Hello. I run Gentoo and Exim 4.54 on my home cable modem. I'm getting
increasingly frustrated with this RBL ****. Many ISPs (AL, earthlink,
_eximlist_ etc.) are blocking mail from my domain simply because I
happen to be on a Comcast (Seattle, WA) dynamic IP. UGH!
I am researching ways to get around this BS.
The two I've found (and I'm open to ideas on any others)
And
Also, to be honest, I don't know a lot about email and all that
configuration of exim. I ran the packages and setup via some online
tutorials. I'm a web designer and simply want my own domain (which is my
name).
I have several small virtual hosts on the same box (friends and clones
of sites I've done, etc).
Also, is it possible to setup Exim such that these services to only take
effect for the problematic ISPs -- in other words, can I setup Exim so
that when mail is sent to AL/earthlink/THIS LIST/etc, it uses the
service/product, but if mail is sent to a domain that will accept my
mail fine, then Exim doesn't use the service/product and just uses the
normal mail system?
Daevid.
"You had me at EHL" (10.04.05)

According to Jason W.,
12/2/05, Daevid Vincent <daevid (AT) lockdownnetworks (DOT) comwrote:
Hello. I run Gentoo and Exim 4.54 on my home cable modem. I'm getting
increasingly frustrated

Welcome to the reality of life If you decide to live in a
neighborhood known for crime, don't be surprised if you're labeled a
criminal at some point

Sorry to say this, but you sound like one of those cops in
the suburban white neighborhood who blocked, with shotguns,
the refugees fleeing New with shotguns. It's not a
big step from your train of thought to racism.

Perhaps Dr. King would say today, that "I have a dream
yes, I have a dream that one day, people will not be
judged by the neighborhood of their IP address but by
the content of their connections"

T

Daevid Vincent wrote:

_eximlist_ etc.) are blocking mail from my domain simply because I
happen to be on a Comcast (Seattle, WA) dynamic IP. UGH!

this is not limited to comcast, it's very common today to add a negative
score (at least) to deliveries from dynamic addresses.

I am researching ways to get around this BS.

I saw services offering static addresses via tunnels, which is a nice
solution IMH you get some vserver, but that implies a higher
administrative burden.

The two I've found (and I'm open to ideas on any others)

What is better about that than using your provider's smarthost?

tutorials. I'm a web designer and simply want my own domain (which is my
name).

It's easier to go to some hosting company for that, then.

Also, is it possible to setup Exim such that these services to only take
effect for the problematic ISPs -- in other words, can I setup Exim so

Manually, yes, but you'll never know all of them. Some simply drop mail
without notice.

Fri, Dec 02, 2005 at 11:25:08PM -0800, Tony Godshall wrote:
According to Jason W.,
>Welcome to the reality of life If you decide to live in a
>neighborhood known for crime, don't be surprised if you're labeled a
>criminal at some point
Sorry to say this, but you sound like one of those cops in
the suburban white neighborhood who blocked, with shotguns,
the refugees fleeing New with shotguns. It's not a
big step from your train of thought to racism.

Perhaps Dr. King would say today, that "I have a dream
yes, I have a dream that one day, people will not be
judged by the neighborhood of their IP address but by
the content of their connections"

This isn't really a helpful statement. upon a time, it did happen like
that. The current situation is a response to the unbelievably high volumes
of crap emitted from these unsecured and un-virus-checked 24/7-connected
home PCs. Any responsible mail system administrator will not overspec a
machine to handle an appropriate volume of mail for their organisation (it
is equally as wrong to underspec it, to be fair). In order to handle the
volume of this, you have to seriously overspec it.

It is more appropriate, in terms of the limited resources available, to
ignore the much much less than 1% of home users on Cable/DSL lines who are
actually clued enough to send mail properly and cleanly, and tar the >99%
with the brush of "this connection is likely to be full of rubbish".

In the case of the quote above, the percentages weren't so stacked, even
if they were percieved to be. Unfortunately, in this case, the constant
reports I hear from colleagues and peers of having to un-spyware machines,
and having virus checkers find numerous different viruses, and the inability
of most people to update their software, means that I'm more inclined to
believe those figures. This is not racism, this is reality, more's the pity.

