RE: RBL-type BGP service for known rogue networks?

[rdobbins () netmore net]

ORBS forge headers (thereby violating the RFC) to look as if they're coming
from domains you host, then if it goes through, they put you in their little
black book for being an 'open relay'.  No notice, nothing.

The problem with this is that for hosting-only providers like my firm, it's
blatantly unfair.  We have thousands of users residing on networks (lots of
dynamic addresses) all over the world who have domains hosted with us; they
also have email aliases for the domains they host here.  And while we
encourage them to use IMAP, it's like herding cats to get any substantial
percentage doing anything other than basic POP and SMTP.

POP-before-SMTP isn't viable for the same reason that it's extremely
difficult to get people to use IMAP; to wit, users tend to resist change.
In a corporate environment, you can force remote users to use additional
authentication mechanisms, as long as you're willing to set them up and
train the users.  Out here in the world, though, if you come down on people
over something which forces them to change the way they do things in any
substantial way, they vote with their feet and go to some other provider who
not only doesn't secure his mail relay, but ignores spam complaints, as
well.

Our NOC staff act -immediately- upon any complaints of spam or forged mail -
no one has ever acused us of being a spam-house or anything other than
spammer-*unfriendly*.  And yet, due to the current well-known limitations of
SMTP as currently defined in the standard, their blatant adoption of
RFC-violating spammer tactics, and their unwillingness to acknowledge that
not every provider offers transport to his userbase (thereby rendering
address-based validation unworkable), the ORBS folks decide to tar my
organization with the same brush as, say, rr.com.

No discussion, no examination of our track record and response-times, nada.

Where's the equity in that, I ask you?

-----------------------------------------------------------
Roland Dobbins <rdobbins () netmore net> // 818.535.5024 voice
 

-----Original Message-----
From: Peter van Dijk [mailto:petervd () vuurwerk nl]
Sent: Saturday, July 08, 2000 10:15 AM
To: nanog () merit edu
Subject: Re: RBL-type BGP service for known rogue networks?



On Sat, Jul 08, 2000 at 12:35:14PM -0400, Greg A. Woods wrote:
> [ On Saturday, July 8, 2000 at 08:42:41 (-0700), Randy Bush wrote: ]
> > Subject: Re: RBL-type BGP service for known rogue networks?
> >
> > > ORBS lists open relay by policy. As simple as that. If ORBS is aware
that
> > > you are an open relay, you get listed. ORBS is 100% objective.
> >
> > as we all know, this is utter horsepucky.  orbs goes vigilante crazy and
> > blackholes entire isp blocks over political poweplay nonsense.
>
> Listing a net-block that has several proven open relays within it but
> which will not allow testing, is not "going vigilante crazy" -- it's a
> very very reasonable and well thought out reaction (i.e. there is no
> lesser action possible since the originally tested open relays have been
> moved to new address space within the block).

Let me explain some things:
- ORBS does not blackhole. It lists hosts and sometimes complete netblocks.
  $administrator can then choose to take any action (or not!) based on
  these listings.
- ORBS lists hosts in several categories. One is 'open relay inputs'.
  Another is 'open relay outputs' (most open relays will be both). Yet
  another is 'untested/untestable'. Hosts/netblocks can end up in this
  last category in two ways:
  - by request from the admin of that host/netblock
  - when ORBS finds out that they are being blocked specifically.

It is therefore incorrect to state 'ORBS blackholes whole netblocks'. These
netblocks are listed *different* from open relays. The admin that decides
to use ORBS has a choice to block *only* open relays, or also block hosts
that do not want to be tested by ORBS.

I hope this clears things up.

> It is critically important to also realise that "ORBS" itself doesn't
> "go crazy" and do these things -- such "rogue net-block" listings are
> directly a result of pressure from ORBS users.  Such users who continue
> to get spam from relays they've reported to ORBS for testing will
> complain and put pressure on the ORBS administrators until there is no
> other choice but to list the entire offending net-block.

Nope. ORBS doesn't do 'user pressure'. Such net-block listings (as
'untestable', not as 'open relay') are only done based on actions/requests
by admins responsible for these netblocks.

> Use of the term "blackhole" in this context is not only wrong but also
> misleading.  It is very important to understand that ORBS users are free
> to programmatically ignore, in real time, that section of the ORBS
> database which lists the so-called "rogue" net-blocks and only use the
> section of the database which contains actually verified relay results.

Correct, this is what I explained above.

> In my humble opinion any admin who permits their mailer to receive any
> e-mail from a known open relay (even so-called legitimate e-mail, since
> there's absolutely no way to identify legitimacy at the protocol level)
> is an accessory to any theft-of-service attack perpetrated on the relay,
> and is furthermore "guilty" in part of allowing known spam to reach
> their end users (assuming of course that they are willing to do anything
> at all in the first place to protect their users from unsolicited junk
> e-mail).  To this end an impartial and independent testing service such
> as ORBS is critical to the success of such efforts.  The other services
> you mention are valuable, but nowhere near as powerful, and they are far
> more susceptible to unnecessary delays (time is critical in spam
> fighting!), and by definition they are more susceptible to human error.

Yes. On the other hand, one might say that you as an admin do not have the
right to block *any* mail for your users. This is solved by for example
just inserting headers based on ORBS-listing and not outright rejecting
mail, and then leaving the choice to your users thru procmail or other
per-user filtering means.

> Finally it cannot be pointed out enough times that the administrators of
> the so-called "rogue" blocks need only change their attitudes and
> co-operate with ORBS in order to make this issue completely go away.

Correct.

> Any SMTP service administrator who believes that SMTP port is totally
> private property is sadly mistaken and should firewall it if they really
> want it to be private.  Being irrational about public testing of public
> services is, frankly, insane.  Public testing by a known independent
> non-profit agency should be vigorously welcomed by all network admins!

Correct again. AboveNet blackholing ORBS is therefore an action I do not
understand, especially since they host MAPS.

I see 2 possibilities:
- MAPS doesn't test if a reported spamhouse is really an open relay, and is
  therefore susceptible to forgery.
- MAPS does do open relay testing and therefore performs the same
  'unsolicited traffic' as ORBS, which would mean they're hypocritic.

Greetz, Peter.
-- 
petervd () vuurwerk nl - Peter van Dijk [student:developer:ircoper]