Slashdot Mirror

Its pretty rampant, and we're noticing a gradual increase as weeks go by. More and more "different" attacks, worms, zombies and probes are happening. I can't ban them fast enough, because at this point, there are over 3,200 unique IP addresses that we've found so far.

Reporting it does nothing anymore. Since providers are getting so many abuse@ complaints, many of them are just sending them to /dev/null. Not a smart move.

I've started working on a process to auto-report the trash as it comes in, and for providers that reject the "abuse@" address, I block them too. If your customers are abusing our production services, and you don't allow us to report that abuse, we'll just lock you out. Piss off if you can't control your own customers or your own network.

So far we've done this for about 900 separate IPs, and about 200 full /24s. We also block the entire country of Brazil (the whole 200.0.0.0) on 25, 53 and 80.

Either we'll block the whole Internet, or providers will get so many complaints from their users that they can't get to sites they used to, that they'll begin to investigate.

Its pretty rampant, and we're noticing a gradual increase as weeks go by. More and more "different" attacks, worms, zombies and probes are happening. I can't ban them fast enough, because at this point, there are over 3,200 unique IP addresses that we've found so far.

Reporting it does nothing anymore. Since providers are getting so many abuse@ complaints, many of them are just sending them to /dev/null. Not a smart move.

I've started working on a process to auto-report the trash as it comes in, and for providers that reject the "abuse@" address, I block them too. If your customers are abusing our production services, and you don't allow us to report that abuse, we'll just lock you out. Piss off if you can't control your own customers or your own network.

So far we've done this for about 900 separate IPs, and about 200 full /24s. We also block the entire country of Brazil (the whole 200.0.0.0) on 25, 53 and 80.

Either we'll block the whole Internet, or providers will get so many complaints from their users that they can't get to sites they used to, that they'll begin to investigate.

Its pretty rampant, and we're noticing a gradual increase as weeks go by. More and more "different" attacks, worms, zombies and probes are happening. I can't ban them fast enough, because at this point, there are over 3,200 unique IP addresses that we've found so far.

Reporting it does nothing anymore. Since providers are getting so many abuse@ complaints, many of them are just sending them to /dev/null. Not a smart move.

I've started working on a process to auto-report the trash as it comes in, and for providers that reject the "abuse@" address, I block them too. If your customers are abusing our production services, and you don't allow us to report that abuse, we'll just lock you out. Piss off if you can't control your own customers or your own network.

So far we've done this for about 900 separate IPs, and about 200 full /24s. We also block the entire country of Brazil (the whole 200.0.0.0) on 25, 53 and 80.

Either we'll block the whole Internet, or providers will get so many complaints from their users that they can't get to sites they used to, that they'll begin to investigate.

"But to say people are going to use this to ddos sites is just stupid. Use the network before making such claims and see for yourself how it works. People who ddos sites don't need tor and wouldn't bother, it's too slow, too easy to trace via timing analysis, and the convenience factor alone means it will probably remain slow due to contantly being overloaded."

You may think its stupid, but unfortunately, its reality. The reality is that even though it slower, its still effective.

Here is an example of some log entries of spammers using Tor to forge referers and trackback spam to domains I host. Whatever tool they're using "broke" the url because they lowercased it (the url is valid, if the 'q' is uppercased).

At first I thought it was a new worm hitting us, but its coming too fast from far too many IPs in a very predictable pattern to be a random worm. The list of countries represented is very un-wormlike.

We survived 2 slashdottings 2 days in a row last week, barely a blip on our network radar, bu t a few days later, we were hit with this mountain of traffic from random locations, all within a 10-15 minute span, and only about an hour after I blocked the entire country of Brazil from reaching port 25 (the whole 200.0.0.0). Its definately maliscious, and definately intentional. I'm fending off attacks on our servers almost daily now, from netbios floods to SYN and TIME_WAIT attacks, to other things. I've been using the TARPIT module in iptables to slow things down, but they keep on coming, from thousands of unique IPs, across all range of our open ports (22, 53, 80, 2401, whatever).

