Re: ASNumber Extension for Firefox available
On Mon, 13 Feb 2006 14:44:13 +0100 Andre Oppermann [EMAIL PROTECTED] wrote:

| Another thing I want to do is to show the number of RBL (Spamhaus, etc)
| listed IPs per AS.

That sounds useful. As would be the possibility to block access to sites that are so listed (in the same way that software installation by unauthorised sites is blocked until specifically enabled).

| Contacting those RBLs is rather difficult and any help to discuss this
| directly with the RBL administrators is appreciated.

That's certainly not been my experience, and if you are still having problems I suggest you write to me and I'll forward the request.

Richard Cox
Re: Yahoo, Google, Microsoft contact?
On Fri, 03 Feb 2006 12:42:04 -0500 Martin Hannigan [EMAIL PROTECTED] wrote:

| I'd like to see evidence that there is a problem. For example, don't see
| why these worm lists couldn't have just gone to the abuse address.

Of course that's the right answer. IN THEORY. The practice is rather different, and that's WHY the need for some direct contact exists.

I followed through with two large UK ISPs, who had both had the list of worm IPs sent to their official abuse address. In neither case had the mail been read or passed on. A copy to their security specialists was appreciated, and resulted in much hurried activity. No, I'm not going to identify who they were; there probably would have been many more ISPs in that position if I'd looked further.

| the customer is shifting the cost of support off of their own provider
| and on to the rest of us which is inherently not fair.

s/customer/provider/ - if the provider wasn't doing that, the customer quite likely WOULD have gone directly to them.

| I think it's ok to post these things to NANOG as long as there's more
| information than just who they are looking for. If it's too private to
| tell all of us, then don't use our list as a directory service.

True. Nevertheless there is a need for some directory system, so that appropriate people can contact key security etc people in other network entities, without giving NANOG a full-disclosure on the situation ...

--
Richard Cox
Re: Infected list
On Sun, 25 Dec 2005 13:33:44 -0600 (CST) Rob Thomas [EMAIL PROTECTED] wrote:

| Here is Barrett's list, including and sorted by ASN.

And even that won't be sufficient for many networks to take action. A lot of people provide lists of the IPs that spam/attack/etc them, but do not provide the actual time. Since many consumer networks are running DHCP, they will have no way to know which of their many customers using the claimed IP on the day in question was actually an attacker, and so they will almost certainly ignore such a report.

To get action, lists of compromised (etc) systems NEED to include: Date/Time (preferably UTC), exact IP (as hostnames can have multiple A-records) and AS number.

--
Richard
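The three fields the post asks for (UTC timestamp, IP literal, AS number) are exactly what an abuse desk on a DHCP network needs before it can match a report to a lease. Below is an added example, not code from the post or from the Cymru list it discusses, that triages a report on that basis. The field layout, the sample lines and the AS numbers are all constructed for illustration.

```python
"""Added example (not from the post): triage a compromised-host report so
that only entries a DHCP-based network could act on are kept. The field
layout (timestamp, IP, AS number, free-text note) and every sample line
below are constructed for illustration."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

ASN_RE = re.compile(r"^AS(\d+)$", re.IGNORECASE)

# Constructed report. Only the first line carries everything the post asks
# for (UTC time, IP literal, ASN); the rest show the usual omissions.
SAMPLE_REPORT = """\
2005-12-24T13:02:11Z 192.0.2.45 AS64500 ssh brute force
192.0.2.77 AS64500 spam run, no time given
2005-12-24T15:40:00Z host.example.net AS64501 bot c&c, hostname not IP
2005-12-24 16:05:09 192.0.2.90 AS64501 local time, no zone marker
"""


def parse_utc_timestamp(token):
    """Accept only ISO-8601 timestamps with an explicit Z (UTC) designator.
    A bare local time is useless for matching a DHCP lease."""
    if not token.endswith("Z"):
        return None
    try:
        return datetime.strptime(token, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def validate_entry(line):
    """Return (entry, None) for an actionable entry, else (None, reason)."""
    tokens = line.split()
    if len(tokens) < 3:
        return None, "too few fields"
    ts = parse_utc_timestamp(tokens[0])
    if ts is None:
        return None, "missing or non-UTC timestamp"
    try:
        ip = ipaddress.ip_address(tokens[1])
    except ValueError:
        return None, "not an IP literal: %s" % tokens[1]
    m = ASN_RE.match(tokens[2])
    if m is None:
        return None, "missing AS number"
    return {"time": ts, "ip": str(ip), "asn": int(m.group(1)),
            "note": " ".join(tokens[3:])}, None


def triage_report(text):
    """Split a report into actionable entries and (line number, reason) rejects."""
    actionable, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        entry, reason = validate_entry(line)
        if entry is not None:
            actionable.append(entry)
        else:
            rejected.append((lineno, reason))
    return actionable, rejected


def group_by_asn(entries):
    """Bucket actionable entries per AS, the unit at which reports get routed."""
    buckets = defaultdict(list)
    for e in entries:
        buckets[e["asn"]].append(e)
    return dict(buckets)


if __name__ == "__main__":
    good, bad = triage_report(SAMPLE_REPORT)
    for asn, entries in group_by_asn(good).items():
        print("AS%d: %d actionable entries" % (asn, len(entries)))
    for lineno, reason in bad:
        print("line %d rejected: %s" % (lineno, reason))
```

The check on the timestamp is deliberately strict: a time with no zone designator is rejected rather than guessed at, because guessing the wrong offset points the abuse desk at the wrong customer.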
Re: Clueless anti-virus products/vendors (was Re: Sober)
On Sat, 03 Dec 2005 00:45:05 + W.D.McKinney [EMAIL PROTECTED] wrote:

| It's a simple switch in the GUI of Barracuda Networks to turn off this
| annoyance. More operator error than Barracuda's fault, IMHO.

Not if a software upgrade from Barracuda can cause the current configuration to be silently reverted to Barracuda's defaults ...

--
Richard
Re: [Latest draft of Internet regulation bill]
On 13 Nov 2005 00:56 UTC, Leo Bicknell [EMAIL PROTECTED] wrote:

| The sad thing is, these are not things with a precise definition. You
| can envision defining Long Distance before there were cell phones, and
| it might not have included them. Of course, I think if you stop anyone
| on the street and ask if they can call a cell phone using their long
| distance service they would stare at you blankly with a "of course, why
| wouldn't you" kind of response.

Not at all. In many parts of the world Long Distance still does not include cellphones. Even calls from the USA to Europe or Australasia (over the cheaper networks) will not complete at all if a cellphone number range is dialled. On other networks there is a price uplift. (It didn't used to be like that in the olden days, though!)

--
Richard Cox
Re: NANOG List Server on several BlockLists
On Tue, 26 Jul 2005 14:56:39 -0700 (PDT) william(at)elan.net [EMAIL PROTECTED] wrote:

| It's only on SORBS (of the major ones) as far as I can tell.

And not even on that, now ...

--
Richard
Re: You're all over thinking this (was: Re: Vonage Selects TCS For VoIP E911 Service)
On Thu, 21 Jul 2005 10:20:07 +0000 (UTC) [EMAIL PROTECTED] (Peter Corlett) wrote:

| Given that there are UK telephone numbers starting 911

When I worked with Oftel on the design of the new UK numbering schemes, one of my strongest recommendations was for certain prefixes, including 911, to be ringfenced from all local numbering schemes - for exactly the reasons that you are now pointing to. Sadly Oftel were never known for their ability to understand reasoned argument within the technical arena ...

A current, and related, problem is the introduction of emergency SMS messaging from cellphones ... a very necessary feature for deaf people to use, where they cannot access a text/relay service (eg when they are in a foreign country). Of course, the design of GSM predicates that such messages will go to the message center in their home country, and as things stand would be routed from there to the home country emergency services, regardless of where in the world the user actually is!

--
Richard
Re: You're all over thinking this
On Thu, 21 Jul 2005 15:21:36 +0000 (UTC) [EMAIL PROTECTED] (Peter Corlett) wrote:

| 112/999 takes priority over regular calls. There doesn't seem to be any
| evidence that calls to 999 from mobiles were any more prone to failure
| than those from landlines.

112 takes priority at all levels. 999 will get priority once the call reaches a basestation, but won't override congestion in the radio path.

--
Richard
Re: New IANA IPv4 allocation to AfriNIC (41/8)
On Wed, 13 Apr 2005 20:38:44 UTC Steve Meuse [EMAIL PROTECTED] wrote:

| On 4/13/05, John Palmer [EMAIL PROTECTED] wrote:
| | Thank you for that information. I can leave 41/8 in my router bogon
| | list and hopefully eliminate the Nigerian 419 problem somewhat.
|
| Personally, I believe we should give them the chance to fail before we
| cut them off from the rest of the world. I don't think the majority of
| 419 email comes from addresses actually sourced in Nigeria.

The largest part (90%) does originate in Nigeria. The remainder comes from countries adjacent to Nigeria such as Togo, Senegal, etc (~6%) or from the Netherlands (~4%).

Unfortunately, the traffic originating in Nigeria comes out on satellite connections which have established IP ranges assigned to the Satellite operator and configured as part of his ASN. In other words, they will mostly match the location of the Satellite downlink - UK, Denmark, or Israel etc. Typically less than 10% of the traffic from Nigeria uses IPs assigned on the basis of the network actually being in Nigeria.

The 419 scammers are so used now to port 25 on their own IP addresses being blocked (either by their own ISP or by the recipient network) that they have all but given up on direct mailing. Their main methods are to send through Webmail on a network that doesn't take subscription security sufficiently seriously (Tiscali, Microsoft Hotmail, etc) or to use a compromised server such as one running PHPNuke webmail.

Leaving 41/8 as a bogon, or otherwise filtering it, will make less than 1% overall difference in the volume of 419-style spam that you receive.

Just for completeness, the lottery style scams, which are another form of Advance Fee Fraud, also originate in Nigeria even though they may claim to be from people in the UK or in other parts of the EEC.

Just to keep this on topic I will relate the tale of a systems engineer who I called, to point out the volume of 419 mail coming through their mailservers.

"I can't look at that now," he said, "the current load on our smarthosts is so high that the mail is backing up - and I have to get this proposal for four new servers finished for the Board tonight." Then it suddenly dawned on him why his mail load had become so high ...

--
Richard Cox
Re: Cisco to merge with Nabisco
On Fri, 1 Apr 2005 10:15:55 -0800 Dave Hilton [EMAIL PROTECTED] wrote:

| Must we now redefine nibbles bytes.

Well, I guess remote configs will have to be disabled - from now on the only permitted access will be via the cereal port ...

Richard
Re: More on Vonage service disruptions...
On Wed, 2 Mar 2005 12:39:45 -0500 Thor Lancelot Simon [EMAIL PROTECTED] wrote:

| On Wed, Mar 02, 2005 at 09:46:05AM -0600, Church, Chuck wrote:
| | Another thing for an ISP considering blocking VoIP is the fact that
| | you're cutting off people's access to 911. That alone has got to have
| | some tough legal ramifications. I can tell you that if my ISP started
| | blocking my Vonage, my next cell phone call would be my attorney...
|
| Why? Do you have a binding legal agreement with your ISP that requires
| them to pass all traffic? Do you really think you can make a persuasive
| case that you have an implicit agreement to that effect? (Note that I
| am not expressing an opinion about whether you _should_ or _might like
| to_ have such an agreement, just my skepticism that you actually _do_
| have such an agreement, and can enforce it)
|
| The 911 issue is a tremendous red herring. In fact, it's more of a red
| halibut, or perhaps a red whale. Vonage fought tooth-and-nail to *not*
| be considered a local exchange carrier precisely *so that* they could
| avoid the quality of service requirements associated with 911 service.
| One of their major arguments in that dispute was that they provided a
| service accessible by dialing 911 that was like real 911 service but
| that was not actually 911 service.

The problem is that, as more people take up VOIP service, it cannot be long before some of those people start dropping wireline. Examples of possible places are apartment blocks, with DSL on the janitor's phone line, and each apartment having VOIP service off that DSL.

When that happens, if VOIP access to 911/112 is still problematic, we can expect standards for it to be mandated by governments - and they WILL do it - there is nothing politicians hate more than an avoidable fatality where the blame can be attributed to their failure to act. Far better that we get this right in advance, so that nothing needs to be made mandatory anyway.

Some of my responsibilities involve work protecting telecommunications for deaf people, where emergency calls may have to be made by means of text messages. Some very similar issues seem to be arising there!

--
Richard Cox
Re: ChinaNet Contacts
On Thu, 17 Feb 2005 12:13:07 -0500 Jon R. Kibler [EMAIL PROTECTED] wrote:

| I know that this is a REALLY sore point, but has anyone ever established
| any good working relations with anyone in CHINANET or other China-based
| ISPs?

Yes, indeed. And been out to Beijing to have meetings with them.

--
Richard Cox
Re: Spamhaus problems anybody?
On Tue, 25 Jan 2005 09:37:46 -0500 Chris Allermann [EMAIL PROTECTED] wrote:

| Has anybody here been experiencing any abnormalities with the spamhaus
| SBL-XBL lists? I've gotten an alarming number of complaints in the last
| 24 hours regarding mail rejections from IPs that do not appear to be
| listed in the SBL-XBL database.

It would help to have some examples of the IPs involved. Could you possibly mail (some|all) of them to me offlist?

--
Richard Cox
Re: The entire mechanism is Wrong!
On Mon, 17 Jan 2005 07:12:58 +0000 (GMT) Christopher L. Morrow [EMAIL PROTECTED] wrote:

| provided their contract requires some form of 24/7 support, and there
| is an SLA to manage that requirement. If there isn't then there is no
| need for 24/7 support (no contractual reason), it just becomes a
| business differentiator for clients when choosing registrar X or
| registrar Y (or so it seems to me)

Then you miss the point that there was no contractual relationship between the real PANIX and MelbourneIT, yet in the first instance it was MelbourneIT that needed to respond so that an investigation into this unfortunate incident could be started. However excellent the SLA that a domain owner may have with their registrar, it is inevitably of no value when the central system is compromised (as appears on the surface to have been the case here).

Your argument would have been completely sound if, in addition to whatever level of customer support they choose/contract to provide, there were an obligation for every accredited registrar to guarantee a response within a given timescale and on a 24/7 basis, to any emergency request received from any other accredited registrar. Indeed, such may already have been the case. Fire Drills have a habit of discovering shortcomings within well-planned emergency arrangements!

--
Richard Cox
Re: Regarding panix.com
On Mon, 17 Jan 2005 10:52:11 +1100 Bruce Tonkin [EMAIL PROTECTED] wrote:

| In this case one of the parties was an ISP in the United Kingdom, which
| is a reseller of Melbourne IT.

I find it interesting that you assert that the ISP/reseller was in the United Kingdom. Our investigations established that the ISP appeared to be in Ottawa, Canada: with various whois entries which, if believed, would have placed them in Wilmington, Delaware, and/or Beckenham, Kent and/or what looks like a mail forwarding service on the Isle of Man (which is NOT part of the UK ...)

Where Registrars deal extensively through resellers, it is equally important for those resellers to be as accessible and accountable as the Registrar - and much of the difficulty in this case was caused by the inability to identify exactly who and where the reseller was.

Not that the problem is in any way new - we encountered difficulties (as an ISP) in contacting this same reseller, when trying to transfer a domain for one of our clients, many months ago, and at the time I wrote to your Melissa Fitzpatrick to convey my concern about the non-contactability of the reseller - and also about the questionable whois entries. There was, of course, no meaningful reply, and I believe that if your company had addressed this at the time in a more professional manner, it is highly likely that most of the problems that were experienced this past weekend could have been avoided.

--
Richard Cox
Re: panix.com hijacked
On Sat, 15 Jan 2005 22:05:47 -0600 Chris Adams [EMAIL PROTECTED] wrote:

| I do know that we've had hosting customers that have had domains with
| melbourneit.com as the registrar that they were unable to ever transfer
| to another registrar (despite emails, faxes, and phone calls; IIRC one
| customer tried for most of a year to transfer a domain to another
| registrar or at least get the nameservers changed without success).

We have had a comparable experience and now, on checking the DNS for the hijacked panix domain, I see name-servers similar to those I noted on that previous occasion. Known under various names that infer a UK connection, (such as Fibranet Services Ltd/freeparking.co.uk) but in fact seem to be Activebytes Software of 2530 Channin Drive Wilmington Delaware, with servers routed via Koallo Inc in Canada! So far as we were able to determine, there was no actual UK presence.

ns1.ukdnsservers.co.uk has address 142.46.200.67
ns2.ukdnsservers.co.uk has address 207.61.90.196
ns3.ukdnsservers.co.uk has address 142.46.200.68
ns4.ukdnsservers.co.uk has address 207.61.90.197

MelbourneIT appear to have a U.S. Office near San Francisco: 2200 Powell Street, Sixth Floor, Suite 690, Emeryville CA 94608 which would be slightly more accessible for service of writs, etc ...

--
Richard Cox
Re: Problem with whois.ripe.net?
On Wed, 15 Sep 2004 11:16:44 -0700 Greg Schwimer [EMAIL PROTECTED] wrote:

| I'm seeing this from multiple locations. Anyone else? I get a similar
| response from their web whois as well.

Just now I got correct responses on (my own) RIPE assigned address block, accessing from multiple locations, and via their website.

--
Richard Cox
Re: 30 Gmail Invites
On Mon, 13 Sep 2004 11:03:57 +0100 [EMAIL PROTECTED] wrote:

| I find it interesting how many people are concerned with sending email
| to gmail users yet are quite willing to send email to public mailing
| lists that are archived and indexed by Google.

There is in most cases a significantly lower expectation of privacy when sending to any public mailing list (regardless of who indexes it) than when sending to a single individual. The difference you cite is, therefore, somewhat understandable. Even more so if people set up forwards from their existing email addresses into GMail accounts, when the senders do not know that the mail they send will be read on Gmail.

--
Richard Cox
Re: Spammers Skirt IP Authentication Attempts
On Wed, 8 Sep 2004 13:52:59 +0100 [EMAIL PROTECTED] asked:

| I see that 56trf5.com is a real domain. Does this mean that the domain
| name registries and DNS are now being polluted with piles of garbage
| entries in the same way that Google searches have been polluted with
| tons of pages full of nothing but search keywords and ads?

Yes. Hadn't you noticed?

Statistically speaking there are now more domains with fake contact records than there are with genuine contact records, and certain registrars have been allowing new domains to be registered using contact addresses that have previously been proved to be bogus.

--
Richard Cox
Re: Phishing (Was Re: WashingtonPost computer security stories)
On Tue, 17 Aug 2004 08:05:41 -0400 (EDT) David Lesher [EMAIL PROTECTED] wrote:

| I wonder if the banks have ever considered how they have contributed
| to the problem. If their pages were straight up, no pop-up's, no
| JavaVirus, etc it would be far easier to tell their customers:
|
| ==
| Here is what our page looks like:
|
| The address ALWAYS starts with: https://www.countrybank.com/...
|
| With a page like this. [graphic image]
| If you have pop-ups, or a different page, stop...
|
| ==
|
| But of course, that would not be glitzy enough

No matter how often they told customers that, a sufficient percentage would ALWAYS be susceptible to the fraudsters' social engineering ...

That feature seems to be hard-coded into the class $customer

--
Richard Cox
Re: VeriSign's rapid DNS updates in .com/.net
On Thu, 22 Jul 2004 15:27:37 -1000 Randy Bush [EMAIL PROTECTED] wrote:

| all they need to do is register foo.bar with delegation to their
| dns servers, and change a third level domain name at will.

Er, no. They have of course tried that already! Registering foo.bar with delegation to THEIR dns servers gives full identification of THEIR dns servers, and the host or upstream of those servers can (and often does) start invoking their acceptable use policy. If not, then all the considerations that Paul V. recently cited about neighbours who allow bad things on their network, start to kick in.

The scenario I have outlined - now well established, and the mechanism understood - allows the malfeasants to operate on the 'net with zero traceability of their identity or location, based on everything they do being able to be done through zombied Windows PCs or open(ed) proxies.

--
Richard Cox
Re: VeriSign's rapid DNS updates in .com/.net
On Thu, 22 Jul 2004 17:24:07 -0700 Robert L Mathews [EMAIL PROTECTED] wrote:

| At 7/22/04 10:08 AM, Paul Vixie wrote:
| | the primary beneficiaries of this new functionality are spammers
| | and other malfeasants
|
| I think you're suggesting that such people will register domain
| names and use them right away (which may be true), and that the
| lack of a delay enables them to do things they couldn't otherwise
| do (which isn't).

The key here is not registration but change.

Currently, while spammers and other malfeasants have the ability to send out through compromised proxies and zombied PCs, there is little that can be done to identify them until they require a response, and then the return path provides some traceability via the IP addresses used, at least for nameservers.

One of the latest spammer exploits involves relying on compromised PCs for hosting of websites and DNS: which, coupled with the ability to update the root DNS in close-to-real-time, means that the entire hosting operation including nameservers can be based on compromised boxes, often with an encrypted/obfuscated link back to the real point of control, and that is significantly harder to track. This becomes of rather greater significance if the hosting is for a phishing site.

The root DNS is controlled through the registrar, and what contact information is held by the registrars frequently turns out to be at best highly imaginative. In removing the previous delays in updating root DNS, the registrars have removed the last obstacle to making hosting totally-untraceable: and then the only record of a hosting activity will be whatever data is held by the registrar.

The only impact of the changes that ICANN made to improve whois-accuracy, has been that the malfeasants are now registering more domains, so that they can rely on the mandated 15-day grace period during which the registrar is required to keep their domain up even though the provided contact details are totally bogus.

The demand for extra domains serves the registrars' business model well. When a contact address is proved to be bogus, and at the end of 15 days the domain complained of is in consequence shut down, it does not seem to occur to most registrars that the other (say) six hundred - perhaps thousands of domains - that were registered by the same person with the identical contact details, must also have bogus contact details and so should be automatically shut down. No, an individual complaint seems to be needed in each case, which means that the malfeasants are given 15 days from the first appearance of EACH domain during which the entire domain is, as it were, bulletproof.

--
Richard Cox
Re: Persistent DNS Zone Transfer Attempts from IP 128.232.0.31
On Sat, 26 Jun 2004 11:19:16 -0400 Jon R. Kibler [EMAIL PROTECTED] wrote:

| Anyone know anything about IP 128.232.0.31?
| # host 128.232.0.31
| 31.0.232.128.in-addr.arpa domain name pointer dns-probe.srg.cl.cam.ac.uk.
|
| We have been getting persistent zone transfer attempts that originate
| from this IP address. We have had repeated zone transfer attempts
| against all of our DNS zones -- and against all 7 name servers that we
| manage. This has been going on now for about a month or two -- more or
| less. Recently, we have also seen attempts to do zone transfers for
| non-authoritative domains. Logging shows that this IP apparently never
| attempts to make legitimate DNS queries, only zone transfers.
|
| Anyone know anything about this IP?
|
| Anyone else have the appropriate logging enabled and also seeing this
| IP make zone transfer attempts?
|
| Thoughts/comments/suggestions?

If you go to http://dns-probe.srg.cl.cam.ac.uk you will see that this activity is part of a well-documented research project at Cambridge University in the UK, which has a widely-respected computer laboratory. I have, out of courtesy, forwarded your concerns to appropriate people there but would assure everybody that this activity is entirely benign!

--
Richard Cox
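The pattern Jon describes (a source that only ever sends AXFR requests, against many zones, and never an ordinary query) is easy to pull out of a query log once you count both kinds of request per source. The following is an added example, not code from the thread or from the Cambridge project: the log lines are constructed in a BIND-like layout that is an assumption, so the regexes need adjusting to whatever your own server logs.

```python
"""Added example (not from the post): pick out sources that only ever ask
for zone transfers, across several zones, from a BIND-style log. The log
lines below are constructed and the line layout is an assumption; adjust
the regexes to whatever your server actually logs."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
26-Jun-2004 10:01:02.123 client 192.0.2.10#53211: query: www.example.com IN A +
26-Jun-2004 10:01:05.456 client 203.0.113.5#33412: zone transfer 'example.com/AXFR/IN' denied
26-Jun-2004 10:02:05.456 client 203.0.113.5#33413: zone transfer 'example.net/AXFR/IN' denied
26-Jun-2004 10:03:00.001 client 192.0.2.10#53212: query: mail.example.com IN MX +
26-Jun-2004 10:03:30.001 client 192.0.2.10#53213: zone transfer 'example.com/AXFR/IN' denied
26-Jun-2004 10:04:05.456 client 203.0.113.5#33414: zone transfer 'example.org/IXFR/IN' denied
26-Jun-2004 10:05:05.456 client 203.0.113.5#33415: zone transfer 'example.org/AXFR/IN' denied
"""

CLIENT_RE = re.compile(r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: (?P<rest>.*)$")
XFER_RE = re.compile(r"zone transfer '(?P<zone>[^/']+)/(?P<kind>AXFR|IXFR)/IN'")
QUERY_RE = re.compile(r"query: (?P<name>\S+) IN (?P<qtype>\S+)")


def summarise(log_text):
    """Per source IP: how many ordinary queries, how many transfer
    requests, and which zones were asked for."""
    stats = defaultdict(lambda: {"queries": 0, "transfers": 0, "zones": set()})
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m is None:
            continue
        ip, rest = m.group("ip"), m.group("rest")
        xfer = XFER_RE.search(rest)
        if xfer is not None:
            stats[ip]["transfers"] += 1
            stats[ip]["zones"].add(xfer.group("zone"))
        elif QUERY_RE.search(rest) is not None:
            stats[ip]["queries"] += 1
    return dict(stats)


def transfer_only_sources(stats, min_zones=2):
    """Sources with transfer attempts, no ordinary queries, and at least
    min_zones distinct zones. A secondary that has lost sync asks about
    one zone and also resolves normally; a probe or a scan looks like this."""
    return sorted(ip for ip, s in stats.items()
                  if s["transfers"] and not s["queries"] and len(s["zones"]) >= min_zones)


if __name__ == "__main__":
    stats = summarise(SAMPLE_LOG)
    for ip in transfer_only_sources(stats):
        s = stats[ip]
        print("%s: %d transfer attempts, %d zones, 0 queries"
              % (ip, s["transfers"], len(s["zones"])))
```

Whatever the source turns out to be, the lines only say "denied" because the server already restricts transfers; on BIND that is the `allow-transfer { ...; };` list naming your secondaries, and the check from an outside host is `dig @ns1.example.com example.com AXFR`, which should report a failed transfer rather than the zone.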
Re: Can a customer take IP's with them?
| Why? Nobody cares who owns the IPs, just whether or not the ISP allows
| the customer to continue using them, which the ISP certainly has the
| ability to do.

Not necessarily. Use of the IPs is effectively licensed to the ISP by the RIR, and sublicensed by the ISP to the user. If either breaches any conditions under which the IPs are licensed, then the ISP should expect to LOSE the right to sublicense them.

--
Richard Cox
Re: Real-Time Mitigation of Denial of Service Attacks Now Available With ATT
On Wed, 2 Jun 2004 09:26:27 -0700 Michel Py [EMAIL PROTECTED] wrote:

| Woulda, shoulda.

The original quote, from the song title, is "Coulda, Woulda, Shoulda" ^^ And that sums it up MUCH better ...

--
Richard Cox
Re: handling ddos attacks
On 21 May 2004 18:11 UTC Scott Weeks [EMAIL PROTECTED] wrote:

| How much more of my time do you think it'd take to convince
| international authorities that some kid who ran LC4 from Europe,
| got a password and put something from
| http://www.packetstormsecurity.org/DoS/index.html on one of the
| computers to attack his enemy of the day is worth their time and
| effort? Think globally. It ain't gonna happen...

If you can get past local barriers, it very probably will happen. I'm in regular touch with the relevant authorities and I can tell you that the FBI is 100% targeted on getting results in exactly that area. While there are obvious difficulties with Russian (and neighbouring country) ISPs, for the rest of Europe any such misconduct gets fast action - as witness the speed with which Law Enforcement moved over the Sasser worm - the author of which is already in custody.

If you are aware of any live case believed to be originating in Europe, I'm sure you can think of a suitable person with whom to get in touch!

--
Richard Cox
Re: Barracuda Networks Spam Firewall
On 19 May 2004 15:12:29 -0700 James Couzens [EMAIL PROTECTED] wrote:

| if URL IP addr is in China then score=100
| I beg to differ Eric A. Hall. ...
|
| So contrary to what you said, perhaps I should just Null Route all
| email originating from the USA? ;)

While this is verging off our remit here, I would clarify the point originally made, which is that if a URL - that is, a URL cited in the body of a message - points to an IP physically located in China, then that signals a high probability of the message being spam.

The physical source of the message - which is likely to be in the US or China - will most probably not be visible to the recipient due to the use of anonymising proxies and other zombie senders - those IPs are likely to be on consumer networks just about anywhere ...

--
Richard Cox
Re: Flash crowds and DOS on POTS
On Mon, 17 May 2004 10:32:32 +0200 Iljitsch van Beijnum [EMAIL PROTECTED] wrote:

| If they knew the difference between a busy signal and a congestion
| signal they probably would...

Er, no. Congestion signal normally means that there are no circuits and the phone network has handled that situation without any issues. But that's not the primary threat that the switches have to handle.

When the call demand far exceeds the number of circuits/operators available, repeated busy or congestion tones will cause callers to make repeat attempts. Local (originating) switches handle this just fine, and then send forward a C7 call set-up request to the switch that handles inbound for that number range (I guess, that's their equivalent of an MX host). And that's where things go wrong.

Digital circuit-switches such as AXE10, DMS100/250 etc are far more vulnerable to high levels of call-set-up traffic, which would cause their processors to be overloaded. Again, the IP analogy is obvious. Multiple-repeat-attempts at call setup to the same number (and same destination switch) from numerous originating switches, cause the processor at the destination switch to be overloaded and to crash. That doesn't result in busy or congestion signals - that results in NO signals (not even dialtone in that exchange's local area).

The telcos' priority therefore is to block the call-setup-attempts at the edges of their network (i.e. originating/early transit switches). This is known as call-gapping and is not without some controversy.

--
Richard Cox
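The mechanism in the post (originating switches forwarding every redial as a fresh C7 set-up, the terminating switch's processor folding under the aggregate, and call gapping at the edge as the remedy) is small enough to model. The following is an added toy model, not code from the post or from any switch vendor; the caller count, number of originating switches, retry interval, processor capacity and gap interval are all made-up parameters, and the "crash" rule is a deliberate simplification.

```python
"""Added example (not from the post): a toy model of the flash-crowd
failure the post describes and of call gapping at the originating
switches. Switch counts, caller counts, retry interval, processor
capacity and the gap interval are all made-up parameters."""
from collections import defaultdict

DEST = "0800-555-0199"  # constructed destination number


def flash_crowd(n_callers=500, n_switches=20, retry_every_ms=2000, retries=4):
    """Every caller dials DEST, gets no answer, and redials every two
    seconds. Returns (time_ms, originating_switch, destination) tuples,
    time-ordered, with callers spread over the first 2 s."""
    attempts = []
    for i in range(n_callers):
        switch = i % n_switches
        for k in range(retries + 1):
            attempts.append((i * 4 + k * retry_every_ms, switch, DEST))
    attempts.sort()
    return attempts


def call_gap(attempts, gap_ms):
    """Originating-switch call gapping: per (switch, destination), forward
    at most one call set-up per gap interval; the rest get congestion tone
    locally and never generate a C7 set-up toward the terminating switch."""
    last_forwarded = {}
    forwarded, rejected = [], 0
    for t, switch, dest in attempts:
        key = (switch, dest)
        if key not in last_forwarded or t - last_forwarded[key] >= gap_ms:
            last_forwarded[key] = t
            forwarded.append((t, switch, dest))
        else:
            rejected += 1
    return forwarded, rejected


def terminating_switch(setups, capacity_per_second):
    """Count set-ups per one-second window. The first window that exceeds
    processor capacity takes the switch down: nothing after it completes,
    and callers in that exchange's area get no tone at all."""
    per_window = defaultdict(int)
    for t, _, _ in setups:
        per_window[t // 1000] += 1
    completed = 0
    for w in sorted(per_window):
        if per_window[w] > capacity_per_second:
            return {"crashed_at_second": w, "completed": completed,
                    "peak_per_second": per_window[w]}
        completed += per_window[w]
    peak = max(per_window.values()) if per_window else 0
    return {"crashed_at_second": None, "completed": completed, "peak_per_second": peak}


def compare(capacity_per_second=50, gap_ms=500):
    """Same flash crowd with and without gapping at the edge."""
    attempts = flash_crowd()
    ungapped = terminating_switch(attempts, capacity_per_second)
    forwarded, rejected = call_gap(attempts, gap_ms)
    gapped = terminating_switch(forwarded, capacity_per_second)
    gapped["rejected_at_edge"] = rejected
    return ungapped, gapped


if __name__ == "__main__":
    before, after = compare()
    print("no gapping :", before)
    print("gapping    :", after)
```

With a 500 ms gap each originating switch can forward at most two set-ups per second toward the destination, so twenty switches cannot exceed forty per second regardless of how hard their callers redial; the callers still hear congestion tone, but the terminating switch keeps answering the calls it can. Without gapping the first second alone carries 250 set-ups and the model switch goes down before completing any.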
Re: Abuse mail boxese (was Re: Lazy network operators)
On Mon, 12 Apr 2004 15:53:20 -0400 (EDT) Sean Donelan [EMAIL PROTECTED] wrote:

| According to the Washington Post
|
| America Online says it has seen a dramatic decline in spam over
| the past month, due to improved filtering techniques and fear of
| litigation under a new U.S. law. In a one-month period ending
| March 20, customer complaints about spam nearly halved to
| 6.8 million per day, the Time Warner Inc. unit said.

The team at AOL have put a SUBSTANTIAL effort into resolving problems over recent months - finding solutions to things that would have had most network admins despairing whether any solutions even existed.

Nothing even close to that can be said of NTL. Unfortunately.

--
Richard Cox
Re: Lazy network operators
On Sat, 10 Apr 2004 14:26:46 -0500 Chris Boyd [EMAIL PROTECTED] quoted:

| Any reports sent to this email address will not be read and will be
| automatically deleted.

Based on experience, it is arguable that not so very much has changed.

--
Richard Cox
Re: Compromised Hosts?
On 22 Mar 2004 00:26 UTC Deepak Jain [EMAIL PROTECTED] asked:

| Would any broadband providers that received automated, detailed
| (time/date stamp, IP information) with hosts that are being used to
| attack (say as part of a DDOS attack) actually do anything about it?

We are a broadband provider and I am responsible for the abuse desk. If we have reason to believe that a host on our IP range is compromised it comes offline unless we are able to contact the customer immediately and satisfy ourselves that the compromise will be taken care of right away. We believe that is the only policy that can meet the established expectation that ISPs will behave as Responsible Neighbours.

| Would the letter have to include information like x.x.x.x/32 has been
| blackholed until further notice or contact with you to be effective?

Not here, anyway. We accept email, IRC, SMS, telephone, snailmail or fax: all we require to see is some verifiable evidence of the report. The problem with any fully-automated reports is that systems used to generate those reports have, generically, reputations for reporting false alarms. We feel we have to accept and discard false alarms in order to be sure not to miss the genuine reports.

However the issue of blackholing x.x.x.x/32 might be ineffective since quite a few broadband providers are using DHCP for their IP assignments, (presumably so they can charge more for static IPs). Users, on finding a loss of connectivity, would almost always reboot, and/or restart their cablemodem or xDSL router until a new IP was assigned ... which would defeat the objective of the blackholing. For that the only effective remedy would be the inclusion of the entire DHCP range in any blacklist. Such a policy might attract some controversy in several quarters ...

| If even 5% of these were acted upon, it might make a difference.

Sadly, any difference it did make would probably not be particularly noticeable, as a strict mathematical analysis reveals.

--
Richard
Re: Cable and Wireless Security Contact?
On Mon, 05 Jan 2004 07:40:38 +0800 someone claiming to be Richard Cocks [EMAIL PROTECTED] wrote:

{snip}

For the record, neither that post, nor the earlier post which asserted a Sender name of Hijacked-L were from, or in any way authorised by me.

I'm sure colleagues here are capable of header analysis, probably more so than I am, so I won't attempt to analyse them here, apart from this:

nycmny1-ar7-4-46-056-062.nycmny1.elnk.dsl.genuity.net
[4.46.56.62] dnsbl.njabl.org : BLOCKED
[4.46.56.62] dnsbl.sorbs.net : BLOCKED

--
Richard Cox
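The two "BLOCKED" lines above are the result of DNSBL lookups, and the same lookup is what the Firefox-extension thread earlier on this page wants to run at scale to count RBL-listed addresses per AS. As an added example serving both threads, and not code from either post or from any of the lists named, the following builds the reversed query names (dotted octets for IPv4, dotted nibbles for IPv6), checks an address against several lists through a pluggable resolver, sanity-checks each list with the RFC 5782 test points before trusting it, and counts listed addresses per origin AS. The list zones, the address-to-AS table and the stub resolver's answers are all constructed; a real run would replace `stub_resolve` with a function around `dns.resolver` or `socket.gethostbyname_ex`.

```python
"""Added example (not from the post): build DNSBL query names, check an
address against several lists through a pluggable resolver, sanity-check
each list, and count listed addresses per AS. The zones, the
address-to-AS table and the stub resolver data are all constructed."""
import ipaddress
from collections import Counter

ZONES = ["dnsbl.example.net", "xbl.example.org"]  # constructed list names

# Constructed (address, origin AS) pairs, e.g. from a routing-table lookup.
SAMPLE_HOSTS = [
    ("192.0.2.45", 64500),
    ("192.0.2.77", 64500),
    ("198.51.100.9", 64501),
    ("2001:db8::1", 64501),
]


def dnsbl_query_name(ip, zone):
    """Reverse the address under the list zone: dotted octets for IPv4,
    dotted nibbles for IPv6 (the RFC 5782 layout)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        rev = ".".join(reversed(str(addr).split(".")))
    else:
        rev = ".".join(reversed(addr.exploded.replace(":", "")))
    return "%s.%s" % (rev, zone)


# Stub resolver: name -> A records (constructed). Both lists answer the
# RFC 5782 test points (127.0.0.2 listed, 127.0.0.1 not) so zone_sane() passes.
_STUB = {
    dnsbl_query_name("127.0.0.2", ZONES[0]): ["127.0.0.2"],
    dnsbl_query_name("127.0.0.2", ZONES[1]): ["127.0.0.4"],
    "45.2.0.192.dnsbl.example.net": ["127.0.0.2"],
    "77.2.0.192.dnsbl.example.net": ["127.0.0.2", "127.0.0.3"],
    "77.2.0.192.xbl.example.org": ["127.0.0.4"],
    dnsbl_query_name("2001:db8::1", ZONES[1]): ["127.0.0.4"],
}


def stub_resolve(name):
    """Return A records for name, or None for NXDOMAIN."""
    return _STUB.get(name)


def check_listed(ip, zone, resolve):
    """Listing codes for ip in zone. Only answers inside 127.0.0.0/8 count;
    anything else means a broken or wildcarded zone, not a listing."""
    answers = resolve(dnsbl_query_name(ip, zone)) or []
    loopback = ipaddress.ip_network("127.0.0.0/8")
    return [a for a in answers if ipaddress.ip_address(a) in loopback]


def zone_sane(zone, resolve):
    """A list that does not list 127.0.0.2, or that does list 127.0.0.1, is
    dead or hijacked and must not be used to block anything."""
    return (bool(check_listed("127.0.0.2", zone, resolve))
            and not check_listed("127.0.0.1", zone, resolve))


def listed_per_asn(hosts, zones, resolve):
    """Count addresses listed on at least one sane zone, grouped by origin AS."""
    usable = [z for z in zones if zone_sane(z, resolve)]
    counts = Counter()
    for ip, asn in hosts:
        if any(check_listed(ip, z, resolve) for z in usable):
            counts[asn] += 1
    return counts


if __name__ == "__main__":
    for asn, n in sorted(listed_per_asn(SAMPLE_HOSTS, ZONES, stub_resolve).items()):
        print("AS%d: %d listed" % (asn, n))
```

The `zone_sane` step is the caveat worth keeping: a DNSBL that has been shut down sometimes ends up answering every query, and anything that blocks on it then blocks all mail, so every lookup should be gated on the test points.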
Re: African porn dialers, civil war and networks
On Mon, 29 Dec 2003 04:42:06 -0800 Eric Kuhnke [EMAIL PROTECTED] wrote:

| Forwarded from the Risks digest (www.risks.org)
| By Brian King, Balancing Act's News Update 188 (21 Dec 2003)
| http://www.balancingact-africa.com

This is a serious fraud-related issue that my company has investigated over the last few years. The problems go a LOT deeper than the Risks item would at first suggest, and I have sent a suitable note to the original author.

Details are unquestionably off-topic for NANOG, so if anyone here wants more details, private mail would be appropriate. So far I have resisted all temptations to resubscribe to Risks!

--
Richard Cox
Re: Working contact for AS6342?
On Sun, 21 Dec 2003 01:23 UTC Jeroen Massar [EMAIL PROTECTED] wrote:

| The below information, from whois.lacnic.net doesn't work,
| thus has anyone got a working contact ? :)

The Mexican phone numbering has been expanded and the area code for Monterrey is now 81 (that's 005281 from the Netherlands). All Monterrey numbers are now eight digits long.

You will probably reach someone relevant at the following addresses:

[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]

or you may want to try one or more of the following telephone numbers:

0052 81 8358 2000
0052 81 8155 2580
0052 81 8346 6351

(from USA/Canada, replace 0052 with 01152 throughout)

--
Richard Cox
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
Contribute to the SpamCon Legal Fund!! http://www.spamcon.org/legalfund/
Re: Authority
On 10 Dec 2003 19:49 UTC Jeff S Wheeler [EMAIL PROTECTED] wrote:
| the nanog-l is not WILLIAM LEIBZON's personal hatred list. If he
| wants people to read on his stuff, he can just start his own list.
|
| Actually, he has his own mailing list, and it is closed to the public.
| You can read it at http://archive.humbug.org.au/hijacked/ though this
| is an unauthorized archive that some dissenting list member populates.

The Hijacked list is certainly not William's private list, although he is a welcome contributor there. I am but the humble keeper of that list, and with the rest of the participants we try to share information about IP/ASN misuse so that (parts of) the 'net can run more smoothly. Anyone can join and (within reason) contribute unless they appear to be involved with the routing of IP blocks of dubious provenance. (And yes, I admit it, I'm behind with the new joiners queue. Apologies for that!)

The archive site is expected to be relocating on or about 12/31/2003.

Blaxthos [EMAIL PROTECTED] previously wrote:
| I take issue with anyone who publicly accuses another entity of
| wrongdoing beyond his scope of authority.

Then you would appear to have a circular argument to contend with.

-- Richard Cox
Re: incorrect spam setups cause spool messes on forwarders
On Tue, 02 Dec 2003 14:37 UTC Suresh Ramasubramanian [EMAIL PROTECTED] wrote:
| Nobody except spammers / dictionary attackers seem to VRFY these days
| for this sort of stuff. In fact grepping your logs for VRFY is often
| a reliable sign of a dictionary attack on your machines.

VRFY is an (unavoidable) part of the checking routine built into the popular Sam Spade for Windows client, for manual verification of any suspect addresses found to have sent suspicious mail. So just looking for VRFY can give you some, er, false positives there ;-) and, as has been said, most sites don't allow it for obvious reasons.

What is perhaps surprising is the number of sites that disallow VRFY but leave EXPN fully operational ...

| Thank God for small mercies, I guess.

Implementing DELAY_CHECKS (which is normal anyway these days) will of course make a complete mockery of the process Verizon have implemented.

-- Richard Cox
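The two points in that exchange (a VRFY burst is a dictionary-attack signal, but a single manual VRFY is a false positive, and EXPN is the command sites forget to close) can be turned into a small log check. This is an added example, not code from the thread; the log line format and the sample lines are constructed for illustration and do not match any particular MTA's log output.

```python
"""Spot VRFY/EXPN probing in SMTP logs while allowing for the odd manual
check.  Added example, not code from the NANOG thread: the log format
below is constructed for illustration, not any particular MTA's."""
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic): one line per SMTP
# command, "<timestamp> <client-ip> <command> <argument>".
SAMPLE_LOG = """\
2003-12-02T14:30:01 192.0.2.10 VRFY alice
2003-12-02T14:30:02 192.0.2.10 VRFY bob
2003-12-02T14:30:02 192.0.2.10 VRFY carol
2003-12-02T14:30:03 192.0.2.10 VRFY dave
2003-12-02T14:30:03 192.0.2.10 VRFY erin
2003-12-02T14:30:04 192.0.2.10 VRFY frank
2003-12-02T14:31:10 198.51.100.7 VRFY postmaster
2003-12-02T14:32:00 203.0.113.5 EXPN staff
2003-12-02T14:32:01 203.0.113.5 EXPN all
2003-12-02T14:33:00 198.51.100.9 MAIL FROM:<x@example.net>
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<cmd>[A-Z]+)(?: (?P<arg>.*))?$")

def parse_log(text):
    """Yield (ip, command, argument) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), m.group("cmd"), m.group("arg") or ""

def find_probers(text, vrfy_threshold=5):
    """Return {ip: reason} for clients whose use of VRFY/EXPN looks like
    address harvesting.  A handful of VRFYs from one client (the Sam
    Spade style manual check the thread mentions) stays below the
    threshold; any EXPN at all is flagged because EXPN returns whole
    lists and should not be reachable by outsiders."""
    vrfy = defaultdict(int)
    expn = defaultdict(int)
    for ip, cmd, _arg in parse_log(text):
        if cmd == "VRFY":
            vrfy[ip] += 1
        elif cmd == "EXPN":
            expn[ip] += 1
    flagged = {}
    for ip, n in vrfy.items():
        if n >= vrfy_threshold:
            flagged[ip] = f"{n} VRFY commands (dictionary probing)"
    for ip, n in expn.items():
        flagged[ip] = f"{n} EXPN commands (EXPN should be disabled)"
    return flagged

if __name__ == "__main__":
    for ip, reason in sorted(find_probers(SAMPLE_LOG).items()):
        print(f"{ip}: {reason}")
```

On the sample above only the six-VRFY client and the EXPN client are reported; the single VRFY from 198.51.100.7 is left alone.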
Re: Anti-Virus help for all of us??????
On Mon, 24 Nov 2003 10:46:26 -0800 Jeff Shultz [EMAIL PROTECTED] wrote:
| Personally I wish that there was something that we could install
| on customer machines that would absolutely and totally block the
| installation of net.net stuff, to the point of deleting any
| installation files that have been downloaded.

The latest version of Zone Alarm Pro does stop all applications from accessing the net outbound unless specifically authorised, and it does check the executable by checksum to make sure it hasn't been changed. Of course, this doesn't cope with the clueless who are willing to click on just about anything, particularly if it looks cute, but the one good point about Zone Alarm Pro is that it requires a separate authorisation before any executable is allowed to access an external site on Port 25.

-- Richard Cox
Re: Router with 2 (or more) interfaces in same network
On 11 Nov 2003 08:35 UTC Sylvia Sugar [EMAIL PROTECTED] wrote:
| I have a customer who insists he wants to do this, without providing
| any explanations!

In my experience if a customer says they want to do something but will not provide explanations, then either they have been told by someone else to ask for that (and have possibly misunderstood the requirement) or they know that if they did provide the explanations, you would be most unlikely to agree to their doing it.

If the former case applies you should always ask that the request come directly to you - rather than through the (often-unwilling) intermediary!

-- Richard Cox
Re: Harassment (was Re: ELAN.NET ...)
On Sun, 02 Nov 2003 15:32:57 -0500 William Allen Simpson [EMAIL PROTECTED] wrote:
| I've reviewed all the postings from this Michael (ENG) Booth,
| and found none that add to the knowledge of this group.

The only relevance of those postings to this group can be found by observing exactly how the MX (69.60.142.242) for his email address ([EMAIL PROTECTED]) answers on Port 25. Most interesting!

| As has been noted, his company is listed as a net hijacker
| and a spam friendly carrier.

The latter issue is certainly not relevant here, while the former might be - if any hijacked blocks were being currently announced by their ASN. That doesn't seem to be the case: whois.cymru.com reports 199.120.254.0 as NOT currently being announced by any ASN. Unless I missed one?

-- Richard Cox
Re: CCO/cisco.com issues.
On Mon, 06 Oct 2003 18:45:15 -0500 Laurence F. Sheldon, Jr. [EMAIL PROTECTED] wrote:
| Now we have clear evidence that there are no less than three who
| understand the threat.

If you mean the threat from those who will attack and disable sites because they don't like what people at those sites say or do, then I assure you there are many who do understand that threat; some of whom can see little difference in terms of effect between DDoS attacks run by individuals, and the null-routing by a backbone network of IPs (or ranges of IPs) for which they make BGP announcements. Both are actions designed to interfere with individual freedoms; both are serious operational issues, and need to be discussed here.

Or was it a different kind of threat that you were referring to, which might have discouraged some who understand the real threat from talking about it?

-- Richard Cox
Re: VeriSign SMTP reject server updated
On Mon, 22 Sep 2003 10:42:51 +0100 [EMAIL PROTECTED] wrote:
| Meanwhile, I would have diverted a copy of the mailserver
| communications at the Ethernet switch to a secret server that
| does the actual logging of addresses and messages.
|
| Son of Carnivore?

Son? or Brother? See: http://lists.insecure.org/lists/politech/2002/Oct/0009.html

-- Richard
Re: Providers removing blocks on port 135?
On Sat, 20 Sep 2003 15:05:08 -0700 Owen DeLong [EMAIL PROTECTED] wrote:
| I'm not convinced blocking port 25 on dialups helps much with that.
| What it does help with is preventing them from connecting to open
| relays.

There are so few open relays now that spammers have moved on. They now use, almost without exception, compromised Windows boxes acting as open proxies, or on which a trojan spam-sender of some sort has been installed - usually by one of the recent stream of viruses/worms. Blocking outbound port 25, other than via a designated smarthost, would at least prevent the direct-to-MX traffic from compromised boxes - which currently seems to be the spammers' method of choice.

| The real solution in the long run will be two-fold:
| 1. Internet hosts need to become less penetrable.
|    (or at least one particular brand of software)
|
| 2. SMTP AUTH will need to become more widespread and end-to-endish.

Right on both counts. But end-to-end may have to include the senders' fingers: as, if bundled mail-client software contains the AUTH password, it will be trivial for the spammers to hijack at the client level. And users won't like having to key in their password each time, meaning that trivial, guessable passwords will often be used. In recent weeks one particular spammer seems to have perfected a knack of breaking SMTP AUTH passwords on a widespread basis.

Governments on both sides of the Pond may be reluctant to make spam illegal, but the issue is not spam (or we couldn't be discussing it here). This is a matter of system and network security, and if law enforcement had the skills, resources and motivation to deal with what are clear breaches of existing laws, admins' jobs would be significantly easier. Until then, we have to deal with issues as they arise. Networks need to be contactable quickly when compromised sites start to be misused, and to respond immediately. Not just wait until Monday Morning in their timezone ... if we can't deal with the incidents in real time, how can we expect law enforcement to do anything?

Hello Comcast, Skynet, Ireland-onLine, NTL in the UK ... need I go on?

Where's Declan McC when we need him?

-- Richard
Re: IP issues with .com/.net change?
On Wed, 17 Sep 2003 19:39 (UTC) Len Sassaman [EMAIL PROTECTED] wrote:
| As Microsoft's features are client-side, no user information
| is leaked without the user's knowledge.

Do you have any form of evidence to support that proposition? s/is/should be/ and I might have been with you ... ;-)

| We hope that Verisign will reconsider their actions. In the meantime,
| we'll be doing everything we can to mitigate the risks to our users.

As will we.

-- Richard Cox RC1500-RIPE
Re: Verisign insanity - Distributed non-attack
On Tue, 16 Sep 2003 17:02:59 +0200 RoDent [EMAIL PROTECTED] wrote:
| Effectively this would amount to a denial of service attack, but since
| there is nothing illegal about making an http request to an invalid
| hostname, Verisign will be bringing the denial of service attack upon
| themselves, and unfortunately dragging ISP's with them. Why ISP's
| haven't publicly taken a stance against this yet is fascinating.

While I completely share your concern about Verisign's behaviour, I have a higher level concern about anything seeking to disrupt services on the 'net. For some weeks now, several of the abuse-prevention organisations have been subjected to Distributed Denial-of-Service attacks; the attack on SORBS is still continuing, and very few of the networks carrying this DDoS traffic have lifted a finger to either limit or trace the attacking traffic. Which, I have to say, is *most* disappointing.

-- Richard Cox
Re: 157.112.0.0/16 ARIN info updated, ATT still announcing /16
On Thu, 11 Sep 2003 16:32 UTC John Payne [EMAIL PROTECTED] wrote:
| I stopped seeing 157.112.0.0/16 announced via ATT earlier this week.

So did many people. That route came back again soon afterwards. I have received an assurance directly from senior ATT management that the route has - in the last few minutes - been removed with prejudice. It will not be returning. We will now be working with ATT management to help them to identify exactly how and where their internal processes failed on this issue.

Way back on Thu, 10 Apr 2003 01:06 UTC I wrote:
| I've been asked to draw the attention of Network administrators to the
| recent hijacking of various large blocks of ARIN IP-space: particularly
| six /16 blocks allocated to the London-based Trafalgar House Group.
|
| Trafalgar House Group (THG):
| Trafalgar House Group TRAF  (NET-144-176-0-0-1) 144.176.0.0/16
| Trafalgar House Group THIN1 (NET-144-177-0-0-1) 144.177.0.0/16
| Trafalgar House Group THIN3 (NET-144-179-0-0-1) 144.179.0.0/16
| Trafalgar House Group THIN4 (NET-144-180-0-0-1) 144.180.0.0/16
| Trafalgar House Group THIN5 (NET-144-181-0-0-1) 144.181.0.0/16
| Trafalgar House Group THIN2 (NET-158-181-0-0-1) 158.181.0.0/16

The other good news is that all those blocks have now been either returned to Aker Kvaerner Group (successors-in-title to Trafalgar House Group) or returned to ARIN for reuse, as appropriate. Any filters you routing people may have put in place to prevent abuse from those blocks can be - and, please, SHOULD be - removed as soon as practicable. The DNSBL entries for them at Spamhaus and SORBS have already been removed.

Anyone wanting more information is welcome to join the Hijacked list (mailto:[EMAIL PROTECTED]subscribe hijacked) which is where we discuss and resolve the Hijacking incidents as they occur. Most network operators are now represented there, and as a result we have been able to resolve most of the hijacking incidents within a very short time of their coming to notice.

-- Richard Cox (Listowner, Hijacked List)
Mandarin Technology Ltd, Wales
Re: dns.exe virus?
On Mon, 8 Sep 2003 13:52:41 -0700 Christopher J. Wolff [EMAIL PROTECTED] wrote:
| Here is an example of what the two hosts .3 and .4 were up to.
{snipped}

The list of hosts they were accessing is ... well, interesting!

24.221.129.4    aztutmux01.az.sprintbbd.net
24.221.129.5    aztutmns01.az.sprintbbd.net
63.210.142.26   unknown.Level3.net
63.215.198.78   unknown.Level3.net
63.240.144.98   a63.240.144.98.deploy.akamaitechnologies.com
63.240.15.245   [CERFnet]
64.215.170.28   [Akamai Technologies/Dallas]
64.24.79.2      [StarNet]
64.24.79.3      [StarNet]
64.24.79.5      [StarNet]
65.102.83.43    ns2.granitecanyon.com
128.121.26.10   [Verio]
166.90.208.166  a166-90-208-166.deploy.akamaitechnologies.com
192.26.92.30    c.gtld-servers.net
192.31.80.30    d.gtld-servers.net
192.35.51.30    f.gtld-servers.net
192.36.148.17   i.root-servers.net
192.41.162.30   l.gtld-servers.net
192.43.172.30   i.gtld-servers.net
192.48.79.30    j.gtld-servers.net
192.5.6.30      a.gtld-servers.net
192.52.178.30   k.gtld-servers.net
192.55.83.30    m.gtld-servers.net
205.166.226.38  ns1.granitecanyon.com
213.161.66.159  213-161-66-159.akamai.com
216.239.32.10   ns1.google.com
216.239.38.10   ns4.google.com
216.74.14.155   [XO]

(Where no rDNS existed, the Netblock owner is shown in [])

-- Richard Cox
%% HELO - the first word of every Email transaction - is in Welsh! %%
Re: On the back of other 'security' posts....
On 31 Aug 2003 06:51 UTC Owen DeLong [EMAIL PROTECTED] wrote:
| I define it as the port on one of my routers where the other
| end of the link is connected to a machine I don't control.

Or one that you didn't control this time yesterday?

-- Richard Cox
Re: On the back of other 'security' posts....
On Sat, 30 Aug 2003 17:36 UTC Jack Bates [EMAIL PROTECTED] wrote:
| The person responsible is the bot maintainer. Finding the controller
| medium (probably irc) is the hard part, but once done, monitoring who
| controls the bots isn't near as hard.

For various values of control. In the cases where we've tracked down bot-masters, they have themselves been throw-away trojaned machines in countries like Taiwan, Korea, etc. The bots found their master through DNS - and the person controlling the DNS had effective control of the botnetwork. If the trojaned site was taken down or tampered with, the human controller would just point the DNS at a different trojaned box.

In those cases, the most valuable evidence can therefore be got just by seeing who makes the changes to the DNS for the domain being used. (Of course, different bot-maintainers will have different approaches; I'm not suggesting this is the only system out there!)

Co-operation from the LE authorities in the country involved would be a prerequisite to tracking which machines connected to that botmaster and I'm sure the trojaned boxes used were chosen with thought for the likely level of co-operation from the country they were in!

| A few media enriched prison sentences would be good.

Some interest from law enforcement authorities in friendly countries (like, the ones we live and work in) would be a good way to start. More commonly they won't get involved because it's too difficult, plus they don't understand the technology properly, they're under-resourced (particularly in terms of handling the international relationships) and there are no guarantees of brownie-points from the effort anyway!

Without law-enforcement interest and adduceable evidence you don't get any prosecutions, and without prosecutions you don't get any prison sentences, media-enriched or otherwise. It's a hard world (for us).

-- Richard Cox RC1500-RIPE
Re: Fun new policy at AOL
On Thu, 28 Aug 2003 10:10 (UTC) Stephen J. Wilcox [EMAIL PROTECTED] wrote:
| Whoa.. that's crazy. Obviously it's an effort to stop relay forwarding
| from cable modem and DSL customers but there are *lots* of legitimate
| smtp servers sitting on customer sites on dynamic addresses.

And at one time it was considered helpful for mail servers to relay anything that was presented to them. We don't think that way now, as a DIRECT result of the way in which that arrangement has been abused. So with legitimate smtp servers sitting on customer sites on dynamic addresses: the flexibility and convenience of such arrangements became subsidiary to the abuse and security issues they facilitated.

Now if the abuse and security teams of the large providers would move *quickly* to isolate compromised machines and deal with other security related issues when they arise, the flexibility and convenience would probably win out in the end. But as things stand it isn't going to. We can thank the usual suspects - Cogent, Qwest, ATT, Comcast - and in Europe: BT, NTL and possibly the world-abuse-leader, Deutsche Telekom (who run dtag.de and t-dialin.net) for this being the situation. They may think it's better for their bottom line to de-resource their security and abuse departments, and better for their customers to let them stay online while issues are resolved, but they remain oblivious to the harm this policy is doing to the internet community as a whole.

| I've numerous customers I can think of straight away who use setups
| such as MS Exchange on dynamic addresses where they poll POP3 boxes
| and send their own SMTP!

The fact that it is impossible to readily distinguish between their IPs and those of compromised boxes running Jeem etc. will mean that those sites are already likely to be experiencing significant mail rejection - and that will get worse, not better. Unless there is a turn-around soon in the attitude of backbones and other providers, I can see a registered SMTP senders only policy being put in place by the majority of sites by the end of 2004. Or possibly sooner.

AOL's mail handling policy may be disappointing - but those of us who have been hit by their other disappointing mail policy (of accepting all undeliverable mail and then bouncing it to the (forged) sender), may see this as actually improving the situation because it visibly reduces the quantity of forged bounces *we* see originating from AOL!

-- Richard Cox
Re: Is there a technical solution to spam?
(Subject line quotes adjusted to avoid infringing Hormel's trademark!)

On 29 Jul 2003 13:24 UTC [EMAIL PROTECTED] wrote:
| Anyone who believes that spam can be solved by technical means {snip}
| is missing the point completely.

Social controls placed on spam by some network operators, and by recipients, have led the senders to adopt techniques that challenge the security of the parts of the internet that we have to manage. An obvious example is the compromising of user machines by viruses such as Jeem, SoBig-E, etc: compromising these machines, some of which are connected (almost) 24/7, with the intention of their being used to send untraceable spam, has prepared those same machines for other nefarious use, such as Distributed Denial of Service attacks.

| the solutions will be found in the social, political and legal
| spaces, not in network engineering.

The solutions may well be found there but will be unimplementable without much needed support from the operators - particularly the major backbones - who currently turn a blind eye to protect their revenue. To see which these operators are, read:
http://groups.google.com/groups?dq=&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=vi1vl24ue5hm72%40corp.supernews.com&rnum=1

| Some combination of education and training, new laws, arrests
| and public trials will be needed to get rid of it.

None of which will be possible without adduceable evidence. This will lead to onerous compliance and logging requirements being imposed on all operators as a result of past non-cooperation by a small subset. Had that subset co-operated from the start, the extra duties that are likely to cause us all extra work would never have become necessary.

| In any case, I suggest that we should ban all future discussion of
| spam and spammers from this mailing list since it is not related to
| network engineering or operating an IP network.

That's already the case, but discussion of the security issues that result from the activities of spammers still seems to be unavoidable.

-- Richard Cox RC1500-RIPE