What's wrong with offering pipelining to untrusted hosts? It causes the sending dialogue to happen faster which reduces resource requirements.
Viruses and spammers try to dump the message as quickly as possible and move on. Pipelining assists them in that task.
Also, a lot of them pipeline by default...so if it's not advertised, then they're not permitted to do it but since they don't care about the server responses they do it anyway. The result is the mailer drops the connection from violating RFC rules.
The microseconds and few bytes of data transfer you save isn't worth it compared to the resources consumed by validating, checking and filtering the message...but for mass mail digests and such on a local trusted network, it does add up and it does help to let those trusted hosts pipeline.
If enabled, wouldn't the advertisement appear AFTER the check for the misbehavior in question? In other words, if an untrusted host is going to abuse pipelining, it would have started before it was told it was allowed and would already be filtered.
IP ranges on the local network, such as a box sending message digest mass mailings, are trusted hosts. If I'm a backup or a relay for a specific system, those IP ranges are trusted hosts. The point is that we know the IPs to trust already, so we offer them pipelining.
Well his site is dead, mirrordot chokes on frames, and I'm too lazy to google....so I'll risk getting -1 RTFA and post anyway.
This guy's SMTP server:
220 gate.acme.com ESMTP Sendmail; Wed, 8 Jun 2005 11:53:27 -0700 (PDT) EHLO myhostname 250-gate.acme.com Hello [myip], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250- 8BITMIME 250-SIZE 250-ETRN 250-STARTTLS 250-DE LIVERBY 250 HELP
Pipelining is turned on for untrusted hosts. Nice.
Either way, a good portion of the spam hitting my system never even makes it to EHLO/HELO time because if there's any sort of resolution problems with the dns/rdns or if the hostname contains the IP address in it (RFC violation) I delay the connection 20 seonds before the greeting. RFC states clients WILL NOT send data unless asked to do so, except for pipelining which is not advertised for untrusted hosts. When the MTA sees a bunch of incoming crap, it drops the connection because they violated the RFC rules for handshaking (clients MUST wait for the greeting). This does not affect legit MTAs with temporary problems.
I go through a whole bunch of other checks even before DATA time, delaying at each step if there's a problem. 90% of the spam/viruses never even make it to scanning for spam/viruses because they violate something before that and the connection get drops (or they drop it from waiting). Once again, delaying 20 seconds does NOT affect legit MTAs.
Just another embarrassment to Microsoft's security push.
No, this is a classic case of why outsourcing mission critical systems and/or data is wrong. It also goes to show that it's NECESSARY to patch mission critical hardware (hell, even non-mission critical Spider Solitaire machines).
We all have issues with MS, but this time it isn't directly their fault.
how long before such technology becomes intrusive in our lives?
Story time, kids...gather 'round...
While doing an initial consultation on this woman's PC, I found the usual spyware....and then I found a spyware program which logs EVERYTHING. Keyboard strokes, mouse movement, net traffic, windows open, it takes random screen shots, etc. When I told the woman she had this thing on there, she said "I hoped you wouldn't find that." She uses it to track her husband without him knowing.
I wanted to offer this woman a $5,000 anti-EMF solution for her PC (aka wrapping it in tin foil) but I was in a good mood that day.
Last experienced during the nineties, companies are fighting over which program consumers use to view the internet. (Emphasis added)
I "view the internet" using ssh. Sometimes FTP. Maybe SCP. I do like to view the internet using POP3, too.
The more WE, as people in-the-know, screw up the terminology, the more the sheeple will too. How about we give them the impression that the "interweb" has more than just "that dot com thing"? Maybe, just maaaaaaaybe, if they understand that the INTERNET is a bunch of computers connected together that can talk to each other (and say MANY different things) then they'll also better understand security concerns, patching, etc. Isn't security one of the big factors of the "browser war"?
I love this Microsoft-centric way of thinking. With XP, you only have to reboot once every 7 days and reinstall once every 9 months! The sound quality should be CD quality (since that's what they advertise) ALL the time.
Regardless, my point is that it's absolutely obvious of the quality difference when played directly after actual CD quality sound.
Aside from having to strap an antenna on your head to use this (you'll know what I mean if you've ever used any portable satellite radio), the awful and somewhat embarrassing sound quality will be VERY noticeable when it's played right beside actual CD quality audio. It's gotten so bad with both Sirius and XM that normal non-nerds are complaining about it.
Most of the time you ignore it...but going from a track ripped in Apple lossless format to satellite radio will be like jumping back 10 years in technology.
Turn every release into a big beta test. At least they actually called it a beta with the anti-spyware program....and of course that's the one that didn't have many bugs (since someone else programmed it).
Maybe this is why Commerce asked me weird questions when I called for a balance. Usually it's address and SSN....this time she asked who was giving me direct deposits, the amounts, and the last few debit card transactions, places and amounts.
