North American Network Operators Group

Re: duplicate emails?

It has been pointed out to me that other people aren't seeing the dups, that
these are being resent directly to my address and that it's a MIL host doing
it.

Perhaps I dropped phrases about terrorism or porn into my posts and I'm now
being targeted by Echelon ;-O

Steve (hiding in basement under foil blanket)

On Tue, 29 Jun 2004, Stephen J. Wilcox wrote:

> This host appears to be resending nanog posts? :
>
> Received: from e500smtp01.nga.mil(164.214.6.120) by relay5.nga.mil via smap
>   (V5.5) id xma020150; Tue, 29 Jun 04 10:25:13 -0400
>
> Originally received yesterday sometime...
>
> ---------- Forwarded message ----------
> Return-path: <[email protected]>
> Envelope-to: [email protected]
> Delivery-date: Tue, 29 Jun 2004 14:25:46 +0000
> Received: from exim by mx-0.telecomplete.net with spam-scanned (Exim 4.22)
>   id 1BfJYP-00065u-Li
>   for [email protected]; Tue, 29 Jun 2004 14:25:46 +0000
> Received: from exim by mx-0.telecomplete.net with scanned-ok (Exim 4.22)
>   id 1BfJYP-00065h-1o
>   for [email protected]; Tue, 29 Jun 2004 14:25:45 +0000
> Received: from relay5.nga.mil ([164.214.4.61])
>   by mx-0.telecomplete.net with esmtp (Exim 4.22)
>   id 1BfJYO-00065C-6w
>   for [email protected]; Tue, 29 Jun 2004 14:25:44 +0000
> Received: by relay5.nga.mil; id KAA20159; Tue, 29 Jun 2004 10:25:38 -0400 (EDT)
> Received: from e500smtp01.nga.mil(164.214.6.120) by relay5.nga.mil via smap
>   (V5.5)
>   id xma020150; Tue, 29 Jun 04 10:25:13 -0400
> Received: from relay2.nga.mil(164.214.6.52) by e1000smtp2.nima.mil via
>   csmap
>   id 78e94c8c_c949_11d8_9cac_0002b3c81b76_16242;
>   Mon, 28 Jun 2004 17:24:00 -0400 (EDT)
> Received: by relay2.nga.mil; id RAA13558; Mon, 28 Jun 2004 17:22:36 -0400 (EDT)
> Received: from trapdoor.merit.edu(198.108.1.26) by relay2.nga.mil via smap
>   (V5.5)
>   id xma010754; Mon, 28 Jun 04 17:14:29 -0400
> Received: by trapdoor.merit.edu (Postfix)
>   id 6C1A091277; Mon, 28 Jun 2004 17:12:33 -0400 (EDT)
> Delivered-To: [email protected]
> Received: by trapdoor.merit.edu (Postfix, from userid 56)
>   id 3590491285; Mon, 28 Jun 2004 17:12:33 -0400 (EDT)
> Delivered-To: [email protected]
> Received: from segue.merit.edu (segue.merit.edu [198.108.1.41])
>   by trapdoor.merit.edu (Postfix) with ESMTP id 2AB5D91277
>   for <[email protected]>; Mon, 28 Jun 2004 17:12:26 -0400 (EDT)
> Received: by segue.merit.edu (Postfix)
>   id 568C759D1B; Mon, 28 Jun 2004 17:12:26 -0400 (EDT)
> Delivered-To: [email protected]
> Received: from uswgco34.uswest.com (uswgco34.uswest.com [199.168.32.123])
>   by segue.merit.edu (Postfix) with ESMTP id 21E1559C56
>   for <[email protected]>; Mon, 28 Jun 2004 17:12:26 -0400 (EDT)
> Received: from egate-ne2.uswc.uswest.com (egate-ne2.uswc.uswest.com
>   [151.117.64.200])
>   by uswgco34.uswest.com (8/8) with ESMTP id i5SLCLSu006141;
>   Mon, 28 Jun 2004 15:12:21 -0600 (MDT)
> Received: from ITDENE2KSM02.AD.QINTRA.COM (localhost [127.0.0.1])
>   by egate-ne2.uswc.uswest.com (8.12.10/8.12.10) with ESMTP id
>   i5SLCKCx008243;
>   Mon, 28 Jun 2004 16:12:20 -0500 (CDT)
> Received: from itdene2km08.AD.QINTRA.COM ([10.1.4.107]) by
>   ITDENE2KSM02.AD.QINTRA.COM with Microsoft SMTPSVC(5.0.2195.5329);
>   Mon, 28 Jun 2004 15:12:20 -0600
> X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0
> Content-class: urn:content-classes:message
> MIME-Version: 1.0
> Content-Type: text/plain;
>   charset="us-ascii"
> Content-Transfer-Encoding: quoted-printable
> Subject: RE: BGP list of phishing sites?
> Date: Mon, 28 Jun 2004 15:12:12 -0600
> Message-ID: <[email protected]>
> Thread-Topic: BGP list of phishing sites?
> Thread-Index: AcRdUpLPcFNCkm3pQvC9Iiw2DaWELgAAelTA
> From: "Smith, Donald" <[email protected]>
> To: "Stephen J. Wilcox" <[email protected]>
> Cc: "Scott Call" <[email protected]>, <[email protected]>
> X-OriginalArrivalTime: 28 Jun 2004 21:12:20.0544 (UTC)
>   FILETIME=[9965D400:01C45D54]
> Sender: [email protected]
> Precedence: bulk
> Errors-To: [email protected]
> X-Loop: nanog
> X-Virus-Scanned: by Telecomplete
> X-Spam-Checker-Version: Telecomplete
> X-Spam-Level:
> X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00=-4.9 autolearn=no
>
>
> I agree phishing bgp feed would disrupt the ip address
> to all ISP's that listened to the bgp server involved.
> I was addressing a specific issue with listening to such
> a server and that is the loss of control issue. Sorry if that wasn't
> clear.
>
> So would ISP's block a phishing site if it was proven
> to be a phishing site and reported by their customers?
>
>
> [email protected] GCIA
> pgpFingerPrint:9CE4 227B B9B3 601F B500 D076 43F1 0767 AF00 EDCC
> Brian Kernighan jokingly named it the Uniplexed Information and
> Computing System (UNICS) as a pun on MULTICS.
>
> > -----Original Message-----
> > From: Stephen J. Wilcox [mailto:[email protected]]
> > Sent: Monday, June 28, 2004 2:58 PM
> > To: Smith, Donald
> > Cc: Scott Call; [email protected]
> > Subject: RE: BGP list of phishing sites?
> >
> >
> > Hi Donald,
> > the bogon feed is not supposed to be causing any form of disruption,
> > the purpose of a phishing bgp feed is to disrupt the IP address..
> > that's a major difference and has a lot of implications.
> >
> > Steve
> >
> > On Mon, 28 Jun 2004, Smith, Donald wrote:
> >
> > > Some are making this too hard.
> > > Of the lists I know of they only blackhole KNOWN active attacking or
> > > victim sites (bot controllers, known malware download locations etc)
> > > not porn/kiddie porn/pr/choose-who-you-hate-sites ... clients
> > > (infected pc's) are usually not included but could make it on the
> > > list given enough attacks.
> > > It does mean giving up some control of your network which may not be
> > > acceptable to some ISP's.
> > > It's not much different than listening to an automated bogon feed.
> > >
> > >
> > > [email protected] GCIA
> > > pgpFingerPrint:9CE4 227B B9B3 601F B500 D076 43F1 0767 AF00 EDCC
> > > Brian Kernighan jokingly named it the Uniplexed Information and
> > > Computing System (UNICS) as a pun on MULTICS.
> > >
> > > > -----Original Message-----
> > > > From: [email protected] [mailto:[email protected]] On
> > > > Behalf Of Stephen J. Wilcox
> > > > Sent: Monday, June 28, 2004 11:56 AM
> > > > To: Scott Call
> > > > Cc: [email protected]
> > > > Subject: Re: BGP list of phishing sites?
> > > >
> > > >
> > > >
> > > > On Sun, 27 Jun 2004, Scott Call wrote:
> > > >
> > > > > One of the things the article mentioned is that ISP/NSPs are
> > > > > shutting off access to the web site in russia where the malware
> > > > > is being downloaded from.
> > > > >
> > > > > Now we've done this in the past when a known target of a DDOS was
> > > > > upcoming or a known website hosted part of a malware package, and
> > > > > it is fairly effective in stopping the problems.
> > > > >
> > > > > So what I was curious about is would there be interest in a BGP
> > > > > feed (like the DNSBLs used to be) to null route known malicious
> > > > > sites like that?
> > > > >
> > > > > Obviously, both operational guidelines, and trust of the operator
> > > > > would have to be established, but I was thinking it might be
> > > > > useful for a few purposes:
> > > > >
> > > > > 1> IP addresses of well known sources of malicious code (like in
> > > > >    the example above)
> > > > > 2> DDOS mitigation (ISP/NSP can request a null route of a prefix
> > > > >    which will save the "Internet at large" as well as the NSP from
> > > > >    the traffic flood
> > > > > 3> etc
> > > > >
> > > > > Since the purpose of this list would be to identify and mitigate
> > > > > large scale threats, things like spammers, etc would be outside
> > > > > of its charter.
> > > > >
> > > > > If anyone thinks this is a good (or bad) idea, please let me know.
> > > > > Obviously it's not fully cooked yet, but I wanted to throw it out
> > > > > there.
> > > >
> > > > Personally - bad.
> > > >
> > > > So what do you want to include in this list.. phishing? But why not
> > > > add bot C&C, bot clients, spam sources, child porn, warez sites. Or
> > > > if you live in a censored region add foreign political sites, any
> > > > porn, or other messages deemed bad.
> > > >
> > > > Who maintains the feed, who checks the sites before adding them,
> > > > who checks them before removing them.
> > > >
> > > > What if the URL is a subdir of a major website such as aol.com or
> > > > ebay.com or angelfire.com ... what if the URL is a subdir of a
> > > > minor site, such as yours or mine?
> > > >
> > > > What if there is some other dispute over a null'ed IP, suppose they
> > > > win, can they be compensated?
> > > >
> > > > Does this mean the banks and folks don't have to continue to remove
> > > > these threats now if the ISP does it? Does it mean the bank can sue
> > > > you if you fail to do it?
> > > >
> > > > What if you leak the feed at your borders, I may not want to take
> > > > this from you and now I'm accidentally null routing it to you.
> > > > Should you leak this to downstream ASNs? Should you insist your
> > > > Tier1 provides it and leaks it to you?.. just you or all customers?
> > > >
> > > > What if someone mistypes an IP and accidentally nulls something
> > > > real bad(TM)? What if someone compromises the feeder and injects
> > > > prefixes maliciously?
> > > >
> > > > What about when the phishers adapt and start changing DNS to point
> > > > to different IPs quickly, will the system react quicker? Does that
> > > > mean you apply less checks in order to get the null route out
> > > > quicker? Is it just /32s or does it need to be larger prefixes in
> > > > the future? Are there other ways conceivable to beat such a system
> > > > if it became widespread (compare to spammer tactics)
> > > >
> > > > What if this list gets to be large? Do we want huge amounts of /32s
> > > > in our internal routing tables?
> > > >
> > > > What if the feeder becomes a focus of attacks by those wishing to
> > > > carry out phishing or other illegal activities? This has certainly
> > > > become a hazard with spam RBLs.
> > > >
> > > >
> > > > Any other thoughts?
> > > >
> > > > Steve
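The duplicate-delivery question at the top of this message can be answered mechanically from the Received: chain. The Python below is an added example, not code from the thread: it walks the quoted chain oldest hop first and reports whether the list relay handed the post to the recipient's MX itself or through some other organisation's relays, and how long that detour took. The MX and list-relay names come from the quoted headers; the abridged chain is constructed from them.

```python
import re
from email.utils import parsedate_to_datetime

MY_MX = "mx-0.telecomplete.net"     # recipient's inbound MX, from the headers above
LIST_RELAY = "trapdoor.merit.edu"   # the list server's relay, from the headers above

# Constructed, abridged from the quoted Received: chain, newest hop first as in
# a real message. The local scanner hops are left out.
RECEIVED = [
    "from relay5.nga.mil ([164.214.4.61]) by mx-0.telecomplete.net with esmtp"
    " (Exim 4.22) id 1BfJYO-00065C-6w; Tue, 29 Jun 2004 14:25:44 +0000",
    "from e500smtp01.nga.mil(164.214.6.120) by relay5.nga.mil via smap (V5.5)"
    " id xma020150; Tue, 29 Jun 04 10:25:13 -0400",
    "from relay2.nga.mil(164.214.6.52) by e1000smtp2.nima.mil via csmap"
    " id 78e94c8c_c949_11d8_9cac_0002b3c81b76_16242; Mon, 28 Jun 2004 17:24:00 -0400 (EDT)",
    "from trapdoor.merit.edu(198.108.1.26) by relay2.nga.mil via smap (V5.5)"
    " id xma010754; Mon, 28 Jun 04 17:14:29 -0400",
    "from segue.merit.edu (segue.merit.edu [198.108.1.41]) by trapdoor.merit.edu"
    " (Postfix) with ESMTP id 2AB5D91277; Mon, 28 Jun 2004 17:12:26 -0400 (EDT)",
]

# "from <host> ... by <host> ...; <date>" is the part of a Received: line we need.
HOP = re.compile(r"from\s+(?P<from>[\w.-]+).*?\bby\s+(?P<by>[\w.-]+).*;\s*(?P<date>.+)$")


def parse_hops(received):
    """Oldest hop first, as (sending host, receiving host, time received)."""
    hops = []
    for line in received:
        m = HOP.search(line)
        if m:
            hops.append((m["from"].lower(), m["by"].lower(),
                         parsedate_to_datetime(m["date"].strip())))
    return list(reversed(hops))


def classify(received, my_mx=MY_MX, list_relay=LIST_RELAY):
    """Did the list relay hand the post to my MX itself, or did it arrive
    through someone else's mail system (an auto-forward or a resend)?"""
    hops = parse_hops(received)
    handed_off_by = next((f for f, b, _ in hops if b == my_mx), None)
    list_hops = [i for i, (_, b, _) in enumerate(hops) if b == list_relay]
    if handed_off_by is None or not list_hops:
        return {"verdict": "unknown", "handed_off_by": handed_off_by}
    after_list = hops[list_hops[-1] + 1:]          # hops once the list had sent it
    intermediaries = sorted({b for _, b, _ in after_list if b != my_mx})
    delay = hops[-1][2] - hops[list_hops[-1]][2]
    return {"verdict": "indirect" if intermediaries else "direct",
            "handed_off_by": handed_off_by, "intermediaries": intermediaries,
            "delay_hours": round(delay.total_seconds() / 3600, 1)}
```

On the quoted chain `classify(RECEIVED)` reports an indirect delivery handed off by relay5.nga.mil, with three nga.mil/nima.mil relays between the list and the recipient and a delay of about 17 hours, which matches the "originally received yesterday" observation.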
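Several of the objections raised in the quoted thread (the feed leaking at the borders, a mistyped or over-broad prefix, a compromised feeder injecting prefixes, the table filling with /32s) are things the receiving network can enforce locally before it installs anything. As an added example that is not from the thread or from any real feed, the Python below applies such a receive-side policy: host routes only, nothing in private/reserved or locally protected space, a cap on batch size, and the well-known NO_EXPORT community on every accepted route so it is never announced to eBGP neighbours. The protected ranges, the cap and the feed entries are constructed.

```python
import ipaddress

# Well-known NO_EXPORT community (RFC 1997): a route tagged with it is never
# announced to eBGP neighbours, so an accepted blackhole cannot leak at the border.
NO_EXPORT = "65535:65281"

# Constructed: ranges the receiver never blackholes on a feed's say-so (its own
# infrastructure, a shared-hosting block). An operator substitutes its own.
PROTECTED = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Private/reserved space never belongs in a public blackhole feed; an entry
# here is most likely a mistyped address.
NEVER_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "224.0.0.0/4", "::1/128", "fe80::/10", "fc00::/7", "ff00::/8")]

MAX_ENTRIES = 1000   # constructed cap: refuse a feed that suddenly balloons


def _inside(net, nets):
    return any(net.version == p.version and net.subnet_of(p) for p in nets)


def check_entry(entry):
    """Return (accepted, reason, route-to-install-or-None) for one feed line."""
    try:
        net = ipaddress.ip_network(entry, strict=True)  # host bits set -> error
    except ValueError as e:
        return False, "unparseable: %s" % e, None
    if net.prefixlen != net.max_prefixlen:
        return False, "only host routes (/32 or /128) accepted", None
    if _inside(net, NEVER_ROUTABLE):
        return False, "private/reserved space, probably a typo", None
    if _inside(net, PROTECTED):
        return False, "inside a protected prefix", None
    return True, "ok", {"prefix": str(net), "next_hop": "discard",
                        "communities": [NO_EXPORT]}


def apply_feed(entries):
    """Validate a batch; over the cap it is refused outright, since a sudden
    flood of prefixes is itself a sign of a mistaken or compromised feeder."""
    if len(entries) > MAX_ENTRIES:
        return [], ["feed refused: %d entries over cap %d" % (len(entries), MAX_ENTRIES)]
    installed, rejected = [], []
    for e in entries:
        ok, why, route = check_entry(e)
        if ok:
            installed.append(route)
        else:
            rejected.append("%s: %s" % (e, why))
    return installed, rejected
```

`apply_feed(["203.0.113.45/32", "203.0.113.0/24", "10.20.30.40/32", "192.0.2.7/32"])` installs only the first entry and reports why each of the other three was refused.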