RE: ORBS (Re: Scanning)
From: E.B. Dreger [mailto:eddy+public+spam@noc.everquick.net] Sent: Sunday, May 27, 2001 8:05 AM
ORBS catches far more than MAPS.
As Randy stated "so does a hydrogen bomb". The problem is target acquisition and [the lack of] discrimination. The REASON tactical nukes aren't used regularly is the collateral damage issue.
My take is that anybody who has a problem with the infrequent ORBS probes should have a huge problem with the daily bombardment of relay attempts.
A system that tests positive for ORBS , yet is using MAPS, will not be used as a spam relay. Yet, ORBS will list such a system.
Bottom line: Blocking mail from rogue servers is the best way to stop spam and to not be a party to somebody else getting relay-raped. Anyone with clue closed relays how many years ago?
It is more accurate to state that most folks have placed guards on their mail systems.
I don't buy the "we need open relay for nationwide users" argument, either. Build a cheap MX that does nothing but take mail from a given POP, and send it to the world. Anti-spoofing at the border, don't accept mail from the outside world, and you're done.
You must not have a roaming staff or are willing to keep telcos wealthy.
Date: Sun, 27 May 2001 09:11:39 -0700 From: Roeland Meyer <rmeyer@mhsc.com>
[ snip ]
I don't buy the "we need open relay for nationwide users" argument, either. Build a cheap MX that does nothing but take mail from a given ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ POP, and send it to the world. Anti-spoofing at the border, ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ don't accept mail from the outside world, and you're done.
You must not have a roaming staff or are willing to keep telcos wealthy.
Or I might know a better way. Again, put a simple MX at each POP. Want a constant IP address for the SMTP server? Each POP's border router redirects the SMTP server's IP address to the local machine, which only allows inbound SMTP from the local POPs. Nothing new here. And then there are VPNs for roaming staff... Eddy --------------------------------------------------------------------------- Brotsman & Dreger, Inc. EverQuick Internet Division Phone: (316) 794-8922 --------------------------------------------------------------------------- Date: Mon, 21 May 2001 11:23:58 +0000 (GMT) From: A Trap <blacklist@brics.com> To: blacklist@brics.com Subject: Please ignore this portion of my mail signature. These last few lines are a trap for address-harvesting spambots. Do NOT send mail to <blacklist@brics.com>, or you are likely to be blocked.
Roeland Meyer wrote:
I don't buy the "we need open relay for nationwide users" argument, either. Build a cheap MX that does nothing but take mail from a given POP, and send it to the world. Anti-spoofing at the border, don't accept mail from the outside world, and you're done.
You must not have a roaming staff or are willing to keep telcos wealthy.
RFC2554. Works very well for me; people can connect from anywhere that doesn't have port 25 filtered or they can connect on port 587, which is meant specifically for authenticated SMTP connections. Supported by all major e-mail clients, except for Outlook/OE 5.0, and even then only if they are using a specific version of INETCOMM.DLL that has a bug that causes it not to send authentication; upgrading to 5.5 fixes that. Sendmail, Exchange and a number of other mail server products now offer RFC2554 support. -- Tired of Earthlink? Get JustTheNet! Nationwide Dialup, ISDN, DSL, ATM, Frame Relay, T-1, T-3, and more. EARTHLINK AMNESTY PROGRAM: Buy a year, get two months free More info coming soon to http://JustThe.net, or e-mail me! B!ff: K3wl, w3'v3 r00t3D da N@vy... 0h CrAp, INC0M!Ng $%^NO CARRIER
At 9:11 AM -0700 5/27/01, Roeland Meyer wrote:
A system that tests positive for ORBS , yet is using MAPS, will not be used as a spam relay. Yet, ORBS will list such a system.
I'm not sure I understand this logic: 1.) They test positive for orbs... so they ARE an open relay 2.) That system is using MAPS, which means that there is some subset of systems the open relay itself rejects mail from Somehow that means that non-MAPS-listed sources (of which there are many) are somehow magically restricted from relaying through the open relay?
You must not have a roaming staff or are willing to keep telcos wealthy.
POP-Before-SMTP is good. SMTP AUTH is better. Solves the problem quite nicely. D -- +---------------------+-----------------------------------------+ | dredd@megacity.org | "Conan! What is best in life?" | | Derek J. Balling | "To crush your enemies, see them | | | driven before you, and to hear the | | | lamentation of their women!" | +---------------------+-----------------------------------------+
On Sun, 27 May 2001, Dan Hollis wrote:
On Sun, 27 May 2001, Roeland Meyer wrote:
You must not have a roaming staff or are willing to keep telcos wealthy.
roaming staff either use webmail or pop-before-smtp.
