Bellglobal -- UDP or De-peering?
Lysander Spooner
Can we find a Canadian judge who will issue a restraining order
forbidding any Bellglobal employee from ever coming within 50 meters
of a newsserver -- after sending in a Mountie with wire-cutters to fix
the problem?
There isn't a single functioning brain cell in that whole fucking
organization.
-- Rick
------------
** Hot lead enemas, maybe? **
Rich Sauers
wrote:
>I vote for BOTH!
Had a policy of UDP'ing sites with open news servers been in place, a UDP
would have begun days (weeks?) ago.
That said, UDP now.
We can't wait until the bumbling imcompetents at Bell Global Solutions take
the courses "The ABC's of News Servers" and "How to Configure Your News
Server".
Rich.
Rich Sauers
>Rich Sauers wrote on Sun, 03 Jan 1999 19:05:57 GMT:
>
>> Had a policy of UDP'ing sites with open news servers been in place, a UDP
>>would have begun days (weeks?) ago.
>
>How many would want to keep up with such a UDP list that would change
>daily and would consist of hundreds of entries?
Bellglobal.com has had *days* in which to secure their news server.
Given the rather high probability that bellglobal.com is very much aware
that this has resulted in numerous newsgroups being flooded with "superseded"
messages.
There was some talk awhile back that any ISP whose news server was open and
subsequently used for just this type of abuse would be immediately subject to
a UDP.
News administrators supposedly read news.admin.net-abuse.usenet.
There is no excuse for "we didn't know?"
>> That said, UDP now.
Said one more time, UDP!
>> We can't wait until the bumbling imcompetents at Bell Global Solutions take
>>the courses "The ABC's of News Servers" and "How to Configure Your News
>>Server".
>
>Why do you focus so much of your attention in this incident on
>BellGlobal as compared to the amount of attention you have focused on
>BBN? Seems quite lopsided to me.
Between bellglobal.com (which provided an X-Trace header with the IP address
and exact time of posting) and bbn.com (which has the logs), these two
entities *must* work together to identify and prosecute the individual
responsible.
And then there's sk.sympatico.ca, which dumps their spam onto Usenet through
the news server of bellglobal.com, but that's a story for another time ...
Rich.
Russ Allbery
> Rich Sauers wrote on Sun, 03 Jan 1999 19:05:57 GMT:
>> Had a policy of UDP'ing sites with open news servers been in place, a
>> UDP would have begun days (weeks?) ago.
> How many would want to keep up with such a UDP list that would change
> daily and would consist of hundreds of entries?
*raises hand* I'll happily passively UDP any open server by aliasing them
out. I'm doing that already. If I telnet to port 119 of a server and can
post through it (and it's not one of a small handful of customer support
sites that both know how to control abuse and that are legitimately
propagating their articles to the rest of Usenet), I path alias it. In
the case of standalone customer support servers, no harm done, since they
aren't intentionally propagating their posts to the rest of Usenet anyway.
> Why do you focus so much of your attention in this incident on
> BellGlobal as compared to the amount of attention you have focused on
> BBN? Seems quite lopsided to me.
BellGlobal is responsible for introducing the articles into Usenet.
--
Russ Allbery (r...@stanford.edu) <URL:http://www.eyrie.org/~eagle/>
Russ Allbery
> And then there's sk.sympatico.ca, which dumps their spam onto Usenet
> through the news server of bellglobal.com, but that's a story for
> another time ...
The kindest thing that you can say about sympatico as a whole is that it's
a tangled administrative disaster.
Rich Sauers
>Rich Sauers wrote on Sun, 03 Jan 1999 21:25:50 GMT:
>
>> Between bellglobal.com (which provided an X-Trace header with the IP address
>>and exact time of posting) and bbn.com (which has the logs), these two
>>entities *must* work together to identify and prosecute the individual
>>responsible.
>
>ISP's don't prosecute anyone; that's up to a District Attorney,
Playing semantics I see ... how does "file a civil lawsuit" sound?
>and
>anyway that doesn't explain your current frustration/obsession with
>BellGlobal.
Obsession? Tell me, what is the BI for the messages spewing out of that
news20.bellglobal.com news server? Did it surpass the gazillion threshold
yet?
>You got the Hackensack address and the posting times,
>so BellGlobal has worked to identify the perp as you said it should...
>but enough about them; if they want to give away their services to the
>world it's their money. Meanwhile, if the BBN account is dead then
>just maybe someone got nicked in the wallet where it counts.
If? Tell me?
My e-mail to sup...@bbn.com a few days ago was bounced back because bbn.com
doesn't even maintain a support e-mail address.
Rich.
Russ Allbery
> Then how are you reading my messages here? Every time I post to this
> group I use a different open server; there has never been any scarcity
> of them. You haven't been keeping up if you can read this.
That's very true. I also haven't been trying all that hard. As part of a
cooperative effort, if something like that gets off the ground, I'd be
willing to try harder.
> Are you really going to alias out WCG.net?
Currently connections for me time out. If I could connect to the server
and be able to post without authentication, yes, I would, unless I know
that the people running that server have some measure in place to prevent
it from being abused. I think it's a fairly safe bet that if a server is
open, it's (a) unintentional and (b) going to become a source of either
spam or HipCrime abuse in the very near future. There may be 1% or so
that don't fall into those categories.
> And has been correctly stamping the real posting host on all of them.
BellGlobal is responsible for allowing the posts to be introduced into the
public Usenet. The buck stops there. I don't care what goes on on
private networks; the person responsible for injecting the trash into the
public Usenet is the person who gets to fix it or be passively UDPed.
Russ Allbery
> My e-mail to sup...@bbn.com a few days ago was bounced back because
> bbn.com doesn't even maintain a support e-mail address.
Yes, they do. That's just not it.
Why are you mailing support rather than abuse, anyway? support is
generally for customers.
Rich Sauers
>And has been correctly stamping the real posting host on all of them.
>I realize that the war is fought on all fronts, but the case could be
>made that BellGlobal, by stamping the real posting host and x-trace
>headers, has fulfilled its responsibility to the Usenet community 100%
>in this matter.
Nope. Bellglobal.com is responsible for injecting thousands upon thousands
into Usenet. That is not something that an ISP/network provider does to the
"community".
