Question on the topology of Internet Exchange Points

2008-02-14 Thread Kai Chen
A typical Internet Exchange Point (IXP) consists of one or more network
switches <http://en.wikipedia.org/wiki/Network_switch>, to which each of the
participating ISPs connect. We call it the exchange-based topology. My
question is if some current IXPs use directly-connected topology, in
which ISPs just connect to each other by direct link, not through a network
switch? If so, what's the percentage of this directly-connected case?

Kai


Re: RBLs in use

2003-11-20 Thread Kai Schlichting

On 11/20/2003 at 10:51 AM, "Paul S. Brown" <[EMAIL PROTECTED]> wrote:


> Nope,

> Just an ISP with normal ISP type operational spam problems. I'm trying to 
> quantify how often we actually appear on RBL, but I want to get some idea of 
> how much credence to give to appearing on any given list.

> For example something like the old Dorkslayers lists should be ignored because 
> they would blacklist you if you sneezed at the wrong time, however MAPS is 
> probably a good list.

> P.

Based on what you said in
http://groups.google.com/groups?selm=bneav9%2410frig%241%40ID-169718.news.uni-berlin.de&oe=UTF-8&output=gplain

you appear to be working for BT (British Telecom).

BT have (quite rightly) been repeatedly blocked by DNSBL's and private
lists as a result of their poor record in handling abuse incidents (whether
that's by intent or negligence by way of a colossal management failure is
another debate entirely).

Are you looking to apply leverage internally to arrange for that situation
to change, or are you (perhaps) attempting to gather information which your
employer can use to harass or pursue DNSBL maintainers or other spam foes
in some way?"

I have several individuals privately voicing this suspicion to me, along
with other wild suspicions, like: has BT hired Mark E. "Felonstein" Felstein
to provide legal advice based on his impeccable experience gained in the
E-Marketers of America vs. SPEWS et al. case?
(http://www.spamhaus.org/legal/index.html)

bye,Kai



paging Motorola - please evacuate your ninja bots from route-views.oregon-ix.net

2003-11-10 Thread Kai Schlichting

Paging Motorola. Please leave some system resources for the rest of
us and LOG OFF when you're done. Thank you.

bye,Kai

sonet:~$ date
Mon Nov 10 13:56:46 EST 2003

sonet:~$ telnet route-views.oregon-ix.net
[]
route-views.oregon-ix.net>who
    Line     User    Host(s)    Idle      Location
   2 vty 0            idle       1w3d      gate01.mot.com
   3 vty 1            idle       1w3d      gate02.mot.com
   4 vty 2            idle       1w3d      203.135.29.11
   5 vty 3            idle       1w2d      www.sohoskyway.net
   6 vty 4            idle       1w3d      mippet.ci.com.au
   7 vty 5            idle       1w2d      a65-124-16-8.svc.towardex.com
   8 vty 6            idle       1w2d      gate01.mot.com
   9 vty 7            idle       1w2d      gate02.mot.com
  10 vty 8            idle       1w3d      216.140.58.174
  11 vty 9            idle       1w3d      host1.tla.com
  12 vty 10           idle       1w3d      gate01.mot.com
  13 vty 11           idle       1w2d      gate02.mot.com
  14 vty 12           idle       1w3d      gate01.mot.com
  15 vty 13           idle       1w2d      gate01.mot.com
  16 vty 14           idle       2d19h     gate02.mot.com
  17 vty 15           idle       1w1d      gate02.mot.com
  18 vty 16           idle       1w1d      gate01.mot.com
  19 vty 17           idle       1w1d      gate02.mot.com
  20 vty 18           idle       1w1d      gate01.mot.com
  21 vty 19           idle       1w0d      gate02.mot.com
  22 vty 20           idle       1w0d      gate02.mot.com
  23 vty 21           idle       4d10h     203.130.226.203
  24 vty 22           idle       5d23h     gate02.mot.com
  25 vty 23           idle       1w0d      Blackberry.rt.ru
  26 vty 24           idle       1w0d      gate01.mot.com
  27 vty 25           idle       1w0d      gate02.mot.com
  28 vty 26           idle       1w0d      gate02.mot.com
  29 vty 27           idle       1w0d      gate01.mot.com
  30 vty 28           idle       6d12h     gate01.mot.com
  31 vty 29           idle       3d18h     gate02.mot.com
  32 vty 30           idle       3d20h     office.gill.force.vcn.com
  33 vty 31           idle       4d16h     gate02.mot.com
  34 vty 32           idle       6d17h     gate02.mot.com
  35 vty 33           idle       2d13h     gate02.mot.com
  36 vty 34           idle       5d13h     203.130.226.203
  37 vty 35           idle       4d22h     gate01.mot.com
  38 vty 36           idle       2d03h     phlox.cs.wisc.edu
  39 vty 37           idle       4d23h     a207-99-126-144.svc.towardex.com
  40 vty 38           idle       3d15h     gate01.mot.com
  41 vty 39           idle       3d14h     gate02.mot.com
  42 vty 40           idle       3d06h     gate02.mot.com
  43 vty 41           idle       4d05h     gate02.mot.com
  44 vty 42           idle       3d17h     mail-out.hk.reach.com
  45 vty 43           idle       3d12h     gate02.mot.com
  46 vty 44           idle       2d15h     gate02.mot.com
* 47 vty 45           idle       00:00:00  sonet.conti.nu
  48 vty 46           idle       2d14h     gate02.mot.com
  49 vty 47           idle       2d22h     gate02.mot.com
  50 vty 48           idle       1d07h     gate02.mot.com
  51 vty 49           idle       2d01h     gate02.mot.com
  52 vty 50           idle       2d09h     gate02.mot.com
  53 vty 51           idle       00:00:14  ip-157-14.newcomamericas.net
  54 vty 52           idle       00:04:10  office.gill.force.vcn.com
  55 vty 53           idle       11:10:41  gate02.mot.com
  56 vty 54           idle       00:00:34  gateway.panamsat.com
  57 vty 55           idle       16:11:06  gate01.mot.com
  58 vty 56           idle       01:40:51  johnnypc.csu.net
  61 vty 59           idle       16:17:18  hq1.colosseum.com
  62 vty 60           idle       2d00h     gate02.mot.com
  65 vty 63           idle       09:30:35  CPE-144-136-76-220.nsw.bigpond.net.au
  69 vty 67           idle       00:04:49  turing.servers.luna.net
  70 vty 68           idle       00:04:52  turing.servers.luna.net
  71 vty 69           idle       00:04:47  turing.servers.luna.net
  72 vty 70           idle

Re: Finding ASN from IP address

2003-10-09 Thread Kai Schlichting

On 10/9/2003 at 12:49 PM, "Avleen Vig" <[EMAIL PROTECTED]> wrote:


> I want to create a mapping of IP addresses to ASN, for a specific list
> of IP addresses. Eg:
>   1.2.3.4
>   12.34.56.78

> etc, gathered from my system logs.

> What is the best way of doing this?

http://www.spamshield.org/#tools  : ip-leecher.pl

And damn you, if you don't use your own router instead of the
route-servers for more than a few 100 queries per day :)

bye,Kai
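The local approach Kai is pushing for (resolve addresses against a routing table you already hold instead of hammering the route-servers), as an added example that is not part of the original thread. It parses a constructed pipe-separated RIB dump in the layout `bgpdump -m` emits (field 5 is the prefix, field 6 the AS path; both constants are assumptions), builds a longest-prefix lookup, and maps every address in a batch of constructed log lines to an origin AS.

```python
"""Map IP addresses from local logs to origin ASNs by longest-prefix match.

Added example, not from the original thread. It loads a constructed
pipe-separated RIB dump in the layout 'bgpdump -m' emits (field 5 is the
prefix, field 6 the AS path), builds a longest-prefix lookup and resolves
every address in a batch of log lines locally, so no per-address query
ever hits a public route-server.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, Optional

# Constructed RIB lines: documentation/private prefixes and private-range
# ASNs, not real routing data. One line has an AS_SET as its origin.
SAMPLE_RIB = """\
TABLE_DUMP2|1065700000|B|192.0.2.1|64496|10.0.0.0/8|64496 64501|IGP|192.0.2.1|100|0||NAG||
TABLE_DUMP2|1065700000|B|192.0.2.1|64496|10.1.0.0/16|64496 64502|IGP|192.0.2.1|100|0||NAG||
TABLE_DUMP2|1065700000|B|192.0.2.2|64497|10.1.2.0/24|64497 64503|IGP|192.0.2.2|100|0||NAG||
TABLE_DUMP2|1065700000|B|192.0.2.2|64497|198.51.100.0/24|64497 {64504,64505}|INCOMPLETE|192.0.2.2|100|0||AG|64504 192.0.2.9|
TABLE_DUMP2|1065700000|B|192.0.2.1|64496|203.0.113.0/24|64496 64506|IGP|192.0.2.1|100|0||NAG||
"""

# Constructed sendmail-style log lines (not from any real system).
SAMPLE_LOG = """\
Oct  9 12:49:01 mx1 sendmail[123]: ruleset=check_relay, relay=[10.1.2.77], reject=550
Oct  9 12:49:05 mx1 sendmail[124]: ruleset=check_relay, relay=[10.1.200.9], reject=550
Oct  9 12:50:11 mx1 sendmail[130]: ruleset=check_relay, relay=[10.200.0.1], reject=550
Oct  9 12:51:40 mx1 sendmail[141]: ruleset=check_relay, relay=[198.51.100.8], reject=550
Oct  9 12:52:02 mx1 sendmail[150]: ruleset=check_relay, relay=[192.0.2.5], reject=550
"""

PREFIX_FIELD = 5  # assumed column positions for the bgpdump -m layout
PATH_FIELD = 6
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


class PrefixTable:
    """Prefix -> origin AS lookup with longest-match semantics. The origin
    is kept as a string so an AS_SET like '{64504,64505}' survives intact."""

    def __init__(self) -> None:
        # One dict per prefix length: a lookup costs at most 33 probes.
        self._by_len: Dict[int, Dict[ipaddress.IPv4Network, str]] = {}

    def add(self, prefix: str, origin: str) -> None:
        net = ipaddress.ip_network(prefix, strict=False)
        self._by_len.setdefault(net.prefixlen, {})[net] = origin

    def lookup(self, addr: str) -> Optional[str]:
        """Origin AS of the most specific covering prefix, or None."""
        ip = ipaddress.ip_address(addr)
        for plen in sorted(self._by_len, reverse=True):
            candidate = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
            origin = self._by_len[plen].get(candidate)
            if origin is not None:
                return origin
        return None


def build_table(rib_text: str) -> PrefixTable:
    """Parse bgpdump -m style lines; the last AS in the path is the origin."""
    table = PrefixTable()
    for line in rib_text.splitlines():
        fields = line.split("|")
        if len(fields) <= PATH_FIELD or not fields[PREFIX_FIELD]:
            continue  # blank line or truncated record
        path = fields[PATH_FIELD].split()
        if path:
            table.add(fields[PREFIX_FIELD], path[-1])
    return table


def map_log_ips(table: PrefixTable, log_text: str) -> Counter:
    """Count addresses seen in the log per origin AS ('unrouted' when no
    covering prefix exists in the table)."""
    counts: Counter = Counter()
    for addr in IPV4_RE.findall(log_text):
        counts[table.lookup(addr) or "unrouted"] += 1
    return counts


if __name__ == "__main__":
    t = build_table(SAMPLE_RIB)
    for asn, n in map_log_ips(t, SAMPLE_LOG).most_common():
        print(f"AS{asn}: {n}")
```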



Re: CCO/cisco.com issues.

2003-10-06 Thread Kai Schlichting

On Mon, 6 Oct 2003 14:01:31 -0700, Roland Dobbins wrote
> Folks,
> 
> We've been handling a multi-vector DDoS - 40-byte spoofed SYN-flooding 
> towards www.cisco.com (198.133.219.25/32) as well as an HTTP-AUTH 
> resource-exhaustion attack, and working these issues with our 
> upstreams.  Our apologies for any inconveniences, and our thanks to 
> those who've assisted in tracing and blocking the spoofed traffic.
> 
> We're continuing to work the issue, and would be grateful if 
> operators would check for 40-byte spoofed TCP headed towards 
> 198.133.219.25/32 and trace/block it as warranted.  Your patience and 
> understanding are greatly appreciated.
> 
> Thanks!
> 
> -
> Roland Dobbins <[EMAIL PROTECTED]> // 408.527.6376 voice

My mailbox has filled quite a bit (to the tune of a dozen-plus mails)
with comments along the lines of "don't quote me, NANOG is too important
for my work, I don't want to get on Sue Harris' bad side" since my last
so-called "off-topic" NANOG post (which all but *one* person, other than
Sue Harris, found to be "within range and reason").

The spammers,
the DDoS'ers,
the proxy scanners and rapists,
the SMTP auth crackers,
the trojan spreaders,
the DNSBL-DOS'ers,
the hardcore computer criminals
are the evil army of one?

The following well-remembered lines come to mind here, and excuse me if
you hear a slight hysterical laughter from my direction:


"First They Came for the Jews
 First they came for the Jews
 and I did not speak out
 because I was not a Jew.
 Then they came for the Communists
 and I did not speak out
 because I was not a Communist.
 Then they came for the trade unionists
 and I did not speak out
 because I was not a trade unionist.
 Then they came for me
 and there was no one left
 to speak out for me."

 Pastor Martin Niemöller



Re: williams spamhaus blacklist

2003-09-25 Thread Kai Schlichting

On 9/25/2003 at 3:04 PM, "Susan Harris" <[EMAIL PROTECTED]> wrote to me:

> This is the third time I've contacted you concerning violations of the
> NANOG list AUP.  Your message below focuses on spam/blacklists, issues
> that are not considered operational and are therefore off-topic for the
> list.  This is your last warning - if subsequent messages violate any
> terms of the NANOG list, we'll need to remove your posting privileges from
> the list.

> Please refer to the AUP:

> http://www.nanog.org/aup.html

> Susan Harris, Ph.D. 
> Merit Network/Univ. of Mich.

(above is a template, btw)
oops - too late - been busy writing the next post that is SUPPOSEDLY
off topic, and I hit 'send' before seeing this one.

Now tell me: why are you not posting this notice to the list to kill
the thread, if that is the desired effect?

bye,Kai



Re: williams spamhaus blacklist

2003-09-25 Thread Kai Schlichting

On 9/25/2003 at 2:19 PM, "Deepak Jain" <[EMAIL PROTECTED]> wrote:


>> But it's ok when AboveNet does it?...or actually does much worse by
>> secretly and arbitrarily blackholing various networks at will, while
>> advertising connectivity to those networks to their BGP customers and
>> peers?
>>

> So why keep connectivity to them? A contract term? Now that you know of the
> policy and aren't very happy about it, why not change providers -- you
> already have a few. :)

> I think anyone who blackholes sites within their own network should take the
> specifics with a community that clueful customers can use to route-around
> them, but obviously its their network, and whoever is setting up the
> blackholes can decide that for themselves. Just a suggestion.

Travis Haymore, Director of Security at AboveNet, has reportedly (see
Spam-L a couple weeks back) made telephoned threats to at least one system
owner (digistar.com), threatening (and then following up on that threat)
to null-route that particular system (/32) on all of AboveNet/MFNX's routers,
for no other reason than a user of that system making unfavorable public
statements about AboveNet in public forums - while not disputing the truth
of such statements made; he just wanted "that user gone, or else".

Unfortunately for Travis, that happened to be the backup outgoing MX
for a mailing list of quite some importance to a few ISPs and RIRs:
Hijacked-L.


As far as my own case is concerned, presumably the same individual null-routed
the machine this mail originates from (208.241.101.2), for reasons not
explained and not justified with internal documentation whatsoever (that
much I got from an AboveNet manager; causing removal of this IP from their
BL, for lack of documentation, and the unnamed individual responsible for
its entry (Travis was never mentioned by name to me by this AboveNet person,
but everyone else who has reported similar experiences with AboveNet seems
to be pointing back to him at this point) never contested it).

Indeed, quite a bit of mail to [EMAIL PROTECTED] has been sent from this IP
(we are talking of maybe a few hundred since Jan 2003, a fraction of the
number of actual incidents observed) - and that appeared to be the one and
only reason why this machine would appear on his/their radar at all.

Legitimate, persistent and continuing complaints about illegal trespassing
originating from AboveNet's (or their customer's) IP space into your servers
apparently can get you transit-blackholed at AboveNet, rather than getting
yourself blocked from accessing *AboveNet OWNED AND OPERATED* machines -
while AboveNet, knowingly and willingly, does nothing to stop the illegal
activity by itself.

If null0-routing the complainant shields that complainant from the illegal
activity (in order to make him shut up), I become quite suspicious that the
remaining illegal activity against the other 99.999% of the Internet
is not just being ignored, but endorsed and shielded from further discovery
by the complainant. That's called "collusion", in my I-am-not-a-lawyer-way
of expressing this.


Add the secrecy on AboveNet's side and the unusual paths it takes to even
partially uncover any of this, then tell me: would you rather be SBL-listed
for everyone to see, or secretly null0'd at a transit point, with no public
or privately accessible record, until you randomly find out about it, because
some customer-used services (websites, email, etc.) have been failing
randomly for a couple of weeks (blame the Internet!) ?

> This way, blackholes designed to protect clue-light customers can be used
> with little detriment to clueful customers (once the communities are used
> and well-described/published).

Funny as it is, none of the definitions found at http://www.above.net/antispam.html
(section (3) and (8)) ever seem to apply to the cases that we are hearing
and reading about here, making the interception and redirection of this
traffic NOT AIMED AT AboveNET quite unlawful under federal wiretapping
statutes - and all of this is happening with AboveNet managers being well-aware
- less the details on the legalities, I am sure.

And this one is for Deepak: how exactly would a single host (e.g.: any
prefix longer than a /24) evade the giant traffic vacuum cleaner (AboveNet,
busy cleansing the Internet of "unwanted by anyone" packets) when your route,
as seen from most of the Internet, is a /10, rather than a /22, /23 or /24?

And last but not least: Infrastructure failures as a result of operator
behavior are on-topic, the last time I checked.

bye,Kai



Re: williams spamhaus blacklist

2003-09-25 Thread Kai Schlichting

[at the risk of getting whacked by Sue Harris, like: what does "operational"
mean anyway when the flood of criminal activity that's been the subject of
discussion here in recent days is frustrating massive amounts of ordinary
customers/Internet users, who will turn away from the Internet in frustration
altogether ; the impact on operators should be quite obvious]

On 9/25/2003 at 11:58 AM, "netadm" <[EMAIL PROTECTED]> wrote:

> This is exactly the problem with certain e-mail block lists (i.e.
> www.spamhaus.org). A few zealots who control this particular block list
> have made a decision based on inaccurate information.

> Mr. Linford has listed (in his block list) 48 /24s allocated to Infolink
> (yes we are a real ISP with real customers) for 2 customers we are
> working to terminate.

> In addition, as previously mentioned, Mr. Linford refuses to remove
> listings once we notify him of the termination.

And with good reason.

> Given the above, it is imprudent for any network operator (North
> American or Other) to use Mr. Linford's SBL to restrict the delivery of
> e-mail.

It is inadvisable for any network operator to even accept BGP
announcements like yours, inbound into their network:

Anyone who is bleeding 32 /24's in addition to an enclosing /19 supernet
(presumably out of incompetence, but maybe this is part of a strategy to
 circumvent less-skilled operators nullrouting the /19 at router level,
 and failing to notice that that doesn't work when there's longer
 prefixes)
is worthy of being dropped for stealing too much of our router CPU/RAM.

Anyone who (at least at one point in the past) replied to mail sent to
[EMAIL PROTECTED] with a note that the complaint will be ignored and the only
complaints that will be addressed (yeah right) are those sent in
PLAIN OLD PAPER HARDCOPY, deserves no access to other networks whatsoever.

Any ASN that announces the equivalent of only 51 /24's, yet manages to
generate 106 AUP violations (mailing spamtraps, dead users, failing to
yield to SMTP 550, etc., many of them continuous 'repeat action') in a
four month period to 2 rather small MXs, and continues such illegal
trespass after their 4 upstreams are informed (and have in turn informed
you) of this continuously, deserves to be dropped until the end of time.

Current AS 15083 upstreams:
2914 (Verio) 16631 (Cogentco) 19094 (Adelphia/telcove.com)

My guess is that abuse@ people at (at least) Verio and Adelphia are tipping
on their toes, waiting until the complaint count has reached the magic number
high enough to term you with their management's support, so you can go find
yourself some new upstreams - again. That won't change our stance of blocking
you by ASN, IP space and known domain names - indefinitely.

Given that there are 1000's of systems like ours, this makes the SBL listing
seem like an insignificant problem for your so-called "ethucal bizniz".

bye,Kai



Re: monkeys.dom UPL being DDOSed to death

2003-09-23 Thread Kai Schlichting

On 9/23/2003 at 5:16 PM, "Mike Tancsa" <[EMAIL PROTECTED]> wrote:

> http://www.openrbl.org

> is also offline due to a DDoS.

And the ignorance of front-end personnel in LE agencies, unless you are
the NY Times and claim $500,000 in purely fictitious damages, can be a bit
frustrating.

Spamcop and Spamhaus have been undergoing intense DDoS attacks for
months, and I am only partially aware how they are being mitigated.

If certain large operators can donate bandwidth and equipment for
IRC servers in locations with OC-12 and better connectivity, AND
live through the DDoS attacks that come with it, why not step forward
and provide some forwarding-proxy service for some of the websites
and distribution sites for DNSBLs, plus possibly proxying DNS traffic?

OpenRBL.org has stated (http://www.openrbl.org/index-2.htm) that the
bandwidth required for actual application traffic can be very low
(0.5Mbps or less), not counting DDoS traffic.

No arrangements of that kind have to be public knowledge.

Other measures:

- Got a spare /20 that can be used to make the forwarding proxy hop around
  a bit, every 5 minutes or so, with DNS TTLs in the 10-minute range?

  It's been done with 'moving-target' spamvertised sites like
  optinspecialists.info , which is currently using a LARGE number of
  compromised Windows hosts illegally to proxy DNS and HTTP traffic for
  them. They've been doing it for weeks. Do the registrars care? Hell no.
  (see morozreg.biz, bubra.biz, the domains used for DNS, domains you
  probably want to add local zone overrides for, in your nameservers,
  not your HOSTS file.) Now we know how Al-Quaeda is hiding their websites,
  at last.

  It would be trivial to 'sinkhole' DoS traffic still going on to IPs of
  the recent past, greatly increasing the chances of catching the
  perpetrators as they keep switching their trojans to new IPs,
  hitting a few fully-sniffed honeypots while they are at it.

- BGP anycast, ideally suited for such forwarding proxies.
  Anyone here feeling very adept with BGP anycast (I don't) for
  the purpose of running such a service? This is a solution that
  has to be suggested and explained to some of the DNSBL operators.

If someone reading this has gone forward with a private mailing list to
discuss all these issues, I'd be happy to receive an invitation to donate
my [lack of] smarts to the cause.

bye,Kai



157.112.0.0/16 ARIN info updated, AT&T still announcing /16

2003-09-11 Thread Kai Schlichting

From the [Hijacked] list:

> The ARIN information has been updated to have up-to-date contact info for
> the original owner, the original owners' ISP is announcing 4 /18s but AT&T
> is still announcing 157.112.0.0/16. Can whoever's been bugging AT&T to stop
> announcing it to bug them some more?

[EMAIL PROTECTED] seems to be a dead horse - demands from numerous parties,
including the owner of this /16 (the true source of records is JPNIC:
whois -h whois.nic.ad.jp "157.112.0.0 /e" , ARIN has not proceeded with
'early registration' transfer of this group of records to JPNIC, it
seems) that have been mailed there and to various other @att.net addresses,
including their so-called "legal demands center" (that is reportedly hard
to reach via email) have been summarily ignored, and we mean "/dev/null'd".

AT&T, for lack of presenting any TRO forcing them to keep routing this,
appears to willingly conspire with the Empire Towers IP space hijackers
while presented with overwhelming evidence that whatever forged documents
Empire Towers and Thomas Cowles may have presented to them are indeed that
- forged.

ARIN zapping the legacy record for this block apparently isn't
convincing enough for them to stop announcing this route.

The ISP for Systems Clipper Inc. (AS 23720) had started announcing a competing
/16 almost 2 weeks ago, but for reasons obvious to nearly all members of
this list, that of course wasn't good enough: it's four /18's now,
and AT&T should be seeing none of the traffic just about now.

If you are peering with AS 7018, a nicely worded email to your peering
contacts expressing your concern with AT&T's non-existent cooperation
in IP space hijacking cases would be appreciated.

Thank you.
bye,Kai

ps: and this says nothing about the amount and nature of actual abuse that's
  been reported from this /16 while it originated from AS 7018.




paging AS226 : 63/8 does not belong to you

2003-09-09 Thread Kai Schlichting

(whois.arin.net once again resolves, thanks Rodney Joffe who
 seems to have gotten this fixed before I could reply to him)

Now today:

route-views.oregon-ix.net>sh ip bgp 63.0.0.0/8
BGP routing table entry for 63.0.0.0/8, version 1548358
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  7500 2516 226
202.249.2.86 from 202.249.2.86 (210.173.176.242)
  Origin incomplete, localpref 100, valid, external, best


Now: what is ln.net's excuse for not updating the ARIN registration
for AS 226 since 1991?  An AS with this amount of IP space advertised:
(http://bgp.potaroo.net/cgi-bin/as-report?as=226&view=4637)

Rank  AS     Type     Originate Addr Space  (pfx)    Transit Addr space  (pfx)    Description
224   AS226  ORG+TRN  Originate: 739584 /12.50       Transit: 922880 /12.18       LOS-NETTOS-AS Los Nettos

...can't keep its own ASN record up to date?

bye,Kai
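The two table checks behind this post and the Infolink (AS 15083) post above, as an added example that is not part of any post in the thread: a scan for more-specifics an origin announces redundantly beside its own covering aggregate over the same path, and a simplified ROA-style origin check against a local table of registered blocks. All routes are constructed; only the 157.112.0.0/16 and 63.0.0.0/8 shapes come from the posts, and the 10.64.0.0/19 case, the 63.64.0.0/18 registration and the 645xx ASNs are made up.

```python
"""Two sanity checks over a set of BGP routes: needless deaggregation and
origins that do not match the registered holder of the space.

Added example, not from the original thread. Routes are constructed
(prefix, AS path) pairs. The 'registrations' list is a constructed local
policy table in the spirit of an RPKI ROA: a block, the ASNs allowed to
originate it and the longest more-specific the holder may announce.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class Route(NamedTuple):
    prefix: str
    path: Tuple[int, ...]  # AS path as received; path[-1] is the origin AS


class Registration(NamedTuple):
    block: str
    origins: Set[int]  # ASNs allowed to originate this block
    max_len: int       # longest prefix the holder may announce inside it


def _net(prefix: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(prefix, strict=False)


SAMPLE_ROUTES = [
    # Constructed: one origin bleeds four /24s beside its own covering /19.
    Route("10.64.0.0/19", (64500, 64510)),
    Route("10.64.0.0/24", (64500, 64510)),
    Route("10.64.1.0/24", (64500, 64510)),
    Route("10.64.2.0/24", (64500, 64510)),
    Route("10.64.3.0/24", (64500, 64510)),
    # Same origin, different path: traffic engineering, not flagged.
    Route("10.64.16.0/24", (64501, 64510)),
    # Shapes from the thread (paths constructed): the holder's ISP announces
    # four /18s while another AS still announces the enclosing /16, and a
    # whole /8 is announced by an AS that holds at most a part of it.
    Route("157.112.0.0/18", (64500, 23720)),
    Route("157.112.64.0/18", (64500, 23720)),
    Route("157.112.128.0/18", (64500, 23720)),
    Route("157.112.192.0/18", (64500, 23720)),
    Route("157.112.0.0/16", (7500, 7018)),
    Route("63.0.0.0/8", (7500, 2516, 226)),
    Route("63.64.0.0/18", (64500, 64520)),
]

# Constructed registrations; 63.64.0.0/18 and AS 64520 are made up.
SAMPLE_REGISTRATIONS = [
    Registration("157.112.0.0/16", {23720}, 18),
    Registration("63.64.0.0/18", {64520}, 20),
]


def redundant_more_specifics(routes: Iterable[Route]) -> Dict[str, List[str]]:
    """Return {covering_prefix: [more_specifics]} for routes whose origin
    already announces a covering aggregate over the identical AS path.
    Such entries add RIB/FIB state without changing where traffic goes."""
    # Most specific first, so the first cover found is the tightest one.
    ordered = sorted(routes, key=lambda r: _net(r.prefix).prefixlen, reverse=True)
    out: Dict[str, List[str]] = defaultdict(list)
    for r in ordered:
        rn = _net(r.prefix)
        for c in ordered:
            cn = _net(c.prefix)
            if cn.prefixlen < rn.prefixlen and rn.subnet_of(cn) and c.path == r.path:
                out[c.prefix].append(r.prefix)
                break
    return dict(out)


def check_origins(routes: Iterable[Route],
                  registrations: Iterable[Registration]) -> List[Tuple[str, int, str]]:
    """Return (prefix, origin, reason) for announcements that conflict with a
    registration: origin not allowed for the block, route more specific than
    the holder permits, or a supernet swallowing someone else's block."""
    regs = list(registrations)
    flags: List[Tuple[str, int, str]] = []
    for r in routes:
        rn, origin = _net(r.prefix), r.path[-1]
        for reg in regs:
            bn = _net(reg.block)
            reason = None
            if rn.subnet_of(bn):  # inside (or equal to) the registered block
                if origin not in reg.origins:
                    reason = "unauthorised-origin"
                elif rn.prefixlen > reg.max_len:
                    reason = "too-specific"
            elif bn.subnet_of(rn):  # route is a strict supernet of the block
                reason = "covers-registration"
            if reason:
                flags.append((r.prefix, origin, reason))
                break  # one finding per route is enough
    return flags


if __name__ == "__main__":
    for agg, kids in redundant_more_specifics(SAMPLE_ROUTES).items():
        print(f"{agg}: {len(kids)} redundant more-specifics")
    for prefix, origin, reason in check_origins(SAMPLE_ROUTES, SAMPLE_REGISTRATIONS):
        print(f"{prefix} via AS{origin}: {reason}")
```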




arin.net DNS problems

2003-09-08 Thread Kai Schlichting

I had intermittent failures to resolve whois.arin.net today,
and haven't bothered to investigate this until now: someone
please forward this to an after-hours person at ARIN,
[EMAIL PROTECTED] will probably not be read for a while.


Reason:
BUCHU.arin.net. 3H IN A 192.100.59.110
arrowroot.arin.net. 3H IN A 198.133.199.110

are both not returning any A record for 'whois.arin.net'

$ dig +norec @a.gtld-servers.net arin.net ns
;; ANSWER SECTION:
arin.net.   2D IN NS l3.nstld.com.
arin.net.   2D IN NS a3.nstld.com.
arin.net.   2D IN NS c3.nstld.com.
arin.net.   2D IN NS f3.nstld.com.
arin.net.   2D IN NS g3.nstld.com.
arin.net.   2D IN NS buchu.arin.net.
arin.net.   2D IN NS arrowroot.arin.net.

All *.nstld.com servers respond with:

whois.arin.net. 3H IN A 192.149.252.43

The zone serials are consistent:

;; ANSWER SECTION:
arin.net.   3H IN SOA   arrowroot.arin.net. bind.arin.net. (
2003061812  ; serial
3H  ; refresh
10M ; retry
2W  ; expiry
1H ); minimum


However, buchu and arrowroot.arin.net BOTH answer very oddly when
queried for an SOA: they are returning an A record for arin.net -
not quite what was asked for!


$ dig +norec @198.133.199.110 arin.net soa
; <<>> DiG 8.2 <<>> +norec @198.133.199.110 arin.net soa
; (1 server found)
;; res options: init defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1426
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 10, ADDITIONAL: 2
;; QUERY SECTION:
;;  arin.net, type = SOA, class = IN

;; ANSWER SECTION:
arin.net.   3H IN A 192.149.252.17

;; AUTHORITY SECTION:
arin.net.   3H IN NS L3.NSTLD.COM.
arin.net.   3H IN NS G3.NSTLD.COM.
arin.net.   3H IN NS F3.NSTLD.COM.
arin.net.   3H IN NS E3.NSTLD.COM.
arin.net.   3H IN NS D3.NSTLD.COM.
arin.net.   3H IN NS C3.NSTLD.COM.
arin.net.   3H IN NS BUCHU.arin.net.
arin.net.   3H IN NS B3.NSTLD.COM.
arin.net.   3H IN NS arrowroot.arin.net.
arin.net.   3H IN NS A3.NSTLD.COM.

;; ADDITIONAL SECTION:
arrowroot.arin.net. 3H IN A 198.133.199.110
BUCHU.arin.net. 3H IN A 192.100.59.110

;; Total query time: 17 msec
;; FROM: sonet.conti.nu to SERVER: 198.133.199.110
;; WHEN: Mon Sep  8 18:34:11 2003
;; MSG SIZE  sent: 26  rcvd: 263


However, an 'any' query yields:

$ dig +norec @198.133.199.110 arin.net any

; <<>> DiG 8.2 <<>> +norec @198.133.199.110 arin.net any
; (1 server found)
;; res options: init defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55882
;; flags: qr aa; QUERY: 1, ANSWER: 16, AUTHORITY: 0, ADDITIONAL: 4
;; QUERY SECTION:
;;  arin.net, type = ANY, class = IN

;; ANSWER SECTION:
arin.net.   3H IN SOA   arrowroot.arin.net. bind.arin.net. (
2003061812  ; serial
3H  ; refresh
10M ; retry
2W  ; expiry
1H ); minimum

arin.net.   3H IN A 192.149.252.17
arin.net.   3H IN MX 10 smtp2.arin.net.
arin.net.   3H IN MX 20 smtp1.arin.net.
arin.net.   3H IN NS L3.NSTLD.COM.
arin.net.   3H IN NS G3.NSTLD.COM.
arin.net.   3H IN NS F3.NSTLD.COM.
arin.net.   3H IN NS E3.NSTLD.COM.
arin.net.   3H IN NS D3.NSTLD.COM.
arin.net.   3H IN MX 40 cumin.apnic.net.
arin.net.   3H IN NS C3.NSTLD.COM.
arin.net.   3H IN NS BUCHU.arin.net.
arin.net.   3H IN NS B3.NSTLD.COM.
arin.net.   3H IN MX 30 aso.icann.org.
arin.net.   3H IN NS arrowroot.arin.net.
arin.net.   3H IN NS A3.NSTLD.COM.

;; ADDITIONAL SECTION:
smtp2.arin.net. 3H IN A 192.149.252.32
smtp1.arin.net. 3H IN A 192.149.252.33
arrowroot.arin.net. 3H IN A 198.133.199.110
BUCHU.arin.net. 3H IN A 192.100.59.110

;; Total query time: 117 msec
;; FROM: sonet.conti.nu to SERVER: 198.133.199.110
;; WHEN: Mon Sep  8 18:36:01 2003
;; MSG SIZE  sent: 26
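A check for the anomaly this post documents (an authoritative server answering an SOA query with an A record), as an added example that is not part of the original post: it parses dig text output and reports answer records whose type does not match the question asked. The sample responses are constructed around example.net and documentation addresses, not captured from arin.net.

```python
"""Check that a dig response answers the question that was asked.

Added example, not from the original thread. It parses dig text output
(both the 'type = SOA, class = IN' QUERY SECTION style shown in the thread
and the newer ';name. IN SOA' QUESTION SECTION style) and reports answer
records whose type is neither the queried type nor a CNAME leading to it.
"""
import re
from typing import List, NamedTuple, Tuple


class DigReport(NamedTuple):
    qname: str
    qtype: str
    authoritative: bool                 # 'aa' present in the flags line
    answer_types: List[str]
    mismatches: List[Tuple[str, str]]   # (owner, rrtype) not answering qtype


# Constructed response for example.net with documentation addresses, shaped
# like the anomaly in the post: an 'aa' answer to an SOA query carrying an A.
SAMPLE_SOA_QUERY = """\
; <<>> DiG 8.2 <<>> +norec @192.0.2.53 example.net soa
; (1 server found)
;; res options: init defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1426
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUERY SECTION:
;;      example.net, type = SOA, class = IN

;; ANSWER SECTION:
example.net.            3H IN A         192.0.2.17

;; AUTHORITY SECTION:
example.net.            3H IN NS        ns1.example.net.
example.net.            3H IN NS        ns2.example.net.

;; ADDITIONAL SECTION:
ns1.example.net.        3H IN A         192.0.2.53
ns2.example.net.        3H IN A         198.51.100.53
"""

# Constructed ANY response: a multi-line SOA plus A, MX and NS records.
SAMPLE_ANY_QUERY = """\
;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;      example.net, type = ANY, class = IN

;; ANSWER SECTION:
example.net.            3H IN SOA       ns1.example.net. hostmaster.example.net. (
                        2003090801      ; serial
                        3H              ; refresh
                        10M             ; retry
                        2W              ; expiry
                        1H )            ; minimum
example.net.            3H IN A         192.0.2.17
example.net.            3H IN MX        10 mail.example.net.
example.net.            3H IN NS        ns1.example.net.
example.net.            3H IN NS        ns2.example.net.
"""

QUERY8_RE = re.compile(r"^;;\s+(\S+?),\s*type\s*=\s*(\S+),\s*class\s*=")
QUERY9_RE = re.compile(r"^;(\S+)\s+IN\s+(\S+)\s*$")
RR_RE = re.compile(r"^(\S+)\s+\d+[smhdwSMHDW]?\s+IN\s+([A-Z][A-Z0-9]*)\b")
FLAGS_RE = re.compile(r"^;; flags:\s*([^;]*);")


def analyse(dig_text: str) -> DigReport:
    qname = qtype = ""
    authoritative = False
    section = None
    answers: List[Tuple[str, str]] = []
    for line in dig_text.splitlines():
        m = FLAGS_RE.match(line)
        if m:
            authoritative = "aa" in m.group(1).split()
            continue
        if line.startswith(";; ") and line.rstrip().endswith("SECTION:"):
            section = line.split()[1]  # QUERY, QUESTION, ANSWER, ...
            continue
        if section in ("QUERY", "QUESTION"):
            m = QUERY8_RE.match(line) or QUERY9_RE.match(line)
            if m:
                qname = m.group(1).rstrip(".") + "."
                qtype = m.group(2).upper()
        elif section == "ANSWER":
            m = RR_RE.match(line)  # SOA continuation lines do not match
            if m:
                answers.append((m.group(1), m.group(2)))
    mismatches = [
        (owner, rtype) for owner, rtype in answers
        if qtype not in ("ANY", rtype) and rtype != "CNAME"
    ]
    return DigReport(qname, qtype, authoritative,
                     [t for _, t in answers], mismatches)


if __name__ == "__main__":
    for sample in (SAMPLE_SOA_QUERY, SAMPLE_ANY_QUERY):
        rep = analyse(sample)
        verdict = "OK" if not rep.mismatches else f"MISMATCH {rep.mismatches}"
        print(f"{rep.qname} {rep.qtype} aa={rep.authoritative}: {verdict}")
```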

Re: Cable & Wireless, Verio and/or Level 3 port blocking?

2003-09-08 Thread Kai Schlichting

On 9/8/2003 at 3:58 PM, "Stephen J. Wilcox" <[EMAIL PROTECTED]> wrote:


> I dont have a url for such an app (assuming one has been written) but you should
> be able to run a traceroute using the tcp ports and see where it stops?

> Steve

> On Mon, 8 Sep 2003, William Devine, II wrote:

>> 
>> Can anyone from these three carriers tell me if you're doing port blocking
>> on the Windows file/print ports (135-139, 445 & 593) ?
>> A client of ours (in the US), against our recommendation, still wants to
>> connect to their Exchange server in the UK without a VPN.  We're not
>> blocking their IP#'s from anything but somewhere in between it's getting
>> blocked.  We use C&W directly and Verio/Level3 through a peer.
>> 
>> Thanks!
>> william

That'd be http://michael.toren.net/code/tcptraceroute/

bye,Kai




Re: CalPOP contact? HTTP CONNECT scanning

2003-09-04 Thread Kai Schlichting

On 9/3/2003 at 8:17 PM, "Jeroen Massar" <[EMAIL PROTECTED]> wrote:


> -BEGIN PGP SIGNED MESSAGE-

> As people are complaining all around about ISP's,
> here is my small question. Who has a _working_ contact at
> "CalPOP" (216.240.128.0/19 and others). It is not in puck :(

> If anybody has a working one please mail it me offlist so
> that the following long version of the problem can be solved.

> Is there anything alive at CalPOP that doesn't try
> to abuse open proxies for massively spamming hotmail ?

> These are the hits from Sep 3rd:

[Spam-L] BLOCK,MISC: WHO'S SPAMMING YOU? (2003-08-27) Top 40 Proxy-Hijacker-Friendly Nets
http://www.monkeys.com/phl/top-20030827.post
10. 216.240.140(4)  level3.net - calpop.com (Los Angeles, CA)
days.cblock=2
29. 216.240.149(3)  level3.net - calpop.com (Los Angeles, CA)
days.cblock=5



We consider them a 'possibly rogue operator' at this point.
We have numerous logged instances of unlawful trespass from
their IP space - mail or attempted mail to spamtraps - and
real ugliness like 66.250.115.0/24 (no longer announced by
them) housing the proxy-scanning criminals at nextdatacorp.com/
newengineroom.com. Never a darn word from them, except auto-replies.
Their appearance in RFG's "top-40" list is definitely paving
the way for death-by-ASN-filter (joining 90+ others).

ARIN has marked the contact info for AS 7796 as invalid - BACK IN MAY(!)
- and "Network Operations Account" 
has confirmed to us that they (AS 13374) are not the registrant
of that ASN, but CalPOP is. CalPOP has certainly had every
opportunity to correct the false record(s) in question with
ARIN by now. Unless ARIN steps into this discussion and gives us
a good reason why they haven't updated anything (e.g.: no or
false documentation provided by CalPOP), I'll assume that this
lack of even remotely accurate records for the ASN is deliberate,
rather than mere negligence, and evokes strong suspicions of
this ASN being hijacked, bar evidence to the contrary.

The fact that their upstreams are or have been:
- Level3 (known spammer-tolerant, complaint-ignorant, deliberately hiding
  customers in their IP space without SWIP/rwhois)
- rogue operator AS 22298 (ewan1.com)
  (RIS says they are gone since 2003-08-25)
- Cogent (known spammer-tolerant, complaint-ignorant)
  (RIS says they are gone since 2003-08-06)

lets you expect nothing good coming from calpop.com .

AS 7796 announcing 216.240.128.0/19 as 32 /24's should make some people
here wonder: who the hell am I wasting my router's RAM for, and why am
I still accepting /24's from space other than the traditional swamp?

bye,Kai

ps: RFG's monkeys.com is undergoing a joe-job right now - with the
suspects most certainly present within (or acting on behalf and in
concert with) the group of hard-core computer criminals listed in
his "Top 40" list. Which criminals does your employer support?




Re: Windows update down again?

2003-08-18 Thread Kai Schlichting

On 8/17/2003 at 5:27 PM, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:


> It's just come back now.  Must have been a temporary holding page while 
> they did some maintenance.

> On Sun, 17 Aug 2003, [EMAIL PROTECTED] wrote:

>> 
>> Hi all,
>> 
>> I was just updating a couple of Windows machines and had been using 
>> Windows Update without any problems until about 5 mins ago (22:10 GMT) 
>> when I've started getting this:
>> 
>> "Thank you for your interest in Windows Update
>> 
>> Windows Update is the online extension of Windows that helps you get the 
>> most out of your computer.
>> 
>> The latest version of Windows Update is available on computers that are 
>> running Microsoft Windows 98, Windows 98 Second Edition, Windows 
>> Millennium Edition, Windows 2000 (except Windows 2000 Datacenter Server), 
>> Windows XP, and the Windows Server 2003 family."
>> 
>> URL is http://v4.windowsupdate.microsoft.com/default.asp which redirects 
>> to http://v4.windowsupdate.microsoft.com/en/thanks.asp.  Also happens for 
>> http://windowsupdate.microsoft.com/.
>> 
>> This is from multiple machines running Windows 2000 (Pro and Server) and 
>> Windows 2003 server.  Anyone else seeing this yet?
>> 
>> Does anyone know of an alternative URL for Windows Update in the meantime?
>> 
>> Rich


Not exactly. Windows update has been failing lately when the computer trying
to use it is using a web proxy (Squid, etc.). I have tracked this down to said
proxies not being able to proxy objects larger than about 1MB in size: some
down-the-line chained proxies I administer were running "cache_mem  4 MB" -
and that breaks it consistently.

Why this breaks M$ Windows update and seemingly little else is beyond me:
I don't know the exact fail-over mechanics of Squid, but I have downloaded
single files greater than 50MB through proxies with only 8MB cache_mem with
nothing unusual happening.

bye,Kai




Re: Edge 1 Networks/Williams Communications Group

2003-08-14 Thread Kai Schlichting

(off-topic)

On 8/4/2003 at 10:26 PM, "Jeff Kell" <[EMAIL PROTECTED]> wrote:


> After several run-ins with Edge 1 Networks [69.44.28.0/22] having their 
> machines "hijack" victim machines on our networks infected with Jeem, 
> and then making their spam runs, I've had it.  I have reported both to 
> Edge 1 and their parent Williams Communications Group [AS7911] with no 
> result and I will be blocking Edge 1 [in theory, AS29986, but no doubt 
> private spewage from WCG.NET).

[I omitted quoting the follow-up post where Nick Geyer and Chris
 'Rizler' Smith are being ratted out by fellow IP space hijackers at
 Web Design House (AS 26857):
 - 199.60.102.0/24 hijacked by registering henningassoc.com (which has
   the same POC e-mail addr as AS26857 until recently: [EMAIL PROTECTED],
   with interesting nameservers that have since moved out of that /24:
   NS1.NANOG.US 216.66.69.69, NS2.NANOG.US 216.66.69.169 ;
 - announced hijacked 148.3.32.0/20 IT-SOUTHLTD.COM
 - provided transit for AS 27526 (endai.com/endai.net/dmx0.com),
   originating hijacked 148.3.0.0/21 (IT-SOUTHLTD.COM) ]


The following (now posted daily) feature in Spam-L should make some
silent NANOG subscribers ask themselves a question: do I work for a
large criminal enterprise and could my own actions as an employee be
considered active participation with possible criminal culpability?

And for those OTHER NANOG subscribers that decided that joining the
unemployment line after the Internet bubble burst was not for them,
but legal work suiting their qualifications was nowhere to be found:
you should read up on some of the statutes of limitations for computer
fraud and abuse acts (federal and state) and reconsider your current
activities. Your acts are definitely not going unnoticed nor are they
being ignored.
There's a reason why Chris 'Rizler' Smith and 2 of his associates
fled^Wrelocated to Costa Rica, you know, but Mary Jo White sure as
hell didn't care that the last batch of people she had indicted had
relocated to small caribbean island nations to evade US justice:
http://zdnet.com.com/2100-11-508027.html


ISPs, including Level3.net and Cogent, are conspiring (that's what 'knowingly
providing assistance to the perpetrator of a criminal act' actually is) with
hard core computer criminals, and there's a handy list right here:

---

This is a forwarded message
From: Ronald F. Guilmette
To: [EMAIL PROTECTED]
Date: Monday, August 4, 2003, 4:06:47 PM
Subject: BLOCK,MISC: WHO'S SPAMMING YOU? Top 40 Proxy-Hijacker-Friendly ISPs 2003-08-04

===8<==Original message text===
Date: Mon, 4 Aug 2003 13:06:47 -0700
Sender: Spam Prevention Discussion List <[EMAIL PROTECTED]>
From: "Ronald F. Guilmette"
Subject: BLOCK,MISC: WHO'S SPAMMING YOU? Top 40 Proxy-Hijacker-Friendly ISPs 2003-08-04
To: [EMAIL PROTECTED]
Precedence: list

The following list is based on proxy honeypot network data collected
between 12 Noon 2003-08-03 and 12 noon 2003-08-04.

Commentary follows below...

 1. 38.112.197  cogentco.com - daicahosting.com/daica.com (Tampa, FL)
 2. 38.114.11   cogentco.com - tailoredservers.com (Frisco, TX)
 3. 66.135.15   broadbandip.net (Baton Rouge, LA)
 4. 38.114.3    cogentco.com - tailoredservers.com (Frisco, TX)
 5. 63.246.136  unitedcolo.com aka sagonet.com (San Francisco, CA)
 6. 66.44.228   sterlingnetwork.net - savanti.net (Tucson, AZ)
 7. 166.90.206  level3.com - ?Alan Ralsky? (Detroit area, MI)
 8. 66.118.187  sagonet.com (Tampa, FL)
 9. 63.246.135  unitedcolo.com aka sagonet.com (San Francisco, CA)
10. 66.250.125  cogentco.com - applicationx.net (Alpha, NJ)
11. 66.111.39   unitedcolo.com aka sagonet.com (San Francisco, CA)
12. 63.246.133  unitedcolo.com aka sagonet.com (San Francisco, CA)
13. 66.118.189  sagonet.com (Tampa, FL)
14. 64.5.51     theplanet.com (Dallas, TX)
15. 66.111.49   unitedcolo.com aka sagonet.com (San Francisco, CA)
16. 66.118.142  sagonet.com - argobroadcast.com (Tampa, FL)
17. 66.205.223  cetnetworks.com - smartmailhosting.com (New Orleans, LA)
18. 66.44.231   sterlingnetwork.net - savanti.net (Tucson, AZ)
19. 64.180.125  telus.net - "Trinity Prof-Soho" (Vancouver, BC, CA)
20. 206.47.187  bell.ca - "Datatech Communications" (Windsor, ON, CA)
21. 66.17.157   yipes.com - net-sentry.net (Dallas, TX)
22. 38.118.143  cogentco.com - infinology.com (Goleta, CA)
23. 66.118.180  sagonet.com (Tampa, FL)
24. 216.99.99   nutnbut.net - pntsi.ca (London, ON, CA)
25. 66.111.40   unitedcolo.com aka sagonet.com (San Francisco, CA)
26. 66.70.114   datapipe.com (Hoboken, NJ)
27. 66.111.33   unitedcolo.com aka sagonet.com (San Francisco, CA)
28. 209.50.253  servint.com (McLean, VA)
29. 219.109.197 tcn-catv.ne.jp (Tokyo, JP)
30. 66.205.219  cetnetworks.com (Redwood City, CA)
31. 63.246.131  unitedcolo.com aka sagonet.com (San Francisco, CA)
32. 61.220.193  hinet.net (Taipei, TW)
33. 38.112.199  cogentco.com - daicahosting.com/daica.com (Tampa, FL)
34. 66.111.35   unitedcolo.com aka sagonet.com (San Francisco, CA)

MFN/AboveNet blocking pac-rim.net/spamshield.org MX

2003-07-07 Thread Kai Schlichting

Coming back from my vacation, I had to discover that some losers
(who, no doubt, had something to lose as far as their hijacked IP space
is concerned) have attempted to DoS the MX for pac-rim.net/spamshield.org
by sending a few 100,000 spams with randomized @pac-rim.net return
addresses around June 25/26th, and us seeing 10,000's of bounces
generated by misbehaving mail hosts that bounce to MAIL FROM: addresses
sometime after their mail back-end decides that the recipients don't
exist (nice AOL-style abuse amplifier, just un-AOL-like unthrottled).

At the same time, MFN/Above.net seems to have null0'd 208.241.101.2 (in
response to that? we have yet to see a SINGLE complaint/forwarded copy),
thus denying transit of all their non-multihomed downstreams (or those
that transit through them to the UUnet /10 aggregate this IP lives in)
to our MXs, as well as the SpamShield.org website and the private
SpamShield DNSBL zone origin host.

While we have to suffer constantly under attempts of unlawful trespass
originating from MFN/Above.net's customers, with never a peep of a follow-up
after the auto-reply coming back from [EMAIL PROTECTED] (and in quite a few
cases with such trespass continuing unabated) we've never bothered
to null0 more than a surrounding /22 for such abuse for more than a
brief amount of time (1-3 days max). Whoever is wielding 'enable' power at
MFN/AboveNet may want to re-think what abuse actually is - and may
want to consult with his boss at this time whether it was appropriate to
block a DoS victim's MX without contacting same beforehand.

Meanwhile it seems that it took Above.net a LOT longer to null0 hijacked
IP space (like: a couple weeks) announced from customer AS 26891 than it
took them to null0 a /32 they seemed to perceive as a threat that isn't
paying them:

# routes (20030515):
# 199.120.163.0/24 from AS: 26891 (upstreams: 6461),
# 199.120.164.0/24 from AS: 26891 (upstreams: 6461),
# 199.166.200.0/22 from AS: 26891 (upstreams: 6461),
# 199.201.151.0/24 from AS: 26891 (upstreams: 6461),
# 199.201.152.0/24 from AS: 26891 (upstreams: 6461),
# 204.19.162.0/24 from AS: 26891 (upstreams: 6461 23352),
(all gone now)

Waiting for AboveNet/MFN's mail on this - and no, renumbering the host
to another IP number would be too annoying.

bye,Kai




sonet:~# tcptraceroute -s 208.241.101.2 whois.gandi.net
Selected device exp0, address 208.241.101.2, port 58193 for outgoing packets
Tracing the path to whois.gandi.net (80.67.173.20) on TCP port 80, 30 hops max
[...]
 4  0.so-1-1-0.XL2.NYC1.ALTER.NET (152.63.19.98)  10.150 ms  8.815 ms  10.136 ms
 5  0.so-7-0-0.XL2.NYC8.Alter.Net (152.63.0.37)  13.199 ms  11.889 ms  12.103 ms
 6  0.so-3-0-0.XR2.NYC8.ALTER.NET (152.63.19.34)  16.530 ms  13.251 ms  11.268 ms
 7  182.ATM6-0.BR1.NYC8.ALTER.NET (152.63.23.173)  8.762 ms  7.053 ms  10.339 ms
 8  * * *
 9  * * *
^C

sonet:~# tcptraceroute -s another.address.on.the.same.box whois.gandi.net
Selected device exp0, address x.x.x.x, port 58185 for outgoing packets
Tracing the path to whois.gandi.net (80.67.173.20) on TCP port 80, 30 hops max
[...]
 4  0.so-1-1-0.XL2.NYC1.ALTER.NET (152.63.19.98)  9.631 ms  8.728 ms  10.066 ms
 5  0.so-7-0-0.XL2.NYC8.Alter.Net (152.63.0.37)  9.621 ms  8.731 ms  10.017 ms
 6  0.so-3-0-0.XR2.NYC8.ALTER.NET (152.63.19.34)  9.663 ms  8.736 ms  10.131 ms
 7  182.ATM5-0.BR1.NYC8.ALTER.NET (152.63.23.77)  19.588 ms  9.054 ms  10.067 ms
 8  200.atm6-0.pr1.lga2.us.mfnx.net (208.184.231.245)  29.625 ms  36.590 ms  29.811 ms
 9  so-2-2-0.cr2.lga2.us.mfnx.net (216.200.127.169)  49.795 ms  35.010 ms  29.780 ms
10  so-0-0-0.cr2.lga1.us.mfnx.net (208.184.232.197)  49.766 ms  28.664 ms  39.752 ms
11  so-6-0-0.cr2.lhr3.uk.above.net (64.125.31.181)  99.797 ms  103.668 ms  99.700 ms
12  so-0-0-0.cr1.lhr3.uk.above.net (208.184.231.145)  109.793 ms  108.402 ms  99.705 ms
13  pos12-0.cr1.cdg2.fr.above.net (64.125.31.130)  109.857 ms  107.870 ms  109.774 ms
14  pos0-2.er1a.cdg2.fr.above.net (208.184.231.205)  109.799 ms  108.622 ms  109.779 ms
15  gitoyen-voltaire-gw.gitoyen.net (62.4.73.30)  119.632 ms  111.625 ms  109.781 ms
16  80.67.168.6 (80.67.168.6)  129.879 ms  119.700 ms  109.803 ms
17  jd.gandi.net (80.67.173.20) [open]  109.893 ms  1.390 ms  119.798 ms




Re: Etiquette and rules regarding Hijacked ASN's or IP space?

2003-06-09 Thread Kai Schlichting

On 6/9/2003 at 4:06 PM, "Christopher L. Morrow" <[EMAIL PROTECTED]> wrote:


> Sure, you are announcing 196.1.1.0/24 and only that, fine, but are you
> allowed to announce that prefix? Are you "Centre for Monitoring Indian
> Economy" ?? Or is this your direct customer and you are just the sat-link
> provider for him?

Being able to answer such 64,000-dollar-questions with authority is the
issue ARIN's registry operations are facing, pass or fail. And you can
take that literally: the recent hijacking events have put ARIN's rules,
procedures and current registry data so much into question - it'll be
(do || die) for them. The inherited Internic data going back almost 20
years doesn't help things. Indeed, I think that any and all legacy
assignments should be purged, like the old Usenet, one by one. Some
things that could be done:

- contact all owners of IP space or ASNs with a demand to show legal, notarized
  paperwork showing their company's status as incorporated/active, and/or
  legal successor to the original registrant. Gotta use those 7 years of
  business records you're required to hold for something!

- non-announced IP space with defunct contacts: -> reserved status, no
  AS may route those, until resolved per above

- non-announced IP space with working contacts: email to POC every
  30 days with the legal demands (email/paper mail). After 90 days:
  network set to 'reserved' status, no AS may announce these,
  until resolved per above.

- announced IP space: announcing AS to be contacted in addition to POC
  for the network object. For AS's in violation, this shall mean that
  all upstream ASs as visible at popular exchange points should be
  contacted (at least once) as well.

- announcing AS's that violate the 'do not announce' rule shall be
  dealt with in ways similar to the non-cooperating entities described in:
  http://www.arin.net/policy/2003_1.html - they will get their own network
  objects suspended.

- complete publicly accessible list of all 'reserved' networks - the
  DNSBLs and private BGP blackhole feeds will do the rest.
  Wouldn't you want to know how quiet your inbox can be, when you
  have a BGP4 blackhole feed with SPEWS L1 as the source...




Re: receiving spam to NANOG-harvested archive message-id's

2003-05-27 Thread Kai Schlichting

On 5/27/2003 at 3:26 PM, I wrote:


> Speaking of the archives: www.nanog.org makes no reference to the list
> archives at http://www.nanog.org/email.html any longer - where did they
> go? humans finding and using it is desirable :) (rather than illegal web
> harvesters)

Thanks to a number of people, including List-Mom, that have pointed me to the
right location:
http://www.nanog.org/mailinglist.html and from there:
http://www.cctec.com/maillists/nanog/index.html
http://www.merit.edu/mail.archives/nanog/

It appears that http://www.nanog.org/isp.html is freshly redesigned and
is not (yet) linking to the above page.

And no, the archives have the headers stripped. Can't see the Message-ID's
there. Hmm.




receiving spam to NANOG-harvested archive message-id's

2003-05-27 Thread Kai Schlichting

I have received spam to a [EMAIL PROTECTED] address belonging
to a post to NANOG 2 years ago:

 Date: Fri, 18 May 2001 13:59:06 -0400
 From: Kai Schlichting <[EMAIL PROTECTED]>
 Message-ID: <[EMAIL PROTECTED]>
 To: [EMAIL PROTECTED]
 Subject: mobile.att.net MX meltdown

Speaking of the archives: www.nanog.org makes no reference to the list
archives at http://www.nanog.org/email.html any longer - where did they
go? humans finding and using it is desirable :) (rather than illegal web
harvesters)




Re: RIPE Down or DOSed ?

2003-02-28 Thread Kai Schlichting

On 2/27/2003 at 9:58 PM, [EMAIL PROTECTED] wrote:

> ...
> NetRange:   69.6.0.0 - 69.6.63.255
> CIDR:   69.6.0.0/18
> NetName:WHOLE-2
> NetHandle:  NET-69-6-0-0-1
> Parent: NET-69-0-0-0-0
> NetType:Direct Allocation
> NameServer: NS1.WHOLESALEBANDWIDTH.COM
> NameServer: NS2.WHOLESALEBANDWIDTH.COM
> ...

> Where are the swips?  The rest of that record makes no mention of an
> rwhois server.  Doing a bunch of whois requests for IPs in that block, I
> found only one swip (for a /21).  I realize the ARIN regs don't seem to
> require that reassignment info be made available to the public (just to
> ARIN), but using your innocent customers (if there are any) as a shield to
> hide your spammer customers is just wrong.  Should I block 69.6.4.0/24
> from sending email into my systems?  69.6.0.0/18?

Correct answer: the /18, and then some.

Oh, how you wished you hadn't posted this to the list (and Cc:'d
wholesalebandwidth.com on it), but chosen reply-to-poster :)

Random example from this block appearing in my rejects:
http://www.openrbl.org/lookup?i=69.6.4.153 or: "I see red!"

Extended answer directly from my auto-complaint override map:

 'as:26956' => 'as:17054,isp:cogent', # netfreeinc.com/wholesalebandwidth.com - rogue AS
 'as:11938' => '[EMAIL PROTECTED],isp:verio', # wholesalebandwidth.com - rogue AS
 'as:17054' => '[EMAIL PROTECTED],isp:genuity,[EMAIL PROTECTED],isp:gblx', # e-xpedient.com - rogue AS?

Anything announced out of 26956 and 11938 goes straight to the sendmail
access file here, and given the various pointers from OTHER rogues back
to 17054, e-xpedient.com routes will be there RSN, too.


And if you thought /18 is a big block in spammer-hand, go check out various
DNSBLs for listings and the history of AS's announcing portions of:

142.105.0.0/16
162.73.0.0/16
160.122.0.0/16
157.156.0.0/16
138.121.0.0/16
160.116.0.0/16
144.176.0.0/16
146.100.0.0/16



Re: RIPE Down or DOSed ?

2003-02-27 Thread Kai Schlichting

On 2/27/2003 at 1:44 PM, [EMAIL PROTECTED] (Will Yardley) wrote:

> There is no public access to rwhois.level3.net (it worked at one point,
> but, according to Level3, not intentionally). They say that they don't
> have to make this information available to anyone except ARIN. I was
> always under the impression that delegations had to be publicly visible,
> but looking at ARIN's policy more closely, it seems that the information
> only has to be available to ARIN.

Secrecy over a public resource = no oversight = facilitator of abuse.

It has worked as long as I can remember, and them intentionally
shutting it off is completely against letter and spirit of
ARIN's allocation policy: rwhois, or SWIP delegations, but not
"none of the above". 7018 realized this for 12.0.0.0/8 at some
point.

Why do I get the distinct feeling that this "move" by Level3 is
aimed not at creating greater customer privacy (it never served
POC email addresses), or protecting themselves from getting their
customer base poached by other providers, but at preventing
people from identifying spamming Level3 customers (of which they
seem to have 100's) by organization name and being able to
correlate activity from different netblocks of theirs.

So instead of select prefixes, most longer than /24 appearing in
the various DNSBLs that do manual listing "by organization"
(Spamhaus SBL, SPEWS, Wirehub), Level3 customers can now look
forward to /24 to /17 knock-outs that should absolutely positively
cover the hiding criminal scum they so willingly receive money
from. And then some. If you are a Level3 customer using Level3
IP space, you might want to expeditiously insist that your IP space
delegation appears at whois.arin.net properly, or else consider
a new network provider or buying yourself your own /16 on the
grey market^W^W^W^Wacquire a defunct company with a mostly
unused /16.

What did Randy once say?
"I welcome my competitors running their networks this way"
(paraphrased)



Re: RIPE Down or DOSed ?

2003-02-27 Thread kai

And on a related topic (whois.ripe.net almost unreachable, along with
the rest of RIPE): rwhois.level3.net:4321 has been MIA or AWOL for
about 4 days: Level3 was informed, but seems to have some good reasons
of their own not to fix this.

$ telnet rwhois.level3.net 4321
Trying 209.244.1.179...
telnet: Unable to connect to remote host: Connection refused



Staten Island refinery fire

2003-02-21 Thread Kai Schlichting

News reports say that about 10:10am EST, a refinery (Mobile Port) at the
channel between New Jersey and Staten Island caught fire due to a propane
barge explosion:
When I passed by the Verrazano Narrows bridge (on the other side of S.I.,
towards Brooklyn) at around 10:25am, there was a GIANT plume of smoke
rising at least several miles into the air before being blown by the wind
in south/south-eastern direction. www.news12.com and
www.ny1.com are completely slashdotted right now, with www.cnn.com having
slowed to a crawl.




Re: att.net email issues?

2003-01-27 Thread kai

Now that the noise level (SQLSlammer) is down:

It looks like AT&T put the finger back into the dike on this for now:
You don't really want your customer service call center get flooded by
two issues at once:

http://www.internet-magazine.com/news/view.asp?id=3110


On 1/24/2003 at 7:16 PM, [EMAIL PROTECTED] wrote:

> In the good old days, when network engineers used VT100 terminals and 300
> baud (not bps) acoustic modems, ftp.uu.net enforced the requirement for
> "valid" reverse and forward DNS entries for anonymous FTP access.

It was the single most important source for files on the Internet, along
with maybe SIMTEL-20 : you couldn't get around it, no matter how hard you
tried.

Fast forward 10 years: would you even dare to put "HostnameLookups yes"
into your Apache config? Not if you don't feel like having well-populated
DNS caches useful to you for some other purpose, you don't. A purely
operational configuration choice.

> Doesn't anyone else find it funny when people scream that ISPs should
> block ports and shoot people with misconfigured systems; yet when
> an ISP actually does enforce even a modest requirement; people start
> screaming how unfair or stupid that ISP is for doing that.

We sure all hate tracerouting through APNIC space, and seeing up to 12
routers in a row without reverse DNS - to the point where one could
believe that no one in Korea ever heard of the in-addr.arpa zone :

Apart from AT&T having the "left hand/right hand" (hypocritical) problem
with being service providers to spammers on one hand, and aching under
the receiving load of it on the other: Good intentions, but failed to
even do a basic Google search to see how other people fared with this,
let alone running a test and labelling incoming mails rather than
blocking them.

Now to toss a bit more oil into the fire: "unknown.level3.net" ,
anyone ? And remember: it's not negligence, it's Level3's secret
"handshake", telling you that the block in question should be
filtered by you at any cost :)




Re: att.net email issues?

2003-01-24 Thread kai

On 1/24/2003 at 2:40 AM, [EMAIL PROTECTED] wrote:


> Chris at UUNet help determine this is a rDNS issue.  att.net seems to have
> started rejecting email from mail servers that don't have a proper reverse
> DNS entry.  This is a good thing, even though it is causing me some problems
> at the moment.  Thanks Chris.

> -Jim P.

The question is: is that a knee-jerk reaction to them getting clobbered by
spam, or maybe a knee-jerk reaction for receiving "too much" mail ABOUT
their customers to [EMAIL PROTECTED] ?

Example: 12.158.240.0/23, 12.42.172.0/22, 12.158.224.0/23, 12.158.234.0/23,
12.158.236.0/23:

Jan 24 16:11:03 sonet sendmail[7]: NOQUEUE: ruleset=check_relay, arg1=if1.dlyforyourinfo.com, arg2=12.158.240.237, relay=if1.dlyforyourinfo.com [12.158.240.237], reject=550 NETBLOCK for CBB/cotennet.com - access for jpmailer.com denied - perpetual mail to non-existing users - Spammers must die.

Upon complaint re: this spamhaus continuing to connect here:

The original message was received at Fri, 24 Jan 2003 16:11:09 -0500 (EST)
from root@localhost

   - The following addresses had permanent fatal errors -
[EMAIL PROTECTED]

   - Transcript of session follows -
... while talking to gateway2.att.net.:
<<< 550 208.241.101.2 must be verifiable in DNS
... while talking to gateway3.att.net.:
>>> QUIT
<<< 550 208.241.101.2 must be verifiable in DNS
... while talking to gateway1.att.net.:
>>> QUIT
<<< 550 208.241.101.2 must be verifiable in DNS
554 [EMAIL PROTECTED] Service unavailable

(a temporary failure due to renumbering)
Rejecting on broken or non-existing DNS will probably reject mail from
more than 15% of all mail servers on the Internet - guaranteeing a
false positive rate not even matched by the combined 6 DNSBL's I
use - cumulative and with hard 5xx rejects. AT&T on the other hand,
will use DNSBL's when the first snowball emerges from hell unscathed.

Makes you wonder if [EMAIL PROTECTED] is missing a lotta mail today -
"gee, za eanternet w0rcks zplend1d todey, duznt eet!" -
think of http://www.despair.com/ap24x30prin.html :)

Last but not least, Level3's tolerance of spamming customers has nothing
on AT&T's ignorance of reports of DoS attacks in the form of address forgery
committed by their spamming customers, or on behalf of said customers, despite
notifying them by fax of such activity. That, and the mindless blather
you receive back from [EMAIL PROTECTED] on very rare occasions when you complain
about their customers hitting your spamtraps (dead users, rejects):
"please forward the header and full body of the spam you received".

Next: "please call 1-900-ATT-ABUSEDESK, get charged $5 for the call,
and use the authorization code given to you in the subject line of
your complaint to guarantee that your message is not shoved into /dev/null"
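
The check behind AT&T's "550 ... must be verifiable in DNS" reject, and the failure mode the post above runs into (a reject caused by DNS that was only temporarily broken during a renumbering), written out as an added example. This is not code from the original posts and not what att.net ran: it is a forward-confirmed reverse DNS (FCrDNS) classifier over a constructed in-memory zone table standing in for a resolver. The 192.0.2.x addresses and example.net/.org names are documentation values; only the if1.dlyforyourinfo.com / 12.158.240.237 pair is taken from the quoted log line.

```python
"""Forward-confirmed reverse DNS (FCrDNS) as an SMTP connect-time policy.

Added example, not code from the original posts and not what att.net ran.
It models the check behind "550 <ip> must be verifiable in DNS" and the
caveat raised in the thread: a lookup that fails because DNS is temporarily
broken (the renumbering case) must get a 4xx temp-fail, not a permanent 550.
Zone data below is a constructed in-memory table standing in for a resolver
(dnspython or the system resolver in real code).
"""
import ipaddress


class DnsTempFail(Exception):
    """Resolver timed out or answered SERVFAIL: not an authoritative 'no'."""


# Constructed PTR table: ip -> list of names; [] means authoritative NXDOMAIN,
# None means the lookup did not complete.
PTR = {
    "12.158.240.237": ["if1.dlyforyourinfo.com"],  # host/ip pair from the quoted log line
    "192.0.2.10": ["mail.example.net"],
    "192.0.2.11": ["mail.example.net"],            # PTR borrows a name that points elsewhere
    "192.0.2.12": ["relay.example.org"],
    "192.0.2.13": [],
    "192.0.2.14": None,
}
# Constructed A table: name -> list of addresses; None models SERVFAIL/timeout.
A = {
    "if1.dlyforyourinfo.com": ["12.158.240.237"],
    "mail.example.net": ["192.0.2.10"],
    "relay.example.org": None,
}


def lookup_ptr(ip):
    names = PTR.get(ip, [])
    if names is None:
        raise DnsTempFail(f"PTR {ip}")
    return names


def lookup_a(name):
    addrs = A.get(name, [])
    if addrs is None:
        raise DnsTempFail(f"A {name}")
    return addrs


def fcrdns(ip, ptr_lookup=lookup_ptr, a_lookup=lookup_a):
    """Classify a client address.

    ("pass", name)       some PTR name has an A record pointing back at ip
    ("fail", reason)     authoritative: no PTR, or no PTR name resolves back
    ("tempfail", reason) a lookup did not complete; the answer is unknown
    """
    ipaddress.ip_address(ip)  # reject garbage before spending DNS queries on it
    try:
        names = ptr_lookup(ip)
    except DnsTempFail as exc:
        return ("tempfail", str(exc))
    if not names:
        return ("fail", "no PTR record")
    pending = None
    for name in names:
        try:
            if ip in a_lookup(name):
                return ("pass", name)
        except DnsTempFail as exc:
            pending = str(exc)  # keep looking; another PTR name may confirm
    if pending:
        return ("tempfail", pending)
    return ("fail", "PTR name(s) do not resolve back to " + ip)


def policy_reply(ip):
    """Decision for a 'must be verifiable in DNS' policy, with the correction
    the thread argues for: 450 for DNS trouble, 550 only when the DNS answer
    is authoritative. Even an authoritative FCrDNS failure is a policy reject
    of a host that may be perfectly legitimate, which is the post's objection."""
    status, detail = fcrdns(ip)
    if status == "pass":
        return f"accept: {ip} verified as {detail}"
    if status == "tempfail":
        return f"450 {ip} DNS lookup incomplete, try again later ({detail})"
    return f"550 {ip} must be verifiable in DNS ({detail})"
```

The split between "fail" and "tempfail" is the whole point: a resolver that cannot answer has not said "no", and a gateway that maps that to 550 bounces mail from every site whose DNS is briefly broken, exactly the renumbering case quoted above.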




Re: MIA: oregon-ix.net

2002-11-20 Thread Kai Schlichting

On 11/20/2002 at 1:37 PM, Jared Mauch <[EMAIL PROTECTED]> wrote:

> I was getting dns resolver errors earlier back.

> (like the zone expired)

> it appears someone fixed something since.

> - jared

Mental note to self: never rely on results of an investigation
you did a few days ago - *gulp*

Indeed the resolver problems I had as well have triggered my email
to the list, but I had previously investigated the "disappearance"
of the network route-views.oregon-ix.net lives in - it plainly
disappeared from my own site's BGP4 views. I am receiving other
/24's out of 198.32.0.0/16 though (plenty of them), and route-flap
dampening didn't kill it. Surely not a PBMS (problem between
monitor and chair), and I expect a reaction from the NOC responsible
through the regular support channel shortly.

Thanks to Joel Jaeggli and Lucy E. Lynch from UO Academic User Services
for pointing out the man behind the curtain that is BIND :) Go Ducks!

Thanks,
bye,Kai




Re: Weird distributed spam attack

2002-11-20 Thread Kai Schlichting

On 11/20/2002 at 12:40 PM, <[EMAIL PROTECTED]> wrote:


> In addition to thousands of open relays, which are bad enough in
> their own right, there are also thousands of open proxy servers
> which a growing number of spammers have been using to launch spam 
> runs lately. I suspect that's what you're seeing. 

Almost all SMTP dictionary-crack attacks are done through open proxies,
otherwise it's a "delivery attack" carrying actual spam. Some ISPs
seem to have problems understanding the concept that log evidence
showing 200 unknown users being probed is in-your-face evidence of
illegal trespass and accessing another host/network without authorization.

Indeed, the SMTP-cracking malware that Elcomsoft (Advanced Maillist
Verifier Pro) pumps out, specifically uses "rotating proxies" to
do its illegal work. Talk about a company not worth defending, even if
it's against the DMCA. Dimitry should find himself a more ethical
employer, even if Adobe was wrong on this to begin with.

> If you aren't blocking traffic from open proxy servers via a dns 
> blacklist, I predict that you will definitely see increasingly 
> aggressive spam attacks coming in from diverse locations (although 
> the more you look at the problem, the easier it becomes to identify 
> the handful of carriers who are open proxy-tolerant).

If you don't use at least several DNSBL's, you are already DEAD from
dictionary attacks, I'd say. I have personally observed an attack against
a DS3-connected server from a single source IP, ratcheting through
2400 RCPT TO: checks in just 2-3 seconds. Yes, they are not trying to
hide very well, they are trying to crack through your mail server at
maximum speeds, with 10-25 probes per connection.

There is a demonstration patch for Sendmail to slow down the SMTP dialogue
(at the expense of keeping the process in memory too long, and long after
the attacking host disconnects) at
http://www.spamshield.org/sendmail8.9.0b5-rcpt-patch.txt
Do not use this in production, unless you really know what you are
doing and are tongue-in-cheek with Sendmail and its source: it has
several deficiencies that are obvious to a good observer (and tester)
and that may impede or render it useless to most.
I wonder if Eric ever reconsidered my suggestion (from 4-5 years ago) to
optionally drop processing arguments for a given SMTP dialogue if
the client host disconnects the TCP connection prematurely [while not
in "pipeline" mode, but the latter was not part of the argument].
This is very much Sendmail-specific, so you may ignore this.

> [I will also say that it would really be great if mail-abuse.org would
> add an open proxy listing project to complement their RSS, DUL, and
> other initiatives.]

What we really want is a DNSBL that lists SMTP dictionary-crack attacks
in real-time. The overlap of the mechanics required for running this with
other DNSBL's is obvious: Unfortunately I could only spare some expertise,
but not a whole lot of time or expenses to set something like that up
(and merge it into an existing DNSBL such as Osirusoft's as far as
day-to-day ops is concerned). Without touting my horn, SS2.0 will successfully
defend a given (OS)Sendmail (Un*x) against SMTP dictionary-cracking, distributed
or not, but other significant reasons are holding up its release right now,
in case you were going to ask.

bye,Kai
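
The two mechanics discussed in the post above, spotting a dictionary crack in the mail log (many unknown recipients from one IP in seconds, 10-25 probes per connection) and slowing the RCPT dialogue down per connection, as an added example. This is not the SpamShield code or the sendmail patch the author refers to. The log lines are constructed for the example and loosely follow the sendmail reject line quoted elsewhere in this thread; real sendmail log layout varies by version and configuration, so the regex is an assumption to adapt to your own logs.

```python
"""Detecting an SMTP dictionary attack from mail logs, plus a per-connection
RCPT tarpit policy.

Added example, not the original author's SpamShield code or sendmail patch.
SAMPLE_LOG is constructed; the regex assumes a sendmail-like reject line and
must be adapted to the real log format in use.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one proxy (203.0.113.7) ratchets through unknown users
# inside a single connection; a legitimate host (192.0.2.25) has one typo.
SAMPLE_LOG = """\
Nov 20 12:40:01 sonet sendmail[4101]: NOQUEUE: ruleset=check_rcpt, arg1=<aaron@pac-rim.net>, relay=[203.0.113.7], reject=550 5.1.1 User unknown
Nov 20 12:40:01 sonet sendmail[4101]: NOQUEUE: ruleset=check_rcpt, arg1=<abby@pac-rim.net>, relay=[203.0.113.7], reject=550 5.1.1 User unknown
Nov 20 12:40:01 sonet sendmail[4101]: NOQUEUE: ruleset=check_rcpt, arg1=<adam@pac-rim.net>, relay=[203.0.113.7], reject=550 5.1.1 User unknown
Nov 20 12:40:02 sonet sendmail[4101]: NOQUEUE: ruleset=check_rcpt, arg1=<alan@pac-rim.net>, relay=[203.0.113.7], reject=550 5.1.1 User unknown
Nov 20 12:40:02 sonet sendmail[4103]: NOQUEUE: ruleset=check_rcpt, arg1=<bob@pac-rim.net>, relay=mx.example.org [192.0.2.25], reject=550 5.1.1 User unknown
Nov 20 12:40:02 sonet sendmail[4101]: NOQUEUE: ruleset=check_rcpt, arg1=<alex@pac-rim.net>, relay=[203.0.113.7], reject=550 5.1.1 User unknown
Nov 20 12:40:03 sonet sendmail[4101]: NOQUEUE: ruleset=check_rcpt, arg1=<amy@pac-rim.net>, relay=[203.0.113.7], reject=550 5.1.1 User unknown
"""

# Assumed layout: syslog timestamp, host, sendmail[pid], ..., relay=[ip] or
# relay=name [ip], and an unknown-user reject text.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[(?P<pid>\d+)\]: "
    r".*?relay=(?:\S+ )?\[(?P<ip>[\d.]+)\].*User unknown")


def parse_unknown_rcpts(log_text):
    """Yield (timestamp, pid, relay_ip) for every unknown-recipient reject."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield (datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["pid"], m["ip"])


def find_dictionary_attacks(log_text, min_probes=5, window_s=10, per_conn=3):
    """Return {ip: summary} for relays that look like dictionary crackers.

    Either signal is enough:
      - >= min_probes unknown recipients from one IP inside window_s seconds
      - >= per_conn unknown recipients inside one connection (sendmail pid),
        the "10-25 probes per connection" pattern described in the thread
    """
    by_ip = defaultdict(list)
    for ts, pid, ip in parse_unknown_rcpts(log_text):
        by_ip[ip].append((ts, pid))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        burst, lo = 0, 0
        for hi in range(len(events)):          # sliding window over timestamps
            while (events[hi][0] - events[lo][0]).total_seconds() > window_s:
                lo += 1
            burst = max(burst, hi - lo + 1)
        conn_counts = defaultdict(int)
        for _, pid in events:
            conn_counts[pid] += 1
        worst_conn = max(conn_counts.values())
        if burst >= min_probes or worst_conn >= per_conn:
            hits[ip] = {"probes": len(events), "burst": burst,
                        "per_connection": worst_conn}
    return hits


class RcptGuard:
    """Per-connection tarpit policy: the first `free` unknown recipients cost
    nothing, every further one delays the reply by another `step` seconds,
    and past `cutoff` the connection is dropped. rcpt() returns
    (delay_seconds, drop_connection); the caller sleeps and/or disconnects.
    Delaying keeps a server process busy per attacker, the trade-off the
    thread's sendmail patch accepts, so the cutoff bounds that cost."""

    def __init__(self, free=2, step=5, cutoff=10):
        self.free, self.step, self.cutoff = free, step, cutoff
        self.unknown = 0

    def rcpt(self, user_exists):
        if user_exists:
            return (0, False)
        self.unknown += 1
        if self.unknown > self.cutoff:
            return (0, True)
        return (max(0, self.unknown - self.free) * self.step, False)


if __name__ == "__main__":
    for ip, summary in find_dictionary_attacks(SAMPLE_LOG).items():
        print(ip, summary)
```

Run against the constructed sample, only 203.0.113.7 is flagged (six probes in two seconds, all on one connection); the single bounce from mx.example.org is not. The thresholds are deliberately low for the sample; against the 2400-probes-in-3-seconds rate quoted above, any sane setting trips on the first second of the attack.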




MIA: oregon-ix.net

2002-11-20 Thread Kai Schlichting

As some of you have noticed, the BGP4 route containing the address for
route-views.oregon-ix.net has disappeared a while ago (mid-October?).
Their website seems to be gone, and I swear, I couldn't resolve
the domain for a little while just now. Has the Oregon IX been shut down?

Their route-server was probably the best-connected one, with the most
views, of any public route server I am aware of (please prove me wrong,
but do not torment me with any web-based looking glasses :) .

Nothing like having to poke around 10 other RS's to establish that
rogue AS 26212 really only has 1, 6402 and 2914 as their upstreams.




Re: Praise to XO's Security/Abuse

2002-09-09 Thread Kai Schlichting
y their customers, and continues to aid and abet these criminal
activities on a daily basis by knowingly and willingly providing service and
/dev/null'ing complaints about them - kinda like Sprintlink/Sprint aiding
and abetting their criminals^Wcustomers while committing acts of forgery,
false declaration of goods, false declaration of goods in interstate and
international commerce, criminal impersonation, falsification of business
records and business and wire fraud across state lines - only more passively.

I could point the finger in almost any direction from here.
From UnSavvy to APiss&Pee. From Uh-Oh!Net to Clueless&Witless.
From FraudLynx to VeryUglio, From Exorcism to Worldcunt.
The bigger, the more bankrupt, the more aiding and abetting.

It's 5pm: do you know who you work for?

--
"Just say No" to Spam Kai Schlichting
New York, Palo Alto, You name it Sophisticated Technical Peon
Kai's SpamShield  is FREE!  http://www.SpamShield.org
|   |
LeasedLines-FrameRelay-IPLs-ISDN-PPP-Cisco-Consulting-VoiceFax-Data-Muxes
WorldWideWebAnything-Intranets-NetAdmin-UnixAdmin-Security-ReallyHardMath




Re: verio arrogance

2002-07-18 Thread Kai Schlichting


How's THIS for Verio arrogance, going to a whole new level:

http://www.monkeys.com/anti-spam/filtering/verio-demand.ps

Details were on the SPAM-L list Wed, 17 Jul 2002  15:51:05 EDT:
Verio threatens to sue Ron Guilmette over the IP 208.55.91.59
appearing on his FormMail.pl open-proxy/formmail server DNSBL.

And given the ever-increasing number of spammers now hopping onto Verio
tells me that Verio must be well down the spiral of death (spammers seem
to be attracted by NSP's going chapter 7/11, or who are getting close),
or else the dozen-or-so automated messages going to [EMAIL PROTECTED] every
week complaining about connections (real or attempted) to hosts under
my control, and originating from their spamming customers would have shown
any results over time.

I don't need connectivity to 208.55.0.0/16. I really don't, and I have not
the slightest tolerance for litigious, small-minded, panic-lawyer-dialling
scum like this.

/etc/mail$ grep 208.55 access.local
208.55  550 Access for FormMail spam and litigious scum denied - Verio in their XXX - we block more than just 208.55.91.59 - Spammers must die - see http://www.monkeys.com/anti-spam/filtering/verio-demand.ps
/etc/mail$

PS: I also have zero tolerance for Nadine-type spam-generating, "single-opt-in",
  "87% permission-based" emailers nowadays: 2 bounces or a single mail to a
   never-existing account, and all your /24's are off into gated.conf as a
   next-hop route to 127.0.0.1. And no, they won't get around that by advertising
   /25's.

Good-bye route-prefix-filtering wars, and welcome to the war on spam,
where Null0'd /28's for filtering 'undesirables' just doesn't cut it any more.
Casualties like 10-15 bystanding rackspace.com customers with a "Nadine-
type" mailer in neighboring IP space be damned: "move your servers into a
different slum, cause da landlord's running down 'da neighborhood".

--
"Just say No" to Spam Kai Schlichting
New York, Palo Alto, You name it Sophisticated Technical Peon
Kai's SpamShield  is FREE!  http://www.SpamShield.org
|   |
LeasedLines-FrameRelay-IPLs-ISDN-PPP-Cisco-Consulting-VoiceFax-Data-Muxes
WorldWideWebAnything-Intranets-NetAdmin-UnixAdmin-Security-ReallyHardMath
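
How the access-file blocks mentioned in two of the posts above are actually expressed, as an added example: the 2003-02-28 RIPE post says "anything announced out of 26956 and 11938 goes straight to the sendmail access file", and the Verio post shows a "208.55  550 ..." entry with the remark that advertising /25's won't get around it. This is not the author's auto-complaint override map or his access.local. The sendmail access database matches the client address by leading dotted octets ("208.55" covers 208.55.0.0/16, "69.6.4" covers 69.6.4.0/24), so a prefix that is not octet-aligned has to be expanded into the aligned keys that cover it, and anything longer than /24 rounds up to the /24 it lives in. The ROUTES table is a constructed snapshot, not route-server output; only 69.6.0.0/18 and the two AS numbers come from the thread.

```python
"""Expanding prefixes announced by rogue ASNs into sendmail access-map keys.

Added example, not the author's auto-complaint override map or access.local.
ROUTES is a constructed prefix -> origin-AS snapshot; 69.6.0.0/18 and the
AS numbers 26956/11938 are the ones named in the thread, the other prefixes
are documentation ranges standing in for real announcements.
"""
import ipaddress

ROUTES = {
    "69.6.0.0/18": 26956,        # the /18 discussed in the thread
    "203.0.113.0/24": 11938,     # constructed stand-in for an 11938 prefix
    "192.0.2.128/25": 64500,     # constructed: shows the /25 round-up
    "198.51.100.0/24": 64501,    # constructed: bystander, not rogue
}
ROGUE_ASNS = {26956, 11938}


def access_keys(prefix):
    """Octet-aligned sendmail access keys covering `prefix` (IPv4 only).

    /16 -> one key "a.b"; /18 -> 64 keys "a.b.0" .. "a.b.63"; anything
    longer than /24 cannot be split by the map, so the enclosing /24 is listed.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 4 or net.prefixlen == 0:
        raise ValueError(f"cannot express {prefix} as access-map keys")
    if net.prefixlen > 24:
        net = net.supernet(new_prefix=24)
    aligned = (net.prefixlen + 7) // 8 * 8        # 8, 16 or 24
    octets = aligned // 8
    return [
        ".".join(str(sub.network_address).split(".")[:octets])
        for sub in net.subnets(new_prefix=aligned)
    ]


def access_entries(routes, rogue_asns,
                   reply="550 Access denied - prefix {prefix} announced by rogue AS {asn}"):
    """access(5)-style lines, one per key, for every prefix originated by a
    rogue AS. Sorted by prefix so the generated file diffs cleanly."""
    lines = []
    ordered = sorted(routes.items(),
                     key=lambda kv: ipaddress.ip_network(kv[0], strict=False))
    for prefix, asn in ordered:
        if asn not in rogue_asns:
            continue
        for key in access_keys(prefix):
            lines.append(f"{key}\t{reply.format(prefix=prefix, asn=asn)}")
    return lines


if __name__ == "__main__":
    print("\n".join(access_entries(ROUTES, ROGUE_ASNS)))
```

The output is meant to be appended to the access source file and rebuilt with makemap as usual. The rounding rule is the mechanical reason behind the remark about /25's: the map cannot express anything finer than a /24, so a neighbour who shares that /24 with a listed spammer is blocked with him, which is exactly the collateral the Verio post shrugs off.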