Marc Perkel wrote:
> Graham Murray wrote:
>> Because some senders erroneously treat a tempfail as a permfail (or even
>> worse as a successful delivery) and do not retry.
>>
> If that were the case then they already would have failed before getting
> to tarbaby as your main server is out. If they are on tarbaby then they
> already retried to get there.

tempfail != timeout

If the main servers are down or otherwise not responding, the sender
won't get a tempfail from those servers. So even if the sender is
broken enough to treat a tempfail as a permfail, it will still fall back
to the next MX until it gets to one that *does* respond. And if that
happens to respond with a tempfail...

--
Kelson Vibber
SpeedGate Communications

Ralf Hildebrandt wrote:
> * Ken A :
>
>>> How? He tempfails all mails.
>> Are you asking how sending your customer, or company email off someplace
>> you don't control might be a security risk?
>
> It's in no way more dangerous than using Postini...
>

Have you compared Postini's contract to the one you get from Marc?

Ummm.. just in case you have no luck finding that, what about a Privacy
policy?

See the link at bottom of
http://wiki.junkemailfilter.com/inde...roject_tarbaby
for the Privacy Policy. It's currently a blank page. That doesn't give
me a secure feeling..

Ken

--
Ken Anderson
Pacific.Net

Ken A wrote:
> Ralf Hildebrandt wrote:
>> * Ken A :
>>
>>>> How? He tempfails all mails.
>>> Are you asking how sending your customer, or company email off
>>> someplace you don't control might be a security risk?
>>
>> It's in no way more dangerous than using Postini...
>>
>
> Have you compared Postini's contract to the one you get from Marc?
>
> Ummm.. just in case you have no luck finding that, what about a
> Privacy policy?
>
> See the link at bottom of
> http://wiki.junkemailfilter.com/inde...roject_tarbaby
> for the Privacy Policy. It's currently a blank page. That doesn't give
> me a secure feeling..
>
> Ken
>

Well, I'm definitely a privacy advocate as a former EFF employee but
considering that we never receive and of the email (451 response before
data is sent) there's no information to disclose. We aren't receiving
the body of the email. Generally all we see is spam bot attempts and
harvest those IPs for the blacklist which has now grown to 2 million.

Yes - I'm in the same business as Postini. So the better our blacklist
is the better we can block spam.

Marc Perkel wrote:
>
>
> Ken A wrote:
>> Ralf Hildebrandt wrote:
>>> * Robert Schetterer :
>>>
>>>> Project Tarbaby helps you reduce spam and helps us build our
>>>> blacklist. This is done by adding a fake MX record to your existing
>>>> MX lists
>>>>
>>>> thats could be seen as a security risk
>>>> cause in rare cases you may recieve legal mails
>>>> i.e at an network outage etc
>>>
>>> How? He tempfails all mails.
>>>
>>
>> Are you asking how sending your customer, or company email off
>> someplace you don't control might be a security risk?
>>
>> Read the fine print. The way Marc's system works is by waiting for the
>> absence of the QUIT command. That means anything the system sees
>> before it's done waiting for QUIT is available to a process. Do you
>> have any idea what that process does, how it's coded, or how secure it
>> is? This isn't an open source project.
>>
>> Most of our customers would wonder why we are sending their mail off
>> without their explicit permission. That's a breach of trust at least,
>> and perhaps of contract. It might also be a violation of company
>> policy, or just plain illegal.
>>
>> Ken
>>
>
> It's not like I'm a stranger here. I've been on this list for 6 years so
> a lot of people do trust me.

That's not the kind of trust I'm talking about (it's not personal). It's
about data security, code review, privacy assurances.

As to looking for QUIT, it's not just that.
> There are a number of other sins that are required for blacklisting.
>
> As to getting pernmission from customers, you do ask customers for
> permission before using razor or dcc. Same thing.

Not. You are comparing systems that share checksums and allow simple
whitelisting (to exclude entries from shared db) to sharing plain text
email.