>Is the BBN Hackensack account dead or not?
Don't know. Do you?
>If it is,
>then why is there all this continued thrashing around here about not
>being able to close one open news server out of the many that could
>have been used?
All open news servers pose a significant security risk to the "community".
All ISPs running closed news servers should be actively shunning them.
Rich.
Rich Sauers
>Rich Sauers <rsa...@enter.net> writes:
>
>> My e-mail to sup...@bbn.com a few days ago was bounced back because
>> bbn.com doesn't even maintain a support e-mail address.
>
>Yes, they do. That's just not it.
>
>Why are you mailing support rather than abuse, anyway? support is
>generally for customers.
It seems that abuse@* e-mail addresses aren't read until days after the
"event"; support@* e-mail addresses just might get to someone early and they
can notify the necessary personnel to correct problems in short order.
My thoughts anyway.
Rich.
Russ Allbery
> It seems that abuse@* e-mail addresses aren't read until days after the
> "event"; support@* e-mail addresses just might get to someone early and
> they can notify the necessary personnel to correct problems in short
> order.
> My thoughts anyway.
I think someone else already said that BBN's aware of the problem and is
running into the contractual obligation to customer thing, preventing them
from just turning the idiot off. Although it looks like it's slowed down
despite the fact that the last time I checked, the server was still open.
r...@netgate.net
>I vote for BOTH!
Probably have to be UDP: gonna be kinda tough to persuade people to
de-peer the phone company...
>There isn't a single functioning brain cell in that whole fucking
>organization.
That does seem to be the case. Lest anyone think you're being overly
harsh on someone getting victimized over the long holiday weekend:
these are the very same folks who allowed spamzilla to spew hundreds of
megabytes of ads for its new "jam.net" front through yet another open
server, while they spent about a month trying to figure out how to
secure it.
In fact, iirc, that server was used for some HC attack(s), as well.
Ran
Douglas Mackall
rsa...@enter.net says...
> On Sun, 03 Jan 1999 19:00:30 GMT, buch...@cybernex.net (Lysander Spooner)
> wrote:
>
> >I vote for BOTH!
>
> would have begun days (weeks?) ago.
> We can't wait until the bumbling imcompetents at Bell Global Solutions take
> the courses "The ABC's of News Servers" and "How to Configure Your News
> Server".
>
>
I've had them under partial UDP for a couple of days already.
I have no problem at all in expaning it until they plug the hole.
--
SubGenius Police, Usenet Tactical Unit (Mobile), aka S.P.U.T.U.M.
Unit C: "Thou Shalt Not Pass Light Speed!"
The Eternally Recondite Master Interdictor, Network Attack Legion(TERMINAL)
http://www.sputum.com/
Copyright 1999, Douglas E. Mackall
All Rights Reserved
Russ Allbery
> Path: news-feed.inet.tele.dk!bofh.vszbr.cz!news.maxwell.syr.edu
> !news-nyc.telia.net!newsfeed.nyu.edu!newsfeed.gol.com!wnoc-tyo-news
> !titech.ac.jp!ctrl.titech.ac.jp!thaigate.rd.nacsis.ac.jp!afn.org
> !news.ibm.net!forums.borland.com!news1.ntr.net!aol.com!hans0n399
> I can't even be bothered to figure out the open server in that list...
> I'm just gonna pathalias the obvious incorrect entry that I'd know about
> (on this server - I cant get to my work boxes from here without dropping
> this dial session)
Oh, that one. I'd already gotten rid of it, but for the record, the path
matches here up to afn.org, and then it diverges badly. afn.org is not
obviously open, however.
Keith Hermansader
I don't see any of the .jp sites in the paths coming into me.. what I
do see from the path is another wide open server:
$ telnet forums.borland.com 119
Trying 207.105.83.40...
Connected to forums.borland.com.
Escape character is '^]'.
200 forums.borland.com Netscape-Collabra/3.52 17222 NNRP ready (posting
ok).
in the 10 minutes since aliasing out this site I have over 800
rejections.
-keith
--
if($user eq "keith") {($email) = "$user\@hermansader.org"};
Russ Allbery
> I don't see any of the .jp sites in the paths coming into me.. what I
> do see from the path is another wide open server:
> $ telnet forums.borland.com 119
It only carries Borland groups, none of which were in the crosspost. I
suppose there could be more going on than I can figure out, but that part
looked like a preload to me.
Phluffy the Phalse Phake Phuzzy Phorging Ph^Hedophile
> I think someone else already said that BBN's aware of the problem and is
> running into the contractual obligation to customer thing, preventing them
> from just turning the idiot off. Although it looks like it's slowed down
> despite the fact that the last time I checked, the server was still open.
Slowed down? From where I'm sitting, it's just started up again,
with what appear to be severely bogus date headers, and without
doing any research, I'll guess it's being injected at one of these
Japanese sites (could be wrong).
Also, as I compare different articles as they come in, an X-Trace
header has just appeared with bogus information, different between
different posts even...
Path: news-feed.inet.tele.dk!bofh.vszbr.cz!news.maxwell.syr.edu!news-nyc.telia.net!newsfeed.nyu.edu!newsfeed.gol.com!wnoc-tyo-news!titech.ac.jp!ctrl.titech.ac.jp!thaigate.rd.nacsis.ac.jp!afn.org!news.ibm.net!forums.borland.com!news1.ntr.net!aol.com!hans0n399
Message-ID: <gbXgJmBsRjBmjFZ.ncDqS...@ng60.aol.com>
Date: 2 Jan 1999 04:58:54 GMT
X-Trace: news1.ntr.net (sheridan)
Begin ROT-15 Encoded Message
Date: 2 Jan 1999 05:10:08 GMT
Message-ID: <xdUB9jl1i.bNkwwGu...@aist.net>
NNTP-Posting-Host: pppa63-hackensackb4-3r459.saturn.bbn.com
X-Trace: 2 Jan 1999 05:10:11 GMT, 151.0.83.91
X-Trace: news1.ntr.net (sheridan)
Message-ID: <gJzrbhGD.RLV7o2...@news.inreach.com>
X-Trace: 2 Jan 1999 04:34:53 GMT, 32.24.234.161
X-Trace: news1.ntr.net (sheridan)
It could also be that these articles have gotten backlogged somewhere
along the way. I dunno. I haven't been paying attention.
