ORBS block

Greg A. Woods woods at most.weird.com
Fri Dec 17 21:22:55 UTC 1999

[ On Friday, December 17, 1999 at 14:41:48 (-0500), Daniel Senie wrote: ]
> Subject: Re: ORBS block
> I do suppose that says it all. You don't care to talk to large numbers
> of people and so you use a service which indiscriminately blocks systems
> out of spite when asked to stop probing (whether those systems are
> relays or not).

My security policy says that I should not accept SMTP connections from
insecure mailers (i.e. mailers that are susceptible to theft of service
attacks).  There's nothing "in-discriminant" about it -- it's very
discriminating and extremely specific in its intent.  If ORBS or
something very much like it did not exist to share this valuable
information I would be forced to implement similar checks on a dynamic
per-connection basis (though hopefully with some form of result
caching).  I'm sure most *network* operators would agree that one shared
service is highly preferable to having every mailer with a similar
policy performing such checks regularly on every mailer they communicate
with!  Indeed most mailer operators would probably feel the same too.

I'm obviously not an ISP, but even a few ISPs are using ORBS, and more
are considering blocking mail from open relays (either with ORBS or with
similar lists).  I can't say anything further about these ISPs, of course.

Meanwhile those of you who do not choose to, or do not understand how
to, work with ORBS (and others like them), will just have to suffer and
learn to live with the fact that there are at least two sides to every

>  Your server looks for an A record with the domain
> sending. This is bogus. I send from a system with an MX record pointing
> to the system which is sending, and A records for the names in the MX
> records. This valid config is rejected by your server.

Perhaps you should re-read RFC 1123 #5.2.5, keeping in mind that it is
within my right as the owner of the system in question to ignore any
given part of an RFC where I deem it necessary to do so.

(i.e. I require your server to adhere to the requirement in RFC 1123
#5.2.5 regardless of the fact that the RFC advises I should not directly
refuse connections when it is not met.)

> I suspect mail
> through ACM will get to you, though.

Yes, of course -- their mailer and DNS are correctly configured (though
surprisingly little spam gets through -- they've got very effective

							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods at acm.org>      <robohack!woods>
Planix, Inc. <woods at planix.com>; Secrets of the Weird <woods at weird.com>
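
The HELO check argued over above, as an added example that is not part of the original post or either correspondent's configuration. It assumes the check is on the HELO argument having an A record, and contrasts refusing on failure with the accept-anyway behaviour RFC 1123 5.2.5 advises. The zone data, host names, addresses and the 550 reply code are constructed for illustration.

```python
# Added illustration: zone data, names and addresses below are constructed.
from dataclasses import dataclass

ZONE = {  # name -> {record type: [values]}
    "mail.example.net": {"A": ["192.0.2.10"]},
    "example.org": {"MX": ["mx1.example.org"]},  # MX only, no A record
    "mx1.example.org": {"A": ["192.0.2.25"]},
}

@dataclass
class Verdict:
    code: int            # SMTP reply code sent for HELO
    verified: bool       # HELO name resolved to at least one A record
    matches_peer: bool   # one of those A records equals the client address
    note: str

def lookup_a(name, zone=ZONE):
    """A records for name in the constructed zone (stands in for real DNS)."""
    return zone.get(name.rstrip(".").lower(), {}).get("A", [])

def check_helo(helo_name, peer_ip, strict, zone=ZONE):
    """Verify the HELO argument names a host with an A record.

    strict=True  refuses on failure (the local policy described in the post).
    strict=False records the failure but accepts, as RFC 1123 5.2.5 advises.
    Reply code 550 is this example's choice, not taken from the post.
    """
    addrs = lookup_a(helo_name, zone)
    verified = bool(addrs)
    matches = peer_ip in addrs
    if verified:
        return Verdict(250, True, matches, "HELO name has an A record")
    note = f"no A record for HELO name {helo_name!r}"
    if strict:
        return Verdict(550, False, False, note)
    return Verdict(250, False, False, note + " (logged, accepted)")

if __name__ == "__main__":
    for name in ("example.org", "mx1.example.org"):
        for strict in (True, False):
            print(name, strict, check_helo(name, "192.0.2.25", strict))
```

A client that says HELO with a domain that has only an MX record is refused under the strict setting, while the same client using the name of the host listed in that MX record passes.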
