Dear customer...
Ina Faye-Lund
Please, my dear dear customer, do you _have_ to spend your weekend
plotting revenge against all the world in general, and me
specifically?
Do you _have_ to do it in such a way that you're absolutely no
challenge at all in tracking down?
Do you _have_ to botch your mailbombing of your ex-girlfriend,
ex-boss, ex-boyfriend, ex-whatever, so that the several thousand mails
end up in _my_ mailbox?
Do you _have_ to conspire with several others to make certain I get to
close accounts every single Monday?
Do you _have_ to send a mail to several thousand users, to tell them
of this fantastic opportunity to earn money fast?
And do you _have_ to send a complaint to us, because people send you
angry mails, because of your spamming?
As for the rest of you less than clueful people out there, if you
absolutely _have_ to try to break into someone's computer, does it
have to be one on _my_ net?
Do you _have_ to do it in a way that generates thousands of loglines
in _my_ logs?
Do you _have_ to use the most basic, elementary tools, that most
_clueful_ people were aware of three years ago?
I mean, trying to scan port 12345 isn't _in_ anymore. It's boooring!
It is sooooo out!
It is not as if I am ungrateful or something, is it? You make certain
that I still have a job to do, and probably will have for a couple of
millenia more, unless you manage to botch this world as well. All I
ask in return, is that you do this sillyness when I can actually be
there, and stop you before you do much damage.
Preferably, that you sent us a mail in beforehand, to tell us that you
intended to break our AUP in such a way that we'd probably like to be
there, to stop you. That is not asking too much, is it?
Oh, yes. If anyone knows where Athabaska, Peace River and Dwyer are,
please let me know. I am in despearate search for a place where I can
feel welcome...
(And btw, STR. Stig, you're not allowed to try)
--
North of Athabaska. East of Peace River. North of Dwyer.
cdj...@ualberta.ca
> Oh, yes. If anyone knows where Athabaska, Peace River and Dwyer are,
> please let me know. I am in despearate search for a place where I can
> feel welcome...
> North of Athabaska. East of Peace River. North of Dwyer.
That would be "Athabasca", to pick nits. And I know someone from
there. Hmm. I also know someone who works at the University there. I
also know where Peace River is. Never been there, though.
Why, though, do you want to know where they are?
Hmmm. Dwyer. Never heard of it ... And nor has StatsCan.
Interesting. I hear there are great fowl up north. Canada Geese and the
like.
CJ at (53n33 113w28).
Steve VanDevender
> I mean, trying to scan port 12345 isn't _in_ anymore. It's boooring!
> It is sooooo out!
Oh golly, this is just so apropos to the true tale of luserdom I have
for you today.
There was once this luser who posted a message to the local security
mailing list I manage. From a Hotmail account that wasn't subscribed to
the list. Full of some whiny adolescent rant about how 31337 h4X0rs are
doing the world a favor, or somesuch. I approved it to the list anyway,
mainly for amusement value.
Of course, each Hotmail message contains an X-Originating-IP header, and
this one contained the IP of one of our lab computers. So I was able to
determine to a high degree of probability that it was this luser,
because he had logged in to one of our accounts from the same computer
at nearly the same time. He did seem a bit surprised that I could
figure out it was him.
A couple of list subscribers also pointed out that the whiny adolescent
rant had originally appeared in (I think) Phrack. So it wasn't even
original.
Well, today I get email from this very same luser asking me just how
likely it is that a system with TCP port 12345 open is running NetBus.
(I said it's not a strict guarantee that the machine is running anything
in particular.) Then a little later I get another email where he says
that he got bored and scanned the entire /16 belonging to the sniversity
because he was bored, and would that be against our policies?
Before I had even read those messages, several of our more astute admins
around campus had noticed that they had been scanned from his IP, posted
about it to our security list, and our network people had turned off his
network port.
Then I get a phone call from Mr. 31337 h4X0r. I pointed out that we
tend to frown upon portscanning, particularly as it tends to be a
prelude to other security attacks, but that he really ought to come in
and talk to our acceptable use policy person.
I believe they are scheduling an appointment for him to talk to a State
Police officer. No one really thinks it will lead to prosecution, but
I guess they're hoping it might implant The Fear.
--
Steve VanDevender "I ride the big iron" http://jcomm.uoregon.edu/~stevev
ste...@efn.org PGP key fingerprint=929FB79734DF8CC0 210DA447510FF93B
Little things break, circuitry burns / Time flies while my little world turns
Every day comes, every day goes / 100 years and nobody shows -- Happy Rhodes
sharkey (nick) moore
>
> (And btw, STR. Stig, you're not allowed to try)
> --
You are Aaron Boone, and I claim that you're nothing but
meat for the beast.
-----sharks (and a leather jacket with holes in it)
PS: http://terraserver.microsoft.com/image.asp?S=14&T=2&X=212&Y=1308&Z=14&W=0
Caveman Og
<ste...@efn.org> wrote:
> I believe they are scheduling an appointment for him to talk to a State
> Police officer. No one really thinks it will lead to prosecution, but
> I guess they're hoping it might implant The Fear.
And you *really* need to implant THE FEAR!
[note: company, product, and cow-orker names have been removed for your
comfort and canvenience]
$client will null-route certain abused IPs if you ask the NOC nicely.
$customer of $client routinely sets DNS of spam-advertized sites to
127.0.0.1, often before their existance comes to my attention. This
being among the high points of my day. ;)
Spamware and hacking tools posted to $free_web_host on $client's
downstream mysteriously vanish with little more than an "FYI" on my part.
$boss *is* the "Acceptable Use Policy Person", and holds the keys to the
"BIG RED BUTTON". Please do *not* ask to speak to my boss. You will
only regret it. You really should have resolved the issue at *my* level.
$spammer who sent spam to $mailing-list at $university, and was still
spamming 48 hours later (not from $client's network, alas), didn't
actually *have* the website he was spamvertizing anymore. That one, in
fact, took "a phone call". Remember: You do not want "a phone call".
Oh, and I should mention that this is a $client and their @customers who
haven't quite yet learned THE FEAR. You see vague inklings now and
again.
