Re: spamassassin hole again?

2014-04-13 Thread Andrew Fried
Any chance you could provide a *clue* as to what you're seeing, eg
message subject, from, etc???

Andrew Fried
andrew.fr...@gmail.com

On 4/13/14, 1:00 AM, Babak Farrokhi wrote:
> We are not using spamassassin and only major RBLs in place and seeing the same
> wave of spam. Seems like a new botnet has just appeared.
> 
> -- Babak
> 



Re: spamassassin hole again?

2014-04-13 Thread Paul Thornton

On 13/04/2014 08:10, Andrew Fried wrote:

> Any chance you could provide a *clue* as to what you're seeing, eg
> message subject, from, etc???


The subjects seem to vary; but appear to involve animals, sex and cute 
women in various orders (apologies to anyone offended by that).


Content is a one-liner link to porn sites.

I agree with the RIPE DB scrape - the From: line on one of these is

From: "Registry ripenotify" 
and the CC line contains our notify: E-mail (plus a load more of this 
junk to noc|peering|named contacts).


These seem to be botted machines sending mails 'legitimately' ie: 
headers appear to show that the first hop was relayed out through a 
normal route rather than just port 25 spray.  Some are even kindly 
pre-marked as spam.


We've had >250 turn up since 23:34 UTC yesterday (12 April).  Appears to 
have slowed/stopped around 05:00 UTC today (13 April).


Paul.

--
Paul Thornton
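Header-based triage for the wave Paul describes, as an added example (not code from the thread or from any list member). The two sample messages are constructed to mimic the pattern in the post: a From: display name of "Registry ripenotify", a Cc: line fanning out to role addresses (noc/peering/named/notify) at one domain, a one-line link body, and sometimes a pre-set spam flag. The role-address set, the two-indicator threshold and the X-Spam-Flag header are my assumptions.

```python
"""Header-based triage for the spam wave described in the post.

Added example, not from the original thread. Sample messages are
constructed; thresholds and header names are assumptions.
"""
import email
from email.utils import getaddresses, parseaddr

# Constructed sample matching the described pattern (not a real message).
SAMPLE_SPAM = """\
From: "Registry ripenotify" <bounce@example.invalid>
To: hostmaster@example.net
Cc: noc@example.net, peering@example.net, named@example.net, notify@example.net
Subject: constructed subject line
X-Spam-Flag: YES

http://example.invalid/
"""

# Constructed legitimate message that also reaches a role address.
SAMPLE_HAM = """\
From: "Alice Operator" <alice@example.org>
To: noc@example.net
Subject: peering request

Hi, could we set up a session at the IX?
"""

# Role local-parts typically published in registry contact data (assumed set).
ROLE_LOCALPARTS = {"noc", "peering", "named", "notify", "hostmaster", "abuse"}


def score_message(raw: str) -> dict:
    """Return which indicators fired and whether the message looks like the wave.

    Two or more indicators is the (assumed) threshold; a single role
    address on its own is ordinary operator traffic.
    """
    msg = email.message_from_string(raw)
    reasons = []

    # Indicator 1: the display name seen on the wave's From: line.
    display, _addr = parseaddr(msg.get("From", ""))
    if display.strip().lower() == "registry ripenotify":
        reasons.append("from-display-name")

    # Indicator 2: several role addresses at once (the scraped-contacts fanout).
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    roles = {addr.split("@")[0].lower() for _name, addr in recipients if "@" in addr}
    if len(roles & ROLE_LOCALPARTS) >= 3:
        reasons.append("role-address-fanout")

    # Indicator 3: some senders pre-marked their own output as spam.
    if msg.get("X-Spam-Flag", "").strip().upper() == "YES":
        reasons.append("pre-marked-spam")

    # Indicator 4: body is a single line consisting of a link.
    if not msg.is_multipart():
        lines = msg.get_payload().strip().splitlines()
        if len(lines) == 1 and lines[0].lower().startswith(("http://", "https://")):
            reasons.append("one-line-link-body")

    return {"suspicious": len(reasons) >= 2, "reasons": reasons}


if __name__ == "__main__":
    for label, sample in (("spam", SAMPLE_SPAM), ("ham", SAMPLE_HAM)):
        print(label, score_message(sample))
```

The fanout indicator is the one that survives subject and sender changes, since it comes from the scraped contact data rather than from the message template; the other three are cheap corroboration.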



Re: responding to DMARC breakage

2014-04-13 Thread Matthew Petach
On Sat, Apr 12, 2014 at 10:12 AM, Miles Fidelman  wrote:

> valdis.kletni...@vt.edu wrote:
>
>> On Sat, 12 Apr 2014 10:12:09 -0400, Miles Fidelman said:
>>
>>> It occurs to me that Yahoo's deployment of DMARC p=reject, and the
>>> choice of several big mail operators to honor that, has created a
>>> situation not unlike a really routing table or nameserver, snafu ---
>>>
>> It's more like a peering war.  Time for somebody to either bake a cake,
>> or find alternate transit providers.
>>
>
> Aaargghhh - what a horrible, but accurate analogy.  Worse probably - more
> like a peering war with a large broadband carrier, at the edge, where it's
> harder to find alternate transport.
>

So, if we stretch the analogy to near-breaking-point,
would that make Yahoo the Comcast of the email
world... or the Level3?  And depending on that answer,
would the community think that a similar response of
petitioning the government for more oversight and control
would be warranted?  Or would it be just as much out of
line in this case as it is in the Level3-Comcast fight?

I'm genuinely curious, because for most of my 20+ years
in the networking industry, I've felt like we've done a good
job at internally regulating ourselves as an industry, without
needing to bring in outside regulation; but now, it sometimes
starts to feel like the near metastable equilibrium of the system
is wobbling ever-farther from our ability to adequately control
and stabilize it.  Have we potentially hit the point where the
'community' (for whatever definition is appropriate) no longer
has enough input or leverage to bring players back into line
when they stray outside of what is considered appropriate
behaviour?

In spite of the peering cake having been delicious and
moist (I had two pieces, it was so yummy!), that rift
has never closed; Comcast is not changing their model,
in spite of community outcry, and Level3 has taken the
step of summoning the spectre of government intervention.
Cogent seems determined to follow a similar line of
reasoning with respect to interconnections ("if we think
we can get money from you, we'll use our customer
base as leverage; if not, we'll cry foul, and appeal
to the {government, masses, media}").

Have we reached the point as a community where
"rough consensus and running code" is no longer
the rule by which we operate, and fear of opprobrium
no longer holds any weight with operators?
As an engineer, I used to be proud that I helped
build and operate a system that existed and thrived
under its own rules, outside the sphere of any one
particular government or legal system.  I looked to
it as a model of how a bottoms-up planetary ecosystem
might operate, with everyone cooperating towards a
universal goal.  Now, I'm not so sure anymore; I'm
becoming a little bit worried it's more just a simple
reflection of all the conflicting impulses in each of
us.

I don't think there's a clear right or wrong to these
questions; it just seems like the simplicity and
elegant optimism of the early years may have
slipped away while I focused intently on what
was right in front of me.

[drat...i started writing that over breakfast, and
then the day got busy...and here i am, finishing
it up fifteen hours later, and i'm not even sure
if i'm still going in the same direction with it; but
i'll still toss it out, and see in which direction it
floats...]

Matt


Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-13 Thread Bengt Larsson
Matt Palmer wrote:

> * The NSA found it *amazingly* quickly (they're very good at what they do,
>   but I don't believe them have superhuman talents); or

It's quite plausible that they watch the changes in open-source projects
to find bugs. They could do nice diffs and everything. 



Re: responding to DMARC breakage

2014-04-13 Thread Miles Fidelman

Matthew Petach wrote:
> On Sat, Apr 12, 2014 at 10:12 AM, Miles Fidelman <mfidel...@meetinghouse.net> wrote:
>
>> valdis.kletni...@vt.edu wrote:
>>
>>> On Sat, 12 Apr 2014 10:12:09 -0400, Miles Fidelman said:
>>>
>>>> It occurs to me that Yahoo's deployment of DMARC p=reject, and the
>>>> choice of several big mail operators to honor that, has created a
>>>> situation not unlike a really routing table or nameserver, snafu ---
>>>
>>> It's more like a peering war.  Time for somebody to either bake a cake,
>>> or find alternate transit providers.
>>
>> Aaargghhh - what a horrible, but accurate analogy.  Worse probably - more
>> like a peering war with a large broadband carrier, at the edge, where it's
>> harder to find alternate transport.
>
> So, if we stretch the analogy to near-breaking-point,
> would that make Yahoo the Comcast of the email
> world... or the Level3?  And depending on that answer,
> would the community think that a similar response of
> petitioning the government for more oversight and control
> would be warranted?  Or would it be just as much out of
> line in this case as it is in the Level3-Comcast fight?


That's a big concern of mine, and one that's somewhat reflected in 
current discussions re. NTIA stepping away from its oversight role of 
ICANN/IANA.  It strikes me that there are a growing number of issues 
that beg for some kind of institutionalized response and recourse - 
peering, DMARC, others - but we don't have any in place. That's the 
point at which people start suing each other and looking for government 
intervention.  Sigh


In this case:
- if the tv tower 2 miles from here starts interfering with stuff, we
call the FCC, and it gets fixed (particularly if it starts interfering
with, for example, police radios)
- various law enforcement agencies go after the bigger spam operations,
and DDoS exploiters
- but... Yahoo publishes a p=reject DNS record - causing, effectively, a
massive DDoS - and... what?


Miles


--
In theory, there is no difference between theory and practice.
In practice, there is.    Yogi Berra
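The mechanics behind the "p=reject" complaint in this thread, as an added example (not code from the thread): a DMARC TXT record is parsed and the identifier-alignment rules of RFC 7489 are applied to a message in three delivery paths, which shows why a list relaying a p=reject author's mail gets it rejected at receivers that honor the policy. The record text, the list domains and the `example.org` policy are constructed for illustration and are not the actual published records of Yahoo or anyone else; the organizational-domain helper is a two-label simplification of the Public Suffix List lookup real implementations use.

```python
"""DMARC record parsing and alignment evaluation (RFC 7489).

Added example, not from the original thread. Records and domains below
are constructed; org_domain() is a deliberate simplification.
"""


def parse_dmarc(txt: str) -> dict:
    """Parse 'tag=value; ...' into a dict and fill the RFC 7489 alignment defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")   # relaxed SPF alignment unless aspf=s
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (real code uses the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed mode needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record: dict, from_domain: str,
                      spf_pass_domain, dkim_pass_domains) -> str:
    """'pass' if an authenticated identifier aligns with the RFC5322.From domain,
    otherwise the disposition the record requests (its p= tag).

    spf_pass_domain: the MAIL FROM domain for which SPF passed, or None.
    dkim_pass_domains: d= values of DKIM signatures that verified.
    """
    spf_ok = spf_pass_domain is not None and aligned(from_domain, spf_pass_domain, record["aspf"])
    dkim_ok = any(aligned(from_domain, d, record["adkim"]) for d in dkim_pass_domains)
    return "pass" if (spf_ok or dkim_ok) else record["p"]


# Constructed record for the author domain; assumed, not looked up in DNS.
AUTHOR_RECORD = parse_dmarc("v=DMARC1; p=reject")


def list_relay_scenarios() -> dict:
    """Three deliveries of one message whose From: domain is yahoo.com."""
    return {
        # Straight from the author's provider: SPF and DKIM both align.
        "direct": dmarc_disposition(AUTHOR_RECORD, "yahoo.com", "yahoo.com", ["yahoo.com"]),
        # Via a list: MAIL FROM rewritten to the list domain and a footer
        # appended, so the author's signature no longer verifies; the only
        # surviving identifiers belong to the list, and nothing aligns.
        "via-list": dmarc_disposition(AUTHOR_RECORD, "yahoo.com", "lists.example.org", ["example.org"]),
        # Via a list that rewrites From: to its own domain (the common
        # workaround): evaluation then runs against the list domain's record.
        "via-list-from-rewritten": dmarc_disposition(
            parse_dmarc("v=DMARC1; p=none"), "example.org", "lists.example.org", ["example.org"]),
    }


if __name__ == "__main__":
    for path, result in list_relay_scenarios().items():
        print(f"{path:24s} -> {result}")
```

The "via-list" case is the breakage the thread is about: the list did nothing unusual, but after it rewrites the envelope sender and touches the body, no passing identifier shares an organizational domain with the From: header, so a receiver honoring p=reject bounces the post and the list sees a burst of bounces from every honoring subscriber.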




Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-13 Thread Randy Bush
> It's quite plausible that they watch the changes in open-source
> projects to find bugs. They could do nice diffs and everything.

the point of open source is that the community is supposed to be doing
this.  we failed.

randy



Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-13 Thread Michael Thomas

On 04/13/2014 07:30 AM, Randy Bush wrote:
>> It's quite plausible that they watch the changes in open-source
>> projects to find bugs. They could do nice diffs and everything.
>
> the point of open source is that the community is supposed to be doing
> this.  we failed.

Versus all of the closed source bugs that nobody can know of or do 
anything about?


Bugs are a fact of life. The best we can do is fix, learn and evolve.

Mike



Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-13 Thread Randy Bush
>> the point of open source is that the community is supposed to be doing
>> this.  we failed.
> Versus all of the closed source bugs that nobody can know of or do 
> anything about?

for those you can blame the vendor.  this one is owned by the community.
it falls on us to try to lower the probability of a next one by actively
auditing source as our civic duty.

randy



Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-13 Thread Michael Thomas

On 04/13/2014 07:52 AM, Randy Bush wrote:
>>> the point of open source is that the community is supposed to be doing
>>> this.  we failed.
>> Versus all of the closed source bugs that nobody can know of or do
>> anything about?
> for those you can blame the vendor.

Or not.

> this one is owned by the community.
> it falls on us to try to lower the probability of a next one by actively
> auditing source as our civic duty.

And we all know how well civic duty works as a motivator. If we really
want to do something constructive, convince the corpro-takers to open
their wallets to fund those auditing functions.


Mike



Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-13 Thread Niels Bakker

* ra...@psg.com (Randy Bush) [Sun 13 Apr 2014, 16:52 CEST]:
>>> the point of open source is that the community is supposed to be
>>> doing this.  we failed.
>> Versus all of the closed source bugs that nobody can know of or do
>> anything about?
> for those you can blame the vendor.


BSAFE is almost worse if you go by the recent advisories that have 
been released about it.  Many vendors incorporated OpenSSL into their 
products and sold the result for commercial profit without doing 
(in retrospect) enough due diligence.  Besides, having a third party 
to blame doesn't make our data safer...


At least one vendor, Akamai, is helping out now:
http://marc.info/?l=openssl-users&m=139723710923076&w=2

I hope other vendors will follow suit.

> this one is owned by the community. it falls on us to try to lower
> the probability of a next one by actively auditing source as our
> civic duty.


I donated some money to the OpenSSL project and hope others will do, 
or have already done, the same.  It's clear that they are internet 
infrastructure and need more support.



-- Niels.



Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-13 Thread Warren Bailey
Doesn't OpenSSL even fundraise? Based on the number of dollars they've taken in 
(what I could find online) most of them are better off taking side jobs as 
psychics to pay for audits. I know of at least one thing they could have 
predicted in the future. ;)



Sent from my T-Mobile 4G LTE Device




Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-13 Thread John Levine
>And we all know how well civic duty works as a motivator. If we really 
>want to do something
>constructive, convince the corpro-takers to open their wallets to fund 
>those auditing functions.

For once, I agree with Mike.  (Twice in one year?)

Considering how widely openssl is used, and how important it is, it's
shameful how little support it gets.

I'd also point out that auditing security code is hard, and auditing
SSL/TLS code is extremely hard because the spec depends on a lot of
unusually arcane algorithms, and its implementation is almost
perversely complex (that means PKI and ASN.1.)  So random programmer
eyes are much less likely to find useful stuff than people who have
spent a while learning about the technology.

http://jl.ly/Internet/openssl.html

R's,
John