Still more effective is to check that the remote obeys the sequencing specified in the SMTP protocol, i.e. it does not send commands before it has received the welcome message, especially when this welcome message consists of multiple lines with continuation markers. Most SPAM mailers fail this test.
I would prefer a backup solution that is not as naive as "keep a copy on a second drive, that should be fine".
Of course my disks are mirrored (RAID-1) so a disk failure will not immediately have me lose my files. But the filesystem can fail as well, or I could accidentally delete files I wanted to keep. In that case RAID-1 does nothing.
So, I want to keep backups. Preferably more than one, so it won't be a disaster when I discover that I deleted the files AFTER I made the next backup.
Of course I can keep multiple copies on several external disks, but I already have 1 TB of disk space right now, and it is not very practical. With tape drives you at least have a separate medium.
IDE... well, you may be satisfied but I do not really like it. In the old days I used SCSI (still have a controller for my tape), but when IDE drives became larger and cheaper all the time, of course I switched. But it is so bad when looking at scaling issues... you need more controller boards all the time, not to mention the limited cable length that becomes a real problem when using many disks.
The capacity gap between affordable hard disk storage and affordable backup solutions is ever increasing :-(
By now, the only practical way to back up a hard disk is to another hard disk. Of course, one can use an external (USB, FireWire or SATA) disk and store it offsite, but it would be nice if some high-capacity optical or tape solution appeared.
HD-DVD and Blu-ray do not cut it. Who wants to back up his disk to 25 DVDs? What we need is something that stores at least 250 GB, preferably 1 TB or more. Only the highest-end SDLT drives come close, and those are not really within the average user's budget.
... said the guy who pre-registered 5 domains and then supposedly tried to register at least 10...
In the early days, in .nl any company could register at most ONE domain name. ONE. That was a clear rule. Once that was weakened to "ok, a second or third is okay too, but only when those are tradenames of that same company" the big mess started.
(there is still the distinction between "first domain" and "next domain" in the .nl WHOIS server)
But what if the supposedly wise guy that had decided not to install the patch because it might break something gets bitten by an attack because the patch wasn't installed? In hindsight it is always easy to say "you should not have installed the patch without 3 months of testing you dumbo", but in practice you can hardly test the full functionality of a system before deciding that a patch is OK to release. See the article about breaking Word 2002 on this page. Who would guarantee that this would be found, maybe the tester does not use Word or did not test to save a document.
What we have is an unattended install (NOT using images, but a scripted install of Windows and all user applications) that builds the system from zero. All hotfixes are applied during this install, and also during normal logon processing. When a hotfix turns out to break something irreversibly, we can always remove it from the hotfix directory and re-install all systems that already logged in before it was discovered. This brings everything to a known working state. I don't want to think about the headaches it would give to keep all kinds of images up to date, and all the backup space for keeping all previous versions of those images....
This doesn't really matter. End-users do not read popup messages anyway, because they have developed a semiconscious habit of clicking away any dialog that only has an OK button. Small wonder, because those appear for so many reasons that one cannot afford to spend the time to learn about all of them.
What an OS should do is to present the "Something bad happened" to the user, and log the real error in the system log with enough detail for the techie to analyze it. This is being done in Windows, but not to the extent one would like to see.
Maybe you need to read the article and study the protocol before you post comments?
The article showed the complained-about downstream bandwidth use. That is the topic, and saying it does not matter is beside the point. Also, NTP can return disclaimers and use policies in unauthenticated messages. So that claim is invalid as well.
Note that D-Link only needs to change their firmware because it was badly designed in the first place. His open letter discusses this. They should have used a DNS name like ntp.dlink.com to resolve the addresses of NTP servers to use, and the whole problem could be fixed in a minute.
The server owner is not responsible for the firmware design. He does not ask D-Link to change the firmware, he asks them to stop using his server. That this means the firmware has to be changed, is D-Link's fault.
people select time servers to get the time, and they'll stop requesting it if they don't get it (or get the wrong one).
Wrong. In practice, people configure some service or in the D-Link case get a default configuration out of the box, and they don't bother to monitor the system. I can find no other explanation for systems like 4.79.17.248 sending about a million queries to my NTP server and not noticing they get no reply.
Geez, software is buggy. Imagine that.
Not buggy. ABUSIVE. Software should be written complying with the specs, which state the intervals at which requests should be sent. Undercutting these intervals is not buggy, it is abuse. Just like setting up a webserver DDoS network is abuse, not exploiting a bug in TCP or HTTP.
if you can't make it work with the NTP protocol, then the NTP protocol needs to be fixed
This is not an issue in NTP. With any protocol that serves you a reply in answer to a question, there is a finite overhead in terms of bandwidth and CPU usage. The protocol is fine, but abusers do not respect the interval between requests. That does not bring it to its knees, it just makes it use more resources than wanted.
It would require a pretty dumb court to get the ruling that he needs to pay damages to D-Link for feeding them incorrect information from a server they are willfully abusing. Maybe it could happen in the USA, but I don't think this would happen in more reasonable countries like Denmark.
There is no point in doing this. You can use authentication with an NTP request, but it only increases the load. Unauthenticated requests will keep coming in, and the only thing you can do is not reply to them. That won't cut your downstream bandwidth use.
I am running a server in the NTP pool mentioned in other replies. I don't mind providing this service for free, but why is it that some people have to abuse it by sending a request every second, every four seconds, or every fourteen seconds??? (common values encountered, apparently defaults of some extremely broken clients)
I have set a rate limit at 15 seconds per request, but the only thing it can do is ignore the request. Some losers never notice they aren't being served and keep polling me forever.
All in all, as an NTP server there is little you can do to fight abuse. There is no way to contact abusers, and no way to completely undo the damage.
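The rate limit and the abuse pattern described in this comment, as an added example that is not code from the original post or from any NTP pool software. It drops a source's requests for 15 seconds after each answered one, and it finds the 1-, 4- and 14-second pollers in a request log by their typical inter-arrival time. The traffic, the documentation-range addresses and the 48-byte packet size used for the byte totals are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

NTP_PACKET_BYTES = 48   # an NTP request or reply without extension fields (assumption)
MIN_INTERVAL = 15.0     # seconds; the rate limit mentioned in the post


class NtpRateLimiter:
    """Answer each source at most once per min_interval; drop the rest silently.

    Dropping is the only tool available: the request has already crossed the
    link by the time it is seen, so only the reply traffic can be saved.
    """

    def __init__(self, min_interval=MIN_INTERVAL):
        self.min_interval = min_interval
        self.last_answered = {}

    def should_answer(self, src, now):
        last = self.last_answered.get(src)
        if last is not None and now - last < self.min_interval:
            return False
        self.last_answered[src] = now
        return True


def analyse(events, limiter):
    """Feed (timestamp, source) events through the limiter.

    Returns a per-source report with the typical inter-arrival time (median of
    the gaps) and an 'abusive' flag, plus inbound/outbound byte totals.
    """
    times = defaultdict(list)
    answered = defaultdict(int)
    for t, src in events:
        times[src].append(t)
        if limiter.should_answer(src, t):
            answered[src] += 1
    report = {}
    for src, ts in times.items():
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        typical = median(gaps) if gaps else None
        report[src] = {
            "requests": len(ts),
            "answered": answered[src],
            "typical_interval": typical,
            "abusive": typical is not None and typical < limiter.min_interval,
        }
    inbound = len(events) * NTP_PACKET_BYTES
    outbound = sum(answered.values()) * NTP_PACKET_BYTES
    return report, inbound, outbound


def constructed_events(window=600):
    """Ten minutes of constructed traffic: three broken clients polling every
    1, 4 and 14 s, and one sane client polling every 64 s. The addresses are
    from the documentation ranges and stand for no real host."""
    events = []
    for src, interval in [("192.0.2.10", 1), ("192.0.2.11", 4),
                          ("198.51.100.7", 14), ("203.0.113.5", 64)]:
        events.extend((float(t), src) for t in range(0, window, interval))
    events.sort()
    return events


if __name__ == "__main__":
    rep, inb, outb = analyse(constructed_events(), NtpRateLimiter())
    for src, row in rep.items():
        print(src, row)
    print("inbound bytes", inb, "outbound bytes", outb)
```

Running it shows the asymmetry the comment complains about: the limiter cuts the reply bytes to a fraction, but every request still has to be received, so the inbound total does not change at all.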
Re: Gmail is constantly blacklisted (on Gmail vs Pine)
we don't blacklist gmail, don't know why anyone would
Possible reason: when one sends a spam or other abuse complaint to abuse at gmail.com, an autoreply is returned that tells you to jump through their webform hoops to submit a complaint. The form requires you to split your complaint into headers, subject header, body etc.
IMHO this is an unreasonable way to handle complaints. A plain text message giving a complaint reason and the full headers+body of the offending message should be accepted and handled at abuse at gmail.com. I can understand why people put gmail on "rfc ignorant" blocklists and similar, for this.
That really isn't a better system... it is the same here. The problem is that the rule is not only that the left lane is for passing only, but also that it is prohibited to pass on the right-hand side.
When you pass someone on the right-hand side you get ticketed for that. The person driving left does (usually) NOT get a ticket for driving left unnecessarily. This only happens when he drives left without anyone nearby. Apparently the passing on the right is seen as a worse offense than the driving on the left.
There is nothing wrong with passing on the right-hand side, except that it is prohibited. Because it is, people pay less attention when going from the left to the right lane, and don't expect someone passing them there. And thus passing on the right-hand side is deemed dangerous, and is prohibited. That is a circular argumentation. Scrapping this rule would probably improve traffic flow.
You are right. Where I work, we do this as well. In fact I prefer this mechanism over the typical "disk imaging" because it is so much easier to maintain. Updates to applications can simply be placed in the directory tree instead of having to update who-knows-how-many images (we replace systems as time goes by, not in one large chunk, so there are always at least 5 different types of system in use. and not all systems have the same set of applications installed).
Restoring a system is a simple operation. Boot from network, select re-install, answer about 3 questions, and from there it proceeds unattended until the system has been completely installed, at which time it will be turned off.
However as has been demonstrated over and over there are still gaping holes in Windows via IE, Outlook, etc that do not require a person to be logged in as administrator for a machine to become infected with a wide range of nasties.
Sure? Do you have a list of recently found "gaping holes" that do not require administrator privileges? When I read the notices that come with hotfixes, or descriptions of viruses, they invariably talk about things that only an administrator can do on a well configured system (like writing somewhere in %windir% or %ProgramFiles%, setting some key in HKEY_LOCAL_MACHINE, etc)
The current breed of viruses is not interested in damaging data or harming the system. That is (for now) something of the past. Viruses want to take control of the system to use it for spamming or hacking. Any modifications that are potentially detected by the user will increase the risk that the system gets repaired and is lost for this job.
So, as long as there is no new objective for virus authors (something that makes as much money as spamming and phishing) there will be no damage done to user files.
Terrorism is usually an act by groups that don't have the "usual" military mechanisms of destruction at their service. Large countries with a well equipped army just send out stealth bombers and intelligent missiles, and this usually is not termed "terrorism". Religious groups and small countries being invaded and suppressed by larger powers use terrorism as a method of scaring their opponents.
In the past decades we have seen one country occupying neighboring countries' terrain and getting security council resolutions against it to which they never comply and still they get moral and factual support. Another country does a similar thing and immediately a coalition force fights a war against them and proclaims that their leaders have to be captured and imprisoned. Small wonder that the victims in both these situations decide that it is time to act against it.
The coalition / the USA should either have invaded Israel long ago and set its borders, or they should have stayed out of Iraq and Afghanistan. Then we would have much less trouble today. (maybe there would have been a situation in Afghanistan and Iraq that we as outside observers would consider to be dictatorial, but the inhabitants of those countries might have a different viewpoint and it is not our task to give them a democracy they don't want)
the terrorists have won, they have fundamentally changed our societies
It has amazed me for a long time that major politicians fail to see this, or at least act as if they do so. 5 years ago, all "free western country" politicians were telling you that freedom was the highest goal in life, that communism was lack of freedom and so it was bad, that totalitarian governments were evil, etc. They were also claiming they would never negotiate with - or give in to terrorists because that would mean the end of this sacred freedom.
And now, they are taking away all freedom at will to "combat" a problem that is mostly caused by their own behaviour. Freedom suddenly is worth nothing, now "security" is the buzzword. All other priorities and values have to give way to this.
Wouldn't it be better to look at the reasons for terrorism and do something about that, than to always try to "fight a war" against it? Terrorism is a byproduct of fighting wars against defenseless minority groups, and so fighting a war against terrorism is completely counter-productive.
They are lucky that there are so many vulnerabilities in IE that they need to release a patch every 1-2 months... without that, users could easily choose not to update.
Even then, they will have to be very careful. With some coverage in the general media, a lot of users could decide that it is better to disable Windows Update than to find their applications being crippled because of pointless quarrels in court.
You must be new on the block. There have been times that sendmail was the most insecure application on the Unix system! It had to run suid root and accepted data from many sources. It also had lots of extensibility that resulted in calls to external programs.
At some point, critical bugs were found as frequently as in MSIE today. The phrase "sendmail bug of the month club" was often heard. Just as with MSIE, after fixing a lot of problems and making some architectural changes, things seem to be more safe right now. But the occasional problem still appears.
I always thought Java was designed to have us poor PC owners realize that our machines are far less powerful than a Sun, and that we should reflect a moment on how fast our machine would be if it were from Sun.
(this moment being the load and initialize time of the JVM)
I understand, but this makes it clear that the situation is not that black-and-white.
I think a good solution would be to block outgoing (and maybe incoming) port 25 traffic by default, and have some option per customer to enable the port, with a webpage that explains the risks. Most customers will never notice what they are missing with filtered port 25, but for the few that need it, it is very inconvenient when it is closed for everyone.
Unfortunately the infrastructure does not always make it simple to do this (no separate access list per customer, and a combined access list would get much too long)
An ISP's SMTP server is not always a solution. I am running a mailserver on my own system (and use the same setup at work) to which the MX records for my domain are pointing, and which uses callbacks to verify source addresses whenever mail comes in. The callbacks require outgoing port 25 access and cannot be done via the ISP server. Advantage of sending mail directly instead of via ISP server is that you can watch the queue. Mail that is not getting delivered is apparent because it sits in your own queue. ISP queues are of course not visible to ordinary customers.
But for the average Windows user with Outlook Express and a POP account this is not important and blocking port 25 is no problem.
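The greeting-sequencing check from the SMTP comment earlier on this page and the sender callback mentioned in this comment, as one added example; it is not code from the original posts. A tiny responder on loopback sends a three-line 220 banner with a pause between the lines and rejects any client that speaks before the final line; the same responder answers RCPT TO for a constructed set of mailboxes so that a callback probe can be shown end to end. Hostnames, mailboxes and the pause length are assumptions made for the demo.

```python
import select
import socket
import threading

# Constructed fixtures for the demo (assumptions, not taken from the posts).
MULTILINE_BANNER = [b"220-mx.example.test ESMTP\r\n",
                    b"220-please wait for the complete greeting\r\n",
                    b"220 mx.example.test ready\r\n"]
KNOWN_MAILBOXES = {"alice@example.test", "postmaster@example.test"}
GREET_PAUSE = 0.25  # seconds between banner lines; a real MTA waits far longer
SIMPLE_REPLIES = {"HELO": b"250 mx.example.test\r\n", "EHLO": b"250 mx.example.test\r\n",
                  "MAIL": b"250 2.1.0 OK\r\n", "RSET": b"250 2.0.0 OK\r\n"}

def handle_session(conn, verdicts):
    """Receiving side: a client that talks before the final "220 " banner line
    gets 554; a patient one gets a command loop a sender callback can probe."""
    with conn:
        for line in MULTILINE_BANNER[:-1]:
            conn.sendall(line)
            readable, _, _ = select.select([conn], [], [], GREET_PAUSE)
            if readable:  # something arrived before the greeting was complete
                if conn.recv(1024, socket.MSG_PEEK):  # b"" would mean the peer hung up
                    verdicts.append("premature")
                    conn.sendall(b"554 5.7.0 Command sent before greeting was complete\r\n")
                return
        verdicts.append("ok")
        conn.sendall(MULTILINE_BANNER[-1])
        for raw in conn.makefile("rb"):
            verb, _, rest = raw.decode("ascii", "replace").strip().upper().partition(" ")
            if verb == "RCPT":
                addr = rest.partition(":")[2].strip().strip("<>").lower()
                conn.sendall(b"250 2.1.5 OK\r\n" if addr in KNOWN_MAILBOXES
                             else b"550 5.1.1 No such user\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 2.0.0 Bye\r\n")
                return
            else:
                conn.sendall(SIMPLE_REPLIES.get(verb, b"502 5.5.2 Not implemented\r\n"))

def start_server(verdicts):
    """Listen on an ephemeral loopback port; serve each session in its own thread."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket closed: shut down
                return
            threading.Thread(target=handle_session, args=(conn, verdicts),
                             daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]

def read_reply(f):
    """Read one SMTP reply, skipping "NNN-" continuation lines; return the code."""
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("peer closed the connection")
        if len(line) >= 4 and line[3:4] == b" ":
            return int(line[:3])

def spambot_session(port):
    """Sending side that blurts its commands without waiting for the banner."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(b"HELO bot.invalid\r\nMAIL FROM:<x@bot.invalid>\r\n")
        return read_reply(s.makefile("rb"))

def verify_sender(address, port):
    """Sender callback: ask the MX whether it would accept mail for `address`, then
    abandon the transaction. Waiting for the whole banner passes the check above."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        f = s.makefile("rb")
        def send(line):
            s.sendall(line + b"\r\n")
            return read_reply(f)
        if read_reply(f) != 220 or send(b"HELO callback.example.test") != 250:
            return False
        send(b"MAIL FROM:<>")
        accepted = send(b"RCPT TO:<" + address.encode() + b">") == 250
        send(b"RSET")
        send(b"QUIT")
        return accepted

def run_demo():
    """Run the three sessions against a fresh responder and return the outcomes."""
    verdicts = []
    srv, port = start_server(verdicts)
    try:
        spam = spambot_session(port)
        alice = verify_sender("alice@example.test", port)
        nobody = verify_sender("nobody@example.test", port)
    finally:
        srv.close()
    return {"spambot_reply": spam, "alice_exists": alice,
            "nobody_exists": nobody, "verdicts": verdicts}
```

A real MTA would hold the final banner line for seconds rather than a quarter second, and the callback would open port 25 on the sender domain's MX, which is the outgoing access the comment says an ISP relay cannot provide.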
SuSE has had this for years.... why are you suggesting an improvement? The only thing that is missing is the "geographically close". But there IS a list of mirror servers that is downloaded by Yast Online Update. Maybe you have disabled the download of that list? (that is an option, which it offers when there turns out to be no Internet connection during the first update attempt)
I think "static" or "dynamic" IP has nothing to do with the issue. All ADSL and most Cable providers here give you a static IP, yet the number of bots and infected PCs here is the same as in the US, where dynamic IP seems to be the norm.
This is of course to be expected. When the bot writer uses a clever enough protocol to be able to control a PC on a dynamic IP, it will certainly work on a static IP.
a new binary called VERCLSID.EXE
:-)
Note that they still use 8.3 ALL-CAPS names for their files