<rant>
My main beef at the moment revolves around lusers with goober personal
firewall software. A certain popular streaming media provider is the
source of nearly 100% of the "hacking" complaints, all of which
originate on port 80 and are directed towards various high-numbered
ports at the destination IP. Goober personal firwall developers don't
seem to realize that NetBIOS traffic on port 137 is usually just
background noise, or at worst a misconfigured namseserver. And no, that
reporting utility's output is NOT a logfile.
One luser even complained of an attack consisting of four 4-byte UDP
packets on Port 7.
Folks, just last week, I installed a NAT on my home network. It's a
dumb box, does both NAT and DHCP. No logging, doesn't notify me of any
activity. That dumb little NAT is a better damned firewall than
$insert-name-of-goober-product. It closes off EVERYTHIING, including the
"safe" ports, which I had to do port-mapping to make work. Naq qnza vg,
vgv qbrfa'g rira nyybj VPZC cnpxrgf guebhtu! But no, it's not a "real"
firewall. The real firewall is what I'm building to REPLACE the dumb
box (which then gets reconfigured as a bridge). The real firewall runs
BSD. That little box is even too damnably fascist for *my* liking, and
I'm a **fan** of $manufacturer.[1]
</rant>
**Ahem**
--Og
[1] Inasmuch as all hardware sucks, $manufacturer's stuff's pretty good.
--
"The greatest dangers to liberty lurk in insidious encroachment by men of zeal
and wellmeaning but without understanding." -- Justice Louis D. Brandeis
-----------------------------------------------------------------------
Og, Caveman, "imparter of clues"
Dan Holdsworth
<sta...@starcat.rlyeh.net>
>
>Please, my dear dear customer, do you _have_ to spend your weekend
>plotting revenge against all the world in general, and me
>specifically?
>
>Do you _have_ to do it in such a way that you're absolutely no
>challenge at all in tracking down?
[...]
Yes, they _all_ seem to do that.
The usual modus operandi round here seems to be to try something utterly
luserish, then log off quickly in the hope that nobody'll suss that they did
it quickly enough.
Have these berks no idea of what NTP does?
No, I suppose not. Then it is down to yours truly to hunt through the radius
logs to suss when they came on, and laboriously reconstruct who committed
each and every offence. And pass it to my colleagues in the Abuse section to
deal with.
The worst ones are the hammerers. The nitwits who bang away like a demented
bloody woodpecker, thinking that nevermind that $FTP-SITE told 'em to go
forth and multiply dozens of times before, maybe one more time'll do it.
Nevermind that hell shall freeze over, Fenriswolf eat the sun and Entropy
reduce the universe to a barren, freezing waste before a UNIX FTP site
changes its mind on letting $LUSER in if configured not to...
And last week I heard that someone's copy of ELIZA passed the Turing test.
Sheesh, sometimes I despair for the human race; it's about time we gave the
dolphins a go at this $most_intelligent_life_on_planet business...
--
Dan Holdsworth PhD da...@supanet.com
By caffeine alone I set my mind in motion, By the beans of Java
do thoughts acquire speed, hands acquire shaking, the shaking
becomes a warning, By caffeine alone do I set my mind in motion
Rebecca Ore
(Snips)
>
> The worst ones are the hammerers. The nitwits who bang away like a demented
> bloody woodpecker, thinking that nevermind that $FTP-SITE told 'em to go
> forth and multiply dozens of times before, maybe one more time'll do it.
> Nevermind that hell shall freeze over, Fenriswolf eat the sun and Entropy
> reduce the universe to a barren, freezing waste before a UNIX FTP site
> changes its mind on letting $LUSER in if configured not to...
I get the spammers and idiots who think it would be so cool to use my
port 119 for their spam runs or something even though I don't have an
active nntp daemon running. One of my friends who like running
traceroute and whois and telnetting into strange open machines is
aliased to my abuse and security roles and can read my logs.
One known person was hammering from about late January or February to
about two weeks past on sometimes a several times a day basis.
We're not sure whether he finally figured out that while he couldn't
get in, we could get him -- or was busted, went into rehab, or just
lost his accounts and decided to give up.
(Snips)
--
Rebecca Ore
http://www.ogoense.net
sau...@idx.com.au
> Caveman Og wrote on Fri, 06 Oct 2000 05:10:03 GMT:
>
> | <rant>
> | My main beef at the moment revolves around lusers with goober personal
> | firewall software. A certain popular streaming media provider is the
> | source of nearly 100% of the "hacking" complaints, all of which
> | originate on port 80 and are directed towards various high-numbered
> | ports at the destination IP.
>
> Of course, if you see a series of connect attempts from port 80 on a
> remote machine, to IP addresses that don't exist, you're just _slightly_
> likely to be a little suspicious.
What cheeses me off is that the various personal security programs out
there don't seem to be able to run a decent traceroute to save their
lives. So then the weenies^Waggrieved send their reports to the
abuse mailbox demanding that the gigabit ethernet port on our core
routers be disciplined.
I can think of reasons to smack the gigE ports, but "hacking" isn't
one of them.
Saundo
--
Chris "Saundo" Saunderson sau...@idx.com.au
Unix Guy Powered by Linux and the Orb.
Joshua Baker-LePain
> Sheesh, sometimes I despair for the human race; it's about time we gave the
> dolphins a go at this $most_intelligent_life_on_planet business...
Cue:
http://www.theonion.com/onion3630/dolphins_evolve_thumbs.html
--
Joshua Baker-LePain
Department of Biomedical Engineering
Duke University
Dan Holdsworth
<reb...@ogoense.net>
[...]
>I get the spammers and idiots who think it would be so cool to use my
>port 119 for their spam runs or something even though I don't have an
>active nntp daemon running. One of my friends who like running
>traceroute and whois and telnetting into strange open machines is
>aliased to my abuse and security roles and can read my logs.
>
>One known person was hammering from about late January or February to
>about two weeks past on sometimes a several times a day basis.
>
>We're not sure whether he finally figured out that while he couldn't
>get in, we could get him -- or was busted, went into rehab, or just
>lost his accounts and decided to give up.
That's what worries me about things like Chuckmail. Granted, letting some
berk "use" your seemingly open port 25 relay [1] might be fun, especially
when you see how much they throw at it, but there is a real possibility that
the spammer may be a genuine raving lunatic.
The problem here is that whilst telling a nutter to sod off (electronically)
might not get 'em going, giving them access to chuckmail might well annoy
them [2] and lead to physical retribution. Worse, they might well actually
find the right person to kill.
