AS11296 -- Hijacked?

A number of factors, actually.

Although I had started to type up a lengthy and elaborate response to
your eminently reasonable question, on second thought, I don't think
that I actually want to go into detail on this case, as anything I
might say as regards to how I detected this would just allow future
hijackers to evade me that much more effectively.

So I'm sorry to be giving you a non-answer, but actually, I think that's
best for now.

In any case, further discussion of this particular case now appears to
be moot. As of now, it appears that AS11296 is no longer announcing any
routes at all, so I'm assuming that Nishant Ramachandran (Xeex/AS27524)
and/or whoever else may have been involved in this has now been adequately
spanked. (And my personal thanks go out to whoever did that.)

Regards,
rfg

P.S. Yes, I actually _am_ blocking inbound e-mail from google/gmail.
Too much spam from there, and far too little action to correct the
abundant problem(s). (Can you spell E-V-I-L?) Also blocked here:
Yahoo and Hotmail, for the same reasons. (Too big to fail? No. Just
too big to care. They don't need me, and I sure as hell don't need
them.)

I guess you don't have a real mail server of your own that you can use.
For that, you have my sympathies.

WOW, full of yourself much. Many of us use gmail and others to manage the
load of mail we receive from various lists. I doubt anyone needs
your sympathies.
Good luck getting assistance from the list in the future, but I doubt you
need it; you seem to be able to do everything on your own.

-jim

Out of curiosity, what led you to this conclusion?

A number of factors, actually.
Although I had started to type up a lengthy and elaborate response to
your eminently reasonable question, on second thought, I don't think
that I actually want to go into detail on this case, as anything I
might say as regards to how I detected this would just allow future
hijackers to evade me that much more effectively.
So I'm sorry to be giving you a non-answer, but actually, I think that's
best for now.

Let me reword...
What is stopping someone coming on the list, making a claim like you
have in an attempt to actually cause a DOS attack, by having some
clumsy network engineers starting to block traffic in reaction to your
post?
I'm sure that you've done your investigation (don't get me wrong) and
you might sure be right in your assertions, nevertheless evidence is
pretty much needed for a claim like that!

In any case, further discussion of this particular case now appears to
be moot.

Ok, but back to my point - what is the evidence and how are people to
trust what you're saying?

P.S. Yes, I actually _am_ blocking inbound e-mail from google/gmail.
Too much spam from there, and far too little action to correct the
abundant problem(s). (Can you spell E-V-I-L?) Also blocked here:
Yahoo and Hotmail, for the same reasons. (Too big to fail? No. Just
too big to care. They don't need me, and I sure as hell don't need
them.)

Let me get this right.. You use your own mail server and have problems
filtering spam.
I use gmail and don't have that problem.

I guess you don't have a real mail server of your own that you can use.
For that, you have my sympathies.

The only time I have problems is when I try and send an email to some
muppet that has blocked gmail & hotmail & god knows what else.
Perhaps you should do yourself a favour, turn off your mail server and
open up a gmail/hotmail account like the rest of the population.

Ron is one of the most senior anti-spam people on this planet, and
has long since demonstrated not only serious clue, but formidable
research and analysis skills. You may safely trust that if he's
made the decision to post a message like the referenced one in
a public forum that he's done his homework.

As to his decision to block Gmail (or any other freemail provider),
everyone with sufficient knowledge in the field knows that these
operations are prolific and habitual sources of spam (via multiple
vectors, not just SMTP; Google accounts for more Usenet spam hitting
my filters than all other sources combined). It's thus not at all
unreasonable for some operations to revoke (some or all of) their
privileges by way of self-defense. So I think a better response
would be to skip the snark and instead reconsider the decision to
use a freemail provider for professional (outbound [1]) communications.

---rsk

[1] Using one as a sink for mailing list traffic isn't an entirely
bad idea; I do some of that myself. Those which provide POP/IMAP
service make it relatively easy to do so -- although one should
accept that they're, in general, not high-quality mail services,
and that incoming mailing list traffic may variously be denied,
lost, misclassified or otherwise not handled as expected.

I have no issue with Ron's level of clue or his personal choice to block whichever domain, or blocks of IP space he wishes. That's one of the true beauties of the internet, we can all do as we see fit with our little corner of it.
But it goes the same with who we choose to help or which mail systems we choose to use. Ron chose to set the tone, in his last email, I'll choose not to offer assistance in the future unless it relates to my bits of the internet. No real issue here.

-jim

As to his decision to block Gmail (or any other freemail provider),
everyone with sufficient knowledge in the field knows that these
operations are prolific and habitual sources of spam (via multiple
vectors, not just SMTP; Google accounts for more Usenet spam hitting
my filters than all other sources combined). It's thus not at all
unreasonable for some operations to revoke (some or all of) their
privileges by way of self-defense. So I think a better response
would be to skip the snark and instead reconsider the decision to
use a freemail provider for professional (outbound [1]) communications.

They are also prolific and habitual sources of people who might want
to use email..

By your measure (and everyone that blocks these services), when is it
appropriate to have a gmail/hotmail account?
Are you saying that the general population are all doing it wrong and
that we should all change?

Or am I missing your point entirely?

Rich Kulawiec wrote (on Wed, Sep 29, 2010 at 08:25:20AM -0400):

Sadly this method would on average block 97% spam, 3% ham, and
statistically be highly effective.

There would be several filters for this. Is the person reporting this a
known network operator that people trust or is it some Joe Blow out of
nowhere that nobody has heard of before? That would make a huge
difference. Is the AS assigned to a company that is known to be
defunct? That would be another flag. Why would a company that no longer
exists have its ASN active and its IPs sending traffic? This would be
particularly interesting if the carrier handling the traffic is not a
carrier known to have a relationship with that AS in the past. So a
pattern of ... AS works for many years, disappears for some period of
time, company goes defunct, and some period of time later the AS appears
on a completely different carrier without any reassignment from the
registrar.

Bottom line, there is more to it than someone just popping up on a list
saying something.

g
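The filters George lists above (a long-active ASN that goes quiet, then reappears on a carrier it never used, while the registrant is known to be defunct and the registry shows no reassignment) can be expressed as a check over route-collector history. The following Python is an added example, not code from this thread or from any NANOG participant. The `RouteObservation` and `RegistryRecord` types, the thresholds, the private-range ASNs and the observation dates are all constructed assumptions of this example, not data about AS11296.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class RouteObservation:
    """One day on which a collector saw the ASN originating a prefix (constructed record)."""
    seen: date
    origin_asn: int
    upstream_asn: int  # the AS that carried the announcement (the "carrier")


@dataclass(frozen=True)
class RegistryRecord:
    """What the registry says about the ASN (constructed record)."""
    asn: int
    org_defunct: bool
    last_reassigned: Optional[date]  # None: the ASN was never transferred


def silence_gaps(obs: List[RouteObservation], min_gap_days: int) -> Iterator[Tuple[date, date]]:
    """Yield (last day seen before, first day seen after) for every quiet
    period of at least min_gap_days between consecutive observations."""
    days = sorted({o.seen for o in obs})
    for earlier, later in zip(days, days[1:]):
        if (later - earlier).days >= min_gap_days:
            yield earlier, later


def assess(obs: List[RouteObservation], reg: RegistryRecord,
           min_history_days: int = 730, min_gap_days: int = 400) -> Dict:
    """Apply the pattern from the post and return the reasons it matched.

    A flag is raised only when the ASN had an established history, went quiet,
    and came back through upstreams it had never used before; the registry
    facts (defunct registrant, no reassignment after the gap) add more flags.
    """
    mine = [o for o in obs if o.origin_asn == reg.asn]
    flags: List[str] = []
    for last_before, first_after in silence_gaps(mine, min_gap_days):
        first_ever = min(o.seen for o in mine)
        if (last_before - first_ever).days < min_history_days:
            continue  # no multi-year record: a young ASN is not "reappearing"
        before = {o.upstream_asn for o in mine if o.seen <= last_before}
        after = {o.upstream_asn for o in mine if o.seen >= first_after}
        if not after or after & before:
            continue  # back on a known carrier: the quiet period alone proves nothing
        quiet = (first_after - last_before).days
        flags.append(f"silent {quiet} days, then reappeared via unfamiliar upstream(s) {sorted(after)}")
        if reg.org_defunct:
            flags.append("registrant is reported defunct")
        if reg.last_reassigned is None or reg.last_reassigned < last_before:
            flags.append("no registry reassignment recorded after the silence")
    return {"asn": reg.asn, "score": len(flags), "flags": flags}


# Constructed sample: private-range ASNs, yearly sightings on one carrier,
# then a two-and-a-half-year silence and a return on a different carrier.
SUSPECT_ROUTES = [RouteObservation(date(y, 3, 1), 65001, 65100) for y in range(2004, 2009)] + [
    RouteObservation(date(2010, 9, 20), 65001, 65200),
    RouteObservation(date(2010, 9, 28), 65001, 65200),
]
SUSPECT_REGISTRY = RegistryRecord(asn=65001, org_defunct=True, last_reassigned=None)

# Control: same silence, but the ASN returns on its old carrier and the
# registry shows a transfer shortly before it came back.
BENIGN_ROUTES = SUSPECT_ROUTES[:5] + [RouteObservation(date(2010, 9, 20), 65001, 65100)]
BENIGN_REGISTRY = RegistryRecord(asn=65001, org_defunct=False, last_reassigned=date(2010, 8, 1))

if __name__ == "__main__":
    for routes, reg in ((SUSPECT_ROUTES, SUSPECT_REGISTRY), (BENIGN_ROUTES, BENIGN_REGISTRY)):
        result = assess(routes, reg)
        print(f"AS{result['asn']}: score {result['score']}", *result["flags"], sep="\n  ")
```

The output is a list of reasons rather than a verdict, which is the point of the thread: each flag is something a reader can check independently against collector data and the registry, and a high score is a prompt to look, not a reason to filter on its own.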

Bottom line, there is more to it than someone just popping up on a list
saying something.

If you have the time to go and investigate all of that yourself, it's
good to know you've thought about the metrics you would use.
Sometimes, people do this thing called 'referencing'. It's basically
where you list your sources of information and associated evidence
that led you to your conclusion :)
My question is a pretty simple one "Out of curiosity, what led you to
this conclusion?", because there were no references..

Apparently he has super-duper top secret methods that he doesn't want
to share. That's fine - I won't waste my time with it anymore.

There would be several filters for this. Is the person reporting this a known
network operator that people trust or is it some Joe Blow out of nowhere
that nobody has heard of before? That would make a huge difference. Is
the AS assigned to a company that is known to be defunct? That would be
another flag. Why would a company that no longer exists have its ASN active
and its IPs sending traffic? This would be particularly interesting if the carrier
handling the traffic is not a carrier known to have a relationship with that AS
in the past. So a pattern of ... AS works for many years, disappears for some
period of time, company goes defunct, and some period of time later the AS
appears on a completely different carrier without any reassignment from the
registrar.

Agree, and those are all good filters (except for the perilously fallacious appeal to authority). But none of these claims were made, and that's the source of this extended discussion. If those claims had been made, then this entire discussion could have been circumvented - and those that care could independently validate the claims. There is a LOT of danger to blindly blackholing networks simply because a trusted email address posts on a netops list. In my experience, netops people (NANOG'ers being an especially good example) tend to be largely logical, rational, skeptical beings.

So in a nutshell: if the post had included what you're suggesting, we could at least go out and go:

"oh, yes, he's right - that AS belongs to a dead company, and is coming from a very different carrier than it did when it was operating"
AND
"his email address has a history of posting reliable information of a similar nature"
AND
"his message is validly PGP signed so that we can trust that the owner of the email address sent the message"
AND
"his email is written in a way that recognizes that clued, skeptical individuals are going to carefully analyze it"
THEN
I would expect a very different set of responses from the list.

But an email that says "I'm going to deliberately withhold all of the vital information I used to come to this conclusion, but request that you take action anyways" is going to consistently be roundfiled.

Nathan

Maybe you didn't recognize the original poster, but I did, and I would
take what he had to say at least seriously enough to have a look. His
followup mail, while not giving people the information they wanted (as
if it really matters) did mention that the upstream appears to have cut
them off. That is a pretty good indication that *something* was going
on there.

I don't believe it is anyone's job here to conform to the expectations
of anyone else aside from general list etiquette and some level of
sanity. He put the information out, it is up to the reader in how they
weight it. I don't understand your continued banging on the issue. All
he did was put information out there. He doesn't need to meet your
criteria, you are free to apply that as you will in the privacy of your
own cubicle.

G

Yet he has so much trouble programming his mail filter to
differentiate between legitimate and spam email coming out of Google
that he feels the need to block all email from Google.

Are we to question his skill? Or just his judgment?

If Ron's as smart as you say then he's smart enough to take some
famous advice: "A decent respect to the opinions of mankind requires
that they should declare the causes."

If it's good enough for creating a country, it's good enough for a
lesser call to action -- like filtering an AS and its netblocks.

Regards,
Bill Herrin

From: George Bonser [mailto:gbonser@seven.com]
Sent: Wednesday, September 29, 2010 10:44 AM
To: Heath Jones; Ronald F. Guilmette
Cc: nanog@nanog.org
Subject: RE: AS11296 -- Hijacked?

Is the person reporting this a known network operator that people trust
or is it some Joe Blow out of nowhere that nobody has heard of before?
That would make a huge difference.

Going to his website....looks like Joe Blow...Googling his name/email/domain, still nothing that would lead me to believe he is network savvy. So coming from Joe Blow network Dude....he too is just Joe Blow. Just a little perspective for you from the bottom of the pile.

~J

Maybe you didn't recognize the original poster, but I did, and I would take
what he had to say at least seriously enough to have a look. His followup
mail, while not giving people the information they wanted (as if it really
matters) did mention that the upstream appears to have cut them off. That
is a pretty good indication that *something* was going on there.

I don't believe it is anyone's job here to conform to the expectations of
anyone else aside from general list etiquette and some level of sanity. He
put the information out, it is up to the reader in how they weight it. I don't
understand your continued banging on the issue. All he did was put
information out there. He doesn't need to meet your criteria, you are free to
apply that as you will in the privacy of your own cubicle.

George,

Again - appealing to personal authority is a fallacy. It carries no logical weight who the poster is, and has no place in a decision making process of such magnitude.

No one has to conform to any standard, and I don't think I suggested otherwise. What I did suggest is what would be required in such an email to convince me personally to take any action. The very point of posting a hijacking notification is to convince people to take action, so it's only reasonable to make such a notification as thorough and supported as possible. And it is in the best interests of the process to review communications issues afterwards - if the OP is genuinely interested in helping the internet by letting us know when an AS has been hijacked, then he should certainly appreciate any feedback on how to make those notifications more effective.

I'm also not sure what you mean by 'continued banging on the issue'. This is my first email in this thread...

Nathan

From: Nathan Eisenberg [mailto:nathan@atlasnetworks.us]
Sent: Wednesday, September 29, 2010 12:05 PM
To: nanog@nanog.org
Subject: RE: AS11296 -- Hijacked?

> Maybe you didn't recognize the original poster, but I did, and I would take
> what he had to say at least seriously enough to have a look. His followup
> mail, while not giving people the information they wanted (as if it really
> matters) did mention that the upstream appears to have cut them off. That
> is a pretty good indication that *something* was going on there.
>
> I don't believe it is anyone's job here to conform to the expectations of
> anyone else aside from general list etiquette and some level of sanity. He
> put the information out, it is up to the reader in how they weight it. I don't
> understand your continued banging on the issue. All he did was put
> information out there. He doesn't need to meet your criteria, you are free to
> apply that as you will in the privacy of your own cubicle.

George,

Again - appealing to personal authority is a fallacy. It carries no
logical weight who the poster is, and has no place in a decision making
process of such magnitude.

Again, nobody said the original poster had any authority over anything.
He posted a suspicion. It would be up to the individual entities
involved to decide if they actually want to take any action based on
that or not. Nobody said anyone had to do anything and anyone who
blocks traffic based ONLY on a message to a mailing list is an imbecile
anyway. Nobody handling any major amounts of traffic is going to base
their filtration on third party mailing list postings so I really don't
see what the issue is. I read the original post as a call to look into
it and that they were going to be reported to ARIN for further looking
into. The original posting said "some folks may wish to blackhole the
above" and that is all. But it did strike me as odd that a North
Carolina regional ISP would have only a single peer and that peer has no
presence that I can determine in North Carolina.

Except that this thread started with a recommendation to block an entire
AS, containing a reasonable number of networks.

Recommendations such as that are only as credible as the source they are
coming from, and knowing that the person making the request also believes
that blocking all mail from gmail.com is a valid anti-spam technique
probably results in a "different" credibility level than one might otherwise
have.

  Scott.