From mallen at gibraltarsoft.com Thu Jan 3 14:17:17 2002
From: mallen at gibraltarsoft.com (Mark Allen)
Date: 03 Jan 2002 14:17:17 -0800
Subject: Beta site wanted
Message-ID: <1010096237.20585.44.camel@mrhat.gibraltarsoft.com>

Hi all.

I'm looking for a guinea pig company (a.k.a a beta site) to run our "flagship" product, Everguard. My company, Gibraltar Software, has been in stealth mode now for about 6 months writing all the code and testing our product, but we're ready now to start testing it in customer sites outside of our QA Lab and our internal network.

What is Everguard?

Everguard is a software security management tool. Using a simple software agent on a customer computer (a "target" system in our lexicon) a software and hardware inventory of the target is collected and transmitted to a central server which resides behind the customer's (i.e., your) firewall. That customer server periodically downloads from us (Gibraltar Software) a list of all known software vulnerabilities for each supported operating system flavor. Then the customer server matches your software inventory with the vulnerability index and (if desired) sends notification to the administrator responsible for any system with a detected vulnerability.

These action items can be dispensed with in a variety of ways: you can patch the computer (we point you to the patch file), you can ignore the problem, you can mark it as "fixed" (i.e., false positive -- this shouldn't happen much), or you can "defer" it. A deferral means that you don't want to ignore a problem forever; just for a couple days while you fight some other fire.

The customer server collects metrics about all of the target systems including: all of its known vulnerabilities, software installed, hardware installed and other data. (Like, my favorite, the average "Window of Exposure" time from detection to correction).
In addition to notification of vulnerabilities, Everguard can create very professional looking reports for management (i.e., your boss) which precisely show why you deserve a raise at review time.

What are we looking for?

Our three initial target operating systems are: Red Hat Linux 6.2 or later, Microsoft Windows 2000 (only -- for the moment), and Solaris 2.7 or later. We're looking for a shop with approximately 100 computers with some sample of each OS we're supporting (although larger shops wouldn't necessarily be bad) and some kind of laboratory environment on site. The lab is so we can prove our software isn't malware before we roll it out to a production box or network.

What do you get out of this?

My eternal gratitude for starters. But if that's not enough, we are offering "substantially" discounted licenses for our final release product. (Final release will be in six to eight weeks or so.) The cost to participate in the beta site will be minimal: your (or your team's) time. We will pay for the server at your site and all of the professional services of installing and rolling out the product at your site on your schedule for deployment.

What do we expect out of this?

1. Good solid feedback on current product implementation
2. Good solid feedback on future product features
3. Good bug reports (if any -- very unlikely, though -- ha ha)
4. And, if all goes well, a customer reference.

Sound interesting? You may direct further questions and/or comments to me by phone (below) or via email.

Yes, we are fully buzzword compliant here at Gibraltar. :-)

Thank you for your time,

Mark Allen
408-585-3420 ext. 20
--
mallen at gibraltarsoft.com -- http://www.gibraltarsoft.com
"If you can dream it, you can do it." -- Walt Disney
"This is false." -- Larry Wall

From windsor at warthog.com Fri Jan 4 13:24:45 2002
From: windsor at warthog.com (Rob Windsor)
Date: Fri, 04 Jan 2002 15:24:45 -0600
Subject: Solaris boot question
In-Reply-To: Your message of "Thu, 27 Dec 2001 13:53:18 PST." <20011227135318.C4895@deer-run.com>
Message-ID: <200201042124.g04LOma14015@warthog.com>

On Thu, 27 Dec 2001 13:53:18 PST, verily did Hal Pomeranz write:

>> I have an old Ultra1 that has a 10Mbit le0 interface on the
>> motherboard and a 100Mbit hme0 interface on an SBUS card. I would
>> like to jumpstart the machine off of its hme0 interface rather than
>> the default le0.

>> I realize that this is going to require my figuring out the device
>> path for the hme0 interface so that I can change the devalias for
>> the "net" boot device. Unfortunately, I have no idea how to figure
>> out the correct device path -- i.e., the thing that looks like
>> /sbus/ledma@e,8400010/le@e,8c00000 (which is the device path for
>> the le0 interface).

> Turns out I'm sitting next to another member of this email list (John
> Detke) who knew the answer-- "check the output of the dmesg command".
> This is the correct answer, and I'm happily booting off my hme0
> interface now (aka /sbus@1f,0/SUNW,hme@0,8c00000). Thanks, John!

In the OBP, aside from "show-devs", you can also "cd" and "ls" around in the device tree and then "pwd" to get the full path once you're convinced you've found what you want.

Rob++ (another former Synopsoid, "hi Dave, Stu")
--
Internet: windsor at warthog.com                          __o
Life: Rob at Carrollton.Texas.USA.Earth                 _`\<,_
                                                       (_)/ (_)
The weather is here, wish you were beautiful.

From star at betelgeuse.starshine.org Fri Jan 4 16:44:02 2002
From: star at betelgeuse.starshine.org (Heather)
Date: Fri, 4 Jan 2002 16:44:02 -0800 (PST)
Subject: Meeting 17 Jan 2002, 7:30 pm
Message-ID: <200201050044.g050i2429862@betelgeuse.starshine.org>

Greetings, fellow sysadmins, netadmins, and other folk interested in large scale sysadmin matters.

This month's topic is: New Technologies for Network Monitoring
Our speaker is: Vicka Corey, a lead programmer on NetIntercept

While NetIntercept itself is a product of Sandstorm Enterprises, the nuts and bolts of monitoring at the large scale, keeping track of it all, and reporting will be discussed at length.

Our apologies to those of you who expected Simson Garfinkel. He has conflicting travel arrangements, but is expected to be available later this year.

We're at the usual place (Incyte Genomics HQ) with the usual goodies (snacks, sodas, $6 pint glasses) and the usual time: 7:30 pm to 9:30 pm

-* Heather Stern * Arch (secretary) BayLISA Board * http://www.baylisa.org/ *-

From strata at virtual.net Fri Jan 4 17:26:21 2002
From: strata at virtual.net (Strata Rose Chalup)
Date: Fri, 04 Jan 2002 17:26:21 -0800
Subject: a bit of lovely news about spam in California
Message-ID: <3C36563D.AF70CACA@virtual.net>

Court upholds anti-spam law
Unsolicited e-mail not protected, judges say
Bob Egelko, Kelly St. John, Chronicle Staff Writers
Friday, January 4, 2002

...

The state Court of Appeal ruled Wednesday that California can require Internet "spammers" to identify their e-mails as advertisements. The court also said they must provide ways for recipients to get off their mailing lists.

The unanimous decision by a three-judge First Appellate District court in San Francisco reversed a lower court's ruling that the law is unconstitutional. Wednesday's decision is the first higher court decision on the validity of the law. Today, similar laws are in effect in 18 states and have been proposed in Congress since 1994.

...
http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2002/01/04/MN228257.DTL

--
========================================================================
Strata Rose Chalup [KF6NBZ]                     strata "@" virtual.net
VirtualNet Consulting                          http://www.virtual.net/
** Project Management & Architecture for ISP/ASP Systems Integration **
=========================================================================

From david at catwhisker.org Fri Jan 4 18:19:28 2002
From: david at catwhisker.org (David Wolfskill)
Date: Fri, 4 Jan 2002 18:19:28 -0800 (PST)
Subject: a bit of lovely news about spam in California
In-Reply-To: <3C36563D.AF70CACA@virtual.net>
Message-ID: <200201050219.g052JSU52785@bunrab.catwhisker.org>

>Date: Fri, 04 Jan 2002 17:26:21 -0800
>From: Strata Rose Chalup

>Court upholds anti-spam law
>Unsolicited e-mail not protected, judges say
>Bob Egelko, Kelly St. John, Chronicle Staff Writers
>Friday, January 4, 2002

>http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2002/01/04/MN228257.DTL

Yes, I'd consider that encouraging, though I do rather wish that a citation for *which* law had made it into the article. (Ref. the SMTP greeting from mail.catwhisker.org.)

