Praise to XO's Security/Abuse

Jason at XO's security/abuse staff. Very helpful chap

Solved a problem with a downstream client of theirs that was
pounding a network I help out....

Yes, I know off topic, but more on topic as this list SHOULD
be about people HELPING people do good in these difficult times.

YMMV, but I'm happy.

Have a great day

John Brown
Chagres Technologies, Inc

>
>Jason at XO's security/abuse staff. Very helpful chap

Indeed he is. Which is why I'm totally mystified about why rfc-ignorant insists that my domain doesn't have a working abuse address. I would privately email the admin at rfc-ignorant about this problem, but, well.... (see below)

jc

RFC-ignorant is a little aggressive sometimes. A while back they were
blocking all of APNIC address ranges because they didn't have contact
email addresses in ARIN's whois database.

Then again such heavy-handed blocking isn't confined to small anti-spam
organisations like RFC-ignorant or Spews. New Zealand and Australian ISPs
have to deal all the time with large providers who decide to block large
address ranges.

PBI had an email block for 202/8 a month or 3 back (not sure if it's gone
yet) and another medium sized North American provider (whose name escapes
me) currently blocks mail from 202/7.

At least with RFC-ignorant you know who to contact and they have proper
records of what they are blocking, with other organisations you usually
have to jump through about half a dozen people till you find someone to
actually look at the filters and realize they were put in by some
nightshift admin the week before because he got a spam via some open relay
in Korea.

>At least with RFC-ignorant you know who to contact

Since rfc-ignorant *uses* rfc-ignorant, I can't directly contact him/them (as the bounce below shows). I refuse to jump thru hoops to inform them of the errors of their ways. If they want to play games pretending that a large ISP with an efficient and responsive abuse desk somehow doesn't get abuse email addressed to one of their many domains, they can stick their head(s) in the sand and pretend. It doesn't mean I have to silently go along with it.

Derek, please don't send me private email unless you are going to accept replies from the address you are sending to (see bounce, below). Sending, but refusing replies, that's rude.

Note on cnchost:

When we launched this service (I worked for Concentric and was the product manager for this service during its development and beta in 1996, and launch in 1997), we offered customers the option of a default mailbox for anyone@theirdomain (with additional restricted mailboxes as desired), or restricting their mailboxes where only email addressed to actual usernames was delivered, all other email bounces. However, an exception was made for the role accounts of abuse, postmaster, and webmaster. If the customer creates user accounts with those names, email is delivered to the appropriate email box. If the customer does not create these accounts, and elects to only receive email addressed to the customer's named accounts, email addressed to postmaster, abuse, and webmaster is still delivered to the primary user account for that domain (while other "non-existent" usernames will still bounce). We did this in 1996, years before rfc-ignorant thought up their listing idea, and when other webhosts were allowing these role accounts to bounce, or hijacking (and then badly handling) all email to those usernames for every hosted domain (no matter what the domain name was) due to less configurable virtual hosting schemes. So the idea that someone believes that cnchost is "rfc-ignorant" REALLY rubs me the wrong way.

jc

>From: Mail Delivery Subsystem <MAILER-DAEMON@tonnant.cnchost.com>
>Subject: Returned mail: User unknown
>Message-ID: <200208310927.FAA08746@tonnant.cnchost.com>
>Errors-To: <MAILER-DAEMON@tonnant.cnchost.com>
>To: <jcdill@vo.cnchost.com>
>Auto-Submitted: auto-generated (failure)
>X-UIDL: 30537
>
>The original message was received at Sat, 31 Aug 2002 05:27:57 -0400 (EDT)
>from adsl-208-201-244-240.sonic.net [208.201.244.240]
>
> ----- The following addresses had permanent fatal errors -----
><dredd@megacity.org>
>
> ----- Transcript of session follows -----
>... while talking to mail.megacity.org.:
>>>> RCPT To:<dredd@megacity.org>
><<< 550 5.7.1 <dredd@megacity.org>... Message rejected because the
>connecting host (tonnant.concentric.net) does not have abuse contact - see
>www.rfc-ignorant.org
>550 <dredd@megacity.org>... User unknown
>
> ----- Original message follows -----
>
>Return-Path: <jcdill@vo.cnchost.com>
>Received: from Erwin.vo.cnchost.com (adsl-208-201-244-240.sonic.net
>[208.201.244.240])
> by tonnant.cnchost.com
> id FAA08735; Sat, 31 Aug 2002 05:27:57 -0400 (EDT)
> [ConcentricHost SMTP Relay 1.14]
>Errors-To: <jcdill@vo.cnchost.com>
>Message-Id: <5.0.0.25.2.20020831022838.040be1f0@pop3.vo.cnchost.com>
>X-Sender: jcdill%vo.cnchost.com@pop3.vo.cnchost.com
>X-Mailer: QUALCOMM Windows Eudora Version 5.0
>Date: Sat, 31 Aug 2002 02:29:27 -0700
>To: "Derek J. Balling" <dredd@megacity.org>
>From: JC Dill <jcdill@vo.cnchost.com>
>Subject: Re: Praise to XO's Security/Abuse
>In-Reply-To: <F7DD5CF3-BC85-11D6-A43D-00039384A830@megacity.org>
>References: <Pine.LNX.4.41.0208302149180.3717-100000@amethyst.nstc.com>
>Mime-Version: 1.0
>Content-Type: text/plain; charset="us-ascii"; format=flowed
>
> >I don't show a listing at all for cnchost.com ... (or vo.cnchost.com,
> >which we wouldn't list anyway).
> >
> >what hostname does your mail server's IP address in-addr to?
>
> cnchost runs off a server cluster, you can get different IP addresses
>each time you query (or at least, you are supposed to), as it does
>automatic load balancing.
<snip>

>
>
>Jason at XO's security/abuse staff. Very helpful chap

Indeed he is. Which is why I'm totally mystified about why rfc-ignorant
insists that my domain doesn't have a working abuse address. I would
privately email the admin at rfc-ignorant about this problem, but, well....
(see below)

jc

I don't think rfc-ignorant.org tests entries at a later time, ever.
I have brought the concentric.net case to their attention today.

Speaking of Concentric domains: cnc.net has not had a working abuse@
address for several YEARS, and I have brought that to Concentric's
attention, oh, 3-4 years ago?

I consider this a reckless way of operating: some people have
interpreted RFC822 in such a way that you only have to accept mail
to "postmaster@FQDN" if you actually accept any mail for the domain
at all. I wonder whose smart idea within Concentric it was to use
cnc.net for a bazillion FQDNs and in-addr.arpa records, but create
an MX record for the domain and not accept postmaster and abuse@cnc.net.
If I didn't know better (the whole incompetent vs. malevolent logic),
I'd outright describe this as being "evasive".

Speaking of evading: I wish to remind the readers of this thread
(a subset of NANOG readers) that the good deeds of a few cannot
make up for the colossal, corrupt policy failures of a bankrupt
organization as a whole, or else I wouldn't currently be in
possession of about 90 complaints (and corresponding 90 auto-replies,
with exactly ZERO human-generated replies) from xo.com
regarding spam-spewing factories of crime in their IP space,
with such complaints sent to them in the short, short period of
the last 2.5 months, based on an amazingly small swath of IP
space at the receiving end of this Internet crime.

Examples of XO customers who can't tell right from wrong, and
"220 DO ME HARD" from "550 NO TRESPASSING, CRIMINAL SCUM", and
who continue to criminally trespass onto other people's property
after being told to stay away:

Sep 9 08:13:25 sonet sendmail[895]: IAA00895: from=<Reply@ContentWatch.com>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP,
relay=gw.iaccess.com [64.221.226.129]

Sep 9 02:19:51 saturn sendmail[5229]: NOQUEUE: ruleset=check_relay, arg1=lsv-004.cynergen.net, arg2=66.239.204.53,
relay=lsv-004.cynergen.net [66.239.204.53], reject=550 no access for OIN - Spammers must die.

Sep 9 00:35:21 saturn sendmail[1729]: NOQUEUE: ruleset=check_relay, arg1=host28.anglcorp.com, arg2=67.105.80.91, relay=host28.anglcorp.com
[67.105.80.91], reject=550 no access for list-washing twits at anglcorp.com - Spammers must die.

Sep 8 00:13:57 saturn sendmail[12484]: NOQUEUE: ruleset=check_relay, arg1=lsv-001.cynergen.net, arg2=66.239.204.50,
relay=lsv-001.cynergen.net [66.239.204.50], reject=550 no access for OIN - Spammers must die.

Sep 7 20:58:36 saturn sendmail[6541]: NOQUEUE: ruleset=check_relay, arg1=host24.anglcorp.com, arg2=67.105.80.87, relay=host24.anglcorp.com
[67.105.80.87], reject=550 no access for list-washing twits at anglcorp.com - Spammers must die.

Sep 7 16:26:39 sonet sendmail[11480]: NOQUEUE: ruleset=check_relay, arg1=lsv-002.cynergen.net, arg2=66.239.204.51,
relay=lsv-002.cynergen.net [66.239.204.51], reject=550 no access for OIN - Spammers must die.

Sep 7 05:01:49 saturn sendmail[2655]: FAA02655: <X>... User unknown - user never existed - single-opt-in is spam - and
Spammers must die.
Sep 7 05:01:49 saturn sendmail[2655]: FAA02655:
from=<102338940173691-7090200001-X?X@bounce.tilw.net>, size=0, class=0,
pri=0, nrcpts=0, proto=SMTP, relay=ul1.tilw.net [209.164.4.171]

Sep 6 20:55:27 saturn sendmail[14573]: NOQUEUE: ruleset=check_relay, arg1=lsv-001.cynergen.net, arg2=66.239.204.50,
relay=lsv-001.cynergen.net [66.239.204.50], reject=550 no access for OIN - Spammers must die.

Sep 5 20:10:41 sonet sendmail[18779]: UAA18779: from=<reply@contentwatch.com>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP,
relay=host228.iaccess.com [64.221.226.228] (may be forged)

Sep 5 18:44:45 saturn sendmail[9560]: NOQUEUE: ruleset=check_relay, arg1=lsv-002.cynergen.net, arg2=66.239.204.51,
relay=lsv-002.cynergen.net [66.239.204.51], reject=550 no access for OIN - Spammers must die.

Sep 5 14:30:19 saturn sendmail[26113]: NOQUEUE: ruleset=check_relay, arg1=thething.emailfactory.com, arg2=64.35.34.30,
relay=thething.emailfactory.com [64.35.34.30], reject=550 NO TRESPASSING for emailfactory.com/newc.com - Spammers must die.

Sep 4 16:20:57 saturn sendmail[817]: NOQUEUE: ruleset=check_relay, arg1=lsv-001.cynergen.net, arg2=66.239.204.50,
relay=lsv-001.cynergen.net [66.239.204.50], reject=550 no access for OIN - Spammers must die.

There is no doubt in my mind that XO is fully aware of the criminal trespass
committed by their customers, and continues to aid and abet these criminal
activities on a daily basis by knowingly and willingly providing service and
/dev/null'ing complaints about them - kinda like Sprintlink/Sprint aiding
and abetting their criminals^Wcustomers while committing acts of forgery,
false declaration of goods, false declaration of goods in interstate and
international commerce, criminal impersonation, falsification of business
records and business and wire fraud across state lines - only more passively.

I could point the finger in almost any direction from here.

From UnSavvy to APiss&Pee. From Uh-Oh!Net to Clueless&Witless.
From FraudLynx to VeryUglio, From Exorcism to Worldcunt.

The bigger, the more bankrupt, the more aiding and abetting.

It's 5pm: do you know who you work for?
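
An added example, not part of the original post or anyone's tooling on this thread: a small Python summarizer for sendmail `check_relay` rejections like the ones pasted above, which re-joins entries split by mail wrapping and tallies rejects per source address and per parent domain. The sample log is constructed (documentation address ranges, example.net hostnames), and grouping by "hostname minus its first label" is a simplifying assumption.

```python
import re
from collections import Counter

# Constructed sample in the same sendmail syslog shape as the entries above;
# hostnames use example.net/.org and addresses come from documentation ranges.
SAMPLE_LOG = """\
Sep 9 02:19:51 mx1 sendmail[5229]: NOQUEUE: ruleset=check_relay, arg1=out1.bulk.example.net, arg2=192.0.2.53,
relay=out1.bulk.example.net [192.0.2.53], reject=550 no access
Sep 9 00:35:21 mx1 sendmail[1729]: NOQUEUE: ruleset=check_relay, arg1=host28.lists.example.net, arg2=198.51.100.91, relay=host28.lists.example.net
[198.51.100.91], reject=550 no access
Sep 8 00:13:57 mx1 sendmail[12484]: NOQUEUE: ruleset=check_relay, arg1=out2.bulk.example.net, arg2=192.0.2.50,
relay=out2.bulk.example.net [192.0.2.50], reject=550 no access
Sep 7 16:26:39 mx2 sendmail[11480]: NOQUEUE: ruleset=check_relay, arg1=out1.bulk.example.net, arg2=192.0.2.53,
relay=out1.bulk.example.net [192.0.2.53], reject=550 no access
Sep 5 20:10:41 mx2 sendmail[18779]: UAA18779: from=<reply@example.org>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP,
relay=gw.example.org [203.0.113.228] (may be forged)
"""

ENTRY_START = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s")
REJECT = re.compile(
    r"ruleset=check_relay,\s*arg1=(?P<host>[^,\s]+),\s*arg2=(?P<ip>[^,\s]+),"
    r".*?reject=(?P<code>\d{3})"
)

def unwrap(text):
    """Re-join entries that mail or archive wrapping split across lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line.strip())   # a timestamp starts a new entry
        else:
            entries[-1] += " " + line.strip()  # continuation of the previous one
    return entries

def rejected_relays(text):
    """Count check_relay rejections per source IP and per parent domain."""
    by_ip, by_domain = Counter(), Counter()
    for entry in unwrap(text):
        m = REJECT.search(entry)
        if not m:
            continue  # entries without a check_relay reject are skipped
        by_ip[m["ip"]] += 1
        # Assumption: parent domain = hostname minus its first label.
        by_domain[m["host"].split(".", 1)[-1]] += 1
    return by_ip, by_domain
```

Sorting either counter with `most_common()` gives the per-source totals to attach to an abuse report in place of raw log excerpts.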