Re: Fun new policy at AOL
In the immortal words of Matthew Crocker ([EMAIL PROTECTED]): Shouldn't customers that purchase IP services from an ISP use the ISPs mail server as a smart host for outbound mail? Given the way that most ISP shared resource machines (including but hardly limited to DNS caching/recursive resolves, NNTP servers, web caches, and SMTP smarthosts) are administered, the answer to that question is Only if they don't actually care if that mail is ever delivered. -n [EMAIL PROTECTED] For years, I've been predicting that artists, writers, and filmmakers would be paid by the government not to produce work, just like farmers are paid not to grow food. Or that they'd be paid to make their work, but would then be forced to store it in a silo unshown or unread. But now I see I was a little off in my prediction. The Internet is that silo. (--Slotcar Hatebreath) http://blank.org/memory/
Re: Fun new policy at AOL
On Thu, 28 Aug 2003 13:13:31 -0500, John Palmer wrote: I connect with my laptop from 3 or 4 locations to drop off mail to my servers. I cannot use their mail servers from other locations other than when I am connected to them. I have about 2 dozen e-mail accounts defined in outlook express and would have to change the outbound mail server setting for EACH one every time I move off the RCN connection to one of the other locations from which I work and then back again when I get back to RCN. Do you mean you SEND from each of the two dozen accounts at the new location each time? (I experience the same inconvenience when travelling with my notebook computer i.e. I need to amend the outgoing SMTP server in my mail client on the fly. But it takes only a moment [admittedly I use only two accounts] but it seems like a reasonable rule.) Jeffrey Race
Re: Fun new policy at AOL
On Fri, 29 Aug 2003, Dr. Jeffrey Race wrote: On Thu, 28 Aug 2003 12:07:30 -0400, Matthew Crocker wrote: It can be built without choke points. ISPs could form trust relationships with each other and bypass the central mail relay. AOL for example could require ISPs to meet certain criteria before they are allowed direct connections. ISPs would need to contact AOL, provide valid contact info and accept some sort of AUP (I shall not spam AOL...) and then be allowed to connect from their IPs. AOL could kick that mail server off later if they determine they are spamming. Now there is an idea! However an improved variant is to make the entire internet a 'trust relationship' using the (obvious) steps you propose. For several months I have been pondering possible details of implementing same; see http://www.camblab.com/misc/univ_std.txt. Comments welcome. Surely it already is? That is I only announce routes of my customers who I trust, my upstreams and peers trust me and what I announce to them, their upstreams/peers do and so on. And yet we still have hijacked netblocks and ddos's with uncaring sysadmins. Why should email be any different? And if you do implement such a system, the spammers will just adapt.. the recent viruses (sobig) are an example of how spammers can open up end user machines to facilitate sending of email, providing they can control such a host they can simply relay thro the providers' smtps.. they don't need open relays to send out their junk! I think we're still trying to treat the symptom tho not the cause. Most of these spammers are companies based within our countries, if we can make their kind of advertising illegal the spam will reduce (not sure if it will disappear, it could be like tax - companies may open offshore offices to facilitate this, but we need to keep working on the cause... ) Steve
Re: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?)
Temkin, David wrote: We've noticed that one of our upstreams (Global Crossing) has introduced ICMP rate limiting 4/5 days ago. This means that any traceroutes/pings through them look awful (up to 60% apparent packet loss). After contacting their NOC, they said that the directive to install the ICMP rate limiting was from the Homeland Security folks and that they would not remove them or change the rate at which they limit in the foreseeable future. rant Are people idiots or do they just not possess equipment capable of trashing 92 byte icmp traffic and letting the small amount of normal traffic through unhindered? They are raising freakin' complaints from users who think the Microsoft ICMP tracert command is just the end all, be all and is of course completely WRONG with rate-limiting in effect. /rant -Jack
Atm-t1 8t1-ima
Hi all. Can anyone tell me if the 8 port IMA network module is supported in the 3640s? I used the Compatibility tool, and it said I'd be good with 12.2.11 YT but I'm having no success. Any advice is appreciated. *Mar 1 00:00:05.211: %PA-2-UNDEFPA: Undefined Port Adaptor type BD in bay 2 Cisco Internetwork Operating System Software IOS (tm) 3600 Software (C3640-I-M), Version 12.2(11)YT2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1) TAC Support: http://www.cisco.com/tac Copyright (c) 1986-2003 by cisco Systems, Inc. Compiled Thu 27-Feb-03 16:41 by cmong Ejay Hire ... ln -s /dev/null /dev/clue
Re: Atm-t1 8t1-ima
Even tho this isn't Cisco TAC, provided you have a valid CCO account, go to: http://www.cisco.com/cgi-bin/front.x/Support/HWSWmatrix/hwswmatrix.cgi charles On Thu, Aug 28, 2003 at 07:32:19PM -0500, Ejay Hire wrote: Hi all. Can anyone tell me if the 8 port IMA network module is supported in the 3640s? I used the Compatibility tool, and it said I'd be good with 12.2.11 YT but I'm having no success. Any advice is appreciated. *Mar 1 00:00:05.211: %PA-2-UNDEFPA: Undefined Port Adaptor type BD in bay 2 Cisco Internetwork Operating System Software IOS (tm) 3600 Software (C3640-I-M), Version 12.2(11)YT2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1) TAC Support: http://www.cisco.com/tac Copyright (c) 1986-2003 by cisco Systems, Inc. Compiled Thu 27-Feb-03 16:41 by cmong Ejay Hire ... ln -s /dev/null /dev/clue
Re: Atm-t1 8t1-ima
Ejay Hire wrote: Hi all. Can anyone tell me if the 8 port IMA network module is supported in the 3640s? I used the Compatibility tool, and it said I'd be good with 12.2.11 YT but I'm having no success. Any advice is appreciated. *Mar 1 00:00:05.211: %PA-2-UNDEFPA: Undefined Port Adaptor type BD in bay 2 Cisco Internetwork Operating System Software IOS (tm) 3600 Software (C3640-I-M), Version 12.2(11)YT2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1) TAC Support: http://www.cisco.com/tac Copyright (c) 1986-2003 by cisco Systems, Inc. Compiled Thu 27-Feb-03 16:41 by cmong Ejay Hire ... ln -s /dev/null /dev/clue Could be that the boot image is complaining and not the run image. Can't tell from your email snippet. Check what version of boot image is the min req't for the module. = bep
Re: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?)
Once upon a time, Jack Bates [EMAIL PROTECTED] said: Are people idiots or do they just not possess equipment capable of trashing 92 byte icmp traffic and letting the small amount of normal traffic through unhindered? Well, when we used the policy routing example from the Cisco advisory to drop just 92 byte ICMP traffic, we had other random types of traffic dropped as well (possibly an IOS bug, but who knows). -- Chris Adams [EMAIL PROTECTED] Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
Re: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?)
Once upon a time, Jack Bates [EMAIL PROTECTED] said: Are people idiots or do they just not possess equipment capable of trashing 92 byte icmp traffic and letting the small amount of normal traffic through unhindered? Well, when we used the policy routing example from the Cisco advisory to drop just 92 byte ICMP traffic, we had other random types of traffic dropped as well (possibly an IOS bug, but who knows). It is cisco. There are no bugs. They are unknown features. When Cisco does figure out what those packets are, they will document it. Alex
Hey, QWEST clean up your network
Seems like QWEST doesn't have any edge ACL's in place to deal with this lovely worm issue.

Count  Source Prefix, rounded up to a /16
  144  208.46.0.0
  199  65.114.0.0
  347  208.45.0.0
  462  65.118.0.0
  486  65.119.0.0
  702  208.44.0.0
 2340  TOTAL Packets out of 2500 for 2 seconds

This is ICMP and TCP MS bad traffic for a 2500 packet capture on a DS1 that is directly connected to Qwest. Ergo, Qwest is the transit provider. Capture period was about 2 seconds. ICK

According to Qwest Tech/Noc people they can't leave filters up for more than 1 day. Given that this worm has lasted more than 1 day, I'd think it's reasonable to leave filters up for say more than one day

The other thing I learned from QWEST IP-NOC was that it seems management decided *NOT TO* filter packets related to this worm issue at the edge..

john brown AS 10480 and others
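A per-/16 tally like the one in the post above can be produced from a capture summary with a short script. This is an added example, not part of the original message; the one-packet-per-line input format, the sample addresses, and the use of TCP/135 to stand for the "TCP MS bad traffic" are assumptions (the 92-byte ICMP size is the one named elsewhere in this thread).

```python
import ipaddress
from collections import Counter

# Assumption: what counts as worm-related traffic in this sketch.
SUSPECT_ICMP_LEN = 92        # ICMP size discussed in the thread
SUSPECT_TCP_PORTS = {135}    # assumed stand-in for "TCP MS bad traffic"

# Constructed capture summary, one packet per line: src,proto,dport,ip_len
# Addresses are private/documentation ranges, not taken from the post.
SAMPLE = """\
10.44.10.5,icmp,-,92
10.44.200.9,icmp,-,92
10.118.3.77,tcp,135,48
10.118.3.77,tcp,135,48
10.119.40.1,icmp,-,92
10.44.10.5,tcp,135,48
192.0.2.10,tcp,80,1500
192.0.2.11,icmp,-,84
not-an-ip,icmp,-,92
10.114.9.9,udp,53,70
"""


def is_suspect(proto, dport, length):
    """True if the packet matches the assumed worm-traffic profile."""
    if proto == "icmp":
        return length == SUSPECT_ICMP_LEN
    if proto == "tcp":
        return dport in SUSPECT_TCP_PORTS
    return False


def slash16(addr):
    """Return the /16 network address that contains addr."""
    net = ipaddress.ip_network(f"{addr}/16", strict=False)
    return str(net.network_address)


def summarize(text):
    """Count suspect packets per source /16.

    Returns (rows, suspect_total, packet_total), where rows is a list of
    (prefix, count) sorted by ascending count like the table in the post.
    Malformed lines are skipped and not counted as packets.
    """
    counts = Counter()
    total = 0
    for line in text.splitlines():
        fields = line.strip().split(",")
        if len(fields) != 4:
            continue
        src, proto, dport, length = fields
        try:
            ipaddress.IPv4Address(src)          # reject non-addresses
            length = int(length)
            dport = int(dport) if dport != "-" else None
        except ValueError:
            continue
        total += 1
        if is_suspect(proto.lower(), dport, length):
            counts[slash16(src)] += 1
    rows = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))
    return rows, sum(counts.values()), total


def render(rows, suspect, total):
    """Format the tally in the same shape as the table in the post."""
    out = ["Count  Source prefix (/16)"]
    out += [f"{n:5d}  {prefix}" for prefix, n in rows]
    out.append(f"{suspect:5d}  TOTAL packets out of {total}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(*summarize(SAMPLE)))
```
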
Re: Fw: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?)
On Thu, 28 Aug 2003, Christopher L. Morrow wrote: perhaps a change in vendors is in order? I can't see why people would lie about this, or why they'd listen to the 'request' from DHS in the first place ;( Oh well. http://www.wired.com/news/technology/0,1282,57804,00.html Mike Fisher, Pennsylvania's attorney general, has sent letters to an unknown number of ISPs over the past few months demanding that the ISPs block Pennsylvania subscribers' access to at least 423 websites or face a $5,000 fine, according to news reports. [..] How the blocks will affect law enforcement across North America would depend on which ISP their departments are using, among other factors. But Morris pointed out that WorldCom was ordered by a judge to comply with the Pennsylvania law last September. WorldCom owns UUNet, and the U.S. government is one of UUNet's biggest customers.
Re: Hey, QWEST clean up your network
Not sure how many places you intend to post this or related messages, but if you've got a problem vote with your money. Whining to NANOG and a slew of other mailing lists and still giving money to Qwest seems silly to me... Likewise, the Qwest folks likely aren't quite as clueless as you've attempted to portray them over the last few days, silly policies (policies that are clearly in place for a reason) can be fixed -- and I assure you, above all else, money talks... -danny On Thursday, August 28, 2003, at 09:25 PM, John Brown wrote: Seems like QWEST doesn't have any edge ACL's in place to deal with this lovely worm issue. Count Source Prefix, rounded up to a /16 144 208.46.0.0 199 65.114.0.0 347 208.45.0.0 462 65.118.0.0 486 65.119.0.0 702 208.44.0.0 2340 TOTAL Packets out of 2500 for 2 seconds This is ICMP and TCP MS bad traffic for a 2500 packet capture on a DS1 that is directly connected to Qwest. Ergo, Qwest is the transit provider. Capture period was about 2 seconds. ICK According to Qwest Tech/Noc people they can't leave filters up for more than 1 day. Given that this worm has lasted more than 1 day, I'd think it's reasonable to leave filters up for say more than one day The other thing I learned from QWEST IP-NOC was that it seems management decided *NOT TO* filter packets related to this worm issue at the edge.. john brown AS 10480 and others
Re: Hey, QWEST clean up your network
The other thing I learned from QWEST IP-NOC was that it seems management decided *NOT TO* filter packets related to this worm issue at the edge.. an isp of any non-trivial size, has one or more customers who are either in the security business or in security research. also ip behavior business or research. or ... the job of isps is to deliver packets, not to alter or drop them. if a customer wishes their traffic shaped, dropped, mangled, ... at the edge, that's a nice [sellable] extra service. randy, who is right now trying to chase down what and why an upstream has done to stop some traffic i was measuring, harumph!
Re: Hey, QWEST clean up your network
At 11:36 PM 8/28/2003, Danny McPherson wrote: Not sure how many places you intend to post this or related messages, but if you've got a problem vote with your money. Whining to NANOG and a slew of other mailing lists and still giving money to Qwest seems silly to me... Agreed... Likewise, the Qwest folks likely aren't quite as clueless as you've attempted to portray them over the last few days, silly policies (policies that are clearly in place for a reason) can be fixed -- and I assure you, above all else, money talks... I dunno... in my experience, Qwest is pretty clue-free. Of course money talks, but it takes a LOT of defections to make a significant impact.
Re: Hey, QWEST clean up your network
I dunno... in my experience, isp is pretty clue-free. when folk want to pay $50/mb, how much clue do we think isps can pay for, especially to deal with peak clue loads such as this last week or two? yes, money talks. but in many ways. randy
RE: Fun new policy at AOL
Susan, It just ticks me off because I know there are a lot of others who will be in this boat. Indeed, there are. I have numerous small customers that have either a single static IP or a /29 block from {Pacific Bell | your ISP} and that occasionally are blocked because either the block is marked as residential or the reverse lookup contains the string dsl. However, trying to be pragmatic, this is a situation that will eventually solve by itself: Since having {Pacific Bell | your ISP} do anything about it is not an option, when these customers are trying to email to {AOL | some ISP} and are blocked, they will try first to have if {AOL | some ISP} to whitelist the address; if it can't be done they will say get an ISP that does not suck. There are two sides on this coin; one is that indeed this stinks, but the other one is that AOL receives several billion spams a day, so I can understand that they're trying to control the problem with the tools they have. Curious, have you tried to call AOL to get the IP of the customer whitelisted? Michel.
Re: Hey, QWEST clean up your network
On Thursday, August 28, 2003, at 09:51 PM, John Brown wrote: Given general operational nature, I posted to NANOG, so that: 1. money can talk, others will see one view of this provider Don't talk with other peoples money, talk with your own. If you plan to post to NANOG, it'd be a wise assumption that a significant subset of the folks here reside on other lists you post to as well. 2. operationally maybe something will get done Perhaps. Though if/when it does, it'll be Qwest and you that will be involved, no one here. 3. policy wise maybe this provider will change its policy Perhaps, though given the discussions on this and a hundred other lists in the last three weeks, I'm not sure providers know what to do. As Sean points out, every other email contradicts the previous. If I filter, I'm responsive, clueful saving the Internet. When something breaks as a result, I'm clueless and trying to play netpolice, violating my SLA, plain suck, and need to just worry about delivering packets. 4. Qwest said their people had installed the ACL's properly my evidence is to the contrary. Hence the need to further engage with Qwest, folks here will be of little benefit at the end of the day. The customer that was impacted is certainly considering their options. I suspect they will vote with their checkbook. PS: Slew == 1 Private email list, 1, Well known public list 1 Local Public-ish list. Slew != as large as it may have sounded... Correct me if I'm wrong, but I seem to recall a strikingly similar message posted to several mailing lists regarding very similar topics and the same provider within the past .. 4 days (no, it was 2 days)? Had it not been for that I wouldn't have bothered posting. One attempt to humiliate your provider in order to trigger some action is perhaps arguable, two or more is just plain annoying. Policies are sometimes in place for good reasons, sometimes because the makers of said policy are void clue. 
To assume they are in place for good reason is a leap imho. So providers should play netpolice or Internet-Firewall-provider some amount of time, depending on _your gauge of the activity of a given incident? Folks need to realize that if large networks didn't have policies of this sort in place they'd be blocking pretty much every port on every interface by now.. You can't have it both ways... -danny
Re: Fun new policy at AOL
On Thu, Aug 28, 2003 at 09:29:42PM -0700, Michel Py wrote: However, trying to be pragmatic, this is a situation that will eventually solve by itself: Since having {Pacific Bell | your ISP} do anything about it is not an option, when these customers are trying to email to {AOL | some ISP} and are blocked, they will try first to have if {AOL | some ISP} to whitelist the address; if it can't be done they will say get an ISP that does not suck. Of course, it's also possible people will just work around it, like so many other things. Postfix transport maps allow relaying of specific domains through (for example) pacbell's mail server, as does Qmail's smtproute file, no? I'm supporting a handful of smaller sites, and don't have the time to chase down some support drone to request whitelistings. It's just too easy to add aol.com SMTP:mail.sbcglobal.net or whatever. If an incompetently run ISP relay server makes AOL happy, then their customers can enjoy having mail delayed for the extra hours and maybe dropped altogether. Eventually things will implode. Until then, I predict poorly thought out hacks will be answered with other poorly thought out hacks. =) -- Ray Wong [EMAIL PROTECTED]
Re: Fw: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?)
On Thu, 28 Aug 2003, Sean Donelan wrote: On Thu, 28 Aug 2003, Christopher L. Morrow wrote: perhaps a change in vendors is in order? I can't see why people would lie about this, or why they'd listen to the 'request' from DHS in the first place ;( Oh well. http://www.wired.com/news/technology/0,1282,57804,00.html Mike Fisher, Pennsylvania's attorney general, has sent letters to an unknown number of ISPs over the past few months demanding that the ISPs block Pennsylvania subscribers' access to at least 423 websites or face a $5,000 fine, according to news reports. this is a very old article... [..] How the blocks will affect law enforcement across North America would depend on which ISP their departments are using, among other factors. But Morris pointed out that WorldCom was ordered by a judge to comply with the Pennsylvania law last September. WorldCom owns UUNet, and the U.S. government is one of UUNet's biggest customers. That was a court order, not much any US based corporation can do about that, eh? Oh, yeah, and it didn't help stop any child pornographers, all it did was hide their tracks from the authorities :(
RE: Fun new policy at AOL
Yo All! On Thu, 28 Aug 2003, Michel Py wrote: Indeed, there are. I have numerous small customers that have either a single static IP or a /29 block from {Pacific Bell | your ISP} and that occasionally are blocked because either the block is marked as residential or the reverse lookup contains the string dsl. Maybe if PacBell (and others) actually disciplined their more out of control DSL customers then other ISPs would not feel the need to do it for them. RGDS GARY --- Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701 [EMAIL PROTECTED] Tel:+1(541)382-8588 Fax: +1(541)382-8676
Re: Hey, QWEST clean up your network
On Fri, 29 Aug 2003, Randy Bush wrote: when folk want to pay $50/mb, how much clue do we think isps can pay for, especially to deal with peak clue loads such as this last week or two? yes, money talks. but in many ways. Doesn't work this way. It is much better to have one clueful guy than to keep three clueless ones. Costs the same, the results are strikingly different. --vadim
Re: Dealing with infected users (Re: ICMP traffic increasing on most backbones Re: GLBX ICMP rate limiting
Vadim Antonov wrote: It should be pointed out that the ISPs have their share of blame for the quick-spreading worms, because they neglected very simple precautions -- such as giving customers pre-configured routers or DSL/cable modems with firewalls disabled by default (instead of the standard end-user, let only outgoing connections thru configuration), and providing insufficient information to end-users on configuring these firewalls. And you're willing to pay all the helpdesk persons helping these people to adjust their configurations to accommodate for KaZaa, BitTorrent, Quake3, Counter Strike, etc? It would be much easier and more centralized if the networking interfaces in operating systems would not expose services by default. But we already went there. Pete
Re: London Power outage
On Thursday 28 August 2003 22:00, Stephen J. Wilcox wrote: I saw it on CNN but it sounds like it wasn't as bad as they wanted to make out.. from what I was told none of the major colos which are all in the East lost utility and I don't know about stuff in the South which is where the power was out.. seems there's not much of interest there from a network pov. None of our network (mainly west London) was affected. Media reports that it just hit [mainly residential] south London, so didn't affect either Docklands facilities nor the various datacentres in the west (Park Royal etc) and south-west (Heathrow). It did knock out most of the tube system by my experiences. Fights at bus stops; so much for the 'stiff upper lip' ;-)
Sprint NOC? Are you awake now?
I've just upgraded a Cisco 7206 for a customer with a DS3 and we're now ready to take full routes. No one is answering at support, email has gone unanswered for thirty minutes - if someone at the Sprint NOC is awake please call Neal or Mike at 402-426-6136 - we'd really like to get this done before customers start waking up ... -- mailto:[EMAIL PROTECTED] phone:402-301-9555 After all that I've been through, you're the only one who matters, you never left me in the dark here on my own - Widespread Panic
Re: Sprint NOC? Are you awake now?
I didn't know their NOC number, puck.nether.net is down, normal phone channels lead to voicemail jail. Sorry to disturb your morning but its much easier to complete by 0600 than to have five counties worth of users dialing a phone right next to where you're working. Simon Lockhart wrote: On Fri Aug 29, 2003 at 04:10:27AM -0500, neal rauhauser wrote: I've just upgraded a Cisco 7206 for a customer with a DS3 and we're now ready to take full routes. No one is answering at support, email has gone unanswered for thirty minutes - if someone at the Sprint NOC is awake please call Neal or Mike at 402-426-6136 - we'd really like to get this done before customers start waking up ... Since when was nanog a way to get in touch with NOCs? Simon -- Simon Lockhart | Tel: +44 (0)1628 407720 (x37720) | Si fractum Technology Manager | Fax: +44 (0)1628 407701 (x37701) | non sit, noli BBC Internet Operations | Email: [EMAIL PROTECTED]| id reficere BBC Technology, Maiden House, Vanwall Road, Maidenhead. SL6 4UB. UK -- mailto:[EMAIL PROTECTED] phone:402-301-9555 After all that I've been through, you're the only one who matters, you never left me in the dark here on my own - Widespread Panic
Apology to the list
I apologize to the list for including a subject line in all caps regarding my attempt to contact someone at Qwest to fix this pro active monitoring issue I have. I hope that someone from that network contacts me since all other normal channels of communication that they provide to their customers has not provided a solution in the months that this issue has been going on. So far, opening tickets, calling the NOC, escalating to managers, and the local Qwest team have provided no solution to these erroneous alarms. I am just given the ol' We took care of it until the next 2 AM pro active ticket gets opened, and once again am roused from my sleep because of a false alarm that they could not bother verifying first. My apologies for the All Caps subject line. Rico Gerardo Gregory writes: Anyone that works for Qwest (Spirit of Service.HA HA HA HA HA) and can actually stop having your clueless NOC personnel from calling me at the flipping early hours of the morning because your non working proactive monitoring system keeps opening pro active tickets. No one has yet to verify that at any of the countless times (yes this little ordeal has been going on for months now) that your so called pro active monitoring system opens a ticket that it has ever been right. Ever heard of false positives Funny that your pro active ticket has never really detected an actual issue, because when these do happen it takes over a couple of hours to get anyone to begin the troubleshooting process. Is it customary for Qwest to call customers at 2, 3, 4, or 5 AM to tell them that they have a ticket opened by their pro active system? Here is a concept: get the proactive ticket, pull the interface, or look at the circuit before calling your customers...now that would be a Spirit of Service. What you are doing now is the spirit of laziness Gerardo A. 
Gregory Manager Network Administration and Security 402-970-1463 (Direct) 402-850-4008 (Cell) Affinitas - Latin for Relationship Helping Businesses Acquire, Retain, and Cultivate Customers Visit us at http://www.affinitas.net Gerardo A. Gregory Manager Network Administration and Security 402-970-1463 (Direct) 402-850-4008 (Cell) Affinitas - Latin for Relationship Helping Businesses Acquire, Retain, and Cultivate Customers Visit us at http://www.affinitas.net
DShield reports by AS for 'Blaster' and other issues
I setup a 'real time' report by AS to assist networks in finding infected systems. The URL: http://www.dshield.org/asreport.php This report is intended for automated parsing, so it comes as a simple tab delimited table with brief 'usage' header. You can filter by target port, protocol and AS. The AS number is required. The AS lookup is somewhat experimental. So feedback is appreciated. -- SANS - Internet Storm Center http://isc.sans.org PGP Key: http://isc.sans.org/jullrich.txt
Paypal off-the-air?
It seems that PayPal is off-the-air. We're seeing all connections die via uunet and sprint routes. Anyone know what's going on? -John -- John Ferriby - PGP Key: www.ferriby.com/pgpkey Fingerprint: 3B78 10AF A1B2 20D0 A5D9 983F 96FF D5BB CF11 BA97
Re: Paypal off-the-air?
I dont think so...been doing a few paypal transactions since around 6 AM, actually just finished one a few minutes ago, and actually just logged into my account before sending this out It's not paypal Rico John Ferriby writes: It seems that PayPal is off-the-air. We're seeing all connections die via uunet and sprint routes. Anyone know what's going on? -John -- John Ferriby - PGP Key: www.ferriby.com/pgpkey Fingerprint: 3B78 10AF A1B2 20D0 A5D9 983F 96FF D5BB CF11 BA97 Gerardo A. Gregory Manager Network Administration and Security 402-970-1463 (Direct) 402-850-4008 (Cell) Affinitas - Latin for Relationship Helping Businesses Acquire, Retain, and Cultivate Customers Visit us at http://www.affinitas.net
Re: Paypal off-the-air?
On Fri, 2003-08-29 at 09:45, John Ferriby wrote: It seems that PayPal is off-the-air. We're seeing all connections die via uunet and sprint routes. Anyone know what's going on? I recall they were going offline from 12:30am to 3:00am Pacific Time for maintenance. I'm not seeing any problems with the site right now, from the east coast. Traceroutes timeout in San Jose AlterNet (starting on EC), but http works fine. -- Jason Dixon, RHCE DixonGroup Consulting http://www.dixongroup.net
Re: Fun new policy at AOL
Gary E. Miller wrote: Maybe if PacBell (and others) actually disciplined their more out of control DSL customers then other ISPs would not feel the need to do it for them. It doesn't matter. A large percentage of open proxies are on dynamic DSL. Since a lot of ISPs will not handle proxy reports and take care of the problem, and the blacklists are about useless since the open proxy will switch IPs, it's just best to wipe out the entire dynamic range. -Jack
Re: Sprint NOC? Are you awake now?
On Fri, Aug 29, 2003 at 05:14:49AM -0500, neal rauhauser wrote: I didn't know their NOC number, puck.nether.net is down, normal phone Uh, puck is fine. http://puck.nether.net/netops/nocs.cgi?ispname=sprint channels lead to voicemail jail. Sorry to disturb your morning but its much easier to complete by 0600 than to have five counties worth of users dialing a phone right next to where you're working. - Jared -- Jared Mauch | pgp key available via finger from [EMAIL PROTECTED] clue++; | http://puck.nether.net/~jared/ My statements are only mine.
RE: Fun new policy at AOL
Michel Py writes eating some email from no reason, having limits in attachment size, you can't have a mailing list that way, etc. Roland Perry wrote: Isn't this where we started? One ISP I know decided to limit customers to 200 outgoing recipients a day. Great for stopping spammers, great for stopping anyone running a mailing list, It is where we started indeed. Today it does not really matter if you have 80 persons in the cc: field or if you send 80 individual emails; the individual ones will have the same from: and the same subject and will be blocked as well. And yes I also send email from my mail server with a subject line that contains the name of that drug that everyone wants to sell me or the name of the organ that everyone wants me to enlarge because I want to test the anti-spam system I just configured at some customer site and I don't want that to be blocked either. If ISPs don't want people to run SMTP servers on their DSL line they should provide a top-notch smarthost, which most don't. Michel.
Re: Fun new policy at AOL
Michel Py wrote: If ISPs don't want people to run SMTP servers on their DSL line they should provide a top-notch smarthost, which most don't. The one's that don't provide a top-notch smarthost usually don't handle abuse complaints either. Just what do they do for their customers? I'm curious. -Jack
port 554 scans?
Anyone know what the source of the recent increase in scans of port 554 is? http://isc.incidents.org/port_details.html?port=554 I can't find any related virus/worms using this? Maybe it's nothing, just some abuse complaints we got from port 554 scanning... Steve
RE: Fun new policy at AOL
Michel Py wrote: If ISPs don't want people to run SMTP servers on their DSL line they should provide a top-notch smarthost, which most don't. Jack Bates wrote: The one's that don't provide a top-notch smarthost usually don't handle abuse complaints either. True. sigh. Just what do they do for their customers? I'm curious. They provide the local loop and IP transit, which are the only two things a significant part of non-dial-up customers care about. Michel.
RE: Measured Internet good v. bad traffic
At 02:45 AM 8/28/2003, David Schwartz wrote: No that wouldnt work, that was be an analogy to non-usage based eg I buy a 10Mb port from you and you dont charge me extra for unwanted bandwidth across your network.. The point is that 'usage' is supposed to be 'what you use', not what somebody else uses. 'My' traffic is the traffic I want, not the traffic you try to give me that I don't want. An Internet-connected line is like an 800 phone line. You get connected, you advertise your presence, you have no control over who calls, you pay the bill for the incoming calls. That's just *how it is*. jc
Blaster author identified, about to be arrested...
(08-28) 20:31 PDT WASHINGTON (AP) -- The FBI has identified a teenager as the author of a damaging virus-like infection unleashed on the Internet and plans to arrest him early Friday, a U.S. official confirmed Thursday. The 18-year-old, whose name and hometown was not immediately available, was accused of writing one version of the damaging Blaster infection, which spread quickly across the Internet weeks ago, the official said, speaking on condition of anonymity. http://sfgate.com/cgi-bin/article.cgi?file=/news/archive/2003/08/28/national2331EDT0797.DTLtype=printable
RE: dry pair
Neither do we. Could you include some more details? -Greg -Original Message- From: Austad, Jay [mailto:[EMAIL PROTECTED] Sent: 29 August 2003 17:08 To: [EMAIL PROTECTED] Subject: dry pair Does anyone know to go about getting Qwest or a CLEC to patch through a dry pair between two buildings connected to the same CO? When I called to order one, no one knew what I was talking about. -jay Vodafone Global Content Services Limited Registered Office: Vodafone House, The Connection, Newbury, Berkshire RG14 2FN Registered in England No. 4064873 This e-mail is for the addressee(s) only. If you are not an addressee, you must not distribute, disclose, copy, use or rely on this e-mail or its contents, and you must immediately notify the sender and delete this e-mail and all copies from your system. Any unauthorised use may be unlawful. The information contained in this e-mail is confidential and may also be legally privileged.
Re: dry pair
Have you tried ordering it as an alarm circuit? Also, it seems like telcos are less willing to provide dry pair anymore. On Fri, 29 Aug 2003, Austad, Jay wrote: : :Does anyone know to go about getting Qwest or a CLEC to patch through a dry :pair between two buildings connected to the same CO? : :When I called to order one, no one knew what I was talking about. : :-jay :
Re: port 554 scans?
554 is a port associated with rtsp... There is a real helix server vulnerability that may be associated with those probes... http://www.securityfocus.com/archive/75/334900/2003-08-19/2003-08-25/0 yeah: http://www.k-otik.com/exploits/08.25.THCREALbad.c.php

    int main(int argc, char *argv[])
    {
        unsigned short realport=554;
        unsigned int sock,addr,os,rc;
        unsigned char *finalbuffer,*osbuf;
        struct sockaddr_in mytcp;
        struct hostent * hp;
        WSADATA wsaData;

joelja On Fri, 29 Aug 2003, Stephen J. Wilcox wrote: Anyone know what the source of the recent increase in scans of port 554 is? http://isc.incidents.org/port_details.html?port=554 I can't find any related virus/worms using this? Maybe it's nothing, just some abuse complaints we got from port 554 scanning... Steve -- -- Joel Jaeggli Unix Consulting [EMAIL PROTECTED] GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
Re: Fun new policy at AOL
On Thu, Aug 28, 2003 at 10:06:10AM -0400, Roland Perry wrote: Here's another tale of undeliverable email. It seems that [at least] one of those organisations you mention assigns IP addresses for its ADSL customers from the same blocks as dial-up. Which means that organisations using MAPS-DUL reject email from teleworkers (or indeed people running businesses with an ADSL connection) who run their own SMTP servers. In which case, the telecommuters should use their organization's mail servers with SMTP authentication (yes, authentication, not pop-before-smtp). If I'm a corporation, and you're my employee, you should be using my VPN, not sending mail from your unsupported remote installation running sendmail, qmail, exim, postfix, or whatever. As for the business people, can't give you any advice there. Maybe it's time to invest in some mail services from mail.com, Critical Path, or maybe even your ISP.
Re: Fun new policy at AOL
At 08:37 AM 8/29/2003, Jack Bates wrote: Michel Py wrote: If ISPs don't want people to run SMTP servers on their DSL line they should provide a top-notch smarthost, which most don't. The ones that don't provide a top-notch smarthost usually don't handle abuse complaints either. Just what do they do for their customers? I'm curious. They provide a low priced connection between the customer's location and a router connected to the Internet. The biggest problem is that to most customers, there's not a lot of obvious difference between a poorly supported cheap DSL line from ISP A and a well supported more expensive DSL line from ISP B. So they don't see the point in paying anything more than the rock-bottom-lowest-price for DSL service. The fact that they get what they pay for is overlooked. jc
RE: dry pair
He's looking for two wires between two buildings with no switching equipment on them. You'll have better luck if you ask for an Alarm Pair, but everyone's nomenclature is different. -Ejay -Original Message- From: Pendergrass, Greg [mailto:[EMAIL PROTECTED] Sent: Friday, August 29, 2003 11:14 AM To: 'Austad, Jay'; [EMAIL PROTECTED] Subject: RE: dry pair Neither do we. Could you include some more details? -Greg -Original Message- From: Austad, Jay [mailto:[EMAIL PROTECTED] Sent: 29 August 2003 17:08 To: [EMAIL PROTECTED] Subject: dry pair Does anyone know to go about getting Qwest or a CLEC to patch through a dry pair between two buildings connected to the same CO? When I called to order one, no one knew what I was talking about. -jay
RE: dry pair
I also tried asking for an Alarm Circuit. I even explained to them what it was, but they still didn't understand. All of the people I talked to wondered why in the world I would want a pair with no dialtone. Too bad I can't just bribe a qwest tech with a few beers to patch it through for me. :) -Original Message- From: Ejay Hire [mailto:[EMAIL PROTECTED] Sent: Friday, August 29, 2003 11:22 AM To: Pendergrass, Greg; Austad, Jay; [EMAIL PROTECTED] Subject: RE: dry pair He's looking for two wires between two buildings with no switching equipment on them. You'll have better luck if you ask for an Alarm Pair, but everyone's nomenclature is different. -Ejay -Original Message- From: Pendergrass, Greg [mailto:[EMAIL PROTECTED] Sent: Friday, August 29, 2003 11:14 AM To: 'Austad, Jay'; [EMAIL PROTECTED] Subject: RE: dry pair Neither do we. Could you include some more details? -Greg -Original Message- From: Austad, Jay [mailto:[EMAIL PROTECTED] Sent: 29 August 2003 17:08 To: [EMAIL PROTECTED] Subject: dry pair Does anyone know to go about getting Qwest or a CLEC to patch through a dry pair between two buildings connected to the same CO? When I called to order one, no one knew what I was talking about. -jay
RE: dry pair
Order it as an alarm circuit... At least that's how VZ recognizes it in NY. -Dave -Original Message- From: Austad, Jay [mailto:[EMAIL PROTECTED] Sent: Friday, August 29, 2003 12:08 PM To: [EMAIL PROTECTED] Subject: dry pair Does anyone know to go about getting Qwest or a CLEC to patch through a dry pair between two buildings connected to the same CO? When I called to order one, no one knew what I was talking about. -jay
RE: dry pair
Perhaps because smart engineers are sticking $50 CellPipe 50S units on each end and running 2.3mbps across them for less than a third the cost of same-co T1? -Original Message- From: Rick Ernst [mailto:[EMAIL PROTECTED] Sent: Friday, August 29, 2003 11:19 AM To: Austad, Jay Cc: [EMAIL PROTECTED] Subject: Re: dry pair Have you tried ordering it as an alarm circuit? Also, it seems like telcos are less willing to provide dry pair anymore. On Fri, 29 Aug 2003, Austad, Jay wrote: : :Does anyone know to go about getting Qwest or a CLEC to patch through a dry :pair between two buildings connected to the same CO? : :When I called to order one, no one knew what I was talking about. : :-jay :
Re: Fun new policy at AOL
On donderdag, aug 28, 2003, at 20:10 Europe/Amsterdam, Paul Vixie wrote: Play with DNS MX records like QMTP does. here are at least two problems with this approach. one is that an mx priority is a 16 bit unsigned integer, not like your example. another is that spammers do not follow the MX protocol, they deliberately dump on higher cost relays in order to make the victim's own inbounds carry more of the total workload of delivery. (additionally, many hosts do more spam filtering on their lower cost MX's than on their higher cost (backup?) MX's, and the spammers know this, and take advantage of it.) Yes, that's why I don't use my ISP's servers as MX for my domains anymore. Having fallback MXes that only queue the mail for a while doesn't provide any real benefits anyway. But how about this: in addition to MX hosts, every domain also has one or more MO (mail originator) hosts. Mail servers then get to check the address of the SMTP server they're talking to against the DNS records for the domain in the sender's address. Then customers who use an email address under their ISP's domain have to use the ISP's relay, while people with their own (sub) domain get to use their own. For AOL and the likes this would also help against spam as they can rate limit incoming mail from unknown domains. Spammers are forced to register new domains all the time in addition to having to find abusable IP addresses so hopefully life for them will be a little more miserable too. (Could reuse MX for this if a new RR is too much hassle, but large ISPs don't use the same SMTP servers for incoming as for outgoing.)
RE: dry pairs
It's generally called a lads circuit. joelja On Fri, 29 Aug 2003, Pendergrass, Greg wrote: Neither do we. Could you include some more details? -Greg -Original Message- From: Austad, Jay [mailto:[EMAIL PROTECTED] Sent: 29 August 2003 17:08 To: [EMAIL PROTECTED] Subject: dry pair Does anyone know to go about getting Qwest or a CLEC to patch through a dry pair between two buildings connected to the same CO? When I called to order one, no one knew what I was talking about. -jay -- -- Joel Jaeggli Unix Consulting [EMAIL PROTECTED] GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
Re: Fun new policy at AOL
But how about this: in addition to MX hosts, every domain also has one or more MO (mail originator) hosts. Mail servers then get to check the address of the SMTP server they're talking to against the DNS records for the domain in the sender's address. Then customers who use an email address under their ISP's domain have to use the ISP's relay, while people with their own (sub) domain get to use their own.

a fine idea. thank jim miller for it if you see him.

For AOL and the likes this would also help against spam as they can rate limit incoming mail from unknown domains. Spammers are forced to register new domains all the time in addition to having to find abusable IP addresses so hopefully life for them will be a little more miserable too. (Could reuse MX for this if a new RR is too much hassle, but large ISPs don't use the same SMTP servers for incoming as for outgoing.)

see below.

Independent                                             Paul Vixie (Ed.)
Request for Comments:
Category: Experimental                                      June 6, 2002

                        Repudiating MAIL FROM

Status of this Memo

This memo describes an experimental procedure for handling received e-mail. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2002). All Rights Reserved.

Abstract

At the time of this writing, more than half of all e-mail received by the author has a forged return address, due to the total absence of address authentication in SMTP (see [RFC2821]). We present a simple and backward compatible method whereby cooperating e-mail senders and receivers can detect forged source/return addresses in e-mail.

1 - Introduction and Overview

1.1. Internet e-mail return addresses are nonrepudiable by design of the relevant transport protocols (see [RFC2821]). Simply put, there is no cause for ANY confidence in the proposition "this e-mail came from where it says it came from."

1.2. Irresponsible actors who wish to transmit unwanted bulk e-mail routinely use this designed-in lack of source/return authenticity to hide their point of origin, which usually involves forging a valid return address belonging to some highly visible and popular ISP (for example, HOTMAIL.COM).

1.3. Recipients who wish to reject unwanted bulk e-mail containing forged source/return addresses are prevented from doing so since the addresses, as presented, are nonrepudiable by design. Simply put, there would be too many false positives, and too much valid e-mail rejected, if one were to program an e-mail relay to reject all e-mail claiming to be from HOTMAIL.COM since, statistically, most e-mail claiming to be from HOTMAIL.COM is actually from somewhere else. HOTMAIL.COM, in this example, is a victim of forgery.

Vixie                        Experimental                       [Page 1]
RFC                      Repudiating MAIL FROM              May 26, 2002

1.4. What's needed is a way to guaranty that each received e-mail message did in fact come from some mail server or relay which can rightfully originate or relay messages from the purported source/return address.

1.5. Approaches of the form "use PGP" and "use SSL" are not scalable in the short term since they depend on end-to-end action and there are just too many endpoints. An effective solution has to be applicable to mail relay, not just final delivery.

1.6. Valid (wanted) e-mail must not be rejected by side effect or partial adoption of this proposal. Source/return authenticity must be a confidence effector, as in "we can be sure that this did not come from where it claims" and simple uncertainty must remain in effect otherwise.

2 - Behaviour

2.1. Domain owners who wish their mail source/return information to be repudiable will enter stylized MX RR's into their DNS data, whose owner name is MAIL-FROM, whose priority is zero, and whose servername registers an outbound (border) relay for the domain. For example, to tell the rest of the Internet who they should believe when they receive mail claiming to be from [EMAIL PROTECTED], the following DNS MX RR's should be entered:

    $ORIGIN isc.org.
    MAIL-FROM   MX  0 rc
                MX  0 rc1

In this example, hosts RC.ISC.ORG, and RC1.ISC.ORG are given as appropriate places to originate mail from @ISC.ORG. Note that this differs from the normal inbound MX RRset for this example domain:

    $ORIGIN isc.org.
    @           MX  0 rc
                MX  0 isrv4

So, the inbound mail server set partially overlaps with, but differs from, the example outbound mail server set. This is quite common in the Internet, and is the reason why the normal inbound mail server set described by a domain's apex MX RRset cannot be
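Added example, not part of the original messages or of the draft: a receiver-side sketch of the check that both the "MO host" suggestion and the MAIL-FROM MX draft above describe, including the roaming-user case raised in this thread. The three verdict names, the function names, the example.net domain and every IP address are assumptions made for illustration; the zone data is constructed and only mirrors the draft's isc.org records.

```python
import ipaddress

# Constructed zone data standing in for live DNS. The MX owner names and
# targets mirror the draft's isc.org example; every address, and the
# example.net domain, is a placeholder invented for this illustration.
ZONE = {
    ("mail-from.isc.org", "MX"): [(0, "rc.isc.org"), (0, "rc1.isc.org")],
    ("isc.org", "MX"): [(0, "rc.isc.org"), (0, "isrv4.isc.org")],
    ("example.net", "MX"): [(10, "mx.example.net")],
    ("rc.isc.org", "A"): ["192.0.2.10"],
    ("rc1.isc.org", "A"): ["192.0.2.11"],
    ("isrv4.isc.org", "A"): ["192.0.2.12"],
    ("mx.example.net", "A"): ["198.51.100.25"],
}


def lookup(name, rrtype):
    """Return the RRset for (name, type), or [] when none exists."""
    return ZONE.get((name.lower().rstrip("."), rrtype), [])


def sender_domain(mail_from):
    """Domain of the SMTP MAIL FROM reverse-path; None for the null sender."""
    addr = mail_from.strip().lstrip("<").rstrip(">")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def registered_relays(domain):
    """Addresses of the outbound relays a domain lists under MAIL-FROM.

    Returns None when the domain publishes no MAIL-FROM MX RRset at all,
    which is different from publishing one that this client is not in.
    """
    rrset = lookup("MAIL-FROM." + domain, "MX")
    if not rrset:
        return None
    addrs = set()
    for priority, host in rrset:
        if priority != 0:  # the draft specifies priority zero
            continue
        for a in lookup(host, "A"):
            addrs.add(ipaddress.ip_address(a))
    return addrs


def check_mail_from(client_ip, mail_from):
    """Classify one SMTP session (verdict names are this example's own).

    'uncertain'  : nothing published or resolvable, so no conclusion (1.6)
    'consistent' : the connecting client is a registered outbound relay
    'repudiated' : the domain registered relays and this client is not one
    """
    domain = sender_domain(mail_from)
    if domain is None:
        return "uncertain"
    relays = registered_relays(domain)
    if not relays:  # no RRset, or its targets did not resolve
        return "uncertain"
    if ipaddress.ip_address(client_ip) in relays:
        return "consistent"
    return "repudiated"


# Constructed sessions: (connecting client IP, MAIL FROM argument).
SESSIONS = [
    ("192.0.2.11", "<user@isc.org>"),         # registered outbound relay
    ("192.0.2.12", "<user@isc.org>"),         # inbound-only MX host
    ("198.51.100.25", "<user@isc.org>"),      # roaming user via another ISP's relay
    ("198.51.100.25", "<user@example.net>"),  # domain publishes no MAIL-FROM
    ("192.0.2.10", "<>"),                     # null sender (bounce)
]


def evaluate(sessions=SESSIONS):
    """Return (client_ip, mail_from, verdict) for every session."""
    return [(ip, mf, check_mail_from(ip, mf)) for ip, mf in sessions]


if __name__ == "__main__":
    for ip, mf, verdict in evaluate():
        print(f"{ip:15} {mf:22} {verdict}")
```

The second session shows why the apex MX RRset cannot double as the outbound list: isrv4 receives mail for the domain but is not registered to originate it. The third is the legitimate user sending through a local ISP's relay, who is indistinguishable from a forger under this check.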
Re: dry pair
Good luck getting one from anything but an old-bell. New LECs tend to think only in terms of the switch side, since the last mile belongs to the ILEC anyway. Even the ones that know it don't want to support it, as they can't do any remote testing when it dies, requiring local wire and cable staff. Use old-bell terms, dry pair is very much a network admin's term. alarm circuit, off-premise extension line, (like if you had your own PBX and need another office to run off it), series 1100 line, or maybe LADS. On Fri, Aug 29, 2003 at 11:08:10AM -0500, Austad, Jay wrote: Does anyone know to go about getting Qwest or a CLEC to patch through a dry pair between two buildings connected to the same CO? When I called to order one, no one knew what I was talking about. -jay -- Ray Wong [EMAIL PROTECTED]
RE: dry pair
In Canada they are sometimes referred to as c-loops. You could try that... But, they are hard to get.. And impossible to get repaired :). Mark -- Mark Segal Director, Network Planning FCI Broadband Tel: 905-284-4070 Fax: 416-987-4701 http://www.fcibroadband.com Futureway Communications Inc. is now FCI Broadband -Original Message- From: Temkin, David [mailto:[EMAIL PROTECTED] Sent: August 29, 2003 12:29 PM To: 'Austad, Jay'; [EMAIL PROTECTED] Subject: RE: dry pair Order it as an alarm circuit... At least that's how VZ recognizes it in NY. -Dave -Original Message- From: Austad, Jay [mailto:[EMAIL PROTECTED] Sent: Friday, August 29, 2003 12:08 PM To: [EMAIL PROTECTED] Subject: dry pair Does anyone know to go about getting Qwest or a CLEC to patch through a dry pair between two buildings connected to the same CO? When I called to order one, no one knew what I was talking about. -jay
Re: Fun new policy at AOL
trusted-mx.crocker.com uses DNSRTTL (Real Time Trust List) to only accept connections from IPs it trusts. Hate to break up your envisionary experiences and insight into reinventing the wheel, but what happened to consideration of SMTP authentication?
Re: dry pairs
It's generally called a lads circuit. BTW, LADS == Local Area Data Service. Dave joelja On Fri, 29 Aug 2003, Pendergrass, Greg wrote: Neither do we. Could you include some more details? -Greg -Original Message- From: Austad, Jay [mailto:[EMAIL PROTECTED] Sent: 29 August 2003 17:08 To: [EMAIL PROTECTED] Subject: dry pair Does anyone know to go about getting Qwest or a CLEC to patch through a dry pair between two buildings connected to the same CO? When I called to order one, no one knew what I was talking about. -jay -- -- Joel Jaeggli Unix Consulting [EMAIL PROTECTED] GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
Re: Fun new policy at AOL
Omachonu Ogali wrote: | trusted-mx.crocker.com uses DNSRTTL (Real Time Trust List) to only | accept connections from IPs it trusts. | | | Hate to break up your envisionary experiences and insight into | reinventing the wheel, but what happened to consideration of | SMTP authentication? It's only as good as the strength of your user community's passwords. A friend of mine supports a school's servers and they were brute forced the other day resulting in essentially an open relay for the spammers. Auth is nice, but not enough. bep
Re: Fun new policy at AOL
In article [EMAIL PROTECTED], Iljitsch van Beijnum [EMAIL PROTECTED] wrote: But how about this: in addition to MX hosts, every domain also has one or more MO (mail originator) hosts. Mail servers then get to check the address of the SMTP server they're talking to against the DNS records for the domain in the sender's address. Then customers who use an email address under their ISP's domain have to use the ISP's relay, while people with their own (sub) domain get to use their own. Google for RMX DNS. There's a few other proposals too; see for example http://spf.pobox.com/ Mike. -- RAND USR 16514
Re: Fun new policy at AOL
But how about this: in addition to MX hosts, every domain also has one or more MO (mail originator) hosts. Mail servers then get to check the address of the SMTP server they're talking to against the DNS records for the domain in the sender's address. Then customers who use an email address under their ISP's domain have to use the ISP's relay, while people with their own (sub) domain get to use their own. I travel around. I read my email by POP3/IMAP, I use local ISP's SMTP server for outgoing - surely that means I can't use my own domain for email? Simon -- Simon Lockhart | Tel: +44 (0)1628 407720 (x37720) | Si fractum Technology Manager | Fax: +44 (0)1628 407701 (x37701) | non sit, noli BBC Internet Operations | Email: [EMAIL PROTECTED]| id reficere BBC Technology, Maiden House, Vanwall Road, Maidenhead. SL6 4UB. UK
Trusecure estimate: one in three companies infected by blaster
http://reuters.com/newsArticle.jhtml?type=businessNewsstoryID=3359768 One in three North American companies are estimated to have had at least some of their computers infected since Blaster emerged in early August, according to new data from Internet security laboratory ICSA.
Re: Fun new policy at AOL
On Fri, 29 Aug 2003, Simon Lockhart wrote: I travel around. I read my email by POP3/IMAP, I use local ISP's SMTP server for outgoing - surely that means I can't use my own domain for email? Time to switch to SMTP AUTH and use the same relay always. -- Mikael Abrahamsson email: [EMAIL PROTECTED]
RE: dry pair
Here is the Qwest Tariff (assuming you're in Colorado.) http://tariffs.uswest.com:8000/docs/TARIFFS/Colorado/COAC/co_a_c_s007p001.pdf#USW-TOC00 See sheet 16, near the bottom of the page... It looks like you want an NB3 circuit with DC continuity. -R -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Austad, Jay Sent: August 29, 2003 12:08 PM To: [EMAIL PROTECTED] Subject: dry pair Does anyone know to go about getting Qwest or a CLEC to patch through a dry pair between two buildings connected to the same CO? When I called to order one, no one knew what I was talking about. -jay
RE: Fun new policy at AOL
[Note: I posted something else on this topic, but it doesn't appear to have made it through yet...] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mikael Abrahamsson Sent: August 29, 2003 3:20 PM To: [EMAIL PROTECTED] Subject: Re: Fun new policy at AOL On Fri, 29 Aug 2003, Simon Lockhart wrote: I travel around. I read my email by POP3/IMAP, I use local ISP's SMTP server for outgoing - surely that means I can't use my own domain for email? Time to switch to SMTP AUTH and use the same relay always. And what do you do if you're not the admin for the relay? And what about if the admin tells you This is why we installed some webmail package. Use that instead.? Vivien -- Vivien M. [EMAIL PROTECTED] Assistant System Administrator Dynamic DNS Network Services http://www.dyndns.org/
Re: Fun new policy at AOL
I travel around. I read my email by POP3/IMAP, I use local ISP's SMTP server for outgoing - surely that means I can't use my own domain for email? Your ISP should support SMTP_AUTH with TLS for you. You would continue to use their mail servers no matter where you are or how you are connected to the Internet. -Matt Simon -- Simon Lockhart | Tel: +44 (0)1628 407720 (x37720) | Si fractum Technology Manager | Fax: +44 (0)1628 407701 (x37701) | non sit, noli BBC Internet Operations | Email: [EMAIL PROTECTED]| id reficere BBC Technology, Maiden House, Vanwall Road, Maidenhead. SL6 4UB. UK
RE: Fun new policy at AOL
On Fri, 29 Aug 2003, Vivien M. wrote: And what do you do if you're not the admin for the relay? And what about if the admin tells you This is why we installed some webmail package. Use that instead.? You switch service provider or give them a whack with the cluebat. -- Mikael Abrahamsson email: [EMAIL PROTECTED]
RE: Fun new policy at AOL
-Original Message- From: Mikael Abrahamsson [mailto:[EMAIL PROTECTED] Sent: August 29, 2003 3:44 PM To: Vivien M. Cc: [EMAIL PROTECTED] Subject: RE: Fun new policy at AOL On Fri, 29 Aug 2003, Vivien M. wrote: And what do you do if you're not the admin for the relay? And what about if the admin tells you This is why we installed some webmail package. Use that instead.? You switch service provider or give them a whack with the cluebat. And if the service provider is your employer/educational institution? You quit your job? Drop out of school? Swallow your pride and suffer with webmail? Vivien -- Vivien M. [EMAIL PROTECTED] Assistant System Administrator Dynamic DNS Network Services http://www.dyndns.org/
Re: Fun new policy at AOL
Mikael Abrahamsson wrote: You switch service provider or give them a whack with the cluebat. Some providers don't support auth due to the insecure passwords their users have. Having your server opened up to relay spam because your user had a bad password is not a good prospect. -Jack
RE: Fun new policy at AOL
At 12:32 PM 8/29/2003, Vivien M. wrote: Time to switch to SMTP AUTH and use the same relay always. And what do you do if you're not the admin for the relay? And what about if the admin tells you This is why we installed some webmail package. Use that instead.? Either the webmail solution meets your needs, or you need to obtain service from a company that offers a solution that meets your needs. Why is this so hard to understand? jc
Re: Fun new policy at AOL
You switch service provider or give them a whack with the cluebat. And if the service provider is your employer/educational institution? You quit your job? Drop out of school? Swallow your pride and suffer with webmail? Spend $19.95 getting a dialup account for an ISP with a clue and use their mail servers. If employed charge the $20/month on your expense report.
RE: Fun new policy at AOL
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Crocker Sent: August 29, 2003 3:58 PM To: Vivien M. Cc: 'Mikael Abrahamsson'; [EMAIL PROTECTED] Subject: Re: Fun new policy at AOL You switch service provider or give them a whack with the cluebat. And if the service provider is your employer/educational institution? You quit your job? Drop out of school? Swallow your pride and suffer with webmail? Spend $19.95 getting a dialup account for an ISP with a clue and use their mail servers. If employed charge the $20/month on your expense report. You seem to be misunderstanding the issue. Let's say you work at someplace.edu. You want to send mail from home. With the SPF-type schemes being discussed, your mail MUST come from someplace.edu's server. If someplace.edu won't set up an SMTP AUTH relay, what do you do? Your dialup account will let you use the dialup ISP's mail server... But your mail will get bounced because it's not something from someplace.edu. Hence, if no SMTP AUTH relay, you're screwed. Vivien -- Vivien M. [EMAIL PROTECTED] Assistant System Administrator Dynamic DNS Network Services http://www.dyndns.org/
RE: Fun new policy at AOL
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of JC Dill Sent: August 29, 2003 3:43 PM To: [EMAIL PROTECTED] Subject: RE: Fun new policy at AOL At 12:32 PM 8/29/2003, Vivien M. wrote: Time to switch to SMTP AUTH and use the same relay always. And what do you do if you're not the admin for the relay? And what about if the admin tells you This is why we installed some webmail package. Use that instead.? Either the webmail solution meets your needs, or you need to obtain service from a company that offers a solution that meets your needs. Why is this so hard to understand? Because you're not understanding the issue... If you get an email account from your employer/educational institution/etc and have to access it from home and send mail from it, you can't obtain service from a company that offers a solution that meets your needs. If you can't convince your admins (and good luck if you don't work in the IT department) that they need to set up SMTP AUTH, then you are screwed... Get used to dialing into your employer/educational institution/etc's network to do email, simply to comply with these things, or hello webmail. And how will you explain to people who quite happily have their POP3 clients set up to get mail from their work's POP3 server, and SMTP to their local ISP that suddenly they can't do it that way anymore? If this solution had been implemented 5 years ago instead of the no third party relays system now in place, I wouldn't be opposed to it... But the issue is that the use the local SMTP server to send model is the main one deployed in the field today, and if you start saying NOW that mail must be relayed through a domain's particular SMTP server and that server doesn't support SMTP AUTH relaying, you're now screwed... Vivien -- Vivien M. [EMAIL PROTECTED] Assistant System Administrator Dynamic DNS Network Services http://www.dyndns.org/
RE: Fun new policy at AOL
At 12:45 PM 8/29/2003, Vivien M. wrote: On Fri, 29 Aug 2003, Vivien M. wrote: And what do you do if you're not the admin for the relay? And what about if the admin tells you This is why we installed some webmail package. Use that instead.? You switch service provider or give them a whack with the cluebat. And if the service provider is your employer/educational institution? You quit your job? Drop out of school? Swallow your pride and suffer with webmail? You do the same thing you do when they implement other stupid policies - you live with the policy, or you work around it. If your school makes a stupid policy that you can't park your car between the hours of 8 am and 9 am, you get there before 8 or after 9, or you have a friend drop you off, or take the bus, or you pay to park in the lot across the street. jc
Re: Fun new policy at AOL
On Fri, 29 Aug 2003 14:47:50 CDT, Jack Bates said: Mikael Abrahamsson wrote: You switch service provider or give them a whack with the cluebat. Some providers don't support auth due to the insecure passwords their users have. Having your server opened up to relay spam because your user had a bad password is not a good prospect. So the provider allows the user to pick an insecure password, and then complains that they can't support a security measure because of their poor policy choices/enforcement? Hey Mikael, hand me that cluebat..
Re: Fun new policy at AOL
You seem to be misunderstanding the issue. Let's say you work at someplace.edu. You want to send mail from home. With the SPF-type schemes being discussed, your mail MUST come from someplace.edu's server. If someplace.edu won't set up an SMTP AUTH relay, what do you do? Your dialup account will let you use the dialup ISP's mail server... But your mail will get bounced because it's not something from someplace.edu. Hence, if no SMTP AUTH relay, you're screwed. Port forward 127.0.0.1:25 through to someplace.edu:25 using SSH. Or VPN. Or ... More than one way to skin this cat. -matt
RE: Fun new policy at AOL
-Original Message- From: Matthew Crocker [mailto:[EMAIL PROTECTED] Sent: August 29, 2003 4:16 PM To: Vivien M. Cc: 'Mikael Abrahamsson'; [EMAIL PROTECTED] Subject: Re: Fun new policy at AOL Port forward 127.0.0.1:25 through to someplace.edu:25 using SSH. Or VPN. Or ... More than one way to skin this cat. If you have a shell account on someplace.edu, yes, I agree, that's probably the best way (and if anyone looks at the headers of this message, that's how I've been doing SMTP for like three years now... Too lazy to set up SMTP AUTH somewhere where I'm the admin). But if you have no shell account, or you're not technologically clueful, you're still hopeless... So, the conclusion still seems to be that SPF and such things will break your email, unless i) SMTP AUTH is available ii) You're sufficiently clueful (and required things like VPN, SSH, etc are available) that you can implement a workaround. Vivien -- Vivien M. [EMAIL PROTECTED] Assistant System Administrator Dynamic DNS Network Services http://www.dyndns.org/
Re: Fun new policy at AOL
Is this being added to a bind 9 rewrite? If so, when can we expect it to be released? :) On Fri, Aug 29, 2003 at 04:47:58PM +, Paul Vixie wrote: But how about this: in addition to MX hosts, every domain also has one or more MO (mail originator) hosts. Mail servers then get to check the address of the SMTP server they're talking to against the DNS records for the domain in the sender's address. Then customers who use an email address under their ISP's domain have to use the ISP's relay, while people with their own (sub) domain get to use their own. a fine idea. thank jim miller for it if you see him. For AOL and the likes this would also help against spam as they can rate limit incoming mail from unknown domains. Spammers are forced to register new domains all the time in addition to having to find abusable IP addresses so hopefully life for them will be a little more miserable too. (Could reuse MX for this if a new RR is too much hassle, but large ISPs don't use the same SMTP servers for incoming as for outgoing.) see below.

Independent                                          Paul Vixie (Ed.)
Request for Comments:
Category: Experimental                                   June 6, 2002

Repudiating MAIL FROM

Status of this Memo

This memo describes an experimental procedure for handling received e-mail. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2002). All Rights Reserved.

Abstract

At the time of this writing, more than half of all e-mail received by the author has a forged return address, due to the total absence of address authentication in SMTP (see [RFC2821]). We present a simple and backward compatible method whereby cooperating e-mail senders and receivers can detect forged source/return addresses in e-mail.

1 - Introduction and Overview

1.1. Internet e-mail return addresses are nonrepudiable by design of the relevant transport protocols (see [RFC2821]).
Simply put, there is no cause for ANY confidence in the proposition this e-mail came from where it says it came from.

1.2. Irresponsible actors who wish to transmit unwanted bulk e-mail routinely use this designed-in lack of source/return authenticity to hide their point of origin, which usually involves forging a valid return address belonging to some highly visible and popular ISP (for example, HOTMAIL.COM).

1.3. Recipients who wish to reject unwanted bulk e-mail containing forged source/return addresses are prevented from doing so since the addresses, as presented, are nonrepudiable by design. Simply put, there would be too many false positives, and too much valid e-mail rejected, if one were to program an e-mail relay to reject all e-mail claiming to be from HOTMAIL.COM since, statistically, most e-mail claiming to be from HOTMAIL.COM is actually from somewhere else. HOTMAIL.COM, in this example, is a victim of forgery.

Vixie Experimental [Page 1]
RFC Repudiating MAIL FROM May 26, 2002

1.4. What's needed is a way to guaranty that each received e-mail message did in fact come from some mail server or relay which can rightfully originate or relay messages from the purported source/return address.

1.5. Approaches of the form use PGP and use SSL are not scalable in the short term since they depend on end-to-end action and there are just too many endpoints. An effective solution has to be applicable to mail relay, not just final delivery.

1.6. Valid (wanted) e-mail must not be rejected by side effect or partial adoption of this proposal. Source/return authenticity must be a confidence effector, as in we can be sure that this did not come from where it claims and simple uncertainty must remain in effect otherwise.

2 - Behaviour

2.1.
Domain owners who wish their mail source/return information to be repudiable will enter stylized MX RR's into their DNS data, whose owner name is MAIL-FROM, whose priority is zero, and whose servername registers an outbound (border) relay for the domain. For example, to tell the rest of the Internet who they should believe when they receive mail claiming to be from [EMAIL PROTECTED], the following DNS MX RR's should be entered:

    $ORIGIN isc.org.
    MAIL-FROM   MX  0 rc
                MX  0 rc1

In this example, hosts RC.ISC.ORG, and RC1.ISC.ORG are given as appropriate places to originate mail from @ISC.ORG. Note that this differs from the normal inbound MX RRset for this example domain:

    $ORIGIN isc.org.
    @           MX  0 rc
                MX  0 isrv4
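The receiver-side check that this proposal implies, as an added example that is not part of the original message or of the draft. The record names come from the draft's isc.org example; the IP addresses, example.net, the three verdict names and the rule that a domain with no MAIL-FROM records yields "unknown" (following section 1.6) are assumptions made for the illustration.

```python
"""Receiver-side lookup for the draft's MAIL-FROM MX convention (added example)."""
import ipaddress

# Constructed zone data standing in for live DNS. Host names follow the
# draft's isc.org example; every address is invented (documentation ranges),
# and example.net is a made-up domain that publishes no MAIL-FROM records.
ZONE = {
    ("mail-from.isc.org", "MX"): [(0, "rc.isc.org"), (0, "rc1.isc.org")],
    ("isc.org", "MX"): [(0, "rc.isc.org"), (0, "isrv4.isc.org")],
    ("rc.isc.org", "A"): ["192.0.2.10"],
    ("rc1.isc.org", "A"): ["192.0.2.11"],
    ("isrv4.isc.org", "A"): ["192.0.2.20"],
    ("example.net", "MX"): [(10, "mx.example.net")],
    ("mx.example.net", "A"): ["198.51.100.5"],
}


def lookup(name, rrtype):
    """Return the RRset for (name, type) from the constructed zone, or []."""
    return ZONE.get((name.rstrip(".").lower(), rrtype), [])


def sender_domain(mail_from):
    """Right-hand side of the envelope sender, or None for the null sender."""
    addr = mail_from.strip().strip("<>")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower() or None


def registered_originators(domain):
    """Addresses of the hosts named by the MX RRset at MAIL-FROM.<domain>."""
    addrs = set()
    for _priority, host in lookup("mail-from." + domain, "MX"):
        for a in lookup(host, "A"):
            addrs.add(ipaddress.ip_address(a))
    return addrs


def check_mail_from(client_ip, mail_from):
    """Classify an SMTP client against the sender domain's MAIL-FROM records.

    "consistent" - the client is one of the registered outbound relays
    "repudiated" - the domain registers relays and the client is not one
    "unknown"    - nothing registered, so nothing can be concluded
    """
    domain = sender_domain(mail_from)
    if domain is None:
        return "unknown"
    allowed = registered_originators(domain)
    if not allowed:
        # Partial adoption must not cause rejections: no data, no verdict.
        return "unknown"
    if ipaddress.ip_address(client_ip) in allowed:
        return "consistent"
    return "repudiated"


if __name__ == "__main__":
    for ip, sender in [
        ("192.0.2.10", "<someone@isc.org>"),     # rc: registered outbound relay
        ("192.0.2.20", "<someone@isc.org>"),     # isrv4: inbound MX only
        ("203.0.113.9", "<someone@isc.org>"),    # unrelated host
        ("203.0.113.9", "<user@example.net>"),   # domain has not opted in
    ]:
        print(ip, sender, check_mail_from(ip, sender))
```

The second case is the one the draft's two RRsets are there to illustrate: isrv4 accepts mail for the domain but is not registered to originate it, so the inbound MX set cannot simply be reused for this check.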
Re: Fun new policy at AOL
In article [EMAIL PROTECTED], Omachonu Ogali [EMAIL PROTECTED] writes In which case, the telecommuters should use their organization's mail servers with SMTP authentication (yes, authentication, not pop-before-smtp). I'm a telecommuter, I'm also a freelance, so my organisation is me. I like the idea of running a reliable mail server with authentication, at my home base. Which is my home. I just have to get AOL not to define it as residential. -- Roland Perry
RE: dry pair
From: [EMAIL PROTECTED] From what I recall there is no guarantee that the Qwest tariff for NB3 is actually a straight-through copper pair [section 7.3.1.B.2.a.(4)]... note the restriction of signaling frequency see the Terms Conditions in section 7.3.1.B.2.a.(2). By requesting a circuit that offers 60Hz and/or DC signalling that pretty much requires them to use Copper, if they have it available. The only way to know if they have it available is to order the circuit. After a few days the order will hit their design department which will look at the order and determine if facilities exist to provision the circuit. Some newer office towers and subdivisions/developments may be fed with fiber using Digital Loop Carrier(DLC/SLC) equipment in a CEV hut. While there is still a copper loop to each home or business from the CEV/Hut, the loop ends at the SLC and the voice is converted to PCM over fiber to extend to the C.O. Our Telco uses a slightly different wording in their Tariff for this lack of DC continuity disclaimer...: The provisioning of metallic or DC continuity applied until 1993 12 31. Thereafter, the provisioning of metallic or DC continuity is provided only where metallic facilities currently exist, following normal provisioning practices. Where capacity is exhausted, or where appropriate facilities do not exist, the Company will evaluate all requests and only provide end-to-end metallic facilities at the customer's expense based on the cost incurred by the Company. The largest concern is usually the length of the circuit because how they route the circuit is not always intuitive and the cable may take a circuitous route between your two locations. Usually they can estimate the loop length when they do the design. The limitation on frequency/pulses is largely administrative verbiage. I highly doubt they will install a filter on the circuit to prevent higher speed. (Although it is possible) At one time I think the different speed circuits were priced differently. I suppose a few decades ago the difference between 30 bits per second and 75 bits per second was considered a large amount of difference. ;-) -Randy
Re: Blaster author identified, about to be arrested...
In article [EMAIL PROTECTED], JC Dill [EMAIL PROTECTED] writes The FBI has identified a teenager as the author of a damaging virus-like infection unleashed on the Internet and plans to arrest him early Friday, a U.S. official confirmed Thursday. It always worries me when law enforcement send out a press statement that they are going to arrest a particular individual in the future. Where is he now and why won't he remove himself to somewhere a long way away, overnight? Obviously, there is something more complex happening here. -- Roland Perry
RE: Fun new policy at AOL
Then why not just pay a Virtual Mail hosting company to host a mail server for you via Imail or one of the other virtual email service packages out there. It is very inexpensive most of the time. That way you have the flexibility of having your own mail server, plus (most of the time) the server is hosted in a controlled environment (ie power, AC, network) et cetera, the benefits are endless. Thanks, -Drew -Original Message- From: Roland Perry [mailto:[EMAIL PROTECTED] Sent: Friday, August 29, 2003 4:42 PM To: [EMAIL PROTECTED] Subject: Re: Fun new policy at AOL In article [EMAIL PROTECTED], Omachonu Ogali [EMAIL PROTECTED] writes In which case, the telecommuters should use their organization's mail servers with SMTP authentication (yes, authentication, not pop-before-smtp). I'm a telecommuter, I'm also a freelance, so my organisation is me. I like the idea of running a reliable mail server with authentication, at my home base. Which is my home. I just have to get AOL not to define it as residential. -- Roland Perry
Re: dry pair
I have been following the thread very intensely since I read the article that William Warren posted. I also have two locations that I wish to connect, and we were looking at 802.11b with cantennas. This may not work because it looks like there are a lot of trees between the two locations, and they may be just out of range. We weren't sure what our other options were till this came along (we really can't afford t1 connections). Qwest has stated that one of the two locations has the fiber connectivity Randy Neals mentioned below. That does put a damper on the homebrew dsl connectivity. How would an alarm company get around this? Would Qwest need to run copper into the neighborhood if any one of the people purchased an alarm? If not, how would the alarm company get the signal pushed through the fiber, and could that be done with the dsl signal? pat - Original Message - From: Randy Neals (ORION) [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: 'Austad, Jay' [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Friday, August 29, 2003 2:46 PM Subject: RE: dry pair From: [EMAIL PROTECTED] From what I recall there is no guarantee that the Qwest tariff for NB3 is actually a straight-through copper pair [section 7.3.1.B.2.a.(4)]... note the restriction of signaling frequency see the Terms Conditions in section 7.3.1.B.2.a.(2). By requesting a circuit that offers 60Hz and/or DC signalling that pretty much requires them to use Copper, if they have it available. The only way to know if they have it available is to order the circuit. After a few days the order will hit their design department which will look at the order and determine if facilities exist to provision the circuit. Some newer office towers and subdivisions/developments may be fed with fiber using Digital Loop Carrier(DLC/SLC) equipment in a CEV hut. While there is still a copper loop to each home or business from the CEV/Hut, the loop ends at the SLC and the voice is converted to PCM over fiber to extend to the C.O. Our Telco uses a slightly different wording in their Tariff for this lack of DC continuity disclaimer...: The provisioning of metallic or DC continuity applied until 1993 12 31. Thereafter, the provisioning of metallic or DC continuity is provided only where metallic facilities currently exist, following normal provisioning practices. Where capacity is exhausted, or where appropriate facilities do not exist, the Company will evaluate all requests and only provide end-to-end metallic facilities at the customer's expense based on the cost incurred by the Company. The largest concern is usually the length of the circuit because how they route the circuit is not always intuitive and the cable may take a circuitous route between your two locations. Usually they can estimate the loop length when they do the design. The limitation on frequency/pulses is largely administrative verbiage. I highly doubt they will install a filter on the circuit to prevent higher speed. (Although it is possible) At one time I think the different speed circuits were priced differently. I suppose a few decades ago the difference between 30 bits per second and 75 bits per second was considered a large amount of difference. ;-) -Randy
Re: Fun new policy at AOL
JC Dill wrote: Either the webmail solution meets your needs, or you need to obtain service from a company that offers a solution that meets your needs. Why is this so hard to understand? Or people implement a protocol that doesn't break existing uses of the system (let's not forget the issues with many mailing-lists and .forward files). Personally, I like the idea of verifying that an IP address that is sending mail is allowed to send mail according to domain X, which is either verified by the mail from rhs or by the (he|eh)lo parameter. One or the other should be able to be verified; mail from rhs when at the home network and (he|eh)lo parameter at remote sites. Checking the MX records for each would make a good portion of the current mail servers compliant (except those with separate outbound/inbound servers) and having a different tag (txt, new DNS record, special dns tag like outmail.fqdn) would allow outbound only servers to quickly meet compliance. It's quicker and more simplistic than any proposal I've read. It doesn't break anonymous forwarding or sending mail through other provider's smtp servers. What it does do is verify that someone is responsible for that mail connection and that someone is domain X without argument. I don't care if envelopes appear to be forged. It's done regularly in production. What I do care about is being able to say that someone is responsible for the email. If domain X said that a server can send mail outbound and it's not the mail I wanted, holder of domain X is liable and lawyers can do the dirty work they are paid for. Or at a minimum, I can block domain X and not feel bad about it. -Jack
RE: Measured Internet good v. bad traffic
At 02:45 AM 8/28/2003, David Schwartz wrote: No that wouldn't work, that would be an analogy to non-usage based eg I buy a 10Mb port from you and you don't charge me extra for unwanted bandwidth across your network.. The point is that 'usage' is supposed to be 'what you use', not what somebody else uses. 'My' traffic is the traffic I want, not the traffic you try to give me that I don't want. An Internet-connected line is like an 800 phone line. You get connected, you advertise your presence, you have no control over who calls, you pay the bill for the incoming calls. That's just *how it is*. jc The last time I went looking for more bandwidth from a new provider (5 months ago or so), I talked to five major providers. I told each one that we would not pay for attack traffic after we notified them of the problem but were willing to pay a reasonable 'per-incident' fee (say $500). Not one of these providers had any problem with that. So it's not how it is. DS
RE: Blaster author identified, about to be arrested...
Or possibly a scare tactic so the real offender will relax. Luke -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roland Perry Sent: Friday, August 29, 2003 1:52 PM To: [EMAIL PROTECTED] Subject: Re: Blaster author identified, about to be arrested... In article [EMAIL PROTECTED], JC Dill [EMAIL PROTECTED] writes The FBI has identified a teenager as the author of a damaging virus-like infection unleashed on the Internet and plans to arrest him early Friday, a U.S. official confirmed Thursday. It always worries me when law enforcement send out a press statement that they are going to arrest a particular individual in the future. Where is he now and why won't he remove himself to somewhere a long way away, overnight? Obviously, there is something more complex happening here. -- Roland Perry
Re: Blaster author identified, about to be arrested...
Roland Perry wrote: In article [EMAIL PROTECTED], JC Dill [EMAIL PROTECTED] writes The FBI has identified a teenager as the author of a damaging virus-like infection unleashed on the Internet and plans to arrest him early Friday, a U.S. official confirmed Thursday. It always worries me when law enforcement send out a press statement that they are going to arrest a particular individual in the future. Where is he now and why won't he remove himself to somewhere a long way away, overnight? Obviously, there is something more complex happening here. --- Scanning mail for operational content... -^H\^H|^H/^H-^H\ --- Operational content: 0.00% Many accused offenders pre-arrange, often through lawyers, times to surrender themselves to authorities. This is a Good Thing. A lot less dangerous to both law enforcement personnel and the accused, not to mention a lot cheaper. However, none of the articles I have seen mention whether teekid surrendered himself or was picked up off the street. But he must have known the Feds were on to him already. They questioned him, searched his house, and seized several of his computers on the 19th. -- Crist J. Clark [EMAIL PROTECTED] Globalstar Communications (408) 933-4387
Re: Fun new policy at AOL
In article [EMAIL PROTECTED], Drew Weaver [EMAIL PROTECTED] writes Then why not just pay a Virtual Mail hosting company to host a mail server for you via Imail or one of the other virtual email service packages out there. It is very inexpensive most of the time. That way you have the flexibility of having your own mail server, plus (most of the time) the server is hosted in a controlled environment (ie power, AC, network) et cetera, the benefits are endless. I do that for POP3, but suppliers of a similar service for outbound mail clearly need a new marketing department. -- Roland Perry
Re: Fun new policy at AOL
[EMAIL PROTECTED] wrote: So the provider allows the user to pick an insecure password, and then complains that they can't support a security measure because of their poor policy choices/enforcement? You have an easy way to change password enforcement of an existing user base? Dealing with people infected with the latest worms has increased workloads across the board. That's only a small percentage of the user base. Password enforcement on an existing user base will cause problems for a majority of the user base. Proprietary dialers help, but have their own problems. If you use the mail interface to change the dialup passwords, you'll get calls from users that can no longer dial in; otherwise you fragment passwords on an account and add overhead that's unnecessary. Adding the policy and waiting for it to rotate out would take over a decade. I wouldn't recommend a policy change like that for any user base over 10,000. -Jack
Re: Blaster author identified, about to be arrested...
Or possibly a scare tactic so the real offender will relax. Maybe he is hiding with the WMD ;) Neil.
Re: Blaster author identified, about to be arrested...
Where is he now and why won't he remove himself to somewhere a long way away, overnight? Obviously, there is something more complex happening here. don't give that lamer credit for my code. Doh!
Re: Fun new policy at AOL
On Fri, 29 Aug 2003 16:19:28 CDT, Jack Bates said: I wouldn't recommend a policy change like that for any user base over 10,000. So you're saying that because you've got too many users with dumb passwords, that's justification for not fixing it? ;) /Valdis (and yes, we're in the middle of a multi-month deployment of better password policies for some 40K entities, so been there, done that)
Re: dry pair
On Fri, 29 Aug 2003, Patrick Felt wrote: I have been following the thread very intensely since I read the article that William Warren posted. I also have two locations that I wish to connect, and we were looking at 802.11b with cantennas. This may not work because it looks like there are a lot of trees between the two locations, and they may be just out of range. We weren't sure what our other options were till this came along (we really can't afford t1 connections). Qwest has stated that one of the two locations has the fiber connectivity Randy Neals mentioned below. That does put a damper on the homebrew dsl connectivity. How would an alarm company get around this? Probably the alarm company would use slightly different gear and settle for what in qwest terminology is a plt (private line transport) ds0, or maybe dds, which is a synchronous serial service. Would Qwest need to run copper into the neighborhood if any one of the people purchased an alarm? not likely. if it's a feasible buildout they'll be happy to charge you for the construction involved in delivering the service. but that will push out the delivery date and probably increase the cost to the point where it's not really affordable... most adt style home alarms systems use your existing pots telephone line anyway. most alarms circuit applications are to insure that things like the door on your bank vault or the cryogenic refrigerator in your sperm bank don't fail without someone noticing. If not, how would the alarm company get the signal pushed through the fiber, and could that be done with the dsl signal? The alarm companies need to deliver extremely small amounts of data which can range from make or break circuits to 60 300 or 2400bps data for things like building control systems, that's a considerably different problem than trying to ram 1-7mb/s through a 25,000 foot long piece of wire. pat - Original Message - From: Randy Neals (ORION) [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: 'Austad, Jay' [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Friday, August 29, 2003 2:46 PM Subject: RE: dry pair From: [EMAIL PROTECTED] From what I recall there is no guarantee that the Qwest tariff for NB3 is actually a straight-through copper pair [section 7.3.1.B.2.a.(4)]... note the restriction of signaling frequency see the Terms Conditions in section 7.3.1.B.2.a.(2). By requesting a circuit that offers 60Hz and/or DC signalling that pretty much requires them to use Copper, if they have it available. The only way to know if they have it available is to order the circuit. After a few days the order will hit their design department which will look at the order and determine if facilities exist to provision the circuit. Some newer office towers and subdivisions/developments may be fed with fiber using Digital Loop Carrier(DLC/SLC) equipment in a CEV hut. While there is still a copper loop to each home or business from the CEV/Hut, the loop ends at the SLC and the voice is converted to PCM over fiber to extend to the C.O. Our Telco uses a slightly different wording in their Tariff for this lack of DC continuity disclaimer...: The provisioning of metallic or DC continuity applied until 1993 12 31. Thereafter, the provisioning of metallic or DC continuity is provided only where metallic facilities currently exist, following normal provisioning practices. Where capacity is exhausted, or where appropriate facilities do not exist, the Company will evaluate all requests and only provide end-to-end metallic facilities at the customer's expense based on the cost incurred by the Company. The largest concern is usually the length of the circuit because how they route the circuit is not always intuitive and the cable may take a circuitous route between your two locations. Usually they can estimate the loop length when they do the design. The limitation on frequency/pulses is largely administrative verbiage. I highly doubt they will install a filter on the circuit to prevent higher speed. (Although it is possible) At one time I think the different speed circuits were priced differently. I suppose a few decades ago the difference between 30 bits per second and 75 bits per second was considered a large amount of difference. ;-) -Randy -- -- Joel Jaeggli Unix Consulting [EMAIL PROTECTED] GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
RE: dry pair
How would an alarm company get around this? Would Qwest need to run copper into the neighborhood if any one of the people purchased an alarm? If not, how would the alarm company get the signal pushed through the fiber, and could that be done with the dsl signal? Most home/small business alarm systems use a digital dialer and use a regular dial up phone line. The alarm system dials the alarm monitoring station then uses a low speed data protocol to report the alarm. Of course if the line is cut the alarm can't get through. For businesses that are required to have a monitored/dedicated line on their alarm there is a newer technology called DVACS which uses a low speed Frequency Shift F1/F2 modem to communicate alarms over a voice-band private line. Voice-band (300-3000Hz) private lines as well as 56K/64K DDS and ISDN digital lines can be provisioned over most DLC/SLC fiber systems. -Randy