The other thing that kinda bugs me about the decision, though, is that the cost of sending the junk (i.e., the cost of transmission/storage/relaying) doesn't seem to have been considered -- and it is my perception (the value of such tools as Catherine Hampton's spam bouncer notwithstanding) that as soon as a system has accepted responsibility for delivering spam to its ultimate recipient(s), the spammers have begun to "win" (at the expense of the rest of us).

In other words, I believe it is best to stop spam as early in the game as possible, pushing responsibility for dealing with the mess closer and closer to the spammers themselves, so that the ISPs who host them will perceive that there is a real cost to allowing their resources to be thus abused.

To that end, I am working on a glimmer of an idea.... :-}

Cheers,
david
--
David H. Wolfskill david at catwhisker.org
I believe it would be irresponsible (and thus, unethical) for me to advise, recommend, or support the use of any product that is or depends on any Microsoft product for any purpose other than personal amusement.

From jxh at jxh.com Fri Jan 4 19:41:35 2002
From: jxh at jxh.com (Jim Hickstein)
Date: Fri, 04 Jan 2002 19:41:35 -0800
Subject: a bit of lovely news about spam in California
In-Reply-To: <200201050219.g052JSU52785@bunrab.catwhisker.org>
References: <200201050219.g052JSU52785@bunrab.catwhisker.org>
Message-ID: <72826187.1010173295@[10.9.18.6]>

> To that end, I am working on a glimmer of an idea.... :-}

A Nobel Prize in Economics awaits the person who solves this one, IMO. Go for it.

From star at betelgeuse.starshine.org Fri Jan 4 21:22:18 2002
From: star at betelgeuse.starshine.org (Heather)
Date: Fri, 4 Jan 2002 21:22:18 -0800 (PST)
Subject: a bit of lovely news about spam in California
In-Reply-To: <72826187.1010173295@[10.9.18.6]> from Jim Hickstein at "Jan 4, 2002 07:41:35 pm"
Message-ID: <200201050522.g055MIS30520@betelgeuse.starshine.org>

> > To that end, I am working on a glimmer of an idea.... :-}
>
> A Nobel Prize in Economics awaits the person who solves this one, IMO. Go
> for it.

Hmmm, I think we have a replacement for that old final-exam joke, you know, the PhD graduation exam from World's Toughest U, for economics.

Although I'd probably rather replace the "wild bull elephant will be let into the room" with ravening spammer, and have the disassembled elephant rifle have its way with the fellow.

Hmm, I like to convert the heathens though, if possible. Such tough ethics decisions.

But while we're on antispam I have an interesting question - what are your preferred methods of proving-beyond-shadow-of-a-doubt to Pointy Haired Boss types, that a given site is *not* an open relay / spambait?
And are your answers any dif't for internal "bossberts" vs external troublemakers?

-* Heather Stern * Starshine Technical Services * star at starshine.org *-

From jxh at jxh.com Fri Jan 4 23:46:19 2002
From: jxh at jxh.com (Jim Hickstein)
Date: Fri, 04 Jan 2002 23:46:19 -0800
Subject: a bit of lovely news about spam in California
In-Reply-To: <200201050522.g055MIS30520@betelgeuse.starshine.org>
References: <200201050522.g055MIS30520@betelgeuse.starshine.org>
Message-ID: <73707198.1010187979@[10.9.18.6]>

> But while we're on antispam I have an interesting question - what are your
> preferred methods of proving-beyond-shadow-of-a-doubt to Pointy Haired
> Boss types, that a given site is *not* an open relay / spambait? And are
> your answers any dif't for internal "bossberts" vs external troublemakers?

Mirapoint's documentation says it isn't an open relay (show the documentation): a hitherto underappreciated aspect of the appliance benefit! (I'll tell Sales tomorrow.) And I can conduct an experiment on the spot with TELNET.

For external queries, I say we've run the audit; for internal ones, they get to watch.

From chaos at chaostrophy.org Sat Jan 5 00:51:38 2002
From: chaos at chaostrophy.org (Ronald Pottol)
Date: 05 Jan 2002 00:51:38 -0800
Subject: a bit of lovely news about spam in California
In-Reply-To: <200201050522.g055MIS30520@betelgeuse.starshine.org>
References: <200201050522.g055MIS30520@betelgeuse.starshine.org>
Message-ID:

> > To that end, I am working on a glimmer of an idea.... :-}
>
> A Nobel Prize in Economics awaits the person who solves this one, IMO. Go
> for it.

The only thing I've thought of is to put the Unabomber on work furlough. Send a few letterbombs out, and get some good press coverage about it, and it might stop, but I'm not sure what less would work.

Ron
--
Ronald Pottol, Unix/Linux/Solaris sysadmin seeks work in Santa Barbara/ San Luis Obispo area, or San Francisco and San Francisco Bay area.
www.chaostrophy.org/resume/ rpottol at chaostrophy.org 415-982-1259

From david at catwhisker.org Sat Jan 5 05:39:15 2002
From: david at catwhisker.org (David Wolfskill)
Date: Sat, 5 Jan 2002 05:39:15 -0800 (PST)
Subject: a bit of lovely news about spam in California
In-Reply-To: <200201050522.g055MIS30520@betelgeuse.starshine.org>
Message-ID: <200201051339.g05DdFn56573@bunrab.catwhisker.org>

>From: Heather
>Date: Fri, 4 Jan 2002 21:22:18 -0800 (PST)

>But while we're on antispam I have an interesting question - what are your
>preferred methods of proving-beyond-shadow-of-a-doubt to Pointy Haired Boss
>types, that a given site is *not* an open relay / spambait? And are your
>answers any dif't for internal "bossberts" vs external troublemakers?

First, I'll admit that for the last (one month shy of) 4 years, I've not really needed to deal with PHBs much, let alone in the context of the posed query. (That's because I've been fortunate enough to support a development group, and nearly everything I do is well below the notice of the PHB types in any case. It helps a great deal that I'm able to "get away with" responding to queries about Microsoft-environment-related things by some variation on "You'll need to talk with the folks who support that, of whom I am not one" or "I could install FreeBSD on the machine, if you like.") Of course, since the company that bought my employer had decided to destroy the organization, that's all coming to an end Real Soon Now.

In any case, it's been long enough ago that I've dealt with PHBs that I have a little trouble visualizing a PHB who would have as much as a faint clue what an "open relay" really is. Thus, to address the question, it would be necessary to discern what the PHB *thinks* an "open relay" (or "spambait") is.

And no, I'm not writing this (just) to be perverse, because:

* I have a little trouble with the implicit "guilty until proven innocent" assumption -- even if we're discussing spammers.

* It's not clear to me that the assertion is actually provable to someone who has sufficient clue (thereby, I presume, excluding a PHB) as to the nature of (E)SMTP conversations.

Now, that last statement may seem a little weird, especially given that I'm not exactly inclined to try to make spammers' lives easier. But consider such things as a site providing secondary MX for another site; this is an (intentional) mail relay. And consider that MX records, like anything else in DNS, are mutable (though it is fairly usual for changes to propagate somewhat irregularly). So you can determine, to some extent, what site(s) a given (other) one relayed for at some point(s) in time, but making the characterization "this site is an open relay" is, while somewhat subjective, a great deal easier than actually proving "this site is not an open relay".

For example, it is possible in principle to set up a mail relay that only acts as an open relay for some select group of spammers. Granted, I think of nothing positive about someone who would do such a thing, but my belief that such a thing is possible colors my perception of your query, and thus, my response(s).

As for the distinction between "internal Bossberts" vs. "external troublemakers," that is something I've rarely dealt with (lucky me). The few times I've dealt with outsiders at all, I merely pointed out the facts. As for insiders, my answers tend toward the category of "if you don't want those answers, don't ask those questions."

Then again, I may be failing to grasp your intent, too.... :-}

Cheers,
david (http://www.catwhisker.org/~david for pointers to my resume)
--
David H. Wolfskill david at catwhisker.org
I believe it would be irresponsible (and thus, unethical) for me to advise, recommend, or support the use of any product that is or depends on any Microsoft product for any purpose other than personal amusement.

