Re: [NANOG] NANOG TEST
On 07/10/2011 10:03 PM, Steve Feldman wrote: Another test, sorry for the noise. Steve Well, at least the fears that nanog would be IPv4 only are unfounded.. Received: from mail.amsl.com (mail.amsl.com [IPv6:2001:1890:1112:1::14])... -- Joe Sniderman joseph.snider...@thoroquel.org
Re: The state-level attack on the SSL CA security model
On 03/25/2011 11:12 PM, Steven Bellovin wrote: On Mar 25, 2011, at 12:19:52 PM, Akyol, Bora A wrote: One could argue that you could try something like the facebook model (or facebook itself). I can see it coming. Facebook web of trust app ;-) Except, of course, for the fact that people tend to have hundreds of friends, many of whom they don't know at all, and who achieved that status simply by asking. You need a much stronger notion of interaction, to say nothing of what the malware in your friends' computers are doing to simulate such interaction. Then again there are all the "friend us for a chance to win $prize" gimmicks... not a far jump to "friend us, _with trust bits enabled_ for a chance to win $prize" Yeah sounds like a wonderful idea. :P -- Joe Sniderman joseph.snider...@thoroquel.org
Re: Blocking International DNS
On 11/22/2010 07:47 PM, Wil Schultz wrote: The more I think about this COICA deal the more I can't even fathom how it could be implemented. If an upstream server won't resolve, what's to stop a network admin from using an offshored DNS server, or even the root servers? The way I read it it's specifically aimed at whoever is running the resolver, ISP or otherwise. Querying recursively starting at the root would be a violation then. (hence my comment earlier about taking my recursor from my cold dead hands.) So, short of actually searching out and confiscating or destroying uncensored resolvers (like the ones, 5th amendment notwithstanding, that will continue to run each of my notebooks, even if just for spite if the law passes.), or raiding ICANN guns drawn and ordering removal of non compliant ccTLDs from the root, IMHO enforcement would be pretty much impossible. Unless we're talking about keeping DNS traffic confined to the ISP's network. tunneled connections. unless all IP traffic is kept to a specific ISP, in which case the I would become a misnomer, and would be easier said than done. Then what's to stop a global HOSTS.TXT from circulating via torrent? Hey as long as it's not a DNS server. :P It's shortsighted and problematic, which is usually what happens when technical discussions are dictated by politics. Yup. -- Joe Sniderman joseph.snider...@thoroquel.org
Re: Blocking International DNS
On 11/19/2010 03:45 PM, Marshall Eubanks wrote: It seems that the Combating Online Infringement and Counterfeits Act (COICA) passed through the Senate Judiciary Committee with a unanimous (!) vote : http://arstechnica.com/tech-policy/news/2010/11/pirate-slaying-censorship-bill-gets-unanimous-support.ars http://www.govtrack.us/congress/billtext.xpd?bill=s111-3804 I claim operational content for this as, on the basis of court orders, i.e. a temporary restraining order, a preliminary injunction, or an injunction against the domain name used by an Internet site dedicated to infringing activities it requires that, for foreign domain names, (i) a service provider, as that term is defined in section 512(k)(1) of title 17, United States Code, or other operator of a domain name system server shall take reasonable steps that will prevent a domain name from resolving to that domain name’s Internet protocol address; So I suppose operation of a recursor requires one to check with the government to see what names it's okay to resolve.. They can have my dns recursor when they pry it from my cold dead hands. Otherwise no. /me waits for the knock at the door and the yell of "Search warrant, we hear you're running an uncensored BIND" -- Joe Sniderman joseph.snider...@thoroquel.org
Re: What must one do to avoid Gmail's retarded non-spam filtering?
On 09/29/2010 12:05 AM, Erik L wrote: Google appears to have blacklisted our domain. From the edge MTA, I sent three messages, differing only in the From header: 1. valid email @klssys.com 2. valid email @caneris.com 3. abc...@caneris.com 1 not spam; 2 & 3 spam Ok, so it's the domain not the IP. You're a DSL provider, right? IPs assigned to customers have PTRs in caneris.com, right? [..snip..] - Original Message - From: Erik L erik_l...@caneris.com To: William Pitcock neno...@systeminplace.net Cc: nanog@nanog.org Sent: Tuesday, September 28, 2010 7:17:45 PM Subject: Re: What must one do to avoid Gmail's retarded non-spam filtering? Hi William, I do so for our entire IP space on a regular basis. The edge MTA I mentioned in the reply to Bill shows up as Neutral there. Ok, but there are a couple customer IPs that show up as Poor there, with rDNS in caneris.com not in klssys.com. One of those is on CBL (and XBL) and PSBL, and is spamming using your domain: http://psbl.surriel.com/evidence?ip=199.19.168.33&action=Check+evidence It's not PBL listed even though it's a dynamic IP it seems: http://www.spamhaus.org/query/bl?ip=199.19.168.33 That would be an SPF pass as well, because of: caneris.com. 3600 IN TXT v=spf1 a mx ptr -all So, from the receiving end it could easily look like it's one of caneris.com's outbound servers.. But not one of klssys.com's servers. Maybe this has something to do with the problem. HTH, Joe -- Joe Sniderman
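Added example, not part of the original message or of any poster's code: a minimal SPF evaluation showing why the `ptr` mechanism in a record like the one quoted above lets any customer address whose reverse DNS sits under the provider's domain pass, and how the same policy behaves once `ptr` is dropped (RFC 7208 says `ptr` should not be published). The domain `isp.example`, the host names and the addresses are constructed stand-ins, not data from the thread.

```python
# Constructed DNS data for a hypothetical provider "isp.example";
# addresses come from the RFC 5737 documentation ranges.
A = {
    "isp.example": ["192.0.2.10"],
    "mail.isp.example": ["192.0.2.25"],
    "dsl-77.cust.isp.example": ["198.51.100.77"],
}
MX = {"isp.example": ["mail.isp.example"]}
PTR = {"198.51.100.77": ["dsl-77.cust.isp.example"]}

def ptr_match(ip, domain):
    """RFC 7208 'ptr': a reverse name must resolve forward to the same IP
    and be the domain itself or a subdomain of it."""
    for name in PTR.get(ip, []):
        if ip in A.get(name, []) and (name == domain or name.endswith("." + domain)):
            return True
    return False

def check_host(ip, domain, record):
    """Evaluate the a / mx / ptr / all mechanisms of one SPF record, left to right."""
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = term[0] if term[0] in results else "+"
        mech = term.lstrip("+-~?")
        if mech == "a":
            hit = ip in A.get(domain, [])
        elif mech == "mx":
            hit = any(ip in A.get(host, []) for host in MX.get(domain, []))
        elif mech == "ptr":
            hit = ptr_match(ip, domain)
        elif mech == "all":
            hit = True
        else:
            return "permerror"  # mechanism outside this sketch
        if hit:
            return results[qualifier]
    return "neutral"

WITH_PTR = "v=spf1 a mx ptr -all"   # same mechanisms as the record quoted in the message
WITHOUT_PTR = "v=spf1 a mx -all"    # same policy with ptr dropped

def demo():
    customer, server = "198.51.100.77", "192.0.2.25"
    return (check_host(customer, "isp.example", WITH_PTR),     # customer line passes via ptr
            check_host(customer, "isp.example", WITHOUT_PTR),  # now caught by -all
            check_host(server, "isp.example", WITHOUT_PTR))    # real MX still passes
```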