Scanning (was Re: Stealth Blocking)

Greg A. Woods woods at weird.com
Sun May 27 19:18:27 UTC 2001


[ On Sunday, May 27, 2001 at 00:01:36 (-0700), Roeland Meyer wrote: ]
> Subject: RE: Scanning (was Re: Stealth Blocking)
>
> > The mechanically verified part of ORBS cannot, by definition, 
> > lead to any
> 
> Greg, it all comes down to ONE major issue ... collateral damage.

All my friends, colleagues, etc., who were still stupid enough to be
running open relays on the day I started using ORBS had their mailers
secured by sundown.

(and any that didn't, well, perhaps they weren't smart enough to be my
friends and colleagues after all....  :-)

> He makes a perfectly valid point here. In the past few days I have seen much
> testimony, from folks right here on this list, that were listed on ORBS.
> I've also read testimony that their systems were never used for spam. I
> can't imagine a spammer being on this list for long. Nor, can I imagine
> those illustrious folks being spammers. Yet, they were on the ORBS list.

You keep, conveniently it seems, forgetting that ORBS is not designed to
block spammers -- it's designed to convince people not to run open relays.

So, in other words, those illustrious folks were being less-than-
professional, one way or another (either they were insisting on running
open relays, or they were blocking the tester for political reasons).

Please also try harder to remember that there's ORBS, and then there are
the other adjunct lists that are offered under the same domain name but
which are not mechanically tested open relays.  These days ORBS doesn't
completely confuse untestable hosts with hosts that are open relays!

> But, without spammer behavior, open-relays are perfectly acceptable. Else,
> why was it the default option in sendmail for so long? The "anti" argument
> falls over dead without spammers. It's not the gun, it's the bloke pointing
> it.

Open relays are unacceptable on any public network, since they lead not
only to plain old theft-of-service, but also to much more dangerous
things, such as theft-of-service for the purpose of committing fraud.
They would be unacceptable even in a spam-free world.

Sendmail started out as an open relay mailer by default for so long
because it was the de facto mailer on an effectively private academic
network where peer pressure is more of a deterrent than any technical
control can ever be!  Think about it -- true hackers (in the MIT sense)
find technical controls to be a challenge.  (Hmmm... maybe sendmail
should always have been secure by default and then the early hackers
would have long ago identified all its weak spots!  ;-)

Obviously the problem on the public Internet wouldn't be quite so bad if
mailers didn't start out as open relays by default.  Unfortunately even
though most mailer authors and maintainers have long ago fixed their
software to be secure by default, their vendors have often failed to
work to eradicate the old insecure instances and as such we still see
new open relays installed every day.  Technical controls are the only
feasible way to identify and deter the use of such new open relays.

Your USA-centric view of the world is also part of the problem.  If all
perpetrators of theft of service and fraud could be prosecuted equally
under a common law then it would be much more difficult for them to get
away with the illegal acts they are committing.  However given that the
Internet is actually a global service, and given that open relays can be
installed in any legal jurisdiction and used from any other legal
jurisdiction, it's almost impossible to ever make legal action into any
serious deterrent, at least not within any reasonable Internet-based
timeframe.  Only technical controls can ever stand a chance of creating
such a deterrent in this kind of disjoint legal quagmire.

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods at acm.org>     <woods at robohack.ca>
Planix, Inc. <woods at planix.com>;   Secrets of the Weird <woods at weird.com>
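Added here as an illustration of the relay-control decision the message is arguing for (secure by default: refuse to relay unless an explicit rule allows it, with the historical open-relay default shown only as a switch). This is example code, not anything from the thread or from sendmail; the local domains, trusted network, client addresses and recipients are constructed.

```python
"""RCPT TO relay decision as an MTA makes it, written secure by default."""
import ipaddress
from dataclasses import dataclass

# Constructed example policy: domains we deliver for, and one trusted client network.
LOCAL_DOMAINS = {"example.org", "mail.example.org"}
RELAY_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # TEST-NET-1, constructed


@dataclass
class Session:
    client_ip: str
    authenticated: bool = False  # result of SMTP AUTH, if any


def is_local_recipient(rcpt: str) -> bool:
    """True only for a plain user@local-domain address.

    Anything unusual (route addresses starting with '@', a '%' or '!' in the
    local part, more than one '@') is conservatively treated as NOT local, so
    it falls through to the relay rules instead of being delivered blindly.
    """
    addr = rcpt.strip().strip("<>")
    if addr.startswith("@") or addr.count("@") != 1:
        return False
    local_part, domain = addr.split("@")
    if "%" in local_part or "!" in local_part:
        return False
    return domain.lower().rstrip(".") in LOCAL_DOMAINS


def rcpt_decision(session: Session, rcpt: str, open_relay: bool = False) -> str:
    """Return the SMTP reply for RCPT TO under this policy.

    open_relay=True reproduces the old sendmail default the message criticises:
    every remote recipient is accepted regardless of who the client is.
    """
    if is_local_recipient(rcpt):
        return "250 2.1.5 Recipient ok"
    # Remote recipient: this is a relay request, so an allow rule must match.
    if session.authenticated:
        return "250 2.1.5 Recipient ok (authenticated relay)"
    client = ipaddress.ip_address(session.client_ip)
    if any(client in net for net in RELAY_NETWORKS):
        return "250 2.1.5 Recipient ok (trusted network)"
    if open_relay:
        return "250 2.1.5 Recipient ok (open relay)"
    return "554 5.7.1 Relaying denied"
```

With the default arguments the only way an outside, unauthenticated client gets a 250 for a remote recipient is to flip `open_relay`, which is exactly the default the message says should never have shipped.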