Re: Some odd harvesting going on?
On Tue, Oct 07, 2008 at 04:16:22PM -0400, Howard C. Berkowitz wrote:
> To prove that your message was sent by a human and not a computer, please
> visit the URL below and type in the alphanumeric text you will see in the
> image. You will be asked to do this only once for this recipient.

This doesn't look to me like phishing (although I can see the similarities); it looks like yet another severely clueless site engaged in challenge-response spamming. (C-R has long since been not only completely discredited as an anti-spam tactic, but has been recognized as a spam vector. Hosts emitting it are subject to blacklisting, in the same way and for much the same reason that hosts emitting backscatter/outscatter are.)

---Rsk
Re: Nanog 44 Hockey Event -- Last Call
Just no self-styled hockey moms, please...
Re: NANOG 44 (Los Angeles): ISP Security BOF
Hi all,

Well, Esthost has decided that they no longer wish to present their side of the story, and so their talk has been removed from the agenda :-)

This also means that the more, erm, operational talks have been lengthened and so won't feel quite as rushed... The revised agenda is below:

4:30 - 4:50: "Stealing the Internet" -- Anton Kapela
4:50 - 5:10: "An interim solution to the threat of DNS cache poisoning while waiting for DNSSEC" -- Rodney Joffe
5:10 - 5:30: "Next steps in IRR/X509" -- Barry Raveendran Greene, Jason Schiller
5:30 - 5:50: "Early Survey Results and Some Attack Statistics" -- Danny McPherson

I will get this (with some abstracts) posted on the NANOG 44 site soon.

Thanks to everyone who will be presenting, and I look forward to seeing y'all there!

W

On Oct 6, 2008, at 2:05 PM, Warren Kumari wrote:

> Hello all,
>
> NANOG 44 is now less than a week away. Here is the current program for the ISP Security BOF (NANOG 44, October 13, 2008, 4:30 PM - 6:00 PM) -- as always, the program at this point is still somewhat fluid and subject to change.
>
> 16:30 - 16:45: "Stealing the Internet" -- Anton Kapela
>
> In "Stealing the Internet" Kapela will describe a method where an attacker exploits the BGP routing system to facilitate transparent interception of IP packets. The method will be shown to function at a scale previously thought by many as unavailable. The talk highlights a new twist in sub-prefix hijacking that he demonstrated at Defcon 16: using intrinsic BGP logic to hijack network traffic and simultaneously create a 'bgp shunt' towards the target network. This method will be shown to preserve end-to-end reachability while creating a virtual 'wire tap' at the attacker's network. He'll cover additive TTL modification and transparent-origin-AS as a means for the attacker to obscure the interception. There will not be a live demonstration of the hijack or interception methods.
>
> 16:45 - 17:00: "An interim solution to the threat of DNS cache poisoning while waiting for DNSSEC" -- Rodney Joffe
>
> 17:00 - 17:15: "Next steps in IRR/X509" -- Barry Raveendran Greene, Jason Schiller
>
> 17:15 - 17:30: "Esthost's response to the 'Hostexploit report'" -- Konstantin Poltev (Esthost, Inc). We are still waiting for the official title / abstract for this talk, so this is a temporary title.
>
> 17:30 - 17:45: "Early Survey Results and Some Attack Statistics" -- Danny McPherson
>
> There are 15 minutes left over at the end of the agenda as I'm sure some talks will run over their allotted time.
>
> Hopefully this agenda is interesting and you are looking forward to the BOF.
>
> See you there,
> W
Re: Some odd harvesting going on?
On Wed, 8 Oct 2008 07:21:22 -0400
Rich Kulawiec <[EMAIL PROTECTED]> wrote:

> This doesn't look to me like phishing (although I can see the
> similarities); it looks like yet another severely clueless site engaged
> in challenge-response spamming. (C-R has long since been not only
> completely discredited as an anti-spam tactic, but has been recognized
> as a spam vector. Hosts emitting it are subject to blacklisting,
> in the same way and for much the same reason that hosts emitting
> backscatter/outscatter are.)

C-R *is* spam. Interestingly, proponents use the same argument for it that spammers do. It works for them. Spammers feel that .0001% response is reason enough to load the rest of us with work for no pay. Proponents of C-R feel that reducing their spam load justifies having the rest of us work as their spam filter for free. It's the "I got mine, Jack" mentality which is sadly way too ubiquitous.

Personally I think that the answer to this problem is to simply reply automatically to these challenges positively no matter what. Puts the job of filtering spam back on the first person.

-- 
D'Arcy J.M. Cain <[EMAIL PROTECTED]>         |  Democracy is three wolves
http://www.druid.net/darcy/                |  and a sheep voting on
+1 416 425 1212     (DoD#0082)    (eNTP)   |  what's for dinner.
Re: Nanog 44 Hockey Event -- Last Call
On Wed, Oct 8, 2008 at 09:06, Steven M. Bellovin <[EMAIL PROTECTED]> wrote:
> Just no self-styled hockey moms, please...

You Maverick you. ;-)

-Jim P.
UltraDNS mail admin around?
I'm getting bombarded by these

Received: from 80.224.33.155.static.user.ono.com ([80.224.33.155])
	by mxb2eqsj.ultradns.net with esmtp (Exim 4.43)
	id 1J7YZc-0007qU-4i
	for [EMAIL PROTECTED]; Wed, 26 Dec 2007 15:53:36 +
Message-ID: <[EMAIL PROTECTED]>
From: "Handbags" <[EMAIL PROTECTED]>
To: "Replica Watches" <[EMAIL PROTECTED]>

- 
Andrey Gordon [EMAIL PROTECTED]
Re: UltraDNS mail admin around?
Andrey Gordon wrote:
> I'm getting bombarded by these
>
> Received: from 80.224.33.155.static.user.ono.com ([80.224.33.155])by
> mxb2eqsj.ultradns.net with esmtp (Exim 4.43)id 1J7YZc-0007qU-4ifor
> [EMAIL PROTECTED]; Wed, 26 Dec 2007 15:53:36 +
> Message-ID: <[EMAIL PROTECTED]>
> From: "Handbags" <[EMAIL PROTECTED]>
> To: "Replica Watches" <[EMAIL PROTECTED]>

get a clue

155.33.224.80.in-addr.arpa domain name pointer 80.224.33.155.static.user.ono.com.

randy
Re: UltraDNS mail admin around?
Randy Bush wrote:
> Andrey Gordon wrote:
>> I'm getting bombarded by these
>>
>> Received: from 80.224.33.155.static.user.ono.com ([80.224.33.155])by
>> mxb2eqsj.ultradns.net with esmtp (Exim 4.43)id 1J7YZc-0007qU-4ifor
>> [EMAIL PROTECTED]; Wed, 26 Dec 2007 15:53:36 +
>> Message-ID: <[EMAIL PROTECTED]>
>> From: "Handbags" <[EMAIL PROTECTED]>
>> To: "Replica Watches" <[EMAIL PROTECTED]>
>
> get a clue
>
> 155.33.224.80.in-addr.arpa domain name pointer
> 80.224.33.155.static.user.ono.com.

sorry. first cuppa.

was ultra really the next hop?

randy
Re: UltraDNS mail admin around?
Randy Bush wrote:
> Randy Bush wrote:
>> Andrey Gordon wrote:
>>> I'm getting bombarded by these
>>>
>>> Received: from 80.224.33.155.static.user.ono.com ([80.224.33.155])by
>>> mxb2eqsj.ultradns.net with esmtp (Exim 4.43)id 1J7YZc-0007qU-4ifor
>>> [EMAIL PROTECTED]; Wed, 26 Dec 2007 15:53:36 +
>>> Message-ID: <[EMAIL PROTECTED]>
>>> From: "Handbags" <[EMAIL PROTECTED]>
>>> To: "Replica Watches" <[EMAIL PROTECTED]>
>
> was ultra really the next hop?

Either Ultradns is Andrey's mail server, or he appears to have left out his perimeter's Received line. More likely the latter.

Without seeing the final received line, can't tell whether this really went thru UltraDNS. Many BOTS forge headers. It's not at all unusual to see:

Received: from a by b    (b is my server)
Received: from c by d

where d != a. Meaning the second Received line is entirely fabricated.
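The consistency check the post above describes (each Received line's "from" host should be the "by" host of the next-older line, and the newest line should be stamped by your own perimeter), as an added Python example that is not from the thread; all hostnames, addresses and headers below are constructed. A mismatch is a signal to investigate rather than proof of forgery, since a legitimate relay can also omit or rewrite its own Received line.

```python
import re
# Constructed sample headers (not from the thread); newest Received line first.
# Consistent chain: each line's "from" host is the "by" host of the line below it.
CONSISTENT_CHAIN = """\
Received: from relay.example.org (relay.example.org [192.0.2.10])
    by mx.example.net with esmtp id A1; Wed, 8 Oct 2008 13:34:00 +0000
Received: from client.example.org ([192.0.2.20])
    by relay.example.org with esmtp id B2; Wed, 8 Oct 2008 13:33:00 +0000
"""
# Forged chain: our perimeter received from host-1.isp.example (a), but the older line claims relay.upstream.example (d) stamped it, and d != a.
FORGED_CHAIN = """\
Received: from host-1.isp.example ([203.0.113.45])
    by mx.example.net with esmtp (Exim 4.43) id C3; Wed, 8 Oct 2008 13:34:00 +0000
Received: from mailer.shop.example ([198.51.100.7])
    by relay.upstream.example with esmtp id D4; Wed, 8 Oct 2008 13:33:00 +0000
"""
HOST = r"([^\s()\[\];]+)"  # hostname token: stops at whitespace, parens, brackets, ';'


def unfold(headers):
    """Join RFC 5322 folded continuation lines (leading whitespace) onto their header."""
    out = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out


def received_hops(headers):
    """Return (from_host, by_host) per Received: header, newest first ('' if absent)."""
    hops = []
    for h in unfold(headers):
        if not h.lower().startswith("received:"):
            continue
        m_from = re.search(r"\bfrom\s+" + HOST, h, re.IGNORECASE)
        m_by = re.search(r"\bby\s+" + HOST, h, re.IGNORECASE)
        hops.append((m_from.group(1).lower() if m_from else "", m_by.group(1).lower() if m_by else ""))
    return hops


def check_chain(headers, our_host):
    """Flag a newest line not stamped by our perimeter, and any hop whose 'from' host is not the 'by' host of the next-older line (d != a)."""
    hops = received_hops(headers)
    issues = []
    if not hops or hops[0][1] != our_host.lower():
        issues.append("newest Received line was not added by %s" % our_host)
    for i in range(len(hops) - 1):
        if hops[i][0] != hops[i + 1][1]:
            issues.append("hop %d received from %r but hop %d claims 'by %s'" % (i, hops[i][0], i + 1, hops[i + 1][1]))
    return issues
```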
Re: UltraDNS mail admin around?
we are actually not using ultraDNS for email. DNS only. It does awfully close to some local host spamming. tx for the help to y'all

- 
Andrey Gordon [EMAIL PROTECTED]

On Wed, Oct 8, 2008 at 1:34 PM, Randy Bush <[EMAIL PROTECTED]> wrote:
> Rodney Joffe wrote:
> > I suspect that Andrey/his $workplace uses UltraDNS and uses the Ultra
> > mail forwarder, which forwards and does not filter.
> >
> > I can't tell from the minimal headers what his workplace is, so can't
> > really confirm for him.
>
> in private email, andrey said no received: line above that one. so,
> unless his mail spool is on one of your servers, it's a local forge.
>
> randy
Re: Nanog 44 Hockey Event -- Last Call
On Oct 7, 2008, at 9:20 PM, Ralph E. Whitmore, III wrote:
> For those that are attending NANOG 44 and interested in catching the:

Hi Everyone

A new list has been created for NANOG 44 attendees called nanog-attendee. You are automatically joined to this list if you registered for the conference (unless you selected to opt-out). If you would like to join manually you can do so here:

http://mailman.nanog.org/mailman/listinfo/nanog-attendee

Please help to keep the NANOG list operational in nature, and post other topics related to NANOG 44 (especially social events) to the nanog-attendee list.

Thanks
Kris
Mail List Committee

> Los Angeles Kings vs. the San Jose Sharks NHL Hockey game
>
> If you are interested in going and have not already contacted me about the game please be sure to do so before 3PM today, Wednesday Oct. 8th, at either 310-856-0550. You may speak to myself, Ralph, or my assistant, Nancy.
>
> Tickets are $90.50 each and we will be sitting in sections 112-114 based on the total number of people that go. Thus far we have a group of 10 people going to the game. Be sure to let me ASAP.
>
> Ralph Whitmore
> InterWorld Communications, Inc.
> 310-856-0550 M-F 9A-6P
Re: OK, who's the idiot using tcwireless.us?
On Tue, 07 Oct 2008 15:05:20 PDT, Christopher LILJENSTOLPE said:
> I agree with Howard here, I don't think this is a mis-configuration,
> but a harvest attempt. The "mailserver" is in different messages, and
> I can't see how that could get misconfigured in an honest validation
> server.

Turns out it was indeed a C/R system rather than a harvest attempt, and after seeing several other people's versions of the message, it was pretty obvious what was wrong - some fool programmer coded:

    printf("has just been received by %s mailserver\n", from->domain);

when they wanted our->domain instead. So that's a double-whammy - (a) they didn't use their own server's domain, and (b) they used the From: address rather than the Return-Path: address (which is why it showed up as the poster's mailserver rather than nanog.org as the source).

When you test it from your own domain, source->domain and from->domain are the same as our->domain so you don't notice. Presumably, nobody ever carefully tested from outside the local domain, which means their QA process isn't the strictest either - makes one wonder what other bugs and vulnerabilities are in there.