Suggestions for a more privacy conscious email provider
Hi all, I am in need of some suggestions for some privacy conscious email providers. I am currently using Migadu email hosting from Switzerland; basically, they allow their users to have as many domains and mailboxes as they want, without storage limits and at no extra cost. However, they only allow 10 messages to be sent per day on their free tier. -- Sincerely Michael S Singh, M: 914-266-0601 W: www.wadadli.me F: 5E0E FD46 4592 1682 A4B6 5F62 761E 4940 A177 3B38 Sent via Migadu.com, world's easiest email hosting
On Sat, Dec 2, 2017 at 1:35 PM, Michael S. Singh <michael@wadadli.me> wrote:
I am in need of some suggestions for some privacy conscious email providers. I am currently using Migadu [...] However they only allow 10 messages to be sent per day on their free tier.
If you aren't paying for it and it's not a demo meant to get you to pay for it then you're not the customer, you're the product. If you're the product, guess what the customer is paying for. Regards, Bill Herrin -- William Herrin ................ herrin@dirtside.com bill@herrin.us Dirtside Systems ......... Web: <http://www.dirtside.com/>
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Sat, Dec 2, 2017 at 1:35 PM, Michael S. Singh <michael@wadadli.me> wrote:
I am in need of some suggestions for some privacy conscious email providers. I am currently using Migadu [...]
I use KolabNow, based in Switzerland, for a lot of personal e-mail communications. They are very, very privacy conscious: --> https://kolabnow.com/feature/confidence They are *not* free, but quite reasonable, and I am quite happy with them. - ferg -- Paul Ferguson ICEBRG.io, Seattle USA -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iF4EAREIAAYFAlojJ0cACgkQKJasdVTchbLl5AD/QTSs+qOHuwKIyiBVYgmGR9MQ N8pz3AJ3pyks/IxLxIgA/jNhyl0Dlg97wNiitZm9sAjaxLA7xIPRDACHQICnNSbJ =LCAZ -----END PGP SIGNATURE-----
If you plan to use it for a small group of people, you should consider hosting it yourself. You could set it up with SPF, DKIM, DMARC, IPv6. It could be seen as a personal challenge to achieve. Then if you need real privacy, you will need to encrypt with public keys like PGP or S/MIME. You can upload your public key to the public PGP key servers. I guess that one day this thing will be very popular. Challenge accepted? Jean On 17-12-02 05:20 PM, Paul Ferguson wrote:
On Sat, Dec 2, 2017 at 1:35 PM, Michael S. Singh <michael@wadadli.me> wrote:
I am in need of some suggestions for some privacy conscious email providers. I am currently using Migadu [...]
I use KolabNow, based in Switzerland, for a lot of personal e-mail communications. They are very, very privacy conscious:
--> https://kolabnow.com/feature/confidence
They are *not* free, but quite reasonable, and I am quite happy with them.
- ferg
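The record set Jean recommends, as an added example that is not part of the thread: a small offline checker for the SPF, DKIM and DMARC TXT records of a domain. The zone data is constructed (example.com, weak.example and the DKIM selector name `mail` are assumptions) and the resolver is a dictionary, so it runs without network access. It flags the mistakes that most often get a freshly self-hosted sender rejected: more than ten DNS-lookup mechanisms in SPF (a permerror at the receiver), a record ending in `+all`, a DMARC policy of `none`, and a missing or malformed DKIM key.

```python
"""Offline sanity checks for the DNS records a self-hosted mail server needs.

Added example, not from the thread. ZONE below is constructed data and txt()
stands in for a real TXT lookup so the checks run without network access.
"""
import base64
import re

# Constructed TXT records for hypothetical domains (not real zones).
ZONE = {
    "example.com": ["v=spf1 mx a ip6:2001:db8:1::/64 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "mail._domainkey.example.com": [
        # Placeholder key material, not a real RSA public key.
        "v=DKIM1; k=rsa; p=" + base64.b64encode(b"placeholder, not a real key").decode()
    ],
    # The same setup with the mistakes new operators usually make.
    "weak.example": ["v=spf1 include:a.example include:b.example include:c.example "
                     "include:d.example include:e.example include:f.example "
                     "include:g.example include:h.example include:i.example mx a ptr +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}

def txt(name):
    """Stand-in for a TXT query against the constructed zone."""
    return ZONE.get(name.lower(), [])

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_MECHS = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?:[:/]|$)|^redirect=", re.I)

def check_spf(record):
    issues = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    lookups = sum(1 for t in terms[1:] if LOOKUP_MECHS.match(t))
    if lookups > 10:
        issues.append(f"SPF: {lookups} DNS-lookup mechanisms, limit is 10 (permerror)")
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms and not any(t.lower().startswith("redirect=") for t in terms):
        issues.append("SPF: no 'all' mechanism, unlisted senders get neutral")
    elif all_terms and all_terms[-1].lower() in ("all", "+all"):
        issues.append("SPF: ends in +all, authorises every host on the internet")
    if any(t.lower().lstrip("+-~?") == "ptr" for t in terms):
        issues.append("SPF: 'ptr' mechanism is deprecated and slow")
    return issues

def tag_list(record):
    """Parse the 'k=v; k=v' tag syntax shared by DKIM and DMARC records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)   # split once: base64 padding contains '='
            tags[k.strip().lower()] = v.strip()
    return tags

def check_dmarc(record):
    tags = tag_list(record)
    issues = []
    if tags.get("v") != "DMARC1":
        return ["DMARC: missing v=DMARC1"]
    if tags.get("p") not in ("none", "quarantine", "reject"):
        issues.append("DMARC: p= must be none, quarantine or reject")
    elif tags["p"] == "none":
        issues.append("DMARC: p=none only monitors, receivers will not act on failures")
    if "rua" not in tags:
        issues.append("DMARC: no rua= address, you will never see aggregate reports")
    return issues

def check_dkim(record):
    tags = tag_list(record)
    issues = []
    if tags.get("v", "DKIM1") != "DKIM1":
        issues.append("DKIM: v= present but not DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        issues.append(f"DKIM: unknown key type {tags['k']}")
    key = tags.get("p", "")
    if not key:
        issues.append("DKIM: empty p= (revoked key or broken record)")
    else:
        try:
            base64.b64decode(key, validate=True)
        except ValueError:
            issues.append("DKIM: p= is not valid base64")
    return issues

def audit_domain(domain, selector="mail"):
    """Return the list of problems for domain; an empty list means all checks passed."""
    issues = []
    spf = [r for r in txt(domain) if r.lower().startswith("v=spf1")]
    if len(spf) == 1:
        issues += check_spf(spf[0])
    else:
        issues.append(f"SPF: expected exactly one record, found {len(spf)}")
    dmarc = txt(f"_dmarc.{domain}")
    issues += check_dmarc(dmarc[0]) if dmarc else ["DMARC: no _dmarc record"]
    dkim = txt(f"{selector}._domainkey.{domain}")
    issues += check_dkim(dkim[0]) if dkim else [f"DKIM: no key at selector {selector}"]
    return issues

if __name__ == "__main__":
    for d in ("example.com", "weak.example"):
        print(d, audit_domain(d) or "OK")
```

To run it against live DNS, replace txt() with a real query (for instance dnspython's `dns.resolver.resolve(name, "TXT")`, joining the strings of each answer); the checks themselves do not change. Note that the checker only validates syntax and policy; it cannot tell you whether the ip6: prefix or the mx hosts are actually the ones you send from.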
It's kind of a pain to manage a mail server. Even if you have SPF and DKIM correctly set up and you are not on any common blacklists, you constantly have to fight for good deliverability - some mail server solutions will simply reject you no matter what. You might be on some obscure blacklist nobody uses and then you have to waste time sending blacklist removal requests. I personally run my own mail server, but route outgoing emails via Amazon SES. It gives me all the benefits of having my own mail server (domain aliases, extensions, custom spam filter, etc.) and saves me from the pain of managing outgoing reputation. -- Filip Hruska Linux System Administrator On 12/3/17 at 16:12, Jean | ddostest.me via NANOG wrote:
If you plan to use it for a small group of people, you should consider hosting it yourself. You could set it up with SPF, DKIM, DMARC, IPv6.
It could be seen as a personal challenge to achieve.
Then if you need real privacy, you will need to encrypt with public keys like PGP or S/MIME. You can upload your public key to the public PGP key servers. I guess that one day this thing will be very popular.
Challenge accepted?
Jean
On 17-12-02 05:20 PM, Paul Ferguson wrote:
On Sat, Dec 2, 2017 at 1:35 PM, Michael S. Singh <michael@wadadli.me> wrote:
I am in need of some suggestions for some privacy conscious email providers. I am currently using Migadu [...]
I use KolabNow, based in Switzerland, for a lot of personal e-mail communications. They are very, very privacy conscious:
--> https://kolabnow.com/feature/confidence
They are *not* free, but quite reasonable, and I am quite happy with them.
- ferg
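The split Filip describes (your own mail server, outbound relayed through Amazon SES) in Postfix terms, as an added example that is not Filip's actual configuration: the main.cf settings that hand every outbound message to the SES SMTP interface. The region endpoint (us-east-1), the credentials file path and the CA bundle path are assumptions; the SMTP username and password are the ones generated in the SES console, not an IAM access key.

```ini
# /etc/postfix/main.cf  (fragment; added example, region and paths are assumptions)

# Deliver all outbound mail via SES instead of from the VPS's own, unproven IP.
# The brackets tell Postfix to connect to that host directly rather than look up its MX.
relayhost = [email-smtp.us-east-1.amazonaws.com]:587

# Authenticate to SES with the SMTP credentials from the SES console.
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

# Never send the credentials or the mail in cleartext: require STARTTLS and
# verify the relay's certificate chain and hostname against the system CA bundle.
smtp_tls_security_level = verify
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# /etc/postfix/sasl_passwd holds one line (then run: postmap hash:/etc/postfix/sasl_passwd,
# and chmod 600 both the file and the resulting .db):
#   [email-smtp.us-east-1.amazonaws.com]:587 SMTP_USERNAME:SMTP_PASSWORD
```

Two things follow from relaying this way: the SPF record of whatever domain SES uses as the envelope sender must authorise SES (`include:amazonses.com`), and DKIM has to be handled either by letting SES sign (its "Easy DKIM" records in your zone) or by signing locally before the message leaves your box, otherwise the DMARC alignment Jean mentioned fails for every message.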
Hi Filip I appreciate the response! Do you host the mail server with a third party provider (e.g. Rackspace) or do you have an 'in-house' solution? If you're able to elaborate more on your setup, I would love to read more about it. I am considering purchasing a Raspberry Pi and hosting my own, as it seems worth the experience. However, does it require that I have my own DNS server and a static IP address in order to connect to the mail server from anywhere in the world? On 12/03/2017 09:08 AM, Filip Hruska wrote:
It's kind of a pain to manage a mail server.
Even if you have SPF and DKIM correctly set up and you are not on any common blacklists, you constantly have to fight for good deliverability - some mail server solutions will simply reject you no matter what. You might be on some obscure blacklist nobody uses and then you have to waste time sending blacklist removal requests.
I personally run my own mail server, but route outgoing emails via Amazon SES. It gives me all the benefits of having my own mail server (domain aliases, extensions, custom spam filter, etc.) and saves me from the pain of managing outgoing reputation.
-- Filip Hruska Linux System Administrator
On 12/3/17 at 16:12, Jean | ddostest.me via NANOG wrote:
If you plan to use it for a small group of people, you should consider hosting it yourself. You could set it up with SPF, DKIM, DMARC, IPv6.
It could be seen as a personal challenge to achieve.
Then if you need real privacy, you will need to encrypt with public keys like PGP or S/MIME. You can upload your public key to the public PGP key servers. I guess that one day this thing will be very popular.
Challenge accepted?
Jean
On 17-12-02 05:20 PM, Paul Ferguson wrote:
On Sat, Dec 2, 2017 at 1:35 PM, Michael S. Singh <michael@wadadli.me> wrote:
I am in need of some suggestions for some privacy conscious email providers. I am currently using Migadu [...]
I use KolabNow, based in Switzerland, for a lot of personal e-mail communications. They are very, very privacy conscious:
--> https://kolabnow.com/feature/confidence
They are *not* free, but quite reasonable, and I am quite happy with them.
- ferg
-- Sincerely Michael S Singh, M: 914-266-0601 W: www.wadadli.me F: 5E0E FD46 4592 1682 A4B6 5F62 761E 4940 A177 3B38 Sent via Migadu.com, world's easiest email hosting
You will also need your internet provider to set up reverse DNS for you, otherwise many mail servers may reject your mail if the reverse DNS does not match the hostname of the mail server. -----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Michael S. Singh Sent: Sunday, December 3, 2017 12:57 PM To: nanog@nanog.org Subject: Re: Suggestions for a more privacy conscious email provider Hi Filip I appreciate the response! Do you host the mail server with a third party provider (e.g. Rackspace) or do you have an 'in-house' solution? If you're able to elaborate more on your setup, I would love to read more about it. I am considering purchasing a Raspberry Pi and hosting my own, as it seems worth the experience. However, does it require that I have my own DNS server and a static IP address in order to connect to the mail server from anywhere in the world? On 12/03/2017 09:08 AM, Filip Hruska wrote:
It's kind of a pain to manage a mail server.
Even if you have SPF and DKIM correctly set up and you are not on any common blacklists, you constantly have to fight for good deliverability - some mail server solutions will simply reject you no matter what. You might be on some obscure blacklist nobody uses and then you have to waste time sending blacklist removal requests.
I personally run my own mail server, but route outgoing emails via Amazon SES. It gives me all the benefits of having my own mail server (domain aliases, extensions, custom spam filter, etc.) and saves me from the pain of managing outgoing reputation.
-- Filip Hruska Linux System Administrator
On 12/3/17 at 16:12, Jean | ddostest.me via NANOG wrote:
If you plan to use it for a small group of people, you should consider hosting it yourself. You could set it up with SPF, DKIM, DMARC, IPv6.
It could be seen as a personal challenge to achieve.
Then if you need real privacy, you will need to encrypt with public keys like PGP or S/MIME. You can upload your public key to the public PGP key servers. I guess that one day this thing will be very popular.
Challenge accepted?
Jean
On 17-12-02 05:20 PM, Paul Ferguson wrote:
On Sat, Dec 2, 2017 at 1:35 PM, Michael S. Singh <michael@wadadli.me> wrote:
I am in need of some suggestions for some privacy conscious email providers. I am currently using Migadu [...]
I use KolabNow, based in Switzerland, for a lot of personal e-mail communications. They are very, very privacy conscious:
--> https://kolabnow.com/feature/confidence
They are *not* free, but quite reasonable, and I am quite happy with them.
- ferg
-- Sincerely Michael S Singh, M: 914-266-0601 W: www.wadadli.me F: 5E0E FD46 4592 1682 A4B6 5F62 761E 4940 A177 3B38 Sent via Migadu.com, world's easiest email hosting
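The reverse-DNS requirement raised above, as an added example that is not part of the thread: the forward-confirmed reverse DNS (FCrDNS) test a strict receiving MTA applies to a connecting IP, plus the "looks like a dynamic pool" heuristic that gets residential addresses refused even when a PTR exists. The DNS data is a constructed dictionary (TEST-NET and documentation prefixes, example.com, and a made-up ISP-style PTR), so it runs offline; in practice lookup() would be a real resolver query.

```python
"""Forward-confirmed reverse DNS (FCrDNS) for a mail server address.

Added example, not from the thread. RECORDS is constructed data and lookup()
stands in for a DNS query so the check runs offline; replace it with real
queries (e.g. dnspython's dns.resolver.resolve) to test a live host.
"""
import ipaddress
import re

def _rev(ip):
    """Name under in-addr.arpa / ip6.arpa that holds the PTR for ip."""
    return ipaddress.ip_address(ip).reverse_pointer

# Constructed zone data: one host whose provider set the requested PTR, and one
# residential line with the generic PTR the ISP assigns to its whole pool.
RECORDS = {
    _rev("203.0.113.10"): {"PTR": ["mail.example.com."]},
    _rev("2001:db8::25"): {"PTR": ["mail.example.com."]},
    "mail.example.com": {"A": ["203.0.113.10"], "AAAA": ["2001:db8::25"]},
    _rev("198.51.100.77"): {"PTR": ["c-198-51-100-77.hsd1.example.net."]},
    "c-198-51-100-77.hsd1.example.net": {"A": ["198.51.100.1"]},
}

def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed data."""
    return RECORDS.get(name.rstrip(".").lower(), {}).get(rtype, [])

def looks_dynamic(ptr_name, ip):
    """Heuristic used by many receivers: a PTR that embeds all four octets of the
    address (c-198-51-100-77..., 77-100-51-198.dyn...) is treated as a dynamic pool."""
    octets = str(ipaddress.ip_address(ip)).split(".")
    if len(octets) != 4:
        return False                      # heuristic only defined for IPv4 here
    labels = re.split(r"[.-]", ptr_name.lower())
    return all(o in labels for o in octets)

def fcrdns(ip, helo_name):
    """Return (ok, reasons). ok is True only if the PTR for ip resolves back to
    ip, matches the HELO/EHLO name the server announces, and is not a pool name."""
    addr = ipaddress.ip_address(ip)
    ptrs = [p.rstrip(".").lower() for p in lookup(addr.reverse_pointer, "PTR")]
    if not ptrs:
        return False, [f"no PTR record for {addr}"]
    reasons = []
    rtype = "AAAA" if addr.version == 6 else "A"
    # Forward confirmation: at least one PTR target must resolve back to the IP.
    confirmed = [p for p in ptrs
                 if addr in {ipaddress.ip_address(a) for a in lookup(p, rtype)}]
    if not confirmed:
        reasons.append(f"PTR {ptrs} does not resolve back to {addr}")
    if helo_name.rstrip(".").lower() not in ptrs:
        reasons.append(f"HELO name {helo_name} does not match PTR {ptrs}")
    for p in ptrs:
        if looks_dynamic(p, ip):
            reasons.append(f"PTR {p} looks like a dynamic/residential pool name")
    return not reasons, reasons

if __name__ == "__main__":
    for ip in ("203.0.113.10", "2001:db8::25", "198.51.100.77", "192.0.2.1"):
        print(ip, fcrdns(ip, "mail.example.com"))
```

The HELO check matters because Postfix's `reject_unknown_helo_hostname` style rules, and the equivalents at the large providers, compare the announced name with what the PTR says; a PTR your ISP will not change therefore costs you deliverability even when forward and reverse DNS agree with each other.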
In article <37613d30-ae69-9140-5d88-7596857ce99e@wadadli.me> you write:
I am considering purchasing a Raspberry Pi and hosting my own, as it seems worth the experience. However does it require that I have my own DNS server and a static IP address in order to connect to the mail server from anywhere in the world?
You really don't want to do that unless you have a friend at a hosting center who will let him plug your Pi into his rack and lend you a static IP. Getting static IPs at home these days is pretty much impossible unless you get very expensive business class cable service. Even if you have a static-ish IP on residential cable, nobody accepts mail directly from resi networks since it is about 99.99% botnet spam. On the other hand, it is the work of a moment to set up a $5/mo VPS running linux with a static IP at any of a long list of hosting providers like Tektonix or Digital Ocean or Linode. From your point of view, it's a linux box you can ssh into and manage the same way you'd manage linux on a small physical machine. R's, John
On 12/04/2017 02:24 PM, John Levine wrote:
From your point of view, it's a linux box you can ssh into and manage the same way you'd manage linux on a small physical machine.
In my naive opinion, there are some subtle differences with where "the linux box you can ssh into" resides. Namely, when I ran my server at home, it took a search warrant to legally enter my house to access the server, which I would be immediately made aware of. I can't say the same with the same degree of certainty for a server located in a co-location facility. I'm obviously ignoring someone compromising the system across the network. Though even then, I can disconnect the server from the outside world and still access it from my home. -- Grant. . . . unix || die
On Mon, 04 Dec 2017 15:06:07 -0700, Grant Taylor via NANOG said:
Namely, when I ran my server at home, it took a search warrant to legally enter my house to access the server, which I would be immediately made aware of.
I'll just remind everybody that if this is a serious component of your threat model, you probably need to have gotten in touch with some serious professionals to help set everything up, because it's going to have more little gotchas than we can cover here on NANOG. For starters, did you build your system in a way that avoids cold-boot attacks against the crypto keys that manage access to your hard drive? (Those 6 of you who *are* serious professionals at this can ignore that advice :)
On Dec 4, 2017, at 4:20 PM, valdis.kletnieks@vt.edu wrote:
I'll just remind everybody that if this is a serious component of your threat model, you probably need to have gotten in touch with some serious professionals to help set everything up, because it's going to have more little gotchas than we can cover here on NANOG.
Yup.
For starters, did you build your system in a way that avoids cold-boot attacks against the crypto keys that manage access to your hard drive?
Probably not.
(Those 6 of you who *are* serious professionals at this can ignore that advice :)
Do I count? I only accused the Director of the NSA of High Treason in my letter to the editors of the Communications of the ACM (see <http://www.shub-internet.org/brad/cacm92nov.html>). So, yeah -- having the hardware here in my house so that it is more secure against unreasonable search and seizure -- that is very much in my threat model. -- Brad Knowles <brad@shub-internet.org>
On Mon, 04 Dec 2017 16:41:55 -0600, Brad Knowles said:
(Those 6 of you who *are* serious professionals at this can ignore = that advice :)
Do I count? I only accused the Director of the NSA of High Treason in my letter to the editors of the Communications of the ACM (see <http://www.shub-internet.org/brad/cacm92nov.html>).
Treason fail. What declared enemy of the US did the Director provide aid and comfort to? (Hint: a declaration of war seems to be considered important - during the Korean conflict a number of soldiers didn't get prosecuted for treason at least partly because we hadn't actually declared war on North Korea. Similarly, the Rosenbergs got the chair for espionage but not treason, because we didn't declare war on the USSR either during the Cold War). Actually, we haven't declared war on anybody since WWII...)
On Dec 4, 2017, at 4:51 PM, valdis.kletnieks@vt.edu wrote:
Do I count? I only accused the Director of the NSA of High Treason in my letter to the editors of the Communications of the ACM (see <http://www.shub-internet.org/brad/cacm92nov.html>).
Treason fail. What declared enemy of the US did the Director provide aid and comfort to?
Technically, I accused him of causing Very Grave Harm to National Security Interests, which is treated at the same severity as High Treason. Or at least, that was the way I read the "Orange Book" TCSEC at the time, because I deliberately took the wording straight from that book. -- Brad Knowles <brad@shub-internet.org>
There are all kinds of factual issues with the arguments in the referenced document.
1. During Desert Storm I personally sent hundreds of STU-IIIs to the sandbox. They didn't go in diplomatic pouches, they went as Air Force cargo like everything else. The State Department did not have to "smuggle" anything. They use diplomatic pouch as a way to prevent the receiving country from inspecting the shipments. This is common for all cryptographic devices, classified or not. Also commonly used for Playboy magazines and bottles of scotch going into Saudi Arabia.
2. Treason is not applicable here because there must be a declared war. Treason requires interaction with a declared enemy during a time of war. I know that term gets thrown around haphazardly lately but it is a very specific legal term.
3. Asking a government agency to act as the KDF is so demonstrably brain damaged we don't even need to go into the problems with that. They have shown that:
a. They are not interested in keeping your data secure, in fact they would like to keep as much of it in their databases as possible.
b. Most of the organizations you listed have been breached multiple times and receive failing grades under their own IT standards for security.
c. International organizations are even worse. So, if my keys are stored by the IEEE does that mean that only countries that are part of the United Nations can get access to my data. I feel much better now :)
4. Sending a device or technology out of the US does not equal an export under ITAR. In your example, if a device is going to be used by US Government employees or military personnel and kept under their control, it is not an export. As a matter of fact a US company can use export restricted software and hardware in foreign countries in most cases if it is under the control of US Nationals, i.e. a US company can use high encryption licenses for Cisco devices inside of China branch offices to secure their VPN connections. My company has this in writing, we did all of the appropriate export paperwork and then was told it was unnecessary since the software remains under the control of US nationals (of course they know that all the foreign intel agencies already have it so they are not worried about James Bond sneaking in the middle of the night to reverse engineer it).
5. The DirNSA has a vested interest in the collection of intelligence and the security of US GOVERNMENT systems as his primary responsibilities. Securing US private entities is way down his list of priorities and if in conflict with his primary missions will take a back seat. Not treason my friend, just focus on his mission.
Steven Naslund Chicago IL -----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Brad Knowles Sent: Monday, December 04, 2017 4:55 PM To: valdis.kletnieks@vt.edu Cc: nanog@nanog.org; Grant Taylor Subject: Re: Suggestions for a more privacy conscious email provider On Dec 4, 2017, at 4:51 PM, valdis.kletnieks@vt.edu wrote:
Do I count? I only accused the Director of the NSA of High Treason in my letter to the editors of the Communications of the ACM (see <http://www.shub-internet.org/brad/cacm92nov.html>).
Treason fail. What declared enemy of the US did the Director provide aid and comfort to?
On Dec 4, 2017, at 5:22 PM, Naslund, Steve <SNaslund@medline.com> wrote:
There are all kinds of factual issues with the arguments in the referenced document.
1. During Desert Storm I personally sent hundreds of STU-IIIs to the sandbox. They didn't go in diplomatic pouches, they went as Air Force cargo like everything else.
Maybe not all of them went the way I described, but there were public stories at the time regarding ones that had been sent in diplomatic pouches, and which was confirmed by the government. I wasn't concerned about the STU-IIIs that got sent the "normal" way, and therefore I did not mention them. What really concerned me at the time was that it was totally okay to send them in a wide variety of ways before they were keyed, but they had to be sent via diplomatic pouches once they had been keyed, in order to get around our own export controls regarding munitions. Today, I know a bit more about what "keying" means than I did then, but not much more. I guess if you're using shared secrets everywhere, it becomes really important to protect those shared secrets against everyone, including other members of our own government.
2. Treason is not applicable here because there must be a declared war. Treason requires interaction with a declared enemy during a time of war. I know that term gets thrown around haphazardly lately but it is a very specific legal term.
Okay, so treason was the wrong term. I grant you that. In fact, I granted that in my previous message. Let's get over that word.
3. Asking a government agency act as the KDF is so demonstrably brain damaged we don't even need to go into the problems with that. They have shown that:
At the time, I think it was reasonable to at least mention using a government agency as a Key Escrow agent, if only to point out one possible solution. Key Escrow has had a lot more research since 1992, and we've learned a lot of lessons since then.
4. Sending a device or technology out of the US does not equal an export under ITAR. In your example, if a device is going to be used by US Government employees or military personnel and kept under their control, it is not an export. As a matter of fact a US company can use export restricted software and hardware in foreign countries in most cases if it is under to control of US Nationals. i.e. US company can use high encryption licenses for Cisco devices inside of China branch offices to secure their VPN connections. My company has this in writing, we did all of the appropriate export paperwork and then was told it was unnecessary since the software remains under the control of US nationals (of course they know that all the foreign intel agencies already have it so they are not worried about James Bond sneaking in the middle of the night to reverse engineer it).
The rules regarding the exportation of strong crypto have changed since 1992. Although it now looks like maybe they're soon going to be going back the other direction. However, for the moment, it is still a non-sequitur to apply the rules of exportation under modern law to something that was written in 1992.
5. The DirNSA has a vested interest in the collection of intelligence and the security of US GOVERNMENT systems as his primary responsibilities. Securing US private entities is way down his list of priorities and if in conflict with his primary missions will take a back seat. Not treason my friend just focus on his mission.
I believed at the time that he was causing Very Grave Harm to National Security Interests, through their actions to try to force the standardization on poor encryption algorithms and prohibit the use of strong crypto. As far as that statement goes, I believe that it is as true and applicable today as it was in 1992. -- Brad Knowles <brad@shub-internet.org>
On 12/04/2017 04:06 PM, Grant Taylor via NANOG wrote:
In my naive opinion, there are some subtle differences with where "the linux box you can ssh into" resides.
Namely, when I ran my server at home, it took a search warrant to legally enter my house to access the server, which I would be immediately made aware of. I can't say the same with the same degree of certainty for a server located in a co-location facility.
I'm obviously ignoring someone compromising the system across the network. Though even then, I can disconnect the server from the outside world and still access it from my home.
If you're really worried about this, separate your mail storage from the mail transport. Run an inbound and outbound smarthost on your $5 VPS to queue up mail and deliver it back to your house where your long term mail is stored. This gives you the benefit of the static IP at the VPS along with the security and cheap storage of having the mail storage in house.
If you're worried about the short amount of time that messages are queued up on your VPS before making it to your house then you really shouldn't be communicating over email.
On Dec 4, 2017, at 4:42 PM, Andy Brezinsky <andy@mbrez.com> wrote:
If you're really worried about this, separate your mail storage from the mail transport. Run an inbound and outbound smarthost on your $5 VPS to queue up mail and deliver it back to your house where your long term mail is stored. This gives you the benefit of the static IP at the VPS along with the security and cheap storage of having the mail storage in house.
The concept is sound, but attempting to use your $5 VPS as your outbound mail relay is only going to end in pain and tears -- your VPS cannot have or build a good enough reputation to get reliable delivery to the big mail providers. You need to use an outbound mail relay that already has a good reputation, and that works hard to continue to maintain that reputation. As for handling your inbound mail, use something like imapsync and then effectively treat your IMAP provider as a POP3 provider instead, and download/delete the messages from their system as soon as they have been copied to your local system. The bad guys could tap into the stream of mail that flows through that system, but they wouldn't be able to get into your archive of old mail without breaking into the box sitting in your house. -- Brad Knowles <brad@shub-internet.org>
On 12/04/2017 03:47 PM, Brad Knowles wrote:
The concept is sound, but attempting to use your $5 VPS as your outbound mail relay is only going to end in pain and tears -- your VPS cannot have or build a good enough reputation to get reliable delivery to the big mail providers. You need to use an outbound mail relay that already has a good reputation, and that works hard to continue to maintain that reputation.
My experience shows otherwise. I've been using a VPS as my primary mail server for > 2 years and have only been blacklisted once. Even that was a 12 hour automated listing because I sent one message to an address I had not used in 7 years, which had since been converted into a spam trap. I've also known others that use VPSs for this exact thing with considerable success.
As for handling your inbound mail, use something like imapsync and then effectively treat your IMAP provider as a POP3 provider instead, and download/delete the messages from their system as soon as they have been copied to your local system.
Why? Having a different provider handle inbound will require them supporting your domain(s). Why not handle inbound email directly?
The bad guys could tap into the stream of mail that flows through that system, but they wouldn't be able to get into your archive of old mail without breaking into the box sitting in your house.
S/MIME / PGP }:-) -- Grant. . . . unix || die
I run my own mailserver... On Mon, Dec 4, 2017 at 3:00 PM, Grant Taylor via NANOG <nanog@nanog.org> wrote:
On 12/04/2017 03:47 PM, Brad Knowles wrote:
The concept is sound, but attempting to use your $5 VPS as your outbound mail relay is only going to end in pain and tears -- your VPS cannot have or build a good enough reputation to get reliable delivery to the big mail providers. You need to use an outbound mail relay that already has a good reputation, and that works hard to continue to maintain that reputation.
My experience shows otherwise.
I've been using a VPS as my primary mail server for > 2 years and have only been blacklisted once. Even that was a 12 hour automated listing because I sent one message to an address I had not used in 7 years, which had since been converted into a spam trap.
I've also known others that use VPSs for this exact thing with considerable success.
As for handling your inbound mail, use something like imapsync and then effectively treat your IMAP provider as a POP3 provider instead, and download/delete the messages from their system as soon as they have been copied to your local system.
Why? Having a different provider handle inbound will require them supporting your domain(s). Why not handle inbound email directly?
The bad guys could tap into the stream of mail that flows through that system, but they wouldn't be able to get into your archive of old mail without breaking into the box sitting in your house.
S/MIME / PGP }:-)
-- Grant. . . . unix || die
On Mon 2017-12-04 16:00:11-0700 Grant wrote:
I've been using a VPS as my primary mail server for > 2 years and have only been blacklisted once. Even that was a 12 hour automated listing because I sent one message to an address I had not used in 7 years, which had since been converted into a spam trap.
I've also known others that use VPSs for this exact thing with considerable success.
I do the same thing, with pretty much the same experience. One initial blacklist hiccup that was easily resolved. I ran my mail server at home for a while, but after a few storm-related outages I switched to a cheap VPS doing store-and-forward. You can also shop around to get some storage (20-50GB) that you can use for remote backups of critical files (encrypted, of course). I find Low End Box <https://lowendbox.com/> is a good resource for finding VPS providers. You will have to pay attention if you want IPv6 support, as it's far from universal. -- Robert Story <http://www.isi.edu/~rstory> USC Information Sciences Institute <http://www.isi.edu/>
In my experience creating new mail servers that use IP addresses belonging to dedicated hosting/colocation/VPS companies (this is *after* all of the obvious setup things like having a real static IP, A records, PTR records, SPF and DKIM set up properly are taken care of, so that a public-facing smtpd can exchange mail with the world):
a) The closer the company is to the lower price end of the market, the more likely the IP space is to be in a bunch of RBLs or have "poor" reputation from major mail destinations like gmail and office365. People buy $5/mo VPS for testing stuff and accidentally run open relays, get a whole /24 blacklisted, and so forth.
b) IP space that has been previously used by higher-end dedicated server customers (people who are paying $400/mo for a beefy machine vs. a $35/mo Intel Atom) is proportionally less likely to be in RBLs, is more likely to have abuse contacts at the ISP who will work with RBL operators to get it removed if necessary, and so forth.
c) The "best" IP space to run a mail server from is a block that has never had any sort of dedicated server/colo/VPS customers in it whatsoever, and has not had a bunch of random people running smtp daemons in it at some point in the previous 10-15 years.
On Mon, Dec 4, 2017 at 3:00 PM, Grant Taylor via NANOG <nanog@nanog.org> wrote:
On 12/04/2017 03:47 PM, Brad Knowles wrote:
The concept is sound, but attempting to use your $5 VPS as your outbound mail relay is only going to end in pain and tears -- your VPS cannot have or build a good enough reputation to get reliable delivery to the big mail providers. You need to use an outbound mail relay that already has a good reputation, and that works hard to continue to maintain that reputation.
My experience shows otherwise.
I've been using a VPS as my primary mail server for > 2 years and have only been blacklisted once. Even that was a 12 hour automated listing because I sent one message to an address I had not used in 7 years, which had since been converted into a spam trap.
I've also known others that use VPSs for this exact thing with considerable success.
As for handling your inbound mail, use something like imapsync and then effectively treat your IMAP provider as a POP3 provider instead, and download/delete the messages from their system as soon as they have been copied to your local system.
Why? Having a different provider handle inbound will require them supporting your domain(s). Why not handle inbound email directly?
The bad guys could tap into the stream of mail that flows through that system, but they wouldn't be able to get into your archive of old mail without breaking into the box sitting in your house.
S/MIME / PGP }:-)
-- Grant. . . . unix || die
I'm not personally really worried about this. - I was just calling out that it is a difference. For others that do care. ;-) On 12/04/2017 03:42 PM, Andy Brezinsky wrote:
If you're really worried about this, separate your mail storage from the mail transport. Run an inbound and outbound smarthost on your $5 VPS to queue up mail and deliver it back to your house where your long term mail is stored. This gives you the benefit of the static IP at the VPS along with the security and cheap storage of having the mail storage in house.
I agree that the VPS Smart Host is a good solution. However that puts you in a position that you are now administering multiple mail servers. I'd suggest that people new to mail servers stick with a single $5 ~ $10 / month VPS that does all of the roles. - Then graduate to the multiple server solution.
If you're worried about the short amount of time that messages are queued up on your VPS before making it to your house then you really shouldn't be communicating over email.
I think it depends what part of the communications you're worried about. S/MIME and PGP tend to cover a lot of the (non-metadata) concern. -- Grant. . . . unix || die
In article <e726b3a2-4dbf-9db6-a695-95b483001036@spamtrap.tnetconsulting.net> you write:
On 12/04/2017 02:24 PM, John Levine wrote:
From your point of view, it's a linux box you can ssh into and manage the same way you'd manage linux on a small physical machine.
Namely, when I ran my server at home, it took a search warrant to legally enter my house to access the server, which I would be immediately made aware of.
Your life appears to be much more exciting than the rest of ours. I've been running mail servers in various places including my house for the past 30 years, with no attention from law enforcement at all. R's, John
On 12/04/2017 06:46 PM, John Levine wrote:
Your life appears to be much more exciting than the rest of ours.
I've been running mail servers in various places including my house for the past 30 years, with no attention from law enforcement at all.
I believe my comment "it took a search warrant" was taken slightly out of context. Nothing like that ever happened. I was meaning to imply that I believe it would be more difficult to access the server at my house than at a co-lo / hosting facility. I'm speaking in the hypothetical with zero experience. -- Grant. . . . unix || die
In article <0f7a39b9-efee-54d6-d449-081c7825cdec@spamtrap.tnetconsulting.net> you write:
I was meaning to imply that I believe it would be more difficult to access the server at my house than at a co-lo / hosting facility.
Depends on the hosting facility. My server is in a locked room that used to contain printing presses, so it's pretty sturdy. I expect the hosting provider would be sceptical if someone showed up with a subpoena. For that matter, due to the somewhat informal way the IPs are managed (I'm borrowing a block from a local ISP who doesn't currently need it), it's rather hard to figure out where the server is. See if you can tell me where the host mail.iecc.com is physically located. R's, John
On 12/04/2017 02:06 PM, Grant Taylor via NANOG wrote:
Namely, when I ran my server at home, it took a search warrant to legally enter my house to access the server, which I would be immediately made aware of. I can't say the same with the same degree of certainty for a server located in a co-location facility.
It takes a search warrant for co-located gear, but the warrants I received as a rack monkey at a Web hosting company were served on the company, not on the customer, and those warrants included gag orders -- I could not inform the customer that his equipment had its hard disk copied. (Now THERE's a story, but you will have to buy me beer to hear it.) Mail tap orders? Same deal, had to do narrow captures and not speak a word of it to anyone. (IRS warrant in that case. And if you think I'm violating the gag order, that was 11 years ago.)
On 12/03/2017 10:08 AM, Filip Hruska wrote:
It's kind of a pain to manage a mail server.
I disagree. I have been running my own mail server for > 15 years and extremely happy with it. I spend less than an hour a month needing to do things to it. Usually that's just the same type of OS updates that I do to my workstation. Having my own mail server gives me a LOT more flexibility than relying on someone else's mail server. -- Grant. . . . unix || die
On Sun, Dec 3, 2017 at 10:31 AM, Grant Taylor via NANOG <nanog@nanog.org> wrote:
On 12/03/2017 10:08 AM, Filip Hruska wrote:
It's kind of a pain to manage a mail server.
I disagree.
I have been running my own mail server for > 15 years and extremely happy with it.
I spend less than an hour a month needing to do things to it. Usually that's just the same type of OS updates that I do to my workstation.
Having my own mail server gives me a LOT more flexibility than relying on someone else's mail server.
For those of us who have the savvy to do so competently, sure. For others, the key word may be "provider". Setting up a Linode server on static IP space (to avoid being blacklisted), setting up greylisting, antivirus/antispam (maybe?), STARTTLS, etc. ... Maybe the OP is interested in outsourcing all of that - letting someone else stay current with patching, spammer tactics, etc. Royce
On 12/03/2017 12:55 PM, Royce Williams wrote:
Maybe the OP is interested in outsourcing all of that - letting someone else stay current with patching, spammer tactics, etc.
You make a fair point. My point is that it is possible to do yourself /if/ you want to do so. Everyone has to make their own decision. - My goal is to provide information to help make said decision. -- Grant. . . . unix || die
On Sun, Dec 03, 2017 at 05:08:33PM +0000, Filip Hruska wrote:
I personally run my own mail server, but route outgoing emails via Amazon SES.
Not a good idea. Amazon's cloud operations are a constant source of spam and abuse (e.g., brute-force SSH attacks), they refuse to accept complaints per RFC 2142, and -- apparently -- they simply don't care to do anything about it. I've had SES blacklisted in my MTA for years (among other preventative measures) and highly recommend to others. ---rsk
As an anecdotal aside, approx. 70% of incoming portscanners/rdp bots/ssh bots/etc that hit the firewalls at my sites are coming from AWS. I used to send abuse emails but eventually gave up after receiving nothing beyond "well, aws ip's are dynamic/shared so we can't help you"
-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Rich Kulawiec
Sent: Monday, December 4, 2017 2:27 AM
To: nanog@nanog.org
Subject: Re: Suggestions for a more privacy conscious email provider
On Sun, Dec 03, 2017 at 05:08:33PM +0000, Filip Hruska wrote:
I personally run my own mail server, but route outgoing emails via Amazon SES.
Not a good idea. Amazon's cloud operations are a constant source of spam and abuse (e.g., brute-force SSH attacks), they refuse to accept complaints per RFC 2142, and -- apparently -- they simply don't care to do anything about it. I've had SES blacklisted in my MTA for years (among other preventative measures) and highly recommend to others. ---rsk
On Monday, 4 December, 2017 04:20, Edwin Pers <EPers@ansencorp.com> wrote:
As an anecdotal aside, approx. 70% of incoming portscanners/rdp bots/ssh bots/etc that hit the firewalls at my sites are coming from AWS.
I used to send abuse emails but eventually gave up after receiving nothing beyond "well, aws ip's are dynamic/shared so we can't help you"
I tried, once upon a time, to run my private SMTP server as an AWS machine. What a disaster, even with a rubber band IP or whatever it is they call a static IP assignment. Tried sending through SES and that was just as bad. Moved it to a Linode and set up the appropriate DNS including the rDNS delegations and it has been perfectly fine (both on IPv4 and IPv6). I do recall having to do something to get it to initially work (maybe Linode does some outbound blocking of port 25 -- I don't remember exactly as it was several years ago). I know of a couple of other folks that run SMTP on Linodes and a couple of big mailing lists as well, all of which seem to work with no problems. Never had any problems with any listings on any of several hundred DNSbl either. Plus of course it is a pretty cheap way to get a reliable server (albeit virtual) on decently connected and configured infrastructure.
--- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
On Mon, Dec 04, 2017 at 11:19:56AM +0000, Edwin Pers wrote:
As an anecdotal aside, approx. 70% of incoming portscanners/rdp bots/ssh bots/etc that hit the firewalls at my sites are coming from AWS.
Similar observations here. I have found it useful to attempt to enumerate their network allocations and block them from access to any service that requires authentication, e.g., ssh, pops, imaps, etc. Not a panacea by any means, but it does cut down on the noise. ---rsk
AWS is probably the biggest cloud provider in the world. Of course the majority of junk is going to be coming from their network, simply because they are that big. However, I really wanted to see what the bot statistics for my mail server were so I scanned my `Postfix` and `secure` log files for "access denied" entries. In the past 10 hours, there were:
* 573 Postfix SASL Auth Failed entries from 106 different IPs
* 1479 SSH Auth Failed attempts from 13 different IPs
I see lots of OVH, Azure, home/business connection providers (TELSTRA Australia, lot of Asian stuff, Telefonica, Vodafone, Verizon...), some random cloud/dedicated server provider here and there... but not a single Amazon IP - which surprised me quite a bit actually. For reference, this server is with OVH in France and does not have fail2ban installed. Postfix has connection rate limiting enabled though.
On another note, I wouldn't recommend blatantly blacklisting anyone, especially not large service/platform/infrastructure providers. Many businesses (such as e-shops) rely completely on AWS (or other cloud) infrastructure. If you don't receive emails containing order details or invoices because you completely blacklisted them... well, that's your problem. If your server is set up correctly, those bots are completely harmless and spamassassin will destroy 99.9% of spam emails, which I call success. The other 0.1% that goes through (that one email a week) I can delete manually.
Regards
-- Filip Hruska Linux System Administrator
On 12/4/17 at 12:19, Edwin Pers wrote:
As an anecdotal aside, approx. 70% of incoming portscanners/rdp bots/ssh bots/etc that hit the firewalls at my sites are coming from AWS. I used to send abuse emails but eventually gave up after receiving nothing beyond "well, aws ip's are dynamic/shared so we can't help you"
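Filip's tally above (failed SMTP AUTH and SSH logins, counted per source address) and Rich's earlier suggestion of checking which failures originate from a given provider's published address ranges are both a few lines of log parsing. The script below is an added example, not code from anyone in this thread: it walks constructed Postfix/smtpd and sshd log lines (RFC 5737 documentation addresses), counts failures and distinct sources per service, and then attributes them against a placeholder prefix list that stands in for a provider's allocation data. The log formats are the standard Postfix SASL-failure and OpenSSH "Failed password" lines; the prefixes are invented for the example and are not real provider ranges.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample log lines (not from the thread); addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Dec  4 08:12:01 mail postfix/smtpd[12345]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec  4 08:12:03 mail postfix/smtpd[12345]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec  4 08:12:09 mail postfix/smtpd[12346]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed:
Dec  4 08:12:11 mail sshd[2345]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Dec  4 08:12:12 mail sshd[2345]: Failed password for invalid user admin from 198.51.100.7 port 51236 ssh2
Dec  4 08:12:15 mail sshd[2350]: Failed password for root from 192.0.2.44 port 40000 ssh2
Dec  4 08:12:20 mail sshd[2351]: Accepted publickey for alice from 192.0.2.10 port 40100 ssh2
Dec  4 08:12:30 mail postfix/smtpd[12347]: connect from mx.example.net[192.0.2.10]
"""

# Placeholder prefixes standing in for a provider's published allocations (constructed, not real ranges).
CLOUD_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Postfix logs a failed SMTP AUTH as "warning: <host>[<ip>]: SASL <mech> authentication failed".
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[([0-9a-fA-F.:]+)\]: SASL \w+ authentication failed"
)
# OpenSSH logs a failed password login as "Failed password for [invalid user] <name> from <ip> port <n>".
SSH_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from ([0-9a-fA-F.:]+) port \d+"
)


def scan_auth_failures(log_text):
    """Return {'smtp': Counter(ip -> failures), 'ssh': Counter(ip -> failures)}."""
    hits = {"smtp": Counter(), "ssh": Counter()}
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            hits["smtp"][m.group(1)] += 1
            continue
        m = SSH_RE.search(line)
        if m:
            hits["ssh"][m.group(1)] += 1
    return hits


def summarize(hits):
    """Per service: (total failed attempts, number of distinct source IPs)."""
    return {svc: (sum(c.values()), len(c)) for svc, c in hits.items()}


def in_prefixes(ip, prefixes):
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


def attribute_sources(hits, prefixes):
    """Per service: how many failures came from the given prefixes versus everywhere else."""
    out = {}
    for svc, counter in hits.items():
        inside = sum(n for ip, n in counter.items() if in_prefixes(ip, prefixes))
        out[svc] = {"from_prefixes": inside, "other": sum(counter.values()) - inside}
    return out


if __name__ == "__main__":
    hits = scan_auth_failures(SAMPLE_LOG)
    for svc, (total, ips) in summarize(hits).items():
        print(f"{svc}: {total} failed auths from {ips} distinct IPs")
    print(attribute_sources(hits, CLOUD_PREFIXES))
```

To run it against a real box, replace `SAMPLE_LOG` with the contents of the Postfix and `secure`/`auth.log` files and `CLOUD_PREFIXES` with the networks you actually want to attribute; the "Accepted publickey" and "connect from" lines show that successful logins and plain connections are deliberately not counted.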
On Mon, Dec 04, 2017 at 05:59:30PM +0000, Filip Hruska wrote:
AWS is probably the biggest cloud provider in the world. Of course the majority of junk is going to be coming from their network, simply because they are that big.
This is incorrect reasoning. Because they're the biggest cloud provider in the world, they should send the least amount of junk: the larger an operation is, the easier abuse detection/prevention gets. [1] They have -- for all practical purposes -- unlimited computing resources, unlimited personnel resources, and unlimited financial resources. Shouldn't they be leading? Shouldn't they be more professional, more competent, more diligent than all of us? Shouldn't they be the exemplar for How To Do It Right? ---rsk [1] I don't expect them, or anyone else, to catch everything all the time. There are always unpleasant surprises. But there is absolutely no excuse for systemic, chronic abuse, for failure to accept abuse reports, for failure to respond to them quickly, for failure to act on them promptly, for failure to prevent repeat incidents, or for failure to apologize.
On Dec 4, 2017, at 6:34 PM, Rich Kulawiec <rsk@gsp.org> wrote:
---rsk
[1] I don't expect them, or anyone else, to catch everything all the time. There are always unpleasant surprises. But there is absolutely no excuse for systemic, chronic abuse, for failure to accept abuse reports, for failure to respond to them quickly, for failure to act on them promptly, for failure to prevent repeat incidents, or for failure to apologize.
Not from what I've seen: most get big fast, and then security follows as a secondary concern. Name your ISP, your Cloud, and your Virtual Environment. Comcast and AOL used to be hell for spam, then they started blocking SMTP, or in AOL's case sort of went out of business till the VZ buyout. From what I've noticed, OVH is sort of the same, got big quick and was one of the biggest spammers around, they have finally gotten their act together IMHO. Linode from what I remember hasn't been that bad, a couple of hacked servers of course, but par for the course and kept things manageable and responsive to my requests. Main point I think is mailops comes with a learning curve, and it happens...
On Mon, Dec 04, 2017 at 07:38:18PM -0500, Eric Tykwinski wrote:
Main point I think is mailops comes with a learning curve, and it happens...
"Current Peeve: The mindset that the Internet is some sort of school for novice sysadmins and that everyone *not* doing stupid dangerous things should act like patient teachers with the ones who are." --- Bill Cole ---rsk
On 12/05/2017 02:59 AM, Rich Kulawiec wrote:
On Mon, Dec 04, 2017 at 07:38:18PM -0500, Eric Tykwinski wrote:
Main point I think is mailops comes with a learning curve, and it happens...
"Current Peeve: The mindset that the Internet is some sort of school for novice sysadmins and that everyone *not* doing stupid dangerous things should act like patient teachers with the ones who are."
--- Bill Cole
---rsk
Indeed. What Ajit Pai missed in his deliberations for the Dec 14 FCC vote is that the Internet as we know it was developed under the stern eyes of the Department of Defense and the National Science Foundation. The NSF in particular ran the 'Net like bouncers do in a strip club: you break the rules, you go. No argument. The original trust model for the Internet was based on this unrelenting oversight. You didn't expect Bad Things(tm) because the consequences of doing them were so severe: banishment and exile. Also, the technical ability required to do Bad Things(tm) wasn't easily won. Accessing the 'Net was a PRIVILEGE, not a right. Abuse at your own peril. Organizations had experienced sysadmins because it was imperative to the survival of the connection to the 'Net. One gained experience by being apprenticed to some experienced sysadmin. Today: not so much. Indeed, I'm not aware of any certification that applies to system administrators. Network administrators have certs that are well-recognized and accepted. Mail admins? Server admins? The certs that are out there border on jokes or disguised sales pitches. (Not unlike a certain operating system and software product vendor who put "free" copies into schools to build their marketing base.) Ok, I'll shut up now.
Thirty years ago I started my sysadmin journey on an Internet that was filled with helpful, experienced people that were willing to share their knowledge. Twenty years ago I was one of three people running CA*net, the cross-Canada research Internet with three connections to the NSFnet. I don't remember this world of banishment and exile you're discussing; the NSFnet staff I dealt with were all friendly and helpful. I plan to continue to "pay it forward", by being friendly and helpful to "novice sysadmins". The curmudgeons in this thread can, frankly, get off my lawn. -- Harald
On 12/05/2017 08:17 AM, Harald Koch wrote:
Thirty years ago I started my sysadmin journey on an Internet that was filled with helpful, experienced people that were willing to share their knowledge.
Twenty years ago I was one of three people running CA*net, the cross-Canada research Internet with three connections to the NSFnet. I don't remember this world of banishment and exile you're discussing; the NSFnet staff I dealt with were all friendly and helpful.
I plan to continue to "pay it forward", by being friendly and helpful to "novice sysadmins". The curmudgeons in this thread can, frankly, get off my lawn.
Exactly right. If there were some high priesthood for being able to put stuff on the net, there would be no net as we know it. This is a feature, not a bug. Mike
On 12/05/2017 09:17 AM, Harald Koch wrote:
Thirty years ago I started my sysadmin journey on an Internet that was filled with helpful, experienced people that were willing to share their knowledge.
The vast majority of what I've experienced in the last ~20 years has been people willing to help others who are trying to help themselves. If you are trying, make an honest mistake, and are willing to correct it when others politely let you know, you will quite likely find people willing to help you. Especially if you return the favor in kind. If you are being a hooligan and not responding to problems reported to you or purposefully ~> wantonly doing things to others ... good luck. -- Grant. . . . unix || die
Subject of interest; in my 15 years of experience I met a blend of senior admins while learning the curves ......
1. Those who denied you knowledge/handover due to insecurity
2. Those who fed you with knowledge but were rude and could make you feel like you were undergoing some military training
3. Those who gave you manuals and told you go and read; hardcopy was a common thing - I could deliberately stay back in the office and print a whole library :-)
4. The rare breed that walked you through sysadmins !
Right now it seems the tables have turned around; I already feel I have come to the end of the road as sysadmin but on a lighter note - I have been working hard on passing knowledge down and these are the new blend of people I have met.
1. Those willing to learn are very obedient but for some reason not up to the task
2. Those who know everything you try to teach them; are kinda rude and they bring down systems - lab systems
3. Those who commit to be taught but never show up for free lessons despite offering them free lunch :-)
4. A rare young breed that teaches me mobile apps and new games online - the 90's champs !
5. A rare breed that goes the extra mile; sacrifice time and money to learn !
I love 4 & 5 !
On Tue, Dec 5, 2017 at 7:54 PM, Grant Taylor via NANOG <nanog@nanog.org> wrote:
On 12/05/2017 09:17 AM, Harald Koch wrote:
Thirty years ago I started my sysadmin journey on an Internet that was filled with helpful, experienced people that were willing to share their knowledge.
The vast majority of what I've experienced in the last ~20 years has been people willing to help others who are trying to help themselves.
If you are trying, make an honest mistake, and are willing to correct it when others politely let you know, you will quite likely find people willing to help you. Especially if you return the favor in kind.
If you are being a hooligan and not responding to problems reported to you or purposefully ~> wantonly doing things to others ... good luck.
-- Grant. . . . unix || die
-- Samson Oduor
And then, let's not forget the BOFH! (http://www.bofharchive.com), and Mordac. On 12/5/17 11:40 AM, Sam Oduor wrote:
Subject of interest; my 15 years experience I met a blend of senior admins while learning the curves ......
1. Those who denied you knowledge/handover due to insecurity
2. Those who fed you with knowledge but were rude and could make you feel like you were undergoing some military training
3. Those who gave you manuals and told you go and read; hardcopy was a common thing - I could deliberately stay back in the office and print a whole library :-)
4. The rare breed that walked you through sysadmins !
Right now it seems the tables have turned around; I already feel I have come to the end of the road as sysadmin but on a lighter note - I have been working hard on passing knowledge down and these are the new blend of people I have met.
1. Those willing to learn are very obedient but for some reason not up to the task
2. Those who know everything you try to teach them; are kinda rude and they bring down systems - lab systems
3. Those who commit to be taught but never show up for free lessons despite offering them free lunch :-)
4. A rare young breed that teaches me mobile apps and new games online - the 90's champs !
5. A rare breed that goes the extra mile; sacrifice time and money to learn !
I love 4 & 5 !
-- In theory, there is no difference between theory and practice. In practice, there is. .... Yogi Berra
Should have an honorary list of great sysadmins. In my years of doing this sort of work, I found a number of folks that would lend a helping hand. To that, I would like to nominate:
Strata Rose Chalup
------------------
Strata Rose Chalup began as a novice sysadmin in 1983 and has been leading and managing complex IT projects ever since. She is a co-author of The Practice of System and Network Administration and has taught at USENIX Annual Tech and LISA for many years. Strata is always looking at new technologies and is currently enjoying learning the Arduino microcontroller platform. [text from her USENIX conference page]
On 12/5/17 11:23 AM, Miles Fidelman wrote:
And then, let's not forget the BOFH! (http://www.bofharchive.com), and Mordac.
On Tue, Dec 05, 2017 at 09:54:21AM -0700, Grant Taylor via NANOG wrote:
The vast majority of what I've experienced in the last ~20 years has been people willing to help others who are trying to help themselves.
"Help will always be given at Hogwarts to those who ask for it."
If you are trying, make an honest mistake, and are willing to correct it when others politely let you know, you will quite likely find people willing to help you. Especially if you return the favor in kind.
Yes. That's how we all get better at this. And when any of us learn, we all benefit, so it's in our mutual best interest to share knowledge. (I've learned more here than I can measure. And I'm grateful for it.)
If you are being a hooligan and not responding to problems reported to you or purposefully ~> wantonly doing things to others ... good luck.
And the latter is the problem: we are faced, unfortunately, with massive operations that were designed, built, and deployed without the slightest consideration for responsible behavior toward the rest of the Internet. All the rest of us are paying the price for that arrogance, incompetence and negligence: we're paying for it with DoS/DDoS defenses, with spam and phish defenses, with brute-force attack defenses, with time and money and computing resources, with complexity, with late nights and early mornings, with annoyed customers, and -- on the occasions when those defenses fail -- devastating consequences for organizations and people. These costs aren't always obvious because they're not highlighted line items in an accounting statement. But they're real, and they're huge. How huge? Well, one measure could be found in the observation that there's now an entire -- large and growing -- market segment that exists solely to mitigate the fallout from these operations. And those same massive operations are doing everything they possibly can to avoid hearing about any of this. That's why abuse@ is effectively hardwired to /dev/null. And I note with interest that nobody from AWS has had the professionalism to show up in this thread and say "Gosh, we're sorry. We screwed up. We'll try to do better. Can you help us?" Because we would. ---rsk
On Wednesday, 6 December, 2017 03:53, Rich Kulawiec <rsk@gsp.org> wrote:
On Tue, Dec 05, 2017 at 09:54:21AM -0700, Grant Taylor via NANOG wrote:
If you are trying, make an honest mistake, and are willing to correct it when others politely let you know, you will quite likely find people willing to help you. Especially if you return the favor in kind.
Yes. That's how we all get better at this. And when any of us learn, we all benefit, so it's in our mutual best interest to share knowledge. (I've learned more here than I can measure. And I'm grateful for it.)
If you are being a hooligan and not responding to problems reported to you or purposefully ~> wantonly doing things to others ... good luck.
And the latter is the problem: we are faced, unfortunately, with massive operations that were designed, built, and deployed without the slightest consideration for responsible behavior toward the rest of the Internet.
And here for all these years I thought the bargain was that you agree to carry my traffic without molestation and in return I covenant not to molest your infrastructure or create a nuisance or mess that you have to mitigate or clean up. Of late this thinking seems to have gone mostly by the wayside. It used to be that only the deliberate/wanton transgressors violated that covenant; however, it seems that molestation and nuisance creation have been spreading like an epidemic for a number of years. In fact it is quite common these days that if one brings up in discussion that to act in a certain manner would create a nuisance that others have to clean up, and therefore you need to take special precautions to not create the nuisance in the first place, it seems all too often to be a cause for derision which, in my experience, results in not being invited to participate further. It also seems quite common that when these people then go ahead with their ill-conceived plans and obtain the result you told them would accrue, they act all surprised and astonished. The "Well, I did warn you" usually does not go over too well.
I disagree that nobody cares about abuse. I actually received an abuse report from SES as someone thought it would be funny to flag my previous email I sent to this discussion as spam. https://i.imgur.com/RgQa2fN.png
-- Filip Hruska Linux System Administrator
The day the secret service and the FBI showed up asking me for a network audit due to suspicious traffic I realized that I need to take abuse@ seriously. "I'm only the network administrator" didn't go over well. I've always been more than willing to share knowledge and skill training with those who show interest and talent; the more qualified and interested people involved, the better, in my opinion. Making the club "exclusive" by requiring thousands of dollars of training and testing is just another method of control and elitism. On Wed, Dec 6, 2017 at 9:38 AM, Filip Hruska <fhr@fhrnet.eu> wrote:
I disagree that nobody cares about abuse.
I actually received an abuse report from SES as someone thought it would be funny to flag my previous email I sent to this discussion as spam. https://i.imgur.com/RgQa2fN.png
-- Filip Hruska Linux System Administrator
-- Nate Metheny natemetheny@gmail.com
On 12/6/17 09:16, Nate Metheny wrote:
I've always been more than willing to share knowledge and skill training with those who show interest and talent; the more qualified and interested people involved, the better, in my opinion. Making the club "exclusive" by requiring thousands of dollars of training and testing is just another method of control and elitism.
Is it elitism that professional engineers (structural, mechanical, civil, etc.) be educated with required experience as a junior engineer before they can take the PE exam?
On 12/06/2017 09:27 AM, Seth Mattinen wrote:
On 12/6/17 09:16, Nate Metheny wrote:
I've always been more than willing to share knowledge and skill training with those who show interest and talent; the more qualified and interested people involved, the better, in my opinion. Making the club "exclusive" by requiring thousands of dollars of training and testing is just another method of control and elitism.
Is it elitism that professional engineers (structural, mechanical, civil, etc.) be educated with required experience as a junior engineer before they can take the PE exam?
The internet has done pretty well without a guild thus far. The onus for regulation should be on the wannabe-guild builders. Mike
On 12/06/2017 09:27 AM, Seth Mattinen wrote:
On 12/6/17 09:16, Nate Metheny wrote:
I've always been more than willing to share knowledge and skill training with those who show interest and talent; the more qualified and interested people involved, the better, in my opinion. Making the club "exclusive" by requiring thousands of dollars of training and testing is just another method of control and elitism.
Is it elitism that professional engineers (structural, mechanical, civil, etc.) be educated with required experience as a junior engineer before they can take the PE exam?
What professional engineers you mentioned do can kill people. I have yet to hear of anyone dying from a sysadmin or netadmin screwing up. (Other than dropping something heavy onto someone, using a fork lift incompetently, or building an unsafe raised floor.)
In a message written on Wed, Dec 06, 2017 at 10:51:32AM -0800, Stephen Satchell wrote:
What professional engineers you mentioned do can kill people. I have yet to hear of anyone dying from a sysadmin or netadmin screwing up. (Other than dropping something heavy onto someone, using a fork lift incompetently, or building an unsafe raised floor.).
Some of the folks on this list run networks that carry 911 phone calls. A call not going through may well result in fatalities. I'm personally torn, I think the "Professional Engineer" things are 75% racket, and 25% good, but I also think the 'net continues to miss out on the 25% good and could seriously use some of it. -- Leo Bicknell - bicknell@ufp.org PGP keys at http://www.ufp.org/~bicknell/
On 6 December 2017 at 13:51, Stephen Satchell <list@satchell.net> wrote:
What professional engineers you mentioned do can kill people. I have yet to hear of anyone dying from a sysadmin or netadmin screwing up.
Oh c'mon. Now you're being deliberately obtuse. I work IT for a hospital. Everything I do has the potential to affect patient safety, and we do have documented cases of patients dying from IT mishaps. Perhaps do your research before spouting off more of these unsubstantiated claims? -- Harald
On Wed, Dec 06, 2017 at 02:18:07PM -0500, Harald Koch wrote:
On 6 December 2017 at 13:51, Stephen Satchell <list@satchell.net> wrote:
What professional engineers you mentioned do can kill people. I have yet to hear of anyone dying from a sysadmin or netadmin screwing up.
Oh c'mon. Now you're being deliberately obtuse.
I work IT for a hospital. Everything I do has the potential to affect patient safety, and we do have documented cases of patients dying from IT mishaps.
Perhaps do your research before spouting off more of these unsubstantiated claims?
Like the famous case of the Therac-25 machine. Programmers, not sysadmins, but same idea.
On Wed, Dec 6, 2017 at 1:51 PM, Stephen Satchell <list@satchell.net> wrote:
What professional engineers you mentioned do can kill people. I have yet to hear of anyone dying from a sysadmin or netadmin screwing up. (Other than dropping something heavy onto someone, using a fork lift incompetently, or building an unsafe raised floor.).
I want pictures of the unsafe raised floor. -Bill -- William Herrin ................ herrin@dirtside.com bill@herrin.us Dirtside Systems ......... Web: <http://www.dirtside.com/>
All industries have risks associated. In our Sysadmin context - though I have not heard of any yet - a case scenario of telesurgery/remote surgery. In the midst of this operation - a misconfiguration by either a netadmin (BGP) or sysadmin (DNS) resulting in downtime cutting off communication = catastrophic end results. On Wed, Dec 6, 2017 at 11:56 PM, William Herrin <bill@herrin.us> wrote:
On Wed, Dec 6, 2017 at 1:51 PM, Stephen Satchell <list@satchell.net> wrote:
What professional engineers you mentioned do can kill people. I have yet to hear of anyone dying from a sysadmin or netadmin screwing up. (Other than dropping something heavy onto someone, using a fork lift incompetently, or building an unsafe raised floor.).
I want pictures of the unsafe raised floor.
-Bill
-- William Herrin ................ herrin@dirtside.com bill@herrin.us Dirtside Systems ......... Web: <http://www.dirtside.com/>
-- Samson Oduor
On Wed, Dec 6, 2017 at 1:51 PM, Stephen Satchell <list@satchell.net> wrote:
What professional engineers you mentioned do can kill people. I have yet to hear of anyone dying from a sysadmin or netadmin screwing up. (Other than dropping something heavy onto someone, using a fork lift incompetently, or building an unsafe raised floor.).
Military networks. Aviation. Hospitals. SCADA. The list goes on.
-- In theory, there is no difference between theory and practice. In practice, there is. .... Yogi Berra
People die all the time in our profession. Loss of job due to major failure… self-inflicted suicide or even homicide by a disgruntled employee due to others' negligent actions and laziness. It only amplifies and is less reported these days than in the dot.com boom era. But the higher the classification the more likely it's to happen, whether it's someone else or the person that made the "huge mistake". But this thread is really out of line and can go on forever. I would encourage others to not reply as I will not as well.
On Dec 6, 2017, at 19:39, Miles Fidelman <mfidelman@meetinghouse.net> wrote:
On Wed, Dec 6, 2017 at 1:51 PM, Stephen Satchell <list@satchell.net> wrote:
What professional engineers you mentioned do can kill people. I have yet to hear of anyone dying from a sysadmin or netadmin screwing up. (Other than dropping something heavy onto someone, using a fork lift incompetently, or building an unsafe raised floor.).
Military networks. Aviation. Hospitals. SCADA. The list goes on.
-- In theory, there is no difference between theory and practice. In practice, there is. .... Yogi Berra
In a message written on Tue, Dec 05, 2017 at 06:49:43AM -0800, Stephen Satchell wrote:
The NSF in particular ran the 'Net like bouncers do in a strip club: you break the rules, you go. No argument.
I'm not sure I've ever seen a more inaccurate description of the NSF. What in the world are you talking about?
The original trust model for the Internet was based on this unrelenting oversight. You didn't expect Bad Things(tm) because the consequences of doing them was so severe: banishment and exile. Also, the technical ability required to do Bad Things(tm) wasn't easily won. Accessing the 'Net was a PRIVILEGE, not a right. Abuse at your own peril.
Oh wait, you took the BS to a new level. There was no banishment and exile. This was before we knew of buffer overflows, spoofing, and so on. I remember the weekly sendmail buffer overrun bugs, the finger back bombs, the rlogin spoofing attacks. Turns out bored college students were very good at creating mischief. There was no banishment. There were plenty of bad things.
Ok, I'll shut up now.
Good plan. -- Leo Bicknell - bicknell@ufp.org PGP keys at http://www.ufp.org/~bicknell/
Back in the day, only Ph.D's used the internet, so they were the sysadmins. These days, I recommend that system administration be only allowed for card-holding responsible people who have proven their technical abilities. Then, when you get awarded your Ph.D, they can take your sysadmin card back. On Tue, Dec 5, 2017 at 8:33 AM, Leo Bicknell <bicknell@ufp.org> wrote:
In a message written on Tue, Dec 05, 2017 at 06:49:43AM -0800, Stephen Satchell wrote:
The NSF in particular ran the 'Net like bouncers do in a strip club: you break the rules, you go. No argument.
I'm not sure I've ever seen a more inaccurate description of the NSF. What in the world are you talking about?
The original trust model for the Internet was based on this unrelenting oversight. You didn't expect Bad Things(tm) because the consequences of doing them was so severe: banishment and exile. Also, the technical ability required to do Bad Things(tm) wasn't easily won. Accessing the 'Net was a PRIVILEGE, not a right. Abuse at your own peril.
Oh wait, you took the BS to a new level.
There was no banishment and exile. This was before we knew of buffer overflows, spoofing, and so on. I remember the weekly sendmail buffer overrun bugs, the finger back bombs, the rlogin spoofing attacks. Turns out bored college students were very good at creating mischief.
There was no banishment. There were plenty of bad things.
Ok, I'll shut up now.
Good plan.
-- Leo Bicknell - bicknell@ufp.org PGP keys at http://www.ufp.org/~bicknell/
Umm.. back in the day, only researchers & engineers used the ARPANET, and secretaries, and administrators, and very quickly lots of military ratings, ... By the time networks were connected to form the Internet, and particularly once university LANs and CANs were connected, you had students, hackers, pretty much all types using the Internet. And among those of us who actually built pieces of the thing, I don't remember a lot of PhDs - to much interesting work to be done for people to stay in school. On 12/5/17 11:15 AM, amuse wrote:
Back in the day, only Ph.D's used the internet, so they were the sysadmins.
These days, I recommend that system administration be only allowed for card-holding responsible people who have proven their technical abilities. Then, when you get awarded your Ph.D, they can take your sysadmin card back.
On Tue, Dec 5, 2017 at 8:33 AM, Leo Bicknell <bicknell@ufp.org> wrote:
In a message written on Tue, Dec 05, 2017 at 06:49:43AM -0800, Stephen Satchell wrote:
The NSF in particular ran the 'Net like bouncers do in a strip club: you break the rules, you go. No argument.
I'm not sure I've ever seen a more inaccurate description of the NSF. What in the world are you talking about?
The original trust model for the Internet was based on this unrelenting oversight. You didn't expect Bad Things(tm) because the consequences of doing them was so severe: banishment and exile. Also, the technical ability required to do Bad Things(tm) wasn't easily won. Accessing the 'Net was a PRIVILEGE, not a right. Abuse at your own peril.
Oh wait, you took the BS to a new level.
There was no banishment and exile. This was before we knew of buffer overflows, spoofing, and so on. I remember the weekly sendmail buffer overrun bugs, the finger back bombs, the rlogin spoofing attacks. Turns out bored college students were very good at creating mischief.
There was no banishment. There were plenty of bad things.
Ok, I'll shut up now.
Good plan.
-- Leo Bicknell - bicknell@ufp.org PGP keys at http://www.ufp.org/~bicknell/
-- In theory, there is no difference between theory and practice. In practice, there is. .... Yogi Berra
On Tue, Dec 5, 2017 at 9:49 AM, Stephen Satchell <list@satchell.net> wrote:
the Internet as we know it was developed under the stern eyes of the Department of Defense and the National Science Foundation. The NSF in particular ran the 'Net like bouncers do in a strip club: you break the rules, you go. No argument.
The original trust model for the Internet was based on this unrelenting oversight. You didn't expect Bad Things(tm) because the consequences of doing them was so severe: banishment and exile.
Hi Stephen, Granted I was a late arrival in 1991, but I don't recall much in the way of oversight... or banishment. I do recall that the '88 Morris worm resulted in 400 hours of community service and a tenured professorship at MIT. I suppose the latter could be considered a severe consequence. Regards, Bill Herrin -- William Herrin ................ herrin@dirtside.com bill@herrin.us Dirtside Systems ......... Web: <http://www.dirtside.com/>
I realize there has been some call to end this thread but if I may add a little history... On December 5, 2017 at 06:49 list@satchell.net (Stephen Satchell) wrote:
Indeed. What Ajit Pai missed in his deliberations for the Dec 14 FCC vote is that the Internet as we know it was developed under the stern eyes of the Department of Defense and the National Science Foundation. The NSF in particular ran the 'Net like bouncers do in a strip club: you break the rules, you go. No argument.
I'm not sure I remember it quite like that, maybe I haven't been in enough strip clubs. But it wasn't a big problem. Under DARPA you needed a (generally military) sponsor and research activity to connect to the ARPAnet so any threat to that relationship was taken very seriously. NSFNET was largely a network of university and research institutions basically without the sponsor requirement (or put another way with NSF as your rubber-stamp sponsor) so if there were any problem it would be referred to the institution. Prior to NSFNET I was involved in putting a 10mb microwave between Boston Univ and Harvard which completed a high speed loop between Harvard/MIT/BU. So several of us at the three universities involved in administering the net put together a mailing list to discuss progress and generally stay in touch. One of the major topics became: If one of MY students (&c) misbehaves on MY network then I know what to do. What do I do if one of YOUR students (&c) misbehaves on MY network? Is there even process in place? A few years later, 1989, I began putting the public on the internet for the first time. I was called into a videoconference at BBN with Jon Postel and a couple of DARPA people, I forget who exactly but I remember uniforms. They wanted to know: What happens if one of MY customers misbehaves? That is, same concern again. I said honestly I don't really know. I can cancel their account but there's little stopping them from creating a new account. Ultimately what I was doing was approved by NSF as an investigation of exactly this though no one ever followed up. It's been the same issue for over 30 years. (end of my comments, rest left for context.)
The original trust model for the Internet was based on this unrelenting oversight. You didn't expect Bad Things(tm) because the consequences of doing them was so severe: banishment and exile. Also, the technical ability required to do Bad Things(tm) wasn't easily won. Accessing the 'Net was a PRIVILEGE, not a right. Abuse at your own peril.
Organizations had experienced sysadmins because it was imperative to the survival of the connection to the 'Net. One gained experience by being apprenticed to some experienced sysadmin. Today: not so much.
Indeed, I'm not aware of any certification that applies to system administrators. Network administrators have certs that are well-recognized and accepted. Mail admins? Server admins? The certs that are out there border on jokes or disguised sale pitches. (Not unlike a certain operating system and software product vendor who put "free" copies into schools to build their marketing base.)
Ok, I'll shut up now.
-- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
In article <20171205105918.GA8503@gsp.org> you write:
"Current Peeve: The mindset that the Internet is some sort of school for novice sysadmins and that everyone *not* doing stupid dangerous things should act like patient teachers with the ones who are."
Up to a point. If you ask a reasonable question that shows you've done some homework, you'll get a reasonable answer. On the other hand ... I need to send mail to a million people. But when I send the mail, a lot of it bounces back. How can I tell networks not to censor me? I'm using Bulk Blaster Pro! Should I use a different program? R's, John
On Dec 4, 2017, at 3:19 AM, Edwin Pers <EPers@ansencorp.com> wrote:
As an anecdotal aside, approx. 70% of incoming portscanners/rdp bots/ssh bots/etc that hit the firewalls at my sites are coming from AWS. I used to send abuse emails but eventually gave up after receiving nothing beyond "well, aws ip's are dynamic/shared so we can't help you"
Last week we found out that Helpscout sends email from AWS servers. Thank you, Helpscout, for forcing me to lift the AWS blocks on my incoming MTAs, that were cutting down my incoming spam scanning load by a factor of two. At least. Note that I work for an email hosting company, which makes this infinitely more annoying. A factor of two, in this case, is a non-trivial number. --lyndon
On 12/04/2017 06:47 PM, Lyndon Nerenberg wrote:
Last week we found out that Helpscout sends email from AWS servers.
Thank you, Helpscout, for forcing me to lift the AWS blocks on my incoming MTAs, that were cutting down my incoming spam scanning load by a factor of two. At least.
If I may make a suggestion: rate-limit incoming connections from AWS, with a pinhole for Helpscout. Spammers try only one if they are doing direct SMTP; legit mail servers will retry failed transmissions. I used to do this with Postfix at the edge of a Web host network. (Yes, yes, I know that compromised PHP scripts will inject mail into a real mail server, so rate-limiting only spreads out the pain.)
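The rate-limit-with-pinhole idea above, as an added example that is not part of the original post and not Postfix configuration: a small simulation of the edge policy, throttling only clients inside a constructed "cloud" address range, always admitting one pinholed sender, and answering an over-limit client with a 4xx temporary failure so that a conforming MTA queues and retries while a fire-and-forget sender simply loses its one attempt. The CIDR blocks, the pinhole address and the limits are constructed placeholders.

```python
"""Edge-MTA connection policy: throttle clients from a cloud address range,
pinhole one known-good sender, and defer (4xx) instead of rejecting so that a
real MTA queues and retries while a one-shot spam sender does not.

Added example for this thread; it is a simulation of the policy, not Postfix
configuration.  The CIDR blocks, the pinhole address and the limits are
constructed placeholders.
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed placeholders standing in for the cloud provider's published ranges.
CLOUD_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
# Constructed pinhole: the supplier whose mail must always get through.
PINHOLE = [ip_network("203.0.113.10/32")]

MAX_CONNS = 3        # connections allowed per throttled client ...
WINDOW_SECONDS = 60  # ... within this sliding window


def in_ranges(ip, nets):
    return any(ip in n for n in nets)


class EdgePolicy:
    def __init__(self, max_conns=MAX_CONNS, window=WINDOW_SECONDS):
        self.max_conns = max_conns
        self.window = window
        self._hits = defaultdict(deque)  # client -> timestamps of recent connections

    def decide(self, client, now):
        """Decide one inbound connection from `client` at time `now` (seconds).

        'OK'      -> let the session proceed to the content scanner
        '450 ...' -> temporary failure; a conforming MTA retries later
        """
        ip = ip_address(client)
        if in_ranges(ip, PINHOLE) or not in_ranges(ip, CLOUD_RANGES):
            return "OK"                     # pinholed, or not in a throttled range
        q = self._hits[client]
        while q and now - q[0] >= self.window:
            q.popleft()                     # forget connections outside the window
        if len(q) >= self.max_conns:
            return "450 4.7.1 Too many connections, try again later"
        q.append(now)
        return "OK"


def simulate(policy, events):
    """events: list of (timestamp, client_ip). Returns one decision per event."""
    return [policy.decide(ip, t) for t, ip in events]


# Constructed scenario: six connections in under a minute from one address in
# the throttled range, one from the pinholed supplier, one from outside.
SAMPLE_EVENTS = (
    [(t, "203.0.113.77") for t in range(0, 60, 10)]   # t = 0, 10, ..., 50
    + [(5, "203.0.113.10")]                            # pinholed supplier
    + [(0, "192.0.2.5")]                               # not in CLOUD_RANGES
)

if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, simulate(EdgePolicy(), SAMPLE_EVENTS)):
        print(event, "->", decision)
```

The deferral is the important design choice: a 5xx reject would make a legitimate sender bounce the message, whereas a 450 only costs it a retry interval, and the retry is exactly the behaviour a single-shot sender does not exhibit. The window also means a throttled client that comes back after the window has elapsed is admitted again, which is what the retrying MTA needs.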
You can cut down significantly on SPAM by simply dropping any email with a gtld which didn't exist prior to 2001. Give it a try! On Dec 4, 2017 22:57, "Stephen Satchell" <list@satchell.net> wrote:
On 12/04/2017 06:47 PM, Lyndon Nerenberg wrote:
Last week we found out that Helpscout sends email from AWS servers.
Thank you, Helpscout, for forcing me to lift the AWS blocks on my incoming MTAs, that were cutting down my incoming spam scanning load by a factor of two. At least.
If I may make a suggestion: rate-limit incoming connections from AWS, with a pinhole for Helpscout. Spammers try only one if they are doing direct SMTP; legit mail servers will retry failed transmissions.
I used to do this with Postfix at the edge of a Web host network.
(Yes, yes, I know that compromised PHP scripts will inject mail into a real mail server, so rate-limiting only spreads out the pain.)
Last week we found out that Helpscout sends email from AWS servers.
Ouch. I'm in the same boat as you are - three of our biggest suppliers have all their public-facing stuff hosted on AWS, including their email smarthosts. None of them have static addresses.
This is incorrect reasoning. Because they're the biggest cloud provider in the world, they should send the least amount of junk: the larger an operation is, the easier abuse detection/prevention gets.
You'd think so, yes. Somehow Google and DO and most other hosting companies manage to do it. Feels like AWS truly doesn't care about it.
On 12/05/2017 06:38 AM, Edwin Pers wrote:
You'd think so, yes. Somehow Google and DO and most other hosting companies manage to do it. Feels like AWS truly doesn't care about it. "Never attribute to malice that which is adequately explained by stupidity, ignorance, or negligence." --based on Hanlon's Razor
"...misunderstandings and neglect create more confusion in this world than trickery and malice. At any rate, the last two are certainly much less frequent." -- Goethe's _The Sorrows of Young Werther_ (1774)
On Tue, 5 Dec 2017, Edwin Pers wrote:
Last week we found out that Helpscout sends email from AWS servers.
This is incorrect reasoning. Because they're the biggest cloud provider in the world, they should send the least amount of junk: the larger an operation is, the easier abuse detection/prevention gets.
You'd think so, yes. Somehow Google and DO and most other hosting companies manage to do it. Feels like AWS truly doesn't care about it.
AWS imposes "email sending limitations", by default, on all EC2 accounts. Anyone who wants those limitations removed has to fill out a form and make a use case to AWS Support. AWS also says they work with ISPs and "Internet anti-SPAM orgs" like Spamhaus. That sounds a bit more than "doesn't care about it", no? -Gordon (yes, I'm an AWS customer)
http://docs.aws.amazon.com/ses/latest/DeveloperGuide/manage-sending-limits.h... On 12/05/2017 10:16 AM, Gordon Ewasiuk via NANOG wrote:
AWS imposes "email sending limitations", by default, on all EC2 accounts. Anyone who wants those limitations removed has to fill out a form and make a use case to AWS Support.
AWS also says they work with ISPs and "Internet anti-SPAM orgs" like Spamhaus.
That sounds a bit more than "doesn't care about it", no?
On Wed, 6 Dec 2017, Stephen Satchell wrote:
http://docs.aws.amazon.com/ses/latest/DeveloperGuide/manage-sending-limits.h...
On 12/05/2017 10:16 AM, Gordon Ewasiuk via NANOG wrote:
AWS imposes "email sending limitations", by default, on all EC2 accounts. Anyone who wants those limitations removed has to fill out a form and make a use case to AWS Support.
AWS also says they work with ISPs and "Internet anti-SPAM orgs" like Spamhaus.
I can't comment about SES. Don't use it. Didn't mention it in my previous message. Though, since you brought it up, the fact that Amazon imposes any limits on their SES customers (sending quotas), has an initial sandbox that allows a minuscule 200 msgs a day, and requires customers to demonstrate the need to increase those limits suggests they are paying more than lip-service to fighting spam. They also have a published and current AUP: https://aws.amazon.com/aup/ A working abuse team: abuse AT amazonaws DOT com and an online form where you can report EC2 abusers: https://aws.amazon.com/forms/report-abuse Suggesting AWS doesn't care seems...well...inaccurate. -Gordon
On Wed, Dec 06, 2017 at 12:29:30PM -0500, Gordon Ewasiuk via NANOG wrote:
and an online form where you can report EC2 abusers: https://aws.amazon.com/forms/report-abuse
1. Used it (and the abuse@ address). Either (a) no response and/or (b) boilerplate response. No responses indicating that reports were read and understood by a human. No responses indicating any action taken, whether reactive or proactive. No apparent change in observed attacks/abuse. 2. Y'know, if I can see attacks/abuse arriving at networks/systems that I run, then surely they can see it leaving networks/systems that they run. The same data is available to them as is available to me, and I have absolutely no trouble noticing it. Why don't they see it and do something about it even before I (or anybody else) has the chance to report it? Better yet, why not study the large-scale patterns over time and proactively address it? (In fairness, the SMTP rate-limit described inter alia is exactly the sort of thing that would be part of this, and it's good that they're doing that.) ---rsk
On Wed, 06 Dec 2017 16:26:00 -0500, Rich Kulawiec said:
2. Y'know, if I can see attacks/abuse arriving at networks/systems that I run, then surely they can see it leaving networks/systems that they run.
A packet stream that will DoS a 20/2 cable subscriber is just a tiny fraction of a 100G pipe outbound from a large data center. (Though I'm sure the pipe to your systems is bigger than 20 megabits, I'm also sure that your inbound is probably smaller than the sum of all outbound pipes from AWS) Is anybody selling monitoring gear that can do deep packet inspection at line rate on a 100G pipe?
On Wed, 06 Dec 2017 16:26:00 -0500, Rich Kulawiec said:
Better yet, why not study the large-scale patterns over time and proactively address it?
If only there was some sort of distributed analytics/search/etc platform they could use to do that.... https://www.elastic.co/ https://aws.amazon.com/elasticsearch-service/ It's not hard. Only took me by myself a few days of farting around to learn it and start getting good hard information out of a single local ES instance that was being fed nothing but firewall logs. I'm sure they would have no trouble with it. On Wed, 06 Dec 2017 16:40:00 -0500, valdis.kletnieks@vt.edu said:
Is anybody selling monitoring gear that can do deep packet inspection at line rate on a 100G pipe?
Found this within a few minutes of looking: https://accoladetechnology.com/portfolio-item/anic-200Ku/ Not sure if it would meet the needs but I'm sure that there's something out there that can do it. The actual inspection of captured packets doesn't have to be line rate (unless you want to ban people on the fly). Either way, with their resources, anything is possible. I'm sure Cisco would sell you a complete "solution" as well, along with the hefty service contract that comes with buying into Big Green On Wed, 06 Dec 2017 16:43:00 -0500, Brian Kantor said:
For the largest players, I can see no economic advantage in being a good network neighbor, and plenty of cost (salaries, equipment) to do so.
Exactly. But at the same time we don't see this with google, digital ocean, etc other big players in the market. I don't see any feasible way to get them to change their behavior either. For all we know they're already doing this. But if they are they aren't doing much with the data they get out of it -ed
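The "good hard information out of nothing but firewall logs" point above, as an added example that is not code from the thread: a parser for iptables-style LOG lines plus two aggregations a defender actually wants, sources hammering one port (brute force) and sources touching many distinct ports (a sweep). The log lines are constructed for the example and use documentation address ranges; the thresholds are placeholders to tune per site.

```python
"""Turn raw firewall drop logs into counts a human can act on: which source is
hammering one port (brute force) and which is touching many ports (a sweep).

Added example for this thread, not code from it.  The log lines below are
constructed in iptables LOG format using documentation address ranges.
"""
import re
from collections import Counter, defaultdict

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed sample log: five ssh attempts from one host, a four-port sweep
# from another, one ordinary drop, and one unrelated line the parser must skip.
SAMPLE_LOG = """\
Dec  6 16:40:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22
Dec  6 16:40:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=22
Dec  6 16:40:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=51236 DPT=22
Dec  6 16:40:04 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=51237 DPT=22
Dec  6 16:40:05 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=51238 DPT=22
Dec  6 16:40:06 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21
Dec  6 16:40:06 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23
Dec  6 16:40:06 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=445
Dec  6 16:40:06 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=3389
Dec  6 16:40:07 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.200 DST=192.0.2.10 PROTO=TCP SPT=33000 DPT=25
Dec  6 16:40:08 fw sshd[4242]: Accepted publickey for ops from 192.0.2.50 port 5022
"""


def parse(line):
    """Return the fields we care about from one iptables LOG line, else None."""
    fields = dict(FIELD.findall(line))
    if "SRC" not in fields or "DPT" not in fields:
        return None
    return {"src": fields["SRC"], "dst": fields.get("DST"),
            "proto": fields.get("PROTO"), "dpt": int(fields["DPT"])}


def summarize(lines, brute_threshold=5, sweep_threshold=4):
    """Aggregate drops per (source, port) and per source.

    brute_force: (src, port) pairs hit at least brute_threshold times
    port_sweeps: sources that touched at least sweep_threshold distinct ports
    """
    hits = Counter()
    ports_by_src = defaultdict(set)
    parsed = 0
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue                       # not a firewall LOG line
        parsed += 1
        hits[(ev["src"], ev["dpt"])] += 1
        ports_by_src[ev["src"]].add(ev["dpt"])
    brute = sorted(k for k, n in hits.items() if n >= brute_threshold)
    sweeps = sorted(s for s, p in ports_by_src.items() if len(p) >= sweep_threshold)
    return {"parsed": parsed, "hits": hits, "brute_force": brute, "port_sweeps": sweeps}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    print("parsed:", report["parsed"])
    print("brute force:", report["brute_force"])
    print("port sweeps:", report["port_sweeps"])
    for (src, dpt), n in report["hits"].most_common():
        print(f"{src:>15}  port {dpt:<5} {n}")
```

The two aggregations are deliberately separate: a brute-forcer shows up as many hits on one (source, port) pair, a scanner as few hits spread over many ports, and a single counter keyed on source alone would blur the two together. Feeding the same fields into an index is what makes the "a few days with a local ES instance" approach work; the parser is the part that has to be right first.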
Email sending limits are one thing. A couple hundred ssh/rdp/sql bots hitting my firewalls constantly is another. From what I'm reading on that AWS doc page, those limits only apply to SES users. -----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Stephen Satchell Sent: Wednesday, December 6, 2017 11:44 AM To: nanog@nanog.org Subject: Re: Suggestions for a more privacy conscious email provider http://docs.aws.amazon.com/ses/latest/DeveloperGuide/manage-sending-limits.h... On 12/05/2017 10:16 AM, Gordon Ewasiuk via NANOG wrote:
AWS imposes "email sending limitations", by default, on all EC2 accounts. Anyone who wants those limitations removed has to fill out a form and make a use case to AWS Support.
AWS also says they work with ISPs and "Internet anti-SPAM orgs" like Spamhaus.
That sounds a bit more than "doesn't care about it", no?
SES can't hit your firewall with bots, it's just an email service. Maybe you meant EC2? And as I said earlier, if you have a correctly set up firewall and servers, port scanning or bots can't hurt you in any way. -- Filip Hruska Linux System Administrator Dne 12/6/17 v 18:31 Edwin Pers napsal(a):
Email sending limits are one thing. A couple hundred ssh/rdp/sql bots hitting my firewalls constantly is another.
From what I'm reading on that AWS doc page, those limits only apply to SES users.
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Stephen Satchell Sent: Wednesday, December 6, 2017 11:44 AM To: nanog@nanog.org Subject: Re: Suggestions for a more privacy conscious email provider
http://docs.aws.amazon.com/ses/latest/DeveloperGuide/manage-sending-limits.h...
On 12/05/2017 10:16 AM, Gordon Ewasiuk via NANOG wrote:
AWS imposes "email sending limitations", by default, on all EC2 accounts. Anyone who wants those limitations removed has to fill out a form and make a use case to AWS Support.
AWS also says they work with ISPs and "Internet anti-SPAM orgs" like Spamhaus.
That sounds a bit more than "doesn't care about it", no?
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Gordon Ewasiuk via NANOG Sent: Wednesday, December 6, 2017 12:30 PM To: nanog@nanog.org Subject: Re: Suggestions for a more privacy conscious email provider
Suggesting AWS doesn't care seems...well...inaccurate.
-Gordon
This is all anecdotal so take it as you will. In 2016 I filed a total of 76 reports either via their web form or by emailing their abuse email directly. Every single one got this in reply: After submitting the initial abuse report (providing all the information they ask for in an initial report):
Hello, Thank you for your abuse report. We were unable to identify the customer responsible for the reported activity. Due to the frequency with which AWS public IP addresses can change ownership, we will need additional information in order to identify the responsible customer(s).
Then a few days later, after replying back to their email with the same content that was in the initial abuse report:
Hello, This is a follow up regarding the abusive content or activity report that you submitted to AWS. We have investigated this report, and have taken steps to mitigate the reported abusive content or activity. Due to our privacy and security policies we are unable to provide details regarding the resolution of this case or the identity of our customer. We are committed to mediating reports of abusive content or activity to the satisfaction of both the reporters and our customers. If you believe the reported content or activity persists, or are not satisfied with the resolution of this case, please reply directly to this message with more information. Your response should include the most recent activity logs or web location of the content that you have available that indicates that the activity or content persists, as well as a clear, succinct explanation of what you expect of us and our customer.
Thank you for bringing this matter to our attention.
Regards, AWS Abuse Team
So yes, it would //appear// that they do care. They do have an abuse team and they're very good at sending out those canned emails and making you think they've done something. But here we are in 2017 and I'm still seeing the exact same attempts from the exact same IP's that I reported in 2016. The way I see it, there's only two explanations: A bunch of people are running the same exact bots that use the same exact source ports and they all just happened to get the same set of public v4's assigned to them and they all just happened to target all of my sites at the exact same rate. or AWS didn't actually do anything about it. (Yes, none of that applies to their SES service, but there's nothing stopping someone from running postfix on an EC2 instance. I won't comment on how the SES team there handles things, because I haven't had any dealings with their abuse team.) -----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Filip Hruska Sent: Wednesday, December 6, 2017 12:55 PM To: nanog@nanog.org Subject: Re: Suggestions for a more privacy conscious email provider
SES can't hit your firewall with bots, it's just an email service.
Maybe you meant EC2? And as I said earlier, if you have correctly setup firewall and servers, port scanning or bots can't hurt you in any way.
-- Filip Hruska Linux System Administrator
I don't remember mentioning SES in this thread before today. But as Rich said earlier:
And the latter is the problem: we are faced, unfortunately, with massive operations that were designed, built, and deployed without the slightest consideration for responsible behavior toward the rest of the Internet. All the rest of us are paying the price for that arrogance, incompetence and negligence: we're paying for it with DoS/DDoS defenses, with spam and phish defenses, with brute-force attack defenses, with time and money and computing resources, with complexity, with late nights and early mornings, with annoyed customers, and -- on the occasions when those defenses fail -- devastating consequences for organizations and people.
These costs aren't always obvious because they're not highlighted line items in an accounting statement. But they're real, and they're huge.
How huge? Well, one measure could be found in the observation that there's now an entire -- large and growing -- market segment that exists solely to mitigate the fallout from these operations.
And those same massive operations are doing everything they possibly can to avoid hearing about any of this. That's why abuse@ is effectively hardwired to /dev/null. And I note with interest that nobody from AWS has had the professionalism to show up in this thread and say "Gosh, we're sorry. We screwed up. We'll try to do better. Can you help us?"
Because we would.
I agree, the dumber bots won't cause any harm (beyond the wasted bandwidth). But every now and then there's a slightly smarter and more targeted bot run by someone who actually knows how to use nmap. New exploits are discovered every day, and as we all know the ones that are made public are in the minority. I know I'd sleep better at night knowing that one of the largest cloud providers would do something about it. I'm sure most of you would agree. I'll leave it at that.

-Ed
Hi Jean,

I appreciate your response. I was considering purchasing a Raspberry Pi and setting up my own mail server on it. Would it be capable of running a personal mail server? I am on the Linux Kernel mailing list which receives around 300 emails a day. Will I also need a static IP address in order to connect to the server from anywhere in the world?

On 12/03/2017 07:12 AM, Jean | ddostest.me via NANOG wrote:
If you plan to use it for a small group of people, you should consider hosting it yourself. You could set it up with SPF, dkim, dmarc, ipv6.
It could be seen as a personal challenge to achieve.
Then if you need real privacy, you will need to encrypt with public keys like PGP or S/MIME. You can upload your public key to the public pgp key servers. I guess that one day this thing will be very popular.
Challenge accepted?
Jean
On 17-12-02 05:20 PM, Paul Ferguson wrote:
On Sat, Dec 2, 2017 at 1:35 PM, Michael S. Singh <michael@wadadli.me> wrote:
I am in need of some suggestions for some privacy conscious email providers. I am currently using Migadu [...]
I use KolabNow, based in Switzerland, for a lot of personal e-mail communications. They are very, very privacy conscious:
--> https://kolabnow.com/feature/confidence
They are *not* free, but quite reasonable, and I am quite happy with them.
- ferg
-- Sincerely Michael S Singh, M: 914-266-0601 W: www.wadadli.me F: 5E0E FD46 4592 1682 A4B6 5F62 761E 4940 A177 3B38 Sent via Migadu.com, world's easiest email hosting
On Sun, 03 Dec 2017 09:48:02 -0800, "Michael S. Singh" said:
I am on the Linux Kernel mailing list which receives around 300 emails a day.
If you're only getting 300 a day, your mail infrastructure is severely broken. As I write this, I've gotten 2,151 mails from linux-kernel so far this month, and it's only the 4th. So 600-700/day is closer to what you should be seeing (plus another 300+ if Greg KH patchbombs the list for one of the stable release candidates...)

Having said that, a Raspberry Pi is more than capable of that volume - many moons ago I was processing well over 1 million RCPT TO: per day on an IBM RS6000/220, which boasted a whole whopping 128M of RAM and a 133 MHz CPU.
On 12/03/2017 10:48 AM, Michael S. Singh wrote:
I was considering purchasing a Raspberry Pi and setting up my own mail server on it. Would it be capable of running a personal mail server? I am on the Linux Kernel mailing list which receives around 300 emails a day.
Is a Raspberry Pi capable of functioning as a mail server? Sure. Would I recommend it? Most likely not. I see two things being a limitation for the Raspberry Pi: 1) lack of memory (for various filters and support daemons) and 2) (lack of) disk. I think you will be spending quite a bit more time than you will likely care to waiting on the Raspberry Pi. An external disk will help.

I would strongly suggest that you look at a Linode VPS (which is what I'm using) or something similar. Preferably something that is very well connected (both speed and more diverse backbone connectivity) and SSD backed.
Will I also need a static IP address in order to connect to the server from anywhere in the world?
Technically, no. You can tune your DNS such that the A record that your MX record points to has a low TTL, thus avoiding caching and enabling dynamic DNS. - Would I do this for my mail server? Not at all. Would I do this for my home server that smart hosts through my mail server (Linode VPS)? Sure. There is a big difference in what will technically work and what you will want to end up using.

If you're serious about this (which I encourage you to scratch the itch if you're so inclined) then I would strongly recommend spending ~$10 a month for a VPS as your primary mail server. (You can then have it forward to an internal mail server if you want to.)

Feel free to reply to me (on or off list) if you would like to discuss further details.

Note: You will need DNS servers with static IPs that you can configure in your domain registrar. (ProTip: Linode allows you to use their five DNS servers for the low price of having a single Linode VPS.) Everything else is ... technically flexible from that point.

-- Grant. . . . unix || die
On Sun, Dec 03, 2017 at 09:48:02AM -0800, Michael S. Singh wrote:
Will I also need a static IP address in order to connect to the server from anywhere in the world?
Yes. And it will need to be located in an allocation that's known to be static, i.e., a single static address in the midst of a large block of dynamic addresses == trouble. It'll also need to be on a provider that has scrupulously dealt with abuse issues; those that don't may have large swaths of address space that's already blacklisted. One way to determine this is to ask them what address they will assign *before* you sign up, then check that address against various blacklists.

You'll also need matching A and PTR records: if the mail server is mail-abc.example.com, then the PTR needs to match. It's also highly advisable to make it HELO as that same canonical name.

I also suggest running an instance of a nameserver on the same box. Mail servers make a lot of DNS queries, so having one right there -- with a cache that will eventually be populated according to local usage patterns -- is useful. Just make sure it's not an open resolver, i.e., make sure it only answers queries on 127.0.0.1.

A Raspberry Pi can handle this. Doubly so if you customize its defenses specifically to your needs. The more abuse you reject outright via the onboard firewall and via MTA configuration, the less will make it through to more computationally expensive steps. Note that you'll need enough storage if you really do plan to use it for the LKML; I've seen roughly 50M in traffic on it since 11/28 and there are times when it spikes (in terms of the number of messages and their aggregate volume) quite a bit.

---rsk
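The two pre-signup checks rsk describes (does the address's PTR agree with the A record of the canonical mail host, and is the address already on a blacklist) as an added example that is not part of the thread. The DNS data, the host names and the `dnsbl.example.invalid` zone are constructed stand-ins, and lookups are injected so the checks run offline; point `a`/`ptr` at a real resolver to use it for an address a provider offers you.

```python
"""Forward-confirmed reverse DNS and DNSBL checks (added example, offline)."""
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed sample DNS data standing in for real lookups (not real hosts).
SAMPLE_A: Dict[str, List[str]] = {"mail-abc.example.com": ["192.0.2.10"]}
SAMPLE_PTR: Dict[str, str] = {"192.0.2.10": "mail-abc.example.com",
                              "192.0.2.20": "generic-pool-20.example.net"}
# A DNSBL answers a 127.0.0.x address for listed IPs; constructed listing here.
SAMPLE_DNSBL: Dict[str, str] = {"20.2.0.192.dnsbl.example.invalid": "127.0.0.2"}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets of an IPv4 address and append the DNSBL zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def fcrdns_ok(hostname: str, ip: str,
              a: Callable[[str], List[str]] = lambda h: SAMPLE_A.get(h, []),
              ptr: Callable[[str], Optional[str]] = SAMPLE_PTR.get) -> bool:
    """PTR(ip) must name the host and A(host) must contain ip, so that the
    canonical name used in HELO, the A record and the PTR all agree."""
    host = hostname.rstrip(".").lower()
    rev = ptr(ip)
    if rev is None or rev.rstrip(".").lower() != host:
        return False
    return ip in a(host)


def dnsbl_listed(ip: str, zone: str,
                 a: Callable[[str], Optional[str]] = SAMPLE_DNSBL.get) -> bool:
    """True when the DNSBL zone returns a 127.0.0.0/8 answer for the IP."""
    answer = a(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def presignup_report(ip: str, hostname: str, zones: List[str]) -> Dict[str, bool]:
    """Run the checks on the address a provider offers *before* signing up."""
    report = {"fcrdns": fcrdns_ok(hostname, ip)}
    report.update({zone: dnsbl_listed(ip, zone) for zone in zones})
    return report


if __name__ == "__main__":
    for candidate in ("192.0.2.10", "192.0.2.20"):
        print(candidate, presignup_report(candidate, "mail-abc.example.com",
                                          ["dnsbl.example.invalid"]))
```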
Sort of a side note, but has anyone played with a Magma server? Ladar Levison's project to create a totally encrypted email system. I donated a bit, but have yet to find time to beta test anything. Just looking for pros/cons and if it's even worth spending the time. https://darkmail.info/
On Dec 2, 2017, at 1:35 PM, Michael S. Singh <michael@wadadli.me> wrote:
Hi all,
I am in need of some suggestions for some privacy conscious email providers. I am currently using Migadu email hosting from Switzerland, basically they allow their users to have as many domains and mailboxes without storage limits without extra cost.
However they only allow 10 messages to be sent per day on their free tier.
-- Sincerely Michael S Singh, M: 914-266-0601 W: www.wadadli.me F: 5E0E FD46 4592 1682 A4B6 5F62 761E 4940 A177 3B38 Sent via Migadu.com, world's easiest email hosting
On 2017-12-02 10:35, Michael S. Singh wrote:
Hi all,
I am in need of some suggestions for some privacy conscious email providers. I am currently using Migadu email hosting from Switzerland, basically they allow their users to have as many domains and mailboxes without storage limits without extra cost.
However they only allow 10 messages to be sent per day on their free tier.
participants (35)
- amuse
- Andy Brezinsky
- Brad Knowles
- bzs@theworld.com
- Chuck Anderson
- Edwin Pers
- Eric Kuhnke
- Eric Tykwinski
- Filip Hruska
- Gordon Ewasiuk
- Grant Taylor
- Harald Koch
- Jason Hellenthal
- Jean | ddostest.me
- John Levine
- Keith Medcalf
- Laurens Vets
- Leo Bicknell
- Lyndon Nerenberg
- Michael S. Singh
- Michael Thomas
- Miles Fidelman
- Naslund, Steve
- Nate Metheny
- Paul Ferguson
- Rich Kulawiec
- Robert Story
- Royce Williams
- Sam Oduor
- Seth Mattinen
- Stephen Satchell
- Tim Pozar
- timrutherford@c4.net
- valdis.kletnieks@vt.edu
- William Herrin