who offers cheap (personal) 1U colo?

every time i tell somebody that they shouldn't bother trying to send e-mail
from their dsl or cablemodem ip address due to the unlikelihood of a well
staffed and well trained and empowered abuse desk defending the reputation
of that address space, i also say "buy a 1U and put it someplace with a real
abuse desk, and use your dsl or cablemodem to tunnel to that place."

and then a few questions come in -- "where can i put a 1U for the $50/month
you claim is possible?" so as a public service i've decided to gather some
answers to that question and put them on the web someplace so i can refer
folks to it when i'm asked.

if you know of a place that offers 1U/month for $50/month with some kind of
bandwidth limitations (moderate peak, low average), and a strong abuse desk
(including repossessing the 1U server upon proof of abuse or neglect), please
send me e-mail with a url and some details. i'll summarize it all online
and report the aggregation URL back to this mailing list.

Why the assumption that a server connected via a patch cord will be better
administered than a server connected by a dsl or cable modem or T1 line?

What you seem to actually be looking for is a connection with a fixed IP
address which doesn't share "address reputation" with others. Old
timers who were able to obtain small IP address blocks for free don't
have as much of a problem. They can arrange for any ISP to announce those
IP addresses from any location, including their home basement colo over a
DSL line. Their "address reputation" is less dependent on third parties.

But with address conservation measures, new IP addresses are much more
tightly packed with all sorts of address assignments very close to each
other. Unlike "provider independent" IP addresses, some operators of
block lists will block large numbers of provider assigned addresses even
if any particular address has never done anything "wrong." Even if an ISP
had a perfect abuse response desk, some people pre-emptively block all
so-called "dialup" address ranges.

Why shouldn't an individual be able to operate a server on their DSL or
cable modem connection? Wasn't the original end-to-end nature of the
Internet based on that? Why prevent people from running servers on DSL
and cable modem connections, yet say they could run an identical
server in a colo? Why is one unsafe, and the other is considered Ok?

> Why the assumption that a server connected via a patch cord will be better
> administered than a server connected by a dsl or cable modem or T1 line?

partly it's a question of scale. if a provider is terribly successful
at this low end personal colo business they might have 10 racks of 40
customers per rack, such that they could quit their day job and just run
this low-end personal colo business.

which would be a 400:1 ratio between customers and staff, which is better
than the 10000:1 ratio you'll see from your best-case dsl or cable isp.
thus, a customer who neglects their server and allows others to use it as
an abuse-staging platform, or a script kiddie who stupidly fouls their own
nest by staging an attack from their own host, will get noticed by someone
with clue, in nearly real time.

> What you seem to actually be looking for is a connection with a fixed IP
> address which doesn't share "address reputation" with others.

no, i'm looking for a way to share address reputation amongst a group of
serious-minded professional power-users who have learned over the years how
to maintain their own BSD or Linux platform.

> Why shouldn't an individual be able to operate a server on their DSL or
> cable modem connection?

because their provider is, statistically speaking, a money-grubbing slob.

> Wasn't the original end-to-end nature of the Internet based on that?

why, yes, it was. but an implicit design criterion was that all of the users
would always be as smart and as professional as the scientists, engineers,
and educators who were the first generation of IP's users. (big mistake.)

> Why prevent people from running servers on DSL and cable modem
> connections, yet say they could run an identical server in a colo?

because most providers don't want to give out static ip addresses, for one
thing. because these providers are counting on a high suck:blow ratio from
their customer base. because these providers know that people will pay more
to get real internet access and they're holding you all for ransom. take
your pick.

> Why is one unsafe, and the other is considered Ok?

one is totally governed by a bilateral relationship between a 1U owner and
a colo provider, neither of whom has a monopoly, and both of whom have
something to lose if the IP address used in the relationship is abused.

this isn't a technical thing. it's all about people getting what they want.

> What you seem to actually be looking for is a connection with a fixed IP
> address which doesn't share "address reputation" with others.

no, i'm looking for a way to share address reputation amongst a group of
serious-minded professional power-users who have learned over the years how
to maintain their own BSD or Linux platform.

Ah, so it's mostly a boutique mystic issue. I understand. I can't afford
Equinix's prices, so I have my personal server in a small colo outside
the California earthquake zone. Strictly an issue of money.

> Why prevent people from running servers on DSL and cable modem
> connections, yet say they could run an identical server in a colo?

because most providers don't want to give out static ip addresses, for one
thing.

Most DSL and Cable modem providers will assign static IP address, just
not for the same price for the same product. You pay more, which turns
out to be very close to what you would pay for a static IP address in a
colo. Coincidence?

> Why is one unsafe, and the other is considered Ok?
> this isn't a technical thing. it's all about people getting what they want.

Actually it's about convincing block list operators that your IP address is
"Ok" to run a server. Some block list operators choose to list large
ranges of IP addresses, even if any particular address never did anything,
such as all APNIC addresses or anything they think (but which is not always) a
"dialup" address. Because block list operators make mistakes, people
wanting to run servers are forced to find IP address ranges "far enough
away" not to be mistaken for a dialup address range.

If the block list operators think it is a "dialup" range, they
pre-emptively block all the addresses in the range. If the block list
operators think it is a "static" range, regardless if it is a server in a
colo or T1 line to your house, they usually don't pre-emptively block the
address.

It has very little to do with the quality of the ISP's abuse desk. UUNET
is listed by Spamhaus as one of the worst ISPs for spam, but UUNET T1
address ranges aren't pre-emptively blocked. But large DSL or cable
address ranges, even if the addresses are statically assigned to specific
customers, are pre-emptively blocked.

I suppose ISPs could create boutique service provider subsidiaries for
serious-minded professional power-users. Ask ARIN for independent "elite"
IP address ranges. Maybe even get a different 1-800 number for customer
service and abuse complaints. Of course, customers would pay more for
this "elite" service.
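
The pre-emptive range listing described in the message above, as an added worked example (not code from any poster in this thread): it shows how a receiving mail server turns a connecting address into a DNSBL query name and how a 127.0.0.x answer distinguishes a policy listing of a whole "dialup" range from a listing the host earned itself. The zone name, the listed ranges and the return-code table are made up for illustration; a real list publishes its own zone and codes.

```python
"""Added example: how a mail receiver consults a DNS-based block list
(DNSBL) and why a whole "dialup" range can be refused pre-emptively.

Not code from any participant in this thread.  The zone name, the
listed ranges and the return-code table below are assumptions made up
for illustration; consult the operator of a real list for its actual
zone and codes.
"""
import ipaddress
from typing import Optional

# Assumed DNSBL zone name (hypothetical, not a real list).
DNSBL_ZONE = "dialup.example.net"

# Assumed meaning of the A records the list answers with.  Real lists
# publish their own table; 127.0.0.x values are the usual convention.
RETURN_CODES = {
    "127.0.0.2": "dynamic/dialup range (policy listing)",
    "127.0.0.3": "open proxy seen on this address",
    "127.0.0.4": "spam source seen on this address",
}

# Constructed sample of what a list operator might publish: one
# provider-assigned /22 listed on policy (no host in it need have done
# anything), and one /24 listed because a host in it actually spammed.
LISTED_RANGES = [
    (ipaddress.ip_network("198.51.100.0/22"), "127.0.0.2"),
    (ipaddress.ip_network("203.0.113.0/24"), "127.0.0.4"),
]


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the name a receiver looks up: octets reversed, then the zone.

    A lookup for 192.0.2.5 against zone.example becomes
    5.2.0.192.zone.example; an A record in the answer means "listed".
    """
    addr = ipaddress.IPv4Address(ip)          # raises on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def lookup_listed(ip: str) -> Optional[str]:
    """Stand-in for the DNS query, answered from LISTED_RANGES.

    Returns the 127.0.0.x code the list would answer with, or None when
    the name would not resolve (NXDOMAIN, i.e. not listed).
    """
    addr = ipaddress.IPv4Address(ip)
    for network, code in LISTED_RANGES:
        if addr in network:
            return code
    return None


def classify(ip: str) -> dict:
    """Decide what a receiving MTA would conclude about a connection from ip."""
    code = lookup_listed(ip)
    if code is None:
        return {"ip": ip, "listed": False, "reason": None, "policy_listing": False}
    reason = RETURN_CODES.get(code, f"unknown code {code}")
    return {
        "ip": ip,
        "listed": True,
        "reason": reason,
        # A policy listing says nothing about this host; the whole range
        # was refused because of the kind of address space it is.
        "policy_listing": code == "127.0.0.2",
    }


if __name__ == "__main__":
    for sample in ("198.51.100.77", "203.0.113.9", "192.0.2.5"):
        print(dnsbl_query_name(sample), classify(sample))
```

The point of `policy_listing` is the one Sean makes: a 127.0.0.2 answer tells the receiver only that the address sits in a range the list operator decided to refuse wholesale, so a static address in such a range is refused regardless of how it has behaved.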

sean@donelan.com (Sean Donelan) writes:

> If the block list operators think it is a "dialup" range, they
> pre-emptively block all the addresses in the range.

that's because at $30/month there's no budget for a "dialup" provider
to call their worm-infested customers one at a time and talk them
through "Windows Update", and the "free" "antivirus" software they
include on their customer cdroms is crippleware or adware or both.

providers who refuse to enter the "race to the bottom" can get their
dialup blocks delisted from any blackhole list operator i know of,
just by demonstrating clue and conviction.

> It has very little to do with the quality of the ISP's abuse desk.

long term, it does. my sister is in sbc-dsl territory and before i
linuxed her and tunneled her, i had a terrible time getting e-mail from
her. the /24 that her nat/dsl box got by dhcp had a dozen open proxies
in it. sbc's abuse desk sure as hell didn't want to hear from me about
it and the owners of the infected pee cee's wouldn't've wanted to hear
from me even if i'd had some way to identify them and offer them a free
linux upgrade if they'd just open their front door and lead me to their
pee cee.

> ... But large DSL or cable address ranges, even if the addresses are
> statically assigned to specific customers, are pre-emptively blocked.

there's a sound statistical basis for this. and a strong abuse desk
(which would show up as higher-than-$30/month-fees) would change those
statistics and improve the reputation of that "kind" of address space.

> I suppose ISPs could create boutique service provider subsidiaries for
> serious-minded professional power-users. Ask ARIN for independent
> "elite" IP address ranges. Maybe even get a different 1-800 number for
> customer service and abuse complaints. Of course, customers would pay
> more for this "elite" service.

rather, i think that your employer and other dsl providers ought to get
into the $50/month 1U colo business and market this to their power users
and budget for a strong abuse desk for the small amounts of address space
used by that function. (and if you do, please send me the URL and details.)

it would be marketing suicide to offer a different dsl-dhcp ip address
to people willing to pay enough to budget for an abuse desk. but if you
call it colocation then it doesn't look as if you're cheap bastards for
not being willing to budget for a strong abuse desk for ALL your customers.

anyone seen a new email virus that uses windows help file attachments to
infect a machine? I just received what looks like a new attempt to trojan
folks via email. It claims to be an AV warning with instructions contained
in a help file attachment.

Geo.

> Why shouldn't an individual be able to operate a server on their DSL or
> cable modem connection?

Because DSL and cable modem networks have evolved into lowest-cost, widest-reach service networks designed to allow anyone with $30 access to a relatively fat pipe. As a result those networks have turned into rich sources of net garbage, and most clueful network operators have taken to defending themselves against this torrent of silliness.

So, I suppose that the question is not so much one of being "allowed" to run a server on an xDSL or cable link, but of the real world effectiveness of doing so.

> Why prevent people from running servers on DSL
> and cable modem connections, yet say they could run an identical
> server in a colo? Why is one unsafe, and the other is considered Ok?

Nothing is 100% safe, but I'd much rather accept unrestricted traffic from a network with 1000 customers and 2 geek engineers than from a network with 1,000,000 customers and 25 engineers on staff wading through mountains of abuse reports. At least at the smaller, more "geek intensive" level, there is a greater ability to deal with mischief in a timely and decisive fashion.

Paul Vixie wrote:

> sean@donelan.com (Sean Donelan) writes:
>
> > If the block list operators think it is a "dialup" range, they
> > pre-emptively block all the addresses in the range.
>
> that's because at $30/month there's no budget for a "dialup" provider
> to call their worm-infested customers one at a time and talk them
> through "Windows Update", and the "free" "antivirus" software they
> include on their customer cdroms is crippleware or adware or both.
>
> providers who refuse to enter the "race to the bottom" can get their
> dialup blocks delisted from any blackhole list operator i know of,
> just by demonstrating clue and conviction.

You're naive on this. There are enough of these blacklists, and many of
them are totally unresponsive to an ISP's assertions (and empirical
evidence) of aggressive handling of abuse. I know because I've tried to
do this. An ISP *cannot* effectively change the status of these IP
blocks...even with empirical evidence of dealing with abuse. It just
doesn't happen.

> > ... But large DSL or cable address ranges, even if the addresses are
> > statically assigned to specific customers, are pre-emptively blocked.
>
> there's a sound statistical basis for this. and a strong abuse desk
> (which would show up as higher-than-$30/month-fees) would change those
> statistics and improve the reputation of that "kind" of address space.

But you were just arguing above that it wasn't a statistical situation,
and that a provider could get unlisted from these blacklists. Now you're
arguing that it's a statistical thing, therefore it *doesn't* have to do
with the empirical actions of the ISP. This second argument is the
correct one, FWIW. It's statistical, and an individual ISP effectively
cannot influence their listings on the blacklists.

> rather, i think that your employer and other dsl providers ought to get
> into the $50/month 1U colo business and market this to their power users
> and budget for a strong abuse desk for the small amounts of address space
> used by that function. (and if you do, please send me the URL and details.)

I'm sorry, Paul, but the "$50/month 1U colo business" that you keep
going on about is, at best, a niche market. It is not, and will not be,
a substitute for DSL/Cable. At best, it will be in addition to
DSL/Cable, which means an extra expense for customers, which means that
it will never be more than a niche.

Others have said, and they are absolutely right, that there is no real
technical difference between a DSL line with a static IP, and a colo box.

There are ISPs out there that are providing clueful DSL service,
including allowing servers on it, with aggressive abuse response, at
competitive price points. It can be, and is being, done. It's rare,
yes, but it can be found.

So, the argument that we need to all start selling "$50/month 1U colo
boxes" because responsible DSL service can't be done is bogus.

> it would be marketing suicide to offer a different dsl-dhcp ip address
> to people willing to pay enough to budget for an abuse desk.

You're wrong here. It can be done, and it can be done profitably.

> sean@donelan.com (Sean Donelan) writes:
>
> > If the block list operators think it is a "dialup" range, they
> > pre-emptively block all the addresses in the range.
>
> providers who refuse to enter the "race to the bottom" can get their
> dialup blocks delisted from any blackhole list operator i know of,
> just by demonstrating clue and conviction.

There are several blacklists that clearly want more from the ISP than an
explanation that the offenders are being/were removed... one good example
is 'spews'.

> > It has very little to do with the quality of the ISP's abuse desk.
>
> long term, it does. my sister is in sbc-dsl territory and before i
> linuxed her and tunneled her, i had a terrible time getting e-mail from
> her. the /24 that her nat/dsl box got by dhcp had a dozen open proxies
> in it. sbc's abuse desk sure as hell didn't want to hear from me about
> it and the owners of the infected pee cee's wouldn't've wanted to hear
> from me even if i'd had some way to identify them and offer them a free
> linux upgrade if they'd just open their front door and lead me to their
> pee cee.

As was pointed out to me by a co-worker: "Linux is not any more inherently
secure than any other OS." The difference really comes in the
administration of the pee cee. So, would upgrading joe-random-user to
Linux really make things better for them? (or us?) That is not clear at
all at this point.

Certainly the point central to your argument is that with the right
abuse-desk to customer ratio AND the right customer base, things could be
kept clean for smtp/web/ftp/blah 'hosting'. This is most certainly the
case... I look forward to seeing your list of providers and prices :)

--Chris
(formerly chris@uu.net)

Paul Vixie wrote:

> every time i tell somebody that they shouldn't bother trying to send e-mail
> from their dsl or cablemodem ip address due to the unlikelihood of a well
> staffed and well trained and empowered abuse desk defending the reputation
> of that address space, i also say "buy a 1U and put it someplace with a real
> abuse desk, and use your dsl or cablemodem to tunnel to that place."

My cable modem provider filters port 25, so I can't run my own SMTP server. Their mail servers suck. Yes, I could pay for a business class cable modem connection and they'd unblock the port... but I'd likely still be filtered.

Guess who is having a dedicated 1U set up right now? ;)

I think Paul is right, there is a small niche market for this.

Hm, are there companies out there that offer outbound SMTP services (for
people who are blocked, or which need a mail server that's not blacklisted
because their provider isn't dealing with spam problems)? I never really
looked into it too much, but I haven't seen it offered on providers' sites
outright.

I was considering setting up a service like this (we have 2-3 outbound mail
relay servers that are sitting idle because we don't need them yet), but
wasn't sure how interested people would be. Like, say, setup a service that
offers people the ability to send outbound mail through based on IP ACLs,
possibly SMTP AUTH, TLS/SSL certs, and other things which could authenticate
the sender, and have it accept SMTP on various other non-25 ports.
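
The client side of the authenticated outbound relay sketched in the message above, as an added example (not any provider's code): it shows the order a submission client must follow, EHLO, then STARTTLS with certificate verification, then AUTH, and refuses to send the password at all if the relay does not offer STARTTLS. The relay host, port, user name and password are assumptions; the connection object is passed in so the sequence can be exercised offline with the constructed `FakeSMTP` stand-in, while `send()` uses a real `smtplib.SMTP` session.

```python
"""Added example: submitting mail through an authenticated relay on a
non-25 port (SMTP AUTH over TLS), as an outbound relay service of the
kind described in the thread would require.

This is illustration, not any provider's code.  RELAY_HOST, RELAY_PORT,
RELAY_USER and RELAY_PASS are assumptions; real values come from the
relay operator.  FakeSMTP is a constructed stand-in so the logic can be
run offline.
"""
import smtplib
import ssl

# Assumed relay details (hypothetical).
RELAY_HOST = "relay.example.net"
RELAY_PORT = 587            # submission port; 2525 etc. work the same way
RELAY_USER = "user@example.net"
RELAY_PASS = "correct horse battery staple"


def submit_via_relay(conn, user, password, sender, recipients, message):
    """Relay message through an already-connected SMTP session.

    Order matters: EHLO, then STARTTLS with certificate verification,
    then a second EHLO, and only then AUTH.  If the relay will not
    offer STARTTLS the credentials are never sent, because the
    password would otherwise travel in the clear.
    """
    conn.ehlo()
    if not conn.has_extn("starttls"):
        raise RuntimeError("relay does not offer STARTTLS; refusing to AUTH in the clear")
    context = ssl.create_default_context()     # verifies the relay's certificate
    conn.starttls(context=context)
    conn.ehlo()                                 # capabilities change after TLS
    if not conn.has_extn("auth"):
        raise RuntimeError("relay does not offer AUTH after STARTTLS")
    conn.login(user, password)
    return conn.sendmail(sender, recipients, message)


def send(sender, recipients, message, host=RELAY_HOST, port=RELAY_PORT,
         user=RELAY_USER, password=RELAY_PASS):
    """Open a real connection and relay through it (needs network access)."""
    with smtplib.SMTP(host, port, timeout=30) as conn:
        return submit_via_relay(conn, user, password, sender, recipients, message)


class FakeSMTP:
    """Constructed offline stand-in that records the command sequence."""

    def __init__(self, offers_starttls=True, offers_auth=True):
        self.offers_starttls = offers_starttls
        self.offers_auth = offers_auth
        self.tls_started = False
        self.log = []

    def ehlo(self):
        self.log.append("EHLO")

    def has_extn(self, name):
        if name == "starttls":
            return self.offers_starttls and not self.tls_started
        if name == "auth":
            # Like many relays, only advertise AUTH once TLS is up.
            return self.offers_auth and self.tls_started
        return False

    def starttls(self, context=None):
        self.log.append("STARTTLS")
        self.tls_started = True

    def login(self, user, password):
        if not self.tls_started:
            raise AssertionError("AUTH attempted before TLS")
        self.log.append(f"AUTH {user}")

    def sendmail(self, sender, recipients, message):
        self.log.append(f"MAIL FROM:<{sender}>")
        self.log.extend(f"RCPT TO:<{r}>" for r in recipients)
        self.log.append("DATA")
        return {}                               # smtplib returns refused recipients here


if __name__ == "__main__":
    fake = FakeSMTP()
    submit_via_relay(fake, RELAY_USER, RELAY_PASS, "me@example.net",
                     ["you@example.org"], "Subject: hi\r\n\r\nhello")
    print(fake.log)
```

`ssl.create_default_context()` is what makes the TLS step worth having: without certificate verification an on-path attacker between the DSL line and the relay could present its own certificate and collect the AUTH credentials.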

Have you been looking at providers in the right industry? Such services are
usually offered as addons by people who sell DNS services (especially
dynamic DNS) and other such things designed to make it easier for people to
run their own servers. They do exist, and as was pointed out earlier in this
discussion, cost much less than the 1U colo alternative. We do it, and I
know at least one or two others in our industry do...

Vivien

I have actually. I see an awful lot of services for incoming SMTP
filtering of spam/viruses, or just to hold the mail while you are offline,
but haven't seen outgoing SMTP services - which is why I asked :)

As I posted earlier in this thread, DynDNS.org's outgoing SMTP service
(available on port 25 and several others as well):

http://www.dyndns.org/services/mailhop/outbound/

Some others I know of off-hand:

http://www.no-ip.com/services.php/mail/smtp
http://www.smtp.com/

> There are several blacklists that clearly want more from the ISP than an
> explanation that the offenders are being/were removed... one good example
> is 'spews'.

What do you think spews wants? My experience with them has been that
that's pretty much the only thing that will satisfy them. I have had
customer IPs in spews, and got them removed. "I've" also been collateral
damage (at a consulting client's site), which sucks, but that's the stick
spews wields. In most cases, that's encouragement enough for a provider
to clean up their network or keep it from becoming a mess. Sometimes it's
not.

> As was pointed out to me by a co-worker: "Linux is not any more inherently
> secure than any other OS." The difference really comes in the
> administration of the pee cee. So, would upgrading joe-random-user to
> Linux really make things better for them? (or us?) That is not clear at
> all at this point.

That's an argument for another list...but the short answer is no, giving
JRU who knows nothing about Linux a default install, especially a popular
one, say Red Hat, is not much, if any, better. They won't maintain it.
It will be hacked. At least it probably won't be done with and then
participate in email viruses.

That's funny since we've cleaned up several over the years, yet they are
still listed... and in some cases the listings have expanded. :( Spews
does not provide a decent path to get listings removed, and they don't
seem to remove listings if you do show the change.

: > I have actually. I see an awful lot of services for incoming SMTP
: > filtering of spam/viruses, or just to hold the mail while you are offline,
: > but haven't seen outgoing SMTP services - which is why I asked :)
:
: As I posted earlier in this thread, DynDNS.org's outgoing SMTP service
: (available on port 25 and several others as well):
:
: http://www.dyndns.org/services/mailhop/outbound/
:
: Some others I know of off-hand:
:
: http://www.no-ip.com/services.php/mail/smtp
: http://www.smtp.com/

http://www.pobox.com/ - All accounts come with free (but must be enabled in
the web admin interface) SASL-authenticated outbound SMTP. "See this mail's
headers."

I don't mean to rain on Tim's parade, but it's comparably priced ($15/yr).
So pick which service provides the pair of things you need: SMTP and
dynamic DNS (dyndns.org), or SMTP and aliasing (pobox.com).

You might want to post to NANAE (or better to the new "clean" newsgroup
news.admin.net-abuse.blocklisting) and actually say that such and such
customer has been disconnected and/or such and such ip block is no longer
in use by them. Most blacklist administrators don't really check on each and every
listing every month (although they probably should to keep good lists, but
spamhaus may be the only ones who do it and even with them I'm not sure).

In fact one of the reasons I think that some blacklist operators have a bad
impression of UUNET is that you don't inform them what you do and they think
you do nothing, while in fact I'm sure that's not the case.

I've always wanted to enter a "niche market" like this. I've never had a
boss that saw this as big enough to break even. This really is a small
enough endeavour for a few people to start up. Here in NYC, you can get
some decent co-lo at a "Tier 1" for $650/mo. and bandwidth at $150/MB with
no commit. And that's at a very nice facility. I'm sure that others know
of even better deals, but I think that's a fair market price for a
facility/name that everyone knows and trusts.

If anyone on the east coast also thinks this is something worth putting
together (either for-profit or as a co-op situation), feel free to contact
me directly.

Thanks,

Charles

<quote who="Charles Sprickman">

If anyone on the east coast also thinks this is something worth putting
together (either for-profit or as a co-op situation), feel free to contact
me directly.

This is currently being organized in the IAD area:
http://lists.gotroot.com/mailman/listinfo/dcccp

We've done a similar setup as a non-profit in SFO/SJC.
http://www.communitycolo.net/

It's not for everyone, but it is more than adequate for most people's needs.

With some more networking volunteers (as opposed to systems people) we
could probably become a lot more robust than we already are. We are
currently using 8 cabinets at Hurricane Electric off a 100mbit feed with a
bunch of Cisco 1900 and 2900 series switches.

Emails to me offlist for anyone interested in knowing more.

-davidu