[In the message entitled "RE: Stealth Blocking" on May 24, Roeland Meyer <rmeyer@mhsc.com> writes:]
I'm getting seriously confused here. I thought that the open-relay issue was irrelevant to MAPS. That MAPS only black-holed confirmed SPAM sites (a little tougher, but more granular, charter). Further, that it was ORBS that listed open-relay sites specifically, whether they were involved in a spam or not (unacceptable due to punishing potential anti-spammers for proliferating spam that never saw their systems). To me, these are two entirely different charters. If MAPS starts to look like ORBS then I will stop using MAPS.
Can someone please clarify?
Sure. MAPS has four real-time lists.

The MAPS RBL(sm) is a list of sites and networks which are known to be friendly, or neutral, to spam. They include sites which harbour known spam origin points, multi-hop open relays which refuse to close (and have transmitted spam), spamware sites, and other persistent spam sources. Hosts and networks can use this list via DNS (rejecting mail, and other traffic as they see fit), or BGP (usually blackholing all traffic bound for those sites). It's very hard to get a site listed. It's quite easy to get off the RBL, assuming that the issue that caused the listing has been corrected.

The MAPS RSS(sm) is a list of open relays *which have been abused*. These are sites which have been reported to MAPS as open relays, and have spam samples. Once the spam has been verified, a test is performed to verify that the site is, indeed, an open relay. If a sample message is accepted, and then returned by the site as a relay, the host is listed. Removal from the RSS requires that the host no longer relays. Automated probes are never done - a human must request the test, and spam must be available. Because of the very large number of hosts listed (around 100,000 as I write this), it's generally used in DNS mode only. It's pretty easy to get a host which is an open relay that has transmitted spam onto the list. Between 100 and 1,500 hosts per day are added, and hundreds per day are taken off (as soon as they let MAPS know that the relay has been closed).

The MAPS DUL(sm) is a list of dialup ports. These are dialups which have been reported to MAPS by the ISP running them, or by users who have received spam from the dialup. An investigator verifies that the address range does contain dialup ports before they are listed. Hosts and networks typically use this list in DNS mode to reject direct-from-dialup spam. It's time-consuming to get an address listed, and also time-consuming to get an address removed from this list.
The MAPS RBL+(sm) is a combined list, which allows a single lookup to search all lists. It's possible to use this in BGP mode, but it's unlikely that anyone would want to do so.

So, does MAPS look like ORBS?

ORBS probes systems whether spam has been emitted or not. Does this catch more open relays? You bet. Is it network abuse to scan for open relays? I think so. Do spammers use the same techniques? You bet.

MAPS probes systems only after they have been abused by spammers. Does this allow spammers to use the relays for at least one spam run? You bet. Is it network abuse to confirm an open relay that has transmitted spam? I don't think so. Do spammers use the same techniques? I don't think so.

ORBS probes systems periodically after they are listed to see if they have been closed. Does this ensure that relays are removed after they are secured? Sort of. But this requires that the hosts listed be probed frequently, and still doesn't ensure that they are removed "as soon as they are secured".

MAPS depends on the system administrator contacting MAPS to get a host de-listed. Does this ensure that they are removed once they are secured? Sort of. It does require that the admin be willing to contact MAPS.

So, does MAPS look like ORBS? You decide.

I'm certain that all of the network owners on this list want spam to stop. MAPS is one tool that can help. ORBS is another. Where you draw the line, or how you protect your networks is your choice.

One thing that I think *will* help, particularly in the short term, is port 25 blocking of dialup ports. It's my personal opinion that this will have the greatest impact on spammers who abuse open relays. I've watched this happen over the last few months, as various large networks have secured their dialup ports. It's impressive.

--
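The "DNS mode" use of these lists that the reply describes, as an added example that is not part of the original thread: a mail server reverses the client's IPv4 octets under a list zone, and an A record in 127.0.0.0/8 means the host is listed. The zone names here are placeholders (the message gives no actual zone names), and the resolver answers are constructed samples standing in for real DNS replies.

```python
import ipaddress
from typing import Callable, Dict, Optional

# Placeholder zone names (assumption): the message does not give the real MAPS
# zones, so these stand in for the RBL, RSS, DUL and the combined RBL+.
ZONES = {
    "RBL": "rbl.example.invalid",
    "RSS": "rss.example.invalid",
    "DUL": "dul.example.invalid",
    "RBL+": "rbl-plus.example.invalid",
}

Resolver = Callable[[str], Optional[str]]  # name -> A record text, or None for NXDOMAIN


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNS-mode lookup name: the IPv4 octets reversed, under the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # ValueError if malformed
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """Listed means the lookup name exists and its answer falls in 127.0.0.0/8."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def smtp_policy(client_ip: str, resolve: Resolver) -> Dict[str, object]:
    """One RBL+ lookup decides accept/reject; on a hit, the individual zones are
    queried only so the rejection can name the list that produced it."""
    if not is_listed(client_ip, ZONES["RBL+"], resolve):
        return {"reject": False, "reason": "not listed"}
    hits = [n for n in ("RBL", "RSS", "DUL") if is_listed(client_ip, ZONES[n], resolve)]
    return {"reject": True, "reason": "listed in " + ", ".join(hits or ["RBL+"])}


# Constructed sample answers (TEST-NET addresses), in place of a live resolver.
SAMPLE_RECORDS = {
    "9.2.0.192.rss.example.invalid": "127.0.0.2",       # abused open relay
    "9.2.0.192.rbl-plus.example.invalid": "127.0.0.2",
    "20.2.0.192.dul.example.invalid": "127.0.0.3",      # dialup port
    "20.2.0.192.rbl-plus.example.invalid": "127.0.0.3",
}


def sample_resolver(name: str) -> Optional[str]:
    return SAMPLE_RECORDS.get(name)


if __name__ == "__main__":
    for ip in ("192.0.2.9", "192.0.2.20", "198.51.100.7"):
        print(ip, smtp_policy(ip, sample_resolver))
```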