- NZNOG - lists.nznog.org

Re: New and unacknowledged Exchange / Win2k SMTP vulnerability?
by John Rothlisberger 28 Oct '03

28 Oct '03

I would *strongly* recommend against EVER running Exchange as your Internet-facing SMTP server. Use a *nix box as a proxy. There have been too many [unacknowledged] bugs/holes in MS Exchange, and troubleshooting something that hasn't been acknowledged by the manufacturer can have you thinking that you've gone crazy. Using a *proper* SMTP server to sanity check incoming connections is the only way to go with Exchange, even for small customers -- the risks are pretty high otherwise. And while you're at it throw SpamAssassin/Antivirus on it and kill multiple birds, et al. My COP$35.28 --John R?thlisberger

3 2

RE: [nznog] New and unacknowledged Exchange / Win2k SMTPvulnerabi lity?
by Neil Gardner 28 Oct '03

28 Oct '03

Hmm, I guess the extention of your argument is that presumably SCO will give me a discount on my license for any vulnerability I find in any flavour of Linux in the world? :-) Not directed at you, and I too will stop right there :-) -- Cheers - Neil Gardner Networking and Security Support Engineer Renaissance Brands Ltd (09) 968-3681 / (021) 746-345 -----Original Message----- From: Barry Murphy [mailto:barry(a)unix.co.nz] Sent: Wednesday, 29 October 2003 12:52 p.m. To: Nathan Mercer; nznog(a)list.waikato.ac.nz Subject: Re: [nznog] New and unacknowledged Exchange / Win2k SMTPvulnerability? Is there a reward for reporting a vulnrability? Surely if the end user is having to find bugs then MS isn't spending enough to secure it's software. Not directed at you and i'll stop there. Barry

1 0

RE: [nznog] New and unacknowledged Exchange / Win2k SMTPvulnerability?
by Nathan Mercer 28 Oct '03

28 Oct '03

So just to be clear, a new and unacknowledged Exchange or Windows 2000 vulnerability has not been discovered here right? We want to know about vulnerabilities (not mis-configurations) If you do wish to report a suspected security vulnerability please either contact myself directly, log the details on https://s.microsoft.com/technet/security/bulletin/alertus.asp or email secure(a)microsoft.com (PGP key is on https://s.microsoft.com/technet/security/MSRC.asc ) Details of our vulnerability handling processes are on http://microsoft.com/technet/security/bulletin/msrpracs.asp Regards Nathan Technology Specialist Microsoft NZ ________________________________ From: Geoff Williams [mailto:geoff(a)katnet.com.au] Sent: Tuesday, 28 October 2003 11:26 a.m. To: nznog(a)list.waikato.ac.nz Subject: FW: [nznog] New and unacknowledged Exchange / Win2k SMTPvulnerability? Further to my earlier post, Neil G has pointed me correctly to an SMTP AUTH attack. I have used the logs of the ORF tool to pinpoint which accounts have been compromised. Strangely the spammers are trying to work out why, even if they authenticate, they can't relay, so there is a lot of traffic to watch and learn from. A large number of their connections are being blocked by the IP blacklists I have selected. I had originally blocked 2 Class A IP ranges at our router after watching the traffic and finding that they were allocated to a provider in China. But I am not 100% sure that IP addresses are not being spoofed as they seem to have a huge range of Class A and B addresses available to them and I was really chasing my tail trying to block them at that level. So now I have a new password generator and will start training the mind to work with 12 or more character passwords. Hope this is of assistance to others. Geoff Williams -----Original Message----- From: Geoff Williams Sent: Monday, 27 October 2003 11:01 PM To: nznog(a)list.waikato.ac.nz Subject: [nznog] New and unacknowledged Exchange / Win2k SMTP vulnerability? Hi All I have exactly the same open-relay problem, including the sending servers and addresses, and have been struggling to diagnose for a few weeks. I had a hunch that the hack may involve the SystemMailbox account (which of course is disabled), but this was based on checking security logs and seeing who was logged in at the same time as the spam was dumped into the queue. I have got around it for the moment (I hope) by loading the ORF relay and spam tool but I would really like to know how this hack is being perpetrated as I have a whole stack of other Exchange servers to look after and I really don't want this to get out of control... So if anyone has made any progress I would really appreciated you sharing your experience. Thanks ______________ Geoffrey Williams KAT International T: 02 9904 3137 F: 02 9904 0232 M: 0417 281 905 ________________________________ size=2 width="100%" align=center> This email is confidential and intended for the recipient only. If you have received it in error please delete it immediately.

2 1

RE: [nznog] Domain Names NZ scam
by Paul Adshead 28 Oct '03

28 Oct '03

Deja vu anyone: http://www.domainz.net.nz/Domainz.asp?Content=news21 http://www.dnc.org.nz/story/30127-32-1.html http://www.comcom.govt.nz/publications/display_mr.cfm?mr_id=1219 Paul Adshead OTL Software Ltd www.otl.co.nz paul.adshead(a)otl.co.nz Tel +64 9 373 9920 Fax +64 9 303 9129 -----Original Message----- From: jfp [mailto:jfp(a)clearfield.com] Sent: Wednesday, 29 October 2003 10:42 To: nznog(a)list.waikato.ac.nz Subject: [nznog] Domain Names NZ scam Some of our customers have just received scam domain renewal letters from Domain Names NZ. ($237 for two years) (www.domainnamesnz.com) People might want to warn their customers. jfp. ------------------------------------------------------------------------ Jean-Francois Pirus <jfp(a)clearfield.com> Clearfield Software Ltd Phone (+64-9) 358 2081 4th Floor 8-10 Whitaker Place Fax (+64-9) 358 2083 P O Box 2348 Auckland, New Zealand ------------------------------------------------------------------------ _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

1 0

Domain Names NZ scam
by jfp 28 Oct '03

28 Oct '03

Some of our customers have just received scam domain renewal letters from Domain Names NZ. ($237 for two years) (www.domainnamesnz.com) People might want to warn their customers. jfp. ------------------------------------------------------------------------ Jean-Francois Pirus <jfp(a)clearfield.com> Clearfield Software Ltd Phone (+64-9) 358 2081 4th Floor 8-10 Whitaker Place Fax (+64-9) 358 2083 P O Box 2348 Auckland, New Zealand ------------------------------------------------------------------------

1 0

How to get deliberately attacked?
by Neil Gardner 28 Oct '03

28 Oct '03

Hi guys, I am testing a firewall here at work with a DHCP spoofing ADSL router and I wanted to check the integrity of the reporting with the attacks it can recognise... I don't really want to spend too much work time jumping into hacky IRC channels and annoying people to generate some attack traffic (plus I don't want to be attacked for too long :-) so I thought I'd ask here to see if anyone knows of any web based attack generators or could indulge me and hit me with a few things (short of classic DOS - I'm testing the firewall, not my ADSL line :-) Anyway - answers on the back of a postcard please, or email me direct. Oh, it's not this IP, so please don't just start attacking - please contact me and we'll work something out :-) -- Cheers - Neil Gardner Networking and Security Support Engineer Renaissance Brands Ltd (09) 968-3681 / (021) 746-345

4 3

Orcon Internet Prefix List Update (2003-10-19)
by Craig Whitmore 28 Oct '03

28 Oct '03

For all those peering with Orcon Internet (AS17746) Nationally, please update your prefix lists with the following networks as in attached file. Thanks Craig Whitmore Systems Administrator Orcon Internet http://www.orcon.net.nz

1 0

RE: [nznog] New and unacknowledged Exchange / Win2k SMTP vulnerability?
by Geoff Williams 27 Oct '03

27 Oct '03

Thanks Matt I haven't started on the 218's as some of those are here in Australia also. Geoff Williams -----Original Message----- From: Matt Camp [mailto:gargoyle(a)noise.net.nz] Sent: Tuesday, 28 October 2003 9:59 PM To: Geoff Williams Cc: Joe Abley; nznog(a)list.waikato.ac.nz Subject: RE: [nznog] New and unacknowledged Exchange / Win2k SMTP vulnerability? On Tue, 28 Oct 2003, Geoff Williams wrote: > The bulk of the 218.0.0.0 Class A range is allocated to provincial > entities in the PRC. Except for the /17's out of this class A which are allocated to NZ entities such as TelstraClear. Blocking this would be inadvisable. --- Matt Camp This email is confidential and intended for the recipient only. If you receive it in error please delete it immediately.

1 0

RE: [nznog] New and unacknowledged Exchange / Win2k SMTP vulnerability?
by Geoff Williams 27 Oct '03

27 Oct '03

The bulk of the 218.0.0.0 Class A range is allocated to provincial entities in the PRC. The other big source of addresses I have seen is the 61.0.0.0 subnet which is spread between India and the PRC, again in the PRC it seems to be allocated to provincial entities. The 61.11 range in India has been very active trying to fish passwords but strangely whoever is doing it is coming from right across the whole A range. Snip of repeated ORF event below: NOTIFICATION - Open Relay Filter Enterprise Edition =================================================================== The following event has occurred: Class : Block Severity : Info Source : SMTPSVC-1 Related IP : 61.11.47.52 Text description: ================= Blocked. Recipient address (user3(a)989888.com) is not listed in the Active Directory. Sender: test(a)yahoo.com. SMTP response: End snip. This particular event just won't stop. Geoff Williams -----Original Message----- From: Joe Abley [mailto:jabley(a)isc.org] Sent: Tuesday, 28 October 2003 12:41 PM To: Geoff Williams Cc: nznog(a)list.waikato.ac.nz Subject: Re: [nznog] New and unacknowledged Exchange / Win2k SMTP vulnerability? On 27 Oct 2003, at 17:25, Geoff Williams wrote: > I had originally blocked 2 Class A IP ranges at our router after > watching the traffic and finding that they were allocated to a > provider in China. Which class A networks do you think are allocated to a provider in China? This email is confidential and intended for the recipient only. If you receive it in error please delete it immediately.

3 2

FW: [nznog] New and unacknowledged Exchange / Win2k SMTP vulnerability?
by Geoff Williams 27 Oct '03

27 Oct '03

Further to my earlier post, Neil G has pointed me correctly to an SMTP AUTH attack. I have used the logs of the ORF tool to pinpoint which accounts have been compromised. Strangely the spammers are trying to work out why, even if they authenticate, they can't relay, so there is a lot of traffic to watch and learn from. A large number of their connections are being blocked by the IP blacklists I have selected. I had originally blocked 2 Class A IP ranges at our router after watching the traffic and finding that they were allocated to a provider in China. But I am not 100% sure that IP addresses are not being spoofed as they seem to have a huge range of Class A and B addresses available to them and I was really chasing my tail trying to block them at that level. So now I have a new password generator and will start training the mind to work with 12 or more character passwords. Hope this is of assistance to others. Geoff Williams -----Original Message----- From: Geoff Williams Sent: Monday, 27 October 2003 11:01 PM To: nznog(a)list.waikato.ac.nz Subject: [nznog] New and unacknowledged Exchange / Win2k SMTP vulnerability? Hi All I have exactly the same open-relay problem, including the sending servers and addresses, and have been struggling to diagnose for a few weeks. I had a hunch that the hack may involve the SystemMailbox account (which of course is disabled), but this was based on checking security logs and seeing who was logged in at the same time as the spam was dumped into the queue. I have got around it for the moment (I hope) by loading the ORF relay and spam tool but I would really like to know how this hack is being perpetrated as I have a whole stack of other Exchange servers to look after and I really don't want this to get out of control... So if anyone has made any progress I would really appreciated you sharing your experience. Thanks ______________ Geoffrey Williams KAT International T: 02 9904 3137 F: 02 9904 0232 M: 0417 281 905 _____ This email is confidential and intended for the recipient only. If you have received it in error please delete it immediately.

2 1

httpd traffic with ie 5.5
by Barry Murphy 27 Oct '03

27 Oct '03

Howdy, Anyone noticing a lot of traffic in the httpd-access logs? I have had the following unique hits to my catch domain: August: 5401 September: 10950 October: 18535 Can't see much in tcpdump but they all seem to be windows 98 IE 5.5. 65.95.18.179 - - [28/Oct/2003:11:11:33 +1300] "GET / HTTP/1.1" 200 3677 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)" 82.37.50.69 - - [28/Oct/2003:11:11:45 +1300] "GET / HTTP/1.1" 200 3677 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)" 24.125.71.52 - - [28/Oct/2003:11:11:52 +1300] "GET / HTTP/1.1" 200 3677 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)" 24.85.14.211 - - [28/Oct/2003:11:12:03 +1300] "GET / HTTP/1.1" 200 3677 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)" 24.207.23.172 - - [28/Oct/2003:11:12:22 +1300] "GET / HTTP/1.1" 200 3677 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)" 68.117.32.241 - - [28/Oct/2003:11:12:30 +1300] "GET / HTTP/1.1" 200 3677 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)" 68.114.179.170 - - [28/Oct/2003:11:12:37 +1300] "GET / HTTP/1.1" 200 3677 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)" Cheers Barry

