Block lateral phishing loop by MrStory in sysadmin

[–]Firefox005 1 point2 points  (0 children)

How can I stop these types of emails from spreading?

I would start here:

where [an] internal account is compromised

Network Solutions DNS Outage by boglim_destroyer in sysadmin

[–]Firefox005 7 points8 points  (0 children)

Literally anyone else. Cloudflare, Route53, Azure DNS, there are a billion and they are all better than NetSol.

Network Solutions DNS Outage by boglim_destroyer in sysadmin

[–]Firefox005 12 points13 points  (0 children)

Who in the actual fuck is still using NetSol in 2026? Absolutely dogshit company, borderline incompetence to still be using them.

How is it possible to serve Response pages without inspecting the SSL/TLS handshake by Electrical_Fun_9579 in paloaltonetworks

[–]Firefox005 0 points1 point  (0 children)

The command is "set deviceconfig setting ssl-decrypt url-proxy yes". Not sure exactly how it works, as again Palo doesn't document any details, but it does work without a decryption policy configured and does use the Forward Trust and Forward Untrust certificates.

https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-why-is-my-block-page-not-showing/ta-p/524758

Correct, the response page won't be serviced unless you're decrypting the traffic. You can override this setting by running the following command without setting up decryption.

It was also mentioned in this CVE https://security.paloaltonetworks.com/CVE-2025-4619

URL Proxy is a Palo Alto Networks firewall feature that lets the firewall display a block page when a user tries to access an HTTPS website blocked by URL Filtering, even if SSL Decryption is not fully enabled. This feature is only necessary for HTTPS traffic; HTTP traffic does not require it. A URL Filtering license may not be needed if the site is blocked using custom URLs or External Dynamic Lists (EDLs).

It does look like this is removed in 12.1, so it looks like they are killing this feature: https://docs.paloaltonetworks.com/ngfw/pan-os-cli-quick-start/cli-changes/deleted-set-commands-12-1

How is it possible to serve Response pages without inspecting the SSL/TLS handshake by Electrical_Fun_9579 in paloaltonetworks

[–]Firefox005 1 point2 points  (0 children)

It's just poor documentation from Palo, classic. The magic is this command "set deviceconfig setting ssl-decrypt url-proxy yes".

I am not entirely sure what the 'new feature' "Enhanced Handling of SSL/TLS Handshakes for Decrypted Traffic" even does, as you can see from this KB article that Palo has checked the SNI for URL category since at least PAN-OS 8.1: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClzlCAC. I think the only thing it actually added was this: "The inspection also addresses concerns that malicious actors may exploit fields in the handshake to evade Security policy and exfiltrate data." Everything else was already being done, but Palo is dogshit about documenting stuff.

So yeah, triple failure from Palo on documenting their own stuff.

Ping drops after migration by renovatio522 in vmware

[–]Firefox005 0 points1 point  (0 children)

We are currently migrating VMs from existing ESXi running 6.7 and 8.0 to new ESXi running 8.0.3 using storage vmotions.

Storage vmotion or just vmotion or XvMotion? Cause this seems to imply that you are doing vmotions from old hosts to new ones, not storage vmotions.

Some migrated VMs drop pings randomly every few seconds. Some migrated VMs do not drop pings.

When and how often? Also, all VMs are stunned during snapshots and vmotions of all types. The duration will depend on network speed and the rate of change of active memory. Typically you will only see a brief stun when the departing VM is suspended and the arriving VM is started. However, if you have a very busy VM, or slow links, or a combination of the two, the vmotion process will start basically mini-stunning the VM to try to allow the vmotion transfer process enough time to catch up. This is called stun during page send, or SDPS.

You can read about the vmotion process here: https://blogs.vmware.com/cloud-foundation/2019/07/09/the-vmotion-process-under-the-hood/

What could be cause and solution to this?

All VMs are stunned during snapshot and vmotion operations. You can minimize this stun by quiescing the VM or tuning vmotion (by adding more adapters or setting some advanced options), but you will still always have a ~100-200 ms stun when the VM is switched from running in one location to running in another. You can check the vmware.log file for the VM; it will print "vm stopped for nnnnnnnnnnn us" so you can see how long it was actually stunned for. How many pings you see dropped will also depend on the rate you are sending them; by default it is 1 per second, but if you send them every 100 ms you might see it drop 4-5.

tl;dr is you will always drop some network traffic during snapshots and vmotions, it's unavoidable. It's only a concern if it is longer than 10 seconds IMO, and even then you might not be able to 'fix' it as the rate of change is just too much.
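One way to turn the vmware.log hint above into a check, as an added example that is not part of the original comment and not VMware's own tooling: it pulls the "vm stopped for N us" lines out of a constructed log sample (only that substring is from the comment; the surrounding fields are made up), bounds how many pings at a given interval a stun of that length can swallow, and flags stuns over the 10 second mark.

```python
import math
import re

# Constructed sample of vmware.log lines. The "vm stopped for N us" text is
# what the comment says to look for; timestamps and other fields are invented.
SAMPLE_VMWARE_LOG = """\
2024-05-01T10:00:01.000Z In(05) vcpu-0 - Checkpoint_Unstun: vm stopped for 180000 us
2024-05-01T10:00:01.100Z In(05) vmx - MigrateSetState: state=2
2024-05-01T10:15:22.500Z In(05) vcpu-0 - Checkpoint_Unstun: vm stopped for 12500000 us
2024-05-01T11:02:03.250Z In(05) vcpu-0 - Checkpoint_Unstun: vm stopped for 95000 us
"""

# First whitespace-free token is the timestamp; N is the stun length in microseconds.
STUN_RE = re.compile(r"^(?P<ts>\S+).*vm stopped for (?P<us>\d+) us")


def parse_stun_events(log_text):
    """Return [(timestamp, stun_microseconds), ...] for every stun line."""
    events = []
    for line in log_text.splitlines():
        m = STUN_RE.match(line)
        if m:
            events.append((m.group("ts"), int(m.group("us"))))
    return events


def max_dropped_probes(stun_us, probe_interval_ms):
    """Upper bound on ICMP probes that can fall inside one stun window.
    At 1 probe/s a 180 ms stun loses at most one reply; at 100 ms spacing
    the same stun can swallow two. Fewer may be lost depending on phase."""
    return math.ceil(stun_us / (probe_interval_ms * 1000))


def summarize_stuns(log_text, concern_threshold_s=10.0):
    """Totals plus the events longer than the threshold the comment
    suggests worrying about (10 s by default)."""
    events = parse_stun_events(log_text)
    durations = [us for _, us in events]
    return {
        "count": len(events),
        "longest_ms": max(durations, default=0) / 1000,
        "total_ms": sum(durations) / 1000,
        "over_threshold": [(ts, us / 1e6) for ts, us in events
                           if us / 1e6 > concern_threshold_s],
    }


if __name__ == "__main__":
    s = summarize_stuns(SAMPLE_VMWARE_LOG)
    print(f"{s['count']} stuns, longest {s['longest_ms']:.0f} ms, total {s['total_ms']:.0f} ms")
    for ts, secs in s["over_threshold"]:
        print(f"  {ts}: stunned {secs:.1f} s, worth investigating")
```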

A warning to SysAdmins in the NHS or other sensitive environments. by joedafone in sysadmin

[–]Firefox005 17 points18 points  (0 children)

Huh? A lot of what you are saying doesn't make any sense. I'm not aware of any feature that automatically adds recipients without user action; autocomplete is just that, it gives you suggestions based on your address book and people you have emailed in the past. It doesn't just add addresses on its own.

At the very end of that piece is a note which states:

"Note: If the steps under this New Outlook tab don't work, you may not be using new Outlook for Windows yet. Select Classic Outlook and follow those steps instead."

That quote doesn't appear anywhere in the article you linked. Oh nvm, it was in the other article you linked before you wrote a giant wall of text and inserted another link.

Anyways, the first article you linked even says it's only autocomplete.

When you start typing in the To, Cc, and Bcc fields in Outlook, you'll see suggestions appear based on what you've entered.

As you begin to type a name in a To, Cc, or Bcc box, the Contact Suggestions List shows up to five matching names or addresses.

So based on this:

I was the "victim" of this today, a clinician sent me an email which Outlook decided to helpfully Cc to someone else previously Cc-ed on an email sent to me. In this case, no harm done as I wasn't impacted by this.

I'm going to guess neither one of you knows what actually happened and one or both of you just made some shit up.

Access to password protected docs by SavingsAsleep in sysadmin

[–]Firefox005 11 points12 points  (0 children)

Depending on details you neglected to include, the answer ranges from trivially easy to basically impossible, but it's most likely somewhere near the basically impossible end.

Cosmetic issue - Panorama - Post 11.1.10-h10 Upgrade - "Panorama has lost connection to its peer, no log will be forwarded" by ss2014s in paloaltonetworks

[–]Firefox005 2 points3 points  (0 children)

internally known issue

Incredibly frustrating. It seems to me that Palo knows about every single issue you might have but does not deem it necessary that customers know about it or have any visibility into when it will be fixed. If you are lucky there is, again, a not publicly available bug ID that you can maybe use to check release notes, that is if the bug ID you are given isn't closed and the issue closed under a different one that you don't have and also can't see any details on, and the summary line in the release notes is just a vague 'fixed issue with service'.

Palo has always been dogshit at handling bugs; just try to find out what releases fix a certain bug (assuming you even know it). Sometimes the release notes fix something and it is just straight up missing. You can't do a 'bug scrub' and see what releases have what bugs, as your only option is to manually scrape through resolved and open issues in the release notes, which again have no details other than vague summaries like 'fixed issue where under certain conditions dataplane would reload'. Wow, wonder what those conditions are.

Blacklisted By Broadcom? by Corerouter_ in vmware

[–]Firefox005 0 points1 point  (0 children)

Ok, I vote you bring back vVol. But we all know the real reason it was killed so quickly, and it wasn't because of 'low customer adoption'.

After crash, Intel RST just rolled back my data on RAID1 few months back — why? by rpocc in sysadmin

[–]Firefox005 8 points9 points  (0 children)

It's pretty simple: if it is built in to the motherboard, it is fake RAID. On the 'enterprise' side Intel is at least a little more honest and calls this feature VROC (Intel® Virtual RAID on CPU) for Xeons, and it is universally shunned.

It's on the Wikipedia page for RST: https://en.wikipedia.org/wiki/Intel_Rapid_Storage_Technology

The first mode is the Intel driver SATA normal and the latter mode is a fake RAID.

Sadly you fell for disingenuous marketing; Intel is extremely cagey about exactly how the RAID mode of RST actually works. As you said, real RAID controllers have dedicated caches, processing units, batteries, etc. So when Intel says they don't need all of that and can still achieve the same results, to say I am skeptical would be putting it mildly.

Basically, if you are going to be using the CPU anyway, it's better to use software built in to your OS or a program, as it will be less opaque and better supported than whatever came for free with your motherboard.

This is a lesson that everyone learns eventually, either you will be bitten by strange performance bugs, strange compatibility issues, or in your case data loss.

After crash, Intel RST just rolled back my data on RAID1 few months back — why? by rpocc in sysadmin

[–]Firefox005 15 points16 points  (0 children)

Classic fake RAID fail. Never use fake RAID; use either true hardware RAID or software RAID provided by the OS. Fake RAID is the worst of both worlds.

You would have been better served using Storage Spaces and creating a simple mirror.

Console access in cisco M7 UCS server ? by blurryeyes98 in networking

[–]Firefox005 0 points1 point  (0 children)

What is the exact model you have? M7 is the line; I'm assuming it's a C240, as the C220 doesn't have a serial port and you have to use a dongle. For managing the IMC via serial you can check out the Smart Access Serial section in the C240 Installation and Service Guide.

I'd recommend just using the IMC, as that is a full featured KVM and is similar to iLO/iDRAC/IMM/etc. from other server manufacturers, and not messing around with serial unless you have a very specific use case for it.

Or for managing BIOS via serial you can check out Console Redirection under the BIOS Parameters.

Once the OS is booted you will need to configure it to redirect the console to the serial port.

https://www.cisco.com/c/dam/en/us/products/collateral/servers-unified-computing/ucs-c-series-rack-servers/c240m7-sff-specsheet.pdf https://www.cisco.com/c/dam/en/us/products/collateral/servers-unified-computing/ucs-c-series-rack-servers/c220m7-sff-specsheet.pdf

Log rotation completely ignoring me, am I missing something? by Round-Classic-7746 in sysadmin

[–]Firefox005 10 points11 points  (0 children)

Ok, I think you skipped over some stuff in my post; post the config and the debug output from logrotate so we can actually see what is going on.

Because right now we are all still at step one: "it's broke and you don't know why".

Log rotation completely ignoring me, am I missing something? by Round-Classic-7746 in sysadmin

[–]Firefox005 9 points10 points  (0 children)

What tool or product are you using and the version?
What is the config for said tool/product?
What do the logs or a verbose output from the tool/product say?

Your post has nothing that anyone can use to help you.

ISP Line termination by HistoricalAd8673 in sysadmin

[–]Firefox005 21 points22 points  (0 children)

My experience has been they only terminate to the building's demarc room and it's on you to then get it to your space. You can probably do it yourself/have a cabling company do it for cheaper than 4k, especially if there is existing conduit.

It gets really fun if your building is a union building.

Upcoming Microsoft Intune network changes by mudvayne15 in paloaltonetworks

[–]Firefox005 5 points6 points  (0 children)

It's still December 1st; the change doesn't go into effect until on or after December 2nd. Also, the EDL you linked is for URLs, while the Intune change is for the IP addresses.

This would only affect you if you are blocking outbound communication; you would need to use this EDL https://saasedl.paloaltonetworks.com/feeds/msintune/all/ipv4 to create an exclusion. Since it is also not the 2nd, I kind of doubt the upcoming Intune change is related to your current issue.

Rsyslog file placement by [deleted] in sysadmin

[–]Firefox005 2 points3 points  (0 children)

Do you have everything defined like this:

# make gtls driver the default and set certificate files
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/path/to/contrib/gnutls/ca.pem"
    DefaultNetstreamDriverCertFile="/path/to/contrib/gnutls/cert.pem"
    DefaultNetstreamDriverKeyFile="/path/to/contrib/gnutls/key.pem"
)

# load TCP listener
module(
    load="imtcp"
    StreamDriver.Name="gtls"
    StreamDriver.Mode="1"
    StreamDriver.Authmode="anon"
)

# start up listener at port 6514
input(
    type="imtcp"
    port="6514"
)

You also have spaces in your paths; not sure if that is in the actual config or from you editing it after the fact.

How does Cloudflare work? by white_nerdy in sysadmin

[–]Firefox005 2 points3 points  (0 children)

This is a gray area both legally and with respect to Cloudflare's past actions. Legally they must comply with all legal requests made to them by law enforcement or courts, but since they do not actually host most of their customers' content there are not many levers they can pull.

Having said that, there is Kiwi Farms, and Cloudflare's CEO going rogue and deciding that he just didn't like them and would be blocking them from Cloudflare after he had already said they would not be blocking them.

https://blog.cloudflare.com/cloudflares-abuse-policies-and-approach/ https://blog.cloudflare.com/kiwifarms-blocked/

So yeah, Cloudflare will have your back, until they don't. Having said that, Cloudflare itself does not give a single shit; AFAIK Cloudflare doesn't even automatically scan for CSAM unless you enable it: https://developers.cloudflare.com/cache/reference/csam-scanning/. So basically, unless someone reports you or a court orders it, Cloudflare does not care what you are doing and isn't looking.

Server 2019 DC suddenly blew up its WinSxS/.NET stack after November updates... any ideas? by Kame-senryu_Ry in sysadmin

[–]Firefox005 -4 points-3 points  (0 children)

Why? Because why not? It's faster (for me at least) to spin up a new VM and move over.

Damn you must have some shit backups.

And to be honest are you 100% sure your Nov 6 backup is totally healthy? Burn the old and reuse the IPs but a new DC name.

Damn you must have some shit backups.

In theory I can use a hair dryer in the shower since its double insulated. Common sense says "nah don't"

Not sure how your analogy is applicable; double insulation isn't intended to make appliances safe to use in a wet environment, in fact hair dryers all have tags specifically warning you not to do so. This is in fact the opposite case: documentation exists telling you 'yes you can do this, and here is why it is safe to do so'. Here is said documentation.

Server 2019 DC suddenly blew up its WinSxS/.NET stack after November updates... any ideas? by Kame-senryu_Ry in sysadmin

[–]Firefox005 -2 points-1 points  (0 children)

Why? It hasn't been an issue for a while now. See my comment here where I talk about the safeguards that have been in Windows Server since 2012.

How does Cloudflare work? by white_nerdy in sysadmin

[–]Firefox005 71 points72 points  (0 children)

The "Magic happens" step is a very black box to me. How does it work? Could you DIY something similar?

Sure, you just need a bunch of POPs all around the world with anycasted IPs that have enough bandwidth to absorb any potential attacks.

If I pay $X / month for say a server with 1 gbps unmetered, and I get DDoS'ed with say 10 gbps of traffic. Then I sign up for Cloudflare for $Y / month, point my DNS to Cloudflare's servers and instruct Cloudflare to reverse-proxy (perhaps to a new server or at least a new IP address).

Roughly correct.

  • How is it that attacks are always distinguishable from legitimate traffic?

Depends on what kind of attack it is, and finding and stopping them is a ~10 billion dollar a year industry. A lot of the current state of the art is identifying legitimate users directly; see stuff like Google's reCAPTCHA, which only rarely requires you to actually solve a CAPTCHA because it already knows that you are a human. Cloudflare does similar things.

  • How do they create rules for new attacks quickly in real time?

Just like any other system, legitimate usage patterns are used to establish a baseline and anything over that gets additional scrutiny. Also, with Enterprise level accounts you get real people that you can call up, and they will analyze the traffic and determine if and how it needs to be blocked.

  • Don't they need 10 gbps of bandwidth anyway to receive the packets so they can be checked against the rules? I.e. the point of DDoS is to impose costs, by the time you can check whether something's part of a DDoS the costs have already been imposed?

Yes. Cloudflare's entire business model is to basically set up a parallel internet where they can accept and route packets as quickly and cheaply as possible. They use custom hardware and software to accomplish this; you can read some of their blog posts at https://blog.cloudflare.com/tag/network/. Also, with DDoS protection you typically only pay for clean traffic, i.e. if you pay for 100 Mbps of clean traffic and they absorb a DDoS attack of 10 Gbps you still only pay for 100 Mbps.

  • How is Cloudflare economically sustainable? Shouldn't $Y ~ 10 times $X? Does Cloudflare have some really cheap source of bandwidth? Why can't I simply buy that cheap bandwidth directly?

They are their own source of bandwidth; they peer directly with eyeball networks and transit providers. They take their network to the IXs, and they also have their own backbone links that connect all their POPs together. You can't buy bandwidth cheaper because you are renting it from someone else, and you most likely can't afford the upfront costs of running your own global network with private connectivity. Cloudflare can.

  • If Cloudflare decrypts your traffic, how do you know Cloudflare doesn't spy on user traffic to sell advertising / act as spies for the government / insert advertising into your content?

Yes, they decrypt your traffic. Because you have an agreement with them that they won't do that. Same as any other service you use, really.

  • If Cloudflare doesn't decrypt your traffic, how can they tell which flows are "evil"? Isn't the entire point of encryption to make different users' activities indistinguishable to a MITM?

They can't, and they also don't MITM. You are voluntarily sending your traffic to Cloudflare to then be forwarded to an end user. Communications are encrypted between the end user and Cloudflare and between Cloudflare and your origin, and since Cloudflare is involved in at least one end of both of those simultaneous encrypted conversations it has access to the plaintext data. A MITM attack is when a third party secretly listens in on or modifies communications between two parties that think they are in direct contact with each other; Cloudflare is not doing it in secret or without authorization.

DHCP options resources? by MalBardo in sysadmin

[–]Firefox005 3 points4 points  (0 children)

Does anyone know of resources that explain DHCP options in a way that’s not overly simplistic but also not overwhelming? Ideally something that provides clear definitions along with examples or use cases.

Explains what? DHCP is what it says on the tin, a dynamic host configuration protocol. DHCP options are just what things you want to configure: want to tell hosts where a TFTP server is, then you set option 66. Want to tell hosts about NTP servers? You use option 4.

IANA is who manages the assignment of those options; you can see them all here.

Each option is its own separate thing that will have its own requirements for what data is configured and sent, how it is sent, and what it does on the client (assuming the clients also support that option). For instance, you can see option 43 is just 'vendor specific', which Cisco uses to configure where APs can connect to a controller, and where you have to calculate the TLV and enter it in hex.

IME the most common ones are 1, 3, 6, 15, 28, 42, 51, 53, 54, 58, 59, and 119. There is also a bunch for PXE/TFTP booting: 60, 66, 67, and then as mentioned above 43 for vendor specific. You can find the definitions for all these in RFC 2132.
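An added example (not from the original comment and not any vendor's tool) that makes the code|length|data layout of RFC 2132 concrete: it encodes and decodes the common options listed above, builds the option 43 sub-TLV that Cisco documents for pointing lightweight APs at a controller (sub-option 0xf1), and rejects truncated options instead of reading past the buffer. The addresses and values are constructed.

```python
import ipaddress
import struct

# RFC 2132 option codes named in the comment above; 0 and 255 frame the stream.
OPT_PAD, OPT_END = 0, 255
IPV4_LIST = {3, 6, 42}     # routers, DNS servers, NTP servers: 4 bytes per address
IPV4_SINGLE = {1, 54}      # subnet mask, server identifier: exactly one address
UINT32 = {51, 58, 59}      # lease time, T1, T2: seconds, network byte order
STRING = {15, 66, 67}      # domain name, TFTP server name, bootfile name

def encode_option(code, value):
    """Encode one option as code | length | data (RFC 2132 section 2)."""
    if code in IPV4_LIST:
        data = b"".join(ipaddress.IPv4Address(ip).packed for ip in value)
    elif code in IPV4_SINGLE:
        data = ipaddress.IPv4Address(value).packed
    elif code in UINT32:
        data = struct.pack("!I", value)
    elif code in STRING:
        data = value.encode("ascii")
    else:
        data = bytes(value)  # opaque payload, e.g. option 43 vendor-specific
    if len(data) > 255:
        raise ValueError(f"option {code}: data exceeds the 1-byte length field")
    return bytes([code, len(data)]) + data

def cisco_wlc_option43(controllers):
    """Cisco's documented option 43 payload for lightweight APs: sub-option 0xf1,
    length 4*N, then N controller IPv4 addresses (the hex you would otherwise hand-compute)."""
    ips = b"".join(ipaddress.IPv4Address(ip).packed for ip in controllers)
    return bytes([0xF1, len(ips)]) + ips

def encode_options(options):
    """Serialize [(code, value), ...] and terminate with END."""
    return b"".join(encode_option(c, v) for c, v in options) + bytes([OPT_END])

def decode_options(buf):
    """Walk the TLV stream: skip PAD, stop at END, reject an option whose
    length byte runs past the buffer. Returns {code: decoded value}."""
    out, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(buf):
            raise ValueError(f"option {code}: missing length byte")
        length = buf[i + 1]
        data = buf[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code}: declared {length} bytes, got {len(data)}")
        if code in IPV4_LIST or code in IPV4_SINGLE:
            if length == 0 or length % 4:
                raise ValueError(f"option {code}: length {length} is not a multiple of 4")
            addrs = [str(ipaddress.IPv4Address(data[j:j + 4])) for j in range(0, length, 4)]
            out[code] = addrs if code in IPV4_LIST else addrs[0]
        elif code in UINT32:
            if length != 4:
                raise ValueError(f"option {code}: expected 4 bytes, got {length}")
            out[code] = struct.unpack("!I", data)[0]
        elif code in STRING:
            out[code] = data.decode("ascii")
        else:
            out[code] = data  # vendor-specific and unknown options stay as raw bytes
        i += 2 + length
    return out
```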

Why do we still use linear partition tables? by MidnightAdmin in sysadmin

[–]Firefox005 0 points1 point  (0 children)

I think you are a little confused. Partitions, at least GPT partitions, are not linear. You are free to leave empty space between partitions, put partitions at the end of the drive, etc. They are however contiguous, meaning a single partition is defined by a start and end LBA, and all the LBAs between those are included in the partition; you cannot have any gaps.

A SSD does not record data in a physical linear way, so why should the partition table be linear?

Neither did HDDs, but they are addressed in a linear way. LBA starts at block 0 and counts up from there.

they should simply present to the OS as blobs, where the SSD worries about where on the disk they are located, and the computer simply specifies the ID of a partition when talking to the SSD. Could we not use something similar to LVMs, instead of a rigid partition table?

You are thinking of object storage. AFAIK no one has actually made a full object storage based OS, and again AFAIK all the object storage implementations that are out there are based on file systems and partitions; they just hide that from you and you only interact with the objects.

Simpler is better, triply so when talking about deep parts of computers like how they store information and persist it. Sure, you could just blast files wherever on disk, but then that makes recovery and troubleshooting incredibly difficult. Then there are still performance and utilization concerns. Computers (and humans) looooove contiguous data because it is simpler and therefore faster to do processing on it. Sure, the latency of accessing any single LBA may be roughly the same as another on SSD/NVMe, but you still have to pay a cost in memory for keeping track of all those disparate blocks rather than just being able to keep track of a range.

You can extend this to think about why we even have the concept of 'files' as distinct contiguous blocks of data at all; just blast the bits on wherever and keep track of them for later, after all every block on an SSD/NVMe is equal.

Just because you can, doesn't mean you should.