From: security curmudgeon (jericho@attrition.org)
To: Greg A. Woods (woods@weird.com), abuse@planix.com
Cc: Jon Klein (klein@wkeys.com), Jay Dyson (jdyson@treachery.net), andreas@planix.com, peter.0101@planix.com
Date: Fri, 30 Jan 2004 00:34:23 -0500 (EST)
Subject: Re: NOTICE! VERY IMPORTANT DNS problem with attrition.org and mail.attrition.org


Jon Klein: Could you verify if you received Mr. Woods' email sent to
           root@wkeys.com since he is concerned about our mail records?

Planix: One of your employees is sending us glorified form mail that
        indirectly suggests that your company are experts at DNS while we
        are not. This is essentially a commercial solicitation and not
        wanted. Based on Mr. Woods response (or lack their of), we may be
        reporting you to your upstream ISP and relevant parties that track
        UCE.

: The host 'mail.attrition.org' is being used as the target of one or more
: MX records, including: 'attrition.org'
:
:       $ host -t mx attrition.org
:     attrition.org             MX      0 mail.attrition.org
:      *** attrition.org MX host mail.attrition.org is not canonical
:
: Unfortunately as you can see this host is a CNAME (an alias) for the
: real host (attrition.org).
:
: This is quite wrong and does cause problems for e-mail sent and received
: using the domain attrition.org.

So far I don't notice any problems related to this. Since 07-Oct-1998 the
only mail problems we have had (which account for probably 0.001% of our
time) were due to other problems that we diagnosed after the fact. In over
five years, you are the first to experience problems with this and notify
us.

: The target domain name of an MX record _MUST_NOT_ be a CNAME.

This makes it sound very serious, but I have to wonder if five years of
basically no mail problems offers evidence that it is a nice
recommendation, but not a MUST HAVE?

: PLEASE correct this problem as soon as you possibly can!
:
: Mail destined to this host really is bouncing now, or has recently,
: bounced because of this problem.  No kidding.  Fix your DNS!

It has? Can you send me a copy of the bounce w/ headers so I can see?

:     Effect:  This can cause mail delivery problems.  Some mail servers
:     will understand this, but some will not.  In essence, some mail will
:     arrive and some will not, and the zone administrator may never notice
:     this fact.

This is interesting, but please let me jump ahead in your email. You sent
this to *NINE* e-mail addresses and then justify your actions with the
following:

  If you feel you got too many copies of this notice, especially to the
  same mailbox, then please consider switching to a mailer (reader or
  transport as appropriate) that suppresses multiple copies.

So if your solution to avoid reading the same mail 9 times is to "use a
reader that suppresses multiple copies", I submit to you that you may use
mail software that recognizes our DNS records since according to your own
citations, "some mail servers will understand this, but some will not".
Further, since my first hand experience tells me that over 99.9% of mail
servers handle this without a problem, I further submit to you that your
sending me nine copies and suggesting my mail reader be one that
"suppressess multiple copies" is much more troublesome. You certainly
wouldn't be very good on the anti-spam front.

: For the simple cases I suggest changing the mail.attrition.org record to
: be an A record, and adding another new PTR for it in the appropriate
: reverse zone too of course.

Since you already contacted both of my DNS servers, I will let them
determine the best course of action. One of them has already asked
me to relay an obscene message involving your tongue and his ass.
Hopefully the other replies too.

: Note:  This message has been sent to the following addresses:

Ok... before we get to that, let's refresh our memory here on what you
said above:

  Mail destined to this host really is bouncing now, or has recently,
  bounced because of this problem.  No kidding.  Fix your DNS!

So at least one of the following test addresses should bounce.

:     hostmaster@KaosOL.net

I'll have to ask the admin if he received the mail. Did you get a bounce?

:     hostmaster@[66.80.146.7]

Received: from fractal.kaosol.net (fractal.kaosol.net [66.151.160.11])
        by forced.attrition.org (8.11.6/3.8.9) with ESMTP id i0U4iZC18762
        for (hostmaster@[66.80.146.7]); Thu, 29 Jan 2004 23:44:35 -0500
Message-Id: (2YOKRPC0FBB664JD1QK05BRL31HDKI.4019ef46@smoof)
Subject: kook1-Fwd: NOTICE! VERY IMPORTANT DNS problem with attrition.org

:     hostmaster@attrition.org

Received: from fractal.kaosol.net (fractal.kaosol.net [66.151.160.11])
        by forced.attrition.org (8.11.6/3.8.9) with ESMTP id i0U4iwC18774
        for (hostmaster@attrition.org); Thu, 29 Jan 2004 23:44:58 -0500
Message-Id: (JEZTJDA7KGNK51PNCAMHRQA5KWU32HD.4019ef5c@smoof)
Subject: kook2-Fwd: NOTICE! VERY IMPORTANT DNS problem with attrition.org

