Alright, ORBS sucks - next topic, please ;) [was RE: RBL-type BGP service for known rogue networks?]
I -do- have a postmaster account, and there's nothing broken on my mail server. I *don't run an open relay*. I provide SMTP service to my clients *in conformance with the relevant RFCs*, as well as reasonable and prudent security practices. I'm not a spam-house; I have internal mechanisms for detecting such activity before it becomes a problem for others, in most cases. When something slips through the cracks, I jump on it immediately. It's great that their 'service' helped you; however, some of us would prefer to rely upon our own skills and experience to ensure that our systems are properly set-up. I no more want the ORBS people forging mail via my server than I do the 'MAKE MONEY FAST' people, and their attitude belies a stunning arrogance coupled with extreme shortsightedness, which isn't something any of us should wish for in an organization whose stated aim is to improve the user experience. And that's enough of that.
-----Original Message----- From: Eric A. Hall [mailto:ehall@ehsco.com] Sent: Saturday, July 08, 2000 12:08 PM To: rdobbins@netmore.net Cc: nanog@merit.edu Subject: Re: RBL-type BGP service for known rogue networks?
ORBS forge headers (thereby violating the RFC) to look as if they're coming from domains you host, then if it goes through, they put you in their little black book for being an 'open relay'. No notice, nothing.
The last part of that statement is simply untrue. I got ORBS'd once and they notified me via postmaster@domain. If you don't get notified then you don't have a postmaster account for the domain, and it is you who are in violation of the RFCs. As for the "forge headers in violation" part, they have to test the common variations. Who cares if they do that as a one-off probe. If they were doing it all the time it would be a problem, but once is nothing. Of course, the spammers who are using your server as an open relay are certainly violating that and much more, so if it really bothers you close your freaking relay. ;) I for one was happy for the free and comprehensive testing. It pointed out a hole I had missed in my config. Once patched, I was out of the ORBS database in less than 24 hours, and was able to get out on my own just by filling out a form on their web site that kicked off an automated retesting. I think ORBS provides an excellent service, and I say that because my experience says that they rely entirely upon factual evidence before they block, and it is easy to get out of the database once you provide evidence that you have fixed your server. -- Eric A. Hall http://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
It's great that their 'service' helped you; however, some of us would prefer to rely upon our own skills and experience to ensure that our systems are properly set-up.
I don't know if you actually went out of your way to misrepresent my comments or if it was accidental. Either way, you're wrong again: The 'service' they provide is a database of VERIFIED open relays. It is a damn good service and is a very useful tool in the arsenal. As to your "skills and experience," how did you manage to get in their database of open relays with such a finely-tuned system? I got in because I left a small hole; my own skills and experience were good but not perfect. If you choose not to use outside verification tools that's certainly up to you, but I'm not required to accept mail from your open relays, regardless of how superior your intellect may be. Thanks -- Eric A. Hall http://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
[Note reply-to is not the list; see nanog archives for more orbs discussion] On Sat, Jul 08, 2000 at 01:22:01PM -0700, Eric A. Hall wrote: [snip]
I don't know if you actually went out of your way to misrepresent my comments or if it was accidental. Either way, you're wrong again: The 'service' they provide is a database of VERIFIED open relays. It is a damn good service and is a very useful tool in the arsenal.
ORBS is a well-documented spite list, among other things. Networks are listed for requesting that they not be probed, regardless of their status, among other behaviors. The mere fact that un-requested and un-provoked probes are issued at whim is alarming net.abuse, IMNSHO, and the only marginally relevant portion of this particular offshoot thread. Cheers, Joe -- Joe Provo Voice 508.486.7471 Director, Internet Planning & Design Fax 508.229.2375 Network Deployment & Management, RCN <joe.provo@rcn.com>
----- Original Message ----- From: "Eric A. Hall" <ehall@ehsco.com> Cc: <nanog@merit.edu> Sent: Saturday, July 08, 2000 10:22 PM Subject: No, ORBS is a good tool [WAS: Alright, ORBS sucks - next topic, please ;) [was RE: RBL-type BGPservice for known rogue networks?]]
It's great that their 'service' helped you; however, some of us would prefer to rely upon our own skills and experience to ensure that our systems are properly set-up.
I don't know if you actually went out of your way to misrepresent my comments or if it was accidental. Either way, you're wrong again: The 'service' they provide is a database of VERIFIED open relays. It is a damn good service and is a very useful tool in the arsenal.
