Stealth Blocking

Roeland Meyer rmeyer at
Thu May 24 02:35:42 UTC 2001

> From: David Schwartz [mailto:davids at]
> Sent: Wednesday, May 23, 2001 7:10 PM
> Roeland Meyer wrote:
> > I don't need to check because I have a piece of confirmed spam from them. A
> > smoking gun. That's the way MAPS RBL has been working for years. That is the
> > way I expect it to continue to work. The main reason that I posted to this
> > thread is that some of the posts lead me to believe otherwise. They were
> > confused.
> I think you're missing the big picture. If you receive a single piece of
> spam from a site, that's not automatically grounds to block the site. That's
> a recipe for maximizing collateral damage.

> So the receipt of a spam from a site is the beginning of the process, not
> the end.

Actually, I simplified the process. I agree with you 100% here. I don't have
the time for such an investigation therefore I use MAPS RBL.

> > > Absolutely. Probe the machine that is of concern, not whole blocks
> > > randomly.
> > Also, only block the proven spam-host. No one else.
> That's a more complex judgment. In most cases, I agree that this is
> appropriate, but I can think of (and have personally witnessed) more extreme
> circumstances. I've seen ISPs who say, "no, we like to spam and we will spam
> in the future". In those extreme cases, I'll block their entire address
> space from reaching my mail servers until their policy changes.

Another reason to use MAPS RBL.

> > > No, its open-relay status is not irrelevant. If you know a site is an open
> > > relay, however you know this, and you want to block open relays (which I do)
> > > and it's my right to block open relays, then I will block them. How I find
> > > out they're an open relay is another story. The usual way is you probe a
> > > site when it becomes an actual problem.
> > I submit that if you have a piece of spam, from a site, and are blocking
> > them, why do you need to probe them?
> Well, if you're blocking them because they're an open relay and they say
> they've fixed the problem, it's certainly reasonable to probe them to decide
> whether you should begin allowing mail from them. Or do you think it's
> better to block them indefinitely just so that you don't 'trespass' by
> probing them?

I'm actually not advocating blocking all open relays. I am advocating
blocking all spammers, whether they have open relays or not. There are
actually open relays that a spammer can never use, because the open relay
site uses MAPS RBL. They are collateral damage, with ORBS. Show me how such a
site can be used by a MAPS RBL'd spammer. BTW, yet another reason to use

> > > 3) Do you think it's unreasonable to block known open relays as a
> > > protection against future spam.
> > Absolutely not. Our entire Norte Americano culture is biased AGAINST a priori
> > restrictions.

The following is a real good example of why I don't like argument by
analogy. Your analogy is broken. Let's deal with the issue directly. We
actually seem to be on the same side here or not very far apart.

> 	Nonsense! This argument would say that you should allow 
> children to bring
> guns into school provided they haven't yet shot them. Our 
> culture is biased
> against a priori restrictions upon speech imposed by the 
> government, but
> there is nothing inherently bad about a priori restrictions.
> > You DO NOT spank someone for something that they
> > have NOT, in
> > fact, done. It's called prior restraint and there is a 
> reason that it is
> > considered unjust. It violates the PURE WAR ethos. There is 
> no excuse for
> > collateral damage. Innocents should not be involved, period. This is
> > important because we DO have the technology to wage the PURE WAR and are
> > ethically compelled to use it.
