If it takes more than a couple of seconds to process normal emails with spamassassin, you are horribly misconfigured.
I recommend you examine some log files (what a concept!) and do some tests of name resolution. The timeouts you describe are typical of a mailserver with a completely b0rked DNS.
You should always run a local name resolver on a mailserver anyway, with query access limited to 127.0.0.1 (loopback) so other hosts cannot use the machine as a nameserver. That way, you can set up dummy zones for various purposes (like, communicating with sites incapable of managing DNS properly).
Check /etc/nsswitch.conf if your machine runs the name service switch (Sun, HP and most modern unix workalikes); check /etc/resolv.conf if your nsswitch specifies "files" for host lookups; and use dig or nslookup to test.
Spam and worms are so commonplace because of the greed and incompetence of the really big ISPs.
I could knock out every nimda and code red on comcast.net in 48 hours using their existing equipment. A little gawk, netcat, and snort and the manual for their switches is all I'd need.
Similarly, the 100+ virii and spam I receive every weekend are mostly coming from AOL. I can detect them with MailScanner and SpamAssassin, using a P-133 computer running linux - I suspect AOL could do it too.
But the big ISPs are the problem. They will NOT cut off a paying customer's access regardless of how obviously the customer is abusing that access - instead, they are tracking down people running private websites and NNTP nodes, because they want to be content providers and they don't like competition.
I get 6-700 worm attacks a week on my cable modem at home - all identified by snort and stopped by iptables. All cable modem addresses are VLANS. The cable company can easily monitor them from a central point, and these are mostly KNOWN, EASILY IDENTIFIED worm spoor.
The big ISPs are the biggest part of the problem because:
#1 - they don't care about quality of service as long as they get their money
#2 - they have regional monopolies
#3 - they refuse to co-ordinate with each other
Solve these problems and the Internet will start working properly again.
Generally, it's considered desirable to have the DNS functional before getting the rest of the site up and running.
But if you can't get that going for some reason or other, just forward all mail from the new mailserver through the old mailserver.
For example, if you are using sendmail, you set up the new mailserver to use the old one as a "smart hub" and explicitly list the new mailserver's address in the old mailserver's access.db as being allowed to relay mail.
I can get more detailed if you want, but only if you use sendmail, because I am an old dinosaur and have never bothered to learn postfix (the only mailer IMnotsoHO that is probably superior).
You can also just play games with MX records... you should always run a local nameserver (accessible from loopback only) on each mailserver anyway, you know - a mailserver pounds the bejabbers out of DNS and consequently should have local DNS caches to reduce network load and mail delivery times.
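The loopback-only caching resolver recommended in the two posts above, written out as a BIND 9 named.conf fragment. This is an added example, not configuration from the original posts; the directory, the zone name and the zone file path are assumptions.

```conf
// Added example: a caching resolver for a single mailserver.
// Only the local host may reach it, so it cannot be used as an
// open resolver by other hosts on the network.
options {
    directory "/var/named";          // assumed working directory

    // Bind only to the loopback addresses.
    listen-on    { 127.0.0.1; };
    listen-on-v6 { ::1; };

    // Answer and recurse only for local processes (the MTA, SpamAssassin).
    allow-query     { localhost; };
    allow-recursion { localhost; };
    recursion yes;
};

// Root hints: the resolver walks the tree itself rather than forwarding.
zone "." {
    type hint;
    file "named.ca";
};

// A "dummy zone" overriding a remote domain whose own DNS is broken.
// The zone file (assumed name) carries the MX/A records you need to
// deliver to them; answers for this name never leave this host.
zone "broken-dns.example" {
    type master;
    file "dummy/broken-dns.example.zone";
};
```

Because the server listens on loopback only, /etc/resolv.conf on the same host should contain just `nameserver 127.0.0.1`.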
First off, you can't put inverse zone records (PTRs) in the same zone files as A and MX records.
Second, the guy stated he has a cable modem, and thus he has no access to the inverse zone files for his IP. The cable ISP does not *want* him to have his own domain name, so they will *not* delegate any of the inverse namespace (which they own) to him. They want to force all his mail through their unreliable, virus-plagued, incompetently administered mailservers and not allow him to run his own.
I recommend you read Cricket Liu's book "DNS and Bind in a Nutshell" before you start giving people DNS advice.
Why not just refuse all messages that come from IP addresses that include the number 68?
I have analyzed the vast body of spam (for Bayes purposes) that has come through my mailservers over the last year or so, and I find that a lot of spam is sourced from IP addresses that include this number.
Sometimes it's x.x.68.x, sometimes it's x.n68.x.x, but that evil little 68 just keeps popping up!
According to my numbers, a greater amount of spam comes from IPs containing 68 or 24 than comes from domains with inconsistent PTRs.
So, using your own logic, I should just ban all IPs with 68 in them, and tell people with legitimate Email needs that they will have to find a new ISP.
To paraphrase a previous poster, "The fact that discarding mail from addresses containing the number 68 significantly reduces spam is reason enough that everyone should do so. I too will have to stop using a bunch of numbers I own but, it is worth the effort to stick to this policy. If you have a 68 in your IP, you can't send me mail!"
Note to moderators: Irony is not the same thing as flamebait...
"If you had bought $1000.00 worth of Nortel stock one year ago, it would now be worth $49.00.
With Enron, you would have $16.50 of the original $1,000.00.
With Worldcom, you would have less than $5.00 left.
If you had bought $1,000.00 worth of Budweiser (the beer, not the stock) one year ago, drank all the beer, then turned in the cans for the 10 cent deposit, you would have $214.00.
Based on the above, my current investment advice is to drink heavily and recycle."
Buy a Japanese laptop so she can easily get service here or there, buy a lightweight one for convenience, buy a powerful one so she won't look like a chump to the Japanese... seems to me that all adds up to a Vaio.
You didn't set a price range, so I'm assuming price is no object. Get her the one with the full size keyboard if she doesn't like those silly little chiclet keys.
They can run linux, too. I saw Patrick running Slackware on one a while back.
I wouldn't piss on most of our current politicians if they were on fire, and neither would most people I know.
Dude, I'd love a legal excuse to pee on any of our current politicians, so please set your choice alight ASAP! I've got a friend with a video camera...
GNU software installation procedures are the least user-friendly of all those I've used. They generally go like this:
Download software.
Search for documentation - find incomplete and poorly written docs that assume too much.
./configure
research and correct 15 badly documented error conditions.
./configure
identify 3 totally undocumented errors.
join project mailing list and post question.
be roundly flamed and referred to FAQ
post references showing errors are not documented in FAQ
be roundly flamed and referred to list archives
search list archives for several days
post again asking for specific references to archives
Acerbic but kindly guru finds comment written in Swahili that is only in the CVS version you can't access, and translates it for you in a private Email.
remove a single character from the configure script
./configure
edit the makefile to correct unwarranted assumptions about file locations, system capabilities, network architecture, etc.
make
correct typos introduced by prior editing (D'OH!)
make
research and correct 7 errors caused by missing libraries (these libraries are normally required only by Welsh Morris dancers, but for some reason your GNU software won't compile without them).
make
research and attempt to correct 3 errors caused by having a different version of gcc than the software authors.
make
give up on correcting the errors and go download the precise version of gcc used by the developers.
make
cheer like nobody's watching, which they aren't because it is five O'clock in the morning.
make install
Congratulations! You have successfully built your GNU software. This amazingly powerful software will now run incredibly smoothly and accurately for unbelievable lengths of time. (Unless it's a 2.4 linux kernel, in which case it'll be obsolete by Monday when the latest remote root exploit comes out, or whenever Linus decides to replace a major subsystem wholesale in the middle of a "stable" kernel series.)
After a few years of living comfortably with your smoothly running, reliable, low maintenance GNU software, you'll break even on the pain and suffering quotient.
I recently configured heartbeat and I've done most of the uber-GNU utilities that don't deign to have man pages (info is so much better, the only way it could be more user friendly is if it required all input in Common Lisp) so it's just barely possible I might have some idea what I'm talking about. On the other claw, I may be stark raving bonkers from too many ./configure;make;make install recursions.
I can only comment on the local area, but this is information I have first-hand knowledge of:
Goodwill Industries wants your old but working computer crap. Check with your local Goodwill organization (the main site can help you with this) to see if they are one of the sites that handles electronic goods and appliances. In Delaware it's the Lea Street facility that takes them.
The State of Delaware will recycle broken electronics for free (sort of mostly free to you, that is - the state's taxes pay for it, but those taxes have not been specifically increased to support this program). You might get harassed by the DNREC Gestapo if you don't have DE plates on your car, though - this service is for citizens of Delaware.
I think we'll see this type of thing get more common in the future. I usually take as much stuff out of the recycling bin as I put in, personally. I do this quite openly in full view of the guard shack.
Everything else is either based on or pretty similar to those two... well, OK, there's also Ethernet's CD/CSMA paradigm.
THREE things, that's THREE things to learn Cardinal Fang! (And a fanatical devotion to the Pope!)
John Slimick's the guy to learn from at Pitt; he used to teach at the Bradford campus in the frozen north. He's an excellent teacher as well as an all-around nice guy.
Did something new happen in the ME/XP/2k versions of windows? I don't use those, but on my win98 and winNT boxes the netbios ports are 137, 138, and 139. Did Microsoft kerberize these services or something?
In /etc/services on all my *nix boxen port 445 is undefined, but IANA says Microsoft does indeed own 445. My samba boxes and NT servers don't show the port live with nmap, though.
The smoothwall firewall SSL administration application runs on 445. That's the only thing I know of offhand that uses it.....
DNS is designed to be an extensible, flexible, distributed, and massively scalable lookup database. It is quite suited to what you propose, and has certainly been used for much lamer ideas already.
I wouldn't use TXT records, though. SRV records might be more appropriate, but people are apparently using SRV for LDAP nowadays so you're probably better off just defining a new type. Use the procedure laid out in the RFCs for designating a new type of "experimental" DNS record, so that everyone will be compatible with you (well, everyone that follows the RFCs, anyway, which might leave out MS and DJB) or figure out how to use one of the obsolete record types.
You can look at some of the other types of records in RFCs 1035, 1183, 1706, 1886, 2672, 2782, and 2874. Most of the important ones (well, other than IPv6 stuff) are in RFC1035.
Incidentally, you're going to get dozens (if not hundreds) of posts here that will say "You shouldn't do that with DNS!". Pretty much any question you ask around here that even mentions DNS will get the same result, so just ignore them. I think these people are a lot more interested in shooting down ideas than in actually testing them, which is the only real way to find out if they will work.
If you write an applications program, you should gain intimate knowledge of the application and the environment in which it will be executed. If you don't, your code will usually suck (but you won't even know it until the users come up the road to the castle waving pitchforks and torches).
By applying that knowledge, a good analyst can potentially abuse the system and gain access to whatever s/he wants or needs.
This assumes the co-operation of the system owners, but even if you are a shady type you could just pose as a janitor and do the deed.
It's a bit different for systems programmers; they aren't constrained by application hardware and stupid management policies to the same degree that apps programmers are. But even with system utilities, it's always possible to get full access with a quick jaunt into single-user mode. For example, in my building, you could just cut power to the building, saunter in to the computer room as everyone else floods out (conveniently opening the doors for you) and re-boot your chosen node on UPS power with a Linux BBC. Create a new root-group or wheel account, reboot and whistle as you walk back out. Knowledge of the operating environment - who is in the server room when, for example - will tell you who needs to get a touch of salmonella in their sandwich twenty minutes before the big event.
The crackers like to say "knowledge is power", but that's not really the crux of the biscuit - knowledge is potential, and how well you can use your knowledge determines the power that you exert. People who write backdoors are either ignorant or insufficiently imaginative.
Your own glowing testimonial is not exactly a balanced review of the real product.
But perhaps people like yourself, who are willing to give the X developers the accolades they so richly deserve, are necessary to counterbalance the people who only see the bad points of X.
There are good and bad things that can be said about X-windows, but I don't think anybody that is paying attention would have anything but praise for the people who have worked so hard to make it as usable as it is.
On the other hand, I can honestly say that Xwindows is the only piece of software that ever caused my monitor to literally catch on fire. Gave me a very strong incentive to RTFM, I must say.
OK, I see that you've got principles behind your statements, and that you are not simply being contrarian. I retract any accusations I might have made to that effect, with apologies.
But I still think your argument is invalid; all the indirect costs you keep bringing up are the costs of overpopulation, not the costs of meat production.
Our ideas of what a healthy population of humans would be are probably quite different; as a meat-eater, I would prefer to be near the top of the food chain. Top predators in a balanced ecosystem should have very low population density, like tigers or bears.
I share your concerns over the unsustainable nature of the western world's agriculture. But, if we're going to deal with true root causes, I would take them back to burgeoning population, the culture of excessive consumption, and an economic system that insists only unlimited, continuous growth can be healthy.
Your evasiveness has become tedious to me. You know perfectly well that the Bush family and their friends are heavily invested in dirty energy, both at home and abroad, and that prior knowledge of US military intentions is to their financial advantage.
I suppose I can simply listen to the Limbaugh hour if I wish to hear any more of your views.
Goodbye, and I thank you for some interesting insights into what passes for reasoned discourse among some Americans.
So no documentation is valid unless it supports your views; a single newspaper article conforming to your expectations is sufficient, but it's clear that the videotape of Saddam conversing with the US ambassador would not be "a fact".
I bet you could support a couple of small central African villages for $300 a year...
"When I was a boy, you could get a Baby Ruth bar for a nickel, and it was as big around as your leg."
and Creatures of Light and Darkness, both by Zelazny and both blurring the boundaries of fantasy and SF.
As authoritatively documented on that red sleeve thingy and, more mundanely, on Access Asia.
Because, that which is not mandated is forbidden, you dirty GNU hippy.
Haven't you been paying ANY attention to Mullah Ashcroft?
Traitorous freethinkers like you will be first up against the wall once Fightin' George Bush completes the Reagan revolution!
I kind of admire Theo, but it's SOOOOOO tempting to call him "Theo the Rat".....
Good work OpenBSD team!
Y'know, like the joke can of peanuts that shoots 10-foot long spring-loaded worms when you open it?
There ought to be some way to make a fake drive that shoots spring-loaded worms at curious children/co-workers/spouses/cleaning staff etc.
Damn, I would have had first post, if Xwindows hadn't crashed again.
The "nutball" remark was purely ad-hominem.
I bid you adieu.