 days -- and saw
no end in sight.
End is always in sight, unfortunately not fast enough for some people - 
there is always the option of mailing me direct - the problem is (as 
always) I am probably the busiest person at SORBS and have the 
least time to deal with tickets - the last 48-72 hours have left me 
with time to answer 3 tickets.

All done now, I'll fix up the ticket closures when I get a chance.

Yours

Mat



Re: SORBS Insanity

2004-04-15 Thread Matthew Sullivan
Jeremy Kister wrote:

I became aware that just about all of 64.115.0.0/16

In this same email, I also stated:
1.  exactly which 64.115 networks were dynamic
OK, now I have settled into another night of fixing things...  I see no 
mails from yourself in the ticketing system which indicate dynamic 
ranges - all seem to just demand delisting of all the blocking the /16 
stating they are all static (I have not looked at tickets owned by 
the other SORBS staff).

In your mail you indicated some of the rDNS is clear in that it 
indicates what address ranges are dynamic, and you also say above you 
have stated them - so I have removed the /16, now let's see a little help 
and give us this list, and I will then be able to list them... 
otherwise I will have to go back to analysing the rDNS dump and guessing 
which are which again.

Yours

Mat




Re: SORBS Insanity

2004-04-15 Thread Matthew Sullivan
Jeff Kell wrote:

Jeremy Kister wrote:
[... giant snip ...]
We are a former user of SORBS.  Our issue was not that of dynamic IPs, 
but rather their spamtrap listings.  A few weeks ago, at least two of 
Comcast's legitimate mail servers were blacklisted.  As Comcast has a 
majority of the cable service in our area, we have a lot of users that 
use Comcast as their ISP.  Needless to say, listing several of 
Comcast's prominent mail servers caused our mailers to reject the mail 
with the SORBS bounce reply.  We have since ceased using SORBS and 
cured the Comcast problem, as well as a couple of other unrelated (and 
previously unreported) problems. 
I do recommend anyone using the complete DB to whitelist any major 
mailservers 'near' them.  If you can't do this I recommend you use 
tagging and/or use 'safe.dnsbl.sorbs.net' which doesn't contain the spam 
DB, but does contain all other DBs.

But I have/had a considerable degree of respect for SORBS, and as part 
of our abuse department, I dutifully report all of our reported spam 
deliveries to SpamCop.  When SpamCop does its analysis and notes that 
the spam in question was listed in SORBS, I now cringe.  It would have 
been blocked.

So currently I'm considering asking for partial zone transfers of some 
of their blocks (our mailer doesn't discriminate against the DNS 
return address being 127.0.0.x or 127.0.0.y, a hit is a hit) and 
omitting at least the 'spamtrap' portion (for the same reason we don't 
use SpamCop directly -- the knee-jerk false positives outweigh the 
real hits to upset a considerable portion of our user base). 
safe.dnsbl.sorbs.net - available on all the public DNS servers and by 
using the zonefiles.

From the opposite standpoint in acting on spam that originates in our 
domain, everything to date has been a compromised machine and/or virus.
If SpamCop lists our registered mailers, I can at least respond from 
the abuse address that the problem has been corrected and there are no 
further interruptions in our mail service.  I can only imagine the 
problems if you end up blacklisted by SORBS if their response time and 
effort is really this low for cleaning up their lists.  While the big 
ISPs may not act immediately (or at all) on compromised hosts with 
trojan proxies, we do keep a tight lid on it (and block SMTP from 
end-users at egress, but that is another discussion). 
You will note my post before Christmas about the up and coming 
whitelisting mechanism - I am still collecting details for people 
wanting to use it - unfortunately for a variety of reasons the 
whitelisting mechanism is still not ready to go public.

Yours

Matthew
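The per-return-code handling Jeff describes wanting, as an added example (not code from SORBS or from anyone in this thread): the mailer reverses the client IP into a DNSBL query name, reads the 127.0.0.x answers to see which sub-list hit, exempts a local whitelist of "nearby" mailservers before any lookup, and only tags (rather than rejects) when the spamtrap list is the sole hit. The zone name dnsbl.example.net, the return-code table and the offline resolver data are constructed assumptions; a real list's codes come from its operator's documentation.

```python
"""DNSBL lookup with per-return-code policy and a local whitelist.

Added example: the zone, the code table and the resolver data below are
constructed for illustration and are not SORBS' published values.
"""
import ipaddress
from typing import Callable, Dict, Iterable, List

ZONE = "dnsbl.example.net"  # placeholder zone, not a real DNSBL

# ASSUMED return-code table: each list publishes its own. A mailer that
# ignores this table treats "a hit as a hit" and cannot omit one sub-list.
RETURN_CODES: Dict[str, str] = {
    "127.0.0.2": "open-proxy",
    "127.0.0.5": "open-relay",
    "127.0.0.6": "spamtrap",
    "127.0.0.10": "dynamic",
}

# Local policy: reject on these categories, only tag on the spamtrap list
# (the one Jeff wanted to omit because of false positives).
REJECT_CLASSES = {"open-proxy", "open-relay", "dynamic"}
TAG_CLASSES = {"spamtrap"}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets of an IPv4 address and append the DNSBL zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def classify(answers: Iterable[str]) -> List[str]:
    """Map the A records a DNSBL returned to policy categories.

    Unknown codes are kept visible as 'unknown:<addr>' instead of being
    silently treated as a hit (or as nothing) when a list adds a code.
    """
    return sorted(RETURN_CODES.get(a, f"unknown:{a}") for a in answers)


def decide(ip: str, zone: str, resolve: Callable[[str], List[str]],
           whitelist: Iterable[str] = ()) -> str:
    """Return 'accept', 'tag' or 'reject' for a connecting client IP.

    `resolve` maps a hostname to its A records ([] for NXDOMAIN).
    `whitelist` holds CIDR blocks of major mailservers 'near' you that
    are exempted before any DNSBL lookup is made.
    """
    addr = ipaddress.IPv4Address(ip)
    if any(addr in ipaddress.IPv4Network(net) for net in whitelist):
        return "accept"
    categories = classify(resolve(dnsbl_query_name(ip, zone)))
    if any(c in REJECT_CLASSES for c in categories):
        return "reject"
    if any(c in TAG_CLASSES for c in categories):
        return "tag"
    return "accept"


# Constructed offline stand-in for DNS, using RFC 5737 documentation IPs.
FAKE_ZONE_DATA: Dict[str, List[str]] = {
    f"10.2.0.192.{ZONE}": ["127.0.0.10"],               # dynamic only
    f"20.2.0.192.{ZONE}": ["127.0.0.6"],                # spamtrap only
    f"30.2.0.192.{ZONE}": ["127.0.0.6", "127.0.0.2"],   # spamtrap + proxy
}


def fake_resolve(name: str) -> List[str]:
    """Offline resolver: return the constructed A records, [] if unlisted."""
    return FAKE_ZONE_DATA.get(name, [])


if __name__ == "__main__":
    nearby = ["192.0.2.16/28"]  # constructed 'nearby mailserver' block
    for client in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(client, decide(client, ZONE, fake_resolve, nearby))
```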



Re: SORBS Insanity

2004-04-15 Thread Matthew Sullivan
In case you didn't know, SORBS admins do populate this list from time to 
time, so it might be worth going through a few things...

Jeremy Kister wrote:

I became aware that just about all of 64.115.0.0/16, a network that I (among
others) run, has been listed as "dynamic ip space" in sorbs as of April 2nd.
On April 6th I sent my first email (via web-form) to sorbs telling them they
were mistaken.
What address did you use?  What tracking number did you get?

Finding no documentation on how they deem networks "dynamic" or
"static" I changed my rDNS scheme from ppp-64-115-x-x to 64-115-x-x.  Note
to all: "ppp" in no way signifies dial-up; we run ppp over almost every
circuit we have -- from dialup to OC12, to Ethernet and ATM.
I also stated how all of our network was scanned twice a day for open-relay
mail servers.  Being a bigish ISP, we are _huge_ on our abuse policies, and
our abuse bucket [usually] has only memories of tumbleweed blowing by.
On April 10th I again wrote, only to be ignored further.

Again, tracking number please?  Address you used?

The reason I am asking is I only find one ticket from the address you 
posted from.

Yesterday, April 13th, one of my customers opened a trouble ticket stating
that he had successfully received a response from SORBS, and had forwarded
me the conversation.  I sent an email to [EMAIL PROTECTED] (the author of the
email) quoting what they had written one of my customers.  They said to my
customer that I had to either provide custom reverse DNS for each customer
who was not dynamic, or I had to provide sorbs with POCs for all my
non-dynamic customers.  I stated how this was absurd, and that there was
already a functioning medium for this task -- rwhois.
In this same email, I also stated:
1.  exactly which 64.115 networks were dynamic
I gather then that you are not actually '[EMAIL PROTECTED]' (see 
below)...

2.  that to prevent further hysteria, I had changed the reverse dns from
 ppp-64-115-x-x to static-64-115-x-x and dynamic-64-115-x-x,
 respectively.
And yet the mail I received from '[EMAIL PROTECTED]' - which I 
found oddly worded for a professional - stated there are no dynamic 
blocks in the entire /16.  Which is it?

3.  their blindness was very unprofessional, deeming SORBS a Worthless
 Project run by Ignorant Half-Wits
...who are unpaid, for both answering tickets, and the time in dealing 
with obnoxious people who threaten various amounts of legal action... 
not to mention the cost involved in running the services to both the 
owner and those who generously give resources to the SORBS project.

Actually the instructions I have given to those answering the DUHL 
tickets are that if there is no rDNS or rDNS that may indicate the 
address space is not static then they are to accept requests only from 
the confirmed RIR PoC... This is specifically because every man and his 
dog come to us explaining how their part of the net is not dynamic.

As of this date I have not received a response from anyone at sorbs, and do
not expect one.   Our support crew is overwhelmed with upset customers who
can't send email to their associates.  Our only response to them is that we
have tried to resolve the issue, but could not, and that the remote ISP
should stop using sorbs.
Funny the person logging the first ticket also said that...

I am upset that they blindly blacklisted most of 64.115.0.0/16 because some
of the reverse dns was generic.  64.115.47.0/25, for example, hasn't very
much generic rDNS at all, but was blacklisted just the same.
It was blacklisted because of a tipoff from someone who is widely 
known as trusted.  I checked up on the tip, and in this case I either 
didn't look close enough, or your rDNS has changed significantly for the 
network

I hope all stop using SORBS.  I especially hope Mr. Vixie reconsiders his
helpfulness to such a harmful organization.
 

Now I'm not going to reveal details of the actual comments in the 
tickets unless you grant your permission and indicate which ticket(s) 
are yours...

I will say though as there are no indications of any dynamic ranges in 
any of the tickets logged, I spent all day yesterday going through the 
rDNS logs for the entire /16 (yes we do go through the entire dump), and 
had I not spent until the early hours of the morning this morning 
tracking a DoS attack, and then most of the day in my dayjob I would 
already have fixed this... but I guess by your post that doesn't 
matter.

Yours

Matthew




Re: Hi (fwd)

2004-03-18 Thread Matthew Sullivan
william(at)elan.net wrote:

FYI - if you're on windows machine DON'T TRY TO FOLLOW URL in that post

Somebody sent me a copy of the content and it's VBScript that downloads an 
image, converts it into an executable and then probably uses some bug in 
microshit products to have it executed. I'm not that good with Windows 
scripting, so whoever of the security people here wants to see it further, if 
you can not get it yourself, let me know. It's possible this may be a zombie 
making virus using nanog to replicate (somebody's sick joke) but possibly
it's more general with other lists too. Spammers and virus writers joined
together are getting nastier and nastier.
 

It's another variant of Bagle...

My analysis of it is at: http://www.au.sorbs.net/virus.explain.txt - 
since then Symantec has released its more detailed explanation under 
the headings for Bagle.r and Bagle.s

/ Mat



Re: Interesting BIND error

2004-02-12 Thread Matthew Sullivan
[EMAIL PROTECTED] wrote:

Multicast ends at 239.255.255.255, unless somebody dorked with the

RFCs while I wasn't looking, and failed to update the listing at
http://www.iana.org/assignments/ipv4-address-space while they were at it.
 

Doh! knew I should have checked ;-)



Re: Interesting BIND error

2004-02-12 Thread Matthew Sullivan
Brian Bruns wrote:

On Thu, February 12, 2004 4:52 pm, Brian Wallingford said:
 

We've been seeing the following on all of our (9.2.1) authoritative
nameservers since approximately 10am today.  Googling has turned up
nothing;  I'm currently trying to glean some useful netflow data.  Just
wondering if this is local, or if others have suddenly seen the same.
Seems harmless enough, but the logging is eating a disproportionate amount
of cpu.
Feb 12 16:25:07 ns1 named[3150]: internal_send: 244.254.254.254#53:
Invalid argument
   



It's possible that someone is spoofing UDP packets to your nameserver from
that IP range (which is IANA reserved space).  It looks like BIND is
refusing to send to that address, and thus the error.
At least, IMHO.  So I could be wrong :)

 

Considering the address range, I'd say it'll have problems sending 
there... multicast anyone?

/ Mat



Re: Stopping open proxies and open relays

2004-02-07 Thread Matthew Sullivan
Robin Lynn Frank wrote:

On Friday 06 February 2004 20:43, Adi Linden  wrote:
 

There are valid reasons not to run antivirus software,
   

And they are?
 

With the exception of my BBS (still running) and until 2 weeks ago I 
hadn't run any av software on my machines (now I run clamav via postfix 
to stop the stream of incoming crap in my inbox)

I've never needed to run any anti virus software.  Funnily enough 
neither has my wife or son (age 9); they both know the golden rules.  No 
disks from friends, no cover disks,  and don't open any attachment 
unless you know what it is and who it's from.  (and the other measure - 
linux runs on the desktops, so no LookOut Express)

To date I haven't been infected with a virus (except when analysing a 
few, but that's another story).

/ Mat



Re: antivirus in smtp, good or bad?

2004-02-03 Thread Matthew Sullivan
Stephen J. Wilcox wrote:

Hi,
When investigating our mail queue it seems we have quite a lot of mails which 
are stuck in transit...

Whats happening is we're accepting the mail as the primary MX for the domain but
the user has setup a forwarding to another account at another ISP, they have
antivirus service on that other account. So we get the mail, spool it and try to
forward it but then we get a "550 Error: Suspected W32/[EMAIL PROTECTED] virus" after
DATA and our server freezes the mail.
Surely this is an incorrect way to do this as there will be lots of similar MXs 
like ours backing this mail up? They should accept the mail and then bounce it?
 

That's what I just wrote a patch into Postfix to do ( 
http://www.isux.com/projects/ if anyone is interested, uses libclamav )

This is the only way I can see the virus-laden mails should be dealt 
with - you certainly cannot return them to the sender, that is _most_ 
annoying, and causes no end of users to call the support desk about being 
virus-laden when they haven't actually been infected etc...

/ Mat



Re: other virus damages/costs.....(hello skynet.be ?)

2004-02-02 Thread Matthew Sullivan
[EMAIL PROTECTED] wrote:

Enough people are sufficiently annoyed by antivirus

notifications/advertisements that they're starting to ask for DNSBLs of 
systems that send them.  I suspect before long, there will be some.
 

Already thought about it (and dismissed it)

But this really doesn't seem to be NANOG material.  Try spam-l or 
spamtools.
 

It could be - it is a network issue - particularly where so many people 
feel the need to reply with virus 'reports'...  I know the virus mails 
and the virus reports certainly caused some issues network wise at 
Telstra recently.

/ Mat




Re: interesting article on Saudi Arabia's http filtering

2004-01-15 Thread Matthew Sullivan
Chris Brenton wrote:

On Thu, 2004-01-15 at 17:11, Eric Kuhnke wrote:
 

And if he fails, what with the fact that sending all Internet traffic in 
the whole country through a single chokepoint obviously creates a single 
point of failure, all Net traffic in Saudi Arabia stops.
   

Not sure if it's still the same setup, but up till 2 years ago this
consisted of 6 HTTP proxies sitting on the same class C. Best part was
they were _open_ proxies, so it was not uncommon to have a .net or .uk
attacker bounce through them on the way to attacking your site. 
 

Not open anymore (took some persuading with SORBS, but they got closed - 
doubt it was just SORBS, but I know he complained many times because 
they were running a lot of mail through the same subnet as well)

/ Mat



Re: Extreme spam testing

2003-12-22 Thread Matthew Sullivan
Speaking as and for SORBS (another hated and loved antispam bl)..

Chris Lewis wrote:

It's worth commenting:

Triggering relay testing can occur in a number of different ways.

Some simply scan all IPs. 
I consider this abuse and don't do it.

Some scan particular ranges. 
Same as above ;-)

Some scan an IP when they receive email from it.  RR and AOL do this 
amongst biggies. 
This is what SORBS started doing - now the volume is so high, and the 
number of ports to check (and ways to check them) are so large I cannot 
do it.

Some scan an IP when they receive suspicious/spam email from a given 
IP. We've done this from time to time.  MANY other sites do this. 
This is what SORBS does now.  If we receive a mail to a SORBS feeder 
server with a spam assassin score of 5 or more, we automatically scan 
the host for proxies and relays.

Many consider scanning to be abusive in and of itself, however, there 
is a considerable amount of agreement that "scanning with email in 
hand", or, more stringently, "scanning with spam in hand" is perfectly 
justified, as in "sending me email gives implicit permission to check 
that you're secure", or, "sending me spam gives permission to check 
that you're secure" respectively.

[Some people say "if they've sent you spam, why test?  Simply 
blacklist!".  Which is silly, because you end up blacklisting everyone 
sooner or later.  By testing and not listing on a negative result, you 
have less chance of blocking a legitimate site.] 
SORBS scans after listing with 'spam in hand' for a number of reasons

1/ Not everyone uses the spam DB for blocking (eg: I use it for 
weighting at the ISP I run - I use it for blocking on my home mail)
2/ People listed will demand delisting immediately regardless (they 
don't care - it's their "right to send email"), and if they have an open 
proxy/relay, telling them to fix that first is the best way of stopping 
future spam.
3/ Proxy and relay scanning takes on average 2 hours per host (purely 
because we don't want to crash it, or the testers for that matter).  
SORBS updates every 20 minutes.

As another dimension, some people prefer to do very aggressive 
scanning - they'll test every combination of "tricks" that has been 
known to bypass anti-relay.  Others try to avoid "tricks" that are 
likely to cause grief to the testee (eg: avoiding double bounces). 
We do 19 relay tests, and we perform them twice, with 2 sets of to and from 
data.  Some of our tests cause bounces - we do try to avoid upsetting 
people, but the 'from [EMAIL PROTECTED]' test is an important one, so we 
do use it.  The test message does include a detailed description of what 
it is and who to contact if there is a problem though.

In the scheme of things, such testing is relatively minor, even of the 
"obnoxious bounce to postmaster" variety.  Tune your alarm system to 
ignore them.  If you consider a dozen or two relay tests to be 
"extreme", I'd hate to think of what you'd think of _some_ other forms 
of vulnerability testing... 
wait till he triggers SORBS - it starts with a full port scan... :-/

By blackholing the tester, you run a _significant_ risk of getting 
blacklisted, even if you don't relay or proxy.  Some blacklists do 
that. [I don't think NJABL does, but others do.]  Secondly, some of 
them use highly distributed testing.  Like SORBS.  You'll never get 
them all. 
That's right and if SORBS detects firewalling to avoid open-relay 
detection you get listed as a test blocker in the system, and should you 
get listed for spam, you will find it near on impossible to get out 
(even if it was one of your users) - just because you are considered to 
be someone 'hiding something'.

SORBS makes a point of being up front and port scanning uses no stealth 
features of nmap.  It also doesn't do stealth testing.

The spamming problem really has gotten so bad that many reputable 
organizations feel they have no choice but to test.  It's a sign of the 
times.  It's best to not get bent out of shape over it and adjust your 
processes to suit.

NJABL is reasonably well regarded.  It's best not to play games with 
it, otherwise, you may end up getting blocked by all of its users. 
We're not using NJABL, but it is one of the ones we'd consider if some 
of our current ones went down. Some medium to large sites _do_ use it.

And don't expect a "we want to be blocked so we can discourage the use 
of blacklists" attitude to work anymore.  From us, at best you'd get a 
whitelist entry.  The spamming problem really _is_ that bad.

...and I'll be a very happy man the day I shut down SORBS because spam 
is no longer an issue.  I might get a life then.

/ Mat
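As an added example of the RCPT-phase relay tests discussed above (this is not SORBS's tester; the probe names, the relaytest.invalid/victim.invalid domains and the FakeMTA stand-in are assumptions of the example): the classic envelope forms that slip past a naive relay check, driven either over a real socket or against the constructed fake server. It stops before DATA, so nothing is delivered and no bounces result; an MTA that defers its relay decision until DATA will still look open here, which is why a full test like the one described also sends a message.

```python
import socket
from collections import namedtuple

Probe = namedtuple("Probe", "name mail_from rcpt_to")


def relay_probes(target, tester="relaytest.invalid", outside="victim.invalid"):
    """Envelope forms that historically got past an MTA whose relay check only
    asks 'does my domain occur in the recipient?' or 'is the sender local?'.
    target: the domain the tested server believes is its own.
    outside: the third party a real relay abuser would aim at."""
    t = f"probe@{tester}"
    o = f"user@{outside}"
    return [
        Probe("plain third-party", t, o),
        Probe("null sender", "<>", o),
        Probe("forged local sender", f"postmaster@{target}", o),
        Probe("percent hack", t, f"user%{outside}@{target}"),
        Probe("source route", t, f"@{target}:user@{outside}"),
        Probe("quoted local part", t, f'"user@{outside}"@{target}'),
        Probe("bang path", t, f"{outside}!user@{target}"),
    ]


class SocketTransport:
    """Line-oriented SMTP transport over a real TCP connection."""

    def __init__(self, host, port=25, timeout=20):
        self.sock = socket.create_connection((host, port), timeout)
        self.f = self.sock.makefile("rwb")
        self.banner = self._reply()

    def send_line(self, line):
        self.f.write((line + "\r\n").encode("ascii"))
        self.f.flush()
        return self._reply()

    def _reply(self):
        lines = []
        while True:  # multi-line replies continue with "250-"
            line = self.f.readline().decode("ascii", "replace")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":
                return "".join(lines)


def _code(reply):
    try:
        return int(reply[:3])
    except ValueError:  # connection dropped mid-test
        return 0


def probe_relay(transport, target, helo="relaytest.invalid"):
    """Run every probe up to RCPT TO and return the names the server accepted.
    No DATA is sent, so the test delivers nothing and causes no bounces."""
    accepted = []
    transport.send_line(f"HELO {helo}")
    for p in relay_probes(target):
        transport.send_line("RSET")
        sender = p.mail_from if p.mail_from == "<>" else f"<{p.mail_from}>"
        if _code(transport.send_line(f"MAIL FROM:{sender}")) // 100 != 2:
            continue
        if _code(transport.send_line(f"RCPT TO:<{p.rcpt_to}>")) // 100 == 2:
            accepted.append(p.name)
    transport.send_line("QUIT")
    return accepted


class FakeMTA:
    """Constructed stand-in for a mail server (no network).  naive=True models
    the broken checks the probes target: 'my domain occurs somewhere in the
    recipient' and 'the sender is one of my own addresses'."""

    def __init__(self, local, naive):
        self.local, self.naive, self.sender = local, naive, ""

    def send_line(self, line):
        verb, _, arg = line.partition(" ")
        if verb == "MAIL":
            self.sender = arg.split(":", 1)[1].strip("<>")
            return "250 ok"
        if verb == "RCPT":
            rcpt = arg.split(":", 1)[1].strip("<>")
            return "250 ok" if self._relays(rcpt) else "550 relaying denied"
        return "250 ok"

    def _relays(self, rcpt):
        if self.naive:
            return self.local in rcpt or self.sender.endswith("@" + self.local)
        # strict: exactly one local domain, and no routing characters in the local part
        local_part, at, domain = rcpt.rpartition("@")
        return at == "@" and domain == self.local and not any(c in local_part for c in '@%!:"')
```

Against a live host the call is `probe_relay(SocketTransport("mx.example.invalid"), "example.invalid")`; the returned list is empty for a properly configured server and names the accepted forms otherwise.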



Whitelisting mechanism in SORBS.

2003-12-10 Thread Matthew Sullivan
Hi All,

My apologies for the public post, I'd have rather replied to the 
individuals who mailed me in response of a previous post, however time 
has passed and I have a huge inbox, and of course I would like to 
solicit more entries from those interested and just waiting to see what 
it is.

The whitelisting system previously discussed is now nearly 
complete.  The database and administration interface are indeed 
complete.  I am therefore inviting those who wanted to whitelist to 
submit the following information to me off list:

- ISP Name.
- Email address of primary ISP/company contact in case of issues (bounced 
alerts for your company will go here along with any communication from 
SORBS).
- Outward-facing IP addresses of your outgoing mailservers (last hop in the 
headers).
- Netblocks you wish to receive reports/alerts for. (Plain text CIDR 
format list Minimum /32 maximum /8)
- A list of email addresses where you wish the alerts to go to.

The system works as follows:

For the mailservers:

When spam is received at a spamtrap (automated and/or manual) you will 
have your server listed with a 1 hour TTL, you will be sent a coded URL 
to the nominated alert email addresses.  Using that coded URL you can 
delist your server immediately from the SORBS spam DB (no fine etc).  
The coded URL will timeout after 48 hours, if you have not used the URL 
by this time you will not be able to automatically remove yourself and 
the listing TTL will revert to the default (6 hours for an automated 
listings and 48 hours for a manual listings).  You will receive no more 
than 1 URL per hour per IP address.  The full headers (minus 
destination email addresses of all spams received relating to a 
particular URL) will be available using the coded URL.  Using the URLs 
to view the headers will not acknowledge the termination of the spammer 
- there is an extra step similar to that in spamcop.

Each whitehat entry has a 'whiteness' value - each expired URL will make 
your whiteness decrease by 1, each time you use a valid URL it will go 
up 1.  If further spam is received from an address to an automated 
spamtrap within 1 hour *after* you have used the URL, and acknowledged 
termination, for that IP your whiteness will decrease by 5.  Using the 
URL and acknowledgement indicates you have identified and stopped the 
flow of spam, if you choose to delist yourself before you stop the flow 
that is considered not whitehat - hence the penalty when you get caught  
(mail queuing in our system has been thought of and taken care of).  You 
can get a maximum whiteness of 9 and a minimum of -9, for anything below 
1 (ie -8 through 0 inclusive) you will be treated as not whitehat and 
will still get keys and be subject to normal TTLs (6 & 48).  If you get 
to -9 you will be considered blackhat and removed from the system.

For the network lists:

Same principles as the mailserver IP however URLs will expire after 7 
days, and TTLs are 6 hours by default.

Anyone caught listwashing will be removed.

Minimum entry is owning your own /24 (as found in public whois ;-))

Initial 'whiteness' will be 3.

Note: The whitelist/whitehat system is completely independent of the ISP 
reporting system which will provide weekly reports to ISPs/companies 
requesting them.

Yours

Matthew
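An added example modelling the coded-URL and whiteness rules from the post above; it is not the SORBS implementation. The HMAC construction of the coded URL (bound to one address and one issue time so it cannot be forged, replayed elsewhere or used after expiry), the Registry/Whitehat names and the ledger fields are assumptions of the example; the 48-hour timeout, the one-URL-per-hour-per-IP limit, the +1/-1/-5 adjustments and the 9/-9 bounds are as stated in the post.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

URL_LIFETIME = 48 * 3600   # a coded URL is usable for 48 hours
URL_RATE = 3600            # at most one URL per hour per IP address
RELAPSE_WINDOW = 3600      # more spam within 1 hour of acknowledging costs 5
WHITE_INIT, WHITE_MAX, WHITE_MIN = 3, 9, -9


def make_token(secret: bytes, ip: str, issued: int) -> str:
    """Coded URL component: ip|issued|HMAC-SHA256.  Without the secret a
    recipient cannot mint a token for another address or another time."""
    mac = hmac.new(secret, f"{ip}|{issued}".encode(), hashlib.sha256).hexdigest()
    return f"{ip}|{issued}|{mac}"


def check_token(secret: bytes, token: str, now: int):
    """Return (ip, issued) for a genuine, unexpired token, else None."""
    try:
        ip, issued, mac = token.split("|")
        issued = int(issued)
    except ValueError:
        return None
    expected = hmac.new(secret, f"{ip}|{issued}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected) or now - issued > URL_LIFETIME:
        return None
    return ip, issued


@dataclass
class Whitehat:
    name: str
    whiteness: int = WHITE_INIT
    issued: dict = field(default_factory=dict)    # token -> ip, URLs not yet used
    last_url: dict = field(default_factory=dict)  # ip -> time the last URL went out
    acked: dict = field(default_factory=dict)     # ip -> time termination was acknowledged

    def is_whitehat(self):
        return self.whiteness >= 1           # -8 through 0 are treated as not whitehat

    def removed(self):
        return self.whiteness <= WHITE_MIN   # -9: considered blackhat, dropped

    def adjust(self, delta):
        self.whiteness = max(WHITE_MIN, min(WHITE_MAX, self.whiteness + delta))


class Registry:
    def __init__(self, secret: bytes):
        self.secret = secret

    def spam_received(self, w: Whitehat, ip: str, now: int):
        """Spamtrap hit from one of w's servers.  Applies the relapse penalty,
        then returns the coded URL to mail out, or None if one went out within
        the last hour for this IP."""
        ack = w.acked.get(ip)
        if ack is not None and now - ack <= RELAPSE_WINDOW:
            w.adjust(-5)                     # delisted before the flow was really stopped
            w.acked.pop(ip)
        if ip in w.last_url and now - w.last_url[ip] < URL_RATE:
            return None
        token = make_token(self.secret, ip, now)
        w.issued[token] = ip
        w.last_url[ip] = now
        return token

    def acknowledge(self, w: Whitehat, token: str, now: int) -> bool:
        """The extra step after viewing the headers: delist now and credit 1.
        Merely viewing the headers must not call this.  Single use."""
        valid = check_token(self.secret, token, now)
        if valid is None or token not in w.issued:
            return False
        ip, _ = valid
        del w.issued[token]
        w.acked[ip] = now
        w.adjust(+1)
        return True

    def expire(self, w: Whitehat, now: int) -> int:
        """Sweep URLs left unused past 48 hours; each costs 1.  Returns the count."""
        dead = [t for t in w.issued if check_token(self.secret, t, now) is None]
        for t in dead:
            del w.issued[t]
            w.adjust(-1)
        return len(dead)
```

The secret never leaves the registry, so a token only proves that the registry issued it for that IP at that time; the ledger, not the token, decides whether it is still outstanding, which is what makes it single-use.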



SORBS DUL (Dynamic User List) announcement and suggestions welcome.

2003-11-24 Thread Matthew Sullivan
For those that didn't see it, I believe it is on topic as it is relating 
to connectivity/locations of ISPs mailservers.

---
Subject: Notice SORBS DNSbl users, regarding the easynet blacklists 
being discontinued Dec 1 2003

Hi All,

As of last night SORBS imported and merged the Easynet (Wirehub) 
Dynablock database into the SORBS DUL.

SORBS also has included the Dynablock exceptions list and now has a 
mechanism to include more exceptions to the DUL should they be necessary.

Users of the EasyNet Dynablock are welcome to use the SORBS DUL, however 
please remember that the Dynablock list was merged with the SORBS DUL.  
The DUL is available on its own as: dul.dnsbl.sorbs.net  It is also 
available via the aggregate zone: dnsbl.sorbs.net

Any positive entry in the DUL will return 127.0.0.10

Yours

Matthew
@ SORBS
---
Network operators, you are welcome and requested to submit your 
networks, both static and dynamic to SORBS for inclusion/exclusion from 
the list.  A number of you already do, for which I thank you, however 
with the import of a massive amount of data there are likely to be a 
couple of errors here and there, if you see any please mail me directly 
and I will be happy to correct the entry by either removing it or by 
creating an exclusion.

My next planned work on SORBS is as mentioned a few days ago, creating a 
whitehat system for the spam databases.  Again assuming I am not called 
off topic when it is complete I will announce it here and discuss it 
offlist.  If anyone wishes to talk to me about SORBS which would be 
considered offtopic please mail me privately or subscribe and post to 
the public '[EMAIL PROTECTED]' list.

Also, networks listed over the last few days in the spam database are 
requested to contact me as soon as possible as there are some virus 
mails that got into a spamtrap that made it into the system, these need 
to be removed asap, so if you are blocked or see any, please mail me 
offlist and I will sort them out as soon as possible. (Earthlink 
representative (if you are listening) I think one of your servers got in 
it, but I am unable to get an IP from your users at the moment)

Thanks

Yours

Matthew
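An added example, not part of the announcement above and not SORBS's own code: a lookup against the DUL zone as announced, using the reversed-octet query name and treating only a 127.0.0.10 answer as a DUL hit. The `resolver` parameter (so the logic can be exercised offline) and the sanity check that rejects answers outside 127.0.0.0/8 (the signature of a dead or wildcarded zone that would otherwise "list" everything) are this example's own additions, as is the weighting helper that mirrors using the list for scoring rather than outright blocking.

```python
import socket

DUL_ZONE = "dul.dnsbl.sorbs.net"   # zone named in the announcement
DUL_CODE = "127.0.0.10"            # positive DUL answer, from the announcement


def dnsbl_query_name(ip, zone=DUL_ZONE):
    """Reverse the four octets and append the zone,
    e.g. 64.115.47.1 -> 1.47.115.64.dul.dnsbl.sorbs.net"""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


def _resolve_a(name):
    """Default resolver: the A records for name, [] on NXDOMAIN or lookup failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check(ip, zone=DUL_ZONE, resolver=_resolve_a):
    """Look ip up in zone.  Returns the query name, the raw answers, whether
    the answers look like a working DNSBL, and whether ip is DUL-listed."""
    name = dnsbl_query_name(ip, zone)
    answers = list(resolver(name) or [])
    # A DNSBL answers only inside 127.0.0.0/8.  Anything else means the zone is
    # broken or wildcarded, and must not be treated as a listing (fail open).
    sane = all(a.startswith("127.") for a in answers)
    return {
        "name": name,
        "answers": answers,
        "sane": sane,
        "listed": sane and DUL_CODE in answers,
    }


def score_contribution(ip, listed_weight=3.0, resolver=_resolve_a):
    """Use the list for weighting rather than blocking: the points a DUL hit
    adds to a message's score, 0.0 when unlisted or when the zone looks broken."""
    return listed_weight if check(ip, resolver=resolver)["listed"] else 0.0
```

In production the resolver should be a local caching nameserver; the sanity check is worth keeping because a list that is shut down and later wildcarded will otherwise silently block all mail.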




Re: RBLs in use

2003-11-20 Thread Matthew Sullivan
I'm gonna post this back publicly because it will be of interest to 
all (I hope)...

Jasper van Beusekom wrote:

Mat:

 

No one is exempt from listing in SORBS, but proven whitehats don't get
blocked.
   

Do you have many such contacts?

I have a few (less than 50)

Would it be something to create a DNSBL
list for known whitehats and sites with functioning abuse teams? Such a
whitelist could be a partial implementation of a 'trusted network'
principle.
I am *currently* creating an extension to SORBS which will allow ISPs to 
register as whitehats along with their mailservers and netblocks, and a 
fast response email address.

The idea being if a mailserver is about to be listed they will get 24 
hours warning to avert the listing.  If addresses within their netblocks 
get listed they will get notification mails, and the host is listed 
immediately.

A similar project runs under the DNSBL domain:
 nlwhitelist.dnsbl.bit.nl
Usenet reference unfortunately in Dutch: 
 [EMAIL PROTECTED]

Basically, respectable ISPs with active abuse desks can request to get 
listed, and will be removed when complaints start coming in.

Whitelists wouldn't attract the same kind of DDoS activities either.

I think I'll still be a DDoS target though ;-/

Yours

Mat




Re: RBLs in use

2003-11-20 Thread Matthew Sullivan
Suresh Ramasubramanian wrote:

Kai Schlichting <[EMAIL PROTECTED]> writes:

 

BT have (quite rightly) been repeatedly blocked by DNSBL's and private
lists as a result of their poor record in handling abuse incidents (whether
that's by intent or negligence by way of a colossal management failure is
another debate entirely).
   

How sure are you, beyond just the usual nan(og|ae) idle chatter?  BT is much better off than some ISPs I can think of.

I do happen to know they have a few good people in there working for them.

There are?  SORBS has been listing BT for some time now because of the 
continual stream of spam to the spamtraps, and first contact was made 
within the last 7 days - and from memory that mail appeared to be a bit of 
throwing ones weight around (which doesn't wash with me at all - 
everyone is treated the same, and if I am treated with respect I treat 
others with respect).

If the guy is asking for DNSBLs to use, and you have some good ones in mind, help him, I'd say.
 

I agree, though based on the recent communication I wonder whether 
someone is after finding out whether they should be able to safely 
ignore lists such as mine ... ;-/

Yours

Mat

PS: If there are BT staffers here with clout, you might want to contact 
me over the listings.  No one is exempt from listing in SORBS, but proven 
whitehats don't get blocked.




Re: ISPs' willingness to take action

2003-11-03 Thread Matthew Sullivan
Scott Francis wrote:

Top posting self-reply: looks like a lot of what I've suggested may have
finally been acknowledged by MS, according to a recent Register.co.uk
article.
http://www.theregister.co.uk/content/56/33599.html
We can only hope ...
 

I read that article when it was new, a long article, however a damn good 
read, and IMO worth 10 minutes to read it properly.

Yours

Mat



Re: Portscans/PROXY scans

2003-11-02 Thread Matthew Sullivan
Andrew D Kirch wrote:

There are however legitimate reasons for a portscan, responding to incoming abuse and attack being one of them, automatically searching for openrealys used to send you spam is another.

And on that note I would like to inform all, the new SORBS scanning 
process is running, this involves scanning all ports of machines used to 
send spam or high spamassassin scoring mail.  When scanning is complete 
it will test each port for various proxy and relay methods, 
identification rate varies, but I have found a large number of proxy 
servers recently (as many as 30 in any one minute) on unusual ports 
(similar to jeem, but appearing anywhere port 1 through 65535).

If you see a scan, the SORBS scans are initiated with nmap and are not 
using any of the stealth options (deliberately), each host scanning has 
a PTR record indicating a sorbs.net host barring one - that one will 
answer on port 80 with the SORBS website.

Scans are performed after a host sends spam or high scoring mail only, 
and should only be tested once in any 3 month period, unless spam is 
received in which case it may be tested manually as well.

I'm sorry if that inconveniences users, and/or admins, however I believe 
it is for the greater good.

As before anyone wanting network reports for the networks they are 
responsible for should send email to me (off list) and I will arrange 
it, there is a weekly reporting system already running at SORBS.

Yours

Matthew
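An added example of the per-port proxy tests described above; it is not SORBS's scanner. It probes one port for SOCKS4, SOCKS5 (no-authentication) and HTTP CONNECT, with parsers for the positive replies, using a fresh connection per protocol. The TEST-NET target address, the `exchange` callback and the constructed replies used offline are assumptions of the example; a SOCKS5 greeting that is accepted still needs a CONNECT request to confirm the proxy actually relays.

```python
import socket
import struct

PROBE_TARGET = ("192.0.2.25", 25)   # TEST-NET-1; the proxy is asked to reach this


def socks4_request(ip, port, userid=b"probe"):
    """VN=4, CD=1 (CONNECT), DSTPORT, DSTIP, USERID, NUL."""
    return struct.pack("!BBH4s", 4, 1, port, socket.inet_aton(ip)) + userid + b"\x00"


def socks4_granted(reply):
    """Reply VN=0, CD=90 means the request was granted."""
    return len(reply) >= 2 and reply[0] == 0 and reply[1] == 90


def socks5_greeting():
    """VER=5, NMETHODS=1, METHOD=0 (no authentication)."""
    return b"\x05\x01\x00"


def socks5_no_auth(reply):
    """VER=5, METHOD=0: the server will talk SOCKS5 without credentials."""
    return len(reply) >= 2 and reply[0] == 5 and reply[1] == 0


def http_connect(ip, port):
    return f"CONNECT {ip}:{port} HTTP/1.0\r\nHost: {ip}:{port}\r\n\r\n".encode()


def http_connect_ok(reply):
    """Status line 'HTTP/1.x 200 ...' means the tunnel was opened."""
    parts = reply.split(b"\r\n", 1)[0].split()
    return len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1] == b"200"


PROBES = (
    ("socks4", lambda: socks4_request(*PROBE_TARGET), socks4_granted),
    ("socks5-noauth", socks5_greeting, socks5_no_auth),
    ("http-connect", lambda: http_connect(*PROBE_TARGET), http_connect_ok),
)


def classify(exchange):
    """exchange(request_bytes) -> reply bytes (b'' on timeout or refusal).
    Returns the names of the proxy protocols the port answered positively."""
    found = []
    for name, build, positive in PROBES:
        try:
            reply = exchange(build())
        except OSError:
            reply = b""
        if positive(reply):
            found.append(name)
    return found


def probe_port(host, port, timeout=10.0):
    """One fresh TCP connection per protocol: a proxy that receives SOCKS bytes
    usually drops the connection, so the probes cannot share one."""
    def exchange(request):
        with socket.create_connection((host, port), timeout) as s:
            s.sendall(request)
            return s.recv(512)
    return classify(exchange)
```

`probe_port(host, port)` is what a scan would call for every open port found; a non-empty result on an unusual port is exactly the "proxy on port 1 through 65535" case the post describes.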




Re: ISPs' willingness to take action

2003-10-27 Thread Matthew Sullivan
Stewart, William C (Bill), RTSLS wrote:

I'm really surprised to hear the assertion that people are
leaving unfirewalled Exchange servers out on the net.
Is this actually common?/shudders...
 

If that causes you to shudder I won't tell you the extent of the 
Exchange Servers I have found on the internet to date.

The problem is more that there is no 'easy' VPN solution, and without it 
you have the situation of companies making Exchange accessible in a 
semi-unfirewalled state (semi in that some ports are firewalled however 
the Microsoft ports are not).

/ Mat

PS: Some of the worst are in the SORBS database because they couldn't 
even work out how to secure them against simple relay.



Re: Abuse Departments

2003-10-12 Thread Matthew Sullivan
Bryan Heitman wrote:

Would you perhaps have more underlying problems if a "script kiddie" on a
dialup can attack you in such a way to impact your service?
 

Yeah?  See:  http://www.irbs.net/internet/nanog/0308/1463.html

/ Mat




Re: Security v. Privacy (was Re: Is there anything that actually gets users to fix their computers?)

2003-10-05 Thread Matthew Sullivan
Sean Donelan wrote:

The difference being campus machines are null routed rather than
disconnected, and they are not reconnected until checked and clean.
   

And once again, the question: how do you know the machines have been
checked and cleaned before they are reconnected?  Do you take the
customers word, or do you perform some other check yourself?
If it's in the campus we take their word for it the first time 
(local/dept IT personnel only).

Dialups/externals we take their word for it the first time.

Second time for campus machines they are usually checked over by a 
member of the ITS security team.

Second time for dialups/externals again take their word for it, however 
warn strongly about the 3rd time.

Third time externals/dialups don't connect with us again.

Campus machines - I have yet to have this happen.

Network security is high priority here and it doesn't matter what
machine is compromised, they are all disconnected in one way or another,
and yet we still have to nuke machines occasionally because of
suspicious (DDoS/scanning etc) traffic.
   

Seems like a re-active policy.  Why don't you check the computers before
they start exhibiting suspicious behavior, such as when they are first
connected to the network?  Waiting until after the computer is compromised
is too late.
 

Already doing this...  except we are also actively scanning (new policy) 
all computers connected periodically.  It has taken a long time 
to get the train of thought that scanning is a good thing.  (FYI using 
Nessus)

Should commercial service providers have the same policy when new
customers connect to the network?
That is still reactive here, but I see no real reason why it shouldn't be.

Or is it considered a bad thing to warn customers about vulnerabilities
in their computers in advance.  Instead waiting until after your receive a
complaint about something exploiting those vulnerabilities before taking
action?
 

Personally I feel there are 3 problems

1/ Some people are already security conscious and will give you merry 
hell over security scans (filling logs, false positives etc)
2/ Some people consider it an invasion of privacy - personally I'd tell 
these people to go elsewhere if it was up to me.
3/ People install software after installing the machines and getting 
them connected.

/ Mat



Re: Security v. Privacy (was Re: Is there anything that actually gets users to fix their computers?)

2003-10-05 Thread Matthew Sullivan
Suresh Ramasubramanian wrote:

Matthew Sullivan [06/10/03 11:38 +1000]:
 

Third time their account is deleted.

I am yet to have one that has reached the third time - 85k users here.
   

Let me guess - that'd mostly be dialup users, right?  Or maybe simply email
users?  Not (say) T1 and larger users? 

 

That's:

Dialup, ISDN and analog (ISP)
Hosted Servers (ISP)
Gigabit/100M Connected Networks (Uni Campus/Colleges)
Counting the campus & colleges machines there are a lot more than 85k.

The difference being campus machines are null routed rather than 
disconnected, and they are not reconnected until checked and clean.

We have one machine that within 2 weeks got trojaned twice, 4 months 
later it's still null routed because the machine owner cannot guarantee 
that it won't get trojaned again.

Network security is high priority here and it doesn't matter what 
machine is compromised, they are all disconnected in one way or another, 
and yet we still have to nuke machines occasionally because of 
suspicious (DDoS/scanning etc) traffic.

/ Mat



Re: Security v. Privacy (was Re: Is there anything that actually gets users to fix their computers?)

2003-10-05 Thread Matthew Sullivan
Suresh Ramasubramanian wrote:

Sean Donelan [05/10/03 17:44 -0400]:
 

What happens a few hours later when you start getting complaints again
about the same customer?  Do you turn the connection off again.  And
   

Sure, turn it off again.  And again.

Sooner or later, it will dawn on the customer that no, his system is not
fixed.  And in the meantime, both his bandwidth quota (if any) and the ISP's
pipes avoid getting saturated with worms.
 

We have a better way - first time they get turned off.

Second time they get turned off and told if it happens again you will be 
told to get service elsewhere.

Third time their account is deleted.

I am yet to have one that has reached the third time - 85k users here.

/ Mat



Re: Any way to P-T-P Distribute the RBL lists?

2003-09-25 Thread Matthew Sullivan
Jay Kline wrote:

The trick then will be to have as many different participants as possible,
and to have each participant share who it thinks the other participants are
(or explicitly are not).  Then if you take out one node, the others are not
prevented from functioning.
 

Again, the problem is if you are the secondary or distribution point  
that is having its turn at being DDoSed are you going to be happy with 
100M of targeted crap being aimed at your ip space?

Are you going to come back online as soon as the DDoSer moves to the 
next target?

The problem here is the amount of DDoS traffic is significant enough for 
the upstreams to say "we're not going to carry this, fix it or we'll drop 
you" - except in the cases of nodes in various IX's - however there 
aren't many willing to put nodes in IX's (and certainly not for free).

/ Mat



Re: Any way to P-T-P Distribute the RBL lists?

2003-09-25 Thread Matthew Sullivan
Aaron Dewell wrote:

On Thu, 25 Sep 2003, Eric A. Hall wrote:
> > I know you all have probably already thought of this, but
> > can anyone think of a feasible way to run a RBL list that does not have
> > a single point of failure? Or any attackable entry?
>
> Easy. Have the master server only be reachable by replication partners
> through a VPN connection, and have dozens of secondaries advertising
> through multiple anycast addresses.
So why couldn't you follow this plan without the VPN and anycast?  Have a
couple of master servers totally unpublished (nobody except the secondaries
know about it), then have dozens of secondaries that are the ones actually
used (or AXFR'd off of).  You can't attack all the secondaries at once if
there are enough of them, and the master server is unknown (hopefully).
You could certainly improve on that system with a VPN, but the service is
reasonable without it.  Make your secondaries be volunteers who sign an
agreement to never tell anyone what your master IP addresses are.  If they
get out, shift the master files to a secondary, notify the other secondaries
by secure channels, and you're back in business.
Even better - Publish all the servers, nobody knows who the masters are of
this list of N servers, and rotate it when needed or every so often.
I'd be a secondary/rotating master in that setup.  I'm sure you'd get a
bunch of volunteers.
 

All well and good until the DDoSer systematically DDoSes each secondary 
in order as has happened with SPEWS and SORBS.

Further, what's the point of having a DNSbl if the blocked parties 
cannot get to the website to:

1/ Find out why they are blocked.
2/ Get delisted when they have fixed the issue.
When it comes to SPEWS - that isn't so much of an issue, with SORBS it 
is the main part of the system.

/ Mat




Re: monkeys.dom UPL being DDOSed to death

2003-09-23 Thread Matthew Sullivan
Kai Schlichting wrote:

On 9/23/2003 at 5:16 PM, "Mike Tancsa" <[EMAIL PROTECTED]> wrote:
 


- BGP anycast, ideally suited for such forwarding proxies.
 Anyone here feeling very adept with BGP anycast (I don't) for
 the purpose of running such a service? This is a solution that
 has to be suggested and explained to some of the DNSBL operators.
If someone reading this has gone forward with a private mailing list to
discuss all these issues, I'd be happy to receive an invitation to donate
my [lack of] smarts to the cause.
 

I'm trying to get the funds together to create a free for free DNSbls 
anycast network, however it's not cheap, and the idea hosters are not 
gonna do it for free.

/ Mat




Apologies

2003-09-23 Thread Matthew Sullivan
Apologies to all, and the other DNSbls,  I'm a little uptight about how 
long it is taking for the arrest of the DDoSer.

Yes he has been identified, and that's all I can say.

/ Mat



Follow up to: [Fwd: monkeys.dom UPL DNSBL being DDOSed to death]

2003-09-23 Thread Matthew Sullivan
Hi all,

Sorry people I had forgotten about EasyNet.nl's proxy list (Wirehub) 
and for the record for a proxy spam blocker I don't rate the opm.

Yours

Matthew



[Fwd: monkeys.dom UPL DNSBL being DDOSed to death]

2003-09-23 Thread Matthew Sullivan
Forwarded for your information.  That leaves 2 proxy DNSbls left - SORBS and 
DSBL...  Looking at the stats for SORBS over at SDSC, it looks like SORBS is 
pretty ineffective thanks to the DDoS:

(see: http://www.sdsc.edu/~jeff/spam/cbc.html)

 Original Message 
From: Jon R. Kibler <[EMAIL PROTECTED]>
Newsgroups: news.admin.net-abuse.email
Subject: monkeys.dom UPL DNSBL being DDOSed to death
Date: Tue, 23 Sep 2003 14:26:47 -0400
Greetings to all:

I have some really sad news. I just got off the telephone with Ron Guilmette 
who runs the monkeys.com Unsecured Proxies List DNSBL. I hate to say it, but 
monkeys.com has been killed. It has been DDOSed to death.

Ron says that every aspect of his network is undergoing a massive DDOS 
attack from thousands of IPs -- apparently many/all spoofed. He has tried to 
get law enforcement to investigate, but to no avail. He indicated that this 
is probably the end of his service.

This makes two DNSBLs that have been DDOSed to death recently. Which one is 
next? NJABL? ORDB?

The computer security industry really needs to figure out how to get law 
enforcement to take these attacks seriously. It would only take a few good 
prosecutions to put an end to these types of attacks. Any thoughts/suggestions?

This is really a dark day for those of us fighting spam. It looks like the 
spammers have won a BIG battle. The only question now is who will be the 
next casualty in this war?

Jon R. Kibler
A.S.E.T., Inc.
Charleston, SC  USA


Re: VeriSign SMTP reject server updated

2003-09-20 Thread Matthew Sullivan
Declan McCullagh wrote:

On Sat, Sep 20, 2003 at 11:34:17AM -0700, ken emery wrote:
 

I think you haven't "gotten it".  I'm getting the message from you that
the changes made to the com and net gTLD's are fait accompli.  From the
   

That's the exact message I got from Verisign on Thursday. See:
http://news.com.com/2100-1024-5078657.html
Basically Verisign is willing to tweak the service to make it less
controversial but not stop it.
 

Then Verisign is no longer a responsible holder of the data and ICANN 
should act to remove their control and invalid data.

/ Mat




Re: What *are* they smoking?

2003-09-15 Thread Matthew Sullivan
Patrick W. Gilmore wrote:

-- On Tuesday, September 16, 2003 00:56 +0200
-- Niels Bakker <[EMAIL PROTECTED]> supposedly wrote:
A wildcard A record in the net TLD.

$ host does.really-not-exist.net
does.really-not-exist.net has address 64.94.110.11
$ host 64.94.110.11
11.110.94.64.IN-ADDR.ARPA domain name pointer 
sitefinder-idn.verisign.com

It even responds on port 25 (says 550 on every RCPT TO).  Gah.


No, it accepts if the from domain exists - but only if it *REALLY* 
exists.

[...]
rcpt to: [EMAIL PROTECTED]
250 OK
mail from: [EMAIL PROTECTED]
550 User domain does not exist.
mail from: [EMAIL PROTECTED]
250 OK
Nice that their spam filters still work. :(

And I love the 221 close message:

data
221 snubby1-wcwest Snubby Mail Rejector Daemon v1.3 closing 
transmission channel
Connection closed by foreign host.

Worse than that - it's a fixed sequence of responses...

$ telnet akdjflasdf.com 25
Trying 64.94.110.11...
Connected to akdjflasdf.com.
Escape character is '^]'.
220 snubby4-wceast Snubby Mail Rejector Daemon v1.3 ready
sdfg
250 OK
sdfgsdfgsdfgsdf
250 OK
sdfgdfgaegqaergqaergvav
550 User domain does not exist.
asdfgasdfgasdf
250 OK
sdfasdfadsfasdf
221 snubby4-wceast Snubby Mail Rejector Daemon v1.3 closing transmission 
channel
Connection closed by foreign host.

/ Mat
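The "fixed sequence of responses" Mat observed above is the property that separates a canned mail rejector from a real MTA: its replies do not depend on what the client sends. The following is an added example, not code from the thread or from VeriSign; it models such a rejector and a conforming MTA in memory (hypothetical `canned_rejector` and `real_mta` factories) and shows a check an operator could use to classify a suspicious MX from two short transcripts.

```python
"""Added example: tell a canned-response SMTP rejector from a real MTA by
checking whether its replies depend on the client's commands."""
from typing import Callable, List

# Reply sequence as quoted in the thread (after the 220 banner), which the
# rejector walks through regardless of the commands it receives.
CANNED_REPLIES = [
    "250 OK",
    "250 OK",
    "550 User domain does not exist.",
    "250 OK",
    "221 snubby Snubby Mail Rejector Daemon closing transmission channel",
]

def canned_rejector() -> Callable[[str], str]:
    """Server model: ignores the command text and emits the fixed list."""
    replies = iter(CANNED_REPLIES)
    return lambda command: next(replies, CANNED_REPLIES[-1])

def real_mta() -> Callable[[str], str]:
    """Minimal model of a conforming MTA: the reply depends on the verb."""
    def respond(command: str) -> str:
        verb = command.split(":")[0].split(" ")[0].upper()
        if verb in ("HELO", "EHLO", "MAIL", "RCPT", "RSET", "NOOP"):
            return "250 OK"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Syntax error, command unrecognized"  # RFC 5321 garbage reply
    return respond

def transcript(session: Callable[[str], str], commands: List[str]) -> List[str]:
    """Send each command and collect the three-digit reply codes."""
    return [session(c)[:3] for c in commands]

def is_fixed_sequence(server_factory: Callable[[], Callable[[str], str]]) -> bool:
    """Open two fresh sessions: one with a valid SMTP dialogue, one with
    nonsense of the same length (as in the quoted telnet session). If the
    reply codes are identical, the server is not parsing commands at all."""
    valid = ["HELO probe.example", "MAIL FROM:<a@example.org>",
             "RCPT TO:<b@example.net>", "RSET", "QUIT"]
    garbage = ["sdfg", "sdfgsdfgsdfgsdf", "sdfgdfgaegqaergqaergvav",
               "asdfgasdfgasdf", "sdfasdfadsfasdf"]
    return transcript(server_factory(), valid) == transcript(server_factory(), garbage)
```

A real MTA answers the garbage lines with 5xx syntax errors, so the two transcripts differ; the rejector returns the same codes for both.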




