Date:      Thu, 4 Feb 1999 01:48:53 +0000 (GMT)
From:      Terry Lambert <tlambert@primenet.com>
To:        chat@FreeBSD.ORG
Cc:        ports@FreeBSD.ORG
Subject:   Re: ports/9864: make rblcheck use relay.orbs.org instead of
Message-ID:  <199902040148.SAA14298@usr02.primenet.com>
In-Reply-To: <199902040109.RAA15905@kithrup.com> from "Sean Eric Fagan" at Feb 3, 99 05:09:20 pm

> A growing number of ISPs are preventing, at the firewall level, their dial-up
> customers from connecting to SMTP (and others, for that matter) ports.  This
> is a good thing, since about 90% of the spam I get these days is from a
> dial-up customer who bypassed his ISP's mail server (since doing so would have
> resulted in their theft being noticed much earlier).
> 
> The DUL is the result of people trying to get dialups added to the RBL, most
> notably UUNET's.  That wasn't going to happen, since the RBL is used too often
> as a BGP feed, and placing a group of dialup addresses on that would result in
> not being able to access any portion of the internet.
> 
> It is also possible to get a netblock removed from the DUL, although it is
> somewhat harder than it is with the RBL (so I'm told).
> 
> I have absolutely no sympathy for you, or anyone else affected by this -- all
> it means is you have to use your ISP's mail relay, or find someone willing to
> relay for you.  You don't like it, tough -- but you were going to lose it
> anyway, as more and more ISPs go with firewalls and redirectors.  If you want
> to run a server, then you should not be using a dialup pool; if your ISP
> doesn't have anything but that, then you'll have to get your ISP to talk to
> the DUL folks, if they end up on it.  (And a netblock will only end up on the
> DUL after spam is sent from it -- it's not pre-emptive.)

Actually, ORBS is preventing all multilevel relay.  If an ISP is
willing to relay from a dialup that belongs to the ISP, then they
go onto the ORBS list (Primenet just made the list today, in fact).

The problem with this is that there are legitimate reasons for
multilevel relay, starting with bastion hosts acting as corporate
mail relays for interior hosts.  Also tarred with the same brush
is any "thin server" or "appliance" type device that uses dialup
with a dynamic rather than a static IP.


While we are all looking forward to the day when IPv6 is deployed,
or someone implements Dynamic DNS updates from RADIUS credential
based authentication as a public reference implementation for UNIX
hosts (ala Microsoft's IAS, which already supports this), neither
of these look like they are going to happen any time soon.


The correct way to deal with this is source host certificate based
credentials, verified via DNS, and proxyable through credential
verification via email and/or virtual domain MX in DNS.

Killing all multilevel relay goes further down the evil road that
started with damaging the ability to allow source routing to
overcome network failures following a nuclear war.

What the RBL should *really* be enforcing is not allowing relay
from machines not enforcing via the RBL; instead, it's this
second order thing, with an assumption of end-to-end connectivity.

The RBL could do this with a server RBL forward lookup for a
"name" in a randomly chosen 32 bit space that rotates contents
at intervals.  The client would have to do an RBL lookup to be
able to respond to the challenge.

Alternately, a certificate system would allow incremental upgrade
of servers with less dire consequences, since if a server were not
presented a certificate before the "MAIL FROM:" when EHLO returned
that the server supported the "CALLERID" ESMTP extension, the
server could then ask the certificate authority "would you sign for
this server if the server asked you to sign for it?".  All transparent,
and the load associated with not using certificate is pushed into
a (potentially) large latency for the legacy client getting a
positive response to the "MAIL FROM:".  Mild punishment for a failure
to upgrade.  You could offer blanket exceptions for internal
(local network) clients, and you could require dialup clients to
register before you relay for them.


If the people who are doing this get their way, there will be no
way to send mail from one dialup server to another, unless both
*happen* to be dialed in at the same time and using static IPs
(or DDNS) so they can find each other's SMTP port via direct
connection.  This would be Bad(tm).


You don't need the government to pass laws to screw up the Internet
if you are willing to screw it up yourself.  Taking the wire cutters
to the intentionally redundant *on purpose* architecture is just
plain stupid.  8-(.


					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
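The thread above turns on how a mail server consults the RBL, the DUL and ORBS: tools like rblcheck reverse the octets of the connecting client's address, append the list's zone, and treat an A record answer as a listing. The following Python is an added example of that lookup, not code from the thread or from rblcheck; the zone names (relay.example.net, dul.example.net, parked.example.net), the addresses and the answers are constructed for offline use and do not describe any real listing. It goes beyond the 1999 discussion in two ways: it also forms IPv6 query names (reversed nibbles), and it applies the RFC 5782 test points (127.0.0.2 must be listed, 127.0.0.1 must not be) so that a dead or parked zone that answers for every name is ignored rather than treated as "everything is listed".

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# A resolver maps a query name to the A records returned (empty list = NXDOMAIN).
Resolver = Callable[[str], List[str]]

# Constructed sample zone data for the offline demo. These names, addresses and
# answers are invented for this example and are not real listings of anything.
SAMPLE_ZONE: Dict[str, List[str]] = {
    "2.0.0.127.relay.example.net": ["127.0.0.2"],    # RFC 5782 test point, listed
    "8.7.6.192.relay.example.net": ["127.0.0.2"],    # constructed open-relay entry
    "2.0.0.127.dul.example.net": ["127.0.0.2"],      # RFC 5782 test point, listed
    "4.3.2.10.dul.example.net": ["127.0.0.3"],       # constructed dial-up pool entry
    # constructed "parked" zone: answers with a non-loopback address for every name
    "1.0.0.127.parked.example.net": ["10.20.30.40"],
    "2.0.0.127.parked.example.net": ["10.20.30.40"],
    "4.3.2.10.parked.example.net": ["10.20.30.40"],
}

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def sample_resolver(name: str) -> List[str]:
    """Offline stand-in for a DNS A query against the constructed zone data."""
    return SAMPLE_ZONE.get(name, [])


def system_resolver(name: str) -> List[str]:
    """Real A lookup through the system resolver (not used by the offline demo)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: reversed octets (IPv4) or reversed nibbles (IPv6)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))  # 32 hex digits, one label each
    return ".".join(reversed(labels)) + "." + zone


def dnsbl_lookup(ip: str, zone: str, resolve: Resolver = sample_resolver) -> List[str]:
    """Return the raw A records the list gives for this address, if any."""
    return resolve(dnsbl_query_name(ip, zone))


def is_listed(ip: str, zone: str, resolve: Resolver = sample_resolver) -> bool:
    """A listing is an answer inside 127.0.0.0/8; any other answer is a broken zone."""
    answers = dnsbl_lookup(ip, zone, resolve)
    return any(ipaddress.ip_address(a) in LOOPBACK for a in answers)


def zone_is_sane(zone: str, resolve: Resolver = sample_resolver) -> bool:
    """RFC 5782 section 5 test points: 127.0.0.2 listed, 127.0.0.1 not listed."""
    return is_listed("127.0.0.2", zone, resolve) and not is_listed("127.0.0.1", zone, resolve)


def check_sender(ip: str, zones: List[str], resolve: Resolver = sample_resolver) -> Dict[str, bool]:
    """Consult each zone for a connecting client; zones failing the sanity check are skipped."""
    results: Dict[str, bool] = {}
    for zone in zones:
        if not zone_is_sane(zone, resolve):
            continue  # dead or parked list: do not let it reject (or clear) anyone
        results[zone] = is_listed(ip, zone, resolve)
    return results


if __name__ == "__main__":
    zones = ["relay.example.net", "dul.example.net", "parked.example.net"]
    for client in ("10.2.3.4", "192.6.7.8", "192.6.7.9"):
        print(client, check_sender(client, zones))
```

Swapping `sample_resolver` for `system_resolver` turns this into a live rblcheck-style probe; keeping the resolver injectable is what lets the sanity check be exercised offline. The sanity check matters because a retired list whose domain later answers with a wildcard A record would otherwise "list" every client that connects.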
