Discussion:
Ooma VoIP robocaller blocking
Thad Floryan
2014-05-07 23:41:55 UTC
Following is an article I posted to comp.dcom.telecom earlier
today and is one of the reasons I'll be upgrading in a few days
to Ooma's Premier service.

For the curious, comp.dcom.telecom is arguably the oldest Usenet
group which has been both a mailing list and a Usenet group whose
archives are here:

http://telecom-digest.org/
aka
http://massis.lcs.mit.edu/telecom-archives/

John Levine http://en.wikipedia.org/wiki/John_R._Levine is
the guy at MIT who set the group up with the simultaneous Usenet
and mailing list capability which I'm hoping to duplicate as we
move 1000s of Groups away from the failing Yahoo Groups mess that
were badly hosed by infecting Yahoo Groups with the crapola HTML5
NEO interface in mid-August 2013.

-------- Original Message --------
Subject: Re: Re-post: Stopping illegal robocalling [telecom]
Date: Wed, 07 May 2014 00:28:17 -0700
From: Thad Floryan <***@thadlabs.com>
Organization: The Telecom Digest
Newsgroups: comp.dcom.telecom
Because of the weak response to my previous posting (2 Feb. 2014), I'm once
again asking the newsgroup readership to help form a grassroots alliance to
get illegal robocalling stopped.
The method is detailed in my entry to the 2012-2013 FTC Robocalling contest.
See http://telecom-digest.org/robocalls.pdf. I'll give a brief overview
here.
In my opinion it will be fruitless to try to stop these calls by threats,
making them illegal, etc. This will work only if the callers can be
identified and prosecuted easily. Therefore, my proposal relies on
technical means to actually stop most calls from completing. The method is
based on caller ID (CID) information delivered with the calls. It requires
development of new features to be deployed in the phone network.
[...]
I'm all for blocking robocallers. But as Fred, the pro tem moderator,
wrote [appended to your Tuesday May 6 article]:

" The problem is that it requires changing switch software in
" existing old DMS and 5E switches, and in the SS7 network. That
" stuff is old, not well supported, and the telcos are just letting
" them rot in place. So trying to get them to do anything would be
" extremely difficult. Comments from the rest of the readership are
" welcome!

Shoe-horning a solution into the aging existing infrastructure is going
to be a very difficult part of achieving the goal assuming legislative
support for the task. I wouldn't be holding my breath waiting. :-)

Note your original February 3, 2014, article also cited the IETF in
addition to your http://telecom-digest.org/robocalls.pdf document:

" The main thrust of the proposal is to detect Caller ID spoofing.
" For your information, the IETF has resurrected its efforts to
" detect Caller ID spoofing.
"
" Check it out:
" http://tools.ietf.org/html/draft-ietf-stir-problem-statement-03
"
" Also available at:
" ftp://ftp.ietf.org/internet-drafts/draft-ietf-stir-problem-statement-03.txt

Out of curiosity, I did some Googling regarding the Ooma VoIP service in
this regard and found these 3 URLs with some interesting solutions and
thoughts:

1. View topic - Robocall blocking suggestions. - Ooma
http://www.ooma.com/forums/viewtopic.php?f=19&t=16626

2. Want to block telemarketers? Use Ooma's Blacklist feature ...
http://www.ooma.com/node/1325
[ noting Ooma Premier has a personal blacklist and a community one ]

3. AMERICANS FED UP WITH POLITICAL ROBOCALLS - Ooma
http://www.ooma.com/press/press-releases/americans-fed-political-robocalls
"
" [...]
" At the top of the list of most desirable home phone features is
" the ability to automatically block unwanted callers. Among
" people considering switching home phone service, 77% said a
" feature that automatically blocks telemarketers and other
" unwanted callers would make them more likely to switch, says
" another study conducted by novaQuant, Inc., a leading market
" research firm, and commissioned by Ooma, Inc., a leading
" Internet-based home phone service.
"
" Ooma offers this unique privacy feature as part of its Premier
" Service via a personal and community blacklist. The Personal
" Blacklist blocks specific callers or sends them directly to
" voicemail and the Community Blacklist draws on a database of
" thousands of known telemarketers and solicitors automatically
" blocking those callers.
" [...]

Thad
Travis James
2014-05-08 04:25:47 UTC
Post by Thad Floryan
"
" Ooma offers this unique privacy feature as part of its Premier
" Service via a personal and community blacklist. The Personal
" Blacklist blocks specific callers or sends them directly to
" voicemail and the Community Blacklist draws on a database of
" thousands of known telemarketers and solicitors automatically
" blocking those callers.
" [...]
Thad
I use the community list and have dozens of blocks on top of that. It's
not a perfect solution since the scammers change 8xx numbers or even use
location-based area codes, but it's better than nothing. It cuts down
on the noise and effectively blocks the political and union (SEIU in
particular) calls that are allowed to circumvent donotcall.gov.
Thad Floryan
2014-05-08 05:54:13 UTC
Post by Travis James
Post by Thad Floryan
" [...]
" Ooma offers this unique privacy feature as part of its Premier
" Service via a personal and community blacklist. The Personal
" Blacklist blocks specific callers or sends them directly to
" voicemail and the Community Blacklist draws on a database of
" thousands of known telemarketers and solicitors automatically
" blocking those callers.
" [...]
I use the community list and have dozens of blocks on top of that. It's
not a perfect solution since the scammers change 8xx numbers or even use
location-based area codes, but it's better than nothing. It cuts down
on the noise and effectively blocks the political and union (SEIU in
particular) calls that are allowed to circumvent donotcall.gov.
Hi Travis,

It appears to be a never-ending battle much like with email though it
seems I've essentially won the email spam war: I see absolutely ZERO
spam due to very aggressive filtering.

You might find this diagram interesting:

ThadLABS' Email Service Simplified Flow Diagram

INTERNET <--->[ QMAIL ]->---CLAMAV->---SPAMASSASSIN->---PROCMAIL->---+
                  ^                                                  |
                  |                                                  |
OUTGOING <--------+                [ mail databases, directories ]<---+
from home office or             +->[ and individual email files ]
online at shell                 |
                                |
RETRIEVAL <-->[ DOVECOT IMAP ]<-+
to home office or
online at shell

FINAL DISPOSITION AND PROCESSING OF INCOMING EMAIL:

1. clamav found malware ------> "Quarantine" directory for research
2. Mail flagged as spam ------> "Junk" directory with automatic expiry
                                for each email after 24 hours
3. Sender not in addressbook -> "Pending" directory for examination
                                to determine if should add Sender to
                                addressbook or mark as junk meaning
                                future email from same spam address
                                automatically goes to "Junk"
4. Leave email in INBOX or distribute to directories named by "Sender"


Note I've set spamassassin's threshold to 3.0 from the default 5.0.

procmail is where certain TLDs are totally dropped sight unseen, such
as the following:

*.ad *.ae *.af *.ag *.ai *.al *.am *.an *.ao *.ar *.as *.aw *.ax
*.az *.ba *.bb *.bd *.bf *.bg *.bh *.bi *.bj *.bm *.bn *.bo *.br
*.bs *.bt *.bv *.bw *.by *.bz *.cc *.cd *.cf *.cg *.ci *.ck *.cl
*.cm *.cn *.co *.cr *.cs *.cu *.cv *.cx *.cy *.dj *.dm *.do *.dz
*.ec *.ee *.eg *.eh *.er *.et *.eu *.fj *.fk *.fm *.fo *.ga *.gd
*.ge *.gf *.gh *.gi *.gm *.gn *.gp *.gq *.gr *.gs *.gt *.gu *.gw
*.gy *.hk *.hm *.hn *.hr *.ht *.hu *.id *.in *.io *.iq *.ir *.jm
*.jo *.ke *.kg *.kh *.ki *.km *.kn *.kp *.kr *.kw *.ky *.kz *.la
*.lb *.lc *.li *.lk *.lr *.ls *.lt *.lv *.ly *.ma *.mc *.md *.me
*.mg *.mh *.mk *.ml *.mm *.mn *.mo *.mp *.mq *.mr *.ms *.mt *.mu
*.mv *.mw *.mx *.my *.mz *.na *.nc *.ne *.nf *.ng *.ni *.np *.nr
*.nu *.om *.pa *.pe *.pf *.pg *.ph *.pk *.pm *.pn *.pr *.ps *.pw
*.py *.qa *.re *.ro *.ru *.rw *.sa *.sb *.sc *.sd *.sg *.sh *.si
*.sj *.sl *.sm *.sn *.so *.sr *.st *.su *.sv *.sy *.sz *.tc *.td
*.tf *.tg *.th *.tj *.tk *.tl *.tm *.tn *.to *.tp *.tr *.tt *.tv
*.tw *.tz *.ua *.ug *.us *.uy *.uz *.va *.vc *.vg *.vi *.vn *.vu
*.wf *.ws *.ye *.yt *.yu *.za *.zm *.zr *.zw
*lqnwt.com *tgw.com *eversave.com *flowers.com *hinet.net
*dunhillvacations.com *paypal.com

I was originally apprehensive about *.eu and *.us but from my point
of view those TLDs are 100% exclusively spammers. If not, tough.

I suppose I'll have to add all the idiotic new TLDs that clowns
such as Network Solutions have been touting recently, but so far
there have been none.

Thad
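The disposition rules in the post above (clamav, then a spamassassin score against the lowered 3.0 threshold, then procmail's drop list and the addressbook check), modelled as an added Python example. This is not the author's procmail or spamassassin configuration; the header names (`X-Virus-Status` as clamav-milter sets it, `X-Spam-Status` as SpamAssassin sets it), the small drop-list subset, and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

SPAM_THRESHOLD = 3.0   # the post lowers spamassassin's default of 5.0 to 3.0

# A small subset of the post's procmail drop list (TLDs and whole domains).
DROPPED_TLDS = {"eu", "us", "ru", "cn"}
DROPPED_DOMAINS = {"paypal.com", "eversave.com"}


def sender_address(msg: Message) -> str:
    """Bare, lower-cased address from the From: header ('' if absent)."""
    return parseaddr(msg.get("From", ""))[1].lower()


def in_drop_list(address: str) -> bool:
    """procmail-style 'dropped sight unseen' test on the sender's domain/TLD."""
    if "@" not in address:
        return False
    domain = address.rsplit("@", 1)[1]
    tld = domain.rsplit(".", 1)[-1]
    return tld in DROPPED_TLDS or any(
        domain == d or domain.endswith("." + d) for d in DROPPED_DOMAINS)


def spam_score(msg: Message) -> float:
    """Pull score=N out of SpamAssassin's X-Spam-Status header (0.0 if none)."""
    m = re.search(r"score=(-?\d+(?:\.\d+)?)", msg.get("X-Spam-Status", ""))
    return float(m.group(1)) if m else 0.0


def dispose(msg, addressbook, junk_senders=frozenset(), whitelist=frozenset()):
    """Return the directory a message is filed into, or None when it is dropped.

    addressbook maps known senders to a directory ("INBOX" or a per-sender
    folder); junk_senders are addresses previously marked junk from "Pending";
    whitelist holds senders specifically exempted from the TLD drop.
    """
    sender = sender_address(msg)
    # 1. clamav found malware -> "Quarantine" (assumed clamav-milter header)
    if msg.get("X-Virus-Status", "").lower().startswith("infected"):
        return "Quarantine"
    # procmail drops listed TLDs/domains outright unless specifically whitelisted
    if sender not in whitelist and in_drop_list(sender):
        return None
    # 2. spamassassin score at/above the lowered threshold -> "Junk", as does
    #    anything from a sender previously marked junk from "Pending"
    if spam_score(msg) >= SPAM_THRESHOLD or sender in junk_senders:
        return "Junk"
    # 3. unknown sender -> "Pending" for manual examination
    if sender not in addressbook:
        return "Pending"
    # 4. known sender -> INBOX or the directory named for that sender
    return addressbook[sender]


def expired_junk(files, now, max_age_s=24 * 3600):
    """Names of Junk files older than 24 hours (files maps name -> mtime epoch)."""
    return sorted(n for n, t in files.items() if now - t > max_age_s)


# Constructed sample messages (headers only). 'borderline' scores 3.4: junk at
# the post's 3.0 threshold, but it would pass at spamassassin's default 5.0.
SAMPLES = {
    "friend": "From: Ann <ann@example.org>\nX-Spam-Status: No, score=-1.2 required=3.0\n\n",
    "malware": "From: x@example.net\nX-Virus-Status: Infected (Eicar-Test-Signature)\n\n",
    "eu_sender": "From: deals@shop.example.eu\nX-Spam-Status: No, score=1.0 required=3.0\n\n",
    "paypal": "From: service@paypal.com\nSubject: your account\n\n",
    "borderline": "From: news@example.com\nX-Spam-Status: Yes, score=3.4 required=3.0\n\n",
    "unknown": "From: bob@example.com\nX-Spam-Status: No, score=0.3 required=3.0\n\n",
}
ADDRESSBOOK = {"ann@example.org": "Ann"}   # known sender filed under her own directory


def run_samples(whitelist=frozenset()):
    """Disposition of every constructed sample under the rules above."""
    return {name: dispose(message_from_string(raw), ADDRESSBOOK, whitelist=whitelist)
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, where in run_samples().items():
        print(f"{name:>10}: {where or 'DROPPED'}")
```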
Keith Keller
2014-05-08 15:03:53 UTC
Post by Thad Floryan
INTERNET <--->[ QMAIL ]->---CLAMAV->---SPAMASSASSIN->---PROCMAIL->---+
How is qmail these days? I used to use it but gave it up when I decided
that DJB was pretty insane.
Post by Thad Floryan
I was originally apprehensive about *.eu and *.us but from my point
of view those TLDs are 100% exclusively spammers. If not, tough.
This makes me sad. ;-) I suspect you're correct, however, at least
about .us.

--keith
--
kkeller-***@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
Mike Hunt
2014-05-08 20:16:54 UTC
Post by Keith Keller
Post by Thad Floryan
INTERNET <--->[ QMAIL ]->---CLAMAV->---SPAMASSASSIN->---PROCMAIL->---+
How is qmail these days? I used to use it but gave it up when I decided
that DJB was pretty insane.
I don't think anyone would argue DJB has some unique views, but I don't
think that means qmail is problematic.

I use it and am quite happy with it...
Keith Keller
2014-05-08 20:59:35 UTC
Post by Mike Hunt
Post by Keith Keller
Post by Thad Floryan
INTERNET <--->[ QMAIL ]->---CLAMAV->---SPAMASSASSIN->---PROCMAIL->---+
How is qmail these days? I used to use it but gave it up when I decided
that DJB was pretty insane.
I don't think anyone would argue DJB has some unique views, but I don't
think that means qmail is problematic.
Sorry, I didn't mean to imply that qmail is problematic. I left solely
because he seemed nutty, and I wasn't sure what qmail's future would be.
(I also found qmail's configuration a bit frustrating to work with at
times.) I've been using postfix successfully, and haven't really
noticed any performance or security issues since. qmail might be better
for a site with more SMTP volume.

--keith
--
kkeller-***@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
Thad Floryan
2014-05-08 22:48:06 UTC
Post by Keith Keller
Post by Mike Hunt
Post by Keith Keller
Post by Thad Floryan
INTERNET <--->[ QMAIL ]->---CLAMAV->---SPAMASSASSIN->---PROCMAIL->---+
How is qmail these days? I used to use it but gave it up when I decided
that DJB was pretty insane.
I don't think anyone would argue DJB has some unique views, but I don't
think that means qmail is problematic.
Sorry, I didn't mean to imply that qmail is problematic. I left solely
because he seemed nutty, and I wasn't sure what qmail's future would be.
(I also found qmail's configuration a bit frustrating to work with at
times.) I've been using postfix successfully, and haven't really
noticed any performance or security issues since. qmail might be better
for a site with more SMTP volume.
Hi Keith,

I haven't noticed any explicit performance issues with either
sendmail or qmail.

I set up sendmail at Sigaba and qmail at another client with
similar message volume and everything seemed OK.

Sigaba once had a DDoS email attack directed towards it and
sendmail (and the email server) was brought to its knees.

I once had a DDoS email attack directed towards my site and
qmail didn't die though the system did slow down considerably.
I don't know what the load average reached because I couldn't
log in so I requested a power-cycle which cleared it up and
everything was fine after that.

Thad
Thad Floryan
2014-05-08 22:39:57 UTC
Post by Keith Keller
Post by Thad Floryan
INTERNET <--->[ QMAIL ]->---CLAMAV->---SPAMASSASSIN->---PROCMAIL->---+
How is qmail these days? I used to use it but gave it up when I decided
that DJB was pretty insane.
Hi Keith,

Huh? I consider sendmail to be obscene and written by
insane programmers. qmail is the way to go and I've
set it up for many clients over the years.

http://en.wikipedia.org/wiki/Qmail

http://www.qmail.org/

I've had zero issues with qmail.
Post by Keith Keller
Post by Thad Floryan
I was originally apprehensive about *.eu and *.us but from my point
of view those TLDs are 100% exclusively spammers. If not, tough.
This makes me sad. ;-) I suspect you're correct, however, at least
about .us.
I tested the .eu and .us for 6 months by having anything
from those TLDs placed in an "EXAMINE_THESE" directory.
Everything there was 100% spam, so now email from those
TLDs is dropped automatically along with the other TLDs I
cited.

Note that if any legitimate sender exists in the .eu or .us TLDs I
can specifically whitelist them using spamassassin and procmail won't
drop them, but I've had no occasion to do that to date.

Thad
Keith Keller
2014-05-09 02:11:22 UTC
Post by Thad Floryan
Huh? I consider sendmail to be obscene and written by
insane programmers.
I would never use sendmail any more. But I do think the usual defense
is applicable: it was originally written in a time when serious cracking
was all but nonexistent, and when it became more rampant, they were too
slow to adjust. That left a gap in secure SMTP servers that qmail,
postfix, and exim filled.

qmail is great, but DJB is clearly a bit nuts. If you've ever tried to
run djbdns as a replacement for BIND (another victim of its age),
especially without his equally insane daemontools (which are terrible),
you'd understand. He didn't go totally goofball with qmail, which is
why it's more usable than his other tools.

Speaking of BIND, do people use other DNS servers? If you look at
Wikipedia's comparison
(https://en.wikipedia.org/wiki/Comparison_of_DNS_server_software), there
are very few which meet even basic needs. I want a free/open solution
that offers split DNS and is not djbdns. Wildcards, authoritative, and
recusion are also important. The only one that matches everything is
BIND! (PowerDNS does, sort of, but the note says you need GeoIP for
split DNS support, which isn't so great.) dbndns comes next closest,
but I also use wildcards and would like to use DNSSEC soon.

--keith
--
kkeller-***@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
Thad Floryan
2014-05-09 04:00:49 UTC
Post by Keith Keller
Post by Thad Floryan
Huh? I consider sendmail to be obscene and written by
insane programmers.
I would never use sendmail any more. But I do think the usual defense
is applicable: it was originally written in a time when serious cracking
was all but nonexistent, and when it became more rampant, they were too
slow to adjust. That left a gap in secure SMTP servers that qmail,
postfix, and exim filled.
qmail is great, but DJB is clearly a bit nuts. If you've ever tried to
run djbdns as a replacement for BIND (another victim of its age),
especially without his equally insane daemontools (which are terrible),
you'd understand. He didn't go totally goofball with qmail, which is
why it's more usable than his other tools.
Hi Keith,

I know nothing about "DJB" but the Wikipedia article I cited did
mention "controversies".

For that matter, "RMS" (of GNU) could be considered controversial,
too. The first time I met him face-to-face (we had been exchanging
email) was in John McCarthy's office at Stanford during September
1980 when he handed me an Emacs tape and this manual (scanned):

http://thadlabs.com/FILES/Emacs-150_1980.09.05.pdf 9MB

for use on my company's DECsystem-20s; I had already been using Emacs
on TOPS-20 systems since the mid-1970s by having received tapes of it
from folks at the Pentagon who were my customers at the time -- they
also sent me tapes of the MIT ZORK written in MUDDL for TOPS-20. RMS
in 1980 was clean-shaven wearing a suit and tie with polished shoes
and a nice haircut.

For those unaware, regarding Emacs:

This report describes work done at the Artificial Intelligence
Laboratory of the Massachusetts Institute of Technology. Support
for the laboratory's research is provided in part by the Advanced
Research Projects Agency of the Department of Defense under
Office of Naval Research contract N00014-75-C-0643.

Getting back to email --

Another (non-controversial) program in my email flow is Dovecot which
is one of only three fully-conforming IMAP servers as can be seen here:

http://imapwiki.org/ImapTest/ServerStatus

One of the other 3 conforming IMAP servers is PANDA written by Mark
Crispin who, sadly, died December 28, 2012. He was the author of the
IMAP RFCs among many others:

http://en.wikipedia.org/wiki/Mark_Crispin
Post by Keith Keller
Speaking of BIND, do people use other DNS servers? If you look at
Wikipedia's comparison
https://en.wikipedia.org/wiki/Comparison_of_DNS_server_software
there are very few which meet even basic needs. I want a free/open
solution that offers split DNS and is not djbdns.
http://en.wikipedia.org/wiki/Djbdns fixes BIND's security probs
Post by Keith Keller
Wildcards, authoritative, and recuRsion (sic) are also important.
The only one that matches everything is BIND!
OK, then what's the problem?
Post by Keith Keller
(PowerDNS does, sort of, but the note says you need GeoIP for
split DNS support, which isn't so great.) dbndns comes next closest,
but I also use wildcards and would like to use DNSSEC soon.
Hmmm, dbndns is a fork of djbdns by Debian which includes IPv6 support
per this article (and mentions it's "filtered" (whatever that means)
into Ubuntu):

http://en.wikipedia.org/wiki/Dbndns

Thad
Keith Keller
2014-05-09 04:59:26 UTC
Post by Thad Floryan
I know nothing about "DJB" but the Wikipedia article I cited did
mention "controversies".
I wouldn't call DJB "controversial". Some of his decisions are just
stupid. His licensing terms make it impossible to redistribute (I think
he made some sort of limited exception for qmail, but no distros want to
touch it anyway) and difficult to get patched (there's a whole web site
devoted to patches you have to apply after installing stock qmail).
Post by Thad Floryan
Another (non-controversial) program in my email flow is Dovecot which
Dovecot is great.
Post by Thad Floryan
http://en.wikipedia.org/wiki/Djbdns fixes BIND's security probs
I used djbdns. It was awful. Its zone files are nonconformant to the
RFCs, it's difficult to run without daemontools (I had a crude hack to
get it to work), and as mentioned, its licensing sucks.
Post by Thad Floryan
Post by Keith Keller
The only one that matches everything is BIND!
OK, then what's the problem?
Not "problem" per se, but BIND does suffer a little from the same issues
that sendmail has had: an old codebase that needed refactoring. BIND9
did a lot of that, being a full rewrite, but named is still one
monolithic binary that does everything instead of isolated daemons
that do one task and are not automatically trusted by the other daemons.
(It looks like Bundy DNS, a renaming and handing off of BIND10, does
these things, but it's not clear what's actually been released. I see a
bind10-1.1.0 release, which might be a good starting point.)
Post by Thad Floryan
Hmmm, dbndns is a fork of djbdns by Debian which includes IPv6 support
per this article (and mentions it's "filtered" (whatever that means)
Yes, I saw that after I'd posted, so for me that rules out dbndns.

--keith
--
kkeller-***@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
Thad Floryan
2014-05-09 05:57:31 UTC
Post by Keith Keller
Post by Thad Floryan
[...]
Hmmm, dbndns is a fork of djbdns by Debian which includes IPv6 support
per this article (and mentions it's "filtered" (whatever that means)
Yes, I saw that after I'd posted, so for me that rules out dbndns.
Hi Keith,

20-20 hindsight is great. :-)

From one point of view networking should have begun with something
like IPv6 but the hardware simply wasn't up to it and networking
gear was extremely pricey -- think many $$$.

I was running both StarLAN and Ethernet on my 3B1 systems at home
in the 1980s as can be seen in this 4-page scan of the O'Reilly
"Managing uucp and Usenet" book here:

http://thadlabs.com/FILES/OR_Mng_uucp+Usenet.pdf 165kB

During my recent LAN gigabit upgrade I was buying top-of-the-line
Intel GiGE NICs for $20 from Newegg; $20 wouldn't have even bought
a single AUI connector in the 1980s. I paid $18,500 for my first
Sun 3-60 system in the late 1980s and I paid $259 to Fry's for a
refurbed HP desktop with Vista to run Microsoft's WorldWideTelescope
in 2008 and that system is still working fine 16-18 hours/day every
single day and is the system I'm using to post this article -- that's
exactly 6 years now since I bought it May 8, 2008 in Sunnyvale though
I later upgraded the CPU, RAM and NIC and added an nVIDIA 9800GTX/1GB
video card for gaming via Steam.

Thad
Igor Sviridov
2014-05-16 04:32:49 UTC
Post by Keith Keller
Post by Thad Floryan
Huh? I consider sendmail to be obscene and written by
insane programmers.
I would never use sendmail any more. But I do think the usual defense
is applicable: it was originally written in a time when serious cracking
was all but nonexistent, and when it became more rampant, they were too
slow to adjust. That left a gap in secure SMTP servers that qmail,
postfix, and exim filled.
I'd argue contemporary Sendmail is quite usable and secure.
Configuration language is too cryptic for casual use, but with m4 macros hiding the complexity even newbies can use it
(though I'd recommend exim or postfix instead). Sendmail configuration is definitely more extensible than any other
MTA I've used (zmailer is close), at the expense of complexity; but even that flexibility was not enough, hence milters.
Post by Keith Keller
qmail is great, but DJB is clearly a bit nuts. If you've ever tried to
run djbdns as a replacement for BIND (another victim of its age),
especially without his equally insane daemontools (which are terrible),
you'd understand. He didn't go totally goofball with qmail, which is
why it's more usable than his other tools.
I sort of agree with your assessment of DJB, at least as applied to his *nix software.
He's a genius cryptographer, but his software is idiosyncratic and lives
in its own world, which differs from the common expectations of a *nix user or administrator.
Typically he saves bits by devising his own cryptic file formats and encodings, even when
there were commonly used formats available; amazing he did not try to use ASN.1 for further efficiency.

His tools do work and are reliable. They usually appeal to people who never use
and are happy to learn a cryptic, but dense encoding; usually in a few years
I think his balance of convenience for programmer/efficiency on one side,
and usability on the other, is shifted towards first side.
Post by Keith Keller
Speaking of BIND, do people use other DNS servers? If you look at
Wikipedia's comparison
(https://en.wikipedia.org/wiki/Comparison_of_DNS_server_software), there
are very few which meet even basic needs. I want a free/open solution
that offers split DNS and is not djbdns. Wildcards, authoritative, and
recusion are also important. The only one that matches everything is
BIND! (PowerDNS does, sort of, but the note says you need GeoIP for
split DNS support, which isn't so great.) dbndns comes next closest,
but I also use wildcards and would like to use DNSSEC soon.
For most of the typical usage scenarios I've needed over the years, split horizon DNS offered an enticing, seemingly simple,
and mediocre solution. It does require careful setup to avoid leaking and cross-contamination
(i.e. leaking private NS records into the public Internet or vice versa). In most cases it does not offer you
anything more than what you can achieve by:
- using two zones, public and private (optional: use valid domain you own for private)
- adding both zones in the client resolver search list (always or only when connected to private environment)
- (optional) maintaining a stub private zone in the public Internet, with no records except SOA/NS
to facilitate quick "no such domain" responses when querying private domain without being connected to private network
- (optional) sharing some DNS zone data between public and private via $include's or other mechanisms

The only issue is ability to add multiple DNS search suffixes so you can resolve names both in private and in public
(when you are connected to private); in corporate environments this can be solved by centralized management tools
(group policies, etc); otherwise there is a simple hack of making private domain of the public and enabling suffix devolution,
i.e. with suffix of "priv.example.com" and DNS devolution on you would search both priv.example.com and example.com
(which are presumably our private and public domains).

There are rare valid situations where split DNS is the way to go.
But it seems to be misused left and right in configurations which appear to provide no benefit
(well, maybe except job security due to extreme complexity and fragility ;-)

Btw, if you're considering DNSSEC then split DNS adds whole another can of worms:
http://tools.ietf.org/html/draft-krishnaswamy-dnsop-dnssec-split-view-04

I think split DNS is usually more trouble than it's worth; once you remove split horizon requirement you can consider
NSD (or Knot) and Unbound :-)
Post by Keith Keller
--keith
--igor
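The two-zone alternative to split horizon described in the post above (a public example.com, a private priv.example.com, a records-free stub of the private zone in the public view, shared data as with an $INCLUDE, and a client search list with suffix devolution), modelled as an added Python example. This is not the poster's configuration or any DNS server's code; the zone data, addresses and the two-label devolution stop are constructed assumptions, and it also includes a cross-contamination check for private names answered by the public view.

```python
from typing import Dict, List, Optional, Tuple

Zone = Dict[str, str]   # owner name -> A record (one address keeps it simple)

# Constructed zone data. The public view carries only a stub of the private
# zone (SOA/NS only, so anything under it answers NXDOMAIN quickly); the
# private view carries the same public data plus the real private records.
PUBLIC_EXAMPLE_COM: Zone = {
    "example.com": "203.0.113.1",
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.25",
}
PUBLIC_VIEW: Dict[str, Zone] = {
    "example.com": PUBLIC_EXAMPLE_COM,
    "priv.example.com": {},             # stub: no records besides SOA/NS
}
PRIVATE_VIEW: Dict[str, Zone] = {
    "example.com": PUBLIC_EXAMPLE_COM,  # shared data, as with an $INCLUDE
    "priv.example.com": {
        "intranet.priv.example.com": "10.0.0.5",
        "www.priv.example.com": "10.0.0.8",
    },
}


def zone_for(name: str, view: Dict[str, Zone]) -> Optional[str]:
    """Longest zone apex that name falls under, or None if no zone is served."""
    labels = name.split(".")
    for i in range(len(labels)):
        apex = ".".join(labels[i:])
        if apex in view:
            return apex
    return None


def lookup(name: str, view: Dict[str, Zone]) -> Optional[str]:
    """Authoritative answer for name in this view; None stands for NXDOMAIN."""
    apex = zone_for(name, view)
    if apex is None:
        return None
    return view[apex].get(name)


def search_candidates(name: str, search: List[str], devolution: bool = False) -> List[str]:
    """Fully qualified names a stub resolver tries for an unqualified name.

    With devolution on, each search suffix is also walked up to its parent
    (stopping at two labels), so priv.example.com also yields example.com.
    """
    if name.endswith("."):
        return [name.rstrip(".")]
    suffixes: List[str] = []
    for s in search:
        labels = s.split(".")
        while len(labels) >= 2:
            suffix = ".".join(labels)
            if suffix not in suffixes:
                suffixes.append(suffix)
            if not devolution:
                break
            labels = labels[1:]
    return [f"{name}.{s}" for s in suffixes] + [name]


def resolve(name: str, search: List[str], view: Dict[str, Zone],
            devolution: bool = False) -> Optional[Tuple[str, str]]:
    """First candidate with an answer in the view, as (fqdn, address)."""
    for candidate in search_candidates(name, search, devolution):
        addr = lookup(candidate, view)
        if addr is not None:
            return candidate, addr
    return None


def leaked_private_names(private_apex: str, private: Dict[str, Zone],
                         public: Dict[str, Zone]) -> List[str]:
    """Private-zone names the public view also answers: cross-contamination."""
    return sorted(n for n in private[private_apex] if lookup(n, public) is not None)


if __name__ == "__main__":
    for view_name, view in ("private", PRIVATE_VIEW), ("public", PUBLIC_VIEW):
        for host in ("intranet", "www", "mail"):
            print(view_name, host, resolve(host, ["priv.example.com"], view, True))
```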
Jack Ryan
2014-05-16 09:19:41 UTC
Post by Igor Sviridov
I sort of agree with your assessment of DJB, at least as applied to his *nix software.
[...]
His tools do work and are reliable.
No they don't. Unpatched qmail chokes on DNS lookups, dnscache is poisoned
within minutes, tinydns needs even more 3rd party patches to be
standards-compliant (even without DNSSEC).

He's a good cryptographer, though. He just shouldn't write any programs.
Igor Sviridov
2014-05-18 20:50:13 UTC
Post by Jack Ryan
Post by Igor Sviridov
I sort of agree with your assessment of DJB, at least as applied to his *nix software.
[...]
His tools do work and are reliable.
No they don't. Unpatched qmail chokes on DNS lookups, dnscache is poisoned
within minutes, tinydns needs even more 3rd party patches to be
standards-compliant (even without DNSSEC).
I'd state it this way: DJB's software as released is higher quality than for open-source (in same phase);
over the time it does not improve as fast due to the lack of collaborative development process
(with author engaged).
Post by Jack Ryan
He's a good cryptographer, though. He just shouldn't write any programs.
I would not go that far.
His software prioritizes convenience to write and perceived performance against convenience to operate/configure.
This may or may not fit your preferences; it does not fit mine.

--igor

Mike Stump
2014-05-09 16:06:06 UTC
Post by Thad Floryan
It appears to be a never-ending battle much like with email though it
seems I've essentially won the email spam war: I see absolutely ZERO
spam due to very aggressive filtering.
Yeah, I'm contemplating a white-list email system. I know you, or,
reject at the smtp in-bound layer. So far, don't have the guts to
actually do it.
Post by Thad Floryan
procmail is where certain TLDs are totally dropped sight unseen, such
*paypal.com
So, I wonder if you use dkim. It is small, easy to set up, and can
verify senders, such as paypal. The bad point, they haven't
engineered in mailing list support, so, mere mortals can't use it yet.
Once (if) they solve the mailing list issues, be nice to see the world
use it to dump spam.
Thad Floryan
2014-05-09 23:49:34 UTC
Post by Mike Stump
Post by Thad Floryan
It appears to be a never-ending battle much like with email though it
seems I've essentially won the email spam war: I see absolutely ZERO
spam due to very aggressive filtering.
Yeah, I'm contemplating a white-list email system. I know you, or,
reject at the smtp in-bound layer. So far, don't have the guts to
actually do it.
Post by Thad Floryan
procmail is where certain TLDs are totally dropped sight unseen, such
*paypal.com
So, I wonder if you use dkim. It is small, easy to set up, and can
verify senders, such as paypal. The bad point, they haven't
engineered in mailing list support, so, mere mortals can't use it yet.
Once (if) they solve the mailing list issues, be nice to see the world
use it to dump spam.
Hi Mike,

No, I don't use dkim: http://www.dkim.org/

The reason I block PayPal is that after the initial number of
transactions or amount was exceeded, they wanted me to reveal
my bank information to them. I refused and cancelled the Paypal
account but those clowns continue to send spam email years after
I dropped Paypal.

Note Paypal is not a regulated bank with all the protections
that such banks have and I refuse to deal with Paypal anymore.

I also ceased using a vendor who forced Google Checkout on me
as the final step placing an order for Syba RS-232 cards; that
vendor was http://www.mwave.com/ Hmmm, seems they use
"Amazon Payments" now, but still ...

Thad