Need help from walmart.com NOC
Hi, We run an Internet filtering service for protecting kids and folks with addiction issues. As of a couple of days ago, walmart.com stopped responding to requests (connection is formed but no response) through our filtering servers. If anyone here from Walmart could contact me off list, that would be greatly appreciated. Thank you in advance. -J
Re: "Unlimited" wireless data...
I would second Nathan's experience. Tried to use them for our corporate office as a life boat when our T1 provider was sold to an outfit that didn't answer the support lines. Clear's NAT is atrocious and can't be turned off, so you can't drop a real firewall behind it on a single static. -J Jason J. W. Williams, COO/CTO DigiTar william...@digitar.com V: 208.343.8520 F: 208.322.8522 M: 208.863.0727 www.digitar.com On Dec 3, 2010, at 4:47 PM, Nathan Eisenberg wrote: > >> This came up in another thread yesterday or today, and I just got the >> solicitation mailer for Clearwire's WiMAX service in Tampa Bay, which they >> call "4G", though the ITU disagrees. >> >> The AUP is here: http://www.clear.com/legal/aup > > I cannot strongly enough discourage you from using their service. My > experience with them has been consistently awful - and given that they're > headquartered in my area, that's unacceptable. I'm informed that my > experience is not at all unique - either to the Seattle area or to their > service at large. Their Wikipedia article tells you pretty much everything > you need to know. > > http://en.wikipedia.org/wiki/Clearwire > > Their definition of unlimited tends to be "barely acceptable throughput > levels, until you start streaming youtube/netflix or doing a long-running > download or using bittorrent to seed files to your work PC and laptop or > using your VPN to retrieve a document, in which case, we won't turn you off, > we'll just silently jail you into a 32-128kbps bandwidth profile. Also, > have some poorly implemented NAT on our ludicrously underpowered CPEs!" > > I also understand that they've been having financial difficulties, so they're > unlikely to address the issues their customers are faced with. > > If I were you, I would keep your backpack offline until another option is > available. You're not going to be able to use VOIP on their service, anyways. > > Nathan > (Speaking as an individual - not as the company I work for.) > > !SIG:4cf9826a241136755510774! >
Re: IPAM
We've been using IPplan for about 5 years pretty effectively. It could use a UI refresh but it's decent. -J ---- Jason J. W. Williams, COO/CTO DigiTar william...@digitar.com V: 208.343.8520 F: 208.322.8522 M: 208.863.0727 www.digitar.com On Apr 26, 2010, at 10:08 AM, Phil Regnauld wrote: > > > > On 26/04/2010, at 17.57, Bryan Fields wrote: > >> Is anyone running IPplan? http://iptrack.sourceforge.net/ I looked at it >> before, and at the time it's support of V6 was lacking. Is anyone running >> this in a SP environment with v6? >> >> Any other OSS tools for this people are using? > > Check out tipp: > > http://tipp.tobez.org/ > > There was a discussion thread on this topic not long ago here. > > Cheers, > Phil > > !SIG:4bd5badd162723911514005! >
Re: useful bgp example
I'd recommend BGP4 Inter-Domain Routing in the Internet by Stewart. Was very helpful when I was learning. -J Jason J. W. Williams, COO/CTO DigiTar william...@digitar.com V: 208.343.8520 F: 208.322.8522 M: 208.863.0727 www.digitar.com On May 17, 2010, at 6:53 PM, Doug Barton wrote: > > On 05/17/10 17:15, Ravi Pina wrote: >> >> I think Internet Routing Architectures (2nd Edition) by Bassam >> Halab is also a must have. Read that and hopefully the scope of >> the work ahead will be brought into focus that you'll hire >> someone to do it correctly and document and possibly train you >> and/or your staff. > > I agree completely, and wish that more people applied that same line of > reasoning to other things, like, oh, say, DNS perhaps? :) > > > Doug > > -- > > ... and that's just a little bit of history repeating. > -- Propellerheads > > Improve the effectiveness of your Internet presence with > a domain name makeover!http://SupersetSolutions.com/ > > !SIG:4bf1e5a8162722700917759! >
RE: large organization nameservers sending icmp packets to dns servers.
