Re: Kremen's Buddy?

2006-09-12 Thread Adi Linden
> Once this subject took off on nanog, I have been oversaturated with people > trying to "sell" me ip space. I have had offers for several /16's for > 10,000.00 each that are no longer in use by the companies who "own" lol > them. I want to say to those people that made those offers to me

Re: OT? /dev/null 5.1.1 email

2005-07-05 Thread Adi Linden
> The first one goes up and down more than it probably should. :-) Make your secondary mx aware of all the valid recipient addresses. Adi

Re: BCP regarding TOS transparancy for internet traffic

2005-05-26 Thread Adi Linden
> Overwriting the tos flags is not "best effort", it is "degraded service" So how do you propose to control the use of TOS flags within a network? If I have an application that receives specific treatment because of its TOS flags, I need to prevent non-compliant traffic from using this TOS flag a

Re: Schneier: ISPs should bear security burden

2005-04-28 Thread Adi Linden
> And what about garbage pouring out of RJ-11 sockets? Hmmm... so because we have garbage coming out of the RJ-11 we might as well have garbage coming out of the RJ-45, too? 4 wires vs. 8 wires, twice the garbage out of the RJ-45. > So I do I obtain your permission to send you a packet? By repl

Re: Schneier: ISPs should bear security burden

2005-04-28 Thread Adi Linden
> And how exactly does that translate to the online world? It doesn't. There is none or very little punishment for lawlessness and misbehaviour in the online world. > Despite the safety and environmental regulations and the fact that > you have to have a driver's license and insurance (at least

Re: Schneier: ISPs should bear security burden

2005-04-28 Thread Adi Linden
> Its not up to the ISP to determine outbound malicious traffic, but its up > to the ISP to respond in a timely manner to complaints. Many (most?) do not. If they did their support costs would explode. It is block the customer, educate the customer why they were blocked, exterminate the customers

Re: Schneier: ISPs should bear security burden

2005-04-28 Thread Adi Linden
> As somebody who picked a DSL provider specifically because it allows me to > run any kind of server I want, I'm not highly in favor of blocking > traffic from broadband users and killing the end-to-end principle that > makes the Internet work, When I sign up for an internet account, does the fi

Re: Schneier: ISPs should bear security burden

2005-04-28 Thread Adi Linden
> Hey, if you've got customers willing to shell out for that, then more > power to you. However, I'm not (and won't be) one of those customers. > I'm willing to take responsibility for protecting my systems and choosing > what traffic I do and don't want. I don't want someone else doing it > for

Re: Vonage Hits ISP Resistance

2005-04-01 Thread Adi Linden
> Frankly, I'm fine with 911 not working on VoIP lines; I have a cell phone > for that when needed. Now that I think about it, I'm not sure I've ever > actually dialed 911 from a land line. You're lying on the floor incapacitated and in agony, suffering from some acute and life threatening medic

Re: potpourri (Re: Clearwire May Block VoIP Competitors )

2005-04-01 Thread Adi Linden
> Personally, I'm quite glad for government regulations > regarding food safety, home inspection, and lots of > other things which are safety related. There are > other restrictions which I'm not thrilled about, but I > have yet to hear a compelling reason (which does not > inherently boil down t

Re: Clearwire May Block VoIP Competitors

2005-03-26 Thread Adi Linden
On Sat, 26 Mar 2005, Eric Gauthier wrote: > Hrm... Isn't a VoIP call relatively low bandwidth? I haven't studied > this, but Vonage's site seems to imply that the maximum data rate is 90Kbps > (http://www.vonage.com/help_knowledgeBase_article.php?article=190). I > typically see speeds greater th

Re: US slaps fine on company blocking VoIP

2005-03-07 Thread Adi Linden
> If VOIP doesn't run on your network because you've oversold your capacity, > no amount of QoS is going to put the quality back into your service. > People will find better ISPs. If you deliberately set QoS to favor your > services over a competitor, whom your customers are also paying for > serv

Re: US slaps fine on company blocking VoIP

2005-03-04 Thread Adi Linden
So who's going to be the IP cop that decided which actions are anti-competitive and which actions are 'customer care'? How many service providers oversubscribe their internet feed. Just because the advertisement says 384k upstream and 2Mbps downstream doesn't mean this is a guaranteed rate availa

Re: More on Vonage service disruptions...

