Rocksolid Light

Welcome to novaBBS (click a section below)

mail  files  register  newsreader  groups  login

Message-ID:  

There are two kinds of egotists: 1) Those who admit it 2) The rest of us


computers / news.admin.peering / Re: New Neodome flood

SubjectAuthor
* Re: Ongiong flood from NeodomeDavid Ritz
+- Re: Ongiong flood from NeodomeThe Doctor
`* Re: Ongiong flood from NeodomeNeodome Admin
 `* Re: Ongoing flood from NeodomeAdam H. Kerman
  `* Re: Ongoing flood from NeodomeNeodome Admin
   +* Re: Ongoing flood from NeodomeAdam H. Kerman
   |`- Re: Ongoing flood from NeodomeThe Doctor
   `* Re: Ongoing flood from NeodomeDavid Ritz
    +* Re: Ongoing flood from NeodomeThe Doctor
    |`* New Neodome flood (Was: Re: Ongoing flood from Neodome)Sn!pe
    | `* Re: New Neodome floodRay Banana
    |  +* Re: New Neodome floodDavid Ritz
    |  |`- Re: New Neodome floodSn!pe
    |  `* Re: New Neodome floodNeodome Admin
    |   +* Re: New Neodome floodRay Banana
    |   |`* Re: New Neodome floodThe Doctor
    |   | `* Re: New Neodome floodRay Banana
    |   |  +- Re: New Neodome floodThe Doctor
    |   |  `* Re: New Neodome floodbje
    |   |   `* Re: New Neodome floodThomas Hochstein
    |   |    `- Re: New Neodome floodbje
    |   `* Re: New Neodome floodAdam H. Kerman
    |    `* Re: New Neodome floodNeodome Admin
    |     +* Re: New Neodome floodFrank Slootweg
    |     |+* Re: New Neodome floodNeodome Admin
    |     ||+- Re: New Neodome floodFrank Slootweg
    |     ||`- Re: New Neodome floodDan Purgert
    |     |`- Re: New Neodome floodAdam H. Kerman
    |     `- Re: New Neodome floodYK
    +* Re: Ongoing flood from NeodomeAioe
    |`- Re: Ongoing flood from NeodomeDavid Ritz
    `* Re: Ongoing flood from NeodomeNeodome Admin
     +* Re: Ongoing flood from NeodomeFrank Slootweg
     |+- Re: Ongoing flood from NeodomeNeodome Admin
     |`* Re: Ongoing flood from NeodomeAioe
     | `- Re: Ongoing flood from NeodomeFrank Slootweg
     `* Re: Ongoing flood from NeodomeDavid Ritz
      +- Re: Ongoing flood from NeodomeThe Doctor
      `* Re: Ongoing flood from NeodomeNeodome Admin
       +- Re: Ongoing flood from NeodomeFrank Slootweg
       +* Re: Ongoing flood from Neodomeusenet user
       |`- Re: Ongoing flood from Neodomeusenet user
       `- Re: Ongoing flood from Neodomeusenet user

Pages:12
Re: Ongoing flood from Neodome

<s9r9tf$11ng$1@gioia.aioe.org>

 copy mid

https://www.novabbs.com/computers/article-flat.php?id=79&group=news.admin.peering#79

 copy link   Newsgroups: news.admin.net-abuse.usenet news.admin.peering
Path: i2pn2.org!i2pn.org!aioe.org!6M26+vKEA1CVD/t06dAhXg.user.gioia.aioe.org.POSTED!not-for-mail
From: est...@aioe.org (Aioe)
Newsgroups: news.admin.net-abuse.usenet,news.admin.peering
Subject: Re: Ongoing flood from Neodome
Date: Wed, 9 Jun 2021 22:56:16 +0200
Organization: Aioe.org NNTP Server
Lines: 17
Message-ID: <s9r9tf$11ng$1@gioia.aioe.org>
References: <1pa80y9.1ntv431sf1rnN%snipeco.2@gmail.com>
<alpine.OSX.2.20.2106031829000.57527@mako.ath.cx> <s9c1gu$29s7$3@neodome.net>
<s9ddnf$q53$2@dont-email.me> <s9fsc2$tk6$1@neodome.net>
<alpine.OSX.2.20.2106052028420.57527@mako.ath.cx> <s9pldp$t8j$1@neodome.net>
<s9ra10.7u8.1@ID-201911.user.individual.net>
NNTP-Posting-Host: 6M26+vKEA1CVD/t06dAhXg.user.gioia.aioe.org
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-15; format=flowed
Content-Transfer-Encoding: 7bit
X-Complaints-To: abuse@aioe.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.8.1
Content-Language: en-US
X-Notice: Filtered by postfilter v. 0.9.2
 by: Aioe - Wed, 9 Jun 2021 20:56 UTC

Il 09/06/21 20:58, Frank Slootweg ha scritto:
> FWIW, sofar I've not been affected by floods from Neodome, but have
> been affected by (10k articles) floods from Aioe.org. Same difference.

have you reported that abuse to aioe.org abuse desk?
newsmasters react when someone alerts them about a running flood.

BTW last time, in march, only a few thousand of nonsense messages were
sent through my server before being stopped. Abuse were blocked as soon
as it was reported (a few hours after the beginning).

you should consider that it is not possible to prevent an user from
flooding a group using a list of open proxies, the only possible
countermeasure is to stop him as soon as possible.

Re: New Neodome flood

<s9rmn4$dp7$1@dont-email.me>

 copy mid

https://www.novabbs.com/computers/article-flat.php?id=80&group=news.admin.peering#80

 copy link   Newsgroups: news.admin.net-abuse.usenet news.admin.peering
Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: ahk...@chinet.com (Adam H. Kerman)
Newsgroups: news.admin.net-abuse.usenet,news.admin.peering
Subject: Re: New Neodome flood
Date: Thu, 10 Jun 2021 00:34:44 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 36
Message-ID: <s9rmn4$dp7$1@dont-email.me>
References: <1pa80y9.1ntv431sf1rnN%snipeco.2@gmail.com> <s9qqel$qsc$2@dont-email.me> <s9r2n2$1boh$1@neodome.net> <s9rauk.7u8.1@ID-201911.user.individual.net>
Injection-Date: Thu, 10 Jun 2021 00:34:44 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="f9f5c48eb8b8048ea466df60bf819fa9";
logging-data="14119"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1+oFShpGO3AjlywkxcCyo9LLNtDIFuQyc8="
Cancel-Lock: sha1:mU5Z3EVfwevdRKxpPpd7gCmETIo=
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
 by: Adam H. Kerman - Thu, 10 Jun 2021 00:34 UTC

Frank Slootweg <this@ddress.is.invalid> wrote:
>Neodome Admin <admin@neodome.net> wrote:
>>"Adam H. Kerman" <ahk@chinet.com> writes:

>>>I wish you had the same public spirited sentiment.

>>What makes you think I don't, Adam? Countless of times I've seen the
>>same thing being said over and over: the advantage of Usenet compared to
>>other social media is that it cannot be censored or moderated. This is
>>exactly what I provide to people. Uncensored Usenet, free of charge, in
>>any amounts you want, - more than you ever wanted, probably, but that's
>>another question.

I'm piggy-backing on Frank's article as Neodome Admin's article didn't
appear on e-s.

If a user is allowed to flood a newsgroup, he himself is disrupting the
normal flow of discussion. That's censorship. When floods are large
enough to shut down certain News sites, that's a denial of service
attack.

Quantity for the sake of quantity isn't freedom of the press given that the
effect is shutting down the discussion of others -- their publishing
activity.

>Pull the other one! Abuse of the net - in this case flooding - has
>nothing to do with censorship, quite the contrary.

Yes.

> If you can't be bothered to - try to - prevent the abuse (of the net)
>which originates from your server, then just come out and say so, but
>don't spout this kind of nonsense to an audience which sees right
>through it.

>[...]