Hi Guys, All things being equal (which they're usually not) you could use the ACK response time of the TCP handshake if they've got TCP DNS resolution available. Though again most don't for security reasons... -J -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, August 06, 2007 11:35 AM To: John Levine Cc: nanog@nanog.org Subject: Re: large organization nameservers sending icmp packets to dns servers. On Mon, 06 Aug 2007 17:21:49 -, John Levine said: > > >> Sounds like one of the global-scale load balancers - when you do a > >> (presumably) recursive DNS lookup of one of their hosts, they'll > >> ping the nameserver from several locations and see which one gets > >> an answer the fastest. > > Why would they ping rather than just sending the query to all of the > NS and see which one answers first? It's an IP round trip either way. If you have sites in San Fran, London, and Tokyo, and you launch a ping from all 3 and see which one gets there first, you'll *know* the RTT from each site. If you just send DNS replies from all 3, you don't have a good way of telling which one got to the destination first. Your method works if *I* want to know which one of the 3 sites is closest (assuming I can identify an DNS server at the 3 sites). The problem of the owner of the 3 sites trying to identify which one I'm closest to isn't symmetric to it.
RE: large organization nameservers sending icmp packets to dns servers.
> The answer is simple- because they are supposed to be allowed. By disallowing > them you are breaking the agreed upon rules for the protocol. Before > long it becomes impossible to implement new features because you can't be > sure if someone else hasn't broken something intentionally. I don't really have a dog in this fight about TCP 53. It does seem to me that it's a bit black and white to treat the RFCs as religious texts. It's important to follow them wherever possible, but frankly they don't foresee the bulk of the future security issues that usually materialize. So if a feature of the RFC isn't working for you security-wise, I believe it's your call to break with it there. As someone else said, don't complain when it breaks other things as well however. > If you don't like the rules- then change the damned protocol. Stop just > doing whatever you want and then complaining when other people disagree > with you. I think its possible to disagree without calling other folks stupid... Best Regards, Jason
RE: Criminals, The Network, and You [Was: Something Else]
Hi All, It seems to me reverse DNS just isn't an acceptable anti-spam measure. Too many broken reverses exist with smaller companies (try getting a 3rd party to fix it). It's not that hard for a bot to figure out a DSL's reverse entry and use that for its HELO. And there are a lot more effective pre-processing anti-spam measures, including greylisting (with its own problems) and reputation-based systems. Best Regards, Jason -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stephen Satchell Sent: Wednesday, September 12, 2007 9:55 AM To: nanog@nanog.org Subject: Re: Criminals, The Network, and You [Was: Something Else] My mail servers return 5xx on NXDOMAIN. If my little shop can spend not too much money for three-9s reliability in the DNS servers, other shops can as well. When I first deployed the system, the overwhelming majority of the rejects were from otherwise known spam locations (looking at Spamhaus, Spamcop, and a couple of other well-known DNSBLs). The number of false positives were so small that whitelisting was easy and simple to maintain. If a shop is not multihomed, they can contract with one or more DNS hosts to provide high-availability DNS, particularly for their in-addr.arpa zones. It's not hard. Nor expensive. Paul Ferguson wrote: > Re-sending due to Merit's minor outage. > > - ferg > > > -- Forwarded Message -- > > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > - -- Robert Blayzor <[EMAIL PROTECTED]> wrote: > >> The fact that they're rejecting on a 5xx error based on no DNS PTR is a= > > bit harsh. While I'm all for requiring all hosts to have valid PTR > records, there are times when transient or problem servers can cause a > DNS lookup failure or miss, etc. If anything they should be returning a= > > 4xx to have the remote host"try again later". > > Oh, wait till you realize that some of the HTTP returns are bogus > altogether -- and actually still serve malware. > > It's pretty rampant right now. :-/ > > - - ferg > > -BEGIN PGP SIGNATURE- > Version: PGP Desktop 9.6.2 (Build 2014) > > wj8DBQFGxR1lq1pz9mNUZTMRApQRAKCEOLpuu69A1+B4vCHQTZs+hHLKaACcD1Ak > 9JNwl2i1mL08WNUQSlXBYGM=3D > =3DffuN > -END PGP SIGNATURE- > > > -- > "Fergie", a.k.a. Paul Ferguson > Engineering Architecture for the Internet > fergdawg(at)netzero.net > ferg's tech blog: http://fergdawg.blogspot.com/ > > > > !SIG:46e80d6b62576097418713!