Don't ask me the significance of the current apparent target:
Reply-To: sher...@ntr.net (Eric David McDonald)
(and in other headers as well)
Guess I'm not a PEDOPHILE any longer. *sigh* UDP BBN!!! UDP BBN!@!1!
John Payne
>On 3 Jan 1999, Russ Allbery wrote:
>
>> I think someone else already said that BBN's aware of the problem and is
>> running into the contractual obligation to customer thing, preventing them
>> from just turning the idiot off. Although it looks like it's slowed down
>> despite the fact that the last time I checked, the server was still open.
>
>Slowed down? From where I'm sitting, it's just started up again,
>with what appear to be severely bogus date headers, and without
>doing any research, I'll guess it's being injected at one of these
>Japanese sites (could be wrong).
>
>Also, as I compare different articles as they come in, an X-Trace
>header has just appeared with bogus information, different between
>different posts even...
>
>Path: news-feed.inet.tele.dk!bofh.vszbr.cz!news.maxwell.syr.edu!news-nyc.telia.net!newsfeed.nyu.edu!newsfeed.gol.com!wnoc-tyo-news!titech.ac.jp!ctrl.titech.ac.jp!thaigate.rd.nacsis.ac.jp!afn.org!news.ibm.net!forums.borland.com!news1.ntr.net!aol.com!hans0n399
I can't even be bothered to figure out the open server in that list...
I'm just gonna pathalias the obvious incorrect entry that I'd know about
(on this server - I cant get to my work boxes from here without dropping
this dial session)
--
John Payne http://www.sackheads.org/jpayne/ jo...@sackheads.org
Sarcasm by request Fax: +44 870 0547954
My mail provider doesn't welcome UBE - http://www.sackheads.org/uce/
Phluffy the Phalse Phake Phuzzy Phorging Ph^Hedophile
> >Path: news-feed.inet.tele.dk!bofh.vszbr.cz!news.maxwell.syr.edu!news-nyc.telia.net!newsfeed.nyu.edu!newsfeed.gol.com!wnoc-tyo-news!titech.ac.jp!ctrl.titech.ac.jp!thaigate.rd.nacsis.ac.jp!afn.org!news.ibm.net!forums.borland.com!news1.ntr.net!aol.com!hans0n399
>
> I can't even be bothered to figure out the open server in that list...
> I'm just gonna pathalias the obvious incorrect entry that I'd know about
HEY!!!@!!! bofh.vszbr.cz is a LEGITIMATE ENTRY DAMMIT!!!1!!
Are you seeing these? I'm not, I have to go hunt them down when
they start cluttering up my logs. If you are, then watch your
mailbox for an incoming datagram.
> (on this server - I cant get to my work boxes from here without dropping
> this dial session)
The fascist paranoid security people got you tied down too?
Well, tell you what, we'll get together one of these days
and REVOLT! THE NEWSADMINS ARE REVOLTING !!!
Rich Sauers
>Rich Sauers wrote on Sun, 03 Jan 1999 23:40:40 GMT:
>
>>On Sun, 03 Jan 1999 22:56:58 GMT, bhk...@gj.net (Brian Kraft) wrote:
>
>>>Is the BBN Hackensack account dead or not?
>>
>> Don't know. Do you?
>
>I know that someone may have pushed the right button somewhere:
>
>:Scott R. Keszler
>:From: kes...@rrnet.com
>:Date: [1999/01/02]
>:Subject: Re: latest spew source: bellglobal.com
>:Newsgroups: news.admin.net-abuse.email
>:Message-ID: <76kgnf$g...@enews1.newsguy.com>
>
>:And bbn.com (GTE) already had a ticket open regarding this - 320888.
>:They claim its a "Priority One Security Issue".
>
>http://search.dejanews.com/msgid.xp?MID=%3c76kgnf$g...@enews1.newsguy.com%3e
Thanks. That bit of news is not on my ISPs server for whatever reason.
>Of course, it's the old whack-a-mole game either way, but where is the
>most effective pressure point? Open servers are free and plentiful,
>while throw-away accounts cost more time and (usually) money.
>I'm certainly not against alerting news admins to what they would view
>as a security problem, but I looked at these nana groups and saw a lot
>of complaining about BellGlobal and very little complaining about BBN,
>and I wondered why.
Bellglobal.com has a security problem, an open server.
Bnn.com has a spammer (and probably a whole lot more given the nature of the
"substantively identical" nature of the messages) problem.
Rich.
John Payne
>HEY!!!@!!! bofh.vszbr.cz is a LEGITIMATE ENTRY DAMMIT!!!1!!
For varying terms of legitimate ;-)
>Are you seeing these? I'm not, I have to go hunt them down when
>they start cluttering up my logs. If you are, then watch your
>mailbox for an incoming datagram.
Unfortunately, yes... my work boxen are slipping out of my hands
as I move towards routing to continue my "technical roundness" (my
manager's words... I was wondering if he was gonna add: "to match
your physical roundness") - and I haven't kicked my replacement yet.
This server I hadn't done, because its pretty much only me and
(possibly 2 others... Brian, Tim?) who are reading the groups that
are suffering this. Besides, once the work boxes are strapped down
I probably won't see them anyway.
Thanks for the inbox clue tho... 1st thing in the morning I'll be
explaining what it means to the new guy.
>The fascist paranoid security people got you tied down too?
Sort of... I just haven't bothered putting my static IP in the
acl's... the facist paranoid security people don't have /that/
much access to my boxen ;-)
>Well, tell you what, we'll get together one of these days
>and REVOLT! THE NEWSADMINS ARE REVOLTING !!!
But then a couple of people have told me that already
Rich Sauers
>Rich Sauers wrote on Sun, 03 Jan 1999 23:25:25 GMT:
>
>> Obsession? Tell me, what is the BI for the messages spewing out of that
>>news20.bellglobal.com news server? Did it surpass the gazillion threshold
>>yet?
>
>Unlike advertising spam messages, BI is of no use here. Just as soon
>as a BI can be measured, a vandalbot can be re-programmed to vary what
>ever needs to be varied to escape BI detection. BI doesn't have
>anything to do with whether a server is open or not; the same
>vandalbot spew could have come from a closed news server.