No, I prefer the standard systems, that just say "No. Youse ain't coming in.
Deal with it". Less entertaining, but in a world where lusers can
comprehensively fail the Turing Test with Mailer Daemon [3] I don't intend
to give them a chance...
[1] Chuckmail is a direct line to /dev/null. Therefore, whilst you may be
able to spam Lord Lucan, Shergar and Elvis, you can't spam anyone who might
give a flying fsck through it.
[2] "You've been wasting my time, you ****!".
[3] Failing the Turing Test on something intended to do this is one thing,
but failing on a piece of software that was never intended to sound human in
the first place is some new depth of luserishnes, IMHO.
Ina Faye-Lund
> You are Aaron Boone, and I claim that you're nothing but meat for
> the beast.
You have to admin, though, that it would have been far easier life
than the one we're living? :)
--
I have seen things you people wouldn't believe. Attack ships on fire
off the shoulder of Orion. I watched C-beams glitter in the dark
near the Tannhauser Gate. All those moments will be lost in time,
like tears in rain. Time to die.
Ina Faye-Lund
> And last week I heard that someone's copy of ELIZA passed the Turing
> test. Sheesh, sometimes I despair for the human race; it's about
> time we gave the dolphins a go at this
> $most_intelligent_life_on_planet business...
I cannot help it, but the part about the dolphins just swimming around
in the sea, having fun, seems pretty attractive to me right now, even
if it's bloody cold in the water. If that means escaping all those
morons who think that they get _better_ and _faster_ service if they:
- Write all in CAPS.
- Forget to include non-vital information like IP-address, time, date,
and...oh, well, just say logs.
- Keep swearing at _us_ when complaining at a customer.
- Threaten to sue, blacklist, mailbomb, hack into our servers, if they
haven't received reply from us within an hour (actually it was
closer to 50 minutes).
- Keep reminding us of who occupied our country during the war. Oh
yes, I do remember, but some of us do not carry grudges for half a
century.
- Consider one single ICPM Unreachable as a hack-attempt.
- Send messages like: "I won't bother to tell you why, but I think you
should close $USER's account."
Ina Faye-Lund
> What cheeses me off is that the various personal security programs
> out there don't seem to be able to run a decent traceroute to save
> their lives. So then the weenies^Waggrieved send their reports to
> the abuse mailbox demanding that the gigabit ethernet port on our
> core routers be disciplined.
Not to mention people who wonder why $IP is trying to connect to them
from port 110, when $IP is the mailserver?
I really loathe those "neat" little firewall programs. Especially
those that alert the user of "hacking attempt" from port 80 on various
webservers, to their computer while they're just surfing.
*doh*
Rob Partington
Ina Faye-Lund <sta...@starcat.rlyeh.net> wrote:
>You have to admin, though
YKYBHTLW...
--
r...@frottage.org
Ina Faye-Lund
> On 10 Oct 2000 09:43:53 +0200,
> Ina Faye-Lund <sta...@starcat.rlyeh.net> wrote:
> >You have to admin, though
>
> YKYBHTLW...
You don't say...
Does anyone have some spare time I can borrow? I _do_ have the right
to take three weeks of vacation this year, but I cannot seem to find
the time... And I am in desperate need of it right now, I think.
Garrett Wollman
Caveman Og <NoSp...@CaveHome.example.org.invalid> wrote:
>My main beef at the moment revolves around lusers with goober personal
>One luser even complained of an attack consisting of four 4-byte UDP
>packets on Port 7.
A few months ago, we had a luser file a complaint that our public
stratum-1 NTP server was trying to ``hack in to their machine'' on
port 123.
Yeah, right.
Of course, no response on our part could explain to him what an NTP
server is and why he was receiving these packets.
-GAWollman
--
Garrett A. Wollman | O Siem / We are all family / O Siem / We're all the same
wol...@lcs.mit.edu | O Siem / The fires of freedom
Opinions not those of| Dance in the burning flame
MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick
Joe Moore
Ina Faye-Lund <sta...@starcat.rlyeh.net> wrote:
>
>- Consider one single ICPM Unreachable as a hack-attempt.
An ICBM-unreachable packet is one hell of a hack-attempt.
--Joe
--
"It is unlikely that the world is ever going to move to one operating
environment. There are always going to be three or four commonly used
operating environments." - Paul Maritz, Interview with CrossTalk,
http://www.stsc.hill.af.mil/CrossTalk/2000/sep/maritz.asp
Lurking Girl
Garrett Wollman <wol...@lcs.mit.edu> wrote:
>In article <NoSpamOg-F59C2E...@news.bremtn1.wa.home.com>,
>
>A few months ago, we had a luser file a complaint that our public
>stratum-1 NTP server was trying to ``hack in to their machine'' on
>port 123.
>
>server is and why he was receiving these packets.
One of the many reasons I hate doing postmaster stuff: trying to
explain to rabid idiots (many of whom claim to be sysadmins/network
engineers/etc.; or, Cthulhu love us, postmasters) that any ankle-
biting moron, including themselves, can easily forge a From: address.
--
Victoria Swann to...@cugc.org
A friend in need is a friend indeed, a friend with weed is better;
A friend with breasts and all the rest, a friend who's dressed in leather.
--Placebo, "Pure Morning"
Greg Andrews
>In article <7irsnq5...@opus.nextel.no>,
>Ina Faye-Lund <sta...@starcat.rlyeh.net> wrote:
>>
>>- Consider one single ICPM Unreachable as a hack-attempt.
>
>An ICBM-unreachable packet is one hell of a hack-attempt.
>
It's the One True Winnuke, innit?
-Greg
--
::::::::::::::::::: Greg Andrews ge...@panix.com :::::::::::::::::::
Don't *MAKE* me sing the JCL song, in its *ENITRETY*, with the
accompanying *GESTURES*.
-- Adam J. Thornton admonishes the scary devil monastery
Tanuki the Raccoon-dog
>In article <7irsnq5...@opus.nextel.no>,
>Ina Faye-Lund <sta...@starcat.rlyeh.net> wrote:
>>
>>- Consider one single ICPM Unreachable as a hack-attempt.
>
>An ICBM-unreachable packet is one hell of a hack-attempt.
In which case I want to implement a robust network
infrastructure that can issue ICBM-redirects.
