On 7/28/2015 22:57, Bryan Tong wrote:
Yes I have followed all of the procedures. I will continue to wait to see if there is any change.
Would you please send me the address range in question--I would like to see what they told you to do.
-- sed quis custodiet ipsos custodes? (Juvenal)
On Tue, Jul 28, 2015 at 11:13:02PM -0500, Larry Sheldon wrote:
On 7/28/2015 22:57, Bryan Tong wrote:
Yes I have followed all of the procedures. I will continue to wait to see if there is any change.
Would you please send me the address range in question--I would like to see what they told you to do.
I suspect that http://www.spamhaus.org/query/ip/199.87.233.245 may be part of it (although it indicates a /21 blocked, not a /17).
- Matt
-- One of the Rules Of Flight is, or should be: Pullout Altitude Is Not A Signed Quantity. -- Anthony de Boer, in the monastery
Yes that is part of it.
There are other blocks they listed as well.
On Tue, Jul 28, 2015 at 11:37 PM, Matt Palmer <mpalmer@hezmatt.org> wrote:
On Tue, Jul 28, 2015 at 11:13:02PM -0500, Larry Sheldon wrote:
On 7/28/2015 22:57, Bryan Tong wrote:
Yes I have followed all of the procedures. I will continue to wait to see if there is any change.
Would you please send me the address range in question--I would like to see what they told you to do.
I suspect that http://www.spamhaus.org/query/ip/199.87.233.245 may be part of it (although it indicates a /21 blocked, not a /17).
- Matt
-- One of the Rules Of Flight is, or should be: Pullout Altitude Is Not A Signed Quantity. -- Anthony de Boer, in the monastery
-- eSited LLC (701) 390-9638
On Tue, Jul 28, 2015 at 11:41:08PM -0600, Bryan Tong wrote:
Yes that is part of it.
There are other blocks they listed as well.
Well, http://www.spamhaus.org/sbl/query/SBL263089 has a fair amount of shady stuff going on, and http://www.spamhaus.org/sbl/listings/esited.com gives a pretty decent history of what Spamhaus has been doing. Note the "(escalation)" entries in there, which indicates a lack of interest on esited.com's part in fixing any of the problems.
- Matt
Would be nice to have an RBL service that attended NANOG meetings. Would make for a more trusted RBL we can tell customers to make use of. Spamhaus ever attend a NANOG meeting?
Thank You
Bob Evans
CTO
On Tue, Jul 28, 2015 at 11:41:08PM -0600, Bryan Tong wrote:
Yes that is part of it.
There are other blocks they listed as well.
Well, http://www.spamhaus.org/sbl/query/SBL263089 has a fair amount of shady stuff going on, and http://www.spamhaus.org/sbl/listings/esited.com gives a pretty decent history of what Spamhaus has been doing. Note the "(escalation)" entries in there, which indicates a lack of interest on esited.com's part in fixing any of the problems.
- Matt
<delurk>
They come to M3AAWG on a regular basis and there’s the M3AAWG hosting SIG that you might want to participate in.
NANOG doesn’t always have a mail abuse (and not very many network abuse) session on the agenda, plus just how many people doing routing or DNS seem to even care what their colleagues down the hall in the abuse team are doing or which conferences they attend?
I remember a time (under the previous list management) when discussing spam here was deemed OT and non operational - off list warnings, suspensions and such. Ancient history I guess, but still ..
</delurk>
—srs
On 29-Jul-2015, at 10:06 AM, Bob Evans <bob@FiberInternetCenter.com> wrote:
Would be nice to have an RBL service that attended NANOG meetings. Would make for a more trusted RBL we can tell customers to make use of. Spamhaus ever attend a NANOG meeting?
Thank You
Bob Evans
CTO
<m3aawg technical committee co-chair hat>
I agree with Suresh here -- NANOG used to almost be somewhat hostile to anyone who started discussions regarding anti-abuse and/or security issues which didn't involve routing backbone engineers.
A lot of us old-timers took the hint and basically started lurking, not participating in meetings, or simply checked out of NANOG altogether.
A lot of time has passed since those days, so perhaps attitudes have changed a bit with regards to operational anti-abuse issues?
- ferg
</m3aawg technical committee co-chair hat>
On 7/29/2015 10:14 AM, Suresh Ramasubramanian wrote:
<delurk>
They come to M3AAWG on a regular basis and there’s the M3AAWG hosting SIG that you might want to participate in.
NANOG doesn’t always have a mail abuse (and not very many network abuse) session on the agenda, plus just how many people doing routing or DNS seem to even care what their colleagues down the hall in the abuse team are doing or which conferences they attend?
I remember a time (under the previous list management) when discussing spam here was deemed OT and non operational - off list warnings, suspensions and such. Ancient history I guess, but still ..
</delurk>
—srs
On 29-Jul-2015, at 10:06 AM, Bob Evans <bob@FiberInternetCenter.com> wrote:
Would be nice to have an RBL service that attended NANOG meetings. Would make for a more trusted RBL we can tell customers to make use of. Spamhaus ever attend a NANOG meeting? Thank You Bob Evans CTO
-- Paul Ferguson PGP Public Key ID: 0x54DC85B2 Key fingerprint: 19EC 2945 FEE8 D6C8 58A1 CE53 2896 AC75 54DC 85B2
I see that point - however, spamhaus has become a haus-hold word these days and everyone runs into these issues....it's not malware or bots we block from a network level blackhole. Yet it is basic network operations these days to have to deal with someone complaining about their hacked mail server is now fixed yet they can't get mail. We usually tell them the quickest way is to address spamhaus to get it removed and in parallel also move the mail server to a new IP and change the dns and rDNS to the new one. It gets us out of having to help with these RBL issues.
When an RBL sends a notice we jump on it and get it to the customer...however, they usually don't send us or the customer anything.
Thank You
Bob Evans
CTO
<delurk>
They come to M3AAWG on a regular basis and there’s the M3AAWG hosting SIG that you might want to participate in.
NANOG doesn’t always have a mail abuse (and not very many network abuse) session on the agenda, plus just how many people doing routing or DNS seem to even care what their colleagues down the hall in the abuse team are doing or which conferences they attend?
I remember a time (under the previous list management) when discussing spam here was deemed OT and non operational - off list warnings, suspensions and such. Ancient history I guess, but still ..
</delurk>
—srs
On 29-Jul-2015, at 10:06 AM, Bob Evans <bob@FiberInternetCenter.com> wrote:
Would be nice to have an RBL service that attended NANOG meetings. Would make for a more trusted RBL we can tell customers to make use of. Spamhaus ever attend a NANOG meeting? Thank You Bob Evans CTO
Er - a couple of ways
1. If you run a farm of mail servers, something like splunk for your logs is kind of necessary. How difficult is it going to be to trigger a splunk alert on whatever looks like an administrative block? Either by a large provider, or by a DNS block list.
2. You can rsync spamhaus and grep for mentions of your ASN, get ISP feedback loops etc.
On a larger topic - NANOG and M3AAWG (also RIPE and M3AAWG’s summer meeting in Europe) really ought to collocate or at least be back to back in the same city somewhere down the line - maybe with a day’s worth of joint sessions on topics of mutual interest (malware detection and mitigation, DDoS filtering .. there’s a lot going on in M3AAWG that’s not plain old mail or even messaging)
It still won’t solve the larger problem that a lot of routing and DNS folks won’t find it of interest, but well, over the decade ++ I’ve been around M3AAWG I see an ever increasing number of (security focused, mainly) *nog regulars turn up there.
—srs
On 29-Jul-2015, at 10:37 AM, Bob Evans <bob@FiberInternetCenter.com> wrote:
I see that point - however, spamhaus has become a haus-hold word these days and everyone runs into these issues....it's not malware or bots we block from a network level blackhole. Yet it is basic network operations these days to have to deal with someone complaining about their hacked mail server is now fixed yet they can't get mail. We usually tell them the quickest way is to address spamhaus to get it removed and in parallel also move the mail server to a new IP and change the dns and rDNS to the new one. It gets us out of having to help with these RBL issues.
When an RBL sends a notice we jump on it and get it to the customer...however, they usually don't send us or the customer anything.
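The first suggestion in the message above (alert on log entries that look like an administrative block by a large provider or a DNS block list), sketched as an added example that is not part of the original thread. It is plain Python standing in for a Splunk search; the Postfix-style log lines, hostnames, IPs and regexes are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed Postfix-style delivery log lines (documentation hostnames and IPs).
SAMPLE_LOG = """\
Jul 29 10:01:02 mx1 postfix/smtp[2101]: 4A1B2C3D4E: to=<a@example.net>, relay=mx.example.net[198.51.100.25]:25, delay=1.2, dsn=5.7.1, status=bounced (host mx.example.net[198.51.100.25] said: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org (in reply to RCPT TO command))
Jul 29 10:01:07 mx1 postfix/smtp[2102]: 4A1B2C3D4F: to=<b@example.org>, relay=mx.example.org[198.51.100.40]:25, delay=0.9, dsn=2.0.0, status=sent (250 2.0.0 OK queued)
Jul 29 10:02:11 mx1 postfix/smtp[2103]: 5B2C3D4E5F: to=<c@example.com>, relay=mx.example.com[198.51.100.77]:25, delay=2.0, dsn=4.7.1, status=deferred (host mx.example.com[198.51.100.77] said: 421 4.7.1 [192.0.2.10] temporarily rate limited due to IP reputation (in reply to MAIL FROM command))
Jul 29 10:03:30 mx1 postfix/smtp[2104]: 4A1B2C3D50: to=<d@example.net>, relay=mx.example.net[198.51.100.25]:25, delay=1.1, dsn=5.1.1, status=bounced (host mx.example.net[198.51.100.25] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
Jul 29 10:04:45 mx2 postfix/smtp[3312]: 5B2C3D4E60: to=<e@example.net>, relay=mx.example.net[198.51.100.25]:25, delay=1.3, dsn=5.7.1, status=bounced (host mx.example.net[198.51.100.25] said: 554 5.7.1 Service unavailable; Client host [192.0.2.11] blocked using zen.spamhaus.org (in reply to RCPT TO command))
"""

# A failed outbound delivery: capture the receiving relay and the remote reply.
DELIVERY = re.compile(
    r"postfix/smtp\[\d+\]: \w+: to=<[^>]*>, relay=(?P<relay>[^\[,]+)\[[^\]]*\].*?"
    r"status=(?:bounced|deferred) \((?P<reply>.*)\)$")
# The receiver names the DNS block list it consulted.
DNSBL = re.compile(r"blocked using (?P<zone>[\w.-]+)", re.I)
# Enhanced status class X.7.x (security/policy) plus reputation wording.
POLICY = re.compile(r"\b[45]\.7\.\d+\b.*\b(reputation|block ?list|blacklist)", re.I)

def classify(line):
    """Return a reason string if the line looks like an administrative block, else None."""
    m = DELIVERY.search(line)
    if not m:
        return None
    reply = m.group("reply")
    hit = DNSBL.search(reply)
    if hit:
        return "dnsbl:" + hit.group("zone").rstrip(".").lower()
    if POLICY.search(reply):
        return "provider:" + m.group("relay")
    return None  # ordinary failure such as "user unknown"

def block_alerts(log_text, threshold=2):
    """Group suspected blocks by reason; report those seen at least `threshold` times."""
    seen = defaultdict(lambda: {"count": 0, "senders": set()})
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            seen[reason]["count"] += 1
            seen[reason]["senders"].add(line.split()[3])  # syslog host field
    return {r: {"count": v["count"], "senders": sorted(v["senders"])}
            for r, v in seen.items() if v["count"] >= threshold}

if __name__ == "__main__":
    for reason, info in block_alerts(SAMPLE_LOG, threshold=1).items():
        print(reason, info)
```

Grouping by reason and by sending host shows which servers in the farm are affected, so the customer can be told before they notice undelivered mail.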
On Wed, 29 Jul 2015, Bob Evans wrote:
I see that point - however, spamhaus has become a haus-hold word these days and everyone runs into these issues....it's not malware or bots we block from a network level blackhole. Yet it is basic network operations these days to have to deal with someone complaining about their hacked mail server is now fixed yet they can't get mail.
If their mail server was SBL'd due to being compromised by spammers, they likely can't send mail / get remote mail delivered. They should still be able to "get mail", i.e. receive mail.
We usually tell them the quickest way is to address spamhaus to get it removed and in parallel also move the mail server to a new IP and change the dns and rDNS to the new one. It gets us out of having to help with these RBL issues.
That (moving them to another IP) should really be a last resort if the DNSBL(s) they're on are not responsive to being told the issue has been resolved. Moving them without having resolved the issue would be even worse, as it'll make it look like you're complicit with the spammer who compromised the server (since you're helping them get around the DNSBLs).
I did that once that I can remember, when one of $work's main SMTP servers was blocked by AOL, and when we reached out to AOL to ask why, their response was basically "Someone from our postmaster group will let you know why we're blocking you. It'll be at least a week before they can get to your ticket."
----------------------------------------------------------------------
Jon Lewis, MCP :) | I route | therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On Wed, 29 Jul 2015, Bob Evans wrote:
Would be nice to have an RBL service that attended NANOG meetings. Would make for a more trusted RBL we can tell customers to make use.
How do you know they don't? Most of them keep a low profile due to things like http://www.bizjournals.com/southflorida/stories/2003/05/12/story1.html?page=...
----------------------------------------------------------------------
Jon Lewis, MCP :) | I route | therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
participants (7)
- Bob Evans
- Bryan Tong
- Jon Lewis
- Larry Sheldon
- Matt Palmer
- Paul Ferguson
- Suresh Ramasubramanian