2 1

Re: [nznog] Cloaked SPAM hosting service
by Richard Cox 26 Oct '03

26 Oct '03

On 25 Oct 2003 12:00:07 +1300 (NZDT) Simon Byrnand <simon(a)igrin.co.nz> asked NZ-NOG: > Correct me if I'm wrong but isn't this idea just a reverse proxy farm? >From what investigators have seen there is more to this exploit than just a reverse-proxy. I'm reluctant to say too much, even here, since investigations are continuing. The previous well-reported exploit which was known as "Super-Zonda" simply packaged reverse-proxying with a set of custom DNS tricks designed so that only the designated proxies could get the IP address of the real source of the website. Two strains of virus - "Fizzer" and "Sobig" each deliver a payload that compromises the infected computer, and in many cases the compromise can survive normal "cleansing" operations. This leaves a suite of abusive tools on the victim's computer that can, without the owner's knowledge or permission, be used by the attacker. Fizzer is known to install a spam sender and Denial-of-Service module, both of which "phone home" and listen for remote instructions. This means they can lie dormant for days, even weeks, without being activated. When they are activated to spam, they will usually only send out a small quantity of messages at one time, and then become silent again; the whole point is that as there are so many of them available to the spammer, there is no need for any one infected machine to send any great quantity. This, in turn, means that it is unlikely to trigger any traffic-based alarms, and any spam reports which reach abuse desks - if they even get that far - will often be treated as either misdirected or ill-informed, because "if it really was a spam source there would inevitably be many more complaints" That is exactly what the malware-writer intended ISPs to think, so don't be caught by it! Some Abuse desks may even go as far as looking for any open ports, and finding none, will take the view that the machines are secure. Not so! As all the trojans "phone home" for their instructions, there will not be any need for open ports, and none to find. The trojan may open some ports when ordered to, but generally will appear to be completely locked down (well, as much as any Windows machine can be!). There is one thing I want to stress here, as many of you will have no doubt read about the various DDoS attacks on various targets - Cisco, and some of the anti-spam resources being the ones that got publicity. If you get (a small number of) reports of spamming from a customer IP and you are tempted to disbelieve or ignore those reports, please don't. Regardless of your views on spam, those reports may be the only warning you will get that you have a malware-attacked box on your netblock, and that box is then fully equipped and ready to take part in a Distributed Denial of Service (DDoS) attack on a target at a moment's notice. | Sounds like the author of the article doesn't understand round robin | dns, expressing surprise that every time they checked the site the ip | address was different...(well duh :) Er, no. That's not the primary point of this exploit, even though Round Robin DNS is certainly used in it. Remember - we are talking about large quantities of boxes here, and a different zombie can be activated in seconds. The compromised machines are able to act as DNS servers as well as web servers - and they do. The key is that the DNS servers are in the .biz TLD and that registry offers its customers the ability to update their DNS in real time, rather than having to wait for a timed update as with the .com/.net environment. Thus as machines are booted, come online, and "phone home", some of them are put in the queue for their IPs to be sent to the root .biz servers. Anyone monitoring the zonefiles for the latest .biz domain that these spammers are using (they change domains regularly, of course ...) will see the IPs of both the nameservers and A records change on a regular basis, and the location of those IPs will tend to follow the sunrise - so at one time of day there will be some in Europe, a few hours later they will mostly be on the US East Coast, later the US West Coast, and some hours after that NZ, then Australia, then Japan, and so on. > In other words said spammers host the actual site on a real server > somewhere, use round robin dns with hundreds (?) of dns entries > pointing to different hijacked computers, that then forward the > requests to the real servers as a reverse proxy. If they did that, the operation could be closed down by terminating (or bogussing) all the DNS servers that hold the round-robin DNS list. As ordinary user machines (mainly broadband) are being used as these servers, they can change almost as often as the A records do, and so any that are disabled are immediately replaceable. While admittedly tempting, it is hardly practical to bogus out the entire .biz root! The contact details for the domains used in this exploit vary from "suspicious" to "proven fake" but you could say the same about rather a lot of domains at the moment. The ICANN promises of a clean-up have not materialised, and given ICANN's (lack of) authority in general, some would say that any clean-up can only be cosmetic until there is general international agreement to enforce new rules. What may be of interest is that quite a few of these domains we've looked into turned out to have been registered with "DomainDiscover" in San Diego, USA (http://www.domaindiscover.com/) Even if DomainDiscover closed down all those domains immediately, the spammers would just move across to another Registrar and carry on. The only effective way to stop THIS particular exploit would need the root .biz registry to be persuaded to withdraw the real-time DNS updating feature in .biz. You may well conjecture on the likelihood of that ever happening! The zombies installed by the SoBig series of viruses also install an FTP server (TFTP) on first infection, which is used to fetch the rest of the SoBig payload some days later, and that means that absolutely anything can be subsequently downloaded to those machines - so unless you actually remove the infection and compromise, a machine that scans as completely clean today may be a Webserver serving up kiddie-porn by this time tomorrow. Yes, Tikiri, this one *is* more alarming. -- Richard Cox Mandarin

2 1

New and unacknowledged Exchange / Win2k SMTP vulnerability?
by Geoff Williams 26 Oct '03

26 Oct '03

Hi All I have exactly the same open-relay problem, including the sending servers and addresses, and have been struggling to diagnose for a few weeks. I had a hunch that the hack may involve the SystemMailbox account (which of course is disabled), but this was based on checking security logs and seeing who was logged in at the same time as the spam was dumped into the queue. I have got around it for the moment (I hope) by loading the ORF relay and spam tool but I would really like to know how this hack is being perpetrated as I have a whole stack of other Exchange servers to look after and I really don't want this to get out of control... So if anyone has made any progress I would really appreciated you sharing your experience. Thanks ______________ Geoffrey Williams KAT International T: 02 9904 3137 F: 02 9904 0232 M: 0417 281 905 This email is confidential and intended for the recipient only. If you receive it in error please delete it immediately.

1 0

Cisco ISDN config
by Michael Hallager 25 Oct '03

25 Oct '03

Hi all. I am after configurations for running a point-to-point link using two Cisco ISDN routers. At one end will be 192.168.1.0/24 and the other end will be 192.168.2.0/24 Tested configs only please. Thanks. Michael Hallager Managing Director Networkstuff Limited URL: http://www.networkstuff.co.nz Networkstuff, NZ's leading supplier of high quality used networking equipment. E-Mail: michael @ networkstuff.co.nz Member of the NZ Open Source Society. Member of the Auckland VHF Group. Amateur radio callsign: ZL1VMH.

1 0

The fraudsters used email forwarding and routing via a New Zealand-based service provider to cover their tracks.
by Andy Gardner 25 Oct '03

25 Oct '03

http://www.theregister.co.uk/content/55/33582.html NatWest customers targeted in 'phishing' scam "At the time of writing, the site, which seems to have been run off the servers of Hotbox hosting in Russia, has been replaced by a holding page. The fraudsters used email forwarding and routing via a New Zealand-based service provider to cover their tracks." Who was that, then?

1 0

Current Jetstream 'Deal'...
by Dan Clark 23 Oct '03

23 Oct '03

OK, we've all seen the $99.00 install fee for JetStream waived before but currently it would seem Telecom are only offering the free install if you connect via XTRA? http://www.telecom.co.nz/chm/0,5123,203191-202534,00.html I think if I was a consumer, I would find it a little hard to use another ISP's JetStream service via Telecom's website, it seems a bit anti-competitive. Fair enough it's Telecom's network but basicly forcing the consumer to use XTRA as an ISP? Regards Dan Clark Network Manager Scarfies.Net Ltd

7 7

Slasdot update: AT&T Blocking All Incoming Mail
by Jeff Williams 23 Oct '03

23 Oct '03

All, >From slashdot, See: http://www.sosdg.org/attmail.txt Regards, -- Jeffrey A. Williams Spokesman for INEGroup LLA. - (Over 134k members/stakeholders strong!) "Be precise in the use of words and expect precision from others" - Pierre Abelard =============================================================== CEO/DIR. Internet Network Eng. SR. Eng. Network data security Information Network Eng. Group. INEG. INC. E-Mail jwkckid1(a)ix.netcom.com Contact Number: 214-244-4827 or 214-244-3801

2 1

Re: [nznog] Current Jetstream 'Deal'...
by Richard Parkinson 23 Oct '03

23 Oct '03

I fail to see how raising a simple and valid question of possibly "biased" operators in this list has anything to do with my integrity. Frankly, you just raised a BIG question about your own "Integrity" in simply responding with a public attack on mine, when I have a valid point, being that other issues in this list go unnoticed and unchallenged for days, unless they are matters relating to Telecom's monopolistic way of doing business, in which case we are told to discontinue the thread. In my opinion, this thread had some valid content, perhaps some not, but the request for it to be stopped came far too quickly, Telecom staff member or not. I agree with Tikiri, it's time Telecom explained a few things like why no static IP's for jetstart instead of the " because it's a residential service " routine which simply reminds me of the childish answer you get from angry parents " ....because I said so ". I also agree that there is probably no point in saying much more in here, as it would be a better waste of time to put it all in a letter to someone at the appropriate government department. -----Original Message----- From: mark.harris(a)ssc.govt.nz [mailto:mark.harris(a)ssc.govt.nz] Sent: Friday, 24 October 2003 1:19 p.m. To: nznog(a)list.waikato.ac.nz Subject: RE: [nznog] (no subject) Richard Parkinson wrote: > > I agree with Donald, this thread doesn't seem entirely appropriate, > however I have seen less appropriate threads go on longer, and can't > help but notice the @telecom.co.nz after Donald's address. :). > I realise there's a smiley on the end of that, but sugar-coating an question to Donald's integrity says more about your own than I suspect you realise. Regards Mark Harris Moderator *.govt.nz State Services Commission PO Box 329, Wellington, NZ Tel: 64 4 495 2844 Email: moderator(a)ssc.govt.nz _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

1 0

(no subject)
by Richard Parkinson 23 Oct '03

23 Oct '03

I agree with Donald, this thread doesn't seem entirely appropriate, however I have seen less appropriate threads go on longer, and can't help but notice the @telecom.co.nz after Donald's address. :). >From a technical stand point, I would like to know the technical reasons as to why Telecom cannot provide other ISP's with the same level of national connectivity that Xtra have been getting, but then this probably isn't a technical issue. More like anti-competitive and predatory market tactics. -----Original Message----- From: Juha Saarinen [mailto:juha(a)saarinen.org] Sent: Friday, 24 October 2003 12:20 p.m. To: Donald Neal Cc: nznog(a)list.waikato.ac.nz Subject: Re: [nznog] Current Jetstream 'Deal'... Donald.Neal(a)telecom.co.nz wrote: > People, > > As you may recall, our AUP requires that > > 1. Discussion will focus on Internet operational and technical > issues. > > This thread should, in my view, either acquire some operational or > technical content or go away. > > - Donald Neal Doesn't ISPs discussing operational issues surrounding the provision of DSL to customers count? -- Juha _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

2 1

Research paper on the effects of spam
by Simon Byrnand 23 Oct '03

23 Oct '03

Interesting reading.... http://www.pewinternet.org/reports/toc.asp?Report=102 (Click "summary of findings", whose link is too big to post in email without wrapping :) Regards, Simon

2 2

RE: [nznog] Cloaked SPAM hosting service
by Donald Neal 23 Oct '03

23 Oct '03

> From: Tikiri Wicks [mailto:tcwicks(a)maxnet.co.nz] > Sent: Friday, 24 October 2003 12:59 > To: nznog(a)list.waikato.ac.nz > Subject: [nznog] Cloaked SPAM hosting service > > > This one is more alarming > > Cloaked SPAM hosting via hijacked computers > It's being sold by a Polish Hacker group > http://www.wired.com/news/business/0,1367,60747,00.html Nothing very new there, alas. This subject was among those discussed by Barry Ravendran Greene at the conference in July. Donald Neal | "They are not mistaken about Technical Specialist | what they want. It just Operations Engineering | conflicts with what they are Integration & Services Divn. | going to get." - [quoted Alcatel NZ Ltd | by Cathy Wittbrodt] All opinions mine only. | ------------------------------------------------------------------------------ "This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you." ------------------------------------------------------------------------------

1 0

RE: [nznog] (no subject)
by mark.harris＠ssc.govt.nz 23 Oct '03

23 Oct '03

Richard Parkinson wrote: > > I agree with Donald, this thread doesn't seem entirely appropriate, > however I have seen less appropriate threads go on longer, and can't > help but notice the @telecom.co.nz after Donald's address. :). > I realise there's a smiley on the end of that, but sugar-coating an question to Donald's integrity says more about your own than I suspect you realise. Regards Mark Harris Moderator *.govt.nz State Services Commission PO Box 329, Wellington, NZ Tel: 64 4 495 2844 Email: moderator(a)ssc.govt.nz

1 0

What can I say to this
by Tikiri Wicks 23 Oct '03

23 Oct '03

Hi Folks I'm just wondering if anyone has any feedback regarding this situation. I maintain a multi homed Linux router in the Seychelles Islands for the Seychelles government and the CTO of one of the ISP's wants me to use an IP of 217.161.116.143 with a netmask of 255.255.255.255 and a default gateway of 217.161.116.8. To explain it further they are running a fibre optic link to my linux router and at the other end of it they've got a cisco 2500 with an IP of 217.161.116.8. What I get is ethernet and they want me to use the IP 217.161.116.143 with a netmask of 255.255.255.255 on my linux router. I do not want to run IP unnumbered and anyway I cannot think of how anything but a CISCO can talk IP unnumbered to another CISCO. Everything I know and everything I ever learned says this is mission impossible. I am at a loss of words on what to say to this. Am I missing something here perhaps ? Can anyone think of anything to say to this. This ISP is called Atlas and their URL is http://www.seychelles.net They also happen to be the operators of the .sc ccTLD I would greatly appreciate any feedback from anyone as to what I could possibly say to these people. Then again maybe I missed something and maybe I am wrong ? Cheers Tikiri

5 9

RE: [nznog] Current Jetstream 'Deal'...
by Donald Neal 23 Oct '03

23 Oct '03

People, As you may recall, our AUP requires that 1. Discussion will focus on Internet operational and technical issues. This thread should, in my view, either acquire some operational or technical content or go away. - Donald Neal > -----Original Message----- > From: Richard Parkinson [mailto:Richard(a)sigel.co.nz] > Sent: Friday, 24 October 2003 11:29 > Cc: nznog(a)list.waikato.ac.nz > Subject: RE: [nznog] Current Jetstream 'Deal'... [...] > Not to mention their less than THIN excuses for not allowing ISP's to > control IP address assignment on Jetstart. Do they even still have a > reason? > > Telecom are way overdue for a big slap in the face over these issues. Donald Neal | "They are not mistaken about Technical Specialist | what they want. It just Operations Engineering | conflicts with what they are Integration & Services Divn. | going to get." - [quoted Alcatel NZ Ltd | by Cathy Wittbrodt] All opinions mine only. | ------------------------------------------------------------------------------ "This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you." ------------------------------------------------------------------------------

3 2

RE: [nznog] Current Jetstream 'Deal'...
by Richard Parkinson 23 Oct '03

23 Oct '03

More than once I have had to explain to clients that Jetstream isn't just Xtra. On one recent occasion one of my customers ordered Jetstream, and wasn't even consulted regarding their choice of ISP. They were simply given their Xtra login and password when the installer came onsite to install the jack and filter. Clearly Xtra have an unfair advantage over other ISP's when it comes to signups. Speaking of unfair advantages, I don't see any other ISP's having the ability to incorporate the monthly charges onto the Telecom phone bill? What about National traffic... Is it not true that Telecom's network routes and handles Xtra's national data way more efficiently, and that such data travels much more directly between points, as opposed to how it does for other ISP's whom have all the National data piped in on one PVC, then feed back out on another? Should other ISP's not be getting the same unbiased treatment? Not to mention their less than THIN excuses for not allowing ISP's to control IP address assignment on Jetstart. Do they even still have a reason? Telecom are way overdue for a big slap in the face over these issues. -----Original Message----- From: Simon Byrnand [mailto:simon(a)igrin.co.nz] Sent: Friday, 24 October 2003 9:52 a.m. To: Dan Clark; Juha Saarinen; David Mill Cc: nznog(a)list.waikato.ac.nz Subject: Re: [nznog] Current Jetstream 'Deal'... At 09:26 24/10/2003 +1300, Dan Clark wrote: >my point exactly. >I did not expect to call Telecom when I shift house recently and get >asked if I am already an XTRA customer then get told they will set that >up in a jiffy, I had to explain to the operator that I had no intention >of shifting ISP's and the operator was puzzled that I wouldn't want to >go with XTRA and above all he wasn't entirely aware that other ISP's >were offering JetStream! > >Regards >Dan Same thing happened to me a year ago when I moved house and needed the phone connected up, (first phone line in my name) and the guy at the other end started asking lots of leading questions about if I was likely to use the line for internet access, how many hours I currently used a month on the intenet etc, and then proceeded to try and sell me Xtra + Jetstream, so this is nothing new. (Remember, I just rang up to get the phone hooked up) Even after clearly saying that I knew what Jetstream was and how it worked, and wasn't interested in it at this time *AND* that I worked for an ISP and therefore already had a free dialup connection anyway, he was still trying to sell me on Xtra, and explain to me what Jetstream was and why its so wonderful.... I think I had to repeat myself two or three times before he gave up....so obviously the telecom staff are instructed to put the hard sell on everyone that rings up, pretty much regardless of what you're ringing about... Regards, Simon _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