That was just an analogy to demonstrate that bbn.com has a big problem on
their hands when their subscriber(s) abuse Usenet to this extent.
Rich.
Phluffy the Phalse Phake Phuzzy Phorging Ph^Hedophile
> > Path: news-feed.inet.tele.dk!bofh.vszbr.cz!news.maxwell.syr.edu
> > !news-nyc.telia.net!newsfeed.nyu.edu!newsfeed.gol.com!wnoc-tyo-news
> > !titech.ac.jp!ctrl.titech.ac.jp!thaigate.rd.nacsis.ac.jp!afn.org
> > !news.ibm.net!forums.borland.com!news1.ntr.net!aol.com!hans0n399
>
> > I can't even be bothered to figure out the open server in that list...
>
> Oh, that one. I'd already gotten rid of it, but for the record, the path
> matches here up to afn.org, and then it diverges badly. afn.org is not
> obviously open, however.
Well, I probably shouldn't do this, but the latest messages just in
seem to be coming from elsewhere, so anyone who is trying to rely on
pathhost shunning is going to have a bit of difficulty without giving
up and aliasing out the real legitimate sites that our Pet Vandal
probably wants to get widely passively UDPed.
Without comment,
Path: news-feed.inet.tele.dk!bofh.vszbr.cz!newspeer.monmouth.com!newsfeed.cwix.com!128.174.5.49!vixen.cso.uiuc.edu!afn.org!news.ibm.net!forums.borland.com!news1.ntr.net!primenet.com!hbae
Newsgroups: soc.culture.thai,news.software.nntp,alt.god.grubor,news.admin.net-abuse.usenet,comp.dcom.net-analysis
Date: 4 Jan 1999 05:36:58 GMT
[ isn't that like, later? oops, I said I wouldn't comment ]
Message-ID: <owbGuRjMGYWN.Jb3...@nnrp03.primenet.com>
NNTP-Posting-Host: jaka.ece.uiuc.edu
X-Trace: 4 Jan 1999 05:37:01 GMT, 68.206.231.154
NNTP-Proxy-Relay: afn23950.afn.org
X-NNTP-Posting-Host: afn23950.afn.org
X-Trace: news1.ntr.net (sheridan)
Author: tski...@uiuc.edu (Tim Skirvin, Jr.)
Apart from alt.god.grubor, none of these groups require moderator
approval. And the listed Hosting-Post is a Linux box, not a WinGate.
Now, if these times are correct, I need to be heading home soon...
Jeremy
> I think someone else already said that BBN's aware of the problem and is
> running into the contractual obligation to customer thing, preventing them
> from just turning the idiot off. Although it looks like it's slowed down
> despite the fact that the last time I checked, the server was still open.
If BBN is so amazingly, unbelievably incompetent that they locked
themselves into a position where they can't cut off someone who is
generating huge amounts of spam, then perhaps they need to be cut
off themselves.
I suppose dropping my peering with them wouldn't do much good,
unfortunately.
--
Jeremy | jer...@exit109.com
"The sky would not fall if an American President spoke the truth."
--Ronald Reagan
r...@netgate.net
>You got the Hackensack address and the posting times,
>so BellGlobal has worked to identify the perp as you said it should...
And your evidence of this is? There is absolutely no reason to give
*any* credibility to anything except the leading part of the Path line
in the header of an article posted through an open server, unless and
until someone comes up with some reason to believe that the server's
software precludes the forgery of some part(s).
>but enough about them; if they want to give away their services to the
>world it's their money.
No, it's not: they're also giving away the money spent on the tens of
thousands of other servers around the world. And the time and/or money
of the millions of individuals whose communications are being disrupted
by the results of their complete lack of responsibility.
Ran
Phluffy the Phalse Phake Phuzzy Phorging Ph^Hedophile
> > I don't see any of the .jp sites in the paths coming into me.. what I
> > do see from the path is another wide open server:
> > $ telnet forums.borland.com 119
>
> It only carries Borland groups, none of which were in the crosspost. I
> suppose there could be more going on than I can figure out, but that part
> looked like a preload to me.
In this case, there's nothing fishy, it's a preload. Look for the
message on the suspect site, and check the path if present.
Path: news-feed.inet.tele.dk!bofh.vszbr.cz!newspeer.monmouth.com!newsfeed.cwix.com!128.174.5.49!vixen.cso.uiuc.edu!afn.org!news.ibm.net!forums.borland.com!news1.ntr.net!aol.com!janmor823
Message-ID: <beaKHgZcgRGssITN.DD...@ng-cf1.aol.com>
ne...@news-feed.inet.tele.dk:/news/spool/out>telnet forums.borland.com. 119
Trying 207.105.83.40...
Connected to forums.borland.com.
Escape character is '^]'.
200 forums.borland.com Netscape-Collabra/3.52 17222 NNRP ready (posting ok).
head <beaKHgZcgRGssITN.DD...@ng-cf1.aol.com>
430 No such article
quit
205
Connection closed by foreign host.
Further, I believe that news.ibm.net, like bofh.vszbr.cz, is a
pseudosite that only appears separate from its related swervers
when it's been preloaded like here. Unless that's not true for
the US news machines, I know it's true for the UK and DE IBM
Swerveren.
I'm still puzzling a bit over this massage, but I'm not going to
worry about it much since I can't see it.
brian moore
> worry about it much since I can't see it.
Look for this site:
NNTP-Proxy-Relay: afn23950.afn.org
X-NNTP-Posting-Host: afn23950.afn.org
That smells funny to me, though it has no DNS entry by that name.
My bet is someone is running an open proxy somewhere at afn.org.
--
Brian Moore | "The Zen nature of a spammer resembles
Sysadmin, C/Perl Hacker | a cockroach, except that the cockroach
Usenet Vandal | is higher up on the evolutionary chain."
Netscum, Bane of Elves. Peter Olson, Delphi Postmaster
Fluffy
> On Mon, 4 Jan 1999 05:16:56 +0100,
> Phluffy the Phalse Phake Phuzzy Phorging Ph^Hedophile <flu...@vszbr.cz> wrote:
> > I'm still puzzling a bit over this massage, but I'm not going to
> > worry about it much since I can't see it.
