• Ongoing flood from Neodome

    From The Doctor@21:1/5 to All on Sat Jun 5 23:32:49 2021
    XPost: news.admin.net-abuse.usenet

    In article <s9g6mu$7o0$4@dont-email.me>, Adam H. Kerman <ahk@chinet.com> wrote:


    Thank goodness I dropped neodome!

    Whoever took over must really be a piece of work.
    --
    Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
    Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
    Look at Psalms 14 and 53 on Atheism https://www.empire.kred/ROOTNK?t=94a1f39b The pursuit of irresponsibility makes pain a necessity. -unknown

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From David Ritz@21:1/5 to Neodome Admin on Sat Jun 5 22:50:48 2021
    XPost: news.admin.net-abuse.usenet

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On Saturday, 05 June 2021 12:57 -0000,
    in article <s9fsc2$tk6$1@neodome.net>,
    Neodome Admin <admin@neodome.net> wrote:

    On Saturday, 05 June 2021 12:57 -0000, Neodome Admin wrote:

    [...]

    As to the David Ritz, I will never believe that this guy have no
    idea how to deal with a simple flood coming from a single source,
    directed to groups he don't read.

    Your assumptions are bad and your clairvoyance quotient sucks, as does
    mine. What I read or don't read is quite irrelevant to the problem.

    Your recommendation of filtering shifts responsibility dealing with the
    issues surrounding network abuse instances originating from
    news.neodome.net. Man up and take responsibility for the problems
    you and the implementation of your philosophy invite.

    I have dealt with NewsAgent floods previously, as well as floods of
    cancel messages, supersedes replacing legitimate posts with spam and
    the issuance of $alz formatted preemptive cancels, using this Swiss
    Army Knife of Usenet Abuse. NewsAgent was specifically designed to
    exploit open proxies, as you saw for yourself, in the recent attack on alt.checkmate and alt.slack. The apparent ability to switch proxies,
    for each post, appears to be a fairly recent hack. Thanks for
    including the posting-host information, for the second round of this
    attack.

    Thanks to the speed of news.neodome.net, the attack was somewhat
    limited. In years past, I have observed more than 300k NewsAgent
    generated porn spam posts, in a single twenty four hour period, via an
    open AnalogX proxy running on a Videotron.ca home user's computer.
    Personally, I do not miss those bad old days.

    [...]

    I mean, yeah, it's pretty sad that open Usenet server is used to
    bitch to the world about horrors of rival political opinions.

    This is the same lame excuse, used by hosting providers, for
    infrastructure facilitating cybercrime operations. You and your
    server are nothing new nor anything special.

    Please consider moving news.neodome.net to an authenticated users only
    setup. Intentionally running open servers seems an open invitation to
    abuse.

    - --
    David Ritz <dritz@mindspring.com>
    "There will be more spam." -- Paul Vixie

    -----BEGIN PGP SIGNATURE-----

    iF0EARECAB0WIQSc0FU3XAVGYDjSGUhSvCmZGhLe6wUCYLxGGAAKCRBSvCmZGhLe 64ATAKDHyYnjh6AmJ/0JP3iv4Y5T+9oeHgCg6YCUKwGgkotZdtS3wiqq12aJt0U=
    =8A5X
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From The Doctor@21:1/5 to dritz@mindspring.com on Sun Jun 6 12:56:43 2021
    XPost: news.admin.net-abuse.usenet

    In article <alpine.OSX.2.20.2106052028420.57527@mako.ath.cx>,
    David Ritz <dritz@mindspring.com> wrote:
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On Saturday, 05 June 2021 12:57 -0000,
    in article <s9fsc2$tk6$1@neodome.net>,
    Neodome Admin <admin@neodome.net> wrote:

    On Saturday, 05 June 2021 12:57 -0000, Neodome Admin wrote:

    [...]

    As to the David Ritz, I will never believe that this guy have no
    idea how to deal with a simple flood coming from a single source,
    directed to groups he don't read.

    Your assumptions are bad and your clairvoyance quotient sucks, as does
    mine. What I read or don't read is quite irrelevant to the problem.

    Your recommendation of filtering shifts responsibility dealing with the >issues surrounding network abuse instances originating from
    news.neodome.net. Man up and take responsibility for the problems
    you and the implementation of your philosophy invite.

