Home page logo

nanog logo nanog mailing list archives

ORBS (Re: Scanning)
From: "E.B. Dreger" <eddy+public+spam () noc everquick net>
Date: Sun, 27 May 2001 14:15:06 +0000 (GMT)

Date: Sun, 27 May 2001 02:02:24 -0400 (EDT)
From: Greg A. Woods <woods () weird com>

But, ORBS remains indefensible.

It would seem that I have no problems either defending it, or using it.

ORBS catches far more than MAPS.  My take is that anybody who has a
problem with the infrequent ORBS probes should have a huge problem with
the daily bombardment of relay attempts.

Besides, whoever said that one must use ORBS "out of the box"?  I maintain
a whitelist of IP addresses to override ORBS.  As much as I'd like to see
Earthlink get a clue, MSN close their relays (have they yet?), and
RoadRunner cooperate, I allow their MXes through when I find them.

Modern spammers have gotten nasty.  They use hundreds of different relays,
each time changing the source address:

        a57e6s () t8iji7 somedomain tld
        in46hi () diief4 anotherdomain tld
        xkm8ey () ithi62 yetanotherdomain tld

with * DNS so that all subdomains resolve, and the subject:

        I have no respect for netiquette!!!!!      [i35ed7]
        I have no respect for netiquette!!!!!      [ed8ooe]
        I have no respect for netiquette!!!!!      [h8qi2h]

So as to throw off MXes that look for the same message again and again.
I suppose that scanning the body and looking for repetition is possible,
but it's only a matter of time until _that_ get perturbed in 100 different

Bottom line:  Blocking mail from rogue servers is the best way to stop
spam and to not be a party to somebody else getting relay-raped.  Anyone
with clue closed relays how many years ago?

I don't buy the "we need open relay for nationwide users" argument,
either.  Build a cheap MX that does nothing but take mail from a given
POP, and send it to the world.  Anti-spoofing at the border, don't accept
mail from the outside world, and you're done.



Brotsman & Dreger, Inc.
EverQuick Internet Division

Phone: (316) 794-8922


Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist () brics com>
To: blacklist () brics com
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots.  Do NOT
send mail to <blacklist () brics com>, or you are likely to be blocked.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]