Re: [Exim] Question about ORBS and the validity thereof (off…

Top Page
Delete this message
Reply to this message
Author: Exim Users Mailing List
Date:  
To: exim-users
Subject: Re: [Exim] Question about ORBS and the validity thereof (offtopic)
[ On Wednesday, July 28, 1999 at 13:28:09 (-0400), Tabor J. Wells wrote: ]
> Subject: Re: [Exim] Question about ORBS and the validity thereof (offtopic)
>
> If the point is to block spam, then using ORBS results in a lot of false
> positives since anyone with an open relay is listed regardless of whether
> they are being used to propagate spam. If the point is to block open
> relays (and let the users of systems which have open relays know so that
> they can bug their admins to fix the problems) then ORBS is great.
> Personally I submit open relays to both ORBS and radparkers as
> appropriate.


And IMRSS.org too! ;-)

I get very few false positives from ORBS, and even one ISP (small, ~1500
users) where we tried it out wasn't getting very many false positives.
The big issue for the ISP was that some other much larger ISPs
(including most of the ones local to Toronto that are now owned by PSI)
had been listed in ORBS because they'd been slacking off.

We're going to try turning ORBS on again because there really is a lot
of spam getting through from open relays and the correspondence between
those hosts listed in ORBS and those that have actually been exploited
by spammers is very high, even if indeed it's not 100% (one of my test
machines is listed because I wanted to test it, but I've not yet seen
even any legitimate e-mail go through never mind spam, and indeed it's
no longer open anyway).


Now with IMRSS you do get a *lot* of false positives because they're
actively scanning for open relays almost every M$ MTA (or even every $$$
commercial MTA!) is wide open, especially if it's just smart-hosting to
the provider and almost none of them have postmaster mailboxes (IMRSS
doesn't yet notify postmasters either, but that's supposed to be
changing RSN!).

Luckily both IMRSS and ORBS list multi-level relays too. The
radparker.com guys have wimped out on this issue, even though
multi-level relays are becoming one of the more increasingly exploited
spam channels.


Now, to bring this back slightly to the topic of Exim: It seems there
are still a lot of ways to configure Exim that at first glance appear to
make it safe from open relays, but in fact leave it wide open to
multi-level relays, and indeed sometimes to other forms of relays
because untrusted information is used to allow the relay.

I personally don't believe the postmaster should even be given the
choice of trusting data from the network when it comes to determining
who's allowed to relay mail through the machine. The raw source IP
number, or a hostname that's been looked up and *verified* (i.e. the
reverse DNS is correct) is the only thing a relay test should use.

Of course teaching ISPs that they cannot trust any mailer for relay
unless they first block external port-25 connects *to* that mailer is
still a major hurdle to overcome in cleaning up multi-level relays.
I've seen a number of otherwise correctly configured Exim sites
compromised because some user set up a very simple TCP proxy on their
port 25 that connected immediately back to the ISPs gateway mailer!

-- 
                            Greg A. Woods


+1 416 218-0098      VE3TCP      <gwoods@???>      <robohack!woods>
Planix, Inc. <woods@???>; Secrets of the Weird <woods@???>