In addition to all the service and technical issues when looking for a host, there are others that can affect us. What does a host offer in the way of spam (unsolicited bulk e-mail) protection? There are several free services from organizations like MAPS that can significantly reduce the amount of spam coming into a server. The MAPS RBL (Realtime Black List) will block e-mail from spam friendly or neutral sites. Their RSS (Relay Spam Stopper) will block spam from open relays, what is also called relay rape. Those two methods alone would cut the majority of spam received.

Security is another concern. The mail program used can be a source of vulnerability to attack. Sendmail is the most commonly used mail transport program but was created without thoughts of security in mind. Hypocritically or ironically, depending on your point of view, Red Hat uses Qmail for itself yet distributes sendmail.

These issues are important ones to consider, especially for business sites. When it comes to spam and hosting companies, if you're not part of the solution, you're part of the problem. When it comes to security, it doesn't make sense to use inferior products with great vulnerabilities. Wu ftp is another one for which a better replacement exists.

You have a very good point.

I think that companies should turn to more secure alternatives to the software they use. Or atleast upgrade to the latest version.

There's a good article on the subject at http://www.securityportal.com/closet/closet20000705.html It is entitled "Why do vendors ship us junk they wouldn't use?"

Dedicated server companies are equally to blame. They have a stock configuration, duplicated on all their ready to install drives, without even minor security precautions in place.

It would be great to see a company whose stock configuration was an excellent one. This could include sudo instead of su, qmail instead of sendmail, ProFTP instead of Wu FTP, and Open SSH instead of Telnet, just for starters. Anti-spam features would be another welcome choice.

Servers would be more secure, their customers less vulnerable to attacks and being cracked (which would make them happier), and everybody benefits. There is really no cost differential since quality programs are available for free just as the problematic ones are. It's mostly a matter of caring enough to make the right choices and setting higher standards.

That would be something worth duplicating.

Also to boot, many of the alternatives are faster or more efficient.

lol

Duster did u go look @ my default server config or something? :)

Not familar myself with sudo but i'll look into it :)

Servers use exim instead of sendmail

proftpd instead of wu_ftpd

ssh included :)
telnet still avaliable though

VDI's done a good job with their install pack which sets up a redhat server in a flash :)

Sincerely
Daniel Pearson
UltraSpeed USA~

Hey Duster,
You seem to be a pretty intelligent individual. Do you mind if I ask whats your website? I wouldn't mind seeing more about who you are since you post a lot of very insighful info here and at thescriptkeeper.

Sure. My server site is at http://techcellence.net I have information aand other resources for those new to dedicated server management (which includes me). It's in that context that I mention it periodically. Like tabernack, I host sites for my own customers (mostly businesses whose sites I created) and am not agressively seeking new customers on a large scale.

I also host my own site about scuba diving, Diverlink, at http://diverlink.com, which has become a respected and even trusted source of information. It covers certain subjects that others don't and covers others in greater depth than anyone else. It's even had some positive effects on the industry.

The Internet is a great way to combine two interests of mine, diving and computers. One thing I like about computers is they force you to continue learning and growing. Right now, security is a particular focus, along with php and MySQL. Stopping spam is something I started learning long before I got my own server.

It's amazing how much better servers could be security wise, including preventing spam from arriving, if the companies only took time to think about the programs they use and the measures they take. Some need to set their standards higher and think of their customers' convenience. It would be far better to have a more secure server and duplicate it than to have a plain one and say the customer can always turn certain features on (which isn't necessarily true). Replacing programs is a bigger problem and some companies won't allow you to do it.

Maybe we can effect a change in the industry in that respect.

Duster,

As much as I hate SPAM, I don't believe that hosting companies should be implementing anti-SPAM filters, especially those filters that are available today. I firmly believe that what MAPS is doing is illegal, and it is going to eventually catch up to them and their users.

