[ On Friday, December 17, 1999 at 14:41:48 (-0500), Daniel Senie wrote: ]
Subject: Re: ORBS block
> I do suppose that says it all. You don't care to talk to large numbers of people and so you use a service which indiscriminately blocks systems out of spite when asked to stop probing (whether those systems are relays or not).
My security policy says that I should not accept SMTP connections from insecure mailers (i.e. mailers that are susceptible to theft of service attacks). There's nothing "in-discriminant" about it -- it's very discriminating and extremely specific in its intent. If ORBS or something very much like it did not exist to share this valuable information I would be forced to implement similar checks on a dynamic per-connection basis (though hopefully with some form of result caching). I'm sure most *network* operators would agree that one shared service is highly preferable to having every mailer with a similar policy performing such checks regularly on every mailer they communicate with! Indeed most mailer operators would probably feel the same too. I'm obviously not an ISP, but even a few ISPs are using ORBS, and more are considering blocking mail from open relays (either with ORBS or with similar lists). I can't say anything further about these ISPs, of course. Meanwhile those of you who do not choose to, or do not understand how to, work with ORBS (and others like them), will just have to suffer and learn to live with the fact that there are at least two sides to every issue.
> Your server looks for an A record with the domain sending. This is bogus. I send from a system with an MX record pointing to the system which is sending, and A records for the names in the MX records. This valid config is rejected by your server.
Perhaps you should re-read RFC 1123 #5.2.5, keeping in mind that it is within my right as the owner of the system in question to ignore any given part of an RFC where I deem it necessary to do so. (i.e. I require your server to adhere to the requirement in RFC 1123 #5.2.5 regardless of the fact that the RFC advises I should not directly refuse connections when it is not met.)
> I suspect mail through ACM will get to you, though.
Yes, of course -- their mailer and DNS are correctly configured (though surprisingly little spam gets through -- they've got very effective filters!).

--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
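As an added illustration of the admission policy this reply describes (a shared DNSBL lookup of the connecting address, then the RFC 1123 #5.2.5 HELO check), not code from the original message or from any mailer named in it: the DNSBL zone name and all DNS answers are constructed placeholders so it runs offline, and the MX-only entry reproduces the configuration the quoted complaint describes.

```python
"""Inbound-SMTP admission check: consult a shared DNSBL for the connecting IP,
then verify the HELO name per RFC 1123 #5.2.5. Constructed example; the zone
name and DNS data below are placeholders, not live ORBS or live DNS."""
import ipaddress

# Placeholder list zone (the real ORBS zone name is not given in the thread).
DNSBL_ZONE = "dnsbl.example"

# Constructed DNS data standing in for a resolver: name -> {rrtype: [rdata]}.
FAKE_DNS = {
    # 192.0.2.10 is listed (DNSBL convention: an A answer inside 127.0.0.0/8).
    "10.2.0.192.dnsbl.example": {"A": ["127.0.0.2"]},
    # Correctly configured sender: the HELO name itself has an A record.
    "mail.example.org": {"A": ["198.51.100.5"]},
    # The quoted complaint's case: MX for the name, A only for the MX target.
    "example.net": {"MX": ["10 mx.example.net"]},
    "mx.example.net": {"A": ["203.0.113.7"]},
}

def lookup(name, rrtype, dns=FAKE_DNS):
    """Return the rdata list for name/rrtype from the constructed DNS data."""
    return dns.get(name.lower().rstrip("."), {}).get(rrtype, [])

def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the DNSBL query name: reversed IPv4 octets under the list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dnsbl_listed(ip, zone=DNSBL_ZONE, dns=FAKE_DNS):
    """Listed when the query answers with an A record in 127.0.0.0/8."""
    answers = lookup(dnsbl_query_name(ip, zone), "A", dns)
    return any(a.startswith("127.") for a in answers)

def helo_verifies(helo, dns=FAKE_DNS):
    """RFC 1123 #5.2.5 requires the HELO parameter to be a valid host name;
    here that means an A record for the name. An MX alone does not count."""
    return bool(lookup(helo, "A", dns))

def admit(ip, helo, strict_helo=False, dns=FAKE_DNS):
    """Return (accept, reason). strict_helo=True refuses on HELO failure as the
    reply's author does; the RFC itself says to log the failure, not refuse."""
    if dnsbl_listed(ip, dns=dns):
        return False, "connecting host is listed in " + DNSBL_ZONE
    if not helo_verifies(helo, dns):
        if strict_helo:
            return False, "HELO name has no A record (RFC 1123 #5.2.5)"
        return True, "accepted; HELO failed verification (logged only)"
    return True, "accepted"
```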