From nanog@merit.edu Mon Nov 17 18:30:54 1997
Received: from www.RVC.CC.IL.US (www.RVC.CC.IL.US [207.142.145.2]) by
    mozart.lib.uchicago.edu (8.8.5/8.6.4) with SMTP id SAA21563 for
    <marilyn-request@mozart.lib.uchicago.edu>; Mon, 17 Nov 1997 18:30:54 -0600
Received: from merit.edu (166.72.5.121) by www.RVC.CC.IL.US
    (EMWAC SMTPRS 0.81) with SMTP id <B0000000018@www.RVC.CC.IL.US>;
    Mon, 17 Nov 1997 18:44:02 -0600
Date: Mon, 17 Nov 1997 18:44:02 -0600
Message-ID: <B0000000018@www.RVC.CC.IL.US>
From: NANOG Mailing List <nanog@merit.edu>
Subject: subscribe

In looking at this message that someone forwarded me.. It looks like the message originated at one of our customers web servers.. I have called and left messages for the sysadmins of this school.. We do not have any after hours numbers.

Does anyone else have the bounces with headers so that I can verify or not that it is this customer?

I will say that it is sorta ironic that I started this thread and it seems to be originating from one of our customers... :-(

--------------------------------------------------------------------------
James D. Butt 'J.D.'
Network Engineer                Voice 319-557-8463
Network Operations Center       Fax   319-557-9771
MidWest Communications, Inc.    Pager 319-557-6347
241 Main St.                    noc@mwci.net
Dubuque, IA 52001               jbutt@mwci.net
--------------------------------------------------------------------------

On Mon, 17 Nov 1997, James D. Butt wrote:

) >From nanog@merit.edu Mon Nov 17 18:30:54 1997
) >Received: from www.RVC.CC.IL.US (www.RVC.CC.IL.US [207.142.145.2]) by
) mozart.lib.uchicago.edu (8.8.5/8.6.4) with SMTP id SAA21563 for
) <marilyn-request@mozart.lib.uchicago.edu>; Mon, 17 Nov 1997 18:30:54 -0600
) >Received: from merit.edu (166.72.5.121) by www.RVC.CC.IL.US
                             ^^^^^^^^^^^^
) > (EMWAC SMTPRS 0.81) with SMTP id <B0000000018@www.RVC.CC.IL.US>;
) > Mon, 17 Nov 1997 18:44:02 -0600
) >Date: Mon, 17 Nov 1997 18:44:02 -0600
) >Message-ID: <B0000000018@www.RVC.CC.IL.US>
) >From: NANOG Mailing List <nanog@merit.edu>
) >Subject: subscribe
)
) In looking at this message that someone forwarded me.. It looks like the
) message originated at one of our customers web servers.. I have called
) and left messages for the sysadmins of this school.. We do not have any
) after hours numbers.
)
) Does anyone else have the bounces with headers so that I can verify or
) not that it is this customer?
)
) I will say that it is sorta ironic that I started this thread and it
) seems to be originating from one of our customers... :-(

It really is too bad people neglect to note that non-mainstream mail transport agents don't necessarily report message paths the way mainstream ones do.

root@narnia:~# host 166.72.5.121
121.5.72.166.IN-ADDR.ARPA domain name pointer slip166-72-5-121.il.us.ibm.net
root@narnia:~#

I've already contacted abuse@ibm.net and support@ibm.net about this. Unless this is a particularly cunning individual, not only sending a fake host name but also identifying another IP, not associated with that hostname, so as to throw suspicion onto some other provider, I believe it's fairly safe to say an ibm.net dialup user is the perpetrator, and www.RVC.CC.IL.US was used solely as a mail relay.

--
Daniel Reed <n@narnia.n.ml.org>
System administrator of narnia.n.ml.org (narnia.mhv.net [199.0.0.118])
I personally think we developed language because of our deep inner need to complain.
-- Jane Wagner
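
The header reading discussed in the message above, as an added example that is not part of the original thread: it separates the name each sending host claimed from the address the receiving relay recorded, for both the sendmail "(name [ip])" form and the EMWAC "(ip)" form. The Received values and the PTR answer are the ones quoted in the thread; the function names and the offline PTR table are assumptions made for illustration.

```python
import re

# Received: values from the forwarded message in this thread, newest first.
RECEIVED_HEADERS = [
    "from www.RVC.CC.IL.US (www.RVC.CC.IL.US [207.142.145.2]) by "
    "mozart.lib.uchicago.edu (8.8.5/8.6.4) with SMTP id SAA21563 for "
    "<marilyn-request@mozart.lib.uchicago.edu>; Mon, 17 Nov 1997 18:30:54 -0600",
    "from merit.edu (166.72.5.121) by www.RVC.CC.IL.US (EMWAC SMTPRS 0.81) "
    "with SMTP id <B0000000018@www.RVC.CC.IL.US>; Mon, 17 Nov 1997 18:44:02 -0600",
]
# PTR answers already collected by the analyst (the `host` output quoted in the
# thread); a table instead of live DNS so the example runs offline.
PTR_TABLE = {"166.72.5.121": "slip166-72-5-121.il.us.ibm.net"}

HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<peer>[^)]*)\)\s+by\s+(?P<by>\S+)", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def same_host_or_domain(a, b):
    """True if one name equals the other or is a subdomain of it."""
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def parse_hop(value, ptr_table):
    """Split one Received: value into the sender's claim and the relay's record."""
    m = HOP.search(value)
    if m is None:
        return None
    peer = m.group("peer")
    found = IPV4.search(peer)
    ip = found.group(0) if found else None
    # sendmail writes "(rdns [ip])"; EMWAC SMTPRS writes "(ip)" with no name,
    # so the name has to come from a separate PTR lookup.
    name = (peer.split("[")[0].strip() if "[" in peer else ptr_table.get(ip)) or None
    if name is None:
        verdict = "unverified"
    elif same_host_or_domain(m.group("helo"), name):
        verdict = "consistent"
    else:
        verdict = "helo-mismatch"
    return {"helo": m.group("helo"), "ip": ip, "name": name,
            "by": m.group("by"), "verdict": verdict}

def trace(headers, ptr_table):
    """Hops in delivery order: each relay prepends its header, so reverse them."""
    hops = [parse_hop(h, ptr_table) for h in headers]
    return [h for h in reversed(hops) if h is not None]
```

Only the address a relay recorded itself is evidence; the claimed name is whatever the client sent, and a PTR name is set by whoever controls the reverse zone for that address block.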
James D. Butt put this into my mailbox:
> In looking at this message that someone forwarded me.. It looks like the message originated at one of our customers web servers.. I have called and left messages for the sysadmins of this school.. We do not have any after hours numbers.
Speaking of after hours contact numbers...do folks as a matter of practice keep these on file, or do people still rely on the 'business phone' method of contacting people?

Reason I ask is partly because of this, and partly because of an incident a couple of weeks ago, when one of my servers was getting smurfed; we managed to leave lots of messages on the smurf relay sites' contact numbers, but rarely got ahold of a real person. This was on a Friday night, and of course the smurf continued well into Saturday, and probably would've continued till Monday or later had we not convinced the person to stop.

I personally tried calling PSI concerning a couple of their customers; the operator I spoke with only had the phone number that was listed in InterNIC's records for the domain in question, and that number gave the "disconnected or no longer in service" message when called. I left a message on the voice mail of the perpetrator's dialup in Australia, and didn't get a call back till the next Monday.

I realize people have to sleep }:> and that 24h contact numbers should not be made public, for fear of one's more inept users finding it and using it for 'tech support', but it seems that there are some emergencies that would require waking up one's sysadmin/network engineer out of bed to help solve a problem.

Also, if only for future reference, what's the best way to contact people after hours? Go through their uplinks till I get a human, or what? Most of these problems seem to happen outside of 'normal business hours', and attacks like these end up occurring at times when we simply have to grin and bear it until someone wakes up and checks the night's messages, and that seems to be something of a problem.

(This seems to be on topic; if I knew where to find a good cheap (free?) Cisco tutorial, I might even be able to tell you how to configure your router for it }:P .)

-dalvenjah
--
Dalvenjah FoxFire (aka Sven Nielsen)
Founder, the DALnet IRC Network
"If her breath were as terrible as her terminations, there were no living near her; she would infect to the North Star!"
e-mail: dalvenjah@dal.net    WWW: http://www.dal.net/~dalvenjah/
whois: SN90                  Try DALnet! http://www.dal.net/

> Speaking of after hours contact numbers...do folks as a matter of practice keep these on file, or do people still rely on the 'business phone' method of contacting people?
On leased line customers. We require 3 contacts 1 Admin, 2 tech. We also give the customer the option. Do you want us calling you at 2:00 AM because something is wrong. Some customers could care yet others give us large escalation lists. We have electronic and paper copies of all information just in case.

--------------------------------------------------------------------------
James D. Butt 'J.D.'
Network Engineer                Voice 319-557-8463
Network Operations Center       Fax   319-557-9771
MidWest Communications, Inc.    Pager 319-557-6347
241 Main St.                    noc@mwci.net
Dubuque, IA 52001               jbutt@mwci.net
--------------------------------------------------------------------------

On Nov 17, Dalvenjah FoxFire <dalvenjah@dal.net> wrote:
> Speaking of after hours contact numbers...do folks as a matter of practice keep these on file, or do people still rely on the 'business phone' method of contacting people?
For customers, we require contact info; once we've been in place a little longer I'll probably send out periodic reminders (one per six months or so, most likely) asking people to check and make sure we've still got current information.

Contact information is also required for peers, but for some reason that stuff becomes invalid more often, especially at the "big" backbones. For those, we keep track of what worked last time we needed it, and hope it still works later.
> (This seems to be on topic; if I knew where to find a good cheap (free?) Cisco tutorial, I might even be able to tell you how to configure your router for it }:P .)
http://www.cisco.com/ -- dig around, the entire text of all (or at least most of) the books for the classes you'd take towards becoming a CCIE are in there.

*********************************************************
J.D. Falk                          voice: +1-650-482-2840
Supervisor, Network Operations     fax:   +1-650-482-2844
PRIORI NETWORKS, INC.              http://www.priori.net
"The People You Know. The People You Trust."
*********************************************************

participants (4)
- Dalvenjah FoxFire
- Daniel Reed
- J.D. Falk
- James D. Butt