- NZNOG - lists.nznog.org

FW: Windows 2000/XP Remote exploit - High Severity
by Barry Murphy 12 Nov '03

12 Nov '03

Thought people would like to be advised. Kindest Regards Barry Murphy Subject: Windows 2000/XP Remote exploit - High Severity Dear Barry Murphy, Summary ------- Products affected: Windows 2000/Windows XP Severity: High (Remote Execution) Ports: 139,445 (TCP) Patch: http://www.microsoft.com/technet/security/bulletin/MS03-049.asp Read more: http://www.eeye.com/html/Research/Advisories/AD20031111.html Discovered by: EEYE Digital Security EEYE Digital Security has discovered a bug in the Windows Workstation Service. This bug can lead to the remote exploitation of any Windows 2000 or Windows XP machines. The attacker needs access to ports 139/445. These ports are by default open on a Windows 2000 or XP host. SensePost has access to a proof of concept script that will determine if a host is vulnerable. For more information about the script please contact research(a)sensepost.com. Let's get this hole plugged before the next worm comes along. Regards, SensePost Research Team. ======================================================= SensePost Research research(a)sensepost.com http://www.sensepost.com (tel) +27 12 667 4737 =======================================================

2 1

For postmaster at asiaonline
by jfp 11 Nov '03

11 Nov '03

I have tried sending this to the proper channels and have been ignored. mail.asiaonline.net.nz's spam filter instead of rejecting emails it doesn't like defers them which mean they sit in our mail queue for a week retrying every 4 hours and clogging our and their mailservers. This seems to me like a rather nonsensical thing to do. > Sep 3 15:26:33 tiny sendmail[26020]: h7V3CIlM028321: > to=<ADDRESSREMOVED>, delay=3+00:13:59, > xdelay=00:00:06, mailer=esmtp, pri=25950368, > relay=mail.asiaonline.net.nz., dsn=4.0.0, stat=Deferred: 450 > <Feeljl(a)163.net>... 163.net,Known spam domain PS: This went thru our mailserver because we are forwarding that email address and obviously have different spam filter's than asiaonline. jfp. ------------------------------------------------------------------------ Jean-Francois Pirus <jfp(a)clearfield.com> Clearfield Software Ltd Phone (+64-9) 358 2081 4th Floor 8-10 Whitaker Place Fax (+64-9) 358 2083 P O Box 2348 Auckland, New Zealand ------------------------------------------------------------------------

2 1

Route announcements on APE and WIX
by Andy Linton 10 Nov '03

10 Nov '03

Citylink are announcing the following networks on APE from AS23755: 202.7.4.0/24, 203.118.144.80/28 and on WIX from AS23755: 202.7.4.0/24 The 202.7.4.0/24 block will be used to host the webcam and MMS sites associated with the Lord of the Rings premiere during the period leading up to 1 December. Last year we moved around 600 Gbytes of data in the fortnight preceding the premiere and around 4 Tbytes on the day itself. To avoid a potentially higher traffic bill this year we are making arrangements to use anycast (for more details see http://www.isc.org/tn/isc-tn-2003-1.html) to make 202.7.4.0/24 available in three locations, North America, Auckland via the APE route servers and in Wellington via the WIX route servers. We will not be advertising this block via any of the ISPs who provide us with transit. If you are not peering locally in New Zealand and your users access this content they will retrieve it from servers in North America with potential overload of your international circuits. You should consider peering with the APE and/or WIX route servers and accepting these prefixes. In addition, the 203.118.144.80/28 network is used to host media content for NZOOM. While this traffic is available via IHUG, listening to this announcement will optimise your customer's experience.

2 1

Re: [nznog] Procedure for making an ISP take responsibility ?
by Ewen McNeill 06 Nov '03

06 Nov '03

In message <003601c3a4f2$449210d0$230515ac(a)JOVE>, "jfp" writes: >Obviously that ISP is not going to do anything, So: >- Permanently block said ISP to your linux box. That and/or properly patching/securing the Windows box would be my first two suggestions. Trying to get "hackers" shut down is a bit like wack a mole even at the best of times. >- I assume you are using ipchains on your linux box, I would recommend >upgrading to iptables which would mean not having to open incoming ports >above 1024 as the session tracking should take care of that. H.323 (and friends), as used by NetMeeting, etc, are rather difficult to firewall well, because it opens connections in arbitrary directions to arbitrary ports (as negotiated through a control channel) -- a bit like FTP, but worse. The control channel is encoded via ASN.1 (ie, binary) rather than being text like FTP. IMHO it's shameful that a "modern" protocol isn't designed for at least easy state tracking if not to work easily with outgoing-only firewalls and NAT boxes. There is an (experimental) H.323 tracking module for Linux iptables which can be downloaded and compiled up (from some of the netfilter development sites), but it's a bit of a hack. I've not tried it, but have read that it works reasonably well for a single H.323 endpoint behind the firewall. Alternatively application layer proxying may be more appropriate. GNU Gatekeeper, Open H.323 Proxy, Asterisk, etc, are capable of proxying H.323 sessions at the application level. Some of them (eg, Asterisk) are pretty much voice only (Asterisk is fundamentally PBX software which supports H.323 amongst other things), and some of them (eg, GNU Gatekeeper) will proxy video as well. Ewen

1 0

Max TNT Two IP Pools
by vashdev talk 06 Nov '03

06 Nov '03

Hi I have Two Dialin Number (UIN) for my two PRIs (E1). I want to assign different ip pool to different UIN Number. Can any one guide me how can i do this on Max TNT Vashdev http://www.malhinet.com --------------------------------- Do you Yahoo!? Protect your identity with Yahoo! Mail AddressGuard

1 0

Procedure for making an ISP take responsibility ?
by Tikiri Wicks 06 Nov '03

06 Nov '03

Hi Is there a procedure for forcing an ISP to take responsibility for hackers on their network ? I've got this one windows PC hidden behind a unix box. Ports above 1024 are forwarded from the Linux box to the windows box because of netmeeting and a few other things. This PC keeps getting hacked from a subscriber on an Israeli ISP. I've cleaned it 3 times now. Essentially the machine gets compromised with a hacktool and then opens a channel to the IP in Israel after which there is a continous stream at 40 kbps. Dialup modem speed perhaps ? I've emailed the ISP ( barak.net.il ) a couple times and get absolutely no response. Forum messages also indicate that this ISP does not respond to such messages. Norton Antivirus picks up a hack tool only when the pc is scanned but even then cannot identify it beyond stating that it is a hacktool. The filename is disguised as scan.exe in one of the winnt\installer folders If anyone is interested please email me off the list and I'll email you the packet logs. The following is the state of the afected PC when the firewall is not blocking traffic to 82-166-172-38.barak.net.il Example 1 winmgnt.exe:1200 TCP zoo:1337 82-166-172-38.barak.net.il:4241 ESTABLISHED winmgnt.exe:1200 TCP zoo:1336 82-166-172-38.barak.net.il:4273 TIME_WAIT winmgnt.exe:1200 TCP zoo:1336 82-166-172-38.barak.net.il:4276 ESTABLISHED winmgnt.exe:1200 TCP zoo:1337 zoo:0 LISTENING winmgnt.exe:1200 TCP zoo:43958 zoo:0 LISTENING Example 2 winmgnt.exe:1200 TCP zoo:1336 82-166-172-38.barak.net.il:2388 TIME_WAIT winmgnt.exe:1200 TCP zoo:1337 82-166-172-38.barak.net.il:2542 ESTABLISHED winmgnt.exe:1200 TCP zoo:1336 82-166-172-38.barak.net.il:2579 TIME_WAIT winmgnt.exe:1200 TCP zoo:1336 82-166-172-38.barak.net.il:2586 ESTABLISHED winmgnt.exe:1200 TCP zoo:1337 zoo:0 LISTENING winmgnt.exe:1200 TCP zoo:43958 zoo:0 LISTENING Once traffic to 82.166.172.38/24 is blocked then the trojan kept attempting a connection once every few seconds as follows System:8 TCP zoo:1337 82-166-172-38.barak.net.il:4530 SYN_RCVD 3 seconds later System:8 TCP zoo:1337 82-166-172-38.barak.net.il:4569 SYN_RCVD 3 seconds later System:8 TCP zoo:1337 82-166-172-38.barak.net.il:4607 SYN_RCVD 3 seconds later System:8 TCP zoo:1337 82-166-172-38.barak.net.il:4640 SYN_RCVD and so on.

3 2

RE: [nznog] Procedure for making an ISP take responsibility ?
by jfp 06 Nov '03

06 Nov '03

My 2 cents worth. Obviously that ISP is not going to do anything, So: - Permanently block said ISP to your linux box. - I assume you are using ipchains on your linux box, I would recommend upgrading to iptables which would mean not having to open incoming ports above 1024 as the session tracking should take care of that. jfp. ------------------------------------------------------------------------ Jean-Francois Pirus <jfp(a)clearfield.com> Clearfield Software Ltd Phone (+64-9) 358 2081 4th Floor 8-10 Whitaker Place Fax (+64-9) 358 2083 P O Box 2348 Auckland, New Zealand ------------------------------------------------------------------------

1 0

VPN with paq 5500 & pocket pc 2003
by Barry Murphy 05 Nov '03

05 Nov '03

Hi, This may be a bit off-topic but I thought someone on the list may have some idea on this. I've recently purchased an HP ipaq 5500 which comes with Pocket PC 2003 which has a VPN client built in. I'm trying to connect it to the VPN server but can't find the method of authentication it uses. All other windows clients can connect to the poptop VPN with no problem. HP Doesn't know & MS doesn't know where to direct my call to, I'm waiting for someone to call me back still. Server: enable MSCHAPv2 pap set mppe 128 stateless IPaq Client: Slip (Off by default) Software compression (tried with on & off) IP Header compression (tried with on & off) I guess my question is, what authentication method does the pocket pc 2003 use, does it support GRE? It connects but doesn't send any data. <snip from logs> Nov 6 11:08:35 ns pptpd[46749]: CTRL: PTY read or GRE write failed (pty,gre)=(6,5) Nov 6 11:08:35 ns pptpd[46749]: CTRL: Client 210.86.20.17 control connection finished Nov 6 11:08:35 ns ppp[46750]: Phase: deflink: Connect time: 16 secs: 0 octets in, 305 octets out Nov 6 11:08:35 ns ppp[46750]: Phase: deflink: 0 packets in, 5 packets out Nov 6 11:08:35 ns ppp[46750]: Phase: total 19 bytes/sec, peak 24 bytes/sec on Thu Nov 6 11:08:23 2003 </snip> <snip from logs for windows 2003> Nov 6 11:10:13 ns ppp[47125]: Phase: bundle: Authenticate Nov 6 11:10:13 ns ppp[47125]: Phase: deflink: his = none, mine = CHAP 0x81 Nov 6 11:10:13 ns ppp[47125]: Phase: Chap Output: CHALLENGE Nov 6 11:10:13 ns pptpd[47124]: CTRL: Ignored a SET LINK INFO packet with real ACCMs! Nov 6 11:10:13 ns ppp[47125]: Phase: Chap Input: RESPONSE (49 bytes from barry) Nov 6 11:10:13 ns ppp[47125]: Phase: Chap Output: SUCCESS </snip> Thanks Kindest Regards Barry Murphy

2 2

Joker nukes SPEWS
by Juha Saarinen 04 Nov '03

04 Nov '03

Domain ID:D74783489-LROR Domain Name:SPEWS.ORG Created On:07-Jul-2001 19:50:12 UTC Last Updated On:03-Nov-2003 15:44:43 UTC Expiration Date:07-Jul-2008 19:50:12 UTC Sponsoring Registrar:R25-LROR Status:INACTIVE Registrant ID:CORG-1195 Registrant Name:chip level domains Registrant Organization:Visit Lake Biakal! Registrant Street1:po box 61, Baikalsk-2 Registrant City:Irkutsk region, -- 665914 Registrant Postal Code:665914 Registrant Country:RU Registrant Phone:+7.3952348335 Registrant FAX:+7.3952348335 Registrant Email:chip(a)sendmail.ru Admin ID:CORG-58588 Admin Name:Sergei ''Chip'' Didorenko Admin Organization:Visit Lake Baikal! ~ http://baikal.irkutsk.org Admin Street1:po box 61, Baikalsk-2 Admin City:Irkutsk region Admin Postal Code:665914 Admin Country:RU Admin Phone:+7.3952348335 Admin Email:chip(a)sendmail.ru Billing ID:CORG-58588 Billing Name:Sergei ''Chip'' Didorenko Billing Organization:Visit Lake Baikal! ~ http://baikal.irkutsk.org Billing Street1:po box 61, Baikalsk-2 Billing City:Irkutsk region Billing Postal Code:665914 Billing Country:RU Billing Phone:+7.3952348335 Billing Email:chip(a)sendmail.ru Tech ID:CORG-58588 Tech Name:Sergei ''Chip'' Didorenko Tech Organization:Visit Lake Baikal! ~ http://baikal.irkutsk.org Tech Street1:po box 61, Baikalsk-2 Tech City:Irkutsk region Tech Postal Code:665914 Tech Country:RU Tech Phone:+7.3952348335 Tech Email:chip(a)sendmail.ru Name Server:INVALID-ADDRESS.JOKER.COM -- Juha

2 1

another phish
by David Miller 03 Nov '03

03 Nov '03

Hi Craig, If it's of interest to you, here's another example (forwarded separately.) This one's a Citibank phish - and where the westpac one was clearly sent direct, this one has a received line which would suggest that it was routed through a relay. I don't believe it. The relay, if that's what it was, appeared to be a student dorm at a french speaking university also in canada. The first received: line alleges to be from "pormexico.com", but the IP address belongs to Hewlett Packard according to whois. I think those URLs are kind of interesting. The citibank one references an IP address belonging in Korea (according to whois). The westpac one refers to at least a URL redirection service in russia (www.da.ru) and to something calling itself jablow.kir.jp, which on the face of it appears to be a legitimate site of some kind. I wonder if this is some kind of worm-like infestation, which would account for the broad number of connection attempts, IP addresses and the apparent lack of relays. A student dorm, a dial up/DSL address and an HP address seem like an unlikely real source for these things. Dave.

