North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: RBL-type BGP service for known rogue networks?

  • From: Peter van Dijk
  • Date: Sat Jul 08 13:23:14 2000

On Sat, Jul 08, 2000 at 12:35:14PM -0400, Greg A. Woods wrote:
> 
> [ On Saturday, July 8, 2000 at 08:42:41 (-0700), Randy Bush wrote: ]
> > Subject: Re: RBL-type BGP service for known rogue networks?
> >
> > > ORBS lists open relay by policy. As simple as that. If ORBS is aware that
> > > you are an open relay, you get listed. ORBS is 100% objective.
> > 
> > as we all know, this is utter horsepucky.  orbs goes vigilante crazy and
> > blackholes entire isp blocks over political poweplay nonsense.
> 
> Listing a net-block that has several proven open relays within it but
> which will not allow testing, is not "going vigilante crazy" -- it's a
> very very reasonable and well thought out reaction (i.e. there is no
> lesser action possible since the originally tested open relays have been
> moved to new address space within the block).

Let me explain some things:
- ORBS does not blackhole. It lists hosts and sometimes complete netblocks.
  $administrator can then choose to take any action (or not!) based on
  these listings.
- ORBS lists hosts in several categories. One is 'open relay inputs'.
  Another is 'open relay outputs' (most open relays will be both). Yet
  another is 'untested/untestable'. Hosts/netblocks can end up in this
  last category in two ways:
  - by request from the admin of that host/netblock
  - when ORBS finds out that they are being blocked specifically.

It is therefore incorrect to state 'ORBS blackholes whole netblocks'. These
netblocks are listed *different* from open relays. The admin that decides
to use ORBS has a choice to block *only* open relays, or also block hosts
that do not want to be tested by ORBS.

I hope this clears things up.

> It is critically important to also realise that "ORBS" itself doesn't
> "go crazy" and do these things -- such "rogue net-block" listings are
> directly a result of pressure from ORBS users.  Such users who continue
> to get spam from relays they've reported to ORBS for testing will
> complain and put pressure on the ORBS administrators until there is no
> other choice but to list the entire offending net-block.

Nope. ORBS doesn't do 'user pressure'. Such net-block listings (as
'untestable', not as 'open relay') are only done based on actions/requests
by admins responsible for these netblocks.

> Use of the term "blackhole" in this context is not only wrong but also
> misleading.  It is very important to understand that ORBS users are free
> to programmatically ignore, in real time, that section of the ORBS
> database which lists the so-called "rogue" net-blocks and only use the
> section of the database which contains actually verified relay results.

Correct, this is what I explained above.

> In my humble opinion any admin who permits their mailer to receive any
> e-mail from a known open relay (even so-called legitimate e-mail, since
> there's absolutely no way to identify legitimacy at the protocol level)
> is an accessory to any theft-of-service attack perpetrated on the relay,
> and is furthermore "guilty" in part of allowing known spam to reach
> their end users (assuming of course that they are willing to do anything
> at all in the first place to protect their users from unsolicited junk
> e-mail).  To this end an impartial and independent testing service such
> as ORBS is critical to the success of such efforts.  The other services
> you mention are valuable, but nowhere near as powerful, and they are far
> more susceptible to unnecessary delays (time is critical in spam
> fighting!), and by definition they are more susceptible to human error.

Yes. On the other hand, one might say that you as an admin do not have the
right to block *any* mail for your users. This is solved by for example
just inserting headers based on ORBS-listing and not outright rejecting
mail, and then leaving the choice to your users thru procmail or other
per-user filtering means.

> Finally it cannot be pointed out enough times that the administrators of
> the so-called "rogue" blocks need only change their attitudes and
> co-operate with ORBS in order to make this issue completely go away.

Correct.

> Any SMTP service administrator who believes that SMTP port is totally
> private property is sadly mistaken and should firewall it if they really
> want it to be private.  Being irrational about public testing of public
> services is, frankly, insane.  Public testing by a known independent
> non-profit agency should be vigorously welcomed by all network admins!

Correct again. AboveNet blackholing ORBS is therefore an action I do not
understand, especially since they host MAPS.

I see 2 possibilities:
- MAPS doesn't test if a reported spamhouse is really an open relay, and is
  therefore susceptible to forgery.
- MAPS does do open relay testing and therefore performs the same
  'unsolicited traffic' as ORBS, which would mean they're hypocritic.

Greetz, Peter.
-- 
petervd@vuurwerk.nl - Peter van Dijk [student:developer:ircoper]