2005-03-03 Thread Adi Linden
> When that happens, if VOIP access to 911/112 is still problematic, we > can expect standards for it to be mandated by governments - and they > WILL do it - there is nothing politicians hate more than an avoidable > fatality where the blame can be attributed to their failure to act. So what is l

Re: More on Vonage service disruptions...

2005-03-02 Thread Adi Linden
> Actually, anticompetitive, and restraint-of-trade come in as better > arguments. They go along with blocking port 587/110, keeping users from > getting at legitimate, well-run remote mail servers. The end user paid for > packet service, and the Internet generally permits any protocol to be run.

Re: Vonage complains about VoIP-blocking

2005-02-15 Thread Adi Linden
> > > On Tue, Feb 15, 2005 at 11:53:59AM -0600, Adi Linden wrote: > > >> How is this any different than blocking port 25 or managing the bandwidth > > >> certain applications use. > > Something else to consider. We block TFTP at our border for secur

Re: Vonage complains about VoIP-blocking

2005-02-15 Thread Adi Linden
> http://advancedippipeline.com/60400413 > > The FCC is investigating -- it's not even clear if it's illegal to do > that. How is this any different than blocking port 25 or managing the bandwidth certain applications use. Adi

Re: Time to check the rate limits on your mail servers

2005-02-05 Thread Adi Linden
> Please explain how the "trust chain" does not verify the sending user. > "Malware will steal username/password" is not a valid answer, as the > same can apply equally to crypto keys. Now that we have established a "trust chain" and verify the sending user we have an easy way (shuffling through m

Re: Time to check the rate limits on your mail servers

2005-02-05 Thread Adi Linden
> > You should know all your users email addresses. > > You have got to be kidding. Not kidding. I have a mail system that handles mail for the example.com domain. I use SMTP AUTH as the only means to relay through the server. My expectation from my customers is that they will utilize this mail

Re: Time to check the rate limits on your mail servers

2005-02-03 Thread Adi Linden
> > How about using SMTP AUTH and verifying the envelope MAIL FROM to match > > the actual user authenticating? > > that doesn't work if you have more than one email address. You should know all your users email addresses. It shouldn't be too difficult to match the 'mail from' address with the us

Re: Time to check the rate limits on your mail servers

2005-02-03 Thread Adi Linden
> > How about using SMTP AUTH and verifying the envelope MAIL FROM to match > > the actual user authenticating? This will make SPAM traceable and > > hopefully ultimately users aware that their PC is sending junk. > > Ouch .. Then spammers may start using a From: matching the SMTP auth > user, an

Re: Time to check the rate limits on your mail servers

2005-02-03 Thread Adi Linden
How about using SMTP AUTH and verifying the envelope MAIL FROM to match the actual user authenticating? This will make SPAM traceable and hopefully ultimately users aware that their PC is sending junk. Adi

Re: Time to check the rate limits on your mail servers

2005-02-03 Thread Adi Linden
> > How come it is always about controlling the symptoms and not the > > illness? > > > The illness is the user. That is uncontrollable. A product that doesn't work as advertised has much to do with it as well. Adi

Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of "anonymity" when domain exists, whois not updated yet)

2005-01-12 Thread Adi Linden
> 0) for the love of God, Montresor, just block port 25 outbound already. What is wrong with dedicating port 25 to server to server communication with some means of authentication (DNS?) to ensure that it is indeed a valid mail server. Mail clients should be using port 587 to submit messages to t

ASN and Peering Problem

2004-12-08 Thread Adi Linden
We currently have two /19 that we advertise on a single ASN. A client would like to obtain /23 or /22 from us. This is not a problem, except that their primary internet provider is someone else, other than us. I think that they would need to have their own ASN to advertise their portion of our ip

Re: who gets a /32 [Re: IPV6 renumbering painless?]

2004-11-19 Thread Adi Linden
> > Locally-generated ULAs meet a need, like RFC 1918, that the RIRs will > > never (and probably should never) meet -- cost-free and paperwork-free > > addresses. Local ULAs also have the benefit that it's easy to explain to > > customers why ISPs won't route them, which has been cited as a probl

Re: Important IPv6 Policy Issue -- Your Input Requested

2004-11-15 Thread Adi Linden
> > About half of the devices within my on private network are statically > > defined and for local use only. They will never need global access. > > Because they are awkward to configure I do not want to renumber, ever. > > My > > solution is to use RFC1918 address space for this network. > > Use

