Possibly OT, definitely humor. rDNS is to policy set by federal law.

Could be considered off-topic because it is humor.

I guess a lot of US network operators are going to have to change their DNS entries because apparently the rDNS policies are now set by federal law.....

http://www.au.sorbs.net/~matthew/funny/rDNS-set-by-federal-law.txt

Regards,

Mat

Typical SORBS behavior. While this guy can demand all he wants, doesn't mean he will get what he wants or that he's right or wrong.

Personally, we gave up using SORBS because of its very high false-positive ratio and we got tired of hearing customers who were upset because they didn't get their airline tickets, hotel reservations, or someone in the family was hurt and they missed the email. Fact of the matter is, whether Yahoo! has an SMTP server that 'is spewing SPAM according to SORBS..' or not, blanket screwing over everyone else in the same range which SORBS does -- is crap. Customers found it to be crap and I got tired of justifying it.

Very hard to justify when someone mails a customer and 50 other people and only *my* customers were rejected due to SORBS.

Ditched SORBS and the customers couldn't be happier.

If I were this guy, I wouldn't care. I'd complain to anyone sending him a SORBS failure about all the other *important* mail they're missing and prevent their SORBS usage and educate them about the harm SORBS is doing.

Thanks for the OT post though. It gave me my chance to RANT.

Regards,

SR

Matthew Sullivan wroteth on 3/15/2007 2:28 PM:

> Typical SORBS behavior. While this guy can demand all he wants, doesn't
> mean he will get what he wants or that he's right or wrong.

What's wrong with what Mat posted? The guy claiming DNS is regulated by
federal law is an idiot. Not that I always agree with what Mat says, but
the guy's claims are obviously and patently false. The claims, in fact,
are so ridiculous that I tend to think he's making them to weasel out of
solving the problem that got him listed in the first place. People doing
that *deserve* to be publicly ridiculed.

When I talk to Mat I generally have no problems having a civil and
productive discussion with him. But I don't start out with an attitude,
and I don't cook up absurd stories to try to get out of fixing my spam
problem. (Not that I have one, but if I did, I'd not try to weasel out of
fixing it.)

> Personally, we gave up using SORBS because of its very high
> false-positive ratio

YMMV; at $DAYJOB we don't seem to have the same problem.

Disclaimer: My opinions, not my boss's, etc.

Nothing is wrong with what he posted. The guy is a moron. However, I was taking my 15 min of fame to jab at SORBS policy of listing people on their respective lists. It's dysfunctional and broken, but that again is just my opinion.

Oh and, of course publicly humiliating the guy is certainly not that cool. However, while it's not really above me to do the same, he could have removed the email address so spammers aren't adding to that guy's list of problems.

Anyway, don't mind me. I just wanted to add to the off-topic drivel Mat posted since I can't stand SORBS. :>

Steve Sobol wroteth on 3/15/2007 7:31 PM:

Steve Sobol wrote (on Thu, Mar 15, 2007 at 10:31:44PM -0400):

> Personally, we gave up using SORBS because of its very high
> false-positive ratio

YMMV; at $DAYJOB we don't seem to have the same problem.

I gave up using SORBS (and I'm not Mat's enemy, mind you - I used to
work for SORBS and still like the idea) because it was so random.
Mat would block 2, say, out of AOL's 26 or whatever mailservers.
Why? b/c those two were used to send spam. Right. So, not only do
I have to explain to users why their AOL friends cannot write them,
I *also* have to explain that the blocking is at random, and if
their friend just retries sending, they'll have a 92% chance of
getting through. Completely unworkable. If you want to block AOL
(and I totally sympathize with Mat here) just ... block ...
them and be done with it. Don't make me play email roulette.

Fair enough.

> Nothing is wrong with what he posted. The guy is a moron. However, I
> was taking my 15 min of fame to jab at SORBS policy of listing people on
> their respective lists.

when 42 other folk have similarly whined, i am not sure the word 'fame'
is appropriate

randy

Anti-spam strategies based on concealment and/or obfuscation of addresses
are no longer viable. (For a variety of reasons, including harvesting
from public sources, harvesting from private sources such as compromised
systems, and the deployment of abusive, spam-supporting tactics such as
callbacks/sender address verification.)

Yes, I know there are counter-examples, I have my own collection of them.
But they're exceptions, not the rule.

---Rsk

We do not have any problem with SORBS. We use SORBS' entire list
with the exception of the DUL at all of our client sites. I have worked
with Mat for years, and despite our differences with regard to DUL
lists, our relationship has always been both respectful and cordial.
This guy was talking out the wrong end of his anatomy, and Mat called
him on it.

  You can like SORBS (as I do), or not like them, that's your
choice, and I will respect all of you for it. But a follow-up bashing
SORBS listing policies certainly went off topic if the original premise
of the post was maybe a little off topic.

  I think what we're talking about here as the larger issue is
your dog in your yard. Your dog is free to take a crap in your yard all
it likes, but when your dog comes over to my yard and takes a crap, I
might build a fence. I might also conscript something like Mat's
service, or Steve Linford's service, or mine to keep my yard clean, if
that means your dog doesn't get to play in my yard... well that's just
unfortunate for you. (or in another manner of speaking, I could care
less) And damn, I think I just equated all of my volunteer time to the
equivalent of a pooper-scooper... ooh well.

Andrew D Kirch - All Things IT
Office: 317-755-0200

From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of S. Ryan
Sent: Thursday, March 15, 2007 10:42 PM
To: Steve Sobol
Cc: Matthew Sullivan; nanog@merit.edu
Subject: Re: Possibly OT, definately humor. rDNS is to policy set by federal law.

Nothing is wrong with what he posted. The guy is a moron. However, I
was taking my 15 min of fame to jab at SORBS policy of listing people on
their respective lists. It's dysfunctional and broken, but that again
is just my opinion.

Oh and, of course publicly humiliating the guy is certainly not that
cool. However, while it's not really above me to do the same, he could
have removed the email address so spammers aren't adding to that guy's
list of problems.

Anyway, don't mind me. I just wanted to add to the off-topic drivel Mat
posted since I can't stand SORBS. :>

Steve Sobol wroteth on 3/15/2007 7:31 PM:
>
>> Typical SORBS behavior. While this guy can demand all he wants, doesn't
>> mean he will get what he wants or that he's right or wrong.
>
> What's wrong with what Mat posted? The guy claiming DNS is regulated by
> federal law is an idiot. Not that I always agree with what Mat says, but
> the guy's claims are obviously and patently false. The claims, in fact,
> are so ridiculous that I tend to think he's making them to weasel out of
> solving the problem that got him listed in the first place. People doing
> that *deserve* to be publicly ridiculed.
>
> When I talk to Mat I generally have no problems having a civil and
> productive discussion with him. But I don't start out with an attitude,
> and I don't cook up absurd stories to try to get out of fixing my spam
> problem. (Not that I have one, but if I did, I'd not try to weasel out

Nachman Yaakov Ziskind wrote:

> Steve Sobol wrote (on Thu, Mar 15, 2007 at 10:31:44PM -0400):
>
>>> Personally, we gave up using SORBS because of its very high false-positive ratio
>>
>> YMMV; at $DAYJOB we don't seem to have the same problem.
>
> I gave up using SORBS (and I'm not Mat's enemy, mind you - I used to work for SORBS and still like the idea) because it was so random. Mat would block 2, say, out of AOL's 26 or whatever mailservers. Why? b/c those two were used to send spam. Right. So, not only do I have to explain to users why their AOL friends cannot write them, I *also* have to explain that the blocking is at random, and if their friend just retries sending, they'll have a 92% chance of getting through. Completely unworkable. If you want to block AOL (and I totally sympathize with Mat here) just ... block ...
> them and be done with it. Don't make me play email roulette.

This is a problem, and with the advent of the latest bots using ISPs' MTAs etc. I am more than happy to talk to people and listen to constructive suggestions from ISPs (such as those on this list) about how to resolve the issue. I am even happy to receive constructive suggestions and to discuss changes to SORBS general policies (though would have to be another forum) if anyone here would like to do that.... The spammers have changed, SORBS needs to, I don't have the answers.

Regards,

Mat

Would you care to expand on why you think sender callback verification is apparently abusive and supports spam?

I sure don't mind my MXers being probed if it stops somebody forging mail from my domains.

What next, will forward lookups of rDNS to verify that they're not forged also be considered abusive because the forged third-party's servers get consulted out of paranoia?

(a) this is wandering off-topic and (b) this has been covered in great
depth on Spam-L multiple times, so I'll refer you there for more
substantive discussion; consider this merely a brief overview whose
points are not particularly well-ordered, although I'm going to try
to list them from abstract-to-applied.

1. Is it really a good idea to allow unknown parties to cause *your* servers
to generate outbound SMTP traffic to destinations of *their* choosing?
I sure don't think so.

2. We're drowning in junk SMTP traffic. Any "solution" which creates
*more* SMTP traffic is wrong. Not just bad, not just suboptimal, but
flat-out wrong. The system desperately needs dampening, not positive
feedback. And this is (another reason) why callbacks, C/R and bounces
are all bad news.

3. What if everyone did this? Callbacks *do not scale*. As Alan Brown
has pointed out:

  Because it doesn't scale against tens or hundreds of thousands of
  servers doing callouts against a single host which has had From:
  addresses forged - especially when you add in the factor that
  many spammers are mutating the left hand portion of the address
  with each mail sent - specifically to defeat caching mechanisms.

4. It's abusive because it's a deliberate attempt to circumvent an
access control, somewhat like ignoring a robots.txt. The correct way
to verify an address with SMTP is to use the VRFY command, not
a dummy mail sequence. If I have VRFY off, then I have clearly
announced to the world that I don't wish to provide a sender
verification service. Yet those using callbacks are insisting on
bypassing site security policy by forging a dummy mail message
(since they have no intent to actually try to deliver one).
IANAL but this seems to me to raise serious questions of legality.

5. Those using this "feature" are providing a free, anonymizing, scalable,
spam support service. How? Because they're also enabling spammers
to bypass my security mechanisms. Suppose I have firewalled out
1.2.3.0/24. Suppose X hasn't. Spammers can now use X's mail servers
to attack mine. Well, and everyone else using callbacks: X and everyone
else are now deliberately helping spammers go after third parties.

And yes, they're doing it.

6 (7, 8, etc.) Callbacks enable multiple D/DoS attack mechanisms.
Here's a simple one: attacker identifies N hosts using callbacks,
where N is large enough to matter. Attacker forges mail to all of
them claiming to be from victim-domain.com. All of them obligingly try
to open up simultaneous SMTP connections to victim-domain.com's MX's.
How many do you think will be required before victim-domain.com feels
some serious pain? At the hands of those using callbacks.

This is NOT a theoretical problem. And this alone is reason enough to
stop doing callbacks immediately.

(For more variations, including much nastier ones, see the Spam-L archives,
but keep in mind that not all of them have been discussed publicly.)

7. Use of rate-limiting (sometimes advanced as a lame excuse for this
abuse) enables other DoS attack vectors. So does result caching.
(Example: if you only do X queries per Y time of any given domain's MX
or any given MX, then an attacker can block traffic by making sure that
forged traffic exceeds the rate limit. And so on.)

8. Consider that attackers can control where your outbound connections
terminate. How? Register a throwaway domain, point the MX's at the
victim, and then send *unforged* mail from the throwaway domain to you.
Or set up an SMTP proxy which terminates on someone else's real mail
server. Or which loops back to you. Or... There are also some
decidedly nasty variations to this approach.

There's more, but I said I'd be brief. The bottom line is that callbacks
are an appallingly bad idea, right up there with C/R for boneheadedness.
And as Bob O'Bob has pointed out, some receivers are starting to recognize
callback abuse, and firewall off the offending hosts. It seems likely
that public blacklists will be compiled and used if the originators of
this abuse don't stop on their own.

---Rsk
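The "dummy mail sequence" in point 4 and the remark that receivers are starting to recognize callback abuse suggest a log-side check. The following is an added example, not part of the original post: it flags clients that repeatedly reach RCPT TO and then abandon the session without DATA. The log format, session ids, addresses and the `min_probes` threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log, one SMTP command per line: "<session> <client-ip> <command>".
# The format is invented for this example; adapt parse_sessions() to your MTA's logs.
SAMPLE_LOG = """\
s1 192.0.2.10 MAIL FROM:<>
s1 192.0.2.10 RCPT TO:<xk3f9a@victim-domain.example>
s1 192.0.2.10 QUIT
s2 192.0.2.10 MAIL FROM:<>
s2 192.0.2.10 RCPT TO:<p0q2zz@victim-domain.example>
s2 192.0.2.10 RSET
s3 198.51.100.7 MAIL FROM:<alice@example.org>
s3 198.51.100.7 RCPT TO:<bob@victim-domain.example>
s3 198.51.100.7 DATA
s4 203.0.113.5 MAIL FROM:<>
s4 203.0.113.5 RCPT TO:<bob@victim-domain.example>
s4 203.0.113.5 DATA
s5 203.0.113.9 MAIL FROM:<carol@example.com>
s5 203.0.113.9 RCPT TO:<typo@victim-domain.example>
s5 203.0.113.9 QUIT
"""

def parse_sessions(log_text):
    """Return {session_id: (client_ip, [commands])}, skipping malformed lines."""
    sessions = {}
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3:
            sid, ip, cmd = parts
            sessions.setdefault(sid, (ip, []))[1].append(cmd.strip())
    return sessions

def is_dummy_sequence(commands):
    """True if the envelope reached RCPT TO but the client never sent DATA."""
    upper = [c.upper() for c in commands]
    return any(c.startswith("RCPT TO:") for c in upper) and "DATA" not in upper

def callback_suspects(log_text, min_probes=2):
    """Map client IP -> (dummy sessions, distinct recipients probed)."""
    # One abandoned session is normal (s5: a sender giving up on a bad
    # recipient); a real bounce (s4) sends DATA and is never counted.
    probes, rcpts = defaultdict(int), defaultdict(set)
    for ip, cmds in parse_sessions(log_text).values():
        if is_dummy_sequence(cmds):
            probes[ip] += 1
            rcpts[ip].update(c[8:].strip().lower() for c in cmds
                             if c.upper().startswith("RCPT TO:"))
    return {ip: (n, len(rcpts[ip])) for ip, n in probes.items() if n >= min_probes}
```

A high count of distinct recipients per client matches the mutated left-hand sides described in point 3, which is what separates callback traffic from an ordinary sender retrying one address.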

> Would you care to expand on why you think sender callback
> verification is apparently abusive and supports spam?

> (a) this is wandering off-topic and (b) this has been covered in great
> depth on Spam-L multiple times, so I'll refer you there for more
> substantive discussion; consider this merely a brief overview whose
> points are not particularly well-ordered, although I'm going to try
> to list them from abstract-to-applied.

You failed to mention that callbacks encourage spammers to use real email
addresses instead of bogus inventions, thus making the backscatter
problem worse. Also, a non-working sender address is not well correlated
with spam: there are lots of legitimate but broken senders, such as mail
servers which reject MAIL FROM:<> and web servers which send MAIL

Tony.

Peter Corlett wrote:

>> [...] abusive, spam-supporting tactics such as
>> callbacks/sender address verification.)
>
> Would you care to expand on why you think sender callback verification is apparently abusive and supports spam?
>
> I sure don't mind my MXers being probed if it stops somebody forging mail from my domains.
>
> What next, will forward lookups of rDNS to verify that they're not forged also be considered abusive because the forged third-party's servers get consulted out of paranoia?

Also others didn't mention it doesn't actually work properly when other things are going on.

Anywhere that is RBL'd when it tries to callback receives a message saying that delivery fails - this results in the outgoing mail not getting delivered (and I've had to deal with that problem several times where people are accusing SORBS of blocking their outgoing mail).

DDoS attack is very understated, consider any SOHO... I have an 8M link here, 2m call backs will wipe out both my bandwidth for a few hours, as well as probably use up my monthly quota.

Spammers who are blocked from my servers can use callback on your servers to determine what the real/working addresses are on my network.

Rate-limiting on my servers is useless under callback attack (because it's not a DoS, but a DDoS).

Many other things are bad about it... Read Spam-L and other lists for information.

Regards,

Mat