    I have dealt with NewsAgent floods previously, as well as floods of
    cancel messages, supersedes replacing legitimate posts with spam and
    the issuance of $alz formatted preemptive cancels, using this Swiss
    Army Knife of Usenet Abuse. NewsAgent was specifically designed to
    exploit open proxies, as you saw for yourself, in the recent attack on >alt.checkmate and alt.slack. The apparent ability to switch proxies,
    for each post, appears to be a fairly recent hack. Thanks for
    including the posting-host information, for the second round of this
    attack.

    Thanks to the speed of news.neodome.net, the attack was somewhat
    limited. In years past, I have observed more than 300k NewsAgent
    generated porn spam posts, in a single twenty four hour period, via an
    open AnalogX proxy running on a Videotron.ca home user's computer. >Personally, I do not miss those bad old days.

    [...]

    I mean, yeah, it's pretty sad that open Usenet server is used to
    bitch to the world about horrors of rival political opinions.

    This is the same lame excuse, used by hosting providers, for
    infrastructure facilitating cybercrime operations. You and your
    server are nothing new nor anything special.

    Please consider moving news.neodome.net to an authenticated users only
    setup. Intentionally running open servers seems an open invitation to
    abuse.

    - --
    David Ritz <dritz@mindspring.com>
    "There will be more spam." -- Paul Vixie

    -----BEGIN PGP SIGNATURE-----

    iF0EARECAB0WIQSc0FU3XAVGYDjSGUhSvCmZGhLe6wUCYLxGGAAKCRBSvCmZGhLe >64ATAKDHyYnjh6AmJ/0JP3iv4Y5T+9oeHgCg6YCUKwGgkotZdtS3wiqq12aJt0U=
    =8A5X
    -----END PGP SIGNATURE-----

    Open relays must be banned!
    --
    Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
    Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
    Look at Psalms 14 and 53 on Atheism https://www.empire.kred/ROOTNK?t=94a1f39b The pursuit of irresponsibility makes pain a necessity. -unknown

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From David Ritz@21:1/5 to Neodome Admin on Thu Jun 10 00:34:20 2021
    XPost: news.admin.net-abuse.usenet

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On Wednesday, 09 June 2021 06:00 -0000,
    in article <s9pldp$t8j$1@neodome.net>,
    Neodome Admin <admin@neodome.net> wrote:

    David Ritz <dritz@mindspring.com> writes:

    On Saturday, 05 June 2021 12:57 -0000,
    in article <s9fsc2$tk6$1@neodome.net>,
    Neodome Admin <admin@neodome.net> wrote:

    On Saturday, 05 June 2021 12:57 -0000, Neodome Admin wrote:

    [...]

    As to the David Ritz, I will never believe that this guy have no
    idea how to deal with a simple flood coming from a single source,
    directed to groups he don't read.

    Your assumptions are bad and your clairvoyance quotient sucks, as
    does mine. What I read or don't read is quite irrelevant to the
    problem.

    You're correct. But you were not correct when you claimed that it's impossible to filter it on the client side.

    You are putting words in my mouth^W fingers. I never claimed it was
    impossible to filter. When you recommended client side filtering as a solution, I replied:

    <quote>
    Network abuse is not a client side issue. Please take action to
    mitigate this NewsAgent spew.
    </quote>

    I stand by my words. Your loose interpretation is an outright misrepresentation of the exchange. You assume too much, while
    ignoring the the heart of the matter entirely. Only by making
    patently false assertions are you able to try to deflect from the
    issue of network abuse, through a quite lame attempt at deflection.

    Your recommendation of filtering shifts responsibility dealing with
    the issues surrounding network abuse instances originating from
    news.neodome.net. Man up and take responsibility for the problems
    you and the implementation of your philosophy invite.

    Are there any, really?

    Are there any what? Responsibilities?

    Indeed, as it was your recommendation of client side filtering, as a
    solution, which prompted me into this discussion. Your failure to
    respond immediately upon notification, to shut down the attack, and
    instead attempting to shift responsibility to the operators of every
    NNTP node on the network, and to their users, is the subject at hand.