-Dan
Is there a rule that, except for local dial-in, we cannot offer the same services to a client located in a part of the world that we dont't have a dial-in POP as we offer to our local clients? Why shouldn't such clients be able to get their dial-in somewhere and the rest of their services from somewhere else? That includes using a remote SMTP server in the same way a local user can, period. --Mitch NetSide
On 05/27/01, Mitch Halmu <mitch@netside.net> wrote:
Is there a rule that, except for local dial-in, we cannot offer the same services to a client located in a part of the world that we dont't have a dial-in POP as we offer to our local clients? Why shouldn't such clients be able to get their dial-in somewhere and the rest of their services from somewhere else? That includes using a remote SMTP server in the same way a local user can, period.
You have to balance that desire against your users' generally unspoken requirement that your service be functioning, usable, and able to deliver mail to its' final destination. If this were any other kind of service that commonly requires user authentication (accounting, data storage, etc.) there wouldn't even be a question. And seriously, Mitch, when was the last time that you heard a new argument for why you should close your relay? Since you're obviously unwilling to do so, what's the point of bringing it up again and again? -- J.D. Falk SILENCE IS FOO! <jdfalk@cybernothing.org>
On Sun, 27 May 2001, J.D. Falk wrote:
On 05/27/01, Mitch Halmu <mitch@netside.net> wrote:
Is there a rule that, except for local dial-in, we cannot offer the same services to a client located in a part of the world that we dont't have a dial-in POP as we offer to our local clients? Why shouldn't such clients be able to get their dial-in somewhere and the rest of their services from somewhere else? That includes using a remote SMTP server in the same way a local user can, period.
You have to balance that desire against your users' generally unspoken requirement that your service be functioning, usable, and able to deliver mail to its' final destination. If this were any other kind of service that commonly requires user authentication (accounting, data storage, etc.) there wouldn't even be a question.
The service is functional, usable, and able to deliver mail to those destinations your organization or the other overseas rival gang have no control over. Some users left because of the blockade. Others stayed, because they understand the reasoning posted at http://www.dotcomeon.com That *should* worry you. It shows that most Joe users hate Big Brother.
And seriously, Mitch, when was the last time that you heard a new argument for why you should close your relay? Since you're obviously unwilling to do so, what's the point of bringing it up again and again?
-- J.D. Falk SILENCE IS FOO! <jdfalk@cybernothing.org>
I didn't bring it up this time, you did, and even changed the topic. Vixie himself posted a request for comments on this also (twice, uh oh), and I haven't seen any replies. Perhaps others are afraid? I resisted the temptation to answer, although you can imagine I had a lot to say to your boss (btw, I did put on a shirt and shoes just to write these lines ;) I did reply once to this message, since it's been addressed to me, and my private post bounces from your network. It seems you still cannot answer the top paragraph intelligently. So here's the essence of my reasoning: your approach to combat spamming and your methods of enforcement are wrong. You employ the same argument to restrict relays as used against lawful gun owners by those that want to take them away. You are unwilling to go after the actual spammers, and instead punish network owners for someone else's client deeds. Well, that won't fly in America. There is your legal precedent in spirit. I am in favor of explicit federal legislation regulating this aspect of electronic communications. Then we'll all know exactly what's legal and what's not, and the playing field becomes level again for all. That would likely put you out of a job, I'm afraid... FOO! --Mitch NetSide
Is there a rule that, except for local dial-in, we cannot offer the same services to a client located in a part of the world that we dont't have
Auth-SMTP?
control over. Some users left because of the blockade. Others stayed, because they understand the reasoning posted at http://www.dotcomeon.com
heh, personal vendetta or what! (for the record i would have left)
That *should* worry you. It shows that most Joe users hate Big Brother.
or arent really following the technical reasoning and arguments..
I didn't bring it up this time, you did, and even changed the topic. Vixie himself posted a request for comments on this also (twice, uh oh),
did he turn you down for a job or something? said something bad about your mother?
I did reply once to this message, since it's been addressed to me, and my private post bounces from your network. It seems you still cannot
you could get a hotmail account until you become a fully functional provider?
