Slashdot Mirror


User: congiman

congiman's activity in the archive.

Stories: 0
Comments: 23

Comments · 23

  1. Re:But its forebears were worse! on The Worst Development Job You've Ever Had? · Score: 1

    I know what you mean.
    My first "real" job was doing Excel macro language (late '92).

    You had gotos that were cells.
    So you would say:
    =goto(b1) (and it would go to b1 on the macro sheet).
    You could do something like a dialog box on the screen, and it took data across 7 columns to make the thing.

    I ended up with a 300K macro, with dialog boxes etc.

    And then they decided they didn't need it.

    The thing that was really irritating was that you had to do relative moves:
    Like to move the cursor down on the active pane was something like =select(r[0]c[0]:r[0]c[0],RC[1])

    You could also do selections etc.

    Quite interesting stuff, but frustrating as hell trying to debug. All there was was a step/iterate function.
    But even though I never messed with VB macros (in excel 5 and up), I am glad something came to replace the old macro language.

    At least they kept me on as the networking person, and then I had an AS400, Novell, PCs, Macs and a phone system to support.

  2. the last 10 years. on The Rise and Rise of IT Administrators · Score: 1

    Hmm, here's what I remember of the industry from 10 years ago.

    1: Users did not expect to have internet access.
    2: Most users were more tied into Novell, and had limited access. It was common to keep things on a file server, especially if they needed to be backed up. Back then, your PC was not backed up.
    3: If there was "internet access" it was that they had e-mail. Things like Mosaic were still catching on in popularity.
    4: Few users had a TCP stack installed on their machine; in most cases it was IPX/SPX (for Novell). In some cases, users would use SNA to connect to their IBM minicomputers, and in some cases it was TCP/IP. Windows for Workgroups was out at that time as well on NetBEUI, but "3.1 Advanced Server" wasn't anything to reckon with until 3.5.
    5: If you maintained a network, you maintained a 10MB hub/repeater/concentrator. There were far fewer routers and configurable switches. You didn't have to worry about full duplex, half duplex (10, 100, 1000) etc. The biggest problem was what IPX frame type you had, but a well configured server had all of them configured.
    5a: In most cases the router was the server. (Novell IPX routing, Suns running gated/rdisc etc.)
    6: Virus protection was needed, but viruses were not e-mail borne, and were more likely to come from floppies from home.

    Now, let's see what has happened over time.
    1: The popularization of TCP/IP. Yes, now every desktop has it. All the functionality is delivered by it.
    2: The popularization of the internet, the browser etc. Now every TCP/IP enabled desktop wants to get to the internet.
    3: The downfall of IPX/SPX based file serving. (Sorry Novell.)
    4: The popularization of NT based file servers, and file serving appliances (NetApp etc.).
    5: Concentrators became switches and are more complex (10/100/1000, half/full duplex, STP).
    6: Routers are now common at companies. They are dedicated appliances. They do HSRP/VRRP etc.
    7: Greater reliance on PCs. Now you have to provide your users with a higher level of uptime, due to the higher reliance on the internet and the moving of more features to the network (that were done before in a non computing fashion).
    8: The appearance of NAT.
    9: The complexity of the user's daily apps and the PC. It's no longer win.ini and sysedit. Now it's the registry, HKEY_LOCAL_MACHINE and a good amount more. It's not Windows 3.1 with DOS 6 running underneath.

    So over the last 10 years, the job of maintaining a network and the servers has become more complex.

    Now maintaining the switches requires someone qualified.
    Now you need someone to understand routing.
    Now you need an internet connection and security.
    The file server now needs more availability.
    E-mail is now mandatory, and it needs to access the internet.
    Virus scanning, while needed before for checking the floppy that came from home, is now needed to check the internet gateway, each PC, and the file server.
    Additional complexity on the user PC, the OS etc.

    What was once a simple job, where 1 person could have limited knowledge but still do the overall role, now requires someone with more experience or more people.

    --------------------

    So as complexity increases, administrators have tried to lighten their workload by getting things streamlined:
    1: Cookie cutter OS builds (Jumpstart/Kickstart/Ghost etc.)
    2: Cookie cutter software installs: .MSI, RPMs, .pkg, Encap, CFEngine etc.
    3: DHCP/Policies/Profiles

    Then there are installs of necessity:
    1: Virus installs on PCs.
    2: The idea of "deny all that is not allowed"

    Now, do some things go faster as a result?
    Yes. - admins no longer have to create a BOOTP entry for your unix box, or assign you an IP.
    Yes. - A replacement PC can be delivered and set up with a company image quickly

    Do some things go slower?
    Yes. - now you need firewall rules or you need a 1 to 1 NAT.

    Overall technology is not getting simpler, it is getting more complex.

  3. 1.8 and 1.3" drives have been out before. on 1.8 Inch Removable Hard Drives Coming · Score: 2, Informative

    In 1992-1996 companies were developing 1.8" technology.

    Places like MiniStor, Maxtor and Aerial (SP?). Although since density was a lot less then, they were only turning things out in densities of about ~130MB at the end of it.

    Some of these were available with an ATA interface, some with a PCMCIA Type III (11mm high), some were a Type IV (13+mm high). A Type III device will take the space of 2 PCMCIA slots. Most standard PCMCIA stuff is Type II (5mm).

    HP actually had a 1.3" hard-drive out at that time, in 20MB and 40MB configurations. This was called (nicknamed?) the Kittyhawk.

    All the products eventually vanished off of the market. MiniStor went bankrupt in 1995, Aerial (SP?) I think folded a bit after it, and Maxtor I think just gave up on it.

    From a shock perspective, things like CompactFlash offer better shock resistance, but less capacity.

    Oh, and the difference between 5.25 and 3.5 and 2.5 and 1.8 and 1.3 is that each disk is half the surface area of the other. So assuming the same number of platters and same density, each size drive would have half the capacity.

    -- C

  4. Re:Topology? on Coolest Cluster Ever · Score: 1

    The 16 port cards are exactly what you said:
    1 GB each but 8GB to the backplane.

    The port count would probably be something like:

    Blades
    FI1500
    1-2 8 GB Management Blades (8 port fiber cards)
    - Giving redundancy.
    3-15 16 port gig blades with hosts attached. (208 user ports)

    FI800
    1-2 8 GB Management Blades (8 port fiber cards)
    - Giving redundancy
    3-8 16 port gig Blades with hosts attached. (96 User Ports)

    You then can link all of blades 1 and 2 together, giving you two 8GB trunks, or 16GB of bandwidth between them. The interesting part would be load balancing them (if you needed more than 8GB). If not, you could also add in another downstream switch.

    Another option would be to do something like 10GB Ethernet and trunk them together. This would block on the backplane at ~8GB.

  5. Re:WARNING: SNAPSHOTS ARE NEWER THAN RELEASE on OpenBSD 3.2 Readies For Release, pf Matures · Score: 4, Informative

    The snapshots on ftp.usa.openbsd.org are still 10/3/2002.....

    But, I'll also grant you that that seems weird in that it usually changes more often.

    If all else fails, wait 3 days and you can find it at:

    ftp://ftp.usa.openbsd.org/pub/OpenBSD/3.2
    (THIS LINK WILL NOT WORK UNTIL FRIDAY)
    (this is posted in PST, so Friday is still 3 days away).

    Yeah the best way would be to grab 3.1
    ftp://ftp.usa.openbsd.org/pub/OpenBSD/3.1

    install it
    and then src code upgrade

    -- C

  6. if you are going to upgrade to 3.2 ahead of time on OpenBSD 3.2 Readies For Release, pf Matures · Score: 5, Informative

    It's already out there in the source tree... and has been for a while (beginning of October).

    You can grab the main .tgzs from:
    ftp.usa.openbsd.org/pub/OpenBSD/snapshots/i386

    I'm pretty sure you can do this install by getting the floppy (.fs) files and selecting FTP install.

    If you have 3.1 (or any other version) you can upgrade the source tree (this is how I did it)

    set your cvsroot:
    setenv CVSROOT anoncvs@anoncvs.usa.openbsd.org:/cvs
    cd /usr
    cvs -q get -rOPENBSD_3_2 -P src

    You can then follow along here:

    http://www.openbsd.org/faq/upgrade-minifaq.html

    Make sure you do all the steps.
    Be especially sure you do 1.5, 1.8, 3.1.* before you do a make build.

    (Note: if you are doing it from something earlier than 3.1 you should do the other changes (3.0.* etc. etc.).)

    -- C

  7. outlook is not exchange and other stuff on Can We Finally Ditch Exchange? · Score: 1

    Outlook is the client.
    Outlook can act as a POP/IMAP server.

    However, outlook acts "better" when talking to exchange.

    You can do nifty things with fonts etc. that you cannot do in pop/imap mode.

    You can look up users differently (don't need to configure LDAP).

    But, if most of your users don't care, or they won't know the difference, you can have Outlook talk to an IMAP/POP + LDAP server.

    At that point the calendaring becomes the big issue.... as in how do you send calendar requests from Outlook in non-Exchange mode... I don't remember how this works.... there might be some method of doing this, but I think not.

    Also you lose public folders, and depending on your site, this may be in use such that you cannot replace it.

    Now as to having Linux boxes talk to Exchange, you can do the IMAP/POP/LDAP, but you will still have the calendar/task list/public folders problem.

    You could try a MetaFrame/Citrix type application and get all your Outlook out of that.

    You end up paying for a terminal services + Outlook license + Exchange license, but that might be cheaper (but not by much) than a Win2K + Outlook + Exchange.

    To truly see savings you need a Unix based server that talks all the Exchange protocols.

    Now on a similar tangent, imagine this:

    Your Exchange users, on their Exchange servers.

    You, the Linux person(s), set up as a remote mailbox. (ie: it says: deliver joe@foo.com to joe@unix.foo.com).

    Then joe@unix.foo.com can be on a mail server running IMAP/POP/LDAP.

    Then you can get a calendaring package. (SuSE e-mail server offers most of this).

    Then all you need is a way for the calendaring package to talk calendars to Exchange.... I think this is the part that does not exist..

    But this does move the list of tasks from re-implementing everything to building a calendaring exporter/importer.... you might even be able to use the Exchange tools to do this.
    (MS did the same thing to get people off of cc:Mail; they used the cc:Mail import/export tools against them.)

    Public folders could also be tricky, but they do offer replication, and there is a built-in replication method for them.... but depending on how often you access this, maybe you can do some sort of web interface?!?! or have this be NFS'd in some way?

    You will have a problem of maintaining 2 address lists... unless you do something like set the Exchange server up as the LDAP server.... or write some way to keep them in sync.

    -- C

  8. Address space portability/redundancy in general on Internet Giants Prepare for WorldCom 'Storm' · Score: 2, Informative

    The problem is address space.

    If you have a web site that has less than a /21 of usable address space (yes folks, that's 2048 addresses), you are forced to get your address space from an upstream provider.

    The rules on ARIN: http://www.arin.net/policy/ipv4.html#multihomed

    say that you need to show that you have used the equivalent of a /21 (2048 addresses) to get a /20 (4096 addresses).

    With these 4096 addresses you can then have "portable addresses".

    This means that you do not need to get your address space from an upstream provider.

    So let's imagine these scenarios:

    1: Single homed (1 connection) company.
    Potential problems:
    If upstream goes out of business, then you have nowhere to route to.
    To migrate you have to get a BRAND new set of IPs for your company.
    You better hope that your DNS TTL is low, and that all the places out there that cache it honor it and don't set it to something astronomically high. (This does occur.)

    2: Multi homed (N connections, n>1) company (running BGP).
    Potential problems:
    If upstream goes out of business, then you are still routing the address space of your out-of-business provider out your alternate provider. (Good.)
    You are now at ARIN's mercy depending on what they do with the upstream's IP space. You can bet that they will not give you a small chunk to stay as who you are.
    Other large providers may get crazy ideas and start filtering. Ie: Worldcom has not paid me, so I filter their netblock as protest. (See PSI.)
    The best help in this scenario is your own problem, the small IP range you have. Since you have a small range, you then have a "more specific" route to your network. That will override most things such as null routes etc. (It will not override ACLs though.)

    Pretty much this scenario will keep you on the net for longer, but should the ISP you have your space from go down and stay down, you will need to migrate address space, DNS TTL etc.

    3: Multi homed (N connections, n>1) company at multiple datacenters.
    Potential problems:
    Hopefully you have different providers at each datacenter, or at least the address space is given to you by different providers.
    In this case, the worst you lose is 1 datacenter. Hopefully your site can maintain full traffic out of the remainder of your datacenters.
    The biggest problem here is again DNS, but if you are doing multiple datacenters, you can probably remove 1 out of the picture really quick.

    --- This does not end the list of possible scenarios; there are many others you can do. (For example: you could have address space from 2 carriers at the same datacenter, and multihome/map addresses from each carrier onto them.) etc.

    Now as to the likelihood: when Exodus went bankrupt for a few months last year, they did not lose all their advertisements, and for the most part they did stay up. I'd guess this would be the same thing as UUNET.

    Also UUNET has much more traffic than Exodus. That hopefully means that most ISPs will not kill their peering with UUNET.

    That being said, if the rats leave the ship called UUNET, UUNET's peering will fall to low levels, and then ISPs will be able to contractually cancel with UUNET. Possible, but not likely.

    Now, if you wanted to have multiple carriers, and be truly independent of any of them going away, you have to show effective usage of a /21.

    The good part of this is that you can split this into multiple sections:
    ie: I have 2 datacenters, and each needs a /22
    ie: I have 4 datacenters, and each needs a /23
    You can separate address space out to that, and show use of a /21, and hopefully get a /20. It helps if you show that you are growing.

    ie: I have 2 datacenters, and each needs a /22, but I'm opening another within 6 months
    ie: I have 4 datacenters, and each needs a /23, but I'm opening another within 6 months

    What you have to look out for is that you probably should not advertise anything more than a /23, or you may get filtered by other ISPs.

    For example take this recent NANOG posting: http://www.merit.edu/mail.archives/nanog/msg01717.html

    Too many specific routes (/24 and above) add more work to people's BGP routers; as such, limiting accepted routes helps performance of the router, and keeps things more stable.

    In summary,
    if you have 1 carrier, get 2.
    if you do not have enough address space, be prepared to have to change it.
    If you have multiple datacenters you should be good to go, but with some exposure as you have to re-ip.
    if you have enough address space to be portable, you are good to go.
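
The address-space arithmetic behind the post above, as an added example that is not part of the original comment. It works through the /21 demonstration, the split into per-datacenter /22s or /23s, the "more specific route wins" point (a customer /23 beating the upstream's covering aggregate) and a peer's prefix-length filter. The network numbers are constructed RFC 1918 space, the route table is invented, and the /24 filter cutoff is an assumption chosen for the example rather than any ISP's stated policy.

```python
"""Address-space arithmetic behind the /21 -> /20 discussion.

Added example, not from the original post. Networks are constructed
(RFC 1918 space); the route table and the prefix-length filter limit are
illustrative assumptions, not any ISP's real policy.
"""
import ipaddress

# ARIN's multihomed rule as the post describes it: show use of a /21
# (2048 addresses) to be allocated a /20 (4096 addresses).
REQUIRED_PREFIXLEN = 21
ALLOCATED_PREFIXLEN = 20


def block_size(prefixlen):
    """Number of IPv4 addresses in a prefix of the given length."""
    return 2 ** (32 - prefixlen)


def justifies_portable_block(site_prefixlens, required=REQUIRED_PREFIXLEN):
    """Add up what each datacenter needs (e.g. [22, 22] or [23, 23, 23, 23])
    and report (total addresses, whether that reaches the required /21)."""
    total = sum(block_size(p) for p in site_prefixlens)
    return total, total >= block_size(required)


def split_allocation(block, per_site_prefixlen):
    """Carve one allocation into equal per-datacenter pieces."""
    net = ipaddress.ip_network(block)
    return [str(sub) for sub in net.subnets(new_prefix=per_site_prefixlen)]


def longest_prefix_match(routes, addr):
    """Pick the most specific route covering addr. This is why the post's
    small block keeps getting traffic when the upstream's aggregate is
    null-routed: the customer's /23 beats the provider's covering /16."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, next_hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return (str(best[0]), best[1]) if best else None


def accepted_by_peer(prefix, max_prefixlen=24):
    """Prefix-length filter of the kind the NANOG thread is about: anything
    more specific than max_prefixlen is dropped. /24 is an assumed cutoff."""
    return ipaddress.ip_network(prefix).prefixlen <= max_prefixlen


if __name__ == "__main__":
    print(justifies_portable_block([22, 22]))        # (2048, True)
    print(split_allocation("10.0.0.0/20", 22))
    routes = {"0.0.0.0/0": "default",
              "10.0.0.0/16": "upstream-A (aggregate)",
              "10.0.4.0/23": "upstream-B (our more specific)"}
    print(longest_prefix_match(routes, "10.0.4.7"))  # the /23 wins
    print(accepted_by_peer("10.0.4.0/25"))           # False
```

Two datacenters at /22 each, or four at /23, both total exactly the 2048 addresses of a /21, which is the justification threshold the post quotes; two /24s fall short.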

  9. Again it depends on How Much Do Employers Budget for Education? · Score: 1

    My experiences:

    When I worked for a consulting house, they needed people to be certified so they could carry the products. As such they worked with the vendor they were trying to resell for to get the techs discounted/free training.

    This worked out really well for some stuff, like the sun training.

    Certifications were put as career goals, and incentives were offered to the employees. Things such as raises, nice dinner for getting certs were common.

    They had a policy for testing for the certs, that they would pay for the test too.

    Also, on certs where the vendor would not offer discount courses, or where you knew the material, it was encouraged to study for the test, and take the test without the courses. This worked out pretty well too :)

    The next place I went to, another consulting shop, claimed to be really strong on training, but you could never go while on assignment as then you would not be billable. They would only pay for tests if you passed them.

    The last few places have been pretty much the same:
    Study on your own time.
    Take the test,
    If you pass, they will reimburse you.

    Some places will offer to buy the training materials, but usually I buy them and keep them around for reference.

    -- C

  10. Re:That's what CRL's are for on Don't Trust Code Signed by 'Microsoft Corporation' · Score: 1

    Well, there's 3 things

    1. Paraphrasing the FAQ that MS posted:

    every certificate should indicate the CRL Distribution Point (CDP) - (where a CRL can be found). The VeriSign code-signing certificates issued have no information in the CDP.

    That's what scares me. No comprehension that a cert can be compromised etc. etc.

    2: What also scares me is how you circumvent the process:

    When I registered my certs (with Thawte) [who is now owned by VeriSign], you need to provide quite a bunch of things:

    1: A piece of paper saying you are authorized (easy)
    2: A copy of whois claiming the company you represent owns it (easy)
    3: A copy of your articles of incorporation. (I guess this could be easy if you are a public company)
    4: If you were incorporated in a different state than where you do business, you need to find a business license.
    5: If you changed your name from one company to another, you need to send a copy of that.

    They then check this; I believe that they actually check that it's on file.

    Then they call you back.

    Now, here's the part I am not sure of.
    Logic would dictate that they call the main number for the company (from 411, the yellow pages, 3 authoritative sources) and call the office.

    After calling the head office, they should call HR, and find out
    a: If your extension/number matches
    b: If your title and position matches what you placed on the certificate request.
    (steps a & b should prove that you work at the company)

    Now how accurate is the last step where they call HR or the operator and find out? I'm not sure. That would seem like the right way to do it.

    I Used to always put my direct extension, but would get calls routed via the operator.

    3: Then comes the last thing:
    How do you pay for this? I guess since MS is big enough you could say "bill me on net 30 terms", but usually you have to pay to get the cert issued. So with luck there's a credit card to follow. Or would you really trust to issue a cert (for Microsoft) based on a money order?

    Anyway, for a company that relies on trust, this is a big letdown.
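
The missing-CDP problem from point 1 above, as an added example that is not code from Microsoft's FAQ, VeriSign or the commenter. Before trusting a code-signing certificate you can check whether its extensions name a place to fetch a CRL at all: the example builds two constructed X.509 v3 Extensions blocks in DER (one carrying a CRL Distribution Points extension, one without) and parses them back with a minimal DER walker. The OID 2.5.29.31 is the real id-ce-cRLDistributionPoints and 1.3.6.1.5.5.7.3.3 the real code-signing EKU; the CRL URL and the extension values are made up for the example, and a real check would feed it the extensions pulled out of a parsed certificate.

```python
"""Does a certificate's extension block point at a CRL at all?

Added example, not from the post or any CA. Builds two constructed
Extensions blocks and parses them with a minimal DER walker. OIDs are the
real ones; the URL and extension contents are invented.
"""

CRL_DP_OID = "2.5.29.31"                 # id-ce-cRLDistributionPoints
KEY_USAGE_OID = "2.5.29.15"
EXT_KEY_USAGE_OID = "2.5.29.37"
ID_KP_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"

# ---- tiny DER encoder, used only to build the sample input ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share a byte
    for arc in arcs[2:]:                        # rest: base-128, high bit = more
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))

def der_extension(oid, value, critical=False):
    # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    body = der_oid(oid) + (der_tlv(0x01, b"\xff") if critical else b"") + der_tlv(0x04, value)
    return der_tlv(0x30, body)

def cdp_with_uri(url):
    # CRLDistributionPoints ::= SEQUENCE OF DistributionPoint;
    # DistributionPoint [0] distributionPoint -> [0] fullName -> [6] uniformResourceIdentifier
    return der_tlv(0x30, der_tlv(0x30, der_tlv(0xA0, der_tlv(0xA0, der_tlv(0x86, url.encode("ascii"))))))

# ---- DER decoder for the Extensions block ----
def read_tlv(buf, pos):
    """Return (tag, contents, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0  # fine for arcs 0.x, 1.x, 2.0-2.39
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_extensions(der):
    """Return [(oid, critical, extnValue bytes), ...] from an Extensions SEQUENCE."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    exts, pos = [], 0
    while pos < len(seq):
        tag, ext, pos = read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("each Extension must be a SEQUENCE")
        t, oid_body, p = read_tlv(ext, 0)
        if t != 0x06:
            raise ValueError("extnID must be an OID")
        critical = False
        t, body, p = read_tlv(ext, p)
        if t == 0x01:                           # optional critical flag present
            critical = body == b"\xff"
            t, body, p = read_tlv(ext, p)
        if t != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        exts.append((decode_oid(oid_body), critical, body))
    return exts

def crl_urls(der):
    """URIs from every CRL Distribution Points extension; [] means there is nowhere to fetch a CRL."""
    urls = []
    for oid, _, value in parse_extensions(der):
        if oid != CRL_DP_OID:
            continue
        _, dps, _ = read_tlv(value, 0)
        pos = 0
        while pos < len(dps):
            _, dp, pos = read_tlv(dps, pos)
            tag, name, _ = read_tlv(dp, 0)
            if tag != 0xA0:                     # no distributionPoint field
                continue
            tag, names, _ = read_tlv(name, 0)
            if tag != 0xA0:                     # nameRelativeToCRLIssuer, not a fullName
                continue
            p = 0
            while p < len(names):
                tag, gn, p = read_tlv(names, p)
                if tag == 0x86:
                    urls.append(gn.decode("ascii"))
    return urls

def has_crl_distribution_point(der):
    return any(oid == CRL_DP_OID for oid, _, _ in parse_extensions(der))

# ---- constructed samples: same key usage and code-signing EKU, with and without a CDP ----
KEY_USAGE_DIGSIG = b"\x03\x02\x07\x80"          # BIT STRING: digitalSignature only
EKU_CODE_SIGNING = der_tlv(0x30, der_oid(ID_KP_CODE_SIGNING))
WITH_CDP = der_tlv(0x30, der_extension(KEY_USAGE_OID, KEY_USAGE_DIGSIG, critical=True)
                   + der_extension(EXT_KEY_USAGE_OID, EKU_CODE_SIGNING)
                   + der_extension(CRL_DP_OID, cdp_with_uri("http://crl.example.invalid/ca.crl")))
WITHOUT_CDP = der_tlv(0x30, der_extension(KEY_USAGE_OID, KEY_USAGE_DIGSIG, critical=True)
                      + der_extension(EXT_KEY_USAGE_OID, EKU_CODE_SIGNING))
```

A cert like WITHOUT_CDP is exactly the situation the FAQ describes: nothing in it tells a verifier where revocation information lives, so a compromised key stays trusted until the relying party learns about it some other way.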

  11. I definitely do not agree - (pro-MAPS) on MAPS RBL Is Now Censorware (Updated) · Score: 1

    After reading all this, I'm guessing it all boils down to this:

    1: There is 1 hosted site by this company that is a spam related site. (makes spam software, supports spam, spams etc).

    2: The rbl has blocked 6 class C's belonging to this provider.

    3: There are other sites that the provider hosts that have lost connectivity.

    In the RBL's defense:
    If you are a hosting provider and you were to have the IP address of one of your servers blocked by the RBL, the most sensible thing to do would be to move it to another IP address. This would only make sense. So if the RBL blocks all of your netblocks, then you cannot move your offending site around.

    I see the RBL blocking the entire netblock as a good thing. It makes the hosting company try and resolve the problem, rather than just rsyncing the web site across to another machine, changing DNS and voila, the site is up again in just a few minutes.

    The best way to make this problem be fixed is to have people take notice.

    Rationale:
    Now, back in the day (and still), the RBL is also a BGP feed as well as a DNS based subscription. That being said, what the RBL does is announce the bad netblocks in a BGP feed, and in turn above.net subscribes to that BGP feed and null routes it (drops the traffic on their exterior routers).

    The average companies just use sendmail and you see error messages like "553 see mail.abuse.org". However with a null route, you will see nothing; traffic going to it will get dropped, traffic from it will never have an established session.

    As for the RBL being censorware, I do not see that. The message mentions samco and not peacefire or any other sites.

    I believe that it's more that peacefire has a bad provider that condones spam. Reading the evidence file shows that. The true test of this of course is either for
    a: peacefire to move and see if their rbl nomination follows. My guess is not as they are not spam providers.
    b: the offending sites to move and see if the RBL nomination follows them and media3 gets lifted.

    Vixie has stated many times that the RBL does have its shortcomings, that yes, good mail can get lost along with the bad mail. However, it is important to remember that the RBL is a full opt-in list. You can pick a provider that subscribes to it (either via BGP or by DNS for mail). You as a company can choose to subscribe to it via BGP or by DNS for mail.

    In my opinion the RBL is one of the best things out there. I use it, all the customers I work with use it, and I set it up every chance I get.

    I wish Paul and Nick and Crew only the best.
    -- C

  12. Some things don't seem to make sense: on UUnet's Case Study, or The Trouble With Spam · Score: 3

    OK, from reading the links it seems that there should be 2 things UUNET could do very easily to get out of this spam problem.

    Background:
    1: The port 25 block. This is mentioned in the article. In a perfect world, a user should only be able to send to their local mail server. Ie: When a user sets up their new ISP, they have to enter the name of their SMTP and their POP server.

    With that being said, it should be logical that UU.net should set up their router filters to only accept traffic going to port 25 on their mail servers. Traffic going to port 25 anywhere else should get blocked. If you have a local UU.net account, you should use the UU.net mail server.

    Now what about road warriors, the sales people out in the field who need to send mail?
    2 things:
    1: They probably VPN in, so that does not even matter. Otherwise:
    2: If you allow any UU.net address to relay via your mail servers, you have a hosed situation.

    2: The second option would be for UU.net to provide the IP ranges for its dial-up pool to the DUL project run by MAPS.
    This project takes dial-up ranges, and blackholes them from connecting to your network. They too follow the idea that you should only connect via your dedicated mail server.

    Now the bonus of step 1 is that all of the mail going out of your network goes through mail servers you control, so you can do certain checking,
    like anyone who is sending mail to 500 BCC'd recipients (multiple RCPT), or if they are using multiple RSET commands to send out the same message but with different subjects, should get rate limited/checked.

    Or you can put additional IP information in the message envelope, so that they can be detected easier.

    The win with the DUL is that it lets the rest of the net be able to only accept mail from UU.net's mail servers, and takes the CPU overhead of additional filtering off of their routers.

    -- C
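
The mechanics behind comments 11 and 12, as an added example that is not the commenter's or MAPS' code: how a DNS-based blocklist such as the RBL or DUL is queried (reversed octets under the list's zone, an A record meaning "listed"), the port-25 egress rule that lets only the ISP's own relays talk SMTP outward, and the per-transaction RCPT and RSET checks those relays can then apply. Everything is offline and constructed: the zone name, the table standing in for DNS answers, the relay addresses, the thresholds and the SMTP transcripts are all assumptions for the example.

```python
"""The two controls the post argues for, plus the DNSBL lookup it relies on.

Added example, not the post's or MAPS' code. Everything is offline and
constructed: zone name, the table standing in for DNS answers, relay
addresses, thresholds and transcripts are assumptions.
"""
import ipaddress

DNSBL_ZONE = "bl.example.invalid"            # hypothetical zone, not the real RBL


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """A DNS-based list is queried by reversing the octets under the zone:
    10.1.2.3 -> 3.2.1.10.<zone>; an A record in the answer means 'listed'."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


# constructed stand-in for DNS: name -> A record the list returns
LISTED = {dnsbl_query_name("10.1.2.3"): "127.0.0.2"}


def is_listed(ip, resolve=LISTED.get):
    """resolve() plays the role of an A lookup that returns None on NXDOMAIN."""
    return resolve(dnsbl_query_name(ip)) is not None


# ---- proposal 1: egress filter, only the ISP's own relays get port 25 ----
MAIL_RELAYS = {"10.0.0.25", "10.0.0.26"}     # constructed relay addresses


def egress_allowed(dst_ip, dst_port, relays=MAIL_RELAYS):
    """Router ACL logic from the post: port 25 only to mail servers we
    control; any other port passes untouched."""
    return dst_port != 25 or dst_ip in relays


# ---- the checks a controlled relay can then apply to its own customers ----
def audit_smtp_session(commands, max_rcpt=50, max_rset=5):
    """Flag a transaction with too many RCPT TO, or a session that keeps
    issuing RSET to re-send the same message. Thresholds are assumptions."""
    findings, rcpt, rsets, txn = [], 0, 0, 0
    for cmd in commands:
        parts = cmd.split(None, 1)
        if not parts:
            continue
        verb = parts[0].upper()
        if verb == "MAIL":                       # new envelope, reset recipient count
            txn, rcpt = txn + 1, 0
        elif verb == "RCPT":
            rcpt += 1
            if rcpt == max_rcpt + 1:             # report once per transaction
                findings.append(f"txn {txn}: more than {max_rcpt} RCPT TO")
        elif verb == "RSET":
            rsets, rcpt = rsets + 1, 0
            if rsets == max_rset + 1:            # report once per session
                findings.append(f"session: more than {max_rset} RSET")
    return findings


# constructed client-side transcripts
BULK_SESSION = (["EHLO dialup-42.example.invalid", "MAIL FROM:<offers@example.invalid>"]
                + [f"RCPT TO:<user{i}@example.invalid>" for i in range(60)]
                + ["DATA", "QUIT"])
NORMAL_SESSION = ["EHLO laptop.example.invalid", "MAIL FROM:<joe@example.invalid>",
                  "RCPT TO:<ann@example.invalid>", "DATA", "QUIT"]
RSET_SESSION = ["EHLO x"] + ["MAIL FROM:<a@example.invalid>",
                             "RCPT TO:<b@example.invalid>", "RSET"] * 6

if __name__ == "__main__":
    print(dnsbl_query_name("10.1.2.3"), is_listed("10.1.2.3"))
    print(egress_allowed("198.51.100.9", 25), egress_allowed("10.0.0.25", 25))
    print(audit_smtp_session(BULK_SESSION))
```

The egress rule and the relay-side audit only work together: once port 25 from the dial-up pool can reach nothing but the ISP's relays, every outbound envelope passes a point where RCPT counts and RSET storms are visible, which is the "bonus of step 1" the post describes.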

  13. Question About Chroot on Ask Theo de Raadt about OpenBSD · Score: 1

    Question about chroot:

    Turns out from looking at the OpenBSD, SuSE, Red Hat man pages that chroot is only invokable as root.

    Now I know the idea of chroot is so that programs you do not necessarily trust can be run in a smaller box than that of the entire system and you can put only the necessary tools needed for it to run in this box.

    What I would like to do is take a program that I run chrooted and also have it run as a lower privilege user (than root). I believe this to be a good idea.

    Programs like apache and bind have support for this.

    However there are quite a few programs that do not have support for or understanding of a "run_as_user" or a "-u" flag etc.

    Since I can only launch chroot as root, the program I spawn is run as root; granted it's in a chrooted shell, but I would like the program to run chrooted and be run as a low priv user. I certainly don't want to put something like su in the chrooted directory (and maybe even a shell) to have to make this run as another user.

    What is your take on this? Should there be something like a "-u user" flag to chroot?

    Why would this be a good/bad idea?
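
What the "-u user" flag asked for above has to do, as an added example that is not the questioner's, OpenBSD's or any vendor's code (OpenBSD's chroot(8) does have -u/-g, and GNU coreutils chroot has --userspec). The order is the whole point: chroot(2) needs root, so it happens first; chdir("/") follows so the working directory does not stay outside the new root; then supplementary groups, gid and finally uid are dropped; and the wrapper proves the drop stuck by trying to become uid 0 again, which must fail. The jail path and the uid/gid are constructed, and the syscall provider is injectable so the sequence can be checked without running as root (the DryRun class); by default it is the real os module.

```python
"""chroot plus privilege drop, in the order that matters.

Added example, not from the post or any vendor. `sys_` defaults to the
real os module; DryRun records the calls so the sequence can be checked
without root. Jail path and uid/gid are constructed.
"""
import os
import pwd


def resolve_user(name):
    """uid and primary gid for a login name, from the passwd database."""
    pw = pwd.getpwnam(name)
    return pw.pw_uid, pw.pw_gid


def jail_and_drop(root, uid, gid, sys_=os):
    """Enter the jail while still root, then give up root for good:
    chroot -> chdir("/") -> setgroups([]) -> setgid -> setuid, and finally
    confirm that uid 0 can no longer be regained."""
    if sys_.getuid() != 0:
        raise PermissionError("jail_and_drop must start as root")
    if uid == 0:
        raise ValueError("refusing to keep uid 0 inside the jail")
    sys_.chroot(root)          # needs root; after this "/" is the jail
    sys_.chdir("/")            # else cwd still points outside the jail
    sys_.setgroups([])         # drop supplementary groups (root's wheel etc.)
    sys_.setgid(gid)           # gid before uid: once uid is unprivileged this fails
    sys_.setuid(uid)
    try:
        sys_.setuid(0)         # must be refused now
    except PermissionError:
        return                 # good: root is gone
    raise RuntimeError("privilege drop failed: uid 0 still obtainable")


def run_jailed(root, user, argv):
    """Wrapper equivalent of a hypothetical 'chroot -u user root prog args';
    paths in argv are relative to the new root."""
    uid, gid = resolve_user(user)
    jail_and_drop(root, uid, gid)
    os.execv(argv[0], argv)


class DryRun:
    """Records the syscalls jail_and_drop issues instead of making them, and
    mimics the kernel rule that only uid 0 may change identity."""
    def __init__(self):
        self.calls, self.uid = [], 0

    def getuid(self):
        return self.uid

    def chroot(self, path):
        self.calls.append(("chroot", path))

    def chdir(self, path):
        self.calls.append(("chdir", path))

    def setgroups(self, groups):
        self.calls.append(("setgroups", tuple(groups)))

    def setgid(self, gid):
        if self.uid != 0:
            raise PermissionError("setgid without root")
        self.calls.append(("setgid", gid))

    def setuid(self, uid):
        if self.uid != 0 and uid != self.uid:
            raise PermissionError("setuid without root")
        self.calls.append(("setuid", uid))
        self.uid = uid


if __name__ == "__main__":
    dry = DryRun()
    jail_and_drop("/var/jail/ntpd", 1001, 1001, sys_=dry)
    print(dry.calls, "uid now", dry.uid)
```

Run for real (as root, with a populated jail) via run_jailed, the program ends up both chrooted and unprivileged without any su or shell inside the jail, which is the combination the question is after; the DryRun path only shows that the calls are made in the right order and that a second call from a non-root uid is refused.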

  14. Exchange stuff: on When Is Exchange Inappropriate For The Enterprise? · Score: 4

    First a bit of background about exchange.

    1: There are 2 choices with exchange right now, 5.5 and exchange 2000.

    I'll give some 5.5 background.

    1: If you are using this in an enterprise, you will need Exchange Enterprise Server. This will let you have a message store greater than 16GB (unlimited).
    2: If you want things like clustering etc., beware with Exchange 5.5; it does not do it very well at all. It's an active/standby config (1 is active, the other is standby). When the first one fails, the second pops up and has to start the services. So you may have between 30 seconds and 5 minutes of downtime for "clustered failover". Also, for your clustered servers to work, you need shared disk (they need to share the same array). This would mean you would need to buy a pretty massive Compaq or something.

    3: 5.5 offers LDAP/POP3 and webmail.
    The downsides of webmail: it is recommended (by Microsoft) that you move webmail to different servers and have your users connect to that. They recommend you do 2 (IIS 4.0) web servers for every Exchange 5.5 server.
    If you run IMAP/POP3, your users must connect to the server they are homed on. They cannot connect to 1 server and in the backend be connected to the server their files are on. So if you migrate servers with POP/IMAP users, you need to change each client's PC.

    4: If you want resources like conference rooms, that do automatic accepts etc., in my experience you need to devote a dedicated conference server to do accepts for this. This requires that the machine is always logged in running Outlook. OK, well there are technotes saying you don't need this. Too bad I couldn't get it to work.

    5: Exchange will NOT install without a true domain controller. That means you need a PDC installed on your net and your Exchange server as a member server. (Samba will not cut it, at least not 2.0.7.)
    6: Now lets analyze the cost, assuming this is an enterprise.
    You have:
    2 Big main servers
    1 Shared disk array
    1 Tape backup server
    1 Tape backup software
    1 Exchange plugin for the backup software
    2-4 Pc's for webmail
    1-2 Conference room servers.
    2 NT Enterprise server softwares.
    1 NT Server software (backup server)
    4 NT Server software (webmail)
    2 NT Server software (conf rooms)
    Now there is also the licensing for every user you need to pay for, EVEN for your POP users etc. The rule is "if they have a password, they need a license".

    Now it is not all doom and gloom. You do get some cool calendaring and stuff that people like. Is it worth it? Depends on how important things like calendaring and reliability are to upper management.

    There are also some weird bugs with 5.5 SP3. (SP4 was released this week, but I haven't tested it yet.)
    a: When you migrate users from 1 server to another, mail to the user during this migration gets bounced (user does not exist). Moving large mailboxes can take up to an hour (or longer).

    b: You cannot migrate users from 1 site to another. (You have to copy to PST, and then import to the other site.) (If you didn't appreciate rsync, this will make you wish you had it.)

    Now let's go to Exchange 2000.
    Note: This is information gained from speeches and grilling MS reps, not from practical experience!

    1: You need an active directory server. That means you need to be running a MS Active Directory server for your network. This could potentially become a win if you had your unix servers authenticate against it via ldap. But then again, it could also be a nightmare. Just a hypothetical.

    2: It now supports active/active clustering. (So if 1 fails you still keep chugging along.) The bad thing is that to get 2-way clusters you need 2000 Advanced Server. To get 4-way clusters you need 2000 Datacenter Server (not cheap). Again these machines need to be connected to the same array. So that would mean some big hardware (Compaq etc.)

    3: As part of AD, you can move users across sites now.
    4: You need fewer frontend IIS servers (according to MS it's now 1 for 2, as opposed to 2 for 1). However now every frontend IIS server needs to have a license for Exchange 2000 Server. (It did not in 5.5.)

    5: Improved ways for backup. (You can now have multiple backup types for your server, so that different types of users, can be backed up with different frequency.)

    6: If you have pop3/imap users on different servers, they can get to them by going through 1 server.

    The plus for 2k would be the active/active clustering and the fixes. But then again, you have a lot of changes to make to fit it in.

    Conclusion

    Depending on what your internal architecture consists of, you may have a lot more to change than just adding an exchange server. You might have to add in a PDC, or AD server. You will have to put all your users in there for authentication.

    Be careful with trusts, sometimes they are not your friend.

    Make sure you set up a new account to be the exchange server manager.

    If you run 5.5, run the Mailbox Manager. It allows you to clean up mailboxes over time.

    If you have legal or compliance issues, you can have exchange be like big brother and copy all mail (to anyone) to an account for review. This is called message journaling.

    The costs will mount up quick. Depending how much you have in your existing infrastructure, a figure with costs for a reliable solution, with certain uptime requirements may be prohibitive.

    That may be something to ask of management. "what are the uptime requirements for the e-mail system".

    Oh, and last and final: whatever you do, frontend your Exchange servers with dedicated Unix servers for outgoing and incoming SMTP mail. That way you have support for things like the RBL/DUL/RSS, as well as aliases, redirection to things like Mailman lists, and many more.

    Hope this helps

    -- C

  15. Additional on Spam, ISPs, MAPS And Lawsuits · · Score: 5

    Actually maps has a press release they sent out yesterday:

    http://mail-abuse.org/pressreleases/2000-09-08.html

    Good chunks:
    "They insist on using dirty email lists, which contain the email addresses of people who do not want to receive their email, and who did not themselves sign up to receive email from Harris".

    Ahh - so they are buying internet lists and sending them to people. Now that's not even single opt-in. Ok so that's a BIG problem. I don't want my e-mail address reaped just because I posted to slashdot once.

    Another good snippet:
    "We are absolutely fine with Hotmail and AOL deciding to let Harris email enter their system," continued Thompson. "In fact this is how our system was designed to work, and it confirms our position in this lawsuit! MAPS does not dictate policy to anybody - we simply publish a list of Internet addresses known to originate or enable spam - what the individual Internet service providers ("ISPs") choose to do with that information is up to them. They can choose to block email from those addresses, or, as AOL and Hotmail have done, they can choose to accept it. Perhaps now that Harris sees that MAPS does not control whether their email is accepted or rejected by the ISPs, they will realize that suing us makes very little sense indeed. We are entitled to publish our opinion, and in fact are guaranteed a right to do so by the First Amendment."

    -- That's right, *I* choose what I want to accept on my mail system, and I trust maps to be an introducer of what I want (or do not want) to receive. And yes I can choose to accept mail from RBL'd sites, but I would not want someone to force me to accept their mail. That smacks too much of losing my rights.

    If I don't want to listen to what someone has to say, why should I be forced to? If I don't want someone to send me files that fill up *my* disk, take cpu resources, why should I have to?

    I think maps is great in what they do, and I hope they win.

    Harris already lost their request of a Temporary restraining order against maps, and I hope it's the first of a long line of losses against them. Link:
    http://mail-abuse.org/pressreleases/2000-08-08.html

    You can show your support for maps by mailing comments@mail-abuse.org (see http://www.mail-abuse.org for info).

    I think maps is doing a GREAT service, and I hope Paul and Nick, and the others keep fighting and don't give in.

    -- C

  16. Re:MAPS != ORBS = is blocked on MAPS vs. ORBS · · Score: 1

    Well,
    First off I should say I am a strong fan of maps.
    And I actually used to follow the squabbles about maps vs orbs.

    However let me show you a traceroute from a box in above.net (SJ1):

    nslookup www.orbs.org
    Name: www.orbs.org
    Address: 202.36.147.16
    % traceroute 202.36.147.16
    traceroute to 202.36.147.16 (202.36.147.16), 30 hops max, 40 byte packets
    1 main2-133-3.sjc.above.net (209.133.3.3) 1 ms 1 ms 1 ms
    2 core1-main2-oc3-1.sjc.above.net (209.133.31.186) 1 ms !H 1 ms !H 1 ms !H

    It actually gets hosed still in san jose, maybe it is null routed [as mentioned in the linked articles].

    let's see whois:
    > whois -h whois.networksolutions.com orbs.org
    NS1.MANAWATU.NET.NZ 202.36.148.65
    NS1.ABS.NET 207.114.0.130
    SKYNET.SIMKIN.COM 199.175.137.111
    DOUBTFUL.SIMKIN.COM 207.6.128.246
    NS3.AUSTRIA.EU.NET 193.154.160.110

    % traceroute 202.36.148.65
    traceroute to 202.36.148.65 (202.36.148.65), 30 hops max, 40 byte packets
    1 main2-133-3.sjc.above.net (209.133.3.3) 2 ms 1 ms 1 ms

    Hrm...it doesn't get as far as the first.
    (the others are ok)

    Now I'm NOT a bgp expert...but I'm guessing (and only guessing) [did I say I'm guessing?] that this is not going this far because it might be null routed. Of course, considering above.net does use some cool/strange routing tricks, it might actually be reaching an exterior/border router that just has no idea how to get there....
    but if this is the case, then it is only above.net and not from other places (like exodus and globalcenter [which I checked]). Therefore it would sound like an above.net problem.

    Where I sit:

    Well I guess it had to come to something, there were a lot of complaints about being probed from orbs, people being on orbs and being unable to get off. etc. etc.

    Having seen vixie talk (twice), I still fall on his side, and I think he's trying to stop mail-abuse the best he can. And while orbs may do something to stop abuse, they create their own in doing massive probes against secured boxes.

    -- C

  17. Re:The RBL is a scam.,..NOT! on MAPS RBL Challenged In Court Case · · Score: 1

    3rd party spam:
    My take on it was:
    1: If you get a $20 generic account and spam hundreds of thousands of people at a different web address your web address will be blackholed.

    I.e.:
    1: you log onto earthlink and spam advertising www.myspamsite.com.
    2: your earthlink account will get banished, due to earthlink's aup.
    3: Your website will be potentially RBL'ed as you are advertising it through spam... even if that site never sent spam in itself.

    Again, there is usually an extensive review that goes into being rbl'ed, so it's usually not instantaneous, and you usually have to be an ass about it. ie: "I will sue you" are usually the appropriate words, for a nice listing.

    As for the scenario described above, with 3rd party sites being blacklisted for spammers as clients, well I haven't seen that.

    related:
    I had a friend of mine who works at an online payment service actually speak to maps, in advance (as people were trying to spam others to use their service, so the users could get referral bonuses). He was told pretty much the same thing as the web site says:

    If people are promoting spam, relating to your site, please discontinue the account, in a prompt fashion. This is my friend's company's standard policy and so everything was fine.

    Sounds like Ibill just does not care, but I'm not familiar with it.

    -- C

  18. Re:my take on it on MAPS RBL Challenged In Court Case · · Score: 1

    Yes, those are taken from my 8.9.3 MC file -- C p.s. in 8.9.10 it's not called rbl, but dnsbl.

  19. my take on it on MAPS RBL Challenged In Court Case · · Score: 4

    A: First off, maps represents 3 types of blocking lists.
    1: The RBL, which contains IP addresses of spammers
    2: The DUL, which contains IP addresses of machines that should not be able to send mail to your server directly. I.e.: a user at earthlink should always send mail to their mail server and then it should be routed to you. If they have a system that connects straight to you, it most likely is spam.
    3: the RSS (relay spam stopper) that contains a list of open relays. This is a nice trick of spammers to send mail through someone else's machine and have them do the job of mailing everything out.

    B. Getting your address.
    Now, my take on the philosophy of MAPS, is that you should only receive what you elect to receive. ie: getting mail-bombed from 100's-1000's of companies just because you once posted to usenet without masquerading your e-mail address just should not happen. (This is not an exaggeration).

    So, if you sign up for a newsletter, you receive the newsletter. Also, you should have a clear way on how to be removed from the newsletter. etc.

    You also should have a choice in that they should not sell the e-mail addresses on the newsletter.

    C: Legality, from the receiver's point of view
    As to the legality of maps?
    Personally, I like it.
    It's 100% opt in, and you choose for yourself what list(s) you want to subscribe to, and away you go.

    If you go to an ISP, you can usually find out very quickly if they subscribe to MAPS, and which particular lists.

    D: Legality from the sender's point of view.
    The basic idea, is that if you do nothing wrong, you have nothing to worry about.

    To actually be listed on the RBL is not a slam dunk. You will be contacted more than once and you will have ample opportunity to make changes.

    Ok so some of the changes may be considered completely rude by some, let's give examples:
    1: the ability to unsubscribe yourself
    2: The ability to make sure that only you sign yourself up, and not someone with a bogus e-mail address
    3: Not to add users by a "buy 50million users on cdrom for $20" import utility.
    4: if you are an ISP, not willing to do anything about people complaining you have spammers.
    Usually, you can get by #4 by having a strong AUP against spam, and kicking user accounts that send UBE

    E: Legal arguments
    1: Restraint of trade?
    Not in my opinion.
    I consider and trust MAPS to be a meta-introducer. I want them to let me know who I should talk to (receive e-mail from) and who not to.
    It's my/my company's/my ISP's choice, as it's their machine.

    2: Malicious
    Not hardly. You will receive every chance not to make the RBL list.
    The DUL list is usually contributed by the ISP themselves
    the RSS is contributed by victims. Usually the Sysadmin of the victim's machine will ask for help to get it fixed, and maps will help do that.
    Hardly what I would consider malicious, when they help upgrade a victim's sendmail.

    F: how to use it,
    if you know how to make your own sendmail.mc insert these lines:

    dnl default RBL zone (known spam sources)
    FEATURE(rbl)dnl
    dnl DUL: dial-up pools that should relay through their ISP's mail server
    FEATURE(rbl, `dul.maps.vix.com', `Dialup - see http://www.mail-abuse.org/dul/')dnl
    dnl RSS: open relays reported by relay-spam victims
    FEATURE(rbl, `relays.mail-abuse.org', `Open spam relay - see http://www.mail-abuse.org/rss')dnl

    and away you go.

    -- C

  20. a few thoughts: on MCSE Revolt Over NT4-W2K Plans · · Score: 3

    Reasons to get rid of 4.0 tests:
    1: The MCSE is becoming rapidly devalued.
    There are ads/banners for "become a fully fledged MCSE in x weeks". Microsoft needs a way to block off all the people who have their MCSE with no training and actually get the perception that having an MCSE is worth something again.
    As it is now, if someone says they have it, you have no idea if they achieved it from years of hard work, or from a few thousand dollars and a study guide.
    My guess is that the idea is that the 2000 tests are supposed to jettison the bootcamp MCSE's and keep the good ones.
    Personally I dont think that will work as there are too many companies out there making up "practice exams" etc. such that all the bootcampers will just go back for 2000 training and keep getting their cert.

    2: nt 4.0 is EOL. (end of lifed)
    Well I disagree with that too. I'm pretty sure that people will still be running it well into 2002, if just for the fact that it runs relatively stable on lower end systems (aka 1997/8 higher end systems). Not to mention the pricetag of upgrading software.

    Reasons to keep 4.0 tests:
    1: It shows the person has some knowledge of microsoft products.
    Well yes, it does show "some measure" of understanding. However the entry point for that can be significantly low.
    2: Good PR.
    3: Like the man said, not a lot of people will have converted over to 2000 by the cutoff date: 12/31/01 (or 6/30 if you tested on IIS3.0)

    Some notes:
    1: No cert can be made "bootcamp" proof, people go in, smuggle out their questions, post them as braindumps on web sites etc. (no matter how much legalese they have to click on)

    Just a few thoughts
    -- C

  21. Re:ISPs mis-using RBL on Hotmail Implements Spam Filter System · · Score: 1

    Just a small followup:

    The RBL works not only via DNS (which is how sendmail and most mail packages kill it) but it also is available as a BGP4 AS route (the original way it was done).
    If you look at
    http://www.mail-abuse.net/rbl/usage.html#BGP
    it details it.

    -- C

  22. Re:MAPS/ ORBS (DUL/RSS/RBL) on Hotmail Implements Spam Filter System · · Score: 1

    Well if you were really serious,
    Maps offers 3 types of spam reduction

    1: RBL (based upon net numbers of known spammers)
    2: DUL (Dial up pools of users cannot send mail directly to your SMTP server. Instead they should send it through their ISP's smtp server and it will send it along.)
    3: RSS (Similar to ORBS, in that it restricts open relays, but an entry in the RSS is because someone received relay spam from your domain and referred you to the RSS, whereas ORBS, iirc, goes and tries every address out on the net to see if it's an open relay. (This might have changed.))

    A combination of all 3 of these can do wonders.
    RBL: Stops most hardcore spammers who spam directly
    DUL: Stops the dial up trespassers.
    RSS: Stops the people with open relays who won't fix them.

    Anyways most of this is documented on:
    http://www.mail-abuse.net/

    -- C
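    The DNSBL lookup behind the sendmail.mc FEATURE(rbl) lines in comment 19 and the three MAPS lists in comment 22, as an added example that is not part of any of these posts: the IPv4 octets are reversed and queried under each list's zone, and an answer in 127.0.0.0/8 means "listed". The DUL and RSS zones are the ones from the posted sendmail.mc lines; rbl.maps.vix.com is assumed here to be FEATURE(rbl)'s default zone in that sendmail version, and the resolver and its listings are constructed so the code runs offline.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# DUL and RSS zones come from the posted sendmail.mc lines; the RBL zone is
# assumed to be FEATURE(rbl)'s default in sendmail 8.9 (assumption, not on the page).
ZONES: Dict[str, str] = {
    "RBL": "rbl.maps.vix.com",        # addresses of known spammers
    "DUL": "dul.maps.vix.com",        # dial-up pools that should relay via their ISP
    "RSS": "relays.mail-abuse.org",   # open relays reported by relay-spam victims
}

LISTED = ipaddress.IPv4Network("127.0.0.0/8")  # DNSBL "listed" answers live here


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the query name: the IPv4 octets reversed, under the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # raises ValueError on non-IPv4
    return ".".join(reversed(octets)) + "." + zone


def check_sender(ip: str, resolve: Callable[[str], Optional[str]]) -> List[str]:
    """Return the names of the lists that carry ip. resolve(name) gives the A
    record or None for NXDOMAIN; only an answer in 127.0.0.0/8 counts as listed."""
    hits = []
    for list_name, zone in ZONES.items():
        answer = resolve(dnsbl_name(ip, zone))
        if answer is not None and ipaddress.IPv4Address(answer) in LISTED:
            hits.append(list_name)
    return hits


# Constructed stand-in for DNS so the example runs offline: sample entries in
# documentation address space, not real MAPS listings.
CONSTRUCTED_DNS: Dict[str, str] = {
    "1.2.0.192.dul.maps.vix.com": "127.0.0.2",          # a dial-up pool address
    "9.100.51.198.relays.mail-abuse.org": "127.0.0.2",  # an open relay
    "7.113.0.203.rbl.maps.vix.com": "127.0.0.2",        # a known spam source
    "7.113.0.203.dul.maps.vix.com": "127.0.0.2",        # the same host, also in the DUL
}


def constructed_resolve(name: str) -> Optional[str]:
    return CONSTRUCTED_DNS.get(name)


def smtp_decision(ip: str, resolve: Callable[[str], Optional[str]] = constructed_resolve) -> str:
    """What FEATURE(rbl) amounts to at connect time: accept, or reject naming the lists hit."""
    hits = check_sender(ip, resolve)
    return "accept" if not hits else "reject: listed in " + ", ".join(hits)
```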

  23. this is slashdot, right? on ISP Sues Spammer · · Score: 1

    because MSN has already been on the rbl and subsequently taken off. They actually conformed to the RBL!

    I think hotmail had a few quick stints on the RBL as well.
    -- C