RE: Rulesemporium

2007-07-13 Thread Simon Standley
Like a lot of other folks, I've not been able to get through to RulesEmporium 
for a while now.

Personally - I run RDJ by hand, once or twice a week (depending upon amount of 
spam getting through), and find that usually does the trick ... but not any 
more. Even this limited amount of activity is either triggering Anti-DDOS stuff 
(if it's there), or is falling victim to DDOS in progress.

Just wondering if the RulesEmporium admins had any kind of 'official' 
advice/workaround that they preferred we use until a more permanent DDOS 
solution was found?

Thanks

Si.


Re: Rulesemporium

2007-07-13 Thread Christopher X. Candreva
On Thu, 12 Jul 2007, Kelson wrote:

 I don't think the typical SA ruleset is big enough to take advantage of
 BitTorrent.  Too much overhead.  For comparison, Firefox updates are typically
 several hundred kilobytes (on Windows & Linux, anyway), and they've looked
 into torrents and concluded they wouldn't gain anything by using them.

However, what you might gain is the redundancy if (in fantasy world) every 
user was also serving them out via bittorrent.

I was just mulling over in my head a hypothetical BittorrentMirror client.
The idea being to mirror a group of files (rulesemporium rules, the whole 
site, etc).

You start as a standard torrent, retrieve all files, and stay on the torrent 
providing bandwidth.

When an update is available a new torrent is made. Clients can either check 
periodically for new versions of the torrent (DNS TXT record as clam uses) or 
just watch for the old tracker shutting down. At that point they grab the 
new torrent file, disconnect from the old and reconnect to the new.

As long as the actual directory the torrent's files are in doesn't change, 
it should only start transferring changed files -- and only the parts that 
changed, effectively using the torrent chunk checksums for rsync 
purposes.

Once the torrent is back up to date, you need a signal to trigger that these 
rules should also be made 'live' (used by SpamAssassin). The only other 
'addition' to standard bittorrent clients would be a way to remove files no 
longer in the mirror, if wanted. Other than these two things you could 
probably do this with standard clients and some scripting.

And someone to make the torrents.


==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 948-3162
WestNet Internet Services of Westchester
http://www.westnet.com/
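
How far "only the parts that changed" goes when fixed-size piece hashes stand in for rsync, as an added example that is not part of the original post. It compares the BitTorrent v1 multi-file layout (files concatenated, then cut into pieces) with an assumed per-file-aligned variant; the file names, rule text and tiny piece size are constructed.

```python
import hashlib

PIECE_LEN = 32  # bytes; real torrents use far larger pieces, small here so the sample spans several


def piece_table(files, per_file=False):
    """Map (file, piece index) -> SHA-1 digest for a {name: bytes} mirror.

    per_file=False: BitTorrent v1 multi-file layout, where the files are
    concatenated in list order (sorted names here) and cut into pieces.
    per_file=True: assumed variant in which every file starts a new piece.
    """
    if per_file:
        streams = {name: files[name] for name in sorted(files)}
    else:
        streams = {"": b"".join(files[name] for name in sorted(files))}
    table = {}
    for name, data in streams.items():
        for off in range(0, len(data), PIECE_LEN):
            piece = data[off:off + PIECE_LEN]
            table[(name, off // PIECE_LEN)] = hashlib.sha1(piece).hexdigest()
    return table


def stale_pieces(old, new, per_file=False):
    """Pieces of the new mirror that the old on-disk copy cannot satisfy."""
    have = piece_table(old, per_file)
    want = piece_table(new, per_file)
    return sorted(key for key, digest in want.items() if have.get(key) != digest)


def obsolete_files(old, new):
    """Files to delete locally because the new torrent no longer lists them."""
    return sorted(set(old) - set(new))


def rules(tag, count=4):
    """Constructed rule file: `count` lines of exactly 16 bytes each."""
    return "".join(f"score R{tag}{i:03d} 0.1\n" for i in range(count)).encode()


# Constructed sample mirror: three 64-byte files, i.e. six 32-byte pieces.
OLD = {"a.cf": rules("A"), "b.cf": rules("B"), "c.cf": rules("C")}
# Same-length edit: one score changed in place in the first file.
EDITED = dict(OLD, **{"a.cf": OLD["a.cf"].replace(b"RA000 0.1", b"RA000 0.9")})
# Two bytes inserted at the top of the first file; everything after it shifts.
GROWN = dict(OLD, **{"a.cf": b"#\n" + OLD["a.cf"]})
# One file dropped from the mirror.
PRUNED = {name: data for name, data in OLD.items() if name != "c.cf"}

if __name__ == "__main__":
    print("in-place edit, v1 layout :", len(stale_pieces(OLD, EDITED)), "piece(s)")
    print("insertion, v1 layout     :", len(stale_pieces(OLD, GROWN)), "piece(s)")
    print("insertion, per-file      :", len(stale_pieces(OLD, GROWN, per_file=True)), "piece(s)")
    print("files to remove          :", obsolete_files(OLD, PRUNED))
```

An in-place edit costs one piece, but an insertion near the start of the concatenated stream invalidates every piece after it, because fixed piece boundaries have no rolling checksum to resynchronise the way rsync does.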


Re: Rulesemporium

2007-07-13 Thread John D. Hardin
On Fri, 13 Jul 2007, Christopher X. Candreva wrote:

 On Thu, 12 Jul 2007, Kelson wrote:
 
  I don't think the typical SA ruleset is big enough to take advantage of
  BitTorrent.
 
 However, what you might gain is the redundancy if (in fantasy
 world) every user was also serving them out via bittorrent.
 
 I was just mulling over in my head a hypothetical
 BittorrentMirror client. The idea being to mirror a group of
 files (rulesemporium rules, the whole site, etc).

I'll bring this up again: coral.

Is there some reason pointing everyone at the coral cache of the 
website won't work? Granted, coral is also intended for large files, 
but it is distributed and is almost transparent...

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Liberals love sex ed because it teaches kids to be safe around their
  sex organs. Conservatives love gun education because it teaches kids
  to be safe around guns. However, both believe that the other's
  education goals lead to dangers too terrible to contemplate.
---
 11 days until The 38th anniversary of Apollo 11 landing on the Moon



Re: Rulesemporium

2007-07-13 Thread Christopher X. Candreva
On Fri, 13 Jul 2007, John D. Hardin wrote:

 
 Is there some reason pointing everyone at the coral cache of the 
 website won't work? Granted, coral is also intended for large files, 
 but it is distributed and is almost transparent...

Well right now, www.rulesemporium.com came up in a few seconds directly, and 
took over a minute via the Coral Cache.

So I would answer because it doesn't help, and slows things down in fact.

==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 948-3162
WestNet Internet Services of Westchester
http://www.westnet.com/


Re: Rulesemporium

2007-07-13 Thread Ken A

John D. Hardin wrote:

On Fri, 13 Jul 2007, Christopher X. Candreva wrote:


On Thu, 12 Jul 2007, Kelson wrote:


I don't think the typical SA ruleset is big enough to take advantage of
BitTorrent.

However, what you might gain is the redundancy if (in fantasy
world) every user was also serving them out via bittorrent.

I was just mulling over in my head a hypothetical
BittorrentMirror client. The idea being to mirror a group of
files (rulesemporium rules, the whole site, etc).


I'll bring this up again: coral.

Is there some reason pointing everyone at the coral cache of the 
website won't work? Granted, coral is also intended for large files, 
but it is distributed and is almost transparent...




interesting. the coral wiki seems to be full of porno links.. seems that 
they could use some uribl assistance. :-(




--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Liberals love sex ed because it teaches kids to be safe around their
  sex organs. Conservatives love gun education because it teaches kids
  to be safe around guns. However, both believe that the other's
  education goals lead to dangers too terrible to contemplate.
---
 11 days until The 38th anniversary of Apollo 11 landing on the Moon




--
Ken Anderson
Pacific.Net


Re: Rulesemporium

2007-07-13 Thread John D. Hardin
On Fri, 13 Jul 2007, Christopher X. Candreva wrote:

 On Fri, 13 Jul 2007, John D. Hardin wrote:
 
  Is there some reason pointing everyone at the coral cache of the 
  website won't work? Granted, coral is also intended for large files, 
  but it is distributed and is almost transparent...
 
 Well right now, www.rulesemporium.com came up in a few seconds
 directly, and took over a minute via the Coral Cache.
 
 So I would answer because it doesn't help, and slows things down
 in fact.

The initial retrieval of the cached pages *does* require a regular 
connection to the primary website, so the coral network would be just 
as impacted by a DDoS as regular users are. However, once it has its 
copy response should be quite fast. I just tried it and it took just a 
few seconds, whereas I haven't been able to get directly to the 
primary website at all for a week or more.

  http://www.rulseemporium.com.nyud.net:8080/

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Liberals love sex ed because it teaches kids to be safe around their
  sex organs. Conservatives love gun education because it teaches kids
  to be safe around guns. However, both believe that the other's
  education goals lead to dangers too terrible to contemplate.
---
 11 days until The 38th anniversary of Apollo 11 landing on the Moon



Re: Rulesemporium

2007-07-13 Thread John D. Hardin
On Fri, 13 Jul 2007, John D. Hardin wrote:

   http://www.rulseemporium.com.nyud.net:8080/

crap. That should of course be:

   http://www.rulesemporium.com.nyud.net:8080/

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Liberals love sex ed because it teaches kids to be safe around their
  sex organs. Conservatives love gun education because it teaches kids
  to be safe around guns. However, both believe that the other's
  education goals lead to dangers too terrible to contemplate.
---
 11 days until The 38th anniversary of Apollo 11 landing on the Moon



Re: Rulesemporium

2007-07-13 Thread Jim Maul

Theo Van Dinter wrote:

On Fri, Jul 13, 2007 at 10:03:07AM -0700, John D. Hardin wrote:

I'll bring this up again: coral.

Is there some reason pointing everyone at the coral cache of the 
website won't work? Granted, coral is also intended for large files, 
but it is distributed and is almost transparent...


Because coral sucks?

We tried it for sa-update, and kept finding that we'd get timeouts,
or corrupted files, or ...  We ended up dropping it in favor of more
traditional mirrors.



There is also the (small) issue of some sites not having web access to 
ports other than 80 or 443.  For some, :8080 is a no go


-Jim


Re: Rulesemporium

2007-07-13 Thread Theo Van Dinter
On Fri, Jul 13, 2007 at 10:03:07AM -0700, John D. Hardin wrote:
 I'll bring this up again: coral.
 
 Is there some reason pointing everyone at the coral cache of the 
 website won't work? Granted, coral is also intended for large files, 
 but it is distributed and is almost transparent...

Because coral sucks?

We tried it for sa-update, and kept finding that we'd get timeouts,
or corrupted files, or ...  We ended up dropping it in favor of more
traditional mirrors.

-- 
Randomly Selected Tagline:
 Paul: If rubbin' frozen dirt in your crotch is wrong, hey, 
  I don't wanna be right.




Re: Rulesemporium

2007-07-13 Thread John D. Hardin
On Fri, 13 Jul 2007, Theo Van Dinter wrote:

 On Fri, Jul 13, 2007 at 10:03:07AM -0700, John D. Hardin wrote:
  I'll bring this up again: coral.
  
  Is there some reason pointing everyone at the coral cache of the 
  website won't work? Granted, coral is also intended for large files, 
  but it is distributed and is almost transparent...
 
 Because coral sucks?
 
 We tried it for sa-update, and kept finding that we'd get timeouts,
 or corrupted files, or ...  We ended up dropping it in favor of more
 traditional mirrors.

Okay, that's a pretty good reason.

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  You do not examine legislation in the light of the benefits it
  will convey if properly administered, but in the light of the
  wrongs it would do and the harms it would cause if improperly
  administered.  -- Lyndon B. Johnson
---
 11 days until The 38th anniversary of Apollo 11 landing on the Moon



Re: Rulesemporium

2007-07-13 Thread Daryl C. W. O'Shea

John D. Hardin wrote:

On Fri, 13 Jul 2007, Christopher X. Candreva wrote:


On Thu, 12 Jul 2007, Kelson wrote:


I don't think the typical SA ruleset is big enough to take advantage of
BitTorrent.

However, what you might gain is the redundancy if (in fantasy
world) every user was also serving them out via bittorrent.

I was just mulling over in my head a hypothetical
BittorrentMirror client. The idea being to mirror a group of
files (rulesemporium rules, the whole site, etc).


I'll bring this up again: coral.

Is there some reason pointing everyone at the coral cache of the 
website won't work? Granted, coral is also intended for large files, 
but it is distributed and is almost transparent...


You and I already had a discussion about this on May 24th... coral sucks 
for two reasons; (i) it's on an alternate port and (ii) it corrupts the 
files.  You suggested I get them to fix it, I suggested I couldn't be 
bothered.


Daryl


Re: Rulesemporium

2007-07-13 Thread Daryl C. W. O'Shea

Simon Standley wrote:

Like a lot of other folks, I've not been able to get through to RulesEmporium 
for a while now.

Personally - I run RDJ by hand, once or twice a week (depending upon amount of 
spam getting through), and find that usually does the trick ... but not any 
more. Even this limited amount of activity is either triggering Anti-DDOS stuff 
(if it's there), or is falling victim to DDOS in progress.

Just wondering if the RulesEmporium admins had any kind of 'official' 
advice/workaround that they preferred we use until a more permanent DDOS 
solution was found?


There have been *zero* rules updates since the DDoS began so I wouldn't 
worry too much about getting your rules updated.


Daryl



Re: Rulesemporium

2007-07-13 Thread Dallas Engelken

John D. Hardin wrote:

On Fri, 13 Jul 2007, Christopher X. Candreva wrote:

  

On Fri, 13 Jul 2007, John D. Hardin wrote:


Is there some reason pointing everyone at the coral cache of the 
website won't work? Granted, coral is also intended for large files, 
but it is distributed and is almost transparent...
  

Well right now, www.rulesemporium.com came up in a few seconds
directly, and took over a minute via the Coral Cache.

So I would answer because it doesn't help, and slows things down
in fact.



The initial retrieval of the cached pages *does* require a regular 
connection to the primary website, so the coral network would be just 
as impacted by a DDoS as regular users are. However, once it has its 
copy response should be quite fast. I just tried it and it took just a 
few seconds, whereas I haven't been able to get directly to the 
primary website at all for a week or more.
  



Hi John,

Prolexic says...


If you could ask any users with connectivity issues to submit a 'host
www.rulesemporium.com' and 'tcptraceroute www.rulesemporium.com' along
with a complaint of connectivity problems, that would be very helpful. 



So, if you want to send that to me, I can get the info to them so they 
can get to the bottom of it.


--
Dallas Engelken
[EMAIL PROTECTED]
http://uribl.com



Re: Rulesemporium

2007-07-12 Thread Anders Norrbring

Henrik Krohns wrote:

On Wed, Jul 11, 2007 at 07:44:37PM -0400, Phil Barnett wrote:
We can't be the first people to come up against this problem. How have others 
solved it?


Bunch'o'Mirrors? Crude and effective.



*raise a hand* I volunteer to mirror, I have lots of both hd and bw 
capacity to spare.


Anders.


Re: Rulesemporium

2007-07-12 Thread Justin Mason

Phil Barnett writes:
 On Wednesday 11 July 2007, SARE Webmaster wrote:
  There has been discussion of taking down the public site, opening
  something new ( private access, invite only, acl by ip, etc), in hopes
  to avoid ddos and provide better services, more frequent rule updates,
  and so on.     We are trying our best to keep it alive, but there is
  only so much we can do with the limited time and resources we have.
 
 How about releasing the ruleset via torrent or something similar. Anything 
 that you could do to distribute the load and location would make a ddos 
 attack less effective. While there might not be a lot of people on this list 
 who can use their server to take on the entire DDOS for you, there are a LOT 
 of servers here that could participate in a pool.

If you're going to be looking into new methods to distribute rulesets,
may I suggest sa-update? ;)

--j.


Re: Rulesemporium

2007-07-12 Thread Phil Barnett
On Thursday 12 July 2007, Justin Mason wrote:
 Phil Barnett writes:
  On Wednesday 11 July 2007, SARE Webmaster wrote:
   There has been discussion of taking down the public site, opening
   something new ( private access, invite only, acl by ip, etc), in hopes
   to avoid ddos and provide better services, more frequent rule updates,
   and so on.  We are trying our best to keep it alive, but there is
   only so much we can do with the limited time and resources we have.
 
  How about releasing the ruleset via torrent or something similar.
  Anything that you could do to distribute the load and location would make
  a ddos attack less effective. While there might not be a lot of people on
  this list who can use their server to take on the entire DDOS for you,
  there are a LOT of servers here that could participate in a pool.

 If you're going to be looking into new methods to distribute rulesets,
 may I suggest sa-update? ;)

Is it DDOS resistant already?

-- 
Phil Barnett
AI4OF
SKCC #600


sa-update and DDOSes (was Re: Rulesemporium)

2007-07-12 Thread Justin Mason

Phil Barnett writes:
 On Thursday 12 July 2007, Justin Mason wrote:
  Phil Barnett writes:
   On Wednesday 11 July 2007, SARE Webmaster wrote:
There has been discussion of taking down the public site, opening
something new ( private access, invite only, acl by ip, etc), in hopes
to avoid ddos and provide better services, more frequent rule updates,
and so on.     We are trying our best to keep it alive, but there is
only so much we can do with the limited time and resources we have.
  
   How about releasing the ruleset via torrent or something similar.
   Anything that you could do to distribute the load and location would make
   a ddos attack less effective. While there might not be a lot of people on
   this list who can use their server to take on the entire DDOS for you,
   there are a LOT of servers here that could participate in a pool.
 
  If you're going to be looking into new methods to distribute rulesets,
  may I suggest sa-update? ;)
 
 Is it DDOS resistant already?

Well, it wasn't a design goal.  But the polling, and initial stages of the
download, are performed using DNS -- which is a hell of a lot harder to
DOS than plain HTTP polling.

--j.
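
The shape of a DNS-polled update check with verified mirror downloads, as an added example that is not sa-update's own code and not part of the original posts. It ties the DNS polling described above to the timeouts and corrupted files reported for the cache earlier in the thread; the TXT record format, host names and in-memory resolver and mirrors are all hypothetical stand-ins so it runs offline.

```python
import hashlib


class NoGoodMirror(Exception):
    """Every mirror timed out or served bytes that fail the digest."""


def poll(resolve_txt, channel):
    """Ask DNS for the newest update: one small TXT answer, no HTTP request.

    Assumed record format (hypothetical): "<update-number> <sha256-hex>".
    An unsigned DNS answer is only as trustworthy as the resolver path; a
    signature over the archive is the stronger check and is not shown here.
    """
    number, digest = resolve_txt(channel).split()
    return int(number), digest.lower()


def download_verified(number, digest, mirrors, http_get):
    """Try mirrors in order; accept only a body whose SHA-256 matches."""
    log = []
    for mirror in mirrors:
        try:
            body = http_get(mirror, number)
        except TimeoutError:
            log.append((mirror, "timeout"))
            continue
        if hashlib.sha256(body).hexdigest() != digest:
            log.append((mirror, "corrupt"))  # discard, never install
            continue
        log.append((mirror, "ok"))
        return body, log
    raise NoGoodMirror(log)


def update(installed, channel, resolve_txt, mirrors, http_get):
    """Return (installed update number, new body or None, per-mirror log)."""
    latest, digest = poll(resolve_txt, channel)
    if latest <= installed:
        return installed, None, []  # nothing new: zero HTTP traffic
    body, log = download_verified(latest, digest, mirrors, http_get)
    return latest, body, log


# --- constructed stand-ins so the example runs offline ---
RULES = b"score RA000 0.1\nscore RA001 0.1\n"
CHANNEL = "rules.example.org"
ZONE = {CHANNEL: "20070713 " + hashlib.sha256(RULES).hexdigest()}
MIRRORS = ["mirror-a.example.org", "cache.example.org", "mirror-b.example.org"]
HTTP_CALLS = []


def fake_txt(name):
    return ZONE[name]


def fake_get(mirror, number):
    HTTP_CALLS.append(mirror)
    if mirror == "mirror-a.example.org":
        raise TimeoutError(mirror)   # saturated link
    if mirror == "cache.example.org":
        return RULES[:-3]            # truncated copy from a flaky cache
    return RULES


def demo():
    HTTP_CALLS.clear()
    current = update(20070713, CHANNEL, fake_txt, MIRRORS, fake_get)
    calls_when_current = len(HTTP_CALLS)
    fresh = update(20070601, CHANNEL, fake_txt, MIRRORS, fake_get)
    return current, calls_when_current, fresh


if __name__ == "__main__":
    print(demo())
```

A client that is already current generates no HTTP traffic at all, and a client that needs the update skips the timed-out mirror and rejects the truncated copy before accepting the third mirror's bytes.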


Re: Rulesemporium

2007-07-12 Thread Kelson

Phil Barnett wrote:
How about releasing the ruleset via torrent or something similar. Anything 
that you could do to distribute the load and location would make a ddos 
attack less effective. While there might not be a lot of people on this list 
who can use their server to take on the entire DDOS for you, there are a LOT 
of servers here that could participate in a pool.


I don't think the typical SA ruleset is big enough to take advantage of 
BitTorrent.  Too much overhead.  For comparison, Firefox updates are 
typically several hundred kilobytes (on Windows & Linux, anyway), and 
they've looked into torrents and concluded they wouldn't gain anything 
by using them.


--
Kelson Vibber
SpeedGate Communications www.speed.net


Re: Rulesemporium

2007-07-12 Thread Mike Grau




If your IP is blocked, for whatever reason, perhaps a proxy would help 
you until your IP is unblocked.
http://translate.google.com/translate?u=http%3A%2F%2Fwww.rulesemporium.com%2Flangpair=fr%7Cen 


I bet the 'donate' link would help :-)



Hmm,  I doubt it, seeing that  SARE has received 3 donations in 2007,  
$90 all total  (yet 31k unique ips pull rules from the site every week.. 
ugh).  Anyone want to sell  us a VPS on a DDoS proof network for $90?   ;)


Ka-ching! Ka-ching ka-ching! Hey, it worked here; I'm in. A pay-per-view 
site, eh? ;)


Three donations ... that's pathetic.

-- Mike


Re: Rulesemporium

2007-07-12 Thread Daryl C. W. O'Shea

Mike Grau wrote:




If your IP is blocked, for whatever reason, perhaps a proxy would 
help you until your IP is unblocked.
http://translate.google.com/translate?u=http%3A%2F%2Fwww.rulesemporium.com%2Flangpair=fr%7Cen 


I bet the 'donate' link would help :-)



Hmm,  I doubt it, seeing that  SARE has received 3 donations in 2007,  
$90 all total  (yet 31k unique ips pull rules from the site every 
week.. ugh).  Anyone want to sell  us a VPS on a DDoS proof network 
for $90?   ;)


Ka-ching! Ka-ching ka-ching! Hey, it worked here; I'm in. A pay-per-view 
site, eh? ;)


Three donations ... that's pathetic.


That's actually better than I was expecting. :(

Daryl



Re: Rulesemporium

2007-07-12 Thread Jake Vickers

Mike Grau wrote:




If your IP is blocked, for whatever reason, perhaps a proxy would 
help you until your IP is unblocked.
http://translate.google.com/translate?u=http%3A%2F%2Fwww.rulesemporium.com%2Flangpair=fr%7Cen 


I bet the 'donate' link would help :-)



Hmm,  I doubt it, seeing that  SARE has received 3 donations in 
2007,  $90 all total  (yet 31k unique ips pull rules from the site 
every week.. ugh).  Anyone want to sell  us a VPS on a DDoS proof 
network for $90?   ;)
Ouch. I just made a donation. It's not much, but thanks for all the hard 
work!


Re: Rulesemporium

2007-07-12 Thread Dallas Engelken

Anders Norrbring wrote:

Henrik Krohns wrote:

On Wed, Jul 11, 2007 at 07:44:37PM -0400, Phil Barnett wrote:
We can't be the first people to come up against this problem. How 
have others solved it?


Bunch'o'Mirrors? Crude and effective.



*raise a hand* I volunteer to mirror, I have lots of both hd and bw 
capacity to spare.


Sure, until you get your first DDoS... 

SURBL had like 10 mirrors for www when they started getting the ddos, 
and all of them took over 200mbit/s.. some upwards of 450mbit.   URIBL 
had 3, and Spamhaus has 2 that I know of.   If they can ddos at well 
over 3gbit/s (15*200),  it really doesn't matter how many damn mirrors 
there are.  Even if your mirror providers would take 20mbit/s each and 
not null route your ass, you'd need well over 150 mirrors.


I do not believe Bunch'o'Mirrors is the solution.  It may be all 
fine and good for distribution of load/bandwidth, but thwarting off ddos 
it is not.


The proper solution would be to dismantle the botnets that are capable 
of mass ddos.  Some ISPs need to gain a clue, step it up, and do their 
part to cut off access to infected PCs.


--
Dallas Engelken
[EMAIL PROTECTED]
http://uribl.com



Re: Rulesemporium

2007-07-11 Thread jdow

From: Daryl C. W. O'Shea [EMAIL PROTECTED]


jdow wrote:

From: Daryl C. W. O'Shea [EMAIL PROTECTED]


Loren Wilton wrote:

Mike Grau [EMAIL PROTECTED] 07/09/07 5:15 PM 

On 07/09/2007 04:01 PM the voices made Joe Zitnik write:

I can't get here:
http://www.rulesemporium.com/rules
Is rulesemporium having issues again?


I can rarely get there (via a browser). So rarely the site is almost 
useless.



I've been having intermittent issues getting there from home for a
while.  Last time it happened, the site was down.  I still can't get
there


Hum.  I just tried again, and didn't have any problems this time 
either.

Guess I'm lucky.


Perhaps you are.  I get 500 Server closed connection without sending 
any data back or 500 Can't connect to www.rulesemporium.com:80 
(connect: timeout) at least once an hour out of three queries an hour.


Daryl, I've tried before to tell you and other people RDJ is broken.


Actually, you've not, and if you did it would be a waste of time given 
that I don't use RDJ and actually provide the sa-update channels for SARE 
rules.




Put
a 1 second sleep between each file fetch and see if that improves things.


If you weren't in a hurry to make 3 posts about the same thing to the same 
thread, you'd see that I wrote that I'm seeing the timeout in 1 (or more) 
of ONLY THREE QUERIES AN **HOUR**.  I've already got a 20 minute delay 
between queries.  I'll try adding a 1 second delay to that though. :)




It keeps you from looking like a DoS attack.

Since I put that hack in my GetRule.sh script has never failed me.


As has been noted already, by Dallas, it's a problem with at least one of 
their network links being saturated by the DoS, not the DoS protection.


Is this perhaps a difference in wget and curl? This is an off hour. But I
am running again with no problems so far. (A friend put in the delay and
it worked for him, too.) Yeah, just finished faster than earlier today.

What was happening to me was nice fast progress through the first few of
my long list. Then it would start showing the timeouts for all the rest.
It was pure hunch that led to the delay strategy. And it has appeared to
work. I've never seen a timeout since then.

Go figure. It's magic? I dunno.
{^_^}



Re: Rulesemporium

2007-07-11 Thread ram

 As I said, we use a trick that makes the fetches work. It does not get
 us tarred by the DoS filter. So access to the web site is really easy.
 I also check when I feel like it rather than hourly as I've heard some
 people work. Weekly is more than enough unless you see a notification
 here. 

Well that could be automated. I don't know why they cannot use something
like an RSS and we could get rules as feeds. Rather than having to get
each file all the time 


Thanks
Ram




RE: Rulesemporium

2007-07-11 Thread Raymond Dijkxhoorn

Hi!


Wouldn't you say the  DDOS protection theory and/or implementation is broken
if topology and routing is not taken into account?

You know, we are not posting to this list to rag on them, we just wanna be
able to hit the website for info when necessary and without being tossed in
the crapper after a few page views etc.


If you can provide a better solution let us know.

Bye,
raymond.


Re: Rulesemporium

2007-07-11 Thread Ken A

jdow wrote:

From: Ken A [EMAIL PROTECTED]

SARE Webmaster wrote:

Daryl C. W. O'Shea wrote:
Loren Wilton wrote:

Mike Grau [EMAIL PROTECTED] 07/09/07 5:15 PM 

On 07/09/2007 04:01 PM the voices made Joe Zitnik write:

I can't get here:
http://www.rulesemporium.com/rules
Is rulesemporium having issues again?


I can rarely get there (via a browser). So rarely the site is 
almost useless.



I've been having intermittent issues getting there from home for a
while.  Last time it happened, the site was down.  I still can't get
there


Hum.  I just tried again, and didn't have any problems this time 
either.

Guess I'm lucky.


Perhaps you are.  I get 500 Server closed connection without 
sending any data back or 500 Can't connect to 
www.rulesemporium.com:80 (connect: timeout) at least once an hour 
out of three queries an hour.




Ok, so the word is that the telia link is saturated with traffic from 
the ddos yet..   I'd like some traceroutes to www.rulesemporium.com 
for anyone that is having problems.


darn spammers.. don't they have anything else to do?

From both Northern California and N.E. Arkansas, I get nothing beyond
 9  so-6-0-0.gar1.Miami1.Level3.net (4.68.112.42)  75.275 ms 
so-7-0-0.gar1.Miami1.Level3.net (4.68.112.46)  78.995 ms 
so-6-0-0.gar1.Miami1.Level3.net (4.68.112.42)  81.046 ms

Looks like maybe Level3 has dampened the route to you due to the problem.
Time to get a mirror in Miami?

Ken



The issue with the html found in rulesets (the 0.1 refresh page) 
should be cleared up.  If anyone is seeing this, please let me know 
immediately.


I am in the Los Angeles area. The mtr utility reports:
                             My traceroute  [v0.71]
morticia.wizardess.wiz (0.0.0.0)                    Tue Jul 10 19:05:13 2007
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                       Packets               Pings
 Host                                Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. netblock-68-183-128-1.dslextreme  0.0%     3   23.3  23.4  23.3  23.4   0.0
 2. LAX1.CR1.Gig9-0-3.dslextreme.com  0.0%     3   23.7  24.3  23.7  25.3   0.9
 3. ge-5-1-115.ipcolo1.LosAngeles1.L  0.0%     3   23.6  24.2  23.6  24.6   0.5
 4. ae-2-54.bbr2.LosAngeles1.Level3.  0.0%     3   24.2  24.4  24.2  24.6   0.2
 5. as-1-0.mp1.Miami1.Level3.net      0.0%     3   87.8  98.4  87.2 120.1  18.8
 6. so-7-0-0.gar1.Miami1.Level3.net   0.0%     3   87.6  87.6  87.6  87.6   0.0
 7. ???

So as you see there already is a mirror in the Miami area. (It is probably
the one that just worked. For the mtr check I probably got the address out
of the DNS cache.)

Put   A   Delay   Between   Each   File   You   Fetch   or
attempt   to   fetch.

Maybe typing slowly so you guys can read will help.

{o.o}


<sarcasm> A little misinformation tossed to spammers isn't bad here. I 
hear there's a mirror in Afghanistan too. And by all means.. when you 
browse the site.. click the stop button in your browser between its 
loading each image on each page, then click the start button again. It's 
tricky, but if you do it just right, you can browse the whole site 
before the IDS blocks you. </sarcasm>


The rulesemporium site is great, and much thanks goes to the ninjas who 
operate it and write the rules, forcing spammers to read harry potter books.


Ken

--
Ken Anderson
Pacific.Net


Re: Rulesemporium

2007-07-11 Thread Mike Grau


<sarcasm> A little misinformation tossed to spammers isn't bad here. I 
hear there's a mirror in Afghanistan too. And by all means.. when you 
browse the site.. click the stop button in your browser between its 
loading each image on each page, then click the start button again. It's 
tricky, but if you do it just right, you can browse the whole site 
before the IDS blocks you. </sarcasm>


The rulesemporium site is great, and much thanks goes to the ninjas who 
operate it and write the rules, forcing spammers to read harry potter 
books.


Ken



Yes, the rulesemporium site _is_ great. As are the rules themselves. 
That's why I'd like to use my browser and read just one page. Right now 
all I get (and this is my first attempt to browse the site since 
yesterday) is Waiting for www.rulesemporium.com


I'm not talking about rules_du_jour or sa-update or seeing how fast I 
can manually click stop or cycle through pages with my browser. I just 
want to go to the one page I have bookmarked. Isn't that the point of 
having a website? Allowing people to view your content? I'd say the DDOS 
is still very effective one way or another. My sympathies to the 
rulesemporium folks. I wish I could help, but I'm just some slob who 
wants to view their website.


Still waiting ... Mike


Re: Rulesemporium

2007-07-11 Thread Ken A

Mike Grau wrote:


<sarcasm> A little misinformation tossed to spammers isn't bad here. I 
hear there's a mirror in Afghanistan too. And by all means.. when you 
browse the site.. click the stop button in your browser between its 
loading each image on each page, then click the start button again. 
It's tricky, but if you do it just right, you can browse the whole 
site before the IDS blocks you. </sarcasm>


The rulesemporium site is great, and much thanks goes to the ninjas 
who operate it and write the rules, forcing spammers to read harry 
potter books.


Ken



Yes, the rulesemporium site _is_ great. As are the rules themselves. 
That's why I'd like to use my browser and read just one page. Right now 
all I get (and this is my first attempt to browse the site since 
yesterday) is Waiting for www.rulesemporium.com


I'm not talking about rules_du_jour or sa-update or seeing how fast I 
can manually click stop or cycle through pages with my browser. I just 
want to go to the one page I have bookmarked. Isn't that the point of 
having a website? Allowing people to view your content? I'd say the DDOS 
is still very effective one way or another. My sympathies to the 
rulesemporium folks. I wish I could help, but I'm just some slob who 
wants to view their website.


Still waiting ... Mike



If your IP is blocked, for whatever reason, perhaps a proxy would help 
you until your IP is unblocked.

http://translate.google.com/translate?u=http%3A%2F%2Fwww.rulesemporium.com%2Flangpair=fr%7Cen
I bet the 'donate' link would help :-)

Ken

--
Ken Anderson
Pacific.Net


Re: Rulesemporium

2007-07-11 Thread Mike Grau




If your IP is blocked, for whatever reason, perhaps a proxy would help 
you until your IP is unblocked.
http://translate.google.com/translate?u=http%3A%2F%2Fwww.rulesemporium.com%2Flangpair=fr%7Cen 


I bet the 'donate' link would help :-)

Ken



Okay, done. We'll see if it helps.

Mike


Re: Rulesemporium

2007-07-11 Thread SARE Webmaster

Ken A wrote:

Mike Grau wrote:


<sarcasm> A little misinformation tossed to spammers isn't bad here. 
I hear there's a mirror in Afghanistan too. And by all means.. when 
you browse the site.. click the stop button in your browser between 
its loading each image on each page, then click the start button 
again. It's tricky, but if you do it just right, you can browse the 
whole site before the IDS blocks you. </sarcasm>


The rulesemporium site is great, and much thanks goes to the ninjas 
who operate it and write the rules, forcing spammers to read harry 
potter books.


Ken



Yes, the rulesemporium site _is_ great. As are the rules themselves. 
That's why I'd like to use my browser and read just one page. Right 
now all I get (and this is my first attempt to browse the site since 
yesterday) is Waiting for www.rulesemporium.com


I'm not talking about rules_du_jour or sa-update or seeing how fast I 
can manually click stop or cycle through pages with my browser. I 
just want to go to the one page I have bookmarked. Isn't that the 
point of having a website? Allowing people to view your content? I'd 
say the DDOS is still very effective one way or another. My 
sympathies to the rulesemporium folks. I wish I could help, but I'm 
just some slob who wants to view their website.


Still waiting ... Mike



If your IP is blocked, for whatever reason, perhaps a proxy would help 
you until your IP is unblocked.
http://translate.google.com/translate?u=http%3A%2F%2Fwww.rulesemporium.com%2Flangpair=fr%7Cen 


I bet the 'donate' link would help :-)



Hmm,  I doubt it, seeing that  SARE has received 3 donations in 2007,  
$90 all total  (yet 31k unique ips pull rules from the site every week.. 
ugh).  Anyone want to sell  us a VPS on a DDoS proof network for $90?   ;)


Maybe if we had a buck for every one of those IPs we could afford one.   
However, we're running on donated bandwidth/hardware from vr.org, and 
frontended by ddos mitigation services from prolexic.com... so really, 
I'm just glad the site comes up at all. Without those guys it would be 
long gone.


There has been discussion of taking down the public site, opening 
something new ( private access, invite only, acl by ip, etc), in hopes 
to avoid ddos and provide better services, more frequent rule updates, 
and so on. We are trying our best to keep it alive, but there is 
only so much we can do with the limited time and resources we have.


Speaking about lacking of resources... we need more good people who want 
to join SARE and contribute with rules, scripts, masscheckers, etc...   
anyone interested should email [EMAIL PROTECTED]


Thanks,

--
SARE Webmaster
[EMAIL PROTECTED]
http://www.rulesemporium.com




Re: Rulesemporium

2007-07-11 Thread Dallas Engelken

Robert - eLists wrote:

Praise God Almighty!

We were able to spend more than a few seconds and many clicks on the
rulesemporium website.

Awesome.

As it says, was it moved over to vr.org ???

  


A couple years ago...  yup.   Which is now netactuate.com

--
Dallas Engelken
[EMAIL PROTECTED]
http://uribl.com



Re: Rulesemporium

2007-07-11 Thread Phil Barnett
On Wednesday 11 July 2007, SARE Webmaster wrote:
 There has been discussion of taking down the public site, opening
 something new ( private access, invite only, acl by ip, etc), in hopes
 to avoid ddos and provide better services, more frequent rule updates,
 and so on.     We are trying our best to keep it alive, but there is
 only so much we can do with the limited time and resources we have.

How about releasing the ruleset via torrent or something similar. Anything 
that you could do to distribute the load and location would make a ddos 
attack less effective. While there might not be a lot of people on this list 
who can use their server to take on the entire DDOS for you, there are a LOT 
of servers here that could participate in a pool.

Maybe a DNS round robin?

Just some ideas.

-- 
Phil Barnett
AI4OF
SKCC #600


Re: Rulesemporium

2007-07-11 Thread Yet Another Ninja

On 7/12/2007 12:50 AM, Phil Barnett wrote:

On Wednesday 11 July 2007, SARE Webmaster wrote:

There has been discussion of taking down the public site, opening
something new ( private access, invite only, acl by ip, etc), in hopes
to avoid ddos and provide better services, more frequent rule updates,
and so on. We are trying our best to keep it alive, but there is
only so much we can do with the limited time and resources we have.


How about releasing the ruleset via torrent or something similar. Anything 
that you could do to distribute the load and location would make a ddos 
attack less effective. While there might not be a lot of people on this list 
who can use their server to take on the entire DDOS for you, there are a LOT 
of servers here that could participate in a pool.


Maybe a DNS round robin?

Just some ideas.



hey

great ideas - who volunteers to setup the Torrent stuff and manage it all ?

--
Spammer Hell has not DSL






Re: Rulesemporium

2007-07-11 Thread Matt Hampton
Phil Barnett wrote:

 How about releasing the ruleset via torrent or something similar. Anything 
 that you could do to distribute the load and location would make a ddos 
 attack less effective. While there might not be a lot of people on this list 
 who can use their server to take on the entire DDOS for you, there are a LOT 
 of servers here that could participate in a pool.

Or another thing would be to look at anycast,
http://en.wikipedia.org/wiki/Anycast


matt


Re: Rulesemporium

2007-07-11 Thread Phil Barnett
On Wednesday 11 July 2007, Yet Another Ninja wrote:
 On 7/12/2007 12:50 AM, Phil Barnett wrote:
  On Wednesday 11 July 2007, SARE Webmaster wrote:
  There has been discussion of taking down the public site, opening
  something new ( private access, invite only, acl by ip, etc), in hopes
  to avoid ddos and provide better services, more frequent rule updates,
  and so on. We are trying our best to keep it alive, but there is
  only so much we can do with the limited time and resources we have.
 
  How about releasing the ruleset via torrent or something similar.
  Anything that you could do to distribute the load and location would make
  a ddos attack less effective. While there might not be a lot of people on
  this list who can use their server to take on the entire DDOS for you,
  there are a LOT of servers here that could participate in a pool.
 
  Maybe a DNS round robin?
 
  Just some ideas.

 hey

 great ideas - who volunteers to setup the Torrent stuff and manage it all ?

Thinking further, torrent is not exactly what is needed. Torrents need to be 
reseeded for every change, so that's a maintenance nightmare. RSS has some of 
the pieces, but I'm not sure if it can be just a file delivery method. rsync 
has obvious benefits in reducing bandwidth, but doesn't have any security 
built into it.

I think some brainstorming to come up with a peer distributed subscription 
service is the starting point. If there isn't one, that's the next battle.

We can't be the first people to come up against this problem. How have others 
solved it?

-- 
Phil Barnett
AI4OF
SKCC #600


Re: Rulesemporium

2007-07-11 Thread Jerry Durand

At 04:00 PM 7/11/2007, Yet Another Ninja wrote:


hey

great ideas - who volunteers to setup the Torrent stuff and manage it all ?


I wouldn't know how to do that, but would be willing to offer some of 
my tiny server and bandwidth to the cause.


Current system is OS X Server, but will be ported to Ubuntu when I 
get new hardware.



--
Jerry Durand, Durand Interstellar, Inc.  www.interstellar.com
tel: +1 408 356-3886, USA toll free: 1 866 356-3886
Skype:  jerrydurand



Re: Rulesemporium

2007-07-11 Thread jdow

From: Phil Barnett [EMAIL PROTECTED]

On Wednesday 11 July 2007, Yet Another Ninja wrote:

On 7/12/2007 12:50 AM, Phil Barnett wrote:
 On Wednesday 11 July 2007, SARE Webmaster wrote:
 There has been discussion of taking down the public site, opening
 something new ( private access, invite only, acl by ip, etc), in hopes
 to avoid ddos and provide better services, more frequent rule updates,
 and so on. We are trying our best to keep it alive, but there is
 only so much we can do with the limited time and resources we have.

 How about releasing the ruleset via torrent or something similar.
 Anything that you could do to distribute the load and location would make
 a ddos attack less effective. While there might not be a lot of people on
 this list who can use their server to take on the entire DDOS for you,
 there are a LOT of servers here that could participate in a pool.

 Maybe a DNS round robin?

 Just some ideas.

hey

great ideas - who volunteers to setup the Torrent stuff and manage it all ?


Thinking further, torrent is not exactly what is needed. Torrents need to be
reseeded for every change, so that's a maintenance nightmare. RSS has some of
the pieces, but I'm not sure if it can be just a file delivery method. rsync
has obvious benefits in reducing bandwidth, but doesn't have any security
built into it.

I think some brainstorming to come up with a peer distributed subscription
service is the starting point. If there isn't one, that's the next battle.

We can't be the first people to come up against this problem. How have others
solved it?


  # $source is the host URL directory, e.g. http://www.rulesemporium.com/rules/
  # $file is the file, e.g. 88_FVGT_subject.cf
  if [ -e "$file" ]; then
    # the file already exists locally
    /usr/bin/wget -r -l 1 -nd -N "$source$file"
  else
    /usr/bin/wget -l 1 -nd -N "$source$file"
  fi

Several times in the last day or so - nary a problem if I have that silly
one second delay in there between files.

{o.o}
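Added example, not part of the message above and not RulesDuJour or GetRule.sh code: a Python sketch of the fetch discipline this thread argues about, with a conditional GET (the effect of `wget -N`), a fixed pause between files, bounded backoff on timeouts, and a refusal to save an HTML page over a rule file (the "0.1 refresh page" problem mentioned elsewhere in the thread). The function names, the outcome strings and the injectable `opener`/`sleep` parameters are assumptions made for the example.

```python
"""Polite ruleset fetcher: conditional GET, spacing between files, backoff."""
import email.utils
import os
import time
import urllib.error
import urllib.request


def http_open(url, headers, timeout=30):
    """Default transport: returns (status, body, Last-Modified header)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(), resp.headers.get("Last-Modified")
    except urllib.error.HTTPError as err:
        # urllib reports 304 Not Modified (and 4xx/5xx) as HTTPError.
        return err.code, b"", None


def _fetch_one(url, path, headers, delay, retries, opener, sleep):
    for attempt in range(retries):
        try:
            status, body, last_modified = opener(url, headers)
        except OSError:              # timeouts, refused or reset connections
            status = None
        if status == 304:
            return "unchanged"
        if status == 200:
            # Assumption: a .cf rule file never starts with '<'. An HTML
            # interstitial must not overwrite a working ruleset.
            if body.lstrip()[:1] == b"<":
                return "rejected-html"
            tmp = path + ".tmp"
            with open(tmp, "wb") as fh:
                fh.write(body)
            os.replace(tmp, path)    # atomic swap, no half-written rules
            if last_modified:
                ts = email.utils.parsedate_to_datetime(last_modified).timestamp()
                os.utime(path, (ts, ts))
            return "updated"
        if status is not None and 400 <= status < 500:
            return "failed"          # retrying a client error only adds load
        if attempt < retries - 1:
            sleep(delay * 2 ** (attempt + 1))   # back off: 2x, 4x the delay
    return "failed"


def fetch_rules(base_url, files, dest_dir, delay=1.0, retries=3,
                opener=http_open, sleep=time.sleep):
    """Fetch each file in turn; return {file name: outcome}."""
    results = {}
    for index, name in enumerate(files):
        if index:
            sleep(delay)             # the pause between files
        path = os.path.join(dest_dir, name)
        headers = {}
        if os.path.exists(path):
            # Only transfer the file when the server copy is newer.
            headers["If-Modified-Since"] = email.utils.formatdate(
                os.path.getmtime(path), usegmt=True)
        results[name] = _fetch_one(base_url + name, path, headers,
                                   delay, retries, opener, sleep)
    return results
```

With the defaults, a run over N unchanged files costs the server N short 304 responses spread over at least N-1 seconds.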



Re: Re: Rulesemporium

2007-07-10 Thread SARE Webmaster

Daryl C. W. O'Shea wrote:
Loren Wilton wrote:

Mike Grau [EMAIL PROTECTED] 07/09/07 5:15 PM 

On 07/09/2007 04:01 PM the voices made Joe Zitnik write:

I can't get here:
http://www.rulesemporium.com/rules
Is rulesemporium having issues again?


I can rarely get there (via a browser). So rarely the site is almost 
useless.



I've been having intermittent issues getting there from home for a
while.  Last time it happened, the site was down.  I still can't get
there


Hum.  I just tried again, and didn't have any problems this time either.
Guess I'm lucky.


Perhaps you are.  I get 500 Server closed connection without sending 
any data back or 500 Can't connect to www.rulesemporium.com:80 
(connect: timeout) at least once an hour out of three queries an hour.




Ok, so the word is that the telia link is saturated with traffic from 
the ddos yet..   I'd like some traceroutes to www.rulesemporium.com for 
anyone that is having problems.


The issue with the html found in rulesets (the 0.1 refresh page) 
should be cleared up.  If anyone is seeing this, please let me know 
immediately.


Thanks,

--
SARE Webmaster
[EMAIL PROTECTED]
http://www.rulesemporium.com




Re: Re: Rulesemporium

2007-07-10 Thread Ed Kasky

At 04:57 AM Tuesday, 7/10/2007, SARE Webmaster wrote -=
Ok, so the word is that the telia link is saturated with traffic 
from the ddos yet..   I'd like some traceroutes to 
www.rulesemporium.com for anyone that is having problems.


The issue with the html found in rulesets (the 0.1 refresh page) 
should be cleared up.  If anyone is seeing this, please let me know 
immediately.


From somewhere in sunny southern California:

[EMAIL PROTECTED] ~]$ traceroute www.rulesemporium.com
traceroute to www.rulesemporium.com (209.200.135.151), 30 hops max, 40 byte packets
 1  ns5gt.wrenkasky.com (10.10.10.1)  0.632 ms  0.861 ms  1.193 ms
 2  router.wrenkasky.com (216.102.129.41)  635.312 ms  636.093 ms  637.040 ms
 3  dist4-vlan60.irvnca.sbcglobal.net (67.114.50.66)  638.464 ms  639.417 ms  640.596 ms
 4  bb2-g4-0.irvnca.sbcglobal.net (151.164.43.143)  641.546 ms  642.494 ms  643.673 ms
 5  ex1-p2-0.eqlaca.sbcglobal.net (151.164.40.161)  644.560 ms  645.740 ms  646.693 ms
 6  te-3-4.car3.LosAngeles1.Level3.net (4.68.110.113)  647.873 ms  743.477 ms  1185.795 ms
 7  ae-2-56.bbr2.LosAngeles1.Level3.net (4.68.102.161)  1186.617 ms ae-2-54.bbr2.LosAngeles1.Level3.net (4.68.102.97)  1187.442 ms ae-2-52.bbr2.LosAngeles1.Level3.net (4.68.102.33)  1188.649 ms
 8  as-1-0.mp1.Miami1.Level3.net (64.159.0.1)  1313.398 ms  1314.443 ms  1315.393 ms
 9  so-6-0-0.gar1.Miami1.Level3.net (4.68.112.42)  1316.574 ms  1317.520 ms so-7-0-0.gar1.Miami1.Level3.net (4.68.112.46)  1354.421 ms
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *



. . . . . . . . . . . . . . . . . .
Randomly Generated Quote (483 of 1244):
Don't be yourself. Be someone a little nicer. -Mignon McLaughlin,
journalist and author (1913-1983)



Re: Rulesemporium

2007-07-10 Thread Mike Grau


Ok, so the word is that the telia link is saturated with traffic from 
the ddos yet..   I'd like some traceroutes to www.rulesemporium.com for 
anyone that is having problems.



# traceroute www.rulesemporium.com
traceroute to www.rulesemporium.com (209.200.135.151), 30 hops max, 40 byte packets
 1  a004001.kcc.state.ks.us (192.168.4.1)  0.437 ms   0.099 ms   0.106 ms
 2  165.201.4.162  0.763 ms   0.813 ms   0.746 ms
 3  165.201.85.201  0.870 ms   0.677 ms   0.780 ms
 4  165.201.60.3  1.032 ms   1.149 ms   0.929 ms
 5  165.201.254.25  2.071 ms   1.563 ms   2.457 ms
 6  165.201.254.10  2.441 ms   2.306 ms   2.260 ms
 7  wsip-68-106-191-61.ks.ok.cox.net (68.106.191.61)  3.365 ms   3.314 ms   3.614 ms
 8  ip70-183-65-49.ks.ks.cox.net (70.183.65.49)  11.048 ms   10.998 ms   12.317 ms
 9  wichdsrj01-ge704.0.rd.ks.cox.net (70.183.71.25)  12.517 ms   15.284 ms   14.833 ms
10  mtc3dsrj02-ge710.0.rd.ok.cox.net (68.1.0.109)  23.132 ms   22.519 ms   23.396 ms
11  ae-2-52.bbr2.Chicago1.Level3.net (4.68.101.33)  57.604 ms ae-2-56.bbr2.Chicago1.Level3.net (4.68.101.161)  55.696 ms ae-2-52.bbr2.Chicago1.Level3.net (4.68.101.33)  53.787 ms
12  as-1-0.mp1.Miami1.Level3.net (64.159.0.1)  85.394 ms   85.578 ms   85.523 ms
13  so-6-0-0.gar1.Miami1.Level3.net (4.68.112.42)  85.479 ms   84.752 ms so-7-0-0.gar1.Miami1.Level3.net (4.68.112.46)  79.211 ms
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *


Re: Rulesemporium

2007-07-10 Thread Ken A

SARE Webmaster wrote:

Daryl C. W. O'Shea wrote:
Loren Wilton wrote:

Mike Grau [EMAIL PROTECTED] 07/09/07 5:15 PM 

On 07/09/2007 04:01 PM the voices made Joe Zitnik write:

I can't get here:
http://www.rulesemporium.com/rules
Is rulesemporium having issues again?


I can rarely get there (via a browser). So rarely the site is almost 
useless.



I've been having intermittent issues getting there from home for a
while.  Last time it happened, the site was down.  I still can't get
there


Hum.  I just tried again, and didn't have any problems this time either.
Guess I'm lucky.


Perhaps you are.  I get 500 Server closed connection without sending 
any data back or 500 Can't connect to www.rulesemporium.com:80 
(connect: timeout) at least once an hour out of three queries an hour.




Ok, so the word is that the telia link is saturated with traffic from 
the ddos yet..   I'd like some traceroutes to www.rulesemporium.com for 
anyone that is having problems.


darn spammers.. don't they have anything else to do?

From both Northern California and N.E. Arkansas, I get nothing beyond
 9  so-6-0-0.gar1.Miami1.Level3.net (4.68.112.42)  75.275 ms so-7-0-0.gar1.Miami1.Level3.net (4.68.112.46)  78.995 ms so-6-0-0.gar1.Miami1.Level3.net (4.68.112.42)  81.046 ms

Looks like maybe Level3 has dampened the route to you due to the problem.
Time to get a mirror in Miami?

Ken



The issue with the html found in rulesets (the 0.1 refresh page) 
should be cleared up.  If anyone is seeing this, please let me know 
immediately.


Thanks,




--
Ken Anderson
Pacific.Net


Re: Re: Rulesemporium

2007-07-10 Thread John D. Hardin
On Tue, 10 Jul 2007, Ed Kasky wrote:

   6  te-3-4.car3.LosAngeles1.Level3.net (4.68.110.113)  647.873 ms  743.477 ms  1185.795 ms
   7  ae-2-56.bbr2.LosAngeles1.Level3.net (4.68.102.161)  1186.617 ms ae-2-54.bbr2.LosAngeles1.Level3.net (4.68.102.97)  1187.442 ms ae-2-52.bbr2.LosAngeles1.Level3.net (4.68.102.33)  1188.649 ms

SANS was reporting yesterday that Level3 was having BGP problems in
socal which were causing large RTT. Perhaps those problems aren't
fully resolved yet?

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...every time I sit down in front of a Windows machine I feel as
  if the computer is just a place for the manufacturers to put their
  advertising.    -- fwadling on Y! SCOX
--
 14 days until The 38th anniversary of Apollo 11 landing on the Moon



Re: Re: Rulesemporium

2007-07-10 Thread Duane Hill

On Tue, 10 Jul 2007 at 07:01 -0700, [EMAIL PROTECTED] confabulated:


At 04:57 AM Tuesday, 7/10/2007, SARE Webmaster wrote -=
Ok, so the word is that the telia link is saturated with traffic from the 
ddos yet..   I'd like some traceroutes to www.rulesemporium.com for anyone 
that is having problems.


The issue with the html found in rulesets (the 0.1 refresh page) should 
be cleared up.  If anyone is seeing this, please let me know immediately.


From somewhere in sunny southern California:

[EMAIL PROTECTED] ~]$ traceroute www.rulesemporium.com
traceroute to www.rulesemporium.com (209.200.135.151), 30 hops max, 40 byte packets
 1  ns5gt.wrenkasky.com (10.10.10.1)  0.632 ms  0.861 ms  1.193 ms
 2  router.wrenkasky.com (216.102.129.41)  635.312 ms  636.093 ms  637.040 ms
 3  dist4-vlan60.irvnca.sbcglobal.net (67.114.50.66)  638.464 ms  639.417 ms  640.596 ms
 4  bb2-g4-0.irvnca.sbcglobal.net (151.164.43.143)  641.546 ms  642.494 ms  643.673 ms
 5  ex1-p2-0.eqlaca.sbcglobal.net (151.164.40.161)  644.560 ms  645.740 ms  646.693 ms
 6  te-3-4.car3.LosAngeles1.Level3.net (4.68.110.113)  647.873 ms  743.477 ms  1185.795 ms
 7  ae-2-56.bbr2.LosAngeles1.Level3.net (4.68.102.161)  1186.617 ms ae-2-54.bbr2.LosAngeles1.Level3.net (4.68.102.97)  1187.442 ms ae-2-52.bbr2.LosAngeles1.Level3.net (4.68.102.33)  1188.649 ms
 8  as-1-0.mp1.Miami1.Level3.net (64.159.0.1)  1313.398 ms  1314.443 ms  1315.393 ms
 9  so-6-0-0.gar1.Miami1.Level3.net (4.68.112.42)  1316.574 ms  1317.520 ms so-7-0-0.gar1.Miami1.Level3.net (4.68.112.46)  1354.421 ms
10  * * *


While I get the same results as you from Iowa on the last good hop, I can 
get to the web site from a browser. Perhaps a firewall has ICMP blocked as 
I can not ping the web site either.


-
 _|_
(_| |


Re: Rulesemporium

2007-07-10 Thread John D. Hardin

dendarii ~ # traceroute www.rulesemporium.com
traceroute to unknown.prolexic.com (209.200.135.151), 30 hops max, 38 byte packets
 1  athena (10.1.0.254)  0.442 ms  0.258 ms  0.242 ms
 2  * * *
 3  P6-7.LCR-01.STTLWA.verizon-gni.net (130.81.35.128)  18.870 ms  18.744 ms  18.676 ms
 4  so-6-0-0-0.PEER-RTR1.SEA81.verizon-gni.net (130.81.17.137)  19.508 ms  19.068 ms  18.428 ms
 5  0.so-7-0-0.XT2.SEA1.ALTER.NET (152.63.104.49)  18.749 ms  19.046 ms  18.414 ms
 6  POS7-0.BR2.SEA1.ALTER.NET (152.63.106.5)  18.761 ms  18.857 ms  18.160 ms
 7  204.255.169.22 (204.255.169.22)  19.007 ms  20.507 ms  27.932 ms
 8  ae-2-52.mp2.Seattle1.Level3.net (4.68.105.33)  62.450 ms ae-2-56.mp2.Seattle1.Level3.net (4.68.105.161)  20.406 ms ae-2-52.mp2.Seattle1.Level3.net (4.68.105.33)  19.734 ms
 9  as-0-0.mp2.Miami1.Level3.net (64.159.3.249)  104.696 ms  104.840 ms as-1-0.mp1.Miami1.Level3.net (64.159.0.1)  103.460 ms
10  so-7-0-0.gar1.Miami1.Level3.net (4.68.112.46)  104.180 ms so-6-0-0.gar1.Miami1.Level3.net (4.68.112.42)  105.259 ms so-7-0-0.gar1.Miami1.Level3.net (4.68.112.46)  104.576 ms
11  * * *
12  * * *
13  * * *
14  * * *
...etc


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...every time I sit down in front of a Windows machine I feel as
  if the computer is just a place for the manufacturers to put their
  advertising.    -- fwadling on Y! SCOX
--
 14 days until The 38th anniversary of Apollo 11 landing on the Moon



Re: Re: Rulesemporium

2007-07-10 Thread Duane Hill

On Tue, 10 Jul 2007 at 14:15 -, [EMAIL PROTECTED] confabulated:


On Tue, 10 Jul 2007 at 07:01 -0700, [EMAIL PROTECTED] confabulated:


At 04:57 AM Tuesday, 7/10/2007, SARE Webmaster wrote -=
Ok, so the word is that the telia link is saturated with traffic from the 
ddos yet..   I'd like some traceroutes to www.rulesemporium.com for anyone 
that is having problems.


The issue with the html found in rulesets (the 0.1 refresh page) should 
be cleared up.  If anyone is seeing this, please let me know immediately.


From somewhere in sunny southern California:

[EMAIL PROTECTED] ~]$ traceroute www.rulesemporium.com
traceroute to www.rulesemporium.com (209.200.135.151), 30 hops max, 40 byte packets
 1  ns5gt.wrenkasky.com (10.10.10.1)  0.632 ms  0.861 ms  1.193 ms
 2  router.wrenkasky.com (216.102.129.41)  635.312 ms  636.093 ms  637.040 ms
 3  dist4-vlan60.irvnca.sbcglobal.net (67.114.50.66)  638.464 ms  639.417 ms  640.596 ms
 4  bb2-g4-0.irvnca.sbcglobal.net (151.164.43.143)  641.546 ms  642.494 ms  643.673 ms
 5  ex1-p2-0.eqlaca.sbcglobal.net (151.164.40.161)  644.560 ms  645.740 ms  646.693 ms
 6  te-3-4.car3.LosAngeles1.Level3.net (4.68.110.113)  647.873 ms  743.477 ms  1185.795 ms
 7  ae-2-56.bbr2.LosAngeles1.Level3.net (4.68.102.161)  1186.617 ms ae-2-54.bbr2.LosAngeles1.Level3.net (4.68.102.97)  1187.442 ms ae-2-52.bbr2.LosAngeles1.Level3.net (4.68.102.33)  1188.649 ms
 8  as-1-0.mp1.Miami1.Level3.net (64.159.0.1)  1313.398 ms  1314.443 ms  1315.393 ms
 9  so-6-0-0.gar1.Miami1.Level3.net (4.68.112.42)  1316.574 ms  1317.520 ms so-7-0-0.gar1.Miami1.Level3.net (4.68.112.46)  1354.421 ms
10  * * *


While I get the same results as you from Iowa on the last good hop, I can get 
to the web site from a browser. Perhaps a firewall has ICMP blocked as I can 
not ping the web site either.


Oops! Forgot to hit paste:

[EMAIL PROTECTED] ~]$ traceroute www.rulesemporium.com
traceroute to www.rulesemporium.com (209.200.135.151), 64 hops max, 40 byte packets
 1  core.duane.dbq.yournetplus.com (192.168.1.1)  0.525 ms  0.533 ms  0.344 ms
 2  core (65.124.230.193)  3.948 ms  3.189 ms  3.175 ms
 3  kcm-edge-09.inet.qwest.net (72.165.150.185)  16.721 ms  16.496 ms  16.366 ms
 4  kcm-core-01.inet.qwest.net (205.171.29.77)  17.046 ms  16.968 ms  16.674 ms
 5  dal-core-02.inet.qwest.net (67.14.2.10)  27.716 ms  27.647 ms  27.589 ms
 6  dap-brdr-02.inet.qwest.net (205.171.225.5)  27.709 ms  27.824 ms  27.831 ms
 7  * * *
 8  ae-1-55.bbr1.Dallas1.Level3.net (4.68.122.129)  28.442 ms ae-1-53.bbr1.Dallas1.Level3.net (4.68.122.65)  28.428 ms ae-1-51.bbr1.Dallas1.Level3.net (4.68.122.1)  28.264 ms
 9  as-0-0.mp2.Miami1.Level3.net (64.159.3.249)  70.632 ms  113.651 ms  70.556 ms
10  so-6-0-0.gar1.Miami1.Level3.net (4.68.112.42)  71.200 ms  74.815 ms so-7-0-0.gar1.Miami1.Level3.net (4.68.112.46)  71.135 ms
11  * * *
12  * * *
...

-
 _|_
(_| |


Re: Rulesemporium

2007-07-10 Thread Ken A

Duane Hill wrote:

On Tue, 10 Jul 2007 at 07:01 -0700, [EMAIL PROTECTED] confabulated:


At 04:57 AM Tuesday, 7/10/2007, SARE Webmaster wrote -=
Ok, so the word is that the telia link is saturated with traffic from 
the ddos yet..   I'd like some traceroutes to www.rulesemporium.com 
for anyone that is having problems.


The issue with the html found in rulesets (the 0.1 refresh page) 
should be cleared up.  If anyone is seeing this, please let me know 
immediately.


From somewhere in sunny southern California:

[EMAIL PROTECTED] ~]$ traceroute www.rulesemporium.com
traceroute to www.rulesemporium.com (209.200.135.151), 30 hops max, 40 byte packets
 1  ns5gt.wrenkasky.com (10.10.10.1)  0.632 ms  0.861 ms  1.193 ms
 2  router.wrenkasky.com (216.102.129.41)  635.312 ms  636.093 ms  637.040 ms
 3  dist4-vlan60.irvnca.sbcglobal.net (67.114.50.66)  638.464 ms  639.417 ms  640.596 ms
 4  bb2-g4-0.irvnca.sbcglobal.net (151.164.43.143)  641.546 ms  642.494 ms  643.673 ms
 5  ex1-p2-0.eqlaca.sbcglobal.net (151.164.40.161)  644.560 ms  645.740 ms  646.693 ms
 6  te-3-4.car3.LosAngeles1.Level3.net (4.68.110.113)  647.873 ms  743.477 ms  1185.795 ms
 7  ae-2-56.bbr2.LosAngeles1.Level3.net (4.68.102.161)  1186.617 ms ae-2-54.bbr2.LosAngeles1.Level3.net (4.68.102.97)  1187.442 ms ae-2-52.bbr2.LosAngeles1.Level3.net (4.68.102.33)  1188.649 ms
 8  as-1-0.mp1.Miami1.Level3.net (64.159.0.1)  1313.398 ms  1314.443 ms  1315.393 ms
 9  so-6-0-0.gar1.Miami1.Level3.net (4.68.112.42)  1316.574 ms  1317.520 ms so-7-0-0.gar1.Miami1.Level3.net (4.68.112.46)  1354.421 ms
10  * * *


While I get the same results as you from Iowa on the last good hop, I 
can get to the web site from a browser. Perhaps a firewall has ICMP 
blocked as I can not ping the web site either.


-
 _|_
(_| |



You are 100% correct. Works from here as well, though not real quick at 
the moment. I should have tried tcptraceroute instead; works nice for 
stuff like this!

Ken


--
Ken Anderson
Pacific.Net
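Added example, not part of any poster's message: a Python sketch of the reasoning in the exchange above, where every traceroute goes silent after the same Level3 Miami routers yet the site still loads in a browser. It re-joins mail-wrapped classic Unix traceroute output, finds the last answering hop per vantage point, and treats the stars after a shared cutoff as evidence about probe filtering only, leaving the verdict to a TCP connect on the service port. The three traces are abridged from outputs posted in this thread; the function names and verdict strings are assumptions made for the example.

```python
"""Compare traceroutes from several vantage points before declaring an outage."""
import re
import socket

# A hop line starts with the hop number, then '*', 'name (' or a bare IPv4.
HOP_START = re.compile(
    r"^\s*(\d{1,2})\s+(?=\*|\S+\s+\(|\d{1,3}(?:\.\d{1,3}){3}\s)(.*)$")
IPV4 = re.compile(r"(?<![\w.-])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.-])")

# Abridged from traceroutes posted in this thread (wrapping kept on purpose).
KANSAS = """traceroute to www.rulesemporium.com (209.200.135.151), 30 hops max, 40 byte
packets
 6  165.201.254.10  2.441 ms   2.306 ms   2.260 ms
12  as-1-0.mp1.Miami1.Level3.net (64.159.0.1)  85.394 ms   85.578 ms   85.523 ms
13  so-6-0-0.gar1.Miami1.Level3.net (4.68.112.42)  85.479 ms   84.752 ms
so-7-0-0.gar1.Miami1.Level3.net (4.68.112.46)  79.211 ms
14  * * *
15  * * *
"""
SEATTLE = """ 1  athena (10.1.0.254)  0.442 ms  0.258 ms  0.242 ms
 2  * * *
 9  as-0-0.mp2.Miami1.Level3.net (64.159.3.249)  104.696 ms  104.840
ms as-1-0.mp1.Miami1.Level3.net (64.159.0.1)  103.460 ms
10  so-7-0-0.gar1.Miami1.Level3.net (4.68.112.46)  104.180 ms
so-6-0-0.gar1.Miami1.Level3.net (4.68.112.42)  105.259 ms
11  * * *
12  * * *
"""
IOWA = """ 7  * * *
 9  as-0-0.mp2.Miami1.Level3.net (64.159.3.249)  70.632 ms  113.651 ms
70.556 ms
10  so-6-0-0.gar1.Miami1.Level3.net (4.68.112.42)  71.200 ms  74.815 ms
so-7-0-0.gar1.Miami1.Level3.net (4.68.112.46)  71.135 ms
11  * * *
12  * * *
"""
TRACES = {"kansas": KANSAS, "seattle": SEATTLE, "iowa": IOWA}


def parse_hops(text):
    """Return [(hop number, [IPs that answered])], joining wrapped lines."""
    hops = []
    for line in text.splitlines():
        match = HOP_START.match(line)
        if match:
            hops.append([int(match.group(1)), match.group(2)])
        elif hops and line.strip():
            hops[-1][1] += " " + line.strip()   # continuation of previous hop
    return [(number, IPV4.findall(body)) for number, body in hops]


def last_responder(text):
    """(hop number, set of IPs) of the last hop that answered, or None."""
    answered = [(n, set(ips)) for n, ips in parse_hops(text) if ips]
    return answered[-1] if answered else None


def shared_cutoff(traces):
    """Router IPs that are the last answering hop from every vantage point."""
    last = [last_responder(text) for text in traces.values()]
    if not last or any(item is None for item in last):
        return set()
    return set.intersection(*(ips for _, ips in last))


def tcp_reachable(host, port=80, timeout=5.0):
    """What a browser needs: a completed TCP handshake on the service port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(traces, tcp_ok):
    """Combine the traces with the result of a TCP connect test."""
    cutoff = ", ".join(sorted(shared_cutoff(traces)))
    if cutoff and tcp_ok:
        return "probes filtered beyond %s; service answers on TCP" % cutoff
    if cutoff:
        return "paths end at %s and TCP fails: outage or block past it" % cutoff
    return "no common cutoff: investigate each path separately"
```

Pass `tcp_reachable("www.rulesemporium.com")` as `tcp_ok` to run the check live; the parser does not handle the Windows `tracert` layout.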


Re: Re: Rulesemporium

2007-07-10 Thread Jerry Durand

At 04:57 AM 7/10/2007, SARE Webmaster wrote:

Ok, so the word is that the telia link is saturated with traffic 
from the ddos yet..   I'd like some traceroutes to 
www.rulesemporium.com for anyone that is having problems.


From my Windows machine...

Tracing route to www.rulesemporium.com [209.200.135.151] over a maximum of 30 hops:

  1     2 ms    10 ms    10 ms  192.168.0.1
  2    29 ms    22 ms    22 ms  L100.DSL-01.SNFCCA.verizon-gni.net [71.116.64.1]
  3    23 ms    23 ms    23 ms  at-4-2-0-134.CORE-RTR1.SJC01.verizon-gni.net [130.81.36.76]
  4    24 ms    26 ms    30 ms  so-0-3-0-0.BB-RTR1.SJC01.verizon-gni.net [130.81.20.44]
  5    23 ms    24 ms    35 ms  so-6-0-0-0.PEER-RTR1.SJC80.verizon-gni.net [130.81.17.133]
  6    23 ms    24 ms    23 ms  POS1-0.GW3.SJC7.ALTER.NET [152.63.48.21]
  7    24 ms    23 ms    23 ms  POS2-0.XR2.SJC7.ALTER.NET [152.63.56.166]
  8    24 ms    33 ms    24 ms  0.so-7-0-0.BR1.SJC7.ALTER.NET [152.63.48.253]
  9    23 ms    29 ms    23 ms  OC-48-6-1-0-edge5.SanJose1.Level3.net [4.68.63.49]
 10    24 ms    24 ms    24 ms  ge-1-3-0-89.bbr1.SanJose1.Level3.net [4.68.18.129]
 11   105 ms   104 ms   105 ms  as-1-0.mp1.Miami1.Level3.net [64.159.0.1]
 12   104 ms   105 ms   104 ms  so-7-0-0.gar1.Miami1.Level3.net [4.68.112.46]
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19  ^C


--
Jerry Durand, Durand Interstellar, Inc.  www.interstellar.com
tel: +1 408 356-3886, USA toll free: 1 866 356-3886
Skype:  jerrydurand



Re: Rulesemporium

2007-07-10 Thread jdow

From: Robert - eLists [EMAIL PROTECTED]


I can rarely get there (via a browser). So rarely the site is almost
useless.


Mike,

Almost???

Bwahh... that is a good one.

You are far too kind...

- rh


Gee, it just worked for me tickety-boo. But then I have fixed my tool,
which uses wget, to pause a second between each file it fetches. I use
a don't fetch if the file isn't new strategy.

By the way, don't worry very much. I run about 50 external rulesets and
none of them have been updated for nearly a month.

{^_^}   Joanne, doesn't let a crummy DoS filter get in my way. (It would
   if I didn't have that delay, experience indicates.)


Re: Rulesemporium

2007-07-10 Thread jdow

From: Loren Wilton [EMAIL PROTECTED]


Mike Grau [EMAIL PROTECTED] 07/09/07 5:15 PM 

On 07/09/2007 04:01 PM the voices made Joe Zitnik write:

I can't get here:
http://www.rulesemporium.com/rules
Is rulesemporium having issues again?


I can rarely get there (via a browser). So rarely the site is almost 
useless.



I've been having intermittent issues getting there from home for a
while.  Last time it happened, the site was down.  I still can't get
there


Hum.  I just tried again, and didn't have any problems this time either.
Guess I'm lucky.

   Loren


As I said, we use a trick that makes the fetches work. It does not get
us tarred by the DoS filter. So access to the web site is really easy.
I also check when I feel like it rather than hourly as I've heard some
people work. Weekly is more than enough unless you see a notification
here. I got annoyed at the failed fetch one day and looked at the logs I
make. I saw the timeout errors. I worked to eliminate them. Why whine when
you can fix it, eh love?

{^_-}   - one stubborn bitch.



Re: Rulesemporium

2007-07-10 Thread jdow

From: Daryl C. W. O'Shea [EMAIL PROTECTED]


Loren Wilton wrote:

Mike Grau [EMAIL PROTECTED] 07/09/07 5:15 PM 

On 07/09/2007 04:01 PM the voices made Joe Zitnik write:

I can't get here:
http://www.rulesemporium.com/rules
Is rulesemporium having issues again?


I can rarely get there (via a browser). So rarely the site is almost 
useless.



I've been having intermittent issues getting there from home for a
while.  Last time it happened, the site was down.  I still can't get
there


Hum.  I just tried again, and didn't have any problems this time either.
Guess I'm lucky.


Perhaps you are.  I get 500 Server closed connection without sending 
any data back or 500 Can't connect to www.rulesemporium.com:80 
(connect: timeout) at least once an hour out of three queries an hour.


Daryl, I've tried before to tell you and other people RDJ is broken. Put
a 1 second sleep between each file fetch and see if that improves things.
It keeps you from looking like a DoS attack.

Since I put that hack in my GetRule.sh script has never failed me.

{O.O}



Re: Rulesemporium

2007-07-10 Thread Daryl C. W. O'Shea

jdow wrote:

From: Loren Wilton [EMAIL PROTECTED]


Mike Grau [EMAIL PROTECTED] 07/09/07 5:15 PM 

On 07/09/2007 04:01 PM the voices made Joe Zitnik write:

I can't get here:
http://www.rulesemporium.com/rules
Is rulesemporium having issues again?


I can rarely get there (via a browser). So rarely the site is almost 
useless.



I've been having intermittent issues getting there from home for a
while.  Last time it happened, the site was down.  I still can't get
there


Hum.  I just tried again, and didn't have any problems this time either.
Guess I'm lucky.

   Loren


As I said, we use a trick that makes the fetches work. It does not get
us tarred by the DoS filter. So access to the web site is really easy.
I also check when I feel like it rather than hourly as I've heard some
people work. Weekly is more than enough unless you see a notification
here. I got annoyed at the failed fetch one day and looked at the logs I
make. I saw the timeout errors. I worked to eliminate them. Why whine when
you can fix it, eh love?


Joanne,

The errors have nothing to do with the DoS protection, but saturated 
links.  The insertion of a few seconds of delay between queries, or a 20 
minute delay in my case, will do nothing to resolve the issue.


Daryl


Re: Rulesemporium

2007-07-10 Thread jdow

From: Ken A [EMAIL PROTECTED]

SARE Webmaster wrote:

Daryl C. W. O'Shea wrote:
Loren Wilton wrote:

Mike Grau [EMAIL PROTECTED] 07/09/07 5:15 PM 

On 07/09/2007 04:01 PM the voices made Joe Zitnik write:

I can't get here:
http://www.rulesemporium.com/rules
Is rulesemporium having issues again?


I can rarely get there (via a browser). So rarely the site is almost 
useless.



I've been having intermittent issues getting there from home for a
while.  Last time it happened, the site was down.  I still can't get
there


Hum.  I just tried again, and didn't have any problems this time 
either.

Guess I'm lucky.


Perhaps you are.  I get 500 Server closed connection without sending 
any data back or 500 Can't connect to www.rulesemporium.com:80 
(connect: timeout) at least once an hour out of three queries an hour.




Ok, so the word is that the telia link is saturated with traffic from the 
ddos yet..   I'd like some traceroutes to www.rulesemporium.com for 
anyone that is having problems.


darn spammers.. don't they have anything else to do?

From both Northern California and N.E. Arkansas, I get nothing beyond
 9  so-6-0-0.gar1.Miami1.Level3.net (4.68.112.42)  75.275 ms so-7-0-0.gar1.Miami1.Level3.net (4.68.112.46)  78.995 ms so-6-0-0.gar1.Miami1.Level3.net (4.68.112.42)  81.046 ms

Looks like maybe Level3 has dampened the route to you due to the problem.
Time to get a mirror in Miami?

Ken



The issue with the html found in rulesets (the 0.1 refresh page) should 
be cleared up.  If anyone is seeing this, please let me know immediately.


I am in the Los Angeles area. The mtr utility reports:
My traceroute  [v0.71]
morticia.wizardess.wiz (0.0.0.0)                    Tue Jul 10 19:05:13 2007

Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                       Packets               Pings
 Host                                Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. netblock-68-183-128-1.dslextreme  0.0%     3   23.3  23.4  23.3  23.4   0.0
 2. LAX1.CR1.Gig9-0-3.dslextreme.com  0.0%     3   23.7  24.3  23.7  25.3   0.9
 3. ge-5-1-115.ipcolo1.LosAngeles1.L  0.0%     3   23.6  24.2  23.6  24.6   0.5
 4. ae-2-54.bbr2.LosAngeles1.Level3.  0.0%     3   24.2  24.4  24.2  24.6   0.2
 5. as-1-0.mp1.Miami1.Level3.net      0.0%     3   87.8  98.4  87.2 120.1  18.8
 6. so-7-0-0.gar1.Miami1.Level3.net   0.0%     3   87.6  87.6  87.6  87.6   0.0
 7. ???

So as you see there already is a mirror in the Miami area. (It is probably
the one that just worked. For the mtr check I probably got the address out
of the DNS cache.)

Put   A   Delay   Between   Each   File   You   Fetch   or
attempt   to   fetch.

Maybe typing slowly so you guys can read will help.

{o.o} 



Re: Rulesemporium

2007-07-10 Thread jdow

From: Daryl C. W. O'Shea [EMAIL PROTECTED]


jdow wrote:

From: Loren Wilton [EMAIL PROTECTED]


Mike Grau [EMAIL PROTECTED] 07/09/07 5:15 PM 

On 07/09/2007 04:01 PM the voices made Joe Zitnik write:

I can't get here:
http://www.rulesemporium.com/rules
Is rulesemporium having issues again?


I can rarely get there (via a browser). So rarely the site is almost 
useless.



I've been having intermittent issues getting there from home for a
while.  Last time it happened, the site was down.  I still can't get
there


Hum.  I just tried again, and didn't have any problems this time either.
Guess I'm lucky.

   Loren


As I said, we use a trick that makes the fetches work. It does not get
us tarred by the DoS filter. So access to the web site is really easy.
I also check when I feel like it rather than hourly as I've heard some
people work. Weekly is more than enough unless you see a notification
here. I got annoyed at the failed fetch one day and looked at the logs I
make. I saw the timeout errors. I worked to eliminate them. Why whine when
you can fix it, eh love?


Joanne,

The errors have nothing to do with the DoS protection, but saturated 
links.  The insertion of a few seconds of delay between queries, or a 20 
minute delay in my case, will do nothing to resolve the issue.


It fixed it like magic here and since then I've never seen a problem.

Go figure.

{^_^} 



Re: Rulesemporium

2007-07-10 Thread Daryl C. W. O'Shea

jdow wrote:

From: Daryl C. W. O'Shea [EMAIL PROTECTED]


Loren Wilton wrote:

Mike Grau [EMAIL PROTECTED] 07/09/07 5:15 PM 

On 07/09/2007 04:01 PM the voices made Joe Zitnik write:

I can't get here:
http://www.rulesemporium.com/rules
Is rulesemporium having issues again?


I can rarely get there (via a browser). So rarely the site is almost 
useless.



I've been having intermittent issues getting there from home for a
while.  Last time it happened, the site was down.  I still can't get
there


Hum.  I just tried again, and didn't have any problems this time either.
Guess I'm lucky.


Perhaps you are.  I get 500 Server closed connection without sending 
any data back or 500 Can't connect to www.rulesemporium.com:80 
(connect: timeout) at least once an hour out of three queries an hour.


Daryl, I've tried before to tell you and other people RDJ is broken.


Actually, you've not, and if you did it would be a waste of time given 
that I don't use RDJ and actually provide the sa-update channels for 
SARE rules.




Put a 1 second sleep between each file fetch and see if that improves things.


If you weren't in a hurry to make 3 posts about the same thing to the 
same thread, you'd see that I wrote that I'm seeing the timeout in 1 (or 
more) of ONLY THREE QUERIES AN **HOUR**.  I've already got a 20 minute 
delay between queries.  I'll try adding a 1 second delay to that though. :)




It keeps you from looking like a DoS attack.

Since I put that hack in my GetRule.sh script has never failed me.


As has been noted already, by Dallas, it's a problem with at least one 
of their network links being saturated by the DoS, not the DoS protection.



Daryl


Re: Rulesemporium

2007-07-10 Thread Daryl C. W. O'Shea

jdow wrote:

From: Daryl C. W. O'Shea [EMAIL PROTECTED]


jdow wrote:

From: Loren Wilton [EMAIL PROTECTED]


Mike Grau [EMAIL PROTECTED] 07/09/07 5:15 PM 

On 07/09/2007 04:01 PM the voices made Joe Zitnik write:

I can't get here:
http://www.rulesemporium.com/rules
Is rulesemporium having issues again?


I can rarely get there (via a browser). So rarely the site is 
almost useless.



I've been having intermittent issues getting there from home for a
while.  Last time it happened, the site was down.  I still can't get
there


Hum.  I just tried again, and didn't have any problems this time 
either.

Guess I'm lucky.

   Loren


As I said, we use a trick that makes the fetches work. It does not get
us tarred by the DoS filter. So access to the web site is really easy.
I also check when I feel like it rather than hourly as I've heard some
people work. Weekly is more than enough unless you see a notification
here. I got annoyed at the failed fetch one day and looked at the logs I
make. I saw the timeout errors. I worked to eliminate them. Why whine when
you can fix it, eh love?


Joanne,

The errors have nothing to do with the DoS protection, but saturated 
links.  The insertion of a few seconds of delay between queries, or a 
20 minute delay in my case, will do nothing to resolve the issue.


It fixed it like magic here and since then I've never seen a problem.

Go figure.


I've figured.  I've even rubbed my head against every network 
engineering degree, diploma and certificate that I've got laying around 
and the best that I have come up with is the crazy idea that it's 
possible that not every link to Prolexic is suffering from periodic 
saturation.


Go figure.


Daryl


RE: Rulesemporium

2007-07-10 Thread Robert - eLists
 
 As I said, we use a trick that makes the fetches work. It does not get
 us tarred by the DoS filter. So access to the web site is really easy.
 I also check when I feel like it rather than hourly as I've heard some
 people work. Weekly is more than enough unless you see a notification
 here. I got annoyed at the failed fetch one day and looked at the logs I
 make. I saw the timeout errors. I worked to eliminate them. Why whine when
 you can fix it, eh love?
 
 {^_-}   - one stubborn bitch.

Whoa whoa whoa... Tickety-boo is way too high tech for me. Does not compute.

Slow down lady or we are gonna have to put the smack down on ya.   ;-)

And it isn't so much that we cannot solve the simple gimme updates issue
as you have...

The issue is when you cannot reliably browse a website from a *browser* like
a normal human being does and/or would... ...and then get cut off after
several page views while *browsing* or doing *research* for future
implementation.

That is one thing that frustrates some folks I know and tells of ummm that
the DDOS filters and/or programming are not as intelligent or fine tuned as
they could be...

 - rh



RE: Rulesemporium

2007-07-10 Thread Robert - eLists
 
 The errors have nothing to do with the DoS protection, but saturated
 links.  The insertion of a few seconds of delay between queries, or a 20
 minute delay in my case, will do nothing to resolve the issue.
 
 Daryl

Daryl,

Saturated?

You gotta be kidding me...

In this day and age...

Is it really the size of the pipe(s) or the network processing horsepower or
the new topology.

It appears that the topology to reach rulesemporium has changed since they
took over the site transport and transit.

 - rh





RE: Rulesemporium

2007-07-10 Thread Robert - eLists
 
 As has been noted already, by Dallas, it's a problem with at least one
 of their network links being saturated by the DoS, not the DoS protection.
 
 
 Daryl

Daryl

Wouldn't you say the  DDOS protection theory and/or implementation is broken
if topology and routing is not taken into account?

You know, we are not posting to this list to rag on them, we just wanna be
able to hit the website for info when necessary and without being tossed in
the crapper after a few page views etc.

 - rh




RE: Rulesemporium

2007-07-10 Thread Robert - eLists

Praise God Almighty!

We were able to spend more than a few seconds and many clicks on the
rulesemporium website.

Awesome.

As it says, was it moved over to vr.org ???

 - rh



Rulesemporium

2007-07-09 Thread Joe Zitnik
I can't get here:
http://www.rulesemporium.com/rules
Is rulesemporium having issues again?


Re: Rulesemporium

2007-07-09 Thread Loren Wilton

I can't get here:
http://www.rulesemporium.com/rules
Is rulesemporium having issues again?


Just worked for me.

   Loren




Re: Rulesemporium

2007-07-09 Thread Mike Grau

On 07/09/2007 04:01 PM the voices made Joe Zitnik write:

I can't get here:
http://www.rulesemporium.com/rules
Is rulesemporium having issues again?


I can rarely get there (via a browser). So rarely the site is almost 
useless.


Re: Rulesemporium

2007-07-09 Thread Ed Kasky

At 02:01 PM Monday, 7/9/2007, Joe Zitnik wrote -=

I can't get here:
http://www.rulesemporium.com/rules
Is rulesemporium having issues again?


I have one server that is fine but a second that keeps stalling on 
different rules.  On the first attempt it froze on 
99_FVGT_Tripwire.cf and the second time on 70_sare_adult.cf.


Weird...

Ed Kasky
~
Randomly Generated Quote (128 of 568):
Law of Drunkedness You can't fall off the floor.



Re: Rulesemporium

2007-07-09 Thread Joe Zitnik
 Mike Grau [EMAIL PROTECTED] 07/09/07 5:15 PM 
On 07/09/2007 04:01 PM the voices made Joe Zitnik write:
 I can't get here:
 http://www.rulesemporium.com/rules
 Is rulesemporium having issues again?

I can rarely get there (via a browser). So rarely the site is almost 
useless.


I've been having intermittent issues getting there from home for a
while.  Last time it happened, the site was down.  I still can't get
there


RE: Rulesemporium

2007-07-09 Thread Robert - eLists
 
 I can rarely get there (via a browser). So rarely the site is almost
 useless.

Mike,

Almost???

Bwahh... that is a good one.

You are far too kind...

 - rh



Re: Rulesemporium

2007-07-09 Thread Loren Wilton

Mike Grau [EMAIL PROTECTED] 07/09/07 5:15 PM 

On 07/09/2007 04:01 PM the voices made Joe Zitnik write:

I can't get here:
http://www.rulesemporium.com/rules
Is rulesemporium having issues again?


I can rarely get there (via a browser). So rarely the site is almost 
useless.



I've been having intermittent issues getting there from home for a
while.  Last time it happened, the site was down.  I still can't get
there


Hum.  I just tried again, and didn't have any problems this time either.
Guess I'm lucky.

   Loren




Re: Rulesemporium

2007-07-09 Thread Daryl C. W. O'Shea

Loren Wilton wrote:

Mike Grau [EMAIL PROTECTED] 07/09/07 5:15 PM 

On 07/09/2007 04:01 PM the voices made Joe Zitnik write:

I can't get here:
http://www.rulesemporium.com/rules
Is rulesemporium having issues again?


I can rarely get there (via a browser). So rarely the site is almost 
useless.



I've been having intermittent issues getting there from home for a
while.  Last time it happened, the site was down.  I still can't get
there


Hum.  I just tried again, and didn't have any problems this time either.
Guess I'm lucky.


Perhaps you are.  I get 500 Server closed connection without sending 
any data back or 500 Can't connect to www.rulesemporium.com:80 
(connect: timeout) at least once an hour out of three queries an hour.


Daryl


Re: Rulesemporium

2007-06-29 Thread Nigel Frankcom
On Fri, 29 Jun 2007 16:30:25 +0100, --[ UxBoD ]-- [EMAIL PROTECTED]
wrote:

Same here :(

On Fri, 29 Jun 2007 11:28:51 -0400, Joe Zitnik [EMAIL PROTECTED] wrote:
 Is it having troubles again?  I'm having problems reaching the site.
 
 --
 This message has been scanned for viruses and
 dangerous content by MailScanner, and is
 believed to be clean.
-- 
--[ UxBoD ]--
// PGP Key: curl -s https://www.splatnix.net/uxbod.asc | gpg --import
// Fingerprint: C759 8F52 1D17 B3C5 5854  36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED]

Is it worth adding mirrors for the rules? I'm more than happy to do so
and can probably rope in a few others.

I should imagine a fair few others on list would be prepared to act as
mirrors too.

Just a thought.

Kind regards

Nigel


Re: Rulesemporium

2007-06-29 Thread Jerry Durand


On Jun 29, 2007, at 8:30 AM, -- [ UxBoD ] -- wrote:


Same here :(


He announces a new, super dandy spam killing plugin and you think he  
wouldn't get a DoS attack?


That's what happens when you do good work.  :(




Re: Rulesemporium

2007-06-29 Thread Nigel Frankcom
On Fri, 29 Jun 2007 08:38:48 -0700, Jerry Durand
[EMAIL PROTECTED] wrote:


On Jun 29, 2007, at 8:30 AM, -- [ UxBoD ] -- wrote:

 Same here :(

He announces a new, super dandy spam killing plugin and you think he  
wouldn't get a DoS attack?

That's what happens when you do good work.  :(



True - but there's more of us than there are of them. OK, we play
catch-up, but the user base is worldwide and there are some very, very
sharp people doing the hard work. I guess the best we can do is
support them however we can... unless we want to be inundated with
spam. Ha! - my stats for year to date run at 82 ish% spam. Since
that's spam stopped I reckon SA isn't doing too badly at all -
admittedly not as much gets through to SA - a lot is stopped by
various 'toys' my MTA has but SA still accounts for a hell of a lot.

Even so - life without SA?

McDonalds applications anyone? :-D

Kind regards

Nigel


Re: Rulesemporium

2007-06-29 Thread Yet Another Ninja

On 6/29/2007 5:38 PM, Jerry Durand wrote:


On Jun 29, 2007, at 8:30 AM, -- [ UxBoD ] -- wrote:


Same here :(


He announces a new, super dandy spam killing plugin and you think he 
wouldn't get a DoS attack?


That's what happens when you do good work.  :(




nah... he DOS'd himself

will be back in a few



Rulesemporium

2007-06-29 Thread Joe Zitnik
Is it having troubles again?  I'm having problems reaching the site.


Re: Rulesemporium

2007-06-29 Thread -- [ UxBoD ] --
Same here :(

On Fri, 29 Jun 2007 11:28:51 -0400, Joe Zitnik [EMAIL PROTECTED] wrote:
 Is it having troubles again?  I'm having problems reaching the site.
 
 --
 This message has been scanned for viruses and
 dangerous content by MailScanner, and is
 believed to be clean.
-- 
--[ UxBoD ]--
// PGP Key: curl -s https://www.splatnix.net/uxbod.asc | gpg --import
// Fingerprint: C759 8F52 1D17 B3C5 5854  36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED]





Re: Rulesemporium

2007-06-29 Thread Yet Another Ninja

On 6/29/2007 5:53 PM, Nigel Frankcom wrote:

On Fri, 29 Jun 2007 08:38:48 -0700, Jerry Durand
[EMAIL PROTECTED] wrote:


On Jun 29, 2007, at 8:30 AM, -- [ UxBoD ] -- wrote:


Same here :(
He announces a new, super dandy spam killing plugin and you think he  
wouldn't get a DoS attack?


That's what happens when you do good work.  :(




True - but there's more of us than there are of them. OK, we play
catch-up, but the user base is worldwide and there are some very, very
sharp people doing the hard work. I guess the best we can do is
support them however we can... unless we want to be inundated with
spam. 


Y'all press those Paypal buttons - every cent goes to hardware.



Re: Rulesemporium

2007-06-29 Thread Lindsay Haisley
On Fri, 2007-06-29 at 16:36 +0100, Nigel Frankcom wrote:
 Is it worth adding mirrors for the rules? I'm more than happy to do so
 and can probably rope in a few others.
 
 I should imagine a fair few others on list would be prepared to act as
 mirrors too.

It's worth mentioning that, as someone pointed out to me yesterday,
there's a mirroring service for SARE rules at
http://saupdates.openprotect.com, along with instructions on
incorporating these into sa-update, thus avoiding problems with
rules_du_jour altogether.

-- 
Lindsay Haisley       | Fighting against human | PGP public key
FMP Computer Services |   creativity is like   |  available at
512-259-1190          |   trying to eradicate  | http://pubkeys.fmp.com
http://www.fmp.com    |   dandelions           |
                      |     (Pamela Jones)     |




Re: Rulesemporium

2007-06-29 Thread Yet Another Ninja

On 6/29/2007 5:53 PM, Nigel Frankcom wrote:

On Fri, 29 Jun 2007 08:38:48 -0700, Jerry Durand
[EMAIL PROTECTED] wrote:


On Jun 29, 2007, at 8:30 AM, -- [ UxBoD ] -- wrote:


Same here :(
He announces a new, super dandy spam killing plugin and you think he  
wouldn't get a DoS attack?


That's what happens when you do good work.  :(




True - but there's more of us than there are of them. OK, we play
catch-up, but the user base is worldwide and there are some very, very
sharp people doing the hard work. I guess the best we can do is
support them however we can... unless we want to be inundated with
spam.




Re: Rulesemporium down?

2007-06-11 Thread Bill McGonigle

On Jun 9, 2007, at 12:19, Dallas Engelken wrote:

Rulesemporium.com will be coming back online at approximately 1800  
GMT.   Special thanks to Prolexic (http://www.prolexic.com) for the  
DDoS protection.


It looks like rules_du_jour had some trouble with the downtime:

  [2753] warn: config: failed to parse line, skipping: AUTOBAN: Over  
500 *.cf requests in 48 hours period - Check your CRON
  [2753] warn: config: failed to parse line, skipping: CONTACT:  
[EMAIL PROTECTED]


Questions this brings up:

  1) do systems get un-AUTOBAN'ned after a time interval or should I  
request a delisting of each?
  2) I see from the archives this was also a problem when the  
rulesemporium domain wasn't renewed last year - has anybody  
implemented auto back-off behavior for rules_du_jour?  It seems to be  
too aggressive in these cases.
  3) I didn't have a cronjob in to do updates ... would this be  
fired off when MailScanner instantiates a new child process and loads  
SpamAssassin?  That's the only thing I can think of that might have  
such a high frequency.

  4) is openprotect's channel generally considered better practice now?

Thanks,
-Bill

-
Bill McGonigle, Owner           Work: 603.667.4000
BFC Computing, LLC              Home: 603.448.1668
[EMAIL PROTECTED]               Cell: 603.252.2606
http://www.bfccomputing.com/    Page: 603.442.1833
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf
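
The auto back-off asked about in question 2 above, combined with a check that keeps a ban notice or an HTML page from being installed as a .cf file (the cause of the parse warnings quoted in the message). This is an added example, not part of the original message and not rules_du_jour code; the function names, the state-file format and the one-day base / one-week cap are assumptions.

```shell
#!/bin/sh
# Added sketch. Names, state-file layout and delay values are assumptions,
# not taken from rules_du_jour.

# classify_fetch FILE
# Returns 0 for a plausible ruleset, 1 empty/missing, 2 ban notice,
# 3 HTML page served in place of rules, 4 anything else.
classify_fetch() {
    f=$1
    [ -s "$f" ] || return 1
    # Ban text served instead of the ruleset (wording quoted in the message above)
    if grep -q '^AUTOBAN:' "$f"; then return 2; fi
    # A line that opens with an HTML tag: error page or refresh page
    if grep -qiE '^[[:space:]]*<(!doctype|html|head|meta|body)[ >]' "$f"; then
        return 3
    fi
    # Require at least one SpamAssassin rule directive
    if grep -qE '^[[:space:]]*(header|body|rawbody|uri|full|meta|score|describe)[[:space:]]' "$f"; then
        return 0
    fi
    return 4
}

# next_delay FAILS BASE MAX
# Prints BASE doubled once per previous failure, capped at MAX (seconds).
next_delay() {
    fails=$1; d=$2; max=$3; i=0
    while [ "$i" -lt "$fails" ] && [ "$d" -lt "$max" ]; do
        d=$((d * 2)); i=$((i + 1))
    done
    if [ "$d" -gt "$max" ]; then d=$max; fi
    echo "$d"
}

# install_or_back_off TMP DEST STATE NOW
# STATE holds "FAILS NOT_BEFORE_EPOCH". A good fetch is installed and the
# counter reset; a bad one is discarded, DEST is left untouched and the
# next permitted fetch time is pushed further out.
install_or_back_off() {
    tmp=$1; dest=$2; state=$3; now=$4
    fails=0
    if [ -f "$state" ]; then read -r fails rest < "$state"; fi
    rc=0
    classify_fetch "$tmp" || rc=$?
    if [ "$rc" -eq 0 ]; then
        mv "$tmp" "$dest"
        echo "0 $now" > "$state"
        return 0
    fi
    rm -f "$tmp"
    delay=$(next_delay "$fails" 86400 604800)   # 1 day base, 1 week cap
    echo "$((fails + 1)) $((now + delay))" > "$state"
    return "$rc"
}

# may_fetch STATE NOW
# Succeeds when no failure is recorded or NOW has reached NOT_BEFORE.
may_fetch() {
    if [ ! -f "$1" ]; then return 0; fi
    read -r skipped not_before < "$1"
    [ "$2" -ge "$not_before" ]
}
```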




Re: Rulesemporium down?

2007-06-11 Thread Yet Another Ninja

On 6/10/2007 11:23 PM, Bill McGonigle wrote:

On Jun 9, 2007, at 12:19, Dallas Engelken wrote:

Rulesemporium.com will be coming back online at approximately 1800 
GMT.   Special thanks to Prolexic (http://www.prolexic.com) for the 
DDoS protection.


It looks like rules_du_jour had some trouble with the downtime:

  [2753] warn: config: failed to parse line, skipping: AUTOBAN: Over 500 
*.cf requests in 48 hours period - Check your CRON
  [2753] warn: config: failed to parse line, skipping: CONTACT: 
[EMAIL PROTECTED]

Questions this brings up:

  1) do systems get un-AUTOBAN'ned after a time interval or should I 
request a delisting of each?
  2) I see from the archives this was also a problem when the 
rulesemporium domain wasn't renewed last year - has anybody implemented 
auto back-off behavior for rules_du_jour?  It seems to be too aggressive 
in these cases.
  3) I didn't have a cronjob in to do updates ... would this be fired 
off when MailScanner instantiates a new child process and loads 
SpamAssassin?  That's the only thing I can think of that might have such 
a high frequency.


Pls don't automate RDJ. atm there are no updates and when there are, they 
will be announced


banging rulesemporium.com just increases the load on the *DONATED* DDOS 
protection. PLEASE HELP keep the traffic down as much as possible.



  4) is openprotect's channel generally considered better practice now?


yes




Re: Rulesemporium down?

2007-06-09 Thread Dallas Engelken

Yet Another Ninja wrote:

On 6/7/2007 2:52 PM, Jake Vickers wrote:

Steven Stern wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

My systems all were unable to connect for their daily RDJ update
yesterday.  I time out trying to reach http://rulesemporium.com.  Does
anyone know what's happening?
- --
  

Same issue here. 404 errors.


Pls Disable all RDJ till further notice...



Rulesemporium.com will be coming back online at approximately 1800 
GMT.   Special thanks to Prolexic (http://www.prolexic.com) for the DDoS 
protection.


--
Dallas Engelken
[EMAIL PROTECTED]
http://uribl.com



Re: Rulesemporium down?

2007-06-09 Thread Jerry Durand

At 09:19 AM 6/9/2007, Dallas Engelken wrote:

Rulesemporium.com will be coming back online at approximately 1800 
GMT.   Special thanks to Prolexic (http://www.prolexic.com) for the 
DDoS protection.



Great news and good work!  I assume we can re-enable sa-update for 
tonight's run.


Thanks for keeping this running.



--
Jerry Durand, Durand Interstellar, Inc.  www.interstellar.com
tel: +1 408 356-3886, USA toll free: 1 866 356-3886
Skype:  jerrydurand



Re: Rulesemporium down?

2007-06-09 Thread Gene Heskett
On Saturday 09 June 2007, Jerry Durand wrote:
At 09:19 AM 6/9/2007, Dallas Engelken wrote:
Rulesemporium.com will be coming back online at approximately 1800
GMT.   Special thanks to Prolexic (http://www.prolexic.com) for the
DDoS protection.

Great news and good work!  I assume we can re-enable sa-update for
tonight's run.

Thanks for keeping this running.

Oh oh, I wasn't aware we were supposed to disable that too, so mine has been 
contributing to the noise.  My apologies.

-- 
Cheers, Gene
There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order.
-Ed Howdershelt (Author)
Anybody want a binary telemetry frame editor written in Perl?
 -- Larry Wall in [EMAIL PROTECTED]


Re: Rulesemporium down?

2007-06-09 Thread Yet Another Ninja

On 6/9/2007 6:50 PM, Jerry Durand wrote:

At 09:19 AM 6/9/2007, Dallas Engelken wrote:

Rulesemporium.com will be coming back online at approximately 1800 
GMT.   Special thanks to Prolexic (http://www.prolexic.com) for the 
DDoS protection.



Great news and good work!  I assume we can re-enable sa-update for 
tonight's run.


Thanks for keeping this running.



Guys

There's really no need to automate RDJ

SARE rules aren't being updated too frequently and any rule change will 
be announced on the list.


Each RDJ empty hit adds to traffic, which, atm , is a precious luxury.

Pls be considerate and help SARE keep the site alive.

Thanks

SARE  Co.



Re: Rulesemporium down?

2007-06-09 Thread Dallas Engelken

Yet Another Ninja wrote:

On 6/9/2007 6:50 PM, Jerry Durand wrote:

At 09:19 AM 6/9/2007, Dallas Engelken wrote:

Rulesemporium.com will be coming back online at approximately 1800 
GMT.   Special thanks to Prolexic (http://www.prolexic.com) for the 
DDoS protection.



Great news and good work!  I assume we can re-enable sa-update for 
tonight's run.


Thanks for keeping this running.



Guys

There's really no need to automate RDJ

SARE rules aren't being updated too frequently and any rule change 
will be announced on the list.


Each RDJ empty hit adds to traffic, which, atm , is a precious luxury.

Pls be considerate and help SARE keep the site alive.



Prolexic will be providing proper caching of the rules shortly, so this 
shouldn't be much of an issue going forward.   As long as people would 
keep their automation at 1-2 times a day,  it's cool.


--
Dallas Engelken
[EMAIL PROTECTED]
http://uribl.com



Re: Rulesemporium down?

2007-06-09 Thread Dallas Engelken

Jerry Durand wrote:

At 09:19 AM 6/9/2007, Dallas Engelken wrote:

Rulesemporium.com will be coming back online at approximately 1800 
GMT.   Special thanks to Prolexic (http://www.prolexic.com) for the 
DDoS protection.



Great news and good work!  I assume we can re-enable sa-update for 
tonight's run.


Thanks for keeping this running.





Yes, I just verified http://www.rulesemporium.com/rules/ is serving data 
now.


--
Dallas Engelken
[EMAIL PROTECTED]
http://uribl.com



Re: Rulesemporium down?

2007-06-09 Thread Gene Heskett
On Saturday 09 June 2007, Dallas Engelken wrote:
Yet Another Ninja wrote:
 On 6/9/2007 6:50 PM, Jerry Durand wrote:
 At 09:19 AM 6/9/2007, Dallas Engelken wrote:
 Rulesemporium.com will be coming back online at approximately 1800
 GMT.   Special thanks to Prolexic (http://www.prolexic.com) for the
 DDoS protection.

 Great news and good work!  I assume we can re-enable sa-update for
 tonight's run.

 Thanks for keeping this running.

 Guys

 There's really no need to automate RDJ

 SARE rules aren't being updated too frequently and any rule change
 will be announced on the list.

 Each RDJ empty hit adds to traffic, which, atm , is a precious luxury.

 Pls be considerate and help SARE keep the site alive.

Prolexic will be providing proper caching of the rules shortly, so this
shouldn't be much of an issue going forward.   As long as people would
keep their automation at 1-2 times a day,  it's cool.

And I've moved my sa-update script from /etc/cron.daily, to /etc/cron.weekly, 
plus added a day field valid number to the crontab that runs rdj that is not 
sunday.

I hope this helps.  If everyone did this, your load should go down quite a 
bit.  I really appreciate the service and I thank this group very much.  
Between this and some really aggressive procmail rules, I'm getting only 2 to 
4 trash messages a day squeaking through.

-- 
Cheers, Gene
There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order.
-Ed Howdershelt (Author)
Things are more like they used to be than they are now.


Re: Rulesemporium down?

2007-06-09 Thread arni

Gene Heskett schrieb:

On Saturday 09 June 2007, Dallas Engelken wrote:
  

Yet Another Ninja wrote:


On 6/9/2007 6:50 PM, Jerry Durand wrote:
  

At 09:19 AM 6/9/2007, Dallas Engelken wrote:


Rulesemporium.com will be coming back online at approximately 1800
GMT.   Special thanks to Prolexic (http://www.prolexic.com) for the
DDoS protection.
  

Great news and good work!  I assume we can re-enable sa-update for
tonight's run.

Thanks for keeping this running.


Guys

There's really no need to automate RDJ

SARE rules aren't being updated too frequently and any rule change
will be announced on the list.

Each RDJ empty hit adds to traffic, which, atm , is a precious luxury.

Pls be considerate and help SARE keep the site alive.
  

Prolexic will be providing proper caching of the rules shortly, so this
shouldn't be much of an issue going forward.   As long as people would
keep their automation at 1-2 times a day,  it's cool.



And I've moved my sa-update script from /etc/cron.daily, to /etc/cron.weekly, 
plus added a day field valid number to the crontab that runs rdj that is not 
sunday.


I hope this helps.  If everyone did this, your load should go down quite a 
bit.  I really appreciate the service and I thank this group very much.  
Between this and some really aggressive procmail rules, I'm getting only 2 to 
4 trash messages a day squeaking through.


  
http://saupdates.openprotect.com/ is made for automation - sa-update is 
also more efficient for empty hits


Rulesemporium down?

2007-06-07 Thread Steven Stern
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

My systems all were unable to connect for their daily RDJ update
yesterday.  I time out trying to reach http://rulesemporium.com.  Does
anyone know what's happening?
- --

  Steve


Re: Rulesemporium down?

2007-06-07 Thread Daniel J McDonald
On Thu, 2007-06-07 at 07:28 -0500, Steven Stern wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 My systems all were unable to connect for their daily RDJ update
 yesterday.  I time out trying to reach http://rulesemporium.com.  Does
 anyone know what's happening?

Apparently a DDOS attack.

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


Re: Rulesemporium down?

2007-06-07 Thread Jake Vickers

Steven Stern wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

My systems all were unable to connect for their daily RDJ update
yesterday.  I time out trying to reach http://rulesemporium.com.  Does
anyone know what's happening?
- --
  

Same issue here. 404 errors.




Re: Rulesemporium down?

2007-06-07 Thread Yet Another Ninja

On 6/7/2007 2:52 PM, Jake Vickers wrote:

Steven Stern wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

My systems all were unable to connect for their daily RDJ update
yesterday.  I time out trying to reach http://rulesemporium.com.  Does
anyone know what's happening?
- --
  

Same issue here. 404 errors.


Pls Disable all RDJ till further notice...

Thx



RE: rulesemporium

2006-11-13 Thread Larry Rosenman
jp wrote:
 Does anyone know how to get the replacements for the 88_FVGT* rules?
 I was trying to update them and the ones at www.rulesemporium.com
 refer to a new numbering system that starts with 00_FVGT. Those files
 don't exist. Rulesemporium is the master site for the the files
 according to the comments in the top of the cf files.
 
 These new smiley subject suffixed spams seem to be picked up by those
 rules, so I am getting them as up to date as possible. 
 
 Thanks,
 Jason

I'm using the following with sa-update:
88_fvgt_body.cf.sare.sa-update.dostech.net
88_fvgt_rawbody.cf.sare.sa-update.dostech.net
88_fvgt_subject.cf.sare.sa-update.dostech.net
88_fvgt_headers.cf.sare.sa-update.dostech.net
88_fvgt_uri.cf.sare.sa-update.dostech.net

(Along with a bunch of others).

VERY effective set that I have now.



-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893



RE: Rulesemporium rules

2006-10-11 Thread Chris Santerre

 -Original Message-
 From: Duncan Findlay [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, October 11, 2006 1:38 AM
 To: Dan Horne
 Cc: users@spamassassin.apache.org
 Subject: Re: Rulesemporium rules
 
 
 On Tue, Oct 10, 2006 at 04:43:58PM -0400, Dan Horne wrote:
   10) Making top ten lists. 
 
  Hilarious. Can I subscribe to those top ten lists with RDJ?
 
 Are they going to be licensed with the Apache license?
 
 /me ducks


LOL, well played sir! Well played! :) 


--Chris 





Rulesemporium rules

2006-10-10 Thread Joe Zitnik
Just out of curiosity, is there a reason why the updates on the
rulesemporium rules have dropped so drastically lately?  I understand
that the authors all have other things to do, and I am EXTREMELY
GRATEFUL for all their hard work.  I was just wondering if there were
any other reasons.


RE: Rulesemporium rules

2006-10-10 Thread Chris Santerre

 -Original Message-
 From: Joe Zitnik [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, October 10, 2006 1:39 PM
 To: users@spamassassin.apache.org
 Subject: Rulesemporium rules
 
 
 Just out of curiosity, is there a reason why the updates on the
 rulesemporium rules have dropped so drastically lately? I understand
 that the authors all have other things to do, and I am EXTREMELY
 GRATEFUL for all their hard work. I was just wondering if there were
 any other reasons.


Many possible reasons:


1) I was pulling some ticks off my Siberian Husky.
2) Ninja Convention?
3) Hockey Season Started
4) Halloween costumes don't make themselves!
5) We're waiting for the Yankees head coach to be fired.
6) The Vista Beta is so secure it won't let us in our own machines!
7) We have not yet closed all the gates to Oblivion!
8) Apple Pickin!
9) 1 beer turned out to be 10!
10) Making top ten lists. 


Thanks,


Chris Santerre
SysAdmin and Spamfighter
www.rulesemporium.com
www.uribl.com








RE: Rulesemporium rules

2006-10-10 Thread Joe Zitnik
A simple no would have sufficed.

 On 10/10/2006 at 4:25 PM, Chris Santerre [EMAIL PROTECTED] wrote:

 
 -Original Message-
 From: Joe Zitnik [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, October 10, 2006 1:39 PM
 To: users@spamassassin.apache.org 
 Subject: Rulesemporium rules
 
 
 Just out of curiosity, is there a reason why the updates on the
 rulesemporium rules have dropped so drastically lately?  I understand
 that the authors all have other things to do, and I am EXTREMELY
 GRATEFUL for all their hard work.  I was just wondering if there were
 any other reasons.
 
 Many possible reasons:
 
 1) I was pulling some ticks off my Siberian Husky.
 2) Ninja Convention?
 3) Hockey Season Started
 4) Halloween costumes don't make themselves!
 5) We're waiting for the Yankees head coach to be fired.
 6) The Vista Beta is so secure it won't let us in our own machines!
 7) We have not yet closed all the gates to Oblivion!
 8) Apple Pickin!
 9) 1 beer turned out to be 10!
 10) Making top ten lists. 
 
 Thanks,
 
 Chris Santerre
 SysAdmin and Spamfighter
 www.rulesemporium.com 
 www.uribl.com


Re: Rulesemporium rules

2006-10-10 Thread Michele Neylon:: Blacknight.ie
Joe Zitnik wrote:
 A simple no would have sufficed.

It wouldn't have been as amusing though :)


-- 
Mr Michele Neylon
Blacknight Solutions
Quality Business Hosting & Colocation
http://www.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 59  9164239


RE: Rulesemporium rules

2006-10-10 Thread Chris Santerre
 
 
 Joe Zitnik wrote:
  A simple no would have sufficed.
 
 It wouldn't have been as amusing though :)


LOL, Joe don't get upset. You obviously haven't seen enough of my posts to know what I'm like. :) 


We have been testing new stuff all the time. There just isn't much new to go on. I'm working on a set, but $dayjob is keeping me a bit busy. But rest assured that the SARE people are always testing new ideas. 

--Chris





RE: Rulesemporium rules

2006-10-10 Thread Dan Horne
  10) Making top ten lists. 

Hilarious.  Can I subscribe to those top ten lists with RDJ?





Re: Rulesemporium rules

2006-10-10 Thread DAve

Joe Zitnik wrote:

A simple no would have sufficed.


But I so enjoyed the answer. What was the question again?

DAve




On 10/10/2006 at 4:25 PM, Chris Santerre [EMAIL PROTECTED] wrote:


-Original Message-
From: Joe Zitnik [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 10, 2006 1:39 PM
To: users@spamassassin.apache.org 
Subject: Rulesemporium rules



Just out of curiosity, is there a reason why the updates on the
rulesemporium rules have dropped so drastically lately?  I understand
that the authors all have other things to do, and I am EXTREMELY
GRATEFUL for all their hard work.  I was just wondering if there were
any other reasons.

Many possible reasons:

1) I was pulling some ticks off my Siberian Husky.
2) Ninja Convention?
3) Hockey Season Started
4) Halloween costumes don't make themselves!
5) We're waiting for the Yankees head coach to be fired.
6) The Vista Beta is so secure it won't let us in our own machines!
7) We have not yet closed all the gates to Oblivion!
8) Apple Pickin!
9) 1 beer turned out to be 10!
10) Making top ten lists. 


Thanks,

Chris Santerre
SysAdmin and Spamfighter
www.rulesemporium.com 
www.uribl.com






--
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?

Maybe they forgot who made that choice possible.


Re: Rulesemporium rules

2006-10-10 Thread Loren Wilton

Just out of curiosity, is there a reason why the updates on the
rulesemporium rules have dropped so drastically lately?  I understand
that the authors all have other things to do, and I am EXTREMELY
GRATEFUL for all their hard work.  I was just wondering if there were
any other reasons.


Nope, that's the reason.  Bob was doing most of the updates and has the 
biggest masscheck corpus and automated scoring tools.  He was doing most of 
the rule testing/merging/releasing.  Unfortunately his $dayjob is now also 
eating virtually all of his time day and night, so he rarely gets time to do 
anything but work and sleep.


The rest of us have also had similar problems, with work overcoming any 
useful part of our lives.  A couple of us are still managing to update the 
stock rules.  Which fortunately is one of the most active spam areas.


Hopefully life will calm down in a while and we will be able to get time 
to do some useful stuff again.


   Loren