3 3

nsp-security
by Joe Abley 03 Nov '03

03 Nov '03

There is an invitation-only list run by Jared Mauch called nsp-security which has an extremely useful membership of enable-wielding ops people who never sleep. It's very useful for things like "I am under attack from address X.X.X.X which is in AS Y", infinitely more so than trying to get action from remote NOCs through the front door. https://puck.nether.net/mailman/listinfo/nsp-security It's a closed list, and you need to be recommended by people who are already on the list before your subscription will be approved. I'd be very happy to recommend anybody here who is interested (that I know). Note that nsp-sec isn't a conversational list; it's a terse, to-the-point, get-work-done list (unlike this one). Joe

1 0

Phishing expedition - Westpac heads-up!
by Andy Gardner 02 Nov '03

02 Nov '03

Had a friend who connect via ihug forward me an email - someone phishing for Westpac user ID's. They're blanket spamming it because he isn't even a Westpac customer. Might be an idea for all your ISP's to send out a warning message to your clients - good PR exercise. >> Reply-To: Westpac <verifyXX(a)westpac.com.nz> >> Sender: Westpac <verifyXX(a)westpac.com.nz> >> MIME-Version: 1.0 >> Content-Type: text/plain >> Content-Transfer-Encoding: 8bit >> >> Dear Westpac Bank Member, >> >> This email was sent by the Westpac server to verify your e-mail >> address. You must complete this process by clicking on the link >> below and entering in the small window your Westpac Banking >> Customer ID and Password. >> This is done for your protection --- because some of >> our members no longer have access to their email addresses and >> we must verify it. >> >> To verify your e-mail address and access your bank account, >> click on the link below. If nothing happens when you click on >> the link, copy and paste the link into the address bar of your >> web browser. >> >> >> http://www.westpac.com.nz:ac-XXXXXXXXXXXXXXXXXX(a)XXXXXXXXX.Da.rU/ >> ?XXXXXXXXXXX >> >> >> -------------------------------------------------- >> Thank you for using Westpac Bank! >> --------------------------------------------------

6 6

Re: [nznog] Phishing expedition - Westpac heads-up!
by Craig Whitmore 02 Nov '03

02 Nov '03

Yes I am seeing those emails as well: Nov 2 17:40:10 dbmail-mx3 sm-mta[26879]: hA24di60026879: ruleset=check_mail, arg1=<martin.williams(a)citibank.net>, relay=c-65-97-16-13.va.client2.attbi.com [65.97.16.13], reject=451 4.1.8 Domain of sender address martin.williams(a)citibank.net does not resolve Nov 3 13:41:28 dbmail-mx3 sm-mta[27391]: hA30ebfg027391: ruleset=check_mail, arg1=<martin.williams(a)citibank.net>, relay=adsl-66-120-247-125.dsl.lsan03.pacbell.net [66.120.247.125], reject=451 4.1.8 Domain of sender address martin.williams(a)citibank.net does not resolve (but not as many of them at all) Thanks Craig ----- Original Message ----- From: "Mark Piper" <Mark.Piper(a)nec.co.nz> To: "Craig Whitmore" <lennon(a)orcon.net.nz> Cc: <nznog(a)list.waikato.ac.nz> Sent: Monday, November 03, 2003 1:35 PM Subject: Re: [nznog] Phishing expedition - Westpac heads-up! > http://lists.insecure.org/lists/fulldisclosure/2003/Oct/1429.html > > Two more banks according to the above URL are having almost identical mailouts (citybank and natwest). >

1 0

The New Zealand Network Operators' Group
by Donald Neal 02 Nov '03

02 Nov '03

The New Zealand Network Operators' Group The New Zealand Network Operators' Group (NZNOG) has no king, president or formal membership. At present it consists of the subscribers to this mailing list, which anyone is free to join. A face-to-face gathering is to take place in Hamilton on January 29 and 30 2004, hosted by the WAND group. See http://www.nznog.org/ for more details, including the Call for Presenters. Also see http://thursdaynightcurry.com/about.html if you live in or near Wellington or Auckland. Operators' Contact List See http://www.usenet.net.nz/noc/ for operational contact details for most New Zealand ISP's. These are intended for use by other network operators rather than by most customers. Internet Exchanges See http://www.ape.net.nz/ for details of the Auckland Peering Exchange and those connected there, http://www.wix.net.nz/ for the Wellington Internet Exchange. About This Mailing List This list has around 550 addresses subscribed. You may only post to the list from a subscribed address. A number of people subscribe addresses which do not receive email purely to allow posting from them. The NZNOG mailing list is provided through a server at The University of Waikato, and is administered by an employee of Alcatel NZ Ltd. Neither of these organisations, nor the administrator, is responsible for its content. NZNOG Mailing List Acceptable Use Policy The NZNOG mailing list exists to provide a forum for the exchange of technical information and the discussion of implementation issues that require cooperation among New Zealand network service providers. In order to continue to provide a useful forum for discussion of relevant technical issues, users of the list are asked to respect the following guidelines. 1. Discussion will focus on Internet operational and technical issues. 2. Discussion related to meetings of network service providers is appropriate. 3. Discussion unrelated to these topics is not appropriate. 4. Postings to multiple mailing lists are discouraged. 5. Postings that include foul language, character assassination, and lack of respect for other participants are unacceptable. 6. Blatant product or service marketing is unacceptable. 7. Postings of a political, philosophical or legal nature are discouraged. 8. Postings to the list should be in ASCII or MIME encoded as text/plain. Attachments should not be sent to the list. To present a document, a suitable URL may be referred to. For documents of general interest, the use of proprietary file formats is discouraged. 9. Breaches of list etiquette should be dealt with privately with the offending list user, and should not result in complaints being sent to the list. 10. A person repeatedly breaching list etiquette shall receive warnings from the list administrator. A further breach after the second such warning within thirty days shall result in the offender being unsubscribed from the list. Other action may also be taken to block postings to the list by the offender. Any such unsubscription is to be immediately announced to the list. Mailing List Archives A full archive is available at http://list.waikato.ac.nz/archives/nznog/ Any message sent to the list will be archived and made available on the web automatically. Changes are not made to the archive on request, though the administrator remains happy to assist the Office of the Privacy Commissioner should any complaint be laid with that office. One way to search the archive is to use google and prefix your search with site:list.waikato.ac.nz . Subscribing to the List See http://list.waikato.ac.nz/mailman/listinfo/nznog to subscribe. Donald Neal NZNOG Mailing List Owner/Administrator/Muggins ------------------------------------------------------------------------------ "This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you." ------------------------------------------------------------------------------ ------------------------------------------------------------------------------ "This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you." ------------------------------------------------------------------------------

1 0

Strange BGP 'problem'
by Nathan Ward 01 Nov '03

01 Nov '03

At the risk of posting something on topic.. I have 2 routers (lets call them A and B), talking to different upstream providers, advertising 202.6.75.0/24 via BGP. 202.6.75.0/24 is subnetted, each subnet is on a different VLAN. These routers talk to each other with iBGP, giving each other everything (including 202.6.75.0/24 le 32). I run HSRP between the 2 routers. Router B prepends my ASN several times before advertising 202.6.75.0. Relevant stuff (on both boxes): router bgp 23729 network 202.6.75.0 no synchronization ! ip route 202.6.75.0 255.255.255.0 Null0 With this config, reachability for 202.6.75.0/24 hosts alternates on and off roughly every minute. 47% total loss over 10 minutes (ie 5 'bursts' of loss). These packets are all hitting my AS at router A. I've turned HSRP off and on again to see if that was causing problems (it wasn't). Several solutions I've found: - Turning the iBGP session to router B off. (uhh..) - Turning syncronization on. My understanding of BGP synchronization, is that BGP will only re-advertise with eBGP prefixes learned via iBGP after learning them via another IGP if one is running. <snip> ec-br-1(config-router)#do sh run | inc router router bgp 23729 bgp router-id 202.6.75.1 </snip> I'm not running any IGPs, so synchronization shouldn't be part of the equation. In any case, I'm not a transit provider. And, there seems to be no relation to readvertising routes here, the packets AFAICT are getting to router A and being dropped. I've got no problem running running with synchronization on at the moment, but thats not the point. :-) Any ideas/thoughts? -- Nathan Ward

3 3

RE: [nznog] Domain Names NZ scam
by Tim John - Domainz 01 Nov '03

01 Nov '03

Yep ! Had calls dribbling in here all morning ... The DNC is aware and I'm sure things will be taken up by her. Tim -----Original Message----- From: jfp [mailto:jfp(a)clearfield.com] Sent: Wednesday, 29 October 2003 10:42 a.m. To: nznog(a)list.waikato.ac.nz Subject: [nznog] Domain Names NZ scam Some of our customers have just received scam domain renewal letters from Domain Names NZ. ($237 for two years) (www.domainnamesnz.com) People might want to warn their customers. jfp. ------------------------------------------------------------------------ Jean-Francois Pirus <jfp(a)clearfield.com> Clearfield Software Ltd Phone (+64-9) 358 2081 4th Floor 8-10 Whitaker Place Fax (+64-9) 358 2083 P O Box 2348 Auckland, New Zealand ------------------------------------------------------------------------ _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog DISCLAIMER: The content of this email is confidential and may contain legally privileged information intended only for the individual or entity named above. Access to this message by anyone else is unauthorised. If you are not the intended recipient, please be advised that the use, distribution and publication of the above information is prohibited. If you have received this email in error, please contact Domainz by returning the email and destroying the original. Thank you.

9 10

RE: [nznog] Domain Names NZ scam
by Geoff Williams 31 Oct '03

31 Oct '03

We have been through this here on the other side of the creek. Some years ago when this guy first started this scam I actually spoke to him trying to recover money that a client had inadvertently paid. Even though the money had not been passed to the sole registrar of .au domains at that time (we had already paid for the domain's renewal) the most that we were able to threaten was a civil action for not refunding monies that had not been applied for the purpose that they were collected. He just didn't give a @#$% about it and continued on his merry way. Unfortunately the problem is that the person paying the money doesn't know enough about what the invoice means and also they don't read the thing in detail. The most success was had here when the registrar used the domain contacts list and emailed a warning to all domain owners. Perhaps your registrar should consider something similar. The warning is probably still on the site at www.inww.com if you need text. The other thing is to get it into the tabloid press, perhaps someone should approach some of your shock jocks to run the story. Maybe Holmes could turn it into a global news story :)) -----Original Message----- From: Tikiri Wicks [mailto:tcwicks(a)maxnet.co.nz] Sent: Saturday, 1 November 2003 3:21 PM To: nznog(a)list.waikato.ac.nz Subject: Re: [nznog] Domain Names NZ scam Re: Domain Names NZ scam Just wondering is anyone on this list a lawyer I just got my second mail from these bastards. It's made out just like an invoice telling me to register my domain.net.nz Unauthorized use of the domain name registry for commercial solicitation perhaps ? New Zealand Privacy law perhaps ? Is there anything like class action lawsuits in New Zealand and Australia? ----- Original Message ----- From: "Juha Saarinen" <juha(a)saarinen.org> To: "Steven Heath" <sheath(a)paradise.net.nz> Cc: <nznog(a)list.waikato.ac.nz>; "'Matthew G Brown'" <Matt(a)Brh.Co.Nz> Sent: Thursday, October 30, 2003 3:09 PM Subject: Re: [nznog] Domain Names NZ scam > Steven Heath wrote: > > > In my opinion it is just more of the many scum aussie operators that just > > extend thier scams to include NZ. > > Was just informed that the AuDA and ACCC court proceedings against > Domain Names Pty Ltd will be heard on the 19th of next month. > > -- > Juha > > _______________________________________________ > NZNOG mailing list > NZNOG(a)list.waikato.ac.nz > http://list.waikato.ac.nz/mailman/listinfo/nznog _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

1 0

Spamcop.net DNS
by Peter Macaulay 31 Oct '03

31 Oct '03

Looks like someone has killed spamcop. Can anyone explain how this happened? I can't see their registrar (joker.com) doing it unless they have been conned. -- Peter Macaulay Executive Director InternetNZ Direct +64 4 495 2113

6 5

elevated icmp traffic
by Anton Smith 29 Oct '03

29 Oct '03

Hi guys, Was just wondering if anyone else has been experiencing a lot of icmp traffic (pings) lately, seems to a lot of pinging of entire ranges going on. Another new worm or the left overs from the last lot? Regards, Anton Smith nzwireless Ltd

2 1

RE: [nznog] New and unacknowledged Exchange / Win2k SMTPvulnerability?
by Geoff Williams 28 Oct '03

28 Oct '03

Right, but due to no SMTP AUTH logging in Exchange 2000, we cannot easily track any attempt to intrude using the brute force password crack method. We only get to see badmail folders filling up and so on. Additionaly we cannot see exactly which account's password has been compromised. A more comprehensive anti-relay option which checked for the existence of the recipient and/or sender in Active Directory, as this ORF thing does, would be beneficial in future releases. I haven't seen Exchange 2003 yet so can't comment on whether it has any such functionality. Regards Geoff Williams -----Original Message----- From: Nathan Mercer [mailto:nmercer(a)microsoft.com] Sent: Wednesday, 29 October 2003 10:27 AM To: Geoff Williams; nznog(a)list.waikato.ac.nz Subject: RE: [nznog] New and unacknowledged Exchange / Win2k SMTPvulnerability? So just to be clear, a new and unacknowledged Exchange or Windows 2000 vulnerability has not been discovered here right? We want to know about vulnerabilities (not mis-configurations) If you do wish to report a suspected security vulnerability please either contact myself directly, log the details on https://s.microsoft.com/technet/security/bulletin/alertus.asp or email secure(a)microsoft.com (PGP key is on https://s.microsoft.com/technet/security/MSRC.asc ) Details of our vulnerability handling processes are on http://microsoft.com/technet/security/bulletin/msrpracs.asp Regards Nathan Technology Specialist Microsoft NZ _____ From: Geoff Williams [mailto:geoff(a)katnet.com.au] Sent: Tuesday, 28 October 2003 11:26 a.m. To: nznog(a)list.waikato.ac.nz Subject: FW: [nznog] New and unacknowledged Exchange / Win2k SMTPvulnerability? Further to my earlier post, Neil G has pointed me correctly to an SMTP AUTH attack. I have used the logs of the ORF tool to pinpoint which accounts have been compromised. Strangely the spammers are trying to work out why, even if they authenticate, they can't relay, so there is a lot of traffic to watch and learn from. A large number of their connections are being blocked by the IP blacklists I have selected. I had originally blocked 2 Class A IP ranges at our router after watching the traffic and finding that they were allocated to a provider in China. But I am not 100% sure that IP addresses are not being spoofed as they seem to have a huge range of Class A and B addresses available to them and I was really chasing my tail trying to block them at that level. So now I have a new password generator and will start training the mind to work with 12 or more character passwords. Hope this is of assistance to others. Geoff Williams -----Original Message----- From: Geoff Williams Sent: Monday, 27 October 2003 11:01 PM To: nznog(a)list.waikato.ac.nz Subject: [nznog] New and unacknowledged Exchange / Win2k SMTP vulnerability? Hi All I have exactly the same open-relay problem, including the sending servers and addresses, and have been struggling to diagnose for a few weeks. I had a hunch that the hack may involve the SystemMailbox account (which of course is disabled), but this was based on checking security logs and seeing who was logged in at the same time as the spam was dumped into the queue. I have got around it for the moment (I hope) by loading the ORF relay and spam tool but I would really like to know how this hack is being perpetrated as I have a whole stack of other Exchange servers to look after and I really don't want this to get out of control... So if anyone has made any progress I would really appreciated you sharing your experience. Thanks ______________ Geoffrey Williams KAT International T: 02 9904 3137 F: 02 9904 0232 M: 0417 281 905 _____ size=2 width="100%" align=center> This email is confidential and intended for the recipient only. If you have received it in error please delete it immediately.

1 0

Re: New and unacknowledged Exchange / Win2k SMTP vulnerability?
by John Rothlisberger 28 Oct '03

28 Oct '03

I would *strongly* recommend against EVER running Exchange as your Internet-facing SMTP server. Use a *nix box as a proxy. There have been too many [unacknowledged] bugs/holes in MS Exchange, and troubleshooting something that hasn't been acknowledged by the manufacturer can have you thinking that you've gone crazy. Using a *proper* SMTP server to sanity check incoming connections is the only way to go with Exchange, even for small customers -- the risks are pretty high otherwise. And while you're at it throw SpamAssassin/Antivirus on it and kill multiple birds, et al. My COP$35.28 --John R?thlisberger

3 2

RE: [nznog] New and unacknowledged Exchange / Win2k SMTPvulnerabi lity?
by Neil Gardner 28 Oct '03

28 Oct '03

Hmm, I guess the extention of your argument is that presumably SCO will give me a discount on my license for any vulnerability I find in any flavour of Linux in the world? :-) Not directed at you, and I too will stop right there :-) -- Cheers - Neil Gardner Networking and Security Support Engineer Renaissance Brands Ltd (09) 968-3681 / (021) 746-345 -----Original Message----- From: Barry Murphy [mailto:barry(a)unix.co.nz] Sent: Wednesday, 29 October 2003 12:52 p.m. To: Nathan Mercer; nznog(a)list.waikato.ac.nz Subject: Re: [nznog] New and unacknowledged Exchange / Win2k SMTPvulnerability? Is there a reward for reporting a vulnrability? Surely if the end user is having to find bugs then MS isn't spending enough to secure it's software. Not directed at you and i'll stop there. Barry

1 0

RE: [nznog] New and unacknowledged Exchange / Win2k SMTPvulnerability?
by Nathan Mercer 28 Oct '03

28 Oct '03

So just to be clear, a new and unacknowledged Exchange or Windows 2000 vulnerability has not been discovered here right? We want to know about vulnerabilities (not mis-configurations) If you do wish to report a suspected security vulnerability please either contact myself directly, log the details on https://s.microsoft.com/technet/security/bulletin/alertus.asp or email secure(a)microsoft.com (PGP key is on https://s.microsoft.com/technet/security/MSRC.asc ) Details of our vulnerability handling processes are on http://microsoft.com/technet/security/bulletin/msrpracs.asp Regards Nathan Technology Specialist Microsoft NZ ________________________________ From: Geoff Williams [mailto:geoff(a)katnet.com.au] Sent: Tuesday, 28 October 2003 11:26 a.m. To: nznog(a)list.waikato.ac.nz Subject: FW: [nznog] New and unacknowledged Exchange / Win2k SMTPvulnerability? Further to my earlier post, Neil G has pointed me correctly to an SMTP AUTH attack. I have used the logs of the ORF tool to pinpoint which accounts have been compromised. Strangely the spammers are trying to work out why, even if they authenticate, they can't relay, so there is a lot of traffic to watch and learn from. A large number of their connections are being blocked by the IP blacklists I have selected. I had originally blocked 2 Class A IP ranges at our router after watching the traffic and finding that they were allocated to a provider in China. But I am not 100% sure that IP addresses are not being spoofed as they seem to have a huge range of Class A and B addresses available to them and I was really chasing my tail trying to block them at that level. So now I have a new password generator and will start training the mind to work with 12 or more character passwords. Hope this is of assistance to others. Geoff Williams -----Original Message----- From: Geoff Williams Sent: Monday, 27 October 2003 11:01 PM To: nznog(a)list.waikato.ac.nz Subject: [nznog] New and unacknowledged Exchange / Win2k SMTP vulnerability? Hi All I have exactly the same open-relay problem, including the sending servers and addresses, and have been struggling to diagnose for a few weeks. I had a hunch that the hack may involve the SystemMailbox account (which of course is disabled), but this was based on checking security logs and seeing who was logged in at the same time as the spam was dumped into the queue. I have got around it for the moment (I hope) by loading the ORF relay and spam tool but I would really like to know how this hack is being perpetrated as I have a whole stack of other Exchange servers to look after and I really don't want this to get out of control... So if anyone has made any progress I would really appreciated you sharing your experience. Thanks ______________ Geoffrey Williams KAT International T: 02 9904 3137 F: 02 9904 0232 M: 0417 281 905 ________________________________ size=2 width="100%" align=center> This email is confidential and intended for the recipient only. If you have received it in error please delete it immediately.