2 1

RE: [nznog] Cisco 2948G-L3
by Craig Spiers 23 Oct '03

23 Oct '03

So what would you deam appropriate for this list? I have a wheelbarrow im looking to sell.. $30 ono.. Networking equipment for sale, on a networking related list.. Seems appropriate to me.. Ive seen many people offer sales and wanted's on this list before! Including Michael Hallager! -----Original Message----- From: Drazen Babich [mailto:Drazen.Babich(a)gen-i.co.nz] Sent: Thursday, October 23, 2003 7:15 PM To: 'Craig Spiers' Subject: RE: [nznog] Cisco 2948G-L3 Still, not the right place for things like those Craig, you have to admit... regards, Drazen -----Original Message----- From: Craig Spiers [mailto:craig(a)concept.net.nz] Sent: Thursday, 23 October 2003 3:57 p.m. To: michael(a)networkstuff.co.nz; 'Philip D'Ath' Cc: nznog(a)list.waikato.ac.nz Subject: RE: [nznog] Cisco 2948G-L3 Michael, Ive seen you post messages similar to this, to this list many many times. I think you need to take a chill pill. -----Original Message----- From: Michael Hallager [mailto:michael(a)networkstuff.co.nz] Sent: Thursday, October 23, 2003 2:01 PM To: Philip D'Ath Cc: nznog(a)list.waikato.ac.nz Subject: Re: [nznog] Cisco 2948G-L3 Do you think that you are special that you are excused from the list rules? This is not a trading forum. Advertise your item on Trademe or something. Michael Hallager Networkstuff Limited > I'm currently liquidating a Cisco 2948G-L3. The unit is new with > original packaging manuals and cables, and has only been used for demo > purposes. It will ship with a new warranty. > > RRP=$17,710+GST > Normal dealer buy would be=$12,928=GST > > Looking for around $10.5k+GST, or near offers. > > Offlist replies only please. > > > Philip D'Ath > CCNP, CCDA, BCMS > http://www.ifm.net.nz/ -- Michael Hallager Managing Director Networkstuff Limited URL: http://www.networkstuff.co.nz Networkstuff, NZ's leading supplier of high quality used networking equipment. E-Mail: michael @ networkstuff.co.nz Member of the NZ Open Source Society. Member of the Auckland VHF Group. Amateur radio callsign: ZL1VMH. _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog ###################################################################### This e-mail message has been scanned and cleared by MailMarshal at http://www.gen-i.co.nz ######################################################################

3 3

Cisco 2948G-L3
by Philip D'Ath 22 Oct '03

22 Oct '03

I'm currently liquidating a Cisco 2948G-L3. The unit is new with original packaging manuals and cables, and has only been used for demo purposes. It will ship with a new warranty. RRP=$17,710+GST Normal dealer buy would be=$12,928=GST Looking for around $10.5k+GST, or near offers. Offlist replies only please. Philip D'Ath CCNP, CCDA, BCMS http://www.ifm.net.nz/

3 2

FW: Heads-up: AT&T apparently going to whitelist-only inbound mai l
by Bowden, Terry 22 Oct '03

22 Oct '03

AT&T STATEMENT - CURRENT SPAM ATTACK - 22/10/03 AT&T and a number of other large companies have seen a marked increase in the amount of incoming SPAM in recent days. A team of experts that includes members from AT&T Labs, Network Services, and Corporate Security has implemented a number of procedures to remediate this situation and minimize its impact on those trying to send e-mail to "att.com" addresses. As of this morning - Wednesday, October 22nd - the level of incoming e-mail messages is returning to normal and the situation appears to be well in hand. Although all AT&T e-mail servers are fully operational at this time, some incoming messages are experiencing intermittent delays as SPAM filtering continues at all network gateways. Customers who received e-mail bulletins from AT&T Monday and Tuesday requesting specific information are advised to disregard those messages. They were inadvertently sent out in error and we apologize for any confusion or inconvenience they may have caused. Network reliability is one of our top priorities at AT&T, so for obvious reasons we will not be providing more detailed information regarding the specific security procedures implemented to curb this SPAM attack. We have no intention of helping those who generate this type of computer and Internet mischief. Terry Bowden

1 0

Heads-up: AT&T apparently going to whitelist-only inbound mail
by Simon Lyall 21 Oct '03

21 Oct '03

Forwarded from nanog. Apparantly this is already in place according to one person. I called the number listed and they advised sending details in. You can ask questions to the email address listed. The Callcenter person said they had been flooded with calls. -- Simon J. Lyall | Very Busy | Web: http://www.darkmere.gen.nz/ "To stay awake all night adds a day to your life" - Stilgar | eMT. ---------- Forwarded message ---------- Return-Path: <rm-antiattspam(a)ems.att.com> Message-ID: <3F80414B002D0EC2(a)attrh0i.attrh.att.com> (added by postmaster(a)attrh1i.attrh.att.com) Content-Disposition: inline Content-Transfer-Encoding: binary Content-Type: text/plain MIME-Version: 1.0 X-Mailer: MIME::Lite 2.102 (B2.12; Q2.03) Date: Tue, 21 Oct 2003 20:21:50 UT Subject: *** ACTION: IP Address of Outbound SMTP Server Requested (Updated 10/21/03) From: rm-antiattspam(a)ems.att.com AT&T Business Partners & Customers AT&T has received many of the requested IP addresses in response to an e-mail originally broadcast yesterday to our business partners and clients. However, we have also received many concerned responses to the original request. This 2nd e-mail is to let you know that this is a legitimate AT&T request asking for your cooperation, which will let us improve the service that AT&T offers you and that our partnership requires. We have provided a toll-free number below to help you confirm the legitimacy of this request. We have assembled the distribution list for this e-mail by looking up the administrative contacts for each of the known e-mail domains we currently exchange e-mail with, referencing WHOIS and other such services available via the Internet. What AT&T is asking is for you to help AT&T to restrict incoming mail to just our known and trusted sources (e.g., business partners, clients and customers). Therefore, we need to know which IP address(es) are used by your outbound e-mail service so we can selectively permit them. Please send this information to the following e-mail address (rm-antiattspam(a)ems.att.com) If you need assistance determining what these IP addresses are, please contact your company's administrative e-mail server support / network administration personnel. We regret that AT&T is burdening you with this request, but our AT&T security team is advising that we take this step to help safeguard our e-mail systems, which ultimately will help us serve you better. Please contact us with any concerns or questions: AT&T Security Help Desk 1-800-456-4230, prompt 4 (8am - 10pm est) Thank you for your prompt attention to this matter. We appreciate your cooperation. Sincerely, Brian Williams, IP Network Services Tim Scholl - District Manager, IP Network Services Kevin O'Connell - Division Manager, Information Technology Services Engineering Bill O'Hern - Division Manager, Network Security ----- Original Message (Sent Monday, 10/20/03) ----- AT&T has an urgent situation with our anti-spam list. In order to continue to allow email to AT&T you need to provide the IP addresses of all your outbound email gateways. If you do not respond immediately, your access may not continue. The required information should be sent to rm-antiattspam(a)ems.att.com. ----- End forwarded message -----

4 4

APE Peering - JSR.COM
by J S Russell 20 Oct '03

20 Oct '03

jsr.com (AS9897) is a new ISP/hosting provider/etc, designed primarily as a testbed platform for various new and developing technologies. Dialup/ADSL/wireless/etc Internet access through jsr.com is currently limited to a small and select customer-base. However, immediately upon launch jsr.com will be hosting a variety of very content-rich servers and websites. At this time, the vast majority of traffic from AS9897 is expected to be outbound from jsr.com netblocks to other "domestic" New Zealand providers. jsr.com is greatly interested in hearing from any other APE-connected entities who would like to set up a BGP peering session over the APE. Replies to jsr(a)jsr.com please. In the interest of network efficiency, jsr.com's official peering policy is "If you have an AS#, you are welcome to peer with us." JSR -- John S Russell | Big Geek | Doing geek stuff.

1 0

could maxnet contact me plz
by Simon Blake 15 Oct '03

15 Oct '03

Could whomever is responsible for APE peering for Maxnet please contact me off list. Cheers Si

1 0

domainz
by Dan Clark 14 Oct '03

14 Oct '03

Would someone at Domainz please contact me as soon as possible offlist. Kind Regards Dan Clark Network Manager Wickliffe Ltd Scarfies.Net Ltd

1 0

Re: [nznog] Paradise.net is on MX.RBl" spam blacklist
by Steve Phillips 13 Oct '03

13 Oct '03

Was bound to happen sooner or later with their "just press delete" policy toward abuse complaints about their customers spamming. -- Steve. At 09:15 p.m. 14/10/2003, Steve Withers wrote: >Anyone on paradise.net.nz trying to send mail to attglobal.net will have >no success due to paradise.net.nz being on the "MX.RBL" blacklist.....if >there is such a beast. The entry is dated october 2nd...... > >If MX.RBL is a widely used list, paradise users may have some trouble. > >I have reported this to paradise. > >-- >Steve Withers <swithers(a)mmp.org.nz> > >_______________________________________________ >NZNOG mailing list >NZNOG(a)list.waikato.ac.nz >http://list.waikato.ac.nz/mailman/listinfo/nznog

1 0

Paradise.net is on MX.RBl" spam blacklist
by Steve Withers 13 Oct '03

13 Oct '03

Anyone on paradise.net.nz trying to send mail to attglobal.net will have no success due to paradise.net.nz being on the "MX.RBL" blacklist.....if there is such a beast. The entry is dated october 2nd...... If MX.RBL is a widely used list, paradise users may have some trouble. I have reported this to paradise. -- Steve Withers <swithers(a)mmp.org.nz>

1 0

Cunning Vicodin SPAM Practice
by tltoh＠attglobal.net 13 Oct '03

13 Oct '03

Hi, Lately I would say majority of people have been bombarded with Vicodin SPAM as I've been getting about 30 a day for the last month. My delete key have been whinging at me asking for a holiday. And they are sending their SPAM email out through other networks which does not happen to be housing their websites. In my case the Vicodin websites which they are referring me to are as follows: www.medscheap.biz www.rxpalace.biz I manage to track down that both domain's happen to be registered to this person, Pio Lage (peterwolf1239(a)yahoo.com) Both sites are hosted in China which I have inform his network providers which houses both of his websites on his activity but I'm not sure what is the success rate and outcome of it. However so far for the last 6 days I haven't receive any Vicodin SPAM for www.medscheap.biz site at this stage, could be a good start. I could send an email if that is still a valid email account to the Domain owner but I don't want to be ended up in any other of their mailing scam. I thought of forwarding all his SPAM email back to him but I don't believe that is an appropriate practice at all. Any suggestion as to what else can be done to stop this kind of practice ? Thanks. Cheers, Leon

2 1

Re: [nznog] High volumes of ICMP echo request (type 8)
by Ewen McNeill 13 Oct '03

13 Oct '03

In message <20031013102226.GQ14751(a)citylink.co.nz>, Simon Blake writes: >On Mon, Oct 13, 2003 at 04:51:08PM +1300, Ewen McNeill said: >> And snooping on Citylink (which is implemented as a big LAN) shows >> much-higher-than-I'd-normally-expect volumes of ICMP echo requests > >Just a small point of protest here, there isn't higher volumes of >anything floating around Citylink And to be fair, it's ages since I've had reason to look, so "higher than I'd expect" is probably a pretty low standard. And a chunk of the volume was definitely NAT'd traffic outgoing; but not all of it. So these various worms are clearly still drifting about. You may well be right however that it was (mostly|just) stuff that was routed to/from that 'net; the volumes were such that it was difficult to get an accurate picture of exactly which addresses were involved it at the time. Sorry for implying otherwise. >Increased worm probing tends to manifest as increased ARP requests, >rather than ICMP packets. That, FWIW, is why 95% of all the >noise-to-every-port on Citylink is ARP requests to unused IP numbers. Likewise on the TelstraClear cable network -- there's a steady background level of ARP requests all the time, good for keeping the incoming data light flickering away to itself. Ewen

1 0

High volumes of ICMP echo request (type 8)
by Ewen McNeill 12 Oct '03

12 Oct '03

Hi, Is anyone else seeing very high volumes of ICMP echo requests today (ie, in the order of hundreds/thousands per second)? At one client I've been seeing in the order of 2000+ ICMP echo requests per minute from each of four different desktops (desktop support is tracking down the relevant desktops now) to IP addresses all over the net. And snooping on Citylink (which is implemented as a big LAN) shows much-higher-than-I'd-normally-expect volumes of ICMP echo requests flying around from all sorts of random addresses to all sorts of other random addresses. I'm aware that some worms use this as part of their probing/spreading (eg, MS Blaster) but not of any newly released worm (or worm due to make a comeback at present), so I'm a bit puzzled at it's "sudden" appearance. Ewen

5 4

Re: [nznog] High volumes of ICMP echo request (type 8)
by Ewen McNeill 12 Oct '03

12 Oct '03

In message <20031013045849.5E4DE3C486EB(a)basilica.la.naos.co.nz>, Ewen McNeill wr ites: >In message <874qyd4v8f.fsf(a)it029205.massey.ac.nz>, James Riden writes: >>Ewen McNeill <ewen(a)naos.co.nz> writes: >>> Is anyone else seeing very high volumes of ICMP echo requests today (ie, >>> in the order of hundreds/thousands per second)? [....] >> >>What do the ping packets look like? > >block in on ste7: [internal ip] > [victim ip]: icmp: echo request > 4500 005c 58fa 0000 7f01 4929 0a04 0102 > 3df3 5085 0800 c9c8 0200 d6e1 aaaa aaaa > aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa > aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa > aaaa aaaa As James pointed out, that's a truncated packet (to tcpdump's default snaplen). The real packet is 92 octets, with 64 octets of payload (0xaa octets). Which is what the Welchia/Nachi worm sends out. Desktop support at the client has found several of the machines generating these ICMP streams to be infected with the Welchia/Nachi worm, and are busy checking the rest. They also believe they've identified the source (a laptop that arrived back today IIRC). It has, however, highlighted which machines didn't get put into the default policy for lock downs, updates, etc .... So nothing new, it seems. Just another infection with another windows worm. Sorry to trouble you all. Ewen

1 0

Re: [nznog] High volumes of ICMP echo request (type 8)
by Ewen McNeill 12 Oct '03

12 Oct '03

In message <874qyd4v8f.fsf(a)it029205.massey.ac.nz>, James Riden writes: >Ewen McNeill <ewen(a)naos.co.nz> writes: >> Is anyone else seeing very high volumes of ICMP echo requests today (ie, >> in the order of hundreds/thousands per second)? [....] > >Welchia used pings, not Blaster.A IIRC. I've seen Welchia at around >180 packets/second on a LAN and it seems to do a strictly linear scan, >so it doesn't sound like that either. > >What do the ping packets look like? block in on ste7: [internal ip] > [victim ip]: icmp: echo request 4500 005c 58fa 0000 7f01 4929 0a04 0102 3df3 5085 0800 c9c8 0200 d6e1 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa Not very exciting. All the ones I've looked contain the same thing (ie IP and ICMP headers, and then filled to minimum packet size with 0xaa bytes). And the addresses aren't always as random as I first thought. When I narrow my scope down to one of the "infected" machines as a source, I sometimes see it walking netblocks sequentially (eg, one internal ip just walked all (most?) of 61.243/16). But when it got to the end of that, the pattern got less predictable again, hitting IPs in at about a dozen different /24s in an overlappped fashion (from the same internal IP). (Perhaps it's getting upset at getting no replies; I've been dropping it at the firewall since I noticed it happening.) I'm seeing around 6000 per second from a single IP address (ie, around 100/second) outgoing hitting the firewall. (It's easy to track a single IP address as these are internal ips; obviously tracking it from the "other end" would be considerably harder.) So I'm pretty much convinced those desktops have "caught" something, I'm just not sure what it is. (And since this client does mail filtering for spam/viruses/etc it's less likely to be a known email virus/worm.) Ewen