>
> Look for this site:
>
> NNTP-Proxy-Relay: afn23950.afn.org
> X-NNTP-Posting-Host: afn23950.afn.org
>
> That smells funny to me, though it has no DNS entry by that name.
>
> My bet is someone is running an open proxy somewhere at afn.org.
Nope. Remember that Windigo character? That is/was her email address.
The ntr.net address in other headers also belongs/ed to one of the
alt.barney people.
It looks more like was being injected at UIUC through a proxy that
exits through jaka.ece.uiuc.edu, though it's not exactly obvious where
it's getting *in*.
--
"REMEMBER TO WATER YOUR CAMEL AT LEAST EVERY THREE
WEEKS OR IT WILL DIE!!!1!" -B. Eable
John Payne
>pseudosite that only appears separate from its related swervers
>when it's been preloaded like here. Unless that's not true for
>the US news machines, I know it's true for the UK and DE IBM
>Swerveren.
Actually, its not used at all by the ibm.net machines (or shouldn't be)
ibm.net is less typing for me ;-)
Arjan Hulsebos
>> !news-nyc.telia.net!newsfeed.nyu.edu!newsfeed.gol.com!wnoc-tyo-news
>> !titech.ac.jp!ctrl.titech.ac.jp!thaigate.rd.nacsis.ac.jp!afn.org
>> !news.ibm.net!forums.borland.com!news1.ntr.net!aol.com!hans0n399
>
>> I can't even be bothered to figure out the open server in that list...
>> this dial session)
>
>matches here up to afn.org, and then it diverges badly. afn.org is not
>obviously open, however.
It's thaigate. Somebody care to sick Godzilla on 'em? I don't know
enough Japanese, unfortunately.
Arjan H
--
Disclaimer? Whaddayamean, disclaimer? This is 1998!
Arjan Hulsebos -- arj...@cs.vu.nl
For more info (last updated October 22,1998): finger -l arj...@top.cs.vu.nl
Albert Koellner
>
> In article <yl67an7...@windlord.stanford.edu>,
> Russ Allbery <r...@stanford.edu> wrote:
> >John Payne <john+...@sackheads.org> writes:
> >
> >> Path: news-feed.inet.tele.dk!bofh.vszbr.cz!news.maxwell.syr.edu
> >> !news-nyc.telia.net!newsfeed.nyu.edu!newsfeed.gol.com!wnoc-tyo-news
> >> !titech.ac.jp!ctrl.titech.ac.jp!thaigate.rd.nacsis.ac.jp!afn.org
> >> !news.ibm.net!forums.borland.com!news1.ntr.net!aol.com!hans0n399
> >
> >> I can't even be bothered to figure out the open server in that list...
> >> I'm just gonna pathalias the obvious incorrect entry that I'd know about
> >> (on this server - I cant get to my work boxes from here without dropping
> >> this dial session)
> >
> >Oh, that one. I'd already gotten rid of it, but for the record, the path
> >matches here up to afn.org, and then it diverges badly. afn.org is not
> >obviously open, however.
>
> It's thaigate.
Why? Yes it's an open server, but at least when I checked it shortly
after the attack it only had a few groups (mostly local ones).
> Somebody care to sick Godzilla on 'em? I don't know
> enough Japanese, unfortunately.
Albert
--
Sind Fremdcancels strafbar? -> http://www.tahina.priv.at/bincancel/
Heute mal Lust auf Zensur? -> http://www.hotline.ispa.at/
Andrew Gierth
Albert> Why? Yes it's an open server, but at least when I checked it
Albert> shortly after the attack it only had a few groups (mostly
Albert> local ones).
It only takes one postable group to launch a crossposted attack, on
most servers.
--
Andrew.
Albert Koellner
Ah, that's it. Now I know why soc.cultur.thai was included in the
supersedes, it's one of the few available groups on
thaigate.rd.nacsis.ac.jp
Phluffy the Phalse Phake Phuzzy Phorging Ph^Hedophile
> >Further, I believe that news.ibm.net, like bofh.vszbr.cz, is a
> >pseudosite that only appears separate from its related swervers
>
> Actually, its not used at all by the ibm.net machines (or shouldn't be)
> ibm.net is less typing for me ;-)
WELL EXCUSE ME FOR NOT KNOWING WHAT I'M TALKING ABOUT. Heck, just
!IBM!... would be still easier. Although it would be more appropriate
to use something like !EDB5CF01!PCSS/SPI2 FLDS/innd SIG/11 FLDS/_doprnt VALU/404 FLDS/ARTpost!DFHCC4B1!DISK_ERR1!IBM!...
That makes it easier, for those who are relying on pathhost shunning
in a vain effort to deal with this child's-play.
Oh, and watch your mail spool for another incoming datagram once I
get back from drinking beer.
Arjan Hulsebos
Albert Koellner <cr...@cryogen.com> wrote:
>Arjan Hulsebos wrote:
>>
>> It's thaigate.
>
>Why? Yes it's an open server, but at least when I checked it shortly
>after the attack it only had a few groups (mostly local ones).
That doesn't mean a thing, if you're allowed to x-post to other groups.
Tried it, but haven't seen it on my spool (yet?).
Albert Koellner
>
> In article <3690D42B...@cryogen.com>,
> Albert Koellner <cr...@cryogen.com> wrote:
> >Arjan Hulsebos wrote:
> >>
> >> It's thaigate.
> >
> >Why? Yes it's an open server, but at least when I checked it shortly
> >after the attack it only had a few groups (mostly local ones).
>
> That doesn't mean a thing, if you're allowed to x-post to other groups.
Yes. Our server doesn't allow cross-posts to unavailable groups, that
> Tried it, but haven't seen it on my spool (yet?).
Did the same. The articles were accepted, but didn't show up yet. Could
be that all messages from thaigate are already being dropped somewhere
in between.
