Need Contact at RoadRunner
I need to speak with someone at RR about blocking issues. Apparently they've decided to block mail from Apache.org and some of our other customers without any notice to UL. I've followed their instructions and e-mailed the listed addresses; I've waited quite a while (over 24 hours) and have yet to be contacted with information about why we were blocked. UL is very responsive to abuse issues, so this is a little concerning. Please contact me or the NOC. Thank You --- Tom UnitedLayer Office: 415-294-4111 AS23342
So, I got an e-mail back from RR after I posted here. They claim to have no specific record of why we were blocked, so they removed it. They said it was probably DOS or a Mailbomb, both of which we would have squelched IMMEDIATELY. Frankly, I think that it's pretty poor practice to block someone and not tell them, especially when contact information is clearly available everywhere. We've got e-mail, various phones, and INOC-DBA, so it's not that hard to get ahold of us :) --- Tom UnitedLayer Office: 415-294-4111 AS23342
Tom (UnitedLayer) wrote:
Frankly, I think that it's pretty poor practice to block someone and not tell them, especially when contact information is clearly available everywhere. We've got e-mail, various phones, and INOC-DBA, so it's not that hard to get ahold of us :)
When you're introducing thousands of IP blocks per day, it's pretty hard to notify them all.
: When you're introducing thousands of IP blocks per day, it's pretty hard : to notify them all. I may be reaching here but I think perl scripting can do this. James Edwards Routing and Security jamesh@cybermesa.com At the Santa Fe Office: Internet at Cyber Mesa Store hours: 9-6 Monday through Friday 505-988-9200 SIP:1(747)669-1965
On Fri, 05 Dec 2003 14:30:57 MST, james <hackerwacker@cybermesa.com> said:
: When you're introducing thousands of IP blocks per day, it's pretty hard : to notify them all. I may be reaching here but I think perl scripting can do this.
Yes, a perl script can send thousands of warning e-mails to bogus addresses. If you've got a way for a perl script to get it right, when the WHOIS data is broken, the address block is a /25 sold out of a /22 sold out of a /19 sold out of a /16, and some of the address space is hijacked to boot, please let us know....
james wrote:
: When you're introducing thousands of IP blocks per day, it's pretty hard : to notify them all.
I may be reaching here but I think perl scripting can do this.
I wish. I've been experimenting with doing exactly that for years. Problems:
- WHOIS data is often incomplete, wrong, or deliberately misleading. Heck, I see legitimate IP space which simply isn't registered _anywhere_.
- there is no standard way to indicate notification addresses - some use comments, many different potential field names. Why couldn't this have been standardized?
- Inadequate delegation
- Notifying too far down the chain
The experiments I've done got to about 10% accuracy. But it's the 90% that are completely erroneous and potentially cause mailing entirely the wrong person. There's no way you can let one of these things run unattended. I have something running doing this - but the IP -> email address database is compiled by hand. Coverage is abysmal - maybe 20% on good days for spam reports. Probably be 0% on reasonably clean IP ranges. abuse.net maintains a domain -> abuse address database. It's the best data, _if_ the domain owner has registered. There is nothing analogous for IP addresses. Or even AS's. Man it would be nice if there was an IP or AS -> notification address service out there (i.e. by DNS, a la DNSBL TXT records).
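An added example, not code from anyone in this thread: it models the "hand-compiled IP -> email address database" above together with the nested-allocation problem raised earlier (a /25 sold out of a /22 out of a /19 out of a /16). The lookup picks the most specific allocation that actually carries a contact and falls back to the parent allocation when the leaf has none, and it builds the reversed-octet query name a DNSBL-style TXT service would use. Every prefix, contact address and zone name below is constructed for the example (private address space, .example names); none of it is real registry data.

```python
"""Pick whom to notify for an IP from a hand-compiled allocation table.

Constructed example data: nested allocations in private space, some with
a registered contact and some without.  An empty string means "we know
the allocation exists but WHOIS gives no usable notification address".
"""
import ipaddress

# Constructed registry: prefix -> notification address ("" = no contact known)
ALLOCATIONS = {
    "10.0.0.0/16":   "abuse@lir.example",         # regional allocation
    "10.0.0.0/19":   "noc@regional-isp.example",  # sold out of the /16
    "10.0.0.0/22":   "",                          # sold out of the /19, no contact
    "10.0.1.0/25":   "hostmaster@colo.example",   # sold out of the /22
    "10.0.1.128/25": "",                          # neighbouring /25, no contact
}

# Parse once so lookups do not re-parse the table on every call.
_PARSED = [(ipaddress.ip_network(p), c) for p, c in ALLOCATIONS.items()]


def allocation_chain(ip_str):
    """All allocations covering ip_str, most specific first."""
    ip = ipaddress.ip_address(ip_str)
    covering = [(net, contact) for net, contact in _PARSED if ip in net]
    covering.sort(key=lambda nc: nc[0].prefixlen, reverse=True)
    return covering


def notification_target(ip_str):
    """(prefix, contact) of the most specific allocation that has a contact.

    Walks up the chain when the leaf allocation has no address registered,
    so a report goes to the closest responsible party that can be reached.
    Returns None when the IP is not covered by any known allocation.
    """
    for net, contact in allocation_chain(ip_str):
        if contact:
            return str(net), contact
    return None


def dnsbl_style_name(ip_str, zone="contacts.example"):
    """Reversed-octet query name for a DNSBL-style TXT lookup.

    e.g. 10.0.1.5 -> "5.1.0.10.contacts.example".  The zone is an
    assumption for this example; no such service exists on the page.
    """
    ip = ipaddress.ip_address(ip_str)
    if ip.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(str(ip).split("."))) + "." + zone


if __name__ == "__main__":
    for addr in ("10.0.1.5", "10.0.1.200", "10.0.40.1", "192.0.2.1"):
        print(addr, "->", notification_target(addr), dnsbl_style_name(addr))
```

The fallback is the part that matters: reporting to the /25 holder when that record is empty reaches nobody, while reporting to the /16 holder when a /25 contact exists is "notifying too far up" and usually gets the "you are not our customer" reply mentioned later in the thread.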
: > I may be reaching here but I think perl scripting can do this. : : I wish. I've been experimenting with doing exactly that for years. That is what I meant by "reaching", it was not intended to be a smart a** comment. How about mailing to abuse/postmaster@<domain> ? I realize that the postmaster/abuse account is often non-existent but at least you made the effort. To me the important thing is at least trying to notify. So the clueless miss out. Tough. Those of us that care would like to know there is a problem, so we can solve it. James Edwards Routing and Security jamesh@cybermesa.com At the Santa Fe Office: Internet at Cyber Mesa Store hours: 9-6 Monday through Friday 505-988-9200 SIP:1(747)669-1965
On Fri, 5 Dec 2003, james wrote:
To me the important thing is at least trying to notify. So the clueless miss out. Tough. Those of us that care would like to know there is a problem, so we can solve it.
Thank you James, that's my point exactly :) The people who care or have a clue will have what they need, and those who don't will get left behind. When people decide to clean up their act, they will start to care.
james wrote:
: > I may be reaching here but I think perl scripting can do this. : : I wish. I've been experimenting with doing exactly that for years.
That is what I meant by "reaching", it was not intended to be a smart a** comment. How about mailing to abuse/postmaster@<domain> ? I realize that the postmaster/abuse account is often non-existent but at least you made the effort. To me the important thing is at least trying to notify. So the clueless miss out. Tough. Those of us that care would like to know there is a problem, so we can solve it.
I have been laid off for a while now so I may be out of touch, but for all of the attacks I worked on, the only thing we could know (emphasis "could") was which interface the attack vehicle arrived on, as a maximum. Everything else was forged, spoofed, or unintelligible. I was probably not filtering off traffic from you (for any value of "you"), I was filtering off stuff with your IP address in it.
On Fri, 2003-12-05 at 16:05, Laurence F. Sheldon, Jr. wrote:
Everything else was forged, spoofed, or unintelligible.
I was probably not filtering off traffic from you (for any value of "you"), I was filtering off stuff with your IP address in it.
I was not aware one can fake everything in the mail headers, including the sending mail server. -- James Edwards Routing and Security jamesh@cybermesa.com At the Santa Fe Office: Internet at Cyber Mesa 505-988-9200 SIP:747-669-1965
On 5 Dec 2003, james wrote: On Fri, 2003-12-05 at 16:05, Laurence F. Sheldon, Jr. wrote:
Everything else was forged, spoofed, or unintelligible.
I was probably not filtering off traffic from you (for any value of "you"), I was filtering off stuff with your IP address in it.
I was not aware one can fake everything in the mail headers, including the sending mail server. Where have you been for the last year? The sending "mail server" is some chump's infected Windows box on DSL. Boy, tracking that host down is going to do a whole lot of good! Then start working on the other 9,999 hosts the same spammer is abusing as well. gg matto --mghali@snark.net------------------------------------------<darwin>< Flowers on the razor wire/I know you're here/We are few/And far between/I was thinking about her skin/Love is a many splintered thing/Don't be afraid now/Just walk on in. #include <disclaim.h>
On Fri, 2003-12-05 at 21:20, just me wrote:
On 5 Dec 2003, james wrote:
On Fri, 2003-12-05 at 16:05, Laurence F. Sheldon, Jr. wrote:
Everything else was forged, spoofed, or unintelligible.
I was probably not filtering off traffic from you (for any value of "you"), I was filtering off stuff with your IP address in it.
I was not aware one can fake everything in the mail headers, including the sending mail server.
Where have you been for the last year? The sending "mail server" is some chump's infected Windows box on DSL. Boy, tracking that host down is going to do a whole lot of good! Then start working on the other 9,999 hosts the same spammer is abusing as well.
gg matto
What is your point? It is still the server that sent it. james
james wrote:
On Fri, 2003-12-05 at 16:05, Laurence F. Sheldon, Jr. wrote:
Everything else was forged, spoofed, or unintelligible.
I was probably not filtering off traffic from you (for any value of "you"), I was filtering off stuff with your IP address in it.
I was not aware one can fake everything in the mail headers, including the sending mail server.
Just to clarify--I didn't realize we were talking about just email, that is sort of frowned upon here. I was talking about all attack vehicles, I think, including email, spam, worm castings, and viral debris.
james writes on 12/5/2003 11:09 PM:
I was not aware one can fake everything in the mail headers, including the sending mail server.
1. HELO forged in the first header where the connecting IP hands off to your MX
2. All other headers below that can be, and are, heavily forged.
-- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
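An added example, not code posted by anyone in this thread: it applies the two points above to a message. The only Received line worth trusting is the one your own MX wrote, and within it only the connecting IP in brackets is a fact; the HELO name in that line and every Received line below it were supplied by the sender and can be forged. That connecting IP is the thing a filter actually acts on ("stuff with your IP address in it"). The sample message, the MX name mx.ourdomain.example and all other hosts and addresses are constructed for this example, using documentation and private address ranges.

```python
"""Find the one Received header you can trust and what it proves.

Received headers are prepended by each relay, so the first one that says
"by <our MX>" was written by us; everything below it came in with the
message and is untrusted sender-supplied data.
"""
import email
import re

OUR_MX = "mx.ourdomain.example"  # assumed name of our own inbound relay

# Constructed sample message: our MX's own Received line on top, then two
# lines the sender handed us, which could say anything.
SAMPLE = """\
Received: from mail.bigisp.example (unknown [203.0.113.45])
    by mx.ourdomain.example (Postfix) with ESMTP id 8F2A1
    for <victim@ourdomain.example>; Fri, 5 Dec 2003 14:30:57 -0700
Received: from relay.bigisp.example (relay.bigisp.example [198.51.100.7])
    by mail.bigisp.example with ESMTP; Fri, 5 Dec 2003 14:29:00 -0700
Received: from [10.1.2.3] by relay.bigisp.example; Fri, 5 Dec 2003 14:28:00 -0700
From: "A. Customer" <customer@bigisp.example>
To: victim@ourdomain.example
Subject: test

hello
"""

# "from <helo> (<reverse-dns> [<ip>]) by <host> ..."; the parenthetical is
# optional because sender-written lines often omit it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received header into HELO name, bracketed IP and 'by' host."""
    flat = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    ip_m = IP_RE.search(m.group("paren") or "")
    return {
        "helo": m.group("helo"),
        "ip": ip_m.group(1) if ip_m else None,
        "by": m.group("by").lower().rstrip(";,"),
    }


def trusted_hop(raw, our_mx=OUR_MX):
    """Return what our MX recorded about the connecting client, or None.

    Only the first Received line whose 'by' host is our MX is trusted.
    Its bracketed IP is the peer that really connected; its HELO name is
    the sender's claim.  Hops below it are counted but not believed.
    """
    msg = email.message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    for idx, hop in enumerate(hops):
        if hop and hop["by"] == our_mx.lower():
            return {
                "connecting_ip": hop["ip"],
                "claimed_helo": hop["helo"],
                "untrusted_hops_below": len(hops) - idx - 1,
            }
    return None  # no header written by us: nothing here can be trusted


if __name__ == "__main__":
    print(trusted_hop(SAMPLE))
```

If `trusted_hop` returns None the message did not pass through the relay you expected, so even the top Received line is somebody else's claim; a block based on any IP in it is a block on a name the sender chose.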
I think part of the problem is not only to notify but to provide information for techs at another ISP to know what kind of problem they have (and if you block them, they may not be able to reach you to even ask). I would remind that this thread started from Tom telling us that roadrunner did not even record why they blocked him. Not only should they have recorded it but perhaps had a location where Tom could find that:
1. He's being blocked
2. Why he is being blocked, with a particular example of the abuse that caused it
3. How long the block will last, or what steps he should take, if he corrected the problem, to notify them and get the block removed
Since it's difficult to maintain a tracking system like this for every ISP, perhaps a more centralized abuse clearing house could be developed (centralized does not mean it should get involved in these disputes, just provide a forum for one ISP to record filtering policies that are being applied to another one). In fact more than one system like this can exist and ISPs may choose which system they use or run their own system; what would be important is to let everyone know what system they are using and how to get information from it, preferably in real time. On Fri, 5 Dec 2003, james wrote:
: > I may be reaching here but I think perl scripting can do this. : : I wish. I've been experimenting with doing exactly that for years.
That is what I meant by "reaching", it was not intended to be a smart a** comment. How about mailing to abuse/postmaster@<domain> ? I realize that the postmaster/abuse account is often non-existent but at least you made the effort. To me the important thing is at least trying to notify. So the clueless miss out. Tough. Those of us that care would like to know there is a problem, so we can solve it.
James Edwards Routing and Security jamesh@cybermesa.com At the Santa Fe Office: Internet at Cyber Mesa Store hours: 9-6 Monday through Friday 505-988-9200 SIP:1(747)669-1965
william@elan.net writes on 12/5/2003 7:24 PM:
did not even record why they blocked him. Not only should they have recorded it but perhaps had a location where Tom could find that: 1. He's being blocked 2. Why he is being blocked, with a particular example of the abuse that caused it 3. How long the block will last, or what steps he should take, if he corrected the problem, to notify them and get the block removed
Roadrunner bounce messages are quite verbose and explanatory. And http://security.rr.com has a lot more. [micah mcneily]
I have also had some blocking taking place. Mail was sent to spamblock @ rr.com two days ago without any response although we did have ticket generation.
They say to email removal@security.rr.com at http://security.rr.com/mail_blocks.htm I do guess they should automate a lot of their unblocking process as well - especially unblocking the open relay / open proxy type blocks, that can be trivially automated (click here to schedule a retest of your IP, etc). That might cut down on a whole lot of their load. srs -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
"Tom (UnitedLayer)" wrote:
So, I got an e-mail back from RR after I posted here. They claim to have no specific record of why we were blocked, so they removed it. They said it was probably DOS or a Mailbomb, both of which we would have squelched IMMEDIATELY.
Frankly, I think that it's pretty poor practice to block someone and not tell them, especially when contact information is clearly available everywhere. We've got e-mail, various phones, and INOC-DBA, so it's not that hard to get ahold of us :)
I have no idea what the facts are here, but as a general statement I'd point out that some of us have recently been in a free-fire zone with more than we can handle coming at us from everywhere. A reasonable reaction to protect own-turf is to plug up holes as you identify the local end of it and wait to see if anybody cares about it after the fire-fight. The likelihood of being able to contact anybody competent and sympathetic is not worth the time and effort the attempt takes. The usual response back when I thought I should try was "you are not our customer...." with the common alternative being "Please reboot and see if that clears it up." YMMV
On Fri, 5 Dec 2003, Laurence F. Sheldon, Jr. wrote:
A reasonable reaction to protect own-turf is to plug up holes as you identify the local end of it and wait to see if anybody cares about it after the fire-fight.
So block a /30, not a /24
The likelihood of being able to contact anybody competent and sympathetic is not worth the time and effort the attempt takes.
So next time I get portscanned from someone from RR, I should just blackhole their IP space and wait till someone complains about not being able to get to www.apache.org or www.archive.org? That's totally irresponsible. Unless you like playing whack-a-mole, you need a smarter hammer, not a bigger one.
participants (8): Chris Lewis, james, just me, Laurence F. Sheldon, Jr., Suresh Ramasubramanian, Tom (UnitedLayer), Valdis.Kletnieks@vt.edu, william@elan.net