Just yesterday, a lawsuit was filed naming MAPS *and many of their users* (read ISPs and web hosting companies that use the MAPS software) - you can read more about the suit at http://www.internetworldnews.com/h_bot.shtm#8.01Harris

There are several problems with a web hosting company implementing a system such as MAPS RBL. First, if I, as a small web hosting company, started using MAPS, and because of that action we were named as a defendant in a lawsuit, it would put us out of business. Our insurance would not cover the defense against such a lawsuit (since MAPS is a questionable and most likely illegal organization), and we certainly don't have the capitalization to defend against someone like Harris Group.

Further (and perhaps more importantly), the number of customers who praised us for implementing anti-spam measures would be far outweighed by the number of customers who suddenly couldn't get that e-mail from Grandma anymore because MAPS is blocking her ISP. Our research suggests that we'd lose 20% or more of our user base if we implemented anti-spam measures - something that we certainly can't afford to do as a small company. And, thus far, in our 3-year history, we've only lost one customer due to our refusal to implement MAPS RBL (and indeed, this is the *only* customer who has even asked us to do it).

As much as I hate to say it, vigilante groups such as MAPS are not the answer to the SPAM problem. The only solution to the SPAM problem will be government legislation making it illegal. I don't like the idea of the government legislating the Internet any more than anyone else does, but it's really the only way that it's going to help.

However - I will say this - if MAPS gave their ISP members the ability to see *who* was being filtered, and adjust the filtering themselves, I might consider using it. The fact that it's an all-or-nothing list is what is most repugnant (for example, MAPS blocks mail.com, because they are often used by spammers. This is certainly true - but a *lot* of legitimate mail gets sent from mail.com. In fact, if we suddenly started blocking mail.com, we'd have about 50 *clients* who could no longer send us e-mail from their personal mail accounts! That is *not* something I consider an acceptable anti-spam measure).

Just my opinion, but I think that the average user would be a lot more unhappy about losing legitimate e-mail then they are about receiving SPAM. And losing legitimate e-mail is a guaranteed side-effect of implementing a system like MAPS RBL.

Services such as SpamCop (www.spamcop.net) are great services, and I fully support them. In my opinion, cutting SPAM off at the source is far more beneficial than cutting it off at the recipient end.

Take care,

Jason

------------------
Jason Ellis, CEO
Hosting Solutions, Inc.
www.windowswebhost.com (http://www.windowswebhost.com)
Now offering Fully Managed Servers!

Jason,

What I said was that hosting companies might offer anti-spam services. At the very least, RSS would cut a lot of spam out. There is nothing illegal about MAPS and what it does. Among other things, it keeps a list of spam friendly or neutral hosts, a list of open relays, and allows companies and individuals to choose not to receive e-mail from those sources. There is nothing illegal about people making choices for themselves. I fail to understand how you could even think that the right to choose could be illegal.

Since preventing the sending of spam is near impossible, preventing the reception of it is a more effective method as I see it.

That suit you mention includes AOL, Qwest, and other major providers, basically anyone who blocks spam. I believe the chances of Harris winning are about the same as unlimited bandwidth being true, non existent.

I also believe that laws alone will accomplish little, especially given the global nature of the Internet. It will take a combination of laws and technology (much of it exists now) to put an end to spam.

One of the things MAPS does is help educate companies in an effort to prevent spam. Yesmail did itself a lot of harm by refusing to go to the confirmed opt-in method (the only one that ensures you don't spam) and is now blocked by perhaps hundreds of systems independently of MAPS.

With all due respect, I believe your lack of understanding about MAPS is reflected in the finding of your company that you would lose 20% of your customers for instituting anti-spam measures.

There are other anti-spam measures that would indicate otherwise. For instance, one host I used had a feature in their control panel that allowed users to add domains and IP addresses to be blocked. I believe it did it by writing to the access.db file in sendmail. I used it faithfully and the amount of spam I got was reduced considerably. No one spammed me twice.

My spam level went up after leaving that dreadful company, though it os once more declining since I got my own server and began instituting protective measures. Though I have a fraction of the customers you do, they do appreciate a reduction in it. I help them with tips on avoiding getting on lists to begin with as well as blocking spam if they do.

At any rate, the primary focus of this discussion is overall security (which must include spam), especially the poor choices some hosts make in their software, and their inadequate configurations.