This discussion has been had to death many times. I'm afraid that if you want
to host your domain on a residential cable/dsl line, then you have to live
with the consequences. If your IP is dynamic, forget it, as there's little to
no traceability that I have, if it's static, that's a bit better, but why
should I trust you any more than the compromised windows boxes on either side
of you by IP?

Cheers

MBM

Sat, 3 Dec 2005, Matthew Byng-Mad**** reminds us that:

Fri, Dec 02, 2005 at 11:25:08PM -0800, Tony Godshall wrote:
[]
Sorry to say this, but you sound like one of those cops in
the suburban white neighborhood who blocked, with shotguns,
the refugees fleeing New with shotguns. It's not a
big step from your train of thought to racism.

My advice to you: don't waste your ammunition in this futile way.
Even if you managed to convince the subscribers to this list (which
I'd rate as unlikely, but hey), it wouldn't make an appreciable
difference to the Big Picture. Dynamic addresses already /are/ widely
blocked, and generic addresses are increasingly being blocked, by
local policies based on the general principle that anyone can offer
mail, but nobody's forced to accept it. Let me be candid with you: if
you hope to operate a properly constituted MTA on the real live
Internet, you better wake up to the reality out there, instead of
hoping to impose your own rules by false analogies.

This isn't really a helpful statement. upon a time, it did
happen like that. The current situation is a response to the
unbelievably high volumes of crap emitted from these unsecured and
un-virus-checked 24/7-connected home PCs. Any responsible mail
system administrator will not overspec a machine to handle an
appropriate volume of mail for their organisation (it is equally as
wrong to underspec it, to be fair). In order to handle the volume of
this, you have to seriously overspec it.

Indeed.

best regards

According to Matthew Byng-Mad****,
Fri, Dec 02, 2005 at 11:25:08PM -0800, Tony Godshall wrote:
According to Jason W.,
>Welcome to the reality of life If you decide to live in a
>neighborhood known for crime, don't be surprised if you're labeled a
>criminal at some point

Sorry to say this, but you sound like one of those cops in
the suburban white neighborhood who blocked, with shotguns,
the refugees fleeing New

This isn't really a helpful statement. upon a time, it did happen like
that. The current situation is a response to the unbelievably high volumes
of crap emitted from these unsecured and un-virus-checked 24/7-connected
home PCs

I respectfully submit that a machine running *nix with
proper DNS and SPF should not be lumped in with "unsecured
and un-virus-checked". I don't get what IP-checking gets
you that DNS/SPF-checking doesn't. Are you arguing that it
takes a lot more CPU?

This is not racism, this is reality, more's the pity.

Indeed I did not say it *was*, I just said the arguments are
similar. In this case it might be called "corporatism"- that
only large organizations with the resources to buy the "right
kind" of connections may host domains.

This discussion has been had to death many times. I'm afraid that if you want
to host your domain on a residential cable/dsl line, then you have to live
with the consequences

Well, my machine is in my residence, but it's the extra-special
"small business" plan that has the static IP address. Where do
you draw the line?

If your IP is dynamic, forget it, as there's little to
no traceability that I have,

My IP is not dynamic, but it may well be in the middle of a
dynamic block. Those who block me on this basis are f**kin
corporatists ;-P

if it's static, that's a bit better, but why should I trust
you any more than the compromised windows boxes on either side
of you by IP?

Uh, because my DNS records point to it. I haven't seen any
virus or worm that can do that.

Well, like you say, the discussion here doesn't matter much.
The market will takes its toll, both on ISPs that overblock
and on ISPs that undersecure. Some people are learning that
there are advantages to having your e-mail separate from
your pipe, which makes it easier to switch and harder for
ISPs to hold people by intertia.

Sat, Dec 03, 2005 at 10:48:08AM -0800, Tony Godshall wrote:
According to Matthew Byng-Mad****,
>Fri, Dec 02, 2005 at 11:25:08PM -0800, Tony Godshall wrote:
According to Jason W.,
Welcome to the reality of life If you decide to live in a
neighborhood known for crime, don't be surprised if you're labeled a
criminal at some point
Sorry to say this, but you sound like one of those cops in
the suburban white neighborhood who blocked, with shotguns,
the refugees fleeing New
>This isn't really a helpful statement. upon a time, it did happen like
>that. The current situation is a response to the unbelievably high volumes
>of crap emitted from these unsecured and un-virus-checked 24/7-connected
>home PCs
I respectfully submit that a machine running *nix with
proper DNS and SPF should not be lumped in with "unsecured
and un-virus-checked". I don't get what IP-checking gets
you that DNS/SPF-checking doesn't. Are you arguing that it
takes a lot more CPU?

