Re: well-known NTP?
[I just happened to see this, browsing at high speed, so please forgive me if I'm out of context.]

[EMAIL PROTECTED]:
> AS112-style NTP service, anyone? That would be cooperative and possibly
> even useful.

That is actually not necessarily such a good idea. With the current AS112 stuff, we only provide DNS reverse service for networks for which there should essentially be no queries. Hence, replying with "doesn't exist" is kind of OK. Should an anycast instance go rogue and give false answers, that is still within the bounds of acceptable, since the query shouldn't be there in the first place.

If you create a disparate anycast system of NTP servers, you run into a security issue, since many security protocols have accurate time as an important parameter, and a rogue anycast NTP server could create substantial amounts of harm from security and other standpoints by giving out incorrect time.

Nope, you want your NTP to come from an appropriate source ... preferably with signatures.

Cheers,
/Liman
#--
# There are 10 kinds of people in the world. Those who understand
# binary numbers, and those who don't.
#--
# Lars-Johan Liman, M.Sc.      ! E-mail: [EMAIL PROTECTED]
# Senior Systems Specialist    ! HTTP  : //www.autonomica.se/
# Autonomica AB, Stockholm     ! Voice : +46 8 - 615 85 72
#--
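The failure mode above (a rogue anycast instance handing out a wrong time that clients accept) is what NTP authentication exists to stop. The following Python is an added example, not code from the message or from any NTP implementation: it builds an NTPv4 server reply, appends the symmetric-key MAC defined in RFC 5905 (a 4-byte key id followed by MD5 over key || header), and then checks that a reply whose transmit timestamp was pushed a day ahead by an instance without the key fails verification, as does a reply with no MAC at all. The key id, key, timestamps and reference id are all constructed here; the mechanism is a keyed MAC rather than a public-key signature, which is the closest thing to "with signatures" that classic NTP offers.

```python
import hashlib
import hmac
import struct

# Constructed for this example: a key id and the pre-shared key both sides hold.
KEY_ID = 1
KEYS = {KEY_ID: b"example-shared-secret-not-for-production"}

NTP_UNIX_OFFSET = 2_208_988_800  # seconds between 1900-01-01 and 1970-01-01
HEADER_LEN, KEYID_LEN, MD5_LEN = 48, 4, 16


def ntp_timestamp(unix_seconds: float) -> int:
    """Unix time to the 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_UNIX_OFFSET) << 32) | frac


def transmit_time(packet: bytes) -> float:
    """Unix time carried in the Transmit Timestamp field (bytes 40-47 of the header)."""
    xmt = struct.unpack("!Q", packet[40:48])[0]
    return (xmt >> 32) - NTP_UNIX_OFFSET + (xmt & 0xFFFFFFFF) / (1 << 32)


def build_header(transmit_unix: float, stratum: int = 2) -> bytes:
    """48-byte NTPv4 server reply (LI=0, VN=4, mode=4); fields not needed here are zero."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    poll, precision = 6, -20
    return struct.pack(
        "!BBbbII4sQQQQ",
        li_vn_mode, stratum, poll, precision,
        0, 0,                  # root delay, root dispersion
        b"GPS\x00",            # reference id (constructed)
        0, 0, 0,               # reference, origin, receive timestamps
        ntp_timestamp(transmit_unix),
    )


def sign(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append the RFC 5905 symmetric-key MAC: key id followed by MD5(key || header)."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet: bytes, keys: dict) -> bool:
    """True only if the packet carries a MAC computed with a key we trust."""
    if len(packet) != HEADER_LEN + KEYID_LEN + MD5_LEN:
        return False                      # unauthenticated or malformed: reject
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + KEYID_LEN])[0]
    key = keys.get(key_id)
    if key is None:
        return False                      # unknown key id
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, packet[HEADER_LEN + KEYID_LEN:])


def demo() -> dict:
    """A genuine reply versus two replies from a rogue instance that lacks the key."""
    now = 1_700_000_000.0
    genuine = sign(build_header(now), KEY_ID, KEYS[KEY_ID])
    # The rogue instance can only reuse the genuine MAC on a header whose
    # transmit timestamp it has pushed a day into the future ...
    forged = build_header(now + 86_400) + genuine[HEADER_LEN:]
    # ... or send an unauthenticated reply.
    unsigned = build_header(now + 86_400)
    return {
        "genuine": verify(genuine, KEYS),
        "forged": verify(forged, KEYS),
        "unsigned": verify(unsigned, KEYS),
        "genuine_time": transmit_time(genuine),
    }


if __name__ == "__main__":
    print(demo())
```

The important client-side rule is the length check in verify(): a client that accepts an unauthenticated 48-byte reply when it expected a MAC has no protection at all, since a rogue instance never needs the key to send one.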
Re: FW: The worst abuse e-mail ever, sverige.net
[EMAIL PROTECTED]:
> Most DSL providers that hand out static addressing also have the means to
> delegate the rDNS. Sounds like it is time to get your own DNS on.

They have the means (by definition). They don't have the willingness.

Cheers,
/Liman
Re: FW: The worst abuse e-mail ever, sverige.net
[EMAIL PROTECTED]:
> You block port 25 until a customer says that they claim to have set up a
> responsible mail submission agent and demonstrate the necessary clue density.

Then, in all fairness, block port 80 also. A comparable amount of junk is sent using port 80.

> This can be readily determined by having customer support mail a short form
> with relevant questions such as "Is your mail server RFC2505 compliant?",
> "Please list the mechanism used to secure mail submission to your server?",
> and "Are you prepared to handle SPAM reports for all email originated or
> relayed?" No problem for someone who knows what they're doing but enough to
> deter the random end user.

Ditto | sed -e 's/25/80/' -e 's/SMTP/HTTP/' -e 's/MIME/HTML/' :-)

Cheers,
/Liman
Re: FW: The worst abuse e-mail ever, sverige.net
[EMAIL PROTECTED]:
> Congrats. Ask your ISP for non-generic rDNS, in your domain, so I know where
> to send the abuse reports.

I did. "Reverse *what*?"

Just to clue you in: they used to have the only two authoritative servers for their reverse zone sitting on the same LAN, with the IP#s next to each other. Then that LAN goes out (happens from time to time) and there is *NO* rDNS, with the obvious lame delegation time-outs from servers I (as a customer of theirs) try to access. (In all fairness, I just checked my facts, and it seems as if they have recently improved on that situation.)

Like I said, I barely trust them to move bits to my box.

> I don't mind at all. Get rDNS that provides a clue that you have a clue, and
> I'm happy as all get out to accept mail from you. Otherwise, you're
> functionally identical to fifty million spam zombies, as far as I have time
> to determine. Understand me? You're the /rare exception/.

I *understand* that I'm a rare exception. The problem is that the world *won't let me* be a well functioning exception. My ISP won't let me have my own rDNS, and you won't let me use port 25 properly.

> Because that's how things are today. You're a 1-in-50-million chance, as far
> as I can tell from my mail server.

With that attitude you're never going to improve things ...

Cheers,
/Liman
Re: The worst abuse e-mail ever, sverige.net
[EMAIL PROTECTED]:
> The solution I am working toward is quickly identifying user infections. We
> are almost there. I collect and record all traffic

Umm ... you mean you wire-tap all my email messages? (Anyone still wonders why I don't trust my ISP?) I wonder if my Telco listens in on all my telephone conversations too? And the post office! My letters? (Oops, sorry, shouldn't make analogies. ;-)

> from the users going to dark space

Umm ... please define "dark space".

> and am almost finished with the system that will identify who held that IP
> at a specific time. It is all in SQL so that is easy.

Mmm. User privacy in its glory?

[EMAIL PROTECTED]:
> Our system is similar, except we block port 25 completely via RADIUS after
> we detect an outgoing virus or spam,

Detect how?

> then notify the customer. This eliminates the ACLs on the border routers.
> The user can still surf freely to download patches while not causing further
> damage. Some users just don't want to be bothered and just use webmail to
> send E-mail and keep the block forever.

This latter part is OK. It opens up a way out for those who want to, and a different service for those who don't.

Cheers,
/Liman
Re: The worst abuse e-mail ever, sverige.net
[EMAIL PROTECTED]:
> Correction, the world *can't* let you be a well functioning exception.
> People always scream 'no censorship', but there are only so many more mail
> servers and preprocessing machines you can throw at a $20/month account.

Hmm. "You get what you pay for", you mean? I can If you mean that if I pay enough money, I can get a DSL (or even leased line) service with fixed IP address, and proper rDNS, that is not filtered by recipient MTAs. Sure. I probably could - theoretically.

> the real question is, how much money is it worth it for you. But don't put
> the blame on us for not adding another rack of mailservers so people like
> you can get their mail out.

I'm opposed to marketing systems that actively (meaning it costs them money) put in restrictions in systems to make me pay more to have them remove it again. It's not worth the 5-fold amount that they will charge me, but if I can't use the 'net properly, it might not be worth connecting to at all, so they'll lose me as a customer.

One port blocked is not much to quarrel over in practice, but this is a trend. Mail goes first. Web comes next ("we funnel all your web traffic through our cache"). VOIP is around the corner. It's like a phone system where they won't let you call anyone on the phone system. "If you want to call to this part of the world, you will have to call through our listening station, and if you don't want to do that, you can buy our premium service for $200 per minute." Sorry, it doesn't strike me as tempting at all. The cost cannot be motivated in a personal budget - and it becomes a class thing. "We could only afford limited Internet." No, I don't like it. But then again, I'm just the rare exception ...

>> Correction, the world *can't* let you be a well functioning exception.

[EMAIL PROTECTED]:
> not true. it can but many have decided not to.

Well, what Paul's saying (in my understanding) is "the world *can't* let you be a well functioning exception ... *FOR THAT SMALL AMOUNT OF MONEY*, because their ends will not meet (... with enough overlap ;-)". ... which is probably what you mean too. (Correct me if I'm wrong, Paul.)

Cheers,
/Liman
Re: FW: The worst abuse e-mail ever, sverige.net
I cannot agree to the "block port 25" line of action.

I am a Unix sysadmin, with 15 years of experience as a sendmail and DNS expert. I have a DSL line at home, with static IP, and generic rDNS provided by my ISP. Behind it I have a serious Unix server, configured to roughly the same standard that I use at work. I know enough about this business to not trust my ISP with anything more than moving packets to and from my server (and even that is stretching it ;-). I don't want to pay for their lousy mail service; I can do it better myself. And you don't want to let me?

Now, *why* should *I* be punished because the rest of my neighbours have chosen to jump into the commercial bed of an operating system that is a walking invitation to cracking? The Internet is designed to be end-to-end. I know of ISPs that try to filter out IP telephony to force the users to use and pay for the ISP's VOIP service. Is that OK? No, I thought not. But remember - when VOIP gets deployed really wide and far (like e-mail today), you'll start to receive a lot more abusive phone calls. Why?

This all boils down to cost and cost model. In the real world, the sender pays for the (paper) mail message. In the electronic world, the bigger cost is carried by the recipient. This model will break in the future. It's too d---ned cheap to send out spam, and it'll be too d---ned cheap to sell your stuff over VOIP in the future. We could fight all this, but it takes manpower and competence, and manpower and competence cost real money - money that the customer is not willing to spend ... yet. This is a market problem. It will eventually sort itself out, but stopping serious and sensible people from using the Internet as it is designed is not the right way to do it. If the Internet is going to survive, the cost model has to change.

Or, there's another future, where the Internet as we know it is just a packet transport system, on which we build our own (several) virtual networks which are only reachable by the community (-ies) that we choose. Configuration nightmare. But someone will make money by providing software tools to help us make our worlds as complex as possible (see NAT in your dictionary ...)

(Hmm. Maybe I should start a BGP feed that blacklists all ISPs that block port 25? Hmm. Hmm. Any takers? :-)

Cheers,
/Liman
AS number for i.root-servers.net.
-----BEGIN PGP SIGNED MESSAGE-----

Friends,

Those of you who treat routing to the root DNS servers in a special way, can you please verify that you treat the routing to i.root-servers.net (the NORDUnet/Autonomica server administrated from Stockholm) the way you intend.

Prefix: 192.36.148.0/24
Originating AS: 29216

NOTE: This prefix is anycast from several locations on the net (currently Stockholm, Helsinki, London, and Milan), but in all cases, the originating AS should be 29216. The source AS was changed in October 2003, but we suspect that the change from the old AS (8674) hasn't quite been communicated to all dark corners of the net. Please help us convey that information.

Best regards,
/Liman
[EMAIL PROTECTED]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iQCVAwUBQA+gLzySCHj+AqGZAQF32QP9E5ZfmpXVuU9jZULHtOE30sG0SyBBImFK
lP90UgKjIj9yFsLtqwzKf8NcwgRDzAfUtiiMNUPCbhItHZPT8dYiEuBXM/96fH/t
TqSoG+LfJb5lHfo8BKE1257g/3VC+EKZwYDOyr3O+ceWfl3hL86qXxzqxUxs0Xj7
BY8T6YEy4pc=
=SlP3
-----END PGP SIGNATURE-----
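The check the announcement asks operators to make (is every path you hold for 192.36.148.0/24 originated by AS 29216, or are some still carrying the old AS 8674?) is easy to automate. The following Python is an added example and not part of the announcement or of any router vendor's tooling: it parses lines in the shape of a router's "show ip bgp" path output, takes the last element of each AS path as the origin (handling an AS_SET in last position as a set of candidate origins), and classifies each path as ok, stale-origin (8674 still present) or unexpected-origin. The next hops and AS paths in SAMPLE are constructed for the example; only the prefix and the two AS numbers come from the announcement.

```python
import re
from collections import namedtuple

PREFIX = "192.36.148.0/24"
EXPECTED_ORIGIN = 29216   # origin AS stated in the announcement
OLD_ORIGIN = 8674         # origin AS used before October 2003, per the announcement

# Constructed sample in the shape of 'show ip bgp <prefix>' path lines
# (prefix, next hop, AS path, origin code). Next hops and paths are made up.
SAMPLE = """\
192.36.148.0/24  10.0.0.1  3356 1299 29216 i
192.36.148.0/24  10.0.0.2  6939 2603 29216 i
192.36.148.0/24  10.0.0.3  7018 8674 i
192.36.148.0/24  10.0.0.4  174 1299 {29216,8674} i
192.36.148.0/24  10.0.0.5  3257 1299 29216 ?
192.36.148.0/24  10.0.0.6  1239 65000 i
"""

Route = namedtuple("Route", "prefix next_hop as_path origins")


def parse_path(tokens):
    """AS path tokens -> list of ints (AS_SEQUENCE) and frozensets (AS_SET),
    plus the set of ASes that could be the origin (the last path element)."""
    path = []
    for tok in tokens:
        if tok.startswith("{"):
            path.append(frozenset(int(a) for a in re.findall(r"\d+", tok)))
        else:
            path.append(int(tok))
    if not path:
        return path, frozenset()
    last = path[-1]
    origins = last if isinstance(last, frozenset) else frozenset([last])
    return path, origins


def parse_line(line):
    """One path line -> Route, or None for blank/short lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    prefix, next_hop, tokens = parts[0], parts[1], parts[2:]
    if tokens and tokens[-1] in ("i", "e", "?"):
        tokens = tokens[:-1]          # drop the ORIGIN attribute code
    path, origins = parse_path(tokens)
    return Route(prefix, next_hop, path, origins)


def classify(route):
    if route.origins == {EXPECTED_ORIGIN}:
        return "ok"
    if OLD_ORIGIN in route.origins:
        return "stale-origin"         # still carrying the pre-2003 origin AS
    return "unexpected-origin"        # neither AS: worth a closer look


def audit(text, prefix=PREFIX):
    """Map each next hop announcing the prefix to its classification."""
    result = {}
    for line in text.splitlines():
        route = parse_line(line)
        if route and route.prefix == prefix:
            result[route.next_hop] = classify(route)
    return result


if __name__ == "__main__":
    for next_hop, verdict in audit(SAMPLE).items():
        print(f"{next_hop:<10} {verdict}")
```

A path that ends in an AS_SET containing 8674 is reported as stale even when 29216 is also in the set, since an aggregate that still mentions the old AS is exactly the kind of "dark corner" the announcement is trying to find.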