Re: Spam (un)blocking
On Thu, Apr 07, 2005 at 12:10:43AM +0200, JP Velders wrote:
> Over here in "RIPE land" so to speak, several ISP's (most notably
> FIRST members) have put a lot of effort in getting 'IRT' objects in
> the RipeDB.

Isn't it funny, how everyone always takes a "lot of efforts" reinventing
things that are there for years ...

RFC 1183 - New DNS RR Definitions (October 1990)

2. Responsible Person

   The purpose of this section is to provide a standard method for
   associating responsible person identification to any name in the DNS.

   The domain name system functions as a distributed database which
   contains many different form of information. For a particular name or
   host, you can discover it's Internet address, mail forwarding
   information, hardware type and operating system among others.

   A key aspect of the DNS is that the tree-structured namespace can be
   divided into pieces, called zones, for purposes of distributing
   control and responsibility. The responsible person for zone database
   purposes is named in the SOA RR for that zone. This section
   describes an extension which allows different responsible persons to
   be specified for different names in a zone.

networks

$ dig -x 195.30 rp
30.195.in-addr.arpa. IN RP abuse.space.net. .

or even hostnames

$ dig -x 195.30.0.8 rp
8.0.30.195.in-addr.arpa. IN RP abuse.space.net. .

It's as easy as that. (Or better would be ... if most of the software
used for managing DNS space wouldn't be broken, but would support RR
types that are nearly 15 years old).

Yeah, I know about the urban legend about the revDNS zone being dead.
And the whois databases are broken, too, and have dangling referrals
and outdated or wrong information and no common agreed upon format.
And I often have to talk to some upstream provider to get information
fixed in the whois database I could change myself with existing revDNS
delegation.

\Maex

--
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development | D-80807 Muenchen          | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is
reciprocally proportional to the amount of vacuity between the ears
of the admin"
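The RP lookup described in the message above, as an added example that is not part of the original post: it builds the in-addr.arpa names for a host and its enclosing networks, then decodes the RP mailbox name into an e-mail address (the first label is the local part, as in the SOA mailbox convention). The function names and the third sample record are constructed for illustration, and the code parses saved `dig` answer lines rather than querying DNS.

```python
import ipaddress
import re

# Constructed sample: the two answers quoted in the message (a TTL added),
# plus one invented record with an escaped dot in the mailbox local part.
SAMPLE = """\
30.195.in-addr.arpa.      86400 IN RP abuse.space.net. .
8.0.30.195.in-addr.arpa.  86400 IN RP abuse.space.net. .
9.0.30.195.in-addr.arpa.  86400 IN RP noc\\.desk.example.net. contact.example.net.
"""
RP_LINE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+RP\s+(\S+)\s+\S+$")

def reverse_names(ip):
    """in-addr.arpa names for the host, then its /24, /16 and /8."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return [".".join(reversed(octets[:n])) + ".in-addr.arpa." for n in (4, 3, 2, 1)]

def mbox_to_email(mbox):
    """RP mbox-dname -> e-mail address, or None for "." (no mailbox given)."""
    if mbox == ".":
        return None
    labels, cur, chars = [], "", iter(mbox)
    for ch in chars:
        if ch == "\\":
            cur += next(chars, "")   # escaped character stays inside the label
        elif ch == ".":
            labels.append(cur)       # unescaped dot ends a label
            cur = ""
        else:
            cur += ch
    if cur:
        labels.append(cur)
    if len(labels) < 2:
        raise ValueError("mailbox name needs a local part and a domain")
    return labels[0] + "@" + ".".join(labels[1:])

def responsible_person(ip, dig_output):
    """Most specific (owner name, e-mail) RP contact covering ip, or None."""
    answers = {}
    for line in dig_output.splitlines():
        m = RP_LINE.match(line.strip())
        if m:
            answers[m.group(1).lower()] = mbox_to_email(m.group(2))
    for name in reverse_names(ip):   # host first, then wider networks
        if answers.get(name):
            return name, answers[name]
    return None
```

Decimal `\DDD` escapes in the mailbox name are not decoded by this sketch.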
Re: Spam (un)blocking
On Apr 8, 2005 6:51 PM, Howard, W. Lee <[EMAIL PROTECTED]> wrote:
> - Because "abuse@" went to a 24x7 team, with an auto-responder, and
> (on advice of counsel and for scalability reasons) we did not reply
> to every complaint with a description of the action taken, it was
> assumed no action was taken.
>
> There's no pleasing some people, and it's a shame that not everyone
> can take the time to understand what filtering policies they're
> importing.

As long as the action does get taken you can reply to it .. nobody
says you have to reply personally to everything

Boilerplates and perl scripts exist for a particular reason, and
people demanding that you tell them in great detail how you
eviscerated your spamming customer, and then spread sackcloth and
ashes on your head and humbly begged the antispam community for pardon
[yes, seen at least some like this] are the reason

srs

--
Suresh Ramasubramanian ([EMAIL PROTECTED])
RE: Spam (un)blocking
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Daniel Senie
> Sent: Wednesday, April 06, 2005 6:43 PM
> To: JP Velders; Adam Jacob Muller
> Cc: nanog@merit.edu
> Subject: Re: Spam (un)blocking
>
> At 06:10 PM 4/6/2005, JP Velders wrote:
>
> >Over here in "RIPE land" so to speak, several ISP's (most notably FIRST
> >members) have put a lot of effort in getting 'IRT' objects in the
> >RipeDB.
>
> And this is MUCH appreciated. When trying to figure out where to send
> spam complaints, a network that's taken the time to put their abuse
> address in their records certainly appears to at least care, and so
> gets better treatment.

"Better" != "good." In past experience,

- Since the Abuse POC was "abuse@" instead of "Lee.Howard@" it
  wasn't acceptable.
- Because "abuse@" went to a 24x7 team, with an auto-responder, and
  (on advice of counsel and for scalability reasons) we did not reply
  to every complaint with a description of the action taken, it was
  assumed no action was taken.

There's no pleasing some people, and it's a shame that not everyone
can take the time to understand what filtering policies they're
importing.

YMMV

Lee
RE: Spam (un)blocking
The ARIN DB allows many points of contact types, including the abuse
contact. ARIN WHOIS reflects those registrants who choose to designate
an abuse contact.

Richard Jimmerson
Director of External Relations
American Registry for Internet Numbers (ARIN)

> > We have tech support on duty 24/7 and abuse complaints are dealt
> > with in a timely manner, so I am wondering if there is a way to
> > communicate our willingness to help in the fight against spam.
>
> Replace spam with abuse and you have something like the IRT object. ;D
>
> No doubt someone on NANOG knows what's happening with the
> ARIN version ;) (or if there will be one, if people want it, etc.)
>
> Regards,
> JP Velders
Re: Spam (un)blocking
* JP Velders:

> Over here in "RIPE land" so to speak, several ISP's (most notably
> FIRST members) have put a lot of effort in getting 'IRT' objects in
> the RipeDB.

I think you mean "Terena/TI" instead of "FIRST", although there is
some overlap.

The IRT object is mostly useless because the way it was deployed, it
too often routes complaints *away* from the actual network operators
(even if they aren't completely clueless).
Re: Spam (un)blocking
At 06:43 PM 06-04-05 -0400, Daniel Senie wrote:

Since the uptake on IRT has been slow, and after much internal
discussion, RIPE has decided to add an "abuse-mailbox" attribute.
For further details see:
https://www.ripe.net/ripe/maillists/archives/db-wg/2005/msg00015.html

-Hank

At 06:10 PM 4/6/2005, JP Velders wrote:

> Date: Wed, 6 Apr 2005 14:54:08 -0400
> From: Adam Jacob Muller <[EMAIL PROTECTED]>
> Subject: Spam (un)blocking
> [ ... ]
> Second, is there some way to mark my block of addresses is owned by
> responsible responsive system administrators.

Over here in "RIPE land" so to speak, several ISP's (most notably
FIRST members) have put a lot of effort in getting 'IRT' objects in
the RipeDB.

$ whois -h whois.ripe.net -r 194.171.31.0 | egrep '^(inetnum|remarks|mnt-irt):'
inetnum:      194.171.31.0 - 194.171.31.255
remarks:      utilized by 802.1x authenticated guests utilizing EduRoam
remarks:      see http://www.eduroam.nl/ for more information
remarks:      in case of abuse: [EMAIL PROTECTED] and [EMAIL PROTECTED]
mnt-irt:      irt-SURFnet-CERT

And this is MUCH appreciated. When trying to figure out where to send
spam complaints, a network that's taken the time to put their abuse
address in their records certainly appears to at least care, and so
gets better treatment.

That IRT object (I believe there were efforts underway for a similar
system in the ARINdb, but I haven't followed it for over a year :( )
is an object to identify the "Incident Response Team" which can be
contacted regarding certain blocks of space.

$ whois -h whois.ripe.net -r irt-SURFnet-CERT | egrep '^(irt|signature|encryption|remarks|mnt-by):'
irt:          irt-SURFNET-CERT
signature:    PGPKEY-A6D57ECE
encryption:   PGPKEY-A6D57ECE
remarks:      SURFNET-CERT is the Computer Emergency
remarks:      Response Team of SURFnet
remarks:      This is a TI accredited CSIRT
remarks:      (see http://www.ti.terena.nl/teams/level2.html)
mnt-by:       TRUSTED-INTRODUCER-MNT

More information can be found in Google, or on the FAQ by Jan Meijer:
http://www.surfnetters.nl/meijer/tf-csirt/irt-object-faq.html

> We have tech support on duty 24/7 and abuse complaints are dealt
> with in a timely manner, so I am wondering if there is a way to
> communicate our willingness to help in the fight against spam.

Replace spam with abuse and you have something like the IRT object. ;D

No doubt someone on NANOG knows what's happening with the ARIN
version ;) (or if there will be one, if people want it, etc.)

SWIPs can hold abuse contact info. Again, this is a good thing for
folks to do.
Re: Spam (un)blocking
At 06:10 PM 4/6/2005, JP Velders wrote:

> Date: Wed, 6 Apr 2005 14:54:08 -0400
> From: Adam Jacob Muller <[EMAIL PROTECTED]>
> Subject: Spam (un)blocking
> [ ... ]
> Second, is there some way to mark my block of addresses is owned by
> responsible responsive system administrators.

Over here in "RIPE land" so to speak, several ISP's (most notably
FIRST members) have put a lot of effort in getting 'IRT' objects in
the RipeDB.

$ whois -h whois.ripe.net -r 194.171.31.0 | egrep '^(inetnum|remarks|mnt-irt):'
inetnum:      194.171.31.0 - 194.171.31.255
remarks:      utilized by 802.1x authenticated guests utilizing EduRoam
remarks:      see http://www.eduroam.nl/ for more information
remarks:      in case of abuse: [EMAIL PROTECTED] and [EMAIL PROTECTED]
mnt-irt:      irt-SURFnet-CERT

And this is MUCH appreciated. When trying to figure out where to send
spam complaints, a network that's taken the time to put their abuse
address in their records certainly appears to at least care, and so
gets better treatment.

That IRT object (I believe there were efforts underway for a similar
system in the ARINdb, but I haven't followed it for over a year :( )
is an object to identify the "Incident Response Team" which can be
contacted regarding certain blocks of space.

$ whois -h whois.ripe.net -r irt-SURFnet-CERT | egrep '^(irt|signature|encryption|remarks|mnt-by):'
irt:          irt-SURFNET-CERT
signature:    PGPKEY-A6D57ECE
encryption:   PGPKEY-A6D57ECE
remarks:      SURFNET-CERT is the Computer Emergency
remarks:      Response Team of SURFnet
remarks:      This is a TI accredited CSIRT
remarks:      (see http://www.ti.terena.nl/teams/level2.html)
mnt-by:       TRUSTED-INTRODUCER-MNT

More information can be found in Google, or on the FAQ by Jan Meijer:
http://www.surfnetters.nl/meijer/tf-csirt/irt-object-faq.html

> We have tech support on duty 24/7 and abuse complaints are dealt
> with in a timely manner, so I am wondering if there is a way to
> communicate our willingness to help in the fight against spam.

Replace spam with abuse and you have something like the IRT object. ;D

No doubt someone on NANOG knows what's happening with the ARIN
version ;) (or if there will be one, if people want it, etc.)

SWIPs can hold abuse contact info. Again, this is a good thing for
folks to do.
Re: Spam (un)blocking
> Date: Wed, 6 Apr 2005 14:54:08 -0400
> From: Adam Jacob Muller <[EMAIL PROTECTED]>
> Subject: Spam (un)blocking
> [ ... ]
> Second, is there some way to mark my block of addresses is owned by
> responsible responsive system administrators.

Over here in "RIPE land" so to speak, several ISP's (most notably
FIRST members) have put a lot of effort in getting 'IRT' objects in
the RipeDB.

$ whois -h whois.ripe.net -r 194.171.31.0 | egrep '^(inetnum|remarks|mnt-irt):'
inetnum:      194.171.31.0 - 194.171.31.255
remarks:      utilized by 802.1x authenticated guests utilizing EduRoam
remarks:      see http://www.eduroam.nl/ for more information
remarks:      in case of abuse: [EMAIL PROTECTED] and [EMAIL PROTECTED]
mnt-irt:      irt-SURFnet-CERT

That IRT object (I believe there were efforts underway for a similar
system in the ARINdb, but I haven't followed it for over a year :( )
is an object to identify the "Incident Response Team" which can be
contacted regarding certain blocks of space.

$ whois -h whois.ripe.net -r irt-SURFnet-CERT | egrep '^(irt|signature|encryption|remarks|mnt-by):'
irt:          irt-SURFNET-CERT
signature:    PGPKEY-A6D57ECE
encryption:   PGPKEY-A6D57ECE
remarks:      SURFNET-CERT is the Computer Emergency
remarks:      Response Team of SURFnet
remarks:      This is a TI accredited CSIRT
remarks:      (see http://www.ti.terena.nl/teams/level2.html)
mnt-by:       TRUSTED-INTRODUCER-MNT

More information can be found in Google, or on the FAQ by Jan Meijer:
http://www.surfnetters.nl/meijer/tf-csirt/irt-object-faq.html

> We have tech support on duty 24/7 and abuse complaints are dealt
> with in a timely manner, so I am wondering if there is a way to
> communicate our willingness to help in the fight against spam.

Replace spam with abuse and you have something like the IRT object. ;D

No doubt someone on NANOG knows what's happening with the ARIN
version ;) (or if there will be one, if people want it, etc.)

Regards,
JP Velders
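The two-step lookup in the message above (inetnum, then the irt object its mnt-irt names), as an added example that is not part of the original post: it parses saved whois output into objects and follows the reference, matching names case-insensitively because the quoted output refers to `irt-SURFnet-CERT` while the object is named `irt-SURFNET-CERT`. The function names, the `e-mail:` contact attribute and its value are assumptions made for illustration.

```python
# Constructed sample in the shape of the whois output quoted above; the
# e-mail value is invented and "e-mail:" is assumed as the irt contact field.
SAMPLE = """\
% comment lines from the server start with a percent sign
inetnum:      194.171.31.0 - 194.171.31.255
remarks:      utilized by 802.1x authenticated guests
              utilizing EduRoam
mnt-irt:      irt-SURFnet-CERT

irt:          irt-SURFNET-CERT
e-mail:       cert@example.net
signature:    PGPKEY-A6D57ECE
mnt-by:       TRUSTED-INTRODUCER-MNT
"""

def parse_rpsl(text):
    """Split whois output into objects, each a list of (attribute, value)."""
    objects, current = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(("%", "#")):
            continue                              # server comment
        if not raw.strip():                       # blank line ends an object
            if current:
                objects.append(current)
            current = []
        elif raw[0] in " \t+" and current:        # continuation line
            attr, value = current[-1]
            current[-1] = (attr, (value + " " + raw[1:].strip()).strip())
        elif ":" in raw:
            attr, _, value = raw.partition(":")   # split on the first colon only
            current.append((attr.strip().lower(), value.strip()))
    return objects

def irt_contacts(whois_text):
    """For each inetnum, list (range, mnt-irt name, e-mails of that irt)."""
    objects = parse_rpsl(whois_text)
    # Object names compare case-insensitively, so key the irt objects
    # by their lower-cased name before resolving mnt-irt references.
    irts = {obj[0][1].lower(): obj for obj in objects if obj[0][0] == "irt"}
    found = []
    for obj in objects:
        if obj[0][0] != "inetnum":
            continue
        for attr, ref in obj:
            if attr == "mnt-irt":
                mails = [v for a, v in irts.get(ref.lower(), []) if a == "e-mail"]
                found.append((obj[0][1], ref, mails))
    return found
```

An empty e-mail list for a range means its mnt-irt reference did not resolve to an irt object in the supplied text.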
Re: Spam (un)blocking
On Wednesday 06 April 2005 13:54, Adam Jacob Muller wrote:
> Hi,
> I'm a network operator at a small hosting company that has about a /20
> slice of IP addresses. Recently we have suffered a few break-ins (and
> some fraud) which caused a large quantity of spam to find it's way onto
> the internet.
> This has resulted in some of our network space being listed in several
> DNS blacklists, and being blacklisted by individual ISPs.
> So my question is this.
> Firstly, what is the best way to remove myself from each of these
> blacklists, if there is anything aside from going to each one
> individually and saying "i'm not spamming anymore".
> Second, is there some way to mark my block of addresses is owned by
> responsible responsive system administrators.
> We have tech support on duty 24/7 and abuse complaints are dealt with
> in a timely manner, so I am wondering if there is a way to communicate
> our willingness to help in the fight against spam.
>
>
> Thanks,
> Adam Jacob Muller

Adam,

As JD already mentioned, many will most probably go away within a few
days if there is not other "spam" from the IP space to keep the entry
active. Quite a few have web space, so if you know the BL that is
blocking, you might look and see if there are "remove"
instructions/capability.

Only other thing I can think of would be to register your domain(s)
with abuse.net. Personally that is one of the first places I check
domains against (if they have a "valid" abuse address) then I report
first and block second or third. (meaning if the spam continues after
reporting)...

--
Larry Smith
SysAd ECSIS.NET
[EMAIL PROTECTED]
Re: Spam (un)blocking
On 04/06/05, Adam Jacob Muller <[EMAIL PROTECTED]> wrote:

> Firstly, what is the best way to remove myself from each of these
> blacklists, if there is anything aside from going to each one
> individually and saying "i'm not spamming anymore".

Right now, that's about it -- but many folks only do temporary
blocking based on recent traffic patterns, so you can also just wait
a few days and I bet some of the problem will go away.

> Second, is there some way to mark my block of addresses is owned by
> responsible responsive system administrators.

If there was, the spammers would be the first to adopt it.

> We have tech support on duty 24/7 and abuse complaints are dealt with
> in a timely manner, so I am wondering if there is a way to communicate
> our willingness to help in the fight against spam.

http://www.maawg.org/ is probably the best industry group focused on
these issues right now.

--
J.D. Falk                As a carpenter bends the seat of a chariot
<[EMAIL PROTECTED]>      I bend this frenzy round my heart.