Re: How do I mount under /run from /etc/fstab in 7.0/wheezy?
On Sat, May 3, 2014 at 3:53 AM, Andrei POPESCU andreimpope...@gmail.com wrote: On Vi, 02 mai 14, 12:33:12, Jacob Anawalt wrote: What is the best way to get my fstab mounts under /run to automatically mount on boot again? What are you actually trying to achieve? This feels a lot like the XY problem. At the moment I am trying to understand how mounts under /run are suppose to work on a Debian 7.0 system using tempfs for /run. Is it a bug that fstab mounts under /run fail? Is there a hook in some other config to make them work? Is it always a bad idea to mount under /run? I would like to understand that. Then I will have more options when I pop the stack and return to Y and my learning won't be sidetracked with a case based only on Y. Thank you, -- Jacob -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/cae4rx+ovjaitdyvfikzecshhbpzmq17t1rpxnjox5hydkbb...@mail.gmail.com
How do I mount under /run from /etc/fstab in 7.0/wheezy?
Hi, For some time now and at least through all of Debian 6.0/squeeze I have had some mount points under what use to be /var/run. After upgrading to Debian 7.0/wheezy these mounts broke. I have come to conclude that this is due to a combination of the run directory release goal for 7.0 [0] and my use of boot-time mounting under the /run directory via /etc/fstab entries. I believe the failure is due to mountall.sh mounting fstab entries before creating the /run tempfs but it has been a little tricky to track down because mounts like /run are handled in code and not specified in fstab [1]. What is the best way to get my fstab mounts under /run to automatically mount on boot again? [0] https://wiki.debian.org/ReleaseGoals/RunDirectory [1] http://superuser.com/questions/460815/mounts-not-present-in-fstab-where-are-they Thank you, -- Jacob (Please CC, I am not on the list.) -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/cae4rx+n53ouhuh-sx1lgo0sypcfvzuey99-qfjnrjv927dg...@mail.gmail.com
Re: mozilla mailcap
Rick Pasotto wrote: How do I get mutt to use an already running mozilla to display text/html documents. It's popping up the profile selector and then saying it can't use the only one there is because it's already in use. Have you tried the remote option? From mozilla --help snip -remote command Execute command in an already running Mozilla process. For more info, see: http://www.mozilla.org/unix/remote.html -- Jacob Anawalt - Not on the list, following via news. - I apologize in advance for the missing muttish headers -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: faster start
Gunnar wrote: The whole idea is to have a Linux system with no GUI if you like, so almost every server app is started before GUI. Yes, but why can't the mailserver start in the background or somewhere else? Why do I have to wait for it to finish it's startup? I wan't to login (without X) as fast as possible. I've thought the same would be nice, but it has yet to bother me enough to work on switching things around. Some services I don't use often but I want them there to turn on if I do need to use them like the apple file sharing service which takes a while to load. Others I use occasionally but I am pretty sure that they aren't required before X like postfix. I should fix the links for the netatalk, but doing so feels like such a kludge compared to chkconfig --levels 2345 netatalk off that I put off the task. Some ideas I was going to play with: * Change the order of items in your preferred run level so that X (gdm,kdm,xdm) is higher in the start listing by changing the NN value. Be sure you start required services like *log, hotplug, alsa and fam. Depends on what services you need. I don't doubt that my list has some critical holes. * Group extra but not always used items to start in the ondemand a,b and c groups and call those groups when I need the service then just leave them running until I shut down or stop each service by hand. * Figure out if I can start some of the services from inetd so they aren't started until they are needed. Some programs written for inet invocation have options to hang around for a while after invocation just incase another connection comes in. There is a flat-file replacement for sysv/init.d, but it's name escapes me. I don't know if it would handle this any better or not. There is work on a program called [1] daemond. I also found [2] runit which was derived from [3] daemontools. Another promising option looks like [4] SystemServices which from the few references I've read seems to be targeting at doing what you're looking for. It is suppose to link into the hopefully up-and-coming [5] D-BUS daemon. I never get very far on this thought because it currently works well enough for me. I think if I had a laptop or tablet I would put more thought into the setup. Send me an email if you get something working that you like. :) [1] http://sourceforge.net/projects/daemond/ [2] http://smarden.org/runit/benefits.html [3] http://cr.yp.to/daemontools.html [4] http://www.osnews.com/story.php?news_id=4711 [5] http://www.freedesktop.org/Software/dbus -- Jacob Anawalt - Not on the list, following via news. - I apologize in advance for the missing muttish headers -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Netscape segmentation fault
Marie Regine SAPIR wrote: Hello, My bank is driving me crazy... I can't get their online banking system with any of the browsers I regularly use (galeon, opera, mozilla). They absolutely want Netscape 4.7 (or IE, but that's not really an option). What bank is this? What's the url? Have you complained to them, telling them that you would like support for Opera and Mozilla or a new bank? Have you tried 'faking it'? There was a thread not too long ago where someone mentioned that you can set the browser tag in Opera so it looks like NS4. The two ways I can think of off of the top of my head for identifying a browser are looking at the browser tag or running javascript to check for some functions. Maybe there is a need for Mozilla to have a 'pretend I'm NS4' mode. snip However, after uninstalling, there's still lot's of stuff left: the whole directory /usr/lib/netscape/ (pointed to by /usr/bin/X11/netscape - /etc/alternatives/netscape - /usr/lib/netscape/477/communicator/communicator-smotif) is still there... $ su Password: # dpkg -P netscape netscape-smotif-477 communicator dpkg - warning: ignoring request to remove netscape which isn't installed. dpkg - warning: ignoring request to remove netscape-smotif-477 which isn't installed. dpkg - warning: ignoring request to remove communicator which isn't installed. How about purging communicator-smotif as well since that is what your alternatives is pointing too for 'netscape'. snip Can someone tell me how I go about reparing Netscape? Sorry. I don't know if I can help you with that directly. I can give you some pointers on the package management though. Try dselect or even better aptitude. Use their search features to find all the installed netscape and communicator packages installed and purge them all. Then re-install. -- Jacob Anawalt - Not on the list, following via news. - I apologize in advance for the missing muttish headers -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: OT: establish private network (no wires)
Brett Carrington wrote: On Sun, Feb 29, 2004 at 06:54:54PM +0100, Karsten Bolding wrote: Hello I'm seeking advice on a technical matter. I want to establish a private (wireless) network in an area of say 5x5 km2. In this area there are a number of vehicles moving around and each of the vehicles should constantly - every second - be updated about the position of the other vehicles (obtained via GPS). In addition to the position other types of data might need to be exchanged/distributed as well. Each of the vehicles will have a laptop onboard which will be used for processing the information obtained from the other vehicles. Since it is not possible to cover the area with normal wireless access points I'm seeking another carrier of the signal. GSM/GPRS is not really an option either due to the cost of having around 25 phones running 24/7. Does anybody know of another technical solution which I can use to create such a network? Regular Wireless access points (as in 802.11x) can _absolutely_ cover this distance. All you need is a good antenna and powerful transmitter. In America you need a license to transmit as very high powers so you should check with your local govt. I bet if you looked around your neck of the woods for amateur radio operators they'd be glad to explain how to do this. There are other solutions too, like short wave radio or the like. Using regular commodity WiFi however will be easiest to integrate with laptops though. If this didn't sound so much like a business setup and you weren't talking about an private (encrypted) wlan, I'd point to [1] APRS for the GPS requirement and [2] HAM 802.11 for the networking. It sounds like you need some other wireless technology that you can get an FCC radio license for or work out an arrangement with any wireless ISP in your area. Maybe you could set up a second business to be a wireless ISP in your area. :) There is an 'airnet' where I live that covers at least twenty square miles. Usually they set us up with a directional antenna for the best transmit/receive. There might be omnidirecional antennas that would work well vehicle mounted if the ISP's antenna was somewhere inside of the area. You've probably already looked into these options though. [1] http://www.aprs.net/ [2] http://www.arrl.org/hsmm/project.html -- Jacob Anawalt - Not on the list, following via news. - I apologize in advance for the missing muttish headers -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: spamassassin
James Ireson wrote: Colin Watson wrote: On Fri, Feb 27, 2004 at 12:58:41PM -, James Ireson wrote: Dselect is telling me that Spamassassin wants libc6 2.3.2-1 but all that's available is 2.2.5-11.5... Install a version backported to stable rather than trying to install the one from testing/unstable directly. Cheers, I am installing from stable... my sources are deb http://ftp.uk.debian.org/debian/ stable main deb-src http://ftp.uk.debian.org/debian/ stable main deb http://non-us.debian.org/debian-non-US stable/non-US main deb-src http://non-us.debian.org/debian-non-US stable/non-US main deb http://security.debian.org/ stable/updates main Spamassassin in stable is reccomending libc6 = 2.3.2-1. Dselect spins it's wheels on this telling you that there are unsatisfied dependancies. Aptitude will do the right thing. Try aptitude to get spamassassin updated/installed. Jacob Anawalt - Not on the list, following via news. - Apologize in advance about missing muttish headers -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: spamassassin
Jacob Anawalt wrote: James Ireson wrote: Colin Watson wrote: On Fri, Feb 27, 2004 at 12:58:41PM -, James Ireson wrote: Dselect is telling me that Spamassassin wants libc6 2.3.2-1 but all that's available is 2.2.5-11.5... Install a version backported to stable rather than trying to install the one from testing/unstable directly. Cheers, I am installing from stable... my sources are deb http://ftp.uk.debian.org/debian/ stable main deb-src http://ftp.uk.debian.org/debian/ stable main deb http://non-us.debian.org/debian-non-US stable/non-US main deb-src http://non-us.debian.org/debian-non-US stable/non-US main deb http://security.debian.org/ stable/updates main Spamassassin in stable is reccomending libc6 = 2.3.2-1. Dselect spins it's wheels on this telling you that there are unsatisfied dependancies. Aptitude will do the right thing. Try aptitude to get spamassassin updated/installed. There is a closed bugreport that gives some info here: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=222372 It seems that spamassassin 2.20-1woody4 isn't out yet. apt-get will also install the package, as will dselect if you override. I used aptitude because I didn't read the message in dselect closely enough to realize it was a reccomendation and not a requirement to have libc6 = 2.3.2=1 and I have yet to tell dselect I know what I'm doing. :) Jacob Anawalt - Not on the list, following via news. - I apologize in advance for the missing muttish headers -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: recommendations sought for some MS-OS applications
DG wrote: I'm investigating a switch from MS-OS to *NIX. I've made a list of my MS-OS applications and I've found *NIX equivalents for most of them. Unfortunately, there are a few for which I have not been able to find replacements. Besides using google, which you may be doing already, try searching the debian packages: http://www.debian.org/distrib/packages#search_packages Below is the list of MS-OS applications for which I'm still looking for *NIX equivalents. If you have any suggestions, I'd appreciate your input. * Ad-aware/Spybot/Pest Patrol (removes spyware cookies and software) I've not needed such things on Linux (or windows for that matter). I have had to help people who use windows remove this type of software. Cookies, block them if you don't like them. Delete them occasionally if you don't want to be tracked. Use Mozilla or whatever to prompt you for permission to accept or block the cookie. Software - don't download free but not open software (like file sharing or music software). In Linux I identify sources that I trust and download software from them. If I download software from someone else it is source code that I can browse before deciding to trust it or not. I know this is a paradigm shift from the windows thought of try anything on cnet/download.com/tucows but I shun such haphazard installing of software. Too many things want to install Gator or AOL. I will balk out of a web page that requires special plug-ins that say By installing this software you agree to the following license; You are installing adware name bla bla bla... * Medved Quote tracker (stock quotes) * Schwab Velocity (real time stock quotes) * Fidelity Active Trader Pro (real time stock quotes) I've read over projects for doing stock quotes. I don't have the list in front of me, google for linux stock quotes. Some real time quotes are done via java applets (which may be an issue in the future) which will run in Linux. Tell Schwab, Fidelity and Medved that you would like a Linux compatable version, even if that just means it runs well under wine. * Panasonic USB camera viewer (View Panasonic Digital Camera Pictures) * Intel CreateShare USB Camera software (Download and view Intel Camera Pictures) * VistaScan copy machine utility (uses scanner and printer to create copies) There is a package called sane for talking to scanners. It or some other programs (gphoto?) can talk to some serial and usb cameras. The cameras probably even appear as USB storage devices to the kernel (I've not tried). Unless the Intel camera is doing it's own protocol, it should work ok. Use gphoto, kamera or others (apt-cache search gphoto lists a few packages). While there may not be software already written with a 'photocopy' button that scans and prints, a workable solution should be available. * AM-Deadlink (finds dead links in Web Browser, IE/Netscape) Never used it, and if it just changes the color of the link on a web page to say it's dead, I'm not sure I see the value in it. I don't find following a dead link to be that much of a loss of time. If it was from google, I hit back and click cached. If AM-Deadlink crawls a web site and reports a list of broken links, there are many scripts written to do that. * eMedia Guitar Method (guitar instruction software) Not sure about guitar learning, but there are music programs for Linux. I think I have replacements for the following, but I'm open to your suggestions: * MS-Outlook Appointment Calendar (probably available in OpenOffice)i I'm not an evolution fan, but some like it as a drop-in replacement of Outlook * AOL/ATTBI Remote access (dialup ISP for travel, needed on laptop ... Earthlink?) Unless you have to do some propriatary connection (old AOL), any dial up that uses PPP with standard username/passwords will configure and work just fine under Linux, even if they say We don't support linux. If it works for Windows and Mac, it probably works for Linux (unless they invested in writing special connection software for both Windows and Mac). I heard AOL is releasing a netscape branded dialup that is 'bare bones'. That type of system (or any local ISP system) should be just fine. Not to discourage your questions, but if you'd like to get to the meat of the answers to your questions, google around for linux the thing you want to do (or www.google.com/linux) and read a page or two of links on each topic. -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Web-based e-mail system?
Randy Orrison wrote: Aaron wrote: I currently use a fetchmail / procmail / mbox / mutt e-mail setup, with ssmtp (properly linked through `sendmail` of course) for sending. I would really like to have a web mail system set up so that I can at least read, if not send, e-mail from my website as well. Does anyone know of a package that can put mbox mail on the web? It sounds kind of silly, given the inefficiency of mbox, so I'm not holding high hopes, but if anyone has info. about it, that'd be great. I was using mbox at first, but eventually bit the bullet and switched to maildir. I'm using courier-imap and squirrelmail, and am very happy with it. I also use mutt when I'm logged into the console, and sometimes Mozilla mail from my Windows box through IMAP. Procmail will deliver to maildir just fine, so there's no reason to stick with mbox. (I used mutt to move my messages from my mbox files to maildir, via the IMAP server). If you need more details about setting any of it up, just ask. If you really want to stick with your mbox files, I think uw-imap will handle them, but I don't recommend it (it's SLOW). I started with that and squirrelmail. Slow for how many users? How slow is slow? I've played with SquirrelMail/IMAP for a few weeks and for a few users it's been just fine. Looking at the logs I do see that it's constantly re-connecting to the server with each page change (as is expected unless it could have some sort of IMAP proxy.) I was just wondering what your experiance with SLOW was so I could be aware of potential future issues. -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: How to manage services?
Colin Watson wrote: On Tue, Oct 07, 2003 at 09:43:45PM +0530, Sudeep Mukherjee wrote: I want to disable some services, e.g., Samba. What is the Debian way to do it? If you don't want them, why not uninstall them? That is of course often the best, except that I'm a pack-rat and think I'll play with that next week, so why uninstall just to re-download/install. :) If for some reason you don't want to do that, I find it best to stop the service and then simply move the Snnwhatever symlink in /etc/rc2.d/ to a name that starts with an 's' rather than an 'S' (so, let's say, 'mv /etc/rc2.d/S20samba /etc/rc2.d/s20samba'). There's update-rc.d too, but its semantics are a little confusing in connection with upgrades and it's probably best to leave it for use only by automatic scripts until you're familiar with it. I am glad to hear that others consider the symantics and operation of update-rc.d to be less than straight forward for non-package management functions. I keep thinking I ought to write some collection of Redhat conversion survival scripts like service and chkconfig (ntsysv sounds like a canidate as well, though I've never used it). I keep stopping myself with the though Some deeper thinking individual or individuals on the Debian project must have already had a reason for not doing things this way, and surely it was a better reason than 'because RH does it.' -- Jacob - liking SpamAssassin, but still thinking there has to be a better way to do email; trusted smart relays or something. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Trouble with Bind
Alan Chandler wrote: On Tuesday 07 October 2003 19:53, Alan Chandler wrote: What I have discovered is that using 10.0.10.100 to lookup an address on the external intenet times out. I presume it is therefore not forwarding the queries correctly. How can I debug what is happening. I tried using ndc to raise the debug level, but I can't get any meaningful output Although I have solved my main problem - it was something completely different - this machine has two ethernet cards and I had removed the bridge linking them and left eth0 unconfigured. This was seeming causing some form of networking loop. I would still like to know how to debug what bind is trying to do. Running named with the debug and foreground options would produce a lot of output (man named). I haven't had troubles with bind like you had. Mostly it's a config file issue that is logged and I notice it in the log files. -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Howto not reject mail to Postmaster etc. in Exim4
Kjetil Kjernsmo wrote: Thanks for the response! On Wednesday 08 October 2003 21:23, Philipp Weis wrote: This is certainly true for postmaster, but I think it would be RFC-compliant to reject viruses and spam on abuse or security. Yeah, I think so too. However, rejecting legitimate mail could be scary in either case, for example rejecting a spam complaint to abuse because it looks like spam (I imagine spam complaints are rarely distinguishable from spam...) is a Bad Idea[tm], though spam could never be sent from here. You may have already visited and read over the ideas presented by rfc-ignorant.org. I wanted to point out the site incase you hadn't because they do have some thoughts on rejecting emails from rfc required email addresses, specifically while they take your point with not rejecting mail to postmaster based on RBL's, they do not list (and in fact I've looked up servers that have been unlisted) for RBL postmaster rejections as long as the rejection states that the sending ip was RBL'd and on which listing. Currently I'm accepting all but executable attachement emails and letting SpamAssassin wrap it up in a new message if it's spam. Executables get bounced with a 550 please use a non executable file format. I'll go kicking and yelling if someone tells me I'm obligated to accept executable attachments to posmaster. If it weren't for email clients preferring HTML email, I'd be for rejecting all but text only email and email over a couple hundred kilobytes to postmaster, hostmaster, webmaster (www), security, noc and abuse (I don't run news or ftp). Those mailboxes are easy enough targets for filling up on virus and UCE/UBE traffic and thus being too full to accept a legitimate mail. -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Tool to bounce mails
John Hasler wrote: Naitik writes: I was wondering if there's some script/application that can bounce those, so I can do my part in annoying the spammer. You won't bother the spammer at all, but you will annoy the hell out of me and others whose domains the spammers forge. I know virii usually fake their headers, but most real spam I've seen doesnt... At least 99% of all spam has forged headers. The addresses are valid because they forge valid ones such as mine. About 25% of all my incoming mail is bogus bounces from people such as you. _DO_ _NOT_ _BOUNCE_ _SPAM_ Just to clarify for anyone else reading over this, you're refering to the 'returning mail post SMTP delivery' definition of bounce and not the 'SMTP time 3-5xx error' definition, right? If you have issues with the latter, then surely your feelings are directed at the operator of the machine on the sending side of the SMTP session for having an 'open relay' and not the operator of the recieving (rejecting) side of the SMTP session. The 'open relay' sending side of the SMTP session would then be performing a post-SMTP delivery bounce once the 'rejecting' side said it didn't want to accept delivery. If the sending side wasn't an open relay, but was an authentication required SMTP server for it's own group of clients/users, and if the recieving SMTP server only bounced at SMTP time, then I wouldn't get the bounce unless I sent the email. -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Tool to bounce mails
Monique Y. Herman wrote: On Thu, 09 Oct 2003 at 17:36 GMT, ScruLoose penned: And if you really want to start annoying spammers, go do a google search on teergrubing. This likewise only applies if you're running your own mailserver. Okay, I keep seeing this term, so I finally did look it up. http://www.iks-jena.de/mitarb/lutz/usenet/teergrube.en.html I wonder what the legal ramifications are, as well as wondering how likely it would be that teergrubing would result in retaliation that would saturate my bandwidth and make my ISP very unhappy with me (not to mention rendering my net access unusable). I'm not sure how I feel about this sort of vigilante behavior. I'm not saying I disapprove -- I'm saying I haven't decided. Anyone have opinions, thoughts, experiences they can share? I haven't implemented a teergrubing system yet, but I have read about the implementation and I am not worried about the bandwidth. Some mail transfer agents (MTA) such as postfix already have options to slow down if the sending program is trying to give commands too fast. When the SMTP sender gives a command, it sends a few bytes via TCP and then waits for the SMTP reciever to give a response. It is probable that they are mailing a huge system doing some LDAP/database lookup for the user address (except for the lame huge ones that accept all mail and then post-SMTP bounce...). While it waits, there is no SMTP tcp traffic until the SMTP reciever responds. If the reciever responds with a small amount of data that indicates 'more to come' the SMTP sender would keep waiting. http://www.iks-jena.de/mitarb/lutz/usenet/teergrube.en.html When I get around to implementing teergrubing, I intend to have it based off of a ip list, or even better the number of RBL type services that the address is listed with. I wouldn't want to make my list mail take any longer, nor would my employer be happy to know that I'd effectivly slowed down all incoming email. I would imagine that if the practice of teergrubing becomes wide-spread, spamming software will just disconnect and move on if the responses take too long or send too many continuation lines (some percentage or deviation above the average). If they started doing that, the hope to help stop their spamming of others would be discouraged, but the spammers may start keeping lists of teergrubers and avoid spamming them. :) -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: mqueue question
Vivek Kumar wrote: Hi , Is there any problem is deleting all the mail queues from mqueue directory ?? I got lot of files in that directory. Also when i used mailq command I get a long list. When i do ps -ef | grep sendmail, I see few sendmail processes ends with email id and user open. I feel these email-ids are the junk mails. Can i delete those processes or not ?? It's been a while since I've used sendmail, but I don't think that just deleting the messages unless you're sure they are bad is a good idea. I don't know if sendmail keeps some state file, or if it just acts on what it finds in the directories. You could try stopping sendmail and deleting the messages and then starting sendmail again. Before you do that, consider the following: Have you looked at the mail log? /var/log/maillog Watch that ( tail -f ) to see if sendmail is trying to re-send those messages. It shouldn't collect 'junk' over time. It will normally try to resend messages for up to five days if there are DNS or network issues. After the five days it will try and return the mail to the sender (which may also take some time if the senders don't have local mail boxes). Is all the mail that sendmail handles for local accounts, or might you be allowing other sites to relay through you? -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Exim4 ACL recipes
Steve Lamb wrote: Does anyone know of any sites out there that have some Exim4 ACL recipes? Google's starting to fail me ever since they return virtually nothing but mailing list discussions. :/ Sorry no sites because I don't know exactly what you're looking for. Googling with this query dropped a ton of mailing list stuff thought: exim4 acl -site:lists.debian.org -pipermail -site:mail-archive.com -site:gmane.org -site:groups.yahoo.com -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Reading Debian Documentation - Newbie ?