1 0

Brightmail Spam Performance
by Mark Frater 12 Oct '03

12 Oct '03

With a sample size of 1015 spam messages over 4 weeks and using a pop mailbox from a provider that recently announced free spam protection (but have been a bit quieter about it only being free 'till xmas), 709 spam messages were detected as spam and 308 spam messages were let through. ie Brightmail (as per the default settings used by this provider) lets through about 30% of spam. How does thing compare to other providers? I guess one woman's spam is another man's v1agra! Mark

3 2

Re: [nznog] ICMP and port 80 traffic
by Blair Harrison 09 Oct '03

09 Oct '03

On 10 Oct 2003 08:57:01 +1300 Donovan Jones <d.jones(a)comnet.co.nz> wrote: > We are seeing the same thing here its currently hitting some of our > unused address space. Yay, not just me! > > Have you found out anything more about it? > Heard a rumour of a variant of Welchia/Nachi.a but nothing more... Still seeing it streaming in... :( Cheers, Blair

2 1

ICMP and port 80 traffic
by Blair Harrison 08 Oct '03

08 Oct '03

Hi All Is anyone else seeing a massive increase in ICMP and traffic to port 80? I started noticing this last night on one of my subnets that is mostly unused, just a huge amount of packets to random addresses. It's still going flat tack.. I've grabbed a quick packet dump if any of you want to see what I mean - it's in tcpdump format. http://blair.wise.net.nz/~blair/icmpandport80.gz Is this some worm variant that nobody's figured out yet? Cheers, Blair Harrison Systems Administrator WISE Net http://wise.net.nz

1 0

Intermittent Problems with web
by Peter Youngquest 06 Oct '03

06 Oct '03

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello All Is anyone else having intermittent problems getting to such sites as theregister.co.uk, msn.com, and openbsd.org. Regards Peter Youngquest Prophecy Networks -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE/gjts4jYAySTLDnsRAjEwAJ4la3MWi/5zW4wLSoekc71dV+r3yQCeIcFa cVHpbYU4iMrg988iffOhe/Y= =281E -----END PGP SIGNATURE-----

1 0

SANOG III Announcement
by Joe Abley 04 Oct '03

04 Oct '03

> South Asian Network Operators Group (SANOG) III Annoucement > > SANOG III: 15-22 January, 2004, Bangalore, India > > SANOG III will be colocated with the South Asian IPv6 Summit in the > silicon city of India. As in the past, the SANOG program will feature > workshops, tutorials and presentations on operational areas of interest > to the South Asian Internet community. The meeting will be hosted by > IPv6 Forum India. The program structure will be as follows > > 15-18 January, 2004 -- Workshops > 19-20 January, 2004 -- Tutorials > 21-22 January, 2004 -- SANOG Meeting / IPv6 Summit > > We welcome presentations during the Meeting. We would like to hear > about your own experiences and research on making sure the Internet > works the way it is intended to. > > Please write to gaurab at lahai.com with your expression of interest. > More information at www.sanog.org

1 0

[Fwd: [RegistrarsList] VeriSign NDS Response to Suspension of Site Finder Service (KMM1024708V22161L0KM)]
by Peter Mott 03 Oct '03

03 Oct '03

A partial victory! -------- Original Message -------- Subject: [RegistrarsList] VeriSign NDS Response to Suspension of Site Finder Service (KMM1024708V22161L0KM) Resent-Date: Sat, 4 Oct 2003 11:15:16 +1200 Resent-From: peter(a)2day.com Resent-To: peter.mott(a)2day.com Date: Fri, 03 Oct 2003 16:08:23 -0700 From: VeriSign Customer Service <info(a)verisign-grs.com> Reply-To: VeriSign Customer Service <info(a)verisign-grs.com> To: <registrars(a)verisign-grs.com> To All Registrars, I am writing to update you on VeriSigns Site Finder service. On Friday, October 3rd, the Internet Corporation for Assigned Names and Numbers (ICANN) directed VeriSign, Inc., to temporarily suspend service no later than 6PM PST, Saturday, October 4. VeriSign requested an extension from ICANN for 3 additional days for the shut down in order to provide the technical community time to make any necessary system changes. Unfortunately, ICANN refused this request. Accordingly, in response to this demand, VeriSign is temporarily suspending the Site Finder service as of Saturday, October 4 at 6PM PST. In suspending the service, VeriSign will remove the wildcard A records from the .com and .net zones and revert to the former behavior for these zones which is returning Name Error/RCODE=3 in response to queries for nonexistent domain names. VeriSign remains committed to improving the Internet user experience. We look forward to providing the Site Finder service following this suspension. Thank you for your business. We greatly value our relationship with you. Best Regards, Chris Sheridan Manager, Customer Service VeriSign, Inc. www.verisign.com --------- Participants on the VeriSign registrars list are requested to not cross-post messages. -- Peter Mott Chief Enthusiast 2DAY INTERNET LIMITED http://www.2day.com "Hell, there are no rules here - we're trying to accomplish something!" Thomas A Edison

1 0

NZNOG 2004 - Call for Presenters
by Donald Neal 02 Oct '03

02 Oct '03

Call for Presenters NZNOG'04 a.k.a. Big Geek Programme 04 (BGP-04) The next meeting of the New Zealand Network Operators' Group is to be held in Hamilton on January 29th and 30th 2004. Our hosts are the University of Waikato's WAND Network research group. NZNOG meetings provide opportunities for the exchange of technical information and discussion of issues relating to the operation of network services, with particular emphasis on New Zealand. NZNOG invites presentations on relevant topics. Suitable topics include, but are not limited to: Operation of the DNS in New Zealand; Carrier IP network structures; Internet exchange activities; VoIP deployment; IP Routing theory or practice; Access technologies; Network management tools and practices. Presentations from researchers and from practitioners are welcomed. Presentations don't need to fit any particular fixed length. In addition to more substantiative talks we hope to include a session of very short presentations this year as a forum for floating an idea or reporting on a discovery in a less formal manner. The possibility exists that the meeting might be extended beyond two days to accommodate suitable material. Suggestions for topics for presentations or discussions are also welcome. Prospective presenters should in the first case send email to talks(a)nznog.org describing their intended presentation topic, and giving some idea of the level of detail and length of presentation which would suit them. We'd prefer to receive offers to present sooner rather than later, but the deadline is 23 November 2003, with the last acceptances to be notified not later than 30 November. Further information, as it becomes available, will be posted at: www.nznog.org Donald Neal | "Stucco - A hitherto Technical Specialist | unknown Marx brother." Operations Engineering | [Barry Cryer] Integration & Services Divn. | Alcatel NZ Ltd | All opinions mine only. | ------------------------------------------------------------------------------ "This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you." ------------------------------------------------------------------------------

1 0

Fwd: Second Level Domains Policy Review
by Steven Heath 30 Sep '03

30 Sep '03

I think all the members of this WG are on NZNOG. I am sure they would agree with me in saying that we welcome any and all feedback. Summary: Read background paper that we wrote at: http://dnc.org.nz/content/2ld_background.pdf And complete online form at: http://dnc.org.nz/2ldFeedback.php Or email policies(a)dnc.org.nz with your comments/ideas/thinking. Steven Heath Second Level Domains Policy Review Published at 01 Oct 2003 14:13 InternetNZ, through the Office of the Domain Name Commissioner, is reviewing the existing Second Level Domains policy (http://dnc.org.nz/content/second_level_domains.pdf) A Working Group was established by the .nz Oversight Committee earlier this year to conduct the review. The Working Group is seeking public input to assist in developing a revised draft policy, which will also be subject to public consultation. The current Second Level Domains policy deals with three critical areas: the structure of the existing Second Level Domains, the moderation of Second Level Domains, and the process for establishing new Second Level Domains. Debate so far in the Working Group has identified two major areas for reform: Whether the process for creating new second level domains should be modified and whether that modification should simplify the process. The existing process lacks adequate criteria for decisions about the addition of new Second Level domains and has generated concern in the past. Whether there should be direct public registrations allowed at the second level in the .nz space. This has a number of implications which need to be considered around dealing with the existing second level domains after any change; dealing with conflicts between existing third level registrants if the second level is opened and others. In addition to these two key areas, the Working Group is seeking feedback on the existing Second Level Domains and their ongoing relevance, and would also like to receive comments and suggestions about any other aspect of the existing policy. To assist with this consultation a background paper has been produced. This outlines the current policy, expands on the issues for consideration and poses some more specific questions for consideration. It is available at: http://dnc.org.nz/content/2ld_background.pdf Public comment, on the specific issues identified above and in the accompanying background paper - or any other issues relating to the Second Level Domains policy - is sought by Monday 10 November 2003. To assist with the feedback process, you can use an online feedback form. The questions in the form are those presented in the background paper. The form is available at: http://dnc.org.nz/2ldFeedback.php InternetNZ also maintains a public email list for discussion of the review. To subscribe, send a blank email to nz-review-subscribe(a)internetnz.net.nz. Please email comments to policies(a)dnc.org.nz, fax them to +64 4 495 2115, or post them to the Office of the Domain Name Commissioner, PO Box 11-881, Wellington. NB: Notice of all comments will be published on this page, as they are received. Comments will be published on the site in PDF format. Confidential comments can be made on application; people wishing to make a confidential comment should forward a request with reasons to the submission address above. ----- End forwarded message ----- Steven Heath .nz news & views www.nznews.org.nz

1 0

Crimes Amendment Act 2003
by david＠farrar.com 30 Sep '03

30 Sep '03

Nznogers may want to note that as of today (1st October) the Crimes Amendment Act 2003 (previously the Crimes Amendment Bill no 6) came into force. This Act, amending the 1961 Crimes Act, may potentially affect many internet users and providers (esp the unauthorised access provisions). It has been commonly known as the anti-hacking bill. InternetNZ in July prepared a brief paper on aspects of the Act which may affect internet users and providers. The paper is at http://www.internetnz.net.nz/public/committee-reports/ctte-legal-and-regula… or http://tinyurl.com/g9vj The revised Crimes Act is not yet online but I have the key clauses in electronic format if anyone would like a copy. DPF

1 0

The New Zealand Network Operators' Group
by Donald Neal 30 Sep '03

30 Sep '03

The New Zealand Network Operators' Group The New Zealand Network Operators' Group (NZNOG) has no king, president or formal membership. At present it consists of the subscribers to this mailing list, which anyone is free to join. A face-to-face gathering is to take place in Hamilton on January 29 and 30 next year, hosted by the WAND group. Suggestions for content you'd like to see are welcome, and a Call for Presenters should be issued shortly. Also see http://thursdaynightcurry.com/about.html if you live in or near Wellington or Auckland. Operators' Contact List See http://www.usenet.net.nz/noc/ for operational contact details for most New Zealand ISP's. These are intended for use by other network operators rather than by most customers. Auckland Peering Exchange See http://www.ape.net.nz/ for details of the Auckland Peering Exchange and those connected there. About This Mailing List This list has around 530 addresses subscribed. You may only post to the list from a subscribed address. A number of people subscribe addresses which do not receive email purely to allow posting from them. The NZNOG mailing list is provided through a server at The University of Waikato, and is administered by an employee of Alcatel NZ Ltd. Neither of these organisations, nor the administrator, is responsible for its content. NZNOG Mailing List Acceptable Use Policy The NZNOG mailing list exists to provide a forum for the exchange of technical information and the discussion of implementation issues that require cooperation among New Zealand network service providers. In order to continue to provide a useful forum for discussion of relevant technical issues, users of the list are asked to respect the following guidelines. 1. Discussion will focus on Internet operational and technical issues. 2. Discussion related to meetings of network service providers is appropriate. 3. Discussion unrelated to these topics is not appropriate. 4. Postings to multiple mailing lists are discouraged. 5. Postings that include foul language, character assassination, and lack of respect for other participants are unacceptable. 6. Blatant product or service marketing is unacceptable. 7. Postings of a political, philosophical or legal nature are discouraged. 8. Postings to the list should be in ASCII or MIME encoded as text/plain. Attachments should not be sent to the list. To present a document, a suitable URL may be referred to. For documents of general interest, the use of proprietary file formats is discouraged. 9. Breaches of list etiquette should be dealt with privately with the offending list user, and should not result in complaints being sent to the list. 10. A person repeatedly breaching list etiquette shall receive warnings from the list administrator. A further breach after the second such warning within thirty days shall result in the offender being unsubscribed from the list. Other action may also be taken to block postings to the list by the offender. Any such unsubscription is to be immediately announced to the list. Mailing List Archives A full archive is available at http://list.waikato.ac.nz/archives/nznog/ Any message sent to the list will be archived and made available on the web automatically. Changes are not made to the archive on request, though the administrator remains happy to assist the Office of the Privacy Commissioner should any complaint be laid with that office. One way to search the archive is to use google and prefix your search with site:list.waikato.ac.nz . Subscribing to the List See http://list.waikato.ac.nz/mailman/listinfo/nznog to subscribe. Donald Neal NZNOG Mailing List Owner/Administrator/Muggins ------------------------------------------------------------------------------ "This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you." ------------------------------------------------------------------------------

1 0

RE: [nznog] Argghhh.... [Fwd: Your e-mail message was blocked]
by Frank March 29 Sep '03

29 Sep '03

This IS an interesting, if somewhat prolonged, discussion and, needless to say perhaps, I agree with Donald that spam filtering is an operational issue of relevance to this list. But it is also a policy issue of interest to the NZ Government, which is what my job is about. To say that I can change my job as suggested by Joe (clearly I can and maybe in the fullnss of time I will, but that IS irrelevant) somewhat misses the point of why I am on this list... it is because of my *present* job that I think it important. There are many issues of possible government policy relevance that emerge on this list in different ways, spam is just one. Which irony has been pointed out to those who dictate the operational policy for this Ministry. Unfortunately, they do not subscribe to NZNOG as far as I can determine. -- Frank March Telephone (+64 4) 474 2908 Senior Specialist Advisor Fax (+64 4) 474 2659 Information Technology Policy Group Mobile: (+64) 21 042 9205 Ministry of Economic Development, Wellington, New Zealand -----Original Message----- From: Donald Neal [mailto:Donald.Neal(a)telecom.co.nz] Sent: Monday, 29 September 2003 10:11 To: nznog(a)list.waikato.ac.nz Subject: RE: [nznog] Argghhh.... [Fwd: Your e-mail message was blocked] > From: Simon Byrnand [mailto:simon(a)igrin.co.nz] > Sent: Monday, 29 September 2003 09:21 > To: Joe Abley; Russell Fulton > Cc: nznog > Subject: Re: [nznog] Argghhh.... [Fwd: Your e-mail message > was blocked] > >> >He also has the option of finding a new job, if the policies of his > >employer don't suit him. > > C'mon people (not just Joe) this thread is now getting *way* > off topic, > (I'm surprised Donald hasn't stepped in yet) although > admitedly my original > message was somewhat off topic as well. This is a list for network operators, which doesn't just mean telcos and ISP's. My view is that discussion of spam filtering is appropriate. Granted, by the time we get onto what employees should be allowed to do we may indeed have wandered a bit. http://www.govt.nz - connecting you to New Zealand central & local government services Any opinions expressed in this message are not necessarily those of the Ministry of Economic Development. This message and any files transmitted with it are confidential and solely for the use of the intended recipient. If you are not the intended recipient or the person responsible for delivery to the intended recipient, be advised that you have received this message in error and that any use is strictly prohibited. Please contact the sender and delete the message and any attachment from your computer.

