|
|
| Author |
Message |
| 25 new of 547 responses total. |
russ
|
|
response 427 of 547:
| 
Jun 24 03:49 UTC 2003 |
It might be easier to deal with spam by accepting the first N pieces
of mail from a novel host, then delaying the rest; if the mail starts
showing up in the UCE bin, further mail from that host is refused for
an extended period (or perhaps permanently). This takes care of
hijacked relays as well, while passing the occasional e-mail from an
odd host without any delays at all.
While spam may not be a big bandwidth load, it sure isn't going to
stay small unless we act; it really behooves us to frustrate spammers
if we can.
Jan, is there any way to get Backtalk to salt its pages with fake
e-mail addresses that would be picked up by spam harvesters? That
would be one way to be certain that a host was sending spam to Grex.
|
gull
|
|
response 428 of 547:
|
Jun 24 13:11 UTC 2003 |
All of these delaying tactics sound like they have the potential to
cause problems for people who are on legitimate mailing lists.
|
janc
|
|
response 429 of 547:
|
Jun 24 15:34 UTC 2003 |
I think it's probable that email addresses are being harvested from Grex, but
I'm not sure of the extent of the problem. Grex backtalk has a robot.txt file
that requests honest robots not to harvest it, which is why google searches
don't find Grex items (somewhat mixed blessing). Obviously dishonest spammers
are likely to disregard this, and I have seen indications of robots walking
through Backtalk on Grex. In most Backtalk interfaces, clicking on the user
name will give user bio page - but on Grex that is just the .plan file, and
won't contain in clickable email addresses, which are probably the spammer's
favorite thing to harvest (on other systems Backtalk does have clickable email
links, an issue that I need to address). Some people will have their
email addresses in their .plan files, but most probably don't or have email
addresses for systems other than Grex, so spam to addressesharvested from
there would go to non-Grex addresses and be hard to recognize.
A spammer might be smart enough to go through the Backtalk pages, pick up login
names and attach "@grex.org" to the end of each. But I'd think this would be
uncommon.
I'm not really inclined to think that seeding a lot of bad addresses is
going to help enough to be worth the ugliness. However, you are certainly
welcome to include <A HREF=mailto:uce@grex.org>send spam here</A> links
in all your HTML postings on Grex.
|
scg
|
|
response 430 of 547:
|
Jun 27 22:40 UTC 2003 |
I don't doubt that delaying mail acceptance for an hour would be effective
against the current generation of spammers, but my general impression of
techniques for blocking spam by insisting on standards compliance is that
spammers are getting better and better at following standards. That strikes
me as something which, if done commonly, would put a lot of extra load on
legitimate mail servers, and would break the ability of e-mail to be used as
a fairly instantanious back and forth communications tool.
|
i
|
|
response 431 of 547:
|
Jun 28 00:22 UTC 2003 |
More results from using this at work - over 75% of spammers do not come
back within 24 hours. No evidence that any legit e-mail has been lost.
Looking through the tuple database, substantial spam attacks are *really*
obvious...suggesting automated means to keep 'em locked out after their
tuples age out of probation...i think we're using 5 minutes for this now.
Yes, like any anti-spam technology, this has downsides and costs for both
the infrastructure & users. But *not* using any anti-spam technology
also has downsides & costs - like overflowing "in" boxes of left-'cause-
there-was-too-much-spam ex-users.
|
gull
|
|
response 432 of 547:
|
Jun 30 15:31 UTC 2003 |
Walter, are you using some kind of pre-made package to do this or did
you roll your own?
|
i
|
|
response 433 of 547:
|
Jul 2 01:08 UTC 2003 |
We rolled our own (adding a few lines of C to our mail server software
with MySQL on the back end). Graylisting is hardly more complex than
a bubblesort routine, and it took fewer lines of code than any bubblesort
that i can recall.
We started it in "observer, record, & report what you'd do" mode. We've
added more simple features (whitelist, etc.) to it as they've occured to
us.