Fredderic wrote: On Fri, 10 Oct 2003 18:00:52 +0200, Kim Eik wrote: Have a file named, /usr/share/doc/exim4-base/README.Debian.gz How do I access and read this file? gunzip /usr/share/doc/exim4-base/README.Debian.gz and then open de file created. apt-get install less instead of unpacking the file.. do: zless /usr/share/doc/exim4-base/README.Debian.gz Actually, as long as lesspipe/lessopen is set up, you don't even need that z on the front, so long as the filename ends in .gz . 'less' for me at least, will open gz'd files, even let me see a list of what's stored inside tgz's and tar.gz's, and same for arj's, deb's, shows me info about an image in a number of image formats, lzh's, it can view pdf's as text, rar's, rpm's, jar's, zip's, and zoo's, and a few others I skipped over for brevity. Less with mime-type handling is cool. zless is also cool. If you don't have either you could: zcat /usr/share/doc/exim4-base/README.Debian.gz | less gunzip -c /usr/share/doc/exim4-base/README.Debian.gz | less Not that you wouldn't have all the others available (at least since Woody) but in case you were on a system that didn't have all the tools and you didn't have the ability to install new things. zless and zcat are normally packaged with gzip. For completeness, if you dont have 'less', you might have 'more'. :P -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: exim exposed to the internet
David Fokkema wrote: Hi group, I had trouble with my ISPs mail server which was telling me that it wasn't going to relay mail for me. This is since friday, and still going on. [snip] Have you called your ISP? Is it the server (error message) or the people that are saying they won't relay for you? How are the average users of the ISP suppose to send email? Is this an issue of them not wanting you to use a domain name other than the isp's domain for your email? I think that for the most cases relaying through your ISP is a good idea. They are online all the time to handle 5 day's of retrying for network/dns failures. They should (hopefully) know which customer sent which email and send it back to the right person if delivery fails and (hopefully) limit or block outgoing virus generated mail and inform the sender their system is infected. (*fumes* to the ISP's that send the message on after *kindly* removing the virus...) I know other people have other thoughs and reasons, but I think if the ISP will do a good job handling mail, I have _no_ issues with them firewalling outgoing/incoming SMTP (port 25) traffic that doesn't go through the ISP. If I need to send through another mail server, I can use a secure tunnel or smtps. -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Decent browsers for Linux? Anything to replace IE?
Monique Y. Herman wrote: On Tue, 14 Oct 2003 at 10:28 GMT, Joseph Jones penned: While I'm a huge Firebird fan, IE was better at some tasks (yes, they are non-standard HTML tasks, but what can you do when that's what the industry uses? *sigh*). I've tried Konqueror and found it lacking extremely (yes, I love it as a file manager when combined with qvwm, but it simply isn't as full-featured as other browsers) and Opera seems worse than Firebird. So, can anyone suggest a browser that tries to replicate these changes? Many thanks Joe. Maybe if you enumerated *which* changes and tasks you like in IE? Maybe he was hoping for some of the nifty remote attack my computer Active-X apps which are costing MS a few million right now. ;) http://rss.com.com/2100-1023_3-5079580.html?part=rss I like Mozilla. I like tabbed browsing a lot, so any browser that has that feature gets a big plus in my book. I would like Mozilla and IE to both be 100% document object model (DOM) compliant, but it's much more livable now than it was a few years ago. -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Web-based e-mail system?
Joyce, Matthew wrote: [snip] Jacob Anawalt Wrote: I've played with SquirrelMail/IMAP for a few weeks and for a few users it's been just fine. Looking at the logs I do see that it's constantly re-connecting to the server with each page change (as is expected unless it could have some sort of IMAP proxy.) [snip] You could consider the imapproxy available on the Horde website. I have been using it for nearly a year with no problems. another one is www.imapproxy.org, but I have no experience of this. Thanks for pointing those out. I will definatly give them a try. -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Microsoft-Fonts
Uwe Dippel wrote: Here are the paths: FontPath /usr/X11R6/lib/X11/fonts/misc/ FontPath /usr/X11R6/lib/X11/fonts/75dpi/:unscaled FontPath /usr/X11R6/lib/X11/fonts/100dpi/:unscaled FontPath /usr/X11R6/lib/X11/fonts/Type1/ FontPath /usr/X11R6/lib/X11/fonts/Speedo/ FontPath /usr/X11R6/lib/X11/fonts/75dpi/ FontPath /usr/X11R6/lib/X11/fonts/100dpi/ # paths to search for fonts catalogue = /usr/lib/X11/fonts/misc/,/usr/lib/X11/fonts/cyrillic/,/usr/lib/X11/fonts/100dpi/:unscaled,/usr/lib/X11/fonts/75dpi/:unscaled,/usr/lib/X11/fonts/Type1/,/usr/lib/X11/fonts/CID,/usr/lib/X11/fonts/Speedo/,/usr/lib/X11/fonts/100dpi/,/usr/lib/X11/fonts/75dpi/ How are the fonts going? Get your apt sources.list set straight? I find myself struggling with fonts in unstable from time to time because things change and I don't think I know the 'right' way to configure fonts - because there are so many ways and because I forget the commands to rebuild stuff (defoma-? dpkg-reconfigure fontconf?) Somehow or the other I seem to get it to work. I have the msttcorefonts package installed. It dropped a lot of files in /usr/share/fonts/truetype including Arial.ttf. I believe that the package will configure the fonts to be available through defoma and through X11/fonts/TrueType. I don't see TrueType in your font list. Here is the font list I am using in XFree86-4: FontPath /var/lib/defoma/x-ttcidfont-conf.d/dirs/CID FontPath /var/lib/defoma/x-ttcidfont-conf.d/dirs/TrueType # if the local font server has problems, we can fall back on these FontPath/usr/lib/X11/fonts/Type1 FontPath/usr/lib/X11/fonts/CID FontPath/usr/lib/X11/fonts/Speedo FontPath/usr/lib/X11/fonts/misc FontPath/usr/lib/X11/fonts/cyrillic FontPath/usr/lib/X11/fonts/100dpi FontPath/usr/lib/X11/fonts/75dpi I am pretty pleased with the defoma managed fonts. I tried deleting all the X11/fonts but X wouldn't work. Anyway I have Arial available in my KDE Control Center Font chooser, and I think it is coming from /var/lib/defoma/x-ttcidfont-conf.d/dirs/TrueType/Arial.ttf -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: reverting to ext2 (Was: Re: How to kill X?)
Monique Y. Herman wrote: On Fri, 10 Oct 2003 at 11:09 GMT, Tim Connors penned: Not a case of ext3 being crap, a case of ext3 with journalled *data* being crap. Quite a nice allrounder with the other two ext3 options set. And you get the same problems with all other fses when their equivalent of journalled *data* was turned on (if they had such a feature). I read that but didn't understand it. Is it that you can use ext3 without journalling? Or is journalling data different from normal journalling somehow? I'm confused. I believe they are referring to the type of journaling being done. The default on Woody 2.4.18-bf2.4 (and RH7.3) is data=ordered. With the first version of ext3 or if you are using data=journal, the data is written to the journal and then to the normal location on the file system. With data=ordered only metadata is written to the journal but it guarentees that it won't commit transactions until the real data has hit the disk. This is a pretty good EXT3 faq http://batleth.sapienti-sat.org/projects/FAQs/ext3-faq.html If I am rememering correctly other journaling file systems journal metadata as well. It is obviously a larger performance hit to write the same data twice; data=ordered avoids that and still gives good journaling protection. As fhe FAQ points out, you could use data=writeback for even less of a runtime performance hit with a faster fsck recovery than ext2. It was my understanding that ext3 is ext2 with some additional structure information (within the space allocated for such things by ext2, so 100% reverse compatable) and a journal file. I hadn't heard anything about needing to be careful about mounting rw with a dirty journal before this thread. That is something that I'll read into. I've been using ext3 since it shipped standard on RH with version2 data=ordered. That's been at least a year and a half (probably longer) and I've never had a problem on the dozen machines I've run it on. Ext2, while not extreme in any performance spec, has been a reliable Linux FS, and ext3 just builds onto that. I don't loose any sleep over any data I put on it, and I have yet to fret over how it affects dsk I/O on any of the servers. -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: install
Sidney Brooks wrote: I followed the instructions below. When I entered linux single at the boot prompt, I ended up with a blank screen and frozen computer. I might add, Debian potato didn't work for me in the graphical mode because it only accepted the lowest resolution, 640x400 (I think), and everything was so big that it was useless. With it, I could get into the text mode which I cannot do with woody. For the record, RedHat gives me no trouble I apologise for this very late reply, especially when I see that I replied in this thread earlier because I noticed the MBR offshoot. I wasn't watching the mail in a thread capable reader and had missed the context of your whole message. I have a SavagePRO on the K133 chipset in a Shuttle XPC. I don't remember it giving me such grief in text mode, but I was not able to use X with Stable(Woody). The right driver can be found at Tim Robert's site: http://www.probo.com/timr/savage40.html. Unfortunatly it requires xserver-xfree86 v4.2 which was ithe version in Sarge in June/July 2003. I pinned to get it and discovered that I was better off using Sarge, and then Sid. You mean Debian Woody and not Potato, right? Either way should be the same. I only ask because you mention both and I haven't tried this chipset with Potato. I am puzzled about your not being able to boot into single user mode. I can (sortof) understand a lockup if you have X configured to start when the system boots all the way but not the lack of text mode. The SavagePRO DDR on the K133 worked just fine for me. If other systems didn't work, I'd wonder if you had some video memory allocated to the chipset and the other settings correct in the BIOS. Since you say RH works on that machine, and text mode seems to be failing you, I'm stumped. If you are able to get into text mode (even if it's by re-installing) then set gdm/kdm/xdm to not start a graphical login at boot. Once you have that, get the Savage driver from Tim's site and configure X. Test using startx before setting your display manager to auto-start again. Although one person answered the message below, I never saw it posted. In case something strange happened, I am trying it again. Rodney D. Myers responded to it. I attempted to install Woody version 3.0. Everything went smoothly until I tried to use it after the installation. All I get is a blank screen and a frozen computer. I think that my problem is a video card that linux does not like, S3 Pro-Savage KM133. Any suggestions as to how I can make things work. I cannot use the text mode, therefore I cannpt change any files. The questions after this are spot-on. Because you were able to go through the installer, it seems that the comptuer is able to talk to your video chip in text mode. It sounds like the system is trying to start the X server with a display manager and dying. If you are unable to switch virtual terminals by pressing CTRL-ALT-F[1-5], then the computer is pretty locked up. I don't remember trying the VGA driver for X, and I never experianced a hard lockup like that. At worst X would restart a few times then the config program would run asking me to choose different settings. Does Ctrl-Alt-F2 not switch you to a workable text-based console? From there you should be able to repair whatever's wrong. Otherwise you can, at the boot: prompt (assuming you're using lilo and not grub, etc), enter linux single to boot into single-user mode, where you can then repair what's wrong. Once at a text-based console, the first thing to do is to disable the automatic startup of X. You're probably using a graphical session manager, either xdm, wdm, kdm, or gdm. There are several ways to do this; probably the way I would do it is to temporarily put the single line exit 0 as the first executable line in the session manager start-up script. This script will be in /etc/init.d, and will have a symlink in /etc/rc2.d. The script in /etc/init.d will probably be named xdm, wdm. kdm. or gdm. The script in /etc/rc2.d will have a S and a number in front of the script name, like S99kdm or S98gdm. You can disable the graphical session for the current boot only by running this script with the stop flag, like so: /etc/init.d/kdm stop (which you'll want to do _before_ adding exit 0 to the script). Now run dpkg-reconfigure xserver-xfree86 and play with the X settings, and then try starting X with startx. Once you get a working system, you can remove the exit 0 and then run the script with the start option and see if the graphical session manager (GUI logon screen) works. I hope this gets you running. I feel bad that I missed being able to help out so long ago. I hope you don't mind that I'm CC'ing you incase you have dropped from the list. -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: network visibility
ataraxia2500 wrote: I've just upgraded to sid, everything is working fine except my winxp box does not find my debian box on the network anymore though it used to find it before the dist-upgrade, maybe it installed stuffz that changed some confz on my debian machine. any idea what it might be? thanx in advance ps: i can still smbmount my winxp shared docs Possibly in the dist-upgrade you chose to 'update' your config files for samba, changing the workgroup or disabling samba from being able to run with sensible parameters. Check your smb.conf file and verify that the samba services smb and nmb are running. -- Jacob Ps, I'm CC-ing you because your post seemed pretty old, but didn't appear to have a reply. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: get rid of unstable and testing packages
Malte Negendank wrote: Hi all, I have, after unsuccessfully downgrading my system, just reinstalled my system, using apt-pinning. This, however, turned out to be less brilliant as it sounded at first, it just gave me loads of dependeny problems with some packages. I tried it too once, with xserver-xfree86. The library dependancies un-installed all of my non-pinned development tools. :( So I decided to move to stable, using backports (having found out that the things I needed testing and unstable for exists as backport - man am I a slow thinker!). Problem is, the non-stable packages are still there, and removing them would uninstall most of my system. Hopedfully someone else shares how to get rid of the testing/unstable packages. Is there a safe way of removing these packages? Or - alternatively - is there a way to use apt-pinning without the dependency problems? Sure, there's a way to use apt-pinning without dependancy problems; only pin small packages that dont depend on newer libraries. Unfortunatly with the version change in gcc between stable and testing/unstable the pickings are probably pretty slim. You could also pin more stuff, but then why not just dist-upgrade if you're going to be fine using the new package and all the new libraries. The back-port route you've discovered is likely the safest way of getting newer software onto your older system. Search on apt-get.org is a very common answer on the list when people ask about getting newer packages for stable. You will then be waiting on the third-party packager for security updates instead of the Debian security team. -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: freedom of debian
[EMAIL PROTECTED] wrote: On Sat, 4 Oct 2003, Jason Housewright wrote: [snip] Using Debian, is it fair to say that one has more freedom regarding the software installed...specifically, I mean that my experience with GNU/Linux thus far has been that if you want to install an upgraded version of something...say mozilla for example, or KDE, that you have to overcome the older packages... While Debian does have a great package management system. it doesn't always do what you want and it is possible to end up breaking things by trying stuff like pinning apt, but that is usually only because you aren't trying to do things the right way. As Kevin says apt-get does a good job of dependancies. dselect and aptitude do an even better job because (along with other good reasons) they tell you about suggested packges as well. If all you are trying to do is install the stable version of some package on Debian Stable, you can just type aptitude install package and away it goes. No searching for the rpm that provides libxyz. (I've heard the graphical rpm manager in RH8 was much better at this than older versions.) The greatest freedom (and most work) of installing new versions of software is to build it from source. The reason why RPM (and deb) based packages have dependancy issues is that they link at run time to some specific version of a library. Newer libraries come out and the newer software is packaged linked to the newer libraries. You don't have all the newer libraries on your older system, and have a dependancy issue. You can build packages from source using dpkg, or you can search apt-get.org for backports to Debian stable. Stable is a good place to start or to use on servers or if you don't want to update 300MB of files every month ;). If you really wanted to roll your own on everything with even greater freedom (and work), you could try Gentoo. I've been using an rpm distro if that clarifies a bit. Anyway, I want to be able to put what I want on my computer without having to go through a song and a dance so to speak just to get it. Perhaps I'm just lazy. You all have been great and this list is really informative. Thanks for your help. You are greatly appreciated. As I said above, building from source will generally give you the greatest freedom (flexibility), but it is not a lazy' process. I have an aquaintance who builds KDE from source. It's not something that I like to do for fun. I appreciate the packages. Unless the new software's source code _requires_ newer libraries that are not on your system, you could build the new mozilla and run it out of $HOME/bin or even /usr/local/bin. It's preferable to put non-distro programs in those locations rather then replacing the distro managed files in /usr. Even if it did require the newer libraries, you could build them from source as well and install them into $HOME/lib or /usr/local/lib, or possibly give the build process a flag to statically link the libraries. You just need to compile the libraries first, letting them know where they will reside, and then tell the program where the libraries will be when you compile it. It's work, but you can learn a lot (or spend a lot of time pulling hair and hating your system.) Debian can still give you a song-and-dance (or hours of head pounding) if you are trying to install some package with lots of depenancies out of testing/unstable into stable. With both the Debian and the RPM based distro's you have the choice of compiling your own version, or using a back-ported package. snip Hi Jason, rpm based distro work like this: find the new package yourself, find the dependencies yourself, pray that eveything works ok. Althought with Ximian red carpet express, this is much simplifed. And now there is an APT for rpm which is being improved with the new Fedora Redhat project. But Debian has (almost) always used apt-get which figures dependencies for you (most of the time). I would like to again point out dselect or aptitude. If you don't like dselect because of the ncurses (menu) interface, you can run aptitude from the command line almost as if it were apt-get, and you can run aptitude as though it were some type of dselect. With debian, the files come to you whereas the old rpm system required you to find packages and fix things yourself. And isn't it just better this way? Thanks goes to all the hard working package mantainers! :) Also with apt-get you can get a source package if you want, to a freshly minted app. Redhat has srpms but again you have to do all the work. I've used rpm with srpms many times. Once I understood the process it wasn't a big deal to re-compile a package with some flags or patches I wanted. I've used dpkg to build a package from the debian source once and I can't remember now why I did. I think it was to try a newer version of lmsensors. For both package systems there are rules that have to be followed in order to turn a source directory into a
Re: install Apache problem under Debian 3.0 r1
tao lin wrote: Hi, all I am a newbie of Linux. Now I am using Debian 3.0 r1. When I try to use tasksel, and select web server to install, it return the follow error - == Since you only requested a single operation it is extremely likely that the package is simply not installable and a bug report against that package should be filed. The following information may help to resolve the situation: Sorry, but the following packages have unmet dependencies: analog: Depends: libgd1 (= 1.8.4-11) but it is not going to be installed or libgd1-noxpm (= 1.8.4-11) but it is not installable Depends: perl but it is not going to be installed E: Sorry, broken packages == I have already use apt-get update to update my Debian. Why I have so many Package Dependency problem? Can any one help me to solve these problems please? What sources are you using in /etc/apt/sources.list? I ask because libgd1 1.8.4-17.woody2 and libgd1-noxpm 1.8.4-17.woody2 should be available to you. Did the apt-get update (or dselect Update) fail? Are you choosing to not run dselect after tasksel? Ilve never tried doing that so don't know how it works or doesn't work. Try running dselect with Update, Select and Install. -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Replace HDD
Joyce, Matthew wrote: Hi, I have an old pc running Debian Woody and I have 2 questions. Firstly, the hard drive ios quite old and become quite noisy, I suspect it is on the way out. What is the easiest way to replace it ? It only have 2 partions, one of them a swap. The new drive is slightly bigger. Do you have a boot/rescue disk handy? A Knoppix disk may make things even easier. If you could boot off of your CD-ROM and mount both the new and old disks, then rsync everything except /proc and lost+found. Maybe it would be safe to do this while running off of the current install. I don't know. If anyone has corrections to this possibly hair-brained idea, please comment. [snip] -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: exim4 SSL/TLS client: refusal to verify certificate
Sebastian Kapfer wrote: On Thu, 02 Oct 2003 03:40:07 +0200, Vineet Kumar wrote: Perhaps it's failing because it can't verify a certificate chain from a trusted root certificate? You might need to grab the thawte CA cert and append it to your tlscerts.out. You are right. Exim doesn't even care about the server's certificate. When I concatenate all Thawte root certs (from the ca-certificates package) into tlscerts.out, Exim can derive the validity of the GMX certificate. I find that a bit strange, since I cannot see why I should trust Thawte more than I trust my email provider, but so be it LOL. I agree with that. While _we_ don't trust Verisign or Thawte more than somone we deal directly with, the masses do because their browser came installed with thier root certificates. Why does exim use CA/X509 based certificates rather than OpenPGP ones? Probably because TLS was designed with X509/CA based certs . There was an internet draft for using OpenPGP keys and thus their trust model that according to the link I found that expired the first of this month: http://www.ietf.org/internet-drafts/draft-ietf-tls-openpgp-keys-03.txt The whole trust thing is funny. What does it take for me to get a Verisign Certificate? A business tax ID, preferably a Dun number, and a printed form on my business letterhead. There, now you can trust me to send your credit card numbers to. :P So, why do businesses pay them? Because they are afraid that people will get the browser alert warning them the certificate is not signed by a trusted authority. The CA owners and investors must laugh all the way to the bank every day. -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Recommendations for donated machines
