RE: trapdoor.merit.edu and other impatient Postfix mailers everywhere (fwd)
I understand they have a problem notifying everyone since they don't know contact information for the people using the service, but I would have expected to see an announcement here, for example.
Lemesee if I got this right...Paul Vixie doesn't know anybody that can pull my IP addresses out of their logs, look them up on ARIN, send me email. Riiight. GMAB!
How do you think those references got there? Could it be that enough people requested it and asked how to do it with older versions of sendmail that it was made an optional part of the standard configuration?
Probably not. Can you say "bait and switch", boys and girls. Right out of Mad Man Muntz's handbook.
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Larry Sheldon
Sent: August 2, 2001 7:44 PM
To: nanog@merit.edu
Subject: RE: trapdoor.merit.edu and other impatient Postfix mailers everywhere (fwd)
I understand they have a problem notifying everyone since they don't know contact information for the people using the service, but I would have expected to see an announcement here, for example.
Lemesee if I got this right...Paul Vixie doesn't know anybody that can pull my IP addresses out of their logs, look them up on ARIN, send me email.
Do you log every single DNS query to your DNS servers (if you have any)? I'm not aware of anyone who does, simply because the resulting log would be gigantic... especially for a DNS-based service as huge as MAPS.
Vivien
--
Vivien M.
vivienm@dyndns.org
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/
On Thu, 2 Aug 2001, Vivien M. wrote:
Lemesee if I got this right...Paul Vixie doesn't know anybody that can pull my IP addresses out of their logs, look them up on ARIN, send me email.
Do you log every single DNS query to your DNS servers (if you have any)?
I'm not aware of anyone who does, simply because the resulting log would be gigantic... especially for a DNS-based service as huge as MAPS.
They've got some really smart people who I'm sure could whip up some code to take named logs on stdin and add IPs to a database and send an email to the appropriate contacts (as found in the regional registry for the IP space). Just because they could have done that, doesn't mean I think they should have taken the time to do it.
They should have posted to inet-access and nanog. Clearly the surprise cutoff[1] this morning had a profound operational impact on mail servers all over the world. But no...they're too busy posting ALL CAPS TITLED press releases bragging about things most operators probably couldn't care less about to news.admin.net-abuse.email. MAPS seems to have been taken over by flakey pointy hairs.
I wonder how many network operators actually regularly read news.admin.net-abuse.email? I didn't until I heard it was the one place MAPS had officially said anything about this change.
[1] Yes...it was a surprise. It didn't happen when they said it would happen. Therefore, there was no way to anticipate when it would really happen. And for those who don't read inet-access, nanog, or nanae, they're probably still wondering why the MAPS BLs are broken and why the MAPS website has been down every time they've tried to go there and see if there's any word about why the BLs are broken.
--
----------------------------------------------------------------------
 Jon Lewis *jlewis@lewis.org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On Fri, Aug 03, 2001 at 03:10:46AM -0400, jlewis@lewis.org wrote:
They should have posted to inet-access and nanog. Clearly the surprise cutoff[1] this morning had a profound operational impact on mail servers all over the world.
Guys,
They did post to NANOG when they performed the aforementioned s/vix.com/mail-abuse.org/g:
http://www.merit.edu/mail.archives/nanog/2001-04/msg00426.html
Seeing as we've all seen people complaining about them not doing this, when they obviously did, I don't see how it would've helped everyone had they posted to NANOG before the July 31 cutoff. I'm not saying that not posting to NANOG was a "good" idea (well, ok, it was stupid) but it seems it wouldn't have helped quite a few.
--
Marius Strom <marius@marius.org>
Professional Geek/Unix System Administrator
URL: http://www.marius.org/
http://www.marius.org/marius.pgp 0xF5D89089 *updated 2001-02-26*
It is a natural law. Physics tells us that for every action, there must be an equal and opposite reaction. They hate us, we hate them, they hate us back and so, here we are, victims of mathematics.
-- Londo, "A Voice in the Wilderness I"
On Fri, 3 Aug 2001, Marius Strom wrote:
On Fri, Aug 03, 2001 at 03:10:46AM -0400, jlewis@lewis.org wrote:
They should have posted to inet-access and nanog. Clearly the surprise cutoff[1] this morning had a profound operational impact on mail servers all over the world.
Guys, They did post to NANOG when they performed the aforementioned s/vix.com/mail-abuse.org/g:
I was saying anything about that.
Seeing as we've all seen people complaining about them not doing this, when they obviously did, I don't see how it would've helped everyone had they posted to NANOG before the July 31 cutoff.
"Some people don't read or pay attention to nanog...so we won't bother posting there." hmm....
--
----------------------------------------------------------------------
 Jon Lewis *jlewis@lewis.org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
John,
I wasn't referring to you, and I agree that the policy of not posting to high (net|sys)admin mailing lists is questionable. It's just that I've seen some folks on here complaining about lack of notification when they did switch from vix.com to mail-abuse.org, and I believe that fault should be placed where it needs to be placed.
On Fri, Aug 03, 2001 at 03:05:22PM -0400, jlewis@lewis.org wrote:
On Fri, 3 Aug 2001, Marius Strom wrote:
On Fri, Aug 03, 2001 at 03:10:46AM -0400, jlewis@lewis.org wrote:
They should have posted to inet-access and nanog. Clearly the surprise cutoff[1] this morning had a profound operational impact on mail servers all over the world.
Guys, They did post to NANOG when they performed the aforementioned s/vix.com/mail-abuse.org/g:
I was saying anything about that.
Seeing as we've all seen people complaining about them not doing this, when they obviously did, I don't see how it would've helped everyone had they posted to NANOG before the July 31 cutoff.
"Some people don't read or pay attention to nanog...so we won't bother posting there." hmm....
--
----------------------------------------------------------------------
 Jon Lewis *jlewis@lewis.org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
--
Marius Strom <marius@marius.org>
Professional Geek/Unix System Administrator
URL: http://www.marius.org/
http://www.marius.org/marius.pgp 0xF5D89089 *updated 2001-02-26*
It is a natural law. Physics tells us that for every action, there must be an equal and opposite reaction. They hate us, we hate them, they hate us back and so, here we are, victims of mathematics.
-- Londo, "A Voice in the Wilderness I"
On Fri, 3 Aug 2001, Marius Strom wrote:
John, I wasn't referring to you, and I agree that the policy of not posting to high (net|sys)admin mailing lists is questionable. It's just that I've seen some folks on here complaining about lack of notification when they did switch from vix.com to mail-abuse.org, and I believe that fault should be placed where it needs to be placed.
I'm not sure how that could be handled given the way they ran the service. I'd imagine there are lots of people who looked into the RBL/RSS/DUL issue only when configuring their mail servers, and never checked the web site again, don't read nanae, nanog, or inet-access, and wouldn't find out about the zone name switch until things broke.
Way back when the RBL was primarily BGP and they just began allowing zone transfers, you had to fill out paperwork and send it to MAPS. They could have kept that requirement or required you to join a MAPS-announce mailing list as a condition of using the service so that they'd have an easy way to reach tech people for all networks using their service. Sure, they probably wouldn't be able to stop you from unsubscribing or ignoring the email, but then it'd be your fault if you missed the announcements.
--
----------------------------------------------------------------------
 Jon Lewis *jlewis@lewis.org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On Thu, 2 Aug 2001, Larry Sheldon wrote:
I understand they have a problem notifying everyone since they don't know contact information for the people using the service, but I would have expected to see an announcement here, for example.
Lemesee if I got this right...Paul Vixie doesn't know anybody that can pull my IP addresses out of their logs, look them up on ARIN, send me email.
Yes, you can look up contact information for IP blocks. However, we all know how up-to-date that is, and the person listed there may or may not be involved with the mail server. If there had been a notice here, would you have been as unhappy? Remember this was a free service. If I decided I could no longer make chess endgame databases available for free, I would not feel inclined to look up everyone who had been using them and notify them.
How do you think those references got there? Could it be that enough people requested it and asked how to do it with older versions of sendmail that it was made an optional part of the standard configuration?
Probably not.
Can you say "bait and switch", boys and girls.
Right out of Mad Man Muntz's handbook.
As I recall, the first modifications to use RBL in sendmail were done elsewhere, eventually a link was included on the sendmail site, and then it was part of the configuration.
I can see you are bitter about the impact on your mailservers. I am not happy about the way it was done as well, but assuming it was malicious seems excessive.
John A. Tamplin                jat@jaet.org
770/436-5387 HOME              4116 Manson Ave
770/431-9459 FAX               Smyrna, GA 30082-3723
On Thu, 2 Aug 2001, John A. Tamplin wrote:
On Thu, 2 Aug 2001, Larry Sheldon wrote:
How do you think those references got there? Could it be that enough people requested it and asked how to do it with older versions of sendmail that it was made an optional part of the standard configuration?
Probably not.
Can you say "bait and switch", boys and girls.
Right out of Mad Man Muntz's handbook.
As I recall, the first modifications to use RBL in sendmail were done elsewhere, eventually a link was included on the sendmail site, and then it was part of the configuration.
I can see you are bitter about the impact on your mailservers. I am not happy about the way it was done as well, but assuming it was malicious seems excessive.
The modifications were done at Paul Vixie's specific request. So was "best practices" RFC 2505. Any doubt about that? Read the articles:
http://www.dotcomeon.com/relay_default.html
http://www.dotcomeon.com/allman_sendmail_qa.html
Don't believe me. Believe the words of Paul Vixie and Eric Allman.
--Mitch
NetSide
On Thu, 2 Aug 2001, Mitch Halmu wrote:
The modifications were done at Paul Vixie's specific request. So was "best practices" RFC 2505. Any doubt about that? Read the articles:
Mitch, Your intentionally misleading statements are obnoxious and unprofessional. If you work as hard at running your ISP as you do spreading half-truths, rumors and outright lies about MAPS, I'll sign up with you because your service must be top-notch...
Paul Vixie says he asked for relaying to be turned off by default. There's nothing wrong with that. No mention of sendmail using the MAPS RBL in any way, shape or form.
And in this message Eric Allman basically echoes what Paul says, that Paul asked for relaying to be turned off by default and that he initially didn't want to do it. Again, nothing about the RBL. You're wrong, and you're intentionally being dishonest in an effort to prove you're right, which won't work because you're wrong.
Don't believe me. Believe the words of Paul Vixie and Eric Allman.
I do believe their words. Problem is, there's no mention of the RBL in either of those discussions. Further, I don't believe anyone at the Sendmail Project actually wrote the dnsbl macro (though I could be wrong about that). It was eventually adopted by them, but I'm pretty sure they didn't write it, and I'll bet a boatload of money that *no one* wrote it simply because Vixie forced them to.
I'll be happy to start listening to you again when you have something of worth to contribute.
--
JustThe.net LLC - Steve "Web Dude" Sobol, CTO - sjsobol@JustThe.net
Donate a portion of your monthly ISP bill to your favorite charity or non-profit organization! E-mail me for details.
I'll be happy to start listening to you again when you have something of worth to contribute.
I think Mitch's whole beef is that his server is listed in RSS:
Aug 3 08:47:57 minbar sm-mta[15972]: f73FluWn015972: ruleset=check_rcpt, arg1=<dredd@megacity.org>, relay=[205.159.140.2], reject=553 5.3.0 <dredd@megacity.org>... Site 205.159.140.2 listed on MAPS RSS - http://www.mail-abuse.org/rss
Aug 3 08:47:57 minbar sm-mta[15972]: f73FluWn015972: from=<mitch@netside.net>, size=1170, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[205.159.140.2]
So now that we've seen what Mitch has said is bogus, and we can see his motivation for spreading the FUD, let's kill this thread and move on.
D
--
+---------------------+-----------------------------------------+
| dredd@megacity.org  |  "Conan! What is best in life?"         |
| Derek J. Balling    |  "To crush your enemies, see them       |
|                     |   driven before you, and to hear the    |
|                     |   lamentation of their women!"          |
+---------------------+-----------------------------------------+
I'll be happy to start listening to you again when you have something of worth to contribute.
He would have a point if (and only if) those associated with MAPS induced others to support their abuse prevention system by promising (or at least implying) that it would be free forever. It would certainly be deceptive and dishonest to build support and a client base for a service by offering it for free with the secret intention of suddenly switching to a fee-based system after support was widely available and relied upon.
DS
Would y'all please leave me off the "Cc: " list--especially if nanog is on it. Thanks a lot. Peace.
On Thu, 02 Aug 2001 18:44:21 CDT, Larry Sheldon <lsheldon@creighton.edu> said:
Lemesee if I got this right...Paul Vixie doesn't know anybody that can pull my IP addresses out of their logs, look them up on ARIN, send me email.
A long time ago, in a galaxy far far away, the hostname 'black-ice.cc.vt.edu' was listed as an NTP stratum-2 server. Then the building got re-subnetted, and its IP address changed. Then a CNAME for ntp-2.vt.edu was added that pointed there. Then the CNAME was moved to point to a different machine. Then I turned off NTP service to the outside world.
When the recent NTP query-packet security problem was found, that host had not been answering NTP queries off-campus for *6 months*. It hadn't been in clocks.txt for *2 years*. Our router guy put in a filter on our main router to log NTP packets. 5 minutes later he took it off, because that host was *STILL* getting pounded to the level of 100 packets *per second*, courtesy of several freeware packages that had lived on TUCOWS a long time ago. In 5 minutes, we also got 15 or 20 hits on an IP address that it hadn't had for *8 years*.
I'm sure that their packet flux is a lot higher than 100 packets per second. So you get to log them, sort out which ones are in duplicate subnets (remembering that since CIDR, you *DON'T* know where subnets start and end - are 128.173.x.x and 128.174.x.x 2 /16s or a /15? Are 198.82.251.x and 198.82.250.x /24s that belong to different companies, or part of a CIDR block belonging to one organization?)
Remember in your analysis that NSI's whois is *notoriously* inaccurate, and quite often the "owner of record" of a /16 is a service provider, and the person you WANT to send the mail to is the admin of the company that bought a /22 from that provider's /16.
Hint: You ever had a hack-in attempt at your site, and tried to figure out who owned the IP address? How long did it take you? Have you ever come up empty-handed? Good - now design a way to do that look-up several hundred times *a second*.
But yeah, with a little bit of hand-waving, they could get the mail to the right admin at the right company.
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
Remember in your analysis that NSI's whois is *notoriously* inaccurate, and quite often the "owner of record" of a /16 is a service provider, and the person you WANT to send the mail to is the admin of the company that bought a /22 from that provider's /16.
Hint: You ever had a hack-in attempt at your site, and tried to figure out who owned the IP address? How long did it take you? Have you ever come up empty-handed? Good - now design a way to do that look-up several hundred times *a second*.
But yeah, with a little bit of hand-waving, they could get the mail to the right admin at the right company.
This isn't NSI's fault!!! Every ISP that I have worked for that assigned a block of 8 or more IPs properly swipped their IPs with ARIN. If people get lazy and just swip (spelling?) a /16 instead of individual blocks, ARIN cannot be blamed. Even the IPs for the /25 that I am on on my cable modem at home are properly swipped to reflect the geographic region as well as my MSO.
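The attribution problem discussed in the two messages above (a querying address falls inside a provider's /16, but the party to notify holds a reassigned /22 inside it) comes down to a longest-prefix match against registry records. This is an added example, not part of the original thread; the prefixes, contact addresses and query sources are constructed, and the table is scanned linearly for clarity.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed registry records (RFC 1918 space, not real allocations).
# The /16 is the provider's block; the /22 is a customer reassignment
# recorded inside it, as a SWIP entry would provide.
RECORDS = [
    ("10.20.0.0/16", "noc@provider.example"),
    ("10.20.4.0/22", "postmaster@customer.example"),
    ("10.99.0.0/24", "hostmaster@smallsite.example"),
]

# Constructed client addresses, one per logged query (duplicates expected).
QUERY_SOURCES = [
    "10.20.5.9", "10.20.5.9", "10.20.7.1",   # inside the customer's /22
    "10.20.200.3",                            # provider space, no reassignment
    "10.99.0.25", "10.99.0.25", "10.99.0.25",
    "172.16.8.8",                             # no registry record at all
]

def build_table(records):
    """Parse prefixes and order them longest-prefix-first."""
    table = [(ipaddress.ip_network(p), c) for p, c in records]
    return sorted(table, key=lambda e: e[0].prefixlen, reverse=True)

def most_specific(table, addr):
    """Return (network, contact) for the narrowest block holding addr."""
    ip = ipaddress.ip_address(addr)
    for net, contact in table:
        if ip in net:
            return net, contact
    return None

def notification_list(table, sources):
    """Collapse per-query sources into one entry per responsible contact."""
    per_contact = defaultdict(lambda: {"blocks": set(), "queries": 0})
    unknown = Counter()
    for addr, hits in Counter(sources).items():
        match = most_specific(table, addr)
        if match is None:
            unknown[addr] += hits      # the lookup came up empty-handed
            continue
        net, contact = match
        per_contact[contact]["blocks"].add(str(net))
        per_contact[contact]["queries"] += hits
    return dict(per_contact), dict(unknown)

if __name__ == "__main__":
    contacts, unknown = notification_list(build_table(RECORDS), QUERY_SOURCES)
    for contact, info in sorted(contacts.items()):
        print(contact, sorted(info["blocks"]), info["queries"])
    print("no record:", unknown)
```

Without the /22 record, the three customer queries would be attributed to the provider's contact instead, and the address with no record at all is reported separately rather than guessed at.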
participants (11)
- David Schwartz
- Derek Balling
- jlewis@lewis.org
- John A. Tamplin
- Larry Sheldon
- Marius Strom
- Mitch Halmu
- Steven J. Sobol
- Valdis.Kletnieks@vt.edu
- Vivien M.
- Wojtek Zlobicki