[RFD] UDP proposal: BLUEYONDER.CO.UK (Telewest Communications PLC): A Request for Remedial Action


David Ritz

May 2, 2002, 11:05:27 PM
-----BEGIN PGP SIGNED MESSAGE-----

This message is being sent, bcc, to a few interested parties.

Posted and mailed

Posted to news.admin.net-abuse.policy, news.admin.net-abuse.misc,
news.admin.net-abuse.bulletins, news.admin.net-abuse.usenet,
uk.telecom.broadband.

Please direct follow ups to news.admin.net-abuse.policy. Please see
<http://www.killfile.org/~tskirvin/nana/nanap-charter.html> prior to
posting to this moderated newsgroup.

===========================================================================

This Request For Discussion comes after much consideration and
significant effort on my part and the part of others to avoid this
action. Unfortunately, I feel the options have been exhausted.
As always, it is my hope that the reasons for remedial action may
be adequately addressed, in order to prevent any UDP action.

While lines of communication exist, response is slow.

Over the past forty five (45) days, a daily average of 16,504
articles, out of 20,147 posted to NEWS.PACBELL.NET, have been
tagged as spam, as indicated in the daily Ultra/Spam Hippo Despam
reports.

Since early March, 2002, a daily average of 6,290 articles have
been posted to news-binary.blueyonder.co.uk. While the Spam Hippo
statistics indicate that not one legitimate article has been
received at their monitoring location since that date, I suspect
this is more an indication that they are already dropping all
traffic originating from this site.

==========================================================================
Top 100 Sites identified by Ultra/Spam Hippo Despam
See news.admin.net-abuse.bulletins
Ultra Hippo - Top 100 Spam News Sites <http://www.spamhippo.com/>

Date n/100 Source total spam %spam KBytes
==========================================================================
2002.03.07 7 news-binary.blueyonder.co.uk 2272 2272 100 207987
2002.03.08 5 news-binary.blueyonder.co.uk 3557 3557 100 350007
2002.03.09 37 news-binary.blueyonder.co.uk 331 331 100 624
2002.03.10 36 news-binary.blueyonder.co.uk 305 305 100 779
2002.03.11 85 news-binary.blueyonder.co.uk 125 125 100 10029
2002.03.12 6 news-binary.blueyonder.co.uk 1512 1512 100 8489
2002.03.13 3 news-binary.blueyonder.co.uk 4486 4486 100 27195
2002.03.14 2 news-binary.blueyonder.co.uk 12415 12415 100 87299
2002.03.15 1 news-binary.blueyonder.co.uk 9622 9622 100 205144
2002.03.16 2 news-binary.blueyonder.co.uk 3587 3587 100 369403
2002.03.17 1 news-binary.blueyonder.co.uk 6791 6791 100 673783
2002.03.18 17 news-binary.blueyonder.co.uk 706 706 100 82157
2002.03.19 37 news-binary.blueyonder.co.uk 447 447 100 3679
2002.03.20 22 news-binary.blueyonder.co.uk 262 262 100 1371
2002.03.22 3 news-binary.blueyonder.co.uk 2719 2719 100 39096
2002.03.23 79 news-binary.blueyonder.co.uk 128 128 100 232
2002.03.24 32 news-binary.blueyonder.co.uk 315 315 100 11671
2002.03.25 33 news-binary.blueyonder.co.uk 428 428 100 18096
2002.03.26 10 news-binary.blueyonder.co.uk 1240 1240 100 47980
2002.03.27 2 news-binary.blueyonder.co.uk 7566 7566 100 320723
2002.03.28 3 news-binary.blueyonder.co.uk 10830 10830 100 474784
2002.03.29 1 news-binary.blueyonder.co.uk 13494 13494 100 558705
2002.03.30 2 news-binary.blueyonder.co.uk 7780 7780 100 320348
2002.03.31 83 news-binary.blueyonder.co.uk 113 113 100 5989
2002.04.01 4 news-binary.blueyonder.co.uk 5422 5422 100 426843
2002.04.02 3 news-binary.blueyonder.co.uk 8245 8245 100 251770
2002.04.03 24 news-binary.blueyonder.co.uk 728 728 100 893
2002.04.04 27 news-binary.blueyonder.co.uk 669 669 100 16302
2002.04.05 2 news-binary.blueyonder.co.uk 4918 4918 100 27364
2002.04.06 49 news-binary.blueyonder.co.uk 387 387 100 818
2002.04.07 26 news-binary.blueyonder.co.uk 689 689 100 44406
2002.04.08 38 news-binary.blueyonder.co.uk 438 438 100 28669
2002.04.09 54 news-binary.blueyonder.co.uk 366 366 100 20074
2002.04.10 8 news-binary.blueyonder.co.uk 1703 1703 100 9485
2002.04.12 19 news-binary.blueyonder.co.uk 1333 1333 100 120239
2002.04.13 5 news-binary.blueyonder.co.uk 2891 2891 100 225472
2002.04.15 11 news-binary.blueyonder.co.uk 1495 1495 100 6314
2002.04.16 14 news-binary.blueyonder.co.uk 893 893 100 2887
2002.04.17 4 news-binary.blueyonder.co.uk 1884 1884 100 5898
2002.04.18 3 news-binary.blueyonder.co.uk 5568 5568 100 31634
2002.04.19 8 news-binary.blueyonder.co.uk 1567 1567 100 10647
2002.04.20 2 news-binary.blueyonder.co.uk 36830 36830 100 209532
2002.04.21 1 news-binary.blueyonder.co.uk 32039 32039 100 324999
2002.04.22 11 news-binary.blueyonder.co.uk 2494 2494 100 70458
2002.04.23 28 news-binary.blueyonder.co.uk 847 847 100 3841
2002.04.24 2 news-binary.blueyonder.co.uk 27610 27610 100 41050
2002.04.25 1 news-binary.blueyonder.co.uk 35606 35606 100 65136
2002.04.26 2 news-binary.blueyonder.co.uk 22129 22129 100 111705
2002.04.27 3 news-binary.blueyonder.co.uk 3150 3150 100 16979
2002.04.28 10 news-binary.blueyonder.co.uk 1010 1010 100 5180
2002.04.29 13 news-binary.blueyonder.co.uk 1183 1183 100 8305
2002.04.30 20 news-binary.blueyonder.co.uk 428 428 100 6002
2002.05.01 1 news-binary.blueyonder.co.uk 39800 39800 100 73436
==========================================================================
TOTAL news-binary.blueyonder.co.uk 333353 333353 100 5991908
==========================================================================
AVERAGE 17 news-binary.blueyonder.co.uk 6290 6290 100 113055
==========================================================================

Like the UDP proposed against the Excite@Home network, in January
2000, the primary issues here deal with overall network security
issues and how they are handled.

As with Excite@Home, Telewest Communications' network is riddled
with open proxies. Until 30 March 2002, this problem was
exacerbated by the omission of host information from the headers
of posts coming through news-binary.blueyonder.co.uk. When this
information was added, it at least allowed the proxies to be
identified, analyzed and reported. It was my hope that this would
finally get things under control. Sadly, it has not.

Virtually all Usenet spam originating from blueyonder.co.uk is
coming through proxy=>nntp hijacking.

Telewest Communications must make a concerted effort to identify
and either secure or disable any open proxy within their realm.
While the abuse may or may not be immediately visible, these
proxies are being used in proxy chains for the purpose of IP
masking. Once an abused open proxy has been identified, they must
disable it with all due haste.

Currently, it is taking multiple reports to get these proxies
secured or disabled. A proxy which should be neutralized within
24 hours of its being reported, may remain a threat to the entire
online community for several days to over a week or more. It is
this slow response to ongoing security issues which brings me to
the point, where I feel that remedial action is required.

==========================================================================

All outbound traffic from news-binary.blueyonder.co.uk follows a
single Path, through news-hub.cableinet.net.

See
<http://tfeed.maxwell.syr.edu:8080/proc/peers/GetPeers/news-hub.cableinet.net>

Known incoming feeds (1):

  blueyonder                 34618    5   87112576
                             34618    6   87112576.0

Path stamp: news-hub.cableinet.net

Known outgoing (12):

  news.clara.net             18627    8   42706896
  amsnews01.chello.com        4391    6   12958624
  demon                       3137    5    7439792
  newsfeed.wirehub.nl         2792    5    6842000
  Cidera                      1985    5    5391952
  proxad.net                  1543    5    4985568
  nntp.giganews.com            279   14     729488
  easynet.net                  276    5     912800
  newsfeed.icl.net              23   16      47328
  diablo.theplanet.net          16    5      40144
  newsfeed.speedport.net         5   22       8784
  newsfeeder.randori.com         1   20       1616

Totals: 34618 (incoming)   33075 (outgoing)

==========================================================================
Proposal
==========================================================================

Proposed: a two phase Usenet Death Penalty of BLUEYONDER.CO.UK

1) a full passive UDP; shunning or Path aliasing
"news-binary.blueyonder.co.uk.POSTED".

2) a full active UDP; cancelling all Usenet posts showing
"news-binary.blueyonder.co.uk.POSTED", by Path stamp.

This proposed UDP action is a boycott and will in no way impinge
upon any service for which the users of Telewest Communications
are paying. These users will be able to continue posting and
reading news, just as they are. The only effect would be on
where articles posted to news-binary.blueyonder.co.uk.POSTED
appear, beyond Telewest Communications' borders.

Please see:

"Usenet Death Penalty FAQ"
<http://www.stopspam.org/usenet/faqs/udp.html>

"Spam Glossary" <http://www.rahul.net/falk/glossary.html#udp>

"Net Abuse FAQ"
<http://www.cybernothing.org/faqs/net-abuse-faq.html#3.19>.

Should an UDP be called, the standard five business day notice
will be provided, so that the UDP target can take whatever
necessary action to alleviate the need for moving to the
enforcement stage of the called UDP.

As with any announced UDP action, all resources will be made
available to the target ISP, in an attempt to limit the necessity
for such drastic steps being taken. It is truly unfortunate that
it has come to this action of last resort.

Respectfully submitted, 02 May 2001.

- --
David Ritz <dr...@suespammers.org>
The suespammers.org mail server is located in California; do not
send unsolicited bulk e-mail or unsolicited commercial e-mail to my
suespammers.org address.


Tim Booth

May 3, 2002, 1:14:18 AM

David Ritz wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> This message is being sent, bcc, to a few interested parties.
>
> Posted and mailed
>
>

> Since early March, 2002, a daily average of 6,290 articles have
> been posted to news-binary.blueyonder.co.uk.

[... snip ...]
So long as this is restricted to news-binary.blueyonder.co.uk,
nil objections - the non-binaries.blueyonder.co.uk has some very
interesting people and discussion emanating...

Webko

Jacob Goense

May 3, 2002, 4:49:49 AM
David Ritz wrote:
[snip]

> Top 100 Sites identified by Ultra/Spam Hippo Despam
> See news.admin.net-abuse.bulletins
> Ultra Hippo - Top 100 Spam News Sites <http://www.spamhippo.com/>

The site <http://www.spamhippo.com> seems no longer in use. The top
100 can be found at <http://www.newsadmin.com/cgi-bin/newsspam2>.

--
--- Jacob D. Goense <-> newsm...@kpnqwest.net
--------------------------------------------------------------------->
--- KPNQwest N.V. The Netherlands
--

Dr Ivan D. Reid

May 3, 2002, 8:33:26 AM
On Fri, 3 May 2002 03:05:27 +0000 (UTC), David Ritz <dr...@suespammers.org>
wrote in <dritz-5F8685....@news.supernews.com>:

>
> Telewest Communications must make a concerted effort to identify
> and either secure or disable any open proxy within their realm.
> While the abuse may or may not be immediately visible, these
> proxies are being used in proxy chains for the purpose of IP
> masking. Once an abused open proxy has been identified, they must
> disable it with all due haste.
>
> Currently, it is taking multiple reports to get these proxies
> secured or disabled. A proxy which should be neutralized within
> 24 hours of its being reported, may remain a threat to the entire
> online community for several days to over a week or more. It is
> this slow response to ongoing security issues which brings me to
> the point, where I feel that remedial action is required.

Good luck! Things are probably going to get worse...
http://www.guardian.co.uk/recession/story/0,7369,709186,00.html


--
Ivan Reid, Electronic & Computer Eng., Brunel Uni. Ivan...@brunel.ac.uk
KotPT -- "for stupidity above and beyond the call of duty".

Dave Korn

May 3, 2002, 11:47:08 AM
"David Ritz" <dr...@suespammers.org> wrote in message
news:nanau.dritz-5F86...@news.supernews.com...

> Over the past forty five (45) days, a daily average of 16,504
> articles, out of 20,147 posted to NEWS.PACBELL.NET, have been
> tagged as spam, as indicated in the daily Ultra/Spam Hippo Despam
> reports.

It seems a bit unfair to blame blueyonder for that! <g>

DaveK
--
moderator of
alt.talk.rec.soc.biz.news.comp.humanities.meow.misc.moderated.meow
Burn your ID card! http://www.optional-identity.org.uk/
Help support the campaign, copy this into your .sig!
Proud Member of the Exclusive "I have been plonked by Davee because he
thinks I'm interesting" List Member #<insert number here>
Master of Many Meowing Minions
Holder of the exalted PF Chang's Crab Wonton Award for kook spankage above
and beyond the call of hilarity.

Howard Knight

May 3, 2002, 9:42:22 PM
David Ritz (dr...@suespammers.org) wrote:

> 2) a full active UDP; cancelling all Usenet posts showing
> "news-binary.blueyonder.co.uk.POSTED", by Path stamp.

I say post the notice already... for both Blueyonder and Videotron. I
will help enforce this UDP as best I can.

Howard

IRS Agent

May 4, 2002, 2:13:20 AM
David Ritz wrote:

> Since early March, 2002, a daily average of 6,290 articles have
> been posted to news-binary.blueyonder.co.uk. While the Spam Hippo

Spam Hippo? Please post the criteria used to generate Spam Hippo
statistics. Hint: It isn't BI>20 and multipart binaries are
included.

> statistics indicate that not one legitimate article has been
> received at their monitoring location since that date, I suspect
> this is more an indication that they are already dropping all
> traffic originating from this site.

There isn't a SINGLE report in the entire month of April 2002 to
news.admin.net-abuse.bulletins demonstrating any spam from this
domain. news.admin.net-abuse.sightings only has a handful of
reports of suspected spam, and again, none of these were followed
up with any evidence in news.admin.net-abuse.bulletins.

David Ritz

May 4, 2002, 5:17:08 PM
-----BEGIN PGP SIGNED MESSAGE-----

In article <jfu6duk76s0thd760...@4ax.com>,
IRS Agent <ta...@yourwallet.empty.gov> wrote:

IRS> David Ritz wrote:

>> Since early March, 2002, a daily average of 6,290 articles have
>> been posted to news-binary.blueyonder.co.uk. While the Spam
>> Hippo

IRS> Spam Hippo? Please post the criteria used to generate Spam
IRS> Hippo statistics. Hint: It isn't BI>20 and multipart binaries
IRS> are included.

I regret that Andrew's "Cancelled Spam Statistics" have only been
available on a sporadic basis, lately. Until they are more
consistent, the best long term statistical information, available
publicly, are represented in the Hippo reports.

While I do not take these statistics as gospel, I am very familiar
with the issues which have placed BlueYonder into the Hippo
reports. They are the very same issues which have necessitated
this proposed UDP.

In the meantime, I'll take your input for what it's worth.

>> statistics indicate that not one legitimate article has been
>> received at their monitoring location since that date, I suspect
>> this is more an indication that they are already dropping all
>> traffic originating from this site.

IRS> There isn't a SINGLE report in the entire month of April 2002
IRS> to news.admin.net-abuse.bulletins demonstrating any spam from
IRS> this domain.

I'm sorry, but you and I seem to be reading a different newsgroup
with the same name. The Spam Hippo stats used in the preparation
of the UDP proposal are posted to nana.bulletins.

You, as an individual, may wish to disregard this useful
information. That's your choice.

Your personal choice, as stilted and based on prejudice as it is,
in no way impinges upon the underlying and pressing reasons for
this UDP discussion.

The statistical information provided is neither for my benefit nor
the benefit of Telewest Communications. Understand, I have been
in contact with this provider on a nearly daily basis for over two
months, regarding the underlying security issues which have led to
this UDP proposal.

Until late March, 2002, no NNTP-Posting-Host information was
provided in articles posted to news-binary.blueyonder.co.uk.
Until that time, it was impossible for an outside observer to
identify the proxies being exploited. Now that this obstacle has
been overcome and the proxies can be identified, analyzed and
reported, it is the fact that major security breaches are not
receiving action, even after Telewest has received multiple follow
ups to the initial security alerts, which brings us to the point
where this full UDP procedure seems inevitable.

The Spam Hippo statistical information provided previously, is
there to make it easier for those not so intimately familiar with
the situation to be able to grasp the magnitude of the abuse and
length of time it has transpired, without a reasonable
response to an egregious and ongoing situation.

The following information is taken from Andrew's "Cancelled Spam
Statistics", which also appeared in nana.bulletins. Also note,
"news-binary.blueyonder.co.uk.POSTED" appeared in these reports on
every day for which these statistics were available, in April,
2002.

==========================================================
Cancelled Spam Statistics courtesy of Andrew Gierth
(see news.admin.net-abuse.bulletins)

Date cancels Top Spam Sources by Upstream Site
==========================================================
2002.04.03 5562 news-binary.blueyonder.co.uk.POSTED!
2002.04.04 399 news-binary.blueyonder.co.uk.POSTED!
2002.04.06 3000 news-binary.blueyonder.co.uk.POSTED!
2002.04.07 2648 news-binary.blueyonder.co.uk.POSTED!
2002.04.08 533 news-binary.blueyonder.co.uk.POSTED!
2002.04.12 716 news-binary.blueyonder.co.uk.POSTED!
2002.04.13 3741 news-binary.blueyonder.co.uk.POSTED!
2002.04.14 289 news-binary.blueyonder.co.uk.POSTED!
2002.04.15 1000 news-binary.blueyonder.co.uk.POSTED!
2002.04.16 1155 news-binary.blueyonder.co.uk.POSTED!
2002.04.17 2265 news-binary.blueyonder.co.uk.POSTED!
==========================================================
2002.05.01 36425 news-binary.blueyonder.co.uk.POSTED!
2002.05.02 58729 news-binary.blueyonder.co.uk.POSTED!
2002.05.03 14890 news-binary.blueyonder.co.uk.POSTED!
==========================================================

I'll also direct your attention to the following:

See <news:20020404201134$08...@blackhole.riddles.org.uk>
(<http://howardk.freenix.org/msgid.cgi?ID=102053391100>) and

} From: Andrew Gierth <and...@erlenstar.demon.co.uk>
} Newsgroups: news.admin.net-abuse.bulletins,news.admin.net-abuse.usenet
} Subject: Cancelled Spam Statistics for 27th Mar - 2nd Apr 2002
} Date: Thu, 04 Apr 2002 14:11:34 -0600
} Organization: Cancel Watcher
} Approved: news-admin-bul...@math.psu.edu
} Followup-To: news.admin.net-abuse.usenet
} Message-ID: <20020404201134$08...@blackhole.riddles.org.uk>
}
<...>
} Top Spam Sources by Upstream Site: (total 912562)
} 82164 btnet!
} 51103 news-binary.blueyonder.co.uk.POSTED!
<...>
} Top Spam Sources by Posting-Host: (total 705408)
} 75530 *.in-addr.btopenworld.com
} 27257 *.mc.onolab.com
} 24455 *.blueyonder.co.uk
<...>
} Top Spam Sources by Path Tail: (total 912562)
} 81741 btnet!news.btopenworld.com!*
} 51103 news-binary.blueyonder.co.uk.POSTED!53ab2750!*
<...>

I regret that the following report was not available, at the time
the UDP proposal was drafted. While it didn't appear in the
"month of April 2002", it refers to what transpired within that
time frame.

See <news:20020503050600$ca...@blackhole.riddles.org.uk>
(<http://howardk.freenix.org/msgid.cgi?ID=102044646700>).

} From: Andrew Gierth <and...@erlenstar.demon.co.uk>
} Newsgroups: news.admin.net-abuse.bulletins,news.admin.net-abuse.usenet
} Subject: Cancelled Spam Statistics for 24th - 30th Apr 2002
} Date: Fri, 03 May 2002 00:06:00 -0500
} Organization: Cancel Watcher
} Approved: news-admin-bul...@math.psu.edu
} Followup-To: news.admin.net-abuse.usenet
} Message-ID: <20020503050600$ca...@blackhole.riddles.org.uk>
} Lines: 323
}
<...>
} Top Spam Sources by Upstream Site: (total 1214879)
} 105001 news-binary.blueyonder.co.uk.POSTED!
<...>
} Top Spam Sources by Posting-Host: (total 1020339)
} 185679 210.0.186.*
} 105003 *.blueyonder.co.uk
<...>
} Top Spam Sources by Path Tail: (total 1214879)
} 105000 news-binary.blueyonder.co.uk.POSTED!53ab2750!*
<...>

IRS> news.admin.net-abuse.sightings only has a handful of reports of
IRS> suspected spam, and again, none of these were followed up with
IRS> any evidence in news.admin.net-abuse.bulletins.

I'll point you in the right direction, since you clearly require
some help in this respect:

Look at Richard Leslie's sightings reports, referencing
unseenteens.com and bobbiespage.com. You should be intimately
familiar with the spam-ware used in this ongoing attack on the
network's infrastructure. Also note, Richard's reports have their
follow ups appropriately directed to nana.usenet, for the purpose
of discussion, as per the nana.sightings charter, not
nana.bulletins.

Andrew's "Cancelled Spam Statistics for 03 May 2002" indicate that
307,847 cancelled articles were examined. This is the highest
single day total, since these reports began appearing, on 09
October 1997, surpassing the next highest daily total of 294,844
on 02 February 1998.

Since I have a pretty good idea of what is being cancelled and
why, I can conservatively state that well over half (and probably
over two thirds) of these cancels were issued against spam coming
through open proxies. To say that the situation is clearly out of
control, is a gross understatement.

Until providers begin to institute readily available proactive
measures to curb this abuse, you should expect to see an increase
in the number of UDP proposals which appear here.

As noted previously, this proposed UDP is an action of last
resort.

- --
David Ritz <dr...@suespammers.org>
The suespammers.org mail server is located in California; do not
send unsolicited bulk e-mail or unsolicited commercial e-mail to my
suespammers.org address.

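Added example, not part of any post in this thread: a Python sketch of the Path-stamp test the proposal relies on, together with per-source tallies laid out like the report headings quoted above. The article headers are constructed, and the grouping rules (first host label or last IPv4 octet replaced by `*`, tail = stamp plus the next Path element) are assumptions, not the method used by the quoted reports.

```python
from collections import Counter
from email.parser import HeaderParser
import ipaddress

# Path stamp quoted in the proposal; every article below is constructed.
UDP_STAMP = "news-binary.blueyonder.co.uk.POSTED"
NO_STAMP = "(no .POSTED stamp)"
NO_HOST = "(none)"


def make_article(msgid, path, host=None):
    """Build constructed article headers; host may be absent, as the thread
    says it was for this server until late March 2002."""
    lines = [f"Message-ID: <{msgid}@constructed.invalid>", f"Path: {path}"]
    if host:
        lines.append(f"NNTP-Posting-Host: {host}")
    return "\n".join(lines) + "\n\n"


HUB = "news.example.net!news-hub.cableinet.net!blueyonder!"
SAMPLE_ARTICLES = [
    make_article("a1", HUB + UDP_STAMP + "!53ab2750!not-for-mail",
                 "pc1-constructed.blueyonder.co.uk"),
    make_article("a2", HUB + UDP_STAMP + "!53ab2750!not-for-mail",
                 "pc2-constructed.blueyonder.co.uk"),
    make_article("a3", HUB + UDP_STAMP + "!53ab2750!not-for-mail", "192.0.2.17"),
    # Look-alike element: contains the stamp as a substring only.
    make_article("a4", "news.example.net!mirror-" + UDP_STAMP + "!not-for-mail",
                 "reader.example.org"),
    # No NNTP-Posting-Host header at all.
    make_article("a5", HUB + UDP_STAMP + "!53ab2750!not-for-mail"),
]


def path_elements(path):
    """Split a Path header on '!'; the rightmost element is nearest the poster."""
    return [e.strip() for e in path.split("!") if e.strip()]


def matches_stamp(path, stamp=UDP_STAMP):
    """True only when the stamp is a whole Path element, never a substring."""
    wanted = stamp.lower()
    return any(e.lower() == wanted for e in path_elements(path))


def injection_point(path):
    """Return (upstream, tail) for the rightmost element ending in .POSTED."""
    elems = path_elements(path)
    for i in range(len(elems) - 1, -1, -1):
        if elems[i].upper().endswith(".POSTED"):
            tail = "!".join([elems[i]] + elems[i + 1:i + 2] + ["*"])
            return elems[i] + "!", tail
    return NO_STAMP, NO_STAMP


def host_group(host):
    """Collapse a posting host to a wildcard bucket (assumed grouping rule)."""
    if not host:
        return NO_HOST
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        labels = host.lower().split(".")
        return "*." + ".".join(labels[1:]) if len(labels) > 1 else host.lower()
    if ip.version == 4:
        return host.rsplit(".", 1)[0] + ".*"
    return str(ip)


def report(raw_articles):
    """Flag articles a Path-stamp shun would drop and tally every article."""
    parser = HeaderParser()
    out = {"shun": [], "upstream": Counter(), "tail": Counter(), "host": Counter()}
    for raw in raw_articles:
        hdr = parser.parsestr(raw)
        path = hdr.get("Path", "")
        if matches_stamp(path):
            out["shun"].append(hdr.get("Message-ID", "?"))
        upstream, tail = injection_point(path)
        out["upstream"][upstream] += 1
        out["tail"][tail] += 1
        out["host"][host_group(hdr.get("NNTP-Posting-Host"))] += 1
    return out


if __name__ == "__main__":
    result = report(SAMPLE_ARTICLES)
    print("would be shunned:", ", ".join(result["shun"]))
    for heading in ("upstream", "host", "tail"):
        print(f"Top sources by {heading}:")
        for key, count in result[heading].most_common():
            print(f"  {count:6d} {key}")
```

Matching on whole Path elements keeps the look-alike article `a4` out of the shun list even though its Path contains the stamp as a substring.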

IRS Agent

May 4, 2002, 6:22:10 PM
David Ritz wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> In article <jfu6duk76s0thd760...@4ax.com>,
> IRS Agent <ta...@yourwallet.empty.gov> wrote:
>
> IRS> David Ritz wrote:
>
> >> Since early March, 2002, a daily average of 6,290 articles have
> >> been posted to news-binary.blueyonder.co.uk. While the Spam
> >> Hippo
>
> IRS> Spam Hippo? Please post the criteria used to generate Spam
> IRS> Hippo statistics. Hint: It isn't BI>20 and multipart binaries
> IRS> are included.
>
> I regret that Andrew's "Cancelled Spam Statistics" have only been
> available on a sporadic basis, lately.

Those also are merely one person's opinion. Where's the beef?
Nobody has posted a SINGLE report to news.admin.net-abuse.bulletins
with any evidence of abuse from blueyonder.

I'm not asking just to be a PITA, but rather because I'm an
interested party and I've yet to see any evidence. Sure you can
trot out some spam; you can do that with any provider. Long term
spam sources such as Supernews also never seem to have reports
filed in news.admin.net-abuse.bulletins.

But NOBODY feels blueyonder is enough of a spam source to file
reports in news.admin.net-abuse.bulletins, just like Supernews.

> While I do not take these statistics as gospel

You and I both.

> IRS> There isn't a SINGLE report in the entire month of April 2002
> IRS> to news.admin.net-abuse.bulletins demonstrating any spam from
> IRS> this domain.
>
> I'm sorry, but you and I seem to be reading a different newsgroup
> with the same name. The Spam Hippo stats used in the preparation
> of the UDP proposal are posted to nana.bulletins.

You still refuse to describe the criteria for their preparation.
Newsguy is well known for dumping non-spam posts and culling them
into their statistics.



> The statistical information provided is neither for my benefit nor
> the benefit of Telewest Communications.

Nor is it meaningful in the slightest degree. You can't even
describe what is included or excluded.

> IRS> news.admin.net-abuse.sightings only has a handful of reports of
> IRS> suspected spam, and again, none of these were followed up with
> IRS> any evidence in news.admin.net-abuse.bulletins.
>
> I'll point you in the right direction, since you clearly require
> some help in this respect:
>
> Look at Richard Leslie's sightings reports, referencing
> unseenteens.com and bobbiespage.com.

Richard did post a handful of sightings of suspected spam. See my
previous post where I noted a handful of posts of suspected spam
were shown in .sightings and none were shown in .bulletins.

> Andrew's "Cancelled Spam Statistics for 03 May 2002" indicate that
> 307,847 cancelled articles were examined.

Again, there is no evidence and no postings of evidence to
.sightings. Are you going to ask me to trust Ken Lucke and the
infallibility of his fucked-up bot which constantly misfires?
Puh-leeze. Spare me from such ridiculous scenarios.

> This is the highest
> single day total, since these reports began appearing, on 09
> October 1997, surpassing the next highest daily total of 294,844
> on 02 February 1998.

How well is Ken's bot (mis)firing? I've noticed he is reluctant to
post any examples of his cancels to news.admin.net-abuse.bulletins.
Do you think he is just lazy or he just doesn't want to expose his
rogue cancels? I've observed plenty of examples where the latter
is the case, including my own articles which Lucke cancelled as
"off-topic" in rec.crafts.glass because he didn't like the content.

IOW, any statistics which include rogue canceller Ken Lucke are
suspect. This doesn't even delve into the fact that any statistics
without evidence or even definition (which you are using) are
entirely useless and self-serving.

David Ritz

May 4, 2002, 7:14:15 PM
-----BEGIN PGP SIGNED MESSAGE-----

In article <2lm8dus15dshdorr8...@4ax.com>,
IRS Agent <ta...@yourwallet.empty.gov> wrote:

IRS> Those also are merely one person's opinion. Where's the beef?
IRS> Nobody has posted a SINGLE report to
IRS> news.admin.net-abuse.bulletins with any evidence of abuse from
IRS> blueyonder.

I'm sorry, troll-boy. I have neither the time nor energy for your
stupid games.

PLONK!

- --
David Ritz <dr...@suespammers.org>
The suespammers.org mail server is located in California; do not
send unsolicited bulk e-mail or unsolicited commercial e-mail to my
suespammers.org address.


IRS Agent

May 4, 2002, 7:22:15 PM
David Ritz wrote:

> IRS> Those also are merely one person's opinion. Where's the beef?
> IRS> Nobody has posted a SINGLE report to
> IRS> news.admin.net-abuse.bulletins with any evidence of abuse from
> IRS> blueyonder.
>
> I'm sorry, troll-boy. I have neither the time nor energy for your
> stupid games.
>
> PLONK!

Whatever. You call for UDP's with no evidence and your response to
requests for evidence is to be unresponsive. No surprise. This is
your normal modus operandi.

YAWN!


rfgdxm/Robert F. Golaszewski

May 4, 2002, 10:22:06 PM
"David Ritz" <dr...@suespammers.org> wrote in message news:dritz-
F617DB.161...@news.supernews.com

> -----BEGIN PGP SIGNED MESSAGE-----
>
> In article <jfu6duk76s0thd760...@4ax.com>,
> IRS Agent <ta...@yourwallet.empty.gov> wrote:
>
> IRS> David Ritz wrote:
>
>>> Since early March, 2002, a daily average of 6,290 articles have
>>> been posted to news-binary.blueyonder.co.uk. While the Spam
>>> Hippo
>
> IRS> Spam Hippo? Please post the criteria used to generate Spam
> IRS> Hippo statistics. Hint: It isn't BI>20 and multipart binaries
> IRS> are included.
>
> I regret that Andrew's "Cancelled Spam Statistics" have only been
> available on a sporadic basis, lately. Until they are more
> consistent, the best long term statistical information, available
> publicly, are represented in the Hippo reports.
>
> While I do not take these statistics as gospel, I am very familiar
> with the issues which have placed BlueYonder into the Hippo
> reports. They are the very same issues which have necessitated
> this proposed UDP.
>
> In the meantime, I'll take your input for what it's worth.


I have to agree with IRS here. Your original UDP proposal presented
only data from Spam Hippo. Spam Hippo is GARBAGE. It is using criteria
other than BI > 20. I consider any UDP proposal based on demonstrably
bad data to be so defective that it should be dismissed. As such I also
oppose the UDP at this time. I suspect the truth is that if reliable and
credible data were provided that you could make an argument that could
convince me a UDP is justified. However, I feel you have not provided
adequate proof. I suggest that you make a new proposal with supporting
data from credible sources.
--
ANNOUNCEMENT: URL change for my website.
http://www.dextromethorphan.ws/. My "Beginner's Guide to DXM",
and other DXM related material can be accessed from there.
Added bonus: crude onsite message board. ;)

Andrew Gierth

May 4, 2002, 10:36:56 PM
>>>>> "David" == David Ritz <dr...@suespammers.org> writes:

David> I regret that Andrew's "Cancelled Spam Statistics" have
David> only been available on a sporadic basis, lately.

I have re-posted a number of recent ones that didn't make it out at
the time. The reliability should improve now.

--
Andrew.

"I believe we've been over this before. There isn't need for any sort
of security feature unless some asshole wants to make a nuisance of
himself." Matt (ARPAVAX:glickman) in net.rumor, Dec 1981

David Ritz

May 5, 2002, 3:02:17 AM
-----BEGIN PGP SIGNED MESSAGE-----

In article <87elgrt...@erlenstar.demon.co.uk>,
Andrew Gierth <and...@erlenstar.demon.co.uk> wrote:

AG> I have re-posted a number of recent ones that didn't make it out
AG> at the time. The reliability should improve now.

Thank you for the extra effort, Andrew. This allows me to paint
yet another rather dismal portrait of what appears to be a
worsening trend.

================================================================


Cancelled Spam Statistics courtesy of Andrew Gierth
(see news.admin.net-abuse.bulletins)

Date spam source
================================================================
<no stats>
2002.03.07 3352 news-binary.blueyonder.co.uk.POSTED!
2002.03.08 4477 news-binary.blueyonder.co.uk.POSTED!
2002.03.09 481 news-binary.blueyonder.co.uk.POSTED!
2002.03.11 156 news-binary.blueyonder.co.uk.POSTED!
2002.03.12 1558 news-binary.blueyonder.co.uk.POSTED!
2002.03.13 2201 news-binary.blueyonder.co.uk.POSTED!
2002.03.14 9391 news-binary.blueyonder.co.uk.POSTED!
2002.03.15 5651 news-binary.blueyonder.co.uk.POSTED!
2002.03.16 2941 news-binary.blueyonder.co.uk.POSTED!
2002.03.17 5118 news-binary.blueyonder.co.uk.POSTED!
2002.03.18 1269 news-binary.blueyonder.co.uk.POSTED!
2002.03.19 492 news-binary.blueyonder.co.uk.POSTED!
2002.03.20 2261 news-binary.blueyonder.co.uk.POSTED!
2002.03.21 622 news-binary.blueyonder.co.uk.POSTED!
2002.03.22 2381 news-binary.blueyonder.co.uk.POSTED!
2002.03.25 493 news-binary.blueyonder.co.uk.POSTED!
2002.03.26 1913 news-binary.blueyonder.co.uk.POSTED!
2002.03.27 5802 news-binary.blueyonder.co.uk.POSTED!
2002.03.28 14105 news-binary.blueyonder.co.uk.POSTED!
<no stats>


2002.04.03 5562 news-binary.blueyonder.co.uk.POSTED!
2002.04.04 399 news-binary.blueyonder.co.uk.POSTED!
2002.04.06 3000 news-binary.blueyonder.co.uk.POSTED!
2002.04.07 2648 news-binary.blueyonder.co.uk.POSTED!
2002.04.08 533 news-binary.blueyonder.co.uk.POSTED!
2002.04.12 716 news-binary.blueyonder.co.uk.POSTED!
2002.04.13 3741 news-binary.blueyonder.co.uk.POSTED!
2002.04.14 289 news-binary.blueyonder.co.uk.POSTED!
2002.04.15 1000 news-binary.blueyonder.co.uk.POSTED!
2002.04.16 1155 news-binary.blueyonder.co.uk.POSTED!
2002.04.17 2265 news-binary.blueyonder.co.uk.POSTED!

2002.04.20 30544 news-binary.blueyonder.co.uk.POSTED!
2002.04.21 52440 news-binary.blueyonder.co.uk.POSTED!
2002.04.22 4380 news-binary.blueyonder.co.uk.POSTED!
2002.04.23 742 news-binary.blueyonder.co.uk.POSTED!
2002.04.24 16136 news-binary.blueyonder.co.uk.POSTED!
2002.04.25 50676 news-binary.blueyonder.co.uk.POSTED!
2002.04.26 28951 news-binary.blueyonder.co.uk.POSTED!
2002.04.27 3666 news-binary.blueyonder.co.uk.POSTED!
2002.04.28 3673 news-binary.blueyonder.co.uk.POSTED!
2002.04.29 1599 news-binary.blueyonder.co.uk.POSTED!


2002.05.01 36425 news-binary.blueyonder.co.uk.POSTED!
2002.05.02 58729 news-binary.blueyonder.co.uk.POSTED!
2002.05.03 14890 news-binary.blueyonder.co.uk.POSTED!

================================================================
Total 388823 news-binary.blueyonder.co.uk.POSTED!
================================================================
Average 9042 news-binary.blueyonder.co.uk.POSTED!
================================================================

I have received email responses from five of BlueYonder's upstream
news peers, stating their support of this Usenet Death Penalty, as
originally proposed. One such message was posted here. See
<news:Pine.WNT.4.44.020...@bigben.wirehub.net>
(<http://howardk.freenix.org/msgid.cgi?ID=102049809300>). At
least one peer is already dropping all traffic with the indicated
Path stamp.

These peers do not have to rely on any statistical information I
organized and provided, either in the original UDP proposal or as
presented here. They're seeing the abuse traffic directly
associated with long standing and too long ignored security issues
at Telewest Communications.

As for Telewest Communications, 20,474 byte-for-byte identical
javascript traps pointing to bobbiespage.com, were spammed
through one of two *.blueyonder.co.uk proxies hijacked by this
operation on 04 May 2002 CDT (-0500). The most frustrating part
of this is, I sent an initial security report and analysis
regarding this specific proxy, on 18 Apr 2002 15:54:02 -0500.
This report received two additional follow ups, dated 24 Apr 2002
11:31:16 -0500 and 02 May 2002 13:21:57 -0500. See
<http://dsrs.nntp.sol.net/reports/custom.20021804203719.html>,
<http://dsrs.nntp.sol.net/reports/custom.20021804203836.html>,
<http://dsrs.nntp.sol.net/reports/custom.20022404161846.html> and
<http://dsrs.nntp.sol.net/reports/custom.20020505061010.html>.

This proposed UDP is an action of last resort.

- --
David Ritz <dr...@suespammers.org>
The suespammers.org mail server is located in California; do not
send unsolicited bulk e-mail or unsolicited commercial e-mail to my
suespammers.org address.


Kathy I. Morgan

May 5, 2002, 3:28:10 PM
rfgdxm/Robert F. Golaszewski <rfg...@mochamailKILLSPAMMERS.com> wrote:

> I have to agree with IRS here. Your original UDP proposal presented
> only data from Spam Hippo. Spam Hippo is GARBAGE. It is using criteria
> other than BI > 20.

So? Spam is still spam, even when BI<20 - it just isn't _cancellable_
spam. While it's true NewsGuy drops some articles which aren't spam and
therefore SpamHippo reports may not be an accurate gauge of actual spam,
they are a good indicator of where the greatest amount of spam is coming
from.

--
Kathy
visit news:news.groups.reviews to read reviews of other newsgroups
help for new users of newsgroups at <http://www.aptalaska.net/~kmorgan/>
Good Net Keeping Seal of Approval at <http://www.gnksa.org/>

Bob Cox

May 6, 2002, 4:02:32 AM
On Fri, 3 May 2002 03:05:27 +0000 (UTC), in article
<dritz-5F8685....@news.supernews.com>, David Ritz
<dr...@suespammers.org> wrote:

> As with any announced UDP action, all resources will be made
> available to the target ISP, in an attempt to limit the necessity
> for such drastic steps being taken. It is truly unfortunate that
> it has come to this action of last resort.

Looks as though BY are at last trying to do something about this. I have
been seeing about 20 scans/day from scanner.abuse.blueyonder.co.uk on port
119 over the last few days.

Bob (non-binary-using BY customer)

--
Bob Cox. Stoke Gifford, near Bristol, UK.
http://pippin.co.uk/
The Reply-To address is valid.

David Ritz

May 6, 2002, 5:20:14 PM
-----BEGIN PGP SIGNED MESSAGE-----

In article <t8d5ba...@gaia.bobcox.net>, Bob Cox <ne...@bobcox.org>
wrote:

BC> On Fri, 3 May 2002 03:05:27 +0000 (UTC), in article
BC> <dritz-5F8685....@news.supernews.com>, David Ritz
BC> <dr...@suespammers.org> wrote:

>> As with any announced UDP action, all resources will be made
>> available to the target ISP, in an attempt to limit the necessity
>> for such drastic steps being taken. It is truly unfortunate that
>> it has come to this action of last resort.

BC> Looks as though BY are at last trying to do something about
BC> this. I have been seeing about 20 scans/day from
BC> scanner.abuse.blueyonder.co.uk on port 119 over the last few
BC> days.

Bob,

Thanks for the update. This is good news, indeed.

I have received word from Telewest Communications that they have
begun such scanning of their net-space. Unfortunately, they may
have missed something in the details.

While some percentage of the promiscuous proxies operating in BY
net-blocks will respond at port 119, not one I've encountered and
reported to them, to date, has been exploitable at this port.

By far, the most frequently open and exploitable proxies I've
reported over the past several months have been socks proxies -
port 1080.

The case holds true for BY, where I was telling them that specific
Usenet spam was coming through open socks proxies, long before the
originating IP addresses began appearing in their headers. On 30
Mar 2002 10:30:16 -0600, as part of the series of exchanges, which
led directly to the inclusion of Posting-Host information in the
headers of posts coming through news-binary.blueyonder.co.uk, I
wrote:

I will also strongly suggest that you initiate router blocking
all port 1080 traffic at your borders, largely because of the
popularity of AnalogX, which uses the SOCKS 4 protocol
exclusively. SOCKS is primarily an intranet protocol. AnalogX
defaults to wide open at the SOCKS port, and, as you'll see, many
others. SOCKS 4 uses no authentication beyond an allowable IP
access list. Normally, this would be limited to internal IP
addresses on a LAN. Most AnalogX lusers seem to be far too
clue-free to get their proxies securely configured.

For now, I'd like to concentrate on the most commonly and frequently
hijacked proxy ports. Besides the socks proxies, which use port
1080, other common non-nntp proxy exploits use ports 80, 3128 and
8080.

Other recommendations include posting rate limiting, spam
filtering, encoded HTML filtering (which is available with some
spam filtering systems), setting up a proxy checker for all new
connections to news.blueyonder.co.uk, and the use of AUTHINFO
authentication on their nntp servers.

I'd like BY to establish protocols for expediting proxy hijacking
incidents. A week or more is far too long for an identified,
reported, heavily abused open proxy to receive attention. This
is as true for smtp relay, as for nntp incursions.

The following was provided by Wirehub.nl, which began dropping all
traffic showing news-binary.blueyonder.co.uk.POSTED, on the day
they received this RFD. BlueYonder received a copy of this
information in the message, dated 5 May 2002 19:47:38 +0200 (DST).
It refers specifically to email spam, being relayed through BY
open proxies.

May 4 20:02:57 mrouter1 sm-mta[85790]: g44I2ssA085790:
ruleset=check_rcpt, arg1=<xxx>,
relay=pc-62-31-54-172-hf.blueyonder.co.uk [62.31.54.172], reject=571
5.7.1 ACCESS DENIED to <sender...@aol.com> thru OPEN PROXY
SERVER pc-62-31-54-172-hf.blueyonder.co.uk
(http://www.monkeys.com/anti-spam/filtering/proxies.html)

May 4 20:52:10 ns-rt sm-mta[88396]: g44Iq6bw088396:
ruleset=check_rcpt, arg1=<xxx>,
relay=pc-62-31-33-16-hy.blueyonder.co.uk [62.31.33.16], reject=571
5.7.1 ACCESS DENIED to <raja_intan...@yahoo.com> thru OPEN
PROXY SERVER pc-62-31-33-16-hy.blueyonder.co.uk
(http://www.monkeys.com/anti-spam/filtering/proxies.html)

May 5 18:50:18 ns-rt sm-mta[39418]: g45GoHbw039418:
ruleset=check_rcpt, arg1=<xxx>,
relay=pc-62-30-160-85-hw.blueyonder.co.uk [62.30.160.85],
reject=571 5.7.1 ACCESS DENIED to <beginne...@linux.org> thru
OPEN PROXY SERVER pc-62-30-160-85-hw.blueyonder.co.uk
(http://www.monkeys.com/anti-spam/filtering/proxies.html)

All of these proxies are still wide open. All allow HTTP CONNECT
exploits at various common ports. As it happens, none are socks
proxies.

I am available to BY, to assist them in any way I can. If I
cannot provide them with answers myself, I can usually find
someone who can.

- --
David Ritz <dr...@suespammers.org>
The suespammers.org mail server is located in California; do not
send unsolicited bulk e-mail or unsolicited commercial e-mail to my
suespammers.org address.

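The sendmail rejects quoted in the post above can be tallied per relay to back an abuse report. The following is an added example, not part of the original post or of any poster's tooling; the sample log is constructed in the same format with documentation hosts and addresses, and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the rejects quoted above; hosts and
# addresses are documentation values, not real relays.
SAMPLE_LOG = """\
May  4 20:02:57 mrouter1 sm-mta[85790]: g44I2ssA085790: ruleset=check_rcpt, arg1=<a@example.org>, relay=pc-192-0-2-10-hf.example.net [192.0.2.10], reject=571 5.7.1 ACCESS DENIED to <x@example.com> thru OPEN PROXY SERVER pc-192-0-2-10-hf.example.net
May  4 20:52:10 ns-rt sm-mta[88396]: g44Iq6bw088396: ruleset=check_rcpt, arg1=<b@example.org>, relay=pc-192-0-2-77-hy.example.net [192.0.2.77], reject=571 5.7.1 ACCESS DENIED to <y@example.com> thru OPEN PROXY SERVER pc-192-0-2-77-hy.example.net
May  5 18:50:18 ns-rt sm-mta[39418]: g45GoHbw039418: ruleset=check_rcpt, arg1=<c@example.org>, relay=pc-192-0-2-10-hf.example.net [192.0.2.10], reject=571 5.7.1 ACCESS DENIED to <z@example.com> thru OPEN PROXY SERVER pc-192-0-2-10-hf.example.net
May  5 19:01:44 ns-rt sm-mta[39500]: g45H1hbw039500: from=<d@example.org>, size=1204, nrcpts=1, relay=mail.example.org [198.51.100.5]
May  5 19:03:02 ns-rt sm-mta[39512]: g45H31bw039512: ruleset=check_rcpt, arg1=<e@example.org>, relay=[198.51.100.9], reject=550 5.7.1 Relaying denied
"""

# A syslog entry starts with "Mon DD HH:MM:SS "; anything else is a wrapped
# continuation of the previous entry.
SYSLOG_START = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s")

REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(?P<mta>\S+)\s"
    r"\S+\[\d+\]:\s(?P<qid>\w+):\sruleset=check_rcpt,.*?"
    r"relay=(?:(?P<host>[^\s\[]+)\s)?\[(?P<ip>[\d.]+)\],\s"
    r"reject=(?P<code>\d{3})\s(?P<dsn>\d\.\d+\.\d+)\s(?P<text>.*)$"
)


def unfold(text):
    """Rejoin entries that a mail or news client wrapped across lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if SYSLOG_START.match(line) or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    return entries


def summarize(log_text):
    """Map relay IP -> hit count, first/last timestamp and reporting MTAs.

    Only check_rcpt rejects whose text names an open proxy are counted;
    ordinary "Relaying denied" rejects and accepted mail are ignored.
    """
    relays = {}
    for entry in unfold(log_text):
        m = REJECT_RE.match(entry)
        if not m or "OPEN PROXY" not in m["text"]:
            continue
        ts = " ".join(m["ts"].split())  # collapse syslog day padding
        rec = relays.setdefault(m["ip"], {
            "host": m["host"], "count": 0,
            "first": ts, "last": ts, "seen_by": set(),
        })
        rec["count"] += 1
        rec["last"] = ts
        rec["seen_by"].add(m["mta"])
    return relays


def report(relays):
    """One line per relay, most rejected first, ready to paste into a report."""
    rows = sorted(relays.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    return [
        "%-15s %-30s rejects=%d first=%s last=%s via=%s" % (
            ip, r["host"] or "-", r["count"], r["first"], r["last"],
            ",".join(sorted(r["seen_by"])))
        for ip, r in rows
    ]


if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```

Entries wrapped in the middle of a token, as happens to one hostname in the quoted log, cannot be rejoined reliably and are better taken from the original log file.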

rfgdxm/Robert F. Golaszewski

May 6, 2002, 7:30:06 PM
Kathy I. Morgan wrote:
> rfgdxm/Robert F. Golaszewski <rfg...@mochamailKILLSPAMMERS.com> wrote:
>
>> I have to agree with IRS here. Your original UDP proposal
>> presented only data from Spam Hippo. Spam Hippo is GARBAGE. It is
>> using criteria other than BI > 20.
>
> So? Spam is still spam, even when BI<20 - it just isn't _cancellable_
> spam. While it's true NewsGuy drops some articles which aren't spam
> and therefore SpamHippo reports may not be an accurate gauge of
> actual spam, they are a good indicator of where the greatest amount
> of spam is coming from.


Around here, BI<20 is all that counts. I leave that to Newsguy, where
I'd never post from.

Ronald F. Guilmette

May 7, 2002, 7:01:47 PM
Additional blueyonder.co.uk (ASN 5462) open proxies, just re-verified:


(Note: "s4" == SOCKS4, "s5" == SOCKS5, "hc" == HTTP CONNECT.)

Please submit open proxies to <pro...@monkeys.com>. Submissions should
be in the form:

ip:port
ip:port
ip:port
...

Please DO NOT submit spam with proxy submissions.


P.S. If anyone would like to begin issuing automated USENET spam cancels
for news articles posted with an NNTP-Posting-Host that is listed on the
Monkeys.Com open proxies list (now covering over 13,000 proxies worldwide)
please contact me and I'll be happy to coordinate with you.

Jeffery J. Leader

May 8, 2002, 12:45:56 AM
On Sat, 4 May 2002 23:14:15 +0000 (UTC), David Ritz
<dr...@suespammers.org> wrote:
>I have neither the time nor energy for your
> stupid games.

You have as usual presented a great deal of evidence in a
well-organized manner. You're obviously investing a lot of time trying
to make things better. I certainly don't see any need for you to
respond to a lengthy, continuing diatribe against Ken Lucke.

David Ritz

May 8, 2002, 1:47:02 AM
-----BEGIN PGP SIGNED MESSAGE-----

In article <aacf586.02050...@posting.google.com>,
Ronald F. Guilmette <r...@monkeys.com> wrote:

rfg> Additional blueyonder.co.uk (ASN 5462) open proxies, just
rfg> re-verified:

Thanks, Ron,

Only two of the listed proxies appear in my Usenet notes, from the
last month or so. That these proxies have been reported,
sometimes repeatedly, and are still open, is indicative of the
reasons that this UDP discussion was requested.

==========================================================================

rfg> 62.31.38.118:1080:s4
rfg> 62.31.38.118:1080:s5
rfg> 62.31.38.118:6588:hc

Reported:

} Date: Sun, 28 Apr 2002 23:17:45 -0500
} To: ab...@blueyonder.co.uk
} From: David Ritz <dr...@suespammers.org>
} Subject: [security] hijacking of news.blueyonder.co.uk via open
} AnalogX proxy at pc-62-31-38-118-hy.blueyonder.co.uk [62.31.38.118]
} Cc: abuse...@blueyonder.co.uk, iha...@blueyonder.co.uk

Included DSRS static report:
<http://dsrs.nntp.sol.net/reports/custom.20022904041320.html>

Follow up report sent:

} Date: Thu, 2 May 2002 13:17:19 -0500
} To: ab...@blueyonder.co.uk
} From: David Ritz <dr...@suespammers.org>
} Subject: Re: [security] hijacking of news.blueyonder.co.uk via open
} AnalogX proxy at pc-62-31-38-118-hy.blueyonder.co.uk [62.31.38.118]
} Cc: abuse...@blueyonder.co.uk, iha...@blueyonder.co.uk

Search: exact NNTP-Posting-Host: for "62.31.38.118" from 2002/04/26
00:00:00 CDT to 2002/05/07 22:52:49 CDT
<...>
27800: 3555 1.0000 62.31.38.118
TOTALS ------- -------
27800: 155189482 27965.0540

* The second number in each line is the number of bytes for the
article. The third is the Breidbart Index, defined as the square
root of the number of groups posted to.

==========================================================================

rfg> 62.31.151.215:6588:hc

Reported:

} Date: Fri, 26 Apr 2002 11:39:31 -0500
} To: ab...@blueyonder.co.uk
} From: David Ritz <dr...@suespammers.org>
} Subject: [security] hijacking of news.blueyonder.co.uk via open
} AnalogX proxy at pc-62-31-151-215-fn.blueyonder.co.uk
} [62.31.151.215]
} Cc: abuse...@blueyonder.co.uk

Included DSRS static report:
<http://dsrs.nntp.sol.net/reports/custom.20022604163327.html>

Search: exact NNTP-Posting-Host: for "62.31.151.215" from 2002/04/26
00:00:00 to 2002/04/26 23:59:59 CDT
<...>
447: 74190 1.7321 62.31.151.215
TOTALS ------- -------
447: 32221326 530.4538

* The second number in each line is the number of bytes for the
article. The third is the Breidbart Index, defined as the square
root of the number of groups posted to.

==========================================================================

A third proxy, at 62.31.5.52, is still open, as of Wed, 08 May
2002 00:26:57 CDT, just under three weeks after I sent an initial
security alert. As of Tue, 7 May 2002 17:32:00 +0100, I was told,
"62.31.5.52 should be being shutdown or educated as we speak." I
guess someone missed some detail along the way.

Reported:

} Date: Thu, 18 Apr 2002 15:54:02 -0500
} To: ab...@blueyonder.co.uk
} From: David Ritz <dr...@suespammers.org>
} Subject: [security] hijacking of news.blueyonder.co.uk via open
} AnalogX proxy at [62.31.5.52]
} Cc: iha...@blueyonder.co.uk

Included DSRS static reports:
<http://dsrs.nntp.sol.net/reports/custom.20021804203719.html>
<http://dsrs.nntp.sol.net/reports/custom.20021804203836.html>

Follow up report sent:

} Date: Wed, 24 Apr 2002 11:31:16 -0500
} To: ab...@blueyonder.co.uk
} From: David Ritz <dr...@suespammers.org>
} Subject: Re: [security] hijacking of news.blueyonder.co.uk via open
} AnalogX proxy at pc-62-31-5-52-bf.blueyonder.co.uk [62.31.5.52]
} Cc: iha...@blueyonder.co.uk

Included DSRS static report:
<http://dsrs.nntp.sol.net/reports/custom.20022404161846.html>

Additional follow up reports sent:

} Date: Thu, 2 May 2002 13:21:57 -0500
} To: ab...@blueyonder.co.uk
} From: David Ritz <dr...@suespammers.org>
} Subject: Re: [security] hijacking of news.blueyonder.co.uk via open
} AnalogX proxy at pc-62-31-5-52-bf.blueyonder.co.uk [62.31.5.52]
} Cc: iha...@blueyonder.co.uk, abuse...@blueyonder.co.uk

} Date: Tue, 7 May 2002 02:09:42 -0500
} To: ab...@blueyonder.co.uk, abuse...@blueyonder.co.uk
} From: David Ritz <dr...@suespammers.org>
} Subject: Re: [security] hijacking of news.blueyonder.co.uk via open
} AnalogX proxy at pc-62-31-5-52-bf.blueyonder.co.uk [62.31.5.52]
} Cc: iha...@blueyonder.co.uk

Please note, the following only shows spam received at the DSRS
monitoring site, since 26 April 2002 -0500, which originated
through this proxy. A full eight days worth of data is therefore
omitted.

Search: exact NNTP-Posting-Host: for "62.31.5.52" from 2002/04/26
00:00:00 CDT to 2002/05/07 23:29:41 CDT

1: 100353 1.0000 Mel...@ypokn.edu.ua 62.31.5.52
alt.hillary-c.newt-g QVYQB GENVAVAT GRRA Tue, 7 May 2002 07:0
<...>
126485 1142 1.0000 62.31.5.52
TOTALS ------- -------
126485: 308293461 126749.2685

* The second number in each line is the number of bytes for the
article. The third is the Breidbart Index, defined as the square
root of the number of groups posted to.

==========================================================================

The problems at BlueYonder are not just the number of proxies open
on their network, it is that they stay open, even when acting as
conduits for attacks on the network's infrastructure. That they
are reported promptly and repeatedly, seems to have little or no
effect in getting them secured or disabled.

Of those proxies being addressed here, I have been waiting to see
the proxy used for the heaviest abuse on Usenet locked down, since
18 Apr 2002. It is this inaction, with respect to this specific
proxy, which led directly to this RFD. That it remains open is
more than slightly ironic, as Telewest is paying lip service to
understanding and reacting to this proposed UDP in private
correspondence.

As with the proxies used in the hijacking of
news-binary.blueyonder.co.uk, those used in various email relay
exploits for UBE need to be given top priority BY. I'd like to
see these fifteen (15) previously exploited open proxies secured
or disabled, before the end of business in the UK, on Wednesday,
08 May 2002.

62.31.5.52:1080:s4


The failure of BY (Telewest) to address these issues led to this
UDP discussion. Their continued failure to address them, at this
late date, is leading to a formal UDP announcement.

I dearly wish this were not the case.

- --
David Ritz <dr...@suespammers.org>
The suespammers.org mail server is located in California; do not
send unsolicited bulk e-mail or unsolicited commercial e-mail to my
suespammers.org address.


Ronald F. Guilmette

May 8, 2002, 4:07:41 PM
David Ritz <dr...@suespammers.org> wrote in message news:<dritz-2B387D.0046210
805...@news.supernews.com>...

> -----BEGIN PGP SIGNED MESSAGE-----
>
> In article <aacf586.02050...@posting.google.com>,
> Ronald F. Guilmette <r...@monkeys.com> wrote:
>
> rfg> Additional blueyonder.co.uk (ASN 5462) open proxies, just
> rfg> re-verified:
>
> Thanks, Ron

Don't thank me. Just see if you can find somebody clued who also has
the authority and the inclination to kill those proxies.

Oh yea, and while we are on the subject, if you want to go around
UDPing networks for open proxies, start with PacBell. They got like
way more than blueyonder.

In fact my guess is that I probably could name for you several dozen
networks that have way more open proxies than Blueyonder. (I have in
excess of 13,000 open proxies on my list, at present.)

In my opinion, the problem isn't so much that this network or that
network has open proxies. It is that open proxies are tolerated at
all, anywhere on the Internet. To say that these things are a HUGE
security risk would be an understatement.

Why isn't EVERYBODY using my proxies.relays.monkeys.com zone to block
incoming e-mail from these travesties?

Why isn't anybody issuing automated USENET news cancels for any and
all postings that originate on any of the open proxies that I have
already cataloged?

Why hasn't anybody created a BGP blackhole feed based on my data, so
that lots and lots of Internet sites could totally disconnect from
these massively insecure open proxy servers?


Want to solve the USENET news spam problem?

Want to solve the e-mail spam problem?

Want to stop banned IRC users from sneaking back on?

Want to eliminate ``anonymous'' hacking on the net?

Forget it. You can't do any of these things until we get rid of ALL
of the open proxies.

Other than viruses and worms, this open proxies problem is THE most
serious security problem facing the net, and sometimes I think that
I'm the only one who even gives a damn about it.

I tell you, honestly, I spend a good deal of my time thinking about
how much I would like to smack a whole lot of network operators upside
the head with a two-by-four. (The little guy with one little server
out on the end of a DSL line can't be expected to solve this problem
because by and large, he doesn't even know that there IS a problem.
The network operators have to get involved, and they have to start
scanning their own networks. I wish they would get off their
collective duffs and start doing it.)
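The two header checks discussed in the thread, matching NNTP-Posting-Host against a list of known open proxies and matching a Path entry against a dropped stamp, can be combined in one article classifier. This is an added example, not code from any poster; the submissions and articles are constructed, the function names are hypothetical, and `dnsbl_name` only builds the conventional reversed-octet query name without sending any DNS query.

```python
import ipaddress
from email.parser import HeaderParser

# Constructed submissions in the ip:port[:type] form used in the thread
# (documentation addresses; the last three lines are deliberately malformed).
SUBMISSIONS = """\
192.0.2.10:1080:s4
192.0.2.10:1080:s5
192.0.2.77:3128:hc
198.51.100.300:8080:hc
203.0.113.5:99999:s4
not-an-entry
"""

PROXY_TYPES = {"s4": "SOCKS4", "s5": "SOCKS5", "hc": "HTTP CONNECT"}
DROPPED_STAMPS = {"news-binary.blueyonder.co.uk.POSTED"}  # stamp named in the thread

# Constructed articles: folded Path plus listed host, listed host only, neither.
ARTICLES = {
    "hijacked": "Path: news.example.org!feeder.example.net!\n"
                " news-binary.blueyonder.co.uk.POSTED!not-for-mail\n"
                "Newsgroups: alt.test\nNNTP-Posting-Host: 192.0.2.10\n\nbody\n",
    "other-server": "Path: news.example.org!news.example.net.POSTED!not-for-mail\n"
                    "Newsgroups: alt.test\nNNTP-Posting-Host: 192.0.2.77\n\nbody\n",
    "clean": "Path: news.example.org!"
             "not-news-binary.blueyonder.co.uk.POSTED.example!not-for-mail\n"
             "Newsgroups: alt.test\nNNTP-Posting-Host: 198.51.100.20\n\nbody\n",
}


def parse_submissions(text):
    """Return ({ip: {(port, type)}}, [rejected lines]); bad input is never listed."""
    proxies, rejected = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":")
        try:
            if len(parts) not in (2, 3):
                raise ValueError("expected ip:port or ip:port:type")
            ip = str(ipaddress.IPv4Address(parts[0]))
            port = int(parts[1])
            kind = parts[2] if len(parts) == 3 else None
            if not 0 < port < 65536:
                raise ValueError("port out of range")
            if kind is not None and kind not in PROXY_TYPES:
                raise ValueError("unknown proxy type")
        except ValueError:
            rejected.append(line)
            continue
        proxies.setdefault(ip, set()).add((port, kind))
    return proxies, rejected


def dnsbl_name(ip, zone):
    """Query name for an IPv4 DNSBL lookup: octets reversed, zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify(article, proxies, dropped_stamps):
    """Return the reasons an article matches; an empty list means no match."""
    headers = HeaderParser().parsestr(article)
    # Path entries are "!"-separated; compare whole entries, never substrings,
    # and strip the whitespace left behind by header folding.
    path = {e.strip().lower() for e in (headers.get("Path") or "").split("!")}
    reasons = ["path:" + s for s in sorted(dropped_stamps) if s.lower() in path]
    host = (headers.get("NNTP-Posting-Host") or "").strip()
    try:
        host = str(ipaddress.IPv4Address(host))
    except ValueError:
        host = ""  # hostname or missing header: not comparable to an IP list
    if host in proxies:
        kinds = sorted(PROXY_TYPES.get(k, "unspecified") for _, k in proxies[host])
        reasons.append("proxy:%s (%s)" % (host, ", ".join(kinds)))
    return reasons


if __name__ == "__main__":
    listed, bad = parse_submissions(SUBMISSIONS)
    print("rejected submissions:", bad)
    for name, text in ARTICLES.items():
        print(name, classify(text, listed, DROPPED_STAMPS))
```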

David Ritz

May 9, 2002, 1:57:39 AM
-----BEGIN PGP SIGNED MESSAGE-----

This message is being sent, bcc, to a few interested parties.

Posted and mailed.

Posted to news.admin.net-abuse.policy, news.admin.net-abuse.misc,
news.admin.net-abuse.bulletins, news.admin.net-abuse.usenet,
uk.net, uk.telecom.broadband.

Please direct follow ups to news.admin.net-abuse.policy. Please see
<http://www.killfile.org/~tskirvin/nana/nanap-charter.html> prior to
posting to this moderated newsgroup.

========================================================================

Over the past few months, Telewest Communications PLC has been the
source of vast quantities of Usenet spam. Despite countless
complaints, reports, and follow ups, Telewest Communications PLC
seems unwilling to take the necessary active and proactive steps
to curb this ongoing abuse. By May, 2002, the situation reached
and maintained unconscionable levels of abuse.

The underlying issue facing Telewest Communications PLC is one
which many broadband and business providers are currently facing:
the hijacking of their equipment via open proxies operating within
their net-space.

When proxies do get hijacked, some providers have worked in a
fairly conscientious fashion, to contact their users and help them
secure or disable these open proxies. When the customer cannot be
contacted, the proxy is taken down. (I've watched packets stop
being returned, within fifteen (15) minutes of alerting them to
the security breach.)

Other providers don't seem to recognize or respond to these
ongoing attacks on the network's infrastructure, even following
repeated reports and follow up messages.

That is most certainly the case with Telewest Communications PLC.
Almost nothing seems to get through to them. Heavily and openly
abused proxies may get some attention, but it can take three or
more weeks. These proxies, which should be disabled as a highest
priority, continue to provide access to news.blueyonder.co.uk, as
well as for a wide variety of attacks on the whole network's
infrastructure.

On Tue, 7 May 2002 23:01:47 +0000 (UTC), in message
<news:aacf586.02050...@posting.google.com>
(<http://howardk.freenix.org/msgid.cgi?ID=102091938000>), Ron
Guilmette, the operator of proxies.relays.monkeys.com (see
<http://www.monkeys.com/anti-spam/filtering/proxies.html>),
provided a list from his database, showing fourteen (14) openly
abused open proxies operating in Telewest net-space. Among other
things, all of these proxies have open access to the
blueyonder.co.uk news servers, without authentication beyond IP
range.

Of the fourteen proxies listed, only two had been used in the
recent hijackings of the news-binary.blueyonder.co.uk, which
precipitated the original UDP proposal. I provided additional
details of these attacks. See
<news:dritz-2B387D....@news.supernews.com>
(<http://howardk.freenix.org/msgid.cgi?ID=102091998800>).

In the same message, I provided information on a proxy which did
not appear on Ron's list, through which 126,485 posts had been
spammed to Usenet, over the previous two weeks. That it was, at
that writing, still open, though originally reported on 18 Apr
2002, is indicative of just how seriously Telewest appears to be
taking this UDP proposal.

While the port scans originating from
scanner.abuse.blueyonder.co.uk are a good sign, they are, in and
of themselves, insufficient. That abused open proxies which have
been identified remain open, is a far stronger argument for
proceeding with a formal UDP notice.

Of the fourteen proxies referenced in Ron's article, not one has
been locked down, even though two of them were among those
heavily abused open proxies which led to this UDP discussion. The
only proxy which I've seen adequately addressed, since this UDP
discussion began two weeks ago, is the proxy at [62.31.5.52],
which finally appears to be configured securely, after three
persistent weeks of attempting to get the issue addressed.

This is unacceptable.

In addition to the article posted to news.admin.net-abuse.policy,
from wirehub.nl, (see
<news:Pine.WNT.4.44.020...@bigben.wirehub.net>
[<http://howardk.freenix.org/msgid.cgi?ID=102049809300>]), I
have received email replies from easynet.net, cidera.com,
randori.com and proxad.net, stating they will support this UDP at
any level. Wirehub, Randori and Cidera began dropping articles
showing "news-binary.blueyonder.co.uk.POSTED" almost as soon as
the request for discussion was posted.

On Tue, 7 May 2002 15:34:02 -0400 (EDT),
Mike Donovan <ne...@cidera.com> wrote:

> Since Friday, when I started the auto-blackhole of
> news-binary.blueyonder.co.uk, I've seen 64,782 messages blocked.
> Nothing from news-binary.blueyonder.co.uk should be coming via us
> anymore.

I would request that those remaining upstream peers begin
passively filtering this traffic at this time. Should things get
straightened out, these outbound newsfeeds may be re-enabled.

================================UDP NOTICE===============================

Because of the limited response to serious ongoing problems, even
when they have been pointed out repeatedly, a full active Usenet
Death Penalty targeting Telewest Communications PLC will go
into effect at the close of business, on Wednesday, 15 May
2002 17:00 PDT, (16 May 2002 00:00:00 GMT).

Please see:

"Usenet Death Penalty FAQ"
<http://www.stopspam.org/usenet/faqs/udp.html>

"The Cancel FAQ"
<http://www.killfile.org/faqs/cancel.html#VIII.D.>

"Spam Glossary"
<http://www.rahul.net/falk/glossary.html#udp>

It is sincerely hoped that Telewest Communications PLC will
take appropriate measures to stem the flow of abuse from their
network before this time. Any assistance which they may require
will be gladly provided.

Should this action become unavoidable, sites not wishing to
participate may alias out the pseudosite Path stamp,
"blueyonderudp".

Sites not wishing to participate in any active UDP may alias out
the pseudosite Path stamp, "udpcancel".

- --
David Ritz <dr...@suespammers.org>
The suespammers.org mail server is located in California; do not
send unsolicited bulk e-mail or unsolicited commercial e-mail to my
suespammers.org address.


Graham Drabble

May 9, 2002, 8:17:40 AM
On 09 May 2002 David Ritz <dr...@suespammers.org> wrote in news:dritz-
C24B9B.005...@news.supernews.com:

> Because of the limited response to serious ongoing problems, even
> when they have been pointed out repeatedly, a full active Usenet
> Death Penalty targeting Telewest Communications PLC will go
> into effect at the close of business, on Wednesday, 15 May
> 2002 17:00 PDT, (16 May 2002 00:00:00 GMT).

Can someone confirm whether or not this is all of blueyonder.co.uk's
servers or just news-binary.blueyonder.co.uk?

--
Graham Drabble
If you're interested in what goes on in other groups or want to find
an interesting group to read then check news.groups.reviews for what
others have to say or contribute a review for others to read.

Ian Hagon

May 9, 2002, 11:13:35 AM
"David Ritz" <dr...@suespammers.org> wrote in message
news:dritz-C24B9B....@news.supernews.com...
Some things that cannot be denied.
-----Snipped-----


David,
Blueyonder will support and enforce this UDP as we do with all others.
Posts containing a path entry of
news-binary.blueyonder.co.uk.POSTED
are currently being dropped at our borders. This will continue until the
proxy situation has been cleaned up to a point when the Usenet community is
satisfied that we are a responsible ISP and our abuse processes are
sufficient and timely.

Cheers

Ian Hagon
Internet Systems Manager
Telewest Broadband

Howard Knight

May 9, 2002, 12:38:33 PM
Ian Hagon (iha...@blueyonder.co.uk) wrote:

> Blueyonder will support and enforce this UDP as we do with all others.
> Posts containing a path entry of news-binary.blueyonder.co.uk.POSTED
> are currently being dropped at our borders.

You're gonna UDP yourself? Cool.

Howard

Peter Ibbotson

May 9, 2002, 1:17:08 PM
"Ian Hagon" <iha...@blueyonder.co.uk> wrote in message
news:lmwC8.27413$Li1.19...@news-text.cableinet.net...

> "David Ritz" <dr...@suespammers.org> wrote in message
> news:dritz-C24B9B....@news.supernews.com...
> Some things that cannot be denied.
> -----Snipped-----
>
>
> David,
> Blueyonder will support and enforce this UDP as we do with all others.
> Posts containing a path entry of
> news-binary.blueyonder.co.uk.POSTED
> are currently being dropped at our borders. This will continue until the
> proxy situation has been cleaned up to a point when the Usenet community is
> satisfied that we are a responsible ISP and our abuse processes are
> sufficient and timely.
>


Wow! UDPing yourself! see url below for more details:
http://status.blueyonder.co.uk/announcements/announcement.html

I do use them at home, sounds like it will get fixed up soon...

--
Work pet...@lakeview.co.uk.plugh.org | remove magic word .org to reply
Home pe...@ibbotson.co.uk.plugh.org | I own the domain but there's no MX


Marc Bissonnette

May 9, 2002, 1:45:33 PM
Peter Ibbotson <spa...@ibbotson.co.uk> wrote in
news:1020964563.15502....@news.demon.co.uk:

> "Ian Hagon" <iha...@blueyonder.co.uk> wrote in message
> news:lmwC8.27413$Li1.19...@news-text.cableinet.net...
>> "David Ritz" <dr...@suespammers.org> wrote in message
>> news:dritz-C24B9B....@news.supernews.com...
>> Some things that cannot be denied.
>> -----Snipped-----
>>
>>
>> David,
>> Blueyonder will support and enforce this UDP as we do with all others.
>> Posts containing a path entry of
>> news-binary.blueyonder.co.uk.POSTED
>> are currently being dropped at our borders. This will continue until
>> the proxy situation has been cleaned up to a point when the Usenet
>> community is
>> satisfied that we are a responsible ISP and our abuse processes are
>> sufficient and timely.
>>
>
>
> Wow! UDPing yourself! see url below for more details:
> http://status.blueyonder.co.uk/announcements/announcement.html
>
> I do use them at home, sounds like it will get fixed up soon...

I've gotta admit, it's a classy thing for an ISP to do, even though it
took being clubbed near to death with a cluestick to get them to notice
their own problem :)

--
-----------------------------
Marc Bissonnette
Internalysis - Intelligence in Internet Communications
http://www.internalysis.com

IRS Agent

May 9, 2002, 10:31:09 PM
Jeffery J. Leader wrote:

> You have as usual presented a great deal of evidence in a
> well-organized manner. You're obviously investing a lot of time trying
> to make things better. I certainly don't see any need for you to
> respond to a lengthy, continuing diatribe against Ken Lucke.

Obviously you haven't cared to understand what constitutes the
statistics. Below are examples of what is included using the
standard Lucke blurb which I found in a math group:

|This article was canceled for one or more of the following reasons:
|Spam (ECP/EMP) - excessively cross-posted/excessively multi-posted article
| exceeding BI=20 (see <http://www.uiuc.edu/ph/www/tskirvin/faqs/spam.html>)

This is what I would expect in such statistics and nothing more.

|Make Money Fast (MMF) chain letter or lookalike

WTF is a lookalike?

|Reposting or quoting significant portions of one of the above

So even single posted replies are now spam? What is "significant"?

|Binary posting in non-binary newsgroup

Not spam at all. This is a different issue and no consensus has
been achieved. If servers don't want large articles, they can have
their feeds configured to not send large articles.

|Open Proxy abuse

More undefined terms. This is just a way to say cancel anything I
want to cancel regardless of whether it is spam or not.

|Retromoderation by request of legitimate group moderator or due
| to charter violation

He saves the best for here. Retromoderation because a charter is
violated looks like serious net abuse.

|Forgery canceled by request of forged individual or organization

Again, another thing which does not belong in spam statistics
absent being spam.

Clearly, statistics generated from the above which purport to
represent spam cancelations are misleading and inaccurate.

Kathy I. Morgan

May 10, 2002, 3:14:48 AM
Ian Hagon <iha...@blueyonder.co.uk> wrote:

> "David Ritz" <dr...@suespammers.org> wrote in message
> news:dritz-C24B9B....@news.supernews.com...
> Some things that cannot be denied.
> -----Snipped-----
>
>
> David,
> Blueyonder will support and enforce this UDP as we do with all others.
> Posts containing a path entry of
> news-binary.blueyonder.co.uk.POSTED
> are currently being dropped at our borders. This will continue until the
> proxy situation has been cleaned up to a point when the Usenet community is
> satisfied that we are a responsible ISP and our abuse processes are
> sufficient and timely.

Wow! I'm impressed!

Tim Skirvin

May 10, 2002, 12:21:04 PM
Ian Hagon <iha...@blueyonder.co.uk> writes:

> Blueyonder will support and enforce this UDP as we do with all others.

Wow.

- Tim Skirvin (tski...@killfile.org)
--
<URL:http://www.killfile.org/~tskirvin/> Skirv's Homepage <FISH><
<URL:http://www.killfile.org/dungeon/> The Killfile Dungeon <*>

Rebecca Ore

May 10, 2002, 2:11:32 PM
Tim Skirvin <tski...@killfile.org> writes:

> Ian Hagon <iha...@blueyonder.co.uk> writes:
>
> > Blueyonder will support and enforce this UDP as we do with all others.
>
> Wow.
>

I think we all did double-takes.

--
Rebecca Ore

Jeffery J. Leader

May 10, 2002, 6:07:06 PM
On Fri, 10 May 2002 07:14:48 +0000 (UTC), Kathy I. Morgan
<kmo...@spamcop.net> wrote:
>Wow! I'm impressed!

Ditto!

Robert E A Harvey

May 12, 2002, 1:36:02 PM
Marc Bissonnette <dragne...@internalysis.com> wrote in message
news:<Xns92098BE6E3CD1dragn...@206.172.150.14>...

...
> I've gotta admit, it's a classy thing for an ISP to do, even though it
> took being clubbed near to death with a cluestick to get them to notice
> their own problem :)
It is impressive, isn't it.

So, now how do we stop all the NTL clients cross-posting and
advertising outside charters?

Andy McLennan

May 13, 2002, 5:55:37 PM
"Graham Drabble" <graham....@lineone.net> wrote in message
news:Xns920985707578Dgr...@ID-77355.user.dfncis.de...

| On 09 May 2002 David Ritz <dr...@suespammers.org> wrote in news:dritz-
| C24B9B.005...@news.supernews.com:
|
| > Because of the limited response to serious ongoing problems, even
| > when they have been pointed out repeatedly, a full active Usenet
| > Death Penalty targeting Telewest Communications PLC will go
| > into effect at the close of business, on Wednesday, 15 May
| > 2002 17:00 PDT, (16 May 2002 00:00:00 GMT).
|
| Can someone confirm whether or not this is all of blueyonder.co.uk's
| servers or just news-binary.blueyonder.co.uk?
|
| --
| Graham Drabble
| If you're interested in what goes on in other groups or want to find
| an interesting group to read then check news.groups.reviews for what
| others have to say or contribute a review for others to read.

AFAIK as a BY client it is just news-binary.blueyonder.co.uk.

In BY's favour though, they have been scanning across multiple ports for
open proxies (numerous times per 24hr period) over BY's domain. Blueyonder
(Telewest) do appear to be trying hard to lock this down, due to the
embarrassment caused by the UDP Call.

HTH

Andy

Bob Brenchley.

May 14, 2002, 5:04:04 AM

As another customer I can confirm BY's efforts to solve the problems.
Now I know the question asked is "Why didn't they do it before?" And
of course we all know they should have. But with the level of spam
coming from many other sources I think it may have been a case at
Board level of "when others start to get their house in order then so
will we."

--
Bob.

The facts expressed here belong to everybody, the opinions to me. The
distinction is yours to draw...

David Ritz

May 15, 2002, 8:00:28 PM
-----BEGIN PGP SIGNED MESSAGE-----

This message is being sent, bcc, to a few interested parties.

Posted and mailed.

Posted to news.admin.net-abuse.policy, news.admin.net-abuse.misc,
news.admin.net-abuse.bulletins, news.admin.net-abuse.usenet,
uk.net, uk.telecom.broadband.

Please direct follow ups to news.admin.net-abuse.policy. Please see
<http://www.killfile.org/~tskirvin/nana/nanap-charter.html> prior to
posting to this moderated newsgroup.

========================================================================

With nine (9) of the fourteen (14) open proxies secured, which
were discussed prior to issuing the UDP announcement, a twenty
four (24) extension on the UDP deadline is being granted, to allow
Telewest sufficient time to address the remaining five (5) openly
abused proxies.

The extended deadline for a full active Usenet Death Penalty
targeting Telewest Communications PLC is the close of business, on
Thursday, 16 May 2002 17:00 PDT, (17 May 2002 00:00:00 GMT).

With no traffic propagating from news-binary.blueyonder.co.uk, no
udpcancels would be issued, even if this deadline is not met. I
must thank Ian Hagon for his actions in support of the called UDP.

It is my most sincere hope that this new deadline is met.

- --
David Ritz <dr...@suespammers.org>
The suespammers.org mail server is located in California; do not
send unsolicited bulk e-mail or unsolicited commercial e-mail to my
suespammers.org address.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Security 7.0.3
Comment: Finger:dr...@mindspring.com for public keys

iQCVAwUBPOL1qqdkAgrqVVPRAQEzMQP+Kw95pfa5DSOvCCboVWxSGyHy1hO+ObDj
rgMuDGbZgaKXmpwTQ3lTY/MWsJy5e8S04Xe2ZYmCR6kxng97Ilf7F6SvOyQ3lk3r
KXj4QXxDNkuZQZjFQc0mykeiAfvFJ0YXsBUT5C8S4NS5EPzPJ1uvAlz2BWp3uO/C
vCeQhEHEg0A=
=o9Or
-----END PGP SIGNATURE-----

rfgdxm/Robert F. Golaszewski

May 15, 2002, 8:48:38 PM
David Ritz wrote:

> > With nine (9) of the fourteen (14) open proxies secured, which
> were discussed prior to issuing the UDP announcement, a twenty
> four (24) extension on the UDP deadline is being granted, to allow
> Telewest sufficient time to address the remaining five (5) openly
> abused proxies.
>
> The extended deadline for a full active Usenet Death Penalty
> targeting Telewest Communications PLC is the close of business, on
> Thursday, 16 May 2002 17:00 PDT, (17 May 2002 00:00:00 GMT).
>
> With no traffic propagating from news-binary.blueyonder.co.uk, no
> udpcancels would be issued, even if this deadline is not met. I
> must thank Ian Hagon for his actions in support of the called UDP.
>
> It is my most sincere hope that this new deadline is met.


Is Telewest still being naughty boys? Shame on them. And they posted
they were going to be nice.

Bob Brenchley.

May 16, 2002, 3:30:34 AM
On Thu, 16 May 2002 00:48:38 +0000 (UTC), "rfgdxm/Robert F.
Golaszewski" <rfg...@mochamailKILLSPAMMERS.com> wrote:

>David Ritz wrote:
>
>> > With nine (9) of the fourteen (14) open proxies secured, which
>> were discussed prior to issuing the UDP announcement, a twenty
>> four (24) extension on the UDP deadline is being granted, to allow
>> Telewest sufficient time to address the remaining five (5) openly
>> abused proxies.
>>
>> The extended deadline for a full active Usenet Death Penalty
>> targeting Telewest Communications PLC is the close of business, on
>> Thursday, 16 May 2002 17:00 PDT, (17 May 2002 00:00:00 GMT).
>>
>> With no traffic propagating from news-binary.blueyonder.co.uk, no
>> udpcancels would be issued, even if this deadline is not met. I
>> must thank Ian Hagon for his actions in support of the called UDP.
>>
>> It is my most sincere hope that this new deadline is met.
>
>
> Is Telewest still being naughty boys? Shame on them. And they posted
>they were going to be nice.

Where do you see ANY indication in the ABOVE that Blueyonder are
"still being naughty boys"?

The self imposed UDP is still in force, it would be totally wrong for
a real UDP to be enforced until BY have removed the in-house UDP and
reopened their news server. Then, and only then, if a gross problem
still remains, should there be any talk of a real UDP.

Ian Hagon

May 16, 2002, 7:00:00 AM

"rfgdxm/Robert F. Golaszewski" <rfg...@mochamailKILLSPAMMERS.com> wrote in
message news:CkDE8.306$Mc6....@news4.aus1.giganews.com...

We are being nice. We just overlooked a couple of people, for the people we
missed we got another 20+, so it's not all bad news just a bit of a cock up
we could have really done without :o(
They should all be sorted now and we've another 170 odd to educate / suspend
/ terminate.
Add to that the fact we've got much better processes in place, active
scanning and a promise of extra resource and things are actually looking a
lot better here than they did a week ago.

Tim Booth

May 16, 2002, 10:30:52 AM

> We are being nice.

By far and away the best response I have seen in over 6 years
of watching this group

Webko

g00se

May 16, 2002, 6:07:05 PM
"David Ritz" <dr...@suespammers.org> wrote in message
news:nanau.dritz-0FB0...@news.supernews.com...

> a twenty four (24) extension on the UDP deadline is being granted, to allow
> Telewest sufficient time to address the remaining five (5) openly
> abused proxies.

24 Hours?
24 Days?
24 Months?
24 Years?
24 baboons?

??? :o)

rfgdxm/Robert F. Golaszewski

May 16, 2002, 6:56:31 PM


If a server has a self-imposed UDP, obviously there is no
justification for a real UDP. If outgoing posts are zero, then surely
they won't be spamming.

rfgdxm/Robert F. Golaszewski

May 16, 2002, 6:57:56 PM
Ian Hagon wrote:
> "rfgdxm/Robert F. Golaszewski" <rfg...@mochamailKILLSPAMMERS.com> wrote in
> message news:CkDE8.306$Mc6....@news4.aus1.giganews.com...

>> Is Telewest still being naughty boys? Shame on them. And they
>> posted they were going to be nice.
>

> We are being nice. We just overlooked a couple of people, for the
> people we missed we got another 20+, so it's not all bad news just a
> bit of a cock up we could have really done without :o(
> They should all be sorted now and we've another 170 odd to educate /
> suspend / terminate.
> Add to that the fact we've got much better processes in place, active
> scanning and a promise of extra resource and things are actually
> looking a lot better here than they did a week ago.


OK, I'll accept that. So long as no abuse is coming from your server,
however you achieve that, there is no beef.

David Ritz

May 16, 2002, 7:30:49 PM
-----BEGIN PGP SIGNED MESSAGE-----

This message is being sent, bcc, to a few interested parties.

Posted and mailed.

Posted to news.admin.net-abuse.policy, news.admin.net-abuse.misc,
news.admin.net-abuse.bulletins, news.admin.net-abuse.usenet,
uk.net, uk.telecom.broadband.

Please direct follow ups to news.admin.net-abuse.policy. Please see
<http://www.killfile.org/~tskirvin/nana/nanap-charter.html> prior to
posting to this moderated newsgroup.

========================================================================

All of the open proxies which were discussed under this UDP
proposal and call are either secured or unable to access
news.blueyonder.co.uk, the conditions for lifting the called UDP
have been met. That three of the proxies remain open at this late
date remains a concern, but I fully expect these, too, will be
secured or disabled within the next business day in the UK.

With no traffic propagating from news-binary.blueyonder.co.uk, the
remedial action sought through this UDP has been achieved. As the
purpose of the UDP is to seek remedy, rather than as a punitive
action, the called active Usenet Death Penalty is being lifted.
It will remain up to those providers upstream of BY, as to whether
they wish to reestablish those outbound newsfeeds which are being
null routed.

While this Usenet Death Penalty is lifted, a probationary period
of 30 days is being imposed. Should major increases in the volume
of Usenet abuse begin to show a significant upward swing, the
active UDP may be initiated at any time, without further
discussion or notice, within this probationary period.

It is sincerely hoped that Telewest Communications PLC will
continue to be a conscientious and trusted member of the Usenet
community.

- --
David Ritz <dr...@suespammers.org>
The suespammers.org mail server is located in California; do not
send unsolicited bulk e-mail or unsolicited commercial e-mail to my
suespammers.org address.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Security 7.0.3
Comment: Finger:dr...@mindspring.com for public keys

iQCVAwUBPORA9qdkAgrqVVPRAQG0cAP/aG+JkWAXtU2A4Ci8HDgX+VfjvHTGMM1y
XEzCiWg0xqhmnT+BJ7ZkSy8cEoUGKsSYjMz5B6jWtbTpodmQRMVJJsI0/6z1hrJ/
62hRfjWLEzW4OsDuG/J/a/dOla3W2fx16IRMRjI0bRNjbaClP0uq6ztx+0fOxdFq
95W9Gr+ksGg=
=SY1a
-----END PGP SIGNATURE-----

Mod 1

May 20, 2002, 1:16:29 PM
SPAM Busters? ROTFLMAO !

ASSHOLES AND KOOKS is more like it.


On Thu, 16 May 2002 18:30:21 -0500, David Ritz <dr...@suespammers.org>
wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>
>This message is being sent, bcc, to a few interested parties.
>
>Posted and mailed.


WHO DOES GIVE A S.....?


YEAH, I AM SURE THEY WILL JUMP TO DO THIS FOR *YOU*

Mod 1

May 21, 2002, 7:03:17 AM
SPAM Busters? ROTFLMAO !

ASSHOLES AND KOOKS is more like it.


On Thu, 16 May 2002 18:30:21 -0500, David Ritz <dr...@suespammers.org>
wrote:

>-----BEGIN PGP SIGNED MESSAGE-----


>
>This message is being sent, bcc, to a few interested parties.
>
>Posted and mailed.

WHO DOES GIVE A S.....?

>