2 1

RE: [nznog] Domain Names NZ scam
by Paul Adshead 28 Oct '03

28 Oct '03

Deja vu anyone: http://www.domainz.net.nz/Domainz.asp?Content=news21 http://www.dnc.org.nz/story/30127-32-1.html http://www.comcom.govt.nz/publications/display_mr.cfm?mr_id=1219 Paul Adshead OTL Software Ltd www.otl.co.nz paul.adshead(a)otl.co.nz Tel +64 9 373 9920 Fax +64 9 303 9129 -----Original Message----- From: jfp [mailto:jfp(a)clearfield.com] Sent: Wednesday, 29 October 2003 10:42 To: nznog(a)list.waikato.ac.nz Subject: [nznog] Domain Names NZ scam Some of our customers have just received scam domain renewal letters from Domain Names NZ. ($237 for two years) (www.domainnamesnz.com) People might want to warn their customers. jfp. ------------------------------------------------------------------------ Jean-Francois Pirus <jfp(a)clearfield.com> Clearfield Software Ltd Phone (+64-9) 358 2081 4th Floor 8-10 Whitaker Place Fax (+64-9) 358 2083 P O Box 2348 Auckland, New Zealand ------------------------------------------------------------------------ _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

1 0

Domain Names NZ scam
by jfp 28 Oct '03

28 Oct '03

Some of our customers have just received scam domain renewal letters from Domain Names NZ. ($237 for two years) (www.domainnamesnz.com) People might want to warn their customers. jfp. ------------------------------------------------------------------------ Jean-Francois Pirus <jfp(a)clearfield.com> Clearfield Software Ltd Phone (+64-9) 358 2081 4th Floor 8-10 Whitaker Place Fax (+64-9) 358 2083 P O Box 2348 Auckland, New Zealand ------------------------------------------------------------------------

1 0

How to get deliberately attacked?
by Neil Gardner 28 Oct '03

28 Oct '03

Hi guys, I am testing a firewall here at work with a DHCP spoofing ADSL router and I wanted to check the integrity of the reporting with the attacks it can recognise... I don't really want to spend too much work time jumping into hacky IRC channels and annoying people to generate some attack traffic (plus I don't want to be attacked for too long :-) so I thought I'd ask here to see if anyone knows of any web based attack generators or could indulge me and hit me with a few things (short of classic DOS - I'm testing the firewall, not my ADSL line :-) Anyway - answers on the back of a postcard please, or email me direct. Oh, it's not this IP, so please don't just start attacking - please contact me and we'll work something out :-) -- Cheers - Neil Gardner Networking and Security Support Engineer Renaissance Brands Ltd (09) 968-3681 / (021) 746-345

4 3

Orcon Internet Prefix List Update (2003-10-19)
by Craig Whitmore 28 Oct '03

28 Oct '03

For all those peering with Orcon Internet (AS17746) Nationally, please update your prefix lists with the following networks as in attached file. Thanks Craig Whitmore Systems Administrator Orcon Internet http://www.orcon.net.nz

1 0

RE: [nznog] New and unacknowledged Exchange / Win2k SMTP vulnerability?
by Geoff Williams 27 Oct '03

27 Oct '03

Thanks Matt I haven't started on the 218's as some of those are here in Australia also. Geoff Williams -----Original Message----- From: Matt Camp [mailto:gargoyle(a)noise.net.nz] Sent: Tuesday, 28 October 2003 9:59 PM To: Geoff Williams Cc: Joe Abley; nznog(a)list.waikato.ac.nz Subject: RE: [nznog] New and unacknowledged Exchange / Win2k SMTP vulnerability? On Tue, 28 Oct 2003, Geoff Williams wrote: > The bulk of the 218.0.0.0 Class A range is allocated to provincial > entities in the PRC. Except for the /17's out of this class A which are allocated to NZ entities such as TelstraClear. Blocking this would be inadvisable. --- Matt Camp This email is confidential and intended for the recipient only. If you receive it in error please delete it immediately.

1 0

RE: [nznog] New and unacknowledged Exchange / Win2k SMTP vulnerability?
by Geoff Williams 27 Oct '03

27 Oct '03

The bulk of the 218.0.0.0 Class A range is allocated to provincial entities in the PRC. The other big source of addresses I have seen is the 61.0.0.0 subnet which is spread between India and the PRC, again in the PRC it seems to be allocated to provincial entities. The 61.11 range in India has been very active trying to fish passwords but strangely whoever is doing it is coming from right across the whole A range. Snip of repeated ORF event below: NOTIFICATION - Open Relay Filter Enterprise Edition =================================================================== The following event has occurred: Class : Block Severity : Info Source : SMTPSVC-1 Related IP : 61.11.47.52 Text description: ================= Blocked. Recipient address (user3(a)989888.com) is not listed in the Active Directory. Sender: test(a)yahoo.com. SMTP response: End snip. This particular event just won't stop. Geoff Williams -----Original Message----- From: Joe Abley [mailto:jabley(a)isc.org] Sent: Tuesday, 28 October 2003 12:41 PM To: Geoff Williams Cc: nznog(a)list.waikato.ac.nz Subject: Re: [nznog] New and unacknowledged Exchange / Win2k SMTP vulnerability? On 27 Oct 2003, at 17:25, Geoff Williams wrote: > I had originally blocked 2 Class A IP ranges at our router after > watching the traffic and finding that they were allocated to a > provider in China. Which class A networks do you think are allocated to a provider in China? This email is confidential and intended for the recipient only. If you receive it in error please delete it immediately.

3 2

FW: [nznog] New and unacknowledged Exchange / Win2k SMTP vulnerability?
by Geoff Williams 27 Oct '03

27 Oct '03

Further to my earlier post, Neil G has pointed me correctly to an SMTP AUTH attack. I have used the logs of the ORF tool to pinpoint which accounts have been compromised. Strangely the spammers are trying to work out why, even if they authenticate, they can't relay, so there is a lot of traffic to watch and learn from. A large number of their connections are being blocked by the IP blacklists I have selected. I had originally blocked 2 Class A IP ranges at our router after watching the traffic and finding that they were allocated to a provider in China. But I am not 100% sure that IP addresses are not being spoofed as they seem to have a huge range of Class A and B addresses available to them and I was really chasing my tail trying to block them at that level. So now I have a new password generator and will start training the mind to work with 12 or more character passwords. Hope this is of assistance to others. Geoff Williams -----Original Message----- From: Geoff Williams Sent: Monday, 27 October 2003 11:01 PM To: nznog(a)list.waikato.ac.nz Subject: [nznog] New and unacknowledged Exchange / Win2k SMTP vulnerability? Hi All I have exactly the same open-relay problem, including the sending servers and addresses, and have been struggling to diagnose for a few weeks. I had a hunch that the hack may involve the SystemMailbox account (which of course is disabled), but this was based on checking security logs and seeing who was logged in at the same time as the spam was dumped into the queue. I have got around it for the moment (I hope) by loading the ORF relay and spam tool but I would really like to know how this hack is being perpetrated as I have a whole stack of other Exchange servers to look after and I really don't want this to get out of control... So if anyone has made any progress I would really appreciated you sharing your experience. Thanks ______________ Geoffrey Williams KAT International T: 02 9904 3137 F: 02 9904 0232 M: 0417 281 905 _____ This email is confidential and intended for the recipient only. If you have received it in error please delete it immediately.

2 1

httpd traffic with ie 5.5
by Barry Murphy 27 Oct '03

27 Oct '03

Howdy, Anyone noticing a lot of traffic in the httpd-access logs? I have had the following unique hits to my catch domain: August: 5401 September: 10950 October: 18535 Can't see much in tcpdump but they all seem to be windows 98 IE 5.5. 65.95.18.179 - - [28/Oct/2003:11:11:33 +1300] "GET / HTTP/1.1" 200 3677 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)" 82.37.50.69 - - [28/Oct/2003:11:11:45 +1300] "GET / HTTP/1.1" 200 3677 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)" 24.125.71.52 - - [28/Oct/2003:11:11:52 +1300] "GET / HTTP/1.1" 200 3677 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)" 24.85.14.211 - - [28/Oct/2003:11:12:03 +1300] "GET / HTTP/1.1" 200 3677 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)" 24.207.23.172 - - [28/Oct/2003:11:12:22 +1300] "GET / HTTP/1.1" 200 3677 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)" 68.117.32.241 - - [28/Oct/2003:11:12:30 +1300] "GET / HTTP/1.1" 200 3677 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)" 68.114.179.170 - - [28/Oct/2003:11:12:37 +1300] "GET / HTTP/1.1" 200 3677 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)" Cheers Barry

2 1

Re: [nznog] Cloaked SPAM hosting service
by Richard Cox 26 Oct '03

26 Oct '03

On 25 Oct 2003 12:00:07 +1300 (NZDT) Simon Byrnand <simon(a)igrin.co.nz> asked NZ-NOG: > Correct me if I'm wrong but isn't this idea just a reverse proxy farm? >From what investigators have seen there is more to this exploit than just a reverse-proxy. I'm reluctant to say too much, even here, since investigations are continuing. The previous well-reported exploit which was known as "Super-Zonda" simply packaged reverse-proxying with a set of custom DNS tricks designed so that only the designated proxies could get the IP address of the real source of the website. Two strains of virus - "Fizzer" and "Sobig" each deliver a payload that compromises the infected computer, and in many cases the compromise can survive normal "cleansing" operations. This leaves a suite of abusive tools on the victim's computer that can, without the owner's knowledge or permission, be used by the attacker. Fizzer is known to install a spam sender and Denial-of-Service module, both of which "phone home" and listen for remote instructions. This means they can lie dormant for days, even weeks, without being activated. When they are activated to spam, they will usually only send out a small quantity of messages at one time, and then become silent again; the whole point is that as there are so many of them available to the spammer, there is no need for any one infected machine to send any great quantity. This, in turn, means that it is unlikely to trigger any traffic-based alarms, and any spam reports which reach abuse desks - if they even get that far - will often be treated as either misdirected or ill-informed, because "if it really was a spam source there would inevitably be many more complaints" That is exactly what the malware-writer intended ISPs to think, so don't be caught by it! Some Abuse desks may even go as far as looking for any open ports, and finding none, will take the view that the machines are secure. Not so! As all the trojans "phone home" for their instructions, there will not be any need for open ports, and none to find. The trojan may open some ports when ordered to, but generally will appear to be completely locked down (well, as much as any Windows machine can be!). There is one thing I want to stress here, as many of you will have no doubt read about the various DDoS attacks on various targets - Cisco, and some of the anti-spam resources being the ones that got publicity. If you get (a small number of) reports of spamming from a customer IP and you are tempted to disbelieve or ignore those reports, please don't. Regardless of your views on spam, those reports may be the only warning you will get that you have a malware-attacked box on your netblock, and that box is then fully equipped and ready to take part in a Distributed Denial of Service (DDoS) attack on a target at a moment's notice. | Sounds like the author of the article doesn't understand round robin | dns, expressing surprise that every time they checked the site the ip | address was different...(well duh :) Er, no. That's not the primary point of this exploit, even though Round Robin DNS is certainly used in it. Remember - we are talking about large quantities of boxes here, and a different zombie can be activated in seconds. The compromised machines are able to act as DNS servers as well as web servers - and they do. The key is that the DNS servers are in the .biz TLD and that registry offers its customers the ability to update their DNS in real time, rather than having to wait for a timed update as with the .com/.net environment. Thus as machines are booted, come online, and "phone home", some of them are put in the queue for their IPs to be sent to the root .biz servers. Anyone monitoring the zonefiles for the latest .biz domain that these spammers are using (they change domains regularly, of course ...) will see the IPs of both the nameservers and A records change on a regular basis, and the location of those IPs will tend to follow the sunrise - so at one time of day there will be some in Europe, a few hours later they will mostly be on the US East Coast, later the US West Coast, and some hours after that NZ, then Australia, then Japan, and so on. > In other words said spammers host the actual site on a real server > somewhere, use round robin dns with hundreds (?) of dns entries > pointing to different hijacked computers, that then forward the > requests to the real servers as a reverse proxy. If they did that, the operation could be closed down by terminating (or bogussing) all the DNS servers that hold the round-robin DNS list. As ordinary user machines (mainly broadband) are being used as these servers, they can change almost as often as the A records do, and so any that are disabled are immediately replaceable. While admittedly tempting, it is hardly practical to bogus out the entire .biz root! The contact details for the domains used in this exploit vary from "suspicious" to "proven fake" but you could say the same about rather a lot of domains at the moment. The ICANN promises of a clean-up have not materialised, and given ICANN's (lack of) authority in general, some would say that any clean-up can only be cosmetic until there is general international agreement to enforce new rules. What may be of interest is that quite a few of these domains we've looked into turned out to have been registered with "DomainDiscover" in San Diego, USA (http://www.domaindiscover.com/) Even if DomainDiscover closed down all those domains immediately, the spammers would just move across to another Registrar and carry on. The only effective way to stop THIS particular exploit would need the root .biz registry to be persuaded to withdraw the real-time DNS updating feature in .biz. You may well conjecture on the likelihood of that ever happening! The zombies installed by the SoBig series of viruses also install an FTP server (TFTP) on first infection, which is used to fetch the rest of the SoBig payload some days later, and that means that absolutely anything can be subsequently downloaded to those machines - so unless you actually remove the infection and compromise, a machine that scans as completely clean today may be a Webserver serving up kiddie-porn by this time tomorrow. Yes, Tikiri, this one *is* more alarming. -- Richard Cox Mandarin

2 1

New and unacknowledged Exchange / Win2k SMTP vulnerability?
by Geoff Williams 26 Oct '03

26 Oct '03

Hi All I have exactly the same open-relay problem, including the sending servers and addresses, and have been struggling to diagnose for a few weeks. I had a hunch that the hack may involve the SystemMailbox account (which of course is disabled), but this was based on checking security logs and seeing who was logged in at the same time as the spam was dumped into the queue. I have got around it for the moment (I hope) by loading the ORF relay and spam tool but I would really like to know how this hack is being perpetrated as I have a whole stack of other Exchange servers to look after and I really don't want this to get out of control... So if anyone has made any progress I would really appreciated you sharing your experience. Thanks ______________ Geoffrey Williams KAT International T: 02 9904 3137 F: 02 9904 0232 M: 0417 281 905 This email is confidential and intended for the recipient only. If you receive it in error please delete it immediately.

