Thanks again for your thoughts. No, I'm not an ISP, and I take very
seriously security on my own systems. I personally have no enthusiasm for
insecure systems.

That said ... two ISPs whose smarthost mail relays are on ORBS' open-relay
list are PacBell Internet Services and Best Internet Services (now part of
Verio) -- two of the biggest ISPs in my area (also my current and my
soon-to-be-former ISP). They seem to survive the alleged vulnerability quite
well. I don't know if they have something in place that protects their
smarthosts, but that doesn't meet your standards, or if the vulnerability
simply isn't as great as you say it is ... or if they've just been lucky up
till now (I doubt this last possibility, since both are in the portion of
the ORBS database that anyone, including spammers, can consult).

As to my immediate concern ... I have so far only seen two messages about
people who have found themselves cut off from linux-newbie due to vger's use
of the ORBS' open-relay database.

At 02:47 PM 1/19/00 +1300, ORBS catchall account wrote:
>On Tue, 18 Jan 2000, Ray Olszewski wrote:
>
>> I didn't say it was impossible for a smarthost manager to comply with ORBS'
>> standards. I said it was "VERY difficult ... to avoid getting tagged". Your
>> response -- that you give them "several days" to comply with your standards
>> -- doesn't avoid the difficulties of having to police EVERY client they sell
>> service to.
>
>If you are an ISP, you had better be prepared to police every
>client you sell service to, or else you shouldn't be in the
>business.
>
>Having owned and operated an ISP for something like 10 years, I
>_do_ know what I'm talking about. ISPs who don't deal with their
>problems tend to find themselves widely disliked and usually
>attract every kind of script kiddie under the sun.
>
>AB
------------------------------------"Never tell me the odds!"---
Ray Olszewski -- Han Solo
Palo Alto, CA [EMAIL PROTECTED]
----------------------------------------------------------------