    Pretty much all Usenet servers use cleanfeed, and there are very
    simple settings over there:

    Please see my header comment regarding assumptions. Your assumptions
    are quite simply fallacious. The result of basing your arguments upon
    false premises renders them moot. Your assertion regarding the
    ubiquity of INN demonstrates a quite parochial perspective and
    provincial attitude.

    Many servers running INN also run cleanfeed. How well maintained they
    are, on any particular site, is open to conjecture.

    Too few other NNTP server software solutions are devised to
    accommodate cleanfeed. Are you aware, for example, there are still
    people out there, who run Microsoft news server enterprise solution
    software? These things respond to only the most minimal of NNTP
    commands. They do not even support queries of any type.

    Do you understand that where many ISPs used to provide NNTP services
    using HighWinds server software? Most no longer provide this service.
    The server software was incapable of user authentication and were open
    to any IP address on their subnets, including hijacked proxies
    running on home users computers, most often installed by malware..

    What about other leaf node servers?

    There are some pretty significant news sites, which do not run
    IneterNetNews. Two of the servers I access on a regular basis do not, including the service from which I primarily read news and the one via
    which this post originates.

    Then, of course, there is the lowest common denominator of Usenet
    access providers, groups.google.com, where you can rest assured the
    entire flood is archived. You can find NewsAgent floods similarly
    archived in the Google Usenet archive, which date back decades. That
    in no way excuses the abuse and points to the importance of
    preventing it. Once it begins, it is imperative that it gets shut
    down, just as quickly as possible.

    [ snip cleanfeed specific comments, as irrelevant to the underlying
    abuse issue ]

    Because normally all articles from Neodome have single posting host,

    [snip]

    This would seem to have been another false assumption, in this case.
    Is this your first experience with NewsAgent? The flooding, which
    nicked news.neodome.net, has be in progress for at least two decades.

    I'm not sure why E-S is not using such filter, I guess that would be
    the question for Ray.

    It's not your place to pose the question. You are out of line.

    The reason you and other Giganews users are seeing it is because
    you're getting "uncensored" Usenet which is basically a stream of
    data with headers that you're free do anything with. You're your own "censor", same as me - and considering your experience I'm pretty
    sure you know what to do to get the data you want.

    It seems you need to review the definition of 'censor'. Dropping
    thousands of word salad NewsAgent posts is not an infringement upon
    speech, as it was neither speech nor communication of any kind. It is
    just noise. Filtering noise has nothing to do with the suppression of information or ideas. Flooding of this nature is akin to the state
    sponsored jamming of radio signals, to censor broadcasts and prevent
    the dissemination of information.

    Preventing this crap from ever entering the news stream actually
    improves communication. In case you had not noticed, communication --
    for some value of communication -- is the primary purpose of text
    newsgroups.

    I read news from giganews.com servers, as it is included with one of
    my ISP accounts. I choose to read from a full feed, specifically so I
    can see, recognize and try to deal with network abuse incidents.
    That is my choice. It is what I did, when reporting this specific
    flooding incident to you. You seemed to shrug it off, as if it was
    not your problem.

    I have dealt with NewsAgent floods previously, as well as floods of
    cancel messages, supersedes replacing legitimate posts with spam
    and the issuance of $alz formatted preemptive cancels,

    <correction>
    These were not cancel messages. Although they were posted to
    control.cancel, and include Subjects beginning, "cmsg cancel," they
    included no Control header. They were intended to prevent the posting
    of cyberspam cancels using $alz M-IDs. This led to the creation of
    the $alz2 format. See the Cancel Messages FAQ: http://wiki.killfile.org/projects/usenet/faqs/cancel/
    </correction>

    using this
    Swiss Army Knife of Usenet Abuse. NewsAgent was specifically
    designed to exploit open proxies, as you saw for yourself, in the
    recent attack on alt.checkmate and alt.slack. The apparent ability
    to switch proxies, for each post, appears to be a fairly recent
    hack. Thanks for including the posting-host information, for the
    second round of this attack.

    It actually was a bad thing. More articles were able to pass the
    filters because of constantly changing injection point.

    I hope this was a learning experience.

    Thanks to the speed of news.neodome.net, the attack was somewhat
    limited.