4 3

RE: [nznog] Argghhh.... [Fwd: Your e-mail message was blocked]
by Donald Neal 28 Sep '03

28 Sep '03

> From: Simon Byrnand [mailto:simon(a)igrin.co.nz] > Sent: Monday, 29 September 2003 09:21 > To: Joe Abley; Russell Fulton > Cc: nznog > Subject: Re: [nznog] Argghhh.... [Fwd: Your e-mail message > was blocked] > > > At 13:48 28/09/2003 -0400, Joe Abley wrote: > > >On Saturday, Sep 27, 2003, at 14:59 Canada/Eastern, Russell > Fulton wrote: > > > >>However, some employers also have policies that forbid access to > >>alternate mail sources (hotmail & ISP accounts) for > legitimate reasons. > >>This leaves some one like Frank having to follow work > related lists that > >>run foul of the corporate filter in their own time from home. > > > >He also has the option of finding a new job, if the policies of his > >employer don't suit him. > > C'mon people (not just Joe) this thread is now getting *way* > off topic, > (I'm surprised Donald hasn't stepped in yet) although > admitedly my original > message was somewhat off topic as well. This is a list for network operators, which doesn't just mean telcos and ISP's. My view is that discussion of spam filtering is appropriate. Granted, by the time we get onto what employees should be allowed to do we may indeed have wandered a bit. Donald Neal | "And if you think virus Technical Specialist | writers are scary, you Operations Engineering | have clearly never met a Integration & Services Divn. | tort lawyer." Alcatel NZ Ltd | - The Economist 28/8/03 All opinions mine only. | ------------------------------------------------------------------------------ "This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you." ------------------------------------------------------------------------------

1 0

RE: [nznog] Argghhh.... [Fwd: Your e-mail message was blocked]
by Frank March 28 Sep '03

28 Sep '03

Apologies for not getting onto this yesterday as I was involved in a meeting offsite all day. This Ministry uses MailMarshall. I am not responsible for the way it is set up and I have complained frequently about the type of email that gets blocked by it. In the past, it has blocked, inter alia, the monthly messages outlining this list's AUP and other matters from the redoubtable Donald Neal. Given Donald's care with language and his email courtesy the mind fairly boggles at the thought. On average Mailmarshal as configured here seems to catch 50% of genuine spam 'aimed' at me (but is getting better) and about 25% of the blocking messages are false positives (despite recent problems with this list, I think this might also be improving incrementally). Nevertheless, personally, I would much rather have the spam. The record with virus filtering is, however, exemplary. Although I seldom post to this list (and when I do it is arguably off-topic on occasions), and most of the traffic is of marginal direct interest to me, I do find this list useful as a gauge of the temperature and general health of the Net in NZ which is immensely valuable for my job. However, if the problem persists, and complaints persist, I will remove myself from the list. I would regard this as being a very unfortunate outcome. And, by the way, and anticipating a message later in the thread from Juha, I dont ever recall his swearing at me (about me perhaps....) -- Frank March Telephone (+64 4) 474 2908 Senior Specialist Advisor Fax (+64 4) 474 2659 Information Technology Policy Group Mobile: (+64) 21 042 9205 Ministry of Economic Development, Wellington, New Zealand -----Original Message----- From: Simon Byrnand [mailto:simon(a)igrin.co.nz] Sent: Wednesday, 24 September 2003 23:17 To: nznog(a)list.waikato.ac.nz Subject: [nznog] Argghhh.... [Fwd: Your e-mail message was blocked] Sigh... Could the owner of this charming little content filter please see if it has an option to NOT reply to messages that aren't specifically addressed to the recipient. (EG messages comming in through mailing lists etc) Or perhaps consider subscribing via another address that isn't filtered. It gets a little tiring to have every second message I send to this list get a bounce from an overactive content filter because it might have "bad words" in it or in this case might be a "hoax and/or chain letter"..... (Huh ??? What in my message looks like a hoax ?) Regards, Simon ---------------------------- Original Message ---------------------------- Subject: Your e-mail message was blocked From: Actionline(a)med.govt.nz Date: Wed, September 24, 2003 11:09 pm To: simon(a)igrin.co.nz Cc: Frank.March(a)med.govt.nz -------------------------------------------------------------------------- MailMarshal (an automated content monitoring gateway) has stopped the following e-mail as it is likely to be a Hoax and/or Chain Letter. Message: B00013c776.00000001.mml From: simon(a)igrin.co.nz To: Frank.March(a)med.govt.nz Subject: Re: [nznog] SPAM (Fw: PLEASE ASSIST) If you believe the above e-mail to be business related please contact Actionline(a)med.govt.nz to arrange for the message to be released to its intended recipients. The blocked e-mail will be automatically deleted after 30 days. _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog http://www.govt.nz - connecting you to New Zealand central & local government services Any opinions expressed in this message are not necessarily those of the Ministry of Economic Development. This message and any files transmitted with it are confidential and solely for the use of the intended recipient. If you are not the intended recipient or the person responsible for delivery to the intended recipient, be advised that you have received this message in error and that any use is strictly prohibited. Please contact the sender and delete the message and any attachment from your computer.

18 34

Re: [nznog] New Team Cymru IP2ASN whois server
by Simon Lyall 25 Sep '03

25 Sep '03

A similar thing that people might like is the recent new service from routeviews.org. They have a little route server to DNS gateway so you can do things like: $ host -t txt 252.109.203.asn.routeviews.org 252.109.203.asn.routeviews.org text "7657" "203.109.252.0" "22" $ host -t txt 252.109.203.aspath.routeviews.org 252.109.203.aspath.routeviews.org text "2914 4565 7657 7657 7657" "203.109.252.0" "22" $ host -t txt 132.92.96.203.asn.routeviews.org 132.92.96.203.asn.routeviews.org text "4648" "203.96.64.0" "19" $ host -t txt 132.92.96.203.aspath.routeviews.org 132.92.96.203.aspath.routeviews.org text "2914 1239 4648" "203.96.64.0" "19" Very cool imho. -- Simon J. Lyall | Very Busy | Web: http://www.darkmere.gen.nz/ "To stay awake all night adds a day to your life" - Stilgar | eMT. I've seen things you people can't imagine. Chimneysweeps on fire over the roofs of London. I've watched kite-strings glitter in the sun at Hyde Park Gate. All these things will be lost in time, like chalk-paintings in the rain. Time for my nap. -- Julie Andrews, Bladestroller ( by Peter da Silva )

1 0

New Team Cymru IP2ASN whois server
by Rob Thomas 25 Sep '03

25 Sep '03

Fellow networkers, Team Cymru is happy to announce the availability of a public whois server dedicated to mapping IP numbers to ASNs, located at whois.cymru.com. You can find the link to this tool at: http://www.cymru.com/BGP/whois.html This link has been added to our main BGP data page available at: http://www.cymru.com/BGP/index.html We have also extended the functionality of this daemon to support BULK IP submissions for those who wish to further optimize their queries with netcat. Following is a quick overview of how to use it: $ whois -h whois.cymru.com <IP> Where <IP> is replaced by the IP you'd like to map, like so: $ whois -h whois.cymru.com 4.2.2.1 ASN | IP | Name 3356 | 4.2.2.1 | LEVEL3 Level 3 Communications You can also include port information, and/or timestamps in your queries. Be sure to include quotes around your queries, or the daemon will interpret your request as multiple lines: $ whois -h whois.cymru.com "4.2.2.1 -0600 GMT" ASN | IP | Info | Name 3356 | 4.2.2.1 | -0600 GMT | LEVEL3 Level 3 Communications For instructions on how to submit BULK queries via netcat, simply issue the following command: $ whois -h whois.cymru.com help We hope you find this tool useful. Stay tuned for more features! If you have any comments or suggestions as to how we might improve this service, feel free to let us know! Thanks, Rob, for Team Cymru. -- Rob Thomas http://www.cymru.com ASSERT(coffee != empty);

1 0

Re: [nznog] MS viruses
by Ewen McNeill 25 Sep '03

25 Sep '03

In message <006c01c383e5$51ffe4a0$6403c80a(a)uranus.clear.co.nz>, "Barry Murphy" writes: >Hmm, I just had one of the MS update viruses slip through, how many >variants of this are there? 1Kb file ;/ I've seen several copies of Swen which have come through in "neutered" form, with the executable atachment either completely missing, or the MIME headers there for it but no encoded body, or a very short encoded body. (The only reason they're getting through is because of that: I'm filtering on the executable's MIME encoding, amongst other things.) As far as I can tell they're not varients so much as the email having been through some sort of (transparent?) email filter which stripped off the executable attachement. One of my clients had a bit of a panic over one of those "neutered" versions getting in (with a 78 byte attachement instead of the executable), but it all turned out to be harmless. That said, they were planning on adding more filter rules, just to avoid confused users (and the resulting flood of calls into the helpdesk). Of course I suspect there'll be a few more copycats before the year is out. Ewen

1 0

MS viruses
by Barry Murphy 25 Sep '03

25 Sep '03

Hmm, I just had one of the MS update viruses slip through, how many variants of this are there? 1Kb file ;/ Barry

3 3

19" Server Rack in Auckland area?
by Dan Clark 25 Sep '03

25 Sep '03

Hi Guys, Does anyone have a spare 2nd hand 19" server rack in the Auckland area (or there abouts). Please contact me off list. Kind Regards, Dan Clark Network Manager Scarfies.Net Ltd Wickliffe Ltd

1 0

Re: [nznog] IP / domain blocking for SPAM prevention
by david＠farrar.com 25 Sep '03

25 Sep '03

> On Fri, 2003-09-26 at 14:00, david(a)farrar.com wrote: > > > Oh I agree they do - but at the scale of the ISPs with > > 10 million+ customers or products that are in wide use. > > I can't see a spammer adjusting anything just because > > they read on a website that Ihug with 80,000 customers > > uses Spam Assassin. > > The key phrase there is "I can't see", it doesn't matter > what you can't see, it matters what the people (the ISP > industry) see, if they aren't comfortable giving out the > measures they take then any central page where people can > easily see what people are using will be useless. Well I don't think I have suggested it is going to be compulsory or anything. In fact it is only one of hundreds of possible aspects of an overall anti spam campaign. Of course it is up to ISPs to list whatever details they want. If no-one lists anything then we just have a very short page. I would suggest that more and more consumers will pick an ISP on the basis of services like spam filtering. I have helped several people swap ISPs from those who do not have anti spam technology to those who do. Ihug's spam assassin (free plug) has been a huge benefit to me and it's the best $2.50/mth I spend. Anyway enough bandwidth wasted on this. My last post on the topic. DPF

1 0

Re: [nznog] IP / domain blocking for SPAM prevention
by david＠farrar.com 25 Sep '03

25 Sep '03

Quite the opposite. It is because they are in wide use spammers will try and get past them. But the NZ market is so miniscule that a list of what NZ ISP uses what is going to have IMO zero effect on what products spammers try to work around. I have never said that spammers do not try to get around anti spam filters. I have just said that publicising what anti spam filter a NZ ISP uses, is not going to affect the behaviour of the spammer (Unless they were for some reason targetting that ISP as a revenge thing). DPF > Hi David, > > So are you saying that in your estimation, products like > spam assassin are not in wide use? > > jamie > > >>> <david(a)farrar.com> 26/9/2003 2:00:38 PM >>> > > david(a)farrar.com wrote: > > > > > I actually think it is highly unlikely that with the > > > way spammers work they would try to tailor spam > > > individually for each ISP to get past what they think > > > are its filters. We are not big enough for that. > > > They just throw out 100 million of them and hope say > > > 10 million of them get through and are not too worried > > > if it is 10.0 million or 10.05 million. > > > > Spammers do try to get past filtering, and use different > > methods for AOL, Hotmail, etc. Some try to poison > > auto-learning filters as well. > > Oh I agree they do - but at the scale of the ISPs with 10 > million+ customers or products that are in wide use. I > can't see a spammer adjusting anything just because they > read on a website that Ihug with 80,000 customers uses > Spam Assassin. > > DPF > _______________________________________________ > NZNOG mailing list > NZNOG(a)list.waikato.ac.nz > http://list.waikato.ac.nz/mailman/listinfo/nznog > >

1 0

Re: [nznog] IP / domain blocking for SPAM prevention
by david＠farrar.com 25 Sep '03

25 Sep '03

> david(a)farrar.com wrote: > > > Oh I agree they do - but at the scale of the ISPs with > > 10 million+ customers or products that are in wide use. > > I can't see a spammer adjusting anything just because > > they read on a website that Ihug with 80,000 customers > > uses Spam Assassin. > > And yes, spammers do try to get past Spam Assassin as > well. This is probably getting to the point of off topic, but I never said they didn't. But they try to get past spam assassin because it is a widely used spam filter, not because they are going to go a NZ website, read that hey Black Albatross use Spam Assassin, so hey I'd better try and get around it. DPF

1 0

Re: [nznog] IP / domain blocking for SPAM prevention
by david＠farrar.com 25 Sep '03

25 Sep '03

> david(a)farrar.com wrote: > > > I actually think it is highly unlikely that with the way > > spammers work they would try to tailor spam individually > > for each ISP to get past what they think are its > > filters. We are not big enough for that. They just > > throw out 100 million of them and hope say 10 million of > > them get through and are not too worried if it is 10.0 > > million or 10.05 million. > > Spammers do try to get past filtering, and use different > methods for AOL, Hotmail, etc. Some try to poison > auto-learning filters as well. Oh I agree they do - but at the scale of the ISPs with 10 million+ customers or products that are in wide use. I can't see a spammer adjusting anything just because they read on a website that Ihug with 80,000 customers uses Spam Assassin. DPF

3 2

Re: [nznog] IP / domain blocking for SPAM prevention
by Jamie Baddeley 25 Sep '03

25 Sep '03

Hi David, So are you saying that in your estimation, products like spam assassin are not in wide use? jamie >>> <david(a)farrar.com> 26/9/2003 2:00:38 PM >>> > david(a)farrar.com wrote: > > > I actually think it is highly unlikely that with the way > > spammers work they would try to tailor spam individually > > for each ISP to get past what they think are its > > filters. We are not big enough for that. They just > > throw out 100 million of them and hope say 10 million of > > them get through and are not too worried if it is 10.0 > > million or 10.05 million. > > Spammers do try to get past filtering, and use different > methods for AOL, Hotmail, etc. Some try to poison > auto-learning filters as well. Oh I agree they do - but at the scale of the ISPs with 10 million+ customers or products that are in wide use. I can't see a spammer adjusting anything just because they read on a website that Ihug with 80,000 customers uses Spam Assassin. DPF _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

