Re: Fw: Administrivia: ORBS
patrick@ianai.net (I Am Not An Isp) writes:
> What do other open relay lists (e.g. MAPS/RSS) do when they are filtered at the network level?
That's a misleading question. MAPS RSS doesn't probe for relay openness unless spam has been received from the relay in question. OTOH, if there is spam receipt and if the relay doesn't appear to be reachable, a human operator can decide that a firewall might be involved and block the relay in spite of our inability to test it.
MAPS RSS never blocks whole address ranges, only /32's.
ORBS is apparently blocking whole /16's belonging to Abovenet only because Abovenet refuses to have whole /16's probed for SMTP servers and then having each such server probed for relay openness. (I can't say as I blame them.)
--
Paul Vixie <vixie@mibh.net>
>> But what *IS* the internet?
> It's the largest equivalence class in the reflexive transitive
> symmetric closure of the relationship "can be reached by an IP
> packet from". --Seth Breidbart
On 14 Jan 2000, Paul Vixie wrote:
> Date: 14 Jan 2000 18:41:48 -0800
> From: Paul Vixie <vixie@mibh.net>
> To: nanog@merit.edu
> Subject: Re: Fw: Administrivia: ORBS
>
> That's a misleading question. MAPS RSS doesn't probe for relay openness unless spam has been received from the relay in question. OTOH, if there is spam receipt and if the relay doesn't appear to be reachable, a human operator can decide that a firewall might be involved and block the relay in spite of our inability to test it.
>
> MAPS RSS never blocks whole address ranges, only /32's.
>
> ORBS is apparently blocking whole /16's belonging to Abovenet only because Abovenet refuses to have whole /16's probed for SMTP servers and then having each such server probed for relay openness. (I can't say as I blame them.)
> --
> Paul Vixie <vixie@mibh.net>
In effect, Above.net is (by filtering the ORBS probes) licensing every single IP in their /16 to spam via the sordid and detailed means that ORBS works to prevent.
This is an incorrect assumption? Please educate me as to how this is the wrong way to view this.
I am under the assumption that the said block on Above.net/16 didn't go into effect until ORBS itself was blocked - thus the resulting block on Above.net.
danielle v
>> ORBS is apparently blocking whole /16's belonging to Abovenet only because Abovenet refuses to have whole /16's probed for SMTP servers and then having each such server probed for relay openness. (I can't say as I blame them.)
> In effect, Above.net is (by filtering the ORBS probes) licensing every single IP in their /16 to spam via the sordid and detailed means that ORBS works to prevent.
That's incorrect.
> This is an incorrect assumption? Please educate me as to how this is the wrong way to view this.
Abovenet, like many ISP's, has a far-reaching antispam AUP, and aggressively disconnects customers of theirs who spam or who allow their own downstream customers to spam. On their main web page (www.above.net) I saw a link with the title "Anti-Spam Policy" pointing to http://www.above.net/anti-spam.html which begins:
AboveNet's tolerance for spam originating from our customers, or from our customers' customers, or for spam advertising web sites of our customers of our customers' customers, is zero.
Anyone who thinks that a network which refuses to be probed by ORBS must be a hotbed of spam is failing to understand the same property rights issues which spammers themselves fail to understand. Whenever I see a port scanner on my own network I locally block it since it is after all my network and I reserve the right to carry, or not carry, any traffic I want (or don't want).
Abovenet seems to be exercising their property rights over their own network. According to reports, they asked ORBS to stop running their SMTP port scanner on Abovenet's address space, and ORBS refused. Abovenet's only recourse was to block access to ORBS' probe host. And so, "I can't say as I blame them."
> I am under the assumption that the said block on Above.net/16 didn't go into effect until ORBS itself was blocked - thus the resulting block on Above.net.
That part is correct. Only the motives you impute Abovenet as having (see above text) are incorrect.
[ On Friday, January 14, 2000 at 21:20:19 (-0800), Paul A Vixie wrote: ]
> Subject: Re: Fw: Administrivia: ORBS
>
> Abovenet, like many ISP's, has a far-reaching antispam AUP, and aggressively disconnects customers of theirs who spam or who allow their own downstream customers to spam. On their main web page (www.above.net) I saw a link with the title "Anti-Spam Policy" pointing to http://www.above.net/anti-spam.html which begins:
>
> AboveNet's tolerance for spam originating from our customers, or from our customers' customers, or for spam advertising web sites of our customers of our customers' customers, is zero.
IANAL, but that doesn't say anything directly about AboveNet's policy regarding open relays, at least not if you interpret "originate" as meaning that it was actually generated on the source site. They do say in another part of their policy that they "reserve the right ... to blackhole ... open relays", but they don't say that their tolerance for open relays "is zero" as above for direct spam.
Of course I have no personal, or even second hand, experience to know if/how they implement their policies and until now I've had no reason to doubt that they do enforce their policies quite strictly.
I thought when this discussion first erupted that the issue might actually be one of multi-level relays (which would be very effectively stopped if AboveNet themselves used ORBS! :-), but after looking at the list of AboveNet IPs published by ORBS it would appear that the open relays are not generally of the multi-level nature.