Where does SPF come into the equation? As has already been pointed out to
you in this thread, SPF is one of the first things that spammers set up
these days. If it has proper DNS, that to me means:
- it HEL as something which looks up to its name
- looking up the reverse for its IP address yields an A/AAAA record which
looks up to that IP address.
(preferably the two things are the same, too)

I don't care what the machine is running, I've seen plenty of Unix open
relays in my time

If that machine has "dsl" "cable" or some variant of the least significant
parts of the IP address in its reverse lookup name, then I reserve the
right to tell it where it can go

>This is not racism, this is reality, more's the pity.
Indeed I did not say it *was*, I just said the arguments are
similar. In this case it might be called "corporatism"- that
only large organizations with the resources to buy the "right
kind" of connections may host domains.

So, me, the hobbyist, is weird for having "the resources to buy the right
kind of connection". I don't think that's true. This is a bogus argument.
These days, vhosts are cheap and reliable, co-los are not terribly much
more, and you'll get proper mailhosting on that.

>This discussion has been had to death many times. I'm afraid that if you
>want to host your domain on a residential cable/dsl line, then you have
>to live with the consequences
Well, my machine is in my residence, but it's the extra-special
"small business" plan that has the static IP address. Where do
you draw the line?

When you show me that there's a proper audit trail from me reporting abuse
from your machine to your ISP taking appropriate actions, and where there's
a sufficiently small number of abuses that this is actually useful. Until
then, live with the consequences. Noone suggested that small businesses were
any more able to manage a mail system.

>If your IP is dynamic, forget it, as there's little to
>no traceability that I have,
My IP is not dynamic, but it may well be in the middle of a
dynamic block. Those who block me on this basis are f**kin
corporatists ;-P

I see. I would prefer to call them "sensible", actually, for the overspec
reasons that I've stated above. I'm sorry, but if it really matters to you
then you're going to have to set up a virtual machine with some provider
and host your mail there. When you connect, I'm not going to do p0f to find
out what you're running (actually, I may soon, but that's another story),
so to be honest, it doesn't really matter to me whether you're running
windows or a unix-like or even something completely crazy like VMS. You've
come from a cable/dsl block, and therefore you are >99% likely to be a
compromised windows machine spewing crap to me. Please explain why I should
spend the CPU resources to hold the mail conversation with you on that
basis?

>if it's static, that's a bit better, but why should I trust
>you any more than the compromised windows boxes on either side
>of you by IP?
Uh, because my DNS records point to it. I haven't seen any
virus or worm that can do that.

You appear not to know very much about running large mail systems, but
you may find that like the split in any sensible size of DNS resolvers
and DNS authority servers, it is often sensible to split inbound MX and
outbound relays. What does your DNS pointing to your domain mean, not
a lot, unfortunately

Well, like you say, the discussion here doesn't matter much.
The market will takes its toll, both on ISPs that overblock
and on ISPs that undersecure. Some people are learning that
there are advantages to having your e-mail separate from
your pipe, which makes it easier to switch and harder for
ISPs to hold people by intertia.

Yes, indeed. The number of people using various webmail systems as their
primary mail makes that obvious. ISPs that overblock will lose customers
who think they know better. ISPs that undersecure will find themselves
unable to talk to most of the internet. I'm actually considering starting
to block by AS number, too, so any ISP that advertises itself as
"spam-friendly" based in china can't do anything.

Cheers

MBM

Hi, everyone.

I'd like to apologize to Daevid Vincent for hijacking his
thread. I meant to just chime in with my experiences that
appeared to me to be related to his issues, but it looks
like the conversation has veered considerably.