I'm not sure if my isp used MAPS but I have noticed that since yesterday afternoon, I got my first pile SPAM since using them.

Originally posted by Duster:
There is nothing illegal about MAPS and what it does.

Really? There are laws in the U.S. against blacklisting, which is *exactly* what MAPS does. If MAPS would post, either publicly on their web site or even privately after you've acknowledged whatever license agreement they require, *exactly* what domains they are blocking, and give the option of *unblocking* any that you choose, I would support MAPS efforts wholeheartedly and might even consider using them. It's the fact that they won't even tell you who they are blocking that I find repugnant.

There is nothing illegal about people making choices for themselves.

I agree - but my point is, MAPS prevents people from making choices for themselves because they keep their list hidden and don't allow users to modify it directly.

I fail to understand how you could even think that the right to choose could be illegal.

The right to choose isn't illegal. Blacklisting is.

I believe the chances of Harris winning are about the same as unlimited bandwidth being true, non existent.

I disagree. I believe the chances of Harris winning are very good.

I also believe that laws alone will accomplish little, especially given the global nature of the Internet. It will take a combination of laws and technology (much of it exists now) to put an end to spam.

We agree on this point

One of the things MAPS does is help educate companies in an effort to prevent spam. Yesmail did itself a lot of harm by refusing to go to the confirmed opt-in method

Again, we agree on this point as well.

and is now blocked by perhaps hundreds of systems independently of MAPS.

And that is great - wonderful in fact. If they are doing it independently of MAPS, that's great - that's their choice to make.

With all due respect, I believe your lack of understanding about MAPS is reflected in the finding of your company that you would lose 20% of your customers for instituting anti-spam measures.

I didn't say we'd lose 20% of our customers if we instituted anti-spam measures. I said we'd lose 20% of our customers if we instituted MAPS. The reason for this is that with MAPS, our customers have no control, and worse than that we have no control. So if we were running MAPS, and one of our customers came to us and said "My grandma uses mail.com for e-mail and I can't receive those e-mails, can you allow them through to my account so I can talk to dear ol' granny?", we couldn't do it. And that would cost us a lot of customers.

There are other anti-spam measures that would indicate otherwise. For instance, one host I used had a feature in their control panel that allowed users to add domains and IP addresses to be blocked.

And I fully support a feature of this type. If I could figure out a way to automate this with IMail and provide it as part of our customers' e-mail control panel, I would. Even without the automation if a customer asks us to block e-mail for their account from a specific domain, we happily do so. But we don't block that domain from everyone else's mail server, because they might want to receive that e-mail.

My point (and I"m sorry if my original post did not make this crystal clear) is not that I don't support anti-spam measures - I certainly do support anti-spam measures. I do not support anti-spam measures, such as MAPS, that in order to implement them require a system-wide implementation that locks every customer into having their e-mail filtered whether they like it or not. Many many legitimate e-mails are blocked by the MAPS system (for example, I am on Harris Poll's mailing list - I participate in Harris Polls about once a week. I enjoy doing so. This isn't theoretical, I actually do enjoy participating in these polls. If we had MAPS implemented, I'd stop getting those polls, and I'd stop getting them against my will - I want to get these polls, and just because someone else somewhere on the Internet forgets that they signed up with Harris Polls a year ago they complain to MAPS and MAPS adds them to their list. That is the point I am trying to make.

Anti-spam measures are good. Vigilante black lists are bad.

Just my opinion folks. I hope my post has been able to clarify things a bit more.

Take care,

Jason Ellis, CEO
Hosting Solutions, Inc.


------------------
Jason Ellis, CEO
Hosting Solutions, Inc.
www.windowswebhost.com (http://www.windowswebhost.com)
Now offering Fully Managed Servers!

Duster,

You say
There is nothing illegal about people making choices for themselves

But how many individuals get this choice? They don't, there ISP or web provider makes this choice for them. You are even one of those who block this mail for people on your servers... Where is their choice here?

You also state
With all due respect, I believe your lack of understanding about MAPS is reflected in the finding of your company that you would lose 20% of your customers for instituting anti-spam measures.

