Subject: Re: OT: orbz.org - help needed
To: Shannon <shannon@widomaker.com>
From: Greg A. Woods <woods@weird.com>
List: netbsd-users
Date: 01/28/2002 18:39:00
[ On Monday, January 28, 2002 at 01:01:44 (-0500), Shannon wrote: ]
> Subject: Re: OT: orbz.org - help needed
>
> I understand the process and how it shouldn't be possible for errors
> to occur.  Please note I was talking about RBL and Orbz both.

If you mean "RBL", as in "blackholes.mail-abuse.org", then you're
clearly talking about two totally unrelated and separate things as if
they are somehow related.  They are not.  Please do not confuse them.

>  Also
> note that 100% accurate means the filter lets all of my email through
> and only blocks SPAM.

Perhaps you need to re-think the policies you use to regulate your own
use of e-mail, implied or otherwise, and how you implement them.  Unless
you can arrange to have _all_ of the legitimate correspondents who might
send you e-mail to use cryptographically secure mechanisms to securely
tag all of "your e-mail", there is quite literally absolutely no
difference between "e-mail" and "spam mail directed to you".

There is no magic algorithm that can reliably identify spam e-mail and
not at the same time sometimes mistakenly identify the odd legitimate
message as a spam message (though there are some surprisingly simple
matching patterns that are reasonably reliable).  Certainly not all
e-mail coming from a mailer which is a known open relay is going to be
spam -- an open SMTP relay is merely a misconfigured mail server, not a
proven source of spam messages and only spam messages.  You can either
choose to receive all e-mail addressed to your mailbox and manually
delete the ones you don't want to read, or you can choose to implement
policies that will block some/most spam messages while at the same time
potentially blocking some legitimate messages too.  Since open SMTP
relays are very commonly exploited with theft of service attacks to
distribute spam messages, one very successful method of blocking many
spam messages is to block all e-mail from known open SMTP relays.

> That means if Orbz blocks my friend's email, it's not 100% accurate,
> regardless of why. Filters only have meaning from my point of view: they
> have to block SPAM and only SPAM.

If ORBZ lists your friend's e-mail server and you use that listing to
block your friend's e-mail then it could be argued that _your_ mail
server is (also) misconfigured.

ORBZ (and every other DNS black list too) doesn't block anything -- it
provides listing of SMTP servers that have proven to be open relays.  If
you choose to use those listings to block incoming mail then presumably
you have done so because you have defined a policy for your mail server
that says you will not allow it to accept any messages from known open
relays.  A slight modification to your policy definition and its
implementation will allow you to white-list specified mail servers.
Obviously if you white-list your friend's mail server even though it is
a known and proven open relay then you take the risk of receiving some
spam messages from that server.  It's up to you whether you wish to take
that risk or not.

> Sorry if I didn't make that clear.

Sorry if your friends choose to use known open relays.....  :-)

Perhaps though if you choose to block e-mail from any of your friends
who use open SMTP relays then they can use this action as a lever to try
to convince their own postmasters to recognise their mailer's
vulnerabilities and to fix them.  It's also an easy way for your friends
to find out that they are using a mail server that is known to be
vulnerable to theft of service attacks.  :-)

Personally I use ORBZ and other open relay lists to block connections to
my mail servers because I do not wish it to be a party to any theft of
service attacks against anyone else.  The fact that this also stops many
spam messages directed at my mail servers is merely a very beneficial
side effect because I do not like spam mail and I do not wish to be
lured into using the services or products of anyone who would commit
theft of service attacks in their efforts to market their products or
services.

I also use lists of known spam sources, such as bl.spamcop.net, to block
SMTP connections, since as I mentioned I don't like spam e-mail very
much, and my mail servers host domains that seem to be very highly
targeted by spammers despite the relatively few mailboxes they host.

However I white-list several networks and hosts, not only to prevent
them from being accidentally blocked, but also to avoid having to look
up their addresses in the DNS black lists I use.

-- 
								Greg A. Woods

+1 416 218-0098;  <gwoods@acm.org>;  <g.a.woods@ieee.org>;  <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
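The policy Greg describes above (a DNS black list only publishes listings; the receiving mail server's own policy decides whether to reject, and a white-list both protects trusted hosts and spares them a lookup) is shown here as an added example that is not part of the original message. The IPv4 DNSBL query form (reversed octets prefixed to the zone, a 127.0.0.x answer meaning "listed", NXDOMAIN meaning "not listed") is the standard convention; bl.spamcop.net is the zone named in the message, while the open-relay zone, the white-listed networks, the client addresses and the resolver answers are all constructed placeholders.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# bl.spamcop.net is named in the message; the second zone is a constructed
# placeholder standing in for an open-relay list, not a real zone name.
DNSBL_ZONES: List[str] = ["bl.spamcop.net", "open-relays.example.invalid"]

# Networks and hosts the postmaster trusts (constructed sample values).
# They are checked first, so no DNSBL query is ever made for them.
WHITELIST = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Build the conventional IPv4 DNSBL query name for client_ip in zone.

    203.0.113.1 queried against bl.spamcop.net becomes
    1.113.0.203.bl.spamcop.net (octets reversed, zone appended).
    """
    addr = ipaddress.IPv4Address(client_ip)  # raises ValueError for non-IPv4
    reversed_octets = ".".join(reversed(addr.exploded.split(".")))
    return f"{reversed_octets}.{zone}"


def is_whitelisted(client_ip: str, whitelist: Iterable) -> bool:
    """True if client_ip falls inside any white-listed network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in whitelist)


def check_connection(
    client_ip: str,
    whitelist: Iterable,
    zones: Iterable[str],
    resolve: Callable[[str], Optional[str]],
) -> Tuple[str, str]:
    """Apply the local policy to one inbound SMTP connection.

    resolve(name) returns the A record as a string when the name exists
    (the list says "listed") or None for NXDOMAIN ("not listed").
    Returns ("accept" | "reject", human-readable reason).
    """
    if is_whitelisted(client_ip, whitelist):
        return ("accept", f"{client_ip} is white-listed; no DNSBL lookup made")
    for zone in zones:
        name = dnsbl_query_name(client_ip, zone)
        answer = resolve(name)
        if answer is not None:
            # The list only reports the listing; rejecting is our policy.
            return ("reject", f"{client_ip} listed in {zone} ({name} -> {answer})")
    return ("accept", f"{client_ip} not listed in any configured zone")


class CountingResolver:
    """Offline stand-in for DNS (constructed): answers from a fixed table
    and counts queries, so the lookup-saving effect of the white-list is
    observable."""

    def __init__(self, listings: Dict[str, str]) -> None:
        self.listings = listings
        self.queries = 0

    def __call__(self, name: str) -> Optional[str]:
        self.queries += 1
        return self.listings.get(name)


# Constructed listings: a spam source, and an open relay that happens to
# sit inside a white-listed network (so its listing is never consulted).
FAKE_LISTINGS = {
    "1.113.0.203.bl.spamcop.net": "127.0.0.2",
    "9.2.0.192.open-relays.example.invalid": "127.0.0.2",
}


def demo() -> List[Tuple[str, str, int]]:
    """Run three sample connections; returns (ip, verdict, queries so far)."""
    resolver = CountingResolver(FAKE_LISTINGS)
    results = []
    for ip in ("203.0.113.1", "192.0.2.9", "203.0.113.2"):
        verdict, _reason = check_connection(ip, WHITELIST, DNSBL_ZONES, resolver)
        results.append((ip, verdict, resolver.queries))
    return results


if __name__ == "__main__":
    for ip, verdict, queries in demo():
        print(f"{ip:<12} {verdict:<7} (DNSBL queries so far: {queries})")
```

Two things the run makes visible: the white-listed 192.0.2.9 is accepted without adding to the query count even though the constructed table lists it, which is exactly the trade-off described in the message (a white-listed open relay can still deliver spam); and the unlisted 203.0.113.2 costs one query per configured zone before it is accepted, which is the lookup cost the white-list avoids for trusted peers.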