Kevin Mark wrote: Hello D-u's, I need a recommendation for some donated machines. Here are the specs: P I/75 32MB 2GB (may upgrade memory to 64/96MB) That is good, the more the merrier to help buffer your slow IDE disk. Of course the 33mhz (?) FSB isn't going to be a speed demon for even memory access. (also may try cpu upgrade.) Good luck. I wouldn't stress on this unless you're thinking of doing the main board, then you'll need different memory which will be faster and a newer power supply oh, UDMA 66+ 80 pin cables, hmm, might as well get a bigger UDMA capable drive... etc. ;) Which version of Debian (or possibly Slackware) would work? I think Woody should work. Kernel 2.2 or 2.4, X 4 or 3, Abiword, gnumeric or OO? KDE, Gnome, XFCE or ? I would expect 2.2 to use less resources than 2.4 but I've never tested or read about it. X - depends on the video card(s). v4 drops support for older cards. KDE vs Gnome... I don't know which is 'heavier', WindowMaker is pretty light weight. If you chose KDE, then you may as well use KOffice. If you chose Gnome, then Abiword/Gnumeric/etc OO is pretty heavy, but after you waited a year each time you start it, maybe it would run be ok on a P75. *shrug* Or anything that would help get the most out of this setup. I think of graphical web browsers Netscape 4.x loads the fastest, possbily because it had a rendering engine that only followed Netscape's standards ;P If you're using KDE, Konquerer should be a fair choice. I haven't really tried too many others. I like Mozilla, but I like it much better on a 1.8ghz machine than I did on a 450mhz. Gallleon was OK, but since Mozilla has tabs and works how I like, I dont use Galleon much. Lynx is definatly one of the fastest! :) I think lighter is better. If people are going to expect the machines to work like a 1.5+ Ghz machine, and load software that runs just fine on those systems, they are going to be _very_ disappointed. Evaluating what these machines will be used for and sharing that would help. It seems you want to do standard office type applications in a graphical environment. My first linux setup was on a P120, and compared to Win95 on another P120 starting X and Gnome was sluggish (this was Gnome 1x on RH 6.2), Netscape 4.x was OK. I used gedit for notes and Netscape Mail for mail/news. i was very happy with it but others cringed at the lack of pretty spinning graphics on every action. I have a neighbor who still uses WordPerfect for DOS. Loves it. They have a hard time (and I agree) with the whole black text on a white background because it's hard for them to read. Up on campus they had lots of terminal email machines. Lots of people used them. They've since gone to web based email with only the web, and I see the lines to use the terminals being no longer or shorter. There's a lot to be said for a good curses based application... -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: How do people remount /usr read-only after apt-get?
Malcolm Ferguson wrote: [snip] 2) This makes me wonder why we don't restart affected processes after applying security patches. For instance, today's OpenSSL patch seemed to affect ssh and bind. Well, I had to restart them as part of remount /usr ro. Presumably those processes were still using a vulnerable version of the library. Ssh was doubly annoying as I had to log out and log back in ;) Every Debian update I've installed like this has had text saying You will need to restart all services that depend on this library. I've never had to log out and in to restart sshd. I don't know if my connection is passed from one process to the next, or if the old process hangs on until I log out, but I've restarted it (and cycled my interfaces down and up) while connected many times (which I think is very nice!) -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: New OpenSSL installed -- recompilation required?
Lukas Ruf wrote: Dear all, after I have installed the latest libssl, do I need to re-compile anything that makes use of libssl? Concrete examples for me are: - OpenSSH - Mod_SSL The reason I am asking for, on my server I have OpenSSH and Apache hand-tailored to fit our needs. However, for compile-options, I make use of the ones submitted with each as default. Thanks for any enlightenment. I believe that the answer is yes, you will need to recompile using the updated source packages, but I don't know the debian policy or reference that states this. It seems that the same would go for using a back-ported package. You'd have to watch for the security announcement and then keep watching for an update from the back-port source. -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Debian uptime 497 days
Rich Johnson wrote: On Saturday, October 4, 2003, at 12:24 AM, Jacob Anawalt wrote: Everytime I think about this thread or any boast about uptime one question comes into my mind: Are these machines on trusted networks with trusted users, or do people really get lucky and pick or compile a kernel that doesn't have any bugs/exploits found in the next year? At this point aren't most of the vulnerabilities found in the loadable modules and/or services rather than the kernel itself? Wed, 13 Aug 2003 20:46:04 -0400 [SECURITY] [DSA-358-4] New kernel packages fix potential oops Tue, 5 Aug 2003 08:58:30 -0400 [SECURITY] [DSA-358-2] New kernel packages fix potential oops Mon, 4 Aug 2003 22:00:46 -0400 [SECURITY] [DSA-358-3] New kernel packages fix potential oops Thu, 31 Jul 2003 21:57:30 -0400 [SECURITY] [DSA-358-1] New kernel source and i386, alpha kernel images fix multiple vulnerabilities Sun, 29 Jun 2003 12:19:51 -0400 [SECURITY] [DSA-336-1] New Linux 2.2.20 packages and i386 kernel images fix several vulnerabilities Sat, 28 Jun 2003 21:44:01 -0400 [SECURITY] [DSA-332-1] New Linux 2.4.17 source code and MIPS kernel images fix several vulnerabilities Sun, 8 Jun 2003 21:26:02 -0400 [SECURITY] [DSA-311-1] New kernel packages fix several vulnerabilities Mon, 9 Jun 2003 23:42:32 -0400 [SECURITY] [DSA-312-1] New powerpc kernel fixes several vulnerabilities Thu, 3 Apr 2003 15:22:50 +0200 [SECURITY] [DSA 276-1] New Linux kernel packages (s390) fix local root exploit Thu, 27 Mar 2003 07:49:13 +0100 [SECURITY] [DSA 270-1] New Linux kernel packages (mips + mipsel) fix local root exploit http://lists.debian.org/debian-security-announce/debian-security-announce-2003/threads.html I hadn't used Debian before this spring, and it looks like from the 2002 and 2001 archives there were practically no issues with the kernel back then. It seemed like I would get a fixed kernel from RH every three to six months. A view from the low end of the spectrum is that I've had no kernel problems since I switched my now 8 year old PowerMac to linux 3-1/2 years ago. For the last 1-1/2 years I've been happy as a clam with 2.4.18. With linux the machine's been more reliable than the power grid. Very nice. Alas, it's only been 125 days since the machine was last powered down for transport. Don't get me wrong, I think the high uptime is an impressive testiment of the quality of the kernel and other software running on the system, but it also indicates that the kernel is likely missing some security update. It's your call if the security fixes an issue that is pertinent to your situation or not. -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Virus-infected hosts list
Paul Johnson wrote: [snip] Tommorrow someone else will be assigned those same IPs and you'll be blocking them even if they were never vulnerable to begin with. If it's a problem, they email me, and I pull the IP. So you're just keeping a list of problem IP's and accepting additional traffic from them, or do they have to use another IP address to mail the Disinfected, thanks email to? -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Debian uptime 497 days
Tom wrote: On Mon, Sep 29, 2003 at 05:11:49PM -0700, Alvin Oga wrote: hi ya On Mon, 29 Sep 2003, Vineet Kumar wrote: * Kyle Loree ([EMAIL PROTECTED]) [030929 08:58]: the other system is at 486 days 16 hours 36 minutes, and I expect that it will do the rollover in another 11 days. is there anything I can do so that the uptime will be retained? Why? Your uptime is the amount of time your machine has been running, not the output of the uptime command. Just because you overflow a 32-bit number with it, it doesn't mean your machine is any less stable. one of my machines has rolled over 2x already ... and still up and running and survived being moved from one bldg to another bldg in a diff city ( running off ups in the car w/ 12vdc-110vac invertor too ) - inverters doesnt always work as advertized though Here's a burning question: does hibernate mode in a laptop count? No world records broken here, but I once kept a W2K laptop going for about 6 months with logout, hibernate, and sheer insansity. Everytime I think about this thread or any boast about uptime one question comes into my mind: Are these machines on trusted networks with trusted users, or do people really get lucky and pick or compile a kernel that doesn't have any bugs/exploits found in the next year? -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: xwindows
steef wrote: .hey out there, can somebody tell me how come: - installing woody_kernelvariant bf2.4; taskel does not give the possibility to install Xwindows a f t e r having installed debian security packages. so apt cannot get the Xwindowspackages from the (ftp) server. when i install woody, bf24 w i t h o u t security packages all goes well:, normal. does somebody has an idea what causes this blockade? [tried this out on three completely different machines with vanilla as well with the same results as for bf24] Hopefully somone comes back with a good answer soon. Until then, I just wanted to confirm that I have installed woody on a number of machines initially using the bf2.4 kernel and installed the xserver-xfree86 package. Are you installing using another kernel package, then selecting the vf2.4 and xserver-? Have you tried installing from a base-install source that has the bf2.4 kernel? What xserver package are you trying to install? xserver-xfree86? What server are you using for your local debian mirror? http://ftp.nl.debian.org/ ? -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Anyone else notice that Swen is slowing down?
ScruLoose wrote: On Wed, Oct 01, 2003 at 07:56:07PM -0500, Michael D Schleif wrote: What I am saying is -- IMHO -- especially in light of the problems that I have experienced with Swen, auto-executing virus/worms are only *part* of the problem. Social engineering is often scoffed at as a real threat; but, what we see with Swen is so real looking that people I know have actually __manually__ clicked on those attachments! Of course, there's also the fact that since they run Windows, they are of necessity logged in with admin privileges *all* the time, so it only takes one click to install an executable that then has full access to the system, including network devices... Even with Windows XP Pro, I work with people who have it set in their minds that they'd rather always be an Administrator/Power User to avoid the once-in-a-while hassle of typing a password to install a program or update than run as a normal user for the most part and be a little more protected from these problems. No they'd rather fume when they have to restore/reinstall or deal with the constant annoyingness of their virus scanner that complains if they try to send more than one email at a time, or happen to send the same message to a few different people. One of them had his DNS settings changed the other day and he coudn't figure out how that had happened. It's like it's cool to have full control and even cool to remove a virus. *boggle* I think the problem is they worked with Win9x for too long, or often think they live in the relatively safe world of late 80's early 90's networked computing. It blows me away that others like to work like this and want to share the root of their systems to avoid occasional permission issues. They really have issues dealing with user/group based permissions. I grew up with Macs and disliked the fact that my desktop was always changing (on the other hand I never knew what an IRQ conflict was). Win9x pretended to keep my files and desktop seperate, but still others could 'clean up' and delete my work. There was also the dumbness of having 2-3 desktop backgrounds appear as you booted up and logged in. When I installed my first Linux distro on an x86 I was hooked. That was how a computer system should work! Maybe a few more years and more people will catch on to the idea of checking file permissions and learn appreciate them. -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: yahoo wants to save cookies at /
Derrick 'dman' Hudson wrote: On Thu, Oct 02, 2003 at 05:35:11PM +0300, Alphonse Ogulla wrote: | Unable to open mail.yahoo.com in konqueror as non root for the simple fact | that yahoo wants to dump some cookies at / (root) directory for which I have | no permissions. Anybody experience this strange behaviour? What makes you think konqueror is trying to save data in /? Maybe you are getting an error because you have cookies disabled? Go into settings - configure konqueror; cookies. See if enable cookies is checked and if it is, make sure yahoo.com isn't set with a reject policy in the domain specific policy area. I can see how this could be confusing if you didn't have the knowledge of how cookies work (which Derrick explains below) and you know that your filesystem root '/' is off limits to your user. Fortunatly the browser only writes into your home directory or possibly /tmp. If you're looking at the Path (as mozilla calls it) in the Cookie Details dialog, that has no relevance to your local file system. It is the base path of URLs at that site for which the cookie will be returned. For example, if I browse to http://mail.yahoo.com/ and the server requests setting a cookie with path /, then when I browse to http://mail.yahoo.com/foo, the browser will supply the cookie back to the server because /foo is under /. HTH, -D -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
OT: Spam was Re: Spamassassin Configuration
ScruLoose wrote: As others have noted, virus traffic is not actually the same as spam-traffic, and you might want a particular tool for each job... To me they are both Spam. I did not ask to recieve either, and they are both attempting to fill the mailboxes of several users on the same system with unwanted data. I like the more recent definitions of UCE and UBE for commercial/promotional mass mailings. The following sources say much more about the definitions of Spam than I could. :) dict spam dict UCE dict UBE Back on topic, I agree that it is important to realize that different tools may be more effective against different forms of Spam. P.S. Is the +debuser working to help you avoid Spam? -- Jacob - Looking for better email spam solutions -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Can't get eth0:0 subinterface
debian.1 wrote: Greetings: I'm a current Redhat user _trying_ to switch to debian. More under the hood differences than I expected :-( I need to add a static IP subintrface on eth0. I used to just add a file in /etc/sysconfig/network-scripts corresponding to the new intrface and reboot. No problem Now, I cant ge the d^%# thing to work. I edited /etc/network/interfaces and added the requisite section for the new interfaces: iface eth0:0 inet static address ...etc But when I do a ifup/down, ifconfig still shows no subinterface.ipup -a give me a list of SIOCSx No such device errors What does one have to do to add a sub interface? This is a freshly installed and updated Woody system. This was the first settign I tried to change. PITB. Thanks very much for the time to help, Things are definatly different in many places. I hope getting the hang of the Debian way doesn't prove to be too stressful. I just added the eth0:0 entry to /etc/network/interfaces: [copy] auto eth0 iface eth0 inet dhcp auto eth0:0 iface eth0:0 inet static address 192.168.1.98 network 192.168.1.0 netmask 255.255.255.0 broadcast 192.168.1.255 [/copy] After issuing an ifup command, I had: eth0 Link encap:Ethernet HWaddr 00:01:02:26:0A:0A inet addr:192.168.1.8 Bcast:192.168.1.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:89510660 errors:139 dropped:0 overruns:97 frame:139 TX packets:147560 errors:0 dropped:0 overruns:0 carrier:0 collisions:6147 txqueuelen:100 RX bytes:3035508172 (2.8 GiB) TX bytes:44244548 (42.1 MiB) Interrupt:11 Base address:0xec00 eth0:0Link encap:Ethernet HWaddr 00:01:02:26:0A:0A inet addr:192.168.1.98 Bcast:192.168.1.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 Interrupt:11 Base address:0xec00 Maybe some parameter in your settings for eth0:0 is incorrect. -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Can't get eth0:0 subinterface
Scott Horton wrote: snip What does one have to do to add a sub interface? This is a freshly installed and updated Woody system. This was the first settign I tried to change. PITB. Thanks very much for the time to help, Things are definatly different in many places. I hope getting the hang of the Debian way doesn't prove to be too stressful. I just added the eth0:0 entry to /etc/network/interfaces: snip You got that right. I never imagined all the little nuances I forgot I knew (and now don't know any more). I'm muddling through it. The whole point being to get something more stable than a once a year complete OS rebuild/swap for RHx. I got it (eth0:0) to work but had to build a new kernel to do it. That took some doing as well, but I believe I finally got all the piece parts together (for the kernel) and got it going. It seems somehow on install I got some sort of mini-kernel. Probably something I did. Installing the precompiled kernel didn't work because my NIC wouldn't come up. I'm glad to hear you got it working, but I'm puzzled that you had to go to such lengths. The eth0 in the machine I tested on uses 3c59x as a module. *shrug*. One tool I like a lot is modconf. Once you find the right tools for doing the job in Debian, the configuration of things is generally much easier. The trick seems to be learning the new tool names and learning the Debian way of dong things. -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: bind has quit working
Jeff Elkins wrote: On Saturday 27 September 2003 9:10 am, Jeff Elkins wrote: What is a missing ptr? OK, to named.conf I added: zone 192.in-addr.arpa { type master; file /etc/bind/db.192; }; A minor note, I'd write db.192 as db.192.168.0, so that if you have another private network it's db.192.168.1 or whatever. The exact name doesn't matter, but I think it's nice to use numbers all the way down to the subnet you're claiming reverse dns authority for so that you know by glancing at the file name and zone config what network it's a pointer record for. and /etc/bind/db.192 contains: ; ; BIND reverse data file for 192.168.0.0 ; $TTL604800 @ IN SOA localhost. root.localhost. ( 1 ; Serial If you were to include the date in the serial number you could quickly see when you last made zone changes. 2003092701 ; Serial in MMDDSN where si is the day's serial increment number (SN - Sometimes I'll mess up or a second request for changes will come the same day.) 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL ; @ IN NS localhost. Do you want other computers in the network to look to themselves or the dns server for resolution of the reverse dns zone? @ IN NS server.elkins 1.0.168.192.in-addr.arpa. IN PTR server.elkins. 2.0.168.192.in-addr.arpa. IN PTR router.elkins. 10.0.168.192.in-addr.arpa. IN PTR kathix.elkins. 20.0.168.192.in-addr.arpa. IN PTR mac.elkins. 30.0.168.192.in-addr.arpa. IN PTR music.elkins. 40.0.168.192.in-addr.arpa. IN PTR buttons.elkins. 50.0.168.192.in-addr.arpa. IN PTR tosh.elkins. 60.0.168.192.in-addr.arpa. IN PTR z.elkins. nslint now reports no errors. Am I on the right track here? Yep. It's working, right? :) I think it's odd that you had to uninstall/reinstall bind I've not yet had that issue. I'm glad it's working now. -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: [OT] kernel 2.4.22 local APIC errors
David Fokkema wrote: Hi group, I compiled linux 2.4.22 from kernel-source-2.4.22 and now my logs are flooded with these errors: Sep 27 15:32:24 orion kernel: APIC error on CPU0: 40(40) Sep 27 15:32:52 orion last message repeated 45 times ... Lots of people were getting this error. Try searching google for kernel APIC error. Many responses suggested turning off APIC on boot with the noapic option. I think I even remember reading a post saying it was OK to ignore the errors, but I cant find the source now so don't trust that. In total, this message is repeated hundreds of times. Also, I get the following error: Sep 27 15:32:21 orion kernel: apm: BIOS version 1.2 Flags 0x03 (Driver version 1Sep 27 15:32:21 orion kernel: apm: overridden by ACPI. But I have only compiled apm as a module, which is not loaded (checked with lsmod). But maybe I should simply compile without this module. Strange that there would be error messages unless maybe apm keeps trying to load. Is apmd running and trying to load apm? You can also disable ACPI and hopefully avoid the errors by using the pci=noapci option for the kernel on boot. If this is a server, I don't think you need apm or acpi. If this is a desktop or a laptop and you want to experiment w/ power management, then I agree with your conclusion of _not_ compiling apm. If your bios/mb support acpi (and the Linux version support the version in BIOS) it should be better than using APM. If you try acpi and it doesn't work well, then compile without it and with apm. Anyway, what are the APIC errors? Google wasn't very helpful. I didn't have these errors in 2.4.21. Advanced Programmable Interrupt Controller (Intel, PIC) - dict apic, or click the APIC link in You searched the web for APIC in the blue area below the tabs in Google. -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Lindows was Re: This might be a darned fine Knoppix station
martin f krafft wrote: also sprach Martin Jungowski [EMAIL PROTECTED] [2003.09.26.0032 +0200]: While we're on that subject, does anyone in here have any Lindows experience? I remember that several years ago when it was first announced, there was rumors about a 100% MS Windows compatible Linux that will run every Windows application out of the box. Did they really achieve that? No, not even close. I think they ended up giving in and dropped that line fro marketing. I don't have any experiance with using LindowsOS, but I have kept tabs on it from time to time so I can have semi-informed conversations about it with friends and family. I believe they were initially banking on CodeWeavers to to get winelib or some code based on winelib to a state where it would run all of Office2000 by the time they first released, but CodeWeavers said they didn't promise the emulation would be that fast (at least that's what I remember from the article) and it didn't happen. It's interesting to see that since then LindowsOS has shifted their position to 'use all opensource code, and we'll try to find conversion filters' and CodeWeavers is now marketing the code on their own as CrossOver for around 50.00/US. -- Jacob - is still looking for a better way to do email. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Anyone else notice that Swen is slowing down?