Everything else I've heard about this event suggests that there are indeed quite a few open relays within AboveNet's customer network space (and/or in their customer's customer's). What I don't know yet is how those open relays were first discovered, or whether or not any significant number of them have been exploited by spammers to any degree at all.
Perhaps AboveNet would openly submit to testing by someone independent of ORBS who would agree not to release the detailed results (except to AboveNet) but who would check the validity of ORBS claims and provide a summary report. ORBS would of course have to be allowed to review the validity of the tests done.
> Abovenet seems to be exercising their property rights over their own network. According to reports, they asked ORBS to stop running their SMTP port scanner on Abovenet's address space, and ORBS refused. Abovenet's only recourse was to block access to ORBS' probe host. And so, "I can't say as I blame them."
Ummm.... Something's wrong with that logic I think.
As I understand it the open-relay problems are not with AboveNet's own mail servers, but rather with those of its customers, as I say above. In this case AboveNet is a transport provider and in my opinion they're risking their status as a network carrier to be filtering in the way they are. (Not that I know anything about carrier rights! :-). In my opinion they should be helping their customers secure the customer networks, at the customer's border router, and not trying to do this anywhere within AboveNet's network. If anything they should be filtering all external SMTP connections to or from the open relays on their networks, not just those from the relay tester. Of course if they can get by with using the MAPS RBL then they should be able to get by with using ORBS too!
Your own filtering of your own network when your own hosts are involved is a much different scenario. If you don't want your mailers tested by ORBS then that's fine. Just arrange it such that they get back a TCP RST packet and then be darn sure nobody else can relay through you either. Don't even bother logging their probes and it won't affect your blood pressure.
Finally can we please stop using the incorrect term "port scanner" here? ORBS does not "scan" and it most certainly doesn't scan arbitrary ports.
--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
Greg A. Woods wrote:
> [ On Friday, January 14, 2000 at 21:20:19 (-0800), Paul A Vixie wrote: ]
>> Subject: Re: Fw: Administrivia: ORBS
>>
>> Abovenet seems to be exercising their property rights over their own network. According to reports, they asked ORBS to stop running their SMTP port scanner on Abovenet's address space, and ORBS refused. Abovenet's only recourse was to block access to ORBS' probe host. And so, "I can't say as I blame them."
> Ummm.... Something's wrong with that logic I think.
there's nothing wrong with that logic.
i used to work for a little company here in Austin called MIDS. as sys/net admin on that network i fielded several requests from other networks to stop sending icmp echo requests to their network. we did this in an attempt to chart the "performance" of the Internet. you can argue about the validity of those measurements all you want. however, when we received a request to stop, we stopped. we then contacted the person who requested the halt, and explained to them what we were doing. if they understood and wished to continue to participate, we put them back in our lists. if they didn't want to participate, i thanked them and put them in a list of networks not to measure. it's called being a responsible netizen. it's just that simple.
i would bet that if ORBS had taken a similar measure they could have worked out something with Abovenet. instead ORBS behaved in an "inappropriate" manner, and Abovenet took steps to ensure that unauthorized probes of their network were not allowed to reach their hosts.
damon
note: the only reason MIDS did not contact networks beforehand was because the time and manpower required were not available.
--
Damon Conway
Black Rock City Ranger...Riding the edge of chaos
"Ana Ng and I are getting old, but we still haven't walked in the glow of each other's majestic presence." -- TMBG
[ On Saturday, January 15, 2000 at 14:13:48 (-0600), Damon M. Conway wrote: ]
> Subject: Re: Fw: Administrivia: ORBS
>
> there's nothing wrong with that logic. i used to work for a little company here in Austin called MIDS. as sys/net admin on that network i fielded several requests from other networks to stop sending icmp echo requests to their network. we did this in an attempt to chart the "performance" of the Internet. you can argue about the validity of those measurements all you want. however, when we received a request to stop, we stopped. we then contacted the person who requested the halt, and explained to them what we were doing. if they understood and wished to continue to participate, we put them back in our lists. if they didn't want to participate, i thanked them and put them in a list of networks not to measure. it's called being a responsible netizen. it's just that simple. i would bet that if ORBS had taken a similar measure they could have worked out something with Abovenet. instead ORBS behaved in an "inappropriate" manner, and Abovenet took steps to ensure that unauthorized probes of their network were not allowed to reach their hosts.
I understand that fully. ORBS *does* honour requests to stop, or at least they claim to and there's evidence they do in their database (stopping probing incidentally supposedly causes the network to be permanently listed). They claim they've never had any such requests from AboveNET. Who am I supposed to believe? I'm just an ORBS user and I only know one AboveNET person because of his on-line personality.
Please visit http://www.orbs.org/, select the first link, and read their side of the story before making incorrect assumptions.
--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
participants (5)
- Damon M. Conway
- danielle v.
- Paul A Vixie
- Paul Vixie
- woods@most.weird.com