It's a freaking LIBRARY. How about authenticating people using their LIBRARY CARD NUMBER and verifying their ID at the time they sign up? In fact, I hear there's this new technology called a PRINTER...when coupled with a digital camera, you can even print someone's face on their ID card.
I bet that's much cheaper, less confusing and less intrusive than a $40,000+ biometric ID system.
Sure, MoFo can get out patches quicker and take other actions quicker because they don't have to pass through tons of quality control....but the point is that the everyday user doesn't update it.
If Firefox is going to win in the Browser Security Wars, they need to make the "critical update" thingy from the toolbar pop up, raise hell, close the browser, have someone check a disclaimer to skip it, etc. It needs to be ABSOLUTELY clear to the user that ignoring a critical update is a Bad Thing(tm).
They also need to release PATCHES against the official builds, not full installs. Full installs take a while to download and take a while to install. A patch is small, is quickly applied, and the browser just restarts. Leave the full installs for newbies, milestones or for when a patch fails.
Ignoring all complaints about Windows, the root of the problem goes back to having access to the network in the first place. If ISPs would spent a few bucks on implementing passive traffic analyzers to search for the viral/trojan patterns and null route offenders, we'd clean things up pretty quick. Why do we have all these piracy probes going on to sue people and no infected probes going on to cut people's access?
Now, stepping back to the Windows complaints...wouldn't the ISP turning off your access motivate you to get a BASIC education in computing and maintain your PC?
To make an analogy, in most states you need to have your car inspected (and some require emissions inspection, too). PUBLIC roadways means you share it with other people...an unsafe car affects more than just you. When you're connected to the net, your PC affects everyone else. I'm not suggesting the ISPs make an inspection system or a law passes to force ISPs to monitor traffic, but the same logic applies....someone should be doing checkups and flagging the offenders.
Slashdot Mirror
What's wrong with offering pipelining to untrusted hosts? It causes the sending dialogue to happen faster which reduces resource requirements.
Viruses and spammers try to dump the message as quickly as possible and move on. Pipelining assists them in that task.
Also, a lot of them pipeline by default...so if it's not advertised, then they're not permitted to do it but since they don't care about the server responses they do it anyway. The result is the mailer drops the connection from violating RFC rules.
The microseconds and few bytes of data transfer you save isn't worth it compared to the resources consumed by validating, checking and filtering the message...but for mass mail digests and such on a local trusted network, it does add up and it does help to let those trusted hosts pipeline.
Forbidden /index.php on this server.
You don't have permission to access
If enabled, wouldn't the advertisement appear AFTER the check for the misbehavior in question? In other words, if an untrusted host is going to abuse pipelining, it would have started before it was told it was allowed and would already be filtered.
IP ranges on the local network, such as a box sending message digest mass mailings, are trusted hosts. If I'm a backup or a relay for a specific system, those IP ranges are trusted hosts. The point is that we know the IPs to trust already, so we offer them pipelining.
This guy's SMTP server:Pipelining is turned on for untrusted hosts. Nice.
Either way, a good portion of the spam hitting my system never even makes it to EHLO/HELO time because if there's any sort of resolution problems with the dns/rdns or if the hostname contains the IP address in it (RFC violation) I delay the connection 20 seonds before the greeting. RFC states clients WILL NOT send data unless asked to do so, except for pipelining which is not advertised for untrusted hosts. When the MTA sees a bunch of incoming crap, it drops the connection because they violated the RFC rules for handshaking (clients MUST wait for the greeting). This does not affect legit MTAs with temporary problems.
I go through a whole bunch of other checks even before DATA time, delaying at each step if there's a problem. 90% of the spam/viruses never even make it to scanning for spam/viruses because they violate something before that and the connection get drops (or they drop it from waiting). Once again, delaying 20 seconds does NOT affect legit MTAs.
Big writeup on SPAM filtering
My MTA
Just another embarrassment to Microsoft's security push.
No, this is a classic case of why outsourcing mission critical systems and/or data is wrong. It also goes to show that it's NECESSARY to patch mission critical hardware (hell, even non-mission critical Spider Solitaire machines).
We all have issues with MS, but this time it isn't directly their fault.
This just goes to show that no one knows where spam and zombies reside. Everyone's "research" (obviously riddled with bias) says it's some place else.
how long before such technology becomes intrusive in our lives?
Story time, kids...gather 'round...
While doing an initial consultation on this woman's PC, I found the usual spyware....and then I found a spyware program which logs EVERYTHING. Keyboard strokes, mouse movement, net traffic, windows open, it takes random screen shots, etc. When I told the woman she had this thing on there, she said "I hoped you wouldn't find that." She uses it to track her husband without him knowing.
I wanted to offer this woman a $5,000 anti-EMF solution for her PC (aka wrapping it in tin foil) but I was in a good mood that day.
That unique processor ID thing worked out real well, too.
Last experienced during the nineties, companies are fighting over which program consumers use to view the internet. (Emphasis added)
I "view the internet" using ssh. Sometimes FTP. Maybe SCP. I do like to view the internet using POP3, too.
