Re: .mil dns problems?
On Thu, 2010-05-27 at 21:55 +0200, Florian Weimer wrote:
> Looks more like a routing issue.

Looks like the .MIL operators put all their eggs into one basket. 8-(

From .uk, the .pac and .con servers respond fine but the .eur servers don't. Go figure.

Graeme
Re: Spamcop Blocks Facebook?
On Thu, 2010-03-04 at 23:27 -0800, Shon Elliott wrote:
> So really, my customers, and myself are victims of Spamcop's blocking of Facebook.

I forget how far back in this thread someone said: Spamcop *listed* Facebook for valid reasons according to their published listing criteria. Other people blocked it. Not Spamcop.

FWIW outright blocking on a Spamcop listing is a particularly risky business; best to use a listing as an intelligence point towards a decision whether to block a given message or not. That's why Spamcop is referred to by the default SpamAssassin ruleset, but not in a big enough way to block outright.

Fresh operational content: one of the reasons services like Spamcop occasionally list services like Facebook is that they don't honour 5xx responses to RCPT TO:. I'd offer some statistics but I'm concerned that the legal brigade will jump down my throat, but I suggest that anyone running a system like an academic mail platform take a look at the number of invalid recipients services like Facebook try to deliver. If they stopped doing that they'd be a long way towards better behaviour, IMO.

Graeme
Re: Spamcop Blocks Facebook?
On Fri, 2010-03-05 at 09:08 -0600, David E. Smith wrote:
> As long as we're going off-topic, might as well go all the way :V

Well, the conversation has continued here despite repeated mentions of mai...@mailop.org so unless the MLC deem it off-topic and squash the thread I guess it'll rumble on. My reply below, although based on email, is most definitely on-topic as it covers good neighbo(u)r behaviour and could just as easily apply to all manner of bits and protocols which members of this list shovel around daily.

Anyway:

> How long should a sender (say, Facebook) retain a database of 5xx SMTP responses? Just because jim...@school.edu doesn't exist today, doesn't mean that James Robert Jones won't enroll in the fall and get jimbob@ as his school-provided email address.

Then that would be spam, would it not? The incoming jimbob isn't the one who left. The incoming jimbob doesn't want to hear about the old jimbob's friends' fun night out, or be invited to their stag parties, or receive discriminatory, lewd or offensive material.

Context: in $dayjob we have a delay before re-using usernames. Student email addresses are never re-used, but many students use the short form - u...@domain - of their email address to register with Facebook. [As a consequence of this problem alone, their ability to do so is being phased out]

This academic year alone I have had to request Facebook strip an address from an account several times, 2 of which were for accounts which expired here over 12 months previously. In each of those cases, Facebook had been repeatedly attempting delivery of notifications/invitations and so on since the account had expired. *That's* why I mentioned it. If they had any decency they would trap those 5xx errors and do something to the account with the failing address after some period/number of failures. You know, a bit like Mailman, Sympa and other decent mailing list applications do.

And yes, in at least one of the aforementioned cases the incoming recipient was clearly very upset at the emails they were receiving. So it isn't that surprising that they occasionally hit spamtraps or have complaints made against them which result in DNSBL entries. If they played nicely and observed the responses to their outgoing email stream, then it would be far less likely to happen.

I guess the return question is: how long should a given operator return 5xx responses to increasing numbers of Facebook emails before trying to do something about it?

Graeme
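[Added illustration by the editor, not code from the thread or from any poster.] The "trap those 5xx errors and do something after some period/number of failures" behaviour that Mailman and Sympa implement looks roughly like this on the sending side. It keys off the SMTP reply code received at RCPT TO:, counting permanent (5xx) failures per recipient, ignoring temporary (4xx) ones, and clearing the history on a successful delivery. The log format, the threshold of three hard failures, the 30-day staleness window and the school.example addresses are all assumptions made for the example.

```python
"""Sender-side handling of 5xx replies to RCPT TO:, in the spirit of the bounce
processing that Mailman and Sympa do.  Added illustration, not code from the
thread; the log format, thresholds and addresses are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed delivery-log format (constructed for this example), one attempt per line:
#   <ISO-8601 timestamp> <recipient> RCPT <SMTP reply code> <reply text>
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+RCPT\s+(\d{3})\s+(.*)$")

HARD_FAIL_THRESHOLD = 3           # consecutive 5xx replies before we stop sending
STALE_AFTER = timedelta(days=30)  # a 5xx older than this is forgotten


class SuppressionList:
    """Per-recipient history of permanent failures and the resulting send decision."""

    def __init__(self, threshold=HARD_FAIL_THRESHOLD, stale_after=STALE_AFTER):
        self.threshold = threshold
        self.stale_after = stale_after
        self.hard_failures = defaultdict(list)  # recipient -> timestamps of 5xx replies
        self.suppressed = {}                    # recipient -> when we gave up on it

    def observe(self, ts, rcpt, code):
        if 500 <= code < 600:
            # Permanent failure: the mailbox does not exist or refuses us.
            recent = [t for t in self.hard_failures[rcpt] if ts - t <= self.stale_after]
            recent.append(ts)
            self.hard_failures[rcpt] = recent
            if len(recent) >= self.threshold and rcpt not in self.suppressed:
                self.suppressed[rcpt] = ts
        elif 200 <= code < 300:
            # Accepted: the address is live, so forget the old failures.
            self.hard_failures.pop(rcpt, None)
            self.suppressed.pop(rcpt, None)
        # 4xx means "try again later" (greylisting, full mailbox, ...): the retry
        # queue deals with it and it does not count against the address.

    def should_send(self, rcpt):
        return rcpt.lower() not in self.suppressed


def parse_line(line):
    """Return (timestamp, recipient, code, text), or None for a line that does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, rcpt, code, text = m.groups()
    return datetime.fromisoformat(ts), rcpt.lower(), int(code), text


def build_suppression_list(log_lines, **kwargs):
    """Replay a delivery log through a SuppressionList and return it."""
    sl = SuppressionList(**kwargs)
    for line in log_lines:
        parsed = parse_line(line)
        if parsed is not None:
            ts, rcpt, code, _ = parsed
            sl.observe(ts, rcpt, code)
    return sl


# Constructed sample: jimbob's account has expired, alice was greylisted once,
# bob's mailbox was broken for two days and then came back.
SAMPLE_LOG = """\
2010-03-01T09:00:00 jimbob@school.example RCPT 550 5.1.1 User unknown
2010-03-01T09:05:00 alice@school.example RCPT 450 4.7.1 Greylisted, try later
2010-03-01T09:20:00 alice@school.example RCPT 250 2.1.5 Ok
2010-03-01T10:00:00 bob@school.example RCPT 550 5.1.1 User unknown
2010-03-02T09:00:00 jimbob@school.example RCPT 550 5.1.1 User unknown
2010-03-02T10:00:00 bob@school.example RCPT 550 5.1.1 User unknown
2010-03-03T09:00:00 jimbob@school.example RCPT 550 5.1.1 User unknown
2010-03-03T10:00:00 bob@school.example RCPT 250 2.1.5 Ok
2010-03-04T09:00:00 jimbob@school.example RCPT 550 5.1.1 User unknown
"""

if __name__ == "__main__":
    sl = build_suppression_list(SAMPLE_LOG.splitlines())
    for rcpt in ("jimbob@school.example", "alice@school.example", "bob@school.example"):
        state = "send" if sl.should_send(rcpt) else "suppressed since %s" % sl.suppressed[rcpt]
        print(rcpt, state)
```

Run against the constructed log, jimbob is suppressed after the third 550 and the fourth attempt would never have been made; alice (one 450, then 250) and bob (two 550s followed by a 250) are still sent to. The thresholds are policy, not protocol: the point is that a 5xx reply is information the sender already has, and throwing it away is what puts addresses into spamtraps.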
Re: Spamhaus and Barracuda Networks BRBL
On Mon, 2010-02-22 at 14:40 -0500, Dave Sparro wrote:
> Their list, their rules; but it is indeed strange to me.

Not too strange: Little Bobby probably does one or two jobs and goes away, leaving the system to run by itself. The SpamAssassin people receive nothing from his choice of software.

If Bob decides he wants to buy a commercial appliance from a profit-making company (presumption being made here) who are in turn making significant use of a free resource such as the SpamHaus lists in their appliance's configuration, and those appliances become very popular (as I understand they might be), then the infrastructure costs associated with the appliance are shifted away from both the vendor and the end-user onto the provider. If said provider gets a bit shirty about this and decides that they're going to analyse and block traffic from those appliances if they haven't paid for a service...

If you stand back and look at this dispassionately then I would expect a large majority of this list would probably act in a similar way (or their companies or employers would) given a similar situation with their services.

TANSTAAFL. Really. Someone has to pay for the meal; why should it be the chef?

Graeme
Re: Spamhaus...
On Sun, 2010-02-21 at 06:27 +0000, John Levine wrote:
> In my experience, they're pretty reasonable. I would talk to them (or one of their datafeed sales agents) before assuming that they won't sell you the service you need.

They are indeed. In my day job, a large group of related members of different institutions approached our umbrella networking organisation to speak to Spamhaus for the specific reason that we were concerned that: a) between us we were making millions (if not billions) of queries a day to the mirror servers, and b) collective negotiation would make a service available for all of us for far less than individual orgs paying for their own.

We now have a private mirror, which is accessible only from within the same AS in which we all sit. The load is therefore not on the Spamhaus servers or public mirrors, and we're collectively paying for the service so the service is supported. Everyone wins. Unfortunately (for this discussion) I don't know how much it cost, but I would assume it wasn't much because the lead time between request and service implementation was pretty short.

Personally I think Spamhaus are entirely correct to identify and block, or request payment from, heavy users of their _free_ service. A little like the organisations paying many other members of this list will do for heavy data users in a residential or mobile context, in fact - but that's far too controversial an issue to be conflated with this one (oh dear).

Graeme
Re: Default Passwords for World Wide Packets/Lightning Edge Equipment
On Wed, 2010-01-13 at 15:12 -0500, Steven Bellovin wrote:
> Lots of gear has a button/jumper/pop_the_CMOS battery/other_physical_presence_magic to reset things to factory state, including the default pw.

The thread went on to why default passwords are bad, to passwords on the bottom of the device, to RFIDs because the devices of interest to this community are racked and stacked -- and back to theme #2: default passwords are bad... And somewhere in the dim and distant past (Jan 6th), Nathan announced that he'd sorted out his original problem and now had the defaults.

What a peculiar bunch we are. And this from the group lauded as anonymously and peacefully co-existing to hold the Internet together, eh?

Graeme
Re: D/DoS mitigation hardware/software needed.
On Wed, 2010-01-06 at 17:00 +0200, Hank Nussbacher wrote:
> In that case, how do you run your current service: http://www.vialtus.com/en/Solutions/Hosting-and-Datacentre-Services/Security-Solutions/Distributed-Denial-of-Service-Protection.aspx

It says how, right on that page. Not Arbor.

Graeme (ex PIPEX employee who had first hand experience of just how good the aforementioned Cisco Guard kit was in production)
RE: SPF Configurations
On Fri, 2009-12-04 at 11:45 -0500, Jeffrey Negro wrote:
> Thanks for your input on this. My main concern is mail filters at the end users' side thinking that our mail servers are spoofing our customer's domain.

If you really feel that SPF is going to help, then keep all the mail in your domain's control by using VERP addresses as the envelope sender address (like most decent modern MLM packages do). That way you can have a From: header in the customer domain (or of your choosing), and the envelope sender in your own.

The benefit here is that not only does it make the usage of SPF a lot less complex, but it also means that all bounces come back to the originating system and can be handled accordingly. Have a look at the headers of this message for a well-formed example.

Of course, this does depend upon people believing that SPF is actually useful...

Graeme
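[Added illustration by the editor, not code from the thread or from the poster's system.] The split described above, From: header in the customer's domain and VERP envelope sender in the sending operator's own domain, comes down to two small routines: one that encodes the recipient into the MAIL FROM address, and one that decodes it again when a bounce comes back. SPF is evaluated by the receiver against the envelope sender's domain, so only the sender's own SPF record needs to list the sending hosts. The mail.sender.example and customer.example domains, the "bounces+local=domain@..." layout and the percent-escaping of delimiter characters are assumptions for the example; real MLM packages each have their own convention.

```python
"""VERP envelope senders so that SPF is evaluated against our own domain while the
From: header stays in the customer's.  Added illustration; the domains, the
"bounces+" prefix and the escaping scheme are assumptions, not the poster's setup."""
import re
from email.message import EmailMessage

BOUNCE_DOMAIN = "mail.sender.example"  # assumed: our domain, the one our SPF record covers
BOUNCE_PREFIX = "bounces"


def _encode_local(local):
    # Escape the characters the scheme uses as delimiters so decoding is unambiguous.
    return local.replace("%", "%25").replace("=", "%3D").replace("+", "%2B")


def _decode_local(local):
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), local)


def verp_sender(recipient):
    """Envelope sender (MAIL FROM) carrying the recipient: bounces+local=domain@ours."""
    local, domain = recipient.rsplit("@", 1)
    return "%s+%s=%s@%s" % (BOUNCE_PREFIX, _encode_local(local), domain.lower(), BOUNCE_DOMAIN)


VERP_RE = re.compile(
    r"^%s\+(?P<local>[^@=]+)=(?P<domain>[^@]+)@%s$"
    % (re.escape(BOUNCE_PREFIX), re.escape(BOUNCE_DOMAIN)),
    re.IGNORECASE,
)


def verp_recipient(bounce_address):
    """Recover the original recipient from the address a bounce was delivered to, or None."""
    m = VERP_RE.match(bounce_address)
    if m is None:
        return None
    return "%s@%s" % (_decode_local(m.group("local")), m.group("domain"))


def spf_domain(envelope_sender):
    """The domain a receiver's SPF check uses: the envelope sender's, not the From: header's."""
    return envelope_sender.rsplit("@", 1)[1].lower()


def build_message(customer_from, recipient, subject, body):
    """Return (envelope_sender, message): From: in the customer's domain, MAIL FROM in ours."""
    msg = EmailMessage()
    msg["From"] = customer_from
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return verp_sender(recipient), msg


if __name__ == "__main__":
    env, msg = build_message("Acme News <news@customer.example>",
                             "jim+bob@school.example", "Hello", "Example body.\n")
    print("MAIL FROM:<%s>" % env)            # what smtplib's sendmail() gets as from_addr
    print("SPF checked against:", spf_domain(env))
    print("bounce to %s maps back to %s" % (env, verp_recipient(env)))
    print(msg.as_string())
```

With smtplib the envelope sender is the from_addr argument to sendmail(), independent of the From: header, so the two can differ exactly as the post describes. A bounce arriving for the encoded address identifies the failing recipient without parsing the DSN body at all.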
Re: SORBS?
On Tue, 2009-08-25 at 09:35 -0500, Marc Powell wrote:
> I don't think they watch here; at least I've never seen Michelle post here.

I've had confirmation from Michelle personally this morning (following a similar question elsewhere) that the SORBS systems are indeed relocating. From a previous message to SPAM-L (reproduced with permission):

Michelle Sullivan wrote:
> SORBS is not closing. SORBS has received 3 credible offers for the purchase of SORBS, one of which was not interested in continuing SORBS but obtaining the IP and spamtraps. SORBS will not be accepting the latter offer. Currently the two offers being considered are with anti-spam vendors and one of the two has indicated that they will not commercialise SORBS, but keep it as a community project. The other anti-spam vendor has indicated they would pursue a split commercial model, where there would be a free service as well as a 'premium' service (how this would work I do not know). An announcement about which company is successful will be forthcoming when necessary paperwork has been signed.
>
> Small outages will occur in the central database when the servers are moved, this will NOT affect SORBS services globally, only updates (listing and delisting) and local (Au) services during the outages.

As inconvenient as this outage may be, the background to it is one with which a large proportion of this list is probably bearing scars - physical relocation.

On a related note, no I don't have any information as to who it is that has taken SORBS on.

Regards,
Graeme
Are you an unpaid volunteer?
http://news.bbc.co.uk/1/hi/business/8163190.stm

Some of it is right. Some of it is wrong. All of it makes for interesting reading from the point of view of a layperson. We are all, apparently, unsung heroes...

Graeme

PS Yes, there's plenty to tear apart in the article. Don't shoot the messenger though!
Re: several messages
On Tue, 2009-07-14 at 10:12 -0500, Ronald Cotoni seti...@gmail.com wrote:
> And I still have yet to get someone from sorbs to contact me off list. I wonder if they actually read email (highly doubtful at this point)

I can almost guarantee that they don't subscribe to NANOG, so posting here will make next to no difference. As has already been pointed out, if you subscribe to SPAM-L and post there you are far more likely to get a response.

That said, given the upheaval that SORBS is going through (which has also been pointed out) I'm not entirely surprised that other matters are more pressing for the proprietors.

Graeme
RE: In a bit of bind...
Once upon a time, whilst working for a fairly well-known UK domain registration company, I put together a system built on an early version of the BIND-DLZ patchset against BIND 9.2.5 (if I recall correctly). It used MySQL as the backend database (because that's what the registration system used for CRM purposes) and worked very nicely, thank you, for well in excess of a million zones and a query rate which I forget but was of the order of several thousand per second, maybe higher at times.

We had a custom-written web management toolbox, part of which was exposed to customers through their control panel so they could manage their zones by themselves. The frontend nameservers - those actually answering queries - had a read only one-way replicated copy of the tables being managed by the CRM system, so all changes were near instantaneous. Copious caching options and indexing in MySQL gave the DB pretty good performance. The frontend servers themselves were load balanced and fault-tolerant and in theory at least a single machine could handle the overall system load.

Unfortunately, after I moved on from that job the system broke in some spectacular way (I don't know why) and has since been significantly changed from the original spec, but I couldn't say how...

DLZ worked for us - but the DB and management tools were built in house; I don't think there's an ideal off-the-shelf solution built around it (yet).

Graeme
Re: delays to google
On Thu, 2009-05-14 at 12:34 -0400, Justin M. Streiner wrote:
> I'm guessing whatever the issue is has been resolved, or the storm has passed?

http://www.google.com/appsstatus#rm:1/di:1/do:1/ddo:0

Not that it would have been much use to you at the time.

Graeme
Re: Charter.net email routing issues
Meta: I'm one of the mailop list admins...

On Tue, 2009-02-24 at 07:50 +0530, Suresh Ramasubramanian wrote:
> Anybody actually on that list? Most of the serious mailops work is on some other, entirely different lists.

There are almost 400 on the list now, and it grows with every single mention here and on other lists. The reason Andy created it was in response to the plethora of "any ISP XYZ mail admins contact me off list" messages NANOG used to see, along with several threads which some posters saw as non-operational.

I'd be very pleased to know about the other lists, especially as in previous years I've always come up against brick walls - "you're not big enough, go away" or "we don't know you, go away". Not especially helpful, especially as the latter case would be resolved by allowing more open subscription.

> And why do people have to think nanog is solely for packet pushing related ops? Email is operational, and it's often the first ops failure that your users notice, right after the ones that go "I can't get to my pr0n".

Email is operational, yes. But there are many on NANOG who feel that it isn't, judging by the reaction in the past to long-running threads about it.

Graeme
Re: Tightened DNS security question re: DNS amplification attacks.
Hi

On Wed, 2009-01-28 at 13:16 +0100, fredrik danerklint wrote:
> At 12:07:16 local time here in Sweden, I saw a new address 70.86.80.98. At 12:09:36 another new address 64.57.246.123. At 12:20:10 the address 70.86.80.98 started to ask for funny domain names like: pjphcdfwudgaaabaaacboinf. This ended at 12:55:01 when it was back to just asking for the .NS records again.

Same here - times different, though, in that it appeared at 1120 UTC and disappeared at 1159 UTC. There were 194 entries. Every query was the same format - a 32-byte lower case alphanumeric string, differing at the following positions marked with a period:

..fw.d.aaabaaa..

I expect that others will have seen similar patterns with differing fixed strings. I'm also starting to wonder if this is something to do with the downadup/conficker worm, or another botnet.

Graeme
Re: isprime DOS in progress
On Wed, 2009-01-21 at 12:27 -0500, Phil Rosenthal wrote:
> Representing ISPrime here.

Well... representing myself and nobody else, so if that stretches my credibility thin so be it.

> It's somewhat absurd to suggest that we are attacking our own nameservers, I assure you, we didn't spend many hours looking for your specific nameserver to start sending 10 requests per second for the root zone, and our nameservers serve many popular domains.

I just checked to make sure I did not make that assertion. I did not. I observed something odd, and stated as much to see if anyone else did. I apologise if you read my message as insinuating what you stated, but I assure you that wasn't the intention.

I did say "maybe I'm being dumb", and that is indeed the answer - I applied a temporary netfilter ruleset, then made it permanent - and it switched the DROP and LOG statements round so that... the packet got dropped first and the log statements never got hit. Schoolboy error (and interesting that someone else has observed this behaviour before!)... Normal service has been resumed. I should write a haiku here (sorry, MLC, poor joke).

> Given the attack is still in progress, I can't really say much more publicly, but suffice to say, we're working on the situation.

In a previous job I've been on the receiving end of similar attacks so I have a large degree of understanding of the pressure you're under at the moment. I wish you the best of luck sorting it out.

Graeme
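[Added illustration by the editor, not the poster's ruleset.] The "DROP before LOG" mistake described above is mechanical enough to check for: a LOG rule is unreachable whenever an earlier rule in the same chain has an identical match specification and a terminating target, since netfilter stops walking the chain at the first DROP/ACCEPT/REJECT/RETURN that matches. The script below parses an iptables-save style ruleset (the rules are constructed, with documentation-range addresses), reports shadowed LOG rules, and produces a reordered ruleset with each LOG moved to just before the rule that was shadowing it. Match comparison is textual, so two rules that express the same match with different option spellings are treated as different; that is an assumption made to keep the check simple.

```python
"""Find LOG rules that a preceding terminating rule with the same match makes
unreachable, the ordering mistake described in the post, and reorder them.
Added illustration, not the poster's ruleset; the rules are constructed."""
import shlex

# Targets after which netfilter stops consulting the rest of the chain.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}


def parse_rule(line):
    """Split an '-A CHAIN <match...> -j TARGET [target options]' line; None for other lines."""
    toks = shlex.split(line)  # respects the quoting in --log-prefix "..."
    if len(toks) < 4 or toks[0] != "-A" or "-j" not in toks:
        return None
    j = toks.index("-j")
    return {
        "chain": toks[1],
        "match": tuple(toks[2:j]),                       # everything between chain and target
        "target": toks[j + 1] if j + 1 < len(toks) else None,
        "text": line,
    }


def shadowed_log_rules(lines):
    """Return [(log_line_index, shadowing_line_index)] for LOG rules that can never fire."""
    first_terminating = {}  # (chain, match) -> index of the first terminating rule with that match
    findings = []
    for idx, line in enumerate(lines):
        rule = parse_rule(line)
        if rule is None:
            continue
        key = (rule["chain"], rule["match"])
        if rule["target"] == "LOG" and key in first_terminating:
            findings.append((idx, first_terminating[key]))
        elif rule["target"] in TERMINATING and key not in first_terminating:
            first_terminating[key] = idx
    return findings


def fix_order(lines):
    """Move each shadowed LOG rule to immediately before the rule that shadows it."""
    lines = list(lines)
    while True:
        findings = shadowed_log_rules(lines)
        if not findings:
            return lines
        log_idx, drop_idx = findings[0]
        lines.insert(drop_idx, lines.pop(log_idx))  # drop_idx < log_idx, so indices stay valid


# Constructed ruleset in iptables-save format: the first pair is the mistake
# (DROP first, LOG never reached), the second pair is the intended order.
RULESET = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 192.0.2.0/24 -p udp -m udp --dport 53 -j DROP
-A INPUT -s 192.0.2.0/24 -p udp -m udp --dport 53 -j LOG --log-prefix "dns-flood: "
-A INPUT -s 198.51.100.7/32 -p udp -m udp --dport 53 -j LOG --log-prefix "dns-flood: "
-A INPUT -s 198.51.100.7/32 -p udp -m udp --dport 53 -j DROP
COMMIT
"""

if __name__ == "__main__":
    rules = RULESET.strip().splitlines()
    for log_idx, drop_idx in shadowed_log_rules(rules):
        print("line %d is shadowed by line %d:\n  %s\n  %s" % (log_idx, drop_idx, rules[log_idx], rules[drop_idx]))
    print("\n".join(fix_order(rules)))
```

The same check applies to any ordered packet filter, not just netfilter: on a real system, run it over the output of iptables-save before committing a ruleset that was typed in interactively, which is exactly the point at which the post's ordering slip happened.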
Re: Are you getting Spam from Crossfire Media?
On Tue, 2009-01-13 at 17:19 -0800, JC Dill wrote:
> The particular email address ceased being used (by me) over a year ago, but suddenly 4 weeks ago I was subscribed to their mailing list. Apparently the common theme is that we all registered for the VON conference at one point.

Aha, list re-purposing. That's something completely different - I cannot speak for your local or federal laws on spam, but in the UK we could fairly well go to town on a company doing that (not in law, sadly, but certainly in terms of professional shame through whichever organisations they belong to).

> I really can't understand why all of you are saying it's no big deal!

Er... we're not. I'm not, certainly, and I haven't read anyone else as having done so. What we're saying is that there's nothing sinister (as the original reply to your message thought), that there's a simple explanation. As I said originally - if this is a company with any professional pride whatsoever, contact their CEO. Going from the top down can be instructive at the very least, if not actually productive.

Graeme
Re: Are you getting Spam from Crossfire Media?
On Tue, 2009-01-13 at 14:43 -0500, Reynold Guerrier wrote:
> My subscription to NANOG aged 3 months ago and I am receiving this spam too. And this is my first post. I effectively think that someone might have cracked the email database of the Nanog list.

Funny; I'm not in that sort of business and I haven't received that sort of spam. Funny also that both Reynold and JC have quite significant online presences (as determined from a quick Google) which reveal lots of interesting info - if you were a person interested in selling them something, anyway. Especially wireless kit.

I think there's far less to this than meets the eye, personally. Just a predictably asinine salesperson believing that your presence online provides your consent for bulk email... have you contacted their CEO?

Graeme
Re: Exploit for DNS Cache Poisoning - RELEASED
On Fri, 2008-07-25 at 18:14 -0400, Pete Carah wrote:
> I saw much more than this *from the same address* starting two days ago, and from several other blocks belonging to the same university starting last week, to my home router and another server. So far my better connected servers haven't been hit hard. (and no non-auto answer from security at that university...)

I saw this earlier in the week, along with queries for a domain name which happens to have been registered by Dan Kaminsky, so I emailed him about it. The addresses in question at Georgia Tech appear to be in use as part of Doxpara's scan for unpatched systems, which he confirmed.

For those who are bothered, look out for queries from the same netblock of the form:

rB6CIo_XgRlScY5K0iGISAAvygwAACujBAA=.ports.dns-integrity-scan.com/A/IN

It's probably obvious to one and all what they should be for. And the fact that the queries are denied by correctly configured (ie. non-open) resolvers makes it even less of a panic.

The sky isn't falling... yet.

Graeme
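[Added illustration by the editor, not configuration from the post.] "Correctly configured (ie. non-open)" in BIND 9 terms means recursion is only offered to your own networks, so an outside host asking for a name under dns-integrity-scan.com gets REFUSED instead of a lookup. The scan in question was checking for the other half of the 2008 cache-poisoning problem, resolvers sending all their queries from one fixed source port, so that is shown as well. The two named.conf fragments below put the weak settings beside the corrected ones; the address ranges in the "trusted" ACL are placeholders to be replaced with your own.

```conf
// Weak: every host on the Internet may use this server for recursion, and
// all outgoing queries leave from one fixed source port, so an attacker only
// has to guess the 16-bit transaction ID.
options {
    recursion yes;
    allow-recursion { any; };
    query-source address * port 53;
};

// Corrected: recursion and cache access only for our own networks (placeholder
// ranges), and the port left unspecified so BIND picks a random source port
// for every query.
acl "trusted" { 127.0.0.0/8; ::1/128; 192.0.2.0/24; };
options {
    recursion yes;
    allow-recursion { "trusted"; };
    allow-query-cache { "trusted"; };
    query-source address *;
};
```

A server that is authoritative only should carry "recursion no;" instead. The check from outside is a plain recursive query for a name you do not serve, sent from an address outside the ACL: a correctly configured resolver answers REFUSED, and that is the response the scan traffic in this thread was getting from non-open resolvers.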