
January 15, 2005

Posted by Patrick at 09:19 AM * 43 comments

Panix, our longtime ISP for email, appears to be undergoing some kind of problem with its domain name—possibly a hijacking of the name, possibly just a massive screwup in the domain-name registration system.

As a result, mail sent to our familiar panix addresses may not reach us. For now, please use patricknh at gmail-dot-com and teresanh at gmail-dot-com respectively.

Update: It looks more and more as though there’s some kind of wickedness afoot. Aside from having my mail tampered with—and I leave you to imagine how I feel about that!—I’m indignant on behalf of We’ve had accounts with them for years and years, and they’ve been a conscientious, diligent, and technically savvy ISP.

Comments on Email:
#1 ::: Randolph Fritz ::: (view all by) ::: January 15, 2005, 11:25 AM:

Meantime, they are up at

#2 ::: Jimcat Kasprzak ::: (view all by) ::: January 15, 2005, 06:39 PM:

So it's not just me. I've been a bit worried... every ISP experiences occasional outages, but this is a lot worse than normal for Panix. Hope they get everything straightened out soon.

#3 ::: Dave Kuzminski ::: (view all by) ::: January 15, 2005, 07:06 PM:

It's my understanding that there's also a virus going around that attacks forums. There might be a connection between that and your email.

#4 ::: Teresa Nielsen Hayden ::: (view all by) ::: January 15, 2005, 07:13 PM:

Remember the time one New Year's when they stayed up and running, even though a major city water main had burst underneath the street in front of their building? It washed away so much soil that a huge sinkhole formed, and a good bit of that stretch of Fifth Avenue collapsed into it, and a major gas pipe that ran through that area was undercut and ruptured, so Panix had floods and ruination and an uncontrolled pillar of fire going on directly in front of their building. That mess went on for days. We were sure they'd have to shut down service for a while, but they stayed up the entire time. Perhaps more pertinently, we've also seen them weather some very nasty DOS attacks. I can only trust and hope that they'll deal with whatever is going on this time.

#5 ::: Will "scifantasy" Frank ::: (view all by) ::: January 15, 2005, 08:05 PM:

It appears to be a bad time for Internet services...Livejournal had its data center lose all its power, even the redundant backups, last night. As you can imagine it's been a long day for them.

#6 ::: xeger ::: (view all by) ::: January 15, 2005, 08:11 PM:

TNH wrote:

Remember the time one New Year's when they stayed up and running, even though a major city water main had burst underneath the street in front of their building?

It's very possible that the machines in that building weren't the ones that kept everything running. One of the things that I always forget is that distributed services aren't at all obviously thus.

#7 ::: Bob Webber ::: (view all by) ::: January 15, 2005, 08:40 PM:

Yup, looks like skullduggery at Verisign: whoda thunk it?

Domain Name..........
Creation Date........ 1991-04-22
Registration Date.... 2005-01-15
Expiry Date.......... 2006-04-23
Organisation Name.... vanessa Miranda
Organisation Address. 1010 Grand Cerritos Ave
Organisation Address.
Organisation Address. Las Vegas
Organisation Address. 89123
Organisation Address. NV
Organisation Address. UNITED STATES

Admin Name........... na vanessa Miranda
Admin Address........ 1010 Grand Cerritos Ave
Admin Address........
Admin Address........ Las Vegas
Admin Address........ 89123
Admin Address........ NV
Admin Address........ UNITED STATES
Admin Email..........
Admin Phone.......... +44.702413697
Admin Fax............ +44.7026413697

Tech Name............ Domain Admin
Tech Address......... Burnhill Business Centre
Tech Address.........
Tech Address......... Beckenham
Tech Address......... BR3 3LA
Tech Address......... Kent
Tech Address......... GREAT BRITAIN (UK)
Tech Email...........
Tech Phone........... +44.2082496081
Tech Fax............. +44.2082496076
Name Server..........
Name Server..........

#8 ::: xeger ::: (view all by) ::: January 15, 2005, 09:05 PM:

Bob Webber commented:

Yup, looks like skullduggery at Verisign: whoda thunk it?

Er... panix.[net|org] look about normal though ... Perhaps folks that are on panix might check and see if work as expected...

#9 ::: Larry Brennan ::: (view all by) ::: January 15, 2005, 09:32 PM:

Well, this is disappointing but unsurprising. Panix is one of the traditional white-hats in the ISP world. I hope they get everything sorted out. Unfortunately, in the interim, all of your mail may have gone into the proverbial bit-bucket in the sky.

#10 ::: Beth Meacham ::: (view all by) ::: January 15, 2005, 09:43 PM:

is working fine, and they've ported everything over to it, at least temporarily. But that doesn't do a damn bit of good for all the mail that's being addressed to Grump.

Anyone who needs to reach me while panix is down should use bmeacham at gmail dot com.

#11 ::: xeger ::: (view all by) ::: January 15, 2005, 10:00 PM:

Beth grouched: is working fine, and they've ported everything over to it, at least temporarily. But that doesn't do a damn bit of good for all the mail that's being addressed to Grump.

Well, no. OTOH, it's good to know that there's an alternative while things are fouled up, rather than being totally offline.

Interestingly enough, there's some strange things going on with mail delivery. In theory mail to should be directed to (hijacked to?):

54622   IN      MX      200
54622   IN      MX      150

doesn't appear to exist, but does:

telnet 25
Connected to
Escape character is '^]'.
220 ESMTP Postfix

... but that is a panix IP block...

Connected to
Escape character is '^]'.
220 ESMTP Exim 4.41 #1 Sat, 15 Jan 2005 21:50:53 -0500

, which shouldn't be in line to get mail is being sent off to a domain parking service with an IP block allocated from Bell Canada, but an address in Melbourne, Australia, and a nameservice pointing off to the same one that's listed for currently...

Kinda makes you wonder...

#12 ::: Dave Weingart ::: (view all by) ::: January 15, 2005, 10:33 PM:

The Panix thing seems to be a major screwup for a great many people.

Oh, and's Usenet server went down a couple three days ago, it's only just come back up.

Online life has been

#13 ::: Beth Meacham ::: (view all by) ::: January 16, 2005, 11:11 AM:

Most oddly, perhaps, I telnetted into this morning, and discovered that while I have no mail waiting in my inbox, there was a ton of new spam in the spam filter box. So things are not as clear-cut as one would like them to be.

I have faith that the clever people who run panix will sort it all out, and smite the miscreants.

#14 ::: Rose ::: (view all by) ::: January 16, 2005, 11:15 AM:

Sigh -- I've got pals who work at Panix who are probably having a Worst Weekend Ever kind of time.

#15 ::: Jacob Sommer ::: (view all by) ::: January 16, 2005, 11:50 AM:

My wife has a Panix account with domain forwarding. The stuff being sent to the domain seems to be downloading fine.

Whoever did this is going to get into major trouble when the dust settles...

#16 ::: Sarah ::: (view all by) ::: January 16, 2005, 11:55 AM:

has been officially hijacked, per a front page story on slashdot.

"Status as of Sat Jan 15 22:04:33 EST 2005

Panix's main domain name,, has been hijacked by parties unknown. The ownership of was moved to a company in Australia, the actual DNS records were moved to a company in the United Kingdom, and's mail has been redirected to yet another company in Canada. Panix staff are currently working around the clock to recover our domain, but this may take until Monday, due to the time differences and difficulties in reaching responsible parties over the weekend.

For most customers, accesses to Panix using the domain will not work or will end up at a false site."

From the sounds of the comments on slashdot, the "proper authorities" aren't very helpful.

#17 ::: Jonathan Vos Post ::: (view all by) ::: January 16, 2005, 12:12 PM:


The discussion that you refer to, and correctly summarized, is at:

New York's Oldest ISP Gets Domain-Jacked

Posted by michael on Sunday January 16, @03:03AM
from the no-respect-for-their-elders dept.
Howard Roark writes "Panix, the oldest commercial Internet provider in New York, had its domain name '' hijacked by persons unknown. The main effect on users is that mail sent to panix's customers is being routed to a bogus mail server run by the hijackers."

#18 ::: Beth Meacham ::: (view all by) ::: January 16, 2005, 06:22 PM:

has been restored to its proper owners by Melbourne IT, and the correct dns info should be happily propagating its way through the internet. At least, so they tell me. I started getting mail about an hour ago, though it is sporadic and I wouldn't rely on it getting through for another 24 hours. Fortunately, Monday is a Federal holiday, and there won't be much work email being generated.

#19 ::: Anticorium ::: (view all by) ::: January 16, 2005, 08:57 PM:

It occurs to me that you could write a pretty comprehensive history of malevolent behaviour on the net by just answering the question "What have jerks tried to do to Panix?"

#20 ::: Leva ::: (view all by) ::: January 16, 2005, 10:54 PM:

Out of curiosity, how does one DEFEND against domain hijacking?

I've got a domain that's suddenly and rather unexpectedly become desirable. It's not for sale. People keep trying to buy it. I keep saying no. I expect sooner or later someone will try nefarious means to obtain it for resale.

Anyone have any tips on defending a domain?


#21 ::: Charles Dodgson ::: (view all by) ::: January 16, 2005, 11:38 PM:

It was skulduggery, involving a cut-rate domain registrar in, I think, Australia. However, even after the DNS records were hijacked, some DNS servers still had the old (and correct) address information cached. (So, for instance, Beth's spammers, who had the DNS address cached, were able to get through -- but her legitimate correspondents were not).

#22 ::: clark e myers ::: (view all by) ::: January 17, 2005, 12:06 AM:

"tips on defending a domain?"
See the /. thread mentioned supra - it's full of would have, should have, could have to be sorted through.

The second step is to follow the process to lock transfers so they require positive approval - or should! The first step is to host with a bigger gorilla that doesn't go home on weekends - and stay current with your gorilla both in contact information and payment.

The system currently does a pretty good job of protecting naming rights from being hijacked without due process of law - this being important to the powers of this world.

Denial of service and misdirection has been given less protection. Perhaps as being harder to deal with by traditional rules or perhaps harder to explain to the powers of the world.

Notice the Panix redirection involved over the weekend hard to contact issues on a sort of 3 day weekend in the U.S. of A. - this is not the sort of obtaining for resale most people need worry about.

#23 ::: Richard Parker ::: (view all by) ::: January 17, 2005, 12:45 AM:


I assume the domain of yours that has suddenly attracted interest is FIREFOX.ORG? If so, I checked the status of the FIREFOX.ORG domain with the .ORG registry using 'whois'. It appears that you have already locked your domain - it currently has an EPP domain status of 'clientTransferProhibited' and your current registrar is Network Solutions.

This means that even if you were to go to another registrar and provide them with signed authorization to transfer the domain and assume registrar duties, the .ORG registry would refuse to consummate the transfer from the old registrar to the new registrar. In fact, all transfers should be refused until you explicitly unlock the domain at the original registrar. This is about as good of protection as you can get with the current domain system. Locking your domain does, however, reduce the agility of your domain - you might find yourself in an awkward position and with a non-functional domain if your current registrar unexpectedly goes out of business (since they might not be around to process your unlock request).

I should note that claims that they had a registrar lock on their domain at the time it was transferred away from their registrar to the Melbourne IT registrar. If this is true then many domains may well be vulnerable to a domain name hijack until the mechanism used for the compromise is identified and corrected.
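
[Added example, not part of the comment above or of the original thread: a whois snapshot check for the EPP transfer-lock status the comment describes. Because the comment also reports a claim that a lock was in place when the transfer happened, it compares two snapshots for registrar and name-server changes as well. The "Key: value" whois layout, the registrar names and the domains are constructed assumptions.]

```python
# Added example (not from the thread). Whois layout and all values are constructed.
TRANSFER_LOCKS = {"clienttransferprohibited", "servertransferprohibited"}

def parse_whois(text):
    """Pull registrar, name servers and EPP status codes out of 'Key: value' whois text."""
    rec = {"registrar": None, "nameservers": set(), "status": set()}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not sep or not value:
            continue
        if key in ("registrar", "sponsoring registrar"):
            rec["registrar"] = value
        elif key in ("name server", "nserver"):
            rec["nameservers"].add(value.lower().rstrip("."))
        elif key in ("domain status", "status"):
            # Some registries append a URL after the status code; keep the code only.
            rec["status"].add(value.split()[0].lower())
    return rec

def is_transfer_locked(rec):
    """True when a client- or server-side transfer prohibition is set."""
    return bool(rec["status"] & TRANSFER_LOCKS)

def compare_snapshots(old, new):
    """Return alerts for the changes seen in a registrar-level hijack."""
    alerts = []
    if old["registrar"] != new["registrar"]:
        alerts.append(f"registrar changed: {old['registrar']} -> {new['registrar']}")
    if old["nameservers"] != new["nameservers"]:
        alerts.append("name servers changed: " + ", ".join(sorted(new["nameservers"])))
    if not is_transfer_locked(new):
        state = "removed" if is_transfer_locked(old) else "absent"
        alerts.append(f"transfer lock {state}")
    return alerts

# Constructed snapshots: a known-good baseline and a later lookup.
BASELINE = """\
Domain Name: EXAMPLE.ORG
Sponsoring Registrar: Example Registrar One
Domain Status: clientTransferProhibited
Name Server: NS1.EXAMPLE.ORG
Name Server: NS2.EXAMPLE.ORG
"""
CURRENT = """\
Domain Name: EXAMPLE.ORG
Sponsoring Registrar: Example Registrar Two
Domain Status: ok
Name Server: NS1.PARKING.EXAMPLE
Name Server: NS2.PARKING.EXAMPLE
"""

if __name__ == "__main__":
    for alert in compare_snapshots(parse_whois(BASELINE), parse_whois(CURRENT)):
        print("ALERT:", alert)
```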

#24 ::: Steve Taylor ::: (view all by) ::: January 17, 2005, 12:51 AM:

> It was skulduggery, involving a cut-rate domain registrar in, I think, Australia.

Melbourne IT, my ex-employer. While I can well believe they could screw up, I don't know about "cut-rate" though - they're not a small shop, and they're not cheap.

I've been reading the slashdot thread trying to work out who screwed up where, and it's still not particularly clear. Should be an interesting one once it's finally sorted.

#25 ::: Beth Meacham ::: (view all by) ::: January 17, 2005, 10:42 AM:

And to be fair, once Panix got in touch with someone with technical understanding at Melbourne IT, they fixed the problem. The issue turned out to be time-zones and weekends, not skullduggery on the part of MIT.

It's clear to me that one issue is that somehow Panix's lock on their domain names, at Dotster, got unlocked.

#26 ::: xeger ::: (view all by) ::: January 17, 2005, 12:46 PM:

Leva asked about protecting domains:

The Young Cybersquatter's Handbook and Patently Obvious's link to an article about protecting your domain might be interesting places to start.

In general, I'd hope that your domain is in use, since it makes life much easier in all forms of domain discussion.

#27 ::: Kelley Shimmin ::: (view all by) ::: January 17, 2005, 02:35 PM:

Those Melbourne IT folks are kind of bothersome. A little over a year ago I got married to a guy with the last name Shimmin. I used to have a nice vanity email for my maiden name ( so I decided to try to get something for my new name, that wasn't totally lame like .biz (my apologies to those who like the .biz domain). I discovered that Melbourne IT owns most of ours, and are selling email forwards and site forwards for our last name's .name domain.

(I don't know a lot about this, so I may be talking about this wrong, but I think that I can make enough sense to at least tell the story intelligibly.)

Anyway, so I can't get except through them. Why they happen to own my married last name, and not my maiden name or any other name that I tried looking for is unknown to me. I just gave up and bought it, and then renewed it this year (although I am paying through the nose for just an email forward). I am considering not bothering for next year, but then I know I'll be kicking myself if I can't ever get a nice vanity email address in the future. Does anyone who reads this know anything helpful for me?

#28 ::: Paul ::: (view all by) ::: January 17, 2005, 08:58 PM:

Kelley - two friends of mine found a good anagram of their two Christian names, and got that (redfelineninja - the two names are left as an exercise for the reader). You could always consider that, if you can find a good anagram.

#29 ::: Tom Whitmore ::: (view all by) ::: January 18, 2005, 03:21 AM:

Jennifer Adeline?

#30 ::: oliviacw ::: (view all by) ::: January 18, 2005, 09:12 AM:

Paul - oh dear, if I were to do that with my name and my husband's, the best option sounds like a porn site (VainOralIdol). Not sure this is a good choice for a vanity domain name.

#31 ::: Andy Perrin ::: (view all by) ::: January 18, 2005, 10:14 AM:

The NYTimes has an article on the Panix hijacking:

#32 ::: Paul ::: (view all by) ::: January 18, 2005, 03:11 PM:

Tom: Jennifer and Daniel. Good try though. :)

Olivia: well, nobody would forget it...

#33 ::: James D. Macdonald ::: (view all by) ::: January 18, 2005, 03:33 PM:

T -- speaking of email, check yours.

#34 ::: Graydon ::: (view all by) ::: January 18, 2005, 06:38 PM:

Got email today from, subject line "Important", contents a very short zip file with the remnants of the self-extraction header and a payload of spaces. (I have a good ISP.)

But I bet I know what part of the motivation for the was.

#35 ::: Patrick Nielsen Hayden ::: (view all by) ::: January 19, 2005, 10:13 AM:

Graydon, please speak more plainly.

#36 ::: Graydon ::: (view all by) ::: January 19, 2005, 10:24 AM:

Sorry, Patrick -- too much technical writing.

I know that Teresa uses a Mac, and that you collectively practise decent network security, so it's not very likely that her home PC has been converted into a spambot.

I think it's even more unlikely Teresa would send me email consisting of the subject line 'Important' and no content but a self-extracting zip file.

So if I get spam from Teresa's Panix address with pretty much authentic headers, I am faced with either an astonishing co-incidence -- and I'm not getting any other spam putatively from Making Light posters, making an unconnected harvesting from the blog seem unlikely -- or the idea that part of the reason for the Panix grab was to harvest not just authentic addresses but also active conversations, people who are expecting to get email from this other person right here. (Which is not that plausible in the particular instance, but that's what getting that particular email brought to mind, shortly followed by 'the evil, evil people'.)

Man-in-the-middle is a traditional approach to getting around whitelist filters, after all, and the message did sail through spamassassin.

#37 ::: Kate Nepveu ::: (view all by) ::: January 19, 2005, 10:31 AM:

Graydon, what do you mean by "pretty much authentic headers"? I get spam and viruses all the time claiming to be from people here, people I've had conversations with -- what's distinguishing this one from all those others, and how would the hijack have helped with that?

#38 ::: Graydon ::: (view all by) ::: January 19, 2005, 11:30 AM:

Kate --

Many spam emails purport to be from some random real person; this is why one occasionally gets a grumpy gram from some mail server somewhere telling you that they couldn't deliver the message you didn't send.

Generally, the spammer has faked just the From line, and the remaining headers provide a spam filter with information -- the date is in the future, there's a message path that doesn't match the address or which matches a known spamhaus, and so on.

For example, if Teresa were to actually send me mail, the full headers would include a set of Received lines that indicated that it started at Teresa's machine, went to a machine at Panix, maybe another machine at Panix, perhaps another machine on the route to my ISP, a machine at my ISP, and then my machine. Spam doesn't get these right, and the good spam checkers have rules based on that -- if the address is, and none of the Received lines mention, something's not right.

What I recall from that message is that it had plausible headers for something that came from Panix, rather than the usual 'oh, this is spam' headers. Having all of the Panix mail traffic to use as a template would presumably help with getting the headers right.
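
[Added example, not part of the comment above or of the original thread: the two header rules the comment describes, a Received chain that never mentions the From domain and a Date in the future, run over two constructed messages. All host names, addresses and the reference time are assumptions.]

```python
# Added example (not from the thread). Hosts, addresses and messages are constructed.
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

HOP_RE = re.compile(r"\b(?:from|by)\s+([A-Za-z0-9.-]+)", re.I)

def received_hosts(msg):
    """Host names that appear after 'from' or 'by' in every Received header."""
    hosts = []
    for header in msg.get_all("Received", []):
        hosts.extend(h.lower().rstrip(".") for h in HOP_RE.findall(header))
    return hosts

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def header_findings(raw, now, skew=timedelta(minutes=10)):
    """Return the list of header anomalies found in one raw message."""
    msg = message_from_string(raw)
    findings = []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not domain:
        findings.append("no usable From address")
    elif not any(in_domain(h, domain) for h in received_hosts(msg)):
        findings.append(f"no Received hop mentions {domain}")
    try:
        sent = parsedate_to_datetime(msg["Date"])
    except (TypeError, ValueError):
        sent = None
    if sent is None:
        findings.append("missing or unparseable Date")
    else:
        if sent.tzinfo is None:  # a "-0000" zone parses as naive; treat it as UTC
            sent = sent.replace(tzinfo=timezone.utc)
        if sent > now + skew:
            findings.append("Date is in the future")
    return findings

NOW = datetime(2005, 1, 19, tzinfo=timezone.utc)  # constructed reference time

GENUINE = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
 by mx.recipient.example with ESMTP; Sat, 15 Jan 2005 21:50:58 -0500
From: Sender <sender@example.org>
Date: Sat, 15 Jan 2005 21:50:53 -0500
Subject: Lunch

See you at noon.
"""
SPOOFED = """\
Received: from dsl-203.example.net ([203.0.113.7])
 by mx.recipient.example with SMTP; Wed, 19 Jan 2005 09:02:11 -0500
From: Sender <sender@example.org>
Date: Fri, 01 Jan 2010 00:00:00 +0000
Subject: Important

"""

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(name, header_findings(raw, NOW))
```

Only the Received lines stamped by the recipient's own servers are trustworthy; everything below them is supplied by the sender, which is why a message with plausible headers, like the one described in the comment above, can pass rules of this kind.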

#39 ::: Kate Nepveu ::: (view all by) ::: January 19, 2005, 11:55 AM:

Oh. Hmm, well, I've never inquired very closely of my spam filter what criteria it uses [*], so spoofing wouldn't have occurred to me as a criterion.

[*] I get final say over what it junks and see it all before it does.

The panix FAQ currently says that it thinks the redirected mail went to an innocent third party, but I imagine they'll be keeping a close eye on that.

#40 ::: Clark E Myers ::: (view all by) ::: January 19, 2005, 03:28 PM:

View the headers: see what clever/cute/twee names some people give computers.

#41 ::: CHip ::: (view all by) ::: January 19, 2005, 05:13 PM:

Clark -- headers may be all that can give that info now, but I remember when there were surveys that gave overall info. (Late 1980's, when -"you at this 4-byte #: what are you calling yourself?"- was a legitimate and safe query.) For some time, the most popular name on the net was "hobbes".

#43 ::: Clifton Royston sees comment spam ::: (view all by) ::: May 08, 2007, 02:35 AM:

Not even sure what it is spamming for, but...


Dire legal notice
Making Light copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017 by Patrick & Teresa Nielsen Hayden. All rights reserved.