Released products are targeted to all LSB-compliant systems.
Doesn't that mean a lot of different distributions? Or is the development focus really aimed at various components in the kernel and on the outside that can be "dropped in" onto most distributions (e.g. the LSB-compliant ones)? I'm sure the target customer, being one who is swayed by the RH popularity, wasn't capable of just dropping in the individual components onto a RH (despite the "ease" of RPM) box, hence a whole distribution is needed. While as a geek, a whole distribition isn't of interest to be, I can certainly see how it gives PHBs that warm and cuddly feeling.
Maybe you can clarify. I've read LSB and it certainly comes across to me as vague in this area, and I've heard conflicting interpretations that say yes and say no. Does LSB require the multiple runlevel separated directories of symlinks pointing to the init.d directory? As a security-conscious sysadmin, I do not want packages to touch my system initialization whatsoever (and some have). So I moved things around (and eliminated the symlinks altogether). The old directories are still there as a sort of "honeypot" but changes to them have no effect. Of course, for more security, I'm moving to doing more of the installs from source instead of packages.
BTW, it is chapter 13, in section VII (LSB's weird two parallel section numbering scheme that isn't really hierarchical is certainly confusing), that by itself makes me want to avoid LSB. Why can't they accept other packaging systems? Why do they have to mandate the bloated and goofy one?
Why does that need JSP or EJB? What are these things doing in such a simple server that something else can't do? And why not just run the web server in a jail, virtual machine, vserver, or whatever?
At least with port 25 blocked, there won't be as many open mail relays for spammers to use. Not that any slashdotters would do such a thing, but there are lots of people who do stuff like try to run Exchange Server at home. And you know how trustable that is.
And when will these ISPs start blocking 6bone because of all the trading that's starting to go on there (as well as other less "official" IPv6 nets)? When will RIAA and MPAA discover the real deep dark underground of the Internet?
It's not port numbers, it's protocol numbers. TCP is protocol number 6. UDP is protocol number 17. ESP is protocol number 50. AH is protocol 51. While visiting the RFCs for ESP and AH take note of the domain of the 2nd author of both.
When will they learn that if someone is linking to their site, they can determine that through the HTTP Referer header and stick in some logic to do some of their own redirection or change the dynamic content. They can surely make the link as ineffective as if the original page had made an error in the link and put in the wrong domain. Or are corporate suits just too dumb to realize they can control something like their own web site?
It's not so much that their survey's are flawed, but the fact that THEY are flawed. Since they run user tracking web bugs, they are among a few places that get blocked by a variety of mechanisms. While trying to read the article I found I had blocked them in several places, including DNS. I can't say what the real statistics are, but I know they sure can't, either.
Since they use web bugs in 1x1 pixel images to do user tracking, I've blocked their web site and domains. They also make some of those bugs self-reload every few minutes using a combination of animation and cache control to prevent the image from being cached, causing the reload to go back to the web site again. So I blocked them and so never get their ads, and they never get my info, including what browser and platform I use. I wonder how many other people block them? They do this via the domain hitbox.com.
websidestory.com and statmarket.com are basing their statistics on their web tracking technology through the use of advertising. The problem is, they use web bugs (see here, here, and here) to accomplish this. Windows users typically do not take actions to inhibit these web bugs, but Linux, BSD, and even many other Unix users do. There's software out there to help, too. Those who do block these web bugs, or all the hitbox.com sites, as I do, won't ever be counted.
Statistics based on web bugs should never be counted to determine platform penetration. Instead, actual HTML loads from a wide variety of real sites should be used, and the distribution variations show, too. I'm sure Slashdot gets more Linux and BSD just because of what it is.
Find out what other sites that/.ers visit, then get platform stats from those sites, and only for their main page HTML hits (not for images or ads or anything else). Then check the variation of that.
I had to go remove them from 6 different blocks in my network to just to view the linked page.
Have you ever tried to run more than a handful of LARTS through a web form? It's a nightmare. I have 1200 pieces of Broadwing.net spam that I need to LART tonight. I don't know how I'd LART all of them via a web form.
Your case was not the kind of thing I am targeting. Clearly you need a batch method. But that doesn't mean there shouldn't also be a web form that makes it easy for those with 1 or 2. Surely you didn't mean to exclude web forms just because you'd find them troublesome. Let there be both.