I totally agree with this statement. Could someone please explain what is the truth in the mutual finger pointing between Abovenet/MAPS and ORBS ? On one hand you can read on the mail-abuse.org that : "Effective 6/22/2000, we cannot accept submissions from you if you refuse mail from sites listed by ORBS. ORBS has listed our mailserver, and we'd therefore be unable to respond to your email. (No, we're not running an open relay.) " Which seems totally false since I am using ORBS and I am able to exchange email with the MAPS RSS staff. On the other hand, ORBS claims Abovenet is blackholing /24 that contain ORBS servers which I was totally unable to verify despite my path to ORBS goes through Abovenet. I am not aware of any listing of ORBS servers in MAPS nor aware of listing of MAPS servers in ORBS. What is the truth in all this? I do understand that Abovenet does not want ORBS to test its network and that therefore Abovenet is listed in the untestable networks, but why is the argument going any further? Isn't that a bit stupid? I mean some network admin hate ORBS, some use part of it, some love it. Let each admin choose.
On Sun, 9 Jul 2000, JP Donnio wrote:
I don't know if you actually went out of your way to misrepresent my comments or if it was accidental. Either way, you're wrong again: The 'service' they provide is a database of VERIFIED open relays. It is a damn good service and is a very useful tool in the arsenal.
I totally agree with this statement.
Could someone please explain what is the truth in the mutual finger pointing between Abovenet/MAPS and ORBS ?
The truth is always hard to determine I would say. My personal stake in this ordeal so far has been to try to get the madness to stop, it seems to no avail.
On one hand you can read on the mail-abuse.org that : "Effective 6/22/2000, we cannot accept submissions from you if you refuse mail from sites listed by ORBS. ORBS has listed our mailserver, and we'd therefore be unable to respond to your email. (No, we're not running an open relay.) "
AboveNet (and thus MAPS) has been listed as untestable. Unfortunately, at least part of the people who implement ORBS on their mailservers aren't fully aware of the difference between being listed as untestable and being listed as an open relay.
Which seems totally false since I am using ORBS and I am able to exchange email with the MAPS RSS staff.
On the other hand, ORBS claims Abovenet is blackholing /24 that contain ORBS servers which I was totally unable to verify despite my path to ORBS goes through Abovenet.
We currently host the ORBS tester. We've had several incidents where traffic from our network to the NZ-based site (where the database and website run) dropped to a dead stop inside AboveNet space.
I am not aware of any listing of ORBS servers in MAPS nor aware of listing of MAPS servers in ORBS.
ORBS was once put in the RBL. This was later retracted. MAPS is not listed in ORBS, beyond those ranges that are listed as untestable.
What is the truth in all this?
I do understand that Abovenet does not want ORBS to test its network and that therefore Abovenet is listed in the untestable networks, but why is the argument going any further? Isn't that a bit stupid? I mean some network admin hate ORBS, some use part of it, some love it. Let each admin choose.
The problem stems in the fact that Vixie and Rand, in their role as AboveNet staff, take it upon themselves to not only demand that ORBS not test their own network, but also that the tests do not pass their transit routes. Two weeks ago our primary /24 got nullrouted inside AboveNet space without any prior communication from their side (no abuse-complaints, no mail to our uplinks, nothing), effectively blocking around 30,000 domains from being reachable. I took up communication with vixie, basically trying to get into some form of dialogue to get issues settled. The core of his reply is that he does not want to provide any information to ORBS to enable them to comply to his demands of ORBS tests not passing AboveNet transit and he demands that we take the testers offline. We're still pondering our options here. Silly as this entire venture is, we may not be able to afford losing routability for our customer base so we might actually have to give in to his demands. HTH, Pi
On Sun, Jul 09, 2000 at 11:57:00AM +0200, Pim van Riezen wrote:
On Sun, 9 Jul 2000, JP Donnio wrote:
I don't know if you actually went out of your way to misrepresent my comments or if it was accidental. Either way, you're wrong again: The 'service' they provide is a database of VERIFIED open relays. It is a damn good service and is a very useful tool in the arsenal.
I totally agree with this statement.
Could someone please explain what is the truth in the mutual finger pointing between Abovenet/MAPS and ORBS ?
The truth is always hard to determine I would say. My personal stake in this ordeal so far has been to try to get the madness to stop, it seems to no avail.
