netbsd-users: Re: OT: orbz.org

Subject: Re: OT: orbz.org - help needed
To: None <netbsd-users@netbsd.org>
From: Shannon <shannon@widomaker.com>
List: netbsd-users
Date: 01/29/2002 17:19:03
On Mon, Jan 28, 2002 at 10:23:00PM -0500, kpneal@pobox.com wrote:
> On Mon, Jan 28, 2002 at 12:05:36PM -0500, Shannon wrote:
> > The problem here is that it's possible to have open relays on your
> > domain, and you don't have control over that machine. Should you be
> > blacklisted in that case? I don't know if Orbz would blacklist in that
> > case, but some people have. A company I worked for was blacklisted
> > because a customer's machine had an open relay. As I recall, it was
> > difficult for us to reverse the situation, and lawyers were involved.
> 
> DNS is supposed to be arranged along administrative boundries. If
> an organization (company, whatever) cannot control machines in it's
> domain then that's a wrong way of arranging DNS. It sounds like
> your employeer was a bit clueless in allowing itself to get into
> this situation to start with. 

However, in this case, they were sold their own domain name, so it
should have been possible to blacklist them without affecting us. Maybe
the automated software gets confused if a host is mapped into two
domains. I think some machines were mapped like hostNNNN.ourdomain as
well as machine.theirdomain, and that might have caused it.

Dialup accounts can cause you to get blacklisted for various
vulnerabilities too, and it's just about always logistically impossible
to monitor them all.

I remember talking to a guy one time who worked for an ISP. Each time a
customer connected, a program he wrote actually tested them for things
like open relays, Windows vulnerabilities, and things like that. He said
the customers very rarely noticed (the ones running UNIX often did) and
it could have been useful, but management wasn't interested in it.

Wether or not you could do this on a large scale, I don't know, but it
has interesting possibilities. Anyone ever do this on their own systems
for dialup and/or dynamic IP? My dhcp server has hooks for this kind of
thing, but I've never played with it before.

-- 
shannon@widomaker.com  _________________________________________________
______________________/ armchairrocketscientistgraffitiexenstentialist
 "And in billows of might swell the Saxons before her,-- Unite, oh
 unite!  Or the billows burst o'er her!" -- Downfall of the Gael