Patterns aren't something that the average Joe would pick up on anyhow. Few people noticed that recently more and more spam uses a spoofed From: in the form of BSUser@yourowndomain.tld. If they do want to look for patterns, they could easily view thousands of spam reports in news.admin.net-abuse.sightings. Numerous people post their spam to it.
I don't expect the average Joe to worry about patterns. Let him post the spam as he gets it and the software behind the scenes then looks for patterns in multiple postings and determines when there's a lot of the same spam, and how to recognize it.
Many DNS blacklist authors do just this. MAPS is a good example. You have the DUL which lists dial-up IPs only. The RSS which lists known && abused open relays. The RBL contains ISPs that are known to harbor spammers or at least be neutral to their abuse and ignore abuse complaints. The RBL+ is a combination of those 3. All 4 of those are their own zones.
MAPS is part of the problem. These different zone you describe are still abused. They also list whole ISPs that happen to host web sites that spammers happen to be promoting. And this is a dangerous thing to be doing because it is possible for someone to do spamming that appears to be promoting some site when their intention is to cause it harm through blacklisting. I do not want to be a part of that kind of activity. While I am certainly opposed to web sites that provide spamming software, I won't even go so far as to ban those because I don't want to set the precendent of banning on the basis of content. It's not the content of spam that's the problem, it's the volume.
And then there's the issue that MAPS is commercialized and totally uninterested in providing services to the little guy. I know because I wrote to them 3 times, twice right before they cut off at the end of July 2001, and once after, and got absolutely zero response. They aren't interested. They have been assimilated by the dollar signs.
SPEWS lists/24's from which spam originates. Occasionally they'll even list a whole provider that harbors spammers or spamware sites, repeated lies to people that mail abuse@, or are known to bit bucket abuse complaints.
And this is also part of the problem, and is why I stopped using SPEWS, in addition to the fact that no feedback mechanisms even exist. If you are looking for a way to get more people on board stopping spammers, SPEWS is NOT it.
Show me a DNS blacklist that has a zone to block ONLY the actual spam sources, and which will NEVER block anything else except in an attempt to actually block a spam source. Blocking a whole ISP is justified for this zone ONLY when they are trying to help a spam source move around to evade blocking. It should NOT have collateral damage unless there is no way to otherwise distinguish between spam being sent and other mail. It should NEVER attempt to block mail from some source that isn't spamming just because the operators of the blacklist are pissed off at the source for some reason, including things like hosting spamware web sites. Things like spamware websites should be in their own zone. That way those who do agree and want to block them can, and those who don't won't have to give up on DNS blacklisting to keep from causing collateral damage.
In a small way I agree. I used to feel like you do now. I was very leary about blocking an entire ISP just because of the possibility of lossing legit mail. I quickly came to realize that blocking just a small piece of that ISP that's know to spam wasn't solving the problem. They'd just move elsewhere within that ISP.
When it is clear that the ISP is helping them do that, then it is OK to block the entire network the ISP is using, and if the ISP has moved the spammers over to another network, block that. In such a case, it is the ISP that has become the bad buy by helping spammers. However, if the ISP puts a spammer on a dedicated circuit with a dedicated subnet address space that does not change, then the ISP should absolutely NOT be included in the blacklist zone; only that assigned dedicated network should be. Let the ISP actually act to move the spammer before expanding the target.
This doesn't accomplish anything in the long term and little in the short term. Sure you block some spam from a spammer for a couple of weeks but they'll quickly figure that out and move to another block. If the ISP facilitates their move then they are supporting spammers. It's an all or nothing deal. You can't have your cake and eat it too.
Sure it does. It presents the idea that anti-spammers are well focused on what they are doing and avoids devaluing the blacklisting zone the addresses are in. Of course I know spammers do move on. And if they move on to new address space at the same ISP, then (and NOT before) we have cause against that ISP. I do not want to use a blacklisting zone that includes the ISP before the ISP acts to help spammers.
Personally I block entire ISPs myself, in my personal access lists that are independant of group maintainted DNS blacklists, that are known to harbor spammers and ignore complaints. A perfect example of this is Broadwing.net. I have blacklisted every IP they have registered to them. That includes 3/14's, a/24, and a/28. That's a lot of IPs. I have never seen anything but spam come directly from them. They harbor Alan Ralsky and many other well known spammers. They ignore spam complaints. They simply don't care. Whenever I LART their spam, I also LART their upstreams because I believe someone there will eventually notice. I know that no one at Broadwing will.