Hi Pim! Pim is another one of my co-workers, I agree with him fully on this statement.
On one hand you can read on the mail-abuse.org that : "Effective 6/22/2000, we cannot accept submissions from you if you refuse mail from sites listed by ORBS. ORBS has listed our mailserver, and we'd therefore be unable to respond to your email. (No, we're not running an open relay.) "
AboveNet (and thus MAPS) has been listed as untestable. Unfortunately, at least part of the people who implement ORBS on their mailservers aren't fully aware of the difference between being listed as untestable and being listed as an open relay.
And mail-abuse.org deliberately suggests that ORBS is at fault here, claiming that ORBS lists them and stating they are not an open relay. Both are true facts. ORBS, therefore, does not list mail-abuse.org's mail server as an open relay.
Which seems totally false since I am using ORBS and I am able to exchange email with the MAPS RSS staff.
On the other hand, ORBS claims Abovenet is blackholing /24 that contain ORBS servers which I was totally unable to verify despite my path to ORBS goes through Abovenet.
We currently host the ORBS tester. We've had several incidents where traffic from our network to the NZ-based site (where the database and website run) dropped to a dead stop inside AboveNet space.
AboveNet has, at one time, blackholed our /24, including our nameservers, everywhere they could. This meant 30.000 domains were *unreachable* for abovenet customers.
I am not aware of any listing of ORBS servers in MAPS nor aware of listing of MAPS servers in ORBS.
ORBS was once put in the RBL. This was later retracted. MAPS is not listed in ORBS, beyond those ranges that are listed as untestable.
Correct.
What is the truth in all this?
I do understand that Abovenet does not want ORBS to test its network and that therefore Abovenet is listed in the untestable networks, but why is the argument going any further? Isn't that a bit stupid? I mean some network admin hate ORBS, some use part of it, some love it. Let each admin choose.
The problem stems in the fact that Vixie and Rand, in their role as AboveNet staff, take it upon themselves to not only demand that ORBS not test their own network, but also that the tests do not pass their transit routes. Two weeks ago our primary /24 got nullrouted inside AboveNet space without any prior communication from their side (no abuse-complaints, no mail to our uplinks, nothing), effectively blocking around 30,000 domains from being reachable.
As I stated in another email, indeed, AboveNet does not warn or complain. They just blackhole.
I took up communication with vixie, basically trying to get into some form of dialogue to get issues settled. The core of his reply is that he does not want to provide any information to ORBS to enable them to comply to his demands of ORBS tests not passing AboveNet transit and he demands that we take the testers offline. We're still pondering our options here. Silly as this entire venture is, we may not be able to afford losing routability for our customer base so we might actually have to give in to his demands.
Which would be a big bloody shame :( Greetz, Peter. -- petervd@vuurwerk.nl - Peter van Dijk [student:developer:ircoper]
----- Original Message ----- From: "Peter van Dijk" <petervd@vuurwerk.nl> To: <nanog@merit.edu> Sent: Sunday, July 09, 2000 12:08 PM Subject: Re: No, ORBS is a good tool [WAS: Alright, ORBS sucks - next topic, please ;) [was RE: RBL-type BGPservice for known rogue networks?]]
We currently host the ORBS tester. We've had several incidents where traffic from our network to the NZ-based site (where the database and website run) dropped to a dead stop inside AboveNet space.
So they restrained the transit they sold... without notifying the contract holder I guess.
AboveNet has, at one time, blackholed our /24, including our nameservers, everywhere they could. This meant 30.000 domains were *unreachable* for abovenet customers.
The problem stems in the fact that Vixie and Rand, in their role as AboveNet staff, take it upon themselves to not only demand that ORBS not test their own network, but also that the tests do not pass their transit routes. Two weeks ago our primary /24 got nullrouted inside AboveNet space without any prior communication from their side (no abuse-complaints, no mail to our uplinks, nothing), effectively blocking around 30,000 domains from being reachable.
As I stated in another email, indeed, AboveNet does not warn or complain. They just blackhole.