From mke at turbolift.com Sat Jan 5 07:59:41 2002
From: mke at turbolift.com (Michael J. Miller Jr.)
Date: Sat, 5 Jan 2002 07:59:41 -0800 (PST)
Subject: a bit of lovely news about spam in California
In-Reply-To:
Message-ID:

On 5 Jan 2002, Ronald Pottol wrote:

> > > To that end, I am working on a glimmer of an idea.... :-}
> >
> > A Nobel Prize in Economics awaits the person who solves this one, IMO. Go
> > for it.

The real world equiv. of SPAM is of course junk mail. The fundamental difference of course is that the post office gets paid to deliver it and makes a tidy profit, thus they don't mind. While on the email side of things the majority of the cost is on the delivery end and nobody gets compensated. This leads to an extreme economic imbalance that benefits the spammer and hurts ISP's and large companies.

One possible solution that occurs to me is to start a second email infrastructure that would eventually replace the first. The new one would have in place mechanisms for limiting or eliminating SPAM. There are ways to do this. Rate limiting outgoing email from users/systems/domains is one possibility. Another is requiring very stringent registration and identity requirements for people/entities allowed to send email on this new system. I'm sure there are many other potential methods that could be put in place if a new infrastructure was put in place. Some of which could be retrofitted on the current system, some of which couldn't...

All very expensive of course. The question is, would this be more expensive than the current and future cost of SPAM? If the answer is yes, then we should all just get used to SPAM and the never ending escalation between spammers and those who try to stop/slow them down. If it isn't more expensive, then what are people waiting for?
:-)

--
Mike Miller mke @ turbolift.com

From david at catwhisker.org Sat Jan 5 09:01:49 2002
From: david at catwhisker.org (David Wolfskill)
Date: Sat, 5 Jan 2002 09:01:49 -0800 (PST)
Subject: a bit of lovely news about spam in California
In-Reply-To:
Message-ID: <200201051701.g05H1nV57052@bunrab.catwhisker.org>

>Date: Sat, 5 Jan 2002 07:59:41 -0800 (PST)
>From: "Michael J. Miller Jr."

>One possible solution that occurs to me is to start a second email
>infrastructure that would eventually replace the first....

>All very expensive of course. The question is, would this be more expensive
>than the current and future cost of SPAM? If the answer is yes, then we
>should all just get used to SPAM and the never ending escalation between
>spammers and those who try to stop/slow them down. If it isn't more expensive,
>then what are people waiting for? :-)

As you know, there are both "one-time" and "ongoing" expenses to most expenditures, and this is a case where the one-time expenses are considerable. (The ongoing ones could be significant, as well, of course.)

It is not clear to me that this is the only way to go. :-}

Cheers,
david
--
David H. Wolfskill david at catwhisker.org
I believe it would be irresponsible (and thus, unethical) for me to advise, recommend, or support the use of any product that is or depends on any Microsoft product for any purpose other than personal amusement.

From mke at turbolift.com Sat Jan 5 09:18:52 2002
From: mke at turbolift.com (Michael J. Miller Jr.)
Date: Sat, 5 Jan 2002 09:18:52 -0800 (PST)
Subject: a bit of lovely news about spam in California
In-Reply-To: <200201051701.g05H1nV57052@bunrab.catwhisker.org>
Message-ID:

On Sat, 5 Jan 2002, David Wolfskill wrote:

> As you know, there are both "one-time" and "ongoing" expenses to most
> expenditures, and this is a case where the one-time expenses are
> considerable. (The ongoing ones could be significant, as well, of
> course.)

True, but I tend to think that a lot of these one time expenses could be mitigated if the new system were set up initially in parallel. Obviously it would take several years before client programs on people's PCs would start to support such a protocol, but we've seen new email technologies such as IMAP slowly make their way out into the "real" world.

> It is not clear to me that this is the only way to go. :-}

Cool. Personally I'm just anxious to see some solutions put in place, and I don't think the current methods being employed are likely to do anything but hold the line at best. Email transport as currently constituted is far too trusting and I'm not sure that the system can be fixed without being replaced.

--
Mike Miller mke @ turbolift.com

From strata at virtual.net Sat Jan 5 10:49:32 2002
From: strata at virtual.net (Strata Rose Chalup)
Date: Sat, 05 Jan 2002 10:49:32 -0800
Subject: a bit of lovely news about spam in California
References:
Message-ID: <3C374ABC.5E2FF9C8@virtual.net>

"Michael J. Miller Jr." wrote:

> The real world equiv. of SPAM is of course junk mail. The fundamental
> difference of course is that the post office gets paid to deliver it and
> makes a tidy profit, thus they don't mind. While on the email side of
> things the majority of the cost is on the delivery end and nobody gets
> compensated. ...

I recently became aware of an annoying "feature" of USMail delivery, namely that one cannot opt out of the neighborhood flyers, catalogs, grocery ads, etc that come in the mailbox almost daily. They are addressed to "resident" at one's address, and the companies that put them together contract directly with the post office for delivery.

I pursued the query up to my local Postmaster (Sunnyvale, main branch) and was told that there is no mechanism whereby one can choose not to receive this material.
It is too much work for the mail delivery workers to keep lists of who is and isn't getting it, and there is no accounting mechanism to reflect that some customers might opt out.

Given that the US Postal Service is busily working on a plan to allow email delivery to US residential addresses, this is a very disturbing precedent. Since physical-world arrangements tend to be translated into online arrangements as part of setting up new kinds of service, I find it very plausible that we could end up with "official" post office spam in our emailboxes down the road.

This is a windmill I have yet to try tilting at, though it's been on my to-do list for a while. I'll be happy to brief any volunteers on the approach I was going to take, if anyone is foolish^H^H^H^H brave enough to step forward. ;-)

cheers,
Strata

--
========================================================================
Strata Rose Chalup [KF6NBZ]                     strata "@" virtual.net
VirtualNet Consulting                          http://www.virtual.net/
** Project Management & Architecture for ISP/ASP Systems Integration **
=========================================================================

From dredd at megacity.org Sat Jan 5 11:32:22 2002
From: dredd at megacity.org (Derek J. Balling)
Date: Sat, 5 Jan 2002 11:32:22 -0800
Subject: a bit of lovely news about spam in California
In-Reply-To: <3C374ABC.5E2FF9C8@virtual.net>
References: <3C374ABC.5E2FF9C8@virtual.net>
Message-ID:

>I recently became aware of an annoying "feature" of USMail delivery,
>namely that one cannot opt out of the neighborhood flyers, catalogs,
>grocery ads, etc that come in the mailbox almost daily. They are
>addressed to "resident" at one's address, and the companies that put
>them together contract directly with the post office for delivery.

Mark it "return to sender" and put it back. Make the post office deliver it twice, once to you, once to them.

Hmm, now that I think of that, I wonder if anyone's done that on a regular basis.
The USPS would have a legal obligation to return it to the sender, but do they actually do that in practice?

>Given that the US Postal Service is busily working on a plan to
>allow email delivery to US residential addresses, this is a very
>disturbing precedent. Since physical-world arrangements tend to
>be translated into online arrangements as part of setting up new
>kinds of service, I find it very plausible that we could end up
>with "official" post office spam in our emailboxes down the road.

Only if your mail server accepts mail from the USPS/E-mail mail server, which I know mine certainly won't. ;)

D

--
+---------------------+-----------------------------------------+
| dredd at megacity.org | "Thou art the ruins of the noblest man  |
| Derek J. Balling    |  That ever lived in the tide of times.  |
|                     |  Woe to the hand that shed this costly  |
|                     |  blood" - Julius Caesar Act 3, Scene 1  |
+---------------------+-----------------------------------------+

From strata at virtual.net Sat Jan 5 11:50:01 2002
From: strata at virtual.net (Strata Rose Chalup)
Date: Sat, 05 Jan 2002 11:50:01 -0800
Subject: a bit of lovely news about spam in California
References: <3C374ABC.5E2FF9C8@virtual.net>
Message-ID: <3C3758E9.D25753EB@virtual.net>

I appreciate the thought, but...

"Derek J. Balling" wrote:

> Mark it "return to sender" and put it back. Make the post office
> deliver it twice, once to you, once to them.

That merely creates an extra obligation on my part, beyond simply recycling it or throwing it away. Also amounts to trying to start a denial-of-service attack on the USPS rather than approaching the problem by lobbying. Not really a solution.

