
Re: [usenet] UDP status?


William Kronert
Nov 4, 2007, 11:03:07 AM

I wonder if we could get a summary of the UDP status:

Which site(s), if any, are currently being UDP'ed via UDP cancels as compared
to newsgroup-specific cancels for a given hipcrime flood?

When was the last time that the site had been used for a Hipcrime flood?

Has the site been notified?

Has the site responded to the notice?

If so have they taken measures to prevent further hipcrime floods?

Are they in the process of taking measures to prevent these floods?

If the site has taken steps to prevent these hipcrime floods should they
still be UDP'ed (if they are currently being UDP'ed)?


Bill

Xavier Roche
Nov 4, 2007, 11:52:08 AM
William Kronert wrote:

> I wonder if we could get a summary of the UDP status:

highwinds-media (multiple sources through outsourced service): still
being used for floods, but apparently willing to solve the issue.

rr.com: still being used for floods, never replied to complaints (6 sent
so far) ; upstream (newshosting) replied _once_ that something should be
done (..)

qwest.net: (last flood 22/08 ; 5,000 articles), never a single reply to
complaints (7 complaints sent)

cox.net (last flood 09/21 ; less than 1,000 articles): automatic replies
received

twtelecom.net (last flood 09/24 ; 6,000 articles): automatic replies
received

mchsi.com (last flood 11/01): multiple hijacked IP's ; automatic replies
received to complaints (but only automatic ones)

optonline (last flood 09/29 ; 1000 articles): multiple hijacked IP's ;
no replies to complaints

optusnet (last flood 0/30 ; 1000 articles): no replies to complaints

Other minor servers have also been used time to time for hipcrime
attacks, without any reply (t-online.hu, suddenlink.net/newshosting.com,
..) and other minor origins.

Several sites are impacted by the UDP, but of course UDPs are worthless
for the (numerous) servers refusing cancels. However many of them
(especially serious ones) have probably taken passive UDP measures
against the biggest flood sources.

The lack of seriousness from many news servers is unfortunately a fact..

> Are they in the process of taking measures to prevent these floods?

Highwinds-media is the only one which seems to have started to take
measures.

> If the site has taken steps to prevent these hipcrime floods should they
> still be UDP'ed (if they are currently being UDP'ed)?

No idea. As soon as the filtering is removed, I suppose that the
floods will start again.

Alexander Bartolich
Nov 4, 2007, 2:58:00 PM
Xavier Roche wrote:
> William Kronert a écrit :
>> I wonder if we could get a summary of the UDP status:

[ about 50 lines of status report ]

Keep up the good work. :-)

I have one minor quibble, though. Please write date specifications
according to ISO 8601, that is yyyy-mm-dd (the format string for
POSIX' strftime and GNU/date is "%Y-%m-%d").

> [...] qwest.net: (last flood 22/08 ; [...]
^^^^^
I guess that's 2007-08-22.

> [...] cox.net (last flood 09/21 [...]
^^^^^
While this is probably 2007-09-21.

> [...] optusnet (last flood 0/30 ; 1000 articles): [...]
^^^^
Beats me. 30th calendar week in the year 2000?

--
news.albasani.net

William Kronert
Nov 4, 2007, 5:23:38 PM
Xavier Roche <xro...@free.fr.nospam.invalid> wrote:
> William Kronert a écrit :
>> I wonder if we could get a summary of the UDP status:

I might be going out on a limb here and perhaps wrong in my viewpoint,
but I feel a need to comment:

> highwinds-media (multiple sources through outsourced service): still
> being used for floods, but apparently willing to solve the issue.

I don't agree with a cancel on site of all articles (UDP) coming out of
Highwinds. Reason, they have clearly responded, they have clearly
plugged and installed posting filters. They have shown they will
plug a machine that they might have forgotten. It doesn't make sense to
cancel on site all articles from highwinds but rather obtain the posting
box servers (if any at all) that need the posting filter so they can
install them.

> rr.com: still being used for floods, never replied to complaints (6 sent
> so far) ; upstream (newshosting) replied _once_ that something should be
> done (..)

rr.com/Newshosting, I agree it currently needs an active UDP till they
finish testing and install their posting filter.

> qwest.net: (last flood 22/08 ; 5,000 articles), never a single reply to
> complaints (7 complaints sent)

This doesn't make sense to me. Granted it is not clear what is going on
with qwest since they haven't responded, but the last flood from qwest was
in August. How do we know that they haven't done something? I feel we
either need a clear response from qwest or a more recent flood before a
UDP is called on qwest. I just sent an e-mail to the news admin at
qwest informing them of the UDP and asked them to respond here in the
newsgroup.

> cox.net (last flood 09/21 ; less than 1,000 articles): automatic replies
> received

Cox is using Highwinds, it shouldn't be UDP'ed in my opinion given the
response from Highwinds.

> twtelecom.net (last flood 09/24 ; 6,000 articles): automatic replies
> received

I don't know about this one, I haven't checked into it yet.

> mchsi.com (last flood 11/01): multiple hijacked IP's ; automatic replies
> received to complaints (but only automatic ones)

mchsi.com is the recent flood coming from worldnet.att.com. In my
opinion, it is premature for a UDP. They haven't been given enough time
to respond. This morning I sent notices to the mchsi and att abuse desks as
well as the att.net news admin. It is clear that mchsi.com the ISP will take
action on their user, but it's the server in question, and the flood is too
recent without enough time for a response.

> optonline (last flood 09/29 ; 1000 articles): multiple hijacked IP's ;
> no replies to complaints

I am assuming you mean Optimum Online? If so, that is cv.net again using
Highwinds, and Highwinds clearly has responded and is working to prevent
the floods.

> optusnet (last flood 0/30 ; 1000 articles): no replies to complaints

I don't know about this, I personally haven't checked into this one.

> Other minor servers have also been used time to time for hipcrime
> attacks, without any reply (t-online.hu, suddenlink.net/newshosting.com,
> ..) and other minor origins.

> Several sites are impacted by the UDP, but of course UDP are wothless
> for the (numerous) servers refusing cancels. However many of them
> (especially serious ones) have probably taken passive UDP measures
> against biggest flood sources.

To me issuing an active UDP against a site (canceling on site all articles
from everyone on that site) is serious. It needs a history with no
response, no action, recent and continued abuse. Now canceling hipcrime
floods as they occur without an active UDP is another story and I can see
that for any given site. I just think in many cases the UDP has been too
premature.

Bill

Dan Mason
Nov 4, 2007, 7:53:26 PM
Xavier Roche <xro...@free.fr.nospam.invalid> wrote:
> qwest.net: (last flood 22/08 ; 5,000 articles), never a single reply to
> complaints (7 complaints sent)

Xavier,

Where were the complaints sent? I didn't hear anything from our Abuse
department about Usenet related complaints. I'd be happy to look into
any news.qwest.net related complaints at ne...@qwest.net.


Dan

--
Daniel Mason
Lead Systems Engineer
Qwest Communications Corp.

Xavier Roche
Nov 5, 2007, 2:17:00 AM
Dan Mason wrote:
> Where were the complaints sent? I didn't hear anything from our Abuse
> department about Usenet related complaints. I'd be happy to look into

X-Complaints-To: abuse @ qwest.net

> any news.qwest.net related complaints at ne...@qwest.net.

Okay ; I'm forwarding the information sent:
Wed, 22 Aug 2007 13:10:19 +0200
Wed, 22 Aug 2007 11:26:05 +0200
Wed, 22 Aug 2007 10:37:15 +0200
Wed, 22 Aug 2007 08:01:53 +0200
Wed, 22 Aug 2007 08:11:46 +0200
Wed, 22 Aug 2007 08:32:17 +0200

and in the meantime disable the (partial) filtering.

Xavier Roche
Nov 5, 2007, 2:35:39 AM
Alexander Bartolich wrote:
> I have one minor quibble, though. Please write date specifications
> according to ISO 8601

Humm, yes, the dates were really badly formatted :p I always mix
US-style and ISO/RFC-style dates too..

Xavier Roche
Nov 5, 2007, 2:38:22 AM
William Kronert wrote:
>> highwinds-media (multiple sources through outsourced service): still
>> being used for floods, but apparently willing to solve the issue.
>
> I don't agree with a cancel on site of all articles (UDP) coming out of

The UDP is not currently impacting highwinds (except several sources
where no tracing information can be established) ; I did not enable it
as replies were being handled. Except, again, for a very limited number
of outsourced clients (such as rr.com).

> Reason, they have clearly responded,

Yes, totally agree.

> rr.com/Newshosting, I agree it currently needs a active UDP till they
> finish testing and install their posting filter.

Ok.

> This doesn't make sense to me. Granted it is not clear what is going on
> with qwest since they haven't responded but the last flood from qwest was
> in August.

Well, you're also probably right, and besides the news admin wasn't
apparently properly informed by the abuse desk. Removed too.

Note that neither highwinds nor the other sites have ever been under
UDP ; only hijacked machines were.

> I just think in many cases the UDP has been too premature.

Well, the term UDP was incorrect ; partial filtering would have been
less ambiguous I suppose, my mistake.

Anyway this does not solve the problem: there are hundreds of hijacked
IPs and very few servers do actually reply to complaints.

Suggestions welcome ..

William Kronert
Nov 5, 2007, 6:00:09 AM
Xavier Roche <xro...@free.fr.nospam.invalid> wrote:
> William Kronert wrote:
>>> highwinds-media (multiple sources through outsourced service): still
>>> being used for floods, but apparently willing to solve the issue.

>> I don't agree with a cancel on site of all articles (UDP) coming out of

> The UDP is not currently impacting highwinds (except several sources
> where no tracing information can be established) ; I did not enable it
> as replies were being handled. Except, again, for a very limited number
> of outsourced clients (such as rr.com).

My only note on this, and I had mentioned it in more detail in the e-mail
I just sent you, is: requiring NSP's to publish IP's in the headers is not
a realistic goal, it won't happen. They don't publish them for many
reasons but one big reason is the customers don't want them published and
will go elsewhere if they were published.

> Anyway this does not solve the problem: there are hundreds of hijacked
> IPs and very few servers do actually reply to complaints.

That is true, there is a % of places that don't respond. If the
flooding stops we just don't have any idea if the complaints were acted
on or what happened.

Bill

Peter Pearson
Nov 5, 2007, 12:54:56 PM
On Mon, 05 Nov 2007 05:00:09 -0600, William Kronert wrote:
[snip]
> . . . requiring NSP's to publish IP's in the headers is
> not a realistic goal, it won't happen. They don't publish
> them for many reasons but one big reason is the customers
> don't want them published and will go elsewhere if they
> were published.

It's good to have anonymous posting, but wouldn't it be
reasonable to insist that the organization offering anonymous
posting should take responsibility for ensuring that none
of its customers post 1000 messages per hour to any one
newsgroup?

--
To email me, substitute nowhere->spamcop, invalid->net.

Xavier Roche
Nov 5, 2007, 12:57:32 PM
Peter Pearson wrote:

> It's good to have anonymous posting, but wouldn't it be

Another alternative might be a scrambled NPH (possibly changing
regularly but that could be used to block a flood) hiding the IP.

Frank Slootweg
Nov 5, 2007, 1:39:54 PM
Xavier Roche <xro...@free.fr.nospam.invalid> wrote:
> William Kronert wrote:
> >> highwinds-media (multiple sources through outsourced service): still
> >> being used for floods, but apparently willing to solve the issue.
> >
> > I don't agree with a cancel on site of all articles (UDP) coming out of
[...]

> Note that neither highwinds nor the other sites have never been under
> UDP ; only hijacked machines were.
>
> > I just think in many cases the UDP has been too premature.
>
> Well, the term UDP was incorrect ; partial filtering would have been
> less ambiguous I suppose, my mistake.

A simple question: Are you canceling articles, yes or no?

I know that the word "UDP" can have different meanings, but I find it
very worrying if William talks about "cancel on sight", i.e. canceling
and you say "partial filtering", i.e. *not* canceling. So which is it?

FWIW, I consider canceling to be both improper and ineffective.

Improper because it's very difficult to tell what to cancel and what
not and even harder to tell if a cancel was a valid one and not itself a
forgery [1].

Ineffective, because very few sites - and probably even less rogue
sites - honor cancels.

[1] I think that 'your' cancels have been forged, i.e. invalid [2]
cancels which were made to look if you posted them [3].

[2] I.e. canceling perfectly valid articles.

[3] See <news:1g1clztwjr7vt$.d...@sqwertz.com> and my response
<news:472a0533$0$302$dbd4...@news.wanadoo.nl>.

William Kronert
Nov 5, 2007, 1:40:29 PM

Personally I think a pseudo type of IP should be assigned to each user and
it should be fixed. It makes it much easier for abuse handling and even
abusive nym shifting. It would allow people to filter unwanted posters.
I just don't think it is going to be easy persuading all the various NSP's
and ISP's to do it. It would be nice to get the opinions of the larger
NSP's and ISP's...

Bill

Xavier Roche
Nov 5, 2007, 2:26:21 PM
Frank Slootweg wrote:

> A simple question: Are you canceling articles, yes or no?

Yes. Roadrunner, mostly.

> FWIW, I consider canceling to be both improper and ineffective.

Probably. The best solution is, as many servers did, to filter them.

> Improper because it's very difficult to tell what to cancel and what
> not and even harder to tell if a cancel was a valid one and not itself a
> forgery [1].

That's the problem, and why many servers are now refusing them. NoCeM is
a solution, but unfortunately not really used.

> I think that 'your' cancels have been forged

No. rr.com is still currently under UDP, as it is (still) the source of
endless hipcrime floods (the number of emitted spams since august is
something between 150,000 and 500,000 messages), without *any* reaction
from the abuse desk. Not a single reply.

Xavier Roche
Nov 5, 2007, 2:27:42 PM
William Kronert wrote:

> Personally I think a pseudo type of IP should be assigned to each user and
> it should be fixed.

Humm, I think this would be difficult for servers such as, say,
highwinds: I suppose that they just accept postings from a range of IPs,
without any account handling ?

Frank Slootweg
Nov 5, 2007, 3:22:49 PM
Xavier Roche <xro...@free.fr.nospam.invalid> wrote:
> Frank Slootweg wrote:

> > A simple question: Are you canceling articles, yes or no?
>
> Yes. Roadrunner, mostly.

Hipcrime (like) floods only or all articles from Road Runner? If the
latter, then I think that's improper (i.e. abuse) and not supported by
this audience.

And what does "mostly" mean?

[...]

> > I think that 'your' cancels have been forged
>
> No. rr.com is still currently under UDP, as it is (still) the source of
> endless hipcrime floods (the number of emited spams since august is
> something between 150,000 and 500,000 messages), without *any* reaction
> from the abuse desk. Not a single reply.

But the example I gave was not a cancel of a rr.com article, but a
cancel of a perfectly valid qwest.net article [1]. Note that the article
is a *reply* to a roadrunner.com article. You are not by any chance
canceling *responses* to Road Runner articles, are you?

In any case: Please look into this and check if this is one of your
cancels or if it is a forgery. If it was one of your cancels, then
please explain *why* this article was canceled.

[1] Discussion of cancel: <news:1g1clztwjr7vt$.d...@sqwertz.com>
Cancel itself: <news:cancel.5d18.4723e1fc$0$502$815e...@news.qwest.net>
Canceled article: <news:4723e1fc$0$502$815e...@news.qwest.net>

Peter Pearson
Nov 5, 2007, 5:15:00 PM
Here are some statistics from sci.crypt over the last
27 hours or so:

#posts  provider                complained (GMT)   response
------  ----------------------  -----------------  -----------------------
   416  ab...@mchsi.com         2007-11-05 04:07   04:07 auto
                                                   + 13:55 followup
   497  ab...@telia.com         2007-11-04 20:03   delivery failure:
                                                   no such destination
   731  ab...@bresnan.net       2007-11-05 19:45   none
   758  news...@hanaro.com      2007-11-05 00:52   none
   787  ab...@videotron.ca      2007-11-05 19:45   19:45 auto
  2074  ab...@usenetserver.com  2007-11-04 19:14   19:16 auto
  4593  ab...@rr.com            2007-11-04 19:14   none
                                2007-11-04 16:30   (11-05) 15:17 howto
                                2007-11-05 19:45   19:46 auto


By "howto" I mean an automatic reply containing instructions
on submitting a complaint. Man, when you have to automate
the process of telling your accidental victims how to scream,
you've really lost control of your business.

Xavier Roche
Nov 6, 2007, 2:02:49 AM
Frank Slootweg wrote:
> Hipcrime (like) floods only or all articles from Road Runner?

All articles, because you can not make the difference between a
hipcrime article and a regular article. That's precisely why hipcrime
attacks are considered as serious denial of service attacks: you can not
filter them easily, and if the upstream abuse desk is dead, the only
solution is to UDP (passively, or actively, such as in this case).

> latter, then I think that's improper (i.e. abuse) and not supported by
> this audience.

Uh? If the audience agrees to unblock roadrunner again and let the
hipcrime floods flow daily, I'll remove the UDP immediately. But
remember that *no one* at roadrunner even replied to complaints, and
since august there have been hundreds of hipcrime messages, weekly.

And if users are unhappy with this situation, I would suggest that they
start to complain to roadrunner and tell them what's happening.

> But the example I gave was not a cancel of a rr.com article, but a
> cancel of a perfectly valid qwest.net article [1].

Yes, and the UDP has been removed after requests posted here, and the
news admin reply.

> is a *reply* to a roadrunner.com article. You are not by any chance
> canceling *responses* to Road Runner articles, are you?

Of course not.

> In any case: Please look into this and check if this is one of your
> cancels or if it is a forgery. If it was one of your cancels, then
> please explain *why* this article was canceled.

Because qwest was also, with roadrunner, under UDP, very recently.

If you have a better way of handling hipcrime attacks, please let us know.

Alexander Bartolich
Nov 6, 2007, 6:24:19 AM
Xavier Roche wrote:
> Frank Slootweg wrote:
>> Hipcrime (like) floods only or all articles from Road Runner?
>
> All articles, because you can not make the difference between an
> hipcrime article and a regular article.

This particular case is about a flood to sci.crypt, AFAIK.
So articles not directed to sci.crypt could well be regular.
Hmm.

There really should be a combination of bad_paths and poison_groups.

--
http://news.albasani.net/

William Kronert
Nov 6, 2007, 6:45:33 AM
Alexander Bartolich <alexander...@gmx.at> wrote:
> Xavier Roche wrote:
>> Frank Slootweg wrote:
>>> Hipcrime (like) floods only or all articles from Road Runner?
>>
>> All articles, because you can not make the difference between an
>> hipcrime article and a regular article.

> This particular case is about a flood to sci.crypt, AFAIK.
> So articles not directed to sci.crypt could well be regular.
> Hmm.

The floods are also in news.admin.net-abuse.email, and in the past I have
seen floods in many other newsgroups. sci.crypt seems to be the favorite
but is far from being the only flooded newsgroup.

Bill

Alexander Bartolich
Nov 6, 2007, 6:58:37 AM
Frank Slootweg wrote:
> Xavier Roche <xro...@free.fr.nospam.invalid> wrote:
>> Frank Slootweg wrote:
>> > A simple question: Are you canceling articles, yes or no?
>>
>> Yes. Roadrunner, mostly.
>
> Hipcrime (like) floods only or all articles from Road Runner? If the
> latter, then I think that's improper (i.e. abuse) and not supported by
> this audience.
>
> And what does "mostly" mean?

Thousands of garbage postings per day make a group unusable.

Removing the garbage in a timely fashion takes the stress off
the newsspool and makes the group somehow readable again. Users of
off-line newsreaders are still hosed, though. And these are the
majority nowadays.

So the alternative is between abandoning a group and abandoning a
remote site. Both are the start of a slippery slope that eventually
could end in a break up of Usenet into isolated hierarchies.

However, in the intermediate future the sites where floods are
originating from are not just a nuisance to all direct and indirect
peers. They are also providing their users unworkable groups. Users
of these sites are thus unlikely to ever make benign contributions
to these groups.

Cutting off these sites (and their users) is thus unlikely to lose
benign contributions. Especially if these sites are only partially
cut off. In this particular case that would mean to apply UDP
measures only to postings directed at sci.crypt.

That possibly gives you the alternative between completely abandoning
a group and abandoning all contributions of a remote site to this
group.

Of course the originator of the flooding can then switch to other
groups.

--
http://news.albasani.net/

Xavier Roche
Nov 6, 2007, 7:31:00 AM
Alexander Bartolich wrote:
> Of course the originator of the flooding can then switch to other
> groups.

Yes, and that's exactly what happened in august, when other groups were
targeted (more than 30 different groups) after the partial UDP.

Here is just a small sample of one of the rr floods last august:
243 comp.os.linux.misc
242 comp.robotics.misc
239 rec.arts.books.tolkien
487 rec.arts.poems
241 rec.arts.sf.written
243 rec.audio.car
243 rec.crafts.brewing
240 rec.crafts.distilling
244 rec.games.roguelike.nethack
239 rec.heraldry
245 rec.music.christian
241 rec.music.classical.recordings
243 rec.pyrotechnics
237 rec.skydiving
240 rec.sport.hockey
241 sci.astro.amateur
242 sci.bio.microbiology
241 sci.chem
239 sci.engr.joining.welding
240 sci.engr.lighting
239 sci.lang

I'm still interested in a better solution, but unfortunately
uncooperative servers are hard to handle.

Alexander Bartolich
Nov 6, 2007, 7:56:46 AM
Xavier Roche wrote:
> Alexander Bartolich wrote:
>> Of course the originator of the flooding can then switch to other
>> groups.
>
> Yes, and that exactly what happened in august, when other groups were
> targeted (more than 30 different groups) after the partial UDP.
> [...]

> I'm still interested for a better solution, but unfortunately
> uncooperative servers are hard to handle.

Most RBLs targeting origins of email spam have a defined escalation
procedure. Starting with /32 they extend coverage until a complete
network is blocked. Perhaps this can be applied in a similar fashion
to Usenet hierarchies.

Anyway, an ironic twist of fate let cleanfeed filter my own posting.

Nov 6 12:59:15 alpha826 innd: rejecting[perl]
<fgpktd$ibh$1...@news.albasani.net> 437 Bad path (news.highwinds-media.com)
<lines=44 newsgroups=news.admin.net-abuse.policy
<path=newsfeed.freenet.de...news.killfile.org

The implementation of bad_path is straightforward but silly. Since
traffic is no issue it would be better if cleanfeed would just
silently drop the article, i.e. without entering the message into
history. This way copies of the posting traveling alternative routes
still have a chance. For example:

Path:
news.motzarella.org!motzarella.org!news.glorb.com!news.kjsl.com!newsfeed.stanford.edu!news.killfile.org!not-for-mail

--
http://news.albasani.net/

Xavier Roche
Nov 6, 2007, 8:04:38 AM
Alexander Bartolich wrote:
> The implementation of bad_path is straightforward but silly. Since
> traffic is no issue it would be better if cleanfeed would just
> silently dropped the article

Darn - the matching is not right-anchored ?

In this case you might want to consider
!hw-filter\.lga![^!]*\.lga\.POSTED![^!]*!
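Worked example (added here; it is not code from the thread, from cleanfeed, or from any of the posters). It puts Alexander's rejection and Xavier's pattern side by side: an unanchored bad_path hit on news.highwinds-media.com catches every article that merely transited the hub, while the injection-point pattern quoted above only catches articles that entered Usenet through the Highwinds posting hosts, and combining that with a poison_groups set (the bad_paths plus poison_groups combination suggested earlier in the thread) narrows it further to the flooded group. The three Path/Newsgroups pairs are constructed; only news.highwinds-media.com and the hw-filter.lga / .lga.POSTED hops come from the thread. That cleanfeed wraps the Path in '!' before matching is assumed here, not quoted from cleanfeed.

```python
import re

# Constructed sample articles (not from the thread): (Path, Newsgroups).
# In a Path header the leftmost hop is the newest relay, the rightmost is the
# injecting server. Hostnames under .invalid are placeholders.
SAMPLE_ARTICLES = [
    # Injected at the (constructed) Highwinds posting hosts, aimed at sci.crypt.
    ("news.leaf.invalid!news.highwinds-media.com!hw-filter.lga!newsfe01.lga.POSTED"
     "!12ab34cd!not-for-mail", "sci.crypt"),
    # Same injection point, but posted to an unrelated group.
    ("news.leaf.invalid!news.highwinds-media.com!hw-filter.lga!newsfe01.lga.POSTED"
     "!12ab34cd!not-for-mail", "rec.heraldry"),
    # Injected elsewhere and only relayed through the Highwinds hub (Alexander's case).
    ("newsfeed.freenet.de!news.highwinds-media.com!news.albasani.net!not-for-mail",
     "news.admin.net-abuse.policy"),
]

# Rule 1: the hub name anywhere in the Path (what rejected Alexander's article).
UNANCHORED_BAD_PATH = re.compile(r"!news\.highwinds-media\.com!")
# Rule 2: Xavier's pattern; it only matches when the Highwinds filter host and a
# .lga.POSTED host are present, i.e. the article was injected there.
INJECTION_BAD_PATH = re.compile(r"!hw-filter\.lga![^!]*\.lga\.POSTED![^!]*!")
# Rule 3: rule 2 restricted to the flooded group(s), Alexander's poison_groups idea.
POISON_GROUPS = {"sci.crypt"}


def normalized_path(path):
    """Assumed cleanfeed-style normalization: wrap in '!' so every hop,
    including the first and last, is delimited on both sides."""
    return "!" + path.strip() + "!"


def newsgroups_of(header):
    return {g.strip() for g in header.split(",") if g.strip()}


def reject_unanchored(path):
    return bool(UNANCHORED_BAD_PATH.search(normalized_path(path)))


def reject_injection(path):
    return bool(INJECTION_BAD_PATH.search(normalized_path(path)))


def reject_injection_to_poison_group(path, newsgroups):
    return reject_injection(path) and bool(newsgroups_of(newsgroups) & POISON_GROUPS)


def classify(articles):
    """For each article return (rule1, rule2, rule3) rejection decisions."""
    return [
        (reject_unanchored(p), reject_injection(p), reject_injection_to_poison_group(p, g))
        for p, g in articles
    ]


if __name__ == "__main__":
    for (path, groups), verdict in zip(SAMPLE_ARTICLES, classify(SAMPLE_ARTICLES)):
        print(groups, verdict)
```

Rule 1 rejects all three articles, rule 2 spares the relayed one, and rule 3 also spares the injected article that was not aimed at sci.crypt; the cost of rule 3 is that, as Alexander notes, the flooder can simply pick another group.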

William Kronert
Nov 6, 2007, 9:51:55 AM
Alexander Bartolich <alexander...@gmx.at> wrote:
> Anyway, an ironic twist of fate let cleanfeed filter my own posting.

For me, it is time consuming, and not necessarily so for many news admins, but I
have been using specific IP addresses in Cleanfeed's bad_hosts file with
the exception of roadrunner.com and ukr.net. I am trying hard to
minimize filtering out any legitimate traffic.

Though I am trying to keep to the criteria of: 3 or more abusing IP's from
the same site, change to a bad_path filter instead of a bad_hosts filter and
try to narrow down the bad_path to the least possible source. In cases of
no IP's, as is the case with Roadrunner, it goes directly in bad_paths.
IP's that have been closed down and confirmed by the abuse desk are
removed from the bad_hosts filter. It is a time consuming thing perhaps
but I don't feel legitimate users should suffer at the expense of
Hipslime.

Bill
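Worked example (added here; not Bill's code and not cleanfeed's). It encodes the escalation rule from the post above as a function: per-IP entries stay in bad_hosts, a site with three or more still-open abusing IPs is moved to bad_paths instead, a site that publishes no posting host goes straight to bad_paths, and IPs the abuse desk has confirmed closed are dropped. Alexander's RBL comparison (start at /32, widen as reports accumulate) has the same shape. The report tuples are constructed; the .invalid hostnames and 192.0.2.0/24 and 198.51.100.0/24 addresses are documentation placeholders, and the output is two plain sets rather than cleanfeed's own file syntax.

```python
import ipaddress
from collections import defaultdict

# Bill's criterion from the post: 3 or more abusing IPs from one site.
ESCALATION_THRESHOLD = 3

# Constructed abuse reports: (abusing IP or None, injecting site, closed by abuse desk).
SAMPLE_REPORTS = [
    ("192.0.2.10", "news.site-a.invalid", False),
    ("192.0.2.11", "news.site-a.invalid", False),
    ("192.0.2.12", "news.site-a.invalid", False),
    ("192.0.2.10", "news.site-a.invalid", False),   # duplicate report, counted once
    ("198.51.100.5", "news.site-b.invalid", False),
    ("198.51.100.6", "news.site-b.invalid", False),
    ("198.51.100.7", "news.site-b.invalid", True),  # abuse desk confirmed closure
    (None, "news.site-c.invalid", False),           # site publishes no posting host
]


def build_filters(reports, threshold=ESCALATION_THRESHOLD):
    """Turn abuse reports into (bad_hosts, bad_paths).

    reports: iterable of (ip, site, closed). ip is the abusing posting host
    address, or None when the site publishes none; site is the injecting
    server that would be named in bad_paths; closed is True once the abuse
    desk has confirmed the account is shut.
    """
    open_ips = defaultdict(set)
    bad_paths = set()
    for ip, site, closed in reports:
        if ip is None:
            bad_paths.add(site)          # no IP to filter on: the path is the only handle
            continue
        if closed:
            continue                     # confirmed closed: leave it out of bad_hosts
        addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        open_ips[site].add(str(addr))
    bad_hosts = set()
    for site, ips in open_ips.items():
        if len(ips) >= threshold:
            bad_paths.add(site)          # escalate from per-IP to per-site filtering
        else:
            bad_hosts |= ips
    return bad_hosts, bad_paths


if __name__ == "__main__":
    hosts, paths = build_filters(SAMPLE_REPORTS)
    print("bad_hosts:", sorted(hosts))
    print("bad_paths:", sorted(paths))
```

Site A crosses the threshold and is escalated to bad_paths, site B keeps two bad_hosts entries because its third IP was confirmed closed, and site C lands in bad_paths because there is nothing narrower to filter on.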

William Kronert
Nov 6, 2007, 9:59:33 AM
Xavier Roche <xro...@free.fr.nospam.invalid> wrote:
> I'm still interested for a better solution, but unfortunately
> uncooperative servers are hard to handle.

I too am interested in hearing solutions to this endless ongoing Hipcrime
attack. It should be clear by now we are facing a completely different
ball game, it's not about just one or two sites being hi-jacked and
trying to work with those sites to prevent such abuse. Any thoughts?

Bill

David Canzi -- non-mailable
Nov 6, 2007, 12:22:46 PM
In article <fgpoad$ptr$1...@news.albasani.net>,

Alexander Bartolich <alexander...@gmx.at> wrote:
>Anyway, an ironic twist of fate let cleanfeed filter my own posting.
>
>Nov 6 12:59:15 alpha826 innd: rejecting[perl]
><fgpktd$ibh$1...@news.albasani.net> 437 Bad path (news.highwinds-media.com)
><lines=44 newsgroups=news.admin.net-abuse.policy
><path=newsfeed.freenet.de...news.killfile.org
>
>The implementation of bad_path is straightforward but silly. Since
>traffic is no issue it would be better if cleanfeed would just
>silently dropped the article, i.e. without entering the message into
>history. This way copies of the posting traveling alternative routes
>still have a chance.

Changing cleanfeed so it doesn't add the Message-ID to history
wouldn't make much difference here. We receive our news from
two feeds. If one feed sends us an article that has passed
through news.highwinds-media.com, when the other feed sends
us another copy of the article it, too, has most likely passed
through news.highwinds-media.com.

bad_paths by its nature has limitations that can't be removed by
tinkering with its implementation. You can't specifically block
a provider that is a major source of abuse by putting a major
transit server operated by that provider in bad_paths. You end
up losing a lot of legitimate articles posted by users at other,
unrelated, providers. You can only use bad_paths to block sites,
like news.uwaterloo.ca, that provide little or no transit for
articles from other sources.

--
David Canzi | Eternal truths come and go. |

David Canzi -- non-mailable
Nov 6, 2007, 1:13:33 PM
In article <13ium7g...@news.supernews.com>,

Yesterday, less than an hour after installing some statistics
collection code in cleanfeed.local, I saw over 3,000 articles
arrive from *one* customer of *one* provider -- in *three*
*minutes*.

Yes, it's reasonable to expect providers to rate-limit their
customers.

We should expect more, such as useful NNTP-Posting-Host headers.
To me this means they should meet two conditions: (1) The
NNTP-Posting-Host headers should match a regular expression
designed to recognize IP addresses and domain names, and (2)
NNTP-Posting-Host headers should be the same for any two articles
that came from the same IP address, and different for any two
articles that came from different IP addresses. Aside from these
requirements, the NNTP-Posting-Host can be a work of fiction and
I won't care.

If the NNTP-Posting-Host meets requirement (2), it's possible to
reject articles from an abuser while sparing articles posted by
other customers of the same provider. If the NNTP-Posting-Host
is absent or doesn't meet requirement (2), it is not possible
to spare the articles from customers other than the abuser.

If some providers' NNTP-Posting-Host headers meet requirement
(2) but don't meet requirement (1), it means I have to write
special-purpose code for every provider that produces such
idiosyncratic headers. NON SERVIAM. Instead I'll write code that
treats an idiosyncratic NNTP-Posting-Host header as equivalent
to a missing NNTP-Posting-Host header.
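Worked example (added here; not David's or Peter's code, and not cleanfeed's). It implements the two NNTP-Posting-Host requirements stated above and then the per-poster, per-group rate check Peter asked for: requirement (1) is a regular expression for IPv4 addresses and hostnames, anything else is treated exactly like a missing header, and articles are keyed on the posting host when it is usable and on the injecting site otherwise, so that a provider without usable headers is caught as a whole (David's point about not being able to spare its other customers). A sliding window counts articles per (poster, newsgroup) against Peter's 1000-per-hour figure. The article stream is constructed to reproduce David's 3000 articles from one customer in three minutes; the .invalid hostnames and 192.0.2.0/24 addresses are placeholders.

```python
import re
from collections import defaultdict

# Requirement (1): the header must look like an IPv4 address or a hostname.
IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.IGNORECASE)


def poster_key(nph):
    """Per-poster key from NNTP-Posting-Host, or None when the header is absent
    or idiosyncratic (the post's rule: idiosyncratic is treated as missing)."""
    if nph is None:
        return None
    nph = nph.strip().lower()
    if IPV4_RE.match(nph) or HOSTNAME_RE.match(nph):
        return nph
    return None


def find_floods(articles, limit=1000, window_seconds=3600):
    """articles: iterable of (timestamp_seconds, nntp_posting_host, injecting_site,
    newsgroups_header). Returns {(key, group): peak} for every (poster key, group)
    pair whose article count inside some window of window_seconds exceeds limit.
    Without a usable posting host the key falls back to the whole site."""
    per_pair = defaultdict(list)
    for ts, nph, site, groups in articles:
        key = poster_key(nph) or "site:" + site
        for group in groups.split(","):
            per_pair[(key, group.strip())].append(ts)
    floods = {}
    for pair, times in per_pair.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            floods[pair] = peak
    return floods


def constructed_sample():
    """Constructed article stream (not real traffic)."""
    arts = []
    # One customer at provider A: 3000 articles in three minutes, valid IPv4 NPH.
    for i in range(3000):
        arts.append((i * 0.06, "192.0.2.77", "news.provider-a.invalid", "sci.crypt"))
    # An innocent neighbour at the same provider, five articles spread out.
    for i in range(5):
        arts.append((i * 30.0, "192.0.2.78", "news.provider-a.invalid", "sci.crypt"))
    # Provider B publishes no NPH: a flooder and a bystander collapse to the site key.
    for i in range(1500):
        arts.append((i * 0.1, None, "news.provider-b.invalid", "sci.crypt,rec.heraldry"))
    arts.append((10.0, None, "news.provider-b.invalid", "sci.crypt"))
    # Provider C sends an idiosyncratic token; it is treated like a missing header.
    for i in range(2):
        arts.append((i * 1.0, "cust#42", "news.provider-c.invalid", "sci.crypt"))
    return arts


if __name__ == "__main__":
    for (key, group), peak in sorted(find_floods(constructed_sample()).items()):
        print(f"{peak:5d} articles from {key} to {group}")
```

With usable posting hosts the flooder at provider A is flagged on its own and the neighbour is spared; provider B, which publishes nothing usable, is flagged as a whole, bystander included, which is exactly the loss David describes.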

Peter Pearson
Nov 6, 2007, 1:41:34 PM

From all indications, RoadRunner is indifferent to the demise
of Usenet. A vulnerable medium dominated by such a participant
is doomed. The alternatives are (1) ostracizing RoadRunner,
(2) building a new Usenet, or (3) watching Usenet disappear.

Option 1 makes a huge amount of sense, from a broad economic
point of view. Posts to this newsgroup over the past month
on this subject by people far more competent than me represent
an investment of time an order of magnitude larger than the
effort RoadRunner would have had to spend to fix their part
of the problem.

Option 2 would approximate a free implementation of Supernews.
I love Supernews, I hope they make a zillion dollars, and I
don't at all mind the small fee I pay to use their service.
However, if Usenet dies because all the other participants
can't find Supernews or can't afford (?) the fees, I still
lose. (The question occasionally crosses my mind, How much
would one have to pay Supernews to get them to serve sci.crypt
to the world for free?) One way to get started on Option 2
would be to set up a server that, in effect, required moderator
approval for every group -- moderator approval with cryptographic
teeth, unlike current moderation practices.

Frank Slootweg

Nov 6, 2007, 1:53:51 PM
Xavier Roche <xro...@free.fr.nospam.invalid> wrote:
> Frank Slootweg wrote:
> > Hipcrime (like) floods only or all articles from Road Runner?
>
> All articles, because you can not make the difference between an
> hipcrime article and a regular article. That's precisely why hipcrime
> attacks are considered as serious denial of service attacks: you can not
> filter them easily, and if the upstream abuse desk is dead, the only
> solution is to UDP (passively, or actively, such as in this case)

I disagree and I don't think I'm the only one.

(As also others have mentioned,) One can and should look at *multiple*
attributes, i.e. the group, the NSP, the NPH, the Path, etc., etc., and
at *combinations* of those attributes. And one should *filter*, not
*cancel*. There really is no excuse for canceling at random, especially
because the hipcrime attacks come from many ISPs/NSPs and are targeted
at many groups. What are you going to do, cancel-UDP *all* those ISPs,
NSPs and groups? No way!

IME and those of others, sites like News.Individual.Net seem to be
able to catch and filter these attacks quickly. I can't remember seeing
them participate in these NANA* groups. Perhaps you - the admins here -
should try to get in touch with them.

> > latter, then I think that's improper (i.e. abuse) and not supported by
> > this audience.
>
> Uh ? If the audience agree to unblock roadrunner again and let the
> hipcrime floods flow daily, I'll remove the UDP immediately. But
> remember than *no one* even replied at roadrunner to complaints, and
> since august there have been hundreds of hipcrime messages, weekly.

AFAIK, there was and is no consensus in this group for an *active*
(i.e. canceling articles) UDP against anybody. I find it telling that
only a few admins participate in this thread and that of the ones that
do, (AFAIK) nobody *specifically* (i.e. by saying so) supports an active
UDP.

So I think it's just you. IMO you are treading on very dangerous ground.
You have been slapped on the wrist recently and apologized, but now
you're basically doing the same thing again. I don't know why the other
admins keep quiet. Perhaps they just gave up and are filtering (and not
propagating) your cancels.

FWIW, I applaud your *intentions* - i.e. fighting net-abuse - but IMO
you're going about it in totally the wrong way.

> And if users are unhappy with this situation, I would suggest that they
> start to complain to roadrunner and tell them what's happening.

Joe User only sees the mess, she hardly knows how and where to
complain and if she does - as you say - hir complaint falls on deaf
ears.

[...]

> If you have a better way of handling hipcrime attacks, please let us know.

Well, *anything* is better than canceling (more or less) at random.
For the rest, see above.
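
The NNTP-Posting-Host rules laid out earlier in the thread (a conventional header lets a filter spare the abuser's fellow customers, an idiosyncratic header is treated as missing) and the multi-attribute, filter-rather-than-cancel approach Frank describes above, as an added Python example; it is not code from anyone in this thread, and the site names, the 50-articles-per-10-minutes threshold and the sample articles are constructed.

```python
import re
from collections import defaultdict, deque

# Requirement (1) from the thread: the header has the conventional form,
# a bare IPv4 address or a hostname. Anything else is "idiosyncratic" and
# is treated exactly like a missing header.
_IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
_HOSTNAME = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$",
    re.I,
)


def normalize_nph(value):
    """Usable NNTP-Posting-Host (lower-cased) or None if absent/idiosyncratic."""
    if value is None:
        return None
    v = value.strip()
    if _IPV4.match(v) or _HOSTNAME.match(v):
        return v.lower()
    return None


def injecting_site(path):
    """Rightmost real site in Path; skips 'not-for-mail' and '.POSTED' entries."""
    for elem in reversed(path.split("!")):
        elem = elem.strip()
        if not elem or elem == "not-for-mail" or elem.startswith(".POSTED"):
            continue
        return elem.lower()
    return None


def filter_key(headers):
    """(newsgroup, injecting site, posting host): the combination counted on.

    With a usable NPH the key is per client, so other customers of the same
    site are spared. Without one, every NPH-less article from that site in
    that group shares a bucket: the collateral the thread describes.
    """
    group = headers.get("Newsgroups", "").split(",")[0].strip().lower()
    site = injecting_site(headers.get("Path", ""))
    nph = normalize_nph(headers.get("NNTP-Posting-Host"))
    return (group, site, nph)


class FloodFilter:
    """Sliding-window counter that marks articles locally; it never cancels."""

    def __init__(self, limit=50, window=600):
        self.limit = limit      # articles allowed per key inside one window
        self.window = window    # window length in seconds
        self._seen = defaultdict(deque)

    def check(self, headers, now):
        """Return ('accept' | 'filter', key) for one article arriving at 'now'."""
        key = filter_key(headers)
        q = self._seen[key]
        while q and now - q[0] > self.window:
            q.popleft()         # forget arrivals outside the window
        q.append(now)
        return ("filter" if len(q) > self.limit else "accept"), key


def article(group, site, nph, path=None):
    """Build a constructed article header dict (sample data, not real traffic)."""
    h = {"Newsgroups": group,
         "Path": path or "feeder.example.invalid!%s!not-for-mail" % site}
    if nph is not None:
        h["NNTP-Posting-Host"] = nph
    return h


def run_demo():
    """Constructed scenario: 80 posts in 80 seconds from one posting host."""
    f = FloodFilter(limit=50, window=600)
    results = {}
    flooder = article("sci.crypt", "news.rr.example.invalid", "10.0.0.5")
    results["flooder"] = [f.check(flooder, t)[0] for t in range(80)]
    # Another customer of the same site, same group, usable NPH: spared.
    results["neighbour"] = f.check(
        article("sci.crypt", "news.rr.example.invalid", "10.0.0.9"), 80)[0]
    # Same host in another group is a separate bucket and still accepted.
    results["other_group"] = f.check(
        article("alt.config", "news.rr.example.invalid", "10.0.0.5"), 81)[0]
    # Idiosyncratic NPH values all collapse into the site-level bucket ...
    g = FloodFilter(limit=50, window=600)
    odd = article("sci.crypt", "news.odd.example.invalid", "user:1234")
    for t in range(60):
        g.check(odd, t)
    # ... so an innocent NPH-less poster from that site becomes collateral.
    results["collateral"] = g.check(
        article("sci.crypt", "news.odd.example.invalid", None), 61)[0]
    # After more than one window of silence the flooder's bucket has drained.
    results["after_window"] = f.check(flooder, 80 + 601)[0]
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```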

Xavier Roche

Nov 6, 2007, 1:55:38 PM
Dan Mason wrote:
> Where were the complaints sent?

(I just replied to your mail <2007110617...@qwest.net> in
private regarding this issue ; apparently the mail to news@ did not arrive)

Xavier Roche

Nov 6, 2007, 2:06:09 PM
Frank Slootweg wrote:

> (As also others have mentioned,) One can and should look at *multiple*
> attributes, i.e. the group, the NSP, the NPH, the Path, etc.

Yes, yes, that's precisely what was done at the beginning. Then IPs and
groups were changing. And playing this little game for *months* is not
reasonable.

> There really is no excuse for canceling at random

Not random. roadrunner.com.

> What are you going to do, cancel-UPD *all* those ISPs,
> NSPs and groups? No way!

None of these ISPs has (1) a dead abuse desk and (2) the
possibility to start denial of service attacks by sending thousands of
messages in a few minutes.

> You have been slapped on the wrist recently and apologized

Yes, because basically doing the same thing on supernews was utterly
stupid. But roadrunner is a really different situation.

> you're basically doing the same thing again

No. You can not compare rr.com and supernews. rr.com has been the source
of floods for *five* months, without even a *single* reply to
complaints. Thousands of messages at once, regularly, making sci.crypt
and other targeted groups unreadable.

> I don't know why the other admins keep quiet.

Mmm, because they already filtered roadrunner, making these cancels
useless ? I would be curious to know how many newsmasters reading this
group already filtered roadrunner, and how many are still trying to let
it through.

> Well, *anything* is better than canceling (more or less) at random.

Not random, again.

Peter Pearson

Nov 6, 2007, 2:48:14 PM
On Tue, 06 Nov 2007 12:53:51 -0600, Frank Slootweg wrote:
> Xavier Roche <xro...@free.fr.nospam.invalid> wrote:
>> Frank Slootweg wrote:
>> > Hipcrime (like) floods only or all articles from Road Runner?
>> All articles, because you can not make the difference
>> between an hipcrime article and a regular article. That's
>> precisely why hipcrime attacks are considered as serious
>> denial of service attacks: you can not filter them
>> easily, and if the upstream abuse desk is dead, the only
>> solution is to UDP (passively, or actively, such as in
>> this case)
>
> I disagree and I don't think I'm the only one.

Frank is probably right about not being the only one, but with
plenty of respect for Frank, I'm siding with Xavier on this one.
(Is there any meaningful way to take a survey or a vote? I'm
curious. I could volunteer to tally emails semi-anonymously.)

> (As also others have mentioned,) One can and should look
> at *multiple* attributes, i.e. the group, the NSP, the
> NPH, the Path, etc., etc., and at *combinations* of those
> attributes. And one should *filter*, not *cancel*. There
> really is no excuse for canceling at random, especially
> because the hipcrime attacks come from many ISPs/NSPs and
> are targeted at many groups. What are you going to do,
> cancel-UDP *all* those ISPs, NSPs and groups? No way!

It's perhaps overly aggressive to accuse Xavier of
cancelling "at random", if he's cancelling posts from a
particular source with an abysmal signal-to-noise ratio.
Maybe "wholesale" is the term you want.

Various posts have lightly advocated "filtering", but from
an end-user standpoint this is an expensive proposition.
While my news client (slrn) will easily let me killfile on
the basis of "From", "Subject", or "References", those are
useless for hipcrime floods. The offender's
NNTP-Posting-Host, if present at all, changes daily, and
filtering on either that or Path requires an extra message
to and from the server, thus taking minutes to throw out
thousands of messages. Suggesting that we should all incur
this daily expense in order to spare RoadRunner the trouble
of (e.g.) limiting post rates is economically outrageous. (I
admit, though, that it might be practically inevitable.)

> IME and those of others, sites like News.Individual.Net seem to be
> able to catch and filter these attacks quickly.

I agree that the likes of news.individual.net provide great
relief for the symptoms, but if crapfloods chase away everybody
except the news.individual.net and supernews users, Usenet
will die.

> AFAIK, there was and is no concensus in this group for an *active*
> (i.e. canceling articles) UDP against anybody. I find it telling that
> only a few admins participate in this thread and that of the ones that
> do, (AFAIK) nobody *specifically* (i.e. by saying so) supports an active
> UDP.

Andrew of Supernews sometimes posts here, and in fact it was
his posts that alerted me to the possible existence of competently
managed commercial news servers. Like Frank, I would love to hear
the thoughts of many Usenet admins, but having grown up in the
United States, I expect that fear of lawyers will inhibit their
participation.

Frank raises a good question about consensus [n.b., FS]: What
is it? Can we measure it? Does it matter? Am I, an ignorant
end user, qualified to vote?


> FWIW, I applaud your *intentions* - i.e. fighting
> net-abuse - but IMO you're going about it in totally the
> wrong way.

. . . and a tip of the hat to Frank for preserving civility
in trying times.

Frank Slootweg

Nov 6, 2007, 3:53:42 PM
Xavier Roche <xro...@free.fr.nospam.invalid> wrote:
[...]

Thanks for your response, Xavier. I will just comment on the main
point.

> > There really is no excuse for canceling at random
>
> Not random. roadrunner.com.

Yes, *now*, but before that also qwest. Any others?

Anyway my point - which you mostly snipped - was:

> > There really is no excuse for canceling at random, especially
> > because the hipcrime attacks come from many ISPs/NSPs and are targeted
> > at many groups. What are you going to do, cancel-UDP *all* those ISPs,
> > NSPs and groups? No way!

As others - especially William - have pointed out, the hipcrime
attacks - both current and past ones - come from *many* NSPs, *many*
ISPs and *many* client hosts. IMO it is both impractical and unfair to
single out one (Road Runner) or a few NSPs, when the abuse is
omni-present and *hardly any* of those NSPs (really) responds.

So unless/until you get *specific* support for your cancels from
this group (mainly from admins, but users also count), I think you
should stop sending them.

Julien ÉLIE

Nov 6, 2007, 3:54:17 PM
Hi Peter,

> Frank is probably right about not being the only one, but with
> plenty of respect for Frank, I'm siding with Xavier on this one.

+1


> (Is there any meaningful way to take a survey or a vote? I'm
> curious. I could volunteer to tally emails semi-anonymously.)

It would be very amusing to have recourse to UseVote for each
UDP request :)


> having grown up in the
> United States, I expect that fear of lawyers will inhibit their
> participation.

Really?

--
Julien ÉLIE

« -- This avenue along the sea is pretty... What is it called?
-- La promenade des Bretons. » (Astérix)

William Kronert

Nov 6, 2007, 3:57:53 PM
Xavier Roche <xro...@free.fr.nospam.invalid> wrote:
> Frank Slootweg wrote:

>> I don't know why the other admins keep quiet.

> Mmm, because they already filtered roadrunner, making these cancels
> useless ? I would be curious to know how many newsmasters reading this
> group already filtered roadrunner, and how many are still trying to let
> it through.

Roadrunner.com is and has been filtered entirely on our site. Given the
the long history with roadrunner on these hipcrime floods, I have and do
support a full and active UDP against roadrunner. I will continue to
support a full UDP of roadrunner till they respond and give notice of
measures they have taken to prevent these hipcrime floods.

Roadrunner is the only site for which I support an active UDP.

If anyone knows of an NSP/ISP who has been able to easily filter out these
floods (without filtering out legitimate traffic) under these
circumstances please ask them to respond here, and if any news admins are
reading this please respond here. Otherwise, (I could be wrong) I
haven't read anything to make these floods any easier to deal with.

Bill

William Kronert

Nov 6, 2007, 4:05:14 PM
Frank Slootweg <th...@ddress.is.invalid> wrote:
> As others - especially William - have pointed out, the hipcrime
> attacks - both current and past ones - come from *many* NSPs, *many*
> ISPs and *many* client hosts. IMO it is both impractical and unfair to
> single out one (Road Runner) or a few NSPs, when the abuse is
> omni-present and *hardly any* of those NSPs (really) responds.

I don't think it's unfair given the long and endless history of these
floods coming from roadrunner. In my mind they aren't being singled out,
because thus far no other abusing site has the long history of abuse as
roadrunner has.

Yes, if we encounter other sites that develop into a long history like
roadrunner I would have to also agree with a UDP. Though to be honest I
am hoping and hoping that something can be done before any other site has
a chance to develop a long history like roadrunner has.

Bill

Frank Slootweg

Nov 6, 2007, 4:22:42 PM
Peter Pearson <ppea...@nowhere.invalid> wrote:
> On Tue, 06 Nov 2007 12:53:51 -0600, Frank Slootweg wrote:
[...]

> > I disagree and I don't think I'm the only one.
>
> Frank is probably right about not being the only one, but with
> plenty of respect for Frank,

<blush> :-)

> I'm siding with Xavier on this one.

Good.

> (Is there any meaningful way to take a survey or a vote? I'm
> curious. I could volunteer to tally emails semi-anonymously.)

Any method is fine by me. In the group is probably most transparent
and not too big a nuisance. Probably a 'vote' should include some
background of the voter, i.e. admin or 'only' user, experience, some
indication of the 'size' of their server(s), etc..

[...]

> It's perhaps overly aggressive to accuse Xavier of
> cancelling "at random", if he's cancelling posts from a
> particular source with an abysmal signal-to-noise ratio.
> Maybe "wholesale" is the term you want.

See my response to Xavier. I'm worried that it's not just one
"particular source", which got canceled or 'should' get canceled.

> Various posts have lightly advocated "filtering", but from
> an end-user standpoint this is an expensive proposition.
> While my news client (slrn) will easily let me killfile on
> the basis of "From", "Subject", or "References", those are
> useless for hipcrime floods. The offender's
> NNTP-Posting-Host, if present at all, changes daily, and
> filtering on either that or Path requires an extra message
> to and from the server, thus taking minutes to throw out
> thousands of messages. Suggesting that we should all incur
> this daily expense in order to spare RoadRunner the trouble
> of (e.g.) limiting post rates is economically outrageous. (I
> admit, though, that it might be practically inevitable.)

I *primarily* advocate filtering on the *server* side, but *because*
not all servers filter or do not filter efficiently/quickly, I *also*
advocate to provide filtering *information*, so that *end-users* can
filter if they want.

FWIW, I use a 'small', 'personal', 'local' News server - Hamster -
for that (filtering) purpose. If you want, you could run something like
leafnode, Noffle (?), etc.. Not a solution to all problems, but every
little bit helps.

> Frank raises a good question about consensus [n.b., FS]: What
> is it? Can we measure it? Does it matter? Am I, an ignorant
> end user, qualified to vote?

It's of course still "My server, my rules!" so admins decide what they
do on their servers. But for things which affect *other* servers, i.e.
in this case cancels, it's not just the admins' opinions which count.
(FYI, as I mentioned before, I'm an ex-admin of two decades. Now I'm
'only' a user.)

> > FWIW, I applaud your *intentions* - i.e. fighting
> > net-abuse - but IMO you're going about it in totally the
> > wrong way.
>
> . . . and a tip of the hat to Frank for preserving civility
> in trying times.

<another blush>

Seriously: I try rather hard not to offend. Xavier is one of the good
guys and I've already defended him in another group. I only disagree
with some of his methods. AFAICT, we're just two guys, trying to fight
the same battle.

William Kronert

Nov 6, 2007, 4:33:12 PM
Frank Slootweg <th...@ddress.is.invalid> wrote:
> Seriously: I try rather hard not to offend. Xavier is one of the good
> guys and I've already defended him in another group. I only disagree
> with some of his methods. AFAICT, we're just two guys, trying to fight
> the same battle.

Xavier in my opinion is the only one here who has tried very hard to
initiate and do something from the start (I could be wrong) but I haven't
seen anyone else stick their necks out and try to do something about
these floods...or am I wrong?

Xavier tends to be a bit aggressive and a bit premature in his methods,
and maybe a little messy about it but he is trying hard to do
something about these floods when others with more experience haven't
offered much help...in my opinion.

Bill

Frank Slootweg

Nov 6, 2007, 4:46:41 PM
William Kronert <wkro...@sunstroke.sdsu.edu> wrote:
[...]

> Roadrunner.com is and has been filtered entirely on our site. Given the
> the long history with roadrunner on these hipcrime floods, I have and do
> support a full and active UDP against roadrunner. I will continue to
> support a full UDP of roadrunner till they respond and give notice of
> measures they have taken to prevent these hipcrime floods.
>
> Roadrunner is the only site I support an active UDP.

Thanks. I think we're getting somewhere, i.e. knowing who does support
or not support what.

Not to bash Xavier, but just to get things clear and in the open, what
is your opinion of Xavier's earlier active UDP of qwest? Was that also
called for? Do you support that as well? Etc.. Thanks.

FWIW, I'd *love* to be 'wrong', i.e. if most of you support Xavier's
actions, then so much the better. Better me - who just talks - being
'wrong', than he - who cancels.

> If anyone knows of an NSP/ISP who has been able to easily filter out these
> floods (without filtering out legitimate traffic) under these
> circumstances please ask them to respond here, and if any news admins are
> reading this please respond here. Otherwise, (I could be wrong) I
> haven't read anything to make these floods any easier to deal with.

As I said, News.Individual.Net (same web address) seems to be very on
top of this. However I do not have any (admin) contact with them, and as
an ex-admin, I don't want to (try to) be a go-between.

FYI, I use News.Individual.Net as my backup NSP and my ISP's News
server (news.wanadoo.nl) as my primary. That probably makes me kind of a
masochist, but I like to be informed about what Joe User has to suffer.
Call me silly, everyone does! :-)

William Kronert

Nov 6, 2007, 5:11:36 PM
Frank Slootweg <th...@ddress.is.invalid> wrote:

> William Kronert <wkro...@sunstroke.sdsu.edu> wrote:
> Not to bash Xavier, but just to get things clear and in the open, what
> is your opinion of Xavier's earlier active UDP of qwest? Was that also
> called for? Do you support that as well? Etc.. Thanks.

I think it was wrong in all honesty. As I mentioned before Xavier tends
to be a bit premature and that is why I called for the UDP status to open
up things that I did think were right. Roadrunner is the only full
active UDP I support at this time.

>> If anyone knows of an NSP/ISP who has been able to easily filter out these
>> floods (without filtering out legitimate traffic) under these

> As I said, News.Individual.Net (same web address) seems to be very on
> top of this. However I do not have any (admin) contact with them, and as
> an ex-admin, I don't want to (try to) be a go-between.

It seems to me if they are on top of this they should also be reading
this group and helping out. We peer with them, I will send them a
note. I know you can stay on top of it if you filter a lot (including
legitimate stuff) and really spend a *huge* amount of time keeping track
of when and where these hipcrime floods come from, but that is not a
realistic solution for a one person staff :-). If my memory is correct,
individual.net uses cleanfeed, and I don't think they use any other
special type of filtering.

Bill

Xavier Roche

Nov 7, 2007, 2:24:02 AM
Frank Slootweg wrote:

> Yes, *now*, but before that also qwest. Any others?

No. Only very temporary ones previously (during the time needed to
clean up and install more clever detection measures, such as for
suddenlink.net, bresnan.net and others), and of course highwinds-media
for some time (removed as soon as the abuse desk confirmed that they
were going to handle the issue).

qwest and supernews were two notable exceptions; qwest for not having
replied at the beginning (but the abuse desk is now working on the
issue), and supernews for having (too quickly) been caught in the
middle of another important flood cleaning, causing its very temporary
listing.

William Kronert

Nov 7, 2007, 4:34:15 AM
Frank Slootweg <th...@ddress.is.invalid> wrote:
> William Kronert <wkro...@sunstroke.sdsu.edu> wrote:
>> If anyone knows of an NSP/ISP who has been able to easily filter out these
>> floods (without filtering out legitimate traffic) under these
>> circumstances please ask them to respond here and if any news admins are

> As I said, News.Individual.Net (same web address) seems to be very on
> top of this. However I do not have any (admin) contact with them, and as
> an ex-admin, I don't want to (try to) be a go-between.

Just to say I did send an e-mail yesterday to the admin at individual.net
asking them to stop by this newsgroup and offer any suggestions.

Bill

Charles Lindsey

Nov 7, 2007, 9:33:49 AM
Newsgroups: news.admin.net-abuse.policy
From: "Charles Lindsey" <c...@clerew.man.ac.uk>
Subject: Re: [usenet] UDP status?
Message-ID: <Jr4v4...@clerew.man.ac.uk>
X-Newsreader: NN version 6.5.2 (NOV)
Date: Wed, 7 Nov 2007 11:12:16 GMT

In <4730b83f$0$56049$dbd4...@news.wanadoo.nl> Frank Slootweg
<th...@ddress.is.invalid> writes:

> IME and those of others, sites like News.Individual.Net seem to be
> able to catch and filter these attacks quickly. I can't remember seeing
> them participate in these NANA* groups. Perhaps you - the admins here -
> should try to get in touch with them.

Not always. Yes, I often see reports of floods without seeing the floods
first, so I suppose NIN have filtered them out.

But I saw both of the two most recent NANAE floods in full, so they don't
always catch them.

What I would really like to see is some smart watcher out there who would
issue NOCEMs for these floods as soon as they are detected, and publish
them in some prominent place. There is a good chance that I will be able
to pick up the NOCEMs before I start my daily news download.

Andrew used to publish such NOCEMs a few years back, and they worked a
treat, but sadly he stopped sending them.

--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131   Web: http://www.cs.man.ac.uk/~chl
Email: c...@clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

Francois Petillon

Nov 7, 2007, 9:35:51 AM
On Mon, 05 Nov 2007 11:57:32 -0600, Xavier Roche wrote:
> Another alternative might be a scrambled NPH (possibly changing
> regularly but that could be used to block a flood) hiding the IP.

In the early 200x, I managed to get a scrambled NPH from an NSP (don't
remember which one) but users complained (I think even if it is changing
frequently, you may make a link between several articles posted from
apparently different users) and it was dropped.

François

Xavier Roche

Nov 7, 2007, 10:55:27 AM
Charles Lindsey wrote:

> What I would really like to see is some smart watcher out there who would
> issue NOCEMs for these floods as soon as they are detected, and publish

Some of them are detected, actually (see news.lists.filters)

Peter Pearson

Nov 7, 2007, 11:17:19 AM
On Tue, 06 Nov 2007 14:54:17 -0600, Julien ÉLIE wrote:
>
>> having grown up in the
>> United States, I expect that fear of lawyers will inhibit their
>> participation.
>
> Really?

Yes. In the United States, if person or company X sues you
and you win the suit, X is not required to compensate you for
the costs of defending yourself. (In theory, you can demand
compensation if the suit is blatantly silly, but such demands
almost never succeed.) Result #1: We have many lawyers eager to
undertake speculative lawsuits in exchange for a share (usually
1/3) of any jackpot. Result #2: Every company with visible
assets fears all lawsuits, not just justified lawsuits.

In the case under discussion, any US-based commercial Usenet
access provider would reasonably worry that one of their
sysadmins might call for a UDP against X and that X would
then sue for $10M in lost business, resulting in $200K in
legal bills even if X loses the suit as quickly as possible.

Peter Pearson

Nov 7, 2007, 11:21:43 AM

Pity. What we need for flood defense is exactly that: a link
between several articles posted from apparently different users.

Peter Pearson

Nov 7, 2007, 12:12:53 PM
On Tue, 06 Nov 2007 15:22:42 -0600, Frank Slootweg wrote:
> Peter Pearson <ppea...@nowhere.invalid> wrote:
>
>> (Is there any meaningful way to take a survey or a vote? I'm
>> curious. I could volunteer to tally emails semi-anonymously.)
>
> Any method is fine by me. In the group is probably most transparent
> and not too big a nuisance. Probably a 'vote' should include some
> background of the voter, i.e. admin or 'only' user, experience, some
> indication of the 'size' of their server(s), etc..

OK, here goes.

Reply by email, filling out this form and emailing it to me.
Trimming off the rest of this post is unnecessary.
Participation is limited to those who can figure out how to
substitute "net" and "spamcop" into
"ppea...@nowhere.invalid" so as to get my email address.
I will guarantee anonymity except in cases of blatant abuse.
I will achieve anonymity by tallying the results in
uncorrelated tabulations and then deleting the emails.
(I know this loses interesting correlation data, but if
respondents want anonymity it's hard to avoid.)
I know that this anonymity promise depends on trust and that
you have no particular reason to trust me. Someday, I hope.
I will post results Saturday.

xxxxxxxx beginning of survey xxxxxxxx

yes( ) ( )no Should RoadRunner be subjected to some kind of UDP?
yes( ) ( )no ... active UDP (cancels) ?
yes( ) ( )no ... passive UDP (drop messages) ?
yes( ) ( )no ... all-groups UDP? (as opposed to specific groups)
yes( ) ( )no Are you a Usenet sysadmin? How big:_ How long:_
yes( ) ( )no Should another server be subjected to UDP? Who:_
yes( ) ( )no Should UDPs be used more often?
yes( ) ( )no Should UDPs be used less often?
yes( ) ( )no Would you have answered this survey without anonymity?

xxxxxxxx end of survey xxxxxxxx

Peter J Ross

Nov 7, 2007, 1:11:04 PM
In news.admin.net-abuse.policy on Tue, 06 Nov 2007 15:22:42 -0600,
Frank Slootweg <th...@ddress.is.invalid> wrote:

> Peter Pearson <ppea...@nowhere.invalid> wrote:
>
>> (Is there any meaningful way to take a survey or a vote? I'm
>> curious. I could volunteer to tally emails semi-anonymously.)
>
> Any method is fine by me. In the group is probably most transparent
> and not too big a nuisance. Probably a 'vote' should include some
> background of the voter, i.e. admin or 'only' user, experience, some
> indication of the 'size' of their server(s), etc..

I ran a small server for a few net.friends last year (mainly in order
to provide them with a HipCrime-free source of articles that was
otherwise unfiltered), but I'm writing here as a "mere user". I have
seven years' experience of Usenet, and the recent floods are by far
the worst I've seen, even though I tend to read flood-prone groups
like NAN-AU, alt.config and AUK.

I can deal with the spew quite easily myself, but I'm tired of trying
to explain to other "mere users" how to do it, especially since their
starting point for learning about filtering is usually OE, Thunderbird
or Agent. If those users were asked, I'm sure they'd rather have
somebody else do the filtering for them.

Another reason why they and I would rather have the filtering done for
us is that it's much easier to explain that I didn't see somebody's
post because it didn't reach me than to explain why I filtered it
myself. The *only* efficient way of filtering the recent spew I've
found is to block a few regexes in the Path, which means in effect
that we users are required to apply personal, private "UDP"s that
affect innocent users. The responsibility for taking such a step
should be collective, not individual.

So I vote in favour of taking action against at least RoadRunner until
they come to their senses (if they have any).

I'm just not sure that cancelling is an efficient form of action.
Dropping every article that originates from RoadRunner might be
better.

--
PJR :-)

Charles Lindsey

Nov 9, 2007, 6:04:16 AM
Newsgroups: news.admin.net-abuse.policy
From: "Charles Lindsey" <c...@clerew.man.ac.uk>
Subject: Re: [usenet] UDP status?
Message-ID: <Jr77...@clerew.man.ac.uk>
X-Newsreader: NN version 6.5.2 (NOV)
Date: Thu, 8 Nov 2007 17:45:32 GMT

In <fgsn58$j50$1...@news.httrack.net> Xavier Roche
<xro...@free.fr.NOSPAM.invalid> writes:

I looked, but nothing to cover the recent floods (at least, not the ones
in news.admin.net-abuse.*).

Peter Pearson

Nov 10, 2007, 8:37:44 PM
On Wed, 07 Nov 2007 11:12:53 -0600, Peter Pearson wrote:
[snip]

> I will post results Saturday.
>
> xxxxxxxx beginning of survey xxxxxxxx
>
> yes( ) ( )no Should RoadRunner be subjected to some kind of UDP?
> yes( ) ( )no ... active UDP (cancels) ?
> yes( ) ( )no ... passive UDP (drop messages) ?
> yes( ) ( )no ... all-groups UDP? (as opposed to specific groups)
> yes( ) ( )no Are you a Usenet sysadmin? How big:_ How long:_
> yes( ) ( )no Should another server be subjected to UDP? Who:_
> yes( ) ( )no Should UDPs be used more often?
> yes( ) ( )no Should UDPs be used less often?
> yes( ) ( )no Would you have answered this survey without anonymity?
>
> xxxxxxxx end of survey xxxxxxxx

Well, there's not much Saturday left, so here's the scoop:

I am very disappointed to report that I received so few
responses to this questionnaire that it was probably
useless. The respondents were unanimous on the following
points:

Should RoadRunner be subjected to some kind of UDP? Yes
Should another server be subjected to UDP? No
Should UDPs be used more often? Yes

Given the small sample size, I think further analysis of
these data is unwarranted. Sorry.

Peter J Ross

Nov 10, 2007, 9:34:05 PM
In news.admin.net-abuse.policy on Sat, 10 Nov 2007 19:37:44 -0600,
Peter Pearson <ppea...@nowhere.invalid> wrote:

> I am very disappointed to report that I received so few
> responses to this questionnaire that it was probably
> useless.

As a newbie to the struggle against abuse of the net, I'm sorry that
there are so few interested oldbies from whom I can learn.

And even I would be more comfortable discussing these issues in
unmoderated NANAU than here.

> The respondents were unanimous on the following
> points:
>
> Should RoadRunner be subjected to some kind of UDP? Yes
> Should another server be subjected to UDP? No
> Should UDPs be used more often? Yes
>
> Given the small sample size, I think further analysis of
> these data is unwarranted. Sorry.

FWIW, I endorse the unanimity, except that an active UDP against
the exclusively abusive suddenlink.net might also be useful.


--
PJR :-)

Tim Skirvin

Nov 10, 2007, 11:02:08 PM
Peter Pearson <ppea...@nowhere.invalid> writes:

> I am very disappointed to report that I received so few
> responses to this questionnaire that it was probably
> useless.

You solicited for email responses to a poll with an invalid
address. I know that I stopped at that point.

- Tim Skirvin (tski...@killfile.org)
--
http://www.killfile.org/~tskirvin/nana/ news.admin.net-abuse.*
http://www.killfile.org/donations.html killfile.org donations

Peter J Ross
Nov 10, 2007, 11:14:11 PM

In news.admin.net-abuse.policy on Sat, 10 Nov 2007 22:02:08 -0600, Tim
Skirvin <tski...@killfile.org> wrote:

> Peter Pearson <ppea...@nowhere.invalid> writes:
>
>> I am very disappointed to report that I received so few
>> responses to this questionnaire that it was probably
>> useless.
>
> You solicited for email responses to a poll with an invalid
> address. I know that I stopped at that point.

'Participation is limited to those who can figure out how to
substitute "net" and "spamcop" into "ppea...@nowhere.invalid" so as
to get my email address.'

It was a kind of reading comprehension test. At least fourth or fifth
grade reading skills were required.


--
PJR :-)

Kathy Morgan
Nov 11, 2007, 1:10:32 AM

Peter Pearson <ppea...@nowhere.invalid> wrote:

> Well, there's not much Saturday left, so here's the scoop:
>
> I am very disappointed to report that I received so few
> responses to this questionnaire that it was probably
> useless. The respondents were unanimous on the following
> points:
>
> Should RoadRunner be subjected to some kind of UDP? Yes
> Should another server be subjected to UDP? No
> Should UDPs be used more often? Yes

Sorry for being so late to chime in--I haven't had time to read NANAP
for a couple of days. I'm just a user, not an admin, but I would have
answered same as the other respondents.

--
Kathy

Peter Pearson
Nov 11, 2007, 1:31:46 AM

On Sat, 10 Nov 2007 22:02:08 -0600, Tim Skirvin <tski...@killfile.org> wrote:
> Peter Pearson <ppea...@nowhere.invalid> writes:
>
>> I am very disappointed to report that I received so few
>> responses to this questionnaire that it was probably
>> useless.
>
> You solicited for email responses to a poll with an invalid
> address. I know that I stopped at that point.

I'm sincerely sorry to have missed your input. I thought
the small annoyance (to the respondents) of having to type
my email address would be smaller than the (small) annoyance
of having my spam load rise severalfold for a week or two,
but I guess I called it wrong. If I ever try such a thing
again, I'll dispense with the address peek-a-boo.

William Kronert
Nov 11, 2007, 6:09:34 AM

Peter J Ross <p...@example.invalid> wrote:
> FWIW, I endorse the unanimity, except that an active UDP against
> the exclusively abusive suddenlink.net might also be useful.

It appears that hipcrime used suddenlink and roadrunner yesterday,
11/10/07, for his floods, which hit a large range of newsgroups. Both
suddenlink and roadrunner outsource to newshosting. In addition it
appears there is an ongoing spam flood by MI5 posting through
news.newsdemon.com. It appears news.newsdemon.com also outsources to
newshosting.

I think news admins could consider server-side filtering for all of the
sites that outsource to newshosting, such as roadrunner and suddenlink.
UDP-wise, I think most can agree that roadrunner should be UDP'ed, and I
would even consider suddenlink.

Filter-wise, taking inpaths data over the last 6 months, I have found the
following sites that appear to outsource to newshosting:

roadrunner.com:
newshosting.com!post02.iad01!roadrunner.com!not-for-mail
news.suddenlink.net:
newshosting.com!post01.iad01!news.suddenlink.net!not-for-mail
news.newsdemon.com:
newshosting.com!post01.iad01!news.newsdemon.com!not-for-mail
news.aliant.net:
newshosting.com!post01.iad01!news.aliant.net!not-for-mail

As far as I can tell there are only two posting server paths used in
Newshosting's posting servers: post01.iad01 and post02.iad01. So there
are a number of "paths" a news admin can filter on, based on the above
information and what you want to filter.

My last e-mail communication with Highwinds was this Friday, 11/9/07 in
which they stated:
---------------------
"Please be patient with us. Getting the postfilter installed on
Newshosting will take some time as the code has to be modified due to the
different software that runs on the Newshosting farm. Please be assured
that we are working hard to get this implemented as soon as we can."
----------------------

My only comment to this is; Newshosting uses Diablo software compared to
the standard Highwinds software. So yes, the code has to be modified.

Bill

Xavier Roche
Nov 11, 2007, 12:07:50 PM

William Kronert a écrit :

> It appears that hipcrime used suddenlink and roadrunner yesterday,
> 11/10/07 for his floods which hit a large range of newsgroups. Both
> suddenlink and roadrunner out source to newshosting.

I'm putting suddenlink on UDP until something is done to limit these floods.

(Anyway, suddenlink does not seem to be used that much, except for
spamming and flooding)


Tim Skirvin
Nov 11, 2007, 3:07:36 PM

Black Dragon <b...@nomail.invalid> writes:

> I admin a small server (few dozen groups) which has been affected by the
> hipcrime sporge. I disagree with any UDPs as the result of that sporge.

Is there anything that would make you accept a UDP for a site at
all?

How important would it be to you to have a way to opt out of a UDP?
Or would that be unacceptable on its face, and you'd need to opt in?

Chika
Nov 11, 2007, 3:51:32 PM

In article <slrnfjemr...@bdhi.local>,
Black Dragon <b...@nomail.invalid> wrote:
> I admin a small server (few dozen groups) which has been affected by the
> hipcrime sporge. I disagree with any UDPs as the result of that sporge.

You do? Why?

--
//\ // Chika <miyuki><at><crashnet><org><uk>
// \// "Word to the wise guy; be nice or be dog food!"

.... Anything worth doing is worth overdoing.

William Kronert
Nov 11, 2007, 4:50:20 PM

Xavier Roche <xro...@free.fr.nospam.invalid> wrote:
> William Kronert a écrit :
>> It appears that hipcrime used suddenlink and roadrunner yesterday,

> I'm putting suddenlink on UDP until something is done to limit these floods.

I'll agree with that.

> (Anyway suddenlink does not seems to used that much, except for spamming
> and flooding)

I too haven't been able to see any traffic coming from suddenlink except
for hipcrime floods.


Bill

William Kronert
Nov 11, 2007, 4:54:21 PM

Black Dragon <b...@nomail.invalid> wrote:
> I admin a small server (few dozen groups) which has been affected by the
> hipcrime sporge. I disagree with any UDPs as the result of that sporge.

There are many ways to set your server up to opt-out of any UDP's given
that the path for these UDP's is: UDP-BOT!udp!hip-crime-udp!cyberspam

Bill
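The two Path-based checks described in Bill's posts above (the filter on the Newshosting posting hosts derived from the inpaths data, and the opt-out keyed on the UDP cancel path), as an added worked example in Python. This is not code from the thread or from any news server package: the host names are the ones quoted above, but the sample articles, their Message-IDs and the policy sets are constructed for illustration, and a real INN or Cleanfeed deployment would express the same checks in its own filter language.

```python
"""Path-based article filtering for a news server (added example).

Two checks from the thread: a passive UDP that drops articles injected
through Newshosting's posting hosts on behalf of roadrunner.com /
news.suddenlink.net, and the opt-out that ignores cancels whose Path
carries the UDP pseudo-path "UDP-BOT!udp!hip-crime-udp!cyberspam".
"""

# Policy knobs (hypothetical values; a real site would tune them).
BLOCKED_INJECTION_SITES = {"roadrunner.com", "news.suddenlink.net"}
NEWSHOSTING_POSTING_HOSTS = {"post01.iad01", "post02.iad01"}
UDP_PSEUDO_PATH = "UDP-BOT!udp!hip-crime-udp!cyberspam"


def parse_headers(article):
    """Return a {lower-name: value} dict for the header block of an article."""
    headers, last = {}, None
    for line in article.splitlines():
        if not line.strip():            # blank line ends the header block
            break
        if line[0] in " \t" and last:   # folded continuation line
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return headers


def path_hops(path):
    """Split a Path header into hops: newest on the left, injector on the right."""
    return [hop for hop in path.split("!") if hop]


def injection_site(path):
    """The leaf site that injected the article (the hop before 'not-for-mail')."""
    hops = path_hops(path)
    if hops and hops[-1] == "not-for-mail":
        hops.pop()
    return hops[-1] if hops else None


def via_newshosting_posting_host(path):
    """True if the article entered Usenet through one of Newshosting's posting servers."""
    hops = set(path_hops(path))
    return "newshosting.com" in hops and bool(hops & NEWSHOSTING_POSTING_HOSTS)


def passive_udp_verdict(article):
    """'drop' for articles injected at a blocked site, otherwise 'accept'.

    Matching the injecting leaf rather than any hop keeps this a passive
    UDP against the named sites: an article that merely transits
    newshosting.com from another customer is still accepted.
    """
    headers = parse_headers(article)
    if injection_site(headers.get("path", "")) in BLOCKED_INJECTION_SITES:
        return "drop"
    return "accept"


def is_udp_cancel(article):
    """True for a Control: cancel whose Path carries the UDP pseudo-path.

    A site that wants to opt out of the UDP skips exactly these cancels
    and keeps honouring ordinary ones.
    """
    headers = parse_headers(article)
    control = headers.get("control", "").lower()
    path = headers.get("path", "").lower()
    return control.startswith("cancel") and UDP_PSEUDO_PATH.lower() in path


# Constructed samples; only the Path prefixes mirror the ones quoted in the thread.
FLOOD_ARTICLE = """Path: news.example.invalid!newshosting.com!post01.iad01!roadrunner.com!not-for-mail
From: flood@example.invalid
Newsgroups: sci.crypt
Subject: do not prompt the borders hatefully, persuade them little
Message-ID: <flood-1@example.invalid>
NNTP-Posting-Host: 192.0.2.10

(random sporge body)
"""

TRANSIT_ARTICLE = """Path: news.example.invalid!newshosting.com!post02.iad01!news.aliant.net!not-for-mail
From: user@example.invalid
Newsgroups: sci.crypt
Subject: Re: key schedule question
Message-ID: <legit-1@example.invalid>

(a real post from a Newshosting customer that is not under UDP)
"""

UDP_CANCEL = """Path: news.example.invalid!UDP-BOT!udp!hip-crime-udp!cyberspam
From: udp-bot@example.invalid
Newsgroups: sci.crypt
Subject: cmsg cancel <flood-1@example.invalid>
Control: cancel <flood-1@example.invalid>
Message-ID: <cancel.flood-1@example.invalid>

UDP cancel; see news.admin.net-abuse.policy for the announcement.
"""

if __name__ == "__main__":
    for name, art in (("flood", FLOOD_ARTICLE), ("transit", TRANSIT_ARTICLE)):
        print(name, passive_udp_verdict(art),
              via_newshosting_posting_host(parse_headers(art)["path"]))
    print("udp cancel:", is_udp_cancel(UDP_CANCEL))
```

The leaf check is what makes the filter safe for a transit site: both sample articles pass through newshosting.com and a post0X.iad01 host, but only the one injected at roadrunner.com is dropped.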


William Kronert
Nov 12, 2007, 4:56:08 AM

Black Dragon <b...@nomail.invalid> wrote:

> Please correct me if I am wrong. There is more to a UDP than running a
> cancel-bot against a specific host, and that involves de-peering a
> usually rogue host. Which, or how many, servers are honoring this
> alleged UDP against RoadRunner via de-peering Newshosting?

I haven't heard anyone mention a de-peering campaign against Newshosting.
In fact I haven't even cut our feed with Newshosting. De-peering
campaigns against a major transit server require a huge amount of work
with a long and problematic outcome.

> All I see is a cancel-bot running and some admins dropping posts from
> Roadrunner with Cleanfeed. As for filtering, your server, your rules, no
> harm, no foul. Running a cancel-bot against everything posted from
> RoadRunner is itself Usenet abuse. Legitimate traffic is being canceled
> without good justification as far as I'm concerned.

This is where we are going to agree to disagree. There have been 6 months
of justification against roadrunner. With daily floods ranging up to
20,000 articles/day and in a wide range of newsgroups, I haven't seen a
better justification.

Bill


William Kronert
Nov 12, 2007, 6:26:45 AM

Black Dragon <b...@nomail.invalid> wrote:
> William Kronert wrote:
> We agree to disagree. OK.

OK.

> Suggest these addresses:

> <secu...@rr.com>
> <ne...@rr.com>
> Your best bet is with security@, news@ seems to be a black hole as of late.

Another justification: every e-mail I have sent (and others have tried
too) has gone unanswered by roadrunner, and yes, mine have been sent to
abuse, security, news, etc. There isn't anyone home at roadrunner.

Bill

Tim Skirvin
Nov 12, 2007, 10:46:35 AM

William Kronert <wkro...@sunstroke.sdsu.edu> writes:

> There are many ways to set your server up to opt-out of any UDP's given
> that the path for these UDP's is: UDP-BOT!udp!hip-crime-udp!cyberspam

This *must* be advertised better if we're going to keep it up.

Again, the five points that I think are necessary for a UDP:

1. A "public" explanation of what is going on and why, suitable
for somebody to easily turn into a press release (if it isn't already a
press release).

2. A more detailed explanation, also public, that includes copies
of the evidence and information about what kinds of actions are being
taken.

3. A technical explanation of what a given news site can do to
join the UDP, including (potentially) how to advertise the fact that they
are doing so; and, if possible, how to opt-out of the UDP as well.

4. A technical explanation to the site in question explaining
what it will take to get the UDP to be lifted.

5. Some kind of "official consensus" to proceed with the UDP.

Most of the effort to this point has been put into #5; but I don't
think it's reasonable at this point to continue if we don't also have #1-4
completed, and probably posted to places like news.admin.announce, with
pointers ready for those groups that are being affected (sci.crypt, for
instance).


I also think we may also want to, in this case, add another point:

6. Examples showing what difference the UDP makes. This could be
as easy as putting together a read-only interface for a few of the affected
groups that acts on the UDP. (That is, show what sci.crypt looks like
"before" and "after".)

- Tim Skirvin (tski...@killfile.org)
Moderator, much of news.admin.net-abuse.*

Peter Pearson
Nov 12, 2007, 1:01:35 PM

On Mon, 12 Nov 2007 09:46:35 -0600, Tim Skirvin <tski...@killfile.org> wrote:
>
> Again, the five points that I think are necessary for a UDP:
>
> 1. A "public" explanation of what is going on and why, suitable
> for somebody to easily turn into a press release (if it isn't already a
> press release).

Google Docs is a great tool for collaborating on a document,
although only GMail users can participate. If there's interest,
I'll start a document there and share it with people.

Frank Slootweg
Nov 12, 2007, 4:55:14 PM

Gary L. Burnore <gbur...@databasix.com> wrote:
> On Sun, 11 Nov 2007 00:10:32 -0600, Kathy Morgan <kmo...@spamcop.net>
> wrote:
[...]

> >Sorry for being so late to chime in--I haven't had time to read NANAP
> >for a couple of days. I'm just a user, not an admin, but I would have
> >answered same as the other respondents.
>
> All that for a me too? Feh.

Give her a break, Gary! At least *she* used actual text to get past
the "The message must have less than 70% quoted text." rule. :-(

Frank Slootweg
Nov 12, 2007, 5:06:32 PM

Peter J Ross <p...@example.invalid> wrote:
[...]

> As a newbie to the struggle against abuse of the net, I'm sorry that
> there are so few interested oldbies from whom I can learn.
>
> And even I would be more comfortable discussing these issues in
> unmoderated NANAU than here.

Why is that? The audience? The moderation? Other?

FWIW, IMO the low signal / high noise of NANAU makes it useless for
any substantial discussion. That's why nowadays 'we' hang out here.

And, AFAIC, you're no "newbie to the struggle against abuse of the
net". But we *do* admire your modesty! :-)

William Kronert
Nov 12, 2007, 5:52:02 PM

Tim Skirvin <tski...@killfile.org> wrote:
> William Kronert <wkro...@sunstroke.sdsu.edu> writes:
>> There are many ways to set your server up to opt-out of any UDP's given
>> that the path for these UDP's is: UDP-BOT!udp!hip-crime-udp!cyberspam

> This *must* be advertised better if we're going to keep it up.

What would you suggest for advertising it?

And just for the record, my notices to Highwinds/Newshosting and Road
Runner have clearly informed them of the UDP action and the ongoing
discussion in nanap and have encouraged them to take part here. I have
never received a reply from Roadrunner nor Newshosting directly, but only
indirectly from Highwinds. I have posted here the most recent response
from Highwinds regarding the status of their solution, which is a
posting filter that is being developed for their Newshosting posting
servers.


> Again, the five points that I think are necessary for a UDP:
> 1. A "public" explanation of what is going on and why, suitable
> for somebody to easily turn into a press release (if it isn't already a
> press release).

Perhaps some examples would be helpful and are there any volunteers? It
sounds like Peter is willing to try.

> 2. A more detailed explanation, also public, that includes copies
> of the evidence and information about what kinds of actions are being
> taken.

A more detailed explanation can easily be obtained from the public
explanation but with additional information. Copies of evidence should
easily be obtained from any user or admin who is not cleaning out these
infected groups. At the end I will copy over a few examples that I
obtained.

> 3. A technical explanation of what a given news site can do to
> join the UDP, including (potentially) how to advertise the fact that they
> are doing so; and, if possible, how to opt-out of the UDP as well.
> 4. A technical explanation to the site in question explaining
> what it will take to get the UDP to be lifted.

I think the technical explanations should be started by Xavier and we
could all help out in the development of it.


> I also think we may also want to, in this case, add another point:
> 6. Examples showing what difference the UDP makes. This could be
> as easy as putting together a read-only interface for a few of the affected
> groups that acts on the UDP. (That is, show what sci.crypt looks like
> "before" and "after".)

What are the chances of having a read only setup on killfile.org for this
purpose?

A few examples/evidence of recent flooding from roadrunner:

Path:...!newshosting.com!post01.iad01!roadrunner.com!not-for-mail
From: but...@SHRILLY.EDU.CY (Lt. G. Sondergaard)
Message-ID: <40466gQmPaGY4Jp...@SHRILLY.EDU.CY>
Newsgroups: sci.crypt
Subject: do not prompt the borders hatefully, persuade them little
Date: Mon, 12 Nov 2007 19:25:21 GMT
Organization: if you will frame Hussein's office prior to arms, it will
greatly gaze the enjoyment
Lines: 66
NNTP-Posting-Host: 65.189.142.176
X-Complaints-To: ab...@rr.com

Path:...!newshosting.com!post01.iad01!roadrunner.com!not-for-mail
From: inte...@SUPPLY.CO.JP (O. R. Precissi-Ivester)
Message-ID: <26952coyd0ImKG...@SUPPLY.CO.JP>
Newsgroups: news.admin.net-abuse.email
Subject: Re: to be delicate or dead will enjoy australian Lakes to
usually admit
Date: Mon, 12 Nov 2007 19:38:18 GMT
Organization: just sharing once again a decade between the mountain is
too european for Youssef to shoot it
Lines: 66
NNTP-Posting-Host: 65.189.142.176
X-Complaints-To: ab...@rr.com

Path:...!newshosting.com!post01.iad01!post02.iad01!roadrunner.com!not-for-mail
From: math...@SPECIFICALLY.ORG
Message-ID: <84MY3BP29ENGQOcXAOGqn...@SPECIFICALLY.ORG>
Newsgroups: sci.crypt
Subject: Re: i was disliking to perform you some of my boring capitalisms
Date: Sat, 10 Nov 2007 18:05:51 GMT
Organization: Sheri in addition to Basksh Abu AL-Bar
Lines: 39
NNTP-Posting-Host: 74.74.194.165
X-Complaints-To: ab...@rr.com

Path:....!newshosting.com!post02.iad01!roadrunner.com!not-for-mail
From: Roxanna...@res.rr.com
Message-ID: <85RSJgsa....@res.rr.com>
Newsgroups: sci.crypt
Subject: mainly exceed this mean mm
Date: Tue, 5 Nov 2007 20:09:34 GMT
Organization: integral soldier
Lines: 75
NNTP-Posting-Host: 76.183.225.92
X-Complaints-To: ab...@rr.com

Path:....!newshosting.com!post02.iad01!roadrunner.com!not-for-mail
From: crit...@sentence.fm.us (Neil)
Message-ID: <yHk8gqfKcQ866MKl8LhFK...@sentence.fm.us>
Newsgroups: news.admin.net-abuse.email
Subject: Re: you won't amount me signaling as well as your eastern
jurisdiction
Date: Sat, 10 Nov 2007 18:38:07 GMT
Organization: Blanche under Waleed AL-Sheikh
Lines: 38
NNTP-Posting-Host: 74.74.194.165
X-Complaints-To: ab...@rr.com

Tim Skirvin
Nov 12, 2007, 7:00:22 PM

William Kronert <wkro...@sunstroke.sdsu.edu> writes:

>>> There are many ways to set your server up to opt-out of any UDP's given
>>> that the path for these UDP's is: UDP-BOT!udp!hip-crime-udp!cyberspam

>> This *must* be advertised better if we're going to keep it up.

> What would you suggest for advertising it?

news.admin.announce, for starters. news.announce.important might
be interesting, though I don't know if it'd be accepted (and I'm probably
one of the co-moderators lately anyway). The rest of news.admin.net-abuse.*.

But that's just to announce the individual UDP. I think that it's
imperative that a FAQ be written up and regularly posted explaining the
concept of a UDP and why such a thing would happen; how sites can opt-out
(or opt-in); and as much of the generic information from 1-5 as possible.
And this FAQ should be posted to news.answers, linked from major Usenet
documentation pages, and so forth.

All of this should also be on a clear webpage, but that's not
really that difficult.

This didn't happen before; instead, things happened behind the
scenes. That doesn't seem to be an option here; there aren't enough news
admins left here in nana.*

> And just for the record, my notices to Highwinds/Newshosting and Road
> Runner have clearly informed them of the UDP action and the ongoing
> discussion in nanap and have encouraged them to take part here.

I don't know that it's really quite as vital to tell *them* what's
going on, as opposed to the rest of the world. By the time it gets to a
UDP stage, it needs to be clear to the abusing providers what's going on;
we need to encourage others to sign up, and we need to be up front about
what we're asking for.

>> 1. A "public" explanation of what is going on and why, suitable
>> for somebody to easily turn into a press release (if it isn't already a
>> press release).

> Perhaps some examples would be helpful and are there any volunteers? It
> sounds like Peter is willing to try.

The best I can say is to look at the public announcements of the
UUNet UDP back in the day.

>> I also think we may also want to, in this case, add another point:

>> 6. Examples showing what difference the UDP makes. This could be
>> as easy as putting together a read-only interface for a few of the affected
>> groups that acts on the UDP. (That is, show what sci.crypt looks like
>> "before" and "after".)

> What are the chances of having a read only setup on killfile.org for this
> purpose?

Done.

http://news.killfile.org/index.cgi?group=sci.crypt

Note that, if anybody has some filters to clean it up faster, it'd
be appreciated.

Xavier Roche
Nov 13, 2007, 2:24:28 AM

William Kronert wrote:
> discussion in nanap and have encouraged them to take part here. I have
> never received a reply from Roadrunner nor Newshosting directly but only
> indirectly from Highwinds.

I directly informed roadrunner (through twcable) of the ongoing UDP.

Can anyone try (again) to contact abuse at rr.com ? This address
"should" be monitored, according to twcable.

>> 1. A "public" explanation of what is going on and why, suitable
>> for somebody to easily turn into a press release (if it isn't already a
>> press release).
> Perhaps some examples would be helpful and are there any volunteers? It
> sounds like Peter is willing to try.

This would help, yes. The summary is plain and simple, unfortunately: a
bunch of hijacked domestic machines (and/or open proxies), collected on
various script-kiddie websites, are being used by a moron from Ukraine
to connect to various news servers and start denial of service attacks,
using a script-kiddie client called "Hipcrime" (a Java-based piece of
crap aimed at randomly generating forged articles that are very difficult
to filter). The moron also ripped the Hipcrime client code and forked a
new version, called "newsmaestro".

Many news servers are involved in the attack, but none of them was as
unresponsive, as permissive (allowing to send tens of thousands of
articles per hour), and as abuse-friendly as roadrunner.

The problem behind these attacks is more general: hijacked personal
machines have never been considered as a serious issue by internet
service providers (and their abuse desks). This is unfortunate, because
their users are generally unaware of the illegal use of their machine,
even if they _are_ responsible.

(apologies for the very approximate English)

You may want to check out sci.crypt, and/or news.admin.net-abuse.email,
on a server not processing cancels, like giganews, and see the articles
emitted from rr. You can also check the various NoCeM notices emitted in
the last weeks.

>> 3. A technical explanation of what a given news site can do to
>> join the UDP, including (potentially) how to advertise the fact that they

- accepting cancels, or filtering roadrunner as a passive UDP (the path
can be filtered using "!roadrunner.com!" -- this is a leaf and you won't
block other articles in transit), and/or informing neighbour feeds not to
feed roadrunner articles anymore
- emitting cancels against roadrunner using the standard $alz cancel
mechanism (but it might be blocked by hipcrime ?) to increase UDP
reactivity, using a pseudo path such as "udp-against-roadrunner", and the
official announcement as cancel message body with a link to nanap

>> 4. A technical explanation to the site in question explaining
>> what it will take to get the UDP to be lifted.

- a reply from the rr abuse desk ? a sign of life ?
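The active-UDP half of Xavier's technical explanation above (one $alz-convention cancel per flood article, a pseudo-site in the Path that opted-out servers can refuse, and the announcement as the body), as an added Python example that is not code from Xavier or anyone else in the thread. The target headers, the issuer address, the pseudo-path value and the announcement text are constructed placeholders; the thread itself mentions both "udp-against-roadrunner" and the "UDP-BOT!udp!hip-crime-udp!cyberspam" path for the cancels.

```python
"""Generating $alz-convention cancels for an active UDP (added example).

The $alz convention derives the cancel's Message-ID from the target's
("<x@y>" -> "<cancel.x@y>"), so a server that has already seen one bot's
cancel refuses a duplicate from another, and anyone can tell from the ID
alone which article a cancel is for. The pseudo-site in the Path is what
a site lists in its own Path aliases to refuse these cancels (the opt-out).
"""

DEFAULT_PSEUDO_PATH = "udp-against-roadrunner!cyberspam"   # hypothetical value
ANNOUNCEMENT = (   # constructed placeholder for the public announcement text
    "This article was cancelled as part of a Usenet Death Penalty against "
    "roadrunner.com. See news.admin.net-abuse.policy for the announcement."
)


def alz_cancel_message_id(original_id):
    """'<x@y>' -> '<cancel.x@y>' (the $alz cancel-ID convention)."""
    original_id = original_id.strip()
    if not (original_id.startswith("<") and original_id.endswith(">")):
        raise ValueError("not a bracketed Message-ID: %r" % original_id)
    return "<cancel." + original_id[1:]


def build_udp_cancel(target, issuer="udp-bot@example.invalid",
                     pseudo_path=DEFAULT_PSEUDO_PATH, body=ANNOUNCEMENT):
    """Return the full text of a cancel for the article whose headers are `target`.

    `target` is a dict with lower-cased header names; only message-id and
    newsgroups are needed. The cancel is posted to the same groups so it
    follows the same propagation as the article it removes.
    """
    mid = target["message-id"].strip()
    headers = [
        ("Path", pseudo_path + "!not-for-mail"),
        ("From", issuer),
        ("Newsgroups", target["newsgroups"]),
        ("Subject", "cmsg cancel " + mid),
        ("Control", "cancel " + mid),
        ("Message-ID", alz_cancel_message_id(mid)),
        ("X-Cancelled-By", issuer),   # hypothetical tracing header
    ]
    return "\n".join("%s: %s" % kv for kv in headers) + "\n\n" + body + "\n"


def cancels_for(targets, **kw):
    """One cancel per target, never cancelling something that is itself a cancel."""
    return [build_udp_cancel(t, **kw) for t in targets
            if not t.get("control", "").lower().startswith("cancel")]


def cancelled_message_id(cancel_text):
    """Message-ID named in a cancel's Control header, or None if it is not a cancel."""
    for line in cancel_text.split("\n\n", 1)[0].splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "control":
            parts = value.split()
            if len(parts) == 2 and parts[0].lower() == "cancel":
                return parts[1]
    return None


# Constructed targets; the newsgroups mirror the flood headers quoted earlier.
SAMPLE_TARGETS = [
    {"message-id": "<flood-1@example.invalid>", "newsgroups": "sci.crypt"},
    {"message-id": "<flood-2@example.invalid>",
     "newsgroups": "news.admin.net-abuse.email"},
    {"message-id": "<cancel.flood-1@example.invalid>", "newsgroups": "sci.crypt",
     "control": "cancel <flood-1@example.invalid>"},   # already a cancel: skipped
]

if __name__ == "__main__":
    for cancel in cancels_for(SAMPLE_TARGETS):
        print(cancel)
```

Whether a given server honours the result depends on the first point in Xavier's list: a site accepting cancels will act on these, a site that has added the pseudo-site to its own Path aliases will drop them unread, which is exactly the opt-in/opt-out split Tim asks for.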

Matija Nalis
Nov 13, 2007, 9:29:14 AM

On 2007-11-12, Black Dragon <b...@nomail.invalid> wrote:

> Chika wrote:
>> Black Dragon <b...@nomail.invalid> wrote:
>>> I admin a small server (few dozen groups) which has been affected by the
>>> hipcrime sporge. I disagree with any UDPs as the result of that sporge.
>
>> You do? Why?
>
> Too much collateral damage.

There is much collateral, that is true.

But situation is very bad (and bound to get worse), and only doable solutions
are either:

1) accept that Usenet is ruined, and turn off news servers as they had
become useless under sporge floods

2) kill out offending sites, reducing (but far from totally killing)
its usability. [that one is what UDP would do]

There are also two undoable "solutions" (due to the inhumanly extreme
amounts of work needed):

3) require your users to read thousands of sporge posts to find one that
is an actual human post. (no one would do it)

4) require your staff to read tens of thousands of sporge posts and cancel
them one by one before they approve other posts for your users. (you
don't have that amount of money to pay them, especially when sporge
floods become stronger)

There is also the mythical:

5) make a bot that would automagically distinguish sporge flood posts from
genuine posts and cancel only sporge. While such animals theoretically
could exist at this moment, their accuracy is questionable, and minimal
changes to the hipcrime tools would make them completely useless.

That is because NNTP as a protocol does not carry enough data needed to
securely isolate the offender and kill just his posts; so s/he is not
possible to determine (we're using flaky heuristics at best).

> I feel the sporge isn't as much of an Usenet abuse issue as it is a
> security [lack of] issue. As long as some news servers (typically ISP
> services) continue to use IP address based authentication there will
> always be some form of abuse from open socks proxies and suchlike.

I don't think using username/password instead of IP-address based
authentication would help at all. If luser's machine is taken over, it is as
easy (especially on windows machine) to send sporge floods if user is
authenticated via IP, as it is authenticated via username/password over SSL.

> IMO, this needs to dealt with at a security level, not a Usenet admin
> level.

No, it is not. When a machine becomes a zombie, it can automatically do,
under the control of the attacker, *anything* its user could do which does
not require off-computer manual intervention (like plugging the cable in,
or entering a PIN on a smartcard reader with a detached keyboard, or using
a token device not connected to the computer, as for secure banking etc.).
Which conveniently covers *ALL* of the current methods to access Usenet.

The best that can be done at the ISP/NSP side is throttling the maximum
number of posts that a user can post in a time unit. But it only protects
from this ISP/NSP's users -- if some ISP/NSP doesn't want to do it (like
the one recommended for UDP), other news servers have no other defense
than to refuse to carry the bad site's articles.


--
Opinions above are GNU-copylefted.
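The ISP/NSP-side throttle Matija describes, as an added Python example that is not code from the thread or from any news server: a sliding-window limit on articles per NNTP-Posting-Host, the one defence that works regardless of whether the client authenticated by IP address or by password. The 30-posts-per-10-minutes budget, the replayed event stream and the addresses (RFC 5737 documentation ranges) are all constructed.

```python
"""Per-host posting throttle for an injection server (added example).

A zombie behind an ISP's news server looks like any other customer to
the authentication layer; what distinguishes it is the posting rate.
This keeps a sliding window of accepted post times per posting host
and refuses anything over budget, recording the refusals so the abuse
desk has a list of hosts to look at.
"""
from collections import defaultdict, deque


class PostThrottle:
    def __init__(self, max_posts=30, window_seconds=600):
        self.max_posts = max_posts            # hypothetical budget
        self.window = window_seconds
        self._seen = defaultdict(deque)       # host -> times of accepted posts
        self.rejected = defaultdict(int)      # host -> number of refused posts

    def allow(self, host, now):
        """Accept the post at time `now` unless `host` has used its window budget."""
        q = self._seen[host]
        while q and now - q[0] >= self.window:   # expire posts outside the window
            q.popleft()
        if len(q) >= self.max_posts:
            self.rejected[host] += 1
            return False
        q.append(now)
        return True

    def offenders(self, min_rejected=1):
        """Hosts that have been refused at least `min_rejected` times, sorted."""
        return sorted(h for h, n in self.rejected.items() if n >= min_rejected)


def replay(events, throttle=None):
    """Feed (timestamp, host) posting events through a throttle.

    Returns (accepted-count-per-host, throttle) so the refusals can be
    inspected afterwards. `events` must be in time order.
    """
    throttle = throttle or PostThrottle()
    accepted = defaultdict(int)
    for ts, host in events:
        if throttle.allow(host, ts):
            accepted[host] += 1
    return dict(accepted), throttle


# Constructed stream: one hijacked machine firing every 2 s for 10 minutes
# (300 articles, the shape of a hipcrime flood) next to one human posting
# three times in the same period.
ZOMBIE = "192.0.2.10"
HUMAN = "198.51.100.7"
EVENTS = sorted([(t, ZOMBIE) for t in range(0, 600, 2)]
                + [(10, HUMAN), (250, HUMAN), (590, HUMAN)])

if __name__ == "__main__":
    accepted, throttle = replay(EVENTS)
    print("accepted:", accepted)
    print("rejected:", dict(throttle.rejected))
    print("offenders:", throttle.offenders())
```

The human's three posts are untouched because the budget is per host, while the zombie gets its first 30 articles through and is refused for the remaining 270. That is the limit of the approach Matija points out: it stops the flood only at the injecting site that chooses to run it.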

Peter Pearson
Nov 13, 2007, 7:01:17 PM

On Tue, 13 Nov 2007 01:24:28 -0600, Xavier Roche wrote:
> William Kronert wrote:
>>> 1. A "public" explanation of what is going on and why, suitable
>>> for somebody to easily turn into a press release (if it isn't already a
>>> press release).
>> Perhaps some examples would be helpful and are there any volunteers? It
>> sounds like Peter is willing to try.

A skeletal start is at http://docs.google.com/Doc?id=dhkx7nsg_2z3zgsr .
Comments are welcome. Help is very welcome: I will be happy to
"share" the document with you, but you have to be a Gmail user to
play.

Einstein
Nov 13, 2007, 10:20:45 PM

That page with the graphics is good, however I would like to note that
there are about 50,000 legit posts on sci.crypt, but there are 450,000
spam posts. This is getting so extreme as to destroy any chance for
reading, learning, and otherwise.

William Kronert
Nov 14, 2007, 5:26:44 AM

I think it's a great start. In the summary section I might suggest adding
the point that customer machines are being hijacked through open
proxies for the purpose of DoS attacks, or something to that effect.

Bill

Edward A. Falk
Nov 28, 2007, 8:31:49 PM

In article <13iv5f4...@news.supernews.com>,
Peter Pearson <ppea...@nowhere.invalid> wrote:
>
>By "howto" I mean an automatic reply containing instructions
>on submitting a complaint. Man, when you have to automate
>the process of telling your accidental victims how to scream,
>you've really lost control of your business.

OK, that's going straight into my quotes file.

--
-Ed Falk, fa...@despams.r.us.com
http://thespamdiaries.blogspot.com/
