Volume 21, Number 3 - March 2005
No Program Description Was Available At Newsletter Publication Time
Thursday, March 17, 7:00 PM
The CACTUS Newsletter is a monthly publication, distributed to our members and other interested people. Visit the CACTUS Newsletter on the web at http://www.cactus.org/Newsletter/. There you will find archives of back issues, as well as instructions on how to subscribe to the e-mail distribution. We welcome newsletter submissions by our members. Please contact newsletter [at] cactus <dot> org for more information.
The next CACTUS meeting will be held on Thursday, March 17, 2005 at 7:00 PM (doors open at 6:30 PM for pizza and informal discussion), in the auditorium of UT Applied Research Laboratories. (See end of newsletter for directions to the facility).
Hello? Is this microphone on??
You'll notice this month that there are several items missing from the newsletter, notably the meeting program. While I applaud Ron for writing the previous month's meeting report, only having information about last month's meeting doesn't make very interesting reading.
This newsletter is an important communications mechanism for all the members of CACTUS. Please read the newsletter, take note of the places where our organization is deficient, and step up to the plate and help resolve some of these.
New president Randy Zagar, sporting a cowboy hat, had difficulty getting the members' attention, so Gil Kloepfer slapped a pointer on a table to call the meeting to order. Treasurer Johnny Long reported that we're still solvent. M.H. Khan brought an IBM 43P PowerPC desktop to donate to CACTUS. Gil mentioned that he had gone to the trouble to post the newsletter on USENET, and immediately the user account from which he posted started getting SPAM. Gil will never say he wants SPAM anymore.
Because CACTUS has so many different machines hosted at different locations, Gil suggested that we list them on the message of the day (MOTD) on linux.cactus.org. Someone remarked that the current MOTD kept listing the disk hog, M.H. Khan, who finally came to a meeting.
Lenny Tropiano announced that he was testing a new spam prevention product: Barracuda Networks' Spam Firewall.
Randy Zagar introduced the presenter for the evening, Chris Boyd. Chris is the Chief Technical Officer (CTO) and co-founder of Midas Networks. Their website (www.midasnetworks.com) says, "Hosting that won't hold you hostage." Noting that his laptop was running Unix, Chris described himself more as a plumber than a systems administrator. Chris has been in the telecom industry for more than fifteen years. He worked for MCI for a while, and his retirement fund suffered accordingly. He also worked for Paradyne who made telecom equipment.
Chris also worked for a residential ISP targeting college students at about the same time that Kazaa was released. He had some horror stories to tell about that. The mom-and-pop ISP business model has been dead for a couple of years now, with the survivors either defunct or sold out. As of December 2004, fifty percent of the market uses broadband. In 1996, the price for CLECs was more than SBC's DSL offerings.
Chris and a co-worker started Midas Networks about two and a half years ago. He brought up a slide showing possible starting points for topics that listed: VoIP, ISPs, Open Source Software and SPAM. So naturally the topic became SPAM. Using Spamhaus, Midas has an 85% rejection rate. Chris spoke of a new co-location customer who, upon transferring his domain name, was using 40 kilobits per second of bandwidth on SPAM, fostered by a dictionary attack against his addresses.
Chris still uses sendmail version 8.12 as the Midas MTA. He ranted a bit about Outlook and Exchange Server, which he manages for some customers who have an addiction to calendar services and shared folders. He noted that they use the Multi Router Traffic Grapher (MRTG) for network management, which he praised for its speed.
Though they wanted to locate in Cedar Park, they wound up at 8500 Shoal Creek in a building that used to be a lab for Radian Corporation. They are currently running on a T1, but are negotiating to get a fiber connection. They started with only a $5,000 initial investment. He called Midas a small, high-touch business with lots of start-ups for customers. They use no advertising, just word of mouth. Chris says it's starting to pay off as their customers grow. He mentioned that the biggest co-location company in Austin is Inflow.
Midas has no residential customers, and bills based on average use, not peak. Midas is also involved with the Austin Wireless Project. They trained the City of Austin administrators and provided consultation. Chris took a minute to rail against House Bill 789, a tool of the big telecoms that seeks to limit cities' ability to offer free wireless access.
Though not really done flaming the telecom industry, Chris mentioned that the railroad company charges $1,000 a month per circuit to go through an existing conduit. The railroads own the right of way. Not many people know that the SP in Sprint stands for Southern Pacific. MCI bought right-of-way from Western Union. Western Union got right-of-way from the railroads in exchange for sending traffic information on its telegraph.
Chris told an interesting story about former gubernatorial candidate Clayton Williams, who made pipelines. He figured out that he could run cables through unused pipelines and sell them to Sprint. The carriers loved it. Pipe is very protective. Backhoes kill connections at least once a day, but even a backhoe operator notices when he hits metal.
Chris also mentioned that he was interested in deploying Asterisk for his company's PBX. Gil Kloepfer and other members related their experiences in this regard.
The talk turned to hardware for a while. Chris speculated that 3Com must be re-using MAC addresses, since they probably expect that old ISA-based fiber Ethernet cards have been retired by now. Randy Zagar related a story about buying a bunch of Shuttle PCs that all had the same MAC address. The discussion degenerated into a flame war against cheap Linksys routers. Chris concluded by asking why we have to set up a network configuration when we add a new user to a Windows XP computer.
Thanks to Chris Boyd and Midas Networks for a thought-provoking presentation.
Like most organizations these days, the one I work for is struggling to deal with a never-ending problem with spam. Unfortunately, the person who has been tasked to deal with that problem is me. While I have tried to utilize Open Source solutions in our anti-spam defense as much as possible, the spam "arms race" has become more than a full-time job for a single person (if you're going to launch an effective defense, anyhow). Our mail gateway system is also, like those of other larger organizations, very complex and utilizes UNIX-based solutions to route and process incoming e-mail. It became apparent that Open Source by itself could no longer keep up effectively with the spam problem while still satisfying management's requirement for efficient and reliable e-mail with few to no anti-spam "false positives."
One of the commercial solutions I tested during our quest for a better anti-spam solution was PureMessage for UNIX from Sophos. PureMessage is an integrated anti-spam and anti-virus system with subscription-based virus and spam signature updates. Sophos started offering this product in September of 2003 as part of their acquisition of ActiveState. The immediate attraction of PureMessage to me as a FreeBSD system administrator was Sophos' support of this product on the FreeBSD OS platform. In fact, Sophos supports PureMessage on several distributions of Linux, Sun Solaris (SPARC), HP-UX, AIX (RISC), and of course on FreeBSD. PureMessage is not an MTA replacement, but rather a mail filter subsystem that is designed to plug into Sendmail or Postfix (for other MTAs, it can operate as a standalone relay). Finally, because of the way it interfaces to existing MTAs, organizations can maintain their own version of Sendmail or Postfix provided they are running reasonably recent versions of that software (who isn't these days?).
My relationship with PureMessage wasn't "love at first sight." Getting started with the evaluation was a little rough, starting with the CPU and memory requirements of the product. We are happily running our existing systems on 1 GHz P3 systems with 500 MB of memory. PureMessage requires a minimum of 1 GB of system memory. While during testing I didn't see memory usage jump above 500-600 MB, I believe that their sizing is probably on target for a production environment.
The other principal rough spot at the beginning was wading through the mounds of configuration files. While I am a big fan of text-based configuration files and the ability to modify them with a text editor rather than a dedicated tool, PureMessage may have gone a little overboard here. The web-based documentation is not always clear about how all these files interact with each other. Further, Sophos provides a web-based administration tool that modifies these files, but not all of them, and not always in obvious ways. The good news is that Sophos has very knowledgeable sales engineers who are willing to go the extra mile to help solve some of these technical issues in helpful ways. I can only hope their post-sales support is this good. PureMessage is not a system that can be pulled out of the box and run in 30 minutes like some competing products. It is a complex product and requires an experienced system administrator to install and tune it.
Once I got past some of the installation issues, things started getting better. With our installation of SpamAssassin™ with a well-trained Bayesian filter, in our test we caught about 87% of the spam. Using PureMessage out of the box with the same e-mail messages, 97% of the spam was identified. PureMessage uses a combination of several public blacklists, a modified SpamAssassin engine with constantly-updated rulesets, lists of naughty words, and some custom classification and scoring rules to achieve these numbers. The important thing to note is that Sophos is constantly updating the anti-spam and anti-virus signatures (on one day, I saw 27 anti-spam signature updates). This is an important advantage of using a commercial product: there are people being paid money full-time to look for ways to get rid of spam (something you and I would rather not do). PureMessage also had an extremely impressive false-positive rate (one, during our tests!). We also have a low false-positive rate with SpamAssassin, but that's because we have left our scoring somewhat conservative to achieve that.
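The trade-off the review describes, where a conservative score threshold buys a low false-positive rate at the cost of catch rate, is easy to see on a toy Bayesian filter. The following is an added example written for this newsletter, not code from Sophos, SpamAssassin or the reviewer's site: it trains a tiny naive-Bayes token scorer on a constructed corpus (all messages, tokens and thresholds are made up for illustration) and then measures catch rate and false-positive rate at an aggressive and a conservative threshold over a constructed labeled test set.

```python
"""Added example: naive-Bayes spam scoring with a tunable threshold.

Not the newsletter's, Sophos' or SpamAssassin's code. The training and test
messages below are constructed for illustration only.
"""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$]+")


def tokenize(text):
    """Lower-case word tokens, as a set (presence only, like a Bernoulli model)."""
    return set(TOKEN_RE.findall(text.lower()))


class NaiveBayesFilter:
    def __init__(self):
        self.spam_tokens = Counter()
        self.ham_tokens = Counter()
        self.n_spam = 0
        self.n_ham = 0

    def train(self, text, is_spam):
        toks = tokenize(text)
        if is_spam:
            self.spam_tokens.update(toks)
            self.n_spam += 1
        else:
            self.ham_tokens.update(toks)
            self.n_ham += 1

    def score(self, text):
        """Log-odds that the message is spam; positive means spammy.

        Laplace (+1) smoothing keeps unseen tokens from zeroing the score.
        """
        logodds = math.log((self.n_spam + 1) / (self.n_ham + 1))
        for tok in tokenize(text):
            p_spam = (self.spam_tokens[tok] + 1) / (self.n_spam + 2)
            p_ham = (self.ham_tokens[tok] + 1) / (self.n_ham + 2)
            logodds += math.log(p_spam / p_ham)
        return logodds


# Constructed training corpus (not real mail).
TRAINING = [
    ("cheap viagra pills buy now", True),
    ("buy cheap pills online now", True),
    ("free money win now click", True),
    ("click here free prize money", True),
    ("meeting thursday auditorium pizza", False),
    ("newsletter submission deadline thursday", False),
    ("asterisk pbx configuration question", False),
    ("renew membership check payable", False),
]

# Constructed labeled test set; the last two are deliberately borderline.
TEST_SET = [
    ("buy cheap pills now", True),
    ("free money click now", True),
    ("meeting thursday pizza", False),
    ("pbx configuration question", False),
    ("free pizza at the meeting now", False),  # ham that looks a bit spammy
    ("win a prize", True),                      # spam with little evidence
]


def build_filter():
    filt = NaiveBayesFilter()
    for text, is_spam in TRAINING:
        filt.train(text, is_spam)
    return filt


def evaluate(filt, labeled, threshold):
    """Return (catch_rate, false_positive_rate) at the given log-odds threshold.

    catch_rate: share of spam flagged; false_positive_rate: share of ham flagged.
    """
    caught = spam = fp = ham = 0
    for text, is_spam in labeled:
        flagged = filt.score(text) >= threshold
        if is_spam:
            spam += 1
            caught += flagged
        else:
            ham += 1
            fp += flagged
    return caught / spam, fp / ham


if __name__ == "__main__":
    f = build_filter()
    for label, thr in (("aggressive", 0.0), ("conservative", 2.0)):
        catch, fpr = evaluate(f, TEST_SET, thr)
        print(f"{label:12s} threshold={thr:.1f}  catch={catch:.0%}  false-positive={fpr:.0%}")
```

Lowering the threshold raises the catch rate but starts flagging the borderline ham; raising it protects legitimate mail and lets weakly-scored spam through. That is the same knob the reviewer leaves "somewhat conservative" in SpamAssassin, and it is why a vendor feeding constantly updated rules into the score matters: better evidence per message moves both rates in the right direction without touching the threshold.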
The anti-virus capability is worthy of mention, but not much needs to be said about it. Sophos has a reputation for having one of the best anti-virus engines, and PureMessage utilizes Sophos' anti-virus engine. We are using Sophos SAVI with Open Source AMaViS, and it works extremely well. There was no difference in PureMessage: all viruses caught, no false positives or negatives. A noteworthy advantage of PureMessage over AMaViS is that PureMessage can actually clean infected attachments from e-mail and deliver the remaining part of the message. I'm not sure this is a key advantage, though, since most e-mail-borne viruses have no valid information accompanying them anymore.
Overall performance (speed-wise) of PureMessage was quite acceptable for our environment. It is hard to do a side-by-side comparison since our existing system runs on much slower hardware. Unfortunately I don't have any numbers to present. Given that PureMessage has a large amount of Perl code in it (what you would expect coming from ActiveState), the performance was impressive.
There are many features in PureMessage that deserve a more in-depth review (such as the end-user quarantine, central quarantine for multi-server installations, enhanced policy manager, etc.). Unfortunately, that would make this already long article longer. I was impressed with what I saw of PureMessage, and recommend evaluating it if you're looking for a commercial anti-spam/anti-virus product. For further information, see Sophos' web site at http://www.sophos.com/.
We would like to thank Thomas Benjamin, M.H. Khan, James Trice, Thomas Bodine, and Ronald Roberts for renewing their membership.
To renew your membership, please send check or money order payable to CACTUS ($30/yr for regular membership and $100/yr for corporate sponsorship):
PO BOX 9786
Austin, TX 78766-9786
You can also pay in person at the general meetings. Please direct any inquiries or address changes to membership [at] cactus <dot> org.
CACTUS meets on the third Thursday of each month at the Applied Research Laboratories (ARL) in the JJ Pickle Research Campus (JJ PRC). We'll meet in the main auditorium located directly behind the guard's desk and main lobby.
Please do not show up earlier than 6:20 PM on the specified day. Enter through the main entrance at 10000 Burnet Road for ARL. Tell the guard that you are here for the CACTUS meeting. You will be required to sign a log book, but not required to wear a badge. The guards will direct you to the auditorium entrance. Limited parking in the front of the building is available, but more extensive parking is available in the large parking lot just north of the ARL building. After 6:30 pm, all entrances to JJ PRC, except for the Burnet Road entrance, are closed and locked. You can still enter the parking lot in front of the ARL building. No parking tags are necessary after 6:00 PM (but you will need to inform the guard in the booth that you are attending a meeting at ARL). See map for further details.
Online maps are available at:
As always, please leave the facility as you saw it when you arrived.