public inbox for overseers@sourceware.org
* Re: ORBS redux, round n
  2000-12-30  6:08 ORBS redux, round n Phil Edwards
@ 2000-03-24  9:04 ` Phil Edwards
  0 siblings, 0 replies; 32+ messages in thread
From: Phil Edwards @ 2000-03-24  9:04 UTC (permalink / raw)
  To: overseers

Chris Faylor <cgf@cygnus.com>:
> On Fri, Mar 24, 2000 at 04:54:42PM +0000, Jonathan Larmour wrote:
> >Jim Kingdon wrote:
> >> 
> >> The current list of people in the "sourceware" group (who can edit
> >> infra/bin/rbl-whitelist) are:
> >
> >Well, if I do get added to the sourceware group, my first act will be
> >editing http://sourceware.cygnus.com/sourceware/spam.html to mention this
> >file!
>
> Do we want to make it publicly known that there is a whitelist?  That might
> remove an incentive for people to actually work to fix the problem.

"If you make an exception for one, you'll have to make exceptions for
everyone..."

My experience with these kinds of exceptions is that you don't publicize
them, and that you make the requirements to get on the list very stringent,
with no exceptions.  Of course, if you're going to be stringent about
no-exceptions-on-the-exceptions-list, you should probably be stringent
about ORBS in the first place, etc, etc.


Phil

^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: ORBS redux, round n
@ 2000-12-30  6:08 Phil Edwards
  2000-03-24  9:04 ` Phil Edwards
  0 siblings, 1 reply; 32+ messages in thread
From: Phil Edwards @ 2000-12-30  6:08 UTC (permalink / raw)
  To: overseers

Chris Faylor <cgf@cygnus.com>:
> On Fri, Mar 24, 2000 at 04:54:42PM +0000, Jonathan Larmour wrote:
> >Jim Kingdon wrote:
> >> 
> >> The current list of people in the "sourceware" group (who can edit
> >> infra/bin/rbl-whitelist) are:
> >
> >Well, if I do get added to the sourceware group, my first act will be
> >editing http://sourceware.cygnus.com/sourceware/spam.html to mention this
> >file!
>
> Do we want to make it publicly known that there is a whitelist?  That might
> remove an incentive for people to actually work to fix the problem.

"If you make an exception for one, you'll have to make exceptions for
everyone..."

My experience with these kinds of exceptions is that you don't publicize
them, and that you make the requirements to get on the list very stringent,
with no exceptions.  Of course, if you're going to be stringent about
no-exceptions-on-the-exceptions-list, you should probably be stringent
about ORBS in the first place, etc, etc.


Phil

^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: ORBS redux, round n
  2000-12-30  6:08             ` Chris Faylor
  2000-03-24  9:02               ` Chris Faylor
@ 2000-12-30  6:08               ` Jim Kingdon
  2000-03-24  9:54                 ` Jim Kingdon
  1 sibling, 1 reply; 32+ messages in thread
From: Jim Kingdon @ 2000-12-30  6:08 UTC (permalink / raw)
  To: cgf; +Cc: jlarmour, overseers

1.  I have added Chris Faylor and Jonathan Larmour to the sourceware
    group.  Don't upload trojan horses.  Be careful.  Buy low, sell high.

2.  I don't plan to _publicize_ the whitelist - publicizing it would
    mean listing it on http://sourceware.cygnus.com/lists.html or in
    the bounce message or places like that.

3.  I don't have a strong opinion one way or the other about
    mentioning the whitelist on
    http://sourceware.cygnus.com/sourceware/spam.html - I predict that
    if we did mention it there, few non-sourceware-admins would find
    it (there is a whole category of "non-publicized, but non-secret"
    information as I found when running Cyclic).

4.  It will be up to those project leaders who want to bother,
    generally speaking, to add whitelist entries.  I don't
    particularly plan on adding people in response to email to
    sourcemaster and postmaster.

5.  Therefore, it is up to the project leaders in question to take
    primary responsibility for doing things like purging obsolete
    entries (we might want an explicit policy of expiring them after a
    year or whatever).  And in general keeping the job of maintaining
    it manageable (I predict that "If you make an exception for one,
    you'll have to make exceptions for everyone" won't be a big
    problem, although time will of course tell).

If people have further feedback on this subject, I'm sure I/we will
hear about it :-).

^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: ORBS redux, round n
  2000-12-30  6:08       ` Jim Kingdon
  2000-03-24  8:41         ` Jim Kingdon
  2000-12-30  6:08         ` Tom Tromey
@ 2000-12-30  6:08         ` Jonathan Larmour
  2000-03-24  8:54           ` Jonathan Larmour
                             ` (2 more replies)
  2000-12-30  6:08         ` Jeffrey A Law
  3 siblings, 3 replies; 32+ messages in thread
From: Jonathan Larmour @ 2000-12-30  6:08 UTC (permalink / raw)
  To: Jim Kingdon; +Cc: cgf, overseers

Jim Kingdon wrote:
> 
> The current list of people in the "sourceware" group (who can edit
> infra/bin/rbl-whitelist) are:

Well, if I do get added to the sourceware group, my first act will be
editing http://sourceware.cygnus.com/sourceware/spam.html to mention this
file!

Jifl
-- 
Red Hat, 35 Cambridge Place, Cambridge, UK. CB2 1NS  Tel: +44 (1223) 728762
"Plan to be spontaneous tomorrow."  ||  These opinions are all my own fault

^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: ORBS redux, round n
  2000-12-30  6:08       ` Jim Kingdon
                           ` (2 preceding siblings ...)
  2000-12-30  6:08         ` Jonathan Larmour
@ 2000-12-30  6:08         ` Jeffrey A Law
  2000-03-24  9:11           ` Jeffrey A Law
  3 siblings, 1 reply; 32+ messages in thread
From: Jeffrey A Law @ 2000-12-30  6:08 UTC (permalink / raw)
  To: Jim Kingdon; +Cc: cgf, jlarmour, overseers

  In message < 200003241641.LAA18292@devserv.devel.redhat.com >you write:
  > >Or easier still, just a whitelist that individual project maintainers can
  > >edit?
  > 
  > That sounds like an excellent idea.  It fits in nicely with my scheme
  > to try to dump more work ^W^W^W get more help ^W^W^W empower the
  > project maintainers.  And it seems to make sense in the context of
  > "anarchy" or whatever the right word is for our governance structure.
This can be done, it wouldn't be that tough.

Each list has a file "editor" which runs the various filters and 
processes to get a message to the list.  I believe the first line in
each looks something like:

|/usr/sourceware/bin/rbl-check.sh gcc-patches --gcc-list

By passing various arguments (and possibly extending that file) we can
use project specific whitelists.

jeff


^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: ORBS redux, round n
  2000-12-30  6:08       ` Jim Kingdon
  2000-03-24  8:41         ` Jim Kingdon
@ 2000-12-30  6:08         ` Tom Tromey
  2000-03-24  8:50           ` Tom Tromey
  2000-12-30  6:08           ` Chris Faylor
  2000-12-30  6:08         ` Jonathan Larmour
  2000-12-30  6:08         ` Jeffrey A Law
  3 siblings, 2 replies; 32+ messages in thread
From: Tom Tromey @ 2000-12-30  6:08 UTC (permalink / raw)
  To: Jim Kingdon; +Cc: cgf, jlarmour, overseers

Jim> Any objections to adding Jonathan Larmour, and I guess other
Jim> project maintainers who ask?

It is fine with me.

Jim> I guess I'd plan on applying some small amount of discretion, but
Jim> if there is some big hidden cost to putting people in this group,
Jim> let me know.

As long as we remind people we add to this group that they should be
careful, it'll be fine.

T

^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: ORBS redux, round n
  2000-12-30  6:08 Jim Kingdon
  2000-03-24  8:22 ` Jim Kingdon
@ 2000-12-30  6:08 ` Chris Faylor
  2000-03-24  8:28   ` Chris Faylor
  2000-12-30  6:08   ` Jonathan Larmour
  1 sibling, 2 replies; 32+ messages in thread
From: Chris Faylor @ 2000-12-30  6:08 UTC (permalink / raw)
  To: Jim Kingdon; +Cc: overseers

On Fri, Mar 24, 2000 at 11:22:26AM -0500, Jim Kingdon wrote:
>I guess I'm leaning towards "do nothing" until/unless RSS gets more
>effective.

That sounds like a viable option to me.

I don't suppose we could offer some kind of smtp/pop service for people
where they would be able to send and receive email from/to sourceware
mailing lists once they'd been validated?  I don't know if that would
be a viable solution for people or not.  I suspect that most people
don't know how to change their smtp provider in their email software.

cgf

^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: ORBS redux, round n
  2000-12-30  6:08   ` Jonathan Larmour
  2000-03-24  8:32     ` Jonathan Larmour
@ 2000-12-30  6:08     ` Chris Faylor
  2000-03-24  8:33       ` Chris Faylor
  2000-12-30  6:08       ` Jim Kingdon
  1 sibling, 2 replies; 32+ messages in thread
From: Chris Faylor @ 2000-12-30  6:08 UTC (permalink / raw)
  To: Jonathan Larmour; +Cc: Jim Kingdon, overseers

On Fri, Mar 24, 2000 at 04:32:41PM +0000, Jonathan Larmour wrote:
>Chris Faylor wrote:
>> 
>> On Fri, Mar 24, 2000 at 11:22:26AM -0500, Jim Kingdon wrote:
>> >I guess I'm leaning towards "do nothing" until/unless RSS gets more
>> >effective.
>> 
>> That sounds like a viable option to me.
>> 
>> I don't suppose we could offer some kind of smtp/pop service for people
>> where they would be able to send and receive email from/to sourceware
>> mailing lists once they'd been validated?
>
>Or easier still, just a whitelist that individual project maintainers can
>edit?

Don't we have this already?  Or does it require someone with root access to
modify it?

cgf

^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: ORBS redux, round n
  2000-12-30  6:08           ` Jeffrey A Law
  2000-03-24  9:19             ` Jeffrey A Law
@ 2000-12-30  6:08             ` Jonathan Larmour
  2000-03-24  9:22               ` Jonathan Larmour
  2000-12-30  6:08               ` Chris Faylor
  1 sibling, 2 replies; 32+ messages in thread
From: Jonathan Larmour @ 2000-12-30  6:08 UTC (permalink / raw)
  To: law; +Cc: overseers

Jeffrey A Law wrote:
> 
>   In message < 38DB9DD2.6D6D0737@redhat.co.uk >you write:
>   > Jim Kingdon wrote:
>   > >
>   > > The current list of people in the "sourceware" group (who can edit
>   > > infra/bin/rbl-whitelist) are:
>   >
>   > Well, if I do get added to the sourceware group, my first act will be
>   > editing http://sourceware.cygnus.com/sourceware/spam.html to mention this
>   > file!
> No, please don't.  We do not want the maintenance headache of maintaining
> a large white list.  Getting on the whitelist should be a rare occurrence.
> If I had my way, we wouldn't have a whitelist to begin with.

In that case could Jim add this info to the blurb sent out to new project
maintainers? Otherwise they will never know about it, or where it is.

Jifl
-- 
Red Hat, 35 Cambridge Place, Cambridge, UK. CB2 1NS  Tel: +44 (1223) 728762
"Plan to be spontaneous tomorrow."  ||  These opinions are all my own fault

^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: ORBS redux, round n
  2000-12-30  6:08 ` Chris Faylor
  2000-03-24  8:28   ` Chris Faylor
@ 2000-12-30  6:08   ` Jonathan Larmour
  2000-03-24  8:32     ` Jonathan Larmour
  2000-12-30  6:08     ` Chris Faylor
  1 sibling, 2 replies; 32+ messages in thread
From: Jonathan Larmour @ 2000-12-30  6:08 UTC (permalink / raw)
  To: Chris Faylor; +Cc: Jim Kingdon, overseers

Chris Faylor wrote:
> 
> On Fri, Mar 24, 2000 at 11:22:26AM -0500, Jim Kingdon wrote:
> >I guess I'm leaning towards "do nothing" until/unless RSS gets more
> >effective.
> 
> That sounds like a viable option to me.
> 
> I don't suppose we could offer some kind of smtp/pop service for people
> where they would be able to send and receive email from/to sourceware
> mailing lists once they'd been validated?

Or easier still, just a whitelist that individual project maintainers can
edit?

Jifl
-- 
Red Hat, 35 Cambridge Place, Cambridge, UK. CB2 1NS  Tel: +44 (1223) 728762
"Plan to be spontaneous tomorrow."  ||  These opinions are all my own fault

^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: ORBS redux, round n
  2000-12-30  6:08     ` Chris Faylor
  2000-03-24  8:33       ` Chris Faylor
@ 2000-12-30  6:08       ` Jim Kingdon
  2000-03-24  8:41         ` Jim Kingdon
                           ` (3 more replies)
  1 sibling, 4 replies; 32+ messages in thread
From: Jim Kingdon @ 2000-12-30  6:08 UTC (permalink / raw)
  To: cgf; +Cc: jlarmour, overseers

>Or easier still, just a whitelist that individual project maintainers can
>edit?

That sounds like an excellent idea.  It fits in nicely with my scheme
to try to dump more work ^W^W^W get more help ^W^W^W empower the
project maintainers.  And it seems to make sense in the context of
"anarchy" or whatever the right word is for our governance structure.

The current list of people in the "sourceware" group (who can edit
infra/bin/rbl-whitelist) are:

[kingdon@sourceware sourceware]$ grep sourceware /etc/group
sourceware:*:65526:anoncvs,jsm,dj,listarch,drepper,webuser,tromey,hp,kingdon

Any objections to adding Jonathan Larmour, and I guess other project
maintainers who ask?  I guess I'd plan on applying some small amount
of discretion, but if there is some big hidden cost to putting people
in this group, let me know.  I realize that people in that group can
more easily compromise security but I guess this strikes me as
manageable.

^ permalink raw reply	[flat|nested] 32+ messages in thread

* ORBS redux, round n
@ 2000-12-30  6:08 Jim Kingdon
  2000-03-24  8:22 ` Jim Kingdon
  2000-12-30  6:08 ` Chris Faylor
  0 siblings, 2 replies; 32+ messages in thread
From: Jim Kingdon @ 2000-12-30  6:08 UTC (permalink / raw)
  To: overseers

OK, let me try to approach the ORBS thing in a calmer manner (yeah, I
know, fat chance, but I'll try :-)).

The current problem with ORBS is that there are situations in which
someone's mail is getting blocked and I don't know what to tell them.
For example, someone wrote in with 24.95.79.12 as their IP ("nslookup
12.79.95.24.relays.orbs.org" returns 127.0.0.4).  Note that this is a
static ORBS listing - not a listing because it was tested and found to
be an open relay (see discussion of 127.0.0.4 at
http://www.orbs.org/usingindex.html ).  Actual open relays will get
listed by RSS in due course, so people who have open relays are still
going to need to fix them, with or without ORBS.

So what are our options?

* Do nothing.  Comfort ourselves with the fact that the people annoyed
  by ORBS are fewer in number than the people annoyed by spam.

* Tell people "you need to allow ORBS to probe for open relays on your
  network".  Do we really want to require this as a condition for
  sending email to us?  And is it known that concern over being probed
  is the only reason people get a static ORBS listing?

* Modify our tester so that we only consider ORBS listings of
  127.0.0.2.  I guess the main downside for me is just that it would
  make our configuration more complicated at a time when we are having
  fewer and fewer resources (that I've noticed, anyway) available for
  maintaining a complex configuration.

* Stop using ORBS and rely on RSS for open relay blocking.  There are
  certain problems which the above solutions don't solve (multi-level
  relays, the PR factor of whether ORBS is widely respected quite
  aside from whether those perceptions are justified, there might be
  others).  The question is how much spam RSS would let through that
  is currently being blocked by ORBS.

    [kingdon@sourceware /qmail]$ grep RSS /var/log/rbl-checks | wc -l
	112
    [kingdon@sourceware /qmail]$ grep ORBS /var/log/rbl-checks | wc -l
	396
    [kingdon@sourceware /qmail]$ 

  If memory serves, rblcheck checks RSS first, then ORBS, so the above
  numbers are pretty bad for RSS.

* Any others?

I guess I'm leaning towards "do nothing" until/unless RSS gets more
effective.

^ permalink raw reply	[flat|nested] 32+ messages in thread
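
The lookup and the "only consider ORBS listings of 127.0.0.2" option from the message above, as an added example (not sourceware's rbl-check.sh and not code from this thread). The function names, verdict strings and the one-address-per-line whitelist format are assumptions, and the resolver's answer is passed in as an argument so the logic runs offline.

```shell
#!/bin/sh
# Added example, not sourceware's rbl-check.sh. The DNS query itself is left
# to the caller; these functions build the query name and judge the answer.

# dnsbl_qname IP ZONE
# Print the DNSBL query name: the IPv4 octets reversed, then the zone.
# Returns 1 (printing nothing) unless IP is a dotted quad with octets 0-255.
dnsbl_qname() {
    q_ip=$1 q_zone=$2
    case $q_ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # digits and single dots only
    esac
    q_ifs=$IFS; IFS=.
    set -- $q_ip                 # split on dots; input is known glob-free
    IFS=$q_ifs
    [ $# -eq 4 ] || return 1
    for q_o in "$@"; do
        case $q_o in ????*) return 1 ;; esac   # at most three digits
        [ "$q_o" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$q_zone"
}

# rbl_verdict IP ANSWER [WHITELIST_FILE...]
# ANSWER is the A record returned for the query name ("" if none).
# Whitelist files (hypothetical format: one IPv4 address per line) are
# consulted first; after that only 127.0.0.2 blocks, so a static listing
# such as 127.0.0.4 is logged but let through.
rbl_verdict() {
    v_ip=$1 v_answer=$2
    shift 2
    for v_wl in "$@"; do
        # -F literal, -x whole line: 192.0.2.1 must not match 192.0.2.10,
        # and the dots must not act as regex wildcards.
        if [ -r "$v_wl" ] && grep -Fxq -- "$v_ip" "$v_wl"; then
            echo "accept whitelisted"
            return 0
        fi
    done
    case $v_answer in
        '')        echo "accept not-listed" ;;
        127.0.0.2) echo "reject listed 127.0.0.2" ;;
        *)         echo "accept ignored-code $v_answer" ;;
    esac
}

# Constructed sample input: sender IP and the A record its lookup returned
# ("-" stands for no record). Only 24.95.79.12 comes from the message.
demo() {
    while read -r d_ip d_ans; do
        [ "$d_ans" = - ] && d_ans=
        printf '%s -> %s\n' "$(dnsbl_qname "$d_ip" relays.orbs.org)" \
            "$(rbl_verdict "$d_ip" "$d_ans")"
    done <<'EOF'
24.95.79.12 127.0.0.4
192.0.2.10 127.0.0.2
192.0.2.77 -
EOF
}
demo
```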

* Re: ORBS redux, round n
  2000-12-30  6:08             ` Jonathan Larmour
  2000-03-24  9:22               ` Jonathan Larmour
@ 2000-12-30  6:08               ` Chris Faylor
  2000-03-24  9:57                 ` Chris Faylor
  1 sibling, 1 reply; 32+ messages in thread
From: Chris Faylor @ 2000-12-30  6:08 UTC (permalink / raw)
  To: Jonathan Larmour; +Cc: law, overseers

On Fri, Mar 24, 2000 at 05:22:33PM +0000, Jonathan Larmour wrote:
>Jeffrey A Law wrote:
>>In message < 38DB9DD2.6D6D0737@redhat.co.uk >you write:
>>> Jim Kingdon wrote:
>>>>The current list of people in the "sourceware" group (who can edit
>>>>infra/bin/rbl-whitelist) are:
>>>
>>>Well, if I do get added to the sourceware group, my first act will be
>>>editing http://sourceware.cygnus.com/sourceware/spam.html to mention
>>>this file!
>>No, please don't.  We do not want the maintenance headache of
>>maintaining a large white list.  Getting on the whitelist should be a
>>rare occurrence.  If I had my way, we wouldn't have a whitelist to begin
>>with.
>
>In that case could Jim add this info to the blurb sent out to new
>project maintainers?  Otherwise they will never know about it, or where
>it is.

I'm not sure that I understand the objection to making this known to the
maintainers.  We obviously should not be cavalier about adding people
to the white list but hopefully every mailing list maintainer understands
that.  If the information on how to add people is not available then
Jim Kingdon is just going to be pinged about it.

If we are going to do this, I think it is also a good idea to notify new
mailing list maintainers about it, too, FWIW.

cgf

^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: ORBS redux, round n
  2000-12-30  6:08           ` Chris Faylor
  2000-03-24  8:58             ` Chris Faylor
@ 2000-12-30  6:08             ` Chris Faylor
  2000-03-24  9:02               ` Chris Faylor
  2000-12-30  6:08               ` Jim Kingdon
  1 sibling, 2 replies; 32+ messages in thread
From: Chris Faylor @ 2000-12-30  6:08 UTC (permalink / raw)
  To: Jonathan Larmour; +Cc: Jim Kingdon, overseers

On Fri, Mar 24, 2000 at 11:58:46AM -0500, Chris Faylor wrote:
>On Fri, Mar 24, 2000 at 04:54:42PM +0000, Jonathan Larmour wrote:
>>Jim Kingdon wrote:
>>> 
>>> The current list of people in the "sourceware" group (who can edit
>>> infra/bin/rbl-whitelist) are:
>>
>>Well, if I do get added to the sourceware group, my first act will be
>>editing http://sourceware.cygnus.com/sourceware/spam.html to mention this
>>file!
>
>Do we want to make it publicly known that there is a whitelist?  That might
>remove an incentive for people to actually work to fix the problem.

Sorry.  Never mind.  This isn't a public page.

cgf

^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: ORBS redux, round n
  2000-12-30  6:08         ` Tom Tromey
  2000-03-24  8:50           ` Tom Tromey
@ 2000-12-30  6:08           ` Chris Faylor
  2000-03-24  8:53             ` Chris Faylor
  1 sibling, 1 reply; 32+ messages in thread
From: Chris Faylor @ 2000-12-30  6:08 UTC (permalink / raw)
  To: Tom Tromey; +Cc: Jim Kingdon, jlarmour, overseers

On Fri, Mar 24, 2000 at 08:50:46AM -0800, Tom Tromey wrote:
>Jim> I guess I'd plan on applying some small amount of discretion, but
>Jim> if there is some big hidden cost to putting people in this group,
>Jim> let me know.
>
>As long as we remind people we add to this group that they should be
>careful, it'll be fine.

Right, right.  I'll be careful.

(chair falls over backwards)

cgf

^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: ORBS redux, round n
  2000-12-30  6:08         ` Jonathan Larmour
  2000-03-24  8:54           ` Jonathan Larmour
@ 2000-12-30  6:08           ` Chris Faylor
  2000-03-24  8:58             ` Chris Faylor
  2000-12-30  6:08             ` Chris Faylor
  2000-12-30  6:08           ` Jeffrey A Law
  2 siblings, 2 replies; 32+ messages in thread
From: Chris Faylor @ 2000-12-30  6:08 UTC (permalink / raw)
  To: Jonathan Larmour; +Cc: Jim Kingdon, overseers

On Fri, Mar 24, 2000 at 04:54:42PM +0000, Jonathan Larmour wrote:
>Jim Kingdon wrote:
>> 
>> The current list of people in the "sourceware" group (who can edit
>> infra/bin/rbl-whitelist) are:
>
>Well, if I do get added to the sourceware group, my first act will be
>editing http://sourceware.cygnus.com/sourceware/spam.html to mention this
>file!

Do we want to make it publicly known that there is a whitelist?  That might
remove an incentive for people to actually work to fix the problem.

cgf

^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: ORBS redux, round n
  2000-12-30  6:08         ` Jonathan Larmour
  2000-03-24  8:54           ` Jonathan Larmour
  2000-12-30  6:08           ` Chris Faylor
@ 2000-12-30  6:08           ` Jeffrey A Law
  2000-03-24  9:19             ` Jeffrey A Law
  2000-12-30  6:08             ` Jonathan Larmour
  2 siblings, 2 replies; 32+ messages in thread
From: Jeffrey A Law @ 2000-12-30  6:08 UTC (permalink / raw)
  To: Jonathan Larmour; +Cc: Jim Kingdon, cgf, overseers

  In message < 38DB9DD2.6D6D0737@redhat.co.uk >you write:
  > Jim Kingdon wrote:
  > > 
  > > The current list of people in the "sourceware" group (who can edit
  > > infra/bin/rbl-whitelist) are:
  > 
  > Well, if I do get added to the sourceware group, my first act will be
  > editing http://sourceware.cygnus.com/sourceware/spam.html to mention this
  > file!
No, please don't.  We do not want the maintenance headache of maintaining
a large white list.  Getting on the whitelist should be a rare occurrence.
If I had my way, we wouldn't have a whitelist to begin with.

jeff

^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: ORBS redux, round n
  2000-12-30  6:08               ` Chris Faylor
@ 2000-03-24  9:57                 ` Chris Faylor
  0 siblings, 0 replies; 32+ messages in thread
From: Chris Faylor @ 2000-03-24  9:57 UTC (permalink / raw)
  To: Jonathan Larmour; +Cc: law, overseers

On Fri, Mar 24, 2000 at 05:22:33PM +0000, Jonathan Larmour wrote:
>Jeffrey A Law wrote:
>>In message < 38DB9DD2.6D6D0737@redhat.co.uk >you write:
>>> Jim Kingdon wrote:
>>>>The current list of people in the "sourceware" group (who can edit
>>>>infra/bin/rbl-whitelist) are:
>>>
>>>Well, if I do get added to the sourceware group, my first act will be
>>>editing http://sourceware.cygnus.com/sourceware/spam.html to mention
>>>this file!
>>No, please don't.  We do not want the maintenance headache of
>>maintaining a large white list.  Getting on the whitelist should be a
>>rare occurrence.  If I had my way, we wouldn't have a whitelist to begin
>>with.
>
>In that case could Jim add this info to the blurb sent out to new
>project maintainers?  Otherwise they will never know about it, or where
>it is.

I'm not sure that I understand the objection to making this known to the
maintainers.  We obviously should not be cavalier about adding people
to the white list but hopefully every mailing list maintainer understands
that.  If the information on how to add people is not available then
Jim Kingdon is just going to be pinged about it.

If we are going to do this, I think it is also a good idea to notify new
mailing list maintainers about it, too, FWIW.

cgf

^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: ORBS redux, round n
  2000-12-30  6:08               ` Jim Kingdon
@ 2000-03-24  9:54                 ` Jim Kingdon
  0 siblings, 0 replies; 32+ messages in thread
From: Jim Kingdon @ 2000-03-24  9:54 UTC (permalink / raw)
  To: cgf; +Cc: jlarmour, overseers

1.  I have added Chris Faylor and Jonathan Larmour to the sourceware
    group.  Don't upload trojan horses.  Be careful.  Buy low, sell high.

2.  I don't plan to _publicize_ the whitelist - publicizing it would
    mean listing it on http://sourceware.cygnus.com/lists.html or in
    the bounce message or places like that.

3.  I don't have a strong opinion one way or the other about
    mentioning the whitelist on
    http://sourceware.cygnus.com/sourceware/spam.html - I predict that
    if we did mention it there, few non-sourceware-admins would find
    it (there is a whole category of "non-publicized, but non-secret"
    information as I found when running Cyclic).

4.  It will be up to those project leaders who want to bother,
    generally speaking, to add whitelist entries.  I don't
    particularly plan on adding people in response to email to
    sourcemaster and postmaster.

5.  Therefore, it is up to the project leaders in question to take
    primary responsibility for doing things like purging obsolete
    entries (we might want an explicit policy of expiring them after a
    year or whatever).  And in general keeping the job of maintaining
    it manageable (I predict that "If you make an exception for one,
    you'll have to make exceptions for everyone" won't be a big
    problem, although time will of course tell).

If people have further feedback on this subject, I'm sure I/we will
hear about it :-).

^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: ORBS redux, round n
  2000-12-30  6:08             ` Jonathan Larmour
@ 2000-03-24  9:22               ` Jonathan Larmour
  2000-12-30  6:08               ` Chris Faylor
  1 sibling, 0 replies; 32+ messages in thread
From: Jonathan Larmour @ 2000-03-24  9:22 UTC (permalink / raw)
  To: law; +Cc: overseers

Jeffrey A Law wrote:
> 
>   In message < 38DB9DD2.6D6D0737@redhat.co.uk >you write:
>   > Jim Kingdon wrote:
>   > >
>   > > The current list of people in the "sourceware" group (who can edit
>   > > infra/bin/rbl-whitelist) are:
>   >
>   > Well, if I do get added to the sourceware group, my first act will be
>   > editing http://sourceware.cygnus.com/sourceware/spam.html to mention this
>   > file!
> No, please don't.  We do not want the maintenance headache of maintaining
> a large white list.  Getting on the whitelist should be a rare occurrence.
> If I had my way, we wouldn't have a whitelist to begin with.

In that case could Jim add this info to the blurb sent out to new project
maintainers? Otherwise they will never know about it, or where it is.

Jifl
-- 
Red Hat, 35 Cambridge Place, Cambridge, UK. CB2 1NS  Tel: +44 (1223) 728762
"Plan to be spontaneous tomorrow."  ||  These opinions are all my own fault

^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: ORBS redux, round n
  2000-12-30  6:08           ` Jeffrey A Law
@ 2000-03-24  9:19             ` Jeffrey A Law
  2000-12-30  6:08             ` Jonathan Larmour
  1 sibling, 0 replies; 32+ messages in thread
From: Jeffrey A Law @ 2000-03-24  9:19 UTC (permalink / raw)
  To: Jonathan Larmour; +Cc: Jim Kingdon, cgf, overseers

  In message < 38DB9DD2.6D6D0737@redhat.co.uk >you write:
  > Jim Kingdon wrote:
  > > 
  > > The current list of people in the "sourceware" group (who can edit
  > > infra/bin/rbl-whitelist) are:
  > 
  > Well, if I do get added to the sourceware group, my first act will be
  > editing http://sourceware.cygnus.com/sourceware/spam.html to mention this
  > file!
No, please don't.  We do not want the maintenance headache of maintaining
a large white list.  Getting on the whitelist should be a rare occurrence.
If I had my way, we wouldn't have a whitelist to begin with.

jeff

^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: ORBS redux, round n
  2000-12-30  6:08         ` Jeffrey A Law
@ 2000-03-24  9:11           ` Jeffrey A Law
  0 siblings, 0 replies; 32+ messages in thread
From: Jeffrey A Law @ 2000-03-24  9:11 UTC (permalink / raw)
  To: Jim Kingdon; +Cc: cgf, jlarmour, overseers

  In message < 200003241641.LAA18292@devserv.devel.redhat.com >you write:
  > >Or easier still, just a whitelist that individual project maintainers can
  > >edit?
  > 
  > That sounds like an excellent idea.  It fits in nicely with my scheme
  > to try to dump more work ^W^W^W get more help ^W^W^W empower the
  > project maintainers.  And it seems to make sense in the context of
  > "anarchy" or whatever the right word is for our governance structure.
This can be done, it wouldn't be that tough.

Each list has a file "editor" which runs the various filters and 
processes to get a message to the list.  I believe the first line in
each looks something like:

|/usr/sourceware/bin/rbl-check.sh gcc-patches --gcc-list

By passing various arguments (and possibly extending that file) we can
use project specific whitelists.

jeff


^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: ORBS redux, round n
  2000-12-30  6:08             ` Chris Faylor
@ 2000-03-24  9:02               ` Chris Faylor
  2000-12-30  6:08               ` Jim Kingdon
  1 sibling, 0 replies; 32+ messages in thread
From: Chris Faylor @ 2000-03-24  9:02 UTC (permalink / raw)
  To: Jonathan Larmour; +Cc: Jim Kingdon, overseers

On Fri, Mar 24, 2000 at 11:58:46AM -0500, Chris Faylor wrote:
>On Fri, Mar 24, 2000 at 04:54:42PM +0000, Jonathan Larmour wrote:
>>Jim Kingdon wrote:
>>> 
>>> The current list of people in the "sourceware" group (who can edit
>>> infra/bin/rbl-whitelist) are:
>>
>>Well, if I do get added to the sourceware group, my first act will be
>>editing http://sourceware.cygnus.com/sourceware/spam.html to mention this
>>file!
>
>Do we want to make it publicly known that there is a whitelist?  That might
>remove an incentive for people to actually work to fix the problem.

Sorry.  Never mind.  This isn't a public page.

cgf

^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: ORBS redux, round n
  2000-12-30  6:08           ` Chris Faylor
@ 2000-03-24  8:58             ` Chris Faylor
  2000-12-30  6:08             ` Chris Faylor
  1 sibling, 0 replies; 32+ messages in thread
From: Chris Faylor @ 2000-03-24  8:58 UTC (permalink / raw)
  To: Jonathan Larmour; +Cc: Jim Kingdon, overseers

On Fri, Mar 24, 2000 at 04:54:42PM +0000, Jonathan Larmour wrote:
>Jim Kingdon wrote:
>> 
>> The current list of people in the "sourceware" group (who can edit
>> infra/bin/rbl-whitelist) are:
>
>Well, if I do get added to the sourceware group, my first act will be
>editing http://sourceware.cygnus.com/sourceware/spam.html to mention this
>file!

Do we want to make it publicly known that there is a whitelist?  That might
remove an incentive for people to actually work to fix the problem.

cgf

^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: ORBS redux, round n
  2000-12-30  6:08         ` Jonathan Larmour
@ 2000-03-24  8:54           ` Jonathan Larmour
  2000-12-30  6:08           ` Chris Faylor
  2000-12-30  6:08           ` Jeffrey A Law
  2 siblings, 0 replies; 32+ messages in thread
From: Jonathan Larmour @ 2000-03-24  8:54 UTC (permalink / raw)
  To: Jim Kingdon; +Cc: cgf, overseers

Jim Kingdon wrote:
> 
> The current list of people in the "sourceware" group (who can edit
> infra/bin/rbl-whitelist) are:

Well, if I do get added to the sourceware group, my first act will be
editing http://sourceware.cygnus.com/sourceware/spam.html to mention this
file!

Jifl
-- 
Red Hat, 35 Cambridge Place, Cambridge, UK. CB2 1NS  Tel: +44 (1223) 728762
"Plan to be spontaneous tomorrow."  ||  These opinions are all my own fault

^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: ORBS redux, round n
  2000-12-30  6:08           ` Chris Faylor
@ 2000-03-24  8:53             ` Chris Faylor
  0 siblings, 0 replies; 32+ messages in thread
From: Chris Faylor @ 2000-03-24  8:53 UTC (permalink / raw)
  To: Tom Tromey; +Cc: Jim Kingdon, jlarmour, overseers

On Fri, Mar 24, 2000 at 08:50:46AM -0800, Tom Tromey wrote:
>Jim> I guess I'd plan on applying some small amount of discretion, but
>Jim> if there is some big hidden cost to putting people in this group,
>Jim> let me know.
>
>As long as we remind people we add to this group that they should be
>careful, it'll be fine.

Right, right.  I'll be careful.

(chair falls over backwards)

cgf


* Re: ORBS redux, round n
  2000-12-30  6:08         ` Tom Tromey
@ 2000-03-24  8:50           ` Tom Tromey
  2000-12-30  6:08           ` Chris Faylor
  1 sibling, 0 replies; 32+ messages in thread
From: Tom Tromey @ 2000-03-24  8:50 UTC (permalink / raw)
  To: Jim Kingdon; +Cc: cgf, jlarmour, overseers

Jim> Any objections to adding Jonathan Larmour, and I guess other
Jim> project maintainers who ask?

It is fine with me.

Jim> I guess I'd plan on applying some small amount of discretion, but
Jim> if there is some big hidden cost to putting people in this group,
Jim> let me know.

As long as we remind people we add to this group that they should be
careful, it'll be fine.

T


* Re: ORBS redux, round n
  2000-12-30  6:08       ` Jim Kingdon
@ 2000-03-24  8:41         ` Jim Kingdon
  2000-12-30  6:08         ` Tom Tromey
                           ` (2 subsequent siblings)
  3 siblings, 0 replies; 32+ messages in thread
From: Jim Kingdon @ 2000-03-24  8:41 UTC (permalink / raw)
  To: cgf; +Cc: jlarmour, overseers

>Or easier still, just a whitelist that individual project maintainers can
>edit?

That sounds like an excellent idea.  It fits in nicely with my scheme
to try to dump more work ^W^W^W get more help ^W^W^W empower the
project maintainers.  And it seems to make sense in the context of
"anarchy" or whatever the right word is for our governance structure.

The current list of people in the "sourceware" group (who can edit
infra/bin/rbl-whitelist) are:

[kingdon@sourceware sourceware]$ grep sourceware /etc/group
sourceware:*:65526:anoncvs,jsm,dj,listarch,drepper,webuser,tromey,hp,kingdon

Any objections to adding Jonathan Larmour, and I guess other project
maintainers who ask?  I guess I'd plan on applying some small amount
of discretion, but if there is some big hidden cost to putting people
in this group, let me know.  I realize that people in that group can
more easily compromise security but I guess this strikes me as
manageable.


* Re: ORBS redux, round n
  2000-12-30  6:08     ` Chris Faylor
@ 2000-03-24  8:33       ` Chris Faylor
  2000-12-30  6:08       ` Jim Kingdon
  1 sibling, 0 replies; 32+ messages in thread
From: Chris Faylor @ 2000-03-24  8:33 UTC (permalink / raw)
  To: Jonathan Larmour; +Cc: Jim Kingdon, overseers

On Fri, Mar 24, 2000 at 04:32:41PM +0000, Jonathan Larmour wrote:
>Chris Faylor wrote:
>> 
>> On Fri, Mar 24, 2000 at 11:22:26AM -0500, Jim Kingdon wrote:
>> >I guess I'm leaning towards "do nothing" until/unless RSS gets more
>> >effective.
>> 
>> That sounds like a viable option to me.
>> 
>> I don't suppose we could offer some kind of smtp/pop service for people
>> where they would be able to send and receive email from/to sourceware
>> mailing lists once they'd been validated?
>
>Or easier still, just a whitelist that individual project maintainers can
>edit?

Don't we have this already?  Or does it require someone with root access to
modify it?

cgf


* Re: ORBS redux, round n
  2000-12-30  6:08   ` Jonathan Larmour
@ 2000-03-24  8:32     ` Jonathan Larmour
  2000-12-30  6:08     ` Chris Faylor
  1 sibling, 0 replies; 32+ messages in thread
From: Jonathan Larmour @ 2000-03-24  8:32 UTC (permalink / raw)
  To: Chris Faylor; +Cc: Jim Kingdon, overseers

Chris Faylor wrote:
> 
> On Fri, Mar 24, 2000 at 11:22:26AM -0500, Jim Kingdon wrote:
> >I guess I'm leaning towards "do nothing" until/unless RSS gets more
> >effective.
> 
> That sounds like a viable option to me.
> 
> I don't suppose we could offer some kind of smtp/pop service for people
> where they would be able to send and receive email from/to sourceware
> mailing lists once they'd been validated?

Or easier still, just a whitelist that individual project maintainers can
edit?

Jifl
-- 
Red Hat, 35 Cambridge Place, Cambridge, UK. CB2 1NS  Tel: +44 (1223) 728762
"Plan to be spontaneous tomorrow."  ||  These opinions are all my own fault


* Re: ORBS redux, round n
  2000-12-30  6:08 ` Chris Faylor
@ 2000-03-24  8:28   ` Chris Faylor
  2000-12-30  6:08   ` Jonathan Larmour
  1 sibling, 0 replies; 32+ messages in thread
From: Chris Faylor @ 2000-03-24  8:28 UTC (permalink / raw)
  To: Jim Kingdon; +Cc: overseers

On Fri, Mar 24, 2000 at 11:22:26AM -0500, Jim Kingdon wrote:
>I guess I'm leaning towards "do nothing" until/unless RSS gets more
>effective.

That sounds like a viable option to me.

I don't suppose we could offer some kind of smtp/pop service for people
where they would be able to send and receive email from/to sourceware
mailing lists once they'd been validated?  I don't know if that would
be a viable solution for people or not.  I suspect that most people
don't know how to change their smtp provider in their email software.

cgf


* ORBS redux, round n
  2000-12-30  6:08 Jim Kingdon
@ 2000-03-24  8:22 ` Jim Kingdon
  2000-12-30  6:08 ` Chris Faylor
  1 sibling, 0 replies; 32+ messages in thread
From: Jim Kingdon @ 2000-03-24  8:22 UTC (permalink / raw)
  To: overseers

OK, let me try to approach the ORBS thing in a calmer manner (yeah, I
know, fat chance, but I'll try :-)).

The current problem with ORBS is that there are situations in which
someone's mail is getting blocked and I don't know what to tell them.
For example, someone wrote in with 24.95.79.12 as their IP ("nslookup
12.79.95.24.relays.orbs.org" returns 127.0.0.4).  Note that this is a
static ORBS listing - not a listing because it was tested and found to
be an open relay (see discussion of 127.0.0.4 at
http://www.orbs.org/usingindex.html ).  Actual open relays will get
listed by RSS in due course, so people who have open relays are still
going to need to fix them, with or without ORBS.

So what are our options?

* Do nothing.  Comfort ourselves with the fact that the people annoyed
  by ORBS are fewer in number than the people annoyed by spam.

* Tell people "you need to allow ORBS to probe for open relays on your
  network".  Do we really want to require this as a condition for
  sending email to us?  And is it known that concern over being probed
  is the only reason people get a static ORBS listing?

* Modify our tester so that we only consider ORBS listings of
  127.0.0.2.  I guess the main downside for me is just that it would
  make our configuration more complicated at a time when we are having
  fewer and fewer resources (that I've noticed, anyway) available for
  maintaining a complex configuration.

* Stop using ORBS and rely on RSS for open relay blocking.  There are
  certain problems which the above solutions don't solve (multi-level
  relays, the PR factor of whether ORBS is widely respected quite
  aside from whether those perceptions are justified, there might be
  others).  The question is how much spam RSS would let through that
  is currently being blocked by ORBS.

    [kingdon@sourceware /qmail]$ grep RSS /var/log/rbl-checks | wc -l
	112
    [kingdon@sourceware /qmail]$ grep ORBS /var/log/rbl-checks | wc -l
	396
    [kingdon@sourceware /qmail]$ 

  If memory serves, rblcheck checks RSS first, then ORBS, so the above
  numbers are pretty bad for RSS.

* Any others?

I guess I'm leaning towards "do nothing" until/unless RSS gets more
effective.

^ permalink raw reply	[flat|nested] 32+ messages in thread
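
The third option in the message above (act only on ORBS answers of 127.0.0.2), combined with the maintainer-editable whitelist discussed in the replies, sketched as an added example; it is not part of the original thread or of sourceware's configuration. The whitelist is modelled as a plain set of IP strings (the format of infra/bin/rbl-whitelist is not shown in the thread), and the function names and the 192.0.2.10 entry are assumptions constructed for the example.

```python
import ipaddress
import socket

ORBS_ZONE = "relays.orbs.org"   # zone queried in the message
BLOCKING_CODE = "127.0.0.2"     # the only answer the third option would act on

def dnsbl_qname(ip, zone=ORBS_ZONE):
    """Build the DNSBL query name: octets reversed, zone appended."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_lookup(qname):
    """Resolve via the system resolver; no A record means 'not listed'.
    A resolver failure also returns [], so this check fails open."""
    try:
        return socket.gethostbyname_ex(qname)[2]
    except OSError:
        return []

# Constructed answers so the example runs offline. The first entry mirrors
# the nslookup result quoted in the message; the second is made up.
SAMPLE_ANSWERS = {
    "12.79.95.24.relays.orbs.org": ["127.0.0.4"],
    "10.2.0.192.relays.orbs.org": ["127.0.0.2"],
}

def sample_lookup(qname):
    return SAMPLE_ANSWERS.get(qname, [])

def decide(ip, lookup=system_lookup, whitelist=frozenset()):
    """Return (verdict, reason) for a connecting IP."""
    ip = str(ipaddress.IPv4Address(ip))       # normalise before comparing
    if ip in whitelist:
        return "accept", "whitelisted"
    answers = lookup(dnsbl_qname(ip))
    if BLOCKING_CODE in answers:
        return "reject", "listed " + BLOCKING_CODE
    if answers:
        # Any other code, such as the static 127.0.0.4 listing, is ignored.
        return "accept", "listed " + ",".join(answers) + " (ignored)"
    return "accept", "not listed"

if __name__ == "__main__":
    for ip in ("24.95.79.12", "192.0.2.10", "198.51.100.7"):
        print(ip, decide(ip, sample_lookup))
```
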
