Re: Ongoing flood from Neodome

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!news.nk.ca!.POSTED.doctor.nl2k.ab.ca!not-for-mail
From: doc...@doctor.nl2k.ab.ca (The Doctor)
Newsgroups: news.admin.net-abuse.usenet,news.admin.peering
Subject: Re: Ongoing flood from Neodome
Date: Thu, 10 Jun 2021 12:48:45 -0000 (UTC)
Organization: NetKnow News
Message-ID: <s9t1nd$rj7$32@gallifrey.nk.ca>
References: <1pa80y9.1ntv431sf1rnN%snipeco.2@gmail.com> <alpine.OSX.2.20.2106052028420.57527@mako.ath.cx> <s9pldp$t8j$1@neodome.net> <alpine.OSX.2.20.2106092125210.72281@mako.ath.cx>
Injection-Date: Thu, 10 Jun 2021 12:48:45 -0000 (UTC)
Injection-Info: gallifrey.nk.ca; posting-host="doctor.nl2k.ab.ca:204.209.81.1";
logging-data="28263"; mail-complaints-to="usenet@gallifrey.nk.ca"
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
Originator: doctor@doctor.nl2k.ab.ca (The Doctor)
 by: The Doctor - Thu, 10 Jun 2021 12:48 UTC

In article <alpine.OSX.2.20.2106092125210.72281@mako.ath.cx>,
David Ritz <dritz@mindspring.com> wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On Wednesday, 09 June 2021 06:00 -0000,
> in article <s9pldp$t8j$1@neodome.net>,
> Neodome Admin <admin@neodome.net> wrote:
>
>> David Ritz <dritz@mindspring.com> writes:
>
>> > On Saturday, 05 June 2021 12:57 -0000,
>> > in article <s9fsc2$tk6$1@neodome.net>,
>> > Neodome Admin <admin@neodome.net> wrote:
>
>> > On Saturday, 05 June 2021 12:57 -0000, Neodome Admin wrote:
>
>> > [...]
>
>>>> As to David Ritz, I will never believe that this guy has no
>>>> idea how to deal with a simple flood coming from a single source,
>>>> directed to groups he doesn't read.
>
>>> Your assumptions are bad and your clairvoyance quotient sucks, as
>>> does mine. What I read or don't read is quite irrelevant to the
>>> problem.
>
>> You're correct. But you were not correct when you claimed that it's
>> impossible to filter it on the client side.
>
>You are putting words in my mouth^W fingers. I never claimed it was
>impossible to filter. When you recommended client side filtering as a
>solution, I replied:
>
><quote>
> Network abuse is not a client side issue. Please take action to
> mitigate this NewsAgent spew.
></quote>
>
>I stand by my words. Your loose interpretation is an outright
>misrepresentation of the exchange. You assume too much, while
>ignoring the heart of the matter entirely. Only by making
>patently false assertions are you able to try to deflect from the
>issue of network abuse, through a quite lame attempt at deflection.
>
>>> Your recommendation of filtering shifts responsibility dealing with
>>> the issues surrounding network abuse instances originating from
>>> news.neodome.net. Man up and take responsibility for the problems
>>> you and the implementation of your philosophy invite.
>
>> Are there any, really?
>
>Are there any what? Responsibilities?
>
>Indeed, as it was your recommendation of client side filtering, as a
>solution, which prompted me into this discussion. Your failure to
>respond immediately upon notification, to shut down the attack, and
>instead attempting to shift responsibility to the operators of every
>NNTP node on the network, and to their users, is the subject at hand.
>
>> Pretty much all Usenet servers use cleanfeed, and there are very
>> simple settings over there:
>
>Please see my header comment regarding assumptions. Your assumptions
>are quite simply fallacious. The result of basing your arguments upon
>false premises renders them moot. Your assertion regarding the
>ubiquity of INN demonstrates a quite parochial perspective and
>provincial attitude.
>
>Many servers running INN also run cleanfeed. How well maintained they
>are, on any particular site, is open to conjecture.
>
>Too few other NNTP server software solutions are devised to
>accommodate cleanfeed. Are you aware, for example, there are still
>people out there, who run Microsoft news server enterprise solution
>software? These things respond to only the most minimal of NNTP
>commands. They do not even support queries of any type.
>
>Do you understand that many ISPs used to provide NNTP services
>using HighWinds server software? Most no longer provide this service.
>The server software was incapable of user authentication and was open
>to any IP address on their subnets, including hijacked proxies
>running on home users' computers, most often installed by malware.
>
>What about other leaf node servers?
>
>There are some pretty significant news sites, which do not run
>InterNetNews. Two of the servers I access on a regular basis do not,
>including the service from which I primarily read news and the one via
>which this post originates.
>
>Then, of course, there is the lowest common denominator of Usenet
>access providers, groups.google.com, where you can rest assured the
>entire flood is archived. You can find NewsAgent floods similarly
>archived in the Google Usenet archive, which date back decades. That
>in no way excuses the abuse and points to the importance of
>preventing it. Once it begins, it is imperative that it gets shut
>down, just as quickly as possible.
>
>[ snip cleanfeed specific comments, as irrelevant to the underlying
> abuse issue ]
>
>> Because normally all articles from Neodome have single posting host,
>
>[snip]
>
>This would seem to have been another false assumption, in this case.
>Is this your first experience with NewsAgent? The flooding, which
>nicked news.neodome.net, has been in progress for at least two decades.
>
>> I'm not sure why E-S is not using such filter, I guess that would be
>> the question for Ray.
>
>It's not your place to pose the question. You are out of line.
>
>> The reason you and other Giganews users are seeing it is because
>> you're getting "uncensored" Usenet which is basically a stream of
>> data with headers that you're free to do anything with. You're your own
>> "censor", same as me - and considering your experience I'm pretty
>> sure you know what to do to get the data you want.
>
>It seems you need to review the definition of 'censor'. Dropping
>thousands of word salad NewsAgent posts is not an infringement upon
>speech, as it was neither speech nor communication of any kind. It is
>just noise. Filtering noise has nothing to do with the suppression of
>information or ideas. Flooding of this nature is akin to the state
>sponsored jamming of radio signals, to censor broadcasts and prevent
>the dissemination of information.
>
>Preventing this crap from ever entering the news stream actually
>improves communication. In case you had not noticed, communication --
>for some value of communication -- is the primary purpose of text
>newsgroups.
>
>I read news from giganews.com servers, as it is included with one of
>my ISP accounts. I choose to read from a full feed, specifically so I
>can see, recognize and try to deal with network abuse incidents.
>That is my choice. It is what I did, when reporting this specific
>flooding incident to you. You seemed to shrug it off, as if it was
>not your problem.
>
>>> I have dealt with NewsAgent floods previously, as well as floods of
>>> cancel messages, supersedes replacing legitimate posts with spam
>>> and the issuance of $alz formatted preemptive cancels,
>
><correction>
>These were not cancel messages. Although they were posted to
>control.cancel, and include Subjects beginning, "cmsg cancel," they
>included no Control header. They were intended to prevent the posting
>of cyberspam cancels using $alz M-IDs. This led to the creation of
>the $alz2 format. See the Cancel Messages FAQ:
>http://wiki.killfile.org/projects/usenet/faqs/cancel/
></correction>
>
>>> using this
>>> Swiss Army Knife of Usenet Abuse. NewsAgent was specifically
>>> designed to exploit open proxies, as you saw for yourself, in the
>>> recent attack on alt.checkmate and alt.slack. The apparent ability
>>> to switch proxies, for each post, appears to be a fairly recent
>>> hack. Thanks for including the posting-host information, for the
>>> second round of this attack.
>
>> It actually was a bad thing. More articles were able to pass the
>> filters because of constantly changing injection point.
>
>I hope this was a learning experience.
>
>>> Thanks to the speed of news.neodome.net, the attack was somewhat
>>> limited.
>
>> That's intentional. Neodome is constantly slowing the posting rate
>> from any single IP address if it keeps posting.
>
>That sounds like the Dave Hayes logarithmic back-off patch. It, too,
>was easily defeated by switching IP addresses. In the specific
>instance I recall, it was being accomplished from a dial-up, posting
>no more than a handful of spammed articles, before disconnecting,
>reconnecting and repeating, 24*7.
>
>>> In years past, I have observed more than 300k NewsAgent generated
>>> porn spam posts, in a single twenty four hour period, via an open
>>> AnalogX proxy running on a Videotron.ca home user's computer.
>>> Personally, I do not miss those bad old days.
>
>> It's not the "old days" anymore. 30k messages that came from
>> Neodome, 300k messages from Videotron.ca, even 3m messages - all are
>> small numbers, barely noticeable, actually. I didn't even bother
>> to run htop, but I bet if I would in the middle of flood, my server
>> load would be probably same as usual, which is around 5%. Usual
>> amount of messages Neodome receives daily is around
>> 500,000-1,000,000, and I expect it to easily handle 10x that amount.
>> Commercial Usenet providers can handle hundreds of times more, and won't
>> even notice the difference.
>
>Frankly, no one gives a flying fig about your resource load. Site
>operators and users are concerned with your willingness to shift the
>load to them.
>
>Old days or not, there is no respectable reason to allow network
>abuse, by default, whether with respect to spamming, spewing or
>forgery. (It was a forgery of Archimedes Plutonium which first
>alerted me to news.neodome.net, although it is unlikely Archie Pu has
>the acumen to formulate a cogent or coherent abuse report. See
>n.a.n-a.misc.)
>
>> There were several attacks on my server in the last few years, for
>> example, just recently someone tried to open hundreds of thousands
>> of connections, but failed miserably because he ran out of resources
>> before I did. I didn't even bother to check his IP address.
>
>The attack you describe is unrelated to the emission of a flood
>originated via news.neodome.net.
>
>> If not for whiners, I would just let it all run and let the filters
>> take care of everything.
>
>That is some kind of attitude you have.
>
>[snip comments regarding Google Groups]
>
>> The only legit complaint I heard so far was from Adam, and he was
>> saying that such flood is effectively a DoS attack against smaller
>> servers. I, however, disagree. [...]
>
>Are you suggesting that the reports I sent you were somehow
>illegitimate? These were not complaints. They were reports of an
>ongoing network abuse incident. All that I asked of you, was that you
>please take action. The reports, themselves, consisted solely of sample
>spew, with full and complete headers.
>
>>> [...]
>
>>>> I mean, yeah, it's pretty sad that open Usenet server is used to
>>>> bitch to the world about horrors of rival political opinions.
>
>>> This is the same lame excuse, used by hosting providers, for
>>> infrastructure facilitating cybercrime operations. You and your
>>> server are nothing new nor anything special.
>
>>> Please consider moving news.neodome.net to an authenticated users
>>> only setup. Intentionally running open servers seems an open
>>> invitation to abuse.
>
>> Well, at least you're not saying I'm the cybercriminal. That's
>> something.
>
>> I've seen your last email, and I appreciate that you're willing to
>> help. I am, however, not willing to use outside services such as
>> spamhaus.org, because they will never supply me with their full
>> database, and I'm not going to supply them with IPs of my users to
>> check against their database. That's going against everything I'm
>> standing for.
>
>The Spamhaus data feed, a subscription service, would include those
>items providing 127.0.0.4 DNS responses. These identify the
>compromised hosts used in this specific attack. Again, I'll note, all
>of the IP addresses which I checked, when you provided posting-host
>information in later flood headers, were included in the Spamhaus XBL
>zone.
>
> https://www.spamhaus.org/xbl/
> https://www.spamhaus.org/datafeed/
>
>Using proxies is not a network abuse issue; hijacking compromised
>hosts is, more so to perpetrate attacks on the network's
>infrastructure.
>
>[...]
>
>> Please don't take it wrong. If I realise that Neodome is a source of
>> problem that cannot be simply filtered out I'll probably turn off
>> posting and make Neodome a peering only server. But currently I
>> don't see anything like that. How many seconds did it take for you
>> to filter them out once you opened affected group? 0.1?
>
>news.neodome.net is killfiled in two out of five or six news clients I
>use, but is not for this user agent. In any case, user agents, for
>which killfiles operate, still require downloading all of the overview
>headers, at a bare minimum. Downloading thousands of XOVER headers of
>noise is a waste of my resources and time. That you seem to think
>little of it, suggests you are not a particularly good Usenet
>neighbor.
>
>Be conservative in what you send, be liberal in what you accept.
>
>- --
>David Ritz <dritz@mindspring.com>
> "The first principle of a free society is an untrammeled flow of
> words in an open forum." - Adlai Stevenson (1900-1965)
>
>-----BEGIN PGP SIGNATURE-----
>
>iF0EARECAB0WIQSc0FU3XAVGYDjSGUhSvCmZGhLe6wUCYMGkXAAKCRBSvCmZGhLe
>61nLAKC0iw7Uc7Q1xFjRJ8KPlEaS+QH7EACgqODe2t/2Sm/nubvQL7FO+BzIR9I=
>=eCLL
>-----END PGP SIGNATURE-----

Here is the latest

Unwanted sites in Path [Top 20]:
Site Count
news.neodome.net 827

TOTAL: 1 827

FYI.

--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism https://www.empire.kred/ROOTNK?t=94a1f39b
The pursuit of irresponsibility makes pain a necessity. -unknown
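
The check described in the quoted post (posting-host addresses from flood headers looked up in the Spamhaus XBL zone, where a 127.0.0.4 answer marks a compromised host) can be sketched as follows. This is an added example, not code from any poster in the thread; the sample headers, the `news.example.net` server name and the stub resolver answers are constructed, and only IPv4 posting hosts are handled.

```python
import ipaddress
import re
import socket

XBL_ZONE = "xbl.spamhaus.org"  # Spamhaus XBL zone; live queries need a permitted resolver

# Constructed headers (192.0.2.0/24 is a documentation range, not real posters).
SAMPLE_HEADERS = [
    'Injection-Info: news.example.net; posting-host="192.0.2.15";\n\tlogging-data="1"',
    'Injection-Info: news.example.net; posting-host="host.example.org:192.0.2.77"',
    'Injection-Info: news.example.net; logging-data="2"',  # posting host withheld
]

def posting_host_ip(header):
    """Return the IPv4 address in posting-host ("ip" or "name:ip"), else None."""
    m = re.search(r'posting-host="([^"]*)"', header)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group(1).rsplit(":", 1)[-1]))
    except ValueError:
        return None  # hostname only, IPv6, or garbage: nothing to look up

def dnsbl_name(ip, zone=XBL_ZONE):
    """DNSBL convention: reversed octets prepended to the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def system_resolver(name):
    """A-record lookup; NXDOMAIN (not listed) or any failure yields []."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def xbl_listed(ip, resolve=system_resolver):
    """True only for the 127.0.0.4 answer the post describes; any other
    answer (another list's code, a resolver error code) is not an XBL hit."""
    return "127.0.0.4" in resolve(dnsbl_name(ip))

def screen(headers, resolve=system_resolver):
    """Return (ip, listed) per header; listed is None when no IP was found."""
    out = []
    for h in headers:
        ip = posting_host_ip(h)
        out.append((ip, xbl_listed(ip, resolve) if ip else None))
    return out

if __name__ == "__main__":
    constructed = {"15.2.0.192.xbl.spamhaus.org": ["127.0.0.4"]}  # stub answers
    print(screen(SAMPLE_HEADERS, lambda n: constructed.get(n, [])))
```

A header without posting-host yields no verdict at all, which is why the inclusion of posting-host information in the later flood headers mattered for this check.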
