
Re: Children of ORBS

  • From: Anders Andersson < >
  • Date: Sat, 1 Sep 2001 02:10:52 +0200 (MET DST)

"Jesus Sanz de las Heras. CSIC/RedIRIS" <jesus.heras@localhost> wrote:
> What do you think about these new black lists? Some of you are using
> them?
>
>http://www.ordb.org
>http://www.orbz.org
>http://www.orbl.orb

Due to the MAPS July announcement, I went hunting for another
supplier of relay data just like you, and I decided to try ORDB
as an add-on to MAPS RSS, primarily as a precaution against MAPS
disappearing from our view before we have obtained a contract.

My primary reasons for picking ORDB: A good web interface with
essential data about each listing, and a substantial number of
relays already listed (to ensure a large subscriber base; I want
to go where most people probably go).

A Swedish ISP with which we wanted to maintain contact turned out
to be listed by ORDB, so I disabled ORDB while we investigated.
I was unable to verify the open relay myself, but ORDB showed they
could relay, and the ISP decided to upgrade their sendmail, which
apparently solved the problem, except that the ORDB test wasn't
conclusively negative afterwards, but said (address crossed out):

> >The host you submitted at ORDB.org (xx.xx.xx.xx), has been thoroughly
> >checked, and does not seem to permit relaying.
> >
> >Please note however, that this may be caused by extreme delays at
> >the servers end.

There should be no extreme delays in "550 Relaying denied"...

ORBL drawbacks: Rudimentary IP address lookup facility ("A full
database search takes about one minute"); no information on when
a particular IP address was submitted, tested, added or removed;
no distinction between single-hop and multi-hop relays.

ORBZ drawbacks: No IP address lookup facility except for the DNS
zone; hence no listing details on the addresses either; no way to
submit suspected relays for testing; no statistics at all.

All three share the same drawback that Furio Ercolessi pointed out;
no evidence of actual spamming either provided or necessary for IP
address submission.  While I agree that all open relays _should_ be
closed, I believe most effort should be spent on relays already in
use by the spammers.  Even if I may eventually want to block unused
open relays as well, I want to provide different error messages in
order to properly indicate the severity of each problem.  Spammers
probably spend quite some time probing random addresses for relays;
I don't want to engage more people to help them finish this task in
half the time just because the rest of the relays _may_ be abused.

If the owner of a newly found relay is informed, but fails to do
anything about the problem within, say, a month, _then_ a listing
may be warranted even without spam evidence, but I'd still want it
to be a _separate_ listing so that I can gather my own statistics
on the hit rates of individual blacklists (or elect to use only one
of the lists).  How long does it take for a new host on the Internet
to be found and abused as a relay by spammers, on average?

I block inbound TCP traffic to port 25 (SMTP) on most IP addresses,
leaving only secured mail servers open to the Internet, and I log
any failed connection attempts.  Our subnets comprise around 3,500
IP addresses together.  Over the past week, 748 of them (mostly
named hosts in the DNS) have been the targets of connection attempts
from 62 different client addresses, and twelve of those clients (in
seven different ISP netblocks) have tried connecting to more than
ten different servers each.  I don't know whether these numbers can
be used to estimate the amount of probing going on across the entire
Internet, but I'd welcome input from professional statisticians.

The availability of evidence of abuse submitted by subscribers is
what I like about MAPS.  The announcement that the collection of
evidence constitutes MAPS' intellectual property to be made
available only to paying subscribers is what I dislike about MAPS,
and I hope to find a service that is committed to keeping their
database open to the public, in order to replace MAPS.

Is there a good replacement for MAPS DUL (Dial-up Users List)?
<URL:http://www.declude.com/junkmail/support/ip4r.htm> suggests
osirusoft.com and five-ten-sg.com, but I haven't evaluated either
of them yet.  I'd like to see an easy way of nominating candidate
networks for evaluation and possible listing, without having to
engage the ISP abuse desk in a private therapy session first.

--
Anders Andersson, Dept. of Computer Systems, Uppsala University
Paper Mail: Box 325, S-751 05 UPPSALA, Sweden
Phone: +46 18 4713170   EMail: andersa@localhost
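An added illustration of the probing tally described in the message above (example code, not the author's own script, and the log format is a constructed one since the post does not show its logs): it scans firewall reject lines for inbound port-25 attempts, counts the distinct servers each client address touched, flags clients over the "more than ten different servers" threshold, and groups them by /24 as a stand-in for the ISP netblocks mentioned.

```python
import ipaddress
import re
from collections import defaultdict


def _log_line(src, dst, dport=25):
    """Build one constructed reject line (hypothetical iptables-style format)."""
    return (f"Aug 30 01:02:03 fw kernel: DROP IN=eth0 SRC={src} DST={dst} "
            f"PROTO=TCP SPT=4001 DPT={dport}")


# Constructed sample: one client sweeps twelve servers, one touches three,
# one makes a single SMTP attempt plus an unrelated port-80 attempt.
SAMPLE_LOG = "\n".join(
    [_log_line("198.51.100.7", f"192.0.2.{i}") for i in range(1, 13)]
    + [_log_line("198.51.100.9", f"192.0.2.{i}") for i in range(1, 4)]
    + [_log_line("203.0.113.5", "192.0.2.1")]
    + [_log_line("203.0.113.5", "192.0.2.2", dport=80)]
)

LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP .*?DPT=(?P<dport>\d+)")


def smtp_targets_by_client(log_text):
    """Map each client address to the set of distinct port-25 targets it hit."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("dport") == "25":
            targets[m.group("src")].add(m.group("dst"))
    return targets


def probing_clients(targets, min_targets=10):
    """Clients that tried strictly more than min_targets distinct servers."""
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) > min_targets}


def netblocks(clients, prefixlen=24):
    """Group client addresses by /24 (assumption standing in for real ISP allocations)."""
    return sorted({str(ipaddress.ip_network(f"{c}/{prefixlen}", strict=False))
                   for c in clients})


def summarize(log_text, min_targets=10):
    """Return the same kind of counts the post reports for its own week of logs."""
    targets = smtp_targets_by_client(log_text)
    probers = probing_clients(targets, min_targets)
    hosts = set().union(*targets.values()) if targets else set()
    return {"targeted_hosts": len(hosts), "clients": len(targets),
            "probers": probers, "prober_netblocks": netblocks(probers)}
```

Only rejected inbound attempts to port 25 are counted, so a real run needs the firewall to log the drops it performs.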