First, why is it that in all your posts when someone disagrees with you it is because they "don't understand"?

Second, I believe Jason is correct. No one wants big brother deciding what they can receive and what they cannot. What next, are you going to stop certain people from visiting their sites? The fact is, people don't want someone else deciding what they can and cannot do. If I was on your server and you started blocking email from reaching me I would leave your service in a second!

Scott

Jason,

Our research suggests that we'd lose 20% or more of our user base if we implemented anti-spam measures - something that we certainly can't afford to do as a small company.

You did say anti-spam measures and not MAPS. Obviously, you meant one thing yet said another. MAPS offers several services and only RBL presents the scenario you depict. You could still block mail from open relays, a favorite of spammers.

I agree with you that it would be nice to be able to see which companies are blocked.

At any rate, I originally referred to anti-spam measures in general and cited MAPS as an example of some of what is available. We apparently agree that anti-spam measures can be helpful and only disagree in the execution of some of them.

I'm not going to play armchair judge and argue the legalities involved in the pending court cases. It would accomplish nothing. The courts will settle it.

Scott,

Big Brother properly applies to an oppresive government. I believe the term originated from Erich Frohm's 1984 in reference to a totalitarian government. It is entirely inappropriate when referring to a peer group or situations where people have a choice.

You asked, "Where is their choice here?" and supplied your own answer in "If I was on your server and you started blocking email from reaching me I would leave your service in a second!" There is the choice.

Actually, since the information is posted on my web site, you would have known about it before using my services.

Your remark about not understanding as regards people who disagree with me is so ridiculous as to not be worth addressing.

I didn't intend this to be a discussion on the merits of RBL. There are many anti-spam measures that can be taken, and overall server security at many companies could be much greater. That was my point.

Anyone wishing to debate the merits of the various MAPS services or just learn more about anti-spam measures can do so in the news.admin-net-abuse.email newsgroup


[This message has been edited by Duster (edited 08-03-2000).]

Originally posted by Duster:
There's a good article on the subject at http://www.securityportal.com/closet/closet20000705.html It is entitled "Why do vendors ship us junk they wouldn't use?"

Dedicated server companies are equally to blame. They have a stock configuration, duplicated on all their ready to install drives, without even minor security precautions in place.

It would be great to see a company whose stock configuration was an excellent one. This could include sudo instead of su, qmail instead of sendmail, ProFTP instead of Wu FTP, and Open SSH instead of Telnet, just for starters. Anti-spam features would be another welcome choice.


because the licensing agreements of sudo, qmail, proftpd, SSH , etc; PROHIBIT the distribution of its software in packaged linux distributions.

1984 was by George Orwell, BTW. :)

Anyhow, Big Brother has come to mean more than oppressive government, since like anything else, its meaning has changed over the years and through popular use of the phrase. I can see why some people don't care for MAPS and why they might consider it a Big Brother type of approach, given that we are a control-conscious society in general.

------------------
Annette
Hosting Matters, Inc.
http://www.hostmatters.com

George Orwell was a nom de plume of Erich Frohmm, as Mark Twain was that of Samuel Langhorne Clemens.

Given that using any MAPS services is still a voluntary choice, alluding to totalitarianism or heavy handed control is inappropriate. People popularly refer to the year 2000 as the beginning of the next millenium also, and misuse the term "light years" to indicate time, but that doesn't make them right.

Sweede,

Thanks for the info. This has to be a subject you're interested in. ;-) I've read very little about their specific licensing requirements. They may distinguish between
software offered on servers and that distributed, as Red Hat and others do, on CD-ROM. In discussion with DI, I did learn that the copyright runs out on Open SSH around the 20th of this month and there may be plans to offer it afterwards.

There are companies that offer more secure programs (see Daniel's above). It would be nice if there were more of them. It would save many people from having to redo the entire box to make it much better. ;-)

George Orwell was a nom de plume of Erich Frohmm, as Mark Twain was that of Samuel Langhorne Clemens.

