[29856] in North American Network Operators' Group
Re: RBL-type BGP service for known rogue networks?
daemon@ATHENA.MIT.EDU (Peter van Dijk)
Sat Jul 8 13:22:01 2000
Mail-Followup-To: nanog@merit.edu
Date: Sat, 8 Jul 2000 19:15:12 +0200
From: Peter van Dijk <petervd@vuurwerk.nl>
To: nanog@merit.edu
Message-ID: <20000708191512.J16030@vuurwerk.nl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20000708163514.3971ADF@proven.weird.com>; from woods@weird.com on Sat, Jul 08, 2000 at 12:35:14PM -0400
Errors-To: owner-nanog-outgoing@merit.edu
On Sat, Jul 08, 2000 at 12:35:14PM -0400, Greg A. Woods wrote:
>
> [ On Saturday, July 8, 2000 at 08:42:41 (-0700), Randy Bush wrote: ]
> > Subject: Re: RBL-type BGP service for known rogue networks?
> >
> > > ORBS lists open relay by policy. As simple as that. If ORBS is aware that
> > > you are an open relay, you get listed. ORBS is 100% objective.
> >
> > as we all know, this is utter horsepucky. orbs goes vigilante crazy and
> > blackholes entire isp blocks over political powerplay nonsense.
>
> Listing a net-block that has several proven open relays within it but
> which will not allow testing, is not "going vigilante crazy" -- it's a
> very very reasonable and well thought out reaction (i.e. there is no
> lesser action possible since the originally tested open relays have been
> moved to new address space within the block).
Let me explain some things:
- ORBS does not blackhole. It lists hosts and sometimes complete netblocks.
$administrator can then choose to take any action (or not!) based on
these listings.
- ORBS lists hosts in several categories. One is 'open relay inputs'.
Another is 'open relay outputs' (most open relays will be both). Yet
another is 'untested/untestable'. Hosts/netblocks can end up in this
last category in two ways:
- by request from the admin of that host/netblock
- when ORBS finds out that they are being blocked specifically.
It is therefore incorrect to state 'ORBS blackholes whole netblocks'. These
netblocks are listed *differently* from open relays. The admin that decides
to use ORBS has a choice to block *only* open relays, or also block hosts
that do not want to be tested by ORBS.
I hope this clears things up.
> It is critically important to also realise that "ORBS" itself doesn't
> "go crazy" and do these things -- such "rogue net-block" listings are
> directly a result of pressure from ORBS users. Such users who continue
> to get spam from relays they've reported to ORBS for testing will
> complain and put pressure on the ORBS administrators until there is no
> other choice but to list the entire offending net-block.
Nope. ORBS doesn't do 'user pressure'. Such net-block listings (as
'untestable', not as 'open relay') are only done based on actions/requests
by admins responsible for these netblocks.
> Use of the term "blackhole" in this context is not only wrong but also
> misleading. It is very important to understand that ORBS users are free
> to programmatically ignore, in real time, that section of the ORBS
> database which lists the so-called "rogue" net-blocks and only use the
> section of the database which contains actually verified relay results.
Correct, this is what I explained above.
> In my humble opinion any admin who permits their mailer to receive any
> e-mail from a known open relay (even so-called legitimate e-mail, since
> there's absolutely no way to identify legitimacy at the protocol level)
> is an accessory to any theft-of-service attack perpetrated on the relay,
> and is furthermore "guilty" in part of allowing known spam to reach
> their end users (assuming of course that they are willing to do anything
> at all in the first place to protect their users from unsolicited junk
> e-mail). To this end an impartial and independent testing service such
> as ORBS is critical to the success of such efforts. The other services
> you mention are valuable, but nowhere near as powerful, and they are far
> more susceptible to unnecessary delays (time is critical in spam
> fighting!), and by definition they are more susceptible to human error.
Yes. On the other hand, one might say that you as an admin do not have the
right to block *any* mail for your users. This is solved by for example
just inserting headers based on ORBS-listing and not outright rejecting
mail, and then leaving the choice to your users through procmail or other
per-user filtering means.
> Finally it cannot be pointed out enough times that the administrators of
> the so-called "rogue" blocks need only change their attitudes and
> co-operate with ORBS in order to make this issue completely go away.
Correct.
> Any SMTP service administrator who believes that SMTP port is totally
> private property is sadly mistaken and should firewall it if they really
> want it to be private. Being irrational about public testing of public
> services is, frankly, insane. Public testing by a known independent
> non-profit agency should be vigorously welcomed by all network admins!
Correct again. AboveNet blackholing ORBS is therefore an action I do not
understand, especially since they host MAPS.
I see 2 possibilities:
- MAPS doesn't test if a reported spamhouse is really an open relay, and is
therefore susceptible to forgery.
- MAPS does do open relay testing and therefore performs the same
'unsolicited traffic' as ORBS, which would mean they're hypocritical.
Greetz, Peter.
--
petervd@vuurwerk.nl - Peter van Dijk [student:developer:ircoper]
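The two points Peter makes in this message, that a DNS-based list can carry separate categories the admin may act on selectively, and that an MTA can tag a message with a header instead of rejecting it and leave the decision to per-user filtering, can be shown together in a small lookup-and-tag routine. The code below is an added example and is not part of the thread, nor ORBS' or MAPS' own software; the zone name `dnsbl.example`, the 127.0.0.x return codes and their category meanings, and the sample zone data are all constructed for illustration and are not the real ORBS return values.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Set

# Constructed zone and return codes for this example only; the real ORBS zone
# and its response values are not reproduced here.
ZONE = "dnsbl.example"
CATEGORY_BY_CODE: Dict[str, str] = {
    "127.0.0.2": "open-relay-input",
    "127.0.0.3": "open-relay-output",
    "127.0.0.4": "untested",          # listed by request or because testing is blocked
}

# Two policies an admin might pick: act on proven relays only, or also on
# hosts/netblocks that declined testing.
RELAYS_ONLY: Set[str] = {"open-relay-input", "open-relay-output"}
RELAYS_AND_UNTESTED: Set[str] = RELAYS_ONLY | {"untested"}

Resolver = Callable[[str], List[str]]


def dnsbl_name(ip: str, zone: str = ZONE) -> str:
    """Build the reversed-octet query name for an IPv4 client address."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def lookup_categories(ip: str, resolver: Resolver, zone: str = ZONE) -> Set[str]:
    """Return the listing categories for ip; empty set means not listed."""
    categories = set()
    for answer in resolver(dnsbl_name(ip, zone)):
        category = CATEGORY_BY_CODE.get(answer)
        if category is not None:
            categories.add(category)
    return categories


def tag_header(ip: str, categories: Set[str], act_on: Set[str]) -> Optional[str]:
    """Produce a header line (not a rejection) when a listing matches policy."""
    hits = sorted(categories & act_on)
    if not hits:
        return None
    return f"X-DNSBL-Listed: {ip} ({', '.join(hits)}; zone {ZONE})"


def classify_client(ip: str, act_on: Set[str], resolver: Resolver) -> Optional[str]:
    """Full path: look the client up, then tag or pass through."""
    return tag_header(ip, lookup_categories(ip, resolver), act_on)


def live_resolver(name: str) -> List[str]:
    """Query real DNS; an NXDOMAIN answer means 'not listed'. Unused offline."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed sample zone data standing in for a live resolver, using
# documentation address ranges.
SAMPLE_ZONE_DATA: Dict[str, List[str]] = {
    "25.2.0.192.dnsbl.example": ["127.0.0.2", "127.0.0.3"],  # proven relay, both directions
    "7.113.0.203.dnsbl.example": ["127.0.0.4"],              # inside an untestable block
}


def sample_resolver(name: str) -> List[str]:
    return SAMPLE_ZONE_DATA.get(name, [])


if __name__ == "__main__":
    for client in ("192.0.2.25", "203.0.113.7", "198.51.100.9"):
        print(client, "relays-only  ->", classify_client(client, RELAYS_ONLY, sample_resolver))
        print(client, "plus untested ->", classify_client(client, RELAYS_AND_UNTESTED, sample_resolver))
```

The MTA adds the `X-DNSBL-Listed:` line and delivers normally; a user who wants the stricter behaviour matches that header in a procmail recipe (or any per-user filter) and files or discards the message, while a user who wants everything simply ignores it. Keeping `act_on` separate from the lookup is what lets the admin honour only the verified-relay categories and skip the untested ones, which is the distinction the message draws.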