Request for participation - Arbor 2010 Worldwide Infrastructure Security Report.
-----
Folks,
We're in the process of collecting feedback for the 2010 Worldwide Infrastructure Security Report (WWISR); this is the Sixth Edition of the report, and we'd really be grateful for your participation! This is the only security-focused survey we're aware of which is specifically oriented towards those who design, build, operate, and defend public-facing network infrastructure/applications/services, and provides the opportunity to share your experiences and perspectives with your peers in the operational community, as well as to benefit from their experiences and perspectives.
The 2010 Infrastructure Security Survey is up and available for your input. You can register to complete the survey via this URL, which will redirect your browser to the survey tool (the survey is accessed via http/s):
http://www.arbornetworks.com/survey/ISR2010
Once again, we've added several insightful questions from past participants. Feedback collection will end as soon as we've reached the desired number of respondents (ideally, 100+).
The results will be published in the 2010 Worldwide Infrastructure Security Report in January of 2011. Also, please note that NO personally- or organizationally-identifiable information will be shared in any manner.
The 2009 edition of the survey is available here (registration required):
http://www.arbornetworks.com/report
Thanks in advance!
-----
-----------------------------------------------------------------------
Roland Dobbins
Hey all,
Anyone have an issue yesterday with mail being categorized as spam due to SORBS listing 127.0.0.1 in their DNS BL DB? Had a few complaints from internal customers that mail was not getting through, and a cursory inspection of the logs shows SORBS reporting this address as an open relay (I'm not sure if this is a common occurrence??).
Would like to hear if anyone else had a similar experience.
Cheers,
Andre
VFNZ
Hi Andre,
Yes, we had a major problem with that on our Barracuda spambox yesterday. We have disabled the SORBS list until we figure out why/if it’s going to happen again. Every now and then we get one or two ranges on the SORBS list, but never half our clients at once (on a large range of ISPs as well).
Brad
From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Andre Van Niekerk
Sent: Friday, 8 October 2010 9:53 a.m.
To: nznog(a)list.waikato.ac.nz
Subject: [nznog] SORBS had loopback listed in dnsbl?
Hey all,
Anyone have an issue yesterday with mail being categorized as spam due to SORBS listing 127.0.0.1 in their DNS BL DB? Had a few complaints from internal customers that mail was not getting through, and a cursory inspection of the logs shows SORBS reporting this address as an open relay (I'm not sure if this is a common occurrence??).
Would like to hear if anyone else had a similar experience.
Cheers,
Andre
VFNZ
Hi Brad, List,
On Thu, 7 Oct 2010 20:56:26 +0000, Brad Pearpoint
Hi Andre,
Yes, we had a major problem with that on our Barracuda spambox yesterday. We have disabled the SORBS list until we figure out why/if it’s going to happen again.
<snip>
Can anyone enlighten me as to how having 127.0.0.1 in SORBS is causing issues? Surely DNSBLs are only checked against the source IP of the connecting machine, and I don't imagine it's worth checking DNSBLs for localhost connections?
I guess I'm probably missing something obvious here...
--
-Michael Fincham
System Administrator, Unleash
www.unleash.co.nz
Phone: 0800 750 250
DDI: 03 978 1223
Mobile: 027 666 4482
Hi Michael,
AFAIK if a domain is listed as "bad" on SORBS it returns a 127.0.0.1 result when queried by the spambox, which causes it to class the mail as bad.
Cheers,
Brad
-----Original Message-----
From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Michael Fincham
Sent: Friday, 8 October 2010 10:05 a.m.
To: nznog(a)list.waikato.ac.nz
Subject: Re: [nznog] SORBS had loopback listed in dnsbl?
Hi Brad, List,
On Thu, 7 Oct 2010 20:56:26 +0000, Brad Pearpoint
Hi Andre,
Yes, we had a major problem with that on our Barracuda spambox yesterday. We have disabled the SORBS list until we figure out why/if it’s going to happen again.
<snip>
Can anyone enlighten me as to how having 127.0.0.1 in SORBS is causing issues? Surely DNSBLs are only checked against the source IP of the connecting machine, and I don't imagine it's worth checking DNSBLs for localhost connections?
I guess I'm probably missing something obvious here...
--
-Michael Fincham
System Administrator, Unleash
www.unleash.co.nz
Phone: 0800 750 250
DDI: 03 978 1223
Mobile: 027 666 4482
Hi Andre,
We have had about 10 customers yesterday that were having this issue and it seems to have cleared itself. We are still unsure why it's done it though. Had just about every IP range around here too.
Regards
Justin Lewis
Gen - I NZ Managed Customer Care - Support Services
________________________________
From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Andre Van Niekerk
Sent: Friday, 8 October 2010 9:53 a.m.
To: nznog(a)list.waikato.ac.nz
Subject: [nznog] SORBS had loopback listed in dnsbl?
Hey all,
Anyone have an issue yesterday with mail being categorized as spam due to SORBS listing 127.0.0.1 in their DNS BL DB? Had a few complaints from internal customers that mail was not getting through, and a cursory inspection of the logs shows SORBS reporting this address as an open relay (I'm not sure if this is a common occurrence??).
Would like to hear if anyone else had a similar experience.
Cheers,
Andre
VFNZ
SORBS had major problems within the past 24 hours, with large areas around
the internet being marked as being Dynamic IPs (including the /10 which we
are a part of).
Apparently it's all cleared up now. As you'd expect of SORBS there hasn't
been any public announcement, but the nearest you can find is at
http://isc.sans.edu/diary.html?storyid=9685#comment
Scott.
On Thu, Oct 7, 2010 at 1:53 PM, Andre Van Niekerk
Hey all,
Anyone have an issue yesterday with mail being categorized as spam due to SORBS listing 127.0.0.1 in their DNS BL DB? Had a few complaints from internal customers that mail was not getting through, and a cursory inspection of the logs shows SORBS reporting this address as an open relay (I'm not sure if this is a common occurrence??).
Would like to hear if anyone else had a similar experience.
Cheers,
Andre VFNZ
On 8/10/2010, at 9:53 AM, Andre Van Niekerk wrote:
Anyone have an issue yesterday with mail being categorized as spam due to SORBS listing 127.0.0.1 in their DNS BL DB? Had a few complaints from internal customers that mail was not getting through, and a cursory inspection of the logs shows SORBS reporting this address as an open relay (I'm not sure if this is a common occurrence??).
127.0.0.1 has been listed in SORBS since 2008, according to their database lookup tool, although I can't seem to verify that with a DNS lookup. I guess it maybe makes some sense since if your frontend MTAs (the ones which should be checking incoming connections against DNSBLs) are getting mail from 127.0.0.1 you might want to know about it?
I use Spamhaus who seem to have more rigorous policies around what leads to IPs being listed.
Also, I'd suggest that if 127.0.0.1 being listed in SORBS can break your mail system, it might be worth tweaking the configuration so that doesn't happen. In particular, connections from localhost probably shouldn't be subjected to a DNSBL lookup.
Jasper
http://isc.incidents.org/diary.html?storyid=9685
-----Original Message-----
From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Jasper Bryant-Greene
Sent: Friday, 8 October 2010 10:24 a.m.
To: Andre Van Niekerk
Cc: nznog(a)list.waikato.ac.nz
Subject: Re: [nznog] SORBS had loopback listed in dnsbl?
On 8/10/2010, at 9:53 AM, Andre Van Niekerk wrote:
Anyone have an issue yesterday with mail being categorized as spam due to SORBS listing 127.0.0.1 in their DNS BL DB? Had a few complaints from internal customers that mail was not getting through, and a cursory inspection of the logs shows SORBS reporting this address as an open relay (I'm not sure if this is a common occurrence??).
127.0.0.1 has been listed in SORBS since 2008, according to their database lookup tool, although I can't seem to verify that with a DNS lookup. I guess it maybe makes some sense since if your frontend MTAs (the ones which should be checking incoming connections against DNSBLs) are getting mail from 127.0.0.1 you might want to know about it?
I use Spamhaus who seem to have more rigorous policies around what leads to IPs being listed.
Also, I'd suggest that if 127.0.0.1 being listed in SORBS can break your mail system, it might be worth tweaking the configuration so that doesn't happen. In particular, connections from localhost probably shouldn't be subjected to a DNSBL lookup.
Jasper
"Problem located (not the 127.0.0.1 issue) and is being resolved. More of an
update when we locate the originating cause, but it appears the migration from
SORBS1 to SORBS2 was to blame for the actual listing problems."
"Problem located. Historical entries were migrated as current (historical is
not identical to 'previously delisted' but the effect is the same.)"
Looks like some tweaking to have a weighting on RBL rather than relying on a
single RBL, but then there may be a trade-off for effectiveness?
Interesting vector for a denial of service though :)
Thanks everyone.
Cheers,
Andre
VFNZ
________________________________
From: Jasper Bryant-Greene
Anyone have an issue yesterday with mail being categorized as spam due to SORBS listing 127.0.0.1 in their DNS BL DB? Had a few complaints from internal customers that mail was not getting through, and a cursory inspection of the logs shows SORBS reporting this address as an open relay (I'm not sure if this is a common occurrence??).
127.0.0.1 has been listed in SORBS since 2008, according to their database lookup tool, although I can't seem to verify that with a DNS lookup. I guess it maybe makes some sense since if your frontend MTAs (the ones which should be checking incoming connections against DNSBLs) are getting mail from 127.0.0.1 you might want to know about it?
I use Spamhaus who seem to have more rigorous policies around what leads to IPs being listed.
Also, I'd suggest that if 127.0.0.1 being listed in SORBS can break your mail system, it might be worth tweaking the configuration so that doesn't happen. In particular, connections from localhost probably shouldn't be subjected to a DNSBL lookup.
Jasper
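Added example, not part of any message in this thread: a sketch of the two mitigations discussed above (no DNSBL lookup for local clients, and a weighted score across several lists instead of rejecting on one), plus the RFC 5782 self-test under which a list that answers for 127.0.0.1 is treated as broken. The zone names, weights, threshold, local ranges and the injected `resolve` function are assumptions made for illustration.

```python
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
# Clients we never look up: loopback and RFC 1918 space (assumed local policy).
LOCAL = [LOOPBACK] + [ipaddress.ip_network(n)
                      for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def dnsbl_qname(ip, zone):
    """Reverse the IPv4 octets and append the zone: 192.0.2.9 -> 9.2.0.192.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def is_listed(resolve, ip, zone):
    """Listed means an A record inside 127.0.0.0/8; an empty answer (NXDOMAIN) means not listed."""
    answers = resolve(dnsbl_qname(ip, zone))
    return any(ipaddress.ip_address(a) in LOOPBACK for a in answers)

def list_is_sane(resolve, zone):
    """RFC 5782 self-test: the list must list 127.0.0.2 and must not list 127.0.0.1."""
    return is_listed(resolve, "127.0.0.2", zone) and not is_listed(resolve, "127.0.0.1", zone)

def score(resolve, client_ip, weights, threshold=5):
    """Return (total, reject). Lists failing the self-test contribute nothing."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in LOCAL):
        return 0, False  # local client: no DNSBL lookup at all
    total = sum(weight for zone, weight in weights.items()
                if list_is_sane(resolve, zone) and is_listed(resolve, client_ip, zone))
    return total, total >= threshold

# Constructed sample data under the reserved .example TLD (hypothetical lists).
FAKE_DNS = {
    "2.0.0.127.bl-a.example": ["127.0.0.2"],    # self-test entries
    "2.0.0.127.bl-b.example": ["127.0.0.2"],
    "7.113.0.203.bl-a.example": ["127.0.0.2"],  # 203.0.113.7 on both lists
    "7.113.0.203.bl-b.example": ["127.0.0.4"],
    "9.2.0.192.bl-a.example": ["127.0.0.2"],    # 192.0.2.9 on one list only
}

def fake_resolve(qname):
    """Stand-in resolver; broken.example answers for every name, 127.0.0.1 included."""
    if qname.endswith(".broken.example"):
        return ["127.0.0.10"]
    return FAKE_DNS.get(qname, [])

WEIGHTS = {"bl-a.example": 3, "bl-b.example": 3, "broken.example": 5}

if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.0.2.9", "198.51.100.20", "203.0.113.7"):
        print(ip, score(fake_resolve, ip, WEIGHTS))
```

In a real mail filter the self-test result would be cached per list rather than repeated for every message.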
It made The Register
http://www.theregister.co.uk/2010/10/07/sorbs_cockup/
On 8/10/2010, at 11:08 AM, Michael Newbery wrote:
It made The Register
Maybe I shouldn't be, but I'm always surprised to see anyone using SORBS. Never struck me as being particularly useful in any capacity.
--
Juha
On Fri, Oct 8, 2010 at 11:11 AM, Juha Saarinen
Maybe I shouldn't be, but I'm always surprised to see anyone using SORBS. Never struck me as being particularly useful in any capacity.
What is it about SORBS that you don't value? Blacklists in general, or specifically the SORBS policies? (And by extension, if it is the policies, is there any provider that you do value?)
-jim
Hi All,
Just a heads-up - had a customer magically re-appear on the sorbs duhl list for no apparent reason. This time, I managed to get into their de-listing tool to remove it. I suspect they still may be having a few issues...
Cheers
Martin
participants (12)
- Andre Van Niekerk
- Brad Pearpoint
- Dobbins, Roland
- Jasper Bryant-Greene
- Jim Cheetham
- Juha Saarinen
- Justin Lewis
- Martin Wilkinson
- Michael Fincham
- Michael Newbery
- Scott Howard
- Steve Brorens