> Only if your mail server accepts mail from the USPS/E-mail mail
> server, which I know mine certainly won't. ;)

If "universal" (I put it in quotes for a reason!) emailboxes for residential addresses, or residents, ever take hold, there are a number of different scenarios which would make USPS E-mail blocking a poor choice.
Two of the most plausible are that other gov't agencies begin to use that delivery method by default in order to realize significant cost savings, and that the USPS contracts out the actual end-delivery to major ISPs. Blocking would probably be against one's own best interests in both those cases. YMMV, of course.

cheers,
Strata

--
========================================================================
Strata Rose Chalup [KF6NBZ]                     strata "@" virtual.net
VirtualNet Consulting                          http://www.virtual.net/
** Project Management & Architecture for ISP/ASP Systems Integration **
=========================================================================

From dredd at megacity.org Sat Jan 5 12:35:00 2002
From: dredd at megacity.org (Derek J. Balling)
Date: Sat, 5 Jan 2002 12:35:00 -0800
Subject: a bit of lovely news about spam in California
In-Reply-To: <3C3758E9.D25753EB@virtual.net>
References: <3C374ABC.5E2FF9C8@virtual.net> <3C3758E9.D25753EB@virtual.net>
Message-ID:

>That merely creates an extra obligation on my part, beyond
>simply recycling it or throwing it away. Also amounts to trying
>to start a denial-of-service attack on the USPS rather than
>approaching the problem by lobbying. Not really a solution.

A DoS?! how is this any more of a DoS than configuring your router to reject packets from $REMOTE_NETWORK instead of simply dropping them?

>If "universal" (I put it in quotes for a reason!) emailboxes for
>residential addresses, or residents, ever take hold, there are a
>number of different scenarios which would make USPS E-mail blocking
>a poor choice. Two of the most plausible are that other gov't
>agencies begin to use that delivery method by default in order to
>realize significant cost savings, and that the USPS contracts out
>the actual end-delivery to major ISPs. Blocking would probably
>be against one's own best interests in both those cases. YMMV,
>of course.

I don't seriously conceive of any USER actually using USPS e-mail addressing.
This is one of those ideas that you'll probably see decline now that the dot-com boom is over. :-) I think it was USPS going "hey, thar's gold in them thar hills!"

D

--
+---------------------+-----------------------------------------+
| dredd at megacity.org | "Thou art the ruins of the noblest man  |
| Derek J. Balling    |  That ever lived in the tide of times.  |
|                     |  Woe to the hand that shed this costly  |
|                     |  blood" - Julius Caesar Act 3, Scene 1  |
+---------------------+-----------------------------------------+

From Carl.Baltrunas at concert.com Mon Jan 7 07:21:45 2002
From: Carl.Baltrunas at concert.com (Baltrunas, Carl (CRTUSW))
Date: Mon, 7 Jan 2002 07:21:45 -0800
Subject: a bit of lovely news about spam in California
Message-ID: <8DDE29B2ED2AAF4CAAA8A3CB5ED767EE330822@sjaexpst01.sanjose-c.concert.com>

[MIME/HTML stuff elided by approver -- dhw]

> I don't seriously conceive of any USER actually using USPS e-mail
> addressing. This is one of those ideas that you'll probably see
> decline now that the dot-com boom is over. :-) I think it was USPS
> going "hey, thar's gold in them thar hills!"

Yes... any USER wouldn't think of doing this, but any member of the direct marketing association (junk mailers :-) would. And yes, the USPS would be obligated to maintain an OPT-OUT list, and YES !!!!! the spammers would have to PAY to use this service.

So, to stop the spammers, all we would need to do is make this service COST, and force all spammers to use this service by LAW.
;-)

-Carl

From strata at virtual.net Mon Jan 7 14:20:54 2002
From: strata at virtual.net (Strata Rose Chalup)
Date: Mon, 07 Jan 2002 14:20:54 -0800
Subject: a bit of lovely news about spam in California
References: <3C374ABC.5E2FF9C8@virtual.net> <3C3758E9.D25753EB@virtual.net>
Message-ID: <3C3A1F46.60631A53@virtual.net>

If your stated goal is gumming up the works at USPS by returning this mail and getting everyone else to return it also, how is this *not* a coordinated multi-source DoS attempt against a service provider with multiple points of presence? Packets or physical letters, the concept is the same.

cheers,
SRC

"Derek J. Balling" wrote:

> A DoS?! how is this any more of a DoS than configuring your router to
> reject packets from $REMOTE_NETWORK instead of simply dropping them?

--
========================================================================
Strata Rose Chalup [KF6NBZ]                     strata "@" virtual.net
VirtualNet Consulting                          http://www.virtual.net/
** Project Management & Architecture for ISP/ASP Systems Integration **
=========================================================================

From dredd at megacity.org Mon Jan 7 15:16:57 2002
From: dredd at megacity.org (Derek J. Balling)
Date: Mon, 7 Jan 2002 15:16:57 -0800
Subject: a bit of lovely news about spam in California
In-Reply-To: <3C3A1F46.60631A53@virtual.net>
References: <3C374ABC.5E2FF9C8@virtual.net> <3C3758E9.D25753EB@virtual.net> <3C3A1F46.60631A53@virtual.net>
Message-ID:

At 2:20 PM -0800 1/7/02, Strata Rose Chalup wrote:
>If your stated goal is gumming up the works at USPS by returning
>this mail and getting everyone else to return it also, how is this
>*not* a coordinated multi-source DoS attempt against a service
>provider with multiple points of presence? Packets or physical
>letters, the concept is the same.

It's called an "autoLART". They LART themselves. The more junk they insist on sending me, the more they get back.
D -- +---------------------+-----------------------------------------+ | dredd at megacity.org | "Thou art the ruins of the noblest man | | Derek J. Balling | That ever lived in the tide of times. | | | Woe to the hand that shed this costly | | | blood" - Julius Caesar Act 3, Scene 1 | +---------------------+-----------------------------------------+ From strata at virtual.net Mon Jan 7 15:40:06 2002 From: strata at virtual.net (Strata Rose Chalup) Date: Mon, 07 Jan 2002 15:40:06 -0800 Subject: a bit of lovely news about spam in California References: <3C374ABC.5E2FF9C8@virtual.net> <3C3758E9.D25753EB@virtual.net> <3C3A1F46.60631A53@virtual.net> Message-ID: <3C3A31D5.FED739FC@virtual.net> Sorry, I think this kind of attitude just adds to the problem. Traffic is traffic. Saying one kind of traffic is "spam" and therefore bad, and the other is "autoLART" and therefore good and/or justified is just moral window dressing on having spam cost 2*X bandwidth instead of just X bandwidth to the net community. Speaking of which, editing headers to remove the extra cc only takes a moment and is much more appreciated than getting two copies. cheers, Strata "Derek J. Balling" wrote: > It's called an "autoLART". They LART themselves. The more junk they > insist on sending me, the more they get back. > > D -- ======================================================================== Strata Rose Chalup [KF6NBZ] strata "@" virtual.net VirtualNet Consulting http://www.virtual.net/ ** Project Management & Architecture for ISP/ASP Systems Integration ** ========================================================================= From wambold at pobox.com Mon Jan 7 16:16:23 2002 From: wambold at pobox.com (Sandra Wambold) Date: Mon, 7 Jan 2002 19:16:23 -0500 (EST) Subject: a bit of lovely news about spam in California In-Reply-To: <3C3A31D5.FED739FC@virtual.net> Message-ID: I think the big problem is that you can't refuse mail -- either to resident or yourself. 
I'm not especially concerned about the postal system...if it starts to cause a problem for the postal system, they'll find a way to surcharge it. -sew From dredd at megacity.org Mon Jan 7 16:27:47 2002 From: dredd at megacity.org (Derek J. Balling) Date: Mon, 7 Jan 2002 16:27:47 -0800 Subject: a bit of lovely news about spam in California In-Reply-To: <3C3A31D5.FED739FC@virtual.net> References: <3C374ABC.5E2FF9C8@virtual.net> <3C3758E9.D25753EB@virtual.net> <3C3A1F46.60631A53@virtual.net> <3C3A31D5.FED739FC@virtual.net> Message-ID: At 3:40 PM -0800 1/7/02, Strata Rose Chalup wrote: >Sorry, I think this kind of attitude just adds to the problem. >Traffic is traffic. Saying one kind of traffic is "spam" and >therefore bad, and the other is "autoLART" and therefore good >and/or justified is just moral window dressing on having spam >cost 2*X bandwidth instead of just X bandwidth to the net >community. Wait... they (the USPS) gets paid by the sender to send me stuff. They don't cut me in for a percentage of the cash. They INSIST that I accept it, don't give me any way of avoiding having my mailbox cluttered with stuff. They (both the USPS and the sender) force ME, the recipient, to pay for its disposal cost (or risk the littering fine if I just drop it on the ground by my mailbox), and you think that sending it back to them as "unwanted" is somehow out of line?! Any way that you cut it, if I accept the junk-mail, I have to incur the cost of disposal. The only way for the recipient NOT to accept the disposal cost is to hand it back to the USPS for disposal. But since they won't "dispose" of junk mail for you, you have to tell them to send it back where it came from. D -- +---------------------+-----------------------------------------+ | dredd at megacity.org | "Thou art the ruins of the noblest man | | Derek J. Balling | That ever lived in the tide of times. 
| | | Woe to the hand that shed this costly |
| | blood" - Julius Caesar Act 3, Scene 1 |
+---------------------+-----------------------------------------+