Something for Cisco to implement in IOS13.x perhaps?
--
!Raised Tails! -:Tanuki:-
http://www.canismajor.demon.co.uk/index.htm
"OK Smartass. What's the homeopathic treatment for gunshot wounds?"
Pim van Riezen
> - Consider one single ICPM Unreachable as a hack-attempt.
+--- [ C:\PROGRA~1\WINFIR~1\FIREWALL.EXE ] ---+
| |
| THIS EVALUATION COPY WILL EXPLODE |
| IN 21 DAYS. |
| |
E---------------------------------------------3
| |
| Possible Hack Attempt!!!!! Dude, they are |
| out h4xx0ring yout Gibson and stuff!!!! |
| |
| The Hackers: |
| ns.someisp.net 53 |
| |
| They Hacked At: |
| udp port 1321 |
| |
| And they did it right after you tried to |
| load their webpage in IE! They are |
| trying to plant a virus through udp, |
| which is evil! |
| |
| [X] Send email to abuse and postmaster |
| [X] Send bcc copy to uplink |
| [X] Include firewall log as a Word2000 |
| document containing a grab of this |
| window as a .BMP file |
| [X] Send an extra copy after five minutes |
| asking if they read your mail yet. |
| [X] Prepend the message subject with the |
| priority string "Urgent!!!!!!!!" |
| |
| +----+ |
| |[OK]| [REBOOT] |
| +----+ |
+---------------------------------------------+
HTH. HAND.
Pi
--
A mouse is a device used to focus xterms.
Mike Andrews
: I wish I had $NICETHING for the number of times that I've sent an email
: to postmaster@$DOMAIN and had a "user unknown" bounce. Seems like many
: ISPs haven't read RFC822.
Solely, I'm convinced, because they're unable to.
--
Today's target: 47.639963 N; 122.130295 W. Fire at Will!!
Today's Excuse: Decreasing electron flux
Paul Kelleher
news:slrn8u6j...@manlap.zetnet.co.uk...
> In article <8rvf4c$4o$1...@amoeba.cugc.org>,
> Lurking Girl wrote:
>
> >One of the many reasons I hate doing postmaster stuff: trying to
> >explain to rabid idiots (many of whom claim to be sysadmins/network
> >engineers/etc.; or, Cthulhu love us, postmasters) that any ankle-
> >biting moron, including themselves, can easily forge a From: address.
>
> to postmaster@$DOMAIN and had a "user unknown" bounce. Seems like many
> ISPs haven't read RFC822.
>
Sexchange server in work. Of course, it didn't have one set up by
default, nor did it have an 'abuse@' alias, so last week I fished a
complaint out of our Administrator mailbox (this was not set up by me)
from sometime in August about what appears to be our dial-on-demand
router spamming someone. Our mailsever I could understand, but our
_router_? I didn't think it even had an SMTP port to itself, let alone
an open one. Unless it is Sexchange playing up, but fixing that would
require grovelling through fifty-four MSExchange Admin dialog boxes. My
will to live can't handle that. I think I'll just unplug it and blame
it on our head office.
Kelloggs
--
| Paul Kelleher, kelloggs@ | You are in a maze of twisty dialog boxes, |
| pkelleher.freeserve.co.uk | all of them alike. It is very dark. If you |
| mudhole.spodnet.uk.com | continue you are likely to be eaten by a |
| Amongst other places... | GUI. |
Paul G
In my experience, it's more like they're planning to Get Very Rich On That
Internet Thing by sending out $(LARGE_QUANTITY)loads of UCE and they think I
don't know how to find the administrative contact for their domain, or at
least their netblock coordinator, from the SMTP headers, so if they disable
the postmaster mailbox they're suddenly in stealth mode. Kinda like
two-year-olds hiding just their faces behind the couch while leaving their
bottoms in plain view: "if I can't see them, they can't see me ..."
Ignatios Souvatzis
mi...@mikea.ath.cx (Mike Andrews) writes:
> Today's target: 47.639963 N; 122.130295 W. Fire at Will!!
Nooooo... not THAT cartoon again.
-is
Stig Sandbeck Mathisen
> - Forget to include non-vital information like IP-address, time, date,
> and...oh, well, just say logs.
- Send the logs in the following format:
1. File: .doc, word document.[0]
2. said document contains a picture
3. The picture is a snapshot of a notepad window.
4. the notepad window contains the log text.
[0] - Yes, you _do_ want to be reminded.
--
SSM - Stig Sandbeck Mathisen
Trust the Computer, the Computer is your Friend
Stig Sandbeck Mathisen
> In which case I want to implement a robust network
> infrastructure that can issue ICBM-redirects.
>
> Something for Cisco to implement in IOS13.x perhaps?
Something for Uncle Sam?
Stig Sandbeck Mathisen
> One of the many reasons I hate doing postmaster stuff: trying to
> explain to rabid idiots (many of whom claim to be sysadmins/network
> engineers/etc.; or, Cthulhu love us, postmasters) that any ankle-
> biting moron, including themselves, can easily forge a From:
> address.
I usually tell them "Do not believe any mail header". I really should
add "unless I tell you to".
Ina Faye-Lund
Let me guess, you're doing abuse-work?
Nice one, but I had to make a few improvements:
+--- [ C:\PROGRA~1\WINFIR~1\FIREWALL.EXE ] ---+
| |
| THIS EVALUATION COPY WILL EXPLODE |
| IN 21 DAYS. |
| |
E---------------------------------------------3
| |
| Possible Hack Attempt!!!!! Dude, they are |
| out h4xx0ring yout Gibson and stuff!!!! |
| |
| The Hackers: |
| ns.someisp.net 53 |
| |
| They Hacked At: |
| udp port 1321 |
| |
| And they did it right after you tried to |
| load their webpage in IE! They are |
| trying to plant a virus through udp, |
| which is evil! |
| |
| [X] Send email to abuse and postmaster, |
| hostmaster, admin-c, tech-c, and any |
| other address found for every host |
| found by doing a traceroute. |
| [X] Send bcc copy to uplink |
| [X] Include firewall log as a Word2000 |
| document containing a grab of this |
| window as a .BMP file |
| [X] Send an extra copy after five minutes |
| asking if they read your mail yet. |
| [X] Prepend the message subject with the |
| priority string "URGENT!!!!!!!!" |
| [X] Use the polite version of the mail |
| where the words fuck, moron, lawyer, |
| and sue is only used up to three times |
| each. |
| |
| +----+ |
| |[OK]| [REBOOT] |
| +----+ |
+---------------------------------------------+
--
Stig Sandbeck Mathisen
> | [X] Send bcc copy to uplink |
Claim that if you appear on their traceroute, they[0] are your
customer, and demand that you take action.
