On Wed, 10 Jul 2002, Theo Van Dinter wrote:

> On Wed, Jul 10, 2002 at 11:22:32AM -0400, Dean Anderson wrote:
> > Not all RBLs, just open relay RBLs.  If you use Open relay rbls, then you
> > are blocking based on the connection address. This is wrong. You should be
> > filtering against the IP addresses in the headers of the message. If you
> > filter this way, the relay used by the spam is irrelevant. It doesn't
> > matter if the relay is open or closed.
> 
> Well, no, actually that's exactly the address you want to block -- the open relay.

You can never "tell before it gets into your system" whether something is
spam or not.  That's the equivalent of trying to foretell the future.  
Indeed, short messages are already in your system--There is this thing
called TCP windows--Messages under 8 or 16K are probably there before
sendmail gets around to processing anything.

An open relay or a closed relay usually belongs to an ISP, or a company
sending legitimate email. It makes no difference which the spammer uses.
Or if the spammer connects directly.  There is still a spammer. It's the
junk mail, not the legitimate email, that you want to block.

Individuals can block legitimate email, to their own detriment, of
course. ISPs can't block legitimate email.

> > filters at all.  Even then, they mostly just get a "feel good". Much the
> > "blocked spam" is originated by the open relay people.
> 
> You need to stop generalizing -- not all open relay lists are bad.
> If you had a problem with some of them, then those lists may be bad,
> but they're definitely not all bad.

Ok, I haven't yet seen an open relay RBL that was good. Here are the
ones I've seen:

IMRSS.org  (booted by ISP, shut)
ORBS.org (booted from Canada to NZ, then closed by NZ Court, shut--well
within 3 weeks, ORBZ and ORDB are created using the ORBS database)
ORBZ.org (booted from Taconic on news that they crashed MI computer, then
allowed back on news the city wasn't going to prosecute.)
ORDB.org (booted from US, found home in Europe)
ORBL.org (booted by ISP, shut)
NJABL.org (not yet booted)
OpenRelayWatch.org (booted by ISP, shut)
RSS (claims to have stopped scanning, but lies)

All of these have been proven sources of open relay abuse. Of these 8, 4
have been shut. All but RSS operated on very small connections, and so
can't have many users.  All of these list our servers.  We have very few
messages blocked. Just one last month, to skyandtelescope.com.

It's not the idea of blacklists that is flawed, it's the idea that open
relays should be blocked that is flawed.  An open relay black list is
either naive and misled, or it is an abuser.

Anyone who has spent a lot of time analyzing spam or relay use would
figure out that open relays have their place, and that whether spam has
passed through an open or closed relay is irrelevant.  And they should
have figured out that to use IP based RBLs properly, one needs to look at
the headers or the content, or both.  There is no correlation between the
method of transfer and spam content.  All email is transferred in one of
three ways. All legitimate email, all junk email.  The spammer can be
identified in two ways: their IP address (only found in the headers) and
the content of the message.  The IP address of their relay is not useful.

So I don't think it's very credible that the open relay black lists are
really just naive.  They are just looking for cover for their searches for
open relays to abuse.

There is no one else besides these groups searching for relays to abuse.
They are the spammers.  But there could be other blacklists, and no doubt
are.  Black lists that block ISPs can't be used by ISPs. Black lists that
do revenge blocking shouldn't be used by anyone.

Clearly, you don't want to use the services of a naive blacklist, and you
also don't want to use the services of an abusive blacklist. All open
relay black lists fall into one of these categories. So it's safe to
generalize that any open relay black list should be avoided.

                --Dean
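
The header-based check Dean argues for, as an added Python example that is not code from the thread: it pulls the relay addresses out of every Received: header and forms the DNSBL query name for each, so the lookup covers the whole relay chain and not only the connecting address. The sample message, the `dnsbl.example` zone and the stub resolver are constructed for illustration.

```python
import email
import ipaddress
import re

# Constructed sample (not from the thread): the top Received: line was written
# by our own MX and names the connecting relay; lower lines trace earlier hops.
SAMPLE_MESSAGE = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mx.example.org (8.12.3/8.12.3) with ESMTP id g6AFMWv012345
\tfor <user@example.org>; Wed, 10 Jul 2002 11:22:32 -0400
Received: from dialup-42.example.com (dialup-42.example.com [198.51.100.42])
\tby relay.example.net (8.11.6/8.11.6) with SMTP id g6AFLxY004321;
\tWed, 10 Jul 2002 11:21:59 -0400
Received: from localhost (localhost [127.0.0.1]) by dialup-42.example.com
From: someone@example.com
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Loopback and RFC 1918 space never appear in a public DNSBL; skip them.
SKIP_NETS = [ipaddress.ip_network(n) for n in
             ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def relay_chain(raw_message):
    """Every bracketed IPv4 address in the Received: headers, newest hop first.
    Folded header lines are handled by the stdlib parser; duplicates are dropped."""
    msg = email.message_from_string(raw_message)
    hops = []
    for received in msg.get_all("Received", []):
        for ip in IP_IN_BRACKETS.findall(received):
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in SKIP_NETS) and ip not in hops:
                hops.append(ip)
    return hops

def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the list zone: the standard DNSBL lookup name."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def listed_hops(raw_message, zone, resolve):
    """Check every hop in the chain, not only the connecting relay. `resolve(name)`
    returns True when the name has an A record (a real one wraps socket.gethostbyname)."""
    return [ip for ip in relay_chain(raw_message)
            if resolve(dnsbl_query_name(ip, zone))]

if __name__ == "__main__":
    # Stub resolver standing in for DNS so the example runs offline.
    listed = {"42.100.51.198.dnsbl.example"}
    print(listed_hops(SAMPLE_MESSAGE, "dnsbl.example", lambda n: n in listed))
```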


---
Send mail for the `bblisa' mailing list to `[EMAIL PROTECTED]'.
Mail administrative requests to `[EMAIL PROTECTED]'.