According to Matthew Byng-Mad****,
Sat, Dec 03, 2005 at 10:48:08AM -0800, Tony Godshall wrote:
According to Matthew Byng-Mad****,
>Fri, Dec 02, 2005 at 11:25:08PM -0800, Tony Godshall wrote:
According to Jason W.,
Welcome to the reality of life If you decide to live in a
neighborhood known for crime, don't be surprised if you're labeled a
criminal at some point
Sorry to say this, but you sound like one of those cops in
the suburban white neighborhood who blocked, with shotguns,
the refugees fleeing New
>This isn't really a helpful statement. upon a time, it did happen like
>that. The current situation is a response to the unbelievably high volumes
>of crap emitted from these unsecured and un-virus-checked 24/7-connected
>home PCs
I respectfully submit that a machine running *nix with
proper DNS and SPF should not be lumped in with "unsecured
and un-virus-checked". I don't get what IP-checking gets
you that DNS/SPF-checking doesn't. Are you arguing that it
takes a lot more CPU?

Where does SPF come into the equation? As has already been pointed out to
you in this thread, SPF is one of the first things that spammers set up
these days. If it has proper DNS, that to me means:
- it HEL as something which looks up to its name
- looking up the reverse for its IP address yields an A/AAAA record which
looks up to that IP address.
(preferably the two things are the same, too)

Really? DNS and SPF set up for infected zombies? That's
new to me. But I'm no long-time mail admin

I don't care what the machine is running, I've seen plenty of Unix open
relays in my time

Indeed. But that's generally a misconfig issue, not a "unsecured
and un-virus-checked 24/7-connected home PCs" issue.

If that machine has "dsl" "cable" or some variant of the least significant
parts of the IP address in its reverse lookup name, then I reserve the
right to tell it where it can go

Yeah, that's fine I guess- market forces will have their way.

>This is not racism, this is reality, more's the pity.

Indeed I did not say it *was*, I just said the arguments are
similar. In this case it might be called "corporatism"- that
only large organizations with the resources to buy the "right
kind" of connections may host domains.

So, me, the hobbyist, is weird for having "the resources to buy the right
kind of connection". I don't think that's true. This is a bogus argument.
These days, vhosts are cheap and reliable, co-los are not terribly much
more, and you'll get proper mailhosting on that.

It's also nice to have my machine under my, the hobbyist's,
direct control.

>This discussion has been had to death many times. I'm afraid that if you
>want to host your domain on a residential cable/dsl line, then you have
>to live with the consequences

Well, my machine is in my residence, but it's the extra-special
"small business" plan that has the static IP address. Where do
you draw the line?

When you show me that there's a proper audit trail from me reporting abuse
from your machine to your ISP taking appropriate actions, and where there's
a sufficiently small number of abuses that this is actually useful. Until
then, live with the consequences. Noone suggested that small businesses were
any more able to manage a mail system.

There's nothing inherent that makes a small business more
or less able to manage a domain than a large telco. Some
admins are there by compentence and can do their jobs, and
some are constrained by insane adminstrative policy, and
some are there by seniority or buttkissing ability.

>If your IP is dynamic, forget it, as there's little to
>no traceability that I have,

My IP is not dynamic, but it may well be in the middle of a
dynamic block. Those who block me on this basis are f**kin
corporatists ;-P

I see. I would prefer to call them "sensible", actually, for the overspec
reasons that I've stated above. I'm sorry, but if it really matters to you
then you're going to have to set up a virtual machine with some provider
and host your mail there. When you connect, I'm not going to do p0f to find
out what you're running (actually, I may soon, but that's another story),
so to be honest, it doesn't really matter to me whether you're running
windows or a unix-like or even something completely crazy like VMS. You've
come from a cable/dsl block, and therefore you are >99% likely to be a
compromised windows machine spewing crap to me. Please explain why I should
spend the CPU resources to hold the mail conversation with you on that
basis?

Yes, you've made that argument. I guess my smiley failed.

>if it's static, that's a bit better, but why should I trust
>you any more than the compromised windows boxes on either side
>of you by IP?
Uh, because my DNS records point to it. I haven't seen any
virus or worm that can do that.

You appear not to know very much about running large mail systems, but
you may find that like the split in any sensible size of DNS resolvers
and DNS authority servers, it is often sensible to split inbound MX and
outbound relays. What does your DNS pointing to your domain mean, not
a lot, unfortunately

Indeed, that's why I'm here. To learn. I think the compromised
windows boxes you are worrying about on the cable/dsl blocks
are generally *not* in DNS, but you seem to be contradicting
that above.

Well, like you say, the discussion here doesn't matter much.
The market will takes its toll, both on ISPs that overblock
and on ISPs that undersecure. Some people are learning that
there are advantages to having your e-mail separate from
your pipe, which makes it easier to switch and harder for
ISPs to hold people by intertia.