[EMAIL PROTECTED] wrote: On Sat, 27 Sep 2003, Pim Bliek wrote: I get the virii with 3 different content-types: application/x-msdownload,audio/x-wav,audio/x-mid so, just exe doesnt seem to cover it. But how do you filter them out using postfix? Pim I was commenting that you can not just check on .exe becasue the virus is not just in .exe files. I was suggesting to check the message body for this line. I do not know about postfix. sorry. -K With postfix 2.x you can do mime_header_checks for dangerous extensions in the Content-Type/Content-Disposition and body_checks for the MS executable MIME fingerprint http://sbserv.stahl.bau.tu-bs.de/~hildeb/postfix/postfix_sobigf.shtml I'm running 1.x, so I only do body_checks. I feel like I'm in a bit of a delima there though, because I want my gateway mail server to be stable and supported by the security team, but I want the newer features of the later versions so I can make better inbound SMTP decisions. Same goes if I chose to use exim, I'd want v4. Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
OT: Using a mic in Windoze Re: problen
jay wrote: hi i have a on board sound card a ac97 on my msi 865pe neo2 board running home xp the problem is thst the head phones and mic work in all on board tests and also on msn mess test all scales move up and down but and this is the big but i can hear other people talk to me but they can not here me have checked every thing and so has other people still not work help please cheer p Well, since I'm unaware of a MSN client for Linux that allowes you to use their voice conversation protocol, so i have to guess that you're: * Testing the Mic in Windows and asking for support on Debian-User which isn't focused or generally friendly to heiping with MS issues. * Running VMWare in Debian, which could somehow be construed as a Debian user issue because the input sound isn't getting from VMWare to the sound card. Try this: http://csociety-ftp.ecn.purdue.edu/pub/knoppix/KNOPPIX_V3.3-2003-09-22-EN.iso or this: http://csociety-ftp.ecn.purdue.edu/pub/knoppix/contrib/minicd/kix_0.9.iso or this: http://www.phy.olemiss.edu/debian-cd/woody-i386-1.iso See if your sound works using those programs. We can help you better if you have issues with sound using the programs from the last link, but the first one may be a little more user friendly. :) -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: backup to dvd of apple files
Rudy Gevaert wrote: Hello, I have recently inherited a (voluntary) sysadminjob. We have a fileserver where Macs and Windows clients can connect to. On the fileserver I use netatalk and samba. I have about 10 gig of data on it and I want to dump that data to a DVD. I have found someone who has a DVD burner so I only have to make a couple of images. The problem is I do not know how to handle the files from the Mac. They do not have an extension. When the DVD is burned the files made on apple machines must be again readable on a apple machine. The files made on a Windows computer must be readable on a Windows machine. I tried to make an image of a couple of directories with mkisofs -r -J but it shortened a lot of filenames. Many, but many file names are very long and have much of spaces. So my question is: what is the best way to make my image so I do not loose the long filenames and the DVD is readable in the Macs and Windows computers. Thanks in advance, Even getting the right mkisofs commands may not be enough. Unless your local server filesystem is HFS (Apple's), netatalk has made some .AppleDouble directories to hold the resource fork of the Mac files. Even if you were to mkisofs using a translation table, rock ridge extensions, Joilet and HFS I don't believe that that you will get valid Mac files. I have always pulled the files back off of my linux server to a Mac, created an ISO of the files and then burned from wherever. You may find that it is easiest if you burned or at least mastered all the files from a Mac. Hopefully someone else can share more encouraging information and steps on how to master a Mac/Win compatable ISO from a netatalk share's data. I'll definatly take note of the procedure if they do. Maybe the key is in how OSX handles files, what file system they use and how tools like tar have been modified to handle Mac files that have resource forks. -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Allowing any user to shutdown from gnome (gdmconfig show system menu)
Jerome BENOIT wrote: Ben Edwards wrote: Is there a way of allowing any user to shutdown. Idealy from the taskbar (but I guess in this case it's simply a case of writing a short script and calling it from the taksbar. Ben Have a look to /etc/X11/gdm/gdm.conf Also accessable as su -c /usr/sbin/gdmconfig If you check show system menu which is on the security tab of gdmconfig in unstable. I don't know what version you are running. Also you can have it require a password using the standard greeter with secure system menu checked. Once this is set people can shut down after logging out. This reminds me, I got one response about the graphical greeter secure system menu on unstable so I'm still not sure if it is a config issue or a bug. Does the standard but not the graphical greeter prompt for the root password for anyone else when secure system menu is selected? I believe both should, but the graphical does not on my system. Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Problems getting security updates?
Chuck Mattern wrote: Possibly a newbie issue here but the lines: deb cdrom:[Debian GNU/Linux 3.0r1 Update CD 20030109: i386]/ woody contrib main non-US/contrib non-US/main non-US/non-free non-free deb cdrom:[Debian GNU/Linux 3.0 r1 _Woody_ - Official i386 Binary-7 (20021218)]/ unstable contrib main non-US/contrib non-US/main deb cdrom:[Debian GNU/Linux 3.0 r1 _Woody_ - Official i386 Binary-6 (20021218)]/ unstable contrib main non-US/contrib non-US/main deb cdrom:[Debian GNU/Linux 3.0 r1 _Woody_ - Official i386 Binary-5 (20021218)]/ unstable contrib main non-US/contrib non-US/main deb cdrom:[Debian GNU/Linux 3.0 r1 _Woody_ - Official i386 Binary-4 (20021218)]/ unstable contrib main non-US/contrib non-US/main deb cdrom:[Debian GNU/Linux 3.0 r1 _Woody_ - Official i386 Binary-3 (20021218)]/ unstable contrib main non-US/contrib non-US/main deb cdrom:[Debian GNU/Linux 3.0 r1 _Woody_ - Official i386 Binary-2 (20021218)]/ unstable contrib main non-US/contrib non-US/main deb cdrom:[Debian GNU/Linux 3.0 r1 _Woody_ - Official i386 Binary-1 (20021218)]/ unstable contrib main non-US/contrib non-US/main deb http://security.debian.org/ woody/updates main contrib non-free deb ftp://ftp.us.debian.org/debian/ stable main contrib non-free in my /etc/apt/sources.list I get the following errors (trimmed for brevity) when I run dselect and do an update, can anyone tell what I'm doing wrong? Get:1 http://security.debian.org woody/updates/main Packages 99% [1 Packages gzip 0] [Waiting for file] gzip: stdin: not in gzip format Err http://security.debian.org woody/updates/main Packages Sub-process gzip returned an error code (1) Hit http://security.debian.org woody/updates/main Release Get:2 http://security.debian.org woody/updates/contrib Packages [7533B] 99% [2 Packages gzip 0] [Waiting for file] gzip: stdin: not in gzip format Err http://security.debian.org woody/updates/contrib Packages Sub-process gzip returned an error code (1) Hit http://security.debian.org woody/updates/contrib Release Get:3 http://security.debian.org woody/updates/non-free Packages 99% [3 Packages gzip 0] [Waiting for file] gzip: stdin: not in gzip format Err http://security.debian.org woody/updates/non-free Packages Sub-process gzip returned an error code (1) Hit http://security.debian.org woody/updates/non-free Release Fetched 9533B in 19s (477B/s) Failed to fetch http://security.debian.org/dists/woody/updates/main/binary-i386/Packages Sub-process gzip returned an error code (1) Failed to fetch http://security.debian.org/dists/woody/updates/contrib/binary-i386/Packages Sub-process gzip returned an error code (1) Failed to fetch http://security.debian.org/dists/woody/updates/non-free/binary-i386/Packages Sub-process gzip returned an error code (1) Failed to fetch ftp://ftp.us.debian.org/debian/dists/stable/main/binary-i386/Packages Server closed the connection [IP: 35.9.37.225 21] Is there a not-so-transparent proxy doing virus scanning and uncompressing but not recompressing the files, or is it just that it doesn't like woody? deb http://security.debian.org/ stable/updates main contrib non-free -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Question on GPG
Roberto Sanchez wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I just started playing with GPG today. Can't you tell? :-) Anyhow. I generated bunches of keys trying to get Enigmail to play nice with Thunderbird and also with gpg on the command line. When I finally got around to the part of the HowTo on searching for keys (of course I did not read through all the way before starting), I searched for my key. It turns out that at some point all my keys (3 in all) were exported. The problem is that I had already deleted the key-pairs from my machine, since they were just test runs. Is there a way to get rid of them from the keyservers? I don't believe so. If you had a revocation cert or if they have expiration dates then they could become 'invalid/untrustworthy', but I believe they always stay on the server. I was going to try enigma. Do you remember clicking on something to send the key to the server, or did it do that on it's own to be 'helpful'? Playing with Kgpg it didn't show me the first test key I made until I made a second one when I didn't have any in my account. I hope they haven't been uploaded to a keyserver. -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Multi-user Debian
Roberto Sanchez wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Ron Johnson wrote: |This has got to be the best idea since Linux and |Debian... | |Hurry! Patent it! ;-) | | | Too late. Multiuser-DOS schemes using this kind of technology | was popular back in the mid-80s. | I don't believe that will have an impact, given the current state of the USPTO. :P *sigh* Too true. Hey, is that web applet licensed??? -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Anyone else notice that Swen is slowing down?
Xavier Andrade said: On Fri, 26 Sep 2003, Clive Menzies wrote: [...] Can't say I agree here ;( I don't actually track the numbers (haven't yet managed to implement a filtering solution) but I must have deleted well over 100 today I'm using this in my procmailrc: :0 B * ^TVqQAAME//8AALgAQA+$ mail/virus I don't know what it does, but works very well. I get it from someone at debian-user-spanish. It watches for the MIME fingerprint of Windows/Dos executables that is at the first of raw executable attachment (not zipped/compressed) MIME data. Maybe you could convince the people in charge of your ISP to even reject all of that at SMTP for all users of your system. :) -- Jacob Trying out SquirrelMail -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Windows multiboot (aaargh!)
cr said: On Friday 19 September 2003 21:12, cr wrote: (DOS / Win95 / Win98 install) Next step, see if I can boot the whole thing with GRUB cr Progress report... :) The 'rgh' was prophetic Well, it all booted happily with Grub while it was Drive 1 in my spare PC. So I put it in this box as /hdd, DOS would boot OK, but while I was faffing around with 'map' and 'hide' trying to make Windows behave consistently, *something* (whether me with Grub or Windows thinking it ought to be on Drive 1) went and munged /dev/hda5 where Debian lives. First I knew of it was 'kernel panic' when trying to boot Deb. I found that /hda1 ( /boot) was OK, but /hda5 (root) and /hda6( /swap) seemed to have got themselves lost in/hda2. And I *hadn't* backed up the mbr, nor did I have a record of the exact partition size Soo...I got a spare drive, installed Debian on it intending to see if I could salvage the old /hda5 somehow, and in the midst of my usual battle to the death with dselect I came across a little utility called gpart which guesses partitions. And, it works!OK, relying on it is a bit like driving your car into a power pole to check if the seat belts work, but still, I'm damn grateful to its author. Conclusions: 1. Back up the MBR and everything else, first! 2. Be very, very careful when using 'map' to swap drives around I've used 'map' without any damages, but Win* didn't want to finish booting using it. 3. It's probably safest to let DOS/Windows occupy Drive 1, where in its blinkered arrogance it thinks it belongs. Linux can sit somewhere else. ...because it was written with open minds! I second this plan, and strongly recommend people to use two drives when possible if you're going to multi-boot w/ windows. That way WinDos can play their games with the drive A's partition table, and Linux can sit on a fdisk/cfdisk/whatever made partition table in drive B-ZZ99. I've been through frustration like you've described more than once trying to mix windows and linux on the same disk. That's not to say I don't do it because in one computer I only have space for one IDE HD, but where I can avoid it I do. -- Jacob Trying out SquirrelMail -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: MS mail bombs
Bob McElrath said: Wayne Gemmell [EMAIL PROTECTED] wrote: Walt L. Williams [EMAIL PROTECTED] wrote: Is there anyone else out there being mail bombed with emails that look like there from M$? The rate at which their coming is increasing exponentially. I recieved 10Mb of mail over the weekend, and I the last 12 hours I recieved another 10Mb. I have a 10Mb internet based, downloadable mailbox and at this rate I should recieve mail for 3 hours tomorrow before it becomes flooded! Its very disturbing. I'd love to get my hands on the person responsible for this! I hit 150MB this morning before setting up some rules to drop these mails in /dev/null. I guess that's as effective for reducing the bulk of your inbox as sending 550 executables not accepted, especially if you don't have control over the mail server and you match this virus with 100% accuracy. Either way, /dev/null or 550 after DATA crlf.crlf you've recieved the whole message. The 550 would inform the sender of a non-automated message that your server didn't accept delivery based on content. This of course means you are scanning for bad content during the SMTP delivery session. I think it is a bad idea to post-delivery 'bounce' an email or to forward an email to the recipient if you found a virus in it. The 'sender' and 'reciever' in the From: and To: headers are almost definatly forged. Are they targetting mailing lists exclusively? Why are other people not getting bombed? Other people don't participate as activly in the internet community? On this list people have said that Swen gathers emails from different places including usenet, and that debian-user is mirrored to usenet. There are a few threads running right now on topics from procmail to mail bombs that I believe were all kicked off by our mailboxes suffering the effects of Swen. -- Jacob Trying out SquirrelMail -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Anti-Spam ideas for usenet/list harvested email addresses (forpostfix mail admins)
daniel said: I found a nice web page which can give postfix mail admins some nice tips to block most incoming spam/mail bombs. I added most of the checking described in this url plus a 100Kb mail limit since nobody sends me more than that. Before I could be receiving 10 spam and/or mail bombs per 5 min.. now per 5 min. I am receiving none.. Im anxious to check how many do I receive tomorrow... This is the link - http://www.wsrcc.com/spam/ Thanks for the link, looks pretty sensible in their setup. I don't think this rule is a good idea: http://www.wsrcc.com/spam/bounce.html [quote] 550 Client host rejected: cannot find your hostname, [168.126.3.59]; Here the sending site's DNS administrator forgot to put the name of the host into the DNS system at all. Our system has no way to tell the name of your host. This is probably the most common mistake. There are two places the DNS administrator has to enter the information for each host. One, the so called forward mapping maps the hostname to IP address. Two, the reverse mapping maps the IP address to the hostname. Both of these mappings have to agree for our host to believe the information it gets. [/quote] This will reject email from many vaild and well managed mail servers who aren't able to buy their own ip block or get an ISP who will do reverse-dns for their mail servers. -- Jacob Trying out SquirrelMail -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Why such volume with W32/Swen@MM?