1 0

Re: [nznog] IP / domain blocking for SPAM prevention
by david＠farrar.com 25 Sep '03

25 Sep '03

> On Fri, 2003-09-26 at 12:19, david(a)farrar.com wrote: > > > Probably an appropriate time for me to mention that one > > of the activities that the InternetNZ Spam Taskforce is > > looking at is an easy to access website where ISPs and > > others can list what spam technologies they use and have > > available (both at server level and for clients to use). > > So the spammers can see what systems that have to beat to > get their crap through, no thanks. > > I'd happily list on a page that said "These guys do > spam/anti virus filtering" so long as I didn't have to say > in detail what we did. People can give as much detail as they want. I would agree you would not want to list for example the exact filters in place (however noting that at http://www.mirror.ac.uk/sites/spamassassin.taint.org/spamassassin.org/tests… they do list the exact filters and SA works pretty damn well IMO), but detail such as "Use Brightmail", "Use Bayesian Filtering", "Use Spews blacklist" may be useful for consumer choice. Other details I would see as useful if whether the ISP actually filters or just labels so users can filter on the labels. Is the spam filter compulsory or opt-in. Does it cost extra. If they filter is there a spam recovery folder you can check for false positives etc. I actually think it is highly unlikely that with the way spammers work they would try to tailor spam individually for each ISP to get past what they think are its filters. We are not big enough for that. They just throw out 100 million of them and hope say 10 million of them get through and are not too worried if it is 10.0 million or 10.05 million. DPF

2 1

RE: [nznog] IP / domain blocking for SPAM prevention
by Michael Bordignon 25 Sep '03

25 Sep '03

> So the spammers can see what systems that have to beat to get > their crap through, no thanks. How are others supposed to learn then? trial and error? Michael

1 0

Re: [nznog] IP / domain blocking for SPAM prevention
by david＠farrar.com 25 Sep '03

25 Sep '03

> At 10:38 a.m. 26/09/2003, Claire wrote: > > Actually, at least one ISP in the NZ market already has a > 'Virtual Mail Server' ASP product out there, with Spam > and Content Control features coming in the next few > weeks. Probably an appropriate time for me to mention that one of the activities that the InternetNZ Spam Taskforce is looking at is an easy to access website where ISPs and others can list what spam technologies they use and have available (both at server level and for clients to use). Another aspect may be some sort of guide to commercial solutions. Want to avoid it being an "INZ says this is good or bad" but something where users can rate and review solutions so more people are aware of the limitations of Mail Marshall (as one example) or Mailwasher (great product, but bounce facility is inappropriate as it forges) as another example. Consumers Institute is also looking at doing a survey in the near future, and we may team up with them to do one combined survey. DPF

2 1

Xtra outage?
by Juha Saarinen 25 Sep '03

25 Sep '03

So what was the deal there? The Xtra network status page is indecipherable. No idea what "Period: inactive" means, but it looks like customers in 03, 06, 07 and 09 areas couldn't dial into Xtra. Did this affect other ISPs too? -- Juha Saarinen

3 6

FW: Your e-mail message was blocked
by Richard Parkinson 25 Sep '03

25 Sep '03

I tend to turn all this notification stuff off though, so MM doesn't harass the sender for a legitimate email :) -----Original Message----- From: Actionline(a)med.govt.nz [mailto:Actionline(a)med.govt.nz] Sent: Friday, 26 September 2003 11:42 a.m. To: Richard Parkinson Cc: Frank.March(a)med.govt.nz Subject: Your e-mail message was blocked MailMarshal (an automated content monitoring gateway) has stopped the following e-mail as it may contain Inappropriate Content. Message: B00013e871.00000001.mml From: Richard(a)sigel.co.nz To: Frank.March(a)med.govt.nz Subject: RE: [nznog] IP / domain blocking for SPAM prevention If you believe the above e-mail to be business related please contact Actionline(a)med.govt.nz to arrange for the message to be released to its intended recipients. The blocked e-mail will be automatically deleted after 30 days.

1 0

RE: [nznog] IP / domain blocking for SPAM prevention
by Richard Parkinson 25 Sep '03

25 Sep '03

If in saying "filters" you mean, delivers it to a folder along with hoards of other junk for some poor admin to check to ensure there is no legitimate mail in the pile... Yep. I don't find this a great task though. A quick sort by subject, or sender and you quickly wipe out all the crap, leaving a handful of legitimate emails to let through. This might be a painful task for larger sites such as Massey or an ISP. Cheers, Richard. -----Original Message----- From: Steve Withers [mailto:swithers(a)mmp.org.nz] Sent: Friday, 26 September 2003 10:39 a.m. To: NZ NOG Subject: [nznog] IP / domain blocking for SPAM prevention Further comments on IP and domain blocking for *personal* mail servers: Just checked my maillog from yesterday. 70% of rejected mail connects came from hotmail, yahoo, earthlink and aol. 30% came from the 61.* and 218.* Korean IP spaces 10% was rejected by ordb / relay denied / other blocked domains I have wondered if ISPs want to encourage customers to set up individually customisable mailservers on broadband connections - some sort of appliance - that acts as their mail server. Let the business and competent private users decide what they will and won't receive....with benefits to the ISP in terms of reduced bandwidth consumed as spam isn't deliverable to these people. Just lots of rejected connect attempts. This may even be a managed service an ISP could offer a customer / business. If payment is on data-volume, this could help reduce such charges - offsetting any service fee to some extent. Am I right in thinking Mailmarshall still allows the spam to be delivered? It just filters it. The method above prevents delivery. It would be impossible to do this at ISP level....but it may be a service line an ISP might like to offer a client who wants to define what they do and do not receive. -- Steve Withers <swithers(a)mmp.org.nz> _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

1 0

RE: [nznog] Argghhh.... [Fwd: Your e-mail message was blocked]
by Richard Parkinson 25 Sep '03

25 Sep '03

Happy with MailMarshal here :) Works fine if you put the effort into setting it up properly. -----Original Message----- From: Juha Saarinen [mailto:juha(a)saarinen.org] Sent: Friday, 26 September 2003 10:12 a.m. To: Frank March Cc: ActionLine; nznog(a)list.waikato.ac.nz; Jennifer Mortimer Subject: Re: [nznog] Argghhh.... [Fwd: Your e-mail message was blocked] Frank March wrote: > Although I seldom post to this list (and when I do it is arguably > off-topic on occasions), and most of the traffic is of marginal direct > interest to me, I do find this list useful as a gauge of the > temperature and general health of the Net in NZ which is immensely > valuable for my job. However, if the problem persists, and complaints > persist, I will remove myself from the list. I would regard this as > being a very unfortunate outcome. > > And, by the way, and anticipating a message later in the thread from > Juha, I dont ever recall his swearing at me (about me perhaps....) $&@)#*&$@!!! Did you delete the message??? ;-) No, seriously, use a Hotmail account for the list instead of your MED one. Mail Marshal is a blunderbuss approach for dealing with an admittedly difficult problem and I don't know anyone "protected" by it who is happy with it. There's an important issue here to consider as well: as a civil servant, you presumably need to be accessible to the public. Using a filtering system with a high false positive rate prevents that. Oh hi, Donald. Yes, yes, I know, it's OT for the list... -- Juha _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

1 0

Argghhh.... [Fwd: Your e-mail message was blocked]]
by Steve Withers 25 Sep '03

25 Sep '03

On Fri, 2003-09-26 at 09:39, Frank March wrote: > On average Mailmarshal as configured here seems to catch 50% of genuine spam > 'aimed' at me (but is getting better) and about 25% of the blocking messages > are false positives (despite recent problems with this list, I think this > might also be improving incrementally). Nevertheless, personally, I would > much rather have the spam. The record with virus filtering is, however, > exemplary. I had to stop using the junk filter in Outlook because it decided that ALL mail from my boss was spam. I still don't know why. I don't use any server-based spam detection. Because my mailserver is for our family only I do block entire IP ranges and about 450 domain names. We get perhaps 2 spam e-mails through each day between the 4 of us. However...I block all mail from hotmail, yahoo, aol and a few others. That killed a HUGE amount of dross. Senders get a reject message explaining that their domains are the source of too much spam and would they mind resending from a responsible ISP. This also means I often don't see e-mail from people on mailing lists who use these "junk" domains....though this depends on how the list server is configured. -- Steve Withers swithers(a)mmp.org.nz -- Steve Withers <swithers(a)mmp.org.nz>

1 0

RE: [nznog] Argghhh.... [Fwd: Your e-mail message was blocked]
by Simon Lyall 25 Sep '03

25 Sep '03

On Fri, 26 Sep 2003, Frank March wrote: > On average Mailmarshal as configured here seems to catch 50% of genuine spam > 'aimed' at me (but is getting better) and about 25% of the blocking messages > are false positives (despite recent problems with this list, I think this > might also be improving incrementally). Nevertheless, personally, I would > much rather have the spam. The record with virus filtering is, however, > exemplary. A 25% false positive rate for Spam is bad to the point of being incompetent. Anything worse than a 1% FP rate except where someone is specifically after "aggressive" filtering is very bad. That sort of rate forces people to constantly check their spam folders (I assume they can) to find incorrectly identified email. I'd hate to think how many important emails are being lost. Blocking just 50% of spam isn't very good either, especially considering the amount of legit email dropped. I would guess it's another case of the govt paying peanuts and getting monkeys. Probably they have just installed the software "out of the box" rather than engaging brain and actually trying to set it to the appropriate level for the site. -- Simon J. Lyall. | Very Busy | Mail: simon(a)darkmere.gen.nz "To stay awake all night adds a day to your life" - Stilgar | eMT.

1 0

California cracks down on spam
by Barry Murphy 24 Sep '03

24 Sep '03

"California will prohibit Internet advertisers from sending unsolicited emails under the toughest law of its kind in the United States, providing for fines of up to $1-million (about R7-million). Governor Gray Davis signed legislation this week that targets not only the firms that package and send spam to consumers, but also the companies whose products and services are being advertised" I especially like the last setence above. full story at: http://www.iol.co.za/index.php?click_id=79&art_id=vn20030925032433274C67959… Barry

2 1

Nokia Firewall Appliance Specials
by Steve Rielly 24 Sep '03

24 Sep '03

Hi All, We are offering for sale, the following brand new, unused, equipment with full warranties, at heavily reduced prices, as a result of a cancelled order. You may already have one of these Nokia security appliances installed, and at the reduced price may be interested in purchasing a second unit as a spare. Alternatively, with the new Check Point Express licenses offering high availability (HA) software at reasonable prices, you may wish to consider installing a second firewall for HA using one of these appliances We have not put prices on them we are looking for offers on the equipment starting at 50% of their normal RRP. The products are... Nokia BIG-IP HA+540 Firewall Appliance Nokia BIG-IP 5000 Firewall Appliance Nokia IP440 Firewall Appliance Nokia IP330 Firewall Appliance Nokia IP71 Firewall Appliance We are offering the appliance hardware only and not the Check Point software licenses that go with them. These will need to be purchased through the normal channels, or we can provide a quote for you. Please email your offers to steve.rielly(a)extranet.co.nz The highest or any offer may not necessarily be accepted. Cheers, Steve Rielly Security Engineer Extranet Technologies Limited Level 1, 60 Cook St, Auckland, New Zealand P.O. Box 7726, Wellesley Street, Auckland, New Zealand Ph: +64 9 3771122, Mob: 025 835530 Fax: +64 9 3771109

1 0

Spam systems
by Barry Murphy 24 Sep '03

24 Sep '03

Thanks to NZNog I have had my first valid emails pushed to the spam folder. I hadn't as yet had one email get marked as spam where it was intended for me, however with the last couple of emails from Jamie, David and Dan, all 3 of these got marked. I have now allowed nznog through without filtering, so this shouldn't happen again, but thanks once again for brining my ratios down!! Only jokes :) Barry

1 0

Our friends Verisign...
by Simon Byrnand 24 Sep '03

24 Sep '03

Hi all, After the discussion a few days ago about the stunt Verisign has pulled recently, and most people expressing outrage over it, I wonder how many network operators/ISP's etc are actually willing to go as far as running the patches that are surfacing for the various nameserver software that will return NXDOMAIN when a root server tries to return an A record directly instead of a referal ? (Effectively reverting the behaviour to what it was before for your customers, and fixing issues with mailservers trying to look up non-existant domains in the aid of spam detection etc etc) I guess some people that might consider doing so could be waiting for "official" patches to come out first (like the one recently released as an rc for BIND 9) rather than hacks before implementing it, but what is the general feeling about this kind of action ? Anyone want to 'fess up to doing it already ? :) (on a medium to large scale) Regards, Simon Byrnand iGRIN Internet

11 14

[Fwd: Message Stopped by: Junk Mail Inbound]
by Simon Byrnand 23 Sep '03

23 Sep '03

Ok, everyone must have it in for me tonight. I'm off to bed :) Night all.. ;) Regards, Simon ---------------------------- Original Message ---------------------------- Subject: Message Stopped by: Junk Mail Inbound From: admin(a)safecom.co.nz Date: Wed, September 24, 2003 11:17 pm To: simon(a)igrin.co.nz -------------------------------------------------------------------------- The Safecom SMTP Relay has quarantined this email due to the triggering of the Junk Mail policy. The email has been forwarded to the Mail Administrator of the intended recipients company. This Mail Administrator will forward the mail to the recipient should it be deemed as legitimate email i.e not Chainmail, Virus Hoax or Jokes. Message: BB0027f6d5.00000001.mml From: simon(a)igrin.co.nz To: Ivan.Walker(a)hpac.govt.nz Subject: [nznog] Argghhh.... [Fwd: Your e-mail message was blocked] This is an automated response. Do not reply to this message. If you have any further questions please contact the intended recipient to confirm whether they received the email.