RE: Criminals, The Network, and You [Was: Something Else]
Hi Steve, In my opinion, the first and fourth statements are not necessarily in conflict. A reputation system based purely on reverses is pretty broken. Also, it is not necessary to use it as a factor in calculating a very reliable reputation. I'm having trouble seeing how the first and third are in conflict as well, but I may be indexing statements differently. Regarding the second, you're absolutely right. It's not your responsibility if a 3rd party doesn't have a rDNS entry (at all or non-generic), however the reality is you're going to have to deal with it anyway. If your customers allow you to tell the senders to buzz off and fix it, that's terrific. However, you're in a more authoritarian (IT-wise) environment than most I would suspect. Also, you risk hurting your customers. As an example, it's not a suitable answer to our law firm customers who are critically-dependent on receiving e-mail from hopelessly broken senders. >As for the third, well, now you know why I use generic rDNS detection to >defeat bots. As you say, "It's not that hard for a bot to figure out >[any infected host]'s reverse entry and use that for its HELO". In fact, >that's exactly what many of them do, when they're not forging well known >services or sending unqualified/unresolvable strings in HELO/EHLO. And >that, in itself, is responsible for over a fifth of our SMTP-time spam >detections (and rejections, so there's no outscatter, unlike with a wide >variety of "antispam" appliances, such as Barracudas). It's a sensible >and sane perimeter defense tactic, far better than what I see most doing. It's not disputable that rejecting generic rDNS hits (or failures depending on your point of view) will gain you benefits. What I think is disputable, is the benefit to false positive ratio. About 60% of our botnet analyses show unqualified, or outright out-of-spec HELOs. One can catch the remaining 40% through correlation of certain SMTP factors with the results of content-analysis. Near real-time data mining of both informational inputs shouldn't be underplayed. Lastly, I fully agree one should reject as much as possible before the SMTP session ends. Whether or not rDNS is a good anti-spam measure for you entails a lot of factors. I posit from our own statistical analyses the benefit to pain ratio issue is not high enough. Particularly, when there so many other correlations you can run that have lower false positive rates. Best Regards, Jason
RE: Yahoo! Mail/Sys Admin
Hi Ray, And Yahoo's better than MSN at having a live body resolve the issue... Good luck. Hopefully, someone at Yahoo! Has heard you. :-) -J -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond L. Corbin Sent: Sunday, September 23, 2007 7:37 PM To: Suresh Ramasubramanian Cc: nanog@nanog.org Subject: RE: Yahoo! Mail/Sys Admin I've used those forms. All I get are canned responses :/ -Ray -Original Message- From: Suresh Ramasubramanian [mailto:[EMAIL PROTECTED] Sent: Sunday, September 23, 2007 8:58 PM To: Raymond L. Corbin Cc: nanog@nanog.org Subject: Re: Yahoo! Mail/Sys Admin On 9/24/07, Raymond L. Corbin <[EMAIL PROTECTED]> wrote: > Can a Yahoo! Mail/SysAdmin contact me off list? I am having a problem > with multiple mail servers within our network not being able to send to > Yahoo mail servers. http://help.yahoo.com/l/us/yahoo/mail/yahoomail/postmaster/ -- Suresh Ramasubramanian ([EMAIL PROTECTED]) !SIG:46f7185962571437352537!