1 0

Cisco ISDN config
by Michael Hallager 25 Oct '03

25 Oct '03

Hi all. I am after configurations for running a point-to-point link using two Cisco ISDN routers. At one end will be 192.168.1.0/24 and the other end will be 192.168.2.0/24 Tested configs only please. Thanks. Michael Hallager Managing Director Networkstuff Limited URL: http://www.networkstuff.co.nz Networkstuff, NZ's leading supplier of high quality used networking equipment. E-Mail: michael @ networkstuff.co.nz Member of the NZ Open Source Society. Member of the Auckland VHF Group. Amateur radio callsign: ZL1VMH.

1 0

The fraudsters used email forwarding and routing via a New Zealand-based service provider to cover their tracks.
by Andy Gardner 25 Oct '03

25 Oct '03

http://www.theregister.co.uk/content/55/33582.html NatWest customers targeted in 'phishing' scam "At the time of writing, the site, which seems to have been run off the servers of Hotbox hosting in Russia, has been replaced by a holding page. The fraudsters used email forwarding and routing via a New Zealand-based service provider to cover their tracks." Who was that, then?

1 0

Current Jetstream 'Deal'...
by Dan Clark 23 Oct '03

23 Oct '03

OK, we've all seen the $99.00 install fee for JetStream waived before but currently it would seem Telecom are only offering the free install if you connect via XTRA? http://www.telecom.co.nz/chm/0,5123,203191-202534,00.html I think if I was a consumer, I would find it a little hard to use another ISP's JetStream service via Telecom's website, it seems a bit anti-competitive. Fair enough it's Telecom's network but basicly forcing the consumer to use XTRA as an ISP? Regards Dan Clark Network Manager Scarfies.Net Ltd

7 7

Slasdot update: AT&T Blocking All Incoming Mail
by Jeff Williams 23 Oct '03

23 Oct '03

All, >From slashdot, See: http://www.sosdg.org/attmail.txt Regards, -- Jeffrey A. Williams Spokesman for INEGroup LLA. - (Over 134k members/stakeholders strong!) "Be precise in the use of words and expect precision from others" - Pierre Abelard =============================================================== CEO/DIR. Internet Network Eng. SR. Eng. Network data security Information Network Eng. Group. INEG. INC. E-Mail jwkckid1(a)ix.netcom.com Contact Number: 214-244-4827 or 214-244-3801

2 1

Re: [nznog] Current Jetstream 'Deal'...
by Richard Parkinson 23 Oct '03

23 Oct '03

I fail to see how raising a simple and valid question of possibly "biased" operators in this list has anything to do with my integrity. Frankly, you just raised a BIG question about your own "Integrity" in simply responding with a public attack on mine, when I have a valid point, being that other issues in this list go unnoticed and unchallenged for days, unless they are matters relating to Telecom's monopolistic way of doing business, in which case we are told to discontinue the thread. In my opinion, this thread had some valid content, perhaps some not, but the request for it to be stopped came far too quickly, Telecom staff member or not. I agree with Tikiri, it's time Telecom explained a few things like why no static IP's for jetstart instead of the " because it's a residential service " routine which simply reminds me of the childish answer you get from angry parents " ....because I said so ". I also agree that there is probably no point in saying much more in here, as it would be a better waste of time to put it all in a letter to someone at the appropriate government department. -----Original Message----- From: mark.harris(a)ssc.govt.nz [mailto:mark.harris(a)ssc.govt.nz] Sent: Friday, 24 October 2003 1:19 p.m. To: nznog(a)list.waikato.ac.nz Subject: RE: [nznog] (no subject) Richard Parkinson wrote: > > I agree with Donald, this thread doesn't seem entirely appropriate, > however I have seen less appropriate threads go on longer, and can't > help but notice the @telecom.co.nz after Donald's address. :). > I realise there's a smiley on the end of that, but sugar-coating an question to Donald's integrity says more about your own than I suspect you realise. Regards Mark Harris Moderator *.govt.nz State Services Commission PO Box 329, Wellington, NZ Tel: 64 4 495 2844 Email: moderator(a)ssc.govt.nz _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

1 0

(no subject)
by Richard Parkinson 23 Oct '03

23 Oct '03

I agree with Donald, this thread doesn't seem entirely appropriate, however I have seen less appropriate threads go on longer, and can't help but notice the @telecom.co.nz after Donald's address. :). >From a technical stand point, I would like to know the technical reasons as to why Telecom cannot provide other ISP's with the same level of national connectivity that Xtra have been getting, but then this probably isn't a technical issue. More like anti-competitive and predatory market tactics. -----Original Message----- From: Juha Saarinen [mailto:juha(a)saarinen.org] Sent: Friday, 24 October 2003 12:20 p.m. To: Donald Neal Cc: nznog(a)list.waikato.ac.nz Subject: Re: [nznog] Current Jetstream 'Deal'... Donald.Neal(a)telecom.co.nz wrote: > People, > > As you may recall, our AUP requires that > > 1. Discussion will focus on Internet operational and technical > issues. > > This thread should, in my view, either acquire some operational or > technical content or go away. > > - Donald Neal Doesn't ISPs discussing operational issues surrounding the provision of DSL to customers count? -- Juha _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

2 1

Research paper on the effects of spam
by Simon Byrnand 23 Oct '03

23 Oct '03

Interesting reading.... http://www.pewinternet.org/reports/toc.asp?Report=102 (Click "summary of findings", whose link is too big to post in email without wrapping :) Regards, Simon

2 2

RE: [nznog] Cloaked SPAM hosting service
by Donald Neal 23 Oct '03

23 Oct '03

> From: Tikiri Wicks [mailto:tcwicks(a)maxnet.co.nz] > Sent: Friday, 24 October 2003 12:59 > To: nznog(a)list.waikato.ac.nz > Subject: [nznog] Cloaked SPAM hosting service > > > This one is more alarming > > Cloaked SPAM hosting via hijacked computers > It's being sold by a Polish Hacker group > http://www.wired.com/news/business/0,1367,60747,00.html Nothing very new there, alas. This subject was among those discussed by Barry Ravendran Greene at the conference in July. Donald Neal | "They are not mistaken about Technical Specialist | what they want. It just Operations Engineering | conflicts with what they are Integration & Services Divn. | going to get." - [quoted Alcatel NZ Ltd | by Cathy Wittbrodt] All opinions mine only. | ------------------------------------------------------------------------------ "This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you." ------------------------------------------------------------------------------

1 0

RE: [nznog] (no subject)
by mark.harris＠ssc.govt.nz 23 Oct '03

23 Oct '03

Richard Parkinson wrote: > > I agree with Donald, this thread doesn't seem entirely appropriate, > however I have seen less appropriate threads go on longer, and can't > help but notice the @telecom.co.nz after Donald's address. :). > I realise there's a smiley on the end of that, but sugar-coating an question to Donald's integrity says more about your own than I suspect you realise. Regards Mark Harris Moderator *.govt.nz State Services Commission PO Box 329, Wellington, NZ Tel: 64 4 495 2844 Email: moderator(a)ssc.govt.nz

1 0

What can I say to this
by Tikiri Wicks 23 Oct '03

23 Oct '03

Hi Folks I'm just wondering if anyone has any feedback regarding this situation. I maintain a multi homed Linux router in the Seychelles Islands for the Seychelles government and the CTO of one of the ISP's wants me to use an IP of 217.161.116.143 with a netmask of 255.255.255.255 and a default gateway of 217.161.116.8. To explain it further they are running a fibre optic link to my linux router and at the other end of it they've got a cisco 2500 with an IP of 217.161.116.8. What I get is ethernet and they want me to use the IP 217.161.116.143 with a netmask of 255.255.255.255 on my linux router. I do not want to run IP unnumbered and anyway I cannot think of how anything but a CISCO can talk IP unnumbered to another CISCO. Everything I know and everything I ever learned says this is mission impossible. I am at a loss of words on what to say to this. Am I missing something here perhaps ? Can anyone think of anything to say to this. This ISP is called Atlas and their URL is http://www.seychelles.net They also happen to be the operators of the .sc ccTLD I would greatly appreciate any feedback from anyone as to what I could possibly say to these people. Then again maybe I missed something and maybe I am wrong ? Cheers Tikiri

5 9

RE: [nznog] Current Jetstream 'Deal'...
by Donald Neal 23 Oct '03

23 Oct '03

People, As you may recall, our AUP requires that 1. Discussion will focus on Internet operational and technical issues. This thread should, in my view, either acquire some operational or technical content or go away. - Donald Neal > -----Original Message----- > From: Richard Parkinson [mailto:Richard(a)sigel.co.nz] > Sent: Friday, 24 October 2003 11:29 > Cc: nznog(a)list.waikato.ac.nz > Subject: RE: [nznog] Current Jetstream 'Deal'... [...] > Not to mention their less than THIN excuses for not allowing ISP's to > control IP address assignment on Jetstart. Do they even still have a > reason? > > Telecom are way overdue for a big slap in the face over these issues. Donald Neal | "They are not mistaken about Technical Specialist | what they want. It just Operations Engineering | conflicts with what they are Integration & Services Divn. | going to get." - [quoted Alcatel NZ Ltd | by Cathy Wittbrodt] All opinions mine only. | ------------------------------------------------------------------------------ "This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you." ------------------------------------------------------------------------------

3 2

RE: [nznog] Current Jetstream 'Deal'...
by Richard Parkinson 23 Oct '03

23 Oct '03

More than once I have had to explain to clients that Jetstream isn't just Xtra. On one recent occasion one of my customers ordered Jetstream, and wasn't even consulted regarding their choice of ISP. They were simply given their Xtra login and password when the installer came onsite to install the jack and filter. Clearly Xtra have an unfair advantage over other ISP's when it comes to signups. Speaking of unfair advantages, I don't see any other ISP's having the ability to incorporate the monthly charges onto the Telecom phone bill? What about National traffic... Is it not true that Telecom's network routes and handles Xtra's national data way more efficiently, and that such data travels much more directly between points, as opposed to how it does for other ISP's whom have all the National data piped in on one PVC, then feed back out on another? Should other ISP's not be getting the same unbiased treatment? Not to mention their less than THIN excuses for not allowing ISP's to control IP address assignment on Jetstart. Do they even still have a reason? Telecom are way overdue for a big slap in the face over these issues. -----Original Message----- From: Simon Byrnand [mailto:simon(a)igrin.co.nz] Sent: Friday, 24 October 2003 9:52 a.m. To: Dan Clark; Juha Saarinen; David Mill Cc: nznog(a)list.waikato.ac.nz Subject: Re: [nznog] Current Jetstream 'Deal'... At 09:26 24/10/2003 +1300, Dan Clark wrote: >my point exactly. >I did not expect to call Telecom when I shift house recently and get >asked if I am already an XTRA customer then get told they will set that >up in a jiffy, I had to explain to the operator that I had no intention >of shifting ISP's and the operator was puzzled that I wouldn't want to >go with XTRA and above all he wasn't entirely aware that other ISP's >were offering JetStream! > >Regards >Dan Same thing happened to me a year ago when I moved house and needed the phone connected up, (first phone line in my name) and the guy at the other end started asking lots of leading questions about if I was likely to use the line for internet access, how many hours I currently used a month on the intenet etc, and then proceeded to try and sell me Xtra + Jetstream, so this is nothing new. (Remember, I just rang up to get the phone hooked up) Even after clearly saying that I knew what Jetstream was and how it worked, and wasn't interested in it at this time *AND* that I worked for an ISP and therefore already had a free dialup connection anyway, he was still trying to sell me on Xtra, and explain to me what Jetstream was and why its so wonderful.... I think I had to repeat myself two or three times before he gave up....so obviously the telecom staff are instructed to put the hard sell on everyone that rings up, pretty much regardless of what you're ringing about... Regards, Simon _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

2 1

RE: [nznog] Cisco 2948G-L3
by Craig Spiers 23 Oct '03

23 Oct '03

So what would you deam appropriate for this list? I have a wheelbarrow im looking to sell.. $30 ono.. Networking equipment for sale, on a networking related list.. Seems appropriate to me.. Ive seen many people offer sales and wanted's on this list before! Including Michael Hallager! -----Original Message----- From: Drazen Babich [mailto:Drazen.Babich(a)gen-i.co.nz] Sent: Thursday, October 23, 2003 7:15 PM To: 'Craig Spiers' Subject: RE: [nznog] Cisco 2948G-L3 Still, not the right place for things like those Craig, you have to admit... regards, Drazen -----Original Message----- From: Craig Spiers [mailto:craig(a)concept.net.nz] Sent: Thursday, 23 October 2003 3:57 p.m. To: michael(a)networkstuff.co.nz; 'Philip D'Ath' Cc: nznog(a)list.waikato.ac.nz Subject: RE: [nznog] Cisco 2948G-L3 Michael, Ive seen you post messages similar to this, to this list many many times. I think you need to take a chill pill. -----Original Message----- From: Michael Hallager [mailto:michael(a)networkstuff.co.nz] Sent: Thursday, October 23, 2003 2:01 PM To: Philip D'Ath Cc: nznog(a)list.waikato.ac.nz Subject: Re: [nznog] Cisco 2948G-L3 Do you think that you are special that you are excused from the list rules? This is not a trading forum. Advertise your item on Trademe or something. Michael Hallager Networkstuff Limited > I'm currently liquidating a Cisco 2948G-L3. The unit is new with > original packaging manuals and cables, and has only been used for demo > purposes. It will ship with a new warranty. > > RRP=$17,710+GST > Normal dealer buy would be=$12,928=GST > > Looking for around $10.5k+GST, or near offers. > > Offlist replies only please. > > > Philip D'Ath > CCNP, CCDA, BCMS > http://www.ifm.net.nz/ -- Michael Hallager Managing Director Networkstuff Limited URL: http://www.networkstuff.co.nz Networkstuff, NZ's leading supplier of high quality used networking equipment. E-Mail: michael @ networkstuff.co.nz Member of the NZ Open Source Society. Member of the Auckland VHF Group. Amateur radio callsign: ZL1VMH. _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog ###################################################################### This e-mail message has been scanned and cleared by MailMarshal at http://www.gen-i.co.nz ######################################################################

3 3

Cisco 2948G-L3
by Philip D'Ath 22 Oct '03

22 Oct '03

I'm currently liquidating a Cisco 2948G-L3. The unit is new with original packaging manuals and cables, and has only been used for demo purposes. It will ship with a new warranty. RRP=$17,710+GST Normal dealer buy would be=$12,928=GST Looking for around $10.5k+GST, or near offers. Offlist replies only please. Philip D'Ath CCNP, CCDA, BCMS http://www.ifm.net.nz/

3 2

FW: Heads-up: AT&T apparently going to whitelist-only inbound mai l
by Bowden, Terry 22 Oct '03

22 Oct '03

AT&T STATEMENT - CURRENT SPAM ATTACK - 22/10/03 AT&T and a number of other large companies have seen a marked increase in the amount of incoming SPAM in recent days. A team of experts that includes members from AT&T Labs, Network Services, and Corporate Security has implemented a number of procedures to remediate this situation and minimize its impact on those trying to send e-mail to "att.com" addresses. As of this morning - Wednesday, October 22nd - the level of incoming e-mail messages is returning to normal and the situation appears to be well in hand. Although all AT&T e-mail servers are fully operational at this time, some incoming messages are experiencing intermittent delays as SPAM filtering continues at all network gateways. Customers who received e-mail bulletins from AT&T Monday and Tuesday requesting specific information are advised to disregard those messages. They were inadvertently sent out in error and we apologize for any confusion or inconvenience they may have caused. Network reliability is one of our top priorities at AT&T, so for obvious reasons we will not be providing more detailed information regarding the specific security procedures implemented to curb this SPAM attack. We have no intention of helping those who generate this type of computer and Internet mischief. Terry Bowden

1 0

Heads-up: AT&T apparently going to whitelist-only inbound mail
by Simon Lyall 21 Oct '03