The more WE, as people in-the-know, screw up the terminology, the more the sheeple will too. How about we give them the impression that the "interweb" has more than just "that dot com thing"? Maybe, just maaaaaaaybe, if they understand that the INTERNET is a bunch of computers connected together that can talk to each other (and say MANY different things) then they'll also better understand security concerns, patching, etc. Isn't security one of the big factors of the "browser war"?
Buy something $10 or greater....authorize your MAC and/or receive a login/pass for 3 hours.
Next problem?
or you tuned in at just the wrong time.
I love this Microsoft-centric way of thinking. With XP, you only have to reboot once every 7 days and reinstall once every 9 months! The sound quality should be CD quality (since that's what they advertise) ALL the time.
Regardless, my point is that it's absolutely obvious of the quality difference when played directly after actual CD quality sound.
Aside from having to strap an antenna on your head to use this (you'll know what I mean if you've ever used any portable satellite radio), the awful and somewhat embarrassing sound quality will be VERY noticeable when it's played right beside actual CD quality audio. It's gotten so bad with both Sirius and XM that normal non-nerds are complaining about it.
Most of the time you ignore it...but going from a track ripped in Apple lossless format to satellite radio will be like jumping back 10 years in technology.
Turn every release into a big beta test. At least they actually called it a beta with the anti-spyware program....and of course that's the one that didn't have many bugs (since someone else programmed it).
Maybe this is why Commerce asked me weird questions when I called for a balance. Usually it's address and SSN....this time she asked who was giving me direct deposits, the amounts, and the last few debit card transactions, places and amounts.
It's a freaking LIBRARY. How about authenticating people using their LIBRARY CARD NUMBER and verifying their ID at the time they sign up? In fact, I hear there's this new technology called a PRINTER...when coupled with a digital camera, you can even print someone's face on their ID card.
I bet that's much cheaper, less confusing and less intrusive than a $40,000+ biometric ID system.
We have social security in crisis, the educational system in shambles, we need to move to IPv6 quickly, there's terminal illness rampant....
Instead we're spending time developing something so that the kids can't watch Toy Story because I bought it and used my fingerprint.
This is the stupidest piece of crap yet...frankly, I'm embarrassed for the entire human race over this.
$1000 for a video card when Dell is selling entire desktop systems for $299 now.
From McAfee...
;)
--snip--
WARNING: SRL_Worm_Simulator.msi is infected with the W32/WormSimulator.B@mm virus!
ACTION: Clean/Delete threat.
It looks like you're attempting to run a competitor's program. Stop it, you insensitive clod.
--snip--
That was a weird virus warning I got when I downloaded that
Sure, MoFo can get out patches quicker and take other actions quicker because they don't have to pass through tons of quality control....but the point is that the everyday user doesn't update it.
If Firefox is going to win in the Browser Security Wars, they need to make the "critical update" thingy from the toolbar pop up, raise hell, close the browser, have someone check a disclaimer to skip it, etc. It needs to be ABSOLUTELY clear to the user that ignoring a critical update is a Bad Thing(tm).
They also need to release PATCHES against the official builds, not full installs. Full installs take a while to download and take a while to install. A patch is small, is quickly applied, and the browser just restarts. Leave the full installs for newbies, milestones or for when a patch fails.
Not only do we get MS ads at the top claiming the same stuff as the article...now we get articles promoting it.
If it helps keep slashdot online...fine...but this better be a rare thing.
1) Attempt to gain publicity by pissing everyone off.
2) ???
3) PROFIT!!!111ONEONE11
Looks exactly like XP using an OS X theme...but remember kids, It Just Works!(tm)
Although I'm glad they've decided to use technology created in the late 60s (which SCO owns and Al Gore invented) as well as a lovely new password scheme guaranteed to create jobs in the IT support workforce from all the clueless office lemmings. Not to mention how IE7 won't be exclusive to Longhorn nor will WinFS be included.
So like I said...we're paying $299 for XP with an OS X theme.
Clippy to the rescue (not work safe)
Ignoring all complaints about Windows, the root of the problem goes back to having access to the network in the first place. If ISPs would spent a few bucks on implementing passive traffic analyzers to search for the viral/trojan patterns and null route offenders, we'd clean things up pretty quick. Why do we have all these piracy probes going on to sue people and no infected probes going on to cut people's access?
Now, stepping back to the Windows complaints...wouldn't the ISP turning off your access motivate you to get a BASIC education in computing and maintain your PC?
To make an analogy, in most states you need to have your car inspected (and some require emissions inspection, too). PUBLIC roadways means you share it with other people...an unsafe car affects more than just you. When you're connected to the net, your PC affects everyone else. I'm not suggesting the ISPs make an inspection system or a law passes to force ISPs to monitor traffic, but the same logic applies....someone should be doing checkups and flagging the offenders.