So you don't consider joe-jobs to be a bad thing that already makes e-mail troublesome?
What about someone's PC that's infected with an e-mail worm that's able to spread because it can claim to be anybody?
This makes e-mail better, because:
- it's an opt-in system
- it's up to the destination mail server to decide what to do with the reverse MX information
- it provides some level of assurance that e-mail from a given domain is actually from that domain
- it eliminates the ability (unless they hack my outbound mail servers) of someone pulling a joe-job on my company and getting me sued as a spammer
ISPs will get with the program in order to keep their customers' business.
The interesting thing about reverse MX proposals is that not everyone has to follow the rules... however, as time goes on and more and more domains are following the rules... the remaining domains will find it more difficult to get their e-mail accepted by the destination domains.
Initially, destination domains will just use reverse MX information as one additional scoring criterion for their spam filters.
While this won't solve the spam issue... it does indeed slow spammers down. Mostly because it takes 24-72 hours for domain changes to propagate. It won't stop the bright ones who think ahead and have domains already queued up...
However... it makes it more likely that they'll have to use their own domain name in the source address... because they'll need control of the reverse MX records... which makes more of a paper trail to follow.
The odds? Pretty good... due to peer pressure by the larger domains saying - we will bounce any e-mails from domains without reverse MX policies.
Once you get 10-20% market penetration, I predict we'll see a quick uptake in the number of domains with reverse MX settings.
The beauty of the reverse MX idea (which is so simple that it's hard to believe it wasn't in there from the start) is that it's merely additional information that the destination can use. What they choose to do with that information is up to the destination. Initially, most domains will just use it as an additional score value for their spam filters.
A few options:
1) use the ISP's outbound SMTP server that you are currently connected to, and change your Reply-To address to be your personal address
2) authenticate with a "home" SMTP server via SSH/SSL or by VPN'ing into a controlled network
ISPs are not dense... they will come up with a solution in order to keep your business when reverse MX systems come online.
Alternatively, you can configure your domain's reverse MX policies to be "loosey-goosey" and not care what the origin IP address is. Downsides are:
- too loose and bigger domains may choose to reject your e-mail (much like they reject any e-mail from dynamic IP address ranges)
- anyone can spoof or joe-job you (just like now)
It just means that you won't be able to send e-mail from your IP address claiming to be from the ISP's domain. ISPs have already begun to block port 25 outbound from dynamic IP ranges, and a lot of destination domains won't accept e-mail from dynamic IP addresses.
The authorized sender works by answering 2 questions when e-mail is delivered to a destination SMTP server.
1. Does this domain have a reverse MX policy/record?
2. Is the IP address of the SMTP server that is attempting to send e-mail for this domain listed in the reverse MX listing?
At that point, the destination SMTP server can decide whether to reject / drop / accept the e-mail. Entirely up to the destination server's admin as to how strict they wish to be, and the source domains are allowed to be as strict/loose with the IP range allowed to send e-mail on behalf of their domains.
Now, the key benefits are:
- "joe jobs" become much more complicated to pull off, unless you hack your way into the target's mail server. (Which has the side effect of making it easier to secure and/or detect the intrusion because you only have to watch your outbound mail servers.)
- worms/viruses that spread via e-mail where the virus uses a built-in SMTP engine won't propagate because the destination SMTP servers will drop the e-mails because they don't come from authorized IPs for the purported "from" domains
- outbound e-mail for a domain can be funneled through official servers, providing a central point where corporate policy can be enforced (making sure all outbound e-mail is encrypted in a health/banking company, scanning outbound mail to eliminate viruses/worms)
The e-mail worms from this summer would have been almost non-events if it wasn't possible for ANY IP address to send e-mail claiming to be from ANY domain, with no way of the destination to check the veracity.
Everyone mentions this as an objection... which basically is saying "I don't want my e-mail domain to be spoofed, but I'm not willing to give up the ability to spoof my e-mail domain".
Our company solves the issue of people on the road by forcing them to VPN in before they can send outbound mail through our mail servers. Or, they can do the Reply-To thing.
Other solutions include using SSH/SSL to authenticate with your domain's outbound mail server over the internet. Or just configuring your domain to be "loose" (either no reverse MX settings, or a large range of IP addresses allowed).
One of the good things about reverse MX proposals is that it puts the control into the hands of the mail administrator to set things as draconian or as hippy as they wish.
The Goon Show from the 1950s (radio) did a similar riff... a Great International Christmas Pudding.
They used dry docks, bombers and long range field guns to deliver various ingredients and navy ships to stir the mixture. All being described to the audience as a reporter is interviewing the military person in charge.
A bit of the joy of listening to the Goon Show, however, is trying to keep track of just how many characters Peter Sellers plays.
1.4Mb? I remember when you bought single-sided floppies, punched a hole on the other side and flipped them over.
The form factor may not matter too much as long as the blueray DVDs fit into standard sized CD-ROM storage units (you know, the ones with slots?).
If the size is large enough and the $/Gb low enough, I think BlueRay will do fine and people will learn to adapt to having media inside of cartridges again.
One recommendation for the future is to make use of the PAR/PAR2 utilities. (I personally use QuickPAR v0.7)
Basically, you create 'parity' files that you store on the DVD/CD along with the source files. Then, if any of the source files become corrupted, QuickPAR should be able to reconstruct the broken bits.
The amount of redundancy is up to you... 10% is normal, 20% might be worthwhile. (So to store 4Gb with 10% redundancy, you'll need 4.4Gb of space.)
MSDN requires that you re-license every year.
And I want to know *where* you're able to purchase MSDN Universal for $1k (and in what quantity).
Therein lies one of the rubs...
Everyone complains about domain spoofing... but nobody wants to give up the ability to spoof.
And the better online games provide tools for the community to police themselves with.
And these tools don't even have to be tools per se... they can be something as simple as needing to depend on another player to get from point A to B quickly.
Other games attempt to depend on a police force of some sort... and there's never a cop around when you need one.
Reverse-DNS proposals will make it more difficult to spoof domain names. (SMTP servers will be able to check that a given IP address is authorized to send e-mail on behalf of a particular domain.)
Once domain spoofing is taken care of, you can take steps to lock down your authorized outbound SMTP servers to verify senders if you wish.
Reverse-DNS proposals have the nice feature that it distributes the responsibility. Good netizens can protect their domains from being joe-job'd as well as deciding just how authoritarian they wish to be about controlling which machines are allowed to send e-mail on behalf of their domain.
The central idea behind reverse-DNS/MX proposals is to answer the following 2 questions:
1. Does a particular domain have a list of authorized IP addresses that are allowed to send out e-mail on behalf of the domain?
2. Is the IP address of the mail server that is attempting to talk to me on that authorized list?
The devil is, of course, in the details/implementation. (Can we do it without breaking older versions of BIND? What attacks is it susceptible to?)
Here are the (4) proposals that I know about (since I just went looking yesterday):
RMX proposal - No news on Mike Rubel's page since June 2003. Not much on the official home page either. The last published draft is June 2003.
DMP - Last IETF draft published Aug 2003 and expires at the end of Sep 2003. However, version 5 of the document has not yet been posted and the author(s) do not seem to have a central site to check for news.
DRIP - Last draft was published July 2003, expires Dec 2003. I don't see anywhere a central home page to check for news.
SMTP+SPF - Last update was mid-July 2003. I'm not sure if there is an IETF draft being floated or not.
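The two-question check described in this comment (and in the earlier comment on how the authorized-sender check works), as an added example in Python that is not code from any of the four proposals. The record table, domain names and IP addresses are constructed stand-ins for a DNS lookup, and the strictness levels are my own labels for the score-it-versus-reject-it choices the comments leave to the destination admin.

```python
"""Toy model of the "reverse MX" / authorized-sender check.

For one inbound SMTP connection it answers the two questions posed above:
  1. Does the purported sender domain publish a list of authorized IPs?
  2. Is the connecting SMTP server's IP on that list?
and then applies whatever strictness the destination admin has chosen.
"""
import ipaddress
from enum import Enum

# Constructed stand-in for the records a domain would publish in DNS.
# Absent domain  -> no policy at all (question 1 answered "no").
# Empty list     -> "nobody sends mail for me".
# 0.0.0.0/0      -> the "loosey-goosey" option from the comments.
AUTHORIZED_SENDERS = {
    "example-corp.test": ["192.0.2.10", "192.0.2.11"],  # official outbound relays
    "loose-domain.test": ["0.0.0.0/0"],                  # any origin IP accepted
    "no-mail.test": [],                                  # domain never sends mail
}


class Verdict(Enum):
    NO_POLICY = "no_policy"            # question 1: no record published
    AUTHORIZED = "authorized"          # question 2: yes
    NOT_AUTHORIZED = "not_authorized"  # question 2: no


def check_sender(domain, client_ip, records=AUTHORIZED_SENDERS):
    """Answer the two questions for one connection; returns a Verdict."""
    networks = records.get(domain.lower())
    if networks is None:
        return Verdict.NO_POLICY
    ip = ipaddress.ip_address(client_ip)
    for net in networks:
        # strict=False tolerates host bits in a published range like 192.0.2.10/24
        if ip in ipaddress.ip_network(net, strict=False):
            return Verdict.AUTHORIZED
    return Verdict.NOT_AUTHORIZED


class Strictness(Enum):
    SCORE_ONLY = "score_only"                  # early adopters: feed the spam filter only
    REJECT_FORGED = "reject_forged"            # reject mail that fails a published policy
    REJECT_UNPUBLISHED = "reject_unpublished"  # also bounce domains with no policy at all


def decide(verdict, strictness):
    """Return (action, spam_score_delta) for the destination admin's chosen strictness.

    action is 'accept' or 'reject'; spam_score_delta is the extra weight the
    destination adds to its spam-filter score when it accepts anyway.
    """
    if verdict is Verdict.AUTHORIZED:
        return ("accept", 0.0)
    if verdict is Verdict.NOT_AUTHORIZED:
        if strictness is Strictness.SCORE_ONLY:
            return ("accept", 5.0)  # strong hint of forgery, but the filter decides
        return ("reject", 0.0)
    # Verdict.NO_POLICY: nothing to verify either way
    if strictness is Strictness.REJECT_UNPUBLISHED:
        return ("reject", 0.0)
    return ("accept", 1.0)  # mild penalty for an unverifiable domain


if __name__ == "__main__":
    # A worm's built-in SMTP engine on an infected PC (constructed dial-up address)
    # claiming to be example-corp.test: not on the list, so a strict destination rejects.
    v = check_sender("example-corp.test", "198.51.100.77")
    print(v.value, decide(v, Strictness.REJECT_FORGED))
```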
Or to put it another way... how good are you at continuous-learning?
One of the tricks that I've always tried to pass on to colleagues who wonder how I come up with answers so quick is... take a moment and chase the rabbit trails when you're on a hunt for information.
When I'm researching a topic (e.g. delving into MS's Knowledge Base or MSDN Library) I might end up with a stack of 30 documents sitting on my desk (or bookmarked). Roughly a quarter to a third of those documents will have little bearing on the problem at hand, yet it's worth my time to quickly skim the contents anyway. As a result, I'll come away from the search with not only the answer for the immediate problem, but a bunch of background information in possibly unrelated areas that will probably prove useful down the road when a different issue comes up.
Same reason that I read /. and a raft of other sources... more info to simmer at the back of my mind until I find it necessary to become more of an expert in a particular subject. It's a heck of a lot easier doing research when you have some inkling of the subject matter than trying to dig into Google at random.
OTOH, sitting around and debating an issue off-line counts as social interaction. Heck, it may even count as intelligent social interaction depending on the topic. In fact, the whole point of the exercise may not even be to get at the truth but to merely socialize.
Is the .SXW file the one that is actually a compressed file containing the bits and pieces that make up the document? If so, a 2x savings may just be because the result is a compressed file.
I vaguely remember that the native OOo file format is a compressed archive, but I don't remember if it's a ZIP file or not.
And if it is a compressed file... something tells me that it's going to be more difficult to do full text searches unless your search tool knows how to open up the OOo files.
Or any of the other (3) proposals that I know about...
Last I heard (a month ago?), all of these (4) proposals are still in draft status... which means that if we're really lucky, we might see them implemented in 2005?
Personally, I'm hoping that postfix, sendmail, etc. will build in support for one of the proposals prior to it becoming official.
Another thing going on now is that much spam is contained entirely within an image.
Does that mean that it's an HTML e-mail, serving up an image from a web server somewhere? (Making it easy to trace back?)
Agreed, Bayesian filtering is but one tool in the arsenal. (Personally, I have a dozen or so whitelist rules that run on the client prior to putting the rest of the e-mail through a Bayesian filter... The whitelist rules are around 95% accurate, which reduces the amount of work that the Bayesian has to do. If it gets to the Bayesian filter, it's 95% positive that it's spam.)
However, we really need to get some sort of reverse DNS system into production so that whitelist rules are more dependable.
This has also/already been done with live TV... the specific instance that I can recall is the New Year's Eve bash in Times Square, NYC. There was an ad behind Dick Clark (whose studio overlooked Times Square) which was digitally replaced by the network.
NBC Upset About CBS's Digital Ethics
TV? What's that? Oh you mean that low-res, low-refresh dusty device sitting over in the corner?
About half a decade ago, I cancelled my CableTV since I was working 60+ hour weeks and spending the rest of my time doing anything but watching TV. (Why pay $30/mo for something that I wasn't watching more than a few hours per month?) It doesn't take long before you realize you don't miss it, and there are other things to do with your spare time. Now, the only TV that I see is when I'm away on a business trip (usually watch Discovery or History Channel) or if I'm over at friends' houses.
I've debated hooking cable TV back up... but I'd use a PVR system and want to be able to dump favorite episodes off to DVD.
I'm going to guess that you're talking about Marooned (1969).
Right time period, but I've never seen the movie (and I didn't come up with any other matches).