21 Oct '03

Forwarded from nanog. Apparantly this is already in place according to one person. I called the number listed and they advised sending details in. You can ask questions to the email address listed. The Callcenter person said they had been flooded with calls. -- Simon J. Lyall | Very Busy | Web: http://www.darkmere.gen.nz/ "To stay awake all night adds a day to your life" - Stilgar | eMT. ---------- Forwarded message ---------- Return-Path: <rm-antiattspam(a)ems.att.com> Message-ID: <3F80414B002D0EC2(a)attrh0i.attrh.att.com> (added by postmaster(a)attrh1i.attrh.att.com) Content-Disposition: inline Content-Transfer-Encoding: binary Content-Type: text/plain MIME-Version: 1.0 X-Mailer: MIME::Lite 2.102 (B2.12; Q2.03) Date: Tue, 21 Oct 2003 20:21:50 UT Subject: *** ACTION: IP Address of Outbound SMTP Server Requested (Updated 10/21/03) From: rm-antiattspam(a)ems.att.com AT&T Business Partners & Customers AT&T has received many of the requested IP addresses in response to an e-mail originally broadcast yesterday to our business partners and clients. However, we have also received many concerned responses to the original request. This 2nd e-mail is to let you know that this is a legitimate AT&T request asking for your cooperation, which will let us improve the service that AT&T offers you and that our partnership requires. We have provided a toll-free number below to help you confirm the legitimacy of this request. We have assembled the distribution list for this e-mail by looking up the administrative contacts for each of the known e-mail domains we currently exchange e-mail with, referencing WHOIS and other such services available via the Internet. What AT&T is asking is for you to help AT&T to restrict incoming mail to just our known and trusted sources (e.g., business partners, clients and customers). Therefore, we need to know which IP address(es) are used by your outbound e-mail service so we can selectively permit them. Please send this information to the following e-mail address (rm-antiattspam(a)ems.att.com) If you need assistance determining what these IP addresses are, please contact your company's administrative e-mail server support / network administration personnel. We regret that AT&T is burdening you with this request, but our AT&T security team is advising that we take this step to help safeguard our e-mail systems, which ultimately will help us serve you better. Please contact us with any concerns or questions: AT&T Security Help Desk 1-800-456-4230, prompt 4 (8am - 10pm est) Thank you for your prompt attention to this matter. We appreciate your cooperation. Sincerely, Brian Williams, IP Network Services Tim Scholl - District Manager, IP Network Services Kevin O'Connell - Division Manager, Information Technology Services Engineering Bill O'Hern - Division Manager, Network Security ----- Original Message (Sent Monday, 10/20/03) ----- AT&T has an urgent situation with our anti-spam list. In order to continue to allow email to AT&T you need to provide the IP addresses of all your outbound email gateways. If you do not respond immediately, your access may not continue. The required information should be sent to rm-antiattspam(a)ems.att.com. ----- End forwarded message -----

4 4

APE Peering - JSR.COM
by J S Russell 20 Oct '03

20 Oct '03

jsr.com (AS9897) is a new ISP/hosting provider/etc, designed primarily as a testbed platform for various new and developing technologies. Dialup/ADSL/wireless/etc Internet access through jsr.com is currently limited to a small and select customer-base. However, immediately upon launch jsr.com will be hosting a variety of very content-rich servers and websites. At this time, the vast majority of traffic from AS9897 is expected to be outbound from jsr.com netblocks to other "domestic" New Zealand providers. jsr.com is greatly interested in hearing from any other APE-connected entities who would like to set up a BGP peering session over the APE. Replies to jsr(a)jsr.com please. In the interest of network efficiency, jsr.com's official peering policy is "If you have an AS#, you are welcome to peer with us." JSR -- John S Russell | Big Geek | Doing geek stuff.

1 0

could maxnet contact me plz
by Simon Blake 15 Oct '03

15 Oct '03

Could whomever is responsible for APE peering for Maxnet please contact me off list. Cheers Si

1 0

domainz
by Dan Clark 14 Oct '03

14 Oct '03

Would someone at Domainz please contact me as soon as possible offlist. Kind Regards Dan Clark Network Manager Wickliffe Ltd Scarfies.Net Ltd

1 0

Re: [nznog] Paradise.net is on MX.RBl" spam blacklist
by Steve Phillips 13 Oct '03

13 Oct '03

Was bound to happen sooner or later with their "just press delete" policy toward abuse complaints about their customers spamming. -- Steve. At 09:15 p.m. 14/10/2003, Steve Withers wrote: >Anyone on paradise.net.nz trying to send mail to attglobal.net will have >no success due to paradise.net.nz being on the "MX.RBL" blacklist.....if >there is such a beast. The entry is dated october 2nd...... > >If MX.RBL is a widely used list, paradise users may have some trouble. > >I have reported this to paradise. > >-- >Steve Withers <swithers(a)mmp.org.nz> > >_______________________________________________ >NZNOG mailing list >NZNOG(a)list.waikato.ac.nz >http://list.waikato.ac.nz/mailman/listinfo/nznog

1 0

Paradise.net is on MX.RBl" spam blacklist
by Steve Withers 13 Oct '03

13 Oct '03

Anyone on paradise.net.nz trying to send mail to attglobal.net will have no success due to paradise.net.nz being on the "MX.RBL" blacklist.....if there is such a beast. The entry is dated october 2nd...... If MX.RBL is a widely used list, paradise users may have some trouble. I have reported this to paradise. -- Steve Withers <swithers(a)mmp.org.nz>

1 0

Cunning Vicodin SPAM Practice
by tltoh＠attglobal.net 13 Oct '03

13 Oct '03

Hi, Lately I would say majority of people have been bombarded with Vicodin SPAM as I've been getting about 30 a day for the last month. My delete key have been whinging at me asking for a holiday. And they are sending their SPAM email out through other networks which does not happen to be housing their websites. In my case the Vicodin websites which they are referring me to are as follows: www.medscheap.biz www.rxpalace.biz I manage to track down that both domain's happen to be registered to this person, Pio Lage (peterwolf1239(a)yahoo.com) Both sites are hosted in China which I have inform his network providers which houses both of his websites on his activity but I'm not sure what is the success rate and outcome of it. However so far for the last 6 days I haven't receive any Vicodin SPAM for www.medscheap.biz site at this stage, could be a good start. I could send an email if that is still a valid email account to the Domain owner but I don't want to be ended up in any other of their mailing scam. I thought of forwarding all his SPAM email back to him but I don't believe that is an appropriate practice at all. Any suggestion as to what else can be done to stop this kind of practice ? Thanks. Cheers, Leon

2 1

Re: [nznog] High volumes of ICMP echo request (type 8)
by Ewen McNeill 13 Oct '03

13 Oct '03

In message <20031013102226.GQ14751(a)citylink.co.nz>, Simon Blake writes: >On Mon, Oct 13, 2003 at 04:51:08PM +1300, Ewen McNeill said: >> And snooping on Citylink (which is implemented as a big LAN) shows >> much-higher-than-I'd-normally-expect volumes of ICMP echo requests > >Just a small point of protest here, there isn't higher volumes of >anything floating around Citylink And to be fair, it's ages since I've had reason to look, so "higher than I'd expect" is probably a pretty low standard. And a chunk of the volume was definitely NAT'd traffic outgoing; but not all of it. So these various worms are clearly still drifting about. You may well be right however that it was (mostly|just) stuff that was routed to/from that 'net; the volumes were such that it was difficult to get an accurate picture of exactly which addresses were involved it at the time. Sorry for implying otherwise. >Increased worm probing tends to manifest as increased ARP requests, >rather than ICMP packets. That, FWIW, is why 95% of all the >noise-to-every-port on Citylink is ARP requests to unused IP numbers. Likewise on the TelstraClear cable network -- there's a steady background level of ARP requests all the time, good for keeping the incoming data light flickering away to itself. Ewen

1 0

High volumes of ICMP echo request (type 8)
by Ewen McNeill 12 Oct '03

12 Oct '03

Hi, Is anyone else seeing very high volumes of ICMP echo requests today (ie, in the order of hundreds/thousands per second)? At one client I've been seeing in the order of 2000+ ICMP echo requests per minute from each of four different desktops (desktop support is tracking down the relevant desktops now) to IP addresses all over the net. And snooping on Citylink (which is implemented as a big LAN) shows much-higher-than-I'd-normally-expect volumes of ICMP echo requests flying around from all sorts of random addresses to all sorts of other random addresses. I'm aware that some worms use this as part of their probing/spreading (eg, MS Blaster) but not of any newly released worm (or worm due to make a comeback at present), so I'm a bit puzzled at it's "sudden" appearance. Ewen

5 4

Re: [nznog] High volumes of ICMP echo request (type 8)
by Ewen McNeill 12 Oct '03

12 Oct '03

In message <20031013045849.5E4DE3C486EB(a)basilica.la.naos.co.nz>, Ewen McNeill wr ites: >In message <874qyd4v8f.fsf(a)it029205.massey.ac.nz>, James Riden writes: >>Ewen McNeill <ewen(a)naos.co.nz> writes: >>> Is anyone else seeing very high volumes of ICMP echo requests today (ie, >>> in the order of hundreds/thousands per second)? [....] >> >>What do the ping packets look like? > >block in on ste7: [internal ip] > [victim ip]: icmp: echo request > 4500 005c 58fa 0000 7f01 4929 0a04 0102 > 3df3 5085 0800 c9c8 0200 d6e1 aaaa aaaa > aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa > aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa > aaaa aaaa As James pointed out, that's a truncated packet (to tcpdump's default snaplen). The real packet is 92 octets, with 64 octets of payload (0xaa octets). Which is what the Welchia/Nachi worm sends out. Desktop support at the client has found several of the machines generating these ICMP streams to be infected with the Welchia/Nachi worm, and are busy checking the rest. They also believe they've identified the source (a laptop that arrived back today IIRC). It has, however, highlighted which machines didn't get put into the default policy for lock downs, updates, etc .... So nothing new, it seems. Just another infection with another windows worm. Sorry to trouble you all. Ewen

1 0

Re: [nznog] High volumes of ICMP echo request (type 8)
by Ewen McNeill 12 Oct '03

12 Oct '03

In message <874qyd4v8f.fsf(a)it029205.massey.ac.nz>, James Riden writes: >Ewen McNeill <ewen(a)naos.co.nz> writes: >> Is anyone else seeing very high volumes of ICMP echo requests today (ie, >> in the order of hundreds/thousands per second)? [....] > >Welchia used pings, not Blaster.A IIRC. I've seen Welchia at around >180 packets/second on a LAN and it seems to do a strictly linear scan, >so it doesn't sound like that either. > >What do the ping packets look like? block in on ste7: [internal ip] > [victim ip]: icmp: echo request 4500 005c 58fa 0000 7f01 4929 0a04 0102 3df3 5085 0800 c9c8 0200 d6e1 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa Not very exciting. All the ones I've looked contain the same thing (ie IP and ICMP headers, and then filled to minimum packet size with 0xaa bytes). And the addresses aren't always as random as I first thought. When I narrow my scope down to one of the "infected" machines as a source, I sometimes see it walking netblocks sequentially (eg, one internal ip just walked all (most?) of 61.243/16). But when it got to the end of that, the pattern got less predictable again, hitting IPs in at about a dozen different /24s in an overlappped fashion (from the same internal IP). (Perhaps it's getting upset at getting no replies; I've been dropping it at the firewall since I noticed it happening.) I'm seeing around 6000 per second from a single IP address (ie, around 100/second) outgoing hitting the firewall. (It's easy to track a single IP address as these are internal ips; obviously tracking it from the "other end" would be considerably harder.) So I'm pretty much convinced those desktops have "caught" something, I'm just not sure what it is. (And since this client does mail filtering for spam/viruses/etc it's less likely to be a known email virus/worm.) Ewen

1 0

Brightmail Spam Performance
by Mark Frater 12 Oct '03

12 Oct '03

With a sample size of 1015 spam messages over 4 weeks and using a pop mailbox from a provider that recently announced free spam protection (but have been a bit quieter about it only being free 'till xmas), 709 spam messages were detected as spam and 308 spam messages were let through. ie Brightmail (as per the default settings used by this provider) lets through about 30% of spam. How does thing compare to other providers? I guess one woman's spam is another man's v1agra! Mark

3 2

Re: [nznog] ICMP and port 80 traffic
by Blair Harrison 09 Oct '03

09 Oct '03

On 10 Oct 2003 08:57:01 +1300 Donovan Jones <d.jones(a)comnet.co.nz> wrote: > We are seeing the same thing here its currently hitting some of our > unused address space. Yay, not just me! > > Have you found out anything more about it? > Heard a rumour of a variant of Welchia/Nachi.a but nothing more... Still seeing it streaming in... :( Cheers, Blair

2 1

ICMP and port 80 traffic
by Blair Harrison 08 Oct '03

08 Oct '03

Hi All Is anyone else seeing a massive increase in ICMP and traffic to port 80? I started noticing this last night on one of my subnets that is mostly unused, just a huge amount of packets to random addresses. It's still going flat tack.. I've grabbed a quick packet dump if any of you want to see what I mean - it's in tcpdump format. http://blair.wise.net.nz/~blair/icmpandport80.gz Is this some worm variant that nobody's figured out yet? Cheers, Blair Harrison Systems Administrator WISE Net http://wise.net.nz

1 0

Intermittent Problems with web
by Peter Youngquest 06 Oct '03

06 Oct '03

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello All Is anyone else having intermittent problems getting to such sites as theregister.co.uk, msn.com, and openbsd.org. Regards Peter Youngquest Prophecy Networks -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE/gjts4jYAySTLDnsRAjEwAJ4la3MWi/5zW4wLSoekc71dV+r3yQCeIcFa cVHpbYU4iMrg988iffOhe/Y= =281E -----END PGP SIGNATURE-----

1 0

SANOG III Announcement
by Joe Abley 04 Oct '03

04 Oct '03

> South Asian Network Operators Group (SANOG) III Annoucement > > SANOG III: 15-22 January, 2004, Bangalore, India > > SANOG III will be colocated with the South Asian IPv6 Summit in the > silicon city of India. As in the past, the SANOG program will feature > workshops, tutorials and presentations on operational areas of interest > to the South Asian Internet community. The meeting will be hosted by > IPv6 Forum India. The program structure will be as follows > > 15-18 January, 2004 -- Workshops > 19-20 January, 2004 -- Tutorials > 21-22 January, 2004 -- SANOG Meeting / IPv6 Summit > > We welcome presentations during the Meeting. We would like to hear > about your own experiences and research on making sure the Internet > works the way it is intended to. > > Please write to gaurab at lahai.com with your expression of interest. > More information at www.sanog.org

1 0

[Fwd: [RegistrarsList] VeriSign NDS Response to Suspension of Site Finder Service (KMM1024708V22161L0KM)]
by Peter Mott 03 Oct '03

03 Oct '03

A partial victory! -------- Original Message -------- Subject: [RegistrarsList] VeriSign NDS Response to Suspension of Site Finder Service (KMM1024708V22161L0KM) Resent-Date: Sat, 4 Oct 2003 11:15:16 +1200 Resent-From: peter(a)2day.com Resent-To: peter.mott(a)2day.com Date: Fri, 03 Oct 2003 16:08:23 -0700 From: VeriSign Customer Service <info(a)verisign-grs.com> Reply-To: VeriSign Customer Service <info(a)verisign-grs.com> To: <registrars(a)verisign-grs.com> To All Registrars, I am writing to update you on VeriSigns Site Finder service. On Friday, October 3rd, the Internet Corporation for Assigned Names and Numbers (ICANN) directed VeriSign, Inc., to temporarily suspend service no later than 6PM PST, Saturday, October 4. VeriSign requested an extension from ICANN for 3 additional days for the shut down in order to provide the technical community time to make any necessary system changes. Unfortunately, ICANN refused this request. Accordingly, in response to this demand, VeriSign is temporarily suspending the Site Finder service as of Saturday, October 4 at 6PM PST. In suspending the service, VeriSign will remove the wildcard A records from the .com and .net zones and revert to the former behavior for these zones which is returning Name Error/RCODE=3 in response to queries for nonexistent domain names. VeriSign remains committed to improving the Internet user experience. We look forward to providing the Site Finder service following this suspension. Thank you for your business. We greatly value our relationship with you. Best Regards, Chris Sheridan Manager, Customer Service VeriSign, Inc. www.verisign.com --------- Participants on the VeriSign registrars list are requested to not cross-post messages. -- Peter Mott Chief Enthusiast 2DAY INTERNET LIMITED http://www.2day.com "Hell, there are no rules here - we're trying to accomplish something!" Thomas A Edison

1 0

NZNOG 2004 - Call for Presenters
by Donald Neal 02 Oct '03

02 Oct '03

Call for Presenters NZNOG'04 a.k.a. Big Geek Programme 04 (BGP-04) The next meeting of the New Zealand Network Operators' Group is to be held in Hamilton on January 29th and 30th 2004. Our hosts are the University of Waikato's WAND Network research group. NZNOG meetings provide opportunities for the exchange of technical information and discussion of issues relating to the operation of network services, with particular emphasis on New Zealand. NZNOG invites presentations on relevant topics. Suitable topics include, but are not limited to: Operation of the DNS in New Zealand; Carrier IP network structures; Internet exchange activities; VoIP deployment; IP Routing theory or practice; Access technologies; Network management tools and practices. Presentations from researchers and from practitioners are welcomed. Presentations don't need to fit any particular fixed length. In addition to more substantiative talks we hope to include a session of very short presentations this year as a forum for floating an idea or reporting on a discovery in a less formal manner. The possibility exists that the meeting might be extended beyond two days to accommodate suitable material. Suggestions for topics for presentations or discussions are also welcome. Prospective presenters should in the first case send email to talks(a)nznog.org describing their intended presentation topic, and giving some idea of the level of detail and length of presentation which would suit them. We'd prefer to receive offers to present sooner rather than later, but the deadline is 23 November 2003, with the last acceptances to be notified not later than 30 November. Further information, as it becomes available, will be posted at: www.nznog.org Donald Neal | "Stucco - A hitherto Technical Specialist | unknown Marx brother." Operations Engineering | [Barry Cryer] Integration & Services Divn. | Alcatel NZ Ltd | All opinions mine only. | ------------------------------------------------------------------------------ "This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you." ------------------------------------------------------------------------------

1 0

Fwd: Second Level Domains Policy Review
by Steven Heath 30 Sep '03

30 Sep '03

I think all the members of this WG are on NZNOG. I am sure they would agree with me in saying that we welcome any and all feedback. Summary: Read background paper that we wrote at: http://dnc.org.nz/content/2ld_background.pdf And complete online form at: http://dnc.org.nz/2ldFeedback.php Or email policies(a)dnc.org.nz with your comments/ideas/thinking. Steven Heath Second Level Domains Policy Review Published at 01 Oct 2003 14:13 InternetNZ, through the Office of the Domain Name Commissioner, is reviewing the existing Second Level Domains policy (http://dnc.org.nz/content/second_level_domains.pdf) A Working Group was established by the .nz Oversight Committee earlier this year to conduct the review. The Working Group is seeking public input to assist in developing a revised draft policy, which will also be subject to public consultation. The current Second Level Domains policy deals with three critical areas: the structure of the existing Second Level Domains, the moderation of Second Level Domains, and the process for establishing new Second Level Domains. Debate so far in the Working Group has identified two major areas for reform: Whether the process for creating new second level domains should be modified and whether that modification should simplify the process. The existing process lacks adequate criteria for decisions about the addition of new Second Level domains and has generated concern in the past. Whether there should be direct public registrations allowed at the second level in the .nz space. This has a number of implications which need to be considered around dealing with the existing second level domains after any change; dealing with conflicts between existing third level registrants if the second level is opened and others. In addition to these two key areas, the Working Group is seeking feedback on the existing Second Level Domains and their ongoing relevance, and would also like to receive comments and suggestions about any other aspect of the existing policy. To assist with this consultation a background paper has been produced. This outlines the current policy, expands on the issues for consideration and poses some more specific questions for consideration. It is available at: http://dnc.org.nz/content/2ld_background.pdf Public comment, on the specific issues identified above and in the accompanying background paper - or any other issues relating to the Second Level Domains policy - is sought by Monday 10 November 2003. To assist with the feedback process, you can use an online feedback form. The questions in the form are those presented in the background paper. The form is available at: http://dnc.org.nz/2ldFeedback.php InternetNZ also maintains a public email list for discussion of the review. To subscribe, send a blank email to nz-review-subscribe(a)internetnz.net.nz. Please email comments to policies(a)dnc.org.nz, fax them to +64 4 495 2115, or post them to the Office of the Domain Name Commissioner, PO Box 11-881, Wellington. NB: Notice of all comments will be published on this page, as they are received. Comments will be published on the site in PDF format. Confidential comments can be made on application; people wishing to make a confidential comment should forward a request with reasons to the submission address above. ----- End forwarded message ----- Steven Heath .nz news & views www.nznews.org.nz

1 0

Crimes Amendment Act 2003
by david＠farrar.com 30 Sep '03

30 Sep '03

Nznogers may want to note that as of today (1st October) the Crimes Amendment Act 2003 (previously the Crimes Amendment Bill no 6) came into force. This Act, amending the 1961 Crimes Act, may potentially affect many internet users and providers (esp the unauthorised access provisions). It has been commonly known as the anti-hacking bill. InternetNZ in July prepared a brief paper on aspects of the Act which may affect internet users and providers. The paper is at http://www.internetnz.net.nz/public/committee-reports/ctte-legal-and-regula… or http://tinyurl.com/g9vj The revised Crimes Act is not yet online but I have the key clauses in electronic format if anyone would like a copy. DPF

1 0

The New Zealand Network Operators' Group
by Donald Neal 30 Sep '03

30 Sep '03

The New Zealand Network Operators' Group The New Zealand Network Operators' Group (NZNOG) has no king, president or formal membership. At present it consists of the subscribers to this mailing list, which anyone is free to join. A face-to-face gathering is to take place in Hamilton on January 29 and 30 next year, hosted by the WAND group. Suggestions for content you'd like to see are welcome, and a Call for Presenters should be issued shortly. Also see http://thursdaynightcurry.com/about.html if you live in or near Wellington or Auckland. Operators' Contact List See http://www.usenet.net.nz/noc/ for operational contact details for most New Zealand ISP's. These are intended for use by other network operators rather than by most customers. Auckland Peering Exchange See http://www.ape.net.nz/ for details of the Auckland Peering Exchange and those connected there. About This Mailing List This list has around 530 addresses subscribed. You may only post to the list from a subscribed address. A number of people subscribe addresses which do not receive email purely to allow posting from them. The NZNOG mailing list is provided through a server at The University of Waikato, and is administered by an employee of Alcatel NZ Ltd. Neither of these organisations, nor the administrator, is responsible for its content. NZNOG Mailing List Acceptable Use Policy The NZNOG mailing list exists to provide a forum for the exchange of technical information and the discussion of implementation issues that require cooperation among New Zealand network service providers. In order to continue to provide a useful forum for discussion of relevant technical issues, users of the list are asked to respect the following guidelines. 1. Discussion will focus on Internet operational and technical issues. 2. Discussion related to meetings of network service providers is appropriate. 3. Discussion unrelated to these topics is not appropriate. 4. Postings to multiple mailing lists are discouraged. 5. Postings that include foul language, character assassination, and lack of respect for other participants are unacceptable. 6. Blatant product or service marketing is unacceptable. 7. Postings of a political, philosophical or legal nature are discouraged. 8. Postings to the list should be in ASCII or MIME encoded as text/plain. Attachments should not be sent to the list. To present a document, a suitable URL may be referred to. For documents of general interest, the use of proprietary file formats is discouraged. 9. Breaches of list etiquette should be dealt with privately with the offending list user, and should not result in complaints being sent to the list. 10. A person repeatedly breaching list etiquette shall receive warnings from the list administrator. A further breach after the second such warning within thirty days shall result in the offender being unsubscribed from the list. Other action may also be taken to block postings to the list by the offender. Any such unsubscription is to be immediately announced to the list. Mailing List Archives A full archive is available at http://list.waikato.ac.nz/archives/nznog/ Any message sent to the list will be archived and made available on the web automatically. Changes are not made to the archive on request, though the administrator remains happy to assist the Office of the Privacy Commissioner should any complaint be laid with that office. One way to search the archive is to use google and prefix your search with site:list.waikato.ac.nz . Subscribing to the List See http://list.waikato.ac.nz/mailman/listinfo/nznog to subscribe. Donald Neal NZNOG Mailing List Owner/Administrator/Muggins ------------------------------------------------------------------------------ "This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you." ------------------------------------------------------------------------------

1 0

RE: [nznog] Argghhh.... [Fwd: Your e-mail message was blocked]
by Frank March 29 Sep '03

29 Sep '03

This IS an interesting, if somewhat prolonged, discussion and, needless to say perhaps, I agree with Donald that spam filtering is an operational issue of relevance to this list. But it is also a policy issue of interest to the NZ Government, which is what my job is about. To say that I can change my job as suggested by Joe (clearly I can and maybe in the fullnss of time I will, but that IS irrelevant) somewhat misses the point of why I am on this list... it is because of my *present* job that I think it important. There are many issues of possible government policy relevance that emerge on this list in different ways, spam is just one. Which irony has been pointed out to those who dictate the operational policy for this Ministry. Unfortunately, they do not subscribe to NZNOG as far as I can determine. -- Frank March Telephone (+64 4) 474 2908 Senior Specialist Advisor Fax (+64 4) 474 2659 Information Technology Policy Group Mobile: (+64) 21 042 9205 Ministry of Economic Development, Wellington, New Zealand -----Original Message----- From: Donald Neal [mailto:Donald.Neal(a)telecom.co.nz] Sent: Monday, 29 September 2003 10:11 To: nznog(a)list.waikato.ac.nz Subject: RE: [nznog] Argghhh.... [Fwd: Your e-mail message was blocked] > From: Simon Byrnand [mailto:simon(a)igrin.co.nz] > Sent: Monday, 29 September 2003 09:21 > To: Joe Abley; Russell Fulton > Cc: nznog > Subject: Re: [nznog] Argghhh.... [Fwd: Your e-mail message > was blocked] > >> >He also has the option of finding a new job, if the policies of his > >employer don't suit him. > > C'mon people (not just Joe) this thread is now getting *way* > off topic, > (I'm surprised Donald hasn't stepped in yet) although > admitedly my original > message was somewhat off topic as well. This is a list for network operators, which doesn't just mean telcos and ISP's. My view is that discussion of spam filtering is appropriate. Granted, by the time we get onto what employees should be allowed to do we may indeed have wandered a bit. http://www.govt.nz - connecting you to New Zealand central & local government services Any opinions expressed in this message are not necessarily those of the Ministry of Economic Development. This message and any files transmitted with it are confidential and solely for the use of the intended recipient. If you are not the intended recipient or the person responsible for delivery to the intended recipient, be advised that you have received this message in error and that any use is strictly prohibited. Please contact the sender and delete the message and any attachment from your computer.

4 3

RE: [nznog] Argghhh.... [Fwd: Your e-mail message was blocked]
by Donald Neal 28 Sep '03

28 Sep '03

> From: Simon Byrnand [mailto:simon(a)igrin.co.nz] > Sent: Monday, 29 September 2003 09:21 > To: Joe Abley; Russell Fulton > Cc: nznog > Subject: Re: [nznog] Argghhh.... [Fwd: Your e-mail message > was blocked] > > > At 13:48 28/09/2003 -0400, Joe Abley wrote: > > >On Saturday, Sep 27, 2003, at 14:59 Canada/Eastern, Russell > Fulton wrote: > > > >>However, some employers also have policies that forbid access to > >>alternate mail sources (hotmail & ISP accounts) for > legitimate reasons. > >>This leaves some one like Frank having to follow work > related lists that > >>run foul of the corporate filter in their own time from home. > > > >He also has the option of finding a new job, if the policies of his > >employer don't suit him. > > C'mon people (not just Joe) this thread is now getting *way* > off topic, > (I'm surprised Donald hasn't stepped in yet) although > admitedly my original > message was somewhat off topic as well. This is a list for network operators, which doesn't just mean telcos and ISP's. My view is that discussion of spam filtering is appropriate. Granted, by the time we get onto what employees should be allowed to do we may indeed have wandered a bit. Donald Neal | "And if you think virus Technical Specialist | writers are scary, you Operations Engineering | have clearly never met a Integration & Services Divn. | tort lawyer." Alcatel NZ Ltd | - The Economist 28/8/03 All opinions mine only. | ------------------------------------------------------------------------------ "This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you." ------------------------------------------------------------------------------

1 0

RE: [nznog] Argghhh.... [Fwd: Your e-mail message was blocked]
by Frank March 28 Sep '03

28 Sep '03

Apologies for not getting onto this yesterday as I was involved in a meeting offsite all day. This Ministry uses MailMarshall. I am not responsible for the way it is set up and I have complained frequently about the type of email that gets blocked by it. In the past, it has blocked, inter alia, the monthly messages outlining this list's AUP and other matters from the redoubtable Donald Neal. Given Donald's care with language and his email courtesy the mind fairly boggles at the thought. On average Mailmarshal as configured here seems to catch 50% of genuine spam 'aimed' at me (but is getting better) and about 25% of the blocking messages are false positives (despite recent problems with this list, I think this might also be improving incrementally). Nevertheless, personally, I would much rather have the spam. The record with virus filtering is, however, exemplary. Although I seldom post to this list (and when I do it is arguably off-topic on occasions), and most of the traffic is of marginal direct interest to me, I do find this list useful as a gauge of the temperature and general health of the Net in NZ which is immensely valuable for my job. However, if the problem persists, and complaints persist, I will remove myself from the list. I would regard this as being a very unfortunate outcome. And, by the way, and anticipating a message later in the thread from Juha, I dont ever recall his swearing at me (about me perhaps....) -- Frank March Telephone (+64 4) 474 2908 Senior Specialist Advisor Fax (+64 4) 474 2659 Information Technology Policy Group Mobile: (+64) 21 042 9205 Ministry of Economic Development, Wellington, New Zealand -----Original Message----- From: Simon Byrnand [mailto:simon(a)igrin.co.nz] Sent: Wednesday, 24 September 2003 23:17 To: nznog(a)list.waikato.ac.nz Subject: [nznog] Argghhh.... [Fwd: Your e-mail message was blocked] Sigh... Could the owner of this charming little content filter please see if it has an option to NOT reply to messages that aren't specifically addressed to the recipient. (EG messages comming in through mailing lists etc) Or perhaps consider subscribing via another address that isn't filtered. It gets a little tiring to have every second message I send to this list get a bounce from an overactive content filter because it might have "bad words" in it or in this case might be a "hoax and/or chain letter"..... (Huh ??? What in my message looks like a hoax ?) Regards, Simon ---------------------------- Original Message ---------------------------- Subject: Your e-mail message was blocked From: Actionline(a)med.govt.nz Date: Wed, September 24, 2003 11:09 pm To: simon(a)igrin.co.nz Cc: Frank.March(a)med.govt.nz -------------------------------------------------------------------------- MailMarshal (an automated content monitoring gateway) has stopped the following e-mail as it is likely to be a Hoax and/or Chain Letter. Message: B00013c776.00000001.mml From: simon(a)igrin.co.nz To: Frank.March(a)med.govt.nz Subject: Re: [nznog] SPAM (Fw: PLEASE ASSIST) If you believe the above e-mail to be business related please contact Actionline(a)med.govt.nz to arrange for the message to be released to its intended recipients. The blocked e-mail will be automatically deleted after 30 days. _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog http://www.govt.nz - connecting you to New Zealand central & local government services Any opinions expressed in this message are not necessarily those of the Ministry of Economic Development. This message and any files transmitted with it are confidential and solely for the use of the intended recipient. If you are not the intended recipient or the person responsible for delivery to the intended recipient, be advised that you have received this message in error and that any use is strictly prohibited. Please contact the sender and delete the message and any attachment from your computer.

