RE: Google contact?

2008-04-17 Thread Raymond L. Corbin

It'd be nice if more companies of their size responded that way. :)

-Ray

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darden, Patrick 
S.
Sent: Thursday, April 17, 2008 1:40 PM
To: nanog@merit.edu
Subject: RE: Google contact?



Thanks everyone!  Several people from Google responded very quickly, and the 
issue was resolved faster than I can believe.
--Patrick Darden
--ARMC


RE: Problems sending mail to yahoo?

2008-04-13 Thread Raymond L. Corbin

I agree that they aren't completely useless. From our environment the abuse 
desks can be somewhat overwhelmed though. If you set up feedback loops for 
networks the size of
1x /16
2x /17
2x /18
1x /19
to receive abuse complaints on dedicated / collocated customers you do get 
some good complaints. Some of the time it is from compromised scripts, 
sometimes actual spammers, but most of the time it is from forwarded spam. This 
makes the abuse desk full of thousands and thousands of complaints. You can 
look in the headers of the spam complaints and see that it is forwarded spam, 
but it is still overhead. So signing up for a feedback loop for the entire 
network with something like Yahoo! can be burdensome and make abuse@ full of 
useless complaints. This isn't the problem I suppose in most environments, but 
it is in mine. Yahoo! blocking entire /24's are not necessarily a large 
problem, the larger problem is

A. they don't tell you when it is blocked (I don't believe it would be hard to 
email the abuse@ contact of the IP address range..)

B. their 'Bulk Mail Advocates' say they cannot tell what IP's are generating 
the /24 block once it is in place (perhaps it can be prior to the block?).

C. They offer no way for certain IP addresses to be exempted from the /24 
'de-prioritization'. This means the smaller companies who send maybe 3 or 4 
emails to Yahoo a day are having difficulty and there's nothing you can do 
until the issue with the entire /24 is solved.

Administrators who actually find ways to get in touch with Yahoo to resolve 
issues are hindered by Yahoo's stance of 'It's coming from your network, you 
should be able to monitor it and figure it out'. In a dedicated/colo 
environment I don't think it is really reasonable to expect companies to log in to 
each server in a /24 to see who is sending mail to Yahoo. And even if they are 
sending mail to Yahoo we're not psychic so we cannot tell what their users are 
marking as spam and what's not. I suppose the feedback loop would say that 
but...then abuse@ is flooded with complaints that are mostly mutual customers' 
fault. Chances are if a server is sending spam to Yahoo they are sending it to 
quite a few other places as well which do actively report it.

-Ray


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Dennis
Sent: Sunday, April 13, 2008 7:16 PM
To: Geo.
Cc: nanog@merit.edu
Subject: Re: Problems sending mail to yahoo?


On Sun, 13 Apr 2008, Geo. wrote:



  of abuse might be useful for large providers, but since we can't even
  get many domains even to set up the already-specified abuse@ address, much
  less read the mail we send to it,

 When someone like AOL offloads their user complaints of spams to all the
 abuse@ addresses instead of verifying that they actually are spams before
 sending off complaints, is it any surprise that everyone else is refusing to
 do their jobs for them?

 The reason abuse@ addresses are useless is because what is being sent to
 them is useless.

As one that works for a company that makes full use of complaints sent to it,
abuse@ addresses are not useless, far from it.  Please don't get the idea that
because some think they're useless, it therefore is universal.  We also get
100s of AOL feedbacks a day, which are filtered separately.  Also not useless.
And we've also reported incidents to other companies' abuse functions, and had
them be resolved same-day because of it.  Also, far from useless.

How about if you're not actively in an abuse function, you hold off on declaring
the function useless, cause the meme could catch on that it is, even if it's
not, and I've yet to see an automated filtering/blocking system fully replace or
completely obsolete a good trained network operator who understands what is and
is not abuse on the network.

-Dave D


RE: /24 blocking by ISPs - Re: Problems sending mail to yahoo?

2008-04-11 Thread Raymond L. Corbin

It's not unusual to do /24 blocks, however Yahoo claims they do not keep any 
logs as to what causes the /24 block. If they kept logs and were able to tell 
us which IP address in the /24 sent abuse to their network we would then be 
able to investigate it. Their stance of 'it's coming from your network you 
should know' isn't really helpful in solving the problem. When an IP is blocked 
a lot of ISP's can tell you why. I would think when they block a /24 they would 
at least be able to decipher who was sending the abuse to their network to cause 
the block and not simply say 'We're sorry our anti-spam measures do not conform 
with your business practices'. Logging into every server using a /24 is looking 
for a needle in a haystack.

-Ray

From: Suresh Ramasubramanian [EMAIL PROTECTED]
Sent: Thursday, April 10, 2008 11:56 PM
To: Raymond L. Corbin
Cc: Chris Stone; nanog@merit.edu
Subject: /24 blocking by ISPs - Re: Problems sending mail to yahoo?

On Fri, Apr 11, 2008 at 1:22 AM, Raymond L. Corbin
[EMAIL PROTECTED] wrote:

 Yeah, but without them saying which IP's are causing the problems you can't 
 really tell
 which servers in a datacenter are forwarding their spam/abusing Yahoo. Once 
 the /24
 block is in place then they claim to have no way of knowing who actually 
 caused the block
 on the /24. The feedback loop would help depending on your network size.

Almost every large ISP does that kind of complimentary upgrade

There are enough networks around, like he.net, Yipes, PCCW Global /
Cais etc, that host huge amounts of snowshoe spammers -
http://www.spamhaus.org/faq/answers.lasso?section=Glossary#233 (you
know, randomly named / named after a pattern domains, with anonymous
whois or probably a PO box / UPS store in the whois contact, DNS
served by the usual suspects like Moniker..)

a /27 or /26 in a /24 might generate enough spam to drown the volume
of legitimate email from the rest of the /24, and that would cause
this kind of /24 block

In some cases, such as 63.217/16 on CAIS / PCCW, there is NOTHING
except spam coming from several /24s (and there's a /20 and a /21 out
of it in spamhaus), and practically zero traffic from the rest of the
/16.

Or there's Cogent with a similar infestation spread around 38.106/16

ISPs with virtual hosting farms full of hacked cgi/php scripts,
forwarders etc just don't trigger /24 blocks at the rate that ISPs
hosting snowshoe spammers do.

/24 blocks are simply a kind of motivation for large colo farms to try
choosing between hosting spammers and hosting legitimate customers.

srs ..


RE: Problems sending mail to yahoo?

2008-04-10 Thread Raymond L. Corbin

Hello,

I have had to tell some dedicated server clients that they will need to disable 
their forwards to Yahoo or add something like postini for those accounts that 
forward to Yahoo...It generally works...however Yahoo! for the past three 
months is now blocking entire /24's if a few IP's get complaints. They have the 
feedback loops however when you have a network with 175,000 IP addresses and 
you sign up for a feedback loop for them all they tend to flood your abuse desk 
with false positives, or forwarded spam. They also don't keep track of which 
IP's are getting the complaints for you to investigate after the block on the 
/24 so asking them won't help :(. This potentially means one customer could 
easily affect the other customer. They offer whitelisting, but this won't get 
you past their blocks on the entire /24. They apparently will eventually 
accept the message because they aren't necessarily 'blocked' but they are 
'deprioritized' meaning they don't believe your IP is important enough to 
deliver the message at that time, so they want you to keep trying and when 
their servers are not 'busy' or 'over loaded' they will accept the message. 
(Paraphrased from conversations with their 'Bulk Mail Advocacies and Anti-Abuse 
manager.)

-Ray

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Stone
Sent: Thursday, April 10, 2008 1:49 PM
To: nanog@merit.edu
Subject: Re: Problems sending mail to yahoo?


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Barry Shein wrote:
 Is it just us or are there general problems with sending email to
 yahoo in the past few weeks? Our queues to them are backed up though
 they drain slowly.

 They frequently return:

421 4.7.0 [TS01] Messages from MAILSERVERIP temporarily deferred due 
 to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html

 (where MAILSERVERIP is one of our mail server ip addresses)

 Just wondering if this was a widespread problem or are we just so
 blessed, and any insights into what's going on over there.

I see this a lot also and what I see causing it is accounts on my servers
that don't opt for spam filtering and they have their accounts here set to
forward mail to their yahoo.com accounts - spam and everything then gets
sent there - they complain to yahoo.com about the spam and bingo - email
delays from here to yahoo.com accounts



Chris


- 
Chris Stone, MCSE
Vice President, CTO
AxisInternet, Inc.
910 16th St., Suite 1110, Denver, CO 80202
- 
PH  303.592.AXIS x302  -  866.317.AXIS  |  FAX  303.893.AXIS
- 
[EMAIL PROTECTED]| www.axint.net
- 




RE: Problems sending mail to yahoo?

2008-04-10 Thread Raymond L. Corbin

Yeah, but without them saying which IP's are causing the problems you can't 
really tell which servers in a datacenter are forwarding their spam/abusing 
Yahoo. Once the /24 block is in place then they claim to have no way of knowing 
who actually caused the block on the /24. The feedback loop would help 
depending on your network size. When you have a few hundred thousand clients, 
and those clients have clients, and they even have clients, it simply floods 
your abuse desk with complaints from Yahoo when it is obviously forwarded spam. 
So it's more of a pick your poison: deal with customer complaints about not being 
able to send to yahoo for a few days or get your abuse desk flooded with 
complaints which hinders solving actual issues like compromised accounts.

-Ray

-Original Message-
From: Chris Stone [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 10, 2008 3:33 PM
To: Raymond L. Corbin
Cc: nanog@merit.edu
Subject: Re: Problems sending mail to yahoo?

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Raymond L. Corbin wrote:
 Hello,

 I have had to tell some dedicated server clients that they will need to 
 disable their forwards to Yahoo or add something like postini for those 
 accounts that forward to Yahoo...It generally works...however Yahoo! for the 
 past three months is now blocking entire /24's if a few IP's get complaints. 
 They have the feedback loops however when you have a network with 175,000 IP 
 addresses and you sign up for a feedback loop for them all they tend to flood 
 your abuse desk with false positives, or forwarded spam. They also don't keep 
 track of which IP's are getting the complaints for you to investigate after 
 the block on the /24 so asking them won't help :(. This potentially means one 
 customer could easily effect the other customer. They offer whitelisting, but 
 this won't get you passed their blocks on the entire /24. They apparently 
 will eventually accept the message because they aren't necessarily 'blocked' 
 but they are 'depriortized' meaning they don't believe your IP is important 
 enough to deliver the message at that time, so they want you to keep trying 
 and when their servers are not 'busy' or 'over loaded' they will accept the 
 message. (Paraphrased from conversations with their 'Bulk Mail Advocacies and 
 Anti-Abuse manager.)

I've had to tell some of our customers the same and that if they wanted to
continue the forwarding to their yahoo.com accounts, they'd need to add spam
filtering to their accounts here so that the crap is not forwarded,
resulting in the email delays for all customers. Works for some and
generated more revenue ;-)


Chris



RE: Problems sending mail to yahoo?

2008-04-10 Thread Raymond L. Corbin

In a large multi-datacenter environment you can't login to each users servers 
and tail their logs to see who's forwarding :( .

I'm more of a windows person, but when working with a client on Linux using 
EXIM I think I did

fgrep yahoo.com /etc/valiases/* > yahoo-fwds.txt

Something like that to get a list of all of the addresses that forward to 
Yahoo...I think they used CPanel on their server too. Other than that I believe 
I was grepping through other clients logs for the most popular Yahoo email 
addresses...

I think that if they are going to do CIDR blocks they should at least keep logs 
as to what caused them to escalate it to that not simply say 'it's your network 
you figure it out..'

-Ray

-Original Message-
From: Chris Stone [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 10, 2008 4:08 PM
To: Raymond L. Corbin
Cc: nanog@merit.edu
Subject: Re: Problems sending mail to yahoo?

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Raymond L. Corbin wrote:
 Yeah, but without them saying which IP's are causing the problems you can't 
 really tell which servers in a datacenter are forwarding their spam/abusing 
 Yahoo. Once the /24 block is in place then they claim to have no way of 
 knowing who actually caused the block on the /24. The feedback loop would 
 help depending on your network size. When you have a few hundred thousand 
 clients, and those clients have clients, and they even have client, it simply 
 floods your abuse desk with complaints from Yahoo when it is obviously 
 forwarded spam. So it's more of pick your poison deal with customer 
 complaints about not being able to send to yahoo for a few days or get your 
 abuse desk flooded with complaints which hinders solving actual issues like 
 compromised accounts.

I look at all my mail server log files and see which logs show obvious spam
being forwarded (a lot of times the MAIL FROM address is a dead giveaway) or
I tail -F the mail log for a bit and watch the spam coming in and forwarding
back out. When I see the forwarding domain that's who I have contacted to
upsell some spam filtering. But, we're a small ISP, so I don't have
thousands, let alone hundreds of thousands of clients, to deal with...



Chris

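Added example (not part of any message in this thread, and not code from any poster): one way to do the triage discussed above from your own side, by tallying Yahoo's 421 [TS01] deferrals per sending IP within each /24 and listing aliases that forward to Yahoo by exact destination domain rather than by substring. The "alias: dest1, dest2" file layout, the surrounding log-line layout and all sample data are assumptions constructed for illustration; only the 421 text itself is taken from the thread.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Deferral text as quoted in this thread; Yahoo embeds the sending IP in it.
TS01_RE = re.compile(
    r"421 4\.7\.0 \[TS01\] Messages from (\d{1,3}(?:\.\d{1,3}){3}) temporarily deferred"
)
YAHOO_DOMAINS = {"yahoo.com"}  # assumption: add other Yahoo-hosted domains as needed


def deferrals_by_slash24(log_lines):
    """Return {"a.b.c.0/24": Counter({sending_ip: deferral_count})}."""
    result = defaultdict(Counter)
    for line in log_lines:
        match = TS01_RE.search(line)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # digits that are not a valid IPv4 address, e.g. 999.1.1.1
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        result[str(net)][str(ip)] += 1
    return dict(result)


def yahoo_forwards(alias_text):
    """Return sorted (alias, destination) pairs whose destination is at Yahoo.

    Assumed line format: "alias: dest1, dest2". Matching is on the exact
    destination domain, so "reader@notyahoo.com" and an alias named
    "yahoo.comments@..." are not reported, unlike a plain substring search.
    """
    pairs = set()
    for raw in alias_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        alias, _, dests = line.partition(":")
        for dest in dests.split(","):
            dest = dest.strip().lower()
            local, at, domain = dest.rpartition("@")
            if at and local and domain in YAHOO_DOMAINS:
                pairs.add((alias.strip(), dest))
    return sorted(pairs)


# Constructed sample data: documentation address ranges and made-up aliases.
TS01_TAIL = "temporarily deferred due to user complaints - 4.16.55.1"
SAMPLE_LOG = f"""\
2008-04-10 13:49:01 defer to=<a@yahoo.com>: 421 4.7.0 [TS01] Messages from 192.0.2.17 {TS01_TAIL}
2008-04-10 13:49:07 defer to=<b@yahoo.com>: 421 4.7.0 [TS01] Messages from 192.0.2.17 {TS01_TAIL}
2008-04-10 13:49:30 defer to=<c@yahoo.com>: 421 4.7.0 [TS01] Messages from 192.0.2.40 {TS01_TAIL}
2008-04-10 13:50:02 defer to=<d@yahoo.com>: 421 4.7.0 [TS01] Messages from 198.51.100.9 {TS01_TAIL}
2008-04-10 13:50:05 defer to=<e@yahoo.com>: 421 4.7.0 [TS01] Messages from 999.1.1.1 {TS01_TAIL}
2008-04-10 13:50:10 delivered to=<f@example.net>: 250 ok
"""

SAMPLE_ALIASES = """\
info@example.com: owner@yahoo.com
sales@example.com: staff@example.com, Backup@Yahoo.com
yahoo.comments@example.com: staff@example.com
news@example.com: reader@notyahoo.com
*: :fail: No such person at this address
"""

if __name__ == "__main__":
    for net, ips in sorted(deferrals_by_slash24(SAMPLE_LOG.splitlines()).items()):
        print(net, ips.most_common())
    for alias, dest in yahoo_forwards(SAMPLE_ALIASES):
        print(alias, "->", dest)
```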


RE: Problems sending mail to yahoo?

2008-04-10 Thread Raymond L. Corbin

I hope that's sarcasm? Instead of getting the bounces your messages will simply 
go missing after they accepted it...or you will get bounces sent to you a few 
years after you sent the message...(happened to a client yesterday...).

-Ray

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Henry Yen
Sent: Thursday, April 10, 2008 4:17 PM
To: nanog@merit.edu
Subject: Re: Problems sending mail to yahoo?


On Thu, Apr 10, 2008 at 12:23:24PM -0600, Chris Stone wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA512

 Matt Baldwin wrote:
  mostly.  It feels like a poorly implemented spam prevention system.
  Doing some Google searches will turn up some more background on the
  issue.  We've been telling our users that Yahoo mail is problematic
  and if they can to switch away from using them as their private email
  or hosted email.

 Maybe we all should do the same to them until they quit spewing out all the
 Nigerian scams and the like that I've been seeing from their servers lately!

Naaah.  I hear that Microsoft is going to buy Yahoo!, so this problem will
go away once Yahoo! mail gets folded into Microsoft hotmail, whereupon
things will get soo much better!



RE: Yahoo Mail Update

2008-04-10 Thread Raymond L. Corbin

I've talked to employees in other departments who agree that something needs 
changed (especially when their own mail wasn't making it to their personal 
yahoo inboxes)

You can reach yahoo's 'mail' department(s) after doing a lot of digging and 
googling... Their 'Bulk Mail Advocacy Agent' was somewhat helpful, but the 
anti-abuse manager seemed to get things done after you at least try the proper 
channels of submitting a ticket and waiting about a week and still having no 
resolve...I submitted a ticket to them to update my whitelisted IP's from 
adding/removing servers and it took about a month to get a reply.

AOL's postmaster is easy to reach via their 1-800# however they seem to read 
off the screen and are really only general support. Their actual 'postmasters' 
(once you get past their general support) are usually pretty helpful and 
quick to resolve issues.

-Ray

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of chuck goolsbee
Sent: Thursday, April 10, 2008 8:51 PM
To: nanog@merit.edu
Subject: Re: Yahoo Mail Update


   An anonymous source at Yahoo told me that they have pushed
a config update sometime today out to their servers to help with these
deferral issues.

   Please don't ask me to play proxy on this one of any
other issues you may have, but take a look at your queues and
they should be getting better.

   - Jared

Thanks for the update Jared. I can understand your request to not be
used as a proxy, but it exposes the reason why Yahoo is thought to be
clueless: They are completely opaque.

They can not exist in this community without having some visibility and
interaction on an operational level.

Yahoo should have a look at how things are done at AOL. While the
feedback loop from the *users* at AOL is mostly a source of
entertainment, dealing with the postmaster staff at AOL is a
benchmark in how it should be done.

Proxy that message over and perhaps this issue of Yahoo's perennially
broken mail causing the rest of us headaches will go away. It seems
to come up here on nanog and over on the mailop list every few weeks.

--chuck





RE: Hotmail NOC Contact

2008-04-03 Thread Raymond L. Corbin

Hey,

Are you having trouble emailing them, or them to you? I think this thread is 
about emails coming from hotmail never reaching the destinations. What type of 
problems are you having with these companies?

/r

From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Fox, Thomas [EMAIL 
PROTECTED]
Sent: Thursday, April 03, 2008 10:37 AM
Cc: nanog@merit.edu
Subject: RE: Hotmail NOC Contact

In the last 10 days or so, ever since ORDB re-activated itself and blacklisted 
everything, we have had deliverability problems to:

MSN
Hotmail
Bellsouth
ATT (the same as Bellsouth I think)
Yahoo
Detroit Edison

In the case of MSN and Hotmail, they told us they were using Symantec’s 
Brightmail filtering system.

So, does that mean Brightmail is not updating their system properly, or 
MSN/Hotmail is not updating their Brightmail?

Seems like a huge waste of everyone’s time because some LARGE network operators 
can’t keep their stuff updated.

*grumble*





RE: Hotmail NOC Contact

2008-04-03 Thread Raymond L. Corbin

yeah,

We do hosting for about 300,000 users in our shared environment. They have 
forwarders setup or aliases that send to their external addresses. This 
forwards their spam as well. We purchased quite a few barracuda servers and 
became their case study for outbound units. They actually do a really good job 
at blocking the spam. But as spam changes every minute, we can only get updates 
every hour. The mail forwarders are the only spam that comes from our network. 
Try subscribing to Hotmail's reporting services so you get reports on spam from 
your IP address, and they have the online reports that show if you add your AS 
so you can see a report for all ip's in your network.

-Ray

From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Fox, Thomas [EMAIL 
PROTECTED]
Sent: Thursday, April 03, 2008 12:26 PM
To: 'Michael Holstein'
Cc: nanog@merit.edu
Subject: RE: Hotmail NOC Contact

 Do you rewrite/forward mail? .. we're a .edu, and allow our students to
 forward to hotmail/yahoo/whatever .. so when a phishing/malware sweep
 hits campus, about 60% is reflected back onto the Internet (sometimes
 our Anticrap gateway catches it, sometimes not). Because of the way
 addresses are re-written, it looks like it came from us.

Hi Michael,

We do host mail for about 100 companies, but no remailing.

Tom




RE: Hotmail NOC Contact

2008-04-02 Thread Raymond L. Corbin
Try

https://support.msn.com/eform.aspx?productKey=edfsmsblct=eformts

Is it hotmail users sending your users emails that are being rejected, or is it 
your users sending hotmail emails that end up rejected?

/r

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason J. W. 
Williams
Sent: Wednesday, April 02, 2008 5:31 PM
To: nanog@merit.edu
Subject: Hotmail NOC Contact


Hey All,

Does anyone have a good contact number for the Hotmail NOC? We've got e-mails 
from Hotmail to some of our customers being returned to the Hotmail sender with a 
554 error message fairly regularly. Our logs aren't showing any rejections, so 
we need to talk to Hotmail and find out what the 554 means on their side 
(there's no error description). Any help is greatly appreciated.

-J


Jason J. W. Williams
COO/CTO, DigiTar
http://www.digitar.com
Voice: 208.343.8520
Mobile: 208.863.0727
FAX: 208.322-8522
E-mail: [EMAIL PROTECTED]
XMPP/Jabber: [EMAIL PROTECTED]


RE: Hotmail NOC Contact

2008-04-02 Thread Raymond L. Corbin
I've seen similar things when hotmail users are sending emails to some of our 
users but it bounces back to them within their network. Generally it was DNS 
related. After having about 3 correspondences with them they end up fixing it. 
From what I remember they were sending to the A record and not the MX record.

/r

From: Jason J. W. Williams [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 02, 2008 6:13 PM
To: Raymond L. Corbin; nanog@merit.edu
Subject: RE: Hotmail NOC Contact


Hi Raymond,

It's @hotmail.com/@live.com/@msn.com addresses sending to our users. The 
senders get a 554 error from Hotmail with no description. Our logs on our side 
are clean, so it's a bit of a blackbox. We need some insight from Hotmail's 
side. Thank you also for the link.

-J

Jason J. W. Williams
COO/CTO, DigiTar
http://www.digitar.com
Voice: 208.343.8520
Mobile: 208.863.0727
FAX: 208.322-8522
E-mail: [EMAIL PROTECTED]
XMPP/Jabber: [EMAIL PROTECTED]



-Original Message-
From: Raymond L. Corbin [mailto:[EMAIL PROTECTED]
Sent: Wed 4/2/2008 3:45 PM
To: Jason J. W. Williams; nanog@merit.edu
Subject: RE: Hotmail NOC Contact

Try



https://support.msn.com/eform.aspx?productKey=edfsmsblct=eformts



Is it hotmail users sending your users emails that are being rejected, or is it 
your users sending hotmail emails that end up rejected?



/r



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason J. W. 
Williams
Sent: Wednesday, April 02, 2008 5:31 PM
To: nanog@merit.edu
Subject: Hotmail NOC Contact



Hey All,

Does anyone have a good contact number for the Hotmail NOC? We've got e-mails 
from Hotmail to some of our customers being returned to the Hotmail sender with a 
554 error message fairly regularly. Our logs aren't showing any rejections, so 
we need to talk to Hotmail and find out what the 554 means on their side 
(there's no error description). Any help is greatly appreciated.

-J


Jason J. W. Williams
COO/CTO, DigiTar
http://www.digitar.com
Voice: 208.343.8520
Mobile: 208.863.0727
FAX: 208.322-8522
E-mail: [EMAIL PROTECTED]
XMPP/Jabber: [EMAIL PROTECTED]



RE: Yahoo! Mail/Sys Admin

2008-02-27 Thread Raymond L. Corbin

Hello,

Try incorporating DomainKeys and applying for their feedback loop.

http://help.yahoo.com/l/us/yahoo/mail/postmaster/forms_index.html

I still have the same problem. Do you have any users who forward their email to 
their free @yahoo.com addresses from your server?

Let me know if you get in touch with anyone :)

-Ray


From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Justin Wilson [EMAIL 
PROTECTED]
Sent: Wednesday, February 27, 2008 10:01 AM
To: nanog@merit.edu
Subject: RE: Yahoo! Mail/Sys Admin

Hello Everyone,

It's been a while since I posted on this topic, and unfortunately I'm still
having trouble with Yahoo deferrals.  The links that were provided in this
post worked, but after the forms were received by what I *think* is a human
I still got a canned reply.  I've tried replying with specific details about
our problem, but is either answered with another generic reply or not at
all.  We are running Imall, and each domain has its own IP address.  Queue
Timer and Tries before returning to sender are set to 30 minutes / 5
attempts.  According to yahoo they do want you to attempt to resend if you
get a 421 error.  SPF is also set on a per-domain basis.   I'm not sure what
else to try. Does anyone have a better understanding of how Yahoo
greylisting works?

Thanks in advance!


Justin Wilson




Running Application when Network Connection Detected

2007-11-27 Thread Raymond L. Corbin

Hey,

Fairly certain this isn't the place for this but I've exhausted my
googling and I'm sure someone here may know. I was looking for an
application that will detect when you connect to a specific wireless
network that when connected automatically run a specified application.
Any ideas?

Thanks!

-Ray


RE: Running Application when Network Connection Detected

2007-11-27 Thread Raymond L. Corbin

Ah. Sorry, guess that would be important. Win XP

Thanks,

-Ray

-Original Message-
From: Paul Fleming [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 27, 2007 10:28 PM
To: Raymond L. Corbin
Cc: nanog
Subject: Re: Running Application when Network Connection Detected

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

What OS?


Raymond L. Corbin wrote:
 Hey,
 
 Fairly certain this isn't the place for this but I've exhausted my
 googling and I'm sure someone here may know. I was looking for an
 application that will detect when you connect to a specific wireless
 network that when connected automatically run a specified application.
 Any ideas?
 
 Thanks!
 
 -Ray
 


- --
Paul Fleming
Network Operations
Hostdime.com Inc
Cell:407.468.4646


RE: unwise filtering policy from cox.net

2007-11-20 Thread Raymond L. Corbin

Heh better then my all time favorite was the mailbox is full reply
from an abuse@ address for an ISP based in Nigeria who had a few servers
trying to open umpteen fraud accounts :D

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, November 20, 2007 2:21 PM
To: 'nanog@merit.edu'
Subject: unwise filtering policy from cox.net


if anyone from cox.net is reading...

- The following addresses had permanent fatal errors -
[EMAIL PROTECTED]
 (reason: 552 5.2.0 F77u1Y00B2ccxfT000 Message Refused.  A URL
in the content of your message was found on...uribl.com.  For resolution
do not contact Cox Communications, contact the block list
administrators.)

This seems a rather unwise policy on behalf of cox.net -- their
customers 
can originate scam emails, but cox.net abuse desk apparently does not
care 
to hear about it.


MXLogic Mail Admins

2007-11-15 Thread Raymond L. Corbin

Hello,

Are any MXLogic Mail admins subscribed to this list, or anyone who has a contact 
inside MXLogic that can contact me off list? Multiple outbound gateways have 
been having problems with the MXLogic inbound servers over the past few days 
and the tier1 support continues to say that our IP's are not on their 
blacklists and that there shouldn't be anything wrong.

Thanks for the help!

-Ray


Any Comcast Mail/Sysadmins?

2007-10-09 Thread Raymond L. Corbin
Hey,
 
I'm having a few deliverability issues to a few comcast mail gateways.
Is there any comcast mail/sys admins here or anyone who can get me in
contact with them off list? It would be greatly appreciated.
 
Thanks for the help!
 
-Ray


RE: DDoS Question

2007-09-27 Thread Raymond L. Corbin

Did you check the source IP in the headers? My logs show that they are
coming from a buncha residential IP addresses so its prolly a bot
network doing it. Most of the messages going through our servers with
that have the domain lifeleaksfromyo.com in it which is causing the
messages to fail in our servers. You can always try the rbl that lists a
lot of residential IP's in it...i think it's the PBL from spamhaus. That
would help limit it, and blocking emails with the domain
lifeleaksfromyo.com. Other than that I'm out of ideas. What spam
appliance are you using?

Raymond Corbin
HostMySite.com
877.215.4678

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Martin Hannigan
Sent: Thursday, September 27, 2007 7:32 PM
To: nanog@merit.edu
Subject: DDoS Question


Folks,

I'm receiving about 25K spams per minute with this subject:

Subject: Looking for Sex Tonight? Curtis Blackman

They randomize the name on the subject line. Is this any particular
virus/malware/zombie signature and any suggestion on how to defend
against it besides what I'm already doing (which is all of the
obvious, rbls, spam appliances, hot cocoa, etc.)?

This happened right around the time I started securing the name server
infrastructure with BIND upgrades and recursor/authoritative NS
splitting. :-)

Best,

Marty


RE: Anyone from live.com or hotmail around here?

2007-08-28 Thread Raymond L. Corbin
Hello,

 

I think I posted about this yesterday. Their 'support' got back to me
today with:

 

Thank you for Contacting MSN Hotmail Domain Support.  Unfortunately we
won't be abl;e to provide you with spam samples

 

I assumed this as a canned response. Then I noticed the abl;e. I would
really like to speak with one of the MSN/Hotmail/Live
postmasters/sysadmins. The mailservers are giving a lot of 550 responses
from various servers in our network and the 'support' isn't really
giving me anything to go on.

 

Raymond Corbin

Support Analyst

HostMySite.com

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Drew Weaver
Sent: Tuesday, August 28, 2007 11:23 AM
To: 'nanog@merit.edu'
Subject: Anyone from live.com or hotmail around here?

 

 

I've been having a very hard time getting a simple question
answered from your postmaster tech support, please hit me off-list.

 

Thanks,

-Drew

 



Any MSN/Live Mail Admin Contacts?

2007-08-27 Thread Raymond L. Corbin

Hello,

I'm experiencing a lot of problems with about 8 of our outbound mail
gateways to the MSN/Live mail servers throughout the day. Are there any
mail/sysadmins on this list, or anyone that can get me in contact with
someone there, as the general postmaster support is less than forthcoming
with information. Anything would be greatly appreciated.

Thanks,

Raymond Corbin
Support Analyst
HostMySite.com


RE: How should ISPs notify customers about Bots (Was Re: DNS Hijacking

2007-07-24 Thread Raymond L. Corbin

Obviously, botnet authors are lazy, and not motivated to do all that
work to do all that extra stuff, when we're still focusing on the *last*
generation of use a well-known IRC net for CC bots, and haven't really
address the *current* use a hijacked host running a private IRC net
bots yet.


Most 'large' botnets are run off of private IRC servers. Any good IRC
admin would notice when more than 1k 'bots' started joining their
servers. They can look at channel topics and see if it says something
like .scan .advscan etc etc. There's a whole list of commands the old
RXBot used to do, I'm sure it's more advanced than it was two years ago
when I last used IRC.

http://www.darksun.ws/phatrxbot/rxbot.html

Typically it's the really new kiddies who set up botnets on public IRCD
servers, as the IRC admins don't want the extra traffic caused by the
bots, nor the problems the script kiddies cause. So adding a public
EFNet server to their redirect list wasn't best, however it's simply a
false positive. These bots are very simple to use, and you can simply
find your better 'bots' by checking the ISP it's from and its uptime.
Take that then make it download a preconfigured IRCD such as Unreal and
make it run in the background and you have a private IRCD server to
route your bots to. So it may not be as fruitful if the public IRC
servers are in fact ensuring script kiddies don't live on their
networks, but if they check the packets to see what FQDN they are using
for their botnet then it wouldn't bother me that they change the DNS to
their own 'cleansing' servers. But in doing this it may lead to false
positives such as the problem when the EFNet server got blocked.

Just my thoughts...

Raymond Corbin
Support Analyst
HostMySite.com


RE: San Francisco Power Outage

2007-07-24 Thread Raymond L. Corbin

They should have generators running...I can't foresee any good
datacenter not having multiple generators to keep their customers'
servers online with UPS.

-Ray

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Adrian Chadd
Sent: Tuesday, July 24, 2007 7:54 PM
To: Seth Mattinen
Cc: nanog list
Subject: Re: San Francisco Power Outage


On Tue, Jul 24, 2007, Seth Mattinen wrote:

 I have a question: does anyone seriously accept oh, power trouble as a
 reason your servers went offline? Where's the generators? UPS? Testing
 said combination of UPS and generators? What if it was important? I
 honestly find it hard to believe anyone runs a facility like that and
 people actually *pay* for it.

 If you do accept this is a good reason for failure, why?

Didn't you read? He paid extra for super-reliable power from his
electricity provider..



Adrian



RE: DNS Hijacking by Cox

2007-07-23 Thread Raymond L. Corbin

  On Mon, 23 Jul 2007, Joe Greco wrote:
   I can't help but notice you totally avoided responding to what I wrote;
   I would have to take this to mean that you know that it is fundamentally
   unreasonable to expect users to set up their own recursers to work around
   ISP recurser brokenness (which is essentially what this is).

  It's more reasonable to expect users to know how to remove bots and fix
  their compromised computers?

 No amount of IRC redirection is going to remove bots and fix their
 compromised computers.

... JG

I disagree. A lot of the compromised computers are still using the old
versions of like Phatbot, agobot, rxbot, all of which have the remove
commands. Placing the .remove in the subject line will effectively
remove the bots as they join the channels. The .remove will effectively
completely remove the bot from their computer, not everything else, but
at least that bot instance is done. It's one way a lot of IRC networks get
rid of the botnets started on their networks, simply glineing them
causes them to keep trying to reconnect. Granted it won't stop the more
experienced script kiddies, but it will certainly stop the ones who use
the preconfigured scripts because they don't know what the source code
means. As many have said this is more about numbers. The number of
infected computers within their network used to DDoS and Spam compared
to the number of legitimate IRC users. Unfortunately the number of
zombies outweighs the good.

Raymond Corbin
Support Analyst
HostMySite.com


RE: DNS Hijacking by Cox

2007-07-22 Thread Raymond L. Corbin

Hey

Well I suppose that would get rid of some of the script kiddies' bots off of 
their network...

http://www.dslreports.com/forum/remark,12922412
http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/55016

Though...I cannot think of another means to achieve their goal. However I 
wonder how they generated what records to point to their servers. Is it simply 
anything with irc.* ? I suppose it would stop the script kiddies if they didn’t 
use their own unique DNS and specified a different port in the config before 
compiling. Typically zombies are set to listen to the topic commands in order 
to either continue a DDoS attack or like scan for other hosts to infect. This 
would prevent the bots from getting a valid command to start scanning or DDoS, 
or in this case .remove would remove the bot from their customer's computer 
(unless the default command character was changed), so I suppose it gets what 
they want, DDoS's to not originate in their network + XDCC Bots being created 
from zombies etc etc, credit card, zombie bots can be set to listen for paypal 
information and credit card information etc...but at the same time causing 
problems for their customers who legitimately use IRC. If weighed, I believe 
their problems with DDoS bots is weighted more heavily than the few who 
legitimately use IRC. I suppose they can always use like psyBNC to connect to 
IRC.

I agree with their goal but not really the means they are using to reach their 
goal. If they are going to manipulate DNS to do this...how far will they go 
with other problems?


Raymond Corbin
Support Analyst
HostMySite.com


(sorry if this posted twice...Outlook froze on me :( )


-Original Message-
From: [EMAIL PROTECTED] on behalf of Andrew Matthews
Sent: Sun 7/22/2007 5:56 PM
To: nanog@merit.edu
Subject: DNS Hijacking by Cox
 

It looks like Cox is hijacking DNS for IRC servers.


bash2-2.05b$ nslookup
 server 68.6.16.30
Default server: 68.6.16.30
Address: 68.6.16.30#53
 irc.vel.net
Server: 68.6.16.30
Address:68.6.16.30#53

Name:   irc.vel.net
Address: 70.168.71.144




 server ns1.vel.net
Default server: ns1.vel.net
Address: 207.182.224.10#53
 irc.vel.net
Server: ns1.vel.net
Address:207.182.224.10#53

Name:   irc.vel.net
Address: 64.161.255.2

it looks like they are using it to clean drones, when you connect to
their fake irc server you get forced joined into a channel.

#martian_
[INFO]  Channel view for #martian_ opened.
--|YOU (andrew.m) have joined #martian_
=-= Mode #martian_ +nt by localhost.localdomain
=-= Topic for #martian_ is .bot.remove
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 
2:55:02 PM
=-= Topic for #martian_ is .remove
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 
2:55:02 PM
=-= Topic for #martian_ is .uninstall
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 
2:55:02 PM
=-= Topic for #martian_ is !bot.remove
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 
2:55:02 PM
=-= Topic for #martian_ is !remove
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 
2:55:02 PM
=-= Topic for #martian_ is !uninstall
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 
2:55:02 PM
Marvin_   .bot.remove
Marvin_   .remove
Marvin_   .uninstall
Marvin_   !bot.remove
Marvin_   !remove


Isn't there a law against hijacking DNS? What can I do to pursue this?
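
The comparison done by hand in the nslookup session above (ISP resolver answer versus the zone's own nameserver), as an added example that is not part of the original thread. The function names `parse_answers` and `mismatches` are hypothetical, and the `> ` prompts in the embedded sample are restored by assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the nslookup session quoted above
# (addresses copied from that message; the "> " prompts are an assumption).
TRANSCRIPT = """\
> server 68.6.16.30
Default server: 68.6.16.30
Address: 68.6.16.30#53
> irc.vel.net
Server: 68.6.16.30
Address:68.6.16.30#53

Name:   irc.vel.net
Address: 70.168.71.144
> server ns1.vel.net
Default server: ns1.vel.net
Address: 207.182.224.10#53
> irc.vel.net
Server: ns1.vel.net
Address:207.182.224.10#53

Name:   irc.vel.net
Address: 64.161.255.2
"""

def parse_answers(transcript):
    """Return {queried name: {server that answered: set of addresses}}."""
    answers = defaultdict(lambda: defaultdict(set))
    server = name = None
    for line in transcript.splitlines():
        line = line.strip()
        if m := re.match(r"Server:\s*(\S+)", line):
            server, name = m.group(1), None   # a new reply block starts
        elif m := re.match(r"Name:\s*(\S+)", line):
            name = m.group(1).rstrip(".").lower()
        elif (m := re.match(r"Address:\s*([0-9a-fA-F.:]+)$", line)) and name:
            # Only addresses after a Name: line are answers; the server's
            # own address ends in "#53" and does not match this pattern.
            answers[name][server].add(m.group(1))
    return answers

def mismatches(answers, authoritative):
    """(name, resolver, its addrs, authoritative addrs) where none overlap."""
    return [(name, srv, sorted(addrs), sorted(by[authoritative]))
            for name, by in answers.items() if by.get(authoritative)
            for srv, addrs in by.items()
            if srv != authoritative and not (addrs & by[authoritative])]
```

A mismatch alone is not proof of rewriting, since round-robin or location-aware DNS can legitimately return different addresses; treat it as a prompt to check who operates the returned address.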



RE: DNS Hijacking by Cox

2007-07-22 Thread Raymond L. Corbin

I'm still unsure that this is either a good idea or a bad idea...  
changing the DNS can only help until the bots start connecting directly
to IP addresses. Then where do we go? NAT those connections to
elsewhere? It's one of those lovely arms races where things just get
more and more invasive.

I don't foresee the programming of IP addresses instead of IP addresses.
Because if/when they are found and their exploited server is shut down,
their dedicated server turned off for AUP violations etc they will lose
access to all of the bots set to that IP address. This happens a lot and
when it does they simply change the DNS.


And these people have been flamed senseless. I like to think of it as  
a case of the work the blocklists do is excellent and saves many a  
network from being overrun by spam - however there is always  
collateral damage from things like this. The good far outweighs the  
bad however.


I agree. They are at least trying to clean up their network. If they are
having a lot of problems with zombie bots that DDoS / Spam then this is
a good way to stop it, for now. The small group of users can either use
other nameservers or something like psybnc to connect if they want to
get on IRC.

Raymond Corbin
Support Analyst
HostMySite.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Steven Haigh
Sent: Sunday, July 22, 2007 9:56 PM
To: nanog@merit.edu
Subject: Re: DNS Hijacking by Cox


Quoting Sean Donelan [EMAIL PROTECTED]:
 On Sun, 22 Jul 2007, William Allen Simpson wrote:
 Comcast still blocks port 25.  And last week, a locally well-known person
 was blocked from sending outgoing port 25 email to their servers from her
 home Comcast service.

 MSA port 587 is only 9 years old.  I guess it takes some people longer
 than others to update their practices.  Based on what I know how
 comcast's abuse systems implement their port 25 restrictions, I think
 it is extremely unlikely it was based on other people having her e-mail
 address in their Outlook programs.

Indeed. There's just not enough info to make anything but wild guesses  
about this.

 Some people complain ISPs refuse to take action about abuse and
 compromised computers on their networks.  On the other hand, people
 complain when ISPs take action about abuse and compromised computers on
 their networks.  ISPs are pretty much damned if they do, and damned if
 they don't.

Gotta love the techie world :)

 Several ISPs have been redirecting malware using IRC to cleaning
 servers for a couple of years trying to respond to the massive number
 of bots.  On occasion they pick up CC server which also contains some
 legitimate uses. Trying to come up with a good cleaning message for
 each protocol can be a challenge.

I'm still unsure that this is either a good idea or a bad idea...  
changing the DNS can only help until the bots start connecting  
directly to IP addresses. Then where do we go? NAT those connections  
to elsewhere? It's one of those lovely arms races where things just  
get more and more invasive.

In the short term, it's a good thing - the amount of spam I get from  
their network has halved - which is great - however in the long term,  
the writers of this crudware will find another way to do business  
(web? ftp?).

 Yes, false positives and false negatives are always an issue. People
 running several famous block lists for spam and other abuse also made
 mistakes on occasion.

And these people have been flamed senseless. I like to think of it as  
a case of the work the blocklists do is excellent and saves many a  
network from being overrun by spam - however there is always  
collateral damage from things like this. The good far outweighs the  
bad however.

-- 
Steven Haigh

Email: [EMAIL PROTECTED]
Web: http://www.crc.id.au
Phone: (03) 9017 0597 - 0404 087 474



RE: Earthlink NOC Contact Info

2007-07-18 Thread Raymond L. Corbin

Hey,

I believe I had this problem before as well. There was that and a few
other problems with Earthlink's mailservers. I'll contact you off list
with the information that I could have about them, but you may need to
go through their corporate relations dept first as they give the 'no one
can talk to our postmaster team' speech.

Raymond Corbin
Support Analyst
HostMySite.com



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Jason J. W. Williams
Sent: Wednesday, July 18, 2007 5:05 PM
To: nanog@merit.edu
Subject: Earthlink NOC Contact Info


Hello,

We're having some serious issues with Earthlink's mail servers
connecting 8-10 times to our servers to send a single message. The
target is one of our e-mail security customers and we really need to get in
touch with the Earthlink NOC to find out why they are retrying when we
are successfully accepting the message. Unfortunately, the NOC number's
been removed from puck.net, and after being shuffled to 4 different
departments at Earthlink we're being told to e-mail [EMAIL PROTECTED]
We've been trying to get this resolved for 6 months with Earthlink
([EMAIL PROTECTED]) and it's to a pain point where we really do need to
resolve the issue.

If anyone could point us in the right direction, or if you're with
Earthlink contact us off-list it would be really great. Thank you in
advance.

Best Regards,
Jason Williams
DigiTar Support
[EMAIL PROTECTED]