From chuck+baylisa at snew.com Mon Jan 7 18:02:59 2002
From: chuck+baylisa at snew.com (Chuck Yerkes)
Date: Mon, 7 Jan 2002 18:02:59 -0800
Subject: a bit of lovely news about spam in California
In-Reply-To: ; from dredd@megacity.org on Mon, Jan 07, 2002 at 04:27:47PM -0800
References: <3C374ABC.5E2FF9C8@virtual.net> <3C3758E9.D25753EB@virtual.net> <3C3A1F46.60631A53@virtual.net> <3C3A31D5.FED739FC@virtual.net>
Message-ID: <20020107180259.B13301@snew.com>

It gets better.

I used to have a (fairly small) postal box. I needed a permanent address at the time as I was traveling quite a bit. There were times when it got checked every 3-4 (or 6) weeks.

It would be STUFFED with supermarket flyers and the like. And perhaps 6 letters/bills/important stuff.

Then I got a note from them demanding that I buy a larger box because it was always full.

My first action was to save 3 months of junk, and envelopes from 3 months of useful mail; point out that the useful stuff, that had a NAME on it (not resident) fit in my hand and jacket pocket. The flyers needed a box.

I went into the postmaster's office to get them to stop sending the crap. They wouldn't let me out of junk mail. So my juvenile retaliation was to turn over the box and leave (it was a good box and I had never wanted it).

My more measured action was to toss stacks of the flyers (the trash was full of them) into the office of the supermarket manager.

Frankly, the technique was more useful when my whole neighborhood did that with menus to a nearby Chinese restaurant in NYC.

Quoting Derek J. Balling (dredd at megacity.org):
> At 3:40 PM -0800 1/7/02, Strata Rose Chalup wrote:
> >Sorry, I think this kind of attitude just adds to the problem.
> >Traffic is traffic.
Saying one kind of traffic is "spam" and > >therefore bad, and the other is "autoLART" and therefore good > >and/or justified is just moral window dressing on having spam > >cost 2*X bandwidth instead of just X bandwidth to the net > >community. > > Wait... they (the USPS) gets paid by the sender to send me stuff. > They don't cut me in for a percentage of the cash. They INSIST that I > accept it, don't give me any way of avoiding having my mailbox > cluttered with stuff. They (both the USPS and the sender) force ME, > the recipient, to pay for its disposal cost (or risk the littering > fine if I just drop it on the ground by my mailbox), and you think > that sending it back to them as "unwanted" is somehow out of line?! > > Any way that you cut it, if I accept the junk-mail, I have to incur > the cost of disposal. The only way for the recipient NOT to accept > the disposal cost is to hand it back to the USPS for disposal. But > since they won't "dispose" of junk mail for you, you have to tell > them to send it back where it came from. > > D > > > -- > +---------------------+-----------------------------------------+ > | dredd at megacity.org | "Thou art the ruins of the noblest man | > | Derek J. Balling | That ever lived in the tide of times. | > | | Woe to the hand that shed this costly | > | | blood" - Julius Caesar Act 3, Scene 1 | > +---------------------+-----------------------------------------+ From claw at kanga.nu Mon Jan 7 19:59:32 2002 From: claw at kanga.nu (J C Lawrence) Date: Mon, 07 Jan 2002 19:59:32 -0800 Subject: a bit of lovely news about spam in California In-Reply-To: Message from Strata Rose Chalup of "Mon, 07 Jan 2002 15:40:06 PST." 
<3C3A31D5.FED739FC@virtual.net> References: <3C374ABC.5E2FF9C8@virtual.net> <3C3758E9.D25753EB@virtual.net> <3C3A1F46.60631A53@virtual.net> <3C3A31D5.FED739FC@virtual.net> Message-ID: <28489.1010462372@kanga.nu> On Mon, 07 Jan 2002 15:40:06 -0800 Strata Rose Chalup wrote: > Speaking of which, editing headers to remove the extra cc only > takes a moment and is much more appreciated than getting two > copies. Err, you could also set Reply-To on your list postings and handle the problem terminatedly.. -- J C Lawrence ---------(*) Satan, oscillate my metallic sonatas. claw at kanga.nu He lived as a devil, eh? http://www.kanga.nu/~claw/ Evil is a name of a foeman, as I live. From bill at linuxcare.com Tue Jan 8 06:39:09 2002 From: bill at linuxcare.com (Bill) Date: Tue, 08 Jan 2002 06:39:09 -0800 Subject: a bit of lovely news about spam in California References: <3C374ABC.5E2FF9C8@virtual.net> <3C3758E9.D25753EB@virtual.net> <3C3A1F46.60631A53@virtual.net> <3C3A31D5.FED739FC@virtual.net> Message-ID: <3C3B048D.A58EEF34@linuxcare.com> "Derek J. Balling" wrote: > Any way that you cut it, if I accept the junk-mail, I have to incur > the cost of disposal. The only way for the recipient NOT to accept > the disposal cost is to hand it back to the USPS for disposal. But > since they won't "dispose" of junk mail for you, you have to tell > them to send it back where it came from. I guess I've been lucky to have a PO Box and sort all the junk at the Post Office (trash can), but trust me I've been tempted to place "return to sender" an loop it back into the mailbox. On a side note, I once registered something on the net, I think it was WP for Linux and accidentally hit the "l" in Willliam three times and thought nothing of it after seeing my confirmation. 
It's now a joke of sorts for I can see all the companies that now send me junk mail to "Willliam Schoolcraft".

Since then I've sent in for rebate(s) on computer stuff with variances of my first name and now marvel at the way they sell our identities.

I wish I would have kept an exact tracking of the misspelled first names I've used to trace the sales of my identity.

--
Bill Schoolcraft
Linux/Unix System Engineer
650 Townsend Street
San Francisco, CA 94103
SF (415) 354-4878
http://www.linuxcare.com
"Linux/Unix, A Way Of Life."

From star at betelgeuse.starshine.org Wed Jan 9 16:25:15 2002
From: star at betelgeuse.starshine.org (Heather)
Date: Wed, 9 Jan 2002 16:25:15 -0800 (PST)
Subject: a bit of lovely news about spam in California
In-Reply-To: <3C374ABC.5E2FF9C8@virtual.net> from Strata Rose Chalup at "Jan 5, 2002 10:49:32 am"
Message-ID: <200201100025.g0A0PFc23292@betelgeuse.starshine.org>

> "Michael J. Miller Jr." wrote:
>
> > The real world equiv. of SPAM is of course junk mail. The fundamental
> > difference of course is that the post office gets paid to deliver it and
> > makes a tidy profit, thus they don't mind. While on the email side of
> > things the majority of the cost is on the delivery end and nobody gets
> > compensated.
...
>
> I recently became aware of an annoying "feature" of USMail delivery,
> namely that one cannot opt out of the neighborhood flyers, catalogs,
> grocery ads, etc that come in the mailbox almost daily. They are
> addressed to "resident" at one's address, and the companies that put
> them together contract directly with the post office for delivery.

