Home page logo

nanog logo nanog mailing list archives

Re: Scanning (was Re: Stealth Blocking)
From: woods () weird com (Greg A. Woods)
Date: Sun, 27 May 2001 02:02:24 -0400 (EDT)

[ On Sunday, May 27, 2001 at 00:17:29 (-0400), William Allen Simpson wrote: ]
Subject: Re: Scanning (was Re: Stealth Blocking)

And I love you too....  IIRC, investigation some time ago uncovered 
that these various services originated from and used the same 

The facts are not that hard to see from the current information
available on their repective web pages -- if you care to look; and can
be corroberated with other documentation easily found online with the
assistance of Google, etc.

One or more of them did automated scanning, with considerable false 
positives.  Hard to remember the details after all this time.  They 
were all associated with the same belligerent operator.

IMRSS certainly did very systematic scanning for open relays.  However I
don't see how it could have detected any false positives since it was
actually collecting relayed messages -- a relayed message sent from a
more or less arbitrary host out there on the internet almost certainly
indicates that the tested host is an open relay, no?

There's only one possible exception I can think of, and if memory serves
me correctly that particular exception could only have accounted for one
or two of the hundreds of thousands of open relays IMRSS found.  That
exception being of course that it detected its own upstream relay(s)
which would perhaps have explicitly authorised it to relay a message.

Greg, I'm sure you've done good things in the past.  CVS comes to
mind?  (assuming my memory is not entirely failing.)

(I've not done much but debate about CVS lately -- though I still
maintain Smail-3 and I contribute to *BSD and other minor things.)

 But, ORBS
remains indefensible.

It would seem that I have no problems either defending it, or using it.
Whether I'm successful in the latter endeavour is only for me to decide.
Whether I'm successful in the former endeavour is a larger question.

The MAPS leads to far fewer mistakes -- does not block non-relaying 
servers just because they don't think the network has sufficient 
"action against spammers in recent months."  That's entirely 
judgmental, not operational.

The mechanically verified part of ORBS cannot, by definition, lead to any

It all comes down to trust and reliability.  I trust MAPS.

I implicitly trust both MAPS and ORBS -- at least with my ability to
receive e-mail!  ;-)

In fact I trust the mechanially verified primary ORBS list far more than
any other related and manually maintained service.  By now the softare
maintaining that list has been extremely well tested and will most
certainly never make anywhere near as many mistakes as even the most
careful human.

 We've been 
falsely accused by ORBS,

Which list were you on again?  Wasn't it the manual netblocks list?

without any evidence of spamming.

Please do not forget that ORBS goal is not to detect or prevent spamming
per se.  It's full name should make this clear:  Open Relay Behaviour-
modification System.  Any open relay is a bad thing regardless of
whether it has yet been abused by a spammer (because it will undoubtably
be abused unless it is closed first).

I don't block e-mail from ORBS-listed hosts (just) because it might be
spam.  I block it because I do not wish to knowingly be a party to any
acts of theft of service or fraud.  If the received headers were part of
the SMTP envelope then it might be possible to be more discerning about
which messages to reject from an open relay, but with our current
protocol that is not possible and so I must simply block all e-mail from
any known open relay.

 ORBS blocks 
for political reasons, rather than technical.

I guess I can't really disagree with that, though I will point out that
I am using ORBS as a deterrent against such acts of theft of service and
fraud and thus it is in fact what's known as a "technical control".

 'nough said, for now.

or that....  :-)

                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods () acm org>     <woods () robohack ca>
Planix, Inc. <woods () planix com>;   Secrets of the Weird <woods () weird com>

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]