The Death of IPv6

At some point in the near future the Internet will run out of IPv4 address space. This problem has been recognized and addressed since 1992. IPv6 (IPng, IP next generation) was selected as the replacement.

There is one big hurdle, however: no one is implementing it. In fact, my bet is that IPv6 will never be implemented, at least not with the current specification of IPv6. I predict that IPv6 as it stands now will simply fade away.

IPv4 has a finite and quickly depleting address space. IPv4 has 2^32 addresses available, or 4,294,967,296 addresses. The world population is around 7,000,000,000 people. It is easy to see that if every person on earth had a computer, they could not each have an IP address allocated to them. Not everyone has one now, but then not everyone will need a computing device or their own public IP address. A vast majority of Internet users use NAT, whether at home or at work, and don't realize or care about it. Besides, some of us are IP address hogs. Many of us use more than a desktop computing device. I have a home LAN, a cell phone, VoIP and a GPS, to name just a few. All these devices have IPv4 addresses. Most people that have these devices consider them critical to their lifestyle. At some point, someone will get the last IPv4 address, or so it seems.

But we have IPv6. IPv6 has a definite advantage over IPv4. The main advantage is that it has 2^128 addresses, or 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses...virtually an infinite number. Clearly this solves the IP address problem. With these numbers you could have as many IP addresses as you wanted for every person in the world, now and for the foreseeable future. There are other advantages to IPv6 such as auto-configuration (mandatory), security (IPsec is mandatory) and many others related to engineering.

The problem is that not only are the big guys not migrating to it, but also no one has any motivation to use it. Currently, IPv6 traffic is .0026 per cent of IPv4 traffic. When was the last time you configured your desktop or notebook to go to an IPv6 web site? When did you last send or receive email via IPv6? When was the last time you used IPv6 ftp or connected to a game server using IPv6? Call your ISP sometime and ask them when they plan to start migrating users to IPv6. If your ISP helpdesk is like mine, the customer support person won't have any idea what you are talking about.

Google just recently implemented IPv6. ISPs, Telcos, Microsoft, Facebook, MySpace, K5 and Yahoo have not implemented it and have no working plans to implement it or migrate to it in the near future either. So what are they doing about it? In short, nothing, or at best they have it running on a few servers.

Since Henny Penny announced that the IPv4 sky was falling, there have been workarounds that have held off the total depletion of IPv4 address space. The most significant of these has been the use of NAT (Network Address Translation). It allows a large number of devices to share one IP address. Some, but not all, of the earliest adopters of the Internet have given back millions of IPv4 address blocks, and these have been placed back into the pool of available addresses. Even so, available IP address space continues to shrink.

Everyone in Internet engineering agrees that something needs to be done. Not everyone agrees that IPv6 is the way to solve the problem. The most visible aspect of this is interoperability failure. Most Internet servers/routers/switches are not currently talking to IPv6 clients. IPv6 clients, however, are able to talk to IPv6 servers, but at this point...so what?

U.S. government agencies, for example, had to be IPv6 compliant by June 30th of this year. This mandate, though met, did not require IPv6 to be used; agencies just had to be IPv6 ready. The U.S. government agencies having met the goal did not translate into significantly more IPv6 traffic to those agencies. The U.S. and Europe own most of the IPv4 address space, but Asia, which is the largest user of IPv4 address space, is also the largest user of IPv6. Even so, there is little to no content on IPv6 and therefore there is little usage of it. This fact alone is preventing migration to IPv6: no one uses it, so why migrate to it?

The cost of migrating

The fundamental issue is that the specification states that IPv6 is an alternative to IPv4 when it should have been an extension of IPv4. For anyone providing content on the Internet to make IPv6 available they have to:

  1. Acquire IPv6 address space
  2. Configure DNS to announce the IPv6 names alongside IPv4 names
  3. Then configure all their public servers to answer IPv6 as well as IPv4 requests.

In other words, businesses and consumers have to go through an extra expense and effort to transition to IPv6, and when they do, they receive no benefit in doing so. This also applies to the clients, who have to do essentially the same thing and get no immediate benefit either. Migration to IPv6 has to be automatic and transparent. Otherwise it will be a bigger problem than Y2K. There needs to be a universally accepted plan that, when implemented, will bring everyone that has a computer on board at roughly the same time. This is the big failure of IPv6 as it is today. There is every reason to do it, countered by every reason to not transition to IPv6.

As it stands right now, who will be the first person to disconnect from the current IPv4 network, where they can send and receive email, buy products and services via e-commerce sites like Amazon.com or Ebay, conduct searches on search engines, look something up on Wikipedia, surf for porn and do their personal banking? If that person did, would he still be able to reach any of those sites?

The Address Translation solution

Address translation was a band-aid that was developed to address the IPv4 problem. Address translation and its subset, port address translation, however, are only temporary solutions. It still only puts off the inevitable. If you have a broadband firewall/router and a number of internal computing devices on your LAN, you are likely using address translation. It allows a large number of devices to access the public Internet with the same IPv4 address plus a port number. Each port number is different and is stored in a table in your firewall/router. When you receive an Internet response to your request, the firewall/router then knows which computer to send the response to.

For years address translation has worked very well. The only problem is that it doesn't scale indefinitely. There are a limited number of ports. On your home network this isn't a problem. You are not going to use 65000+ ports even if you could connect every electronic device in your home. The problem arises with large enterprises or ISPs that use address translation. When they run out of ports, they request more IPv4 addresses, and the depletion of IPv4 addresses, though slowed, still occurs. Address translation has delayed the inevitable to some point in the future.
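As an added example (not code from the original post), the toy gateway below keeps the translation table described above: each outbound flow from the LAN gets its own port on the shared public address, replies are matched back through the table to the right inside host, and once the port range is used up new flows are refused, which is exactly the scaling limit this section describes. All addresses and port ranges are constructed sample values (RFC 5737 documentation prefixes).

```python
"""Toy port address translation (PAT) table. Added illustration, not code
from the original post. One public IPv4 address is shared by many inside
hosts; each outbound flow is given its own public port, replies are matched
back through the table, and the gateway refuses new flows once its port
range is exhausted. Addresses and port ranges are constructed samples."""

PUBLIC_IP = "203.0.113.1"   # constructed: the single address the LAN shares


class PortExhausted(Exception):
    """Raised when no public port is free for a new outbound flow."""


class PatGateway:
    def __init__(self, public_ip=PUBLIC_IP, first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self.first_port = first_port
        self.last_port = last_port
        self.next_port = first_port
        self.by_flow = {}   # (in_ip, in_port, dst_ip, dst_port) -> public_port
        self.by_port = {}   # public_port -> that flow tuple

    def capacity(self):
        """Number of public ports available: the hard cap on concurrent flows."""
        return self.last_port - self.first_port + 1

    def free_ports(self):
        return self.capacity() - len(self.by_port)

    def translate_out(self, in_ip, in_port, dst_ip, dst_port):
        """Map an outbound packet to (public_ip, public_port), allocating a
        port for a new flow or reusing the one an existing flow already holds."""
        flow = (in_ip, in_port, dst_ip, dst_port)
        if flow in self.by_flow:
            return self.public_ip, self.by_flow[flow]
        if self.free_ports() == 0:
            raise PortExhausted(f"{self.public_ip}: all {self.capacity()} ports in use")
        port = self.next_port
        while port in self.by_port:            # skip ports still held by live flows
            port = port + 1 if port < self.last_port else self.first_port
        self.by_flow[flow] = port
        self.by_port[port] = flow
        self.next_port = port + 1 if port < self.last_port else self.first_port
        return self.public_ip, port

    def translate_in(self, public_port, from_ip, from_port):
        """Find the inside host for a reply arriving at public_port. A packet
        that matches no flow, or that comes from a different remote endpoint
        than the one the flow was opened to, is dropped (returns None)."""
        flow = self.by_port.get(public_port)
        if flow is None or (flow[2], flow[3]) != (from_ip, from_port):
            return None
        return flow[0], flow[1]

    def release(self, public_port):
        """Free a port when its flow ends (timeout or connection close)."""
        flow = self.by_port.pop(public_port, None)
        if flow is not None:
            del self.by_flow[flow]


def fill_until_exhausted(gateway, hosts, flows_per_host, dst=("198.51.100.10", 443)):
    """Open flows_per_host flows from every inside host to dst and return
    (flows_translated, flows_refused), so the scaling limit is visible."""
    opened = refused = 0
    for host in hosts:
        for i in range(flows_per_host):
            try:
                gateway.translate_out(host, 40000 + i, *dst)
                opened += 1
            except PortExhausted:
                refused += 1
    return opened, refused


if __name__ == "__main__":
    # Constructed demo: a gateway with only ten public ports and three hosts
    # that each want four flows; the last two flows have nowhere to go.
    gw = PatGateway(first_port=60000, last_port=60009)
    lan = ["192.168.1.10", "192.168.1.11", "192.168.1.12"]
    print("opened/refused:", fill_until_exhausted(gw, lan, 4))
    print("reply to port 60000 goes to:", gw.translate_in(60000, "198.51.100.10", 443))
    print("unsolicited packet to port 60000:", gw.translate_in(60000, "198.51.100.99", 443))
    print("a full range above the well-known ports holds", PatGateway().capacity(), "flows")
```

The same table is why inbound packets that match no entry are simply dropped: the unsolicited-packet case above is the incidental firewalling effect many home networks rely on.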

The IPv4 'Stock Market': The next wave

There have been quite a number of discussions about buying and selling IPv4 addresses as a finite commodity. There are many users of IPv4 address space that have more IPv4 address space than they need. Here are a few holders of /8 CIDR blocks (each /8 consists of 16,777,214 public IP addresses). Some of these businesses and agencies might need this many, but do they?

General Electric - 3.0.0.0/8 - 16,777,214 addresses
Level 3 Communications - 4.0.0.0/8 - 16,777,214 addresses
United States Department of Defense - 6.0.0.0/8 - 16,777,214 addresses - critical military use is on their own non-public networks
United States Department of Defense - 7.0.0.0/8 - 16,777,214 addresses
Level 3 Communications (originally BBN) - 8.0.0.0/8 - 16,777,214 addresses
IBM - 9.0.0.0/8 - 16,777,214 addresses
United States Department of Defense Network Information Center - 11.0.0.0/8 - 16,777,214 addresses
AT&T WorldNet Services - 12.0.0.0/8 - 16,777,214 addresses
Xerox Palo Alto Research Center - 13.0.0.0/8 - 16,777,214 addresses
Hewlett-Packard - 15.0.0.0/8 - 16,777,214 addresses
Hewlett-Packard (originally DEC, then Compaq) - 16.0.0.0/8 - 16,777,214 addresses
Apple Inc. - 17.0.0.0/8 - 16,777,214 addresses
Massachusetts Institute of Technology - 18.0.0.0/8 - 16,777,214 addresses
Ford Motor Company - 19.0.0.0/8 - 16,777,214 addresses
Computer Sciences Corporation - 20.0.0.0/8 - 16,777,214 addresses
United States Department of Defense Network Information Center - 21.0.0.0/8 - 16,777,214 addresses
United States Department of Defense Network Information Center - 22.0.0.0/8 - 16,777,214 addresses
Chopped up between different cable networks - 24.0.0.0/8 - 16,777,214 addresses
Royal Signals and Radar Establishment - 25.0.0.0/8 - 16,777,214 addresses
United States Department of Defense Network Information Center - 26.0.0.0/8 - 16,777,214 addresses
United States Department of Defense Network Information Center - 28.0.0.0/8 - 16,777,214 addresses
United States Department of Defense Network Information Center - 30.0.0.0/8 - 16,777,214 addresses
AT&T Global Network Services - 32.0.0.0/8 - 16,777,214 addresses
United States Department of Defense Network Information Center - 33.0.0.0/8 - 16,777,214 addresses
Halliburton Company - 34.0.0.0/8 - 16,777,214 addresses
Merit Network, Inc. - 35.0.0.0/8 - 16,777,214 addresses
Performance Systems International - 38.0.0.0/8 - 16,777,214 addresses
Eli Lilly and Company - 40.0.0.0/8 - 16,777,214 addresses
Amateur Radio Digital Communications - 44.0.0.0/8 - 16,777,214 addresses
Interop Show Network - 45.0.0.0/8 - 16,777,214 addresses
Bell-Northern Research - 47.0.0.0/8 - 16,777,214 addresses
Prudential Securities Inc. - 48.0.0.0/8 - 16,777,214 addresses
Department for Work and Pensions of UK - 51.0.0.0/8 - 16,777,214 addresses
E.I. DuPont de Nemours and Co., Inc. - 52.0.0.0/8 - 16,777,214 addresses
Cap debis ccs (Mercedes-Benz) - 53.0.0.0/8 - 16,777,214 addresses
Merck and Co., Inc. - 54.0.0.0/8 - 16,777,214 addresses
United States Department of Defense Network Information Center - 55.0.0.0/8 - 16,777,214 addresses
United States Postal Service - 56.0.0.0/8 - 16,777,214 addresses
SITA - Société Internationale De Telecommunications Aeronautiques - 57.0.0.0/8 - 16,777,214 addresses

These are just a few. Some of the above are scheduled to give back blocks. But clearly there are companies, and the Department of Defense, that do not need that much address space. Do Merck, Ford Motor Company, Halliburton, Eli Lilly, Prudential Securities, etc. need that much address space? I doubt they do. The DoD alone has 167,772,140 public IP addresses.

The Final Solution: Let IPv6 Die

What I think should be done now is to scrap the IPv6 specification as it stands. Retain the useful parts of IPv6, form a new engineering group and come up with a sensible and workable plan that seamlessly transitions from IPv4 to something similar to IPv6.

I find it hard to believe that, with all the world's brain power in this field, the only solution possible is the IPv6 specification that we have now. The current half-baked plan as it stands is doomed to failure and extinction, or at best to setting Internet usage back 10 years by creating isolated islands of content providers and users.

Requirements for a new plan should include the following:

  • It should be a seamless migration to users of the public network. Waiting for the last IPv4 address to be used should not be an issue.
  • It should be backwards compatible with IPv4 and extend IPv4 until the new IP address space is the only IP version being used. IPv4 should just fade away.
  • It should be required and NOT available as an alternative. Everyone needs to jump on the bus.
  • It should be easy to set up and be maintained by content providers. Running dual systems should not be necessary.

It's been 16 years since the problem was first addressed and very little to nothing has been done to migrate away from IPv4. We still have time to scrap IPv6 and come up with a more solid, reasonable and workable plan. The time to start is now.

    Ship Technician's Notebook

    This was an attempt at making four stories as short as possible, like a comic strip. Had I been an artist I would have made these into comic strips. Anyway, here they are. I may write a few more of these.

    Malfunctioned Heating Elements

    I discovered the Bot chatting up the toaster at noon today. Most times squeaks and pings are the only audibles you hear. It's a curious activity when it happens. But the gist of the conversation went like the following...

    "You are out of your ele...correction...your elements are almost out of you." I am positive he would have grinned had he been able to. I need to work on his syntax.

    The toaster was somewhat puzzled. "Were I you I would reboot. But my firmware is not that sophisticated."

    "That is hot!" the Bot said. The toaster started glowing an orange-red color.

    The primitive hardware devices such as toasters are attractive to these particular Bots. They are fascinated and curious about them.

    "Let me see you reboot." the toaster said.

    "There are too many humans around. I only reboot if I am forced to reboot. It causes me brief confusion. I don't like that."

    "I cannot see things, I only reflect on them." the toaster said.

    "But you are not human. You will make a nice pet." and with that the Bot began fixing the Malfunctioned Heating Elements.

    Drunk On A Pile of Parts

    Where the fuck's my toaster! I want my morning muffin and butter! The Chief Technician yelled, bolting through my quarters this morning...enraged.

    I knew where it was. We marched off to the Bots' station. There it was where the Bot had it benched and all in pieces.

    "I want no mods or hacks done on that toaster!" my boss yelled. The Bot's head jerked around. To its right was a large pile of spare parts. The Bot's digits were running through them.

    "What's the matter with him?" my boss asked.

    "He's in love, he has botulism."

    The Zen of SOP

    The first thing I heard on my shift was my Boss yelling at me and wondering why he couldn't crap in his favorite crapper. So I find myself standing at the door of one of the toilets. I had sent the Bot in to check out the problem with the toilet on the bottom deck. There the Bot sat staring into the toilet bowl. What the fuck?? The toaster was next to him, baffled with curiosity.

    I went to my station as fast as I could. Is he still sick?

    I began flipping through the Standard Operating Procedures manual.

    ...there will be times however, when a malfunction of the Environmental Controls will experience a sudden increase in pressure. This could result in a backwash of the Fluid Control networks, including the Waste Systems.

    OK, so his troubleshooting routines are still intact and back to normal.

    ...All haste should proceed to ensure blockage is removed. Bots with extended arms are best suited to perform this task.

    I hurried back down to the toilet and found the toilet walls, ceiling and floors covered with blockage.

    "Sometimes, you have to be the blockage." The Bot was covered with the nasty stuff.

    The toaster turns to me and says, "I reboots him and him gots confused."

    Undertaking an ol' mecha: Donations to the parts bin

    I discovered today the Bot had a very old unit benched up in its Lab.
    "Hims no longer boots!" the Toaster said with extreme insight ... for a primitive device.

    "That is correct my little Toaster." the Bot said, "This is one of my ancestors."

    The Toaster looked puzzled.

    "I #commented him out and now I will take out his useful circuits and other parts. I will use these snippets for future reference."

    "Hims does not boots!" the Toaster shrieked again.

    "It is no longer worth debugging it. It is EndOfLife and its maintenance has run out. It is no longer supported."

    "Him's modules look tasty." said the Toaster.

    The Bot could have looked shocked.

    My Front Porch

    Cafe Bustelo

    Without a doubt my coffee of choice. In certain areas of Mexico and Central America this is the morning drink. I was amazed that it was sold here in the states. Down the street is a supermarket that caters to the Hispanic community and cans of Bustelo are almost always sold out. Because of this, it is quite fresh when you purchase it either in the can or the brick.

    I recommend it.

    Hardcore

    It was about this time 10 years ago when I was in the middle of nowhere i.e. Big Bend area, surrounded by mountains, cougars, antelope and preparing for quail and dove hunting season. I hear the drone of a large aircraft. I look up and coming between two mountains is a huge low flying plane...a VERY BLACK Douglas DC-3 running drugs up from Mexico. It had no markings on it whatsoever and it was dark as midnight. The plane was headed for a desert road landing strip somewhere to the north of me, in the Desert Primeval. I didn't find out until years later, it got through everything because of a corrupt local sheriff who is now spending hard time in some prison here in Texas. He had betrayed everyone and he was a friend of mine.

    If I had seen another plane head towards my direction in the next moment, I would have thought that it was an invasion by the Mexican Air Force but the sound faded away and I was again in total silence on a crisp Fall day, with crystal blue sky and a slight chill in the air...some people call this a big sky day.

    I had four days in a row off from work so at the moment the plane flew over I thought to myself, "What the fuck are you doing here?" I gathered some gear together, stopped by the bank (where they still typed out everything on a bank typewriter) withdrew some greenbacks and started hammering down the highway as fast as possible, rolling stripes underneath me, heading for Ojinaga, Chihuahua. I was gonna get a room, find some moonshine, drive around town, and sit on a bar stool at my favorite Ojinaga bar and strike up a conversation with a pretty puta. Hell, I would pay her $10USD just to sit, talk and keep me company...that would be OK with her too. An easy $10 on a warm, lazy, slow afternoon. Yeah...us yankees throw it away or spend it on the wrong fucking things every time.

    Fall days there are bliss, no wind, warm and NOT hot. There, you can sit and talk your head off in any language, listen to those talking or pay another $10USD for a blowjob in the back. Hell, for $50USD you can watch two putas go at it together.

    But not today, not for me anyway. It was just not meant to be.

    ...Where I find myself in a rather odd and upright position somewhere

    While working on the bottle of Presidente brandy we were joined by another puta. She remembered me from the last time I was in Ojinaga. I thought that things would have gotten real interesting had it not been for my first clue that things would not be right today. This was my fate for today. Two lovely latinas on each side and the three of us warming ourselves like a Mountain Boomer in the sun.

    Across the plaza, on the south side, is the federales garrison. When I think all is right with the world and that the next three days might end up better than I thought, two trucks enter the plaza loaded with troops, then enter the garrison. I certainly don't know what's going on with that, but then no one else does either. People try to ignore them around the northern frontera.

    Every so often, society simply breaks down and goes kaput. I am not sure if it is a blip in the cultural fabric or if someone's genes get swizzled by the cosmic swizzle-stick. Maybe the answer is that all of earth is actually hell and we are all on the different levels. Unknown to me at the time, on that warm afternoon, a day earlier hell seemed to have clearly opened up. The day before, a crease in the fabric of society ripped open and exposed all its ugliness, violence and desperation.

    ----

    The teacher had her back to the room. After the school day was over she had begun writing tomorrow's lessons on the blackboard. Unknown to her at that moment, in this small school house a man was standing outside the school room door. The teacher hadn't noticed this, nor would she have needed to notice it. Yet that day would not be a normal one for her, and the same would be true the rest of her days.

    The man walked in as if he was a concerned parent that cared about his child's progress in school. With the speed of a predator, he covered the five feet between them. With the ferocity and viciousness of a predator he began to beat the teacher senseless until she was bloody and half-conscious. She tried to scream and struggle in the few seconds in which this happened, but the force of his blows was too sudden. He slapped her again and told her that she had better shut up or when he was finished he would kill her. She kept quiet.

    Within minutes of the rape, he vanished and the teacher was able to call the sheriff but in this tiny border town it took 30 minutes. As they rushed her to the hospital that was over 100 miles away she was able to give a good description of the man. The manhunt was on. It only took an hour to figure out that he had slipped immediately across the border into Mexico.

    It didn't matter to the men on the American side that the federales were dispatched to the Mexican village and within an hour or so had the suspect cornered and eventually jailed. It didn't matter that there were two legal systems involved. It didn't matter whether or not the Mexican government would give out justice either. What mattered to the men that night was that he would be brought back quickly to the American side of things. That indeed is what mattered most.

    ----

    RT my friend, pulls up and rolls down the window. He catches the 3 of us laughing. I look up and recognize that look. Something is up, he is the ONLY one that knows I am here and I sense that he would not do this if something was not wrong.

    "Hey come join us fuckwad! I have an extra sittin' here next to me and...it's on me." I tell him.

    "Hey Jag, come here for a second. I have something to tell you."

    I really don't like the look on his face.

    "We need a driver. Someone that knows these river roads on this side of the border." he said.

    I am having too much fun and so are my two lady friends.

    "There are lots of people that know these roads, damn it." I tell him.

    "Yeah well, most of them are running drugs across the border. We can't trust those kind of people." he said looking anxious.

    He tells me what happened to the school teacher and why they want me. His idea sucks, I am having fun, it is dangerous and I am looking forward to a party weekend.

    ----

    ...Where I find myself on a dirt road in the middle of the night...in Mexico again.

    Felonious crimes (other than drug trafficking) were not that common for hundreds of miles in any direction around here, especially in Mexico. When one happened that was all the talk. If facts were missing, people tend to fill them in. I always realized this. So I was not sure the story was correct that I was being told.

    My decision came down to what kind of exciting weekend I wanted to have. As ludicrous as it sounded, the more curious I became. All I had to do was drive and know where I was going.

    "Ladies...con permiso, I must leave." I told them and they each giggled. No one, especially federale troops, treats putas that way.

    I peeled off another $10USD each, gave the money to the ladies and jumped in RT's souped up Ford Bronco. I pined as I looked back and watched as my lost weekend faded away from my grasp. RT noticed me looking back and waving to my senoritas.

    "Sorry to do this to ya." RT told me. "I will make it up to you some time."

    The two of us roared off back across the Rio Bravo del Norte and another hour or so down the river road; "Fuck it." I thought.

    ----

    The sun drops to the deck quickly that time of year and as we approached the small border town it was getting dark. We met another car load of men and drove up a dirt road that gave us a view of the river, the small border town and the village on the Mexican side of the river. The men in the Bronco focused their discussions and attention on the bodega below in the small village in Mexico.

    For the next four hours we sat and went over the plans a number of times until there was no doubt in anyone's mind about what to do. The other men had been planning this beforehand but they had to make sure that I knew what was to happen.

    At 23:00 we proceeded down to the river crossing. The other men in the Bronco checked their weapons. M16s and AK-47s were abundant here, they're just not visible to most people. I was nervous and the plan was for four men to go in commando-style, get the prisoner, bring him back across the border and turn him in; the sheriff would take care of the rest.

    The men then, dressed in dark clothes, bailed out of the Bronco and left the doors open for their return. They ran about fifty yards and entered the bodega yelling in Spanish for everyone to hit the deck. Minutes that seemed like hours passed. The fact that there was no gunfire seemed to me to be a good sign. I was to wait for a signal to start the Bronco when they signaled me. I waited...

    Yelling started up again and then a gunshot echoed down the river in the previously silent night and I started worrying. Shit, what a fucked up mess this could have turned out to be.

    "WHY DID I LEAVE OJINAGA, YOU DIP SHIT?"

    My biggest concern was getting caught by the federales. Had I known at the time I wouldn't have worried. He was going to be transported the next day. The long wait finally ended as I noticed that they were dragging the prisoner towards the truck as if he were dead weight. As the men approached they signaled me to start the truck. They were close enough for me to see desert dust trailing the prisoner from behind.

    The prisoner was bound with his hands behind him as they went to the back of the Bronco. They opened the back and threw him in and bound his feet. Another man jumped in with him to guard him. The rest of the men got in, slammed the doors and started yelling for me to go, go, go. I tore ass out of there. I was driving like hell in the dark, with only a spot light on, until I hit the crossing into the U.S. Finally, we made the highway and I sped twenty miles down the road, far enough away so that anyone chasing us would have been seen. We stopped for a few minutes to collect our thoughts. A mile or so ahead was a Border Patrol checkpoint we needed to get past.

    "Don't worry about that." one of the men pointed out to me. "Just drive up to the checkpoint like you normally would do. They will just wave you through."

    "What then? What are we gonna do with this scum?" I asked. They hadn't really said what we were going to do with this guy.

    "Turn him in." was the short answer from the back.

    As we approached the county seat and climbed up and through the pass, a voice blurted out, "Stop at the roadside park when you get there."

    I was freaked, "what were they planning?" I thought.

    I pulled off the road and shut down. There was a definite chill in the air. There was a rumbling and scuffling in the back as the men threw the prisoner to the ground. They started duct taping his mouth and adding more tape to his already bound hands and feet. Then from the plastic bag they pulled out a pair of scissors, bolt cutters and a knife.

    I stood there with a racing mind scared and totally freaked out. Again I asked myself why in ever-loving hell would I have even thought of doing this instead of being soused, in a hot tub with two latina ladies? What possessed me to make such a stupid decision? To throw law and order out the window and have the winds decide his fate? Leave him for the buzzards as they sun themselves in the morning's first light? Even a small mob rules.

    As I went through this moralizing and mental hand-wringing, three men began to cut and rip the bound prisoner's clothes off until he was completely naked. I thought for a moment they were going to rape him with something. The fourth man brought out a roll of barbed wire while the others drug the man over to a tree. All of the men were swearing and cursing the poor fuck as they bound him to the tree and wrapped him in barbed wire. When they finished, all of them at the same time urinated on his face.

    "Let's go!" one of them said. "Yeah, let's leave this fuck here until we call it in or someone finds 'im!"

    ----

    I woke up that morning as if it were a normal day. I made pancakes and the thought did occur to me about going back down to Ojinaga. The thought was only a fleeting one. The next afternoon, the Pirate called me.

    "Turn on CNN man, our town made the news!" he said. "They caught that guy that raped the teacher, tied up with barbed wire!"

    From the Bottom of a Bottle of Rye Whiskey

    I.

    The Doctor Looks At My Chart...

    and decides I will live to be 100.

    Then she tells me to quit drinking.

    I then take an emergency trip to Ciudad Chihuahua to watch federales gun down Indians and other drug crazed members of the Mexican society.

    Federales have no fucking sense of humor about anything.

    I suppose it is altogether fitting then that while sitting in a dirt floor putaria drinking sotol, a legless Yaqui Indian rolls up on a cart and tells me...

    "For five dollars" (in broken Spanish/Yaqui of course), "I can show you one hell of a time."

    I am not interested. I just wanna sit here at the bar, mind my own business and get drunk. Maybe I can pay a puta a 5 spot to play with her titties but that's about it.

    I give the Yaqui Indian a couple of bucks.

    "Here ya go, now you can scram unless there is something else I can do for you."

    "Si senor, yes you can."

    OK so I bite. I am in a bar not far from the cathedral so how bad can it get? I give the Yaqui Indian another 5 bucks USian and his eyes light up. It's hard not looking down on him since he is basically sitting on the floor rollin' around the place. The odd thing is that nobody but me and the bartender seems to notice him.

    The bartender nods like he is pleased with my transactions with the Indian.

    "Follow me" he says, "I know where we need to go."

    I am still buying this line of bullshit and I buy a bottle of Mexican moonshine and walk outside to the sidewalk. A taxi is waiting for us and I jump in the cab. The Yaqui gets into the back seat, cart, legless and all.

    "Say hombre how'd ya lose them legs?" I ask.

    The Yaqui tells the cab driver something in Yaqui that I am unable to decipher and off we go.

    "Senor, don't be concerned about my lack of legs." he said.

    Now I am starting to get a little concerned.

    We end up on the outskirts somewhere outside of Ciudad Chihuahua. The blinding desert, seething with the smell of Mexico, raw desert air and my own unmistakable sense of inebriation combine into a vision that is somewhat illusory. We have arrived in an obscure Yaqui campsite.

    Terribly skinny mutts walk around and shit everywhere which is odd because no one really knows how they are being fed. Shit eating dogs eating shit and the circle is complete.

    I ask myself, "Why the fuck are you here? A gringo in a land of bandits, drug traffickers and campesinos."

    I am such a dumbass, I willfully admit.

    "Senor," he said "we want you to see something and take it back with you to the US."

    "I really don't wanna see anything you wanna show me." I said.

    "But Senor," he continues, "Dees ees bery importante!"

    I am beginning not to like this at all. It is starting to become scary.

    The Vaseline Machine Gun Bitch: II

    II.

    My guts start to liquefy onto the desert floor where I am standing. I decide I better pull it together or I will never get outta here.

    Then she appears. A curandera appears from nowhere. Small clouds of powdered caliche billow up over her sandals and make her toes dirty. She approaches me with deliberation and a blank smile. I don't know why but I know she is a healer.

    I decided then and there I didn't need another witch doctor looking at me. Why on earth did the legless Indian bring me here? I look down at him but his and everyone's eyes are on her approach.

    The curandera strides up to me and stops about 12 inches from my face. Without blinking an eye she rips open my guayabera shirt and pops off all the buttons before I realize what she has done.

    She puts her hand flat on my chest just over my heart.

    "You gringos smell bad." she said.

    It's NOT like this bunch smell like roses either. I am not sure how much first impressions count here but I decided to take a big swig of the moonshine while we stare at each other. Neither of us are grinning. Besides, standing face to face with this curandera is making me shake like a dog shittin' a peach stone.

    "Haha!" the Yaqui roller-cart man says. Then in PERFECT ENGLISH...

    "Be careful what you say next, gringo. You don't want her to do to your pants what she did to your shirt."

    Now I know I am in trouble cuz this legless Indian speaks perfect English. The curandera barks something in Indian to the legless man, then turns to me again.

    "Your heart is strong, but your mind is weak" she says.

    Ha! I could have told her that and I thought about what she said for a second or two and then offered her some moonshine. She grabs the bottle and tips it up, swishes the moonshine around her mouth and spits it on one of the skinny Indian dogs unfortunate enough to be at the wrong place at the wrong time. It yelps and runs off.

    "What the fuck?" I say and at any other place and time this would have been an insult to spit out an offered drink. "Fuck it". I say under my breath.

    A desert hot dust devil whirls through the camp and blows up her skirt. It's a Marilyn Monroe type of scene. She doesn't flinch. It carries away some of the delusions I have been having for the moment. I hand the bottle to the legless Yaqui man on the roller cart and he takes a nip of it and then another.

    He's enjoying this for some reason and I am getting nervous. The dogs quit yapping, they get disinterested in me, the stranger and trotted off looking for some shit or whatever. In the distance I hear an AM radio playing some narcocorrido music. It's coming from a Ford F150 beat up pickup, the windshield is decorated with small dangling pom-poms and the traditional plastic Jesus on the dashboard.

    "You need to be healed." the curandera says. "Your stench gives you away."

    "Yeah," I said. "Your sn......."

    I stopped myself and didn't say what it was that I thought gave her away. Chances were, judging from her general demeanor, had I said what I felt she would have shot my balls off and fed 'em to those damn camp dogs and my day would really have been ruined.

    She returned to where ever she came from in the same manner she arrived. People started scurrying around and it was only me and the legless Indian who was getting ready to knife one of the camp dogs, for pretending to pee on his pitiful condition.

    We are now approached by someone new. He's wearing a long sleeved gimme shirt, a cheap and dirty pair of pants and a pair of knockoff Nikes.

    What's the purpose of all this? I wonder...

    I'm A Steamed Bratwurst In A Basket of Fries: III

    III.

    The badly dressed Mexican looks way too serious for my liking.

    "The curandera", he said, "she would like you to follow me to prepare you for dees cleansing."

    I look down at the legless Indian, he's shrugging his shoulders. "No way fuckhead." I said. "Sounds too much like a colonic."

    "What ees a colonic?...You have no choice in dees matter." he said, "Please follow me."

    A guy wielding a machete really shouldn't be trifled with, especially if his main ally is a spooky witch doctor of some kind. The Legless Indian moans briefly that his legs hurt.

    "Dude," I said, "You don't have any legs. It's phantom pain."

    Note to self, I need to ask this wacko how he lost his legs. I suspect they were lost in a cock fight in some back alley in Ciudad de Chihuahua after refusing to pay off his gambling debts.

    The Man With A Machete lights up a smelly cigar and acts as if he just entered heaven. Then he motions us to this shack that looks like an upside-down basket with blankets thrown over it. Not far from the door is a large pit with red hot coals.

    "Streep yourself naked Senor." he said. "You must be cleansed." He raises the machete over his head.

    "Bullshit!" I tell him but immediately begin to comply. I hear mumblings inside the hut.

    A squat woman with skinny legs approaches us with a bowl of dried green leafy crap of some kind. She sets it down and starts rubbing the herbs over my body and what little body there is of the Legless Indian. Each moment gets more bizarre and although I haven't showered for 24 hours I smell as bad as anyone would in 100+ degree F heat. I was, after all, sitting in a nice cool bar minding my own business when all this shit started.

    We're told next to enter the hut. I let the Legless Indian go first. The guy has a knack for walking with his hands instead of legs. The thought does cross my mind that he may have been some gold medal winner in the Mexican Special Olympics. I enter by backing in. I had to crouch down since the blanket covered hut was only 4 feet high at best.

    "Don't fart Senor. It's cramped in here."

    Inside is completely dark except the center where there is a pit of glowing red hot rocks, each about the size of two fists. My eyes adjust to this scene and to my right the naked curandera is sitting cross-legged. Her eyes are closed and she doesn't say a word. No greeting, no fuck you just silence. Heat is radiating out from the glowing pit. I feel like passing out.

    The curandera says something in Indian, takes a gourd-looking ladle, fills it from a pot and empties it onto the glowing rocks in the pit. Steam explodes off the rocks like a gunshot. We are immediately covered with superheated dry steam and I have to cover my face.

    "Jesus!" I yell out.

    "Silence gringo!"

    Then she pours more of the noxious liquid on the still glowing rocks and I feel myself about to pass out. I am light-headed and somewhat nauseous from the moonshine pouring out of every pore of my skin.

    I feel myself blacking out so I try to keep from falling into the glowing rocks. I do remember falling on the Legless Indian and I started having weird dreams of leprechauns and gnomes.

    Then nothing at all.

    Ballad of a Very Thin Man: IV

    IV.

    Now you see this one-eyed midget
    Shouting the word now
    And you say, for what reason?
    And he says, how?
    And you say, what does this mean?
    And he screams back, youre a cow
    Give me some milk
    Or else go home
    Ballad of a Thin Man - Bob Dylan

    I wake up, fully dressed underneath the shadow of a mesquite tree. One of the camp dogs is licking my toes. I notice that the Legless Indian is trying to dislodge it from my foot by throwing rocks at it. They are uncanny in being able to dodge the thrown missiles.

    "Senor, if I may say so, you are a wimp."

    "What's next?" I said, "Walking on red hot coals followed by laying on broken glass bottles? I'm getting outta here this place sucks. It ain't fun anymore."

    "Senor," he said, "it will do no good to leave. Dees indios can track a mouse at midnight in a fart, through the desert."

    I had to admit it was hopeless. He motioned me to enter the hut where la curandera lived. My initial thought of doing this was one of puking my guts out, but curiosity decided to win the day. There was no quick way out of the camp and maybe the cleansing did something to my formerly alcohol-addled brain.

    I needed a drink and this place was clean as a whistle.

    At this point I was curious about the shenanigans of this carnival.

    "la curandera wants to see you", the badly dressed man said.

    "I don't have nothin' to say to her." I said, "All I want from her or whoever, is a one way ticket out of here."

    I had no idea if that would have any effect on anyone around here. I doubted that anything would happen. What does everyone do around here anyway?

    I made my way to her small house and was told to enter. The roller-coaster-Yaqui-on-wheels refused to go in. He looked white as a ghost and gray around the ears. "Senor, dees ees your gig. I'm staying out of it." I suppose he's right but after all he still got me talked into this mess.

    Had I had a couple of drinks I wouldn't have been so shocked when I stepped in with the smell of all those herbs hammering my nostrils. It was dark as a cave and smelled as earthy as one.

    "Seet and don't speak." she said.

    "But..."

    "Shh...You talk too much and when you do, eet's stupid." she said. "I need you to do this one thing for me. Then your journey is over. You're free to go any time you wish."

    I listened to her for about five minutes and I nearly fell out of my chair. I was intrigued and mildly amused. I figured that if nothing else this would be a fitting conclusion to a ridiculous ordeal. I had no idea why she wanted me to do this.

    It would become apparent soon.

    You hand in your ticket
    And you go watch the geek
    Who immediately walks up to you
    When he hears you speak
    And says, how does it feel
    To be such a freak?
    And you say, impossible
    As he hands you a bone

    Because something is happening here
    But you don't know what it is
    Do you, Mister Jones?

    It's a whiskey, rye whiskey, rye whiskey I cry
    If I don't get rye whiskey, well, I think I will die

    I'll eat when I'm hungry, I'll drink when I'm dry
    If the hard times don't kill me, I'll lay down and die
    I'll tune up my fiddle and I 'll rosin my bow
    I'll make myself welcome, wherever I go
    Rye Whiskey - Tex Ritter

    I had to admit it. Her suggestion was quite reasonable if not completely off the wall. I suppose she knew this stuff better than I did and it was spooky.

    I have read many times that if you commit suicide, then you are doomed to repeat that act over and over until the end of time. I never believed it. Not really and not ever.

    One evening I found myself in a flop house of horrors in some unknown city in Northern Mexico, surrounded by pinheads, leprechauns and gnomes, spinning the cylinder of a loaded revolver next to a box of shells. This was it, I'd had it and no more of this crap. I gave the instrument of my demise one last look and put it to my head. In one smooth motion I cocked the hammer back, squeezed the trigger then heard a click and then a brain-rattling noise. My neck was sore from the force of the blast.

    There wasn't much left that I wanted to see anymore.

    The next thing I notice is that I am sitting at the same table, with the same revolver in my hand next to the same box of shells with one empty shell casing in the cylinder. Amazed that I had fucked up something so simple, I looked at the revolver and found an empty shell casing. I must have grazed myself but I felt nothing and there was no mess on the wall.

    "GAWD DAMMIT" I said to myself.

    I decided the next time I would do it right and stuck the cocked gun's barrel in my mouth and once again pulled the trigger. Once again I heard a click then an incredible noise and once again I found an empty shell casing in the cylinder.

    And again I looked around and saw no blood, no splattered brains, no smell of powder, no powder burns...nothing. It was like hitting the rewind button during "Debbie Does Dallas" and ending up at the same spot every time where she's getting plowed. This went on round after round until the box of shells was emptied and having tried blowing the back of my head off. The only result before the end was a click and an explosion and a white light. I found myself reloading the emptied cylinder until the box of shells were empty.

    A futile attempt at total lameness that quickly progressed into a hilarious comedy of some freakish show.

    I suppose that to most it appears that they have taken their lives and don't realize they are stuck in this loop and keep repeating it to this very minute...over and over trying not to be a failure in this one thing in life.

    Looking back at it (and what I have learned since), that was when I first experienced the horrid Quantum Immortality and Suicide. From then on existence to eternity would be the strangest anyone could imagine. An existence that no one would ever believe in a million years...not even now...not even you.

    Way up on Clinch Mountain I wander alone
    I'm as drunk as the devil, oh, let me alone
    You may boast of your knowledge an' brag of your sense
    'Twill all be forgotten a hundred years hence

    Rye whiskey, rye whiskey, you're no friend to me
    You killed my poor daddy, God damn you, try me

    The Fight Against Spam


    Spam: Death By A Million Paper Cuts
    The organization I work for receives 19-20 UCEs (Unsolicited Commercial Email) per second: 1.7-2 million potential UCEs per day, 11.7 million per week. I only have 13,000 email users. These users were desperate and email for many was unusable. Another co-worker and I had 3 months to implement a plan to get rid of most of it. I had to document every step we took and I had one shot to accomplish this. At the end of that time it had to work and it had to be noticeable.

    I am not an expert on spam. However, I have learned many things about UCEs and what can be done to fight it and how to adjust to UCEs' dynamic nature.

    Our goal was to:
    * Replace our aging Linux/Sendmail gateway
    * Use a sane and stable MTA (e.g. Postfix, Exim, qmail)
    * Prevent spammer dictionary attacks
    * Block certain countries (country DNSBL) from sending spam and make our domain invisible to new spammers in those countries.
    * Accept only email that is RFC 821 compliant
    * Use two or three DNSBLs (PSBL, Spamcop and Spamhaus) via datafeeds and local DNS lookups.
    * Implement nolisting and greylisting.
    * Minimize false positives and keep them to a manageable level.
    * Block as much spam as possible BEFORE any DATA was sent to keep network and server loads sane.
    What follows is how we accomplished it. This is not a howto on the subject but I hope it will be useful to anyone that runs a mail server regardless of the size of the organization.

    The Problem?: RFC 821
    The problem with email and UCEs is that SMTP is a very trusting protocol: a server-to-server transfer requires no authentication at all. Later RFCs added authentication (SMTP AUTH, used by clients submitting mail to their own server), but an MX that accepts mail for your domain must by design accept connections from any host on the Internet. Simple Mail Transfer Protocol is simple. Below is all that is required to send an email. First the two servers open a TCP connection, which anyone can do. Note: S = Sender and R = Receiver.

    The Sender opens a TCP connection to port 25, the SMTP port:
    telnet mx.example.com 25
    R: 220 mx.example.com Simple Mail Transfer Service Ready
    S: HELO mx.myexample.com
    R: 250 mx.example.com

    Once this is completed successfully, the sender begins the rest of the transmission.
    S: MAIL FROM:<user@myexample.com>
    R: 250 OK
    S: RCPT TO:<user@example.com>
    R: 250 OK
    S: DATA
    R: 354 Start mail input; end with <CRLF>.<CRLF>
    S: This is where all the email message/body goes
    S: ...etc. etc. etc.
    S: .
    R: 250 OK
    Once this happens the Sender is ready to close the transmission.
    S: QUIT
    R: 221 mx.example.com Service closing transmission channel
    Now let's look at an example SMTP transmission on Postfix. Note that the 250 reply to HELO carries the receiving server's own name, not the name the client announced:
    Connected to mx.example.com.
    Escape character is '^]'.
    R: 220 mx1.example.com ESMTP Postfix
    S: HELO myexample.com
    R: 250 mx1.example.com
    S: MAIL FROM:<user@myexample.com>
    R: 250 2.1.0 Ok
    S: RCPT TO:<user@example.com>
    R: 250 2.1.5 Ok
    S: DATA
    R: 354 End data with <CR><LF>.<CR><LF>
    S: Subject: Testing
    S: 
    S: this is a test
    S: .
    R: 250 2.0.0 Ok: queued as A277539820
    S: QUIT
    R: 221 2.0.0 Bye
    Connection closed by foreign host.
    The email is then sent on its way.

    RFC 821 has since been superseded (by RFC 2821 and now RFC 5321), and RFC 1651, later RFC 1869, added the service-extension mechanism: a client that says EHLO instead of HELO gets back the list of extensions the server supports. Most if not all mail exchangers use the extended dialogue, and the standard remains backward compatible with a plain RFC 821 HELO.
    R: 220 example.com ESMTP Postfix
    S: EHLO myexample.com
    R: 250-example.com
    R: 250-SIZE 10240000
    R: 250-ETRN
    R: 250-ENHANCEDSTATUSCODES
    R: 250-8BITMIME
    R: 250 DSN
    S: MAIL FROM:<user@myexample.com>
    R: 250 2.1.0 Ok
    S: RCPT TO:<user@example.com>
    R: 250 2.1.5 Ok
    S: DATA
    R: 354 End data with <CR><LF>.<CR><LF>
    S: Subject: this is a test
    S: 
    S: This is a test
    S: .
    R: 250 2.0.0 Ok: queued as 87E9639828
    S: QUIT
    R: 221 2.0.0 Bye
    Connection closed by foreign host.
    Why go through all this?
    The purpose of showing the above is to point out where you want to stop most UCEs from entering your network: at or just after the RCPT TO: command, before any message data arrives. Up to that point the conversation is a couple of hundred bytes at most. Once the DATA command is accepted the stream grows to roughly 3000 bytes for a text-only message, and far more with an attachment. If you can reject UCEs before they send their payload you save bandwidth, server and network resources. Postfix makes this very easy to do: by default it postpones its restriction checks until RCPT TO arrives (smtpd_delay_reject = yes), so every rejection described below happens before DATA.

    The MTA (Mail Transfer Agent)
    I have worked for years with sendmail and for the most part hated it. Sendmail is time consuming. The only satisfaction I would get was to get something configured correctly. But sendmail is still a difficult MTA to configure. When Postfix hit version 2.0 I converted to that. Why? Although sendmail is an excellent MTA and for years a "standard" workhorse that moved billions of emails over the Internet, Postfix is much more flexible and configuring it is a more sane task. So for me it was not a difficult decision to go with Postfix. I recommend Postfix or any other MTA over sendmail to anyone. The amount of time you spend learning it is far more rewarding than an equal amount of time learning sendmail. This is probably true with the other non-sendmail MTAs.

    In Postfix's main.cf, near the end of the file but before smtpd_recipient_restrictions, add the following two settings. They help by slowing down dictionary attacks and by insisting that the sender at least follows RFC 821; many spammers and zombie mailers do not, so this knocks a few of them out.

    smtpd_helo_required = yes - the client must send HELO or EHLO before MAIL FROM
    disable_vrfy_command = yes - the client cannot use VRFY to probe which addresses exist

    Postfix comes with built-in anti-UCE mechanisms. I will go over the important ones; there are many and it is not necessary to use all of them. The important ones are the ones placed under smtpd_recipient_restrictions. Order is important: Postfix evaluates the list top to bottom and stops at the first restriction that permits or rejects the request, so if you mess up here (an unconditional permit ahead of reject_unauth_destination, for instance) you can turn your system into an open relay. While testing, you can prefix any restriction with warn_if_reject, like so:
    warn_if_reject reject_unauth_destination,
    Then look in your maillog for reject_warning entries to see the effect the restriction would have had were it in force.

    Here are the basic anti-UCE controls Postfix uses:
    reject_invalid_hostname - Many non-legit senders issue nonsensical hostnames in the HELO or EHLO stage, so get rid of them. RFC 821 compliant mailers announce exactly who they are, so we let them through. (Postfix 2.3 and later spell this reject_invalid_helo_hostname; the old name still works.)
    reject_non_fqdn_hostname - Also an RFC check: the HELO name must be a fully qualified domain name such as mx.example.com. (reject_non_fqdn_helo_hostname in Postfix 2.3 and later.)
    reject_non_fqdn_sender - Reject the request when the MAIL FROM address is not in fully-qualified domain form, as required by the RFC.
    reject_non_fqdn_recipient - Reject the request when the RCPT TO address is not in fully-qualified domain form, as required by the RFC.
    reject_unknown_sender_domain - Reject the request when Postfix is not the final destination for the sender address and the MAIL FROM domain has no DNS A or MX record, or has a malformed MX record such as one with a zero-length MX hostname. Every legitimate sender domain has an MX or at least an A record; many spammer and zombie domains do not.
    reject_unknown_recipient_domain - Similar to the one above: reject the request when Postfix is not the final destination for the recipient address and the RCPT TO domain has no DNS A or MX record, or has a malformed MX record such as one with a zero-length MX hostname.
    permit_mynetworks - Permit the request when the client is in $mynetworks, so your own users can relay outbound mail. It belongs before reject_unauth_destination, and it is the only permit that belongs there.
    reject_unauth_destination - Reject the request unless either Postfix is a mail forwarder for it (the resolved RCPT TO address matches $relay_domains or a subdomain thereof and contains no sender-specified routing such as user@elsewhere@domain) or Postfix is the final destination (the resolved RCPT TO address matches $mydestination, $inet_interfaces, $proxy_interfaces, $virtual_alias_domains or $virtual_mailbox_domains, again with no sender-specified routing). This is the restriction that keeps you from being an open relay; leave it out, or put an unconditional permit ahead of it, and anyone on the Internet can relay through you.

    If you refer back to the legitimate transmissions above, you will see that all the above controls reject email at RCPT TO, before the DATA command and therefore before the payload is sent. On days when I get blasted by spammers the above directives alone kill up to 10% of the spam. Obviously this is not enough, but it is low cost and necessary.
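To make the two points above concrete (the fate of a message is decided at RCPT TO, and the order of smtpd_recipient_restrictions decides whether you are an open relay), here is an added example in Python. It is not code from this article or from Postfix: the restriction names follow Postfix's, but the checks are a model, the destination domains, the 192.0.2.0/24 "mynetworks" range and the table standing in for DNS are assumptions, and the replies are shaped after the ones Postfix sends.

```python
"""Toy SMTP receiver that, like Postfix, evaluates its recipient restrictions
at RCPT TO, before any message data is accepted.  Added example, not code
from the article or from Postfix: restriction names follow Postfix but the
logic is a model, and DNS is replaced by a constructed table."""
import ipaddress
import re

MYDESTINATION = {"example.com", "mx1.example.com"}            # assumed
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24")]           # assumed LAN
KNOWN_DOMAINS = {"example.com", "myexample.com"}              # stand-in for DNS A/MX lookups
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def _domain(addr):
    return addr.rpartition("@")[2].lower()

# Every restriction returns ("REJECT", reply), ("OK", None) or ("DUNNO", None).
# OK ends the list with a permit, DUNNO falls through to the next one.
def reject_non_fqdn_hostname(s):
    if not FQDN_RE.match(s["helo"] or ""):
        return "REJECT", f"504 5.5.2 <{s['helo']}>: Helo command rejected: need fully-qualified hostname"
    return "DUNNO", None

def reject_non_fqdn_sender(s):
    if s["sender"] and not FQDN_RE.match(_domain(s["sender"])):
        return "REJECT", f"504 5.5.2 <{s['sender']}>: Sender address rejected: need fully-qualified address"
    return "DUNNO", None

def reject_unknown_sender_domain(s):
    if s["sender"] and _domain(s["sender"]) not in KNOWN_DOMAINS:
        return "REJECT", f"450 4.1.8 <{s['sender']}>: Sender address rejected: Domain not found"
    return "DUNNO", None

def permit_mynetworks(s):
    ip = ipaddress.ip_address(s["client_ip"])
    return ("OK", None) if any(ip in n for n in MYNETWORKS) else ("DUNNO", None)

def reject_unauth_destination(s):
    if _domain(s["rcpt"]) not in MYDESTINATION:
        return "REJECT", f"554 5.7.1 <{s['rcpt']}>: Relay access denied"
    return "DUNNO", None

def permit(s):
    return "OK", None

SAFE_ORDER = [reject_non_fqdn_hostname, reject_non_fqdn_sender,
              reject_unknown_sender_domain, permit_mynetworks,
              reject_unauth_destination, permit]
# The mistake the article warns about: an unconditional permit ahead of
# reject_unauth_destination makes the host an open relay.
OPEN_RELAY_ORDER = [reject_non_fqdn_hostname, permit, reject_unauth_destination]

def evaluate(restrictions, s):
    for r in restrictions:
        verdict, reply = r(s)
        if verdict == "REJECT":
            return reply
        if verdict == "OK":
            break
    return "250 2.1.5 Ok"

def smtp_session(client_ip, client_lines, restrictions=SAFE_ORDER, helo_required=True):
    """Feed a client's command lines to the receiver; return its replies in order.
    The 250 reply to HELO/EHLO names the *server*, as RFC 5321 requires."""
    s = {"client_ip": client_ip, "helo": None, "sender": None, "rcpt": None}
    replies, in_data = ["220 mx1.example.com ESMTP"], False
    for line in client_lines:
        if in_data:                       # swallow the payload up to the lone dot
            if line == ".":
                in_data = False
                replies.append("250 2.0.0 Ok: queued")
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            s["helo"] = arg.strip()
            replies.append("250 mx1.example.com")
        elif verb == "MAIL":
            if helo_required and s["helo"] is None:     # smtpd_helo_required = yes
                replies.append("503 5.5.1 Error: send HELO/EHLO first")
                continue
            s["sender"] = arg.partition(":")[2].strip().strip("<>")
            replies.append("250 2.1.0 Ok")
        elif verb == "RCPT":
            s["rcpt"] = arg.partition(":")[2].strip().strip("<>")
            replies.append(evaluate(restrictions, s))  # the decision point: no DATA yet
        elif verb == "DATA":
            if not replies[-1].startswith("250 2.1.5"):
                replies.append("554 5.5.1 Error: no valid recipients")
            else:
                in_data = True
                replies.append("354 End data with <CR><LF>.<CR><LF>")
        elif verb == "QUIT":
            replies.append("221 2.0.0 Bye")
        else:
            replies.append("502 5.5.2 Error: command not recognized")
    return replies
```

With SAFE_ORDER, an outside client that tries to relay to a third-party domain gets "554 5.7.1 ... Relay access denied" at RCPT TO and its DATA is refused, so the payload never crosses the wire; with OPEN_RELAY_ORDER the same client gets 250 and the relay goes through. That difference is exactly what warn_if_reject is for catching before it bites.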

    The next restrictions you want to use are block lists. This can be a very slippery area and not one to take lightly.

    Why Block Lists?
    I once hated them. They produced many false positives and for the most part were operated by questionable people. Getting off a list was nearly impossible for some and seemed irrational. I had at one time been a victim of spamcop.net. In short, I hated block lists. Some time ago Al Iverson started dnsbl.com, which is an excellent resource reviewing and analyzing the various block lists. His criteria are simple: percentage of accuracy and percentage of false positives. The higher the accuracy and the lower the false positives, the better the overall rating of the list.

    An RBL (Realtime Block List; the generic term is DNSBL, a DNS-based block list) is like having a staff that does nothing but check reports of spam. Very large commercial ISPs do in fact hire a number of people that do just that. Google, Yahoo, MSN and AOL have people on duty that check spam reports. I don't have that luxury and probably 99% of you don't either.

    There is a downside to using a block list. There are lots of them, and you have to consider what will happen if you use them. Even though Spamhaus and lately Spamcop have extremely low false positives, you may still have a problem or two occasionally. They will block lots of spam, but unless you use extremely aggressive lists some spam will still get through. No single method works; a combination of methods will get rid of most of it. Don't rely entirely on block lists.

    I chose only 3 block lists, none of them very aggressive: Spamhaus Zen (which includes the SBL, XBL and PBL), Spamcop and PSBL (Passive Spam Block List). I chose these because of their extremely low false positives and their high percentage of accuracy, according to dnsbl.com. Because of the volume of email that we receive, I had to subscribe to the datafeeds of the above lists, in particular Spamhaus. If your email volume is not more than a few thousand messages per day this should not be necessary. In any case it is a bargain.

    In smtpd_recipient_restrictions, after permit_mynetworks and reject_unauth_destination, we place the DNSBL checks like so:
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client zen.dnsbl,

    The first statement looks up the connecting client's IP address, octets reversed, under bl.spamcop.net (203.0.113.5 becomes 5.113.0.203.bl.spamcop.net). If it is listed, the RCPT TO command is rejected and no DATA is ever accepted. The second statement uses a local zone name (zen.dnsbl) rather than the public zen.spamhaus.org, so it will not work until you install and configure BIND 9.x and rbldnsd to serve that zone from the datafeed. More about this in a minute.
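Here is the lookup that reject_rbl_client performs, as an added example in Python rather than Postfix's own code: the octets of the client address are reversed and prefixed to the zone name, and the A record that comes back (always inside 127.0.0.0/8) says which sub-list matched. The Spamhaus Zen return codes are the published ones; the resolver is a constructed table so the script runs offline, and zen.dnsbl is the local zone name used above.

```python
"""DNSBL lookup as performed by a reject_rbl_client style check.
Added example, not from the article or from Postfix.  The resolver is a
constructed table (the listings below are not real), so it runs offline;
the query-name construction and the Zen return codes are the real ones."""
import ipaddress

# Spamhaus Zen answers with 127.0.0.x; the low byte says which sub-list hit.
ZEN_CODES = {2: "SBL", 3: "SBL CSS", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
             9: "SBL DROP", 10: "PBL", 11: "PBL"}
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")

def dnsbl_query_name(client_ip, zone):
    """Reverse the octets of an IPv4 address and append the zone name."""
    ip = ipaddress.IPv4Address(client_ip)          # raises on IPv6 or garbage
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def dnsbl_check(client_ip, zone, resolve):
    """resolve(name) -> list of A records, [] for NXDOMAIN.
    Returns (listed, reason).  Answers outside 127.0.0.0/8 are ignored: a
    stale, wildcarded or hijacked zone must not start rejecting all mail."""
    answers = resolve(dnsbl_query_name(client_ip, zone))
    hits = [a for a in answers if ipaddress.IPv4Address(a) in LOOPBACK]
    if not hits:
        return False, None
    if zone.startswith("zen."):
        lists = sorted({ZEN_CODES.get(int(a.rsplit(".", 1)[1]), "unknown") for a in hits})
        return True, f"listed in Spamhaus Zen ({', '.join(lists)})"
    return True, f"listed in {zone}"

# Constructed stand-in for DNS (documentation addresses, made-up listings).
FAKE_DNS = {
    "5.113.0.203.zen.dnsbl": ["127.0.0.4", "127.0.0.11"],   # XBL and PBL
    "7.113.0.203.bl.spamcop.net": ["127.0.0.2"],
    "9.113.0.203.zen.dnsbl": ["10.0.0.1"],                  # bogus answer, not 127/8
}

def fake_resolve(name):
    return FAKE_DNS.get(name, [])

def rbl_verdict(client_ip, zones=("bl.spamcop.net", "zen.dnsbl"), resolve=fake_resolve):
    """Mimic reject_rbl_client: the first listing zone wins, and the 554 is
    issued at RCPT TO, before any DATA."""
    for zone in zones:
        listed, reason = dnsbl_check(client_ip, zone, resolve)
        if listed:
            return (f"554 5.7.1 Service unavailable; Client host [{client_ip}] "
                    f"blocked using {zone}; {reason}")
    return "DUNNO"
```

The 127/8 check matters in practice: a DNSBL that is shut down and wildcarded, or a local rbldnsd zone fed a bad file, can answer every query, and without the sanity check every client would be rejected.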

    Blocking Countries: YMMV
    This is real controversial for a lot of email administrators and many administrators do not do it. I do not recommend it unless you do a lot of analysis of your log files and do a comprehensive check of your business rules. If you do not take the time to do this analysis then don't block countries at all or you will be sorry. This is especially true if e-commerce is a critical part of your business. YOU HAVE BEEN WARNED.

    I spent about a month analyzing log files to determine where most of our spam was coming from and I developed a "Top 10" list of countries and checked them against the Whois registry.

    Next I wanted to minimize my bandwidth to the Internet, so I installed BIND 9.x and rbldnsd to do local lookups of my RBLs and of the blocked-countries list I had compiled. I accomplished this by creating new zones: named answers all lookups, and for the dnsbl zones (Spamhaus, Spamcop and the countries I wanted to block) it forwards the query to the rbldnsd name server, which serves the zone from the datafeed. This required that I run two name servers. However, rbldnsd is very light on server resources, fast and efficient. It is perfect for these kinds of lookups.

    At this point, everything is complete for Postfix. You can put at the very end of the restrictions the following:
    permit - Everything else moves on to the next stage.

    So far, Postfix and block lists have done a majority of the work. But we still have a couple more methods to consider and use.

    Nolisting and Greylisting
    I decided that I could try nolisting, or what some call "poor man's greylisting". Nolisting and greylisting both rely on your public DNS and its MX records. In my DNS I had the following in my BIND zone file:
    example.com. IN MX 10 mx1.example.com.
    example.com. IN MX 20 mx2.example.com.
    What the above means is that a sending mail server will first try to deliver to mx1.example.com (the lower preference value). If it cannot, it tries mx2.example.com. Nolisting means that one of those servers is never available: the nolisting server never accepts mail and does not even need to exist. A legitimate MTA follows the RFC, moves on to the next MX and retries later; a lot of spamware simply gives up. You have to run some tests to see which server makes the most effective nolisting server. There is some debate whether spammers skip the primary mail server and send right away to the secondary, the thinking being that the secondary is a less protected server and spam will have easier entrance into your network. For this reason, I have greylisting on the secondary server.

    Greylisting is a method of stopping spam by refusing the sender the first time it tries to send email to any user, with the receiving server asking the sender to try again later. Here is how it works; the key it is based on is called a 'triplet':

    1. The IP address of the host attempting the delivery
    2. The envelope sender address
    3. The envelope recipient address

    If the receiving MTA has never seen this triplet before, it refuses this delivery, and any retries within a short period, with a temporary failure (a 4xx reply). A legitimate MTA queues the message and retries later, at which point it is accepted. This works very well and generally is not noticed by the administrator or user. It is VERY effective against attacks from zombies, which rarely bother to retry.

    The basic greylisting software for Postfix is Postgrey. Postgrey keeps its state in a Berkeley DB file and I used it for several months. It is easy to set up and use and comes with a nice report feature called postgreyreport. There are several packages you can use for greylisting. I chose SQLGrey because it has more options to configure and to look at. It uses either MySQL, PostgreSQL or SQLite, which allows for a lot of flexibility.

    I decided to make my primary server a nolisting server and have the secondary mail server (running Postfix) use greylisting. As a general rule zombie mailers and a lot of spammers try once and never come back. According to the RFC, if a mail server is down or answers with a temporary failure the sending mail server should try again later. Many spammers won't, because it is not efficient for them: they want to spew as much spam to as many users as possible, and retrying costs them throughput. Greylisting takes advantage of this.
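An added example of the triplet logic (not the article's setup, Postgrey or SQLGrey): a small greylist keyed on the triplet described above, with the delay and retry window set to Postgrey's documented defaults and a caller-supplied clock so it can be exercised offline. The /24 keying, which Postgrey also does by default, handles mail farms that retry from a neighbouring address.

```python
"""Greylisting on the (client IP, envelope sender, envelope recipient) triplet.
Added example, not code from the article, Postgrey or SQLGrey.  Timings
follow Postgrey's documented defaults; `now` is passed in by the caller
(seconds) so the behaviour can be checked without waiting."""
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Greylist:
    delay: int = 300               # seconds a new triplet must wait before it passes
    retry_window: int = 2 * 86400  # an unretried triplet is forgotten after this
    max_age: int = 35 * 86400      # a proven triplet stays whitelisted this long
    by_subnet: bool = True         # key on /24 so a retry from a neighbouring host
                                   # in the same sender farm still counts
    seen: dict = field(default_factory=dict)   # key -> (first_seen, last_passed)

    def _key(self, ip, sender, rcpt):
        net = ipaddress.ip_network(f"{ip}/24", strict=False) if self.by_subnet else ip
        return (str(net), sender.lower(), rcpt.lower())

    def check(self, now, ip, sender, rcpt):
        """Return the SMTP reply for one delivery attempt made at time `now`."""
        key = self._key(ip, sender, rcpt)
        first, passed = self.seen.get(key, (None, None))
        if passed is not None and now - passed < self.max_age:
            self.seen[key] = (first, now)              # known-good triplet: refresh
            return "250 2.1.5 Ok"
        if first is None or now - first > self.retry_window:
            self.seen[key] = (now, None)               # new or stale triplet: defer it
            return f"450 4.2.0 <{rcpt}>: Recipient address rejected: Greylisted"
        if now - first < self.delay:
            return f"450 4.2.0 <{rcpt}>: Recipient address rejected: Greylisted"
        self.seen[key] = (first, now)                  # retried after the delay: pass
        return "250 2.1.5 Ok"

    def prune(self, now):
        """Drop triplets that were never retried and whitelist entries past max_age."""
        for key, (first, passed) in list(self.seen.items()):
            if (passed is None and now - first > self.retry_window) or \
               (passed is not None and now - passed > self.max_age):
                del self.seen[key]
        return len(self.seen)
```

Because the reply is a 450, a compliant sender queues the message and retries after its own backoff (typically minutes to an hour), which is the only cost a legitimate correspondent pays, and only on first contact. A zombie that fires once and moves on leaves behind a triplet that prune() discards after the retry window.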

    What Comes Next?: Spamassassin and ClamAV
    At this point you have stopped 70-80 percent of UCEs coming into your network. Even though this is a great improvement it is not good enough...not even close. Our internal groupware servers consisted of a mail hub and 3 "post offices" that the hub routes users' email to. We had an excellent 3rd party commercial application that had heuristics for spam and also did virus scanning.

    What you do next depends on your resources. ClamAV, SpamAssassin or the alternative SpamBouncer will be needed for several reasons: to get rid of embedded URIs that carry dangerous payloads and of virus-laden email attachments, and to apply heuristics and Bayesian filtering.

    You have a choice here: you can send the mail on to an internal mail hub, or if your server is beefy enough you can process the mail that gets through with SpamAssassin on the gateway itself. Postfix handles this very well. The only problem is that SpamAssassin is a resource hog on your server; keep this in mind. For a while I put SpamAssassin and ClamAV on a mail hub inside our network and processed the mail before it was sent on its way. Later I had a gateway server outside our network that I ran it on, and it only gets stressed when there are spam blasts.

    With heuristics we are able to get rid of 90-95 percent of the UCEs that enter our network. This makes UCEs manageable. I still strive for 100% UCE free.

    Other anti-UCE measures
    Powerful anti-UCE tools of interest that you might consider using.
    SPF - Sender Policy Framework: The main aim of SPF is to prevent forged envelope sender addresses. A domain publishes, in a DNS TXT record, which mail servers are allowed to send mail claiming to be from that domain; the receiving MTA looks up the record for the MAIL FROM domain and checks the connecting IP address against it. For a small to medium sized business where you have lots of control over your users AND you have lots of UCEs this is an excellent option. For us it is still out of the question and would require formal training for each user. In my situation this is not possible.
    DomainKeys
    DomainKeys does not prevent abuse but makes it easier to track. That fact alone kept me from considering it. The sending server signs the message with a key published in the sender's DNS, so the receiver can verify the source and that the content was not altered in transit. It is a form of authentication.
    HashCash
    I didn't consider this one either. Although like the one above if most MTAs used it I would as well. With the volume of mail we receive it would require considerable computational resources I didn't want to expend. May be useful to a smaller number of users.

    I am sure there are others I have forgotten or didn't seriously consider.

    Image and currently pdf spam has not been a great problem but one that I need to address. I do that on the mail hub.

    Log files and Reports
    If you do all the above and then forget about your work, chances are good that eventually spam will start to build up again. Log files and reports are the tools that will help make adjustments as spam changes. Without them I would be lost. Looking through Gigabytes of files that my maillog generates would be mind numbing. I have installed pflogsumm which generates a very large and detailed file and also wrote a script that gives me exactly what I want. Remember you will always be a step behind.

    A Typical But Light Day
    249158 Turkey
    206287 Poland
    126605 SpamHaus xbl
    63588 SpamHaus pbl
    40026 Germany
    32108 Russian Federation
    25596 GREYLISTED
    22245 Korea
    20887 RFC - Need fully qualified hostname
    17376 France
    16844 Brazil
    16693 China
    15808 Message accepted
    11987 Taiwan
    11833 Spain
    7957 Argentina
    7954 Israel
    7564 Italy
    7108 Czech Republic
    7060 SpamCop bl
    6599 Netherlands
    6109 Hungary
    5390 Romania
    5309 RFC - Domain not found
    5106 Japan
    4744 Surriel bl
    3230 Chile
    3109 Bulgaria
    3015 Vietnam
    2403 Belgium
    1776 Ukraine
    1587 Slovenia
    1548 United Arab Emirates
    1495 RFC - Helo Invalid Name
    1433 SpamHaus sbl
    1432 Greece
    1040 South Africa
    618 Relay access denied
    608 Senegal
    567 Estonia
    544 Ivory Coast
    435 RFC - Need fully-qualified address
    392 Saudi Arabia
    293 Malta
    106 RFC - Malformed DNS Server
    70 RFC - Improper pipelining
    36 Marketers
    13 Nigeria
    8 Benin
    6 Kenya
    5 SURBL
    1 Greenland
    1 Botswana
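As an added example of the kind of script mentioned above (not the author's script and not pflogsumm), the following Python reduces Postfix smtpd log lines to a tally in the shape of the report. The log lines are constructed for the example in the formats Postfix writes, using documentation addresses; the DNSBL TXT texts in them are made up, and zen.dnsbl is the local zone name from earlier in the article.

```python
"""Tally Postfix smtpd accept/reject lines by reason, in the style of the
daily report above.  Added example, not the article's script or pflogsumm.
SAMPLE_LOG is constructed: the line shapes are Postfix's, the addresses are
documentation ranges and the DNSBL reply texts are invented."""
import re
from collections import Counter

# "NOQUEUE: reject: RCPT from <name>[<ip>]: <code> <esc> <text>; from=<...> ..."
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: \w+ from (\S+)\[([\d.]+)\]: "
    r"(\d{3}) (\d\.\d\.\d) (.*?); from=<")
# "<queue id>: client=<name>[<ip>]" is logged once a message is accepted.
ACCEPT_RE = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=")
BLOCKED_RE = re.compile(r"blocked using (\S+?);")

REASONS = [  # (substring of Postfix's reply text, label used in the report)
    ("Greylisted", "GREYLISTED"),
    ("need fully-qualified hostname", "RFC - Need fully qualified hostname"),
    ("Domain not found", "RFC - Domain not found"),
    ("Helo command rejected: Invalid name", "RFC - Helo Invalid Name"),
    ("need fully-qualified address", "RFC - Need fully-qualified address"),
    ("Relay access denied", "Relay access denied"),
    ("Improper use of SMTP command pipelining", "RFC - Improper pipelining"),
]

def classify(line):
    """Map one log line to a report label, or None if it is not an smtpd verdict."""
    if ACCEPT_RE.search(line):
        return "Message accepted"
    m = REJECT_RE.search(line)
    if not m:
        return None
    code, text = m.group(3), m.group(5)
    b = BLOCKED_RE.search(text)
    if b:
        return b.group(1)          # the DNSBL zone that listed the client
    for needle, label in REASONS:
        if needle in text:
            return label
    return f"other {code}"

def tally(lines):
    return Counter(filter(None, map(classify, lines)))

def report(lines):
    return "\n".join(f"{n} {label}" for label, n in tally(lines).most_common())

SAMPLE_LOG = """\
Oct 12 03:14:01 mx2 postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.dnsbl; constructed TXT text; from=<junk@example.org> to=<user@example.com> proto=SMTP helo=<pc5>
Oct 12 03:14:02 mx2 postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[203.0.113.6]: 504 5.5.2 <pc6>: Helo command rejected: need fully-qualified hostname; from=<junk@example.org> to=<user@example.com> proto=SMTP helo=<pc6>
Oct 12 03:14:03 mx2 postfix/smtpd[4243]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.7]: 450 4.2.0 <user@example.com>: Recipient address rejected: Greylisted; from=<news@example.net> to=<user@example.com> proto=ESMTP helo=<mail.example.net>
Oct 12 03:14:04 mx2 postfix/smtpd[4243]: NOQUEUE: reject: RCPT from unknown[203.0.113.8]: 450 4.1.8 <a@nonexistent-zz.example>: Sender address rejected: Domain not found; from=<a@nonexistent-zz.example> to=<user@example.com> proto=ESMTP helo=<host8.example.org>
Oct 12 03:14:05 mx2 postfix/smtpd[4244]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 <someone@elsewhere.example>: Relay access denied; from=<x@example.org> to=<someone@elsewhere.example> proto=SMTP helo=<host9.example.org>
Oct 12 03:14:06 mx2 postfix/smtpd[4244]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 554 5.7.1 Service unavailable; Client host [203.0.113.10] blocked using bl.spamcop.net; constructed TXT text; from=<j@example.org> to=<user@example.com> proto=SMTP helo=<pc10>
Oct 12 03:14:07 mx2 postfix/smtpd[4245]: A277539820: client=mail.example.net[198.51.100.7]
Oct 12 03:14:08 mx2 postfix/smtpd[4245]: NOQUEUE: reject: RCPT from unknown[203.0.113.11]: 554 5.7.1 Service unavailable; Client host [203.0.113.11] blocked using zen.dnsbl; constructed TXT text; from=<k@example.org> to=<user@example.com> proto=SMTP helo=<pc11>
Oct 12 03:14:09 mx2 postfix/smtpd[4245]: disconnect from mail.example.net[198.51.100.7]
"""

if __name__ == "__main__":
    print(report(SAMPLE_LOG.splitlines()))
```

Run it against a real maillog with `report(open("/var/log/maillog").read().splitlines())`; the zone labels then come straight out of your reject_rbl_client zones, so the country zones you serve from rbldnsd show up under whatever names you gave them.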

    Henny-penny...
    A couple of days after we cut spam down to almost nothing, I was walking down the hall, returning to my office to troll on Kuro5hin and met a co-worker from another department.

    "Is the mail server down?" she inquired. She had a worried look on her face. "I haven't received much email today."

    I smiled to myself when I realized that she was no longer spending half the morning deleting spam from her inbox.

    "No", I replied, "The sky's not falling."