ORBS (Re: Scanning)

Patrick W. Gilmore patrick at ianai.net
Sun May 27 18:27:03 UTC 2001


At 11:10 AM 5/27/2001 -0700, Roeland Meyer wrote:
 >
 >> From: Derek Balling [mailto:dredd at megacity.org]
 >> Sent: Sunday, May 27, 2001 10:49 AM
 >>
 >> At 9:11 AM -0700 5/27/01, Roeland Meyer wrote:
 >> >A system that tests positive for ORBS , yet is using MAPS,
 >> will not be used
 >> >as a spam relay. Yet, ORBS will list such a system.
 >>
 >> I'm not sure I understand this logic:
 >>
 >> 1.) They test positive for orbs... so they ARE an open relay
 >> 2.) That system is using MAPS, which means that there is some subset
 >> of systems the open relay itself rejects mail from
 >
 >I somehow missed your logic here. A MAPS blocked system is, by definition
 >NOT an open-relay, since it IS MAPS-blocked. Yet, ORBS will list it as an
 >open-relay. I agree, there is a disconnect here. Your second premis
 >invalidates the first. This may be a semantic issue, please examine and
 >clarify.

 >A MAPS-blocked system may show as an open-relay to another system not listed
 >in MAPS. However, it will show as closed to a system that is listed in MAPS.
 >It all depends on the source of the test. AHA! Maybe ORBS should be listed
 >in MAPS? That will certainly resolve this problem and ORBS will no longer
 >show false positives.

Although I do not really like ORBS, but I thought the first explanation was 
closer.

(NOTE: I assume we are only discussing the MAPS RSS, not other MAPS products.)

I was under the impression that an open relay listed in MAPS is still an 
open relay.  MAPS cannot reconfigure other people's mail servers.  However, 
if my mail server subscribes to MAPS, my mail server will automatically 
reject mail from your server if it is listed in MAPS.  This does not make 
your mail server a "closed relay", I just deny all mail from you.  As such, 
even "good" e-mail from your own end users will be denied.  This is what 
some call "collateral damage".

Also, two systems listed in MAPS will still accept e-mail from each other 
(assuming they do subscribe to MAPS, which would be silly since they are 
both open relays and listed in MAPS).

So, listing ORBS in MAPS would not really do much good.  Besides, ORBS is 
not an open relay, not a whole lot of mail (unless they are probing you :) 
and probably no spam comes from ORBS, so who cares?

Did you know that MAPS has been listed in ORBS for quite a while. :)  (It 
is rumored - proven to some of us - that ORBS will list servers out of 
spite.  And by ORBS' own documentation, it will list any server which 
blocks an ORBS probe, whether open or not.)


I think we can pretty much end this thread.  Anyone who wants to block as 
much spam as they can, even at the cost of a lot of "real" e-mail, please 
use ORBS.  Your server, your choice.  Those of us who like a more surgical 
approach with less collateral damage can use MAPS.  And those of us who 
love their delete key can use nothing. :)

All I suggest is that EVERYONE close their relays.  Period.


Now, can't we all just get along? :)

TTFN,
patrick






More information about the NANOG mailing list