Information re: Cyberpromo
Can someone verify that this is the interface facing cyberpromo from AGIS? I called AGIS' NOC and they refused to tell me, so I want to make sure I'm cutting just them...

a0.1.philadelphia1.agis.net (206.185.158.237)

Regards,

--
Martin Hannigan (hannigan@firefly.net)  Voice: 617.528.1099
Firefly Network, Inc. - Network Operations  Network Engineer
www.firefly.net  Semper Cabalis
Martin J. Hannigan put this into my mailbox:
Can someone verify that this is the interface facing cyberpromo from AGIS?
I called AGIS' NOC and they refused to tell me, so I want to make sure I'm cutting just them...
a0.1.philadelphia1.agis.net (206.185.158.237)
Well, AGIS appears to be hijacking its own netblocks for CyberPromo, as it were. I blocked out the CP netblocks, and still got spam from other netblocks through AGIS. I finally went ahead and blocked this:

    # cyberpromo
    ALL: 205.199.212. 205.199.4. 206.27.86.210 207.124.161.50
    # Cyberpromo through IDCI
    ALL: 207.124.161.0/255.255.255.0
    # AGIS
    ALL: 205.254.160.0/255.255.224.0, 205.137.48.0/255.255.240.0, \
         204.157.0.0/255.255.0.0, 206.84.0.0/255.254.0.0, \
         206.42.0.0/255.254.0.0, 205.198.0.0/255.254.0.0, \
         206.62.0.0/255.255.0.0, 206.148.0.0/255.254.0.0, \
         206.185.0.0/255.255.0.0, 206.249.0.0/255.254.0.0, \
         204.137.128.0/255.255.192.0, 204.137.192.0/255.255.224.0, \
         205.164.64.0/255.255.192.0, 205.164.128.0/255.255.192.0, \
         205.164.192.0/255.255.192.0, 204.130.243., 209.14.0.0/255.255.0.0 \
         207.142.0.0/255.255.0.0

Two months with these filters, and no complaints yet.

-dalvenjah

--
Dalvenjah FoxFire (aka Sven Nielsen)    "Isn't it wrong that there's only
Founder, the DALnet IRC Network          one company that makes the game Monopoly?"
                                                                 -Steven Wright
e-mail: dalvenjah@dal.net      WWW: http://www.dal.net/~dalvenjah/
whois: SN90                    Try DALnet! http://www.dal.net/
Martin J. Hannigan put this into my mailbox:
[ snip ]
Two months with these filters, and no complaints yet.
Was that some wrappered service? Looked like tcp_wrappers. I think a router with enough memory would be a better performer for filtering activities at that layer.

I did go ahead and install the relay denial rulesets published on sendmail.org for 8.8.x and they work fine. Cyberpromo appears to have been using "Cyberbomber" on our ports.

I guess I'm naive, but I thought NAPS wanted to stop this kind of thing, and most had explicit rules about it. Guess not. Back to the clue-store with me. :-/

Regards,

--
Martin Hannigan (hannigan@firefly.net)  Voice: 617.528.1099
Firefly Network, Inc. - Network Operations  Network Engineer
www.firefly.net  Semper Cabalis
Martin J. Hannigan put this into my mailbox:
Martin J. Hannigan put this into my mailbox:
[ snip ]
Two months with these filters, and no complaints yet.
Was that some wrappered service? Looked like tcp_wrappers. I think a router with enough memory would be a better performer for filtering activities at that layer.
What I actually did was take sendmail 8.8.5, #define TCPWRAPPERS, and then modify the code so that it calls hosts_ctl (the function that checks /etc/hosts.deny) on connect, not just on MAIL FROM. Yes, this causes remote sites to churn if they get denied, but from the syslogs, there really aren't that many people who try for that long.

The exact patch was posted to bugtraq a while back. If you're interested, please mail me privately.

-dalvenjah

--
Dalvenjah FoxFire (aka Sven Nielsen)    "The weapon which causes the most
Founder, the DALnet IRC Network          damage to the Internet is the keyboard."
e-mail: dalvenjah@dal.net      WWW: http://www.dal.net/~dalvenjah/
whois: SN90                    Try DALnet! http://www.dal.net/
I find this very interesting. Some people claim that AGIS is quite large... (I don't think I believe them) and if you don't peer with AGIS you really don't reach all the net. Yet here is a case where someone else cuts them off with no complaints.... I have seen similar statements from others.

Any consensus on whether connectivity to them is irrelevant to doing reasonable business on the net or not nowadays?

One wonders how long they will hang on. (Watching Sergio Heker's antics with GES (jvncnet) I used to wonder the same. Sergio however had one major major customer called Princeton University left at the end.) AGIS has the spammers.....surely they will meet their well deserved fate before long?

************************************************************************
The COOK Report on Internet               For subsc. pricing & more than
431 Greenway Ave, Ewing, NJ 08618 USA     ten megabytes of free material
(609) 882-2572 (phone & fax)              visit http://cookreport.com/
Internet: cook@cookreport.com
On line speech of critics under attack by Ewing NJ School Board, go to http://cookreport.com/sboard.shtml
************************************************************************
AGIS has some 175 or so reseller customers, some of whom are largeish. A number of those are dual-homed or peer with "nearly everyone" at one or more exchange points, though.

In the last few weeks, I've seen over 10 midsized ISPs announce they were leaving AGIS, many more are talking about doing so. Both because of ongoing spam support and their low quality of service (some inherent, some apparently people attacking Cyberpromo and/or AGIS after being spammed, unfortunately) I now recommend to all the ISPs I do or have consulted with that are AGIS customers that they leave.

I've never actually seen a large network kill itself before. It looks like they've got circa 6 months to live at this rate. This is an interesting process...

-george william herbert
gherbert@crl.com
Disclaimer: I speak for nobody, not even my cats.
I have to concur somewhat. I've blocked major chunks of AGIS' address space, and 22 networks worldwide now mirror my personal black hole list, and though I receive periodic forwarded complaints from folks who can't reach someplace which shares address space with a spammer, no one has EVER complained to me at not being able to reach a blocked AGIS customer.

AGIS proved this case by heavily restricting their peering policy a while back. Several companies I know of chose not to seek transit just to reach AGIS, and so far none of them has felt any pain at all from their decision.

I'm going to stop now since those are the operational/connectivity issues and I don't want to grab your attention and then start ranting about AGIS's "new" opt-out formulae, or about spam in general.
On Mon, 2 Jun 1997, Dalvenjah FoxFire wrote:
Well, AGIS appears to be hijacking its own netblocks for CyberPromo, as it were. I blocked out the CP netblocks, and still got spam from other netblocks through AGIS. I finally went ahead and blocked this:
    # cyberpromo
    ALL: 205.199.212. 205.199.4. 206.27.86.210 207.124.161.50
    # Cyberpromo through IDCI
    ALL: 207.124.161.0/255.255.255.0
    # AGIS
    ALL: 205.254.160.0/255.255.224.0, 205.137.48.0/255.255.240.0, \
         204.157.0.0/255.255.0.0, 206.84.0.0/255.254.0.0, \
204.157.36.0/23 is used by a company completely unrelated to AGIS other than having gotten address blocks from Net99 at one point in the long past. AFAIK they don't spam.
206.42.0.0/255.254.0.0, 205.198.0.0/255.254.0.0, \
Ditto for 205.199.64.0/20. Don't know about them spamming (haven't heard any complaints anyhow).

--
\/\ Lab.NET| Ryan Smith-Roberts <rsr@lab.net>       | finger/www for
/\/ we do  | "Consistency requires you to be as     | PGP key
\/\ stuff  | ignorant today as you were a year ago" - Bernard Berenson
89 FC 59 49 D3 DD 20 20 54 0D B0 C5 81 32 01 CC
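The patterns quoted in this thread use tcp_wrappers client syntax, where a `net/mask` pattern matches when `(address & mask) == net` and a trailing-dot pattern matches the leading octets. The following is an added example, not code from any poster: it parses the block list exactly as posted and reports which patterns deny an address, which fully cover a prefix (such as the two Ryan names), and which can never match. Function names are illustrative, and contiguous netmasks are assumed.

```python
import ipaddress
import re

# Block list as posted in the thread (hosts.deny syntax; "\" continues a line).
HOSTS_DENY = r"""
# cyberpromo
ALL: 205.199.212. 205.199.4. 206.27.86.210 207.124.161.50
# Cyberpromo through IDCI
ALL: 207.124.161.0/255.255.255.0
# AGIS
ALL: 205.254.160.0/255.255.224.0, 205.137.48.0/255.255.240.0, \
     204.157.0.0/255.255.0.0, 206.84.0.0/255.254.0.0, \
     206.42.0.0/255.254.0.0, 205.198.0.0/255.254.0.0, \
     206.62.0.0/255.255.0.0, 206.148.0.0/255.254.0.0, \
     206.185.0.0/255.255.0.0, 206.249.0.0/255.254.0.0, \
     204.137.128.0/255.255.192.0, 204.137.192.0/255.255.224.0, \
     205.164.64.0/255.255.192.0, 205.164.128.0/255.255.192.0, \
     205.164.192.0/255.255.192.0, 204.130.243., 209.14.0.0/255.255.0.0 \
     207.142.0.0/255.255.0.0
"""

def ip_int(text):
    return int(ipaddress.IPv4Address(text))

def parse_rules(text):
    """Return [(pattern, net, mask)] for every client pattern in the file."""
    rules = []
    for line in re.sub(r"\\\s*\n", " ", text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _daemons, clients = line.split(":", 1)   # daemon list is "ALL" throughout
        for pat in filter(None, re.split(r"[\s,]+", clients)):
            if "/" in pat:                       # net/mask form
                net, mask = map(ip_int, pat.split("/"))
            else:                                # full address or trailing-dot prefix
                octets = pat.rstrip(".").split(".")
                net = ip_int(".".join(octets + ["0"] * (4 - len(octets))))
                mask = (0xFFFFFFFF << (32 - 8 * len(octets))) & 0xFFFFFFFF
            rules.append((pat, net, mask))
    return rules

RULES = parse_rules(HOSTS_DENY)

def matching_rules(addr):
    """Patterns that deny one client address: (addr & mask) == net."""
    a = ip_int(addr)
    return [pat for pat, net, mask in RULES if (a & mask) == net]

def covering_rules(prefix):
    """Patterns that deny every address in a CIDR prefix (contiguous masks assumed)."""
    n = ipaddress.ip_network(prefix)
    ends = (int(n.network_address), int(n.broadcast_address))
    return [pat for pat, net, mask in RULES if all((e & mask) == net for e in ends)]

def dead_rules():
    """Patterns whose net has bits set outside the mask, so they can never match."""
    return [pat for pat, net, mask in RULES if net & ~mask & 0xFFFFFFFF]
```

On the posted list, `covering_rules("204.157.36.0/23")` and `covering_rules("205.199.64.0/20")` each return the single broad AGIS pattern that sweeps up the unrelated block, and `dead_rules()` returns `206.249.0.0/255.254.0.0`, whose network address has a bit set that the mask clears.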
Okay, I've got a question actually related to North American Network Operations...here goes:

I'm currently the Network Admin for a medium sized ISP in Cincinnati Ohio. We are currently multi-homed through US Sprint (Sprintlink), one connection in DC one in Chicago. We are interested in diversifying across another Network Service Provider backbone. We currently run BGP4 with Sprint, and will be running it to our additional NSP. We're working on getting our own netblock to have us be able to announce our AS via both NSPs.

My question is twofold:

1) Are there recommendations on which NSP I should go with now, based on the fact that I currently have Sprintlink? Our Sprint connections are a full DS3 and a full T1 (DS3 to Chicago, T1 to DC). I want to buy another DS3. We've placed an order for UUNet, however, they have now taken 160 days (they gave me a 120 day due date and missed it), and cannot give me a firm due date, and I'm not convinced they will ever be able to deliver. I'm tired of waiting. I looked at MCI, but the "InternetMCI voice mail system" is "Full". So you can't even leave a message to have someone call you back (800.582.1253, kinda funny since they spend all that money on advertising and customers can't even contact them).

2) What is the best way to handle the AS announcements? I've got three netblocks from Sprint, but Sprint won't announce my more specific routes (nor should they), so people will just route to the blocks Sprint is advertising. If I announce the more specific routes out UUNet (for lack of another example), I'll start getting all my inbound traffic down that pipe. From what I can tell, I'd be better off getting my own netblock from the InterNIC, and announcing my own routes through both NSPs. That way the Internet will make its own routing decisions based on the "closeness" of the routes (AS Path length, etc.). I'd then renumber my internal network, and give Sprint their IPs back. Does that sound right?

Thanks in advance. I've learned a great deal being on this list, and I'm going to put up with the signal-to-noise ratio for a while as long as there's still information I can glean.

--
Robert A. Pickering Jr.  Internet Services Manager
Cincinnati Bell Telephone  rob@fuse.net
A Rough Whimper of Insanity (Information Superhighway)
PGP key ID: 75CAFF7D 1995/05/09
PGP Fingerprint: B1 63 0C 09 D8 2E 5D 69 BB 61 A2 92 22 37 63 C3
Well, that was interesting. Thanks to everyone who has responded thus far. I've gotten a lot of "sale" types of email, but also a lot of really good information.

It appears as if I was right in my assumption that I needed to get my own IP block of PI space from the InterNIC. So, my follow-up question is this:

What exact documentation and formats does the InterNIC need to see. I've been told network diagrams and IP allocations, but that to me means diagrams, and that means I have to ship them some drawing format. What do they use?

Or, can I just create a table of IP addresses and hosts and how my IPs are allocated to customers, etc.

I want to make sure that I'm somewhat successful in securing some reasonable amount of IP space from the NIC, and would like some advice from people who have gone through this process.

Thank You Again.

-Rob

--
Robert A. Pickering Jr.  Internet Services Manager
Cincinnati Bell Telephone  rob@fuse.net
A Rough Whimper of Insanity (Information Superhighway)
PGP key ID: 75CAFF7D 1995/05/09
PGP Fingerprint: B1 63 0C 09 D8 2E 5D 69 BB 61 A2 92 22 37 63 C3
Hi, Robert A. Pickering Jr. wrote:
What exact documentation and formats does the InterNIC need to see. I've been told network diagrams and IP allocations, but that to me means diagrams, and that means I have to ship them some drawing format. What do they use?
It would be great to have some software that your customers would just fill out, so you could present the reports in the format your upstream IP allocation body could use.

I don't know about the InterNIC; I get my space from the APNIC and the hardest part to fill out in the forms there is the series of projections: host counts in 3/6 months, 1/2 years. Sometimes your customers can be too optimistic :)

--
miguel a.l. paraz <map@iphil.net> +63-2-893-0850
iphil communications, makati city, philippines <http://www.iphil.net>
On Wed, 4 Jun 1997, Robert A. Pickering Jr. wrote:
means diagrams, and that means I have to ship them some drawing format. What do they use?
You can be certain that everybody can accept diagrams via fax or in a GIF file, preferably delivered by emailing a URL.
I want to make sure that I'm somewhat successful in securing some reasonable amount of IP space from the NIC, and would like some advice from people who have gone through this process.
You can't give them too much information. Make sure you apply far enough in advance that you have time to answer any questions that arise.

Read RFC2050 http://www.internic.net/rfc/rfc2050.txt and the Internic policy guidelines at ftp://rs.internic.net/policy/internic/internic-ip-1.txt

The application template is at ftp://rs.internic.net/templates/isp-ip-template.txt

If you feel that some of the information the Internic requires is confidential and are reluctant to disclose it, there is an NDA that the Internic will sign. You can get a copy of the actual NDA at ftp://rs.internic.net/policy/internic/internic-ip-2.txt You sign two copies and courier it to them, they sign them and send one copy back to you.

If there are still some parts of the policies or requirements that are confusing, go to http://www.arin.net and read through the stuff in the Recommended Reading section.

And if you do not meet the requirements for an IP netblock, be aware that the single biggest reason why this cannot be changed at this point in time is because the White House Interagency Task Force is stalling on letting an industry run consortium (ARIN) take over the task of managing North America's IPv4 address space. Let your congress person, and senator know that the administration's actions are hurting your business and are the exact opposite of their claims to support industry self regulation initiatives. If you are Canadian, talk to your federal MP and ask Industry Canada and the Dept of Foreign Affairs to pressure the White House to move this forward. Since ARIN also will serve South Africa and Latin America in its early stages, people in those countries could ask their governments to place some pressure on the American White House.

Unfortunately, even in the USA, the politicians do not realize how fast the Internet moves and how necessary it is to cut through the bureaucratic red tape in order for it to flourish. And many Internet companies and individuals have not in the past taken time to get involved in the political process by educating politicians about the political and economic realities of the Internet. It's time to change this, IMHO.

*********************************************************
Michael Dillon                  voice: +1-415-482-2840
Senior Systems Architect        fax: +1-415-482-2844
PRIORI NETWORKS, INC.           http://www.priori.net
"The People You Know. The People You Trust."
*********************************************************
I looked at MCI, but the "InternetMCI voice mail system" is "Full". So you can't even leave a message to have someone call you back (800.582.1253, kinda funny since they spend all that money on advertising and customers can't even contact them).
And heaven help you if you should have a problem dealing with the local branch MCI office for MCI installation. We placed an order last January, dealt with the salesguy extensively for about 6 weeks at which point he left the company and it turned out had never placed the order. The guy who took over from him has given us a runaround, requiring us to spend money on wiring contractors (upon which we'd be turned up "within 2 days"), thereafter requiring increasing amounts of documents and signatures and then nothing. Neither he nor his supervisor will return phone calls, even though I've been nothing but polite. (Perhaps that's the problem.)

You have to practically hire a private detective to find an MCI contact outside of the branch office who will help (I haven't yet found one, although I've found direct line customer support, InternetMCI customer support, scads of other numbers, and the above-mentioned voice mail box that was also full when I tried it). They have an email address which eventually responds with the suggestion that you should call your branch office.

The kicker: we're now getting billed, even though we've yet to get service. The bill includes an "expedite" charge plus CPE that we never asked for nor received.

I suppose this is only peripherally (at best) an operations note. If there was an "internet-bureaucracy" list, I'd rant there. :-)

-mm-
On Wed, 4 Jun 1997 16:48:36 -0400 (EDT) "Mark E. Mallett" wrote:
The kicker: we're now getting billed, even though we've yet to get service. The bill includes an "expedite" charge plus CPE that we never asked for nor received.
Ha! I can top that. MCI billed us for 9 months for a line which had never been installed. They had given us the run around similar to yours, but the day before the line was to be installed, the sales person called when he knew I was going to be out of the office and left a message saying that MCI was indefinitely delaying all T1 installations (this was spring of 1996). He never, ever returned my phone calls after that. We had already installed and paid for the Nynex local loop. We switched to AT&T, but MCI billed us for the non-existent line anyhow...

Did I ever tell you about the time the MCI sales-critter forged my signature on a contract, but didn't even spell my name right? OK, so you're all sick of that story...

regards,
fletcher
participants (11)
- Dalvenjah FoxFire
- Fletcher E Kittredge
- George Herbert
- Gordon Cook
- Mark E. Mallett
- Martin J. Hannigan
- Michael Dillon
- Miguel A.L. Paraz
- Paul A Vixie
- Robert A. Pickering Jr.
- Ryan Smith-Roberts