Re: UK gov get onboard the security notification train

2005-02-24 Thread Martin Hepworth

Also it's a shame there's no sign-up confirmation email/SMS on these.
Heck should I wish I could get all the spam trojans to sign up to this
with interesting email/mobile-numbers and really annoy a lot of people.

Sigh - reinventing the wheel (badly) again. Wonders what's wrong with 
MailMan (etc) and just patch in an SMS system to it...???

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
Colin Johnston wrote:
> See
> http://news.bbc.co.uk/1/hi/technology/4291005.stm
> Now maybe if we can persuade UK Gov to configure mailing lists correctly to
> not send virus content before it is scanned then maybe we can all sleep safe
> at night :)
> Colin Johnston


Re: UK gov get onboard the security notification train

2005-02-24 Thread Simon Dick

On Thu, 2005-02-24 at 09:43 +, Alex Bligh wrote:
 
 
 --On 24 February 2005 09:37 + Martin Hepworth 
 [EMAIL PROTECTED] wrote:
 
  Also it's shame there's no sign-up confirmation email/SMS on these.
 
 I am betting they don't PGP sign anything, so that it's entirely
 possible for some miscreant to provide spoof attacks.

On the other hand, they let you specify a ITSafe word which I gather
they put in all the subjects, personally I'd prefer PGP though.

-- 
Simon Dick [EMAIL PROTECTED]



Who is watching the watchers?

2005-02-24 Thread Michael . Dillon

Former chief privacy officer of Gator has been appointed to the Data 
Privacy and Integrity Advisory Committee of the Department of Homeland 
Security.

http://www.salon.com/politics/war_room/2005/02/23/gator/index.html?source=RSS


--Michael Dillon



Re: Who is watching the watchers?

2005-02-24 Thread Daniel Golding


Was it part of a plea agreement?!

Maybe this is like the FBI employing forgers and burglars to get advice on
stopping crime?

Well, probably not... :(

- Dan

On 2/24/05 9:30 AM, [EMAIL PROTECTED]
[EMAIL PROTECTED] wrote:

 
 Former chief privacy officer of Gator has been appointed to the Data
 Privacy and Integrity Advisory Committee of the Department of Homeland
 Security.
 
 http://www.salon.com/politics/war_room/2005/02/23/gator/index.html?source=RSS
 
 
 --Michael Dillon
 






FW: [MPLS-OPS]: Toolbox for Traffic Engineering freely available

2005-02-24 Thread Irwin Lazar

Thought I'd pass this along in case anyone is interested:

-- Forwarded Message
 From: Skivee Fabian [EMAIL PROTECTED]
 Date: Thu, 24 Feb 2005 16:22:13 +0100 (CET)
 To: [EMAIL PROTECTED]
 Subject: [MPLS-OPS]: Toolbox for Traffic Engineering freely available
 Resent-From: [EMAIL PROTECTED]
 Resent-Date: Thu, 24 Feb 2005 10:22:29 -0500
 
 
 The first release of the open-source TOolbox for Traffic Engineering
 Methods (TOTEM) is now freely available.
 
 This toolbox integrates a series of tools for intra-domain and
 inter-domain traffic engineering of IP and MPLS networks. It allows
 network operators to traffic engineer their network, and also researchers
 to compare their techniques to methods already in the toolbox.
 
 Release 1.0 includes features like:
- IP metric optimisation
- MPLS LSP path computation supporting preemption and DiffServ-TE
- MPLS backup LSP path computation with bandwidth sharing
- BGP decision process simulations
- Flexible simulation scenarios such as link/node failures
- Interoperable XML format for topology and traffic matrix representation
- ...
 
 You can find additional information, binaries, source codes and user guide
 at:
http://totem.run.montefiore.ulg.ac.be
 
 TOTEM project home page: http://totem.info.ucl.ac.be/
 
 Best regards,
 
 The TOTEM team
 
 PS: To be informed about new releases of the toolbox, subscribe to our
 mailing list at
 http://mailman.info.ucl.ac.be/mailman/listinfo/totem-announce
 
 -- 
 Making the impossible possible, the possible easy, the easy elegant ...
 
 Fabian Skivee Tel :   +32 4 366 26 10
 Universite de Liege   Secr :  +32 4 366 26 91
 Reseaux Informatiques Fax :   +32 4 366 29 89
 Research Unit in Networking (RUN) [EMAIL PROTECTED]
 Institut d'Electricite Montefiore, B 28, B-4000 LIEGE 1, BELGIUM
 
 CoNEXT 2005 - The E-NEXT NoE conference - http://www.co-next.net/
 
 ---
 The MPLS-OPS Mailing List
 Subscribe/Unsubscribe:  http://www.mplsrc.com/mplsops.shtml
 Archive: http://www.mplsrc.com/mpls-ops_archive.shtml

-- End of Forwarded Message



AOL scomp

2005-02-24 Thread Edward B. Dreger

Can AOL's "this is spam" feedback loop be abused with a single person
responding to a single message many, many times?  Inquiring minds want
to know.


Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita

DO NOT send mail to the following addresses:
[EMAIL PROTECTED] -*- [EMAIL PROTECTED] -*- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.
Ditto for broken OOO autoresponders and foolish AV software backscatter.



Re: AOL scomp

2005-02-24 Thread Jeff Wheeler
On Feb 24, 2005, at 11:52 AM, Edward B. Dreger wrote:
> Can AOL's "this is spam" feedback loop be abused with a single person
> responding to a single message many, many times?  Inquiring minds want
> to know.

No it can't be abused [by the average AOL user] - when you click the
Report Spam button the message disappears from your mailbox.  I
tested this from within AOL version 10.3 for Mac OS X.

--
Jeff Wheeler
Postmaster, Network Admin
US Institute of Peace


Re: AOL scomp

2005-02-24 Thread Matt Taber
It's too bad that about 1/3 of the reported mails are valid opt-in lists.
Ahh well -- this is a nice mechanism that AOL provides, IMO.
Matt Taber
Network Admin
WMIS Internet - www.wmis.net
--
If you really want something in this life, you have to work for it. 
Now, quiet! They're about to announce the lottery numbers...
- Homer Simpson


Jeff Wheeler wrote:
> On Feb 24, 2005, at 11:52 AM, Edward B. Dreger wrote:
>> Can AOL's "this is spam" feedback loop be abused with a single person
>> responding to a single message many, many times?  Inquiring minds want
>> to know.
>
> No it can't be abused [by the average AOL user] - when you click the
> Report Spam button the message disappears from your mailbox.  I tested
> this from within AOL version 10.3 for Mac OS X.

--
Jeff Wheeler
Postmaster, Network Admin
US Institute of Peace




Re: AOL scomp

2005-02-24 Thread Valdis . Kletnieks
On Thu, 24 Feb 2005 12:28:58 EST, Matt Taber said:
 It's too bad that about 1/3 of the reported mails are valid opt-in lists.

Proof that any network management or security or anti-spam scheme that implies
end users with functional neurons is doomed from the get-go.





Re: Who is watching the watchers?

2005-02-24 Thread Paul Vixie

  Former chief privacy officer of Gator has been appointed to the Data
  Privacy and Integrity Advisory Committee of the Department of Homeland
  Security.
  
  http://www.salon.com/politics/war_room/2005/02/23/gator/index.html

as president bush (jr) said on tv in the days following 9/11,
america is open for business!
-- 
Paul Vixie


Re: AOL scomp

2005-02-24 Thread chuck goolsbee

> It's too bad that about 1/3 of the reported mails are valid opt-in lists.

The other 1/3rd are actual spam, but legitimately forwarded as the
user requested from a personal or business domain to an AOL account.
Any server in the path gets tagged as a spam source.

And the remaining third seems to be just plain old normal personal
correspondence ... which I find weird.

> Ahh well -- this is a nice mechanism that AOL provides, IMO.

Agreed, though maybe they should look at SpamAssassin or Postini. Take
their end-users out of the filtering mechanism somehow.

--chuck
--
__
There's only so much stupidity you can compensate for;
there comes a point where you compensate for so much
stupidity that it starts to cause problems for the
people who actually think in a normal way.
-Bill, digital.forest tech support


Re: Who is watching the watchers?

2005-02-24 Thread Eric Brunner-Williams in Portland Maine

   Former chief privacy officer of Gator has been appointed to the Data
   Privacy and Integrity Advisory Committee of the Department of Homeland
   Security.
   
   http://www.salon.com/politics/war_room/2005/02/23/gator/index.html
 
 as president bush (jr) said on tv in the days following 9/11,
 america is open for business!

You don't want to know who is the CPO for DHS. It's FUBAR all the way up.

Eric


Re: AOL scomp

2005-02-24 Thread Michael Loftis

--On Thursday, February 24, 2005 10:18 AM -0800 chuck goolsbee 
[EMAIL PROTECTED] wrote:


>> It's too bad that about 1/3 of the reported mails are valid opt-in lists.
>
> The other 1/3rd are actual spam, but legitimately forwarded as the user
> requested from a personal or business domain to an AOL account. Any
> server in the path gets tagged as a spam source.

Actually only the server that connected to AOL and relayed the mail into
them.  I have this same kind of gripe/complaint.  Only for me about 2/3rds
of my scomp reports are this.  The other third are the below...only very
rarely is an actual spam reported from our system, except in the case of
where we occasionally have a fraudulent signup come through and then start
spamming.

> And the remaining third seems to be just plain old normal personal
> correspondence ... which I find weird.

This happens because, at least in many versions I don't know about
currently, DELETE and SPAM buttons were right next to each other, causing
mis-clicks.



RE: AOL scomp

2005-02-24 Thread andrew2


 The other 1/3rd are actual spam, but legitimately forwarded as the
 user requested from a personal or business domain to an AOL account.
 Any server in the path gets tagged as a spam source.
 
 Actually only the server that connected to AOL and relayed
 the mail into them.  I have this same kind of
 gripe/complaint.  Only for me about 2/3rds of my scomp
 reports are this.  

I see the same thing.  At least 2/3rds are spam forwarded along as
described above.  I have to give some credit to AOL WRT handling that
type of situation -- they're much better than MSN/Hotmail who do not
have a whitelist or feedback loop and simply stop accepting mail for 12+
hours from any server that reaches a particular spam threshold.  They
refuse to do anything about it, even after trying to explain the
situation because "It's the Symantec software that does it."  Of course
the fact they're causing affected servers to get their mail queues
backed up with mail awaiting delivery to MSN/Hotmail isn't their problem
either.  Grrr...

Andrew



RE: AOL scomp

2005-02-24 Thread Drew Weaver

Postini is my friend :-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
chuck goolsbee
Sent: Thursday, February 24, 2005 1:19 PM
To: [EMAIL PROTECTED]
Subject: Re: AOL scomp


It's too bad that about 1/3 of the reported mails are valid opt-in
lists.

The other 1/3rd are actual spam, but legitimately forwarded as the 
user requested from a personal or business domain to an AOL account. 
Any server in the path gets tagged as a spam source.

And the remaining third seems to be just plain old normal personal 
correspondence ... which I find weird.

Ahh well -- this is a nice mechanism that AOL provides, IMO.

Agreed, though maybe they should look at SpamAssassin or Postini. Take
their end-users out of the filtering mechanism somehow.

--chuck


-- 

__
There's only so much stupidity you can compensate for;
there comes a point where you compensate for so much
stupidity that it starts to cause problems for the
people who actually think in a normal way.

-Bill, digital.forest tech support


Re: AOL scomp

2005-02-24 Thread Edward B. Dreger

All,


Thanks for the many on- and off-list replies.  Things begin to make a
bit more sense.

We recently began hosting a list with several AOL subscribers, and this
week's complaint volume is five times what it was last week.  With one
complaint per ~4 AOL subscribers (who are but 4.6% of the total list)
this time around, and _zero_ complaints from anywhere else, I thought
something was amiss.  'tis a pity AOLers can't tell delete from
unsubscribe from spam.

Time to VERPify the list and unsubscribe people mercilessly. *grumble*

On the cynical side:  Has anyone considered an inverted blacklist --
i.e., a _destination_-based mail blocking mechanism?  Rejecting mail to
parties with excessive bogus complaint rates certainly might simplify
life for those tasked with handling abuse incidents. ;-)

On a more positive note:  One AOL user unsubscribed correctly.  I don't
mean to bash all AOLers... just the ones who are a bit... confused.


Thanks to all,
Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita

DO NOT send mail to the following addresses:
[EMAIL PROTECTED] -*- [EMAIL PROTECTED] -*- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.
Ditto for broken OOO autoresponders and foolish AV software backscatter.



Re: AOL scomp

2005-02-24 Thread Joe Maimon

chuck goolsbee wrote:

>> It's too bad that about 1/3 of the reported mails are valid opt-in
>> lists.
>
> The other 1/3rd are actual spam, but legitimately forwarded as the
> user requested from a personal or business domain to an AOL account.
> Any server in the path gets tagged as a spam source.

I believe one has an extra duty to be as strict as possible about
accepting email to be forwarded to external parties:

Read: Setup for every usable blocklist, including your own, which
rejects email outright. And spamassassin setup to reject any reasonable
low FP score threshold. And none of that "tag em all and let the user
sort it out" business.

It's not legitimate to cover your eyes and forward probable garbage to
someone else. You want it on your system, that's your decision. AOL
blocklisting high percentage garbage senders, including those merely
forwarding, is perfectly valid in my book.

To blocklist all servers in the path or just the most recent one is a
local decision


RE: AOL scomp

2005-02-24 Thread Edward B. Dreger

 Date: Thu, 24 Feb 2005 13:46:20 -0500
 From: [EMAIL PROTECTED]

 I see the same thing.  At least 2/3rds are spam forwarded along as
 described above.  I have to give some credit to AOL WRT handling that
 type of situation -- they're much better than MSN/Hotmail who do not
 have a whitelist or feedback loop and simply stop accepting mail for
 12+ hours from any server that reaches a particular spam threshold.

We now refuse to forward mail that's almost certainly spam.  Users may
POP it, but forwarding is out.

Jared [if you're listening], care to provide an scomp POC-type
database on puck?


Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita

DO NOT send mail to the following addresses:
[EMAIL PROTECTED] -*- [EMAIL PROTECTED] -*- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.
Ditto for broken OOO autoresponders and foolish AV software backscatter.



Re: AOL scomp

2005-02-24 Thread Edward B. Dreger

JM Date: Thu, 24 Feb 2005 14:17:24 -0500
JM From: Joe Maimon

JM To blocklist all servers in the path or just the most recent one is
JM a local decision

Want to DoS someone?  Have fun with bogus Received: headers in actual
junk mail.  Developing heuristics to try detecting this is interesting.
It's not impossible, but it's hardly an exact science.


Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita

DO NOT send mail to the following addresses:
[EMAIL PROTECTED] -*- [EMAIL PROTECTED] -*- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.
Ditto for broken OOO autoresponders and foolish AV software backscatter.
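
The difference between believing every Received: line and believing only the hops recorded by your own servers or by relays you have vetted, as an added example that is not part of the original post. The hostnames, addresses, the `trusted_relays` table and the assumed Received: layout are constructed for illustration.

```python
import re
from email import message_from_string

# Assumed layout: "from HELO (rdns [ip]) by HOST ..." as stamped by common MTAs.
RECEIVED_RE = re.compile(
    r"from\s+\S+\s+\((?:\S+\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r".*?\bby\s+(?P<by>[\w.-]+)",
    re.S,
)

# Constructed message: the two upper Received: lines were stamped by real
# servers, the lowest one was typed in by the sender to implicate a third party.
SAMPLE = """\
Received: from fwd.example.org (fwd.example.org [198.51.100.5])
    by mx1.example.net with ESMTP id A1; Thu, 24 Feb 2005 19:20:01 +0000
Received: from pc.invalid (unknown [203.0.113.7])
    by fwd.example.org with SMTP id B2; Thu, 24 Feb 2005 19:19:58 +0000
Received: from mail.victim.example (mail.victim.example [192.0.2.99])
    by relay.invalid with ESMTP id C3; Thu, 24 Feb 2005 19:19:40 +0000
From: someone@invalid
Subject: constructed sample

body
"""


def parse_hops(raw_message):
    """Return one (peer_ip, stamping_host) per Received: line, newest first.

    A line that does not match the assumed layout yields None.
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        hops.append((m.group("ip"), m.group("by").lower()) if m else None)
    return hops


def naive_sources(raw_message):
    """Every IP named anywhere in the chain: what 'blame the whole path' sees."""
    return [hop[0] for hop in parse_hops(raw_message) if hop]


def verified_sources(raw_message, my_hosts, trusted_relays):
    """Walk the chain from the top and stop at the first line we cannot vouch for.

    my_hosts:       hostnames of our own MX servers (their stamp is believed)
    trusted_relays: {ip: hostname} of relays whose stamps we also believe
    """
    sources = []
    expected_writers = {h.lower() for h in my_hosts}
    for hop in parse_hops(raw_message):
        if hop is None:
            break                      # unparsable line: trust nothing below it
        ip, writer = hop
        if writer not in expected_writers:
            break                      # not stamped by the host we expected
        sources.append(ip)
        relay = trusted_relays.get(ip)
        if relay is None:
            break                      # peer is not vetted: its claims are hearsay
        expected_writers = {relay.lower()}
    return sources


def accountable_source(raw_message, my_hosts, trusted_relays):
    """The last IP we can actually vouch for, or None."""
    sources = verified_sources(raw_message, my_hosts, trusted_relays)
    return sources[-1] if sources else None
```

With no vetted relays the forwarder's address is the only one that can be held accountable; with the forwarder vetted, accountability moves one hop further out, and in neither case does the typed-in line count.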



Re: AOL scomp

2005-02-24 Thread Mark Radabaugh
Joe Maimon wrote:
| I believe one has an extra duty to be as strict as possible about
| accepting email to be forwarded to external parties:
|
| Read: Setup for every usable blocklist, including your own, which
| rejects email outright. And spamassassin setup to reject any
| reasonable low FP score threshold. And none of that "tag em all
| and let the user sort it out" business.
|
| It's not legitimate to cover your eyes and forward probable garbage
|  to someone else. You want it on your system, that's your decision.
|  AOL blocklisting high percentage garbage senders, including those
|  merely forwarding, is perfectly valid in my book.
|
| To blocklist all servers in the path or just the most recent one is
|  a local decision

Now here I would disagree.   These are specific requests by
individuals to forward mail from one of their own accounts to
another one of their own accounts.   I do not think AOL (or anyone)
should consider mail forwarded at the customers request as indicating
that our mail servers are sending spam.

As that is apparently not the case I have seriously considered as a
matter of policy refusing to install mail forwards to AOL customers.

Mark Radabaugh
Amplex


Re: AOL scomp

2005-02-24 Thread Matthew Crocker

Due to AOL scomp and SPF we have stopped forwarding altogether.
Existing accounts are grandfathered and we are working on migrating
them all to IMAP-SSL.  ALL new accounts have to IMAP their mail from
our servers.  I get WAY too much junk from forwarded mail going to
AOL.  I also get way too many tech support calls about forwarded mail
being rejected because of SPF.

-Matt


Re: AOL scomp

2005-02-24 Thread John Osmon

On Thu, Feb 24, 2005 at 07:08:07PM +, Edward B. Dreger wrote:
[...]

 On the cynical side:  Has anyone considered an inverted blacklist --
 i.e., a _destination_-based mail blocking mechanism?  Rejecting mail to
 parties with excessive bogus complaint rates certainly might simplify
 life for those tasked with handling abuse incidents. ;-)

It's interesting that you should ask that today.  A few days ago
we started throwing around an idea along these lines:
  - N = # of bogus abuse/spam reports for a given destination
  - X = # of reports where we stop delivering mail to
    a given destination
  - for 0 < N < X -- deliver the mail, but also inform the sender
    that the destination address has reported spam/abuse coming from
    our network, and that if it continues, we won't deliver mail
    to that destination anymore.
  - for N > X -- tell the sender that we aren't delivering the mail
    because it is likely to get us put on a blacklist.

We haven't fleshed things out completely, because we're not sure
the cure is better than the disease yet...
 
-- 
John Osmon
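
Added example, not from the thread: the VERP envelope sender Edward B. Dreger mentions and the N/X threshold scheme John Osmon outlines, joined so that each complaint is attributed to one destination and counted against it. The list address, the subscriber addresses, counting every attributable complaint as bogus, and treating N == X as "stop delivering" (the post leaves that case open) are assumptions.

```python
from collections import Counter

# Constructed list identity (assumption, not from the thread).
BOUNCE_LOCAL = "announce-bounces"
LIST_DOMAIN = "lists.example.org"


def verp_encode(subscriber):
    """Per-recipient envelope sender: the subscriber rides in the local part."""
    local, domain = subscriber.rsplit("@", 1)
    return f"{BOUNCE_LOCAL}+{local}={domain}@{LIST_DOMAIN}"


def verp_decode(return_path):
    """Recover the subscriber from a VERP return path, or None if not ours."""
    addr = return_path.strip().strip("<>")
    if "@" not in addr:
        return None
    local, domain = addr.rsplit("@", 1)
    prefix = BOUNCE_LOCAL + "+"
    if domain.lower() != LIST_DOMAIN or not local.startswith(prefix):
        return None
    # Split on the LAST "=": a domain cannot contain "=", a local part can.
    sub_local, sep, sub_domain = local[len(prefix):].rpartition("=")
    if not sep or not sub_local or not sub_domain:
        return None
    return f"{sub_local}@{sub_domain}".lower()


class ComplaintPolicy:
    """N bogus reports per destination, compared against the cut-off X."""

    def __init__(self, stop_at):
        self.stop_at = stop_at      # X in the post
        self.bogus = Counter()      # N per destination address

    def record(self, return_path):
        """Count one complaint; returns the destination it was attributed to."""
        dest = verp_decode(return_path)
        if dest is not None:
            self.bogus[dest] += 1
        return dest

    def decide(self, destination):
        n = self.bogus[destination.lower()]
        if n == 0:
            return "deliver"
        if n < self.stop_at:
            # 0 < N < X: deliver, and warn the sender about this destination.
            return "deliver-and-warn-sender"
        # N >= X (assumption for N == X): refuse and tell the sender why.
        return "refuse-and-tell-sender"


# Constructed Return-Path values as they might appear in complaint reports.
COMPLAINT_RETURN_PATHS = [
    "<announce-bounces+pat=aol.example@lists.example.org>",
    "<announce-bounces+pat=aol.example@lists.example.org>",
    "<announce-bounces+pat=aol.example@lists.example.org>",
    "<announce-bounces+a=b=aol.example@lists.example.org>",
    "<someone@elsewhere.example>",   # not a VERP address of this list: ignored
]


def run_demo(stop_at=3):
    policy = ComplaintPolicy(stop_at)
    for return_path in COMPLAINT_RETURN_PATHS:
        policy.record(return_path)
    destinations = ("pat@aol.example", "a=b@aol.example", "quiet@aol.example")
    return {d: policy.decide(d) for d in destinations}
```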


Re: Who is watching the watchers?

2005-02-24 Thread Fergie (Paul Ferguson)


I like how Good Morning Silicon Valley phrased it:

In other news, Ken Lay was appointed Director of the
Treasury 

http://www.siliconvalley.com/mld/siliconvalley/business/columnists/gmsv/10981910.htm

- ferg


-- Adam Jacob Muller [EMAIL PROTECTED] wrote:

This would be like having Ken Lay write our energy policy...
 wait, we already did that


Adam

On Feb 24, 2005, at 9:28 AM, Eric Brunner-Williams in Portland Maine 
wrote:


 Former chief privacy officer of Gator has been appointed to the Data
 Privacy and Integrity Advisory Committee of the Department of 
 Homeland
 Security.

 http://www.salon.com/politics/war_room/2005/02/23/gator/index.html

 as president bush (jr) said on tv in the days following 9/11,
 america is open for business!

 You don't want to know who is the CPO for DHS. It's FUBAR all the way
 up.

 Eric





Re: Who is watching the watchers?

2005-02-24 Thread Jim Popovitch

On Thu, 2005-02-24 at 15:10 -0500, Adam Jacob Muller wrote:
 This would be like having Ken Lay write our energy policy...
  wait, we already did that
 

What?!? We have an energy policy?

(who is we?)

-Jim P.



Spoofing and Internet Filtering

2005-02-24 Thread Robert Beverly


Hi all,

I'm working on a project designed to determine the extent of ingress and
egress filtering on the Internet.  Specifically interested in the ability
to forge headers and source spoofed packets.  The project relies on
clients running an active measurement program from as wide a distribution
of netblocks as possible.  If you're curious about your connection,
your upstream or how prevalent filtering is on other's networks,
try out the source or one of the binaries from:
http://momo.lcs.mit.edu/spoofer/

Many more details of the program, methodology and current results are 
on the web site as well.  Thanks!

rob



Re: Why do so few mail providers support Port 587?

2005-02-24 Thread Nils Ketelsen

On Tue, Feb 15, 2005 at 09:00:11PM -0500, Sean Donelan wrote:

 Although RFC2476 was published in December 1998, it's amazing
 how few mail providers support the Message Submission protocol
 for e-mail on Port 587.  Even odder, some mail providers
 use other ports such as 26 or 2525, but not the RFC recommended
 Port 587 for remote authenticated mail access for users.

I can not say anything about other providers, but I don't do it for a
simple reason: I think it is completely pointless. 

 What can be done to encourage universities and other mail providers
 with large roaming user populations to support RFC2476/Port 587?

Give a good reason. That is still the missing part.


Nils


informal survey -- have you submitted a talk to nanog been refused?

2005-02-24 Thread Paul Vixie

i'm trying to understand the supposed dearth of submissions, but i've never
been on the programme committee and so i need some data.  if you've submitted
a paper to nanog that was refused -- ever! -- and are willing to share details
(ideally including the reasons you were given for the refusal, and what you
were asked to do to fix them, and what you actually did) please send me e-mail.


Re: AOL scomp

2005-02-24 Thread Matt Taber
Postini is my friend too.
But the more we can do to get rid of spam on our own, the less we have 
to pay Postini each month.

What we pay to Postini a year could pay a person's salary!
--
If you really want something in this life, you have to work for it. 
Now, quiet! They're about to announce the lottery numbers...
- Homer Simpson


Drew Weaver wrote:
> Postini is my friend :-)
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> chuck goolsbee
> Sent: Thursday, February 24, 2005 1:19 PM
> To: [EMAIL PROTECTED]
> Subject: Re: AOL scomp
>
>> It's too bad that about 1/3 of the reported mails are valid opt-in
>> lists.
>
> The other 1/3rd are actual spam, but legitimately forwarded as the
> user requested from a personal or business domain to an AOL account.
> Any server in the path gets tagged as a spam source.
>
> And the remaining third seems to be just plain old normal personal
> correspondence ... which I find weird.
>
>> Ahh well -- this is a nice mechanism that AOL provides, IMO.
>
> Agreed, though maybe they should look at SpamAssassin or Postini. Take
> their end-users out of the filtering mechanism somehow.
>
> --chuck




Re: Why do so few mail providers support Port 587?

2005-02-24 Thread Florian Weimer

* Nils Ketelsen:

 What can be done to encourage universities and other mail providers
 with large roaming user populations to support RFC2476/Port 587?

 Give a good reason. That is still the missing part.

From the MTA perspective, 25/TCP is the "you are responsible for the
message" port, 587/TCP is the "I will be responsible for the message"
port.  In other words, the implied abuse management contracts differ
significantly.

However, this is mostly theory.  I'm not sure if mail providers will
try to pass responsibility for spam injected on 587/TCP to the ISP
from whose address space the message was submitted.  (They already do
so for some parts of the abuse management process, e.g. law
enforcement requests.)


Forwarding spam (was Re: AOL scomp)

2005-02-24 Thread J.D. Falk

On 02/24/05, Edward B. Dreger [EMAIL PROTECTED] wrote: 

  I see the same thing.  At least 2/3rds are spam forwarded along as
  described above.  I have to give some credit to AOL WRT handling that
  type of situation -- they're much better than MSN/Hotmail who do not
  have a whitelist or feedback loop and simply stop accepting mail for
  12+ hours from any server that reaches a particular spam threshold.
 
 We now refuse to forward mail that's almost certainly spam.  Users may
 POP it, but forwarding is out.

Very good idea, given the lack of any standard way for a receiving 
ISP to know that the mail was forwarded.

-- 
J.D. Falk              uncertainty is only a virtue
[EMAIL PROTECTED]      when you don't know the answer yet


Re: Why do so few mail providers support Port 587?

2005-02-24 Thread Nils Ketelsen

On Thu, Feb 24, 2005 at 04:20:33PM -0500, [EMAIL PROTECTED] wrote:

 On Thu, 24 Feb 2005 16:08:42 EST, Nils Ketelsen said:
  On Tue, Feb 15, 2005 at 09:00:11PM -0500, Sean Donelan wrote:
   What can be done to encourage universities and other mail providers
   with large roaming user populations to support RFC2476/Port 587?
  Give a good reason. That is still the missing part.

 If you're a roaming user from that provider, and you're at some other
 site that blocks or hijacks port 25, you can still send mail by tossing
 it to your main provider's 587.  If that's not a good enough reason to

And if I am a roaming user at some other site, that blocks or hijacks port
587?

 motivate the provider to support it, nothing will (except maybe when the
 users show up en masse with pitchforks and other implements of
 destruction...)

Then, I believe, nothing will motivate me.

Nils


Re: Why do so few mail providers support Port 587?

2005-02-24 Thread Valdis . Kletnieks
On Thu, 24 Feb 2005 16:08:42 EST, Nils Ketelsen said:

 On Tue, Feb 15, 2005 at 09:00:11PM -0500, Sean Donelan wrote:

  What can be done to encourage universities and other mail providers
  with large roaming user populations to support RFC2476/Port 587?
 
 Give a good reason. That is still the missing part.

If you're a roaming user from that provider, and you're at some other
site that blocks or hijacks port 25, you can still send mail by tossing it
to your main provider's 587.   If that's not a good enough reason to motivate
the provider to support it, nothing will (except maybe when the users show up
en masse with pitchforks and other implements of destruction...)





RE: Why do so few mail providers support Port 587?

2005-02-24 Thread andrew2

[EMAIL PROTECTED] wrote:
 On Thu, 24 Feb 2005 16:08:42 EST, Nils Ketelsen said:
 
 On Tue, Feb 15, 2005 at 09:00:11PM -0500, Sean Donelan wrote:
 
 What can be done to encourage universities and other mail providers
 with large roaming user populations to support RFC2476/Port 587?
 
 Give a good reason. That is still the missing part.
 
 If you're a roaming user from that provider, and you're at
 some other site that blocks or hijacks port 25, you can still send
 mail by tossing it to your main provider's 587.   If that's not a
 good enough reason to motivate the provider to support it, nothing
 will (except maybe when the users show up en masse with pitchforks
 and other implements of destruction...)

There seem to be many who feel there is no overwhelming reason to
support 587.  I can certainly see that point of view, but I guess my
question is what reasons do those of you with that viewpoint have *not*
to implement it?  I just don't see the harm in either configuring your
MTA to listen on an extra port, or just forward port 587 to 25 at the
network level.  Other than a few man-hours for implementation what are
the added costs/risks that make you so reluctant?  What am I missing?

Andrew



Re: UN Panel Aims to End Internet Tug of War by July

2005-02-24 Thread William Warren
If the UN wants control of the INET WE invented.  Let them build 
their own.

Fergie (Paul Ferguson) wrote:
> My favorite quote(s) from this very brief article:
>
> Right now, the most recognizable Internet governance
> body is a California-based non-profit company, the
> International Corporation for Assigned Names and Numbers
> (ICANN).
>
> But developing countries want an international body,
> such as the U.N.'s International Telecommunication
> Union (ITU), to have control over governance -- from
> distributing Web site domains to fighting spam.
>
> http://today.reuters.com/news/newsArticle.aspx?type=internetNewsstoryID=2005-02-21T171326Z_01_N21644703_RTRIDST_0_NET-TECH-UN-DC.XML
>
> - ferg
>
> --
> Fergie, a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet
>  [EMAIL PROTECTED] or
>  [EMAIL PROTECTED]
--
My Foundation verse:
Isa 54:17  No weapon that is formed against thee shall prosper; 
and every tongue that shall rise against thee in judgment thou 
shalt condemn. This is the heritage of the servants of the LORD, 
and their righteousness is of me, saith the LORD.

-- carpe ductum -- Grab the tape
CDTT (Certified Duct Tape Technician)
Linux user #322099
Machines:
206822
256638
276825
http://counter.li.org/


Re: Why do so few mail providers support Port 587?

2005-02-24 Thread Joe Maimon

[EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] wrote:
>> On Thu, 24 Feb 2005 16:08:42 EST, Nils Ketelsen said:
>>> On Tue, Feb 15, 2005 at 09:00:11PM -0500, Sean Donelan wrote:
>>>> What can be done to encourage universities and other mail providers
>>>> with large roaming user populations to support RFC2476/Port 587?
>>>
>>> Give a good reason. That is still the missing part.
>>
>> If you're a roaming user from that provider, and you're at
>> some other site that blocks or hijacks port 25, you can still send
>> mail by tossing it to your main provider's 587.   If that's not a
>> good enough reason to motivate the provider to support it, nothing
>> will (except maybe when the users show up en masse with pitchforks
>> and other implements of destruction...)
>
> There seem to be many who feel there is no overwhelming reason to
> support 587.  I can certainly see that point of view, but I guess my
> question is what reasons do those of you with that viewpoint have *not*
> to implement it?  I just don't see the harm in either configuring your
> MTA to listen on an extra port, or just forward port 587 to 25 at the
> network level.  Other than a few man-hours for implementation what are
> the added costs/risks that make you so reluctant?  What am I missing?
> Andrew

What man hours? That's the default setup for most sendmails!


Re: AOL scomp

2005-02-24 Thread Vinny Abello
At 03:08 PM 2/24/2005, Matthew Crocker wrote:

> Due to AOL scomp and SPF we have stopped forwarding altogether.
> Existing accounts are grandfathered and we are working on migrating them
> all to IMAP-SSL.  ALL new accounts have to IMAP their mail from our
> servers.  I get WAY too much junk from forwarded mail going to AOL.  I
> also get way too many tech support calls about forwarded mail being
> rejected because of SPF
>
> -Matt

Forwarded mail shouldn't be rejected as a result of SPF if your mail server
is using SRS to rewrite the from addresses in the mail from part of the
SMTP transaction of the forwarded emails... as long as your SPF record
isn't messed up of course. :)

Vinny Abello
Network Engineer
Server Management
[EMAIL PROTECTED]
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0  E935 5325 FBCB 0100 977A
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN
Courage is resistance to fear, mastery of fear - not absence of fear -- 
Mark Twain
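
The SRS rewriting described in the message above, as an added example that is not part of the original thread: the forwarder replaces the envelope sender with an address in its own domain, so the destination evaluates SPF against the forwarder's record, and bounces can still be mapped back to the original sender. The `SRS0=hash=timestamp=host=local` layout follows the Sender Rewriting Scheme; the secret, the domain names, the hash truncation and the 21-day validity window are assumptions for illustration, so the output is not guaranteed to interoperate with any particular SRS implementation.

```python
import base64
import hashlib
import hmac
import time

B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
SECRET = b"constructed-demo-secret"   # assumption: the forwarder's private key
FORWARDER = "forwarder.example"       # assumption: the forwarding domain
MAX_AGE_DAYS = 21                     # assumption: how long a rewrite stays valid
SLOTS = 1024                          # day counter fits two base32 characters


def _stamp(now=None):
    """Day number modulo 1024, encoded as two base32 characters."""
    day = int((time.time() if now is None else now) // 86400) % SLOTS
    return B32[day >> 5] + B32[day & 31]


def _unstamp(ts):
    if len(ts) != 2:
        raise ValueError("bad timestamp")
    return (B32.index(ts[0]) << 5) | B32.index(ts[1])


def _tag(ts, host, local):
    """Truncated HMAC binding timestamp, original host and local part."""
    msg = (ts + host + local).lower().encode()
    digest = hmac.new(SECRET, msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()[:4]


def srs_forward(sender, now=None):
    """Rewrite the envelope sender before forwarding to another domain."""
    local, _, host = sender.rpartition("@")
    ts = _stamp(now)
    return f"SRS0={_tag(ts, host, local)}={ts}={host}={local}@{FORWARDER}"


def srs_reverse(address, now=None):
    """Recover the original sender from a bounce; reject forged or stale ones."""
    local, _, domain = address.rpartition("@")
    if domain.lower() != FORWARDER or not local.upper().startswith("SRS0="):
        raise ValueError("not an SRS0 address for this forwarder")
    try:
        tag, ts, host, orig_local = local[5:].split("=", 3)
        issued = _unstamp(ts.upper())
    except ValueError as exc:
        raise ValueError("malformed SRS0 address") from exc
    if not hmac.compare_digest(tag.encode(), _tag(ts, host, orig_local).encode()):
        raise ValueError("hash mismatch: not issued by this forwarder")
    if (_unstamp(_stamp(now)) - issued) % SLOTS > MAX_AGE_DAYS:
        raise ValueError("SRS0 address has expired")
    return f"{orig_local}@{host}"


def spf_checked_domain(mail_from):
    """SPF is evaluated against the domain of the envelope sender."""
    return mail_from.rpartition("@")[2].lower()
```

The keyed hash is what stops the reverse mapping from turning the forwarder into a bounce relay for arbitrary addresses: only addresses the forwarder itself issued, and issued recently, are accepted.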



RE: Why do so few mail providers support Port 587?

2005-02-24 Thread Jim Popovitch

If supporting one port is y hours of time and headache, then two ports
is closer to y*2 than y (some might argue y-squared).  587 has some
validity for providers of roaming services, but who else?  Why not
implement 587 behavior (auth from the outside coming in, and accept all
where destin == this system) on 25 and leave the rest alone?

-Jim P. 

On Thu, 2005-02-24 at 16:51 -0500, [EMAIL PROTECTED] wrote:
 [EMAIL PROTECTED] wrote:
  On Thu, 24 Feb 2005 16:08:42 EST, Nils Ketelsen said:
  
  On Tue, Feb 15, 2005 at 09:00:11PM -0500, Sean Donelan wrote:
  
  What can be done to encourage universities and other mail providers
  with large roaming user populations to support RFC2476/Port 587?
  
  Give a good reason. That is still the missing part.
  
  If you're a roaming user from that provider, and you're at
  some other site that blocks or hijacks port 25, you can still send
  mail by tossing it to your main provider's 587.   If that's not a
  good enough reason to motivate the provider to support it, nothing
  will (except maybe when the users show up en masse with pitchforks
  and other implements of destruction...)
 
 There seem to be many who feel there is no overwhelming reason to
 support 587.  I can certainly see that point of view, but I guess my
 question is what reasons do those of you with that viewpoint have *not*
 to implement it?  I just don't see the harm in either configuring your
 MTA to listen on an extra port, or just forward port 587 to 25 at the
 network level.  Other than a few man-hours for implementation what are
 the added costs/risks that make you so reluctant?  What am I missing?
 
 Andrew
 



Re: Why do so few mail providers support Port 587?

2005-02-24 Thread Nils Ketelsen

On Thu, Feb 24, 2005 at 04:51:50PM -0500, [EMAIL PROTECTED] wrote:

 There seem to be many who feel there is no overwhelming reason to
 support 587.  I can certainly see that point of view, but I guess my
 question is what reasons do those of you with that viewpoint have *not*
 to implement it?  I just don't see the harm in either configuring your

Oh that's easy: It creates costs (for implementing it
on the servers and clients) and produces no benefit.

 MTA to listen on an extra port, or just forward port 587 to 25 at the
 network level.  Other than a few man-hours for implementation what are
 the added costs/risks that make you so reluctant?  What am I missing?

You are missing the operational costs (has to be included in the regular
failover tests, has to be monitored, has to be fixed if something breaks
etc.)

Any system I introduce is increasing risks and costs. If there is
no benefit to justify these, I won't do it.

Nils


Re: Why do so few mail providers support Port 587?

2005-02-24 Thread Paul Vixie

 On Tue, Feb 15, 2005 at 09:00:11PM -0500, Sean Donelan wrote:
 
  Although RFC2476 was published in December 1998, it's amazing how few
  mail providers support the Message Submission protocol for e-mail on
  Port 587.  Even odder, some mail providers use other ports such as 26
  or 2525, but not the RFC recommended Port 587 for remote authenticated
  mail access for users.

well, in sbc-dsl-land, port 25 and port 587 are blocked, but port 26 gets
through.  it seems bizarre that port 587 would ever be blocked, but when
i encountered it, port 26 was my next choice.  perhaps other e-mail providers
had the same problem and used the same plan-b.

  What can be done to encourage universities and other mail providers
  with large roaming user populations to support RFC2476/Port 587?
 
 Give a good reason. That is still the missing part.

it's smtp that only works if you can authenticate.  thus it's only useful
for your own user population, and completely safe to leave open to the world
(as long as your user population keeps their passwords safe, that is.)
-- 
Paul Vixie


RE: Why do so few mail providers support Port 587?

2005-02-24 Thread Smoot Carl-Mitchell

On Thu, 2005-02-24 at 17:14 -0500, Jim Popovitch wrote:
 If supporting one port is y hours of time and headache, then two ports
 is closer to y*2 than y (some might argue y-squared).  587 has some
 validity for providers of roaming services, but who else?  Why not
 implement 587 behavior (auth from the outside coming in, and accept all
 where destin == this system) on 25 and leave the rest alone?

I did run into a case where supporting port 587 was useful. I found out
the hard way that one Internet service provider for hotels blocked
outbound port 25, but not 587. So sending outbound mail to my mail relay
would have been impossible without support for port 587.
-- 
Smoot Carl-Mitchell
System/Network Architect
email: [EMAIL PROTECTED]
cell: +1 602 421 9005
home: +1 480 922 7313


Finding useful/pertinent IP reallocation WHOIS info

2005-02-24 Thread Fergie (Paul Ferguson)


Can anyone provide a better way to find, say, the appropriate
contact information for address blocks that are further reallocated
from the regional registries? I've about reached my frustration
levels over the course of the past year on the issue.

Example: Trying to find the appropriate contact info for an
abuse@ address responsible for a malicious host that (may)
reside within an address block in Brazil (not meaning to pick
on Brazil by no means). Checking the WHOIS database at:

http://lacnic.net/cgi-bin/lacnic/whois?lg=EN

...you can find that:

#These addresses have been further assigned to Brazilian users.
#Contact information can be found at the WHOIS server located
#at whois.registro.br and at http://whois.nic.br

No, it can't. At least not that I can ascertain.

And when arriving at either of these web pages, the only
lookup available to the user is a CGI form for domain-only
registry lookups, not for IP address allocation info.

I was also hoping that the Referral WHOIS (RWhois) database
might provide some assistance, I am informed only that the
responsible registry is the Latin American and Caribbean IP
address Regional Registry.

I have tried many times to solicit a response via e-mail
from someone at the Brazilian registry to no avail.
 
Very frustrating.

The system is broken and needs to be fixed. Registries: Are you
listening?

- ferg

--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or
 [EMAIL PROTECTED]


Re: Why do so few mail providers support Port 587?

2005-02-24 Thread Valdis . Kletnieks
On Thu, 24 Feb 2005 16:51:50 EST, [EMAIL PROTECTED] said:

 There seem to be many who feel there is no overwhelming reason to
 support 587.  I can certainly see that point of view, but I guess my
 question is what reasons do those of you with that viewpoint have *not*
 to implement it?  I just don't see the harm in either configuring your
 MTA to listen on an extra port, or just forward port 587 to 25 at the
 network level.  Other than a few man-hours for implementation what are
 the added costs/risks that make you so reluctant?  What am I missing?

You *don't* want to just forward 587 to 25.  You want to use SMTP AUTH
or similar on 587 to make sure only *your* users connect to it as a mail
injection service (unless, of course, you *want* to be a spam relay ;)

The *real* problem is usually that the site is too clueless to figure out how
to enable AUTH on 587, actually authenticate the user (which might involve
something really complicated, like LDAP or RADIUS), and tell the script monkeys
at first-level support what to tell the users.
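
An added example, not part of the original thread, of checking the property described in the message above: a port 587 that was merely forwarded to port 25 accepts MAIL/RCPT without authentication, while a properly configured submission port refuses (530) until AUTH succeeds. Both dialogues below are constructed samples, and all host names and addresses are placeholders.

```python
# Constructed sample: port 587 simply forwarded to the port-25 listener.
FORWARDED_TO_25 = [
    ("EHLO laptop.example",
     "250-mail.example.edu\r\n250-SIZE 10485760\r\n250 HELP"),
    ("MAIL FROM:<stranger@elsewhere.example>", "250 2.1.0 Sender ok"),
    ("RCPT TO:<user@example.edu>", "250 2.1.5 Recipient ok"),
]

# Constructed sample: port 587 as an authenticated submission service.
PROPER_587 = [
    ("EHLO laptop.example",
     "250-mail.example.edu\r\n250-STARTTLS\r\n250 AUTH PLAIN LOGIN"),
    ("MAIL FROM:<roamer@example.edu>", "530 5.7.0 Authentication required"),
    ("AUTH PLAIN <credentials elided>", "235 2.7.0 Authentication successful"),
    ("MAIL FROM:<roamer@example.edu>", "250 2.1.0 Sender ok"),
    ("RCPT TO:<friend@elsewhere.example>", "250 2.1.5 Recipient ok"),
]


def audit_submission(session):
    """Audit a captured port-587 dialogue.

    session is a list of (client_command, server_reply) strings.
    Returns a list of findings; an empty list means the dialogue shows
    authentication being enforced before any mail transaction.
    """
    findings = []
    auth_offered = False
    authenticated = False
    for command, reply in session:
        verb = (command.split() or [""])[0].upper()
        code = int(reply[:3])
        if code == 235:
            # 235 is only ever the reply to a completed, successful AUTH.
            authenticated = True
        elif verb in ("EHLO", "HELO"):
            # Each reply line is "250-KEYWORD ..." or "250 KEYWORD ...".
            for line in reply.splitlines():
                if line[4:].upper().split()[:1] == ["AUTH"]:
                    auth_offered = True
        elif verb in ("MAIL", "RCPT", "DATA") and not authenticated and code < 400:
            findings.append(f"{verb} accepted with {code} before authentication")
    if not auth_offered:
        findings.append("AUTH never advertised in EHLO reply")
    return findings


if __name__ == "__main__":
    for name, session in (("forwarded to 25", FORWARDED_TO_25),
                          ("authenticated 587", PROPER_587)):
        print(name, "->", audit_submission(session) or "no findings")
```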





Re: Why do so few mail providers support Port 587?

2005-02-24 Thread Andrew - Supernews

 Paul == Paul Vixie [EMAIL PROTECTED] writes:

 Paul well, in sbc-dsl-land, port 25 and port 587 are blocked, but
 Paul port 26 gets through.

I have a port-587 relay on my network which is used by some
sbc-dsl-land users... they don't appear to be blocked

-- 
Andrew, Supernews
http://www.supernews.com



Re: Finding useful/pertinent IP reallocation WHOIS info

2005-02-24 Thread Fergie (Paul Ferguson)


Thanks to all who responded privately off-list.

What I was looking for: http://registro.br/cgi-bin/nicbr/whois

..which wasn't exactly intuitive from the main page:
http://registro.br/index.html

Also, I liked the alternative suggestion of:

  telnet rwhois.whatever.foo 4321
  enter dotted quad or other item of interest

..however, one thing that I didn't mention in my original
post is that what I was looking for was a _simple_ method
for our staff to use which didn't require a maze of thought
challenges (or a Captain Midnight Decoder Ring) -- something
they could just point a web browser at and find correct
contact information for IP reallocation data. Unfortunately,
everyone in a particular organization has access to a CLI
WHOIS client, or even a Windoze WHOIS client that provides
detailed information with a variety of options.

Is it the case that SPAM purveyors have put us in the
unfortunate position where there isn't readily available
access to SWIP/reallocation information? What a shame.

Thanks to one and all,

- ferg

-- Fergie (Paul Ferguson) [EMAIL PROTECTED] wrote:


Can anyone provide a better way to find, say, the appropriate
contact information for address blocks that are further reallocated
from the regional registries? I've about reached my frustration
levels over the course of the past year on the issue.

Example: Trying to find the appropriate contact info for an
abuse@ address responsible for a malicious host that (may)
reside within an address block in Brazil (not meaning to pick
on Brazil by no means). Checking the WHOIS database at:

http://lacnic.net/cgi-bin/lacnic/whois?lg=EN

...you can find that:

#These addresses have been further assigned to Brazilian users.
#Contact information can be found at the WHOIS server located
#at whois.registro.br and at http://whois.nic.br

No, it can't. At least not that I can ascertain.

And when arriving at either of these web pages, the only
lookup available to the user is a CGI form for domain-only
registry lookups, not for IP address allocation info.

I was also hoping that the Referral WHOIS (RWhois) database
might provide some assistance, I am informed only that the
responsible registry is the Latin American and Caribbean IP
address Regional Registry.

I have tried many times to solicit a response via e-mail
from someone at the Brazilian registry to no avail.
 
Very frustrating.

The system is broken and needs to be fixed. Registries: Are you
listening?

- ferg

--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or
 [EMAIL PROTECTED]



Re: AOL scomp

2005-02-24 Thread james edwards

- Original Message - 
From: Matt Taber [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, February 24, 2005 2:15 PM
Subject: Re: AOL scomp



 Postini is my friend too.

 But the more we can do to get rid of spam on our own, the less we have
 to pay Postini each month.


Postini's admin. interface is always slow (we have been a customer for 3
years) and as of 20 mins. ago quit working altogether.
Users cannot log into their message centers.

The new contract we just got, with increase, does not sit well at present.

James H. Edwards
Routing and Security Administrator
At the Santa Fe Office: Internet at Cyber Mesa
[EMAIL PROTECTED]  [EMAIL PROTECTED]
http://www.cybermesa.com/ContactCM
(505) 795-7101



Re: UN Panel Aims to End Internet Tug of War by July

2005-02-24 Thread Joel Jaeggli
On Thu, 24 Feb 2005, William Warren wrote:
If the UN wants control of the INET WE invented.  Let them build their own.
I think people get confused about who the stake holders in internet 
operation/governance really are... certainly ICANN always was when I was 
actively observing it.

The stake holders with the most to lose are ordinary enduser consumers of 
internet services. They just want to get their work / entertainment / 
communication done, and to the extent that technocrats, bureaucrats, 
criminals, extremely greedy businesses, and rogue governments set up 
barriers that impede them from doing that they lose.

Fergie (Paul Ferguson) wrote:
My favorite quote(s) from this very brief article:
Right now, the most recognizable Internet governance
body is a California-based non-profit company, the
International Corporation for Assigned Names and Numbers
(ICANN).
But developing countries want an international body,
such as the U.N.'s International Telecommunication
Union (ITU), to have control over governance -- from
distributing Web site domains to fighting spam.
http://today.reuters.com/news/newsArticle.aspx?type=internetNewsstoryID=2005-02-21T171326Z_01_N21644703_RTRIDST_0_NET-TECH-UN-DC.XML
- ferg
--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or
 [EMAIL PROTECTED]

--
-- 
Joel Jaeggli  	   Unix Consulting 	   [EMAIL PROTECTED] 
GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2



Re: AOL scomp

2005-02-24 Thread Matthew Crocker

Forwarded mail shouldn't be rejected as a result of SPF if your mail 
server is using SRS to rewrite the from addresses in the mail from 
part of the SMTP transaction of the forwarded emails... as long as 
your SPF record isn't messed up of course. :)

I know but that just reeks of a hack which I'm not currently willing 
to do.  It works better for us to terminate the forwarding and sell the 
customer full mail service.  My SPF record isn't messed up as far as I 
know.

-Matt


Re: AOL scomp

2005-02-24 Thread Rich Kulawiec

On Thu, Feb 24, 2005 at 02:53:14PM -0500, Mark Radabaugh wrote:
 Now here I would disagree.   These are specific requests by
 individuals to forward mail to from one of their own accounts to
 another one of their own accounts.

But a request to forward mail is not a request to facilitate
abuse by forwarding spam.

 I do not think AOL (or anyone) should consider mail forwarded
 at the customers request as indicating that our mail servers are sending spam.

Why not?

Did it come from your servers?  On your network?

If yes, then it's YOUR spam, and you should expect to be held fully
accountable for it.  If that's an unpleasant notion, and I'll stipulate
that it sure is for me, then you need to do whatever you need to do
in order to put a sock in it.

We are long past the time when excuses for relaying/forwarding/bouncing
spam were acceptable. The techniques for mitigating these -- at least
to cut down a torrent to a trickle -- are well-known, well-understood,
well-documented and readily available in a variety of implementations.


More generally, the best place to stop spam is as near its source as
possible.  So if you're the forwarder, you're at least one hop closer to
the source than the place you're forwarding to -- thus you should have
a better chance than they do of stopping it.  And you should at least
make a credible try: nobody expects perfection (though we certainly hope
for it) but doing _nothing_ isn't acceptable, either.


So, for instance: take advantage of the AOL feedback loop.  Anything
that they're catching -- that you're not -- indicates an area where
you can improve what you're doing.  Find it, figure it out, and do it.
Everyone benefits -- including all your users who aren't having their
mail forwarded.

---Rsk


Re: Why do so few mail providers support Port 587?

2005-02-24 Thread Valdis . Kletnieks
On Thu, 24 Feb 2005 17:14:17 EST, Jim Popovitch said:
 
 If supporting one port is y hours of time and headache, then two ports
 is closer to y*2 than y (some might argue y-squared).  587 has some
 validity for providers of roaming services, but who else?  Why not
 implement 587 behavior (auth from the outside coming in, and accept all
 where destin == this system) on 25 and leave the rest alone?

Well, OK.  If you know for a *fact* that your users *never* roam, and you
have sufficiently good control of your IP addresses that you can always safely
decide if a given connection is inside or outside and allow them to relay
based on that, then no, you don't need to support 587.

The rest of us run mail services in the real world, where lots of users buy
laptops, and then actually gasp, shock *use* the portability and thus often
end up behind some other ISP's port-25 block.




Re: Why do so few mail providers support Port 587?

2005-02-24 Thread Jim Popovitch

On Thu, 2005-02-24 at 23:36 -0500, [EMAIL PROTECTED] wrote:

 The rest of us run mail services in the real world, where lots of users buy
 laptops, and then actually gasp, shock *use* the portability and thus often
 end up behind some other ISP's port-25 block.

Why not a VPN solution?  If you have mail servers that your users need,
chances are that you also have file servers, internal web servers,
calendar servers, etc.  Should file/web/calendar servers all open one
port for internal access and a second port for authenticated external
access?

-Jim P.






Re: AOL scomp

2005-02-24 Thread Robert Bonomi

 From [EMAIL PROTECTED]  Thu Feb 24 23:19:15 2005
 Date: Thu, 24 Feb 2005 22:46:13 -0500
 From: Rich Kulawiec [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Re: AOL scomp


 On Thu, Feb 24, 2005 at 02:53:14PM -0500, Mark Radabaugh wrote:
  Now here I would disagree.   These are specific requests by
  individuals to forward mail to from one of their own accounts to
  another one of their own accounts.

 But a request to forward mail is not a request to facilitate
 abuse by forwarding spam.

  I do not think AOL (or anyone) should consider mail forwarded
  at the customers request as indicating that our mail servers are sending 
  spam.

 Why not?

Because the recipient *expressly* requested that all mail which would reach
my inbox on your system be sent to me at AOL (or any other somewhere else).

This means that every such message from the 'forwarding' system to the
destination system is, BY DEFINITION, solicited.  The mailbox owner has
expressly and explicitly requested those messages be sent to him at the
receiving system.

If that person then reports such messages -- that they have EXPRESSLY requested
be sent to the receiving system -- as spam, to the operator of the receiving
system, then that person is *indisputably* IN THE WRONG for doing so.

The _person_ who issued the directive causing that message to end up in the
recipient's inbox is the *recipient*himself*.  If he reports the message as
spam, then it can be logically held that *he* is the spammer.  And his 
access on *both* systems (forwarding and receiving) should be terminated 
for AUP violation.

Now, if the recipient wants to report it to the forwarding system -- so
that they can block any further inbound attempts -- that's a whole nother
story.

Of course, this requires that the person involved be smart enough to 
read and understand the headers on the message.

In actuality, *I* am not QUITE as draconian as suggested a couple of 
paragraphs previously.  If I forward somebody's mail and get a complaint
from the receiving system about spam to that user, originating from my 
system, that user *permanently* loses any forwarding privileges/capabilities.
No appeal, no _notice_ no 'second chance', no nothing -- forwarding just 
stops working for them. They _were_ told of this down-side risk, with 
regard to such an error, *before* the forwarding was enabled. They get to 
live with the consequences.





Re: Why do so few mail providers support Port 587?

2005-02-24 Thread Adrian Chadd

On Fri, Feb 25, 2005, Jim Popovitch wrote:
 
 On Thu, 2005-02-24 at 23:36 -0500, [EMAIL PROTECTED] wrote:
 
  The rest of us run mail services in the real world, where lots of users buy
  laptops, and then actually gasp, shock *use* the portability and thus 
  often
  end up behind some other ISP's port-25 block.
 
 Why not a VPN solution?  If you have mail servers that your users need,
 chances are that you also have file servers, internal web servers,
 calendar servers, etc.  Should file/web/calendar servers all open one
 port for internal access and a second port for authenticated external
 access?

It'd be nice. :)

Although, it's different for ISP access. An office, sure, a VPN is possibly
the right solution. But your ISP email account? Why VPN to your ISP just for
that?




Adrian

-- 
Adrian Chadd            You don't have a TV? Then what's
[EMAIL PROTECTED]       all your furniture pointing at?