Re: All the above but also
..... about a couple zillion years past "never"?
29 posts • joined 18 Jul 2019
No, it has nothing to do with any particulars of the mail transmission path. It's a DNS lookup volume issue.
Spamhaus (and most other public DNSBLs) put a limit on how many DNS queries "you" can do for free. Most place that limit at 100k queries.
That's a fairly large mail system - a small private system doing direct lookups will generate on the order of hundreds to maybe a low thousands per day.
Each and every SMTP connection to your server will generate a query to the DNS cache you have configured. At a small scale, that will be passed on to Spamhaus' DNS servers each time because the cache timeout for DNSBL data is generally pretty short. As mail volume goes up, some of the lookups will be found in the cache instead, saving a query direct to Spamhaus.
If you run your own cache, you'll stay within the free limits for quite some time - easily 10k+ mailboxes and 200k+ messages/day for general ISP mail traffic.
However, if you're forwarding DNS queries to a big public cache, Spamhaus only "sees" the query from the public cache - there's no (trivial/simple) way to see the individual cache users. So the query volume from these shoots past that free 100k-query limit in a matter of a few minutes each day. DNS is pretty lightweight..... up until you start looking at large platforms, supporting literally billions of queries daily. It costs big money to run a system capable of supporting that query volume, so they insist high-volume users pay for either a datafeed or "authenticated" direct query service.
I literally had to do this once. Driving down the highway, about to turn left, push on the brake pedal.. Nothing. Push a lot harder. Nothing. Since I'm not a complete maniac, I had space to use the hand brake before running out of turn lane, and instead of continuing to work I diverted slightly in the other direction to the dealership to get the brakes fixed.
One of the first things I do on the increasingly rare occasions I have a completely new browser install is to go into about:config and turn off the ability for a web page to disable the title bar, menu bar, address bar, scroll bars, etc. These are UI elements that belong to the browser and the page has no business monkeying with them.
What kind of Linux-head are you? The binary is *obviously* called joesbigbrother! /s
(Sadly this is not *quite* as sarcastic as it should be, I have in fact run into exactly this disconnect between package name and actual runnable program file name and menu entry name.)
"...schmuck in accounting will ... fling at the regulators..."
That might be the body tasked with digging up the loose change, but I'd bet it would be presented to the government by someone a fair bit higher up the food chain.
I'd also expect, unlike all too many similar fines in North America and Europe, that these will be paid in full the last yuan.
Don't underestimate the regional value of "face" either.
I *work* for a smallish mid-sized ISP, and I (and by all indications, the owners of this company) think you're wrong. It is absolutely NOT on the content provider to help pay for the receiving end's costs; it is up to the customer's ISP to scale their transit/peering as needed to support their customers' use of the Internet - whatever that usage is.
Or find some way to not have the data flow over a transit link for each and every viewer in the first place.
I've just had a quick skim through the Netflix Open Connect site, and if SK has decided not to host a handful of these appliances they've just gone and shot themselves in both feet with great enthusiasm. This kind of transit data volume is exactly the kind of thing they're designed and intended to PREVENT, and it's not like Netflix charges for them.
Erm..... and why would statistical toolkits or scripting environments like R and Python be deployed to 15k users when it's all of maybe a couple of hundred that have any use for them?
Installing all of the tools that anyone in the organization will need on all of the desktop machines in a big organization is a really horrible idea. If there's that much tracking and planning, surely someone realized that different groups need different sets of installed software...
I recently came across a form that forcibly PREVENTED pasting anything. Bizarrely enough, the "I forgot my password" form was quite happy to let me paste that same email address (you know, in order to, oh, say, make sure it was really the address I actually signed up to that site with...) and let me reset the password on a rarely-used account.
I don't really care one way or the other about "a whole remote desktop in a local window", but I *do* want to remotely access the entire remote console GUI workspace that has many browser windows and shell windows each with many tabs open on tasks in progress, times several desktops for different task groupings. Just logging in to all the servers I touch on a regular basis would occupy 30-45 minutes of my day, never mind the time lost to manually reconstructing all of the rest of the workspace state.
Shonky as it may be, Windows Remote Desktop utterly destroys anything I've tried on Linux for accessing a remote workspace. I can do *almost* anything over Remote Desktop, on a grotty 2M DSL line, that I can do sitting in front of the console of that remote system. I can barely read email, trying to use VNC (or any similar *nix tool I've tried) to (try to) work in the GUI workspace of a machine that is literally right next to the one I'm "in front of", both connected to the same gigabit switch. The situation is marginally better if I connect to a headless X11 workspace/session, but then I'm stuck with the leftover grottiness ALL THE TIME, including when I'm sitting in front of the machine the headless session is running on.
"If I pay more, I SHOULD get better service. Right?"
Sure, because YOU have decided that you want this or that service to work better FOR YOU. The problem comes when it's the ISP and/or content provider who pays extra for priority, giving that specific content provider (or in many cases in the US, the content division of the ISP/telco) a "free" ride into YOUR home - and leaving you stuck with shoddy service from the content providers you DO have an account with, because despite paying your ISP for the top-tier multi-gigabit-symmetrical connection, they're prioritizing someone else's traffic leaving you no better off than if you switched to the entry-level tin-can-and-string 1.5Mbps DSL.
(Fair disclosure - I work for a medium-sized Canadian ISP, and I have a couple of fingers in our DNS pie.)
"Your IP maybe dynamic but your ISP provides a hostname to that IP. That hostname is not dynamic, it's yours,"
Umm..... No. This is techically possible, but I'd be very surprised if many ISPs anywhere did this, and even more surprised if they're larger ones. Managing reverse DNS is turning into an arcane art, and all too many providers can't even get simple static names based on the IP right. Handling dynamic changes based on user logins requires more automation and processing to manage things, and it's easier to statically assign an IP to someone who wants a static connection for a server, and set the reverse DNS once, than to set up all that automation and provision the DNS platform to handle dynamic updates.
I've seen (small(ish)) businesses that *printed their business cards* before registering the domain they wanted. Which they ended up having to change, because the domain they wanted was already registered and Not For Sale. I've seen others who managed to score the domain, but only as a "premium" domain for a ridiculous price. (Think $5-10K for a .com, of no obvious significant value. No idea if these continue to cost huge bucks on renewal.)
Never underestimate the ability of business to totally not get this Internet thingy.
Unfortunately, yes, depending on the specific phish it is possible that just opening the message is enough to cause trouble.
Biting the hand that feeds IT © 1998–2022