It Continues...Sprint Is played the fool...
Sorry if some of you are losing patience with this, I'm truly sorry, but this is amazingly evil.

I get email from someone in Sprint Security, a new person, I'll be decent enough to leave his name out, around 10:30PM EST.

The gist of it is that they've spoken with this guy who has been sending these thousands of msgs, and he's a reasonable fellow, and I'm inflating all this and perhaps even partly to blame, some wild and ridiculous story about how my refusing his mail with a 550 error is making his software do this, ridiculous if you know how mail actually works, that's like getting a User Unknown error, you just throw it on the floor, he runs sendmail 8.7 under Unix, telnet to his SMTP port at iq-internet.com.

AT ABOUT 1AM EST THE MAIL LOOPING STARTS AGAIN, AFTER A FEW HOURS HIATUS.

HE STARTED IT UP AGAIN!

Unbelievable, I'm sorry, but this sort of behavior is going to destroy these networks, and I mean behavior on the part of people like Sprint. Bad people will happen, I know that, we all know that, but the people at Sprint have absolutely no excuse for their behavior other than sheer gullibility or abrogation of any shred of responsibility.

Is there anyone here, who Sprint will believe, who can tell them that they are dealing with a known evil person who is feeding them complete bull? Obviously they don't believe me and will give this execrable person more than every benefit of the doubt as he disrupts the network for his own vicious purposes, this is going into the third full day of this.

--
-Barry Shein

Software Tool & Die | bzs@world.std.com | http://www.std.com
Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD
The World | Public Access Internet | Since 1989

Barry,

There's nothing NANOG can do about your problem, or about the fact that this is the new 1996 style screw-your-neighbor Internet.

It's not that I'm unsympathetic -- I blackholed the fools at IQ-INTERNET in the first 10 minutes of their spam, as did the folks who take my blackhole feed.

As I see it you have two choices. You can route them to hell and get on with something that matters more to you than IQ-INTERNET (I'm sure your to-do list is as long as mine.) Or you can file lawsuits or take some other non-Internet action against IQ-INTERNET.

Either way, NANOG does not need to know.

Paul
On Sat, 4 Jan 1997, Barry Shein wrote:
> ridiculous story about how my refusing his mail with a 550 error is making his software do this, ridiculous if you know how mail actually works, that's like getting a User Unknown error, you just throw it on the floor, he runs sendmail 8.7 under Unix, telnet to his SMTP port at iq-internet.com.

Spammers don't send mail using sendmail or any other standard mailer. They use special custom-built spamming programs that are geared to sending huge quantities of the same message to LARGE mailing lists quickly and efficiently. It's possible that his software has a bug that isn't dealing with errors properly or it's possible that the mechanism to deal with replies is reacting badly to your mailer.

When I say "replies" I am referring to the fact that spammers do not want you to reply to their email. If they receive replies, they process them with some sort of robot. In the simplest case, all replies are sent to the bit bucket. Now because Sprint's spam policy states that spamming is OK as long as you remove people's addresses from your list if they request it, their robot has to deal with that case and all spam from iq-internet informs people that they can reply with "NO MAIL" in the subject to be removed from the list.

But spammers have another problem and they are getting more sophisticated in dealing with that. I refer to the problem created by irate spam recipients who then mailbomb the spammer. Spammers are learning to deal with this by returning the messages to the source with an error. I suspect that their spam software is screwing up and treating your reject messages as a mail bomb and they are thus returning them back to you creating a classic email loop.

> AT ABOUT 1AM EST THE MAIL LOOPING STARTS AGAIN, AFTER A FEW HOURS HIATUS. HE STARTED IT UP AGAIN!
>
> Unbelievable, I'm sorry, but this sort of behavior is going to destroy these networks, and I mean behavior on the part of people like Sprint. Bad people will happen, I know that, we all know that, but the people at Sprint have absolutely no excuse for their behavior other than sheer gullibility or abrogation of any shred of responsibility.

Barry, I agree with everyone on this list that this is NOT the place to be discussing the problem. Please take this to the proper forum. If you would post an account of your troubles along with the MX records for sprint.com, sprintlink.net, etc. to the alt.2600 newsgroup then this problem would not be occurring.

Are you a SPRINT customer? If not, you should be reporting this flood attack to your upstream provider who appears to be Alternet from my vantage point. It doesn't matter whether it is a ping flood, SYN flood or mailbomb attack, your provider can work their way up the channels to the source of the problem. In the interim they can install filters on their router port to you that will block port 25 from the offending site. This takes the load off your shoulders and also frees up the bandwidth that you are paying your upstream provider for.

Michael Dillon - Internet & ISP Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com
From: Michael Dillon <michael@memra.com>
> I suspect that their spam software is screwing up and treating your reject messages as a mail bomb and they are thus returning them back to you creating a classic email loop.

I suppose that's why the four digit account number he uses keeps changing, they look like this:

<80122@data.iq-internet.com>
<80122@data.iq-internet.com>
<80113@data.iq-internet.com>
<80113@data.iq-internet.com>
<80122@data.iq-internet.com>
<80122@data.iq-internet.com>
<80123@data.iq-internet.com>
<80123@data.iq-internet.com>
<80123@data.iq-internet.com>
<80123@data.iq-internet.com>

That's his id for each spam source, each customer of his essentially, that's an actual cut+paste stream of addresses.

C'mon, this is silly, why when confronted with an actual problem do people get such an urge to play devil's advocate and spin wild possibilities? Are you just amusing yourself, just in deep denial, what?

I don't mean to get sarcastic but why is this attack the victim stuff helpful or desirable?

Maybe my point is that maybe Sprint shouldn't be a NANO much longer, they're rogue and irresponsible. I know, you find that too much to wrap your head around and would prefer to just spin bizarre devil's advocate remarks for your own amusement, this is really sorry, no wonder the spammers are kicking everyone's butts.

Pardon me but this has been going on three days and I'm getting awfully cranky and absolutely staggered at how eager people are to leap up and say "why bother us with this, it's not our problem!", it's kinda like dealing with dead people.

Oh well, ok, maybe you win, maybe we're fucked, get used to it, on Jan 4, 1997 everybody just gave up and decided everything was someone else's problem.

--
-Barry Shein

Software Tool & Die | bzs@world.std.com | http://www.std.com
Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD
The World | Public Access Internet | Since 1989
On Sat, 4 Jan 1997, Barry Shein wrote:
> I suppose that's why the four digit account number he uses keeps changing, they look like this:
So what?
> C'mon, this is silly, why when confronted with an actual problem do people get such an urge to play devil's advocate and spin wild possibilities? Are you just amusing yourself, just in deep denial, what?
Well so far you haven't said what is really happening other than a vague claim about an excessively high rate of email messages. Have you inspected any of these messages to determine if, in fact, this is merely his normal message stream, or if, in fact, there is some kind of loop set up by your mailer's refusals? Obviously, if your mailer's behavior is perpetuating the flood, then you have a moral and a legal obligation to fix that behavior. And if you are going to post something on a technical list like this then you also have an obligation to provide details. Otherwise, there is no point in posting it here because your words won't help other operators who might find themselves in a similar situation.
> I don't mean to get sarcastic but why is this attack the victim stuff helpful or desirable?
Damn right it's desirable. This isn't a list for victims to whine and moan. If there is a technical problem then please explain the details because people on this list might be able to help. So far there have been two good suggestions related to blackholing at your router and to joining the spam filter distribution via OSPF.
> Oh well, ok, maybe you win, maybe we're fucked, get used to it, on Jan 4, 1997 everybody just gave up and decided everything was someone else's problem.

This sounds remarkably like your own attitude. Here you are posting on this list asking us to fix the problem. A more productive attitude would be to ask what *YOU* can do to solve the problem and then to implement some of the suggestions.

And all the emotional language you have posted to the list has obscured the fact that you have given remarkably little technical detail as to what is happening and why this is making you so frazzled. Contrast this with the SYN flood attacks a few months back when people explained what was happening to them and others on the list joined in to assist them in alleviating and ultimately fixing the problem.

Michael Dillon - Internet & ISP Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com
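One way to answer the question raised in the message above (ordinary message stream or loop) from the receiving side, as an added example that is not part of the thread. The log format, the example.org recipients and the 0.5 threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample of receiver-side SMTP log lines (hypothetical format):
# time, peer host, envelope sender, recipient, reply code we returned.
SAMPLE_LOG = """\
01:00:01 peer=data.iq-internet.com from=<80122@data.iq-internet.com> to=<alice@example.org> reply=550
01:00:03 peer=data.iq-internet.com from=<80122@data.iq-internet.com> to=<alice@example.org> reply=550
01:00:05 peer=data.iq-internet.com from=<80113@data.iq-internet.com> to=<bob@example.org> reply=550
01:00:07 peer=data.iq-internet.com from=<80113@data.iq-internet.com> to=<bob@example.org> reply=550
01:00:09 peer=data.iq-internet.com from=<80122@data.iq-internet.com> to=<alice@example.org> reply=550
01:00:11 peer=data.iq-internet.com from=<80123@data.iq-internet.com> to=<carol@example.org> reply=550
01:00:12 peer=mail.example.net from=<dave@example.net> to=<alice@example.org> reply=250
"""

LINE = re.compile(r"^(\S+) peer=(\S+) from=<([^>]*)> to=<([^>]*)> reply=(\d{3})$")

def parse(log):
    """Yield (peer, mail_from, rcpt_to, reply_code) for well-formed lines."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.group(2), m.group(3), m.group(4), int(m.group(5))

def triage(log, peer_suffix, threshold=0.5):
    """Classify the attempts from one peer domain.

    A 5xx reply is a permanent failure, so a well-behaved client does not
    offer the same sender/recipient pair again. Repeats after a 5xx point
    at a retry or bounce loop; mostly distinct pairs point at a bulk stream.
    The threshold is an assumed cut-off, not a standard value.
    """
    rejected, repeats, total = set(), Counter(), 0
    for peer, mail_from, rcpt_to, code in parse(log):
        if not peer.endswith(peer_suffix):
            continue
        total += 1
        pair = (mail_from, rcpt_to)
        if pair in rejected:          # same pair offered again after a 5xx
            repeats[pair] += 1
        if 500 <= code <= 599:
            rejected.add(pair)
    repeated = sum(repeats.values())
    ratio = repeated / total if total else 0.0
    verdict = "loop-or-retry" if ratio >= threshold else "distinct-stream"
    return {"total": total, "repeated": repeated, "ratio": ratio, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "iq-internet.com"))
```
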
On Sat, 4 Jan 1997, Barry Shein wrote: [snip]
> Pardon me but this has been going on three days and I'm getting awfully cranky and absolutely staggered at how eager people are to leap up and say "why bother us with this, it's not our problem!", it's kinda like dealing with dead people.

I have to concur with Barry in this. An excerpt from the NANOG charter states:-

"Discuss specific implementation issues which require cooperation and coordination among network service providers to ensure the stability of overall service to the network users."

I believe Barry's problem falls into this category.

--
Regards, Tom
________________________________________________________________________
| "The Egg Domain" | "And all you touch and all you see, |
| tomg@egg.com | is all your life will ever be." |
| http://www.egg.com/ | (Pink Floyd) |

I've been on Sprint's side of this problem before so I'd like to add a few words to this discussion.

Let's assume for the sake of argument that the Sprint people are neither incompetent nor malicious. Once Sprint's operational people realized that they had a problem on their hands they started to push the issue up the corporate food chain. It could take them weeks before they are actually able to get the issue in front of someone with enough authority and interest in solving the problem. Once it reaches that point it could take several more weeks before the problem is actually solved. The wheels of large corporations and our legal system do indeed turn very slowly.

In the case I was involved in I short-circuited the corporate hierarchy and went right to the legal department. It took them several weeks to come up with a plan that was legally viable and then 30 days to execute it. The whole time this was going on we couldn't say anything to the public.

In the meantime, I believe that it is worthwhile to keep the pressure on Sprint, however some avenues other than operations may prove more fruitful. Perhaps letters/faxes to Sprint's public relations department, internet marketing and the President of the company might have some effect. It probably wouldn't hurt to let the editor at InfoWorld (do I have the name right? -- you know, the tabloid that Metcalf works for) know about this situation.

And black-hole IQ's IP datagrams at your router while you wait for our legal system to work.

Regards,
Joel Gallun

participants (5)
- Barry Shein
- Joel Gallun
- Michael Dillon
- Paul A Vixie
- Tom Glover