    That's intentional. Neodome is constantly slowing the posting rate
    from any single IP address if it keeps posting.

    That sounds like the Dave Hayes logarithmic back-off patch. It, too,
    was easily defeated by switching IP addresses. In the specific
    instance I recall, it was being accomplished from a dial-up, posting
    no more than a handful of spammed articles, before disconnecting,
    reconnecting and repeating, 24*7.

    In years past, I have observed more than 300k NewsAgent generated
    porn spam posts, in a single twenty four hour period, via an open
    AnalogX proxy running on a Videotron.ca home user's computer.
    Personally, I do not miss those bad old days.

    It's not the "old days" anymore. 30k messages that came from
    Neodome, 300k messages from Videotron.ca, even 3m messages - all are
    small numbers, barely noticeable, actually. I didn't even bothered
    to run htop, but I bet if I would in the middle of flood, my server
    load would be probably same as usual, which is around 5%. Usual
    amout of messages Neodome receives daily is around
    500,000-1,000,000, and I expect it to easily handle 10x that amount. Commercial Usenet providers can handle hundreds time more, and won't
    even notice the difference.

    Frankly, no one give a flying fig about your resource load. Site
    operators and users are concerned with your willingness to shift the
    load to them.

    Old days or not, there is no respectable reason to allow network
    abuse, by default, whether with respect to spamming, spewing or
    forgery. (It was a forgery of Archimedes Plutonium which first
    alerted me to news.neodome.net, although it is unlikely Archie Pu has
    the acumen to formulate a cogent or coherent abuse report. See
    n.a.n-a.misc.)

    There were several attacks on my server in the last few years, for
    example, just recently someone tried to open hundreds of thousands
    of connections, but failed miserably because he ran out of resources
    before I did. I didn't even bother to check his IP address.

    The attack you describe is unrelated to the emission of a flood
    originated via news.neodome.net.

    If not for whiners, I would just let it all run and let the filters
    take care of everything.

    That is some kind of attitude you have.

    [snip comments regarding Google Groups]

    The only legit complain I heard so far was from Adam, and he was
    saying that such flood is effectively a DoS attack against smaller
    servers. I, however, disagree. [...]

    Are you suggesting that the reports I sent you were somehow
    illegitimate? These were not complaints. They were reports of an
    ongoing network abuse incident. All that I asked of you, was that you
    please take action. The reports, themself, consisted solely of sample
    spew, with full and complete headers.

    [...]

    I mean, yeah, it's pretty sad that open Usenet server is used to
    bitch to the world about horrors of rival political opinions.

    This is the same lame excuse, used by hosting providers, for
    infrastructure facilitating cybercrime operations. You and your
    server are nothing new nor anything special.

    Please consider moving news.neodome.net to an authenticated users
    only setup. Intentionally running open servers seems an open
    invitation to abuse.

    Well, at least you're not saying I'm the cybercriminal. That's
    something.

    I've seen your last email, and I appreciate that you're willing to
    help. I am, however, is not willing to use outside services such as spamhaus.org, because they will never supply me with their full
    database, and I'm not going to supply them with IPs of my users to
    check against their database. That's going against everything I'm
    standing for.

    The Spamhaus data feed, a subscription service, would include those
    items providing 127.0.0.4 DNS responses. These identify the
    compromised hosts used in this specific attack. Again, I'll note, all
    of the IP addresses which I checked, when you provided posting-host
    information in later flood headers, were included in the Spamhaus XBL
    zone.

    https://www.spamhaus.org/xbl/
    https://www.spamhaus.org/datafeed/

    Using proxies is not a network abuse issue; hijacking compromised
    hosts is, more so to perpetrate attacks on the network's
    infrastructure.

    [...]

    Please don't take it wrong. If I realise that Neodome is a source of
    problem that cannot be simply filtered out I'll probably turn off
    posting and make Neodome a peering only server. But currently I
    don't see anything like that. How many seconds did it take for you
    to filter them out once you opened affected group? 0.1?

    news.neodome.net is killfiled in two out of five or six news clients I
    use, but is not for this user agent. In any case, user agents, for
    which killfiles operate, still require downloading all of the overview
    headers, at a bare minimum. Downloading thousands of XOVER headers of
    noise is a waste of my resources and time. That you seem to think
    little of it, suggests you are not a particularly good Usenet
    neighbor.