So here's the essence of my reasoning: your approach to combat spamming and your methods of enforcement are wrong. You employ the same argument to restrict relays as used against lawful gun owners by those that want to take them away. You are unwilling to go after the actual spammers, and instead punish network owners for someone else's client deeds. Well, that won't fly in America. There is your legal precedent in spirit.
guns aside, how can you go after spammers? the internet is global and anonymous. you're getting strangely patriotic over the discussion on open relays, surprised theres no mp3 of star spangled banner attached..
I am in favor of explicit federal legislation regulating this aspect of electronic communications. Then we'll all know exactly what's legal and what's not, and the playing field becomes level again for all. That would likely put you out of a job, I'm afraid...
good plan, one small flaw; not sure on the exact figures but theres many o.r servers outside the US, especially asia.. and much of the spam i receive is not of US origin, and not being in the US i wouldnt have to honour any such legislation. so tell me, how will US federal law improve on ORBS/MAPS other than you'd be able to start sending email directly to Vixie again! (you could always setup another - closed - mail server if you insist on o.r. for roaming users to get around MAPS/ORBS) Interesting as this thread may be (sarc), is there actually any topical discussion going on here or are a few individuals publicly airing their problems at the expense of my Inbox? .. suggest someone either contributes or we give up this thread!!! Steve
"Stephen J. Wilcox" wrote:
Is there a rule that, except for local dial-in, we cannot offer the same services to a client located in a part of the world that we dont't have
Auth-SMTP?
As I said to Roeland Meyer, it's a good solution and all but eliminates the roaming user problem. -- Tired of Earthlink? Get JustTheNet! Nationwide Dialup, ISDN, DSL, ATM, Frame Relay, T-1, T-3, and more. EARTHLINK AMNESTY PROGRAM: Buy a year, get two months free More info coming soon to http://JustThe.net, or e-mail me! B!ff: K3wl, w3'v3 r00t3D da N@vy... 0h CrAp, INC0M!Ng $%^NO CARRIER
On Mon, May 28, 2001 at 04:36:38AM -0400, Mitch Halmu wrote:
The service is functional, usable, and able to deliver mail to those destinations your organization or the other overseas rival gang have no control over. Some users left because of the blockade. Others stayed, because they understand the reasoning posted at http://www.dotcomeon.com
That *should* worry you.
No, what worries me is that you realize you're running an open SMTP relay for no real reason other than stubbornness, and outright refuse to fix it, even though it's widely regarded as an irresponsible operational practice. Please quit whining and close it up already. Thanks! -a
Mitch Halmu wrote:
The service is functional, usable, and able to deliver mail to those destinations your organization or the other overseas rival gang have no control over. Some users left because of the blockade. Others stayed, because they understand the reasoning posted at http://www.dotcomeon.com
That *should* worry you. It shows that most Joe users hate Big Brother.
If use of the blackhole lists was mandatory, I would say that that last statment has some validity. Since it's completely optional, the statement has no validity. -- Tired of Earthlink? Get JustTheNet! Nationwide Dialup, ISDN, DSL, ATM, Frame Relay, T-1, T-3, and more. EARTHLINK AMNESTY PROGRAM: Buy a year, get two months free More info coming soon to http://JustThe.net, or e-mail me! B!ff: K3wl, w3'v3 r00t3D da N@vy... 0h CrAp, INC0M!Ng $%^NO CARRIER
On 05/28/01, Mitch Halmu <mitch@netside.net> wrote:
So here's the essence of my reasoning: your approach to combat spamming and your methods of enforcement are wrong. You employ the same argument to restrict relays as used against lawful gun owners by those that want to take them away. You are unwilling to go after the actual spammers, and instead punish network owners for someone else's client deeds. Well, that won't fly in America. There is your legal precedent in spirit.
The core problem with your reasoning is that you consider any site's refusal of your mail to be "enforcement," presumably some type of punishment, while most of the folks who deny your mail see it as security. They are protecting themselves from the people that YOU have allowed to abuse your mail server. They don't know or care who you are, who your users are, or what your reasons for allowing that abuse might be. I don't expect you to admit to being wrong this late in the thread, but please, think about that difference for a while, even if you disagree with it.
I am in favor of explicit federal legislation regulating this aspect of electronic communications. Then we'll all know exactly what's legal and what's not, and the playing field becomes level again for all. That would likely put you out of a job, I'm afraid...