ScruLoose said: On Wed, Sep 24, 2003 at 09:33:56PM -0400, ScruLoose wrote: On Mon, Sep 22, 2003 at 03:54:08PM -0600, Monique Y. Herman wrote: I've heard that using html encoding for the @ symbol on webpages will reduce harvesting ... it still shows up properly in mail clients when the user clicks on the mailto. Anyone know if the above is true or wishful thinking? I have a mailto using a little Javascript that I got here: http://innerpeace.org/escrambler.shtml which works beautifully, though only for people who have JavaScript enabled on their browser. Hm. On looking at my reply, I've just noticed that the question I answered was not the question you asked. Oops. I haven't tried using the html escape-code for the @ symbol... I imagine it'll fool the crawlers, until someone writes a crawler that looks for it (being a one-to-one substitution, it would be very easy to detect and defeat)... And whether it resolves properly when a user clicks on the mailto button I really don't know. I wouldn't be at all surprised if the results varied depending on what browser/MUA combo people are using. IMO these ideas while being slightly harder to harvest than no encodiing are just that, slightly harder. Unfortunatly your work to protect your email address on your web site doesn't provide a solution to the Swen issue (message topic), because it most likely grabbed your email from usenet, not from your web page. http://lists.debian.org/debian-user/2003/debian-user-200309/msg03834.html -- Jacob Trying out SquirrelMail -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: fetchmail and mailfilter
[EMAIL PROTECTED] said: On Thu, 25 Sep 2003, Ross Boylan wrote: Sorry, forgot one other point. Another potential issue I see is that if mailfilter causes the messages to be marked as seen, fetchmail may not retrieve them in at least some modes. I am confused. Does mailfilter only do a regex on the header? If so, I will be less useful that I thought. -K I don't use mailfilter so I cant speak for it, but I can speak for the ideas that started this thread and others related to POP3 filtering: How to not download so much junk from my POP3 account because it's full of spam, and most pointedly Swen If your goal is to limit bandwidth, you use a program that only downloads the headers and makes decisions on what to drop based on that like mailfilter. You are right if you're less usefull thought is based on it can't possibly be as accurate as scanning the whole message, because you are only looking at headers. If you want to be more accurate at the cost of more downloading, download everything and pipe it into your local mail transport agent or mail filters. In either case the spam has already hit your inbox on your isp, and in either case you're downloading some bit of data to make decisions on. The question is, how much. Both solutions are usefull to different people. For brief moments I think that having dict analyze subject line could be a good enough spam filter* but then I quickly remember my typos. *(Buy our junK and s*k*i*p the d0ctor asx asdf jsadf) :P -- Jacob Trying out SquirrelMail -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: MS mail bombs
Bob McElrath said: Jacob Anawalt [EMAIL PROTECTED] wrote: I guess that's as effective for reducing the bulk of your inbox as sending 550 executables not accepted, especially if you don't have control over the mail server and you match this virus with 100% accuracy. Either way, /dev/null or 550 after DATA crlf.crlf you've recieved the whole message. 550 executables not accepted would obviously be a superior solution. How do you do it? My google searches and list archive searches turned up nothing... I use postfix v1.x, so I implement the body_checks regexp method, matching the MS executable MIME 'fingerprint' mentioned here: http://sbserv.stahl.bau.tu-bs.de/~hildeb/postfix/postfix_sobigf.shtml It's been a while since I used Sendmail and even when I used I didn't understand most of the settings, but there's got to be something similar. Someday viruses will zip themselves and this check will fail. Then I'll need to unzip and scan before giving the 250 OK after DATA or reject all zip attachments as well :( . Too bad there isn't some big public server to upload stuff to and the only thing you send in an email is a url that expires. One copy sits on one server, only a url sits in the server's mailbox. OpenPGP sign or encrypt your data and it's safe. I could do this myself and I don't always do it because emailing an attachment is so easy on both ends. I've had a hard time getting the person on the other end to go to a web page (AOL user...) If all email clients used this for attach... :) P.S. I notice you use [EMAIL PROTECTED] Is this email address only for list traffic? I'm toying w/ the idea of doing that and only accepting email to that address that comes from the list. Topic: Anti-Spam ideas for usenet/list harvested email addresses. -- Jacob Trying out SquirrelMail -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: MS mail bombs
Bob McElrath said: Jacob Anawalt [EMAIL PROTECTED] wrote: Bob McElrath said: Jacob Anawalt [EMAIL PROTECTED] wrote: I guess that's as effective for reducing the bulk of your inbox as sending 550 executables not accepted, especially if you don't have control over the mail server and you match this virus with 100% accuracy. Either way, /dev/null or 550 after DATA crlf.crlf you've recieved the whole message. 550 executables not accepted would obviously be a superior solution. How do you do it? My google searches and list archive searches turned up nothing... I use postfix v1.x, so I implement the body_checks regexp method, matching the MS executable MIME 'fingerprint' mentioned here: http://sbserv.stahl.bau.tu-bs.de/~hildeb/postfix/postfix_sobigf.shtml It's been a while since I used Sendmail and even when I used I didn't understand most of the settings, but there's got to be something similar. Darn, I was hoping (aren't we all) for a way to reject it before the whole thing is sent. You know...it wouldn't be hard to scan the input for the EXE header and close the connection as soon as it's seen. Then you'd only download 1k or so rather than 150k... While you _could_ do that, and if you _knew_ the mail had been sent directly from some Windowz end user system and not relayed through a valid server (I've noticed a couple of we dropped the virus but sent you the message anyway swen messages in my inbox) then I guess that would be just fine, might as well throw up a firewall rule to block their next attempts or have your mail server send 550 reject at the next connection. If it's a real server, I thought that it would just try the connection again because it didn't get a yes 250 or a no 5xx or even a maybe later 3-4xx, and you might not want to firewall or reject all email from a mailserver just because one of their users is infected. Anyone, please correct me if I'm wrong here. Doesn't protocol dictate that if I accept HELO, MAIL FROM and RCPT TO that I'm suppose to accept the whole of DATA before I can say 'not ok'. Wouldn't a connection reset by peer just cause the sending server (if it wasn't a dumb virus smtp session) to resend later? P.S. I notice you use [EMAIL PROTECTED] Is this email address only for list traffic? I'm toying w/ the idea of doing that and only accepting email to that address that comes from the list. Topic: Anti-Spam ideas for usenet/list harvested email addresses. Yes, I'm reciving 80k copies of Swen because of the debian/usenet gateway, and one time when I didn't use bob+debian. :( So none of the email is to bob+debian? Nice to know that Swen writer didn't try too hard. Maybe others won't and people who can should use +/- in their email address. The plus addresses (anything on the right side of the plus, and the plus can be a minus too) is RFC compliant and sendmail automatically ignores the RHS of the +/-. It's supposed to be local delivery information -- like which mailbox to put it into. Of course [EMAIL PROTECTED] is not a valid email and that's what most harvesters pick up. Occasionally I see attempts in my logs to deliver to such addresses. Be aware though that many web-forms out there are broken and don't accept the + in an email field. (For which I usually make an alias using an underscore) Only accepting email that comes from the list to the +debian address wouldn't work because of people (like yourself) that reply to my mails. Hey! I thought I'd been very careful on this thread to only send directly to the list. I even double checked just now. :P While I did get your cc'd reply faster than the one you sent to the list, I would have gotten the one from the list all the same, and your cc'd reply would have bounced with the error code I suggested in that other thread. I've got some new (possibly poor) thoughts on how to get people my directy-response email w/o resorting to typing it into the body of the mail message in some 'safe' manner, but I wan't to keep it in the Anti-spam thread. -- Jacob Trying out SquirrelMail -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Verislime
Stephen Patterson said: On Tue, 23 Sep 2003 05:00:18 +0200, [EMAIL PROTECTED] wrote: Anyone care to calculate how many domains that would be? ;) Given that they're using IP4 addressing, anything up to 4 billion (less currently assigned hosts). I'm defiantly not a mathematician or a statistician, but I believe the answer to the question is something similar to this: [ [ [number of valid url characters]^[max length of domain name (253?)] names.] * 2 (net com) ] – assigned domain names -- Jacob Trying out SquirrelMail -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Anti-Spam ideas for usenet/list harvested email addresses
Kirk Strauser said: At 2003-09-23T21:16:02Z, Ray [EMAIL PROTECTED] writes: perhaps if someone wrote the don't f*$ open me[1] virus and had it go through a little tutorial about why not to open unknow attachments have message go something like I was foolish enough to open the attachment, and since you are at risk of getting a message from me with a virus, this attachment has forwarded itsself to you Indeed. You know, we're going through a lot of effort and hypothesizing do to exactly one problem: Outlook* makes it easy for uneducated users to do stupidly dangerous things. Outlook2002 will tell you bla bla bla unsafe bla bla bla outlook users might not be able to open this because without being hooked to an exchange server w/ a policy to allow unsafe attachments, outlook blocks your access to those attachments. OE will let you send it w/o a peep, but the default is to block access to it on the recieving side. You just have to uncheck a little box to get the attachment. That's it - the whole problem. You don't get junk from Macs or Mozilla users, and those are nice, easy-to-use GUI clients. We're having this entire conversation simply because Microsoft refuses to make it more difficult to execute an attached file than clicking on an attachment icon. As much as I agree to some degree or another to the spirit of what you're saying, I started this thread because Swen was swamping me. If thousands of people were personally emailing me virus laiden emails, that's one thing, but that's not the case here. I'm getting thousands of emails from copies of a virus that isn't opening O* to send it's mail. I am getting those emails because 1) Win users were either not updated with security patches or gullible and 2) I have posted to this list using my valid email address. Since I don't have much faith in fixing #1 any time soon beyond some pep talks to friends, I am focusing on how to avoid the easy target #2 left me open to be. Normally when I get viruses it's only from people I've sent email to. This time it was from anyone who was infected/unprotected and who's computer found my email from the mailing list. I would also like to avoid UCE/UCB Spam that harvested my email from usenet as well. That isn't a virus or email client specific issue. Out of curiosity, are there *any* legitimate reasons at all why you'd want to mail an uncompressed executable to someone? I'm sure someone could pipe up about how it's hard to walk their grandma/client through installing *zip, which unfortunatly is a valid point. :( Lets say all viruses start mailing zipped copies of themselves. They only have to zip themselves once on the host machine then mail that copy. Now we have to watch for a zip archive in mime data and unzip all mail to scan it, or reject zipped files as well. :( I'm all for p2p file sharing or some server based file store and only sending p2p invite keys/urls in your email. If email were only text, load could sure drop, but I don't think it will happen. Its too convenient. I know I use it even when I don't _have_ to. Right now, if my grandma tries to email me some christmas windows screen saver (possibly a virus in disguise as something neat), she get's a '550 We do not accept executable attachments' and I can deal with any flack telling her I'm sorry, but I don't want to get a virus. If someone else sends me the same file but claims to be her, they get the 550 unless an open relay was involved. I don't post-delivery bounce. -- Jacob Trying out SquirrelMail -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: MS mail bombs
Bob McElrath said: Jacob Anawalt [EMAIL PROTECTED] wrote: Bob McElrath said: Darn, I was hoping (aren't we all) for a way to reject it before the whole thing is sent. You know...it wouldn't be hard to scan the input for the EXE header and close the connection as soon as it's seen. Then you'd only download 1k or so rather than 150k... While you _could_ do that, and if you _knew_ the mail had been sent directly from some Windowz end user system and not relayed through a valid server (I've noticed a couple of we dropped the virus but sent you the message anyway swen messages in my inbox) then I guess that would be just fine, might as well throw up a firewall rule to block their next attempts or have your mail server send 550 reject at the next connection. If it's a real server, I thought that it would just try the connection again because it didn't get a yes 250 or a no 5xx or even a maybe later 3-4xx, and you might not want to firewall or reject all email from a mailserver just because one of their users is infected. Well Swen sends mail directly, no? Does it retry? As you said you could send a 550 on the second connection from that server. Also I discovered the MaxMessageSize option for sendmail...which generates a 550. But I'm weary of using it for all the people that might complain after trying to send me their 10MB postscript paper. I don't know if it retries on a dropped connection. I could watch the logs closer to see if it retries on a 550. I sure hope it isn't :( I need to be catching and firewalling or immediatly 5xx'ing on HELO to these senders after the first try if they are retrying. I had thought that Swen mailed directly, but now I believe that it will relay when it cannot do direct mailing - based on the number of Notice, this email had Swen but we were cool and removed it. We suck though because even though it _was_ a virus sent email, we sent it to you anyway! Thank-you for reading how cool we are. Have a nice day! emails I've been getting. Even worse would be if they were also sending a message to the likely forged From address. Sure they drop the exe and advertise how dumb they are, but they also turn one email into two, neither of which reach the user of the infected system. weary - wary? I guess you could tell them 'If you want to mail big stuff, do it from on campus' or 'upload it to here'. If you haven't had a file size issue, then I guess it's not an issue for you. I have a 1 or 2 MB limit on this address. It isn't smaller for similar reasons. The whole idea being to reduce the bandwidth eaten by copying virii around... Anyone, please correct me if I'm wrong here. Doesn't protocol dictate that if I accept HELO, MAIL FROM and RCPT TO that I'm suppose to accept the whole of DATA before I can say 'not ok'. Wouldn't a connection reset by peer just cause the sending server (if it wasn't a dumb virus smtp session) to resend later? If only we could see the MIME envelope before as part of the SMTP negotiation... Ya, if only. We need a new mail transport protocol. :) Instead of email it's email2 (like internet2) if your ISP uses e2 to send mail it gets there faster (or falls back to email) because it uses some trust metric like GPG, oppertunistic ipsec and states upfront what type of data it is transporting. Mail admins decide who they trust, and that mail comes in _unscanned_ lickety split. Someone becomes a problem, they get untrusted and have to use normal email who's scanning duties are shuffled off to an old 386 running NT for maximum slowness! Where's my email from Bob? Bob@someopenrelay.com? They allow spam so it's going through the New Technology Technology server. Should be processed in a day or so. Well there was that idea a while ago of exponential falloff -- when you recognize a virus just don't send TCP ACK's (or, send them but double the time between ACK's between each packet). This way you not only stop the virus but also tie up a TCP connection for a long time on the sender's side. But the mail would still get delivered. What ever happened to that idea? Teergrubing is still out there. The writeup I read was about having the mailserver delay not your ip stack. A good idea that I have yet to implement. [snip] Check this swanky procmail rule: [snip] Thanks for the rule! :) -- Jacob Trying out SquirrelMail -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: MS mail bombs
Karsten M. Self said: on Mon, Sep 22, 2003 at 07:03:47PM -0600, Jacob Anawalt ([EMAIL PROTECTED]) wrote: There's a company that provides this service. First time emails to you get an auto-response You aren't authorized to send me email, visit this web page to get authorized or something like that. I Googled and can't find it again. Interesting idea. This is known as challenge-response, and as an anti-spam / anti-virus method, without mitigation, it's simply unacceptable. Swen spoofs addresses resolving to nonexistent addresses (challenge to Verisign), Microsoft (ditto), or Morgan Stanley (ms.com). As Verisign has elected to receive this crap, and Microsoft is responsible for the problem, I'm not shedding tears for their admin teams. Morgan Stanley, however, is taking a hit on about 5% of all Swen bounces, and is a completely innocent party. When their lawyers pay you a visit for Joe-job DDoSing them, note you've been warned. SoBig.F spoofed arbitrary senders. Same problem except that the load was more broadly distributed. I've received far more invalid, than valid, C-R challenges. This is simply spam by another name. http://kmself.home.netcom.com/Rants/challenge-response.html ...also discussed at some length in d-u last month. Since I posted this I've read the whole challenge and response (C-R) thread and updated myself on some of the content on your site including the aforementioned link. I won't be seeing Morgan Stanley lawyers about bouncing email at them because I don't bounce email. I stop it at SMTP. -- Jacob Trying out SquirrelMail -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Anti-Spam ideas for usenet/list harvested email addresses
Jacob Anawalt said: [snip] One major concern that I've lightly touched on and will bring up again is “What if I want to have other people contact me off list?” You wouldn't want to post your non-list-only email to the list, that would be counter-productive. There's got to be a convenient way of providing a source for people to look up your email address that is very resistant to scripting it's harvest for the UCE/worms/etc. One idea that comes to mind are images of pictures with your email address on your web site. I keep thinking that PGP/GPG should be able to help in some way, either by adding to the EHLO command set or something on the users web site. There have to be better and still simple ways of doing this that make it cost much more to find our email addresses than it costs us to filter the junk. [snip] I'm still thinking that an email address that only recieves email from the list is a possible solution for those who have control over mailserver settings, or rotating email addresses when the spam hits the fan for those who dont. My current wild though is this, I find my old gpg private key (or make a new one if I can't find it or it has this email address) and start signing stuff. I have the list only address that I use to reply to the list and recieve from the list, but if gpg savy people really want to talk to me, they look up my email in my public key. I could even hint in my .sig that if you need to talk to me, look at my public key. Either it will be too hard for people to do, or it catches on and viruses ship with gpg embeded. :) -- Jacob Trying out SquirrelMail -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Anti-Spam ideas for usenet/list harvested email addresses
Arnt Karlsen said: On Tue, 23 Sep 2003 22:06:19 -0600, Jacob Anawalt [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]: Arnt Karlsen wrote: On Tue, 23 Sep 2003 13:16:38 -0600 (MDT), Jacob Anawalt [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]: Compare this to the dog chasing cars method of inventing a new filter rule that looks through the MIME data to decide if this is the latest worm you don't want or the kissing picture that you do. Sure it's cool to be a geek and figure out the rules. If you like doing this, do it. ..another option is blow up the road: http://www.ordb.org/submit/ I laughed at this at first, taking it as a Jacob, this is about as dumb an idea as blowing up the road to your house, but then after seeing the link was to their open relay form, I was stumped. Do you mind shedding some more light on this for me if you were not trying to be light hearted? Thanks. ..why spoil the fun? ;-) Spam etc needs relaying roads to travel to your box. ORDB also accepts email reports rather than this, uh, massive web form, and I would think mailfilter or fetchmail or somesuch can be a workable source for a mailto pipe. Doesn't some spam come directly from an individual running SMTP from their box to yours? I'm pretty sure this is the case for the W32/[EMAIL PROTECTED]'s email spreading methods. ..a third idea is a to first check if the same spam relay has been reported by someone else, ORDB has a 200 host report cap, and reporting the same box half a bazillion times a day would just DOS ORDB, which is not quite what we wanna do. ;-) A bitter irony is that we aren't using anything like ORDB to stop email because others users don't trust it to not block email they want to get. They heard stories about occasional blockings of places like AOL, and they have friends set on using those ISP's. I'm going to try the suggestions I've seen on the list by running S/A on one domain. Maybe I can show the other users that it will be OK to use RBL filtering of email. I like the ideas I've read on having S/A trigger firewall rules for obvious spam. Still I'd like to find some better way of sharing my email address without feeling obligated to process all email sent to me in full. If there is a good way of doing this, it would help not just my situation but also users who like to post to lists and usenet but have no control over how their ISP handles email and who have limited bandwidth or quotas on their traffic. If many of these users were all on the same mail system, that mail server would benefit by not processing the DATA of list/usenet trolled spam/worm SMTP traffic. Maybe rotating email addresses is the only way. That puts almost all of the burden of spam prevention on my end without any special hoops for others to jump through and once I close an account the SMTP server gets to reject at the RCPT TO: stage. Someone looking at an old message and trying to use the old email to contact me would get a bounce. Hopefully I could minimize even this inconveniance by having an overlap of some reasonable time frame between opening the new account and closing the old one, and I forward all email from the old to the new until the old is closed. Maybe I could even coordinate OpenPGP sub keys used to sign my coorispondance to expire on some interval, and my .sig could say If the public subkey for this digital signature is revoked or expired, I've changed email addresses. Any rants on how inconveniant those methods would be if they wanted to be nice enough email me? :) Next month's news: A new email worm that attacks only users of OpenPGP key servers by pulling down their public keys and emailing all their identities. *sigh* I'll keep trying things and if I get some more mail server side wild (possibly bad) ideas, I'll post it to the debian-isp list. -- Jacob Trying out SquirrelMail -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: S.M.A.R.T. messages - what do they mean
René Seindal said: I just got these messages from smartmontools on my laptop. I checked the logs because the disk make a weird sound. Device: /dev/hda, Failed SMART usage Attribute: 193 Load_Cycle_Count. Device: /dev/hda, Failed SMART usage Attribute: 193 Load_Cycle_Count. Device: /dev/hda, SMART Usage Attribute: 191 G-Sense_Error_Rate changed from 99 to 98 Device: /dev/hda, Failed SMART usage Attribute: 193 Load_Cycle_Count. I have had the Load_Cycle_Count messages before, but I have never been able to figure out what they mean, in spite of much googling. What do these messages mean and do I need to buy a new harddisk? S.M.A.R.T. - Self-Monitoring Analysis and Reporting Technology Googling for the full name returns lots of good results like this one: http://www.pcguide.com/ref/hdd/perf/qual/featuresSMART-c.html Sorry I've never looked into error messages from S.M.A.R.T. enabled disks, so I can't help you with the rest without doing as much reading as you'll probably need to do. -- Jacob Trying out SquirrelMail -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Sudden increase in size of Debian?
