Anybody else observed that bigben gained about 19 years at about 1:25pm
Tue Jan 1 14:54:33 NZDT 2002
$ /usr/sbin/ntpdate -q truechimer.waikato.ac.nz
server 18.104.22.168, stratum 2, offset -0.001089, delay 0.04276
1 Jan 14:49:38 ntpdate: adjust time server 22.214.171.124 offset
$ /usr/sbin/ntpdate -q bigben.clix.net.nz
server 126.96.36.199, stratum 1, offset 619315199.998172, delay 0.03613
1 Jan 14:49:55 ntpdate: step time server 188.8.131.52 offset
To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz
where the body of your message reads:
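Added example (not part of the original post): the offset bigben reports above, 619315199.998172 s, is within 2 ms of 1024 weeks (619315200 s), the wrap period of a 10-bit GPS week counter. The Python sketch below parses `ntpdate -q` server lines and flags any source that disagrees with the median of its peers, marking whole-period jumps separately; the third sample server (192.0.2.10), the thresholds and the function names are assumptions made for the illustration.

```python
import re
from statistics import median

# A 10-bit GPS week counter wraps every 1024 weeks (619315200 s). The offset
# bigben reports in the post is within 2 ms of exactly one such period.
GPS_ROLLOVER_S = 1024 * 7 * 86400

SERVER_RE = re.compile(
    r"server\s+(?P<addr>[^\s,]+),\s+stratum\s+(?P<stratum>\d+),"
    r"\s+offset\s+(?P<offset>[-+]?\d+\.\d+),\s+delay\s+(?P<delay>\d+\.\d+)"
)

# First two lines are the ones quoted in the post; the third is constructed
# (documentation address) so that a majority exists.
SAMPLE = """\
server 18.104.22.168, stratum 2, offset -0.001089, delay 0.04276
server 126.96.36.199, stratum 1, offset 619315199.998172, delay 0.03613
server 192.0.2.10, stratum 2, offset 0.000412, delay 0.05120
"""

def parse_servers(text):
    """Return one dict per 'server ...' line of `ntpdate -q` output."""
    return [{"addr": m["addr"], "stratum": int(m["stratum"]),
             "offset": float(m["offset"]), "delay": float(m["delay"])}
            for m in SERVER_RE.finditer(text)]

def classify(servers, max_skew=1.0, tolerance=1.0):
    """Map each server address to 'ok', 'rollover' or 'falseticker'.

    The reference is the median offset, so a single bad source cannot move
    it no matter what stratum it claims. Needs at least three sources.
    """
    if len(servers) < 3:
        raise ValueError("need at least three sources to outvote a bad one")
    ref = median(s["offset"] for s in servers)
    verdicts = {}
    for s in servers:
        skew = s["offset"] - ref
        periods = round(skew / GPS_ROLLOVER_S)
        if abs(skew) <= max_skew:
            verdicts[s["addr"]] = "ok"
        elif periods and abs(skew - periods * GPS_ROLLOVER_S) <= tolerance:
            verdicts[s["addr"]] = "rollover"   # off by whole 1024-week periods
        else:
            verdicts[s["addr"]] = "falseticker"
    return verdicts

if __name__ == "__main__":
    for addr, verdict in classify(parse_servers(SAMPLE)).items():
        print(addr, verdict)
```

A check like this belongs in front of any job that steps the clock from a single source: the stratum 1 label on bigben did not stop it from being the outlier.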
Notice of the sale of Domainz is being sent by post to ISPs, but a
quick e-mail here may also prove effective in reaching any interested
The advert relating to the sale of Domainz is at
http://www.internetnz.net.nz/sale-of-domainz-nbr-ad.pdf, as per the
announcement below. All inquiries are best directed to Tim Russell of
Deloitte Corporate Finance at the details below.
On Fri, 30 May 2003 13:35:44 +1200, Peter Macaulay
>Further to our earlier announcements, the public aspect of the sale of
>Domainz is under way. An advertisement is in today's (Friday 29 May)
>National Business Review. A copy will be posted on the web site at 1830
>Feel free to pass on this information to any parties that may have a
>genuine interest. The contact is
>+64 9 303 0857
>Direct +64 4 495 2113
At the risk of posting something on topic..
I have 2 routers (let's call them A and B), talking to different upstream
providers, advertising 184.108.40.206/24 via BGP.
220.127.116.11/24 is subnetted, each subnet is on a different VLAN.
These routers talk to each other with iBGP, giving each other everything
(including 18.104.22.168/24 le 32).
I run HSRP between the 2 routers.
Router B prepends my ASN several times before advertising 22.214.171.124.
Relevant stuff (on both boxes):
router bgp 23729
ip route 126.96.36.199 255.255.255.0 Null0
With this config, reachability for 188.8.131.52/24 hosts alternates on and off
roughly every minute. 47% total loss over 10 minutes (ie 5 'bursts' of loss).
These packets are all hitting my AS at router A.
I've turned HSRP off and on again to see if that was causing problems (it
Several solutions I've found:
- Turning the iBGP session to router B off. (uhh..)
- Turning synchronization on.
My understanding of BGP synchronization is that BGP will only re-advertise
with eBGP prefixes learned via iBGP after learning them via another IGP if
one is running.
ec-br-1(config-router)#do sh run | inc router
router bgp 23729
bgp router-id 184.108.40.206
I'm not running any IGPs, so synchronization shouldn't be part of the
equation. In any case, I'm not a transit provider.
And, there seems to be no relation to readvertising routes here, the packets
AFAICT are getting to router A and being dropped.
I've got no problem running with synchronization on at the moment, but
that's not the point. :-)
Yep ! Had calls dribbling in here all morning ...
The DNC is aware and I'm sure things will be taken up by her.
From: jfp [mailto:firstname.lastname@example.org]
Sent: Wednesday, 29 October 2003 10:42 a.m.
Subject: [nznog] Domain Names NZ scam
Some of our customers have just received scam domain renewal letters
from Domain Names NZ. ($237 for two years) (www.domainnamesnz.com)
People might want to warn their customers.
Jean-Francois Pirus <jfp(a)clearfield.com> Clearfield Software Ltd
Phone (+64-9) 358 2081 4th Floor 8-10 Whitaker Place
Fax (+64-9) 358 2083 P O Box 2348 Auckland, New Zealand
NZNOG mailing list
We have been through this here on the other side of the creek. Some
years ago when this guy first started this scam I actually spoke to him
trying to recover money that a client had inadvertently paid. Even
though the money had not been passed to the sole registrar of .au
domains at that time (we had already paid for the domain's renewal) the
most that we were able to threaten was a civil action for not refunding
monies that had not been applied for the purpose that they were
collected. He just didn't give a @#$% about it and continued on his
Unfortunately the problem is that the person paying the money doesn't
know enough about what the invoice means and also they don't read the
thing in detail.
The most success was had here when the registrar used the domain
contacts list and emailed a warning to all domain owners.
Perhaps your registrar should consider something similar. The warning is
probably still on the site at www.inww.com if you need text.
The other thing is to get it into the tabloid press, perhaps someone
should approach some of your shock jocks to run the story. Maybe Holmes
could turn it into a global news story :))
From: Tikiri Wicks [mailto:email@example.com]
Sent: Saturday, 1 November 2003 3:21 PM
Subject: Re: [nznog] Domain Names NZ scam
Re: Domain Names NZ scam
Just wondering, is anyone on this list a lawyer?
I just got my second mail from these bastards. It's made out just like
an invoice telling me to register my domain.net.nz
Unauthorized use of the domain name registry for commercial solicitation
perhaps ? New Zealand Privacy law perhaps ? Is there anything like class
action lawsuits in New Zealand and Australia?
----- Original Message -----
From: "Juha Saarinen" <juha(a)saarinen.org>
To: "Steven Heath" <sheath(a)paradise.net.nz>
Cc: <nznog(a)list.waikato.ac.nz>; "'Matthew G Brown'" <Matt(a)Brh.Co.Nz>
Sent: Thursday, October 30, 2003 3:09 PM
Subject: Re: [nznog] Domain Names NZ scam
> Steven Heath wrote:
> > In my opinion it is just more of the many scum aussie operators that
> > extend their scams to include NZ.
> Was just informed that the AuDA and ACCC court proceedings against
> Domain Names Pty Ltd will be heard on the 19th of next month.
Looks like someone has killed spamcop. Can anyone explain how this
happened? I can't see their registrar (joker.com) doing it unless they
have been conned.
Direct +64 4 495 2113
Was just wondering if anyone else has been experiencing a lot of ICMP traffic (pings) lately, seems to be a lot of pinging of entire ranges going on. Another new worm or the leftovers from the last lot?
Right, but due to no SMTP AUTH logging in Exchange 2000, we cannot
easily track any attempt to intrude using the brute force password crack
method. We only get to see badmail folders filling up and so on.
Additionally we cannot see exactly which account's password has been
A more comprehensive anti-relay option which checked for the existence
of the recipient and/or sender in Active Directory, as this ORF thing
does, would be beneficial in future releases.
I haven't seen Exchange 2003 yet so can't comment on whether it has any
From: Nathan Mercer [mailto:firstname.lastname@example.org]
Sent: Wednesday, 29 October 2003 10:27 AM
To: Geoff Williams; nznog(a)list.waikato.ac.nz
Subject: RE: [nznog] New and unacknowledged Exchange / Win2k
So just to be clear, a new and unacknowledged Exchange or Windows 2000
vulnerability has not been discovered here, right?
We want to know about vulnerabilities (not mis-configurations). If you do
wish to report a suspected security vulnerability please either contact
myself directly, log the details on
https://s.microsoft.com/technet/security/bulletin/alertus.asp or email
secure(a)microsoft.com (PGP key is on
Details of our vulnerability handling processes are on
From: Geoff Williams [mailto:email@example.com]
Sent: Tuesday, 28 October 2003 11:26 a.m.
Subject: FW: [nznog] New and unacknowledged Exchange / Win2k
Further to my earlier post, Neil G has pointed me correctly to an SMTP
AUTH attack. I have used the logs of the ORF tool to pinpoint which
accounts have been compromised.
Strangely the spammers are trying to work out why, even if they
authenticate, they can't relay, so there is a lot of traffic to watch
and learn from. A large number of their connections are being blocked by
the IP blacklists I have selected. I had originally blocked 2 Class A IP
ranges at our router after watching the traffic and finding that they
were allocated to a provider in China. But I am not 100% sure that IP
addresses are not being spoofed as they seem to have a huge range of
Class A and B addresses available to them and I was really chasing my
tail trying to block them at that level.
So now I have a new password generator and will start training the mind
to work with 12 or more character passwords.
Hope this is of assistance to others.
From: Geoff Williams
Sent: Monday, 27 October 2003 11:01 PM
Subject: [nznog] New and unacknowledged Exchange / Win2k SMTP
I have exactly the same open-relay problem, including the sending
servers and addresses, and have been struggling to diagnose for a few
I had a hunch that the hack may involve the SystemMailbox account (which
of course is disabled), but this was based on checking security logs and
seeing who was logged in at the same time as the spam was dumped into
I have got around it for the moment (I hope) by loading the ORF relay
and spam tool but I would really like to know how this hack is being
perpetrated as I have a whole stack of other Exchange servers to look
after and I really don't want this to get out of control...
So if anyone has made any progress I would really appreciate you
sharing your experience.
T: 02 9904 3137
F: 02 9904 0232
M: 0417 281 905
I would *strongly* recommend against EVER running Exchange as your Internet-facing SMTP server. Use a *nix box as a proxy.
There have been too many [unacknowledged] bugs/holes in MS Exchange, and troubleshooting something that hasn't been acknowledged by the manufacturer can have you thinking that you've gone crazy.
Using a *proper* SMTP server to sanity check incoming connections is the only way to go with Exchange, even for small customers -- the risks are pretty high otherwise. And while you're at it throw SpamAssassin/Antivirus on it and kill multiple birds, et al.
Hmm, I guess the extension of your argument is that presumably SCO will give
me a discount on my license for any vulnerability I find in any flavour of
Linux in the world? :-)
Not directed at you, and I too will stop right there :-)
Cheers - Neil Gardner
Networking and Security Support Engineer
Renaissance Brands Ltd
(09) 968-3681 / (021) 746-345
From: Barry Murphy [mailto:firstname.lastname@example.org]
Sent: Wednesday, 29 October 2003 12:52 p.m.
To: Nathan Mercer; nznog(a)list.waikato.ac.nz
Subject: Re: [nznog] New and unacknowledged Exchange / Win2k
Is there a reward for reporting a vulnerability? Surely if the end user is
having to find bugs then MS isn't spending enough to secure its software.
Not directed at you and I'll stop there.