NOPROBE is a unique draft proposed standard for ORBS/ORDB type services.
It is propagated by one individual: Tino.
IT IS STRICTLY PROHIBITED TO USE NOPROBE IN THE SMTP BANNER OF OPEN RELAYS!
The standard is defined such that any SMTP relay conforming
to this standard SHOULD have the word "NOPROBE" or the word sequence
"NOPROBE DDOS" (without quotes) in its SMTP banner header.
Only relays which are not OPEN for SPAMmers to relay SPAM/UCE
can conform to this standard!
The word NOPROBE in the SMTP banner header tells
ORBS/ORDB type systems NOT to probe the relay, because probing
the relay is prohibited by the relay administrator.
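As an added example (not part of Tino's draft or any NOPROBE code), a probe-side check in Python that an ORBS/ORDB-style tester could run on the 220 greeting before sending a test message: it parses a possibly multi-line greeting, matches the tags as whole words, and refuses to probe anything declaring NOPROBE. The sample banners are constructed.

```python
import re
from typing import List

# Constructed sample SMTP greetings. A greeting is the server's 220 reply;
# it may span several lines, every line but the last using "220-".
SAMPLE_BANNERS = {
    "plain":   "220 mail.example.net ESMTP ready\r\n",
    "noprobe": "220 relay.example.org ESMTP NOPROBE - relay testing prohibited\r\n",
    "ddos":    "220-relay.example.org ESMTP\r\n220 NOPROBE DDOS Policy: do not probe\r\n",
    "partial": "220 mx.example.com NOPROBEX not a real tag\r\n",
}


def parse_greeting(raw: str) -> List[str]:
    """Return the text parts of a (possibly multi-line) 220 greeting.

    Any line whose reply code is not 220 means the server did not greet
    us normally; return [] so the caller treats that as 'no banner'.
    """
    parts = []
    for line in raw.splitlines():
        m = re.match(r"^220([ -])(.*)$", line)
        if not m:
            return []
        parts.append(m.group(2))
    return parts


def noprobe_policy(raw: str) -> str:
    """Classify a banner as 'none', 'noprobe' or 'noprobe-ddos'.

    Tags are matched as whole words, so 'NOPROBEX' does not count, and
    the match is case-sensitive because the draft gives the tag in caps.
    """
    text = " ".join(parse_greeting(raw))
    if re.search(r"\bNOPROBE DDOS\b", text):
        return "noprobe-ddos"
    if re.search(r"\bNOPROBE\b", text):
        return "noprobe"
    return "none"


def may_probe(raw: str) -> bool:
    """A conforming tester skips any relay whose banner declares NOPROBE."""
    return noprobe_policy(raw) == "none"


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(f"{name:8s} policy={noprobe_policy(banner):13s} probe={may_probe(banner)}")
```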
Probing a relay means sending a test message to the relay
to see if the relay "relays" the message. A relay conforming
to the NOPROBE standard MUST perform one of the following actions:
a) The message will be refused with "relaying denied".
This is the recommended action for unknown probes.
Otherwise, if this action is not possible, one of the following applies:
b) The message will be forwarded as if the relay were OPEN.
This is the NOPROBE standard way for operators to inform
the sending side of the fact that the relay is closed
and that the relay is a SPAM killer (see c or d).
This action is recommended if the message is a known probe.
c) The message will be held back for 1 year and will be forwarded
only if the toll fee (1 EURO) is paid per stated recipient.
Note that this action is recommended.
d) The message will be deleted without notice (blackholed).
Note that this action is not recommended.
e) The message is neither accepted nor rejected; the relay
just closes the connection or pretends to fail due to
other causes (disk full, cannot queue, etc.) (tarpitting).
Note that this action is recommended for annoying probers.
f) The message will be handed to the NOPROBE network for
further inspection and action.
This will be the recommended action in the future as soon
as this service is implemented.
g) The probe message is taken as the expressed wish to
receive a DDOS attack at the originating IP of the probe
message. Before the DDOS, any other action (a-f) is taken.
In this case the exact sequence "NOPROBE DDOS" (without quotes)
MUST ALWAYS be present in the SMTP banner header.
Note that NOPROBE never recommends, endorses nor publishes
implementations for this type of action. However, all
code which is published according to this standard
MUST provide hooks for this type of action.
(Update: As Klez abuses relays, a DDOS would inform the operator
of infected dialup computers of the fact that there is a Klez
worm. There is no other option to get the information there.
My stealth NOPROBE relays conforming to variant c currently
kill around 10 to 40 Klez mails per day. This rate is
pretty constant now; when one computer gets disinfected
it does not take long for a new infected machine to come up.)
Stealth NOPROBE conforming relays:
Relays CAN choose to conform to this standard in a stealth mode,
that is, they behave as NOPROBE relays but do not state so in the
banner header, to make it harder for SPAMmers to guess whether the
relay is open (in favor of methods c and f).
Stealth NOPROBE relays MUST NOT implement action g,
even if they sometimes set the NOPROBE tag as described in the next paragraph:
To prevent probing services from probing, the relay
must set the NOPROBE header whenever such a probing service
tries to send a message. To make this possible, the
NOPROBE network will implement a publicly available DNS
zone, retrievable via AXFR, which contains all IPs of registered probing
services. Details, with a SENDMAIL hack and a QMAIL patch,
will be published here as soon as the service is started.
Don't expect it to spring into existence before 2003.
However, as soon as it springs into existence this will
become the recommended way to implement NOPROBE.
2002-07-20 clarified and typos corrected (Stealth NOPROBE relays MUST NOT implement action g)