Yes, I know this - it was more for those people (like the person who dropped me an email earlier) who have no idea who Erich Frohmm is, but who have heard of George Orwell.

Given that using any MAPS services is still a voluntary choice, alluding to totalitarianism or heavy handed control is inappropriate. People popularly refer to the year 2000 as the beginning of the next millenium also, and misuse the term "light years" to indicate time, but that doesn't make them right.

It isn't voluntary for those people who may be hosted by someone who uses the MAPS list - this is the point. Their only option in that case is to move to a different provider, which stinks if they're happy with their current host otherwise. And it doesn't really matter how people misuse words - just because it isn't semantically correct isn't going to stop them from using phrases like that, and you know as well as I do how hard it can be to correct things like that once it's entered popular usage.

Peace, dude.

------------------
Annette
Hosting Matters, Inc.
http://www.hostmatters.com



[This message has been edited by Annette (edited 08-03-2000).]

it was more for those people (like the person who dropped me an email earlier) who have no idea who Erich Frohmm is, but who have heard of George Orwell.
Obviously, it made some people think. It challenged what they believed to be true and they investigated. That is a good thing (and admittedly part of the reason I used his real name).

It isn't voluntary for those people who may be hosted by someone who uses the MAPS list - this is the point. Their only option in that case is to move to a different provider,

But they have that choice. They may not like it, but they have a choice. In a totalitarian regime, or any kind of complete control situation, you usually lack the ability to make any choices.


And it doesn't really matter how people misuse words - just because it isn't semantically correct isn't going to stop them from using phrases like that, and you know as well as I do how hard it can be to correct things like that once it's entered popular usage.


Sure. Take a word most of us are familiar with, spam. Too many people misuse it to mean any advertisement or anything they don't like, when that is clearly not the meaning. You cant stop them from using it, but neither does it make them right in doing so. Another commonly misued term is hacker.

What is especially regretable is when news media misuses terms and reports false information, as they frequently do. Even CNN, sometimes praised for covering major news that others overlook, referred to the year 2000 as the beginning of the next millenium (and may have referred to the non-existent millenium bug).

That accounts partly for why I accept little at face value and prefer to research anything important enough to me. You simply can't trust what many believe to be true. It's not that they are lying, it's just that they may be mistaken. Also, even if seemingly correct, most people don't probe past superficial answers. One must often dig deep to get to the truth, which many people filter through their own expectations, experiences and beliefs.

That gives some inkling why a truly intelligent person cannot be arrogant (in my belief) for they realize that what they believe to be true is subject to change, and that the quest for the nature of things, the truth so to speak, is important. Being right (for its own sake) is not. Also, all of us, even the most intelligent, make errors, another reason not to be arrogant. We could be mistaken at any time. It's all part of being human.

Computers (in any part of it) are a perfect example. Things are changing constantly and what was true yesterday may be no longer true today. If one wraps their ego up in being right or being cocksure about their knowledge, computers can be a humbling experience for they will surely be wrong at
some point.

LOL - you and I are quite a bit alike.

I'm all in favor of intellectual curiousity; however, the rational side of me understands that most people are apt to take what they get or incorporate trendy phrases into their vocabulary wihtout any real thought ("Just do it!", "Where's the beef?", "spam"). I've always been interested in linguistics and semantics, and popular culture is rife with opportunity to indulge that curiousity.

It doesn't make people right to use, say spam, to describe just anything they don't like showing up in their mailbox or in a newsgroup. But because the term has become widely used with that associated definition, companies resposible for maintaining their networks have adopted the same definition, because that's how their clients view things - and clients, of course, drive the business.

Regarding the whole choice issue: sure, technically people have the choice to leave a host that uses MAPS to block mail. A larger question could be: would a host really want an otherwise happy client to leave their service over this issue?

------------------
Annette
Hosting Matters, Inc.
http://www.hostmatters.com

Originally posted by Annette:
LOL - you and I are quite a bit alike.


I noticed that too long ago.


But because the term has become widely used with that associated definition, companies resposible for maintaining their networks have adopted the same definition, because that's how their clients view things - and clients, of course, drive the business.

