Re: Slightly OT: Looking for an old domain for spam collection

2007-04-08 Thread Jim Popovitch

On Wed, 2007-03-28 at 11:24 -0700, Douglas Otis wrote:
 On Mar 28, 2007, at 11:08 AM, william(at)elan.net wrote:
  On Wed, 28 Mar 2007, Tony Finch wrote:
  completewhois has lists in various forms of bogon and hijacked  
  networks.
 
  http://completewhois.com/bogons/bogons_usage.htm
 
 This list apparently does not track much of the active spoofed  
 announcements.  This is understandable, as this tracking remains a  
 difficult task.

I've been tracking that list for the past few days, and it seems to
change quite a bit.  I've also seen it delete 30% one day, and add it
back in the next.  Do bogons really change that much?

-Jim P.



Re: Slightly OT: Looking for an old domain for spam collection

2007-04-08 Thread william(at)elan.net



On Sun, 8 Apr 2007, Jim Popovitch wrote:


On Wed, 2007-03-28 at 11:24 -0700, Douglas Otis wrote:

On Mar 28, 2007, at 11:08 AM, william(at)elan.net wrote:

On Wed, 28 Mar 2007, Tony Finch wrote:

completewhois has lists in various forms of bogon and hijacked
networks.

http://completewhois.com/bogons/bogons_usage.htm


This list apparently does not track much of the active spoofed
announcements.  This is understandable, as this tracking remains a
difficult task.


I've been tracking that list for the past few days, and it seems to
change quite a bit.  I've also seen it delete 30% one day, and add it
back in the next.  Do bogons really change that much?


If you're interested in comparing previous days' data, it's all archived at:
 http://completewhois.com/bogons/data/dailydata/

If you look at the specific RIR data files, you'd be able to tell that
the issue is LACNIC space that is different. There exists a bug that causes
the CIDR data after processing to not include the .0 address, which when it
happens severely increases the size of the list. Here is the bogons data from today:

  190.15.224.0/19
But yesterday the processing resulted in:

190.15.224.1/32
190.15.224.2/31
190.15.224.4/30
190.15.224.8/29
190.15.224.16/28
190.15.224.32/27
190.15.224.64/26
190.15.224.128/25
190.15.225.0/24
190.15.226.0/23
190.15.228.0/22
190.15.232.0/21
190.15.240.0/20

Stupid bug, but it's not reproducible every time and has little impact
(ok, it does open a small window for abuse) except for the size of the file
(correct size is about 117-120k).


--
William Leibzon
Elan Networks
[EMAIL PROTECTED]


Re: Slightly OT: Looking for an old domain for spam collection

2007-04-08 Thread Jim Popovitch

On Sun, 2007-04-08 at 21:59 -0700, william(at)elan.net wrote:
 Stupid bug, but it's not reproducible every time and has little impact
 (ok, it does open a small window for abuse) except for the size of the file
 (correct size is about 117-120k).

Stupid bugs severely impact automated processes. ;-)  I'm trying to
automate updating my firewall rules, so it's only as good, wrt bogons,
as the bogon list's consistency. Here's to hoping they get it
straightened out.

Thanks for the info William.

-Jim P.



Re: Slightly OT: Looking for an old domain for spam collection

2007-04-08 Thread william(at)elan.net



On Mon, 9 Apr 2007, Jim Popovitch wrote:


On Sun, 2007-04-08 at 21:59 -0700, william(at)elan.net wrote:

Stupid bug, but it's not reproducible every time and has little impact
(ok, it does open a small window for abuse) except for the size of the file
(correct size is about 117-120k).


Stupid bugs severely impact automated processes. ;-)


Not really severely, at least it has not been in my case, but I can
see that extra firewall rules with an already larger CIDR list
would have some performance impact. I'll put up a flag to not release
data (i.e. yesterday's would stay) when it happens.

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]
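Added example, not code from the thread, from completewhois or from Jim's firewall scripts: a consumer-side check for the artifact William describes (the .0 address dropped, so 190.15.224.0/19 arrives as thirteen fragments) and the release gate he mentions, which keeps yesterday's data when the artifact shows up. The 25% growth threshold and the function names are assumptions; the sample data is the thread's own.

```python
import ipaddress

# Constructed sample data, copied from the thread: the single /19 a correct run
# produces, and the 13 fragments the buggy run emitted for the same space.
GOOD_DAY = "190.15.224.0/19\n"
BUGGY_DAY = "\n".join([
    "190.15.224.1/32", "190.15.224.2/31", "190.15.224.4/30", "190.15.224.8/29",
    "190.15.224.16/28", "190.15.224.32/27", "190.15.224.64/26", "190.15.224.128/25",
    "190.15.225.0/24", "190.15.226.0/23", "190.15.228.0/22", "190.15.232.0/21",
    "190.15.240.0/20"])

def parse_cidrs(text):
    """One prefix per line; strict=True rejects entries with host bits set."""
    return [ipaddress.ip_network(line.strip(), strict=True)
            for line in text.splitlines() if line.strip()]

def find_dropped_zero(nets):
    """Find runs of contiguous prefixes that, together with the single address just
    below the run, form exactly one CIDR block: the signature of a processor that
    lost the .0 address. Returns [(run, block_it_should_have_been), ...]."""
    nets = sorted(nets, key=lambda n: int(n.network_address))
    hits, i = [], 0
    while i < len(nets):
        j = i  # extend the run while the next prefix starts right after this one ends
        while (j + 1 < len(nets) and
               int(nets[j + 1].network_address) == int(nets[j].broadcast_address) + 1):
            j += 1
        run = nets[i:j + 1]
        first, last = run[0].network_address, run[-1].broadcast_address
        if len(run) > 1 and int(first) > 0:
            merged = list(ipaddress.summarize_address_range(first - 1, last))
            if len(merged) == 1:  # a run that was already one block would give two here
                hits.append((run, merged[0]))
        i = j + 1
    return hits

def should_release(today, yesterday, max_growth=0.25):
    """Release gate for an automated consumer (the 25% threshold is an assumption):
    keep yesterday's file if today's shows the artifact or grew past max_growth."""
    if find_dropped_zero(today):
        return False
    if yesterday and len(today) > len(yesterday) * (1 + max_growth):
        return False
    return True
```

Run `find_dropped_zero(parse_cidrs(BUGGY_DAY))` on the thread's fragments and the single hit reports 190.15.224.0/19 as the block the thirteen entries should have been; the .0 address itself is the one the resulting rules would leave uncovered.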


Re: Slightly OT: Looking for an old domain for spam collection

2007-03-28 Thread Tony Finch

On Wed, 28 Mar 2007, Chris L. Morrow wrote:

 didn't Paul Vixie post a problem domain a bit back that would suffice?

IIRC he was complaining about junk DNS lookups to the RBL's original
domain.

Tony.
-- 
f.a.n.finch  [EMAIL PROTECTED]  http://dotat.at/
DOGGER FISHER GERMAN BIGHT: EASTERLY 4 OR 5, OCCASIONALLY 6 IN NORTH FISHER,
BECOMING CYCLONIC IN DOGGER LATER. SLIGHT OR MODERATE, OCCASIONALLY ROUGH IN
NORTH FISHER. MAINLY FAIR. MODERATE OR GOOD.


Re: Slightly OT: Looking for an old domain for spam collection

2007-03-28 Thread Chris L. Morrow



On Wed, 28 Mar 2007, Tony Finch wrote:

 On Wed, 28 Mar 2007, Chris L. Morrow wrote:
 
  didn't Paul Vixie post a problem domain a bit back that would suffice?

 IIRC he was complaining about junk DNS lookups to the RBL's original
 domain.

yup, and partway through the thread I thought he mentioned an MX as well.


Re: Slightly OT: Looking for an old domain for spam collection

2007-03-28 Thread Douglas Otis

On Wed, 2007-03-28 at 13:34 +0100, Tony Finch wrote:
 On Wed, 28 Mar 2007, Chris L. Morrow wrote:
 
  didn't Paul Vixie post a problem domain a bit back that would suffice?
 
 IIRC he was complaining about junk DNS lookups to the RBL's original
 domain.

Correct.

The conclusion of that thread can be found here:
http://www.merit.edu/mail.archives/nanog/msg04555.html


A word of caution.  When attempting to collect IP address based abuse
information, spoofed BGP announcements MUST be tracked as well.  This
topic or even mention of ASNs was excluded in the Guidelines for
Management of DNS-Based Reputation Systems for Email written by Yakov
Shafranovich, Nick Nicholas, Matt Sergeant, and Chris Lewis and
published by Nick Nicholas on the ASRG reflector.  This paper ironically
excluded the role of the provider.

A cooperative effort by providers is likely the _only_ viable solution
for dealing with this chronic problem.  Targeted abuse is also unlikely
to be detected from disposed MX domains, but will detect amateurs. 

-Doug



Re: Slightly OT: Looking for an old domain for spam collection

2007-03-28 Thread Ken Simpson

 The conclusion of that thread can be found here:
 http://www.merit.edu/mail.archives/nanog/msg04555.html

Thanks!

 A word of caution.  When attempting to collect IP address based abuse
 information, spoofed BGP announcements MUST be tracked as well.  This
 topic or even mention of ASNs was excluded in the Guidelines for
 Management of DNS-Based Reputation Systems for Email written by Yakov
 Shafranovich, Nick Nicholas, Matt Sergeant, and Chris Lewis and
 published by Nick Nicholas on the ASRG reflector.  This paper ironically
 excluded the role of the provider.

We're not going to be using the data as a honey pot, so it won't
affect anyone's reputation. This is really just for real-world load
testing and evaluation of new techniques.

Our customers get lots of mail, but we have to be -- how shall I say
-- careful with it!

 A cooperative effort by providers is likely the _only_ viable solution
 for dealing with this chronic problem.  Targeted abuse is also unlikely
 to be detected from disposed MX domains, but will detect amateurs. 

I agree whole-heartedly. What is particularly missing IMHO is a
spoofed-BGP-route blacklist. Anyone making any progress on that sort
of thing?

Regards,
Ken

-- 
Ken Simpson, CEO
MailChannels Corporation
Reliable Email Delivery (tm)
http://www.mailchannels.com


Re: Slightly OT: Looking for an old domain for spam collection

2007-03-28 Thread Tony Finch

On Wed, 28 Mar 2007, Ken Simpson wrote:

 What is particularly missing IMHO is a spoofed-BGP-route blacklist.
 Anyone making any progress on that sort of thing?

completewhois has lists in various forms of bogon and hijacked networks.

http://completewhois.com/bogons/bogons_usage.htm

Tony.
-- 
f.a.n.finch  [EMAIL PROTECTED]  http://dotat.at/
MALIN HEBRIDES: NORTHWEST VEERING NORTH 3 OR 4 INCREASING 5 OR 6. MODERATE.
SHOWERS. MAINLY GOOD.


Re: Slightly OT: Looking for an old domain for spam collection

2007-03-28 Thread william(at)elan.net



On Wed, 28 Mar 2007, Tony Finch wrote:


On Wed, 28 Mar 2007, Ken Simpson wrote:


What is particularly missing IMHO is a spoofed-BGP-route blacklist.
Anyone making any progress on that sort of thing?


completewhois has lists in various forms of bogon and hijacked networks.

http://completewhois.com/bogons/bogons_usage.htm


Only the bogon list will catch some real-time hijacking, and only when
they are doing it in unannounced space (which does happen - see the
presentation a couple of NANOGs ago about spammers announcing a full
/8 and using unallocated portions; there were other cases too
that did not use as large an announcement).

The real-time hijacking (short announcements that go away in about
an hour, although some do stay longer) of someone else's space, or
short-term announcements of unused legacy space, can only be caught
when you know where correct announcements should come from, and until
we have SIDR there is no reliable way to do it. The way I'm testing
it is by comparing where announcements for routes came from
before and setting a certain time period before a route is considered
adequate (this has obvious bad implications for those changing
from one ASN to another). If my project gets sufficiently stable for
public consumption trials I'll let you know more, but from what I
wrote you should get an idea of how to set up something like it yourself
(and I think this is something similar to what others are doing
already; I'm unsure if they are making data public or not).


--
William Leibzon
Elan Networks
[EMAIL PROTECTED]
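An added example (not code from William's project) of the origin-stability approach described above: a tracker that records which origin ASN has announced a prefix long enough to count as adequate, and flags announcements from a different origin until they too have been stable for the grace period. The seven-day grace period, the verdict names and the sample observations (documentation prefix and ASNs) are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

GRACE = timedelta(days=7)  # assumed settling time before a (prefix, origin) pair is adequate

class OriginTracker:
    """Remembers, per prefix, the origin ASN that has announced it long enough to be
    considered adequate, and grades every later announcement against that baseline."""

    def __init__(self, grace=GRACE):
        self.grace = grace
        self.trusted = {}     # prefix -> origin ASN considered adequate
        self.first_seen = {}  # (prefix, origin) -> first time that pairing was observed

    def observe(self, ts, prefix, origin):
        """Return 'ok', 'new-prefix' (no baseline yet), or 'suspect' (origin differs
        from the baseline and has not yet been stable for the grace period)."""
        key = (prefix, origin)
        self.first_seen.setdefault(key, ts)
        settled = ts - self.first_seen[key] >= self.grace
        baseline = self.trusted.get(prefix)
        if baseline == origin:
            return "ok"
        if settled:
            # Stable long enough: adopt it. Caveat from the thread: a legitimate move
            # to a new ASN and a persistent hijack look identical at this point.
            self.trusted[prefix] = origin
            return "ok"
        return "new-prefix" if baseline is None else "suspect"

# Constructed observations: a prefix that settles under AS64496, then briefly
# appears from AS64511 for under an hour (the short-lived announcement case).
OBSERVATIONS = [
    ("2007-03-01T00:00:00", "203.0.113.0/24", 64496),
    ("2007-03-10T00:00:00", "203.0.113.0/24", 64496),
    ("2007-03-20T12:00:00", "203.0.113.0/24", 64511),
    ("2007-03-20T12:40:00", "203.0.113.0/24", 64511),
    ("2007-03-21T00:00:00", "203.0.113.0/24", 64496),
]

def grade(observations, tracker=None):
    """Feed observations in time order; return one verdict per observation."""
    tracker = tracker or OriginTracker()
    return [tracker.observe(datetime.fromisoformat(ts), prefix, origin)
            for ts, prefix, origin in observations]
```

The two AS64511 announcements grade as suspect because the pairing never reaches the grace period; a genuine renumbering to a new ASN would grade the same way for its first seven days, which is the limitation William points out.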


Re: Slightly OT: Looking for an old domain for spam collection

2007-03-28 Thread Douglas Otis



On Mar 28, 2007, at 11:08 AM, william(at)elan.net wrote:



On Wed, 28 Mar 2007, Tony Finch wrote:


On Wed, 28 Mar 2007, Ken Simpson wrote:


What is particularly missing IMHO is a spoofed-BGP-route blacklist.
Anyone making any progress on that sort of thing?


completewhois has lists in various forms of bogon and hijacked  
networks.


http://completewhois.com/bogons/bogons_usage.htm


This list apparently does not track much of the active spoofed  
announcements.  This is understandable, as this tracking remains a  
difficult task.


Only the bogon list will catch some real-time hijacking, and only when  
they are doing it in unannounced space (which does happen - see the  
presentation a couple of NANOGs ago about spammers announcing a full /8  
and using unallocated portions; there were other cases too that did  
not use as large an announcement).


The real-time hijacking (short announcements that go away in about  
an hour, although some do stay longer) of someone else's space, or  
short-term announcements of unused legacy space, can only be caught  
when you know where correct announcements should come from, and  
until we have SIDR there is no reliable way to do it. The way I'm  
testing it is by comparing where announcements for routes came  
from before and setting a certain time period before a route is  
considered adequate (this has obvious bad implications for those  
changing from one ASN to another). If my project gets sufficiently  
stable for public consumption trials I'll let you know more, but  
from what I wrote you should get an idea of how to set up something like  
it yourself (and I think this is something similar to what others  
are doing already; I'm unsure if they are making data public or  
not).


Some of this information is incorporated within one of our temporary  
lists, but not exclusively.  The level of this activity is rather  
disconcerting.  Perhaps there should be a list dedicated for this  
purpose for use beyond email, which appears to be the purpose of most  
but not all such announcements.


-Doug



Re: Slightly OT: Looking for an old domain for spam collection

2007-03-27 Thread Matthew Sullivan


Ken Simpson wrote:

Hi There,

Does anyone out there have an unused domain name that formerly
received lots of email? I am looking for a source of throw away SMTP
traffic. I don't need to own the domain -- just to have its MX'es
redirected to our farm.


Same here for SORBS.

Regards,

Mat



Re: Slightly OT: Looking for an old domain for spam collection

2007-03-27 Thread Chris L. Morrow

didn't Paul Vixie post a problem domain a bit back that would suffice?

On Tue, 27 Mar 2007, Ken Simpson wrote:


 Hi There,

 Does anyone out there have an unused domain name that formerly
 received lots of email? I am looking for a source of throw away SMTP
 traffic. I don't need to own the domain -- just to have its MX'es
 redirected to our farm.

 Karma and humor will be gladly provided in exchange for your
 generosity.

 Thanks!
 Ken

 --
 Ken Simpson, CEO
 MailChannels Corporation
 Reliable Email Delivery (tm)
 http://www.mailchannels.com