Most infrastructure for it is already in the kernel. I actually tried it; it works mostly OK. It's called Linux Containers:
http://lxc.sf.net/
Can I suggest OpenVZ or Linux-VServer? If you do want to separate them for maintainability. Not if it's overkill of course (like DNS and DHCP can run fine on the same machine).
Also, the real reason is that VServer or OpenVZ doesn't use any extra resources or require the right hardware like Xen, KVM, etc. It's just a container, like FreeBSD jails or Solaris containers.
Of course, it's always the same OS.
At least he got one thing right. He didn't know what to do and asked someone (or actually lots of someones: Slashdot).
We use Debian with Linux-VServer, but it's basically the same kind of thing. For a few years now they have been moving this as general infrastructure into the Linux kernel (because OpenVZ and Linux-VServer are still 'third-party kernel patches'). I hope they'll get it done soon.
VMs are not a security feature. More code means more bugs, which increases the chance of more security problems.
Even worse, statistically speaking the chance of failure will increase the longer things go without a failure.
Everything will fail eventually. If something hasn't failed yet, the chance that it will happen 'soon' increases.
Duplicity does encryption/librsync. Duplicati for Windows. Very similar (but not compatible!)
Having datacenters relatively close means less latency. Why else do you think CDNs exist? Yes, Manhattan is actually a good example. Lots of companies which handle bids for shares in companies actually place their servers near the NYSE, etc.
That was along the lines of what I wanted to mention. I don't understand why people think the world should end if a calendar ends. I mean, no one expects the world to end at the end of the month, just because the month ends. If I understood correctly, the Maya thought a new cycle would start. As in: history repeating itself in some form.
We use a scoring system; we have a number of checks on the systems which only mailservers should be talking to, like:
:-)
- is the SMTP client adhering to the standard: using an EHLO/HELO, and is the hostname used with the HELO a FQDN?
- is the IP address on a number of DNSBLs?
- is the IP address sending a lot of messages in a _very_ short time?
- does the FQDN match the reverse DNS hostname of the IP address?
- does the IP address have a dynamic-looking reverse DNS hostname, like 123.123.123.123.dyn.dsl.provider?
If the score is too high, throw it at greylisting; if everything seems mostly OK, let it try to deliver a message.
Have a look at: Postfix, postfwd and postscreen.
We don't use postscreen yet, but we will add it later. Postscreen also checks what spamd from OpenBSD has been able to do for years: is the SMTP client waiting for replies from the SMTP server? And similar checks. If not, it's probably a spammer just trying to stream all the SMTP commands as fast as possible.
I think that's enough to get started.
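The scoring scheme described in the comments above, written out as an added example. This is not postfwd's or postscreen's own code and not the commenter's configuration: the point weights, the greylist threshold, the rate limit, the "dynamic-looking rDNS" heuristic and the three sample connections are all assumptions constructed for the example (documentation addresses from TEST-NET ranges). DNSBL lookups and rate counting are assumed to have been done beforehand and are passed in as plain numbers so the block runs offline.

```python
"""Greylist-or-accept scoring for inbound SMTP clients, modelled on the
checks listed above. All weights, the threshold and the sample
connections are assumptions made for this example, not postfwd settings."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed weights and threshold; tune these against your own traffic.
W_NO_HELO = 3          # client never sent EHLO/HELO
W_HELO_NOT_FQDN = 2    # HELO argument is not a fully qualified domain name
W_PER_DNSBL = 2        # per DNS blocklist that lists the client IP
W_RATE = 2             # too many messages from this IP in a short window
W_NO_RDNS = 1          # IP has no PTR record at all
W_RDNS_MISMATCH = 1    # HELO name differs from the reverse DNS name
W_DYNAMIC_RDNS = 2     # reverse name looks like a dynamic/consumer address
W_TALKED_EARLY = 4     # commands sent before the 220 banner (postscreen-style test)
GREYLIST_THRESHOLD = 4 # at or above this, send the client to greylisting
RATE_LIMIT = 50        # messages per window that count as "a lot"

# A hostname is an FQDN here if it is dotted labels ending in an alphabetic TLD.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
# Assumed keyword list for consumer/dynamic pools seen in reverse names.
DYNAMIC_WORDS_RE = re.compile(
    r"(?:^|[.-])(?:dyn|dynamic|dhcp|dsl|pool|ppp|cable)(?:[.-]|$)", re.I)


@dataclass
class Connection:
    ip: str
    helo: Optional[str]         # None if the client never sent EHLO/HELO
    rdns: Optional[str]         # PTR name for ip, None if there is none
    dnsbl_hits: int             # how many DNSBLs list ip (lookups done elsewhere)
    msgs_in_window: int         # messages from ip in the current rate window
    talked_before_banner: bool  # client pipelined commands before reading the greeting


def looks_dynamic(ip: str, rdns: str) -> bool:
    """Heuristic: a dyn/dsl/pool-style keyword in the name, or all four
    octets of the IP embedded in it (e.g. 123.123.123.123.dyn.dsl.provider)."""
    if DYNAMIC_WORDS_RE.search(rdns):
        return True
    tokens = re.split(r"[.-]", rdns.lower())
    return all(octet in tokens for octet in ip.split("."))


def score(conn: Connection) -> Tuple[int, List[str]]:
    """Add up the points for every failed check and say which ones fired."""
    points, reasons = 0, []

    def hit(weight: int, why: str) -> None:
        nonlocal points
        points += weight
        reasons.append(why)

    if conn.helo is None:
        hit(W_NO_HELO, "no EHLO/HELO")
    elif not FQDN_RE.match(conn.helo):
        hit(W_HELO_NOT_FQDN, "HELO %r is not a FQDN" % conn.helo)
    if conn.dnsbl_hits:
        hit(W_PER_DNSBL * conn.dnsbl_hits, "listed on %d DNSBL(s)" % conn.dnsbl_hits)
    if conn.msgs_in_window > RATE_LIMIT:
        hit(W_RATE, "%d messages in rate window" % conn.msgs_in_window)
    if conn.rdns is None:
        hit(W_NO_RDNS, "no reverse DNS")
    else:
        if conn.helo is not None and conn.helo.lower() != conn.rdns.lower():
            hit(W_RDNS_MISMATCH, "HELO does not match reverse DNS")
        if looks_dynamic(conn.ip, conn.rdns):
            hit(W_DYNAMIC_RDNS, "dynamic-looking reverse DNS")
    if conn.talked_before_banner:
        hit(W_TALKED_EARLY, "sent commands before the server greeting")
    return points, reasons


def decide(conn: Connection) -> Tuple[str, int, List[str]]:
    """Too high a score goes to greylisting; otherwise let it try to deliver."""
    points, reasons = score(conn)
    action = "greylist" if points >= GREYLIST_THRESHOLD else "accept"
    return action, points, reasons


# Constructed sample connections (TEST-NET addresses, made up for the example).
GOOD = Connection("198.51.100.10", "mail.example.net", "mail.example.net", 0, 3, False)
MISMATCH = Connection("198.51.100.11", "mail.example.org", "host.example.com", 0, 5, False)
BOT = Connection("203.0.113.77", "localhost",
                 "203-0-113-77.dyn.dsl.provider.example", 2, 150, True)

if __name__ == "__main__":
    for c in (GOOD, MISMATCH, BOT):
        action, points, reasons = decide(c)
        print("%-15s %-8s score=%2d  %s" % (c.ip, action, points, "; ".join(reasons)))
```

A single failed check (the HELO/rDNS mismatch) stays below the threshold and is accepted, because legitimate mailers get that one wrong all the time; the bot trips nearly every check at once and is sent to greylisting. Real deployments do the DNSBL and PTR lookups in the policy daemon and keep the rate counters in shared state; only the decision logic is shown here.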
The spammers were the first to adopt DKIM/SPF and put in DNS some of the IP addresses of the botnet.
You have to remember it's not a fix. It's a workaround; it just disables part of the protocol.
There are also new packages for Apache2 for Debian for some other parts that needed to be disabled/changed, but it too is just a workaround.
There isn't yet a real fix, because it's a problem with the protocol itself.
Only if the update software was disabled. A browser that doesn't need updates is obviously the most secure.
You obviously don't work for an ISP. We have to drop SMTP connections on everything which looks too much like a bot, just because of the large number of connections that we get, so we're able to handle the legit connections, and because scanning all the content would just be too much to handle.
You would be amazed at the volumes of e-mail ISPs get. More than 98% of it is crap you don't want to receive.
I thought SSH was created to add more safety. ;-)
I think IE also uses the zlib library for gzip and deflate decompression. There was a bug report for zlib on Unix-like systems and shortly after an IE update with a similar-sounding description. I have some doubts they follow other vendors' security updates that closely, so most likely they use the same library.
Not only that, but so much more is possible these days with a browser that supports proper standards.
Flash became popular with the web development community when you had to do a lot of web programming to get things done and the performance wasn't optimised for those kinds of things.
But that is ages (in internet time) ago.
Supposedly netbooks with an ARM chip are called Smartbooks. ;-)
Try this article and other posts on the same blog:
http://www.renesys.com/blog/2005/12/peering_the_fundamental_archit.shtml
This hasn't happened with HE just yet. But it might, yes.
Also, I don't think Google would do transit for anyone; it's not in their interest (normally).
Actually no, it was because HE's Leber mentioned on NANOG the following:
“we stop short of baking cakes” to encourage peering. That got the ball rolling.
Maybe that's why there is now a Debian/kFreeBSD. So upgrades are easier.
The problem with this is, certificates expire.