Why LART the upstream? Let's assume for a moment that Broadwing is a co-spammer ISP. That justifies them to be blocked. But if you get the upstream to kick them off, now you'll find them pop up again somewhere else. Sure, let the upstream know what's going on. Let them know you blacklisted the address space, since if Broadwing does leave, the address space might be used by someone else, next, and the upstream could (as if they would) let you know about it. Still, the official formality of it is the thing to do.
But don't encourage an ISP to cut off a content spammer that you have successfully blocked. That goes for upstreams of ISPs that are aiding spammers and have to be included. If you've got the spammer cut off for now, don't try to get them to move on any sooner. The sooner they move on, the sooner you get spam from them again and have to send more LARTs and block more addresses. Sure, they won't stay there forever, but let them stay there as long as they will if you have "there" cut off.
"Some of the anti-spammers are on the wrong crusade and not very many people will follow them."
This I have to strongly disagree with.
I happen to think you'll get more people on board, people like me, if the crusade gets better focused, and isn't about trying to stop mail from ISPs that host web sites that are supported by spam, or at least distinguishes zones that let people have a choice. If you want to choose to block more sites than I would block, that's fine. That's your choice and I support your right to do it. What I am trying to encourage is for there to be blacklist zones that a focused on a surgical strike against exactly spam sources and limit collateral damage to whatever cannot be distinguished from the spam. Focus on the volume abuse of the spam, not the message or content in the spam.
One of the reasons I don't want to support anything but blocking the volume spam is because I want to leave the notion of anonymous email open on the internet. If we stoop to blocking anything based on the content, we risk opening up blocking anything else based on content, and de-facto censorship could follow. You can do that if you want, but I don't want to be a part of it and that's because that's what I want. If there are blacklist zones available to block exactly that and no more, I'll use them. If there aren't, I'll have to work out what I can do to block spam without the risks I fear. And I believe there are a lot of people who believe as I do, who hate spam as much as anyone, but aren't going to let that hatred drive them to ruining the internet. You can get them on board if you realize that not everyone agrees with you about everything.
What if every time you get spam from some source, especially a direct delivery from a dialup, DSL, or cable luser, you launch a background process like:
ping -c 86400 ${spammeraddress} &
Of course you're only trying to see when the spammer goes away, right? But if everyone does this... just for 24 hours after receipt of spam, what do you think will happen?
People won't use it. As you say, it is complicated, and a lot of hassle to use. Any anti-spam methods must be simple and easy to use, otherwise the "d" key becomes the attractive alternative. And we already know that's not good enough.
If the operators of the DNS blacklists would operate them properly, maybe more people would use them, and submit spam reports to them. These things include:
Have a place to submit spam incidents, such as a web form. Then process them to look for patterns.
Provide separate zones for blocking sources of spam, and blocking web sites and ISPs where spammers might be hosting a web page. Not everyone wants to block the latter; I only want to block the source of spam.
Some anti-spammers are on a crusade to maximize collateral damage. I am not. I won't block a whole ISP because of a spammer unless that ISP is making it difficult to isolate and focus on the spammer. If they corner the spammer operation to a specific static subnet, I'll gladly block that, and I'd want to use a DNS blacklist that is equally focused. Likewise, if they set up reverse DNS to identify their dynamic customer pool addresses in its own zone, I can block that to prevent the direct spam and some of the home open relays.
Most people hate spam and don't want it coming in. But not everyone is wanting to come out swinging at everything in sight as a result of that. Some of the anti-spammers are on the wrong crusade and not very many people will follow them.
After visiting that same site myself, I decided not to use PayPal any longer. I had never lost any money through PayPal, though I've used it only a few times to buy stuff on Ebay. I went to cancel my PayPal account to simply be sure nothing would happen (it had zero, but it could have potentially be used). However, I could not log in on the site, and got an error message saying I did not have cookies enabled, even though I did (and confirmed it by logging in to here and a couple other places that use session tracking with cookies). I sent email to their various support addresses the web site indicated. The reply on those said I needed to submit the request on the website. But I needed to login to do that, which I could not. I called them on the phone but got stuck in menu hell and voice mail hell. No one ever returned my calls.