But it serves no one to be inaccurate, regardless of the motivation. They become part of the problem and unclear in their communications when they do so. They tend to lose trust in the process.

If a hosting company says "We do not tolerate spamming" without defining it (properly), it means nothing. By incorrect usage, nearly every company here has spammed and could be cancelled for doing so (under the misuse of the term). The reality is, though, that no company has spammed here, or possibly could.

When news media, which once was presumed to report the truth, spreads hysteria about the Y2k bug (some even called it a virus), refers to us being in the next millenium already (can't reporters count to 10 anymore) use terms like light years (and many others) wrongly, it makes intelligent people question everything they say. If they can't get the simple things right and won't use a dictionary, how can anything they say be trusted? Quite simply, it can't.
The news media reports what is popular, not what is true.

I won't discuss the MAPS issue any more. The newsgroup I mentioned is the appropriate place for that. I will say, in a broader context, that companies should let their potential customers know everything that affects them beforehand. If there is a change in policy that could have any possible adverse affects, customers should be notified with sufficient time to make a sound decision and make a change if necessary. This could be a price increase or anything else of importance. I think a minimum of 30 days notice would be a fair and reasonable thing to do.

[This message has been edited by Duster (edited 08-04-2000).]

Originally posted by Annette:
But because the term has become widely used with that associated definition, companies resposible for maintaining their networks have adopted the same definition, because that's how their clients view things - and clients, of course, drive the business.


Annette,
I have one word for you that makes my point.

Slander.

;-D

Jason et al,

As a point of information (and not for further discussion, please), you can look up and see if a particular domain is listed on the MAPS RBL. You have to do it by IP address as it won't work by host or domain name, but at least you can look it up. Just go to http://mail-abuse.org/cgi-bin/lookup

You can also check at Sam Spade. See http://samspade.org/t/ There, you can look up by domain name.


[This message has been edited by Duster (edited 08-04-2000).]

Originally posted by Duster:
Annette,
I have one word for you that makes my point.

Slander.

;-D

LOL - true enough, but that's a legal term, and most companies have real attorneys to help them with that definition. :)



------------------
Annette
Hosting Matters, Inc.
http://www.hostmatters.com

And light years is a scientific term. The point is, what is popularly used may not be right no matter how many people use it or believe it.

Ignorance (and especially stupidity) can be contagious. Opt for immunization. (Fortunately, some peole have a natural immunity).

A bit of a corollary to this discussion: http://www.theregister.co.uk/content/1/12376.html

------------------
Annette
Hosting Matters, Inc.
http://www.hostmatters.com

Originally posted by Sweede:
because the licensing agreements of sudo, qmail, proftpd, SSH , etc; PROHIBIT the distribution of its software in packaged linux distributions.


Not true. The Open SSH site says
Free Licensing

OpenSSH is not covered by any restrictive license. It can be used for any and all purposes, and that explicitly includes
commercial use. We feel that the world would be better if routers, network appliances, operating systems, and all other network
devices had ssh integrated into them.
Qmail's site mentions which versions can be distributed and does not mention any limitations. It also says, among other things,
If you want to distribute modified versions of qmail (including ports, no matter how minor the changes are) you'll have to get my
approval. This does not mean approval of your distribution method, your intentions, your e-mail address, your haircut, or any
other irrelevant information. It means a detailed review of the exact package that you want to distribute.
I've e-mailed them for specifics and confirmation.

ProFTP's site isn't working at the moment (perhaps due to maintenance). The article I referenced above says
A far superior replacement is sudo, which Red Hat now ships with 6.2.

I suspect ProFTP would also allow distribution, and will confirm or refute it when I can.

That removes any reasonable excuse a hosting company would have for making poor choices in the programs it offers and supports.

I was able to access the Pro FTP web site and confirm that they too allow distribution of their software. I also hear from Russell Nelson of Qmail. Not only do they allow distribution, but he does not consider qmail installed on servers by companies like DI, DN, and others, to be distribution.

That reiterates my initial point that hosting companies have no excuses for the poor choices thay make in the software they install and offer us. With better choices, we would have better security and less problems.