NOC contact at OLM?
Can anybody help me with a NOC or SOC contact for OLM? It appears OLM.Net is blocking all traffic from some/all of my employer's network space as it enters their network, including DNS lookup of domains hosted on fastdns.net and sylint.com. The last IP seen on traceroutes is 4.68.97.40 or other 4.68.97.X addresses. Thanks, Kevin Kadow (P.S. I've been on hold with their technical support line for the past forty minutes.)
Is it just me or the level of spam coming from ASIA (region) has just increased 10 fold in the past week? And naturally abuse emails are left unanswered.
-----
I could see Peer stopping announcement of the routes of ISPs that do not comply with abuse (I mean high volume of abuse here) after 12h... Or why not having the registrar blackhole the domain if the abuse level gets too high? Right now I see that most of our clients are blacklisting emails from China since it looks like they just don't care about fixing their security/spam issues...
------
That new bunch of spam is hard to tag on digest alone... And I don't believe in regexing the content to see if a url is listed (too many false positives).
-- Alain Hebert ahebert@pubnix.net PubNIX Inc. P.O. Box 175 Beaconsfield, Quebec H9W 5T7 tel 514-990-5911 http://www.pubnix.net fax 514-990-9443
On 2/10/06, Alain Hebert <ahebert@pubnix.net> wrote:
That new bunch of spam is hard to tag on digest alone... And I don't believe in regexing the content to see if a url is listed (too many false positives).
Then you're doing it wrong.
And you'd discover for yourself that it's a dumb move to nullroute or depeer with everything you can think of, trying to block spam.
Shouldn't be too hard to find that out even if you run a small local ISP in Montreal, given the huge number of Chinese / Vietnamese people I saw there (they'd probably all use Shaw and Bell anyway).
If you didn't attend the MAAWG mtg in Montreal late last year you missed out on learning quite a lot of really operational spam filtering, none of which included "nullroute whatever you can".
-- Suresh Ramasubramanian (ops.lists@gmail.com)
Should have been clearer, most of the abuse emails I send to ISPs operating in the APNIC are ineffective. (Well it compares to local tyrant like MaBell or Cable Distributor) Maybe they don't put any priority into what a "small ISP in Montreal" thinks because the relation between the APNIC community and ARIN's are not as strong. Except for the aforementioned tyrant, ISPs in ARIN are pretty quick in fixing the issues. For APNIC, we also include all their peers up to (if possible) an ARIN one. But we only do that in extreme cases of network flooding. (No sense in wasting operator time on spam related incidents)
-----
I won't comment more on the comments below except to say that I don't like the undertone. A lot of our clients/partners/friends are Asian and are from the Montreal community. ... as for being dumb ... stupidity is a planet wide illness. (;
Suresh Ramasubramanian wrote:
On 2/10/06, Alain Hebert <ahebert@pubnix.net> wrote:
That new bunch of spam is hard to tag on digest alone... And I don't believe in regexing the content to see if a url is listed (too many false positives).
Then you're doing it wrong.
And you'd discover for yourself that it's a dumb move to nullroute or depeer with everything you can think of, trying to block spam.
Shouldn't be too hard to find that out even if you run a small local ISP in Montreal, given the huge number of Chinese / Vietnamese people I saw there (they'd probably all use Shaw and Bell anyway).
If you didn't attend the MAAWG mtg in Montreal late last year you missed out on learning quite a lot of really operational spam filtering, none of which included "nullroute whatever you can".
-- Suresh Ramasubramanian (ops.lists@gmail.com)
-- Alain Hebert ahebert@pubnix.net PubNIX Inc. P.O. Box 175 Beaconsfield, Quebec H9W 5T7 tel 514-990-5911 http://www.pubnix.net fax 514-990-9443
On 2/10/06, Alain Hebert <ahebert@pubnix.net> wrote:
For APNIC, we also include all their peers up to (if possible) an ARIN one. But we only do that in extreme cases of network flooding. (No sense in wasting operator time on spam related incidents)
I agree you have a problem there - but try using something like spamhaus.org's sbl and xbl first. And then a few other well chosen blocklists (not the "block all traffic from a country" variety at all).
You won't get any productive results from blocking apnic space the way you do.
-srs
Hi, Yes, those are already in place and do a really good job (about 40% from the daily stats). Another 40% get caught by razor, pyzor, our own local spam election database and spamassassin. (less than 1% are viruses) It's the other 20% which is bugging the hell out of our clients... (Mostly new spam formats and the dynamic spam with generated images)
-----
I think it's more a responsibility problem than a technology one. All our clients sign a U]sage A]cceptable U]se P]olicy. Anybody caught spamming, spam advertising, warezing, illegal downloaded (when BayTSP notify us) get a $500 CDN fine (about $1US) or get disconnected. So we take it seriously (and we applied it at least 15 times last year). Most ARIN ISPs also take it somewhat seriously (legal issues and such)... Except for those big ones, big lawyers trump reality/truth anytime. In summary for now: The situation is pretty much status quo.
Suresh Ramasubramanian wrote:
On 2/10/06, Alain Hebert <ahebert@pubnix.net> wrote:
For APNIC, we also include all their peers up to (if possible) an ARIN one. But we only do that in extreme cases of network flooding. (No sense in wasting operator time on spam related incidents)
I agree you have a problem there - but try using something like spamhaus.org's sbl and xbl first. And then a few other well chosen blocklists (not the "block all traffic from a country" variety at all).
You won't get any productive results from blocking apnic space the way you do.
-srs
-- Alain Hebert ahebert@pubnix.net PubNIX Inc. P.O. Box 175 Beaconsfield, Quebec H9W 5T7 tel 514-990-5911 http://www.pubnix.net fax 514-990-9443
On 2/10/06, Alain Hebert <ahebert@pubnix.net> wrote:
It's the other 20% which is bugging the hell out of our clients... (Mostly new spam formats and the dynamic spam with generated images)
Try a few of the cheaper tricks - HELO checks, for example, or greetpause (I'd say graylisting but that has interesting consequences when it comes up against another "cool antispam trick" - sender address callbacks). They'll cut down on a ton of this stuff. AUPs etc are good but believing in the "be generous in what you accept" part of that old saw never got you anywhere... though a certain amount of generosity is called for all right.
Most ARIN ISPs also take it somewhat seriously (legal issues and such)... Except for those big ones, big lawyers trump reality/truth anytime.
Asiapac ISPs have a rather worse problem but well - they're not the only ones. Like I said try maawg - the next one is later this month in SFO - www.maawg.org
-- Suresh Ramasubramanian (ops.lists@gmail.com)
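The HELO checks suggested in this message, sketched as an added example that is not part of the original thread. The specific tests (bracketed address literal, fully qualified name, no impersonation of the receiving server) and the names `LOCAL_NAMES`, `LOCAL_IPS` and `helo_verdict` are assumptions chosen for illustration.

```python
import ipaddress
import re

# Assumed identity of the receiving server (hypothetical values).
LOCAL_NAMES = {"mail.example.net", "example.net"}
LOCAL_IPS = {ipaddress.ip_address("192.0.2.25")}
# One DNS label: letters, digits, inner hyphens, at most 63 characters.
_LABEL = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

def _parse_ip(text):
    """Return an ip_address object, or None if text is not an IP."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def helo_verdict(helo, client_ip):
    """Return (accept, reason) for the argument of one HELO/EHLO command."""
    helo = helo.strip()
    if not helo:
        return False, "empty HELO"
    if helo.startswith("[") and helo.endswith("]"):
        # Address literal, the only form in which RFC 5321 allows an IP.
        literal = helo[1:-1]
        if literal.lower().startswith("ipv6:"):
            literal = literal[5:]
        addr = _parse_ip(literal)
        if addr is None:
            return False, "malformed address literal"
        if addr in LOCAL_IPS:
            return False, "claims to be this server"
        if addr != _parse_ip(client_ip):
            return False, "address literal does not match client"
        return True, "ok"
    if _parse_ip(helo) is not None:
        return False, "bare IP without brackets"
    name = helo.rstrip(".").lower()
    if name in LOCAL_NAMES:
        return False, "claims to be this server"
    labels = name.split(".")
    if len(labels) < 2:
        return False, "not fully qualified"
    if not all(_LABEL.fullmatch(label) for label in labels):
        return False, "invalid hostname syntax"
    return True, "ok"
```

A NATed client that sends its internal address as a literal fails the match check, so log the verdicts for a while before turning them into rejections.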
Most ARIN ISPs also take it somewhat seriously (legal issues and such)... Except for those big ones, big lawyers trump reality/truth anytime.
Asiapac ISPs have a rather worse problem but well - they're not the only ones. --
Yes. Especially when people outside of the Asia-Pac region decide that a blanket policy reflecting the whole region is appropriate, and forget about the collateral damage. *.nz and *.au both come to mind.
Mark, Speaking for himself, as usual, but that said, I'm still a New Zealander...
On Fri, 10 Feb 2006, Suresh Ramasubramanian wrote:
And then a few other well chosen blocklists (not the "block all traffic from a country" variety at all)
These days, a lot of smallish ISPs are blocking CNNIC and/or KRNIC space wholesale.
As for CN, the truth of the matter is, the Golden Shield is a very internally oriented (not just xenophobic) filter. CN cares a whole bunch what the rest of the world does to its people. CN doesn't care nearly at all what its people do to the rest of the world. Quite the double standard.
The social problem will not be fixed in the foreseeable future, so we have to settle for an imperfect technical solution -- for now. For some operations, the spew level is so high that blanket blocking CNNIC is the only reasonably maintainable option.
-- Todd Vierling <tv@duh.org> <tv@pobox.com> <todd@vierling.name>
--On February 10, 2006 11:29:36 AM -0500 Todd Vierling <tv@duh.org> wrote:
On Fri, 10 Feb 2006, Suresh Ramasubramanian wrote:
And then a few other well chosen blocklists (not the "block all traffic from a country" variety at all)
These days, a lot of smallish ISPs are blocking CNNIC and/or KRNIC space wholesale.
As for CN, the truth of the matter is, the Golden Shield is a very internally oriented (not just xenophobic) filter. CN cares a whole bunch what the rest of the world does to its people. CN doesn't care nearly at all what its people do to the rest of the world. Quite the double standard.
The social problem will not be fixed in the foreseeable future, so we have to settle for an imperfect technical solution -- for now. For some operations, the spew level is so high that blanket blocking CNNIC is the only reasonably maintainable option.
I'm not (yet) blanket blocking the entire IP space in those countries, but I am blocking huge swaths at the mailserver. Not network wide though. It won't be long before they collectively earn such large blocking at the mailservers I control. On the larger of them we reject anywhere from 6-20k attempts/day per inbound server. Almost all of them do exact numbers of attempts (15, 20, and 50 are very common per ip number attempts). I haven't looked into it any further but we haven't heard any customer complaints.
--- Alain Hebert <ahebert@pubnix.net> wrote:
Is it just me or the level of spam coming from ASIA (region) has just increased 10 fold in the past week?
(snip) it comes and goes like the wind, and the tides.
I could see Peer stopping announcement of the routes of ISPs that do not comply with abuse (I mean high volume of abuse here) after 12h...
Much as I would like to see an ISP level response about security issues/spam/foo pollution on the internet, I am not in favor of the balkanization of the internet.
We know that those people with OWNED boxes (via virus, bot, or layer 8) take up a large amount of bandwidth (relative to revenue), and therefore add expenses to an ISP. Smart people know this. The people on the list know this. Stopping inbound packets except for Common Well Known Services might be a good option for an ISP to add, BUT that takes up a lot of router CPU.
That does not do the rest of us any good at this point, people will pollute until trashing the environment _becomes inconvenient_ for them. A way to make things inconvenient is to not allocate any more ip addresses to historical polluters (or ipv6 only). If this is done at the arin/ripe/apnic/etc level, I believe that problem children will find it in their best interest to start putting outbound filters in place, and getting rid of people who can not be bothered to manage their own machines.
The data is in place right now:
http://isc.incidents.org/source_report.php
You can drill down to an ip address, such as
http://www.dshield.org/ipinfo.php?ip=024.000.003.075
http://www.dshield.org/ipinfo.php?ip=221.004.061.168
Increasing the level of reporting so that common pollution, such as port 1025-1030, 135, 445, etc would be pretty easy. Perhaps a BOF at NANOG Dallas might be in order.
Or why not having the registrar blackhole the domain if the abuse level gets too high?
Then you only have no DNS, that does not stop a port scan/spam spew. This is not a problem limited to a region of the world, stupidity is a planet wide illness. (and I am guilty of being ill from time to time)
-charles
Pick two: good, fast, or cheap. (fixed scope, fixed timeframe, or fixed budget) (Elegant, documented, on time) (Privacy, accuracy, security) (Have fun, do good, stay out of trouble) (Study, socialize, sleep) (Diverse, free, equal) (Fast, efficient, useful) (Cheap, healthy, tasty) (Secure, usable, affordable) (Short, memorable, unique) (Cheap, light, strong)
participants (7)
- Alain Hebert
- Charles Cala
- Kevin
- Mark Foster
- Michael Loftis
- Suresh Ramasubramanian
- Todd Vierling