A few months later I got email from PayPal. It was promotional. Technically it was not spam, since my account was still active, but now I really wanted it canceled. I tried the web site again, and it had not yet been fixed. I tried mail again and got the same stupidity. I tried calling a few phone numbers. I actually got someone on the phone, but it sounded like the phone system redirected incorrectly as they were not expecting an inbound call. As soon as I explained what I wanted, they said I needed customer support, and forwarded me to menu hell. After spending at least $5 for long distance calls I gave up calling.
I then proceeded to "get attention". Since the email was on an automatic bounce, I set up an automatic system to send them email. It was adjusted to send every 2 minutes so as not to cause damage, but perhaps get attention. After a couple hours of this, it did indeed get attention. I got email back from someone with a direct phone number. I cut off the process and called them. Although this person was in the technical area, he did promise to get my account closed out. He was unaware of the technical problems, and I tried to convince him he needed to get them fixed, although I didn't know what the cause was. We tried a few things, but it didn't fix it.
It's a shame that the only way to communicate with a company is by tactics like this, but this is not the first place this kind of thing has had to be done.
I have since found the problem and I know what fix is needed on their server(s) to correct it, although obviously that's not my job to do, so I won't.
My whole point is, this is a company that does not give a damn about customers, only about money. If they cared about customers, they would have much better customer support. If they had better customer support, they might be able to deal with some of the fraud problems people have a little better. Instead, they seem to be trying to cut back on staffing costs by cutting out customer support and trying to discourage customers from calling them. I even read in one of the various news articles that were linked from here that the president of the company had actually said they don't want to deal with people calling in to complain. To me that means they don't want their service to get better.
This is definitely a company that needs to go into bankruptcy. Just be sure your money is out before that happens. And if you have any reason to send me money for anything, please read my/. signature first.
Have you actually read through some of those documents? Sure, they are mostly stuffy and full of starch. But there's some scary stuff, when you consider who they are really targeting it to. Let me quote from one of them:
...harder to collect customer data, due to lack of control over users.
Some sites are so vast, that spidering them is a technical problem. I once was diagnosing a problem for someone to determine why their site wasn't getting a listing in google. So I spidered their site myself. The next morning when I got up, I found that the spider was still running and had downloaded over 1.6 gigabytes. Well, now I know why they didn't get listed. Some of the pages were so totally dynamic that they were effectively infinite. There were lots of redundancies in the pages that site generated, but they were all uniquely different, too.
I once made a spider trap by having a bunch of pages where an added path component was a 128 bit random number converted to hexadecimal. It was really a CGI script that ignored the number which came in on PATH_INFO. It then generated 20 new 128-bit random numbers and produced some HTML with links to them. Any stupid robot would just keep following until the galaxy was sucked into a black hole.
Still, not wanting to be spidered, and not wanting even your home page to be linked to are two different things. You can't very easily control having your site spidered, so the robots.txt thing was invented to let you have some control. But for blocking links, that's easy. The HTTP request comes in with an extra line called "Referer:" (yes, it's misspelled in the standard, so we're stuck with it that way). All KPMG needs to do is to just test for "Referer:" by whatever programming mechanisms they use (their web server is IIS/4.0 for anyone who didn't notice). And they already do have something programmed in to check what browser you are using and redirect to their browser whining page. And they even have a robots.txt file, so it's not like they are totally clueless, as it might otherwise seem.
"Yes folks, we have a deep understanding of Web technologies. BTW, you can't link to us without a prior agreement..."
...or even view their site in some browsers. Of course that's probably another one of their policies: you must use a "KPMG approved" browser to view their site.
If KPMG can enforce their policy easily enough by simply not delivering content when the HTTP request comes in asking for their site. They say they are "e-business savvy", so they should have no trouble setting this up in just a few minutes.
The web is about linking. That's why they call it "The Web". If KPMG doesn't want to join in, then they should just stay out. And there are many ways to do that, including still having a site served by HTTP to send content to whoever types their name in manually, or links from sites theyapprove of. They should just do it and prove their competence in running their sitetheir way.