Yes, indeed. The number of people using various webmail systems as their
primary mail makes that obvious. ISPs that overblock will lose customers
who think they know better. ISPs that undersecure will find themselves
unable to talk to most of the internet.

Wow. We agree on something.

I'm actually considering starting
to block by AS number, too, so any ISP that advertises itself as
"spam-friendly" based in china can't do anything.

K, more to look into. Thanks for the jargon.

12/3/05, Tony Godshall <togo (AT) of (DOT) netwrote:

Welcome to the reality of life If you decide to live in a

Sorry to say this, but you sound like one of those cops in
the suburban white neighborhood who blocked, with

I also said I am a Comcast user as well, so that analogy is not valid.
I am in the same boat as everybody else runing an MTA on a dynamic IP.
The only difference is I understand that an MTA on a dynamic IP does
NT have the right to speak to every other mail server directly In
fact, your mail server has no right whatsoever to speak to any other
MTA except your smarthost that you pay for - that is a privilege and
should be treated as such. There's an expression for this, "My server,
my rules"

You've mentioned that you think your DNS should protect you. Do you
mean your reverse DNS? If that is the case, then people using reverse
DNS checks to block dynamic IP's won't block you. DNSBL's will still
get you tho - it is your ISP's responsibility to tell the blacklist
operators that your IP is not dynamic any more.

my MTA which accepts connections from port 25 from the world and
sends mail via a smarthost, you must have FCrDNS to send me mail.
Forward Confirmed Reverse DNS means the IP connecting to me must have
a PTR record that resolves to some name and that name should resolve
to the same IP that connects to me. I do this because I can block by
domain and not have to block by IP's and play whack-a-mole. Sure I get
false positives from people I need to speak with. But they learn their
server doesn't have rDNS and so it should be fixed. Some can't do that
and I have to whitelist them.

But there is no way that I will accept mail from ANY machine with
generic rdns like pcp486767pc.xx.comcast.net. I also do not expect
people to accept mail from me if I do not use my smarthost

Does anyone know of a software-agnostic list this sort of topic might
be better on? Seems T for exim-users.

Matthew Byng-Mad**** wrote:
and host your mail there. When you connect, I'm not going to do p0f to find
out what you're running (actually, I may soon, but that's another story)

I can't recommend this enough. I use a scoring system, and the 30 points
I award to Windows clients is enough to push a lot of spam above the
threshold.

This way I'm still able to accept e-mail from non-Windows clients with
generic (or no) rDNS or from clients listed in "dial-up" DNSBLs.

Bob

Tony Godshall wrote:

My IP is not dynamic, but it may well be in the middle of a
dynamic block. Those who block me on this basis are f**kin
corporatists ;-P

I had not found the need to block anyone on that basis.

But a professional mailadmin/sysdamin does not have an entirely free hand.

Quite aside from a growing list of often contradictory regulations and
upstream ToS,
- nearly impossible to keep abreast of - we are also expected to act as
a 'prudent man' would act.

That last part is easier, and includes avoiding obvious hazards to our
clientele.

You have proved the very point you are fretting about - that there are
too many
folk who are either clueless, rebellious, oblivious, hostile, arrogant,
all of the above,
or otherwise non-cooperative running MTA's on the fringe of the net.

And the net can't run without cooperation.

HEL 'Dude' wants 'togo (AT) of (DOT) net'?

Granted. And the horse you rode in on.

Bill Hacker

Hi, Jason.

And the net can't run without cooperation.

HEL 'Dude' wants 'togo (AT) of (DOT) net'?

Granted. And the horse you rode in on.

Hmmm. I gather there's an issue with dude's (my mail
server's) config? Sorry. I'll go inspect some headers.

Hi, Bill.

Welcome to the reality of life If you decide to live
in a

Sorry to say this, but you sound like one of those cops
in
the suburban white neighborhood who blocked, with

I also said I am a Comcast user as well, so that analogy
is not valid.

I'm not. And you don't explain why. You did conveniently
cut out the bit about living in a dangerous neighborhood,
which is specifically what I was analogizing about.

In
fact, your mail server has no right whatsoever to speak to
any other
MTA except your smarthost that you pay for - that is a
privilege and
should be treated as such. There's an expression for this,
"My server,
my rules"

Indeed you are correct.

