[Coco] Internet practices (was: I'm back)
John E. Malmberg
wb8tyw at qsl.net
Mon Feb 16 09:46:28 EST 2004
Roger Taylor wrote:
> But getting to your response to Boisy about why he was having trouble, I
> trust that he knows what he's talking about.
I ran into another former COCO user on a different forum, and he stated
that Charter had announced that they were phasing in those blocks on a
region by region basis.
It is a case of ISPs not wanting to deal with abuse reports, and having
determined that ignoring them does not solve the problem, so instead of
shutting off the offenders, they have decided to just ban servers and shut
off the ports.
And in my area, there is no other option. If I want to operate a server
on the internet, I will have to find a remote location to host it.
I used to have Charter.net, and they made a lot of errors on my account
and refused to admit to any of them in writing. Reports that would be
reviewed by others would indicate that all the problems were induced by
the customer.
A repeatable trick the ISP that Charter purchased would use is when
migrating to a new mail server, they would apparently do the following:
1. Remove the old mail server from the internet.
2. Connect the new mail server to the internet without any account
information on it.
3. While the new mail server is live and rejecting all incoming e-mail
with "NO SUCH USER - DO NOT RETRY" codes, they would load in the new
accounts.
Charter.net also changed the default gateway out from under me when I
was out of town for a month so that my wife could not get e-mail from
me. After I found out what they did, and verified that it was an error
by Charter.net and got things working, the Charter.net technician closed
the call with "Customer misconfigured Equipment." Which was of course
not true. My equipment was configured exactly as the last e-mail from
Charter.net said to configure it. The only record of the new
configuration that I have is what I wrote down when I asked what the
current settings were after going around in circles for a month with
Charter support.
When I was on Charter.net, I was also on a static I.P. address, and
servers were permitted. They apparently changed their policies and
prohibited servers unless you upgraded your internet connection.
I have no idea of which of these things happened to Boisy.
Many of the users that are now on Adelphia used to be allowed to run
servers, but lost that privilege after Adelphia bought their ISPs.
Adelphia gave them about a grace period before they announced
enforcement in their TOS.
According to the local paper, Comcast.net has been cutting off users
when they go over excessive downloads/uploads. According to the
interviews in the paper, the people cut off are claiming that Comcast
will not tell them what those limits are, and apparently the reporter
could not find that out either.
When I was with an ISP that Charter bought, another customer of that ISP
told me that he was told that the limit was 4G/month, but not enforced
at the time. I could not find this referenced in any paper
documentation that I had, or on the web site for the ISP.
> Nothing in his announcement made me want to go study the customer
> policy book to see if he was wrong or to put him on the spot.
I have the link handy to the charter.net policy book for a different reason.
The following ISPs are known to prohibit servers, including mail servers
on their residential connections:
Adelphia, Charter, Comcast, Earthlink/Mindspring, Rogers, RoadRunner,
Verizon, and Videotron.
As it is known that these I.P. addresses are prohibited by their ISPs
from operating mail servers, many mail servers will not accept e-mail
from them as they become known as DHCP pools.
If you are operating a web site or other server off of a broadband
connection, check your current terms of service. They could have
changed since you initially got connected.
Or your ISP could have misclassified your service as they report it to
others.
If you want to check to see how your own ISP is classifying your
service, you can go to the service below.
Be aware before you go to this link that you will always be listed in at
least 2 lists, and if you are on a major ISP, you will probably be
listed on at least 5 lists.
For this purpose, the only lists that count are SORBS DUL and the
MAPS-DUL. The MAPS-DUL needs a manual check by clicking on the link.
http://www.moensted.dk/spam/
If you have a DHCP address, you should show up in the
dul.dnsbl.sorbs.net listing, and the MAPS-DUL, and a few old copies of
the dynablock list.
That is normal and expected.
If you are on a static I.P. address, you still may be on the DHCP
listing as your ISP may not have guaranteed that you will have that I.P.
address for any fixed length of time.
The SORBS DUL is running about 8 weeks behind in removing misclassified
STATIC addresses from its list. The previous policy was to only remove
if the ISP requested the correction, but SORBS now has a policy of
removing I.P. addresses when you show them a working rDNS entry for the
I.P. address.
A working rDNS entry is required by RFC for a mail server.
But remember, if you are in the SORBS DUL, and should not be, it was
your ISP that published that your I.P. address was dynamic to the rest
of the world.
If your I.P. address shows up in an open relay list, or an open proxy
list, then if you have a fixed I.P. address, you need to request a retest
for it, to make sure it is not an old listing.
If the retest still shows a problem, then it indicates that your machine
has been compromised. LINUX and other UNIX systems have been
compromised in this way.
In general, the lists to take seriously are:
ORDB - Open Relay database.
CBL - CBL.ABUSEAT.ORG also known as XBL.SPAMHAUS.ORG
Confirmed compromised computers.
SBL - SBL.SPAMHAUS.ORG. Domains known to be controlled by spammers.
DSBLLIST - Confirmed open relays.
OPN - OPM.BLITZED.ORG
SORBSHTTP - HTTP open proxies. (Broken web proxies)
SORBSSOCKS - SOCKS open proxies. (reversed firewall config)
SORBSMISC - More open proxies.
SORBSSMTP - Open Relays
MAPS-* - Needs manual check. Using any one checks all the MAPS zones.
Any of these means that either your system is compromised, or a system
that used to have your I.P. address is compromised.
-John
wb8tyw at qsl.net
Personal Opinion Only
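
The listing check described in the message above, done directly against the DNS zones instead of through the lookup page, as an added example that is not part of the original post. The function names, the 192.0.2.10 documentation address and the stub answers are constructed for illustration; the zone names are the ones the message mentions, and the answer handling follows the general DNSBL convention (an answer in 127.0.0.0/8 means listed, with 127.255.255.x used by some lists for query errors), which the post does not spell out.

```python
import ipaddress
import socket

# Zones named in the message, lower-cased.
ZONES = ["dul.dnsbl.sorbs.net", "cbl.abuseat.org",
         "sbl.spamhaus.org", "opm.blitzed.org"]

def dnsbl_name(ip, zone):
    """Reverse the IPv4 octets and append the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolve(name):
    """Live lookup: IPv4 answer as a string, or None if the lookup fails."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def classify(answer):
    """Map a DNSBL answer to 'clear', 'listed' or 'error'."""
    if answer is None:
        return "clear"    # no record: not on this list
    addr = ipaddress.IPv4Address(answer)
    if addr in ipaddress.ip_network("127.255.255.0/24"):
        return "error"    # list refused or rejected the query
    if addr in ipaddress.ip_network("127.0.0.0/8"):
        return "listed"
    return "error"        # non-loopback answer: dead or wildcarded zone

def check_ip(ip, zones=ZONES, resolve=system_resolve):
    """Classify one address against every zone."""
    return {z: classify(resolve(dnsbl_name(ip, z))) for z in zones}

def has_working_rdns(ip, ptr_lookup, a_lookup):
    """Forward-confirmed rDNS: the PTR name must resolve back to the IP."""
    name = ptr_lookup(ip)
    return name is not None and ip in a_lookup(name)

# Constructed answers so the example runs offline.
CONSTRUCTED_ANSWERS = {
    "10.2.0.192.dul.dnsbl.sorbs.net": "127.0.0.10",
    "10.2.0.192.sbl.spamhaus.org": "127.255.255.254",
    "10.2.0.192.opm.blitzed.org": "203.0.113.7",
}
stub_resolve = CONSTRUCTED_ANSWERS.get

if __name__ == "__main__":
    for zone, state in check_ip("192.0.2.10", resolve=stub_resolve).items():
        print(f"{zone:24} {state}")
```

Calling check_ip() without the resolve argument performs live lookups through the system resolver; an "error" result means the answer says nothing about the address either way.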