It is the fervent wish of every sane anti-spammer (and yes, I know, there's a lot who aren't sane) that we could stop doing this work entirely. Oh, and you appear to be mistaken about which organizations I am currently involved with. I will endeavor to ensure that all relevant web sties are updated. -- J.D. Falk SILENCE IS FOO! <jdfalk@cybernothing.org>
On Mon, 28 May 2001, J.D. Falk wrote:
On 05/28/01, Mitch Halmu <mitch@netside.net> wrote:
So here's the essence of my reasoning: your approach to combat spamming and your methods of enforcement are wrong. You employ the same argument to restrict relays as used against lawful gun owners by those that want to take them away. You are unwilling to go after the actual spammers, and
This is nonsense...most of us "go after the actual spammers" as best as we can and the law permits us. If you supply plastic explosives to terrorists with no checks, you may not be directly responsible for their actions, but you are certainly part of the problem. If you have an open relay, you are a big part of the spam problem, whether you like it or not.
instead punish network owners for someone else's client deeds. Well, that won't fly in America. There is your legal precedent in spirit.
What does "america" have to do with it? Open relays are all over the place, and a big PITA. Refusing your mail is *my* right, as owner of my network; and also my responsibility. Of course it is your "right" to have an open relay if you like, just don't expect everyone else to accept email from it.
The core problem with your reasoning is that you consider any site's refusal of your mail to be "enforcement," presumably some type of punishment, while most of the folks who deny your mail see it as security. They are protecting themselves from the people that YOU have allowed to abuse your mail server. They don't know or care who you are, who your users are, or what your reasons for allowing that abuse might be.
I would argue that it's both "enforcement" and security. I know MAPS has to argue otherwise in court, but let's face it, incentive is alot of what it's about. James Smallacombe PlantageNet, Inc. CEO and Janitor up@3.am http://3.am =========================================================================
OK folks. Please. Leave poor Mitch alone and maybe he'll realize that this ISN'T the forum for him and go away. If you want a huge laugh, (and want to give ole Mitch the /. or NANOG effect) go check out http://www.netside.net/sys.html "Network and Communications NetSide is connected directly to the Internet backbone via a high speed point-to-point full T1 link (1.544 Mbps) into the MCI backbone (at Pompano Beach). A Cisco 4000 router is used to direct the in-house Ethernet TCP/IP network traffic to and from the Internet. To help reduce the network load and improve performance, two Ethernet 10-BaseT interfaces, connected to separate AT&T StarLAN 10 hubs (with blinking lights :-) forming in effect subnets, are used on the servers. Each subnet connects to a different Ethernet port on the Cisco router." That's some FAT pipe you have there Mitch. What EVER do you do with your spare bandwidth? heheheh And your network just blows me away. I love the "To help reduce the network load" part. Where's the load? You've got serious issues if you can't pass a DS1 worth of traffic without your net melting. "Emergency Provisions Besides redundant servers, NetSide is also prepared to operate in emergency conditions, such as city-wide power failures as experienced during Hurricane Andrew. Housed in a solid concrete block structure, we don't expect heavy storm damage to occur. Our fiber rack (for telephone and data lines) has 3 rows of battery backup rated for 8 hours of continuous operation. NetSide owns 2 emergency generators: an extended-run heavy-duty Coleman Powermate Vantage (14HP 2cyl electric start gas engine - 7000W), and a portable medium-duty Dayton (5HP gas engine - 2200W)." Wow! So, you've got enough generator to power the lights, soda machine and coffee maker. You gonna invite all the customers to your site and sit around and watch the servers not run drinking soda and coffee? Sounds like fun. Mitch. You're an END USER. Sure, you sell dialup access. You couldn't do much more with that big FAT DS1 you've got. You're an END USER. 9 border3-fddi-0.PompanoBeach.cw.net (204.70.92.19) [3561] 62.524 ms 60.403 ms 63.456 ms 10 netside-corporation.PompanoBeach.cw.net (204.70.95.18) [3561] 166.477 ms 198.570 ms 117.225 ms 11 205.159.140.2 (205.159.140.2) [3561] 195.153 ms * 194.081 ms You see, if you were a real network operator: (1) That would be more than a DS1. (2) The last hop wouldn't show up with the ASN of your upstream. (3) The last hop would RESOLVE in in-addr. NetSide Corporation (NET-NETSIDE) P.O.Box 403895 Miami Beach, FL 33140 US Netname: NETSIDE Netblock: 205.159.140.0 - 205.159.140.255 Maintainer: NETS Coordinator: Halmu, Mircea L. (MLH3-ARIN) admin@NETSIDE.NET 305-531-1995 Record last updated on 29-Oct-1998. Database last updated on 26-May-2001 22:57:19 EDT. It might be a good idea to register some in-addr resolution servers for that block there Mitch. ...Then again, why would we expect you to run any other portion of your operation any more professionally than you run your mailserver? I tell you what. You rate right up there in my book. Open Relay: 1,000,000,000 points Big FAT T1: 10,000,000 points Broken in-addr.arpa: 5,999,550 points HUBS not SWITCHES: 99,999,999,999 TILT! TILT! TILT! --- John Fraizer EnterZone, Inc