It'd be nice to see a plan which clarifies that -nobody- "resides" at a PO Box itself, nor "occupies" it -- I imagine little dollhouse furniture carefully arranged to dodge the letter path, urgh -- so mail to "resident" and "occupant" should not be accepted at PO Boxes proper.

But it would have to be legislated, so I don't see it happening soon.
> I pursued the query up to my local Postmaster (Sunnyvale, main branch) > and was told that there is no mechanism whereby one can choose not to > receive this material. It is too much work for the mail delivery > workers to keep lists of who is and isn't getting it, and there is no > accounting mechanism to reflect that some customers might opt out. I think my description, while not nailing -all- snail-spam, would clobber a fair chunk of it. > Given that the US Postal Service is busily working on a plan to > allow email delivery to US residential addresses, this is a very > disturbing precedent. Since physical-world arrangements tend to > be translated into online arrangements as part of setting up new > kinds of service, I find it very plausible that we could end up > with "official" post office spam in our emailboxes down the road. We still get the home court advantage, when we can use milters and the like to turn it away at the SMTP gate. The analogy would be like just happening to open your box at the moment your friendly post-office man is about to slip mail in. "No occupant or resident mail please" "okay" he says. If you're lucky. > This is a windmill I have yet to try tilting at, though it's been > on my to-do list for a while. I'll be happy to brief any volunteers > on the approach I was going to take, if anyone is foolish^H^H^H^H > brave enough to step forward. ;-) > > cheers, > Strata I do know of some companies offering PMB arrangements where they accept all mail, and if you pay extra + provide a waiver, they'll follow your instructions for snail-mail-filtering. Obviously the fee+waiver is a CYA against the feds claiming they are messing with mail... you're designating them your recipient, then enforcing a contract about what mail -should- be passed along to you. 
-* Heather Stern * Arch (secretary) BayLISA Board * http://www.baylisa.org/ *-

From david at catwhisker.org Fri Jan 11 08:03:53 2002
From: david at catwhisker.org (David Wolfskill)
Date: Fri, 11 Jan 2002 08:03:53 -0800 (PST)
Subject: What to do when mail to a netblock coordinator bounces....
Message-ID: <200201111603.g0BG3rE43612@bunrab.catwhisker.org>

Yesterday morning, as I was reviewing the mail from the preceding night, I noticed that someone tried (once) to contact an SSH server on my mother's (grandfathered static) DSL installation. (It happens that there is an SSH server, but I block access to it from nearly all IP addresses; I don't see any point in increasing exposure.)

Now, this isn't all that rare an occurrence: we're all human, and all make mistakes from time to time (and I fully expect to live long enough to make a few more). But there was a moderately-recent exploit re: SSH, and I expect that there are still some twits with nothing better to do than try to cause trouble for others.

What got my attention, though, was that this also happened for my firewall (also a grandfathered static DSL), from the same IP address.

So... accidents happen, sure, but the coincidence (within a rather short timeframe) seemed to me to be unlikely to be accidental.

The IP address didn't (reverse-)resolve, so I queried WHOIS re: the netblock. Turns out it's a class B, assigned to an academic institution over in the UK.

So I figured that someone might need a bit more homework... or that a box on that net had been cracked... or some such thing -- in any case, that it might be a Good Idea to mention this to someone who might be in a position to do something arguably constructive about the situation. After all, when I have been in such situations myself, I have appreciated it when someone let me know about such things (in a civil way, of course).
So I put together a little note, explaining what I had seen, copying the log entries, pointing out that there was no evidence of damage or actual intrusion in this case, but that the pattern seemed a tad suspicious.

I got a bounce-o-gram for my trouble.

OK, OK; this isn't all that big a deal, right? Folks let WHOIS entries lapse routinely. And were the present situation something that seemed to warrant it, I suppose I could try calling (much as I dislike using telephones). But this was certainly not an emergency.

As I write this, it occurred to me that I probably should have run a traceroute, and tried to contact whatever site provides the connectivity to the class B (OK, OK -- /16) in question. It turns out that I did something else... but before I mention it, I'll ask my colleagues on the list for suggestions.

Thoughts?

Thanks,
david
--
David H. Wolfskill david at catwhisker.org
I believe it would be irresponsible (and thus, unethical) for me to advise, recommend, or support the use of any product that is or depends on any Microsoft product for any purpose other than personal amusement.

From wolfgang+gnus20020111T100313 at wsrcc.com Fri Jan 11 11:02:32 2002
From: wolfgang+gnus20020111T100313 at wsrcc.com (Wolfgang Rupprecht)
Date: 11 Jan 2002 11:02:32 -0800
Subject: What to do when mail to a netblock coordinator bounces....
References: <200201111603.g0BG3rE43612@bunrab.catwhisker.org>
Message-ID:

david at catwhisker.org (David Wolfskill) writes:
> Yesterday morning, as I was reviewing the mail from the preceding night,
> I noticed that someone tried (once) to contact an SSH server on my
> mother's (grandfathered static) DSL installation. (It happens that there
> is an SSH server, but I block access to it from nearly all IP addresses;
> I don't see any point in increasing exposure.)

One thing to remember is that if the intrusion log comes from a firewall logfile where the firewall blocked the first SYN packet then you may not have a truthful IP address to work with. Some of the script-kiddie programs will allow a list of *source* IP's to be specified. Clearly they won't get a reply back for any probe that doesn't have an IP which routes to them, but burying their real probe in a flurry of forged-IP probes will create a real mess for the admins that are trying to unravel the attack.

Forged source-IP packets like this can also be used for pranks, ("Why is www.cert.org trying to connect to tcp/23 ?")

To get stronger proof of the IP that the attacks are coming from, you really want to establish a full-duplex communication with the attacker. While even then it is sometimes possible for them to simulate a full-duplex connection, it is not very easy since they would have to predict what you are going to send and pretend that they got it. If the attack is on a tcp port, the TCP-ISN-randomization done in modern kernel is pretty darn hard to guess at correctly.

The simplest way to force a full-duplex communication for tcp ports is to have inetd start a "hello world" type program that outputs a line or two of information and then closes the TCP connection. By the time inetd spawns your program TCP has already gone through the 3-way handshake (syn, syn-ack, ack). Just to add frosting to the cake, the program can also optionally log the IP and even rebuild the firewall block list after adding this IP address.

If the attacker is at all clever then the attack is going to come from a compromised machine (open socks proxy, remote-root bug, snooped password etc). Alerting the remote org's admin would be the friendly thing to do. If the IP that the attacks are coming from reverse maps I'll send a message to abuse at their.domain . I have just recently started doing "jwhois ip-address" lookups.
The ARIN's whois now does the correct CIDR-type lookup and will give you the nested info. Of course if that info is wrong, we are back to your real question, and I'm not sure I'd do more than just block the IP and move on.

-wolfgang
--
Wolfgang Rupprecht http://www.wsrcc.com/wolfgang/
Coming soon: GPS mapping tools for Open Systems. http://www.gnomad-mapping.com/

From star at betelgeuse.starshine.org Sat Jan 12 00:02:29 2002
From: star at betelgeuse.starshine.org (Heather)
Date: Sat, 12 Jan 2002 00:02:29 -0800 (PST)
Subject: What to do when mail to a netblock coordinator bounces....
In-Reply-To: from Wolfgang Rupprecht at "Jan 11, 2002 11:02:32 am"
Message-ID: <200201120802.g0C82TR06462@betelgeuse.starshine.org>

>
> david at catwhisker.org (David Wolfskill) writes:
> > Yesterday morning, as I was reviewing the mail from the preceding night,
> > I noticed that someone tried (once) to contact an SSH server on my
> > mother's (grandfathered static) DSL installation. (It happens that there
> > is an SSH server, but I block access to it from nearly all IP addresses;
> > I don't see any point in increasing exposure.)
>
> One thing to remember is that if the intrusion log comes from a
> firewall logfile where the firewall blocked the first SYN packet then
> you may not have a truthful IP address to work with. Some of the
> script-kiddie programs will allow a list of *source* IP's to be
> specified. Clearly they won't get a reply back for any probe that
> doesn't have an IP which routes to them, but burying their real probe
> in a flurry of forged-IP probes will create a real mess for the admins
> that are trying to unravel the attack.
>
> Forged source-IP packets like this can also be used for pranks, ("Why
> is www.cert.org trying to connect to tcp/23 ?")
>
> To get stronger proof of the IP that the attacks are coming from, you
> really want to establish a full-duplex communication with the
> attacker.
While even then it is sometimes possible for them to
> simulate a full-duplex connection, it is not very easy since they
> would have to predict what you are going to send and pretend that they
> got it. If the attack is on a tcp port, the TCP-ISN-randomization
> done in modern kernel is pretty darn hard to guess at correctly.
>
> The simplest way to force a full-duplex communication for tcp ports is
> to have inetd start a "hello world" type program that outputs a line
> or two of information and then closes the TCP connection. By the time
> inetd spawns your program TCP has already gone through the 3-way
> handshake (syn, syn-ack, ack). Just to add frosting to the cake, the
> program can also optionally log the IP and even rebuild the firewall
> block list after adding this IP address.