It looks like spammers are far more impatient on retrying than legit mail
servers - we're hoping to add the rule "if graylisted e-mail comes back
before the graylist time expires, then add a minute to the interval it
came back within, compare that sum to the remaining graylist interval,
and update the graylist interval to the greater of those two". Tweaking
the numbers promises to let almost all legit e-mail avoid additional
delays from this, hopefully spam with delay itself to death (or blacklist).
|
jep
|
|
response 434 of 547:
|
Oct 17 16:04 UTC 2003 |
How's the NextGrex project coming along? I haven't seen any updates
here since July. Is the computer still going to be new when this is
completed?
|
cross
|
|
response 435 of 547:
|
Oct 17 17:23 UTC 2003 |
It's stalled; too many staff have too many other things going on. I was
going to propose, and I suppose here is as good a place to do it, that
we move nextgrex from Jan's house to the pumpkin after the new version
of OpenBSD comes out. I think that'll make it easier to test and debug
subsystems, and ultimately easier to transition over from old grex to
new grex. Once we do that, we should set a schedule; a reasonable one,
that we can stick to, trying to anticipate people's time demands, for
switching over within, say, no more than three months.
Major subsystems I see needing configuration before we can switch are:
1) The BBS. Someone has to port PicoSpan (mdw?) or provide
an alternative (YAPP? Frontalk?)
2) Mail. We have to build out the mail system.
3) set up newuser
4) Configuration changes.
That's about it. Everything else, we can do once we've transitioned.
|
remmers
|
|
response 436 of 547:
|
Oct 17 17:30 UTC 2003 |
I'd say that's a fair summary. Only potential drawback that I can see
to locating it in the pumpkin is if the hardware still needs a fair
amount of hands-on attention, it'd be a nuisance for somebody to run
over there all the time to tend to it. If the hardware configuration
is pretty stable now, this isn't an issue.
|
jp2
|
|
response 437 of 547:
|
Oct 17 17:47 UTC 2003 |
This response has been erased.
|
mary
|
|
response 438 of 547:
|
Oct 17 18:09 UTC 2003 |
Could we keep mail as is, on old Grex, for a while?
Maybe get it up using YAPP and Frontalk only?
I, like everyone else, would hat to see this project
stagnate much longer. If that means coming up less
complete, that would be better than not at all.
|
aruba
|
|
response 439 of 547:
|
Oct 17 19:20 UTC 2003 |
I agree.
Re #437: My understanding is that Grex is running a legal copy of Picospan,
though we do not have an official license. The validity of our copy comes
from Marcus, so he needs to explain how that works.
|
jep
|
|
response 440 of 547:
|
Oct 17 19:58 UTC 2003 |
Sorry for the sharp-sounding comment at the end of my question. It
didn't come out the way I had imagined it would. No criticism was
intended.
If the hardware is moved to the Pumpkin, are there people who can do
the things which need doing? Is the direction of the mail system
determined closely enough that another staffer can do it, or is this
a "Marcus-only" project? How about newuser? I assume Picospan is
something only Marcus can do.
I'd hope the staff is avoiding things wherever possible that can only
be done by one specific person, whether it's Marcus or anyone else.
Specifically... all of the world uses e-mail; Grex should be able to
implement an e-mail system, too. It isn't even that important. If
Grex didn't have e-mail at all, every Grexer would be able to get by
anyway by using any of their dozens of other mail addresses. It would
be silly to find out NextGrex was being held up only because a specific
person wasn't available to set up a customized e-mail system.
For other topics; is there agreement on what needs to be done for
newuser? Is someone working on that?
I'm not particularly parsimonious... but all of the hardware was
purchased months ago, some of it at premium prices as I understand it
to obtain stuff that's state of the art. Computer hardware doesn't
have much of a shelf life for being state of the art.
Grex got donations, and bought all of the stuff at a pretty quick
pace... then nothing much seems to have happened, at least judging from
the information I'm seeing coming out. It made me wonder about why
things aren't happening any more. Is it a brief slowdown for specific
reasons, and things will be picking up again soon?