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of John Fraizer Sent: May 28, 2001 4:43 PM To: Mitch Halmu Cc: nanog@nanog.org Subject: Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))
[note: the thing below was quoted by John from Mitch's site]
point-to-point full T1 link (1.544 Mbps) into the MCI backbone (at Pompano
That's the problem with Mitch, then. He must have gotten stuck in some type of time warp (or cool cryogenics), if he hasn't noticed that the "MCI" backbone was sold to Cable & Wireless nearly three years ago now (IIRC). Give the man a break... if he just woke up from an extended deep sleep or something, then it's no surprise that he still wants to run his mail server the way people ran mail servers five years ago. Vivien -- Vivien M. vivienm@dyndns.org Assistant System Administrator Dynamic DNS Network Services http://www.dyndns.org/
I dont generally participate in flame especially where its cruel pointless and at someone elses expense but thanks John for the laugh! You forgot to mention the main server, a Sun Sparcstation 10 with dual 75Mhz CPU.. (they have FIVE in total).. complete with 19" Trinitron monitors.. and running the all powerful Solaris 2.4 and 2.5.1 augmented with GNU, perl and python. Its even kitted up with a 64-port serial card for the sparc and microcom modems which is able to support a huge 33.6k dialup pool.... Altho I'm confused at how 'Netside offers a full uncensored usenet feed' with only '18Gb of dedicated news storage' and not to mention the T1 capacity problem? ... Good job they have TWO starlan hubs!! ... i need to lie down, my sides hurt ... On Mon, 28 May 2001, John Fraizer wrote:
OK folks. Please. Leave poor Mitch alone and maybe he'll realize that this ISN'T the forum for him and go away.
If you want a huge laugh, (and want to give ole Mitch the /. or NANOG effect) go check out http://www.netside.net/sys.html
"Network and Communications NetSide is connected directly to the Internet backbone via a high speed point-to-point full T1 link (1.544 Mbps) into the MCI backbone (at Pompano Beach). A Cisco 4000 router is used to direct the in-house Ethernet TCP/IP network traffic to and from the Internet. To help reduce the network load and improve performance, two Ethernet 10-BaseT interfaces, connected to separate AT&T StarLAN 10 hubs (with blinking lights :-) forming in effect subnets, are used on the servers. Each subnet connects to a different Ethernet port on the Cisco router."
That's some FAT pipe you have there Mitch. What EVER do you do with your spare bandwidth? heheheh And your network just blows me away. I love the "To help reduce the network load" part. Where's the load? You've got serious issues if you can't pass a DS1 worth of traffic without your net melting.
"Emergency Provisions Besides redundant servers, NetSide is also prepared to operate in emergency conditions, such as city-wide power failures as experienced during Hurricane Andrew. Housed in a solid concrete block structure, we don't expect heavy storm damage to occur. Our fiber rack (for telephone and data lines) has 3 rows of battery backup rated for 8 hours of continuous operation. NetSide owns 2 emergency generators: an extended-run heavy-duty Coleman Powermate Vantage (14HP 2cyl electric start gas engine - 7000W), and a portable medium-duty Dayton (5HP gas engine - 2200W)."
Wow! So, you've got enough generator to power the lights, soda machine and coffee maker. You gonna invite all the customers to your site and sit around and watch the servers not run drinking soda and coffee? Sounds like fun.
Mitch. You're an END USER. Sure, you sell dialup access. You couldn't do much more with that big FAT DS1 you've got. You're an END USER.
9 border3-fddi-0.PompanoBeach.cw.net (204.70.92.19) [3561] 62.524 ms 60.403 ms 63.456 ms 10 netside-corporation.PompanoBeach.cw.net (204.70.95.18) [3561] 166.477 ms 198.570 ms 117.225 ms 11 205.159.140.2 (205.159.140.2) [3561] 195.153 ms * 194.081 ms
You see, if you were a real network operator:
(1) That would be more than a DS1. (2) The last hop wouldn't show up with the ASN of your upstream. (3) The last hop would RESOLVE in in-addr.
