Re: SORBS Contact

2006-08-14 Thread D'Arcy J.M. Cain

On Sun, 13 Aug 2006 21:11:58 -0700
David Schwartz [EMAIL PROTECTED] wrote:

 
 
  Obligation to _whom_?   My only obligations are to those who _pay_ me for
  access to my systems/resources.  If the people who *do* pay me for use of
  my systems/resources don't want that cr*p, then I do 'have an
  obligation'
  to _not_ deliver that traffic.
 
   Nonsense. You have tort obligations as well as contractual obligations.
 Specifically, if you take custody of someone else's data, and you have no
 contract with that person, you have a tort obligation not to destroy it.

You do realize that when we talk about sending data we are using
language in a very loose way, right?  Data isn't actually sent.  When I
send a packet of data, I still retain that data.  If you lose it you
have only lost your copy of it, not mine.

Are you one of those people that makes an extra photocopy when you have
to fax one to someone?

   Your argument is similar to a mall that claims they can shoot people who

It is illegal to shoot people whether they enter your mall or not.

   The same would be the case if I used FedEx to return something of yours 
 to
 you. If they destroyed your property, you would have a claim against them
 even though you didn't pay them for anything.

IANAL but I am pretty sure that my claim would be against you, not
FedEx.  You would have to counter claim against FedEx because you made
the contract with them.

-- 
D'Arcy J.M. Cain darcy@druid.net |  Democracy is three wolves
http://www.druid.net/darcy/|  and a sheep voting on
+1 416 425 1212 (DoD#0082)(eNTP)   |  what's for dinner.


Re: SORBS Contact

2006-08-14 Thread Laurence F. Sheldon, Jr.


David Schwartz wrote:


Nonsense. You have tort obligations as well as contractual obligations.
Specifically, if you take custody of someone else's data, and you have no
contract with that person, you have a tort obligation not to destroy it.


The nonsense is here!  I am not a lawyer, but I am pretty sure that if 
you abandon property (stretching the definition of property to get your 
foolishness into view) that I did not ask for on my property, I am 
pretty sure that not only can I abate the nuisance, I in doing so have a 
tort claim against you for the damage and the cost of abatement.


triviata deletia
--
Requiescas in pace o email

Ex turpi causa non oritur actio

http://members.cox.net/larrysheldon/




Re: SORBS Contact

2006-08-14 Thread Laurence F. Sheldon, Jr.


Laurence F. Sheldon, Jr. wrote:



David Schwartz wrote:

Nonsense. You have tort obligations as well as contractual 
obligations.

Specifically, if you take custody of someone else's data, and you have no
contract with that person, you have a tort obligation not to destroy it.



The nonsense is here!  I am not a lawyer, but I am pretty sure that if 
you abandon property (stretching the definition of property to get your 
foolishness into view) that I did not ask for on my property, I am 
pretty sure that not only can I abate the nuisance, I in doing so have a 
tort claim against you for the damage and the cost of abatement.


triviata deletia


Too bad I'm no longer bright enough to read my own .sig!  Among other 
things, it says there from time to time:


"Ex turpi causa non oritur actio" which I believe to be Lawyer Latin for 
"No cause of action may be founded upon an immoral or illegal act."


(Thanks sixthformlaw.info for the quotation.)
--
Requiescas in pace o email

Ex turpi causa non oritur actio

http://members.cox.net/larrysheldon/




Re: SORBS Contact

2006-08-14 Thread Valdis . Kletnieks
On Sun, 13 Aug 2006 21:11:58 PDT, David Schwartz said:

   Nonsense. You have tort obligations as well as contractual obligations.
 Specifically, if you take custody of someone else's data, and you have no
 contract with that person, you have a tort obligation not to destroy it.

Of course, that only applies if you're dumb enough to answer '250 OK' to
the '.' after the DATA.  You 5xx that puppy anywhere before that, and you
haven't taken custody of that data...




Re: SORBS Contact

2006-08-14 Thread Derek J. Balling


On Aug 14, 2006, at 12:00 PM, [EMAIL PROTECTED] wrote:


On Sun, 13 Aug 2006 21:11:58 PDT, David Schwartz said:

	Nonsense. You have tort obligations as well as contractual  
obligations.
Specifically, if you take custody of someone else's data, and you  
have no
contract with that person, you have a tort obligation not to  
destroy it.


Of course, that only applies if you're dumb enough to answer '250  
OK' to
the '.' after the DATA.  You 5xx that puppy anywhere before that,  
and you

haven't taken custody of that data...


This is ridiculous (not your argument, Valdis, but the whole thread  
in general).


If my customers ask me to, or accept via subscribing to a service  
with a TOS that so permits, me accepting their mail and throwing it  
away silently, then that's between me and them, nobody else.


This is no different from me authorizing Mail Boxes Etc to be my  
proxy for UPS packages, and them being allowed to simply discard  
anything from, say, an ex-wife.   My ex-wife has no claim, in this  
hypothetical, against MBE for tossing my package in the trash,  
because they're acting as my agent.


Now, *I* might have a claim against MBE, if I never authorized them  
to do so and they didn't have a terms-of-service document which I'd  
agreed to (actively or passively) which said they could do it, but  
that's a claim between my agent and myself, not the sender.


Cheers,
D


--

Derek J. Balling
Manager of Systems Administration
Vassar College
124 Raymond Ave
Box 0406 - Computer Center 217
Poughkeepsie, NY 12604
W: (845) 437-7231
C: (845) 249-9731






RE: SORBS Contact

2006-08-14 Thread David Schwartz


[combined responses]

 You do realize that when we talk about sending data we are using
 language in a very loose way, right?  Data isn't actually sent.  When I
 send a packet of data, I still retain that data.  If you lose it you
 have only lost your copy of it, not mine.

The packet includes its origin, destination, next hop, and like
information. If the copy were identical to the original in all respects, it
would not be a copy. There must be some distinction between the two, and it
is that distinction that makes the copy useful. (That's why you made it.)

 Are you one of those people that makes an extra photocopy when you have
 to fax one to someone?

Why fax something to someone at all then? If the fax really is the same 
as
the original, why bother faxing? Obviously, there is a difference between
the two copies, and the value of the duplicate is in that difference.

The fact that the information can change physical form doesn't mean it
isn't a coherent object. For example, my car may exchange electrons with
your sidewalk, but that doesn't make it any less my car. The value of the
car is not in which particular electrons it has (which can change) but in
their arrangement and utility (which does not).

If I have some information that I want to get to a particular place, 
and I
make a copy and dispatch it toward its destination, that copy with its
destination information behaves just like my car does. It changes on the
way, but it does not ever become any less my car (or the ultimate
recipient's car) regardless of whose roads it travels over.

  Your argument is similar to a mall that claims they can
  shoot people who

 It is illegal to shoot people whether they enter your mall or not.

Precisely. Your obligation not to destroy someone else's data is a basic
tort obligation that applies to how you must treat other people's property,
even if it happens to be on your network.

  The same would be the case if I used FedEx to return
  something of yours to
  you. If they destroyed your property, you would have a claim
  against them
  even though you didn't pay them for anything.

 IANAL but I am pretty sure that my claim would be against you, not
 FedEx.  You would have to counter claim against FedEx because you made
 the contract with them.

You could make a claim against me and I could counter claim against 
FedEx.
But you could also claim against FedEx directly. They destroyed your
property.

Whatever you're smoking, you've really gotta share some with the rest of
us. :P I guarantee you that there is not a single packet that I will route
which is neither from nor to someone I have a contract with. If you want
to give away free service to people without contracts that is your right,
but I sure as hell don't have to.

Transit networks route many packets that are neither from nor to anyone
they have a contract with. They pass the traffic from aggregators to
aggregators. This is the same as a person who walks from store to store in a
mall even though he has no contract with the stores, the stores have
contracts with the mall.

Packets are not property, there is no intrinsic value in returning them to
sender. Plus I guarantee you if you drop off a package with Fedex and
don't pay for it (thus entering into a contract with them for services),
they will eventually throw it in the trash rather than deliver it.

Packets are property. There is no value in returning them to sender but
there is value in delivering them to the recipient. If the lack of return
value is evidence against property, why is the presence of delivery value
not evidence for?

I don't deny that you can drop a packet on the floor if nobody paid you 
to
carry it and you did nothing to solicit its presence on your network. That
is not the same as the case where somebody paid you to carry the packet, but
the person who paid you is not the owner of the packet but merely someone
similarly contracted by the owner.

This is no different from me authorizing Mail Boxes Etc to be my
proxy for UPS packages, and them being allowed to simply discard
anything from, say, an ex-wife.   My ex-wife has no claim, in this
hypothetical, against MBE for tossing my package in the trash,
because they're acting as my agent.

You are quite correct *if* they are the agent for the intended 
recipient.
In the general case, a transit carrier will not be an agent for the intended
recipient and possibly not for the originator either.

Of course, that only applies if you're dumb enough to answer '250 OK' to
the '.' after the DATA.  You 5xx that puppy anywhere before that, and you
haven't taken custody of that data...

Exactly. I think the mail case is simpler though because it is quite 
rare
for an email message to wind up in the hands of someone who has no
contractual relationship with either the sender or the recipient. Exceptions
would include things like relay rape where I 

Re: SORBS Contact

2006-08-14 Thread Jeremy Chadwick

The thread was originally very beneficial (for me, as
we use SORBS and provide some basic SMTP services), despite
being somewhat off-topic for NANOG... but has now evolved into
the Battle of Awful Analogies(tm).  Discussions of this type
always resort to the same analogy, for that matter: cars.

It seems we've reached that point.

Also, as I'm still fairly new here: why do so many NANOG
threads go this route (pun intended)?  Are some folks here
unable to simply say what they mean?  Just curious.

-- 
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator   Mountain View, CA, USA |
| Making life hard for others since 1977.   PGP: 4BD6C0CB |



Re: SORBS Contact

2006-08-14 Thread Noel

On Sun, 2006-08-13 at 13:29, Robert Bonomi wrote:


 If you want 'reliable' delivery, you _pay_ the receiving system (and the
 intermediaries) for that service.  Your lack of patience with something
 other people _give_ you the free use of is, quite simply, an inexcusable
 display of arrogance and presumption.

Hear, hear!  very well said entire post, I have left only this para tho,
because my second comment, and that's my suggestion is they can pay for a
co-located  machine that they can go out and get a domain for and run
their own mail server on and get as much spam and viruses they want :)
that of course will never interfere with 99. reptv % of
customers *don't* want.



-- 
Regards,
Noel Butler
System Administrator
Internet Services
L.C.P No. 251002 http://counter.li.org
---
This Email and any attachments may contain legally privileged 
information and remains confidential. You may not reveal any
of the contents to anyone without the authors express authority 
to do so. If you are not the intended recipient please notify
the sender of this error and delete immediately. 
---




RE: SORBS Contact

2006-08-14 Thread Noel

Last time I saw someone so strenuously crying that 'thou must accept
mail' and trying so hard to justify why we should accept it was a low
life toss pot scum sucking spammer, ooops I mean direct marketer, ahh
stuff it, both the same thing  ...not implying anything here but if
the shoe fits



On Tue, 2006-08-15 at 06:46, David Schwartz wrote:
 [combined responses]
 
  You do realize that when we talk about sending data we are using
  language in a very loose way, right?  Data isn't actually sent.  When I
  send a packet of data, I still retain that data.  If you lose it you
  have only lost your copy of it, not mine.
 
   The packet includes its origin, destination, next hop, and like
 information. If the copy were identical to the original in all respects, it
 would not be a copy. There must be some distinction between the two, and it
 is that distinction that makes the copy useful. (That's why you made it.)
 
  Are you one of those people that makes an extra photocopy when you have
  to fax one to someone?
 
   Why fax something to someone at all then? If the fax really is the same 
 as
 the original, why bother faxing? Obviously, there is a difference between
 the two copies, and the value of the duplicate is in that difference.
 
   The fact that the information can change physical form doesn't mean it
 isn't a coherent object. For example, my car may exchange electrons with
 your sidewalk, but that doesn't make it any less my car. The value of the
 car is not in which particular electrons it has (which can change) but in
 their arrangement and utility (which does not).
 
   If I have some information that I want to get to a particular place, 
 and I
 make a copy and dispatch it toward its destination, that copy with its
 destination information behaves just like my car does. It changes on the
 way, but it does not ever become any less my car (or the ultimate
 recipient's car) regardless of whose roads it travels over.
 
 Your argument is similar to a mall that claims they can
   shoot people who
 
  It is illegal to shoot people whether they enter your mall or not.
 
   Precisely. Your obligation not to destroy someone else's data is a basic
 tort obligation that applies to how you must treat other people's property,
 even if it happens to be on your network.
 
 The same would be the case if I used FedEx to return
   something of yours to
   you. If they destroyed your property, you would have a claim
   against them
   even though you didn't pay them for anything.
 
  IANAL but I am pretty sure that my claim would be against you, not
  FedEx.  You would have to counter claim against FedEx because you made
  the contract with them.
 
   You could make a claim against me and I could counter claim against 
 FedEx.
 But you could also claim against FedEx directly. They destroyed your
 property.
 
 Whatever you're smoking, you've really gotta share some with the rest of
 us. :P I guarantee you that there is not a single packet that I will route
 which is neither from nor to someone I have a contract with. If you want
 to give away free service to people without contracts that is your right,
 but I sure as hell don't have to.
 
   Transit networks route many packets that are neither from nor to anyone
 they have a contract with. They pass the traffic from aggregators to
 aggregators. This is the same as a person who walks from store to store in a
 mall even though he has no contract with the stores, the stores have
 contracts with the mall.
 
 Packets are not property, there is no intrinsic value in returning them to
 sender. Plus I guarantee you if you drop off a package with Fedex and
 don't pay for it (thus entering into a contract with them for services),
 they will eventually throw it in the trash rather than deliver it.
 
   Packets are property. There is no value in returning them to sender but
 there is value in delivering them to the recipient. If the lack of return
 value is evidence against property, why is the presence of delivery value
 not evidence for?
 
   I don't deny that you can drop a packet on the floor if nobody paid you 
 to
 carry it and you did nothing to solicit its presence on your network. That
 is not the same as the case where somebody paid you to carry the packet, but
 the person who paid you is not the owner of the packet but merely someone
 similarly contracted by the owner.
 
 This is no different from me authorizing Mail Boxes Etc to be my
 proxy for UPS packages, and them being allowed to simply discard
 anything from, say, an ex-wife.   My ex-wife has no claim, in this
 hypothetical, against MBE for tossing my package in the trash,
 because they're acting as my agent.
 
   You are quite correct *if* they are the agent for the intended 
 recipient.
 In the general case, a transit carrier will not be an agent for the intended
 recipient and possibly not for the originator either.
 
 Of course, that only applies if 

Re: SORBS Contact

2006-08-14 Thread Noel

On Tue, 2006-08-15 at 02:13, Derek J. Balling wrote:

 
  Of course, that only applies if you're dumb enough to answer '250  
  OK' to
  the '.' after the DATA.  You 5xx that puppy anywhere before that,  
  and you
  haven't taken custody of that data...
 
 This is ridiculous (not your argument, Valdis, but the whole thread  
 in general).

Valdis's is correct, before the DATA is akin to "hello, anybody home?"
and then "does Jack live there?"; if I say "yes he does", it does not mean
you can come in just because Jack lives there


 This is no different from me authorizing Mail Boxes Etc to be my  
 proxy for UPS packages, and them being allowed to simply discard  

It is very different because you hold a physical package or something
for someone you are paid by somebody to do it, unless you operate a
charity



-- 
Regards,
Noel Butler
System Administrator
Internet Services
L.C.P No. 251002 http://counter.li.org




RE: SORBS Contact

2006-08-13 Thread David Schwartz


 Obligation to _whom_?   My only obligations are to those who _pay_ me for
 access to my systems/resources.  If the people who *do* pay me for use of
 my systems/resources don't want that cr*p, then I do 'have an
 obligation'
 to _not_ deliver that traffic.

Nonsense. You have tort obligations as well as contractual obligations.
Specifically, if you take custody of someone else's data, and you have no
contract with that person, you have a tort obligation not to destroy it.

Your argument is similar to a mall that claims they can shoot people who
don't buy anything. After all, their only obligation is to those who pay
them. But of course neither you nor they can do that. By setting up a
network and connecting it to the Internet, you know that you will sometimes
carry packets that are neither from nor to someone with whom you have a
contract. Those are not your packets, and you have no contract with their
owners, but you handle them in the ordinary course of your business, so you
have a variety of tort obligations to them.

The same would be the case if I used FedEx to return something of yours 
to
you. If they destroyed your property, you would have a claim against them
even though you didn't pay them for anything.

I see the view you are expressing quite commonly among network operators
and it is, IMO, dangerous. It is, of course, your network. But it handles
other people's data.

Of course, you can protect your own network. Just as FedEx can destroy a
bomb if someone tries to ship it through them. But you cannot do whatever
you want with your packets unless they really are your packets.

I will defend your right to do anything reasonable. However, it is
incorrect and dangerous to assert that because it's your network you can
do anything you want. Even if it's your mall, you can't invite people into
it and then shoot them just because you have no contract with them.

DS




Re: SORBS Contact

2006-08-13 Thread Richard A Steenbergen

On Sun, Aug 13, 2006 at 09:11:58PM -0700, David Schwartz wrote:
 
   Your argument is similar to a mall that claims they can shoot people who
 don't buy anything. After all, their only obligation is to those who pay
 them. But of course neither you nor they can do that. By setting up a
 network and connecting it to the Internet, you know that you will sometimes
 carry packets that are neither from nor to someone with whom you have a
 contract. Those are not your packets, and you have no contract with their
 owners, but you handle them in the ordinary course of your business, so you
 have a variety of tort obligations to them.

Whatever you're smoking, you've really gotta share some with the rest of 
us. :P I guarantee you that there is not a single packet that I will route 
which is neither from nor to someone I have a contract with. If you want 
to give away free service to people without contracts that is your right, 
but I sure as hell don't have to.

   The same would be the case if I used FedEx to return something of
 yours to you. If they destroyed your property, you would have a claim 
 against them even though you didn't pay them for anything.

Packets are not property, there is no intrinsic value in returning them to 
sender. Plus I guarantee you if you drop off a package with Fedex and 
don't pay for it (thus entering into a contract with them for services), 
they will eventually throw it in the trash rather than deliver it.

   Of course, you can protect your own network. Just as FedEx can destroy a
 bomb if someone tries to ship it through them. But you cannot do whatever
 you want with your packets unless they really are your packets.

The only thing you probably CAN'T do is take someone else's packets that 
were sent to you (either under contract or not) and sniff or alter them 
for the purpose of doing something Bad (tm) with the data (probably 
because said bad activity is already covered under some existing law, 
e.g. no extorting people, no impersonating others, etc).

-- 
Richard A Steenbergen [EMAIL PROTECTED]   http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)


Re: SORBS Contact

2006-08-12 Thread Robert Bonomi

 From [EMAIL PROTECTED]  Wed Aug  9 22:00:58 2006
 To: nanog@merit.edu
 Subject: Re: SORBS Contact
 From: Allan Poindexter [EMAIL PROTECTED]
 Date: Wed, 09 Aug 2006 20:59:36 -0600


   Matthew so would you consider as it is my network, that I should
   Matthew not be allowed to impose these 'draconian' methods and
   Matthew perhaps I shouldn't be allowed to censor traffic to and
   Matthew from my networks?

 If you want to run a network off in the corner by yourself this is
 fine.  If you have agreed to participate in the Internet you have an
 obligation to deliver your traffic.

Obligation to _whom_?   My only obligations are to those who _pay_ me for
access to my systems/resources.  If the people who *do* pay me for use of
my systems/resources don't want that cr*p, then I do 'have an obligation'
to _not_ deliver that traffic.

And _how_ I implement that, to the satisfaction of =my= customers, is NONE 
OF _YOUR_ BUSINESS, since you are *not* one of my paying customers. 
I don't have to tell _you_ what I do; I don't have to listen to any of your
'complaints'; and I sure-as-hell don't have to defend, _to_you_, what I do.

 At LISA a couple of years ago a Microsoftie got up at the SPAM
 symposium and told of an experiment they did where they asked their
 hotmail users to identify their mail messages as spam or not.  He said
 the users got it wrong some small percentage amount of the time.  I
 was stunned at the arrogance and presumption in that comment.  You
 can't tell from looking at the contents, source, or destination if
 something is spam because none of these things can tell whether the
 message was requested or is wanted by the recipient.  The recipient is
 the only person who can determine these things.

Do *you* _KNOW_ how hotmail came up with that determination that 'users
got it wrong some small percentage of the time'?   If you *don't*, you are
exhibiting _at_least_ as much 'arrogance and presumption' as you accuse
them of. 

I *KNOW*FOR*A*FACT*, that some people _do_, occasionally 'get it wrong'.
I, _personally_, have done it.  Be it an 'off-by-one' error in selecting 
and marking the message, to a long-delayed response to something _I_ sent,
and that came in _without_ reference to what I sent, errors *DO* happen.

Note: it can be _really_ easy to figure out if/when people mis-identify 'spam'.
You ask them to classify a bunch of old messages, presented one at a time.
You present the _same_ message *more*than*once*.  If they mark it as 'good'
three times, and 'spam' once.  Then they *did* 'get it wrong' -- it's not
certain _which_ way they 'got it wrong', but it *IS* absolutely certain that
they did 'get it wrong' at least once.

I've seen some of the stuff AOL _users_ flag as 'spam' -- content analysis
*alone* virtually guarantees that they were flagged in error.  Things like
college acceptance letters from Division I schools, bank overdraft notices,
NDRs for mail they themselves *sent*, 'delivery receipts' and/or 'read
receipts' that they had _requested_ on mail they sent out, etc., etc.



 There are simple solutions to this.  They do work in spite of the
 moanings of the hand wringers.  In the meantime my patience with email
 lost silently due to blacklists, etc. is growing thin.

If you want 'reliable' delivery, you _pay_ the receiving system (and the
intermediaries) for that service.  Your lack of patience with something
other people _give_ you the free use of is, quite simply, an inexcusable
display of arrogance and presumption.
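
Added example (not part of the original post): the repeated-presentation check described above, run over a constructed label log. The user ids, message ids and labels are made up; the result is only a lower bound on mistakes, since consistent labels can still be wrong.

```python
from collections import Counter, defaultdict

# Constructed sample: one (user, message_id, label) row per presentation.
LABEL_LOG = [
    ("u1", "m1", "good"), ("u1", "m1", "good"),
    ("u1", "m1", "good"), ("u1", "m1", "spam"),   # 3x good, 1x spam
    ("u1", "m2", "spam"), ("u1", "m2", "spam"),
    ("u2", "m1", "good"), ("u2", "m1", "good"),
    ("u2", "m3", "spam"), ("u2", "m3", "good"),   # one each way
]


def consistency_report(log):
    """Per user: how many labels must be wrong, whichever label is right."""
    votes = defaultdict(Counter)
    for user, msg, label in log:
        votes[(user, msg)][label] += 1

    report = {}
    for (user, msg), counts in votes.items():
        entry = report.setdefault(
            user, {"labels": 0, "min_errors": 0, "inconsistent": []}
        )
        total = sum(counts.values())
        # We cannot tell which label is correct, but every vote outside
        # the majority label disagrees with it, so at least
        # total - max(count) labels for this message are mistakes.
        errors = total - max(counts.values())
        entry["labels"] += total
        entry["min_errors"] += errors
        if errors:
            entry["inconsistent"].append(msg)

    for entry in report.values():
        entry["min_error_rate"] = entry["min_errors"] / entry["labels"]
    return report


if __name__ == "__main__":
    for user, entry in sorted(consistency_report(LABEL_LOG).items()):
        print(user, entry)
```
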





Re: SORBS Contact

2006-08-11 Thread Laurence F. Sheldon, Jr.


Steve Sobol wrote:


Allan Poindexter wrote:


 Matthew so would you consider as it is my network, that I should
 Matthew not be allowed to impose these 'draconian' methods and
 Matthew perhaps I shouldn't be allowed to censor traffic to and
 Matthew from my networks?

If you want to run a network off in the corner by yourself this is
fine.  If you have agreed to participate in the Internet you have an
obligation to deliver your traffic.


In many cases, that is a gross overgeneralization. Do you think anyone really
wanted the Slammer worm, or complained when ISP's blocked it?


I suspect he really means that.  The whole game here is maximum dollar 
for minimum service.


I was pretty much chased off of NANOG some years ago because of my 
undiplomatic insistence that the SP's had an obligation to block evil 
traffic (which in those days would have been an easier matter than it is 
today).  And yes, I didn't handle the diversionary flame wars and ad 
hominem attacks very well.  Don't bother yourself, anybody, with looking 
them up.


I work for a company that is contractually obligated to NOT carry certain
traffic for our clients.



the users got it wrong some small percentage amount of the time.  I
was stunned at the arrogance and presumption in that comment.  You
can't tell from looking at the contents, source, or destination if
something is spam because none of these things can tell whether the
message was requested or is wanted by the recipient.  The recipient is
the only person who can determine these things.



You're right. But... So what?

Perhaps it's because you're seeing things from an academic point of view and
not from a business point of view, but your post mentions nothing about
contracts. People generally use DNSBLs without any formal agreement as to
what they should expect. Without any formal agreement, you really can't talk
about obligations to deliver traffic. In this case, your recourse is to not
use the DNSBL. If you're mailing someone who has a DNSBL, you (as the sender)
have *no* recourse other than to complain to the DNSBL user.

Plus, as I pointed out earlier, some people contract with service providers
to prevent certain traffic from getting to their networks (not just spam,
either).



There are simple solutions to this.  They do work in spite of the
moanings of the hand wringers.  In the meantime my patience with email
lost silently due to blacklists, etc. is growing thin.



You're certainly welcome to encourage others not to use blacklists. Just
understand that you have no right to complain when they decide to continue
using those blacklists.

Having said that, do understand that I don't think DNSBL's are a panacea, nor
are their operators perfect. But in many cases, they can be a useful tool in
the anti-spam arsenal.





--
Requiescas in pace o email

Ex turpi causa non oritur actio

http://members.cox.net/larrysheldon/




Re: SORBS Contact

2006-08-11 Thread Nachman Yaakov Ziskind

 You're certainly welcome to encourage others not to use blacklists. Just
 understand that you have no right to complain when they decide to continue
 using those blacklists.
 
 Having said that, do understand that I don't think DNSBL's are a panacea, 
 nor are their operators perfect. But in many cases, they can be a useful tool
 in the anti-spam arsenal.

Weighing in with an opinion, as bad as blacklists *may be*, at least
they let the sender know something's up. Not in an artful way, to be
sure, but they give some notice. The sender can do _something_,
including dropping his association with the recipient b/c it's not worth
his time and trouble. Blackholing email because you think it's spam, OTOH, 
is pure evil.

-- 
_
Nachman Yaakov Ziskind, FSPA, LLM   [EMAIL PROTECTED]
Attorney and Counselor-at-Law   http://ziskind.us
Economic Group Pension Services http://egps.com
Actuaries and Employee Benefit Consultants


Re: SORBS Contact

2006-08-11 Thread Ken Simpson

 Weighing in with an opinion, as bad as blacklists *may be*, at least
 they let the sender know something's up. Not in an artful way, to be
 sure, but they give some notice. The sender can do _something_,
 including dropping his association with the recipient b/c it's not worth
 his time and trouble. Blackholing email because you think it's spam, OTOH, 
 is pure evil.

Host type can only be used as a relatively small weighting factor
toward blocking connections. However in the absence of any other
reputation data on a particular IP, it's a safe way to trigger
throttling or rate limiting.

IMHO receivers have a right to filter traffic in any way that reduces
abuse while serving the needs of their end users. There is a lot of
pressure from end users and legitimate email senders to ensure that
whatever blocking strategy is in use ensures that the good stuff is
not blocked.

Regards,
Ken

-- 
MailChannels: Reliable Email Delivery (TM) | http://mailchannels.com

--
Suite 203, 910 Richards St.
Vancouver, BC, V6B 3C1, Canada
Direct: +1-604-729-1741


Re: SORBS Contact

2006-08-11 Thread Nachman Yaakov Ziskind

Ken Simpson wrote (on Fri, Aug 11, 2006 at 09:09:33AM -0700):
 
  Weighing in with an opinion, as bad as blacklists *may be*, at least
  they let the sender know something's up. Not in an artful way, to be
  sure, but they give some notice. The sender can do _something_,
  including dropping his association with the recipient b/c it's not worth
  his time and trouble. Blackholing email because you think it's spam, OTOH, 
  is pure evil.
 
 Host type can only be used as a relatively small weighting factor
 toward blocking connections. However in the absence of any other
 reputation data on a particular IP, it's a safe way to trigger
 throttling or rate limiting.
 
 IMHO receivers have a right to filter traffic in any way that reduces
 abuse while serving the needs of their end users. There is a lot of
 pressure from end users and legitimate email senders to ensure that
 whatever blocking strategy is in use ensures that the good stuff is
 not blocked.

I agree that IP by itself is of limited usefulness. My main point was
that, however you came to your decision (today I'm not accepting SMTP
from hosts with the number nine in their IP), you should reject mail
you don't want, not accept it and toss it.

-- 
_
Nachman Yaakov Ziskind, FSPA, LLM   [EMAIL PROTECTED]
Attorney and Counselor-at-Law   http://ziskind.us
Economic Group Pension Services http://egps.com
Actuaries and Employee Benefit Consultants


Re: SORBS Contact

2006-08-11 Thread Andrew D Kirch


Michael Nicks wrote:


Actually I think this thread progressed from someone getting dirty 
blocks, to complaining about liberal-listing-RBLs (yes SORBS is one), 
to RBLs defending themselves and their obviously broken practices. We 
should not have to jump through hoops to satisfy your requirements.


Best Regards,
-Michael



Again please parse you and your as being generic and not targeted at
Michael, this is merely a reply. (except in the first series of
interrogatories, nor do I have any evidence
that Michael is currently or has ever hosted anyone who has caused a
listing in the AHBL)

So, we shouldn't enforce _our_ policies on _our_ sites, that _our_ users
agree with and assume that we follow because it's inconvenient for _you_?
Assuming that I follow the rules that I have established, and published
for review for the running of my list, how are my practices broken?
Can I not conceivably list anyone who falls afoul of my listing policies
at any time?
Why should I, someone with years of experience running, maintaining and
defending a DNSBL listen to you who lacks such experience
(to my knowledge) as to how to run my list?
Why should I, with the above mentioned points of experience listen to
you as to how to run my list when your advice is in conflict with the
policies that my list abides by,
and that my users expect and trust that I follow?
Should I also listen to your thoughts on routing protocols so as to
ensure you are not required to jump through hoops?
Perhaps I should consult with you in designing my web site for similar
reasons?
Maybe I should have you review my security so that my network is not
overly burdensome to you?
Or, maybe I should show up at your facilities and start ripping out
patch cables and torching servers and equipment used to provide service
to people who fall afoul of my listing policies.
I really don't think that you'd appreciate that.  Therefore your
statement that you should not have to jump through hoops is unsupportable.

And believe me when I say this, there's a long list of people on the
Internet that I consider to be idiots, and a large local deny file on my
mailservers for entities
I don't like, or don't want mail from that never make it into the AHBL.
I, and Matthew (to my knowledge) do not bend the rules simply because
it's convenient, or because the idiot deserved it.  On the front page of
the AHBL's website is a link in size 4 bold font.  If you were told to
come here to get removed
from our list, please see this page.  If you are for some reason
incapable of figuring out how to follow the link, navigating your way to
the lookup page in the subsequent instructions,
and then determining and entering your IP address; then why are you
running a mail server in the first place?  Also on our site is our
policies which every volunteer with access to the
AHBL has read and agreed to follow.  We also monitor raw incoming
submissions to ensure the volunteers DO follow them.  So feel free to
read our policies, and if you like them, feel free
to use our list if it suits your needs.  If it does not, please feel
free to direct your opinions to the bitbucket unless you want to come to
me with both a problem and a rational solution, instead of
bitching about how I do volunteer work.

Andrew




Re: Question for the List Maintaners -- (Re: SORBS Contact)

2006-08-10 Thread Matthew Sullivan


Steve Sobol wrote:

Matthew Sullivan wrote:

  

replied off list

Something to consider before replying: is this on or off topic for
NANOG? (personally I think part of this is on topic, other parts of the
thread are definitely off topic)



It has been agreed that spam is offtopic, although the issue of hijacked
netblocks certainly isn't. So I probably should have replied to you off-list
(apologies to everyone else for lowering the S:N ratio).

I don't know what the official word is on whether DNSBL operations in general
are on-topic for this list. I would appreciate if the people in charge of
deciding such things could tell me whether DNSBLs are on-topic or not...
  

List maintainers, would you please rule on whether:

1/ DNSbl operations are on or off topic.
2/ Hijacked netblocks are on/off topic (I suspect on topic, but would 
like to see an official word).


Regards,

Mat


Re: SORBS Contact

2006-08-10 Thread Paul Vixie

hit D now, i've been trolled.

[EMAIL PROTECTED] (Allan Poindexter) writes:

 ...  I have one email address that has:

 ...
 
 In short it should be one of the worst hit addresses there is.  All I
 have to do to make it manageable is run spamassassin over it.

may the wind always be at your back.  my troubles are different than yours,
and i hope i can count on your support if i feel compelled to take more drastic
measures than you're taking.  especially since one of my troubles is about a
moral issue having to do with mutual benefit.  if an isp's business success
depends on them using access granted under an implied mutual benefit covenant
and they decide to operate in a sole benefit manner, they can't expect me to
continue to accept their traffic or their customer's traffic.  simpler put,
i won't run spamassassin to figure out what might or might not be spam after
i receive it -- i'll just reject everything they send me.

just because i think the linux kernel people are insane when they illegalize
binary or proprietary kernel modules, doesn't mean i'm ready to live in a
world where anyone on the internet can shift their costs to me with impunity.

but i respect your right to treat your inbox as you see fit.  can you say the
same about me and my rights and my inbox, mr. poindexter?

 That is the mildest of several measures I could use to fix the spam
 problem.  If it became truly impossible I could always fall back to
 requiring an address of the form apoindex+password and blocking all
 the ones that don't match the password(s).  That would definitely fix
 the problem and doesn't require any pie in the sky re-architecting of the
 entire Internet to accomplish.

if you wish to accept those costs, i hope no one opposes you.  but i'm not
willing to live that way, and i hope you won't try to force me to?

 For almost a decade now I have listened to the antispam kooks say that
 spam is going to be this vast tidal wave that will engulf us all.

that would be me, and it has.

 Well it hasn't.  It doesn't show any sign that it ever will.  In the
 meantime in order to fix something that is at most an annoyance people
 in some places have instigated draconian measures that make some mail
 impossible to deliver at all or *even in some cases to know it wasn't
 delivered*.  The antispam kooks are starting to make snail mail look
 good.  It's pathetic.

that paragraph seems to be semantically equal to shut up and eat your spam
so i hope i'm misinterpreting you.  otherwise, it's your word, pathetic.

 The functionality of my email is still almost completely intact.  The
 only time it isn't is when some antispam kook somewhere decides he
 knows better than me what I want to read.  Spam is a manageable problem
 without the self appointed censors.  Get over it and move on.

damn.  i've been trolled.  sorry everybody.
-- 
Paul Vixie


Re: SORBS Contact

2006-08-10 Thread william(at)elan.net



On Wed, 9 Aug 2006, Allan Poindexter wrote:


 william In the way you describe it any spam filter is bad any spam
 william filter manufacturer should go to jail...

Manufacturer?  No.  It is perfectly permissible for a recipient to run
a filter over his own mail if he wishes.


An RBL is in fact kind-of like spam filter manufacturer or more precisely
RBL operator is like spam filter manufacturer. I've not heard of antispam
product manufacturer ever being in court because of spam classification
problems with their product; in fact I've not even seen successful case 
brought against Microsoft and we do all know how much spam comes through 
because of deficiencies in their product...


In any case I think what you have a problem with is not RBL lists or 
anti-spam filtering but situation where lists and filters are used 
without your knowledge and approval by your ISP[*] to filter your mail.

My suggestion to you is to either have your own domain and run your
own filtering system or to choose an ISP that provides you with
capabilities to control their spam filter, for example by way of
using SIEVE scripts.

[*] I do want to point out though that if domain is owned by ISP
they can decide what rules to set for their users. Any email address
you get within that domain is not really yours but basically you're
licensed to use that address as long as you pay your service fees
and agree to policies and rules of the ISP (and license is in fact
correct term because often enough company would have a trademark on
their name and so when you use email address with such a name you
need their permission, i.e. a license).


I have in the past considered this antispam stuff ill advised or
something I oppose.  Expect me to fight it tooth and nail from
now on.


You need to understand first who to fight.

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]


Re: SORBS Contact

2006-08-10 Thread william(at)elan.net




On Aug 9, 2006, at 1:06 PM, Matthew Sullivan wrote:


This is also why I took the time to create:


http://www.ietf.org/internet-drafts/draft-msullivan-dnsop-generic-naming-schemes-00.txt


The reason I do not like RDNS naming scheme is because it forces
one particular policy as part of the name. This is absolutely not
expendable and incorrect architecture as RDNS is general concept
for use with any number and types of protocols. What needs to be
done is that policy record is associated with an address or name
itself. The record can be a policy for specific protocol or maybe
a general records that can support policies for multiple protocols.

My preference is that you lookup RDNS name and they do additional
lookup when you do need a policy information (this can for example
be done with SPF record). Others have advocated putting policy
record as TXT directly in IN-ADDR zone which is ok as well though
I think PTR name is better because it allows to collect related
names together and list with one policy (kind of like common
static name schemes in fact).


The idea being a common but extensible naming scheme for organisations
want to specify generic/generated records rather than go to the hassle 
of creating  individual records for each customer/host.


If you generate a record you might as well generate some other record
to go along with it, not that difficult.

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]


Re: SORBS Contact

2006-08-10 Thread Noel

There is one very key point to make in this,
use of *any* RBL is up to individual networks, no one makes anyone use
them, and those that do must know and accept all risks involved  when
dealing with DUL's, SORBS operates a zone 'just for vernom' as well,
just like spamcop and njabl and others, but if a network like many I can
name want to use the full coverage , that is up to us, we know the risks
and believe it does more good,  EVERYTHING will have collateral damage
and we know and accept that.



On Thu, 2006-08-10 at 09:59, Matthew Sullivan wrote:


 Actually that's debatable - the SORBS DUHL is about IPs assigned to 
 hosts/people/machines dynamically.  We do not list addresses where the 
 ISP have sent the list explicitly saying 'these are static hosts, but 
 they are not allowed to send mail' - similarly we do list hosts in the 
 DUHL where the ISP has said 'these are dynamic but we allow them to send 
 mail' - it's about the people using the SORBS DUHL for their purposes, 
 not for helping ISPs getting around the issue of whether to use SORBS as 
 a replacement to port 25 blocking.
 
 Regards,
 
 Mat



Re: SORBS Contact

2006-08-10 Thread Peter Corlett


On 10 Aug 2006, at 00:06, Matthew Sullivan wrote:

[...]  This is also why I took the time to create:

http://www.ietf.org/internet-drafts/draft-msullivan-dnsop-generic-naming-schemes-00.txt


Why is this information being encoded into the regular PTR records  
that already have another purpose, thus reducing its usefulness? It  
seems the only purpose is as a bandaid over dumb SORBS policy.


Create a new SPF-like record if you want *additional* information in  
DNS. Don't clobber an existing service.


There are things in the works that will enable the most complained  
about aspects of SORBS to be fixed and to go away permanently...   
The only thing that is delaying it is developer time...   So I will  
say this publicly - those that want to see drastic changes @ SORBS  
that are, or have access to a perl coder with SQL knowledge, and is  
able to spend 20-40 hours of pure coding time writing a user  
interface for user permissions  roles in Perl contact me off list  
as the user interface is the only thing that is holding up moving  
to the beta stage of the SORBS2 database.


I have the skills and time, but zero inclination to support SORBS. In  
fact, I think I'll hack my mostly-default SpamAssassin configuration  
to ignore SORBS. Grepping mailboxes for the SA tag suggests that  
SORBS makes no difference in detecting spam, and it tags a number of  
legitimate correspondents, including, it appears, Spamcop at  
204.15.82.27. (I'm going by the tags SA added to the message since I  
can't get past the CAPTCHA on your website to query that address.)


Blacklisting competitors is a low and dirty trick.




Re: SORBS Contact

2006-08-10 Thread Robert E . Seastrom


I'm not picking on William here; his message was just the last I saw
in this thread which has gotten way out of hand.

I have not discussed this thread with my fellow list admin team
members either, though we can do that...

But it would make our (the list admin team's) lives easier, as well as
the lives of everyone else who reads nanog@, if people would REFRAIN
FROM REPLYING to this thread and take it to a forum that specializes
in generating bits by flaming about RBLs.

Thank you in advance for your forbearance,

---Rob (member of nanog-admin, the
   [EMAIL PROTECTED] list admin team)




Re: SORBS Contact

2006-08-10 Thread Rich Kulawiec

On Wed, Aug 09, 2006 at 10:29:52PM -0500, Robert J. Hantson wrote:
 So with all this talk of Blacklists...  does anyone have any suggestions
 that would be helpful to curb the onslaught of email, without being an
 adminidictator?

Yes.  First, run a quality MTA -- that *requires* an open-source MTA
that is subject to ongoing, frequent, and strenuous peer review.
I recommend one of {postfix, sendmail, exim, courier}.  I recommend
against qmail.

Second, use the built-in capabilities of that MTA to block SMTP
traffic from misbehaving mail servers.  Examples: (1) Use the
greet_pause (sendmail) or equivalent feature. (2) enable checks for
forward and reverse DNS existence.  (3) enable checks for HELO/EHLO
(only to see if it's a FQDN, not to see if it matches connecting host).
(4) use postgrey (or equivalent) with whitelisting of hosts that
are known to you.  And so on -- each MTA has a myriad of features
that boil down to reject mail from misbehaving hosts and those
features can be used to reject an awful lot of spam.

(Yes, these measures will also occasionally reject mail from
hosts which are either running highly broken software or which
are badly misconfigured.  This is a feature, not a bug, and
the onus is on the operators of those hosts to bring them into
compliance with Internet standards, both codified and de facto.)

Third, Put in the Spamhaus DROP list on your border routers/firewalls.
There is no reason to accept ANY network traffic, nor send any network
traffic to, any network on that list.  Nothing good can come of it --
for you, that is.  Update once a month.

Fourth, use a judicious selection of DNSBLs/RHSBLs (to do outright
rejection).  I use and recommend:

Spamhaus XBL (which is the XBL+CBL combined zone).
NJABL
DSBL
TQMcube zone: dhcp
SORBS zones: http, socks, misc, smtp, web, zombie, dul
AHBL

I've never had a FP from the first three over many years of use.
I've had a handful of scattered FPs from the second three, but each
has been quickly addressed by the zone's maintainers -- and about half
of those weren't their fault anyway, but they still fixed the problem.

Fifth, if you don't need to accept mail from certain countries: don't.
Many people (including me) refuse all mail from Korean and Chinese IP
space because *at their site* it's 100.00% spam.  TQMcube provides DNSBLs
for that, as do others.  (Conversely, if you happen to be in either of
those countries, you may find that 100.00% of your incoming traffic from
the US is spam...in which case you should consider blocking all US IP space.)

Sixth, consider a combination of AV/AS measures.  One such combination
might be ClamAV and SpamAssassin; another might use those two glued
together with Amavis-new.  But: it's not worth doing this until you've
done all the other stuff, because otherwise you will burden these
(relatively) computationally-intensive programs with traffic that you
could -- and should -- have already rejected near the beginning of
the SMTP transaction.

If you use SpamAssassin, you can also use various DNSBLs as part of
weighted scoring.  This is a fallback if you're not comfortable using
them to do outright rejection.

Seventh, do not use SMTP callbacks -- they are abusive and readily
lend themselves to DDoS attacks.  They're also pointless and stupid.
Don't bother using DomainKeys/SPF/whatever -- these technologies were
failures from the beginning despite grandiose promises (Spam as a
technical problem is solved by SPF).  And do everything possible
to make sure you don't emit outscatter (aka backscatter): reject
during the SMTP conversation, don't accept-then-bounce.

Eighth, get on the mailing lists that discuss this, like Spam-L,
spam-research, spam-tools, spambayes, etc.  NANOG really isn't
the best place for this conversation.

Finally, and perhaps most importantly: don't be a source of spam or a
supporter of it (by providing HTTP, DNS or other services to spammers).
Make sure you have a working, unblocked abuse address, read it,
and act on what you receive there promptly - by immediately and 
permanently revoking all services that you're providing to spammers.
Make sure that you have a TOS/AUP in place that allows you to shut
them down without prior notice -- i.e. the only warning they get is
the one in the TOS/AUP when they sign it.  Add a clause that allows
you to confiscate their data/equipment -- this will deter a *lot*
of spammers from even trying to sign up with you, which in turn will
greatly diminish the risk to your network and the amount of work you
may have to do later.

(The only reason any network has persistent/systemic issues with
spam (as opposed to sporadic/isolated issues, which can happen
to anyone) is that its operators are (1) lazy (2) stupid
(3) incompetent (4) greedy.  There are no exceptions.  There are
also no excuses.)
---Rsk
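The reject-during-the-SMTP-conversation approach from the message above, as an added example that is not part of the original post: it builds the reversed-octet DNSBL query name, checks a HELO for FQDN form, and returns a 5xx reply naming the list so the sender gets notice. The zone names, weights, threshold and the DNS answers are constructed placeholders, and combining outright-reject zones with weighted zones in one function is this example's own arrangement.

```python
import ipaddress

# Hypothetical zone names and weights; substitute the lists you actually use.
REJECT_ZONES = ["xbl.dnsbl.example", "dul.dnsbl.example"]      # outright rejection
SCORED_ZONES = {"misc.dnsbl.example": 2.0, "geo.dnsbl.example": 1.5}
SCORE_THRESHOLD = 3.0

# Constructed stand-in for live DNS: query name -> A record answer.
SAMPLE_DNS = {
    "10.2.0.192.xbl.dnsbl.example": "127.0.0.4",
    "77.100.51.198.misc.dnsbl.example": "127.0.0.2",
    "77.100.51.198.geo.dnsbl.example": "127.0.0.2",
    "5.113.0.203.misc.dnsbl.example": "127.0.0.2",
    "9.113.0.203.dul.dnsbl.example": "198.51.100.1",  # wildcard answer, not a listing
}


def sample_resolver(name):
    """Return the A record for name, or None for NXDOMAIN (constructed data)."""
    return SAMPLE_DNS.get(name)


def dnsbl_query_name(ip, zone):
    """192.0.2.10 + zone -> 10.2.0.192.zone (IPv4 only in this example)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip, zone, resolver):
    answer = resolver(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    # Listings are answered from 127.0.0.0/8; any other address (for example
    # a wildcard on a parked zone) must not be treated as a hit.
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def helo_is_fqdn(helo):
    """Form check only: is it an FQDN, not whether it matches the peer."""
    if helo.startswith("[") and helo.endswith("]"):
        return True  # address literal is valid syntax
    labels = helo.rstrip(".").split(".")
    return len(labels) >= 2 and all(labels)


def smtp_decision(ip, helo, resolver=sample_resolver):
    """Return (code, text) to send before any message data is accepted."""
    if not helo_is_fqdn(helo):
        return 550, "5.7.1 HELO/EHLO argument is not a fully qualified name"
    for zone in REJECT_ZONES:
        if is_listed(ip, zone, resolver):
            return 550, f"5.7.1 {ip} rejected: listed in {zone}"
    hits = [z for z in SCORED_ZONES if is_listed(ip, z, resolver)]
    score = sum(SCORED_ZONES[z] for z in hits)
    if score >= SCORE_THRESHOLD:
        return 550, f"5.7.1 {ip} rejected: listed in {', '.join(hits)}"
    return 250, "OK"


if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "mail.sender.example"),
                     ("198.51.100.77", "mx.sender.example"),
                     ("203.0.113.5", "mx.sender.example"),
                     ("203.0.113.9", "localhost")]:
        print(ip, helo, smtp_decision(ip, helo))
```

Because the decision is returned as an SMTP reply, the connecting server keeps responsibility for the message and no bounce is generated later to a possibly forged sender.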



rDNS naming conventions (was: Re: SORBS Contact)

2006-08-10 Thread Steven Champeon

on Thu, Aug 10, 2006 at 01:11:50AM -0700, william(at)elan.net wrote:
 
 
 On Aug 9, 2006, at 1:06 PM, Matthew Sullivan wrote:
 
 This is also why I took the time to create:
 
 
  http://www.ietf.org/internet-drafts/draft-msullivan-dnsop-generic-naming-schemes-00.txt
 
 The reason I do not like RDNS naming scheme is because it forces
 one particular policy as part of the name.

Fair enough. FWIW, I've seen a wide variety of naming schemes (I've
got a project that collects these as an antispam/anti-botnet measure,
and so far we've got around 16K conventions documented for 11K domains).

I've read and commented on the ID above; I think Mat's heart is in the
right place but his hopes are too high. Not just because his approach is
too English-focused (what of correo for mail? what of other i18n
variants for 'static' or 'dynamic'?) but because I've seen so many bad
examples of people using rDNS for nothing useful at all, I doubt they'll
suddenly wake up and realize hey! I could have encoded something
useful and meaningful into my PTR! But it's a start.

Among my favorites are those who feel it necessary to add 'rev',
'reverse', 'ptr', 'ip', etc. to the PTR along with some encoding of the
IP itself. People, we *know* it's a PTR. If we didn't know the IP, we
couldn't have looked it up, so it's rather fruitless to encode it in the
PTR, don't you think? I'm guilty of the same thing, as the IP does
provide a differentiator as well as a way to say {something}.domain,
or this IP is not used for anything in particular, but it's still
an area in need of some inquiry.

Ideally, speaking as a mail admin, I'd prefer that any given PTR have
some indication of:

 - the assignment type and duration (short-term pool, long-term dyn,
   static, etc.)
 - the technology in use (dialup, cable, dsl, wireless, etc.)
 - whether it's assigned for 'business' or 'personal' use (yeah, I
   know, lousy distinction, but suggest a better one)

These are all useful for those who have to make judgement calls about
whether to trust output from a given source; this is true regardless of
protocol. It just happens that for some, email is in high relief; for
others, it might be IRC or Web spammers or SMS or ssh dictionary attacks
or whatever. 

Of the 16K naming conventions I've got handy, over 100 refer to IPs
that are labeled in one manner or another as unassigned. Of course,
I collected them from spam I received here, but they're officially not
in use. Thanks! I guess I'll refuse all mail from them.

Over half are classified as 'generic' - namely, there is so little
useful information in them we can't tell whether they're dynamic,
static, residential, dialup/dsl/cable/wireless, or anything. Many,
in fact, just start with 'host' and end with some variant of the
IP address encoded into the PTR. 

Only 682 of ~16K provide us enough information for us to judge them as
plainly 'static'. (There are a few other classifications that may
suggest static assignment, such as 'nat', 'vlan', 'lan', 'colo',
'webhost', etc. but that's just guesswork - 'dhcp' may strongly denote
dynamic, as may 'pool', but we've seen static DHCP as well as static
pools, whatever they are.) The most popular approach beyond the simple
host-foo seems to involve encoding geographic information into the
PTR; after that is perhaps advertising hosted.by.superwebhost! or
redundancy bigisp-foo-bar-baz.dyn.bigisp.net. Worst among those who
actually provide rDNS in SE Asia is probably tm.net.my, who name all of
their customer PTRs 'tm.net.my'. Hm. Maybe encoding the IP in the PTR
ain't such a bad idea after all, especially for tracking down mass
mailing viruses that HELO with the value of their PTR through NATs.

On the bright side, people seem to have mostly woken up to the idea
that if you're going to put static/dynamic identifiers into the PTR,
you need to do it rightwards, rather than leftwards e.g.

 1-2-3-4.east-campus.resnet.dhcp.pool.dyn.miskatonic.edu

rather than

 dyn-pool.dhcp.resnet-1-2.east.3-4.campus.miskatonic.edu

as the former is easily collected in formats such as sendmail's
access.db and doesn't require expensive regex overhead or many, many
entries to cover a single class of listing. I'm definitely seeing a
shift towards the former approach from the latter, though there are
always the jokers like 'dynamic_dsl_client.dsl.gol.net.gy' who woke up
and changed their _s to -s one day this year, but left the positional
aspects as is. And yes, that's the *full name* of the PTR, so at
least you can block it all with an access.db entry.

Your point below about having different schemes for policies in
different realms is on target, but doesn't mitigate the responsibility
of all ISPs to provide some useful information about their services to
remote systems; a well-designed PTR can do that as a first-stage effort
while we wait for $PROTOCOL's $ENHANCEMENT to stop $ABUSE to wend its
way through the standards committees and implementation.

 My preference is that you lookup RDNS 
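The rightward-versus-leftward point in the message above, as an added example that is not part of the original post: a lookup that walks successively shorter domain suffixes (modelled loosely on how an access.db-style table is consulted, which is an assumption here) classifies the rightward name with one table entry, while the leftward name needs a dedicated regex. The table contents and the regex are constructed for illustration; the hostnames are the ones quoted in the message.

```python
import re

# Constructed suffix table: one entry covers every host under that suffix.
SUFFIX_TABLE = {
    "dyn.miskatonic.edu": "dynamic",
    "dynamic_dsl_client.dsl.gol.net.gy": "dynamic",  # the full PTR name itself
}

# Leftward schemes bury the class token on the left and mix IP fragments
# into several labels, so each convention needs its own pattern.
LEFTWARD_PATTERNS = [
    (re.compile(r"^dyn-pool\.dhcp\.resnet-\d+-\d+\.east\.\d+-\d+"
                r"\.campus\.miskatonic\.edu$"), "dynamic"),
]


def classify_by_suffix(ptr, table=SUFFIX_TABLE):
    """Try the full name, then each parent domain, most specific first."""
    labels = ptr.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in table:
            return table[suffix]
    return None


def classify(ptr):
    """Return (class, method); method shows what it cost to decide."""
    cls = classify_by_suffix(ptr)
    if cls is not None:
        return cls, "suffix"
    name = ptr.lower().rstrip(".")
    for pattern, pattern_cls in LEFTWARD_PATTERNS:
        if pattern.match(name):
            return pattern_cls, "regex"
    # Nothing in the name says how the address is assigned.
    return "generic", None


if __name__ == "__main__":
    for ptr in [
        "1-2-3-4.east-campus.resnet.dhcp.pool.dyn.miskatonic.edu",
        "dyn-pool.dhcp.resnet-1-2.east.3-4.campus.miskatonic.edu",
        "dynamic_dsl_client.dsl.gol.net.gy",
        "tm.net.my",
    ]:
        print(ptr, classify(ptr))
```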

Re: rDNS naming conventions (was: Re: SORBS Contact)

2006-08-10 Thread Suresh Ramasubramanian


On 8/10/06, Steven Champeon [EMAIL PROTECTED] wrote:

redundancy bigisp-foo-bar-baz.dyn.bigisp.net. Worst among those who
actually provide rDNS in SE Asia is probably tm.net.my, who name all of
their customer PTRs 'tm.net.my'. Hm. Maybe encoding the IP in the PTR


There's at least one vietnamese ISP that has / had till recently set
localhost as rDNS for all their IPs.

--
Suresh Ramasubramanian ([EMAIL PROTECTED])


Re: rDNS naming conventions (was: Re: SORBS Contact)

2006-08-10 Thread bmanning

On Thu, Aug 10, 2006 at 10:21:45AM -0400, Steven Champeon wrote:
 
 on Thu, Aug 10, 2006 at 01:11:50AM -0700, william(at)elan.net wrote:
  
  
  On Aug 9, 2006, at 1:06 PM, Matthew Sullivan wrote:
  
  This is also why I took the time to create:
  
  
   http://www.ietf.org/internet-drafts/draft-msullivan-dnsop-generic-naming-schemes-00.txt
  
  The reason I do not like RDNS naming scheme is because it forces
  one particular policy as part of the name.
 
 Fair enough. FWIW, I've seen a wide variety of naming schemes (I've
 got a project that collects these as an antispam/anti-botnet measure,
 and so far we've got around 16K conventions documented for 11K domains).

first...  as a draft, it carries ZERO weight. -IF- it becomes an
RFC, its targeted status is INFORMATIONAL, e.g. no standard of any kind.
So no one is going to -force- you to implement it.

hum...  why does this draft remind me of the (in)famous WKS RR?
what is WKS?  you know, that RR type that specified the well known
services running on/at the particular label.

WKS was deprecated, in part due to the fact that black hats would
use WKS to groom their attack profiles.  Use of the conventions 
outlined in this draft would be very useful in building targeted
attacks.  To paraphrase Randy Bush, I encourage all my competition to 
implement these guidelines.

--bill  


Re: SORBS Contact

2006-08-10 Thread Joe Maimon




Matthew Sullivan wrote:



Mark Andrews wrote:


Actually there can be false positive.  ISP's
who put address blocks into dialup blocks
which have the qualification that the ISP is
also supposed to only do it if they *don't*
allow email from the block but the ISP's
policy explicitly allows email to be sent.
  


Actually that's debatable - the SORBS DUHL is about IPs assigned to 
hosts/people/machines dynamically.  We do not list addresses where the 
ISP have sent the list explicitly saying 'these are static hosts, but 
they are not allowed to send mail' - similarly we do list hosts in the 
DUHL where the ISP has said 'these are dynamic but we allow them to send 
mail' - it's about the people using the SORBS DUHL for their purposes, 
not for helping ISPs getting around the issue of whether to use SORBS as 
a replacement to port 25 blocking.


Regards,

Mat



This point in the thread seems as good as any to toss my two cents in.

Matthew, I use your list. I am very appreciative of the efforts you 
expend on it since those translate directly into less efforts expended 
on my part. You have my vote. Keep up the good things that you do.


This goes as well to the other DNSBL's, such as AHBL operators.

I have had no real issues removing systems that wandered accidentally 
into sorbs.


For those who can't tolerate any false positives from DNSBL.

I recommend that the whitelisting procedure be as easy as the 
blacklisting procedure -- that means running a DNSWL. Make it as easy as 
moving email from one imap folder to another to process whitelisting. 
Include instructions in your SMTP errors. Educate your support staff.


Joe









Re: rDNS naming conventions (was: Re: SORBS Contact)

2006-08-10 Thread Edward Lewis


At 15:47 + 8/10/06, [EMAIL PROTECTED] wrote:

On Thu, Aug 10, 2006 at 10:21:45AM -0400, Steven Champeon wrote:

 on Thu, Aug 10, 2006 at 01:11:50AM -0700, william(at)elan.net wrote:
  On Aug 9, 2006, at 1:06 PM, Matthew Sullivan wrote:
   
http://www.ietf.org/internet-drafts/draft-msullivan-dnsop-generic-naming-schemes-00.txt

 
  The reason I do not like RDNS naming scheme is because it forces
  one particular policy as part of the name.

 Fair enough. FWIW, I've seen a wide variety of naming schemes (I've
 got a project that collects these as an antispam/anti-botnet measure,
 and so far we've got around 16K conventions documented for 11K domains).


first...  as a draft, it carries ZERO weight. -IF- it becomes an
RFC, its targeted status is INFORMATIONAL, e.g. no standard of any kind.
So no one is going to -force- you to implement it.

hum...  why does this draft remind me of the (in)famous WKS RR?
what is WKS?  you know, that RR type that specified the well known
services running on/at the particular label.

WKS was deprecated, in part due to the fact that black hats would
use WKS to groom their attack profiles.  Use of the conventions
outlined in this draft would be very useful in building targeted
attacks.  To paraphrase Randy Bush, I encourage all my competition to
implement these guidelines.


Piling on here ...

The effort is to infer the intent of a packet based on ancillary 
data.  The twin dangers here are inference of intent and exposure of 
the ancillary data.


The first part is like asking would I want to have security research 
done by a company on Glenwood Road or on Shady Lane?  (Ya, know 
shady in security.)  Legend has it that one research company moved 
its location because of this, or maybe it was a joke that came 
afterwards.


The second part is what ancillary data is exposed.  You can require, 
you can request, or you can assume you won't get the data you need. 
Sometimes you won't get it because the giver doesn't want the 
headache of providing it or because the giver is afraid of the 
ancillary data going to nefarious uses.


My point is that inferring intent based on incomplete data is faulty, 
but it seems to be useable in real life.  However, once heuristics 
get encoded in deterministic algorithms, the results generally are 
not so good - mostly because the encoding of the heuristics fails. 
The answer is to include things like RFC 3514, (Note the pub date.) 
or ancillary data.  But the solution of adding ancillary data may be 
worse than the disease.  This is just one of the hard problems.


--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis+1-571-434-5468
NeuStar

Soccer/Futbol. IPv6.  Both have lots of 1's and 0's and have a hard time
catching on in North America.


Re: SORBS Contact

2006-08-10 Thread Joel Jaeggli

On Wed, 9 Aug 2006 23:51:58 -0400
Derek J. Balling [EMAIL PROTECTED] wrote:
 On Aug 9, 2006, at 10:59 PM, Allan Poindexter wrote:
  At LISA a couple of years ago a Microsoftie got up at the SPAM
  symposium and told of an experiment they did where they asked their
  hotmail users to identify their mail messages as spam or not.

snip

 The recipient is
  the only person who can determine these things.

Sure, but humans aren't perfectly accurate...

Early tests with bayesian classifiers, on the false positive rate, tended to 
indicate that building a classifier with a lower false positive rate than the 
humans was pretty easy.

Certainly my own experience is that I occasionally tag things as junk, or 
mis-moderate messages to mailing lists. my own false positive rate is probably 
less than 1% spamassassin's is much lower than that. false negatives however 
are a reason I still have to tag things.
 
 I'm gonna hold up the I call bullshit card here. Recipients most  
 certainly *can* get it wrong.
 

 
 


Re: SORBS Contact

2006-08-10 Thread Scott Weeks



- Original Message Follows -
From: Allan Poindexter [EMAIL PROTECTED]

 this is fine.  If you have agreed to participate in the
 Internet you have an obligation to deliver your traffic.

No you don't.  They're your property.  You bought them and
you can do anything you want with them.  You could deliver
one packet in a million if you chose to do so.  Nothing'd
work and no one would sign up for your service, but you
could do it if you wanted to.

scott


Re: rDNS naming conventions (was: Re: SORBS Contact)

2006-08-10 Thread Steven Champeon

on Thu, Aug 10, 2006 at 08:55:37PM +0530, Suresh Ramasubramanian wrote:
 
 On 8/10/06, Steven Champeon [EMAIL PROTECTED] wrote:
 redundancy bigisp-foo-bar-baz.dyn.bigisp.net. Worst among those who
 actually provide rDNS in SE Asia is probably tm.net.my, who name all of
 their customer PTRs 'tm.net.my'. Hm. Maybe encoding the IP in the PTR
 
 There's at least one vietnamese ISP that has / had till recently set
 localhost as rDNS for all their IPs.

IIRC, that was fpt.vn; they replaced 'localhost' with the incredibly
useful:

adsl-pool-xxx.fpt.vn
adsl-fix-xxx.fpt.vn
dialup-xxx.fpt.vn
adsl-dynamic-pool-xxx.fpt.vn
\d+-\d+-\d+-xxx-dynamic.hcm.fpt.vn
host-\d+-xx.hcm.fpt.vn
\d+-\d+-\d+-xxx-dynamic.hcm.fpt.vn

Yes, the 'xxx's are literals. e.g., 

$ host 210.245.14.143
143.14.245.210.in-addr.arpa domain name pointer dialup-xxx.fpt.vn.

Or it may have been hnpt.com.vn, who replaced it with e.g.,

adsl.hnpt.com.vn

Again, not terribly useful for tracking leakage via NATs.

$ host 203.210.213.149
149.213.210.203.in-addr.arpa domain name pointer adsl.hnpt.com.vn.

But hey, at least they *have* rDNS, I suppose that's something.

I agree that judgements based entirely on rDNS are troublesome. So,
too, are the side effects of chemotherapy. But we're trying to save
the patient before the miracle cures arrive, and right now email is
very, very sick indeed. And rDNS is a useful tool especially in a
scoring-based environment.

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2553 w: http://hesketh.com/
antispam news, solutions for sendmail, exim, postfix: http://enemieslist.com/
rambling, amusements, edifications and suchlike: http://interrupt-driven.com/


Re: rDNS naming conventions (was: Re: SORBS Contact)

2006-08-10 Thread Nicholas Suan


On 8/10/06, Steven Champeon [EMAIL PROTECTED] wrote:


on Thu, Aug 10, 2006 at 08:55:37PM +0530, Suresh Ramasubramanian wrote:
 There's at least one vietnamese ISP that has / had till recently set
 localhost as rDNS for all their IPs.

IIRC, that was fpt.vn; they replaced 'localhost' with the incredibly
useful:



There seem to be a couple in the area that do it:

As of 5 minutes ago:

% dig +short -x 203.160.1.3 -x 203.160.1.35
localhost.
localhost.

inetnum:  203.160.0.0 - 203.160.1.255
netname:  VNPT-VNNIC-VN
country:  VN
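
The rDNS observations in the two messages above (generic pool names, one PTR answering for many addresses, 'localhost' as a PTR), written as one input to a scoring filter. This is an added example, not code from the thread or from any list operator; the token list, label names and weights are assumptions, and the example.* records are constructed.

```python
import ipaddress
import re

# Assumed tokens that conventionally mark consumer/dynamic pools in PTR names.
# A legitimate host can contain one of these, which is why the result feeds a
# score rather than a block decision.
DYNAMIC_TOKENS = {"dyn", "dynamic", "dialup", "dial", "dsl", "adsl",
                  "pool", "dhcp", "ppp", "cable"}

# Hypothetical weights for a scoring-based filter (higher = more suspicious).
WEIGHTS = {"no-ptr": 2.0, "bogus": 3.0, "shared": 1.5,
           "dynamic": 2.0, "ip-encoded": 1.0, "static": -0.5}


def normalize(ptr):
    """Lower-case a PTR target and drop the trailing root dot."""
    return ptr.rstrip(".").lower() if ptr else ""


def encodes_ip(name, ip):
    """True if the IPv4 octets appear in the name, forward or reversed."""
    octets = str(ip).split(".")
    for seq in (octets, octets[::-1]):
        pattern = r"(?<!\d)" + r"[-.]".join(seq) + r"(?!\d)"
        if re.search(pattern, name):
            return True
    return False


def shared_ptrs(records):
    """Names that answer for more than one IP identify a pool, not a host."""
    seen = {}
    for ip, ptr in records:
        name = normalize(ptr)
        if name:
            seen.setdefault(name, set()).add(ip)
    return frozenset(n for n, ips in seen.items() if len(ips) > 1)


def classify(ip_text, ptr, shared=frozenset()):
    """Return the list of labels that apply to one (IP, PTR) pair."""
    ip = ipaddress.ip_address(ip_text)
    name = normalize(ptr)
    if not name:
        return ["no-ptr"]
    labels = []
    if name == "localhost" or name.startswith("localhost.") or "." not in name:
        labels.append("bogus")
    if name in shared:
        labels.append("shared")
    tokens = set(re.split(r"[^a-z]+", name))
    if tokens & DYNAMIC_TOKENS:
        labels.append("dynamic")
    if "static" in tokens:
        labels.append("static")
    if ip.version == 4 and encodes_ip(name, ip):
        labels.append("ip-encoded")
    return labels or ["custom"]


def score(labels):
    """Sum the assumed weights; unknown labels such as 'custom' add nothing."""
    return sum(WEIGHTS.get(label, 0.0) for label in labels)


def report(records):
    """Map each IP to (labels, score) for a batch of (IP, PTR) records."""
    shared = shared_ptrs(records)
    result = {}
    for ip, ptr in records:
        labels = classify(ip, ptr, shared)
        result[ip] = (labels, score(labels))
    return result


SAMPLE = [
    ("210.245.14.143", "dialup-xxx.fpt.vn."),                # from the thread
    ("203.210.213.149", "adsl.hnpt.com.vn."),                # from the thread
    ("203.160.1.3", "localhost."),                           # from the thread
    ("203.160.1.35", "localhost."),                          # from the thread
    ("198.51.100.20", "c-198-51-100-20.dyn.example.net."),   # constructed
    ("203.0.113.7", "7.113.0.203.static.example.com."),      # constructed
    ("192.0.2.25", "mail.example.org."),                     # constructed
    ("192.0.2.99", None),                                    # constructed, no PTR
]

if __name__ == "__main__":
    for ip, (labels, points) in report(SAMPLE).items():
        print(f"{ip:16} {points:4.1f}  {','.join(labels)}")
```
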


Re: SORBS Contact

2006-08-10 Thread Steve Sobol

Allan Poindexter wrote:
   Matthew so would you consider as it is my network, that I should
   Matthew not be allowed to impose these 'draconian' methods and
   Matthew perhaps I shouldn't be allowed to censor traffic to and
   Matthew from my networks?
 
 If you want to run a network off in the corner by yourself this is
 fine.  If you have agreed to participate in the Internet you have an
 obligation to deliver your traffic.

In many cases, that is a gross overgeneralization. Do you think anyone really
wanted the Slammer worm, or complained when ISP's blocked it?

I work for a company that is contractually obligated to NOT carry certain
traffic for our clients.

 the users got it wrong some small percentage amount of the time.  I
 was stunned at the arrogance and presumption in that comment.  You
 can't tell from looking at the contents, source, or destination if
 something is spam because none of these things can tell whether the
 message was requested or is wanted by the recipient.  The recipient is
 the only person who can determine these things.

You're right. But... So what?

Perhaps it's because you're seeing things from an academic point of view and
not from a business point of view, but your post mentions nothing about
contracts. People generally use DNSBLs without any formal agreement as to
what they should expect. Without any formal agreement, you really can't talk
about obligations to deliver traffic. In this case, your recourse is to not
use the DNSBL. If you're mailing someone who has a DNSBL, you (as the sender)
have *no* recourse other than to complain to the DNSBL user.

Plus, as I pointed out earlier, some people contract with service providers
to prevent certain traffic from getting to their networks (not just spam,
either).

 There are simple solutions to this.  They do work in spite of the
 moanings of the hand wringers.  In the meantime my patience with email
 lost silently due to blacklists, etc. is growing thin.

You're certainly welcome to encourage others not to use blacklists. Just
understand that you have no right to complain when they decide to continue
using those blacklists.

Having said that, do understand that I don't think DNSBL's are a panacea, nor
are their operators perfect. But in many cases, they can be a useful tool in
the anti-spam arsenal.


-- 
Steve Sobol, Professional Geek ** Java/VB/VC/PHP/Perl ** Linux/*BSD/Windows
Apple Valley, California PGP:0xE3AE35ED

It's all fun and games until someone starts a bonfire in the living room.


Re: SORBS Contact

2006-08-10 Thread Steve Sobol

Allan Poindexter wrote:
   Todd There are simple solutions to this.  They do work in spite of
   Todd the moanings of the few who have been mistakenly blocked.
 
 So it is OK so long as we only defame a few people and potentially
 ruin their lives?


Weren't you the person complaining about *others* being alarmist?

-- 
Steve Sobol, Professional Geek ** Java/VB/VC/PHP/Perl ** Linux/*BSD/Windows
Apple Valley, California PGP:0xE3AE35ED

It's all fun and games until someone starts a bonfire in the living room.


Re: SORBS Contact

2006-08-09 Thread Steve Sobol

On Wed, 9 Aug 2006, Matthew Sullivan wrote:

 Sad state of affairs when ISPs are still taking money from spammers and 
 providing transit to known criminal organisations.

Hey Mat.

You aren't wrong, but that doesn't absolve you of the responsibility to 
de-list in an efficient manner when you have made a mistake, or if the 
listing is no longer accurate (i.e. if all the spammers have been kicked 
off the netblock in question.)

$DAYJOB lists spam filtering amongst the services we offer to our 
clients. I know we're using you to block IPs at the firewall, and we're 
probably also doing so at the server level. I am going to talk to my boss 
and co-workers about the impact of removing SORBS from our DNSBL list, 
because your replies lately have been snarky and completely 
unprofessional, including the reply quoted above. (Yes. It sucks that 
spammers are still spamming. So what?)

I don't know what your problem is, but you're not making things any better 
by refusing to fix listings that aren't incorrect or, in some cases, never 
were.

-- 
Steve Sobol, Professional Geek ** Java/VB/VC/PHP/Perl ** Linux/*BSD/Windows
Apple Valley, California PGP:0xE3AE35ED

It's all fun and games until someone starts a bonfire in the living room.



Re: SORBS Contact

2006-08-09 Thread Steve Sobol

On Wed, 9 Aug 2006, Steve Sobol wrote:
 
 I don't know what your problem is, but you're not making things any better 
 by refusing to fix listings that aren't incorrect or, in some cases, never 
 were.

Feh.

Listings that are NO LONGER CORRECT, or in some cases, never were.

Make sure brain is running before engaging fingers. :)

-- 
Steve Sobol, Professional Geek ** Java/VB/VC/PHP/Perl ** Linux/*BSD/Windows
Apple Valley, California PGP:0xE3AE35ED

It's all fun and games until someone starts a bonfire in the living room.



Re: SORBS Contact

2006-08-09 Thread Nachman Yaakov Ziskind

  I don't know what your problem is, but you're not making things any better 
  by refusing to fix listings that aren't incorrect or, in some cases, never 
  were.

IMHO, it's not about making things 'better' - we don't expect NANOG'ers
to be any more altruistic than other folk. It's about consumer
protection, as the anti-spammers always say; if $BLACKLIST does a good
job, we keep it. If it screws up too much, we go elsewhere. So Matt has
an incentive to be correct, I should think.

-- 
_
Nachman Yaakov Ziskind, FSPA, LLM   [EMAIL PROTECTED]
Attorney and Counselor-at-Law   http://ziskind.us
Economic Group Pension Services http://egps.com
Actuaries and Employee Benefit Consultants


Re: SORBS Contact

2006-08-09 Thread Michael Nicks


Don't forget racketeering.

A person who commits crimes such as extortion, loansharking, bribery, 
and obstruction of justice in furtherance of illegal business activities.


I think most network operators have learned about the ultra-liberal 
listing activities of RBLs these days.


-Michael

--
Michael Nicks
Network Engineer
KanREN
e: [EMAIL PROTECTED]
o: +1-785-856-9800 x221
m: +1-913-378-6516

Dean Anderson wrote:
SORBS is a well-known abusive/defamatory blacklist.  In the US, that 
violates a number of state and federal laws:


1. defamation
2. illegal group boycott in violation of antitrust act
3. (usually) unauthorized blocking by ISP in violation of its
   contract with its customer, which is a violation of the
   electronic communications privacy act.
4. There are frequently state laws that apply to electronic
   communications that are even more broad.


You _can_ make the US based ISP not use SORBS. Most ISPs know better,
already.

--Dean


See also http://www.iadl.org.

--Dean

On Mon, 7 Aug 2006, Brian Boles wrote:

Can someone from SORBS contact me offlist if they are on here


On Tue, 8 Aug 2006, Stefan Hegger wrote:
We have the same problem. We are blacklisted and I filled out the webform. I 
got an email regarding ticket number and account/password to track the 
ticket. But it seems that nobody is working on it. 



There has been extensive discussion on NANAE and NANABl newsgroups on
this issue.  The bottom line:  The SORBS ticket queue is handled by a
group of unpaid volunteers, and there is quite a backlog.  


That's why there is the automatic de-listing system in place, which
requires proper host names and longer time-to-live (TTL) values in
rDNS.

Yes, it's a bit of work, but it beats waiting for someone to get around
to your ticket.

No, I'm not associated in any way with SORBS, just an interested
observer and system administrator who has had to deal with listings myself.





On Tue, 8 Aug 2006, Michael Nicks wrote:
Sad state of affairs when looney people dictate which IPs are good and 
bad.



On Tue, 8 Aug 2006, S. Ryan wrote:

Even worse if your ISP uses it and demands you ask the 'offender' to get 
'themselves' removed.





RE: SORBS Contact

2006-08-09 Thread andrew2

[EMAIL PROTECTED] wrote:
 I don't know what your problem is, but you're not making things any
 better by refusing to fix listings that aren't incorrect or, in some
 cases, never were.
 
 IMHO, it's not about making things 'better' - we don't expect
 NANOG'ers to be any more altruistic than other folk. It's
 about consumer protection, as the anti-spammers always say;
 if $BLACKLIST does a good job, we keep it. If it screws up
 too much, we go elsewhere. So Matt has an incentive to be
 correct, I should think.

I fear we're veering off topic, but the problem with the If $BLACKLIST
does a job, we'll keep using it axiom is that it makes the assumption
that the majority of mail admins who use blacklists as part of their
antispam arsenal are keeping close tabs on the efficacy and accuracy of
the blacklists they use.  Unfortunately I don't believe that is
generally the case.  In my experience, most use blacklists as a set and
forget kind of weapon, and the only method they use to judge the
reliability of a list is how many spams it blocks, regardless of
accuracy.  Too often you find admins that, when presented with an
example of a false-positive caused by an inaccurate blacklist, cop the,
Don't talk to me, talk to the blacklist operators attitude.

And it isn't entirely a lazy admin problem.  There really seems to be no
*good* way to judge the relative accuracy of different blacklists.  You
can read their policies and procedures, but how do you know if they
actually follow them?  Keeping an eye on mailing lists and newsgroups
can help some, but how do you separate the net.kooks complaining about a
valid listing from people with legitimate gripes?  Especially when the
blacklist admins often come off as bigger net.kooks than their
detractors?

It winds up looking like a big catch-22 to me.  Blacklist operators
essentially punt all responsibility for incorrectly blocked emails on
the mail admins, and the mail admins punt all responsibility for
incorrect listings back at the blacklist operators.  And that leaves us
with *no one* taking responsibility, which makes me seriously question
the wisdom of using blacklists at all anymore.

Personally, I think completely automated systems with very short listing
times may be the way to go.  It removes the human element from the
listing and delisting process in order to avoid the
personality-conflict/vendetta listings that seem to poison a number of
popular blacklists.  In the long run, though, I think the spammers have
won the DNS blacklist war already and our time is better spent
developing better content filters to worry with the actual content of
the email than where it came from.

Andrew Cruse
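
One way to put numbers on the accuracy question raised in the message above: score each list against mail the recipients themselves classified, instead of by blocked volume alone. This is an added example, not part of the original post; the log format, the list names and the counts are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: one line per message, with the verdict assigned afterwards
# by the recipient and the lists that had the sending IP listed at delivery time.
SAMPLE_LOG = """\
ip=198.51.100.11 verdict=spam lists=bl-a.example,bl-b.example
ip=198.51.100.12 verdict=spam lists=bl-a.example,bl-b.example
ip=198.51.100.13 verdict=spam lists=bl-a.example,bl-b.example
ip=198.51.100.14 verdict=spam lists=bl-a.example
ip=198.51.100.15 verdict=spam lists=bl-a.example
ip=198.51.100.16 verdict=spam lists=bl-b.example
ip=198.51.100.17 verdict=ham lists=bl-a.example
ip=198.51.100.18 verdict=ham lists=bl-a.example
ip=198.51.100.19 verdict=ham lists=
ip=198.51.100.20 verdict=ham lists=
"""

LINE = re.compile(r"ip=(\S+) verdict=(spam|ham) lists=(\S*)")


def parse(log):
    """Turn log text into (ip, verdict, frozenset_of_lists) rows."""
    rows = []
    for line in log.splitlines():
        match = LINE.fullmatch(line.strip())
        if not match:
            continue  # skip anything that is not a well-formed record
        lists = frozenset(filter(None, match.group(3).split(",")))
        rows.append((match.group(1), match.group(2), lists))
    return rows


def evaluate(rows):
    """Per-list volume and accuracy figures from recipient-labelled mail."""
    total = {"spam": 0, "ham": 0}
    hits = defaultdict(lambda: {"spam": 0, "ham": 0, "unique_spam": 0})
    for _ip, verdict, lists in rows:
        total[verdict] += 1
        for name in lists:
            hits[name][verdict] += 1
            # Spam that no other list would have caught.
            if verdict == "spam" and len(lists) == 1:
                hits[name]["unique_spam"] += 1
    stats = {}
    for name, h in hits.items():
        listed = h["spam"] + h["ham"]
        stats[name] = {
            "blocked": listed,                 # what "how many spams it blocks" sees
            "spam_caught": h["spam"],
            "ham_blocked": h["ham"],
            "precision": h["spam"] / listed,   # share of blocks that were spam
            "ham_loss_rate": h["ham"] / total["ham"] if total["ham"] else 0.0,
            "unique_spam": h["unique_spam"],
        }
    return stats


def rank_by_volume(stats):
    """Ranking an admin gets from block counts alone."""
    return sorted(stats, key=lambda n: -stats[n]["blocked"])


def rank_by_ham_loss(stats):
    """Ranking by wanted mail lost, ties broken by spam caught."""
    return sorted(stats, key=lambda n: (stats[n]["ham_loss_rate"],
                                        -stats[n]["spam_caught"]))


if __name__ == "__main__":
    result = evaluate(parse(SAMPLE_LOG))
    for name in rank_by_ham_loss(result):
        s = result[name]
        print(f"{name}: blocked={s['blocked']} precision={s['precision']:.2f} "
              f"ham_loss={s['ham_loss_rate']:.2f} unique_spam={s['unique_spam']}")
```

On this sample the list that blocks the most mail is also the one that loses half of the wanted mail, so the two rankings come out reversed.
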




Re: SORBS Contact

2006-08-09 Thread Albert Meyer


I think we can sufficiently indict SORBS by saying that they are a poorly 
managed email blacklist which isn't used by anyone with a clue, without putting 
on our tinfoil hats. http://www.iadl.org makes some interesting claims, but 
anyone who puts Paul Vixie in the same list of offenders with Alan Brown and 
Matt Sullivan is clueless at best. SORBS, SPEWS, etc. are a problem, but they 
aren't a criminal conspiracy, and claiming that they are isn't going to win any 
points among people who haven't followed the instructions at 
http://zapatopi.net/afdb/build.html


Michael Nicks wrote:


Don't forget racketeering.

A person who commits crimes such as extortion, loansharking, bribery, 
and obstruction of justice in furtherance of illegal business activities.


I think most network operators have learned about the ultra-liberal 
listing activities of RBLs these days.


-Michael



Re: SORBS Contact

2006-08-09 Thread Andrew D Kirch


Albert Meyer wrote:


I think we can sufficiently indict SORBS by saying that they are a 
poorly managed email blacklist which isn't used by anyone with a clue, 
without putting on our tinfoil hats. http://www.iadl.org makes some 
interesting claims, but anyone who puts Paul Vixie in the same list of 
offenders with Alan Brown and Matt Sullivan is clueless at best. 
SORBS, SPEWS, etc. are a problem, but they aren't a criminal 
conspiracy, and claiming that they are isn't going to win any points 
among people who haven't followed the instructions at 
http://zapatopi.net/afdb/build.html
Please parse usage of you and your as being generic and not directed 
at Albert Meyer except insomuch that I am replying to his message, thanks.
Correct me if I'm wrong but this thread started because someone acquired 
from ARIN IP Space which was previously infested with spammers.  The 
person acquiring the IP space sent multiple tickets (which annoys the 
crap out of every support list I've ever contacted) within the period of 
less than a week.  CAN-SPAM which is a poorly conceived and almost 
totally unenforced law allows spammers one week to remove users from 
their lists, and this person seems to expect instant turnaround from a 
volunteer organization.  It's unfortunate that he got tainted space from 
a RIR, and further unfortunate that it takes time to process removals, 
and further unfortunate that he is not capable of reading and following 
the directions on Matthew's website which clearly describe how to 
achieve removal from SORBS.  Calling unpaid volunteers clueless 
because they don't process removals instantly is in and of itself 
clueless, especially considering that 1. dozens of people are removed 
from SORBS daily and 2. this person has failed to follow the stated 
policies and procedures to be removed from SORBS. 
SORBS, SPEWS, The AHBL all operate on their own set of rules, it's up to 
the administrators of the mail servers that use our lists whether or not 
they agree with our policies.  Remember, and this is very important:  
When blacklisting there is no such thing as a false positive.  You are 
either blocked or you aren't at the determination of the administrator 
using our list.  Blacklisting is not, nor has it ever been based on 
whether your message is spam or not.  If it helps you, think of it more 
as wanted and unwanted e-mail.  By using SORBS the administrator is 
stating I do not want e-mail from people Matthew believes are 
spammers, and only a clueless person would think to enforce their will 
on someone else's mail server.
And yes if you request removal from the AHBL and can't follow the simple 
removal instructions, you are in my mind and in my list too clueless to 
contribute e-mail to the public Internet, I therefore don't miss your 
traffic and have never had one of my users complain that they miss it 
either.


--
Andrew D Kirch  |   Abusive Hosts Blocking List  | www.ahbl.org
Security Admin  |  Summit Open Source Development Group  | www.sosdg.org
Key fingerprint = 4106 3338 1F17 1E6F 8FB2  8DFA 1331 7E25 C406 C8D2




Re: SORBS Contact

2006-08-09 Thread Michael Nicks


Actually I think this thread progressed from someone getting dirty 
blocks, to complaining about liberal-listing-RBLs (yes SORBS is one), to 
RBLs defending themselves and their obviously broken practices. We 
should not have to jump through hoops to satisfy your requirements.


Best Regards,
-Michael

--
Michael Nicks
Network Engineer
KanREN
e: [EMAIL PROTECTED]
o: +1-785-856-9800 x221
m: +1-913-378-6516

Andrew D Kirch wrote:


Albert Meyer wrote:


I think we can sufficiently indict SORBS by saying that they are a 
poorly managed email blacklist which isn't used by anyone with a clue, 
without putting on our tinfoil hats. http://www.iadl.org makes some 
interesting claims, but anyone who puts Paul Vixie in the same list of 
offenders with Alan Brown and Matt Sullivan is clueless at best. 
SORBS, SPEWS, etc. are a problem, but they aren't a criminal 
conspiracy, and claiming that they are isn't going to win any points 
among people who haven't followed the instructions at 
http://zapatopi.net/afdb/build.html
Please parse usage of you and your as being generic and not directed 
at Albert Meyer except insomuch that I am replying to his message, thanks.
Correct me if I'm wrong but this thread started because someone acquired 
from ARIN IP Space which was previously infested with spammers.  The 
person acquiring the IP space sent multiple tickets (which annoys the 
crap out of every support list I've ever contacted) within the period of 
less than a week.  CAN-SPAM which is a poorly conceived and almost 
totally unenforced law allows spammers one week to remove users from 
their lists, and this person seems to expect instant turnaround from a 
volunteer organization.  It's unfortunate that he got tainted space from 
a RIR, and further unfortunate that it takes time to process removals, 
and further unfortunate that he is not capable of reading and following 
the directions on Matthew's website which clearly describe how to 
achieve removal from SORBS.  Calling unpaid volunteers clueless 
because they don't process removals instantly is in and of itself 
clueless, especially considering that 1. dozens of people are removed 
from SORBS daily and 2. this person has failed to follow the stated 
policies and procedures to be removed from SORBS. SORBS, SPEWS, The AHBL 
all operate on their own set of rules, it's up to the administrators of 
the mail servers that use our lists whether or not they agree with our 
policies.  Remember, and this is very important:  When blacklisting 
there is no such thing as a false positive.  You are either blocked or 
you aren't at the determination of the administrator using our list.  
Blacklisting is not, nor has it ever been based on whether your message 
is spam or not.  If it helps you, think of it more as wanted and 
unwanted e-mail.  By using SORBS the administrator is stating I do not 
want e-mail from people Matthew believes are spammers, and only a 
clueless person would think to enforce their will on someone else's mail 
server.
And yes if you request removal from the AHBL and can't follow the simple 
removal instructions, you are in my mind and in my list too clueless to 
contribute e-mail to the public Internet, I therefore don't miss your 
traffic and have never had one of my users complain that they miss it 
either.


--
Andrew D Kirch  |   Abusive Hosts Blocking List  | www.ahbl.org
Security Admin  |  Summit Open Source Development Group  | www.sosdg.org
Key fingerprint = 4106 3338 1F17 1E6F 8FB2  8DFA 1331 7E25 C406 C8D2




Re: SORBS Contact

2006-08-09 Thread Laurence F. Sheldon, Jr.


Michael Nicks wrote:

Actually I think this thread progressed from someone getting dirty 
blocks, to complaining about liberal-listing-RBLs (yes SORBS is one), to 
RBLs defending themselves and their obviously broken practices. We 
should not have to jump through hoops to satisfy your requirements.


Fair enough.

End users ought not to have the functionality of email destroyed because 
originating SP's won't show due diligence in preventing abuse of the 
network.


If you don't like SORBS, don't use it.

Don't send email to anybody who does.

--
Requiescas in pace o email

Ex turpi causa non oritur actio

http://members.cox.net/larrysheldon/




Re: SORBS Contact

2006-08-09 Thread Mikael Abrahamsson


On Wed, 9 Aug 2006, Michael Nicks wrote:

themselves and their obviously broken practices. We should not have to 
jump through hoops to satisfy your requirements.


We were hit by the requirement to include the word static in our DNS 
names to satisfy requirements. It wasn't enough to just say this /17 is 
only static IPs, one customer, one IP, no dhcp or other dynamics at all), 
we actually had to change all PTR records to this arbitrary standard.


Took several weeks to get delisted even after that.

--
Mikael Abrahamssonemail: [EMAIL PROTECTED]


Re: SORBS Contact

2006-08-09 Thread Michael Nicks


Doesn't really surprise me to be frankly honest. :) The way their 
requirements are structured, they remind me a lot of a state agency.


Best Regards,
-Michael

--
Michael Nicks
Network Engineer
KanREN
e: [EMAIL PROTECTED]
o: +1-785-856-9800 x221
m: +1-913-378-6516

Mikael Abrahamsson wrote:


On Wed, 9 Aug 2006, Michael Nicks wrote:

themselves and their obviously broken practices. We should not have to 
jump through hoops to satisfy your requirements.


We were hit by the requirement to include the word static in our DNS 
names to satisfy requirements. It wasn't enough to just say this /17 is 
only static IPs, one customer, one IP, no dhcp or other dynamics at 
all), we actually had to change all PTR records to this arbitrary 
standard.


Took several weeks to get delisted even after that.



Re: SORBS Contact

2006-08-09 Thread william(at)elan.net



On Wed, 9 Aug 2006, Mikael Abrahamsson wrote:


On Wed, 9 Aug 2006, Michael Nicks wrote:

themselves and their obviously broken practices. We should not have to jump 
through hoops to satisfy your requirements.


We were hit by the requirement to include the word static in our DNS names 
to satisfy requirements. It wasn't enough to just say this /17 is only 
static IPs, one customer, one IP, no dhcp or other dynamics at all), we 
actually had to change all PTR records to this arbitrary standard.


Would people support if there was a defined and standardized way that 
providers can specify if the system with this ip address does or does
not send email? There are several proposals for this but so far ISPs
have not shown sufficient interest in implementing any one - if
number of ISPs agree to enter some records and it catches on then
the need for 3rd party maintained lists of dynamic ip addresses
would go away.

---

Of course the root cause for all these still remains that certain
OS vendor makes (and continues to) bad security design choices and
this results in users of their system getting infected and being
used as spam zombies. Combined with that is that many ISPs don't
maintain good enough policies to shutdown infected users quickly
or block their accounts from access to SMTP on per-user basis.
Last is sometimes due to low margins and ISPs trying to cut cost
and it is affecting abuse department - which is basically the one
part of the company that not only does not make any money but causes
it to lose some business...

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]


Re: SORBS Contact

2006-08-09 Thread Aaron Glenn


On 8/9/06, william(at)elan.net [EMAIL PROTECTED] wrote:

---

Of course the root cause for all these still remains that certain
OS vendor makes (and continues to) bad security design choices and
this results in users of their system getting infected and being
used as spam zombies. Combined with that is that many ISPs don't
maintain good enough policies to shutdown infected users quickly
or block their accounts from access to SMTP on per-user basis.
Last is sometimes due to low margins and ISPs trying to cut cost
and it is affecting abuse department - which is basically the one
part of the company that not only does not make any money but causes
it to lose some business...


That (blocking SMTP) could become illegal is some proposed net
neutrality legislation is passed.


I apologize in advance for stoking the flames


Re: SORBS Contact

2006-08-09 Thread Allan Poindexter

  Laurence End users ought not to have the functionality of email
  Laurence destroyed because originating SP's won't show due
  Laurence diligence in preventing abuse of the network.

This is crisis mongering of the worst sort.  Far more damage has been
done to the functionality of email by antispam kookery than has ever
been done by spammers.  I have one email address that has:

  Existed for over a decade.

  Been posted all over Usenet and the Web in unmangled form.

  Only three letters so it gets spam from the spammers that send
  copies to every possible short address.

  All blacklisting turned off because that was causing too much mail
  to go into a black hole.

In short it should be one of the worst hit addresses there is.  All I
have to do to make it manageable is run spamassassin over it.  That is
the mildest of several measures I could use to fix the spam problem.
If it became truly impossible I could always fall back to requiring an
address of the form apoindex+password and blocking all the ones
that don't match the password(s).  That would definitely fix the
problem and doesn't require any pie in the sky re-architecting of the
entire Internet to accomplish.

For almost a decade now I have listened to the antispam kooks say that
spam is going to be this vast tidal wave that will engulf us all.
Well it hasn't.  It doesn't show any sign that it ever will.  In the
meantime in order to fix something that is at most an annoyance people
in some places have instigated draconian measures that make some mail
impossible to deliver at all or *even in some cases to know it wasn't
delivered*.  The antispam kooks are starting to make snail mail look
good.  It's pathetic.

The functionality of my email is still almost completely intact.  The
only time it isn't is when some antispam kook somewhere decides he
knows better than me what I want to read.  Spam is a manageable problem
without the self appointed censors.  Get over it and move on.


 


Re: SORBS Contact

2006-08-09 Thread Noel

On Thu, 2006-08-10 at 07:39, Aaron Glenn wrote:

 That (blocking SMTP) could become illegal is some proposed net
 neutrality legislation is passed.
 

hahaha try enforcing that in other countries

also, most networks are private (not state run) therefore we have the
right to say yes/no what data enters our own network, because unless
a contract (payment) exists for the sender's ISP to receiver's ISP
to accept data off them, the sender's ISP can be told to go to hell :)


 
 I apologize in advance for stoking the flames



Re: SORBS Contact

2006-08-09 Thread Matthew Sullivan


Allan Poindexter wrote:

The functionality of my email is still almost completely intact.  The
only time it isn't is when some antispam kook somewhere decides he
knows better than me what I want to read.  Spam is a manageable problem
without the self appointed censors.  Get over it and move on.
 
  
Interesting comment - so would you consider as it is my network, that I 
should not be allowed to impose these 'draconian' methods and perhaps I 
shouldn't be allowed to censor traffic to and from my networks?  Should 
you not be allowed to censor my traffic going to your network (if any)?  
The self appointed censors are not self appointed - they produce lists 
the admins of their own networks choose what traffic to accept or deny, 
if they choose to accept or deny based on a third party it does not 
automatically make that person a self appointed censor.


Regards,

Mat


Re: SORBS Contact

2006-08-09 Thread Noel

On Thu, 2006-08-10 at 06:49, Mikael Abrahamsson wrote:

 
 We were hit by the requirement to include the word static in our DNS 
 names to satisfy requirements. It wasn't enough to just say this /17 is 
 only static IPs, one customer, one IP, no dhcp or other dynamics at all), 
 we actually had to change all PTR records to this arbitrary standard.
 
 Took several weeks to get delisted even after that.

We've had our moments with SORBS, Matthew is a very approachable person.
Things get sorted out pretty quickly, generally within a few days,
Matthew also has others who help him and one of them is an obnoxious
.

I do agree though, the requirement to have X TTL and 'static' or non
'dsl' 'dial' in DNS is a bit too far, I understand this is for
automation, it's the only part of SORBS I disagree with, that said we
still use them, as do many large carriers in this country, because the
use of RBL's is for one reason, to STOP the wanker, and SORBS along
with spamcop and spamhaus and njabl go a very long way to prevent 
peoples privacy being invaded by those vernom






Re: SORBS Contact

2006-08-09 Thread Aaron Glenn


On 8/9/06, Noel [EMAIL PROTECTED] wrote:

 On Thu, 2006-08-10 at 07:39, Aaron Glenn wrote:

  That (blocking SMTP) could become illegal is some proposed net
  neutrality legislation is passed.

Man, I really butchered that one. I look so much smarter when I don't
post on NANOG...

 hahaha try enforcing that in other countries

That has never stopped the US from making terrible policy (-:

 also, most networks are private (not state run) therefore we have the
 right to say yes/no what data enters our own network, because
 unless a contract (payment) exists for the senders ISP to receivers ISP
 to accept data off them, the senders ISP can be told to go to hell :)


We're talking about owned Windows boxes on consumer/retail access
networks (cable/dsl/whathaveyou).


Re: SORBS Contact

2006-08-09 Thread Matthew Sullivan


Steve Sobol wrote:

 On Wed, 9 Aug 2006, Matthew Sullivan wrote:

  Sad state of affairs when ISPs are still taking money from spammers and
  providing transit to known criminal organisations.

 Hey Mat.

 You aren't wrong, but that doesn't absolve you of the responsibility to
 de-list in an efficient manner when you have made a mistake, or if the
 listing is no longer accurate (i.e. if all the spammers have been kicked
 off the netblock in question.)

If you checked with the original complainant you would find that both 
the zombie and DUHL listings are cleared.  If you knew the ticket 
numbers and where they sit in the SORBS RT Support system you would know 
that there were multiple tickets logged the oldest now being 10 days, 
the most recent being 5 days - and under published policy the earliest 
was pushed into the more recent.  You'll also note that the original 
complaint was about a single IP address as part of a /27 within a /19 
listing.

 $DAYJOB lists spam filtering amongst the services we offer to our
 clients. I know we're using you to block IPs at the firewall, and we're
 probably also doing so at the server level. I am going to talk to my boss
 and co-workers about the impact of removing SORBS from our DNSBL list,
 because your replies lately have been snarky and completely
 unprofessional, including the reply quoted above. (Yes. It sucks that
 spammers are still spamming. So what?)

The quoted text above is intended for a few that might still be on this 
list, none of which posted to this thread.  The fact remains some ISPs 
provide transit to known criminal organisations for hijacked netblocks 
which are used for nothing but abuse (hosting trojans and viruses).  
Money talks.

 I don't know what your problem is, but you're not making things any better
 by refusing to fix listings that aren't incorrect or, in some cases, never
 were.

Where do you get that from...?  We fix incorrect listings as soon as 
notified and with no deliberate delay.  If you are referring to listings 
like Dean Anderson's stolen netblock these are not delisted until such 
time as proof is obtained that our information is incorrect. 

We have been informed that Dean picked up that portable /16 (and 2 other 
networks - one of which was a non-portable UUNET block) when he parted 
company with OSF in 1998.  I have been contacted on a few occasions by 
Dean demanding delisting, each time I have asked for proof that he did 
not steal the netblock from the OSF's creditors (taking without 
permission even from a company folding is still stealing) - his response 
was a lot of bluster followed by the creation of the IADL.org site.  A 
few people (including myself) have attempted to contact 'The Open Group' 
who are the new owners of the old OSF organisation.  I am not aware of a 
reply that has been received from anyone other than Dean indicating that 
Dean is the legitimate owner of the said netblock.  You will also note 
that at least one of the netblocks that Dean has indicated that he was a 
legitimate owner of have been taken back and are reallocated.  To date 
no-one has backed Dean up in his assertion that he did not steal the 
netblock, all that we have seen is a short time after the listing 
suddenly Dean started providing services to 'opengroup.org' and cited 
that as proof he owns the block - considering the OpenGroup is in the UK 
now and are now unlikely to be able to prove to a court that they are 
the legitimate owners of the netblock I don't see that as reason to 
consider Dean the legitimate owner.  A verifiable document from the 
OSF/OpenGroup indicating that Dean Anderson is the legitimate owner of 
their /16 and it was transferred to him with their knowledge and 
permission is all that is required for delisting... however it seems 
Dean cannot obtain that adding weight to the view that he did indeed 
steal the netblocks.


Something to consider before replying: is this on or off topic for 
NANOG? (personally I think part of this is on topic, other parts of the 
thread are definitely off topic)


Regards,

Mat



Re: SORBS Contact

2006-08-09 Thread Matthew Sullivan


Noel wrote:

 On Thu, 2006-08-10 at 06:49, Mikael Abrahamsson wrote:

  We were hit by the requirement to include the word static in our DNS
  names to satisfy requirements. It wasn't enough to just say this /17 is
  only static IPs, one customer, one IP, no dhcp or other dynamics at all),
  we actually had to change all PTR records to this arbitrary standard.

  Took several weeks to get delisted even after that.

 We've had our moments with SORBS, Matthew is a very approachable person.
 Things get sorted out pretty quickly, generally within a few days,
 Matthew also has others who help him and one of them is an obnoxious
 .

I'd love to know which one...  I have had several (had being the 
operative word) and from time to time some still are.

 I do agree though, the requirement to have X TTL and 'static' or non
 'dsl' 'dial' in DNS is a bit too far, I understand this is for
 automation,

It is for automation, but it is also so that the SORBS DUHL would become 
pointless.  If a standard format was used admins would be able to choose 
their policy by simple regexs instead of relying on third-party lists 
which cannot possibly ever be 'up to date' just because of the number of 
changes that happen on a daily basis around the world.  This is also why 
I took the time to create:


http://www.ietf.org/internet-drafts/draft-msullivan-dnsop-generic-naming-schemes-00.txt

There are things in the works that will enable the most complained about 
aspects of SORBS to be fixed and to go away permanently...  The only 
thing that is delaying it is developer time...   So I will say this 
publicly - those that want to see drastic changes @ SORBS that are, or 
have access to a perl coder with SQL knowledge, and is able to spend 
20-40 hours of pure coding time writing a user interface for user 
permissions  roles in Perl contact me off list as the user interface is 
the only thing that is holding up moving to the beta stage of the SORBS2 
database.  The SORBS2 database will allow registered RIR contacts to 
update list/delist parts/all of their netblocks within SORBS as well as 
getting instant reporting of issues (by mail or by SMS (fee applicable 
for SMS)) with minimal intervention from SORBS admins - this includes 
spam and DUHL listings.


Regards,

Mat


Re: SORBS Contact

2006-08-09 Thread Mark Andrews

Actually there can be false positive.  ISP's
who put address blocks into dialup blocks
which have the qualification that the ISP is
also supposed to only do it if they *don't*
allow email from the block but the ISP's
policy explicitly allows email to be sent.

They have a default port 25 filter that will
be turned off on request. i.e. they allow
direct outgoing email on request.

The said ISP *thinks* they are doing the
right thing by listing the block when in
reality they are lying by listing the block.

Mark


Re: SORBS Contact

2006-08-09 Thread Matthew Sullivan


I'll post this back to NANOG as others are likely to comment similar ways...

Michael J Wise wrote:

 On Aug 9, 2006, at 1:06 PM, Matthew Sullivan wrote:

  This is also why I took the time to create:

  http://www.ietf.org/internet-drafts/draft-msullivan-dnsop-generic-naming-schemes-00.txt

 Seems like it specifies a bit TOO much detail, but.

This is why it says that it is a suggestion and indicated that the level 
of detail you choose to use is up to you, however if you adopt some of 
the more specific detail you should use the less specific detail.

ie if you follow it you should as a minimum specify static/dynamic.  If 
you want to add more detail like service type, that is your choice, but 
you shouldn't specify the service types (eg wifi) without specifying 
static/dynamic (does that make sense?).

Also it should be noted that it is a 'suggested naming scheme for 
generic records' and therefore not intended to be mandatory, further it 
says you should indicate the hostname of the machine in preference to 
generic records.

The idea being a common but extensible naming scheme for organisations 
that want to specify generic/generated records rather than go to the hassle 
of creating individual records for each customer/host.


Regards,

Mat



Re: SORBS Contact

2006-08-09 Thread Matthew Sullivan


Mark Andrews wrote:

 Actually there can be false positive.  ISP's
 who put address blocks into dialup blocks
 which have the qualification that the ISP is
 also supposed to only do it if they *don't*
 allow email from the block but the ISP's
 policy explicitly allows email to be sent.

Actually that's debatable - the SORBS DUHL is about IPs assigned to 
hosts/people/machines dynamically.  We do not list addresses where the 
ISP have sent the list explicitly saying 'these are static hosts, but 
they are not allowed to send mail' - similarly we do list hosts in the 
DUHL where the ISP has said 'these are dynamic but we allow them to send 
mail' - it's about the people using the SORBS DUHL for their purposes, 
not for helping ISPs getting around the issue of whether to use SORBS as 
a replacement to port 25 blocking.


Regards,

Mat


Re: SORBS Contact

2006-08-09 Thread Rich Kulawiec

On Wed, Aug 09, 2006 at 03:42:32PM -0600, Allan Poindexter wrote:
 Far more damage has been done to the functionality of email by antispam
 kookery than has ever been done by spammers.

That is not even good enough to be wrong.

---Rsk, with apologies to Enrico Fermi


Re: SORBS Contact

2006-08-09 Thread Mark Andrews


 Mark Andrews wrote:
  Actually there can be false positive.  ISP's
  who put address blocks into dialup blocks
  which have the qualification that the ISP is
  also supposed to only do it if they *don't*
  allow email from the block but the ISP's
  policy explicitly allows email to be sent.

 Actually that's debatable - the SORBS DUHL is about IPs assigned to 
 hosts/people/machines dynamically.  We do not list addresses where the 
 ISP have sent the list explicitly saying 'these are static hosts, but 
 they are not allowed to send mail' - similarly we do list hosts in the 
 DUHL where the ISP has said 'these are dynamic but we allow them to send 
 mail' - it's about the people using the SORBS DUHL for their purposes, 
 not for helping ISPs getting around the issue of whether to use SORBS as 
 a replacement to port 25 blocking.

I wasn't thinking about SORBS.  It was a general warning to
only put blocks on lists where the usage matches the policy
of the list.

I was thinking about an Australian cable provider that doesn't
do the right thing.  I'm sure there will be other ISP's that
also fail to check the list policy before nominating the
address blocks for the lists.

In reality there shouldn't be the need for dialup lists.

Also most people don't really use the dialup lists correctly.
They really should not be an absolute blocker.  They should
also turn off dialup pattern matching tests otherwise you
are getting a double penalty for the same thing.

Mark
 
 Regards,
 
 Mat
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]


Re: SORBS Contact

2006-08-09 Thread Rik van Riel


Allan Poindexter wrote:


 The functionality of my email is still almost completely intact.  The
 only time it isn't is when some antispam kook somewhere decides he
 knows better than me what I want to read.  Spam is a manageable problem
 without the self appointed censors.  Get over it and move on.


I rather suspect that your spam problem is manageable because
other admins are using DNSBLs and are thereby putting pressure
on ISPs to boot spammers off their networks.

Even a list like SPEWS, which is used by very few people, may
motivate ISPs to clean up their network.

--
Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are,
by definition, not smart enough to debug it. - Brian W. Kernighan


Re: SORBS Contact

2006-08-09 Thread Matthew Sullivan


Mark Andrews wrote:

 I wasn't thinking about SORBS.  It was a general warning to
 only put blocks on lists where the usage matches the policy
 of the list.

Ah my apologies I misinterpreted.

 I was thinking about an Australian cable provider that doesn't
 do the right thing.  I'm sure there will be other ISP's that
 also fail to check the list policy before nominating the
 address blocks for the lists.

 In reality there shouldn't be the need for dialup lists.
  
You'll get nothing but agreement from me on that statement.  There 
currently is a need for the list, however there *shouldn't* be any need 
for it.


Regards,

Mat



Re: SORBS Contact

2006-08-09 Thread Allan Poindexter

  Matthew so would you consider as it is my network, that I should
  Matthew not be allowed to impose these 'draconian' methods and
  Matthew perhaps I shouldn't be allowed to censor traffic to and
  Matthew from my networks?

If you want to run a network off in the corner by yourself this is
fine.  If you have agreed to participate in the Internet you have an
obligation to deliver your traffic.

At LISA a couple of years ago a Microsoftie got up at the SPAM
symposium and told of an experiment they did where they asked their
hotmail users to identify their mail messages as spam or not.  He said
the users got it wrong some small percentage amount of the time.  I
was stunned at the arrogance and presumption in that comment.  You
can't tell from looking at the contents, source, or destination if
something is spam because none of these things can tell whether the
message was requested or is wanted by the recipient.  The recipient is
the only person who can determine these things.

There are simple solutions to this.  They do work in spite of the
moanings of the hand wringers.  In the meantime my patience with email
lost silently due to blacklists, etc. is growing thin.



Re: SORBS Contact

2006-08-09 Thread Christopher L. Morrow



On Wed, 9 Aug 2006, Allan Poindexter wrote:
 moanings of the hand wringers.  In the meantime my patience with email
 lost silently due to blacklists, etc. is growing thin.

don't let some third party you have no relation to determine the 'fate' of
your email/messages? with all blacklists you run the same risk, someone
else now controls the fate of your 'service'. Unless you have some very
large hammer to beat them with it's going to cause you pain eventually,
when they decide that ${PROVIDER} is 'gone black' or whatever they call it
these days... or they just fat finger some entry.

-Chris


RE: SORBS Contact

2006-08-09 Thread Robert J. Hantson

So with all this talk of Blacklists...  does anyone have any suggestions
that would be helpful to curb the onslaught of email, without being an
adminidictator?

Right now, the ONLY list we are using is that which is provided through
spamcop. They seem to have a list that is dynamic and only blacklists
during periods of high reports, then takes them off the list after a
short time...

Or am I just a little naive?

Robert Hantson
Network Operations Director
QBOS, Inc - Dallas Texas
www.qbos.com


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Christopher L. Morrow
Sent: Wednesday, August 09, 2006 10:19 PM
To: nanog@merit.edu
Subject: Re: SORBS Contact




On Wed, 9 Aug 2006, Allan Poindexter wrote:
 moanings of the hand wringers.  In the meantime my patience with email
 lost silently due to blacklists, etc. is growing thin.

don't let some third party you have no relation to determine the 'fate'
of
your email/messages? with all blacklists you run the same risk, someone
else now controls the fate of your 'service'. Unless you have some very
large hammer to beat them with it's going to cause you pain eventually,
when they decide that ${PROVIDER} is 'gone black' or whatever they call
it
these days... or they just fat finger some entry.

-Chris


RE: SORBS Contact

2006-08-09 Thread Christopher L. Morrow


On Wed, 9 Aug 2006, Robert J. Hantson wrote:

 So with all this talk of Blacklists...  does anyone have any suggestions
 that would be helpful to curb the onslaught of email, without being an
 adminidictator?

 Right now, the ONLY list we are using is that which is provided through
 spamcop. They seem to have a list that is dynamic and only blacklists
 during periods of high reports, then takes them off the list after a
 short time...

 Or am I just a little naive?

reference comment below about 'hammer to beat with' ... spamcop you
aren't paying for that 'service' right? So what happens when someone
reports someone you do business with? or messes up a report that affects
someone you do business with? Oops! dropped your email due to a
third party we let 'moderate' our email, sorry!

you COULD monitor deliveries to unused addresses in your domain and
blacklist based on that... but that's a little dicey at times as well :(

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
 Christopher L. Morrow
 On Wed, 9 Aug 2006, Allan Poindexter wrote:
  moanings of the hand wringers.  In the meantime my patience with email
  lost silently due to blacklists, etc. is growing thin.

 don't let some third party you have no relation to determine the 'fate'
 of
 your email/messages? with all blacklists you run the same risk, someone
 else now controls the fate of your 'service'. Unless you have some very
 large hammer to beat them with it's going to cause you pain eventually,
 when they decide that ${PROVIDER} is 'gone black' or whatever they call
 it
 these days... or they just fat finger some entry.

 -Chris



Re: SORBS Contact

2006-08-09 Thread Todd Vierling


On 8/9/06, Allan Poindexter [EMAIL PROTECTED] wrote:

 There are simple solutions to this.  They do work in spite of the
 moanings of the hand wringers.  In the meantime my patience with email
 lost silently due to blacklists, etc. is growing thin.


There are simple solutions to this.  They do work in spite of the
moanings of the few who have been mistakenly blocked.  In the meantime
my patience with email lost in the sea of spam not blocked by
blacklists, etc. is growing thin.

--
-- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]


Re: SORBS Contact

2006-08-09 Thread Derek J. Balling


On Aug 9, 2006, at 10:59 PM, Allan Poindexter wrote:

 At LISA a couple of years ago a Microsoftie got up at the SPAM
 symposium and told of an experiment they did where they asked their
 hotmail users to identify their mail messages as spam or not.  He said
 the users got it wrong some small percentage amount of the time.  I
 was stunned at the arrogance and presumption in that comment.  You
 can't tell from looking at the contents, source, or destination if
 something is spam because none of these things can tell whether the
 message was requested or is wanted by the recipient.  The recipient is
 the only person who can determine these things.


I'm gonna hold up the I call bullshit card here. Recipients most  
certainly *can* get it wrong.


Things I've seen reported as spam:

- An autoresponse from [EMAIL PROTECTED] telling the user that the
  e-mail they had JUST sent to [EMAIL PROTECTED] had been accepted and
  was being fed to a human being for processing

- Receipts for online purchases the user legitimately made

... and numerous other things just like this that, whether the user  
wants to call it spam or not, certainly is not spam.


So yes, I would have to -- as much as it pains me in my heart of  
hearts -- agree with the Hotmail representative in your example.  
Users can and will get it wrong at the very least some small  
percentage of the time.


Cheers,
D

--

Derek J. Balling
Manager of Systems Administration
Vassar College
124 Raymond Ave
Box 0406 - Computer Center 217
Poughkeepsie, NY 12604
W: (845) 437-7231
C: (845) 249-9731






Re: SORBS Contact

2006-08-09 Thread Steve Atkins



On Aug 9, 2006, at 8:29 PM, Robert J. Hantson wrote:



 So with all this talk of Blacklists...  does anyone have any suggestions
 that would be helpful to curb the onslaught of email, without being an
 adminidictator?

 Right now, the ONLY list we are using is that which is provided through
 spamcop. They seem to have a list that is dynamic and only blacklists
 during periods of high reports, then takes them off the list after a
 short time...

 Or am I just a little naive?


Fairly naive. Spamcop blacklists a lot of IP addresses that send
a lot of email that isn't spam. And some that send zero spam, by
any sane definition.

That doesn't mean to say it doesn't work for you, but don't mistake
a list that'll block a mailserver for a week on the basis of one or
two unsubstantiated reports as _safe_ solely because it will only
block it for a week.

Depending on your demographics SpamCop may have an acceptable
false positive level, but it's not a list I advise most users to use
as it regularly lists sources of large amounts of non-spam (such as, for
example, mailservers used solely for closed-loop opt-in email).
Despite that, though, it's quite effective if you're prepared to accept
the false positive rate.

You may want to look at the CBL or XBL if you're interested in a
very effective IP based blacklist with a very low level of false
positives. Not zero, but really pretty low.

Pretty much all the others have levels of false positives that are
bad enough that I wouldn't use them myself, though depending
on the demographics of your recipients they may be acceptable
to you. Using them to block mail to all recipients is likely to be
problematic in most cases. Some recipients who choose to use
it? Sure. As part of a scoring system? Perhaps. Blocking across
all users? Probably a bad idea in most cases.

Cheers,
  Steve




Re: SORBS Contact

2006-08-09 Thread Allan Poindexter

  Todd There are simple solutions to this.  They do work in spite of
  Todd the moanings of the few who have been mistakenly blocked.

So it is OK so long as we only defame a few people and potentially
ruin their lives?

  Todd In the meantime my patience with email lost in the sea of
  Todd spam not blocked by blacklists, etc. is growing thin.

Hmm.  Let me think a minute.  Nope not buying it.  I have already
given two simple solutions that don't involve potentially dropping job
offers, wedding invitations, letters from old sweethearts, and other
such irreplaceable email.  Certainly it is impossible to guarantee all
mail gets delivered.  But to intentionally make it worse by
deliberately deleting other people's email is arrogant and immoral.

On the other side what do we have for those falsely defamed?  I
suppose we could psychically contact them to tell them their mail was
deleted.  Certainly email won't be reliable enough after these guys
are done with it.

If they worked for the post office these guys would be in jail.



Re: SORBS Contact

2006-08-09 Thread william(at)elan.net



In the way you describe it any spam filter is bad any spam filter
manufacturer should go to jail...

On Wed, 9 Aug 2006, Allan Poindexter wrote:


 Todd There are simple solutions to this.  They do work in spite of
 Todd the moanings of the few who have been mistakenly blocked.

So it is OK so long as we only defame a few people and potentially
ruin their lives?

 Todd In the meantime my patience with email lost in the sea of
 Todd spam not blocked by blacklists, etc. is growing thin.

Hmm.  Let me think a minute.  Nope not buying it.  I have already
given two simple solutions that don't involve potentially dropping job
offers, wedding invitations, letters from old sweethearts, and other
such irreplaceable email.  Certainly it is impossible to guarantee all
mail gets delivered.  But to intentionally make it worse by
deliberately deleting other people's email is arrogant and immoral.

On the other side what do we have for those falsely defamed?  I
suppose we could psychically contact them to tell them their mail was
deleted.  Certainly email won't be reliable enough after these guys
are done with it.

If they worked for the post office these guys would be in jail.


Re: SORBS Contact

2006-08-09 Thread Allan Poindexter

  Derek I'm gonna hold up the I call bullshit card here. Recipients
  Derek most certainly *can* get it wrong.

Sorry I wasn't very clear.  The results in the hotmail example were
where the users said it wasn't spam but hotmail insisted it was.  It
is possible for a user to identify non-spam as spam.  But if a user
says it isn't spam then it isn't no matter how much it might look like
it might be.  I have had this happen to me personally.  Some of my
fellow admins at the time insisted some of my incoming mail was spam.
As it happened the mail (offering some telephone products) was
specifically requested.


Re: SORBS Contact

2006-08-09 Thread Matthew Sullivan


Allan Poindexter wrote:

  Matthew so would you consider as it is my network, that I should
  Matthew not be allowed to impose these 'draconian' methods and
  Matthew perhaps I shouldn't be allowed to censor traffic to and
  Matthew from my networks?

 If you want to run a network off in the corner by yourself this is
 fine.  If you have agreed to participate in the Internet you have an
 obligation to deliver your traffic.

That's a very interesting statement. Here's my response, I'll deliver 
your traffic if it is not abusive if you deliver my non-abusive 
traffic.  My definition of 'abusive' is applied to what I will let cross 
my border (either direction) - I expect you will want to do the same 
with the traffic you define as abusive, and I expect you to and support 
your right to do that.

 There are simple solutions to this.  They do work in spite of the
 moanings of the hand wringers.  In the meantime my patience with email
 lost silently due to blacklists, etc. is growing thin.
  
Anyone using SORBS as I have intended and provided (and documented) 
will/should not silently discard mail.


If anyone asks how to silently discard mail I actively and vigorously 
discourage the practice.*  In fact because I disagree with that even in 
the case of virus infected mail I patched my postfix servers to virus 
scan inline so virus infected mail can be rejected at the SMTP 
transaction. RFC2821 is clear when you have issued an ok response to the 
endofdata command you accept responsibility for the delivery of that 
message and that should not fail or be lost through trivial or avoidable 
reasons - I consider virus detection and spam as trivial reasons - if 
you can't detect a reason for rejection at the SMTP transaction, deliver 
the mail.


Regards,

Mat


* except in extreme/unusual circumstances - for example, there are 2 
email addresses that if they send mail *to* me, they will get routed to 
/dev/null regardless of content.
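
As an added illustration of three points made in this thread (Steve Atkins: use a DNSBL as part of a scoring system rather than a blanket block; Mark Andrews: don't penalise a dial-up listing and a dial-up pattern match twice; Matthew Sullivan above: refuse inside the SMTP transaction rather than accept and silently discard), here is a Python example. It is not code from any poster or from SORBS; the zone names are `.example` placeholders, and the weights, thresholds, PTR tokens and sample DNS answers are constructed assumptions.

```python
import ipaddress
import re
from typing import Callable, NamedTuple, Optional

# Placeholder zones under the reserved .example TLD, mapped to the kind of
# evidence a listing represents. Substitute the lists you actually trust.
ZONES = {
    "exploits.dnsbl.example": "exploit",  # compromised hosts, low false positives
    "reports.dnsbl.example": "reports",   # user-report driven, more false positives
    "dynamic.dnsbl.example": "dynamic",   # dynamic/dial-up address space
}
# Assumed local policy: one weight per KIND of evidence, not per test.
WEIGHTS = {"exploit": 5.0, "reports": 2.0, "dynamic": 2.0}
# Assumed PTR tokens; 'static', 'dsl' and 'dial' are the ones named in the thread.
DYNAMIC_TOKENS = {"dsl", "adsl", "dial", "dialup", "dyn", "dynamic", "dhcp", "pool"}
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


class Decision(NamedTuple):
    code: int        # SMTP reply given while the client is still connected
    text: str
    score: float
    reasons: tuple


def dnsbl_query_name(ip: str, zone: str) -> str:
    """203.0.113.7 + zone -> 7.113.0.203.zone (octets reversed)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(answer: Optional[str]) -> bool:
    """Only a 127.0.0.0/8 A record means 'listed'. No answer (None) or any
    other address, e.g. from a parked or wildcarded zone, is not a listing."""
    if answer is None:
        return False
    try:
        return ipaddress.IPv4Address(answer) in LISTED_RANGE
    except ValueError:
        return False


def looks_dynamic(ptr: Optional[str]) -> bool:
    """Generic-name pattern test on the PTR record; 'static' overrides."""
    if not ptr:
        return False
    tokens = set(re.split(r"[^a-z0-9]+", ptr.lower()))
    return "static" not in tokens and bool(tokens & DYNAMIC_TOKENS)


def evaluate(ip: str, ptr: Optional[str],
             resolve: Callable[[str], Optional[str]],
             reject_at: float = 5.0, tag_at: float = 2.0) -> Decision:
    kinds, reasons = set(), []
    for zone, kind in ZONES.items():
        if is_listed(resolve(dnsbl_query_name(ip, zone))):
            kinds.add(kind)
            reasons.append("listed:" + zone)
    if looks_dynamic(ptr):
        kinds.add("dynamic")      # same evidence as a dynamic-space listing
        reasons.append("ptr-pattern")
    score = sum(WEIGHTS[k] for k in kinds)   # each kind is counted once
    if score >= reject_at:
        text = "5.7.1 Refused by local policy: " + ", ".join(reasons)
        return Decision(550, text, score, tuple(reasons))
    if score >= tag_at:
        text = "2.0.0 Accepted, delivered with X-Spam-Score %.1f" % score
        return Decision(250, text, score, tuple(reasons))
    return Decision(250, "2.0.0 Accepted", score, tuple(reasons))


# Constructed DNS answers and clients (documentation address ranges only).
SAMPLE_DNS = {
    "7.113.0.203.dynamic.dnsbl.example": "127.0.0.10",
    "23.100.51.198.exploits.dnsbl.example": "127.0.0.2",
    "23.100.51.198.dynamic.dnsbl.example": "127.0.0.10",
    "55.2.0.192.reports.dnsbl.example": "127.0.0.2",
    "55.2.0.192.exploits.dnsbl.example": "192.0.2.1",  # not 127/8: ignored
}
SAMPLE_CLIENTS = [
    ("192.0.2.10", "mail.example.net"),
    ("203.0.113.7", "dsl-203-0-113-7.pool.isp.example"),
    ("198.51.100.23", "dial-23.isp.example"),
    ("192.0.2.55", "static-55.isp.example"),
]


def run_samples() -> dict:
    return {ip: evaluate(ip, ptr, SAMPLE_DNS.get) for ip, ptr in SAMPLE_CLIENTS}


if __name__ == "__main__":
    for ip, decision in run_samples().items():
        print(ip, decision.code, decision.text)
```

`evaluate` has no discard outcome: a message is either refused with a 5xx reply that the sending server sees, or accepted and delivered, optionally tagged.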


Re: SORBS Contact

2006-08-09 Thread Todd Vierling


On 8/10/06, Allan Poindexter [EMAIL PROTECTED] wrote:

  Todd There are simple solutions to this.  They do work in spite of
  Todd the moanings of the few who have been mistakenly blocked.

 So it is OK so long as we only defame a few people and potentially
 ruin their lives?


That's quite a stretch there, bub.  Defame means that it is somehow
misrepresented as true, factual information.  Publicly accessible (and
non-mandatory) blacklists are opinions, not portrayed as fact by any
stretch of the imagination.


  Todd In the meantime my patience with email lost in the sea of
  Todd spam not blocked by blacklists, etc. is growing thin.

 Hmm.  Let me think a minute.  Nope not buying it.


If your inbound mail isn't at least 30% spam (or blocked spam
attempts) these days, then you haven't been using the Internet long
enough.  I have better things to do than pass that 30% of mail
traffic.  The spam can FOAD as far as I care, and if there is a
problem of a mistake with something improperly blocked, it is fixable
(and takes a lot less maintenance time than dealing with the spam
tsunami).

Sorry, but those of us who have actually done this sort of thing for a
living for a while know quite well why not every network can implement
bayes-ish Report Spam button schemes (which are inaccurate anyhow,
as you've pointed out), nor simply present all actual spam to the
users (who would be flooded with well more than 30% in some cases --
there are in-use mailboxes on systems I've managed that would be above
99% spam if the spew weren't blocked at the gate).

It's either lack of industry experience on your part, or you're yet
another troll for a list renter or bulker -- which is it?  Based on
earlier statements of yours, I would give you the benefit of the doubt
and assume the former.  However, you just had to pull out the defame
word in a completely invalid grammatical and legal context, so I'm
starting to hedge bets on the latter.

--
-- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]


Re: SORBS Contact

2006-08-09 Thread Allan Poindexter

  william In the way you describe it any spam filter is bad any spam
  william filter manufacturer should go to jail...

Manufacturer?  No.  It is perfectly permissible for a recipient to run
a filter over his own mail if he wishes.  

Jail?  Not what I said.  I said postal workers couldn't get away with
this behavior.  The laws governing email are different.  BUT:

They aren't as different as is generally believed.  Go read the
ECPA sometime.

Being legal isn't the same thing as being moral.  The world would
be a better place if people started worrying about doing what is
right rather than only avoiding what will get them in jail.

If I seem testy about this it is because I am.  A friend of mine with
cancer died recently.  I learned later she sent me email before she
died.  It did not reach me because some arrogant fool thought he knew
better than me what I wanted to read.  And it isn't the first time or
the only sender with which I have had this problem.  I have had plenty
of users with the same complaint as well.

I have in the past considered this antispam stuff ill advised or
something I oppose.  Expect me to fight it tooth and nail from now
on.


Question for the List Maintainers -- (Re: SORBS Contact)

2006-08-09 Thread Steve Sobol

Matthew Sullivan wrote:

 If you checked with the original complainant you would find that both
 the zombie and DUHL listings are cleared.  If you knew the ticket
 numbers and where they sit in the SORBS RT Support system you would know
 that there were multiple tickets logged the oldest now being 10 days,
 the most recent being 5 days - and under published policy the earliest
 was pushed into the more recent.  You'll also note that the original
 complaint was about a single IP address as part of a /27 within a /19
 listing.

OK. I have no problem with that. I want you to understand that my observation
comes from seeing *many* people complain about a lack of response. If it was
just a couple, that'd be a horse of another color.

And frankly, it's not like you try to hide. You're a public figure here and
on several other discussion forums. So I don't think it's unreasonable to
assume that if people are having trouble reaching SORBS, it's not because the
contacts aren't published. In fact, I've seen a number of complaints that
people *have* contacted SORBS and have failed to get a response.

 The quoted text above is intended for a few that might still be on this
 list, none of which posted to this thread.  The fact remains some ISPs
 provide transit to known criminal organisations for hijacked netblocks
 which are used for nothing but abuse (hosting trojans and viruses). 

I'm not arguing that fact. Whether or not it was an appropriate response is
another matter.

 I don't know what your problem is, but you're not making things any
 better by refusing to fix listings that aren't incorrect or, in some
 cases, never were.
   
 Where do you get that from...?  We fix incorrect listings as soon as
 notified and with no deliberate delay.  If you are referring to listings
 like Dean Anderson's stolen netblock these are not delisted until such
 time as proof is obtained that our information is incorrect.

Perhaps refusal is not the proper word, and I apologize for using it. It
does imply intent. failure may be a more accurate description.

 permission even from a company folding is still stealing) - his response
 was a lot of bluster followed by the creation of the IADL.org site. 

Yup, I know. I'm there too. I am one of Dean's most vocal detractors.

 Something to consider before replying: is this on or off topic for
 NANOG? (personally I think part of this is on topic, other parts of the
 thread are definitely off topic)

It has been agreed that spam is offtopic, although the issue of hijacked
netblocks certainly isn't. So I probably should have replied to you off-list
(apologies to everyone else for lowering the S:N ratio).

I don't know what the official word is on whether DNSBL operations in general
are on-topic for this list. I would appreciate if the people in charge of
deciding such things could tell me whether DNSBLs are on-topic or not...

-- 
Steve Sobol, Professional Geek ** Java/VB/VC/PHP/Perl ** Linux/*BSD/Windows
Apple Valley, California PGP:0xE3AE35ED

It's all fun and games until someone starts a bonfire in the living room.


Re: SORBS Contact

2006-08-09 Thread Dave Pooser

 Sorry I wasn't very clear.  The results in the hotmail example were
 where the users said it wasn't spam but hotmail insisted it was.  It
 is possible for a user to identify non-spam as spam.  But if a user
 says it isn't spam then it isn't no matter how much it might look like
 it might be. 

Phishing spam leaps immediately to mind as a counterexample; the fact that
the user mistakes it for legit mail is exactly the problem.
-- 
Dave Pooser, ACSA
Manager of Information Services
Alford Media  http://www.alfordmedia.com




Re: SORBS Contact

2006-08-08 Thread Stefan Hegger

We have the same problem. We are blacklisted and I filled out the webform. I 
got an email regarding ticket number and account/password to track the 
ticket. But it seems that nobody is working on it. 

Best Stefan 

On Monday 07 August 2006 20:54, Brian Boles wrote:
 Can someone from SORBS contact me offlist if they are on here

 My most recent allocation from ARIN turned out to be dirty IP's, and I'm
 having trouble getting them removed following the steps on their website
 (no action on tickets opened).

 64.79.128.0/20

 Brian Boles
 [EMAIL PROTECTED]

-- 
Stefan Hegger
Internet System Engineer
[EMAIL PROTECTED]
Tel: +49 5241 8071 334

Lycos Europe GmbH
Carl-Bertelsmann Str. 29
Postfach 315
33311 Gütersloh


Re: SORBS Contact

2006-08-08 Thread Stefan Hegger

If you are blacklisted due to SPAM, and this happens often when you are an 
ISP, there is no automatic process.

Stefan

On Tuesday 08 August 2006 11:36, Stephen Satchell wrote:
 Stefan Hegger wrote:
  We have the same problem. We are blacklisted and I filled out the
  webform. I got an email regarding ticket number and account/password to
  track the ticket. But it seems that nobody is working on it.

 There has been extensive discussion on NANAE and NANABl newsgroups on
 this issue.  The bottom line:  The SORBS ticket queue is handled by a
 group of unpaid volunteers, and there is quite a backlog.  That's why
 there is the automatic de-listing system in place, which requires proper
 host names and longer time-to-live (TTL) values in rDNS.

 Yes, it's a bit of work, but it beats waiting for someone to get around
 to your ticket.

 No, I'm not associated in any way with SORBS, just an interested
 observer and system administrator who has had to deal with listings myself.

-- 
Stefan Hegger
Internet System Engineer
[EMAIL PROTECTED]
Tel: +49 5241 8071 334

Lycos Europe GmbH
Carl-Bertelsmann Str. 29
Postfach 315
33311 Gütersloh


Re: SORBS Contact

2006-08-08 Thread Michael Nicks


Sad state of affairs when looney people dictate which IPs are good and 
bad.


-Michael

Brian Boles wrote:

Can someone from SORBS contact me offlist if they are on here

My most recent allocation from ARIN turned out to be dirty IP's, and I'm 
having trouble getting them removed following the steps on their website 
(no action on tickets opened).


64.79.128.0/20

Brian Boles
[EMAIL PROTECTED]





--
Michael Nicks
Network Engineer
KanREN
e: [EMAIL PROTECTED]
o: +1-785-856-9800 x221
m: +1-913-378-6516


Re: SORBS Contact

2006-08-08 Thread S. Ryan


Even worse if your ISP uses it and demands you ask the 'offender' to get 
'themselves' removed.




Michael Nicks wroteth on 8/8/2006 7:27 AM:


Sad state of affairs when looney people dictate which IPs are good and 
bad.


-Michael

Brian Boles wrote:

Can someone from SORBS contact me offlist if they are on here

My most recent allocation from ARIN turned out to be dirty IP's, and 
I'm having trouble getting them removed following the steps on their 
website (no action on tickets opened).


64.79.128.0/20

Brian Boles
[EMAIL PROTECTED]







Re: SORBS Contact

2006-08-08 Thread Hank Nussbacher


On Tue, 8 Aug 2006, S. Ryan wrote:

I have recommended to every client in the past to drop any ISP that uses 
SORBS, but amazingly there are still plenty of clueless ISPs out there 
that use SORBS.


Hank Nussbacher
http://www.interall.co.il



Even worse if your ISP uses it and demands you ask the 'offender' to get 
'themselves' removed.




Michael Nicks wroteth on 8/8/2006 7:27 AM:


Sad state of affairs when looney people dictate which IPs are good and 
bad.


-Michael

Brian Boles wrote:

Can someone from SORBS contact me offlist if they are on here

My most recent allocation from ARIN turned out to be dirty IP's, and I'm 
having trouble getting them removed following the steps on their website 
(no action on tickets opened).


64.79.128.0/20

Brian Boles
[EMAIL PROTECTED]










Re: SORBS Contact

2006-08-08 Thread Matthew Sullivan


Michael Nicks wrote:


Sad state of affairs when looney people dictate which IPs are good 
and bad.

Sad state of affairs when ISPs are still taking money from spammers and 
providing transit to known criminal organisations.



/ Mat


Re: SORBS Contact

2006-08-08 Thread S. Ryan


Someone is providing you transit.. what gives? :)

Matthew Sullivan wroteth on 8/8/2006 4:33 PM:


Michael Nicks wrote:

Sad state of affairs when looney people dictate which IPs are good 
and bad.

Sad state of affairs when ISPs are still taking money from spammers and 
providing transit to known criminal organisations.



/ Mat





Re: SORBS Contact

2006-08-08 Thread Matthew Sullivan


Brian Boles wrote:

Can someone from SORBS contact me offlist if they are on here

My most recent allocation from ARIN turned out to be dirty IP's, and 
I'm having trouble getting them removed following the steps on their 
website (no action on tickets opened).


64.79.128.0/20

Of course checking this we find that SORBS is not the only problem you 
have...


http://www.completewhois.com/hijacked/files/64.79.128.0.txt


Regards,

Mat


Re: SORBS Contact

2006-08-08 Thread william(at)elan.net



On Wed, 9 Aug 2006, Matthew Sullivan wrote:


Brian Boles wrote:

Can someone from SORBS contact me offlist if they are on here

My most recent allocation from ARIN turned out to be dirty IP's, and I'm 
having trouble getting them removed following the steps on their website 
(no action on tickets opened).


64.79.128.0/20

Of course checking this we find that SORBS is not the only problem you 
have...


http://www.completewhois.com/hijacked/files/64.79.128.0.txt


That was the old user of that IP block. The block has been deleted
and ARIN now reassigned/reallocated it to somebody else.

The file you need to watch (which gets updated when ip block
previously hijacked is no longer an issue) is:
 http://www.completewhois.com/hijacked/hijacked_flist.txt

(though a few more legacy blocks listed there got deleted
 in the last months, so it does need to be updated again)

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]


Re: SORBS Contact

2006-08-08 Thread Matthew Sullivan


william(at)elan.net wrote:

That was the old user of that IP block. The block has been deleted
and ARIN now reassigned/reallocated it to somebody else.

The file you need to watch (which gets updated when ip block
previously hijacked is no longer an issue) is:
 http://www.completewhois.com/hijacked/hijacked_flist.txt

(though a few more legacy blocks listed there got deleted
 in the last months, so it does need to be updated again)



Ta, missed that link previously.

Regards,

Mat