RE: Stealth Blocking

From: David Schwartz [mailto:davids@webmaster.com]
Sent: Wednesday, May 23, 2001 7:10 PM

Roeland Meyer wrote:

> I don't need to check because I have a piece of confirmed spam
> from them. A
> smoking gun. That's the way MAPS RBL has been working for years.
> That is the
> way I expect it to continue to work. The main reason that I
posted to this
> thread is that some of the posts lead me to believe
otherwise. They were
> confused.

  I think you're missing the big picture. If you receive
a single piece of
spam from a site, that's not automatically grounds to block
the site. That's
a recipe for maximizing collateral damage.

  So the receipt of a spam from a site is the beginning
of the process, not
the end.

Actually, I simplified the process. I agree with you 100% here. I don't have
the time for such an investigation therefore I use MAPS RBL.

> > Absolutely. Probe the machine that is of concern, not
> > whole blocks randomly.

> Also, only block the proven spam-host. No one else.

  That's a more complex judgment. In most cases, I agree
that this is
appropriate, but I can think of (and have personally
witnessed) more extreme
circumstances. I've seen ISPs who say, "no, we like to spam
and we will spam
in the future". In those extreme cases, I'll block their
entire address
space from reaching my mail servers until their policy changes.

Another reason to use MAPS RBL.

> > No, its open-relay status is not irrelevant. If you
> > know a site is an open
> > relay, however you know this, and you want to block open
> > relays (which I do)
> > and it's my right to block open relays, then I will block
> > them. How I find
> > out they're an open relay is another story. The usual way is
> > you probe a
> > site when it becomes an actual problem.

> I submit that if you have a piece of spam, from a site, and
are blocking
> them, why do you need to probe them?

  Well, if you're blocking them because they're an open
relay and they say
they've fixed the problem, it's certainly reasonable to probe
them to decide
whether you should begin allowing mail from them. Or do you think it's
better to block them indefinitely just so that you don't 'trespass' by
probing them?

I'm actually not advocating blocking all open relays. I am advocating
blocking all spammers, whether they have open relays or not. There are
actually open relays that a spammer can never use, because the open relay
site uses MAPS RBL. The are collateral damage, with ORBS. Show me how such a
site can be used by a MAPS RBL'd spammer. BTW, yet another reason to use
MAPS RBL.

> > 3) Do you think it's unreasonable to block known open
> > relays as a
> > protection against future spam.

> Absolutely not. Our entire Norte Americano culture is biased
> AGAINST apriori
> restrictions.

The following is a real good example of why I don't like argument by
analogy. Your analogy is broken. Let's deal with the issue directly. We
actually seem to be on the same side here or not very far apart.

I'm actually not advocating blocking all open relays. I am advocating
blocking all spammers, whether they have open relays or not. There are
actually open relays that a spammer can never use, because the open relay
site uses MAPS RBL. The are collateral damage, with ORBS. Show me
how such a
site can be used by a MAPS RBL'd spammer. BTW, yet another reason to use
MAPS RBL.

  That's about the only thing you said that I don't agree with. Use of the
MAPS RBL does not make an open relay any less prone to abuse. Use of the
MAPS DUL will make an open relay less prone to abuse; however, there are
many dial up accounts that are not in the DUL. Nothing stops a spammer from
hopping between these dial up accounts.

  If you say, "well, those dial up accounts should be in the DUL", I'll
partially agree with you. But the DUL is largely opt-in. If the provider
doesn't want to opt in, then it's the open relay that's the problem.

  If you say, "well those dial up accounts should be in the RBL", then I
won't agree with you. Let's not forget that the RBL is a blackhole list.
It's unreasonable to blackhole provider A because his customers are using
someone else's open relay. This is especially the case if the open relay
makes it any harder to track the actual origin of the spam (say by not
putting the source port in the forwarded email). It won't help much if
provider A has a good anti-spam policy if someone else is enabling his
customers to spam.

  I am firmly convinced that an open mail relay is a hazzard to the community
at large. I don't wish to receive email from them, whether or not they've
yet been used to forward spam. While this does cause some collateral damage,
I submit that it's the unavoidable type of collateral damage. In practice,
the only ethical way to discover an open relay is for it to be used to
forward a spam, so in practice there's no distinction.

  In fact, I would not have really minded if ORBS had continued their
practice of probing for open relays. I personally didn't feel that it was
ethical, but I don't believe it itself caused any major problems. My break
with ORBS occured when they started listing sites that were not confirmed
open relays. If ORBS was still a list of only confirmed open mail relays,
I'd probably filter on it right now. (While ethically opposed to the way the
data was gathered, I don't see any ethical problem with using it. Much like
some data that was collected by Nazi medical 'experiments'. While I
certainly don't condone the experiments, the means with which the evidence
was gathered isn't grounds to dismiss the evidence.)

  I think we've both made our positions clear, so I'm going to stop this
thread unless you say something unbelievably radical.

  DS