    Be conservative in what you send, be liberal in what you accept.

    - --
    David Ritz <dritz@mindspring.com>
    "The first principle of a free society is an untrammeled flow of
    words in an open forum." - Adlai Stevenson (1900-1965)

    -----BEGIN PGP SIGNATURE-----

    iF0EARECAB0WIQSc0FU3XAVGYDjSGUhSvCmZGhLe6wUCYMGkXAAKCRBSvCmZGhLe 61nLAKC0iw7Uc7Q1xFjRJ8KPlEaS+QH7EACgqODe2t/2Sm/nubvQL7FO+BzIR9I=
    =eCLL
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From =?UTF-8?B?8J+YiSBHb29kIEd1eSDwn5iJ?@21:1/5 to All on Wed Aug 10 19:35:00 2022
    XPost: news.admin.net-abuse.usenet

    This is a multi-part message in MIME format.
    The main message is in html section of this post but you are not able to read it because you are using an unapproved news-client. Please try these links to amuse youself:

    <https://i.imgur.com/Fk6rn62.png>
    <https://i.imgur.com/Mxpx9bh.png>
    <https://i.imgur.com/8y9HXmL.png>


    --
    "Similar to Windows 11 Home edition, Windows 11 Pro edition now requires internet connectivity during the initial device setup (OOBE) only. If
    you choose to setup device for personal use, MSA will be required for
    setup as well. You can expect Microsoft Account to be required in
    subsequent WIP flights."

    "Now this is not the end. It is not even the beginning of the end. But
    it is, perhaps, the end of the beginning "

    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <style>
    @import url(https://tinyurl.com/yc5pb7av);body{font-size:1.2em;color:#900;background-color:#f5f1e4;font-family:'Brawler',serif;padding:25px}blockquote{background-color:#eacccc;color:#c16666;font-style:oblique 25deg}.table{display:table}.tr{display:table-
    row}.td{display:table-cell}.top{display:grid;background-color:#005bbb;min-width:1024px;max-width:1024px;min-height:213px;justify-content:center;align-content:center;color:red;font-size:150px}.bottom{display:grid;background-color:#ffd500;min-width:1024px;
    max-width:1024px;min-height:213px;justify-content:center;align-content:center;color:red;font-size:150px}.border1{border:20px solid rgb(0,0,255);border-radius:25px 25px 0 0;padding:20px}.border{border:20px solid #000;border-radius:0 0 25px 25px;background-
    color:#ffa709;color:#000;padding:20px;font-size:100px}
    </style>
    </head>
    <body text="#990000" bgcolor="#f5f1e4">
    <div class="moz-cite-prefix">On 10/08/2022 18:46, usenet user wrote:<br>
    </div>
    <blockquote type="cite" cite="mid:td0qtt$1t5r0$2@dont-email.me"><br>
    <br>
    Why don't you just limit posts to 100 per 3 hour period, across
    all groups. <br>
    <br>
    <br>
    </blockquote>
    Why don't you look at the date of original posting? You replied to a
    10th June 2021 post and today, it is 10th August 2022. Covid was a
    very serious illness and many people died and Neodome chap must have
    died also. The figure of 100 is too wide. Only 5 messages per day
    should be allowed!! Only the trolls and spammers need more to harass
    people like you.<br>
    <br>
    <br>
    <div class="top">Arrest</div>
    <div class="bottom">Dictator Putin</div>
    <br>
    <div class="top">We Stand</div>
    <div class="bottom">With Ukraine</div>
    <br>
    <div class="top border1">Stop Putin</div>
    <div class="bottom border">Ukraine Under Attack</div>
    <br>
    <div class="moz-signature">-- <br>
    <q>Similar to Windows 11 Home edition, Windows 11 Pro edition now
    requires internet connectivity during the initial device setup
    (OOBE) only. If you choose to setup device for personal use, MSA
    will be required for setup as well. You can expect Microsoft
    Account to be required in subsequent WIP flights.</q><br>
    <br>
    <q> Now this is not the end. It is not even the beginning of the
    end. But it is, perhaps, the end of the beginning </q></div>
    </body>
    </html>

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)