Kevin McKinley said: On Wed, 17 Sep 2003 00:21:55 -0600 Jacob Anawalt [EMAIL PROTECTED] wrote: Now you have me interested. Do you already have a script to mirror only stable and unstable with rsync? I think I would try only mirroring stable with such a script, but I thought it would take having a program parse things like the Packages files for each release and main/contrib/non-free sub folder and arch that you were after. Yes, I do. It's attached. That attachment, debian.rsync, seems to just be anonftpsync (rsync script) only with your rules. Maybe there were suppose to be two attachments? If not, I think you're mirroring all releases except experimental of i386 and maybe some more stuff as well. I still prefer the include/exclude rules I posted to this thread. Ok, I'm only slightly less lazy in this area today. Here's a half-baked idea of what I thought it would require. 1) Run rsync for just the dists/* files and links that you want, but specifically getting all the Packages files for the targets you want but at least dists/woody/main/binary-i386/Packages* if you're after i386. 2) Call a script that does this - only make yours better ;) Modify the package reading script to read the Packages file for all release, target and arch you are interested in, writing the output into rsync_packages.txt. Use whatever language you like. Here's some Perl in your eye. #! /usr/bin/perl # Create a --include-file= source for rsync open(PACKAGES,debian/dists/woody/main/binary-i386/Packages) or die $ !; open(RSYNCLIST,rsync_packages.txt); while ($line = PACKAGES) { next if ($line !~ /^Filename: (.*)$/); print RSYNCLIST $1,\n; } close(PACKAGES); close(RSYNCLIST); 3) rsync again, only this time you include from the file you wrote and exclude everything else in pool, and dists/ because you already did that. ie: --include-file=rsync_packages.txt --exclude dists/ --exclude=pool/ There's lots of improvement but I thought I'd share the half-baked idea before I get around to implementing it since no one else pointed out a script like this when I asked. [snip] Maybe if/when non-free is moved out of the mirrors that will also help the mirror size. I don't feel like writing a Packages file parsing/file I don't think that will help much; I don't think non-free is that significant. (But I was mirroring only main and contrib.) Agreed -- Jacob Trying out SquirrelMail -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Sudden increase in size of Debian (Mirror)?
Kevin McKinley said: On Wed, 17 Sep 2003 00:00:23 -0600 Jacob Anawalt [EMAIL PROTECTED] wrote: Your list has the virtue of being much simpler; I wonder what 5 Gb I have that you don't? I'm not sure, what does this command return on your system? find pool/ -name *deb | egrep -v '_i386\.u?deb$' - | grep -v '_all\.u?deb$' I get 7835 packages; scanning the list most of them seem to be _all.deb. :| I'm sorry, that was a typo on my part. The second grep also needs to be egrep. Or you could drop the u? and use grep on both if you don't have udeb's mirrored. The idea of the command is to return *deb files that aren't *_i386.deb, *_i386.udeb, *_all.deb, *_all.udeb. -- Jacob Trying out SquirrelMail -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Proper SMTP server setup - was Anti-Spam ideas for usenet/list harvestedemail addresses
Daniel L. Miller said: Jacob Anawalt wrote: Doesn't some spam come directly from an individual running SMTP from their box to yours? I'm pretty sure this is the case for the W32/[EMAIL PROTECTED]'s email spreading methods. I have exactly this configuration. Our e-mail is hosted off-site on another server, but I have configured an Postfix server to send all our outgoing mail. Is there a proper way I should configure our internal server and/or domain registration so we don't appear to be a spammer - since a reverse lookup would fail and my internal SMTP server does not accept mail at this time? While I can wish all I want that outgoing and incomming SMTP will map to vaild MX records, as far as I know it isn't required to have outgoing traffic map have a MX DNS record. It sounds like the off-site server is your MX server. I'm going to guess that this is for amfes.com. MX 5=smtpav.wpdbiz.com = 66.238.186.13. MX 10 = smtp.amfes.com = 66.238.186.115. You could relay all your mail through them if they have a good smarthost, but it isn't required. I did notice that on this email, your mail server identifies itself with the local network instead of afes.com: mail.amfeslan.local - 67.106.235.126.ptr.us.xo.net [67.106.235.126] There is a reverse DNS IP, it just isn't owned by amfes or named to amfes.com and XO Communications doesn't want to or wasn't asked to have that reverse dns record say gw.amfes.com. The system I'm mailing from doesn't have the domain name's reverse dns on it. It did for a few months, but then our ISP changed some policies or something and changed them all again because it was easier on them. It's not necessary to send email to have reverse DNS of afes.com for your IP. Lots of systems dont have 'perfect' reverse dns. The name your gateway mailserver is using doesn't resolve to anything useful by people outside of your lan. If you control your DNS you could at least have the forward dns point to gw.afes.com or some afes.com name and then have postfix on mail.amfeslan.local put that name.afes.com value for $hostname. The best way to avoid being called a spammer is to make sure spam doesn't leave your system by not relaying for other networks, and watching outgoing email for spam - especialy from viruses. Since you only accept outgoing mail, your rules can be even stricter. You can reject all incoming mail except postmaster and abuse. Maybe you can even reject them since technically you have a valid MX record to recieve mail on a different machine. You may want to subscribe to or search the web on debian-isp to keep informed of other issues. I only started this thread here because the affects of Swen on people who posted to debian-user. -- Jacob SquirrelMail - Webmail for Nuts -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: MS mail bombs
Ron Johnson said: On Tue, 2003-09-23 at 02:54, [EMAIL PROTECTED] wrote: On Sat, 20 Sep 2003, Ron Johnson wrote: On Sat, 2003-09-20 at 00:22, Steve Lamb wrote: On Fri, 19 Sep 2003 23:08:42 -0600 Walt L. Williams [EMAIL PROTECTED] wrote: Is there anyone else out there being mail bombed with emails that look like there from M$? The rate at which their coming is increasing exponentially. My solution has been exim4, exiscan-acl, clamav, spamassassin and liberal use of shorewall's blacklist. Does that prevent the emails from being downloaded from the ISP's pop3 server in the 1st place? If us linux users can create procmail filters or other such things, why cant the isp filter this stuff? They can, and they (or at least some) see it as an additional revenue stream. Some see it as a possible negative revenue stream, either out of concern over possible litigation or loss of customers if they start filtering all mail and some customers throw a fit because the isp is filtering but that wasn't in their service agreement or because of the potential extra tech support load in getting everyone the filtering they want. I'm not saying either of those are valid, just that they are reasons I've been given. The real reason could be as simple as not wanting to go through the effort of installing systems and not being farsighted enough to see the benefits. I think that Hotmail has a fairly easy system of giving the user options as to what they consider junk, and what to do with it. You have three levels of their junkfilter system with the highest being it's junk if they're not in my contact or safe list. You can easily manage your contacts and safe list. You can add mailing lists to a special list of safe email so that it gets through. You can block specific senders. And you can add some pretty simple subject or from filters. You can opt to have junkmail auto-deleted or moved to the Junk box where it is auto-purged if it is more than seven days old. There have to be ISP's using some other web mail control system that provides these options as well. I've only come across it in Hotmail because I haven't really looked anywhere else. The hotmail setup is no user-customizable bayesian/Razor/etc SpamAssassined/procmailed/Sieve rule set, but works for me. I use my hotmail address on forms where I don't trust the collecting party to not sell/give away my address and I have hotmail junkfiltering everything that I haven't authorized. I can still get that 'your password is' message from the Junk Box as long as I check within seven days but I never have to look at or download the rest of the unsolicited/unauthorized email. There have been many posts to the lists about using filter X to stop email Y, rules and server overloads, and why debian-user posters are getting so much email from this windows worm that I think we have all been in !spam mode. I've had some thoughts (but I'm not saying they're good thoughts) on the idea that I'll start a new thread for. -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Anti-Spam ideas for usenet/list harvested email addresses
To me the big question is how do I avoid the spam in the first place, besides avoiding email all together? I want to participate on the web, I just don't want so much junk email nor do I want to have my mailbox or ISP suffering from gigabytes of worm attachments or advertising data. We've all done or seen people do this: jacob at cachevalley dot com, [EMAIL PROTECTED], [EMAIL PROTECTED], etc. Are we kidding ourselves thinking that if we can write a filter rule that just catches SoBig.[A-Z], that someone else can't turn all of those 'safe' addresses back into the real email address? I've already mentioned the web authorization idea and the rotate your email address on some schedule ideas in another thread. I've even seen a web site go so far as to use a .js file function to put together the email address from a bunch of fragments when you click the mailto link. That would take more work to parse, but it is still possible by having an email grabbing webbot that can run javascript. Another though I've had on the mailing list issues (besides wondering why I'm trying to make mail act like a news client with threads and looking for a 'watch thread' capable client) is if I had an email address to use on mailing lists that only accepted email from the list servers I was on and reject all others I should only get the spam that relayed through the list. The mail server would need to have access to my personal list of acceptable email addresses so it could give a 550 with the appropriate extended SMTP code for unauthorized/security and an appropriate error message after the HELO and MAIL FROM and RCPT TO: have been given. It should only do this for mail accounts that have entries in the safe list. If your list is empty, all email is valid. If you have one or more entries, only those ones can send you email. Some ideas for rules to accept or reject the email may include: If HELO does not match a reverse DNS lookup and doesn't match the domain of RCPT TO: or to a user specified value then the mail is rejected. A looser match would be just on the HELO name where the name given is some md5hash of the user's email address and some value noted on the mailing list. People start getting spammed, the list admin changes the key used to generate the name value and people go to the web to see what it has been changed to. A tighter setup might be to have the hash in the MAIL FROM: value and have it be a hash of the subscriber's list password and their email address. That way the subscriber can change their list password at any time they see spam coming “from” the list. I'm sure there are other better ideas to be had along the lines of how to quickly identify that the sending server is who they say they are and look up a safe list to see if the user accepts email from that server. A side benefit of using an email address that only accepts list traffic for some would be that it would reject the second email if someone replies to you and the list. People using this setup could have their .sig say This email address only accepts authorized list traffic, please reply to the list. Since we have seen that a greater volume of worm mail is possible with email addresses usenet and mailing lists, it seems a setup based on this system could help cut down the cost of fighting spam generated from those sources. The rules would be based on a simple lists, with each user responsible for maintaining their list. Much less CPU power, bandwidth and storage space would be required to match those rules because the matching is done before delivery is accepted. Mailing lists could publish to their subscribe page the values they use for HELO and MAIL FROM when sending the messages to all subscribers. Compare this to the dog chasing cars method of inventing a new filter rule that looks through the MIME data to decide if this is the latest worm you don't want or the kissing picture that you do. Sure it's cool to be a geek and figure out the rules. If you like doing this, do it. Maybe spam isn't a cost to you but a benifit if you consider your enjoyment at solving each filter puzzle. I think that's why I like finding bugs, to help find and solve puzzles. On the other hand this method of filtering is more expensive in every measure I can think of except the freedom of allowing anyone to email you anytime. You spend time thinking up rules, writing rules and testing rules. The rules are applied after you have accepted the bandwidth of the transfer. Running the rules takes CPU time and possibly more bandwidth as you do RBL DNS or Razor and storing the email takes disk space. If you're sick of getting swamped (as a user or admin) wouldn't this setup be usefull? An ISP could encourage users to use [EMAIL PROTECTED] for email addresses that are going to be used on usenet or public mailing lists. The new email address could just dump into the real address after the mailing list rules were validated, or it could be it's own account and mailbox.
Re: Anti-Spam ideas for usenet/list harvested email addresses
Jeronimo Pellegrini said: On Tue, Sep 23, 2003 at 01:16:38PM -0600, Jacob Anawalt wrote: [snip] The mail server would need to have access to my personal list of acceptable email addresses so it could give a 550 with the appropriate extended SMTP code for unauthorized/security and an appropriate error message after the HELO and MAIL FROM and RCPT TO: have been given. It should only do this for mail accounts that have entries in the safe list. If your list is empty, all email is valid. If you have one or more entries, only those ones can send you email. Some ideas for rules to accept or reject the email may include: If HELO does not match a reverse DNS lookup and doesn't match the domain of RCPT TO: or to a user specified value then the mail is rejected. Blocks big ISPs... I've found two already. One of them is movistar.com. Can't remember the other Also, probably breaks small businesses who use DSL and can't use their ISPs smarthosts (see the recent thread, OT: Martin Krafft - mail bouncing. But my goal was to reduce the spam I get that is harvested from mailing lists. If someone wants to subscribe to a mailing list that doesn't do reverse dns, then there needs to be authentication before DATA on some other bit of information. I could still get posts from the guy in Brazil or the guy using SMTP off of his cable modem DHCP'd address because they would be mailing the list, not me. The list is mailing me. A looser match would be just on the HELO name where the name given is some md5hash of the user's email address and some value noted on the mailing list. People start getting spammed, the list admin changes the key used to generate the name value and people go to the web to see what it has been changed to. If I use taht, I'll have to keep changing the key every now and then. Spam is bad not only because it takes a lot of bandwidth, but also because it's not convenient. Challenge-response solution can be as inconvenient as spam itself, for example. And I think the same would work for this solution... Well, that's the cost we pay for conveniance. I'm willing to give up that freedom for less spam on the email address I use for mailing lists. My first choice as a user will be to subscribe to lists that have proper reverse dns. I understand that others don't want that hassel. I'm sure there are other better ideas to be had along the lines of how to quickly identify that the sending server is who they say they are and look up a safe list to see if the user accepts email from that server. Make the list server PGP-sign the messages, maybe? You install the list server key once, and never worry about it again? If some small PGP/GPG data could be sent as part of a new EHLO syntax command then OK, otherwise I'm in the DATA section again. It would have to be a standard before I'd use that. Compare this to the dog chasing cars method of inventing a new filter rule that looks through the MIME data to decide if this is the latest worm you don't want or the kissing picture that you do. Sure it's cool to be a geek and figure out the rules. If you like doing this, do it. Maybe spam isn't a cost to you but a benifit if you consider your enjoyment at solving each filter puzzle. I think that's why I like finding bugs, to help find and solve puzzles. On the other hand this method of filtering is more expensive in every measure I can think of except the freedom of allowing anyone to email you anytime. You spend time thinking up rules, writing rules and testing rules. The rules are applied after you have accepted the bandwidth of the transfer. Running the rules takes CPU time and possibly more bandwidth as you do RBL DNS or Razor and storing the email takes disk space. I agree. But then I think any technical solution has the same problem. The real solution would be making spammers not want to spam (so we don't have to block them). You'd need to understand the intricacies of their business, and so something that makes them give up. A very naïve thing would be to start doing statistical research, asking people how they feel when they get spam, and make that get to the clients of these spammers. But as I said, this is naïve, and assumes that we know how that business works. (I don't think I know that) But something along those lines will have to work, someday -- I hope! The latest churn on debian-user about Spam hasn't been UCE spam. It's been worm spam. I don't know anyone personally who likes to recieve WORM/Virus code in their inbox but it persists. I don't see a near-term solution for convincing the individuals who write this code. As for UCE/UBE, well someone else can deal with the politics of it. I will also be glad when they just decide to stop. I just want some good ideas on keeping them from getting my address in the first place or on minimizing the bandwidth, cpu and human time on my end to block any that did get my address. -- Jacob Trying
Re: Anti-Spam ideas for usenet/list harvested email addresses
Jeronimo Pellegrini said: On Tue, Sep 23, 2003 at 01:16:38PM -0600, Jacob Anawalt wrote: I've already mentioned the web authorization idea and the rotate your email address on some schedule ideas in another thread. I've even seen a web site go so far as to use a .js file function to put together the email address from a bunch of fragments when you click the mailto link. That would take more work to parse, but it is still possible by having an email grabbing webbot that can run javascript. That would also break for people who use non-Javascript enabled browsers. Another though I've had on the mailing list issues (besides wondering why I'm trying to make mail act like a news client with threads and looking for a 'watch thread' capable client) is if I had an email address to use on mailing lists that only accepted email from the list servers I was on and reject all others I should only get the spam that relayed through the list. Interesting. But managing that would require some energy from you... If it requires less energy than maintaining my filters, it seems like a gain to me. See, when I replied and sent to you and the list you would have only gotten one email ;) Sorry about that. I realized after I clicked send that I forgot to replace your email w/ the list's and drop the CC to the list. -- Jacob Trying out SquirrelMail -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Anti-Spam ideas for usenet/list harvested email addresses
