Scanning (was Re: Stealth Blocking)

Greg A. Woods woods at weird.com
Sun May 27 06:02:24 UTC 2001


[ On Sunday, May 27, 2001 at 00:17:29 (-0400), William Allen Simpson wrote: ]
> Subject: Re: Scanning (was Re: Stealth Blocking)
>
> 
> And I love you too....  IIRC, investigation some time ago uncovered 
> that these various services originated from and used the same 
> databases.  

The facts are not that hard to see from the current information
available on their respective web pages -- if you care to look; and can
be corroborated with other documentation easily found online with the
assistance of Google, etc.

> One or more of them did automated scanning, with considerable false 
> positives.  Hard to remember the details after all this time.  They 
> were all associated with the same belligerent operator.

IMRSS certainly did very systematic scanning for open relays.  However I
don't see how it could have detected any false positives since it was
actually collecting relayed messages -- a relayed message sent from a
more or less arbitrary host out there on the internet almost certainly
indicates that the tested host is an open relay, no?

There's only one possible exception I can think of, and if memory serves
me correctly that particular exception could only have accounted for one
or two of the hundreds of thousands of open relays IMRSS found.  That
exception being of course that it detected its own upstream relay(s)
which would perhaps have explicitly authorised it to relay a message.

> Greg, I'm sure you've done good things in the past.  CVS comes to
> mind?  (assuming my memory is not entirely failing.)

(I've not done much but debate about CVS lately -- though I still
maintain Smail-3 and I contribute to *BSD and other minor things.)

>  But, ORBS
> remains indefensible.

It would seem that I have no problems either defending it, or using it.
Whether I'm successful in the latter endeavour is only for me to decide.
Whether I'm successful in the former endeavour is a larger question.

> The MAPS leads to far fewer mistakes -- does not block non-relaying 
> servers just because they don't think the network has sufficient 
> "action against spammers in recent months."  That's entirely 
> judgmental, not operational.

The mechanically verified part of ORBS cannot, by definition, lead to any

> It all comes down to trust and reliability.  I trust MAPS.

I implicitly trust both MAPS and ORBS -- at least with my ability to
receive e-mail!  ;-)

In fact I trust the mechanically verified primary ORBS list far more than
any other related and manually maintained service.  By now the software
maintaining that list has been extremely well tested and will most
certainly never make anywhere near as many mistakes as even the most
careful human.

>  We've been 
> falsely accused by ORBS,

Which list were you on again?  Wasn't it the manual netblocks list?

> without any evidence of spamming.

Please do not forget that ORBS goal is not to detect or prevent spamming
per se.  Its full name should make this clear:  Open Relay
Behaviour-modification System.  Any open relay is a bad thing regardless
of whether it has yet been abused by a spammer (because it will
undoubtedly be abused unless it is closed first).

I don't block e-mail from ORBS-listed hosts (just) because it might be
spam.  I block it because I do not wish to knowingly be a party to any
acts of theft of service or fraud.  If the received headers were part of
the SMTP envelope then it might be possible to be more discerning about
which messages to reject from an open relay, but with our current
protocol that is not possible and so I must simply block all e-mail from
any known open relay.

>  ORBS blocks 
> for political reasons, rather than technical.

I guess I can't really disagree with that, though I will point out that
I am using ORBS as a deterrent against such acts of theft of service and
fraud and thus it is in fact what's known as a "technical control".

>  'nough said, for now.

or that....  :-)

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods at acm.org>     <woods at robohack.ca>
Planix, Inc. <woods at planix.com>;   Secrets of the Weird <woods at weird.com>
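The relay test Greg describes above (send a message from a foreign sender to a foreign recipient through the host under test, and count it as an open relay only when the message actually arrives at the collector) is worth seeing as a protocol exchange. The following is an added example written for this page; it is not IMRSS or ORBS code, and the hostnames, domains and the three server policies are constructed for illustration. It models the tested MTA in-process so the exchange runs offline, and it shows why delivery-based confirmation matters: a server that answers 250 to RCPT TO but silently discards the message is not an open relay, and a probe that only looked at the RCPT reply would misclassify it. The one case this method cannot tell apart is the exception he mentions: an upstream relay that has explicitly authorised the probing host will also accept and deliver.

```python
import secrets

# Constructed names for the illustration; none of these hosts exist.
LOCAL_DOMAIN = "relay.example"          # the domain the tested MTA serves
COLLECTOR_DOMAIN = "collector.example"  # where the prober expects the probe to land


class FakeSMTPServer:
    """In-process stand-in for the MTA under test (constructed, not a real MTA).

    policy: "closed"          -> refuses RCPT TO for non-local domains
            "open"            -> accepts and actually relays the message
            "accept-and-drop" -> says 250 to everything but never delivers
    """

    def __init__(self, policy, inbox):
        self.policy = policy
        self.inbox = inbox      # domain -> list of delivered message bodies
        self._reset()

    def _reset(self):
        self.rcpts = []
        self.in_data = False
        self.body = []

    def handle(self, line):
        """Process one client line; return the reply, or None for DATA body lines."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                if self.policy != "accept-and-drop":
                    for rcpt in self.rcpts:
                        domain = rcpt.rsplit("@", 1)[1]
                        self.inbox.setdefault(domain, []).append("\n".join(self.body))
                self._reset()
                return "250 2.0.0 Ok: queued"
            self.body.append(line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 " + LOCAL_DOMAIN
        if verb == "MAIL":
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            addr = arg[len("TO:"):].strip("<>")
            domain = addr.rsplit("@", 1)[1].lower()
            if self.policy == "closed" and domain != LOCAL_DOMAIN:
                return "554 5.7.1 <%s>: Relay access denied" % addr
            self.rcpts.append(addr)
            return "250 2.1.5 Ok"
        if verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Command not recognized"


def probe_relay(server, sender="probe@remote.example"):
    """Foreign sender, foreign recipient, unique token: the relay probe exchange.

    Returns (rcpt_accepted, token, transcript); the transcript holds both
    sides as ("C", line) / ("S", reply) pairs.
    """
    token = secrets.token_hex(8)
    target = "probe-%s@%s" % (token, COLLECTOR_DOMAIN)
    transcript = []

    def send(cmd):
        reply = server.handle(cmd)
        transcript.append(("C", cmd))
        if reply is not None:
            transcript.append(("S", reply))
        return reply

    send("EHLO probe.remote.example")
    send("MAIL FROM:<%s>" % sender)
    rcpt_reply = send("RCPT TO:<%s>" % target)
    if not rcpt_reply.startswith("250"):
        send("QUIT")
        return False, token, transcript
    send("DATA")
    for body_line in ("Subject: relay probe %s" % token, "", "probe body %s" % token):
        send(body_line)
    send(".")
    send("QUIT")
    return True, token, transcript


def delivered(inbox, token):
    """True only if the probe message actually reached the collector domain."""
    return any(token in msg for msg in inbox.get(COLLECTOR_DOMAIN, []))


def classify(policy):
    """Verdict for one server policy; 'open relay' requires confirmed delivery."""
    inbox = {}
    accepted, token, _ = probe_relay(FakeSMTPServer(policy, inbox))
    if not accepted:
        return "closed"
    return "open relay" if delivered(inbox, token) else "accepted but not delivered"


if __name__ == "__main__":
    for policy in ("closed", "open", "accept-and-drop"):
        print("%-16s -> %s" % (policy, classify(policy)))
```

Against a real host the `FakeSMTPServer` would be replaced by a socket to port 25 and the collector by a mailbox the prober controls; the classification logic stays the same, and the per-probe token is what ties a collected message back to the host that relayed it.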