Re: Ongoing flood from Neodome

<alpine.OSX.2.20.2106092125210.72281@mako.ath.cx>

 copy mid

https://www.novabbs.com/computers/article-flat.php?id=81&group=news.admin.peering#81

 copy link   Newsgroups: news.admin.net-abuse.usenet news.admin.peering
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!lilly.ping.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: dri...@mindspring.com (David Ritz)
Newsgroups: news.admin.net-abuse.usenet,news.admin.peering
Subject: Re: Ongoing flood from Neodome
Date: Thu, 10 Jun 2021 00:34:20 -0500
Organization: SpamBusters!
Lines: 294
Message-ID: <alpine.OSX.2.20.2106092125210.72281@mako.ath.cx>
References: <1pa80y9.1ntv431sf1rnN%snipeco.2@gmail.com> <alpine.OSX.2.20.2106031829000.57527@mako.ath.cx> <s9c1gu$29s7$3@neodome.net> <s9ddnf$q53$2@dont-email.me> <s9fsc2$tk6$1@neodome.net> <alpine.OSX.2.20.2106052028420.57527@mako.ath.cx>
<s9pldp$t8j$1@neodome.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
X-Trace: individual.net aG1f6V7BjrVA1WhFRK37ug6fZmM379/eVJhxG7nGybuthEbC/u
X-Orig-Path: not-for-mail
Cancel-Lock: sha1:FaHOIc/AJVLFVipnAn73k4HJYaA=
In-Reply-To: <s9pldp$t8j$1@neodome.net>
OpenPGP: id=9CD055375C05466038D2194852BC29991A12DEEB
X-Comment-1: Spam is bad. <http://trillian.mit.edu/~jc/humor/WhatIsSpam.html>
X-Comment-2: LART a spammer for Dobbs.
X-Comment-3: Invalid assumptions tend to produce invalid conclusions.
X-Comment-4: This message is intended to be read with a monospaced font.
X-Pgp-0x1A12DEEB: 9CD0 5537 5C05 4660 38D2 1948 52BC 2999 1A12 DEEB
X-Face: 7]U0X0dPn}db`BCcCn>y)FeytFj}Qw,m-4#,\oxca5+P%Qh&2UufZ_"#3/`aJo+>oQZErBD'84"2S15SXSF?Sy5ZQcjs4:,S)$TU<Yih_}o{Fsu)d6P4fEGb_I,Y9.XM`Vvl`RT&''$q9.sn);N,Aqq5dM-+~Kdv=Cm^bSj^T|^UEx$<g/]f8QqE_G5X-AG71!BP3=']?v[m_]9Y(2}z*!rL
X-Meow: yes
 by: David Ritz - Thu, 10 Jun 2021 05:34 UTC

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday, 09 June 2021 06:00 -0000,
in article <s9pldp$t8j$1@neodome.net>,
Neodome Admin <admin@neodome.net> wrote:

> David Ritz <dritz@mindspring.com> writes:

> > On Saturday, 05 June 2021 12:57 -0000,
> > in article <s9fsc2$tk6$1@neodome.net>,
> > Neodome Admin <admin@neodome.net> wrote:

> > On Saturday, 05 June 2021 12:57 -0000, Neodome Admin wrote:

> > [...]

>>> As to the David Ritz, I will never believe that this guy have no
>>> idea how to deal with a simple flood coming from a single source,
>>> directed to groups he don't read.

>> Your assumptions are bad and your clairvoyance quotient sucks, as
>> does mine. What I read or don't read is quite irrelevant to the
>> problem.

> You're correct. But you were not correct when you claimed that it's
> impossible to filter it on the client side.

You are putting words in my mouth^W fingers. I never claimed it was
impossible to filter. When you recommended client side filtering as a
solution, I replied:

<quote>
Network abuse is not a client side issue. Please take action to
mitigate this NewsAgent spew.
</quote>

I stand by my words. Your loose interpretation is an outright
misrepresentation of the exchange. You assume too much, while
ignoring the the heart of the matter entirely. Only by making
patently false assertions are you able to try to deflect from the
issue of network abuse, through a quite lame attempt at deflection.

>> Your recommendation of filtering shifts responsibility dealing with
>> the issues surrounding network abuse instances originating from
>> news.neodome.net. Man up and take responsibility for the problems
>> you and the implementation of your philosophy invite.

> Are there any, really?

Are there any what? Responsibilities?

Indeed, as it was your recommendation of client side filtering, as a
solution, which prompted me into this discussion. Your failure to
respond immediately upon notification, to shut down the attack, and
instead attempting to shift responsibility to the operators of every
NNTP node on the network, and to their users, is the subject at hand.

> Pretty much all Usenet servers use cleanfeed, and there are very
> simple settings over there:

Please see my header comment regarding assumptions. Your assumptions
are quite simply fallacious. The result of basing your arguments upon
false premises renders them moot. Your assertion regarding the
ubiquity of INN demonstrates a quite parochial perspective and
provincial attitude.

Many servers running INN also run cleanfeed. How well maintained they
are, on any particular site, is open to conjecture.

Too few other NNTP server software solutions are devised to
accommodate cleanfeed. Are you aware, for example, there are still
people out there, who run Microsoft news server enterprise solution
software? These things respond to only the most minimal of NNTP
commands. They do not even support queries of any type.

Do you understand that where many ISPs used to provide NNTP services
using HighWinds server software? Most no longer provide this service.
The server software was incapable of user authentication and were open
to any IP address on their subnets, including hijacked proxies
running on home users computers, most often installed by malware..

What about other leaf node servers?

There are some pretty significant news sites, which do not run
IneterNetNews. Two of the servers I access on a regular basis do not,
including the service from which I primarily read news and the one via
which this post originates.

Then, of course, there is the lowest common denominator of Usenet
access providers, groups.google.com, where you can rest assured the
entire flood is archived. You can find NewsAgent floods similarly
archived in the Google Usenet archive, which date back decades. That
in no way excuses the abuse and points to the importance of
preventing it. Once it begins, it is imperative that it gets shut
down, just as quickly as possible.

[ snip cleanfeed specific comments, as irrelevant to the underlying
abuse issue ]
> Because normally all articles from Neodome have single posting host,

[snip]

This would seem to have been another false assumption, in this case.
Is this your first experience with NewsAgent? The flooding, which
nicked news.neodome.net, has be in progress for at least two decades.

> I'm not sure why E-S is not using such filter, I guess that would be
> the question for Ray.

It's not your place to pose the question. You are out of line.

> The reason you and other Giganews users are seeing it is because
> you're getting "uncensored" Usenet which is basically a stream of
> data with headers that you're free do anything with. You're your own
> "censor", same as me - and considering your experience I'm pretty
> sure you know what to do to get the data you want.

It seems you need to review the definition of 'censor'. Dropping
thousands of word salad NewsAgent posts is not an infringement upon
speech, as it was neither speech nor communication of any kind. It is
just noise. Filtering noise has nothing to do with the suppression of
information or ideas. Flooding of this nature is akin to the state
sponsored jamming of radio signals, to censor broadcasts and prevent
the dissemination of information.

Preventing this crap from ever entering the news stream actually
improves communication. In case you had not noticed, communication --
for some value of communication -- is the primary purpose of text
newsgroups.

I read news from giganews.com servers, as it is included with one of
my ISP accounts. I choose to read from a full feed, specifically so I
can see, recognize and try to deal with network abuse incidents.
That is my choice. It is what I did, when reporting this specific
flooding incident to you. You seemed to shrug it off, as if it was
not your problem.

>> I have dealt with NewsAgent floods previously, as well as floods of
>> cancel messages, supersedes replacing legitimate posts with spam
>> and the issuance of $alz formatted preemptive cancels,

<correction>
These were not cancel messages. Although they were posted to
control.cancel, and include Subjects beginning, "cmsg cancel," they
included no Control header. They were intended to prevent the posting
of cyberspam cancels using $alz M-IDs. This led to the creation of
the $alz2 format. See the Cancel Messages FAQ:
http://wiki.killfile.org/projects/usenet/faqs/cancel/
</correction>

>> using this
>> Swiss Army Knife of Usenet Abuse. NewsAgent was specifically
>> designed to exploit open proxies, as you saw for yourself, in the
>> recent attack on alt.checkmate and alt.slack. The apparent ability
>> to switch proxies, for each post, appears to be a fairly recent
>> hack. Thanks for including the posting-host information, for the
>> second round of this attack.

> It actually was a bad thing. More articles were able to pass the
> filters because of constantly changing injection point.

I hope this was a learning experience.

>> Thanks to the speed of news.neodome.net, the attack was somewhat
>> limited.

> That's intentional. Neodome is constantly slowing the posting rate
> from any single IP address if it keeps posting.

That sounds like the Dave Hayes logarithmic back-off patch. It, too,
was easily defeated by switching IP addresses. In the specific
instance I recall, it was being accomplished from a dial-up, posting
no more than a handful of spammed articles, before disconnecting,
reconnecting and repeating, 24*7.

>> In years past, I have observed more than 300k NewsAgent generated
>> porn spam posts, in a single twenty four hour period, via an open
>> AnalogX proxy running on a Videotron.ca home user's computer.
>> Personally, I do not miss those bad old days.

> It's not the "old days" anymore. 30k messages that came from
> Neodome, 300k messages from Videotron.ca, even 3m messages - all are
> small numbers, barely noticeable, actually. I didn't even bothered
> to run htop, but I bet if I would in the middle of flood, my server
> load would be probably same as usual, which is around 5%. Usual
> amout of messages Neodome receives daily is around
> 500,000-1,000,000, and I expect it to easily handle 10x that amount.
> Commercial Usenet providers can handle hundreds time more, and won't
> even notice the difference.

Frankly, no one give a flying fig about your resource load. Site
operators and users are concerned with your willingness to shift the
load to them.

