RE: Scanning (was Re: Stealth Blocking)

From: woods@weird.com [mailto:woods@weird.com]
Sent: Saturday, May 26, 2001 11:02 PM

[ On Sunday, May 27, 2001 at 00:17:29 (-0400), William Allen
Simpson wrote: ]

> But, ORBS
> remains indefensible.

> It would seem that I have no problems either defending it, or using it.
> Whether I'm successful in the latter endeavour is only for me to decide.
> Whether I'm successful in the former endeavour is a larger question.

> The MAPS leads to far fewer mistakes -- does not block non-relaying
> servers just because they don't think the network has sufficient
> "action against spammers in recent months." That's entirely
> judgmental, not operational.

> The mechanically verified part of ORBS cannot, by definition, lead to any

Greg, it all comes down to ONE major issue ... collateral damage.

> We've been
> falsely accused by ORBS,

Which list were you on again? Wasn't it the manual netblocks list?

> without any evidence of spamming.

He makes a perfectly valid point here. In the past few days I have seen much
testimony, from folks right here on this list, who were listed on ORBS.
I've also read testimony that their systems were never used for spam. I
can't imagine a spammer being on this list for long. Nor can I imagine
those illustrious folks being spammers. Yet, they were on the ORBS list.
BTW, MHSC systems were also carried on ORBS for a while and when they were,
over 50% of my bandwidth was used to fend off crack attempts. Thank gawd I
was using MAPS at the time. None of the relay attempts got through.
Although, I *did* have to replace a couple of weak BIND boxen (thanks for
the extra work, BTW >:P ).

Brother, that is the very definition of collateral damage. In fact, it was
worse. It's "friendly fire". If we start taking out innocents and even our
own guys, the spammers will win. We need to start fighting the PURE WAR
against spammers. What ORBS does is find innocents and paint bulls-eyes
on them for the spammers to find more easily. The argument ORBS presented, on
their web-site, to justify this, is terribly weak. It still amounts to
pointing the guns ... in the WRONG direction.

> Please do not forget that ORBS' goal is not to detect or prevent spamming per se.

But, without spammer behavior, open-relays are perfectly acceptable. Else,
why was it the default option in sendmail for so long? The "anti" argument
falls over dead without spammers. It's not the gun, it's the bloke pointing
it.

> Its full name should make this clear: Open Relay Behaviour-modification
> System. Any open relay is a bad thing regardless of whether it has yet
> been abused by a spammer (because it will undoubtedly be abused unless it
> is closed first).

You make my point here. Remove spammers and ORBS becomes nothing more than a
totalitarian tool for a political agenda without merit. If I can run a relay
system safely (without spammer abuse) then you have lost the right to tell
me I can't do so, because there is no possible damage to your systems. It's
also a control issue: I strongly resent someone who isn't paying the rent
here trying to modify my behavior. I get enough of that from my government.

> ORBS blocks for political reasons, rather than technical.

> I guess I can't really disagree with that, though I will point out that
> I am using ORBS as a deterrent against such acts of theft of service and
> fraud, and thus it is in fact what's known as a "technical control".

Can't you see how inherently corrupt that is? Drop ORBS and go with MAPS. Be
friendly to your friends and disdain only those that are truly your
enemies.

[ On Sunday, May 27, 2001 at 00:01:36 (-0700), Roeland Meyer wrote: ]

Subject: RE: Scanning (was Re: Stealth Blocking)

> The mechanically verified part of ORBS cannot, by definition,
> lead to any

> Greg, it all comes down to ONE major issue ... collateral damage.

All my friends, colleagues, etc., who were still stupid enough to be
running open relays on the day I started using ORBS had their mailers
secured by sundown.

(and any that didn't, well, perhaps they weren't smart enough to be my
friends and colleagues after all.... :-)

> He makes a perfectly valid point here. In the past few days I have seen much
> testimony, from folks right here on this list, who were listed on ORBS.
> I've also read testimony that their systems were never used for spam. I
> can't imagine a spammer being on this list for long. Nor can I imagine
> those illustrious folks being spammers. Yet, they were on the ORBS list.

You keep, conveniently it seems, forgetting that ORBS is not designed to
block spammers -- it's designed to convince people not to run open relays.

So, in other words, those illustrious folks were being less-than-professional,
one way or another (either they were insisting on running open relays, or
they were blocking the tester for political reasons).

Please also try harder to remember that there's ORBS, and then there are
the other adjunct lists that are offered under the same domain name but
which are not mechanically tested open relays. These days ORBS doesn't
completely confuse untestable hosts with hosts that are open relays!

> But, without spammer behavior, open relays are perfectly acceptable. Else,
> why was it the default option in sendmail for so long? The "anti" argument
> falls over dead without spammers. It's not the gun, it's the bloke pointing
> it.

Open relays are unacceptable on any public network, since they lead not
only to plain old theft-of-service, but also to much more dangerous
things, such as theft-of-service for the purpose of committing fraud.
They would be unacceptable even in a spam-free world.

Sendmail started out as an open relay mailer by default for so long
because it was the de facto mailer on an effectively private academic
network where peer pressure is more of a deterrent than any technical
control can ever be! Think about it -- true hackers (in the MIT sense)
find technical controls to be a challenge. (Hmmm... maybe sendmail
should always have been secure by default and then the early hackers
would have long ago identified all its weak spots! ;-)

Obviously the problem on the public Internet wouldn't be quite so bad if
mailers didn't start out as open relays by default. Unfortunately, even
though most mailer authors and maintainers have long ago fixed their
software to be secure by default, their vendors have often failed to
work to eradicate the old insecure instances, and as such we still see
new open relays installed every day. Technical controls are the only
feasible way to identify and deter the use of such new open relays.

Your USA-centric view of the world is also part of the problem. If all
perpetrators of theft of service and fraud could be prosecuted equally
under a common law then it would be much more difficult for them to get
away with the illegal acts they are committing. However given that the
Internet is actually a global service, and given that open relays can be
installed in any legal jurisdiction and used from any other legal
jurisdiction, it's almost impossible to ever make legal action into any
serious deterrent, at least not within any reasonable Internet-based
timeframe. Only technical controls can ever stand a chance of creating
such a deterrent in this kind of disjoint legal quagmire.
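As an added example that is not part of the thread, here is the per-recipient relay decision a mailer makes, with the accept-everything default Roeland recalls from old sendmail beside the closed configuration Greg argues for; the domains, networks and client addresses are constructed samples.

```python
# Added example, not from the original thread: a minimal relay-decision
# function of the kind an MTA applies at RCPT TO. The "open" policy mirrors
# the old accept-everything default; the "closed" policy relays only for
# local domains, trusted networks, or authenticated clients.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RelayPolicy:
    local_domains: set = field(default_factory=set)   # we deliver these locally
    trusted_nets: list = field(default_factory=list)  # clients allowed to relay out
    open_relay: bool = False                          # insecure accept-all default


def relay_decision(policy, client_ip, rcpt_to, authenticated=False):
    """Return (accept, reason) for one RCPT TO from the given client."""
    domain = rcpt_to.rsplit("@", 1)[-1].lower()
    if domain in policy.local_domains:
        return True, "local delivery"
    if authenticated:
        return True, "authenticated client"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in policy.trusted_nets):
        return True, "trusted network"
    if policy.open_relay:
        return True, "OPEN RELAY: relaying for anyone"
    return False, "554 relay access denied"


# Constructed policies: the same local domain, closed vs. open.
CLOSED = RelayPolicy(local_domains={"example.com"},
                     trusted_nets=[ipaddress.ip_network("192.0.2.0/24")])
OPEN = RelayPolicy(local_domains={"example.com"}, open_relay=True)


def audit(policy, attempts):
    """Count how many of the constructed relay attempts a policy accepts."""
    return sum(1 for ip, rcpt, auth in attempts
               if relay_decision(policy, ip, rcpt, auth)[0])


# Constructed attempts: inbound local mail, a trusted LAN host relaying out,
# an authenticated roaming user, and an untrusted outside host relaying out.
ATTEMPTS = [
    ("198.51.100.7", "alice@example.com", False),
    ("192.0.2.10", "bob@example.net", False),
    ("203.0.113.5", "carol@example.org", True),
    ("203.0.113.9", "dave@example.net", False),
]
```

Only the last attempt separates the two policies: the closed relay refuses it, the open relay accepts it, which is exactly the behaviour a mechanical relay test looks for.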