I took up communication with vixie, basically trying to get into some form of dialogue to get issues settled. The core of his reply is that he does not want to provide any information to ORBS to enable them to comply to his demands of ORBS tests not passing AboveNet transit and he demands that
Well we cannot really oppose this, who on this list is providing access to the entire whole internet? Obviously not abovenet. If they want to deny traffic from the tester entering their network, why not. You should make sure that no other traffic (your business) is hurt by this. Why not setup an AS with a /24 and run the tester from there? Or several of them in diverse locations.
we take the testers offline. We're still pondering our options here. Silly as this entire venture is, we may not be able to afford losing routability for our customer base so we might actually have to give in to his demands.
Which would be a big bloody shame :(
Sure it would. It should be possible to avoid AboveNet though. Isolate the tester from your business and let him block the new /24 if he wants. And make sure that the facts are clearly explained on the web; your previous email was pretty clear I think.
On Sun, 9 Jul 2000, JP Donnio wrote:
traffic from our network to the NZ-based site (where the database and website run) dropped to a dead stop inside AboveNet space.
So they restrained the transit they sold... without notifying the contract holder I guess.
The standard reply here is "we do not disclose details on transit customer contracts". Pretty convenient.
AboveNet has, at one time, blackholed our /24, including our nameservers, everywhere they could. This meant 30.000 domains were *unreachable* for abovenet customers.
Well we cannot really oppose this, who on this list is providing access to the entire whole internet? Obviously not abovenet. If they want to deny traffic from the tester entering their network, why not. You should make sure that no other traffic (your business) is hurt by this. Why not setup an AS with a /24 and run the tester from there? Or several of them in diverse locations.
Problem is, we're just an ISP. So we'd have to get our uplinks to organize that. And since the purpose of the blackhole was beyond blocking the tester (they did have a similar block on the /32 of the tester, which was at least morally defendable), but rather to pressure us to take the thing offline, I'm afraid that moving it to another /24 will not make any difference, there'd still be 'retaliations' against the hosting ISP.
Which would be a big bloody shame :(
Sure it would. It should be possible to avoid AboveNet though. Isolate the tester from your business and let him block the new /24 if he wants. And make sure that the facts are clearly explained on the web; your previous email was pretty clear I think.
In the current situation he can (and previously did) block the /32 of the tester. He extended that to a /24, so if I move to another /24 with the tester I'm afraid he'll probably move up another layer. For the record, the block is currently gone, but this measure was marked as "temporarily". Cheers, Pi
Well we cannot really oppose this, who on this list is providing access to the entire whole internet? Obviously not abovenet. If they want to deny traffic from the tester entering their network, why not. You should make sure that no other traffic (your business) is hurt by this. Why not setup an AS with a /24 and run the tester from there? Or several of them in diverse locations.
----- Original Message ----- From: "Pim van Riezen" <pi@vuurwerk.nl> To: "JP Donnio" <ml-nanog@TBS-internet.com> Cc: "Peter van Dijk" <petervd@vuurwerk.nl>; <nanog@merit.edu> Sent: Sunday, July 09, 2000 2:17 PM Subject: Re: No, ORBS is a good tool [WAS: Alright, ORBS sucks - next topic,please ;) [was RE: RBL-type BGPservice for known rogue networks?]]
Problem is, we're just an ISP. So we'd have to get our uplinks to organize that. And since the purpose of the blackhole was beyond blocking the tester (they did have a similar block on the /32 of the tester, which was at least morally defendable), but rather to pressure us to take the thing offline, I'm afraid that moving it to another /24 will not make any difference, there'd still be 'retaliations' against the hosting ISP.
That's interesting. This would prove the Abovenet's behaviour is evil; if they can filter on the /32 but choose to filter on the /24, they are morally undefendable. Even ORBS opposers cannot support such behavior I guess!
On Sun, Jul 09, 2000 at 02:37:29PM +0200, JP Donnio wrote:
That's interesting. This would prove the Abovenet's behaviour is evil; if they can filter on the /32 but choose to filter on the /24, they are morally undefendable. Even ORBS opposers cannot support such behavior I guess!
Why? They can block any traffic on their network that they want. If their customers don't like it, they can move elsewhere. Cheers John (nothing to do with abovenet except being a customer of a downstream) -- John Payne http://www.sackheads.org/jpayne/ john@sackheads.org http://www.sackheads.org/uce/ Fax: +44 870 0547954 340% tax? http://www.boycott-the-pumps.com/
participants (7)
- Eric A. Hall
- Joe Provo - Network Architect
- John Payne
- JP Donnio
- Peter van Dijk
- Pim van Riezen
- rdobbins@netmore.net