RE: trapdoor.merit.edu and other impatient Postfix mailers everywhere (fwd)

> I understand they have a problem notifying everyone since they don't
> know contact information for the people using the service, but I would
> have expected to see an announcement here, for example.

Lemesee if I got this right...Paul Vixie doesn't know anybody that can
pull my IP addresses out of their logs, look them up on ARIN, send me email.

Riiight.

GMAB!

> How do you think those references got there? Could it be that enough
> people requested it and asked how to do it with older versions of
> sendmail that it was made an optional part of the standard configuration?

Probably not.

Can you say "bait and switch", boys and girls.

Right out of Mad Man Muntz's handbook.

Do you log every single DNS query to your DNS servers (if you have any)?

I'm not aware of anyone who does, simply because the resulting log would be
gigantic... especially for a DNS-based service as huge as MAPS.

Vivien

> I understand they have a problem notifying everyone since they don't
> know contact information for the people using the service, but I would
> have expected to see an announcement here, for example.

> Lemesee if I got this right...Paul Vixie doesn't know anybody that can
> pull my IP addresses out of their logs, look them up on ARIN, send me email.

Yes, you can look up contact information for IP blocks. However, we all
know how up-to-date that is, and the person listed there may or may not
be involved with the mail server.

If there had been a notice here, would you have been as unhappy? Remember
this was a free service. If I decided I could no longer make chess endgame
databases available for free, I would not feel inclined to look up everyone
who had been using them and notify them.

> How do you think those references got there? Could it be that enough
> people requested it and asked how to do it with older versions of
> sendmail that it was made an optional part of the standard configuration?

> Probably not.
>
> Can you say "bait and switch", boys and girls.
>
> Right out of Mad Man Muntz's handbook.

As I recall, the first modifications to use RBL in sendmail were done
elsewhere, eventually a link was included on the sendmail site, and then
it was part of the configuration.

I can see you are bitter about the impact on your mailservers. I am not
happy about the way it was done as well, but assuming it was malicious
seems excessive.

John A. Tamplin jat@jaet.org
770/436-5387 HOME 4116 Manson Ave
770/431-9459 FAX Smyrna, GA 30082-3723

The modifications were done at Paul Vixie's specific request. So was
"best practices" RFC 2505. Any doubt about that? Read the articles:

http://www.dotcomeon.com/relay_default.html
http://www.dotcomeon.com/allman_sendmail_qa.html

Don't believe me. Believe the words of Paul Vixie and Eric Allman.

--Mitch
NetSide

A long time ago, in a galaxy far far away, the hostname 'black-ice.cc.vt.edu'
was listed as an NTP stratum-2 server. Then the building got re-subnetted,
and its IP address changed. Then a CNAME for ntp-2.vt.edu was added that
pointed there. Then the CNAME was moved to point to a different machine.
Then I turned off NTP service to the outside world.

When the recent NTP query-packet security problem was found, that host
had not been answering NTP queries off-campus for *6 months*. It hadn't
been in clocks.txt for *2 years*. Our router guy put in a filter on our
main router to log NTP packets.

5 minutes later he took it off, because that host was *STILL* getting
pounded to the level of 100 packets *per second*, courtesy of several
freeware packages that had lived on TUCOWS a long time ago.

In 5 minutes, we also got 15 or 20 hits on an IP address that it hadn't
had for *8 years*.

I'm sure that their packet flux is a lot higher than 100 packets
per second. So you get to log them, sort out which ones are in duplicate
subnets (remembering that since CIDR, you *DON'T* know where subnets
start and end - are 128.173.x.x and 128.174.x.x 2 /16s or a /15?
Are 198.82.251.x and 198.82.250.x /24s that belong to different companies,
or part of a CIDR block belonging to one organization?

Remember in your analysis that NSI's whois is *notoriously* inaccurate,
and quite often the "owner of record" of a /16 is a service provider, and
the person you WANT to send the mail to is the admin of the company that
bought a /22 from that provider's /16.

Hint: You ever had a hack-in attempt at your site, and tried to figure
out who owned the IP address? How long did it take you? Have you ever
come up empty-handed? Good - now design a way to do that look-up several
hundred times *a second*.

But yeah, with a little bit of hand-waving, they could get the mail
to the right admin at the right company.

        Valdis Kletnieks
        Operating Systems Analyst
        Virginia Tech
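The two CIDR questions in the message above (are 128.173.x.x and 128.174.x.x one /15 or two /16s; are 198.82.250.x and 198.82.251.x one /23) and the "/22 bought out of a provider's /16" point have a mechanical answer, worked here as an added example that is not part of the original thread. The prefixes are the ones the message names; the allocation table is constructed with example.* contacts, not real registry data, and nothing here queries whois.

```python
"""Adjacent-prefix aggregation and longest-prefix contact lookup.

Added example, not from the original thread.  Prefixes come from the
message above; ALLOCATIONS is a constructed table standing in for what a
registry would return, so no network access is needed.
"""
import ipaddress
from typing import Optional


def aggregate(a: str, b: str) -> Optional[ipaddress.IPv4Network]:
    """Return the single block that is exactly a + b, or None.

    Two equal-length prefixes merge only when they are the two halves of
    the next shorter prefix, i.e. their network addresses differ in exactly
    the last network bit.  ipaddress.collapse_addresses performs the merge;
    the prefixlen check rejects the degenerate case where a and b are the
    same network (collapse would return it unchanged).
    """
    na = ipaddress.ip_network(a, strict=True)
    nb = ipaddress.ip_network(b, strict=True)
    if na.prefixlen != nb.prefixlen:
        return None
    merged = list(ipaddress.collapse_addresses([na, nb]))
    if len(merged) == 1 and merged[0].prefixlen == na.prefixlen - 1:
        return merged[0]
    return None


def first_differing_bit(a: str, b: str) -> int:
    """1-based position, counted from the left, of the first bit where the
    two network addresses differ.  A pair of /n prefixes merges into a
    /(n-1) exactly when this value equals n; 128.173 and 128.174 already
    differ at bit 15, so they cannot be one /15."""
    na, nb = ipaddress.ip_network(a), ipaddress.ip_network(b)
    x = int(na.network_address) ^ int(nb.network_address)
    return na.max_prefixlen - x.bit_length() + 1


def contact_for(ip: str, allocations: dict) -> Optional[str]:
    """Longest-prefix match over registered blocks: the most specific
    allocation wins, so a customer /22 carved out of a provider /16 gets
    its own contact rather than the provider's.  Returns None when no
    block covers the address."""
    addr = ipaddress.ip_address(ip)
    best_net, best_contact = None, None
    for prefix, contact in allocations.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_contact = net, contact
    return best_contact


# Constructed allocation table (not real registry data): a provider /16
# with one customer /22 SWIPed out of it.
ALLOCATIONS = {
    "128.173.0.0/16": "noc@provider.example",
    "128.173.8.0/22": "hostmaster@customer.example",
}

if __name__ == "__main__":
    pairs = [("128.173.0.0/16", "128.174.0.0/16"),
             ("128.172.0.0/16", "128.173.0.0/16"),
             ("198.82.250.0/24", "198.82.251.0/24")]
    for a, b in pairs:
        print(f"{a} + {b} -> {aggregate(a, b)} "
              f"(first differing bit {first_differing_bit(a, b)})")
    print(contact_for("128.173.9.1", ALLOCATIONS))    # customer /22
    print(contact_for("128.173.200.1", ALLOCATIONS))  # provider /16
```

Note that the answer to "two /16s or a /15" depends on alignment, not just adjacency: 128.173/16 and 128.174/16 are adjacent but straddle a /15 boundary, while 128.172/16 and 128.173/16 do form 128.172.0.0/15.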

They've got some really smart people who I'm sure could whip up some code
to take named logs on stdin and add IP's to a database and send an email
to the appropriate contacts (as found in the regional registry for the IP
space). Just because they could have done that, doesn't mean I think they
should have taken the time to do it.

They should have posted to inet-access and nanog. Clearly the surprise
cutoff[1] this morning had a profound operational impact on mail servers
all over the world.

But no...they're too busy posting ALL CAPS TITLED press releases bragging
about things most operators probably couldn't care less about to
news.admin.net-abuse.email. MAPS seems to have been taken over by flakey
pointy hairs.

I wonder how many network operators actually regularly read
news.admin.net-abuse.email? I didn't until I heard it was the one place
MAPS had officially said anything about this change.

[1] Yes...it was a surprise. It didn't happen when they said it would
happen. Therefore, there was no way to anticipate when it would really
happen. And for those who don't read inet-access, nanog, or nanae,
they're probably still wondering why the MAPS BLs are broken and why the
MAPS website has been down every time they've tried to go there and see if
there's any word about why the BLs are broken.

> Remember in your analysis that NSI's whois is *notoriously* inaccurate,
> and quite often the "owner of record" of a /16 is a service provider, and
> the person you WANT to send the mail to is the admin of the company that
> bought a /22 from that provider's /16.
>
> Hint: You ever had a hack-in attempt at your site, and tried to figure
> out who owned the IP address? How long did it take you? Have you ever
> come up empty-handed? Good - now design a way to do that look-up several
> hundred times *a second*.
>
> But yeah, with a little bit of hand-waving, they could get the mail
> to the right admin at the right company.

This isn't NSI's fault!!! Every ISP that I have worked for that assigned a
block of 8 or more IPs properly swipped their IPs with ARIN. If people get
lazy and just swip (spelling?) a /16 instead of individual blocks, ARIN
cannot be blamed. Even the IP's for the /25 that I am on my cable modem
at home are properly swipped to reflect the geographic region as well as my
MSO.

Guys,
They did post to NANOG when they performed the aforementioned
s/vix.com/mail-abuse.org/g:

http://www.merit.edu/mail.archives/nanog/2001-04/msg00426.html

Seeing as we've all seen people complaining about them not doing this,
when they obviously did, I don't see how it would've helped everyone had
they posted to NANOG before the July 31 cutoff.

I'm not saying that not posting to NANOG was a "good" idea (well, ok, it
was stupid) but it seems it wouldn't have helped quite a few.

> They should have posted to inet-access and nanog. Clearly the surprise
> cutoff[1] this morning had a profound operational impact on mail servers
> all over the world.
>

> Guys,
> They did post to NANOG when they performed the aforementioned
> s/vix.com/mail-abuse.org/g:

I was saying anything about that.

> Seeing as we've all seen people complaining about them not doing this,
> when they obviously did, I don't see how it would've helped everyone had
> they posted to NANOG before the July 31 cutoff.

"Some people don't read or pay attention to nanog...so we won't bother
posting there." hmm....

John,
I wasn't referring to you, and I agree that the policy of not posting to
high (net|sys)admin mailing lists is questionable. It's just that I've
seen some folks on here complaining about lack of notification when they
did switch from vix.com to mail-abuse.org, and I believe that fault
should be placed where it needs to be placed.

I'm not sure how that could be handled given the way they ran the service.
I'd imagine there are lots of people who looked into the RBL/RSS/DUL issue
only when configuring their mail servers, and never checked the web site
again, don't read nanae, nanog, or inet-access, and wouldn't find out
about the zone name switch until things broke.

Way back when the RBL was primarily BGP and they just began allowing zone
transfers, you had to fill out paperwork and send it to MAPS. They could
have kept that requirement or required you to join a MAPS-announce mailing
list as a condition of using the service so that they'd have an easy way
to reach tech people for all networks using their service. Sure, they
probably wouldn't be able to stop you from unsubscribing or ignoring the
email, but then it'd be your fault if you missed the announcements.

> The modifications were done at Paul Vixie's specific request. So was
> "best practices" RFC 2505. Any doubt about that? Read the articles:

Mitch,

Your intentionally misleading statements are obnoxious and unprofessional.
If you work as hard at running your ISP as you do spreading half-truths,
rumors and outright lies about MAPS, I'll sign up with you because your
service must be top-notch...

Re: BGP blackholing spam [was Spammer Bust]

Paul Vixie says he asked for relaying to be turned off by default. There's
nothing wrong with that. No mention of sendmail using the MAPS RBL in any
way, shape or form.

sendmail.net: interview001

And in this message Eric Allman basically echoes what Paul says, that Paul
asked for relaying to be turned off by default and that he initially
didn't want to do it. Again, nothing about the RBL.

You're wrong, and you're intentionally being dishonest in an effort to
prove you're right, which won't work because you're wrong.

> Don't believe me. Believe the words of Paul Vixie and Eric Allman.

I do believe their words. Problem is, there's no mention of the RBL in
either of those discussions. Further, I don't believe anyone at the
Sendmail Project actually wrote the dnsbl macro (though I could be wrong
about that). It was eventually adopted by them, but I'm pretty sure they
didn't write it, and I'll bet a boatload of money that *no one* wrote it
simply because Vixie forced them to.

I'll be happy to start listening to you again when you have something of
worth to contribute.

> I'll be happy to start listening to you again when you have something of
> worth to contribute.

I think Mitch's whole beef is that his server is listed in RSS:

Aug 3 08:47:57 minbar sm-mta[15972]: f73FluWn015972: ruleset=check_rcpt, arg1=<dredd@megacity.org>, relay=[205.159.140.2], reject=553 5.3.0 <dredd@megacity.org>... Site 205.159.140.2 listed on MAPS RSS

Aug 3 08:47:57 minbar sm-mta[15972]: f73FluWn015972: from=<mitch@netside.net>, size=1170, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[205.159.140.2]

So now that we've seen what Mitch has said is bogus, and we can see his motivation for spreading the FUD, let's kill this thread and move on.

D
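The two maillog lines quoted above are the standard sendmail pair for a DNSBL reject: a `ruleset=check_rcpt ... reject=553` line naming the relay and the list, and a `from=` line sharing the same queue id. The parser below is an added example, not code from the original thread or from sendmail; it pulls those fields out, joins the two lines on the queue id so each rejection carries its envelope sender, and tallies rejections per list and per relay, which is what a postmaster would want when one cutover starts changing which lists answer. The first two sample lines are the ones quoted above, rejoined onto single lines; the other two are constructed (TEST-NET address 192.0.2.7, example.* mailboxes) to exercise a second relay and list.

```python
"""Extract sendmail DNSBL rejections from a maillog and tie each to its
envelope sender via the queue id.

Added example, not from the original thread or the sendmail project.  The
regexes follow sendmail's usual "ruleset=..., arg1=..., relay=[ip],
reject=553 5.3.0 ..." and "from=<...>, size=..." line shapes; the DNSBL name
is taken from the free-text reject reason ("listed on MAPS RSS").
"""
import re
from collections import Counter

# Lines 1-2: quoted in the message above.  Lines 3-4: constructed.
SAMPLE_LOG = """\
Aug 3 08:47:57 minbar sm-mta[15972]: f73FluWn015972: ruleset=check_rcpt, arg1=<dredd@megacity.org>, relay=[205.159.140.2], reject=553 5.3.0 <dredd@megacity.org>... Site 205.159.140.2 listed on MAPS RSS
Aug 3 08:47:57 minbar sm-mta[15972]: f73FluWn015972: from=<mitch@netside.net>, size=1170, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[205.159.140.2]
Aug 3 09:02:11 minbar sm-mta[16010]: f73G2BAb016010: ruleset=check_rcpt, arg1=<alice@example.org>, relay=[192.0.2.7], reject=553 5.3.0 <alice@example.org>... Site 192.0.2.7 listed on MAPS DUL
Aug 3 09:02:11 minbar sm-mta[16010]: f73G2BAb016010: from=<bob@example.net>, size=980, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[192.0.2.7]
Aug 3 09:03:00 minbar sshd[400]: unrelated line that must be ignored
"""

# syslog prefix + sendmail queue id; everything after the id is parsed separately
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<daemon>[\w-]+)\[(?P<pid>\d+)\]: (?P<qid>\w+): (?P<rest>.*)$"
)
REJECT_RE = re.compile(
    r"ruleset=(?P<ruleset>\w+), arg1=<(?P<arg1>[^>]*)>, relay=\[(?P<relay>[^\]]+)\], "
    r"reject=(?P<code>\d{3} \d\.\d\.\d) .*?listed on (?P<dnsbl>MAPS \w+)"
)
FROM_RE = re.compile(r"from=<(?P<sender>[^>]*)>, size=(?P<size>\d+)")


def parse_line(line: str):
    """Return a dict for a DNSBL-reject or from= line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    rj = REJECT_RE.search(rest)
    if rj:
        rec.update(kind="reject", **rj.groupdict())
        return rec
    fr = FROM_RE.search(rest)
    if fr:
        rec.update(kind="from", **fr.groupdict())
        return rec
    return None


def dnsbl_rejects(log_text: str):
    """One dict per rejection, with 'sender' filled in when the same queue
    id also logged a from= line (None when it did not)."""
    rejects, senders = [], {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "reject":
            rejects.append(rec)
        else:
            senders[rec["qid"]] = rec["sender"]
    for r in rejects:
        r["sender"] = senders.get(r["qid"])
    return rejects


def summarize(rejects):
    """Counts per DNSBL and per relay IP; a sudden shift here is the first
    visible symptom when a list's zone name or answers change."""
    by_list = Counter(r["dnsbl"] for r in rejects)
    by_relay = Counter(r["relay"] for r in rejects)
    return by_list, by_relay


if __name__ == "__main__":
    found = dnsbl_rejects(SAMPLE_LOG)
    for r in found:
        print(f"{r['qid']} relay={r['relay']} list={r['dnsbl']} "
              f"sender={r['sender']} rcpt={r['arg1']}")
    print(summarize(found))
```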

> I'll be happy to start listening to you again when you have something of
> worth to contribute.

  He would have a point if (and only if) those associated with MAPS induced
others to support their abuse prevention system by promising (or at least
implying) that it would be free forever. It would certainly be deceptive and
dishonest to build support and a client base for a service by offering it
for free with the secret intention of suddenly switching to a fee-based
system after support was widely available and relied upon.

  DS