Wandering Thoughts archives

2005-10-09

Troubleshooting versus support

When we talk about 'support', especially things like 'vendor support', I think that there are actually two general things that are getting lumped under the same label: issues that you could have dealt with on your own if you knew enough, and things that are broken.

Although I don't have really good names for them, let's call the first sort of issue 'troubleshooting' and the second sort 'support'.

Unless the vendor dropped the ball on their documentation (which is certainly known to happen), calling the vendor up for troubleshooting is your fault, because you've failed to read or to understand (or you have decided that calling the vendor is faster than reading). In a sense you are wasting the vendor's time and asking them to do your work for you.

Support issues, genuinely broken things, are the vendor's fault, not yours. No amount of understanding the documentation or reading the FAQ can help (except perhaps to say 'this is a known bug'). Fixing the problem is not your work, it's the vendor's.

The difference matters in part because reasonable pricing is different between troubleshooting and support. It's hard to object to being charged each time you want a vendor to hold your hand, or to a vendor with flat rate troubleshooting saying 'you're asking for too much hand holding'. But being charged for each broken thing you discover, or hearing 'this is costing us too much to fix, go away' is infuriating for reasons I covered in more depth in SupportMythPartII.

Working in a heavily technical environment as I do, I don't care very much about a vendor's ability to do troubleshooting; we'll handle that ourselves. I do care quite a bit about the vendor being sane about support.

tech/TroubleshootingVsSupport written at 21:02:35; Add Comment

Weekly spam summary on October 8th, 2005

This week we received 12,111 email messages from 242 different IP addresses. Our SMTP server handled 61,080 sessions from 6,951 different IP addresses. Both email volume and session volume is up from last week, despite us being cut off from Level 3 customers for part of the week. (The University of Toronto gets core connectivity from Cogent, and you may have heard about the spat Cogent and Level 3 had between Wednesday and Friday.)

Overall connections are up again from last week: 299,200 connections from at least 41,000 different IP addresses. Our SMTP frontend once again hit a highwater of 50 maximum connections in flight. (I really need to be able to do a day by day breakdown of these numbers, to see when the connection rates jump.)

Looking back to the first of these reports in SpamStats-2005-06-25 it's tempting to draw some overall conclusions. Unfortunately it would be misleading, since our connection-time checking process is different now than it was back then. The growth in connection rates and the changes in other statistics may be in large part because we are now more aggressive about telling people to come back later.

(At the same time I think it's clear on a week to week basis that we have seen significant jumps in the volume of bad stuff.)

Kernel level SMTP blocks:

Host/Mask           Packets   Bytes
61.128.0.0/10         17702    858K
66.92.140.53          13785    662K
202.96.0.0/12         10500    517K
212.216.176.0/24       9717    506K
218.102.53.0/24        8949    413K
213.4.149.69           8804    403K
24.173.71.171          7366    354K
24.147.105.129         7340    352K
220.160.0.0/11         6826    331K
65.124.82.6            6257    300K

China comes in like gangbusters for once, specifically chinanet.cn.net (all three of the large netblocks in the top ten are theirs). I believe this may be a record placement of large netblocks in the top ten listing. tin.it and Netvigator continue their strong showings.

  • 213.4.149.69, a terra.es machine listed for bad reverse DNS data, has made the top 10 before (in SpamSummary-2005-09-17).
  • 24.147.105.129, smtp.capinc.com, is SPEWS-listed as part of Comcast/ATTBI.
  • 65.124.82.6, in QWEST space, was rejected because of bad reverse DNS; QWEST has hosted enough spammers that we now require anyone from their network space to have valid reverse DNS before we'll talk to them.
  • and finally, 66.92.140.53 and 24.173.71.171 did the usual thing of pumping out unresolvable HELO greetings.

This is clearly an atypical week; most weeks, the leading cause of getting into our kernel-level filters is unresolvable HELO greetings.

Connection-time rejection stats:

  25755 total
  12244 dynamic IP
   6513 bad or no reverse DNS
   1852 class bl-cbl
   1434 class bl-spews
   1044 class bl-dsbl
    556 class bl-sbl
    549 bad Chinese networks
    494 class bl-ordb
    285 class bl-sdul
    133 class bl-njabl
      8 class bl-opm

The stats are broadly the same as last week. Apart from 210.51.25.177, almost singlehandedly responsible for the sudden appearance of 'bad Chinese networks' in the list of noteworthy things, no single source stands out.

Other stats:

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 30842 1438 20892 1155
Bad bounces 8181 4121 7235 3322

Since both of these numbers are up from last week, it's probably spammers forging us (yet again) as the MAIL FROM in their spam runs.

(Technical issues make the 'last week' numbers from this table not quite match up with the 'this week' numbers in the same report last week. I'm switching some manual procedures around so that the numbers should match up better in the future; the divergence has to do with when logfiles are rolled over and how that interacts with the weekly reboot.)

spam/SpamSummary-2005-10-08 written at 02:02:12; Add Comment


Page tools: See As Normal.
Search:
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.