:     hostmaster@mail.attrition.org

Received: from fractal.kaosol.net (fractal.kaosol.net [66.151.160.11])
        by forced.attrition.org (8.11.6/3.8.9) with ESMTP id i0U4jOC18870
        for (hostmaster@attrition.org); Thu, 29 Jan 2004 23:45:29 -0500
Received: from smoof (p130.atm.dyn.kaosol.net [66.151.161.130])
        by fractal.kaosol.net (8.12.8/8.12.7) with SMTP id i0U4j9Ih022154
        for (hostmaster@mail.attrition.org); Thu, 29 Jan 2004 21:45:09 -0700 (MST)
Message-Id: (ICXWIFVRUPRPVPQKOM8B71WQJICAWQ.4019ef77@smoof)
Subject: kook3-Fwd: NOTICE! VERY IMPORTANT DNS problem with attrition.org

:     jericho@kaosol.net

Received:
from proven.weird.com (proven.weird.com [204.92.254.15]) by
fractal.kaosol.net (8.12.8/8.12.7) with ESMTP id i0TKNVIh024180; Thu, 29
Jan 2004 13:23:32 -0700 (MST)

:     postmaster@[66.80.146.7]

Received: from fractal.kaosol.net (fractal.kaosol.net [66.151.160.11])
        by forced.attrition.org (8.11.6/3.8.9) with ESMTP id i0U4jdC18887
        for (postmaster@[66.80.146.7]); Thu, 29 Jan 2004 23:45:40 -0500
Message-Id: (Q3VC0A5JFNIWQPHFPLSQS05EBW2Z.4019ef86@smoof)
Subject: kook4-Fwd: NOTICE! VERY IMPORTANT DNS problem with attrition.org

:     postmaster@attrition.org

Received: from fractal.kaosol.net (fractal.kaosol.net [66.151.160.11])
        by forced.attrition.org (8.11.6/3.8.9) with ESMTP id i0U4k3C18907
        for (postmaster@attrition.org); Thu, 29 Jan 2004 23:46:03 -0500
Message-Id: (P4264WSLIKHGEC072JFMKC04ZEDEA84.4019ef9d@smoof)
Subject: kook5-Fwd: NOTICE! VERY IMPORTANT DNS problem with attrition.org

:     postmaster@mail.attrition.org

Received: from fractal.kaosol.net (fractal.kaosol.net [66.151.160.11])
        by forced.attrition.org (8.11.6/3.8.9) with ESMTP id i0U4kGC18927
        for (postmaster@attrition.org); Thu, 29 Jan 2004 23:46:16 -0500
Received: from smoof (p130.atm.dyn.kaosol.net [66.151.161.130])
        by fractal.kaosol.net (8.12.8/8.12.7) with SMTP id i0U4k0Ih022204
        for (postmaster@mail.attrition.org); Thu, 29 Jan 2004 21:46:00 -0700 (MST)
Message-Id: (3ZK43F0JFXWSQLGURPORPVQLGOKXS.4019efaa@smoof)
Subject: kook6-Fwd: NOTICE! VERY IMPORTANT DNS problem with attrition.org

:     root@wkeys.com

I'll definitely ask if the Wkeys staff got it as well.

: Please verify that _all_ of these addresses work properly!

Well, that was an interesting test. Pine only displayed two of the
messages you sent to the six related addresses. I'm guessing our MTA
suppressed multiple copies since when I altered the subject line a tad,
all six copies came through without a problem. All of the addresses seem
to be working just fine.

I am curious however, why you mailed hostmaster@kaosol.net and not
root@treachery.net about these problems. Any explanation why you missed an
important address related to our DNS records? KaosOL only provides NIC
record service for us, while treachery is actually a DNS server
controlling our DNS records.

: They have been derived from the related DNS and ARIN WHOIS records for
: these domains, hosts, and their addresses, and as such they are all
: _REQUIRED_ to work properly!  If you feel one or more of these addresses
: should not have received this message then you need to update your
: contact information to reflect this desire.

