Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-29 Thread Steve Linford
From Ben Browning, received 29/6/04, 9:56 am -0700 (GMT):
> Steve Linford wrote:
>> The statement by Ben Browning: "I know several businesses who have,
>> and a great many people who have blocked UUNet space from sending
>> them email ... by using ... the SBL" is false, the SBL has never
>> blocked UUNet/MCI IP space that wasn't directly in the control of
>> spammers. If Mr Browning does indeed know "several businesses and a
>> great many people" whose UUNet/MCI IP space has been blocked by the
>> SBL, then Mr Browning knows several spam outfits and a great many
>> spammers.
> Let me rephrase: I know several businesses and a great many people who
> block *parts* of UUNet by the SBL and *larger* parts of it by means
> of SPEWS, blackholes.us, et al.

I obviously read more into it than you meant, sorry (I thought you
were implying we were blocking MCI IPs above and in addition to IPs
belonging to spammers, something we try hard not to do).

> Regardless, the SBL does block *some* UUNet space, much of
> which (according to responses here) no longer belongs to the
> spammers.

That's correct. At a guess I'd say possibly even 20% of our MCI 
listings are stale, and we don't know which ones. Without illegally 
scanning the MCI IPs to see what's running there we have very little 
way of knowing which spammers are departed or not, because MCI/UUNet 
Abuse will not tell us.

Unlike listings of normal providers which tend to manage themselves, 
MCI SBL listings continue to grow in number and are removed either 
because they've reached their time-out setting or because someone 
higher up yells and the Abuse guys get their fingers out. We see 
things start to happen when Christopher Morrow gets involved, but 
they soon revert if he's not chasing them. Vint Cerf is now aware of 
the situation so perhaps more might begin to move and we may soon see 
those MCI listings drop down, and maybe a refresh of MCI's AUP 
enforcement.

Thanks for voicing your opinion with MCI.
--
  Steve Linford
  The Spamhaus Project
  http://www.spamhaus.org


Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-29 Thread Ben Browning
Steve Linford wrote:
> The statement by Ben Browning: "I know several businesses who have,
> and a great many people who have blocked UUNet space from sending
> them email ... by using ... the SBL" is false, the SBL has never
> blocked UUNet/MCI IP space that wasn't directly in the control of
> spammers. If Mr Browning does indeed know "several businesses and a
> great many people" whose UUNet/MCI IP space has been blocked by the
> SBL, then Mr Browning knows several spam outfits and a great many
> spammers.

Let me rephrase: I know several businesses and a great many people who
block *parts* of UUNet by the SBL and *larger* parts of it by means of
SPEWS, blackholes.us, et al.

Regardless, the SBL does block *some* UUNet space, much of
which (according to responses here) no longer belongs to the spammers.

Sorry for any confusion my poor choice of words may have caused.
--
   Ben Browning <[EMAIL PROTECTED]>
  The River Internet Access Co.
 WA Operations Manager
1-877-88-RIVER  http://www.theriver.com


Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-27 Thread Doug White

:
: A simple "these statements are untrue, please contact me off list for the
: truth" is hardly unreasonable.
:
:
:
Unfortunately a restriction such as that on this list defeats the atmosphere of
openness and education for those who may be reading, but not necessarily
posting to the list.  Educating users, even if some of the subscribers are the
choir should be our collective goal.  In my case not all the conversations
(threads) on this list are pertinent to my operations but I still read them
all, and am educated from time to time as well, which makes it worth the
effort.  IMHO.

What I don't like to read are personal attacks or arrogance to the extreme.

Doug



Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-27 Thread Tom (UnitedLayer)

On Sat, 26 Jun 2004, Richard Welty wrote:
> On Sat, 26 Jun 2004 10:50:12 -0700 (PDT) "Tom (UnitedLayer)" <[EMAIL PROTECTED]> 
> wrote:
> > The big deal is that spam complaining/etc is not operational content, and
> > there are several other lists to handle that sort of thing.
>
> but then, individuals get 1 free shot at saying things that are in
> some cases not true about spamhaus, and Steve is prohibited from
> attempting to correct them.

Steve can correct whomever he wants off list.
If he wants to do it on list, it better be for a good reason, no?
If the person posting the untrue information is not posting with
operational content, they should be censured as well...

A simple "these statements are untrue, please contact me off list for the
truth" is hardly unreasonable.



Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-26 Thread Richard Welty

On Sat, 26 Jun 2004 10:50:12 -0700 (PDT) "Tom (UnitedLayer)" <[EMAIL PROTECTED]> wrote:
> The big deal is that spam complaining/etc is not operational content, and
> there are several other lists to handle that sort of thing.

but then, individuals get 1 free shot at saying things that are in
some cases not true about spamhaus, and Steve is prohibited from
attempting to correct them.

hardly seems fair,
  richard
-- 
Richard Welty [EMAIL PROTECTED]
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security



Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-26 Thread Tom (UnitedLayer)

On Sat, 26 Jun 2004, Jon R. Kibler wrote:
> > I seldom post here because the couple of times I have followed-up to
> > correct wrong statements in nanog regarding Spamhaus, such as the
> > above, I have each time been told by nanog's admin that I will be
> > removed from the nanog list if I respond to any question in nanog
> > regarding Spamhaus again. But, here goes:
>
> Why would you be removed from the list for posting corrections about
> Spamhaus?

I looked back through the archives, and I did see one post which was
fairly inflammatory, but I wasn't really that excited to read
everything

The big deal is that spam complaining/etc is not operational content, and
there are several other lists to handle that sort of thing.



Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-26 Thread Jon R. Kibler
Steve Linford wrote:
> I seldom post here because the couple of times I have followed-up to
> correct wrong statements in nanog regarding Spamhaus, such as the
> above, I have each time been told by nanog's admin that I will be
> removed from the nanog list if I respond to any question in nanog
> regarding Spamhaus again. But, here goes:

Why would you be removed from the list for posting corrections about Spamhaus? 

Can the list admin or other responsible person please explain the reasoning?

It only seems fair that if someone is misrepresented by a posting on this list, they 
should be free to correct such misinformation.

Jon Kibler
-- 
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214







RE: Attn MCI/UUNet - Massive abuse from your network

2004-06-26 Thread Steve Linford
At 9:43 am -0700 (GMT) 25/6/04, Ben Browning wrote:
> At 04:00 PM 6/24/2004, Hannigan, Martin wrote:
>> [ Operations content: ] Do you know of any ISP's null routing AS701?
> ISPs? Not off the top of my head. I know several businesses who
> have, and a great many people who have blocked UUNet space from
> sending them email, either by using SPEWS, the SBL, or
> mci.blackholes.us .

I seldom post here because the couple of times I have followed-up to 
correct wrong statements in nanog regarding Spamhaus, such as the 
above, I have each time been told by nanog's admin that I will be 
removed from the nanog list if I respond to any question in nanog 
regarding Spamhaus again. But, here goes:

The statement by Ben Browning: "I know several businesses who have, 
and a great many people who have blocked UUNet space from sending 
them email ... by using ... the SBL" is false, the SBL has never 
blocked UUNet/MCI IP space that wasn't directly in the control of 
spammers. If Mr Browning does indeed know "several businesses and a 
great many people" whose UUNet/MCI IP space has been blocked by the 
SBL, then Mr Browning knows several spam outfits and a great many 
spammers.

--
  Steve Linford
  The Spamhaus Project
  http://www.spamhaus.org


Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-25 Thread Valdis . Kletnieks
On Fri, 25 Jun 2004 09:47:07 PDT, Jeff Shultz <[EMAIL PROTECTED]>  said:

> The problem with being totally open about infrastructure is that there
> are some vulnerabilities that simply cannot or will not be fixed -
> wires sometimes have to run across bridges, redundant pumping stations
> are too expensive... in these cases is it not better to hide where
> these vulnerabilities are? 

Anybody with a Rand McNally map of Manhattan can connect the dots for themselves.

Unless you're proposing that we issue Soviet-style maps that show the Brooklyn
Bridge between Williamsburg Bridge and Queens-Midtown Tunnel.

Or did you mean we should make the Brooklyn Bridge invisible so we can't
see it?  There's this magician looking for another prime-time TV special, you know???





RE: Attn MCI/UUNet - Massive abuse from your network

2004-06-25 Thread Henry Linneweh

I think that is a bit irresponsible for the simple
reason that MCI has many co-lo clients and any of
their machines could be vulnerable, I think also that
needs to be addressed so that blanket statements are
supported by fact and not the need to competitively
break a company down in hopes that you can steal away
its customer base

-Henry

--- "Tom (UnitedLayer)" <[EMAIL PROTECTED]> wrote:
>
> On Fri, 25 Jun 2004, Ben Browning wrote:
> > At 04:00 PM 6/24/2004, Hannigan, Martin wrote:
> > >[ Operations content: ] Do you know of any ISP's null routing AS701?
> >
> > ISPs? Not off the top of my head. I know several businesses who have, and a
> > great many people who have blocked UUNet space from sending them email,
> > either by using SPEWS, the SBL, or mci.blackholes.us .
>
> Do these people know how much legitimate email they're missing, for every
> spam message that's blocked?
>
> I noticed that from my personal mailbox (which I do filter with spam
> assassin), for every one legit mail that gets blocked/tagged by SPEWS,
> there's maybe 1-2 junkmails. That's not a very impressive ratio...
>



RE: Attn MCI/UUNet - Massive abuse from your network

2004-06-25 Thread Tom (UnitedLayer)

On Fri, 25 Jun 2004, Ben Browning wrote:
> At 04:00 PM 6/24/2004, Hannigan, Martin wrote:
> >[ Operations content: ] Do you know of any ISP's null routing AS701?
>
> ISPs? Not off the top of my head. I know several businesses who have, and a
> great many people who have blocked UUNet space from sending them email,
> either by using SPEWS, the SBL, or mci.blackholes.us .

Do these people know how much legitimate email they're missing, for every
spam message that's blocked?

I noticed that from my personal mailbox (which I do filter with spam
assassin), for every one legit mail that gets blocked/tagged by SPEWS,
there's maybe 1-2 junkmails. That's not a very impressive ratio...



Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-25 Thread Jerry Eyers


>Do you really think that if we publish all the insecurities of the
>Internet infrastructure that anyone is gonna stop using it, or
>business, government, and private citizens are going to quit depending
>on it?

That is a totally foolish statement in today's world.  The incentive for
fixing the problem is going to be the competition's ability to say that
they do not suffer from the specified problem.  Market forces will push
on the area of problem and force a solution.

To take away the exposure limits the incentive to fix the problem.  
Companies are not going to spend $$ on something that does not
directly affect the income.  Reporting your problems to someone
who doesn't affect the income isn't going to result in the fixing of
any problems.

One only has to look at the telephone history to see that.

Jerry


Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-25 Thread Crist Clark
Jeff Shultz wrote:
> ** Reply to message from Brad Knowles <[EMAIL PROTECTED]> on Fri,
> 25 Jun 2004 18:14:43 +0200
>
>> At 8:44 AM -0700 2004-06-25, Jeff Shultz wrote:
>>
>>> At least if someone in this "clearing house" sells it to the
>>> terrorists, they will have had to work for it a bit, instead of having
>>> us hand it to them on a silver platter, as the FCC seems to want.
>>
>> Not true.  If the information is forced to be completely in the
>> open, then everyone knows it's not insecure and no one depends on the
>> fact that it was supposed to be kept secret.  This is a case where
>> you are more secure the more open the information is -- indeed, as we
>> are in most cases, which is why we have the age-old security mantra
>> of "security through obscurity is not secure".
>
> Do you realize that the basic element of security, the password, is
> based on the entire premise you just dismissed? And yet we still use
> them - and depend on the fact that they are supposed to be kept secret.
>
> The problem with being totally open about infrastructure is that there
> are some vulnerabilities that simply cannot or will not be fixed -
> wires sometimes have to run across bridges, redundant pumping stations
> are too expensive... in these cases is it not better to hide where
> these vulnerabilities are?

Not really. Security through obscurity in some circumstances can
help, but rarely when it comes to something like that. When it
comes to wires crossing a bridge or pumping stations, anyone who
tries hard enough will find out pretty easily. You end up with
two groups knowing where the vulnerabilities are, the handful of
"good guys" who oversee the resources and the bad guys.

It strikes me as similar to the outcry from the locksmith community
when the vulnerabilities of various master key mechanisms were
widely published. Who knew about the vulnerabilities? The "good
guy" locksmiths who used the vulnerabilities to break into your
office when you lost your keys (and sold you the locks) all knew,
and the bad guys who broke into your office to steal stuff knew.
Who didn't know? The consumer who was unable to make an informed
decision about the security of the various choices of key-lock
mechanisms he had available.

So the problem with the pumping station or the wires over the
bridge are that the limited number of experts know, the bad
guys know, but other people who should know (the network engineer
judging the reliability of his links or the civil engineer
deciding the capacity for an emergency water tower for an
industrial site) may not understand the true vulnerability
of the system.

But that doesn't mean we shouldn't put a fence around the
pumping station or a padlock on the door because a key is
just "security through obscurity" through some convoluted
logic.

> The problem with your point is that even if the information is forced
> to be completely in the open, that is no guarantee that it will be
> fixed, and people _do_ depend on this stuff, regardless of its
> reliability or security.

Some things cannot be and should not be "fixed." Making the
public water supply invulnerable to earthquake damage is not
practical. Individuals have the responsibility (even if most
don't) to keep a few days supply of potable water available
in the inevitable, but unlikely on any given day, event of
a powerful earthquake.

Making various infrastructure invulnerable to every foreseeable,
let alone unforeseeable, attack is not practical either. But
those who are affected by the failure of any piece of
infrastructure need to know how reliable it is and plan
accordingly.

> Do you really think that if we publish all the insecurities of the
> Internet infrastructure that anyone is gonna stop using it, or
> business, government, and private citizens are going to quit depending
> on it?

Of course not. But they may be better able to quantify their
risks in depending on the 'Net and make contingency plans where
it is prudent. The real world is about risk management; even
the US federal government has given up on a risk avoidance
model and moved to risk management.

> Security through obscurity is not secure - but sometimes it's all you
> have.

But it is worse than nothing when you obscure the truth from
people who should know. If the vulnerability is exploited,
the impact is worse than if those who should have known had had
the ability to plan for the contingency.
--
Crist J. Clark   [EMAIL PROTECTED]
Globalstar Communications   (408) 933-4387


Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-25 Thread Eric Brunner-Williams

[EMAIL PROTECTED] wrote something like:

> Some ad hoc terrorists, in a country crawling with US troops, with a
> communications infrastructure nowhere as advanced as the USA just
> managed to coordinate a multiple bomb attack simultaneously. 

I just got back from lunch at the Wok Inn (Morrill's Corner, in scenic
Portland), where a fortune cookie museum has been added to educate the 
stand-and-waits like me. In the 13th century the dynasty established
by Genghis Khan was overthrown by a synchronized distributed program.
The synchronization mechanism was "on date/time execute plan", and the
distribution mechanism was moon cakes.

This whole thread is weird. A tunnel in Baltimore isn't exactly a big
secret anymore, and we did cover this (knowing, unknowing, and mechanism
considered harmful) in the RAVEN list that led up to rfc2804.

Oh, the "crawling with US troops" line of thought is wicked wrong. For
the few who care, point a browser at juancole.com from time to time and
read a week or so of content.

Cheers,
Eric


Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-25 Thread Jeff Shultz

** Reply to message from [EMAIL PROTECTED] on Fri, 25 Jun 2004
17:12:45 +0100

> Remember, that packet switched networking 
> originated with the desire to build a telecom
> network that could survive massive destruction
> on the scale of a nuclear war, but continue to
> function. If we apply that kind of thinking to
> planning network deployment then there should be
> little extra risk from terrorist knowing where
> the vulnerable points are. Spread the risk
> by spreading the vulnerable points.

I thought the old "nuclear survivable" argument was killed off years
ago - I seem to remember it being refuted in "Where Wizards Stay Up Late."

Packet switched networking originated with a desire to see if it would
work 

And you are welcome to assume the expense of spreading the vulnerable
points.

-- 
Jeff Shultz
A railfan pulls up to a RR crossing hoping that
there will be a train. 



Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-25 Thread Michael . Dillon

> Food for thought: Could an analyst, looking at outage reports over a
> period of time, build a schematic that would demonstrate that if you
> took out  n points, you'd kill x% of data traffic in and out of
> $pickyourmetropolitanarea? 
> 
> If this analyst were working for Bin Ladin

Yes an analyst could do this. Our job is to make sure 
that he can't get a very large x% without also requiring
a large investment in n attack points.

Consider bin Laden's organization in 2000. They
had a plan to commandeer 10 airliners and attack
10 targets in the USA including things like the CIA
headquarters. Resource constraints caused them to
back off to 4 targets. We already win because 
the targets are not all in the same city block.

Next, the attack day arrived and the 4 teams
went to work. But only two of them achieved
100% objective. One team failed entirely when
they lost control of their weapon. And the third
team hit a glancing blow to the target that
damaged less than a fifth of the building. And
it turned out that they hit a less critical part
of the Pentagon as well. This is a typical result
of a military or terrorist operation. It is very
hard to plan and execute 100% effective coordinated
attacks against a large number of targets. On
9/11 the terrorists had no problem making 4 big booms
and getting attention. But they missed the White House
entirely and only did minor damage to the military
headquarters.

Remember, that packet switched networking 
originated with the desire to build a telecom
network that could survive massive destruction
on the scale of a nuclear war, but continue to
function. If we apply that kind of thinking to
planning network deployment then there should be
little extra risk from terrorist knowing where
the vulnerable points are. Spread the risk
by spreading the vulnerable points.

> Some ad hoc terrorists, in a country crawling with US troops, with a
> communications infrastructure nowhere as advanced as the USA just
> managed to coordinate a multiple bomb attack simultaneously. 

Iraq currently has a cellphone network that is 
more advanced than the USA, i.e. it's all GSM.
But in fact, all they really needed to pull this
off was a quiet pub and some accurate watches that
could be synchronized prior to the attacks. Better
go back and watch those old spy movies again...

--Michael Dillon



Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-25 Thread Jeff Shultz

** Reply to message from Brad Knowles <[EMAIL PROTECTED]> on Fri,
25 Jun 2004 18:14:43 +0200

> At 8:44 AM -0700 2004-06-25, Jeff Shultz wrote:
> 
> >  At least if someone in this "clearing house" sells it to the
> >  terrorists, they will have had to work for it a bit, instead of having
> >  us hand it to them on a silver platter, as the FCC seems to want.
> 
>   Not true.  If the information is forced to be completely in the 
> open, then everyone knows it's not insecure and no one depends on the 
> fact that it was supposed to be kept secret.  This is a case where 
> you are more secure the more open the information is -- indeed, as we 
> are in most cases, which is why we have the age-old security mantra 
> of "security through obscurity is not secure".
> 

Do you realize that the basic element of security, the password, is
based on the entire premise you just dismissed? And yet we still use
them - and depend on the fact that they are supposed to be kept secret.

The problem with being totally open about infrastructure is that there
are some vulnerabilities that simply cannot or will not be fixed -
wires sometimes have to run across bridges, redundant pumping stations
are too expensive... in these cases is it not better to hide where
these vulnerabilities are? 

The problem with your point is that even if the information is forced
to be completely in the open, that is no guarantee that it will be
fixed, and people _do_ depend on this stuff, regardless of its
reliability or security. 

Do you really think that if we publish all the insecurities of the
Internet infrastructure that anyone is gonna stop using it, or
business, government, and private citizens are going to quit depending
on it? 

Security through obscurity is not secure - but sometimes it's all you
have.

-- 
Jeff Shultz
A railfan pulls up to a RR crossing hoping that
there will be a train. 



RE: Attn MCI/UUNet - Massive abuse from your network

2004-06-25 Thread Ben Browning
At 04:00 PM 6/24/2004, Hannigan, Martin wrote:
>>> On Thu, 24 Jun 2004, Ben Browning wrote:
>> this discussion anyways, is access to the internet. When the actions of a
>> downstream damage that product (IE more and more networks nullroute UUNet
>> traffic),
> [ Operations content: ] Do you know of any ISP's null routing AS701?

ISPs? Not off the top of my head. I know several businesses who have, and a
great many people who have blocked UUNet space from sending them email,
either by using SPEWS, the SBL, or mci.blackholes.us .

~Ben
---
   Ben Browning <[EMAIL PROTECTED]>
  The River Internet Access Co.
 WA Operations Manager
1-877-88-RIVER  http://www.theriver.com


Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-25 Thread Jeff Shultz

Has anyone noticed that the DHS plan is probably closer to the current
status of things than the FCC one is? 

AFAIK, Currently this information _isn't_ required to be publicly
reported. The FCC wants it to be. 

DHS would prefer that it be semi-public at best - just like Michael
Dillon wants.

Three options:
1. Status quo - no gov't reporting requirements
2. FCC proposal - completely public reporting requirements 
3. DHS proposal - limited access reporting requirements

Food for thought: Could an analyst, looking at outage reports over a
period of time, build a schematic that would demonstrate that if you
took out  n points, you'd kill x% of data traffic in and out of
$pickyourmetropolitanarea? 

If this analyst were working for Bin Ladin

Some ad hoc terrorists, in a country crawling with US troops, with a
communications infrastructure nowhere as advanced as the USA just
managed to coordinate a multiple bomb attack simultaneously. 

What could they do here with the right information? 

Should we hand them this information freely? 

At least if someone in this "clearing house" sells it to the
terrorists, they will have had to work for it a bit, instead of having
us hand it to them on a silver platter, as the FCC seems to want.  

Let the flames continue.

** Reply to message from Scott McGrath <[EMAIL PROTECTED]> on
Fri, 25 Jun 2004 11:22:51 -0400 (EDT)

> Well said sir!
> 
> Scott C. McGrath
> 
> On Fri, 25 Jun 2004 [EMAIL PROTECTED] wrote:
> 
> >
> > > From the AOL theft article:
> > >  "The revelations come as AOL and other Internet providers have
> > > ramped up their efforts to track down the purveyors of spam, which
> > > has grown into a maddening scourge that costs consumers and
> > > businesses billions of dollars a year."
> >
> > Interesting. An insider at a network operator steals
> > a copy of some interesting operational data and sells
> > it to a 3rd party with an interest in doing nasty things
> > with said data.
> >
> > And if Homeland Security really does require all outages
> > to be reported to a clearing house where only network
> > operations insiders can get access to it, then what?
> > Will someone sell this to a terrorist organization?
> >
> > Better to leave all this information semi-public as
> > it is now so that we all know it is NOT acceptable
> > to build insecure infrastructure or to leave infrastructure
> > in an insecure state. Fear of a terrorist attack is
> > a much stronger motive for doing the right thing
> > than a government order to file secret reports to
> > a secret bureaucratic agency.
> >
> > --Michael Dillon
> >

-- 
Jeff Shultz
A railfan pulls up to a RR crossing hoping that
there will be a train. 



Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-25 Thread Scott McGrath


Well said sir!

Scott C. McGrath

On Fri, 25 Jun 2004 [EMAIL PROTECTED] wrote:

>
> > From the AOL theft article:
> >  "The revelations come as AOL and other Internet providers have
> > ramped up their efforts to track down the purveyors of spam, which
> > has grown into a maddening scourge that costs consumers and
> > businesses billions of dollars a year."
>
> Interesting. An insider at a network operator steals
> a copy of some interesting operational data and sells
> it to a 3rd party with an interest in doing nasty things
> with said data.
>
> And if Homeland Security really does require all outages
> to be reported to a clearing house where only network
> operations insiders can get access to it, then what?
> Will someone sell this to a terrorist organization?
>
> Better to leave all this information semi-public as
> it is now so that we all know it is NOT acceptable
> to build insecure infrastructure or to leave infrastructure
> in an insecure state. Fear of a terrorist attack is
> a much stronger motive for doing the right thing
> than a government order to file secret reports to
> a secret bureaucratic agency.
>
> --Michael Dillon
>


RE: Attn MCI/UUNet - Massive abuse from your network

2004-06-25 Thread Smith, Donald

Michael, I agree totally. Every ISP I know of is working to combat spam.
They all have a staffed abuse desk. They all coordinate with other ISPs;
that is one of the reasons I joined this list.
I believe it's time to move this to the next level. Follow the money.
When you see spam, report it to the abuse team for the ISP the spam came
from AND report the advertiser (follow the link in the spam) to their
ISP. Getting the advertiser ($$$) site shut down will be more effective
than getting the trojaned/botted/infected PC disabled.
When spam is no longer a profitable method of advertisement then it will
end. Till then we will continue to see virii and worms add proxy ports
to allow the spammers 1000's of points to bounce their spam off of.


[EMAIL PROTECTED] GCIA 
I reserve the right to be wrong but don't exercise it too often.


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Painter
> Sent: Friday, June 25, 2004 4:11 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Attn MCI/UUNet - Massive abuse from your network
>
> ----- Original Message -----
> From: "Dr. Jeffrey Race" <[EMAIL PROTECTED]>
> To: "Smith, Donald" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Thursday, June 24, 2004 6:22 PM
> Subject: RE: Attn MCI/UUNet - Massive abuse from your network
>
> >
> > On Thu, 24 Jun 2004 21:39:26 -0600, Smith, Donald wrote:
> >
> > >I am not a lawyer. I am not aware of the law that requires uunet to
> > >go to court to prevent spammers who are not their direct customers from using
> > >their network.
> >
> > Doctrine of attractive nuisance
>
> When I worked for IBM back in the '60s, on many occasions during my 7 years
> there I heard upper management say that they were proud to be with a company
> that tried to be a "Good Corporate Citizen".
> One branch manager had a cube on his desk which had printed on each side
> the(ir) manifesto of Corporate Social Responsibility.
>
> From the AOL theft article:
>  "The revelations come as AOL and other Internet providers have ramped up
> their efforts to track down the purveyors of spam, which has grown into a
> maddening scourge that costs consumers and businesses billions of dollars
> a year."
>
> Perhaps those Corporate Citizens who can do something to ensure the
> viability of E-mail, should.
>
> --Michael


Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-25 Thread Michael . Dillon

> From the AOL theft article:
>  "The revelations come as AOL and other Internet providers have 
> ramped up their efforts to track down the purveyors of spam, which
> has grown into a maddening scourge that costs consumers and 
> businesses billions of dollars a year."

Interesting. An insider at a network operator steals
a copy of some interesting operational data and sells
it to a 3rd party with an interest in doing nasty things
with said data.

And if Homeland Security really does require all outages
to be reported to a clearing house where only network
operations insiders can get access to it, then what?
Will someone sell this to a terrorist organization?

Better to leave all this information semi-public as
it is now so that we all know it is NOT acceptable
to build insecure infrastructure or to leave infrastructure
in an insecure state. Fear of a terrorist attack is 
a much stronger motive for doing the right thing
than a government order to file secret reports to
a secret bureaucratic agency.

--Michael Dillon



Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-25 Thread Michael Painter

- Original Message - 
From: "Dr. Jeffrey Race" <[EMAIL PROTECTED]>
To: "Smith, Donald" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, June 24, 2004 6:22 PM
Subject: RE: Attn MCI/UUNet - Massive abuse from your network


>
> On Thu, 24 Jun 2004 21:39:26 -0600, Smith, Donald wrote:
>
> >I am not a lawyer. I am not aware of the law that requires uunet to
> >go to court to prevent spammers who are not their direct customers from using
> their network.
>
>
> Doctrine of attractive nuisance

When I worked for IBM back in the '60s, on many occasions during my 7 years there I
heard upper management say that they were proud to be with a company that tried to be a
"Good Corporate Citizen".
One branch manager had a cube on his desk which had printed on each side the(ir)
manifesto of Corporate Social Responsibility.

From the AOL theft article:
 "The revelations come as AOL and other Internet providers have ramped up their
efforts to track down the purveyors of spam, which has grown into a maddening scourge
that costs consumers and businesses billions of dollars a year."

Perhaps those Corporate Citizens who can do something to ensure the viability of
E-mail, should.

--Michael





Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Dr. Jeffrey Race

On Thu, 24 Jun 2004 16:27:32 +0200, Brad Knowles wrote:
>>  It is the same way credit reporting works: you mess up, you get no
>>  credit.
>   Except then you can generate yet another fake credit card and go 
>on with your life.  Do that a few thousand times a day, even -- no 
>problem.
>   The credit reporting scheme only works against people who are 
>willing to play by the rules.  Even then, it only hurts the 
>legitimate credit card holders who don't know how to fight the system.
>>  Come on guys, you are all smart engineers.   This is not rocket science.
>
>   See above.  Credit card fraud is a multi-billion dollar business. 
>When the credit card companies have figured out this problem, maybe 
>we can apply similar techniques to the spam problem.

Please, this is trivial.  You have to prove your personal identity.  What many
firms do is to require a bank to certify it.  

The credit card thievery to which you refer is done anonymously; not relevant here




RE: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Dr. Jeffrey Race

On Thu, 24 Jun 2004 21:39:26 -0600, Smith, Donald wrote:

>I am not a lawyer. I am not aware of the law that requires uunet to
>go to court to prevent spammers who are not their direct customers from using
>their network.


Doctrine of attractive nuisance




RE: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Smith, Donald

I am not a lawyer. I am not aware of the law that requires uunet to
go to court to prevent spammers who are not their direct customers from using their 
network. Spammers use many different means to send their spam. Most ISPs use AUP's to 
prevent spamming but afaik no isp has successfully sued a spammer and recovered any 
reasonable percentage of their expenses in fighting this same spam. When that becomes 
a method to pay for combating spam I am sure most ISPs will pursue it. This is a money 
issue. 

NSP/ISP have shareholders who desire a return on their investment. 

When I notify the abuse team at uunet of a spammer they act promptly shutting down any 
account that I can show is being used for spam. 

Chris is a very trusted and active member of the NSP community, to his credit is a 
detailed document on blackhole filtering one of the primary tools used by other 
NSP/ISP's for stopping bad traffic. AFAIK he can not authorize legal action against 
spammers.

[EMAIL PROTECTED] my opinions are mine and do not reflect qwest policy.

 

-Original Message-
From: Dr. Jeffrey Race
To: Smith, Donald
Cc: [EMAIL PROTECTED]
Sent: 6/24/2004 9:40 PM
Subject: RE: Attn MCI/UUNet - Massive abuse from your network

On Thu, 24 Jun 2004 19:26:10 -0600, Smith, Donald wrote:

>Are you offering to finance ISP's legal battles against spammers?

No, it's their network and their legal responsibility to keep it clean.  However
I did voluntarily prepare a case for Neil Patel to file on behalf of UUNET
under the Va computer crimes act, and he refused.  I would have been
a witness.   At this point (esp when he said the matter lay with "Mr
Ebbers", who is now up on other criminal charges) it became obvious what
was the ethical level of this firm's management.   

Jeffrey Race





RE: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Dr. Jeffrey Race

On Thu, 24 Jun 2004 19:26:10 -0600, Smith, Donald wrote:

>Are you offering to finance ISP's legal battles against spammers?

No, it's their network and their legal responsibility to keep it clean.  However
I did voluntarily prepare a case for Neil Patel to file on behalf of UUNET
under the Va computer crimes act, and he refused.  I would have been
a witness.   At this point (esp when he said the matter lay with "Mr
Ebbers", who is now up on other criminal charges) it became obvious what
was the ethical level of this firm's management.   

Jeffrey Race




RE: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Smith, Donald

Are you offering to finance ISP's legal battles against spammers?

 

-Original Message-
From: [EMAIL PROTECTED]
To: Ben Browning
Cc: [EMAIL PROTECTED]
Sent: 6/24/2004 9:16 PM
Subject: Re: Attn MCI/UUNet - Massive abuse from your network


On Thu, 24 Jun 2004 11:50:44 -0700, Ben Browning wrote:

>Likewise, I imagine MCI could argue that the damage is to their core 
>product; namely, the trust of other ISPs and their willingness to exchange 
>traffic with MCI.


This was Earthlink's argument in the case I cited in 
<http://www.camblab.com/nugget/spam_03.pdf>: their
connectivity was jeopardized by the spammer's activity.
As far as I know they prevailed.

The point is, we have not seen MCI go down valiantly on the
field of battle against the spammers in court or anywhere else.
I proposed a complete open-and-shut legal case to MCI, with
the perp's legal service address, and Neil Patel refused to take
any action.   The management's intention was clear: continue
to profit rather than take the perps to court.   All this talk about
how difficult it would be blah blah blah is just a smokescreen for
inaction

Jeffrey Race






Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Dr. Jeffrey Race

On Thu, 24 Jun 2004 21:33:35 + (GMT), Christopher L. Morrow wrote:
>This is true. The 'security' or 'safety' of the backbone is not affected
>by:
>1) portscanning by morons for openshares
>2) spam mail sending
>3) spam mail receiving
>
>(at least not to my view, though I'm no lawyer, just a chemical engineer)
>
>So, the issue of termination for this reason isn't really valid. Hence the
>off-topic-ness of this thread.

Compromise to connectivity due to harboring spammers is a security
and safety issue by any reasonable definition.  Being a vector for trojan
horse mechanisms is a security issue.  




Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Dr. Jeffrey Race

On Thu, 24 Jun 2004 11:50:44 -0700, Ben Browning wrote:

>Likewise, I imagine MCI could argue that the damage is to their core 
>product; namely, the trust of other ISPs and their willingness to exchange 
>traffic with MCI.


This was Earthlink's argument in the case I cited in 
<http://www.camblab.com/nugget/spam_03.pdf>: their
connectivity was jeopardized by the spammer's activity.
As far as I know they prevailed.

The point is, we have not seen MCI go down valiantly on the
field of battle against the spammers in court or anywhere else.
I proposed a complete open-and-shut legal case to MCI, with
the perp's legal service address, and Neil Patel refused to take
any action.   The management's intention was clear: continue
to profit rather than take the perps to court.   All this talk about
how difficult it would be blah blah blah is just a smokescreen for
inaction

Jeffrey Race




Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Dr. Jeffrey Race

On Thu, 24 Jun 2004 14:16:49 -0400, [EMAIL PROTECTED] wrote:

>I suspect that the spammer can find a lawyer who is willing to argue the idea
>that the "safety and security" of the AS701 backbone was not prejudiced by
>the spammer's actions, 

OK, let them sue.  If you are against spam, you have to stand up in 
court and say so.

Anyway all the spamming is now in violation of contracts.   These people 
would come to court with 'dirty hands' in the term of art, and the court
would not look favorably on any case they might try to make

Jeffrey Race





Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Paul Vixie

> spamhaus has gotten too aggressive.
> It's now preventing too much legitimate email.

that's funny, really funny.  s/spamhaus/maps/ or s/spamhaus/sorbs/ or indeed
look at any receiver-side filtering mechanism that gets a little traction,
and sooner or later folks will say it's too aggressive and prevents too much
legitimate e-mail.

"the internet" as a disintermediator is going to cause more things like maps
and spamhaus and sorbs to be created and to become successful/effective over
time.  the only way to remain a successful sender of e-mail is to find a way
to thread all of those needles at once, plus new ones that come along later.

same thing for anti-spam features of common MTA's.  once in a while someone
can't get e-mail to me because they don't have a DNS-PTR or DNS-MX, or
because their SMTP-HELO doesn't match their DNS-PTR, and they complain,
quite rightly, that RFC821 doesn't require them to do it and that i'm in
violation of the protocol by rejecting their e-mail.  i usually respond by
telling them my fax number.  they usually respond by changing their DNS or
SMTP configuration to conform to my violations of the protocol.  lather,
rinse, repeat.

somebody told me the other day that we couldn't implement graylisting here
because a lot of mail relays wouldn't retry for way too long, or would retry
too quickly, or would retry from a different ip address each time, or etc.
i said "our fax number is on the web page, so senders will have recourse."

spam is fundamentally an exercise in unilateral cost shifting, by advertisers
toward eyeballs, with all kinds of middlemen.  to cope with this, these costs
are going to have to be shifted elsewhere.  it would be loverly to shift them
back toward advertisers, with fines and lawsuits and lost connectivity and
increased transit disconnection/reconnection fees, but that's not working.
(compare the u.s. federal anti-spam law with california's to see what i mean.)

so, the costs are being shifted toward legitimate e-mail senders.  oh well.
if somebody can't reach you because they don't know how to thread the needle,
then send them your fax number or postal address.  getting legitimate e-mail
has to become the sender's problem, because receiver costs are too high now.

i'm not preaching that this should be so; i'm explaining that it's become so.
it's like with chris and sean not being able to disco their spewing endsystems:
just because the source-provider or transit-provider doesn't make connectivity
less available to these spewers, doesn't mean it won't become less available.
all it does is change who does it, and it usually ends up getting done by
folks whose tools aren't as sharp as the (source|transit)-provider's.

it's a very twisted variation on "you broke it, you bought it."
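
The graylisting trade-off raised in the message above, as an added example that is not part of the original post: a minimal graylist keyed on (client IP, envelope sender, recipient) that replays the three relay behaviours mentioned, retrying too quickly, retrying too late, and retrying from a different IP address each time. The class, the thresholds and the addresses are assumptions constructed for illustration.

```python
"""Triplet-based graylisting: defer the first attempt, accept a well-timed retry."""
from dataclasses import dataclass, field

DEFER = "450 4.7.1 graylisted, please retry later"   # temporary SMTP failure
ACCEPT = "250 2.0.0 ok"


@dataclass
class Graylist:
    # All three thresholds are assumptions for this example, not values from the thread.
    min_delay: int = 300              # a retry sooner than this is still deferred
    retry_window: int = 4 * 3600      # a retry later than this counts as a new first attempt
    pass_lifetime: int = 30 * 86400   # how long a proven triplet stays accepted
    first_seen: dict = field(default_factory=dict)
    passed: dict = field(default_factory=dict)

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply for one delivery attempt at time `now` (seconds)."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())

        # A triplet that already proved it retries is accepted and refreshed.
        passed_at = self.passed.get(key)
        if passed_at is not None and now - passed_at <= self.pass_lifetime:
            self.passed[key] = now
            return ACCEPT

        first = self.first_seen.get(key)
        # Unknown triplet, or a retry that arrived after the window closed:
        # record it as a fresh first attempt and defer.
        if first is None or now - first > self.retry_window:
            self.first_seen[key] = now
            return DEFER

        # Retry came back too quickly; keep the original timestamp and defer again.
        if now - first < self.min_delay:
            return DEFER

        # Retry inside the window: the sender behaves like a queueing MTA.
        del self.first_seen[key]
        self.passed[key] = now
        return ACCEPT


def simulate():
    """Replay constructed delivery attempts (documentation addresses, times in seconds)."""
    rcpt = "ops@example.net"
    scenarios = {
        # Queueing MTA: deferred once, accepted on retry and on later mail.
        "retries_after_15_min": [("192.0.2.10", 0), ("192.0.2.10", 900), ("192.0.2.10", 5000)],
        # Relay that hammers and then gives up inside the minimum delay.
        "retries_too_quickly": [("192.0.2.20", 0), ("192.0.2.20", 10), ("192.0.2.20", 60)],
        # Relay whose next attempt falls outside the retry window.
        "retries_too_late": [("192.0.2.30", 0), ("192.0.2.30", 6 * 3600)],
        # Outbound pool that uses a new source address for every attempt.
        "rotating_relay_pool": [("198.51.100.1", 0), ("198.51.100.2", 900), ("198.51.100.3", 1800)],
    }
    results = {}
    for name, attempts in scenarios.items():
        graylist = Graylist()
        sender = f"{name}@example.org"
        results[name] = [graylist.check(ip, sender, rcpt, t) for ip, t in attempts]
    return results


if __name__ == "__main__":
    for name, replies in simulate().items():
        print(f"{name:22s} {[r[:3] for r in replies]}")
```

Only the first scenario ever gets mail through; the other three are the legitimate-sender failures the post says become the sender's problem. Keying on the client's /24 rather than the full address is one common way to tolerate rotating relay pools.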


Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Paul Vixie

chris has been answering a lot of complaintage here today.  here's my omnibus:

> ...
> 2) 701 gets complaints, notifies good customer Exodus who terms the
> ...
> 13) return to step 2
> 
> This process happens repeatedly, spammers know they can get about a month
> of time (or more, depending on upstreams and hosting providers in question)
> ...

so, normal business case or risk analysis would seem to have led uunet to
put procedures in place that would try to break this loop.  for example, if
a complaint indicated that a known spammer was back downstream of as701 but
through a different customer of yours, you'd null-route their cidr block
BEFORE "notifying good customer who terminates".  all you have to do to
break this kind of loop is make it less profitable, or more expensive, for
the person who is presently benefitting from your lack of procedures.  you
don't have to stop the spam, merely reverse the shifting of costs.

but that presumes it's costing you more than you're making from it, which is
probably a very difficult business case to make to upper management.  by the
lack of ordinary cost control and risk analysis, your management team shows
their true colours.

> The 'security' or 'safety' of the backbone is not affected by:
> 
> 1) portscanning by morons for openshares
> 2) spam mail sending
> 3) spam mail receiving
> ...
> So, the issue of termination for this reason isn't really valid. Hence the
> off-topic-ness of this thread.

what about

  4) using receiver-side blackholes to make up for lack of sender-side policy

you can terminate the thread, but the fact that you and sean aren't willing
to disco spewing endsystems is leading to intentional internet instability,
and that means sooner or later, this thread will be back, just like always.
-- 
Paul Vixie


Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Tom (UnitedLayer)

On Thu, 24 Jun 2004, Ben Browning wrote:
> >you mean the phone companies we do business with?
>
> No, I mean the internet. (Hence, ISPs). Your product, in the context of
> this discussion anyways, is access to the internet. When the actions of a
> downstream damage that product(IE more and more networks nullroute UUNet
> traffic), I would assume that you have appropriate privilege to toss them
> overboard in the contracts.

I think you'll be hard pressed to find anyone running a real ISP who will
null route any/all of UUNet.

UUNet is a large organization, network wise, and people wise.
The fact that they don't have people dedicated to jumping on customers who
you consider to be spamming, should not be surprising nor expected.



Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Christopher L. Morrow


On Thu, 24 Jun 2004, Ben Browning wrote:

> At 02:36 PM 6/24/2004, Christopher L. Morrow wrote:
> >On Thu, 24 Jun 2004, Ben Browning wrote:
> >
> > >
> > > >like showing that the spammer was actually sending enough of a volume to
> > > >swamp their core routers
> > >
> > > Likewise, I imagine MCI could argue that the damage is to their core
> > > product; namely, the trust of other ISPs and their willingness to exchange
> > > traffic with MCI.
> >
> >you mean the phone companies we do business with?
>

whoops, forgot my smilies :(

> No, I mean the internet. (Hence, ISPs). Your product, in the context of
> this discussion anyways, is access to the internet. When the actions of a

I'm not sure that there are many who are wholesale null routing uunet ip
space, if they do they might be causing their customers unnecessary
outages.

> downstream damage that product(IE more and more networks nullroute UUNet
> traffic), I would assume that you have appropriate privilege to toss them
> overboard in the contracts.






RE: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Hannigan, Martin



> At 02:36 PM 6/24/2004, Christopher L. Morrow wrote:
> >On Thu, 24 Jun 2004, Ben Browning wrote:
> >

[ SNIP ]

> this discussion anyways, is access to the internet. When the 
> actions of a 
> downstream damage that product(IE more and more networks 
> nullroute UUNet 
> traffic),  


[ Operations content: ] Do you know of any ISP's null routing AS701? 


-M





Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Ben Browning
At 02:36 PM 6/24/2004, Christopher L. Morrow wrote:
>On Thu, 24 Jun 2004, Ben Browning wrote:
> >
> > >like showing that the spammer was actually sending enough of a volume to
> > >swamp their core routers
> >
> > Likewise, I imagine MCI could argue that the damage is to their core
> > product; namely, the trust of other ISPs and their willingness to exchange
> > traffic with MCI.
>
>you mean the phone companies we do business with?

No, I mean the internet. (Hence, ISPs). Your product, in the context of 
this discussion anyways, is access to the internet. When the actions of a 
downstream damage that product(IE more and more networks nullroute UUNet 
traffic), I would assume that you have appropriate privilege to toss them 
overboard in the contracts.

IANAL, though.
~Ben
---
   Ben Browning <[EMAIL PROTECTED]>
  The River Internet Access Co.
 WA Operations Manager
1-877-88-RIVER  http://www.theriver.com


Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Tom (UnitedLayer)

On Thu, 24 Jun 2004, Ben Browning wrote:
> >This is, in fact (for you nanae watchers), the reason that most of them
> >get canceled by us FASTER... Sadly, non-payment is often a quicker and
> >easier method to term a customer than 'abuse', less checks since there
> >is no 'perceived revenue' :(
>
> A revenue check has no place in abuse terminations.

That would be nice, but this is the real world.
We (presumably technical people) don't get to make all of the choices in
life. If we did, things might be a lot better, but then again maybe only
10-15% of us would still be employed :)



Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Tom (UnitedLayer)

On Thu, 24 Jun 2004 [EMAIL PROTECTED] wrote:
> But most people are happy with things the way they are. They love SPAM
> because it gives them something to complain about and get emotional
> about.

I unfortunately have to agree there.
There's a large portion of the internet who has nothing better to do than
sit around and do essentially nothing.
Be it IRC, read email, spam, complain about spam, complain about hijacked
netblocks, complain about how slow their dialup is, complain about how
slow their cablemodem is, complain about how slow their computer
is, etc...

Spammers and Spamcomplainers belong to each other, eventually they'll get
their own private intarweb, and they can torment each other directly :)



Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Paul G


- Original Message - 
From: "Christopher L. Morrow" <[EMAIL PROTECTED]>
To: "Ben Browning" <[EMAIL PROTECTED]>
Cc: "Dr. Jeffrey Race" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, June 24, 2004 5:55 PM
Subject: Re: Attn MCI/UUNet - Massive abuse from your network

--- snipped ---

> this is not entirely true, a majority of these far-end customers are
> paying the same price regardless of utilization. Even the utilization
> charged customers are not having their 95th Percentile changed because of
> spam, or that'd be my guess. In the end there is no money for mci from
> spammers.

agreed, in the majority of the cases. on the other hand, implementing the
FUSSP jrace proposed would cost mci (or any other carrier) revenue as they
would be seen as frothing-at-the-mouth fanatics that present a business risk
when used for upstream transit even for folks that run clean networks and
deal with abuse complaints properly.

and yes, it's time for this thread to die.

paul



Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Christopher L. Morrow

On Thu, 24 Jun 2004, Grant A. Kirkwood wrote:

> Ben Browning said:
> >
> 
> >
> > A lengthy timeline for action to be taken, from the viewpoint of the
> > attacked, is indistinguishable from tacit approval of the attacks. I don't
> > imagine MCI has a lengthy timeline when replying to sales email or billing
> > issues.
>
>
> You ARE kidding, right?

Sorry, I'll reply to ben's message part here: "Actually getting sales
involved is a timely process from my perspective :( I used to know a sales
person I could count on, he got RIF'd so now finding someone to help a
customer that needs an upgrade is a very difficult task."

Keep in mind, this is a very large corporation, Abuse/Security is in an
entirely different arm of the beast than the Sales/marketing folks :(
Affecting change from either direction is often times 'challenging'.

-Chris



Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Christopher L. Morrow

On Thu, 24 Jun 2004, Ben Browning wrote:

> At 11:34 PM 6/23/2004, Christopher L. Morrow wrote:
> >I'd also point out something that any provider will tell you: "Spammers
> >never pay their bills."
>
> Yes, but this is not a problem for a large carrier, as the people that
> receive it sure do. In other words, the money you lose on the spammer is
> subsidized by all the people that pay you to receive it.

this is not entirely true, a majority of these far-end customers are
paying the same price regardless of utilization. Even the utilization
charged customers are not having their 95th Percentile changed because of
spam, or that'd be my guess. In the end there is no money for mci from
spammers.

-chris


Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Grant A. Kirkwood

Ben Browning said:
>

>
> A lengthy timeline for action to be taken, from the viewpoint of the
> attacked, is indistinguishable from tacit approval of the attacks. I don't
> imagine MCI has a lengthy timeline when replying to sales email or billing
> issues.


You ARE kidding, right?


-- 
Grant A. Kirkwood - grant(at)tnarg.org
Fingerprint = D337 48C4 4D00 232D 3444 1D5D 27F6 055A BF0C 4AED



Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Christopher L. Morrow


On Thu, 24 Jun 2004, Ben Browning wrote:

>
> >like showing that the spammer was actually sending enough of a volume to
> >swamp their core routers
>
> Likewise, I imagine MCI could argue that the damage is to their core
> product; namely, the trust of other ISPs and their willingness to exchange
> traffic with MCI.

you mean the phone companies we do business with?


Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Christopher L. Morrow

First, I'd like to see this thread end, not due to the beatings, but due
to the severity of the offtopic-ness of it :) BUT... see below.

On Thu, 24 Jun 2004 [EMAIL PROTECTED] wrote:

> On Thu, 24 Jun 2004 15:22:02 +0700, "Dr. Jeffrey Race" <[EMAIL PROTECTED]>  said:
>
> > Not at all.  You can terminate for actions prejudicial to the safety and security
> > of the system.   Has nothing to do with anti-trust.
>
> I suspect that the spammer can find a lawyer who is willing to argue the idea
> that the "safety and security" of the AS701 backbone was not prejudiced by
> the spammer's actions, unless AS701 is able to show mtrg graphs and the
> like showing that the spammer was actually sending enough of a volume to
> swamp their core routers
>

This is true. The 'security' or 'safety' of the backbone is not affected
by:
1) portscanning by morons for openshares
2) spam mail sending
3) spam mail receiving

(at least not to my view, though I'm no lawyer, just a chemical engineer)

So, the issue of termination for this reason isn't really valid. Hence the
off-topic-ness of this thread.

-Chris


Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Ben Browning
At 11:34 PM 6/23/2004, Christopher L. Morrow wrote:
>I'd also point out something that any provider will tell you: "Spammers
>never pay their bills."

Yes, but this is not a problem for a large carrier, as the people that 
receive it sure do. In other words, the money you lose on the spammer is 
subsidized by all the people that pay you to receive it.

>This is, in fact (for you nanae watchers), the
>reason that most of them get canceled by us FASTER... Sadly, non-payment
>is often a quicker and easier method to term a customer than 'abuse', less
>checks since there is no 'perceived revenue' :(

A revenue check has no place in abuse terminations.
---
   Ben Browning <[EMAIL PROTECTED]>
  The River Internet Access Co.
 WA Operations Manager
1-877-88-RIVER  http://www.theriver.com


Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Ben Browning
Chris,

To start off, thank you for taking this issue seriously and investigating it.

At 08:05 PM 6/23/2004, Christopher L. Morrow wrote:
>The sbl lists quite a few /32 entries, while this is nice for blocking
>spam if you choose to use their RBL service I'm not sure it's a good
>measure of 'spamhaus size'. I'm not sure I know of a way to take this
>measurement, but given size and number of IPs that terminate inside AS701
>there certainly are scope issues.

Netmasks aside, a spammer is a spammer. One spammer sending 100,000 emails 
from 4 machines is functionally equivalent to one sending 100,000 from 1 
machine.

>All that said, I'm certainly not saying "spam is good", I also believe
>that over the last 4.5 years uunet's abuse group has done quite a few good
>things with respect to the main spammers.

That's possible, I suppose, but the view from outside sees only the bad (and 
there's plenty).

> > As an example, I see a posting that says emailtools.com was alive on
> > 206.67.63.41 in 2000. They aren't there any more... But now:
> >
> > [EMAIL PROTECTED] telnet mail.emailtools.com 25
> > Trying 65.210.168.34...
> > Connected to mail.emailtools.com.
> > Escape character is '^]'.
>
>Sure, customer of a customer we got emailtools.com kicked from their
>original 'home' now they've moved off (probably several times since 2000)
>to another customer. This happens to every ISP, each time they appear we
>start the process to disconnect them. I'm checking on the current status
>of their current home to see why we have either: 1) not gotten complaints
>about them, 2) have not made progress kicking them again.

Excellent! I (and I am sure the rest of the antispam community) will be 
looking forward to hearing how all this pans out, and I am very glad I 
could bring some of this to your attention.

> > >On Mon, 21 Jun 2004, Ben Browning wrote:
> > Allow me to rephrase- I wanted it to be read and hoped someone would act on
> > complaints. I have no doubt MCI is serious about stopping DDOS and other
> > abusive traffic of that ilk- when it comes to proxy hijacking and spamming,
> > though, abuse@ turns a blind eye. What other conclusion can I draw from the
>
>This is not true, the action might not happen in the time you'd like, but
>there are actions being taken. I'd be the first to admit that the
>timelines are lengthy :( but part of that is the large company process,
>getting all the proper people to realize that this abuse is bad and the
>offenders need to be dealt with.

A lengthy timeline for action to be taken, from the viewpoint of the 
attacked, is indistinguishable from tacit approval of the attacks. I don't 
imagine MCI has a lengthy timeline when replying to sales email or billing 
issues.

> > 200ish SBL entries under MCI's name? Why else would emailtools.com(for
> > example) still be around despite their wholesale raping of misconfigured
> > proxies?
>
>emailtools will be around in one form or another, all the owner must do is
>purchase 9$ virtual-hosting from some other poor ISP out there who needs
>the money... they may not even know who emailtools is, if that ISP is a
>uunet/mci customer then we'll have to deal with them as well, just like
>their current home. you must realize you can't just snap your fingers and
>make these things go away.

Omaha Steaks has been there for 3+ weeks (since being added to the SBL).
Scott Richter has likewise been spamming from there for a month. Do you 
need a permission slip to terminate him? Does it take a month to get one? I 
can snap my fingers many times in a month!

According to ARIN records, both of these are swipped space only one step 
below yours (IE not a customer-of-a-customer).

It's nice to say "Oh well they move around and we can't stop them", but the 
point is that if they got terminated in a timely fashion (measured in hours 
or days at the most, *not* weeks and months) they would not keep moving 
around on your network; they would find another one to abuse instead. As it 
stands, they get a month to spam, then they have to move- that's pink gold 
in spammerland.

> > All I want is a couple of straight-up answers. Why do complaints to uunet
> > go unanswered and the abusers remain connected if, in fact, the complaints
>
>I believe you do get an answer, if not the auto-acks are off still from a
>previous mail flood ;(

An auto-ack is not an answer.

>Please let me know if you are NOT getting ticket
>numbers back. They might be connected still if there were:
>1) not enough info in the complaints to take action on them

I've never been asked to furnish more info.

>2) not enough complaints to terminate the account, but working with the
>downstream to get the problem resolved

I've never been looped into this process either. What is the window you 
guys give your downstreams for ceasing such activities?

>3) action is awaiting proper approvals.

What's the timeframe on these approvals happening? Do you need such 
approvals in the event of a DDOS or other abuse?

> > are read? Why has MCI gone from 111 SBL listings as of January 1 to 190 as
>
>I thin

Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Ben Browning
At 11:16 AM 6/24/2004, [EMAIL PROTECTED] wrote:
>On Thu, 24 Jun 2004 15:22:02 +0700, "Dr. Jeffrey Race" 
><[EMAIL PROTECTED]>  said:
>
> > Not at all.  You can terminate for actions prejudicial to the safety and security
> > of the system.   Has nothing to do with anti-trust.
>
>I suspect that the spammer can find a lawyer who is willing to argue the idea
>that the "safety and security" of the AS701 backbone was not prejudiced by
>the spammer's actions, unless AS701 is able to show mtrg graphs and the
>like showing that the spammer was actually sending enough of a volume to
>swamp their core routers

Likewise, I imagine MCI could argue that the damage is to their core 
product; namely, the trust of other ISPs and their willingness to exchange 
traffic with MCI.

~Ben
---
   Ben Browning <[EMAIL PROTECTED]>
  The River Internet Access Co.
 WA Operations Manager
1-877-88-RIVER  http://www.theriver.com


Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Paul G


- Original Message - 
From: "Dr. Jeffrey Race" <[EMAIL PROTECTED]>
To: "Robert E. Seastrom" <[EMAIL PROTECTED]>
Cc: "Christopher L. Morrow" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, June 24, 2004 9:59 AM
Subject: Re: Attn MCI/UUNet - Massive abuse from your network


>
> On 24 Jun 2004 09:26:15 -0400, Robert E. Seastrom wrote:
> >"Dr. Jeffrey Race" <[EMAIL PROTECTED]> writes:>

-- snip --

> We see this all the time on Spam-L.  It shows up quickly in the numbers
> when there is a management decision.

perhaps we can move this discussion there, then?

paul



Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Valdis . Kletnieks
On Thu, 24 Jun 2004 15:22:02 +0700, "Dr. Jeffrey Race" <[EMAIL PROTECTED]>  said:

> Not at all.  You can terminate for actions prejudicial to the safety and security
> of the system.   Has nothing to do with anti-trust.

I suspect that the spammer can find a lawyer who is willing to argue the idea
that the "safety and security" of the AS701 backbone was not prejudiced by
the spammer's actions, unless AS701 is able to show mtrg graphs and the
like showing that the spammer was actually sending enough of a volume to
swamp their core routers

And of course, none of the Tier-1's wants to argue in court that one spammer is
able to present enough of a load to jeopardize their network stability, when
even large DDoS attacks usually aren't much of a blip except near the victim
node...





Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread John Payne

--On Thursday, June 24, 2004 3:25 PM +0100 [EMAIL PROTECTED] wrote:

> If anyone really cared about SPAM, then the credit reporting
> companies would already be collecting information about
> SPAMmers

Why would the credit reporting companies care about my choice of tasty 
luncheon meat?

ITYM spam, and spam-l is still two folders ---> thatta way



Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Christopher L. Morrow



On Thu, 24 Jun 2004, George Roettger wrote:

>
>
> > This process happens repeatedly, spammers know they can get about a month
> > of time (or more, depending on upstreams and hosting providers in
> > question) of life, either way it's just 50 bucks
>
> forgive my question, but why does it take a month? If you had a bad route
> causing an outage for the spammer, would it take a month for the involved
> ISPs to fix that?

spammer comes, starts work, spams, complaints arrive, downstream customer
is notified of 'problem', they get their 3 strikes to deal with said
problem, then the ip is null routed. Sometimes it's a month, sometimes
less. It's situationally dependent :( I picked a round number because
saying: "Spammers get 9.759 days on average per webhosting adventure" is
cumbersome.


Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Michael . Dillon

> It is the same way credit reporting works: you mess up, you get no
> credit.
> 
> Come on guys, you are all smart engineers.   This is not rocket science.

If anyone really cared about SPAM, then the credit reporting
companies would already be collecting information about
SPAMmers and network operators would pay them for that info
when they sign up new customers.

But most people are happy with things the way
they are. They love SPAM because it gives them
something to complain about and get emotional about.

Personally, I find SPAM to be a minor annoyance. I just delete
the dozen or so messages a day that make their way through the
SPAM filter. 

But what concerns me far more than SPAM is the
fundamental insecurity of the email system which
makes it impossible to trust the source of any
email message unless you have some prior knowledge 
of the sender. Back in the old days, at least we
had alternatives like Compuserve and MCI-Mail. Now
there is only one email system and it is rotten
at the core. If we would fix that then most of the
time, SPAM would be a minor annoyance like graffiti
or vandalism is in the real world. As it currently
stands, SPAM is like terrorism circa 1999, i.e. it's
escalating and you ain't seen nuthin' yet...

--Michael Dillon



Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Brian W. Gemberling


Is it possible for some people to chime in on backbone scaling
issues that have a linksys cable modem "router" to test on?

On Thu, 24 Jun 2004, Robert E. Seastrom wrote:

>
>
> "Dr. Jeffrey Race" <[EMAIL PROTECTED]> writes:
>
> > Poof!  MCI spam problem goes away in 30 days.
>
> http://www.rhyolite.com/anti-spam/you-might-be.html
>
> I think the discussion is over.
>
> ---Rob
>


Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Dr. Jeffrey Race

On 24 Jun 2004 09:26:15 -0400, Robert E. Seastrom wrote:
>"Dr. Jeffrey Race" <[EMAIL PROTECTED]> writes:
>
>> Poof!  MCI spam problem goes away in 30 days.
>
>http://www.rhyolite.com/anti-spam/you-might-be.html
>
>I think the discussion is over.

Ha ha ha!

Well the FACT is that lots of firms have cleaned up their networks
after management or policy changes.  We see this all the time on
Spam-L.  It shows up quickly in the numbers when there is a
management decision.

Jeffrey Race




Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Dr. Jeffrey Race

On Thu, 24 Jun 2004 09:20:30 -0400, Stephen Perciballi wrote:
>I think you may be missing a major point.  UUNET/MCI provides dedicated internet 
>services to so many downstreams that it is impossible to stop spammers from 
>signing up to those downstreams.  Preventing spammers from signing up for 
>UUNET/MCI services is, yes, trivial.  Preventing spammers from signing up on a 
>downstream of a downstream of a downstream etc is impossible.

With this procedure (please re-read it carefully, everyone in the entire contractual
chain is bound) they can sign up ONCE.  After that they go in the
common database.

It is the same way credit reporting works: you mess up, you get no
credit.

Come on guys, you are all smart engineers.   This is not rocket science.

Jeffrey Race




Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Stephen Perciballi


[Thu, Jun 24, 2004 at 10:20:33AM +0700]
Dr. Jeffrey Race Inscribed these words...


> 
> On Thu, 24 Jun 2004 03:05:41 + (GMT), Christopher L. Morrow wrote:
> >Sure, customer of a customer we got emailtools.com kicked from their
> >original 'home' now they've moved off (probably several times since 2000)
> >to another customer. This happens to every ISP, each time they appear we
> >start the process to disconnect them.
> 
> This is too flagrant to let pass without comment.
> 
> This "endless loop" situation does NOT happen to every ISP, only to those who
> have not emplaced procedures to prevent serial signups of serial abusers.  This is 
> trivially easy to do and your firm's failure to do so and to enforce this rule on 
> your contracting parties definitively proves your management's decision to profit from
> spam rather than to stop spam.
> 

I think you may be missing a major point.  UUNET/MCI provides dedicated internet 
services to so many downstreams that it is impossible to stop spammers from 
signing up to those downstreams.  Preventing spammers from signing up for 
UUNET/MCI services is, yes, trivial.  Preventing spammers from signing up on a 
downstream of a downstream of a downstream etc is impossible.


> Jeffrey Race
> 
> 
> 

-- 

Stephen (routerg)
irc.dks.ca


Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Robert E. Seastrom


"Dr. Jeffrey Race" <[EMAIL PROTECTED]> writes:

> Poof!  MCI spam problem goes away in 30 days.

http://www.rhyolite.com/anti-spam/you-might-be.html

I think the discussion is over.

---Rob



Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Jun-ichiro itojun Hagino

> > spamhaus has gotten too aggressive.  It's now preventing too much legitimate 
> > email.
> 
> Spammers have gotten too aggressive. If you don't filter you would not
> see any legitimate email.

a couple of days before my primary email server crashed, so i
configured a backup machine.  the backup machine does not have spam
filtering database at first.  i managed to install bogofilter,
but anyways, it became apparent that i get 50+ Mbytes of spams per day.
what a waste of electrons!  we need to conserve electrons!!

itojun


Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread william(at)elan.net

On Thu, 24 Jun 2004, Curtis Maurand wrote:

> spamhaus has gotten too aggressive.  It's now preventing too much legitimate 
> email.

Spammers have gotten too aggressive. If you don't filter you would not
see any legitimate email.

-- 
William Leibzon
Elan Networks
[EMAIL PROTECTED]



Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Curtis Maurand

spamhaus has gotten too aggressive.  It's now preventing too much legitimate 
email.

Curtis
--
Curtis Maurand
mailto:[EMAIL PROTECTED]
http://www.maurand.com

On Thu, 24 Jun 2004, Christopher L. Morrow wrote:

> On Mon, 21 Jun 2004, Ben Browning wrote:
>
> > At 12:28 PM 6/21/2004, Christopher L. Morrow wrote:
> > >the ethics office doesn't need to see your complaints, they don't really
> > >deal with these anyway.
> >
> > I am quite sure that the ethics department does not deal with spam
> > complaints. My complaint is that your stated policy is clearly not being
> > followed. MCI is currently the Number 1 spam source on many lists-
> > certainly, your overall size skews that figure somewhat, but the listings I
> > see (on the SBL anyway, I do not have the many hours needed to read all the
> > documentation SPEWS has to offer) have reports that are at least 6 months
> > old and are still alive...
>
> The sbl lists quite a few /32 entries, while this is nice for blocking
> spam if you choose to use their RBL service I'm not sure it's a good
> measure of 'spamhaus size'. I'm not sure I know of a way to take this
> measurement, but given size and number of IPs that terminate inside AS701
> there certainly are scope issues.
>
> All that said, I'm certainly not saying "spam is good", I also believe
> that over the last 4.5 years uunet's abuse group has done quite a few good
> things with respect to the main spammers.
>
> > As an example, I see a posting that says emailtools.com was alive on
> > 206.67.63.41 in 2000. They aren't there any more... But now:
> >
> > [EMAIL PROTECTED] telnet mail.emailtools.com 25
> > Trying 65.210.168.34...
> > Connected to mail.emailtools.com.
> > Escape character is '^]'.
>
> Sure, customer of a customer we got emailtools.com kicked from their
> original 'home' now they've moved off (probably several times since 2000)
> to another customer. This happens to every ISP, each time they appear we
> start the process to disconnect them. I'm checking on the current status
> of their current home to see why we have either: 1) not gotten complaints
> about them, 2) have not made progress kicking them again.
>
> > >On Mon, 21 Jun 2004, Ben Browning wrote:
> > >
> > > > At 11:42 AM 6/21/2004, Christopher L. Morrow wrote:
> > > > >curious, why did you not send this to the abuse@ alias?
> > > >
> > > > I wanted it to get read.
> > >
> > >messages to abuse@ do in fact get read...
> >
> > Allow me to rephrase- I wanted it to be read and hoped someone would act on
> > complaints. I have no doubt MCI is serious about stopping DDOS and other
> > abusive traffic of that ilk- when it comes to proxy hijacking and spamming,
> > though, abuse@ turns a blind eye. What other conclusion can I draw from the
>
> This is not true, the action might not happen in the time you'd like, but
> there are actions being taken. I'd be the first to admit that the
> timelines are lengthy :( but part of that is the large company process,
> getting all the proper people to realize that this abuse is bad and the
> offenders need to be dealt with.
>
> > 200ish SBL entries under MCI's name? Why else would emailtools.com(for
> > example) still be around despite their wholesale raping of misconfigured
> > proxies?
>
> emailtools will be around in one form or another, all the owner must do is
> purchase 9$ virtual-hosting from some other poor ISP out there who needs
> the money... they may not even know who emailtools is, if that ISP is a
> uunet/mci customer then we'll have to deal with them as well, just like
> their current home. you must realize you can't just snap your fingers and
> make these things go away.
>
> > All I want is a couple of straight-up answers. Why do complaints to uunet
> > go unanswered and the abusers remain connected if, in fact, the complaints
>
> I believe you do get an answer, if not the auto-acks are off still from a
> previous mail flood ;( Please let me know if you are NOT getting ticket
> numbers back. They might be connected still if there were:
> 1) not enough info in the complaints to take action on them
> 2) not enough complaints to terminate the account, but working with the
> downstream to get the problem resolved
> 3) action is awaiting proper approvals.
>
> There might be a few more steps things could be in, but in general all
> complaints that have proper/actionable info are dealt with.
>
> > are read? Why has MCI gone from 111 SBL listings as of January 1 to 190 as
>
> I think the answer is shifting winds in spammer homelands, I'll look
> through the list and see if we know about the problem children in the list
> and what we are doing about them.
>
> > If I am a kook and an idiot for wanting a cleaner internet, well then I
> > guess I am a kook and an idiot.
>
> not for that, just for taking this up in the wrong place... but people
> call me kooky too, so maybe I'm just skewed.


Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread George Roettger


> This process happens repeatedly, spammers know they can get about a month
> of time (or more, depending on upstreams and hosting providers in
> question) of life, either way it's just 50 bucks

forgive my question, but why does it take a month? If you had a bad route
causing an outage for the spammer, would it take a month for the involved
ISPs to fix that?

Geo.



Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Dr. Jeffrey Race

On Wed, 23 Jun 2004 21:34:39 -0600, Mike Lewinski wrote:

>. How do you 
>retroactively modify your contract to tell all your existing clients 
>"don't do business with company X" or we'll terminate you 

It is ALREADY in the contracts and TOS.  Just has to be enforced.


>(actually, such a contract term would probably run afoul of antitrust regs esp. for 
>an entity as large as AS701).

Not at all.  You can terminate for actions prejudicial to the safety and security
of the system.   Has nothing to do with anti-trust.   

>
>In general, policing the customer of a customer is not an easy thing.

Well it is an OBLIGATION so easy or hard (and lots of things in life are hard)
it has to be done.  





Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Dr. Jeffrey Race

Chris why do you give me such easy ones? :)

This situation has been known for years and it is I repeat trivially easy to solve.

1-There are relatively small numbers of serious spammers and of ISPs.
2-In your contract you require all your customers to know the true identities of
their customers (if juridical entities, their officers and directors) and to impose
this requirement on every subcontract.  ISP violators will be terminated 
immediately.
3-The end-user contract must state that spamming is forbidden; there are
   penalties for infraction, notionally $500 for the first offense, $5,000 for
  the next, $50,000 for the third, AT WHATEVER CARRIER IN THE SYSTEMWIDE
  DATABASE.   The end-user
  must provide a validated credit card.   Customer agrees that violation will
  result in immediate termination with prejudice which will be logged in a system-wide
  shared database.
4-No applicant can be accepted without first checking this database and ROKSO.

Violation of such a contract is not just a civil matter resulting in penalties (charged
against the credit card which affects the applicant's credit history).   It is also the
criminal offense of "fraud in the inducement" because the perp signed the 
agreement with the prior intention to violate it.

Therefore when your downstream terminates a perp, they enter him (by real name)
in the system-wide database, collect the penalty, and file a police report and have
him criminally prosecuted.  If they refuse, you terminate the downstream.

Poof!  MCI spam problem goes away in 30 days.

I went through all this with your counsel Neil Patel.  Your company refused to
do anything, because it wanted to continue to profit from spam.  The adventure
continues.

Chris--nothing personal.   It's just business.  These are the facts.  Lots of
companies have procedures like this in place which is why they don't have
spam problems.

Jeffrey Race





On Thu, 24 Jun 2004 06:34:25 + (GMT), Christopher L. Morrow wrote:
>On Thu, 24 Jun 2004, Dr. Jeffrey Race wrote:
>> On Thu, 24 Jun 2004 03:05:41 + (GMT), Christopher L. Morrow wrote:
>> >Sure, customer of a customer we got emailtools.com kicked from their
>> >original 'home' now they've moved off (probably several times since 2000)
>> >to another customer. This happens to every ISP, each time they appear we
>> >start the process to disconnect them.
>>
>> This is too flagrant to let pass without comment.
>>
>> This "endless loop" situation does NOT happen to every ISP, only to those who
>> have not emplaced procedures to prevent serial signups of serial
>> abusers.  This is
>
>Sorry, you mistook my statement, or I mis-spoke it such that you would
>misunderstand it :( So, the point I was trying to make I'll try again with
>an example: (situation not made up, parties made up)
>
>1) spammer#12 signs up as a webhosting customer of Exodus who is a
>customer of As701
>2) 701 gets complaints, notifies good customer Exodus who terms the
>spammer's website/box/blah
>3) spammer#12 signs up with next 50$/month hosting site Abovenet off 1239
>4) 1239 gets complaints notifies the good customer abovenet who terms the
>customer.
>.
>.
>.
>12) spammer#12 signs up with webhosting group rackspace who is a 701
>customer
>13) return to step 2
>
>This process happens repeatedly, spammers know they can get about a month
>of time (or more, depending on upstreams and hosting providers in
>question) of life, either way it's just 50 bucks At all times, they
>are not customers of 1239, 701, whomever... they are a customer of a
>customer. So, 701 or 1239 never know who the downstream is, in the
>particular case of emailtools.com this is the case... Or, that's what
>seems to have happened since they were a customer of some NYC based
>customer 4 years ago, and are now a customer of some TPA based customer
>now.
>
>> trivially easy to do and your firm's failure to do so and to enforce
>> this rule on your
>> contracting parties definitively proves your management's decision to
>> profit from
>> spam rather than to stop spam.
>>
>
>I'd also point out something that any provider will tell you: "Spammers
>never pay their bills." This is, in fact (for you nanae watchers), the
>reason that most of them get canceled by us FASTER... Sadly, non-payment
>is often a quicker and easier method to term a customer than 'abuse', less
>checks since there is no 'perceived revenue' :(





Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-24 Thread Christopher L. Morrow


On Thu, 24 Jun 2004, Dr. Jeffrey Race wrote:

>
> On Thu, 24 Jun 2004 03:05:41 + (GMT), Christopher L. Morrow wrote:
> >Sure, customer of a customer we got emailtools.com kicked from their
> >original 'home' now they've moved off (probably several times since 2000)
> >to another customer. This happens to every ISP, each time they appear we
> >start the process to disconnect them.
>
> This is too flagrant to let pass without comment.
>
> This "endless loop" situation does NOT happen to every ISP, only to those who
> have not emplaced procedures to prevent serial signups of serial
> abusers.  This is

Sorry, you mistook my statement, or I mis-spoke it such that you would
misunderstand it :( So, the point I was trying to make I'll try again with
an example: (situation not made up, parties made up)

1) spammer#12 signs up as a webhosting customer of Exodus who is a
customer of As701
2) 701 gets complaints, notifies good customer Exodus who terms the
spammer's website/box/blah
3) spammer#12 signs up with next 50$/month hosting site Abovenet off 1239
4) 1239 gets complaints notifies the good customer abovenet who terms the
customer.
.
.
.
12) spammer#12 signs up with webhosting group rackspace who is a 701
customer
13) return to step 2

This process happens repeatedly, spammers know they can get about a month
of time (or more, depending on upstreams and hosting providers in
question) of life, either way it's just 50 bucks At all times, they
are not customers of 1239, 701, whomever... they are a customer of a
customer. So, 701 or 1239 never know who the downstream is, in the
particular case of emailtools.com this is the case... Or, that's what
seems to have happened since they were a customer of some NYC based
customer 4 years ago, and are now a customer of some TPA based customer
now.

> trivially easy to do and your firm's failure to do so and to enforce
> this rule on your
> contracting parties definitively proves your management's decision to
> profit from
> spam rather than to stop spam.
>

I'd also point out something that any provider will tell you: "Spammers
never pay their bills." This is, in fact (for you nanae watchers), the
reason that most of them get canceled by us FASTER... Sadly, non-payment
is often a quicker and easier method to term a customer than 'abuse', less
checks since there is no 'perceived revenue' :(

-Chris


Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-23 Thread Mike Lewinski
Dr. Jeffrey Race wrote:
> This "endless loop" situation does NOT happen to every ISP, only to those who
> have not emplaced procedures to prevent serial signups of serial abusers.  This is 
> trivially easy to do and your firm's failure to do so and to enforce this rule on your
> contracting parties definitively proves your management's decision to profit from
> spam rather than to stop spam.

I don't think "trivially easy" is the right word in this case. If this 
were someone doing hit and run dialup directly on UUnet I might agree. 
But here he's talking about a customer of a customer. How do you 
retroactively modify your contract to tell all your existing clients 
"don't do business with company X" or we'll terminate you (actually, 
such a contract term would probably run afoul of antitrust regs esp. for 
an entity as large as AS701).

In general, policing the customer of a customer is not an easy thing. We 
were once sued by the French organization for the preservation of the 
name "Champagne". One of our clients was apparently hosting a domain for 
one of their clients named "champ-pagne.com" which was selling bottled 
water for dogs(!). But by the time we were served with the papers, the 
DNS had been moved away from our client. We had to go to court just to 
find out just why they were suing us to begin with since the paperwork 
didn't explicitly mention our client by name or IP.


Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-23 Thread Paul G


- Original Message - 
From: "Dr. Jeffrey Race" <[EMAIL PROTECTED]>
To: "Jeffrey Race" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, June 23, 2004 11:20 PM
Subject: Re: Attn MCI/UUNet - Massive abuse from your network


>
> On Thu, 24 Jun 2004 03:05:41 + (GMT), Christopher L. Morrow wrote:
> >Sure, customer of a customer we got emailtools.com kicked from their
> >original 'home' now they've moved off (probably several times since 2000)
> >to another customer. This happens to every ISP, each time they appear we
> >start the process to disconnect them.
>
> This is too flagrant to let pass without comment.

not specifically in response to jeffrey, but may i suggest we &>
/dev/{nanae,null} ?

paul



Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-23 Thread Dr. Jeffrey Race

On Thu, 24 Jun 2004 03:05:41 + (GMT), Christopher L. Morrow wrote:
>Sure, customer of a customer we got emailtools.com kicked from their
>original 'home' now they've moved off (probably several times since 2000)
>to another customer. This happens to every ISP, each time they appear we
>start the process to disconnect them.

This is too flagrant to let pass without comment.

This "endless loop" situation does NOT happen to every ISP, only to those who
have not emplaced procedures to prevent serial signups of serial abusers.  This is 
trivially easy to do and your firm's failure to do so and to enforce this rule on your
contracting parties definitively proves your management's decision to profit from
spam rather than to stop spam.

Jeffrey Race





Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-23 Thread Christopher L. Morrow


On Tue, 22 Jun 2004, Myke Place wrote:

> Can you then explain why there are 189 Spamhaus complaint against
> UUnet/MCI which haven't been dealt with?

I answered ben already (a few minutes ago) but I'll answer you as well. I
said I'd look into the listings and see what's known or being done about
them.


Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-23 Thread Christopher L. Morrow


On Mon, 21 Jun 2004, Ben Browning wrote:

> At 12:28 PM 6/21/2004, Christopher L. Morrow wrote:
> >the ethics office doesn't need to see your complaints, they don't really
> >deal with these anyway.
>
> I am quite sure that the ethics department does not deal with spam
> complaints. My complaint is that your stated policy is clearly not being
> followed. MCI is currently the Number 1 spam source on many lists-
> certainly, your overall size skews that figure somewhat, but the listings I
> see (on the SBL anyway, I do not have the many hours needed to read all the
> documentation SPEWS has to offer) have reports that are at least 6 months
> old and are still alive...

The sbl lists quite a few /32 entries, while this is nice for blocking
spam if you choose to use their RBL service I'm not sure it's a good
measure of 'spamhaus size'. I'm not sure I know of a way to take this
measurement, but given size and number of IPs that terminate inside AS701
there certainly are scope issues.

All that said, I'm certainly not saying "spam is good", I also believe
that over the last 4.5 years uunet's abuse group has done quite a few good
things with respect to the main spammers.

>
> As an example, I see a posting that says emailtools.com was alive on
> 206.67.63.41 in 2000. They aren't there any more... But now:
>
> [EMAIL PROTECTED] telnet mail.emailtools.com 25
> Trying 65.210.168.34...
> Connected to mail.emailtools.com.
> Escape character is '^]'.

Sure, customer of a customer we got emailtools.com kicked from their
original 'home' now they've moved off (probably several times since 2000)
to another customer. This happens to every ISP, each time they appear we
start the process to disconnect them. I'm checking on the current status
of their current home to see why we have either: 1) not gotten complaints
about them, 2) have not made progress kicking them again.

> >On Mon, 21 Jun 2004, Ben Browning wrote:
> >
> > > At 11:42 AM 6/21/2004, Christopher L. Morrow wrote:
> > > >curious, why did you not send this to the abuse@ alias?
> > >
> > > I wanted it to get read.
> >
> >messages to abuse@ do in fact get read...
>
> Allow me to rephrase- I wanted it to be read and hoped someone would act on
> complaints. I have no doubt MCI is serious about stopping DDOS and other
> abusive traffic of that ilk- when it comes to proxy hijacking and spamming,
> though, abuse@ turns a blind eye. What other conclusion can I draw from the

This is not true, the action might not happen in the time you'd like, but
there are actions being taken. I'd be the first to admit that the
timelines are lengthy :( but part of that is the large company process,
getting all the proper people to realize that this abuse is bad and the
offenders need to be dealt with.

> 200ish SBL entries under MCI's name? Why else would emailtools.com(for
> example) still be around despite their wholesale raping of misconfigured
> proxies?

emailtools will be around in one form or another, all the owner must do is
purchase 9$ virtual-hosting from some other poor ISP out there who needs
the money... they may not even know who emailtools is, if that ISP is a
uunet/mci customer then we'll have to deal with them as well, just like
their current home. you must realize you can't just snap your fingers and
make these things go away.

>
> All I want is a couple of straight-up answers. Why do complaints to uunet
> go unanswered and the abusers remain connected if, in fact, the complaints

I believe you do get an answer, if not the auto-acks are off still from a
previous mail flood ;( Please let me know if you are NOT getting ticket
numbers back. They might be connected still if there were:
1) not enough info in the complaints to take action on them
2) not enough complaints to terminate the account, but working with the
downstream to get the problem resolved
3) action is awaiting proper approvals.

There might be a few more steps things could be in, but in general all
complaints that have proper/actionable info are dealt with.


> are read? Why has MCI gone from 111 SBL listings as of January 1 to 190 as

I think the answer is shifting winds in spammer homelands, I'll look
through the list and see if we know about the problem children in the list
and what we are doing about them.

>
> If I am a kook and an idiot for wanting a cleaner internet, well then I
> guess I am a kook and an idiot.

not for that, just for taking this up in the wrong place... but people
call me kooky too, so maybe I'm just skewed.
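
The point made in the message above, that a count of SBL entries (many of them /32s) says little about how much of a large network is listed, can be shown with numbers. This is an added example, not part of the original thread: the network names, prefixes (private address space) and listings are constructed, and dividing by announced address space is one assumed way to normalise, not a method anyone in the thread proposes.

```python
import ipaddress

# Constructed sample data: private address space, not real blocklist entries.
NETWORKS = {
    "big-carrier": {
        "announced": ["10.0.0.0/8"],
        "listings": [
            "10.1.2.3/32",
            "10.1.2.4/32",
            "10.9.0.0/24",
            "10.9.0.17/32",   # already covered by 10.9.0.0/24
            "10.200.7.7/32",
        ],
    },
    "small-host": {
        "announced": ["192.168.0.0/22"],
        "listings": ["192.168.1.0/24"],
    },
}


def listing_metrics(announced, listings):
    """Return (entry_count, listed_addresses, listed_fraction) for a network.

    entry_count      raw number of blocklist entries, the figure quoted in
                     the thread ("111 listings", "190 listings")
    listed_addresses distinct addresses covered once overlapping entries
                     are collapsed and clipped to the announced space
    listed_fraction  listed_addresses divided by the announced address count
    """
    space = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(p) for p in announced))
    entries = [ipaddress.ip_network(p) for p in listings]

    listed = 0
    for net in ipaddress.collapse_addresses(entries):
        for block in space:
            if net.subnet_of(block):
                # Listing lies wholly inside one announced block.
                listed += net.num_addresses
                break
            if block.subnet_of(net):
                # Listing is wider than the announced block: count the block.
                listed += block.num_addresses

    total = sum(block.num_addresses for block in space)
    return len(entries), listed, listed / total


def rank(networks, by):
    """Order network names from most to least listed under one metric."""
    column = {"entries": 0, "addresses": 1, "fraction": 2}[by]
    scores = {
        name: listing_metrics(data["announced"], data["listings"])[column]
        for name, data in networks.items()
    }
    return sorted(scores, key=scores.get, reverse=True)


if __name__ == "__main__":
    for name, data in NETWORKS.items():
        count, addrs, frac = listing_metrics(data["announced"], data["listings"])
        print(f"{name:12s} entries={count:3d} addresses={addrs:5d} "
              f"fraction={frac:.6%}")
    print("by entry count:", rank(NETWORKS, "entries"))
    print("by fraction   :", rank(NETWORKS, "fraction"))
```

The two rankings disagree: the large network leads on entry count while the small one leads on share of its own space, which is why a bare listing count needs a stated denominator before networks are compared.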


Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-23 Thread Ben Browning
At 10:45 PM 6/22/2004, Tim Thorne wrote:
> Not so long ago I took a long look at the SBL for MCI and I came to
> the conclusion that the data is mostly out of date and therefore
> inaccurate. The folks at the SBL posting in NANAE said this may be the
> case, but it's up to the MCI folks to clean up the SBL database.

MCI does not want to "legitimize" blacklists by helping clean up their own 
records.

Any company or network that afraid of accountability obviously must have 
its reasons. I am sure they have seen the many many times some provider has 
said "We removed Spammer A" and the antispam community has responded with 
"Great, how about spammers B through Z?". That's a question they don't and 
won't answer beyond the token "Email to abuse@ does get read". Maybe it 
does- I am not MCI, so I don't know. Regardless of whether the mail does 
get read, the spammers remain connected. Why? One can only come to the 
conclusion that it is either due to technical ineptitude or protection of 
their revenue stream.  Likewise, they have no doubt noticed that providers 
that lie about canning spammers are quickly outed, and their blocklist 
listings(and no doubt private firewall rules, which are much harder to 
escape) tend to expand greatly. So, MCI has (correctly) identified 
their options as A) clean up their network B) try to lie or C) do nothing. 
Given that A involves loss of revenue and a (short term) increase in labor 
and B will cause them even more problems, C is their obvious recourse.

> >As an example, I see a posting that says emailtools.com was alive on
> >206.67.63.41 in 2000. They aren't there any more... But now:
>
> Emailtools.com aren't spammers, but they sell spamware. That subtle
> difference is enough to keep them on the MCI network.

This may be true, but Atriks is still there, and they are one of the most 
technically malicious spammers in the game today. Spam support is spam 
support, whether you are hosting the website, DNS, proxy mining operation, 
or a drop-box. Any provider that is OK with hosting software that does this:

"Email Marketing 98 is our high-end email marketing tool. It is one of the 
best extractors on the market while remaining price competitive. At the 
push of a button, Email Marketing 98 will retrieve Email addresses of all 
the posters on an Internet news group or a series of groups. Then it will 
send your Email message to any or all of those addresses."

may as well be sending the spam themselves, IMO.

> If you want rid
> of sites like this that are based in Florida, then you best get
> Florida to change their laws.

Wouldn't *that* be lovely.
---
   Ben Browning <[EMAIL PROTECTED]>
  The River Internet Access Co.
 WA Operations Manager
1-877-88-RIVER  http://www.theriver.com


Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-21 Thread Dr. Jeffrey Race

On Mon, 21 Jun 2004 19:28:07 + (GMT), Christopher L. Morrow wrote:
>> >  Did you include any logs or other relevant data about the problems you are 
>> > reporting?
>>These problems are systemic and internet-wide. I can likely drudge up a
>> great many examples if someone from UUNet can assure me they will be read
>> and acted on.
>the best way to get abuse complaints handled is to in fact send them to the
>abuse@ 


Messages are read and ignored.  I went through the complete process all the way up
to the staff attorney in charge of this matter.  The firm ran then (see article cited
in previous post) on the Environmental Polluter business model (externalize the costs,
internalize the revenue) and clearly still does.   It is a policy decision of senior
management.
This is why they are always high up in the list of internet scum enablers.

Ben, that is your answer.  Wish I had better news for you.  It will go on this way
until the management persons responsible for this continuing fraud upon us are led away
in handcuffs just as were those members of this firm who were responsible for the
(similar) financial frauds.

Chris, if a massively insecure network by management choice is not an operational
issue for the victims, what is?

Jeffrey Race




Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-21 Thread Dr. Jeffrey Race

On Mon, 21 Jun 2004 11:09:05 -0700, Ben Browning wrote:
>At this point I am just curious what the answers to these questions are. I 
>have not (yet) widely blocklisted uunet, but if things don't change I fear 
>such a measure may be the only way to stop the abuse spewing from your 
>networks. Seeing such a large (and once-respected) network go as completely 
>black-hat rogue as UUNet has is a sad thing.
>Any reply at all would be most welcome.

For my own amusing experience with this spam enabler,  see

 


You will find the answer to your questions

Jeffrey Race




Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-21 Thread Ben Browning
At 12:28 PM 6/21/2004, Christopher L. Morrow wrote:
> the ethics office doesn't need to see your complaints, they don't really
> deal with these anyway.
I am quite sure that the ethics department does not deal with spam 
complaints. My complaint is that your stated policy is clearly not being 
followed. MCI is currently the Number 1 spam source on many lists- 
certainly, your overall size skews that figure somewhat, but the listings I 
see (on the SBL anyway, I do not have the many hours needed to read all the 
documentation SPEWS has to offer) have reports that are at least 6 months 
old and are still alive...

As an example, I see a posting that says emailtools.com was alive on 
206.67.63.41 in 2000. They aren't there any more... But now:

[EMAIL PROTECTED] telnet mail.emailtools.com 25
Trying 65.210.168.34...
Connected to mail.emailtools.com.
Escape character is '^]'.
220 mail.emailtools.com ESMTP Merak 5.1.5; Mon, 21 Jun 2004 18:55:20 -0400
quit
221 2.0.0 mail.emailtools.com closing connection
Connection closed by foreign host.
[EMAIL PROTECTED] whois `dnsip mail.emailtools.com`
UUNET Technologies, Inc. UUNET65 (NET-65-192-0-0-1)
  65.192.0.0 - 65.223.255.255
MTI SOFTWARE UU-65-210-168-32-D9 (NET-65-210-168-32-1)
  65.210.168.32 - 65.210.168.39

I can furnish as many examples as needed of cases where UUNet has 
demonstrably ignored complaints. Alternately, you could go ask any major 
anti-spam community (NANAE for example) or entity (SpamCop, etc) how they 
feel your abuse@ response has been. If this sounds like a pain, I will 
gladly collect such stories and send them to whoever there can effect 
changes in these policies.

> On Mon, 21 Jun 2004, Ben Browning wrote:
> > At 11:42 AM 6/21/2004, Christopher L. Morrow wrote:
> > >curious, why did you not send this to the abuse@ alias?
> >
> > I wanted it to get read.
> messages to abuse@ do in fact get read...
Allow me to rephrase- I wanted it to be read and hoped someone would act on 
complaints. I have no doubt MCI is serious about stopping DDOS and other 
abusive traffic of that ilk- when it comes to proxy hijacking and spamming, 
though, abuse@ turns a blind eye. What other conclusion can I draw from the 
200ish SBL entries under MCI's name? Why else would emailtools.com (for 
example) still be around despite their wholesale raping of misconfigured 
proxies?

All I want is a couple of straight-up answers. Why do complaints to uunet 
go unanswered and the abusers remain connected if, in fact, the complaints 
are read? Why has MCI gone from 111 SBL listings as of January 1 to 190 as 
of today? To whom does the anti-spam community turn when it becomes obvious 
a tier-1 provider is ignoring complaints?

If I am a kook and an idiot for wanting a cleaner internet, well then I 
guess I am a kook and an idiot.

~Ben
---
   Ben Browning <[EMAIL PROTECTED]>
  The River Internet Access Co.
 WA Operations Manager
1-877-88-RIVER  http://www.theriver.com


Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-21 Thread Petri Helenius
Randy Bush wrote:
>>> curious, why did you not send this to the abuse@ alias?
>> I wanted it to get read.
> you have just certified yourself as an idiot

One down, only ~6 billion to go. I sure hope we don't have to list them 
one by one.

Pete



Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-21 Thread Randy Bush

>> curious, why did you not send this to the abuse@ alias?
> I wanted it to get read.

you have just certified yourself as an idiot





Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-21 Thread Christopher L. Morrow

the ethics office doesn't need to see your complaints, they don't really
deal with these anyway.

On Mon, 21 Jun 2004, Ben Browning wrote:

> At 11:42 AM 6/21/2004, Christopher L. Morrow wrote:
> >curious, why did you not send this to the abuse@ alias?
>
> I wanted it to get read.
>

messages to abuse@ do in fact get read...

> >  Did you include
> >any logs or other relevant data about the problems you are reporting?
>
> These problems are systemic and internet-wide. I can likely drudge up a
> great many examples if someone from UUNet can assure me they will be read
> and acted on.
>

the best way to get abuse complaints handled is to in fact send them to the
abuse@ alias (or wherever arin/ripe/apnic records point if that is
somewhere other than abuse@) complaints in public forums generally just
make you look kooky.

please back to network operations discussions, thanks.


Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-21 Thread Ben Browning
At 11:42 AM 6/21/2004, Christopher L. Morrow wrote:
> curious, why did you not send this to the abuse@ alias?

I wanted it to get read.

> Did you include
> any logs or other relevant data about the problems you are reporting?

These problems are systemic and internet-wide. I can likely drudge up a 
great many examples if someone from UUNet can assure me they will be read 
and acted on.

~Ben
---
   Ben Browning <[EMAIL PROTECTED]>
  The River Internet Access Co.
 WA Operations Manager
1-877-88-RIVER  http://www.theriver.com


Re: Attn MCI/UUNet - Massive abuse from your network

2004-06-21 Thread Christopher L. Morrow


On Mon, 21 Jun 2004, Ben Browning wrote:

>
> (apologies to NANOG for only quasi-operational content of this message - I
> only post this here due to the fact that I am sure it is a problem on many
> of your networks)
>

curious, why did you not send this to the abuse@ alias? Did you include
any logs or other relevant data about the problems you are reporting?

> Attention UUNet,
>