
RE: Stealth Blocking
From: Roeland Meyer <rmeyer () mhsc com>
Date: Wed, 23 May 2001 19:35:42 -0700

From: David Schwartz [mailto:davids () webmaster com]
Sent: Wednesday, May 23, 2001 7:10 PM

Roeland Meyer wrote:

I don't need to check because I have a piece of confirmed spam from them. A smoking gun. That's the way MAPS RBL has been working for years. That is the way I expect it to continue to work. The main reason that I posted to this thread is that some of the posts lead me to believe otherwise. They were

      I think you're missing the big picture. If you receive a single piece of spam from a site, that's not automatically grounds to block the site. That's a recipe for maximizing collateral damage.

      So the receipt of a spam from a site is the beginning of the process, not the end.

Actually, I simplified the process. I agree with you 100% here. I don't have the time for such an investigation, therefore I use MAPS RBL.

  Absolutely. Probe the machine that is of concern, not whole blocks randomly.

Also, only block the proven spam-host. No one else.

      That's a more complex judgment. In most cases, I agree that this is appropriate, but I can think of (and have personally witnessed) more extreme circumstances. I've seen ISPs who say, "no, we like to spam and we will spam in the future". In those extreme cases, I'll block their entire address space from reaching my mail servers until their policy changes.

Another reason to use MAPS RBL.

  No, its open-relay status is not irrelevant. If you know a site is an open relay, however you know this, and you want to block open relays (which I do) and it's my right to block open relays, then I will block them. How I find out they're an open relay is another story. The usual way is you probe a site when it becomes an actual problem.

I submit that if you have a piece of spam, from a site, and are blocking them, why do you need to probe them?

      Well, if you're blocking them because they're an open relay and they say they've fixed the problem, it's certainly reasonable to probe them to decide whether you should begin allowing mail from them. Or do you think it's better to block them indefinitely just so that you don't 'trespass' by probing them?

I'm actually not advocating blocking all open relays. I am advocating blocking all spammers, whether they have open relays or not. There are actually open relays that a spammer can never use, because the open relay site uses MAPS RBL. They are collateral damage, with ORBS. Show me how such a site can be used by a MAPS RBL'd spammer. BTW, yet another reason to use

  3) Do you think it's unreasonable to block known open relays as a protection against future spam.

Absolutely not. Our entire Norte Americano culture is biased AGAINST a priori

The following is a real good example of why I don't like argument by
analogy. Your analogy is broken. Let's deal with the issue directly. We
actually seem to be on the same side here or not very far apart.

      Nonsense! This argument would say that you should allow children to bring guns into school provided they haven't yet shot them. Our culture is biased against a priori restrictions upon speech imposed by the government, but there is nothing inherently bad about a priori restrictions.

You DO NOT spank someone for something that they have NOT, in fact, done. It's called prior restraint and there is a reason that it is considered unjust. It violates the PURE WAR ethos. There is no excuse for collateral damage. Innocents should not be involved, period. This is important because we DO have the technology to wage the PURE WAR and are ethically compelled to use it.