But why the hell would I want to link to their site anyway. It sucks! The whole damn thing is a morass of lame Javascript. They can't even put plain HTML in and have to have Javascript generate it. It's clear to me that they don't know how to do things on the server side.
Not everyone does this. Some companies do, and some companies don't You can get better support with your hard when your run FreeBSD on it from places like penguincomputing.com than you can from places like dell.com.
When one of these big corporations offers specific Linux distributions, they generally deny support... even support for the hardware itself... unless you run not just that distribution (or one of, if more than one offered), but also run only the copy they provide to you. When it is the case that the choices they make are not all that diverse (well, Debian is a bit different than Redhat or SuSE, but not in everything), then the customers are basically limited.
The best hardware vendor will be one that offers OS support for whatever OS they want to offer support for, but also offers _hardware_ support for plain hardware. And they also make sure that hardware is sufficiently standardized enough to work not only virtually every Linux distribution that uses a stock kernel, but also with the big three open source BSDs as well.
Ultimately, I don't want their distribution anyway. I can put my own on there. But I do know that when the vendors are offering an OS like this, they are declining support for the hardware when alternatives are used. That is the problem.
Doesn't that mean a lot of different distributions? Or is the development focus really aimed at various components in the kernel and on the outside that can be "dropped in" onto most distributions (e.g. the LSB-compliant ones)? I'm sure the target customer, being one who is swayed by the RH popularity, wasn't capable of just dropping in the individual components onto a RH (despite the "ease" of RPM) box, hence a whole distribution is needed. While as a geek, a whole distribition isn't of interest to be, I can certainly see how it gives PHBs that warm and cuddly feeling.
Maybe you can clarify. I've read LSB and it certainly comes across to me as vague in this area, and I've heard conflicting interpretations that say yes and say no. Does LSB require the multiple runlevel separated directories of symlinks pointing to the init.d directory? As a security-conscious sysadmin, I do not want packages to touch my system initialization whatsoever (and some have). So I moved things around (and eliminated the symlinks altogether). The old directories are still there as a sort of "honeypot" but changes to them have no effect. Of course, for more security, I'm moving to doing more of the installs from source instead of packages.
BTW, it is chapter 13, in section VII (LSB's weird two parallel section numbering scheme that isn't really hierarchical is certainly confusing), that by itself makes me want to avoid LSB. Why can't they accept other packaging systems? Why do they have to mandate the bloated and goofy one?
Why does that need JSP or EJB? What are these things doing in such a simple server that something else can't do? And why not just run the web server in a jail, virtual machine, vserver, or whatever?
And it takes less for them to have some lawyer file the paperwork for a lawsuit? Oh wait, lawyers don't have anything better to do. N/M.
At least with port 25 blocked, there won't be as many open mail relays for spammers to use. Not that any slashdotters would do such a thing, but there are lots of people who do stuff like try to run Exchange Server at home. And you know how trustable that is.
And when will these ISPs start blocking 6bone because of all the trading that's starting to go on there (as well as other less "official" IPv6 nets)? When will RIAA and MPAA discover the real deep dark underground of the Internet?
It's not port numbers, it's protocol numbers. TCP is protocol number 6. UDP is protocol number 17. ESP is protocol number 50. AH is protocol 51. While visiting the RFCs for ESP and AH take note of the domain of the 2nd author of both.
Go ahead. I dare you. I've always wanted to know where Anonymous Coward lives. :)
When will they learn that if someone is linking to their site, they can determine that through the HTTP Referer header and stick in some logic to do some of their own redirection or change the dynamic content. They can surely make the link as ineffective as if the original page had made an error in the link and put in the wrong domain. Or are corporate suits just too dumb to realize they can control something like their own web site?
It's not so much that their survey's are flawed, but the fact that THEY are flawed. Since they run user tracking web bugs, they are among a few places that get blocked by a variety of mechanisms. While trying to read the article I found I had blocked them in several places, including DNS. I can't say what the real statistics are, but I know they sure can't, either.
