North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Stealth Blocking

  • From: Dave Rand
  • Date: Thu May 24 12:39:38 2001

[In the message entitled "RE: Stealth Blocking" on May 24,  Roeland Meyer <[email protected]> writes:]
> 
> I'm getting seriously confused here. I thought that the open-relay issue was
> irelevent to MAPS. That MAPS only black-holed confirmed SPAM sites (a little
> tougher, but more granular, charter). Further, that it was ORBS that listed
> open-relay sites specifically, whether they were involved in a spam or not
> (unacceptable due to punishing potential anti-spammers for proliferating
> spam that never saw their systems). To me, these are two entirely different
> charters. If MAPS starts to look like ORBS then I will stop using MAPS.
> 
> Can someone please clarify?

Sure.

MAPS has four real-time lists.

The MAPS RBL(sm) is a list of sites and networks which are known to be
friendly, or neutral to spam.  They include sites which harbour known spam
origin points, multi-hop open relays which refuse to close (and have
transmitted spam), spamware sites, and other persistant spam sources.  Hosts
and networks can use this list via DNS (rejecting mail, and other traffic as
they see fit), or BGP (usually blackholing all traffic bound for those
sites).  It's very hard to get a site listed.  It's quite easy to
get off the RBL, assuming that the issue that caused the listing has been
corrected.

The MAPS RSS(sm) is a list of open relays *which have been abused*.  These
are sites which have been reported to MAPS as open relays, and have spam
samples.  Once the spam has been verified, a test is performed to verify
that the site is, indeed, an open relay.  If a sample message is accepted,
and then returned by the site as a relay, the host is listed.  Removal from
the RSS requires that the host no longer relays.  Automated probes are never
done - a human must request the test, and spam must be available.  Because
of the very large number of hosts listed (around 100,000 as I write this),
it's generally used in DNS mode only.  It's pretty easy to get a host which
is an open relay that has transmitted spam onto the list.  Between 100 and
1,500 hosts per day are added, and hundreds per day are taken off (as soon
as they let MAPS know that the relay has been closed).

The MAPS DUL(sm) is a list of dialup ports.  These are dialups which have
been reported to MAPS by the ISP running them, or by users which have
received spam from the dialup.  An investigator verifies that the address
range does contain dialup ports before they are listed.  Hosts and networks
typically use this list in DNS mode to reject direct-from-dialup spam.  It's
time-consuming to get an address listed, and also time-consuming to get an
address removed from this list.

The MAPS RBL+(sm) is a combined list, which allows a single lookup to
search all lists.  It's possible to use this in BGP mode, but it's
unlikely that anyone would want to do so.

So, does MAPS look like ORBS?

ORBS probes systems no matter if spam has emitted or not.  Does this catch
more open relays?  You bet.  Is it network abuse to scan for open relays?  I
think so.  Do spammers use the same techniques?  You bet.

MAPS probes systems only after they have been abused by spammers.  Does this
allow spammers to use the relays for at least one spam run?  You bet. Is it
network abuse to confirm an open relay that has transmitted spam?  I don't
think so.  Do spammers use the same techniques?  I don't think so.

ORBS probes systems periodically after they are listed to see if they have
been closed.  Does this ensure that relays are removed after they are
secured?  Sort of.  But this requires that the hosts listed be probed
frequently, and still doesn't ensure that they are removed "as soon as
they are secured".  

MAPS depends on the system administrator contacting MAPS to get a host
de-listed.  Does this ensure that they are removed once they are secured?
Sort of.  It does require that the admin be willing to contact MAPS. 

So, does MAPS look like ORBS?  You decide.

I'm certain that all of the network owners on this list want spam to stop.
MAPS is one tool that can help.  ORBS is another.  Where you draw the line,
or how you protect your networks is your choice.  

One thing that I think *will* help, particularly in the short term, is port
25 blocking of dialup ports.  It's my personal opinion that this will have
the greatest impact on spammers who abuse open relays.  I've watched this
happen over the last few months, as various large networks have secured
their dialup ports.  It's impressive.

--