Stealth Blocking

Roeland Meyer rmeyer at
Thu May 24 01:12:56 UTC 2001

> From: David Schwartz [mailto:davids at]
> Sent: Wednesday, May 23, 2001 5:24 PM
> > > From: David Schwartz [mailto:davids at]
> > > Sent: Wednesday, May 23, 2001 4:54 PM
> > >
> > > > In the PURE war, one ONLY shoots confirmed bad-guys and has ZERO
> > > > collateral damage.
> > >
> > > 	So if someone has a machine gun and is firing randomly,
> > > you don't act to stop him until he happens to hit someone?
> >
> > Lottsa mitigating circumstances here;
> > .Are they shooting spam?
> > .Are they trying to hit anyone?
> 	How can you tell if you don't check? As soon as you 
> have reason to believe
> they're creating a hazard to innocent people, you are 
> justified in checking
> if they really are. This has been standard Internet practice 
> since day one.

I don't need to check because I have a piece of confirmed spam from them. A
smoking gun. That's the way MAPS RBL has been working for years. That is the
way I expect it to continue to work. The main reason that I posted to this
thread is that some of the posts lead me to believe otherwise. They were

> > One spammer is no justification for nuking their entire 
> city. Targeted
> > response, sir ... targeted response. That's what MAPS is, a laser
> > beam, not
> > a hand grenade.
> 	Absolutely. Probe the machine that is of concern, not 
> whole blocks randomly.

Also, only block the proven spam-host. No one else.

> > > That's madness. [I] don't advocate
> > > random scanning, as it is unethical to probe random people for
> > > vulnerability. However, once you know there is in fact an
> > > open relay, you are entirely justified in blocking it.
> > Agreed, but its open-relay status is irrelevant. The fact 
> that one has
> > proof-positive of spam, from that site, is.
> 	No, its open-relay status is not irrelevant. If you 
> know a site is an open
> relay, however you know this, and you want to block open 
> relays (which I do)
> and it's my right to block open relays, then I will block 
> them. How I find
> out they're an open relay is another story. The usual way is 
> you probe a
> site when it becomes an actual problem.

I submit that if you have a piece of spam, from a site, and are blocking
them, why do you need to probe them?

> 	So let me ask you three questions:
> 	1) If I find out a site is an open relay by legitimate 
> means, do you agree
> that I have the right to block it if I want to?


> 	2) If a site sends me spam or otherwise inconveniences 
> me, do you agree
> that I have the right to probe it to see if it's an open 
> relay if I wish to
> do so?


> 	3) Do you think it's unreasonable to block known open 
> relays as a
> protection against future spam?

Absolutely not. Our entire Norte Americano culture is biased AGAINST a priori
restrictions. You DO NOT spank someone for something that they have NOT, in
fact, done. It's called prior restraint and there is a reason that it is
considered unjust. It violates the PURE WAR ethos. There is no excuse for
collateral damage. Innocents should not be involved, period. This is
important because we DO have the technology to wage the PURE WAR and are
ethically compelled to use it.

> > > And if you have legitimate reason to
> > > suspect a site is an open relay, you are entirely justified
> > > in probing it to see whether or not it is.
> > No you are not, by your own ethical standards. Suspicion is not
> > proof. Only
> > a piece of spam, in hand, from that specific site, is 
> sufficient grounds.
> 	If you really believe what I think you're saying, then 
> you would have to
> object to, for example, the ident protocol.

I think we have [only] a slight disconnect here. ident is part of the
protocol. [side note: I'm setting up a new Postfix host (my first Postfix
host ... used to doing sendmail). Does Postfix do SMTP AUTH?]

> > > 	If your neighbor is aiming a gun at you, you are
> > > justified in checking to see if it's loaded.
> > No you are not, you assume that it is and fire first 
> <grin>. But, you are
> > not justified in taking out his whole block, including the other
> > neighbors.
> > You are not allowed ANY collateral damage. Anything less is 
> sloppy anyway.
> > What's the matter, ain't you that good? Can't you aim?
> 	The only collateral damage is that the man's children 
> lose their father. There's nothing you can do about that.

Yes, but with ORBS, they take out the entire town, even if there aren't any
spammers there. That's serious collateral damage. It is unacceptable. It is
not the PURE WAR.

> Similarly, if you block a site that's
> a known problem, you inconvenience any legitimate mail 
> traffic that might have passed through that site.
> But that's the kind of collateral damage
> that's unavoidable.

Not really, since it is the owner of the site that is directly responsible
for that site's mail delivery. The atomic unit is the site, not the users of
that site. To go effectively below that level of granularity is, IMHO, not
technologically feasible.

> Unfortunately, you have to make hazardous
> misconfigurations inconveniencing or they won't be fixed.

There is a major distinction between a spam hazard and a proven spam site.
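As an added illustration of the "laser beam, not a hand grenade" point argued in this thread (this is not code from the thread or from MAPS/ORBS; the names, the evidence strings and the addresses are my own construction, with the addresses drawn from the RFC 5737 documentation ranges so they refer to no real site), the sketch below builds two blocklists for the same proven spam host, one as a single /32 entry that can only be added with evidence in hand, the other as a whole /24, and counts how many legitimate senders each one rejects as collateral:

```python
"""Targeted host blocking vs. netblock blocking: counting collateral damage.

Added example, not part of the NANOG thread. All data is constructed;
192.0.2.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class BlockEntry:
    network: ipaddress.IPv4Network  # a proven host is a single /32
    evidence: str                   # what justified adding the entry


def add_proven_host(blocklist, ip, evidence):
    """Add one host, and only with a 'smoking gun' (evidence) in hand."""
    if not evidence.strip():
        raise ValueError("refusing to block %s without evidence" % ip)
    network = ipaddress.ip_network(ip)          # bare host string -> /32
    if network.num_addresses != 1:
        raise ValueError("targeted list takes single hosts, not %s" % ip)
    blocklist.append(BlockEntry(network, evidence))


def add_netblock(blocklist, cidr, reason):
    """The wholesale entry the author objects to: a whole prefix at once."""
    blocklist.append(BlockEntry(ipaddress.ip_network(cidr), reason))


def matching_entry(ip, blocklist):
    """Return the entry that rejects this sender, or None if it is accepted."""
    addr = ipaddress.ip_address(ip)
    for entry in blocklist:
        if addr in entry.network:
            return entry
    return None


def is_blocked(ip, blocklist):
    return matching_entry(ip, blocklist) is not None


def collateral(blocklist, senders, proven_spam_hosts):
    """Senders the list rejects that are NOT themselves proven spam hosts."""
    spam = {ipaddress.ip_address(h) for h in proven_spam_hosts}
    caught = []
    for sender in senders:
        addr = ipaddress.ip_address(sender)
        if addr not in spam and is_blocked(sender, blocklist):
            caught.append(addr)
    return [str(a) for a in sorted(caught)]


# --- constructed sample data -------------------------------------------------
PROVEN_SPAM_HOSTS = ["192.0.2.45"]
# Legitimate senders that share the /24 with the spam host, plus one elsewhere.
SENDERS = ["192.0.2.10", "192.0.2.45", "192.0.2.200", "198.51.100.7"]

TARGETED = []   # the author's preferred list: one /32 per proven spam host
add_proven_host(TARGETED, "192.0.2.45",
                "spam received 2001-05-23, Message-ID <constructed-example>")

NETBLOCK = []   # the "take out the whole town" list
add_netblock(NETBLOCK, "192.0.2.0/24", "whole netblock listed wholesale")


def report(blocklist, senders=SENDERS, spam_hosts=PROVEN_SPAM_HOSTS):
    """Summarise what a list rejects and how much of that is collateral."""
    rejected = [s for s in senders if is_blocked(s, blocklist)]
    return {"rejected": rejected,
            "collateral": collateral(blocklist, senders, spam_hosts)}


if __name__ == "__main__":
    for name, bl in (("targeted /32", TARGETED), ("netblock /24", NETBLOCK)):
        print(name, report(bl))
```

Run stand-alone, the targeted list rejects only the proven host and reports no collateral, while the /24 entry also rejects the two legitimate senders that merely share the prefix; `add_proven_host` refuses both an empty evidence string and a CIDR argument, which is the "proof in hand, one host at a time" discipline the author describes.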

More information about the NANOG mailing list