*** MAKE SPAM@INTERRAMP.COM DIE FAST!!! *** (fwd)
I see the following kind of message on a regular basis. How long before this kind of thing starts to cause significant problems? And lest you say that xmission.com is only a small unimportant provider, I've seen much larger ones also saying they do this and not everybody is as selective about only blocking one port.

Michael Dillon - ISP & Internet Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com

---------- Forwarded message ----------
Date: Wed, 21 Aug 1996 15:38:19 -0600 (MDT)
From: Pete Ashdown <pashdown@xmission.com>
Reply-To: inet-access@earth.com
To: inet-access@earth.com
Subject: *** MAKE SPAM@INTERRAMP.COM DIE FAST!!! ***
Resent-Date: Wed, 21 Aug 1996 15:39:02 -0600 (MDT)
Resent-From: inet-access@earth.com

We have seen an inordinate amount of spam email sourcing from Interramp.com and their customers. Despite frequent attempts to notify KEN ANDREWS, PSI, or any living soul at Interramp, our pleas have gone unanswered. As a result, *ALL* SMTP mail traffic from Interramp's networks has been blocked at the router level here. I would encourage *EVERY* responsible ISP to do the same. Interramp does not appear to care about spam problems, and in fact has become a haven for this type of crap due to their complicity.
The following are instructions on how to block Interramp SMTP traffic on a Cisco:

Make an extended IP access list:

! ACL 120: drop TCP from each Interramp /24 to port 25 (smtp) on any host.
! The "eq smtp" qualifier belongs on the destination side; placed on the
! source side it would only match packets leaving Interramp's own mail
! servers from port 25, i.e. their replies to connections we opened to them,
! and inbound deliveries to our port 25 would pass untouched.
access-list 120 deny tcp 38.8.23.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.8.31.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.8.45.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.8.65.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.9.51.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.10.1.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.10.2.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.10.3.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.10.4.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.10.5.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.10.220.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.11.72.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.11.122.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.11.183.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.11.189.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.11.194.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.11.207.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.11.208.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.11.209.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.11.210.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.11.215.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.11.217.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.11.224.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.11.226.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.11.227.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.11.229.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.11.230.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.11.231.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.11.237.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.11.243.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.11.244.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.12.81.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.12.93.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.12.126.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.12.128.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.12.138.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.12.140.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.12.156.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.12.157.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.12.158.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.12.178.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.12.179.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.12.190.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.12.205.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.12.206.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.12.208.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.12.209.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.12.234.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.12.243.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.14.101.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.14.110.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.14.126.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.14.128.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.14.138.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.14.140.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.14.142.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.14.35.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.14.36.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.14.37.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.14.40.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.14.45.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.14.74.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.14.79.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.14.82.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 38.26.44.0 0.0.0.255 any eq smtp
! Everything else passes; without this line the implicit deny at the end of
! the list would drop all other inbound traffic on the interface.
access-list 120 permit ip any any

Due to the fact that Interramp's networks are not contiguous in any apparent way, you have to block each one on a class C basis. If anyone sees any evidence otherwise, please let me know. Of course, it wouldn't be a bad idea to block all of 38.0.0.0 because PSI hasn't been cooperative either.

After the list is created, add it to your incoming interfaces with:

ip access-group 120 in

The 120 is arbitrary, it can be anything in the extended IP access-list range.

============================== ISP Mailing List ==============================
Email ``unsubscribe'' to inet-access-request@earth.com to be removed.
Don't post messages that just say ``me too''.
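The access list above is easy to get subtly wrong, because Cisco's extended ACL syntax takes an optional port on both the source and the destination side. The following script is an added example, not part of the original post and not xmission's configuration: it generates the deny entries from a prefix list (computing the wildcard mask from the prefix length, so it also covers the "block all of 38.0.0.0" variant and not only /24s), then evaluates a small first-match model of the ACL against two packets: an inbound delivery attempt from an Interramp host, and a reply from an Interramp mail server to a connection our own MX opened. The prefix subset, the MX address 192.0.2.10 and the host addresses are constructed for the example.

```python
# Added example (not from the original post): build the Cisco extended ACL
# from a prefix list and evaluate what a given entry actually matches.
# The prefixes are a constructed subset of the /24s in the post; the MX
# address (192.0.2.10) and the Interramp host addresses are made up.
import ipaddress

ACL_NUMBER = 120
PORTS = {"smtp": 25}  # named ports the parser understands

# Constructed subset of the Interramp networks listed in the post.
INTERRAMP_PREFIXES = ["38.8.23.0/24", "38.8.31.0/24", "38.10.1.0/24", "38.26.44.0/24"]


def acl_entry(number, prefix, port="smtp"):
    """One deny line: TCP from the prefix to any host on the given port.
    The wildcard mask is the inverse of the netmask, so any prefix length works."""
    net = ipaddress.ip_network(prefix, strict=True)
    return f"access-list {number} deny tcp {net.network_address} {net.hostmask} any eq {port}"


def build_acl(number, prefixes, port="smtp"):
    """Deny lines followed by the explicit permit-everything-else entry."""
    lines = [acl_entry(number, p, port) for p in prefixes]
    lines.append(f"access-list {number} permit ip any any")
    return lines


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'."""
    if tokens[i] == "any":
        addr, wc, i = "0.0.0.0", "255.255.255.255", i + 1
    elif tokens[i] == "host":
        addr, wc, i = tokens[i + 1], "0.0.0.0", i + 2
    else:
        addr, wc, i = tokens[i], tokens[i + 1], i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port = int(PORTS.get(tokens[i + 1], tokens[i + 1]))
        i += 2
    return addr, wc, port, i


def parse_acl(lines):
    """Parse 'access-list N {permit|deny} PROTO SRC [eq P] DST [eq P]' lines."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue  # skip '!' comments and blank lines
        action, proto = t[2], t[3]
        src, swc, sport, i = _parse_addr(t, 4)
        dst, dwc, dport, _ = _parse_addr(t, i)
        entries.append((action, proto, src, swc, sport, dst, dwc, dport))
    return entries


def _match(addr, wildcard, ip):
    """Cisco wildcard semantics: bits set in the wildcard are don't-care bits."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(addr)) & care)


def acl_action(entries, proto, src, sport, dst, dport):
    """First matching entry wins; an ACL with no match denies implicitly."""
    for action, p, sa, sw, sp, da, dw, dp in entries:
        if p != "ip" and p != proto:
            continue
        if not (_match(sa, sw, src) and _match(da, dw, dst)):
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        return action
    return "deny"


# The form with "eq smtp" on the source side of the entry, for comparison.
AS_POSTED = ["access-list 120 deny tcp 38.8.23.0 0.0.0.255 eq smtp any",
             "access-list 120 permit ip any any"]
CORRECTED = build_acl(ACL_NUMBER, ["38.8.23.0/24"])

MX = "192.0.2.10"  # constructed address for the receiving mail host


def check(acl_lines):
    """Return what the ACL does to (a) an inbound delivery attempt from an
    Interramp host to our port 25 and (b) a reply from an Interramp mail
    server (source port 25) to a connection our own MX opened towards it."""
    entries = parse_acl(acl_lines)
    inbound = acl_action(entries, "tcp", "38.8.23.17", 40000, MX, 25)
    reply = acl_action(entries, "tcp", "38.8.23.5", 25, MX, 40001)
    return inbound, reply


if __name__ == "__main__":
    print("\n".join(build_acl(ACL_NUMBER, INTERRAMP_PREFIXES)))
    print("source-side eq smtp:", check(AS_POSTED))   # ('permit', 'deny')
    print("destination-side eq smtp:", check(CORRECTED))   # ('deny', 'permit')
```

With the port on the source side the inbound spam delivery is permitted and only our own outbound mail to Interramp breaks; with it on the destination side the inbound delivery is dropped and our outbound mail still works. One operational caveat worth knowing before scripting weekly updates of such a list: on classic IOS a numbered ACL cannot have single entries removed, so a changed list is applied by `no access-list 120` followed by the full new list, and the interface is unprotected between those two steps unless the new list is loaded under a different number first.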
Personally I'm all for it. My company, ACES Research, uses the mailer from Innosoft International, PMDF. It does application-level refusals *PRIOR* to reception of the mail (unlike sendmail, which would accept the mail, then return it). Try sending mail from *@aol.com to *@aces.com, and see what you get :) :-)

Ehud

p.s. We do application-level filtering as opposed to router-level filtering because we want to log the connects/refusals as they occur (with sender/recipient attempted address).
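The distinction Ehud draws is where in the SMTP dialogue the refusal happens: at the envelope stage (MAIL FROM / RCPT TO), before the DATA command, the receiver already knows the peer address, the attempted sender and the attempted recipient and can log all three, but has not yet taken a single byte of message content, so there is nothing to bounce later. The session model below is an added example written for this page; it is not PMDF, not ACES Research's configuration, and the blocked network, the blocked sender domain, the hostname mx.example.net and all addresses are constructed. It shows the server side of one SMTP session refusing with a 550 at RCPT TO and recording the attempt.

```python
# Added example (not PMDF or ACES Research's configuration): a minimal SMTP
# receiver policy that refuses at the envelope stage, before any message
# data is accepted, and logs peer, attempted sender and attempted recipient.
# The blocked network, the sender domain and all addresses are constructed.
import ipaddress

BLOCKED_NETS = [ipaddress.ip_network("38.8.23.0/24")]   # constructed
BLOCKED_SENDER_DOMAINS = {"spam.example"}               # constructed
HOSTNAME = "mx.example.net"                             # constructed


def _envelope_addr(arg):
    """'FROM:<user@host>' or 'TO:<user@host>' -> 'user@host'."""
    return arg.partition(":")[2].strip().strip("<>")


class SmtpSession:
    """Server side of one SMTP session. Policy is applied at RCPT TO, so the
    sender and recipient are known for the log but no DATA has been taken."""

    def __init__(self, peer_ip, log):
        self.peer = ipaddress.ip_address(peer_ip)
        self.log = log          # shared list of (event, peer, sender, rcpt, reason)
        self.sender = None
        self.recipients = []

    def greet(self):
        return f"220 {HOSTNAME} ESMTP"

    def _refusal(self):
        """Empty string if the envelope is acceptable, else the reason text."""
        if any(self.peer in net for net in BLOCKED_NETS):
            return "mail from your network is not accepted here"
        domain = (self.sender or "").rpartition("@")[2].lower()
        if domain in BLOCKED_SENDER_DOMAINS:
            return f"mail from {domain} is not accepted here"
        return ""

    def command(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {HOSTNAME}"
        if verb == "MAIL":
            self.sender = _envelope_addr(arg)
            return "250 2.1.0 Sender ok"
        if verb == "RCPT":
            rcpt = _envelope_addr(arg)
            reason = self._refusal()
            if reason:
                # Permanent refusal with the full envelope in the log; the
                # client never gets to send the message body.
                self.log.append(("REFUSED", str(self.peer), self.sender, rcpt, reason))
                return f"550 5.7.1 {reason}"
            self.recipients.append(rcpt)
            self.log.append(("ACCEPTED", str(self.peer), self.sender, rcpt, ""))
            return "250 2.1.5 Recipient ok"
        if verb == "DATA":
            if not self.recipients:
                return "503 5.5.1 No valid recipients"
            return "354 Enter mail, end with \".\" on a line by itself"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command unrecognized"


def run_session(peer_ip, client_lines):
    """Drive one session; returns (server replies incl. greeting, log)."""
    log = []
    session = SmtpSession(peer_ip, log)
    replies = [session.greet()] + [session.command(line) for line in client_lines]
    return replies, log


if __name__ == "__main__":
    spammer = ["HELO relay.spam.example", "MAIL FROM:<someone@spam.example>",
               "RCPT TO:<user@example.net>", "DATA", "QUIT"]
    replies, log = run_session("38.8.23.17", spammer)
    print("\n".join(replies))
    print(log)
```

A router ACL, by contrast, sees only the SYN from the blocked network and drops it silently: nothing is logged about who was trying to send to whom, and the sending side sees a timeout rather than a refusal it can act on.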
I doubt many (esp. large providers) will start filtering IP/SMTP traffic because (1) filters suck precious CPU, (2) they'd have to maintain frequently changing filter lists, (3) and they'd increase potential liability for traffic monitoring/filtering.

Note: Below is a long non-operational, non-routing rant. Don't say I didn't warn you. You may also want to follow up to me personally rather than the list (thus the Reply-To header).

I personally have been disappointed at PSI's unwillingness to police its trial members. It's more than Usenet or mailing lists. I get InterRamp spam directly to misspelled user accounts at a domain I manage. For the first incident, I sent repeated mail to postmaster@interramp.com - no reply. For another I tried to additionally involve CERT because the message content advertised special SPAMming software that might bring on more clever SPAMmers. I believe CERT's attitude (perhaps rightly so) was to sit on the sidelines. While I've given up on chasing down SPAM (not my job) and usually just delete them, I sometimes forward them on to people who might care to know about them (too-good-to-be-true deals go to an SEC friend, trademark violations are forwarded to a company's whois contacts).

... but it's more than just SPAM. People are going to use trial accounts for more sinister problems: anonymous hacking and anonymous credit card fraud. The following is a true story:

In July my bank called me to ask if I knew anything about multiple $39.95 purchases. "Uh no, why?" It turns out that someone was using my credit card to access "Club Love", a Web-based porn service. "What!?!" (Yes, this is not something I do.) They racked up over $1100 in charges. I quickly had my card cancelled (great, no Visa/ATM for a week) and then at the advice of my bank called "Club Love" to ask for a credit. They didn't credit me until they had a threat of a charge-back on them. I wanted to help them chase the ba&tard down too.

They had Web logs, and they knew from where the requests came, apparently some pool-address dialup account. It's happened before, and in a previous occurrence the ISP refused to track down the caller. I'm assuming it was a trial or anonymous account since crime is grounds for dismissal in anyone's service. I know that it's possible that IP addresses can be traced back to PPP interfaces which can be traced back to calls which (with some dialup manufacturers) can be traced back to the caller's ANI info, but I've hit a brick wall. To get any of this info out of an ISP would require a court order at a minimum. I have no recourse because I haven't lost any money, and I'm told that felony credit card fraud has a $2500 minimum so my local DA won't care. My bank is concerned, but they have no recourse since they didn't lose money. Only "Club Love" has lost money, and I use "lost" loosely because like the First Virtual risk model (*) there is no tangible loss from a person's downloading bits from a Web site.

(*) http://www.fv.com/info/overview.html#insights

Mostly-victimless crimes like this are likely to become more common as users see that no one is inclined to catch them. SPAM is nothing in comparison to a presidential e-mail death threat or hacking into some online bank's financial system - but it'll likely happen one day which is why some might want to think twice about their trial account offering.

So how does this apply to NANOG? We're just Internet jockeys, right? In addition to being the routing resource for your company, your marketing people probably ask your opinion about new products or at least force new products down your (or your coworkers') throats. One day you'll be asked/told about the idea of mailing out drink coasters (er, I mean "trial account floppies") to people.

Here are some considerations you may want your marketing people to ponder if/when that happens:

SPAM
- How many support man-hours will be spent chasing, responding to, removing, and in general dealing with customer SPAM?
- What policies will you have in place to discourage SPAM?
- ... or (like some) do you just take the PR hit and not deal with it?

Logging
- How much data can you have about every session or transaction?
- Of that data, what's public information and what's private? Most would consider dial ANI info, account information, E-mail, Web transactions, and IP packet contents to be private data. Some would consider IP packet headers and e-mail headers to be public. Usenet postings are certainly public.
- How much of that data do you maintain? All of it? None? Some, but not all? If you choose not to maintain some data, how liable are you? Do you have enough disk space? How do you manage offline storage/backups?
- How willing are you to research through that information for a third party? Some third parties to consider: a hacker, your employees, another customer, a sysadmin at another service provider, local law enforcement (court order required?), federal law enforcement, secret service.

Services
- Do you provide limited or unlimited Internet access? Do you enable your customers (access to news poster, Web/FTP accessible disk space)? At least with online services, their trial customers affected only other customers, not 30+ million people around the world. For potential SPAMmers, consider keeping your trial customers from using a non-local posting distribution (how will they know the difference? ;^), and limiting them to only e-mail to a fixed number of messages (20?) or keep it inside your service. For hackers, consider firewalling your customers so that they can only use popular ports like Web, Netrek, and Kali, and not Telnet, X-Windows, SMTP, etc...
- When your trial customers access the internet, whose domain name shows up on the PTR records or the e-mail address? This is important because the person in the Whois database as a technical or administrative contact is usually the one that's called or e-mailed when there are problems.
- Do your potential customers know up front that they're liable for how they use their account? Do they know you're not (willing to be) liable for their actions?

If you give these questions to your marketing people and if you're lucky, they will have more than enough to chew on to keep them busy for a couple months so that you can get back to router configurations and peering problems. If they insist on going ahead with the trial subscriber disks anyway, insist that they need to hire a team of at least two FTE support people per 800 customers who are at least as smart as you (good luck :^), hire a couple system administrators who are also programmers (whee!), and put an online-savvy attorney on retainer (even harder to find!). Oh yeah, they'll have to buy you the RAID farms you've always wanted and buy into your previously ignored security philosophies since you can no longer trust your customers to be good people. If that doesn't work, perhaps only Dogbert can help.

--
Eric Ziegast
ziegast@im.gte.com
As bill manning once put it so eloquently:
Axel Boldt's Blacklist of Internet Advertisers can be found at:
http://math-www.uni-paderborn.de/~axel/BL/blacklist.html

-CB
There's a US mirror at http://www.cco.caltech.edu/~cbrown/BL/

--
Dick St.Peters, Gatekeeper, Pearly Gateway, Ballston Spa, NY
stpeters@NetHeaven.com
Owner, NetHeaven 518-885-1295/800-910-6671
Albany/Saratoga/Glens Falls/North Creek/Lake Placid/Blue Mountain Lake
First Internet service based in the 518 area code
On Thu, 22 Aug 1996, Paul A Vixie wrote:
One good thing about point (2) above is that if there is an authoritative list of bad nets run by a respected and clueful admin such as Paul is, then it becomes much easier for admins everywhere to just download his router config parameters automatically every week like (dare I say it?) transferring a DNS zone file. And since the person maintaining the list of bad nets is both clueful and respected we could be reasonably assured that if a bad net turns good it will promptly be removed from the list.

What concerned me was that if people add blockages to their routers when a very visible problem occurs, over time more and more sites get blocked but nobody will ever go in and clean them up or even check if they should be cleaned up. And if the net that is blocked ends up being transferred to another owner at some point in time, then that owner now has a "contaminated" Internet address. And the upstream NSP who allocates this address block also has the contamination to deal with.

However, if there is some kind of public and coordinated effort to deal with this issue then perhaps we can avoid the contamination (by the weekly updates) or we can at least maintain some records of who is blocking what. If a bad site turns good then admins can be emailed or notified somehow to remove the blockages.

Michael Dillon - ISP & Internet Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com
A recent article in Network World ("Shared Logic: How free should the Internet be?" by Marc Myers, 8/12/96, p. 28), drew an analogy from early "townships" and how they relate to the Internet. Nathaniel Hawthorne once observed that all successful townships built a church and a jail prior to any other construction as tools for enabling others in the community to pursue their belief systems out of "harm's way." If Usenet, mailing lists & conferences (such as "nanog") are the equivalent of the early churches (places to congregate and learn how to apply one's belief system to everyday life), then perhaps such an authoritative "blacklist" would be the equivalent of a "jail" for those that insist on violating the principles that the majority of us feel make the Internet successful...

Of course that brings up all sorts of issues of defamation (being on the list unfairly could hurt one's reputation with customers, etc.), due-process (how do you get off the list or on in the first place), etc. I would imagine that getting somebody to just "volunteer" to do such a list "officially" might be difficult! It _is_ appealing though...

$0.02 (YMMV)

Ed

On Thu, 22 Aug 1996, Michael Dillon wrote:
Ed Morin Northwest Nexus Inc. (206) 455-3505 (voice) Professional Internet Services edm@nwnexus.WA.COM
Of course that brings up all sorts of issues of defamation (being on the list unfairly could hurt one's reputation with customers, etc.),
I'll be including pointers to the evidence in each case.
due-process (how do you get off the list or on in the first place), etc.
I'll use my own judgement. SOMEBODY has to use some judgement.
I would imagine that getting somebody to just "volunteer" to do such a list "officially" might be difficult!
My difficulty has been in keeping the activity separate from my role in CIX, in the ISC, and in my own consulting company. I'm waiting to hear back from my lawyer about the disclaimers I proposed, before I go live.
participants (9)
- bmanning@isi.edu
- Chris Bongaarts
- Dick St.Peters
- dvv@sprint.net
- Ed Morin
- Ehud Gavron
- Eric Ziegast
- Michael Dillon
- Paul A Vixie