
Re: OT: opem mail relays



On Wed, Aug 15, 2001, Alon Barzilai wrote about "OT: opem mail relays":
> I recently (in fact, today) set up my sendmail to use the RBL.
> now I see that some of the big ISP's in israel 
> are in those lists.
> 
> (netvision and bezekint mail servers are both on orbz.org)

Just to clear one confusion, these ISPs are not on the RBL (the original
black list containing only hard-core spammers - this list is no longer
freely available, by the way) - they are on blacklists of open relays
(as you said in the subject line), such as orbz.org, ordb.org, orbl.org,
and so on.

By the way, none of the Israeli ISPs seem to have mail servers which are
open relays by themselves. The problem is that they have clients running
an open relay, and these clients in turn use the ISP server to spew out
mail.

So you may notice the offending ISP mail servers appear on outputs.orbz.org,
but not in inputs.orbz.org. Other blacklists, like orbl.org (if I remember
correctly) don't have this separation, and even multi-level relay outputs
like these end up on the main list. Yet other blacklists (like ordb, if I
remember correctly) don't list multilevel relay outputs at all, so you
won't have this problem with them.

See http://www.orbz.org/io.php for more information.

> I can not afford myself not getting mail from netvision.
> 
> what should I do ? 

Tell Netvision to fix the problem. This is not only the "shame" of appearing
on a black list: spammers actually *do* find those multilevel relays and
send spam through them! I find it strange that an ISP doesn't care that a
lot of spam is being pumped through its servers... Remember, none of the
blacklists in existence today are scanning the net for open relays: open
relays only appear on these blacklists after there is suspected spam from
them!

ISPs should periodically look in those blacklists to see whether any of their
non-dialup clients (i.e., fixed addresses that are allowed to relay through
their main server) are open relays, and if they are they shouldn't allow these
clients to relay through them until the problem is fixed. After all, these
clients don't *have* to relay through the ISP's server - they can send email
directly if they still wish to operate open relays deliberately.

P.S. If you're writing a spam filter and want to make sure that this
false-positive problem doesn't affect you, there's a solution: normally you get
from the email the IP address A from which the email came. Now, if A is
on inputs.orbz.org, it's a single-level relay, and you can safely mark this
as spam. However, if it's not on inputs.orbz.org but is on outputs.orbz.org,
you continue reading the headers, looking for other addresses. If any one
of them is on inputs.orbz.org, this *is* a multi-level relay, and this is
probably spam. If none of them is on inputs.orbz.org, then this is not a
multi-level relay in action, and it probably isn't spam.

I haven't yet fixed my filters to use this complicated "algorithm", because
strangely this isn't a real problem with any decent ISP in the world - except
Israeli ISPs... :(


-- 
Nadav Har'El                        |       Wednesday, Aug 15 2001, 26 Av 5761
nyh@math.technion.ac.il             |-----------------------------------------
Phone: +972-53-245868, ICQ 13349191 |Sign on a back of truck: "Overtakers
http://nadav.harel.org.il           |beware, or you might meet the Undertaker"
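The inputs/outputs check described in the P.S. above, as an added Python example that is not part of the original post. The list contents, host names and the offline lookup function standing in for DNS queries against the orbz.org zones are constructed assumptions.

```python
import re

# Constructed stand-in for DNS lookups against the two orbz.org zones the
# post describes; a real filter would query DNS. These sets are assumptions.
SAMPLE_LISTS = {
    "inputs.orbz.org": {"192.0.2.10"},       # a directly open relay
    "outputs.orbz.org": {"198.51.100.25"},   # ISP server that relays for it
}

def is_listed(ip, zone, lists=SAMPLE_LISTS):
    """Return True if `ip` is listed in `zone` (offline lookup)."""
    return ip in lists.get(zone, set())

# The bracketed address after "from" is the peer the receiving host saw.
RECEIVED_IP = re.compile(r"\bfrom\b.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def relay_chain(received_headers):
    """IPs from Received headers, outermost first. Only the first entry is
    trustworthy: the rest were written by other hosts and may be forged."""
    chain = []
    for header in received_headers:
        match = RECEIVED_IP.search(header)
        if match:
            chain.append(match.group(1))
    return chain

def classify(received_headers, lookup=is_listed):
    """Apply the inputs/outputs test from the post to a header chain."""
    chain = relay_chain(received_headers)
    if not chain:
        return "no-address"
    first = chain[0]
    if lookup(first, "inputs.orbz.org"):
        return "single-level-relay"      # safe to mark as spam
    if not lookup(first, "outputs.orbz.org"):
        return "not-listed"              # the common case
    # Peer is only an "output": look for an open relay further up the chain.
    for hop in chain[1:]:
        if lookup(hop, "inputs.orbz.org"):
            return "multi-level-relay"   # probably spam
    return "output-only"                 # ISP server, legitimate mail

# Constructed sample: spam source -> customer's open relay -> ISP -> us.
SAMPLE_HEADERS = [
    "from mail.isp.example (mail.isp.example [198.51.100.25]) by mx.ours.example",
    "from relay.customer.example ([192.0.2.10]) by mail.isp.example",
    "from unknown ([203.0.113.7]) by relay.customer.example",
]
```

Pass the Received headers in the order they appear in the message (newest first), since only the topmost one was written by your own MTA.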

=================================================================
To unsubscribe, send mail to linux-il-request@linux.org.il with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail linux-il-request@linux.org.il