Comment: What could possibly go wrong? (Score 2) 129

Given the rousing success of .mail, which immediately succeeded in reducing spam to a...oh...wait...

And then there's .pro, which is used exclusively by millions of professionals and...oh...umm...

Alright, never mind that. Of course it will be secure, because a well-known security company is on the job and...oh...errrrmm... Verisign, Pillar of Internet Security, Hacked...

Doesn't matter. I'm certain it will work perfectly. I mean, really, what blackhat would target a .secure domain? Everyone knows they're secure.

Comment: Re:Universities should NEVER outsource email (Score 1) 172

But it's still cheaper and easier to use google apps

(a) No, not if you have competent IT staff, it's not and (b) should universities REALLY have email service provided by the lowest bidder?

With respect to (b), email has been an integral part of campus communication systems for 20+ years. It carries everything from class assignments to administrative discussions to sports chit-chat to well, EVERYTHING else. It's a key part of the function of the university by now, and because it is, much of what it carries needs to remain private, for varying values of "private". Outsourcing to someone who says that they can do it cheaply -- and then of course will just cookie-cutter another mail service instance just like all the other ones -- shows really poor judgment. Doubly so when the chosen outsource vendor has a very, very, very long history of miserable performance on privacy issues. Triply so when there is no reason on the table (at the moment) to believe that they'll attempt to defend it against wholesale harvesting by government agencies. (Your own university might not either, or they might not do so very well -- but historically, universities as a class have shown vastly more spine than Google has. And at least if they're compelled to, you have a decent chance of finding out that they have -- whereas with Google, you're likely to hear nothing.)

Incidentally, I've run email services ranging in size from "a few" to "a few million" users, and I've run some of them in academic environments -- i.e., I'm not speculating.

Comment: Universities should NEVER outsource email (Score 1) 172

1. It's too open to issues: security, privacy, conflict-of-interest, reliability, etc. Everyone knows (or should know) that Google's and Microsoft's and Yahoo's mail services are "loss leaders": they exist only (a) to drive customers to products that make money and (b) to monetize as much private information about users as possible. That's why it should surprise nobody that the latter two are absolutely hideous: completely overrun by spammers years ago -- and the former muddles along at a minimally acceptable quality level, no better.

2. Any university that can't stand up a functional mail service really needs to evaluate its IT capabilities. It's not hard. I know, I've done it many times. In fact, it gets easier every year due to (a) reduction in server costs (b) improvements in open-source software (c) improvements in load-balancing/fault-tolerance/scalability hardware and software and (d) reduction in storage costs. To put it another way: it's only hard if you make it hard. If you do stupid things like using Exchange, using Outlook, trying to implement mail quotas, failing to teach people how to send links instead of files, trying to use hideously-overpriced commercial anti-spam "solutions" that are anything but, and so on, then YES it will be hard. But if you do smart things -- like using open source throughout, like realizing that in any email environment at most 1% of the people will be storage hogs and it's silly to design an entire infrastructure just to deal with them, like paying attention on mailop/postfix/courier/sendmail/dovecot/imap/etc. mailing lists, like figuring out that basic traffic analysis will give you an awfully good first approximation to the whitelisting you'll need -- then it's just not that difficult. Or expensive.

3. The corpus of mail generated and received by a university community has value -- monetary and otherwise -- to third parties. Therefore there exists a nonzero set of potential buyers. Within that exists a subset who have sufficient funding and sufficient motivation to attempt to acquire it. And within that exists another subset who will succeed. When email is outsourced, the most cost-effective and expedient path to that goal is to identify someone who works for the outsourced supplier and bribe or blackmail them. If they're even modestly clueful, they'll be able to maintain full plausible deniability. Granted, this risk exists even with university employees, but at least (a) they have a dog in the fight and (b) they're subject to university discipline.

Bottom line: the myth that email is hard/expensive is just that. It's really quite easy and quite cheap, when done in-house and done properly. And while doing it in-house doesn't guarantee privacy, security, or anything else, it's a far better bet.

Comment: Great. MORE inscrutable icons. (Score 1) 61

The average web site is now loaded with buttons and icons whose meaning is obvious...once you know their meaning. (Look at this one, for example.) Adding still more is not forward progress.

I think it's a useful exercise for all web designers to attempt to use their sites in text-only browsers. Not only does this give at least some appreciation for the difficulties of handicapped users, but it tends to highlight problems that affect all users. It strips away all the eye candy and leaves only the skeleton of basic function -- and sometimes that function isn't very good. I'm not just talking about navigation (although that's often an issue) but communication: is it obvious INSTANTLY to someone what the site is trying to tell them? Or is the site using some cute and idiosyncratic mechanism that everyone involved thinks is great...but which leaves users with "huh?".

Comment: This is why all anti-spam laws are a joke (Score 1) 74

by Arrogant-Bastard (#39929131) Attached to: Facebook Spammers Make $20M, Get $100K Fine
First, the obvious reason: as we've seen over and over and over again, spammers can make huge sums of money and then settle up pre-trial for a fraction of it. Then they can dissolve the company, move somewhere else, reincorporate, and use both the capital acquired and the lessons learned to try their hand at something even more abusive. The classic example of this is Sanford Wallace, but he's not the only one.

Second, the non-obvious reason: Facebook are spammers. But we don't see any AG going after them, because they're big and powerful, and they've wrapped themselves in the cloak of corporate respectability.

Comment: A multi-tool approach may be necessary (Score 2) 247

First, let's presume you're running Linux for what follows.

1. You're going to want to be familiar with both file(1) and find(1). File(1) is pretty straightforward, but be aware that its heuristics for file type detection vary in accuracy. If you're not find-literate, then at least get used to this construct:
find /foo/bar -name "*.jpg" -print | sort -u > /tmp/files.jpg
which will recursively search directory /foo/bar for all files suffixed ".jpg" and dump a sorted list of them into /tmp/files.jpg and this one:
find /foo/bar -type f -print | sort -u > /tmp/files.all
which will search the same directory, but will return a list of all (plain) files, that is, things which are not directories, devices, sockets, etc., sorted and dumped into file /tmp/files.all. (Note that the method by which find traverses filesystem trees won't yield sorted output, hence the need to pipe these through sort.)

2. You now have (a) a list of all jpg files and (b) a list of all files. (I picked jpg arbitrarily to illustrate the process, by the way.) You can now generate a list of all files that are NOT jpg with this:
comm -13 /tmp/files.jpg /tmp/files.all > /tmp/files.all2
The point of this exercise is that you can now repeat steps 1-2 with .gif, .mpg, etc., as you deal with each file type and reduce the remaining list to those awaiting your attention. /tmp/files.all3, /tmp/files.all4, etc. will each be smaller and eventually, if you deal with all files, /tmp/files.allX will be zero-length. Note that not all files have suffixes, of course -- and those without will likely be the ones requiring the most manual effort. If you want to know which suffixes are most numerous, something like
sed -e "s/.*\.//" /tmp/files.all | sort | uniq -c | sort -n
will give you a rough idea.

3. Now then...you'll need some tools for dealing with each file type. The first tool I'd use is stat(1), to check sizes for plausibility. Then things like jpeginfo(1), mp3val(1), tidy(1), will be some help, but of course you'll need to distinguish between "error message emitted because file is corrupt" and "error message emitted because file has minor issues...that it had BEFORE this episode". You may need to check the Ubuntu repository for tools you don't have; you may need to do some searching on the web for "Linux tool to check PDF integrity" and similar.

4. If you have backups of any kind and can restore them, then you could try using sum(1) to compare checksums pre- and post-incident. This is a filetype-invariant method, which is good because it lets you skip the above...but bad because all it will tell you is "different", not "mildly damaged" or "horribly corrupted" or something in between.

5. I would recommend against deleting anything at this point. Instead, move it to secondary storage, like an external drive. I don't have a specific reason for advising this, other than "many years of experience doing partially-manual, partially-automated things like this and a recognition that sometimes errors in the methodology...or fatigue introduced by the tedium of executing it...lead to mistakes".

6. Good luck.
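As an added example (not part of the comment above, and not the commenter's own script), the following shell script runs the find/sort/comm procedure from steps 1-4 end to end against a small throwaway tree that it constructs itself. The sample file names, the extension list (jpg, gif, pdf) and the "zero-length means implausible" check standing in for the stat(1) step are assumptions chosen for illustration. Two practical caveats are built in: comm(1) only works if both inputs were sorted under the same collation (hence LC_ALL=C), and a plain sed strip of everything up to the last dot reports the entire path as a "suffix" when the file name has no dot, so the histogram here counts those as "(none)".

```shell
#!/bin/sh
# Added example: file-type triage with find / sort / comm / uniq.
# Everything below is illustrative; the sample tree is constructed here.
set -eu
export LC_ALL=C     # sort(1) and comm(1) must agree on collation

# make_sample_tree: build a constructed directory tree and print its path.
# Assumption: mktemp -d is available and the temp dir is writable.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/photos/2012" "$root/docs"
    printf 'JFIF'        > "$root/photos/a.jpg"
    printf 'JFIF'        > "$root/photos/2012/b.jpg"
    printf 'GIF89a'      > "$root/photos/c.gif"
    printf '%%PDF-1.4'   > "$root/docs/report.pdf"
    printf 'no suffix'   > "$root/docs/README"      # no extension at all
    : > "$root/docs/empty.txt"                       # zero bytes: implausible
    printf '%s\n' "$root"
}

# list_suffix TREE EXT OUT: sorted list of regular files named *.EXT
list_suffix() {
    find "$1" -type f -name "*.$2" -print | sort -u > "$3"
}

# list_all TREE OUT: sorted list of every regular file (no dirs, devs, sockets)
list_all() {
    find "$1" -type f -print | sort -u > "$2"
}

# remaining ALL HANDLED OUT: lines in ALL that are not in HANDLED.
# comm -13 suppresses column 1 (only in HANDLED) and 3 (in both).
remaining() {
    comm -13 "$2" "$1" > "$3"
}

# suffix_histogram LIST: count suffixes, least common first.
# Names without a dot are reported as "(none)" instead of as the whole path.
suffix_histogram() {
    while IFS= read -r f; do
        b=${f##*/}
        case $b in
            *.*) printf '%s\n' "${b##*.}" ;;
            *)   printf '(none)\n' ;;
        esac
    done < "$1" | sort | uniq -c | sort -n
}

# implausible LIST: print files whose size is zero (a crude stat(1)-style check)
implausible() {
    while IFS= read -r f; do
        [ -s "$f" ] || printf '%s\n' "$f"
    done < "$1"
}

# triage TREE: peel off one extension at a time as in steps 1-2 and print
# how many files are still waiting for manual attention.
triage() {
    w=$(mktemp -d)
    list_all "$1" "$w/files.all"
    cur="$w/files.all"
    i=1
    for ext in jpg gif pdf; do
        list_suffix "$1" "$ext" "$w/files.$ext"
        i=$((i + 1))
        remaining "$cur" "$w/files.$ext" "$w/files.all$i"
        cur="$w/files.all$i"
    done
    wc -l < "$cur" | tr -d ' '
}
```

Running `triage "$(make_sample_tree)"` on the constructed tree leaves two files unhandled (README and empty.txt), which is exactly the "no suffix" residue the comment warns will need the most manual effort; `implausible` on the full list flags only the zero-length file.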

Comment: Re:No. Please Stop (Score 1) 282

by Arrogant-Bastard (#39888179) Attached to: Mozilla Ponders Major Firefox UI Refresh
Welcommmmmmme to the machine.

No, wait, wrong reference.

Welcome to the dumbing down of the Internet, which is increasingly compromised at all levels of software designed to cater to the stupid, the clueless, the impatient, the vapid, the illiterate, the uneducated, the ignorant, the selfish...and not at all to those who are even modestly intelligent, resourceful, and self-educating.

If you can understand "find /etc -type d -print" or any of its thousands of equivalents, you're now among a tiny few who actually take some kind of interest in how things work. The vast majority just wants to hand over their private data to spammer Mark Zuckerberg, blather away in worthless 140-character sound bites, and look at cat pictures. The Internet, for them, is entertainment and shopping mall, because that's the height of their pitiful intellectual activity.

And the Firefox, the Ubuntu, the Gmail developers and more are enabling them, because they lack the spines to say "no".

Comment: Dear Mozilla developers -- a brief wishrant (Score 3, Insightful) 282

by Arrogant-Bastard (#39881007) Attached to: Mozilla Ponders Major Firefox UI Refresh
As someone who has been using web browsers since before some of you were born, I'd like to make a few comments on this latest foray into copying either Chrome or that spawn-of-evil, Metro.

Alright, one comment. A very brief comment.

No.

Firefox does not need its UI endlessly tweaked by a circle jerk of self-congratulatory programmers who rejoice at every spline and every pixel-level change. Firefox needs the following:

1. Bug fixes. There are a lot of them pending. Have you noticed? I have. It's not nearly as much as fun as playing with the UI, but it needs to be done. (Yes, I've helped. But I'm getting damn tired of writing extremely detailed, carefully researched bug reports that sit in the queue indefinitely.)

2. Security and privacy improvements. A substantial subset of the functionality of NoScript, AdBlock Plus, Better Privacy, Beef TACO, Disconnect, BlockSite, BugMeNot, ShareMeNot and oh yes, HTTPS Everywhere, needs to be IN THE BROWSER. Not an add-on. IN THE BROWSER. Hell, you have a budget: buy the technology if you have to, but get it in. Security and privacy are NOT add-ons, they're core functions. Make it happen.

3. Resource usage. Not everyone on this planet is wealthy enough to afford a new laptop every two years just to run a web browser. And make it possible for users to clamp memory footprint, CPU utilization, and other resources so that they don't find their web browser eating their system alive.

4. Standards compliance. I don't care if you think some of the standards suck -- I think they do too. Do it anyway.

5. Stop dumbing it down. THAT function should be in an add-on, call it "Training Wheels for Firefox".

6. If anyone suggests adding "social network" functions, please give my earnest sympathies to their surviving friends and family.

7. Respect Mah Authoritah! No automatic updates, no automatic checking for updates, nothing. (Why? Think about browser fingerprinting techniques and add-ons, and why some people really, REALLY don't want their browser to provide any clues to those who are doing DPI on the network they're connected through at the moment.)

8. Every icon in every panel needs to be set up as (a) icon only (b) text only or (c) icon and text. All of them. Because I'm getting damn tired of squinting at my 7" netbook screen trying to figure out WTF some squiggle means.

9. Get off my lawn!

10. Stop trying to out-Opera Opera, out-Chrome Chrome, and REALLY stop trying to out-IE IE. You have...had...a vision of a pretty good piece of software and somewhere around Firefox 4, you lost it. Stop. Go find it. Pick it up, dust it off, and tack it on the wall. Then pay attention to it.

Comment: This is obviously spam-for-hire (Score 4, Informative) 156

I recommend taking the following steps to defend your operations against spammer Gary Munitz:

1. Block all email to/from socialloot.com. (This might need updating if they register additional domains to avoid blocking. A very common spammer tactic is to use sequentially numbered domains, e.g., example01.com, example02.com, example03.com.)

2. Firewall out 122.252.6.0/24. Make sure the block is bidirectional so that nobody on your network can reach their allocation. (This will probably need updating if they receive an additional allocation.)

3. If you run a DNSBL or RHSBL, list the domain and the network allocation. If you maintain a list of spammer/phisher/abuser domains, add the domain.

4. If you run an ISP or similar operation, make it a policy that any user participating in this scam will be terminated immediately. Same for mailing lists, web forums, newsgroups, etc.

5. Do not hire anyone who has ever worked for socialloot.com. Make sure that words spread that working for spammer Gary Munitz is toxic.
