Gamefest 2006 Content & XNA

I noticed over at Let’s Kill Dave that the content for Gamefest 2006 was released and is available for download. Head over to Dave’s blog to check it out!


Also, XNA Game Studio Express is out. Go get it. You’ll need Visual C# Express as well, but the complete package looks pretty slick. Time to learn yet another programming language!

Microsoft takes a step towards user content

Gamasutra has some news about Microsoft’s XNA Game Studio Express, a game development toolkit geared towards the amateur/hobbyist developer. From the article:


The details of the new tech are as follows: XNA Game Studio Express will be available for free to anyone with a Windows XP-based PC, and will provide them with what’s described as “Microsoft’s next-generation platform for game development.” In addition, by joining a “creators club” for an annual subscription fee of $99, users will be able to build, test and share their games on Xbox 360, as well as access a wealth of materials to help speed the game development progress.


So it looks like Microsoft is taking the first steps towards making the need for modchips obsolete! Maybe. According to the article, the content created won’t be available to “regular” 360 owners, just to those who are part of the creator’s club. However, they go on to state that the content may be available via Xbox Live Arcade (XBLA) at some point in the future. It’s not explicitly stated, but it looks like PC owners will have access to the content regardless of membership.

Other companies have already pledged support. GarageGames has already ported their Torque Engine over to the studio, and Autodesk has confirmed support for their FBX file exchange format. Apparently some universities and game development schools have decided to add the studio to their curriculum and will use the XBox 360 exclusively. While I’m not sure I like the lock-in to the 360 console, it is nice to see awareness and knowledge growing.

So, what does this mean for the indie developer? Well, in short, it gives access to a pretty powerful console. And since it’s officially sanctioned by Microsoft you can expect mailing lists and forums dedicated to development. Ownership of a 360 isn’t necessary either as the studio runs on a Windows XP PC. It may also mean a revenue stream as well. If Microsoft opts to allow content to be available on XBLA, they may also allow the developer to charge for downloads. I’m sure Microsoft will get their cut, but this could mean some serious cash for the young developer.

Overall, this is definitely a step in the right direction. Despite what you and I may think of Microsoft, I think they’re doing something right here. Only time will tell how it turns out. I’ll definitely be downloading this when it becomes available on August 30th.


UPDATE : Maxconsole dug up the official FAQ direct from Microsoft. This is different than the FAQ on the XNA site. Looks like you’ll have to sign up to get the beta :


A beta of XNA Game Studio Express will be released on August 30. To receive a notification on when the Beta is available, please go to and select “Available Connections.” Then choose the XNA connection and follow the link to sign up for the XNA Game Studio Express Beta. (Note: A valid Windows Live ID is required, if you do not have one, you will be given the option of creating one.)


It looks like the beta will be limited to PC content only. It uses .NET technology on both the 360 and PC to create the games and according to the FAQ, it looks like it will be limited to C# code only.

The Patchwork OS

Twelve patches, Twenty Three vulnerabilities.

Tuesday was Microsoft Patch day. Of the twelve patches, nine were for the Windows OS, two for Office, and one for Internet Explorer. A breakdown of the severity of each patch can be found on the ISC Website.


I mention this because of the severity of these flaws. There is already an exploit in the wild taking advantage of MS06-040, a flaw in the Server service. This is yet another flaw in the RPC functionality of Windows. Ports 139/tcp and 445/tcp are again the attack vector used to exploit this. For those that remember the past few years, these ports are notorious for being used as vectors to exploit the RPC service. Most commonly associated with Netbios, these are probably the most blocked ports on the Internet.

In addition to the above gem, there are also vulnerabilities in DNS resolution, the Windows Management Console, and more. You can find more information on all of these exploits at the link mentioned above. I highly recommend patching your system ASAP since exploits are in the wild and this could easily turn into another Blaster style attack. Even the Department of Homeland Security is recommending that you patch immediately. According to some reports, Microsoft is already bracing for an attack.


I find the frequency and number of exploitable bugs in the Windows OS to be disturbing. Linux and OSX have bugs, but nothing as frequent as Windows seems to have. A lot of the reports that compare the various operating systems seem to miss the fact that Windows as an OS (minus any Office or IE patches) has a higher number of critical exploits as compared to Linux or OSX. Often the exploits of other packages such as apache, ftp, etc are lumped in with the Linux count and assumed to be part of the OS. While most Linux distros ship with much more than the Linux Kernel itself, it’s unfair to count those exploits as part of the whole. Other reports seem to realize these facts and produce results much closer to the truth.

I think, however, that Microsoft has helped the computer industry. They helped popularize the personal computer and provided much of the software for the initial PC boom. They have invested billions of dollars into creating their products and bringing them to market. But, I think it’s high time for them to make some major changes. I would like to see them embrace the Open Source community and learn how to build and market open source products. If they embraced the Linux OS and helped extend it instead of fighting against it, I think the computer industry could take another giant leap forward. They can certainly continue to create and sell the various applications they currently have, and even produce new ones. The very act of running their apps on a Linux system may help to enhance security across the entire industry. Linux itself has proven to be very resilient to attack.

One of the biggest myths about Linux seems to be the belief that all software running on a Linux system has to be open source. Nothing could be further from the truth, however. It is certainly acceptable to run closed source products on an open source OS provided that you play within the rules. I’m not 100% clear on all of the ramifications of the GPL license, but as I understand it, you are permitted to modify any OSS product out there provided you make the source available. But, I believe you are permitted to build closed source apps using OSS libraries and not distribute the source *if* you use unaltered versions of the libraries. I may be wrong here, so please correct me if I am. Regardless, the ability to write closed source programs that run on an OSS platform definitely exists.



I stumbled upon a blog entry on Ozymandias about Modchips. Ozymandias is the blog for Andre Vrignaud, an XBox Team Member. I found his comments to be interesting, but I disagree on a few points.

Andre cites three “main” reasons used to defend modchips :


  • the ability to copy and play pirated games
  • the ability to play import games
  • the ability to add new functionality (such as running homebrew software)

Like Andre, I’ll comment on these one at a time.



Pirated games… What can be said about this? Piracy is, in the end, wrong. There are a number of reasons given for piracy ranging from the pure view of “I want it and I don’t want to pay for it”, to the almost forgivable, “I need it to survive but I can’t afford it.” The former is just pure piracy and is akin to stealing a physical object. There are arguments that software is a different beast because stealing a copy doesn’t mean there is one less copy in the world, but, in fact, that there is one more. But, in general terms, I can agree that this is stealing.

The latter excuse is more interesting. There are several instances of people pirating software for the simple reason that they need it to produce a viable product. However, they don’t have the up-front money to pay for the pirated software. In some cases, they purchase the pirated software after they’ve earned the money to do so. This excuse is becoming less viable as time goes on, however. With the advent of Open Source software, there are numerous OSS packages that can produce results similar to commercial products. One has to be careful, however, since some of these OSS products include licenses to prevent commercialization.

Regardless of the reasons for piracy though, I agree with Andre. If you’re modding your console for the express reason of pirating games, then you’re wrong. This is probably the main reason Modchips get such a bad name. Those who know what modchips are think you’re doing it to pirate games, not to unlock features or make homebrew a reality.


Next up is imports. Imports are a bit of a weird beast. In the not too distant past, consoles were able to play any game, import or local. The main reasons for importing a game were to get something that wasn’t available on the local market. The downside was that you usually needed to learn a new language to play the game! Unfortunately, my Japanese is basically nonexistent, so playing imports is tough.

More recently, however, console manufacturers have “region locked” their consoles rendering imports useless. There are a number of reasons for region locking such as different release dates across countries, preventing illegal content in certain countries, and increased revenue due to pricing differences between countries. Vendors feel pretty strongly about these points and even have the backing of the US Government in the form of the much hated Digital Millennium Copyright Act (DMCA). The DMCA has a specific clause that restricts circumventing these protections.

With the exception of preventing illegal content from entering certain countries, this all appears to be about money. The vendor can region lock a game or movie, and sell that title at varying prices depending on where in the world they are. Obviously this allows them to maximize their profits by taking advantage of the local market.

However, there is a slight problem with this. Some people enjoy watching foreign films, or playing imported games. For some, it may even be a means to stem the tide of homesickness. For others, it’s a chance to play something that won’t be released in their home region. I see this as a perfectly valid reason for wanting to mod your console. You paid for the console, you paid for the movie/game, why can’t you just use the two together? Andre states the following :

But sometimes companies have good reasons to either not release a title into a region or release it at different dates. It may be because of the time and cost of localization, marketing plans, ad buys, cultural considerations, or perhaps even because of the impact of piracy in the region. Whatever the case, it’s safe to assume the publisher has thought about it.

First of all, if I’m importing a game, there’s a good chance I know it hasn’t been localized. And for a lot of people, that’s the point. So concerns about time and money for localization are moot. As for piracy, I’m not sure what to say there. Because of possible piracy in a region, a company is unwilling to allow anyone at all to purchase the title? Give me a break, money is money. I can understand that they don’t want to localize and market the product, but if it’s been localized and marketed elsewhere, why prevent anyone in that region from buying and using it? It just doesn’t make sense to me. If they want to pirate it, they likely have modded consoles anyways, so the argument is pointless.

I’m quite sure the publisher has thought it through though. If you weigh the cost vs revenue it makes sense to not bother marketing some areas. For instance, there are a large number of games that are popular in Japan that just don’t have a chance in the US. So it makes sense for them to skip localization and marketing for the US. But, if I happen to speak and read Japanese, and I have an interest in the game, why would they want to prevent me from handing over my hard earned money to purchase it? In fact, that’s extra, unforeseen revenue. Isn’t that a good thing?


The last item Andre cites is the desire for homebrew. I can definitely identify with this desire. I own a PSP and I’ve been looking long and hard at the Undiluted Platinum PSP Modchip. This chip allows the user to switch between 2 versions of firmware on the PSP, allowing you to stick with version 1.5 for homebrew, or the latest version for compatibility with the latest games. Of course, this means you need to alter the PSP, void the warranty, etc. And who knows, maybe Sony will come up with a workaround to disable it. But the desire to be able to do this is pretty strong.

According to Andre, the industry currently uses a razor/razor blade model. In short, this means that they sell the console at a loss with the hope that the end user will buy enough games and peripherals to make up the cost. Not a bad model for something like a razor. Chances are you’re going to buy blades in order to use that razor. Though, as one person commented, you can always use them to prop open windows…

So the argument is that since the console manufacturers sell at a loss, we should be locked into using the console to their specifications and no others. Is it my fault that the vendor decided to sell at a loss? Did I make some sort of deal with them stating that if they sold the console at a loss, I would make up the difference in games/movies and peripherals? They’re right that the lower cost is an incentive to buy. If the PSP was twice its current price, I probably wouldn’t have purchased it. And Andre hits on that point :

Some folks point to the fact that they bought the hardware and believe they should be able to do anything they wish with it. Unfortunately, this argument ignores the fact that they’re buying that hardware at below cost, and it’s the razor/razor blade model that makes it even possible to buy at that price. The other solution would be to sell the hardware at a price that covers cost and also includes a profit margin so that selling the console alone (with no game/peripheral/service sales) could be a stand-alone business.

And he goes on to state some problems with this reasoning :

Problem is A) this model already exists (it’s called a PC), and B) selling a console at PC prices (especially with the capabilities the console has in it) would simply be too expensive and no one would buy it. At the end of the day, the cost difference needs to be made up somewhere, and that’s why we need you to buy those razor blades.

So, reason number one is that the PC already exists. Well, it does, but is it portable? Does everyone have the same exact PC as you? The same reasons for creating content on a console are relevant to the desire for homebrew as well. It’s often much easier to develop for a single static platform than it is for a platform that varies from unit to unit. You also need to keep in mind that most, if not all, of the users desiring the ability to create homebrew software already own a PC. It’s the desire to work on a different platform that drives us.

Andre’s second reason is cost. And here I have to agree slightly. If they were to sell the console at cost, then it may be too expensive. Or would it? How much are these companies losing per console? I’ve heard varying numbers, but I think the vendor is the only one who knows for certain.

So, yes, the difference should be made up with peripherals. Hrm. A thought has occurred to me. Maybe they could sell a software development kit! And the necessary hardware to copy code from the PC to the console! Couldn’t that make up a portion of the cost? Yes, I’m aware that they already have development kits for the console, but I can’t afford it, can you? If they released a slimmed down version of the software, minus all of the specialty hardware that usually ships with the SDK (commonly because the actual console has yet to exist prior to them shipping the SDK), then the cost can be reduced quite a bit. Don’t offer support for the SDK, just release it to the public and the public will create the support. Don’t believe me? How about ps2dev which supports both PS2 and PSP development? There are hundreds of sites on the internet that support PSP development. And hundreds more that support XBox, Gamecube, Gameboy, etc. And none of those console manufacturers has, to my knowledge, released any development code at all. It’s everyday hackers like you and me that are creating the SDKs from scratch and releasing them to the public.


So in short, I don’t see a problem with Modchips in general. There are those people who will use them to pirate and steal, but in all honesty, the Modchip isn’t the reason for that. Pirates are out there to pirate for the pure reason that they can make money doing it. And regardless of the existence of a Modchip, the pirate will continue. Perhaps the need for a Modchip can be reduced if the console manufacturers would give up on this idea of region locking, and open up the consoles to the masses. Let the little guys take a crack at coding. Are you afraid they might create something better than what you have to offer?

Patent Wars

And so it begins.


Slashdot posted an article today about some patent claims against Open Source developers. They linked to an article by Bruce Perens, a well known OSS advocate, detailing some of the issues surrounding 2 particular patent cases currently pending. The first case is a recent case against RedHat regarding their Hibernate software package. Firestar Software is claiming that they hold a patent on what they call Object Relational Mapping. If I understand correctly, this is a programming technique used to hide the implementation details of a database behind an object. In other words, it’s basically encapsulating the database within an object.

Umm.. yeah. Duh. Ok, so let me get this straight. If I create an object in a programming language that can be used within the program to prevent having to write direct SQL calls, then that falls under this patent? Well, I guess I’ll have someone banging on my door pretty soon. phpTodo uses this same technique! Isn’t this an obvious extension of the object-orientation paradigm in most modern programming languages? It’s the next logical step from creating procedures or functions to accomplish the same thing!

According to the article by Bruce, there is plenty of prior art that covers this. And rightly so! The problem here seems to be the US patent system as a whole. Patents on their own seem, at least to me, to be something useful. At least, useful to a degree. I don’t hold any patents so, if anything, I’m biased against the system. But I do see some worth in it. I can see the need to defend a new, unique idea, at least for a time. However, it seems that patents are being granted on the most ridiculous things! For instance, check out patent number 6,368,227. WHAT? Are you kidding me? A patent for swinging on a swing? Sure, it’s side to side instead of the traditional forward and backward swing, but give me a break. I did this when I was a kid, and probably in the same manner.

Check out this excerpt from the patent itself :

“It should be noted that because pulling alternately on one chain and then the other resembles in some measure the movements one would use to swing from vines in a dense jungle forest, the swinging method of the present invention may be referred to by the present inventor and his sister as ‘Tarzan’ swinging. The user may even choose to produce a Tarzan-type yell while swinging in the manner described, which more accurately replicates swinging on vines in a dense jungle forest. Actual jungle forestry is not required.”




It seems to me that the patent system needs a major overhaul. I swear I’m not trying to jump on the bandwagon here, but when larger companies start leveraging these ridiculous patents, I get a bit scared. I’m just as open to getting sued as RedHat is. I think most of the uproar over the Firestar patent has to do with them suing an Open Source company, but the same remains true for any other company. For instance, the patent dispute against RIM. My main issue with that case isn’t so much the content of the patents, but rather the company that held the patents. NTP is a holding company. The entire reason NTP exists is as an entity that owns patents and collects fees based on usage of those patents. From my point of view, this is extortion. Basically, these companies hold the patents and require the user of the patent to pay fees for continued use. But they never use the patent themselves! In fact, given the task, I doubt any patent holding company could ever hope to implement any of the patents they hold.

But even patents that are blatantly obvious and are easily overturned are still extremely harmful. The second case that Bruce mentions is against a small open-source developer, Bob Jacobsen, who makes no money from his creation, JMRI. KAM, the company that filed the claim, holds the rights to patent 6,530,329 which outlines a method for sending commands from a computer to a model train.

This *sounds* like a patentable idea to me, but, upon further inspection, they haven’t really invented anything. First, they seem to be using pre-existing hardware and merely writing software to control it. Second, it’s basically a queueing system. Essentially, the patent outlines how a queue works. User 1 sends a command and the digital controller sends an acknowledgement; a second user sends a command and the same process occurs; and so on and so forth. The interesting part here is that the patent language makes it a point to explain that these acknowledgements are intended to inform the user that the action requested has taken place, when, in fact, it is merely queued. I can think of some other ways to do this, but the idea generally works. So where’s the new invention? It sounds to me like they took a pre-existing system and added a queue. That’s patentable?

So, because they have this patent, they have decided to sue Mr. Jacobsen. They are asking for $19 per user of JMRI. I’m not entirely sure how they determined how many users JMRI has, but my guess is that they merely looked at the number of downloads the software has received. It looks like version 1.4 received about 11000 downloads which is about right for the $200,000 they’re apparently asking for. However, it appears that there may be plenty of prior art to fight this claim, so what’s the big deal? The problem here is that Mr. Jacobsen probably doesn’t have a few thousand dollars lying around that he can use to defend himself. Depending on how the lawsuit proceeds, it can possibly take several months or years to either overturn the patent, or lose the case. Either way, it would cost Mr. Jacobsen a lot of money he likely doesn’t have.

This type of patent abuse only serves to hurt everyone in the long run. Some developers may stop developing, or at least stop releasing their code out of fear. If small developers can be sued like this, even for patents that were so obviously granted without proper review, then they run the risk of losing more than just the right to develop a product. OSS developers are usually independent and don’t have the luxury of a corporate umbrella to protect them. They run the risk of losing everything they own. Something needs to be done about this system.


Here are some of my ideas for patent reform. They are listed in no specific order :

  • Existing patents should be re-examined for validity.
  • Any patent over a certain age should be considered public.
  • Any patents held by companies that are not implementing them should be given two choices. Either start working on an implementation of the patent, or sell the patent to a company that will implement it. Either way, a deadline should be set to prevent the company from sitting on the patent. If they exceed the deadline, the patent should be placed into the public domain.
  • All new patents should be scrutinized for validity beyond the current methods. If insufficient expertise is available at the patent office, then an expert in that area should be consulted.
  • All new patents should be open to public review. (I believe this is already the case, but I may be mistaken)
  • All granted patents should have a shelf-life. This shelf-life should be the same across all patents regardless of what the patent is on.
  • Patents on software should either not exist at all, or should be very critically and very carefully reviewed before being granted. There are too many ways patents like this can be exploited.


I’m sure there is a lot more that should be covered, but this, at least, is a start. This would put everyone on a level playing field and help prevent the stifling of innovation. Let’s get real here. If patents such as the Object Relational Mapping patent are allowed to survive and are enforceable, then innocent developers such as myself and others are in danger. I have no prior knowledge of the existence of that patent, and I never would have bothered to check. This, to me, seems to be a common sense bit of programming!


Hopefully we’ll see a larger movement to reform the current patent system, or to do away with it entirely. While there is worth in the system as it is today, I think it has much more potential to do harm.

BumpTop : Taking your messy desk into cyberspace

Slashdot had an interesting story today about a new type of desktop organization called BumpTop. It’s definitely interesting from a “wow” perspective, but I’m not sure how useful it is in practice. Basically, it allows you to treat your files like magazines on a table. You can stack them, knock them down, toss them about. And then there are some useful tools like sorting, auto stacking, and searching.


It seems to be pretty processor intensive from the outside, though. The graphics are decent, but it seems to use true physics to control the movement and behaviour of the icons. They collide against each other, fall over, bounce around, etc. Seems to be a little much, but I guess processor power is increasing while cost is decreasing.


There have been other desktop improvements suggested over the years. One of the more popular styles is the 3D desktop design. Sphere is an example of this design. Basically, all of the windows become 3D objects that can be manipulated, moved around in a three dimensional state, tacked up in various areas, etc. I tried it back when it was in Beta. Pretty neat, but not something I wanted to use on a regular basis. Checking today, it looks like they’ve added an IE version as well that looks to do the same thing, but for individual web pages.


The idea of an alternate desktop is a neat one. I’m not sure what direction the future will go in, but it’s likely that it will have a lot to do with physical interactions such as pen and touch screens. And, perhaps, even further into the future we’ll see 3D interactive holographic systems. Something along the lines of a Star Trek Holodeck.


Wow, the future is exciting…

Review: Star Wars Battlefront II (PSP)

Anticipation : 7
Expectation : 7
Initial Reaction : 7
Overall : 7
Genre : Third-Person Shooter

Star Wars is a franchise near and dear to my heart, having grown up with the original three. (Let’s not delve into the recent three) Battlefront gives you the ability to immerse yourself in that universe and wage war using the weapons and vehicles seen in the movies.


The PSP version of this game is merely a port of the PS2 version with a few extras thrown in. Unfortunately, the controls seem to be a little lacking. They definitely tried to get creative, using the S/C/T/X buttons as camera controls. But, overall, the controls seem a little lacking. Or maybe I just haven’t played enough to find the right combination. Without fine camera control, hitting some of the enemies is a little tough, even with the auto-aim feature enabled.


The graphics are basically the same as the PS2 version, just on a smaller scale. The action is intense and fast paced. Overall, it’s a great game and lots of fun to play. I recommend it to any Star Wars fan, or any fan of shooters in general.


Whois Query Fun


I ran across a really neat way to use the whois tool in Linux the other day. There is apparently a lot more information available than I knew about! Check out the full article for more.

Basically, in addition to the normal owner/tech contact data that you can get from the standard whois servers, and the IP block assignment information you can get from ARIN, there’s also some additional IP information you can get from Cymru. Specifically, you can run queries against ‘’ to determine what ISP hosts/owns the netblock. Check it out :

[user@localhost ~]$ whois -h

AS | IP | AS Name

33241 | | EMCS-AS – Endless Mountain Cyb

In addition to that, you can also check another server, ‘’ to check for upstream peers. Extremely useful for determining how “connected” a provider is when you’re looking for new service. Or, for determining what providers you need to talk to for help in blocking possible attacks. Check it out :

[user@localhost ~]$ whois -h

PEER_AS | IP | AS Name
3593 | | EPIX – EPIX
3737 | | PTD-AS – PenTeleData Inc.

Overall, I find this to be quite useful and I’ll definitely be using it! I hope you find it just as useful…


AJAX Security

I read an interesting article today over at Darknet. It brings to light some of the “new” techniques that can be used to exploit newer Web 2.0 applications.


The article was an interesting read and got me thinking about application security again. I find myself spending more and more time on security in an application, and less time on features and actual logic. Generally I’m splitting coding time between idiot proofing the application so the end user is forced to put in the right data, and hack proofing the code against would-be hackers. Even with custom frameworks to handle the boring bits, it still takes a lot of time and effort to make sure you’ve covered your bases. Oh well, such is the world we live in nowadays.

The new ways to exploit applications are interesting as well. Actually, most of them aren’t new, but rather the same old hacks used to exploit the new way of doing things. For instance, in an AJAX application you pass information between the browser and the server, behind the scenes. Ok, all well and good, but how do you make sure you’re still talking to the original browser that opened the request? You could use a cookie, or perhaps some sort of a session ID. Maybe a combination of the two. And on top of it, you might check the User Agent string and the referrer URL. Mind you, this can all be spoofed. In fact, spoofing the UA and referrer is extremely easy and can be done with tools like curl and wget. So what is the best way to secure these apps?

I haven’t really started working with AJAX very seriously, so I haven’t done much research into the matter. But, thinking about it, maybe there is a way to secure things a little better? Perhaps a variable in the browsers memory rather than a cookie? Combined with a session ID? Right now I like to secure my apps by using a combination of a session ID, the IP address of the user, and a cookie with seemingly random data in it. This has worked pretty well thus far, but I’m not sure how hard anyone has tried to hack it. I’m definitely interested in more security, though, provided it doesn’t slow things to a grinding halt.
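One way to build the check discussed above, as an added example that is not the author's code: the session ID travels in a cookie, while a second token derived from it with a server-side key is held in a script variable and sent as a request header, so a request that carries only the cookie is refused. The class name, the idea of a dedicated header, and the sample addresses are assumptions made for the illustration; the optional IP binding mirrors the author's own approach.

```python
import hashlib
import hmac
import secrets
import time


class SessionStore:
    """Server-side sessions: random ID in a cookie plus a MAC-derived request token."""

    def __init__(self, key=None, ttl=1800, bind_ip=True, clock=time.time):
        self._key = key or secrets.token_bytes(32)  # server secret, never sent out
        self._ttl = ttl                             # idle timeout in seconds
        self._bind_ip = bind_ip                     # IP binding, as the post describes
        self._clock = clock
        self._sessions = {}

    def _token_for(self, session_id):
        # Keyed MAC of the session ID: the server can recompute it, but a
        # client that only holds or guesses a session ID cannot.
        return hmac.new(self._key, session_id.encode(), hashlib.sha256).hexdigest()

    def login(self, user, client_ip):
        """Return (cookie value, token for the page's script to keep in memory)."""
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {"user": user, "ip": client_ip,
                                      "seen": self._clock()}
        return session_id, self._token_for(session_id)

    def check(self, cookie_sid, header_token, client_ip,
              user_agent=None, referer=None):
        """Validate one AJAX request. Returns (user or None, reason)."""
        # user_agent and referer are accepted but never consulted: the client
        # sets them freely, so they prove nothing about who is calling.
        session = self._sessions.get(cookie_sid or "")
        if session is None:
            return None, "unknown session"
        if self._clock() - session["seen"] > self._ttl:
            del self._sessions[cookie_sid]
            return None, "expired"
        expected = self._token_for(cookie_sid).encode()
        supplied = (header_token or "").encode("utf-8", "replace")
        # Constant-time comparison, so timing does not leak matching prefixes.
        if not hmac.compare_digest(expected, supplied):
            return None, "bad request token"
        if self._bind_ip and client_ip != session["ip"]:
            # Address changed mid-session: drop the session, force a new login.
            del self._sessions[cookie_sid]
            return None, "address changed"
        session["seen"] = self._clock()
        return session["user"], "ok"


if __name__ == "__main__":
    store = SessionStore()
    sid, token = store.login("alice", "192.0.2.10")       # constructed values
    print(store.check(sid, token, "192.0.2.10"))           # cookie + header token
    print(store.check(sid, None, "192.0.2.10"))            # cookie only: refused
    print(store.check(sid, token, "198.51.100.7"))         # other address: refused
```

Binding to the IP address will log out users whose address changes mid-session (mobile networks, some proxies), which is why it is a switch here rather than a fixed rule.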

Of course, there’s always the one true way for security. Unplug it. Turn it off. If it’s not running, it can’t be broken into.. Well, not yet anyways.. There’s always the quantum level.

Qmail SPP 0.42

Pawel Foremski is preparing to release the latest version (0.42) of his qmail-spp patch for qmail. This incredibly useful patch allows you to modify the behaviour of qmail, on the fly, through use of external scripts. These external scripts can be written in any programming language that allows STDIN and STDOUT. I have found this to be incredibly useful and it has helped tremendously when targeted by spammers and virii.


There was some initial concern about the overhead involved with calling an external program for processing, but my fears have been calmed since then. I’ve seen this patch in production on machines processing over 250,000 emails per day. That’s a LOT of email.


The patch allows you to inject special processing during specific portions of the smtpd process. These areas include HELO/EHLO, MAIL, RCPT, DATA and (if supported) AUTH. There is also another hook available when the client connects, before any data is transferred between the client and server. These 6 areas allow for a massive amount of power. For instance, you can interrupt the process right after the HELO/EHLO and run an spf plugin. Or, you can check the from address during the RCPT portion and determine if the user is relaying, and if they’re allowed. Basically, a chkusr function. Tarpitting is fairly simple at the RCPT level as well. The initial connection point is a great time to check for blacklists. In fact, you can set different SPP config files for use depending on where the connection originates. Thus, you can add additional RBL lists depending on the source. So, you can skip RBL altogether for known local connections, and use a wider range of blocklists for external connections. All in all, the flexibility is incredible.
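A sketch of a RCPT-stage plugin combining the mailbox check and tarpitting described above; it is an added example, not code from qmail-spp or from the author's toaster. The environment variable names (SMTPRCPTTO, SMTPRCPTCOUNT, SMTPAUTHUSER, RELAYCLIENT) and the `E<code> <text>` reply line are assumptions about the plugin interface that should be checked against the qmail-spp documentation for the installed version; the mailbox list and thresholds are constructed.

```python
#!/usr/bin/env python3
import os
import sys
import time

# Constructed sample data: the mailboxes this server really hosts.
LOCAL_MAILBOXES = {"postmaster@example.org", "alice@example.org"}
TARPIT_AFTER = 5    # recipients accepted before the delay starts
TARPIT_DELAY = 3    # seconds added to each further RCPT
MAX_RCPT = 20       # hard limit per message


def rcpt_plugin(env, sleep=time.sleep):
    """Decide one RCPT command; return the lines to print for qmail-smtpd.

    An empty list means "no opinion", so qmail-smtpd carries on as usual.
    """
    # Authenticated users and clients already marked as allowed to relay
    # skip the checks, in the same spirit as skipping RBLs for local hosts.
    if env.get("SMTPAUTHUSER") or "RELAYCLIENT" in env:
        return []

    try:
        count = int(env.get("SMTPRCPTCOUNT", "0"))
    except ValueError:
        count = 0   # unparsable counter: treat as the first recipient

    if count >= MAX_RCPT:
        return ["E452 too many recipients, send the rest in a new message"]
    if count >= TARPIT_AFTER:
        # Tarpit: slow down senders that list many recipients in one session.
        sleep(TARPIT_DELAY)

    # chkusr-style check: refuse recipients that have no mailbox here.
    rcpt = env.get("SMTPRCPTTO", "").strip().lower()
    if rcpt not in LOCAL_MAILBOXES:
        return ["E550 sorry, no mailbox here by that name"]
    return []


if __name__ == "__main__":
    for line in rcpt_plugin(os.environ):
        print(line)
    sys.stdout.flush()
```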


I highly recommend the use of this patch for any qmail installation intended for normal mail use. Obviously if you’re never going to allow mail delivery, there’s no real point, but if you need a strong, secure mail server, this is definitely a step in the right direction. In fact, I worked with Pawel to create a patch that will work with the SMTP AUTH/TLS patch that Bill Shupp put together. Bill has a nice page with a complete qmail toaster on it. His toaster was the basis for my own foray into the qmail scene, and I owe a lot to the work he’s done. I’ve built my own toaster based loosely on his, but using the qmail-spp patch, and some of my own experience. You can find my toaster by either clicking here, or on the link to the right.