Old days or not, there is no respectable reason to allow network
abuse, by default, whether with respect to spamming, spewing or
forgery. (It was a forgery of Archimedes Plutonium which first
alerted me to news.neodome.net, although it is unlikely Archie Pu has
the acumen to formulate a cogent or coherent abuse report. See
n.a.n-a.misc.)


Click here to read the complete article
Re: Ongoing flood from Neodome

<s9t1nd$rj7$32@gallifrey.nk.ca>

 copy mid

https://www.novabbs.com/computers/article-flat.php?id=82&group=news.admin.peering#82

 copy link   Newsgroups: news.admin.net-abuse.usenet news.admin.peering
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!news.nk.ca!.POSTED.doctor.nl2k.ab.ca!not-for-mail
From: doc...@doctor.nl2k.ab.ca (The Doctor)
Newsgroups: news.admin.net-abuse.usenet,news.admin.peering
Subject: Re: Ongoing flood from Neodome
Date: Thu, 10 Jun 2021 12:48:45 -0000 (UTC)
Organization: NetKnow News
Message-ID: <s9t1nd$rj7$32@gallifrey.nk.ca>
References: <1pa80y9.1ntv431sf1rnN%snipeco.2@gmail.com> <alpine.OSX.2.20.2106052028420.57527@mako.ath.cx> <s9pldp$t8j$1@neodome.net> <alpine.OSX.2.20.2106092125210.72281@mako.ath.cx>
Injection-Date: Thu, 10 Jun 2021 12:48:45 -0000 (UTC)
Injection-Info: gallifrey.nk.ca; posting-host="doctor.nl2k.ab.ca:204.209.81.1";
logging-data="28263"; mail-complaints-to="usenet@gallifrey.nk.ca"
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
Originator: doctor@doctor.nl2k.ab.ca (The Doctor)
 by: The Doctor - Thu, 10 Jun 2021 12:48 UTC

In article <alpine.OSX.2.20.2106092125210.72281@mako.ath.cx>,
David Ritz <dritz@mindspring.com> wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On Wednesday, 09 June 2021 06:00 -0000,
> in article <s9pldp$t8j$1@neodome.net>,
> Neodome Admin <admin@neodome.net> wrote:
>
>> David Ritz <dritz@mindspring.com> writes:
>
>> > On Saturday, 05 June 2021 12:57 -0000,
>> > in article <s9fsc2$tk6$1@neodome.net>,
>> > Neodome Admin <admin@neodome.net> wrote:
>
>> > On Saturday, 05 June 2021 12:57 -0000, Neodome Admin wrote:
>
>> > [...]
>
>>>> As to the David Ritz, I will never believe that this guy have no
>>>> idea how to deal with a simple flood coming from a single source,
>>>> directed to groups he don't read.
>
>>> Your assumptions are bad and your clairvoyance quotient sucks, as
>>> does mine. What I read or don't read is quite irrelevant to the
>>> problem.
>
>> You're correct. But you were not correct when you claimed that it's
>> impossible to filter it on the client side.
>
>You are putting words in my mouth^W fingers. I never claimed it was
>impossible to filter. When you recommended client side filtering as a
>solution, I replied:
>
><quote>
> Network abuse is not a client side issue. Please take action to
> mitigate this NewsAgent spew.
></quote>
>
>I stand by my words. Your loose interpretation is an outright
>misrepresentation of the exchange. You assume too much, while
>ignoring the the heart of the matter entirely. Only by making
>patently false assertions are you able to try to deflect from the
>issue of network abuse, through a quite lame attempt at deflection.
>
>>> Your recommendation of filtering shifts responsibility dealing with
>>> the issues surrounding network abuse instances originating from
>>> news.neodome.net. Man up and take responsibility for the problems
>>> you and the implementation of your philosophy invite.
>
>> Are there any, really?
>
>Are there any what? Responsibilities?
>
>Indeed, as it was your recommendation of client side filtering, as a
>solution, which prompted me into this discussion. Your failure to
>respond immediately upon notification, to shut down the attack, and
>instead attempting to shift responsibility to the operators of every
>NNTP node on the network, and to their users, is the subject at hand.
>
>> Pretty much all Usenet servers use cleanfeed, and there are very
>> simple settings over there:
>
>Please see my header comment regarding assumptions. Your assumptions
>are quite simply fallacious. The result of basing your arguments upon
>false premises renders them moot. Your assertion regarding the
>ubiquity of INN demonstrates a quite parochial perspective and
>provincial attitude.
>
>Many servers running INN also run cleanfeed. How well maintained they
>are, on any particular site, is open to conjecture.
>
>Too few other NNTP server software solutions are devised to
>accommodate cleanfeed. Are you aware, for example, there are still
>people out there, who run Microsoft news server enterprise solution
>software? These things respond to only the most minimal of NNTP
>commands. They do not even support queries of any type.
>
>Do you understand that where many ISPs used to provide NNTP services
>using HighWinds server software? Most no longer provide this service.
>The server software was incapable of user authentication and were open
>to any IP address on their subnets, including hijacked proxies
>running on home users computers, most often installed by malware..
>
>What about other leaf node servers?
>
>There are some pretty significant news sites, which do not run
>IneterNetNews. Two of the servers I access on a regular basis do not,
>including the service from which I primarily read news and the one via
>which this post originates.
>
>Then, of course, there is the lowest common denominator of Usenet
>access providers, groups.google.com, where you can rest assured the
>entire flood is archived. You can find NewsAgent floods similarly
>archived in the Google Usenet archive, which date back decades. That
>in no way excuses the abuse and points to the importance of
>preventing it. Once it begins, it is imperative that it gets shut
>down, just as quickly as possible.
>
>[ snip cleanfeed specific comments, as irrelevant to the underlying
> abuse issue ]
>
>> Because normally all articles from Neodome have single posting host,
>
>[snip]
>
>This would seem to have been another false assumption, in this case.
>Is this your first experience with NewsAgent? The flooding, which
>nicked news.neodome.net, has be in progress for at least two decades.
>
>> I'm not sure why E-S is not using such filter, I guess that would be
>> the question for Ray.
>
>It's not your place to pose the question. You are out of line.
>
>> The reason you and other Giganews users are seeing it is because
>> you're getting "uncensored" Usenet which is basically a stream of
>> data with headers that you're free do anything with. You're your own
>> "censor", same as me - and considering your experience I'm pretty
>> sure you know what to do to get the data you want.
>
>It seems you need to review the definition of 'censor'. Dropping
>thousands of word salad NewsAgent posts is not an infringement upon
>speech, as it was neither speech nor communication of any kind. It is
>just noise. Filtering noise has nothing to do with the suppression of
>information or ideas. Flooding of this nature is akin to the state
>sponsored jamming of radio signals, to censor broadcasts and prevent
>the dissemination of information.
>
>Preventing this crap from ever entering the news stream actually
>improves communication. In case you had not noticed, communication --
>for some value of communication -- is the primary purpose of text
>newsgroups.
>
>I read news from giganews.com servers, as it is included with one of
>my ISP accounts. I choose to read from a full feed, specifically so I
>can see, recognize and try to deal with network abuse incidents.
>That is my choice. It is what I did, when reporting this specific
>flooding incident to you. You seemed to shrug it off, as if it was
>not your problem.
>
>>> I have dealt with NewsAgent floods previously, as well as floods of
>>> cancel messages, supersedes replacing legitimate posts with spam
>>> and the issuance of $alz formatted preemptive cancels,
>
><correction>
>These were not cancel messages. Although they were posted to
>control.cancel, and include Subjects beginning, "cmsg cancel," they
>included no Control header. They were intended to prevent the posting
>of cyberspam cancels using $alz M-IDs. This led to the creation of
>the $alz2 format. See the Cancel Messages FAQ:
>http://wiki.killfile.org/projects/usenet/faqs/cancel/
></correction>
>
>>> using this
>>> Swiss Army Knife of Usenet Abuse. NewsAgent was specifically
>>> designed to exploit open proxies, as you saw for yourself, in the
>>> recent attack on alt.checkmate and alt.slack. The apparent ability
>>> to switch proxies, for each post, appears to be a fairly recent
>>> hack. Thanks for including the posting-host information, for the
>>> second round of this attack.
>
>> It actually was a bad thing. More articles were able to pass the
>> filters because of constantly changing injection point.
>
>I hope this was a learning experience.
>
>>> Thanks to the speed of news.neodome.net, the attack was somewhat
>>> limited.
>
>> That's intentional. Neodome is constantly slowing the posting rate
>> from any single IP address if it keeps posting.
>
>That sounds like the Dave Hayes logarithmic back-off patch. It, too,
>was easily defeated by switching IP addresses. In the specific
>instance I recall, it was being accomplished from a dial-up, posting
>no more than a handful of spammed articles, before disconnecting,
>reconnecting and repeating, 24*7.
>
>>> In years past, I have observed more than 300k NewsAgent generated
>>> porn spam posts, in a single twenty four hour period, via an open
>>> AnalogX proxy running on a Videotron.ca home user's computer.
>>> Personally, I do not miss those bad old days.
>
>> It's not the "old days" anymore. 30k messages that came from
>> Neodome, 300k messages from Videotron.ca, even 3m messages - all are
>> small numbers, barely noticeable, actually. I didn't even bothered
>> to run htop, but I bet if I would in the middle of flood, my server
>> load would be probably same as usual, which is around 5%. Usual
>> amout of messages Neodome receives daily is around
>> 500,000-1,000,000, and I expect it to easily handle 10x that amount.
>> Commercial Usenet providers can handle hundreds time more, and won't
>> even notice the difference.
>
>Frankly, no one give a flying fig about your resource load. Site
>operators and users are concerned with your willingness to shift the
>load to them.
>
>Old days or not, there is no respectable reason to allow network
>abuse, by default, whether with respect to spamming, spewing or
>forgery. (It was a forgery of Archimedes Plutonium which first
>alerted me to news.neodome.net, although it is unlikely Archie Pu has
>the acumen to formulate a cogent or coherent abuse report. See
>n.a.n-a.misc.)
>
>> There were several attacks on my server in the last few years, for
>> example, just recently someone tried to open hundreds of thousands
>> of connections, but failed miserably because he ran out of resources
>> before I did. I didn't even bother to check his IP address.
>
>The attack you describe is unrelated to the emission of a flood
>originated via news.neodome.net.
>
>> If not for whiners, I would just let it all run and let the filters
>> take care of everything.
>
>That is some kind of attitude you have.
>
>[snip comments regarding Google Groups]
>
>> The only legit complain I heard so far was from Adam, and he was
>> saying that such flood is effectively a DoS attack against smaller
>> servers. I, however, disagree. [...]
>
>Are you suggesting that the reports I sent you were somehow
>illegitimate? These were not complaints. They were reports of an
>ongoing network abuse incident. All that I asked of you, was that you
>please take action. The reports, themself, consisted solely of sample
>spew, with full and complete headers.
>
>>> [...]
>
>>>> I mean, yeah, it's pretty sad that open Usenet server is used to
>>>> bitch to the world about horrors of rival political opinions.
>
>>> This is the same lame excuse, used by hosting providers, for
>>> infrastructure facilitating cybercrime operations. You and your
>>> server are nothing new nor anything special.
>
>>> Please consider moving news.neodome.net to an authenticated users
>>> only setup. Intentionally running open servers seems an open
>>> invitation to abuse.
>
>> Well, at least you're not saying I'm the cybercriminal. That's
>> something.
>
>> I've seen your last email, and I appreciate that you're willing to
>> help. I am, however, is not willing to use outside services such as
>> spamhaus.org, because they will never supply me with their full
>> database, and I'm not going to supply them with IPs of my users to
>> check against their database. That's going against everything I'm
>> standing for.
>
>The Spamhaus data feed, a subscription service, would include those
>items providing 127.0.0.4 DNS responses. These identify the
>compromised hosts used in this specific attack. Again, I'll note, all
>of the IP addresses which I checked, when you provided posting-host
>information in later flood headers, were included in the Spamhaus XBL
>zone.
>
> https://www.spamhaus.org/xbl/
> https://www.spamhaus.org/datafeed/
>
>Using proxies is not a network abuse issue; hijacking compromised
>hosts is, more so to perpetrate attacks on the network's
>infrastructure.
>
>[...]
>
>> Please don't take it wrong. If I realise that Neodome is a source of
>> problem that cannot be simply filtered out I'll probably turn off
>> posting and make Neodome a peering only server. But currently I
>> don't see anything like that. How many seconds did it take for you
>> to filter them out once you opened affected group? 0.1?
>
>news.neodome.net is killfiled in two out of five or six news clients I
>use, but is not for this user agent. In any case, user agents, for
>which killfiles operate, still require downloading all of the overview
>headers, at a bare minimum. Downloading thousands of XOVER headers of
>noise is a waste of my resources and time. That you seem to think
>little of it, suggests you are not a particularly good Usenet
>neighbor.
>
>Be conservative in what you send, be liberal in what you accept.
>
>- --
>David Ritz <dritz@mindspring.com>
> "The first principle of a free society is an untrammeled flow of
> words in an open forum." - Adlai Stevenson (1900-1965)
>
>-----BEGIN PGP SIGNATURE-----
>
>iF0EARECAB0WIQSc0FU3XAVGYDjSGUhSvCmZGhLe6wUCYMGkXAAKCRBSvCmZGhLe
>61nLAKC0iw7Uc7Q1xFjRJ8KPlEaS+QH7EACgqODe2t/2Sm/nubvQL7FO+BzIR9I=
>=eCLL
>-----END PGP SIGNATURE-----


Click here to read the complete article
Re: Ongoing flood from Neodome

<s9tcjt$2i57$1@neodome.net>

 copy mid

https://www.novabbs.com/computers/article-flat.php?id=83&group=news.admin.peering#83

 copy link   Newsgroups: news.admin.net-abuse.usenet news.admin.peering
Path: i2pn2.org!i2pn.org!news.neodome.net!.POSTED!not-for-mail
From: adm...@neodome.net (Neodome Admin)
Newsgroups: news.admin.net-abuse.usenet,news.admin.peering
Subject: Re: Ongoing flood from Neodome
Date: Thu, 10 Jun 2021 15:54:38 -0000 (UTC)
Organization: Neodome
Message-ID: <s9tcjt$2i57$1@neodome.net>
References: <1pa80y9.1ntv431sf1rnN%snipeco.2@gmail.com>
<alpine.OSX.2.20.2106031829000.57527@mako.ath.cx>
<s9c1gu$29s7$3@neodome.net>
<s9ddnf$q53$2@dont-email.me>
<s9fsc2$tk6$1@neodome.net>
<alpine.OSX.2.20.2106052028420.57527@mako.ath.cx>
<s9pldp$t8j$1@neodome.net>
<alpine.OSX.2.20.2106092125210.72281@mako.ath.cx>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Injection-Date: Thu, 10 Jun 2021 15:54:38 -0000 (UTC)
Injection-Info: neodome.net; mail-complaints-to="abuse@neodome.net"
User-Agent: NewsTap/5.5 (iPhone/iPod Touch)
Cancel-Lock: sha1:4GeqIBIjul/aDqXBK5DiidftyqE=
 by: Neodome Admin - Thu, 10 Jun 2021 15:54 UTC

David Ritz <dritz@mindspring.com> wrote:

> news.neodome.net is killfiled in two out of five or six news clients I
> use, but is not for this user agent. In any case, user agents, for
> which killfiles operate, still require downloading all of the overview
> headers, at a bare minimum. Downloading thousands of XOVER headers of
> noise is a waste of my resources and time. That you seem to think
> little of it, suggests you are not a particularly good Usenet
> neighbor.
>
> Be conservative in what you send, be liberal in what you accept.

I’m not going to comment on everything you said, at least not now.

However, I would like to say that since so many people are determined that
it’s a DoS attack, I have no choice but to admit that my idea of what
Usenet is is apparently quite different than what most people think.

I’ll turn the posting off, for now partially, and then completely.

--
Neodome

Re: New Neodome flood

<s9tn7c.71c.1@ID-201911.user.individual.net>

 copy mid

https://www.novabbs.com/computers/article-flat.php?id=84&group=news.admin.peering#84

 copy link   Newsgroups: news.admin.net-abuse.usenet news.admin.peering
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!4.us.feeder.erje.net!2.eu.feeder.erje.net!feeder.erje.net!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: thi...@ddress.is.invalid (Frank Slootweg)
Newsgroups: news.admin.net-abuse.usenet,news.admin.peering
Subject: Re: New Neodome flood
Date: 10 Jun 2021 16:55:53 GMT
Organization: NOYB
Lines: 58
Message-ID: <s9tn7c.71c.1@ID-201911.user.individual.net>
References: <1pa80y9.1ntv431sf1rnN%snipeco.2@gmail.com> <1pacv1v.elgb842oz82qN%snipeco.2@gmail.com> <m25yyrm3pz.fsf@raybanana.net> <s9pdfj$cln$1@neodome.net> <s9qqel$qsc$2@dont-email.me> <s9r2n2$1boh$1@neodome.net> <s9rauk.7u8.1@ID-201911.user.individual.net> <s9r61e$1boh$2@neodome.net>
X-Trace: individual.net mcMLyo2pRYINhDULNXgzPA4r5WLq93luVG7658Oo9Ys4EBbJkK
X-Orig-Path: not-for-mail
Cancel-Lock: sha1:uGoALmHeSbDzh9d4iDu+tmcHN1U=
User-Agent: tin/1.6.2-20030910 ("Pabbay") (UNIX) (CYGWIN_NT-6.3-WOW/2.8.0(0.309/5/3) (i686)) Hamster/2.0.2.2
X-Antivirus: Avast (VPS 210609-10, 06/09/2021), Outbound message
X-Antivirus-Status: Clean
 by: Frank Slootweg - Thu, 10 Jun 2021 16:55 UTC

Neodome Admin <admin@neodome.net> wrote:
> Frank Slootweg <this@ddress.is.invalid> writes:
>
> > Neodome Admin <admin@neodome.net> wrote:
> >> "Adam H. Kerman" <ahk@chinet.com> writes:
> >>
> >> > I wish you had the same public spirited sentiment.
> >>
> >> What makes you think I don't, Adam? Countless of times I've seen the
> >> same thing being said over and over: the advantage of Usenet compared to
> >> other social media is that it cannot be censored or moderated. This is
> >> exactly what I provide to people. Uncensored Usenet, free of charge, in
> >> any amounts you want, - more than you ever wanted, probably, but that's
> >> another question.
> >
> > Pull the other one! Abuse of the net - in this case flooding - has
> > nothing to do with censorship, quite the contrary.
>
> Are you sure, Frank? There's a good amount of people who want to post
> via anonymous proxies for whatever reason, you might want to ask them
> why, because I'm not going to. Paolo, for example, think that preventing
> "abuse" is more important than letting legit messages in. I think
> otherwise. There are similar polarised opinions on death penalty.

You might want to put some consistency in your 'arguments'! First you
mix net-abuse (abuse *of* the net) with censorship and now you mix
non-censorship with anonimity. Guess what? You can have all three: No
net-abuse *and* no censorship *and* anonimity. But yes, it takes
effort. Effort which you apparently are not willing to spend.

> From the very beginning I said that it's a moral problem, not a
> technical one.

It's clearly both and the moral problem is mainly - if not fully - on
your side.

> > If you can't be bothered to - try to - prevent the abuse (of the net)
> > which originates from your server, then just come out and say so, but
> > don't spout this kind of nonsense to an audience which sees right
> > through it.
>
> Stop it, Frank. All you do it trying to make me feel uncofomrtable, accusing
> me to be not professional. That's not going to bring you any
> results. It's not that complicated to sign up for a service such as
> spamhaus.org, and it's even simpler to just start banning IP
> addresses. But it's never going to completely eliminate things you don't
> want to see.

You tried that fallacy already on David and it failed. What makes you
think it works the second (third?) time around?

As David and Adam also mentioned, it's *not* about our capability to
filter the abuse (of the net) originating from your server, but about
*you* facilitating said abuse, doing little to prevent it, shrugging it
off when it happens and putting the burden of your failings on others.

AFAIC, we're done. It's clear you're not willing to take
responsibility for the net-abuse originating from your server.

Re: Ongoing flood from Neodome

<s9tpdo.8ek.1@ID-201911.user.individual.net>

 copy mid

https://www.novabbs.com/computers/article-flat.php?id=85&group=news.admin.peering#85

 copy link   Newsgroups: news.admin.net-abuse.usenet news.admin.peering
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!3.eu.feeder.erje.net!feeder.erje.net!news-2.dfn.de!news.dfn.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: thi...@ddress.is.invalid (Frank Slootweg)
Newsgroups: news.admin.net-abuse.usenet,news.admin.peering
Subject: Re: Ongoing flood from Neodome
Date: 10 Jun 2021 17:33:22 GMT
Organization: NOYB
Lines: 26
Message-ID: <s9tpdo.8ek.1@ID-201911.user.individual.net>
References: <1pa80y9.1ntv431sf1rnN%snipeco.2@gmail.com> <alpine.OSX.2.20.2106031829000.57527@mako.ath.cx> <s9c1gu$29s7$3@neodome.net> <s9ddnf$q53$2@dont-email.me> <s9fsc2$tk6$1@neodome.net> <alpine.OSX.2.20.2106052028420.57527@mako.ath.cx> <s9pldp$t8j$1@neodome.net> <alpine.OSX.2.20.2106092125210.72281@mako.ath.cx> <s9tcjt$2i57$1@neodome.net>
X-Trace: individual.net oapais/mbgl2y32PpimQGwGi3ptnVdynSgLz+EyJXYKP02D09Q
X-Orig-Path: not-for-mail
Cancel-Lock: sha1:KaWVCuOa/ZT97GYVs1OXap4xzxQ=
User-Agent: tin/1.6.2-20030910 ("Pabbay") (UNIX) (CYGWIN_NT-6.3-WOW/2.8.0(0.309/5/3) (i686)) Hamster/2.0.2.2
X-Antivirus: Avast (VPS 210610-16, 06/10/2021), Outbound message
X-Antivirus-Status: Clean
 by: Frank Slootweg - Thu, 10 Jun 2021 17:33 UTC

Neodome Admin <admin@neodome.net> wrote:
> David Ritz <dritz@mindspring.com> wrote:
>
> > news.neodome.net is killfiled in two out of five or six news clients I
> > use, but is not for this user agent. In any case, user agents, for
> > which killfiles operate, still require downloading all of the overview
> > headers, at a bare minimum. Downloading thousands of XOVER headers of
> > noise is a waste of my resources and time. That you seem to think
> > little of it, suggests you are not a particularly good Usenet
> > neighbor.
> >
> > Be conservative in what you send, be liberal in what you accept.
>
> I?m not going to comment on everything you said, at least not now.
>
> However, I would like to say that since so many people are determined that
> it?s a DoS attack, I have no choice but to admit that my idea of what
> Usenet is is apparently quite different than what most people think.
>
> I?ll turn the posting off, for now partially, and then completely.

I'm sorry. My previous post and your above one crossed eachother. If I
had seen your above post, I would not have written/posted my previous
one.

Good luck.

Re: Ongoing flood from Neodome

<s9tq6a.8ek.1@ID-201911.user.individual.net>

 copy mid

https://www.novabbs.com/computers/article-flat.php?id=86&group=news.admin.peering#86

 copy link   Newsgroups: news.admin.net-abuse.usenet news.admin.peering
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!news.mixmin.net!news2.arglkargh.de!news.karotte.org!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: thi...@ddress.is.invalid (Frank Slootweg)
Newsgroups: news.admin.net-abuse.usenet,news.admin.peering
Subject: Re: Ongoing flood from Neodome
Date: 10 Jun 2021 17:46:35 GMT
Organization: NOYB
Lines: 29
Message-ID: <s9tq6a.8ek.1@ID-201911.user.individual.net>
References: <1pa80y9.1ntv431sf1rnN%snipeco.2@gmail.com> <alpine.OSX.2.20.2106031829000.57527@mako.ath.cx> <s9c1gu$29s7$3@neodome.net> <s9ddnf$q53$2@dont-email.me> <s9fsc2$tk6$1@neodome.net> <alpine.OSX.2.20.2106052028420.57527@mako.ath.cx> <s9pldp$t8j$1@neodome.net> <s9ra10.7u8.1@ID-201911.user.individual.net> <s9r9tf$11ng$1@gioia.aioe.org>
X-Trace: individual.net CsjuWGP10nPg30/mTbYvXAk3VvauxgjMxs1BJTBSCdeKLfG6PG
X-Orig-Path: not-for-mail
Cancel-Lock: sha1:MSV3PnFlhxxRRQhE4Uh1jbTR7sg=
User-Agent: tin/1.6.2-20030910 ("Pabbay") (UNIX) (CYGWIN_NT-6.3-WOW/2.8.0(0.309/5/3) (i686)) Hamster/2.0.2.2
X-Antivirus: Avast (VPS 210610-16, 06/10/2021), Outbound message
X-Antivirus-Status: Clean
 by: Frank Slootweg - Thu, 10 Jun 2021 17:46 UTC

Aioe <estasi@aioe.org> wrote:
> Il 09/06/21 20:58, Frank Slootweg ha scritto:
> > FWIW, sofar I've not been affected by floods from Neodome, but have
> > been affected by (10k articles) floods from Aioe.org. Same difference.
>
> have you reported that abuse to aioe.org abuse desk?
> newsmasters react when someone alerts them about a running flood.

I didn't report it, because it was already reported to you.

> BTW last time, in march, only a few thousand of nonsense messages were
> sent through my server before being stopped. Abuse were blocked as soon
> as it was reported (a few hours after the beginning).

Yes, it was in March and there were multiple floods. AFAIC, it was at
least two floods of some 5k articles each, hence my '10k articles'.
Anyway, it doesn't matter if it was "a few thousand" or 10k, both are
way, way too much.

> you should consider that it is not possible to prevent an user from
> flooding a group using a list of open proxies, the only possible
> countermeasure is to stop him as soon as possible.

It should not - at least not only - be stopped after the fact, but
prevented, at least for the future. Especially for text groups - which
was the case - throttling posting (to the same group(s)) would be an
obvious counter measure.

Bottom line: Responsibly running an open server comes at a 'price'.

Re: New Neodome flood

<m2im2alb4o.fsf@raybanana.net>

 copy mid

https://www.novabbs.com/computers/article-flat.php?id=87&group=news.admin.peering#87

 copy link   Newsgroups: news.admin.net-abuse.usenet news.admin.peering
Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!raybanana.net!.POSTED!not-for-mail
From: ray...@raybanana.net (Ray Banana)
Newsgroups: news.admin.net-abuse.usenet,news.admin.peering
Subject: Re: New Neodome flood
Date: Sat, 19 Jun 2021 06:41:11 +0200
Organization: A noiseless patient spider
Lines: 25
Message-ID: <m2im2alb4o.fsf@raybanana.net>
References: <1pa80y9.1ntv431sf1rnN%snipeco.2@gmail.com>
<m25yyrm3pz.fsf@raybanana.net> <s9pdfj$cln$1@neodome.net>
<m2mtrzz2f2.fsf@raybanana.net> <s9qhun$80u$60@gallifrey.nk.ca>
Mime-Version: 1.0
Content-Type: text/plain
Injection-Info: raybanana.net; posting-host="11011175aa82e494a8d80197c07072de";
logging-data="16784"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19Z4Vhxh06U5AM+hNdRnZCUx2/5wgKT6U4="
User-Agent: Plonkenlights
Cancel-Lock: sha1:WAFDhAMt0AvSTYTMhe3pKVGHq+c=
sha1:pMb6BcSEJjREtN741eMgCE4mEbM=
X-Attribution: Ray Banana
 by: Ray Banana - Sat, 19 Jun 2021 04:41 UTC

Thus spake doctor@doctor.nl2k.ab.ca (The Doctor)
>>Thank you for your concern, but I'm aware of the pitfalls of Cleanfeed's
>>bad_path configuration file and I know how to filter based on the
>>rightmost host name in the Path: header.
>
>
> Not my solution. Someone gave it to me.

I know by now. However, adding the hostname to the ME: site definition
in the newsfeeds file causes the same collateral damage as Cleanfeed's
bad_path:
/-------------------------------------------------------------------
| If the "ME" entry has an exclusion sub-field, incoming articles are
| rejected completely if any of the names specified in that
| exclusion sub-field appear in their Path: headers.
\___________________________________________________________________

i.e. it rejects all articles that contain the excluded hostname *anywhere*
in the Path: rather than rejecting just the articles that originate from
that host (which is what you really want to do).

--
Time flies like an arrow, fruit flies like a Banana.
http://www.eternal-september.org

Re: New Neodome flood

<sakppe$g9n$73@gallifrey.nk.ca>

 copy mid

https://www.novabbs.com/computers/article-flat.php?id=88&group=news.admin.peering#88

 copy link   Newsgroups: news.admin.net-abuse.usenet news.admin.peering
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!news.nk.ca!.POSTED.doctor.nl2k.ab.ca!not-for-mail
From: doc...@doctor.nl2k.ab.ca (The Doctor)
Newsgroups: news.admin.net-abuse.usenet,news.admin.peering
Subject: Re: New Neodome flood
Date: Sat, 19 Jun 2021 13:00:30 -0000 (UTC)
Organization: NetKnow News
Message-ID: <sakppe$g9n$73@gallifrey.nk.ca>
References: <1pa80y9.1ntv431sf1rnN%snipeco.2@gmail.com> <m2mtrzz2f2.fsf@raybanana.net> <s9qhun$80u$60@gallifrey.nk.ca> <m2im2alb4o.fsf@raybanana.net>
Injection-Date: Sat, 19 Jun 2021 13:00:30 -0000 (UTC)
Injection-Info: gallifrey.nk.ca; posting-host="doctor.nl2k.ab.ca:204.209.81.1";
logging-data="16695"; mail-complaints-to="usenet@gallifrey.nk.ca"
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
Originator: doctor@doctor.nl2k.ab.ca (The Doctor)
 by: The Doctor - Sat, 19 Jun 2021 13:00 UTC

In article <m2im2alb4o.fsf@raybanana.net>,
Ray Banana <rayban@raybanana.net> wrote:
>Thus spake doctor@doctor.nl2k.ab.ca (The Doctor)
>
>>>Thank you for your concern, but I'm aware of the pitfalls of Cleanfeed's
>>>bad_path configuration file and I know how to filter based on the
>>>rightmost host name in the Path: header.
>>
>>
>> Not my solution. Someone gave it to me.
>
>I know by now. However, adding the hostname to the ME: site definition
>in the newsfeeds file causes the same collateral damage as Cleanfeed's
>bad_path:
> /-------------------------------------------------------------------
> | If the "ME" entry has an exclusion sub-field, incoming articles are
> | rejected completely if any of the names specified in that
> | exclusion sub-field appear in their Path: headers.
> \___________________________________________________________________
>
>i.e. it rejects all articles that contain the excluded hostname *anywhere*
>in the Path: rather than rejecting just the articles that originate from
>that host (which is what you really want to do).
>
>--
>Time flies like an arrow, fruit flies like a Banana.
>http://www.eternal-september.org

Limit open server! make you customers pay for access.
--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism https://www.empire.kred/ROOTNK?t=94a1f39b
When we love ideology more than the truth, we cannot help but err. -unknown

Re: New Neodome flood

<sakqv9$moe$1@remote6hme0.ripco.com>

 copy mid

https://www.novabbs.com/computers/article-flat.php?id=89&group=news.admin.peering#89

 copy link   Newsgroups: news.admin.net-abuse.usenet news.admin.peering
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!news.ripco.com!.POSTED.shell3.ripco.com!not-for-mail
From: bje...@ripco.com
Newsgroups: news.admin.net-abuse.usenet,news.admin.peering
Subject: Re: New Neodome flood
Date: Sat, 19 Jun 2021 13:20:41 -0000 (UTC)
Organization: Ripco Communications Inc.
Message-ID: <sakqv9$moe$1@remote6hme0.ripco.com>
References: <1pa80y9.1ntv431sf1rnN%snipeco.2@gmail.com> <m25yyrm3pz.fsf@raybanana.net> <s9pdfj$cln$1@neodome.net> <m2mtrzz2f2.fsf@raybanana.net> <s9qhun$80u$60@gallifrey.nk.ca> <m2im2alb4o.fsf@raybanana.net>
Injection-Date: Sat, 19 Jun 2021 13:20:41 -0000 (UTC)
Injection-Info: remote6hme0.ripco.com; posting-host="shell3.ripco.com:66.146.219.74";
logging-data="23310"; mail-complaints-to="usenet@remote6hme0.ripco.com"
User-Agent: tin/2.4.2-20171224 ("Lochhead") (UNIX) (SunOS/5.10 (i86pc))
 by: bje...@ripco.com - Sat, 19 Jun 2021 13:20 UTC

In news.admin.net-abuse.usenet Ray Banana <rayban@raybanana.net> wrote:

> i.e. it rejects all articles that contain the excluded hostname *anywhere*
> in the Path: rather than rejecting just the articles that originate from
> that host (which is what you really want to do).

So?

Any system using neodome as their single outbound feed deserves what they
get.

Most news systems have multiple outbound feeds and if the one fed into
neodome gets dropped, it goes on its merry way to one of the others.

No loss, fuck neodome.

-bruce
bje@ripco.com

Re: New Neodome flood

<sba7m4$1mpb$1@gioia.aioe.org>

 copy mid

https://www.novabbs.com/computers/article-flat.php?id=93&group=news.admin.peering#93

 copy link   Newsgroups: news.admin.net-abuse.usenet news.admin.peering
Path: i2pn2.org!i2pn.org!aioe.org!dprTWF6hs9a0aqhtr64ZLQ.user.gioia.aioe.org.POSTED!not-for-mail
From: youkidd...@yahoo.com (YK)
Newsgroups: news.admin.net-abuse.usenet,news.admin.peering
Subject: Re: New Neodome flood
Date: Sun, 27 Jun 2021 13:36:35 -0230
Organization: Aioe.org NNTP Server
Lines: 24
Message-ID: <sba7m4$1mpb$1@gioia.aioe.org>
References: <1pa80y9.1ntv431sf1rnN%snipeco.2@gmail.com> <1pacv1v.elgb842oz82qN%snipeco.2@gmail.com> <m25yyrm3pz.fsf@raybanana.net> <s9pdfj$cln$1@neodome.net> <s9qqel$qsc$2@dont-email.me> <s9r2n2$1boh$1@neodome.net>
NNTP-Posting-Host: dprTWF6hs9a0aqhtr64ZLQ.user.gioia.aioe.org
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Complaints-To: abuse@aioe.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:78.0) Gecko/20100101 Thunderbird/78.10.2
X-Notice: Filtered by postfilter v. 0.9.2
Content-Language: en-US
 by: YK - Sun, 27 Jun 2021 16:06 UTC

On 6/9/2021 6:53 PM, Neodome Admin wrote:
> What makes you think I don't, Adam? Countless of times I've seen the
> same thing being said over and over: the advantage of Usenet compared to
> other social media is that it cannot be censored or moderated. This is
> exactly what I provide to people. Uncensored Usenet, free of charge, in
> any amounts you want, - more than you ever wanted, probably, but that's
> another question.

