This was clipped from another document, which was directed at ORBZ (an open
relay scanner) abuse.
Mr. Terranson's position is based on his assertion that open relay is
_never_ necessary, and that _all_ open relay use is somehow abusive. This
assertion is false, and being false, blocking a legitimate service is a
violation of provisions of the ECPA.
--Dean
------
The ORBZ product is actually unnecessary: Properly configured spam filters
are unaffected by relay use, whether the relay is open or closed. A spammer
(abuser) may send spam or abuse email in one of three ways: 1) Using a
direct connection from the abuser computer to the recipient computer. 2)
Using the (perhaps closed) relay provided by the abuser's ISP. 3) Using an
open relay. Relays (open and closed) add headers to email messages that
indicate the source of the message. When (properly) filtering spam, one
must either check the headers of the message for spam sources, or one must
use context scanning methods such as Vipul's Razor which check the contents
of the message for spam content. All one needs is a database of spam
source addresses or a database of spam content signatures for tools like
Vipul's Razor. One does not need to block open relays.
The ORBZ product actually hurts the ORBZ user: If a naïve admin uses open
relay blocking and thus fails to check the message headers for known spam
sources, they will not be able to block spam that is sent through an ISP's
closed relays. They will also block a lot of legitimate email from
companies that use open relays and federal agencies such as the FAA. Using
ORBZ service therefore actually increases the amount of spam permitted
through the ORBZ-enabled spam filter.
Often ORBZ proponents assert that open relay is never necessary. They assert
they are only helping secure unsecured computers. When pressed, they usually
reveal their assumption that one doesn't really need to do anything they
themselves aren't doing, and they aren't doing anything that requires open
relays. They also acknowledge that very few relays are closed as a result of
their probing. Often, their professional experiences are limited to ISPs
offering limited consumer services, or with small companies that operate
their own servers, don't outsource, and only occasionally travel.
Frequently, they have only operated their home computer. Despite their
assertion of open relay never being necessary, all email SMTP software
supports open relay as an option. To fully refute their assertion, you
need to understand more about SMTP and relay services.
Open Relays are necessary components to offering outsourced email services
where Internet access may be obtained from one vendor, email service from
another vendor, and web service from yet another vendor. While many ISPs
don't need to offer open relay services due to limitations in their service
offering, open relays are necessary in more general settings. To understand
the more general settings, you will need to understand a little more detail
about SMTP. Since the SMTP protocol doesn't include authentication and
authorization facilities, these facilities need to be added on in some
fashion. There are several methods of doing this: 1) POP (Post Office
Protocol) before SMTP. 2) IP Address restriction. 3) SMTP AUTH Protocol. 4)
Usage Logging and post-use validation.
The 'POP before SMTP' method only works if the ISP providing Internet access
also provides POP email box service. This is a common configuration for
many ISPs offering consumer services such as AOL. It is not the only
possible configuration. For example, Av8 Internet provides leased line
connectivity to small companies that outsource email to another ISP or ASP
(Application Service Provider). If the ASP does not provide a relay, Av8
Internet must provide a relay. If that company uses dialup from yet another
company, or if users frequently travel to other companies and use the other
companies' leased line access, then Av8 Internet must provide an open relay.
This situation is very common when the ASP also offers its own dialup or
dedicated access services and only provides relay service to its access
customers. IP address restriction can't be used since the IP address the
user may use is unknown in advance. For another example, some DSL providers
don't permit their customers to relay using their own domains, and don't
permit the customer to have a fixed IP address. A company that gets Internet
access from such a DSL provider and purchases outsourced email service from
another ASP needs a relay. Since the ASP doesn't provide relay service, the
company obtains (open) relay service from Av8 Internet.
The 'SMTP AUTH' method is a protocol extension for SMTP that was designed by
Netscape to replace the 'POP before SMTP' method. It was only accepted as an
Internet standard in January 2001. It is unsupported by many email clients,
and can't be used for inter-ISP email. Therefore it isn't a suitable
authentication system. When AOL purchased Netscape, it decided to convert
all AOL employees to this email application for their business use. After
many complaints from junior and senior executives, AOL discontinued its
internal conversion, saying the software "was designed for consumers and
not businesses". SMTP AUTH ought to work well for consumers, since
consumers have relatively few choices for email applications. But SMTP AUTH
suffers from the same flaws as POP before SMTP described above. It offers no
support for devices and software that only support the SMTP protocol and
have no individual username and password. There are many systems and devices
that send email but don't receive email. For example, many computer and
software monitoring systems send mail but don't pick up mail. Pagers and
other devices send mail but don't pick up mail.
Av8 Internet uses the fourth method: logging and post-use validation. This
is somewhat similar to the gas station attendant getting the license plate
of the car that drives away without paying. We have discovered that
authorized users are easily distinguished from unauthorized abusers. When
we detect suspicious use, we challenge the user via their ISP. We also
operate a number of "special" relays that help us detect abuse and
scanning.
This method works extremely well. Abusers are detected and their abuse is
halted. Often we make abuse reports before any recipients report abuse.
However, it does not satisfy ORBZ.
Often, anti-spam zealots will make unreasonable demands. For example,
consider the recent case with MAPS (Mail Abuse Prevention Service, another
anti-spam organization) and Exactis Corporation. Exactis sent commercial
email to confirmed opt-in recipients. MAPS demanded double confirmation, and
listed Exactis as a spam source, blocking email from Exactis. Exactis sued,
obtained injunctions and won a number of key decisions: essentially the
court determined that single confirmation was sufficient. Having lost key
decisions, MAPS agreed to remove the blocks and agreed to severe penalties
if blocks are added in the future. Both parties then agreed to dismiss the
suit. However, on its web site MAPS merely states the suit was dismissed,
as though for lack of merit.
Av8 Internet has been threatened on several occasions that it would suffer
if it did not stop offering open relay services. Other open relay operators
have reported receiving similar threats. On several occasions Av8 Internet
has found ORBZ proponents abusing our relay to "make their point" and carry
out their threats. They have made postings to abuser/hacker newsgroups such
as alt.2600 soliciting abuse and cracking for our computers. Our relay
servers have been broken into. Web servers with the same vulnerability were
not attacked, even though they are more visible targets. On one occasion,
an administrator at another ISP repeatedly abused our service from his
company workstation. On each occasion, we reported the abuse to his ISP.
Eventually, he was terminated from the ISP and sent me email saying it was
because of his abuse of our service. We suspect that a substantial amount
of open relay abuse is sent by anti-relay proponents trying to "make their
point." On at least one occasion, an anti-spam organizer has acknowledged
that it was his goal to "make things worse ... to force legislators to act
[to ban spam]." After ORBZ sent over 400 unauthorized messages through our
servers, with a large number of bounced emails, I contacted ORBZ and Taconic
Technology to inform them of unauthorized use, and informed them of the
criminal and abusive nature of their operations. I told them it is illegal
to scan non-public government computers. They were unconcerned with any
consequences.
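The filtering argument in the first section of the post (check the message headers for known spam sources, or check the content with a Razor-style signature, rather than checking whether the relay was open) in working form. This is an added example, not code from Dean's post or from Av8 Internet; the hosts, addresses and message bodies are constructed, the address ranges are the RFC 5737 documentation blocks, and the "spam source" and "signature" databases are stand-ins for whatever feed you actually use. The same check fires whether the constructed message came direct, through the sender's ISP relay, or through an open relay, and legitimate mail through the open relay passes.

```python
"""Header- and content-based spam checks that do not depend on whether
the relay in the path is open or closed.  Added illustration with
constructed messages; hosts and addresses come from the RFC 5737
documentation ranges and are not taken from the original post."""
import email
import hashlib
import re
from email import policy

# Constructed "known spam source" database.  Assumption: fed from your
# own abuse reports or a DNSBL-style feed.  Only the originating host is
# listed; none of the relays are.
SPAM_SOURCES = {"203.0.113.7"}

# Matches the bracketed address a receiving host records in its
# Received: line, e.g. "from host.example [192.0.2.1] by ...".
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def body_signature(text: str) -> str:
    """Razor-style content signature: hash of the whitespace/case
    normalised body, so trivial edits do not defeat the match."""
    norm = " ".join(text.lower().split())
    return hashlib.sha256(norm.encode()).hexdigest()


# Constructed content-signature database: bodies already reported as spam.
SPAM_SIGNATURES = {body_signature("MAKE MONEY FAST!!!  Click  here  now.")}


def chain(raw: str) -> list:
    """Return the client IPs from the Received: chain, oldest hop first.
    Every relay prepends its own Received: line, so the last header in
    the message is the hop closest to the origin."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = _IP_RE.search(str(hdr))
        if m:
            hops.append(m.group(1))
    return hops


def classify(raw: str) -> tuple:
    """Return (verdict, reason); verdict is 'spam' or 'ok'.  The relay's
    open/closed status never enters the decision."""
    for ip in chain(raw):
        if ip in SPAM_SOURCES:
            return "spam", f"originating host {ip} is a known spam source"
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body_signature(body.get_content()) in SPAM_SIGNATURES:
        return "spam", "body matches a known spam signature"
    return "ok", "no match"


def sample(path: str, origin_ip: str, body: str) -> str:
    """Build a constructed message as it arrives at our MX
    (mx.recipient.example [198.51.100.25]) by one of the three paths
    named in the post."""
    relays = {
        "direct": [],                                       # 1) origin -> our MX
        "closed_relay": ["smtp.isp.example [192.0.2.10]"],  # 2) sender's ISP relay
        "open_relay": ["relay.av8.example [192.0.2.20]"],   # 3) an open relay
    }[path]
    # Oldest hop first: each host records which host handed it the message.
    hops, prev = [], f"from sender-host.example [{origin_ip}]"
    for r in relays:
        hops.append(f"{prev} by {r}")
        prev = f"from {r}"
    hops.append(f"{prev} by mx.recipient.example [198.51.100.25]")
    received = "".join(
        f"Received: {h}; Mon, 1 Jan 2001 00:00:00 +0000\n" for h in reversed(hops)
    )
    return (
        received
        + "From: someone@sender.example\nTo: you@recipient.example\n"
        + "Subject: hello\nContent-Type: text/plain; charset=us-ascii\n\n"
        + body + "\n"
    )


if __name__ == "__main__":
    for path in ("direct", "closed_relay", "open_relay"):
        print(path, classify(sample(path, "203.0.113.7", "Buy now")))
    print("open_relay, legitimate", classify(sample("open_relay", "192.0.2.55", "Lunch?")))
    print("closed_relay, known body",
          classify(sample("closed_relay", "192.0.2.55", "make money fast!!! click here now.")))
```

One caveat a practitioner will want: each Received: line is written by the host that accepted the message, so a hop below the line your own MX added is only as reliable as the relay that recorded it, and a sender can forge the lower part of the chain. That is why the example carries the content-signature check as a second, header-independent leg.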
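The four add-on authorization methods the post lists for SMTP (POP before SMTP, IP address restriction, SMTP AUTH, and usage logging with post-use validation), together with the "special" relay used to catch scanning, as one relay-side decision routine. This is an added example, not Av8 Internet's software and not code from the post: the 30-minute POP window, the per-client recipient and domain thresholds, the decoy-listener flag and all of the traffic are constructed assumptions chosen to exercise each path. Unknown sources are relayed and logged, as the post describes, and the review pass then separates a roaming customer from a bulk abuser by recipient volume and spread.

```python
"""Relay-authorisation logic for a mail relay, covering the four add-on
methods the post lists (POP before SMTP, IP address restriction, SMTP
AUTH, usage logging with post-use validation) plus a decoy listener of
the kind the post calls a "special" relay.  Added example with
constructed traffic; it is not Av8 Internet's software, and the window
and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

POP_WINDOW = 30 * 60  # assumption: a POP login authorises relaying for 30 minutes


@dataclass
class Session:
    client_ip: str
    now: int                 # seconds since epoch, supplied by the caller
    authed_user: str = ""    # non-empty once SMTP AUTH has succeeded
    decoy: bool = False      # True if the connection hit an unadvertised listener


@dataclass
class RelayPolicy:
    allowed_nets: list = field(default_factory=list)  # 2) fixed customer addresses
    pop_logins: dict = field(default_factory=dict)    # 1) client ip -> last POP login
    log: list = field(default_factory=list)           # 4) (time, ip, rcpt) per relayed rcpt
    suspects: set = field(default_factory=set)        # hosts seen on the decoy listener

    def decide(self, s: Session, rcpt: str) -> str:
        """Return 'accept', 'accept-logged' or 'reject' for one RCPT TO."""
        if s.decoy:
            # Nothing legitimate is configured to use this address, so any
            # session here is a scan or an abuse attempt.
            self.suspects.add(s.client_ip)
            return "reject"
        if s.authed_user:                                     # 3) SMTP AUTH
            return "accept"
        ip = ip_address(s.client_ip)
        if any(ip in net for net in self.allowed_nets):       # 2) IP restriction
            return "accept"
        last = self.pop_logins.get(s.client_ip)               # 1) POP before SMTP
        if last is not None and 0 <= s.now - last <= POP_WINDOW:
            return "accept"
        # 4) Unknown source: relay it anyway, but keep the record that
        #    post-use validation will be run over.
        self.log.append((s.now, s.client_ip, rcpt))
        return "accept-logged"

    def post_use_review(self, window: int = 3600, max_rcpts: int = 50,
                        max_domains: int = 10) -> dict:
        """Flag logged clients whose volume or recipient spread inside any
        window looks like bulk abuse rather than a roaming customer.
        Returns {client_ip: reason}."""
        by_ip = defaultdict(list)
        for t, ip, rcpt in self.log:
            by_ip[ip].append((t, rcpt))
        flagged = {}
        for ip, events in by_ip.items():
            events.sort()
            for t0, _ in events:
                in_win = [r for t, r in events if t0 <= t < t0 + window]
                domains = {r.rpartition("@")[2].lower() for r in in_win}
                if len(in_win) > max_rcpts or len(domains) > max_domains:
                    flagged[ip] = (f"{len(in_win)} recipients in "
                                   f"{len(domains)} domains within {window}s")
                    break
        return flagged


def simulate():
    """Constructed traffic exercising every path.  Returns
    (policy, decisions, flagged)."""
    p = RelayPolicy(allowed_nets=[ip_network("192.0.2.0/24")],
                    pop_logins={"198.51.100.5": 1000})
    decisions = [
        p.decide(Session("192.0.2.9", now=5000), "a@example.org"),        # leased-line customer
        p.decide(Session("198.51.100.5", now=1500), "b@example.org"),     # POP login 500 s ago
        p.decide(Session("198.51.100.5", now=5000), "c@example.org"),     # POP window expired
        p.decide(Session("203.0.113.44", now=20, authed_user="dean"), "d@example.org"),
        p.decide(Session("203.0.113.99", now=30, decoy=True), "e@example.org"),
    ]
    # One unknown host fans out to 60 recipients in 60 domains within ten minutes.
    for i in range(60):
        p.decide(Session("203.0.113.7", now=6000 + 10 * i), f"user{i}@dom{i}.example")
    return p, decisions, p.post_use_review()


if __name__ == "__main__":
    relay, decisions, flagged = simulate()
    print(decisions)
    print("flagged:", flagged)
    print("scanners:", relay.suspects)
```

The thresholds are the weak point of any post-use scheme: set them from your own traffic, and treat a flag as the trigger for the challenge to the user's ISP that the post describes, not as an automatic block. Bounce volume, which the post mentions as the tell-tale of the ORBZ probes, is a natural additional signal to feed into the review.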