Got this from bugtraq.

Bill Sehmel
Peninsula School District Information Services
Jr. Network Engineer
253-857-8180
bsehmel@mail.peninsiula.wednet.edu

-----Original Message-----
From: Elias Levy <aleph1@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM <BUGTRAQ@SECURITYFOCUS.COM>
Date: Wednesday, January 12, 2000 1:48 PM
Subject: Administrivia: ORBS
It seems the folks at ORBS (orbs.org) have decided that since our mail server is hosted off above.net, and above.net is filtering their probes since they claim they are a DoS, ORBS is adding any mail servers connected via above.net (including ours) to their spam relaying list, regardless of the fact that our servers have never performed relaying functions. I've emailed them but so far they have not responded. You may wish to email them (orbs@orbs.org) and voice your dissatisfaction. Of course if our email to you is being blocked by ORBS then you will probably not receive this message ;-)
-- Elias Levy Security Focus http://www.securityfocus.com/
Of all the gin joints in all the towns in all the world, "Sehmel, William C." had to walk into mine and say:
Got this from bugtraq.
A lot of us did. I thought about posting it to nanog, but then I actually researched the issue a bit, and discovered that securityfocus' listserver is *not* in the ORBS database at this time. Sounds like FUD to me. -- Harald Koch <chk@pobox.com> "It takes a child to raze a village." -Michael T. Fry
At 12:18 PM -0500 1/13/00, Harald Koch wrote:
Of all the gin joints in all the towns in all the world, "Sehmel, William C." had to walk into mine and say:
Got this from bugtraq.
A lot of us did. I thought about posting it to nanog, but then I actually researched the issue a bit, and discovered that securityfocus' listserver is *not* in the ORBS database at this time.
Sounds like FUD to me.
As an ORBS user and a BugTraq subscriber, let me tell you it IS in the database, but you can't find it "individually", because it's in a "netblock" entry...

narn:~ # host 207.126.127.68
68.127.126.207.IN-ADDR.ARPA domain name pointer lists.securityfocus.com
narn:~ # host 68.127.126.207.relays.orbs.org
68.127.126.207.relays.orbs.org has address 127.0.0.4

So let me just reiterate that it ISN'T FUD, they really are listing all of above.net, and I really did stop receiving BugTraq because of it. :)

D
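The two `host` commands above are the whole mechanism of a DNS-based blocklist: reverse the octets of the address, append the list's zone, and look for an A record in 127.0.0.0/8. The following is an added example (not code from the thread, from ORBS or from above.net) that builds the query name the same way and shows why a host with no entry of its own still resolves when a netblock covering it is listed. The zone name and the 127.0.0.4 answer are taken from the message; the listing table is constructed for the example and is not ORBS data, and the resolver is a stand-in for a real DNS lookup so that the code runs offline.

```python
"""DNSBL lookup the way the thread's `host` commands do it.

Added example, not code from the NANOG thread, ORBS or above.net. The zone
name relays.orbs.org and the 127.0.0.4 answer come from the thread; the
listing table below is constructed for this example and is not ORBS data.
"""
import ipaddress
from typing import Callable, Dict, Optional

ZONE = "relays.orbs.org"

# Constructed listings: one netblock entry chosen to cover both above.net
# addresses quoted in the thread, plus one single-host entry in TEST-NET space.
CONSTRUCTED_LISTINGS: Dict[ipaddress.IPv4Network, str] = {
    ipaddress.IPv4Network("207.126.96.0/19"): "127.0.0.4",  # assumed netblock, not real data
    ipaddress.IPv4Network("192.0.2.25/32"): "127.0.0.2",    # assumed single-host entry
}


def dnsbl_query_name(ip: str, zone: str = ZONE) -> str:
    """Build the DNSBL query: octets reversed, then the zone appended.
    207.126.127.68 -> 68.127.126.207.relays.orbs.org
    """
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input early
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def ip_from_query_name(qname: str, zone: str = ZONE) -> Optional[ipaddress.IPv4Address]:
    """Inverse of dnsbl_query_name; None if the name is not under the zone."""
    suffix = "." + zone
    if not qname.endswith(suffix):
        return None
    octets = qname[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    return ipaddress.IPv4Address(".".join(reversed(octets)))


def constructed_resolver(qname: str) -> Optional[str]:
    """Stand-in for a DNS A lookup, answering from CONSTRUCTED_LISTINGS.
    A netblock entry answers for every host inside it, which is why a host
    that has no entry of its own still resolves.
    """
    ip = ip_from_query_name(qname)
    if ip is None:
        return None
    for net, code in CONSTRUCTED_LISTINGS.items():
        if ip in net:
            return code
    return None


def is_listed(ip: str, resolve: Callable[[str], Optional[str]] = constructed_resolver,
              zone: str = ZONE) -> Optional[str]:
    """Return the 127.0.0.x answer if ip is listed in zone, else None.
    Anything outside 127.0.0.0/8 is treated as an error: a parked or hijacked
    DNSBL domain that answers with a public address would otherwise look like
    'everything is listed' and make the mail server refuse all mail.
    """
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        raise ValueError(f"unexpected DNSBL answer {answer!r} for {ip}")
    return answer


if __name__ == "__main__":
    for probe in ("207.126.127.68", "192.0.2.25", "198.51.100.7"):
        print(probe, "->", dnsbl_query_name(probe), "=", is_listed(probe))
```

To run this against a live list, replace `constructed_resolver` with a function that performs a real A lookup of the query name and returns the answer text or None on NXDOMAIN; the 127/8 sanity check in `is_listed` is the part worth keeping, since a list that stops answering correctly fails open or closed depending on how the caller treats odd answers.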
I see them listing specific addresses from a netblock that is hacked, either through their DNS server for that particular hosted domain and/or because their email is an open relay; to say that it is limited to the entire netblock does not appear to be a statement of fact, based on my use of the toolset to track spammers. "Derek J. Balling" wrote:
At 12:18 PM -0500 1/13/00, Harald Koch wrote:
Of all the gin joints in all the towns in all the world, "Sehmel, William C." had to walk into mine and say:
Got this from bugtraq.
A lot of us did. I thought about posting it to nanog, but then I actually researched the issue a bit, and discovered that securityfocus' listserver is *not* in the ORBS database at this time.
Sounds like FUD to me.
As an ORBS user and a BugTraq subscriber, let me tell you it IS in the database, but you can't find it "individually", because it's in a "netblock" entry...

narn:~ # host 207.126.127.68
68.127.126.207.IN-ADDR.ARPA domain name pointer lists.securityfocus.com
narn:~ # host 68.127.126.207.relays.orbs.org
68.127.126.207.relays.orbs.org has address 127.0.0.4
So let me just reiterate that it ISN'T FUD, they really are listing all of above.net, and I really did stop receiving BugTraq because of it. :)
D
-- Thank you; |--------------------------------------------| | Thinking is a learned process so is UNIX | |--------------------------------------------| Henry R. Linneweh
At 12:18 PM 1/13/00 -0500, Harald Koch wrote:
Of all the gin joints in all the towns in all the world, "Sehmel, William C." had to walk into mine and say:
Got this from bugtraq.
A lot of us did. I thought about posting it to nanog, but then I actually researched the issue a bit, and discovered that securityfocus' listserver is *not* in the ORBS database at this time.
Sounds like FUD to me.
patrick@pts/0.ns2/10:40AM# nslookup www.orbs.org
Server: localhost
Address: 127.0.0.1

Non-authoritative answer:
Name: www.orbs.org
Address: 202.36.148.16

Traceroute Output
FROM www.above.net TO 202.36.148.16.
traceroute to 202.36.148.16 (202.36.148.16): 1-30 hops, 38 byte packets
 1 gate-96.main.sjc.above.net (207.126.96.189) 1.21/2.28/3.5 (0.612) ms 10/10 pkts (0% loss)
 2 core1-main.sjc.above.net (209.133.31.153) * !H * * * * * 2.9/2.9/2.9 (0.0) ms 1/7 pkts (86% loss)

Above.Net really is filtering ORBS. And if ORBS lists people who block them.....
Harald Koch <chk@pobox.com>
TTFN, patrick -- I Am Not An Isp - www.ianai.net ISPF, The Forum for ISPs by ISPs, <http://www.ispf.com> "Think of it as evolution in action." - Niven & Pournelle (OhMyGod - Watch out 'Net, I got enable again! ;-)
ORBS does seem to have this policy although it is not on their web site. I Am Not An Isp wrote:
At 12:18 PM 1/13/00 -0500, Harald Koch wrote:
Of all the gin joints in all the towns in all the world, "Sehmel, William C." had to walk into mine and say:
Got this from bugtraq.
A lot of us did. I thought about posting it to nanog, but then I actually researched the issue a bit, and discovered that securityfocus' listserver is *not* in the ORBS database at this time.
Sounds like FUD to me.
patrick@pts/0.ns2/10:40AM# nslookup www.orbs.org
Server: localhost
Address: 127.0.0.1

Non-authoritative answer:
Name: www.orbs.org
Address: 202.36.148.16
Traceroute Output
FROM www.above.net TO 202.36.148.16.
traceroute to 202.36.148.16 (202.36.148.16): 1-30 hops, 38 byte packets
 1 gate-96.main.sjc.above.net (207.126.96.189) 1.21/2.28/3.5 (0.612) ms 10/10 pkts (0% loss)
 2 core1-main.sjc.above.net (209.133.31.153) * !H * * * * * 2.9/2.9/2.9 (0.0) ms 1/7 pkts (86% loss)
Above.Net really is filtering ORBS. And if ORBS lists people who block them.....
Harald Koch <chk@pobox.com>
TTFN, patrick
-- I Am Not An Isp - www.ianai.net ISPF, The Forum for ISPs by ISPs, <http://www.ispf.com> "Think of it as evolution in action." - Niven & Pournelle (OhMyGod - Watch out 'Net, I got enable again! ;-)
This allows me to repeat: don't bother about ORBS; no one serious can use this service, because it causes important mail to go missing :-). Then let them make trouble for those who want this trouble. My policy was always the same: if someone uses ORBS, we never promise to deliver e-mail to him. I guess this policy still exists. On Thu, 13 Jan 2000, Garlic wrote:

Date: Thu, 13 Jan 2000 11:35:31 -0800
From: Garlic <garlic@garlic.com>
To: I Am Not An Isp <patrick@ianai.net>
Cc: nanog@merit.edu
Subject: Re: Fw: Administrivia: ORBS
ORBS does seem to have this policy although it is not on their web site.
I Am Not An Isp wrote:
At 12:18 PM 1/13/00 -0500, Harald Koch wrote:
Of all the gin joints in all the towns in all the world, "Sehmel, William C." had to walk into mine and say:
Got this from bugtraq.
A lot of us did. I thought about posting it to nanog, but then I actually researched the issue a bit, and discovered that securityfocus' listserver is *not* in the ORBS database at this time.
Sounds like FUD to me.
patrick@pts/0.ns2/10:40AM# nslookup www.orbs.org
Server: localhost
Address: 127.0.0.1

Non-authoritative answer:
Name: www.orbs.org
Address: 202.36.148.16
Traceroute Output
FROM www.above.net TO 202.36.148.16.
traceroute to 202.36.148.16 (202.36.148.16): 1-30 hops, 38 byte packets
 1 gate-96.main.sjc.above.net (207.126.96.189) 1.21/2.28/3.5 (0.612) ms 10/10 pkts (0% loss)
 2 core1-main.sjc.above.net (209.133.31.153) * !H * * * * * 2.9/2.9/2.9 (0.0) ms 1/7 pkts (86% loss)
Above.Net really is filtering ORBS. And if ORBS lists people who block them.....
Harald Koch <chk@pobox.com>
TTFN, patrick
-- I Am Not An Isp - www.ianai.net ISPF, The Forum for ISPs by ISPs, <http://www.ispf.com> "Think of it as evolution in action." - Niven & Pournelle (OhMyGod - Watch out 'Net, I got enable again! ;-)
Aleksei Roudnev, (+1 415) 585-3489 /San Francisco CA/
Above.Net really is filtering ORBS. And if ORBS lists people who block them.....
indeed! and just imagine the ensuing chaos if orbs decided to (or got hacked and was made to) list the root-servers. -- |-----< "CODE WARRIOR" >-----| codewarrior@daemon.org * "ah! i see you have the internet twofsonet@graffiti.com (Andrew Brown) that goes *ping*!" andrew@crossbar.com * "information is power -- share the wealth."
On Thu, Jan 13, 2000 at 02:48:28PM -0500, Andrew Brown wrote:
indeed! and just imagine the ensuing chaos if orbs decided to (or got hacked and was made to) list the root-servers.
Umm... the root-servers don't deliver mail, so there wouldn't be a problem -- John Payne jcapayne@att.com OpenNet Infrastructure Team, AT&T Global Network Services Mailpt C2E, c/o IBM North Harbour, PO Box 41 Portsmouth, PO6 3AU Tel - +44 (0)23 9256 1977, Fax - 23 9221 0543
On 01/13/00, Andrew Brown <twofsonet@graffiti.com> wrote:
Above.Net really is filtering ORBS. And if ORBS lists people who block them.....
indeed! and just imagine the ensuing chaos if orbs decided to (or got hacked and was made to) list the root-servers.
What's wrong with blocking e-mail from the root servers? Remember, ORBS doesn't have a MAPS RBL-style BGP feed. ---------========== J.D. Falk <jdfalk@cybernothing.org> =========--------- | "There is no constitutional requirement that the incremental cost of | | sending massive quantities of unsolicited advertisements must be | | borne by the recipients." | | -- Judge Graham, Compuserve vs. Cyber Promotions | ----========== http://www.cybernothing.org/jdfalk/home.html ==========----
Above.Net really is filtering ORBS. And if ORBS lists people who block them.....
indeed! and just imagine the ensuing chaos if orbs decided to (or got hacked and was made to) list the root-servers.
What's wrong with blocking e-mail from the root servers?
nothing.
Remember, ORBS doesn't have a MAPS RBL-style BGP feed.
yes, okay, fine. i'm a confused weenie. :) -- |-----< "CODE WARRIOR" >-----| codewarrior@daemon.org * "ah! i see you have the internet twofsonet@graffiti.com (Andrew Brown) that goes *ping*!" andrew@crossbar.com * "information is power -- share the wealth."
Above.Net really is filtering ORBS. And if ORBS lists people who block them..... indeed! and just imagine the ensuing chaos if orbs decided to (or got hacked and was made to) list the root-servers.
oh my god! we could not receive dns responses by email! this would be the end of the net as we know it! news at 11. randy
Above.Net really is filtering ORBS. And if ORBS lists people who block them..... indeed! and just imagine the ensuing chaos if orbs decided to (or got hacked and was made to) list the root-servers.
oh my god! we could not receive dns responses by email! this would be the end of the net as we know it! news at 11.
alright already. randy...i would expect better from you. yes, i admit to being confused and thinking that orbs was (as rbl is) available as a bgp map. it is not. i am corrected. ip route 202.36.148.16 255.255.255.255 null0 -- |-----< "CODE WARRIOR" >-----| codewarrior@daemon.org * "ah! i see you have the internet twofsonet@graffiti.com (Andrew Brown) that goes *ping*!" andrew@crossbar.com * "information is power -- share the wealth."
Above.Net really is filtering ORBS. And if ORBS lists people who block them..... indeed! and just imagine the ensuing chaos if orbs decided to (or got hacked and was made to) list the root-servers.
two horrifying further thoughts occurred to me during my mid-afternoon popcorn break. o if someone hacked into isps' routers they could announce the root servers and just imagine the ensuing chaos. so, should we take down all bgp-speaking routers. i bet you think not. so maybe this is not the issue, but security and spam are. o if someone hacked orbs and blocked the merit smtp host, we could all be deprived of the critical operational information we get from this mailing list <gasp!>. but we should back off and not usurp bill's job as the bad-but-cute idea fairy. randy
Above.Net really is filtering ORBS. And if ORBS lists people who block them.....
I could be very wrong on this, and will probably get flamed for even jumping in... But I seem to remember reading on ORBS that they will list people who block them (or have a firewall) only manually, and only if they get a complaint about spam from an IP. Then it can only be de-listed manually too. Deepak Jain AiNET
Anyway, if you tell me _you are using ORBS_, it's just as if you said _you do not use e-mail for serious purposes, only as a joke_. It's the same. And so people can pay no attention to ORBS: if you block your own mail by using ORBS, it's your own trouble and your own concern to lose e-mail. On Thu, 13 Jan 2000, Deepak Jain wrote:

Date: Thu, 13 Jan 2000 15:28:38 -0500 (EST)
From: Deepak Jain <deepak@ai.net>
To: I Am Not An Isp <patrick@ianai.net>
Cc: nanog@merit.edu
Subject: Re: Fw: Administrivia: ORBS
Above.Net really is filtering ORBS. And if ORBS lists people who block them.....
I could be very wrong on this, and will probably get flamed for even jumping in...
But I seem to remember reading on ORBS that they will list people who block them (or have a firewall) only manually, and only if they get a complaint about spam from an IP. Then it can only be de-listed manually too.
Deepak Jain AiNET
Aleksei Roudnev, (+1 415) 585-3489 /San Francisco CA/
On 01/13/00, Deepak Jain <deepak@ai.net> wrote:
Above.Net really is filtering ORBS. And if ORBS lists people who block them.....
I could be very wrong on this, and will probably get flamed for even jumping in...
But I seem to remember reading on ORBS that they will list people who block them (or have a firewall) only manually, and only if they get a complaint about spam from an IP. Then it can only be de-listed manually too.
Nope, they'll list anyone who blocks them, regardless of open relay status. ---------========== J.D. Falk <jdfalk@cybernothing.org> =========--------- | "A straight line may be the shortest distance between two points... | | but it is by no means the most interesting." | | -- Jon Pertwee as Doctor Who in "Doctor Who and | | the Time Warrior" by Robert Holmes (BBC, 1974) | ----========== http://www.cybernothing.org/jdfalk/home.html ==========----
At 06:31 PM 1/13/00 -0500, Shawn McMahon wrote:
If that's true, they're going too far, and won't be able to become widespread enough to matter.
That's a damn shame.
So if I am an open relay, and I know it, all I have to do is block ORBS to continue without fear of reprisal? What do other open relay lists (e.g. MAPS/RSS) do when they are filtered at the network level? TTFN, patrick -- I Am Not An Isp - www.ianai.net ISPF, The Forum for ISPs by ISPs, <http://www.ispf.com> "Think of it as evolution in action." - Niven & Pournelle (OhMyGod - Watch out 'Net, I got enable again! ;-)
Subject: Re: Fw: Administrivia: ORBS
At 06:31 PM 1/13/00 -0500, Shawn McMahon wrote:
If that's true, they're going too far, and won't be able to become widespread enough to matter.
That's a damn shame.
So if I am an open relay, and I know it, all I have to do is block ORBS to continue without fear of reprisal? As long as no one uses you as an open spam relay, it's nothing more than your personal concern.

What ORBS is doing is like some man who is walking along the street and, if you forgot to close your car, breaks the ignition lock and writes a message: _Dear sir; you did not close your car, and it could be stolen or used for crime; to prevent it, I broke your car - now bad guys cannot abuse it for their dark purposes_. Guess when this man finishes his work? ORBS is just the same. It's your concern to have an open relay as long as it does not bother others.
What do other open relay lists (e.g. MAPS/RSS) do when they are filtered at the network level?
TTFN, patrick
-- I Am Not An Isp - www.ianai.net ISPF, The Forum for ISPs by ISPs, <http://www.ispf.com> "Think of it as evolution in action." - Niven & Pournelle (OhMyGod - Watch out 'Net, I got enable again! ;-)
Aleksei Roudnev, (+1 415) 585-3489 /San Francisco CA/
the other day, having some questions about orbs and similar issues, i asked some net.friends where there was a rational mailing list discussing such. they laughed at me and said that rational discussion of anti-spam seemed socially impossible. thanks all for providing an empirical evidence, albeit not formal proof. it seems to me that an orbs-like service listing an entire netblock because an upstream is blocking orbs testing is a difficult issue. in this particular case it means that, because of other obligations i have chosen to assume (e.g. ietf mailing lists), i probably should not use orbs in reject mode. but i am foolish enough to think that i understand both orbs's and abovenet's sides of the issue (i have discussed it with both, politely), and don't feel qualified to preach what's right and what's wrong. but i can choose whether to use orbs in reject mode or not. so can you, it's your prerogative. and if friends/correspondents of yours don't like you using it (or the inverse), then that's a discussion between you and them. orbs and abovenet are neither wrong nor right. it's not like some cardinal sin is occurring. they are just services. you can choose to use them. you can choose not to. it is your choice. and if you use one but don't like its policy (or the lunch they serve, or whatever), then take that up with the provider of the service. randy
[ On Thursday, January 13, 2000 at 17:55:17 (-0800), Randy Bush wrote: ]
Subject: Re: Fw: Administrivia: ORBS
the other day, having some questions about orbs and similar issues, i asked some net.friends where there was a rational mailing list discussing such. they laughed at me and said that rational discussion of anti-spam seemed socially impossible. thanks all for providing an empirical evidence, albeit not formal proof.
Please let me just say that I believe your post has gone a long way towards proving that your net.friends may not have been 100% right! -- Greg A. Woods +1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods> Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
Please let me just say that I believe your post has gone a long way towards proving that your net.friends may not have been 100% right!
if there was a market for nerd hysteria/hyperbole, there would be no need for internet ipos. as laura freedman once told me, if you put a group of geeks in a room and give them insufficient information, their explanations for the data will be amazing, and utterly off the wall. randy
Randy Bush wrote:
Please let me just say that I believe your post has gone a long way towards proving that your net.friends may not have been 100% right!
if there was a market for nerd hysteria/hyperbole, there would be no need for internet ipos.
Uh, I don't understand this comment, Randy. He was giving you a compliment -- your lucid posting showed that your net.friends were not 100% correct, when saying that "rational discussion of anti-spam seemed socially impossible." We _can_ have a rational discussion, it just doesn't seem to happen very often. :-)

Meanwhile, although I do not use ORBS for blocking, I do occasionally use it for testing. Unfortunately, I used it for testing my site, and it discovered that the (commercial) mailing software still supports the old % hack, and now ORBS blocks the site. I dunno why that is considered "spam". Anyway, the commercial folks didn't know it was still in there, either, and it will be eradicated in the next release.

WSimpson@UMich.edu Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
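The "% hack" mentioned above is the old gateway convention under which a recipient written as user%far.example@gateway is accepted by gateway as local, rewritten to user@far.example and forwarded, so a server that still honours it relays even though the envelope domain was its own. The following is an added example, not code from the thread or from the commercial mailing software it mentions: a recipient-side policy check of the kind a mail server runs at RCPT TO, which refuses percent and bang-path local parts and RFC 821 explicit source routes alongside the plain "not one of my domains" relay refusal. The hook shape (envelope recipient in, decision string out) and the LOCAL_DOMAINS set are assumptions of the example.

```python
"""Recipient-side relay check that rejects source-routed addresses.

Added example, not code from the thread or from the commercial mailing
software it mentions. The hook signature (envelope recipient in, decision
string out) and the LOCAL_DOMAINS set are assumptions of this example.
"""
from typing import Iterable

LOCAL_DOMAINS = frozenset({"example.com", "lists.example.com"})  # constructed


def relay_decision(recipient: str, local_domains: Iterable[str] = LOCAL_DOMAINS) -> str:
    """Decide whether this host may accept mail for `recipient`.

    The "% hack" works because a gateway that sees user%far.example@gateway
    delivers locally to itself, rewrites the address to user@far.example and
    sends it on: the gateway has relayed even though the envelope domain was
    its own. The same holds for UUCP-style host!user and for RFC 821 explicit
    source routes <@gateway:user@far.example>. All three are refused here.
    """
    addr = recipient.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if addr.startswith("@"):
        return "reject: explicit source route"
    if addr.count("@") != 1:
        return "reject: malformed address"
    local, domain = addr.split("@")
    if not local or not domain:
        return "reject: malformed address"
    if "%" in local or "!" in local:
        return "reject: percent or bang path in local part"
    # Compare case-insensitively and ignore a trailing root dot.
    if domain.lower().rstrip(".") not in {d.lower() for d in local_domains}:
        return "reject: relaying denied"
    return "accept"


if __name__ == "__main__":
    # Constructed envelope recipients; only the first one is accepted.
    for rcpt in ("user@example.com",
                 "user%victim.test@example.com",
                 "farhost!user@example.com",
                 "<@example.com:user@elsewhere.test>",
                 "user@elsewhere.test"):
        print(f"{rcpt:40} {relay_decision(rcpt)}")
```

A real server would consult this check only for unauthenticated, non-local senders; mail submitted by an authenticated user or from a trusted internal network is allowed to go to foreign domains. The point the thread's poster ran into is that the percent and bang checks have to be applied before the domain check, because to the domain check the address looks perfectly local.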
On Thu, 13 Jan 2000, Randy Bush wrote:
the other day, having some questions about orbs and similar issues, i asked some net.friends where there was a rational mailing list discussing such. they laughed at me and said that rational discussion of anti-spam seemed socially impossible.
Get brighter friends.
On Fri, 14 Jan 2000, Alex P. Rudnev wrote:
So if I am an open relay, and I know it, all I have to do is block ORBS to continue without fear of reprisal? As long as no one uses you as an open spam relay, it's nothing more than your personal concern.
If you're running an attractive nuisance, it's simply a matter of time until someone -does- find you. ORBS is simply being proactive about it, on advisement from people around the Internet.
What ORBS is doing is like some man who is walking along the street and, if you forgot to close your car, breaks the ignition lock and writes a message: _Dear sir; you did not close your car, and it could be stolen or used for crime; to prevent it, I broke your car - now bad guys cannot abuse it for their dark purposes_. Guess when this man finishes his work?

ORBS is NOT damaging your car, your network, or your ability to provide service. ORBS is merely letting you know that you left your car parked without the emergency brake on, and that it might roll down the hill and run over someone when you're not looking. And it's letting people who might be in the area know too. Yes, this means that someone might give your car a quick shove down the hill. But it also means people can get out of the way first. Aren't analogies fun?

ORBS is simply investigating and reporting mail servers which are provable open relays, and netblocks which are unverifiable due to administrative choice (either requesting addition to the listing, or by blocking the testers). It's making use of information that is easily obtainable, on the suggestion from someone who has probably already checked that you might be a good choice to investigate (meaning someone has already noticed you, and you're not hidden from view anymore).

I get regular ORBS probes, and I welcome them. As long as my service is not directly impacted by those probes (i.e. they start bogging down my systems with tests, or consume a noticeable chunk of bandwidth), I'll continue to do so.

ORBS is just the same. It's your concern to have an open relay as long as it does not bother others.
And it's my prerogative to not listen to your mail server if I believe it is being operated negligently, if I don't believe your mail is RFC conformant, or if it's tea time. *shrug* ORBS helps me in making my decision with the first part. I decide if it's tea time by myself. :-) -- Edward S. Marshall <emarshal@logic.net> http://www.xnet.com/~emarshal/ ------------------------------------------------------------------------------- [ Felix qui potuit rerum cognoscere causas. ]
If you're running an attractive nuisance, it's simply a matter of time until someone -does- find you.
If this time is _10_ years (which is not too bad an assumption) - why not? Let people do their work instead of fighting with shadows.
ORBS is simply being proactive about it, on advisement from people around the Internet.
What ORBS is doing is like some man who is walking along the street and, if you forgot to close your car, breaks the ignition lock and writes a message: _Dear sir; you did not close your car, and it could be stolen or used for crime; to prevent it, I broke your car - now bad guys cannot abuse it for their dark purposes_. Guess when this man finishes his work?
ORBS is NOT damaging your car, your network, or your ability to provide service. ORBS is merely letting you know that you left your car parked without the emergency brake on, and that it might roll down the hill and run over someone when you're not looking. And it's letting people who might be in the area know too. Yes, this means that someone might give your car a quick shove down the hill. But it also means people can get out of the way first. Aren't analogies fun?
ORBS is simply investigating and reporting mail servers which are provable open relays, and netblocks which are unverifiable due to administrative choice (either requesting addition to the listing, or by blocking the testers). It's making use of information that is easily obtainable, on the suggestion from someone who has probably already checked that you might be a good choice to investigate (meaning someone has already noticed you, and you're not hidden from view anymore).
I get regular ORBS probes, and I welcome them. As long as my service is not directly impacted by those probes (i.e. they start bogging down my systems with tests, or consume a noticeable chunk of bandwidth), I'll continue to do so.

ORBS is just the same. It's your concern to have an open relay as long as it does not bother others.
And it's my prerogative to not listen to your mail server if I believe it is being operated negligently, if I don't believe your mail is RFC conformant, or if it's tea time. *shrug* ORBS helps me in making my decision with the first part. I decide if it's tea time by myself. :-)
-- Edward S. Marshall <emarshal@logic.net> http://www.xnet.com/~emarshal/ ------------------------------------------------------------------------------- [ Felix qui potuit rerum cognoscere causas. ]
Aleksei Roudnev, (+1 415) 585-3489 /San Francisco CA/
On Thu, 13 Jan 2000, Shawn McMahon wrote:
If that's true, they're going too far, and won't be able to become widespread enough to matter.
That's a damn shame.
If ORBS can't test you, how do you propose they determine if you're an open relay? Take your word for it? Accept a piece of spam from someone who says they received it which has your SMTP server's headers in it (which could just as well have been forged)? Their answer was that if they can't test you, they have to assume you're operating open relays. I'd love to hear your thoughtful answer to the problem. -- Edward S. Marshall <emarshal@logic.net> http://www.xnet.com/~emarshal/ ------------------------------------------------------------------------------- [ Felix qui potuit rerum cognoscere causas. ]
If they can't test you, they rub two neurons together and test you from another address. Perhaps you should read their FAQ before asking questions about their service. The only way you can prevent them from having any means of testing you is: Close your relay. Now, you can fool their automatic tests; but somebody will turn you in and they'll do a manual. It's harder to get removed from a manual, because they don't do automatic update testing on them. All of this is answered in their FAQ. At 06:43 PM 1/13/2000 -0600, you wrote:
If ORBS can't test you, how do you propose they determine if you're an open relay? Take your word for it? Accept a piece of spam from someone who says they received it which has your SMTP server's headers in it (which could just as well have been forged)?
Their answer was that if they can't test you, they have to assume you're operating open relays. I'd love to hear your thoughtful answer to the problem.
On Thu, 13 Jan 2000, Shawn McMahon wrote:
If they can't test you, they rub two neurons together and test you from another address.
Ah. That scales wonderfully, and makes them the equivalent of roaming spammers. Great idea. I'm sure Alan and company will act on that right away. You honestly think moving the automated probes from network to network is a good idea?
Perhaps you should read their FAQ before asking questions about their service.
Actually, I'm extremely familiar with their service; I'm a long-time supporter of ORBS. Perhaps you should go back and read the NANOG archives for the multitude of times this subject has come up in the past.
The only way you can prevent them from having any means of testing you is:
Close your relay.
I wholeheartedly agree. What does this have to do with your original statement that ORBS has gone too far by manually listing address ranges which specifically block the relay probes? -- Edward S. Marshall <emarshal@logic.net> http://www.xnet.com/~emarshal/ ------------------------------------------------------------------------------- [ Felix qui potuit rerum cognoscere causas. ]
<sigh>

If you're a supporter, why the hell aren't you familiar with their policies, and why are you responding to messages you haven't read, or at least haven't read closely enough to retain?

It is not necessary to spam anyone to test an open relay. If you don't understand how to test a mail server for open relaying without spamming anyone, then you don't know enough about SMTP to participate in this conversation.

Once it's proven you've blocked them to hide open relays, you go into a manual block. No automated probes get moved anywhere, that's very specific in their FAQ, don't know where in the hell you got that idea. Once you're in a manual block you stay there until you convince somebody it's worth bothering to check you again.

My original statement stands; listing somebody's entire address range just because they block you is wrong. Listing their mail servers because they blocked you and you verified that one or more was still open is *NOT* wrong. The former is lazy and results in blocking folks who don't deserve it. The latter doesn't scale well. You want your spam fix to be completely automatic? Tough shit, the world doesn't work that way. If you can't keep up with the necessary load to test all the sites that are trying to fool ORBS, then you deal with that problem. There are lots of solutions, I can think of two just right off the top of my head. Can you?

P.S. I couldn't conceivably care less what NANOG archives have to say about the matter. Most of the posts on the subject are by people who are wrong. People who actually USE the service usually don't see emails from those folks.

At 07:08 PM 1/13/2000 -0600, you wrote:
Ah. That scales wonderfully, and makes them the equivalent of roaming spammers. Great idea. I'm sure Alan and company will act on that right away.
You honestly think moving the automated probes from network to network is a good idea?
Perhaps you should read their FAQ before asking questions about their service.
Actually, I'm extremely familiar with their service; I'm a long-time supporter of ORBS.
Perhaps you should go back and read the NANOG archives for the multitude of times this subject has come up in the past.
The only way you can prevent them from having any means of testing you is:
Close your relay.
I wholeheartedly agree. What does this have to do with your original statement that ORBS has gone too far by manually listing address ranges which specifically block the relay probes?
On Thu, 13 Jan 2000, Shawn McMahon wrote:
<sigh>
My sentiments exactly.
It is not necessary to spam anyone to test an open relay. If you don't understand how to test a mail server for open relaying without spamming anyone, then you don't know enough about SMTP to participate in this conversation.
You missed what I was saying. My point is that operating as a network-hopping operation (by testing from addresses that the network operator has not blocked) likens them to spammers sneaking around. A firewall preventing the ORBS netblock from probing a particular range of address space is an explicit statement that ORBS tests are unwelcome. Why should the ORBS maintainers attempt to work around that very explicit request from the network administrators to not probe their network? Their most ethical and reasonable option is to add that address block manually to the listing, because they cannot (without explicitly acting against the wishes of that network's administration) verify that the addresses in that space are relaying or not. Let me make it simple for you: the firewall is a big red sign saying KEEP OUT. ORBS is respecting that.
My original statement stands; listing somebody's entire address range just because they block you is wrong.
In your opinion. I see it as the only reasonable response for a system that acts responsibly and consistently on this point.
The former is lazy and results in blocking folks who don't deserve it.
Blocking ORBS is an explicit request by the network administrator that those probes are unwelcome. Hence, there's no other real option here, without very clearly violating that request. The most I can see here would be a single verification of a relay behind that netblock, just to be sure.
P.S. I couldn't conceivably care less what NANOG archives have to say about the matter.
Yes, but the membership here would prefer you did, since we're rehashing ancient arguments here yet again.
Most of the posts on the subject are by people who are wrong.
In your opinion.
People who actually USE the service usually don't see emails from those folks.
Hmm. I use it. Does that mean I have to unsubscribe from NANOG now? -- Edward S. Marshall <emarshal@logic.net> http://www.xnet.com/~emarshal/ ------------------------------------------------------------------------------- [ Felix qui potuit rerum cognoscere causas. ]
Please refer to this paragraph from their FAQ: If you'd like to firewall the test machine, go right ahead. You'll test as fixed, then be removed from the database and you can bask in the false sense of security that you're not included as an open relay. Meantime, what will probably happen is that various spammer probes will find you, add your machine to the lists which they sell and hundreds of junkmailers will relay their crud through you - then you'll end up in our static table as a verified open relay when someone mails us that spam and we confirm there's a firewall up against our tester. Additionally, you'll most likely end up in dozens, if not hundreds of blocking lists operated by individual admins as they receive spam via your server - and it's far easier to get out of ORBS than out of a whole bunch of lists you've never heard of. If you must firewall, do it properly and only allow your own machines access to the open relay. I refer you specifically to the last part of the third sentence: "...and we confirm there's a firewall up against our tester." And we *CONFIRM*. Not speculate, not hear, CONFIRM. If they aren't doing that, they're wrong. That's my position. To say that my position denotes ignorance as to their policies is asinine. I'm done with this thread. At 07:59 PM 1/13/2000 -0600, you wrote:
Why should the ORBS maintainers attempt to work around that very explicit request from the network administrators to not probe their network? Their most ethical and reasonable option is to add that address block manually to the listing, because they cannot (without explicitly acting against the wishes of that network's administration) verify that the addresses in that space are relaying or not.
Thank you for reading deeper into the issue and pointing this out. Shawn McMahon wrote:
Please refer to this paragraph from their FAQ:
If you'd like to firewall the test machine, go right ahead. You'll test as fixed, then be removed from the database and you can bask in the false sense of security that you're not included as an open relay. Meantime, what will probably happen is that various spammer probes will find you, add your machine to the lists which they sell and hundreds of junkmailers will relay their crud through you - then you'll end up in our static table as a verified open relay when someone mails us that spam and we confirm there's a firewall up against our tester. Additionally, you'll most likely end up in dozens, if not hundreds of blocking lists operated by individual admins as they receive spam via your server - and it's far easier to get out of ORBS than out of a whole bunch of lists you've never heard of. If you must firewall, do it properly and only allow your own machines access to the open relay.
I refer you specifically to the last part of the third sentence:
"...and we confirm there's a firewall up against our tester."
And we *CONFIRM*. Not speculate, not hear, CONFIRM.
If they aren't doing that, they're wrong. That's my position.
To say that my position denotes ignorance as to their policies is asinine.
I'm done with this thread.
At 07:59 PM 1/13/2000 -0600, you wrote:
Why should the ORBS maintainers attempt to work around that very explicit request from the network administrators to not probe their network? Their most ethical and reasonable option is to add that address block manually to the listing, because they cannot (without explicitly acting against the wishes of that network's administration) verify that the addresses in that space are relaying or not.
-- Thank you; |--------------------------------------------| | Thinking is a learned process so is UNIX | |--------------------------------------------| Henry R. Linneweh
This is really simple to understand: here we have a service that actually aids you by informing you of an open relay problem being exploited on your network, and when people rise above their apathy and eliteness they are grateful that someone actually is working on aiding self regulation. To me a network supporting open relays to the outside world is screwing the end user who is the paying customer. Most people that I have informed did not even realize this was happening on their network and were grateful when I pointed out the problem to them. I was really surprised at the responses. Shawn McMahon wrote:
If they can't test you, they rub two neurons together and test you from another address.
Perhaps you should read their FAQ before asking questions about their service.
The only way you can prevent them from having any means of testing you is:
Close your relay.
Now, you can fool their automatic tests; but somebody will turn you in and they'll do a manual. It's harder to get removed from a manual, because they don't do automatic update testing on them.
All of this is answered in their FAQ.
At 06:43 PM 1/13/2000 -0600, you wrote:
If ORBS can't test you, how do you propose they determine if you're an open relay? Take your word for it? Accept a piece of spam from someone who says they received it which has your SMTP server's headers in it (which could just as well have been forged)?
Their answer was that if they can't test you, they have to assume you're operating open relays. I'd love to hear your thoughtful answer to the problem.
-- Thank you; |--------------------------------------------| | Thinking is a learned process so is UNIX | |--------------------------------------------| Henry R. Linneweh
On 01/14/00, "Henry R. Linneweh" <linneweh@concentric.net> wrote:
This is really simple to understand: here we have a service that actually aids you by informing you of an open relay problem being exploited on your network, and when people rise above their apathy and eliteness they are grateful that someone actually is working on aiding self regulation.
To me a network supporting open relays to the outside world is screwing the end user who is the paying customer.
Most people that I have informed did not even realize this was happening on their network and were grateful when I pointed out the problem to them. I was really surprised at the responses.
Unfortunately, ORBS does not allow for people who DO know about relays, and DO close them, and don't want to be scanned anymore. In the ORBS world, that simply isn't an option. That's where most of the sane anti-ORBS sentiment comes from. ("Sane" obviously does not include folks who actually do have open relays.) ---------========== J.D. Falk <jdfalk@cybernothing.org> =========--------- | Join the Usenet Cabob: It's a secret society on a stick! | ----========== http://www.cybernothing.org/jdfalk/home.html ==========----
At Friday 03:24 PM 1/14/00 , J.D. Falk wrote on NANOG:
Unfortunately, ORBS does not allow for people who DO know about relays, and DO close them, and don't want to be scanned anymore. In the ORBS world, that simply isn't an option.
That's where most of the sane anti-ORBS sentiment comes from.
("Sane" obviously does not include folks who actually do have open relays.)
People who object to their networks being scanned for SMTP vulnerabilities on occasion (with an interval that ranges from a couple of weeks to a couple of months) have something to hide. They are hiding incompetency, management failure, corporate idiocy, Dilbertism and most of all: financial interests that have managed to completely corrupt any dedication to providing secure, stable and responsible service on the Internet. Some people have apparently forgotten that the Internet does not work without consensus and respect for other entities making up the network as a whole: Those who violate principles of responsible networking morally forfeit any claim of protection under the same principles. Given that there is NOTHING they can (or would want to) do about random port scanning originating from throw-away dialup accounts or compromised *.edu machines, trying to erect a barrier against single, well-known entities that have a clear published agenda is completely dishonest, with a motivation clearly founded in a desire to cover up things mentioned in the first paragraph (above). Who would think of ORBS' agenda to be that of, say: a 13-year old hacker-wannabe from Pigs Knuckles, Idaho, who has hacker bragging rights on the school yard? Pick who you want to block, and with what motivations. I have sent the following to the SMTPABUSE list earlier today, in the context of Bugtraq's co-located server (in above.net's network) getting ORBS-listed due to above.net apparently null0'ing all traffic to/from the network ORBS is located on. -----------SNIP-------------- At Friday 12:05 PM 1/14/00 , Bill Maloy wrote:
The following is a reason for not using the ORBS list.
Slight mod: "The following is an example of why anyone using the ORBS (or ANY blacklist, for that matter) should be prepared to whitelist specific servers at a moment's notice."
above.net has several hundred open relays (?!) in the netblock which is blocking the ORBS tester.
See <http://www.orbs.org/above.net.txt>
-- Bill Maloy (brm4)
Or more figuratively: the landlord (above.net) directly acknowledges the occasional presence of a bunch of drug dealers using apartments (web servers in their rackspace) in his buildings without the tenant's (web housing and co-lo customers) or his consent (spammers abusing open relays on occasion) for their illegal activities by trying to prohibit his friendly neighbors (ORBS) from reporting about these deplorable conditions to the rest of the public and prohibiting said friendly neighbors to enter his buildings to occasionally check on tenants deliberately aiding and abetting (or doing so by failure to leave their doors locked, which is technically gross neglect) such illegal activities. Meanwhile, the criminal element using the property continues to go about its business, and the landlord apparently cares little that the "No Trespassing" sign is routinely ignored, and tenants routinely compromise security for themselves and their neighbors, as well as the rest of the community.

This is setting vast precedents. Precedents that work in the friendly neighbor's favor, I have to add, and to the detriment of the landlord:

- In the US, the government takes away property from negligent owners who ignore illegal activity connected or happening on their property, especially if they were informed about this (I think a few 1000 mails to abuse@ is undeniable notice). Needless to say that people have lost their property even if they truly knew anything about it. (Thank you for Civil forfeiture, part of the War on Drugs^H^H^H^H^HEverybody, Ronnie. We'll spit on your grave soon enough).

- People get summoned and fined for leaving their cars unlocked, too, as the law recognizes that in order to protect the public from joyriding kids, insurance scams and rampant auto theft, an owner has to secure his vehicle, even if it poses just a minor hurdle for professional criminals.

And to top this off with another analogy: As far as I am concerned, above.net is like a parking lot with a 3-inch fence, with a large number of vehicles unlocked and the keys in the ignition. Ready to rumble, I'd say! Compare this to the vast majority of car owners in urban areas who secure their vehicle with alarm systems and "The Club" <tm>. What will *you* steal for fun and profit?
------------SNIP----------------

Yeah, someone reacted to this post, which had a Cc: to abuse@above.net, via private email. While that reaction is certainly personal, rather than an official reaction by Above.net, I am quite surprised by the mind-bender of putting ORBS on the same footing (see analogy above) as thieves running around the parking lot, testing doors and then making off with the cars. ORBS may rattle doors, but it's for control purposes only. Kind of like your insurance claims adjuster finding your Jaguar unlocked in front of your house: he isn't driving off with it, but he will revoke your theft coverage, then go on to make a factual entry into insurance carriers' shared databases that will subsequently prevent you from getting theft coverage with any other insurance. True and tried methods in the credit reporting and insurance industries. No more secrets. bye,Kai -- kai@conti.nu "Just say No" to Spam Kai Schlichting Palo Alto, New York, You name it Sophisticated Technical Peon Kai's SpamShield <tm> is FREE! http://SpamShield.Conti.nu | | LeasedLines-FrameRelay-IPLs-ISDN-PPP-Cisco-Consulting-VoiceFax-Data-Muxes WorldWideWebAnything-Intranets-NetAdmin-UnixAdmin-Security-ReallyHardMath
People who object to their networks being scanned for SMTP vulnerabilities on occasion (with an interval that ranges from a couple of weeks to a couple of months) have something to hide. They are hiding incompetency, management failure, corporate idiocy, Dilbertism and most of all: financial interests that have managed to completely corrupt any dedication to providing secure, stable and responsible service on the Internet. Some people have apparently forgotten that the Internet does not work without consensus and respect for other entities making up the network as a whole:
or maybe the collocation provider sees security as THEIR business and something THEY provide the customer. and maybe they see folk from outside 'testing' their network to be similar to someone walking down the street testing homeowners' doorknobs. not that i agree with this position completely, but i can see how someone might hold that opinion. but your self-righteous hyperbole is rather over the line.
Those who violate principles of responsible networking morally forfeit any claim of protection under the same principles.
somehow, i think this high-sounding moral stand would not prevail in a court of non-vigilante law. in fact, crackers who tried it as a defense failed. randy
Randy Bush has declared that:
[ ... ]
Those who violate principles of responsible networking morally forfeit any claim of protection under the same principles.
somehow, i think this high-sounding moral stand would not prevail in a court of non-vigilante law. in fact, crackers who tried it as a defense failed.
And also, who defines "responsible networking"? Some self-appointed sort? Checking a server following complaints I think is OK (as long as it doesn't get out of hand tantamount to an attack), but someone taking it on oneself to be the official tester of the net and testing all servers they can find, unasked, and w/o permission or probable cause (i.e., complaints), is guilty of the sort of thing they claim to be opposing, IMO. Pat M/HW
randy
-- #include <std.disclaimer.h> Pat Myrto (pat at rwing dot ORG) Seattle WA How government differs from every other agency in society: The others persuade; government compels. Government is the only entity where the use of force - including deadly force - to achieve an end is OK. This is why govt pushes so hard for a monopoly on the means of coercive force.
At Friday 05:00 PM 1/14/00 , Randy Bush wrote:
or maybe the collocation provider sees security as THEIR business and something THEY provide the customer. and maybe they see folk from outside 'testing' their network to be similar to someone walking down the street testing homeowners' doorknobs.
And this leads us straight back to what I wrote at the end: ORBS may rattle doors, but it's for control purposes only. Kind of like your insurance claims adjuster finding your Jaguar unlocked in front of your house: he isn't driving off with it, but he will revoke your theft coverage, then go on to make a factual entry into insurance carriers' shared databases that will subsequently prevent you from getting theft coverage with any other insurance. True and tried methods in the credit reporting and insurance industries. The argument of "security" is completely bogus, due to the selective nature of the blocks, aimed at a single entity/network. Indeed I am calling anyone who says he is filtering ORBS or any other 'public' relay scanner for security reasons a f****** p**** o* s***: lies from A to Z, 1 to 10 and 0.0.0.1 to 239.255.255.255!
not that i agree with this position completely, but i can see how someone might hold that opinion. but your self-righteous hyperbole is rather over the line.
the facts of the matter are ugly. And they point to people running Internet operations with the attitude of the head-honcho of a brothel: legal? illegal? dangerous? filthy? spreading diseases? unfulfilled promises? Shut the f*** up and fork over the damn money! And if you don't like what we do, get the f*** out! So much for consumer protection. How you can label what I said as hyperbole is beyond me: look around you: crooks and Dilbert-bosses are running the Internet, and I have no incentive to be quiet about it. Connect the facts. Discover the web of deceit. Unless you sit on $20M of stock options, you will find something wrong with the Internet.
Those who violate principles of responsible networking morally forfeit any claim of protection under the same principles.
somehow, i think this high-sounding moral stand would not prevail in a court of non-vigilante law. in fact, crackers who tried it as a defense failed.
randy
And which crackers (define crackers) would that be? I am not talking about giving perpetrators rights to trash places and commit real crimes here, I am talking about voiding of victims' rights in the face of stupidity: if you ignore common sense (the most valuable and rare currency in America), you will get burned, and you have no right to cry foul. Let me tell you how fast a car left on the side of a highway in New York City disappears, piece by piece: 10 days. You drive by it every day and it seems to lose parts every single day, until the NYPD tows the carcass away, after some 14 days or so. Do you honestly believe that the victim should be compensated for theft by his (uhm, MY) insurance, after leaving his broken-down vehicle there, unattended? And as far as the court goes: Guilt, as well as the degree of punishment (if any) in a court is usually measured by how easy it was to commit the crime. The harder it was, the more intent+effort it took and the higher the proceeds of the crime turned out to be, the harsher the penalty would be. Which relates directly to how easy the victim chose to make it for the perpetrator to commit the crime. bye,Kai
the facts of the matter are ugly. And they point to people running Internet operations with the attitude of the head-honcho of a brothel: legal? illegal? dangerous? filthy? spreading diseases? unfulfilled promises? Shut the f*** up and fork over the damn money! And if you don't like what we do, get the f*** out! So much for consumer protection.
How you can label what I said as hyperbole is beyond me
classic! really appreciated. i will keep this for a long time. thanks. randy
And as far as the court goes: Guilt, as well as the degree of punishment (if any) in a court is usually measured by how easy it was to commit the crime. The harder it was, the more intent+effort it took and the higher the proceeds of the crime turned out to be, the harsher the penalty would be. Which relates directly to how easy the victim chose to make it for the perpetrator to commit the crime.
to a certain degree, yes, but if i make it really hard for you to kill me and you kill me anyway, you're still gonna fry for it, no matter how hard it was to kill me. which is kind of the counterpart to the defence of putting a sign on the front of your gun that says "warning: do not stand in front of". you're still not allowed to point it at people. i'm not sure on which side of the fence these statements place me, but i do appreciate the chance to vent some amusing hyperbole. :) -- |-----< "CODE WARRIOR" >-----| codewarrior@daemon.org * "ah! i see you have the internet twofsonet@graffiti.com (Andrew Brown) that goes *ping*!" andrew@crossbar.com * "information is power -- share the wealth."
or maybe the collocation provider sees security as THEIR business and something THEY provide the customer. and maybe they see folk from outside 'testing' their network to be similar to someone walking down the street testing homeowners' doorknobs.
not that i agree with this position completely, but i can see how someone might hold that opinion. but your self-righteous hyperbole is rather over the line.
This may come as a shock to many, but I agree with Randy. If someone asks ORBS to stop probing, they should stop. -- North Shore Technologies http://NorthShoreTechnologies.net 888.480.4NET Steve Sobol, President, Chief Website Architect and Janitor sjsobol@NorthShoreTechnologies.net My opinions DO, in fact, represent the official opinions of North Shore Technologies Corporation, since I own the company. Thanks for asking.
At Friday 06:25 PM 1/14/00 , Steve Sobol wrote:
This may come as a shock to many, but I agree with Randy.
If someone asks ORBS to stop probing, they should stop.
That could be ok with me, unless they have something to hide. Those who ask ORBS (or anyone else) to stop testing cannot expect that they are not listed, if it turns up that they are eligible for listing through some other means (relayed spam evidence, popular nomination, etc.). ORBS does list such hosts differently: They are indicated as such via different A records:

127.0.0.2 - automated system listing.
127.0.0.3 - manual individual entry
127.0.0.4 - netblock entry - multiple open relays, but blocking tester.

Problem: common RBL-style use in Sendmail does nothing but check for existence of the address RR, without distinguishing between the different types of listings. This is a deficiency at the MTA, not with the listing service at this time, really. Note how Above.net hosts appear as 127.0.0.4.

Someone oughta come up with some new sendmail.cf rules to accommodate specific records, such as:

127.0.6.66 - people who are pissing me off
127.0.9.99 - people who sued other people with bogus software patents in hand and should be punished
127.0.10.1 - RIAA, and other entities that are busy destroying the Internet as we know it that should be punished
127.0.22.2 - people who bullied kids out of their domain names because the name has been some obscure trademark for an unrelated industry for a long time.
127.1.1.1 - people nominated to be blocked by popular vote
127.5.5.5 - politically incorrect site of a couleur I don't approve of
127.31.33.7 - posts a lot on NANOG

I think this kind of listing will open entirely new horizons, especially if the end-user behind the MTA has a choice in what he wants (not) to receive: "Your product is made of roasted, freeze-dried small animal organs? Shove that email up yours!" I see a billion ways for the censorware folks to get into the RBL business. You heard it here first, this is prior art. bye,Kai
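A lookup client that makes the distinction the post above says common sendmail rules do not: it builds the reversed-octet query name, maps the three documented answer codes to listing types, and lets a policy treat a netblock entry (range listed, individual host unverified) differently from an automated or manual hit. This is an added example, not ORBS's or sendmail's own code; it takes only the relays.orbs.org zone name and the answer codes from the thread, and the resolver table and sample addresses are constructed so it runs offline.

```python
"""DNSBL lookup that distinguishes listing types instead of 'any A record = reject'."""
import ipaddress

# Zone name as used in the thread's host(1) lookup.
ZONE = "relays.orbs.org"

# Answer codes as documented in the post; anything else is reported as unknown.
LISTING_TYPES = {
    "127.0.0.2": "automated",   # found open by the automated tester
    "127.0.0.3": "manual",      # individual entry added by hand
    "127.0.0.4": "netblock",    # whole range listed: relays known, tester blocked
}

# Constructed in-memory zone standing in for a real DNS resolver (not real data,
# apart from the securityfocus.com address that appears in the thread as 127.0.0.4).
FAKE_ZONE = {
    "68.127.126.207.relays.orbs.org": "127.0.0.4",
    "10.2.0.192.relays.orbs.org": "127.0.0.2",
    "5.0.168.192.relays.orbs.org": "127.0.0.3",
    "9.9.9.9.relays.orbs.org": "127.0.0.9",   # code this client was not taught
}


def dnsbl_name(ip, zone=ZONE):
    """Reverse the dotted quad and append the zone, e.g. 207.126.127.68 ->
    68.127.126.207.relays.orbs.org. Raises ValueError on a malformed address."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def fake_resolve(name):
    """Stand-in for an A-record query; returns the answer string or None (NXDOMAIN)."""
    return FAKE_ZONE.get(name)


def lookup(ip, resolve=fake_resolve, zone=ZONE):
    """Return the listing type for ip ('automated', 'manual', 'netblock',
    'unknown:<code>') or None when the address is not listed."""
    answer = resolve(dnsbl_name(ip, zone))
    if answer is None:
        return None
    return LISTING_TYPES.get(answer, "unknown:" + answer)


def decide(ip, resolve=fake_resolve, policy="distinguish"):
    """Map a listing to an MTA action: 'reject' or 'accept'.

    policy='any_record' is the behaviour the post complains about: the mere
    existence of an A record rejects the sender, so a 127.0.0.4 netblock entry
    (individual host never verified) is treated like a confirmed relay.
    policy='distinguish' rejects only automated and manual hits; netblock and
    unrecognised codes are accepted so they can be logged or scored instead.
    """
    listing = lookup(ip, resolve)
    if listing is None:
        return "accept"
    if policy == "any_record":
        return "reject"
    if listing in ("automated", "manual"):
        return "reject"
    return "accept"


if __name__ == "__main__":
    for addr in ("207.126.127.68", "192.0.2.10", "192.168.0.5", "9.9.9.9", "203.0.113.7"):
        print(addr, lookup(addr), decide(addr, policy="any_record"), decide(addr))
```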
On 01/14/00, Kai Schlichting <kai@pac-rim.net> wrote:
At Friday 06:25 PM 1/14/00 , Steve Sobol wrote:
This may come as a shock to many, but I agree with Randy.
If someone asks ORBS to stop probing, they should stop.
That could be ok with me, unless they have something to hide.
Everyone has something to hide, and that's none of our damned business unless it starts leaking into other networks. Or did you forget what "autonomous system" means? ---------========== J.D. Falk <jdfalk@cybernothing.org> =========--------- | "The opposite of a correct statement is a false statement. | | But the opposite of a profound truth may be another profound truth." | | -- Niels Bohr | ----========== http://www.cybernothing.org/jdfalk/home.html ==========----
[ On Friday, January 14, 2000 at 18:54:19 (-0500), Kai Schlichting wrote: ]
Subject: Re: Fw: Administrivia: ORBS [LONG]
I see a billion ways for the censorware folks to get into the RBL business. You heard it here first, this is prior art.
Oh man! Now you've gone and ruined my whole business plan! :-) :-) :-) -- Greg A. Woods +1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods> Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
or maybe the collocation provider sees security as THEIR business and something THEY provide the customer. and maybe they see folk from outside 'testing' their network to be similar to someone walking down the street testing homeowners' doorknobs.
not that i agree with this position completely, but i can see how someone might hold that opinion. but your self-righteous hyperbole is rather over the line.
This may come as a shock to many, but I agree with Randy.
If someone asks ORBS to stop probing, they should stop.
fyi, i did not say that was my personal opinion. i said i could see that as an understandable opinion held by someone else. i do not (yet) know enough to have an informed strong opinion on this one. randy
Randy Bush wrote:
fyi, i did not say that was my personal opinion. i said i could see that as an understandable opinion held by someone else. i do not (yet) know enough to have an informed strong opinion on this one.
Yeah, I know that's not exactly what you said, and I apologize for not making that clearer.
If someone asks ORBS to stop probing, they should stop.
That's my opinion. FWIW: Alan Brown, the guy maintaining ORBS, is not a bad person whose sole task is to run around infiltrating mail servers. That having been said, I've stood back and watched a lot of the ORBS debates back and forth on SPAM-L, and I definitely think that ORBS is not as useful a service as it could possibly be. -- North Shore Technologies http://NorthShoreTechnologies.net 888.480.4NET Steve Sobol, President, Chief Website Architect and Janitor sjsobol@NorthShoreTechnologies.net My opinions DO, in fact, represent the official opinions of North Shore Technologies Corporation, since I own the company. Thanks for asking.
On Fri, 14 Jan 2000, Kai Schlichting wrote:
People who object to their networks being scanned for SMTP vulnerabilities on occasion (with an interval that ranges from a couple of weeks to a couple of months) have something to hide.
Sorry, hate to pick nits, but we have 13 relay attempts from ORBS in our maillog between 9p last night up until 4:50 today. Since 6 Jan, there have been 113 relay attempts from orbs. Or, better put over 10 a day on average. This doesn't seem like "once every 2 weeks" let alone once every 2 months. (Note: I am not saying that I have an opinion re: orbs one way or another. I'm just providing a data point.) -forrestc@imach.com
[ On Saturday, January 15, 2000 at 16:55:46 (-0700), Forrest W. Christian wrote: ]
Subject: Re: Fw: Administrivia: ORBS [LONG]
On Fri, 14 Jan 2000, Kai Schlichting wrote:
People who object to their networks being scanned for SMTP vulnerabilities on occasion (with an interval that ranges from a couple of weeks to a couple of months) have something to hide.
Sorry, hate to pick nits, but we have 13 relay attempts from ORBS in our maillog between 9p last night up until 4:50 today.
Since 6 Jan, there have been 113 relay attempts from orbs. Or, better put over 10 a day on average.
Hmmm... very interesting. I've only received two over the past year, and one has been since my first public posting on this subject. If you trust how ORBS claims to work as being true this would suggest that a lot of eager beavers have been much more active at submitting test requests to ORBS ever since this subject came up. I've no doubt that these kinds of people are more than willing to target various networks out of their own agendas rather than basing their test requests solely on actual spam events (as ORBS requests that they do). Just because people are anti-spam doesn't mean they're perfect! :-)
This doesn't seem like "once every 2 weeks" let alone once every 2 months.
There's a very fine line for ORBS to walk here. Those of us who use it obviously want it to be as accurate as possible, just as those who become listed in it do. If it doesn't find and list open relays being abused quickly we'll be just as upset as those who don't get off the list as soon as they've fixed their mailers are. Since ORBS is automated this means that an algorithm must be used to determine how frequently a test must be repeated (whether it's for the purpose of confirming a fix, or for the purpose of confirming that a site has been broken again). I don't know if there is such an algorithm in place yet or not, of course. I think a lot of the BS here would be avoided if people were to discuss rationally the attributes of various possible algorithms for ORBS to use to determine re-testing frequencies in different circumstances. The participants of this particular forum should be more than capable of having such a rational discussion, shouldn't we..... -- Greg A. Woods +1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods> Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
[ On Friday, January 14, 2000 at 12:24:32 (-0800), J.D. Falk wrote: ]
Subject: Re: Fw: Administrivia: ORBS
Unfortunately, ORBS does not allow for people who DO know about relays, and DO close them, and don't want to be scanned anymore. In the ORBS world, that simply isn't an option.
That's where most of the sane anti-ORBS sentiment comes from.
("Sane" obviously does not include folks who actually do have open relays.)
Besides all of what Kai has said (thanks!), there is one other point that makes me wonder if even the "sane anti-ORBS sentiment" isn't just more self-spreading ignorance and ill-informed rhetoric. That point is that those of us who use ORBS are not about to believe anyone, especially these days, just because they say they've cleaned up their act and fixed all of their open relays. Those systems and networks that are listed in ORBS may have been (ab)used to spam before (usually*), and we're not about to believe the first SMTP HELO greeting we get from them without first confirming with ORBS that they have been, and remain, fixed. We reported them for independent testing to ORBS after we were spammed by them and we insist on the due diligence of ongoing automated spot checks to ensure they stay fixed. If a site blocks ORBS after being cleared then we have every reason to believe that they are indeed hiding something ugly under the carpet and we'd rather reject all e-mail from them with no prejudice than risk getting any more spam from them. If your mailers were abused, reported to ORBS and listed, fixed, and finally cleared from ORBS then please don't prevent ORBS from testing them again in the future -- that is your guarantee that we won't individually block your mailers again with our own private lists. It also means that you won't accidentally get added to ORBS own manual database section and thus experience similar difficulties in getting removed again. (* obviously not every system listed in ORBS has been used to forward actual spam of course -- why even I have a test machine listed in there for test purposes! ;-) -- Greg A. Woods +1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods> Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
(* obviously not every system listed in ORBS has been used to forward actual spam of course -- why even I have a test machine listed in there for test purposes! ;-)
what if there are systems blocked by orbs which are truly not mail relays, for which there has never been evidence of mail relaying, from which spam has never emanated, ...? sounds to me a lot like the kind of net abuse towards which you and kai are advocating downright vigilante action. [ note that i am not advocating such action ] "Those who violate principles of responsible networking morally forfeit any claim of protection under the same principles." some folk might contend that harming the innocent is not very responsible networking. this is not an easy simple problem. and a moral high ground is not so easy to spot, at least from here. randy
[ On Friday, January 14, 2000 at 16:48:51 (-0800), Randy Bush wrote: ]
Subject: Re: Fw: Administrivia: ORBS
(* obviously not every system listed in ORBS has been used to forward actual spam of course -- why even I have a test machine listed in there for test purposes! ;-)
what if there are systems blocked by orbs which are truly not mail relays, for which there has never been evidence of mail relaying, from which spam has never emanated, ...?
Like I said, I have a test machine listed in ORBS for testing purposes only. I got it there by explicitly allowing my mailer to relay the ORBS test (and only the ORBS test! :-). However what of it? Who cares? *I* don't, obviously. And who exactly is going to prove it? If suddenly your machine Randy shows up in ORBS but you really need to send me e-mail from it are you going to show me all your mailer logs and allow me to corroborate them with all of your net-neighbours just to prove it? Who do I believe? Who really cares if there are in fact a few odd-ball vigilantes out there who are abusing the ORBS testing service just to scan for open relays? I'm certainly not going to blame ORBS for the actions of those few bad apples. They are clearly starting to spoil things for the rest of us, but all that really means is we all have to be vigilant and make sure we stop them if we find them and that we don't knowingly let them on our networks while at the same time cleaning up all open relays we find ourselves with a diligence that would put such vigilantes to shame. If anyone seriously believes that the stale DB listings published by ORBS are really making the spammers' jobs any easier I've got some prime ocean-front swamp^H^H^H^H^Hbeach for sale in Saskatchewan.... It's real cheap at just a cool million dollars (USA $$$, that is!) and you'll just love the weather! You might have to wait a million years or so before it's an active ocean beach again, but that's your problem.... -- Greg A. Woods +1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods> Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
Paul Vixie's Mail Abuse Prevention System addresses this. The MAPS Relayed Spam Stopper is similar to ORBS but *only lists servers that are known to have been used to spam.* It's not as proactive as ORBS. But there are a lot fewer false positives. I'd venture to say that the actual number is very close to zero. :) Randy Bush wrote:
(* obviously not every system listed in ORBS has been used to forward actual spam of course -- why even I have a test machine listed in there for test purposes! ;-)
what if there are systems blocked by orbs which are truly not mail relays, for which there has never been evidence of mail relaying, from which spam has never emanated, ...?
-- North Shore Technologies http://NorthShoreTechnologies.net 888.480.4NET Steve Sobol, President, Chief Website Architect and Janitor sjsobol@NorthShoreTechnologies.net My opinions DO, in fact, represent the official opinions of North Shore Technologies Corporation, since I own the company. Thanks for asking.
[ On Sunday, January 16, 2000 at 14:03:52 (-0500), Steve Sobol wrote: ]
Subject: Re: Fw: Administrivia: ORBS
It's not as proactive as ORBS. But there are a lot fewer false positives. I'd venture to say that the actual number is very close to zero. :)
ORBS cannot, by definition, have any "false positives". Only a user of ORBS could determine that in any case (e.g. when manual entries have been added for whatever reason). This kind of slip-up in your thinking may be another key to why so many people misunderstand it. -- Greg A. Woods +1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods> Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
I think if ORBS read the RBL documents as a standard, this entire argument would end, and that all services which want to help combat spam should have the same policy-based approach, that the parties involved get together and hammer out a policy acceptable to the NSP/ISP community, and that prepackaged fixes for broken networks be available to implement, for the less technically inclined. Shawn McMahon wrote:
At 11:44 AM 1/19/2000 -0500, you wrote:
ORBS cannot, by definition, have any "false positives".
And yet, it does.
There are IPs that are blocked in ORBS, but do not run an open relay. It's a demonstrable fact.
-- Thank you; |--------------------------------------------| | Thinking is a learned process so is UNIX | |--------------------------------------------| Henry R. Linneweh
[ On Wednesday, January 19, 2000 at 12:42:48 (-0500), Shawn McMahon wrote: ]
Subject: Re: Fw: Administrivia: ORBS
There are IPs that are blocked in ORBS, but do not run an open relay. It's a demonstrable fact.
Show me. Yes there may be hosts/networks "blocked" because they've asked to be tested, but those are clearly not "false positives" either. (Actually as I've already said I myself have what might be a "false positive" entry in the ORBS db -- one test machine where I explicitly allowed the ORBS test through but which should be impervious to any relay attempts by any unauthorised party. I wouldn't really call it a "false positive" either though.) -- Greg A. Woods +1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods> Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
Hey, I'm not the one who misunderstands. Hell, I just spent my evening helping somebody close their open relays for free, then showed them how to get ORBS to rescan them. I was actually "tail -f"ing their logfile when the probe came. :-) At 11:24 AM 1/14/2000 -0800, you wrote:
This is really simple to understand, here we have a service that actually aids you by informing you of an open relay problem being exploited on your network and when people rise above their apathy and eliteness and are grateful that someone actually is working on aiding self regulation.
More. All the ISPs in Russia filter out ORBS; then ORBS can try to list the whole of Russia in their black lists... I'll get a lot of pleasure from seeing how they can do it. -:) /I am not in Russia now, but anyway/ No, if you cry every day _there is a wolf and he'll eat me_, no one believes you; and if you meet the real wolf with the real sharp teeth, no one helps you. Just as in this case - the further it goes, the fewer people can use ORBS. On Thu, 13 Jan 2000, Edward S. Marshall wrote:
Date: Thu, 13 Jan 2000 18:43:16 -0600 (CST) From: Edward S. Marshall <emarshal@logic.net> To: Shawn McMahon <smcmahon@eiv.com> Cc: nanog@merit.edu Subject: Re: Fw: Administrivia: ORBS
On Thu, 13 Jan 2000, Shawn McMahon wrote:
If that's true, they're going too far, and won't be able to become widespread enough to matter.
That's a damn shame.
If ORBS can't test you, how do you propose they determine if you're an open relay? Take your word for it? Accept a piece of spam from someone who says they received it which has your SMTP server's headers in it (which could just as well have been forged)?
Their answer was that if they can't test you, they have to assume you're operating open relays. I'd love to hear your thoughtful answer to the problem.
-- Edward S. Marshall <emarshal@logic.net> http://www.xnet.com/~emarshal/ ------------------------------------------------------------------------------- [ Felix qui potuit rerum cognoscere causas. ]
Aleksei Roudnev, (+1 415) 585-3489 /San Francisco CA/
On Thu, Jan 13, 2000 at 12:18:31PM -0500, Harald Koch wrote:
Alot of us did. I thought about posting it to nanog, but then I actually researched the issue a bit, and discovered that securityfocus' listerver is *not* in the ORBS database at this time.
http://www.orbs.org/verify_1.html doesn't list the manual entries. The only way to check if ORBS is listing a site is to use a DNS lookup. -- John Payne jcapayne@att.com OpenNet Infrastructure Team, AT&T Global Network Services Mailpt C2E, c/o IBM North Harbour, PO Box 41 Portsmouth, PO6 3AU Tel - +44 (0)23 9256 1977, Fax - 23 9221 0543
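The DNS lookup John describes is the standard DNSBL mechanism: reverse the octets of the IP, append the list's zone, and treat any A record in 127.0.0.0/8 as "listed". The following is an added example (not code from the thread or from ORBS) of doing that check for one's own mail server address, with the resolver pluggable so it can also be exercised offline against a constructed answer table. The zone name relays.orbs.org is the one named in the thread; the addresses 192.0.2.x, 203.0.113.5 and the listing code 127.0.0.2 in the table are constructed sample values, and ORBS itself no longer exists, so the real-resolver path is for illustration only.

```python
"""Check whether an IP address is listed in a DNS-based block list (DNSBL).

Added example, not code from the thread. The query-name construction
(reversed dotted quad + zone) and the 127.0.0.0/8 answer convention are
the general DNSBL mechanism; the zone name comes from the thread.
"""
import ipaddress
import socket
from typing import Callable, Dict, Optional

# Zone named in the thread; ORBS is defunct, so treat it as illustrative.
ORBS_ZONE = "relays.orbs.org"

# Only answers in this range are real listings. A zone that has been
# wildcarded (or a captive resolver) may hand back other addresses,
# which must not be mistaken for a listing.
LISTING_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str = ORBS_ZONE) -> str:
    """Build the DNSBL query name: reversed octets followed by the zone.

    Raises ValueError on anything that is not a valid IPv4 address, so a
    typo in a config file fails loudly instead of querying a bogus name.
    """
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def gethostbyname_resolver(name: str) -> Optional[str]:
    """Real resolver: A record as a string, or None on NXDOMAIN/failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_listing(
    ip: str,
    zone: str = ORBS_ZONE,
    resolve: Callable[[str], Optional[str]] = gethostbyname_resolver,
) -> Optional[str]:
    """Return the listing code (e.g. '127.0.0.2') if ip is listed, else None.

    A non-127/8 answer is treated as "not listed" because it cannot be a
    DNSBL listing; a caller that cares can log it as a zone anomaly.
    """
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    if ipaddress.IPv4Address(answer) in LISTING_RANGE:
        return answer
    return None


# Constructed answer table (hypothetical, not ORBS data) so the check can
# be run offline: one listed host, one host with a non-127/8 answer from a
# misbehaving zone, and everything else NXDOMAIN.
CONSTRUCTED_ZONE: Dict[str, str] = {
    "10.2.0.192." + ORBS_ZONE: "127.0.0.2",
    "12.2.0.192." + ORBS_ZONE: "203.0.113.5",
}


def offline_resolver(name: str) -> Optional[str]:
    """Stand-in resolver that answers only from CONSTRUCTED_ZONE."""
    return CONSTRUCTED_ZONE.get(name)


if __name__ == "__main__":
    for host in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        code = check_listing(host, resolve=offline_resolver)
        print(f"{host}: {'listed (' + code + ')' if code else 'not listed'}")
```

Used against the real resolver (`check_listing("203.0.113.9")`, say) this performs the same lookup a mailer's DNSBL hook would, which is why it also finds netblock and manual entries that a web form might not show: the DNS zone is the authoritative view.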