Re: v4 and v6 BOGON list

2024-03-22 Thread Suresh Ramasubramanian
bogons.cymru.com has been around as a BGP feed for a long long time.

https://www.team-cymru.com/bogon-networks

From: NANOG on behalf of Gabriel Terry
Date: Friday, 22 March 2024 at 3:56 PM
To: nanog@nanog.org 
Subject: v4 and v6 BOGON list
All,

I was researching BOGON prefixes and found a reference from IANA listing 
special-purpose addresses, URLs listed below. Based on my understanding of the 
list I think I should be able to block all of the entries from my upstream 
peerings without affecting normal internet traffic. I assume that there would 
only be special scenarios that the addresses listed in the special-purpose 
entry would be used. I am interested to hear what others are doing when it 
comes to blocking BOGON NLRI from their upstream BGP peerings. If anyone has 
any insight into this please let me know your thoughts, I would love to discuss 
more on the topic.

URLs:
https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml

Thanks,

Gabriel L. Terry
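One way to act on the IANA registries linked above without over-blocking, as an added example that is not from this thread or from Team Cymru: it parses the registry CSV and only emits blocks the registry itself marks as not globally reachable, carving out the special-purpose anycast /32s that are routed on the public Internet. The CSV rows are a constructed excerpt in the download's layout (the column names are an assumption to verify against the live file), and the prefix-list rendering is IOS-style.

```python
"""Added example: bogon prefix list from the IANA special-purpose registry,
honouring the "Globally Reachable" column.  Denying every row blindly would also
drop 192.0.0.9/32 and 192.0.0.10/32, which are special-purpose but reachable."""
import csv
import io
import ipaddress
import re

# Constructed excerpt in the registry's CSV layout (column names assumed).
REGISTRY_CSV = """\
Address Block,Name,RFC,Allocation Date,Termination Date,Source,Destination,Forwardable,Globally Reachable,Reserved-by-Protocol
0.0.0.0/8,"This network",[RFC791],1981-09,N/A,True,False,False,False,True
10.0.0.0/8,Private-Use,[RFC1918],1996-02,N/A,True,True,True,False,False
100.64.0.0/10,Shared Address Space,[RFC6598],2012-04,N/A,True,True,True,False,False
127.0.0.0/8,Loopback,[RFC1122],1981-09,N/A,False,False,False,False,True
169.254.0.0/16,Link Local,[RFC3927],2005-05,N/A,True,True,False,False,True
172.16.0.0/12,Private-Use,[RFC1918],1996-02,N/A,True,True,True,False,False
192.0.0.0/24 [2],IETF Protocol Assignments,[RFC6890],2010-01,N/A,False,False,False,False,False
192.0.0.9/32,Port Control Protocol Anycast,[RFC7723],2015-10,N/A,True,True,True,True,False
192.0.0.10/32,Traversal Using Relays around NAT Anycast,[RFC8155],2017-02,N/A,True,True,True,True,False
"192.0.0.170/32, 192.0.0.171/32",NAT64/DNS64 Discovery,[RFC7050],2013-02,N/A,False,False,False,False,True
192.0.2.0/24,Documentation (TEST-NET-1),[RFC5737],2010-01,N/A,False,False,False,False,False
192.168.0.0/16,Private-Use,[RFC1918],1996-02,N/A,True,True,True,False,False
198.18.0.0/15,Benchmarking,[RFC2544],1999-03,N/A,True,True,True,False,False
240.0.0.0/4,Reserved,[RFC1112],1989-08,N/A,False,False,False,False,True
255.255.255.255/32,Limited Broadcast,[RFC8190],1984-10,N/A,False,True,False,False,True
"""

FOOTNOTE = re.compile(r"\s*\[\d+\]")  # e.g. "192.0.0.0/24 [2]"


def parse_registry(text):
    """Yield (network, name, globally_reachable) for every block in the CSV.
    One row may list several comma-separated blocks, and blocks may carry
    footnote markers that have to be stripped before parsing."""
    for row in csv.DictReader(io.StringIO(text)):
        blocks = FOOTNOTE.sub("", row["Address Block"])
        reachable = row["Globally Reachable"].strip().lower() == "true"
        for block in blocks.split(","):
            yield ipaddress.ip_network(block.strip(), strict=False), row["Name"], reachable


def bogon_prefixes(text):
    """Blocks safe to deny at the edge: every entry marked not globally
    reachable, with reachable more-specifics carved out so a covering deny
    does not swallow them.  Feed one address family per call."""
    entries = list(parse_registry(text))
    holes = [net for net, _, reachable in entries if reachable]
    pieces = []
    for net, _, reachable in entries:
        if reachable:
            continue
        todo = [net]
        for hole in holes:
            todo = [p for piece in todo
                    for p in (piece.address_exclude(hole)
                              if hole != piece and hole.subnet_of(piece) else [piece])]
        pieces.extend(todo)
    # collapse_addresses merges adjacent blocks and drops subsumed ones.
    return list(ipaddress.collapse_addresses(pieces))


def reachable_exceptions(text):
    """The rows a naive 'deny everything in the registry' would wrongly block."""
    return [(str(net), name) for net, name, reachable in parse_registry(text) if reachable]


def is_bogon(address, prefixes):
    ip = ipaddress.ip_address(address)
    return any(ip in p for p in prefixes)


def prefix_list(prefixes, name):
    """Render as an IOS-style prefix list: deny each bogon and anything more
    specific, then permit the rest (capped at /24 for v4, /48 for v6)."""
    v6 = prefixes[0].version == 6
    kw, tail = ("ipv6", "::/0 le 48") if v6 else ("ip", "0.0.0.0/0 le 24")
    lines = []
    for seq, p in enumerate(prefixes, start=1):
        le = "" if p.prefixlen == p.max_prefixlen else f" le {p.max_prefixlen}"
        lines.append(f"{kw} prefix-list {name} seq {seq * 10} deny {p}{le}")
    lines.append(f"{kw} prefix-list {name} seq {len(prefixes) * 10 + 10} permit {tail}")
    return lines


if __name__ == "__main__":
    bogons = bogon_prefixes(REGISTRY_CSV)
    print("\n".join(prefix_list(bogons, "BOGONS-V4")))
    print("kept reachable:", reachable_exceptions(REGISTRY_CSV))
```

The IPv6 registry has the same layout and goes through the same functions; the Team Cymru feed mentioned above is the maintained alternative to regenerating this yourself.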



Re: So what do you think about the scuttlebutt of Musk interfering in Ukraine?

2023-09-14 Thread Suresh Ramasubramanian
I have a feeling he’s fired far too much of his legal and compliance team to realise

--srs

From: NANOG on behalf of Michael Thomas
Sent: Thursday, September 14, 2023 6:17:17 AM
To: nanog@nanog.org 
Subject: So what do you think about the scuttlebutt of Musk interfering in 
Ukraine?

Doesn't this bump up against common carrier protections? I sure don't
want my utilities weaponizing their monopoly status to the whims of any
random narcissist billionaire.

Mike



Re: Captive portal for suspended accounts

2023-09-11 Thread Suresh Ramasubramanian
Comcast walled garden is a good starting point to Google - there’s even an rfc

This is to quarantine malicious customers rather than billing defaulters but 
well, much the same effect

--srs

From: NANOG on behalf of Steve Saner via NANOG
Sent: Monday, September 11, 2023 7:24:22 PM
To: NANOG list 
Subject: Captive portal for suspended accounts

We are a combination fiber and fixed wireless ISP with around 20k subscribers.

Management is wanting to develop something along the lines of a captive portal 
for suspended accounts such that those customers are forced to a portal that 
allows them to make payment and get reactivated.

This is a common thing for a cafe wifi hotspot or something, but has anyone 
here attempted to do it at this kind of scale who would be willing to share 
their experiences? If someone has successfully done this, I would love to pick 
your brain a bit to understand how you accomplished it.

Thanks much.

--


Steve Saner | Senior Network Engineer

ideatek INTERNET FREEDOM™ FOR ALL

316-640-8715 ext. 4005 | 111 Old Mill St., Buhler KS, 67522 | ideatek.com



Re: Historical info on how 'x.com' came to be registered

2023-07-27 Thread Suresh Ramasubramanian
December 99. Grandfathered

--srs

From: NANOG on behalf of Drew Weaver
Sent: Thursday, July 27, 2023 6:12:43 PM
To: 'nanog@nanog.org' 
Subject: Historical info on how 'x.com' came to be registered


Does anyone have any historical information on how ‘x.com’ came to be 
registered even though single letters were reserved?



Is there a story or is it as simple as it was registered prior to the 
reservation?



Just wondering.



Thanks,

-Drew




Re: BKA Wiesbaden - Abteilung Cybercrime (Not sure if this is a phishing E-mail or real...)

2023-04-03 Thread Suresh Ramasubramanian
It appears legit.

BKA.DE is the German Bundeskriminalamt (Federal Police)

And the PTR records, SPF etc check out for the domain.

Might as well check the IP in question for malware if they’ve provided date / 
timestamps and such

--srs

From: NANOG on behalf of Glen A. Pearce
Date: Monday, 3 April 2023 at 12:29 PM
To: nanog@nanog.org 
Subject: BKA Wiesbaden - Abteilung Cybercrime (Not sure if this is a phishing 
E-mail or real...)
Hi All:

I received an E-mail with an attachment claiming something
on my network is infected and that I should look at the
attachment to find out what.

Normally I think everything with an attachment is phishing
to get me to run malware but:

#1: The sites linked to in it seem to be legit German
 government websites based on Wikipedia entries that
 haven't changed in several years.
 (Looked at archive.org)
#2: The attachment is a .txt file which I've normally
 assumed to be safe.
#3: None of the usual dead giveaways that most phishing
 E-mails have.

If it is a phishing E-mail it has got to be the cleverest
one I've ever seen, though someone would try to be clever
considering the target would be holders of IP blocks.

I right clicked and checked properties to make sure the
attached ip_addresses.txt file really is a text file and
not some fancy trickery with reverse direction characters
( As seen on https://www.youtube.com/watch?v=ieQUy8YTbFU )

I tried poking around to see if there was some vulnerability
in notepad (or some versions of it) that I didn't know about
and only found a vulnerability in the text editor on Macs
but nothing with Windows Notepad.

The other thing I felt was a bit off is that the originating
mail server is in Deutsche Telekom AG space and not IP Space
registered to the German government.  I'm thinking someone
could rent some IP space from Deutsche Telekom AG with a
connection to them in a data center and get the DNS delegated
to them so they could set the reverse DNS to whatever they want.
A lot of effort to try to look legit by coming out of Germany
and having a government domain in the reverse DNS to look like
a plausible legit outsourcing but again Network operators are
the target audience so the normal tricks that work on the
general public won't work with this group so I can see someone
going that far.

I'll attach the E-mail below with all headers.  Has anyone
else gotten these?  Is there some security risk opening it
in Windows Notepad that I don't know about or is it actually
safe to open this?


Return-Path: 
Delivered-To: [REDACTED]
Received: from ezp08-pco.easydns.vpn ([10.5.10.148])
 by ezb03-pco.easydns.vpn with LMTP
 id oCfeBO/yEmTokhgAzaFxkQ
 (envelope-from )
 for <[REDACTED]>; Thu, 16 Mar 2023 10:43:59 +
Received: from smtp.easymail.ca ([127.0.0.1])
 by ezp08-pco.easydns.vpn with LMTP
 id WCB5BO/yEmSHdgEABcrfzg
 (envelope-from ); Thu, 16 Mar 2023 10:43:59 +
Received: from localhost (localhost [127.0.0.1])
 by smtp.easymail.ca (Postfix) with ESMTP id 0DC85557DF
 for ; Thu, 16 Mar 2023 10:43:59 + (UTC)
X-Virus-Scanned: Debian amavisd-new at ezp08-pco.easydns.vpn
X-Spam-Flag: NO
X-Spam-Score: 0.075
X-Spam-Level:
X-Spam-Status: No, score=0.075 required=4 tests=[BAYES_00=-1.9,
 DEAR_SOMETHING=1.973, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from smtp.easymail.ca ([127.0.0.1])
 by localhost (ezp08-pco.easydns.vpn [127.0.0.1]) (amavisd-new, port
10024)
 with ESMTP id d0XbPteZN-Io for ;
 Thu, 16 Mar 2023 10:43:55 + (UTC)
Received: from mail.cyber.bka.de (mail.cyber.bka.de [80.146.190.22])
 by smtp.easymail.ca (Postfix) with ESMTPS id 0BC0C557DC
 for ; Thu, 16 Mar 2023 10:43:54 + (UTC)
Date: Thu, 16 Mar 2023 10:43:53 +
To: a...@ve4.ca
From: BKA Wiesbaden - Abteilung Cybercrime 
Reply-To: BKA Wiesbaden - Abteilung Cybercrime 
Subject: Information regarding possible infection with malware
Message-ID:

MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="b1_M47LJRZpjy1zymUJDKsNtrYm3RimkafZfZTqeZpauZA"
Content-Transfer-Encoding: 8bit

Dear Sir or Madam,

As part of criminal proceedings, the German Federal Criminal Police
Office (Bundeskriminalamt) has been
informed about public IP addresses and timestamps which indicate a
potential infection by the malicious
software "Bumblebee" of one or more systems behind the respective public
IP address.

Within this letter, the BKA is providing you with the data of the
respective IP addresses which have been
assigned to you as the appropriate provider. You are asked to take
appropriate measures to inform your
customers about the potential infection.

The following information will be provided:

1. Public IP address
2. Last known timestamp of contact by the public IP address
3. Possible system name or username on the potentially infected system

The following information may be sent to your customers in addition to
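The checks Suresh describes (which hop the mail really arrived from, whether the PTR name and SPF line up) can be scripted against headers like the ones Glen quoted; this is an added example, not part of the thread. The header block is a constructed sample that keeps the hop names, addresses and SpamAssassin test list from the quoted message and drops the rest; forward-confirming the PTR name needs live DNS and is noted in a comment rather than done.

```python
"""Added example: walk a Received: chain to find the Internet-facing handoff
(the only hop whose reverse DNS and SPF standing say anything about the
sender) and read the SPF outcome SpamAssassin recorded."""
import ipaddress
import re
from email import message_from_string

# Constructed sample mirroring the quoted headers (trimmed, body omitted).
RAW_MESSAGE = """\
Received: from ezp08-pco.easydns.vpn ([10.5.10.148])
 by ezb03-pco.easydns.vpn with LMTP; Thu, 16 Mar 2023 10:43:59 +0000
Received: from smtp.easymail.ca ([127.0.0.1])
 by ezp08-pco.easydns.vpn with LMTP; Thu, 16 Mar 2023 10:43:59 +0000
Received: from localhost (localhost [127.0.0.1])
 by smtp.easymail.ca (Postfix) with ESMTP id 0DC85557DF;
 Thu, 16 Mar 2023 10:43:59 +0000 (UTC)
X-Spam-Status: No, score=0.075 required=4 tests=[BAYES_00=-1.9,
 DEAR_SOMETHING=1.973, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from smtp.easymail.ca ([127.0.0.1])
 by localhost (ezp08-pco.easydns.vpn [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id d0XbPteZN-Io; Thu, 16 Mar 2023 10:43:55 +0000 (UTC)
Received: from mail.cyber.bka.de (mail.cyber.bka.de [80.146.190.22])
 by smtp.easymail.ca (Postfix) with ESMTPS id 0BC0C557DC;
 Thu, 16 Mar 2023 10:43:54 +0000 (UTC)
Subject: Information regarding possible infection with malware

(body omitted)
"""

# Postfix style: "from HELO (PTR-NAME [IP])"; the PTR name may be absent.
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\)")


def received_hops(raw):
    """Hops newest-first as (helo, rdns_or_None, ip); headers are unfolded
    before matching because Received: lines are almost always wrapped."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(str(value).split()))
        if m:
            hops.append((m["helo"], m["rdns"], ipaddress.ip_address(m["ip"])))
    return hops


def entry_hop(raw, own_ranges=()):
    """First hop (newest to oldest) whose source is not loopback, private or
    in our own ranges.  Headers above it were written by our own MTAs and can
    be trusted; everything below it was supplied by the sender."""
    own = [ipaddress.ip_network(r) for r in own_ranges]
    for helo, rdns, ip in received_hops(raw):
        if ip.is_loopback or ip.is_private or ip.is_link_local:
            continue
        if any(ip in net for net in own):
            continue
        return {
            "helo": helo,
            "rdns": rdns,
            "ip": str(ip),
            # The receiving MTA already resolved the PTR; confirming that the
            # PTR name resolves back to this IP (FCrDNS) needs live DNS.
            "rdns_matches_helo": bool(rdns) and rdns.lower() == helo.lower(),
        }
    return None


def spamassassin_tests(raw):
    """Parse 'tests=[NAME=score, ...]' from X-Spam-Status into a dict."""
    status = " ".join(str(message_from_string(raw).get("X-Spam-Status", "")).split())
    m = re.search(r"tests=\[([^\]]*)\]", status)
    if not m:
        return {}
    pairs = (item.strip().split("=", 1) for item in m.group(1).split(",") if item.strip())
    return {name: float(score) for name, score in pairs}


def spf_verdict(tests):
    """SPF result as recorded by SpamAssassin for MAIL FROM (not HELO).  A pass
    means the sending domain itself authorised this IP, which a rented netblock
    with self-managed reverse DNS cannot fake."""
    for rule, verdict in (("SPF_PASS", "pass"), ("SPF_FAIL", "fail"),
                          ("SPF_SOFTFAIL", "softfail"), ("SPF_NONE", "none")):
        if rule in tests:
            return verdict
    return "unknown"


if __name__ == "__main__":
    print(entry_hop(RAW_MESSAGE))
    print("SPF:", spf_verdict(spamassassin_tests(RAW_MESSAGE)))
```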

Re: email spam

2022-08-23 Thread Suresh Ramasubramanian
100%. Also - there’s no way to offer a delivery sla for email.  If you have 
something business critical, let alone anything that affects child safety, pick 
up a phone and call, or send an officer over to the school.

--srs

From: Eric Tykwinski 
Sent: Wednesday, August 24, 2022 8:14:16 AM
To: Suresh Ramasubramanian 
Cc: nanog@nanog.org 
Subject: Re: email spam

Sorry about the bad examples, but I remember contacting both about issues with 
SPF multiple times.  They both seem to have fixed things, at least 
searching my logs for the last week.  Most of my customers have had to 
whitelist them though for past issues. It’s also 
ezpassnj.com for the NJ collection.  Point still stands, 
assume incompetence over malice.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

On Aug 23, 2022, at 10:20 PM, Eric Tykwinski wrote:

Bill,

Not only that, did they even follow their own rules, I’ve been fighting with 
septa.org, the Pennsylvania train authority, and 
easypassnj.com, the New Jersey transit toll collectors 
about invalid SPF records for years, and they literally don’t give a shit.  If 
they say to put it in spam, well then that is their own fault.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

On Aug 23, 2022, at 10:00 PM, Suresh Ramasubramanian wrote:

Without saying why the mail was blocked (dumb content filter looking for porn? 
a spamhaus listing because the police server was hacked? something else?) 
that’s not going to help too much.

I’ve been spam filtering stuff at large providers since the late 90s and it 
never gets any easier to block 100% spam or let 100% legit mail through.

—srs

--srs

From: NANOG on behalf of William Herrin
Sent: Wednesday, August 24, 2022 7:03:52 AM
To: nanog@nanog.org
Subject: email spam

Hello,

To folks at places like Google and Godaddy which have gotten, shall we
say, overzealous about preventing spam from entering their systems,
consider the risk:

https://www.washingtonpost.com/education/2022/08/23/fairfax-county-counselor-solicitation-minor/

"Chesterfield County police said emails notifying Fairfax County
Public Schools that an employee was arrested and charged with
soliciting prostitution from a minor were not delivered to the school
system."

Long story short, the pedo kept his school job another year and a half.

There was once a time when both the outbound emails and the bounce
messages when they failed... worked. It was a spammy place but the
important emails got through.

Regards,
Bill Herrin




Re: email spam

2022-08-23 Thread Suresh Ramasubramanian
Without saying why the mail was blocked (dumb content filter looking for porn? 
a spamhaus listing because the police server was hacked? something else?) 
that’s not going to help too much.

I’ve been spam filtering stuff at large providers since the late 90s and it 
never gets any easier to block 100% spam or let 100% legit mail through.

—srs

--srs

From: NANOG on behalf of William Herrin
Sent: Wednesday, August 24, 2022 7:03:52 AM
To: nanog@nanog.org 
Subject: email spam

Hello,

To folks at places like Google and Godaddy which have gotten, shall we
say, overzealous about preventing spam from entering their systems,
consider the risk:

https://www.washingtonpost.com/education/2022/08/23/fairfax-county-counselor-solicitation-minor/

"Chesterfield County police said emails notifying Fairfax County
Public Schools that an employee was arrested and charged with
soliciting prostitution from a minor were not delivered to the school
system."

Long story short, the pedo kept his school job another year and a half.

There was once a time when both the outbound emails and the bounce
messages when they failed... worked. It was a spammy place but the
important emails got through.

Regards,
Bill Herrin


Re: Rogers Outage Canada

2022-07-09 Thread Suresh Ramasubramanian
Just leaving this (yes, satire site) link here

https://www.thebeaverton.com/2022/07/rogers-proudly-announces-10-service-charge-for-unplug-and-relax-nationwide-outage/


--srs

From: NANOG on behalf of Andrew Paolucci via NANOG
Sent: Saturday, July 9, 2022 12:49:09 PM
To: j...@west.net ; nanog@nanog.org 
Subject: Re: Rogers Outage Canada

Normally I'd take offense, but in my experience of endless technician calls, 
hundreds of hours on the phone with support.


I can assure Rogers staff are the utmost incompetent out of any I've seen. Only 
talked to one support tech with them that even knew what DOCSIS was. How can 
teaching employees about the technology they sell not be part of training?


Only reason they are even able to operate right now is reselling Xfinity 
products from Comcast after wasting billions trying to roll their own solutions.


Regards,

Andrew Paolucci

Sent from Proton Mail mobile

-------- Original Message --------
On Jul. 9, 2022, 3:18 p.m., Jay Hennigan < j...@west.net> wrote:

On 7/9/22 09:54, JASON BOTHE via NANOG wrote:
> I see the point you’re trying to make but using the word retarded in this
> context is not only dumb in itself but offensive. Please be more respectful
> on this list.

Shall we take another spin on the euphemism treadmill?

--
Jay Hennigan - j...@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV


Re: ASN in use, but no whois data?

2022-02-25 Thread Suresh Ramasubramanian
Legacy lookup here


ASHandle:   AS394183
OrgID:  ORCL-2
ASName: OROCKLLC-USA-ASN
ASNumber:   394183
RegDate:2015-07-01
Updated:2015-07-01
Source: ARIN


OrgID:  ORCL-2
OrgName:Orange Rock Consulting, LLC
CanAllocate:
Street: 300 West Glenoaks Blvd., Suite 106
City:   Glendale
State/Prov: CA
Country:US
PostalCode: 91202
RegDate:2014-11-26
Updated:2014-11-26
OrgAbuseHandle: LEONJ4-ARIN
OrgAdminHandle: LEONJ4-ARIN
OrgNOCHandle:   LEONJ4-ARIN
OrgTechHandle:  LEONJ4-ARIN
Source: ARIN


POCHandle:  LEONJ4-ARIN
IsRole: N
LastName:   Leon
FirstName:  John
Street: 300 West Glenoaks Blvd., Suite 106
City:   Glendale
State/Prov: CA
Country:US
PostalCode: 91202
RegDate:2014-11-24
Updated:2020-12-01
MobilePhone:+1-714-782-4326
FaxPhone:   +1-818-484-2010
OfficePhone:+1-800-253-6121
Mailbox:j...@orockllc.com
Source: ARIN


--srs

From: NANOG on behalf of Phineas Walton
Sent: Saturday, February 26, 2022 4:25:56 AM
To: Matt Harris 
Cc: North American Network Operators' Group 
Subject: Re: ASN in use, but no whois data?

The AS customer could've churned from ARIN, freeing the ASN but leaving 
technically valid IRRs in databases such as RADb (which seems to be where they 
originate): https://i.imgur.com/r5xx7Y6.png

..thus allowing them to continue to announce their routes under that ASN as 
usual, even though technically it doesn't exist in the ARIN WHOIS.

Phin

On Fri, Feb 25, 2022 at 10:47 PM Matt Harris wrote:
Hey folks,
I'm looking at an ASN 394183 and I can't find any whois or other contact data. 
I've checked globally and then also ARIN directly and literally nothing as if 
it weren't registered. It's announcing prefixes, at least one of which is IRR 
invalid part of a larger old PSINET block, though, and I'm seeing them in the 
global routing table.

Anyone have any idea how this could happen where an ASN is in use, transiting 
several major providers to the internet, but no whois data as if it didn't 
exist?

Thanks,
Matt



Re: Russian aligned ASNs?

2022-02-24 Thread Suresh Ramasubramanian
There are reports of bgp hijacks and ddos targeted at Ukrainian asns watch for 
and mitigate those?

--srs

From: NANOG on behalf of Tony Wicks
Sent: Friday, February 25, 2022 6:55:23 AM
To: 'William Allen Simpson' 
Cc: 'North American Network Operators Group' 
Subject: RE: Russian aligned ASNs?

I would suggest keeping the free flow of outside information to Russia would be 
the best thing we can do.

-Original Message-


What is our community doing to assist Ukraine against these attacks?



Re: S.Korea broadband firm sues Netflix after traffic surge

2021-10-01 Thread Suresh Ramasubramanian
Yet another peering dispute ending in litigation?

From: NANOG on behalf of Sean Donelan
Date: Friday, 1 October 2021 at 7:21 PM
To: nanog@nanog.org 
Subject: S.Korea broadband firm sues Netflix after traffic surge
South Korean Internet service provider SK Broadband has sued Netflix to
pay for costs from increased network traffic and maintenance work because
of a surge of viewers to the U.S. firm's content, an SK spokesperson said
on Friday.
[...]
Last year, Netflix had brought its own lawsuit on whether it had any
obligation to pay SK for network usage, arguing Netflix's duty ends with
creating content and leaving it accessible. It said SK's expenses were
incurred while fulfilling its contractual obligations to Internet users,
and delivery in the Internet world is "free of charge as a principle",
according to court documents.
[...]

https://www.reuters.com/business/media-telecom/skorea-broadband-firm-sues-netflix-after-traffic-surge-squid-game-2021-10-01/


Re: Abuse Contact Handling

2021-08-06 Thread Suresh Ramasubramanian
Since my first formal abuse desk job in 2001 to now, all at large email 
providers, I’ve seen a lot of junk come to abuse mailboxes, that is true.

YMMV depending on what sort of network you run / service you provide and what 
sort of customers you take on, but you do get a non trivial number of 
actionable complaints.

--srs

From: Tom Beecher 
Sent: Friday, August 6, 2021 11:42:48 PM
To: Suresh Ramasubramanian 
Cc: Mike Hammett; Matt Corallo; NANOG
Subject: Re: Abuse Contact Handling

If you’re complaining about having to maintain an abuse desk or putting a dummy 
address into your whois records, Sturgeon's law says most of the time you’re the 
sort of provider who doesn’t want to staff an abuse desk.

At my previous job for an ISP, I was the abuse desk among my other 
responsibilities.

Fully 50% of "abuse" reports were "STOP PINGING ME".  Another 20% were one 
gentleman who forwarded every spam message he ever received, adamantly refusing 
to use the 'Report Spam' button in our webmail application.

Even today, in my current role,I have had countless 'abuse' issues escalated to 
my level that turned out to be things that have nothing to do with our network 
at all.

When reporters don't understand the difference between 'abuse' and 'annoyance', 
abuse mailboxes become nothing more than a relic of the past.

On Fri, Aug 6, 2021 at 11:52 AM Suresh Ramasubramanian wrote:
If the way x is managing their network or (not) managing their customers means 
my network and my customers are affected ..

route leaks? packet kiddies? phish sites? spammers? whatever.  If what you’re 
doing or not doing affects someone else, expect complaints, possibly to your  
upstreams if you aren’t receptive to these.

Not everybody mailing your abuse address is reporting random alerts their $50 
home router’s firewall throws up, or is trying to spam you.

OK. All that stuff happens but is easy enough to filter out, and well, spammers 
who add an abuse address to their lists deserve all the blocking they get.

If you’re complaining about having to maintain an abuse desk or putting a dummy 
address into your whois records, Sturgeon's law says most of the time you’re the 
sort of provider who doesn’t want to staff an abuse desk.

--srs

From: NANOG on behalf of Mike Hammett
Sent: Friday, August 6, 2021 7:51:04 PM
To: Matt Corallo
Cc: NANOG
Subject: Re: Abuse Contact Handling

"we don’t get to tell someone they’re managing their network wrong"

Sure we do. They don't have to listen, but we get to tell them. RFCs are full 
of things that one shall not do, must do, etc. We shame network operators all 
of the time for things they do that affect the global community.



-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com


From: "Matt Corallo"
To: "Mike Hammett"
Cc: "NANOG"
Sent: Friday, August 6, 2021 8:50:00 AM
Subject: Re: Abuse Contact Handling

Costs real money to figure out, for each customer scanning parts of the 
internet, if they’re doing it legitimately or maliciously. Costs real money to 
look into whether someone is spamming or just sending bulk email that customers 
signed up for. And what do you do if it is legitimate? Lots of abuse reports 
don’t follow X-ARF, so now you have to have a human process them and choose 
which ones to ignore. Or you just tell everyone to fill out a common web form 
and then the data is all nice and structured and you can process it sanely.

Like Randy said, we don’t get to tell someone they’re managing their network 
wrong. If you don’t want to talk to AWS, don’t talk to AWS. If you want them to 
manage their network differently, reach out, understand their business 
concerns, help alleviate them. Maybe propose a second Abuse Contact type that 
only accepts X-ARF that they can use? There’s lots of things that could be done 
that are productive here.

Matt


On Aug 6, 2021, at 08:08, Mike Hammett wrote:


I suppose if they did a better job of policing their own network, they wouldn't 
have as much hitting their e-mail boxes.



-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com


From: "Matt Corallo"
To: "Mike Hammett", "NANOG"
Sent: Thursday, August 5, 2021 3:44:43 PM
Subject: Re: Abuse Contact Handling

There's a few old threads on this from last year or so, b

Re: Abuse Contact Handling

2021-08-06 Thread Suresh Ramasubramanian
If the way x is managing their network or (not) managing their customers means 
my network and my customers are affected ..

route leaks? packet kiddies? phish sites? spammers? whatever.  If what you’re 
doing or not doing affects someone else, expect complaints, possibly to your  
upstreams if you aren’t receptive to these.

Not everybody mailing your abuse address is reporting random alerts their $50 
home router’s firewall throws up, or is trying to spam you.

OK. All that stuff happens but is easy enough to filter out, and well, spammers 
who add an abuse address to their lists deserve all the blocking they get.

If you’re complaining about having to maintain an abuse desk or putting a dummy 
address into your whois records, Sturgeon's law says most of the time you’re the 
sort of provider who doesn’t want to staff an abuse desk.

--srs

From: NANOG on behalf of Mike Hammett
Sent: Friday, August 6, 2021 7:51:04 PM
To: Matt Corallo 
Cc: NANOG 
Subject: Re: Abuse Contact Handling

"we don’t get to tell someone they’re managing their network wrong"

Sure we do. They don't have to listen, but we get to tell them. RFCs are full 
of things that one shall not do, must do, etc. We shame network operators all 
of the time for things they do that affect the global community.



-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com


From: "Matt Corallo" 
To: "Mike Hammett" 
Cc: "NANOG" 
Sent: Friday, August 6, 2021 8:50:00 AM
Subject: Re: Abuse Contact Handling

Costs real money to figure out, for each customer scanning parts of the 
internet, if they’re doing it legitimately or maliciously. Costs real money to 
look into whether someone is spamming or just sending bulk email that customers 
signed up for. And what do you do if it is legitimate? Lots of abuse reports 
don’t follow X-ARF, so now you have to have a human process them and choose 
which ones to ignore. Or you just tell everyone to fill out a common web form 
and then the data is all nice and structured and you can process it sanely.

Like Randy said, we don’t get to tell someone they’re managing their network 
wrong. If you don’t want to talk to AWS, don’t talk to AWS. If you want them to 
manage their network differently, reach out, understand their business 
concerns, help alleviate them. Maybe propose a second Abuse Contact type that 
only accepts X-ARF that they can use? There’s lots of things that could be done 
that are productive here.

Matt


On Aug 6, 2021, at 08:08, Mike Hammett  wrote:


I suppose if they did a better job of policing their own network, they wouldn't 
have as much hitting their e-mail boxes.



-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com


From: "Matt Corallo" 
To: "Mike Hammett" , "NANOG" 
Sent: Thursday, August 5, 2021 3:44:43 PM
Subject: Re: Abuse Contact Handling

There's a few old threads on this from last year or so, but while unmonitored 
abuse contacts are terrible, similarly,
people have installed automated abuse contact spammer systems which is equally 
terrible. Thus, lots of the large hosting
providers have deemed the cost of actually putting a human on an abuse contact 
is much too high.

I'm not sure what the answer is here, but I totally get why large providers 
just say "we can better protect a web form
with a captcha than an email box, go use that if there's real abuse".

Matt

On 8/5/21 09:14, Mike Hammett wrote:
> What does the greater operator community think of RIR abuse contacts that are 
> unmonitored autoresponders?
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com




Re: Spamhaus ASN-DROP list

2021-07-23 Thread Suresh Ramasubramanian
This is probably an ex afrinic stolen block?

In which case it’s for afrinic to sort out and reclaim

--srs

From: NANOG on behalf of Siyuan Miao
Sent: Friday, July 23, 2021 12:38:16 PM
To: North American Network Operators' Group 
Subject: Spamhaus ASN-DROP list

Hi All,

One of our ASNs has been listed in the Spamhaus ASN-DROP list before it was 
assigned to us.

We emailed them last year but didn't get a response. Could anyone from Spamhaus 
contact us off the list?

Best Regards,
Siyuan



Re: Anyone from Proof Point or Comcast on this list?

2021-04-19 Thread Suresh Ramasubramanian
comcast.com is their corporate mail domain

comcast.net is their customer domain

Both have entirely different mx hosts and won’t relay mail for each other.

--srs

From: NANOG on behalf of Matt Hoppes
Sent: Monday, April 19, 2021 10:06:00 PM
To: North American Network Operators' Group 
Subject: Anyone from Proof Point or Comcast on this list?

It seems we are having trouble sending e-mail to some Comcast customers
and getting a relaying denied message, even though the mail should be
being accepted, not relayed.

Below is a copy of a transcript.  Could someone from Proof Point or
Comcast e-mail please contact me to resolve this?


[root@account ~]# dig mx comcast.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> mx comcast.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32690
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;comcast.com.   IN  MX

;; ANSWER SECTION:
comcast.com.    9   IN  MX  5 mxb-00143702.gslb.pphosted.com.
comcast.com.    9   IN  MX  5 mxa-00143702.gslb.pphosted.com.

;; Query time: 0 msec
;; SERVER: 172.16.0.21#53(172.16.0.21)
;; WHEN: Mon Apr 19 12:33:57 EDT 2021
;; MSG SIZE  rcvd: 112

[root@account ~]# telnet mxb-00143702.gslb.pphosted.com 25
Trying 148.163.141.77...
Connected to mxb-00143702.gslb.pphosted.com.
Escape character is '^]'.
220 mx0b-00143702.pphosted.com ESMTP mfa-m0184889
helo rivervalleyinternet.net
250 mx0b-00143702.pphosted.com Hello [192.81.87.236], pleased to meet you
mail from:i...@rivervalleyinternet.net
250 2.1.0 Sender ok
rcpt to:dr[redacted]@comcast.net
550 5.7.1 Relaying denied



Re: Newbie Question: Is anyone actually using the Null MX (RFC 7505)?

2021-02-26 Thread Suresh Ramasubramanian
OK. In your experience, which legacy system is going to misinterpret this 
record?

The current RFC is from 2014-15 but the original idea from Mark Delany (then at 
Yahoo now at Apple) has been kicking around from 2006 or so. I remember 
contributing some text to the original draft RFC but can’t find any trace of it 
online right now.

It worked just fine even back then, I assure you. So if there is any legacy MTA 
that still doesn’t accept it, it probably relies on UUCP domain maps or similar.

--srs

From: NANOG on behalf of b...@uu3.net
Date: Friday, 26 February 2021 at 10:51 PM
To: nanog@nanog.org 
Subject: Re: Newbie Question: Is anyone actually using the Null MX (RFC 7505)?
That's cute, but remember that there are a gazillion legacy systems
on the Internet as well. They might have no clue what to do with it..
Also remember that an MTA is supposed to accept email to [ip] too.

In my opinion, it's best to just have no MX record at all.
While an MTA can fall back and try to do delivery by the IN A record, I think
it's not that big a problem. You need to specify for what domains you
accept email anyway. And spammers will not care at all...


-- Original message --

From: Pirawat WATANAPONGSE via NANOG 
To: nanog@nanog.org
Subject: Newbie Question: Is anyone actually using the Null MX (RFC 7505)?
Date: Fri, 26 Feb 2021 17:19:41 +0700

Dear all,


I put the “Null MX” Record (RFC 7505) into one of my domains yesterday,
then those online mail diagnostic tools out there start getting me worried:

It looks like most of those tools do not recognize the Null MX as a special
case; they just complain that they cannot find the mail server at “.”
[Sarcasm: as if the root servers are going to provide mail service to a
mere mortal like me!]

Among a few shining exceptions (in a good way) is the good ol’
https://bgp.he.net/ which does not show that domain as having any MX record.
[maybe it is also wrong, in the other direction?]

I fear that the MTAs are going to behave that same way, treating my Null MX
as a “misconfigured mail server name” and that my record will mean
unnecessary extra queries to the root servers. [well, minus cache hit]

So, here comes the questions:
1. Is there anyone actively using this Null MX? If so, may I please see
that actual record line (in BIND zone file format) just to satisfy myself
that I wrote mine correctly?
2. Which one makes more sense from the practical point-of-view: having a
Null MX Record for the no-mail domain, or having no MX record at all?


Thanks in advance for all advice,

--

Pirawat.


Re: Newbie Question: Is anyone actually using the Null MX (RFC 7505)?

2021-02-26 Thread Suresh Ramasubramanian
MTAs don’t care what online analysis tools tell you and setting a null MX for a 
domain that you don’t receive mail for will work just fine, for the reasons 
explained in the rfc

Having no MX means the smtp connection will fall back to the A record for your 
domain if one exists


--srs

From: NANOG  on behalf of Pirawat 
WATANAPONGSE via NANOG 
Sent: Friday, February 26, 2021 3:49:41 PM
To: nanog@nanog.org 
Subject: Newbie Question: Is anyone actually using the Null MX (RFC 7505)?

Dear all,


I put the “Null MX” Record (RFC 7505) into one of my domains yesterday, then 
those online mail diagnostic tools out there start getting me worried:

It looks like most of those tools do not recognize the Null MX as a special 
case; they just complain that they cannot find the mail server at “.”
[Sarcasm: as if the root servers are going to provide mail service to a mere 
mortal like me!]

Among a few shining exceptions (in a good way) is the good ol’ 
https://bgp.he.net/ which does not show that domain as having any MX record.
[maybe it is also wrong, in the other direction?]

I fear that the MTAs are going to behave that same way, treating my Null MX as 
a “misconfigured mail server name” and that my record will mean unnecessary 
extra queries to the root servers. [well, minus cache hit]

So, here come the questions:
1. Is there anyone actively using this Null MX? If so, may I please see that 
actual record line (in BIND zone file format) just to satisfy myself that I 
wrote mine correctly?
2. Which one makes more sense from the practical point-of-view: having a Null 
MX Record for the no-mail domain, or having no MX record at all?


Thanks in advance for all advice,

--

Pirawat.

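The two behaviours Suresh contrasts here, a Null MX versus no MX at all, as an added illustration that is not code from anyone on this thread: a small Python check that parses BIND-style MX lines (including the `IN MX 0 .` line Pirawat asked about), recognises an RFC 7505 Null MX, and decides what a conforming MTA would do with mail for that domain. The .example names and the zone data are constructed; the handling of a "." exchange mixed with real MX records is this example's own defensive choice, not RFC text.

```python
"""Added example (not code from anyone on this thread): how a conforming MTA
treats a domain's MX data under RFC 7505 and RFC 5321. The zone lines below
are constructed test data and the .example domains are placeholders."""
import re
from dataclasses import dataclass
from typing import Dict, List

# A BIND zone-file MX line, e.g.   nomail.example.  3600  IN  MX  0  .
# TTL and class are optional in a zone file, so both groups are optional here.
_MX_LINE = re.compile(
    r"^\s*(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?MX\s+(?P<pref>\d+)\s+(?P<exchange>\S+)\s*$",
    re.IGNORECASE,
)

SAMPLE_ZONE = """
; constructed test data, not real domains
nomail.example.   3600  IN  MX  0   .                   ; RFC 7505 null MX
mail.example.     3600  IN  MX  20  mx2.mail.example.
mail.example.     3600  IN  MX  10  mx1.mail.example.
mixed.example.    3600  IN  MX  0   .                   ; forbidden: null MX beside a real MX
mixed.example.    3600  IN  MX  10  mx.mixed.example.
nomx.example.     3600  IN  A   192.0.2.25              ; no MX at all, only an address
"""


@dataclass(frozen=True)
class MXRecord:
    preference: int
    exchange: str


def parse_mx_lines(zone_text: str) -> Dict[str, List[MXRecord]]:
    """Collect the MX RRset for each owner name found in BIND zone-file text."""
    rrsets: Dict[str, List[MXRecord]] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]  # drop zone-file comments
        m = _MX_LINE.match(line)
        if not m:
            continue  # A/AAAA and other record types are out of scope here
        owner = m.group("owner").lower()
        rrsets.setdefault(owner, []).append(
            MXRecord(int(m.group("pref")), m.group("exchange").lower()))
    return rrsets


def is_null_mx(rrset: List[MXRecord]) -> bool:
    """RFC 7505: a null MX is a single MX with preference 0 and exchange '.'.
    Only this exact shape counts; a '.' beside other MX records is not a null MX."""
    return len(rrset) == 1 and rrset[0].preference == 0 and rrset[0].exchange == "."


def delivery_plan(domain: str, rrsets: Dict[str, List[MXRecord]],
                  has_address_record: bool) -> dict:
    """What a conforming MTA does with mail for `domain`:
    null MX        -> permanent rejection, no A/AAAA lookup, no connection attempt
    no MX at all   -> implicit MX (RFC 5321 section 5.1): try the domain's own A/AAAA
    ordinary MXs   -> try exchanges in ascending preference order
    """
    owner = domain.lower().rstrip(".") + "."
    rrset = rrsets.get(owner, [])
    if is_null_mx(rrset):
        return {"action": "reject", "targets": [], "reason": "null MX (RFC 7505)"}
    if not rrset:
        if has_address_record:
            return {"action": "deliver", "targets": [owner],
                    "reason": "no MX: implicit MX via A/AAAA"}
        return {"action": "reject", "targets": [], "reason": "no MX and no A/AAAA"}
    # Ordinary case. A '.' exchange is not a valid host name, so it can never be
    # connected to; dropping it here is this example's choice for a zone that
    # violates RFC 7505's "MUST NOT advertise any other MX RR".
    usable = sorted((r for r in rrset if r.exchange != "."), key=lambda r: r.preference)
    reason = "MX records in preference order"
    if len(usable) != len(rrset):
        reason += " (ignored '.' exchange mixed with real MXs)"
    return {"action": "deliver", "targets": [r.exchange for r in usable], "reason": reason}


if __name__ == "__main__":
    rrsets = parse_mx_lines(SAMPLE_ZONE)
    for name in ("nomail.example", "mail.example", "mixed.example", "nomx.example"):
        print(name, delivery_plan(name, rrsets, has_address_record=True))
```

The difference that matters operationally is visible in the `nomail` versus `nomx` results: with no MX and a web server's A record, remote MTAs will connect to that host on port 25 and queue or time out, while the Null MX lets them reject at once.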


Re: Famous operational issues

2021-02-19 Thread Suresh Ramasubramanian
He is. He asked a perfectly relevant question based on what he saw of the 
physical setup in front of him.

And he kept his cool when being talked down to.

I’d hire him the next minute, personally speaking.

From: Sabri Berisha 
Date: Friday, 19 February 2021 at 2:02 PM
To: Suresh Ramasubramanian 
Cc: nanog 
Subject: Re: Famous operational issues
On Feb 18, 2021, at 11:51 PM, Suresh Ramasubramanian  
wrote:

>> On 2/19/21 00:37, Warren Kumari wrote:

>> and says "'K. So, you doing a full iBGP mesh, or confeds?". I really hadn't
>> intended to be a condescending ass, but I think of that every time I realize 
>> I
>> might be assuming something about someone based on their attire/job/etc.

> Did you at least hire the janitor?

Well, it's funny that you mention that because I worked at a place where the
company ended up hiring a young lady who worked in the cafeteria. When she
graduated she was offered a job in HR, and turned out to be absolutely awesome.

At some point in my life, I was carrying 50lbs bags of potato starch. Now I have
two graduate degrees and am working on a third. That janitor may be awesome, 
too!

Thanks,

Sabri


Re: Famous operational issues

2021-02-18 Thread Suresh Ramasubramanian
Did you at least hire the janitor?

From: NANOG  on behalf of Mark 
Tinka 
Date: Friday, 19 February 2021 at 10:20 AM
To: nanog@nanog.org 
Subject: Re: Famous operational issues

On 2/19/21 00:37, Warren Kumari wrote:

5: Another one. In the early 2000s I was working for a dot-com boom company. We 
are building out our first datacenter, and I'm installing a pair of Cisco 7206s 
in 811 10th Ave. These will run basically the entire company, we have some 
transit, we have some peering to configure, we have an AS, etc. I'm going to be 
configuring all of this; clearly I'm a router-god...
Anyway, while I'm getting things configured, this janitor comes past, wheeling 
a garbage bin. He stops outside the cage and says "Whatcha doin'?". I go into 
this long explanation of how these "routers" will connect to "the Internet" to 
allow my "servers" to talk to other "computers" on "the Internet". He pauses 
for a second, and says "'K. So, you doing a full iBGP mesh, or confeds?". I 
really hadn't intended to be a condescending ass, but I think of that every 
time I realize I might be assuming something about someone based on their 
attire/job/etc.

:-), cute.

Mark.


Re: Vint Cerf & Interplanetary Internet

2020-10-22 Thread Suresh Ramasubramanian
Perfect. Where do I sign up?

--srs

From: NANOG  on behalf of C. A. 
Fillekes 
Sent: Thursday, October 22, 2020 12:53 PM
To: Mark Andrews
Cc: NANOG mailing list
Subject: Re: Vint Cerf & Interplanetary Internet


the subgroup for networks on aspherical planetoids would be EGGNOG -- we only 
meet during the holidays

On Wed, Oct 21, 2020 at 11:59 PM Mark Andrews <ma...@isc.org> wrote:
It wouldn’t be NANOG.  Perhaps LUNOG or MOONOG.

> On 22 Oct 2020, at 14:07, scott weeks <sur...@mauigateway.com> wrote:
>
>
> *From:* NANOG <gmail@nanog.org> on behalf of Rod Beck <rod.b...@unitedcablecompany.com>
>> https://www.quantamagazine.org/vint-cerfs-plan-for-building-an-internet-in-space-20201021/
> --------
>
> On 10/21/20 2:27 PM, Suresh Ramasubramanian wrote:
>
> Right. This means we are going to catch a spaceship for a future nanog / have
> interplanetary governance federation debates with space aliens from Andromeda,
> and we will finally run out of v6 and ipv9 will rule the roost while there’s a
> substantial aftermarket + hijack scene going on for the last remaining v6 
> blocks.
> 
>
>
> More like IP to Nokia's new cell network on the moon:
>
> https://www.theguardian.com/science/2020/oct/20/talking-on-the-moon-nasa-and-nokia-to-install-4g-on-lunar-surface
> (Everyone on the moon will want to have access to LOL cats!)
>
> Or... using DTN (https://datatracker.ietf.org/wg/dtn/about) to reach Mars and 
> other
> planets by being relayed through communications relay satellites similar to 
> the
> Mars Telecommunication Orbiter (canceled),  Mars Odyssey or Mars
> Reconnaissance Orbiter spacecraft.
>
> Or... IP to robots visiting other non-planet objects in the solar system like
> comets/asteroids:
> https://spacenews.com/osiris-rex-touches-down-on-asteroid
> https://www.bbc.com/news/science-environment-47293317
>
> Or... 
>
> The IPI idea has been around for a long time now:
> https://en.wikipedia.org/wiki/Interplanetary_Internet
>
> The main question is will NANOG On The Road meet on the moon?  I missed
> the only Hawaii one, so maybe I could make the moon one!
>
> scott

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Re: Vint Cerf & Interplanetary Internet

2020-10-21 Thread Suresh Ramasubramanian
Right. This means we are going to catch a spaceship for a future nanog / have 
interplanetary governance federation debates with space aliens from Andromeda, 
and we will finally run out of v6 and ipv9 will rule the roost while there’s a 
substantial aftermarket + hijack scene going on for the last remaining v6 
blocks.

--srs

From: NANOG  on behalf of Rod Beck 

Sent: Thursday, October 22, 2020 4:50:25 AM
To: nanog@nanog.org 
Subject: Vint Cerf & Interplanetary Internet

https://www.quantamagazine.org/vint-cerfs-plan-for-building-an-internet-in-space-20201021/


Roderick Beck

VP of Business Development

United Cable Company

www.unitedcablecompany.com

New York City & Budapest

rod.b...@unitedcablecompany.com

Budapest: 36-70-605-5144

NJ: 908-452-8183




Re: Consolidation of Email Platforms Bad for Email?

2020-09-07 Thread Suresh Ramasubramanian via NANOG
I don’t know. Do I miss the days of every person and their dog running a mail 
server on a Linux server in a basement cupboard?

Huge crowds and high drama on nanae and spam-l type places

You never know whether your mail is going to get through or not because of 
weird and wonderful notions about spam filtering

No shortage of open relays and hacked Matt Wright formmail.pl

Whoever heard of backup?
(etc)




--srs

From: NANOG  on behalf of Mike 
Hammett via NANOG 
Sent: Tuesday, September 8, 2020 3:57:27 AM
To: NANOG 
Subject: Consolidation of Email Platforms Bad for Email?

I originally asked on mailops, but here is a much wider net and I suspect 
there's a lot of overlap in interest.


I had read an article one time, somewhere about the ongoing consolidation of 
e-mail into a handful of providers was bad for the Internet as a whole. It was 
some time ago and thus, the details have escaped me, so I was looking to 
refresh my recollection.

Have any of you read a similar article before? If so, can you link me to it?



-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com



Re: Constant Abuse Reports / Borderline Spamming from RiskIQ

2020-04-15 Thread Suresh Ramasubramanian
The first warning sign would be where they discuss your AUP and exceptions / 
corner cases to it

--srs

From: NANOG  on behalf of Ross Tajvar 
Sent: Thursday, April 16, 2020 9:03:58 AM
To: Rich Kulawiec 
Cc: North American Network Operators' Group 
Subject: Re: Constant Abuse Reports / Borderline Spamming from RiskIQ

On Wed, Apr 15, 2020 at 8:52 AM Rich Kulawiec <r...@gsp.org> wrote:
there are
all kinds of things that can be done to detect problematic customers
before you sign them up and once they're in place.

Hey Rich,

Can you give some examples of the things you mention above? I'm not doing much 
in terms of customer filtering and would be interested to hear what others 
consider best practice.

-Ross


Re: Constant Abuse Reports / Borderline Spamming from RiskIQ

2020-04-13 Thread Suresh Ramasubramanian
Handle it in a reasonable amount of time, and please prioritize phishing 
somewhere after the usual threat to life / child abuse type cases (which are, 
fortunately, comparatively rare).  Phishes put people at risk of losing their 
life savings, and especially with covid already threatening to make that 
happen, that’s something we must all work to prevent.

There are providers that are good at handling abuse and responding as well (if 
only with boilerplate text and an automated ticket closure email, that’s fine.. 
as long as the threat is addressed I wouldn’t even need a reply) while there 
are others that have substantial abuse automation but are slow to respond at 
times, while others have no significant abuse prevention AND are slow to 
respond.

If, for whatever reason, the abuse load on a network goes out of control then 
the network does get pressured by escalation in one form or the other. 
Corporate contacts in this individual’s case, could be reports to various 
upstreams in some other case.

--srs
From: Matt Corallo 
Date: Tuesday, 14 April 2020 at 12:41 AM
To: Suresh Ramasubramanian 
Cc: Tom Beecher , Kushal R. , Nanog 
, Rich Kulawiec 
Subject: Re: Constant Abuse Reports / Borderline Spamming from RiskIQ
I don’t really get the point of bothering, then. AWS takes about ~forever to 
respond to SES phishing reports, let alone hosting abuse, and other, cheaper, 
hosts/mailers (OVH etc come up all the time) don’t bother at all. Unless you 
want to automate “1 report = drop customer”, you’re saying that we should all 
stop hosting anything?


On Apr 13, 2020, at 11:50, Suresh Ramasubramanian  wrote:

RiskIQ reports phish URLs for large brands

The life cycle of a typical phish campaign is in hours but I guess people can 
live with 24. If you handle the complaint only after two business days, that’s 
closing the barn door after the horse has bolted and crossed a state line.

--srs

From: NANOG  on behalf of Tom Beecher 

Sent: Tuesday, April 14, 2020 12:11:18 AM
To: Kushal R. 
Cc: Nanog ; Rich Kulawiec 
Subject: Re: Constant Abuse Reports / Borderline Spamming from RiskIQ

I would agree that Twitter is not a primary place for abuse reporting.

If they are reporting things via your correct abuse channel and you are indeed 
handling them within 48 business hours, then I would also agree this much extra 
spray and pray is excessive. However RiskIQ is known to be pretty responsible, 
so if they are doing this they likely feel like they are NOT getting 
appropriate responses from you and are resorting to scorched earth. Have you 
attempted to reach out to them and make sure they have the proper direct 
channel for abuse reporting?

On Mon, Apr 13, 2020 at 1:45 PM Kushal R. <kusha...@h4g.co> wrote:
All abuse reports that we receive are dealt with within 48 business hours. As far as 
that tweet is concerned, it’s pending for 16 days because they have been 
blocked from sending us any emails due to the sheer amount of emails they 
started sending and then our live support chats.

We send our abuse reports too, but we don’t spam them to every publicly 
available email address for an organisation. It isn’t difficult to look up the 
Abuse POC for an IP or network, and just because you do not get a response in 24 
hours does not mean you forward the same report to 10 other email addresses. 
Similarly, Twitter isn’t a place to report abuse either.



On Apr 13, 2020 at 9:37 PM, <r...@gsp.org> wrote:

   On Mon, Apr 13, 2020 at 07:55:37PM +0530, Kushal R. wrote:
   > We understand these reports and deal with them as per our policies and
   > timelines but this constant spamming by them from various channels is not
   > appreciated.

   Quoting from: https://twitter.com/RiskIQ_IRT/status/1249696689985740800
   which is dated 9:15 AM 4/13/2020:

   5 #phishing URLs on admin12.find-textbook[.]com were reported to
   @Host4Geeks (Walnut, CA) from as far back as 16 days ago, and they
   are all STILL active

   16 days is unacceptable. If you can't do better than that -- MUCH better --
   then shut down your entire operation today as it's unworthy of being any
   part of the Internet community.

   ---rsk


Re: Constant Abuse Reports / Borderline Spamming from RiskIQ

2020-04-13 Thread Suresh Ramasubramanian
RiskIQ reports phish URLs for large brands

The life cycle of a typical phish campaign is in hours but I guess people can 
live with 24. If you handle the complaint only after two business days, that’s 
closing the barn door after the horse has bolted and crossed a state line.

--srs

From: NANOG  on behalf of Tom Beecher 

Sent: Tuesday, April 14, 2020 12:11:18 AM
To: Kushal R. 
Cc: Nanog ; Rich Kulawiec 
Subject: Re: Constant Abuse Reports / Borderline Spamming from RiskIQ

I would agree that Twitter is not a primary place for abuse reporting.

If they are reporting things via your correct abuse channel and you are indeed 
handling them within 48 business hours, then I would also agree this much extra 
spray and pray is excessive. However RiskIQ is known to be pretty responsible, 
so if they are doing this they likely feel like they are NOT getting 
appropriate responses from you and are resorting to scorched earth. Have you 
attempted to reach out to them and make sure they have the proper direct 
channel for abuse reporting?

On Mon, Apr 13, 2020 at 1:45 PM Kushal R. <kusha...@h4g.co> wrote:
All abuse reports that we receive are dealt with within 48 business hours. As far as 
that tweet is concerned, it’s pending for 16 days because they have been 
blocked from sending us any emails due to the sheer amount of emails they 
started sending and then our live support chats.

We send our abuse reports too, but we don’t spam them to every publicly 
available email address for an organisation. It isn’t difficult to look up the 
Abuse POC for an IP or network, and just because you do not get a response in 24 
hours does not mean you forward the same report to 10 other email addresses. 
Similarly, Twitter isn’t a place to report abuse either.


On Apr 13, 2020 at 9:37 PM, <r...@gsp.org> wrote:


   On Mon, Apr 13, 2020 at 07:55:37PM +0530, Kushal R. wrote:
   > We understand these reports and deal with them as per our policies and
   > timelines but this constant spamming by them from various channels is not
   > appreciated.

   Quoting from: https://twitter.com/RiskIQ_IRT/status/1249696689985740800
   which is dated 9:15 AM 4/13/2020:

   5 #phishing URLs on admin12.find-textbook[.]com were reported to
   @Host4Geeks (Walnut, CA) from as far back as 16 days ago, and they
   are all STILL active

   16 days is unacceptable. If you can't do better than that -- MUCH better --
   then shut down your entire operation today as it's unworthy of being any
   part of the Internet community.

   ---rsk


Re: Constant Abuse Reports / Borderline Spamming from RiskIQ

2020-04-13 Thread Suresh Ramasubramanian
RiskIQ is a known good player.  If there’s a stream of abuse reports maybe 
removing whatever customer it is might be a good idea?

I am not sure why they are sending out mail to every contact they can find 
though.  Are abuse tickets resolved in a timely manner?

From: NANOG 
Date: Monday, 13 April 2020 at 7:57 PM
To: NANOG list 
Subject: Constant Abuse Reports / Borderline Spamming from RiskIQ
From the past few months we have been receiving a constant stream of abuse 
reports from a company that calls themselves RiskIQ (RiskIQ.com).

The problem isn’t the abuse reports themselves but the way they send them. We 
receive copies of the report on our sales, billing, TECH-POCs and almost 
every other email address of ours that is available publicly. It doesn’t 
end there: they even come online on our website and start using our support live 
chat, and as recently as tomorrow I see that they have now started using 
Twitter (@riskiq_irt) to do the same.

We understand these reports and deal with them as per our policies and 
timelines but this constant spamming by them from various channels is not 
appreciated.

Does anyone have a similar experience with them?


Re: Tell me about AS19111

2020-02-05 Thread Suresh Ramasubramanian
I do get some results from an online whois or two - https://ipinfo.io/AS19111

nbty.com is registered with Markmonitor so presumably they’re legit enough and 
large enough to afford brand protection.  “Natures Bounty Inc” sounds like a 
reasonable name for a vendor of vitamins.

ASNumber:   19111
ASName: NBTY19111
ASHandle:   AS19111
RegDate:2016-02-01
Updated:2016-02-01
Ref:https://whois.arin.net/rest/asn/AS19111


OrgName:NBTY, Inc.
OrgId:  NATURE-24
Address:60 Orville Drive
City:   Bohemia
StateProv:  NY
PostalCode: 11716
Country:US
RegDate:2000-11-20
Updated:2016-01-20
Ref:https://whois.arin.net/rest/org/NATURE-24


OrgAbuseHandle: MRO234-ARIN
OrgAbuseName:   Roberts, Marlon
OrgAbusePhone:  +1-631-200-5305
OrgAbuseEmail:  mrobe...@nbty.com
OrgAbuseRef:https://whois.arin.net/rest/poc/MRO234-ARIN

OrgTechHandle: MRO234-ARIN
OrgTechName:   Roberts, Marlon
OrgTechPhone:  +1-631-200-5305
OrgTechEmail:  mrobe...@nbty.com
OrgTechRef:https://whois.arin.net/rest/poc/MRO234-ARIN

OrgNOCHandle: MRO234-ARIN
OrgNOCName:   Roberts, Marlon
OrgNOCPhone:  +1-631-200-5305
OrgNOCEmail:  mrobe...@nbty.com
OrgNOCRef:https://whois.arin.net/rest/poc/MRO234-ARIN

12.13.211.0/24     AT&T Services, Inc.        256
12.154.146.0/24    NBTY, INC                  256
12.154.150.0/24    NBTY, INC                  256
12.180.219.0/24    NBTY, INC                  256
12.35.230.0/24     NBTY, INC                  256
144.121.136.0/24   The Nature's Bounty Co.    256
63.116.19.0/24     NBTY GLOBAL INC            256


From: NANOG 
Date: Thursday, 6 February 2020 at 7:02 AM
To: nanog@nanog.org 
Subject: Tell me about AS19111
1800vitamins.org has a web site at 12.180.219.234 which looks like
they would sell me vitamins should I or my dog need any.

Routeviews tells me that IP is in AS19111, routed via AS7018.  AS7018
is AT&T which isn't surprising for a 12/8 address, but ARIN says
AS19111 doesn't exist.  Huh?

Signed,
Confused
--
Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly


Re: Prominent horse racing identities (was Re: Elad Cohen)

2020-01-27 Thread Suresh Ramasubramanian
Jesus was crucified during the later years of the reign of Tiberius

Hadrian on the other hand would have been loved by 45 for his dedication to 
building the wall

--srs


From: NANOG  on behalf of Mark Seiden 
Sent: Monday, January 27, 2020 11:47 PM
To: Large Hadron Collider; Valdis Klētnieks
Cc: nanog@nanog.org
Subject: Re: Prominent horse racing identities (was Re: Elad Cohen)

Wasn’t Hadron a Roman emperor who can somehow be blamed for the killing of 
Jesus?
(or was that Jebus?)

or was that Hadrian?  I forget…)

(jest sayin’…)




On Jan 27, 2020, 9:41 AM -0800, Valdis Klētnieks , 
wrote:
On Mon, 27 Jan 2020 07:10:02 +, Large Hadron Collider said:
As much as Mr Cohen's minor libel of Spamhaus and ARIN exposes him as perhaps
having something to hide on this subject, Mr Guilmette's message here, among
the other screeds of his I have read, seems to leak anti-Semitism from its
every fetid, infected pore.

Man, that must be one really high-frequency dog whistle, because I'm not 
seeing it.

The closest I can come is the statement that "Cohen sits in impunity in
Israel", which combined the next part about him having a US based lawyer, only
indicated to me that getting the US legal system to get the Israel legal system
to do something is difficult.

And tagging on "every fetid, infected pore" certainly demonstrates that you
don't have any real intention of being fair-minded.

List management: I think we have a good candidate for somebody to be
frog-marched to the exit.


Re: Anyone have contacts at Bharti Airtel?

2019-12-07 Thread Suresh Ramasubramanian
Post on sa...@sanog.org there should be some Airtel people there

@anurag can you please forward to someone there

--srs


From: NANOG  on behalf of Elmar K. Bins 
Sent: Saturday, December 7, 2019 3:40 PM
To: Bottiger
Cc: nanog@nanog.org
Subject: Re: Anyone have contacts at Bharti Airtel?

bottige...@gmail.com (Bottiger) wrote:

> Does anyone have any contacts at Bharti Airtel? I either get no response or
> full inbox for emails in their WHOIS at AS9498 and AS24560.

Hi, if you get a response, please share...I'm also at a loss there...

Elmar.


Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?

2019-09-06 Thread Suresh Ramasubramanian
The fact that the port authority building is also an office building with 
multiple other tenants?

Whois contacts on a defunct domain belonging to an Australian government port 
authority agency that’s since been renamed don’t appear to support your 
hypothesis that this is another tenant of a government owned building.

--srs


From: NANOG  on behalf of Mel Beckman 

Sent: Saturday, September 7, 2019 5:30 AM
To: Ronald F. Guilmette
Cc: nanog@nanog.org
Subject: Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?

Ron,

I’m just saying that I randomly checked one fact and it doesn’t meet the level 
of positive certainty that you asserted. It’s thus reasonable to ask you to 
double check your research all around. I’m not willing to be your unpaid copy 
editor, so let me know when you’ve done a double check and I’ll be willing to 
invest time in your story again.

-mel via cell

> On Sep 6, 2019, at 2:07 PM, Ronald F. Guilmette  
> wrote:
>
> In message <23540.1567802...@segfault.tristatelogic.com>, I wrote:
>
>> Is anyone disputing that 168.198.0.0/16 belongs to the Australian
>> national government, or that AS174, Cogent was, until quite recently,
>> routing that down to their pals at FDCServers who then were routing
>> it down to their customer, Elad Cohen? If so, I ask that people look
>> up this network in the RIPE Routing history tool and ALSO that folks
>> have a look at, and explain, the following traceroute from August 23:
>>
>> https://pastebin.com/raw/2nJtbwjs
>
> My apologies. In my furious haste, I botched that one URL. Here is the
> correct file containing my traceroute to 168.198.12.242 as performed by
> me on August 23rd:
>
> https://pastebin.com/raw/TrLbGZuW
>
>
> Regards,
> rfg


INNOG 2 cfp 7/1 to 7/4 New Delhi, India

2019-05-20 Thread Suresh Ramasubramanian
NANOG folks - I recognize that this is rather late notice for your travel 
schedules but if you happen to be in the region or have teams in India please 
do attend, or forward this. Thanks.

INNOG 2: Call for papers

The following is an open call for presentations for the conference and tutorial 
sessions for the 2nd Indian Network Operators Group (INNOG) Meeting being 
hosted from 1st July to 4th July 2019 in New Delhi, India.

Important dates regarding the Call for Papers:

Call For Papers Open: Now
First Draft Program Published: 25th June 2019
Deadline For Proposals: 20th June 2019
INNOG 2 Conference: 1st July 2019
INNOG 2 Workshops: 2nd July to 4th July 2019

Please submit Online at
https://submission.apnic.net/user/login.php?event=94

Event website: https://www.innog.net/

Note: Any marketing, sales and vendor proprietary content in the presentation 
is against the spirit of INNOG and it is strictly prohibited.

We are looking forward to welcoming you to INNOG 2 in New Delhi, India.

Thanks and warm regards,

On behalf of the INNOG 2 Program Committee

--srs


Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation

2019-04-26 Thread Suresh Ramasubramanian
Even among the network security community the number of people who track bgp 
hijacks and gather data is quite small yet such people do exist and have been 
active in speaking for this proposal when the same thing was discussed on the 
ripe anti abuse wg to an expected chorus of "we are not the internet police"

--srs

From: NANOG  on behalf of JORDI PALET MARTINEZ via 
NANOG 
Sent: Saturday, April 27, 2019 3:58 AM
To: Jon Lewis
Cc: North American Network Operators' Group
Subject: Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy 
Violation

It may happen that the end of the discussion is, instead of a group of experts, 
we need something different, or may be a compensation for them is needed, or 
instead of a complex policy we need a simple one, in the line of:
"The resources are allocated for the exclusive use of the recipient. 
Consequently, other members can't use them (unless authorized by the legitimate 
resource-holder) and not following this rule is a policy violation".






Re: friday fun - geko outsge

2019-03-15 Thread Suresh Ramasubramanian
Was it trying to help them save on car insurance?

On 16/03/19, 6:49 AM, "NANOG on behalf of Scott Weeks" wrote:



I thought some here might enjoy this. 

--
Technician arrived onsite and found no issue with the 
fiber connection back to the CO. Tech then attempted 
to reseat the SM-A card and found a gecko in the card 
slot. Technician removed the gecko and verified that 
equipment was back in service after slotting back the 
card.
--

Troubleshooting in the tropics... :-)

scott





Re: FB?

2019-03-14 Thread Suresh Ramasubramanian
That's a 2010 outage that someone dug out and was doing the rounds as a new one

--srs


From: NANOG  on behalf of cosmo 

Sent: Thursday, March 14, 2019 9:50 PM
To: Bryan Holloway
Cc: nanog@nanog.org
Subject: Re: FB?

Facebook pushed an update to their code that manages cookies, that had a rather 
severe bug in it that resulted in a large flood of requests to their database 
servers. To deal with this load, they had to prevent all writes and then slowly 
allow people back on.

I saw the writeup for it last night but cannot seem to find it now! Grrr. Did I 
dream it?

On Thu, Mar 14, 2019 at 8:42 AM Bryan Holloway 
mailto:br...@shout.net>> wrote:

On 3/14/19 9:06 AM, Tom Beecher wrote:
> As much as I wanted to crack jokes because I cannot stand Facebook (the
> product), much love to all you FB engineers that went through (and are
> probably still going through) much hell.
>

+1 on both counts.

We've all been there; no bueno.


Re: A Zero Spam Mail System [Feedback Request]

2019-02-20 Thread Suresh Ramasubramanian
I've tried never to hand write a sendmail.cf, to be honest - I doubt even the 
sendmail authors recommended being that brave :). And I haven't done all that 
much with dmarc beyond using it.

--srs


From: NANOG  on behalf of Brielle Bruns 

Sent: Thursday, February 21, 2019 4:01 AM
To: nanog@nanog.org
Subject: Re: A Zero Spam Mail System [Feedback Request]

On 2/20/2019 1:22 PM, Matthew Black wrote:
> Have you ever created a sendmail.cf without using M4?

Well, that brought back memories I did not want to revisit.

You are going to make me want to take up drinking.

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org


Re: A Zero Spam Mail System [Feedback Request]

2019-02-17 Thread Suresh Ramasubramanian
... and of all those, once you solve v6 multihoming (possibly with ipv9) do 
come back to nanog where I'm sure it will be operational.

On 18/02/19, 8:23 AM, "NANOG on behalf of Michel Py"  wrote:

> Viruthagiri Thirumavalavan wrote :
> I solved the email spam problem.

Oh, this is wonderful news.
There are plenty of other problems that need your brilliance. In no 
specific order :

- Global warming.
- Nuclear proliferation.
- Peace in the middle east.
- World hunger.
- IPv6 multihoming.

We will be looking for your next improvement.






Re: A Zero Spam Mail System [Feedback Request]

2019-02-17 Thread Suresh Ramasubramanian
There's this small percentage of cranks that are brilliant Doc Emmett
Brown level inventors who come up with truly brilliant products and
solutions.  And then there's the much larger percentage of cranks that
have a bad idea that they're prepared to defend to the last.  Very
well then ..

On Mon, Feb 18, 2019 at 7:51 AM Brielle  wrote:
>
> You literally lost my interest in reading your solution when I realized that 
> 99.999% of this post is just you railing against people.
>
> People are right, if you can’t get my attention in 50 words, then either your 
> solution isn’t a solution but a marketing ploy, or you need someone who 
> actually knows how to present things to people in this field.
>
> Im a former DNSbl maintainer - I get excited over new anti spam solutions and 
> love to throw resources at new solutions.
>
> So yeah, this is a non starter.
>
> Sent from my iPhone
>
> On Feb 17, 2019, at 7:03 PM, Viruthagiri Thirumavalavan  
> wrote:
>
> Hello Everyone,
>
> My name is Viruthagiri Thirumavalavan. I'm the guy who proposed SMTP over TLS 
> on Port 26 last month. I'm also the guy who attacked (???) John Levine.
>
> Today I have something to show you.
>
> Long story short I solved the email spam problem. Well... Actually I 
> solved it long time back. I'm just ready to disclose it today. Again...
>
> Yeah.. Yeah.. Yeah... If only I had a dime for every time people insult me 
> for saying "I solved the spam problem"
>
> They usually start with the insult like "You think you are the inventor of 
> FUSSP?"
>
> These guys always are the know-it-all assholes. They don't listen. They don't 
> want to listen. They are like barking dogs. If one started to bark, everyone 
> else gets the courage to do the same thing.
>
> I'm tired of fighting these assholes in every mailing list.  I'm on your side 
> morons. So how about you all knock it off?
>
> Six months back, it was John Levine who humiliated me in the DMARC list. 
> Apparently, for him 50 words are enough to attack me.
>
> Töma Gavrichenkov and Suresh Ramasubramanian even started to defend this man 
> saying 50 words are enough to judge a 50,000 words paper.  [We are gonna 
> figure it out today]
>
> --
>
> @Töma Gavrichenkov
>
>> In theory, I can easily recall a few cases in my life when going
>> through just 50 words was quite enough for a judgment.
>
>
> How can you be so sure that you didn't fuck up any of the lives of these 
> "few cases"? Or in more technical terms, how can you be absolutely sure that 
> there are no "False Positives"?
>
> --
>
> @Suresh Ramasubramanian
>
>> Yes, 50 words are more than enough to decide a bad idea is bad.  You don't 
>> have to like that, or like any of us, but facts are facts
>
>
> Merely appending the text "facts are facts" not gonna convert a bullshit 
> statement into a fact.
>
> You know what's the meaning of the word "fact"? It's a statement that can be 
> proved TRUE.
>
> Let's do a little experiment. 100 researchers present their lifetime work to 
> us. Each of their research papers contains 50,000 words. We are gonna judge 
> them.
>
> You are gonna judge them based on only the first 50 words. And I'm gonna 
> judge them by tossing a coin. Can you guess who is gonna fuck up fewer 
> researchers' lives?
>
> I'm claiming that I solved the email spam problem. If that's true, then you 
> should know, common sense is one of the very basic requirements for that.
>
> I designed my email system. Every inch of it. I wrote my research paper. 
> Every word of it. I made my prototype video. Every second of it. So I'm the 
> captain of my ship. Not you. But you all think you know my system better than 
> me? That too, with only 50 words?
>
> My research paper has around 50,000 words. And you think 50 words are enough 
> to judge my work? Let me make sure I get this right. You are all saying, you 
> know what's in the rest of the 49,950 words based on only the first 50 words? 
> That's stupid on so many levels.
>
> If you are gonna do a half-assed job and relay that misinformation to 
> thousands of people, why volunteer in the first place? And by the way, by 
> saying you are all doing half-assed job, I'm actually insulting the people 
> who are REALLY doing the half-assed job.
>
> --
>
> John Levine vs. me
>
> One month back, some of you may have noticed a thread created by John Levine 
> where he goes like "He's Forum Shopping". The whole gist of that message was 
> "We already have DANE and MTA-STS. We do

Re: yet another round of SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request]

2019-01-12 Thread Suresh Ramasubramanian
To the OP

Other people try to sugar coat what they tell you

John has never minced his words in the past two decades that I know him and 
that's good

Yes, 50 words are more than enough to decide a bad idea is bad.  You don't have 
to like that, or like any of us, but facts are facts

--srs

From: NANOG  on behalf of Töma Gavrichenkov 

Sent: Sunday, January 13, 2019 4:48 AM
To: Viruthagiri Thirumavalavan
Cc: John Levine; nanog list
Subject: Re: yet another round of SMTP Over TLS on Port 26 - Implicit TLS 
Proposal [Feedback Request]

On Sun, Jan 13, 2019 at 12:51 AM Viruthagiri Thirumavalavan
 wrote:
> 5 months back I posted my spam research on DMARC list.
> You have gone through only 50 words and judged my work.
> The whole thread gone haywire because of you. I was
> humiliated there and left.

By the way, since that you've left no traces of whatever piece of work
you've posted to that list. The website is empty, slides are removed
from Speakerdeck, etc.

In theory, I can easily recall a few cases in my life when going
through just 50 words was quite enough for a judgment.

> To be very honest, I don't like you.

Please keep our busy mailing list out of this information, though for
me it's a valuable piece of data that someone I don't know personally
doesn't like someone else.

> Although I don't like you, I still managed to respond politely in
> IETF lists. Again... In that list the only thing you did was
> attacking my work.

So, I've read the whole thread, and, as far as I can see, there was
nothing coming from John except for a balanced judgement.

> And then please tell me this man is not biased at all.

Sorry, he's not.

--
Töma


Re: SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request]

2019-01-11 Thread Suresh Ramasubramanian
Any place that has a TLS misconfig will pretty much notice it very quickly 
indeed

Opportunistic just means use TLS if it is advertised as available, else continue 
unencrypted.  Not sure why encountering a STARTTLS negates it.

To the OP - what's the point of hiding the hostname in the smtp banner?  You 
already know from the dns. Concerned about the MTA version? You can configure 
postfix to claim it is exchange or avian carrier for that matter

--srs


From: Constantine A. Murenin 
Sent: Saturday, January 12, 2019 10:08 AM
To: Suresh Ramasubramanian
Cc: nanog@nanog.org
Subject: Re: SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request]

On Fri, 11 Jan 2019 at 22:00, Suresh Ramasubramanian
 wrote:
> Most new MTA implementations over the past several years default to TLS with 
> strong ciphers. So how much of a problem is low or no TLS right now?

The real problem is that opportunistic StartTLS stops being
opportunistic the minute you encounter a `STARTTLS` extension on
`EHLO`.

At that point and henceforth, TLS is pretty much 100% mandatory.

What happens if there are SSL negotiation failures? I'll tell you
what happens — the sender will receive a few bounces, X hours and Y
days after sending the mail; recipient doesn't receive anything at
all. (Unless, of course, one of the administrators would magically
decide to change the SSL options in the meantime to be compatible, or
to disable the "opportunistic" StartTLS to start with, before the
final bounce gets generated by the MTA of the sender.)

These problems are real. They're already happening today. StartTLS
being "opportunistic" is a pretty big scam.

C.
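The delivery behaviour the two posts above disagree about, as an added example that is not code from any MTA or from anyone in the thread: a toy model of four outbound TLS policies ("none", truly opportunistic "may", the advertised-but-failing-means-defer behaviour Constantine describes as "may_strict", and mandatory "encrypt") run against a remote MX that advertises STARTTLS but only offers cipher suites the local policy prohibits. The policy names, cipher-suite names and the retry count are constructed for illustration.

```python
"""Toy model of how a sending MTA's TLS policy turns a STARTTLS negotiation
failure into cleartext delivery, a deferral, or eventually a bounce.
Added example: not the code of any real MTA; all names are constructed."""
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    DELIVERED_TLS = "delivered over TLS"
    DELIVERED_PLAIN = "delivered in cleartext"
    DEFERRED = "deferred, will retry"
    BOUNCED = "bounced to sender"


@dataclass(frozen=True)
class RemoteMX:
    """Constructed stand-in for the receiving server as seen after EHLO."""
    advertises_starttls: bool
    # Cipher suites the remote would accept (illustrative names only).
    ciphers: frozenset = frozenset()


@dataclass(frozen=True)
class TlsPolicy:
    """Sending-side policy.  mode is one of:
       none        never attempt STARTTLS
       may         truly opportunistic: use TLS if advertised, fall back to
                   cleartext when the handshake fails
       may_strict  once STARTTLS is advertised a failed handshake is treated
                   as a temporary error, so the message is deferred rather
                   than sent in cleartext (the behaviour described above)
       encrypt     TLS mandatory: no STARTTLS, or a failed handshake, defers
    """
    mode: str
    allowed_ciphers: frozenset
    max_attempts: int = 4   # deferrals before the queue gives up (constructed)


def handshake_ok(policy, mx):
    """Local policy mandating an allowed cipher set: the handshake succeeds
    only if both sides agree on at least one suite."""
    return bool(policy.allowed_ciphers & mx.ciphers)


def attempt(policy, mx):
    """One delivery attempt; returns the per-attempt outcome."""
    if policy.mode == "none":
        return Outcome.DELIVERED_PLAIN
    if not mx.advertises_starttls:
        return Outcome.DEFERRED if policy.mode == "encrypt" else Outcome.DELIVERED_PLAIN
    if handshake_ok(policy, mx):
        return Outcome.DELIVERED_TLS
    # STARTTLS was advertised but negotiation failed.
    if policy.mode == "may":
        return Outcome.DELIVERED_PLAIN
    return Outcome.DEFERRED


def deliver(policy, mx):
    """Run the queue: retry deferrals up to max_attempts, then bounce.
    Returns (final_outcome, attempts_made)."""
    for n in range(1, policy.max_attempts + 1):
        result = attempt(policy, mx)
        if result is not Outcome.DEFERRED:
            return result, n
    return Outcome.BOUNCED, policy.max_attempts


# Constructed scenario from the thread: the remote advertises STARTTLS but
# only speaks suites our local policy prohibits, so every handshake fails.
MISMATCHED_MX = RemoteMX(True, frozenset({"RC4-SHA", "DES-CBC3-SHA"}))
MODERN_MX = RemoteMX(True, frozenset({"ECDHE-RSA-AES128-GCM-SHA256"}))
LOCAL_ALLOWED = frozenset({"ECDHE-RSA-AES128-GCM-SHA256",
                           "ECDHE-RSA-AES256-GCM-SHA384"})


def compare_policies(mx):
    """Final outcome of each policy mode against one remote MX."""
    return {mode: deliver(TlsPolicy(mode, LOCAL_ALLOWED), mx)
            for mode in ("none", "may", "may_strict", "encrypt")}


if __name__ == "__main__":
    for name, mx in (("mismatched", MISMATCHED_MX), ("modern", MODERN_MX)):
        print(f"remote MX: {name}")
        for mode, (outcome, n) in compare_policies(mx).items():
            print(f"  {mode:<10} -> {outcome.value} after {n} attempt(s)")
```

Against the mismatched remote only the "none" and "may" modes deliver at all; "may_strict" and "encrypt" retry until the queue bounces the message, which is the failure mode the post describes.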


Re: SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request]

2019-01-11 Thread Suresh Ramasubramanian
Most new MTA implementations over the past several years default to TLS with 
strong ciphers.  So how much of a problem is low or no TLS right now?

How much more of a problem will it be over the next year or two as older 
hardware is retired and new servers + software deployed, or as is more likely, 
people move their mail to cloud services that already do support strong ciphers 
for TLS?

How worth solving is the problem - what is the return for all this effort?

--srs


From: NANOG  on behalf of 
Viruthagiri Thirumavalavan 
Sent: Saturday, January 12, 2019 9:21 AM
To: nanog@nanog.org
Subject: Re: SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request]

If you all think my prefix proposal has some merit, it still paves the way 
for future smtps proposals. So I have no issues with killing the smtps part of my 
proposal.

As for signalling, I'm not sure whether moving the signalling part to another 
record type is a good idea.

Because my signalling proposal is flawed without DNSSEC as Brandon Martin 
pointed out.

So if we move the signalling part to another record type, then we may have to 
deal with multiple record set signatures. Also there is one more configuration 
for the end user. But I'm open to suggestions.

To the person who trolled me. I'm here to have some intellectual conversation. 
So please stop trolling me. You are an engineer. So don't behave like a teen in 
a YouTube comments section.  I'm proposing these things so the world can benefit 
from them. By trolling me, you are just killing that.

To everyone else, please go easy on me. If I'm a little off on something, please 
forgive my ignorance. The reason I'm here is because you all know these things 
better than me. I'm here to get some feedback.

If you all think opening a new port is a waste of time, I'm ok with that. But if 
you see some benefits of Implicit TLS over Opportunistic TLS, please point that 
out too.

Thank you for your time.


Re: SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request]

2019-01-11 Thread Suresh Ramasubramanian
But why do you think creating an out of band verification channel and separate 
port is going to work for this?

There is plenty of local policy available as well to mandate that  tls be 
negotiated with a set of allowed ciphers and prohibit others

—srs


From: NANOG  on behalf of Viruthagiri Thirumavalavan 

Sent: Saturday, January 12, 2019 7:43 AM
To: Doug Royer
Cc: nanog@nanog.org
Subject: Re: SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request]

Hello Doug, it's happening in ietf-smtp. This is my first proposal. So haven't 
created the I-D yet.

I'm not sure how to create one.

That's why I published my proposal in the medium. Please see the medium link I 
posted earlier.

Thanks.

On Sat, Jan 12, 2019, 6:46 AM Doug Royer <douglasro...@gmail.com> wrote:
On 1/11/19 10:38 AM, Viruthagiri Thirumavalavan wrote:
> Hello NANOG, Belated new year wishes.
>
> I would like to gather some feedback from you all.
>
> I'm trying to propose two things to the Internet Standard and it's
> related to SMTP.
>
> (1) STARTTLS downgrade protection in a dead simple way
>
> (2) SMTPS (Implicit TLS) on a new port (26). This is totally optional.
>
> I posted my proposal in IETF mailing list. I got very good feedback
> there. Some support my proposal. Many are against it.
>

What is the IETF draft name?
Which IETF mailing list did this discussion happen on?

--

Doug Royer - (http://DougRoyer.US  http://goo.gl/yrxJTu )
douglasro...@gmail.com
714-989-6135



ARIN NS down?

2019-01-11 Thread Suresh Ramasubramanian
couldn't get address for 'ns1.arin.net': not found
couldn't get address for 'ns2.arin.net': not found
couldn't get address for 'u.arin.net': not found
couldn't get address for 'ns3.arin.net': not found
dig: couldn't get address for 'ns1.arin.net': no more

srs@Sureshs-MacBook-Pro-2 19:56:18 <~> $ dig +trace +norec whois.arin.net

; <<>> DiG 9.10.6 <<>> +trace +norec whois.arin.net
;; global options: +cmd
.   2230IN  NS  m.root-servers.net.
.   2230IN  NS  b.root-servers.net.
.   2230IN  NS  c.root-servers.net.
.   2230IN  NS  d.root-servers.net.
.   2230IN  NS  e.root-servers.net.
.   2230IN  NS  f.root-servers.net.
.   2230IN  NS  g.root-servers.net.
.   2230IN  NS  h.root-servers.net.
.   2230IN  NS  i.root-servers.net.
.   2230IN  NS  j.root-servers.net.
.   2230IN  NS  a.root-servers.net.
.   2230IN  NS  k.root-servers.net.
.   2230IN  NS  l.root-servers.net.
.   2230IN  RRSIG   NS 8 0 518400 2019012105 
2019010804 16749 . JqXTRb0qik0Iy1zDpwKRfKr1iZjTeiJRTk1GCfIWh9dFFvhN0c7Fiz6H 
lbNfhgQbPsacG0b/1I3rguS13H2guX7apppK2w88h+z8mzym2Bw1C1HR 
ZR3ocj/jHLJbMqHdQ+DFyRdw/AxCXBdhnbX46C8+unhQ03D/MzS0M0t4 
vgadYi7BN4sa+iZIilwFV56n2dOfpzyO+evVbcnTLRZ6D4bjCHZLCtO8 
EDziAPUbVAPZWiflb7/Y2dECe5gbOuGYYU/xv/Pal5+v9cjgMjcf8buG 
S+iTIL/lnus0JJSRDmkM6yzfYMBXC2ZqhOp+Ls+EfvmqFjIZzi394XCi pdKRZw==
;; Received 525 bytes from 10.0.0.1#53(10.0.0.1) in 40 ms

net.172800  IN  NS  g.gtld-servers.net.
net.172800  IN  NS  c.gtld-servers.net.
net.172800  IN  NS  j.gtld-servers.net.
net.172800  IN  NS  e.gtld-servers.net.
net.172800  IN  NS  h.gtld-servers.net.
net.172800  IN  NS  k.gtld-servers.net.
net.172800  IN  NS  m.gtld-servers.net.
net.172800  IN  NS  i.gtld-servers.net.
net.172800  IN  NS  f.gtld-servers.net.
net.172800  IN  NS  b.gtld-servers.net.
net.172800  IN  NS  a.gtld-servers.net.
net.172800  IN  NS  d.gtld-servers.net.
net.172800  IN  NS  l.gtld-servers.net.
net.86400   IN  DS  35886 8 2 
7862B27F5F516EBE19680444D4CE5E762981931842C465F00236401D 8BD973EE
net.86400   IN  RRSIG   DS 8 1 86400 2019012413 
201902 16749 . uahpltN27UkKaFJRaAU1on+IpC2lpgZo84XEM7Pk7dQysKfSnqUkaVLY 
PXQf9kvgW5eOx/+BttQB2OWFLckJs8vv5ScOpz7dDhs8zR2FPLm93HTD 
4F/XEKDNOQbFGSA3g4pZq3fatY7kFEkV9sFTH90WqJt0sXe64LYFcwr2 
FtrJaS/yhEV4XDbsN3RLkBP58bf526LPpvonwSZsMUTDZcnXtUnc57ZI 
dlTHg2snNhVWu4qJfHDsEQPwOZagRXJhjlRT8Ox/7HwXvplmRfmeuhZb 
Vj5kdiY+3j0RTxpLRCG/SZRDIRcvdFKh9umdwQvAzuTS0xzO8OyPw9q8 8QCCYg==
;; Received 1171 bytes from 192.112.36.4#53(g.root-servers.net) in 207 ms

arin.net.   172800  IN  NS  ns1.arin.net.
arin.net.   172800  IN  NS  ns2.arin.net.
arin.net.   172800  IN  NS  u.arin.net.
arin.net.   172800  IN  NS  ns3.arin.net.
arin.net.   86400   IN  DS  48281 5 2 
6EB0CCF325A8101A768C93D10CE084303D3714D4E92FEE53D6E683D2 22291017
arin.net.   86400   IN  DS  48281 5 1 
FCBF93357C8FE3247CECB2CD277F45EB955EE4CE
arin.net.   86400   IN  RRSIG   DS 8 2 86400 20190117062448 
20190110051448 6140 net. 
stuWyfC0PDuk2hNF/Bnz0lnypk+bA/slTa2KYznjmoLXDtq7v1obJq41 
ZfloQKXuC7MnzpCQj70GU9ZESZq1/XU+u6wDmCqmEUbJ3kyrILxkVrln 
bTEySJWPmurpwUVzDVfvqFpXEOhWxOjDu6drZMcC3wG9EdPqBuFC6wlf FIQ=
couldn't get address for 'ns1.arin.net': not found
couldn't get address for 'ns2.arin.net': not found
couldn't get address for 'u.arin.net': not found
couldn't get address for 'ns3.arin.net': not found
dig: couldn't get address for 'ns1.arin.net': no more




Re: Should ISP block child pornography?

2018-12-06 Thread Suresh Ramasubramanian
In the USA, you need to contact NCMEC - http://www.missingkids.com/home or the 
FBI.

 

From: Mark Seiden 
Date: Friday, 7 December 2018 at 12:16 PM
To: Suresh Ramasubramanian 
Cc: "Lotia, Pratik M" , "nanog@nanog.org" 

Subject: Re: Should ISP block child pornography?

 

thanks, suresh. what it seems to say is get in touch with the ncb in your 
country to sign an nda and get instructions.  (but it's actually quite hard to 
figure out how to do that, no email address or phone numbers apparent for 
interpol dc)

 

 



Re: Should ISP block child pornography?

2018-12-06 Thread Suresh Ramasubramanian
https://www.interpol.int/Crime-areas/Crimes-against-children/Access-blocking

 

From: NANOG  on behalf of Mark Seiden 
Date: Friday, 7 December 2018 at 11:54 AM
To: "Lotia, Pratik M" 
Cc: "nanog@nanog.org" 
Subject: Re: Should ISP block child pornography?

 

where is this list of dirty domains?

On Thu, Dec 6, 2018, 10:08 PM Lotia, Pratik M  wrote:

Hello all, was curious to know the community’s opinion on whether an ISP should 
block domains hosting CPE (child pornography exploitation) content? Interpol 
has a ‘worst-of’ list which contains such domains and it wants ISPs to block it.

 



Re: bloomberg on supermicro: sky is falling

2018-10-10 Thread Suresh Ramasubramanian
IVR credit card PIN entry is a thing

For example - 
https://www.hdfcbank.com/personal/making-payments/security-measures/ivr-3d-secure

On 10/10/18, 9:57 PM, "NANOG on behalf of Naslund, Steve" 
 wrote:

True and that should be mandatory but does not solve the telephone agent 
problem.

Steven Naslund
Chicago IL

> I understand that in some countries the common practice is that the
> waiter or clerk brings the card terminal to you or you go to it at the
> cashier's desk, and you insert or swipe it, so the card never leaves
> your hand.  And you have to enter the PIN as well.  This seems
> notably more secure against point-of-sale compromise.
> - Brian






Re: bloomberg on supermicro: sky is falling

2018-10-10 Thread Suresh Ramasubramanian
This is common in India but then chip and pin has been mandatory for a good few 
years, as has 2fa (vbv / mastercard secure code) for online transactions.

Waiters would earlier ask for people's pins so they could go back and enter it 
- back when a lot of the POS terminals were connected to POTS lines rather than 
battery operated + with a GSM sim.  That's stopped now as people grew more 
aware.

On 10/10/18, 9:49 PM, "NANOG on behalf of Brian Kantor" 
 wrote:

I understand that in some countries the common practice is that the
waiter or clerk brings the card terminal to you or you go to it at the
cashier's desk, and you insert or swipe it, so the card never leaves
your hand.  And you have to enter the PIN as well.  This seems
notably more secure against point-of-sale compromise.
- Brian

On Wed, Oct 10, 2018 at 04:01:07PM +, Naslund, Steve wrote:
> Sure and with the Exp Date, CVV, and number printed on every card you are 
> open to compromise every time you stay in the hotel or go to a restaurant where 
> you hand someone your card.  Worse yet, the only option if you are compromised 
> is to change all your numbers and put the burden on you of notifying everyone, 
> and that evening you hand your card to the waiter and the cycle starts over.  
> The system is so monumentally stupid it’s unbelievable.
> 
>   Steven Naslund
> 
>  Chicago IL





Re: SP security knowledge build up

2018-07-31 Thread Suresh Ramasubramanian
As for MOOC course content - I don't know these guys from Adam's off
ox, and while I know IIIT (note, not IIT) Bangalore, this is a course
offered by them in collaboration with an outfit called FISST (oh
dear.. the name).

The course name looks like it is meant to train skript kiddeez but the
content looks much more reasonable.

Of course, given the extremely short course length, it is possibly
like the usual mile wide inch deep CISSP training that'll help you
learn a lot of buzzwords if nothing else.

--srs

https://talentedge.in/certified-cyber-warrior-iiit-bangalore/

Syllabus

Cyber Security Foundation Module:

Introduction & Overview of Cyber Security
Common Security threats and prevention/mitigation plans
Cryptography – fundamentals with theory of encryption keys (LMS)
Networking Security – fundamentals with N/w layers and various protocols (LMS)

Introduction to IT Act and Cyber Laws:

Cyber Laws – Overview of Cyber Civil Wrong
Cyber Laws – overview of Cyber Offences
Case studies where brand and financial loss has been reported

Introduction to Dark web and Deep Web:

Dark web & Deep Web
Anatomy of Financial Cyber Crime Organization

Network Security & Best practices for secured n/w administration

VPN
Wireless Security

Vulnerabilities in various layers of Information Systems:

Overview of Multitasking and Multiprocessing

Assess And Mitigate Security Vulnerabilities
Understanding Security Capabilities of Information System
Virtualization
Memory Protection
Memory & Address protection
Protection Mechanisms

Brief Introduction to Cyber Risk and Cyber Insurance Best Practices:

Cyber Risk & Information Risk Management

Risk Management Concepts
Component of Risk Management – example
Risk Management Process
Common Cyber Threats
Framework for Cyber and IS Risk Management

Cyber Insurance – an Introduction

What is cyber insurance
How to assess and bargain a good policy
How to implement documentation for claims
Best practices for ‘zero’ risk policies

Introduction to Physical Security & importance to protect IT Assets:

Physical Security Introduction
Perimeter / Boundary Security
Building Security
Inside Building with back-end command & Control System
Overview of IoT devices Security & Concerns

Introduction to Blockchain, Cryptocurrencies, and Bitcoins

Introduction to Blockchain concept
Cryptocurrencies

Cyber Security Design and Maintaining Resilience

Cyber Security Designing And Maintaining Resilience
Designing a Resilient Enterprise
Maintaining Enterprise Resilience
Perimeter Protection with Firewall
Incident Response Plan
Cyber Risk Management process
Inventory Authorized and Unauthorized devices and Software

Recommended Best practices for Cyber Security:

Cyber Hygiene
Data Security
Wireless networking
Invoke the Incident Response Plan
Recover
RTO – RPO
Preparedness Plan Audit
Test your incident response plan
Vendor Incident response

20 Critical Security Components – Part 1

Critical Control 1: Inventory of Authorized and Unauthorized Devices
Critical Control 2: Inventory of Authorized and Unauthorized Software
Critical Control 3: Secure Configurations for Hardware and Software on
Laptops, Workstations, and Servers
Critical Control 4: Continuous Vulnerability Assessment and Remediation
Critical Control 5: Controlled Use of Administrative Privileges
Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
Critical Control 7: Email and Web Browser Protections
Critical Control 8: Malware Defenses
Critical Control 9: Limitation and Control of Network Ports,
Protocols, and Services

20 Critical Security Components – Part 2

Critical Control 10: Data Recovery Capability
Critical Control 11: Secure Configurations for Network Devices such as
Firewalls, Routers, and Switches
Critical Control 12: Boundary Defense
Critical Control 13: Data Protection
Critical Control 14: Controlled Access Based On Need to Know
Critical Control 15: Wireless Device Control
Critical Control 16: Account Monitoring and Control
Critical Control 17: Security Skills Assessment and Appropriate
Training to Fill Gaps
Critical Control 18: Application Software Security
Critical Control 19: Incident Response and Management
Critical Control 20: Penetration Tests and Red Team Exercises

2 Day On Campus Boot Camp at IIIT B

Lab Session – General Threats
Lab Session – Cryptography
Boot Camp 1
Boot Camp 2
On Fri, Jul 27, 2018 at 5:39 PM Suresh Ramasubramanian
 wrote:
>
> Please start with the nanog videos Chris referenced and the book that I told 
> you about.
>
>
>
> Before security knowledge, there’s a lot of hard CS and pure math involved if 
> you want to teach it as a discipline – but that should be available most 
> anywhere.   And of course practical courses on network and system 
> administration.
>
>
>
> Depends on whether you want to train junior analysts and build their 
> knowledge in a more hands on manner in on the job training, or pro

Re: SP security knowledge build up

2018-07-27 Thread Suresh Ramasubramanian
Please start with the nanog videos Chris referenced and the book that I told 
you about.

 

Before security knowledge, there’s a lot of hard CS and pure math involved if 
you want to teach it as a discipline – but that should be available most 
anywhere.   And of course practical courses on network and system 
administration.

 

Depends on whether you want to train junior analysts and build their knowledge 
in a more hands on manner in on the job training, or proceed with a graduate 
course that’ll take years and give them a deeper dive into this.

 

For on the job training the videos and the Limoncelli book will do very well 
indeed for a start.

 

--srs

 

From: Ramy Hashish 
Date: Friday, 27 July 2018 at 5:12 PM
To: NANOG Mailing List , , 
, Suresh Ramasubramanian , 

Subject: Re: SP security knowledge build up

 

Thank you guys for all your academic recommendation, unfortunately we are not 
US residents, so can you recommend the references/books/curriculum used in the 
mentioned programs?






Re: SP security knowledge build up

2018-07-24 Thread Suresh Ramasubramanian
Not a MOOC.  But several schools now have graduate programs in security.  Off 
the top of my head, Georgia Tech, UAB, GMU ..

 

They might offer some shorter courses as well, for working professionals.   
Take a look.

 

From: Ramy Hashish 
Date: Tuesday, 24 July 2018 at 2:33 PM
To: "Compton, Rich A" 
Cc: Christopher Morrow , Suresh Ramasubramanian 
, nanog list 
Subject: Re: SP security knowledge build up

 

Thank you Christopher, Compton and Suresh, that was helpful.

 

I am still looking for more.

 

Does anyone want to recommend any MOOC?

 

Thanks,

 

Ramy

 

On 23 July 2018 at 17:30, Compton, Rich A  wrote:

Barry Greene's site has some good info on ISP security as well: 
http://www.senki.org


On 7/23/18, 8:08 AM, "NANOG on behalf of Christopher Morrow" 
 wrote:

I thought also there was a set of videos from nanog meetings...
I can't find a set, but here are some:

ISP Security 101 primer
https://www.youtube.com/watch?v=ueRminCpnMc

isp security real-world techniques - 2
https://www.youtube.com/watch?v=Ijd9A5wUS_0
https://www.youtube.com/watch?v=T6ZSxgVvjdA (older version of previous?)

ISP Security toolkits
https://www.youtube.com/watch?v=w7XcZS_99WQ

NRIC Best Practices for ISP Security
https://www.youtube.com/watch?v=1bzL5eUGC-0

there are actually quite a few more, searching for 'security nanog' turned
up.

On Mon, Jul 23, 2018 at 9:32 AM Suresh Ramasubramanian 
wrote:

> The usual / canonical sysadmin book might work, there is a lot of security
> related material in there as well.
>
>
> 
https://www.amazon.com/Practice-System-Network-Administration-Second/dp/0321492668
>
> And this updated for enterprise / devops and other such new fangled things
>
>
> 
https://www.amazon.com/Practice-System-Network-Administration-Enterprise/dp/0321919165/ref=pd_lpo_sbs_14_t_0?_encoding=UTF8=1=2N4F09FPM9FG9VQNT433
>
>
> On 23/07/18, 6:55 PM, "NANOG on behalf of Ramy Hashish"
>  ramy.ihash...@gmail.com> wrote:
>
> Hello All,
>
> I am planning to build up a security team of fresh engineers who are
> "network oriented", any advice on the knowledge resources we can start
> with? We are looking forward to building a concrete foundation of a
> well-rounded security engineer, we are looking for vendor/operator
> agnostic
> resources.
>
> Thanks,
>
> Ramy
>
>
>
>



 



Re: SP security knowledge build up

2018-07-23 Thread Suresh Ramasubramanian
The usual / canonical sysadmin book might work, there is a lot of security 
related material in there as well.  

https://www.amazon.com/Practice-System-Network-Administration-Second/dp/0321492668

And this updated for enterprise / devops and other such new fangled things

https://www.amazon.com/Practice-System-Network-Administration-Enterprise/dp/0321919165/ref=pd_lpo_sbs_14_t_0?_encoding=UTF8=1=2N4F09FPM9FG9VQNT433


On 23/07/18, 6:55 PM, "NANOG on behalf of Ramy Hashish" 
 wrote:

Hello All,

I am planning to build up a security team of fresh engineers who are
"network oriented", any advice on the knowledge resources we can start
with? We are looking forward to building a concrete foundation of a
well-rounded security engineer, we are looking for vendor/operator agnostic
resources.

Thanks,

Ramy





Re: AS3266: BitCanal hijack factory, courtesy of Cogent, GTT, and Level3

2018-06-26 Thread Suresh Ramasubramanian
Oh dear. The problem with sarcasm is that it falls flat if people don't realize 
you're being sarcastic.

On 27/06/18, 6:53 AM, "NANOG on behalf of Scott Weeks" 
 wrote:


On Mon, 25 Jun 2018 at 22:49, Ronald F. Guilmette wrote:

> Without the generous support of Cogent, GTT, and Level3 this dumbass
> lowlife IP address space thief would be largely if not entirely toast.
> So what are they waiting for?  Why don't they turf this jackass?  Are
> they waiting for an engraved invitation or what?
>
> As I always ask, rhetorically, in cases like this:  Where are the 
> grownups?


--- ops.li...@gmail.com wrote:
From: Suresh Ramasubramanian 

"we are not the internet police" right? (
-


So your answer is to let them hijack whatever/whenever they want?

scott





Re: AS3266: BitCanal hijack factory, courtesy of Cogent, GTT, and Level3

2018-06-25 Thread Suresh Ramasubramanian
"we are not the internet police" right? (

On 26/06/18, 10:33 AM, "NANOG on behalf of Job Snijders" 
 wrote:

On Mon, 25 Jun 2018 at 22:49, Ronald F. Guilmette 
wrote:

> Without the generous support of Cogent, GTT, and Level3 this dumbass
> lowlife IP address space thief would be largely if not entirely toast.
> So what are they waiting for?  Why don't they turf this jackass?  Are
> they waiting for an engraved invitation or what?
>
> As I always ask, rhetorically, in cases like this:  Where are the grownups?



You could ask the same about the IXPs that facilitate the reach and impact
of Bitcanal’s BGP hijacks by allowing that network on their platform:
https://bgp.he.net/AS197426#_ix

Kind regards,

Job





Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent

2018-05-14 Thread Suresh Ramasubramanian
Seems to be a set of MUA bugs that are being overblown and hyped up.

TL;DR = Don't use HTML email with some mail clients when sending pgp encrypted 
mail.

https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html

--srs

On 14/05/18, 1:15 PM, "NANOG on behalf of George William Herbert" 
 wrote:


This is likely bad enough operators need to pay attention.

@seecurity tweeted:

"We'll publish critical vulnerabilities in PGP/GPG and S/MIME email 
encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of 
encrypted emails, including encrypted emails sent in the past. #efail 1/4"

Thread starts here:
https://twitter.com/seecurity/status/995906576170053633?s=21

I have no particular insight into what it is other than presuming from 
thread that decryption can be tricked to do bad things.

They recommend temporary disabling downthread:

"There are currently no reliable fixes for the vulnerability. If you use 
PGP/GPG or S/MIME for very sensitive communication, you should disable it in 
your email client for now. Also read @EFF’s blog post on this issue: 
eff.org/deeplinks/2018… #efail 2/4"

-george 

Sent from my iPhone




Re: Is WHOIS going to go away?

2018-04-24 Thread Suresh Ramasubramanian
The fun problem here is that anonymity, encryption etc - everything that's good 
and recommended for privacy and security conscious people - gets heavily used, 
and early adopted, by criminals, the good ones among whom are paranoid about 
both these at least so they stay out of prison.

If only all registrars and registries would actually act proactively about 
keeping abuse off their networks. Some do a great job, others do just enough to 
keep ICANN and the security community off their backs, while still others 
couldn't care less about either.

If we had this level of proactiveness, the problem of whois going away would be 
far less of an issue.


From: NANOG  on behalf of Badiei, Farzaneh 

Sent: Friday, April 20, 2018 9:17:21 AM
To: John Levine; nanog@nanog.org
Cc: b...@theworld.com
Subject: Re: Is WHOIS going to go away?

Dear John,


The days when some in the technical community could just discard others' 
arguments by saying that "[you] have no idea how the Internet works" have long 
passed. I will not get intimidated nor will I step back. Old tricks won't 
work; it's as old as the dysfunctional WHOIS and will disappear.


Also your last paragraph obliges me to clarify: it's not always a "he" that 
might be arguing! It's sometimes, though it might be rarely, a "she".


No one asked to protect people from their governments (I have heard this before 
as well). But also people should not be endangered or even minimally disturbed 
by making their personal information public. There are many many scenarios when 
personal information can be abused, and governments might not be involved.


I might not know as much as you do about how the Internet works. But I know one 
thing: there will be a change. The convenience of security researchers and 
trademark owners is not going to be set above domain name registrants' right to 
data protection. But I am sure the cybersecurity community can come up with a 
more creative way of preserving cybersecurity without relying on using personal 
information of domain name registrants and violating their rights!


Farzaneh







From: NANOG  on behalf of John Levine 
Sent: Thursday, April 19, 2018 10:43 PM
To: nanog@nanog.org
Cc: b...@theworld.com
Subject: Re: Is WHOIS going to go away?

In article <23257.12824.250276.763...@gargle.gargle.howl> you write:
>So you think restricting WHOIS access will protect dissidents from
>abusive governments?
>
>Of all the rationalizations that one seems particularly weak.

Oh, you're missing the point.  This is a meme that's been floating
around in academia for a decade: the brave dissident who somehow has
managed to find web hosting, e-mail, broadband, and mobile phone
service but for whom nothing stands between her and certain death but
the proxy whois on her vanity domain.

If someone makes this argument you can be 100% sure he's parroting
something he heard somewhere and has no idea how the Internet actually
works.

R's,
John


Re: China Showdown Huawei vs ZTE

2018-04-20 Thread Suresh Ramasubramanian
Ah. ZTE is in a spot of trouble right about now.

http://www.scmp.com/tech/article/2142557/zte-calls-us-government-ban-extremely-unfair-vows-fight-its-rights

On 20/04/18, 5:58 PM, "NANOG on behalf of Colton Conor" 
 wrote:

Of the two large Chinese Vendors, which has the better network operating
system? Huawei is much larger than ZTE is my understanding, but larger does
not always mean better.

Both of these manufacturers have switches and routers. I doubt we will use
their routing products anytime soon, but the switching products with MPLS
are what we are exploring. Price wise both of these vendors seem to have
10G MPLS capable switches that are 1/4 of the price Cisco or Juniper
want to charge.

On the Huawei side looks like the S6720 is a fit.
On the ZTE side, it looks like the ZXR10 5960 Series is a fit.

Has anyone had experience with either of these two switches? How do they
compare?

Also, for each independent brand, is their switching network operating
system the same as their routing network operating system that their
routers run?





Re: Courses/Trainings for NOC leaders

2018-01-09 Thread Suresh Ramasubramanian
These books.

https://www.amazon.com/UNIX-Linux-System-Administration-Handbook/dp/0131480057

https://www.amazon.com/Practice-System-Network-Administration-Enterprise/dp/0321919165/
https://www.amazon.com/Practice-Cloud-System-Administration-Practices/dp/032194318X/
https://www.amazon.com/Time-Management-System-Administrators-Working/dp/0596007833/

Lots of SAGE workshops too, but these distil them quite well indeed.

--srs

On 09/01/18, 3:45 PM, "NANOG on behalf of Ramy Hashish" 
 wrote:

Hello there,

I am looking for recommendations -preferably based on experience- for
training/workshops for NOC engineers that have made significant difference
in root cause analysis, analytical thinking, troubleshooting skills and
problem solving skills.

Thanks,

Ramy





Re: How can I obtain the abuse e-mail address for IPs from Japan?

2017-08-23 Thread Suresh Ramasubramanian
whois -h whois.nic.ad.jp IP /e

--srs

> On 23-Aug-2017, at 7:38 PM, Kurt Kraut  wrote:
> 
> Hello,
> 
> 
> I'm having a hard time figuring out the abuse e-mail address for IPs from
> Japan. Any query I perform at the WHOIS, for any IP, from any autonomous
> system I get the same e-mail addresses:
> 
> ab...@apnic.net
> hm-chan...@apnic.net
> ip-ap...@nic.ad.jp
> hostmas...@nic.ad.jp
> 
> These e-mail addresses belong to JPNIC, not the autonomous system itself.
> So any messages sent to these e-mail addresses will not reach the offending
> NOC/SOC so I can report vulnerabilities and DDoS attacks.
> 
> What am I missing and how should I report security issues to autonomous
> systems from this region? Has anyone here any experience on this?
> 
> 
> Thanks in advance,
> 
> 
> Kurt Kraut


Re: AS29073, 196.16.0.0/14, Level3: Why does anyone peer with these schmucks?

2017-08-14 Thread Suresh Ramasubramanian
1. They aren’t the internet police either or so quite a few of them think 

2. Hanlon’s razor

--srs

> On 15-Aug-2017, at 2:17 AM, Baldur Norddahl  wrote:
> 
> Why are domain registrars allowing some of those domains, which are clearly
> advertising highly illegal content that will get you in jail in most of the
> world?


Re: Purchased IPv4 Woes

2017-03-19 Thread Suresh Ramasubramanian
Which one was it that demanded 2500?

There's only one reasonably well known pay for whitelisting type of blocklist 
but I'd have thought they're a lot cheaper.

--srs

> On 20-Mar-2017, at 9:02 AM, Justin Wilson  wrote:
> 
> Then you have the lists which want money to be removed.  I have an IP that 
> was blacklisted by hotmail. Just a single IP. I have gone through the 
> procedures that are referenced in the return e-mails.  No response.  My next 
> step says something about a $2500 fee to have it investigated.  I know 
> several blacklists which are this way.  Luckily, many admins do not use such 
> lists.


Re: Someone's scraping NANOG for phishing purposes again

2017-02-10 Thread Suresh Ramasubramanian
Or a nanog member might be infected and the malware is scraping his mailbox for 
bogus froms.  Got headers?

On 10/02/17, 9:40 AM, "NANOG on behalf of Alexander Harrowell" 
 wrote:

I'm getting suspicious e-mail pretending to come from leading NANOGers. Not
the first time this has happened, but you may want to be warned.

Yours,

Alex Harrowell





Re: ticketmaster.com 403 Forbidden

2017-02-06 Thread Suresh Ramasubramanian
My guess is you have or had sometime in the long distant past a scalper 
operating on your network, using automated ticket purchase bots.

If you still have that scalper around, you might want to turf him.  If he’s 
ancient history, saying so might induce them to remove the block.

--srs

On 06/02/17, 8:45 AM, "nanog-boun...@nanog.org on behalf of 
mike.l...@gmail.com"  
wrote:

Yup, i have a /22 that has the same problem. Support is useless...

> On Feb 6, 2017, at 08:35, Ethan E. Dee  wrote:
> 
> It gives me a Forbidden error.
> It has for over a year.
> Their support says they are not allowed to tell me why by their policy.
> It is across an entire /19.
> I gave up after the fifth time and encourage the customers to call them 
individually.
> 
>> On 02/06/2017 11:09 AM, Niels Bakker wrote:
>> * charles.man...@charter.com (Manser, Charles J) [Mon 06 Feb 2017, 16:21 
CET]:
>>> It seems that browsing to ticketmaster.com or any of the associated IP 
addresses results in a 403 Forbidden for our customers today. Is anyone else 
having this issue?
>> 
>> 
http://help.ticketmaster.com/why-am-i-getting-a-blocked-forbidden-or-403-error-message/
 
>> 
>> 
>>-- Niels.
> 





Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-22 Thread Suresh Ramasubramanian
Well yes – if you have the automation, that is great.

Of course the format of whatever log they send you matters too.

I’ve had abuse complaints in a past life where the abuse report was a 
screenshot from a checkpoint firewall with “Dear team, for your attention” in 
bright red in a large font.

Personally I don’t trash abuse reports that are valid.

--srs

From: Tom Beecher <beec...@beecher.cc>
Date: Thursday, 22 September 2016 at 7:35 PM
To: Brian Rak <b...@gameservers.com>
Cc: Suresh Ramasubramanian <ops.li...@gmail.com>, "nanog@nanog.org" 
<nanog@nanog.org>
Subject: Re: PlayStationNetwork blocking of CGNAT public addresses

The format of the abuse complaint doesn't mean anything if it still doesn't 
contain any relevant data to say what the abuse IS. (Or, even if it IS abuse at 
all.)


On Thu, Sep 22, 2016 at 9:37 AM, Brian Rak <b...@gameservers.com> wrote:

Single IP per email: automated, zero time at all.

Multiple IPs per email: manual process, minutes per IP.


On 9/22/2016 9:34 AM, Suresh Ramasubramanian wrote:

Considering that there are likely to be many such emails - just how much time 
is it going to take your abuse desk staffer to just parse out those IPs from 
whatever log that they send you?

And how much time would processing say 50 individual emails take compared to 50 
IPs in a single email?

--srs

On 22-Sep-2016, at 6:58 PM, Brian Rak <b...@gameservers.com 
<mailto:b...@gameservers.com>> wrote:

We've also started ignoring their abuse emails, for the same reason.  Their 
abuse emails at one point contained the line:

> P.S. If you would prefer an individual email for each IP address on this 
> list, please let us know.

But, they didn't respond after we contacted them requesting it (and that line 
has since been removed).



Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-22 Thread Suresh Ramasubramanian
Considering that there are likely to be many such emails - just how much time 
is it going to take your abuse desk staffer to just parse out those IPs from 
whatever log that they send you?

And how much time would processing say 50 individual emails take compared to 50 
IPs in a single email?

--srs

> On 22-Sep-2016, at 6:58 PM, Brian Rak  wrote:
> 
> We've also started ignoring their abuse emails, for the same reason.  Their 
> abuse emails at one point contained the line:
> 
> > P.S. If you would prefer an individual email for each IP address on this 
> > list, please let us know.
> 
> But, they didn't respond after we contacted them requesting it (and that line 
> has since been removed).


One more thing to watch out for at data centers - fire drills

2016-09-17 Thread Suresh Ramasubramanian
http://motherboard.vice.com/read/a-loud-sound-just-shut-down-a-banks-data-center-for-10-hours?utm_source=bbcfb

Releasing inert gas from fire suppression units that were over-pressurized 
resulted in an extremely loud noise – causing cabinets full of hard drives to 
vibrate – which got transmitted to the read/write heads of the drives.

Amazing sort of outage + data loss, and this time the physical security plant 
chief gets to write up the RCA.

--srs







Re: Operations task management software?

2016-07-27 Thread Suresh Ramasubramanian
Been meaning to dig into this one 
https://www.upguard.com/blog/guardrail-tasks-a-lightweight-tracking-system-for-ops

--srs

> On 27-Jul-2016, at 11:46 PM, David Hubbard  
> wrote:
> 
> Hi all, curious if anyone has recommendations on software that helps manage 
> routine duties assigned to operations staff?
> 
> For example, let’s say we have a P that says someone from the netops group 
> must check that Rancid is successfully backing up all router configs 
> bi-weekly.  Ideally, it would send an email reminder to this pre-defined 
> group of people saying hey, it’s Monday, someone needs to check this and come 
> acknowledge the task as having been completed.  If that doesn’t occur, 
> pre-defined manager X is notified on Tuesday.  If manager X doesn’t get 
> someone to complete the task, director Y is notified, so on and so forth.  
> Then, perhaps periodically it emails manager X anyway and says hey, it’s been 
> three months, you need to audit netops to ensure they’re actually doing the 
> Rancid audit and not just checking that it was done.  This could be applied 
> to the staff who check on backup failures, backup internet circuit status, 
> out of band interfaces, etc.
> 
> A data center I looked at recently had QR code stickers on all of their 
> infrastructure stuff and there were staff assigned to check and log certain 
> displayed values each day.  The software would at least ensure they actually 
> visited the equipment by requiring they scan the relevant QR code when in 
> front of it.  So I figure something that does what I’m looking for properly 
> already exists.
> 
> Thanks,
> 
> David
> 


Re: Charter FYI - FW: [SANOG] Reliance Jio (AS55836) originating a /16 belonging to Charter (AS20115)

2016-07-03 Thread Suresh Ramasubramanian
On 03/07/16, 9:05 PM, "NANOG on behalf of Suresh Ramasubramanian" 
<nanog-boun...@nanog.org on behalf of ops.li...@gmail.com> wrote:

> Is anyone from Jio network engineering team on this list? 
> I see AS55836 is originating  47.35.0.0/16 while the pool belongs to 
> Charter. There's even /18 slices of the pool being announced by Charter.

Acked / fixed in record time actually





Charter FYI - FW: [SANOG] Reliance Jio (AS55836) originating a /16 belonging to Charter (AS20115)

2016-07-03 Thread Suresh Ramasubramanian
From: sanog  on behalf of Anurag Bhatia 

Date: Sunday, 3 July 2016 at 8:46 PM
To: SANOG 
Subject: [SANOG] Reliance Jio (AS55836) originating a /16 belonging to Charter 
(AS20115)

Hello everyone!

Is anyone from Jio network engineering team on this list?

I see AS55836 is originating 47.35.0.0/16 while the pool belongs to Charter. 
There's even /18 slices of the pool being announced by Charter.

From Oregon route-views:

route-views>sh ip bgp 47.35.0.0/16 long | exclude 20115
BGP table version is 18764390, local router ID is 128.223.51.103
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
  r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
  x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

 Network          Next Hop          Metric LocPrf Weight Path
 *   47.35.0.0/16 195.208.112.1610 3277 3267 174 64049 55836 i
 *                217.192.89.50  0 3303 6762 64049 55836 i
 *                212.66.96.126  0 20912 1267 64049 55836 i
 *                162.243.188.2  0 393406 6453 6762 64049 55836 i
 *                192.241.164.4  0 62567 2914 174 64049 55836 i
 *                129.250.0.11  1007 0 2914 174 64049 55836 i
 *                104.192.216.1  0 46450 174 64049 55836 i
 *                202.93.8.242   0 24441 3491 3491 174 64049 55836 i
 *                66.59.190.221  0 6539 577 6762 64049 55836 i
 *                144.228.241.130 80 0 1239 174 64049 55836 i
 *                207.172.6.20 0 0 6079 3356 174 64049 55836 i

Does not seem good!

-- 

Anurag Bhatia

anuragbhatia.com

___ sanog mailing list 
sa...@sanog.org https://lists.sanog.org/mailman/listinfo/sanog
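The check the SANOG post is doing by eye, as an added example that is not code from this thread or from either operator: parse a Cisco-style "show ip bgp <prefix> longer-prefixes" listing and report every path whose origin AS (the rightmost AS before the origin code) is not the AS that is supposed to announce the prefix. The sample listing is constructed from the route-views output quoted above; the next-hop and weight values that line wrapping fused in the quoted text are reproduced as plausible values and are not exact.

```python
"""Flag route-views paths whose origin AS differs from the expected holder.

Added example, not code from the mailing-list thread. Only the origin AS is
extracted; the Metric/LocPrf/Weight columns are not disambiguated because the
hijack/leak question only needs the last AS before the origin code.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

EXPECTED_ORIGIN = 20115  # Charter, the holder of 47.35.0.0/16 per the message

# Constructed sample, modelled on the thread's listing (still filtered with
# "| exclude 20115", so no path here should originate from Charter).
SAMPLE_OUTPUT = """\
route-views>sh ip bgp 47.35.0.0/16 long | exclude 20115
BGP table version is 18764390, local router ID is 128.223.51.103
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
Origin codes: i - IGP, e - EGP, ? - incomplete
     Network          Next Hop            Metric LocPrf Weight Path
 *   47.35.0.0/16     195.208.112.16                         0 3277 3267 174 64049 55836 i
 *                    217.192.89.50                          0 3303 6762 64049 55836 i
 *                    212.66.96.126                          0 20912 1267 64049 55836 i
 *                    162.243.188.2                          0 393406 6453 6762 64049 55836 i
 *                    192.241.164.4                          0 62567 2914 174 64049 55836 i
 *                    129.250.0.11              1007         0 2914 174 64049 55836 i
 *                    104.192.216.1                          0 46450 174 64049 55836 i
 *                    202.93.8.242                           0 24441 3491 3491 174 64049 55836 i
 *                    66.59.190.221                          0 6539 577 6762 64049 55836 i
 *                    144.228.241.130             80         0 1239 174 64049 55836 i
 *                    207.172.6.20                 0         0 6079 3356 174 64049 55836 i
"""

# One path line: a run of status letters, the prefix (only on the first path
# of a group), the next hop, then anything up to the origin AS and origin
# code. An AS_SET origin such as {64500,64501} is accepted as well.
PATH_LINE = re.compile(
    r"^\s*(?P<status>[*>sdhrSmbfxaci]+)\s+"
    r"(?:(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+)?"
    r"(?P<next_hop>\d+\.\d+\.\d+\.\d+)\s+"
    r".*?(?P<origin>\d+|\{[\d,]+\})\s+(?P<code>[ie?])\s*$"
)


@dataclass(frozen=True)
class BgpPath:
    prefix: str
    next_hop: str
    origin_as: str  # kept as text so an AS_SET "{..}" survives unchanged


def parse_paths(output: str) -> list[BgpPath]:
    """Extract (prefix, next hop, origin AS) from every path line in the listing."""
    paths: list[BgpPath] = []
    current_prefix = None
    for line in output.splitlines():
        m = PATH_LINE.match(line)
        if not m:
            continue  # prompt, table header and legend lines
        if m["prefix"]:
            current_prefix = m["prefix"]  # later paths in the group inherit it
        if current_prefix is None:
            continue  # path line before any prefix: malformed input, skip it
        paths.append(BgpPath(current_prefix, m["next_hop"], m["origin"]))
    return paths


def origin_counts(output: str) -> Counter:
    """How many paths each (prefix, origin AS) pair accounts for."""
    return Counter((p.prefix, p.origin_as) for p in parse_paths(output))


def unexpected_origins(output: str, expected_origin: int) -> list[BgpPath]:
    """Paths whose origin AS is not the expected holder: the hijack/leak signal."""
    return [p for p in parse_paths(output) if p.origin_as != str(expected_origin)]


if __name__ == "__main__":
    for path in unexpected_origins(SAMPLE_OUTPUT, EXPECTED_ORIGIN):
        print(f"{path.prefix} via {path.next_hop}: origin AS{path.origin_as}, "
              f"expected AS{EXPECTED_ORIGIN}")
```

Run against a live collector's output the same function gives an empty list when only the holder originates the prefix, and the origin_counts summary shows at a glance whether a rogue origin is seen from one peer or, as here, from every vantage point.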



Re: IPv4 Legacy assignment frustration

2016-06-21 Thread Suresh Ramasubramanian
There is absolutely no budgeting for idiots.  Beyond a long hard process that 
is helped by internal escalations from affected people on a corporate network - 
ideally as senior as you can get - or their IT staff.  “Missouri isn’t in 
China, you nitwit.  Fix it or I, the CFO, will go have a word with the CIO and 
..”

In other words, have affected people escalate up the chain to the ISP or more 
likely corporate IT team that’s doing this sort of stupid filtering.

> On 21-Jun-2016, at 8:07 PM, Spurling, Shannon  wrote:
> 
> I am not sure how many on the list are Legacy resource holders from before 
> the RIRs were established, but there is an extremely short-sighted security 
> practice that is being used across the internet.
> 
> Apparently, the RIR that has been given "authority" for an IP prefix range 
> that was a legacy assignment is being used as a geographical locator for 
> those prefixes. For instance, we provide access for several /16's that are in 
> the 150/8 prefix that was set as APNIC. I am aware of quite a few 
> organizations in the US that have prefixes in that range. We have registered 
> our legacy resources with ARIN, but there are some people who insist that 
> somehow the state of Missouri must be part of China because... "APNIC!". They 
> set firewalls and access rules based on that, and are hard pressed to not fix 
> them.
> 
> Is there any way to raise awareness to this inconsistency so that security 
> people will stop doing this?



Re: Detecting Attacks

2016-06-11 Thread Suresh Ramasubramanian
Is your aim to generate attack traffic?  Or rather a mix of normal and attack 
traffic. That's one part.   Googling "ddos simulator" will get you lots of 
results you can evaluate.

Logging it appropriately and capturing the logs, storing them in a db is the 
next.

--srs

> On 11-Jun-2016, at 10:52 AM, subashini hariharan  wrote:
> 
> Hello,
> 
> I am Subashini, a graduate student. I am interested in doing my project in
> Network Security. I have a doubt related to it.
> 
> The aim is to detect DoS/DDoS attacks using the application. I am going to
> use ELK (ElasticSearch, Logstash, Kibana) for processing the logs (Log
> Analytics).
> 
> My doubt is regarding how do we generate logs for detecting this attack? As
> I am new to this process, I am not sure about it.
> 
> Also, if it is possible to do any other attacks similar to this, you can
> please give a hint about it.
> 
> Could anyone please help with this, it would be a great help!!
> 
> 
> -- 
> Thank You.
> 
> With Regards,
> H.Subashini
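The detection half of what the student is asking about, as an added example that is not code from this thread: parse Apache/nginx combined-format access-log lines and keep a sliding time window of requests per client address, reporting any source that crosses a request threshold inside the window. The log lines are constructed in the block so it runs offline; the same rule would run on documents Logstash ships into Elasticsearch in the ELK setup described.

```python
"""Flag request floods per source address from web-server access logs.

Added example, not code from the thread. The sample log is constructed here:
two ordinary clients and one source hammering /login.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" format: ip ident user [time] "request" status size ...
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def access_line(ip: str, second: int, path: str, status: int = 200) -> str:
    """Build one constructed combined-format log line at 11 Jun 2016 10:52:<second> UTC."""
    return (f'{ip} - - [11/Jun/2016:10:52:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "example-client/1.0"')


SAMPLE_LOG = [access_line("198.51.100.10", 1, "/"), access_line("198.51.100.10", 7, "/about"),
              access_line("198.51.100.23", 3, "/"), access_line("198.51.100.23", 4, "/img/logo.png")]
# 24 requests from one address, four per second, between 10:52:02 and 10:52:07.
SAMPLE_LOG += [access_line("203.0.113.7", 2 + i // 4, "/login", 401) for i in range(24)]


def parse_access_log(lines):
    """Yield (timestamp, client ip, request line) for each well-formed line."""
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue  # garbled line: count nothing rather than guess
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield ts, m["ip"], m["request"]


def request_counts(lines) -> Counter:
    """Total requests per client address (the 'top talkers' view)."""
    return Counter(ip for _ts, ip, _req in parse_access_log(lines))


def detect_floods(lines, window_seconds: int = 10, threshold: int = 20) -> dict[str, datetime]:
    """Return {ip: time it first reached `threshold` requests within `window_seconds`}."""
    recent: dict[str, deque] = defaultdict(deque)
    flagged: dict[str, datetime] = {}
    # Sort by time so out-of-order log shipping does not break the window.
    for ts, ip, _request in sorted(parse_access_log(lines), key=lambda e: e[0]):
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop requests that aged out of the window
        if ip not in flagged and len(window) >= threshold:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in detect_floods(SAMPLE_LOG).items():
        print(f"{ip}: flood threshold reached at {when.isoformat()}")
```

The threshold and window are the tuning knobs: a short window with a low threshold catches bursts but fires on busy legitimate clients (proxies, NAT gateways), so in practice the per-source count is compared against a baseline of that source's normal rate rather than a single fixed number.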


Re: [tld-admin-poc] Fwd: Re: .pro whois registry down?

2016-03-09 Thread Suresh Ramasubramanian
Worst comes to worst there's a python based whois client called pwhois that 
lets you dump whois data into json 

--srs

> On 10-Mar-2016, at 6:50 AM, Royce Williams  wrote:
> 
> I'm not affiliated, but there are a couple of companies that normalize
> whois data.  It's a whack-a-mole game, but it sucks less than trying to
> do it yourself.


Re: de-peering for security sake

2015-12-24 Thread Suresh Ramasubramanian
Well, at least she's here rather than sprinkling eggnog and brandy flavoured 
pixie dust on our gear over the Christmas break.

--srs

> On 25-Dec-2015, at 9:08 AM, Owen DeLong  wrote:
> 
> Yes… Isn’t it impressive just how persistent the bad idea fairy can be?
> 
> Owen


Re: de-peering for security sake

2015-12-24 Thread Suresh Ramasubramanian
Hmm, has anyone at all kept count of the number of times such a discussion has 
started up in just the last year, and how many more times in the past 16 or so 
years?

Mind you, back in say 2004, this discussion would have run to 50 or 60 emails 
at a bare minimum, in no time at all.

--srs

On 25-Dec-2015, at 6:55 AM, Stephen Satchell  wrote:

>> On 12/24/2015 04:50 PM, Daniel Corbe wrote:
>> Let’s just cut off the entirety of the third world instead of having
>> a tangible mitigation plan in place.
> 
> While you think you are making a snarky response, it would be handy for end 
> users to be able to turn on and off access to other countries retail.


Re: Google IMAP (with k9mail)

2015-10-23 Thread Suresh Ramasubramanian
Not protocols as much as less secure ssl ciphers is my guess 

--srs

> On 23-Oct-2015, at 9:50 PM, Jay Ashworth  wrote:
> 
> - Original Message -
>> From: "Christopher Morrow" 
> 
>> Incoming settings
>> IMAP server: imap.gmail.com
>> Port: 993
>> Security type: SSL (always)
>> 
>> Outgoing settings
>> SMTP server: smtp.gmail.com
>> Port: 465
>> Security type: SSL (always)
> 
> Hijack: to use k9mail with gmail IMAP, I have to enable "allow less secure 
> clients" in the gmail web UI, but neither the Gmail people nor the k9mail
> people seem to want to actually document which protocol is disliked or
> required.
> 
> Anyone have any actual facts on this point?
> 
> Cheers,
> -- jra
> -- 
> Jay R. Ashworth  Baylink   
> j...@baylink.com
> Designer The Things I Think   RFC 2100
> Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
> St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274


Re: Google IMAP

2015-10-20 Thread Suresh Ramasubramanian
Right now imap.gmail.com appears down for me from at least two local
networks in India, just saying

I guess that's what the original poster wanted to ask about.

On Wednesday, October 21, 2015, Jason Hellenthal 
wrote:

> $ dig @8.8.8.8 imap.gmail.com
>
> ; <<>> DiG 9.10.3 <<>> @8.8.8.8 imap.gmail.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49149
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;imap.gmail.com.IN  A
>
> ;; ANSWER SECTION:
> imap.gmail.com. 299 IN  CNAME   gmail-imap.l.google.com.
> gmail-imap.l.google.com. 299IN  A   173.194.74.108
> gmail-imap.l.google.com. 299IN  A   173.194.74.109
>
> ;; Query time: 28 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Wed Oct 21 01:02:22 UTC 2015
> ;; MSG SIZE  rcvd: 109
>
>
> I don’t recall this ever being imap.google.com
>
> > On Oct 20, 2015, at 19:54, Nathanael Cariaga <
> nathanael.cari...@adec-innovations.com > wrote:
> >
> > Any GMail / Google Apps guys here?  Just want to ask if there are issues
> > with imap.google.com
> >
> >
> > ; <<>> DiG 9 <<>> @localhost imap.google.com A
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24131
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;imap.google.com. IN  A
> >
> > ;; AUTHORITY SECTION:
> > google.com.   60  IN  SOA ns4.google.com.
> dns-admin.google.com.
> > 105915603 900 900 1800 60
> >
> > ;; Query time: 16 msec
> > ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > ;; WHEN: Wed Oct 21 02:53:04 2015
> > ;; MSG SIZE  rcvd: 83
> >
> >
> >
> >
> > --
> > Regards,
> >
> >
> > -nathan
>
>
> --
>  Jason Hellenthal
>  JJH48-ARIN
>
>
>
>
>

-- 
--srs (iPad)


Re: /27 the new /24

2015-10-02 Thread Suresh Ramasubramanian
Besides which more than one provider filters by a minimum prefix length per /8 
- wasn't  Swisscom or someone similar doing that?  So multi homing with even a 
/24 is somewhat patchy in terms of effectiveness

--srs

> On 02-Oct-2015, at 8:54 PM, William Herrin  wrote:
> 
>> On Fri, Oct 2, 2015 at 10:32 AM, Justin Wilson - MTIN  wrote:
>> However, what do we do about the new networks which
>> want to do BGP but only can get small allocations from
>> someone (either a RIR or one of their upstreams)?
> 
> Hi Justin,
> 
> Rent or sell them a /24 and make money. If they can't afford a /24 at
> today's market rate, why should the rest of us spend much more money
> upgrading routers to accommodate their advertisement?
> 
> The annual systemic cost of carrying that prefix is still more than
> double the one-time cost of acquiring a /24. No doubt that gap will
> close, but there's no cost justification to change the /24 filters
> just yet.
> 
> Regards,
> Bill Herrin
> 
> 
> 
> -- 
> William Herrin  her...@dirtside.com  b...@herrin.us
> Owner, Dirtside Systems . Web: 


Re: /27 the new /24

2015-10-02 Thread Suresh Ramasubramanian
There would be a default route sure - but the filter simply means that your 
packets from say a src IP in a Level 3 /24 (where the minimum alloc size was 
what, /20) wouldn't go through if you sent them through say a Cogent interface

--srs

> On 02-Oct-2015, at 10:04 PM, William Herrin <b...@herrin.us> wrote:
> 
> On Fri, Oct 2, 2015 at 11:55 AM, Suresh Ramasubramanian
> <ops.li...@gmail.com> wrote:
>> Besides which more than one provider filters by a minimum prefix length
>> per /8 - wasn't  Swisscom or someone similar doing that?  So multi
>> homing with even a /24 is somewhat patchy in terms of effectiveness
> 
> Hi Suresh,
> 
> That hasn't been true for something like a decade. Anybody who filters
> anything shorter than /24 without also taking a default route (or the
> equivalent) is not fully connected to the Internet.
> 
> Regards,
> Bill Herrin
> 
> 
> 
> -- 
> William Herrin  her...@dirtside.com  b...@herrin.us
> Owner, Dirtside Systems . Web: <http://www.dirtside.com/>


Re: Quick Update on the North American BCOP Efforts

2015-09-30 Thread Suresh Ramasubramanian
Late to the party but which best current practices were these and - as the 
board asked - how much of it reinvents the several other best practice wheels 
around?

--srs

> On 30-Sep-2015, at 8:47 PM, Mike Hammett  wrote:
> 
> If NANOG isn't developing and publishing BCOPs, what's the point of NANOG 
> other than a mailing list? 
> 
> 
> 
> 
> - 
> Mike Hammett 
> Intelligent Computing Solutions 
> http://www.ics-il.com 
> 
> - Original Message -
> 
> From: "Chris Grundemann"  
> To: nanog@nanog.org 
> Sent: Wednesday, September 30, 2015 9:41:38 AM 
> Subject: Quick Update on the North American BCOP Efforts 
> 
> Hail NANOGers! 
> 
> After receiving several off-line inquiries about the status of BCOP in 
> North America I think it's appropriate to send a general announcement here. 
> 
> The biggest news here is that the current NANOG Board of Directors has 
> disbanded the NANOG BCOP Committee. The stated rationale for this decision 
> can be found in the minutes from their 2 February 2015 meeting. 
> 
> https://www.nanog.org/sites/default/files/sites/default/files/BOD-BCOPMinutes_2.2.2015.pdf
>  
> 
> As you might expect, I find this extremely disappointing. Our reaction has 
> been twofold: 
> 
> 1) We're moving to a new home. You can now find all of the current 
> documents at http://nabcop.org. Everything is moving forward, despite a bit 
> of jostling. Please jump in and get involved! 
> 
> 2) I'm so disappointed by this decision, and the future course of NANOG 
> implied, that I've decided to run for the NANOG Board of Directors. There's 
> a really great slate of candidates running, so whatever your decision, I 
> highly encourage you to really consider your selections. 
> 
> https://www.nanog.org/elections/2015/BoDcandidates 
> 
> If you have any questions at all, please feel free to email me directly, or 
> send them to bcop-supp...@nabcop.org. 
> 
> See you in Montréal! 
> 
> Cheers, 
> ~Chris 
> 


Re: free Tools to monitor website performance

2015-08-05 Thread Suresh Ramasubramanian
Nagios will do it at a pinch but only from one location.  But if you want 
professional URL monitoring from across multiple locations worldwide, you need 
Gomez, Neustar Webmetrics etc.  Not quite cheap.

 On 05-Aug-2015, at 7:23 PM, sathish kumar Ippani 
 sathish.kumar.ipp...@gmail.com wrote:
 
 Hi All,
 
 Thanks to all for reviewing my topic, maybe it is slightly off topic.
 
 We have almost 300 URLs (local and web) and we want to monitor a few of them
 which are very critical URLs for web access and local access.
 
 I would like to know is there any free tool or software which I can use to
 monitor URL performance in terms of response time. Which gives more
 information like how much time it took to connect to the server and time to
 load the page and total response time.
 
 Thanks in advance.
 
 
 
 -- 
 With Regards,
 
 Sathish Ippani



Re: Working with Spamhaus

2015-07-31 Thread Suresh Ramasubramanian
It's what they call a free country 

Those that don't use it don't use it, and those who do are free to do so

--srs

 On 31-Jul-2015, at 4:56 PM, Ricky Beam jfb...@gmail.com wrote:
 
 On Fri, 31 Jul 2015 17:28:34 -0400, Jaren Angerbauer 
 jarenangerba...@gmail.com wrote:
 I work for Proofpoint -- we acquired SORBS back in 2011.
 
 Hint: The Internet has a LONG memory.
 
 The liberal and numerous dropping of "for free" makes me laugh. You knew 
 the tainted nature of what you were buying. Nobody, to this day, places much 
 trust at all in SORBS. I dare say there isn't anyone on NANOG (certainly any 
 long hairs) that hasn't had at least one interaction with SORBS, most 
 likely due to spamtraps; that number drops to almost zero when you put the 
 word "good" in that sentence. Maybe it's better now under new management; we 
 (the royal we) moved on long ago.


Re: Working with Spamhaus

2015-07-29 Thread Suresh Ramasubramanian
delurk

They come to M3AAWG on a regular basis and there’s the M3AAWG hosting SIG that 
you might want to participate in.

NANOG doesn’t always have a mail abuse (and not very many network abuse) 
session on the agenda, plus just how many people doing routing or DNS seem to 
even care what their colleagues down the hall in the abuse team are doing or 
which conferences they attend?

I remember a time (under the previous list management) when discussing spam 
here was deemed OT and non operational - off list warnings, suspensions and 
such.  Ancient history I guess, but still ..

/delurk

—srs

 On 29-Jul-2015, at 10:06 AM, Bob Evans b...@fiberinternetcenter.com wrote:
 
 Would be nice to have an RBL service that attended NANOG meetings.
 Would make for a more trusted RBL we can tell customers to make use of.
 Spamhaus ever attend NANOG meetings ?
 Thank You
 Bob Evans
 CTO



Re: Working with Spamhaus

2015-07-29 Thread Suresh Ramasubramanian
Er - a couple of ways

1. If you run a farm of mail servers, something like splunk for your logs is 
kind of necessary.  How difficult is it going to be to trigger a splunk alert 
on whatever looks like an administrative block?  Either by a large provider, or 
by a DNS block list.

2. You can rsync spamhaus and grep for mentions of your ASN, get ISP feedback 
loops etc.

On a larger topic - NANOG and M3AAWG (also RIPE and M3AAWG’s summer meeting in 
Europe) really ought to collocate or at least be back to back in the same city 
somewhere down the line - maybe with a day’s worth of joint sessions on topics 
of mutual interest (malware detection and mitigation, DDoS filtering .. there’s 
a lot going on in M3AAWG that’s not plain old mail or even messaging)

It still won’t solve the larger problem that a lot of routing and DNS folks 
won’t find it of interest, but well, over the decade ++ I’ve been around M3AAWG 
I see an ever increasing number of (security focused, mainly) *nog regulars 
turn up there.

—srs

 On 29-Jul-2015, at 10:37 AM, Bob Evans b...@fiberinternetcenter.com wrote:
 
 I see that point - however, spamhaus has become a haus-hold word these
 days and everyone runs into these issues... it's not malware or bots we
 block from a network level blackhole. Yet it is basic network operations
 these days to have to deal with someone complaining about their hacked
 mail server is now fixed yet they can't get mail. We usually tell them the
 quickest way is to address spamhaus to get it removed and in parallel also
 move the mail server to a new IP and change the DNS and rDNS to the new
 one. It gets us out of having to help with these RBL issues.
 
 When an RBL sends a notice we jump on it and get it to the
 customer...however, they usually don't send us or the customer anything.
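The first of Suresh's two suggestions, an alert on "whatever looks like an administrative block", as an added example that is not code from the thread and not a Splunk search: the same rule in Python over Postfix-style smtp delivery log lines. The log lines are constructed here, and the marker phrases are assumptions about what remote servers typically say when they reject on a DNSBL or reputation basis; extend the list with what your own logs show. A line counts as an administrative block only when the DSN is in the 5.7.x / 4.7.x policy class and the remote server's text names a blocklist or a reputation reason, so "user unknown" bounces, plain relay-access errors and successful deliveries are ignored.

```python
"""Turn outbound mail-log rejections into an "administrative block" alert.

Added example, not code from the thread. Sample Postfix smtp client log lines
are constructed below; real logs differ in detail but carry the same fields.
"""
from __future__ import annotations

import re
from collections import Counter

LOG_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/smtp\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, relay=(?P<relay>[^,]+), .*?"
    r"dsn=(?P<dsn>\d\.\d+\.\d+), status=(?P<status>\w+) \((?P<reason>.*)\)$"
)

# Assumed phrases remote MTAs use for DNSBL / reputation rejections.
ADMIN_BLOCK_MARKERS = (
    "blocked using", "listed at", "listed in", "spamhaus", "blocklist",
    "blacklist", "poor reputation", "unsolicited mail",
)

# Constructed sample: two DNSBL rejections at one provider, one reputation
# defer at another, one successful delivery, one ordinary "user unknown".
SAMPLE_LOG = """\
Jul 29 10:15:01 mx1 postfix/smtp[2201]: 4F1A2B: to=<alice@example.com>, relay=mx.example.com[198.51.100.5]:25, delay=0.6, delays=0.1/0/0.3/0.2, dsn=5.7.1, status=bounced (host mx.example.com[198.51.100.5] said: 550 5.7.1 Service unavailable; client [203.0.113.7] blocked using zen.spamhaus.org (in reply to RCPT TO command))
Jul 29 10:15:02 mx1 postfix/smtp[2202]: 4F1A2C: to=<bob@example.net>, relay=mx.example.net[198.51.100.9]:25, delay=0.4, delays=0.1/0/0.2/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 8B3C)
Jul 29 10:15:05 mx1 postfix/smtp[2203]: 4F1A2D: to=<carol@example.com>, relay=mx.example.com[198.51.100.5]:25, delay=0.5, delays=0.1/0/0.2/0.2, dsn=5.7.1, status=bounced (host mx.example.com[198.51.100.5] said: 550 5.7.1 Service unavailable; client [203.0.113.7] blocked using zen.spamhaus.org (in reply to RCPT TO command))
Jul 29 10:15:09 mx1 postfix/smtp[2204]: 4F1A2E: to=<dave@example.org>, relay=mx.example.org[198.51.100.20]:25, delay=0.7, delays=0.1/0/0.4/0.2, dsn=4.7.0, status=deferred (host mx.example.org[198.51.100.20] said: 421 4.7.0 unsolicited mail originating from your IP address, try again later (in reply to end of DATA command))
Jul 29 10:15:11 mx1 postfix/smtp[2205]: 4F1A2F: to=<nobody@example.net>, relay=mx.example.net[198.51.100.9]:25, delay=0.4, delays=0.1/0/0.2/0.1, dsn=5.1.1, status=bounced (host mx.example.net[198.51.100.9] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
"""


def classify_block(dsn: str, reason: str):
    """Return the blocklist (or 'remote policy') behind a reject, else None."""
    if not (dsn.startswith("5.7.") or dsn.startswith("4.7.")):
        return None  # not a policy-class DSN
    text = reason.lower()
    if not any(marker in text for marker in ADMIN_BLOCK_MARKERS):
        return None  # e.g. "relay access denied" is 5.7.1 but not a listing
    m = re.search(r"(?:blocked using|listed (?:at|in|on)) (\S+)", text)
    return m.group(1).rstrip(".;,") if m else "remote policy"


def administrative_blocks(log_text: str) -> list[dict]:
    """Every delivery attempt the remote side refused on a listing or policy basis."""
    events = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an smtp client delivery record
        source = classify_block(m["dsn"], m["reason"])
        if source is None:
            continue
        events.append({"qid": m["qid"], "relay": m["relay"], "dsn": m["dsn"],
                       "status": m["status"], "source": source})
    return events


def block_counts(log_text: str) -> Counter:
    """Blocks keyed by (listing, receiving mail host), the unit an alert should fire on."""
    return Counter((e["source"], e["relay"].split("[")[0])
                   for e in administrative_blocks(log_text))


def alerts(log_text: str, threshold: int = 2) -> list[tuple]:
    """(listing, host) pairs that rejected at least `threshold` deliveries."""
    return sorted(key for key, n in block_counts(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for listing, host in alerts(SAMPLE_LOG):
        print(f"ALERT: {host} rejecting our mail citing {listing}")
```

Keying the count on (listing, receiving host) rather than on raw bounce volume is what keeps the alert actionable: one hit on zen.spamhaus.org from a single recipient domain is noise, the same listing cited by several large receivers inside a few minutes is the signal that a sending IP has just been listed.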



Re: Route leak in Bangladesh

2015-06-30 Thread Suresh Ramasubramanian
I have sent this to a contact at another Bangladeshi ISP that should be able to 
reach the right person for this ASAP.

 On 30-Jun-2015, at 1:57 pm, Grzegorz Janoszka grzeg...@janoszka.pl wrote:
 
 We have just received alert from bgpmon that AS58587 Fiber @ Home Limited has 
 hijacked most of our (AS43996) prefixes and Hurricane Electric gladly 
 accepted them.
 
 Anybody see their prefixes hijacked as well?



Re: World's Fastest Internet™ in Canadaland

2015-06-26 Thread Suresh Ramasubramanian
Parkinson's law of sorts? Use expanding to fill the bandwidth available

One kid with a torrent downloading random stuff, streaming HD and music off the 
internet etc and a family of four can make decent inroads into gigabit or so I 
would have thought 

Don't even start counting say a GB here and several MB there in software, OS 
etc upgrades across a variety of devices.

Extrapolating from current usage levels on comparatively lower speed broadband 
doesn't quite make sense to me

--srs

 On 27-Jun-2015, at 12:09 am, Rafael Possamai raf...@gav.ufsc.br wrote:
 
 How does one fully utilize a gigabit link for home use? For a single person
 it is overkill. Similar to the concept of price elasticity in economics,
 going from 50mbps to 1gbps doesn't necessarily increase your average
 transfer rate, at least I don't think it would for me. Anyone care to
 comment? Just really curious, as to me it's more of a marketing push than
 anything else, even though gigabit to the home sounds really cool.
 
 
 
 On Fri, Jun 26, 2015 at 1:13 PM, Eric Dugas edu...@zerofail.com wrote:
 
 Nice try Bell.. So-Net did it two years ago, 2Gbps FTTH in Japan.
 
 Article: http://bgr.com/2013/06/13/so-net-nuro-2gbps-fiber-service/
 
 If you read Japanese: http://www.nuro.jp/hikari/
 
 Eric
 
 -Original Message-
 From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Hank Disuko
 Sent: June 26, 2015 2:04 PM
 To: NANOG
 Subject: World's Fastest Internet™ in Canadaland
 
 Bell Canada is apparently gearing up to provide the good people of Toronto
 with the World's Fastest Internet™.
 
 http://www.thestar.com/news/city_hall/2015/06/25/bell-canada-to-give-toronto-worlds-fastest-internet.html
 
 
 


Re: World's Fastest Internet™ in Canadaland

2015-06-26 Thread Suresh Ramasubramanian
Like Peter Lothberg's mother's home :)

--srs

 On 27-Jun-2015, at 12:22 am, Mikael Abrahamsson swm...@swm.pp.se wrote:
 
 And yes, fastest Internet in the world is pure BS, gigabit ethernet access 
 to people's homes has been around for years in other places


Re: vendor spam OTD

2015-04-27 Thread Suresh Ramasubramanian
Given we’re going down this “what is spam” rathole again, spam is generally 
defined as unsolicited BULK email

As the email appears to be one to one, though a remarkably persistent one to 
one, I would suggest procmail, unless you know he’s harvested nanog and is 
sending the same offer mail merged to a bunch of operators.

—srs

 On 28-Apr-2015, at 8:29 am, Rob Seastrom r...@seastrom.com wrote:
 
 On 04/27/2015 07:02 PM, Rob Seastrom wrote:
 Anyone else been spammed by Andy Boland at Function5 Technology
 Group?
 
 I'm not sure it's fair to class the e-mail as spam, but he is one
 persistent fellow.  My company made list for some of the equipment we
 retired for purchase, and his Cisco buyer never got back to me.  So
 the excess inventory is being offered to another reseller.
 
 Well, it's unsolicited email from a company who I've never had any
 commercial relationship with.  If it's not fair to class it as spam,
 what is it fair to class it as?
 
 I reported it to the appropriate abuse folks.



Re: vendor spam OTD

2015-04-27 Thread Suresh Ramasubramanian
Having seen my share of pesky vendors - though not this one .. Yeah idle 
speculation it is.  Informed idle I hope. :)

--srs

 On 28-Apr-2015, at 9:00 am, Rob Seastrom r...@seastrom.com wrote:
 
 Have you gotten a copy too, or are you just idly speculating here?


M3AAWG 34 in Dublin - public call for papers

2015-03-03 Thread Suresh Ramasubramanian
fyi

 From: Alec Peterson a...@messagesystems.com
 To: techni...@mailman.m3aawg.org techni...@mailman.m3aawg.org
 Date: Tue, Mar 3, 2015 11:32 PM
 Subject: [Technical] M3AAWG 34 Call for Papers


 The 34th General Meeting of the Messaging Malware Mobile Anti-Abuse
 Working Group (M3AAWG) will be held in Dublin, Ireland from June 8-11,
 2015.  You may find information about all of our upcoming meetings at
 http://www.maawg.org/events/upcoming_meetings. The Technical Committee is
 currently seeking proposals for sessions for our upcoming meeting in
 Dublin.  Sessions may involve single speakers or panels with up to four
 participants and are typically 60 minutes long.  A successful proposal is
 of a technical nature that is relevant to the operationally-focused
 participants of M3AAWG. Topics of relevance include but are not limited to:

 + DANE / DNSSEC
 + DMARC / (DMARC.org) [http://DMARC.org]
 + IPv6 (other than mailbox provider perspective)
 + Pervasive Monitoring / Encryption Efforts (Messaging Security)
 + Unique Attack and/or Mitigation Analysis
 + Emerging Threats
 + Viruses, Worms, Trojans, and other Malware
 + Exploit Kits
 + Pay-Per-Install Campaigns
 + Cybercrime Underground Economy
 + Targeted Attacks
 + Advanced Persistent Threats (APTs)
 + Security Issues involving the 'Internet of Things'
 + Security Issues involving Critical Infrastructure
 + Social Engineering
 + Phishing and Other Scams
 + The evolution of mobile malware (e.g., NotCompatible)
 + Mobile penetration of non-mobile networks barriers
 + The rise of Over-the-Top sources of mobile messaging abuse

 Please submit your session proposals to https://www.maawg.org/submissions by
 May 1, 2015 at the latest. Travel assistance is available for special
 cases.  All participants must adhere to the M3AAWG Conduct Policy at
 https://www.maawg.org/page/m3aawg-conduct-policy.  Media will be permitted
 into sessions only with the speakers’ advance consent. The contents of this
 CFP are public. Please feel free to redistribute this document.

 Alec


 ALEC H PETERSON
 cto
 tel +1 443 656 3322
 twitter @ahpeterson
 email a...@messagesystems.com




Large Ontario DC busted for hosting petabytes of child abuse material

2015-03-02 Thread Suresh Ramasubramanian
18 million dollars revenue in three months so certainly pretty large sized.

Any idea which DC this is?

http://motherboard.vice.com/en_ca/read/police-could-charge-a-data-center-in-the-largest-child-porn-bust-ever


Re: AOL Postmaster

2015-02-25 Thread Suresh Ramasubramanian
You think every accountant, realtor, coffee shop etc uses their own domain?
On Feb 26, 2015 3:12 AM, Bill Patterson billpatterso...@gmail.com wrote:

 That was my first response as well. But that response was frowned upon by
 my customer service reps.
 On Feb 25, 2015 8:56 AM, Ken Chase m...@sizone.org wrote:

  Simple, one simply does not conduct business email over an AOL account.
 
  This is what I've been telling several of my customers about their
  contacts for a while now.
 
  /kc
 
 
  On Wed, Feb 25, 2015 at 05:24:12AM -0500, Rich Kulawiec said:

Their own announcement:


 
 http://postmaster-blog.aol.com/2014/04/22/aol-mail-updates-dmarc-policy-to-reject/

says that DMARC issues should be referred here:

 dmarc-h...@teamaol.com

(And before anyone asks, yes, the headers on mailing list traffic
have been modified precisely as that page stipulates.)

Perhaps it's too much to expect that in 2015 system and network admins
will actually demonstrate baseline professionalism and competence by
reading and answering role account email.

---rsk
 
  --
  Ken Chase - Toronto Canada
 



Re: AOL Postmaster

2015-02-24 Thread Suresh Ramasubramanian
And how many users do you have, again?
On Feb 24, 2015 6:29 PM, Colin Johnston col...@gt86car.org.uk wrote:

 block aol like china blocks with no engagement of comms as justification

 colin

 Sent from my iPhone

  On 24 Feb 2015, at 12:36, Rich Kulawiec r...@gsp.org wrote:
 
  On Tue, Feb 24, 2015 at 03:19:06AM +0100, Fred wrote:
  Having exactly the same issue. Also never received any response from
  AOL. Quite annoying.
 
  I've been waiting since January 26th for a response from
 dmarc-h...@teamaol.com,
  which is their stipulated contact point for DMARC issues.
 
  Of course I wouldn't *need* a response about that if they hadn't
 implemented
  DMARC so foolishly.
 
  It seems that the days when Carl Hutzler ran the place -- and ran it
 well --
  are now well behind them.  I didn't always agree with their decisions,
  but it was obvious that they were working hard and trying to make AOL a
  good network neighbor, so even when I disagreed I could at least
 acknowledge
  their good intentions.   It seems now that AOL is determined to permit
  unlimited abuse directed at the entire rest of the Internet while
  simultaneously making life as difficult as possible for everyone who
  *doesn't* abuse...and is counting on their size to make them immune from
  the consequences of that decision.
 
  ---rsk



Re: gmail spam help

2015-02-12 Thread Suresh Ramasubramanian
Which distro is it that has dnsbl filtering on by default, and also
defaulting to shady no-name blocklists?

I have yet to see a case where turning this sort of thing on first and
kicking self later wasn't because of a clueless sysadmin.
 On Feb 13, 2015 7:36 AM, Daniel Taylor dtay...@vocalabs.com wrote:

 Of course not, and I didn't mean to imply that they were.

 I was surprised to see it still present *anywhere* (this was in a major
 Linux distribution, and may still be), and that hidden presence may be
 polluting data streams used by even the most responsible vendors unless
 they are running entirely self-contained.

 On 02/12/2015 07:04 PM, Suresh Ramasubramanian wrote:


 Please. Gmail isn't ever likely to use long dead hobbyist block lists.

 On Feb 12, 2015 9:38 PM, Daniel Taylor dtay...@vocalabs.com mailto:
 dtay...@vocalabs.com wrote:

 Possibly related: http://www.ahbl.org/content/changes-ahbl

 We had to manually remove it from spamassassin for our local
 installation, and I am pretty sure that a lot of sites still
 haven't figured it out so there's a lot of false positives being
 generated all over the place to throw off even filters that don't
 use it directly.

 On 02/12/2015 09:54 AM, Alex Rubenstein wrote:

 Mainly because I own it, and the people who use it. The server
 has been around 10+ years and has tight oversight. SPF is
 proper. This is a recent issue.






 From: Scott Helms [mailto:khe...@zcorum.com
 mailto:khe...@zcorum.com]
 Sent: Thursday, February 12, 2015 10:51 AM
 To: Alex Rubenstein
 Cc: Josh Luthman; NANOG list
 Subject: Re: gmail spam help

 I'd be interested to know how you can be so adamant about the
 lack of spam from this specific server.  A great percentage of
 the spam hitting servers I have visibility into comes from
 very similar kinds of set ups because they tend to have little
 or no over sight in place.

 Also, lots of commercial email gets flagged as spam by users,
 even when they opted in for the email.  If enough people
 flagged email from this server as spam it will cause Google to
 consider other email from the same small server as likely to
 be spam as well.  Small systems, especially new ones, tend to
 unintentionally look like spam sources by not having proper
 reverse records, making sure you have SPF set up for the
 domain, etc.


 Scott Helms
 Vice President of Technology
 ZCorum
 (678) 507-5000
 
 http://twitter.com/kscotthelms
 

 On Thu, Feb 12, 2015 at 10:41 AM, Alex Rubenstein
 a...@corp.nac.net
 mailto:a...@corp.nac.netmailto:a...@corp.nac.net
 mailto:a...@corp.nac.net wrote:
 I should have been clearer.

 I have been getting complaints from my sales folks that when
 they send emails to people who use gmail (either a gmail
 account or google apps) that they recipient is reporting that
 the email is ending up in the Spam folder. So, I tested this
 myself, sending an email from a...@corp.nac.net to rubenstei...@gmail.com


 This is curious to me, since @corp.nac.net is a small exchange
 implementation with only about 50 users behind it, and there
 is no question that there is no spamming going on from here.

 So, it’s not a question of adding a filter or not using gmail;
 it is not me who is using gmail in this problem.



 From: Josh Luthman [mailto:j...@imaginenetworksllc.com]
 Sent: Thursday, February 12, 2015 9:32 AM
 To: Alex Rubenstein
 Cc: NANOG list
 Subject: Re: gmail spam help


 Create a filter.

 Josh Luthman
 Office: 937-552-2340
 Direct: 937-552-2343
 1100 Wayne St
 Suite 1337
 Troy, OH 45373
 On Feb 12, 2015 8:11 AM, Alex Rubenstein a...@corp.nac.net

Re: gmail spam help

2015-02-12 Thread Suresh Ramasubramanian
Please. Gmail isn't ever likely to use long dead hobbyist block lists.
On Feb 12, 2015 9:38 PM, Daniel Taylor dtay...@vocalabs.com wrote:

 Possibly related: http://www.ahbl.org/content/changes-ahbl

 We had to manually remove it from spamassassin for our local installation,
 and I am pretty sure that a lot of sites still haven't figured it out so
 there's a lot of false positives being generated all over the place to
 throw off even filters that don't use it directly.

 On 02/12/2015 09:54 AM, Alex Rubenstein wrote:

 Mainly because I own it, and the people who use it. The server has been
 around 10+ years and has tight oversight. SPF is proper. This is a recent
 issue.






 From: Scott Helms [mailto:khe...@zcorum.com]
 Sent: Thursday, February 12, 2015 10:51 AM
 To: Alex Rubenstein
 Cc: Josh Luthman; NANOG list
 Subject: Re: gmail spam help

 I'd be interested to know how you can be so adamant about the lack of
 spam from this specific server.  A great percentage of the spam hitting
 servers I have visibility into comes from very similar kinds of set ups
 because they tend to have little or no over sight in place.

 Also, lots of commercial email gets flagged as spam by users, even when
 they opted in for the email.  If enough people flagged email from this
 server as spam it will cause Google to consider other email from the same
 small server as likely to be spam as well.  Small systems, especially new
 ones, tend to unintentionally look like spam sources by not having proper
 reverse records, making sure you have SPF set up for the domain, etc.


 Scott Helms
 Vice President of Technology
 ZCorum
 (678) 507-5000
 
 http://twitter.com/kscotthelms
 

 On Thu, Feb 12, 2015 at 10:41 AM, Alex Rubenstein a...@corp.nac.net
 mailto:a...@corp.nac.net wrote:
 I should have been clearer.

 I have been getting complaints from my sales folks that when they send
 emails to people who use gmail (either a gmail account or google apps) that
 they recipient is reporting that the email is ending up in the Spam folder.
 So, I tested this myself, sending an email from a...@corp.nac.net
 to rubenstei...@gmail.com


 This is curious to me, since @corp.nac.net is a
 small exchange implementation with only about 50 users behind it, and there
 is no question that there is no spamming going on from here.

 So, it’s not a question of adding a filter or not using gmail; it is not
 me who is using gmail in this problem.



 From: Josh Luthman [mailto:j...@imaginenetworksllc.com]
 Sent: Thursday, February 12, 2015 9:32 AM
 To: Alex Rubenstein
 Cc: NANOG list
 Subject: Re: gmail spam help


 Create a filter.

 Josh Luthman
 Office: 937-552-2340
 Direct: 937-552-2343
 1100 Wayne St
 Suite 1337
 Troy, OH 45373
 On Feb 12, 2015 8:11 AM, Alex Rubenstein a...@corp.nac.net wrote:
 Is there anyone on-list that can help me with a world - gmail email
 issue, where email is being considering spam by gmail erroneously?

 Thanks.



 --
 Daniel Taylor  VP OperationsVocal Laboratories, Inc.
 dtay...@vocalabs.com   http://www.vocalabs.com/(612)235-5711




Re: Facebook outage?

2015-01-26 Thread Suresh Ramasubramanian
It is back now fwiw
On Jan 27, 2015 12:18 PM, Damien Burke dam...@supremebytes.com wrote:

 Facebook outage? Everyone panic!

 https://twitter.com/search?q=facebooksrc=typd

 -Damien



Re: Transparent hijacking of SMTP submission...

2014-11-27 Thread Suresh Ramasubramanian
Yes. Till that hotspot's IP space gets blackholed by a major freemail
because of all the Nigerians and hijacked devices emitting bot traffic
through stolen auth credentials.

There are other ways to stop this, but they take actual hard work and rather
more gear than a rusted-up old ASA you pull out of your closet, as like as
not.
 On Nov 28, 2014 2:10 AM, Mark Andrews ma...@isc.org wrote:


 Which is why your MTA should always be setup to require the use of
 STARTTLS.  Additionally the CERT presented should also match the
 name of the server.

 There is absolutely no reason for a ISP / hotspot to inspect
 submission traffic.  The stopping spam argument doesn't wash with
 submission.

 Mark

 In message 54778167.7080...@bogus.com, joel jaeggli writes:
 
  I don't see this in my home market, but I do see it in someone else's...
  I kind of expect this for port 25 but...
 
  J@mb-aye:~$telnet 147.28.0.81 587
  Trying 147.28.0.81...
  Connected to nagasaki.bogus.com.
  Escape character is '^]'.
  220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014
  19:17:44 GMT
  ehlo bogus.com
  250-nagasaki.bogus.com Hello XXX.wa.comcast.net
  [XXX.XXX.XXX.XXX], pleased to meet you
  250 ENHANCEDSTATUSCODES
 
  J@mb-aye:~$telnet 2001:418:1::81 587
  Trying 2001:418:1::81...
  Connected to nagasaki.bogus.com.
  Escape character is '^]'.
  220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014
  19:18:33 GMT
  ehlo bogus.com
  250-nagasaki.bogus.com Hello
  [IPv6:2601:7:2380::::c1ae:7d73], pleased to meet you
  250-ENHANCEDSTATUSCODES
  250-PIPELINING
  250-8BITMIME
  250-SIZE
  250-DSN
  250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN
  250-STARTTLS
  250-DELIVERBY
  250 HELP
 
  that's essentially a downgrade attack on my ability to use encryption
  which seems to be in pretty poor taste frankly.
 --
 Mark Andrews, ISC
 1 Seymour St., Dundas Valley, NSW 2117, Australia
 PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
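
The downgrade Joel's transcript shows can be detected on the client side before any credential is sent. The block below is an added example, not code from the thread or any poster: it parses EHLO replies like the two captured above (constructed here from the transcript) and refuses to proceed to AUTH unless STARTTLS is advertised and, on a live connection, the certificate verifies for the hostname connected to; the open_submission() helper and its arguments are assumptions.

```python
# Client-side guard against STARTTLS stripping on SMTP submission (port 587).
# Added example, not code from the NANOG thread or any poster. The two EHLO
# captures below are constructed from the thread's transcripts: the IPv4
# session seen through the hotspot (every extension but one removed) and the
# IPv6 session that bypassed the inspection device.
import smtplib
import ssl

EHLO_STRIPPED = """\
250-nagasaki.bogus.com Hello XXX.wa.comcast.net [XXX.XXX.XXX.XXX], pleased to meet you
250 ENHANCEDSTATUSCODES
"""

EHLO_INTACT = """\
250-nagasaki.bogus.com Hello [IPv6:2601:7:2380::::c1ae:7d73], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN
250-STARTTLS
250-DELIVERBY
250 HELP
"""


def parse_ehlo(reply: str) -> dict[str, list[str]]:
    """Map each advertised ESMTP keyword (upper-cased) to its parameters.

    The first 250 line is the greeting ("250-host Hello ..."), not an
    extension. Continuation lines use '250-', the last line '250 ', so the
    four-character prefix is dropped by position.
    """
    extensions: dict[str, list[str]] = {}
    seen_greeting = False
    for line in reply.splitlines():
        if not line.startswith("250"):
            continue
        if not seen_greeting:
            seen_greeting = True
            continue
        parts = line[4:].split()
        if parts:
            extensions[parts[0].upper()] = parts[1:]
    return extensions


def check_submission(extensions: dict[str, list[str]]) -> tuple[bool, str]:
    """Return (proceed, reason): proceed only if STARTTLS is advertised.

    A submission server not advertising STARTTLS is either misconfigured or
    being tampered with in transit; either way the client must stop before
    any credential leaves the host.
    """
    if "STARTTLS" not in extensions:
        return False, "STARTTLS not advertised; refusing to authenticate (possible downgrade)"
    if "AUTH" in extensions:
        # Legal to advertise before TLS, but the mechanisms are only used after it.
        return True, "STARTTLS offered; AUTH %s only after TLS" % " ".join(extensions["AUTH"])
    return True, "STARTTLS offered"


def open_submission(host: str, port: int = 587, timeout: float = 15.0) -> smtplib.SMTP:
    """Open a submission session that refuses to continue without verified TLS.

    Connect by hostname, not IP: smtplib passes that name as server_hostname
    and the default context (CERT_REQUIRED, check_hostname, system CA store)
    rejects a certificate whose name or chain does not match. AUTH belongs
    only on the returned object, i.e. after starttls() and the second EHLO.
    """
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        smtp.ehlo()
        advertised = {k.upper(): v.split() for k, v in smtp.esmtp_features.items()}
        ok, reason = check_submission(advertised)
        if not ok:
            raise RuntimeError(f"{host}:{port}: {reason}")
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()  # extension list must be re-read inside TLS before AUTH
    except Exception:
        smtp.close()
        raise
    return smtp


if __name__ == "__main__":
    for label, capture in (("IPv4 via hotspot", EHLO_STRIPPED), ("IPv6 direct", EHLO_INTACT)):
        print(f"{label}: {check_submission(parse_ehlo(capture))}")
```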



Re: Transparent hijacking of SMTP submission...

2014-11-27 Thread Suresh Ramasubramanian
No. He is a Comcast customer. And some third party wifi access point
blocked his SMTP submission over TLS by setting up an ASA device to inspect
587 as well.
On Nov 28, 2014 6:16 AM, William Herrin b...@herrin.us wrote:

 On Thu, Nov 27, 2014 at 2:54 PM, joel jaeggli joe...@bogus.com wrote:
  I don't see this in my home market, but I do see it in someone else's...
  I kind of expect this for port 25 but...
 
  J@mb-aye:~$telnet 147.28.0.81 587
  Trying 147.28.0.81...
  Connected to nagasaki.bogus.com.
  Escape character is '^]'.
  220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014
  19:17:44 GMT
  ehlo bogus.com
  250-nagasaki.bogus.com Hello XXX.wa.comcast.net
  [XXX.XXX.XXX.XXX], pleased to meet you
  250 ENHANCEDSTATUSCODES
 
  J@mb-aye:~$telnet 2001:418:1::81 587
  Trying 2001:418:1::81...
  Connected to nagasaki.bogus.com.
  Escape character is '^]'.
  220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014
  19:18:33 GMT
  ehlo bogus.com
  250-nagasaki.bogus.com Hello
  [IPv6:2601:7:2380::::c1ae:7d73], pleased to meet you
  250-ENHANCEDSTATUSCODES
  250-PIPELINING
  250-8BITMIME
  250-SIZE
  250-DSN
  250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN
  250-STARTTLS
  250-DELIVERBY
  250 HELP
 
  that's essentially a downgrade attack on my ability to use encryption
  which seems to be in pretty poor taste frankly.


 Hi Joel,

 I'm not sure I follow your complaint here. Are you saying that Comcast or a
 Comcast customer in Washington state stripped the STARTTLS verb from the
 IPv4 port 587 SMTP submission connection between you and a third party?

 Thanks,
 Bill Herrin


 --
 William Herrin  her...@dirtside.com  b...@herrin.us
 Owner, Dirtside Systems . Web: http://www.dirtside.com/
 May I solve your unusual networking challenges?



Re: Transparent hijacking of SMTP submission...

2014-11-27 Thread Suresh Ramasubramanian
Oh it depends on the numbers.

Just how many legitimate SMTP submission attempts do you get from, say, an
access point at Joe's diner in nowhere, OH?

Versus just how many password cracking and malware relay attempts across
how many of your users, from an unpatched XP box the guy is using for a
billing app?

At the scale of the problem a provider with any kind of userbase faces, you
need a chainsaw, not a scalpel, given that you're out to cut a tree rather
than perform plastic surgery.
 On Nov 28, 2014 6:08 AM, Mark Andrews ma...@isc.org wrote:


 In message CAArzuouvhnHo7BbAWUwiR3=m0x2O6Qe=
 2qlcvb29i07oax-...@mail.gmail.com
 , Suresh Ramasubramanian writes:
 
  Yes. Till that hotspots IP space gets blackholed by a major freemail
  because of all the nigerians and hijacked devices emitting bot traffic
  through stolen auth credentials.

 Why would it black hole the address rather than block the
 compromised credentials?  The whole point of submission is to
 authenticate the submitter and to be able to trace spam back to the
 submitter and deal with the issue at that level of granularity.

 Blocking at that level also stops the credentials being used from
 anywhere.

 scalpel vs chainsaw.

 Just because you provide free email doesn't give you the right to
 not do the service properly.  You encouraged people to use your
 service.  You should resource it to deal with the resulting load
 and that includes dealing with spam and scans being sent with stolen
 credentials.  As a free email provider you have the plain text.

 Mark

  There's other ways to stop this but they take actual hard work and rather
  more gear than a rusted up old asa you pull out of your closet as like as
  not.
   On Nov 28, 2014 2:10 AM, Mark Andrews ma...@isc.org wrote:
 
  
   Which is why your MTA should always be setup to require the use of
   STARTTLS.  Additionally the CERT presented should also match the
   name of the server.
  
   There is absolutely no reason for a ISP / hotspot to inspect
   submission traffic.  The stopping spam argument doesn't wash with
   submission.
  
   Mark
  
   In message 54778167.7080...@bogus.com, joel jaeggli writes:
   
I don't see this in my home market, but I do see it in someone
 else's...
I kind of expect this for port 25 but...
   
J@mb-aye:~$telnet 147.28.0.81 587
Trying 147.28.0.81...
Connected to nagasaki.bogus.com.
Escape character is '^]'.
220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov
 2014
19:17:44 GMT
ehlo bogus.com
250-nagasaki.bogus.com Hello XXX.wa.comcast.net
[XXX.XXX.XXX.XXX], pleased to meet you
250 ENHANCEDSTATUSCODES
   
J@mb-aye:~$telnet 2001:418:1::81 587
Trying 2001:418:1::81...
Connected to nagasaki.bogus.com.
Escape character is '^]'.
220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov
 2014
19:18:33 GMT
ehlo bogus.com
250-nagasaki.bogus.com Hello
[IPv6:2601:7:2380::::c1ae:7d73], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN
250-STARTTLS
250-DELIVERBY
250 HELP
   
that's essentially a downgrade attack on my ability to use encryption
which seems to be in pretty poor taste frankly.
   --
   Mark Andrews, ISC
   1 Seymour St., Dundas Valley, NSW 2117, Australia
   PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
  
 

Re: Level3 rwhois broken

2014-11-20 Thread Suresh Ramasubramanian
Works for me, thanks.

I forgot exactly which IPs this was about right now though :)
On Fri, 21 Nov 2014 at 05:12 Siegel, David david.sie...@level3.com wrote:


 We decommissioned our rwhois server, but apparently we didn't get DNS
 cleaned up (which we'll do in the near future).

 The closest thing we have to that is our whois server rr.level3.net, or
 if that doesn't quite meet your needs, you can contact our security
 department at ab...@level3.net.

 Dave



 -Original Message-
 From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Jeff Walter
 Sent: Thursday, November 20, 2014 2:50 PM
 To: Suresh Ramasubramanian
 Cc: nanog@nanog.org
 Subject: Re: Level3 rwhois broken

 It's nice to see someone is using RWHOIS. Back when I wrote the RWHOIS
 daemon for HE I spoke with Mark Kosters (one of the authors of RFC 2167). I
 wish I still had the emails because at the time he was shocked anyone would
 create software for something that no one really uses. I seem to recall him
 calling it a waste of time ;-)

 That said... I'm seeing Level 3's RWHOIS down as well. And to be honest,
 they're probably not monitoring it.

 On Tue, Nov 18, 2014 at 11:53 PM, Suresh Ramasubramanian 
 ops.li...@gmail.com wrote:

  Anybody?   Makes it a pain to perform surgical spam blocking when this
  happens :)
 
  suresh@samwise 01:52:24 ~ $ telnet rwhois.level3.net 4321
  Trying 209.244.1.179...
 
  ^C
 
 
  --
  Suresh Ramasubramanian (ops.li...@gmail.com)
 



Level3 rwhois broken

2014-11-18 Thread Suresh Ramasubramanian
Anybody?   Makes it a pain to perform surgical spam blocking when this
happens :)

suresh@samwise 01:52:24 ~ $ telnet rwhois.level3.net 4321
Trying 209.244.1.179...

^C


-- 
Suresh Ramasubramanian (ops.li...@gmail.com)


Re: Inside China GFW - basic dedicated server or cloud instance

2014-11-11 Thread Suresh Ramasubramanian
The other thing is, it is pretty much useless to measure connectivity
speed, or path through the GFW, from a colo box when your users in the
mainland are using broadband or maybe dedicated leased lines.
On Nov 11, 2014 10:37 PM, Grant Ridder shortdudey...@gmail.com wrote:

 You can try AWS China, but I think you need an ICP license for that.

 -Grant

 On Tue, Nov 11, 2014 at 8:27 AM, Andrius Kasparavicius 
 andr...@andrius.org
 wrote:

  Business needs some permanent basic browser/tcp/ip view from *inside
 China
  great firewall* (Hong Kong or unfirewalled locations not good) for
  connectivity testing, troubleshooting for customers in China. Ideally
 just
  a dedicated windows box/server. Are there any simple providers with
  self-provisioning VPS or similar low cost solutions. Best to have it on
  ChinaTel network. No hosting or content would be shared from this box.
  Thanks
 



Re: Shipping bulk hardware via freight

2014-11-05 Thread Suresh Ramasubramanian
If you are planning to scrap it after retiring it from production, talk to
nsrc @ uoregon, they'll pick it up and ship it to developing countries that
could use it.
 On Nov 6, 2014 4:45 AM, Jason 8...@tacorp.us wrote:


 I'm interested in talking with someone who has experience shipping
 hardware that has been pulled from a working environment.  The assumption
 is that it would not use a normal carrier such as UPS or FedEx, but via
 private freight.

 Assuming that 20 x 1U switches and a handful of 10U chassis's were to be
 shipped, has anyone found a productive way to package them in something
 other than the boxes they come in?  Has anyone tried to crate / pallet pack
 them or something more efficient?


 If so, please contact me offline if you are willing to share your
 experience.


 Jason





