Re: [EXTERNAL] Re: Yet another BGP hijacking towards AS16509

2022-08-24 Thread Randy Bush
as a fellow researcher said the other week, ROV, ASPA, ... are intended
to provide safety, not security.

randy


Re: email spam

2022-08-24 Thread Anne Mitchell



> On Aug 23, 2022, at 8:52 PM, Suresh Ramasubramanian wrote:
> 
> If you have something business critical, let alone anything that affects 
> child safety, pick up a phone and call, or send an officer over to the school.

100%.  Belt and suspender approach.  If between 2020 and 2022 any child was 
actually harmed by the guy, their parents are going to have a good lawsuit 
(which sucks, because it would be much better to have no harmed child, of 
course, but in my _academic_ opinion (i.e. this is not legal advice) the PD was 
really, *really* negligent here, especially as it's *known* that email is not a 
reliable method of communication, and if you aren't requiring an 
acknowledgement that's on *you*).

--
Anne P. Mitchell, Attorney at Law
CEO Institute for Social Internet Public Policy
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Author: The Email Deliverability Handbook
Board of Directors, Denver Internet Exchange
Dean Emeritus, Cyberlaw & Cybersecurity, Lincoln Law School
Prof. Emeritus, Lincoln Law School
Chair Emeritus, Asilomar Microcomputer Workshop
Counsel Emeritus, eMail Abuse Prevention System (MAPS)



RE: Looking for contact within Comcast Xfinity

2022-08-24 Thread Brotman, Alex via NANOG
Michael,

Please contact me off-list and I'll see if I can be of any help.

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast

> -----Original Message-----
> From: NANOG On Behalf Of Michael Brown
> Sent: Monday, August 22, 2022 4:18 PM
> To: North American Network Operators' Group 
> Subject: Looking for contact within Comcast Xfinity
> 
> If anyone from Comcast Xfinity is on this list, can you please reach out to 
> me?
> 
> We're getting increased reports of xFi Advanced Security customers being
> unable to access hosted sites and attempting to open tickets has had no 
> success.
> 
> Thanks,
> 
> Michael Brown



Legal notices being tagged as spam (was Re: email spam)

2022-08-24 Thread Anne Mitchell



> On Aug 23, 2022, at 7:33 PM, William Herrin  wrote:
> 
> Hello,
> 
> To folks at places like Google and Godaddy which have gotten, shall we
> say, overzealous about preventing spam from entering their systems,
> consider the risk:
> 
> https://www.washingtonpost.com/education/2022/08/23/fairfax-county-counselor-solicitation-minor/
> 
> "Chesterfield County police said emails notifying Fairfax County
> Public Schools that an employee was arrested and charged with
> soliciting prostitution from a minor were not delivered to the school
> system."

..and for those who don't have access to the WashPo, that was in 2020, and he 
was just arrested again for repeat offending, and "Police arrested Thornton 
again and were surprised he was still employed by Fairfax County Public 
Schools." (Because of the email notification they had sent in 2020 which, of 
course, was never delivered, but the police didn't know that.)

This is one of the primary reasons that three of our data response codes that 
receiving systems get when querying the IADB DNSL (what senders know as "the 
Good Senders List") are:

127.3.200.120   Legally mandated email – email from this IP address consists 
entirely of communications that are required by law

127.3.200.130   Court-ordered email – email from this IP address consists 
entirely of communications that have been ordered by a court of law such as 
public notice of service or notifications of class action lawsuits to members 
of the class

127.3.200.255   Services the emergency alert or first-responder sector – email 
from this IP address consists of time-critical urgent or emergency 
communications

Of course, if the sender isn't certified with us - or the receiving system 
doesn't query us - that doesn't help, but we *are* trying hard to do our part.

---
We provide the IADB Good Senders email sender reputation certification list to 
inbox providers around the world.

Anne P. Mitchell,  Esq.
CEO Get to the Inbox by ISIPP SuretyMail
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal email marketing law)
Author: The Email Deliverability Handbook
Board of Directors, Denver Internet Exchange
Dean Emeritus, Cyberlaw & Cybersecurity, Lincoln Law School
Prof. Emeritus, Lincoln Law School
Chair Emeritus, Asilomar Microcomputer Workshop
Counsel Emeritus, eMail Abuse Prevention System (MAPS)

IMPORTANT – ARIN Election Deadline Approaching – and now relevant to many more organizations than previously...

2022-08-24 Thread John Curran
NANOGers -

For those who don’t closely follow ARIN, it’s important to know that in 2022 we 
made a substantial change to ARIN membership and ability to participate in 
ARIN’s elections – and as a result, many organizations that have never 
participated in ARIN elections in the past will be able to do so if they so 
wish.

While previously one had to be an ARIN service provider (“ISP”) member to 
participate in ARIN’s elections, the recent change means that any organization 
with IPv4 or IPv6 number resources directly assigned and under contract with 
ARIN who is current with their ARIN fees may request ARIN General Member 
status, assign a voting contact & then participate in the upcoming elections 
for ARIN’s Board of Trustees, ARIN Advisory Council, etc.

Please see the message below for further information - thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers

Begin forwarded message:

From: ARIN <i...@arin.net>
Subject: [arin-announce] Deadline Approaching — Make Sure Your Organization is 
Eligible to Vote in ARIN’s Upcoming Election!
Date: 24 August 2022 at 11:17:26 AM EDT
To: "arin-annou...@arin.net" <arin-annou...@arin.net>

We hope you are excited to participate in ARIN Elections this October. Please 
note that a key deadline for the ARIN Elections process is coming up. All 
organizations who wish to vote in this year’s election must be a General Member 
in Good Standing before 5:00 PM ET on Monday, 5 September 2022.

A General Member in Good Standing is defined as an entity that is current on 
all annual fees as well as having a valid Voting Contact on record. Only 
General Members in Good Standing are eligible to vote in ARIN Elections.

If you are not sure what type of member your organization is, you may check its 
status in your ARIN Online account. If your organization is eligible to request 
General Membership, you can access the General Member request form through the 
ACTIONS drop down menu.

If you are already a General Member, please make sure your account has no 
overdue invoices on file and that you have designated a Voting Contact in your 
account before 5:00 PM ET on 5 September. To learn more about how to designate 
or view your current Voting Contact, visit: 
https://www.arin.net/participate/oversight/membership/voting/

Don’t forget — General Members may also participate on ARIN’s General Member 
Mailing List. Subscription to the list is limited to General Members only, as 
well as Trustees and key ARIN staff, and it is intended for discussion of 
topics related to the governance of ARIN as well as ARIN Elections.

For more information on ARIN’s Elections, including a calendar of important 
dates, visit https://www.arin.net/elections.

To learn more about membership at ARIN, visit https://www.arin.net/membership.

Voting in ARIN Elections helps steer the future of Internet number resource 
policy and Internet governance. We look forward to your organization being able 
to participate this October.

Regards,

John Sweeting
Chief Customer Officer
American Registry for Internet Numbers (ARIN)




Re: email spam

2022-08-24 Thread Matthew Petach
On Wed, Aug 24, 2022 at 7:28 AM Jawaid Bazyar 
wrote:

> "flawlessly map IP address to GPS coordinates"


Thanks, I needed a good hearty belly laugh to start off the day today.  ;P

*hint*
It's easier to fix the spam problem than it is to map IP addresses to
physical locations in reality-land.

This is one case where xkcd got it wrong.

https://imgs.xkcd.com/comics/tasks.png

Matt


Re: email spam

2022-08-24 Thread Jawaid Bazyar
Simple solution: create a system that can flawlessly map IP address to GPS 
coordinates, then just nuke the spammers from orbit. It's the only way to be 
sure.

Then the rest of us don't have to filter out emails.

On 8/23/22, 11:19 PM, "NANOG on behalf of b...@theworld.com" wrote:


They should demand a full refund.

On August 23, 2022 at 18:33 b...@herrin.us (William Herrin) wrote:
 > Hello,
 > 
 > To folks at places like Google and Godaddy which have gotten, shall we
 > say, overzealous about preventing spam from entering their systems,
 > consider the risk:
 > 
 > https://www.washingtonpost.com/education/2022/08/23/fairfax-county-counselor-solicitation-minor/
 > 
 > "Chesterfield County police said emails notifying Fairfax County
 > Public Schools that an employee was arrested and charged with
 > soliciting prostitution from a minor were not delivered to the school
 > system."
 > 
 > Long story short, the pedo kept his school job another year and a half.
 > 
 > There was once a time when both the outbound emails and the bounce
 > messages when they failed... worked. It was a spammy place but the
 > important emails got through.
 > 
 > Regards,
 > Bill Herrin

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | 
http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: email spam

2022-08-24 Thread Tom Beecher
>
>
> https://wjla.com/news/local/timeline-darren-thornton-sex-crime-case-fairfax-county-public-schools-fcps-virginia-what-we-know-arrest-charges-conviction-chesterfield-county-police-hiring-firing-corrections
>
> The outbound mail DID bounce. And the bounce message is what ended up in
> the sender's spam folder which the sender never checked... until later when
> they started the investigation. No mail was dropped on the floor by
> anti-spam.
>
> There is still a place for things to be formally delivered on a piece of
> paper. Sure, send the email for quick notification, but also back it up
> with a physical letter sent via certified mail.
>

This x100.

1. Send the email for notification.
2. Pick up the phone. "Hey, we just emailed you an official notification
about one of your employees that was arrested. Can you please get back to
us within 24h to confirm that you received it?"
3. Send a physical certified letter.

Just a LITTLE bit of extra effort would have prevented all of this, and the
nerds could poke at the email situation at their own pace.

On Wed, Aug 24, 2022 at 2:06 AM Crist Clark  wrote:

> From the timeline here,
>
>
> https://wjla.com/news/local/timeline-darren-thornton-sex-crime-case-fairfax-county-public-schools-fcps-virginia-what-we-know-arrest-charges-conviction-chesterfield-county-police-hiring-firing-corrections
>
> The outbound mail DID bounce. And the bounce message is what ended up in
> the sender's spam folder which the sender never checked... until later when
> they started the investigation. No mail was dropped on the floor by
> anti-spam.
>
> There is still a place for things to be formally delivered on a piece of
> paper. Sure, send the email for quick notification, but also back it up
> with a physical letter sent via certified mail.
>
> And not that I feel sorry for the guy who was convicted, more than once,
> of soliciting a minor, but it doesn't necessarily mean he's a pedophile.
>
>
> On Tue, Aug 23, 2022 at 8:09 PM Jeremy Chequer <
> jer...@resolvergroup.com.au> wrote:
>
>> Or at the bare minimum, require a response. Just assuming the email went
>> through and then blaming that for a pedo keeping their job for another year
>> and a half is just bad on the officials' side. With scams increasing,
>> measures need to be in place. Unfortunately, several agencies seem to think
>> that you should just trust anything that comes from their address but
>> that’s how we end up with email spoofing. The agencies need to ensure they
>> have the right setup in place to avoid ending up in spam and also ensure
>> they are following up in some form, especially when it's to do with child
>> safety.
>>
>>
>>
>> - Jeremy
>>
>>
>>
>> *From:* NANOG  *On
>> Behalf Of *Suresh Ramasubramanian
>> *Sent:* Wednesday, 24 August 2022 12:52 PM
>> *To:* Eric Tykwinski 
>> *Cc:* nanog@nanog.org
>> *Subject:* Re: email spam
>>
>>
>>
>>
>> 100%. Also - there’s no way to offer a delivery sla for email.  If you
>> have something business critical, let alone anything that affects child
>> safety, pick up a phone and call, or send an officer over to the school.
>>
>>
>>
>> --srs
>> --
>>
>> *From:* Eric Tykwinski 
>> *Sent:* Wednesday, August 24, 2022 8:14:16 AM
>> *To:* Suresh Ramasubramanian 
>> *Cc:* nanog@nanog.org 
>> *Subject:* Re: email spam
>>
>>
>>
>> Sorry about the bad examples, but I remember contacting both about issues
>> with SPF multiple times.  They both seem to have fixed things at
>> least searching my logs for the last week.  Most of my customers have had
>> to whitelist them though for past issues. It’s also ezpassnj.com for the
>> NJ collection.  Point still stands, assume incompetence over malice.
>>
>>
>>
>> Sincerely,
>>
>>
>>
>> Eric Tykwinski
>>
>> TrueNet, Inc.
>>
>> P: 610-429-8300
>>
>>
>>
>> On Aug 23, 2022, at 10:20 PM, Eric Tykwinski 
>> wrote:
>>
>>
>>
>> Bill,
>>
>>
>>
>> Not only that, did they even follow their own rules, I’ve been fighting
>> with septa.org, the Pennsylvania train authority, and easypassnj.com,
>> the New Jersey transit toll collectors about invalid SPF records for years,
>> and they literally don’t give a shit.  If they say to put it in spam, well
>> then that is their own fault.
>>
>>
>>
>> Sincerely,
>>
>>
>>
>> Eric Tykwinski
>>
>> TrueNet, Inc.
>>
>> P: 610-429-8300
>>
>>
>>
>> On Aug 23, 2022, at 10:00 PM, Suresh Ramasubramanian 
>> wrote:
>>
>>
>>
>> Without saying why the mail was blocked (dumb content filter looking for
>> porn? a spamhaus listing because the police server was hacked? something
>> else?) that’s not going to help too much.
>>
>>
>>
>> I’ve been spam filtering stuff at large providers since the late 90s and
>> it never gets any easier to block 100% spam or let 100% legit mail through.
>>
>>
>>
>> —srs
>>
>>
>>
>> --srs
>> --
>>
>> *From:* NANOG  on

Re: [EXTERNAL] Re: Yet another BGP hijacking towards AS16509

2022-08-24 Thread Job Snijders via NANOG
Heya,

On Wed, Aug 24, 2022 at 09:17:03AM +0200, Claudio Jeker wrote:
> On Tue, Aug 23, 2022 at 08:07:29PM +0200, Job Snijders via NANOG wrote:
> > In this sense, ASPA (just by itself) suffers the same challenge as
> > RPKI ROA-based Origin Validation: the input (the BGP AS_PATH) is
> > unsigned and unsecured; thus spoofable.
> 
> ASPA enforces that the neighbor AS appears as first element in the
> ASPATH. It also disallows empty ASPATHs from eBGP sessions. 

Yup, this is a helpful property of ASPA. ASPA also nukes routes which
have an AS_SET segment anywhere in the AS_PATH (which helps the
community to get a move on with
https://datatracker.ietf.org/doc/html/draft-ietf-idr-deprecate-as-set-confed-set).
The addition of this type of constraint helps keep the global Internet
routing tables clean.

> Because of this spoofing becomes harder. The problem is that this only
> works for paths that are validated by ASPA (all AS hops have been
> verified). An ASPA-unknown path can still be spoofed.

We might be talking about different types of 'spoofing'. ASPA doesn't
help verify the *authenticity* of the neighbor (or the ASes behind the
neighbor). Does the AS number transmitted in the BGP OPEN message really
belong to the entity that controls the router on the other side of the
link? Is the neighbor on the other side of the IX Route Server really
who they claim they are? ASPA doesn't solve that type of question.

Publication of ASPA records & verification of BGP UPDATES against the
published ASPA records will impose additional constraints on the global
routing table "so and so ASN should only appear behind AS X". This is
helpful, and I'm sure it'll knock down some fake paths generated by BGP
optimizers. :-)

> Spoofing will become much harder once a critical mass of infrastructure
> has deployed ASPA.

I'd phrase it as "fat fingering will become even harder". :-)

Route Origin Validation based on RPKI ROAs reduced the number of BGP
routing incidents; but cynical critics could argue "silly you, you
published the exact list of Origin ASNs we need to spoof to bypass
ROV!". Similarly, publication of ASPA records tells the world what
exactly the fabricated AS_PATH should look like to bypass ASPA validation.
This is OK, it just means that ROV + ASPA is not a complete solution.

I think in-band signatures (BGPsec) are also needed to complete the
puzzle.

Kind regards,

Job
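
A simplified sketch of the upstream-path checks discussed in this exchange, added here as an illustration; it is not code from any poster or from an ASPA implementation, and it omits the downstream case of the full verification procedure. The ASNs are documentation-range values and the ASPA table is constructed.

```python
# Simplified ASPA upstream-path check (illustration; constructed data).
AS_SEQUENCE, AS_SET = "AS_SEQUENCE", "AS_SET"
VALID, UNKNOWN, INVALID = "valid", "unknown", "invalid"

# Constructed ASPA table: customer ASN -> set of authorized provider ASNs.
# ASNs are from the documentation range (RFC 5398). An ASN that is absent
# from the table has published no ASPA record.
ASPA = {
    64496: {64497},
    64497: {64498},
}


def hop_state(aspa, customer, provider):
    """Classify one customer->provider hop against the ASPA table."""
    providers = aspa.get(customer)
    if providers is None:
        return "no-attestation"
    return "provider" if provider in providers else "not-provider"


def verify_upstream(segments, neighbor_as, aspa=ASPA):
    """Verify an AS_PATH received on an eBGP session from a customer or peer.

    segments: list of (segment_type, [asn, ...]), neighbor first, origin last.
    """
    # Any AS_SET segment anywhere in the path makes the route invalid.
    if any(kind == AS_SET for kind, _ in segments):
        return INVALID
    path = [asn for _, asns in segments for asn in asns]
    # Empty paths are not accepted from eBGP, and the first element must be
    # the AS number of the neighbor the UPDATE was received from.
    if not path or path[0] != neighbor_as:
        return INVALID
    # Collapse prepending so each AS appears once per position.
    hops = [a for i, a in enumerate(path) if i == 0 or a != path[i - 1]]
    result = VALID
    # The left AS of each pair is nearer to us, so it must be an authorized
    # provider of the AS to its right.
    for provider, customer in zip(hops, hops[1:]):
        state = hop_state(aspa, customer, provider)
        if state == "not-provider":
            return INVALID
        if state == "no-attestation":
            result = UNKNOWN  # cannot be checked, so it is not rejected
    return result


def seq(*asns):
    """Build a path made of a single AS_SEQUENCE segment."""
    return [(AS_SEQUENCE, list(asns))]


if __name__ == "__main__":
    # The verdict depends only on the plain-text ASNs and the session's
    # neighbor AS; nothing here proves who actually originated the route.
    print(verify_upstream(seq(64498, 64497, 64497, 64496), 64498))
    print(verify_upstream(seq(64500, 64496), 64500))
    print(verify_upstream(seq(64501, 64499), 64501))
```

The "unknown" verdict is the case Claudio describes: a hop with no published ASPA record cannot be rejected, and the "valid" verdict only says the plain-text path is consistent with the published records.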


Re: [EXTERNAL] Re: Yet another BGP hijacking towards AS16509

2022-08-24 Thread Claudio Jeker
On Tue, Aug 23, 2022 at 08:07:29PM +0200, Job Snijders via NANOG wrote:
> On Tue, Aug 23, 2022 at 05:18:42PM +, Compton, Rich A wrote:
> > I was under the impression that ASPA could prevent route leaks as well
> > as path spoofing.  This "BGP Route Security Cycling to the Future!"
> > presentation from NANOG seems to indicate this is the case:
> > https://youtu.be/0Fi2ghCnXi0?t=1093 
> 
> I'm not sure how ASPA can prevent AS Path spoofing. Perhaps something
> got lost in translation?
> 
> ASPA records are published in the RPKI, from there a RPKI RP transforms
> the ASN.1/X.509/crypto stuff into something 'plain text'. This 'plain
> text' data is loaded into EBGP routers via RTR, which then compare the
> *plain text* AS_PATH attribute to the table of plain-text ASPA records,
> to determine if it came via an authorized upstream provider or not.
> 
> In this sense, ASPA (just by itself) suffers the same challenge as RPKI
> ROA-based Origin Validation: the input (the BGP AS_PATH) is unsigned and
> unsecured; thus spoofable.

ASPA enforces that the neighbor AS appears as first element in the ASPATH.
It also disallows empty ASPATHs from eBGP sessions.  Because of this
spoofing becomes harder. The problem is that this only works for paths
that are validated by ASPA (all AS hops have been verified). An
ASPA-unknown path can still be spoofed.

Spoofing will become much harder once a critical mass of infrastructure
has deployed ASPA.
-- 
:wq Claudio