Re: WTH does Paul do now?
On Wed, Jan 31, 2007 at 11:09:58PM -0500, Jon Lewis wrote:

> - The following addresses had permanent fatal errors -
> [EMAIL PROTECTED]
>     (reason: 553 5.7.1 Service unavailable; Client host [69.28.69.2] blocked using reject-all.vix.com; reason / created)
>
> - Transcript of session follows -
> ... while talking to sa.vix.com.:
> RCPT To:[EMAIL PROTECTED]
> 553 5.7.1 Service unavailable; Client host [69.28.69.2] blocked using reject-all.vix.com; reason / created
> 550 5.1.1 [EMAIL PROTECTED]... User unknown

Well...

    reject-all.vix.com. 3600 IN NS ns.lah1.vix.com.
    reject-all.vix.com. 3600 IN NS ns.sql1.vix.com.

    dig any 2.0.0.127.reject-all.vix.com @ns.sql1.vix.com

gives status: REFUSED and as ns.lah1.vix.com does alike all authoritative nameservers for this zone are some kind of hmm 'unreachable' thus resulting in a SERVFAIL from your recursive nameserver.

It seems like your MTA is not very gracious to SERVFAILs from DNSRBLs.

Stefan, Hosthamster
--
Portability is for people who cannot write new programs. - Linus Torvalds, 1992
Re: WTH does Paul do now?
On 1-Feb-2007, at 06:50, Stefan Schmidt wrote:

> Well...
>
>     reject-all.vix.com. 3600 IN NS ns.lah1.vix.com.
>     reject-all.vix.com. 3600 IN NS ns.sql1.vix.com.
>
>     dig any 2.0.0.127.reject-all.vix.com @ns.sql1.vix.com
>
> gives status: REFUSED and as ns.lah1.vix.com does alike all authoritative nameservers for this zone are some kind of hmm 'unreachable' thus resulting in a SERVFAIL from your recursive nameserver.
>
> It seems like your MTA is not very gracious to SERVFAILs from DNSRBLs.

... or alternatively, that this is a private DNSRBL which has access restrictions.

Joe
Re: WTH does Paul do now?
On Thu, Feb 01, 2007 at 07:21:19AM -0500, Joe Abley wrote:

> ... or alternatively, that this is a private DNSRBL which has access restrictions.

Yeah i was missing the "while talking to sa.vix.com" part in Jon's mail, sorry for the confusion.

Stefan
--
I refuse to answer that question on the grounds that I don't know the answer. - Zaphod Beeblebrox, The Hitchhikers Guide to the Galaxy
Re: what the heck do i do now?
On Wed, Jan 31, 2007 at 07:04:37PM -0800, Matthew Kaufman wrote: (As an example, consider what happens *to you* if a hospital stops getting emailed results back from their outside laboratory service because their email firewall is checking your server, and someone dies as a result of the delay) A hospital which relies on email for laboratory results is obviously negligent. They should know that email is best-effort, no better, and that as a result it's an unreliable transport medium. (And increasingly so given the massive abuse being heaped on it as well as any number of ill-conceived anti-abuse ideas (C/R, callbacks) that actually make the problem worse.) Using it for life-critical data is foolish. There are much better choices available (including offline ones such as FedEx) for the transfer for critical information. ---Rsk
Re: what the heck do i do now?
We've told people for years that when they choose to use a DNSBL or RHSBL that they need to (a) subscribe to the relevant mailing list, if it has one and/or (b) periodically revisit the relevant web site, if it has one, so that they can keep themselves informed about any changes in its status or policies and/or (c) pay attention to what their own logs are telling them.

They have not listened, for many values of "they". Maybe it's necessary to speak to them in a language they understand, despite the large downside of doing so.

As someone who has had his own lapses into denseness, I can certainly understand that this isn't pleasant, but on the other hand, the lessons I've learned that way have been sufficiently clear that I've never made those particular mistakes again. I would argue that among the lessons here are "do not hardwire any DNSBL/RHSBL into any piece of software", "do not blithely use any such piece of software and assume it'll work" and "if you choose to use a DNSBL/RHSBL, then pay attention".

chuckle Perhaps you should list (in the zone) all IP addresses which are repeatedly querying the zone -- after announcing this policy, of course. ;-)

More seriously, I'll see what I can do to pass the word along in the faint hope that this will have some effect.

---Rsk
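The SERVFAIL handling raised earlier in the thread and the "pay attention" lesson above, as an added example (not code from the thread or from any MTA): a DNSBL client that probes the conventional test entries (127.0.0.2 always listed, 127.0.0.1 never listed, a convention later written down in RFC 5782) before trusting a zone, so a dead, refusing or wildcarded zone is skipped instead of bouncing mail. The `*.dnsbl.example` zones, the resolver contract and all function names are constructed for illustration.

```python
import ipaddress
import socket

# Assumed resolver contract: callable(name) -> (status, [addresses]),
# where FAIL covers SERVFAIL, REFUSED and timeouts.
ANSWER, NXDOMAIN, FAIL = "ANSWER", "NXDOMAIN", "FAIL"
LIST_CODES = ipaddress.IPv4Network("127.0.0.0/8")


def query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone (2.0.0.127.<zone>)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")


def is_list_code(addr):
    """A genuine DNSBL answer is an A record inside 127.0.0.0/8."""
    try:
        return ipaddress.IPv4Address(addr) in LIST_CODES
    except ipaddress.AddressValueError:
        return False


def zone_health(zone, resolve):
    """Classify a zone by its two test entries before using it."""
    must_list = resolve(query_name("127.0.0.2", zone))
    must_not = resolve(query_name("127.0.0.1", zone))
    if FAIL in (must_list[0], must_not[0]):
        return "unreachable"        # dead, refused, or private zone
    if must_not[0] == ANSWER:
        return "lists-everything"   # wildcarded or parked zone
    if must_list[0] != ANSWER:
        return "lists-nothing"      # emptied zone
    if not all(is_list_code(a) for a in must_list[1]):
        return "bad-answer"         # answers outside 127/8
    return "healthy"


def check_client(ip, zones, resolve):
    """Return (action, notes); only a healthy zone may cause a reject."""
    notes = []
    for zone in zones:
        health = zone_health(zone, resolve)  # cache the result in practice
        if health != "healthy":
            notes.append(f"{zone}: skipped ({health})")
            continue
        status, addrs = resolve(query_name(ip, zone))
        if status == ANSWER and addrs and all(is_list_code(a) for a in addrs):
            return "reject", notes + [f"{zone}: listed {addrs}"]
        if status == FAIL:
            notes.append(f"{zone}: lookup failed, not treated as listed")
    return "accept", notes


def system_resolver(name):
    """Approximate resolver on top of the C library; a DNS library that
    exposes the response code is the better choice where available."""
    try:
        return ANSWER, socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return NXDOMAIN, []
        return FAIL, []


# Constructed zones for an offline run; none of these exist.
CONSTRUCTED_ZONES = {
    "good.dnsbl.example": {"mode": "normal", "listed": {"192.0.2.25"}},
    "wildcard.dnsbl.example": {"mode": "wildcard"},
    "dead.dnsbl.example": {"mode": "dead"},
    "empty.dnsbl.example": {"mode": "empty"},
}


def fake_resolve(name):
    """Stand-in resolver that serves the constructed zones above."""
    for zone, cfg in CONSTRUCTED_ZONES.items():
        if name.endswith("." + zone):
            ip = ".".join(reversed(name[: -len(zone) - 1].split(".")))
            if cfg["mode"] == "dead":
                return FAIL, []
            if cfg["mode"] == "wildcard":
                return ANSWER, ["127.0.0.2"]
            if cfg["mode"] == "empty":
                return NXDOMAIN, []
            if ip == "127.0.0.2" or ip in cfg["listed"]:
                return ANSWER, ["127.0.0.2"]
            return NXDOMAIN, []
    return NXDOMAIN, []


if __name__ == "__main__":
    for client in ("192.0.2.25", "198.51.100.7"):
        print(client, check_client(client, list(CONSTRUCTED_ZONES), fake_resolve))
```

A client that skips the health probe would reject every sender against the wildcarded zone, which is the failure the thread is arguing about.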
Re: what the heck do i do now?
On Jan 31, 2007, at 7:04 PM, Matthew Kaufman wrote: (As an example, consider what happens *to you* if a hospital stops getting emailed results back from their outside laboratory service because their email firewall is checking your server, and someone dies as a result of the delay) Moral issues aside, I'd love to see this litigated. --- Roland Dobbins [EMAIL PROTECTED] // 408.527.6376 voice The telephone demands complete participation. -- Marshall McLuhan
Re: Birmingham UK colocation
You may want to contact Fibernet (now a Global Crossing company), they have some PoPs there with fiber and general connectivity. We are also present there and can provide connectivity, but not co-location.

Dave.

Andrew Gristina wrote:

> I have two racks in London UK. The colocation is currently in London. The contract is up soon and most of the feet on the ground in the UK of the company is in the greater Birmingham area. So I'm interested in colocating about two racks of servers to Birmingham. I would need a cage if the space were shared.
>
> What is peering like in the Birmingham area? Will getting multiple provider feeds in Birmingham be possible? It was easy in London. And can anyone recommend colocation in Birmingham? The alternative is stick with London (in spite of difficulty for remote hands) so any suggestions on excellent colocation in London?
>
> Google search for Birmingham UK colocation only usably yields F1 colocation and easy net. Off list is fine.
>
> -Andrew
Re: WWPVD (was what the heck do I do know)
Why not write a real-time script and loop the querier right back to his own self...

Luzer -- *.vix.com -- Luzer

This sort of reminded me of the days of bandwidth raping where others used someone's own bandwidth to their own disadvantage.

> We've told people for years that when they choose to use a DNSBL or RHSBL that they need to (a) subscribe to the relevant mailing list, if it has one and/or (b) periodically revisit the relevant web site

Akin to a mailing list asking someone to configure their options so autoresponding Out of the office replies don't annoy. Rarely works. In the case of system administration/network administration, the industry shifts so much whereas someone who managed a machine is likely not working for that company any more. From my experiences, I've seen the horrible documentation(ing (Bushism?)) companies maintain so it's likely unknown to these offenders.

Michael Froomkin - U.Miami School of Law wrote:

> Bottom line is that in the absence of a promise -- explicit or implicit (!) -- to the contrary, you can usually turn off your gear and get on with your life

Promissory Estoppel might hinder shutting off the power.

http://facstaff.gallaudet.edu/marshall.wick/bus447/promissory_estoppel.html

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743

How a man plays the game shows something of his character - how he loses shows all - Mr. Luckey
Re: WWPVD (was what the heck do I do know)
On Thu, 01 Feb 2007 09:29:12 CST, J. Oquendo said:

> Michael Froomkin - U.Miami School of Law wrote:
>
> > Bottom line is that in the absence of a promise -- explicit or implicit (!) -- to the contrary, you can usually turn off your gear and get on with your life
>
> Promissory Estoppel might hinder shutting off the power.
>
> http://facstaff.gallaudet.edu/marshall.wick/bus447/promissory_estoppel.html

That could be as interesting to litigate as the hospital example, because:

a) it's likely that a lot of the offenders relying on the promise of RBL service are qmail sites that don't even *realize* it.

b) I'm pretty sure that Paul wasn't aware of the qmail issue either.

So who, exactly, was promising (and to whom) that a given RBL was usable 6 years after it went belly up? If anything, the cited legal definition page would seem to suggest that the person who needs to keep running the RBL would be the person who made qmail reference it... :)
Re: what the heck do i do now?
On Feb 1, 2007, at 6:44 AM, Rich Kulawiec wrote:

> chuckle Perhaps you should list (in the zone) all IP addresses which are repeatedly querying the zone -- after announcing this policy, of course. ;-)

Actually, looking at that list it looks like many of those addresses (including the top vote getter) are just someone's caching proxy. Probably wouldn't hurt much since those machines probably aren't relaying mail but it also wouldn't have the effect you are looking for.

Chris
Re: WWPVD (was what the heck do I do know)
If no one's been sued before because they've wild carded a defunct RBL, what's the big deal? When someone tries their best, goes out to an intelligent group to get their opinions, and spends a HUGE amount of effort, and incurs measurable monetary damage (bandwidth, time, etc) and when the only reasonable answer (dare I say group consensus?!?!) is shut it off, in a way that could break things to get their attention how can there be grounds for a lawsuit? That's just silly!

Pay service or not, it doesn't matter when that period of time has passed. Paul could be found negligent when a server admin was negligent for 6-7 YEARS?! Seriously?! I don't buy that argument.

Now, if he set up the DNS to wild card 1% of packets on day 1, 2% on day 2, 3% on day three, etc, in an attempt to be less disruptive then perhaps, I could see someone being upset about that, because as a clueless person (bad admin) trying to troubleshoot some problem like that, they'd definitely play a good victim. And I bet they would wait until day 80 to call in a consultant. The only sane way is to pick a date, announce it far in advance, and flip the switch at 00:00:00 on that day.

I suppose in some universe, it *IS* possible that Paul could be found negligent by some jury trial and ordered to pay millions of dollars. But that's the same universe where swine routinely fly to and forth across the green sky.

Just my humble opinion.
Re: Best way to supply colo customer with specific provider
Just curious, the customer wants to purchase cogent bandwidth through you instead of going directly? Wouldn't it be easier just to have Cogent run another connection to the Meet Me Room in your facility and just extend it to their cage or rack? This seems like a lot of over engineering to me to provide a customer with Cogent bandwidth.

Andrew Gristina wrote:

> another way is tunnel them to a border router that interfaces with Cogent and deal with it at the border router. QinQ tunnel, GRE, IPSec, or whatever tunnel type you can support and will service the type of traffic your customer needs (L2 or L3). If you have multiple Cogent connections you might even be able to DMVPN to the relevant points. MPLS is another elegant way to handle it, but if you have MPLS infrastructure, you probably would have said so.
>
> --- Steve Gibbard [EMAIL PROTECTED] wrote:
>
> > If you actually want to do this, you've got four choices:
> >
> > - Policy route, as mentioned below.
> > - Get the customer their own connection to Cogent.
> > - Have a border router that only talks to Cogent and doesn't receive full routes from your core, and connect the customer directly to that.
> > - Do something involving route servers and switches outside your border routers, a-la-Equinix Direct.
> >
> > The policy routing idea will work, for some definition of work. I forget whether Cisco now has a fast (non-processor-switched) path for policy routed traffic; they didn't yet when somebody convinced me to try this many years ago. If nothing else, it will make a mess of configuration and troubleshooting.
> >
> > Getting the customer their own Cogent connection is likely the least trouble, but may not save you as much on the bandwidth cost as aggregating the customer's traffic into the rest of your traffic would.
> >
> > Connecting the customer to a Cogent-only border router works fine if you already have such a border router. If not, it may require significant reengineering.
> >
> > The route server suggestion is thrown out mainly as a conceptual exercise. It would require a lot of design work.
> >
> > All that said, if you're paying your engineers and operations people developed world salaries, and paying major well-connected city bandwidth rates, none of these suggestions should make your accountants or your customer's accountants happy. You'll be saving a bit on bandwidth costs while putting in large amounts of engineering time that at best will do nothing useful for your other customers. Any way you do this, you'll probably find that it costs you considerably more than it would to give the customer your standard product.
> >
> > -Steve
> >
> > On Tue, 30 Jan 2007, Rick Kunkel wrote:
> >
> > > Hello all,
> > >
> > > Being relatively new to the colocation business, we run into a fair number of issues that we've never run into before. Got a new one today, and although I can think of kludgey ways to accomplish what he wants, I'd rather get some other ideas first...
> > >
> > > We just had our first customer that's requesting bandwidth exclusively through a particular provider of ours (Cogent) at less expensive pricing. The money people here are up for it, but obviously, they want to make sure that he's confined to that Cogent connection.
> > >
> > > So now of course we're attempting to figure out the best way to do this, and I figured that rather than reinventing the wheel, I'd check to see how others accomplish things like this.
> > >
> > > The way I can imagine doing it is by using route-maps to steer all of this customer's traffic out the Cogent pipe, and modifying our BGP announcements by AS prepending on whatever block or blocks we set aside to be Cogent-exclusive. Again though, this seems to me to lack a certain amount of, for lack of a better word, grace.
> > >
> > > Any other suggestions?
> > >
> > > Thanks,
> > >
> > > Rick Kunkel
NANOG 39 IPv6 Network Operations BOF
Hi, I'm going to be running the IPv6 Network Operations BOF at NANOG 39 in Toronto. The BOF will be held in Sheraton Hall B/C, 2pm to 3.30pm on Tuesday February 6th. A basic list of topics is available via the agenda page. If you have any other (relevant) issues you'd like to raise about IPv6, let me know and I'll try to get them in. I'd also be interested to know if people are definitely coming, just so I know I'm not going to be sitting there by myself :) If you're around and not going to either the BGP tutorial or the Peering BOF (part I) and are interested in IPv6, please drop in. Hopefully it won't just be about how awful IPv6 is and how multihoming is broken! Regards, Stewart Bamford -- Stewart Bamford (Posting as an individual) Level3 Snr IP Engineer *** Views expressed are my own and not necessarily those of Level3 *** Primary email [EMAIL PROTECTED] Secondary email [EMAIL PROTECTED] Personal website http://www.stewartb.com/
Re: WWPVD
> I suppose in some universe, it *IS* possible that Paul could be found negligent by some jury trial and ordered to pay millions of dollars. But that's the same universe where swine routinely fly to and forth across the green sky.

Apparently you've never been in a jury trial and hopefully you won't have to be. The problem (to some this is the solution) with jury trials is, define peer. You're under the impression - if on a worst case scenario there was a jury trial - that, Paul would be sitting with a jury of his peers. Peers in the sense that those hearing the case would be in his demographic range: Computer Engineer (heck even an avid user) of some form, around his age, hopefully in the same profession.

Often what will happen is some poor shmoe will be sitting on the case, bored by the fact he won't understand anything, the explanation of it all will be convoluted, aggravated that he/she has to sit at a jury trial (how many people loathe jury duty). Couple this with moronic logic: If I was suing I would want someone to have mercy on my pockets ... So GUILTY!

So while Chivalry may be dead frivolry (Yes another Bushism/craptabulous/butchery of a word) isn't... What I would do is offer a warning of sorts for the duration of 90 days and pull the plug with copies of messages that were sent forewarning (l)users of impending changes. This to some degree exonerates you from possible repercussions.

Now before you take my advice, this is based on logic not factual law as (obviously) IANAL.
TorIX Tours on Tuesday February 6
[Apologies for the following non-operational content; if you are not coming to Toronto next week, hit delete now] For those attending NANOG 39 in Toronto next week who don't already see enough generic data centre space in their normal work week, there will be a TorIX tour on Tuesday February 6, some time after the last BOF/Tutorial finishes. There's a limit to the number of people we can practically haul through building security without causing trouble, so first-come, first-served. If for some bizarre reason there is an unexpectedly large number of people who think touring 151 Front is the right way to spend a Tuesday evening, we might try and do two trips, find people to open more than one suite, etc. If you're interested, sign up here: http://nanog.cluepon.net/index.php/NANOG39TorIXTour Joe
the authors of RFC 2317 have a question for att worldnet
(this must be my week for past-sins penance related to RBL's.)

today someone whose e-mail was blocked when they tried to send it to an att customer, asked the authors of RFC 2317 to please unblock their address. as the only such author whose e-mail address hasn't changed since RFC publication i pretty much assumed that the other two guys weren't hearing this, and so i investigated. the complainer showed me this text:

    [EMAIL PROTECTED]: host gateway2.att.net[12.102.240.23] said:
    550-24.248.126.43 blocked by ldap:ou=rblmx,dc=worldnet,dc=att,dc=net
    550 Blocked for abuse. See http://www.att.net/general-info/rblinquiry.html;
    (in reply to MAIL FROM command)

i looked at the URL thus indicated, and the link for "Information for end-users whose messages have been blocked." is http://www.att.net/general-info/mail_info/block_enduser.html which says:

    What to do: Ask your system administrator to submit identifying information to the DNS. For more information, your administrator should refer to http://www.faqs.org/rfcs/rfc2317.html In the meantime, you should use a fully registered domain for sending your messages, such as the mail system from an ISP or one of the major free e-mail services.

now, i count myself as a master of the obscure reference, but this is over the top. can someone from att worldnet please contact me for the purpose of explaining what RFC 2317 could possibly have to do with spam complaints?

(and btw, if you're going to block inbound e-mail, you need to give senders some idea of how to get unblocked. not for fairness, just for practicality. and this parenthesized paragraph is why i count this screed as not-off-topic.)
Re: the authors of RFC 2317 have a question for att worldnet
I'm not from ATT, but that page contains three errors and three What to do sections. The section referring to RFC 2317 is for DNS errors:

    “550 Error. Blocked for status: unknown sender”: This error indicates that no identifying information has been entered into the DNS (Domain Name System) for this sending system. The ATT Worldnet mail system, like many others, does not accept messages from mail systems with no DNS records.

The Spam complaint section has a different What to do:

    What to do: Ask the administrator of your mail system to contact us through our System Administrators' page and provide the information we need to investigate the problem.

Paul Vixie wrote:

>     What to do: Ask your system administrator to submit identifying information to the DNS. For more information, your administrator should refer to http://www.faqs.org/rfcs/rfc2317.html In the meantime, you should use a fully registered domain for sending your messages, such as the mail system from an ISP or one of the major free e-mail services.
>
> now, i count myself as a master of the obscure reference, but this is over the top. can someone from att worldnet please contact me for the purpose of explaining what RFC 2317 could possibly have to do with spam complaints?
Re: Best way to supply colo customer with specific provider
Rick Kunkel wrote: Hello all, Being relatively new to the colocation business, we run into a fair number of issues that we've never run into before. Got a new one today, and although I can think of kludgey ways to accomplish what he wants, I'd rather get some other ideas first... We just had our first customer that's requesting bandwidth exclusively through a particular provider of ours (Cogent) at less expensive pricing. The money people here are up for it, but obviously, they want to make sure that he's confined to that Cogent connection. Unless your customer is paying more for the privilege, your money people are probably making a very big mistake here. What happens when all your customers decide they want to only buy the cheaper bandwidth from you?
Re: the authors of RFC 2317 have a question for att worldnet
On 2/1/07, Paul Vixie [EMAIL PROTECTED] wrote:

> (and btw, if you're going to block inbound e-mail, you need to give senders some idea of how to get unblocked. not for fairness, just for practicality. and this parenthesized paragraph is why i count this screed as not-off-topic.)

Putting on my sender hat, I see that the URL you link to leads one to: http://www.att.net/general-info/mail_info/block_admin.html

I've had some client issues in the past that have necessitated use of that process. I have found that ATT is fairly responsive regarding sender blocking issues. There are many other ISPs whom I wish were as good at publishing info and offering a contact channel.

Al Iverson
--
Al Iverson on Spam and Deliverability, see http://www.spamresource.com
Message copyright 2007 by Al Iverson. For posts to SPAM-L, permission is granted only to this list's owners to redistribute to their subscribers and to archive this message on site(s) under their control.
Re: what the heck do i do now?
[EMAIL PROTECTED] wrote:--- From: Michael Froomkin - U.Miami School of Law [EMAIL PROTECTED] As an, ahem, lawyer, I think what you do and how you do it matter a lot ... Pulling a plug after reasonable/lots of warnings (did you miss anyone? how do you know for sure?) is on the safer end of the legal spectrum. Matters a lot? In what country's legal spectrum? Or did you assume the queries are US-based only? Or are you suggesting he treat US-based queries differently than the rest of the world? Or are you speaking from US-centric tunnel vision? scott
Re: what the heck do i do now?
[EMAIL PROTECTED] (Brian Wallingford) writes: ... Considering the time passed since maps went defunct, Paul is entirely justified in doing whatever is necessary to cluebat the offending networks, imho. thanks for those supportive words. note that MAPS is not defunct. the domain MAPS.VIX.COM is defunct, in favour of MAIL-ABUSE.ORG, which was originally an asset of MAPS LLC, then Kelkea, and lately Trend Micro. i've received some excellent private suggestions due to this thread. my two leading candidates are (a) ask dan bernstein to take over MAPS.VIX.COM and run his own RBL there; vs (b) hack up a BIND server so that it can return a positive answer 1% of the time (chosen randomly). -- Paul Vixie
internet idealism (Re: what the heck do i do now?)
[EMAIL PROTECTED] (Brian Wallingford) writes:

> Ultimately, the problem is that the idealism which was more or less the rule a decade ago has taken a backseat to commercialism ...

i dunno about that. i see a lot of idealism still. volunteers at spamhaus, and within the da/mwp community, and at cymru, are still going quite strong.

and in an odd twist of fate's knife, i still hold the cix.net domain which was very quiet until COX went into the internet business a few years back. since i and o are adjacent in qwertyland, i get a whole lotta misdirected e-mail, including a lot of 1x1 correspondence from folks who mistyped their source-email-address in their e-mail reader and then proceeded to correspond. rather than bounce it all, i answer it with the following template:

    there is no such person here at cix.net. try cox.net. re:

and then i include-all the mail they sent to me by mistake. eventually i got tired of explaining to the senders why [EMAIL PROTECTED] was answering their e-mail, and so i started forging the source of my response to be the cix.net address they were trying to reach. i've got it all down to a couple of MH-E keystrokes and macros and e-lisp functions now. i just don't like the idea of bouncing the stuff outright, since a lot of the senders will never guess what went wrong. (i also appreciate the extra spam, for robot-training use.)

it's only a dozen messages a day, on average, and thus: idealism isn't dead.

-- Paul Vixie
Re: WTH does Paul do now?
[EMAIL PROTECTED] (Jon Lewis) writes:

> Why do I even bother?
>
>     (reason: 553 5.7.1 Service unavailable; \
>      Client host [69.28.69.2] blocked using reject-all.vix.com; \
>      reason / created)

here's what you ran into.

    *.69.28.69.reject-all.vix.com. 1800 IN TXT reason sa.vix.com \
        watchmaillog sqlgrey \
        [EMAIL PROTECTED] - \
        [EMAIL PROTECTED] \
        at 2006-11-09 17:55:26.932919

obviously, autoblackholing /24's based on a single greylist failure (mail not retried within 24 hours after receiving the initial 4XX) was over the top. i've disabled that part of the inbound processing robotics, and i've removed your /24 from the list.

-- Paul Vixie
Re: what the heck do i do now?
On Thu, 1 Feb 2007, Scott Weeks wrote: [EMAIL PROTECTED] wrote:--- From: Michael Froomkin - U.Miami School of Law [EMAIL PROTECTED] As an, ahem, lawyer, I think what you do and how you do it matter a lot ... Pulling a plug after reasonable/lots of warnings (did you miss anyone? how do you know for sure?) is on the safer end of the legal spectrum. Matters a lot? In what country's legal spectrum? Or did you assume the queries are US-based only? Or are you suggesting he treat US-based queries differently than the rest of the world? Or are you speaking from US-centric tunnel vision? scott Indeed, I was thinking of the US system, since (1) that's what I know well, and (2) it has the most trigger happy plaintiff's lawyers (although in my experience, jurors tend to take their responsibilities very seriously, contrary to what someone earlier in the thread suggested), and (3) Vixie is AFAIK located in the US, meaning that he'd be susceptible to suit here. It's not so obvious he could be sued elsewhere on these facts although I can't rule it out; even if he were, the court might decide choice-of-law dictated US law anyway. Despite the above, it's of course right to ask what foreign legal systems might say about this. Alas, I can't answer the question, except to say that in matters of commerce the answers often do tend to converge. [I think it's time to go back to lurking...] -- http://www.icannwatch.org Personal Blog: http://www.discourse.net A. Michael Froomkin |Professor of Law| [EMAIL PROTECTED] U. Miami School of Law, P.O. Box 248087, Coral Gables, FL 33124 USA +1 (305) 284-4285 | +1 (305) 284-6506 (fax) | http://www.law.tm --It's warm here.--
Re: what the heck do i do now?
[EMAIL PROTECTED] (Jon Lewis) writes:

> As for trying to make it stop, the two methods thought to be most successful are:
>
> 1)
>     maps.vix.com. 604800 IN NS .

i've tried that. the retry rate actually goes up rather than down.

> 2)
>     maps.vix.com. 604800 IN NS u1.vix.com.
>     maps.vix.com. 604800 IN NS u2.vix.com.
>     maps.vix.com. 604800 IN NS u3.vix.com.
>     ... [as many as you like]
>     u1.vix.com. 604800 IN A 192.0.2.1
>     u2.vix.com. 604800 IN A 192.0.2.2
>     u3.vix.com. 604800 IN A 192.0.2.3
>     ... [as many as you like]

i hadn't thought of that. i'll think seriously about it, thanks.

> Successful here doesn't necessarily mean the traffic stopped but rather the traffic has been mitigated as much as is possible without actually getting people to fix their systems and stop querying the dead zone.

right you are. it sort of goes against my personal grain to cause folks' mail to bounce when their only offense against the community is not reading the qmail man page and understanding what the defaults are.

-- Paul Vixie
Re: what the heck do i do now?
Just add to your services price list high-reliability electronic mail service: $10,000/month or whatever with some general wording about how suitable it is for customers who rely on email for critical and high-dollar business dealings, life and death situations, and similar. Point to it from your general email services menu item. If someone nibbles you could always say you're not taking on new high-reliability email customers for a few months due to demand (theirs.) If what you describe happens you can point to how if they were so concerned they could have purchased the high-reliability email option. They aren't likely to be successful suing you for failure to deliver a service they haven't purchased. Remember the rule: If it isn't worth much to you, it certainly isn't worth much to me. -- -Barry Shein The World | [EMAIL PROTECTED] | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD| Login: Nationwide Software Tool Die| Public Access Internet | SINCE 1989 *oo*
Re: what the heck do i do now?
David Ulevitch wrote:

> Not offering a solution but a bit of an explanation perhaps...
>
> From: http://cr.yp.to/ucspi-tcp/rblsmtpd.html
>
>     If you do not supply any -r options, rblsmtpd tries an RBL source of rbl.maps.vix.com. This will be changed in subsequent versions.
>
> So checking the last released version:
>
>     /ucspi-tcp-0.88# grep -hn maps.vix.com rblsmtpd.c
>     193: if (flagwantdefaultrbl) rbl("rbl.maps.vix.com");
>
> Looks like that could be a cause of some of your pain...
>
> Not everyone runs rblsmtpd on their mailserver, but I know lots of large mail servers that run rblsmtpd (qmail). The fact that the option is the default without being explicit means that at least some folks don't even know maps.vix.com zones are no longer present and the current failure case is not impacting them.

The solution then:

    maps.vix.com. IN NS a.ns.yp.to.
    maps.vix.com. IN NS b.ns.yp.to.

/ Mat
Re: what the heck do i do now?
On Thu, 1 Feb 2007, Paul Vixie wrote:

> > 1)
> >     maps.vix.com. 604800 IN NS .
>
> i've tried that. the retry rate actually goes up rather than down.

That's pretty messed up. I've tested both the strategies I suggested, and at least with both bind9 and DJB's dnscache, the caching name server will cache the NS, and in this (.) case, it won't ask the auth server(s) again for any subsequent queries in the former DNSBL zone (until the data expires from the cache). You must be getting hit by some seriously broken DNS caches. I don't have them handy to test, but I wonder what bind8 and bind4 do? After all, the sorts of people who set up servers to use a DNSBL 8 years ago and forgot about it, are the sorts who might still be running really old DNS server software.

> > 2)
> >     maps.vix.com. 604800 IN NS u1.vix.com.
> >     maps.vix.com. 604800 IN NS u2.vix.com.
> >     maps.vix.com. 604800 IN NS u3.vix.com.
> >     ... [as many as you like]
> >     u1.vix.com. 604800 IN A 192.0.2.1
> >     u2.vix.com. 604800 IN A 192.0.2.2
> >     u3.vix.com. 604800 IN A 192.0.2.3
> >     ... [as many as you like]
>
> i hadn't thought of that. i'll think seriously about it, thanks.

I prefer this method since it's non-destructive, but much more likely to be noticed than the immediate failure the queriers get with the . method.

--
 Jon Lewis               | I route
 Senior Network Engineer | therefore you are
 Atlantic Net            |
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: what the heck do i do now?
On Thu, Feb 01, 2007 at 12:08:32PM -0800, Scott Weeks wrote: [EMAIL PROTECTED] wrote:--- From: Michael Froomkin - U.Miami School of Law [EMAIL PROTECTED] As an, ahem, lawyer, I think what you do and how you do it matter a lot ... Pulling a plug after reasonable/lots of warnings (did you miss anyone? how do you know for sure?) is on the safer end of the legal spectrum. Matters a lot? In what country's legal spectrum? Or did you assume the queries are US-based only? Or are you suggesting he treat US-based queries differently than the rest of the world? Or are you speaking from US-centric tunnel vision? scott One might infer that since the service Paul offered and is considering making changes to might reside in the US, and that (presumably) Paul is a US national, that US legal interpretation might have some sway in the matter. Or not. --bill quoting Jamie... I reject your reality and substitute my own.
Lightning talks at NANOG 39!
We have reserved one hour of the NANOG 39 agenda for Lightning Talks. A lightning talk is a very short presentation or speech by any attendee on any topic relevant to the NANOG audience. These are limited to ten minutes; this will be strictly enforced. If you have a topic that's timely, interesting, or even a crackpot idea you want to share, we encourage you to consider presenting it. The Program Committee will decide which submissions are relevant (using criteria based on the NANOG mailing list AUP) and choose the best six to be presented. Use of slides is optional. All slides must be in PDF or Powerpoint format, and will be loaded in advance onto the speaker laptop on the podium. There is a good overview of the use of lightning talks at the Perl conference at http://www.perl.com/pub/a/2004/07/30/lightningtalk.html. Although their format is slightly different, many of their ideas will apply here. To submit a lightning talk proposal for NANOG 39, go to http://www.nanogpc.org/lightning/ See you in Toronto! Steve Feldman PC Chair
Re: what the heck do i do now?
On February 1, 2007 at 05:34 [EMAIL PROTECTED] (Roland Dobbins) wrote: On Jan 31, 2007, at 7:04 PM, Matthew Kaufman wrote: (As an example, consider what happens *to you* if a hospital stops getting emailed results back from their outside laboratory service because their email firewall is checking your server, and someone dies as a result of the delay) Moral issues aside, I'd love to see this litigated. About 20 years ago, probably a little more, I got a call at Boston University from an IT admin working at a hospital in Rhode Island. He told me IBM was making a competitive bid for the hospital's campuswide network and was pushing hard for their own token-ring solutions against his preferred ethernet solutions. What he wanted me to help him think through was that IBM had told the hospital's administration that because ethernet is designed to drop packets (i.e., collisions, let's not quibble my quick description you all know what I mean) that data could be LOST and a patient could DIE and the hospital could be held LIABLE! He said that thus far explaining TCP/IP's reliability had gone right over their heads and all they could see were the materials about ethernet's lossiness IBM had left with them. I forget what I advised, I think I tried to get some other similar players already using ethernet in touch as reference sites. It was 20+ years ago. My only point is that this unreliability could cause children to die, and, worse, lawsuits! is awfully old grist for the mill. -- -Barry Shein The World | [EMAIL PROTECTED] | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD| Login: Nationwide Software Tool Die| Public Access Internet | SINCE 1989 *oo*
Re: what the heck do i do now?
On Thu, 1 Feb 2007, Paul Vixie wrote: thanks for those supportive words. note that MAPS is not defunct. the domain MAPS.VIX.COM is defunct, in favour of MAIL-ABUSE.ORG, which was originally an asset of MAPS LLC, then Kelkea, and lately Trend Micro. They seem to have preferred mail-abuse.com since summer 2004 - at least that's about when the lookup CGI at mail-abuse.org stopped working. Tony. -- f.a.n.finch [EMAIL PROTECTED] http://dotat.at/ IRISH SEA: SOUTHWEST VEERING NORTHEAST 3 OR 4, INCREASING 5 OR 6 FOR A TIME. SLIGHT OCCASIONALLY MODERATE. OCCASIONAL DRIZZLE, FAIR LATER. GOOD, OCCASIONALLY MODERATE OR POOR.
Re: what the heck do i do now?
At 11:19 PM -0500 1/31/07, Michael Froomkin - U.Miami School of Law wrote: As an, ahem, lawyer, I think what you do and how you do it matter a lot here. And it would be prudent to talk to someone who understood your facts and situation before doing some of the things discussed in this thread. (I won't be more specific for fear of sounding like I'm giving legal advice, YMMV, probably not admitted where you live, if this were advice it would trigger a bill, see generally disclaimers at http://www.law.tm/disclaimers.html .) Pulling a plug after reasonable/lots of warnings (did you miss anyone? how do you know for sure?) is on the safer end of the legal spectrum. Trying something that has the noble intention of directing cluebat to cranial density... well, that's different. It has the ability to be spun as malicious. Will the judge and jury get it? Who will pay for the lawyer who will explain it to them? What if it was a government computer that got hosed? Will this be civil or criminal liability? Bottom line is that in the absence of a promise -- explicit or implicit (!) -- to the contrary, you can usually turn off your gear and get on with your life (but would you want to if it was a hospital that got hosed? how would you feel in the morning?). The more your actions deviate from that, the more likely you are taking on some level of risk. In some scenarios it's an acceptable level, but it all depends. That would seem to apply to the original decision to stop the service in 1999, water under the bridge. The current users of the service haven't gotten service since then. Does that change the promise any? It is impossible to know with any confidence without knowing more details, but from the face of it, it is far from obvious to me that Mark Foster's lawyer got this wrong. (Meanwhile, this will make a great exam question some day.) On Wed, 31 Jan 2007, Chris Owen wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Jan 31, 2007, at 9:16 PM, Mark Foster wrote: list... 
I talked to my lawyer. And while I am not a lawyer, I can tell you that my lawyer pointed out several interesting legal theories under which I could have some serious liability, and so I don't do that any more. (As an example, consider what happens *to you* if a hospital stops getting emailed results back from their outside laboratory service because their email firewall is checking your server, and someone dies as a result of the delay) So while I think you'd be justified in doing it, I think you'd find that 1) lots of people wouldn't change their configs at all, and 2) you might find that your liability insurance doesn't cover deliberate acts. Uhm. I don't follow? In my experience, people who tell stories like this really just need to get a better lawyer. I've had several lawyers contact us on things about this lame and have found that the one sentence reply letter is often the most effective: Dear Sir: Kiss my what? Never hear from them again. Chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (Darwin) iD8DBQFFwV6ZElUlCLUT2d0RArP9AKC4JaEP5QJiB70SfrCWGkI9eTdxBwCcC+wA +DFKKXKMUqluFDF1DNCBJ0o= =sndk -END PGP SIGNATURE- -- http://www.icannwatch.org Personal Blog: http://www.discourse.net A. Michael Froomkin |Professor of Law| [EMAIL PROTECTED] U. Miami School of Law, P.O. Box 248087, Coral Gables, FL 33124 USA +1 (305) 284-4285 | +1 (305) 284-6506 (fax) | http://www.law.tm --It's warm here.-- -- Ken Eddings, Hostmaster, IST, [EMAIL PROTECTED], [EMAIL PROTECTED] Work:+1 408 974-4286, Cell: +1 408 425-3639, Fax: +1 408 974-3103 Apple Computer, Inc., 1 Infinite Loop, M/S 60-MS Cupertino, CA 95014 The Prudent Mariner never relies solely on any single aid to navigation.
BellSouth OC192 Fiber Cut
I'm hearing reports of a Fiber Cut between College Park, GA and Tallahassee, FL. Can anyone chime in on specifics? thanks Pablo
Re: BellSouth OC192 Fiber Cut
Just received some individual threads with feedback. Thanks for the replies! On 2/1/07, Pablo Espinosa [EMAIL PROTECTED] wrote: I'm hearing reports of a Fiber Cut between College Park, GA and Tallahassee, FL. Can anyone chime in on specifics? thanks Pablo
SRI-NIC.ARPA 26.0.0.73
Do old packets ever go away on the Internet? How many DNS packets still wander towards SRI-NIC.ARPA's old root server at 26.0.0.73? At some point, regardless of what the lawyers say, you've got to make your own decision and move on. Things change on the Internet, if you don't maintain your systems they will become obsolete. Conversely, no matter how many ways, how many times you try to inform people about changes someone will miss it, ignore it, misunderstand it, etc. And someone may even sue you over it.
Re: BellSouth OC192 Fiber Cut
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Pablo Espinosa [EMAIL PROTECTED] wrote: Just received some individual threads with feedback. Thanks for the replies! Individual threads? Sweet. Send us pictures. ;-) - - ferg -BEGIN PGP SIGNATURE- Version: PGP Desktop 9.5.3 (Build 5003) wj8DBQFFws1Nq1pz9mNUZTMRAsvcAJsGHNfQg/1Yx3ZvGP+3BbgPh+tPXwCg1/BE WVppnPDxnhY9zrXg6mDQY+Y= =2Heq -END PGP SIGNATURE- -- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg(at)netzero.net ferg's tech blog: http://fergdawg.blogspot.com/
Re: what the heck do i do now?
Set up a nameserver there. Configure it to return 127.0.0.2 (or whatever the old MAPS reply for spam was) to all queries. Let it run for a week. See if anything changes in terms of it getting hammered. -- Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED] Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV
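
The outcomes discussed in this thread (a retired zone whose servers refuse queries, one emptied or re-delegated, one answering 127.0.0.2 to all queries) can be told apart on the querying side before any mail is rejected. The following is an added example, not code from any poster or from rblsmtpd: it probes the two test entries that RFC 5782 later defined for DNSBLs (127.0.0.2 always listed, 127.0.0.1 never listed). The zone dnsbl.example, the resolve callable, the constructed responses and the accept-on-failure policy are all assumptions.

```python
import ipaddress

NXDOMAIN, SERVFAIL = "NXDOMAIN", "SERVFAIL"  # non-address lookup outcomes

def dnsbl_name(ip, zone):
    """Query name for a DNSBL: reversed IPv4 octets prepended to the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")

def zone_health(zone, resolve):
    """Probe the RFC 5782 test entries: 127.0.0.2 listed, 127.0.0.1 never."""
    must_list = resolve(dnsbl_name("127.0.0.2", zone))
    must_not = resolve(dnsbl_name("127.0.0.1", zone))
    if SERVFAIL in (must_list, must_not):
        return "unreachable"       # REFUSED, lame delegation or timeout
    if must_not != NXDOMAIN:
        return "lists-everything"  # retired zone answering every query
    if must_list == NXDOMAIN:
        return "empty"             # zone answers but carries no data
    return "healthy"

def check_client(ip, zone, resolve):
    """Return (action, reason); reject only on a listing in a healthy zone."""
    health = zone_health(zone, resolve)
    if health != "healthy":
        return ("accept", "zone " + health)   # assumed policy: fail open
    answer = resolve(dnsbl_name(ip, zone))
    if answer == SERVFAIL:
        return ("accept", "lookup failed")
    if answer == NXDOMAIN:
        return ("accept", "not listed")
    return ("reject", "listed as " + ",".join(answer))

def make_resolver(kind):
    """Constructed stand-in for an A lookup against dnsbl.example."""
    listed = ("2.0.0.127.", "10.2.0.192.")    # test entry + 192.0.2.10
    def resolve(name):
        if kind == "refusing":
            return SERVFAIL
        if kind == "wildcard":
            return ["127.0.0.2"]
        if kind == "emptied":
            return NXDOMAIN
        return ["127.0.0.2"] if name.startswith(listed) else NXDOMAIN
    return resolve

if __name__ == "__main__":
    for kind in ("live", "refusing", "wildcard", "emptied"):
        print(kind, check_client("192.0.2.10", "dnsbl.example", make_resolver(kind)))
```

In a mail server the health result would be cached and logged rather than probed per connection, so that an unhealthy zone shows up as an operator alert instead of as bounced mail.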