Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer
Hello All,

It seems you all missed the memo.
As of about 11PM PST Last night 09/22/08, Esthost has been ENTIRELY Shutdown. They no longer have ANY Machine on my network.

I'm currently starting to monitor some of the public media, such as google, DroneBL, as well as several Anti-Malware community websites for abuse.

Being that Esthost is now entirely GONE, we should not have any further issues.
In the case that something does arise, such as an exploited host, we're currently developing a game plan for response to the issues.
To make the best effort towards combatting abuse on our network, here's what I have planned so far for ANY Type of abuse:
Step 1, Suspend Power to the affected machine.
Step 2, Call/Email the client whom the affected machine is leased to.
Step 3, Allow the client the option to investigate the machine further (Nullroute access via KVM)
Step 4, Verify the reported content, domain, user, or exploit is patched/eliminated from the machine.
Step 5, Remove the Nullroute. Allow the machine to return to the network.

Any comments?

This is the result of a zero tolerance policy regarding abuse. If it's clear that the server owner is the cause of the abusive material etc, the client will then be immediately cancelled. No questions.

It seems that this approach will be the best supported by the anti-abuse communities, so please let me know your input.

Thank you for your time. Have a great day.
---
Russell Mitchell

InterCage, Inc.

----- Original Message ----
From: Paul Wall <pauldotwall@gmail.com>
To: Mark Foo <mark.foo.dog@gmail.com>
Cc: nanog@nanog.org
Sent: Tuesday, September 23, 2008 5:46:58 PM
Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

Hold the rejoicing, Atrivo is back, this time on UnitedLayer.

I'd contact them, only they seem to change CTOs every month or two,
does anybody know who's currently in charge?

Thank you, and Drive Slow,
Paul Wall
Hello All,=0A=A0=0AIt seems you all missed the memo.=0AAs of about 11PM PST= Last night 09/22/08, Esthost has been ENTIRELY Shutdown. They no longer ha= ve ANY Machine on my network.=0A=A0=0AI'm currently starting to monitor som= e of the public media, such as google, DroneBL, as well as several Anti-Mal= ware community websites for abuse.=0A=A0=0ABeing that Esthost is now entire= ly GONE, we should not have any further issues.=0AIn the case that somethin= g=A0does arise, such as an exploited host, we're currently developing a gam= e plan for=A0response to=A0the issues.=0ATo make the best effort towards co= mbatting=A0abuse on our network, here's what I have planned so far for ANY = Type of abuse:=0AStep 1,=A0Suspend Power to the affected machine.=0AStep 2,= Call/Email the client whom the affected machine is leased to.=0AStep 3, Al= low the client=A0the option to=A0investigate the machine further (Nullroute= access via KVM)=0AStep=A04, Verify the=A0reported content, domain, user, o= r exploit=A0is patched/eliminated from the machine.=0AStep 5,=A0Remove the = Nullroute. Allow the machine to return to the network.=0A=A0=0AAny comments= ? =0A=A0=0AThis is=A0the result of a zero tolerance policy regarding abuse.= If it's clear that the server owner is the cause of the abusive material e= tc, the client will then be immediately cancelled. No questions.=A0=0A=0A= =0AIt seems that this approach will be the best supported by the anti-abuse= communities, so please let me know your input.=0A=0AThank you for your tim= e. Have a great day.=0A=A0---=0ARussell Mitchell=0A=0AInterCage, Inc.=0A=0A= =0A=0A----- Original Message ----=0AFrom: Paul Wall <pauldotwall@gmail.com>= =0ATo: Mark Foo <mark.foo.dog@gmail.com>=0ACc: nanog@nanog.org=0ASent: Tues= day, September 23, 2008 5:46:58 PM=0ASubject: Re: YAY! 
Re: Atrivo/Intercage= : NO Upstream depeer=0A=0AHold the rejoicing, Atrivo is back, this time on = UnitedLayer.=0A=0AI'd contact them, only they seem to change CTOs every mon= th or two,=0Adoes anybody know who's currently in charge?=0A=0AThank you, a= nd Drive Slow,=0APaul Wall=0A=0A=0A
Speaking of missing memos... mailing lists are not highly compatible with HTML or some clients that like to encode list mail. The above is what your mail looked like to some people.

I would suggest a different Step 1. Instead of killing power, simply isolate the affected machine. This might be as simple as putting up a firewall rule or two, if it is simply sending outgoing SMTP spam, or for more complex issues, downing the port facing the machine in question. Killing the power may destroy useful forensic clues about what happened to the system, and may damage the system.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
On Tue, Sep 23, 2008 at 11:20 PM, Joe Greco <jgreco@ns.sol.net> wrote:
I would suggest a different Step 1. Instead of killing power, simply isolate the affected machine. This might be as simple as putting up a firewall rule or two, if it is simply sending outgoing SMTP spam, or
it's probably easiest (depending on the network gear of course) to just put the lan port into an isolated VLAN. It's not the 100% solution (some badness rm's itself once it loses connectivity to the internets) but it'd make things simpler for the client/LEA when they need to figure out what happened. -chris
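The two replies above describe the same control in two places: a firewall rule at the router for the simple case (Joe), or moving the switch port into an isolated VLAN (Chris). The following is an added example, not code from the thread or from any of the posters, that writes the "isolate, don't power off" step down as an explicit quarantine policy, with a small evaluator to check what it lets through and an nftables rendering of the same rules. The host address, the management network that the client's KVM and your investigators sit on, and the management port are assumptions chosen from the RFC 5737 documentation ranges.

```python
# Added example, not from the thread: an explicit quarantine policy for one
# compromised host, evaluated in Python and rendered as an nftables ruleset.
# Host, management network and ports are assumptions for illustration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class QuarantinePolicy:
    host: str                       # the compromised tenant machine (assumed)
    mgmt_net: str                   # where the KVM / investigators sit (assumed)
    mgmt_ports: tuple = (22,)       # what the management side may open to the host
    log_prefix: str = "quarantine"

    def decision(self, src: str, dst: str, proto: str, dport: int,
                 established: bool = False) -> str:
        """Evaluate one flow the way the rendered ruleset would; first match wins:

          1. management -> host on a management port     accept (KVM, forensics)
          2. host -> management, replies to (1) only      accept
          3. anything else to or from the host            log and drop
          4. flows not touching the host                  untouched

        Rule 3 is what stops outbound spam or C&C traffic. Rule 4 is why this
        beats pulling the power: other tenants on the same segment are not
        affected, and disk and memory state stay intact for the investigation.
        """
        host = ipaddress.ip_address(self.host)
        mgmt = ipaddress.ip_network(self.mgmt_net)
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in mgmt and d == host and proto == "tcp" and dport in self.mgmt_ports:
            return "accept"
        if s == host and d in mgmt and established:
            return "accept"
        if host in (s, d):
            return "log+drop"
        return "untouched"

    def to_nft(self) -> str:
        """Render the same policy for the router or firewall that the host's
        traffic transits. Priority -10 evaluates it before the normal chain."""
        ports = ", ".join(str(p) for p in self.mgmt_ports)
        return (
            "table inet quarantine {\n"
            "  chain forward {\n"
            "    type filter hook forward priority -10; policy accept;\n"
            f"    ip saddr {self.mgmt_net} ip daddr {self.host} tcp dport {{ {ports} }} accept\n"
            f"    ip saddr {self.host} ip daddr {self.mgmt_net} ct state established,related accept\n"
            f'    ip saddr {self.host} log prefix "{self.log_prefix}-out " drop\n'
            f'    ip daddr {self.host} log prefix "{self.log_prefix}-in " drop\n'
            "  }\n"
            "}\n"
        )


if __name__ == "__main__":
    policy = QuarantinePolicy(host="192.0.2.10", mgmt_net="198.51.100.0/24")
    flows = [
        ("192.0.2.10", "203.0.113.25", "tcp", 25, False),   # outbound SMTP spam
        ("198.51.100.7", "192.0.2.10", "tcp", 22, False),   # investigator SSH in
        ("192.0.2.10", "198.51.100.7", "tcp", 22, True),    # its replies
        ("192.0.2.11", "203.0.113.25", "tcp", 25, False),   # another tenant, untouched
    ]
    for flow in flows:
        print(flow, "->", policy.decision(*flow))
    print(policy.to_nft())
```

A forward-hook ruleset like this only works where the host's traffic actually transits the box that carries it; on a flat layer-2 segment the host can still reach its neighbours, which is the case for the switch-port or VLAN move. Whichever isolation you use, Chris's caveat stands: some malware removes itself once it loses connectivity, so take the disk image or memory capture through the KVM before the host has had long to notice.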
using bolt cutters on cables has a certain satisfaction... On Tue, Sep 23, 2008 at 8:23 PM, Christopher Morrow <christopher.morrow@gmail.com> wrote:
On Tue, Sep 23, 2008 at 11:20 PM, Joe Greco <jgreco@ns.sol.net> wrote:
I would suggest a different Step 1. Instead of killing power, simply isolate the affected machine. This might be as simple as putting up a firewall rule or two, if it is simply sending outgoing SMTP spam, or
it's probably easiest (depending on the network gear of course) to just put the lan port into an isolated VLAN. It's not the 100% solution (some badness rm's itself once it loses connectivity to the internets) but it'd make things simpler for the client/LEA when they need to figure out what happened.
-chris
NANOG: Look, the people posting here who are trashing Intercage are pure security analysts -- they know and understand the evil that is Intercage. STOP TRYING TO ASSIST INTERCAGE -- you are effectively aiding and abetting the enemy.

Intercage/Atrivo hosts the malware c&c botnets that DDoS your systems and networks. Intercage/Atrivo hosts the spyware that compromises your users' passwords. Intercage/Atrivo hosts the adware that slows your customers' machines.

Don't take my word for it, DO YOUR OWN RESEARCH: http://www.google.com/search?hl=en&q=intercage+malware

You don't get called the ***American RBN*** for hosting a couple bad machines. They have and will continue to host much of the malware pumped out of America. THEY ARE NOT YOUR COMRADES. These people represent the most HIGHLY ORGANIZED CRIME you will ever come across. Most people were afraid to speak out against them until this recent ground swell. This is the MALWARE CARTEL. GET THE PICTURE?

Many links have been posted here that prove this already -- instead of asking what customers they cut off, let them show WHAT CUSTOMERS ARE LEGIT -- because there are NONE.
I would suggest a different Step 1. Instead of killing power, simply isolate the affected machine. This might be as simple as putting up a firewall rule or two, if it is simply sending outgoing SMTP spam, or

it's probably easiest (depending on the network gear of course) to just put the lan port into an isolated VLAN. It's not the 100% solution (some badness rm's itself once it loses connectivity to the internets) but it'd make things simpler for the client/LEA when they need to figure out what happened.
-chris
In article <200809240320.m8O3KIw0019735@aurora.sol.net> you write:
Hello All,=0A=A0=0AIt seems you all missed the memo.=0AAs of about 11PM PST= Last night 09/22/08, Esthost has been ENTIRELY Shutdown. They no longer ha= ve ANY Machine on my network.=0A=A0=0AI'm currently starting to monitor som= e of the public media, such as google, DroneBL, as well as several Anti-Mal= ware community websites for abuse.=0A=A0=0ABeing that Esthost is now entire=
[snipped]
Speaking of missing memos... mailing lists are not highly compatible with HTML or some clients that like to encode list mail. The above is what your mail looked like to some people.
Most email from Yahoo is like this. Yahoo doesn't know how to do quoted-printable properly. It displays ok if you speak mime but not if you don't. The intent of quoted-printable is to display ASCII nicely if you don't have a mime compliant reader.

Mark

RFC 2045:

The Quoted-Printable encoding is intended to represent data that largely consists of octets that correspond to printable characters in the US-ASCII character set. It encodes the data in such a way that the resulting octets are unlikely to be modified by mail transport. If the data being encoded are mostly US-ASCII text, the encoded form of the data remains largely recognizable by humans. A body which is entirely US-ASCII may also be encoded in Quoted-Printable to ensure the integrity of the data should the message pass through a character-translating, and/or line-wrapping gateway.

also

(4) (Line Breaks) A line break in a text body, represented as a CRLF sequence in the text canonical form, must be represented by a (RFC 822) line break, which is also a CRLF sequence, in the Quoted-Printable encoding. Since the canonical representation of media types other than text do not generally include the representation of line breaks as CRLF sequences, no hard line breaks (i.e. line breaks that are intended to be meaningful and to be displayed to the user) can occur in the quoted-printable encoding of such types. Sequences like "=0D", "=0A", "=0A=0D" and "=0D=0A" will routinely appear in non-text data represented in quoted-printable, of course.
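Mark's point is visible in the bytes: the post sent every hard line break as "=0A" and every padding space as "=A0", so a non-MIME reader printed them literally, while RFC 2045 rule (4) wants the line breaks left as real line breaks so the text stays readable either way. The following is an added example, not code from the thread or from any of the posters, that decodes a constructed excerpt of that body with Python's standard quopri module, counts encoded versus real line breaks, and re-encodes the same text the way the RFC intends; the excerpt is constructed from the quoted post and is not the full message.

```python
# Added example, not from the thread: decode a quoted-printable body of the
# kind Yahoo sent to the list, and re-encode the same text per RFC 2045.
# The sample bytes are a constructed excerpt of the post quoted above.
import quopri

# Constructed excerpt of the post as it arrived: every hard line break was
# sent as "=0A" (an encoded LF) and the blank-line padding as "=A0" (a
# non-breaking space in iso-8859-1). The only literal newlines are the "=\n"
# soft breaks that keep encoded lines under 76 characters.
YAHOO_STYLE_QP = (
    b"Hello All,=0A=A0=0AIt seems you all missed the memo.=0AAs of about 11PM PST=\n"
    b" Last night 09/22/08, Esthost has been ENTIRELY Shutdown. They no longer ha=\n"
    b"ve ANY Machine on my network.=0A"
)


def decode_qp(raw: bytes, charset: str = "iso-8859-1") -> str:
    """What a MIME-aware reader shows: soft breaks joined, =XX sequences decoded."""
    return quopri.decodestring(raw).decode(charset)


def encoded_vs_real_breaks(raw: bytes) -> tuple[int, int]:
    """Count hard line breaks sent as "=0A" versus literal line breaks that are
    not soft-break continuations (a "=" right before the newline).

    A reader without MIME support prints the first kind literally, which is
    why the post looked like one long line full of "=0A" to part of the list.
    """
    encoded = raw.upper().count(b"=0A")
    real = 0
    for i, byte in enumerate(raw):
        if byte != 0x0A:
            continue
        j = i - 1
        if j >= 0 and raw[j] == 0x0D:      # tolerate CRLF line endings
            j -= 1
        if j < 0 or raw[j] != 0x3D:        # 0x3D is "=", i.e. a soft break
            real += 1
    return encoded, real


def encode_qp_rfc2045(text: str, charset: str = "iso-8859-1") -> bytes:
    """Encode text per RFC 2045 section 6.7 rule (4): each line break in the
    canonical text stays a line break in the encoding; only non-ASCII bytes,
    "=" and trailing whitespace are escaped, and long lines are soft-wrapped.
    quopri.encodestring (binascii.b2a_qp with istext=True) does exactly that."""
    return quopri.encodestring(text.encode(charset))


if __name__ == "__main__":
    print(decode_qp(YAHOO_STYLE_QP))
    print("as sent:  (=0A, real) =", encoded_vs_real_breaks(YAHOO_STYLE_QP))
    fixed = encode_qp_rfc2045(decode_qp(YAHOO_STYLE_QP))
    print("RFC 2045: (=0A, real) =", encoded_vs_real_breaks(fixed))
    print(fixed.decode("ascii"))
```

Both encodings decode to the same text; the difference is only in what a reader that does not decode quoted-printable sees. The "=A0" padding survives the re-encoding because a non-breaking space is a non-ASCII octet and has to be escaped either way.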
please do not email in html format... yikes! Russ, could you re-mail whatever content you just sent, in plain text? On Tue, Sep 23, 2008 at 11:07 PM, Russell Mitchell <russm2k8@yahoo.com> wrote:
MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="0-593512929-1222225655=:9145"
--0-593512929-1222225655=:9145 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable
Hello All,=0A=A0=0AIt seems you all missed the memo.=0AAs of about 11PM PST= Last night 09/22/08, Esthost has been ENTIRELY Shutdown. They no longer ha= ve ANY Machine on my network.=0A=A0=0AI'm currently starting to monitor som= e of the public media, such as google, DroneBL, as well as several Anti-Mal= ware community websites for abuse.=0A=A0=0ABeing that Esthost is now entire= ly GONE, we should not have any further issues.=0AIn the case that somethin= g=A0does arise, such as an exploited host, we're currently developing a gam= e plan for=A0response to=A0the issues.=0ATo make the best effort towards co= mbatting=A0abuse on our network, here's what I have planned so far for ANY = Type of abuse:=0AStep 1,=A0Suspend Power to the affected machine.=0AStep 2,= Call/Email the client whom the affected machine is leased to.=0AStep 3, Al= low the client=A0the option to=A0investigate the machine further (Nullroute= access via KVM)=0AStep=A04, Verify the=A0reported content, domain, user, o= r exploit=A0is patched/eliminated from the machine.=0AStep 5,=A0Remove the = Nullroute. Allow the machine to return to the network.=0A=A0=0AAny comments= ? =0A=A0=0AThis is=A0the result of a zero tolerance policy regarding abuse.= If it's clear that the server owner is the cause of the abusive material e= tc, the client will then be immediately cancelled. No questions.=A0=0A=0A= =0AIt seems that this approach will be the best supported by the anti-abuse= communities, so please let me know your input.=0A=0AThank you for your tim= e. Have a great day.=0A=A0---=0ARussell Mitchell=0A=0AInterCage, Inc.=0A=0A= =0A=0A----- Original Message ----=0AFrom: Paul Wall <pauldotwall@gmail.com>= =0ATo: Mark Foo <mark.foo.dog@gmail.com>=0ACc: nanog@nanog.org=0ASent: Tues= day, September 23, 2008 5:46:58 PM=0ASubject: Re: YAY! 
Re: Atrivo/Intercage= : NO Upstream depeer=0A=0AHold the rejoicing, Atrivo is back, this time on = UnitedLayer.=0A=0AI'd contact them, only they seem to change CTOs every mon= th or two,=0Adoes anybody know who's currently in charge?=0A=0AThank you, a= nd Drive Slow,=0APaul Wall=0A=0A=0A --0-593512929-1222225655=:9145 Content-Type: text/html; charset=us-ascii
<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman, new york, times, serif;font-size:12pt"><P>Hello All,</P> <P> </P> <P>It seems you all missed the memo.<BR>As of about 11PM PST Last night 09/22/08, Esthost has been ENTIRELY Shutdown. They no longer have ANY Machine on my network.</P> <P> </P> <P>I'm currently starting to monitor some of the public media, such as google, DroneBL, as well as several Anti-Malware community websites for abuse.</P> <P> </P> <P>Being that Esthost is now entirely GONE, we should not have any further issues.</P> <P>In the case that something does arise, such as an exploited host, we're currently developing a game plan for response to the issues.</P> <P>To make the best effort towards combatting abuse on our network, here's what I have planned so far for ANY Type of abuse:</P> <P>Step 1, Suspend Power to the affected machine.</P> <P>Step 2, Call/Email the client whom the affected machine is leased to.</P> <P>Step 3, Allow the client the option to investigate the machine further (Nullroute access via KVM)</P> <P>Step 4, Verify the reported content, domain, user, or exploit is patched/eliminated from the machine.</P> <P>Step 5, Remove the Nullroute. Allow the machine to return to the network.</P> <P> </P> <P>Any comments? </P> <P> </P> <P>This is the result of a zero tolerance policy regarding abuse. If it's clear that the server owner is the cause of the abusive material etc, the client will then be immediately cancelled. No questions. </P> <DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> <DIV></DIV> <DIV> </DIV> <DIV>It seems that this approach will be the best supported by the anti-abuse communities, so please let me know your input.</DIV> <DIV> </DIV> <DIV>Thank you for your time. 
Have a great day.<BR> </DIV>---<BR>Russell Mitchell<BR> <DIV>InterCage, Inc.<BR></DIV> <DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><BR> <DIV style="FONT-SIZE: 13px; FONT-FAMILY: arial, helvetica, sans-serif">----- Original Message ----<BR>From: Paul Wall <pauldotwall@gmail.com><BR>To: Mark Foo <mark.foo.dog@gmail.com><BR>Cc: nanog@nanog.org<BR>Sent: Tuesday, September 23, 2008 5:46:58 PM<BR>Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer<BR><BR>Hold the rejoicing, Atrivo is back, this time on UnitedLayer.<BR><BR>I'd contact them, only they seem to change CTOs every month or two,<BR>does anybody know who's currently in charge?<BR><BR>Thank you, and Drive Slow,<BR>Paul Wall<BR><BR></DIV></DIV></DIV></div><br>
</body></html> --0-593512929-1222225655=:9145--
participants (6): Bruce Williams, Christopher Morrow, Joe Greco, Mark Andrews, Mark Foo, Russell Mitchell