[0] either one.
Ina Faye-Lund
> ... and the snapshot was done with a digital camera, so screen glare is
> washing out the text.
>
> Yes, we've had that, why do you ask?
Ok, you win.
David Scheidt
: Alan Bellingham <al...@lspace.org> writes:
:> ... and the snapshot was done with a digital camera, so screen glare is
:> washing out the text.
:>
:> Yes, we've had that, why do you ask?
: Ok, you win.
I had someone fax my polaroids of Netscape's Java console, because they
couldn't cut and paste them into mail. Scary thing is, I suggested it.
ObASR: Replacing new system with a newer one, when the original one worked.
And make me do all their fscking planning.
--
dsch...@enteract.com
"[C]ows are extremely mammalian." -- Dr I. A. York
Lurking Girl
Stig Sandbeck Mathisen <s...@rlyeh.net> wrote:
>to...@cugc.org (Lurking Girl) writes:
>
>> One of the many reasons I hate doing postmaster stuff: trying to
>> explain to rabid idiots (many of whom claim to be sysadmins/network
>> engineers/etc.; or, Cthulhu love us, postmasters) that any ankle-
>> biting moron, including themselves, can easily forge a From:
>> address.
>
>I usually tell them "Do not believe any mail header". I really should
>add "unless I tell you to".
You seem to be operating under the misapprehension that the ravening
hordes who call themselves anti-spammers listen to reason. If you
answer a complaint with anything but "yep, that account is toast", you
are _obviously_ a spammer sympathizer. :-/
On the bright side, today I came in to find a request from some guy
wanting postmaster to help translate a "satanic bible" into Turkish.
There are so many ways to answer this, I'm having problems making up
my mind; but redirecting him to satan (it exists--it's my cow orker's
test account) is winning out so far.
Ralph Wade Phillips
Lurking Girl <to...@cugc.org> wrote in message
news:8rvf4c$4o$1...@amoeba.cugc.org...
>
> One of the many reasons I hate doing postmaster stuff: trying to
> explain to rabid idiots (many of whom claim to be sysadmins/network
> engineers/etc.; or, Cthulhu love us, postmasters) that any ankle-
> biting moron, including themselves, can easily forge a From: address.
You can add to that a "WebMeister" (so says his business card!) that
doesn't understand what a FQDN is ... sigh.
This fell out when he was asking why he couldn't get back to his
server at another site for $VBAC. Turns out he wasn't quite aware that
$VBAC uses multiple subdomains ... as in he wanted
payroll.myoffice.bigcompany.com and was used to just using payroll .
One of the onlookers said that this is the first time they've seen
me speechless for longer than 5 seconds. Said it was about 2 minutes of my
staring blankly at the aforesaid pseudoWebMeister. I don't remember
anything but "Y'know, that fire last Saturday was better and more fun ... "
RwP
Lionel
Stig Sandbeck Mathisen <s...@rlyeh.net> said:
>Ina Faye-Lund <sta...@starcat.rlyeh.net> writes:
>
>> | [X] Send bcc copy to uplink |
>
>Claim that if you appear on their traceroute, they[0] are your
>customer, and demand that you take action.
Well, I often CC the complaint to the admin of the first hop outside the
culprit's domain, on the basis that very few[1] spammers are multihomed.
[1] In fact, I don't know of any, but it's bound to happen sooner or
later.
--
W
. | ,. w , "Some people are alive only because
\|/ \|/ it is illegal to kill them." Perna condita delenda est
---^----^---------------------------------------------------------------
Jan Ingvoldstad
said:
> - Send the logs in the following format:
[Unmentionable mentioned horrors snipped]
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--
ASR: We took both pills.
dgr...@cs.csuabk.edu
> In article <90l8zrv...@sunray1.nextra.no>,
> Stig Sandbeck Mathisen <s...@rlyeh.net> wrote:
>>to...@cugc.org (Lurking Girl) writes:
>>
>>> explain to rabid idiots (many of whom claim to be sysadmins/network
>>> engineers/etc.; or, Cthulhu love us, postmasters) that any ankle-
>>> biting moron, including themselves, can easily forge a From:
>>> address.
>>
>>add "unless I tell you to".
> You seem to be operating under the misapprehension that the ravening
> hordes who call themselves anti-spammers listen to reason. If you
> answer a complaint with anything but "yep, that account is toast", you
> are _obviously_ a spammer sympathizer. :-/
Even more amusing is when you notice some WebTV machine repeatedly trying
to relay through one of your mailswervers and the WebTV goofs suggest that
you call your ISP to request a static IP.
--
David Griffith
dgr...@cs.csubak.edu
Jenny Holmberg
> Even more amusing is when you notice some WebTV machine repeatedly trying
> to relay through one of your mailswervers and the WebTV goofs suggest that
> you call your ISP to request a static IP.
My annoyance list is currently topped by the luser who built a wap
site, where wap lusers could request to have their e-mail checked. The
wap site in question checked a certain luser's e-mail via POP 30 times
per minute... "route add luserip 127.0.0.1" is my friend.
--
Jenny With the Axe, and the Temper http://www.algonet.se/~jenny-h/
#include <std_disclaimer.h>
"You are in front of me. If you value your lives, be somewhere else."
--Ambassador Delenn, B5
Ina Faye-Lund
> You seem to be operating under the misapprehension that the ravening
> hordes who call themselves anti-spammers listen to reason. If you
> answer a complaint with anything but "yep, that account is toast",
> you are _obviously_ a spammer sympathizer. :-/
Of course! I mean, unless you're willing to do _everything_ [0] to
prevent spam [1], including ignoring what the received-headers tell you,
you're a spammer yourself.
I mean, no _way_ the mail address in question is forged, unless it
belongs to one of the [2]famous antispammers. Everyone and his
grandma should understand that.