Since they use web bugs in 1x1 pixel images to do user tracking, I've blocked their web site and domains. They also make some of those bugs self-reload every few minutes using a combination of animation and cache control to prevent the image from being cached, causing the reload to go back to the web site again. So I blocked them and so never get their ads, and they never get my info, including what browser and platform I use. I wonder how many other people block them? They do this via the domain hitbox.com.
websidestory.com and statmarket.com are basing their statistics on their web tracking technology through the use of advertising. The problem is, they use web bugs (see here, here, and here) to accomplish this. Windows users typically do not take actions to inhibit these web bugs, but Linux, BSD, and even many other Unix users do. There's software out there to help, too. Those who do block these web bugs, or all the hitbox.com sites, as I do, won't ever be counted.
Statistics based on web bugs should never be counted to determine platform penetration. Instead, actual HTML loads from a wide variety of real sites should be used, and the distribution variations show, too. I'm sure Slashdot gets more Linux and BSD just because of what it is.
Find out what other sites that /.ers visit, then get platform stats from those sites, and only for their main page HTML hits (not for images or ads or anything else). Then check the variation of that.
I had to go remove them from 6 different blocks in my network to just to view the linked page.
Both capitalism and communism expoit the worker. The difference is in what you get from the stock options.
Only the smallest ISP would ever notice. And the ISP at the target would have thousands of those to deal with if it got their attention.
Your case was not the kind of thing I am targeting. Clearly you need a batch method. But that doesn't mean there shouldn't also be a web form that makes it easy for those with 1 or 2. Surely you didn't mean to exclude web forms just because you'd find them troublesome. Let there be both.
I don't expect the average Joe to worry about patterns. Let him post the spam as he gets it and the software behind the scenes then looks for patterns in multiple postings and determines when there's a lot of the same spam, and how to recognize it.
MAPS is part of the problem. These different zone you describe are still abused. They also list whole ISPs that happen to host web sites that spammers happen to be promoting. And this is a dangerous thing to be doing because it is possible for someone to do spamming that appears to be promoting some site when their intention is to cause it harm through blacklisting. I do not want to be a part of that kind of activity. While I am certainly opposed to web sites that provide spamming software, I won't even go so far as to ban those because I don't want to set the precendent of banning on the basis of content. It's not the content of spam that's the problem, it's the volume.
And then there's the issue that MAPS is commercialized and totally uninterested in providing services to the little guy. I know because I wrote to them 3 times, twice right before they cut off at the end of July 2001, and once after, and got absolutely zero response. They aren't interested. They have been assimilated by the dollar signs.
And this is also part of the problem, and is why I stopped using SPEWS, in addition to the fact that no feedback mechanisms even exist. If you are looking for a way to get more people on board stopping spammers, SPEWS is NOT it.
Show me a DNS blacklist that has a zone to block ONLY the actual spam sources, and which will NEVER block anything else except in an attempt to actually block a spam source. Blocking a whole ISP is justified for this zone ONLY when they are trying to help a spam source move around to evade blocking. It should NOT have collateral damage unless there is no way to otherwise distinguish between spam being sent and other mail. It should NEVER attempt to block mail from some source that isn't spamming just because the operators of the blacklist are pissed off at the source for some reason, including things like hosting spamware web sites. Things like spamware websites should be in their own zone. That way those who do agree and want to block them can, and those who don't won't have to give up on DNS blacklisting to keep from causing collateral damage.
When it is clear that the ISP is helping them do that, then it is OK to block the entire network the ISP is using, and if the ISP has moved the spammers over to another network, block that. In such a case, it is the ISP that has become the bad buy by helping spammers. However, if the ISP puts a spammer on a dedicated circuit with a dedicated subnet address space that does not change, then the ISP should absolutely NOT be included in the blacklist zone; only that assigned dedicated network should be. Let the ISP actually act to move the spammer before expanding the target.
Sure it does. It presents the idea that anti-spammers are well focused on what they are doing and avoids devaluing the blacklisting zone the addresses are in. Of course I know spammers do move on. And if they move on to new address space at the same ISP, then (and NOT before) we have cause against that ISP. I do not want to use a blacklisting zone that includes the ISP before the ISP acts to help spammers.
Why LART the upstream? Let's assume for a moment that Broadwing is a co-spammer ISP. That justifies them to be blocked. But if you get the upstream to kick them off, now you'll find them pop up again somewhere else. Sure, let the upstream know what's going on. Let them know you blacklisted the address space, since if Broadwing does leave, the address space might be used by someone else, next, and the upstream could (as if they would) let you know about it. Still, the official formality of it is the thing to do.