NetSide Corporation (NET-NETSIDE) P.O.Box 403895 Miami Beach, FL 33140 US
Netname: NETSIDE Netblock: 205.159.140.0 - 205.159.140.255 Maintainer: NETS
Coordinator: Halmu, Mircea L. (MLH3-ARIN) admin@NETSIDE.NET 305-531-1995
Record last updated on 29-Oct-1998. Database last updated on 26-May-2001 22:57:19 EDT.
It might be a good idea to register some in-addr resolution servers for that block there Mitch.
...Then again, why would we expect you to run any other portion of your operation any more professionally than you run your mailserver?
I tell you what. You rate right up there in my book.
Open Relay: 1,000,000,000 points Big FAT T1: 10,000,000 points Broken in-addr.arpa: 5,999,550 points HUBS not SWITCHES: 99,999,999,999 TILT! TILT! TILT!
--- John Fraizer EnterZone, Inc
-- Stephen J. Wilcox IP Services Manager, Opal Telecom http://www.opaltelecom.co.uk/ Tel: 0161 222 2000 Fax: 0161 222 2008
On Mon, 28 May 2001 22:07:06 BST, "Stephen J. Wilcox" said:
Altho I'm confused at how 'Netside offers a full uncensored usenet feed' with only '18Gb of dedicated news storage' and not to mention the T1 capacity problem? ... Good job they have TWO starlan hubs!!
It's obvious.. it's a 1995 feed. We're talking a COMPLETE time warp here.
On Mon, 28 May 2001 Valdis.Kletnieks@vt.edu wrote:
On Mon, 28 May 2001 22:07:06 BST, "Stephen J. Wilcox" said:
Altho I'm confused at how 'Netside offers a full uncensored usenet feed' with only '18Gb of dedicated news storage' and not to mention the T1 capacity problem? ... Good job they have TWO starlan hubs!!
It's obvious.. it's a 1995 feed. We're talking a COMPLETE time warp here.
It's a 1995 page which hasn't been updated in ages. I didn't even remember it was still live. But at least it proves NetSide was around in those times. Let's see, I have a copy of a uu.net active file, dated Jan 6, 1996. At that time, they were the norm. It contains 13090 lines. You do the math. File URL http://www.dotcomeon.com/active.uunet I responded to Wilcox and Fraizer in private. Their bashful posts serve to illustrate exactly why such people cannot dictate policy to others. There is one lesson to learn from this. We have reached a stage where the rights of an individual or entity to existence in cyberspace need to be protected under the law. You may take the lead in applying democratic principles that follow the real world laws, or the legislature will do it ad hoc. --Mitch NetSide
On Tue, 29 May 2001, Mitch Halmu wrote:
I responded to Wilcox and Fraizer in private. Their bashful posts serve to illustrate exactly why such people cannot dictate policy to others.
Mitch, If you desire to reply to me in private, might I suggest that you do it from a mailserver that isn't listed in MAPS... May 28 18:19:11 Overkill sendmail[8797]: f4SMJBu08797: ruleset=check_rcpt, arg1=<nanog@Overkill.EnterZone.Net>, relay=[205.159 .140.2], reject=553 5.3.0 <nanog@Overkill.EnterZone.Net>... Open spam relay - see http://www.mail-abuse.org/rss/ May 28 18:19:12 Overkill sendmail[8797]: f4SMJBu08797: from=<mitch@netside.net>, size=6370, class=0, nrcpts=0, proto=ESMTP, da emon=MTA, relay=[205.159.140.2] May 29 05:33:39 Overkill sendmail[26337]: f4T9Xcu26337: ruleset=check_rcpt, arg1=<nanog@Overkill.EnterZone.Net>, relay=[205.15 9.140.2], reject=553 5.3.0 <nanog@Overkill.EnterZone.Net>... Open spam relay - see http://www.mail-abuse.org/rss/ May 29 05:33:39 Overkill sendmail[26337]: f4T9Xcu26337: from=<mitch@netside.net>, size=1439, class=0, nrcpts=0, proto=ESMTP, d aemon=MTA, relay=[205.159.140.2] --- John Fraizer EnterZone, Inc
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Mitch Halmu Sent: May 29, 2001 3:58 AM To: Valdis.Kletnieks@vt.edu Cc: Stephen J. Wilcox; nanog@nanog.org Subject: Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))
There is one lesson to learn from this. We have reached a stage where the rights of an individual or entity to existence in cyberspace need to be protected under the law. You may take the lead in applying democratic principles that follow the real world laws, or the legislature will do it ad hoc.
