Need Contact at RoadRunner

I need to speak with someone at RR about blocking issues.
Apparently they've decided to block mail from Apache.org and some of our
other customers without any notice to UL.

I've followed their instructions and e-mailed the listed addresses,
I've waited quite a while (over 24 hours) and have yet to be contacted
with information about why we were blocked.

UL is very responsive to abuse issues, so this is a little concerning.

Please contact me or the NOC.

Thank You

So, I got an e-mail back from RR after I posted here.
They claim to have no specific record of why we were blocked, so they
removed it. They said it was probably DOS or a Mailbomb, both of which we
would have squelched IMMEDIATELY.

Frankly, I think that it's pretty poor practice to block someone and not
tell them, especially when contact information is clearly available
everywhere. We've got e-mail, various phones, and INOC-DBA, so it's not
that hard to get ahold of us :slight_smile:

Tom (UnitedLayer) wrote:

Frankly, I think that it's pretty poor practice to block someone and not
tell them, especially when contact information is clearly available
everywhere. We've got e-mail, various phones, and INOC-DBA, so it's not
that hard to get ahold of us :slight_smile:

When you're introducing thousands of IP blocks per day, it's pretty hard to notify them all.

: When you're introducing thousands of IP blocks per day, it's pretty hard
: to notify them all.

I may be reaching here but I think perl scripting can do this.

James Edwards
Routing and Security
jamesh@cybermesa.com
At the Santa Fe Office: Internet at Cyber Mesa
Store hours: 9-6 Monday through Friday
505-988-9200 SIP:1(747)669-1965

"Tom (UnitedLayer)" wrote:

So, I got an e-mail back from RR after I posted here.
They claim to have no specific record of why we were blocked, so they
removed it. They said it was probably DOS or a Mailbomb, both of which we
would have squelched IMMEDIATELY.

Frankly, I think that it's pretty poor practice to block someone and not
tell them, especially when contact information is clearly available
everywhere. We've got e-mail, various phones, and INOC-DBA, so it's not
that hard to get ahold of us :slight_smile:

I have no idea what the facts are here, but as a general statement
I'd point out that some of us have recently been in a free-fire zone
with more than we can handle coming at us from everywhere.

A reasonable reaction to protect own-turf is to plug up holes as
you identify the local end of it and wait to see if anybody cares
about it after the fire-fight.

The likelihood of being able to contact anybody competent and
sympathetic is not worth the time and effort the attempt takes.

The usual response back when I thought I should try was "you are not
our customer...." with the common alternative being "Please reboot
and see if that clears it up."

YMMV

A reasonable reaction to protect own-turf is to plug up holes as
you identify the local end of it and wait to see if anybody cares
about it after the fire-fight.

So block a /30, not a /24

The likelihood of being able to contact anybody competent and
sympathetic is not worth the time and effort the attempt takes.

So next time I get portscanned from someone from RR, I should
just blackhole their IP space and wait till someone complains about not
being able to get to www.apache.org or www.archive.org?
That's totally irresponsible.

Unless you like playing whack-a-mole, you need a smarter hammer, not a
bigger one.

Yes, a perl script can send thousands of warning e-mails to bogus addresses.

If you've got a way for a perl script to get it right, when the WHOIS data is
broken, the address block is a /25 sold out of a /22 sold out of a /19 sold out of
a /16, and some of the address space is hijacked to boot, please let us know....

james wrote:

: When you're introducing thousands of IP blocks per day, it's pretty hard
: to notify them all.

I may be reaching here but I think perl scripting can do this.

I wish. I've been experimenting with doing exactly that for years.

Problems:
  - WHOIS data is often incomplete, wrong, or deliberately
    misleading. Heck, I see legitimate IP space which simply
    isn't registered _anywhere_.
  - there is no standard way to indicate notification addresses -
    some use comments, many different potential field names. Why
    couldn't this have been standardized?
  - Inadequate delegation
  - Notifying too far down the chain

The experiments I've done got to about 10% accuracy. But it's the 90% that are completely erroneous and potentially cause mailing entirely the wrong person. There's no way you can let one of these things run unattended.

I have something running doing this - but the IP -> email address database is compiled by hand. Coverage is abysmal - maybe 20% on good days for spam reports. Probably be 0% on reasonably clean IP ranges.

abuse.net maintains a domain -> abuse address database. It's the best data, _if_ the domain owner has registered. There is nothing analogous for IP addresses. Or even AS's.

Man it would be nice if there was an IP or AS -> notification address service out there (ie: by DNS, ala DNSBL TXT records).
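A sketch of the DNS-based lookup the post above wishes for, as an added example that is my code and not anything from the thread or an existing service: it builds a DNSBL-style query name by reversing the address octets (nibbles for IPv6) under a hypothetical zone, walks up to shorter prefixes when the host itself has no record, and filters the TXT answers down to strings that actually look like mailboxes, since the post notes notification fields are often free-text comments. The zone name `notify.example.net`, the sample TXT records and the in-memory resolver are all constructed assumptions; a real deployment would query the zone with a DNS library.

```python
import ipaddress

# Hypothetical zone for IP -> notification-address TXT records (assumption;
# no such service exists in the thread).
NOTIFY_ZONE = "notify.example.net"

# Constructed stand-in for the zone's TXT records. The per-host entry wins
# over the /24 entry, and the /16 entry covers anything else in 10.0.0.0/16.
SAMPLE_TXT = {
    "4.3.2.1." + NOTIFY_ZONE: ["abuse@example.org", "noc@example.org"],
    "3.2.1." + NOTIFY_ZONE: ["abuse@upstream.example"],
    "0.10." + NOTIFY_ZONE: ["abuse@isp.example", "comment only, not an address"],
}


def reversed_labels(ip: str) -> list[str]:
    """DNSBL-style labels: octets reversed for IPv4, nibbles reversed for IPv6."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on garbage input
    if addr.version == 4:
        return str(addr).split(".")[::-1]
    return list(addr.exploded.replace(":", ""))[::-1]


def lookup_name(ip: str, zone: str = NOTIFY_ZONE) -> str:
    """Full per-host query name, e.g. 4.3.2.1.notify.example.net."""
    return ".".join(reversed_labels(ip) + [zone])


def candidate_names(ip: str, zone: str = NOTIFY_ZONE) -> list[str]:
    """Host name first, then progressively shorter prefixes (/24, /16, /8 for IPv4).

    This prefix walk is my design choice so that a block "sold out of a /22
    sold out of a /19" can still resolve to whoever published a record.
    """
    labels = reversed_labels(ip)
    return [".".join(labels[i:] + [zone]) for i in range(len(labels))]


def is_mailbox(txt: str) -> bool:
    """Keep only plausible addresses; comments and prose in TXT are dropped."""
    value = txt.strip()
    local, sep, domain = value.partition("@")
    return bool(sep) and bool(local) and " " not in value and "." in domain


def notification_addresses(ip: str, resolve=None) -> list[str]:
    """Addresses from the most specific record found, or [] if nothing is published."""
    resolve = resolve or (lambda name: SAMPLE_TXT.get(name, []))
    for name in candidate_names(ip):
        answers = resolve(name)
        if answers:
            return [a for a in answers if is_mailbox(a)]
    return []


if __name__ == "__main__":
    for ip in ("1.2.3.4", "1.2.3.200", "10.0.5.6", "192.0.2.1"):
        print(ip, "->", notification_addresses(ip))
```

Because the walk stops at the first name that has any TXT answer, a publisher who wants a single contact for a whole /16 publishes one record at the two-label name, and more specific records override it for the hosts that need them.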

: > I may be reaching here but I think perl scripting can do this.
:
: I wish. I've been experimenting with doing exactly that for years.

That is what I meant by "reaching", it was not intended to be a smart a** comment.
How about mailing to abuse/postmaster@<domain> ? I realize that the postmaster/abuse
account is often non-existent but at least you made the effort. To me the important
thing is at least trying to notify. So the clueless miss out. Tuff. Those of us that care
would like to know there is a problem, so we can solve it.

James Edwards
Routing and Security
jamesh@cybermesa.com
At the Santa Fe Office: Internet at Cyber Mesa
Store hours: 9-6 Monday through Friday
505-988-9200 SIP:1(747)669-1965

Thank you James, that's my point exactly :slight_smile:

The people who care or have a clue will have what they need, and those who
don't will get left behind.

When people decide to clean up their act, they will start to care.

james wrote:

: > I may be reaching here but I think perl scripting can do this.
:
: I wish. I've been experimenting with doing exactly that for years.

That is what I meant by "reaching", it was not intended to be a smart a** comment.
How about mailing to abuse/postmaster@<domain> ? I realize that the postmaster/abuse
account is often non-existent but at least you made the effort. To me the important
thing is at least trying to notify. So the clueless miss out. Tuff. Those of us that care
would like to know there is a problem, so we can solve it.

I have been laid off for a while now so I may be out of touch, but
for all of the attacks I worked on, the only thing we could know
(emphasis "could") was which interface the attack vehicle arrived on,
as a maximum.

Everything else was forged, spoofed, or unintelligible.

I was probably not filtering off traffic from you (for any value of
"you"), I was filtering off stuff with your IP address in it.

I think part of the problem is not only to notify but provide information
for techs at another ISP to know what kind of problem they have (and if
you block them, they may not be able to reach you to even ask).

I would remind you that this thread started from Tom telling us that Roadrunner
did not even record why they blocked him. Not only should they have recorded
it but perhaps had a location where Tom could find that:
1. He's being blocked
2. Why he is being blocked with particular example of abuse that caused it
3. How long will block last or what steps he should take if he corrected
    the problem to notify and get the block removed

Since it's difficult to maintain a tracking system like this for every ISP,
perhaps a more centralized abuse clearing house could be developed (by
centralized I do not mean it should get involved in these disputes, just provide a
forum for one ISP to record filtering policies that are being applied to
another one). In fact more than one system like this can exist and ISPs
may choose which system they use or run their own system; what would be
important is to let everyone know what system they are using and how to
get information from it, preferably in real time.

william@elan.net writes on 12/5/2003 7:24 PM:

did not even record why they blocked him. Not only should they have recorded
it but perhaps had a location where Tom could find that:
1. He's being blocked
2. Why he is being blocked with particular example of abuse that caused it
3. How long will block last or what steps he should take if he corrected
    the problem to notify and get the block removed

Roadrunner bounce messages are quite verbose and explanatory. And http://security.rr.com has a lot more.

[micah mcneily]

I have also had some blocking taking place. Mail was sent to spamblock @
rr.com two days ago without any response although we did have ticket
generation.

They say to email removal@security.rr.com at http://security.rr.com/mail_blocks.htm

I do guess they should automate a lot of their unblocking process as well - especially unblocking the open relay / open proxy type blocks, that can be trivially automated (click here to schedule a retest of your IP, etc). That might cut down on a whole lot of their load.

  srs

I was not aware one can fake everything in the mail headers, including
the sending mail server.

I was not aware one can fake everything in the mail headers, including
  the sending mail server.

Where have you been for the last year? The sending "mail server" is
some chump's infected Windows box on DSL. Boy, tracking that host down
is going to do a whole lot of good! Then start working on the other
9,999 hosts the same spammer is abusing as well.

gg
matto

--mghali@snark.net------------------------------------------<darwin><
   Flowers on the razor wire/I know you're here/We are few/And far
   between/I was thinking about her skin/Love is a many splintered
   thing/Don't be afraid now/Just walk on in. #include <disclaim.h>

What is your point ? It is still the server that sent it.

james

james wrote:

> Everything else was forged, spoofed, or unintelligible.
>
> I was probably not filtering off traffic from you (for any value of
> "you"), I was filtering off stuff with your IP address in it.

I was not aware one can fake everything in the mail headers, including
the sending mail server.

Just to clarify--I didn't realize we were talking about just email,
that is sort of frowned upon here.

I was talking about all attack vehicles, I think, including email,
spam, worm castings, and viral debris.

james writes on 12/5/2003 11:09 PM:

I was not aware one can fake everything in the mail headers, including
the sending mail server.

1. HELO forged in the first header where the connecting IP hands off to your MX

2. All other headers below that can be, and are, heavily forged.
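The two points above, applied to an actual message, as an added example that is my code and not part of the thread: the only fact your MX observed is the TCP peer address it wrote into the topmost `Received:` line; the HELO name in that same line is the peer's claim, and every `Received:` line below it was written by someone else and may be forged outright. The message, host names and addresses (RFC 5737 documentation ranges) are constructed for the example, and the `by` check assumes you know your own MX's name.

```python
import re
from email import message_from_string

# Constructed sample message; the lower Received: line is exactly the kind
# of header a sender can invent, so nothing below the top line is trusted.
SAMPLE_MESSAGE = """\
Received: from mail.example.org (unknown [203.0.113.5])
\tby mx.example.net (Postfix) with ESMTP id 1A2B3C
\tfor <abuse@example.net>; Fri, 5 Dec 2003 19:24:00 -0800
Received: from bigisp.example (bigisp.example [198.51.100.7])
\tby mail.example.org with SMTP; Fri, 5 Dec 2003 19:23:50 -0800
From: someone@bigisp.example
To: abuse@example.net
Subject: test

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def _grab(rx: re.Pattern, text: str):
    m = rx.search(text)
    return m.group(1) if m else None


def parse_received(value: str) -> dict:
    """Split one Received: line into the HELO claim, bracketed IP and 'by' host."""
    flat = " ".join(value.split())  # unfold continuation lines
    return {
        "helo": _grab(HELO_RE, flat),  # what the connecting peer said, unverified
        "ip": _grab(IP_RE, flat),      # address the receiving host recorded
        "by": _grab(BY_RE, flat),      # host that claims to have written the line
    }


def first_hop(raw: str, my_mx: str):
    """Return what the local MX actually observed, separated from forgeable data.

    Only the top Received: line was written by my_mx; its bracketed IP is the
    TCP peer. Everything further down arrived inside the message body of
    that TCP session and could have been typed in by the sender.
    """
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    if not received:
        return None  # no Received: at all: nothing observed, nothing to act on
    hops = [parse_received(v) for v in received]
    top = hops[0]
    return {
        "connecting_ip": top["ip"],             # the one reliable fact
        "helo_claim": top["helo"],              # a claim, not an identity
        "added_by_my_mx": top["by"] == my_mx,   # sanity check that this is our line
        "untrusted_hops": hops[1:],             # forgeable; do not notify on these
    }


if __name__ == "__main__":
    print(first_hop(SAMPLE_MESSAGE, "mx.example.net"))
```

Any abuse-notification tooling should be keyed on `connecting_ip` alone; notifying whoever is named in `untrusted_hops` is exactly how a forged header turns an abuse desk into a nuisance sender.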