You've mentioned that you think your DNS should protect
you. Do you
mean your reverse DNS? If that is the case, then people
using reverse
DNS checks to block dynamic IP's won't block you. DNSBL's
will still
get you tho - it is your ISP's responsibility to tell the
blacklist
operators that your IP is not dynamic any more.

I'm not on a dynamic IP.
I'm not on a dynamic IP.
I'm not on a dynamic IP.

Tony

Marc Sherman wrote:

Tony Godshall wrote:

>
>>I'm not on a dynamic IP.
>>I'm not on a dynamic IP.
>>I'm not on a dynamic IP.

Then you should get your provider to fix your reverse DNS.

$ host 24.143.132.148
148.132.143.24.in-addr.arpa domain name pointer

$ host
Host not found: 3(NXDMAIN)

As already mentioned, you should also fix your HEL string.
- Marc

Getting them to fix the PTR may not be all that likely:

Selected quotes from AlamedaNet's Terms of Service, at:

8.0 Bandwidth/Network Traffic and Limitations

Customers must not provide email or news services unless
express permission is granted by the Customer Agreement.

AlamedaNET Residential Services are not intended for business
applications such as mail

Many ToS are more restrictive, even port-specific.

In some jurisdictions Governmental regulations force it so,
and registration/licensing as an ISP or ASP is required. Audit and
reporting, even.

Would all those who wish to run an MTA on 'broadband', static IP or
otherwise, kindly read their own ToS first?

Exim list is about how best to do the 'technically possible', with a
practiced eye toward RFC's.

'Legally permissable' is two doors down the hall, and is not a technical
issue.

'nuf said.

Bill Hacker

Tony Godshall wrote:

I'm not on a dynamic IP.
I'm not on a dynamic IP.
I'm not on a dynamic IP.

Then you should get your provider to fix your reverse DNS.

$ host 24.143.132.148
148.132.143.24.in-addr.arpa domain name pointer

$ host
Host not found: 3(NXDMAIN)

As already mentioned, you should also fix your HEL string.
- Marc

>>I'm not on a dynamic IP.


>Then you should get your provider to fix your reverse DNS.
>
>$ host 24.143.132.148
>148.132.143.24.in-addr.arpa domain name pointer
>
>$ host
>Host not found: 3(NXDMAIN)
>
>As already mentioned, you should also fix your HEL string.

Getting them to fix the PTR may not be all that likely:

Selected quotes from AlamedaNet's Terms of Service

I'll check to see if these are the same terms for the small
business static-ip version, but you have a good point.

Would all those who wish to run an MTA on 'broadband', static IP or
otherwise, kindly read their own ToS first?

'nuf said.

Thank you for the pointers. I am suitably chastised.

Mon, 5 Dec 2005, Marc Sherman wrote:

| Tony Godshall wrote:
|
| I'm not on a dynamic IP.
| I'm not on a dynamic IP.
| I'm not on a dynamic IP.
|
| Then you should get your provider to fix your reverse DNS.
|
| $ host 24.143.132.148
| 148.132.143.24.in-addr.arpa domain name pointer
|
| $ host
| Host not found: 3(NXDMAIN)

And get a non-generic hostname, such as mail.of.net.

Tony Godshall wrote:

*trimmed*

(hacker sez)

>>Getting them to fix the PTR may not be all that likely:
>>
>>Selected quotes from AlamedaNet's Terms of Service

I'll check to see if these are the same terms for the small
business static-ip version, but you have a good point.


>>Would all those who wish to run an MTA on 'broadband', static IP or
>>otherwise, kindly read their own ToS first?


>>'nuf said.

NNNN

Thank you for the pointers. I am suitably chastised.

'Chastised' was not the intent. 'Made aware' was.

Glad to have gotten around the 'pre-conceived notion' barrier.

Better to have a 'heads up' from a fellow-traveler than a disconnect
and/or legalese threats from
an upstream that may not be easily replaceable. That can be seriously
inconvenient.

Most of us depend on those broadband tail-circuits. Too few of use read
the ToS. ;-)

My mail servers, BTW, sit in a leased rack in a proper data center.
'Traceroute' if you wish.

I don't run any 'service' from the workstation (in Hong Kong last week,
Bangkok this week, and the USA next week)

It pays to keep stuff in/on its proper 'box'.

HTH,

Bill