So yes, Tor is most-definately being used to spam and DDoS sites, that is a fact and reality, which I can consistently prove with graphs, logs, and charts.

But it does serve a valid purpose, so I don't block the Tor IP range... yet.

"But to say people are going to use this to ddos sites is just stupid. Use the network before making such claims and see for yourself how it works. People who ddos sites don't need tor and wouldn't bother, it's too slow, too easy to trace via timing analysis, and the convenience factor alone means it will probably remain slow due to contantly being overloaded."

You may think its stupid, but unfortunately, its reality. The reality is that even though it slower, its still effective.

Here is an example of some log entries of spammers using Tor to forge referers and trackback spam to domains I host. Whatever tool they're using "broke" the url because they lowercased it (the url is valid, if the 'q' is uppercased).

At first I thought it was a new worm hitting us, but its coming too fast from far too many IPs in a very predictable pattern to be a random worm. The list of countries represented is very un-wormlike.

We survived 2 slashdottings 2 days in a row last week, barely a blip on our network radar, bu t a few days later, we were hit with this mountain of traffic from random locations, all within a 10-15 minute span, and only about an hour after I blocked the entire country of Brazil from reaching port 25 (the whole 200.0.0.0). Its definately maliscious, and definately intentional. I'm fending off attacks on our servers almost daily now, from netbios floods to SYN and TIME_WAIT attacks, to other things. I've been using the TARPIT module in iptables to slow things down, but they keep on coming, from thousands of unique IPs, across all range of our open ports (22, 53, 80, 2401, whatever).

So yes, Tor is most-definately being used to spam and DDoS sites, that is a fact and reality, which I can consistently prove with graphs, logs, and charts.

But it does serve a valid purpose, so I don't block the Tor IP range... yet.

"But to say people are going to use this to ddos sites is just stupid. Use the network before making such claims and see for yourself how it works. People who ddos sites don't need tor and wouldn't bother, it's too slow, too easy to trace via timing analysis, and the convenience factor alone means it will probably remain slow due to contantly being overloaded."

You may think its stupid, but unfortunately, its reality. The reality is that even though it slower, its still effective.

Here is an example of some log entries of spammers using Tor to forge referers and trackback spam to domains I host. Whatever tool they're using "broke" the url because they lowercased it (the url is valid, if the 'q' is uppercased).

At first I thought it was a new worm hitting us, but its coming too fast from far too many IPs in a very predictable pattern to be a random worm. The list of countries represented is very un-wormlike.

We survived 2 slashdottings 2 days in a row last week, barely a blip on our network radar, bu t a few days later, we were hit with this mountain of traffic from random locations, all within a 10-15 minute span, and only about an hour after I blocked the entire country of Brazil from reaching port 25 (the whole 200.0.0.0). Its definately maliscious, and definately intentional. I'm fending off attacks on our servers almost daily now, from netbios floods to SYN and TIME_WAIT attacks, to other things. I've been using the TARPIT module in iptables to slow things down, but they keep on coming, from thousands of unique IPs, across all range of our open ports (22, 53, 80, 2401, whatever).

So yes, Tor is most-definately being used to spam and DDoS sites, that is a fact and reality, which I can consistently prove with graphs, logs, and charts.

But it does serve a valid purpose, so I don't block the Tor IP range... yet.

"But to say people are going to use this to ddos sites is just stupid. Use the network before making such claims and see for yourself how it works. People who ddos sites don't need tor and wouldn't bother, it's too slow, too easy to trace via timing analysis, and the convenience factor alone means it will probably remain slow due to contantly being overloaded."

You may think its stupid, but unfortunately, its reality. The reality is that even though it slower, its still effective.

Here is an example of some log entries of spammers using Tor to forge referers and trackback spam to domains I host. Whatever tool they're using "broke" the url because they lowercased it (the url is valid, if the 'q' is uppercased).

At first I thought it was a new worm hitting us, but its coming too fast from far too many IPs in a very predictable pattern to be a random worm. The list of countries represented is very un-wormlike.

