Fun at work - brad's life
Brad Fitzpatrick
[ website | bradfitz.com ]
Fun at work [May. 3rd, 2006|04:45 pm]
Brad Fitzpatrick

I like not being involved in operations (sysadmin stuff) lately:

http://q.queso.com/archives/001917

Props to everybody else at work, though.

Comments:
From: midendian
2006-05-03 11:53 pm (UTC)
There were electricians in your cage when it happened to all go down. At first I figured you'd just gotten unplugged...
From: lisa
2006-05-04 12:00 am (UTC)
You weren't the only one worried about that.

Though honestly that would have been a lot more recoverable.
From: valiskeogh
2006-05-03 11:57 pm (UTC)
damn skippy jimminey crickets!!!

despite their boneheadedness (if that article is to be believed) i'm jumping over and installing their lil antispammers app on a couple of my PCs asap... any chance to annoy those bottom feeders is a chance i jump upon
From: grumpy_sysadmin
2006-05-04 12:52 am (UTC)
Uh, yeah, because the solution to more than half of the SMTP traffic in the world being email no one wants to receive is clearly to add more SMTP traffic no one wants to receive. GOOD PLAN!
From: valiskeogh
2006-05-04 01:07 am (UTC)
well, i hadn't read the particulars yet, and it looks like i can't 'cause their stuff is still unavail...
From: grumpy_sysadmin
2006-05-04 12:50 pm (UTC)
Reading the PCWorld article should be just about enough, really.
Here is how Blue Security's Blue Frog software and antispam initiative works: When you sign up for a Blue Frog account, you install a piece of software on your PC and get to submit up to three e-mail addresses to Blue Security's Do-Not-Intrude Registry. The company then opens up multiple e-mail accounts on your behalf--accounts you technically own, but never use. Those e-mail accounts are managed by Blue Security and are designed to attract spam.
For starters, if not against the letter, this is against the intention of the AUP for any company offering free webmail. Then there's what they could possibly mean by "designed to attract spam"... I have some ideas what this implies, how one would put email addresses out there, and I'm not too keen on that, but consider that, if they're doing what they want to do well, they've now quadrupled the amount of unsolicited email that's being sent to "you". That's quadrupled the amount of network traffic that all the various intervening and innocent service providers have to pass through.

[They check messages received for compliance with CAN-SPAM.]
Blue Security says it will attempt to warn noncompliant spammers to stop sending e-mail to the accounts it has set up for you, as well as to the real e-mail addresses you provided during registration. If Blue Security can't contact the spammer, or the spam doesn't stop, things start getting nasty.
And how will they attempt to contact these companies? Probably by sending email to every email address that might be a source, email to postmaster@ for every domain in the headers or body of the message, and so forth. (Actually, not probably. Definitely. I've gotten some of these from unsolicited email spoofing use of a domain I own.) This generates email to email addresses that are probably not monitored, if they are even valid, and which may very well generate bounce messages, which will then be sent back. In short: it will increase by roughly an order of magnitude the amount of email sent as a result of a single unsolicited email, to and through intervening and innocent service providers.

The getting nasty involves sending bogus responses through a web form. That web form had a unique ID in it, which is associated with the original unsolicited email, and loading the URL demonstrates to the advertiser that someone read the email and followed the link, even if they didn't proceed to purchase anything (a soft hit). The advertisers use the numbers of even soft responses to their advertising campaigns to demonstrate to potential customers that their advertising methods worked. So, Blue Security is also adding to statistics encouraging further unsolicited email.

These people are either massively ignorant of how Internet traffic works, never mind how email headers work, and ignorant of how their targets' organizations work, or they're actively bad network citizens. I think that their response to an attack on their network is not to drop the traffic but to redirect it to somebody else's network further demonstrates this point.

You are a fool if you support Blue Security.
From: valiskeogh
2006-05-04 12:00 am (UTC)
btw, this isn't completely applicable to a distributed attack, but just to give you the idea and to pass it on: when one of my domains came under an "attack", albeit from only one ip address, my simple solution was to throw in an http line or two that redirected hits from that ip addy to www.homelandsecurity.gov

i figured they'd be able to take care of the problem ;)
From: brad
2006-05-04 12:09 am (UTC)
Uh, that's incredibly stupid. Then homelandsecurity.gov sees you as the HTTP Referer, right?
From: valiskeogh
2006-05-04 12:09 am (UTC)
referrer=blank was in there somewhere :)
From: crschmidt
2006-05-04 02:08 am (UTC)
Not necessarily: with most types of redirects, the original referer is maintained (in my limited experience), although I don't typically do cross-domain redirects, so that could work differently.
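The question in this sub-thread, whether a 3xx redirect lets the target see the redirecting site as the Referer, has a definite answer in the Fetch standard's referrer rules, which the following added example models in JavaScript. This is not code from the thread or from LiveJournal; the hop list, the host names attacker.example and victim.example, and the Referrer-Policy header values are constructed sample data. The client, not the redirecting server, decides what Referer to send: it derives the value from the page that linked to the redirecting URL and re-applies the referrer policy at each hop, so the redirect target sees the original referrer (reduced per policy) or nothing, never the redirecting host.

```javascript
// Added example, not code from this thread: a model of how a browser decides
// which Referer to send when it follows a 3xx redirect, following the Fetch
// standard's "determine request's referrer" rules. The redirecting server
// cannot write the Referer; the client derives it from the page that linked to
// the redirecting URL, then re-applies the referrer policy for each hop. A bot
// that started with no referrer sends none at all.
// All URLs, hop lists and header values below are constructed sample data.

const POLICIES = new Set([
  "no-referrer", "no-referrer-when-downgrade", "origin",
  "origin-when-cross-origin", "same-origin", "strict-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
]);

// Referrer URLs never carry credentials or a fragment; originOnly reduces the
// value to scheme://host[:port]/ the way the spec serializes an origin referrer.
function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return originOnly ? `${u.origin}/` : u.href;
}

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// A "downgrade" is an https referrer being sent to a non-https target.
function isDowngrade(referrer, target) {
  return new URL(referrer).protocol === "https:" && new URL(target).protocol !== "https:";
}

// Value of the Referer header for one request (null means the header is omitted).
function determineReferrer(referrer, target, policy) {
  if (referrer === null) return null;
  switch (policy) {
    case "no-referrer":
      return null;
    case "unsafe-url":
      return stripForReferrer(referrer, false);
    case "origin":
      return stripForReferrer(referrer, true);
    case "same-origin":
      return sameOrigin(referrer, target) ? stripForReferrer(referrer, false) : null;
    case "origin-when-cross-origin":
      return stripForReferrer(referrer, !sameOrigin(referrer, target));
    case "strict-origin":
      return isDowngrade(referrer, target) ? null : stripForReferrer(referrer, true);
    case "no-referrer-when-downgrade":
      return isDowngrade(referrer, target) ? null : stripForReferrer(referrer, false);
    case "strict-origin-when-cross-origin":
    default:
      if (sameOrigin(referrer, target)) return stripForReferrer(referrer, false);
      return isDowngrade(referrer, target) ? null : stripForReferrer(referrer, true);
  }
}

// Follow a redirect chain. Each hop is {url, referrerPolicy?}: the URL requested
// and the Referrer-Policy header, if any, on the response that redirected away
// from it. The referrer carried into a hop is whatever was sent to the previous
// one, so a hop never sees the redirecting server itself as its referrer.
function followRedirects(initialReferrer, hops, policy = "strict-origin-when-cross-origin") {
  const sent = [];
  let referrer = initialReferrer;
  for (const hop of hops) {
    const value = determineReferrer(referrer, hop.url, policy);
    sent.push({ url: hop.url, referer: value });
    referrer = value;
    if (hop.referrerPolicy && POLICIES.has(hop.referrerPolicy)) policy = hop.referrerPolicy;
  }
  return sent;
}

// Constructed scenario from the thread: a site redirects one client's hits to a third party.
const chain = [{ url: "http://victim.example/" }, { url: "https://www.homelandsecurity.gov/" }];
console.log(followRedirects(null, chain));                           // bot: no Referer on either hop
console.log(followRedirects("http://attacker.example/page", chain)); // browser: attacker's origin, not victim.example
```

The practical consequence for the thread: a script hammering the site sends no Referer at all, so nothing at the redirect target identifies the redirecting host; a human following a link arrives with the linking page's origin. The only lever the redirecting server has is a Referrer-Policy header (for example no-referrer) on its redirect response, which suppresses the value for the next hop rather than blanking it retroactively.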
From: mcfnord
2006-05-04 12:21 am (UTC)
Your public response was quite thoughtful.
From: grumpy_sysadmin
2006-05-04 12:54 am (UTC)
Oh good grief. Time for a new line item in the Acceptable Use Policy.
From: dakus
2006-05-04 01:18 am (UTC)
So basically LJ got fragged.
From: mendel
2006-05-04 02:00 pm (UTC)
So now that every SA employee has posted that link to their journal it's not responding -- what's the Reader's Digest version?
From: jamesd
2006-05-04 06:26 pm (UTC)
Company that engages in denial of service attacks and other methods against spammers was attacked by a spammer DDoS. Company changed DNS records to redirect the DDoS traffic to Six Apart.

Not clear at present whether they knew that the DDoS was significant in the context of Six Apart capacity. Trivia like Slashdotting isn't.

Company DNS now goes to localhost, which is where it should have been sent originally.