
nanog mailing list archives

RE: ORBS (Re: Scanning)
From: "Patrick W. Gilmore" <patrick () ianai net>
Date: Sun, 27 May 2001 14:27:03 -0400


At 11:10 AM 5/27/2001 -0700, Roeland Meyer wrote:
>
>> From: Derek Balling [mailto:dredd () megacity org]
>> Sent: Sunday, May 27, 2001 10:49 AM
>>
>> At 9:11 AM -0700 5/27/01, Roeland Meyer wrote:
>> >A system that tests positive for ORBS, yet is using MAPS, will not be used
>> >as a spam relay. Yet, ORBS will list such a system.
>>
>> I'm not sure I understand this logic:
>>
>> 1.) They test positive for orbs... so they ARE an open relay
>> 2.) That system is using MAPS, which means that there is some subset
>> of systems the open relay itself rejects mail from
>
>I somehow missed your logic here. A MAPS blocked system is, by definition
>NOT an open-relay, since it IS MAPS-blocked. Yet, ORBS will list it as an
>open-relay. I agree, there is a disconnect here. Your second premise
>invalidates the first. This may be a semantic issue, please examine and
>clarify.

>A MAPS-blocked system may show as an open-relay to another system not listed
>in MAPS. However, it will show as closed to a system that is listed in MAPS.
>It all depends on the source of the test. AHA! Maybe ORBS should be listed
>in MAPS? That will certainly resolve this problem and ORBS will no longer
>show false positives.

Although I do not really like ORBS, I thought the first explanation was closer.

(NOTE: I assume we are only discussing the MAPS RSS, not other MAPS products.)

I was under the impression that an open relay listed in MAPS is still an open relay. MAPS cannot reconfigure other people's mail servers. However, if my mail server subscribes to MAPS, my mail server will automatically reject mail from your server if it is listed in MAPS. This does not make your mail server a "closed relay"; I just deny all mail from you. As such, even "good" e-mail from your own end users will be denied. This is what some call "collateral damage".

Also, two systems listed in MAPS will still accept e-mail from each other (assuming they do subscribe to MAPS, which would be silly since they are both open relays and listed in MAPS).

So, listing ORBS in MAPS would not really do much good. Besides, ORBS is not an open relay, not a whole lot of mail (unless they are probing you :) and probably no spam comes from ORBS, so who cares?

Did you know that MAPS has been listed in ORBS for quite a while? :) (It is rumored - proven to some of us - that ORBS will list servers out of spite. And by ORBS' own documentation, it will list any server which blocks an ORBS probe, whether open or not.)


I think we can pretty much end this thread. Anyone who wants to block as much spam as they can, even at the cost of a lot of "real" e-mail, please use ORBS. Your server, your choice. Those of us who like a more surgical approach with less collateral damage can use MAPS. And those of us who love their delete key can use nothing. :)

All I suggest is that EVERYONE close their relays.  Period.


Now, can't we all just get along? :)

TTFN,
patrick
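
The behaviour debated in this thread, modelled as an added example that is not part of the original message: a subscribing server checks the connecting client against a blocklist before any relay decision, so the outcome of a relay test depends on both the server's relay setting and the tester's own listing status. Assumptions: the list is queried the conventional DNSBL way (reversed octets under a zone, answer in 127.0.0.0/8); the zone `rss.example`, the class and function names, and all addresses are constructed placeholders.

```python
import ipaddress

ZONE = "rss.example"  # placeholder zone, not a real blocklist
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_name(ip, zone=ZONE):
    """Conventional DNSBL query name: reversed IPv4 octets + zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_listed(ip, resolve):
    """Listed if the query name resolves to an address in 127.0.0.0/8."""
    answer = resolve(dnsbl_name(ip))
    return answer is not None and ipaddress.ip_address(answer) in LOOPBACK

class MailServer:  # hypothetical model of a receiving MTA's policy
    def __init__(self, open_relay, subscribes):
        self.open_relay, self.subscribes = open_relay, subscribes

    def handle(self, client_ip, rcpt_is_local, resolve):
        """Return 'rejected', 'delivered', 'relayed' or 'relay denied'."""
        if self.subscribes and is_listed(client_ip, resolve):
            return "rejected"  # blocklist check runs before any relay logic
        if rcpt_is_local:
            return "delivered"
        return "relayed" if self.open_relay else "relay denied"

# Constructed sample data (documentation address ranges).
LISTED_RELAY = "192.0.2.10"  # an open relay that is on the list
PROBER = "198.51.100.7"      # a relay tester
ZONE_DATA = {dnsbl_name(LISTED_RELAY): "127.0.0.2"}
WITH_PROBER = {**ZONE_DATA, dnsbl_name(PROBER): "127.0.0.2"}

def scenarios():
    listed_open = MailServer(open_relay=True, subscribes=False)
    subscriber = MailServer(open_relay=False, subscribes=True)
    open_subscriber = MailServer(open_relay=True, subscribes=True)
    return {
        # Being listed does not reconfigure the listed server.
        "listed relay, relay test": listed_open.handle(PROBER, False, ZONE_DATA.get),
        # Legitimate user mail from the listed server: collateral damage.
        "subscriber, mail from listed": subscriber.handle(LISTED_RELAY, True, ZONE_DATA.get),
        # Same open relay, two test sources, two different results.
        "open subscriber, unlisted tester": open_subscriber.handle(PROBER, False, ZONE_DATA.get),
        "open subscriber, listed tester": open_subscriber.handle(PROBER, False, WITH_PROBER.get),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```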