But don't encourage an ISP to cut off a content spammer that you have successfully blocked. That goes for upstreams of ISPs that are aiding spammers and have to be included. If you've got the spammer cut off for now, don't try to get them to move on any sooner. The sooner they move on, the sooner you get spam from them again and have to send more LARTs and block more addresses. Sure, they won't stay there forever, but let them stay there as long as they will if you have "there" cut off.
I happen to think you'll get more people on board, people like me, if the crusade gets better focused, and isn't about trying to stop mail from ISPs that host web sites that are supported by spam, or at least distinguishes zones that let people have a choice. If you want to choose to block more sites than I would block, that's fine. That's your choice and I support your right to do it. What I am trying to encourage is for there to be blacklist zones that a focused on a surgical strike against exactly spam sources and limit collateral damage to whatever cannot be distinguished from the spam. Focus on the volume abuse of the spam, not the message or content in the spam.
One of the reasons I don't want to support anything but blocking the volume spam is because I want to leave the notion of anonymous email open on the internet. If we stoop to blocking anything based on the content, we risk opening up blocking anything else based on content, and de-facto censorship could follow. You can do that if you want, but I don't want to be a part of it and that's because that's what I want. If there are blacklist zones available to block exactly that and no more, I'll use them. If there aren't, I'll have to work out what I can do to block spam without the risks I fear. And I believe there are a lot of people who believe as I do, who hate spam as much as anyone, but aren't going to let that hatred drive them to ruining the internet. You can get them on board if you realize that not everyone agrees with you about everything.
What if every time you get spam from some source, especially a direct delivery from a dialup, DSL, or cable luser, you launch a background process like:
ping -c 86400 ${spammeraddress} &Of course you're only trying to see when the spammer goes away, right? But if everyone does this ... just for 24 hours after receipt of spam, what do you think will happen?
People won't use it. As you say, it is complicated, and a lot of hassle to use. Any anti-spam methods must be simple and easy to use, otherwise the "d" key becomes the attractive alternative. And we already know that's not good enough.
If the operators of the DNS blacklists would operate them properly, maybe more people would use them, and submit spam reports to them. These things include:
Some anti-spammers are on a crusade to maximize collateral damage. I am not. I won't block a whole ISP because of a spammer unless that ISP is making it difficult to isolate and focus on the spammer. If they corner the spammer operation to a specific static subnet, I'll gladly block that, and I'd want to use a DNS blacklist that is equally focused. Likewise, if they set up reverse DNS to identify their dynamic customer pool addresses in its own zone, I can block that to prevent the direct spam and some of the home open relays.
Most people hate spam and don't want it coming in. But not everyone is wanting to come out swinging at everything in sight as a result of that. Some of the anti-spammers are on the wrong crusade and not very many people will follow them.
After visiting that same site myself, I decided not to use PayPal any longer. I had never lost any money through PayPal, though I've used it only a few times to buy stuff on Ebay. I went to cancel my PayPal account to simply be sure nothing would happen (it had zero, but it could have potentially be used). However, I could not log in on the site, and got an error message saying I did not have cookies enabled, even though I did (and confirmed it by logging in to here and a couple other places that use session tracking with cookies). I sent email to their various support addresses the web site indicated. The reply on those said I needed to submit the request on the website. But I needed to login to do that, which I could not. I called them on the phone but got stuck in menu hell and voice mail hell. No one ever returned my calls.
A few months later I got email from PayPal. It was promotional. Technically it was not spam, since my account was still active, but now I really wanted it canceled. I tried the web site again, and it had not yet been fixed. I tried mail again and got the same stupidity. I tried calling a few phone numbers. I actually got someone on the phone, but it sounded like the phone system redirected incorrectly as they were not expecting an inbound call. As soon as I explained what I wanted, they said I needed customer support, and forwarded me to menu hell. After spending at least $5 for long distance calls I gave up calling.
I then proceeded to "get attention". Since the email was on an automatic bounce, I set up an automatic system to send them email. It was adjusted to send every 2 minutes so as not to cause damage, but perhaps get attention. After a couple hours of this, it did indeed get attention. I got email back from someone with a direct phone number. I cut off the process and called them. Although this person was in the technical area, he did promise to get my account closed out. He was unaware of the technical problems, and I tried to convince him he needed to get them fixed, although I didn't know what the cause was. We tried a few things, but it didn't fix it.
