[swinog] Re: Swisscom DNS issue: spectrum-conference.org wrongfully resolves to a bluewin address in swisscom mobile networks
On Tue, 23 Apr 2024 08:59:07 +0200 Gert Doering via swinog wrote:

> On Tue, Apr 23, 2024 at 08:55:49AM +0200, Serge Droz via swinog wrote:
> > Yes, I understand the technical issues. And yes it's ugly.
> > But do you have a better solution?
>
> Since this is not a "solution", just a new sort of problem, it doesn't
> even qualify for a comparison.

Even IF it would have a relevant impact on the spread of malware (and I agree with you that it definitely CAN'T), triggering actions that you CAN'T know the further consequences of is not a good idea.

And furthermore, breaking protocols is usually an approach to do as much damage as you want. It is not technically intended for providers to do this. There is no interface to indicate that you are bending DNS for security reasons.

In the end, this is just another approach to justify interfering with the network. Once the lever has been successfully applied because of cybercrime or malware, this will be extended more and more politically. All experience to date simply shows that.

The Russians are evil? So block the network. The Chinese are evil? So network blocking. Wikileaks is evil? Network blocking.

Because the users are poor sheep that we have to protect from evil information. And it's not the users who decide what information is evil.

Best Regards
Oli

--
Automatic-Server AG
Oliver Schad
Managing Director
Hardstr. 46
9434 Au | Schweiz
www.automatic-server.com | oliver.sc...@automatic-server.com
Tel: +41 71 511 31 11 | Mobile: +41 76 330 03 47

___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch
[swinog] Re: Swisscom DNS issue: spectrum-conference.org wrongfully resolves to a bluewin address in swisscom mobile networks
On Tue, 23 Apr 2024 08:51:41 +0200 Serge Droz via swinog wrote:

> It's actually a pretty smart and light way of protecting the majority
> of users from malware. And yes, there will always be false positives.

Do you plan to compensate financial losses through that behaviour, i.e. you block a webshop, a bank, an insurance?

Do you plan to compensate health issues through that behaviour, i.e. you block an important health service?

Do you plan to compensate social issues through that behaviour, i.e. you block an important social service, maybe a forum for unstable personalities, who rely on that platform? Maybe to avoid suicide?

Are you sure that this mechanism is "smart"? Maybe protection against malware is less important than you think when you don't know the consequences of your actions.

Best Regards
Oli
[swinog] Selling IPv4 /23
Hi everybody

If someone is interested in buying a /23 IPv4, feel free to send me an offer via PM. Reply-To is set.

Best Regards
Oli
Re: [swinog] SBB.ch / IPv6 MTU / fragmentation problem
On Wed, 13 Mar 2019 08:33:51 + Müller Urs (IT-OM-SDP-SDN) wrote:

> Yesterday, I was contacted by Silvia (and others) about that task. I
> was then not registered with that list.

@Silvia: Great!

Thanks for the quick response, Urs.

> We were struggling with convincing the management to fund projects
> until last year. The current solution is more or less a workaround
> and this year, we are trying to achieve a direct connection to our
> webservers.

Quite normal. Infrastructure development is always hard to communicate to business. Same problems for education or know-how management. You can't measure a business value directly.

> This year, we will give more effort on the subject. But our network
> is quite complex and grown over the years. So there is no way to
> "just put a box in between and some cables" ;-)

That is true for most companies which have bigger structures. Usually you just build up a parallel infrastructure to solve that, something cloud-ish today, and by-pass all classic infrastructure - especially by-passing firewalls, loadbalancers and classic host management and virtualization environments.

Developing that stuff step by step in the direction of self-services (aka software defined or API driven) is almost impossible.

And on the other side it's good: you can do the right things (i.e. IPv6) inside of a cloud project and nobody will ask for the business value.

Best Regards
Oli
Re: [swinog] Recommended IP-transit provider with large reachability (v4/v6) in Suisse Romande
On Thu, 2 Apr 2015 11:54:26 + Aviolat Romain romain.avio...@nagra.com wrote:

> We're looking for a provider with more or less the same reachability
> (ipv4+ipv6) and presence to have a well-balanced setup (inbound). I
> saw that UPC was interesting in terms of reachability compared to
> Hurricane Electric (peering for UPC is made with the LibertyGlobal
> AS6830). But I don't know much about them in terms of peering policy
> (consistent routes, ...), so any suggestions / comments are welcome!
>
> Last but not least I'm looking for such service in Switzerland region
> around Lausanne.

Don't know if Init7 is present there in Lausanne but always a good choice in terms of service and price - if available.

Best Regards
Oli
Re: [swinog] [swinog-antispam] Calling all stations!
On Thu, 23 Aug 2012 12:47:09 +0200 Lukas Meyer (TSG Codebase) lu...@codebase.ch wrote:

> It's been a while since the last activity on this thread, it was
> holiday season. I'm aware that this list is usually for admin
> purposes, [...]

[...] but I think I'm such an awesome guy that I can ignore the purpose of such a mailing list and spam it. You can call me chuck norris.

Best regards from my drug dealer
Luke
Re: [swinog] Switzerland judged Cleanest Country
On Mon, 13 Aug 2012 21:52:35 +0200 Andreas Fink af...@list.fink.org wrote:

> Doesn't matter. Switch is only following the rules in the law.

I don't blame switch for following foolish laws. But there are two interesting questions:

1) why should I use switch when they can't offer a reliable service because they have to apply the law?
2) who did acknowledge from switch that this would be a good idea before it became a law?

In this form, it's a potential censorship infrastructure which can be used against anybody and can be used for pressure. It's very easy to create a case where any domain can be killed.

The intention of some people for a law doesn't matter, it matters what you can do with a law (but my point of view is that the intention is a censorship infrastructure as in many other countries today).

The term post-democracy law fits very well for this law. You can't protect yourself from applying it against you - that's a clear sign of an anti-democratic law.

Regards
Oli
Re: [swinog] Switzerland judged Cleanest Country
On Mon, 13 Aug 2012 10:05:19 +0200 Serge Droz serge.d...@switch.ch wrote:

> I am a bit surprised at your reply. In fact, the domain take down
> process is described in the law:
> http://www.admin.ch/ch/d/sr/784_104/a14bist.html
>
> Besides the rather strict legal framework we operate in, we must
> submit a list of blocked domain names to OFCOM four times a year. And
> we must be able to explain our action for each of these. The OFCOM
> people monitor this process quite closely.
>
> I hope this clarifies matters.

It's a kind of a post-democracy law, decision and execution in a private hand. And mixing up the entities domain owner, server(s) owner, user(s) on those servers and ISPs of all or some servers is in the best case clueless.

It's like punishing a city/township because a car driver killed somebody somewhere and the car is registered in that city. It doesn't make sense to mix up responsibilities of entities.

I'm very happy that most of my domains have nothing to do with switch.ch and this clueless law.

That ISPs help to clean up their networks is very important but it has to be done carefully and without mixing up responsibilities.

Regards
Oli
Re: [swinog] Switzerland judged Cleanest Country
On Mon, 13 Aug 2012 10:55:04 +0200 Guillaume Leclanche guilla...@leclanche.net wrote:

> I think the law makes a good job of delimiting the cases where the
> block can be done. In addition, I think Switch makes a good job
> applying this law. I'd be happy that switch blocks one of my domains
> to prevent me from being sued for damages by some infected people.

If the entities domain owner, server owner and service owner are the same - no problem. You want that your email communication is blocked because one of your clients has a client that hosts a vulnerable PHP application? Come on.

Regards
Oli
Re: [swinog] Pro / Contra Backup MX?
On Thu, 24 May 2012 16:55:04 +0200 Benoit Panizzon benoit.paniz...@imp.ch wrote:

> We have business customers with their own mailservers asking us to
> provide a backup MX for their mailserver.
>
> Usually we deny such requests, because such a backup MX would bounce
> all spam which cannot be relayed, and anyway, the sending server
> usually queues the email about the same amount of time a backup MX
> would queue it. So we see no advantage, but a big disadvantage.

The simple advantage is the control. On a backup MX you can enforce your own rules for keeping mail, sending rates, alarming and so on.

> - Is it true, that most ISPs offer this kind of service?

An ISP is an ISP - not a mail provider. So why should a pure ISP offer something like a backup MX or a smarthost?

But in this world business is not a perfect thing: sometimes you have to offer one service to sell another.

But if you don't want to offer such services yourself - be smart and ask another party which has this included in their business model, make a contract and offer it to your customers for an additional fee. So all sides will win. That is the art of making business.

So we have no problem to offer a mail service and I'm pretty sure you will find many more here.

Regards
Oli
Re: [swinog] Pro / Contra Smarthosting
On Thu, 24 May 2012 17:07:58 +0200 Benoit Panizzon benoit.paniz...@imp.ch wrote:

> Business Customer with own Mailserver.
>
> They often want to know which of our mailservers they can use as
> smarthost.
>
> We usually tell them that they operate their own fully connected
> mailserver which does not need any smarthost to deliver email to the
> world.
>
> Some do not agree. The reasons they tell us are:
>
> - IT Tech XY has told them that sending via a smarthost is much more
>   reliable.

It's a pure thing of implementation which everybody can change to be reliable.

> - Their previous ISP asked them to use its smarthost.

Traditions are no reason of course.

> - Our Server has better 'reputation' than theirs and thus emails are
>   less likely to be considered spam by some spamfilters.

That can matter - blacklisting is not only a technical thing. You know why swinog exists?

> - Some seem to see DNS issues which I never could understand (they
>   have correct PTR and MX settings for their mailservers).

No reason for anything.

> The problems I see with smarthosting are:
>
> - If an email to a recipient does not make it there, we get the blame
>   even on trivia like 'user unknown'.

What do you mean with get the blame?

> - We have to punch holes in the anti-spam throttling measures to allow
>   them to send more emails / time than the usual private customer
>   does.

I don't understand your point: if you don't like the customer: kick him. If you like the customer: sell him something. It's not about deeper technical truths.

Many providers which offer services for small companies and private users allow big floods of mails because it doesn't fit in the price calculation.

So you should communicate your technical limits in the AGBs and everything is fine. If a customer wants more than that, find a partner which does this and make a business of that.

Regards
Oli
[swinog] Job: System- and Network Administrator at Automatic Server AG
Hello,

we are looking for a System and Network Administrator, job description in German at http://www.automatic-server.com/jobs.html

Regards
Oli
Re: [swinog] Experience with 6rd Hardware
On Monday 06 June 2011 Jeroen Massar wrote:

> The only thing where it might not be compatible is the user interface
> for making it easy to configure them.

While I agree with your point of view that 6rd and 6to4 are very close to each other and it shouldn't take much time to implement all necessary changes in user land and kernel, it is still not compatible because you have to set the prefix.

So if you look for a CPE or whatever which supports 6to4 you can't conclude that it supports 6rd. That is what I mean.

Remember, the OP was looking for boxes which support 6rd and in this context he asked for 6to4. And the answer is no, it isn't true that support for 6to4 means support for 6rd.

Regards
Oli
Re: [swinog] Experience with 6rd Hardware
On Monday 06 June 2011 Jeroen Massar wrote:

> On 2011-Jun-06 15:55, Oliver Schad wrote:
> > On Monday 06 June 2011 Jeroen Massar wrote:
> > > The only thing where it might not be compatible is the user
> > > interface for making it easy to configure them.
> >
> > While I agree with your point of view that 6rd and 6to4 are very
> > close to each other and it shouldn't take much time to implement all
> > necessary changes in user land and kernel, it is still not
> > compatible because you have to set the prefix.
> >
> > So if you look for a CPE or whatever which supports 6to4 you can't
> > conclude that it supports 6rd. That is what I mean.
> >
> > Remember, the OP was looking for boxes which support 6rd and in
> > this context he asked for 6to4. And the answer is no, it isn't true
> > that support for 6to4 means support for 6rd.
>
> I did not state that, I did state that if you can configure a static
> protocol-41 tunnel, you can also configure a 6to4 and a 6rd one, just
> that you will have to do the prefix calculation yourself and not the
> easy way in the UI.

Yes that's true. But you can implement 6to4 without the possibility to support 6rd. The implementation can be compatible but it's not a must. So maybe we have two different points of view on what the term compatible means.

Regards
Oli
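The prefix calculation discussed in the two messages above, as an added example that is not part of the original posts: 6to4 is the fixed case (prefix 2002::/16, all 32 IPv4 bits embedded), while 6rd needs the provider's prefix and the number of shared IPv4 bits as configuration. The function names, the 2001:db8::/32 documentation prefix standing in for a provider's 6rd prefix, and the sample addresses are assumptions of this example.

```python
import ipaddress

SIXTO4 = "2002::/16"  # well-known 6to4 prefix (RFC 3056)


def _embedded_bits(prefix, ipv4_mask_len):
    """Number of IPv4 bits carried in the IPv6 prefix, with sanity checks."""
    if not 0 <= ipv4_mask_len <= 32:
        raise ValueError("ipv4_mask_len must be between 0 and 32")
    embedded = 32 - ipv4_mask_len
    if prefix.prefixlen + embedded > 64:
        # Choice made for this example: keep room for at least one /64 LAN.
        raise ValueError("delegated prefix would be longer than /64")
    return embedded


def delegated_prefix(sixrd_prefix, ce_ipv4, ipv4_mask_len=0):
    """IPv6 prefix a CE derives from its IPv4 address (RFC 5969 layout).

    ipv4_mask_len is the number of leading IPv4 bits shared by every CE
    in the domain; those bits are left out of the IPv6 prefix.
    """
    prefix = ipaddress.IPv6Network(sixrd_prefix)
    embedded = _embedded_bits(prefix, ipv4_mask_len)
    length = prefix.prefixlen + embedded
    low_bits = int(ipaddress.IPv4Address(ce_ipv4)) & ((1 << embedded) - 1)
    value = int(prefix.network_address) | (low_bits << (128 - length))
    return ipaddress.IPv6Network((value, length))


def tunnel_endpoint(ipv6_addr, sixrd_prefix, ipv4_mask_len=0,
                    ipv4_common="0.0.0.0"):
    """Reverse mapping: the IPv4 tunnel endpoint embedded in an IPv6 address.

    ipv4_common supplies the shared leading IPv4 bits that the prefix omits.
    """
    prefix = ipaddress.IPv6Network(sixrd_prefix)
    addr = ipaddress.IPv6Address(ipv6_addr)
    if addr not in prefix:
        raise ValueError("address is outside the 6rd/6to4 prefix")
    embedded = _embedded_bits(prefix, ipv4_mask_len)
    low_mask = (1 << embedded) - 1
    shift = 128 - prefix.prefixlen - embedded
    low_bits = (int(addr) >> shift) & low_mask
    high_bits = int(ipaddress.IPv4Address(ipv4_common)) & (0xFFFFFFFF ^ low_mask)
    return ipaddress.IPv4Address(high_bits | low_bits)


if __name__ == "__main__":
    # Constructed sample values (documentation and private address ranges).
    print("6to4       :", delegated_prefix(SIXTO4, "192.0.2.1"))
    print("6rd /32    :", delegated_prefix("2001:db8::/32", "192.0.2.1"))
    print("6rd, mask 8:", delegated_prefix("2001:db8::/32", "10.1.2.3", 8))
    print("endpoint   :", tunnel_endpoint("2001:db8:102:300::1",
                                          "2001:db8::/32", 8, "10.0.0.0"))
```

A box that hard-codes the first call supports 6to4 only; 6rd support means the prefix and mask length in the other calls are configurable.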
Re: [swinog] Connectivity problems with .255 IP Adress
On Thursday 31 March 2011 09:44:27 Mike Kellenberger wrote:

> One of our customers got a .255 IPv4 address assigned by sunrise. I
> know that this can be a valid host address with a netmask of /23 or
> greater, but the strange thing is, that he can't reach any of our
> Windows Server 2003 hosts with this IP. Windows Server 2008 Servers in
> the same subnet are no problem...
>
> Does anybody know of such a problem? Mr. Google couldn't give me any
> satisfactory results... :-)

There is an old windows bug with .255, maybe it's still not solved.

Regards
Oli
Re: [swinog] Spam-Points if there is no SPF Record?
On Monday 14 March 2011 Benoit Panizzon wrote:

> We got two customers (one is another ISP) pretending that they have
> observed that Google, Sunrise and other Services have started
> flagging their customers' emails as spam, because the sender domain
> has no SPF record.
>
> Not a 'non matching' SPF record, but the sender just does not use SPF
> at all.
>
> From my point of view especially an ISP should be very careful with
> SPF.

Indeed. In my point of view, SPF is only useful in very special cases because the drawbacks are very widespread and the benefit even small.

Forcing SPF for cases where it doesn't fit is a very interesting step.

Using SPF in a spam filter to give some minor positive weighting in the spam score is ok but to use it to flag spam? I can't imagine that somebody does that. It sounds very stupid to me.

Regards
Oli
Re: [swinog] BGP Origin ASN Validation
On Monday 15 November 2010 Roque Gagliano wrote:

> I believe Tim has a point in this comment, we already analyze it
> positively internally to add that capability.

Does somebody at cisco try to build a standard from that filtering stuff, maybe together with other players on the market, or do we get another isolated application with some patents on top to deny implementations on other platforms than cisco?

Regards
Oli
Re: [swinog] BGP Origin ASN Validation
On Monday 15 November 2010 Jeroen Massar wrote:

> On 2010-11-15 13:05, Oliver Schad wrote:
> > On Monday 15 November 2010 Roque Gagliano wrote:
> > > I believe Tim has a point in this comment, we already analyze it
> > > positively internally to add that capability.
> >
> > Does somebody at cisco try to build a standard from that filtering
> > stuff, maybe together with other players on the market, or do we get
> > another isolated application with some patents on top to deny
> > implementations on other platforms than cisco?
>
> The configuration might be different, the work and protocols come from
> the IETF, see the SIDR working group

Thank you for the pointer.

Regards
Oli
Re: [swinog] Blocking Malware distribution sites
Hello Serge,
hello all without Serge,

On Thursday 11 November 2010 08:22:53 Serge Droz wrote:

> On 25 November 2010 SWITCH will launch a new initiative to maintain
> the high security standards of Swiss websites. Let me briefly explain
> what we will do, as it is relevant to the SWINOG community:
>
> From different third parties we receive a fairly large number of URLs
> in .ch/.li ccTLDs which distribute malware. We're talking a few
> hundred URLs per week. In a first step SWITCH verifies that this claim
> is true. If the site is indeed distributing malware we will contact
> the domain holder and technical contact by e-mail and ask them to
> remove the problem within one working day.

This is a difficult task and I see many problems. First of all you have to know what is malware and what is not. This decision sounds simple but if you go to the details you see that lawyers have much work with such cases.

The other thing is that you are responsible for domains, which is a logical thing. It's not a dedicated computer with internet connectivity. DNS can do round robin for example, DNS can change every hour, every day. Somebody who manages a domain is in reality not the same person who manages computers.

You get in trouble if you ignore all these facts. DNS is NOT a 1:1 mapping for IP addresses. This view is oversimplified.

And you have also cases where it is not very easy to know on one server who is responsible. Imagine you have a file hoster - do you want to kill this business?

> If they fail to do so, we will delete the name server delegation
> from the zone-file [1]. We report this to MELANI, as required by law
> [2]. The domain holder will be informed about this.

So if a big company with slow decisions has maybe(!) a malware problem (remember the difficulties to decide what is malware) you kill the whole Swiss traffic after one day?

Do you know that if you have a malware problem it's not always easy to solve the problem?

Great DoS opportunity against companies. If you don't give me money I attack your systems which you can't clean within a day and I call Switch immediately. Bye bye business.

Do you know that it is one thing to distribute the malware, the other thing to have vulnerable software asking for an exploit?

What you suggest is not a solution for anything. Distributing malware works perfectly without domains. And distributing malware works perfectly without the whole Swiss internet. And I'm sure that your reaction is much slower than tons of bots which attack thousands of computers per second. You change nothing related to malware.

I have to make it clear: As somebody who knows IT security very well I will avoid Swiss domains in the future if this happens. I don't support systems with so many flaws.

Yes I support fighting malware but I don't agree that the problem is people who support downloading malware. The overall problem is the stupid patch management on many platforms.

And if you want to change something, you should support people with patch management and maybe use of rating systems against browser exploits. This would be a constructive way to change things instead of trying to be repressive against domain holders.

Remember, being a domain holder doesn't mean that this guy is responsible for any system. They even don't have to know each other.

Regards
Oli
Re: [swinog] Registered for SWINOG21, but unable to attend?
On Wednesday 10 November 2010 Rolf Sommerhalder wrote:

> ... Then please contact me today as I am interested in buying your
> seat.

So if there is a second one who is unable to come I would join the meeting instead.

Kind Regards
Oli