Thanks!
|
jp2
|
|
response 441 of 547:
|
Oct 17 20:02 UTC 2003 |
This response has been erased.
|
davel
|
|
response 442 of 547:
|
Oct 18 00:39 UTC 2003 |
Re 440: John, some users have no other email address whatsoever. I happen
to live with 3 of them. Other users have enough correspondents who email to
their Grex addresses that notifying them all would be a big problem - and
suddenly having mail start bouncing without much warning would be a much
bigger problem. I'd say we could do without conferencing for a while about
as well as doing without email.
|
cross
|
|
response 443 of 547:
|
Oct 18 02:05 UTC 2003 |
Regarding #440; We're not going live without a working mail system.
It's not rocket science to put one together, but it does take time,
and that's what everyone is lacking right now.
Regarding Remmers's comment about hardware configuration; As far as
I can tell, with the exception of the ethernet interface (which seems
flakey), it's pretty much set. Everything left is purely software
configuration.
|
jep
|
|
response 444 of 547:
|
Oct 18 03:18 UTC 2003 |
I'll accept the point about e-mail, but that's not the main point.
resp:0 brings up the idea of buying the hardware right away...
February 17, 2003. There was enthusiasm at that time, maybe even some
urgency.
The first component was purchased on April 8, ordering continued
through April, assembly began on May 4, and by May 17, aruba said it
was all assembled, tested and working. There was enthusiastic testing
through May. The final physical component arrived on May 28 -- the
OpenBSD CDs.
And work stopped, at least as visible to interested outsiders.
It has been 4 1/2 months since May 28; approximately twice as long as
it took to acquire, assemble and test all of the hardware. I presume
OpenBSD has been installed on the new hardware so that *something* can
have been done since then. In 4 1/2 more months, it will have been a
year since this item was entered.
Where's the urgency now? Or at least enthusiasm? Shall I wait until
February and ask again then? Or maybe hold my horses until April? Or
will that have been too soon to expect results from the purchase of
all new hardware that was fully assembled by the end of May?
If we hadn't bought anything yet, how much further behind would we be,
compared to where we are now? Put another way, how long do we wait
before the hardware needs to be replaced because it's too old?
I understand very well about being too busy... I also understand it's
not always *everyone* who's too busy. That's not even very likely.
There have been many group projects that never happen at all because
everyone waits forever on one person. It would be a real shame if
this project is one like that.
The treasurer bemoans the lack of donations all the time. Donations
are declining... but a lot of people rushed right in to send money
when they were told it was needed for the new NextGrex computer. You
folks on the staff gave every indication you were ready to set it up
so we could start using it. We all understood it would take time...
but how much time? It takes a *really* *long* time to finish a
project if no one is working on it.
If that's the case, as it appears to me it is, maybe it it could be
time to look at alternatives?
|
cross
|
|
response 445 of 547:
|
Oct 18 04:49 UTC 2003 |
Hey, I agree with you 100%. It's ridiculous that it's taken this long
to get things rolling. I think we should be able to move over to next
grex within three months, and I can think of no reason we shouldn't be
able to: this has stalled long enough.
There is some work happening, but you won't see it if you just read coop.
Most of it happens in garage, and some (to a much lesser extent) in
other places. In particular, despite juggling kids and other time
commitments, Jan has made some stellar progress setting up facets of
nextgrex. Regardless, we're stalled right now.
Here's my take on some of what happened. There's been disagreement
among staff about how _best_ to proceed in certain technical areas.
But traditionally, certain staff members have maintained domains of
responsibility comprising various subsystems on grex (like how Marcus
maintains PicoSpan). Some of this is necessary (Marcus and PicoSpan is a
good example; he's the only one with the source code), some is contrived.
Those parts have been, if not off-limits to other staffers, then at least
considered that individual staffer's responsibility and left up to them.
So, despite some staffers having more time than others, certain areas
of nextgrex remain untouched pending the staffers who have less time,
but traditional responsibility of those areas, to become available.