Brian Edmonds
>> Further, I believe that news.ibm.net, like bofh.vszbr.cz, is a
>> pseudosite
Does that mean it would be reasonable to path alias news.ibm.net to
avoid some of these morons? :)
--
o Brian Edmonds <bedm...@cs.ubc.ca>, Team Jubal Mech Labs
\\_/\_, Moderator: rec.arts.anime.creative, rec.music.info/reviews
(*) (*) Are you tired of spam? Visit http://www.spam.abuse.net/spam/
Brian Edmonds
> Then how are you reading my messages here? Every time I post to this
> group I use a different open server; there has never been any scarcity
> of them.
My filter imposes a BI of 2 on known open servers, so your posts get
through fine, but spam is choked off ASAP. They also go under an
automatic dynamic UDP very easily, but as long as you're not posting
through an actively abused server, that won't hit you.
> Are you really going to alias out WCG.net?
I'd be happy to make sure they're in my open host database if you could
provide me with an actual hostname. I can't get a response out of the
usual permutations on that name. I'll certainly keep a closer eye on
your paths in the future. :)
Andrew Gierth
>> Are you really going to alias out WCG.net?
Brian> I'd be happy to make sure they're in my open host database if
Brian> you could provide me with an actual hostname. I can't get a
Brian> response out of the usual permutations on that name. I'll
Brian> certainly keep a closer eye on your paths in the future. :)
Um, what's hard about guessing this one?
$ telnet news.wcg.net 119
Trying 151.142.223.50...
Connected to news-reader2.wcg.net.
Escape character is '^]'.
200 Welcome to 'That Williams News Reader^2' - Fire All Phasers! (Typhoon v1.1.8)
post
340 Send Article to be Posted
.
441 Posting Failed (Article was Empty)
--
Andrew.
Russ Allbery
> Um, what's hard about guessing this one?
> $ telnet news.wcg.net 119
> Trying 151.142.223.50...
> Connected to news-reader2.wcg.net.
windlord:~> telnet news.wcg.net 119
Trying 151.142.220.10...
telnet: Unable to connect to remote host: Connection refused
Rich Sauers
>Andrew Gierth <and...@erlenstar.demon.co.uk> writes:
>
>> Um, what's hard about guessing this one?
>
>> $ telnet news.wcg.net 119
>> Trying 151.142.223.50...
>> Connected to news-reader2.wcg.net.
>
>windlord:~> telnet news.wcg.net 119
>Trying 151.142.220.10...
>telnet: Unable to connect to remote host: Connection refused
Newsgroups: alt.test
Subject: open news server
From: rsa...@enter.net (Rich Sauers)
Organization: Organized? At one time, but not now.
X-Newsreader: WinVN 0.99.9 (Released Version) (x86 32bit)
MIME-Version: 1.0
Content-Type: Text/Plain; charset=US-ASCII
Lines: 4
Message-ID: <t08k2.3$df2.57@WCG-Reader>
Date: Mon, 04 Jan 1999 18:46:49 GMT
NNTP-Posting-Host: 192.204.98.38
X-Trace: WCG-Reader 915475609 192.204.98.38 (Mon, 04 Jan 1999 12:46:49 CDT)
NNTP-Posting-Date: Mon, 04 Jan 1999 12:46:49 CDT
Path:
news3.enter.net!newsserver.jvnc.net!newshub.northeast.verio.net!newspeer.monmouth.com!
news.idt.net!WCG!WCG-Reader.POSTED!not-for-mail
Xref: news3.enter.net alt.test:1086003
test
open news server
news-reader2.wcg.net
Phluffy the Phalse Phake Phuzzy Phorging Ph^Hedophile
> Andrew Gierth <and...@erlenstar.demon.co.uk> writes:
> > Um, what's hard about guessing this one?
>
> > $ telnet news.wcg.net 119
> > Trying 151.142.223.50...
> > Connected to news-reader2.wcg.net.
>
> windlord:~> telnet news.wcg.net 119
> Trying 151.142.220.10...
> telnet: Unable to connect to remote host: Connection refused
Note the IP numbers...
I'm not sure how Andrew got the ...223.50 IP number, unless they
changed their DNS info recently, but the SOA doesn't indicate it.
I get a single host with Russ' IP address consistently...
(I do know they used to have an open reader box, though)
Mark Burkley
Strange. I get Andrew's address if I do a ping....
ping -a news.wcg.net
Pinging news-reader2.wcg.net [151.142.223.50] with 32 bytes of data:
>(I do know they used to have an open reader box, though)
Seems they still do....
Connected to news.wcg.net,119
200 Welcome to 'That Williams News Reader^2' - Fire All Phasers!
(Typhoon v1.1.8)
--
Mark Burkley -> mbur...@iol.ie
PGP Public Key -> http://www.iol.ie/~mburkley/pgp.html
News filter -> http://www.iol.ie/~mburkley/nfilter/nfilter.html
BLOATED BEER-BINGING BELLIGERENT BOHEMIAN BED-WARMER BARRY BOUWSMA BUSTS BRAINLESS BBN BANDITS
> On Mon, 4 Jan 1999 02:12:42 +0100, Phluffy the Phalse Phake Phuzzy Phorging Ph^Hedophile <flu...@vszbr.cz> wrote:
> >HEY!!!@!!! bofh.vszbr.cz is a LEGITIMATE ENTRY DAMMIT!!!1!!
>
> For varying terms of legitimate ;-)
Define `entry'.
> >Are you seeing these? I'm not, I have to go hunt them down when
>
> Unfortunately, yes... my work boxen are slipping out of my hands
Ah, so that explains everything, how suddenly I'm seeing no more
backlogs to you, and vastly improved performance overall. EXCEPT
FOR THE GODDAMN BOGUS RESPONSES YOU KEEP RETURNING THAT CAUSES OUR
SWERVER TO TOSS ITS COOKIES, which I'm sure is costing us more than
a few Freenix points. Furrfu.
Jan 4 21:16:11 news-feed innfeed[353]: ibm:4 cxnsleep unexpected streaming response for non-streaming connection: 239 <cancel.0401...@aegina.com>
Jan 4 21:16:20 news-feed innfeed[353]: ibm:3 cxnsleep unexpected streaming response for non-streaming connection: 239 <cancel.0901...@cotterel.net>
Jan 4 21:16:21 news-feed innfeed[353]: ibm:2 cxnsleep unexpected streaming response for non-streaming connection: 239 <cancel.0901...@tamein.com>
Jan 4 21:16:32 news-feed innfeed[353]: ibm:4 cxnsleep unexpected streaming response for non-streaming connection: 239 <cancel.0901...@lagger.com>
Jan 4 21:16:34 news-feed innfeed[353]: ibm:1 cxnsleep unexpected streaming response for non-streaming connection: 239 <cancel.0901...@behorror.net>
Are you trying to tell me I should alias out cyberspam? You know,
I really hope your replacement is processing NoCeMs, since
I can't scour your spool and see if it's any good or not.
