Heath Jones <hj1980@gmail.com> wrote:
Out of curiosity, what led you to this conclusion?
A number of factors, actually.

Although I had started to type up a lengthy and elaborate response to your eminently reasonable question, on second thought, I don't think that I actually want to go into detail on this case, as anything I might say as regards to how I detected this would just allow future hijackers to evade me that much more effectively.

So I'm sorry to be giving you a non-answer, but actually, I think that's best for now.

In any case, further discussion of this particular case now appears to be moot. As of now, it appears that AS11296 is no longer announcing any routes at all, so I'm assuming that Nishant Ramachandran (Xeex/AS27524) and/or whoever else may have been involved in this has now been adequately spanked. (And my personal thanks go out to whoever did that.)

Regards,
rfg

P.S. Yes, I actually _am_ blocking inbound e-mail from google/gmail. Too much spam from there, and far too little action to correct the abundant problem(s). (Can you spell E-V-I-L?) Also blocked here: Yahoo and Hotmail, for the same reasons. (Too big to fail? No. Just too big to care. They don't need me, and I sure as hell don't need them.)

I guess you don't have a real mail server of your own that you can use. For that, you have my sympathies.

WOW, full of yourself much. Many of us use gmail and others to manage the load of mail we receive from various lists. I doubt anyone needs your sympathies. Good luck getting assistance from the list in the future, but I doubt you need it; you seem to be able to do everything on your own.

-jim

On Wed, Sep 29, 2010 at 8:22 AM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
Heath Jones <hj1980@gmail.com> wrote:
Out of curiosity, what led you to this conclusion?
A number of factors, actually.
Although I had started to type up a lengthy and elaborate response to your eminently reasonable question, on second thought, I don't think that I actually want to go into detail on this case, as anything I might say as regards to how I detected this would just allow future hijackers to evade me that much more effectively.
So I'm sorry to be giving you a non-answer, but actually, I think that's best for now.
In any case, further discussion of this particular case now appears to be moot. As of now, it appears that AS11296 is no longer announcing any routes at all, so I'm assuming that Nishant Ramachandran (Xeex/AS27524) and/or whoever else may have been involved in this has now been adequately spanked. (And my personal thanks go out to whoever did that.)
Regards, rfg
P.S. Yes, I actually _am_ blocking inbound e-mail from google/gmail. Too much spam from there, and far too little action to correct the abundant problem(s). (Can you spell E-V-I-L?) Also blocked here: Yahoo and Hotmail, for the same reasons. (Too big to fail? No. Just too big to care. They don't need me, and I sure as hell don't need them.)
I guess you don't have a real mail server of your own that you can use. For that, you have my sympathies.
On Wed, Sep 29, 2010 at 08:38:17AM -0300, jim deleskie wrote:
WOW, full of yourself much. Many of us use gmail and others to manage the load of mail we receive from various lists. I doubt anyone needs your sympathies. Good luck getting assistance from the list in the future, but I doubt you need it; you seem to be able to do everything on your own.

Ron is one of the most senior anti-spam people on this planet, and has long since demonstrated not only serious clue, but formidable research and analysis skills. You may safely trust that if he's made the decision to post a message like the referenced one in a public forum that he's done his homework.

As to his decision to block Gmail (or any other freemail provider), everyone with sufficient knowledge in the field knows that these operations are prolific and habitual sources of spam (via multiple vectors, not just SMTP; Google accounts for more Usenet spam hitting my filters than all other sources combined). It's thus not at all unreasonable for some operations to revoke (some or all of) their privileges by way of self-defense.

So I think a better response would be to skip the snark and instead reconsider the decision to use a freemail provider for professional (outbound [1]) communications.

---rsk

[1] Using one as a sink for mailing list traffic isn't an entirely bad idea; I do some of that myself. Those which provide POP/IMAP service make it relatively easy to do so -- although one should accept that they're, in general, not high-quality mail services, and that incoming mailing list traffic may variously be denied, lost, misclassified or otherwise not handled as expected.

I have no issue with Ron's level of clue or his personal choice to block whichever domain, or blocks of IP space, he wishes. That's one of the true beauties of the internet: we can all do as we see fit with our little corner of it. But it goes the same with who we choose to help or which mail systems we choose to use. Ron chose to set the tone in his last email; I'll choose not to offer assistance in the future unless it relates to my bits of the internet. No real issue here.

-jim

Sent from my BlackBerry device on the Rogers Wireless Network

-----Original Message-----
From: Rich Kulawiec <rsk@gsp.org>
Date: Wed, 29 Sep 2010 08:25:20
To: <nanog@nanog.org>
Subject: Re: AS11296 -- Hijacked?

On Wed, Sep 29, 2010 at 08:38:17AM -0300, jim deleskie wrote:
WOW, full of yourself much. Many of us use gmail and others to manage the load of mail we receive from various lists. I doubt anyone needs your sympathies. Good luck getting assistance from the list in the future, but I doubt you need it; you seem to be able to do everything on your own.

Ron is one of the most senior anti-spam people on this planet, and has long since demonstrated not only serious clue, but formidable research and analysis skills. You may safely trust that if he's made the decision to post a message like the referenced one in a public forum that he's done his homework.

As to his decision to block Gmail (or any other freemail provider), everyone with sufficient knowledge in the field knows that these operations are prolific and habitual sources of spam (via multiple vectors, not just SMTP; Google accounts for more Usenet spam hitting my filters than all other sources combined). It's thus not at all unreasonable for some operations to revoke (some or all of) their privileges by way of self-defense.

So I think a better response would be to skip the snark and instead reconsider the decision to use a freemail provider for professional (outbound [1]) communications.

---rsk

[1] Using one as a sink for mailing list traffic isn't an entirely bad idea; I do some of that myself. Those which provide POP/IMAP service make it relatively easy to do so -- although one should accept that they're, in general, not high-quality mail services, and that incoming mailing list traffic may variously be denied, lost, misclassified or otherwise not handled as expected.

As to his decision to block Gmail (or any other freemail provider), everyone with sufficient knowledge in the field knows that these operations are prolific and habitual sources of spam (via multiple vectors, not just SMTP; Google accounts for more Usenet spam hitting my filters than all other sources combined). It's thus not at all unreasonable for some operations to revoke (some or all of) their privileges by way of self-defense. So I think a better response would be to skip the snark and instead reconsider the decision to use a freemail provider for professional (outbound [1]) communications.
They are also prolific and habitual sources of people who might want to use email.. By your measure (and everyone that blocks these services), when is it appropriate to have a gmail/hotmail account? Are you saying that the general population are all doing it wrong and that we should all change? Or am I missing your point entirely?
Rich Kulawiec wrote (on Wed, Sep 29, 2010 at 08:25:20AM -0400):
On Wed, Sep 29, 2010 at 08:38:17AM -0300, jim deleskie wrote:
As to his decision to block Gmail (or any other freemail provider), everyone with sufficient knowledge in the field knows that these operations are prolific and habitual sources of spam (via multiple vectors, not just SMTP; Google accounts for more Usenet spam hitting my filters than all other sources combined). It's thus not at all unreasonable for some operations to revoke (some or all of) their privileges by way of self-defense.

And, even if it *is* unreasonable, well, his network, his rules, right? "I block all SMTP traffic from IPV4 servers (clients?) which have odd numbers in the third octet." might not be a good idea for a high volume mail server with clients, but if it's your network, go for it.

--
_________________________________________
Nachman Yaakov Ziskind, FSPA, LLM       awacs@ziskind.us
Attorney and Counselor-at-Law           http://ziskind.us
Economic Group Pension Services         http://egps.com
Actuaries and Employee Benefit Consultants
On 9/29/2010 12:26 PM, N. Yaakov Ziskind wrote:
"I block all SMTP traffic from IPV4 servers (clients?) which have odd numbers in the third octet." might not be a good idea for a high volume mail server with clients, but if it's your network, go for it.
Sadly this method would on average block 97% spam, 3% ham, and statistically be highly effective.
On Wed, Sep 29, 2010 at 9:26 AM, N. Yaakov Ziskind <awacs@ziskind.us> wrote:
And, even if it *is* unreasonable, well, his network, his rules, right?
"I block all SMTP traffic from IPV4 servers (clients?) which have odd numbers in the third octet." might not be a good idea for a high volume mail server with clients, but if it's your network, go for it.
Except that this thread started with a recommendation to block an entire AS, containing a reasonable number of networks. Recommendations such as that are only as credible as the source they are coming from, and knowing that the person making the request also believes that blocking all mail from gm.com is a valid anti-spam technique probably results in a "different" credibility level than one might otherwise have.

Scott.
On Wed, Sep 29, 2010 at 8:25 AM, Rich Kulawiec <rsk@gsp.org> wrote:
On Wed, Sep 29, 2010 at 08:38:17AM -0300, jim deleskie wrote:
WOW full of yourself much. Many of us use gmail and others to manage the load of mail we received from various lists. I doubt we anyone needs your sympathies,
Ron is one of the most senior anti-spam people on this planet, and has long since demonstrated not only serious clue, but formidable research and analysis skills.
Yet he has so much trouble programming his mail filter to differentiate between legitimate and spam email coming out of Google that he feels the need to block all email from Google. Are we to question his skill? Or just his judgment?

If Ron's as smart as you say then he's smart enough to take some famous advice: "A decent respect to the opinions of mankind requires that they should declare the causes." If it's good enough for creating a country, it's good enough for a lesser call to action -- like filtering an AS and its netblocks.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
Out of curiosity, what led you to this conclusion?
A number of factors, actually. Although I had started to type up a lengthy and elaborate response to your eminently reasonable question, on second thought, I don't think that I actually want to go into detail on this case, as anything I might say as regards to how I detected this would just allow future hijackers to evade me that much more effectively. So I'm sorry to be giving you a non-answer, but actually, I think that's best for now.
Let me reword... What is stopping someone coming on the list, making a claim like you have in an attempt to actually cause a DOS attack, by having some clumsy network engineers starting to block traffic in reaction to your post? I'm sure that you've done your investigation (don't get me wrong) and you might sure be right in your assertions; nevertheless, evidence is pretty much needed for a claim like that!
In any case, further discussion of this particular case now appears to be moot.
Ok, but back to my point - what is the evidence and how are people to trust what you're saying?

P.S. Yes, I actually _am_ blocking inbound e-mail from google/gmail. Too much spam from there, and far too little action to correct the abundant problem(s). (Can you spell E-V-I-L?) Also blocked here: Yahoo and Hotmail, for the same reasons. (Too big to fail? No. Just too big to care. They don't need me, and I sure as hell don't need them.)
Let me get this right.. You use your own mail server and have problems filtering spam. I use gmail and don't have that problem.
I guess you don't have a real mail server of your own that you can use. For that, you have my sympathies.
The only time I have problems is when I try and send an email to some muppet that has blocked gmail & hotmail & god knows what else. Perhaps you should do yourself a favour, turn off your mail server and open up a gmail/hotmail account like the rest of the population.
-----Original Message-----
From: Heath Jones
Sent: Wednesday, September 29, 2010 5:16 AM
To: Ronald F. Guilmette
Cc: nanog@nanog.org
Subject: Re: AS11296 -- Hijacked?
Let me reword... What is stopping someone coming on the list, making a claim like you have in an attempt to actually cause a DOS attack, by having some clumsy network engineers starting to block traffic in reaction to your post?
There would be several filters for this. Is the person reporting this a known network operator that people trust or is it some Joe Blow out of nowhere that nobody has heard of before? That would make a huge difference.

Is the AS assigned to a company that is known to be defunct? That would be another flag. Why would a company that no longer exists have its ASN active and its IPs sending traffic? This would be particularly interesting if the carrier handling the traffic is not a carrier known to have a relationship with that AS in the past.

So a pattern of ... AS works for many years, disappears for some period of time, company goes defunct, and some period of time later the AS appears on a completely different carrier without any reassignment from the registrar.

Bottom line, there is more to it than someone just popping up on a list saying something.

g
Bottom line, there is more to it than someone just popping up on a list saying something.
If you have the time to go and investigate all of that yourself, it's good to know you've thought about the metrics you would use. Sometimes, people do this thing called 'referencing'. It's basically where you list your sources of information and associated evidence that led you to your conclusion :) My question is a pretty simple one, "Out of curiosity, what led you to this conclusion?", because there were no references.. Apparently he has super-duper top secret methods that he doesn't want to share. That's fine - I won't waste my time with it anymore.
There would be several filters for this. Is the person reporting this a known network operator that people trust or is it some Joe Blow out of nowhere that nobody has heard of before? That would make a huge difference. Is the AS assigned to a company that is known to be defunct? That would be another flag. Why would a company that no longer exists have its ASN active and its IPs sending traffic? This would be particularly interesting if the carrier handling the traffic is not a carrier known to have a relationship with that AS in the past. So a pattern of ... AS works for many years, disappears for some period of time, company goes defunct, and some period of time later the AS appears on a completely different carrier without any reassignment from the registrar.
Agree, and those are all good filters (except for the perilously fallacious appeal to authority). But none of these claims were made, and that's the source of this extended discussion. If those claims had been made, then this entire discussion could have been circumvented - and those that care could independently validate the claims. There is a LOT of danger to blindly blackholing networks simply because a trusted email address posts on a netops list. In my experience, netops people (NANOG'ers being an especially good example) tend to be largely logical, rational, skeptical beings.

So in a nutshell: if the post had included what you're suggesting, we could at least go out and go: "oh, yes, he's right - that AS belongs to a dead company, and is coming from a very different carrier than it did when it was operating" AND "his email address has a history of posting reliable information of a similar nature" AND "his message is validly PGP signed so that we can trust that the owner of the email address sent the message" AND "his email is written in a way that recognizes that clued, skeptical individuals are going to carefully analyze it" THEN I would expect a very different set of responses from the list.

But an email that says "I'm going to deliberately withhold all of the vital information I used to come to this conclusion, but request that you take action anyways" is going to consistently be roundfiled.

Nathan
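The checks George lists (a defunct registrant, an ASN that goes quiet and later reappears behind a carrier it never used, no registry reassignment in between) and Nathan's point that a hijack report should be independently verifiable can be expressed as a small scoring routine. The script below is an added example written for this page, not code from anyone in the thread. The ASNs (64500 and up, from the private range), organisation names, upstream relationships and dates are all constructed; in real use the sightings would come from a route collector's historical data and the registry records from an RIR whois lookup.

```python
"""Score an AS-hijack report against registry and routing-history signals.

Signals (each one that fires adds a flag):
  1. the registrant organisation is recorded as defunct;
  2. the origin AS was not seen announcing anything for a long period;
  3. after that silence it reappeared behind an upstream AS that never
     carried it before;
  4. the registry object was not modified after the reappearance, i.e.
     no reassignment or transfer explains the new carrier.
All data in this file is constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class RegistryRecord:
    asn: int
    org_name: str
    org_status: str      # "active" or "defunct" (constructed status field)
    last_modified: date  # last change to the registry object


@dataclass(frozen=True)
class RouteSighting:
    seen: date           # day the route collector observed the origin
    asn: int             # origin AS
    upstream: int        # AS immediately before the origin in the AS path


@dataclass
class Assessment:
    asn: int
    flags: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.flags)


def assess(record: RegistryRecord, sightings: list,
           dormant_days: int = 365) -> Assessment:
    """Return an Assessment listing which of the four signals fire."""
    a = Assessment(record.asn)
    hist = sorted((s for s in sightings if s.asn == record.asn),
                  key=lambda s: s.seen)
    if record.org_status == "defunct":
        a.flags.append("registrant organisation is defunct")
    if len(hist) < 2:
        return a  # no history to compare against
    # Find the longest silence between consecutive sightings.
    gap_idx, gap_len = max(
        ((i, (hist[i].seen - hist[i - 1].seen).days) for i in range(1, len(hist))),
        key=lambda t: t[1])
    if gap_len < dormant_days:
        return a
    a.flags.append(f"no announcements for {gap_len} days")
    reappearance = hist[gap_idx]
    prior_upstreams = {s.upstream for s in hist[:gap_idx]}
    if reappearance.upstream not in prior_upstreams:
        a.flags.append(f"reappeared via AS{reappearance.upstream}, "
                       "never an upstream before")
    if record.last_modified < reappearance.seen:
        a.flags.append("registry object unchanged since reappearance")
    return a


# Constructed sample data: a defunct ISP that resurfaces behind a new carrier,
# a steadily announced control AS, and a legitimate provider change that was
# reflected in the registry.
RECORDS = [
    RegistryRecord(64500, "Example Regional ISP (constructed)", "defunct", date(2007, 1, 1)),
    RegistryRecord(64501, "Example Steady Net (constructed)", "active", date(2010, 8, 15)),
    RegistryRecord(64502, "Example Moved Net (constructed)", "active", date(2009, 6, 15)),
]
SIGHTINGS = [
    RouteSighting(date(2005, 1, 1), 64500, 64600),
    RouteSighting(date(2006, 6, 1), 64500, 64600),
    RouteSighting(date(2007, 3, 1), 64500, 64600),
    RouteSighting(date(2010, 9, 1), 64500, 64700),   # back after years, new carrier
    RouteSighting(date(2010, 1, 1), 64501, 64600),
    RouteSighting(date(2010, 6, 1), 64501, 64600),
    RouteSighting(date(2010, 9, 1), 64501, 64600),
    RouteSighting(date(2008, 1, 1), 64502, 64600),
    RouteSighting(date(2009, 6, 1), 64502, 64700),   # new carrier, registry updated after
]


def report(records=RECORDS, sightings=SIGHTINGS) -> dict:
    """Assess every record; returns {asn: Assessment}."""
    return {r.asn: assess(r, sightings) for r in records}


if __name__ == "__main__":
    for asn, a in sorted(report().items()):
        print(f"AS{asn}: score {a.score}")
        for f in a.flags:
            print(f"    - {f}")
```

The score is deliberately just a count of independent signals: AS64500 trips all four, AS64501 trips none, and AS64502 shows why the registry timestamp matters, since a provider change that the registrant recorded afterwards only trips the dormancy and new-upstream flags. The thresholds and the `org_status` field are assumptions; an operator would substitute whatever their RIR and collector data actually expose.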
-----Original Message-----
From: Nathan Eisenberg
Sent: Wednesday, September 29, 2010 11:32 AM
To: nanog@nanog.org
Subject: RE: AS11296 -- Hijacked?

from the list.
But an email that says "I'm going to deliberately withhold all of the vital information I used to come to this conclusion, but request that you take action anyways" is going to consistently be roundfiled.
Nathan
Maybe you didn't recognize the original poster, but I did, and I would take what he had to say at least seriously enough to have a look. His followup mail, while not giving people the information they wanted (as if it really matters) did mention that the upstream appears to have cut them off. That is a pretty good indication that *something* was going on there.

I don't believe it is anyone's job here to conform to the expectations of anyone else aside from general list etiquette and some level of sanity. He put the information out, it is up to the reader in how they weight it. I don't understand your continued banging on the issue. All he did was put information out there. He doesn't need to meet your criteria, you are free to apply that as you will in the privacy of your own cubicle.

G
Maybe you didn't recognize the original poster, but I did, and I would take what he had to say at least seriously enough to have a look. His followup mail, while not giving people the information they wanted (as if it really matters) did mention that the upstream appears to have cut them off. That is a pretty good indication that *something* was going on there.
I don't believe it is anyone's job here to conform to the expectations of anyone else aside from general list etiquette and some level of sanity. He put the information out, it is up to the reader in how they weight it. I don't understand your continued banging on the issue. All he did was put information out there. He doesn't need to meet your criteria, you are free to apply that as you will in the privacy of your own cubicle.
George,

Again - appealing to personal authority is a fallacy. It carries no logical weight who the poster is, and has no place in a decision making process of such magnitude.

No one has to conform to any standard, and I don't think I suggested otherwise. What I did suggest is what would be required in such an email to convince me personally to take any action. The very point of posting a hijacking notification is to convince people to take action, so it's only reasonable to make such a notification as thorough and supported as possible. And it is in the best interests of the process to review communications issues afterwards - if the OP is genuinely interested in helping the internet by letting us know when an AS has been hijacked, then he should certainly appreciate any feedback on how to make those notifications more effective.

I'm also not sure what you mean by 'continued banging on the issue'. This is my first email in this thread...

Nathan

-----Original Message-----
From: Nathan Eisenberg [mailto:nathan@atlasnetworks.us]
Sent: Wednesday, September 29, 2010 12:05 PM
To: nanog@nanog.org
Subject: RE: AS11296 -- Hijacked?
Maybe you didn't recognize the original poster, but I did, and I would take what he had to say at least seriously enough to have a look. His followup mail, while not giving people the information they wanted (as if it really matters) did mention that the upstream appears to have cut them off. That is a pretty good indication that *something* was going on there.
I don't believe it is anyone's job here to conform to the expectations of anyone else aside from general list etiquette and some level of sanity. He put the information out, it is up to the reader in how they weight it. I don't understand your continued banging on the issue. All he did was put information out there. He doesn't need to meet your criteria, you are free to apply that as you will in the privacy of your own cubicle.
George,
Again - appealing to personal authority is a fallacy. It carries no logical weight who the poster is, and has no place in a decision making process of such magnitude.
Again, nobody said the original poster had any authority over anything. He posted a suspicion. It would be up to the individual entities involved to decide if they actually want to take any action based on that or not. Nobody said anyone had to do anything and anyone who blocks traffic based ONLY on a message to a mailing list is an imbecile anyway. Nobody handling any major amounts of traffic is going to base their filtration on third party mailing list postings so I really don't see what the issue is.

I read the original post as a call to look into it and that they were going to be reported to ARIN for further looking into. The original posting said "some folks may wish to blackhole the above" and that is all. But it did strike me as odd that a North Carolina regional ISP would have only a single peer and that peer has no presence that I can determine in North Carolina.

-----Original Message-----
From: George Bonser [mailto:gbonser@seven.com]
Sent: Wednesday, September 29, 2010 10:44 AM
To: Heath Jones; Ronald F. Guilmette
Cc: nanog@nanog.org
Subject: RE: AS11296 -- Hijacked?

Is the person reporting this a known network operator that people trust or is it some Joe Blow out of nowhere that nobody has heard of before? That would make a huge difference.

Going to his website....looks like Joe Blow...Googling his name/email/domain, still nothing that would lead me to believe he is network savvy. So coming from Joe Blow network Dude....he too is just Joe Blow. Just a little perspective for you from the bottom of the pile.

~J
participants (12): Andrew Kirch, deleskie@gmail.com, George Bonser, Heath Jones, jim deleskie, Justin Horstman, N. Yaakov Ziskind, Nathan Eisenberg, Rich Kulawiec, Ronald F. Guilmette, Scott Howard, William Herrin