sorbs.net

From owner-nanog@merit.edu Tue Mar 15 12:53:30 2005
Date: Tue, 15 Mar 2005 10:53:22 -0800
From: Micah McNelly <micah@style.net>
Subject: Re: sorbs.net

Actually I got a response quickly from a list member who represents sorbs
at some level. Do you really think opinion has a place in mail
delivery?

*MY* opinion on that matter doesn't count for sh*t.

Neither does yours.

The _only_ opinion that matters is that of the *owner* of the destination
mail-server. As in "My server, *my* rules."

Quite obviously, the server operator at the place you were trying to mail
_to_ *DOES* believe that 'opinion' has a place in e-mail delivery.

Like I said, the _first_ place you should take your 'problem' is to *them*.
*NOBODY* is 'forced' to use SORBS, or any other blocklist. The mail-system
owners/administrators that *CHOOSE* to do so, have made a voluntary decision
to restrict incoming mail to their system on that basis. THEY did it, nobody
else.

a few questions

  o could this be used as a dos and then become extortion?
    has this actually happened, or is it just black heli?

  o the ts&cs would seem to indicate that the donation is
    voluntary, and proportional to the spam generated. e.g.,
    if you generated no spam, no donation. do i understand
    this correctly?

randy

Unlikely. Blocklists are used by choice, and blocklists which
either aren't effective or don't have sane policies don't get
chosen often. (See "BLARS", which even blars was recommending
that you don't use the last time I checked.) So if someone
tried this approach, the most likely outcome is that those
using it would stop and the problem would evaporate.

---Rsk

unfortunately, that *still* didn't stop people from using it, which
translated into an unresolvable headache for me as a sp. if you don't
consider a blacklist to be usable by the public, don't publish it. however,
publishing a draconian blacklist seems to get you a 'hardcore' label/clout
in certain circles and is thus irresistible for some.

-p

Then gripe at the people who chose to use it: it was *their*
decision, and if it was a poor one, then they are the people
who need to be held accountable for it.

Look, if I want to publish a blocklist of all domains with the
string "er" in them and all IP addresses ending in .7, that would be
a silly thing to do: but after all, it's just a list. It doesn't
_do_ anything until someone decides to use it for some purpose.
And if they're insane enough to do so, well, <shrug>, so be it.
It's their system/network; they're free to decline any inbound
traffic they don't wish to receive. And you, and I, and everyone
else who's not on their system/network, don't get a vote.

---Rsk

Sorry if this thread is older, but I ran into a PRIME operational example of this last week that cost one of the techs here a few hours' headache.

Lady was running Exchange. She had the Symantec virus/spam/crap filter for it installed. All email to her was bouncing with a 550 spam site deny.

We jerked around with it for quite some time before we realized that one of the DNSBLs that the Symantec product was using was returning positive for ALL queries.

This is the risk you run - this product either had it on by default, or it was in a list of options to turn on. End users don't know what it is, and only know it'll help eliminate spam, and they turn it on. Then they generate support load when their email breaks.

Average user, or even sysadmin, doesn't know about DNSBLs. To state that you make a concerted effort to use them nowadays may be false. SpamAssassin comes out of the box poking SORBS and adding score if it's in there. I turned it off because of questionable listings, but how many users of SA know how to do that?

Food for thought.

Jason
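
Added example, not part of the original thread or any poster's code: a health check for the failure described above, where a DNSBL answers positive for every query. It relies on the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must not be); the zone name and the sample resolvers are constructed so it runs offline.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def reverse_name(ip, zone):
    """DNSBL query name: IPv4 octets reversed, then the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def system_resolve(name):
    """A records for name via the system resolver, [] if it does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def dnsbl_health(zone, resolve=system_resolve):
    """Classify a DNSBL zone from its two RFC 5782 test entries."""
    must_list = resolve(reverse_name("127.0.0.2", zone))
    must_not_list = resolve(reverse_name("127.0.0.1", zone))
    if must_not_list:
        return "lists-everything"   # the failure described above: every query hits
    if not must_list:
        return "empty-or-dead"      # zone gone or emptied: filter silently does nothing
    if not all(ipaddress.ip_address(a) in LOOPBACK for a in must_list):
        return "bad-answer"         # e.g. a parked domain answering with a real host
    return "ok"

def fake_zone(records, wildcard=None):
    """Constructed stand-in resolver so the example runs offline."""
    def resolve(name):
        return records.get(name, [wildcard] if wildcard else [])
    return resolve

ZONE = "bl.example.org"  # hypothetical zone name
SAMPLES = {  # constructed zone behaviours, not real lists
    "healthy": fake_zone({reverse_name("127.0.0.2", ZONE): ["127.0.0.2"]}),
    "wildcarded": fake_zone({}, wildcard="127.0.0.2"),
    "shut down": fake_zone({}),
    "parked": fake_zone({reverse_name("127.0.0.2", ZONE): ["203.0.113.10"]}),
}

if __name__ == "__main__":
    for label, resolver in SAMPLES.items():
        print(f"{label:10} -> {dnsbl_health(ZONE, resolver)}")
```

Run on a schedule against each configured zone with the default resolver, anything other than "ok" is a reason to pull that list from the filter before mail starts bouncing.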

This sounds like an excellent sales point for value added mail
processing...

Cheers,
-- jra

actually the risk being run is 'not understanding what you are doing' :(
mark this admin of mail systems up with the others who blithely use ANY
RBL without knowing how/what/where/when it gets made.

-Chris

It is not just clueless end user exchange admins who deploy dumb filter rules.

If I had a nickel for every time I've run into stupid spam filtering
(read: filtering that affects mail from my over 40 million users,
because an admin was too dumb to read forged headers) at surprisingly
large operators [ISPs, huge corporate networks etc] I'd be rich.

Luckily, quite a few people who turn on dumb spam filters do turn them
off when contacted and told about their bad filtering. Some make the
mistake of not doing so - and they'll be destined to lose email for
their users, on a permanent basis.

It's that old Spiderman quote - With great power comes great
responsibility. Having root / enable / postmaster access at a site
means it's not enough to know how to do "access list 101 deny" or "vi
/etc/mail/access" .. it means that the guy should know when to do it -
and when not to. And he should be reachable, and should know enough
to realize he's screwed up, and to fix it. Sadly, this is rather less
common than simply knowing how to throw filters in - that's the easy
part. Kind of like the difference between a mining engineer
triggering carefully shaped and placed demolition charges, and Wile E
Coyote lighting the fuse on a bundle of dynamite.

> .. it means that the guy should know when to do it -
> and when not to. And he should be reachable, and should know enough
> to realize he's screwed up, and to fix it. Sadly, this is rather less
> common than simply knowing how to throw filters in - that's the easy
> part. Kind of like the difference between a mining engineer
> triggering carefully shaped and placed demolition charges, and Wile E
> Coyote lighting the fuse on a bundle of dynamite.

There are a lot of people in this industry who claim to
be engineers but they're not. In fact, I am of the opinion
that there is no such thing as an Internet network engineer
because there are no published best practices for Internet
network engineering and there is no formal oversight for
Internet network engineering. This is the fundamental problem
in Internet operations today. Too many cowboys and Wile E Coyotes.

--Michael Dillon

P.S. Has anyone else had a look at the PITAC report to the
President on Cyber Security? http://www.itrd.gov/pitac/

I wish it were always so easy. I've been talking to an administrator
lately whose policy is that "losing occasional email is ok if it
means we keep out a whole bunch of spam". If they're that far over
the fence I'd need a strong bull with a long rope to try to pull them
back to my side. I keep trying to tell him I'm potentially losing
business due to his position, but he's convinced spam is worse.

Some people simply can't be educated.

On the other hand, which should he choose - *you* losing business due to
his position, or *HIM* losing business if he takes the other position?

If he lowers his spam filters enough to allow your *potentially* lost
business through, and he loses 10% of his customers to someplace that has
a heavier-duty spam filter policy, are you going to repay him for that
lost revenue?

That is a far cry from far dumber filtering mistakes that keep
happening, and that I have an issue with.

If an admin has spam in hand - go ahead. Block till it's fixed, if the
numbers add up the way this guy says. And be prepared to listen, and
to unblock.

If you are blocking based on your misreading of forged spam, or are
implementing over-extreme filters, and don't want to listen to
complaints about it, or to address false positives, consider
downgrading the infrastructure you manage from "production mailserver"
to "etch a sketch".

More on spam-l or some other more appropriate list. I'm starting to
repeat myself.

-srs

If there were a centralized site to which to contribute such things, a
site based on MediaWiki, for example (the engine which drives
Wikipedia), would the members of this list contribute to it?

Cheers,
-- jra

For those who have never heard of Wikipedia, it is an
online encyclopedia that anyone can contribute to. However,
it is not a free-for-all. There is some structure to it and
it has evolved to the point where it really does provide
accurate and comprehensive information at least equal to
the big paper encyclopedias.

It could actually help us solve the problem of getting
best practices published. However, the Mediawiki tool itself
is not the solution to the problem, only a vehicle towards
a solution. We would need a large percentage of NANOG members
to write (or review and correct) sections relating to their
expertise.

And Jay, before you put up this site, I suggest that you think
long and hard about who will run/promote the site. The technical
aspects of getting MediaWiki running on a server are trivial. The
real challenge is in promoting the site and getting a high enough
calibre of contributor. That will mean repeated status update
presentations at NANOG meetings and a lot of chasing people in
hallway discussions to get them to contribute.

However, it could work and I'm glad that you suggested this
because it is a nice incremental and evolutionary technique
to collect and publish the knowledge of the "profession".

--Michael Dillon

[ Me: ]

> If there were a centralized site to which to contribute such things, a
> site based on MediaWiki, for example (the engine which drives
> Wikipedia), would the members of this list contribute to it?

> For those who have never heard of Wikipedia, it is an
> online encyclopedia that anyone can contribute to. However,
> it is not a free-for-all. There is some structure to it and
> it has evolved to the point where it really does provide
> accurate and comprehensive information at least equal to
> the big paper encyclopedias.

In general, and you can get a fairly good idea of the provenance of a
given fact if you need to rely on it for something.

> It could actually help us solve the problem of getting
> best practices published. However, the Mediawiki tool itself
> is not the solution to the problem, only a vehicle towards
> a solution. We would need a large percentage of NANOG members
> to write (or review and correct) sections relating to their
> expertise.

Correct: we would. I'm a fairly good general and structural editor,
but for this, I'd likely even need for someone(s) to contribute a good
structural framework onto which to hang the necessary information.

Wikis *do* have the nice advantage that the content is structure free:
you can build and rebuild any ontology around the information that
suits you, and indeed multiple ones (topic index, tutorial, etc) around
the *same* information.

> And Jay, before you put up this site, I suggest that you think
> long and hard about who will run/promote the site. The technical
> aspects of getting MediaWiki running on a server are trivial. The
> real challenge is in promoting the site and getting a high enough
> calibre of contributor. That will mean repeated status update
> presentations at NANOG meetings and a lot of chasing people in
> hallway discussions to get them to contribute.

As far as running it, I was considering letting Wikipedia do it.

They've got a service that the founder of Wikipedia cooked up called
Wikicities; same rough idea as Geocities (centralized hosting, your
content), but they're pickier about who they'll start one for (for
obvious reasons). I need to investigate whether they host those sites
on the Wikipedia cluster (where, in general, the connectivity and
support are reasonably good and improving)...

though as you note, installing and maintaining a small one is pretty
trivial.

As far as promoting it?

If we build it, they will come. Google is your friend. Making clear
what it is and who's writing for it is enough for the second-tier
visitors, and they'll likely word-of-mouth it to the first-tier.

As far as I can see, the fact that it's all in one place makes the
"making the net a better place" motivation more applicable.

> However, it could work and I'm glad that you suggested this
> because it is a nice incremental and evolutionary technique
> to collect and publish the knowledge of the "profession".

I've become *quite* fond of Wikis for knowledge capture. The ease of
editing and linkage locality of reference they provide make it *much*
simpler for people to post the things they know and believe (though
distinguishing the two can be ... interesting at times).

Not alone because I *am* a network operator (however customer-side and
small) who knows that they don't know everything, it's something I'd
like to see happen. Somehow.

Cheers,
-- jra