After all, if you answer anything but "Account closed", you're
suggesting that the _antispammer_ is in wrong! Either you are saying
that he cannot read headers [3], you're saying that this isn't spam
[5] [6], or _you_ are a _spammer_ or a spammer sympathiser.
I wonder, would it be terribly wrong of me to send a complaint to the
antispammer's provider every time he sends a copy to 20 addresses or
more? Most completely unrelated...
I don't envy RIPE and NORID (those who deal with Norwegian domain
names). I wonder how much spam complaints those people get because
_their_ domain is mentioned somewhere in the whois of at least one of
the many steps on the traceroute.
[0] Yes, _everything_.
[1] Or prevent spam to be sent [2]
[2] Regardless of whether it comes from your customers, your net or not.
[3] It is not that difficult, is it? It says who the mail comes from
in the From-field. [4]
[4] And message-ID is of course not forgable either. If it says
<your domain> in the message-ID somewhere, of _course_ it is from you!
[5] "What do you mean by sending complaints about security incidents
to abuse@<stupid luser's domain>? You are a spammer!" Or "Yes, I
_do_ have my address on my web-pages, and encourage people to mail me
with comments, but I didn't _mean_ for people to send me mails where
they tell me what they think of it!"
[6] And since an anti-spammer is never wrong, those two possibilities
aren't.
Ina Faye-Lund
> Well, I often CC the complaint to the admin of the first hop outside
> the culprit's domain, on the basis that very few[1] spammers are
> multihomed.
That's different. If you CC it to postmaster, hostmaster, root,
admin, abuse, and any technial and administrative contact person you
can find, for _every_ step on the traceroute, starting with your own
ISP, then shame on you.
David P. Murphy
> My annoyance list is currently topped by the luser who built a wap
> site, where wap lusers could request to have their e-mail checked. The
> wap site in question checked a certain luser's e-mail via POP 30 times
> per minute... "route add luserip 127.0.0.1" is my friend.
You win. I thought once every ten minutes was bad enough to call
my friend and tell him to cut back. This of course is why I only
let friends have POP accounts, and why I don't ask for or take money.
ok
dpm
--
David P. Murphy http://www.myths.com/~dpm/
systems programmer ftp://ftp.myths.com
mailto:d...@myths.com (personal)
COGITO ERGO DISCLAMO mailto:Murphy...@emc.com (work)
Måns Nilsson
>I don't envy RIPE and NORID (those who deal with Norwegian domain
>names). I wonder how much spam complaints those people get because
>_their_ domain is mentioned somewhere in the whois of at least one of
>the many steps on the traceroute.
Lots.
At least in .SE.
--
Måns, NIC-SE.
Ina Faye-Lund
Shmuel (Seymour J.) Metz
In <slrn8u6j...@manlap.zetnet.co.uk>, on 10/10/2000
at 05:25 PM, p...@zetnet.net (Paul Martin) said:
>Seems like many ISPs haven't read RFC822.
Read it? Some of them don't know what an RFC is :-( To say nothing of
autoresponders sending incorrect instructions on reading headers.
--
Shmuel (Seymour J.) Metz, SysProg and JOAT
Reply to domain acm dot org user shmuel to contact me.
Francesco Benvenuto
Alan Bellingham <al...@lspace.org> wrote:
>ab...@icann.org recently received this:
While I do feel sorry for Mr or Mrs Abuse I can't force myself to feel
likewise for ICANN itself.
>>Even though you list
>> 192.168.0.0-192.168.255.255
>> 172.16.0.0-172.31.255.255
>> 10.0.0.0-10.255.255.255 as being reserved for private use. They
>>are showing up in the public Internet.
For some unclear reason this reminds me about certain LAT service
advertisings from $SITE1 showing up on the LAT LAN at $SITE2.
<OLD FART MODE>
This happened back when $NATIONAL_BACKBONE had a total bandwidth of 256kbps
statically subdivided into 128kbps DECNET, 64kbps SNA and 64kbps TCP/IP.
Strangely enough these memories are not as painful as they should be.
Those were the days: dare to send a non-work related email to all users
on our VAX and $BOFH would kill your account, personally hunt you around
$BUILDING (we had shared accounts: luser[1] hunting was moderately nontrivial)
and impart you a not-so-metaphorical bashing in front of your peers.
</OLD FART MODE>
[1] At said time me==luser [2] but at least I never sent such an email.
[2] I made the same mistake twice, once.
--
fB
Greg Andrews
>mans...@igloo.df.lth.se (Måns Nilsson) writes:
>
>> In article <7irr95m...@opus.nextel.no>, Ina Faye-Lund wrote:
>>>I don't envy RIPE and NORID (those who deal with Norwegian domain
>>>names). I wonder how much spam complaints those people get because
>>>_their_ domain is mentioned somewhere in the whois of at least one
>>>of the many steps on the traceroute.
>>
>> Lots.
>>
>> At least in .SE.
>
>My condolances.
>
Not that's a monk. His sympathy is a clutch of pointy
sharp things around five feet long. <wink>
-Greg
--
::::::::::::::::::: Greg Andrews ge...@panix.com :::::::::::::::::::
Sex is the mathematics urge sublimated.
-- M. C. Reed.
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Garrett Wollman
Alan Bellingham <al...@lspace.org> wrote:
>ab...@icann.org recently received this:
>>[RFC 1918 private networks] They are showing up in the public
>>Internet. You are listed as the organization in charge of these
>>addresses and they are being used to send out spam, that is why I
>>have brought them to your attention.
I'm not sure what gives more cause for pessimism: messages like that,
or statistics like these:
deny ip 192.0.2.0 0.0.0.255 any (71 matches)
deny ip 10.0.0.0 0.255.255.255 any (416369 matches)
deny ip 172.16.0.0 0.15.255.255 any (362917 matches)
deny ip 192.168.0.0 0.0.255.255 any (714793 matches)
deny ip 169.254.0.0 0.0.255.255 any (119540 matches)
(Hmmm. Wasn't 192.0.2/24 one Sun's old networks? The one that every
machine came configured by default in?)
