zen.org Communal Weblog

April 10, 2008

Spring Critters

Filed under: — sven @ 14:20 GMT

Robins have been around for a few weeks. Last weekend I saw some bees flying around, but got sad when I found a dead carpenter bee in my garden. Hopefully he just stayed out a little too long in the cold. Last night I clinched Spring's arrival: Linus and I were walking back from an evening walk along the canal and we saw bats. No sight of the white groundhog though.

March 29, 2008

Using postfix to block spam botnet traffic

Filed under: — brendan @ 11:48 GMT

A friend of mine is set up with a satellite Internet connection to his home in a not-all-that-rural part of Ireland. He’s been hosting his domain from there, with all email traffic and such going to his local server. Until recently, it was a perfectly workable solution, even with the normal supply of spam, virus, and other junk mail arriving.

But nearly two weeks ago, his domain came under attack from a bunch of spam botnets. Uncountable messages were forged to various places, all of them with the Sender: header set to totally random addresses @domain.ie. Unfortunately his ISP said they would not help block the traffic. (As opposed to could not.)

The workaround we came up with pushed his traffic through a virtual-hosted system I have set up over in the US with johncompanies.com (yes, a blatant plug, but I really like their service). There were a few steps I had to take in configuring Postfix before they added the MX record for his domain to reroute everything. (This is on a system running Debian GNU/Linux version 4.0, codenamed etch, using postfix 2.3.7.)

  • In main.cf, add his domain to relay_domains (which already existed for other domains I MX with).
  • Since he uses a lot of different email addresses (to make it easy to catch re-use and selling of them), I didn’t set up a relay_recipient_maps hash table. That would have been even cooler with its ability to block every single address except for the few that are in fact valid. In this case, however, he had a number of variants of addresses he used so it wasn’t a practical choice.
  • I added to smtpd_recipient_restrictions the line
    check_recipient_access hash:/etc/postfix/access_recipient

    and created the file /etc/postfix/access_recipient containing

    postmaster@domain.ie    REJECT
    MAILER-DAEMON@domain.ie REJECT

    and then ran postmap access_recipient as root. I should note I did not put in a line like domain.ie OK, which would have let all other mail for the domain go through, but would also have short-circuited any other rules that smtpd_recipient_restrictions tries to apply after my access_recipient entry.

  • I created a /etc/postfix/access_sender file with the lines below. The first line is there because his server never receives legitimate mail from a sender in his own domain.
    domain.ie           REJECT
    MAILER-DAEMON@      REJECT
    MailerDaemon@       REJECT
    abuse@              REJECT
    admin@              REJECT
    Administrator@      REJECT
    autoresponder@      REJECT
    bounce@             REJECT
    info@               REJECT
    majordomo@          REJECT
    Majordomo-Owner@    REJECT
    nobody@             REJECT
    postmaster@         REJECT
    savrequest@         REJECT
    senderchallenge@    REJECT
    spam@               REJECT
    vacation@           REJECT

    Then I had to run postmap access_sender as root. In main.cf, for smtpd_sender_restrictions I added

    check_sender_access hash:/etc/postfix/access_sender

    as well.

  • I found I wanted to add some rules that used regular expressions. After installing the postfix-pcre Debian package, I created a new file /etc/postfix/access_sender.pcre with the lines
    /.*bounces\@/   REJECT
    /confirm-return.*\@/    REJECT

    and in main.cf gave smtpd_sender_restrictions yet another entry of

    check_sender_access pcre:/etc/postfix/access_sender.pcre
  • Following the hints from a post by Justin Mason, I created a new file /etc/postfix/header_checks and gave it the lines
    /^Content-Type: multipart\/report; report-type=delivery-status\;/       REJECT no third-party DSNs
    /^Content-Type: message\/delivery-status; /     REJECT no third-party DSNs

    A second file, /etc/postfix/null_sender, had

    <>      550 no third-party DSNs

    In main.cf I gave the smtpd_sender_restrictions list the new entry of

    hash:/etc/postfix/null_sender

    and also added a new line defining header_checks as

    header_checks = regexp:/etc/postfix/header_checks

    Finally I had to run postmap null_sender as root.

  • In master.cf I had to adjust the smtp unix and relay unix entries to only do 2 processes, not the default of 20, since having my machine try 20 simultaneous connections to his machine wouldn’t help. Under each, respectively, I had to add
    -o smtp_destination_concurrency_limit=2

    and

    -o relay_destination_concurrency_limit=2

    I'm still not certain whether, with the process limit already at 2, these options are actually still needed. I should note that this particular system I was setting up did no other mail delivery, so this change was okay. If you're doing this on a fully production-level host, you might find a different way to throttle the delivery connections going to a specific host, instead of this change, which makes all outgoing mail connections happen only two at a time.

  • He’s closed port 25 on his router to try to at least stop the flood. Instead, he’s opening a random port number (like 1767) and having it listen there for new mail. I’ve made postfix deliver it by creating a /etc/postfix/transport file with the lines
    # 20080327 help fight the flood, tunnel the mail to its real destination, e.g., his server is 1.2.3.4
    domain.ie     :[1.2.3.4]:1767
    .domain.ie    :[1.2.3.4]:1767

    and ran postmap transport as root. Into main.cf I added

    transport_maps = hash:/etc/postfix/transport
  • After all of this was done, I had to run postfix restart.
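As an added illustration that is not part of the original post, the following Python script emulates how Postfix's access(5) lookups treat a few constructed envelope senders under the three smtpd_sender_restrictions entries built above (hash, pcre, then null_sender); it assumes the default parent_domain_matches_subdomains setting and postmap's default case folding of hash keys.

```python
import re

# Subset of the page's hash:/etc/postfix/access_sender. postmap folds keys to
# lowercase by default, so MAILER-DAEMON@ and MailerDaemon@ collapse to one key.
ACCESS_SENDER = {k.lower(): v for k, v in {
    "domain.ie": "REJECT",
    "MAILER-DAEMON@": "REJECT",
    "MailerDaemon@": "REJECT",
    "postmaster@": "REJECT",
    "bounce@": "REJECT",
}.items()}

# pcre:/etc/postfix/access_sender.pcre: patterns are applied to the whole
# address, top to bottom, first match wins; no domain/localpart splitting.
ACCESS_SENDER_PCRE = [
    (re.compile(r".*bounces@", re.I), "REJECT"),
    (re.compile(r"confirm-return.*@", re.I), "REJECT"),
]

# hash:/etc/postfix/null_sender: the key "<>" stands for the empty envelope sender.
NULL_SENDER = {"<>": "550 no third-party DSNs"}


def hash_lookup(table, sender):
    """Emulate the access(5) lookup order for an e-mail address against an
    indexed (hash) table: full address, then the domain and each parent domain
    (assumes default parent_domain_matches_subdomains), then localpart@.
    Returns (action, matching_key) or None."""
    sender = sender.lower()
    if sender == "":
        keys = ["<>"]
    elif "@" not in sender:
        keys = [sender]
    else:
        local, domain = sender.rsplit("@", 1)
        labels = domain.split(".")
        parents = [".".join(labels[i:]) for i in range(len(labels))]
        keys = [sender, *parents, local + "@"]
    for key in keys:
        if key in table:
            return table[key], key
    return None


def sender_decision(sender):
    """Walk smtpd_sender_restrictions in the page's order and return
    (action, rule) for the first entry that fires, or None when nothing
    matches and Postfix moves on to the remaining restrictions."""
    hit = hash_lookup(ACCESS_SENDER, sender)
    if hit:
        return hit[0], "access_sender:" + hit[1]
    for pattern, action in ACCESS_SENDER_PCRE:
        if pattern.search(sender):
            return action, "access_sender.pcre:" + pattern.pattern
    hit = hash_lookup(NULL_SENDER, sender)
    if hit:
        return hit[0], "null_sender:" + hit[1]
    return None
```

Note that a bare domain.ie entry also catches sub.domain.ie senders here, which is why a single line covers every forged address in the domain.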

The end result, with Justin’s rules in particular, has had thousands and thousands of attempts get blocked trying to get through the door. Some still trickle through, even after the amavis/clamav/spamassassin content filter has processed them.

This is the final accumulation (with a few I already had):

smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access_sender,
check_sender_access pcre:/etc/postfix/access_sender.pcre,
hash:/etc/postfix/null_sender

header_checks = regexp:/etc/postfix/header_checks

## Steps from http://www.akadia.com/services/postfix_spamassassin.html
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
reject_unauth_destination,
reject_unauth_pipelining,
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
check_recipient_access hash:/etc/postfix/access_recipient,
check_recipient_access pcre:/etc/postfix/access_recipient.pcre,
check_policy_service inet:127.0.0.1:60000,
permit

(The check_policy_service line is for my use of postgrey, another simple step which drastically reduced the amount of spam my own server was getting.)

Please let me know if any of the instructions above prove to not work out properly for you.

P.S. A command I found handy watching the logs to see what was getting through for attempted delivery, even after everything above:

sudo tail -f /var/log/mail.log | egrep -v '((RCPT|connect(ion)?).* from |smtpd_peer_init)'

March 26, 2008

Paying Irish VAT using a Linux system

Filed under: — brendan @ 14:56 GMT

For the longest time I’ve been sticking with having to only ever visit www.ros.ie using W1ndow$ on my laptop. Being self-employed, every two months I have to give some tax to The Man.

This time, I decided to look again to see if anyone has discovered a way to do this without that other OS. Luckily, I found some notes by Andrew S. Townley explaining exactly how. He’s found the link into the ros.ie site to get at the actual KCrypto Java applet that it uses (and claims fails to start).

As described, I put it into /usr/lib/jvm/java-6-sun-1.6.0.03/jre/lib/ext and restarted Firefox. Now the login page on the site worked fine, and I could get in. Yay!

P.S. I’m doing this under Ubuntu 7.10 (Gutsy Gibbon).

March 13, 2008

Pennsylvanian Delegates

Filed under: — sven @ 16:36 GMT

A Barack Obama supporter rang my door bell a few days ago, wanted me to change my party from Green to Democratic to vote April 22. I have until March 24 to change my party if I wish to vote Democratic then. I didn't change. Over a month until Pennsylvania's primary, with no other delegates up for grabs between now and then. Mrs. Obama is going to be twenty miles from my house today. Hillary Clinton was on the other side of Philadelphia a few days ago. They should publish better schedules; I can't easily figure where they are going to be, though it's easy to figure out where they have been. Vote Quimby!

March 11, 2008

Fixing our true Unicodeness

Filed under: — brendan @ 12:34 GMT

We recently moved zen.org to a different server, and in the process my dump and reload of our MySQL database worked—mostly. However any posts with UTF-8 Unicode characters didn’t get displayed correctly.

After spending too much time trying to figure out how to make mysql and mysqldump help me, I realized I should look around for others who’ve had the same problem.

Voila, Jonkepon in Japan gave the fix for exactly the problem we had. The fix has to do with the collation of the entries in the database, not the actual dumping and importing of the content itself.

Since the newer Wordpress already does their first step with SET TABLE, I just had to go in via phpMyAdmin. For each of post_content in wp_posts and comment_content in wp_comments, I changed the collation of each to binary (noting the type of LONGTEXT or TEXT) and saved it. Then I edited them again and set each to utf8_unicode_ci, and saved them.

Bingo! All is happy and good again. The other tables are all still latin1_swedish_ci (?!), but I’ll leave them alone until we bump into somewhere else that it’s a problem.
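To show why the detour through binary matters, here is an added Python illustration (not from the original post or from Jonkepon's fix) of the two conversion paths applied to a constructed post body; it models MySQL's latin1 as ISO-8859-1, which is an approximation.

```python
# Constructed sample post body with characters that need more than one UTF-8 byte.
ORIGINAL_POST = "Linus was born after a cæsarean section; café, naïve, 余艾蕾"


def bytes_in_mislabelled_column(text):
    """WordPress wrote UTF-8 bytes into a column MySQL had labelled latin1.
    The bytes are valid UTF-8; only the column's label is wrong."""
    return text.encode("utf-8")


def what_the_page_showed(raw):
    """After the move the server trusted the latin1 label and transcoded the
    bytes for the UTF-8 web page, so every multi-byte character became mojibake.
    (Approximation: MySQL's latin1 is treated here as ISO-8859-1.)"""
    return raw.decode("latin-1")


def convert_latin1_to_utf8_directly(raw):
    """The tempting but wrong fix: changing the column straight to utf8 makes
    MySQL transcode latin1 -> utf8, baking the mojibake into the stored bytes."""
    return raw.decode("latin-1").encode("utf-8")


def convert_via_binary(raw):
    """The page's fix: latin1 -> binary drops the charset label without touching
    a single byte, and binary -> utf8_unicode_ci attaches the correct label.
    Neither step transcodes, so the stored bytes are returned unchanged."""
    relabelled_as_binary = bytes(raw)   # step 1: label removed, bytes identical
    return relabelled_as_binary         # step 2: label set to utf8, bytes identical


def render(raw):
    """How a utf8-labelled column is shown on a UTF-8 web page."""
    return raw.decode("utf-8")


def undo_mojibake(shown):
    """Application-level equivalent of the binary detour for text already
    displayed as mojibake: recover the original bytes, then read them as UTF-8."""
    return shown.encode("latin-1").decode("utf-8")
```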

February 28, 2008

Not Linus van Pelt

Filed under: — sven @ 14:49 GMT

Last night, 2008-02-27, Linus Gustave Heinicke was extracted from my wife's belly. Though a cæsarean section was scheduled for leap day, when 余艾蕾 went in for a preop the doctors chose to make the fetus a baby then. He was just under 7 pounds. Height seemed to be well within error tolerance. The finger and toe count added up to twenty.

February 26, 2008

Refreshing Your Dyslexia

Filed under: — sven @ 18:23 GMT
sven@bwf-03:~$ cat get.txt
Four score and seven years ago our fathers brought forth on this
continent a new nation, conceived in Liberty, and dedicated to the
proposition that all men are created equal.

Now we are engaged in a great civil war, testing whether that nation,
or any nation, so conceived and so dedicated, can long endure. We are
met on a great battle-field of that war. We have come to dedicate a
portion of that field, as a final resting place for those who here
gave their lives that that nation might live. It is altogether fitting
and proper that we should do this.

But, in a larger sense, we can not dedicate—we can not consecrate—we
can not hallow—this ground. The brave men, living and dead, who
struggled here, have consecrated it, far above our poor power to add
or detract. The world will little note, nor long remember what we say
here, but it can never forget what they did here. It is for us the
living, rather, to be dedicated here to the unfinished work which they
who fought here have thus far so nobly advanced. It is rather for us
to be here dedicated to the great task remaining before us—that from
these honored dead we take increased devotion to that cause for which
they gave the last full measure of devotion—that we here highly
resolve that these dead shall not have died in vain—that this nation,
under God, shall have a new birth of freedom—and that government of
the people, by the people, for the people, shall not perish from the
earth.
sven@bwf-03:~$ cat local/bin/turn
#!/usr/bin/perl
use warnings;
use strict;
use encoding "UTF-8";

my %turn =
  (
   M => chr(0x019C),
   e => chr(0x01dd),
   a => chr(0x0250),
   h => chr(0x0265),
   m => chr(0x026f),
   r => chr(0x0279),
   t => chr(0x0287),
   v => chr(0x028c),
   w => chr(0x028d),
   y => chr(0x028e),
   k => chr(0x029e),
   i => chr(0x1d09),
   g => chr(0x1d77),
   '&' => chr(0x214B),
  );

while(<>){
    for my $c (keys %turn) {
        s/$c/$turn{$c}/g;
    }
    print;
}
sven@bwf-03:~$ turn get.txt
Fouɹ scoɹǝ ɐnd sǝʌǝn ʎǝɐɹs ɐᵷo ouɹ fɐʇɥǝɹs bɹouᵷɥʇ foɹʇɥ on ʇɥᴉs
conʇᴉnǝnʇ ɐ nǝʍ nɐʇᴉon, concǝᴉʌǝd ᴉn Lᴉbǝɹʇʎ, ɐnd dǝdᴉcɐʇǝd ʇo ʇɥǝ
pɹoposᴉʇᴉon ʇɥɐʇ ɐll ɯǝn ɐɹǝ cɹǝɐʇǝd ǝquɐl.

Noʍ ʍǝ ɐɹǝ ǝnᵷɐᵷǝd ᴉn ɐ ᵷɹǝɐʇ cᴉʌᴉl ʍɐɹ, ʇǝsʇᴉnᵷ ʍɥǝʇɥǝɹ ʇɥɐʇ nɐʇᴉon,
oɹ ɐnʎ nɐʇᴉon, so concǝᴉʌǝd ɐnd so dǝdᴉcɐʇǝd, cɐn lonᵷ ǝnduɹǝ. Wǝ ɐɹǝ
ɯǝʇ on ɐ ᵷɹǝɐʇ bɐʇʇlǝ-fᴉǝld of ʇɥɐʇ ʍɐɹ. Wǝ ɥɐʌǝ coɯǝ ʇo dǝdᴉcɐʇǝ ɐ
poɹʇᴉon of ʇɥɐʇ fᴉǝld, ɐs ɐ fᴉnɐl ɹǝsʇᴉnᵷ plɐcǝ foɹ ʇɥosǝ ʍɥo ɥǝɹǝ
ᵷɐʌǝ ʇɥǝᴉɹ lᴉʌǝs ʇɥɐʇ ʇɥɐʇ nɐʇᴉon ɯᴉᵷɥʇ lᴉʌǝ. Iʇ ᴉs ɐlʇoᵷǝʇɥǝɹ fᴉʇʇᴉnᵷ
ɐnd pɹopǝɹ ʇɥɐʇ ʍǝ sɥould do ʇɥᴉs.

Buʇ, ᴉn ɐ lɐɹᵷǝɹ sǝnsǝ, ʍǝ cɐn noʇ dǝdᴉcɐʇǝ—ʍǝ cɐn noʇ consǝcɹɐʇǝ—ʍǝ
cɐn noʇ ɥɐlloʍ—ʇɥᴉs ᵷɹound. Tɥǝ bɹɐʌǝ ɯǝn, lᴉʌᴉnᵷ ɐnd dǝɐd, ʍɥo
sʇɹuᵷᵷlǝd ɥǝɹǝ, ɥɐʌǝ consǝcɹɐʇǝd ᴉʇ, fɐɹ ɐboʌǝ ouɹ pooɹ poʍǝɹ ʇo ɐdd
oɹ dǝʇɹɐcʇ. Tɥǝ ʍoɹld ʍᴉll lᴉʇʇlǝ noʇǝ, noɹ lonᵷ ɹǝɯǝɯbǝɹ ʍɥɐʇ ʍǝ sɐʎ
ɥǝɹǝ, buʇ ᴉʇ cɐn nǝʌǝɹ foɹᵷǝʇ ʍɥɐʇ ʇɥǝʎ dᴉd ɥǝɹǝ. Iʇ ᴉs foɹ us ʇɥǝ
lᴉʌᴉnᵷ, ɹɐʇɥǝɹ, ʇo bǝ dǝdᴉcɐʇǝd ɥǝɹǝ ʇo ʇɥǝ unfᴉnᴉsɥǝd ʍoɹʞ ʍɥᴉcɥ ʇɥǝʎ
ʍɥo fouᵷɥʇ ɥǝɹǝ ɥɐʌǝ ʇɥus fɐɹ so noblʎ ɐdʌɐncǝd. Iʇ ᴉs ɹɐʇɥǝɹ foɹ us
ʇo bǝ ɥǝɹǝ dǝdᴉcɐʇǝd ʇo ʇɥǝ ᵷɹǝɐʇ ʇɐsʞ ɹǝɯɐᴉnᴉnᵷ bǝfoɹǝ us—ʇɥɐʇ fɹoɯ
ʇɥǝsǝ ɥonoɹǝd dǝɐd ʍǝ ʇɐʞǝ ᴉncɹǝɐsǝd dǝʌoʇᴉon ʇo ʇɥɐʇ cɐusǝ foɹ ʍɥᴉcɥ
ʇɥǝʎ ᵷɐʌǝ ʇɥǝ lɐsʇ full ɯǝɐsuɹǝ of dǝʌoʇᴉon—ʇɥɐʇ ʍǝ ɥǝɹǝ ɥᴉᵷɥlʎ
ɹǝsolʌǝ ʇɥɐʇ ʇɥǝsǝ dǝɐd sɥɐll noʇ ɥɐʌǝ dᴉǝd ᴉn ʌɐᴉn—ʇɥɐʇ ʇɥᴉs nɐʇᴉon,
undǝɹ God, sɥɐll ɥɐʌǝ ɐ nǝʍ bᴉɹʇɥ of fɹǝǝdoɯ—ɐnd ʇɥɐʇ ᵷoʌǝɹnɯǝnʇ of
ʇɥǝ pǝoplǝ, bʎ ʇɥǝ pǝoplǝ, foɹ ʇɥǝ pǝoplǝ, sɥɐll noʇ pǝɹᴉsɥ fɹoɯ ʇɥǝ
ǝɐɹʇɥ.
sven@bwf-03:~$

January 25, 2008

John McCain’s Mom Alive

Filed under: — sven @ 13:16 GMT

Chuck Norris thinks McCain, being 71, might be too old. It turns out Mr. McCain's mother, a sprightly 95, is still alive! She also seems to be quite the jet setter.

January 5, 2008

Michael Huckabee

Filed under: — sven @ 01:16 GMT

Is it me, or does Mr. Huckabee have a similar stare to George W. Bush and a dairy cow?

December 24, 2007

It started with Candlestick…

Filed under: — brendan @ 09:51 GMT

Up at 5am with an awake 1 year-old, you find ways to keep yourself amused. Watching the NASN cable channel in Ireland, they had a college football game between Cincinnati (the victor) and Southern Miss (the defeated). But it all went wrong when the announcer said, “…here on the PapaJohns.com Bowl…”.

Back in 1996, Candlestick Park was whored out by the city of San Francisco to 3Com under the guise of a money-raising marketing campaign. The phenomenon has happened all over the place: in 2006 Wired did a great article tracing the lineage of US Cellular Field, Mellon Arena, HP Pavilion, and the rest.

Now we’re being thrown into a world of registered trademark bowl games. Poinsettia, Holiday, Rose, we’ve still got some. But they’ve got a short life to live before they’ll be the Intel UPS Micro$oft Samsung AT&T festivals of the future. Renaming actual sports events is a step further into a marketing abyss where we live surrounded by logos and posters and billboards.

Perhaps Blade Runner deserves more credit; New York and Tokyo, among other cities, are well on their way.

Powered by WordPress