nanog mailing list archives

Re: duplicate emails?


From: "Stephen J. Wilcox" <steve () telecomplete co uk>
Date: Tue, 29 Jun 2004 21:10:38 +0100 (BST)



It has been pointed out to me that other people arent seeing the dups, that 
these are being resent directly to my address and that its a MIL host doing it.

Perhaps I dropped phrases about terrorism or porn into my posts and I'm now 
being targeted by eschelon ;-O

Steve (hiding in basement under foil blanket)

On Tue, 29 Jun 2004, Stephen J. Wilcox wrote:

This host appears to be resending nanog posts? :

Received: from e500smtp01.nga.mil(164.214.6.120) by relay5.nga.mil via smap
(V5.5) id xma020150; Tue, 29 Jun 04 10:25:13 -0400

Originally received yesterday sometime...

---------- Forwarded message ----------
Return-path: <MAILER-DAEMON () relay5 nga mil>
Envelope-to: steve () telecomplete net
Delivery-date: Tue, 29 Jun 2004 14:25:46 +0000
Received: from exim by mx-0.telecomplete.net with spam-scanned (Exim 4.22)
      id 1BfJYP-00065u-Li
      for steve () telecomplete net; Tue, 29 Jun 2004 14:25:46 +0000
Received: from exim by mx-0.telecomplete.net with scanned-ok (Exim 4.22)
      id 1BfJYP-00065h-1o
      for steve () telecomplete net; Tue, 29 Jun 2004 14:25:45 +0000
Received: from relay5.nga.mil ([164.214.4.61])
      by mx-0.telecomplete.net with esmtp (Exim 4.22)
      id 1BfJYO-00065C-6w
      for steve () telecomplete co uk; Tue, 29 Jun 2004 14:25:44 +0000
Received: by relay5.nga.mil; id KAA20159; Tue, 29 Jun 2004 10:25:38 -0400 (EDT)
Received: from e500smtp01.nga.mil(164.214.6.120) by relay5.nga.mil via smap
    (V5.5)
      id xma020150; Tue, 29 Jun 04 10:25:13 -0400
Received: from relay2.nga.mil(164.214.6.52) by e1000smtp2.nima.mil via
    csmap 
       id 78e94c8c_c949_11d8_9cac_0002b3c81b76_16242;
      Mon, 28 Jun 2004 17:24:00 -0400 (EDT)
Received: by relay2.nga.mil; id RAA13558; Mon, 28 Jun 2004 17:22:36 -0400 (EDT)
Received: from trapdoor.merit.edu(198.108.1.26) by relay2.nga.mil via smap
    (V5.5)
      id xma010754; Mon, 28 Jun 04 17:14:29 -0400
Received: by trapdoor.merit.edu (Postfix)
      id 6C1A091277; Mon, 28 Jun 2004 17:12:33 -0400 (EDT)
Delivered-To: nanog-outgoing () trapdoor merit edu
Received: by trapdoor.merit.edu (Postfix, from userid 56)
      id 3590491285; Mon, 28 Jun 2004 17:12:33 -0400 (EDT)
Delivered-To: nanog () trapdoor merit edu
Received: from segue.merit.edu (segue.merit.edu [198.108.1.41])
      by trapdoor.merit.edu (Postfix) with ESMTP id 2AB5D91277
      for <nanog () trapdoor merit edu>; Mon, 28 Jun 2004 17:12:26 -0400 (EDT)
Received: by segue.merit.edu (Postfix)
      id 568C759D1B; Mon, 28 Jun 2004 17:12:26 -0400 (EDT)
Delivered-To: nanog () nanog org
Received: from uswgco34.uswest.com (uswgco34.uswest.com [199.168.32.123])
      by segue.merit.edu (Postfix) with ESMTP id 21E1559C56
      for <nanog () nanog org>; Mon, 28 Jun 2004 17:12:26 -0400 (EDT)
Received: from egate-ne2.uswc.uswest.com (egate-ne2.uswc.uswest.com
    [151.117.64.200])
      by uswgco34.uswest.com (8/8) with ESMTP id i5SLCLSu006141;
      Mon, 28 Jun 2004 15:12:21 -0600 (MDT)
Received: from ITDENE2KSM02.AD.QINTRA.COM (localhost [127.0.0.1])
      by egate-ne2.uswc.uswest.com (8.12.10/8.12.10) with ESMTP id
    i5SLCKCx008243;
      Mon, 28 Jun 2004 16:12:20 -0500 (CDT)
Received: from itdene2km08.AD.QINTRA.COM ([10.1.4.107]) by
    ITDENE2KSM02.AD.QINTRA.COM with Microsoft SMTPSVC(5.0.2195.5329);
       Mon, 28 Jun 2004 15:12:20 -0600
X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
      charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: BGP list of phishing sites?
Date: Mon, 28 Jun 2004 15:12:12 -0600
Message-ID:
    <9921AB57EA49D242A076864C5F473D3C650089 () itdene2km08 AD QINTRA COM>
Thread-Topic: BGP list of phishing sites?
Thread-Index: AcRdUpLPcFNCkm3pQvC9Iiw2DaWELgAAelTA
From: "Smith, Donald" <Donald.Smith () qwest com>
To: "Stephen J. Wilcox" <steve () telecomplete co uk>
Cc: "Scott Call" <scall () devolution com>, <nanog () nanog org>
X-OriginalArrivalTime: 28 Jun 2004 21:12:20.0544 (UTC)
    FILETIME=[9965D400:01C45D54]
Sender: owner-nanog () merit edu
Precedence: bulk
Errors-To: owner-nanog-outgoing () merit edu
X-Loop: nanog
X-Virus-Scanned: by Telecomplete
X-Spam-Checker-Version: Telecomplete
X-Spam-Level: 
X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00=-4.9 autolearn=no


I agree phishing bgp feed would disrupt the ip address 
to all ISP's that listened to the bgp server involved.
I was addressing a specific issue with listening to such 
a server and that is the loss of control issue. Sorry if that wasn't
clear.