We survived 2 slashdottings 2 days in a row last week, barely a blip on our network radar, bu t a few days later, we were hit with this mountain of traffic from random locations, all within a 10-15 minute span, and only about an hour after I blocked the entire country of Brazil from reaching port 25 (the whole 200.0.0.0). Its definately maliscious, and definately intentional. I'm fending off attacks on our servers almost daily now, from netbios floods to SYN and TIME_WAIT attacks, to other things. I've been using the TARPIT module in iptables to slow things down, but they keep on coming, from thousands of unique IPs, across all range of our open ports (22, 53, 80, 2401, whatever).

So yes, Tor is most-definately being used to spam and DDoS sites, that is a fact and reality, which I can consistently prove with graphs, logs, and charts.

But it does serve a valid purpose, so I don't block the Tor IP range... yet.

GPL violations are a lot more common than most people think.

Just because it doesn't hit the mainstream media doesn't mean that thousands (yes, thousands of OSS projects out there are being actively violated by commercial enterprises). A few years ago I caught Sony doing this and reported about it (picked up by Slashdot here based on my account).

But that was relatively small potatoes to another GPL violation we've had to deal with. The CEO of a mobile company (who shall remain nameless, thousands know who he is) took our code, stripped our names and attribution out, removed the COPYING file (our copy of the GPL license), put his name all over it, and claimed he wrote it. He also waffled and lied over the years about which parts of our project he was and was not using. His stories changed back and forth (and I have all of the emails confirming these wishy-washy statements).

When we started seeing companies giving away binary versions of an application that looked suspisciously like ours (and I mean pixel-for-pixel identical) without any source, attribution or links back to the GPL, we started calling those companies and requesting the source for compliance. Since these companies had no idea who we were, they referred us back to the company they bought it from.. the original one who took our code from us outside of compliance with the GPL.

Then the threats started coming in... from the CEO of the company that originally took our source. My favorite quote from him:

"...if we end up in court, I'll bankrupt these guys..."

We were appointed an amazing attorney by the FSF, and she represented us well. I even went to NYC to meet with this CEO with Wendy to discuss how they could bring themselves into compliance. The CEO insisted that "..the GPL is not a license, its subject to interpretation... it was never reviewed by real attorneys or tested in court", and then proceeded to tell me to fire my attorney, right in front of her, because he said she wasn't giving me correct information about the law. Yeah ok, except she TEACHES law, and this CEO does what again? Oh yeah, steals other people's products for his own profitous gain.

He continued to threaten us for contacting his "partners" (who were also not transferred the GPL when he sold them "his" product [using our code]). Of course his threats fell on deaf ears, since it is our duty to require compliance with our code no matter who uses it.

The case goes on now, 4+ years later, but some interesting facts have come to light and we may have some official corporate backing from someone he believes is a partner of his... this is FAR from over, and he has absolutely no idea what mountain of legal stress is heading his way.

Wendy has moved on to the EFF now, and we have some new legal contacts at the FSF to try persue this further, but they're busy with lots of other cases.

If anyone is interested in hearing more details, feel free to contact me. If you want to support our case against companies like this, please visit our donation page and contribute to help us fund more legal support (or just because your appreciate our work: Don't forget to check out our Plucker eye-candy page).

<input type>
<html>
...
</html>

Doubt me? go here with MSIE and see for yourself. Yes, it even crashes MSIE running in Wine.

I do this for quite a few other pieces of work (the Gentoo handbook, PHP Documentation (in 21 languages, it looks spectacular in color), the Creating XPCOM book is even available in Plucker format, as well as many others.

These are not straight conversions, they require actual human eyes to look over them, test them, add navigation and other elements. For example, look at the Plucker version of the 9/11 Report that I did. I added a LOT of functionality that wasn't there in the original version. (I also put my pristine HTML source version online for anyone to read. You can see the additional features I've added in that copy).

I'll be making a lot more of my stealth works public soon.

When they're finished with the Slackware Handbook, I'd be more than happy to look it over, do the conversion, and provide it in a mobile format for our user community.

"Actually, Bush has been flexible on strategy and tactics, but has been firm on his goal; which is to rid us of the threat of terrorism. That's what a good leader is supposed to do."

Where is the international support? Where is the coalition? Where is the backing from the UN? Where are the other countries' troops on the ground helping us? Nowhere.

"Kerry just waves in the political wind like a willow (I'm for the war, I'm against the war, I'm shopping at Pottery Barn...)"

Kerry is for the war, and always has been. He supported a properly-executed solution to ridding the terrorists from their countries of origin. He supported the president's choice to make the right decision. He just didn't support the decision itself. Those are not the same thing.

"I remember watching T.V. on September 11th and seeing people faced with the decision to stay in the building and burn to death, or to leap from the building to their death."

The day it happened, hundreds of us were on irc, and I started collecting the photos from the event. There were people in dorms, offices, their apartments, all hanging out their windows with cameras, taking pictures of their TV sets, watching the news, etc. Hundreds of these pictures have never been seen in public before. There are even some closeups of those jumpers to push those nails deeper into your heart.

"I want a leader who will do everything in his power to make sure nobody on US soil will ever have to make a decision like that again. John Kerry is NOT that leader."

Bush isn't that leader either, so who do we have left? Nader, even if by a miracle, could win the election, would have no power, because he has no representation in the House or the Senate.

So who do you propose as an alternative?

1. Spam isn't primarily coming from legitimate SMTP relays like Yahoo or Hotmail

At least 80% of our incoming spam, brute-force attacks, and other SMTP violations are coming from behind legitimate hosts like AOL, Verizon, Blueyonder, RoadRunner, and so on. Not forged IPs that pretend to be those hosts, but actual IPs that return to those MXs.

Look at today's list of brute-force attacks so far.. (as of Mon Apr 12 17:55:53 EDT 2004)

Every single one of these lists gets collected and reported, per day, per provider, and to date, not a single one of them has done anything to stop the abuse. In fact, it keeps increasing every day. The more we block, the faster they come at us.

1. Spam isn't primarily coming from legitimate SMTP relays like Yahoo or Hotmail

At least 80% of our incoming spam, brute-force attacks, and other SMTP violations are coming from behind legitimate hosts like AOL, Verizon, Blueyonder, RoadRunner, and so on. Not forged IPs that pretend to be those hosts, but actual IPs that return to those MXs.

Look at today's list of brute-force attacks so far.. (as of Mon Apr 12 17:55:53 EDT 2004)

Every single one of these lists gets collected and reported, per day, per provider, and to date, not a single one of them has done anything to stop the abuse. In fact, it keeps increasing every day. The more we block, the faster they come at us.

1. Spam isn't primarily coming from legitimate SMTP relays like Yahoo or Hotmail

At least 80% of our incoming spam, brute-force attacks, and other SMTP violations are coming from behind legitimate hosts like AOL, Verizon, Blueyonder, RoadRunner, and so on. Not forged IPs that pretend to be those hosts, but actual IPs that return to those MXs.

Look at today's list of brute-force attacks so far.. (as of Mon Apr 12 17:55:53 EDT 2004)

Every single one of these lists gets collected and reported, per day, per provider, and to date, not a single one of them has done anything to stop the abuse. In fact, it keeps increasing every day. The more we block, the faster they come at us.

This is from the last 6 days of mail logs here, and filtered for only one domain we host. Multiply that by about 20 for the domains we host, and then multiply that by the number of hacked providers (comcast.net, cox.com, verizon.net, etc.) and you begin to see an enormous amount of abuse and bandwidth being consumed by these hosts.

Report it to Carl Hutzler (cdhutzler at aol dot com) and let him know your concerns. He is the director of AOL's anti-spam measures.

I even emailed Carl Hutzler, Director of Anti-spam at AOL, and he hasn't returned my emails or my calls. The same goes for the hundreds of thousands of spams we get from *.verizon.net, comcast.net, voyager.net, compaq.com, and others. Clearly people inside the business infrastructure have infected systems propagating spam on the weekends, using the corporate bandwidth to do it.

At this point, this is what I do:

1. Sendmail as my MTA, blocks a significant amount of spam, before receiving it, with some custom antispam rulesets I've cooked up.
2. I also have triple-RBL set up in the MTA (ordb.org, mail-abuse.org, and so on).
3. blackholes.us is set to block known-spammers from Argentina, Brazil, China, HongKong, Japan, Korea, Russia and Taiwan.
4. virtusertable in the MTA chain blocks attempts at some common internal system accounts.
5. SpamAssassin is tuned down to 3.5, and catches a significant portion of the emails that make it past the above measures.
6. AV is done through procmailrc, with some custom heuristics in the recipes (contact me if you want these)
7. Anything that SA catches, is tagged and put into /var/spool/mail/SPAM
   1. I manually go through that SPAM folder, and report every entry there to the 'abuse@address' for the resolved provider (not the forged provider in the From: line, of course)
   2. For hosts that do not resolve, they are permanently blocked at the firewall.
   3. For providers that do not support the 'abuse@address' address, they are permanently blocked at the firewall.
8. I then go through the mail logs themselves, and catch the brute-force attempts at sending mail to the dozen-or-so domains I host, and block them at the firewall.

So far, the more I block, the faster the spam comes in, and the more I block, ad nauseum.

Here is today's counts. At 5:30am, this was 164 hosts, and now it is 109 more than that.

iptables-save | grep "dport 25" | wc -l
273

Spam is definately getting worse, as more and more machines are hijacked for the purposes of propagating it, with these trojans.

The more I block, the more incoming spam we get.

1. Project Sites

   1. gnu-designs, inc.
      Plucker
      Plucker Wiki
      OpenURLs PDA Portal
      pilot-link
      pilot-link Portal
      J-Pilot
      J-Pilot Wiki
      

   HOWTO Documents

   1. Syncronize your PalmOS(R) Handheld with Evolution
      Synchronize your PalmOS(R) Handheld over Bluetooth in Linux
      Syncronizing your PalmOS(R) handheld device over Infrared (IrDA)
      Connecting your PalmOS(R) handheld device to the Internet via PPP
      

As you can see in this Outlook task entry, everything looks kosher. That hash in the Note field is for DateBk5's icons.

When I sync to Yahoo!'s Calendar, I see something that looks like this. Opening the Tasks form, I see this output. No titles for any tasks.

Let's focus in on the 9/18 task. Opening that one, shows this form, where you can see the Note field is in the Title field of the Task. That's a problem. It showed an empty title in the main Tasks screen, but now shows the Note field instead of the Title.

It works fine in Outlook. It works fine in J-Pilot. Why does Yahoo!'s Calendar screw it up? (I await the reply from their maintainer).

If they had an API that was public, I could write a conduit to sync directly to it, from Linux. Judging by the fact that Intellisync is a Pumasoft product, and Pumasoft holds many patents on SyncML technologies (some of which have recently been rejected by the USPTO), I can assume that this is SyncML + authentication.

I'd rather write the conduit using a documented API, than a sniffer, however.

So you see, all is not as easy as it seems.

As you can see in this Outlook task entry, everything looks kosher. That hash in the Note field is for DateBk5's icons.

When I sync to Yahoo!'s Calendar, I see something that looks like this. Opening the Tasks form, I see this output. No titles for any tasks.

Let's focus in on the 9/18 task. Opening that one, shows this form, where you can see the Note field is in the Title field of the Task. That's a problem. It showed an empty title in the main Tasks screen, but now shows the Note field instead of the Title.

It works fine in Outlook. It works fine in J-Pilot. Why does Yahoo!'s Calendar screw it up? (I await the reply from their maintainer).

If they had an API that was public, I could write a conduit to sync directly to it, from Linux. Judging by the fact that Intellisync is a Pumasoft product, and Pumasoft holds many patents on SyncML technologies (some of which have recently been rejected by the USPTO), I can assume that this is SyncML + authentication.

I'd rather write the conduit using a documented API, than a sniffer, however.

So you see, all is not as easy as it seems.

As you can see in this Outlook task entry, everything looks kosher. That hash in the Note field is for DateBk5's icons.

When I sync to Yahoo!'s Calendar, I see something that looks like this. Opening the Tasks form, I see this output. No titles for any tasks.

