Brian Carpenter asked that the subject be changed. I've also removed the IESG from the cc-list.

Doug, you've been misled. Inline.

On Wed, 22 Jun 2005, Doug Royer wrote:

> I have not been following this topic closely.
> To the point of open relays being a problem.
>
> I think that the judgment as to whether open relays are a problem
> or not depends on which spam lists you are on.
>
> With my system and by grep-ing through my last 4 weeks of logs
> there were 22,870 of 26,157 spams blocked by my usage of two open
> relay DNS-black lists blocking them from 14,131 UNIQUE IP addresses.

You cannot know from logs whether you are blocking spam or ham. You can only see that you blocked messages. Like many before you, you've been misled, but you probably feel much better thinking that you are blocking spam.

I'm not sure which blacklists you consider to be "open relay" blacklists. Since fall 2003, after most of the open relay blacklists shut, the remaining "blacklists" don't search for or block open relays anymore (though SORBS started up in March 2005). Indeed, Matthew Sullivan of SORBS recently tried to convince people on Nanog that he/SORBS was never interested in open relays, but rather in open proxies. This claim (like many of Sullivan's) is belied by the facts: SORBS stands for "Spam and Open Relay Blocklist", and there is a SORBS project on SourceForge from 2002, with an open relay scanner program.

> 6,676 of which have no reverse-DNS. They seem to be in IP blocks of
> 10-12. The other 2,616 spams that were DNS-blocked were from
> non-open-relay lists. I still get 20-50 spams that make it to
> my inbox every day.
>
> The SORBS pages say they have over 3 Million such open relay or open
> proxy (hacked or not) sites.

SORBS/Sullivan is a documented liar, and Sullivan's associate Alan Brown (formerly of ORBS) has been proven in court to be a liar in 3 separate court cases.
And Brown's only regret in those cases is that he told the court the truth when asked if he had subscribers. ORBS was shut for contempt of court when Brown published his blacklist instead of complying with a court order to remove false entries. You should review http://www.iadl.org, although it is not complete.

> Spammers seem to set up open relays and use them.

I think you are incorrectly analyzing headers. See below.

> And as I do not think that there are 14 thousand spammers, my guess is
> that the spammer machines change their IP nightly or find a lot of open
> relays.

I keep logs of TCP SYN packets to port 25 over a group of about 68,000 IP addresses, and run non-production queue-only relays that serve as honeypots for open relay scanning. No one is scanning for open relays, and no one has been scanning since most of the open relay blacklists shut in 2003, with the exception of SORBS, which only restarted in March. Prior to 2003, only open relay blacklists were doing the scanning. We tested these blacklists as previously described, and found that they were associated with, and a necessary component of, open relay abuse. Block the open relay blacklists and prevent their scanning, and open relays aren't abused.

Further, I don't delete or block spam to several personal mailboxes. Years ago, I used to be able to go through my recently received spam and quickly find an open relay abuse delivering spam to my av8 (and non-av8) email addresses. Today, this is the closest I could find:

Received: from dial-66-59-238-35.lcinet.net (dial-66-59-238-35.lcinet.net [66.59.238.35])
        by odie.av8.com (8.9.3/8.8.5) with SMTP id QAA24726
        for <uucp@xxxxxxx>; Fri, 24 Jun 2005 16:43:27 -0400 (EDT)
Received: from chastiser ([235.245.195.212] helo=lurched.lcinet.net)
        by dial-66-59-238-35.lcinet.net with SMTP id 17C396B7
        for uucp@xxxxxxx; Fri, 24 Jun 2005 16:43:26 -0400

Note that 235.245.195.212 is not allocated. This is a forged header. 66.59.238.35 isn't running an open relay.
Indeed, I could not find a single open relay spam in a sample of 15 of the 605 spams I've received in the last 24 hours. But I did find forged headers pretending to be open relay. Though that is also becoming the exception. Much spam doesn't even bother with forged headers.

> If it were not for open-relay DNS black lists, I could not run my
> company.

These are probably doing you more harm than you realize. Or are you a promoter? (There are basically two kinds of users of these blacklists: the misled, who don't know, and the promoters, who know and don't care.)

Most "open relay" blacklists are revenge lists, and while they may block some real spam [or possibly block pretend spam that they generated--they call this "mailbombing"], their purpose is revenge and extortion. This is well documented: ORBS and its successors, SORBS, Osirusoft, Monkeys.org, IMRSS. Most people "in the know" know that none of these blacklists are suitable for blocking spam, and few ISPs or professional mail staff use them. You will just wind up blocking non-spam email.

Very few people use these lists. We can tell: we have been blocked by these lists since 1997, and have very little problem with their "blocking". This is due to the relatively low number of "subscribers". Last month, we had just 2 issues with SORBS. Yet SORBS blocks all of our IP address space, claiming it to be hijacked. Both issues were with university student-run servers (GATech and UCLA). Neither university's professionally-operated mail systems used SORBS. We had no problem getting in touch with the professional university IT staff, who told us in both cases that the offending servers were student-run, and who the student administrators were. One student admin was very surprised to find out about SORBS. He said SORBS was recommended by some web site, and he didn't know its revenge-oriented nature and false claims. He seemed genuinely surprised, and after verifying for himself, genuinely shocked and apologetic.
The other admin was different: he was clearly aware of SORBS, and was very belligerent, telling me to "see figure 1", and other things. His supervisor, however, was surprised, and much less willing to block non-spam email. Both quit blocking.

See http://www.pathname.com/~corpus/NET.age for some stats on how much spam and ham is blocked by SORBS and other blacklists. The NET.age corpus isn't that big, but it is still interesting because it is hand sorted into spam and ham and compared. SORBS is the only blacklist whose "Hijacked" category blocks ham.

> About 90% of the spam that is in my logs seems to be from open
> relays.

You are probably being "mailbombed" by the blacklist. I have found that blacklist subscribers sometimes have uniquely interesting spam profiles. If your blacklist is way more "effective" than it should be, something is fishy.

Much spam is sent by residential machines, and many residential ISPs use DHCP. So their IP addresses naturally change over relatively short periods. Ordinary blacklists should have difficulty keeping up with this---indeed, it should be just about impossible to keep up with DHCP on millions of residential computers. When the blacklist knows the dynamic IP address of the abuser before it conducts abuse, something is wrong.

> I read your paper. And FYI, I can name ONE person that is responsible
> for about 60% of the spam that makes it into my inbox. So it is possible
> that a few spammers are reading the anti-spam lists.

No doubt spammers do read anti-spam lists. The FBI also reads the anti-spam lists. I rather doubt that one person is responsible for 60% of your (or anyone else's) spam. There were more anti-spammers than that abusing open relays---we've tracked them down to the point where the FBI investigated, and they were fired, and they __still__ didn't think that open relay abuse was wrong. But I agree that it probably isn't 14 thousand, either.
> I can not be certain that the open-relay DNS-black lists are not
> blocking other traffic. I only know which lists I subscribed to
> after trial and error and looking at the logs to see which stopped
> more spam.

You can be certain they are blocking other traffic: just look up 130.105/16 and 198.3.136/21 in ARIN and in SORBS. Just google for ORBS. Or go to www.iadl.org, or www.dotcomeon.com.

--
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
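The header forgery the message spots by hand (an innermost Received: line naming 235.245.195.212, an address in the 224.0.0.0/4 multicast range that no unicast SMTP client can have) can be checked mechanically. The following is an added example, not code from the original post, from Av8 Internet or from the IETF list; it uses only the Python standard library, takes the two Received: headers quoted above as constructed sample input, and the function names are my own. It goes slightly beyond the post by also checking that each hop's "from" host matches the next-older hop's "by" host, a consistency check that a forging sender can satisfy, so a clean hand-off is never evidence of authenticity.

```python
import ipaddress
import re

# Constructed sample input: the two Received: headers quoted in the message
# above, embedded here as a string so the example runs offline.
SAMPLE_HEADERS = """\
Received: from dial-66-59-238-35.lcinet.net (dial-66-59-238-35.lcinet.net [66.59.238.35])
    by odie.av8.com (8.9.3/8.8.5) with SMTP id QAA24726
    for <uucp@xxxxxxx>; Fri, 24 Jun 2005 16:43:27 -0400 (EDT)
Received: from chastiser ([235.245.195.212] helo=lurched.lcinet.net)
    by dial-66-59-238-35.lcinet.net with SMTP id 17C396B7
    for uucp@xxxxxxx; Fri, 24 Jun 2005 16:43:26 -0400
"""

_LITERAL_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_FROM_HOST = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
_BY_HOST = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def unfold_received(raw):
    """Return the body of each Received: header as one unfolded string.

    Folded continuation lines (leading space or tab) are joined back onto
    the header they belong to; headers other than Received: are ignored.
    """
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        elif line.lower().startswith("received:"):
            headers.append(line[len("received:"):].strip())
    return headers


def classify_ip(ip_text):
    """Say whether a literal IP could have been a real SMTP client.

    A multicast, reserved, loopback, link-local or RFC 1918 address cannot
    have opened a TCP connection to a relay on the public Internet, so a
    Received: line that names one was written by the sender, not by a relay.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unparseable"
    if ip.is_multicast:          # 224.0.0.0/4 for IPv4
        return "multicast"
    if ip.is_reserved:           # 240.0.0.0/4 for IPv4
        return "reserved"
    if ip.is_loopback or ip.is_link_local or ip.is_private:
        return "non-global"
    return "global unicast"


def analyse_chain(raw):
    """Parse every Received: header into a from/by/ip/verdict record.

    Headers are listed newest-first, so hops[0] is the line your own MTA
    wrote and the only one whose client address you can actually trust.
    """
    hops = []
    for hdr in unfold_received(raw):
        m_from = _FROM_HOST.match(hdr)
        m_by = _BY_HOST.search(hdr)
        m_ip = _LITERAL_IP.search(hdr)
        ip = m_ip.group(1) if m_ip else None
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "ip": ip,
            "verdict": classify_ip(ip) if ip else "no literal ip",
        })
    return hops


def forged_hops(raw):
    """Hops whose claimed client address cannot be a real unicast sender."""
    return [h for h in analyse_chain(raw) if h["verdict"] != "global unicast"]


def handoff_consistent(hops):
    """Check that each hop's 'from' host equals the next-older hop's 'by' host.

    A consistent chain proves nothing on its own: whoever wrote the inner
    header can write a matching outer one. An inconsistent chain is merely
    one more forgery signal.
    """
    for newer, older in zip(hops, hops[1:]):
        if not newer["from"] or not older["by"]:
            return False
        if newer["from"].lower() != older["by"].lower():
            return False
    return True


if __name__ == "__main__":
    chain = analyse_chain(SAMPLE_HEADERS)
    for hop in chain:
        print(f"{hop['ip']!s:>16}  {hop['verdict']:<14}  from {hop['from']} by {hop['by']}")
    print("hand-off consistent:", handoff_consistent(chain))
```

Run against the sample, the outer hop (66.59.238.35, written by odie.av8.com) classifies as global unicast and the inner hop (235.245.195.212) as multicast, which is the forgery the message points out; the hand-off check passes because the forging sender wrote both hops to agree. The verdict only says an address cannot be a real client; whether a global unicast address in a trusted hop is an open relay still has to be established separately.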