Re: Atrivo/Intercage: Now Only 1 Upstream
Looks like PIE got themselves a /22 in spamhaus - http://www.spamhaus.org/sbl/sbl.lasso?query=SBL67906

    206.223.144.0/22 is listed on the Spamhaus Block List (SBL)
    17-Sep-2008 09:57 GMT | SR04
    Pacific Internet Exchange LLC. NT Technology ; nttec.com
    http://cidr-report.org/cgi-bin/as-report?as=AS32335
    Hosted/routed Scott Richter AND Alan Ralsky - now decided to pick up Intercage/Atrivo.
    Perhaps someone does not read the news?
    http://news.google.com/news?q=intercage
    http://www.spamhaus.org/news.lasso?article=636
    We hope that's the case and this is not a knowing routing decision.

On Wed, Sep 17, 2008 at 6:31 AM, Matthew Moyle-Croft <[EMAIL PROTECTED]> wrote:
>
> On 16/09/2008, at 10:17 PM, *Hobbit* wrote:
>
>> So in cases like this where the community appears to agree that there's
>> a consistently bad apple, what's preventing everyone from simply
>> nullrouting the netblocks in question and imposing the death penalty?
>
> Dunno - but something did occur to me this morning on the drive into work:
Re: ingress SMTP
On Sat, Sep 13, 2008 at 11:38 PM, Frank Bulk <[EMAIL PROTECTED]> wrote:
> How do you alert mail server operators who are smarthosting their e-mail
> through you that their outbound messages contain spam?
>
> Frank

If those are actual mailservers smarthosting and getting MX from you then you doubtless have quite a lot of reporting already set up. Have you seen what Messagelabs, MXLogic etc do?

There's also feedback loops, ARF formatted, where users on those mailservers can report inbound spam to the filtering vendor.

.. or was that a rhetorical question and am I missing something here?

--
Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Why not go after bots? (was: ingress SMTP)
On Wed, Sep 3, 2008 at 5:12 AM, Michael Thomas <[EMAIL PROTECTED]> wrote:
> That seems to be the conventional wisdom, but the science experiment
> as it were in blocking port 25 doesn't seem to be correlated (much
> less causated) with any drop in the spam rate. Because so far as I've
> heard there isn't any such drop. Spammers and the rest are pretty
> resourceful.

Let's put it this way .. a lot of ISPs have already realized that, which is why port 25 blocking or management is the basics. They do that and have done that for years (and various providers elsewhere still proudly claim "hey, we do outbound port 25 blocking, we're great!!!").

The real action is in walled gardens to automatically detect and isolate botted hosts till they're cleaned up. Go talk to Arbor, Sandvine, Perftech etc etc.

srs
Re: ingress SMTP
You just found one? I think a few dozen over the last several years.

Surprised though, I thought this particular horse was finally dead after all the beatings it'd received.

srs

On Thu, Sep 4, 2008 at 8:13 AM, Ang Kah Yik <[EMAIL PROTECTED]> wrote:
> Hmm.. if it helps - here's a link to an archived discussion on the same
> issue earlier this year.
>
> http://www.mail-archive.com/[EMAIL PROTECTED]/msg52598.html
Re: ingress SMTP
On Wed, Sep 3, 2008 at 10:18 PM, Justin Scott <[EMAIL PROTECTED]> wrote:
>> Do you operate your mailserver on a residential cablemodem or adsl
>> rather than a business account?
>
> No, we co-lo equipment at a professional facility that our customers on any
> type of connection need to have access to send mail through, regardless of
> whether their ISP blocks the standard ports or not.

That's why you set your outbound MTA to listen - for auth'd outbound connections only - on port 587

Endless loop of dead horse beating .. ouch

srs

--
Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: ingress SMTP
On Wed, Sep 3, 2008 at 9:26 PM, Justin Scott <[EMAIL PROTECTED]> wrote:
>> What is preventing this from being an operational no-brainer,
>> including making a few exceptions for customers that prove they know
>> how to lock down their own mail infrastructure?
>
> As a small player who operates a mail server used by many local businesses,
> this becomes a support issue for admins in our position. We operate an SMTP

Do you operate your mailserver on a residential cablemodem or adsl rather than a business account?

There's this little matter of a "no servers on home connections" type AUP that most providers have ..

--srs
Re: ingress SMTP
On Wed, Sep 3, 2008 at 8:46 PM, *Hobbit* <[EMAIL PROTECTED]> wrote:
>
> What I'm trying to get a feel for is this: what proportion of edge
> customers have a genuine NEED to send direct SMTP traffic to TCP 25
> at arbitrary destinations? I'm thinking mostly of cable-modem and

Not too many - they got themselves port 587 to submit outbound mail.

Read the maawg managing port 25 document - and while you are at it read the walled garden doc too.. port 25 abuse is the least of your worries with cable/dsl cpe swamps

http://www.maawg.org/port25
http://www.maawg.org/about/whitepapers/MAAWG_Walled_Garden_BP_2007-09.pdf

--srs
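The arrangement the replies in this thread keep pointing at (the reply to Justin Scott about a colo MTA that listens on 587 for authenticated clients only, and this one about cable/DSL customers submitting on 587) looks like the following in Postfix. This is an added configuration example, not something posted in the thread; the SASL backend (Dovecot at private/auth) and the network ranges are assumed for illustration.

```conf
# --- main.cf -------------------------------------------------------------
# Port 25 is the MX listener: accept mail for domains we host and relay
# nothing for unauthenticated clients. The mynetworks range is assumed.
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# Leave SASL off on the port 25 smtpd; submission gets its own instance,
# so a residential ISP's port 25 block does not affect customers at all.
smtpd_sasl_auth_enable = no

# --- master.cf -----------------------------------------------------------
# Submission listener on 587: TLS is mandatory, SASL auth is mandatory,
# and only an authenticated client may relay to arbitrary destinations.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

The `-o` overrides apply only to the submission instance, so the port 25 instance keeps its MX-only policy; `postconf -M submission/inet` shows the effective entry after a reload. Customers' mail clients are then pointed at port 587 with authentication, which is exactly the traffic the ISP-side port 25 blocks discussed above do not touch.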
Re: GLBX De-Peers Intercage [Was: RE: Washington Post: Atrivo/Intercage, why are we peering with the American RBN?]
Eric, as you say, it is a multi part test. With fairly clear distinctions between a compromised node and one under the direct control of a criminal.

So while it is unrealistic when viewed in isolation, put together with other factors it starts to make a lot of sense.

thanks
srs

On Wed, Sep 3, 2008 at 7:59 AM, Eric Brunner-Williams <[EMAIL PROTECTED]> wrote:
> In a parallel universe we're considering profiles for "licit use" of some
> mechanism. One element of a multi-part test to distinguish "licit" from
> "illicit" was the presence or absence of known signatures for malware. After
> some thought it was understood that this test was equivalent to the node
> subject to the test being "cleaner" than the average for network attached
> consumer devices, and therefore not realistic.
Re: GLBX De-Peers Intercage [Was: RE: Washington Post: Atrivo/Intercage, why are we peering with the American RBN?]
There's this concept known as "dual criminality" in such situations, when you're looking at international prosecutions (or whatever).

So, while lèse-majesté - insult to the king - is a crime in Thailand (liable to get you lynched before you get prosecuted, at that) that doesn't mean the Thai authorities can do much about youtube videos ..

On the other hand, child pornography, malware, illegal sale of prescription narcotics etc are generally criminal acts around the world.

regards
srs

On Mon, Sep 1, 2008 at 9:03 PM, Steven M. Bellovin <[EMAIL PROTECTED]> wrote:
> I mostly agree with you -- but I get very worried about who defines
> "scum". Consider the following cases, which I will assert are not very
> far-fetched:
>
> (a) China labels Falun Gong as "scum" and demands that international
> ISPs not carry it if they want to do business in China
Re: Washington Post: Atrivo/Intercage, why are we peering with the American RBN?
On Sat, Aug 30, 2008 at 1:32 AM, Gadi Evron <[EMAIL PROTECTED]> wrote:
> 2. On a different note, why is anyone still accepting their route
> announcements? I know some among us re-route RBN traffic to protect users.
> Do you see this as a valid solution for your networks?
>
> What ASNs belong to Atrivo, anyway?

The ASNs you ask about - as per the report - are on pages 4..8 of http://hostexploit.com/downloads/Atrivo%20white%20paper%20082808ac.pdf
Re: Revealed: The Internet's well known BGP behavior
Most of the spammer acquired /16s have been

1. pre arin
2. caused by buying up assets of long defunct companies .. assets that just happen to include a /16 nobody knew about

Not exactly hijacks this lot .. just like those "barely legal" teen mags.

srs

On Thu, Aug 28, 2008 at 2:28 PM, Gadi Evron <[EMAIL PROTECTED]> wrote:
>
> People (especially spammers) have been hijacking networks for a while now,
> maybe now that we have a presentation to whore around, operators can
> pressure vendors and bosses.
>
Re: [funsec] Subject line misleading. AT&T Pwned. Sweet Irony: Metasploit Creator a Victim of His Own Creation (fwd)
I can point it to a colo'd resolver I have elsewhere - but opendns is rather more redundant. Yes I know what else it does re advertising and such, but I don't do any sensitive work related stuff through those resolvers anyway.

On Thu, Jul 31, 2008 at 9:55 AM, Skywing <[EMAIL PROTECTED]> wrote:
> If you don't mind OpenDNS proxying all your Google searches, sure. <
> http://blog.metasploit.com/2008/07/on-dns-attacks-in-wild-and-journalistic.html
> >
>
> Personally, I would never use OpenDNS. Tactics like that are not
> particularly acceptable in my book, well-meaning or not. Not, however,
> trying to start a political debate - but OpenDNS does do a bit more than just
> act as a plain DNS resolver for you, and you should make that aware to anyone
> who uses it.
>
Re: [funsec] Subject line misleading. AT&T Pwned. Sweet Irony: Metasploit Creator a Victim of His Own Creation (fwd)
On Thu, Jul 31, 2008 at 1:22 AM, Gadi Evron <[EMAIL PROTECTED]> wrote:
> I guess history decided the previous discussion in favor of vix. Although I
> doubt vix sees this compromise at ATT as a victory, but rather a loss.
>
> Note: HD has not been compromised.

Well so if any of you uses an iphone to surf the net now's the time to see if an iphone's nameservers can be changed to opendns :)
Re: Looking for Network Solutions mail admin
I hope it is not in 128.168.0.0/16?

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL51908
http://www.47-usc-230c2.org/chapter3.html

srs

On Fri, Jul 18, 2008 at 12:41 PM, randal k <[EMAIL PROTECTED]> wrote:
> NANOGers,
> We're getting the run around from Network Solutions e-mail front-end
> support personnel and only canned replies from the postmaster, with no
> escalation available because we're the sender (i.e. not paying).
>
> Basic problem is that we have a client mail gateway that is unable to
> send mail to a particular netsol-hosted domain; acts like an RBL
> issue, even though the IP is squeaky clean.
>
> Can a NetSol email admin with some clue drop me a line?
>
> Thanks in advance --
> Randal
>

--
Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Linkedin Contacts
On Thu, Jul 10, 2008 at 9:17 PM, mark seiden-via mac <[EMAIL PROTECTED]> wrote:
> it probably has something to do with the large proportion of fraudsters
> using linked in and every personals site in the world for 419 and
> other confidence schemes, don't you think?
>
> of course, this only forces the fraudsters to use proxies, aol and satellite
> providers which are more difficult to geolocate.

Well, half of West African connectivity IS satellite so you're going to see a lot of Gilat, etc satellite carriers' IP space as the source for 419 activity

Especially when it comes to a paid service like a lot of linkedin is, if firewalling off a particular section of IP space means far fewer chargebacks, well, it may not look good but it sure has a great impact on your bottom line.

--srs
Re: Sure, I'm game (was Re: a business opportunity?)
On Sun, Jul 6, 2008 at 3:25 AM, Lynda <[EMAIL PROTECTED]> wrote:
> Actually, that's not a bad idea. Of course, there's the larger problem;
> verifying that the address space previously sullied is now worthy of being
> cleaned up. In Nick Shank's case (and Bravo! to Nick), I would say that he's
> off doing the right thing. It would seem that some serious investigation
> would be necessary before acting as a third party for others in a similar
> boat, of course.

There's already a bunch of companies that have built up a business model on this.. they call it "deliverability"
Re: uceprotect.net
Do you actually have a problem beyond "ZOMG, dnsstuff.com says I am in uceprotect?". It's not a list that I personally would waste time with.

BTW, the kind of issue that often affects "cost effective" colo shops - so-called snowshoe spam - typically HAS matching forward and reverse.

srs

On Fri, Jun 27, 2008 at 7:06 PM, Drew Weaver <[EMAIL PROTECTED]> wrote:
> Hello everyone, this is possibly off-topic here, not entirely sure.
>
> I'm kind of confused about some of uceprotect's policies, they seem to
> require every IP address to have reverse DNS with matching forwards (which
> works fine for a wireless/broadband/dial-up ISP, but not so much for a
Re: Cloud service [was: RE: EC2 and GAE means end of ip addressreputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)]
On Mon, Jun 23, 2008 at 11:14 PM, Tomas L. Byrnes <[EMAIL PROTECTED]> wrote:
> Barracuda, or you could build the exact same thing using OSS.
>
> Procmail, SpamAssassin, ClamAV, and your choice of RBLs (or use
> Karmasphere to custom roll a hybrid one).

Hate to point out the obvious, but ... That isn't "network gear" as such. It is an appliance that'll require repointing of MX records

srs
Re: Cloud service [was: RE: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)]
On Mon, Jun 23, 2008 at 6:01 PM, Frank Bulk - iNAME <[EMAIL PROTECTED]> wrote:
> Is there a vendor that makes a product that performs spam/malware filtering
> literally in the network, i.e. as a service provider, can I provide spam
> filtering for the enterprises in my customer base by adding a piece of
> network gear? I'm not aware of one today except those who provide
> enterprise-oriented gateways like SonicWall.

Symantec Mail Security / Turntide
Mailchannels Traffic Control

--srs

--
Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)
On Mon, Jun 23, 2008 at 7:20 PM, Patrick Giagnocavo <[EMAIL PROTECTED]> wrote:
> What I think would/should happen is that EC2 is never assumed to be a
> legitimate source of email; and any EC2 instance that sends email will
> instead be relaying through a non-EC2 mail server.

Mail / spam seems to be the least of ec2's problems though. This thread started off with ssh port probes.

srs

--
Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)
On Mon, Jun 23, 2008 at 1:13 AM, Steve Gibbard <[EMAIL PROTECTED]> wrote:
> Likewise, anybody blocking EC2 would miss out on whatever bad stuff might be
> coming out of EC2, but would miss out on being able to access services
> hosted there as well. Would they miss it more than they'd miss their
> friends on GMail? That seems far from guaranteed.

SMTP blocks, when most of what's on EC2 doesn't actually originate email? Access to it would be over http which isn't firewalled. Or maybe ssh gets firewalled off. Death by a thousand access lists. Ouch.

This simply means there must be a lot more effort - from their upstreams, and from their peers (not in a "network sense" as much as "large network operators who are of a sufficient size to talk to amazon and ensure that they're heard") - to convince them that some filtering at their end, and implementation of abuse handling best practices, would be a good idea.

--srs
Re: Intrustion attempts from Amazon EC2 IPs
Well, there's spam originating from there, and some cracked scripts generating part of it. So ok, someone's found that it makes a handy platform for ssh port probes and such as well.

srs

"Paul Kelly :: Blacknight" <[EMAIL PROTECTED]> wrote:
> Hi there,
>
> Have any of you recently noticed a lot of ssh scanning coming from amazons EC
> "cloud" IP blocks?
>
> Today alone I've seen approx 4m attempts from EC2 IPs on just 20 nodes on our
> network.
>
> Has anyone any experience with Amazons abuse people?
>
> Thanks,
>
> Paul
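The "4m attempts from EC2 IPs on just 20 nodes" figure in this thread is the kind of number an operator gets by reducing sshd logs per source and tagging sources by origin network. The script below does that reduction; it is an added example and not code from the thread. The log lines, the EC2 prefix in `EC2_PREFIXES` and the reverse names in `STUB_PTR` are all constructed for the demonstration (a real run would load Amazon's published EC2 ranges and use `socket.gethostbyaddr`).

```python
"""Summarise sshd password-guessing by source IP and flag sources that sit
in an EC2 range or carry an EC2-style reverse name.

Added example, not from the original thread. Log lines, the EC2 prefix
and the reverse names are constructed; the real EC2 address list is
published by Amazon and would replace EC2_PREFIXES.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Optional

# OpenSSH failure line, e.g.
#   Jun 23 03:14:01 web1 sshd[4120]: Failed password for invalid user oracle from 198.51.100.17 port 51022 ssh2
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+")

# Constructed stand-in for Amazon's published EC2 ranges.
EC2_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

# Reverse-name shape seen in the thread (ec2-67-202-36-134.compute-1.amazonaws.com)
# plus the regional form ec2-a-b-c-d.<region>.compute.amazonaws.com.
EC2_PTR = re.compile(
    r"^ec2-\d+-\d+-\d+-\d+\.(?:[a-z0-9-]+\.)?compute(?:-\d+)?\.amazonaws\.com$")

# Constructed sample of one node's auth log.
SAMPLE_LOG = """\
Jun 23 03:14:01 web1 sshd[4120]: Failed password for invalid user oracle from 198.51.100.17 port 51022 ssh2
Jun 23 03:14:03 web1 sshd[4121]: Failed password for invalid user test from 198.51.100.17 port 51023 ssh2
Jun 23 03:14:05 web1 sshd[4122]: Failed password for root from 198.51.100.17 port 51024 ssh2
Jun 23 03:14:07 web1 sshd[4123]: Failed password for root from 198.51.100.17 port 51025 ssh2
Jun 23 03:15:10 web1 sshd[4130]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jun 23 03:15:11 web1 sshd[4131]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Jun 23 03:15:12 web1 sshd[4132]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Jun 23 03:16:00 web1 sshd[4140]: Failed password for deploy from 192.0.2.8 port 2222 ssh2
Jun 23 03:16:05 web1 sshd[4141]: Accepted publickey for deploy from 192.0.2.8 port 2223 ssh2
"""

# Constructed reverse-DNS answers; a real run would use socket.gethostbyaddr.
STUB_PTR = {"203.0.113.5": "ec2-203-0-113-5.compute-1.amazonaws.com"}


def parse_failures(lines: Iterable[str]) -> Dict[str, dict]:
    """Count failed password attempts and the user names tried, per source IP."""
    per_ip: Dict[str, dict] = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in lines:
        m = FAILED.search(line)
        if m:
            rec = per_ip[m["ip"]]
            rec["attempts"] += 1
            rec["users"].add(m["user"])
    return per_ip


def is_ec2(ip: str, ptr_name: Optional[str] = None) -> bool:
    """True if the address is in a known EC2 prefix or its PTR looks like EC2."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in EC2_PREFIXES):
        return True
    return ptr_name is not None and EC2_PTR.match(ptr_name) is not None


def report(lines: Iterable[str], threshold: int = 3,
           ptr: Callable[[str], Optional[str]] = lambda ip: None) -> List[dict]:
    """Sources at or above the threshold, busiest first, with an EC2 flag."""
    rows = []
    for ip, rec in parse_failures(lines).items():
        if rec["attempts"] >= threshold:
            rows.append({"ip": ip, "attempts": rec["attempts"],
                         "users": sorted(rec["users"]),
                         "ec2": is_ec2(ip, ptr(ip))})
    rows.sort(key=lambda r: -r["attempts"])
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_LOG.splitlines(), ptr=STUB_PTR.get):
        print(row)
```

The prefix check is the reliable one; the reverse-name check is there because an address may not be in whatever copy of the range list you have, and a PTR of the `ec2-a-b-c-d.compute-N.amazonaws.com` shape is what the poster above saw. Either match is what you would cite in the abuse report to Amazon, together with the per-source counts.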
Re: Latest instalment of the "hijacked /16s" story
On Wed, Jun 18, 2008 at 9:40 AM, Justin Shore <[EMAIL PROTECTED]> wrote:
> Is the whole AS (33302) rogue like the AS advertising the SF Bay Packet
> Radio block is? Looking at the WHOIS for some of the prefixes advertised by
> both ASs, I see some common company names. That would lead me to believe
> that 33302 is no better than 33211 but I can't confirm that. Any takers?

Not sure. The AS announces some more but an arin query for DATA102 simply has this /16 and a smaller netblock

That 47-usc site is not mine either .. it's by Ron Guilmette, interviewed in the Wash Post - http://blog.washingtonpost.com/securityfix/2008/04/a_case_of_network_identity_the_1.html

    [EMAIL PROTECTED] 22:17:45 <~> $ whois -h whois.arin.net Data102*

    Data102 Abuse Team (DAT13-ARIN) [EMAIL PROTECTED] +1-719-578-8842
    Data102 Network Ops (DNO44-ARIN) [EMAIL PROTECTED] +1-719-578-8842

    Data Works Inc DATA102984 (NET-63-243-82-144-1) 63.243.82.144 - 63.243.82.159
    Gold Hill Computers DATA102 (NET-128-168-0-0-1) 128.168.0.0 - 128.168.255.255
Latest instalment of the "hijacked /16s" story
Another legacy /16, after the previous one - the sf bay packet radio /16

http://www.47-usc-230c2.org/chapter3.html

This time 128.168/16 - and by the same group that seems to have acquired control of the earlier one.

--srs

--
Suresh Ramasubramanian ([EMAIL PROTECTED])
If bandwidth wasnt already cheap (!) enough ..
http://telephonyonline.com/ethernet/news/Cogent_price_cuts_06112008/

> "Cogent this morning is announcing new discounts for customers who commit to
> three-year contracts and for higher volume service provider customers. The
> new three-year price for Ethernet service is a flat $7 a megabit, a dollar
> less than the previous rate for contracts of two years or more. For service
> providers who buy Ethernet services at volumes between 100 megabits per
> second and a Gigabit, rates are as low as $6 per megabit for a three-year
> contract.
>
> Service providers who buy between one Gigabit and 10 gigabits will enjoy a
> three-year contract rate of $5 a meg, and those that consume a full 10
> gigabit port can pay as little as $4 a meg on a three-year contract."
Re: amazonaws.com?
On Thu, May 29, 2008 at 10:03 PM, Barry Shein <[EMAIL PROTECTED]> wrote:
> The most common fee is a $50 per incident charge for spam complaints
> after a stern warning or two which depends on frequency, a few per day
> is very different than one or two per month, and what to do with those
> phony AOL TOS complaints which almost always mean "I asked to be on
> this list but I forgot how to get off so maybe if I keep clicking the
> spam button..."?

You run a boutique provider of shells that - at least today - almost exclusively caters to geeks. You aren't as likely to pick up genuinely badhat spamming customers as the rest of us large ISPs are - and the large colo farms (he.net, softlayer etc) are even more vulnerable to this kind of thing.

Feedback loops (such as those AOL provide, or we provide - and we were the second ISP after AOL to offer ARF'd feedback loops) are about the best tool any ISP has available to it, to get near real time spam reports.

You're a corner case. And an opinionated corner case at that. That doesn't change just how useful FBLs are to the vast majority of consumer ISPs out there.

--srs
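Both the "ingress SMTP" reply about smarthost customers (feedback loops, ARF formatted, where users report inbound spam) and the reply above mention ARF'd feedback loops without showing what one looks like on the wire. The following is an added example, not code from either thread, that builds an ARF report (RFC 5965: a multipart/report with a human-readable part, a message/feedback-report part and the original message as message/rfc822) and parses one back into the fields an abuse desk keys on. The reporter address, the abuse mailbox, the source IP and the complained-about message are constructed sample data.

```python
"""Build and parse an ARF (RFC 5965) feedback-loop report.

Added example, not code from either thread. The reporter address, the
abuse mailbox, the source IP and the complained-about message are all
constructed sample data.
"""
from email import message_from_string
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.nonmultipart import MIMENonMultipart
from email.mime.text import MIMEText

# Constructed: the message a user hit "report spam" on.
SAMPLE_ORIGINAL = (
    "From: promo@bulk.example.com\n"
    "To: victim@example.org\n"
    "Subject: Cheap meds\n"
    "Message-ID: <20080523.1234@bulk.example.com>\n"
    "Date: Fri, 23 May 2008 10:00:00 +0000\n"
    "\n"
    "Buy now.\n"
)


def build_arf_report(original_raw: str, source_ip: str, reporter: str,
                     mail_from: str, feedback_type: str = "abuse") -> str:
    """Wrap the original message in a multipart/report; report-type=feedback-report."""
    original = message_from_string(original_raw)

    report = MIMEMultipart("report", report_type="feedback-report")
    report["From"] = reporter
    report["To"] = "abuse@bulk.example.com"          # constructed FBL recipient
    report["Subject"] = "FW: " + original.get("Subject", "")

    # Part 1: human-readable summary.
    report.attach(MIMEText(
        "This is an email abuse report for an email message received "
        "from IP %s.\n" % source_ip))

    # Part 2: machine-readable fields (RFC 5965 section 3.1) as a
    # header block inside a message/feedback-report part.
    fields = MIMENonMultipart("message", "feedback-report")
    fields.set_payload(
        "Feedback-Type: %s\n"
        "User-Agent: ExampleFBL/1.0\n"
        "Version: 1\n"
        "Original-Mail-From: %s\n"
        "Source-IP: %s\n"
        "Original-Rcpt-To: %s\n"
        "Reported-Domain: %s\n"
        % (feedback_type, mail_from, source_ip, original.get("To", ""),
           mail_from.rsplit("@", 1)[-1]))
    report.attach(fields)

    # Part 3: the original message, headers included, as message/rfc822.
    report.attach(MIMEMessage(original))
    return report.as_string()


def parse_arf_report(raw: str) -> dict:
    """Pull the fields an abuse desk keys on out of an ARF report."""
    msg = message_from_string(raw)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "feedback-report"):
        raise ValueError("not an ARF feedback report")

    fields = original = None
    for part in msg.get_payload():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            fields = part.get_payload(0)    # parsed as a nested header block
        elif ctype == "message/rfc822":
            original = part.get_payload(0)
    if fields is None or original is None:
        raise ValueError("ARF report is missing a required part")

    return {
        "feedback_type": fields["Feedback-Type"],
        "source_ip": fields["Source-IP"],
        "mail_from": fields["Original-Mail-From"],
        "original_message_id": original["Message-ID"],
        "original_subject": original["Subject"],
    }


if __name__ == "__main__":
    raw = build_arf_report(SAMPLE_ORIGINAL, "192.0.2.45",
                           "fbl@example.org", "promo@bulk.example.com")
    print(raw)
    print(parse_arf_report(raw))
```

On the receiving side, `Source-IP` plus the original `Message-ID` is usually enough to tie the complaint to a customer account and a specific send; the strict `report-type` check matters because a user-forwarded spam and an ARF report both arrive in the same mailbox and only the latter is safe to process automatically.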
Re: amazonaws.com?
On Sun, May 25, 2008 at 1:06 AM, Barry Shein <[EMAIL PROTECTED]> wrote:
> Even when someone declines a charge it doesn't mean you can't collect
> what you believe to be money legitimately owed you. You can hand it to
> a collection agency if it's worthwhile. If not (e.g., you took a card
> w/o any verification from someone in a country whose name you can't
> even pronounce) OH WELL, you're a fool, or it better be part of your
> cost of doing business.

The funny part is, the scam artists already know that "mismatch between account holder's name and cc holder's name / address / country" is one of the first and most elementary anti fraud checks.

So, if they steal a cc from Joe Sixpack of Bumfuck, Iowa, guess who signs up to Amazon AWS for 200 VMs and 20 minutes worth of service?

--srs
Re: amazonaws.com?
On Sat, May 24, 2008 at 5:29 AM, Barry Shein <[EMAIL PROTECTED]> wrote:
>
> Is it just us or does someone pWn *.amazonaws.com?
>
> ec2-67-202-36-134.compute-1.amazonaws.com
> ec2-67-202-37-35.compute-1.amazonaws.com

Why don't you just use spamhaus PBL? That'd take care of email from the EC2 cloud, dynamic IP ranges etc etc.

http://www.spamhaus.org/pbl/query/PBL181003

    Ref: PBL181003
    67.202.0.0/18 is listed on the Policy Block List (PBL)

    Outbound Email Policy of The Spamhaus Project for this IP range:

    This IP range has been identified by Spamhaus as not meeting our policy for IPs which should deliver 'direct-to-mx' mail to PBL users.
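Two replies in this archive describe checks an inbound MX applies to the connecting client without showing them: the uceprotect reply above (matching forward and reverse DNS, which snowshoe senders pass) and this one (a PBL lookup, which catches EC2 and dynamic ranges). The block below implements both as an added example; it is not code from either thread. It takes the resolver as a parameter so it runs offline against constructed answers; the addresses and hostnames in `STUB_PTR` and `STUB_A` are made up (RFC 5737 ranges) and are not real listings. The ZEN return codes are the ones Spamhaus publishes for the combined zone.

```python
"""Two inbound-SMTP client checks with an offline stub resolver:
forward-confirmed reverse DNS (FCrDNS) and a Spamhaus ZEN lookup.

Added example, not code from the original threads. Every address and
hostname in the stub data is constructed; none is a real listing.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

ZEN_ZONE = "zen.spamhaus.org"

# Return codes Spamhaus publishes for the combined ZEN zone (SBL+XBL+PBL).
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL: known spam source",
    "127.0.0.3": "SBL CSS: snowshoe / low-reputation range",
    "127.0.0.4": "XBL: compromised host",
    "127.0.0.5": "XBL: compromised host",
    "127.0.0.6": "XBL: compromised host",
    "127.0.0.7": "XBL: compromised host",
    "127.0.0.10": "PBL: end-user range (ISP-maintained)",
    "127.0.0.11": "PBL: end-user range (Spamhaus-maintained)",
}

Resolver = Callable[[str], List[str]]


def live_a(name: str) -> List[str]:
    """A records via the system resolver; [] on NXDOMAIN."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def live_ptr(ip: str) -> List[str]:
    """PTR name via the system resolver; [] if there is none."""
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except (socket.herror, socket.gaierror):
        return []


def fcrdns(ip: str, ptr: Resolver = live_ptr, a: Resolver = live_a) -> Tuple[bool, str]:
    """A PTR must exist and one of its names must resolve back to ip."""
    names = ptr(ip)
    if not names:
        return False, "no PTR record"
    for name in names:
        if ip in a(name):
            return True, name
    return False, "PTR %s does not resolve back to %s" % (names[0], ip)


def dnsbl_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Reverse the octets (nibbles for IPv6) and append the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        rev = ".".join(reversed(addr.exploded.split(".")))
    else:
        rev = ".".join(reversed(addr.exploded.replace(":", "")))
    return "%s.%s" % (rev, zone)


def zen_lookup(ip: str, a: Resolver = live_a) -> dict:
    """Query ZEN and separate 'listed', 'not listed' and 'query refused'."""
    reasons = []
    for code in a(dnsbl_name(ip)):
        if code.startswith("127.255.255."):
            # Spamhaus answers in this range when it refuses the query
            # (open resolver, query volume); that is an error, not a listing.
            return {"listed": False, "error": "query refused: " + code, "reasons": []}
        reasons.append(ZEN_CODES.get(code, "unknown code " + code))
    return {"listed": bool(reasons), "error": None, "reasons": reasons}


def assess(ip: str, ptr: Resolver = live_ptr, a: Resolver = live_a) -> dict:
    """Both checks for a client on port 25 (MX); never apply this to 587."""
    ok, detail = fcrdns(ip, ptr, a)
    result = {"ip": ip, "fcrdns": ok, "fcrdns_detail": detail}
    result.update(zen_lookup(ip, a))
    return result


# --- constructed stub DNS data so the example runs offline ----------------
STUB_PTR = {
    "198.51.100.20": ["mail20.deals-newsletter.example"],  # snowshoe-style: FCrDNS passes
    "192.0.2.45": ["45.2.0.192.dyn.isp.example"],         # residential: PTR, no match back
    "203.0.113.9": [],                                     # no PTR at all
}
STUB_A = {
    "mail20.deals-newsletter.example": ["198.51.100.20"],
    "45.2.0.192.dyn.isp.example": ["192.0.2.99"],
    dnsbl_name("198.51.100.20"): ["127.0.0.3"],           # constructed SBL CSS listing
    dnsbl_name("192.0.2.45"): ["127.0.0.11"],             # constructed PBL listing
    dnsbl_name("203.0.113.9"): ["127.255.255.254"],       # constructed refused query
}


def stub_ptr(ip: str) -> List[str]:
    return STUB_PTR.get(ip, [])


def stub_a(name: str) -> List[str]:
    return STUB_A.get(name, [])


if __name__ == "__main__":
    for client in STUB_PTR:
        print(assess(client, stub_ptr, stub_a))
```

The constructed snowshoe host passes FCrDNS and is still SBL CSS listed, which is the point of the uceprotect reply; the constructed residential host fails FCrDNS and is PBL listed, which is the point of this one. The refused-query case is separated out because treating a `127.255.255.x` answer as a listing would reject all mail the moment your resolver gets rate-limited.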
Re: [NANOG] IOS rootkits
On Mon, May 19, 2008 at 2:03 AM, Dragos Ruiu <[EMAIL PROTECTED]> wrote:
> So in my opinion the benefits of discussing serious issues at conferences
> far outweigh the potential drawbacks of misguided media coverage of them.
> What I infer from your post is that you are of the opinion that issues such

Well, there are any number of closed, no media, relevant people only conferences, or communities like nsp-sec, that come in useful

Report to CSIRT by all means but that doesn't imply "brush it under the carpet". Getting releases out and fixes (if only router management bcp like in Joel Jaeggli's post) without various people spreading FUD about it should certainly be an achievable goal?

srs

___
NANOG mailing list
NANOG@nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog
Re: [NANOG] IOS rootkits
Let's put it this way.

1. Yes there's nothing to patch, as such
2. It can be prevented by what's widely regarded as BCP on router security, and has been covered at *nog, in cisco training material, etc etc for quite some time now.

I am much less concerned about security conferences discussing this than about the (highly uninformed) publicity that accompanies these conferences.

Yes, this sounds a lot more like the bugtraq v/s full disclosure discussion than I'm comfortable with, but I still think this could have been handled a lot better.

--srs

On Sun, May 18, 2008 at 7:27 PM, Dragos Ruiu <[EMAIL PROTECTED]> wrote:
> Bullshit.
> There is nothing to patch.
> It needs to be presented at conferences, exactly because people will play
> ostrich and stick their heads in the sand and pretend it can't happen to
> them, and do nothing about it until someone shows them, "yes it can happen"
> and here is how
> Which is exactly why we've accepted this talk. We've all known this is a
> possibility for years, but I haven't seen significant motion forward on this
> until we announced this talk. So in a fashion, this has already helped make
> people more realistic about their infrastructure devices. And the
> discussions, and idea interchange that will happen between the smart folks
> at the conference will undoubtedly usher forth other related issues and
> creative solutions. Problems don't get fixed until you talk about them.
> cheers,
> --dr
Re: [NANOG] IOS rootkits
On Sat, May 17, 2008 at 12:47 PM, Matthew Moyle-Croft <[EMAIL PROTECTED]> wrote:
> If the way of running this isn't out in the wild and it's actually
> dangerous then a pox on anyone who releases it, especially to gain
> publicity at the expense of network operators' sleep and well being.
> May you never find a reliable route ever again.

This needs fixing. It doesn't need publicity at security conferences till after cisco gets presented this stuff first and asked to release an emergency patch.

--srs

--
Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: [NANOG] BCP Muni WiFI?
On Fri, May 16, 2008 at 2:51 AM, Deepak Jain <[EMAIL PROTECTED]> wrote:
>
> Are there any good (published) BCPs for building out Municipal WiFi
> networks? Particularly in the security/authentication/scaling areas?
>

Ask Earthlink, they just announced pulling out of Philly .. and I guess they had a working deployment going by the time they pulled out (and the reasons for that pullout would do for a great white paper all by themselves, I expect...)

--
Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: [NANOG] Linkedin
On Wed, May 14, 2008 at 11:23 AM, Felix Bako <[EMAIL PROTECTED]> wrote:
> Hi Guyz, anyone from linkedin please contact me off list as we have not
> been able to open the website www.linkedin.com for sometime now!!

Hi, have you tried to curb 419 spam sent over http/https from your IP space (through linkedin among other services)? Perhaps that would go quite far towards reducing the occurrence of such blocks.
Re: [NANOG] fair warning: less than 1000 days left to IPv4 exhaustion
Let's think smaller. /16 shall we say?

Like the /16 here. Originally the SRI / ARPANET SF Bay Packet Radio network that started back in 1977. Now controlled by a shell company belonging to a shell company belonging to a "high volume email deployer" :)

http://blog.washingtonpost.com/securityfix/2008/04/a_case_of_network_identity_the_1.html

srs

On Sun, May 4, 2008 at 9:07 AM, Joel Jaeggli <[EMAIL PROTECTED]> wrote:
> William Warren wrote:
> > That also doesn't take into account how many /8's are being hoarded by
> > organizations that don't need even 25% of that space.
>
> which one's would those be?
>
> legacy class A address space just isn't that big...
MAAWG BCP on something very similar Re: Interpersonal skills needed for Network Engineers
On Feb 17, 2008 12:17 PM, Henry Linneweh <[EMAIL PROTECTED]> wrote:
>
> Funny that this issue came up, I recently took a class in Interpersonal
> Communications,
> which are essential in the "New Workforce", I highly recommend such classes

MAAWG came out with a doc on bcp for managing an abuse desk .. talks a lot of hard / tech skills specific to abuse desking (or hell, to NOC, tech support etc), and also soft skills (motivation, career path etc)

Might prove an interesting read:

http://www.maawg.org/about/publishedDocuments/Abuse_Desk_Common_Practices.pdf

srs
Re: Stupid Question: Network Abuse RFC?
On Jan 14, 2008 12:39 AM, Sean Donelan <[EMAIL PROTECTED]> wrote:
> Although you need some overlap, I think you get much better "buy-in"
> when people from the same industry are developing their operational
> standards.

Well, MAAWG does that, and has produced a lot of good work in the past. Has the same ISPs that come to NANOG, NSPSEC etc too, and in some cases the same people.

So is that a call for *NOGs to come out with operational BCPs (no, not "standards")?

--srs
Re: Stupid Question: Network Abuse RFC?
On Jan 13, 2008 12:05 PM, Sean Donelan <[EMAIL PROTECTED]> wrote:
> The great thing about standards is there are so many to choose from.
> There is also ARF: Abuse Feedback Reporting Format from the Mutual
> Internet Practices Association.
> Messaging Anti-Abuse Working Group has multiple documents.

ARF is the de facto standard, widely deployed, for ISP spam reporting feedback loops

As for INCH, standards track or not, as much as I keep asking about, I can find very few instances of CERTs actually using the damned thing. And quite a few feeds don't appear to provide "take" in INCH format.

> And then there are various one-shot things produced by many groups such as
> the OECD, ASTA, FTC, NASD, etc.

The only relevant one I remember that the OECD did, in the context of their spam toolkit, was an earlier version of the MAAWG sender best practices documents, developed by MAAWG jointly with OECD's business constituency BIAC. Newer versions of the sender bcp (which is bcp for legit bulk mailers) have since been published on the MAAWG website.

The ASTA docs became the MAAWG best practices, more or less .. pretty much the same crowd behind both (large ISPs + email providers).

And most of that lot is not reporting standards or formats, it is best practices for abuse handling / legit email marketing etc.

--srs

--
Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Q: What do ISPs really think about security issues?
On Jan 12, 2008 3:49 PM, Sean Donelan <[EMAIL PROTECTED]> wrote:
> We could just meet at the Universal Postal Union meeting, and get rid
> of all those extra organizations like the ITU, IETF, NANOG, etc :-)

The fun part is, they do take a lot of interest in this too .. the US postal service, the various European Lapostes etc - anybody who operates a postal bank + wire transfer system and gets to face phishers, malware and such just like regular banks do.

That wasn't an argument for consolidation .. more like "cooperation". And the sort of cooperation that isn't aimed at making headlines and scoring points .. stuff like (for example) surveys of the top 10 best and worst registrars (which don't name the very worst, and include some very good registrars among the worst, but that's another story altogether..).

> Having both shared and separate meetings and communications is important.
>
> We can all learn a lot from sharing. But it's also important for
> organizations and people to be able to communicate just with similar

We're on the same page there, Sean.

srs
Re: Q: What do ISPs really think about security issues?
On Jan 11, 2008 8:01 PM, Gadi Evron <[EMAIL PROTECTED]> wrote:
> Naturally, diversity is not *always* good, which is the second amendment
> to the thinking process.

Yes, diversity is actually a good idea when everybody concerned is aware of what the others are doing, and at least coordinate to some extent if they are in the same space. You aren't going to achieve some monolithic conference that will become the go-to place for everything in this field, for sure.

> It is not about an holier than thou attitude, it's about understanding
> that the Internet is truly the only functioning anarchy, and that "doing"

Perhaps I ought to explain. That remark was about at least some people / groups who routinely send takedown notices. Arrogance coupled with a sad lack of clue at one end (lots of tier 1 techs, often outsourced to some place with far more customer support clue than actual abuse desk clue, employed to send alerts, without the least idea of how to send these)

1. One particular vendor that saw a nigerian create a free email account [EMAIL PROTECTED] of our domains], and went after our registrar trying to get the domain itself canceled. Some fun ensued when I emailed all that to the VP of their parent company (for whom takedown services appears to be a sideline, at best). That lot has behaved themselves for a while I must say

2. Another vendor who, after being given clear escalation paths, first kept cc'ing our upstream abuse desk, and every role account OTHER than abuse at our domain. When they finally get enough clue hammered into them to cc our abuse desk, they escalate to my work address within two hours of that, demanding it be taken down. Our abuse desk would handle tix within a business day, or even earlier. And email about phish takes priority right after (say) LE requests that find their way there (instead of the special POC we already have given most LE agencies). So, escalating a manual complaint after two hours is a bit thick, I'd say.

Anyway, that particular vendor got told to take a hike, told that we wouldn't accept any further reports from them (and that our automated scripts kill about 20 for every one that they report anyway), and that we'd contact the one client they seem to send these alerts for directly and set up something more automated, where they could send us a list (in a standard format, and verified at their end) and we'd take it down automatically. Of course with manual review later.

Neither of those two takedown services (especially not the one in #2) is going to get anything like this offered to them. Not until they actually learn to play nice with other ISPs. Which comes right back to Sean's remark that I replied to.

Sorry for the long emails, but I do wish more takedown services (and more abuse / security desks) would read the MAAWG abuse desk best practice document ..

http://www.maawg.org/about/publishedDocuments/Abuse_Desk_Common_Practices.pdf

--srs

--
Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Q: What do ISPs really think about security issues?
On Jan 11, 2008 10:02 AM, Sean Donelan <[EMAIL PROTECTED]> wrote:
> That's why I suggested to Rob and other folks the importance of listening
> to what they tell you how to work their particular processes. Every large
> organization has them, although often the real processes are unwritten.
> Once you understand how the organization works, it's much easier to figure
> out how to make it work for you.

All of it translates to

1. X more mailing lists to sign up to (lots and lots more email, great)
2. X more conferences to attend (more miles, yay, that's plat for this year taken care of)
3. A sizeable amount of reinvention of the wheel too

Fun, isn't it?

Listening is, of course, important. As is coming in with an open mind and without a holier than thou attitude .. especially if the attitude is combined with the sort of "URGENT!! TAKE THIS PHISHER DOWN NOW!!" abrasiveness nobody else really appreciates.

That, by the way, is why I'm glad to see more and more organizations holding collocated / joint meetings .. across, to use some igov jargon (and for want of a better word) "stakeholder communities" .. banks talking to ISPs talking to LE / regulators talking to independent researchers etc.

--srs
Re: Q: What do ISPs really think about security issues?
On Jan 11, 2008 1:17 AM, Rob Thomas <[EMAIL PROTECTED]> wrote:
> I'll second this point. We've had great luck working with providers
> globally, but only after folks (such as Sean) took us under their
> wing and mentored us on the processes and setups that best help
> ISPs. That alone would make a great *NOG presentation.

Setups that best help *ISPs*?

The fun part is that there's this fundamental disconnect even within ISPs .. their CERT guys or security guys go talk to each other, their abuse desks go talk to each other, their packet pushers go talk to each other .. at nspsec/gadicon/whatever, at MAAWG, at *NOG .. There's little or no cross pollination between these groups, if at all.

It is this kind of gap that needs to be bridged, just as much as the gaps between ISPs and LE, ISPs and the anti phishing community (banks etc, + the takedown vendor crowd), ISPs and the security community etc etc need bridging.

Leads to the kind of fun situation where a guy who does CERT/security stuff for a very large ISP was up in front of a mostly abuse desk audience, describing the Hotlan trojan (which compromises PCs to script account creation and spamming through various webmail sites). He's like "they were hitting us, Y, Z pity I didn't know who to contact at Y or Z at all"

That, when people from the Y and Z abuse teams (Z being us in this story), were in the same room as the abuse team from X (which the guy works for). And where the X, Y and Z abuse desks know each other very well, are in constant touch over email / IM / face to face at various conferences etc.

Talk about fundamental disconnects .. not that I know the packet pushers from X and Y at all (the one packet pusher I knew from X recently got assimilated by G, so that puts paid to that ..)

--srs

disclaimer: Names replaced by X, Y and Z solely to render this little story fit for public consumption .. it took place at a nominally closed meeting.
It won't take you too long to arrive at reasonably plausible guesses for X, Y and Z, so I will leave you to the guessing. No points for the right answer, no comment either .. what I'm pointing out is general enough that it could be any X, Y and Z companies,
Re: Comcast.net Email Admin
On Nov 30, 2007 3:59 AM, Stasiniewicz, Adam <[EMAIL PROTECTED]> wrote:
>
> Can a Comcast.net email admin please contact me? One of your non-outermost
> email servers is running an SPF/SenderID filter (so all messages from
> domains with -all SPF/SenderID records are getting rejected, regardless of
> sending server).
>

Well, silly of them to [1] run an spf/sender id filter and [2] to run it on an internal mailhost

Equally silly of you to publish spf records in this day and age though. Get rid of the record and that solves your issue rather neatly.

srs

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])
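Why an SPF check on a non-outermost mailhost rejects every "-all" domain, as an added example that is not from the thread: a toy SPF evaluator (ip4 mechanisms plus the "all" qualifier only) run over constructed records and addresses, once with the IP the border MX sees and once with the IP an internal host behind that border relay sees.

```python
import ipaddress

# Constructed SPF records for two hypothetical domains (not real DNS data).
SPF_RECORDS = {
    "strict.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "soft.example":   "v=spf1 ip4:198.51.100.0/24 ~all",
}

def spf_check(domain: str, client_ip: str) -> str:
    """Evaluate a tiny subset of SPF: ip4 mechanisms and the 'all' qualifier.

    Returns one of: pass, fail, softfail, neutral, none.
    """
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term == "all":
            matched = True
        else:
            continue                          # mechanisms this toy does not implement
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"

# Constructed topology (hypothetical addresses): the sender's authorised MTA,
# and the receiving site's border relay that forwards mail to an internal host.
SENDER_MTA   = "198.51.100.25"   # inside strict.example's ip4 range
BORDER_RELAY = "203.0.113.10"    # the receiving site's own outermost MX

def check_at_border(domain):
    # The border MX sees the sender's real connecting IP.
    return spf_check(domain, SENDER_MTA)

def check_at_internal_host(domain):
    # An internal host only ever sees its own border relay as the client IP,
    # so every external sender looks as if it came from BORDER_RELAY.
    return spf_check(domain, BORDER_RELAY)

if __name__ == "__main__":
    for d in SPF_RECORDS:
        print(d, "border:", check_at_border(d), "internal:", check_at_internal_host(d))
```

The "-all" domain passes at the border and fails at the internal host, which is exactly the symptom reported above; a "~all" domain only softfails, so the filter placement, not the sender, is the defect.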
Re: Misguided SPAM Filtering techniques
On 10/24/07, William Herrin <[EMAIL PROTECTED]> wrote:
> You must have been irked by the airport wireless in ABQ then. I
> couldn't figure out why my ssh connection was failing until I checked
> the DNS and realized that even after clicking "free access" button in a
> web browser they returned 192.168.1.1 for almost every name requested.
> :(

I will trade your ABQ wireless for almost anything that uses Nomadix's hotspot product .. the one that has a login page on http://1.1.1.1 - even more broken dns jail, returns 0.0.0.0 if I remember correctly for random queries till their upstream dns resolver actually decides to go update its cache. Probably because I have a v6 aware resolver + some of the hosts I accessed were dual v4/v6 or something, not sure.

I got a really well filled /etc/hosts file for trips through paris airport (where the paris airport hilton charges 25 EUR a day for wifi, and it is 9 EUR an hour at the airport, ugh)

srs
Re: Misguided SPAM Filtering techniques
On 10/22/07, William Herrin <[EMAIL PROTECTED]> wrote:
> Do you publish SPF records so that remote sites can detect forgeries
> claiming to be from your domain?

In other words "Do you play russian roulette with your email"?

John Levine's got something really good on this at http://www.circleid.com/posts/spf_loses_mindshare/

-srs
Re: Myanmar Internet turned off
On 10/4/07, Marshall Eubanks <[EMAIL PROTECTED]> wrote:
> Given the 6 hour sampling, I have to assume that there have been
> other short term re-appearances of routes to Burma.
> Whether this is due to internal struggles, accidents, or urgent needs
> for data transfer I cannot say.

I believe the NYT said something about embassies, international organizations and such being allowed to retain their dedicated satellite connectivity?
Re: Yahoo! Mail/Sys Admin
On 9/24/07, Raymond L. Corbin <[EMAIL PROTECTED]> wrote:
> Can a Yahoo! Mail/SysAdmin contact me off list? I am having a problem
> with multiple mail servers within our network not being able to send to
> Yahoo mail servers.

http://help.yahoo.com/l/us/yahoo/mail/yahoomail/postmaster/

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: An IPv6 address for new cars in 3 years?
On 6/29/07, Rich Emmings <[EMAIL PROTECTED]> wrote:
> Topicality: Looks like someone, somewhere intends to be live with IPv6 in 3-5 years.
> Off Topic: The privacy and security ramifications boggle the mind

Fully mobile, high speed botnets?

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Quarantining infected hosts (Was: FBI tells the public to call their ISP for help)
On 6/19/07, Leigh Porter <[EMAIL PROTECTED]> wrote:
> Agreed, SMTP is not really a special vector, other than its obvious
> commercial spam use. So just block all the usual virus vector ports, block
> 25 and force people to use your own SMTP servers and the problem (this
> particular one) goes away..

No. The part of it you target (outbound spam) merely relocates itself, and your smtp servers become huge spam sinks. Filter all you want and you'll still leak spam unless you take those hosts down

And in the meantime those hosts will also be launching dos attacks, hosting "fast flux" pills / warez / kiddy pr0n sites, carrying out id / card theft .. best to isolate and take them down. You can port block at your edge till you burst and you'll still be in a lot of hot water.

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Quarantining infected hosts (Was: FBI tells the public to call their ISP for help)
On 6/19/07, Per Heldal <[EMAIL PROTECTED]> wrote:
> Before you make it a technical or HR issue you first have to either find a
> way to make aggressive ISP policies profitable or introduce
> .gov-regulations that say you either operate according to some standard or
> not at all.

Well - you have to have your management behind you on this one - it involves monitoring and a change or two all across your network, not just at the edge, or the core. Plus changes to support and other.

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Quarantining infected hosts (Was: FBI tells the public to call their ISP for help)
On 6/18/07, Jack Bates <[EMAIL PROTECTED]> wrote:
> Joe also pointed out the biggest problem with blocking port 25; it pushes
> the abuse towards the smarthosts. This creates a lot of issues. Smarthosts
> have to

So .. great. You have a huge spam problem that flew under your radar as it was spread across multiple /24s or far larger netblocks, now concentrated within far fewer servers that are part of the same cluster. That kind of makes your job a bit easier then .. half full glass v/s half empty glass, and all that.

I'd rather monitor and filter traffic patterns on port 25 (and the various other ports that are also often spewing other things) than block it. It's not unusual to see tcp/25 spewing at the same time as udp/135 and tcp/445 or even tcp/1025.

> [...]

Which is what a lot of the kit Sean posted about does ..

srs

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])
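An added illustration, not part of the thread, of the "monitor traffic patterns rather than block" approach described above: constructed flow records are scored per source on tcp/25 destination fan-out together with activity on the udp/135, tcp/445 and tcp/1025 ports the message mentions, which separates a botted PC from a customer's legitimate mail server. Addresses, thresholds and the flow format are all hypothetical.

```python
from collections import defaultdict

# Ports the message names as spewing together on infected hosts.
SMTP_PORT = ("tcp", 25)
WORM_PORTS = {("udp", 135), ("tcp", 445), ("tcp", 1025)}

def make_flows():
    """Constructed flow records (src, proto, dport, dst); not real traffic."""
    flows = []
    # 10.0.0.5: botted PC, fans out SMTP to 40 MXes and probes 445/135 on 30 hosts
    flows += [("10.0.0.5", "tcp", 25, f"198.51.100.{i}") for i in range(1, 41)]
    flows += [("10.0.0.5", "tcp", 445, f"10.0.1.{i}") for i in range(1, 21)]
    flows += [("10.0.0.5", "udp", 135, f"10.0.1.{i}") for i in range(21, 31)]
    # 10.0.0.9: customer's real mail server, lots of SMTP, no scanning
    flows += [("10.0.0.9", "tcp", 25, f"203.0.113.{i}") for i in range(1, 61)]
    # 10.0.0.7: ordinary desktop that only talks to its ISP smarthost
    flows += [("10.0.0.7", "tcp", 25, "192.0.2.25")] * 5
    flows += [("10.0.0.7", "tcp", 443, "192.0.2.80")] * 3
    return flows

def classify(flows, smtp_fanout=20, scan_fanout=10):
    """Return {src: verdict} from distinct-destination counts per (proto, port).

    'bot'         : high SMTP fan-out plus worm-port scanning -> isolate
    'mail-server' : high SMTP fan-out only -> review, probably legitimate
    'ok'          : nothing notable
    """
    dests = defaultdict(lambda: defaultdict(set))
    for src, proto, dport, dst in flows:
        dests[src][(proto, dport)].add(dst)
    verdicts = {}
    for src, per_port in dests.items():
        smtp = len(per_port.get(SMTP_PORT, ()))
        scan = sum(len(per_port.get(p, ())) for p in WORM_PORTS)
        if smtp >= smtp_fanout and scan >= scan_fanout:
            verdicts[src] = "bot"
        elif smtp >= smtp_fanout:
            verdicts[src] = "mail-server"
        else:
            verdicts[src] = "ok"
    return verdicts

if __name__ == "__main__":
    for src, verdict in sorted(classify(make_flows()).items()):
        print(src, verdict)
```

Counting distinct destinations rather than packets is what keeps the mail server out of the "bot" bucket: it sends plenty of SMTP but never touches the worm ports.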
Re: Quarantining infected hosts (Was: FBI tells the public to call their ISP for help)
On 6/18/07, Sean Donelan <[EMAIL PROTECTED]> wrote:
> Automation is a non-starter unless you have people to deal with the
> exceptions. If you don't deal with exceptions, eventually problems with
> any automated system will overwhelm you. You can only hide behind IVR
> recordings "Your call is very important to us" for so long.

You're preaching to the choir there. That still doesn't underrate the importance of automating this. Throwing people at it simply doesn't scale.

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Quarantining infected hosts (Was: FBI tells the public to call their ISP for help)
On 6/18/07, Sean Donelan <[EMAIL PROTECTED]> wrote:
> The great thing about opinions is everyone has one. See also
> http://www.maawg.org/port25

MAAWG's port 25 management document is kind of based on consensus. Joe is a senior tech advisor at MAAWG, contributed substantially to that document .. and those two presentations were made at a maawg (san diego in 2005 if I remember right) so ..

> The best answer is probably paying for a strong ISP abuse team. But for
> whatever reasons, some ISPs prefer to invest in other areas.

Bah. Not to underrate having a strong and clued abuse team. However, throwing more people at this is a non starter. You need to automate.

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Quarantining infected hosts (Was: FBI tells the public to call their ISP for help)
On 6/18/07, Jeroen Massar <[EMAIL PROTECTED]> wrote:
> Of course, though 25 is (afaik ;) the most abused one that will annoy a
> lot of other folks with spam, phishings and virus distribution, though the
> latter seems to have come to a near halt from what I see.

Read these and weep, then -

http://darkwing.uoregon.edu/~joe/port25.pdf
http://darkwing.uoregon.edu/~joe/zombies.pdf

As Joe says (and I agree), trying to fix infected hosts on your network by blocking port 25 is like treating lung cancer with cough syrup.

srs

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Quarantining infected hosts (Was: FBI tells the public to call their ISP for help)
On 6/17/07, Jeroen Massar <[EMAIL PROTECTED]> wrote:
> IMHO ISPs should per default simply feed port 25 outbound through their
> own SMTP relays. BUT always have a very easy way (eg a Control Panel
> behind a user/pass on a website) to disable this kind of filtering. This

Y'know, port 25 is just the tip of the iceberg when it comes to what all an infected host can do .. which is why quite a lot of ISPs (Bell Canada is particularly good at it, as are some others) are getting good at deploying "Walled Gardens" - vlan the infected host into its own little sandbox from where it can access only windows update, AV update sites and the ISP's support pages, nothing else, on any port. The user has to fix (disinfect, reimage, whatever) his host before he contacts the ISP support desk and gets let back onto their network.

--srs
Re: Port 1080 probes from AOL
On 5/31/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> One of my virtual web host servers has been getting multiple probes to TCP
> port 1080 (socks) every day for months from AOL IP addresses. Is AOL known
> to be doing something relatively innocuous on that port? I ask because I
> have portsentry null routing IP addresses that make probes like this.

If they're [SOME HEX].ipt.aol.com rDNS'd IPs - those are AOL dialups, so probably compromised / virus infected nodes
Re: ISP CALEA compliance
On 5/24/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> The ITU itself is likely irrelevant. However, those who run ISPs across
> either the left or right puddle are likely to be hit with CALEA-like
> issues within the next few years, when their countries adopt similar laws.
> And those who think the EU's stand on privacy of data will prevent a CALEA
> should consider the sorts of data-retention proposals that are getting
> floated over there.

Fully agree. But there's a bit more "system" about what's going on in the EU, and stronger privacy safeguards. The Council of Europe convention on cybercrime should be a good starting point, as should at least some of the presos here:

http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/agenda.phtml

Look at Session 5, and the special post lunch session the council of europe organized

The meeting was audiocast as well so if you don't mind running realplayer you should be able to listen to the panels as well

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: ISP CALEA compliance
On 5/24/07, Owen DeLong <[EMAIL PROTECTED]> wrote:
> The more I think about this, the more I think a refereed
> boxing^h^h^h^h^h^hpanel discussion between representatives from DHS, FBI,
> EFF, FCC, Verisign, Neustar, and ITU might be a good approach to this.

Humor me.. but just where does ITU come into this whole mess?

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])