-GAWollman
--
Garrett A. Wollman | O Siem / We are all family / O Siem / We're all the same
wol...@lcs.mit.edu | O Siem / The fires of freedom
Opinions not those of| Dance in the burning flame
MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick
Tanuki the Raccoon-dog
<wol...@lcs.mit.edu> said
>I'm not sure what gives more cause for pessimism: messages like that,
>or statistics like these:
>
> deny ip 192.0.2.0 0.0.0.255 any (71 matches)
> deny ip 10.0.0.0 0.255.255.255 any (416369 matches)
> deny ip 172.16.0.0 0.15.255.255 any (362917 matches)
> deny ip 192.168.0.0 0.0.255.255 any (714793 matches)
> deny ip 169.254.0.0 0.0.255.255 any (119540 matches)
<UI>
If that's the inbound log on one of your outward-facing
routers, I suggest deploying a maxi-LART to your upstream,
since they clearly have more upstream bandwidth than they
know how to manage.
</UI>
For additional BOFH-points you could always call your
upstream and claim one of the RFC1918-address-ranges as
the source of random DoS attacks. Then watch them spin
their wheels...
--
!Raised Tails! -:Tanuki:-
"OK Slutgirl - load the Quote Gun with Pansy Division and set the controls
for _Maximum Profanity_ - I'll distract them with these fishnets and this
pile of cheap lipgloss. Squidboy - your eyeliner needs touching up..."
Philip Armstrong
Garrett Wollman <wol...@lcs.mit.edu> wrote:
>(Hmmm. Wasn't 192.0.2/24 one Sun's old networks? The one that every
>machine came configured by default in?)
192.9.200.0 possibly?
Phil
--
http://www.kantaka.co.uk/ .oOo. public key: http://www.kantaka.co.uk/gpg.txt
Kai Henningsen
> In article <90l8zrv...@sunray1.nextra.no>,
> Stig Sandbeck Mathisen <s...@rlyeh.net> wrote:
> >to...@cugc.org (Lurking Girl) writes:
> >
> >> One of the many reasons I hate doing postmaster stuff: trying to
> >> explain to rabid idiots (many of whom claim to be sysadmins/network
> >> engineers/etc.; or, Cthulhu love us, postmasters) that any ankle-
> >> biting moron, including themselves, can easily forge a From:
> >> address.
> >
> >I usually tell them "Do not believe any mail header". I really should
> >add "unless I tell you to".
>
> You seem to be operating under the misapprehension that the ravening
> hordes who call themselves anti-spammers listen to reason. If you
> answer a complaint with anything but "yep, that account is toast", you
> are _obviously_ a spammer sympathizer. :-/
I haven't got a complaint yet over "no such account ever existed; in fact,
"fadeke" is obviously a pun on "faked". It never passed our machines, as
you can easily see from the headers".
Kai
--
http://www.westfalen.de/private/khms/
"... by God I *KNOW* what this network is for, and you can't have it."
- Russ Allbery (r...@stanford.edu)
sau...@idx.com.au
> Lionel <n...@alt.net> writes:
>
> > Well, I often CC the complaint to the admin of the first hop outside
> > the culprit's domain, on the basis that very few[1] spammers are
> > multihomed.
>
> That's different. If you CC it to postmaster, hostmaster, root,
> admin, abuse, and any technial and administrative contact person you
> can find, for _every_ step on the traceroute, starting with your own
> ISP, then shame on you.
I got a complaint from an idiot yesterday asking why we didn't list
"technical contact information" on our webpages. Me telling him
that the suite of RFC-mandated addresses was supported got a response
to the effect of "why should I have to look up the RFC?"
That mail is going into my personal kook archives.
Saundo
--
Chris "Saundo" Saunderson sau...@idx.com.au
Unix Guy Powered by Linux and the Orb.
Kirrily 'Skud' Robert
>
>[1] Chuckmail is a direct line to /dev/null. Therefore, whilst you may be
>able to spam Lord Lucan, Shergar and Elvis, you can't spam anyone who might
>give a flying fsck through it.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Riiiight.
K.
--
Kirrily 'Skud' Robert - sk...@infotrope.net - http://infotrope.net/
Is it weird in here, or is it me?
Måns Nilsson
>My condolances.
OTOH I get to write things like these officially. Some relief is gotten
from this LARTing, at least.
"You are in extreme error. You should not try to hide your incompetence
in spamstomping behind indignated utterings. I would gladly help you in
tracking this spammer down, could you only provide me with the relevant
information, even if it is not my work to do so (and that is a fact,
mind you.). However, given just a mail adress I can do no more than
assume that it was forged, and let it be. You must understand that I need
something to work with if I am to be able to help you in this matter. If
you are able to extract more information from your email program than
just the (probably forged) email adress please send it to me. If not,
I would appreciate if this communication could be suspended until you
have gained sufficent clue."
This particular luser has been quiet since.
--
Måns Nilsson MN1334-RIPE
http://vvv.besserwisser.org GSM 070 9174840
Lionel
skud+...@infotrope.net (Kirrily 'Skud' Robert) said:
>In article <slrn8u18c...@localhost.localdomain>, Dan Holdsworth wrote:
>>
>>[1] Chuckmail is a direct line to /dev/null. Therefore, whilst you may be
>>able to spam Lord Lucan, Shergar and Elvis, you can't spam anyone who might
>>give a flying fsck through it.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
>Riiiight.
Mommmmmmeeeeeeee! - She's baaaaaack!
Matthew Crosby
>Alan Bellingham <al...@lspace.org> wrote:
>>ab...@icann.org recently received this:
>
>>>[RFC 1918 private networks] They are showing up in the public
>>>Internet. You are listed as the organization in charge of these
>>>addresses and they are being used to send out spam, that is why I
>>>have brought them to your attention.
>
>or statistics like these:
>
> deny ip 192.0.2.0 0.0.0.255 any (71 matches)
> deny ip 10.0.0.0 0.255.255.255 any (416369 matches)
> deny ip 172.16.0.0 0.15.255.255 any (362917 matches)
> deny ip 192.168.0.0 0.0.255.255 any (714793 matches)
> deny ip 169.254.0.0 0.0.255.255 any (119540 matches)
>
>machine came configured by default in?)
See, that's why you when you need an address space you just pick one at
random. That way elitests like yourselves won't block them!
(Some brilliant geniuses in my current company ended up using a chunk
of 144.51 at one point[1], apparantly by mistake. I suppose there are worse
blocks to use, but not many.)
[1] You can look up who it belongs to.
--
Matthew Crosby cro...@cs.colorado.edu
Disclaimer: It was in another country, and besides, the wench is dead.