Let's focus in on the 9/18 task. Opening that one, shows this form, where you can see the Note field is in the Title field of the Task. That's a problem. It showed an empty title in the main Tasks screen, but now shows the Note field instead of the Title.

It works fine in Outlook. It works fine in J-Pilot. Why does Yahoo!'s Calendar screw it up? (I await the reply from their maintainer).

If they had an API that was public, I could write a conduit to sync directly to it, from Linux. Judging by the fact that Intellisync is a Pumasoft product, and Pumasoft holds many patents on SyncML technologies (some of which have recently been rejected by the USPTO), I can assume that this is SyncML + authentication.

I'd rather write the conduit using a documented API, than a sniffer, however.

So you see, all is not as easy as it seems.

As you can see in this Outlook task entry, everything looks kosher. That hash in the Note field is for DateBk5's icons.

When I sync to Yahoo!'s Calendar, I see something that looks like this. Opening the Tasks form, I see this output. No titles for any tasks.

Let's focus in on the 9/18 task. Opening that one, shows this form, where you can see the Note field is in the Title field of the Task. That's a problem. It showed an empty title in the main Tasks screen, but now shows the Note field instead of the Title.

It works fine in Outlook. It works fine in J-Pilot. Why does Yahoo!'s Calendar screw it up? (I await the reply from their maintainer).

If they had an API that was public, I could write a conduit to sync directly to it, from Linux. Judging by the fact that Intellisync is a Pumasoft product, and Pumasoft holds many patents on SyncML technologies (some of which have recently been rejected by the USPTO), I can assume that this is SyncML + authentication.

I'd rather write the conduit using a documented API, than a sniffer, however.

So you see, all is not as easy as it seems.

There is no such word ' virii ', and in fact, the plural of ' virus ' is ' viruses ', not 'virii'. Read on for more details about the proper way to use the word ' virus '.</fud>

I'm not sure what, if any action, the FSF ever took. The POSE author's account is here. Since then, the released source to an older version of their modifications. On this page, Sony is taken to task for withholding source to their modifications until a "final" version--while distributing a not-so-final version.

I also wrote my own kernel HOWTO that thousands of people use daily. I've been doing kernels for almost a decade at over 400 a year, sometimes more. It surpasses the linuxdoc one in simplicity. It also uses an incredibly simple solution to the annoying "/usr/src/linux" being a real directory problem.

This is nothing new...

I recently bought myself the Motorola Timeport 250 (Euro model), 3 band phone, only to find that the I-R capability was lousy. Not only is there no way to use the I-R port to beam numbers off, I have never been able to get it to successfully sync with my Handspring Visor or portable computer.

Well I've got the same phone and I disagree, you can quite easily beam the numbers off using the simple command line tools distributed with GSMlib, see http://www.pxh.de/fs/gsmlib/. From there its a simple shell script away from my PalmIII using pilot-link, see http://www.gnu-designs.com/pilot-link/. Going in the reverse direction is just as easy.

I've not had any trouble at all using the IR on the phone to talk to either my laptop, Plam or FIR module on my desktop.

Never mind proprietary, inflexible semi-solutions like DigitalPaths's Palm Query App (which works only over the grossly overpriced Palm VII Internet-access service). Nor do you need the equally proprietary and inflexible AvantSlow (AvantGo). How about some open-source software, for a change?

Justin Mason's SiteScooper and David A. Desrosiers's Plucker are the options that come immediately to mind.

Both of those, and hundreds of other open-source packages, either for PalmOS or for other OSes working with PalmOS, are also carried in my repository of PalmOS open-source code and information.

---

pilot link

You can get pilot link from this website http://www.gnu-designs.com/pilot-link/

If you are targeting PalmOS devices and you're not concered with controlling copying, you could consider using Plucker. I have successfully used to it to place the HTML edition of O'Reilly's DocBook reference on my Palm, as well as Engines of Creation and some programming manuals.

The snapshot of Plucker I am using supports multiple databases, images (I haven't tested this) and most of the HTML tags you'll need. The width of the Palm screen can cause problems with things such as tables, however.

--
"Where, where is the town? Now, it's nothing but flowers!"