North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Summary: Re: trapdoor.merit.edu and other impatient Postfix mailers everywhere (fwd)
- From: Kai Schlichting
- Date: Fri Aug 03 12:59:54 2001
As this topic has exploded and boiled up to some insane level, I feel I have
to summarize a few things here, and point out some simple facts.
- Wietse Venema was friendly enough to email me on his own, pointing out
that the timeout-waiting-for-SMTP-banner is indeed 300s, as stipulated
by RFC 1123. My article indeed contained language saying that I have
not researched this, but logically concluded that its operator's
dirty hands that are fiddling with the knobs - the fact that Postfix is
in the spotlight is probably BECAUSE it uses such small amounts of
resources (ram*time product, cpu-time), which makes it popular with
very large operators, who yet STILL can't resist making it try to use
even less resources in an irresponsible manner.
Thanks also go to John A. Martin, who was the first respondent who
dumped the Postfix default via "postconf -d|grep 'smtp_.*time'" on me,
also showing a SMTP EHLO timeout of 300s.
- Wietse Venema had some trouble with his posts to the lists getting
silently discarded due to not being member of the NANOG-Post list.
Someone at Merit.Central please take note that silent discards rather
than proper bounce-backs are not the preferred modus operandi for any
mail system. Then again, what do I know about their list mailer :)
No thanks to AOL for doing their part of silent discards of legitimate
mailing list mail sent to their subscribers.
- freeloading users of MAPS RBL (direct DNS queries) vs. people pulling
zones as confidential secondaries: this is purely a question of
resources: how many DNS queries directed at MAPS consume the same
amount of resources as a zone transfer at regular intervals?
It's probably a well-known number to MAPS LLC, and highly dependent
on the refresh times (10 minutes?) for the zones.
And then there is the legal/confidentiality problems, at least with
their specific way of running the service.
- All the conspiracy theories aside: MAPS has provided a (largely) free
service to the community for a number of years, something I wish to
profoundly thank them for in this forum. You built, they came.
As we all know from the dancing hamster website: sometimes popularity
will kill you, because it starts to consume resources that you can no
longer afford, not as an individual, not even as a group. Even if your
group consists of relatively wealthy MFNX shareholders who had the
good fortune of initiating structured longterm sell-offs before the
dot-com bubble imploded :) (and I think that a certain NANOG poster has
no idea about what is insider trading and what is not in this context)
Speculation: ORBS going away has increased pressure on MAPS' resources
quite a bit, probably at a time when funding for MAPS was already
critical. Someone from MAPS LLC may want to comment on this idle
Their pricing scheme is probably experiemental: how do you price a
service in a new market, covering your cost, and not horribly shooting
over the mark or making terrible losses? Give these guys a break.
I think we can only speculate on the cost of live bodies running
the system vs. infrastructure cost - if the infrastructure cost is
the lions share, they'd probably happily run 20 secondaries to their
zones (legal issues of non-disclosure of their db contents aside), and
add however many are needed to keep cost to them at a minimum and
the burden to secondary DNS server operators at a minimum.
- yesterday's event indeed points at an unintended MAPS failure -
some people have speculated that them not answering non-paying networks'
DNS queries resulted in an explosion of (then negatively cached) queries.
Sometimes during the day, all zones returned to being publicly queryable
and available, and the behavior of their servers returned to normal - for
the time, so the waves calm down, I am sure.
As I asked yesterday: how do you shred/drop traffic
you are no longer willing to accept while continuing to provide the
same service to a select group of (paying) subscribers? A tough cookie
as far as DNS is concerned, as former ORBS DNS secondary provider
Ronald F. Guilmette found out a while ago: the left-over DNS queries for
the defunct ORBS zones started to kill his limited bandwidth, and he was
the one starting to answer all ORBS zone queries positively, as a means
to 'notify' operators by means of their mail systems starting to reject
every single piece of mail they received. Identifying and contacting all
querying operators (1000's) was likely beyond his means, rather than his
- notifying users of DNS RBL zones: certainly doable, judging from mail
I received as a POC for a netblock, saying that my netblock contained
Code Red-infested machine(s). That certainly required a significant
effort, and 100,000 queries to whois.arin.net (explaining it's uhm,
limited availability lately?).
Free services are disappearing from the Internet every single day,
and barely ever do you hear about them going away in advance.
I am not sure if there is a MAPS/RBL-announce mailing list, but
I am just as guilty as a lot of other people for not subscribing
to it after starting to use the their RBL zones.
- if you don't like MAPS LCC's idea of getting compensated for the
resources they spend on running their RBL - go start your own.
A few people have tried. A few people have realized the amount of
resources required and backed out of it. A few will probably
succeed until their resources are getting as drained as MAPS'
when their services have grown in popularity.
Or, someone do us all a big favor and invent a highly distributed,
yet authenticated and trustworthy structure for large-scale distribution
of information about sources of abuse, and be able to run it in a
less centralized and US-lawyer-vulnerable fashion than say: Napster
or my.MP3.com. We can certainly use some new ideas in this field,
but that's for the SPAMTOOLS list.