Re: Important IPv6 Policy Issue -- Your Input Requested

2004-11-11 Thread Adi Linden
> > There are a number of good and reasonable uses for RFC1918 addresses. Just > > assume a individual/business/corporate LAN with client/server applications > > and statically configured ip numbering. RFC1918 addresses are perfect. NAT > > allows this network to be connected through any provider(

Re: Important IPv6 Policy Issue -- Your Input Requested

2004-11-08 Thread Adi Linden
> I don't know of any applications that require RFC1918 addresses to be > deployed. (Clearly, this is not to say there are none.) There are a number of good and reasonable uses for RFC1918 addresses. Just assume a individual/business/corporate LAN with client/server applications and statically co

Equipment Shelter with Backup Generator

2004-09-17 Thread Adi Linden
I am looking for ideas/suppliers for placing network equipment and satellite earth station equipment in remote locations. There are no suitable facilities to colocate but single phase power is available. Any ideas where to find a secure steel clad building, that fits a couple of racks, has environm

Re: "Default" Internet Service

2004-06-14 Thread Adi Linden
> It's not crap. Infected machines are no more the fault of the internet than > junkmail in your mailbox is the fault of the post office. There's literally > no difference to the model. The post office delivers mail that is addressed > to you. They don't care if it's junk mail or not. They de

Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-13 Thread Adi Linden
> > And that is a problem. Unlike your electricity, where the supplier has an > > obligation to provide a certain level of clean energy, there is nothing > > like it with internet bandwidth. All the crud and exploits are dutifully > > forwarded to the customer. > > > Clean internet service is inte

Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-13 Thread Adi Linden
> > My arguments are in respect to broadband connections to homes and offices > > without IT department, firewalls or cluefulness. If you own your own IP > > space you'd be considered an ISP, buying transit rather than broadband > > home DSL. What the physical wire looks like the service is delive

Re: Points on your Internet driver's license

2004-06-13 Thread Adi Linden
> So, who's checking these local LAN's to make sure they don't melt or > burst into flame once hooked up? Who's checking that no evil packets are sent to the LAN that cause it to go up in flames? Adi

Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-13 Thread Adi Linden
> > The reason this isn't economical today is because ISP lack any > > responsibility. It is cheaper for an ISP to buy more bandwidth and pass the > > worms and viruses customers PCs spew to the internet than it is to deal > > with the problem. Seriously, if I send an ISP reasonable proof that a

Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-13 Thread Adi Linden
> Sorry, that doesn't hold up entirely. My ADSL connections to my ISP are > being used to route IP addresses that belong to me. It's a home DSL > service coming into my house, but, I have my own portable address space > and enough clue to manage my own systems, firewall(s), etc. Why should

Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-13 Thread Adi Linden
> The better analogy is what happens when you leave your oven on for 8 days > straight? Assuming your house doesn't burn down, should you have to pay the > electric bill for those 8 days? Hell yeah. It's impossible to separate what > was "legit" energy use and what was from the oven, and it's n

Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-12 Thread Adi Linden
> If we would properly follow the analogy above, ISPs should provide a > "security fuse" which would disconnect the user when blown. Paul called > this "cyberjail" if I follow his thoughts. All efforts above this should > be charged separately or be part of "better general level of service". >

Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-12 Thread Adi Linden
> That's like saying provide safe electricity. If someone has a toaster where > the wire cracks and they electrocute themselves, or a hair dryer that isn't > safe in the bathtub, do you complain that the electric company should > provide safe electricity? The problem with all the comparisons is

Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-12 Thread Adi Linden
> The problem with this is one of who pays for it. The customer. > You are talking about an environment where the newcomers and non-experts > require significantly more intervention in how things are done and what they > can do than the more experienced hands. I am talking about an environmen

Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-12 Thread Adi Linden
> Been there, done that. Got any new ideas? Provide a safe network connection. I believe an ISP should provide a safe environment to play, assuming the customer is innocent granny. Your average DSL network connection should be safe by default, so a default Win98 (or any other OS) can be conne

Re: Points on your Internet driver's license (was RE: Even you can be hacked)

2004-06-11 Thread Adi Linden
> If your child borrows your credit card, and makes lots of unauthorized > charges, you may not have to pay more than $50; but the bank can go after > your son or daughter for the money. Most parents end up paying, even if > they didn't authorize their children to use the credit card. So the cred

RE: Even you can be hacked

2004-06-11 Thread Adi Linden
This thread is quite amusing and interesting at the same time. If I read the original post right, Mr. Mike Bierstock was informed that he was generating an unusual amount of traffic, traffic he would have to pay for. He got the bill and had to deal with the consequences. What is wrong with tha

