At 3:59 PM -0400 8/13/03, Chris Lewis wrote:
> =head2 Truth in Advertising
>
> The criteria for listing should be carefully described (on the
> blacklist's web site, see below). You should be honest and never
> enter a listing that doesn't meet the criteria.
>
> In other words, be direct and honest as to what the listing criteria
> are, and never mix in other entries. No spite listings [Footnote 3].

I think this may need expansion to make it clear that accuracy is
required, not precision. See CBL for an example of an accurate but
not precise description of listing criteria.

> =head1 Security fault blacklists special rules
>
> Some blacklists list IP addresses that are insecure in various ways
> (e.g. open relays, open proxies). These are some recommendations for
> these systems:
>
> =head2 No automated probes
>
> The blacklist will not automatically probe for insecure systems. The
> reason for this is that there is little agreement in the community
> as to whether or not this should be allowed. So we err on the side
> of caution.
>
> Listing should therefore be "spam in hand" from a spamtrap address,
> or "email in hand" based on either a non-automated test, or a test
> instigated by receiving an email from the tested IP address.
>
> =head2 Reasonable re-scan periods
>
> If the blacklist uses re-scans to determine whether the listing
> should timeout or not, the re-scan period should be reasonable.
> Scanning should occur no more often than once every 24 hours (this
> fits in with the L<expiry period|/Listings should be temporary>
> above L</Footnote1>).
I think there needs to be something to address the very real problem
of destructive scanning. At various points in the past few years
(notably with ORBZ and with the phase of the attack on a.r.s that
used open Wingate proxies) the 'white hat' folks have been seen to
use probes that take down targets. For SMTP relay testing this is a
multifaceted problem because in some cases (i.e. some versions of
Notes) it is only machines that do not relay which are crashed, and
in many cases machines that accept a test message as a result of some
relay test trick end up ricocheting the message internally until it
lands in a double-bounce mailbox, and even today some of those are
human-managed.

If there's going to be a de facto blessing of unauthorized security
testing at all (I'm quite negative on that entire idea) it seems to
me that it should at least define a clear and precise boundary on
those tests. If it is a bad thing for a spammer to use an email
address he does not own as SMTP sender, can it be justified by the
claim that one is not spamming but testing (without permission)
a machine that may well end up accepting the 'test' and then bouncing
it to someone who is neither spamming nor operating a system that
facilitates spamming?

I realize that a requirement to hold to a strict ethical standard in
SMTP relay testing is a requirement to not try tricks that spammers
could and even do use, so it means that a negative result is quite
uncertain.
--
Bill Cole
bill(_at_)scconsult(_dot_)com
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg