Adam Kerman:
Anton Shepelev:
Shall we assume you have already reported this at the
address abuse@neodome.net, as specified on
http://neodome.net/ ?
What's the point? You think the News administrator of
Neodome doesn't check his logs regularly?
No, he may not be reading them from cover to cover,
which is why they provde a special address for abuse reports. In my
experice with several other servers, abuse reports are
quickly acted upon.
Anton Shepelev <anton.txt@g{oogle}mail.com> wrote:
Adam H. Kerman:
We're in the midst of a hipclone attack through your
server. I've seen 1000 articles thus far, and it's still
ongoing.
Could you LART this shithead?
Shall we assume you have already reported this at the
address abuse@neodome.net, as specified on
http://neodome.net/ ?
What's the point? You think the News administrator of Neodome doesn't
check his logs regularly?
I'm just expressing frustration here.
We're in the midst of a hipclone attack through your server. I've
seen 1000 articles thus far, and it's still ongoing.
Could you LART this shithead?
Adam Kerman:
Anton Shepelev:
Shall we assume you have already reported this at the
address abuse@neodome.net, as specified on
http://neodome.net/ ?
What's the point? You think the News administrator of
Neodome doesn't check his logs regularly?
No, he may not be reading them from cover to cover,
Without introducing exaggeration into this discussion:
A quick glance at the server logs without reading cover-to-cover will
provide evidence of Neodome being used as a relay for the attack.
which is why they provde a special address for abuse reports. In my >>experice with several other servers, abuse reports are
quickly acted upon.
Adam H. Kerman wrote...
Anton Shepelev <anton.txt@g{oogle}mail.com> wrote:
Adam H. Kerman:
We're in the midst of a hipclone attack through your
server. I've seen 1000 articles thus far, and it's still
ongoing.
Could you LART this shithead?
Shall we assume you have already reported this at the
address abuse@neodome.net, as specified on
http://neodome.net/ ?
What's the point? You think the News administrator of Neodome doesn't
check his logs regularly?
I'm just expressing frustration here.
Does anyone actually know who/where the Neodome admin is? BTW I haven't had >any response to previous (recent) complaints to their abuse email addy.
-----BEGIN PGP SIGNED MESSAGE-----
So far as filtering, those reading from servers running INN should be
able to filter based any consistent header provided, as this software
allows pattern matching on any header. In this instance, the
Injection-Info header appears to be static, although it was not in the
past. Even so, the beginning of the header has remained consistent.
Personally, I would recommend anvils from low earth orbit.
- --
David Ritz <dritz@mindspring.com>
"There is nothing worse than having a spare couple of hours and you
can't find an open server to abuse." - Tim Thorne - 26 Dec 1998
-----BEGIN PGP SIGNATURE-----
iF0EARECAB0WIQSc0FU3XAVGYDjSGUhSvCmZGhLe6wUCYGTg0wAKCRBSvCmZGhLe >6znvAJ9jRRMlAib5xp9td4NOLNVb+7tv2wCg3jxQDMGG4lkvfF8OTABA85LPVIM=
=033L
-----END PGP SIGNATURE-----
A quick glance at the server logs without reading cover-to-cover will
provide evidence of Neodome being used as a relay for the attack.
In article <alpine.OSX.2.21.2103311456410.48630@mako.ath.cx>,
David Ritz <dritz@mindspring.com> wrote:
So far as filtering, those reading from servers running INN should
be able to filter based any consistent header provided, as this
software allows pattern matching on any header. In this instance,
the Injection-Info header appears to be static, although it was not
in the past. Even so, the beginning of the header has remained
consistent.
What code should be implemented in cleanfeed?
Personally, I would recommend anvils from low earth orbit.
Please put in coordinates!
On 3/31/21 12:38 PM, Adam H. Kerman wrote:
A quick glance at the server logs without reading cover-to-cover will
provide evidence of Neodome being used as a relay for the attack.
True.
However, I find that most people don't spend /all/ of their time reading >server logs. Usually they are out enjoying their lives and periodically >checking ... wait for it ... email.
Read: They will quite often see an alert email /before/ getting back to
logs to look at.
--
Grant. . . .
unix || die
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wednesday, 31 March 2021 21:37 -0000,
in article <s42q2e$1nap$41@gallifrey.nk.ca>,
The Doctor <doctor@doctor.nl2k.ab.ca> wrote:
In article <alpine.OSX.2.21.2103311456410.48630@mako.ath.cx>,
David Ritz <dritz@mindspring.com> wrote:
So far as filtering, those reading from servers running INN should
be able to filter based any consistent header provided, as this
software allows pattern matching on any header. In this instance,
the Injection-Info header appears to be static, although it was not
in the past. Even so, the beginning of the header has remained
consistent.
What code should be implemented in cleanfeed?
That may be a question better suited to news.software.nntp, where you
are likely to encounter Steve Crooks, the maintainer of cleanfeed.
As Steve's news.mixmin.net is a neodome.net outbound feed, I would not
expect news.neodome.net to be included in the default bad_paths.
Personally, I would recommend anvils from low earth orbit.
Please put in coordinates!
$ dig +short news.neodome.net
neodome.net.
95.216.243.224
$ whois -h whois.ripe.net 95.216.243.224|grep Abuse
% Abuse contact for '95.216.0.0 - 95.217.255.255' is 'abuse@hetzner.com'
Meanwhile, Dave, please fix your trn reply indent string, to include a >trailing space, ie. "> " instead of ">". Thanks.
- --
David Ritz <dritz@mindspring.com>
"We have met the enemy and he is us."
-- Walt Kelly (1913-1973), in the voice of Pogo
-----BEGIN PGP SIGNATURE-----
iF0EARECAB0WIQSc0FU3XAVGYDjSGUhSvCmZGhLe6wUCYGT2ogAKCRBSvCmZGhLe >60zLAJ0Uqo1ZnT0Mw2IKftAMhFyl/iHBvgCeOZ9C+0wm4fUeuGP/zr+sl04qKNU=
=wUzy
-----END PGP SIGNATURE-----
GROUP or.politics
211 13236 621506 644664 or.politics
XPAT INJECTION-INFO 644600-644664 neodome.net;*
Sent abuse@ . Still awaiting a reply!
The Doctor:
Sent abuse@ . Still awaiting a reply!
They list some PGP keys with the address. Could that mean
incoming messages must be PGP-sisnged to deserve
consideration?
--
() ascii ribbon campaign - against html e-mail
/\ http://preview.tinyurl.com/qcy6mjc [archived]
In article <s4259k$dkr$1@dont-email.me>, Adam H. Kerman <ahk@chinet.com> wrote:
Anton Shepelev <anton.txt@g{oogle}mail.com> wrote:
Adam H. Kerman:
We're in the midst of a hipclone attack through your
server. I've seen 1000 articles thus far, and it's still
ongoing.
Could you LART this shithead?
Shall we assume you have already reported this at the
address abuse@neodome.net, as specified on
http://neodome.net/ ?
What's the point? You think the News administrator of Neodome doesn't
check his logs regularly?
I'm just expressing frustration here.
Someone give us a cleenfeed solution
so we can drop this cretin!
Anton Shepelev <anton.txt@g{oogle}mail.com> wrote:
Adam H. Kerman:
We're in the midst of a hipclone attack through your
server. I've seen 1000 articles thus far, and it's still
ongoing.
Could you LART this shithead?
Shall we assume you have already reported this at the
address abuse@neodome.net, as specified on
http://neodome.net/ ?
What's the point? You think the News administrator of Neodome doesn't
check his logs regularly?
I'm just expressing frustration here.
Adam H. Kerman wrote...
Anton Shepelev <anton.txt@g{oogle}mail.com> wrote:
Adam H. Kerman:
We're in the midst of a hipclone attack through your
server. I've seen 1000 articles thus far, and it's still
ongoing.
Could you LART this shithead?
Shall we assume you have already reported this at the
address abuse@neodome.net, as specified on
http://neodome.net/ ?
What's the point? You think the News administrator of Neodome doesn't
check his logs regularly?
I'm just expressing frustration here.
Does anyone actually know who/where the Neodome admin is?
Adam H. Kerman <ahk@chinet.com> wrote:
Anton Shepelev <anton.txt@g{oogle}mail.com> wrote:
Adam H. Kerman:
We're in the midst of a hipclone attack through your
server. I've seen 1000 articles thus far, and it's still
ongoing.
Could you LART this shithead?
Shall we assume you have already reported this at the
address abuse@neodome.net, as specified on
http://neodome.net/ ?
What's the point? You think the News administrator of Neodome doesn't
check his logs regularly?
I mostly do. However, sometimes life gets in the way.
I'm just expressing frustration here.
I’m also not very happy about it. Since Neodome always been an open server, >something like that always been a possibility. Unfortunately.
Adam H. Kerman <ahk@chinet.com> wrote:
Anton Shepelev <anton.txt@g{oogle}mail.com> wrote:
Adam H. Kerman:
We're in the midst of a hipclone attack through your
server. I've seen 1000 articles thus far, and it's still
ongoing.
Could you LART this shithead?
Shall we assume you have already reported this at the
address abuse@neodome.net, as specified on
http://neodome.net/ ?
What's the point? You think the News administrator of Neodome doesn't >>>check his logs regularly?
I mostly do. However, sometimes life gets in the way.
What do your logs show? Can you identify the IP? Was it from an open
proxy or from his own location?
Was it TOR?
Others pointed out that this was the second Hipclone attack through
your server in a short time; I didn't notice the earlier one.
You might be able to figure out who it was.
I'm just expressing frustration here.
I’m also not very happy about it. Since Neodome always been an open server, >>something like that always been a possibility. Unfortunately.
AIOE is an open server, too, but has a hard posting cap to thwart a
Hipclone attack.
Neodome Admin <admin@neodome.net> wrote:
Adam H. Kerman <ahk@chinet.com> wrote:
Anton Shepelev <anton.txt@g{oogle}mail.com> wrote:
Adam H. Kerman:
We're in the midst of a hipclone attack through your
server. I've seen 1000 articles thus far, and it's still
ongoing.
Could you LART this shithead?
Shall we assume you have already reported this at the
address abuse@neodome.net, as specified on
http://neodome.net/ ?
What's the point? You think the News administrator of Neodome doesn't >>check his logs regularly?
I mostly do. However, sometimes life gets in the way.
What do your logs show? Can you identify the IP? Was it from an open
proxy or from his own location?
Was it TOR?
Others pointed out that this was the second Hipclone attack through
your server in a short time; I didn't notice the earlier one.
You might be able to figure out who it was.
I'm just expressing frustration here.
I???m also not very happy about it. Since Neodome always been an open server,
something like that always been a possibility. Unfortunately.
AIOE is an open server, too, but has a hard posting cap to thwart a
Hipclone attack.
Adam H. Kerman <ahk@chinet.com> wrote:
Neodome Admin <admin@neodome.net> wrote:
Adam H. Kerman <ahk@chinet.com> wrote:
Anton Shepelev <anton.txt@g{oogle}mail.com> wrote:
Adam H. Kerman:
We're in the midst of a hipclone attack through your
server. I've seen 1000 articles thus far, and it's still
ongoing.
Could you LART this shithead?
Shall we assume you have already reported this at the
address abuse@neodome.net, as specified on
http://neodome.net/ ?
What's the point? You think the News administrator of Neodome doesn't >>>>check his logs regularly?
I mostly do. However, sometimes life gets in the way.
What do your logs show? Can you identify the IP? Was it from an open
proxy or from his own location?
Was it TOR?
Others pointed out that this was the second Hipclone attack through
your server in a short time; I didn't notice the earlier one.
You might be able to figure out who it was.
I'm just expressing frustration here.
I'm also not very happy about it. Since Neodome always been an open >>>server, something like that always been a possibility. Unfortunately.
AIOE is an open server, too, but has a hard posting cap to thwart a >>Hipclone attack.
Well, recently there were big - thousands of articles - floods of
non-sense posts through aioe.org's server, despite the posting cap. >Apparently the culprit used a VPN to submit artricles from many
different IPs, thereby evading the cap. [1]
I don't know if that was a Hipclone attack. (I've not looked at which
flood is which kind for quite some time, so I don't know whether it was >Hipclone or not.)
Paolo (Amoroso) only closed the attacked groups for some time, but did
not fix the underlying problem(s).
FWIW, AFAIC there's no excuse for server to be 'open'. username/password
should not present a problem for anyone's 'privacy', except for the
stupid (unsolvable) and for those who *really* need privacy (and who can
use other means).
[1] AFAIR, these floods where 'discussed' in the news.* groups >(news.software.nntp or/and news.software.readers or/and this one).
Neodome Admin <admin@neodome.net> wrote:
Adam H. Kerman <ahk@chinet.com> wrote:
Anton Shepelev <anton.txt@g{oogle}mail.com> wrote:
Adam H. Kerman:
We're in the midst of a hipclone attack through your
server. I've seen 1000 articles thus far, and it's still
ongoing.
Could you LART this shithead?
Shall we assume you have already reported this at the
address abuse@neodome.net, as specified on
http://neodome.net/ ?
What's the point? You think the News administrator of Neodome doesn't
check his logs regularly?
I mostly do. However, sometimes life gets in the way.
What do your logs show? Can you identify the IP? Was it from an open
proxy or from his own location?
Was it TOR?
Others pointed out that this was the second Hipclone attack through
your server in a short time; I didn't notice the earlier one.
You might be able to figure out who it was.
I'm just expressing frustration here.
I’m also not very happy about it. Since Neodome always been an open server,
something like that always been a possibility. Unfortunately.
AIOE is an open server, too, but has a hard posting cap to thwart a
Hipclone attack.
Adam H. Kerman <ahk@chinet.com> wrote:
Neodome Admin <admin@neodome.net> wrote:
Adam H. Kerman <ahk@chinet.com> wrote:
Anton Shepelev <anton.txt@g{oogle}mail.com> wrote:
Adam H. Kerman:
We're in the midst of a hipclone attack through your
server. I've seen 1000 articles thus far, and it's still
ongoing.
Could you LART this shithead?
Shall we assume you have already reported this at the
address abuse@neodome.net, as specified on
http://neodome.net/ ?
What's the point? You think the News administrator of Neodome doesn't >>>>check his logs regularly?
I mostly do. However, sometimes life gets in the way.
What do your logs show? Can you identify the IP? Was it from an open
proxy or from his own location?
A lot of open proxies, tens of them.
Was it TOR?
No.
Others pointed out that this was the second Hipclone attack through
your server in a short time; I didn't notice the earlier one.
You might be able to figure out who it was.
I have no interest in that.
I'm just expressing frustration here.
I'm also not very happy about it. Since Neodome always been an open server, >>>something like that always been a possibility. Unfortunately.
AIOE is an open server, too, but has a hard posting cap to thwart a >>Hipclone attack.
When a lot of open proxies are used, posting cap is useless. Each proxy
looks like a different user for such defense system.
The messages in question are actually being filtered on Neodome server, >cleanfeed is good enough at identifying and rejecting this type of flood. >However, Neodome server is keeping rejected articles. The problem is,
Neodome have two types of outgoing feeds, filtered and unfiltered. Some
news administrators specifically asking to send them everything (for
example, binaries in text groups, which are usually rejected), thus the >reason for unfiltered feeds. Those administrators who are running text-only >servers usually expect to receive filtered feed, and that's what I'm doing. >If they are receiving the flood, it's probably not directly from Neodome
but from other servers that are getting unfiltered feeds.
Neodome server is handling all Usenet articles smaller than 64 KBs, which
is around 10-20 GBs a day, so the flood itself is not anywhere close to be
a problem volume-wise. I, however, agree that automated posts are Usenet >abuse. Perhaps I'll turn filtering on on all outgoing feeds for now and see >how it goes. Unfortunately, filtering in INN is not flexible enough to >separate articles rejected for different reasons. Maybe I'll have to write
a custom solution, or I'll have to have two virtual servers, one
specifically to handle unfiltered peering, and another for filtered. Local >posting then will happen on filtered one, and any flood won't enter >unfiltered feed.
Adam H. Kerman <ahk@chinet.com> wrote:
Neodome Admin <admin@neodome.net> wrote:
Adam H. Kerman <ahk@chinet.com> wrote:
Neodome Admin <admin@neodome.net> wrote:
Adam H. Kerman <ahk@chinet.com> wrote:
Anton Shepelev <anton.txt@g{oogle}mail.com> wrote:
Adam H. Kerman:
We're in the midst of a hipclone attack through your
server. I've seen 1000 articles thus far, and it's still >>>>>>>>ongoing.
Could you LART this shithead?
Shall we assume you have already reported this at the
address abuse@neodome.net, as specified on
http://neodome.net/ ?
What's the point? You think the News administrator of Neodome doesn't >>>>>>check his logs regularly?
I mostly do. However, sometimes life gets in the way.
What do your logs show? Can you identify the IP? Was it from an open >>>>proxy or from his own location?
A lot of open proxies, tens of them.
Ok.
Was it TOR?
No.
Others pointed out that this was the second Hipclone attack through >>>>your server in a short time; I didn't notice the earlier one.
You might be able to figure out who it was.
I have no interest in that.
I understand. But you yourself pointed out the consequence of running an >>open server. There are advantages and consequences to being the >>administrator of a server set up in this manner. If a user takes
advantage of the openness you provide to commit abuse of Usenet, isn't
one of the consequences of running an open server that you have to >>discipline a user who took advantage of your good nature?
He's your user. The rest of Usenet cannot take any action beyond blocking >>articles from your server, which would be a loss for Usenet. You forced >>several to block articles originating from your server during the attack, >>at least temporarily. At some point, News sites are just going to tire of >>the abuse originating at your server and block your users permanently.
Flood attacks are actually not that hard to overcome both on server side
and client side (providing that client software have adequate filtering >means.) I suspect most people unhappy with Neodome are unhappy not
because of floods, but because of trolls.