This is sounding a lot like a form letter. Further, your signature
includes a company name. Checking your web page (which doesn't work
unless i put in "www.") it says:

 The Company

 Planix is a partnership specializing in networking and Unix system
 administration

This leads me to believe that you are spamming various domains with DNS
records that don't match certain RFC standards, counting on them to
consult with you to fix them. In short, this is UCE (Unsolicited
Commercial E-mail, aka spam). Since you mailed multiple addresses by your
own admission, you include a company name and web site, suggest that we
are doing something wrong and you are qualified to fix it, and don't
provide an opt-out link, this mail violates the recent CAN-SPAM act and
subjects you to criminal penalties if you live in the US. However, since
you appear to be based in Canada, i'd have to research the SPAM laws of
Canada and see how they apply to you. If there is any doubt about this, we
can read the last line of your mail:

: If you feel you got too many copies of this notice, especially to the
: same mailbox, then please consider switching to a mailer (reader or
: transport as appropriate) that suppresses multiple copies.

This is a standard type of pre-emptive warning spammers use to justify
sending so many copies of their mail. I'd imagine that like most spammers,
you are new to this whole "internet thing" since you opted to mail this to
nine addresses, instead of following a fairly accepted chain of command
for such problems, thta begin with one or two addresses on the offending
site. When that doesn't work, you send it to a few others and CC any
related addresses such as the upstream ISP or in this case, the
administrators of the DNS servers (which you should have pulled out of
whois records).

In the mean time, i'll go ahead and send over the copies of your mail to
the egate.net and nac.net abuse admins and let them know they are
providing services to clever spammers.

--

Cliff notes: Answer the following questions or I will consider this e-mail
nothing but clever spam.

1. Why didn't you contact treachery.net (since you contacted wkeys.com)?

2. Where is a copy of mail (with headers) showing these DNS records caused
   a bounce (since you clearly said it IS causing problems)?

If you opt not include all of the details I have been made aware of
regarding issue #1, or if you can not provide a copy of bounced mail
showing this problem is legitimate, this will guarantee my suspicions that
this is nothing but cleverly worded spam.

Brian

From: security curmudgeon (jericho@kaosol.net)
To: Greg A. Woods (woods@weird.com)
Date: Thu, 29 Jan 2004 23:17:31 -0800
Subject: Re: NOTICE! VERY IMPORTANT DNS problem with attrition.org and mail.attrition.org

Since weird.com is the only system in the world that has ever bounced
mail due to this issue.. since mail to other planix.com addresses
happily accepted my mail.. I assume this is some personal crusade or
some techno geeklust for the most strict of RFC compliant systems. Anyway,
since you made it a point to bounce mail from horrible broken evil systems
like attrition.org, figured i'd give you a chance to reply by mailing from
here to explain your spam before I forward it on.

[copy of last mail]

From: security curmudgeon (jericho@attrition.org)
To: Greg A. Woods (woods@weird.com)
Date: Fri, 30 Jan 2004 23:53:50 -0500 (EST)
Subject: Re: NOTICE! VERY IMPORTANT DNS problem with attrition.org and mail.attrition.org

: I just knew you'd be one of those types who responded with such a poorly
: considered complaint as you have.  I could just see it coming when I
: first send that message to you.  :-)

Which confirms suspicion that you mailed only to provoke, not help. Given
your first mail to me, I really don't understand how you imagine yourself
somehow better than me when it comes to this thread. The only thing that
made it more interesting than the usual "CANCEL MY A0L ACCOUNT" message
was you could spell words correctly.

: : So far I don't notice any problems related to this.
:
: Well, how could you -- it can't affect you directly.  You're only on the
: end of a communications link that never gets established in the first
: place because of this problem.

Are you really this dense? I might notice when someone mails me from an
alternate network to complain about not being able to mail from the first
place they tried. Or, presumably the same type of situation that lead you
to mail me. Oh wait, technical and DNS issues had nothing to do with you
mailing us.

: : It has? Can you send me a copy of the bounce w/ headers so I can see?
:
: Sorry, I can't do that.  I only monitor mailer logs to find errors such
: as this.

Great, send me some logs so I can get a feel for how often this is
happening. Oh wait, those are going to be private aren't they?

: : I'll have to ask the admin if he received the mail. Did you get a
: : bounce?
:
: Damned if I know -- I've processed many thousands of bounces over the
: past few days.  I could try to find it in my incoming logs, but what's
: the point?

Exactly, the point is you had no intention of trying to help us in any
way. You were more focused on a poor attempt at harassment.

: : Well, that was an interesting test. Pine only displayed two of the
: : messages you sent to the six related addresses. I'm guessing our MTA
: : suppressed multiple copies
:
: You're "guessing"!?!?!?!  You mean you don't know?  HAH HAH HAH!  ROTFL!

I'll try to make the sarcasm a tad more obvious next time.

: : since when I altered the subject line a tad,
: : all six copies came through without a problem.
:
: That's probably got more to do with your MUA than your MTA.  Of course
: if you read your mailer logs as you should have in the first place then
: you'd already know that.