RE: Worst Offenders/Active Attackers blacklists
My suggestion would be not even to try iptables. It'll take hours just to load 10 million entries. There's no efficient mass loading interface. -J > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of > [EMAIL PROTECTED] > Sent: Monday, January 28, 2008 4:23 PM > To: Tomas L. Byrnes > Cc: nanog@nanog.org > Subject: Re: Worst Offenders/Active Attackers blacklists > > On Sun, 27 Jan 2008 12:21:27 PST, "Tomas L. Byrnes" said: > > I'm the CTO and founder of ThreatSTOP (www.threatstop.com), and we're > > currently propagating the DShield, and some other, block lists for > use > > in firewalls. I'm interested in gathering additional threat > > information, and serving additional communities. > > > > Is there any interest in a collaborative platform where anonymized > > candidates for blocking would be submitted by a trusted group, and > > then propagated out to the whole group? > > http://www.ranum.com/security/computer_security/editorials/dumb/ > > This illustrates dumb idea #2. Explain to me how you intend to > enumerate enough of the "bad" hosts out there that such a blocklist > would help, while still having it small enough that you don't blow out > the RAM on whatever device you're installing it on. Have you *tested* > whatever iptables/ipf/ACL for proper operation with 10 million entries? > >
[NANOG] Earthlink Relayed Spam Increase
Hey Y'all, We're seeing a marked increase of spam originating from Earthlink mail servers over the past week and a half. Is anyone else seeing a spike localized to Earthlink as well? Thank you in advance. Best Regards, Jason --- Jason J. W. Williams COO/CTO, DigiTar http://www.digitar.com E: [EMAIL PROTECTED] V: 208-343-8520 M: 208-863-0727 F: 208-322-8520 XMPP: [EMAIL PROTECTED] ___ NANOG mailing list NANOG@nanog.org http://mailman.nanog.org/mailman/listinfo/nanog
Re: [NANOG] Earthlink Relayed Spam Increase
I believe it. We generate our own list with temporary (6 hour blocks), and Earthlinks servers seem to be rolling on and off regularly. -J --- Jason J. W. Williams COO/CTO, DigiTar http://www.digitar.com E: [EMAIL PROTECTED] V: 208-343-8520 M: 208-863-0727 F: 208-322-8520 XMPP: [EMAIL PROTECTED] -Original Message- From: Kameron Gasso [mailto:[EMAIL PROTECTED] Sent: Monday, May 19, 2008 2:24 PM To: Jason J. W. Williams Cc: [EMAIL PROTECTED] Subject: Re: [NANOG] Earthlink Relayed Spam Increase Jason J. W. Williams wrote: > We're seeing a marked increase of spam originating from Earthlink mail > servers over the past week and a half. Is anyone else seeing a spike > localized to Earthlink as well? We've seen a fair amount lately. Additionally, a couple of people I assist with administration were having issues due to their use of SORBS and several of Earthlink's mail servers being listed for several days. -- Kameron Gasso | Senior Systems Administrator | visp.net Direct: 541-955-6903 | Fax: 541-471-0821 !SIG:4831e28e71591368614419! ___ NANOG mailing list NANOG@nanog.org http://mailman.nanog.org/mailman/listinfo/nanog
RE: Hughes Network
Has anyone else noticed that the [NANOG] prefix has been missing intermittently from the list traffic over the last couple of days? -J --- Jason J. W. Williams COO/CTO, DigiTar http://www.digitar.com E: [EMAIL PROTECTED] V: 208-343-8520 M: 208-863-0727 F: 208-322-8520 XMPP: [EMAIL PROTECTED] -Original Message- From: rar [mailto:[EMAIL PROTECTED] Sent: Thursday, May 22, 2008 10:04 AM To: Joe Blanchard; nanog@nanog.org Subject: RE: Hughes Network I have tried everything I can think of to get good technical support from Hughesnet. I sent a Fed Ex package outlining a problem to the President. Never heard a word. The people in India where a nightmare. I worked with one of their sales reps and no satisfaction. If you find anyone who can help with technical issues, and they are willing to help another soon to be ex-customer with an issue in Haiti, let me know. Bob Roswell System Source [EMAIL PROTECTED] (410) 771-5544 ext 4336 -Original Message- From: Joe Blanchard [mailto:[EMAIL PROTECTED] Sent: Thursday, May 22, 2008 10:38 AM To: nanog@nanog.org Subject: Hughes Network Pardon the request, Is their anyone on the NANOG list from Hughesnet? I'm facing an issue with reverse DNS (RFC1912) that is difficult at best to resolve in India. ;) Please contact me off list. Regards, Joe Blanchard !SIG:48359a1571591351813437!