I've seen many online communities that allowed anonymous postings and most >effective attacks on them were slow, and in many cases not automated,
they didn't involve thousands of messages per day. I'm still surprised
how susceptible people are to trolling.
At that point, you'll still be running your open server but you'll
largely be blocked from Usenet.
I mostly agree with everything you said. When I said I'm not interested in >identifying an attacker I didn't mean that I'm somehow agree with them. I >just think that it's probably impossible and mostly pointless. After this >particular attacker there will be another one, and yet another one.
It would be much more effective to accept possibility to be attacked at
any time and look for ways to minimize potential damage. Usenet is an open >system, open for both good parties and bad parties. Trying to moderate >everything leads to slow (or not that slow) death, perfect example of
that is Usenet II: <https://en.m.wikipedia.org/wiki/Usenet_II> I'm pretty >sure server like Neodome would not be allowed to participate in Usenet II.
Neodome Admin <admin@neodome.net> wrote:
Adam H. Kerman <ahk@chinet.com> wrote:
Neodome Admin <admin@neodome.net> wrote:
Adam H. Kerman <ahk@chinet.com> wrote:
Anton Shepelev <anton.txt@g{oogle}mail.com> wrote:
Adam H. Kerman:
We're in the midst of a hipclone attack through your
server. I've seen 1000 articles thus far, and it's still
ongoing.
Could you LART this shithead?
Shall we assume you have already reported this at the
address abuse@neodome.net, as specified on
http://neodome.net/ ?
What's the point? You think the News administrator of Neodome doesn't >>>>> check his logs regularly?
I mostly do. However, sometimes life gets in the way.
What do your logs show? Can you identify the IP? Was it from an open
proxy or from his own location?
A lot of open proxies, tens of them.
Ok.
Was it TOR?
No.
Others pointed out that this was the second Hipclone attack through
your server in a short time; I didn't notice the earlier one.
You might be able to figure out who it was.
I have no interest in that.
I understand. But you yourself pointed out the consequence of running an
open server. There are advantages and consequences to being the
administrator of a server set up in this manner. If a user takes
advantage of the openness you provide to commit abuse of Usenet, isn't
one of the consequences of running an open server that you have to
discipline a user who took advantage of your good nature?
He's your user. The rest of Usenet cannot take any action beyond blocking articles from your server, which would be a loss for Usenet. You forced several to block articles originating from your server during the attack,
at least temporarily. At some point, News sites are just going to tire of
the abuse originating at your server and block your users permanently.
At
that point, you'll still be running your open server but you'll largely
be blocked from Usenet.
Eric@ <nospam@invalid.ca> wrote:
Adam H. Kerman wrote...
Anton Shepelev <anton.txt@g{oogle}mail.com> wrote:
Adam H. Kerman:
We're in the midst of a hipclone attack through your
server. I've seen 1000 articles thus far, and it's still
ongoing.
Could you LART this shithead?
Shall we assume you have already reported this at the
address abuse@neodome.net, as specified on
http://neodome.net/ ?
What's the point? You think the News administrator of Neodome doesn't
check his logs regularly?
I'm just expressing frustration here.
Does anyone actually know who/where the Neodome admin is?
Looks like someone have doxxing urges, huh?
Neodome Admin wrote...
Eric@ <nospam@invalid.ca> wrote:
Adam H. Kerman wrote...
Anton Shepelev <anton.txt@g{oogle}mail.com> wrote:
Adam H. Kerman:
We're in the midst of a hipclone attack through your
server. I've seen 1000 articles thus far, and it's still
ongoing.
Could you LART this shithead?
Shall we assume you have already reported this at the
address abuse@neodome.net, as specified on
http://neodome.net/ ?
What's the point? You think the News administrator of Neodome doesn't
check his logs regularly?
I'm just expressing frustration here.
Does anyone actually know who/where the Neodome admin is?
Looks like someone have doxxing urges, huh?
No. Paranoia?
Serious question: is it possible to publish server logs as AIOE ES do?
Someone give us a cleenfeed solution
so we can drop this cretin!
On 31/03/2021 17:49, The Doctor wrote:
Someone give us a cleenfeed solution
so we can drop this cretin!
The "news.mixmin.net" has been brought down since midnight on 23rd June
and god knows when it will be back by cretins at neodome and dizum or >whatever they call these days. Life's become very interesting these days.
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 293 |
Nodes: | 16 (2 / 14) |
Uptime: | 219:55:36 |
Calls: | 6,622 |
Calls today: | 4 |
Files: | 12,171 |
Messages: | 5,317,887 |