Addresses for latest spam

2004-06-08 Thread Adi Linden
Does anyone know how the latest email worms assemble the email addresses they use? I am getting a large amount of junk destined for non-existent (never existent) email accounts. So the address cannot be taken from the various address books on the compromised PC's. Adi

Re: The Uneducated Enduser (Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT))

2004-04-20 Thread Adi Linden
> As for the specifics of your comments, I could not disagree more, but it > is a philosophy of life that distinguishes our views, not the analysis of > the problem. I believe (like a lot of other New Englanders and even > some from California) that people must assume responsibility for their >

The Uneducated Enduser (Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT))

2004-04-20 Thread Adi Linden
> >Think globally. Even though this forum has NA as its heading, we need to > >think globally when suggesting solutions. You'll never get any sort of > >licensing globally nor will you EVER get end users (globally) educated > >enough to stop doing the things that they do which allow these events

Mail to postmaster

2004-03-26 Thread Adi Linden
I am looking for insight on how to handle mail addressed to postmaster. I guess a human being is supposed to read these? Some months ago mail to postmaster went from nearly zero to 10,000 a day in a very short time (hours). Ever since then postmaster email has been filed in /dev/null. These da

Re: Redirecting mail (Re: Throttling mail)

2004-03-25 Thread Adi Linden
> Forcing it through a server doesn't automagically add the ability to throttle > abusive behavior. It's merely the obvious sledgehammer fix. It's a means to deal with smtp traffic. > Now consider a router that's instrumented to collect flow data, feeding a > real-time system that throttles th

Re: Redirecting mail (Re: Throttling mail)

2004-03-25 Thread Adi Linden
> When you get bored fighting the fire with a leaking bucket of water, > technology exists that automates detection, redirection, posting > information to the end users and eventually re-enabling the subscribers > without any manual intervention. Makes days significantly less dull, but > I mig

Re: Redirecting mail (Re: Throttling mail)

2004-03-25 Thread Adi Linden
> On the other hand, it's probably more effective to find some way of making the > Cisco gear block outbound 25 from abusive machines. Transparently redirecting > the traffic is evil unless you plan to take all responsibility for relaying the > mail (including mail that has MAIL FROM/RCPT TO that

Redirecting mail (Re: Throttling mail)

2004-03-25 Thread Adi Linden
Thank you for all the information. It gives me a few choices to mull over. Right now the single largest issue is compromised PCs that are abused for sending SPAM and also send viruses. I am seriously considering the idea of forcing all smtp traffic through a mail relay of some sort. The newes

Throttling mail

2004-03-25 Thread Adi Linden
Does anyone have any resources on building a mail relay that would limit the amount of email a single user or ip address can relay over a given time period? I have a spam/virus problem that is getting out of hand. Adi

Re: Cisco's Website down?

2004-03-15 Thread Adi Linden
> Anyone else seeing an error getting to www.cisco.com? Maybe I missed to renew a service contract? They don't like me either. Adi

Re: SMTP authentication for broadband providers

2004-02-10 Thread Adi Linden
> We're a medium sized regional MSO/broadband provider with 200k+ > mailboxes, strongly considering enabling SMTP authentication on our > customer-facing SMTP mail servers. We're relying exclusively on SMTP AUTH for SMTP relaying. The single biggest issue is that it requires ongoing user educa

Re: Dumb users spread viruses

2004-02-08 Thread Adi Linden
> There is nothing wrong with a user who thinks they should not have to know > how to protect their computer from virus infections. Thank you, you made my day! Now I know that my judgement isn't clouded by the severe chest cold I am suffering from. Adi

RE: Stopping open proxies and open relays

2004-02-06 Thread Adi Linden
> If stricter laws on computers forced even 50% of people to start caring a > little more, wouldn't that be progress? The day a couple of grandmothers get > taken away in handcuffs because a script kiddie took up residence in her > computer is the day a few people will wake up to the fact that com

Re: Stopping open proxies and open relays

2004-02-06 Thread Adi Linden
> Not to be argumentative, but by that logic, I guess it is okay to drive my > 1948 Ford which doesn't have brakes if I don't have the cash to fix it. This is a matter of opinion. While this was my initial first thought, I can't agree with it. An old PC is by no means a threat to others. The i

Re: Stopping open proxies and open relays

2004-02-06 Thread Adi Linden
> > There are valid reasons not to run antivirus software, > > And they are? P90w/32MB running Win95 used for email only... or insufficient finances to purchase anti virus software... to name a couple. Adi

Stopping open proxies and open relays

2004-02-06 Thread Adi Linden
I am looking for ideas to stop the spam created by compromised Windows PC's. This is not about the various worms and viruses replicating but these boxes acting as open relays or open proxies. There are valid reasons not to run antivirus software, coupled with clueless users, this results in ma

Re: antivirus in smtp, good or bad?