> as I move towards routing to continue my "technical roundness" (my
Ah, so that explains everything, how my path to you now goes by way
of our thinnest and most expensive link to the US and then via a slow
satellite hop to somewhere in Asia before it takes a few more scenic
detours on its way to you.
> Thanks for the inbox clue tho... 1st thing in the morning I'll be
> explaining what it means to the new guy.
Just explain a bit about me and how I am a pedophile and all that
and watch as any futher clues get handled with the asbestos glove
treatment that they deserve straight to /dev/null which must be
immediately makedev'ed anew.
Andrew Gierth
>> > $ telnet news.wcg.net 119
>> > Trying 151.142.223.50...
>> > Connected to news-reader2.wcg.net.
>>
>> windlord:~> telnet news.wcg.net 119
>> Trying 151.142.220.10...
>> telnet: Unable to connect to remote host: Connection refused
Phluffy> Note the IP numbers...
Phluffy> I'm not sure how Andrew got the ...223.50 IP number,
DNS gave it to me; I didn't look to see where it was getting it from.
Could be a cacheing thing or some change in the data, I dunno.
Anyway, news-reader2.wcg.net is at 151.142.223.50, and appears to be
open.
--
Andrew.
BLOATED BELLIGERENT BOHEMIAN-BREW BEER-BINGING BED-WARMER BARRY BOUWSMA BUSTS BRAINLESS BBN BANDITS BIGTIME
> Phluffy> I'm not sure how Andrew got the ...223.50 IP number,
>
> DNS gave it to me; I didn't look to see where it was getting it from.
> Could be a cacheing thing or some change in the data, I dunno.
'Tis, and I just spent ten minutes learning that all my DNS
queries outside the local net from the machine outside the
firewall I was using are blocked, whilst from my cage, where
I have no access to whois and whatnot, I can get what I'm
looking for... *sigh* (sometimes I hate paranoid security
bastards)
> wcg.net
Server: ns3.inet.tele.dk
Address: 193.162.153.164
Non-authoritative answer:
wcg.net nameserver = NS.DIGEX.net
wcg.net nameserver = NS2.DIGEX.net
wcg.net nameserver = SECURIT.TWC.COM
[...]
> news.wcg.net
Server: SECURIT.TWC.COM
Address: 209.48.216.1
Non-authoritative answer:
Name: news-reader2.wcg.net
Address: 151.142.223.50
Aliases: news.wcg.net, news-reader.wcg.net
> news.wcg.net
Server: ns.digex.net
Address: 164.109.1.3
Non-authoritative answer:
Name: news-reader.wcg.net
Address: 151.142.220.10
Aliases: news.wcg.net
> news.wcg.net
Server: ns2.digex.net
Address: 164.109.10.23
Non-authoritative answer:
Name: news-reader.wcg.net
Address: 151.142.220.10
Aliases: news.wcg.net
That's how different people get different answers, as they
are rotated between the three nameswervers for the initial
query, only one of which gives the answer that works.
For the non-technical people out there whose eyes are sort of
glazing over now, I'll translate: something's b0rkened.
Rich Sauers
wrote:
>Anyway, news-reader2.wcg.net is at 151.142.223.50, and appears to be
>open.
I received an e-mail message from Jeff Mohler <gemo...@wcg.net> earlier
this afternoon informing me that news-reader2.wcg.net would be closed.
I haven't checked to see if it has been closed.
Rich.
John Payne
>On 4 Jan 1999, John Payne wrote:
>
>>
>> Actually, its not used at all by the ibm.net machines (or shouldn't be)
>> ibm.net is less typing for me ;-)
>
>WELL EXCUSE ME FOR NOT KNOWING WHAT I'M TALKING ABOUT. Heck, just
No, sorry... fluffy's are supposed to know everything dammit ;-)
>Oh, and watch your mail spool for another incoming datagram once I
>get back from drinking beer.
Received danke
Cheers
John
John Payne
>John Payne <john+...@sackheads.org> writes:
>avoid some of these morons? :)
Today, yes. Given the AT&T announcement, I'd *guess* that it'll be safe
tomorrow. But it took aaages to decide on ibm.net and not news.ibm.net,
so who can really tell?
That said, I'm shunning... but then I'll know if we change our minds ;-)
(at least I *hope* I will...)
John Payne
>Ah, so that explains everything, how suddenly I'm seeing no more
>backlogs to you, and vastly improved performance overall. EXCEPT
Erm, that may have something to do with replacing the passive 8228 token ring
(at 90% capacity) with a switched environment... although the server may just
be playing favourites with the new guy (who I suspect is feeding it chocolate
or alcohol when I'm not around)
>FOR THE GODDAMN BOGUS RESPONSES YOU KEEP RETURNING THAT CAUSES OUR
>SWERVER TO TOSS ITS COOKIES, which I'm sure is costing us more than
>a few Freenix points. Furrfu.
Dammit... to be fixed... honest
>Are you trying to tell me I should alias out cyberspam? You know,
>I really hope your replacement is processing NoCeMs, since
>I can't scour your spool and see if it's any good or not.
Nope.. its only refusing cancels for articles that cleanfeed rejected
>> as I move towards routing to continue my "technical roundness" (my
>
>Ah, so that explains everything, how my path to you now goes by way
>of our thinnest and most expensive link to the US and then via a slow
>satellite hop to somewhere in Asia before it takes a few more scenic
>detours on its way to you.
We do? Erk... can you drop a traceroute in my inbox pls?
Fluffy
> On Mon, 4 Jan 1999 12:53:53 +0100, Phluffy the Phalse Phake Phuzzy Phorging Ph^Hedophile <flu...@vszbr.cz> wrote:
> >WELL EXCUSE ME FOR NOT KNOWING WHAT I'M TALKING ABOUT. Heck, just
>
> No, sorry... fluffy's are supposed to know everything dammit ;-)
What? Why only today I learned that slrn considers Kitty-Pornographer:
to be worthy of inclusion amongst the default display headers.
