Re: williams spamhaus blacklist
On Wed, 24 Sep 2003, Leo Bicknell wrote:
What you're missing in my argument is that it doesn't matter. I have no idea who Eddy Marin is, nor do I care. Blocking wcg's corporate mail servers is not the solution. Sure, it may get someone's attention at wcg, but it may also harm a lot of "innocent" communications, sales talking to clients, other wiltel customers requesting support, heck, the secretary ordering lunch to be delivered.
But it's ok when AboveNet does it?...or actually does much worse by secretly and arbitrarily blackholing various networks at will, while advertising connectivity to those networks to their BGP customers and peers? This means anyone connected to AboveNet will be unable to reach those blackholed victims if the routes to those destinations propagated by AboveNet appear to be their "best route" to the affected networks. This breaks connectivity even though we have multiple other transit providers.

This is much worse than a Spamhaus (or any other DNSBL) listing, since anyone using such services does so by choice and can decide for themselves what action to take, if any, for listed addresses. With AboveNet blackhole routing, our only option, once we're aware of the problem, is to make changes to our routing policy and force traffic away from AboveNet and onto one of our other transit providers.

We only find out about such AboveNet blackhole routes when we open a ticket with AboveNet to ask why your network is broken when our customers complain of networks they can't reach when using our service (i.e. banks that can't reach their staff training web sites), but they can reach from other service providers, so they inform us that our network is broken. Whose attention is AboveNet trying to get?

Anyone taking BGP routes from AboveNet, or worse yet, single homed to AboveNet, ought to be aware of this policy. At the very least, you should make sure whoever does your BGP is aware of it and knows how to reroute traffic when the "best route" doesn't actually work. You also might bring it up with your sales person when it's time to renew.

The central image on www.above.net boasts of "Unconstrained Information Exchange". I wish that were true.

----------------------------------------------------------------------
Jon Lewis *jlewis@lewis.org*| I route
Senior Network Engineer     | therefore you are
Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
But it's ok when AboveNet does it?...or actually does much worse by secretly and arbitrarily blackholing various networks at will, while advertising connectivity to those networks to their BGP customers and peers?
So why keep connectivity to them? A contract term? Now that you know of the policy and aren't very happy about it, why not change providers -- you already have a few. :)

I think anyone who blackholes sites within their own network should take the specifics with a community that clueful customers can use to route-around them, but obviously it's their network, and whoever is setting up the blackholes can decide that for themselves. Just a suggestion. This way, blackholes designed to protect clue-light customers can be used with little detriment to clueful customers (once the communities are used and well-described/published). Just my idea.

Deepak Jain
AiNET
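As an added illustration (not code from any of the posters), a small Python simulation of Jon's scenario and Deepak's suggestion: a multihomed customer's longest-prefix-match table, a transit that announces a covering prefix but null-routes one host inside it, and a route-around policy that acts on a blackhole-tagged specific. The provider names, the community value 65000:666 and the TEST-NET-1 addresses are constructed assumptions; real BGP best-path selection has many more steps than the tie-break used here.

```python
import ipaddress

BLACKHOLE = "65000:666"  # assumed community value marking a blackhole (not from the thread)

class Provider:
    """A transit provider: what it announces to us, and what it actually forwards."""
    def __init__(self, name, announces, null_routes=()):
        self.name = name
        self.announces = [ipaddress.ip_network(p) for p in announces]
        self.null_routes = [ipaddress.ip_network(p) for p in null_routes]

    def delivers(self, dst):
        # An internal null route is invisible to customers but drops their traffic.
        return not any(dst in n for n in self.null_routes)

class CustomerRib:
    """Longest-prefix-match table; equal-length ties go to the route learned first."""
    def __init__(self):
        self.routes = []

    def learn(self, prefix, provider, communities=(), alternatives=()):
        net = ipaddress.ip_network(prefix)
        if BLACKHOLE in communities:
            # Route-around policy: never send a blackholed specific to the provider
            # that dropped it; pin it to another transit announcing a covering prefix.
            # With no alternative the specific is ignored and the covering route is used.
            for alt in alternatives:
                if any(net.subnet_of(a) for a in alt.announces):
                    self.routes.append((net, alt))
                    break
            return
        self.routes.append((net, provider))

    def best(self, dst):
        cands = [(n, p) for n, p in self.routes if dst in n]
        return max(cands, key=lambda r: r[0].prefixlen)[1] if cands else None

def reachable(dst, with_community):
    """Return (provider chosen as best path, whether packets to dst get through)."""
    dst = ipaddress.ip_address(dst)
    # Constructed scenario in TEST-NET-1: the victim host is 192.0.2.10.
    above = Provider("AboveNet", ["192.0.2.0/24"], null_routes=["192.0.2.10/32"])
    other = Provider("OtherTransit", ["192.0.2.0/24"])
    rib = CustomerRib()
    rib.learn("192.0.2.0/24", above)  # learned first, so it wins the tie
    rib.learn("192.0.2.0/24", other)
    if with_community:
        rib.learn("192.0.2.10/32", above, {BLACKHOLE}, alternatives=[other])
    chosen = rib.best(dst)
    return chosen.name, chosen.delivers(dst)
```

Without the tagged specific the customer picks the provider that silently drops the host; with it, only that one host is steered to the other transit while the rest of the /24 keeps its normal path.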
On 9/25/2003 at 2:19 PM, "Deepak Jain" <deepak@ai.net> wrote:
But it's ok when AboveNet does it?...or actually does much worse by secretly and arbitrarily blackholing various networks at will, while advertising connectivity to those networks to their BGP customers and peers?
So why keep connectivity to them? A contract term? Now that you know of the policy and aren't very happy about it, why not change providers -- you already have a few. :)
I think anyone who blackholes sites within their own network should take the specifics with a community that clueful customers can use to route-around them, but obviously its their network, and whoever is setting up the blackholes can decide that for themselves. Just a suggestion.
Travis Haymore, Director of Security at AboveNet, has reportedly (see Spam-L a couple weeks back) made telephoned threats to at least one system owner (digistar.com), threatening (and then following up on that threat) to null-route that particular system (/32) on all of AboveNet/MFNX's routers, for no other reason than a user of that system making unfavorable public statements about AboveNet in public forums - while not disputing the truth of such statements made; he just wanted "that user gone, or else". Unfortunately for Travis, that happened to be the backup outgoing MX for a mailing list of quite some importance to a few ISPs and RIRs: Hijacked-L. As far as my own case is concerned, presumably the same individual null-routed the machine this mail originates from (208.241.101.2), for reasons not explained and not justified with internal documentation whatsoever (that much I got from an AboveNet manager; causing removal of this IP from their BL, for lack of documentation, and the unnamed individual responsible for its entry (Travis was never mentioned by name to me by this AboveNet person, but everyone else who has reported similar experiences with AboveNet seems to be pointing back to him at this point) never contested it). Indeed, quite a bit of mail to abuse@above.net has been sent from this IP (we are talking of maybe a few hundred since Jan 2003, a fraction of the number of actual incidents observed) - and that appeared to be the one and only reason why this machine would appear on his/their radar at all. Legitimate, persistent and continuing complaints about illegal trespassing originating from AboveNet's (or their customer's) IP space into your servers apparently can get you transit-blackholed at AboveNet, rather than getting yourself blocked from accessing *AboveNet OWNED AND OPERATED* machines - while AboveNet, knowingly and willingly, does nothing to stop the illegal activity by itself. 
If null0-routing the complainant shields that complainant from the illegal activity (in order to make him shut up), I become quite suspicious that the remaining illegal activity against the other 99.99999999999% of the Internet is not just being ignored, but endorsed and shielded from further discovery by the complainant. That's called "collusion", in my I-am-not-a-lawyer-way of expressing this. Add the secrecy on AboveNet's side and the unusual paths it takes to even partially uncover any of this, then tell me: would you rather be SBL-listed for everyone to see, or secretly null0'd at a transit point, with no public or privately accessible record, until you randomly find out about it, because some customer-used services (websites, email, etc.) have been failing randomly for a couple of weeks (blame the Internet!) ?
This way, blackholes designed to protect clue-light customers can be used with little detriment to clueful customers (once the communities are used and well-described/published).
Funny as it is, none of the definitions found at http://www.above.net/antispam.html (section (3) and (8)) ever seem to apply to the cases that we are hearing and reading about here, making the interception and redirection of this traffic NOT AIMED AT AboveNET quite unlawful under federal wiretapping statutes - and all of this is happening with AboveNet managers being well-aware - less the details on the legalities, I am sure.

And this one is for Deepak: how exactly would a single host (e.g.: any prefix longer than a /24) evade the giant traffic vacuum cleaner (AboveNet, busy cleansing the Internet of "unwanted by anyone" packets) when your route, as seen from most of the Internet, is a /10, rather than a /22, /23 or /24?

And last but not least: Infrastructure failures as a result of operator behavior are on-topic, the last time I checked.

bye, Kai