North American Network Operators Group
Re: RBL-type BGP service for known rogue networks?
On Sat, Jul 08, 2000 at 12:35:14PM -0400, Greg A. Woods wrote:
>
> [ On Saturday, July 8, 2000 at 08:42:41 (-0700), Randy Bush wrote: ]
> > Subject: Re: RBL-type BGP service for known rogue networks?
> >
> > > ORBS lists open relay by policy. As simple as that. If ORBS is aware that
> > > you are an open relay, you get listed. ORBS is 100% objective.
> >
> > as we all know, this is utter horsepucky. orbs goes vigilante crazy and
> > blackholes entire isp blocks over political powerplay nonsense.
>
> Listing a net-block that has several proven open relays within it but
> which will not allow testing, is not "going vigilante crazy" -- it's a
> very very reasonable and well thought out reaction (i.e. there is no
> lesser action possible since the originally tested open relays have been
> moved to new address space within the block).

Let me explain some things:

- ORBS does not blackhole. It lists hosts and sometimes complete
  netblocks. $administrator can then choose to take any action (or not!)
  based on these listings.

- ORBS lists hosts in several categories. One is 'open relay inputs'.
  Another is 'open relay outputs' (most open relays will be both). Yet
  another is 'untested/untestable'. Hosts/netblocks can end up in this
  last category in two ways:
  - by request from the admin of that host/netblock
  - when ORBS finds out that they are being blocked specifically.

It is therefore incorrect to state 'ORBS blackholes whole netblocks'.
These netblocks are listed *differently* from open relays. The admin that
decides to use ORBS has a choice to block *only* open relays, or also
block hosts that do not want to be tested by ORBS.

I hope this clears things up.

> It is critically important to also realise that "ORBS" itself doesn't
> "go crazy" and do these things -- such "rogue net-block" listings are
> directly a result of pressure from ORBS users. Such users who continue
> to get spam from relays they've reported to ORBS for testing will
> complain and put pressure on the ORBS administrators until there is no
> other choice but to list the entire offending net-block.

Nope. ORBS doesn't do 'user pressure'. Such net-block listings (as
'untestable', not as 'open relay') are only done based on actions/requests
by admins responsible for these netblocks.

> Use of the term "blackhole" in this context is not only wrong but also
> misleading. It is very important to understand that ORBS users are free
> to programmatically ignore, in real time, that section of the ORBS
> database which lists the so-called "rogue" net-blocks and only use the
> section of the database which contains actually verified relay results.

Correct, this is what I explained above.

> In my humble opinion any admin who permits their mailer to receive any
> e-mail from a known open relay (even so-called legitimate e-mail, since
> there's absolutely no way to identify legitimacy at the protocol level)
> is an accessory to any theft-of-service attack perpetrated on the relay,
> and is furthermore "guilty" in part of allowing known spam to reach
> their end users (assuming of course that they are willing to do anything
> at all in the first place to protect their users from unsolicited junk
> e-mail). To this end an impartial and independent testing service such
> as ORBS is critical to the success of such efforts. The other services
> you mention are valuable, but nowhere near as powerful, and they are far
> more susceptible to unnecessary delays (time is critical in spam
> fighting!), and by definition they are more susceptible to human error.

Yes. On the other hand, one might say that you as an admin do not have
the right to block *any* mail for your users. This is solved by for
example just inserting headers based on ORBS-listing and not outright
rejecting mail, and then leaving the choice to your users through
procmail or other per-user filtering means.

> Finally it cannot be pointed out enough times that the administrators of
> the so-called "rogue" blocks need only change their attitudes and
> co-operate with ORBS in order to make this issue completely go away.

Correct.

> Any SMTP service administrator who believes that SMTP port is totally
> private property is sadly mistaken and should firewall it if they really
> want it to be private. Being irrational about public testing of public
> services is, frankly, insane. Public testing by a known independent
> non-profit agency should be vigorously welcomed by all network admins!

Correct again. AboveNet blackholing ORBS is therefore an action I do not
understand, especially since they host MAPS. I see 2 possibilities:

- MAPS doesn't test if a reported spamhouse is really an open relay, and
  is therefore susceptible to forgery.
- MAPS does do open relay testing and therefore performs the same
  'unsolicited traffic' as ORBS, which would mean they're hypocritical.

Greetz, Peter.

--
email@example.com - Peter van Dijk [student:developer:ircoper]
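The two mechanics Peter's reply relies on, a DNSBL listing that carries a per-category answer (open relay inputs/outputs versus untested/untestable, with the admin choosing which sections to act on), and the tag-instead-of-reject mode in which the MTA only inserts a header and each user's procmail decides what to do with it, as an added example that is not code from the original post nor from ORBS or any MTA. The zone name dnsbl.example, the 127.0.0.x category codes, the listed 192.0.2.x addresses and the X-DNSBL-Listed header are all constructed assumptions for the example; ORBS's actual zones and return codes are not reproduced here.

```python
"""Added example: DNSBL lookup with per-category policy and a
tag-instead-of-reject mode. Not code from the NANOG post or from ORBS;
zone name, category codes, listings and header name are constructed."""
import ipaddress
import socket

# ASSUMPTION: a made-up zone and return-code mapping, not ORBS's real ones.
ZONE = "dnsbl.example"
CATEGORY_BY_CODE = {
    "127.0.0.2": "open-relay-input",
    "127.0.0.3": "open-relay-output",
    "127.0.0.4": "untestable",
}

# Constructed in-memory zone (query name -> A record) so the example runs
# offline; addresses are from the 192.0.2.0/24 documentation range.
LISTINGS = {
    "4.2.0.192.dnsbl.example": "127.0.0.2",   # proven open relay (input side)
    "5.2.0.192.dnsbl.example": "127.0.0.3",   # proven open relay (output side)
    "6.2.0.192.dnsbl.example": "127.0.0.4",   # admin declined testing
}


def dnsbl_name(ip, zone=ZONE):
    """Reverse the octets and append the zone: 192.0.2.4 -> 4.2.0.192.<zone>.
    Only IPv4 is accepted; a malformed or IPv6 address raises ValueError
    rather than producing a bogus query name that would never match."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def table_resolver(name):
    """Offline resolver backed by the constructed LISTINGS table."""
    return LISTINGS.get(name)


def dns_resolver(name):
    """Real resolver: an A record means listed, NXDOMAIN means not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def lookup(ip, resolver=table_resolver):
    """Return the listing category for ip, or None if ip is not listed.
    An A record with a code this policy does not know is reported as
    'unknown' so that a zone change does not silently turn into accepts."""
    answer = resolver(dnsbl_name(ip))
    if answer is None:
        return None
    return CATEGORY_BY_CODE.get(answer, "unknown")


def smtp_policy(ip, block_untestable=False, reject=False, resolver=table_resolver):
    """What the MTA does with a connection from ip.

    Returns (action, header): action is 'accept' or 'reject'; header is the
    line to insert into the message (None when nothing applies).
    block_untestable=False ignores the 'untestable' section of the list,
    which is the admin's choice the post describes; reject=False tags the
    message instead of refusing it, leaving the decision to the recipient."""
    category = lookup(ip, resolver)
    if category is None:
        return ("accept", None)
    if category == "untestable" and not block_untestable:
        return ("accept", None)
    header = "X-DNSBL-Listed: %s (%s) via %s" % (ip, category, ZONE)
    if reject:
        return ("reject", header)
    return ("accept", header)


def user_filter(headers, user_wants_filtering):
    """Per-user stage (what a procmail recipe would do): file tagged mail
    into a junk folder only if this user opted in, otherwise deliver it."""
    tagged = any(h.startswith("X-DNSBL-Listed:") for h in headers)
    return "junk" if tagged and user_wants_filtering else "inbox"


if __name__ == "__main__":
    for ip in ("192.0.2.4", "192.0.2.6", "198.51.100.9"):
        print(ip, smtp_policy(ip), smtp_policy(ip, block_untestable=True))
```

Swapping `table_resolver` for `dns_resolver` turns this into a live lookup against whatever zone ZONE names; the policy logic does not change. The point of the split is that the decision to refuse mail, and the decision to act on the 'untestable' section at all, are both configuration at the MTA, not properties of the list itself.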