Discussion:
tacid.org
Nick Shank
2008-07-03 10:50:46 UTC
Greetings,
My name is Nick, and I have inherited admin duties for tacid.org. For an unknown amount of time (a month or more?) mail.tacid.org has been an open relay, sending out large amounts of spam. This should now be fixed. If anyone is still having issues with this domain, please contact me off list.
Thank you,
Nick
Frank Bulk - iNAME
2008-07-05 20:21:55 UTC
Nick:

Leaving a domain and IP fallow for such a long time will end up looking like
my garden did this year when I did the same thing -- overrun with weeds.

Sending a blanket e-mail to NANOG is not going to get the attention of those
who manage the e-mail flow (unless your domain belonged to a Fortune 100).

Just like I should have with my garden, rather than replant among the weed
seeds and spend 99% of my time pulling weeds, I would recommend sowing a new
field by moving your outbound e-mail server(s) to some fresh address space
(different /24 to be sure, ideally another section of SWIPed space) and
start monitoring your outgoing servers' logs. You'll need to work with each
MTA that blocks your e-mail and ask them to delist you from whatever block
(domain or domain reputation) that they have. At the same time,
systematically go to every RBL that tracks by domain name and check the
status of your domain and request delisting as necessary.

Regards,

Frank

-----Original Message-----
From: Nick Shank [mailto:***@laststop.net]
Sent: Thursday, July 03, 2008 5:51 AM
To: ***@nanog.org
Subject: tacid.org

Greetings,
My name is Nick, and I have inherited admin duties for tacid.org. For an
unknown amount of time (a month or more?) mail.tacid.org has been an
open relay, sending out large amounts of spam. This should now be fixed.
If anyone is still having issues with this domain, please contact me off
list.
Thank you,
Nick
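The "go to every RBL and check the status of your domain" step above is mechanical enough to script. The following is an added example, not code from anyone in this thread: it builds the query names that IP-based and domain-based DNS blocklists expect, interprets the answer codes, and walks a whole CIDR block. The zone names (ip.bl.example, dbl.example), the return-code meanings and the stub answers are constructed so it runs offline; a real list publishes its own zone and code table, which you substitute.

```python
"""Check an address block and a domain against blocklists, offline.

Added example for the RBL/delisting advice in the thread; not code from any
poster. The list zones (ip.bl.example, dbl.example), the return-code meanings
and the stub answers are all constructed. Real lists publish their own zone
names and return-code tables, which differ from list to list.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Constructed return-code table; substitute the real list's documented codes.
CODE_MEANINGS: Dict[str, str] = {
    "127.0.0.2": "spam source / open relay",
    "127.0.0.3": "dynamic or residential space",
}

Resolver = Callable[[str], Optional[List[str]]]


def ip_query_name(ip: str, zone: str) -> str:
    """IP-based lists are queried as reversed octets under the list zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on garbage input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def domain_query_name(domain: str, zone: str) -> str:
    """Domain-based lists are queried by the bare domain under the list zone."""
    return f"{domain.strip().rstrip('.').lower()}.{zone}"


def check_listing(qname: str, resolve: Resolver) -> dict:
    """Interpret a lookup: any A record means 'listed', its value says why."""
    answers = resolve(qname)
    if not answers:
        return {"query": qname, "listed": False, "reasons": []}
    reasons = [CODE_MEANINGS.get(a, f"unknown code {a}") for a in answers]
    return {"query": qname, "listed": True, "reasons": reasons}


def audit(block: str, domains: Iterable[str], ip_zones: Iterable[str],
          domain_zones: Iterable[str], resolve: Resolver) -> List[dict]:
    """Check every address in a CIDR block and every domain against every zone."""
    results = []
    for ip in ipaddress.IPv4Network(block):
        for zone in ip_zones:
            results.append(check_listing(ip_query_name(str(ip), zone), resolve))
    for d in domains:
        for zone in domain_zones:
            results.append(check_listing(domain_query_name(d, zone), resolve))
    return results


def listed_queries(results: Iterable[dict]) -> List[str]:
    """Just the query names that came back listed, for the delisting to-do list."""
    return [r["query"] for r in results if r["listed"]]


def live_resolve(qname: str) -> Optional[List[str]]:
    """Real lookup via the system resolver; NXDOMAIN (not listed) comes back as None."""
    try:
        return socket.gethostbyname_ex(qname)[2]
    except socket.gaierror:
        return None


# Constructed answers standing in for DNS so the audit runs offline.
STUB_ANSWERS: Dict[str, List[str]] = {
    "25.2.0.192.ip.bl.example": ["127.0.0.2"],
    "mail.example.org.dbl.example": ["127.0.0.2", "127.0.0.3"],
}


def stub_resolve(qname: str) -> Optional[List[str]]:
    return STUB_ANSWERS.get(qname)


if __name__ == "__main__":
    res = audit("192.0.2.24/30", ["mail.example.org", "example.org"],
                ["ip.bl.example"], ["dbl.example"], stub_resolve)
    for r in res:
        print(r)
    print("listed:", listed_queries(res))
```

Swap `stub_resolve` for `live_resolve` to run it for real; one query per address per zone is a lot of DNS for a large block, so keep the zone list to the lists that actually affect your delivery, and treat any "unknown code" as a reason to read that list's documentation rather than a reason to ignore it.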
Randy Bush
2008-07-05 21:28:55 UTC
Post by Frank Bulk - iNAME
Just like I should have with my garden, rather than replant among the weed
seeds and spend 99% of my time pulling weeds, I would recommend sowing a new
field by moving your outbound e-mail server(s) to some fresh address space
(different /24 to be sure, ideally another section of SWIPed space) and
start monitoring your outgoing servers' logs. You'll need to work with each
MTA that blocks your e-mail and ask them to delist you from whatever block
(domain or domain reputation) that they have. At the same time,
systematically go to every RBL that tracks by domain name and check the
status of your domain and request delisting as necessary.
if the ipv4 free pool run-out produces a lot of address shifting and
recycling of old address space, will there be a market in clean-up
services such as the above. give them your newly-acquired address space
for two months before you need to use it, and they will test and scrub
and write and beg and whine on nanog? it could be that one or two
reputable clean-up folk could develop history with the various blockers
and be able to get the job done better than we could do it ourselves.

randy
Paul Vixie
2008-07-05 21:56:35 UTC
Post by Randy Bush
if the ipv4 free pool run-out produces a lot of address shifting and
recycling of old address space, will there be a market in clean-up
services such as the above. give them your newly-acquired address space
for two months before you need to use it, and they will test and scrub
and write and beg and whine on nanog? it could be that one or two
reputable clean-up folk could develop history with the various blockers
and be able to get the job done better than we could do it ourselves.
reputation-washing is an inherently nonscalable business. dirty blocks
that go back to the washer will be harder and harder to re-clean once the
victims harken to the repeat-business aspects of the activity. dirty users
will go on incorporating a new LLC every week so as to appear to be a new
and different entity as often as they need to, to avoid regulations linked
to one's past reputation.

now, a business whereby small discontiguous blocks could be traded in (with
some cash perhaps) for a contiguous block of the same total size, that'd be
interesting.
--
Paul Vixie
Paul Vixie
2008-07-05 22:25:31 UTC
The real solution to the scorched earth problem is for aging from
blacklists to be dynamic.
if we were designing a full internet system with reputation as a feature,
then no doubt it would be like you're describing. however, reputation
systems are a private action by private right of action and each one will
have its own cost:benefit considerations. this means while it might be a
good design overall, blacklist aging has to be in the interests of
particular blacklist operators and subscribers, or it won't happen. it
generally does not happen, since it costs more value than it produces from
the point of view of a given blacklist operator or subscriber.

i think there's an argument to be made that this is inevitable. every time
any ISP has enforced any kind of numerical limits on abuse by one of its
customers (like first hit's free, three strikes and you're out, and so on)
the abusers have either rotated through providers or through identities
fast enough to make their business run in spite of the limits, or they have
merely counted these slaps on the wrist as part of the cost of doing
business. this means if blacklist entries all aged out, then abusers and
their ISPs would simply rotate through a long chain of address blocks, and
we'd see a lot of address space consumed on the "waiting for reprieve" list
but it would not change the overall abuse growth rate at all.

that's not in the interests of individual blacklist operators or subscribers,
who want to control abuse growth rate.
includes things like prevalence, persistence, and "badness", with a
Gaussian decay function as to time, to establish cut levels for what
should be blocked.
Look at Phil Porras work, and Usenix presentations.
can you tell me, before i invest my own time in it, whether this work
accounts for the inevitable rebalancing and planning adjustments that the
abusers will make if each proposed policy were rolled out? i fear that
most studies in this area treat abuse like it was a natural phenomenon and
not the self-organized well-motivated thievery that it is. abusers aren't
going to sit still while we wrap them in a gaussian decay function.
Eric Brunner-Williams
2008-07-06 04:37:18 UTC
paul,

in another universe, the inhabitants are attempting to find some policy
for dealing with what i'll call a temporally inconsistent name to
address mapping, at a single, and also a second level of indirection. of
course, just about everything that's ever been written (and re-written)
on nanog about reputation and partition, whether w.r.t. port 25, or
ports 53 and 80, appears to me to be relevant in this other universe.

eric
Post by Paul Vixie
The real solution to the scorched earth problem is for aging from
blacklists to be dynamic.
if we were designing a full internet system with reputation as a feature,
then no doubt it would be like you're describing. however, reputation
systems are a private action by private right of action and each one will
have its own cost:benefit considerations. this means while it might be a
good design overall, blacklist aging has to be in the interests of
particular blacklist operators and subscribers, or it won't happen. it
generally does not happen, since it costs more value than it produces from
the point of view of a given blacklist operator or subscriber.
i think there's an argument to be made that this is inevitable. every time
any ISP has enforced any kind of numerical limits on abuse by one of its
customers (like first hit's free, three strikes and you're out, and so on)
the abusers have either rotated through providers or through identities
fast enough to make their business run in spite of the limits, or they have
merely counted these slaps on the wrist as part of the cost of doing
business. this means if blacklist entries all aged out, then abusers and
their ISPs would simply rotate through a long chain of address blocks, and
we'd see a lot of address space consumed on the "waiting for reprieve" list
but it would not change the overall abuse growth rate at all.
that's not in the interests of individual blacklist operators or subscribers,
who want to control abuse growth rate.
includes things like prevalence, persistence, and "badness", with a
Gaussian decay function as to time, to establish cut levels for what
should be blocked.
Look at Phil Porras work, and Usenix presentations.
can you tell me, before i invest my own time in it, whether this work
accounts for the inevitable rebalancing and planning adjustments that the
abusers will make if each proposed policy were rolled out? i fear that
most studies in this area treat abuse like it was a natural phenomenon and
not the self-organized well-motivated thievery that it is. abusers aren't
going to sit still while we wrap them in a gaussian decay function.
Suresh Ramasubramanian
2008-07-06 13:49:34 UTC
Actually, that's not a bad idea. Of course, there's the larger problem;
verifying that the address space previously sullied is now worthy of being
cleaned up. In Nick Shank's case (and Bravo! to Nick), I would say that he's
off doing the right thing. It would seem that some serious investigation
would be necessary before acting as a third party for others in a similar
boat, of course.
There's already a bunch of companies that have built up a business
model on this.. they call it "deliverability"
Jon Lewis
2008-07-06 14:43:26 UTC
Post by Suresh Ramasubramanian
Actually, that's not a bad idea. Of course, there's the larger problem;
verifying that the address space previously sullied is now worthy of being
cleaned up. In Nick Shank's case (and Bravo! to Nick), I would say that he's
off doing the right thing. It would seem that some serious investigation
would be necessary before acting as a third party for others in a similar
boat, of course.
There's already a bunch of companies that have built up a business
model on this.. they call it "deliverability"
There's a big difference though between trying to clean up the reputation
of newly acquired IP space a previous "owner" abused and trying to explain
away an ESP's prior spamming. My limited experience with deliverability
consulting companies recently has largely been the latter.

----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
jamie
2008-07-05 21:41:15 UTC
1) I hate plants.
2) I hate analogies involving plants even more.
3) You're suggesting abandonment of "perfectly good" IP space, and that he
employ stealthy and gray-hat thinking to obtain an easy out. Way to pad
ARIN's wallet, btw.

When I saw his e-mail, I thought, how proper of him. He's taking ownership
of his problem.

He wasn't asking for anything specific; in fact, it seemed to me more like an
offer of help ("hey, firefighter joe on the scene. i think i've pretty much
pwned this fire, so, lemme know if you still see crap burning! kthx").

I think he knows the drill on what he needs to do.
Don't give him evil thoughts... he'll end up just like the rest of us.

:-)

-j
Post by Frank Bulk - iNAME
Leaving a domain and IP fallow for such a long time will end up looking like
my garden did this year when I did the same thing -- overrun with weeds.
Sending a blanket e-mail to NANOG is not going to get the attention of those
who manage the e-mail flow (unless your domain belonged to a Fortune 100).
Just like I should have with my garden, rather than replant among the weed
seeds and spend 99% of my time pulling weeds, I would recommend sowing a new
field by moving your outbound e-mail server(s) to some fresh address space
(different /24 to be sure, ideally another section of SWIPed space) and
start monitoring your outgoing servers' logs. You'll need to work with each
MTA that blocks your e-mail and ask them to delist you from whatever block
(domain or domain reputation) that they have. At the same time,
systematically go to every RBL that tracks by domain name and check the
status of your domain and request delisting as necessary.
Regards,
Frank
-----Original Message-----
Sent: Thursday, July 03, 2008 5:51 AM
Subject: tacid.org
Greetings,
My name is Nick, and I have inherited admin duties for tacid.org. For an
unknown amount of time (a month or more?) mail.tacid.org has been an
open relay, sending out large amounts of spam. This should now be fixed.
If anyone is still having issues with this domain, please contact me off
list.
Thank you,
Nick
--
Would you like a little bit of legal advice?
NEVER let a scientist use the words "unanticipated" and "immediate" in the
same sentence.
Okay? Okay.
Nick Shank
2008-07-06 15:09:16 UTC
After doing a bit of digging, it doesn't appear that any of the tacid.org IP space is blacklisted (one less battle I have to fight). Fortune 100? Nope. Just a small non-profit org in Tacoma, WA, that got their Exchange box rooted. I'm still trying to figure out the full extent of the damage done, but at this point I believe 99.7% of the outbound mail is legit. Inbound is another story entirely, but that's my own private hell to deal with.
Thanks all for the input
~Nick

-----Original Message-----
Sent: Jul 5, 2008 1:21 PM
Subject: RE: tacid.org
Leaving a domain and IP fallow for such a long time will end up looking like
my garden did this year when I did the same thing -- overrun with weeds.
Sending a blanket e-mail to NANOG is not going to get the attention of those
who manage the e-mail flow (unless your domain belonged to a Fortune 100).
Just like I should have with my garden, rather than replant among the weed
seeds and spend 99% of my time pulling weeds, I would recommend sowing a new
field by moving your outbound e-mail server(s) to some fresh address space
(different /24 to be sure, ideally another section of SWIPed space) and
start monitoring your outgoing servers' logs. You'll need to work with each
MTA that blocks your e-mail and ask them to delist you from whatever block
(domain or domain reputation) that they have. At the same time,
systematically go to every RBL that tracks by domain name and check the
status of your domain and request delisting as necessary.
Regards,
Frank
-----Original Message-----
Sent: Thursday, July 03, 2008 5:51 AM
Subject: tacid.org
Greetings,
My name is Nick, and I have inherited admin duties for tacid.org. For an
unknown amount of time (a month or more?) mail.tacid.org has been an
open relay, sending out large amounts of spam. This should now be fixed.
If anyone is still having issues with this domain, please contact me off
list.
Thank you,
Nick
Jim Popovitch
2008-07-06 18:55:45 UTC
Post by Nick Shank
After doing a bit of digging, it doesn't appear that any of the tacid.org IP space is blacklisted (one less
battle I have to fight). Fortune 100? Nope. Just a small non-profit org in Tacoma, WA, that got their
Exchange box rooted. I'm still trying to figure out the full extent of the damage done, but at this point
I believe 99.7% of the outbound mail is legit. Inbound is another story entirely, but that's my own
private hell to deal with.
This in no way is a negative assumption on your skills. There is
some important information missing from the above details. You wrote
that your Exchange box was rooted, but you didn't indicate what you
did to resolve that. I'm not looking for the details of what you did,
just an overall statement about how you rectified it. You also
indicate that you are still assessing the full extent of the damage,
is that to the Exchange box or to the IP space?

Thanks,

-Jim P.
Jo Rhett
2008-07-09 18:41:44 UTC
Post by Jim Popovitch
that your Exchange box was rooted, but you didn't indicate what you
did to resolve that. I'm not looking for the details of what you did,
just an overall statement about how you rectified it. You also
Can you please take this to a mailing list which cares about mail
servers? I can think of nearly 50 without trying. Thanks.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
Nick Shank
2008-07-06 19:55:17 UTC
Jim,
ATM I have Exchange set to disallow outbound mail, just to be safe. I want to have something more than just a simple home-level NAT box before I allow anything more out, pending a full wipe and reload. The damage done was to the box itself. The few pieces of email that needed to go out this weekend (seven or eight, I think) used my personal mail server as the outbound. Forgive me if I'm not making any sense, I've been burning the candle at both ends...
~Nick


-----Original Message-----
Sent: Jul 6, 2008 11:55 AM
Subject: Re: tacid.org
Post by Nick Shank
After doing a bit of digging, it doesn't appear that any of the tacid.org IP space is blacklisted (one less
battle I have to fight). Fortune 100? Nope. Just a small non-profit org in Tacoma, WA, that got their
Exchange box rooted. I'm still trying to figure out the full extent of the damage done, but at this point
I believe 99.7% of the outbound mail is legit. Inbound is another story entirely, but that's my own
private hell to deal with.
This in no way is a negative assumption on your skills. There is
that your Exchange box was rooted, but you didn't indicate what you
did to resolve that. I'm not looking for the details of what you did,
just an overall statement about how you rectified it. You also
indicate that you are still assessing the full extent of the damage,
is that to the Exchange box or to the IP space?
Thanks,
-Jim P.
Jim Popovitch
2008-07-06 20:01:43 UTC
Post by Nick Shank
Jim,
ATM I have Exchange set to disallow outbound mail
Hi Nick,

I (personally) don't think that is enough. If the box was rooted,
there could be bots (i.e. other processes) sending outbound email.
Those processes could be persistent or periodic, and they could be
additional services or sub-processes of known-good services. Further,
the bots could be dynamically loaded via on-box applications (i.e.
Internet Explorer, Firefox, etc.)

You would need an off-box firewall to successfully block outbound SMTP
connections. With most, if not all, rooted boxes there really is no
safe way of securing it. Your best path forward is to (IMHO) buy a
new hard drive and start from scratch, manually copying only known-good
files to the new drive, preferably using an intermediate box to virus
scan each moved file.

Best wishes,

-Jim P.
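The two pieces of advice in this thread that survive a rooted box are the off-box firewall Jim describes and the log monitoring Frank suggested. The following is an added example, not code from any poster: it emits the iptables FORWARD rules that let only the designated relay speak SMTP outbound (logging both the accepted and the dropped attempts), then parses the resulting kernel log lines to flag any other LAN host trying port 25 and to track how many distinct destinations the relay itself fans out to. The addresses, interface names and log lines are constructed; the iptables syntax is real, but the exact rule layout is an assumption about how such a firewall would be built.

```python
"""Egress control for SMTP plus a detector over the firewall's own log.

Added example for the off-box firewall and log-monitoring advice in the
thread; this is not code from any poster. Addresses, interface names and
log lines are constructed; the iptables command syntax is real but the
rule set is an assumption about how such a firewall would be laid out.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional

# Constructed: the one LAN host allowed to originate outbound SMTP.
ALLOWED_RELAYS = frozenset({"192.0.2.10"})
SMTP_PORTS = frozenset({25})
LAN_IF, WAN_IF = "eth1", "eth0"  # constructed interface names


def egress_rules(allowed: Iterable[str], lan_if: str = LAN_IF, wan_if: str = WAN_IF) -> List[str]:
    """iptables FORWARD rules: log+accept SMTP from the relay, log+drop it from anything else."""
    rules = []
    for relay in allowed:
        base = f"iptables -A FORWARD -i {lan_if} -o {wan_if} -p tcp --dport 25 -s {relay}"
        rules.append(f'{base} -j LOG --log-prefix "SMTP-EGRESS-OK "')
        rules.append(f"{base} -j ACCEPT")
    catch_all = f"iptables -A FORWARD -i {lan_if} -o {wan_if} -p tcp --dport 25"
    rules.append(f'{catch_all} -j LOG --log-prefix "SMTP-EGRESS-DROP "')
    rules.append(f"{catch_all} -j DROP")
    return rules


# Fields as netfilter's LOG target writes them; other fields may sit in between.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?\bPROTO=(?P<proto>\w+).*?\bDPT=(?P<dpt>\d+)"
)


def parse_line(line: str) -> Optional[dict]:
    """Pull src/dst/proto/dport out of a netfilter LOG line; None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "proto": m["proto"], "dport": int(m["dpt"])}


def smtp_events(lines: Iterable[str]) -> List[dict]:
    """Only TCP connections to an SMTP port are relevant here."""
    out = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev["proto"] == "TCP" and ev["dport"] in SMTP_PORTS:
            out.append(ev)
    return out


def rogue_smtp_senders(lines: Iterable[str], allowed: Iterable[str] = ALLOWED_RELAYS) -> Dict[str, int]:
    """SMTP attempts per source that is not an authorised relay.

    Any entry here is a LAN host trying to talk SMTP on its own, which after a
    compromise is exactly the 'other process sending mail' case the thread raises.
    """
    allowed = set(allowed)
    counts: Counter = Counter()
    for ev in smtp_events(lines):
        if ev["src"] not in allowed:
            counts[ev["src"]] += 1
    return dict(counts)


def relay_fanout(lines: Iterable[str], allowed: Iterable[str] = ALLOWED_RELAYS) -> Dict[str, int]:
    """Distinct SMTP destinations per authorised relay; a sudden jump is a spam-run signal."""
    allowed = set(allowed)
    dests = defaultdict(set)
    for ev in smtp_events(lines):
        if ev["src"] in allowed:
            dests[ev["src"]].add(ev["dst"])
    return {src: len(d) for src, d in dests.items()}


# Constructed sample of what the LOG rules above would write to the kernel log.
SAMPLE_LOG = """\
Jul  6 11:55:01 fw kernel: SMTP-EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.0.2.44 DST=198.51.100.7 PROTO=TCP SPT=40111 DPT=25
Jul  6 11:55:02 fw kernel: SMTP-EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.0.2.44 DST=198.51.100.8 PROTO=TCP SPT=40112 DPT=25
Jul  6 11:55:03 fw kernel: SMTP-EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.0.2.44 DST=203.0.113.9 PROTO=TCP SPT=40113 DPT=25
Jul  6 11:55:04 fw kernel: SMTP-EGRESS-OK IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=50001 DPT=25
Jul  6 11:55:05 fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.44 DST=198.51.100.7 PROTO=TCP SPT=40114 DPT=443
Jul  6 11:55:06 fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.44 DST=198.51.100.2 PROTO=UDP SPT=40115 DPT=53
"""

if __name__ == "__main__":
    for rule in egress_rules(ALLOWED_RELAYS):
        print(rule)
    lines = SAMPLE_LOG.splitlines()
    print("rogue senders:", rogue_smtp_senders(lines))
    print("relay fan-out:", relay_fanout(lines))
```

The rules belong on a separate box the compromised host cannot reach, which is the whole point of Jim's advice; a host-based rule on the rooted machine is only as trustworthy as the machine. Feed `rogue_smtp_senders` the firewall's log on a schedule and alert on any non-empty result, and baseline `relay_fanout` over a quiet week so a spam run from the relay itself stands out as a destination-count spike rather than hiding in volume.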