18 34

Re: [nznog] New Team Cymru IP2ASN whois server
by Simon Lyall 25 Sep '03

25 Sep '03

A similar thing that people might like is the recent new service from routeviews.org. They have a little route server to DNS gateway so you can do things like: $ host -t txt 252.109.203.asn.routeviews.org 252.109.203.asn.routeviews.org text "7657" "203.109.252.0" "22" $ host -t txt 252.109.203.aspath.routeviews.org 252.109.203.aspath.routeviews.org text "2914 4565 7657 7657 7657" "203.109.252.0" "22" $ host -t txt 132.92.96.203.asn.routeviews.org 132.92.96.203.asn.routeviews.org text "4648" "203.96.64.0" "19" $ host -t txt 132.92.96.203.aspath.routeviews.org 132.92.96.203.aspath.routeviews.org text "2914 1239 4648" "203.96.64.0" "19" Very cool imho. -- Simon J. Lyall | Very Busy | Web: http://www.darkmere.gen.nz/ "To stay awake all night adds a day to your life" - Stilgar | eMT. I've seen things you people can't imagine. Chimneysweeps on fire over the roofs of London. I've watched kite-strings glitter in the sun at Hyde Park Gate. All these things will be lost in time, like chalk-paintings in the rain. Time for my nap. -- Julie Andrews, Bladestroller ( by Peter da Silva )

1 0

New Team Cymru IP2ASN whois server
by Rob Thomas 25 Sep '03

25 Sep '03

Fellow networkers, Team Cymru is happy to announce the availability of a public whois server dedicated to mapping IP numbers to ASNs, located at whois.cymru.com. You can find the link to this tool at: http://www.cymru.com/BGP/whois.html This link has been added to our main BGP data page available at: http://www.cymru.com/BGP/index.html We have also extended the functionality of this daemon to support BULK IP submissions for those who wish to further optimize their queries with netcat. Following is a quick overview of how to use it: $ whois -h whois.cymru.com <IP> Where <IP> is replaced by the IP you'd like to map, like so: $ whois -h whois.cymru.com 4.2.2.1 ASN | IP | Name 3356 | 4.2.2.1 | LEVEL3 Level 3 Communications You can also include port information, and/or timestamps in your queries. Be sure to include quotes around your queries, or the daemon will interpret your request as multiple lines: $ whois -h whois.cymru.com "4.2.2.1 -0600 GMT" ASN | IP | Info | Name 3356 | 4.2.2.1 | -0600 GMT | LEVEL3 Level 3 Communications For instructions on how to submit BULK queries via netcat, simply issue the following command: $ whois -h whois.cymru.com help We hope you find this tool useful. Stay tuned for more features! If you have any comments or suggestions as to how we might improve this service, feel free to let us know! Thanks, Rob, for Team Cymru. -- Rob Thomas http://www.cymru.com ASSERT(coffee != empty);

1 0

Re: [nznog] MS viruses
by Ewen McNeill 25 Sep '03

25 Sep '03

In message <006c01c383e5$51ffe4a0$6403c80a(a)uranus.clear.co.nz>, "Barry Murphy" writes: >Hmm, I just had one of the MS update viruses slip through, how many >variants of this are there? 1Kb file ;/ I've seen several copies of Swen which have come through in "neutered" form, with the executable atachment either completely missing, or the MIME headers there for it but no encoded body, or a very short encoded body. (The only reason they're getting through is because of that: I'm filtering on the executable's MIME encoding, amongst other things.) As far as I can tell they're not varients so much as the email having been through some sort of (transparent?) email filter which stripped off the executable attachement. One of my clients had a bit of a panic over one of those "neutered" versions getting in (with a 78 byte attachement instead of the executable), but it all turned out to be harmless. That said, they were planning on adding more filter rules, just to avoid confused users (and the resulting flood of calls into the helpdesk). Of course I suspect there'll be a few more copycats before the year is out. Ewen

1 0

MS viruses
by Barry Murphy 25 Sep '03

25 Sep '03

Hmm, I just had one of the MS update viruses slip through, how many variants of this are there? 1Kb file ;/ Barry

3 3

19" Server Rack in Auckland area?
by Dan Clark 25 Sep '03

25 Sep '03

Hi Guys, Does anyone have a spare 2nd hand 19" server rack in the Auckland area (or there abouts). Please contact me off list. Kind Regards, Dan Clark Network Manager Scarfies.Net Ltd Wickliffe Ltd

1 0

Re: [nznog] IP / domain blocking for SPAM prevention
by david＠farrar.com 25 Sep '03

25 Sep '03

> On Fri, 2003-09-26 at 14:00, david(a)farrar.com wrote: > > > Oh I agree they do - but at the scale of the ISPs with > > 10 million+ customers or products that are in wide use. > > I can't see a spammer adjusting anything just because > > they read on a website that Ihug with 80,000 customers > > uses Spam Assassin. > > The key phrase there is "I can't see", it doesn't matter > what you can't see, it matters what the people (the ISP > industry) see, if they aren't comfortable giving out the > measures they take then any central page where people can > easily see what people are using will be useless. Well I don't think I have suggested it is going to be compulsory or anything. In fact it is only one of hundreds of possible aspects of an overall anti spam campaign. Of course it is up to ISPs to list whatever details they want. If no-one lists anything then we just have a very short page. I would suggest that more and more consumers will pick an ISP on the basis of services like spam filtering. I have helped several people swap ISPs from those who do not have anti spam technology to those who do. Ihug's spam assassin (free plug) has been a huge benefit to me and it's the best $2.50/mth I spend. Anyway enough bandwidth wasted on this. My last post on the topic. DPF

1 0

Re: [nznog] IP / domain blocking for SPAM prevention
by david＠farrar.com 25 Sep '03

25 Sep '03

Quite the opposite. It is because they are in wide use spammers will try and get past them. But the NZ market is so miniscule that a list of what NZ ISP uses what is going to have IMO zero effect on what products spammers try to work around. I have never said that spammers do not try to get around anti spam filters. I have just said that publicising what anti spam filter a NZ ISP uses, is not going to affect the behaviour of the spammer (Unless they were for some reason targetting that ISP as a revenge thing). DPF > Hi David, > > So are you saying that in your estimation, products like > spam assassin are not in wide use? > > jamie > > >>> <david(a)farrar.com> 26/9/2003 2:00:38 PM >>> > > david(a)farrar.com wrote: > > > > > I actually think it is highly unlikely that with the > > > way spammers work they would try to tailor spam > > > individually for each ISP to get past what they think > > > are its filters. We are not big enough for that. > > > They just throw out 100 million of them and hope say > > > 10 million of them get through and are not too worried > > > if it is 10.0 million or 10.05 million. > > > > Spammers do try to get past filtering, and use different > > methods for AOL, Hotmail, etc. Some try to poison > > auto-learning filters as well. > > Oh I agree they do - but at the scale of the ISPs with 10 > million+ customers or products that are in wide use. I > can't see a spammer adjusting anything just because they > read on a website that Ihug with 80,000 customers uses > Spam Assassin. > > DPF > _______________________________________________ > NZNOG mailing list > NZNOG(a)list.waikato.ac.nz > http://list.waikato.ac.nz/mailman/listinfo/nznog > >

1 0

Re: [nznog] IP / domain blocking for SPAM prevention
by david＠farrar.com 25 Sep '03

25 Sep '03

> david(a)farrar.com wrote: > > > Oh I agree they do - but at the scale of the ISPs with > > 10 million+ customers or products that are in wide use. > > I can't see a spammer adjusting anything just because > > they read on a website that Ihug with 80,000 customers > > uses Spam Assassin. > > And yes, spammers do try to get past Spam Assassin as > well. This is probably getting to the point of off topic, but I never said they didn't. But they try to get past spam assassin because it is a widely used spam filter, not because they are going to go a NZ website, read that hey Black Albatross use Spam Assassin, so hey I'd better try and get around it. DPF

1 0

Re: [nznog] IP / domain blocking for SPAM prevention
by david＠farrar.com 25 Sep '03

25 Sep '03

> david(a)farrar.com wrote: > > > I actually think it is highly unlikely that with the way > > spammers work they would try to tailor spam individually > > for each ISP to get past what they think are its > > filters. We are not big enough for that. They just > > throw out 100 million of them and hope say 10 million of > > them get through and are not too worried if it is 10.0 > > million or 10.05 million. > > Spammers do try to get past filtering, and use different > methods for AOL, Hotmail, etc. Some try to poison > auto-learning filters as well. Oh I agree they do - but at the scale of the ISPs with 10 million+ customers or products that are in wide use. I can't see a spammer adjusting anything just because they read on a website that Ihug with 80,000 customers uses Spam Assassin. DPF

3 2

Re: [nznog] IP / domain blocking for SPAM prevention
by Jamie Baddeley 25 Sep '03

25 Sep '03

Hi David, So are you saying that in your estimation, products like spam assassin are not in wide use? jamie >>> <david(a)farrar.com> 26/9/2003 2:00:38 PM >>> > david(a)farrar.com wrote: > > > I actually think it is highly unlikely that with the way > > spammers work they would try to tailor spam individually > > for each ISP to get past what they think are its > > filters. We are not big enough for that. They just > > throw out 100 million of them and hope say 10 million of > > them get through and are not too worried if it is 10.0 > > million or 10.05 million. > > Spammers do try to get past filtering, and use different > methods for AOL, Hotmail, etc. Some try to poison > auto-learning filters as well. Oh I agree they do - but at the scale of the ISPs with 10 million+ customers or products that are in wide use. I can't see a spammer adjusting anything just because they read on a website that Ihug with 80,000 customers uses Spam Assassin. DPF _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

1 0

Re: [nznog] IP / domain blocking for SPAM prevention
by david＠farrar.com 25 Sep '03

25 Sep '03

> On Fri, 2003-09-26 at 12:19, david(a)farrar.com wrote: > > > Probably an appropriate time for me to mention that one > > of the activities that the InternetNZ Spam Taskforce is > > looking at is an easy to access website where ISPs and > > others can list what spam technologies they use and have > > available (both at server level and for clients to use). > > So the spammers can see what systems that have to beat to > get their crap through, no thanks. > > I'd happily list on a page that said "These guys do > spam/anti virus filtering" so long as I didn't have to say > in detail what we did. People can give as much detail as they want. I would agree you would not want to list for example the exact filters in place (however noting that at http://www.mirror.ac.uk/sites/spamassassin.taint.org/spamassassin.org/tests… they do list the exact filters and SA works pretty damn well IMO), but detail such as "Use Brightmail", "Use Bayesian Filtering", "Use Spews blacklist" may be useful for consumer choice. Other details I would see as useful if whether the ISP actually filters or just labels so users can filter on the labels. Is the spam filter compulsory or opt-in. Does it cost extra. If they filter is there a spam recovery folder you can check for false positives etc. I actually think it is highly unlikely that with the way spammers work they would try to tailor spam individually for each ISP to get past what they think are its filters. We are not big enough for that. They just throw out 100 million of them and hope say 10 million of them get through and are not too worried if it is 10.0 million or 10.05 million. DPF

2 1

RE: [nznog] IP / domain blocking for SPAM prevention
by Michael Bordignon 25 Sep '03

25 Sep '03

> So the spammers can see what systems that have to beat to get > their crap through, no thanks. How are others supposed to learn then? trial and error? Michael

1 0

Re: [nznog] IP / domain blocking for SPAM prevention
by david＠farrar.com 25 Sep '03

25 Sep '03

> At 10:38 a.m. 26/09/2003, Claire wrote: > > Actually, at least one ISP in the NZ market already has a > 'Virtual Mail Server' ASP product out there, with Spam > and Content Control features coming in the next few > weeks. Probably an appropriate time for me to mention that one of the activities that the InternetNZ Spam Taskforce is looking at is an easy to access website where ISPs and others can list what spam technologies they use and have available (both at server level and for clients to use). Another aspect may be some sort of guide to commercial solutions. Want to avoid it being an "INZ says this is good or bad" but something where users can rate and review solutions so more people are aware of the limitations of Mail Marshall (as one example) or Mailwasher (great product, but bounce facility is inappropriate as it forges) as another example. Consumers Institute is also looking at doing a survey in the near future, and we may team up with them to do one combined survey. DPF

2 1

Xtra outage?
by Juha Saarinen 25 Sep '03

25 Sep '03

So what was the deal there? The Xtra network status page is indecipherable. No idea what "Period: inactive" means, but it looks like customers in 03, 06, 07 and 09 areas couldn't dial into Xtra. Did this affect other ISPs too? -- Juha Saarinen

3 6

FW: Your e-mail message was blocked
by Richard Parkinson 25 Sep '03

25 Sep '03

I tend to turn all this notification stuff off though, so MM doesn't harass the sender for a legitimate email :) -----Original Message----- From: Actionline(a)med.govt.nz [mailto:Actionline(a)med.govt.nz] Sent: Friday, 26 September 2003 11:42 a.m. To: Richard Parkinson Cc: Frank.March(a)med.govt.nz Subject: Your e-mail message was blocked MailMarshal (an automated content monitoring gateway) has stopped the following e-mail as it may contain Inappropriate Content. Message: B00013e871.00000001.mml From: Richard(a)sigel.co.nz To: Frank.March(a)med.govt.nz Subject: RE: [nznog] IP / domain blocking for SPAM prevention If you believe the above e-mail to be business related please contact Actionline(a)med.govt.nz to arrange for the message to be released to its intended recipients. The blocked e-mail will be automatically deleted after 30 days.

1 0

RE: [nznog] IP / domain blocking for SPAM prevention
by Richard Parkinson 25 Sep '03

25 Sep '03

If in saying "filters" you mean, delivers it to a folder along with hoards of other junk for some poor admin to check to ensure there is no legitimate mail in the pile... Yep. I don't find this a great task though. A quick sort by subject, or sender and you quickly wipe out all the crap, leaving a handful of legitimate emails to let through. This might be a painful task for larger sites such as Massey or an ISP. Cheers, Richard. -----Original Message----- From: Steve Withers [mailto:swithers(a)mmp.org.nz] Sent: Friday, 26 September 2003 10:39 a.m. To: NZ NOG Subject: [nznog] IP / domain blocking for SPAM prevention Further comments on IP and domain blocking for *personal* mail servers: Just checked my maillog from yesterday. 70% of rejected mail connects came from hotmail, yahoo, earthlink and aol. 30% came from the 61.* and 218.* Korean IP spaces 10% was rejected by ordb / relay denied / other blocked domains I have wondered if ISPs want to encourage customers to set up individually customisable mailservers on broadband connections - some sort of appliance - that acts as their mail server. Let the business and competent private users decide what they will and won't receive....with benefits to the ISP in terms of reduced bandwidth consumed as spam isn't deliverable to these people. Just lots of rejected connect attempts. This may even be a managed service an ISP could offer a customer / business. If payment is on data-volume, this could help reduce such charges - offsetting any service fee to some extent. Am I right in thinking Mailmarshall still allows the spam to be delivered? It just filters it. The method above prevents delivery. It would be impossible to do this at ISP level....but it may be a service line an ISP might like to offer a client who wants to define what they do and do not receive. -- Steve Withers <swithers(a)mmp.org.nz> _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

1 0

RE: [nznog] Argghhh.... [Fwd: Your e-mail message was blocked]
by Richard Parkinson 25 Sep '03

25 Sep '03

Happy with MailMarshal here :) Works fine if you put the effort into setting it up properly. -----Original Message----- From: Juha Saarinen [mailto:juha(a)saarinen.org] Sent: Friday, 26 September 2003 10:12 a.m. To: Frank March Cc: ActionLine; nznog(a)list.waikato.ac.nz; Jennifer Mortimer Subject: Re: [nznog] Argghhh.... [Fwd: Your e-mail message was blocked] Frank March wrote: > Although I seldom post to this list (and when I do it is arguably > off-topic on occasions), and most of the traffic is of marginal direct > interest to me, I do find this list useful as a gauge of the > temperature and general health of the Net in NZ which is immensely > valuable for my job. However, if the problem persists, and complaints > persist, I will remove myself from the list. I would regard this as > being a very unfortunate outcome. > > And, by the way, and anticipating a message later in the thread from > Juha, I dont ever recall his swearing at me (about me perhaps....) $&@)#*&$@!!! Did you delete the message??? ;-) No, seriously, use a Hotmail account for the list instead of your MED one. Mail Marshal is a blunderbuss approach for dealing with an admittedly difficult problem and I don't know anyone "protected" by it who is happy with it. There's an important issue here to consider as well: as a civil servant, you presumably need to be accessible to the public. Using a filtering system with a high false positive rate prevents that. Oh hi, Donald. Yes, yes, I know, it's OT for the list... -- Juha _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

1 0

Argghhh.... [Fwd: Your e-mail message was blocked]]
by Steve Withers 25 Sep '03

25 Sep '03

On Fri, 2003-09-26 at 09:39, Frank March wrote: > On average Mailmarshal as configured here seems to catch 50% of genuine spam > 'aimed' at me (but is getting better) and about 25% of the blocking messages > are false positives (despite recent problems with this list, I think this > might also be improving incrementally). Nevertheless, personally, I would > much rather have the spam. The record with virus filtering is, however, > exemplary. I had to stop using the junk filter in Outlook because it decided that ALL mail from my boss was spam. I still don't know why. I don't use any server-based spam detection. Because my mailserver is for our family only I do block entire IP ranges and about 450 domain names. We get perhaps 2 spam e-mails through each day between the 4 of us. However...I block all mail from hotmail, yahoo, aol and a few others. That killed a HUGE amount of dross. Senders get a reject message explaining that their domains are the source of too much spam and would they mind resending from a responsible ISP. This also means I often don't see e-mail from people on mailing lists who use these "junk" domains....though this depends on how the list server is configured. -- Steve Withers swithers(a)mmp.org.nz -- Steve Withers <swithers(a)mmp.org.nz>

1 0

RE: [nznog] Argghhh.... [Fwd: Your e-mail message was blocked]
by Simon Lyall 25 Sep '03

25 Sep '03

On Fri, 26 Sep 2003, Frank March wrote: > On average Mailmarshal as configured here seems to catch 50% of genuine spam > 'aimed' at me (but is getting better) and about 25% of the blocking messages > are false positives (despite recent problems with this list, I think this > might also be improving incrementally). Nevertheless, personally, I would > much rather have the spam. The record with virus filtering is, however, > exemplary. A 25% false positive rate for Spam is bad to the point of being incompetent. Anything worse than a 1% FP rate except where someone is specifically after "aggressive" filtering is very bad. That sort of rate forces people to constantly check their spam folders (I assume they can) to find incorrectly identified email. I'd hate to think how many important emails are being lost. Blocking just 50% of spam isn't very good either, especially considering the amount of legit email dropped. I would guess it's another case of the govt paying peanuts and getting monkeys. Probably they have just installed the software "out of the box" rather than engaging brain and actually trying to set it to the appropriate level for the site. -- Simon J. Lyall. | Very Busy | Mail: simon(a)darkmere.gen.nz "To stay awake all night adds a day to your life" - Stilgar | eMT.