2004-02-03 Thread Adi Linden
> I think we have all agreed in previous threads that if a mail anti virus > scanner does not know how to differentiate between a virus that spoofs > the sender and one that doesnt, it should silently discard all virus > infected email -- OR notify the local administrator/user at their > choos

Re: Does your Certifying Authority have a clue who you are? Do they care?

2003-12-05 Thread Adi Linden
> So what does the PKI actually buy you that using a throwaway self-signed cert > doesn't provide? No popup box on the browser asking to accept the certificate. Adi

Re: Does your Certifying Authority have a clue who you are? Do they care?

2003-12-05 Thread Adi Linden
While the ssl certificate is meant to verify the owner's identity, as a consumer I would never trust a ssl certificate for that purpose. It does provide a reasonable effort to keep information between me and the server confidential. That's worth something, I guess. Adi

Re: Firewall stateful handling of ICMP packets

2003-12-04 Thread Adi Linden
> If ISPs charged customers $0.01/email message, would it cure spam or > would the spammers just continue to use third-party victims to spam and > there would be lots of news stories about grandmothers and orphans getting > huge ISP bills? IANAL, but many spammers are already breaking a law b

Re: Firewall stateful handling of ICMP packets

2003-12-03 Thread Adi Linden
The problem with ICMP is that it is ICMP today. What will it be tomorrow? It'll always be putting out fires, controlling packet floods matching whatever signature. One solution is to get away from unlimited bandwidth. Once there is a cost associated to having a PC source Nachi or Welchi traffic, c

Re: AOL rejecting mail from IP's w/o reverse DNS ?

2003-12-03 Thread Adi Linden
> AOL says the PTR record needs to be assigned. It doesn't specify it > has to match the @domain.com in the MAIL FROM: header. Wouldn't it be > enough to make sure every IP address you announce has a PTR and > matching A record? Hasn't this been a requirement for MANY services > for MANY ye

Quarantaine network for infected hosts?

2003-12-01 Thread Adi Linden
Reading about the various ways universities deal with ill behaved client PCs, is there documentation on how to quarantine devices on a network? Adi

Port 41170 traffic

2003-11-23 Thread Adi Linden
Anyone has any idea what is carried on tcp and udp port 41170? Adi

Email security issues

2003-11-10 Thread Adi Linden
Hi, Is there a place to discuss and find solutions for email related security issues? I've just received a nice email from my banker (ok, it claims to be from my banker) asking me to visit my banks website and confirm my email address. This email is by far the most convincing piece of fraud

Re: Navy Marine Corps Internet hit

2003-08-19 Thread Adi Linden
> > Obviously they didn't filter 135, 137-139, 445, and inbound > > Not obvious. I know of several sites that were infected even though they > had filters in place, due to infected laptops being brought on-site. Filtering ports 135, 137-139, 445, and only delays the inevitable...

RE: Microsoft to ship new versions with firewall enabled

2003-08-14 Thread Adi Linden
> However the new microsoft policy will help protect the network from Joe > and Jane average who buy a PC from the closest "big box" store and hook it > up to their cable modem so they can exchange pictures of the kids with the > grandparents in Fla. This is the class of users who botnet builders

RE: Blocking port 135?

2003-08-01 Thread Adi Linden
> Absolutely. All of the NetBIOS ports: 135, 137, 138, 139, 445. Ports 137, 138, 139, 445 have been blocked for a long time. But port 135 wasn't until today... Thanks! Adi

Blocking port 135?

2003-08-01 Thread Adi Linden
http://www.cert.org/advisories/CA-2003-19.html Would blocking port 135 at the network edge be a prudent preventative measure?

Re: Over three million computers 0wned?

2003-06-30 Thread Adi Linden
> The unanswered question is what should be considered reasonable? And > how much of a burden should the end-user carry? Plugging into the network is like owning a house. You're at the edge of a public network, whether it be a road or a wire. Just as you lock your front door, there needs to be