List,
It seems that browsing to ticketmaster.com or any of the associated IP addresses results in a 403 Forbidden for our customers today. Is anyone else having this issue?
If anyone from Ticketmaster could reach out to me off-list, it would be helpful.
Charles Manser | Principal Engineer I, Network Security
Charles.Manser@charter.com
Can get to them fine from Florida via level3.
Tom
Can get to them from Equinix connected Peer.
403 forbidden from as12306 via level3.
No Issues from AS26269 via HE NYC (AS6939)
*Ben Hatton*
Network Engineer
Haefele TV Inc.
d:(607)589-8000
bhatton@htva.net
www.htva.net
* Charles.Manser@charter.com (Manser, Charles J) [Mon 06 Feb 2017, 16:21 CET]:
> It seems that browsing to ticketmaster.com or any of the associated IP addresses results in a 403 Forbidden for our customers today. Is anyone else having this issue?
http://help.ticketmaster.com/why-am-i-getting-a-blocked-forbidden-or-403-error-message/
-- Niels.
It gives me a Forbidden error.
It has for over a year.
Their support says they are not allowed to tell me why by their policy.
It is across an entire /19.
I gave up after the fifth time and encourage the customers to call them individually.
Yup, I have a /22 that has the same problem. Support is useless...
My guess is you have or had sometime in the long distant past a scalper operating on your network, using automated ticket purchase bots.
If you still have that scalper around, you might want to turf him. If he’s ancient history, saying so might induce them to remove the block.
--srs
> Yup, I have a /22 that has the same problem. Support is useless...
Another way to get on their block list is to have a lot of users behind a
single NAT or proxy IP address. In my experience they blocked single IPs.
The first time it was easy to explain that there were 30,000 users behind
the single address and get the block cleared. After that it became more
difficult to get someone to listen. In one case I gave up because we were
about to make a data center change and the blocked address would no longer
be used.
However, I don't believe that the problem ever came back, maybe because we
had fewer users behind individual IP addresses, or because they finally
noted that the netblocks were owned by $LARGE_CORPORATION.
So their policy says, if an ISP has one scalper, we'll block their entire subnet and not tell them why?
Honestly, I'm surprised they don't try and charge a 'convenience fee' while
implementing the block! 
Ken
I'm interested to see if anyone has beaten this.
Seems to me this random prefix-based blocking by major sites,
then let's-use-nanog-to-fix-it, is not a great methodology.
I block whole /18s and such to deal with .cn/.ru botnets too, but luckily my
cxs' cxs are mostly North American, few complaints yet. Sledgehammer style -
indelicate.
Is there a better method other than us sheep bleating helplessly at behemoths
who might not even have a presence on Nanog-l?
This sledgehammer blacklisting results in a filter where smaller than /16
doesn't get addressed due to time cost of dealing with fewer revenue-generating
eyeballs per ticket.
Result: big ISPs win through sieve effect.
Google has adopted a 'blacklist for a while' policy with their spam control,
which mostly works but can leave you in the dark as to why you're continually
relisted for no obvious reason - no humans out there to help directly, so it's
back to bleating on nanog by Nate and friends.
What more 'official' and formalized mechanisms can we use?
/kc
> Seems to me this random prefix-based blocking by major sites,
> then let's-use-nanog-to-fix-it, is not a great methodology.
You're correct. It's not.
> What more 'official' and formalized mechanisms can we use?
RFC 2142 stipulates role addresses for a variety of functions, many of
which were in common use and some of which were considered best practices
even before they were formalized 20 years ago. A *lot* of the traffic
here (and on other mailing lists) winds up here (and on other mailing lists)
because some incompetent/negligent operations don't support those.
---rsk
> My guess is you have or had sometime in the long distant past a scalper operating on your network, using automated ticket purchase bots.
> If you still have that scalper around, you might want to turf him. If he’s ancient history, saying so might induce them to remove the block.
Note that scalper bots benefit from pools of residential ip addresses to
work with in subverting the anti-bot countermeasures of ticket sale
platforms. So there is the legitimate possibility that subverted hosts
are being used for that sort of thing.
All,
Thank you for the suggestions. All (3) of the e-mail addresses associated with their ARIN records bounced back.
Remote Server returned '< #5.7.133 smtp;550 5.7.133 RESOLVER.RST.SenderNotAuthenticatedForGroup; authentication required; Delivery restriction check failed because the sender was not authenticated when sending to this group>'
It can be difficult for consumers to work these issues individually, so we reached out to the NANOG community for an assist. The problem seemed widespread and not isolated to single customers and referring them to a web form did not seem like an option.
Good news: I am making some progress with the Live Nation/Ticketmaster team.
"Thank you for bringing this to our attention. We are conducting an investigation on suspicious activity that has been observed on the range of IP's are associated to your connectivity and will make every effort to do this as fast as possible."
Thank you all again for the help and I will keep the archive updated if we reach a repeatable resolution.
Regards,
Charles Manser | Principal Engineer I, Network Security
Charles.Manser@charter.com
Has anyone found a resolution to this? Our network has been blocked and I had a customer mention it to me the other day, so I would like to get it resolved.
Thank you!
Best Regards,
They don't care at all.
They are not interested in helping in any way.
All four times I contacted them they were extremely rude.