1 0

California cracks down on spam
by Barry Murphy 25 Sep '03

25 Sep '03

"California will prohibit Internet advertisers from sending unsolicited emails under the toughest law of its kind in the United States, providing for fines of up to $1-million (about R7-million). Governor Gray Davis signed legislation this week that targets not only the firms that package and send spam to consumers, but also the companies whose products and services are being advertised" I especially like the last setence above. full story at: http://www.iol.co.za/index.php?click_id=79&art_id=vn20030925032433274C67959… Barry

2 1

Nokia Firewall Appliance Specials
by Steve Rielly 24 Sep '03

24 Sep '03

Hi All, We are offering for sale, the following brand new, unused, equipment with full warranties, at heavily reduced prices, as a result of a cancelled order. You may already have one of these Nokia security appliances installed, and at the reduced price may be interested in purchasing a second unit as a spare. Alternatively, with the new Check Point Express licenses offering high availability (HA) software at reasonable prices, you may wish to consider installing a second firewall for HA using one of these appliances We have not put prices on them we are looking for offers on the equipment starting at 50% of their normal RRP. The products are... Nokia BIG-IP HA+540 Firewall Appliance Nokia BIG-IP 5000 Firewall Appliance Nokia IP440 Firewall Appliance Nokia IP330 Firewall Appliance Nokia IP71 Firewall Appliance We are offering the appliance hardware only and not the Check Point software licenses that go with them. These will need to be purchased through the normal channels, or we can provide a quote for you. Please email your offers to steve.rielly(a)extranet.co.nz The highest or any offer may not necessarily be accepted. Cheers, Steve Rielly Security Engineer Extranet Technologies Limited Level 1, 60 Cook St, Auckland, New Zealand P.O. Box 7726, Wellesley Street, Auckland, New Zealand Ph: +64 9 3771122, Mob: 025 835530 Fax: +64 9 3771109

1 0

Spam systems
by Barry Murphy 24 Sep '03

24 Sep '03

Thanks to NZNog I have had my first valid emails pushed to the spam folder. I hadn't as yet had one email get marked as spam where it was intended for me, however with the last couple of emails from Jamie, David and Dan, all 3 of these got marked. I have now allowed nznog through without filtering, so this shouldn't happen again, but thanks once again for brining my ratios down!! Only jokes :) Barry

1 0

Our friends Verisign...
by Simon Byrnand 24 Sep '03

24 Sep '03

Hi all, After the discussion a few days ago about the stunt Verisign has pulled recently, and most people expressing outrage over it, I wonder how many network operators/ISP's etc are actually willing to go as far as running the patches that are surfacing for the various nameserver software that will return NXDOMAIN when a root server tries to return an A record directly instead of a referal ? (Effectively reverting the behaviour to what it was before for your customers, and fixing issues with mailservers trying to look up non-existant domains in the aid of spam detection etc etc) I guess some people that might consider doing so could be waiting for "official" patches to come out first (like the one recently released as an rc for BIND 9) rather than hacks before implementing it, but what is the general feeling about this kind of action ? Anyone want to 'fess up to doing it already ? :) (on a medium to large scale) Regards, Simon Byrnand iGRIN Internet

11 14

[Fwd: Message Stopped by: Junk Mail Inbound]
by Simon Byrnand 23 Sep '03

23 Sep '03

Ok, everyone must have it in for me tonight. I'm off to bed :) Night all.. ;) Regards, Simon ---------------------------- Original Message ---------------------------- Subject: Message Stopped by: Junk Mail Inbound From: admin(a)safecom.co.nz Date: Wed, September 24, 2003 11:17 pm To: simon(a)igrin.co.nz -------------------------------------------------------------------------- The Safecom SMTP Relay has quarantined this email due to the triggering of the Junk Mail policy. The email has been forwarded to the Mail Administrator of the intended recipients company. This Mail Administrator will forward the mail to the recipient should it be deemed as legitimate email i.e not Chainmail, Virus Hoax or Jokes. Message: BB0027f6d5.00000001.mml From: simon(a)igrin.co.nz To: Ivan.Walker(a)hpac.govt.nz Subject: [nznog] Argghhh.... [Fwd: Your e-mail message was blocked] This is an automated response. Do not reply to this message. If you have any further questions please contact the intended recipient to confirm whether they received the email.

2 1

SPAM (Fw: PLEASE ASSIST)
by Dan Clark 23 Sep '03

23 Sep '03

Hi Guys, Just wondering if it is just me that is receiving an influx of these kind of messages relating to offshore accounts and foreign money etc? These used to be common then they stopped, but now they are back. Maybe my SPAM filter has broken. Regards, Dan Clark Network Manager Scarfies.Net Ltd Wickliffe Ltd ----- Original Message ----- From: "JULIUS J BALA" <j_bala2003(a)gawab.com> To: <dan(a)scarfies.net> Sent: Wednesday, September 24, 2003 4:09 PM Subject: PLEASE ASSIST > FROM: DR. JULIUS JUBRIL BALA, > FEDERAL SECRETARIAT COMPLEX, > IKOYI. > > Best wishes of good health and success in your pursuits particularly through my proposal as contained in this letter.Before going into details of my proposal to you, I must first solicit you to treat with the utmost confidentiality, as this is required for its success. > > INTRODUCTION: > > My colleagues and I are senior officials of the Federal Government of Nigeria's Contracts Review Panel who are interested in investing some funds that are presently floating in the accounts of the Central Bank of Nigeria.In order to commence this transaction, we solicit your assistance to enable us transfer into your account the said floating funds. > > We are determined to conclude the transfer before the end of this quarter of 2003. The source of the funds are as follows: During the last military regime,government officials awarded contracts that were grossly over-invoiced to Contractors.The present civilian government set up the Contract Review Panel, which has the mandate to use the instruments of payments made available to it by the decree setting up > the panel, to review these contracts and if necessary pay those who are being owed outstanding amounts. My colleagues and I have identified quite a huge sum of these funds which are presently floating in the Central Bank of Nigeria ready for disbursement and would like to invest some of it for our own purposes. > > However, by virtue of our positions as civil servants and members of this panel,we cannot acquire these funds in our names or in the names of companies that are based in Nigeria. I have therefore been mandated, as a matter of trust by my colleagues in the panel, to look for a reliable overseas partner into whose account we can transfer the sum of U.S.$16,500,000.00(sixteen million,five hundred thousand U.S. Dollars). That is why I am writing you this letter. > > We have agreed to share the money to be transferred into your account,if you agree with our proposition as follows; (i) 10% to the account owner (you). (ii) 80% for us (the panel officials). (iii) 10% to be used in settling all expenses (by both you and us )incidental to the actualisation of this project. We wish to invest our share of the proceeds of this project in foreign stock markets and other business till we are > ready and able to have access to them without raising any eyebrows here at home. > > Please note that this transaction is 100% safe. We intend to effect the transfer within fourteen(14) banking days from the date of receipt of the following information: Your name, company's name, address,telephone and fax numbers . The above information will enable us write letters of claim and job description respectively. This way, we will use your company's name to apply for the payment and backdate the award of the contract to your company. We are looking forward to carrying out this transaction with you and we solicit your utmost confidentiality in its execution. > > Please acknowledge the receipt of this email by replying urgently. Also,endeavour to furnish me with your phone number so that I can call you and bring you into a more detailed picture of this transaction when I hear from you. > > Best regards, > > Dr Julius Bala. > > > >

4 4

Argghhh.... [Fwd: Your e-mail message was blocked]
by Simon Byrnand 23 Sep '03

23 Sep '03

Sigh... Could the owner of this charming little content filter please see if it has an option to NOT reply to messages that aren't specifically addressed to the recipient. (EG messages comming in through mailing lists etc) Or perhaps consider subscribing via another address that isn't filtered. It gets a little tiring to have every second message I send to this list get a bounce from an overactive content filter because it might have "bad words" in it or in this case might be a "hoax and/or chain letter"..... (Huh ??? What in my message looks like a hoax ?) Regards, Simon ---------------------------- Original Message ---------------------------- Subject: Your e-mail message was blocked From: Actionline(a)med.govt.nz Date: Wed, September 24, 2003 11:09 pm To: simon(a)igrin.co.nz Cc: Frank.March(a)med.govt.nz -------------------------------------------------------------------------- MailMarshal (an automated content monitoring gateway) has stopped the following e-mail as it is likely to be a Hoax and/or Chain Letter. Message: B00013c776.00000001.mml From: simon(a)igrin.co.nz To: Frank.March(a)med.govt.nz Subject: Re: [nznog] SPAM (Fw: PLEASE ASSIST) If you believe the above e-mail to be business related please contact Actionline(a)med.govt.nz to arrange for the message to be released to its intended recipients. The blocked e-mail will be automatically deleted after 30 days.

1 0

Re: [nznog] SPAM (Fw: PLEASE ASSIST)
by Jamie Baddeley 23 Sep '03

23 Sep '03

Dan, It might have something to do with what verisign have been doing. The sitefinder service basically validates what were invalid domains. Evil Spammers Who Must Die (tm) now can get the spam through. What's failing is you used to be able to refuse bogus domains. ..or something like that. (although in this case gawab.com appears to be valid) jamie ------- cat 'The Internet'|sed 's/verisign/scum/g' >>> "Dan Clark" <dan(a)scarfies.net> 24/9/2003 4:13:45 PM >>> Hi Guys, Just wondering if it is just me that is receiving an influx of these kind of messages relating to offshore accounts and foreign money etc? These used to be common then they stopped, but now they are back. Maybe my SPAM filter has broken. Regards, Dan Clark Network Manager Scarfies.Net Ltd Wickliffe Ltd ----- Original Message ----- From: "JULIUS J BALA" <j_bala2003(a)gawab.com> To: <dan(a)scarfies.net> Sent: Wednesday, September 24, 2003 4:09 PM Subject: PLEASE ASSIST > FROM: DR. JULIUS JUBRIL BALA, > FEDERAL SECRETARIAT COMPLEX, > IKOYI. > > Best wishes of good health and success in your pursuits particularly through my proposal as contained in this letter.Before going into details of my proposal to you, I must first solicit you to treat with the utmost confidentiality, as this is required for its success. > > INTRODUCTION: > > My colleagues and I are senior officials of the Federal Government of Nigeria's Contracts Review Panel who are interested in investing some funds that are presently floating in the accounts of the Central Bank of Nigeria.In order to commence this transaction, we solicit your assistance to enable us transfer into your account the said floating funds. > > We are determined to conclude the transfer before the end of this quarter of 2003. The source of the funds are as follows: During the last military regime,government officials awarded contracts that were grossly over-invoiced to Contractors.The present civilian government set up the Contract Review Panel, which has the mandate to use the instruments of payments made available to it by the decree setting up > the panel, to review these contracts and if necessary pay those who are being owed outstanding amounts. My colleagues and I have identified quite a huge sum of these funds which are presently floating in the Central Bank of Nigeria ready for disbursement and would like to invest some of it for our own purposes. > > However, by virtue of our positions as civil servants and members of this panel,we cannot acquire these funds in our names or in the names of companies that are based in Nigeria. I have therefore been mandated, as a matter of trust by my colleagues in the panel, to look for a reliable overseas partner into whose account we can transfer the sum of U.S.$16,500,000.00(sixteen million,five hundred thousand U.S. Dollars). That is why I am writing you this letter. > > We have agreed to share the money to be transferred into your account,if you agree with our proposition as follows; (i) 10% to the account owner (you). (ii) 80% for us (the panel officials). (iii) 10% to be used in settling all expenses (by both you and us )incidental to the actualisation of this project. We wish to invest our share of the proceeds of this project in foreign stock markets and other business till we are > ready and able to have access to them without raising any eyebrows here at home. > > Please note that this transaction is 100% safe. We intend to effect the transfer within fourteen(14) banking days from the date of receipt of the following information: Your name, company's name, address,telephone and fax numbers . The above information will enable us write letters of claim and job description respectively. This way, we will use your company's name to apply for the payment and backdate the award of the contract to your company. We are looking forward to carrying out this transaction with you and we solicit your utmost confidentiality in its execution. > > Please acknowledge the receipt of this email by replying urgently. Also,endeavour to furnish me with your phone number so that I can call you and bring you into a more detailed picture of this transaction when I hear from you. > > Best regards, > > Dr Julius Bala. > > > > _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

1 0

Netlantis -- seeking for sponsors and peers
by Pascal Gloor 22 Sep '03

22 Sep '03

Hello .nz ! Perhaps some of you already heard about netlantis... The purpose of the netlantis project is to offer "human readable" output of the global BGP table status (as most realtime as possible, most of the time <2 min delay to reality). There are different tools on the website you can discover by yourself. There is also a whois and a telnet interface. We're actually running 5 RouteCollectors (including one in common with the RIS project of RIPE NCC), 2 in USA and 3 in Europe. There should be a new RouteCollector soon in south africa and one in greece. We've got now 78 BGP peers (including large and small ISP from all around the world), which makes almost 7'200'000 prefixes stored in the central database. Netlantis has been presented at the last RIPE meeting in Amsterdam, NL http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-routing-netl… Netlantis will be presented at the next SWINOG meeting (22oct 2003) in Bern, CH Indeed netlantis is FREE and only done by private people investing their free time, there is nothing to buy nor to sell at netlantis :-) Now, and that's why I mail you, I'm looking for sponsors in NZ. The "best" would be to have a RouteCollector on the APE lan. A typical RouteCollector is a P3 1Ghz with 1Gbyte of ram. The sponsors will be, indeed, listed on the netlantis.org website and in any presenation of netlantis. But hosting a RouteCollector at an ISP is also possible. For people who would like to peer with netlantis, please fill up the form at http://www.netlantis.org/index.html?menu=5&page=newpeer If you have any question / remark / ideas for new tools / whatever, feel free to drop me a mail or reply to the list. Kind Regards, Pascal Gloor The Netlantis Project

1 0