So would ISP's block an phishing site if it was proven 
to be a phishing site and reported by their customers?


Donald.Smith () qwest com GCIA
pgpFingerPrint:9CE4 227B B9B3 601F B500  D076 43F1 0767 AF00 EDCC
Brian Kernighan jokingly named it the Uniplexed Information and
Computing System (UNICS) as a pun on MULTICS.

-----Original Message-----
From: Stephen J. Wilcox [mailto:steve () telecomplete co uk] 
Sent: Monday, June 28, 2004 2:58 PM
To: Smith, Donald
Cc: Scott Call; nanog () nanog org
Subject: RE: BGP list of phishing sites?


Hi Donald,
 the bogon feed is not supposed to be causing any form of 
disruption, the 
purpose of a phishing bgp feed is to disrupt the IP address.. 
thats a major 
difference and has a lot of implications.

Steve

On Mon, 28 Jun 2004, Smith, Donald wrote:

Some are making this too hard.
Of the lists I know of they only blackhole KNOWN active 
attacking or 
victim sites (bot controllers, know malware download locations etc) 
not porn/kiddie porn/pr/choose-who-you-hate-sites ... clients 
(infected
pc's)
are usually not included but could make it on the list given enough
attacks.
It does mean giving up some control of your network which may not be
acceptable to some ISP's.
Its not much different then listening to an automated bogon feed.


Donald.Smith () qwest com GCIA
pgpFingerPrint:9CE4 227B B9B3 601F B500  D076 43F1 0767 AF00 EDCC 
Brian Kernighan jokingly named it the Uniplexed Information and 
Computing System (UNICS) as a pun on MULTICS.

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On
Behalf Of Stephen J. Wilcox
Sent: Monday, June 28, 2004 11:56 AM
To: Scott Call
Cc: nanog () nanog org
Subject: Re: BGP list of phishing sites?



On Sun, 27 Jun 2004, Scott Call wrote:

On the the things the article mentioned is that ISP/NSPs
are shutting
off
access to the web site in russia where the malware is being
downloaded
from.

Now we've done this in the past when a known target of 
a DDOS was
upcoming
or a known website hosted part of a malware package, and it 
is fairly
effective in stopping the problems.

So what I was curious about is would there be interest in a
BGP feed
(like
the DNSBLs used to be) to null route known malicious sites
like that?

Obviously, both operational guidelines, and trust of 
the operator
would
have to be established, but I was thinking it might be 
useful for a few
purposes:

1> IP addresses of well known sources of malicious code 
(like in 
1> the
example above)
2> DDOS mitigation (ISP/NSP can request a null route of a
prefix which
will save the "Internet at large" as well as the NSP from
the traffic
flood
3> etc

Since the purpose of this list would be to identify and
mitigate large
scale threats, things like spammers, etc would be outside
of it's charter.

If anyone things this is a good (or bad) idea, please 
let me know. 
Obviously it's not fully cooked yet, but I wanted to throw
it out there.

Personally - bad.

So what do you want to include in this list.. phishing? But
why not add bot C&C, 
bot clients, spam sources, child porn, warez sites. Or if you 
live in a censored 
region add foreign political sites, any porn, or other 
messages deemed bad.

Who maintains the feed, who checks the sites before adding
them, who checks them 
before removing them. 

What if the URL is a subdir of a major website such as
aol.com or ebay.com or angelfire.com ... what if the URL is a 
subdir of a minor site, such as yours or 
mine? 

What if there is some other dispute over a null'ed IP,
suppose they win, can 
they be compensated?

Does this mean the banks and folks dont have to continue to
remove these threats now if the ISP does it? Does it mean the 
bank can sue you if you fail to do it? 

What if you leak the feed at your borders, I may not want to
take this from you and now I'm accidentally null routing it 
to you. Should you leak this to downstream ASNs? Should you 
insist your Tier1 provides it and leaks it to you?.. 
just you or all customers?

What if someone mistypes an IP and accidentally nulls
something real bad(TM)? 
What if someone compromises the feeder and injects prefixes 
maliciously?

What about when the phishers adapt and start changing DNS to
point to different IPs quickly, will the system react 
quicker? Does that mean you apply less checks 
in order to get the null route out quicker? Is it just /32s 
or does it need to 
be larger prefixes in the future? Are there other ways 
conceivable to beat such 
a system if it became widespread (compare to spammer tactics)

What if this list gets to be large? Do we want huge amounts
of /32s in our 
internal routing tables?

What if the feeder becomes a focus of attacks by those
wishing to carry out 
phishing or other illegal activities? This has certainly 
become a hazard with 
spam RBLs.


Any other thoughts?

Steve











Current thread: