-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday, 09 June 2021 06:00 -0000,
in article <s9pldp$t8j$1@neodome.net>,
Neodome Admin <admin@neodome.net> wrote:

> David Ritz <dritz@mindspring.com> writes:

> > On Saturday, 05 June 2021 12:57 -0000,
> > in article <s9fsc2$tk6$1@neodome.net>,
> > Neodome Admin <admin@neodome.net> wrote:

> > On Saturday, 05 June 2021 12:57 -0000, Neodome Admin wrote:

> > [...]

>>> As to the David Ritz, I will never believe that this guy have no
>>> idea how to deal with a simple flood coming from a single source,
>>> directed to groups he don't read.

>> Your assumptions are bad and your clairvoyance quotient sucks, as
>> does mine. What I read or don't read is quite irrelevant to the
>> problem.

> You're correct. But you were not correct when you claimed that it's
> impossible to filter it on the client side.

You are putting words in my mouth^W fingers. I never claimed it was
impossible to filter. When you recommended client side filtering as a
solution, I replied:

<quote>
Network abuse is not a client side issue. Please take action to
mitigate this NewsAgent spew.
</quote>

I stand by my words. Your loose interpretation is an outright
misrepresentation of the exchange. You assume too much, while
ignoring the the heart of the matter entirely. Only by making
patently false assertions are you able to try to deflect from the
issue of network abuse, through a quite lame attempt at deflection.

>> Your recommendation of filtering shifts responsibility dealing with
>> the issues surrounding network abuse instances originating from
>> news.neodome.net. Man up and take responsibility for the problems
>> you and the implementation of your philosophy invite.

> Are there any, really?

Are there any what? Responsibilities?

Indeed, as it was your recommendation of client side filtering, as a
solution, which prompted me into this discussion. Your failure to
respond immediately upon notification, to shut down the attack, and
instead attempting to shift responsibility to the operators of every
NNTP node on the network, and to their users, is the subject at hand.

> Pretty much all Usenet servers use cleanfeed, and there are very
> simple settings over there:

Please see my header comment regarding assumptions. Your assumptions
are quite simply fallacious. The result of basing your arguments upon
false premises renders them moot. Your assertion regarding the
ubiquity of INN demonstrates a quite parochial perspective and
provincial attitude.

Many servers running INN also run cleanfeed. How well maintained they
are, on any particular site, is open to conjecture.

Too few other NNTP server software solutions are devised to
accommodate cleanfeed. Are you aware, for example, there are still
people out there, who run Microsoft news server enterprise solution
software? These things respond to only the most minimal of NNTP
commands. They do not even support queries of any type.

Do you understand that where many ISPs used to provide NNTP services
using HighWinds server software? Most no longer provide this service.
The server software was incapable of user authentication and were open
to any IP address on their subnets, including hijacked proxies
running on home users computers, most often installed by malware..

What about other leaf node servers?

There are some pretty significant news sites, which do not run
IneterNetNews. Two of the servers I access on a regular basis do not,
including the service from which I primarily read news and the one via
which this post originates.

Then, of course, there is the lowest common denominator of Usenet
access providers, groups.google.com, where you can rest assured the
entire flood is archived. You can find NewsAgent floods similarly
archived in the Google Usenet archive, which date back decades. That
in no way excuses the abuse and points to the importance of
preventing it. Once it begins, it is imperative that it gets shut
down, just as quickly as possible.

[ snip cleanfeed specific comments, as irrelevant to the underlying
abuse issue ]
> Because normally all articles from Neodome have single posting host,

[snip]

This would seem to have been another false assumption, in this case.
Is this your first experience with NewsAgent? The flooding, which
nicked news.neodome.net, has be in progress for at least two decades.

> I'm not sure why E-S is not using such filter, I guess that would be
> the question for Ray.

It's not your place to pose the question. You are out of line.

> The reason you and other Giganews users are seeing it is because
> you're getting "uncensored" Usenet which is basically a stream of
> data with headers that you're free do anything with. You're your own
> "censor", same as me - and considering your experience I'm pretty
> sure you know what to do to get the data you want.

It seems you need to review the definition of 'censor'. Dropping
thousands of word salad NewsAgent posts is not an infringement upon
speech, as it was neither speech nor communication of any kind. It is
just noise. Filtering noise has nothing to do with the suppression of
information or ideas. Flooding of this nature is akin to the state
sponsored jamming of radio signals, to censor broadcasts and prevent
the dissemination of information.

Preventing this crap from ever entering the news stream actually
improves communication. In case you had not noticed, communication --
for some value of communication -- is the primary purpose of text
newsgroups.

I read news from giganews.com servers, as it is included with one of
my ISP accounts. I choose to read from a full feed, specifically so I
can see, recognize and try to deal with network abuse incidents.
That is my choice. It is what I did, when reporting this specific
flooding incident to you. You seemed to shrug it off, as if it was
not your problem.

>> I have dealt with NewsAgent floods previously, as well as floods of
>> cancel messages, supersedes replacing legitimate posts with spam
>> and the issuance of $alz formatted preemptive cancels,

<correction>
These were not cancel messages. Although they were posted to
control.cancel, and include Subjects beginning, "cmsg cancel," they
included no Control header. They were intended to prevent the posting
of cyberspam cancels using $alz M-IDs. This led to the creation of
the $alz2 format. See the Cancel Messages FAQ:
http://wiki.killfile.org/projects/usenet/faqs/cancel/
</correction>

>> using this
>> Swiss Army Knife of Usenet Abuse. NewsAgent was specifically
>> designed to exploit open proxies, as you saw for yourself, in the
>> recent attack on alt.checkmate and alt.slack. The apparent ability
>> to switch proxies, for each post, appears to be a fairly recent
>> hack. Thanks for including the posting-host information, for the
>> second round of this attack.

