Re: [Exim] Text of X-RBL-Warning Header?

Author: Tabor J. Wells
Date:  
To: Marc Haber
CC: exim-users
Subject: Re: [Exim] Text of X-RBL-Warning Header?
On Sun, Jan 16, 2000 at 12:05:03PM +0000,
Marc Haber <exim-users.exim.org@???> is thought to have said:

> As a response, ORBS chose to add static listings for
> all of above.net's netblocks. IIRC, this affects two entire /16
> netblocks which is IMO totally unacceptable.


Agreed. I was very glad that I was tagging headers rather than rejecting
on ORBS as I would have suddenly started missing all of the mail I receive
from securityfocus.com (bugtraq, incidents, and the like) as well as
several other mailing lists I read.

> Static ORBS listings return 127.0.0.4 upon query. I have my exim
> configured to add X-RBL-Warning:-Headers. A quick grep of my recent
> logs shows only one instance of
>
> |X-RBL-Warning: (rbl.maps.vix.com) Blackholed - see <URL:http://mail-abuse.org/cgi-bin/lookup?210.226.97.210>


Note that this is an RBL from the MAPS RBL not ORBS.

Here is the DNS TXT record that they're associating with this:

X-RBL-Warning: (relays.orbs.org) above.net has multiple open relays and
has blocked the ORBS tester.

which is different from their normal TXT record:

X-RBL-Warning: (relays.orbs.org) above.net has multiple open relays and
has blocked the ORBS tester.

> in the reject log. Is this the format of the actual header being
> inserted into the message? If yes, would it be possible to add the IP
> the RBL query returned as well?
>
> IMO, it would be desirable to have an option of selectively blocking
> E-Mail depending on the query result. That way, one could still block
> hosts that are dynamically blocked by ORBS (with a return value of
> 127.0.0.2) while accepting (and/or tagging) e-mail from static
> listings (which return 127.0.0.4).
>
> Is it possible to have that added to a future version?
>
> Disclaimer: After the recent debate, I would recommend disabling ORBS
> checking entirely. However, there are some sites that _want_ to use
> ORBS. Having a possibility of selectively blocking ORBS dynamically
> listed hosts while not blocking ORBS statically listed hosts would be
> a point in an argument with the admin of an ORBS-using site, thus
> probably reducing the harm that ORBS does to the e-mail system.


Personally I'd rather we not do that. ORBS is in the wrong here, and to
support that by making changes to the software would be a mistake, IMO.
Alan could have (and should have) created a new subdomain like
blockedtester.orbs.org and let people use that instead. In fact he has
done that for other aspects of his "service" but didn't in this case.
Because he misuses the RBL format for his list shouldn't be a reason to
apply workarounds to Exim to support it.

A better solution would be to drop ORBS altogether in favor of MAPS RSS
which has a much more stringent policy of adding open relays. See
http://www.mail-abuse.org for details. FWIW I block on RBL, RSS, and DUL
and warn on ORBS. To date, my false positive rate (defined as legitimate
mail being blocked as spam) has been zero.

Tabor

-- 
--------------------------------------------------------------------
Tabor J. Wells                                     twells@???
Fsck It!                 Just another victim of the ambient morality
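
Added example, not part of the original message and not Exim code: a sketch of the per-return-code policy discussed in the thread (reject on 127.0.0.2, tag on 127.0.0.4), with the returned address included in the warning header. The `lookup` resolver hook, the header layout with bracketed codes, and the sample zone data are assumptions constructed for illustration.

```python
import ipaddress

# Return codes as described in the thread for relays.orbs.org.
ORBS_POLICY = {"127.0.0.2": "reject",   # dynamically listed host
               "127.0.0.4": "warn"}     # static listing (e.g. whole netblocks)

def dnsbl_query_name(client_ip, zone):
    """Reverse the IPv4 octets and append the list zone: 1.2.3.4 -> 4.3.2.1.zone"""
    addr = ipaddress.IPv4Address(client_ip)   # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def decide(client_ip, zone, lookup, policy=ORBS_POLICY):
    """Return (action, header). `lookup(name)` is a hypothetical resolver hook
    returning (list_of_A_records, txt_string); an empty list means not listed."""
    codes, txt = lookup(dnsbl_query_name(client_ip, zone))
    if not codes:
        return "accept", None
    # An unknown return code is tagged rather than blocked, so a list that
    # changes its semantics cannot silently start rejecting mail.
    actions = {policy.get(c, "warn") for c in codes}
    action = "reject" if "reject" in actions else "warn"
    header = "X-RBL-Warning: (%s) [%s] %s" % (zone, ",".join(sorted(codes)), txt)
    return action, header

# Constructed sample data standing in for DNS answers (documentation addresses).
SAMPLE_ZONE = {
    "10.2.0.192.relays.orbs.org": (["127.0.0.2"], "open relay, constructed sample"),
    "7.100.51.198.relays.orbs.org": (["127.0.0.4"], "static listing, constructed sample"),
    "9.113.0.203.relays.orbs.org": (["127.0.0.2", "127.0.0.4"], "both, constructed sample"),
}

def sample_lookup(name):
    """Offline stand-in for a DNS A/TXT query against the list zone."""
    return SAMPLE_ZONE.get(name, ([], ""))

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.9", "192.0.2.99"):
        print(ip, decide(ip, "relays.orbs.org", sample_lookup))
```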