…and it does. Below is the header from a mail generated by an “email this tracking page to somebody” web request via their website. WTF is “+0000 (EST)” in the Date field value? Really. Is it Canada Post that sucks, SAP, or both? Well I know for the most part Canada Post sucks and, well, SAP sucking on this point wouldn’t surprise me at all.
This really reinforces my feeling that their panic-inspired product e-Post probably sucks and is likely prone to getting caught up in anti-spam systems.
In any case, being dumb costs you. For this stupidity SpamAssassin awards you with:
50_scores.cf:score INVALID_TZ_EST 2.601 2.065 2.265 2.696
50_scores.cf:score DATE_IN_PAST_03_06 2.299 1.394 1.306 0.044
Which is:
4.9 for set 0 — which lucky for them is the only thing that hits in set 0.
3.459 for set 1 — it’s a good thing the body is formatted to avoid checksum database hits.
Set 2 and 3 scores are pretty safe as long as the user’s bayes database doesn’t take off in the wrong direction (I hit BAYES_50).
Oh yeah, they forge the mail from: too! Idiots.
Return-Path: <sender@example.net>
Received: from OT1LF900.CPC (mailoutcpc.canadapost.ca [66.110.6.70])
    by mx-04.dostech.net (8.13.8/8.13.8) with SMTP id l4FKMgXq005778
    for <recipient@example.com>; Tue, 15 May 2007 16:22:43 -0400
Received: from (10.130.62.19) by OT1LF900.CPC via smtp
    id 0969_7d2e5b8a_034c_11dc_8ee3_0002b3da1013;
    Tue, 15 May 2007 21:26:36 -0400
Received: from canadapost.ca ([10.100.21.29]) by cpcw1003.cpggpc.ad with Microsoft SMTPSVC(6.0.3790.211);
    Tue, 15 May 2007 16:22:42 -0400
Date: Tue, 15 May 2007 16:22:41 +0000 (EST)
From: sender@example.net
Subject: =?iso-8859-1?Q?Event_Notification_/_Avis_d'activit=E9?=
To: recipient@example.com
Reply-To: sender@example.net
Message-ID: <ADR32000002408715@canadapost.ca>
MIME-Version: 1.0
Importance: Normal
X-Priority: 3 (Normal)
X-Mailer: SAP Web Application Server 6.40
Content-Type: text/plain;
    charset="iso-8859-1"
Content-Description:
    =?iso-8859-1?Q?Event_Notification_/_Avis_d'activit=E9?=
X-OriginalArrivalTime: 15 May 2007 20:22:42.0226 (UTC) FILETIME=[CA55D120:01C7972E]
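The two conditions those rules react to can be reproduced from the header above. This is an added example, not SpamAssassin's rule code and not from the original post: the finding labels, the zone table and the function names are assumptions made for illustration, and the header values are copied from the message shown.

```python
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Offsets (minutes east of UTC) that each abbreviation can legitimately accompany.
ZONE_OFFSETS = {"EST": -300, "EDT": -240, "CST": -360, "CDT": -300,
                "MST": -420, "MDT": -360, "PST": -480, "PDT": -420,
                "GMT": 0, "UTC": 0}

TZ_WITH_COMMENT = re.compile(r"([+-])(\d\d)(\d\d)\s*\(([A-Za-z]+)\)\s*$")
TRAILING_COMMENT = re.compile(r"\s*\([^)]*\)\s*$")

# Values copied from the header shown above.
DATE_HEADER = "Tue, 15 May 2007 16:22:41 +0000 (EST)"
RECEIVED_HEADER = ("from OT1LF900.CPC (mailoutcpc.canadapost.ca [66.110.6.70]) "
                   "by mx-04.dostech.net (8.13.8/8.13.8) with SMTP id l4FKMgXq005778 "
                   "for <recipient@example.com>; Tue, 15 May 2007 16:22:43 -0400")

def tz_comment_mismatch(date_value):
    """Return (offset_minutes, abbrev) when the numeric offset contradicts
    the zone named in the trailing comment, otherwise None."""
    m = TZ_WITH_COMMENT.search(date_value)
    if not m:
        return None
    sign, hh, mm, abbrev = m.groups()
    offset = (int(hh) * 60 + int(mm)) * (-1 if sign == "-" else 1)
    expected = ZONE_OFFSETS.get(abbrev.upper())
    if expected is None or expected == offset:
        return None
    return offset, abbrev

def parse_header_time(value):
    """Parse an RFC 2822 timestamp, ignoring a trailing (comment)."""
    dt = parsedate_to_datetime(TRAILING_COMMENT.sub("", value.strip()))
    # "-0000" parses as a naive datetime; treat it as UTC so subtraction works.
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def date_lag_hours(date_value, received_value):
    """Hours by which Date: trails the timestamp the receiving MTA recorded
    (the part of Received: after the last ';')."""
    stamp = received_value.rsplit(";", 1)[1]
    delta = parse_header_time(stamp) - parse_header_time(date_value)
    return delta.total_seconds() / 3600

def check(date_value, received_value):
    """Return the list of findings (labels are this example's own)."""
    findings = []
    if tz_comment_mismatch(date_value):
        findings.append("tz_comment_mismatch")
    if 3 <= date_lag_hours(date_value, received_value) < 6:
        findings.append("date_3_to_6h_in_past")
    return findings

if __name__ == "__main__":
    print(check(DATE_HEADER, RECEIVED_HEADER))
```

Because the sender stamped local wall-clock time with a +0000 offset, the Date: value lands four hours behind the time the receiving MTA recorded, so one mistake trips both checks.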
May 15th, 2007
After years of sitting on my wallet not wanting to spend the money on any of the available outdoor 2.4GHz or 900MHz radios intended for long range use, I finally had a bit to drink on my birthday and started ordering stuff to set up a wireless link from my house to work so that I could get a better than 19,200bps internet connection. It turns out I couldn’t get high enough to get a stable link between my house and work due to a heck of a lot of noise in the direction of the office (and a lot of tall trees cutting down the SNR) so I gave up hope on free high speed internet access and went knocking on my closest neighbors’ doors. I found a guy willing to let me put an antenna on his garage in exchange for me paying for his cable internet.
Pictured below is the gear located at my house. It’s a 24 dBi grid antenna connected to a Linksys WRT54-GL via 10 feet of LMR-400 all mounted to the windsock tower on the far side of the runway next to my house, about 400′ away. The remote site is located on the right side at the tree line on the horizon 3km away. The link SNR is 30 dB. It runs at 54 Mbps.

Pictured below is the Linksys WRT54-GL, a Linksys 12 volt PoE adapter, an ethernet lightning protector and a 0-3GHz coax lightning protector all mounted in a gutted Federal Pioneer disconnect box. So far the Linksys gear has had no problems with -10 degree Celsius temperatures.

Cost for just the link (two radios, two antennas, two coax lightning protectors, two 10′ LMR-400 cables) was about $600 CDN. Another $700 or so was spent on 500′ of outdoor Cat5e (no problems with a 380′ ethernet segment between the Linksys WRT54-GL and a DLink Switch II 5 port switch), a pair of ethernet surge protectors, a PoE adapter, some surge protector power bars, another WRT54-GL to act as a NAT router at the remote end with the cable connection, and a pair of D-Link PowerLine HD Ethernet Adapters (BoPL adapters) to make a connection between the guy’s house with the internet connection and his garage that I attached the antenna and radio to.
April 27th, 2007
I’m an idiot. How over the span of 4 years I didn’t figure out that it was my Creative SB Audigy 2 causing my system to lock up I don’t know. I could have sworn that the card had sat on my desk while the problems continued. As far as I know (and I really don’t care to really look into it) the Audigy 2 doesn’t like whatever chipsets were used by Asus for their A7A266s and A7Vs. Nor do they like to run on MSI KT4Vs. Setting PCI latency to an insane value of 256 doesn’t help (at least on the KT4V). As soon as the system asks the card to do something there’s a good chance it’s going to hang the system.
Of course I never noticed the correlation between “sound” and “crash” since, before two weeks ago, I very rarely had my stereo switched to the computer sound. Usually it was on the radio or television. After getting a high speed wireless link set up on April 7th and listening to radio stations over the internet, and experiencing 6+ system lockups a day a couple days in a row, I finally clued in.
Frickin’ Creative. Not even the absurdity of buying THX from Lucasfilm and giving THX approval to all your sound cards (how does that work… I’ve got the requirements for cinema THX specs and they don’t appear to apply very well to computer sound cards) could make me want to run out and buy another one from you. I can’t believe that the best sound card I ever had was an Adlib Gold (straight from the 80’s).
April 18th, 2007
After months of people bugging me to join Facebook I finally joined on the weekend. My first impression was, “wow they’ve really got a nice, well laid out, clean interface”. That changed last night while I was browsing the site at the same time they changed to their new layout which, in a word, blows.
The old layout had everything in a small compact column along the top left side. Now there’s some stuff in the old location, some stuff along the top left of the page, and some stuff on the top right of the page. So now, instead of ever so slightly rolling your hand and clicking you’ve got to move the pointer all over the place. Maybe I’m lazy, or maybe it really does suck. This Facebook group seems to agree that it sucks.
April 11th, 2007
It’s about f*#cking time.
As announced back in December, wireless number portability (WNP) is to be available today in BC, AB, ON and QC. The rest of the country (and population wise, that’s probably less than a quarter of the country) will likely have to wait a while (probably until at least September 12, 2007 or for one provider to try to beat their competition to the punch) for port-in facilities since they are currently only being offered port-out facilities; “here’s your number, you can’t use it”.
I can’t wait to stick with my current provider while knowing that if I wanted to I could switch providers, go through the hassle of finding, and of course buying, a non-flip/slide/stupid GSM phone while getting to keep the number I’ve had for a long time. Really, it’s good news. No really, it is, I just don’t imagine there’s much to gain (for me) from a different provider’s rate plan. Technology isn’t an issue… I like CDMA. I like that my CDMA phone also has analog capabilities (which could stop working everywhere in a year or less anyway). In the event that I ever find myself in GSM only land, well, I hope it’s on vacation.
Anyway… I can’t wait to see all the people who switch between Bell Mobility and Telus or Rogers Wireless and Fido looking for better call quality from the same cellular network, rather than for rate plan/whatever else reasons.
March 14th, 2007
There’s only one thing that drives me nuts about daylight time; people (nearly everyone) who insist on calling it “Daylight Savings Time”. There are no savings folks, you can’t deposit sunlight into your bank account. At least you can’t at my bank, where you’re having a good day if you get to deal with someone who can successfully deposit real money into your account. Other than that, I love daylight time… I get to sleep longer without being bothered by the pesky sun.
It’s Daylight Saving Time. If you need practice, repeat the following sentence a few times before bothering me.
“I don’t want to pay Microsoft $4000 for the hotfix to make the Daylight Saving Time change on my Windows 2000 machines, can you help?”
March 12th, 2007
Apache SpamAssassin 3.1.8 was released on Wednesday. It would be a good idea for most people to update — especially those processing a lot of mail for a lot of users/domains. People using sa-update with channels from sources that they don’t particularly trust to adequately secure their channel against compromise should also update. With versions prior to 3.1.8, a channel that you use, if compromised by a malicious party, could turn your SpamAssassin install into a spambot (or do anything else that could be done with the privileges sa-update or other SA software runs with on your machine). Cool. The spambot possibility is the reason I pushed for the new --allowcode option (disabled by default).
Speaking of sa-update channels. People using the “Openprotect” channel are shit-out-of-luck for now if they’re using 3.1.8. Apparently they publish a separate TXT record for each version of SpamAssassin. Actually, it’s not even each version of SA that supports sa-update — only versions 3.1.3-3.1.7 are currently supported by their channel. I suspect that their free DNS provider (speaking of not totally secure channels — make sure you’re not disabling the gpg key check for this channel since they outsource their DNS) doesn’t allow wildcards. I don’t know why they wouldn’t anticipate new releases in advance, though, and add records for, say, versions up to 3.1.15, or at least one more than the version number in the current release.
Oh yeah… people using the “Openprotect” channel may or may not be affected by the new “--allowcode” thing in sa-update. The “Openprotect” folks decided to enable 12 plugins for you in their updates. Some of these plugins aren’t enabled by default in the SA distro and sa-update now won’t load these plugins (using the loadplugin lines in the updates, anyway) without you including the “--allowcode” option in your call to sa-update. Depending on whether or not their rule files include the proper “ifplugin” lines the channel might not pass a lint (and thus not be installed) if you haven’t loaded the required plugins yourself in your system config (which sa-update now uses to load the plugins you’ve enabled in your setup when linting an update).
Now that I’ve probably pissed off everyone involved with the “Openprotect” channel and all those who use it (really that’s not my intention — I’m trying to give people a heads up so that they don’t waste a bunch of time trying to figure out what’s going on) I’ll point out that the SARE sa-update channels that I provide aren’t at all affected by any of this. My channels are also a lot more flexible… you get to pick your own rulesets. See this page for usage details or this post for why I set these channels up.
February 15th, 2007
Twice this month I was reminded why when you’re relying on someone else to back up data to any sort of removable media (or any media at all really, but removable media seems to be the worst) you should always if at all possible keep as many duplicate copies of the data being backed up on the same network (or if necessary, same machine) as the source data.
Why? Without fail, the most technologically clueless person in the organization will blindly destroy the backups — all of the backups — that they know about whenever there’s a problem accessing the source data on the system. Always. The big red letters on the backup media itself saying not to do a backup if they’re having problems and to call whoever manages the system will never stop them. Nor will all the messages, saying the same thing, that the backup process spits out.
I’ve managed a number of point of sale stations and networks for a number of small (sales under 5 million or so a year) independent retailers for about 15 years. A lot of the systems are quite outdated — lots of Racal InterLan token ring gear, 10base5, Novell 2, NetWare Lite, LanMan, 386s, some Samsung 286s, and a whole lot of dBase. Along with the dBase comes a number of programs that can’t resist corrupting any dBase database they touch, the worst being early 90s era VendorWare. With dBase and VendorWare you’d better have rolling backups coming out of your ass.
Anyway… both times this month it was a case of corrupted dBase databases and VendorWare. As long as you’ve got a recent backup of the database it’s easy to fix after a VendorWare program has trashed the database since 99% of the time it trashes a database that rarely changes or doesn’t have any data you can’t easily get back in sync. Well, what do you know, before contacting me both of the organizations decided (like usual) that they’d try to make it work themselves. The first step in their troubleshooting process… try doing a backup to each set of backup media (overwriting the backups of the working database) and checking to see if things magically started to work.
Here’s the great thing about point of sale systems (POS) these days; they’ve almost always got a tonne of free disk space. This applies to both current POS software and ancient POS software. The ancient stuff was designed to run on systems with 40 or 80MB of space… most of those systems now have at least 512 MB partitioned (usually on a 10 or 40+ GB disk with an overlay on it). With all of that free space you’ve got lots of room to keep a week, or a month, or even a couple months of daily (or more often) copies of their databases right on the same disk. It’s useless if the disk goes up in flames/whatever — that’s why you’ve got the removable media — but it’s priceless for when there’s just data corruption caused by the POS software; you’ve got all the copies you’ll need to get the database back in a functional state.
Of course, if the users didn’t blindly sabotage any chance of you using the removable media, the on disk copies wouldn’t be necessary (although the on disk copies are so much faster to use anyway), but if there’s one constant I’ve found with these types of installations (or any installation really) it’s that no amount of training, warnings, documentation, or whatever, is going to stop them from trashing your only backups — if they know about them.
Bottom line, keep backup copies on the same system as the source data and don’t tell them about it. If you tell them about it they’ll surely delete it, somehow. There shouldn’t be any sort of liability issue with it… if they’re purposely trying to destroy data (say to avoid pesky tax auditors, or whatever reason you can imagine someone would want to destroy their data for), anyone competent enough to figure out where the POS software is storing its data should notice the backups on the disk. You can usually get away with making it quite obvious to them too… store the backups in directories called backup.1, backup.2…, in the main volume… the clueless staff won’t notice them (the malicious staff is a different story — but that requires a whole different backup strategy).
February 1st, 2007
Looking at my httpd logs for the sa-update channel for SARE’s 70_sc_top200.cf that I host at 70_sc_top200.cf.sare.sa-update.dostech.net (howto), I’m wondering why about 25% of the IPs (and about 17% of the /24s) use it. If you’re running network tests SpamAssassin already queries SpamCop by default, so if you’re also using this channel (or ruleset via RDJ directly from SARE) you’re just adding a, usually outdated, copy of the same data you’re getting via DNS lookups.
My guess is that there’s a lot of people just not paying too much attention. I can’t imagine that there’s that many systems running without network tests, at least not on purpose (I know there’s a lot of people that think they’re using network tests, or all the tests available to them, but don’t realize that their distro disabled network tests by default).
I mentioned that the SpamCop data in this channel/ruleset is usually outdated… here’s a list of the updates since the beginning of December (I don’t know why Fred hasn’t automated the updates, last I heard he was manually uploading the ruleset — which itself is generated automatically):
Dec 1 13:04 200612011100.tar.gz
Dec 1 19:04 200612011700.tar.gz
Dec 2 15:04 200612021300.tar.gz
Dec 2 16:04 200612021400.tar.gz
Dec 5 18:04 200612051600.tar.gz
Dec 6 14:04 200612061200.tar.gz
Dec 6 18:04 200612061600.tar.gz
Dec 9 13:04 200612091100.tar.gz
Dec 13 18:04 200612131600.tar.gz
Dec 23 16:04 200612231400.tar.gz
Jan 2 11:24 200701020900.tar.gz
Jan 8 10:24 200701080800.tar.gz
Jan 9 12:24 200701091000.tar.gz
The update frequency is just weird… in the past I’ve noticed that it is sometimes updated three times in the span of two hours and then not updated again for weeks.
January 11th, 2007
I’ve known of Rogers doing this for years, but of course, I forgot all about it until it happened to me.
About a month ago I was having problems with a Linksys WRT54G locking up sporadically. Knowing some of the Linksys $10 routers have had issues under load, probably running out of memory or something, I configured a server running a SpamAssassin daemon (spamd) to forward all of its DNS queries to the DNS server assigned by Rogers via DHCP in an attempt to decrease the amount of state data the router had to keep track of for all the UDP queries.
That seemed to help a little, but not much. A firmware update released in December seems to have fixed it, but that’s beside the point.
The problem with using Rogers’ DNS server is that they run a script on their query log that looks for clients who send a lot of queries that result in NXDOMAIN, indicating a machine that could be a spam zombie or otherwise infected by malware. The problem is that the script doesn’t care what the queries were for, just that they returned NXDOMAIN. So if you’re using SpamAssassin, or any other anti-spam method, and are using any sort of DNSBL, you’re going to end up getting a lot of NXDOMAIN results. Specifically, you’re going to get lots of them for every message you check.
So anyway, without any notice (of course), Rogers disabled the highspeed internet service to the cable modem this was all sitting behind. After spending two hours on hold waiting to talk to someone, I managed to (a) get them to re-activate the service, (b) tell the poor guy who insisted I try and get a position in their networking department why what they were doing was a pretty good idea, but could be implemented better, and (c) find out that the threshold for NXDOMAIN query results in a single day is really low, as in “like way less than 300”. For someone filtering their own mail to one or two addresses, it’ll probably only take them a few minutes (and certainly no more than an hour) to hit 300 NXDOMAIN results. I know that mail to just my personal domain will trigger that in only a few seconds.
Once the service was re-activated, I configured Bind to forward all queries to my own DNS servers which have a huge cache of “spam query” results (so it’s probably faster than just doing the queries recursively on this low volume machine).
Anyway… Rogers could do better by paying attention to the number of domains that are causing the NXDOMAIN results. In my case, all of the NXDOMAIN results were in response to queries to only a half dozen domains, like multi.surbl.org and multi.uribl.com. Certainly not a pattern consistent with a spam zombie — at least not an effective one (it could be one whose master host/domain has been kicked off the net). I’d think that the trade-off in not detecting infected, but ineffective, hosts over the false positives in cases like mine would be acceptable, especially considering that Rogers blocks port 25 in and out — which is great.
Anywho… if you’re a Rogers Highspeed Cable Internet customer, and you’re running SpamAssassin, or whatever, or do a lot of DNS queries for some other reason, I’d avoid using their DNS servers if you want to avoid having your connection disabled.
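The difference between counting NXDOMAIN answers and also counting the domains that produced them, as an added example that is not Rogers' script and not from the original post: the log format, client addresses, queried names and the 20-domain limit are constructed for illustration, and 300 is the figure quoted above.

```python
from collections import defaultdict

def parent_domain(qname):
    """Naive parent domain: the last two labels (assumption; production code
    would consult the Public Suffix List)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def summarize(log_lines):
    """Per client: NXDOMAIN count and the set of parent domains behind them.
    Each line is 'client qname rcode' (constructed format)."""
    stats = defaultdict(lambda: {"nxdomain": 0, "domains": set()})
    for line in log_lines:
        client, qname, rcode = line.split()
        if rcode == "NXDOMAIN":
            stats[client]["nxdomain"] += 1
            stats[client]["domains"].add(parent_domain(qname))
    return stats

def flag_by_count(stats, max_nx=300):
    """Count-only rule: flag anyone over the NXDOMAIN limit."""
    return sorted(c for c, s in stats.items() if s["nxdomain"] > max_nx)

def flag_by_spread(stats, max_nx=300, max_domains=20):
    """Refined rule: over the limit AND spread across many parent domains.
    max_domains=20 is a hypothetical value."""
    return sorted(c for c, s in stats.items()
                  if s["nxdomain"] > max_nx and len(s["domains"]) > max_domains)

def sample_log():
    """Constructed one-day query log for three clients."""
    lines = []
    lists = ["multi.surbl.org", "multi.uribl.com"]
    for i in range(400):
        # 192.0.2.10: mail filter, every miss is a lookup under two URI lists
        lines.append(f"192.0.2.10 site{i}.example.{lists[i % 2]} NXDOMAIN")
        # 192.0.2.20: misses scattered over hundreds of unrelated domains
        lines.append(f"192.0.2.20 mx.rcpt-domain{i}.invalid NXDOMAIN")
    for i in range(5):
        # 192.0.2.30: ordinary desktop with a handful of typos
        lines.append(f"192.0.2.30 typo{i}.example NXDOMAIN")
        lines.append(f"192.0.2.30 www{i}.example.com NOERROR")
    return lines

if __name__ == "__main__":
    stats = summarize(sample_log())
    print("count only:", flag_by_count(stats))
    print("count + spread:", flag_by_spread(stats))
```

The count-only rule flags the mail filter and the scattered client alike; adding the spread test leaves only the client whose misses span hundreds of parent domains.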
December 31st, 2006