Remember the time one New Year's when they stayed up and running, even though a major city water main had burst underneath the street in front of their building?

It's very possible that the machines in that building weren't the ones that kept everything running. One of the things that I always forget is that distributed services aren't at all obviously thus.

Domain Name.......... panix.com

  Creation Date........ 1991-04-22

  Registration Date.... 2005-01-15

  Expiry Date.......... 2006-04-23

  Organisation Name.... vanessa Miranda

  Organisation Address. 1010 Grand Cerritos Ave

  Organisation Address.

  Organisation Address. Las Vegas

  Organisation Address. 89123

  Organisation Address. NV

  Organisation Address. UNITED STATES

Admin Name........... na vanessa Miranda
Admin Address........ 1010 Grand Cerritos Ave
Admin Address........
Admin Address........ Las Vegas
Admin Address........ 89123
Admin Address........ NV
Admin Address........ UNITED STATES
Admin Email.......... jzoh@yahoo.com
Admin Phone.......... +44.702413697
Admin Fax............ +44.7026413697

Tech Name............ Domain Admin
Tech Address......... Burnhill Business Centre
Tech Address.........
Tech Address......... Beckenham
Tech Address......... BR3 3LA
Tech Address......... Kent
Tech Address......... GREAT BRITAIN (UK)
Tech Email........... admin@powerhost.co.uk
Tech Phone........... +44.2082496081
Tech Fax............. +44.2082496076
Name Server.......... ns1.ukdnsservers.co.uk
Name Server.......... ns2.ukdnsservers.co.uk

Yup, looks like skullduggery at Verisign: whoda thunk it?

Er... panix.[net|org] look about normal though ... Perhaps folks that are on panix might check and see if panix.org/panix.net work as expected...

Anyone who needs to reach me while panix is down should use bmeacham at gmail dot com.

panix.net is working fine, and they've ported everything over to it, at least temporarily. But that doesn't do a damn bit of good for all the mail that's being addressed to panix.com. Grump.

Well, no. OTOH, it's good to know that there's an alternative while things are fouled up, rather than being totally offline.

Interestingly enough, there's some strange things going on with mail delivery. In theory mail to panix.com should be directed to (hijacked to?):

panix.com.              54622   IN      MX      200 mailhost-l2.panix.com.
panix.com.              54622   IN      MX      150 mailhost.panix.com.

mailhost.panix.com doesn't appear to exist, but mailhost-l2.panix.com does:

telnet mailhost-l2.panix.com 25
Trying 166.84.1.75...
Connected to l2mail1.panix.com.
Escape character is '^]'.
220 l2mail1.panix.com ESMTP Postfix

... but that is a panix IP block...

Trying 207.61.90.202...
Connected to mail.panix.com.
Escape character is '^]'.
220 mailforward.freeparking.com ESMTP Exim 4.41 #1 Sat, 15 Jan 2005 21:50:53 -0500

mail.panix.com, which shouldn't be in line to get mail is being sent off to a domain parking service with an IP block allocated from Bell Canada, but an address in Melbourne, Australia, and a nameservice pointing off to the same one that's listed for panix.com currently...

Kinda makes you wonder...

Oh, and ggn.net's Usenet server went down a couple three days ago, it's only just come back up.

Online life has been quite...interesting...today.

I have faith that the clever people who run panix will sort it all out, and smite the miscreants.

Whoever did this is going to get into major trouble when the dust settles...

"Status as of Sat Jan 15 22:04:33 EST 2005

Panix's main domain name, panix.com, has been hijacked by parties unknown. The ownership of panix.com was moved to a company in Australia, the actual DNS records were moved to a company in the United Kingdom, and panix.com's mail has been redirected to yet another company in Canada. Panix staff are currently working around the clock to recover our domain, but this may take until Monday, due to the time differences and difficulties in reaching responsible parties over the weekend.

For most customers, accesses to Panix using the panix.com domain will not work or will end up at a false site."

From the sounds of the comments on slashdot, the "proper authorities" aren't very helpful.

The discussion that you refer to, and correctly summarized, is at:

New York's Oldest ISP Gets Domain-Jacked
Posted by michael on Sunday January 16, @03:03AM
from the no-respect-for-their-elders dept.
Howard Roark writes "Panix, the oldest commercial Internet provider in New York, had its domain name 'panix.com' hijacked by persons unknown. The main effect on users is that mail sent to panix's customers is being routed to a bogus mail server run by the hijackers."

I've got a domain that's suddenly and rather unexpectedly become desirable. It's not for sale. People keep trying to buy it. I keep saying no. I expect sooner or later someone will try nefarious means to obtain it for resale.

Anyone have any tips on defending a domain?

Leva

The second step is to follow the process to lock transfers so they require positive approval - or should! The first step is to host with a bigger gorilla that doesn't go home on weekends - and stay current with your gorilla both in contact information and payment.