It's a shame that the only way to communicate with a company is by tactics like this, but this is not the first place this kind of thing has had to be done.
I have since found the problem and I know what fix is needed on their server(s) to correct it, although obviously that's not my job to do, so I won't.
My whole point is, this is a company that does not give a damn about customers, only about money. If they cared about customers, they would have much better customer support. If they had better customer support, they might be able to deal with some of the fraud problems people have a little better. Instead, they seem to be trying to cut back on staffing costs by cutting out customer support and trying to discourage customers from calling them. I even read in one of the various news articles that were linked from here that the president of the company had actually said they don't want to deal with people calling in to complain. To me that means they don't want their service to get better.
This is definitely a company that needs to go into bankruptcy. Just be sure your money is out before that happens. And if you have any reason to send me money for anything, please read my /. signature first.
Have you actually read through some of those documents? Sure, they are mostly stuffy and full of starch. But there's some scary stuff, when you consider who they are really targeting it to. Let me quote from one of them:
Some sites are so vast, that spidering them is a technical problem. I once was diagnosing a problem for someone to determine why their site wasn't getting a listing in google. So I spidered their site myself. The next morning when I got up, I found that the spider was still running and had downloaded over 1.6 gigabytes. Well, now I know why they didn't get listed. Some of the pages were so totally dynamic that they were effectively infinite. There were lots of redundancies in the pages that site generated, but they were all uniquely different, too.
I once made a spider trap by having a bunch of pages where an added path component was a 128 bit random number converted to hexadecimal. It was really a CGI script that ignored the number which came in on PATH_INFO. It then generated 20 new 128-bit random numbers and produced some HTML with links to them. Any stupid robot would just keep following until the galaxy was sucked into a black hole.
Still, not wanting to be spidered, and not wanting even your home page to be linked to are two different things. You can't very easily control having your site spidered, so the robots.txt thing was invented to let you have some control. But for blocking links, that's easy. The HTTP request comes in with an extra line called "Referer:" (yes, it's misspelled in the standard, so we're stuck with it that way). All KPMG needs to do is to just test for "Referer:" by whatever programming mechanisms they use (their web server is IIS/4.0 for anyone who didn't notice). And they already do have something programmed in to check what browser you are using and redirect to their browser whining page. And they even have a robots.txt file, so it's not like they are totally clueless, as it might otherwise seem.
...or even view their site in some browsers. Of course that's probably another one of their policies: you must use a "KPMG approved" browser to view their site.
They probably don't realize that "e-business" has anything to do with making an accessible web site.
If KPMG can enforce their policy easily enough by simply not delivering content when the HTTP request comes in asking for their site. They say they are "e-business savvy", so they should have no trouble setting this up in just a few minutes.
The web is about linking. That's why they call it "The Web". If KPMG doesn't want to join in, then they should just stay out. And there are many ways to do that, including still having a site served by HTTP to send content to whoever types their name in manually, or links from sites they approve of. They should just do it and prove their competence in running their site their way.
But why the hell would I want to link to their site anyway. It sucks! The whole damn thing is a morass of lame Javascript. They can't even put plain HTML in and have to have Javascript generate it. It's clear to me that they don't know how to do things on the server side.
Not everyone does this. Some companies do, and some companies don't You can get better support with your hard when your run FreeBSD on it from places like penguincomputing.com than you can from places like dell.com.
When one of these big corporations offers specific Linux distributions, they generally deny support ... even support for the hardware itself ... unless you run not just that distribution (or one of, if more than one offered), but also run only the copy they provide to you. When it is the case that the choices they make are not all that diverse (well, Debian is a bit different than Redhat or SuSE, but not in everything), then the customers are basically limited.
The best hardware vendor will be one that offers OS support for whatever OS they want to offer support for, but also offers _hardware_ support for plain hardware. And they also make sure that hardware is sufficiently standardized enough to work not only virtually every Linux distribution that uses a stock kernel, but also with the big three open source BSDs as well.
Ultimately, I don't want their distribution anyway. I can put my own on there. But I do know that when the vendors are offering an OS like this, they are declining support for the hardware when alternatives are used. That is the problem.