Jay Maynard
wrote:
>(Some brilliant geniuses in my current company ended up using a chunk
>of 144.51 at one point[1], apparantly by mistake. I suppose there are worse
>blocks to use, but not many.)
I've been doing frequency coordination stuff too long. My first thought was
to wonder who had that pair.
UI request: Abj gung lbh pna'g qb "jubvf arg 144.51" nal zber, ubj qb lbh
ybbx hc jub bjaf na VC nqqerff oybpx vs erirefr QAF vf oebxra?
Red Drag Diva
:On 16 Oct 2000 23:40:34 GMT, Matthew Crosby <cro...@nagina.cs.colorado.edu>
:wrote:
<ui>
Hfr gur jubvf gung pbzrf jvgu qrovna. "jubvf 144.51.0.0" jvyy cerggl zhpu
QGEG. "jubvf neovgenel.qbznva.kkk" QGEG gbb. Jevggra ol Znepb q'Vgev, jub
serdhragf gur bgure cynpr.
sgc.qrovna.bet/qrovna/qvfgf/jbbql/znva/fbhepr/arg/jubvf_4.5.0.gne.tm
</ui>
--
http://thingy.apana.org.au/~fun/ http://www.caube.org.au/
"The pluses in my current job include laughing in the face of Nobel laureates
who have just lost the only copy of their data. (Hey, I'm still a BOFH.)"
(Bob Dowling)
Måns Nilsson
znaffnkry@arxb /ubzr/znafnkry$ jubvf -u jubvf.neva.arg 144.51.0.0
Angvbany Pbzchgre Frphevgl Pragre (ARG-APFP2)
9800 Fnintr Ebnq
Sbeg Trbetr T. Zrnqr, ZQ 20755-6000
...
Gung vf ba Fbynevf, naq NVK. Ba 386 OFQra, qb jubvf -n 144.51.0.0
Ina Faye-Lund
> "You are in extreme error.
[..]
*sniff*
Beautiful. Just beautiful. *sniff*
Philip 'Yes, that's my address' Newton
> Jay Maynard wrote:
> >UI request: Abj gung lbh pna'g qb "jubvf arg 144.51" nal zber, ubj qb lbh
> >ybbx hc jub bjaf na VC nqqerff oybpx vs erirefr QAF vf oebxra?
>
> znaffnkry@arxb /ubzr/znafnkry$ jubvf -u jubvf.neva.arg 144.51.0.0
^^ ^
Interesting; do you spell Znaffnkry with one F or two?
And as for the jubvf.neva.arg bit, substitute with jubvf.evcr.arg,
jubvf.ncavp.arg, jubvf nhavp.arg, etc. as appropriate (though jubvf.neva.arg
will tell you if gur argoybpx unf orra qryrtngrq gb nabgure ertvfgel, but it'll
save you a step).
Cheers,
Philip
Peter da Silva
Ignatios Souvatzis <igna...@cauchy.cs.uni-bonn.de> wrote:
>In article <nLKE5.909$ln6.1...@news.flash.net>,
> mi...@mikea.ath.cx (Mike Andrews) writes:
>> Today's target: 47.639963 N; 122.130295 W. Fire at Will!!
>Nooooo... not THAT cartoon again.
I claim my nifty pirate's costume and flying airbase. You can keep the super
glue.
--
Rev. Peter da Silva, ULC. WWFD?
"Be conservative in what you generate, and liberal in what you accept"
-- Matthew 10:16 (l.trans)
Peter da Silva
addresses. This range is separate from the private addresses, and they
are intended for even more private use... to be precise, for use between
computers on a LAN or point-to-point link. They are not to be routed
anwhere. If you are going to build a communication protocol between two
directly connected devices these are the address ranges you're supposed
to use.
Microsoft Windows knows about and uses these. Very good, Microsoft, that's
the right thing to do.
Microsoft ActiveSync doesn't. Instead it seems to arbitrarily pick
192.168.55/24.
Guess what happens if you're already using that address space?
Jan Ingvoldstad
> Guess what happens if you're already using that address space?
*BPWAaaoohhuuuuwww....*
--
ASR: We took both pills.
Robert Moir
@citadel.in.taronga.com>:
>There exists an RFC describing what are known as "link local" network
>addresses. This range is separate from the private addresses, and they
>are intended for even more private use... to be precise, for use between
>computers on a LAN or point-to-point link. They are not to be routed
>anwhere. If you are going to build a communication protocol between two
>directly connected devices these are the address ranges you're supposed
>to use.
>
>Microsoft Windows knows about and uses these. Very good, Microsoft, that's
>the right thing to do.
>
>Microsoft ActiveSync doesn't. Instead it seems to arbitrarily pick
>192.168.55/24.
>
>Guess what happens if you're already using that address space?
>
You do know you can change this right? (Not like that excuses getting it
wrong in the first place I know, but)
Ba gur unaquryq crrprr guvatl vgfrys, fgneg zrah, frggvatf, pbaarpgvbaf
gno. bcra "CP" naq pyvpx nqinaprq, gura tb gb GPC/VC gno. Zhggre fbzr zber
nobhg guvatf jura lbh frr lbhe uhapu vf pbeerpg. Rqvg gur qnza guvat gb
fbzr fnsr nqqerff. Pyvpx BX.
Rob
frank paulsen
> Microsoft ActiveSync doesn't. Instead it seems to arbitrarily pick
> 192.168.55/24.
>
> Guess what happens if you're already using that address space?
Nothing serious?
--
frobnicate foo
Alistair J. R. Young
Peter da Silva <pe...@taronga.com> praised Shub-Internet thus:
[link-local addresses]
> Microsoft Windows knows about and uses these. Very good, Microsoft, that's
> the right thing to do.
> Microsoft ActiveSync doesn't. Instead it seems to arbitrarily pick
> 192.168.55/24.
> Guess what happens if you're already using that address space?
A very similar thing to what happens when you dial into an ISP who
issue addresses in 172.16/16 to the poor hapless bastards stuck with
them?
Alistair
--
Computational Thaumaturge, Deus Machinarum. -- Cerebrate of the Silicon Swarm.
e-mail: avata...@arkane.demon.co.uk WWW: http://www.arkane.demon.co.uk/
"I stopped at Land's End, because to go any further would have been Scilly."
-- Robert Billing