Rich Puhek said: (my reply is a bit disjointed, since I put things inline, and jumped around while crafting my response...sorry for the nonlinear thinking pattern) 'sOK. I thought you had some good points. Thanks for the input. Inline is just right for me. Jacob Anawalt wrote: To me the big question is how do I avoid the spam in the first place, besides avoiding email all together? I want to participate on the web, I just don't want so much junk email nor do I want to have my mailbox or ISP suffering from gigabytes of worm attachments or advertising data. Your ISP should be filtering worms. It's fairly easy to do. If they don't want to bother with setting up a virus filter, hard drive space is fairly cheap. In addition, it would be nice if more ISPs filtered outgoing email as well. That's not always practical, and it won't stop the latest worms which sprechen SMTP, but it could help. I don't want to spend CPU cycles, bandwidth or disk space scanning the DATA section of an SMTP transfer or post-reciept scanning to determine if it's mail I want in my inbox. (1) How is the ISP filtering the mail if not by giving 250 OK to HELO, MAIL FROM: and RCPT TO: and entering into the DATA section. We've all done or seen people do this: jacob at cachevalley dot com, [EMAIL PROTECTED], [EMAIL PROTECTED], etc. Are we kidding ourselves thinking that if we can write a filter rule that just catches SoBig.[A-Z], that someone else can't turn all of those 'safe' addresses back into the real email address? Spammers don't really care either way... look to the dictionary attack type of spammers for an example...(well, I've seen a [EMAIL PROTECTED], so let's try [EMAIL PROTECTED] as well). The problem with turning a safe email address into a real one isn't a big deal, it just protects against the dumb harvesters. It's like using The Club on the steering wheel of your car... it won't defeat an experienced car thief, but it may convince him to skip your vehicle. In the case of a mailing list, I fail to see any advantage in the obfuscation of your email address, since it's present in the header. The exception would be private versus post-only addresses, as you mention below. Yes, and [EMAIL PROTECTED] would be as weak as [EMAIL PROTECTED] under your very valid point. [EMAIL PROTECTED] would be much better for my usenet/mailing list address. Of course my real email will get spam because jacob is common enough to try while running the gauntlet of admin, postmaster and webmaster for viagra adds, so I need to stop accepting email on that account and get a new alias for normal email, but my personal mail spam isn't the issue I'm focusing on. I'm looking for solutions to spam to email that went out to usenet or mailing lists. [snip] Another though I've had on the mailing list issues (besides wondering why I'm trying to make mail act like a news client with threads and looking for a 'watch thread' capable client) is if I had an email address to use on mailing lists that only accepted email from the list servers I was on and reject all others I should only get the spam that relayed through the list. The mail server would need to have access to my personal list of acceptable email addresses so it could give a 550 with the appropriate extended SMTP code for unauthorized/security and an appropriate error message after the HELO and MAIL FROM and RCPT TO: have been given. It should only do this for mail accounts that have entries in the safe list. If your list is empty, all email is valid. If you have one or more entries, only those ones can send you email. So in practice, the idea would work something like the following? 1) Create a Debian-user only address, which you'd use for posting to debian-user. 2) Email to the debian-user only address must come from the debian mailing list, or I'm going to SMTP-reject it, since it's probably from a spammer. Exactly. Mostly. I'd like a mailing list only address that accepts mail only from the lists I select. Some ideas for rules to accept or reject the email may include: If HELO does not match a reverse DNS lookup and doesn't match the domain of RCPT TO: or to a user specified value then the mail is rejected. In general, this will reject legit mail. In particular, sites that host for more than one domain will not have a reverse DNS matching what you might expect. If only applied to a particular mailing-list, it might work, though. Perhaps even IP address would be fine (debian-user-jacob emails must come from a server with reverse DNS of murphy.debian.org). Note that you cannot trust reverse DNS, though, so a forward lookup would also have to be done. Forward and reverse. OK. Under my definition of valid email as Valid email for this address is _only_ email from the debian-users list would this drop valid email? A looser match would be just on the HELO name where the name given is some md5hash of the user's
Re: Anti-Spam ideas for usenet/list harvested email addresses
Jeronimo Pellegrini said: [snip] Make the list server PGP-sign the messages, maybe? You install the list server key once, and never worry about it again? If some small PGP/GPG data could be sent as part of a new EHLO syntax command then OK, otherwise I'm in the DATA section again. It would have to be a standard before I'd use that. You want to reject the mail before it's queued. I like the idea, but that's more difficult to implement... I wonder how many MTAs would let you do this: - set up a mail for lists only - set up terribly-aggressive blocking with DNSBLs and other things (like requiring the reverse DNS), *only for that address*. Other addresses would not go through such restrictive tests. I hope postfix does. I'm pretty sure it will, since it supports external mapping programs. I don't know how complicated it will be, but I'm hoping it's like this: RECPT TO: user User has entries in ~/.safe-list-only? Does the data from MAIL FROM or HELO match an entry in the list? Does the reverse DNS and forward DNS for the HELO match the list? 250 OK else 550 Error message. The latest churn on debian-user about Spam hasn't been UCE spam. It's been worm spam. I don't know anyone personally who likes to recieve WORM/Virus code in their inbox but it persists. I don't see a near-term solution for convincing the individuals who write this code. Right, I forgot about that. Anyway... Blocking servers wouldn't help in the case of viruses, I think. Ordinary people get viruses, and the mail is sent through their (probably correctly configured) smarthost. Maybe something like Postfix header_checks? But that would also require some work :-( My normal email address that was in my windoze using friend's outlook express address book would still be vulnerable to email from the virus running on his computer. My list-only email address would be sitting pretty costing the mail server very little by rejecting all email including ones generated by a friend or some other mailing list subscriber. The only virus mail it should get is the stuff that makes it through the mailing list server, and Debian's servers do a very good job at filtering this. Since this address is the one spread across usenet and many subscriber's address books, I think it is the more important one to be restrictive with. -- Jacob Trying out SquirrelMail -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Anti-Spam ideas for usenet/list harvested email addresses
Ray said: On Tuesday 23 September 2003 15:12, Jacob Anawalt wrote: Jeronimo Pellegrini said: On Tue, Sep 23, 2003 at 01:16:38PM -0600, Jacob Anawalt wrote: [snip] The latest churn on debian-user about Spam hasn't been UCE spam. It's been worm spam. I don't know anyone personally who likes to recieve WORM/Virus code in their inbox but it persists. I don't see a near-term solution for convincing the individuals who write this code. rant it seems to me the easiest solution would be for ISPs to have a policy and software that supported the policy of no .exe .com .src .pif .bat (etc...) attachments. any email will either be dropped or have the attachment dropped and replaced with a short explination of it being against policy and how to make a zip/gz/tar/whatever file if they really want to send a .exe since most viruses now use bad mime headers for the attachment, we won't be able to filter on that. i talked with my isp about it, but for some reason one customer regularly sends a .exe and since they don't want to make a policy change that would affect their customers business we don't get to enable that feature on our email server. the downside of course will be that virus writers will then attach .zips and use the normal social hacking they do now to get people to open the attachment anyway. perhaps if someone wrote the don't f*$ open me[1] virus and had it go through a little tutorial about why not to open unknow attachments have message go something like I was foolish enough to open the attachment, and since you are at risk of getting a message from me with a virus, this attachment has forwarded itsself to you [1] http://msn.bbspot.com/News/2002/01/open.html /rant I am OK with that policy. The servers I maintain reject email with a windows executable attachment fingerprint with a message suggesting the sender zip the file. My workplace has had no issues with this policy. If more ISP's did this and blocked outgoing smtp that didn't relay through their servers that happened to scan inbound and outbound mail for viruses, maybe we'd be better off in the virus/worm scene. Maybe we'd all be happier, or maybe we'd have more frustration because what use to work doesn't. I think if you delete the attachment from the email you had better include some verbose explination that shows up in the html and text versions or change the subject. It's hard enough knowing if the other person forgot to attach the file or not without adding a reason to suspect your own mail server. Others hate the policy and will tell you horror stories of getting zip installed and talking people through zipping a file. Later viruses may send zipped copies and we have the same problem again, except that hopefully it's less data because it's zipped. Also, restrictions like no outgoing SMTP can be bad for people who run well managed SMTP services in an ISP's network. While waiting for your simpler solution to be enacted across every computer on the internet, I'll keep looking for some interim solution. :) -- Jacob Trying out SquirrelMail -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: MS mail bombs
Steve Lamb wrote: On Tue, 23 Sep 2003 02:26:42 -0500 Ron Johnson [EMAIL PROTECTED] wrote: And wasn't there a big, long thread last month where most in the thread excoriated C-R? Yup. Which goes to show that these people clearly didn't read it, don't care, or are just plain stupid. I vote for all three. *sigh* Maybe they gave up early on it due to content. I just forced myself to drudge through the whole of it. Lots of good ideas and reasons to not use C-R* from the I'll take it all to not miss one email camp. *Challenge and response (I didn't know the acronym so I thought others might not.) -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Anti-Spam ideas for usenet/list harvested email addresses
Arnt Karlsen wrote: On Tue, 23 Sep 2003 13:16:38 -0600 (MDT), Jacob Anawalt [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]: Compare this to the dog chasing cars method of inventing a new filter rule that looks through the MIME data to decide if this is the latest worm you don't want or the kissing picture that you do. Sure it's cool to be a geek and figure out the rules. If you like doing this, do it. ..another option is blow up the road: http://www.ordb.org/submit/ I laughed at this at first, taking it as a Jacob, this is about as dumb an idea as blowing up the road to your house, but then after seeing the link was to their open relay form, I was stumped. Do you mind shedding some more light on this for me if you were not trying to be light hearted? Thanks. -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: MS mail bombs
Steve Lamb wrote: On Tue, 23 Sep 2003 21:59:00 -0600 Jacob Anawalt [EMAIL PROTECTED] wrote: Maybe they gave up early on it due to content. I just forced myself to drudge through the whole of it. Lots of good ideas and reasons to not use C-R* from the I'll take it all to not miss one email camp. Easier to just read Karsten's excellent essay on the matter. Hmm. I must have missed that link when I looked up his site last month after reading a post in reference to his ideas on backups. http://kmself.home.netcom.com/ - I am not sending you viruses http://kmself.home.netcom.com/Rants/challenge-response.html While reading that certainly clarified the woes of the challenge-response system, I'm unsure if it would have cleared me of your charges since they said to read the thread: Steve Lamb wrote: On Tue, 23 Sep 2003 02:26:42 -0500 Ron Johnson [EMAIL PROTECTED] wrote: And wasn't there a big, long thread last month where most in the thread excoriated C-R? Yup. Which goes to show that these people clearly didn't read it, don't care, or are just plain stupid. I vote for all three. *sigh* :P :) -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: MS mail bombs
daniel said: Wayne Gemmell wrote: [snip] I can't see any solution to this. Downloading this amount of mail during the day would cost me a fortune *sniff* Maybe it sounds drastic but I even thought of making some type of acl of who can send me e-mail and deny the rest with a msg of If you really want to Send me E-mail send a mail with the Subject Request to send you e-mail, setting another e-mail account in which only subjects like Request to send you e-mail would allow me to know if somebody who wants to send me e-mail, and therefore I would allow their addresses is that is what I want... There's a company that provides this service. First time emails to you get an auto-response You aren't authorized to send me email, visit this web page to get authorized or something like that. I Googled and can't find it again. Interesting idea. Another is to use disposable email addresses for lists and usenet and then rotate email addresses when you get spammed, or just every so often for good measure. Sneakmail.com talks about this and provides a service. Too bad I had read about this idea but forged ahead w/ the email I like. An advantage of switching email addresses is that the email is rejected before the SMTP server commits to the DATA section. The disadvantages of shuffling email addresses are obvious. One article I read suggested using a sensible method of picking new usernames - with the date in it. Eg. [EMAIL PROTECTED] -- Jacob Trying out SquirrelMail -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: install
Kent West wrote: Sidney Brooks wrote: 2) I have Windows XP, Mandrake, Redhat, and Debian partitions. Everything but Debian works. The boot loader is Mandrake lilo. HOWEVER, I CANNOT TAKE LILO OUT. In what may or may not be a That's right, you don't take it out you need to overwrite it with another boot loader, or always boot off different media (like a floppy or CD-ROM). I believe L only means the first stage booted (in MBR) but was unable to find the second stage (because you had uninstalled lilo). If uninstalling lilo were to write zeros to the MBR then you wouldn't be any better off than you are leaving lilo in the MBR with the stage two program uninstalled. shameless plug Now if you were to use grub instead of lilo, you can even boot kernels and OS's that you didn't configure (or forgot to configure before rebooting). Using grub, I've been very happy with not needing to remember to run Lilo to re-write the MBR each time I install a new kernel. Oh, and I don't have to worry about /boot being below 1024 cylindars like I did with lilo when I use to use it. (That's been a while, I think Lilo might not have the old BIOS limit anymore.) The grub command line is very usefull once you get to know it. /shameless plug Since it's Mandrake that you've got lilo installed from, just boot into Mandrake, update it's config file (/etc/lilo.conf ?) so that it includes the entry for the debian boot partition and run lilo to write the new data to the MBR. Or install Grub and use it for your boot loader. :) -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: named complaining about lame servers when resolving
Malcolm Ferguson wrote: Hi, I've tried to configure bind on my Woody box as a caching DNS server for a segment of the network. However, after mistyping an IP address that I was trying to resolve elsewhere I'm now getting lots of messages in the log file complaining about a lame server. Have I misconfigured named, or is this an error I can ignore? If the latter, how do I make the problem go away - restart the daemon? Bind 9.1 (bind9_1:9.2.1-2.woody.1_i386) Error message (repeated over and over): Sep 22 17:12:00 ns1 named[12680]: lame server resolving '75.1.5.198.in-addr.arpa' (in '1.5.198.in-addr.arpa'?): 198.6.1.161#53 Are you recieving SMTP or other external traffic with a service that may be trying to resolve IP addresses to names? The IP 198.5.1.75 belongs in a block assigned to UUNET Technologies, Inc. but doesn't appear to have a reverse dns record available. It also doesn't respond to ping's. If you know you don't want to deal with that address, you could drop all packets to/from it with iptables. -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: MS mail bombs
Michael C. wrote: In linux.debian.user, Ron Johnson [EMAIL PROTECTED] wrote: On Sat, 2003-09-20 at 00:22, Steve Lamb wrote: On Fri, 19 Sep 2003 23:08:42 -0600 Walt L. Williams [EMAIL PROTECTED] wrote: Is there anyone else out there being mail bombed with emails that look like there from M$? The rate at which their coming is increasing exponentially. My solution has been exim4, exiscan-acl, clamav, spamassassin and liberal use of shorewall's blacklist. Does that prevent the emails from being downloaded from the ISP's pop3 server in the 1st place? I asked this on alt.os.linux. I was told to search freshmeat.net for a perl script called poppy. It will get headers only, and ask what you want to do with the mail one by one, but it also includes a script called spamkill, which does okay. I'm debugging some changes I made now. I tweaked it so if my email isn't in the To:, Cc:, or Bcc: header it should be considered spam. Right now To:, and Cc: both work. I am almost 100% positive that your mail server won't have a Bcc: header for incoming mail. I imagine you have some whitelist rule for exceptions like the debian-user list which should have it's address in the To: line instead of your address. Sometimes debian-user goes on the Cc: line, which you must be watching for as well. -- Happy mail filtering, Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Help w/http default Woody install, Squirrelmail, defaults
Scott Ehrlich wrote: I installed a Woody system on my Intel box with an HTTP installation from debina.lcs.mit.edu. I wanted squirrelmail, so I installed apache-ssl, then squirrelmail, all via apt-get, and squirrelmail magically worked fine. After a couple weeks of perfect operation, I opt to add virus scanning for email, choosing clamav, which is what a colleague at work is using for lab-wide mail filtering, and I saw it worked great against a ton of infected spam. In the process of my following the clamav directions, I ended up mangling my squirrelmail installation to the point it would no longer let me authenticate. I tried several rounds of apt-get remove php4, squirrelmail, and apache-ssl, all to no avail. Google search reveal(ed/s) I may have had uw-imap installed, so I tried that. No luck. I tried cyrus. No luck. I tried obtaining a fresh versio of squirrel from the squirrel site and almost got it working, but, upon logging in, it refused to see my mailboxes and said it was disconnected from the imap server. I tried variants of uw-imapd and cyrus. No luck. I eventually pulled it and apt-got squirrel again, along with apache-ssl. So now, I am at a state where SM's URL is seen, but hangs after I enter my username/password. I also set up another Intel box at home the same as the first, with SM running fine. I've been doing back-to-back comparisons and haven't come up with anything helpful yet. My question is how what are all the dependencies of a default Debian, out-of-box http install, for squirrelmail to work, and how do I modify my first machine with existing mail to allow SM to authenticate me again? As an aside, I also have PINE w/SSL installed and it used to be able to write to my Inbox.Sent folder via an Fcc line. It can no longer do so, thus it at least appears the IMAP server is a problem, if not more. I am able to send mail fine via elm and mailx, and receiving is also fine. Please help. Have you tried logging into your IMAP account with any other IMAP clients? I don't know how the installation of clamav could have touched your /webdir/sqirrelmail files, and thus how it could have messed its configuration up. I think more likely your IMAP service setup has changed. You say you've tried UW and Cyrus imap. Which was there in the first place? What mail service are you using (postfix, sendmail, etc)? Try IMAP with some other software like mozilla mail and see if that works before trouble-shooting squirrel mail. -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: spam filtering
Gerard Ceraso wrote: I am currently using procmail and spamassassin and I heard that razor is better. Any opinions? Gerard http://devslash.org Razor can be used in procmail recipes (which I do) or in SpamAssassin. If you like what you've read about razor, you can use it in either/both procmail and SpamAssasin. Razor recipe from my ~/.procmailrc: :0 Wc | razor-check :0 Wa { :0 Wf | formail -A X-Razor2-Warning: SPAM. :0 W /home/jacob/IMAP/SPAM } This sticks all mail Razor says is spam into my SPAM IMAP folder. You could stick it in /dev/null if you wanted. I've noticed a couple things about Razor vs Cloudmark's SpamNet. First Spamnet has the advantage of letting the email age in your inbox before scanning, so there is time for others to report it as spam. Second the version of Razor I'm using on that machine will mark the whole email as spam if it contains a MIME entity that has been called spam (think OE backgrounds or free email footers.) That's why I don't just toss the Razor spam. I'm sure someone else will point out that SpamAssassin would just change the spam score based on Razor's results if I don't mention it. Also I could have just added the X-Razor2-Warning: SPAM header via formail -A and let the email go to my INBOX anyway. -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Problems with a Fresh install of Sarge
Christopher L. Everett wrote: I've got Sarge installed, with a 2.6.0-test4 kernel installed, and although everything is pretty much OK, minor annoyances remain: 1) Both Mozilla and the Firebird browser packs up at randomly: so far the only consistency is that but only when I'm moving the mouse around with the left button down to highlight text. 2) Application window text and button captions fail to repaint after their windows come back to focus, also application text disappears after being unhighlighted. 3) X11 seems to be loggin me out after several hours of disuse 4) nautilus-gtkhtml packs when I click on a link in gnome 2 help. 4) I can't get the thing to boot properly with the keyboard and mouse plugged into the USB ports, but since I have hotplug working I can switch over to USB after it boots. Can anyone help me resolve these issues? Have you tried running with a deb package 2.4 kernel to see how many of the issues are related to running 2.6? -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: realteck RTL 8193c module problem
[EMAIL PROTECTED] wrote: What is the output of lsmod? Did you insmod or added module name to /etc/modules ? Hi, the output of lsmod is no 8139too. the /etc/modules has 8139too in it the insmod said /lib/modules/2.4.20/kernel/drivers/net/8139too.o:unresolved symbol mii_link_ok_Rsmp_4ad815a3 and lot of other messages. If I remember right it is possible i put the 8139too.o in to the folder by cp from the 2.4.18 driver folder. When I then take the 8139too.o out of the folder and try to do insmod nothig happens, the computure says it is not there. Put the module back / leave it where it was put by the module's install make target or however you got it. Instead of using insmod, use modprobe on the 8139too it will pull in the mii module as well (if it's available). You could insmod mii and then insmod 8139too, but in general it's better to use modprobe. Even better (IMO) is to use modconf. It will let you choose from the available modules, load the module, and update your config files to load it automatically when you boot up. -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: NAT