Ken


>
> And - if you don't trust me - don't use it. This is just for people who
> know me and want to help out.
>


--
Ken Anderson
Pacific.Net

On Tue, Aug 26, 2008 at 12:26 PM, Marc Perkel wrote:
>
>
> Ken A wrote:
>>
>> Ralf Hildebrandt wrote:
>>>
>>> * Ken A :
>>>
>>>>> How? He tempfails all mails.
>>>>
>>>> Are you asking how sending your customer, or company email off someplace
>>>> you don't control might be a security risk?
>>>
>>> It's in no way more dangerous than using Postini...
>>>
>>
>> Have you compared Postini's contract to the one you get from Marc?
>>
>> Ummm.. just in case you have no luck finding that, what about a Privacy
>> policy?
>>
>> See the link at bottom of
>> http://wiki.junkemailfilter.com/inde...roject_tarbaby
>> for the Privacy Policy. It's currently a blank page. That doesn't give me
>> a secure feeling..
>>
>> Ken
>>
>
> Well, I'm definitely a privacy advocate as a former EFF employee but
> considering that we never receive and of the email (451 response before data
> is sent) there's no information to disclose. We aren't receiving the body of
> the email. Generally all we see is spam bot attempts and harvest those IPs
> for the blacklist which has now grown to 2 million.

You continue to miss the point, or maybe you just don't want to understand it.

Sending my client's email to your servers is irresponsible at best and
possibly even a violation of contract or illegal.
It does not matter that you claim to always give a temp fail. It does
not matter that you are a Real Nice Guy.

What if your servers become compromised?
What if your DNS is hijacked?
What if your software giving the temp fail doesn't work properly?
What if a broken MTA sends the message even after you temp fail?
What if you turn into a Real Bad Guy?

There is also the issue that even if you do temp fail, even the
knowledge of which servers are trying to connect to my client's
domains may not be something they want you to gather.

As many have stated: if you are truly interested in this, get a client
together, preferably open source, that sends only the neccesary data
to your site.

-Aaron

Aaron Wolfe wrote:
> On Tue, Aug 26, 2008 at 12:26 PM, Marc Perkel wrote:
>
> You continue to miss the point, or maybe you just don't want to understand it.
>
> Sending my client's email to your servers is irresponsible at best and
> possibly even a violation of contract or illegal.
> It does not matter that you claim to always give a temp fail. It does
> not matter that you are a Real Nice Guy.
>
> What if your servers become compromised?
> What if your DNS is hijacked?
> What if your software giving the temp fail doesn't work properly?
> What if a broken MTA sends the message even after you temp fail?
> What if you turn into a Real Bad Guy?
>
> There is also the issue that even if you do temp fail, even the
> knowledge of which servers are trying to connect to my client's
> domains may not be something they want you to gather.
>
> As many have stated: if you are truly interested in this, get a client
> together, preferably open source, that sends only the neccesary data
> to your site.
>
> -Aaron
>
>

What if your server is compromised or your DNS is hijacked? I'm doing
the same thing Postini is doing, just better. Besides, if you keep your
email servers and backup servers online then good email will never reach
my server.

And - I'm putting this out for those who are interested. You are not
interested so this doesn't affect you.

Marc Perkel wrote:
>
> And - I'm putting this out for those who are interested. You are not
> interested so this doesn't affect you.
>

Mark,

This debate can continue until the end of time (assuming time has an end
;-p). How about creating a dedicated mailing list?

On Wed, 27 Aug 2008, mouss wrote:

> Marc Perkel wrote:
>>
>> And - I'm putting this out for those who are interested. You are not
>> interested so this doesn't affect you.
>>
>
> Mark,
>
> This debate can continue until the end of time (assuming time has an end
> ;-p). How about creating a dedicated mailing list?

Creating a list has been brought up before (at least twice that I can
remember).

-d

> Perkel wrote:
> What if your server is compromised or your DNS is hijacked? I'm doing
> the same thing Postini is doing, just better. Besides, if you keep your
> email servers and backup servers online then good email will never reach
> my server.
>
> And - I'm putting this out for those who are interested. You are not
> interested so this doesn't affect you.

.....

Actually Marc, it does affect us.

We tried using one of your rbl type solutions and you changed the specs on
it within two weeks of starting it without any notice thereby causing some
serious issues.

We followed your guidelines and even advertised you on our website as
requested.

lately, the spamming the spamassassin list has gotten a bit out of whack.

And I, in general, am one of your ideas and implementation advocates.

At least you are continually putting forth some effort and that is
commendable.

Yet Maybe you should consider paying jupitermedia and spam the isp lists?

Or better yet, if you are going to spam here, work something out with the SA
group so at least they get something ca$h out of it for furthering SA for
*everyone*

- rh