RE: Hughes Network
Guess I missed it. I remember the announcement for the move from merit.edu to nanog.org. -J --- Jason J. W. Williams COO/CTO, DigiTar http://www.digitar.com E: [EMAIL PROTECTED] V: 208-343-8520 M: 208-863-0727 F: 208-322-8520 XMPP: [EMAIL PROTECTED] -Original Message- From: Jim Popovitch [mailto:[EMAIL PROTECTED] Sent: Thursday, May 22, 2008 3:47 PM To: nanog Subject: Re: Hughes Network On Thu, May 22, 2008 at 1:39 PM, Jason J. W. Williams <[EMAIL PROTECTED]> wrote: > Has anyone else noticed that the [NANOG] prefix has been missing > intermittently from the list traffic over the last couple of days? This was planned, and then announced approx 5 days ago. You are subscribed to nanog-announce, right? ;-) -Jim P. !SIG:4835ea2f71591632796761!
RE: Hughes Network
Actually, I'm not subscribed to nanog-announce. -J --- Jason J. W. Williams COO/CTO, DigiTar http://www.digitar.com E: [EMAIL PROTECTED] V: 208-343-8520 M: 208-863-0727 F: 208-322-8520 XMPP: [EMAIL PROTECTED] -Original Message- From: Jim Popovitch [mailto:[EMAIL PROTECTED] Sent: Thursday, May 22, 2008 3:47 PM To: nanog Subject: Re: Hughes Network On Thu, May 22, 2008 at 1:39 PM, Jason J. W. Williams <[EMAIL PROTECTED]> wrote: > Has anyone else noticed that the [NANOG] prefix has been missing > intermittently from the list traffic over the last couple of days? This was planned, and then announced approx 5 days ago. You are subscribed to nanog-announce, right? ;-) -Jim P. !SIG:4835ea2f71591632796761!
RE: [Nanog-futures] Announce list: Re: Hughes Network
I'm subscribed to both now. ;-) The advantage to the NANOG subject header was obviously it was resilient to e-mail address changes for the list. A nice attribute given e-mails now come in from both nanog@nanog.org and [EMAIL PROTECTED] addresses. Anyhow, I assume there was compelling reason for the change. -J --- Jason J. W. Williams COO/CTO, DigiTar http://www.digitar.com E: [EMAIL PROTECTED] V: 208-343-8520 M: 208-863-0727 F: 208-322-8520 XMPP: [EMAIL PROTECTED] -Original Message- From: Sam Stickland [mailto:[EMAIL PROTECTED] Sent: Friday, May 23, 2008 7:59 AM To: Joe Abley Cc: nanog; nanog-futures Subject: Re: [Nanog-futures] Announce list: Re: Hughes Network Joe Abley wrote: > > On 22 May 2008, at 23:16, James R. Cutler wrote: > >> The announcement was made to nanog-announce, but not to nanog. I >> would expect that there are scads more readers of nanog than of nanog >> announce. > > When I was sending things to nanog-announce, it was the case that mail > to nanog-announce was sent to people who had specifically subscribed > to that list, plus anybody who hadn't but who was subscribed to nanog > (in other words, it was sent to the union of both lists). > > That might have changed since the transition to mailman. It seemed > like a useful approach, though. > Kinda makes you wonder what the purpose on the announce list is though. Are there actually people subscribed to nanog-annouce that aren't subscribed to nanog? Sam !SIG:4836ce2871591551116042!
