Hi folks,

[apologies for the poor english]

Highwinds-media and roadrunner.com news servers admins have been unable
to (or unwilling to) handle for the past months massive abuses coming
from their own customers, and have been unable to take serious actions
to prevent attacks against Usenet groups (especially sci.crypt), such as
hipcrime denial of service attacks.

Tens of thousands of articles are flooding on a daily basis newsgroups
without any reaction from the originating source.

This is not a question of spam, or off-topic messages, or individual
abuses, but rather massive random garbage articles from automated scripts.
Most floods are caused by probably hijacked personal computers, where
hipcrime bots are running.

Trying to contact highwinds-media admins was unsuccessfull, as they seem
to make promises that they do not plan to repect. And for
roadrunner.com, they simply never replied to any complaint, as this
server seems to be an abandonned ship.

Xavier Roche wrote:

As a Cox user [highwinds] as well as the news admin for San Diego State
University I support such a UDP action against Highwinds and Road Runner.
Thank you for the formal announcement and all the hard work you are doing
for this.

On Tue, 16 Oct 2007 01:44:33 -0500, Xavier Roche wrote:

More than high time to discuss it, it's high time to *do* it.

Any organization (e.g., RoadRunner)
that allows a single IP (66.61.98.209)
to post 974 messages
to a lightly used newsgroup (sci.crypt)
during a 20-minute interval (2007-10-11 21:20 to 21:40 GMT)
is flaunting a complete
indifference to the survival
of Usenet News. If we condone this behavior,
we are acquiescing in our own extinction.

Xavier Roche wrote:

Highwinds-media and roadrunner.com could care less about a UDP
discussion or being de-peer'd. It's up to the individual News server
operators to block them.

My news server, Individual.Net, periodically blocks Highwinds on an as
needed basis. Their efforts are appreciated by users like me.

ISP's these days take the same attitude as eBay. They consider
themselves merely as distribution channels who aren't responsible for
any and everything passing through them.

Peter Pearson a écrit :

The (active) UDP is now in place. But this won't affect users of servers
refusing cancels ; and the only sane solution in this case is to de-peer
and/or poison-path the two servers.

Xavier Roche writes:

Is there a NoCeM feed I could subscribe to for this?

And are you considering any "off-line" actions for the UDP?
Public relations pressure seems to be the most effective tool, really.

- Tim Skirvin (tskirvin@killfile.org)
Moderator, much of news.admin.net-abuse.*

Hi,

Tim Skirvin a écrit :

Nope - I'm not sure that many people are using NoCeM these days (I mean,
even less that people accepting cancels) ; I am mistaken ?

Anyway I'm not really familiar with these things -- is someone can setup
such a feed, it might be useful.

Yes, I know. But what shall be done when nobody cares ?

Highwinds started to reply to the first reports (I mean, with a *real*
human being reading the complaints), which was a rather positive
attitude. But unfortunately it became obvious that they were considering
that abuses from outsourced customers (eg. cox users) were not their
problems. And they just forwarded the reports, without even asking if
the issues were handled. They made very vague promises of flood
detection measures, but without giving any follow-up.

Xavier Roche writes:

There aren't that many, but I'm one of 'em. I'd be a lot happier
accepting the NoCeM feed than the cancel feed. It's not that hard to set
up with News::Article::NoCeM.

I don't, sadly, but I think that the problem is a growing one. We
need to figure out something to actually *do* about abusive sites when
complaints and basic PR don't work.

- Tim Skirvin (tskirvin@killfile.org)

Tim Skirvin a écrit :

The big issue is that most news servers are unable to accept real flow
control.

- cancels are not anymore a good solution, as they are often rejected,
and forgeries can potentially cause other issues

- authenticated cancels are not yet standardized

- NoCeM is not widely used

And anyway, as some providers accept path preload (and/or
nph/x-complaints-to forging) ; how to detect the real source of an
article ? How to authenticate the "path" ?

I'm afraid that NNTP was designed to be a good protocol within
cooperative servers. Handling uncooperative, or unresponsive servers, is
not something trivial.

Xavier Roche a écrit :

Highwinds-media just replied that a "a new post filter" is being tested,
and "should be rolled out by the end of next week".

Wait and se ...