- NZNOG - lists.nznog.org

Carriers blocking IPSec...official policy?
by rob.edkins＠axon.co.nz 08 May '02

08 May '02

Greetings folks, We have had several instances recently of problems with IPSec VPNs that turned out to be caused by ACL's at the ISP or carrier level blocking ESP traffic, or rather any IP traffic that isn't TCP, UDP, ICMP or routing stuff. There is no one particular network provider involved (one was offshore), and it doesn't seem to be a general practice, but we seem to be getting caught occaisonally by default "deny all IP" catch-all rules of the kind you stick at the bottom of the access list. Sometimes, it's only one interface in a particular direction. We've wasted a large amount of time and effort debugging and trying to get people to check their router configs for us, with varying degrees of co-operation. Has anyone else struck similar issues? Can anyone comment on whether this is a general 'no VPNs on our turf' policy, as one provider's help desk has (not terribly helpfully) suggested? Rgds, Rob Edkins Systems Consultant Axon Computertime email: rob.edkins(a)axon.co.nz -- The information contained in this e-mail message is intended only for the use of the person or entity to whom it is addressed and may contain information that is CONFIDENTIAL and may be exempt from disclosure under applicable laws. If you read this message and are not the addressee you are notified that use, dissemination, distribution, or reproduction of this message is prohibited. If you have received this message in error, please notify us immediately and delete the original message. You should scan this message and any attached files for viruses. Axon Computertime accepts no liability for any loss caused either directly or indirectly by a virus arising from the use of this message or any attached file. - To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog

2 1

Traffic Magnet At It Again
by Mark Foster 06 May '02

06 May '02

I got hit by Traffic Magnet again.. spamcrawlers are nasty. I noticed a coupla quirks... Firstly, when I traceroute to the IP concerned, clix are sending me to LA first.. whats up with that? :) Next... 26. 202.106.192.222 0% 38 38 418 415 438 469 27. GSR01-ToBTO-02.tynoc.bj.capitalnet 22% 30 38 420 409 442 496 28. RSM04-ToGSR01.TY.bj.capitalnet.com.cn 0% 38 38 441 433 481 542 29. 211.101.236.29 0% 38 38 417 417 438 466 Interesting hostname on hop 27 there.. :) I know this host has been discussed in the past, did anyone make any progress pursuing this? Im about to block capitalnet from connecting to my MTA... Mark. - To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog

3 3

Mailwasher.
by Simon Lyall 06 May '02

06 May '02

Are other people having problems with customers using this program? It has a function for "bounce" spam which forges bounces from MAILER-DAEMON at the ISP's domain. I seem to only have a very small number of customers using it but the queues on my mail smtp servers are growing a bit with emails to bogus addresses waiting to time out (which is why there is a seperate server for bounces in the first place). I'm really worried that if use of the program takes off I'll have to re-resource ($$$) my mail servers to take account of a few 10,000s emails sitting in the outgoing queues or else the same customers will start blaming me for not delivering their emails in less than 10 seconds. I think the author is from New Zealand, anybody know them , an address where I can send a bill would be great. I also really object to the concept of the program forging email addresses on emails. -- Simon Lyall. | Newsmaster | Work: simon.lyall(a)ihug.co.nz Senior Network/System Admin | Postmaster | Home: simon(a)darkmere.gen.nz ihug, Auckland, NZ | Asst Doorman | Web: http://www.darkmere.gen.nz - To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog

3 2

RE: Mailwasher.
by Darrin Cooke 06 May '02

06 May '02

-----Original Message----- From: Simon Byrnand [mailto:simon(a)igrin.co.nz] >Maybe the author of the program needs a friendly but firm whack with a clue >stick to remove the offending functions of the program. The last thing we >need is more undeliverable crap sitting in outbound queues. The spammers >themselves provide ample quantity there :) >Regards, >Simon I just dicovered that the Netguide magazine has half a page about mailwasher, They seem to be recommending it; "Mailwasher (insert URL here) analyses each email as is arrives and warns you if it is suspected junkmail or a virus. But not only does it let you delete unwanted emails before you download them, it also bounces them back so it looks like your email address is invalid." etc etc etc. They credit a "Christchurch businessman Nick Bolton" with the idea. <insert comments regarding LART'ing with large clue stick here> Cheers, Darrin - To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog

1 0

RE: Mailwasher.
by Gordon Smith 06 May '02

06 May '02

Hi Simon, I had a couple of customers using it, until I informed them that technically they were breaching our AUP (forging headers). I don't care if they want to use it for filtering, but trying to bounce to domains with bogus MX pointers just causes me problems. Once they understood the issue, they were quite happy to just use the filtering functions. Cheers, Gordon - To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog

2 1

Re: FW: Walker Wireless attacking other ISPs?
by Steve Phillips 04 May '02

04 May '02

Sorry, this was supposed to hit the list Friday, but due to posting restrictions it never made it through :-) -- As the owner of this IP block, we were made aware of the issue, we requested that we be given until the end of the working day to obtain a response from the customer involved. We personally appreciate Gordon's restraint in agreeing not to post details on this until such time as the deadline was met or the formal response was obtained. Sadly, we did not manage to get a formal response to Gordon about this issue. The customer in question was null routed at the time, the block was removed pending comment from the customer but if this causes an issue for anyone else in the Internet community then please let us know and the null will be re-instated. Thanks, -- Steve. Systems Admin, ICONZ At 16:15 3/05/2002, Juha Saarinen wrote: >On 3 May 2002, Dean Pemberton wrote: > > > > > I REALLY hope that you made Walker Wireless aware of this before you > > posted it to the whole list. > >That would've spoilt the ensuing flame war though, wouldn't it? > >-- >Juha Saarinen > >- >To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz >where the body of your message reads: >unsubscribe nznog -- Steve Systems Admin, ICONZ - To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog

1 0

FW: Walker Wireless attacking other ISPs?
by Gordon Smith 02 May '02

02 May '02

Hi all, Has anyone else been seeing mail1.walkerwireless.com attempting to break in to their border routers? Picked this up on a routine log audit. Although we actively block and log this sort of activity, others may not be aware of it. Of particular concern is the attempted use of the ILMI exploit, detailed at http://www.kb.cert.org/vuls/id/976280 which has no legitimate reason to be seen. Attacking machine is running Checkpoint FW-1 mail server! Cheers, Gordon Smith CCNA Network Operations Manager MoreNet Ltd. Fingerprint: 4093 91BC 0055 46B9 1B1A EDBA 45AD 2381 7B1D E4BE Log extract (multiple occurrances of this): 04/23/2002 15:38.24 <WARN:SNMP> last message repeated 2 times 04/23/2002 15:38.14 <WARN:SNMP> SNMP request received from 210.54.139.178 with unknown community "ILMI" 04/23/2002 15:38.14 <WARN:SNMP> last message repeated 2 times 04/23/2002 15:38.02 <WARN:SNMP> SNMP request received from 210.54.139.178 with unknown community "DHdW7tr5nP" 04/23/2002 15:38.02 <WARN:SNMP> last message repeated 2 times 04/23/2002 15:37.52 <WARN:SNMP> SNMP request received from 210.54.139.178 with unknown community "P8nD8l1n7" 04/23/2002 15:37.52 <WARN:SNMP> last message repeated 2 times 04/23/2002 15:37.44 <WARN:SNMP> SNMP request received from 210.54.139.178 with unknown community "wd1h2dt2d" 04/23/2002 15:37.44 <WARN:SNMP> last message repeated 2 times 04/23/2002 15:37.34 <WARN:SNMP> SNMP request received from 210.54.139.178 with unknown community "private" 04/23/2002 15:37.34 <WARN:SNMP> last message repeated 2 times 04/23/2002 15:37.24 <WARN:SNMP> SNMP request received from 210.54.139.178 with unknown community "public" 04/23/2002 11:37.42 <WARN:SNMP> last message repeated 2 times 04/23/2002 11:37.32 <WARN:SNMP> SNMP request received from 210.54.139.178 with unknown community "ILMI" 04/23/2002 11:37.32 <WARN:SNMP> last message repeated 2 times 04/23/2002 11:37.18 <WARN:SNMP> SNMP request received from 210.54.139.178 with unknown community "DHdW7tr5nP" 04/23/2002 11:37.18 <WARN:SNMP> last message repeated 2 times 04/23/2002 11:37.10 <WARN:SNMP> SNMP request received from 210.54.139.178 with unknown community "P8nD8l1n7" - To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog

3 2

RE: Walker Wireless attacking other ISPs?
by Richard Watson 02 May '02

02 May '02

We have noticed this and have taken action to stop these SNMP polls from reaching other ISPs. The polling of addresses blocks managed by other ISPs was purely accidental and should not happen again. Walker Wireless is more than willing to investigate incidents like this directly. If anyone has concerns about unusual activity orginating from anywhere in the Walker Wireless network please contact our Network Operations Centre on 0800-WWCARE or myself directly. Thank you, Richard Watson Network Infrastructure Engineer WALKER WIRELESS LIMITED Tel: +64 (9) 522 3674 Fax: +64 (9) 520 3447 Mob: +6427 286 6681 Email: rwatson(a)walkerwireless.com 0800 NO NETLAG Get high speed wireless internet and private network connectivity with Walker Wireless. Visit www.walkerwireless.com for information. The information in this electronic mail and its attachments is legally privileged and confidential. If the reader of this electronic mail and attachments is not the intended recipient, you are hereby notified that any use, dissemination or reproduction of this electronic mail its contents and attachments is prohibited. This email is personal and may not reflect Walker Wireless', Walker Corporation's subsidiaries or affiliated companies' position. -----Original Message----- From: Gordon Smith [mailto:gordons(a)morenet.net.nz] Sent: Friday, 3 May 2002 4:09 p.m. To: Nznog Subject: FW: Walker Wireless attacking other ISPs? Hi all, Has anyone else been seeing mail1.walkerwireless.com attempting to break in to their border routers? Picked this up on a routine log audit. Although we actively block and log this sort of activity, others may not be aware of it. Of particular concern is the attempted use of the ILMI exploit, detailed at http://www.kb.cert.org/vuls/id/976280 which has no legitimate reason to be seen. Attacking machine is running Checkpoint FW-1 mail server! Cheers, Gordon Smith CCNA Network Operations Manager MoreNet Ltd. Fingerprint: 4093 91BC 0055 46B9 1B1A EDBA 45AD 2381 7B1D E4BE Log extract (multiple occurrances of this): 04/23/2002 15:38.24 <WARN:SNMP> last message repeated 2 times 04/23/2002 15:38.14 <WARN:SNMP> SNMP request received from 210.54.139.178 with unknown community "ILMI" 04/23/2002 15:38.14 <WARN:SNMP> last message repeated 2 times 04/23/2002 15:38.02 <WARN:SNMP> SNMP request received from 210.54.139.178 with unknown community "DHdW7tr5nP" 04/23/2002 15:38.02 <WARN:SNMP> last message repeated 2 times 04/23/2002 15:37.52 <WARN:SNMP> SNMP request received from 210.54.139.178 with unknown community "P8nD8l1n7" 04/23/2002 15:37.52 <WARN:SNMP> last message repeated 2 times 04/23/2002 15:37.44 <WARN:SNMP> SNMP request received from 210.54.139.178 with unknown community "wd1h2dt2d" 04/23/2002 15:37.44 <WARN:SNMP> last message repeated 2 times 04/23/2002 15:37.34 <WARN:SNMP> SNMP request received from 210.54.139.178 with unknown community "private" 04/23/2002 15:37.34 <WARN:SNMP> last message repeated 2 times 04/23/2002 15:37.24 <WARN:SNMP> SNMP request received from 210.54.139.178 with unknown community "public" 04/23/2002 11:37.42 <WARN:SNMP> last message repeated 2 times 04/23/2002 11:37.32 <WARN:SNMP> SNMP request received from 210.54.139.178 with unknown community "ILMI" 04/23/2002 11:37.32 <WARN:SNMP> last message repeated 2 times 04/23/2002 11:37.18 <WARN:SNMP> SNMP request received from 210.54.139.178 with unknown community "DHdW7tr5nP" 04/23/2002 11:37.18 <WARN:SNMP> last message repeated 2 times 04/23/2002 11:37.10 <WARN:SNMP> SNMP request received from 210.54.139.178 with unknown community "P8nD8l1n7" - To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog - To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog

2 1

The New Zealand Network Operators' Group
by Donald Neal 30 Apr '02

30 Apr '02

The New Zealand Network Operators' Group The New Zealand Network Operators' Group (NZNOG) has no king, president or formal membership. At present it consists of the subscribers to this mailing list, which anyone is free to join. This posting, or one like it, is sent to all subscribers each month, except those who work for the Ministry for Economic Development. NZNOG 2002 Work is now under way towards a conference and social gathering to be held in Auckland on 11 and 12 July 2002. Abstracts are sought _this week_ from prospective speakers, with the aim that a draft programme will appear not later than 8 May. If you wish to add your name as a possible presenter, please email nznog2002(a)deanpemberton.com without delay. If you wish to act a sponsor and have not already discussed this either with me or the Convenor, please contact me at this email address. My thanks to 2Day Internet Ltd, Cisco and Juniper. Operators' Contact List See http://www.usenet.net.nz/noc/ for operational contact details for most New Zealand ISP's. These are intended for use by other network operators rather than by most customers. Auckland Peering Exchange See http://www.ape.net.nz/ for details of the Auckland Peering Exchange and those connected there. About This Mailing List This list has around 320 subscribers, a number which isn't changing much at present. You may only post to the list from an address subscribed to one of the lists described below. (There's nowadays more spam bounced than non-member postings.) The NZNOG mailing list is provided through a server at The University of Waikato, and is administered by an employee of Telecom NZ Ltd. Neither of these organisations, nor the administrator, is responsible for its content. NZNOG Mailing List Acceptable Use Policy The NZNOG mailing list exists to provide a forum for the exchange of technical information and the discussion of implementation issues that require cooperation among New Zealand network service providers. In order to continue to provide a useful forum for discussion of relevant technical issues, users of the list are asked to respect the following guidelines. 1. Discussion will focus on Internet operational and technical issues. 2. Discussion related to meetings of network service providers is appropriate. 3. Discussion unrelated to these topics is not appropriate. 4. Postings to multiple mailing lists are discouraged. 5. Postings that include foul language, character assassination, and lack of respect for other participants are unacceptable. 6. Blatant product or service marketing is unacceptable. 7. Postings of a political, philosophical or legal nature are discouraged. 8. Postings to the list should be in ASCII or MIME encoded as text/plain. Attachments should not be sent to the list. To present a document, a suitable URL may be referred to. For documents of general interest, the use of proprietary file formats is discouraged. 9. Breaches of list etiquette should be dealt with privately with the offending list user, and should not result in complaints being sent to the list. 10. A person repeatedly breaching list etiquette shall receive warnings from the list administrator. A further breach after the second such warning within thirty days shall result in the offender being unsubscribed from the list. Other action may also be taken to block postings to the list by the offender. Any such unsubscription is to be immediately announced to the list. Mailing List Archives A full archive is available at http://list.waikato.ac.nz/archives/nznog/ Any message sent to the list will be archived and made available on the web automatically. Changes are not made to the archive on request, though the administrator remains happy to assist the Office of the Privacy Commissioner should any complaint be laid with that office. Subscribing to the List To subscribe to the NZNOG list, send email to majordomo(a)list.waikato.ac.nz, where the body of the message reads subscribe nznog Digest Mailing List If you don't wish to receive postings as they are sent, you can instead subscribe to the nznog-digest mailiing list, on which all postings are sent out in a single "digest" every couple of days. Post-only Mailing List An address from which you wish to post, but which will not receive messages from the list, may be subscribed to nznog-postonly. You will presumably want to have another address subscribed to the main nznog list. Donald Neal NZNOG Mailing List Owner/Administrator/Muggins This email message is a public document. I don't speak for Telecom and they don't speak for me. ------------------------------------------------------------------------------ "This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you." ============================================================================== - To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog

1 0

RE: dyndns
by Darrin Cooke 28 Apr '02

28 Apr '02

-----Original Message----- From: Juha Saarinen [mailto:juha(a)saarinen.org] Sent: Monday, 29 April 2002 1:49 p.m. >On Mon, 29 Apr 2002, Jean-Francois Pirus wrote: >> >> Is there any publicly (& free) accessible dyndns server in NZ? >> (Ignoring dyndns.co.nz) >> >> I'd like to use a local one, and was thinking of setting one up, but >> there no point in reinventing the wheel. > http://www.comtek.co.nz/dyndns/ > Not free though. No, not free, but cheap enough to warrant looking at and the support seems to make it definatly worthwhile. - To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog

1 0