I, for one, am just a lowly user but I commend the Neodome admin for
providing the service that I can use simply to post to Usenet to ask
questions and get answers to those questions.

That's gone now (I ask questions of the operating system newsgroups only).

My one request, which I realize is unrealistic since the floodgates may be
opened, is to at least allow the operating system newsgroups to be available
(Mac, iOS, Windows, Linux, & Android).

alt.comp.os.windows-10
alt.os.linux
comp.mobile.android
comp.mobile.ipad
comp.sys.mac.system
misc.phone.mobile.iphone

Re: New Neodome flood

<1r1qm8r3erdfu$.dlg@djph.net>

 copy mid

https://www.novabbs.com/computers/article-flat.php?id=94&group=news.admin.peering#94

 copy link   Newsgroups: news.admin.net-abuse.usenet news.admin.peering
Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: dan...@djph.net (Dan Purgert)
Newsgroups: news.admin.net-abuse.usenet,news.admin.peering
Subject: Re: New Neodome flood
Date: Sun, 27 Jun 2021 16:11:20 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 35
Message-ID: <1r1qm8r3erdfu$.dlg@djph.net>
References: <1pa80y9.1ntv431sf1rnN%snipeco.2@gmail.com> <1pacv1v.elgb842oz82qN%snipeco.2@gmail.com> <m25yyrm3pz.fsf@raybanana.net> <s9pdfj$cln$1@neodome.net> <s9qqel$qsc$2@dont-email.me> <s9r2n2$1boh$1@neodome.net> <s9rauk.7u8.1@ID-201911.user.individual.net> <s9r61e$1boh$2@neodome.net>
Injection-Date: Sun, 27 Jun 2021 16:11:20 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="ee5ac8b5b06cd686ab78af209c2c8bdc";
logging-data="5111"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/ck8RkHrx/gcjuF+yxVdRf"
User-Agent: slrn/1.0.3 (Linux)
Cancel-Lock: sha1:x2cAW/ls/pE6HdqwMXqyQfWF9cQ=
 by: Dan Purgert - Sun, 27 Jun 2021 16:11 UTC

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Neodome Admin wrote:
> Are you sure, Frank? There's a good amount of people who want to post
> via anonymous proxies for whatever reason, you might want to ask them
> why, because I'm not going to. Paolo, for example, think that preventing
> "abuse" is more important than letting legit messages in. I think
> otherwise. There are similar polarised opinions on death penalty.

Neodome admins should be given an award for PROTECTING our free speech.
Frank Slootweg always wants to prevent anyone from ever being anonymous.

They do things differently in his Netherlands than we do in the USA.
Frank ran his own nntp server from the Netherlands so he hates free speech.

Tell us it's not true, Frank.

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEBcqaUD8uEzVNxUrujhHd8xJ5ooEFAl5nnnYACgkQjhHd8xJ5
ooFFQgf/Wd/67GaYp/s/5FtSCJl83OCTllraWmP6piWqk4qRe9NQnHswlNs8jWch
CtGPGLndzYGyR27n/mCiHcINNFPgLqfOtryU8Hgm7MAh9M9sEwFZpvFnOaM3k/IF
zaAWrJAV631vHFpWiLrM93EzCBHakHJvFyjtqv3fBH+rfjaCokGo8y65lmYSIqCD
s5gNd7lBjnMQ33jX6aH5W6b4mJbX4BHmw8KKwg5M6kbYrSrDIhrN1r368Wcu711X
qnKAiKD/RP0IHRMV7b/HUGBgoXt1Lo+y8+lknW41gau3JAKNPCz/UFGGyIt+qDXO
Qr1Bxgc82+hRTTrOlzkZbN27ftn3LA==
=dibe
-----END PGP SIGNATURE-----

--
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5 4AEE 8E11 DDF3 1279 A281

Re: New Neodome flood

<nap.20210718111738.2013@scatha.ancalagon.de>

 copy mid

https://www.novabbs.com/computers/article-flat.php?id=111&group=news.admin.peering#111

 copy link   Newsgroups: news.admin.peering
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!news.szaf.org!thangorodrim.ancalagon.de!.POSTED.scatha.ancalagon.de!not-for-mail
From: thh...@thh.name (Thomas Hochstein)
Newsgroups: news.admin.peering
Subject: Re: New Neodome flood
Date: Sun, 18 Jul 2021 11:17:40 +0200
Message-ID: <nap.20210718111738.2013@scatha.ancalagon.de>
References: <1pa80y9.1ntv431sf1rnN%snipeco.2@gmail.com> <m25yyrm3pz.fsf@raybanana.net> <s9pdfj$cln$1@neodome.net> <m2mtrzz2f2.fsf@raybanana.net> <s9qhun$80u$60@gallifrey.nk.ca> <m2im2alb4o.fsf@raybanana.net> <sakqv9$moe$1@remote6hme0.ripco.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Injection-Info: thangorodrim.ancalagon.de; posting-host="scatha.ancalagon.de:10.0.1.1";
logging-data="23298"; mail-complaints-to="abuse@th-h.de"
User-Agent: ForteAgent/8.00.32.1272
Cancel-Lock: sha1:KJnVf9iPaABTJvAYcO8/zHnSRWs=
X-Clacks-Overhead: GNU Terry Pratchett
X-NNTP-Posting-Date: Sun, 18 Jul 2021 11:17:38 +0200
X-Face: *OX>R5kq$7DjZ`^-[<HL?'n9%\ZDfCz/_FfV0_tpx7w{Vv1*byr`TC\[hV:!SJosK'1gA>1t8&@'PZ-tSFT*=<}JJ0nXs{WP<@(=U!'bOMMOH&Q0}/(W_d(FTA62<r"l)J\)9ERQ9?6|_7T~ZV2Op*UH"2+1f9[va
 by: Thomas Hochstein - Sun, 18 Jul 2021 09:17 UTC

bje@ripco.com wrote:

> In news.admin.net-abuse.usenet Ray Banana <rayban@raybanana.net> wrote:
>
> > i.e. it rejects all articles that contain the excluded hostname *anywhere*
> > in the Path: rather than rejecting just the articles that originate from
> > that host (which is what you really want to do).
>
> So?

So all articles that pass "the excluded hostname" are permanently
rejected.

> Any system using neodome as their single outbound feed deserves what they
> get.
>
> Most news systems have multiple outbound feeds and if the one fed into
> neodome gets dropped, it goes on its merry way to one of the others.

No, it doesn't - at least it won't reach you when you path-exclude
news.neodome.net. The rejected article's Message-ID is logged to
history and rejected as duplicate further on.

This means that if your server gets the posting that went through
news.neodome.net offered first, it will reject it because of the ME
entry. If it the posting is offered again later via another route, it
will reject it because of the history entry.

-thh

Re: New Neodome flood

<sd43mm$pgl$1@remote6hme0.ripco.com>

 copy mid

https://www.novabbs.com/computers/article-flat.php?id=112&group=news.admin.peering#112

 copy link   Newsgroups: news.admin.peering
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!news.ripco.com!.POSTED.shell3.ripco.com!not-for-mail
From: bje...@ripco.com
Newsgroups: news.admin.peering
Subject: Re: New Neodome flood
Date: Mon, 19 Jul 2021 14:54:14 -0000 (UTC)
Organization: Ripco Communications Inc.
Message-ID: <sd43mm$pgl$1@remote6hme0.ripco.com>
References: <1pa80y9.1ntv431sf1rnN%snipeco.2@gmail.com> <m25yyrm3pz.fsf@raybanana.net> <s9pdfj$cln$1@neodome.net> <m2mtrzz2f2.fsf@raybanana.net> <s9qhun$80u$60@gallifrey.nk.ca> <m2im2alb4o.fsf@raybanana.net> <sakqv9$moe$1@remote6hme0.ripco.com> <nap.20210718111738.2013@scatha.ancalagon.de>
Injection-Date: Mon, 19 Jul 2021 14:54:14 -0000 (UTC)
Injection-Info: remote6hme0.ripco.com; posting-host="shell3.ripco.com:66.146.219.74";
logging-data="26133"; mail-complaints-to="usenet@remote6hme0.ripco.com"
User-Agent: tin/2.4.2-20171224 ("Lochhead") (UNIX) (SunOS/5.10 (i86pc))
 by: bje...@ripco.com - Mon, 19 Jul 2021 14:54 UTC

Thomas Hochstein <thh@thh.name> wrote:

> This means that if your server gets the posting that went through
> news.neodome.net offered first, it will reject it because of the ME
> entry. If it the posting is offered again later via another route, it
> will reject it because of the history entry.

Oh, boo-hoo.

It's cheap insurance against the retard who runs it deciding to test the
waters again by opening up anonymous posting.

For today, since midnight, there is a total of 63 rejects based on "Unwanted
site" and more than half of those show a message-id using @neodome.net.