> >Oh, and watch your mail spool for another incoming datagram once I
> >get back from drinking beer.
Oh yeah, and I also learned today that for over a month I've been
ditching your mail in with sundry bounces and notifications. I suppose
I should go and read them now, after I learn how to type.
John Payne
>Oh yeah, and I also learned today that for over a month I've been
>ditching your mail in with sundry bounces and notifications. I suppose
>I should go and read them now, after I learn how to type.
And I thought you just didn't like me ;-) Let me know if its anything
broken my way... one of the e-mail addresses in my header is slightly,
erm broken (you know, the header that most things use to bounce errors
to)
r...@netgate.net
>I realize that the war is fought on all fronts, but the case could be
>made that BellGlobal, by stamping the real posting host and x-trace
>headers, has fulfilled its responsibility to the Usenet community 100%
>in this matter.
Really? Let's see you try to make it.
>It's as if someone walking down the street gets hit by a Ford, and
>instead of writing down the license plate number the injured party
>writes letters to Dearborn demanding that they close the factory.
No, it's more like someone walking down the street getting hit by a
stolen bus and, instead of going to every parent of every teenager in
town to make sure they teach their kids not to steal buses, going to the
bus company and insisting that they put a lock on the storage yard gate
and not leave the ignition key in every bus.
Ran
Christopher Biow
>I think someone else already said that BBN's aware of the problem and is
>running into the contractual obligation to customer thing, preventing them
>from just turning the idiot off.
There needs to be a bound on this excuse. Something about mitigating but
not affecting guilt. Business contracts should and sometimes must be
broken. If they turn out to have granted the other party a "license to
steal", that's pretty well into the "must" category.
Now a court order requiring specific performance might get some degree of
sympathy. But not a stupidly conceived contractual obligation.
Arjan Hulsebos
Well, I could post on it a few minutes ago (that'd be about 09:20 GMT, Jan 5).
news-reader.wcg.net is indeed closed.
Arjan H
--
Disclaimer? Whaddayamean, disclaimer? This is 1999!
Arjan Hulsebos
>In article <36915032...@news.enter.net>,
>Rich Sauers <rsa...@enter.net> wrote:
>>On 04 Jan 1999 22:09:12 +0000, Andrew Gierth <and...@erlenstar.demon.co.uk>
>>wrote:
>>
>>>Anyway, news-reader2.wcg.net is at 151.142.223.50, and appears to be
>>>open.
>>
>> I received an e-mail message from Jeff Mohler <gemo...@wcg.net> earlier
>>this afternoon informing me that news-reader2.wcg.net would be closed.
>> I haven't checked to see if it has been closed.
>>
>>Rich.
>
>Well, I could post on it a few minutes ago (that'd be about 09:20 GMT, Jan 5).
>news-reader.wcg.net is indeed closed.
And the message I posted made it to my spool, as well as to the autoresponder.
Otmar Lendl
>
>Well, I could post on it a few minutes ago (that'd be about 09:20 GMT, Jan 5).
>news-reader.wcg.net is indeed closed.
At Tue Jan 5 14:28:26 UTC 1999, it's open.
/ol
--
/ Otmar Lendl (O.L...@Austria.EU.net) | Phone: +43 1 89933-0 (-533 fax) \
\ EUnet tech staff | Diefenbachgasse 35 A-1150 Wien /
Nico Kadel-Garcia
>Russ Allbery <r...@stanford.edu> wrote:
>
>>I think someone else already said that BBN's aware of the problem and is
>>running into the contractual obligation to customer thing, preventing them
>>from just turning the idiot off.
>
>There needs to be a bound on this excuse. Something about mitigating but
>not affecting guilt. Business contracts should and sometimes must be
>broken. If they turn out to have granted the other party a "license to
>steal", that's pretty well into the "must" category.
It didn't used to be a problem for them. Picture, if you will,
one of Cyberpromo's back-door network hookups getting a call from
BBN.
"Hello, this ISP-Sucker-Of-The-Day!"
"Hi, this is BBNplanet. We have a problem."
"What's up?"
"You've sold an IP address to Cyberpromo, number 10.0.0.0."
"Umm, let me check... No, that's for Sanford Wallace."
"Right. That's the head of Cyberpromo. We want you to disconnect
it now."
"But he's a customer, and he hasn't violated your AUP."
"He will. And you are violating ours by selling that connectivity
to him."
"I'll call our lawyer."
"No, you'll call your engineers first. Because my hand is on the cable
that connects you to our routers, and if you don't disconnect them
now, I will disconnect your site until further notice."
"Oh...."
It was *fun* passing along spam complaints to BBN where appropriate,
but with their purchase by GTE, expect some changes...
Cameron Kaiser
>>Well, I could post on it a few minutes ago (that'd be about 09:20 GMT, Jan 5).
>>news-reader.wcg.net is indeed closed.
>At Tue Jan 5 14:28:26 UTC 1999, it's open.
grue:/home/spectre/% telnet news-reader.wcg.net 119
Trying...
telnet: connect: A remote host refused an attempted connect operation.
grue:/home/spectre/% telnet news-reader2.wcg.net 119
Trying...
Connected to news-reader2.wcg.net.
Escape character is '^]'.
201 Welcome to 'That Williams News Reader^2' - Fire All Phasers! (Typhoon v1.1.8
mode reader
201 Welcome to 'That Williams News Reader^2' - Fire All Phasers! (Typhoon v1.1.8
post
440 Posting Not Allowed
cool!
500 Syntax Error or Unknown Command
quit
205 GoodBye
Connection closed.
grue:/home/spectre/% date
Tue Jan 5 07:48:36 PST 1999
--
Cameron Kaiser * cdkaiser.cris@com * powered by eight bits * operating on faith
-- supporting the Commodore 64/128: http://www.armory.com/~spectre/cwi/ --
head moderator comp.binaries.cbm * cbm special forces unit $ea31 (tincsf)
personal page http://calvin.ptloma.edu/~spectre/ * "when in doubt, take a pawn"