Duck and cover! Evade! Point is, the mail worked fine.

: You might be surprised at how many domains don't have a working
: "hostmaster" alias, and I was surprised by how many mailers don't know
: their own hostnames.  I wasn't so surprised by how many mailers refuse
: domain literals, though this has exacerbated my efforts somewhat.

Want to tell me the real reason you didn't mail treachery.net?

: : 1. Why didn't you contact treachery..net (since you contacted
: : wkeys.com)?
:
: Why would I contact a secondary nameserver?  They're not responsible for
: your DNS -- _you_ are.  :-)

By that logic, you shouldn't have contacted wkeys.com then. And if
wkeys.com disappears, doesn't treachery kick in? If not, what's the
purpose of a secondary DNS server?

Evade! Dodge!

: : 2. Where is a copy of mail (with headers) showing these DNS records caused
: :    a bounce (since you clearly said it IS causing problems)?
:
: Sorry, my client's mailer logs are their private information.  Since
: you've been so bloody-minded about this I'm not even going to give you a
: hint about their domain name.

Wow, didn't see that one coming. (That's sarcasm)

: (of course this particular incident was no doubt sparked off by some
: lame luser with a worm-infested PC, but never the less....)

From our perspective, this whole incident was sparked by a luser, that is
for sure.

From: security curmudgeon (jericho@attrition.org)
To: Greg A. Woods (woods@weird.com)
Date: Sat, 31 Jan 2004 14:22:56 -0500 (EST)
Subject: Re: NOTICE! VERY IMPORTANT DNS problem with attrition.org and mail.attrition.org


: : Which confirms suspicion that you mailed only to provoke, not help.
:
: You obviously don't want any help.

From someone branded a net kook, who only mailed us for harassment and
entertainment? No, we don't want that "help".

Too bad you still won't come clean about why you really mailed. Do you
think there is no communication between treachery.net and us or something?

: I was guessing that would be the case given what prior knowledge I had
: of you and your domain, but it's been worth the entertainment anyway.
: :-)

I guess we were both warned.

: You really aren't able to pay attention, are you?

You really aren't able to follow simple logic, are you?

From: security curmudgeon (jericho@attrition.org)
To: Greg A. Woods (woods@weird.com)
Date: Sat, 31 Jan 2004 23:41:10 -0500 (EST)
Subject: Re: NOTICE! VERY IMPORTANT DNS problem with attrition.org and mail.attrition.org

: Well you fixed your DNS so I guess you must actually know why I sent you
: that notice.  BTW, Thanks!  ;-)

Oh you are most welcome. I am sure this will help you in your daily e-mail
and dealing with attrition.org! And of course I didn't fix it, the people
who handle my DNS did.

: You've been extremely predictable (which unfortunately has detracted
: somewhat from your entertainment value), but this is one thing I don't
: quite get.

Ok simple logic.. read the above..

: Ah, I know!  You're just trying (now unsuccessfully) to goad me on!

.. and this.

If you predicted I would keep asking about treachery.net, then you clearly
know why I am asking, else it would be completely arbitrary to keep
mentioning that specific site and I would never insist on you coming clean
about your real intentions. You are so entirely transparent here.

--

I'm not trying to goad you. I'm trying to get you to admit a very basic
truth to all of this, but you are apparently too dense to realize that I
was warned about you and informed of your past "conflict" with certain
people at treachery.net. Since you never mail us, I can't imagine you
would have any interest in our MX records unless you thought that pointing
it out (due to our connection to treachery.net) was some way to get back
at him, attempt to give us grief indirectly, or some other childish
notion. Your first mail was written like those junior admins who found a
little quirk in a system and were jerking off furiosly while typing a mail
to the senior admin to prove they were indeed "Alpha" material. GOOD JOB
GREG! YOU SUCH A GOOD BOY! SO PROUD OF YOU!!

It's ok though Greg, you are just as predictable as me it seems. And since
I am so predictable, what will I do next? Put all of this up on Postal,
block mail from weird.com, or 'all of the above'? I know, let's cut out
the back and forth games since your intentions were clear, you likely got
showed up by Dyson (and others), and are still holding a now 2 year grudge
(or is it 3?) Either way it's pretty pathetic.

From: security curmudgeon (jericho@attrition.org)
To: Greg A. Woods (woods@weird.com)
Date: Sun, 1 Feb 2004 14:32:56 -0500 (EST)
Subject: Re: NOTICE! VERY IMPORTANT DNS problem with attrition.org and mail.attrition.org

: You are _way_ too paranoid.  You should get that looked at.  It'll be
: the end of you some day.

Denial. Look it up.