Re: well-known NTP?

2006-04-11 Thread Lars-Johan Liman

[I just happened to see this, browsing at high speed, so please
forgive me, if I'm out of context.]

[EMAIL PROTECTED]:
 AS112-style NTP service, anyone?  That would be cooperative and
 possibly even useful.

That is actually not necessarily such a good idea.

With the current AS112 stuff, we only provide DNS reverse service for
networks for which there should essentially be no queries. Hence,
replying with "doesn't exist" is kind of OK. Should an anycast
instance go rogue and give false answers, that is still within the
bounds of acceptable, since the query shouldn't be there in the
first place.

If you create a disparate anycast system of NTP servers, you run into a
security issue, since many security protocols have accurate time as
an important parameter, and a rogue anycast NTP server could create
substantial amounts of harm from security and other standpoints by
giving out incorrect time.

Nope, you want your NTP to come from an appropriate source ...
preferably with signatures.

Cheers,
  /Liman
#--
# There are 10 kinds of people in the world. Those who understand
# binary numbers, and those who don't.
#--
# Lars-Johan Liman, M.Sc.   ! E-mail: [EMAIL PROTECTED]
# Senior Systems Specialist ! HTTP  : //www.autonomica.se/
# Autonomica AB, Stockholm  ! Voice : +46 8 - 615 85 72
#--
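The point of "preferably with signatures" is that a time reply from a host that does not hold the shared key can be rejected before it moves the clock. The following is an added example, not code from the post or from any NTP implementation: it builds a 48-byte NTPv4 server reply, appends the RFC 5905 symmetric-key authenticator (key ID plus MD5 over key and packet), and shows that a reply whose transmit time was altered, or one signed under a key ID the client does not know, fails verification. The key material and timestamps are constructed for the example; MD5 is the legacy digest RFC 5905 specifies, and current implementations also offer stronger digests.

```python
import hashlib
import hmac
import struct

# Constructed shared secret for the example (not from the post). Real
# deployments load key ID and key material from the NTP key file.
SHARED_KEY_ID = 1
SHARED_KEY = b"example-ntp-key-material"
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01


def build_ntp_packet(transmit_unix_seconds, stratum=2):
    """Build a minimal 48-byte NTPv4 server reply header (RFC 5905)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4        # LI=0, version 4, mode 4 (server)
    ntp_seconds = int(transmit_unix_seconds) + NTP_EPOCH_OFFSET
    return struct.pack(
        "!BBBbIIIQQQQ",
        li_vn_mode, stratum, 6, -20,            # poll 2^6 s, precision 2^-20 s
        0, 0, 0,                                # root delay, root dispersion, ref id
        ntp_seconds << 32,                      # reference timestamp (seconds.fraction)
        0, 0,                                   # origin and receive timestamps
        ntp_seconds << 32,                      # transmit timestamp
    )


def append_mac(packet, key_id, key):
    """RFC 5905 symmetric-key authenticator: key ID + MD5(key || packet)."""
    return packet + struct.pack("!I", key_id) + hashlib.md5(key + packet).digest()


def verify_mac(message, keys):
    """True only if the trailing MAC was made with a key in `keys` (key ID -> bytes)."""
    if len(message) != 48 + 4 + 16:
        return False                            # unauthenticated or truncated reply
    packet, key_id_raw, digest = message[:48], message[48:52], message[52:]
    key = keys.get(struct.unpack("!I", key_id_raw)[0])
    if key is None:
        return False                            # key ID this client does not trust
    expected = hashlib.md5(key + packet).digest()
    return hmac.compare_digest(expected, digest)


def demo():
    """Genuine reply, the same reply with its time moved, and a reply under an unknown key."""
    keys = {SHARED_KEY_ID: SHARED_KEY}
    base_time = 1_144_800_000                   # constructed: April 2006
    genuine = append_mac(build_ntp_packet(base_time), SHARED_KEY_ID, SHARED_KEY)
    # Original MAC trailer reused on a packet whose transmit time is a year later.
    moved = build_ntp_packet(base_time + 365 * 86400) + genuine[48:]
    # Well-formed MAC, but under key ID 7, which this client has never been given.
    unknown = append_mac(build_ntp_packet(base_time), 7, b"some-other-key")
    return verify_mac(genuine, keys), verify_mac(moved, keys), verify_mac(unknown, keys)
```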


Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-23 Thread Lars-Johan Liman

[EMAIL PROTECTED]:
  Most DSL providers that hand out static addressing also have the means
 to delegate the rDNS. Sounds like it is time to get your own DNS on.

They have the means (by definition). They don't have the willingness.

Cheers,
  /Liman


Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-23 Thread Lars-Johan Liman

[EMAIL PROTECTED]:
 You block port 25 until a customer claims to have set up a responsible
 mail submission agent and demonstrates the necessary clue density.

Then in all fairness block also port 80. A comparable amount of junk
is sent using port 80.

 This can be readily determined by having customer support mail
 a short form with relevant questions such as "Is your mail server
 RFC2505 compliant?", "Please list the mechanism used to secure
 mail submission to your server", and "Are you prepared to handle
 SPAM reports for all email originated or relayed?"   No problem for
 someone who knows what they're doing but enough to deter the
 random end user.

Ditto  | sed  -e 's/25/80/' -e 's/SMTP/HTTP/' -e 's/MIME/HTML/'

:-)

Cheers,
  /Liman


Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-23 Thread Lars-Johan Liman

[EMAIL PROTECTED]:
 Congrats. Ask your ISP for non-generic rDNS, in your domain, so I know
 where to send the abuse reports.

I did.

Reverse *what*?

Just to clue you in. They used to have the only two authoritative
servers for their reverse zone sitting on the same LAN with the IP#s
next to each other. Then, when that LAN goes out (happens from time to
time), there is *NO* rDNS, with the obvious lame delegation time-outs
from servers I (as a customer of theirs) try to access. (In all
fairness, I just checked my facts, and it seems as if they have
recently improved on that situation.)

Like I said, I barely trust them to move bits to my box.

 I don't mind at all. Get rDNS that provides a clue that you have a clue,
 and I'm happy as all get out to accept mail from you. Otherwise, you're
 functionally identical to fifty million spam zombies, as far as I have
 time to determine.

 Understand me? You're the /rare exception/.

I *understand* that I'm a rare exception.

The problem is that the world *won't let me* be a well functioning
exception. My ISP won't let me have my own rDNS, and you won't let
me use port 25 properly.

 Because that's how things are today. You're a 1-in-50-million chance,
 as far as I can tell from my mail server.

With that attitude you're never going to improve things ...

Cheers,
  /Liman


Re: The worst abuse e-mail ever, sverige.net

2004-09-23 Thread Lars-Johan Liman

[EMAIL PROTECTED]:
 The solution I am working toward is quickly identifying user
 infections.  We are almost there. I collect and record all traffic

Umm ... you mean you wire-tap all my email messages? (Anyone
still wonders why I don't trust my ISP?)

I wonder if my Telco listens in on all my telephone conversations
too? And the post office! My letters?

(Oops, sorry, shouldn't make analogies. ;-)

 from the users going to dark space

Umm ... please define "dark space".

 and am almost finished with the system that will identify who held
 that IP at a specific time. It is all in SQL so that is easy.

Mmm. User privacy in its glory?

[EMAIL PROTECTED]:
 Our system is similar, except we block port 25 completely via RADIUS
 after we detect an outgoing virus or spam,

Detect how?

 then notify the customer.  This eliminates the ACL's on the border
 routers.  The user can still surf freely to download patches while
 not causing further damage.  Some users just don't want to be
 bothered and just use webmail to send E-mail and keep the block
 forever.

This latter part is OK. It opens up a way out for those who want to,
and a different service for those who don't.

Cheers,
  /Liman


Re: The worst abuse e-mail ever, sverige.net

2004-09-23 Thread Lars-Johan Liman

[EMAIL PROTECTED]:
 Correction, the world *can't* let you be a well functioning
 exception.
 People always scream 'no censorship', but there is only that many more
 mail servers and preprocessing machines you can throw at a $20/month
 account.

Hmm. "You get what you pay for", you mean? I can 

If you mean that if I pay enough money, I can get a DSL (or even
leased line) service with fixed IP address, and proper rDNS, that is
not filtered by recipient MTAs. Sure. I probably could -
theoretically.

 the real question is, how much money is it worth to you. But
 don't put the blame on us for not adding another rack of mailservers
 so people like you can get their mail out.

I'm opposed to marketing systems that actively (means it costs them
money) put in restrictions in systems to make me pay more to have
them remove it again.

It's not worth the 5-fold amount that they will charge me, but if I
can't use the 'net properly, it might not be worth connecting to at
all, so they'll lose me as customer.

One port blocked is not much to quarrel over in practice, but this is
a trend. Mail goes first. Web comes next (we funnel all your web
traffic through our cache). VOIP is around the corner. It's like a
phone system where they won't let you call anyone on the phone
system. If you want to call to this part of the world, you will have
to call through our listening station, and if you don't want to do
that, you can buy our premium service for $200 per minute. Sorry, it
doesn't strike me as tempting at all.

The cost cannot be motivated in a personal budget - and it becomes a
class thing. We could only afford limited Internet.

No, I don't like it. But then again, I'm just the rare exception ...

 Correction, the world *can't* let you be a well functioning exception.

[EMAIL PROTECTED]:
 not true.  it can but many have decided not to.

Well, what Paul's saying (in my understanding) is

  the world *can't* let you be a well functioning exception ... *FOR
  THAT SMALL AMOUNT OF MONEY*, because their ends will not meet
  (... with enough overlap ;-).

... which is probably what you mean too.

(Correct me if I'm wrong, Paul.)

Cheers,
  /Liman


Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-22 Thread Lars-Johan Liman

I cannot agree to the block port 25 line of action.

I am a Unix sysadmin, with 15 years of experience as sendmail and DNS
expert. I have a DSL line at home, with static IP, and generic rDNS
provided by my ISP. Behind it I have a serious Unix server, configured
to roughly the same standard that I use at work.
 
I know enough about this business to not trust my ISP with anything
more than moving packets to and from my server (and even that is
stretching it ;-). I don't want to pay for their lousy mail service,
I can do it better myself.

And you don't want to let me?

Now, *why* should *I* be punished because the rest of my neighbours
have chosen to jump into the commercial bed of an operating system
that is a walking invitation to cracking?

The Internet is designed to be end-to-end.

I know of ISPs that try to filter out IP telephony to force the users
to use and pay for the ISP's VOIP service. Is that OK?  No, I thought
not. But remember - when VOIP gets deployed really wide and far (like
e-mail today), you'll start to receive a lot more abusive phone
calls. Why?

This all boils down to cost and cost model. In the real world, the
sender pays for the (paper) mail message. In the electronic world,
the bigger cost is carried by the recipient. This model will break in
the future.

It's too d---ned cheap to send out spam, and it'll be too d---ned
cheap to sell your stuff over VOIP in the future.

We could fight all this, but it takes manpower and competence, and
manpower and competence cost real money - money that the customer is
not willing to spend ... yet.

This is a market problem. It will eventually sort itself out, but
stopping serious and sensible people from using the Internet as it is
designed, is not the right way to do it. If the Internet is going to
survive - the cost model has to change. Or, there's another future,
where the Internet as we know it, is just a packet transport system,
on which we build our own (several) virtual networks which are only
reachable by the community (-ies) that we choose. Configuration
nightmare. But someone will make money by providing software tools to
help us make our worlds as complex as possible (see NAT in your
dictionary ...)

(Hmm. Maybe I should start a BGP feed that blacklists all ISPs that
block port 25? Hmm. Hmm. Any takers? :-)

Cheers,
  /Liman


AS number for i.root-servers.net.

2004-01-22 Thread Lars-Johan Liman

Friends,

Those of you who treat routing to the root DNS servers in a special
way, can you please verify that you treat the routing to
i.root-servers.net (the NORDUnet/Autonomica server administrated from
Stockholm) the way you intend.

Prefix: 192.36.148.0/24
Originating AS: 29216

NOTE: This prefix is anycast from several locations on the net
(currently Stockholm, Helsinki, London, and Milan), but in all cases,
the originating AS should be 29216.

The source AS was changed in October 2003, but we suspect that the
change from the old AS (8674) hasn't quite been communicated to all
dark corners of the net. Please help us convey that information.

Best regards,
  /Liman
  [EMAIL PROTECTED]
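An operator who treats routing to the root servers specially can turn the request above into a check: every route covering 192.36.148.0/24 should end in AS 29216, and a path still ending in the old AS 8674 is a stale view worth chasing. This is an added example, not the poster's or NORDUnet/Autonomica's code; the prefix and both AS numbers come from the post, while the route entries are constructed sample data in a (prefix, AS path) shape one might extract from a looking glass.

```python
import ipaddress

# Values from the post: the i.root-servers.net prefix, the origin AS it
# should carry, and the old AS the post says was replaced in October 2003.
ROOT_PREFIX = ipaddress.ip_network("192.36.148.0/24")
EXPECTED_ORIGIN_AS = 29216
RETIRED_ORIGIN_AS = 8674

# Constructed sample route entries as (prefix, AS path); not real routing data.
SAMPLE_ROUTES = [
    ("192.36.148.0/24", [1299, 2603, 29216]),   # expected origin
    ("192.36.148.0/24", [3356, 8674]),          # stale origin from before the change
    ("192.36.148.0/24", [6939, 65000]),         # origin nobody should be announcing
    ("192.36.149.0/24", [1299, 8674]),          # neighbouring prefix, not relevant
    ("192.36.148.0/23", [1299, 29216]),         # covering aggregate, still relevant
]


def check_root_server_routes(routes, prefix=ROOT_PREFIX, expected_as=EXPECTED_ORIGIN_AS):
    """Return (prefix, origin AS, verdict) for every route that overlaps `prefix`.

    The origin AS is the last ASN in the path. Exact, covering and
    more-specific routes all influence where traffic for the root server
    goes, so all three are examined; unrelated prefixes are skipped.
    """
    findings = []
    for text, as_path in routes:
        net = ipaddress.ip_network(text)
        if net.version != prefix.version or not net.overlaps(prefix):
            continue
        if not as_path:
            findings.append((text, None, "empty-path"))
            continue
        origin = as_path[-1]
        if origin == expected_as:
            verdict = "ok"
        elif origin == RETIRED_ORIGIN_AS:
            verdict = "stale-origin"
        else:
            verdict = "unexpected-origin"
        findings.append((text, origin, verdict))
    return findings


def routes_needing_attention(routes):
    """Only the entries an operator has to follow up on."""
    return [f for f in check_root_server_routes(routes) if f[2] != "ok"]
```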