Interesting you should mention that; a long while back the Linux Gazette Answer Gang had a thread about answering the telnet port with an ascii art banner "GO AWAY." It was rather cute :) (If it were *me* I would have used "TRY SSH." but it wasn't, and the thread was mostly answered before I got to it.)

What they were actually asking for help about, was making sure the whole banner was sent, without turning the beastie into something that might have to make decisions and lead to security holes too. I seem to recall a brief sleep interval was considered sufficient.

And if your firewall logs completed connections as the handshake settles in, that should keep it from having to write anything.

> If the attacker is at all clever then the attack is going to come from
> a compromised machine (open socks proxy, remote-root bug, snooped
> password etc). Alerting the remote org's admin would be the friendly
> thing to do. If the IP that the attacks are coming from reverse maps
> I'll send a message to abuse at their.domain . I have just recently
> started doing "jwhois ip-address" lookups. The ARIN's whois now does
> the correct CIDR-type lookup and will give you the nested info.
Of
> course if that info is wrong, we are back to your real question, and
> I'm not sure I'd do more than just block the IP and move on.
>
> -wolfgang

If the ownership data is wrong that high up, it might have had a hole for quite a while, but who would be the recipient of the bad news?

From dredd at megacity.org Sat Jan 12 01:23:09 2002
From: dredd at megacity.org (Derek J. Balling)
Date: Sat, 12 Jan 2002 01:23:09 -0800
Subject: What to do when mail to a netblock coordinator bounces....
In-Reply-To: <200201111603.g0BG3rE43612@bunrab.catwhisker.org>
References: <200201111603.g0BG3rE43612@bunrab.catwhisker.org>
Message-ID:

>So I put together a little note, explaining what I had seen, copying the
>log entries, pointing out that there was no evidence of damage or actual
>intrusion in this case, but that the pattern seemed a tad suspicious.
>
>I got a bounce-o-gram for my trouble.
>
>OK, OK; this isn't all that big a deal, right? Folks let WHOIS entries
>lapse routinely. And were the present situation something that seemed to
>warrant it, I suppose I could try calling (much as I dislike using
>telephones). But this was certainly not an emergency.
>
>As I write this, it occurred to me that I probably should have run a
>traceroute, and tried to contact whatever site provides the connectivity
>to the class B (OK, OK -- /16) in question. It turns out that I did
>something else... but before I mention it, I'll ask my colleagues on the
>list for suggestions.
>
>Thoughts?

ipwhois.rfc-ignorant.org zone is your friend. :)

www.rfc-ignorant.org for more info, but we wield a stick which some people help us swing (by blacklisting mail/etc. from those networks) and occasionally they catch a ticket on the cluetrain and fix them. :)

D

--
+---------------------+-----------------------------------------+
| dredd at megacity.org | "Thou art the ruins of the noblest man |
| Derek J. Balling | That ever lived in the tide of times.
| | | Woe to the hand that shed this costly |
| | blood" - Julius Caesar Act 3, Scene 1 |
+---------------------+-----------------------------------------+

From claw at kanga.nu Sat Jan 12 01:30:45 2002
From: claw at kanga.nu (J C Lawrence)
Date: Sat, 12 Jan 2002 01:30:45 -0800
Subject: Spam and baylisa-jobs -- once more, with feeling
In-Reply-To: Message from Heather of "Sat, 12 Jan 2002 00:20:14 PST." <200201120820.g0C8KF206851@betelgeuse.starshine.org>
References: <200201120820.g0C8KF206851@betelgeuse.starshine.org>
Message-ID: <849.1010827845@kanga.nu>

On Sat, 12 Jan 2002 00:20:14 -0800 (PST) star wrote:

> thought #2:
> split into sublists -joboffers and -jobswanted, hiring types recv
> the wanteds, and wanteds members recv the offers? With perhaps,
> that offers people can't unsub for N days? Or possibly, can't
> unsub without permission?

> Unfortunately it doesn't let -wanteds people help each other very
> well. Probably wanteds should recv all postings, and offers folks
> recv only wanteds.

There are three distinct needs:

1) Members want to be employed.

2) Members can cooperate in becoming employed.

3) Employers and agencies want to fill positions.

BayLISA is really only interested in the first two, and the third only to the extent that it services #1.

A standard list server configuration is for all new members to have a probation period during which all their posts are vetted by the moderator. This is typically expressed in terms of number of approved posts and seems an ideal approach for BayLISA in this case.

Much in line with your suggestion, create _three_ lists:

1) Jobs-offers. Employers and agencies posting jobs. First 5 posts require moderator approval. Posters are requested to not post the same position more than once a fortnight. All posts are required to have a From: address from a real live responsive human (eg no resumes at foo.dom). Abusers will be slapped and may be removed from the list.