The system currently does a pretty good job of protecting naming rights from being hijacked without due process of law - this being important to the powers of this world.

Denial of service and misdirection has been given less protection. Perhaps as being harder to deal with by traditional rules or perhaps harder to explain to the powers of the world.

Notice the Panix redirection involved over the weekend hard to contact issues on a sort of 3 day weekend in the U.S. of A. - this is not the sort of obtaining for resale most people need worry about.

I assume the domain of yours that has suddenly attracted interest is FIREFOX.ORG? If so, I checked the status of the FIREFOX.ORG domain with the .ORG registry using 'whois'. It appears that you have already locked your domain - it currently has an EPP domain status of 'clientTransferProhibited' and your current registrar is Network Solutions.

This means that even if you were to go to another registrar and provide them with signed authorization to transfer the domain and assume registrar duties, the .ORG registry would refuse to consummate the transfer from the old registrar to the new registrar. In fact, all transfers should be refused until you explicitly unlock the domain at the original registrar. This is about as good of protection as you can get with the current domain system. Locking your domain does, however, reduce the agility of your domain - you might find yourself in an awkward position and with a non-functional domain if your current registrar unexpectedly goes out of business (since they might not be around to process your unlock request).

I should note that panix.com claims that they had a registrar lock on their domain at the time it was transferred away from their registrar Dotster.com to the Melbourne IT registrar. If this is true then many domains may well be vulnerable to a domain name hijack until the mechanism used for the panix.com compromise is identified and corrected.

Melbourne IT, my ex-employer. While I can well believe they could screw up, I don't know about "cut-rate" though - they're not a small shop, and they're not cheap.

I've been reading the slashdot thread trying to work out who screwed up where, and it's still not particularly clear. Should be an interesting one once it's finally sorted.

It's clear to me that one issue is that somehow Panix's lock on their domain names, at Dotster, got unlocked.

The Young Cybersquatter's Handbook and Patently Obvious's link to an article about protecting your domain might be interesting places to start.

In general, I'd hope that your domain is in use, since it makes life much easier in all forms of domain discussion.

(I don't know a lot about this, so I may be talking about this wrong, but I think that I can make enough sense to at least tell the story intelligibly.)

Anyway, so I can't get myfirstname@mylastname.name except through them. Why they happen to own my married last name, and not my maiden name or any other name that I tried looking for is unknown to me. I just gave up and bought it, and then renewed it this year (although I am paying through the nose for just an email forward). I am considering not bothering for next year, but then I know I'll be kicking myself if I can't ever get a nice vanity email address in the future. Does anyone who reads this know anything helpful for me?

http://tinyurl.com/3m29l

Olivia: well, nobody would forget it...

But I bet I know what part of the motivation for the panix.com-hijack was.

I know that Teresa uses a Mac, and that you collectively practise decent network security, so it's not very likely that her home PC has been converted into a spambot.

I think it's even more unlikely Teresa would send me email consisting of the subject line 'Important' and no content but a self-extracting zip file.

So if I get spam from Teresa's Panix address with pretty much authentic headers, I am faced with either an astonishing co-incidence -- and I'm not getting any other spam putatively from Making Light posters, making an unconnected harvesting from the blog seem unlikely -- or the idea that part of the reason for the Panix grab was to harvest not just authentic addresses but also active conversations, people who are expecting to get email from this other person right here. (Which is not that plausible in the particular instance, but that's what getting that particular email brought to mind, shortly followed by 'the evil, evil people'.)

Man-in-the-middle is a traditional approach to getting around whitelist filters, after all, and the message did sail through spamassassin.

Many spam emails purport to be from some random real person; this is why one occasionally gets a grumpy gram from some mail server somewhere telling you that they couldn't deliver the message you didn't send.

Generally, the spammer has faked just the From line, and the remaining headers provide a spam filter with information -- the date is in the future, there's a message path that doesn't match the address or which matches a known spamhaus, and so on.

For example, if Teresa were to actually send me mail, the full headers would include a set of Received lines that indicated that it started at Teresa's machine, went to a machine at Panix, maybe another machine at Panix, perhaps another machine on the route to my ISP, a machine at my ISP, and then my machine. Spam doesn't get these right, and the good spam checkers have rules based on that -- if the address is Fred@ISP.com, and none of the Received lines mention ISP.com, something's not right.

What I recall from that message is that it had plausible headers for something that came from Panix, rather than the usual 'oh, this is spam' headers. Having all of the Panix mail traffic to use as a template would presumably help with getting the headers right.

[*] I get final say over what it junks and see it all before it does.

The panix FAQ currently says that it thinks the redirected mail went to an innocent third party, but I imagine they'll be keeping a close eye on that.