Ashish Ariga wrote: On Thu, 2003-09-18 at 18:00, Adrian Berardi wrote: Hi, i'm a new debian user, and without too much experience in linux. I'm trying to install a Debian here at home to use it as internet access for a couple windows PCs. Someone told me that i had to install first the two eth, then configure the networkcards, then install dhcp3 (for the PCs to get a dinamic ip), and then do NAT (iptables) Everything worked OK, but it is not the case of the NAT: i can access internet from de debian, but i dont know how to configure or what to install for access internet from the windows PCs through the Debian. Any comment will be kindly accepted.! Best regards, Adrian Adrian Is NAT necessary ? How about using Squid ? (Does it do NAT internally ?) (Sorry, if this sounds stupid, but I'd really like to know.) NAT is only necessary if you want to allow computers behind the internet gateway to (for the most part) be able to use the internet as if they each had their own public ip address. The general NAT rules you would use are to re-write the source ip and port of internet traffic comming from the internal network to appear to be coming from the gateway machine. It remembers the associations it has made so that when the computer across the internet responds, it can send the reply to the right ip and port in the internal network. Squid will act as a proxy for some internet traffic, mostly http. If you only want to allow your computers behind the gateway to access the web via the proxy, and configure each browser to use that proxy, then Squid alone is enough for you. Proxy differs from NAT on some important points. Without some ip packet manipulation, the existance of the proxy server is apparent to all involved parties. Usually you install the proxy server to provide some performance through caching of web content and optionally to filter based on not just ip address but on actual content. NAT on the other hand is mostly invisible to the client and the server across the internet. Using some tricks of iptables or ipchains you can make your clients think they are not using a web proxy, but redirect the packets through Squid anyway. This is a 'transparent proxy' setup, and you need to tell Squid it's functioning in this mode. One more NAT trick of iptables is to map a port on your gateway machine to an internal machine's ip address and port. That way you can have your mail, web, or even proxy (Squid) server not on the internet gateway machine. You can also create 'firewall' rules using iptables or even better install a firewalling package and let it manipulate the iptables rules for your firewall. These options aren't exclusive to iptables, but my wording is geared towards how iptables is worded and I recommend it over ipchains. Hopefully that clarifies NAT vs Proxy (Squid) in your mind. For a more in-depth (and correct) look, read up on iptables and Squid at their sites and then how to use them (like at www.tldp.org). -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: apt-get and gzipped Package list files
Antti Peltonen wrote: Hi, Our companys proxy server is pain in the ass.. all web access _must_ go thru it and on some really mind boglingly stupid reason it decompresses Gzipped files as default. And suprise suprise the maintaince crew is unwilling to change this behaviour. Because of this behaviour apt-get cant receive the Package files correctly since it pipes files thru gzip which returns an error because its no longer gzipped file since the proxy decompressed it allready. After reading several how-tos etc and man pages I still cant find any suitable configuration parameter for changing this behaviour of apt-get so that it would not pipe the data thru gzip. Has anyone _any_ idea howto get around this? I could allways make redirected sockets to one of our unix servers and thru there bypass the proxy but its ugly,ugly,ugly way to achieve this. If there is no ready wrapper or patched apt-get or that mystical config parameter which im not able to find anywhere I probably need to sacrifice few minutes for coding a patch + some CPU time for gcc -) Didn't you ask this last month? Well, your the judge of what is ugly, ugly, ugly but if you have access to one of your Unix servers, and if it has direct internet access (which I'm guessing it does by your proposal) and a perl parser and web server, you could run apt-cacher on it. (Anyone guessing by now that I like that program? ;) ) Then again, maybe it's ugly because you don't really have access to those Unix servers either. Your network isn't doing NAT and only proxied data passes to the internet? No ftp or ssh? If you are the person who asked this last month, then I guess you looked into that apt program that allows you to download on one system, save to removable media, and then upgrade off of that media from the other system. I hope then that someone else knows this undocumented param, or that it isn't difficult for you to hack it in so you can download the Packages instead of the compressed Packages.gz file. Before you do all that work, have you tried downloading a .deb package via http? If they also get killed by the proxy virus scanner, getting the Packages file down is not worth anything. I second the opinions stated last time. If the scanner is choking on a gzipped text file, how can it do better on a .deb? You've sent a scathing email to the virus scan company right? ;) http://ftp.us.debian.org/debian/dists/stable/main/binary-i386/ http://ftp.us.debian.org/debian/pool/main/e/everybuddy/ (You may want to find a more local mirror.) -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Insert module at startup
Derrick 'dman' Hudson wrote: On Thu, Sep 18, 2003 at 06:09:21PM -0600, Jacob Anawalt wrote: | | Greg Folkert said: | | People read. Please change this | consequences. Like break they way | top posting has some very annoying | In regard to top posting | | I agree with you 100%. I think. What are you saying? | | *Puzzles what type of cypher this is.* Its a top-posted cipher. Read it from bottom to top, just like a top-posted reply. The layout emphasizes his point. (Nice, Greg. :-)) -D It's funny and I understand it if I throw all sense of grammar out the window reading from bottom to top. Still of all the lines Like break they way leaves me wondering if bottom to top is really the right way, but I cant make it fit anywhere else. In regard to top posting top posting has some very annoying consequences. Like break they way People read. Please change this -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: ssh + X11
Arnt Karlsen said: On Thu, 18 Sep 2003 17:30:11 -0600 (MDT), Jacob Anawalt [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]: [snip] no X11Forwarding as in the line isn't in the file, or as in: X11Forwarding no ..the latter, I found one of my boxes having yes. I'm glad it's all sorted out and working as it claims to. [snip] When I set /etc/ssh/sshd_config X11Forwarding no and restart the sshd service, the next time I connect with ssh -X (or without that and ~/.ssh/config ForwardX11=yes or that set in the /etc/ssh/ssh_config) I see that $DISPLAY isn't set. xclock of course saysError: Can't open display. I set $DISPLAY to localhost:10.0 (the first offset set in my sshd_config file and no one else is sshing to the machine) and xclock says Error: Can't open display: localhost:10.0. I change the setting back to X11Forwarding yes, restart sshd. Disconnect, reconnect with forwarding requested by my client ssh session and $DISPLAY is auto-set to localhost:10.0 and xclock works. ..correct, this is what nearly had me drop Debian for RH, and I still get this when su'ing another user, I set up several users so I could su - arnt etc for the various stuff I do, and have several differing setups for each task, I can do this with ssh -X [EMAIL PROTECTED] app , but I prefer su - user on the localhosts, less typing. Heh. I'm trying to shift gears and change paradigms on that one as well, since I've been working on prep'ing to switch in just the other direction, RH-Deb. I notice that su - doesn't set DISPLAY for root. I'm sure there's some relativly simple step that needs to be taken to have su - copy over the xauth info including the MIT-MAGIC-COOKIE-1 data, but I haven't looked into it. Instead I've been doing this: su -c program name and args Seems to work just right for my needs. I've been lazy and haven't re-setup sudo on the Sid system I've been testing on so I don't know how it's working in these situations. -- Jacob Trying out SquirrelMail -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Sieve script to filter today's MS annoyances
Kirk Strauser said: At 2003-09-19T16:41:51Z, Arnt Karlsen [EMAIL PROTECTED] writes: ..hmmm, cool. And in .procmailrc'ese it is? No. In Sieve-ese it is. See RFC 3028 for details. ftp://ftp.rfc-editor.org/in-notes/rfc3028.txt This RFC doesn't say I have to use Sieve, just that they've created it so more people (hopefully) can easily filter email. Maybe someday procmail will come with a Sieve ruleset option. I thought your rules looked pretty lispish. Reading that RFC I see that it is CommonLisp. Now you've gone and reminded me that I've not played with Guile or Scheme for a while. Quote from Martin Pool [EMAIL PROTECTED], September 2001 http://www.opensource.apple.com/darwinsource/7.0b1/rsync/rsync/rsync3.txt - Sadly probably not enough people know Scheme. http://www.gnu.org/software/mailutils/mailutils.html#sieve If GNU sieve or sieve.scm work with that ruleset (or you know of another stand alone sieve parser) and return success if it handled the mail, and failure otherwise: # Rule expecting sieve to put the mail in a mailbox (like for IMAP) :0 Wc | sieve :Wa { # Sieve handled it, sticking it in the right mailboxes # so we don't need to do anything } This is just a general off-the-cuff guess. Lots of details to work out and options to tweak, like sieve knowing what rule file to use. -- Jacob Trying out SquirrelMail -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
EveryBuddy questions (MS update and others)
I've been using EveryBuddy on Debian and RH for at least a year now. The past couple weeks I've been getting the MSN Security Team message You need to update or won't be able to use this service or something to that effect. Trillian use to get the same message but today I downloaded their patch to the msn and yahoo protocols. I have been wondering for a while if some update would be made for EveryBuddy and tonight as I search around I'm not getting the MSN Security Team message, so I decided to wait on reporting the 'bug'. Besides, I thought it was odd that there wasn't already a bug report for this error. I haven't researched the issue to see if it just requires a change in Windows based code, or in the protocol. Also while I was searching around on this I came across a page talking about a 'DoS' issue with EveryBuddy 0.4.3. I tried the test and didn't experiance the crash they were talking about, so I sent them an email saying that it didn't seem to affect version 0.4.3-1 in Debian. http://xforce.iss.net/xforce/xfdb/12817 http://www.securiteam.com/securitynews/5HP031FAUE.html The everybuddy package in Debian _seems_ to be abandoned/superceeded by EBlite and ayttm. Is the EveryBuddy (v0.4.3) in Debian being maintained upstream, or have it's developers stopped or switched over to one of the newer projects? It has some bugs against it that are pretty old. http://www.everybuddy.com/ http://sourceforge.net/projects/ayttm/ http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=everybuddy Anyone have some insight or comments on these issues? If I had all my net contacts on Jabber or something else I wouldn't wonder, but they arent. Most are on MSN, and a few on Yahoo. Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: MS mail bombs
Walt L. Williams wrote: Is there anyone else out there being mail bombed with emails that look like there from M$? The rate at which their coming is increasing exponentially. Any suggestions on how to make it stop. I believe you are seeing the work of Win32.Swen.A http://www3.ca.com/virusinfo/virus.aspx?ID=36939 Pretty nice looking email, huh? :) This worm seems to have kicked off the thread on Sieve. I'd say you could have searched the archives for it, but maybe the thread is too recent to search for. Anyway, it may be worthwhile to glean the information from the thread in the second link below. http://lists.debian.org/search.html http://lists.debian.org/debian-user/2003/debian-user-200309/msg03045.html -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: lilo problem
[EMAIL PROTECTED] wrote: Thanks for the help everyone, especially Michael. With your help I managed to get it working :) On Wed, 2003-09-17 at 15:03, Michael Bellears wrote: Ensure that /vmlinuz exists. It does on /dev/hdc8 Please show the output of mount. Cool, now that you've been through that and got it working, ever looked at Grub? * You don't have to run /sbin/grub every time you install a new kernel * If you forget to add the new config entry describing your new kernel you can still load the new kernel on reboot from the grub command line. ** Because of those features, if you had purged the kernel package for your configured boot kernel, you would still have a chance of booting into Debian, as long as some version of the kernel is installed. Although the method of defining drives is different than /dev/hd*, once you get the knack of it, the config file isn't that hairy. Just install grub-doc with grub and read the documentation. # By default, boot the second entry. default 1 # Boot default automatically after 30 seconds timeout 30 # Fallback to the first entry if the default fails fallback 0 # Debian Sid, Woody bf2.4 kernel title Debian Sid install kernel root (hd0,2) kernel /boot/vmlinuz-2.4.18-bf2.4 ro root=/dev/hda3 # Debian Sid 2.4.20-3-k7 title Debian Sid 2.4.20-3-k7 with Alsa root (hd0,2) kernel /boot/vmlinuz-2.4.20-3-k7 ro root=/dev/hda3 initrd /boot/initrd.img-2.4.20-3-k7 # Debian Sid 2.4.21-4-k7 title Debian Sid 2.4.21-4-k7 no sound root (hd0,2) kernel /boot/vmlinuz-2.4.21-4-k7 ro root=/dev/hda3 initrd /boot/initrd.img-2.4.21-4-k7 -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Weird network behaviour - can anyone explain it?
Oliver Elphick wrote: We have a machine whose network configuration is in some way wrong, but I don't know how. When it boots, the network is configured correctly, according to ifconfig, but it takes forever for things (a deliberately vague word) to be processed. Then it seems to handle a number of requests all at once and goes back to sleep for a while. The effect is illustrated by this ping across the local ethernet (other machines on the same net have no problems): # ping braydb PING braydb.somedomain.com (192.168.1.18): 56 data bytes 64 bytes from 192.168.1.18: icmp_seq=33 ttl=64 time=0.6 ms 64 bytes from 192.168.1.18: icmp_seq=34 ttl=64 time=0.8 ms 64 bytes from 192.168.1.18: icmp_seq=35 ttl=64 time=1.4 ms 64 bytes from 192.168.1.18: icmp_seq=18 ttl=64 time=17002.5 ms 64 bytes from 192.168.1.18: icmp_seq=19 ttl=64 time=16003.6 ms 64 bytes from 192.168.1.18: icmp_seq=20 ttl=64 time=15004.2 ms 64 bytes from 192.168.1.18: icmp_seq=21 ttl=64 time=14004.8 ms 64 bytes from 192.168.1.18: icmp_seq=22 ttl=64 time=13005.4 ms 64 bytes from 192.168.1.18: icmp_seq=23 ttl=64 time=12005.9 ms 64 bytes from 192.168.1.18: icmp_seq=24 ttl=64 time=11006.5 ms 64 bytes from 192.168.1.18: icmp_seq=25 ttl=64 time=10007.0 ms 64 bytes from 192.168.1.18: icmp_seq=26 ttl=64 time=9007.6 ms 64 bytes from 192.168.1.18: icmp_seq=27 ttl=64 time=8008.1 ms 64 bytes from 192.168.1.18: icmp_seq=28 ttl=64 time=7008.6 ms 64 bytes from 192.168.1.18: icmp_seq=29 ttl=64 time=6009.1 ms 64 bytes from 192.168.1.18: icmp_seq=30 ttl=64 time=5009.7 ms 64 bytes from 192.168.1.18: icmp_seq=31 ttl=64 time=4010.3 ms 64 bytes from 192.168.1.18: icmp_seq=32 ttl=64 time=3010.9 ms --- braydb.somedomain.com ping statistics --- 49 packets transmitted, 18 packets received, 63% packet loss round-trip min/avg/max = 0.6/8339.2/17002.5 ms After some considerable time, this effect stops and normal response times resume. (I hope that this will also be the case on this occasion; the machine has been running for 5 hours so far.) Kernel is 2.4.20 SMP, built for this machine. I can't identify the network card until the machine starts to respond correctly (I am not on site). The problem began a couple of months back; I do not know of any relevant software change. Since then, the machine has not been rebooted again until today. If the other machines on the network were pinging the same remote machine just fine at the same time the above is happening then I'd suspect: network cables to this computer; port on the hub/switch that this computer plugs into; driver for this computer's ethernet card; this computers ethernet card. Trying a different port is a quick test, so is trying a different ethernet cable. If the problem is one of the above guesses, you should get the same results pinging another local machine while the problem is showing up pinging that remote system. The lag looks exactly like what I have seen in the past on oversold service or dslam issues on DSL (routing or network congestion issues). Good luck. -- Jacob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: ssh + X11
Arnt Karlsen said: On Thu, 18 Sep 2003 14:16:59 +0100, Colin Watson [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]: On Thu, Sep 18, 2003 at 03:06:54PM +0200, Arnt Karlsen wrote: On Thu, 18 Sep 2003 11:42:32 +0100, Colin Watson [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]: On Thu, Sep 18, 2003 at 12:20:37PM +0200, Arnt Karlsen wrote: ...=yes, and it can be overridden with -X, is how it works here. ;-) If the server has 'X11Forwarding no', which is the default, then nothing you do to the client, -X or no -X, will let you forward X11 traffic. You need to configure the server with 'X11Forwarding yes'. ..then something is wrong here, because I ssh -X all I like from my X11Forwarding=no boxes. ;-) *From* your 'X11Forwarding no' boxes? The client makes no difference, it's the sshd_config on the server, the box you're connecting *to*, that matters. ..yep, I own all but 2 boxes in my lab, and have root access on all, and I see no X11Forwarding here. no X11Forwarding as in the line isn't in the file, or as in: X11Forwarding no Also, you'd only notice a problem when you tried to open an X client over the ssh connection. ..yeah, I was half way back to RH before I picked up the -X here in DU, does not neccesarily mean I got it right, though. Wow, something must be wrong ..unless you're not looking at /etc/ssh/sshd_config, but instead looking at /etc/ssh/ssh_config and mixing X11Forwarding up with ForwardX11. I doubt that, but it's the only non-code-issue I could think of short of some non-standard /etc/init.d/ssh file with say ssh -o 'X11Forwarding yes'. If the X11Forwarding line isn't even in the file, then maybe sshd has been recompiled with X11Forwarding as the default? (Woody defaults to 'no' as far as I can tell) (Sorry, I just had to use '..' ;) ) When I set /etc/ssh/sshd_config X11Forwarding no and restart the sshd service, the next time I connect with ssh -X (or without that and ~/.ssh/config ForwardX11=yes or that set in the /etc/ssh/ssh_config) I see that $DISPLAY isn't set. xclock of course says Error: Can't open display. I set $DISPLAY to localhost:10.0 (the first offset set in my sshd_config file and no one else is sshing to the machine) and xclock says Error: Can't open display: localhost:10.0. I change the setting back to X11Forwarding yes, restart sshd. Disconnect, reconnect with forwarding requested by my client ssh session and $DISPLAY is auto-set to localhost:10.0 and xclock works. This is ssh'ing to a (OpenBSD Secure Shell server) Debian stable 'Woody' system with the ssh 3.4p1-1.woody.2 update. It worked this way before the update as well. I don't have a 'Sid' system nearby to test on. -- Jacob Trying out SquirrelMail -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Moz Firebird
tvn said: On Thu, 18 Sep 2003 14:15:08 +0700 Oki DZ [EMAIL PROTECTED] wrote: Hi, Have you stumbled upon the text fields that wouldn't accept any input? (ie: no keystroke accepted, but the mouse works). It happens to me, on Mozilla snapshot and also the recent Firebird. Oki Yes, that happens a lot in Galeon using gecko engine too, especially after resize the font. I just open a new tab or switch to a new tab then switch back. A similar thing has been happening to me with Firebird on '98. I can type stuff in, but I don't see the cursor. When I type in a URL and press the enter key, nothing happens. Same with form fields.. -- Jacob Trying out SquirrelMail -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Security updates vs. Sarge and Sid??
Lou Losee said: The posts that arrive from the Debian Security list show package updates for Woody. How does one ensure that these same updates are applied when running a mixed system (testing stable)? As long as there aren't people working to put security updates into testing, you won't see any 'security team' updates to testing. http://www.debian.org/releases/ (read the testing section) So you have to wait for the package maintainer to fix it, release the fix into unstable (which if you've been following the lists you'll notice it hasn't happened for the ssh package as of last night but the ssh update has been in stable for a couple of days.) Then you'll need to wait for the unstable update to pass the gates of testing. Once all that's happened you'll have an updated mysql. (I'm probably missing some conditions that someone may comment on.) For instance: Recently a post for mysql-common indicated an update was available. If I run apt-cache policy mysql-common I get the following output: mysql-common: Installed: 4.0.13-3 Candidate: 4.0.13-3 Version Table: 4.0.14-1 0 500 http://ftp.de.debian.org unstable/main Packages *** 4.0.13-3 0 990 http://ftp.de.debian.org testing/main Packages 100 /var/lib/dpkg/status 3.23.49-8.5 0 500 http://security.debian.org stable/updates/main Packages 3.23.49-8 0 500 http://ftp.de.debian.org stable/main Packages So, I have the latest version installed from testing. Does that include the changes from security.debian.org? I don't know the answer to that, sorry. Most likely it doesn't. -- Jacob Trying out SquirrelMail -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]