Stealth Blocking

David Schwartz davids at
Thu May 24 02:10:03 UTC 2001

Roeland Meyer wrote:

> I don't need to check because I have a piece of confirmed spam from them. A
> smoking gun. That's the way MAPS RBL has been working for years. That is the
> way I expect it to continue to work. The main reason that I posted to this
> thread is that some of the posts led me to believe otherwise. They were
> confused.

	I think you're missing the big picture. If you receive a single piece of
spam from a site, that's not automatically grounds to block the site. That's
a recipe for maximizing collateral damage.

	Receiving spam from a site is your grounds for investigating the site.
Perhaps you file a complaint. Perhaps you do a web search to see if others
have complaints about the same site. Perhaps you check if the mailer is an
open relay. Perhaps you wait for the site's administrator to respond to you.

	In some cases, you can't make a rational judgment without all this
additional information. In some cases, you can make one immediately based
only upon the immediate circumstances.

	So the receipt of a spam from a site is the beginning of the process, not
the end.

> > 	Absolutely. Probe the machine that is of concern, not whole blocks
> > randomly.

> Also, only block the proven spam-host. No one else.

	That's a more complex judgment. In most cases, I agree that this is
appropriate, but I can think of (and have personally witnessed) more extreme
circumstances. I've seen ISPs who say, "no, we like to spam and we will spam
in the future". In those extreme cases, I'll block their entire address
space from reaching my mail servers until their policy changes.

> > 	No, its open-relay status is not irrelevant. If you know a site is an open
> > relay, however you know this, and you want to block open relays (which I do)
> > and it's my right to block open relays, then I will block them. How I find
> > out they're an open relay is another story. The usual way is you probe a
> > site when it becomes an actual problem.

> I submit that if you have a piece of spam, from a site, and are blocking
> them, why do you need to probe them?

	Well, if you're blocking them because they're an open relay and they say
they've fixed the problem, it's certainly reasonable to probe them to decide
whether you should begin allowing mail from them. Or do you think it's
better to block them indefinitely just so that you don't 'trespass' by
probing them?

> > 	3) Do you think it's unreasonable to block known open relays as a
> > protection against future spam?

> Absolutely not. Our entire Norte Americano culture is biased AGAINST a priori
> restrictions.

	Nonsense! This argument would say that you should allow children to bring
guns into school provided they haven't yet shot them. Our culture is biased
against a priori restrictions upon speech imposed by the government, but
there is nothing inherently bad about a priori restrictions.

> You DO NOT spank someone for something that they have NOT, in fact, done.
> It's called prior restraint and there is a reason that it is considered
> unjust. It violates the PURE WAR ethos. There is no excuse for collateral
> damage. Innocents should not be involved, period. This is important because
> we DO have the technology to wage the PURE WAR and are ethically compelled
> to use it.

	I honestly don't understand what you're talking about at this point. If
another person puts you at unacceptable risk of harm, you defend yourself
from them without waiting for them to shoot you. If you don't want to be
shot on your property, you have every right to prevent people from bringing
guns onto your property. That this means people who always carry guns can't
go to your parties is their problem, not yours.

> > 	If you really believe what I think you're saying, then you would have to
> > object to, for example, the ident protocol.

> I think we have [only] a slight disconnect here. ident is part of the
> protocol. [side note: I'm setting up a new Postfix host (my first Postfix
> host ... used to doing sendmail). Does Postfix do SMTP AUTH?]

	Ident is part of what protocol? Ident is a protocol all its own.

> > Unfortunately, you have to make hazardous misconfigurations inconveniencing
> > or they won't be fixed.

> There is a major distinction between a spam hazard and a proven spam site.

	Yes, time. But I agree that there's a difference between malicious spammers
(those who know the issues but send spam anyway), accidental spammers
(those who honestly don't understand the problem), spam supporters (those
who don't care if their customers spam), those who just haven't secured their
sites (perhaps because their operating system was installed as an open relay
and they never checked or don't know how to), and those who can't easily secure
their sites without inconveniencing their customers. I personally treat
these five cases differently. I've heard some complaints that MAPS RBL
doesn't do a good job of distinguishing these cases, but I don't know enough
about them to comment.
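As an added illustration (not part of this post or the thread), a Postfix configuration that applies the graduated policy argued above: block a single proven open relay by host, block a provider's whole range only in the extreme "we like to spam" case, and carve out an investigated clean host inside that range to limit collateral damage. The addresses, the map path and the DNSBL zone name are constructed placeholders, not values from the thread.

```conf
# /etc/postfix/main.cf (fragment)
# Order matters: the CIDR map runs before the DNSBL lookup, so an explicit
# OK entry for an innocent host overrides both the range-wide REJECT and
# the DNSBL listing. The zone name below is a placeholder for whichever
# list (MAPS RBL or another) the site actually subscribes to.
smtpd_client_restrictions =
    permit_mynetworks,
    check_client_access cidr:/etc/postfix/client_access.cidr,
    reject_rbl_client rbl.example.net,
    permit

# Keep this regardless of the client policy above, or the server itself
# becomes one of the "installed as an open relay" hosts discussed here.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# /etc/postfix/client_access.cidr (sample addresses from RFC 5737 ranges)
# First match wins, so the most specific entries come first.
# A host inside the blocked provider range that was probed and found clean.
192.0.2.25/32      OK
# A single host confirmed as an open relay: block the host, not its neighbours.
198.51.100.7/32    REJECT Open relay; contact postmaster once the host is secured
# The extreme case only: a provider whose stated policy is to keep spamming.
192.0.2.0/24       REJECT Provider has declined to act on abuse reports
```

Run `postmap -q 192.0.2.25 cidr:/etc/postfix/client_access.cidr` to confirm that the carve-out matches before the /24 entry.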


More information about the NANOG mailing list