Re: RBL-type BGP service for known rogue networks?
On Thu, 6 Jul 2000, Dan Hollis wrote:
tin.it obviously fits all 3 criteria and thus would be blackholed. it might not get them to change their behaviour, but at least people who subscribe to the blackhole list wouldn't be rooted by tin.it customers
While this might seem to be a belt and suspenders approach, anyone who cares about their machines being rooted spends their time securing their machines. After securing your machines, RBL'ing tin.it is just extra work. On the other hand, RBLing tin.it is of limited prophylactic value since, if you haven't secured your machines, the script kiddies will just root your machine from elsewhere.
On 6 Jul 2000, Sean Donelan wrote:
On Thu, 6 Jul 2000, Dan Hollis wrote:
tin.it obviously fits all 3 criteria and thus would be blackholed. it might not get them to change their behaviour, but at least people who subscribe to the blackhole list wouldn't be rooted by tin.it customers
While this might seem to be a belt and suspenders approach, anyone who cares about their machines being rooted spends their time securing their machines. After securing your machines, RBL'ing tin.it is just extra work. On the other hand, RBLing tin.it is of limited prophylactic value since, if you haven't secured your machines, the script kiddies will just root your machine from elsewhere.
A neat trick if you actually directly control all the machines in your network. If you don't, then a scriptkiddie blackhole list does help. Can you think of any good reason to continue accepting tin.it packets? I can't. Just because it's not a perfect solution doesn't mean it doesn't have any value whatsoever. And if tin.it suddenly is unable to reach some portion of the internet due to blackholing, they might actually bother to do something. (well, we can hope.) -Dan
This form of "shunning" seems like an appropriate approach, but a little scary. What sorts of mechanisms will prevent temporary black holes and DoS attacks to get an otherwise cooperative organization black holed? It doesn't seem like the right long term approach, but it's something we've thought about doing in the past as a stop gap measure. John
On Fri, Jul 07, 2000 at 09:43:07AM -0500, John Kristoff wrote:
This form of "shunning" seems like an appropriate approach, but a little scary. What sorts of mechanisms will prevent temporary black holes and DoS attacks to get an otherwise cooperative organization black holed?
There are at least two (probably more) schools of thought on that. The ORBS approach: Put people on the list quickly, and make it easy for them to get back off the list. The MAPS approach: Make it damn hard to get on the list. So, for instance, in the first approach, any smidgin of proof that somebody should be on the list is enough to get them on there, but any smidgin of counter-proof gets them back off. In the second approach, you need multiple credible reports from independent sources with documentation of the problem, and of your unwillingness to fix it, before you can get on the list. The Usenet Death Penalty is similar to the latter, in that you have to be a widely-known flagrant abuser, and publicly fail to respond to a lot of requests to fix the problem, before you get UDPed. Getting back off is pretty public at that point. All three of these services rely upon the notion that although you have a right to create whatever traffic you like, you don't have the right to inject any of it into my network except on my terms. After that, it's a matter of who likes what particular terms.
On Fri, Jul 07, 2000 at 12:18:15PM -0400, Shawn McMahon wrote: [snip]
The ORBS approach:
Put people on the list quickly, and make it easy for them to get back off the list.
This statement is in no way a political basis for ORBS. ORBS lists open relay by policy. As simple as that. If ORBS is aware that you are an open relay, you get listed. ORBS is 100% objective.
The MAPS approach:
Make it damn hard to get on the list.
That's because MAPS is not automated, and not objective. MAPS relies on reports of abuse, which can be forged. IIRC MAPS does check if a server is an open relay. If it didn't I would rant :) Greetz, Peter. -- petervd@vuurwerk.nl - Peter van Dijk [student:developer:ircoper]
ORBS lists open relay by policy. As simple as that. If ORBS is aware that you are an open relay, you get listed. ORBS is 100% objective.
as we all know, this is utter horsepucky. orbs goes vigilante crazy and blackholes entire isp blocks over political powerplay nonsense. luckily, no responsible admin pays the least attention to orbs's list. also, orbs's insanity should not be taken to lessen the value of quality services such as rbl.maps.vix.com dul.maps.vix.com relays.mail-abuse.org randy
[ On Saturday, July 8, 2000 at 08:42:41 (-0700), Randy Bush wrote: ]
Subject: Re: RBL-type BGP service for known rogue networks?
ORBS lists open relay by policy. As simple as that. If ORBS is aware that you are an open relay, you get listed. ORBS is 100% objective.
as we all know, this is utter horsepucky. orbs goes vigilante crazy and blackholes entire isp blocks over political powerplay nonsense.
Listing a net-block that has several proven open relays within it but which will not allow testing, is not "going vigilante crazy" -- it's a very very reasonable and well thought out reaction (i.e. there is no lesser action possible since the originally tested open relays have been moved to new address space within the block).

It is critically important to also realise that "ORBS" itself doesn't "go crazy" and do these things -- such "rogue net-block" listings are directly a result of pressure from ORBS users. Such users who continue to get spam from relays they've reported to ORBS for testing will complain and put pressure on the ORBS administrators until there is no other choice but to list the entire offending net-block.

Use of the term "blackhole" in this context is not only wrong but also misleading. It is very important to understand that ORBS users are free to programmatically ignore, in real time, that section of the ORBS database which lists the so-called "rogue" net-blocks and only use the section of the database which contains actually verified relay results.

Accusing ORBS of political powerplay and vigilantism is wrong since it is not ORBS, nor even its users, but rather the "rogue" net-block administrators who are playing political power games.

In my humble opinion any admin who permits their mailer to receive any e-mail from a known open relay (even so-called legitimate e-mail, since there's absolutely no way to identify legitimacy at the protocol level) is an accessory to any theft-of-service attack perpetrated on the relay, and is furthermore "guilty" in part of allowing known spam to reach their end users (assuming of course that they are willing to do anything at all in the first place to protect their users from unsolicited junk e-mail). To this end an impartial and independent testing service such as ORBS is critical to the success of such efforts.
The other services you mention are valuable, but nowhere near as powerful, and they are far more susceptible to unnecessary delays (time is critical in spam fighting!), and by definition they are more susceptible to human error. Finally it cannot be pointed out enough times that the administrators of the so-called "rogue" blocks need only change their attitudes and co-operate with ORBS in order to make this issue completely go away. Any SMTP service administrator who believes that SMTP port is totally private property is sadly mistaken and should firewall it if they really want it to be private. Being irrational about public testing of public services is, frankly, insane. Public testing by a known independent non-profit agency should be vigorously welcomed by all network admins! -- Greg A. Woods +1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods> Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
On Sat, Jul 08, 2000 at 12:35:14PM -0400, Greg A. Woods wrote:
[ On Saturday, July 8, 2000 at 08:42:41 (-0700), Randy Bush wrote: ]
Subject: Re: RBL-type BGP service for known rogue networks?
ORBS lists open relay by policy. As simple as that. If ORBS is aware that you are an open relay, you get listed. ORBS is 100% objective.
as we all know, this is utter horsepucky. orbs goes vigilante crazy and blackholes entire isp blocks over political powerplay nonsense.
Listing a net-block that has several proven open relays within it but which will not allow testing, is not "going vigilante crazy" -- it's a very very reasonable and well thought out reaction (i.e. there is no lesser action possible since the originally tested open relays have been moved to new address space within the block).
Let me explain some things:

- ORBS does not blackhole. It lists hosts and sometimes complete netblocks. $administrator can then choose to take any action (or not!) based on these listings.
- ORBS lists hosts in several categories. One is 'open relay inputs'. Another is 'open relay outputs' (most open relays will be both). Yet another is 'untested/untestable'. Hosts/netblocks can end up in this last category in two ways:
  - by request from the admin of that host/netblock
  - when ORBS finds out that they are being blocked specifically.

It is therefore incorrect to state 'ORBS blackholes whole netblocks'. These netblocks are listed *differently* from open relays. The admin that decides to use ORBS has a choice to block *only* open relays, or also block hosts that do not want to be tested by ORBS. I hope this clears things up.
It is critically important to also realise that "ORBS" itself doesn't "go crazy" and do these things -- such "rogue net-block" listings are directly a result of pressure from ORBS users. Such users who continue to get spam from relays they've reported to ORBS for testing will complain and put pressure on the ORBS administrators until there is no other choice but to list the entire offending net-block.
Nope. ORBS doesn't do 'user pressure'. Such net-block listings (as 'untestable', not as 'open relay') are only done based on actions/requests by admins responsible for these netblocks.
Use of the term "blackhole" in this context is not only wrong but also misleading. It is very important to understand that ORBS users are free to programmatically ignore, in real time, that section of the ORBS database which lists the so-called "rogue" net-blocks and only use the section of the database which contains actually verified relay results.
Correct, this is what I explained above.
In my humble opinion any admin who permits their mailer to receive any e-mail from a known open relay (even so-called legitimate e-mail, since there's absolutely no way to identify legitimacy at the protocol level) is an accessory to any theft-of-service attack perpetrated on the relay, and is furthermore "guilty" in part of allowing known spam to reach their end users (assuming of course that they are willing to do anything at all in the first place to protect their users from unsolicited junk e-mail). To this end an impartial and independent testing service such as ORBS is critical to the success of such efforts. The other services you mention are valuable, but nowhere near as powerful, and they are far more susceptible to unnecessary delays (time is critical in spam fighting!), and by definition they are more susceptible to human error.
Yes. On the other hand, one might say that you as an admin do not have the right to block *any* mail for your users. This is solved by for example just inserting headers based on ORBS-listing and not outright rejecting mail, and then leaving the choice to your users thru procmail or other per-user filtering means.
Finally it cannot be pointed out enough times that the administrators of the so-called "rogue" blocks need only change their attitudes and co-operate with ORBS in order to make this issue completely go away.
Correct.
Any SMTP service administrator who believes that SMTP port is totally private property is sadly mistaken and should firewall it if they really want it to be private. Being irrational about public testing of public services is, frankly, insane. Public testing by a known independent non-profit agency should be vigorously welcomed by all network admins!
Correct again. AboveNet blackholing ORBS is therefore an action I do not understand, especially since they host MAPS. I see 2 possibilities:

- MAPS doesn't test if a reported spamhouse is really an open relay, and is therefore susceptible to forgery.
- MAPS does do open relay testing and therefore performs the same 'unsolicited traffic' as ORBS, which would mean they're hypocritical.

Greetz, Peter. -- petervd@vuurwerk.nl - Peter van Dijk [student:developer:ircoper]
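Peter's description above (separate 'open relay' and 'untested/untestable' categories, the receiving admin choosing which categories to act on, and tagging with a header instead of rejecting outright) maps directly onto how an MTA-side filter consumes a DNS-based listing service. The following is an added example written for this page, not code from the thread, ORBS or MAPS. The zone name, the 127.0.0.x return-code table and the sample listings are all constructed assumptions; a real deployment would substitute the service's published zone and codes. The resolver is injected so the block runs offline; a stdlib-based resolver for live use is included but not exercised.

```python
"""Categorised DNSBL lookup with a tag-or-reject policy (constructed example)."""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Set, Tuple

# Hypothetical listing zone (assumption; not a real service).
LIST_ZONE = "relays.example.invalid"

# DNSBLs conventionally answer with A records in 127.0.0.0/8 and encode the
# listing category in the last octet. These particular codes are invented.
CATEGORY_BY_CODE: Dict[str, str] = {
    "127.0.0.2": "open-relay-input",
    "127.0.0.3": "open-relay-output",
    "127.0.0.4": "untested",
}
RELAY_CATEGORIES = {"open-relay-input", "open-relay-output"}

Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str = LIST_ZONE) -> str:
    """Build the reversed-octet name a DNSBL lookup for `ip` queries.
    Raises ValueError on malformed input rather than querying garbage."""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def lookup_categories(ip: str, resolve: Resolver) -> Set[str]:
    """Return every category `ip` is listed under; empty set means unlisted.
    `resolve(name)` returns the A records for `name`, or [] for NXDOMAIN."""
    answers = resolve(dnsbl_query_name(ip))
    return {CATEGORY_BY_CODE.get(a, "unknown-code") for a in answers}


def decide(ip: str, resolve: Resolver,
           block_untested: bool = False,
           tag_only: bool = False) -> Tuple[str, Optional[str]]:
    """Apply the receiving admin's policy to one connecting IP.

    Returns (action, header): action is 'accept', 'tag' or 'reject';
    header is the X-Relay-Listing line to add (or log) for listed hosts.
    - block_untested=False acts only on verified relay listings, leaving the
      'untested' netblock category alone (the distinction Peter describes).
    - tag_only=True never rejects; it tags so per-user filtering can decide.
    """
    cats = lookup_categories(ip, resolve)
    is_relay = bool(cats & RELAY_CATEGORIES)
    is_untested = "untested" in cats
    if not is_relay and not (block_untested and is_untested):
        return ("accept", None)
    header = f"X-Relay-Listing: {ip} " + ",".join(sorted(cats))
    return ("tag", header) if tag_only else ("reject", header)


def system_resolve(name: str) -> List[str]:
    """Live resolver using only the standard library (not called offline)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []  # NXDOMAIN / no answer: not listed


# Constructed sample listings, keyed by the exact query name the filter builds.
CONSTRUCTED_LISTINGS: Dict[str, List[str]] = {
    dnsbl_query_name("192.0.2.10"): ["127.0.0.2", "127.0.0.3"],  # verified relay
    dnsbl_query_name("198.51.100.7"): ["127.0.0.4"],              # untestable block
}


def fake_resolve(name: str) -> List[str]:
    """Offline stand-in for DNS: looks the name up in the constructed table."""
    return CONSTRUCTED_LISTINGS.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.1"):
        print(ip, "strict:", decide(ip, fake_resolve, block_untested=True))
        print(ip, "tag-only:", decide(ip, fake_resolve, tag_only=True))
```

The two policy switches are the whole point: `block_untested` is the choice between acting on verified relay results alone or also on the 'untestable' netblock listings, and `tag_only` is the "insert a header and let procmail decide" stance rather than rejecting at SMTP time. Keeping the category set in the header preserves for the end user exactly why the message was flagged.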
I see 2 possibilities: - MAPS doesn't test if a reported spamhouse is really an open relay, and is therefore susceptible to forgery. - MAPS does do open relay testing and therefore performs the same 'unsolicited traffic' as ORBS, which would mean they're hypocritical.
testing != probing, so your list of possibilities is incomplete. Stephen
On Sat, Jul 08, 2000 at 10:27:43AM -0700, Stephen Stuart wrote:
I see 2 possibilities: - MAPS doesn't test if a reported spamhouse is really an open relay, and is therefore susceptible to forgery. - MAPS does do open relay testing and therefore performs the same 'unsolicited traffic' as ORBS, which would mean they're hypocritical.
testing != probing, so your list of possibilities is incomplete.
Standing slightly corrected by another post, it seems MAPS investigates each report thoroughly. I do not see how you would check if a machine is an open relay without testing, tho. Greetz, Peter. -- petervd@vuurwerk.nl - Peter van Dijk [student:developer:ircoper]
I do not see how you would check if a machine is an open relay without testing, tho.
MAPS doesn't test any machine without an incident of SPAM being reported. Does ORBS, in fact, only test relays that have been reported? If so, I'd love to know why I'm on the list, as was reported to me (just yesterday, amusingly enough, by someone who tells me they tag ORBS-listed mail but do not reject it). My outbound mail comes from behind a firewall, and my inbound relay is secured against third-party relay and does not prevent testing by anyone (that's not an invitation to test, by the way). My crime appears to be having an address block in the same prefix as the MAPS people - and not on the Abovenet network. AboveNet (AS6461) does not host MAPS. MAPS is serviced by the AS3357 network, which is owned by the same entity, MFN, that owns the AboveNet network (AS6461). The routing policies of the two networks are *different*. The AS3557 network uses the MAPS RBL feed in BGP mode to attempt to ensure that any address or block on the list *can* communicate with the MAPS staff by email, or reach the various MAPS servers that would allow them to figure out what's going on and how to make it stop. I know, because I made it work that way at MAPS' request. So - I don't run an open relay, which can be verified (and I suppose my logs will be full of tests now that I've mentioned it), so why am I listed on ORBS? My guess is that since I happen to be in a block advertised by AS3557, I got caught up in either the ORBS-Abovenet jihad or the ORBS-MAPS jihad. Stephen
[sigh... I thought this wasn't going to turn into a big debate] "Greg A. Woods" wrote:
It is critically important to also realise that "ORBS" itself doesn't "go crazy" and do these things -- such "rogue net-block" listings are directly a result of pressure from ORBS users.
The issue isn't with ORBS, it's with Alan Brown, the administrator. Alan runs what could be a useful service, but if you don't allow him to test your systems, he adds you to a "static" list... in his defense, this is NOT a list of systems that have tested as open relays, but many people block sites on that list too, even if there is no documented spam coming from those IP's. It's ridiculous. He also doesn't stop when told not to probe people's networks. RoadRunner and AboveNet both blocked him because he refused to honor the requests to stop, and of course they both were subsequently placed on the list of untestable systems. I will offer this one data point: I welcome ORBS relay tests. I have given Alan specific, permanent permission to run the tests against my servers. Not too long ago, I had a server that I configured with Linuxconf, not realizing that Linuxconf uses an old sendmail ruleset that leaves your server open to third-party relaying. I am eternally grateful that ORBS found the server - it had been running that way for at least a year, and I thought it was closed. (We're extremely lucky no one spammed through it.) But I will not use ORBS as a spamblocking tool.
Accusing ORBS of political powerplay and vigilantism is wrong since it is not ORBS, nor even its users, but rather the "rogue" net-block administrators who are playing political power games.
Alan's a good guy, but the "rogue" net-block administrators aren't the issue. Alan is.
e-mail). To this end an impartial and independent testing service such as ORBS
ORBS isn't always "impartial."
Finally it cannot be pointed out enough times that the administrators of the so-called "rogue" blocks need only change their attitudes and
Yeah, ok. RoadRunner isn't rogue. Neither is AboveNet.
Being irrational about public testing of public services
I'm sorry. If you're doing something to my network, and I ask you not to do it, you stop. If you do not stop, I block you (and possibly complain to your service provider.) You do not have the ultimate right to determine what I do with my network. I own the network, and as the network owner, I am the one with that right. Maybe people aren't justified in asking Alan to stop. That doesn't justify Alan ignoring them. -- North Shore Technologies, Cleveland, OH http://NorthShoreTechnologies.net Steve Sobol, BOFH - President, Chief Website Architect and Janitor Pictures of two of my 'children': http://www.WrinkleDogs.com About Spamfighters: "We're not net nazis. We're dot communists." - W. Arnold
Steve, IMHO, I have had problems with the "hair trigger" ORBS. Which you say is Alan..... Personally, I have not seen such behavior out of MAPS. My .04, (Sorry, getting too popular, had to raise the price) :) Steve Sobol wrote:
[sigh... I thought this wasn't going to turn into a big debate]
"Greg A. Woods" wrote:
It is critically important to also realise that "ORBS" itself doesn't "go crazy" and do these things -- such "rogue net-block" listings are directly a result of pressure from ORBS users.
The issue isn't with ORBS, it's with Alan Brown, the administrator.
Alan runs what could be a useful service, but if you don't allow him to test your systems, he adds you to a "static" list... in his defense, this is NOT a list of systems that have tested as open relays, but many people block sites on that list too, even if there is no documented spam coming from those IP's.
It's ridiculous. He also doesn't stop when told not to probe people's networks. RoadRunner and AboveNet both blocked him because he refused to honor the requests to stop, and of course they both were subsequently placed on the list of untestable systems.
I will offer this one data point: I welcome ORBS relay tests. I have given Alan specific, permanent permission to run the tests against my servers. Not too long ago, I had a server that I configured with Linuxconf, not realizing that Linuxconf uses an old sendmail ruleset that leaves your server open to third-party relaying. I am eternally grateful that ORBS found the server - it had been running that way for at least a year, and I thought it was closed. (We're extremely lucky no one spammed through it.)
But I will not use ORBS as a spamblocking tool.
Accusing ORBS of political powerplay and vigilantism is wrong since it is not ORBS, nor even its users, but rather the "rogue" net-block administrators who are playing political power games.
Alan's a good guy, but the "rogue" net-block administrators aren't the issue. Alan is.
e-mail). To this end an impartial and independent testing service such as ORBS
ORBS isn't always "impartial."
Finally it cannot be pointed out enough times that the administrators of the so-called "rogue" blocks need only change their attitudes and
Yeah, ok. RoadRunner isn't rogue. Neither is AboveNet.
Being irrational about public testing of public services
I'm sorry. If you're doing something to my network, and I ask you not to do it, you stop. If you do not stop, I block you (and possibly complain to your service provider.) You do not have the ultimate right to determine what I do with my network. I own the network, and as the network owner, I am the one with that right.
Maybe people aren't justified in asking Alan to stop. That doesn't justify Alan ignoring them.
-- North Shore Technologies, Cleveland, OH http://NorthShoreTechnologies.net Steve Sobol, BOFH - President, Chief Website Architect and Janitor Pictures of two of my 'children': http://www.WrinkleDogs.com About Spamfighters: "We're not net nazis. We're dot communists." - W. Arnold
On Sat, Jul 08, 2000 at 08:00:34PM -0400, Steve Sobol wrote:
[sigh... I thought this wasn't going to turn into a big debate]
"Greg A. Woods" wrote:
It is critically important to also realise that "ORBS" itself doesn't "go crazy" and do these things -- such "rogue net-block" listings are directly a result of pressure from ORBS users.
The issue isn't with ORBS, it's with Alan Brown, the administrator.
Alan runs what could be a useful service, but if you don't allow him to test your systems, he adds you to a "static" list... in his defense, this is NOT a list of systems that have tested as open relays, but many people block sites on that list too, even if there is no documented spam coming from those IP's.
Yes. The problem then lies with 'many people' and not with Alan. Alan provides a way to objectively look up known open relays, and you are also able to find out that a host is 'untested' instead of a 'verified open relay'. You may choose to block those too. Good arguments for that can be found. The problem with ORBS is that many people implement it incorrectly, and then ORBS is blamed.
It's ridiculous. He also doesn't stop when told not to probe people's networks. RoadRunner and AboveNet both blocked him because he refused to honor the requests to stop, and of course they both were subsequently placed on the list of untestable systems.
AboveNet blocks without warning. I do not know about RoadRunner. [snip]
But I will not use ORBS as a spamblocking tool.
Neither will I. Even tho I like ORBS and support its goals (the hosting company I work for hosts the current ORBS relay tester, even!), I feel that I as an admin do not have the right to block mail for my users. I will someday (when I find the time :) [snip]
e-mail). To this end an impartial and independent testing service such as ORBS
ORBS isn't always "impartial."
Until someone shows me an example of *one* host that is *not* an open relay that still got listed *as an open relay*, I firmly believe that ORBS is impartial.
Finally it cannot be pointed out enough times that the administrators of the so-called "rogue" blocks need only change their attitudes and
Yeah, ok. RoadRunner isn't rogue. Neither is AboveNet.
AboveNet is.
Being irrational about public testing of public services
I'm sorry. If you're doing something to my network, and I ask you not to do it, you stop. If you do not stop, I block you (and possibly complain to your service provider.) You do not have the ultimate right to determine what I do with my network. I own the network, and as the network owner, I am the one with that right.
Correct. This is why ORBS has the 'untested/untestable' listing. You request ORBS to stop, ORBS puts you in *that* list and won't ever probe you again.
Maybe people aren't justified in asking Alan to stop. That doesn't justify Alan ignoring them.
I have found Alan to be a very reasonable and thoughtful guy. Greetz, Peter. -- petervd@vuurwerk.nl - Peter van Dijk [student:developer:ircoper]
On Sun, Jul 09, 2000 at 12:01:49PM +0200, Peter van Dijk wrote:
I have found Alan to be a very reasonable and thoughtful guy.
Just very stubborn -- John Payne http://www.sackheads.org/jpayne/ john@sackheads.org http://www.sackheads.org/uce/ Fax: +44 870 0547954 340% tax? http://www.boycott-the-pumps.com/
On Sat, 8 Jul 2000, Greg A. Woods wrote:
In my humble opinion any admin who permits their mailer to receive any e-mail from a known open relay (even so-called legitimate e-mail, since
It's either legitimate or it isn't.
there's absolutely no way to identify legitimacy at the protocol level) is an accessory to any theft-of-service attack perpetrated on the relay, and is furthermore "guilty" in part of allowing known spam to reach their end users (assuming of course that they are willing to do anything
Next, you'll be asking telephone companies to be filtering phone solicitors. How would you like that done, by NPA or NPA/NXX? The determination as to whether an ISP desires to exclude or include data into the network should be based upon its business plan and customer demands and not upon anyone's political agenda or name-calling.
[ On Sunday, July 9, 2000 at 18:52:47 (-0500), J Bacher wrote: ]
Subject: Re: RBL-type BGP service for known rogue networks?
Next, you'll be asking telephone companies to be filtering phone solicitors. How would you like that done, by NPA or NPA/NXX?
I can in fact do that today with Bell Canada's services. It's under my direct control though, so in effect it's more like giving the e-mail user ability to install "sieve" scripts in your Cyrus IMAP server or similar.
The determination as to whether an ISP desires to exclude or include data into the network should be based upon its business plan and customer demands and not upon anyone's political agenda or name-calling.
In general when speaking of SMTP server policy I'm not necessarily talking about ISPs alone. Not all e-mail on the Internet is delivered to ISP SMTP servers! ;-) -- Greg A. Woods +1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods> Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
Anonymous call blocking is a WONDERFUL thing: the call gets dropped at the switch and the phone never rings. It does not answer the legitimacy question, but I figure if they do not wish to identify themselves I do not want to talk to them! J Bacher wrote:
On Sat, 8 Jul 2000, Greg A. Woods wrote:
In my humble opinion any admin who permits their mailer to receive any e-mail from a known open relay (even so-called legitimate e-mail, since
It's either legitimate or it isn't.
there's absolutely no way to identify legitimacy at the protocol level) is an accessory to any theft-of-service attack perpetrated on the relay, and is furthermore "guilty" in part of allowing known spam to reach their end users (assuming of course that they are willing to do anything
Next, you'll be asking telephone companies to be filtering phone solicitors. How would you like that done, by NPA or NPA/NXX?
The determination as to whether an ISP desires to exclude or include data into the network should be based upon its business plan and customer demands and not upon anyone's political agenda or name-calling.
On Sat, Jul 08, 2000 at 05:34:05PM +0200, Peter van Dijk wrote:
The ORBS approach:
Put people on the list quickly, and make it easy for them to get back off the list.
This statement is in no way a political basis for ORBS.
That's right; it's a very simplified technical description of what happens. You can get on the list after a single automatic test; not multiple complaints, not after being warned and refusing to fix things; just bang zoom, you're on. I was not value-judging it, nor was I attempting to speak to their motivations, I was describing what happens.
That's because MAPS is not automated, and not objective. MAPS relies on reports of abuse, which can be forged. IIRC MAPS does check if a server is an open relay. If it didn't I would rant :)
Again, nobody said it was objective. I was describing at a very high level how it works. As you will see from the rest of the discussion, the difference is important because spam relays can be objectively tested, but script kiddie harbors are going to be subjective. That's an important distinction for our discussion, don't you agree?
On Sat, Jul 08, 2000 at 01:13:50PM -0400, Shawn McMahon wrote: [snip]
That's right; it's a very simplified technical description of what happens.
You can get on the list after a single automatic test; not multiple complaints, not after being warned and refusing to fix things; just bang zoom, you're on.
Correct. I agree.
I was not value-judging it, nor was I attempting to speak to their motivations, I was describing what happens.
Ok :)
That's because MAPS is not automated, and not objective. MAPS relies on reports of abuse, which can be forged. IIRC MAPS does check if a server is an open relay. If it didn't I would rant :)
Again, nobody said it was objective. I was describing at a very high level how it works.
As you will see from the rest of the discussion, the difference is important because spam relays can be objectively tested, but script kiddie harbors are going to be subjective.
Yes. The ORBS approach won't fit for what we're discussing. The MAPS approach might.
That's an important distinction for our discussion, don't you agree?
I agree, I was just defending ORBS because what you said seemed like a value-judgement. I apologize for misreading. Greetz, Peter. -- petervd@vuurwerk.nl - Peter van Dijk [student:developer:ircoper]
Peter van Dijk wrote:
On Fri, Jul 07, 2000 at 12:18:15PM -0400, Shawn McMahon wrote:
The ORBS approach:
Put people on the list quickly, and make it easy for them to get back off the list.
Unfortunately, while this is an admirable objective, it is *not* the way ORBS operates. Were it, MAPS would have not been forced to create a working alternative.
This statement is in no way a political basis for ORBS.
Good. Because it misses the abusive nature of ORBS itself (lack of specificity, broad and shotgun based, enormous collateral damage, and a documented track record of personal vendettas (see http://www.deja.com/bg.xp?level=news.admin.net-abuse and search for ORBS)). The attacks on Steve Atkin's SamSpade come to mind.
ORBS lists open relay by policy. As simple as that. If ORBS is aware that you are an open relay, you get listed. ORBS is 100% objective.
See the above.
The MAPS approach:
Make it damn hard to get on the list.
That's because MAPS is not automated, and not objective.
No, that's because the collateral damage can be enormous, and you can't allow such mistakes to happen.
MAPS relies on reports of abuse, which can be forged.
This presupposes that some rather bright people can be fooled easily by headers. Perhaps you should look at the pedigrees of the MAPS employees (there are 10 or 15 of them already, recruited from the best of the abuse department in some major ISPs). MAPS does not rely on reports to add addresses (ask anyone who has nominated address space to MAPS). Sometimes the damn research that MAPS does, and the discussions they get into with the owners of the source address space take so long and are so detailed that MAPS take flak for not acting quickly enough, or ignoring the nomination, or bowing to pressure. They are thorough to the n'th degree. Here's a little snippet: I bet that Paul Vixie's email addresses get forge subscribed 10 times a day in the hopes that he will react, and punish the list he is forge subscribed to. If personal reaction and a vendetta were his MO I bet there would be a long trail of complaints, and a successful lawsuit or two.
IIRC MAPS does check if a server is an open relay. If it didn't I would rant :)
They do a lot more than that. Understand the fundamental difference between ORBS and MAPS. ORBS attempts to punish. No educational value. MAPS educates the spammer (if possible) and the network providers. I would hazard a guess that a large number of smaller providers now whack spammers and have tough AUPs because of an "education" provided by MAPS. I*I*RC as long as a provider is actively in communication with MAPS and is discussing a solution, the addresses that are suspected are removed from MAPS. I suggest a thorough read of all the pages at http://mail-abuse.org. DISCLAIMER: I subscribe and use all of the MAPS services on my network - so I am a satisfied customer. Geez, I should have listened to my own suggestion, and taken the thread elsewhere. But I guess this is certainly a good place for network operators to get an education about the issue.
Peter van Dijk wrote:
ORBS lists open relay by policy. As simple as that. If ORBS is aware that you are an open relay, you get listed. ORBS is 100% objective.
There's evidence that that might not be the case, but that's not a debate that would be on-topic, nor would it be appropriate, for this mailing list. -- North Shore Technologies, Cleveland, OH http://NorthShoreTechnologies.net Steve Sobol, BOFH - President, Chief Website Architect and Janitor Pictures of two of my 'children': http://www.WrinkleDogs.com About Spamfighters: "We're not net nazis. We're dot communists." - W. Arnold
On Fri, 7 Jul 2000, John Kristoff wrote:
This form of "shunning" seems like an appropriate approach, but a little scary. What sorts of mechanisms will prevent temporary black holes and DoS attacks to get an otherwise cooperative organization black holed?
Well, let's see: 1) we won't block DoS attacks, only script kiddies; 2) cooperative organizations won't get blackholed. -Dan
Dan Hollis wrote:
scary. What sorts of mechanisms will prevent temporary black holes and DoS attacks to get an otherwise cooperative organization black holed?
1) we won't block DoS attacks, only script kiddies
I was referring to the case where an organization is blackholed without sufficient cause, which in effect is a denial of service on that organization. John
On Fri, Jul 07, 2000 at 01:41:55PM -0500, John Kristoff wrote:
I was referring to the case where an organization is blackholed without sufficient cause, which in effect is a denial of service on that organization.
Nonsense. It's a boycott, not a denial of service. And it's just a boycott, it's not even picketing out front with signs.
Shawn McMahon wrote:
I was referring to the case where an organization is blackholed without sufficient cause, which in effect is a denial of service on that organization.
Nonsense. It's a boycott, not a denial of service. And it's just a boycott, it's not even picketing out front with signs.
Perhaps I wasn't clear... The organization in question does nothing wrong... but somehow gets in the blackhole list either by someone spoofing their netblocks, from faked complaints or other means, thus causing said organization to be denied connectivity by some malicious person(s). John
John Kristoff wrote:
Perhaps I wasn't clear...
The organization in question does nothing wrong... but somehow gets in the blackhole list either by someone spoofing their netblocks, from faked complaints or other means. Thus, causing the said organization to be denied connectivity by some malicious person(s).
If you are talking about any of the MAPS black holes (RBL, RSS, etc.), the process of getting in there is not arbitrary. It actually takes work. So the likelihood of an innocent bystander ending up there is close to zero. /rlj
On Fri, 7 Jul 2000, John Kristoff wrote:
Shawn McMahon wrote:
I was referring to the case where an organization is blackholed without sufficient cause, which in effect is a denial of service on that organization.
Nonsense. It's a boycott, not a denial of service. And it's just a boycott, it's not even picketing out front with signs.
Perhaps I wasn't clear... The organization in question does nothing wrong... but somehow gets in the blackhole list either by someone spoofing their netblocks,
If it's spoofed it wouldn't get into the blackhole list. Pretty simple. -Dan
On Fri, 07 Jul 2000 13:55:42 PDT, Dan Hollis said:
If it's spoofed it wouldn't get into the blackhole list. Pretty simple.
Simple to say. Hard to secure against a determined attacker. Go and *re*-read Ken Thompson's Turing Award Lecture "On Trusting Trust". Then start thinking paranoid. ;) (What, you haven't read it the FIRST time? Citation: @ARTICLE{Trusting.Trust, author={Ken Thompson}, title={Reflections on Trusting Trust}, journal={Communications of the ACM}, volume=27, number=8, month=Aug, year=1984, pages="761-763" }) -- Valdis Kletnieks Operating Systems Analyst Virginia Tech
On Fri, Jul 07, 2000 at 03:47:38PM -0500, John Kristoff wrote:
Nonsense. It's a boycott, not a denial of service. And it's just a boycott, it's not even picketing out front with signs.
Perhaps I wasn't clear...
The organization in question does nothing wrong... but somehow gets in the blackhole list either by someone spoofing their netblocks, from faked complaints or other means. Thus, causing the said organization to be denied connectivity by some malicious person(s).
No, it's still not a denial of service; it's a mass boycott for the wrong reason. If the Pope received faulty information that Disney was sacrificing babies inside Snow White's castle, and called for all Catholics to boycott but didn't say they had so, just that they should, could Disney sue the pope for preventing them from doing business? No, because those Catholics could choose to ignore the Pope. They follow him by choice. It's the same with the blackhole lists; people join on purpose, they're not forced to. They can choose to not use the blackhole list any time they want to. So far, every time somebody's threatened to sue the blackhole lists, they've backed off once they've talked to the lawyers and had them research it. There's a reason for that. If I as an individual choose to not use your services because somebody else recommended it, I'm not preventing your network from functioning; I'm just not allowing you to use *MY* network, and since you haven't paid for the privilege, you have nothing legitimate to bitch about.
Shawn McMahon wrote:
No, it's still not a denial of service; it's a mass boycott for the wrong reason.
Regardless, if that were to be SOP, then I don't think that's the answer the Internet should be looking for. Hearing from others, it appears as though the MAPS approach may have the desired effect without blackholing sites recklessly. John
On Fri, Jul 07, 2000 at 04:43:14PM -0500, John Kristoff wrote:
Regardless, if that were to be SOP, then I don't think that's the answer the Internet should be looking for. Hearing from others, it appears as though the MAPS approach may have the desired effect without blackholing sites recklessly.
That's what I was advocating. The ORBS approach is completely justified for open relays, which are easily testable programmatically (which is what they do), but clearly something like the MAPS and/or UDP approach is necessary for this. You can't really test people at random to see if they're harboring script kiddies, you have to observe it in action and observe their reaction when contacted.
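The "easily testable programmatically" point above is the whole basis for relay-by-policy listing, so here is an added, self-contained illustration of what such a probe does. This is example code written for this archive page, not ORBS's or MAPS's own test, and it never touches a real mail server: it starts two tiny constructed SMTP responders on 127.0.0.1 (one that accepts any RCPT TO, one that only relays for its own domain) and runs the same probe against both. The domain and address names (relay.example, outside-a.example, outside-b.example) are hypothetical. The probe checks only the envelope, issuing RSET and QUIT before DATA, so no message is actually relayed even against a genuinely open host.

```python
"""Open-relay probe with constructed fake servers (added example, not ORBS code)."""
import socket
import socketserver
import threading

LOCAL_DOMAIN = "relay.example"            # assumption: the tested host's own domain
PROBE_SENDER = "probe@outside-a.example"  # hypothetical external sender
PROBE_RCPT = "victim@outside-b.example"   # hypothetical external recipient


class FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Minimal SMTP responder; the class attribute `open_relay` selects behaviour."""
    open_relay = False

    def reply(self, line):
        self.wfile.write((line + "\r\n").encode("ascii"))

    def handle(self):
        self.reply("220 %s ESMTP ready" % LOCAL_DOMAIN)
        while True:
            raw = self.rfile.readline()
            if not raw:                       # client went away
                return
            verb, _, arg = raw.decode("ascii", "replace").rstrip("\r\n").partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                self.reply("250 %s" % LOCAL_DOMAIN)
            elif verb == "MAIL":
                self.reply("250 2.1.0 OK")    # both servers accept any sender
            elif verb == "RCPT":
                addr = arg.split(":", 1)[-1].strip("<> ")
                domain = addr.rpartition("@")[2].lower()
                # The open relay takes every recipient; the restricted one only its own.
                if self.open_relay or domain == LOCAL_DOMAIN:
                    self.reply("250 2.1.5 OK")
                else:
                    self.reply("554 5.7.1 Relaying denied")
            elif verb == "RSET":
                self.reply("250 2.0.0 OK")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("502 5.5.2 Command not implemented")


def start_fake_server(open_relay):
    """Start a fake SMTP server on an ephemeral loopback port; return (server, port)."""
    handler = type("Handler", (FakeSMTPHandler,), {"open_relay": open_relay})
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def _read_reply(f):
    """Read one SMTP reply (skipping '250-' continuation lines); return the code."""
    while True:
        line = f.readline().decode("ascii", "replace")
        if not line:
            raise ConnectionError("server closed connection")
        if len(line) < 4 or line[3] != "-":
            return int(line[:3])


def probe_open_relay(host, port, timeout=5.0):
    """Return True if host:port accepts a foreign-sender -> foreign-recipient envelope."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")

        def send(cmd):
            sock.sendall((cmd + "\r\n").encode("ascii"))
            return _read_reply(f)

        if _read_reply(f) != 220:
            raise RuntimeError("no SMTP banner")
        if send("EHLO probe.example") != 250:
            raise RuntimeError("EHLO refused")
        if send("MAIL FROM:<%s>" % PROBE_SENDER) != 250:
            return False                      # will not even take an outside sender
        code = send("RCPT TO:<%s>" % PROBE_RCPT)
        send("RSET")                          # abandon the envelope: nothing is sent
        send("QUIT")
        return code == 250


def run_demo():
    """Probe both constructed servers; return {label: is_open_relay}."""
    results = {}
    for label, open_relay in (("open-relay", True), ("relay-restricted", False)):
        srv, port = start_fake_server(open_relay)
        try:
            results[label] = probe_open_relay("127.0.0.1", port)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for label, is_open in run_demo().items():
        print("%-17s -> %s" % (label, "accepts foreign relay (listable)" if is_open else "relaying denied"))
```

The decision rests on the RCPT TO reply code alone: a 250 to a recipient in a domain the server is not responsible for, from a sender it has no relationship with, is the objective condition a relay list keys on. A real probe would also try the classic bypass encodings (percent-hack, source-routed and bang-path recipients), which is why the hardened server above checks the recipient domain after stripping the envelope brackets rather than pattern-matching the raw argument.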
On Fri, 07 Jul 2000 16:57:38 EDT, Shawn McMahon <smcmahon@eiv.com> said:
If the Pope received faulty information that Disney was sacrificing babies inside Snow White's castle, and called for all Catholics to boycott but didn't say they had so, just that they should, could Disney sue the pope for preventing them from doing business?
At least in the US, it's illegal to attempt to manipulate stock prices by spreading rumors about a company, and saying "you should sell before it tanks". The Pope might not be liable if he acted in good faith (sorry for the pun) and had reason to believe the information was true. However, the person who intentionally gave the Pope the information would quite likely be in for a bad time. And note that even if Disney can't sue the Pope, it could still have an effect on Disney's bottom line. Apply this thought experiment: Pick a *large* provider. AOL, Sprint, British Telecom, Yahoo - anything that a lot of people use. Now assume that the blackhole list is in common use (since it's not effective if it isn't). What's the impact on the net if said large provider *does* get black-listed? If I was clever and pissed at AOL, I'd certainly look for a way to create enough evidence that AOL needed black-listing. What a nice DOS that would be ;) -- Valdis Kletnieks Operating Systems Analyst Virginia Tech
On Fri, Jul 07, 2000 at 05:45:28PM -0400, Valdis.Kletnieks@vt.edu wrote:
At least in the US, it's illegal to attempt to manipulate stock prices by spreading rumors about a company, and saying "you should sell before it tanks".
However, it's not illegal to say "don't shop there anymore".
Apply this thought experiment: Pick a *large* provider. AOL, Sprint, British Telecom, Yahoo - anything that a lot of people use. Now assume that the blackhole list is in common use (since it's not effective if it isn't). What's the impact on the net if said large provider *does* get black-listed?
Hell, let's not beat around the bush with thought experiments; Road Runner *IS* blackholed. Are they suing anybody? Are they likely to even try? That's one of the biggest ISPs in existence, and growing faster than anybody.
Shawn McMahon wrote:
Hell, let's not beat around the bush with thought experiments; Road Runner *IS* blackholed.
Are they suing anybody? Are they likely to even try?
That's one of the biggest ISPs in existence, and growing faster than anybody.
Not that I disagree with the base argument, but GeekTools SuperWhois tells me that RoadRunner has a *lot* of address space. *Very* few specific hosts are blackholed. It's not accurate to say that Road Runner is blackholed. The effect on users has not reached the threshold of pain, and those users who are inconvenienced are mostly aware, and culpable. AFAIK I guess it's time to move this thread to an appropriate forum... perhaps inet-access, or N.A.N.A.* /rlj
On Fri, 7 Jul 2000 Valdis.Kletnieks@vt.edu wrote:
If I was clever and pissed at AOL, I'd certainly look for a way to create enough evidence that AOL needed black-listing. What a nice DOS that would be ;)
People could try to pull this off with the RBL. Now ask yourself why it hasn't happened yet...? -Dan
On Fri, 07 Jul 2000 17:45:28 -0400, Valdis.Kletnieks@vt.edu wrote:
Apply this thought experiment: Pick a *large* provider. AOL, Sprint, British Telecom, Yahoo - anything that a lot of people use. Now assume that the blackhole list is in common use (since it's not effective if it isn't). What's the impact on the net if said large provider *does* get black-listed?
If I was clever and pissed at AOL, I'd certainly look for a way to create enough evidence that AOL needed black-listing. What a nice DOS that would be ;)
In theory, the provider will get a nice e-mail before they're blocked... if someone's trying to pull a fast one, the ISP will be able to look at that and determine whether or not it's legitimate. Now, if the provider doesn't respond, they might get a little blacklisted... but is that necessarily bad, given the previous check? -rt -- Ryan Tucker <rtucker@netacc.net> Network Administrator NetAccess, Inc. Phone: +1 716 756-5596 3495 Winton Place, Building E, Suite 265, Rochester NY 14623 www.netacc.net
participants (16)
- Dan Hollis
- J Bacher
- John Kristoff
- John Payne
- Peter van Dijk
- Randy Bush
- Richard Irving
- Rodney Joffe
- Ryan Tucker
- Scott McGrath
- Sean Donelan
- Shawn McMahon
- Stephen Stuart
- Steve Sobol
- Valdis.Kletnieks@vt.edu
- woods@weird.com