> It actually was a bad thing. More articles were able to pass the
> filters because of constantly changing injection point.

I hope this was a learning experience.

>> Thanks to the speed of news.neodome.net, the attack was somewhat
>> limited.

> That's intentional. Neodome is constantly slowing the posting rate
> from any single IP address if it keeps posting.

That sounds like the Dave Hayes logarithmic back-off patch. It, too,
was easily defeated by switching IP addresses. In the specific
instance I recall, it was being accomplished from a dial-up, posting
no more than a handful of spammed articles, before disconnecting,
reconnecting and repeating, 24*7.

>> In years past, I have observed more than 300k NewsAgent generated
>> porn spam posts, in a single twenty four hour period, via an open
>> AnalogX proxy running on a Videotron.ca home user's computer.
>> Personally, I do not miss those bad old days.

> It's not the "old days" anymore. 30k messages that came from
> Neodome, 300k messages from Videotron.ca, even 3m messages - all are
> small numbers, barely noticeable, actually. I didn't even bothered
> to run htop, but I bet if I would in the middle of flood, my server
> load would be probably same as usual, which is around 5%. Usual
> amout of messages Neodome receives daily is around
> 500,000-1,000,000, and I expect it to easily handle 10x that amount.
> Commercial Usenet providers can handle hundreds time more, and won't
> even notice the difference.

Frankly, no one give a flying fig about your resource load. Site
operators and users are concerned with your willingness to shift the
load to them.

Old days or not, there is no respectable reason to allow network
abuse, by default, whether with respect to spamming, spewing or
forgery. (It was a forgery of Archimedes Plutonium which first
alerted me to news.neodome.net, although it is unlikely Archie Pu has
the acumen to formulate a cogent or coherent abuse report. See
n.a.n-a.misc.)

> There were several attacks on my server in the last few years, for
> example, just recently someone tried to open hundreds of thousands
> of connections, but failed miserably because he ran out of resources
> before I did. I didn't even bother to check his IP address.

The attack you describe is unrelated to the emission of a flood
originated via news.neodome.net.

> If not for whiners, I would just let it all run and let the filters
> take care of everything.

That is some kind of attitude you have.

[snip comments regarding Google Groups]

> The only legit complain I heard so far was from Adam, and he was
> saying that such flood is effectively a DoS attack against smaller
> servers. I, however, disagree. [...]

Are you suggesting that the reports I sent you were somehow
illegitimate? These were not complaints. They were reports of an
ongoing network abuse incident. All that I asked of you, was that you
please take action. The reports, themself, consisted solely of sample
spew, with full and complete headers.

>> [...]

>>> I mean, yeah, it's pretty sad that open Usenet server is used to
>>> bitch to the world about horrors of rival political opinions.

>> This is the same lame excuse, used by hosting providers, for
>> infrastructure facilitating cybercrime operations. You and your
>> server are nothing new nor anything special.

>> Please consider moving news.neodome.net to an authenticated users
>> only setup. Intentionally running open servers seems an open
>> invitation to abuse.

> Well, at least you're not saying I'm the cybercriminal. That's
> something.

> I've seen your last email, and I appreciate that you're willing to
> help. I am, however, is not willing to use outside services such as
> spamhaus.org, because they will never supply me with their full
> database, and I'm not going to supply them with IPs of my users to
> check against their database. That's going against everything I'm
> standing for.

The Spamhaus data feed, a subscription service, would include those
items providing 127.0.0.4 DNS responses. These identify the
compromised hosts used in this specific attack. Again, I'll note, all
of the IP addresses which I checked, when you provided posting-host
information in later flood headers, were included in the Spamhaus XBL
zone.

https://www.spamhaus.org/xbl/
https://www.spamhaus.org/datafeed/

Using proxies is not a network abuse issue; hijacking compromised
hosts is, more so to perpetrate attacks on the network's
infrastructure.

[...]

> Please don't take it wrong. If I realise that Neodome is a source of
> problem that cannot be simply filtered out I'll probably turn off
> posting and make Neodome a peering only server. But currently I
> don't see anything like that. How many seconds did it take for you
> to filter them out once you opened affected group? 0.1?

news.neodome.net is killfiled in two out of five or six news clients I
use, but is not for this user agent. In any case, user agents, for
which killfiles operate, still require downloading all of the overview
headers, at a bare minimum. Downloading thousands of XOVER headers of
noise is a waste of my resources and time. That you seem to think
little of it, suggests you are not a particularly good Usenet
neighbor.

Be conservative in what you send, be liberal in what you accept.

- --
David Ritz <dritz@mindspring.com>
"The first principle of a free society is an untrammeled flow of
words in an open forum." - Adlai Stevenson (1900-1965)

-----BEGIN PGP SIGNATURE-----

iF0EARECAB0WIQSc0FU3XAVGYDjSGUhSvCmZGhLe6wUCYMGkXAAKCRBSvCmZGhLe
61nLAKC0iw7Uc7Q1xFjRJ8KPlEaS+QH7EACgqODe2t/2Sm/nubvQL7FO+BzIR9I=
=eCLL
-----END PGP SIGNATURE-----