It's not significant. Not missing anything of importance.

-bruce
bje@ripco.com

Re: Ongoing flood from Neodome

<td0qtt$1t5r0$2@dont-email.me>

 copy mid

https://www.novabbs.com/computers/article-flat.php?id=413&group=news.admin.peering#413

 copy link   Newsgroups: news.admin.net-abuse.usenet news.admin.peering
Path: i2pn2.org!i2pn.org!eternal-september.org!reader01.eternal-september.org!.POSTED!not-for-mail
From: usenetus...@net.com (usenet user)
Newsgroups: news.admin.net-abuse.usenet,news.admin.peering
Subject: Re: Ongoing flood from Neodome
Date: Wed, 10 Aug 2022 10:46:46 -0700
Organization: -
Lines: 26
Message-ID: <td0qtt$1t5r0$2@dont-email.me>
References: <1pa80y9.1ntv431sf1rnN%snipeco.2@gmail.com>
<alpine.OSX.2.20.2106031829000.57527@mako.ath.cx> <s9c1gu$29s7$3@neodome.net>
<s9ddnf$q53$2@dont-email.me> <s9fsc2$tk6$1@neodome.net>
<alpine.OSX.2.20.2106052028420.57527@mako.ath.cx> <s9pldp$t8j$1@neodome.net>
<alpine.OSX.2.20.2106092125210.72281@mako.ath.cx> <s9tcjt$2i57$1@neodome.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Wed, 10 Aug 2022 17:46:37 -0000 (UTC)
Injection-Info: reader01.eternal-september.org; posting-host="cdd1b82aa8e8744dbfc1019c1cd66f1f";
logging-data="2004832"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19FZX7W7SOro8LDHi5GzHWOXd3dIJgTh2w="
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101
Thunderbird/45.7.1
Cancel-Lock: sha1:WTOljj1vQgw5XfiuWFy0gbHkD9g=
In-Reply-To: <s9tcjt$2i57$1@neodome.net>
 by: usenet user - Wed, 10 Aug 2022 17:46 UTC

On 6/10/2021 8:54 AM, Neodome Admin wrote:
> David Ritz <dritz@mindspring.com> wrote:
>
>> news.neodome.net is killfiled in two out of five or six news clients I
>> use, but is not for this user agent. In any case, user agents, for
>> which killfiles operate, still require downloading all of the overview
>> headers, at a bare minimum. Downloading thousands of XOVER headers of
>> noise is a waste of my resources and time. That you seem to think
>> little of it, suggests you are not a particularly good Usenet
>> neighbor.
>>
>> Be conservative in what you send, be liberal in what you accept.
>
> I’m not going to comment on everything you said, at least not now.
>
> However, I would like to say that since so many people are determined that
> it’s a DoS attack, I have no choice but to admit that my idea of what
> Usenet is is apparently quite different than what most people think.
>
> I’ll turn the posting off, for now partially, and then completely.
>

Why don't you just limit posts to 100 per 3 hour period, across all groups.

Or even more.

Re: Ongoing flood from Neodome

<td0rst$1t9ef$2@dont-email.me>

 copy mid

https://www.novabbs.com/computers/article-flat.php?id=414&group=news.admin.peering#414

 copy link   Newsgroups: news.admin.net-abuse.usenet news.admin.peering
Path: i2pn2.org!i2pn.org!eternal-september.org!reader01.eternal-september.org!.POSTED!not-for-mail
From: usenetus...@net.com (usenet user)
Newsgroups: news.admin.net-abuse.usenet,news.admin.peering
Subject: Re: Ongoing flood from Neodome
Date: Wed, 10 Aug 2022 11:03:18 -0700
Organization: -
Lines: 30
Message-ID: <td0rst$1t9ef$2@dont-email.me>
References: <1pa80y9.1ntv431sf1rnN%snipeco.2@gmail.com>
<alpine.OSX.2.20.2106031829000.57527@mako.ath.cx> <s9c1gu$29s7$3@neodome.net>
<s9ddnf$q53$2@dont-email.me> <s9fsc2$tk6$1@neodome.net>
<alpine.OSX.2.20.2106052028420.57527@mako.ath.cx> <s9pldp$t8j$1@neodome.net>
<alpine.OSX.2.20.2106092125210.72281@mako.ath.cx> <s9tcjt$2i57$1@neodome.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Wed, 10 Aug 2022 18:03:09 -0000 (UTC)
Injection-Info: reader01.eternal-september.org; posting-host="cdd1b82aa8e8744dbfc1019c1cd66f1f";
logging-data="2008527"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19ZPnub25vJ/5p24QBzc++L0jNLiIgjBrw="
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101
Thunderbird/45.7.1
Cancel-Lock: sha1:ZschHqQ8nSSPYK4GI51kfttc85I=
In-Reply-To: <s9tcjt$2i57$1@neodome.net>
 by: usenet user - Wed, 10 Aug 2022 18:03 UTC

On 8/10/2022 10:46 AM, usenet user wrote:
> On 6/10/2021 8:54 AM, Neodome Admin wrote:
>> David Ritz <dritz@mindspring.com> wrote:
>>
>>> news.neodome.net is killfiled in two out of five or six news clients I
>>> use, but is not for this user agent. In any case, user agents, for
>>> which killfiles operate, still require downloading all of the overview
>>> headers, at a bare minimum. Downloading thousands of XOVER headers of
>>> noise is a waste of my resources and time. That you seem to think
>>> little of it, suggests you are not a particularly good Usenet
>>> neighbor.
>>>
>>> Be conservative in what you send, be liberal in what you accept.
>>
>> I’m not going to comment on everything you said, at least not now.
>>
>> However, I would like to say that since so many people are determined that
>> it’s a DoS attack, I have no choice but to admit that my idea of what
>> Usenet is is apparently quite different than what most people think.
>>
>> I’ll turn the posting off, for now partially, and then completely.
>>
>
>
> Why don't you just limit posts to 100 per 3 hour period, across all groups.
>
> Or even more.

Alternatively make up an account to post.

Re: Ongoing flood from Neodome

<teqd6e$p6j$1@gioia.aioe.org>

 copy mid

https://www.novabbs.com/computers/article-flat.php?id=421&group=news.admin.peering#421

 copy link   Newsgroups: news.admin.net-abuse.usenet news.admin.peering
Path: i2pn2.org!i2pn.org!aioe.org!OHBJRG6X8sXDqlvBAB+HEw.user.46.165.242.75.POSTED!not-for-mail
From: usenetus...@net.com (usenet user)
Newsgroups: news.admin.net-abuse.usenet,news.admin.peering
Subject: Re: Ongoing flood from Neodome
Date: Thu, 1 Sep 2022 06:47:58 -0700
Organization: Aioe.org NNTP Server
Message-ID: <teqd6e$p6j$1@gioia.aioe.org>
References: <1pa80y9.1ntv431sf1rnN%snipeco.2@gmail.com>
<alpine.OSX.2.20.2106031829000.57527@mako.ath.cx> <s9c1gu$29s7$3@neodome.net>
<s9ddnf$q53$2@dont-email.me> <s9fsc2$tk6$1@neodome.net>
<alpine.OSX.2.20.2106052028420.57527@mako.ath.cx> <s9pldp$t8j$1@neodome.net>
<alpine.OSX.2.20.2106092125210.72281@mako.ath.cx> <s9tcjt$2i57$1@neodome.net>
<td0qtt$1t5r0$2@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Info: gioia.aioe.org; logging-data="25811"; posting-host="OHBJRG6X8sXDqlvBAB+HEw.user.gioia.aioe.org"; mail-complaints-to="abuse@aioe.org";
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101
Thunderbird/45.7.1
X-Notice: Filtered by postfilter v. 0.9.2
X-Mozilla-News-Host: news://nntp.aioe.org
 by: usenet user - Thu, 1 Sep 2022 13:47 UTC

On 6/10/2021 8:54 AM, Neodome Admin wrote:
> David Ritz <dritz@mindspring.com> wrote:
>
>> news.neodome.net is killfiled in two out of five or six news clients I
>> use, but is not for this user agent. In any case, user agents, for
>> which killfiles operate, still require downloading all of the overview
>> headers, at a bare minimum. Downloading thousands of XOVER headers of
>> noise is a waste of my resources and time. That you seem to think
>> little of it, suggests you are not a particularly good Usenet
>> neighbor.
>>
>> Be conservative in what you send, be liberal in what you accept.
>
> I’m not going to comment on everything you said, at least not now.
>
> However, I would like to say that since so many people are determined that
> it’s a DoS attack, I have no choice but to admit that my idea of what
> Usenet is is apparently quite different than what most people think.
>
> I’ll turn the posting off, for now partially, and then completely.

What if you just make it turn off for everybody if so many messages are posted
within a certain time.

Pages:12
server_pubkey.txt

rocksolid light 0.9.7
clearnet tor