So, if Uncle Sam comes along and decides that open relays are illegal, would you _finally_ reconfigure your mail server? As I'm sure you're aware, there are two sides to government intervention in anything, and until the government intervenes, you don't know if it will be favourable or not to your attitude. If it isn't, then should we expect www.dotgovon.com criticizing the government for siding with the "evil Vixie conspiracy"? Vivien -- Vivien M. vivienm@dyndns.org Assistant System Administrator Dynamic DNS Network Services http://www.dyndns.org/
On Mon, 28 May 2001, John Fraizer wrote:
If you want a huge laugh, (and want to give ole Mitch the /. or NANOG
... then laugh about this one: http://www.dmnews.com/cgi-bin/artprevbot.cgi?article_id=15323 --Mitch NetSide
On 05/30/01, Mitch Halmu <mitch@netside.net> wrote:
On Mon, 28 May 2001, John Fraizer wrote:
If you want a huge laugh, (and want to give ole Mitch the /. or NANOG
... then laugh about this one:
http://www.dmnews.com/cgi-bin/artprevbot.cgi?article_id=15323
Yeah, it's pretty funny, actually. That decision was made like six months ago. I'm told the case continues. Unfortunately, MAPS hasn't put their press release about this on their web site yet. -- J.D. Falk SILENCE IS FOO! <jdfalk@cybernothing.org>
Well, you MUST (RFC2505, 2.1) prevent unauthorized use of your mail server as a mail relay. So if your question is "since my local users don't have to authenticate themselves against my mail server, is there a rule that says I can't offer unauthenticated SMTP service to roaming users", I guess the answer is "yes, there IS actually a rule forbidding that." Cheers, D At 9:18 PM -0400 5/27/01, Mitch Halmu wrote:
On Sun, 27 May 2001, Dan Hollis wrote:
On Sun, 27 May 2001, Roeland Meyer wrote:
You must not have a roaming staff or are willing to keep telcos wealthy.
roaming staff either use webmail or pop-before-smtp.
-Dan
Is there a rule that, except for local dial-in, we cannot offer the same services to a client located in a part of the world that we dont't have a dial-in POP as we offer to our local clients? Why shouldn't such clients be able to get their dial-in somewhere and the rest of their services from somewhere else? That includes using a remote SMTP server in the same way a local user can, period.
--Mitch NetSide
-- +---------------------+-----------------------------------------+ | dredd@megacity.org | "Conan! What is best in life?" | | Derek J. Balling | "To crush your enemies, see them | | | driven before you, and to hear the | | | lamentation of their women!" | +---------------------+-----------------------------------------+
On Sun, 27 May 2001, Derek Balling wrote:
Well, you MUST (RFC2505, 2.1) prevent unauthorized use of your mail server as a mail relay.
So if your question is "since my local users don't have to authenticate themselves against my mail server, is there a rule that says I can't offer unauthenticated SMTP service to roaming users", I guess the answer is "yes, there IS actually a rule forbidding that."
Cheers, D
Derek, there is a subtle difference between the words you SHOULD and you MUST. The RFC you quoted is a "Best Current Practices" document. You know, like "The Surgeon General had determined that [insert your favorite vice here] is bad for your health". i.e, he can't order you MUST stop smoking, maybe you SHOULD consider it because yadayada. Now let's go back to 1997 and see how this baby was born. In Sep 1997, on this very list, Paul Vixie was known to have laid the seed: `Could somebody who hasn't been burned to a crisp by IETF politics please write a "Mail Relay Requirements" RFC that we can brandish at these vendors? (Dave Crocker seems like a logical choice for this given his past credits.)' Full text of the message at http://www.dotcomeon.com/relay_default.html
From this grew a business that puts food on the table for several members of this list. And now the paid enforcers and their groupies are brandishing it at legitimate network operators. There is a lot of money in the jackpot now, in case you haven't noticed, and dissent will not be tollerated.
If people would have paid attention then to the implications, this monster would have been nipped in the bud. Instead, their camel is now in your tent. And it's not even Uncle Sam's beast... So what was that Conan saying again? ;) --Mitch NetSide
At 9:18 PM -0400 5/27/01, Mitch Halmu wrote:
On Sun, 27 May 2001, Dan Hollis wrote:
On Sun, 27 May 2001, Roeland Meyer wrote:
You must not have a roaming staff or are willing to keep telcos wealthy.
roaming staff either use webmail or pop-before-smtp.
