nanog mailing list archives
RE: RBL-type BGP service for known rogue networks?
From: "Roeland M.J. Meyer" <rmeyer () mhsc com>
Date: Sun, 9 Jul 2000 09:04:51 -0700
Sabri Berisha: Sunday, July 09, 2000 8:27 AM On Sat, 8 Jul 2000, Roeland M.J. Meyer wrote:I agree. MHSC lost an entire market plan, hosting third-party secure mail, becasue third-party mail services must allow relaying that is at minimum semi-open. At the time SMTP AUTH didn't exist (Until it's use becomes more wide-spread it
still
isn't real useful). The anti-relay bunch are killing a valid business model.I can understand your grief. However, I expect you to have the same commen sense most of us have and you will probably know who to blame for this. Do you wish to blame the spammers or the volunteers who fight
spam? Now that you mention it, yes I do. Spammers don't block access. The RBL, which my systems subscribe to, only lists systems that are PROVEN to originate or relay spam. ORBS simply is on the "close all relays" jihad even if the system never saw spam. This is very Napoleanic, not something that I can condone. Also, as I said, there are valid reasons to allow third-party relays. In fact, they are even required, depending on circumstances. The ORBS effort, at forcing closure of ALL relays, and their faulty testing (see prior message), actually creates a security problem. If you don't see requireing internal confidential email to go through an untrusted IAP mail hub as a security issue then we have nothing more to talk about.
Even for internal use, we have staff, on client-site, that need to send/recieve their mail from our servers, even when their lap-top is DHCP attached to another net-block. Every week we find ourselves having to open the
relays
more and more. Next week, I am travelling to the EU on
business.
That's yet more net-blocks that I have to allow relaying
from.
I know of an isp in the netherlands that has it's relay open
for their
users from all over the world. They built this system that checks if you have logged on using pop3 at least 1 time in the lasts 5 minutes. If you did; you can relay. If you did not; your mail will be rejected. http://www.dds.nl is the project; their admins can tell you
more. SMTP AUTH is more useful. We are looking into POP/SSL. POP before SMTP is consiidered a non-starter.
Using the same sort of mind-set to subjectively BL
script-kiddee
networks is dangerous, as the ORBS bunch has shown. It is all
too
easy for it to get out of hand, vigilante-style. What are the criteria and who has the over-sight?You can find the criteria on http://www.orbs.org
The criteria is arguable, but more importantly, where is the oversight?
That said, having had a few of our production hosts "owned",
by
mwsh in the past, I am NOT fond of script-kiddies and agree
that
something needs to be done. But, I am seriously resistant to
yet
another ORBS style regulator bunch. That is NOT the answer. Please, let's all look for another solution.You are free to come with a proposal?
How about setting up a REAL organization for once, rather than these ad hoc hanging committees? You know, incorporate a non-profit, feed it $$$ and watch it grow? Require membership approval, oversight, etc.? You know, legitimate operations.
Current thread:
- Re: "top secret" security does require blocking SSH, (continued)
- Re: "top secret" security does require blocking SSH Alex Bligh (Jul 09)
- RE: "top secret" security does require blocking SSH Derrick (Jul 09)
- Re: "top secret" security does require blocking SSH Alex Bligh (Jul 09)
- RE: "top secret" security does require blocking SSH Roeland M.J. Meyer (Jul 09)
- RE: "top secret" security does require blocking SSH Christopher Palmer (Jul 10)
- RE: "top secret" security does require blocking SSH Greg A. Woods (Jul 09)
- Re: "top secret" security does require blocking SSH Greg A. Woods (Jul 09)
- Open Broadcast Amplifier networks list. Simon Lyall (Jul 12)
- Re: "top secret" security does require blocking SSH Stephen Sprunk (Jul 09)
- RE: RBL-type BGP service for known rogue networks? Sabri Berisha (Jul 09)
- RE: RBL-type BGP service for known rogue networks? Roeland M.J. Meyer (Jul 09)
- Re: RBL-type BGP service for known rogue networks? Richard Irving (Jul 09)
- RE: RBL-type BGP service for known rogue networks? Derek J. Balling (Jul 09)
- RE: RBL-type BGP service for known rogue networks? Roeland M.J. Meyer (Jul 09)
- Re: RBL-type BGP service for known rogue networks? Valdis . Kletnieks (Jul 10)
- Re: RBL-type BGP service for known rogue networks? Scott McGrath (Jul 10)
- Re: RBL-type BGP service for known rogue networks? Brett Frankenberger (Jul 11)
- OT: C&W Engineer Bradly Walters (Jul 11)
- RE: RBL-type BGP service for known rogue networks? Sabri Berisha (Jul 09)
- RE: RBL-type BGP service for known rogue networks? Roeland M.J. Meyer (Jul 10)
- RE: RBL-type BGP service for known rogue networks? Greg A. Woods (Jul 09)