Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Summary: Re: trapdoor.merit.edu and other impatient Postfix mailers everywhere (fwd)

  • From: Kai Schlichting
  • Date: Fri Aug 03 12:59:54 2001

As this topic has exploded and boiled up to some insane level, I feel I have
to summarize a few things here, and point out some simple facts.

- Wietse Venema was friendly enough to email me on his own, pointing out
  that the timeout-waiting-for-SMTP-banner is indeed 300s, as stipulated
  by RFC 1123. My article indeed contained language saying that I have
  not researched this, but logically concluded that its operator's
  dirty hands that are fiddling with the knobs - the fact that Postfix is
  in the spotlight is probably BECAUSE it uses such small amounts of
  resources (ram*time product, cpu-time), which makes it popular with
  very large operators, who yet STILL can't resist making it try to use
  even less resources in an irresponsible manner.

  Thanks also go to John A. Martin, who was the first respondent who
  dumped the Postfix default via "postconf -d|grep 'smtp_.*time'" on me,
  also showing a SMTP EHLO timeout of 300s.

- Wietse Venema had some trouble with his posts to the lists getting
  silently discarded due to not being member of the NANOG-Post list.
  Someone at Merit.Central please take note that silent discards rather
  than proper bounce-backs are not the preferred modus operandi for any
  mail system. Then again, what do I know about their list mailer :)
  No thanks to AOL for doing their part of silent discards of legitimate
  mailing list mail sent to their subscribers.

- freeloading users of MAPS RBL (direct DNS queries) vs. people pulling
  zones as confidential secondaries: this is purely a question of
  resources: how many DNS queries directed at MAPS consume the same
  amount of resources as a zone transfer at regular intervals?
  It's probably a well-known number to MAPS LLC, and highly dependent
  on the refresh times (10 minutes?) for the zones.
  And then there is the legal/confidentiality problems, at least with
  their specific way of running the service.

- All the conspiracy theories aside: MAPS has provided a (largely) free
  service to the community for a number of years, something I wish to
  profoundly thank them for in this forum. You built, they came.

  As we all know from the dancing hamster website: sometimes popularity
  will kill you, because it starts to consume resources that you can no
  longer afford, not as an individual, not even as a group. Even if your
  group consists of relatively wealthy MFNX shareholders who had the
  good fortune of initiating structured longterm sell-offs before the
  dot-com bubble imploded :) (and I think that a certain NANOG poster has
  no idea about what is insider trading and what is not in this context)
  Speculation: ORBS going away has increased pressure on MAPS' resources
  quite a bit, probably at a time when funding for MAPS was already
  critical. Someone from MAPS LLC may want to comment on this idle
  speculation.

  Their pricing scheme is probably experiemental: how do you price a
  service in a new market, covering your cost, and not horribly shooting
  over the mark or making terrible losses? Give these guys a break.
  I think we can only speculate on the cost of live bodies running
  the system vs. infrastructure cost - if the infrastructure cost is
  the lions share, they'd probably happily run 20 secondaries to their
  zones (legal issues of non-disclosure of their db contents aside), and
  add however many are needed to keep cost to them at a minimum and
  the burden to secondary DNS server operators at a minimum.

- yesterday's event indeed points at an unintended MAPS failure -
  some people have speculated that them not answering non-paying networks'
  DNS queries resulted in an explosion of (then negatively cached) queries.
  Sometimes during the day, all zones returned to being publicly queryable
  and available, and the behavior of their servers returned to normal - for
  the time, so the waves calm down, I am sure.

  As I asked yesterday: how do you shred/drop traffic
  you are no longer willing to accept while continuing to provide the
  same service to a select group of (paying) subscribers? A tough cookie
  as far as DNS is concerned, as former ORBS DNS secondary provider
  Ronald F. Guilmette found out a while ago: the left-over DNS queries for
  the defunct ORBS zones started to kill his limited bandwidth, and he was
  the one starting to answer all ORBS zone queries positively, as a means
  to 'notify' operators by means of their mail systems starting to reject
  every single piece of mail they received. Identifying and contacting all
  querying operators (1000's) was likely beyond his means, rather than his
  abilities.

- notifying users of DNS RBL zones: certainly doable, judging from mail
  I received as a POC for a netblock, saying that my netblock contained
  Code Red-infested machine(s). That certainly required a significant
  effort, and 100,000 queries to whois.arin.net (explaining it's uhm,
  limited availability lately?).

  Free services are disappearing from the Internet every single day,
  and barely ever do you hear about them going away in advance.
  I am not sure if there is a MAPS/RBL-announce mailing list, but
  I am just as guilty as a lot of other people for not subscribing
  to it after starting to use the their RBL zones.

- if you don't like MAPS LCC's idea of getting compensated for the
  resources they spend on running their RBL - go start your own.

  A few people have tried. A few people have realized the amount of
  resources required and backed out of it. A few will probably
  succeed until their resources are getting as drained as MAPS'
  when their services have grown in popularity.

  Or, someone do us all a big favor and invent a highly distributed,
  yet authenticated and trustworthy structure for large-scale distribution
  of information about sources of abuse, and be able to run it in a
  less centralized and US-lawyer-vulnerable fashion than say: Napster
  or my.MP3.com. We can certainly use some new ideas in this field,
  but that's for the SPAMTOOLS list.

bye,Kai





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.