Slashdot Mirror


User: sirket

sirket's activity in the archive.

Stories: 0
Comments: 416

Comments · 416

  1. Re:/dev/null is unacceptable on Slashback: Bouncing, Taxing, Releasing · · Score: 1

    The thing is, the sender was forged. Since the virus scanner knows the message was a virus and correctly identifies it as such, shouldn't it know that the virus uses forged headers? And since it should know the header was forged, it should NOT return the message.

    This would require the anti-virus software to be a lot smarter than it currently is. The antivirus definitions would need to include a flag that says "Always uses forged addresses" and then not return a bounce for those messages. This would make sense and I would like to see it implemented.

    Further, the virus scanner should not send the whole fucking virus back. That's just retarded.


    No antivirus software that I am aware of sends the virus back. All they do is reference the file name and return a bounce. If you know of any software that actually returns the virus then I would have to agree. That is retarded.

    -sirket

  2. Re:/dev/null is unacceptable on Slashback: Bouncing, Taxing, Releasing · · Score: 1


    The possibility of knowing one of them had a virus (presumably that I may not yet be aware of, or I'd have already blocked it), seems a damn good idea to me.


    But this just doesn't work when you have tens of thousands of users.

    Blacklisting seems a far more drastic step to take.

    I do not see it as being drastic. They get an error message which clearly explains why their email is being refused. If the domain is important, then I only blacklist their anti-virus software address.

    Meant to say previously, e-mail is NOT reliable, it should never be counted on, if you need to know someone got a message you need to phone them anyway.

    Amen! I know that. You know that. I wish to hell the corporate world understood that. I can explain why a message was bounced. I can not explain to someone when a message disappears.

    -sirket

  3. Re:/dev/null is unacceptable on Slashback: Bouncing, Taxing, Releasing · · Score: 1

    Sorry, I just don't get what you are trying to say here: 1. Sending mail to dev/null is wrong, because people need to be able to use e-mail. 2. If an admin tries to be helpful (maybe misguidedly), you blacklist them, thus no more mail. This seems to be a contradiction, at least to me.

    What good does notifying postmaster@mydomain.com do about an email virus that is (potentially) on one of my users' computers? Notify my user. If they have a virus or think that they do, they will contact me and I will help them. I am already blocking any of the common email Subject: lines used by the many virus variations going around so chances are it isn't one of my users anyway.

    As for the admin trying to be helpful? Hardly. The admin in this case is not doing _anything_. She has simply checked a box in her anti-virus software that sounded cool. Or perhaps did not uncheck a box because she did not read the directions.

    In the end these sorts of bounces have no positive impact and a huge negative impact. That makes it useless.

    Oh, and btw, usenet rocks.

    Usenet has become a cess-pool. There are still patches of it that are useful, but on the whole, it is not worth the bother any more.

    -sirket

  4. /dev/null is unacceptable on Slashback: Bouncing, Taxing, Releasing · · Score: 5, Insightful

    Email needs to be a reliable communication medium. If a message can not be delivered, it has to be returned to the sender. It is absolutely unacceptable to simply discard a message.

    Want a better idea? Try _blocking_ the message. When I see any executable attachment in a message, my server does not accept the message. It returns a 5xx series message and tells the person to resend it without the attachment. I do the same thing for common virus Subject: lines. The message is rejected with a 5xx error and the user is told to change the subject line.

    Although I agree that bouncing a message with a virus sucks, entirely too many legitimate messages are already bounced for various reasons. If a sender can not be sure an email was received or rejected, then email will become as useless as usenet.

    One thing that should never happen is notifying the postmaster of a domain that a message contained a virus. I get this all the time. Some anti-virus gateway receives a message claiming to be from someone at a domain that I administer. Instead of just bouncing the message, their software also notifies postmaster@mydomain.com to let _ME_ know that my user has a virus.

    The only problem being that the original message was a forgery and has nothing to do with me or my domains. These people take a bad problem (a virus) and make it worse by DOUBLING the number of messages sent. How idiotic is that? Anytime I see one of those messages, I put that person's entire domain in my blacklist and I will not remove it until I am notified that they have stopped such a stupid practice.

    -sirket

  5. Re:Tunnel IM from your work on A Dotcom in a Basement? · · Score: 1

    I set up a socks server on a dedicated linux box I pay $65/mo for (I'm hosting some websites there). I connect to this box via SSH and tunnel port 1080 so I can use all the IMs--AIM, Yahoo, MSN, ICQ. All without The Man being the wiser.

    As a firewall and IDS admin, I can tell you first hand that if your company has decent admins, they probably know what you are doing. There are a number of people in the companies I do work for that do exactly this sort of thing.

    As an admin, I ignore it because if they were able to set it up, they probably know what they are doing. If it became widespread, however, you can be pretty sure I would clamp down on it immediately.

    It is getting to the point that a company is now forced to block _all_ outbound traffic, and to restrict what is accessible via the HTTP proxy.

    -sirket

  6. Re:Stupid System Administrators on What Is The Real Cost of Spam? · · Score: 1

    I can't even begin to comment on this. My point was not that spam comes from misconfigured systems. My point was that in order to be able to receive email from all of the misconfigured systems out there, I can't configure strict checking on my server. This lets the spammers send mail to my systems that I could otherwise block.

    If you do not think there are a TON of completely misconfigured servers out there, then you need help. Try running Postfix with the following configuration:

    smtpd_recipient_restrictions =
        permit_mynetworks,
        warn_if_reject, reject_unauth_pipelining,
        reject_unauth_destination,
        warn_if_reject, reject_invalid_hostname,
        warn_if_reject, reject_non_fqdn_hostname,
        warn_if_reject, reject_unknown_hostname,
        warn_if_reject, reject_unknown_client,
        warn_if_reject, reject_non_fqdn_sender,
        warn_if_reject, reject_non_fqdn_recipient,
        warn_if_reject, reject_unknown_sender_domain,
        warn_if_reject, reject_unknown_recipient_domain,
        permit

    Then look at your logs and see just how much email you would miss if you required people to have a correctly configured system. (warn_if_reject will not reject email, just add an entry in your log file telling you that it would have been rejected.)

    Some of these options only affect spammers, but a number of them also affect legitimate servers that are just poorly administrated. If you do not believe me you either have never looked at your logs, or you have never run an email server for a large site.


    Your rant dates back to the mid 1990's, you really need to keep up with the problems on the internet today.


    I wasn't even running a mail server in the mid 90's so I do not know how to address this comment. Perhaps asking you to take your trolling elsewhere would be a good start.

    -sirket
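The log review suggested in the comment above, as an added example (not part of the original comment and not a Postfix tool): it tallies `reject_warning` lines by what was refused and why, and counts the distinct messages that strict checking would have turned away. The log lines are constructed in the style Postfix's smtpd writes, with invented hosts and documentation-range addresses; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample log (invented hosts, documentation-range addresses).
SAMPLE_LOG = """\
Jun  3 10:15:01 mx1 postfix/smtpd[2101]: connect from unknown[192.0.2.10]
Jun  3 10:15:02 mx1 postfix/smtpd[2101]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.10]: 450 4.7.1 Client host rejected: cannot find your hostname, [192.0.2.10]; from=<news@example.org> to=<bob@example.net> proto=ESMTP helo=<localhost>
Jun  3 10:15:02 mx1 postfix/smtpd[2101]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.10]: 450 4.7.1 <localhost>: Helo command rejected: need fully-qualified hostname; from=<news@example.org> to=<bob@example.net> proto=ESMTP helo=<localhost>
Jun  3 10:16:12 mx1 postfix/smtpd[2104]: NOQUEUE: reject_warning: RCPT from mail.example.com[198.51.100.20]: 450 4.7.1 <EXCHANGE01>: Helo command rejected: need fully-qualified hostname; from=<alice@example.com> to=<bob@example.net> proto=ESMTP helo=<EXCHANGE01>
Jun  3 10:17:40 mx1 postfix/smtpd[2107]: NOQUEUE: reject_warning: RCPT from unknown[203.0.113.5]: 450 4.1.8 <offer@no-such-domain.invalid>: Sender address rejected: Domain not found; from=<offer@no-such-domain.invalid> to=<bob@example.net> proto=SMTP helo=<203.0.113.5>
Jun  3 10:18:03 mx1 postfix/smtpd[2109]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <carol@elsewhere.example>: Relay access denied; from=<offer@no-such-domain.invalid> to=<carol@elsewhere.example> proto=SMTP helo=<203.0.113.5>
"""

# Matches only warn_if_reject output; the enhanced status code (4.7.1) is
# optional because older Postfix releases log the three-digit code alone.
WARN_RE = re.compile(
    r"reject_warning: \S+ from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"\d{3} (?:\d\.\d+\.\d+ )?(?:<[^>]*>: )?"
    r"(?P<what>[A-Za-z ]+?) rejected: (?P<why>[^;]+);(?P<rest>.*)"
)
FIELD_RE = re.compile(r"(\w+)=<([^>]*)>")


def parse_warnings(log_text):
    """Yield one dict per reject_warning line; all other lines are skipped."""
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(m["rest"]))
        # Drop the trailing ", [ip]" appended to client-host rejections.
        why = re.sub(r",\s*\[[^\]]*\]$", "", m["why"].strip())
        yield {
            "reason": f"{m['what']}: {why}",
            "ip": m["ip"],
            "sender": fields.get("from", ""),
            "rcpt": fields.get("to", ""),
        }


def summarize(log_text):
    """Return (rows sorted by count, number of distinct messages affected)."""
    hits = defaultdict(list)
    messages = set()
    for w in parse_warnings(log_text):
        hits[w["reason"]].append(w)
        # One message can trip several restrictions; count it once.
        messages.add((w["ip"], w["sender"], w["rcpt"]))
    rows = []
    for reason, ws in hits.items():
        clients = sorted({w["ip"] for w in ws})
        domains = sorted({w["sender"].rpartition("@")[2].lower()
                          for w in ws if "@" in w["sender"]})
        rows.append((reason, len(ws), clients, domains))
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows, len(messages)


if __name__ == "__main__":
    rows, affected = summarize(SAMPLE_LOG)
    for reason, count, clients, domains in rows:
        print(f"{count:3d}  {reason}  clients={clients}  senders={domains}")
    print(f"distinct messages strict checking would have refused: {affected}")
```
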

  7. Re:Stupid System Administrators on What Is The Real Cost of Spam? · · Score: 1

    I either:

    Use authenticated SMTP, POP before SMTP, or just SSH to my shell system and email from there.

    As for running local mail servers on everything, well, that is not how the protocol was meant to be used. You should be relaying mail through a static, well known (In terms of DNS) server.

    If you do not agree, then go and argue with the people who wrote the RFC's. I would suggest Greg Woods. He absolutely loves to argue about this :)

    -sirket

  8. Stupid System Administrators on What Is The Real Cost of Spam? · · Score: 4, Informative

    I have said this before, and I will say it again:

    If people would set up their email servers correctly, I could eliminate 99% of the spam from my systems. Unfortunately, a bunch of administrators seem to feel that they do not actually have to configure their systems correctly. If I want to be able to receive mail from them, then I need to open my server up and allow misconfigured servers to talk to it. Guess who has the majority of (usually intentionally) misconfigured servers. You guessed it, spammers.

    Getting rid of spam is simple. Stop bitching about it and fix your own damned mail server.

    Do you:
    1. Have a postmaster account?
    2. Have an abuse account?
    3. Have reverse DNS?
    4. Have matching forward and reverse DNS?
    5. HELO with your server's Fully Qualified Domain Name (FQDN)?
    6. Use a FQDN at all points during the transaction?
    7. Have an A Record in DNS for those FQDN's?
    8. Have proper MX records?
    9. Use strict RFC821 envelopes?
    10. Reject unauthorized command pipelining?
    11. Reject non-existent sender domains? (joe@doesnotexist.com)
    12. Reject invalid HELO names (Either non-FQDN's, HELO names that do not resolve, HELO names that do not resolve to the IP address of the connection, or hosts that use a numeric HELO without brackets)
    13. Accept email for postmaster@a.b.c.d (Where a.b.c.d is the external address of your email server and e.f.g.h is the internal, non-NAT'd address). Many hosts fail this test (Though this is not something that you, as the receiver, would be checking.)

    Just my two cents.

    -sirket
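The DNS and HELO items of the checklist above (3, 4 and 12), written out as checks a receiving server could apply; this is an added example, not code from the comment or from any mail server. DNS answers come from constructed tables so it runs offline, and the function names and verdict strings are this example's own.

```python
import ipaddress

# Constructed DNS data standing in for live lookups (assumption: offline demo).
A_RECORDS = {"mail.example.org": {"192.0.2.25"},
             "mx.example.com": {"198.51.100.9"}}
PTR_RECORDS = {"192.0.2.25": "mail.example.org",
               "198.51.100.9": "dsl-9.pool.example.com"}  # PTR name has no A


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def check_rdns(client_ip, ptr=PTR_RECORDS, a=A_RECORDS):
    """Items 3-4: a PTR exists and its name resolves back to the same IP."""
    name = ptr.get(client_ip)
    if name is None:
        return "no-ptr"
    if client_ip not in a.get(name.lower(), set()):
        return "forward-reverse-mismatch"
    return "ok"


def check_helo(helo, client_ip, a=A_RECORDS):
    """Item 12: classify the HELO/EHLO argument the client sent."""
    if helo.startswith("[") and helo.endswith("]"):
        literal = helo[1:-1]
        if literal.lower().startswith("ipv6:"):   # form used for IPv6 literals
            literal = literal[5:]
        return "ok" if _is_ip(literal) else "bad-address-literal"
    if _is_ip(helo):
        return "numeric-without-brackets"
    name = helo.lower().rstrip(".")
    if "." not in name:
        return "non-fqdn"
    addrs = a.get(name)
    if not addrs:
        return "does-not-resolve"
    if client_ip not in addrs:
        return "resolves-to-other-ip"
    return "ok"


def audit(sessions):
    """Return (client_ip, helo, rdns verdict, helo verdict) per session."""
    return [(ip, helo, check_rdns(ip), check_helo(helo, ip))
            for ip, helo in sessions]


# Constructed sessions: (connecting IP, HELO argument as sent).
SESSIONS = [
    ("192.0.2.25", "mail.example.org"),
    ("198.51.100.9", "mx.example.com"),
    ("203.0.113.77", "EXCHANGE01"),
    ("203.0.113.77", "203.0.113.77"),
    ("203.0.113.77", "[203.0.113.77]"),
    ("203.0.113.77", "mail.example.org"),
    ("203.0.113.77", "nosuchhost.example.net"),
]

if __name__ == "__main__":
    for row in audit(SESSIONS):
        print(row)
```
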

  9. Re:IPv6: A Protocol of Failure on The Impending IP Crisis · · Score: 1

    When did MAC addresses increase in size from 48 bits to 56 bits?

    -sirket

  10. DeskTop Backgrounds on Graphics Tricks from the Command Line · · Score: 1

    I have a three head desktop and I needed some cool backgrounds. Unfortunately, the desktop is a single large canvas and not three smaller ones. I have a small script that grabs 3 random images from my backgrounds directory (mostly images from Digital Blasphemy) and stitches them together to form a single large background image.

    -sirket

  11. Re:Not a KWhore on Sharp Zaurus SL-5600 PDA Review · · Score: 1, Informative

    ... my interest was peaked.

    What was the author trying to say here? His interest had been rising, he saw this PDA, and now his interest was falling?

    Or, perhaps, did the author mean to say that this new PDA had "piqued" his interest?

    -sirket

  12. Re:Quite on Apple's G5 Speeds Challenged · · Score: 4, Informative

    4 GB is for the OS and application TOGETHER. The stock behaviour on Linux and Windows is to give 2 GB to the OS and 2 GB to the application. You can go as high as 3GB to the application on Linux, but there are some serious warnings against going even that high.

    -sirket

  13. Re:Neuroeconomics... on The New York Times On Neuroeconomics · · Score: 1

    This was the basis of Hari Seldon's PsychoHistory in Isaac Asimov's Foundation.

    -sirket

  14. Re:Screw the Movie... on Extra Scenes in TTT Extended Edition DVD · · Score: 2, Insightful

    Amen!

    Did I like the two movies so far? Yes. Were they Earth shattering? No. I would much rather spend my money on nice copies of the books than on these DVD's. (In fact, I have)

    And while I am inviting the flame-bait moderations:

    Is anyone else as sick to death as I am about hearing how amazing Gollum was, how he should have won an academy award, been knighted by the Queen, been elected supreme ruler of Earth, etc.?

    Was the performance good? Sure. Was it spectacular? Dear god no. Frankly I have no idea what movie these zealots were watching. Seeing some silly CGI hop around the screen and speaking with a lisp that made me want to gag is not my idea of a great performance.

    -sirket

  15. Re:Dance Puppet Dance on Hubbard Asks FreeBSD Hackers To Rename EDOOFUS · · Score: 2, Insightful


    hmm, Can anyone else picture the strings leading from Jordan's fingers to Steve Jobs' fingers. I mean c'mon, does it really matter? It's like asking a friend to build you a bikeshed then bitching because they didn't do a good enough job.


    Frankly most people found it to be a very innocuous request. Jordan never demanded anyone change it, and pointed out that if need be, Apple will maintain the changes themselves. The point was that should people start using this ERRNO outside of the kernel, then programmers will need to maintain two different sets of ERRNO values. Just kinda silly.


    I think that it adds more character to freebsd than a stale, sterilized and bland OS.


    EDOOFUS may add more character, but I think it adds the wrong character. Frankly, it isn't even that funny. Who the hell uses the word doofus anyway?


    Then he has the balls to say that he likes a specific name.
    ...

    Saving some face there Jordan? Good try bud.

    Frankly, if you don't think this is a lot funnier, you need to get a life... or possibly actually sit your ass down and read Hitchhiker's Guide to the Galaxy. Even Wilko Bulte thought this was funny and suggested changing the error number to 42.


    Ohh yeah, One more thing. Fix it yourself lazy ass.


    Jordan has already said he would fix it himself. He was simply trying to avoid future incompatibilities.

    Do us a favor, if you are a FreeBSD user then please consider switching to Linux.

  16. Re:Stupid Administrators on Revising the Internet Email Infrastructure · · Score: 1

    "Required" by what? A few RFCs? Those are, in case you didn't know, "Requests for Comments."

    Is that what RFC stands for? Wow, thanks for telling me!

    They are not rules. There is no enforcing body.

    The Internet itself is the enforcing body. If you want to break the rules that everyone else has agreed to play by, then the rest of us are free to deny services to you. I (along with AOL, Yahoo, Hotmail, and a number of major corporations) have all decided to start enforcing the RFC's. You have two choices: a) Not send us anything or b) get your act together and start playing nicely. Given your post, I suspect you will choose the former.

    Compliance is the thing to do if you want to get along. If you don't care about getting along, the RFCs have no arguments or sanctions to make against you.

    If you don't want to follow the RFC's you might as well invent your own email protocol. In the end, the choice is yours. I'll be sure to submit your domain to rfc-ignorant.org so those of us who play nicely won't have to deal with your email though.

    -sirket

  17. Re:Stupid Administrators on Revising the Internet Email Infrastructure · · Score: 1


    I only partly agree because the MX records are for hosts that receive mail. Not everybody sends and receives from the same hosts, and no, it is not a good idea to create MX records for your senders (even with a low preference) because people will attempt to send mail to them.

    Per RFC 1912, Section 2.5:

    "It is a good idea to give every host an MX record, even if it points to itself!" and: "Put MX records even on hosts that aren't intended to send or receive e-mail."

    The point here is that every host should have an MX record. These records should either point to the host itself, or the mail exchanger for the domain (This is not required though: See RFC 2821, Section 5: "If no MX records are found, but an A RR is found, the A RR is treated as if it was associated with an implicit MX RR, with a preference of 0, pointing to that host.")

    An outbound relay should have an MX record pointing to the mail exchanger for the domain if it does not want to handle its own inbound email.

    Also, to be fair, I never said a host had to have a valid MX record. A host need only have a valid A record and PTR record. The sender domain, however, should have a valid MX record or mail should not be accepted.

    My main complaint, however, is with EHLO and HELO information. Per RFC 2821, Section 3.6:

    "The domain name given in the EHLO command MUST BE either a primary host name (a domain name that resolves to an A RR) or, if the host has no name, an address literal as described in section 4.1.1.1."

    The number of hosts that fail this check is truly remarkable.

    -Sirket

  18. Re:Anonymity, eh? on Revising the Internet Email Infrastructure · · Score: 1


    Perhaps I'm a journalist... and the sender -- a corporate whistleblower, or the person who obtains the next Pentagon Papers, or a Venezuelan revolutionary -- wishes to remain anonymous for fear of reprisal.

    Anonymity doesn't make you a criminal any more than publicity makes you a saint.


    You still have an IP address and a connection time which I can track. Worse, you are using straight SMTP so nothing is encrypted and anyone can read your message.

    If you want anonymity, try using hushmail or other similar service. There you get a secure connection to the provider AND anonymity. In the end, that's a much better deal.

    -sirket

  19. Re:Why on Dynamic /bin support on FreeBSD · · Score: 3, Informative

    The odd thing about FreeBSD is that dynamic libraries have rarely been a show-stopper for me.


    There are two reasons for this:
    • FreeBSD does not screw around with the libraries in between releases.
    • FreeBSD has always supported previous library versions.

    The first point is self explanatory. As for their library mechanisms: The last dozen or so times I have installed Linux, I have had to go on a treasure hunt to find exactly the right version of libc for a given application (Oracle, whatever). With FreeBSD, the old libraries can (and often are) installed and built with the system so you never have to hunt for them. Simply edit /etc/make.conf and include the libraries you need and you are done. Period.

    FreeBSD libraries in make.conf also match the OS release so a 2.2 library is for a 2.2 kernel and program, etc. There is no guessing.

    -sirket

  20. Re:Stupid Administrators - DNS and SMTP on Revising the Internet Email Infrastructure · · Score: 1


    Example: ISP owns the IP and gives you 1 IP for your SMTP server.


    So? Get them to add a PTR record for you. If they won't do it, then you are probably not supposed to be running a server on that account.


    Or if you have multiple switched internet links for redundancy? Link goes down - you switch IP's to route around problem (switch providers)... but you can't force DNS cache to instantly update.


    What the hell does this have to do with anything? All I said is that every IP should have a reverse DNS entry and that your HELO information provide a FQDN which has a valid A record and/or MX record. I never said this had to _match_ the PTR and A records in DNS. Besides which, nobody in their right mind handles HA this way. You run BGP4 and configure real redundancy. Don't know how to run BGP4? Then perhaps you should not be worried about HA.


    Also consider clusters. What if you have 3 machines, which need their own name for hardware management, but they are all acting as a single mail exchange host? Yes, I know about multiple MX records - clustering solves other issues. You can combine clustering + MX records.


    If a cluster has a single IP, then nothing I suggested would pose a problem. If the cluster has unique IP addresses, then each one should correspond to a Unique DNS entry. Period. Please read RFC 1912.


    Bottom line: It costs extra money and time to get your own block of IP Addresses and properly manage DNS. AOL can do it, but so what? Why lock out the small mail servers of the world just because they don't have reverse DNS?!


    First, anyone running a mail server _should_ have a business class account of some sort. With that comes DNS, Reverse DNS, IP blocks, etc. (Hell a lot of non-business class accounts give you these features). The problem is, people who have no business running mail servers do so, and do so poorly. I am absolutely astonished at the kinds of questions people ask on the Postfix and qmail mailing lists. Every time I read one of their posts I am forced to ask myself how these people managed to get connected to the Internet in the first place.


    Mail comes into my USPS mailbox in front of my house. The "FROM:" server does not have to exist to come to the TO: location.


    That this doesn't bother you is a problem. If the sender doesn't exist, why the hell would you accept anything from them?


    Yes, SPAM is a problem, but quit blaming protocols and technology when the issue is the small percentage of e-mail users who are _sending_ the spam.


    If you read my post you would notice I never blamed the protocols. What I blame are the plethora of inexperienced or downright incompetent administrators out there.

    -sirket

  21. Stupid Administrators on Revising the Internet Email Infrastructure · · Score: 3, Insightful

    -Begin Rant-

    The problem with spam is simple: the old rule that we should be forgiving about what we accept and strict about what we send.

    We could wipe spam out, or at least render it controllable, if we simply required proper DNS entries (A, MX, PTR) and proper server configuration (HELO information, etc.)

    Unfortunately, every Tom, Dick and Harry feels it is his god-given right to run a mail server despite having ABSOLUTELY NO IDEA what is required to run one. The sheer number of people without postmaster and abuse accounts is astonishing and both are required. The sheer number of people without matching forward and reverse DNS entries is astonishing. The number of people who call their server "Blah" and then put in a DNS entry for "mail" without an entry for "Blah" is amazing. Although this last part is not required by the RFC's, why on earth should I have to look through my logs and see "Blah" when there is no DNS entry for it? How am I supposed to troubleshoot?

    Oh well, I give up.

    -End Rant-

  22. Re:OpenBSD on String Cleanup Results On OpenBSD · · Score: 1

    This is like asking why Chevy didn't recall a car that blew up even though they didn't know about the problem ahead of time.

    Security is a constantly moving target (Format string vulnerabilities are very new on the scene for example). The string functions that were replaced did not have holes, they were replaced because they wanted to avoid even the possibility of a vulnerability and because they wanted to clear all standard string operations out to make searching for possible future vulnerabilities easier and faster.

    As for pf... More has been accomplished by pf in the last few months than has been accomplished by ipf since it came out. pf is even implementing state synchronization. I've been waiting for this in ipf for a long time. pf is not perfect, but neither is ipf.

    -sirket

  23. Re:yeah, but you got to hit the missles early on Dawn of the Airborne Laser · · Score: 1

    The purpose of the ABL is not just to hit the missile but to actually hit the warhead also.

    Mounting it on a 747 gives you several advantages. First you can attack the warheads sooner. This means you can have a secondary system besides the 747 to protect you. Second, the higher you are, the less the atmosphere will interfere with the laser. This includes both focus problems (blooming) and dissipation problems. You need less power than an equivalent ground based laser and you need simpler adaptive optics.

    -sirket

  24. Re:"The Linux" on Open Code Has Fewer Bugs · · Score: 1

    The article didn't even say HPUX. They mentioned HP's AIX. This article has so many grammatical and technical errors it was not worth reading.

    -sirket

  25. Re:Tell it to the artists themselves on Don't Sever A High-Tech Lifeline for Musicians · · Score: 1

    I don't help myself to it for free. I specifically said that in my post and if you had read it, you might realize that.

    At this point, I simply don't listen to much music. I listen to a few college radio stations and some of the cd's I bought a long time ago but that is it.

    -sirket