2 1

SPAM (Fw: PLEASE ASSIST)
by Dan Clark 23 Sep '03

23 Sep '03

Hi Guys, Just wondering if it is just me that is receiving an influx of these kind of messages relating to offshore accounts and foreign money etc? These used to be common then they stopped, but now they are back. Maybe my SPAM filter has broken. Regards, Dan Clark Network Manager Scarfies.Net Ltd Wickliffe Ltd ----- Original Message ----- From: "JULIUS J BALA" <j_bala2003(a)gawab.com> To: <dan(a)scarfies.net> Sent: Wednesday, September 24, 2003 4:09 PM Subject: PLEASE ASSIST > FROM: DR. JULIUS JUBRIL BALA, > FEDERAL SECRETARIAT COMPLEX, > IKOYI. > > Best wishes of good health and success in your pursuits particularly through my proposal as contained in this letter.Before going into details of my proposal to you, I must first solicit you to treat with the utmost confidentiality, as this is required for its success. > > INTRODUCTION: > > My colleagues and I are senior officials of the Federal Government of Nigeria's Contracts Review Panel who are interested in investing some funds that are presently floating in the accounts of the Central Bank of Nigeria.In order to commence this transaction, we solicit your assistance to enable us transfer into your account the said floating funds. > > We are determined to conclude the transfer before the end of this quarter of 2003. The source of the funds are as follows: During the last military regime,government officials awarded contracts that were grossly over-invoiced to Contractors.The present civilian government set up the Contract Review Panel, which has the mandate to use the instruments of payments made available to it by the decree setting up > the panel, to review these contracts and if necessary pay those who are being owed outstanding amounts. My colleagues and I have identified quite a huge sum of these funds which are presently floating in the Central Bank of Nigeria ready for disbursement and would like to invest some of it for our own purposes. > > However, by virtue of our positions as civil servants and members of this panel,we cannot acquire these funds in our names or in the names of companies that are based in Nigeria. I have therefore been mandated, as a matter of trust by my colleagues in the panel, to look for a reliable overseas partner into whose account we can transfer the sum of U.S.$16,500,000.00(sixteen million,five hundred thousand U.S. Dollars). That is why I am writing you this letter. > > We have agreed to share the money to be transferred into your account,if you agree with our proposition as follows; (i) 10% to the account owner (you). (ii) 80% for us (the panel officials). (iii) 10% to be used in settling all expenses (by both you and us )incidental to the actualisation of this project. We wish to invest our share of the proceeds of this project in foreign stock markets and other business till we are > ready and able to have access to them without raising any eyebrows here at home. > > Please note that this transaction is 100% safe. We intend to effect the transfer within fourteen(14) banking days from the date of receipt of the following information: Your name, company's name, address,telephone and fax numbers . The above information will enable us write letters of claim and job description respectively. This way, we will use your company's name to apply for the payment and backdate the award of the contract to your company. We are looking forward to carrying out this transaction with you and we solicit your utmost confidentiality in its execution. > > Please acknowledge the receipt of this email by replying urgently. Also,endeavour to furnish me with your phone number so that I can call you and bring you into a more detailed picture of this transaction when I hear from you. > > Best regards, > > Dr Julius Bala. > > > >

4 4

Argghhh.... [Fwd: Your e-mail message was blocked]
by Simon Byrnand 23 Sep '03

23 Sep '03

Sigh... Could the owner of this charming little content filter please see if it has an option to NOT reply to messages that aren't specifically addressed to the recipient. (EG messages comming in through mailing lists etc) Or perhaps consider subscribing via another address that isn't filtered. It gets a little tiring to have every second message I send to this list get a bounce from an overactive content filter because it might have "bad words" in it or in this case might be a "hoax and/or chain letter"..... (Huh ??? What in my message looks like a hoax ?) Regards, Simon ---------------------------- Original Message ---------------------------- Subject: Your e-mail message was blocked From: Actionline(a)med.govt.nz Date: Wed, September 24, 2003 11:09 pm To: simon(a)igrin.co.nz Cc: Frank.March(a)med.govt.nz -------------------------------------------------------------------------- MailMarshal (an automated content monitoring gateway) has stopped the following e-mail as it is likely to be a Hoax and/or Chain Letter. Message: B00013c776.00000001.mml From: simon(a)igrin.co.nz To: Frank.March(a)med.govt.nz Subject: Re: [nznog] SPAM (Fw: PLEASE ASSIST) If you believe the above e-mail to be business related please contact Actionline(a)med.govt.nz to arrange for the message to be released to its intended recipients. The blocked e-mail will be automatically deleted after 30 days.

1 0

Re: [nznog] SPAM (Fw: PLEASE ASSIST)
by Jamie Baddeley 23 Sep '03

23 Sep '03

Dan, It might have something to do with what verisign have been doing. The sitefinder service basically validates what were invalid domains. Evil Spammers Who Must Die (tm) now can get the spam through. What's failing is you used to be able to refuse bogus domains. ..or something like that. (although in this case gawab.com appears to be valid) jamie ------- cat 'The Internet'|sed 's/verisign/scum/g' >>> "Dan Clark" <dan(a)scarfies.net> 24/9/2003 4:13:45 PM >>> Hi Guys, Just wondering if it is just me that is receiving an influx of these kind of messages relating to offshore accounts and foreign money etc? These used to be common then they stopped, but now they are back. Maybe my SPAM filter has broken. Regards, Dan Clark Network Manager Scarfies.Net Ltd Wickliffe Ltd ----- Original Message ----- From: "JULIUS J BALA" <j_bala2003(a)gawab.com> To: <dan(a)scarfies.net> Sent: Wednesday, September 24, 2003 4:09 PM Subject: PLEASE ASSIST > FROM: DR. JULIUS JUBRIL BALA, > FEDERAL SECRETARIAT COMPLEX, > IKOYI. > > Best wishes of good health and success in your pursuits particularly through my proposal as contained in this letter.Before going into details of my proposal to you, I must first solicit you to treat with the utmost confidentiality, as this is required for its success. > > INTRODUCTION: > > My colleagues and I are senior officials of the Federal Government of Nigeria's Contracts Review Panel who are interested in investing some funds that are presently floating in the accounts of the Central Bank of Nigeria.In order to commence this transaction, we solicit your assistance to enable us transfer into your account the said floating funds. > > We are determined to conclude the transfer before the end of this quarter of 2003. The source of the funds are as follows: During the last military regime,government officials awarded contracts that were grossly over-invoiced to Contractors.The present civilian government set up the Contract Review Panel, which has the mandate to use the instruments of payments made available to it by the decree setting up > the panel, to review these contracts and if necessary pay those who are being owed outstanding amounts. My colleagues and I have identified quite a huge sum of these funds which are presently floating in the Central Bank of Nigeria ready for disbursement and would like to invest some of it for our own purposes. > > However, by virtue of our positions as civil servants and members of this panel,we cannot acquire these funds in our names or in the names of companies that are based in Nigeria. I have therefore been mandated, as a matter of trust by my colleagues in the panel, to look for a reliable overseas partner into whose account we can transfer the sum of U.S.$16,500,000.00(sixteen million,five hundred thousand U.S. Dollars). That is why I am writing you this letter. > > We have agreed to share the money to be transferred into your account,if you agree with our proposition as follows; (i) 10% to the account owner (you). (ii) 80% for us (the panel officials). (iii) 10% to be used in settling all expenses (by both you and us )incidental to the actualisation of this project. We wish to invest our share of the proceeds of this project in foreign stock markets and other business till we are > ready and able to have access to them without raising any eyebrows here at home. > > Please note that this transaction is 100% safe. We intend to effect the transfer within fourteen(14) banking days from the date of receipt of the following information: Your name, company's name, address,telephone and fax numbers . The above information will enable us write letters of claim and job description respectively. This way, we will use your company's name to apply for the payment and backdate the award of the contract to your company. We are looking forward to carrying out this transaction with you and we solicit your utmost confidentiality in its execution. > > Please acknowledge the receipt of this email by replying urgently. Also,endeavour to furnish me with your phone number so that I can call you and bring you into a more detailed picture of this transaction when I hear from you. > > Best regards, > > Dr Julius Bala. > > > > _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

1 0

Netlantis -- seeking for sponsors and peers
by Pascal Gloor 22 Sep '03

22 Sep '03

Hello .nz ! Perhaps some of you already heard about netlantis... The purpose of the netlantis project is to offer "human readable" output of the global BGP table status (as most realtime as possible, most of the time <2 min delay to reality). There are different tools on the website you can discover by yourself. There is also a whois and a telnet interface. We're actually running 5 RouteCollectors (including one in common with the RIS project of RIPE NCC), 2 in USA and 3 in Europe. There should be a new RouteCollector soon in south africa and one in greece. We've got now 78 BGP peers (including large and small ISP from all around the world), which makes almost 7'200'000 prefixes stored in the central database. Netlantis has been presented at the last RIPE meeting in Amsterdam, NL http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-routing-netl… Netlantis will be presented at the next SWINOG meeting (22oct 2003) in Bern, CH Indeed netlantis is FREE and only done by private people investing their free time, there is nothing to buy nor to sell at netlantis :-) Now, and that's why I mail you, I'm looking for sponsors in NZ. The "best" would be to have a RouteCollector on the APE lan. A typical RouteCollector is a P3 1Ghz with 1Gbyte of ram. The sponsors will be, indeed, listed on the netlantis.org website and in any presenation of netlantis. But hosting a RouteCollector at an ISP is also possible. For people who would like to peer with netlantis, please fill up the form at http://www.netlantis.org/index.html?menu=5&page=newpeer If you have any question / remark / ideas for new tools / whatever, feel free to drop me a mail or reply to the list. Kind Regards, Pascal Gloor The Netlantis Project

1 0

Could be of some use to stop Swen
by Juha Saarinen 22 Sep '03

22 Sep '03

vbl.messagelabs.com Seems to catch quite a few here, but not of course the ones sent from ISP smarthosts. -- Juha Saarinen

1 0

RE: [nznog] Verisign grabs *.net and *.com
by Robert Purdy (DSL AK) 21 Sep '03

21 Sep '03

Quick question - If you don't implement a patch are you leaving yourself exposed to a DOS attack? A simple perl script enumerating random domains and digging at an ISP server could probably fill a DNS cache over a period of time. (It would eventually fall over I guess...) Rob -----Original Message----- From: Nic Bellamy [mailto:nic(a)bellamy.co.nz] Sent: Wednesday, 17 September 2003 10:25 a.m. To: nznog(a)list.waikato.ac.nz On Wed, 2003-09-17 at 09:29, Joe Abley wrote: > > On Monday, Sep 15, 2003, at 23:58 Canada/Eastern, Juha Saarinen wrote: > > > Brent McDowell wrote: > >> For those of you who use djbdns, a patch has been released that > >> rejects A records that resolve to 64.94.110.11. It'll return > >> NXDOMAIN. > >> http://tinydns.org/djbdns-1.05-ignoreip.patch > > > > Anything for BIND 9? > > I am told an official patch is being tested right now. In the interim, there's a patch floating around for bind9 - haven't found an official site for it, so I've chucked it up at: http://www.bellamy.co.nz/stuff/bind9-antiverisign.patch I can confirm it Works For Me(tm) (even if it's done in a rather ugly manner). Cheers, Nic. -- Nic Bellamy <nic(a)bellamy.co.nz> Bellamy Consulting (NZ) Limited. +64-6-377-4957 Mobile: +64-21-251-8954 Internet Software & Security Consulting -- http://www.bellamy.co.nz/ -- _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

4 3

Re: [nznog] Iworm.Swen
by Ewen McNeill 21 Sep '03

21 Sep '03

In message <001501c380a4$fe004bd0$fd00a8c0(a)morpheus>, "Matthew G Brown" writes: >Is anyone seeing large influx of Iworm.Swen & >Exploit.IFrame.FileDownloadMessage over the last few days. Im getting >over 200 a day, All for some reason addressed to me , very few to any >other users. The discussion in ASR suggests that it's mainly grabbing addresses to use from Usenet archives/news servers. So people who have posted frequently are getting considerably more than those who haven't. I'm blocking perhaps 100/day at present (due to their included Microsoft Executables). Some people in ASR were getting many dozens per _hour_ (I think one person was seeing hundreds per hour), so I'm grateful that this one doesn't seem to have hit me as hard as SoBig.F was (I was seeing thousands of copies of SoBig.F per day). Ewen

2 1

Re: [nznog] Iworm.Swen
by Mark Davies 21 Sep '03

21 Sep '03

From: Ewen McNeill <ewen(a)naos.co.nz> Date: Mon, 22 Sep 2003 13:14:59 +1200 > Some people in ASR were getting many dozens per _hour_ (I think one > person was seeing hundreds per hour), so I'm grateful that this one > doesn't seem to have hit me as hard as SoBig.F was (I was seeing > thousands of copies of SoBig.F per day). We threw away 4500 over the weekend, mostly to two particular addresses, but a sprinkling to others. Don't know why those two addresses were so hard done by. mark

1 0

Iworm.Swen
by Matthew G Brown 21 Sep '03

21 Sep '03

Is anyone seeing large influx of Iworm.Swen & Exploit.IFrame.FileDownloadMessage over the last few days. Im getting over 200 a day, All for some reason addressed to me , very few to any other users. I seem to be the only one I know having this problem, I feel very special. Best regards Matthew G Brown B & R Holdings LIMITED Nelson, New Zealand DDI: + 64 3 544 9116 MOB: 027 4807731 http://www.brh.co.nz http://www.backupserver.co.nz

3 2

where, o where, has my little switch gone.
by Simon Blake 21 Sep '03

21 Sep '03

If anybody finds a Cisco 2912 switch that's, cough, fallen off the back of a truck, please sing out - we had one five fingered last night. Ripped the rack of the wall, dropped the power, the whole nine yards. Still, our none-to-bright crims took the cheap switch and left the rack of far more valuable media convertors sitting above it, so I guess we can be thankful for small mercies! Thankfully, not a very common occurence. Cheers Si

2 1

VeriSign Sued
by Hugh Lilly 19 Sep '03

19 Sep '03

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 VeriSign Sued Over Controversial Web Service Thu September 18, 2003 09:13 PM ET By Elinor Mills Abreu SAN FRANCISCO (Reuters) - An Internet search company on Thursday filed a $100 million antitrust lawsuit against VeriSign Inc., accusing the Web address provider of hijacking misspelled and unassigned Web addresses with a service it launched this week. http://www.reuters.com/printerFriendlyPopup.jhtml?type=internetNews&storyID… - -- (C) 2003 Hugh Lilly mail: h.lilly(a)gmx.net blog: http://hugh.orcon.net.nz Registered Linux User # 295486, register @ http://counter.li.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE/auF89hi2EvY06qgRAmGmAKCTLqkXIJag46oQLDq1od0PFIHXqQCglYeI svtZjEX42+BJbhPx1/yoiSc= =P+4f -----END PGP SIGNATURE-----

3 2

Prefix list update for Net4U Limited (AS23746)
by Michael Jager 19 Sep '03

19 Sep '03

Hi all, For those of you peering with Net4U, please update your filters to allow 210.55.110.0/24. A complete prefix list is attached for your reference. -michael Network Operations Net4u Limited

1 0

Fwd: [ga] ICANN Advisory to Verisign: Voluntarily suspend Sitefinder
by david＠farrar.com 19 Sep '03

19 Sep '03

Even ICANN has arisen to life and has asked Verisign to suspend their sitefinder service. Will be useful to read what their Security and Stability Advisory Committee says on the wildcard issue. DPF ----- Message Forwarded on 20/09/03 ----- From: George Kirikos <gkirikos(a)yahoo.com> To: ga(a)dnso.org Cc: discuss-list(a)opensrs.org Subject: [ga] ICANN Advisory to Verisign: Voluntarily suspend Sitefinder Date: Fri, 19 Sep 2003 19:26:56 -0700 (PDT) See the advisory at: http://www.icann.org/announcements/advisory-19sep03.htm I doubt Verisign has the inkling to stop.... Sincerely, George Kirikos http://www.kirikos.com/ P.S. Sign the updated petition at: http://www.whois.sc/verisign-dns/

1 0

ll stuff
by Thomas Salmen 18 Sep '03

18 Sep '03

looks like i'm going to have to dump my tel stock... http://www.nzherald.co.nz/business/businessstorydisplay.cfm?storyID=3524244& thesection=business&thesubsection=telecommunications&thesecondsubsection=gen eral&thetickercode=TEL my tls shares should do okay though

