I’m trying to remember the title of a book that I believe was published about twenty years ago. It’s a collection of dumb thoughts, observations and predictions. One of my favourites was, “Groups with guitars are no longer popular”, which was the response that Brian Epstein heard at Decca Records in 1962 when he was rebuffed in his efforts to sign the Beatles to their first record contract. There’s also, “Can’t sing, isn’t very good looking, can dance a little”, and those were the first impressions from a Hollywood studio executive about a Fred Astaire audition at the start of his film career. My all time favourite has to be these words from British Prime Minister Neville Chamberlain in a 1938 letter to his sister, “I looked into the eyes of Hitler and knew that this was a man I could trust”. Not included because it was only said in 2004 is, “Two years from now Spam will be solved”. That was Bill Gates speaking at the World Economic Forum in Davos, Switzerland. Gates saw the solution in a variety of tools that establish the identity of the email sender. None of the suggested tools included the idea of cryptographically signing email with the sending domain’s digital signature or authenticating the sender based on what path the mail took over the internet. Yet these are the two methods that are now being used by most anti-spam software.. In October I wrote about the Domain Keys technology that Yahoo and PayPal initially developed using digital signed mail and how that has became an IETF standard this year. Path based authentication is the other tack that Spam fighters are taking in preventing it from breaching through the firewalls, blacklists and the various types of filters that have been erected as battlements. Email users don’t see spam as a big problem anymore because these methods by and large have been working in reducing the amount of spam that reaches their inboxes. But spam is still being generated in ever increasing numbers, mostly from large botnets that are composed of thousands of malware infected computer nodes. We are talking about messages that worldwide number in the billions per year so that if filtering and blocking reduce the percentage of spam mail getting through by 90%, that remaining ten percent is still a huge number in absolute terms.
Sender Policy Framework or SPF is the implementation of path authentication that has been incorporated into software such as SpamAssassin. It works by having the owner of a domain designate which computers in the domain are allowed to send email to the internet. These machine names and addresses are specified in special records on that domain’s domain name server or DNS. In essence the email receiving domain verifies the legitimacy of a given message by querying the sender’s DNS to see if the message was sent from an authorized host. Email addresses can be easily spoofed but not the IP address of a domain designated email sender. SPF wouldn’t prevent a spammer who has legitimate mailboxes on a domain from sending spam from one of those mailboxes but this is easily traced and it’s not how spammers currently work. The deficiency with SPF is that email that is forwarded does not retain the original return path and may be dropped. Also by using a DNS that has been compromised an attacker could designate his own sender authenticated hosts. However DNS attacks are much harder as these servers are usually carefully hardened with security patches applied on a regular basis. Together both path based authentication and signed mail should be very effective but unlike Bill I won’t make any predictions.
Showing posts with label tech stuff. Show all posts
Showing posts with label tech stuff. Show all posts
Friday, December 7, 2007
Saturday, October 27, 2007
Doing my own production systems support
I was reminded today of why I hate to troubleshoot my own computer problems. We have had a lot of issues with our TelstraClear ISP. Easy and relatively cheap broadband access is something I took for granted back in the States. And the U.S. isn't really given high marks for universal and relatively inexpensive high speed Internet access when ranked with South Korea and other Asia Pacific nations. But compared to New Zealand I think that the U.S. fares well. Here broadband is not as ubiquitous and low cost. When I first arrived in New Zealand in June I was surprised at the dearth of free hotspots and noted that this is not the place to go wardriving looking for unencrypted access points (not that I would ever think of doing such a thing myself). Now several months later I understand fully. I don't remember running up against bandwidth limits back in New Jersey or if my Cablevision contract included them but we have easily exceeded the 4 gigs monthly that we started out with in August. With a surcharge at $5.00 per 500 meg over it can get pretty dear.
The service has not been very robust to say the least. Lucy needs the internet especially for an on line nursing exam prep course that she signed up for 2 weeks ago. Our cable modem needs to be frequently power cycled; sometimes too many times to count in a single day. Today, Saturday was particularly vexatious. I couldn't get a connection this morning and tried multiple times to reset the modem, all to no avail. It was hard to raise a support tech through the voice mail system (some things don't change regardless of what hemisphere you're in) and when I finally did, after an interminable amount of time on hold, I was told that the modem looked good on his end. I had earlier tried to isolate the problem by taking my wireless Netgear router out of the picture. That didn't work. When I tried it again at his suggestion it did. I thanked him, finished the call and then tried to put the router back into my configuration but without luck. I did succeed with Cat 5 connecting one laptop to the router but it was strange that any wireless node I set up could see the router but not get out any further. After a few hours of this I finally got to the point where my wireless devices suddenly could make internet connections. I have no understanding of what the original problem was or how it could correct itself. Any insights would be greatly appreciated. I no longer do this type of stuff for a living, as I once did, and I'm glad for that. Still I'm uncomfortable with magic pixie dust solutions.
The service has not been very robust to say the least. Lucy needs the internet especially for an on line nursing exam prep course that she signed up for 2 weeks ago. Our cable modem needs to be frequently power cycled; sometimes too many times to count in a single day. Today, Saturday was particularly vexatious. I couldn't get a connection this morning and tried multiple times to reset the modem, all to no avail. It was hard to raise a support tech through the voice mail system (some things don't change regardless of what hemisphere you're in) and when I finally did, after an interminable amount of time on hold, I was told that the modem looked good on his end. I had earlier tried to isolate the problem by taking my wireless Netgear router out of the picture. That didn't work. When I tried it again at his suggestion it did. I thanked him, finished the call and then tried to put the router back into my configuration but without luck. I did succeed with Cat 5 connecting one laptop to the router but it was strange that any wireless node I set up could see the router but not get out any further. After a few hours of this I finally got to the point where my wireless devices suddenly could make internet connections. I have no understanding of what the original problem was or how it could correct itself. Any insights would be greatly appreciated. I no longer do this type of stuff for a living, as I once did, and I'm glad for that. Still I'm uncomfortable with magic pixie dust solutions.
Subscribe to:
Posts (Atom)