2) Jobs-wanted.
Members may post resumes, and are requested to not post them more than once a week, and to post no more than two variations of their resume within a given week. First 2 posts are moderated. The list should be configured to insert a Reply-To of the poster's address (may be anonymised ala craigslist). 3) Jobs-discuss. First 3 posts require moderator approval. Employers/HR/Agencies may not post jobs to this list except as part of further any discussion. Abuse will result in being banned from all lists. Members may network, and may discuss positions they know of. All lists accept posts from members only. Jobs-offers will be the noisy one, and the source of pain. Sorry. Part of the territory. Jobs-wanted should pretty well run itself. Jobs-discuss should mostly run itself until rogue agencies try and creep in, but they should be fairly easy to detect and slap down within the 3 post moderation period. ObNote: Mailman 2.1 (currently in Alpha) can support exactly this sort of list configuration. ObDisclosure: I like, run, and contribute time and code to Mailman. -- J C Lawrence ---------(*) Satan, oscillate my metallic sonatas. claw at kanga.nu He lived as a devil, eh? http://www.kanga.nu/~claw/ Evil is a name of a foeman, as I live. From strata at virtual.net Mon Jan 14 00:16:21 2002 From: strata at virtual.net (Strata Rose Chalup) Date: Mon, 14 Jan 2002 00:16:21 -0800 Subject: spam increase: fivefold, according to Brightmail Message-ID: <3C4293D5.C66E52C5@virtual.net> With some of the recent discussions, I found this interesting: "Brightmail, a San Francisco company that sells spam-catching software, says there has been a five-fold increase in the volume of spam in the past 18 months." 
Excerpt from an article about Bennet Haselton pursuing small-claims judgements on spammers under the WA law: http://seattletimes.nwsource.com/html/localnews/134390118_spam12m.html -- ======================================================================== Strata Rose Chalup [KF6NBZ] strata "@" virtual.net VirtualNet Consulting http://www.virtual.net/ ** Project Management & Architecture for ISP/ASP Systems Integration ** ========================================================================= From david at weekly.org Mon Jan 14 09:09:23 2002 From: david at weekly.org (David E. Weekly) Date: Mon, 14 Jan 2002 09:09:23 -0800 Subject: spam increase: fivefold, according to Brightmail References: <3C4293D5.C66E52C5@virtual.net> Message-ID: <007d01c19d1e$36db3580$0201000a@speakeasy.net> Interestingly enough, the *majority* of spam mail I receive is in Chinese. I'm not Chinese myself, nor have I visited Chinese sites, so I don't think I've been specially selected or anything. Has anyone else also seen this? It's to the point where I just delete all non-Roman-character email now. ~10-20 Chinese messages a day, maybe more. -david ----- Original Message ----- From: Strata Rose Chalup To: Sent: Monday, January 14, 2002 12:16 AM Subject: spam increase: fivefold, according to Brightmail > > With some of the recent discussions, I found this interesting: > > "Brightmail, a San Francisco company that sells spam-catching software, > says there has been a five-fold increase in the volume of spam in the > past 18 months." 
> > Excerpt from an article about Bennet Haselton pursuing small-claims > judgements on spammers under the WA law: > > http://seattletimes.nwsource.com/html/localnews/134390118_spam12m.html > > -- > ======================================================================== > Strata Rose Chalup [KF6NBZ] strata "@" virtual.net > VirtualNet Consulting http://www.virtual.net/ > ** Project Management & Architecture for ISP/ASP Systems Integration ** > ========================================================================= > From star at betelgeuse.starshine.org Mon Jan 14 23:25:49 2002 From: star at betelgeuse.starshine.org (Heather) Date: Mon, 14 Jan 2002 23:25:49 -0800 (PST) Subject: BayLISA meets Thurs, 7:30 pm Message-ID: <200201150725.g0F7PnU18823@betelgeuse.starshine.org> Hello everybody, just figured it'd be worth reminding you that the BayLISA meeting is later this week. So if you're interested in the topic, "New Technologies for Network Monitoring", from a programmer who has some experience in that regard, join us and maybe bring a few colleagues along to see Vicka Corey. We're at the usual place, Incyte Genomics HQ: http://www.baylisa.org/locations/current.html And the usual time: 7:30 pm to 9ish, maybe 10 pm Don't forget you can buy as many pint glasses or black t-shirts as you want, we have all the pens your cube-mates can steal (for free), and corporate sponsors get to display their banners on our website as well as a big Thank You! at the mike. -* Heather Stern * Arch (secretary) BayLISA Board * http://www.baylisa.org/ *- From strata at virtual.net Tue Jan 15 16:01:24 2002 From: strata at virtual.net (Strata Rose Chalup) Date: Tue, 15 Jan 2002 16:01:24 -0800 Subject: You couldn't pay someone to think of these things! Message-ID: <3C44C2D4.AC3940CB@virtual.net> Isn't spontaneity wonderful? ]From the Scott McNealy profile (http://news.com): ``But if CEO Scott McNealy is troubled, he's not letting on. 
In a recent interview with CNET News.com, the 47-year-old co-founder exuded his trademark cockiness. "We're not in a hole. A lot of companies would love to be in our hole," he said.''

--
========================================================================
Strata Rose Chalup [KF6NBZ] strata "@" virtual.net
VirtualNet Consulting http://www.virtual.net/
** Project Management & Architecture for ISP/ASP Systems Integration **
=========================================================================

From dannyman at toldme.com Wed Jan 16 20:16:14 2002
From: dannyman at toldme.com (Danny Howard)
Date: Wed, 16 Jan 2002 20:16:14 -0800
Subject: spam increase: fivefold, according to Brightmail
In-Reply-To: <007d01c19d1e$36db3580$0201000a@speakeasy.net>; from david@weekly.org on Mon, Jan 14, 2002 at 09:09:23AM -0800
References: <3C4293D5.C66E52C5@virtual.net> <007d01c19d1e$36db3580$0201000a@speakeasy.net>
Message-ID: <20020116201614.R17573@pianosa.catch22.org>

On Mon, Jan 14, 2002 at 09:09:23AM -0800, David E. Weekly wrote:
> Interestingly enough, the *majority* of spam mail I receive is in Chinese.
> I'm not Chinese myself, nor have I visited Chinese sites, so I don't think
> I've been specially selected or anything.
>
> Has anyone else also seen this? It's to the point where I just delete all
> non-Roman-character email now. ~10-20 Chinese messages a day, maybe more.

I get plenty more ASCII than otherwise.

The other day I was thinking it'd be neat to pass a law providing for 1 year in jail, and/or $100,000 fine for anyone convicted of sending UCE. The idea is someone might get parole, but have to sheepishly admit to their "business associate" that they can't actually send or receive e-mail for the next n months as a term of their parole.

Ahhh, such lovely dreams I have. I'm not talking about IMPLEMENTATION, so don't try to debate me, it's just that "I have a dream" ...

Uhmmm, back to your own manual mail-filtering, now.
:)

-danny

--
http://dannyman.toldme.com/

From qkstart at ix.netcom.com Wed Jan 16 21:38:04 2002
From: qkstart at ix.netcom.com (David Dull)
Date: Wed, 16 Jan 2002 21:38:04 -0800
Subject: spam increase: fivefold, according to Brightmail
Message-ID: <004f01c19f19$2364ec60$1dd2efd1@qkstart>

I find that incoming spam is closely related to registration on web sites.
I was taken aback, however, when I installed Yahoo! Messenger, and a couple
of days later found an ad messaged to me when I fired it up! The spammers
are keeping up with the technology.

--David R. Dull
ddull at ieee.org
http://home.netcom.com/~qkstart

From star at betelgeuse.starshine.org Thu Jan 17 13:37:56 2002
From: star at betelgeuse.starshine.org (Heather)
Date: Thu, 17 Jan 2002 13:37:56 -0800 (PST)
Subject: BayLISA meets tonight, 7:30 pm
Message-ID: <200201172137.g0HLbuc30119@betelgeuse.starshine.org>

Figured that some folks might want a heads-up! If you're interested in
new network monitoring methods don't miss Vicka speaking tonight

... for those who let their boxes pile up, "tonight" is Thursday,
January 17th and it's about 1:30 pm right now...

Anyways, *I* plan to be there :D

... there = Incyte Genomics HQ in Palo Alto,
see http://www.baylisa.org/locations/current.html for details.

  . | .   Heather Stern | star at starshine.org
--->*<--- Starshine Technical Services - * - consulting at starshine.org
  ' | `   Sysadmin Support and Training | (800) 938-4078

From ann at usenix.org Tue Jan 22 13:48:33 2002
From: ann at usenix.org (Ann Tsai)
Date: Tue, 22 Jan 2002 13:48:33 -0800
Subject: LISA 2001: Conference Highlights Video Package -- NOW AVAILABLE!
Message-ID:

ATTN: Bay LISA

LISA 2001: Conference Highlights Video Package -- NOW AVAILABLE!

USENIX has teamed up with Dr. Dobb's to offer you this exclusive
opportunity to view more than 13 hours of conference sessions taped from
this year's 15th Systems Administration Conference (LISA) held in
San Diego, Dec. 2-7, 2001.
FEATURED TALKS INCLUDE:

Greg Bear, multiple-Hugo and Nebula winner, best-selling author of Eon,
Slant and Darwin's Radio
"Slime vs. Silicon--Life's a Bitch, But Would You Want to Be a Computer?"

Avi Rubin, AT&T Research security guru
"Secure E-Voting"

Peter Salus, Unix, Internet historian and author
"2001: A Communications Anniversary"

Take advantage of this unique learning opportunity today!
http://www.technetcast.com/usenix/lisa2001/

--

From strata at virtual.net Tue Jan 22 14:30:26 2002
From: strata at virtual.net (Strata Rose Chalup)
Date: Tue, 22 Jan 2002 14:30:26 -0800
Subject: slides available from January meeting
Message-ID: <3C4DE802.E3D80EA4@virtual.net>

Hi folks,

I just posted the slides from last month's meeting. You can access them
from the Past Events library:

http://www.baylisa.org/events/past/

For those folks who didn't manage to snag one of the whitepaper copies,
Vicka sent me the URL:

http://www.sandstorm.net/products/netintercept/niwhitepaper.pdf

enjoy,
Strata

--
========================================================================
Strata Rose Chalup [KF6NBZ] strata "@" virtual.net
VirtualNet Consulting http://www.virtual.net/
** Project Management & Architecture for ISP/ASP Systems Integration **
=========================================================================