I don't think this is working out too well. I think maybe we should
consider just saying, ``screw it; we need to get the new machine online.
Let's figure out the quickest way to do that and go from there.''
*THAT* said, we also have to be careful. Grex, right now, is a real
mess in my opinion. There are patches upon patches upon bandaids upon
kludges upon hacks upon more patches stacked up so high, it's difficult
to see over them all. I think it's scary for newer staff (well, for
me anyway) to *do* anything because everything is so customized. A lot
of the work Jan has been doing on nextgrex is meticulously documenting
*everything* he's done so that rebuilding grex from scratch is going to
be an easy process for a reasonably competent Unix system administrator.
This is good, and necessary, and we really do need to do this with all
the major components of the system so that, moving forward, we don't
end up in the hole we're in right now (it really is a hole).
I think we can get back on track if a couple of us agree to donate a few
hours or so a day for the next couple of weeks, to get OpenBSD 3.4 to
where we're at now with OpenBSD 3.3 (note: OpenBSD 3.4 comes out on
the first of November). If we then put the machine in the pumpkin, we
should be good to go with getting nextgrex online in under three months.
hour or so a day for the next few weeks to g
|
jp2
|
|
response 446 of 547:
|
Oct 18 14:27 UTC 2003 |
This response has been erased.
|
cross
|
|
response 447 of 547:
|
Oct 18 14:46 UTC 2003 |
I've proved the security of grex's password hash to be the same as that
of sha1, which is provably mathematically superior to MD5.
Also, isn't YAPP shareware? I thought you had to pay a significant
amount of money for anything other than casual use?
|
jp2
|
|
response 448 of 547:
|
Oct 18 15:12 UTC 2003 |
This response has been erased.
|
cross
|
|
response 449 of 547:
|
Oct 18 19:06 UTC 2003 |
Blowfish in OpenBSD is pretty slow. I've argued many times that building
our own scrambling algorithm was a bad idea, and I certainly would have
done it differently, but it happened before I came on board. Sorry,
them's the breaks. Sometimes you just have to accept what you're given
and work with it as best you can: we've got anywhere from 20,000 to
40,000 users whose passwords are hashed with it. But, we've also gotten
it working with OpenBSD (I've got it working with login.conf on nextgrex).
Jamie, I think you have a lot of good ideas on how to move grex forward,
but don't blow it by being your polemical self. Three months *is*
a reasonable amount of time for a complete build out of nextgrex.
And I don't care how long it took Salcedo to get mnet up and running.
This isn't mnet, and we want to have an amount of downtown that's a
minimal amount longer than the time it takes to transfer the data from
oldgrex to nextgrex (five weeks just to move things over---now that's
outrageously long, in my opinion). I don't even live anywhere *near*
Ann Arbor (otherwise, I'd volunteer to take in the hardware and crank
away on it over the next two or three weekends), and other staffers
don't have a lot of time, so it's unlikely we'll be able to half the
amount of time I already projected.
As for YAPP, I'm all for it. We need something up and running sooner
than later. However, ``you-think-you-heard-someone-say-maybe'' isn't
a license agreement, and if your primary objection to PicoSpan is a
licensing issue, then trading that can of worms for a mess that is a
verbal licensing agreement for YAPP doesn't seem much better. Now,
if I had my druthers, I'd just as soon see FrontTalk built out and
used as a replacement for both. We're sure of the license for that;
unfortunately, that would require someone talking a lot of time to
make happen, and, as we know, time is an issue.
Look, you're preaching to the choir here. So cut the confrontational
crap and let's figure out how to move forward.
|
jp2
|
|
response 450 of 547:
|
Oct 18 19:16 UTC 2003 |
This response has been erased.
|
glenda
|
|
response 451 of 547:
|
Oct 18 20:19 UTC 2003 |
I would like to see us stay with picospan. I left m-net when they switched
to yapp. I tried it for a couple of weeks, hated it and never logged in
again.
|