-Dan
Is there a rule that, except for local dial-in, we cannot offer the same services to a client located in a part of the world that we dont't have a dial-in POP as we offer to our local clients? Why shouldn't such clients be able to get their dial-in somewhere and the rest of their services from somewhere else? That includes using a remote SMTP server in the same way a local user can, period.
--Mitch NetSide
-- +---------------------+-----------------------------------------+ | dredd@megacity.org | "Conan! What is best in life?" | | Derek J. Balling | "To crush your enemies, see them | | | driven before you, and to hear the | | | lamentation of their women!" | +---------------------+-----------------------------------------+
Umm...but most businesses (and the government even) restrict *WHERE* you can smoke (because smoking is also harmful to others, just as open relays are). So if you're going to use smoking as an analogy, then MAPS is my right to a "smoke-free zone". -- Mike Jones mike@biggorilla.com * Mitch Halmu (mitch@netside.net) [05/28/01 02:19]:
Derek, there is a subtle difference between the words you SHOULD and you MUST. The RFC you quoted is a "Best Current Practices" document. You know, like "The Surgeon General had determined that [insert your favorite vice here] is bad for your health". i.e, he can't order you MUST stop smoking, maybe you SHOULD consider it because yadayada.
On Sun, 27 May 2001, Mitch Halmu wrote:
On Sun, 27 May 2001, Dan Hollis wrote:
On Sun, 27 May 2001, Roeland Meyer wrote:
You must not have a roaming staff or are willing to keep telcos wealthy.
roaming staff either use webmail or pop-before-smtp.
-Dan
Is there a rule that, except for local dial-in, we cannot offer the same services to a client located in a part of the world that we dont't have a dial-in POP as we offer to our local clients? Why shouldn't such clients be able to get their dial-in somewhere and the rest of their services from somewhere else? That includes using a remote SMTP server in the same way a local user can, period.
--Mitch NetSide
Mitch, Lets end this useless thread now. If it wasn't obvious to everyone previously, it is definately obvious now. You're a whining crybaby who doesn't want to secure his servers for ANY REASON. No matter that the technology is there to do so. No matter that it will NOT cause undue problems for your customers. You just want to whine about something. I'm for one SICK OF IT! If you don't like being listed in MAPS/ORBS/NAME-YOUR-LIST, secure your servers. If you want to complain about it somewhere, do it someplace where it at least has a chance of being operational content. This is NANOG. Even if you drop the NA prefix, the rest of that means "NETWORK OPERATORS GROUP." It does NOT mean "open mailserver operators group" or anything like it. So, grow up. Secure your server. Contact us from another email address when you have. For now, you're <PLONKED!> --- John Fraizer EnterZone, Inc
Mitch Halmu wrote:
Is there a rule that, except for local dial-in, we cannot offer the same services to a client located in a part of the world that we dont't have a dial-in POP as we offer to our local clients? Why shouldn't such clients be able to get their dial-in somewhere and the rest of their services from somewhere else? That includes using a remote SMTP server in the same way a local user can, period.
You *can* do all that. I prefer SMTP AUTH to POP-before-SMTP because PbS leaves a small vulnerability on your mail server - very small, but it exists nonetheless. But many providers use PbS too. If this whole issue cropped up because you wanted to provide roaming access to your mail servers, those are two very widely-implemented solutions. If you want, I can even offer some help getting it set up as I have had a longstanding policy of offering relay-closing help at no charge to ISPs who need it. The only requirement is that you be running an MTA that I'm familiar with. -- Tired of Earthlink? Get JustTheNet! Nationwide Dialup, ISDN, DSL, ATM, Frame Relay, T-1, T-3, and more. EARTHLINK AMNESTY PROGRAM: Buy a year, get two months free More info coming soon to http://JustThe.net, or e-mail me! B!ff: K3wl, w3'v3 r00t3D da N@vy... 0h CrAp, INC0M!Ng $%^NO CARRIER
participants (14)
-
Adam Rothschild
-
Dan Hollis
-
Derek Balling
-
E.B. Dreger
-
J.D. Falk
-
John Fraizer
-
mike@biggorilla.com
-
Mitch Halmu
-
Roeland Meyer
-
Stephen J. Wilcox
-
Steve Sobol
-
up@3.am
-
Valdis.Kletnieks@vt.edu
-
Vivien M.