Re: .mil dns problems?
On Thu, 2010-05-27 at 21:55 +0200, Florian Weimer wrote:
> Looks more like a routing issue. Looks like the .MIL operators put all their eggs into one basket. 8-(

From .uk, the .pac and .con servers respond fine but the .eur servers don't. Go figure.

Graeme
Re: delays to google
On Thu, 2009-05-14 at 12:34 -0400, Justin M. Streiner wrote:
> I'm guessing whatever the issue is has been resolved, or the storm has passed?

http://www.google.com/appsstatus#rm:1/di:1/do:1/ddo:0

Not that it would have been much use to you at the time.

Graeme
RE: In a bit of bind...
Once upon a time, whilst working for a fairly well-known UK domain registration company, I put together a system built on an early version of the BIND-DLZ patchset against BIND 9.2.5 (if I recall correctly). It used MySQL as the backend database (because that's what the registration system used for CRM purposes) and worked very nicely, thank you, for well in excess of a million zones and a query rate which I forget but was of the order of several thousand per second, maybe higher at times.

We had a custom-written web management toolbox, part of which was exposed to customers through their control panel so they could manage their zones by themselves. The "frontend" nameservers - those actually answering queries - had a "read only" one-way replicated copy of the tables being managed by the CRM system, so all changes were near instantaneous. Copious caching options and indexing in MySQL gave the DB pretty good performance. The frontend servers themselves were load balanced and fault-tolerant and in theory at least a single machine could handle the overall system load.

Unfortunately, after I moved on from that job the system broke in some spectacular way (I don't know why) and has since been significantly changed from the original spec, but I couldn't say how...

DLZ worked for us - but the DB and management tools were built "in house"; I don't think there's an ideal off-the-shelf solution built around it (yet).

Graeme
Re: several messages
On Tue, 2009-07-14 at 10:12 -0500, "Ronald Cotoni" wrote:
> And I still have yet to get someone from sorbs to contact me off list. I wonder if they actually read email (highly doubtful at this point)

I can almost guarantee that they don't subscribe to NANOG, so posting here will make next to no difference. As has already been pointed out, if you subscribe to SPAM-L and post there you are far more likely to get a response.

That said, given the upheaval that SORBS is going through (which has also been pointed out) I'm not entirely surprised that other matters are more pressing for the proprietors.

Graeme
Are you an "unpaid volunteer"?
http://news.bbc.co.uk/1/hi/business/8163190.stm

Some of it is right. Some of it is wrong. All of it makes for interesting reading from the point of view of a layperson.

We are all, apparently, unsung heroes...

Graeme

PS Yes, there's plenty to tear apart in the article. Don't shoot the messenger though!
Re: SORBS?
On Tue, 2009-08-25 at 09:35 -0500, Marc Powell wrote:
> I don't think they watch here; at least I've never seen Michelle post here.

I've had confirmation from Michelle personally this morning (following a similar question elsewhere) that the SORBS systems are indeed relocating. From a previous message to SPAM-L (reproduced with permission):

Michelle Sullivan wrote:
> SORBS is not closing. SORBS has received 3 credible offers for the purchase of SORBS, one of which was not interested in continuing SORBS but obtaining the IP and spamtraps. SORBS will not be accepting the latter offer.
>
> Currently the two offers being considered are with anti-spam vendors and one of the two have indicated that they will not commercialise SORBS, but keep it as a community project. The other anti-spam vendor have indicated they would pursue a split commercial model, where there would be a free service as well as a 'premium' service (how this would work I do not know).
>
> An announcement about which company is successful will be forthcoming when necessary paperwork has been signed.
>
> Small outages will occur in the central database when the servers are moved, this will NOT affect SORBS services globally, only updates (listing and delisting) and local (Au) services during the outages.

As inconvenient as this outage may be, the background to it is one with which a large proportion of this list is probably bearing scars - physical relocation.

On a related note, no I don't have any information as to who it is that has taken SORBS on.

Regards,
Graeme
Re: Are you getting Spam from Crossfire Media?
On Tue, 2009-01-13 at 14:43 -0500, Reynold Guerrier wrote:
> My subscription to NANOG aged 3 months ago and I am receiving this spam too. And this is my first post. I effectively think that someone might have cracked the email database of the Nanog list.

Funny; I'm not in that sort of business and I haven't received that sort of spam.

Funny also that both Reynold and JC have quite significant online presences (as determined from a quick Google) which reveal lots of interesting info - if you were a person interested in selling them something, anyway. Especially wireless kit.

I think there's far less to this than meets the eye, personally. Just a predictably asinine salesperson believing that your presence online provides your consent for bulk email... have you contacted their CEO?

Graeme
Re: Are you getting Spam from Crossfire Media?
On Tue, 2009-01-13 at 17:19 -0800, JC Dill wrote:
> The particular email address ceased being used (by me) over a year ago, but suddenly 4 weeks ago I was "subscribed" to their mailing list. Apparently the common theme is that we all registered for the VON conference at one point.

Aha, list re-purposing. That's something completely different - I cannot speak for your local or federal laws on spam, but in the UK we could fairly well go to town on a company doing that (not in law, sadly, but certainly in terms of professional shame through whichever organisations they belong to).

> I really can't understand why all of you are saying it's no big deal!

Er... we're not. I'm not, certainly, and I haven't read anyone else as having done so. What we're saying is that there's nothing sinister (as the original reply to your message thought), that there's a simple explanation.

As I said originally - if this is a company with any professional pride whatsoever, contact their CEO. Going from the top down can be instructive at the very least, if not actually productive.

Graeme
Re: isprime DOS in progress
On Tue, 2009-01-20 at 14:55 -0600, Todd T. Fries forwarded:
> From: ISPrime Support
> These are the result of a spoofed dns recursion attack against our servers. The actual packets in question (the ones reaching your servers) do NOT originate from our network as such there is no way for us to filter things from our end.
> If you are receiving queries from 76.9.31.42/76.9.16.171 neither of these machines make legitimate outbound dns requests so an inbound filter of packets to udp/53 from either of these two sources is perfect.
> If you are receiving queries from 66.230.128.15/66.230.160.1 these servers are authoritative nameservers. Please do not blackhole either of these IPs as they host many domains. However, these IPs do not make outbound DNS requests so filtering requests to your IPs from these ips with a destination port of 53 should block any illegitimate requests.

I've been seeing a lot of noise from the latter two addresses after switching on query logging (and finishing an application of Team Cymru's excellent template) so I decided to DROP traffic from the addresses (with source port != 53) at the hosts in question.

Well, blow me down if they didn't completely stop talking to me. Four dropped packets each, and they've gone away.

Something smells "not quite right" here - if the traffic is spoofed, and my "Refused" responses have been flying right back to the *real* IP addresses, how are the spoofing hosts to know that I'm dropping the traffic? Even if I used a REJECT policy, I'd expect the ICMP messages to go back to the appropriate - as in real - hosts, rather than the spoofing sources.

Something here is very odd, very odd indeed... or I'm being dumb. It's happened before.

Graeme
Re: isprime DOS in progress
On Wed, 2009-01-21 at 12:27 -0500, Phil Rosenthal wrote:
> Representing ISPrime here.

Well... representing myself and nobody else, so if that stretches my credibility thin so be it.

> It's somewhat absurd to suggest that we are attacking our own nameservers, I assure you, we didn't spend many hours looking for your specific nameserver to start sending 10 requests per second for the root zone, and our nameservers serve many popular domains.

I just checked to make sure I did not make that assertion. I did not. I observed something odd, and stated as much to see if anyone else did. I apologise if you read my message as insinuating what you stated, but I assure you that wasn't the intention.

I did say "maybe I'm being dumb", and that is indeed the answer - I applied a temporary netfilter ruleset, then made it permanent - and it switched the DROP and LOG statements round so that... the packet got dropped first and the log statements never got hit. Schoolboy error (and interesting that someone else has observed this behaviour before!)... Normal service has been resumed. I should write a haiku here (sorry, MLC, poor joke).

> Given the attack is still in progress, I can't really say much more publicly, but suffice to say, we're working on the situation.

In a previous job I've been on the receiving end of similar attacks so I have a large degree of understanding of the pressure you're under at the moment. I wish you the best of luck sorting it out.

Graeme
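The "DROP before LOG" mistake in the message above is easy to catch mechanically: in a chain, a LOG rule placed after a terminating rule with the identical match can never fire. The checker below is an added example, not code from the thread; it reads iptables-save style text, flags shadowed LOG rules and reorders them in front of the rule that shadows them. The ruleset it runs on is constructed (198.51.100.0/24 is a documentation range standing in for the noisy addresses in the thread) and reproduces the "drop UDP to port 53 unless the source port is 53" filter the earlier post describes, once with the LOG rule misplaced.

```python
"""Spot LOG rules that a preceding DROP/REJECT/ACCEPT with the same match shadows.

Added example, not code from the thread. Reads iptables-save style text; the
ruleset below is constructed (198.51.100.0/24 is a documentation range) and
mirrors the 'drop source port != 53 from the noisy addresses' filter from the
post, with the first LOG rule accidentally placed after its DROP.
"""
import re

TERMINATING = {"DROP", "REJECT", "ACCEPT"}  # targets that end rule traversal

RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*?)\s+-j\s+(\S+)(?:\s+(.*))?$")

SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 198.51.100.15/32 -p udp ! --sport 53 --dport 53 -j DROP
-A INPUT -s 198.51.100.15/32 -p udp ! --sport 53 --dport 53 -j LOG --log-prefix "dns-noise: "
-A INPUT -s 198.51.100.16/32 -p udp ! --sport 53 --dport 53 -j LOG --log-prefix "dns-noise: "
-A INPUT -s 198.51.100.16/32 -p udp ! --sport 53 --dport 53 -j DROP
COMMIT
"""


def parse_rule(line):
    """Split an '-A CHAIN <match> -j TARGET [options]' line; None for other lines."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    chain, match, target, extra = m.groups()
    return {"chain": chain, "match": match, "target": target, "extra": extra or ""}


def shadowed_log_rules(ruleset):
    """Return [(log_line_no, shadowing_line_no)] for LOG rules that can never fire
    because an earlier rule in the same chain with an identical match terminates."""
    first_terminating = {}  # (chain, match) -> line number of first terminating rule
    findings = []
    for no, line in enumerate(ruleset.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None:
            continue
        key = (rule["chain"], rule["match"])
        if rule["target"] == "LOG":
            if key in first_terminating:
                findings.append((no, first_terminating[key]))
        elif rule["target"] in TERMINATING and key not in first_terminating:
            first_terminating[key] = no
    return findings


def reorder_log_first(ruleset):
    """Move every shadowed LOG rule directly in front of the rule shadowing it.
    Repeats until nothing is shadowed, so line numbers are recomputed each pass."""
    lines = ruleset.splitlines()
    while True:
        findings = shadowed_log_rules("\n".join(lines))
        if not findings:
            return "\n".join(lines) + "\n"
        log_no, drop_no = findings[0]
        log_line = lines.pop(log_no - 1)   # log_no > drop_no, so the DROP's index is unchanged
        lines.insert(drop_no - 1, log_line)


if __name__ == "__main__":
    for log_no, drop_no in shadowed_log_rules(SAMPLE_RULESET):
        print(f"line {log_no}: LOG rule shadowed by terminating rule on line {drop_no}")
    print(reorder_log_first(SAMPLE_RULESET))
```

Run it against the output of `iptables-save` before committing a hand-edited ruleset; the comparison is on the literal match string, so two rules that mean the same thing but are written differently (e.g. `/32` present on one and absent on the other) are not treated as duplicates.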
Re: Mcast mpeg2 and unicast h.264 for NANOG-45
On Mon, 2009-01-26 at 16:01 +0100, marc wrote:
> well the server is not the problem ;)
>
> but where can i get the .sdp file ;)

http://nanog.org/streaming.php
Re: Tightened DNS security question re: DNS amplification attacks.
Hi

On Wed, 2009-01-28 at 13:16 +0100, fredrik danerklint wrote:
> At 12:07:16 local time here in sweden, I saw a new address 70.86.80.98.
> At 12:09:36 another new address 64.57.246.123
> At 12:20:10 the address 70.86.80.98 started to ask for funny domain name like: "pjphcdfwudgaaabaaacboinf". This ended at 12:55:01 when it was back to just ask for the .NS records again.

Same here - times different, though, in that it appeared at 1120 UTC and disappeared at 1159 UTC. There were 194 entries.

Every query was the same format - a 32-byte lower case alphanumeric string, differing at the following positions marked with a period:

..fw.d.aaabaaa..

I expect that others will have seen similar patterns with differing fixed strings. I'm also starting to wonder if this is something to do with the downadup/conficker worm, or another botnet.

Graeme
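Deriving a mask like the one above from a query log is a small script's worth of work, and doing it per source address is a useful first triage step when a resolver suddenly sees a burst of random-looking names. The following is an added example, not from the thread: it pulls the leftmost label of each query name out of BIND-style query log lines, keeps those that fit the post's signature (32 lower-case alphanumerics) and reports the per-position mask. The log excerpt is constructed (addresses from documentation ranges, names invented so that their first 16 positions match the thread's mask).

```python
"""Summarise a burst of odd query names per position: characters that are the
same in every name stay, positions that vary become '.', giving a mask like
the '..fw.d.aaabaaa..' in the post.

Added example, not from the thread. The log excerpt is constructed in BIND
query-log style (documentation-range addresses, invented names).
"""
import re

SAMPLE_LOG = """\
28-Jan-2009 11:20:03.112 queries: info: client 192.0.2.10#51234: query: example. IN NS + (203.0.113.5)
28-Jan-2009 11:20:08.301 queries: info: client 192.0.2.10#51234: query: pjfwudgaaabaaacboinfq7x2m9k4tz1e.example. IN A + (203.0.113.5)
28-Jan-2009 11:20:15.774 queries: info: client 192.0.2.10#51234: query: kqfwhdzaaabaaaxmr3y8v0wq2l5ncp6d.example. IN A + (203.0.113.5)
28-Jan-2009 11:21:02.019 queries: info: client 192.0.2.10#51234: query: aafwbdcaaabaaadde1f2g3h4i5j6k7l8.example. IN A + (203.0.113.5)
28-Jan-2009 11:21:40.655 queries: info: client 192.0.2.10#51234: query: zzfwydxaaabaaawwv9u8t7s6r5q4p3o2.example. IN A + (203.0.113.5)
28-Jan-2009 11:59:12.008 queries: info: client 192.0.2.10#51234: query: example. IN NS + (203.0.113.5)
"""

QNAME_RE = re.compile(r"query: ([a-z0-9.-]+)\. IN (\w+)")
GENERATED_RE = re.compile(r"[a-z0-9]+")


def first_labels(text):
    """Leftmost label of every query name in the log ('pjfw...' from 'pjfw....example.')."""
    labels = []
    for line in text.splitlines():
        m = QNAME_RE.search(line)
        if m:
            labels.append(m.group(1).split(".")[0])
    return labels


def looks_generated(label, width=32):
    """The post's signature: exactly `width` lower-case alphanumerics."""
    return len(label) == width and GENERATED_RE.fullmatch(label) is not None


def position_mask(labels, wildcard="."):
    """Per-position mask over equal-length labels: the shared character where all
    agree, `wildcard` where they differ."""
    if not labels:
        return ""
    width = len(labels[0])
    if any(len(lab) != width for lab in labels):
        raise ValueError("labels differ in length")
    return "".join(col[0] if len(set(col)) == 1 else wildcard for col in zip(*labels))


def summarise(text, width=32):
    """Count the generated-looking names in a log excerpt and derive their mask."""
    labels = [lab for lab in first_labels(text) if looks_generated(lab, width)]
    return {"count": len(labels), "distinct": len(set(labels)), "mask": position_mask(labels)}


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

The `distinct` count is worth keeping next to `count`: a burst of identical names is a retry storm, whereas a high distinct count with a stable mask is the pattern described in this thread.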
Re: Charter.net email routing issues
Meta: I'm one of the mailop list admins...

On Tue, 2009-02-24 at 07:50 +0530, Suresh Ramasubramanian wrote:
> Anybody actually on that list? Most of the serious mailops work is on some other, entirely different lists.

There are almost 400 on the list now, and it grows with every single mention here and on other lists. The reason Andy created it was in response to the plethora of "any ISP XYZ mail admins contact me off list" messages NANOG used to see, along with several threads which some posters saw as non-operational.

I'd be very pleased to know about the other lists, especially as in previous years I've always come up against brick walls - "you're not big enough, go away" or "we don't know you, go away". Not especially helpful, especially as the latter case would be resolved by allowing more open subscription.

> And why do people have to think nanog is solely for packet pushing related ops? Email is operational, and it's often the first ops failure that your users notice, right after the ones that go "I can't get to my pr0n".

Email is operational, yes. But there are many on NANOG who feel that it isn't, judging by the reaction in the past to long-running threads about it.

Graeme
Re: [NANOG] attempt to capture nominet board
On Thu, 2008-04-24 at 19:30 +0900, Randy Bush wrote:
> if you are a nominet voting member or know someone who is, i strongly encourage you to read these two documents,

Results are that of the two new board members, one was a candidate campaigning for change within the organisation (Randy used other terminology), and the specific special resolution put forward by the board in order to allow themselves to strengthen the board with non-exec directors was not passed.

The fact that only 15% of the registered members voted (carrying 60% of the votes) is perhaps the single most sobering point.

Graeme

___
NANOG mailing list
NANOG@nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog
Re: Fake-alert: VERIFY YOUR MERIT.EDU WEBMAIL ACCOUNT
On Sat, 2008-05-24 at 17:02 +0200, Peter Dambier wrote:
> I don't trust it:

Quite right too, it's a spear-phishing attack. This is currently an almost daily occurrence for .edu domains. The compromised accounts are frequently abused via webmail systems, being used to send out more scams.

The scammers responsible are also targeting UK higher ed institutions, with a limited degree of success. I can't really speak for my US counterparts with regard to the success of the attacks, but one would surmise that it's more or less the same.

To paraphrase badly: All users are gullible, but some are more gullible than others.

-g
Re: Exploit for DNS Cache Poisoning - RELEASED
On Fri, 2008-07-25 at 18:14 -0400, Pete Carah wrote:
> I saw much more than this *from the same address* starting two days ago, and from several other blocks belonging to the same university starting last week, to my home router and another server. So far my better connected servers haven't been hit hard. (and no non-auto answer from "security" at that university...)

I saw this earlier in the week, along with queries for a domain name which happens to have been registered by Dan Kaminsky, so I emailed him about it. The addresses in question at Georgia Tech appear to be in use as part of Doxpara's scan for unpatched systems, which he confirmed.

For those who are bothered, look out for queries from the same netblock of the form:

rB6CIo_XgRlScY5K0iGISAAvygwAACujBAA=.ports.dns-integrity-scan.com/A/IN

It's probably obvious to one and all what they should be for. And the fact that the queries are denied by correctly configured (i.e. non-open) resolvers makes it even less of a panic.

The sky isn't falling... yet.

Graeme
Re: Exploit for DNS Cache Poisoning - RELEASED
On Fri, 2008-07-25 at 23:25 +0100, Graeme Fowler wrote:
> I saw this earlier in the week, along with queries for a domain name which happens to have been registered by Dan Kaminsky, so I emailed him about it. The addresses in question at Georgia Tech appear to be in use as part of Doxpara's scan for unpatched systems, which he confirmed.

And for extra points, can anyone with access to the raw un-logwatched log entries tell us what's rather odd about the queries, given the current furore over... well, that'd give the answer ;-)

Graeme
RE: SPF Configurations
On Fri, 2009-12-04 at 11:45 -0500, Jeffrey Negro wrote:
> Thanks for your input on this. My main concern is mail filters at the end users side thinking that our mail servers are spoofing our customer's domain.

If you really feel that SPF is going to help, then keep all the mail in your domain's control by using VERP addresses as the envelope sender address (like most decent modern MLM packages do). That way you can have a "From: " header in the customer domain (or of your choosing), and the envelope sender in your own.

The benefit here is that not only does it make the usage of SPF a lot less complex, but it also means that all bounces come back to the originating system and can be handled accordingly. Have a look at the headers of this message for a well-formed example.

Of course, this does depend upon people believing that SPF is actually useful...

Graeme
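The split the reply describes, a customer-branded `From:` header with the envelope sender in the sending system's own domain, looks like this in code. This is an added example, not code from the thread or from any mailing-list package: `verp_sender` encodes the recipient into the bounce address, `recipient_from_verp` maps a bounce that later arrives at that address back to the recipient it concerns, and `build_notification` puts both halves together. The domains and addresses are constructed, and the `+` separator with `local=domain` encoding is one common VERP convention assumed here rather than something the thread specifies.

```python
"""VERP envelope senders: the bounce address encodes the recipient, so the
message can carry the customer's From: header while the envelope sender stays
in the sending system's own domain, and every bounce comes home attributable.

Added example, not from the thread or any MLM package. Domains and addresses
are constructed; the '+' separator and 'local=domain' encoding are an assumed
convention (Mailman-style VERP), not a requirement from the thread.
"""
from email.message import EmailMessage


def verp_sender(bounce_local, our_domain, recipient, sep="+"):
    """'news-bounces', 'mail.provider.example', 'alice@customer.example'
    -> 'news-bounces+alice=customer.example@mail.provider.example'"""
    r_local, r_domain = recipient.rsplit("@", 1)
    return f"{bounce_local}{sep}{r_local}={r_domain}@{our_domain}"


def recipient_from_verp(bounced_to, bounce_local, our_domain, sep="+"):
    """Inverse of verp_sender; None when the address is not one of our VERP senders."""
    if "@" not in bounced_to:
        return None
    b_local, b_domain = bounced_to.rsplit("@", 1)
    prefix = f"{bounce_local}{sep}"
    if b_domain.lower() != our_domain.lower() or not b_local.lower().startswith(prefix.lower()):
        return None
    encoded = b_local[len(prefix):]
    if "=" not in encoded:
        return None
    # The last '=' stands for the recipient's '@'; local parts may themselves contain '='.
    r_local, r_domain = encoded.rsplit("=", 1)
    if not r_local or not r_domain:
        return None
    return f"{r_local}@{r_domain}"


def build_notification(recipient, customer_from, subject, body,
                       bounce_local="news-bounces", our_domain="mail.provider.example"):
    """Return (envelope_sender, message): customer-branded header From:,
    VERP envelope sender in our own domain, Sender: naming the injecting system."""
    envelope_sender = verp_sender(bounce_local, our_domain, recipient)
    msg = EmailMessage()
    msg["From"] = customer_from
    msg["Sender"] = f"{bounce_local}@{our_domain}"
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return envelope_sender, msg


if __name__ == "__main__":
    env, msg = build_notification("alice@customer.example",
                                  "Customer News <news@customer.example>",
                                  "Weekly update", "Hello Alice")
    print(f"MAIL FROM:<{env}>")
    print(msg)
    # A bounce later arrives addressed to the VERP sender; map it back to the recipient:
    print(recipient_from_verp(env, "news-bounces", "mail.provider.example"))
```

The envelope sender (what goes in `MAIL FROM`) is what SPF checks, which is why keeping it in your own domain removes the need for the customer's SPF record to list your servers; the `From:` header the recipient sees is untouched.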
Re: D/DoS mitigation hardware/software needed.
On Wed, 2010-01-06 at 17:00 +0200, Hank Nussbacher wrote:
> In that case, how do you run your current service:
> http://www.vialtus.com/en/Solutions/Hosting-and-Datacentre-Services/Security-Solutions/Distributed-Denial-of-Service-Protection.aspx

It says how, right on that page. Not Arbor.

Graeme
(ex PIPEX employee who had first hand experience of just how good the aforementioned Cisco Guard kit was in production)
Re: Default Passwords for World Wide Packets/Lightning Edge Equipment
On Wed, 2010-01-13 at 15:12 -0500, Steven Bellovin wrote:
> Lots of gear has a button/jumper/pop_the_CMOS battery/other_physical_presence_magic to reset things to factory state, including the default pw. The thread went on to why default passwords are bad, to passwords on the bottom of the device, to RFIDs because the devices of interest to this community are racked and stacked -- and back to theme #2: default passwords are bad...

And somewhere in the dim and distant past (Jan 6th), Nathan announced that he'd sorted out his original problem and now had the defaults.

What a peculiar bunch we are. And this from the group lauded as anonymously and peacefully co-existing to hold the Internet together, eh?

Graeme
Re: Spamhaus...
On Sun, 2010-02-21 at 06:27 +, John Levine wrote:
> In my experience, they're pretty reasonable. I would talk to them (or one of their datafeed sales agents) before assuming that they won't sell you the service you need.

They are indeed. In my day job, a large group of related members of different institutions approached our umbrella networking organisation to speak to Spamhaus for the specific reason that we were concerned that:

a) between us we were making millions (if not billions) of queries a day to the mirror servers, and
b) collective negotiation would make a service available for all of us for far less than individual orgs paying for their own.

We now have a "private" mirror, which is accessible only from within the same AS in which we all sit. The load is therefore not on the Spamhaus servers or public mirrors, and we're collectively paying for the service so the service is supported. Everyone wins.

Unfortunately (for this discussion) I don't know how much it cost, but I would assume it wasn't much because the lead time between request and service implementation was pretty short.

Personally I think Spamhaus are entirely correct to identify and block, or request payment, from heavy users of their _free_ service. A little like the organisations paying many other members of this list will do for heavy data users in a residential or mobile context, in fact - but that's far too controversial an issue to be conflated with this one (oh dear).

Graeme
Re: Spamhaus and Barracuda Networks BRBL
On Mon, 2010-02-22 at 14:40 -0500, Dave Sparro wrote:
> Their list, their rules; but it is indeed strange to me.

Not too strange: Little Bobby probably does one or two jobs and goes away, leaving the system to run by itself. The SpamAssassin people receive nothing from his choice of software.

If Bob decides he wants to buy a commercial appliance from a profit-making company (presumption being made here) who are in turn making significant use of a "free" resource such as the SpamHaus lists in their appliance's configuration, and those appliances become very popular (as I understand they might be), then the infrastructure costs associated with the appliance are shifted away from both the vendor and the end-user onto the provider.

If said provider gets a bit shirty about this and decides that they're going to analyse and block traffic from those appliances if they haven't paid for a service...

If you stand back and look at this dispassionately then I would expect a large majority of this list would probably act in a similar way (or their companies or employers would) given a similar situation with their services.

TANSTAAFL. Really. Someone has to pay for the meal; why should it be the chef?

Graeme
Re: Spamcop Blocks Facebook?
On Thu, 2010-03-04 at 23:27 -0800, Shon Elliott wrote:
> So really, my customers, and myself are victims of Spamcop's blocking of Facebook.

I forget how far back in this thread someone said: Spamcop *listed* Facebook for valid reasons according to their published listing criteria. Other people blocked it. Not Spamcop.

FWIW outright blocking on a Spamcop listing is a particularly risky business; best to use a listing as an intelligence point towards a decision whether to block a given message or not. That's why Spamcop is referred to by the default SpamAssassin ruleset, but not in a big enough way to block outright.

Fresh operational content: one of the reasons services like Spamcop occasionally list services like Facebook is that they don't honour 5xx responses to RCPT TO:. I'd offer some statistics but I'm concerned that the legal brigade will jump down my throat, but I suggest that anyone running a system like an academic mail platform take a look at the number of invalid recipients services like Facebook try to deliver. If they stopped doing that they'd be a long way towards better behaviour, IMO.

Graeme
Re: Spamcop Blocks Facebook?
On Fri, 2010-03-05 at 09:08 -0600, David E. Smith wrote:
> As long as we're going off-topic, might as well go all the way :V

Well, the conversation has continued here despite repeated mentions of mai...@mailop.org so unless the MLC deem it off-topic and squash the thread I guess it'll rumble on. My reply below, although based on email, is most definitely on-topic as it covers "good neighbo(u)r" behaviour and could just as easily apply to all manner of bits and protocols which members of this list shovel around daily.

Anyway:

> How long should a sender (say, Facebook) retain a database of 5xx SMTP responses? Just because jim...@school.edu doesn't exist today, doesn't mean that James Robert Jones won't enroll in the fall and get jimbob@ as his school-provided email address.

Then that would be spam, would it not? The incoming jimbob isn't the one who left. The incoming jimbob doesn't want to hear about the old jimbob's friends "fun night out", or be invited to their stag parties, or receive discriminatory, lewd or offensive material.

Context: in $dayjob we have a delay before re-using usernames. Student email addresses are never re-used, but many students use the "short" form - u...@domain - of their email address to register with Facebook. [As a consequence of this problem alone, their ability to do so is being phased out]

This academic year alone I have had to request Facebook strip an address from an account several times, 2 of which were for accounts which expired here over 12 months previously. In each of those cases, Facebook had been repeatedly attempting delivery of notifications/invitations and so on since the account had expired. *That's* why I mentioned it. If they had any decency they would trap those 5xx errors and do something to the account with the failing address after some period/number of failures. You know, a bit like Mailman, Sympa and other decent mailing list applications do.

And yes, in at least one of the aforementioned cases the incoming recipient was clearly very upset at the emails they were receiving.

So it isn't that surprising that they occasionally hit spamtraps or have complaints made against them which result in DNSBL entries. If they played nicely and observed the responses to their outgoing email stream, then it would be far less likely to happen.

I guess the return question is: how long should a given operator return 5xx responses to increasing numbers of Facebook emails before trying to do something about it?

Graeme
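What "trap those 5xx errors and do something after some period/number of failures" looks like as a sender-side policy, and why the earlier post's observation that a listing follows from ignoring `RCPT TO:` rejections is avoidable: the script below is an added example, not the code of Facebook, Mailman or Sympa. It reads a delivery log, counts permanent (5xx) answers per recipient, ignores temporary (4xx) ones, resets on a successful (2xx) delivery, and suppresses an address once the failures have both reached a count and been spread over a minimum period, so three rejections in one burst are not enough on their own. The log lines, domains and the policy values (3 failures over at least 7 days) are constructed for the example and are not figures from the thread.

```python
"""Track permanent (5xx) RCPT TO answers per recipient and suppress addresses
that keep failing: the 'do something after some period/number of failures'
behaviour the post asks bulk senders for.

Added example, not the code of Facebook, Mailman or Sympa. The log excerpt is
constructed (one delivery attempt per line, .example domains); the threshold
(3 failures) and minimum span (7 days) are assumed policy values.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

SAMPLE_LOG = """\
2010-02-20T08:00:00 to=<jimbob@school.example> status=bounced smtp=550 dsn=5.1.1 reason="User unknown"
2010-02-23T08:00:00 to=<jimbob@school.example> status=bounced smtp=550 dsn=5.1.1 reason="User unknown"
2010-03-01T08:00:00 to=<jimbob@school.example> status=bounced smtp=550 dsn=5.1.1 reason="User unknown"
2010-03-01T08:00:00 to=<carol@school.example> status=deferred smtp=450 dsn=4.2.1 reason="Mailbox busy"
2010-03-02T08:00:00 to=<carol@school.example> status=deferred smtp=450 dsn=4.2.1 reason="Mailbox busy"
2010-03-03T08:00:00 to=<carol@school.example> status=deferred smtp=450 dsn=4.2.1 reason="Mailbox busy"
2010-03-01T08:00:00 to=<dave@school.example> status=bounced smtp=550 dsn=5.1.1 reason="User unknown"
2010-03-02T08:00:00 to=<dave@school.example> status=sent smtp=250 dsn=2.0.0 reason="Ok"
2010-03-04T09:00:00 to=<erin@school.example> status=bounced smtp=550 dsn=5.1.1 reason="User unknown"
2010-03-04T09:20:00 to=<erin@school.example> status=bounced smtp=550 dsn=5.1.1 reason="User unknown"
2010-03-04T09:40:00 to=<erin@school.example> status=bounced smtp=550 dsn=5.1.1 reason="User unknown"
"""

LINE_RE = re.compile(r"^(\S+) to=<([^>]+)> status=\w+ smtp=(\d{3})")


@dataclass
class RecipientState:
    hard_failures: list = field(default_factory=list)  # timestamps of 5xx answers since last success
    suppressed: bool = False  # once set it stays set until an operator re-enables the address


def parse_events(text):
    """(timestamp, recipient, smtp_code) for each parseable line, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2).lower(), int(m.group(3))))
    events.sort(key=lambda e: e[0])
    return events


def apply_suppression_policy(events, max_failures=3, min_span=timedelta(days=7)):
    """Suppress an address once it has returned `max_failures` 5xx answers spread
    over at least `min_span`. A 2xx clears the history (the address works again);
    4xx answers are temporary and are not counted."""
    state = defaultdict(RecipientState)
    for when, addr, code in events:
        s = state[addr]
        if 200 <= code < 300:
            s.hard_failures.clear()
        elif 500 <= code < 600:
            s.hard_failures.append(when)
            if (len(s.hard_failures) >= max_failures
                    and s.hard_failures[-1] - s.hard_failures[0] >= min_span):
                s.suppressed = True
    return dict(state)


def suppressed_addresses(text, max_failures=3, min_span_days=7):
    """Sorted list of addresses the policy would stop sending to."""
    states = apply_suppression_policy(parse_events(text), max_failures,
                                      timedelta(days=min_span_days))
    return sorted(addr for addr, s in states.items() if s.suppressed)


if __name__ == "__main__":
    print(suppressed_addresses(SAMPLE_LOG))
```

In the constructed log only jimbob is suppressed: carol's answers are all 4xx, dave's single 550 is wiped by the later 250, and erin's three 550s arrived within forty minutes, so the minimum span is not met (drop `min_span_days` to 0 and erin is suppressed too). A production version would also want to look at the enhanced status code, since a `5.1.1` (no such user) deserves suppression sooner than a `5.7.x` policy rejection that the receiving site may lift.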