RE: ORBS (Re: Scanning)

From: Derek Balling [mailto:dredd@megacity.org]
Sent: Sunday, May 27, 2001 11:20 AM

>> I'm not sure I understand this logic:
>>
>> 1.) They test positive for orbs... so they ARE an open relay
>> 2.) That system is using MAPS, which means that there is some subset
>> of systems the open relay itself rejects mail from
>
>I somehow missed your logic here. A MAPS blocked system is, by definition
>NOT an open-relay, since it IS MAPS-blocked. Yet, ORBS will list it as an
>open-relay. I agree, there is a disconnect here. Your second premise
>invalidates the first. This may be a semantic issue, please examine and
>clarify.

I think this is all a phraseology thing.

I'm sorry. I hate hair-splitting too.

Assuming "a MAPS-blocked system" means a system that is
listed/blocked by MAPS as a spam source.

    Then your statement makes no sense because in all likelihood, that
host IS an open relay.

My bad. What I meant was a MAPS-blocked system as a subscriber to MAPS. Not a
MAPS-known spam source.

Assuming "a MAPS-blocked system" means a system that is partaking of
the MAPS lists to block inbound mail to it

    Then your statement further makes no sense, because any
non-MAPS-listed host could (in theory) send mail to/through that
system. If the system using MAPS is an open relay, then
non-MAPS-listed hosts could quite happily/easily pump mail through
that system regardless of whether or not it is using MAPS.

Not true, I'm assuming that MAPS isn't the only anti-spam measure being
implemented.

>I might point out that, since MAPS has been running for a few years, most if
>not all, the spammer sources are now listed.

I think my personal evidence (that about 90-95% of my spam that is
blocked is NOT from MAPS sources) does not seem to bear that out.

You bear out my assumptions that other methods, besides MAPS and ORBS, are
being deployed as well. Feeding such data into MAPS would improve MAPS
accuracy.

> I think this is all a phraseology thing.

I'm sorry. I hate hair-splitting too.

So long as we at least decide what it is we're disagreeing on. ;)

My bad. What I meant was a MAPS-blocked system as a subscriber to MAPS. Not a
MAPS-known spam source.

That's what I had thought you meant. :)

> Then your statement further makes no sense, because any
non-MAPS-listed host could (in theory) send mail to/through that
system. If the system using MAPS is an open relay, then
non-MAPS-listed hosts could quite happily/easily pump mail through
that system regardless of whether or not it is using MAPS.

Not true, I'm assuming that MAPS isn't the only anti-spam measure being
implemented.

But @BLOCKED_HOSTS != @WHOLE_OF_INTERNET, so it doesn't matter WHAT anti-spam features they're using, if they're an open relay, they deserve to be in ORBS.

Another hair to split is that "ORBS" is not a list. It's a COLLECTION of lists. The above-described open-relay should be listed on the inputs.orbs.org list.

> I think my personal evidence (that about 90-95% of my spam that is
blocked is NOT from MAPS sources) does not seem to bear that out.

You bear out my assumptions that other methods, besides MAPS and ORBS, are
being deployed as well. Feeding such data into MAPS would improve MAPS
accuracy.

I don't think so. Judging from discussions in forums where this topic is more prevalent (spam-l, spamtools) MAPS seems to be a bit of a blackhole itself, with lots of sites being nominated as spam sources for the MAPS RBL and very few actually seeming to get listed.

D

Derek Balling wrote:

I don't think so. Judging from discussions in forums where this topic
is more prevalent (spam-l, spamtools) MAPS seems to be a bit of a
blackhole itself, with lots of sites being nominated as spam sources
for the MAPS RBL and very few actually seeming to get listed.

Someone else, perhaps Roeland, mentioned that MAPS is a lot more
deliberate than ORBS is. Also mentioned was the fact that that can
be viewed either as a good thing or a bad thing depending on your
point of view. It's true. Some people like the more aggressive stance
ORBS takes. Some people don't like the apparent arbitrariness (if that's
a word) of some of the ORBS listings.

Date: Sun, 27 May 2001 15:22:09 -0400
From: Steve Sobol <sjsobol@NorthShoreTechnologies.net>

[ snip ]

Someone else, perhaps Roeland, mentioned that MAPS is a lot more
deliberate than ORBS is. Also mentioned was the fact that that can
be viewed either as a good thing or a bad thing depending on your

That would have been myself...

point of view. It's true. Some people like the more aggressive stance
ORBS takes. Some people don't like the apparent arbitrariness (if that's
a word) of some of the ORBS listings.

...and I also stated that nobody forces one to use MAPS or ORBS as-is.
I've never heard much of an argument, let alone a solid one, against this.

As much as I'd love to strong-arm providers into fixing their open relays,
I whitelist acceptable MXes, and often contact the admin in question. The
dearth of clueful admins who don't run open relays makes it difficult at
best to refuse mail from all ORBS-listed MXes.

Hence, I submit that "MAPS + ORBS + manual whitelist" is better than any
alternative, particularly the "MAPS + !ORBS + whack-a-mole blacklist".

And anybody who claims that MAPS kills most of the spam isn't running much
of an MX. I deliberately have sendmail check MAPS (all three) _before_
any ORBS. If MAPS truly stopped most spam, then ORBS would yield mostly
false positives... and it just ain't so.

Eddy
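
The check order described in the last message (manual whitelist, then MAPS, then ORBS), as an added example that is not part of the thread or any poster's configuration; the MAPS zone names are placeholders and the listings are constructed. Because MAPS is consulted first, every rejection credited to ORBS is a host MAPS did not list.

```python
import ipaddress

# Only inputs.orbs.org is named in the thread; the three MAPS zone names
# below are placeholders (assumptions), not the real MAPS zones.
MAPS_ZONES = ["maps-rbl.example", "maps-dul.example", "maps-rss.example"]
ORBS_ZONES = ["inputs.orbs.org"]

def dnsbl_name(ip, zone):
    """DNSBL query name: IPv4 octets reversed, followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def classify(ip, whitelist, listed):
    """Whitelist first, then MAPS, then ORBS; the first hit decides.

    `listed` is a callable(name) -> bool. On a live MX it would be a DNS
    A-record lookup; here it is a set-membership test on constructed data.
    """
    if ip in whitelist:
        return ("accept", "whitelist")
    for zone in MAPS_ZONES + ORBS_ZONES:
        if listed(dnsbl_name(ip, zone)):
            return ("reject", zone)
    return ("accept", "unlisted")

def tally(ips, whitelist, listed):
    """Count connections per deciding rule."""
    counts = {}
    for ip in ips:
        _, reason = classify(ip, whitelist, listed)
        counts[reason] = counts.get(reason, 0) + 1
    return counts

# Constructed sample data (documentation address ranges, not real listings).
LISTINGS = {
    "10.2.0.192.maps-rbl.example",    # on MAPS ...
    "10.2.0.192.inputs.orbs.org",     # ... and ORBS: MAPS is credited
    "20.100.51.198.inputs.orbs.org",  # ORBS only
    "30.100.51.198.inputs.orbs.org",  # ORBS only, but whitelisted MX
}
WHITELIST = {"198.51.100.30"}
SAMPLE = ["192.0.2.10", "198.51.100.20", "198.51.100.30", "203.0.113.5"]

if __name__ == "__main__":
    for reason, n in tally(SAMPLE, WHITELIST, LISTINGS.__contains__).items():
        print(f"{reason}: {n}")
```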