Re: austin eats
For BBQ, Rudy's is hard to beat: http://www.rudys.com/ -J Jason J. W. Williams, COO/CTO DigiTar william...@digitar.com V: 208.343.8520 F: 208.322.8522 M: 208.863.0727 www.digitar.com On Feb 16, 2010, at 7:12 PM, Randy Bush wrote: > > is there a nanog austin eats page somewhere? i lost my old link to some > wiki we used to use. > > and, a completely unverified recco from an austin friend (who thinks > chicken fried steak is the meat nearest heaven). > >> I spoke to my colleague who has lived in Austin more recently than I >> have. >> >> He recommends North By Northwest highly, in the Arboretum area. >> >> http://www.nxnwbrew.com/ >> >> When I was a Texan in exile, I would always, on returning, worship at >> the shrine of Chicken Fried Steak. Threadgill's is a timeless classic >> that specializes in it. Ken Threadgill was an Austin legend, who gave >> Janis Joplin one of her first paying gigs. Bonus: Manager Eddie Wilson >> was the Ranch Boss at the Armadillo World Headquarters, and has a shrine >> of posters and pictures from the font of Austin weirdness. >> >> http://www.threadgills.com/ >> >> He also recommends Urbanspoon as an online info source. >> >> http://www.urbanspoon.com/c/11/Austin-restaurants.html >> >> Welcome, y'all. > > !SIG:4b7b50f9162721632411545! >
Re: Best VPN Appliance
We've been running various Fortinet Fortigate appliances since 2003 and have had very good luck with them. Clustering is plug-and-play...boxes act as a single managed unit and do stateful failover of VPN connections. We use the IPsec for site-to-site between our offices and our data centers, the SSL VPN we use for all of our road tunnels. SSL clients work great on WinXP, Win7 and OS X. There's a new iPhone app as well for the web-based VPN. -J ---- Jason J. W. Williams, COO/CTO DigiTar william...@digitar.com V: 208.343.8520 F: 208.322.8522 M: 208.863.0727 www.digitar.com On Mar 5, 2010, at 8:57 AM, Dawood Iqbal wrote: > > Hello All, > > > > Is it possible to get your ideas on what VPN appliances are good to have in > enterprise network? > > > > Requirements are; > > SSL > > IPSec > > Client and Web VPN support (Win/MAC/iPhone/Android) > > If webvpn is used, then when any user connects via webvpn, we should be able > to re-direct him to any and ONLY specific application i.e SAP. > > If 2 boxes are installed then they should replicate data seamlessly. > > > > > > Regards, > > dI > > !SIG:4b912af4162726244877506! >
Re: External sanity checks
We've been pretty happy with Pingdom. They do latency with all the healthchecks...give pretty nice history graphs of latency and uptime. They'll do automatic traceroutes when a check hard fails (I.e. 3 fails from 3 different geographic locations). -J ---- Jason J. W. Williams, COO/CTO DigiTar william...@digitar.com V: 208.343.8520 F: 208.322.8522 M: 208.863.0727 www.digitar.com On 2/3/11 11:04 AM, "Philip Lavine" wrote: > >To all, > >Does any one know a Vendor (NOT Keynote) that can do sanity checks >against your web/smtp/ftp farms with pings, traceroutes, latency checks >as well as application checks (GET, POST, ESMTP, etc) > >Thank you, > >Philip > > > > > >!SIG:4d4af065241134394420122! >