1 0

RE: [nznog] stream of Orcon spam
by Seeby Woodhouse 18 Sep '03

18 Sep '03

I wasn't aware that there was any 'constant stream of spam' coming from us. However - I've been following up since seeing your email the other day. My understanding from the tech team is that we are on top of this and do respond to such things - if you have previously tried to get us to take action and nothing has happened, then I'd be keen to know about it. Cheers Seeby Woodhouse Managing Director Orcon Internet Limited - www.orcon.net.nz Mob +64 (0) 21 366 666 / Wk +64 (9) 444 4414 ext 700 -----Original Message----- From: Tony Wicks [mailto:nzog(a)road.gen.nz] Sent: Friday, September 19, 2003 6:25 AM To: Liz Q Cc: nznog(a)list.waikato.ac.nz Subject: RE: [nznog] stream of Orcon spam They don't respond. -----Original Message----- From: Liz Q [mailto:liz(a)debian.co.nz] Sent: Friday, 19 September 2003 12:20 a.m. To: nzog(a)road.gen.nz Cc: nznog(a)list.waikato.ac.nz Subject: Re: [nznog] stream of Orcon spam Perhaps you should take it up with them, I'm fairly sure they will be happy to find whos account it is and remove it. Liz Q On Wed, 2003-09-17 at 21:36, Tony Wicks wrote: > Hi all, is anyone else seeing a constant stream of spam **again** emanating > from Orcon ? > > > ( now added to "hosts.deny" ) > > > > Received: from dbmail-mx1.orcon.co.nz (loadbalancer-VIP.orcon.net.nz > [219.88.242.2]) > by *removed* (8.12.8/8.12.8) with ESMTP id h8H63EcG011226 > for <*removed*>; Wed, 17 Sep 2003 18:03:34 +1200 > Received: from 219.88.242.10 ([218.63.107.253]) > by dbmail-mx1.orcon.co.nz (8.12.6/8.12.6/Debian-7) with SMTP id > h8H61d2d006264 > for <*removed*>; Wed, 17 Sep 2003 18:02:25 +1200 > Received: from uvd.cixzx.net (HELO jk0) ([103.212.63.23]) by 219.88.242.10 > id <2581790-60199> for <*removed*>; Wed, 17 Se > p 2003 14:54:17 +0600 > Message-ID: <b-1$-f$oj422x(a)c9n.dl4l.2h3y> > From: "Iris Oliver" <q2djix5co3u(a)eguo.com> > Reply-To: "Iris Oliver" <q2djix5co3u(a)eguo.com> > To: <*removed*> > Subject: Develop a Larger Penis in Weeks > > > Received: from dbmail-mx3.orcon.co.nz (loadbalancer-VIP.orcon.net.nz > [219.88.242.2]) > by *removed* (8.12.8/8.12.8) with ESMTP id h8H5UvcG011061 > for <*removed*>; Wed, 17 Sep 2003 17:30:58 +1200 > Received: from modemcable084.162-202-24.hull.mc.videotron.ca > (modemcable084.162-202-24.hull.mc.videotron.ca [24.202.162.84]) > by dbmail-mx3.orcon.co.nz (8.12.6/8.12.6/Debian-7) with SMTP id > h8H5Tho7008819 > for <*removed*>; Wed, 17 Sep 2003 17:29:45 +1200 > Received: from [150.94.211.109] > by modemcable084.162-202-24.hull.mc.videotron.ca; > Wed, 17 Sep 2003 00:27:00 -0600 > Message-ID: <u$1eo2yj-u36$gq(a)1sbkl8.s.c6l2y> > From: "Brianna Avery" <25mypdms(a)gateway.com> > Reply-To: "Brianna Avery" <25mypdms(a)gateway.com> > To: *removed* > Subject: *removed* male enhancement patch 3 qchywrehm > > > > _______________________________________________ > NZNOG mailing list > NZNOG(a)list.waikato.ac.nz > http://list.waikato.ac.nz/mailman/listinfo/nznog -- This PC runs Linux. If you find a virus apparently from me, it has forged the e-mail headers on someone else's machine. Please do not notify me when this occurs. Thanks. _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

1 0

Re: [nznog] Email for domains hosted by 2day.com
by Ewen McNeill 18 Sep '03

18 Sep '03

In message <Pine.WNT.4.55.0309172108560.696(a)den3>, Juha Saarinen writes: >On Wed, 17 Sep 2003, Ewen McNeill wrote: >> And if nothing else it's probably useful to have a single document to >> wave at people saying "these are all the bad things you've caused by >> doing this". > >That's been documented already, as in the 2day.com case. To reinforce the "one list with which to beat people up", this post on NANOG: http://www.merit.edu/mail.archives/nanog/msg13728.html points out that Verisign are in an interesting position with HTTPS access: not only do they have the wildcard DNS entry to draw traffic their way (apparently consuming one AS and two /24s on the way past), they've also got the trusted CA certificates to sign any SSL certificates needed (on the fly if they wish). The little "trusted site" closed lock on, eg: https://www.placetobuystuff.com/ is (amazinginly) a little less meaningful than it was before. (I'm also amazed that, apparently, no one has registered that domain name. It seems such an obvious one for the type-stuff-in-and-see-what-happens crowd.) FWIW, these: http://www.haque.net/verisign_dns_rant.php http://www.merit.edu/mail.archives/nanog/msg13682.html aren't a bad (early) start at a summary of problems (from Tuesday). Ewen

5 5

Re: [nznog] Email for domains hosted by 2day.com
by david＠farrar.com 18 Sep '03

18 Sep '03

Bob Gray wrote: > On 19 Sep 2003 at 9:17, Antonio Broughton wrote: > > > So if i was to say "ihug.net" has bad data.... that will > > mean ihug.net will get deleted also? :) > > More to the point if someone said that the nz record is > bad: > > [snip] > Technical Contact: > Name: ITS Operators > Organization: The University of Waikato > Address1: Private Bag 3105 > [snip] > > would that get deleted too? InternetNZ has been trying to get that changed for, well around four years now. There has been many a fight with ICANN about them refusing to update details for .nz zone despite it being inaccurate. What was ironic was that one year their request for a fee/donation didn't get through because they sent it to the old mailing address which they had refused to change. They have got more responsive of late and as I understand it there is an attempt underway to get this final piece of incorrect information fixed. DPF

1 0

Re: [nznog] Email for domains hosted by 2day.com
by Peter Mott 18 Sep '03

18 Sep '03

Antonio Broughton wrote: > So if i was to say "ihug.net" has bad data.... that will mean ihug.net > will get deleted also? :) Who knows :-( Looks like our record in the DomainDiscover database got screwed at some time after we transferred 2day.com to them from Verisign. In case anybody is wondering, Dan Halloran <halloran(a)icann.org> knows who I am. As do most ICANN folk. So the NZ person who complained did not tell us, nor did ICANN. That sucks. ... Dear Registrar, Please find below here a report concerning inaccurate Whois data for 2day.com. As you are aware, section 3.7.8 of your Registrar Accreditation Agreement obligates you to take reasonable steps to investigate each such report you receive. After you have completed your investigation and taken any appropriate action, please record the disposition of this report by submitting a Registrar Whois Correction Report at: http://www.internic.net/cgi/rpt_whois/update.cgi?rid=jo0tpjmLcZfyT3tE5CmCIg Thank you for your cooperation. If you have any questions, please feel free to contact Dan Halloran <halloran(a)icann.org>. BestRegards, ICANN Whois Problem Reports --------------------------- Name:INFORMANT_DELETED_BY_PETER_MOTT Email:INFORMANT_EMAIL_DELETED_BY_PETER_MOTT Domain:2day.com Registrar:DOMAINDISCOVER Errors in Registrant Information: Address:INCORRECT Phone:INCORRECT Description: No address or telephone number given. Errors in Administrative Contact Information: Address:INCORRECT Phone:INCORRECT Description: No address or telephone number given. Errors in Technical Contact Information: Address:INCORRECT Phone:INCORRECT Description: No address or telephone number given --------------------------- Whois Server Version 1.3 Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information. Domain Name: 2DAY.COM Registrar: DOMAINDISCOVER Whois Server: whois.domaindiscover.com Referral URL: http://www.domaindiscover.com Name Server: NS3.2DAY.COM Name Server: NS1.2DAY.COM Name Server: NS2.2DAY.COM Status: ACTIVE Updated Date: 22-may-2003 Creation Date: 24-oct-1997 Expiration Date: 23-oct-2004 This WHOIS database is provided for information purposes only. We do not guarantee the accuracy of this data. The following uses of this system are expressly prohibited: (1) use of this system for unlawful purposes; (2) use of this system to collect information used in the mass transmission of unsolicited commercial messages in any medium; (3) use of high volume, automated, electronic processes against this database. By submitting this query, you agree to abide by this policy. Registrant: 2Day Internet Limited , US Domain Name: 2DAY.COM Administrative Contact, Technical Contact, Zone Contact: 2Day Internet Limited Mott, Peter , US peter(a)2DAY.COM Domain created on 23-Oct-1997 Domain expires on 22-Oct-2004 Last updated on 22-May-2003 Domain servers in listed order: NS1.2DAY.COM NS3.2DAY.COM NS2.2DAY.COM -- Peter Mott Chief Enthusiast 2DAY INTERNET LIMITED http://www.2day.com "Hell, there are no rules here - we're trying to accomplish something!" Thomas A Edison

2 1

stream of Orcon spam
by Tony Wicks 18 Sep '03

18 Sep '03

Hi all, is anyone else seeing a constant stream of spam **again** emanating from Orcon ? ( now added to "hosts.deny" ) Received: from dbmail-mx1.orcon.co.nz (loadbalancer-VIP.orcon.net.nz [219.88.242.2]) by *removed* (8.12.8/8.12.8) with ESMTP id h8H63EcG011226 for <*removed*>; Wed, 17 Sep 2003 18:03:34 +1200 Received: from 219.88.242.10 ([218.63.107.253]) by dbmail-mx1.orcon.co.nz (8.12.6/8.12.6/Debian-7) with SMTP id h8H61d2d006264 for <*removed*>; Wed, 17 Sep 2003 18:02:25 +1200 Received: from uvd.cixzx.net (HELO jk0) ([103.212.63.23]) by 219.88.242.10 id <2581790-60199> for <*removed*>; Wed, 17 Se p 2003 14:54:17 +0600 Message-ID: <b-1$-f$oj422x(a)c9n.dl4l.2h3y> From: "Iris Oliver" <q2djix5co3u(a)eguo.com> Reply-To: "Iris Oliver" <q2djix5co3u(a)eguo.com> To: <*removed*> Subject: Develop a Larger Penis in Weeks Received: from dbmail-mx3.orcon.co.nz (loadbalancer-VIP.orcon.net.nz [219.88.242.2]) by *removed* (8.12.8/8.12.8) with ESMTP id h8H5UvcG011061 for <*removed*>; Wed, 17 Sep 2003 17:30:58 +1200 Received: from modemcable084.162-202-24.hull.mc.videotron.ca (modemcable084.162-202-24.hull.mc.videotron.ca [24.202.162.84]) by dbmail-mx3.orcon.co.nz (8.12.6/8.12.6/Debian-7) with SMTP id h8H5Tho7008819 for <*removed*>; Wed, 17 Sep 2003 17:29:45 +1200 Received: from [150.94.211.109] by modemcable084.162-202-24.hull.mc.videotron.ca; Wed, 17 Sep 2003 00:27:00 -0600 Message-ID: <u$1eo2yj-u36$gq(a)1sbkl8.s.c6l2y> From: "Brianna Avery" <25mypdms(a)gateway.com> Reply-To: "Brianna Avery" <25mypdms(a)gateway.com> To: *removed* Subject: *removed* male enhancement patch 3 qchywrehm

2 2

Email for domains hosted by 2day.com
by Stephen Sheehan 17 Sep '03

17 Sep '03

Hi, Does anybody have a workaround. for .nz MX records I would not have thought it would have been possible to break the MX DNS for a .NZ via a .com fuckup. I would think it can be fitted domestically untill the .com situation is sorted, it is afterall in the .nz namespace see below Thanks Stephen --- MAILER-DAEMON(a)yahoo.com wrote: > Date: 16 Sep 2003 23:46:40 -0000 > From: MAILER-DAEMON(a)yahoo.com > To: axpunix(a)yahoo.com > Subject: failure delivery > > Message from yahoo.com. > Unable to deliver message to the following > address(es). > > <erkel(a)eaudio.co.nz>: > 64.94.110.11 does not like recipient. > Remote host said: 550 User domain does not exist. > Giving up on 64.94.110.11. > > --- Original message follows. > > Return-Path: <axpunix(a)yahoo.com> > Message-ID: > <20030916234640.38894.qmail(a)web13601.mail.yahoo.com> > Received: from [165.84.100.16] by > web13601.mail.yahoo.com via HTTP; Tue, 16 Sep 2003 > 16:46:40 PDT > Date: Tue, 16 Sep 2003 16:46:40 -0700 (PDT) > From: Stephen Sheehan <axpunix(a)yahoo.com> > Subject: test > To: erkel(a)eaudio.co.nz > MIME-Version: 1.0 > Content-Type: text/plain; charset=us-ascii > > test > > __________________________________ > Do you Yahoo!? > Yahoo! SiteBuilder - Free, easy-to-use web site > design software > http://sitebuilder.yahoo.com __________________________________ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com

16 34

RE: [nznog] Email for domains hosted by 2day.com
by Michael Sutton 17 Sep '03

17 Sep '03

http://www.alexa.com/data/details/traffic_details?q=&url=verisign.com I support what ever can be done to bring Verisign into line... I have reviewed the link (above) showing the dramatic effect of Verisigns "e-jack" and wonder whether there may be a parallel to the similar situation were Worldcom highjacked telephone traffic in the US to route it via Canada in order to "deceive and defraud AT&T into paying termination fees." Doesn't this action unnecessarily generate revenue and costs for networks which send and receive traffic to/from verisign.com site... Who is winning here anyone besides Verisign... MSS INZ Councillor -----Original Message----- From: Keith Davidson [mailto:keith(a)wise.net.nz] Sent: Wednesday, September 17, 2003 08:30 To: nznog(a)list.waikato.ac.nz Subject: Re: [nznog] Email for domains hosted by 2day.com Juha wrote: > Was thinking more about ICANN, actually. There doesn't appear to be any > mechanism to guard against the mistake that affected 2day.com. I realise > it's .com we're talking about, but it did affect .nz users as well. What Veri$ign wants, ICANN provides - and I've never seen the reverse occur. > Is it really a good idea to have a single point of failure like this? Definitely not. Keith Davidson _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

1 0

RE: [nznog] Email for domains hosted by 2day.com
by Michael Bordignon 17 Sep '03

17 Sep '03

> Don't forget that up until now Microsoft owned the World Wide Web. But Microsoft's implementation didn't break mail :) Michael

1 0

Vote Verisign CEO down
by Andy Gardner 17 Sep '03

17 Sep '03

http://www.forbes.com/2003/05/01/cx_ceointernetpoll.html Let's give him a 1% approval rating for September.

6 7

Domainz/SRS registrant data inaccuracies
by Juha Saarinen 17 Sep '03

17 Sep '03

Isn't there a requirement for registrants in .nz to provide accurate information? Look up: pheer.net.nz die.net.nz Does that look like a NZ phone number? Then there's waiariki.ac.nz, which was joe-jobbed by a spammer recently. The registrant and admin email bounces. -- Juha Saarinen

3 3