Spam problem @ gigo

Since midnight something has been posting spam via the web server; I've killed everything in the queue that was outbound spam. Outbound mail to AOL, YAHOO, etc. may be delayed considerably (they blacklisted us due to the spam).  The entry point for it has been neutralized (and the vulnerable software is now on the ban list here).


imap server updated

..for security reasons.  

Holler if anything is still amiss.

More SSH scanning countermeasures


This is for users who ssh to gigo.com.

Last year, I enabled countermeasures to help keep the SSH hack attempts against gigo.com down to a minimum. We automatically block the IP address of systems trying to log in to gigo.com and repeatedly failing.

The problems are getting worse; as such I'm making these changes:


  • Attempts to log in as a valid ID: unchanged; 10 attempts and you're banned 15 minutes
  • Unknown accounts and daemon accounts: immediately blocked for 150 minutes

If you log in from another account with a different account name, make sure that you always remember to specify your gigo.com account name (correctly!) or the machine you are connecting from will be blocked for everything but the web server, for 150 minutes. If this regularly affects you, I *can* whitelist specific IP addresses to be immune to this behavior.
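
The two-tier policy described in this post, sketched as log-scanning logic. This is an added example, not gigo.com's actual countermeasure code; the account names, whitelist entry and log lines are constructed, and failures are counted without an expiry window because the post does not state one.

```python
import re

# Thresholds taken from the post; everything else here is an assumption.
VALID_MAX_FAILS = 10       # failures against a real account before a ban
VALID_BAN_MIN = 15
UNKNOWN_BAN_MIN = 150      # unknown or daemon account: blocked at once

# Hypothetical site data: real login accounts, daemon accounts, whitelist.
USERS = {"alice", "bob"}
DAEMONS = {"root", "daemon", "www", "mysql"}
WHITELIST = {"192.0.2.10"}

# OpenSSH logs "Failed password for [invalid user ]NAME from IP port N ssh2".
FAILED = re.compile(
    r"Failed \S+ for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

def decide_bans(lines, users=USERS, daemons=DAEMONS, whitelist=WHITELIST):
    """Return {ip: ban_minutes} for the given sshd log lines."""
    fails, bans = {}, {}
    for line in lines:
        m = FAILED.search(line)
        if not m or m["ip"] in whitelist:
            continue
        ip, user = m["ip"], m["user"]
        if m["invalid"] or user in daemons or user not in users:
            bans[ip] = UNKNOWN_BAN_MIN          # immediate, longer block
            continue
        fails[ip] = fails.get(ip, 0) + 1        # no expiry window modelled
        if fails[ip] >= VALID_MAX_FAILS:
            bans[ip] = max(bans.get(ip, 0), VALID_BAN_MIN)
    return bans

# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE = (
    ["sshd[811]: Failed password for alice from 198.51.100.7 port 5022 ssh2"] * 10
    + ["sshd[812]: Failed password for bob from 198.51.100.9 port 5023 ssh2"] * 3
    + ["sshd[813]: Failed password for invalid user admin from 203.0.113.5 port 40 ssh2",
       "sshd[814]: Failed password for root from 203.0.113.6 port 41 ssh2",
       "sshd[815]: Failed password for invalid user alcie from 192.0.2.10 port 42 ssh2",
       "sshd[816]: Accepted password for bob from 198.51.100.9 port 5024 ssh2"])

if __name__ == "__main__":
    for ip, minutes in sorted(decide_bans(SAMPLE).items()):
        print(f"block {ip} for {minutes} minutes")
```

The mistyped account name from the whitelisted address is ignored, which is the exemption the post offers to users who are regularly caught by the 150-minute rule.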

Mail changes - planned

[Updated Sunday 2:00p]  -  Changes are now in effect.

Condensed version:

Attachments are allowed now (most are, at least).  Incoming viruses or otherwise "dangerous" files will be made a bit safer (the message is turned into an attachment; and the message you see, will say [VIRUS ATTACHED] in the subject line). 

Attachments (in and out) are scanned for viruses using an open-source virus checker.  This is not a good substitute for you running your own protection.  We could (collectively) pay for a commercial virus checker.  A better use for your money is to make sure your workstation is running antivirus of its own.

Spam filtering has changed a bit; please make sure you are filtering on "X-Spam-Flag: YES".  If you can only filter by subject, then look for SPAM in the subject line.   A limited amount of customization is still available at https://mail.gigo.com/ - primarily affecting whitelists, blacklists, and a minimum score to consider a message as SPAM.

Finally, @gigo.com mail is being signed with DKIM.  Some providers will give us a positive nudge when they do their own spam checking when the mail is properly signed.  I can do this for other domains as well - let me know if you want this.  

I'm reachable as jfesler@gigo.com or (if you have problems with that for any reason) postmaster@gigo.com .





Mail server changes

As of this morning I've enabled some of the blacklists from SpamHaus.  Anyone who has their mail rejected mailing our system will be given a url in the bounce message; as well as postmaster@gigo.com's email address for exceptions.  Note that postmaster is never filtered here - even if we generally block their mail when they mail me as postmaster, it'll still come through.

I'm watching the logs and looking at the rejects looking for signs of false positives.

This change in behavior is to cut down the resources it takes to fight spam - the greylisting was the primary barrier previously, but that is becoming costly.  If you want me to turn off antispam measures at the mail server level to your address or domain, let me know.

Apple, you're missing the boat.

Apple, what is wrong with you?  Now, all of your laptops are glossy screen only?  I for one don't enjoy looking at the overhead lights of the cubicle farm; I prefer to actually see what is on my screen.  The only reason I have a macbook pro today, instead of a macbook, is the screen - Yes, I paid that much difference in cash to have my preferred screen.  And now, you don't offer it at all.

Oh - what the heck is with moving to the macbook keyboard?

Between reducing screen and keyboard options to the macbook level, you've made no compelling argument for anyone to go "pro" with their laptop any more.  And you've certainly made it to where I won't be buying another Mac laptop until you fix this flaw, so at minimum another 2 years out.


Avenue Q is coming to town

Avenue Q is an adult-oriented spoof on Sesame Street, with performers and puppets worthy of Henson.   Unless you're an uptight prude (most of the folks I hang with aren't), you definitely need to see this show.

Tickets are on sale now for Sacramento and San Jose.  

SuperStar award dinner

Earlier this week was the SuperStar 2008 awards dinner.  Talk about swank!

Accommodations were at the St Regis Hotel, in San Francisco. The lobby was a bit upscale, valet parking as you'd expect, etc.  Maybe a bit more than you'd expect, they pretty much insisted on taking the bags, for the entire 30 foot walk to checkin.   Other than being slightly overstaffed, checkin was fairly normal.   Then right after checkin, I'm asked if we would like to have the butler called.

Whoa. What?  No, thanks, we're good.  

We made our way to the room, and were fairly impressed.  Lots of marble, _huge_ windows, centralized controls for the lights and drapes and whatnot (Yes, automatic drapes).  Huge tub that appears to straddle the bathroom and the bedroom (though, you can close the doors and make it a bit more traditional and closed).  It gave the room a much larger appearance than it would have otherwise.   The shower was huge, as was the shower head - I am pretty sure any time someone took a shower  the rest of the city felt the water pressure drop.

Shortly after we're settled in, an unexpected ring at the door.  Yahoo sent us wine.  We don't drink wine, but it is the thought that counts.  My father in law will certainly drink it.

"Huh."

We finally start getting ready for the dinner, switching to the monkey suit for myself, the dress for Danae.  We fumble with my tie for ~10 minutes.  Another ring at the door.  This time Yahoo sent a fine cheese assortment.   The person bringing us this, gave us the most valuable recommendation of the evening - "call the butler".  This wise person needs a raise, as does the butler, as between them I managed to wear a tie.

Whew.

5:45 rolls around, time to head to the festivities.  We're greeted as we exit the elevator, onto the floor that Yahoo rented out.  Pictures, congratulations, a badge and a flower pinned to the monkey suit.   And now the media starts in, the fun stuff we use for internal PR.

"Would you like to answer a few interview questions?"  "No."  "Too bad.  Come this way please."   Damn.  I proceed to make a fool of myself on camera for a few.  I think I managed to frustrate them, as I'm not really a public speaker of any sort.  Small crowds are cool. Big crowds, recordings, etc.. Oi!  Next hour or so, mingling (difficult when you're hard of hearing), refreshments, more video cameras and awkwardness.  I'm very much afraid of the video they'll produce and show at the next company All Hands..

7p finally rolls around, and the dining hall opens.  I'm good at this part!   Dinner itself was several courses; I managed to lose count.  Very posh, and the service was exceptional.  I managed to try everything that was served, despite my usual reservations on food.

Everyone is ultimately called up in a random order; 16 individuals, and 8 teams (or at least their delegates).  Everyone is presented, with a story or three, how they've benefited the company, etc.  Everyone, and everything they've done, is quite impressive - I pretty much feel out of my league here.   Everyone receiving an award is expected to also give a speech.  Ruh roh.  I manage to not make a total fool of myself by keeping it short.   SuperStar 2008 trophies are handed out, as well as bonuses.  I'm good at this part!

After dinner, we made our way back to our rooms.  While we were out, our rooms were touched up by the hotel staff.   Bathrobes were hung out for us; as well as slippers next to the bed.  Water was placed beside each bedside table.  We are most definitely not used to this level of service...


gallery 2.2.6 update

Those of you running gallery on my server - I've updated all of them for a security update.

gigo.com kernel .. and .. os .. upgraded.

For those of us running IPv6 on FreeBSD, there's a new security bulletin out.  Gist of it is, rebuild your kernel.

I figured, kernel alone was plenty, since we're going from 7.0-STABLE to 7.0-STABLE - usually those deltas are _very_ trivially minor.  Alas, that wasn't the case - the ramdisk utilities that gigo.com depends on didn't like the new kernel, and the box didn't work after reboot.  I ended up having to drive to the colo in Fremont (120 miles, rush hour), and rebuild the OS.  

In any case.. we're back up now.