Re: sudden low spam levels?
On 04/01/11 04:04, Ken Chase wrote:
> I have two independent mailservers, and two other customers that run their own
> servers, all largely unrelated infrastructures and target domains, suddenly
> experiencing low levels of spam.

Connection and rejection counts have been going bonkers of late for me. I run filters for a number of small businesses so I don't see huge amounts of traffic, but it's usually fairly regular in volume of mail and rejected attempts.

Leading up to the 21st of December, it was fairly level but low at 60-90% normal volume of rejections per day, then the 22nd went to 200% followed by a low of 30-50% normal for 23-29th. On the 30th through the 1st of Jan, the Storm? bot went nuts and rejections went to at least 500% normal (entirely on cheap checks - HELO, rDNS). After that, I had to go double check the mail servers were actually running all the time as rejection counts hit 2-10% normal. I haven't seen an obvious Storm bot type connection since.

Did someone kill the botnet? Or have the virus writers finally decided to change tack? Or have they hunted out all the servers that reject every single attempt and no longer send to them?

The only thing I can be certain of, is that they'll be back and my spam levels will be back to normal sometime soon.
Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)
On 13/09/11 01:12, Randy Bush wrote:
>>> as eliot pointed out, to defeat dane as currently written, you would
>>> have to compromise dnssec at the same time as you compromised the CA at
>>> the same time as you ran the mitm. i.e. it _adds_ dnssec assurance to
>>> CA trust.
>> Yes, I saw that. It also drives up complexity too and makes you wonder
>> what the added value of those cert vendors is for the money you're
>> forking over. Especially when you consider the criticality of dns
>> naming for everything except web site host names using tls. And how
>> long would it be before browsers allowed
>> self-signed-but-ok'ed-using-dnssec-protected-cert-hashes?
>
> agree

I would have thought that was a perfectly acceptable end point. The multiple CA's go away (oops), replaced with everyone being able to publish and authenticate their own certificates. The DNS has to be compromised to publish certificates, but if they've managed to do that, it doesn't matter what certificate you had in the first place. There are already public keys in the DNS for DKIM which work quite well.

It lowers the cost for getting an SSL cert for your domain, but certainly not the security. Getting a cert for a domain is laughable these days. It's either too easy, or stupendously hard and ridiculous. EV certs are a joke as demonstrated by the thousands of people still getting phished since end users don't look at the address bar anyway.

So long as it's encrypted and in some way secured against the domain, it's good enough isn't it?
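The end point discussed above, a self-signed certificate accepted because its hash is published under DNSSEC, can be sketched as follows. This is an added example, not code from the thread: it assumes the TLSA record layout that DANE later standardized in RFC 6698, and the function names and certificate bytes are constructed for illustration.

```python
import hashlib
import hmac

DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}  # TLSA matching types 1 and 2


def parse_tlsa(rdata):
    """Split TLSA presentation format: usage selector matching-type hex-data."""
    usage, selector, mtype, *hex_parts = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hex_parts))


def tlsa_matches(rdata, cert_der, spki_der=None):
    """True if the presented certificate matches one usage-3 TLSA record."""
    usage, selector, mtype, assoc = parse_tlsa(rdata)
    if usage != 3:  # 3 = domain-issued certificate, no CA chain involved
        return False
    # Selector 0 covers the whole certificate, 1 only its SubjectPublicKeyInfo.
    selected = {0: cert_der, 1: spki_der}.get(selector)
    if selected is None:
        return False
    if mtype == 0:  # exact match against the published bytes
        candidate = selected
    elif mtype in DIGESTS:
        candidate = DIGESTS[mtype](selected).digest()
    else:
        return False
    return hmac.compare_digest(candidate, assoc)


def accept_self_signed(tlsa_rrset, cert_der, dnssec_validated, spki_der=None):
    """Trust the certificate only if the RRset validated and one record matches."""
    if not dnssec_validated:
        return False  # unsigned TLSA data proves nothing about the domain
    return any(tlsa_matches(r, cert_der, spki_der) for r in tlsa_rrset)


# Constructed sample data: stand-in bytes, not real certificates.
SITE_CERT = b"constructed DER bytes of the site's self-signed certificate"
OTHER_CERT = b"constructed DER bytes of a certificate made with another key"
PUBLISHED = ["3 0 1 " + hashlib.sha256(SITE_CERT).hexdigest()]

if __name__ == "__main__":
    print(accept_self_signed(PUBLISHED, SITE_CERT, dnssec_validated=True))
    print(accept_self_signed(PUBLISHED, OTHER_CERT, dnssec_validated=True))
    print(accept_self_signed(PUBLISHED, SITE_CERT, dnssec_validated=False))
```

The third call shows the dependency the message points out: without a validated DNSSEC chain the published hash carries no weight, so the whole scheme is only as strong as control of the zone.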
Re: Microsoft deems all DigiNotar certificates untrustworthy, releases
On 14/09/11 13:44, Christopher Morrow wrote:
> On Tue, Sep 13, 2011 at 11:33 PM, Jima wrote:
>> Huh? I'm a bit lost here, since I had two StartSSL certs issued yesterday
>> afternoon.
>
> orly? weird, they made a press release ~last-june (I think?) stating
> they were stopping issuance indefinitely. I do hope they are actually
> issuing again :)
>
> I like my random numbers to be free.

As claimed by the DigiNotar hacker - He compromised their servers but Eddy was manually approving certs at the time and so no certs were signed. There was information about it on the site, but it seems to be gone now.

Articles still show a screenshot of the message you're talking about [1], but the site was back alive in July when I needed a certificate.

"A separate notice on another part of the company's site says that its services would be unavailable until June 20, " [2]

I've certainly been able to issue certificates for myself since then.

[1] http://news.netcraft.com/archives/2011/06/22/startssl-suspends-services-after-security-breach.html
[2] http://threatpost.com/en_us/blogs/ca-startssl-compromised-says-certificates-not-affected-062111
Re: Request to lease IP space, or things that make you want to go hmmmmm..
On 09/03/12 09:40, Matthew Huff wrote:
> Just got an email today to our account associated with our legacy
> ARIN address space. A firm "Precision Management of Texas" is
> interested in subleasing some of our IP space for "on-demand
> solutions for brand marketers and website promotion chiefly through
> email marketing".
>
> The one thing clear within the large amount of marketing-speech is
> they want "As is the nature of this business PM seeks to obtain as
> much diversity in the allocated IP space as possible, however the
> most important thing is the Subnets need to have no abuse history."
>
> Anyone else get solicited?
>
> They seem to be flexible "We can take the IPs via GRE or BGP or other
> such tunneling solution to where you have them announced.
> Alternatively we can advertise them ourselves on our network, saving
> you the back-haul. As a third solution we can take a server on your
> network with the following specs:..."

Translation of their request:

"We'd like to use your IP address reputation to bypass spam filters by spreading our footprint out as much as possible and spam a few million people into the ground because we've ruined the reputation of every other IP address we've ever used. May we destroy your reputation?"
Re: Dear Linkedin,
On 09/06/12 05:48, Michael Thomas wrote:
> Linkedin has a blog post that ends with this sage advice:
>
> * Make sure you update your password on LinkedIn (and any site that you
> visit on the Web) at least once every few months.
>
> I have accounts at probably 100's of sites. Am I to understand that I am
> supposed to remember each one of them and dutifully update them every
> month or two?
>
> * Do not use the same password for multiple sites or accounts.
>
> So the implication is that I have 100's of passwords all unique and that
> I must change every one of them to be something new and unique every few
> months. And remember each of them. And not write them down.
>
> * Create a strong password for your account, one that includes letters,
> numbers, and other characters.
>
> And that each of those passwords needs to be really hard to guess that I
> change to every few months on 100's of web sites.
>
> I'm sorry, my brain doesn't hold that many passwords. Unless you're a
> savant, neither does yours. So what you're telling me and the rest of the
> world is impossible.
>
> What's most pathetic about this is that somebody actually believes that
> we all really deserve this finger wagging.

They have some things correct in this and some are complete hogwash.

Changing your password does not provide any additional security. It is meant to give protection against your credentials having been discovered, but if they have been compromised in that way, they'll have the one you change it to in next to no time too. If the hashes have been compromised, then yes, it's time to change the password.

Having a different password for every website is very important though, as demonstrated many times when these lists of passwords and associated usernames turn up. Anyone who uses the same password on multiple sites will find that they have their accounts on multiple services accessed instead of just the original.

What is needed are unique, highly difficult to guess passwords for each of them and that's where something like a password safe comes in. KeePassX is cross platform and can be configured so that it needs a key file and password. I keep several of them with varying levels of importance. My banking details safe is only opened on a very secure computer.

What LinkedIn need to do is improve their security so that they don't leak hashed passwords. Giving mostly correct advice like this shouldn't need to be prompted by a large security event.
Re: Craigslist hacked?
On 24/11/14 13:41, Brian Henson wrote:
> Is anyone else seeing their local craigslist redirected to another site
> other than craigslist? I see it loading http://digitalgangster.com/5um.
>

Over on [dns-operations]:

> On 24/11/14 13:38, Brad Volz wrote:
>> The craigslist account at one of our registrars was compromised and the
>> NS records migrated away from their rightful home. That issue has since
>> been corrected, but the various caches around the Internet are still
>> holding the old data.
>>
>> If you could take a look at your caches to see if craigslist.org
>> has the following NS records:
>>
>> ns1p.craigslist.org
>> ns2p.craigslist.org
>> ns1f.craigslist.org
>> ns2f.craigslist.org
>>
>> If you see something else there, then you have a poisoned cache.
>>
>> Thank you for your assistance in this matter.
>>
>> Brad Volz
>> Network Engineer
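The cache check requested in the quoted message can be scripted. This is an added example, not part of either post: it assumes the resolver's cached answer was captured with a non-recursive query such as `dig +norecurse craigslist.org NS`, and the sample outputs, including the unexpected name server names, are constructed.

```python
EXPECTED_NS = frozenset({
    "ns1p.craigslist.org", "ns2p.craigslist.org",
    "ns1f.craigslist.org", "ns2f.craigslist.org",
})  # the four names listed in the quoted post


def parse_ns_records(dig_output, zone):
    """Return (nameserver, ttl) pairs for `zone` from dig-style record lines."""
    zone = zone.rstrip(".").lower()
    records = []
    for line in dig_output.splitlines():
        fields = line.split()
        # Record lines read: owner TTL class type rdata; ';' starts a comment.
        if len(fields) != 5 or fields[0].startswith(";"):
            continue
        owner, ttl, rclass, rtype, rdata = fields
        if rclass.upper() != "IN" or rtype.upper() != "NS" or not ttl.isdigit():
            continue
        if owner.rstrip(".").lower() == zone:
            records.append((rdata.rstrip(".").lower(), int(ttl)))
    return records


def audit_cache(dig_output, zone="craigslist.org", expected=EXPECTED_NS):
    """Classify a cached NS set and report how long bad data would linger."""
    records = parse_ns_records(dig_output, zone)
    seen = {ns for ns, _ in records}
    unexpected = sorted(seen - expected)
    if not records:
        status = "not-cached"
    elif unexpected:
        status = "poisoned"
    else:
        status = "clean"
    # Largest remaining TTL on an unexpected record: time until it expires unaided.
    linger = max((ttl for ns, ttl in records if ns not in expected), default=0)
    return {"status": status, "unexpected": unexpected, "expires_in": linger}


# Constructed samples; the *.unexpected.example names are placeholders.
CLEAN = """;; ANSWER SECTION:
craigslist.org.  3540  IN  NS  ns1p.craigslist.org.
craigslist.org.  3540  IN  NS  ns2p.craigslist.org.
craigslist.org.  3540  IN  NS  ns1f.craigslist.org.
craigslist.org.  3540  IN  NS  ns2f.craigslist.org.
"""
STALE = """;; ANSWER SECTION:
craigslist.org.  86213  IN  NS  ns1.unexpected.example.
craigslist.org.  86213  IN  NS  ns2.unexpected.example.
"""
```

The `expires_in` value is the remaining TTL in seconds, which tells an operator whether waiting is acceptable or the zone should be flushed from the cache by hand.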
Re: Searching for a quote
On 13/03/15 10:20, Jason Iannone wrote:
> There was once a fairly common saying attributed to an early
> networking pioneer that went something like, "be generous in what you
> accept, and send only the stuff that should be sent." Does anyone
> know what I'm talking about or who said it?
>

Jon Postel's Robustness Principle.

http://en.wikipedia.org/wiki/Jon_Postel
Re:
On 08/05/15 11:58, Mike Hammett via NANOG wrote:
> I've seen the same over here and also considered it weird.

It looks exactly like the DMARC senders treatment - I think there's something wiggy and everyone is being treated as a DMARC encumbered sender.
Re: .nyc - here we go...
On 03/07/13 11:12, Scott Weeks wrote:
> "As of July 2, 2013, .nyc has been approved by ICANN as a
> city-level top-level domain (TLD) for New York City"

Do they have DNSSEC from inception? It would seem a sensible thing to do for a virgin TLD.
Re: comcast ipv6 PTR
On 10/10/13 03:30, Constantine A. Murenin wrote:
> Yet, apparently, Google has very recently completely stopped accepting
> email with no PTR records.

They also don't try very hard to get the PTR record. If the packet is lost, has a routing issue, or a DDoS prevents reliable access to the name servers, you will also get emails hard rejected until it resolves again.

I'd always had correct rDNS so it took quite some head scratching to figure out the hiccup.
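The failure mode described in this message, a transient DNS problem ending in a hard rejection, does not occur when the receiving side answers lookup failures with a temporary SMTP reply. The following is an added example, not code from the thread or from any mail provider: the resolver callbacks, the `TempFail` exception and the 2001:db8:: sample data are constructed for illustration.

```python
import ipaddress


class TempFail(Exception):
    """Resolver timeout or SERVFAIL: the answer is unknown, not negative."""


def check_rdns(client_ip, ptr_lookup, addr_lookup):
    """Forward-confirmed reverse DNS check returning (smtp_code, reason).

    Both callbacks return a list (empty for NXDOMAIN/NODATA) and raise
    TempFail when the lookup could not be completed.
    """
    client = ipaddress.ip_address(client_ip)
    try:
        names = ptr_lookup(client_ip)
    except TempFail:
        return 451, "PTR lookup did not complete"  # sender will retry
    if not names:
        return 550, "no PTR record"
    unresolved = False
    for name in names:
        try:
            addrs = addr_lookup(name)
        except TempFail:
            unresolved = True
            continue
        # Compare parsed addresses so differing IPv6 spellings still match.
        if any(ipaddress.ip_address(a) == client for a in addrs):
            return 250, "confirmed by " + name
    if unresolved:
        return 451, "forward lookup did not complete"
    return 550, "PTR name does not resolve back to client"


# Constructed resolver data using documentation prefixes.
PTR = {"2001:db8::25": ["mail.example.net"],
       "2001:db8::99": ["other.example.net"]}
ADDR = {"mail.example.net": ["2001:0db8:0:0:0:0:0:25"],
        "other.example.net": ["2001:db8::1"]}


def fake_ptr(ip):
    if ip == "2001:db8::dead":  # simulates unreachable name servers
        raise TempFail(ip)
    return PTR.get(ip, [])


def fake_addr(name):
    return ADDR.get(name, [])
```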
Re: gmail.com - 550 error for ipv6/PTR ?
On 15/01/14 10:06, Brandon Applegate wrote:
> Off-list replies are fine to minimize noise, and if there is an answer
> or any meaningful correlation I will reply on-list. Thanks in advance
> for any info/feedback.

I have been running into these a lot also and have so far concluded that it is an error within Google. The PTR/, SPF and DKIM are all matched up and tested as working. It is also occurring on domains using google apps to handle their email so it is platform wide.

All of the emails are personal emails, but coming from multiple domains/senders. The exact same email will be rejected when sent to any google IPv6 server for minutes/hours, but 3-4 hours later it will be accepted without error. The fact that it is being hard rejected is really quite annoying and generating a lot more support work.

Unfortunately, my only fix at present is to turn off IPv6 delivery for all google hosted domains as I encounter them. It would be really nice if it was fixed. My theory is that they are failing PTR lookups.
Re: iabelle francois
On Thu, 2010-04-22 at 23:22 -0400, Eric Carroll wrote:
> On 10-04-21 06:59 PM, Jeroen van Aart wrote:
> > The url redirects to a Canadian med site.
> Just FYI, it's not a real Canadian med site. It is high probability not
> even Canadian.

Posting so many URLs which either are or should be listed in domain block lists to a list with as many subscribers as this is probably not wise. I'm guessing you just caused a wonderful bounce storm as the NANOG servers attempted to send that out, depending of course on how many people whitelist NANOG to URI filtering.

yourtabletrxhealth[dot]com - URIBL black 2010-04-22 00:07:14 GMT
superstorepills[dot]net - URLBL black 2010-04-21 20:47:31 GMT
bargainpillsstore[dot]net - URLBL black 2010-04-15 20:41:59 GMT
losspillssite[dot]net - URLBL black 2010-04-21 20:45:09 GMT

The analysis of the domain is solid though, so good work there. Perhaps NANOG is not the correct forum though? Spam-L seems like a better fit.
Re: iabelle francois
On Fri, 2010-04-23 at 01:04 -0500, John Palmer (NANOG Acct) wrote:
> Spam-watch.com

From the website: About Spam-watch - This list is meant as a replacement for the SPAM-L list which was abruptly shut down in May 2009.

On the contrary - Spam-l.com continues on different hosting with different moderators with an emphasis on collegial behaviour of participants.

From the website: Spam-L.com was created as a cooperative effort to replace the original Spam-L forum which ran for a decade and a half on L-Soft servers. When the original was abandoned on 11 May 2009, this list was set up to keep the forum alive.

Hopefully this might now point some people in the right direction? Fin for me.
Re: ANTI-TERRORIST AND MONITARY CRIMES DIVISION
Quinn Kuzmich wrote:
> lol WHAT
>
> I can honestly say of all the emails I could have imagined to get from
> NANOG, this was not one of them.

I'm trying to figure out why the FBI is trying to smuggle $8 million in terrorist funds to me through diplomatic channels? Then again, it looks like the FBI stopped a _debit_ of $8 million from my account :P

Do these scams ever make sense? How the hell do people fall for this crap.

As for how it ended up on the list ... I'd say that Ray Thom @ ATT may have a compromised computer :P