UPDATED: AOL Added To ORBS List - At Their Request
Scott Crain, AOL 'Spamdinista,' wrote in with an update, and to make what's going on crystal clear.
There are two machines that have been added to ORBS on AOL's networks, at my request. The two machines are a new system in place to allow us to keep spammers from using outbound SMTP connections to spam the rest of the net with junk. Alan Brown, the maintainer of ORBS and I correspond frequently on a couple mailing lists we both frequent, and he asked if it would be ok if I had him place these two machines in ORBS, to which I agreed.
Basically, the two machines that are there are the external gateway for a percentage of AOL members using their TCP connectivity to send mail out of AOL without using the AOL client. It's no different than blocking AOL's dialup IP's (*.ipt.aol.com) as the MAPS DUL does currently.
In other words, this is a good thing. I'm sure I'm not the only one who doesn't like spam from AOL, and this looks like a step in the right direction.
So who knows, maybe AOL will catch on. But somehow I'm a bit pessimistic. As somebody pointed out, AOL has been put on blacklists before, and obviously it didn't phase them. Maybe ORBS is a more prominent list, maybe not. I'm not very familiar with the background here (AOL doesn't exactly consume my every waking moment)
I certainly hope AOL does get the message, however. God only knows how much spam I get from AOL accounts, yet I can't afford to block them because I need to be able to communicate with customers that only have AOL.
NOW if it will only tell me what they have done to several spammers I've reported. All I'm getting is a virtual "We won't tell you anything. It's our 'security' policy. NYAH!" when I'm still getting junk from AOL's dialups and servers are slowly banning AOL manually. This isn't just for spamming, it also encompasses harassment of the users of those non-AOL servers. (IRC, MUCK's, interactive services, even AOL's own AIM are examples of this)
---
Another non-functioning site was "uncertainty.microsoft.com." The purpose of that site was not known. -- MSNBC 10-26-1999 on MS crack
--
# Canmephians for a better Linux Kernel
$Stalag99{"URL"}="http://stalag99.net";
All I'm looking for is a semi-personal form letter saying you've nuked the account afflicted. This is insanely easy to implement, and can even be hooked up into an existing reporting database. In fact, I wrote one up in this Usenet post to news.admin.net-abuse.email for UUNet. Just this setup time works well with ISP's as big as AOL.
We can't tell you any specific details of any action we take against a member's account, because AOL's privacy policy guidelines prohibit this.
[humor] I don't care if you used a five-kiloton thermonuke missile to get a spammer off your system, or a three-kiloton. [/humor] All I ask is that the user who sent me the junk to my account has been dealt with. Not "We'll deal with it." I'm looking for a "We've dealt with him. He will not be spamming from us again."
All I'm getting is a "We're looking into it." I've gotten too many "We're looking into it's" from ISPs. I've gotten too many bounce messages, too. I've already helped get Real Networks on the MAPS RBL for being unrepentant in sending me junk. XOOM's getting there now. I have 84 spams waiting for LARTS to be fired off again, 4 relays to nominate to the RSS, and 74 spams filtered out according to the RBL or RSS. I'm tempted to start doing a spam or four a day. I only delete spams when I see the user responsible removed or reeducated. I wouldn't be surprised if I get a third of the load cut down because it's all AOL originating stuff.
I'm not saying that the job gets done. I just don't have any proof of it, and it shows on other servers.
Yet even with all that, I _still_ am beginning to hate uunet more and more. I've taken to adding little personal notes to my customary remarks- like "Please kill this spammer's account, oh UUnet source of my unending torments and target of my everlasting loathing and hatred. -postmaster@airwindows.com" It seems to make no difference and only relieves my feelings a bit. UUnet never stops giving spammers accounts and I'm damned if I can figure out if they even restrict them in the slightest way. I've heard they might do something like give warnings and say 'Send to other emails, ones that don't complain to us!' which is not an acceptable response.
Could _somebody_ please rip uunet's head off and #*$% down their neck? As a personal favor to me and Denor here? :P
Ohhhhh, I like this. I like it very much. I would point out that it's much much better to not have the others making threatening (and actionable) remarks at all. Have them just be there in a chillingly disciplined manner, saying nothing.
Ohhhhh, I'd pay to get to do that. Maybe someone should try to organize this :) pity I don't have a black suit. I do have imitation Blues Bros. sunglasses :)
If you don't want to get rid of the NT box yet, couldn't you use a Sendmail your public server which would only do basic relay checking and then relay the mail to your NT box for actual delivery?
That should be easier than moving your whole operation to Sendmail all at once.
--
"L'IT c'est moi!"
They don't even require a spam incident -- they will launch this "test" against any host that is nominated REGARDLESS OF WHETHER IT HAS EVER SENT SPAM.
I suspect that this is why ORBS is still accused of scanning for open relays. Some spammer is probably "nominating" whole IP blocks so they can check the ORBS list later. Since nobody smart uses ORBS, they now have a list of open relays, which are not on any real blacklist.
Either this is the case, the ORBS kiddies actually *are* doing scans, or AboveNET and many other ISPs are lying when they claim ORBS is scanning them.
-Chris
I rather like the RSS. It's suitably aggressive to catch a lot of spam, and has several advantages over ORBS:
1) It doesn't list multi-level relays[*] -- I count this as an advantage, because it cuts out the "block an entire ISP because of a few rogue customers" effect.
2) They can actually produce a spam for each listing, something that ORBS cannot do in most cases.
3) [related to (2)] When explaining to a (non-)admin why you are blocking their mail, you can point them to an ACTUAL SPAM INCIDENT and say "here's why."
4) [also related to (2)] There are no "manual listings" on the RSS -- every RSS-listed host is actually an open relay. Many ORBS-listed hosts are not open relays.... perhaps even most, with the multiple /16s of AboveNet listed.
[*] I really dislike the way ORBS handles this problem. Basically, if you run a (closed) relay, you apparently need to subscribe that relay to ORBS in order to keep it off of ORBS. Oh, yeah... there is one other alternative: you can enforce a no-servers policy, or (ack!) filter all incoming port 25 traffic to customers.
-Chris
If you are free to block them, how can you say they can't block you?
It's not that they can't, because clearly they can. It's that they shouldn't. They have attained a position of significant respectability (fairly wide-spread use) with their service, this separates them from the common user or isp. Users trust them to provide even-handed and consistent service, just like we trust our local police not to shoot someone in the knee caps for saying "Fuck you" to an officer.
When such brutality does occur, as we all know it does from time to time, the Police must be taken to task for wielding state-level power on a personal basis.
ORBS has successfully become a sort of 'Police' of the Internet. If they aren't grown-up enough to handle the responsibility in an enlightened manner, they will be replaced, and rightfully so.
I think (hope) that such things are growing pains, and that as they come to realize that their new-found influence comes with certain responsibilities.
**>>BELCH
The 'CLUE of prevention' you speak of is valid at the local level. At the global level things aren't so clear. You, as a fully functional human being, have untold potential to wreak havoc upon your neighbors. Should they kill you now to prevent that possibility?
**>>BELCH
First, a note to say that I *highly* disagree with the moderator consensus relegating your post to mere 'flamebait'. It's a jury of our peers, tho', and we can't expect to agree all the time. Bad moderation happens, as we see here. Fact of /. life. For the record, overall, I think moderation works pretty well.
That said, I disagree with your post for the simple reason that this is an interesting and important issue, and it's good to have it a bit further in the public eye. I care about such things, but I'm not a full-time administrator, so I don't (yet) peruse the specialist forums. Your annoyance is understandable, but I still disagree.
Respectfully,
skent
**>>BELCH
Brilliant post, doomed to the slush-pile.
Oh well!
**>>BELCH
This clearly demonstrates the problems associated with one entity having too much market share in any particular market. Any blacklist that bans AOL is shooting itself in the foot, because there's too much legitimate mail coming from the aol.com domain. For millions of people, AOL basically is the Internet. That's a problem. It demonstrates a problem we all know so well from the operating systems field: when one player has too much market share, they can basically act with reckless abandon. Everyone has to work with them or risk locking out their own customers, or potential customers.
--
Tired of FB/Google censorship? Visit UNCENSORED!
I'm sure the vast majority of the AOL machines are NOT in ORBS, and most mail will get through.
---
The ORBS people have always been sitting ducks for a restraint-of-trade lawsuit.
Now they've taken on someone who knows very well how to spell "lawyer".
The last I saw a discussion with the ORBS kids, their attitude was "we decide who is in the wrong, and how to punish them". Even when they are right, such an attitude creates enemies.
And when they are wrong, the lawyers descend.
I have been an opponent of the RBL for a while. There is absolutely no checks and balances to prevent personal grudges from taking a toll on businesses, etc. The company I work for was placed on the RBL by one of the board members, without any contact. The reason: He received an email he didn't want from a customer which had a website with us. Mind you they didn't use our mail system to send him this email, nor was it SPAM.
Subjective control of the Net is wrong, for the same reason that censorware is wrong.
The RBL is a heavy handed approach to solving problems. Rather than taking the approach ESR took with Netscape, they are extorting email providers into compliance. That's just wrong.
ORBS only serves to make an application level RBL. These approaches are entirely wrong, diplomatic approaches must be made to solve the problem, not heavy handed politics.
Our relay is partially open - it allows relay only if the sender's e-mail address or at least one recipient's e-mail address is from a locally-hosted domain. Not the most secure method, perhaps, but it seems to be enough extra work that spammers simply find a wide-open relay and use it instead of us. There's a much better way to do this. I modified our POP server at a previous employer such that it placed an IP on an approved relay list for up to two hours after a valid authentication. This worked great for people on the road because all they had to know was that they had to check their mail before trying to send anything (something people usually do anyway). c.
Log in or piss off.
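As an added illustration (not any poster's code), here is the two-rule relay policy the post above describes, with the POP-before-SMTP allow list expiring two hours after a login, plus the client-ordering problem raised later in the thread; the domains, IPs and timestamps are constructed.

```python
from dataclasses import dataclass, field

# Constructed sample values for the illustration.
LOCAL_DOMAINS = {"example.net"}
POP_GRACE_SECONDS = 2 * 60 * 60   # the "up to two hours" window from the post


def _domain(addr: str) -> str:
    """Domain part of an e-mail address, lower-cased; '' if there is none."""
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


@dataclass
class RelayPolicy:
    local_domains: set
    grace: int = POP_GRACE_SECONDS
    # ip -> time after which the POP authentication no longer counts
    _pop_ok: dict = field(default_factory=dict)

    def pop_authenticated(self, ip: str, now: float) -> None:
        """Hook the POP server would call after a successful login."""
        self._pop_ok[ip] = now + self.grace

    def _ip_recently_authenticated(self, ip: str, now: float) -> bool:
        expiry = self._pop_ok.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self._pop_ok[ip]   # prune the expired entry
            return False
        return True

    def decide(self, ip: str, sender: str, recipient: str, now: float):
        """Return (accept, reason) for one RCPT TO, checks in the order they run."""
        if _domain(recipient) in self.local_domains:
            return True, "local delivery"          # not relaying at all
        if self._ip_recently_authenticated(ip, now):
            return True, "POP-before-SMTP"
        if _domain(sender) in self.local_domains:
            # Weakest rule: MAIL FROM is unauthenticated and trivially forged,
            # which is why the poster calls it "not the most secure method".
            return True, "local sender (forgeable)"
        return False, "relaying denied"


def road_warrior_session(send_first: bool) -> list:
    """Model one remote user sending to an outside address. With send_first the
    client tries SMTP before it checks POP, so its IP is not yet on the list.
    The sender address is deliberately non-local so only the POP rule applies."""
    pol = RelayPolicy(set(LOCAL_DOMAINS))
    ip, t0 = "198.51.100.7", 1_000.0           # constructed
    sender, rcpt = "traveller@other.org", "bob@elsewhere.org"
    outcomes = []
    if send_first:
        outcomes.append(pol.decide(ip, sender, rcpt, t0)[0])   # refused
        pol.pop_authenticated(ip, t0 + 1)
    else:
        pol.pop_authenticated(ip, t0)
        outcomes.append(pol.decide(ip, sender, rcpt, t0 + 1)[0])  # accepted
    # A second message two and a half hours later falls outside the window.
    outcomes.append(pol.decide(ip, sender, rcpt, t0 + 9_000)[0])
    return outcomes


if __name__ == "__main__":
    print("check mail first:", road_warrior_session(send_first=False))
    print("send first:      ", road_warrior_session(send_first=True))
```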
Tough luck. When you sign with an ISP you sign with the Acceptable Use Policy, Term of Service and other appropriate stuff. If it says no SPAM this means no SPAM. If unhappy change the ISP. You have no legal grounds to sue the sysadmin after you have signed that you actually allow the sysadmin to do the filtering. So long and thank you for the Fish...
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
AOL has been in the RBL in the past. It has not invalidated the RBL. Actually it brought more popularity.
I did not consider using ORBS till now, I do now.
These are not AOL mail outputs. These are the inputs.
As a person who had been hit by an AOL end-user generated mail D.O.S. at one of my previous jobs I can tell you for sure. You are checking the wrong IPs. Better scan your logs for AOL incoming and get the IPs from there. Thus you will get the tier 1 relays. From what I recall there are at least two more tiers which you can determine by firewalling Tier1 and then the appearing Tier2.
A company I just got a job with is having the same problems with NT. It used to allow open relaying for customers, but guess what happened? Yep, spammers found us. Now we're closed, but the mail package is a real piece of crap and I got the boss to let us switch over to qmail. I guess enough with the side story.
Linux O Muerte!
You miss the point: If my system is closed, there is no reason for ORBS to list it in such a way that everyone using ORBS will think it is an open relay and bounce messages from it.
Unless, of course, it's a power trip, and has nothing to do with stopping spam.
Should people with buggy MTA's upgrade? Probably. But ORBS shouldn't spite-list them, and shouldn't keep testing them; it should leave them alone.
Keep in mind, we're not talking about "any random SMTP". We're talking about servers that move thousands of messages an hour, and never, ever, crash *EXCEPT WHEN ORBS HITS THEM*.
You may prefer 17 messages to a spam run. I prefer no messages to 17 messages. I know enough to keep my servers secured, and test them actively whenever anything changes. ORBS does not believe I have a right to be left alone.
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
You're spoiling our fun. (Hey, folks, moderate that guy up. He's the AOL guy who makes less spam.)
Harmless if you happen to run the exact mail server they want.
There are mail servers, *WHICH ARE NOT OPEN RELAYS*
* where any relay attempt will create a message in postmaster's inbox.
* where certain of the ORBS tests *CRASH THE MAIL SERVER*.
The latter is a bug. So? Why should you have to let this *ASSHOLE* crash your system every time he gets the idea, when you *CAN'T* be used as a relay? He won't stop, ever, and the best you can do is have him list you as if you were a spam hydrant, even if no spam, ever, has left your machine, and you're not an open relay.
I know people who have this problem.
Anyway, if seventeen messages isn't enough resources to worry about, why do you mind spam? I only very rarely get more than 17 spams in a day after filtering...
Spam actually, really, from AOL accounts, or spam with "@aol.com" forged into the headers?
How much spam do you get per user? How does this compare to other ISP's?
I don't think AOL is all that bad *on a per-user basis*. The same thing that makes them so hard to block (they have an amazing number of users) pretty much guarantees that, even if they had many fewer spammers "per million users", they'd have an apparent "spam problem".
AOL isn't nearly as bad as Netcom and uu.net once were, and none of them are as bad now as what we used to take for granted as the cost of having an email address. I don't mind AOL all that much; they're not that much of my junk mail.
When did this happen? Which company? Which board member? Post a URL pointing to all the documentation showing what the email was.
:)
Or, allow me to continue believing that the RBL is astoundingly well-managed.
(Note that everything like this I've heard dates back about to the point where they had maybe one employee, and really doesn't apply to the RBL as it exists today.)
I manage a mail hub that was probed by ORBS. They provided the service of informing me of the security hole, for which I am grateful. Thanks to them, I secured my server against spam relaying.
Besides the obvious desire to provoke, why would you call their probes an "attack"? From my mail logs, I see that their probes take up very little resources. There were not that many requests, and there were pauses between them. They test using legitimate SMTP requests, and they are entitled to do so once you put your SMTP server on the net. There is a big difference between a handful of probes that result in perhaps a single relayed mail, and a spammer pounding on your unsecured server with thousands of requests for relayed email. I would rather have ORBS test my server any day.
See their site for details. They do not randomly test sites, but only test when a suspected unsecured site is nominated by someone. Their probing serves, as you say, to "talk to the host accused". The admin has a whole month to secure the thing if it is found insecure, before it is publicly listed.
I'm sorry? My company's mail and web servers that run off of a 2mbps SDSL line are pirate or not legitimate? The mail and "do everything" linux box I have on my 768k ADSL line is pirate or not legitimate? Gee, that's funny. I rather thought anything that could fling packets via TCP/IP was a "legitimate" server.
This will be of great interest to my users, both at home and at work. 752 people (as of this morning) will be happy to know the services they reliably access, and have accessed for almost 2 years now, are provided by an illegitimate server.
Oh, and before posting, please learn to spell. It's an "impediment" to accurate communication.
--------------------
I am trying to convince my superiors to let me start refusing mail based on ORBS and MAPS RBL queries, but denying a large volume of legitimate mail (as the case would be with AOL on the ORBS list)...
FYI, this would still be the case even if AOL were not in the ORBS database. ORBS lists quite a lot of servers that mostly deliver legitimate mail, sometimes on the basis of pretty obscure relay tests and often even if the relay is not actively being abused by spammers. The ORBS philosophy, as far as I can tell, is essentially that it's okay to throw out a few babies as long as you get rid of the bathwater.
I would put more trust in the MAPS RBL, DUL and RSS databases as more responsibly run systems: while not as aggressive as MAPS, much less likely to discard legitimate correspondence. For many sites, that is of paramount importance.
We use three spam lists:
RSS
DUL
RBL
The RSS is a toned down version of ORBS; it only lists relays that have been used to spam, which makes it easier to explain the problem. The DUL blocks any direct from dialup spam. The RBL blocks blackhole sites. The main problem with ORBS is that it is harder to explain (with RSS you can say 'spam _has_ been sent through this server'), and it blocks a lot more sites, which makes it hard to handle on anything larger than a personal mail machine.
Maybe your grandma can handle a real ISP, mine can't.
-B
But it need not be a black hole if you don't want it to. It may not be the default that they tell you how to set up, but should you be reconfiging company e-mail if you can't make Sendmail do what you want?
AFA their criteria, all of these different lists have different criteria. It's the Admin's job to pick the one that fits best with their mentality.
Pax.
-- IANAEG - I am not an elder god.
Well, your ORBS reply message should be set that someone should understand it well enough (though I grant you that few on AOL would grasp most concepts tougher than the 'start' button) to forward a copy to their postmaster.
;-)
Say something about your mail service, aol.com (create that), is assisting spammers and illegal activity, yadda yadda. If you want to help fix this so you can send *your* e-mail, forward this to postmaster@aol.com (create that, too). With a minute or two spent on the message, you could practically tell them step by step how to properly deal with it (though some couldn't find a button with two hands and a roadmap...). Then in the next paragraph you can list the normal ORBS stuff, with the URL and all that jazz.
Tens of thousands of calls to AOL customer service may be the only way to remedy the situation, so people have to do this. I suggested in another post a rather extreme view (have the backbones cut them off from the rest of the world until they update a setting or two). Shouldn't be tough to see some action then, and then AOL could have some cute little 'art' appear on everyone's screen saying that the world has stopped being unfair to all of you wonderful AOLusers and that you can get back to that big scary internet, but we know you don't want to, so come join a chatroom...
A lawsuit would work, too
"It's tough to be bilingual when you get hit in the head."
Moderate this as off-topic if you will, but does anyone remember the days when AOL was *strictly* a proprietary ISP? Before the days when AOL'ers lurked (leaked) onto the Net proper? I get nostalgic for the days of Netscape 1.0. (Or even Mosaic betas...)
This entire discussion -- ORBS, RBL, etc. -- does bring up an interesting tangent: as a community, we have a helluva pull on the marionette strings. When a company does something bad, the ball usually starts rolling here for protest pages. But why doesn't someone start an "evil-company blackhole list" and disallow *all* services to that company. Block access to www.mattel.com or, better yet, redirect to a page telling people why Mattel is being evil and then give them the option of continuing to the site or signing a petition.
It's just a thought, a random and tangential thought, but hey... I figured why not throw it out there.
----
Am I the only one who thinks Microsoft is a misnomer? Perhaps Macrosoft would be a better fit?
I vote they suck. I own an ISP and about a year ago got blocked by ORBS for running a mail server that allowed mail throughs. I upgraded the server, shut off access to the outside world for mailing through us and report said event to ORBS. ORBS kindly removed my name from their list and everyone was happy. Two months later, a dedicated customer of mine got stuck on the list AND my mail server got stuck on there again but this time as a relay for THEM! Needless to say, the customer was running a crappy mail server on an even crappier O/S (insert best guess here) and I had to block him to get myself off ORBS. Turns out the customer had the logs from the whopping 1000 emails that had run through his site (in the past 4 months) and we discovered what appeared to be "fishs" for a mail through situation on his server and they originated from a site on ORBS. Now they say they don't scan for mail through servers, but this evidence seems to say otherwise. It's my opinion that they will do and say anything it takes to support their cause, which isn't fair to everyone involved.
Ok, great - so AOL is on the ORBS list. However, ORBS has been known in the past to do things that they should be smacked on the ass for. They have portscanned our network once - 96 class C's!! They probed one machine which was a virtual web server running an older version of sendmail, and came up with several hundred "open mail relays" not knowing that: 1. All of the IP's were the same machine, and it has _never_ been used for SPAM. It's a web server, and it doesn't do mail. Get it? *smack* 2. This kind of network intrusion is an invitation for an ass kicking. It would be nice that at least they would have said something... The move was definitely unethical. btw... ORBS used to be based in Canada. Then they pissed some people off and had to relocate to New Zealand. har har. Anyhow, it is nice to know that someone out there is an active anti-spammer, but hey, using brute force will only make people angry. It definitely won't help solving the spam issues... And for AOL... As long as they provide a cheap, unreliable, insecure access to the net, they will be a spammer heaven. Frankly, I don't think they give a shit about ORBS. They will sue the living shit out of everyone and their dogs, and pay whatever the price is to get their way.
--- sig moved for great justice.
Most email clients I've used try to send outgoing mail first before downloading incoming. So telling your users to check their mail first doesn't help if they're using popular POP clients like Eudora. The MSOutlook/Exchange products often do some authentication first, so they might be able to use this dodge.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
So you're guilty _because_ you're innocent!
Seriously, if the purpose of ORBS is to prevent machines from being used by SPAMMERS, and ORBS can't get in to abuse the relay as a test, then spammers can't get in to abuse it for spamming.
If you've got a site that _deliberately_ blocks ORBS, either it's got some good reason to dislike the probes (e.g. the guys whose lameNT mailer crashes), or because it's running mailer protection software that interprets ORBS as a spammer's probe (good - so they're blocking real spammers too), or perhaps they provide spamming services (in which case the real problem is users with accounts there, not relays.)
This is almost the exact word for word attitude that some of that shitty censorware stuff takes.
Essentially their argument is that you can't have anything worthwhile to say if you have a free or no cost based web site. On that basis almost all of geocities, xoom, and many other providers gets blocked (Bess).
Another question that needs asking here. I can just imagine a group of fed up people actually taking civil action against an ISP that has some sysadmin that just blithely blocks e-mail from some location because of "spam" (that's a crappy name for it).
Few of the people who actually run ISPs are in fact owners of said equipment or lines and as such do not have the moral or ethical footing to make such calls.
Unless you are actually running your own legitimate server (no not a pirated or other server off your cable modem or DSL or ISDN connection) you can't make calls like that.
I have every reason to believe that most people are just getting screwed over by the Olympians on this one because no one who is getting harmed with having their e-mail blocked has any ability to effectively do anything with it.
As another poster has already pointed out there is a really bad streak of BOFH in many people that works almost the way it does in cartoons.
You know the two little people that stand on the shoulders of various characters and represent good and evil? Well I think that many people are listening to the pointy horned one.
I know personally of several cases where judgements were filed against various sysadmins who thought that they were going to screw the users in any fashion they wanted. A teacher at a highschool was relieved of his position after taking copies of e-mail correspondence that in fact did not belong to him and then attempting to use it to further his own agenda and get the people involved kicked out of school.
Data deletion and malicious banning are also things that I have known to happen.
How would you feel if say I really didn't like you and started to actually do packet sniffing and then do an active regex search of all packets coming out of your domain. Then I systematically tamper and trash all of those packets that are e-mail messages say after a random number of packets has matched? Not so funny now is it?
When you work at a job there is a little clause in employment contracts which states something to the effect that anything you do is only permitted if you have authorization from legal representatives within the company and perhaps others in the upper echelons of the company. Without this you cannot do anything without taking a hefty chunk of liability and as such should not try to limit access from ISPs who are legitimately attempting to provide a service to their users.
The mere fact that the list of blocked sites that is being discussed has been removed from its own service providers several times is indicative of how draconian these people are.
There are already attempts to make intelligent AI-driven mail and news filtering engines that can attempt to classify various messages by content and word analysis (similar to Echelon). Positive results are showing up all over the place.
Then once that is done just rapidly have users check their "spam" folder rather rapidly and bam no more problem for them. After doing an analysis of my own mail box and roughly 40,000 from several unix domains I have determined that in fact on the whole 97.8956% of all spam messages that are sent during "peak" times (ie when factored for various changes in Time Zones relative to each other) between say Monday-Friday 10:00-22:00 with the peak being at about 8pm on Wednesday (maybe more people are home then).
Messages in this time period do not exceed 8-12k in any circumstance.
I can't see how realistically when such massive bandwidth and tremendous risk is involved one can justify acting as a free speech impediment.
Slashdot social engineering at it's finest
Oh, sorry... was that a troll?
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
>As long as they don't break any laws, there is no reason for me to do anything.
If you are talking about the door-knob turner, they ARE breaking the law. It is called prowling. And Trespass. And if they keep doing it, stalking
http://www.wwlia.org/ca-stalk.htm
>you should try to resolv this matter
Resolution is possible with reasonable people. ORBS are not reasonable with their methodology. They blindly attack hosts, and when asked for proof as to why my host was attacked, they can provide NO PROOF OF SPAM so that I might figure out how to stop that 'alleged spam' in the future.
Go on NANOG's lists. Look around, and you will see that ORBS is believed to do more harm than good. Because ORBS is no better than the spammers who probe hosts. And because ORBS is a net terrorist.
You want change? Then get ORBS to modify their methods. Get them to contact the admins before they test. And provide proof of the SPAM from a site. Have ORBS be REASONABLE, and they won't generate all this ill-will they have.
Right now, ORBS is a net-terrorist.
If it was said on slashdot, it MUST be true!
For as long as I've figured out how to use nslookup, I've been waging my own private war against spammers.
Lately, my anger has been less and less directed toward the spammers themselves (they're still bastards), and more and more toward the companies that allow it to happen.
Specifically, PSINet and uunet, but I've also got spam from AOL, the sprint dialup network, and various lesser-known servers. Most of the time, the only kind of response I get when I send in an abuse report is a form letter, and that's it. Sometimes I get to know when the offender's account has been closed down, but when it's actually a relay acting up, that doesn't help.
And no matter how many abuse reports I send in, no matter how many times I send a letter to the administrative contacts telling them that they are allowing people to exploit security holes (the open relays) in their mailservers to send bulk e-mail to people, I've never once got any kind of reply other than a form letter.
So my question is, really, is there any way to get through to these people? Are the corporate ISPs so utterly clueless that they can't comprehend the idea that spam is a Bad Thing? What does it take to get through to these corporations? Does the Better Business Bureau take complaints about spam-enabling companies? Would writing letters to the editor every time a spam-offending company is mentioned positively in an article help? Would making an appointment with the corporate types and showing up in person even make it past the "call them up and try to arrange something" phase?
I'm becoming really burnt out on trying to get rid of my spam. The S/N ratio on my mailbox has dropped to almost negligible levels - I'd abandon it if most people didn't e-mail me there. I want to stop spammers, but even sending e-mail to abuse departments doesn't help. What, then, can be done?
-Denor
Conversely, I haven't been able to attribute any of the last dozen or more spams I've gotten to an AOL source. Plenty have listed AOL in the headers, or included AOL e-mail addresses, but they were all forged in an effort to put people off of their trail.
Additionally, in the same period of time, I've received probably 8 or 10 e-mails from friends/family that use AOL. I would most certainly raise a stink if my ISP decided to honor ORBS lists and keep me from receiving this e-mail.
IMO, AOL doesn't account for *nearly* the amount of spam as other major ISPs out there, and despite the fact that their abuse address never really replies to my complaints (or if they do, it's usually about a month later), I rarely (if at all that I can remember) get a repeat AOL spammer. I mean I'm perfectly willing to acknowledge the possibility that I might just be lucky, and that the true majority are getting pummeled with repeated AOL spams from the same people, I'm just not one of those people, and from what I've been reading, lots of others are in the same boat as me.
I've never been particularly impressed with ORBS.. their "rules" about who gets added are entirely too subjective and not nearly as objective as they need to be. MAPS RSS has the same goals (listing open relays), but they're much more responsible about when they list someone. *shrug*.. Just my opinion.
You can always "whitelist" any servers that you wish to receive mail from, despite their presence on ORBS, RSS, RBL, or DUL, by putting them into /etc/mail/access (assuming you're running sendmail, and have that feature enabled), e.g.
mail.wideopenrelay.com RELAY
This, of course, diminishes the punitive value of the list, but it's better than not using the list at all. IMHO, you don't even need to give a second thought to using the RBL (which only lists serious repeat offenders, IIRC) and the DUL (dialup users should use their ISP's mailserver). The only servers I've had to whitelist at a user's request have been on RSS, which is far more aggressive than the RBL. (I don't use ORBS, since I find it too aggressive.)
--
Great, AOL has been added to ORBS. This will probably serve to invalidate ORBS more than anything else. The fact of the matter is that an ISP cannot refuse AOL e-mail. AOL simply puts out too much legitimate e-mail to make blocking them outright even a possibility. The customer complaints would be tremendous and it would cause an ISP to lose credibility with customers who don't understand things like ORBS and open relays, who only understand things like grandma can't e-mail her granddaughter happy birthday. What's that mean? Selective entries on ORBS will start being ignored and once you start down that slippery slope, you may as well wave bye-bye to any sort of influence that list may have.
What needs to happen is a bunch of ISPs need to get together and file a lawsuit against AOL for allowing so much spam through their systems. A groundbreaking case for responsible management of systems on the Internet would serve our fair network well.
I also find your anecdote extremely surprising, and I'd like to see some proof... I thought that the RBL was a last-ditch effort after contacts had been made.
---
In the immortal words of one of my co-workers. "You can't spell a**hole, without AOL"
"Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
I've been a victim of their net-terrorism.
My company has a dedicated server through Digital Nation. Well, apparently, we inherited the IP address of a machine that USED TO BE an open relay. Never mind that we've been using a version of sendmail that doesn't permit open relays since the first day we turned the machine on.
And ORBS refused to take us off their list.
You can't call them up and reason with a human being. You're totally at the mercy of their anonymous maintainers. And they don't listen to you when you show them PROOF that your IP isn't an open relay. And they don't listen to your ISP when they show them PROOF that there is no open relay.
ORBS sucks. Their cure really is worse than the disease.
As a behavior-modification tool, the ORBS is useless. Too many people run insecure mail servers for most people to be willing to filter it all out. Enforcing the ORBS list will be more painful to the enforcer than the violator.
A better method would be to get a court case to establish that people running insecure mail-servers have partial liability for spam-floods using their server. A case could easily be made that anyone with the knowledge to run a mail-server has the ability to discover that running an open relay is dangerous, and the ability to perform some minimal securing.
Completely misleading.
If you follow the naive instructions to turn on ORBS, it will bounce everything, and it will also bounce all of the "static listings" - hosts which are almost always *NOT* open relays, many of which have never emitted a single spam, ever, but just don't allow gratuitous testing.
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
http://www.mail-abuse.org/rss is a "realtime" relay system. If you get a spam that used someone else as a relay, you forward them the IP of the relay, and it gets added to an RBL style list. Only after it's been proven that someone's mail server is being used for spam can it get added, and the turnaround time for off and on this list is very short. Take a look at their FAQ for more info.
Aside from the irony that the AOL listing is not for AOL itself but the dialups..
People like you who don't bother to secure themselves against spam are why the problem exists. If you had an unsafe building then you would get forced to clean it up.
ORBS exists because people don't care about open relaying. Hey, it's not you being spammed, it's all those other folk, you can fix it later.
Not socially responsible at all.
Well, I know of a few people who are going to be a little disappointed if this happens... my school properly secured the mailserver a few years ago, at which point some of the more spam oriented folks on campus realized that aol's servers were still wide open for such things... actually, so were sgi's (at the time). I'm sure that's been fixed...
/mp3 and /movies directories... There were more than a few people who got shut down because of that.
The best is when the school ran a local search, and all sorts of people got hatemail saying "we found an active relaying mailserver on the system in your room. Fix it or be assimilated... I mean, deactivated" (or something to that effect). Pretty funny. Then, of course, came the firewall, so that ended the need for that, so they only scoured internal webservers for spurious
Of course, a college can easily shut off a port on a managed hub, but for AOL, maybe Sprint, MCI, et al could just sever any links out to the rest of the world until they comply... that would be pretty funny (I can see the even dumber commercials now... "Now with re-activated internet connectivity!").
AOL... hehe
"It's tough to be bilingual when you get hit in the head."
AOL doesn't use any external 'blocking lists' in total. We maintain our own lists of problem providers and dialup IP ranges, supplemented by careful and judicious use of what's publicly available.
There's a simple reason that we don't bounce messages during the transaction, and that's because we don't verify user information during the transaction, in order to prevent spammers from dictionary-attacking us to get lists of AOL's usernames (Not that they don't try... they do... constantly).
Even though we have controls in place to try and prevent the amount of bounced mail we send to a delivering site, we still crush a number of them from time to time, because they're a: getting spammed through, or b: getting spam forged in their name.
Ask Netcom (well, you could if they were still around in other than name), MCI, Yahoo, hotmail, and more, but they're the ones that everyone knows. Hell, Vint Cerf's called personally to get us to take it easy on 'em. (I did).
We simply don't have time to respond to spam complaints... way way WAY too many of them. We can't tell you any specific details of any action we take against a member's account, because AOL's privacy policy guidelines prohibit this. (though I've been known to drop the occasional hint when it's something that needs a response)
I (up 'til yesterday) was the person that dealt with IRC abuse, and I know that it gets dealt with, albeit slowly because it takes awhile to track down the actual user.
As for MU(X|SH|CK|D)s, I'm a mux/mush coder myself, and I'm pretty damn sympathetic to those kind of abuses, and if I see 'em, they get dealt with harshly (no, that doesn't mean mail me directly... reports from people I don't know get ignored cause otherwise I'd go insane)
AIM is (supposed to be) self-policing... that's what the warning ability is there for. Sure, it gets abused, but well, you can't give something away with assholes getting in the mix.
Scott Crain
AOL Mail Ops (and up way too late. Where's dat update you mentioned, Hemos? =)
I couldn't agree more. I have a system running qmail which I'm pretty sure is not an open relay, but I can't post to mailing lists that use ORBS because ORBS blocks every single address associated with my ISP, Roadrunner. Why? Because Roadrunner objected to being scanned. Perhaps a little pigheaded on their part, but it's Roadrunner's prerogative. It was even more pigheaded of ORBS to retaliate by listing every single *.rr.com host as an open relay.
I simply don't see how ORBS helps the internet community. They block hosts indiscriminately, sometimes vindictively.
Here's Roadrunner's commentary on the whole mess, taken from one of their newsgroups:
; "Jr." wrote in message
news:MPG.12ffb6474d5873d1989688@newsr2.texas.rr
HISTORY:
Road Runner customers and Affiliates initially contacted us with a security issue. They were concerned with their privacy and security when an unknown entity (to them) began scanning them without permission. We initially tried to address this case by case and later contacted the ORBS administrators and requested that this unwelcome scanning be terminated. This is analogous to someone requesting they be removed from a list that they did not subscribe to. With this request, all Road Runner IP space was unexpectedly added to the ORBS list with a public statement on the ORBS WWW site, as well as the bounce message which our subscriber has received. As scanning continued against our repeated requests, the individual ORBS scanning hosts were filtered out of our network.
Although we strongly believe in stopping SPAM on the Internet, as well as respect the initial work and charter ORBS has been under in the past, we have serious concerns at the current methods and actions that are taking place:
e.g.
- Scanning of private networks without permission from targets
- No REMOVE capability from the ORBS scanner
- When someone tries to stop or block the ORBS scans, they are blocked by ORBS.
- No warning, as well as false public statements about the individuals scanned or their provider. THAT IS: If you have a relay (known, or unknown to you) you are called a SPAM supporter publicly without any warning to correct it before ORBS adds you.
- Misinformation on ORBS' own web site (http://www.orbs.org/whatisthis.html): "What is ORBS? The short answer: ORBS is a validated database of open mail relays and open mail relay output points, accessible via DNS lookup."
- The addition of Road Runner hosts to a "secret" database. Road Runner hosts are not listed via their normal web lookup at http://www.orbs.org/verify_1.html
Road Runner believes strongly in the fight against SPAM. We have addressed it with strong policies, enforcement and our own relay detection methods. We will continue this effort, work together with other providers and the Internet community (including ORBS) to make a difference. However, we reserve the right to assess the methods used, by whom and determine the best way to accomplish the desired results for our business.
Right now, 22:40 UTC, no AOL server is listed by ORBS. I mean, no MX for the domain aol.com is listed by ORBS. Maybe an AOL client is listed by ORBS, but certainly not the entire aol.com domain.
# host -t MX aol.com
aol.com mail is handled (pri=15) by yh.mx.aol.com
aol.com mail is handled (pri=15) by za.mx.aol.com
aol.com mail is handled (pri=15) by zb.mx.aol.com
aol.com mail is handled (pri=15) by zc.mx.aol.com
aol.com mail is handled (pri=15) by zd.mx.aol.com
aol.com mail is handled (pri=15) by yb.mx.aol.com
aol.com mail is handled (pri=15) by yc.mx.aol.com
aol.com mail is handled (pri=15) by yd.mx.aol.com
aol.com mail is handled (pri=15) by yg.mx.aol.com
Ok, each entry is a round-robin alias with 4 IPs.
With a bit of typing and http://www.xnet.com/~emarshal/rblcheck/, I verified that no IP listed by this simple query is actually listed in ORBS database, or at least the database which can be queried by the standard RBL DNS hack.
# host za.mx.aol.com >> foo
# host zb.mx.aol.com >> foo
etc...
# echo "bla 127.0.0.2" >> foo
(this is to check the script below)
(script named "bar")
#!/bin/sh
rblcheck -q -c -s relays.orbs.org $1 1>/dev/null 2>/dev/null
echo $? : $1
# sed 's,.* \([0-9.]*\)$,\1,g' foo | xargs -n1 ./bar
("0 : " == not listed in ORBS
"1 : " == listed in ORBS)
0 : 152.163.224.3
0 : 152.163.224.4
0 : 152.163.224.5
(...etc...)
0 : 205.188.157.1
0 : 205.188.157.2
1 : 127.0.0.2
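The same check as the rblcheck/xargs procedure above, and the access-map whitelist idea from the earlier sendmail comment, as an added example that is not from either poster. It builds the reversed-octet query name an RBL-style lookup uses, and since the relays.orbs.org zone no longer exists, it resolves against a constructed answer table by default (a real-DNS resolver is included for any zone that is still alive); only the 127.0.0.2 self-test entry is "listed".

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Set

# Constructed DNSBL answer table standing in for the (defunct) ORBS zone.
# Only the RBL self-test address 127.0.0.2 is listed, as in the post's 'foo'.
FAKE_ZONE_ANSWERS: Dict[str, List[str]] = {
    "2.0.0.127.relays.orbs.org": ["127.0.0.2"],
}

Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reversed-octet lookup name: 152.163.224.3 against relays.orbs.org
    becomes 3.224.163.152.relays.orbs.org (the 'standard RBL DNS hack')."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything but IPv4
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def table_resolver(name: str) -> List[str]:
    """Resolver backed by the constructed table; [] plays the role of NXDOMAIN."""
    return FAKE_ZONE_ANSWERS.get(name, [])


def system_resolver(name: str) -> List[str]:
    """Resolver using real DNS; [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def rbl_status(ip: str, zone: str, resolve: Resolver = table_resolver) -> int:
    """1 when the IP is listed, 0 when it is not (the exit codes 'bar' echoes)."""
    answers = resolve(dnsbl_query_name(ip, zone))
    # DNSBLs answer with loopback-range addresses (127.0.0.x) for listed hosts;
    # any other answer is treated as "not listed", never as a listing.
    return 1 if any(a.startswith("127.") for a in answers) else 0


def check_hosts(ips: List[str], zone: str = "relays.orbs.org",
                resolve: Resolver = table_resolver) -> List[str]:
    """Equivalent of 'xargs -n1 ./bar': one '<code> : <ip>' line per address."""
    return [f"{rbl_status(ip, zone, resolve)} : {ip}" for ip in ips]


def accept_mail_from(ip: str, zone: str, whitelist: Set[str],
                     resolve: Resolver = table_resolver) -> str:
    """Mirror of the sendmail access-map whitelist (keyed by IP here rather
    than hostname): a whitelisted peer is accepted even if the list names it;
    otherwise the DNSBL answer decides."""
    if ip in whitelist:
        return "accept (whitelisted)"
    if rbl_status(ip, zone, resolve):
        return f"reject (listed in {zone})"
    return "accept"


if __name__ == "__main__":
    # Constructed sample: two of the AOL MX addresses the post lists plus the
    # self-test address it appended to 'foo'.
    for line in check_hosts(["152.163.224.3", "205.188.157.1", "127.0.0.2"]):
        print(line)
```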
From their What is this? Page:
ORBS is NOT a "black hole" - we do not disseminate routing information causing included hosts to be unreachable from portions of the Internet. Running an open relay is usually accidental and those admins who continue to run open relays after being warned about it by ORBS and/or other entities will eventually find themselves in the MAPS RBL - which is a "black hole" and is used by at least 40% of the mail servers on the Internet.
ORBS tracks these systems so that people operating mailservers subscribed to our database can block e-mail coming from open relays until such time as they are fixed to no longer permit third-party SMTP relay. Admins may alternatively set their systems up to tag messages delivered from open servers as "possibly spam", or just log the connections. What any admin does is entirely up to that admin. If you've been blocked from delivering mail and given a pointer to this site please note: It is the decision of the administrator of the site which blocked you to disallow mail from open relays. Those open relays must comply with that admin's rules (not ours) in order to deliver mail to that site - we're just verifying to the admin whether a host is an open relay or not.
-- IANAEG - I am not an elder god.
despite the fact that it's great fun watching people find outlets for their high horse talk, heck I'm one of 'em.
.oO0Oo.
I've never used AOL or had any problem with any of its users. What I do know is that it's using its muscle in the UK to force down the price of access. They are attempting to expand in the UK not by simply wooing competitors' customers but by expanding the market. In this way even maintaining market share - or even losing some - is still a win. When players such as Freeserve haven't turned a profit but derive their huge revenue from bloated cost of access they are still vulnerable to the next wave.
AOL was the first major company to move to a 1p a minute 24 hour access. Previously it was 4p per minute for daytime modem access (8am-6pm). Others have quickly followed (ntl: for instance) and now we are beginning to see flat rate 24/7 access finally arrive.
The UK is finally going to come alive net wise so expect plenty more AOL users to come aboard.
There are places where the networks are not touching, and there are places where they are. -Boeing's Lori Gunter
[posting anonymously for obvious reasons]
Our company's primary mail server has been in the ORBS database for a long, long time... We made the choice (mistake?) of choosing a closed-source, commercial mail package running on Windows NT Server instead of something open (like Sendmail or Qmail). I've been regretting it ever since...
Our relay is partially open - it allows relay only if the sender's e-mail address or at least one recipient's e-mail address is from a locally-hosted domain. Not the most secure method, perhaps, but it seems to be enough extra work that spammers simply find a wide-open relay and use it instead of us.
Originally, we had a completely open relay, but after a few incidents where our server was used by spammers, we paid (through the nose) for an add-on option to our mail server to allow this selective relay ability. During one of these incidents, we were added to the ORBS database. And once you're in the ORBS database, you never, ever, ever get out, even if you're clean.
We passed the ORBS test with flying colors after getting the selective relay option working on our system... until about a year later, ORBS put us back in the database, after adding a couple new tests. One of the tests (NULL sender envelope) got through our system, and we were once again considered an "open" relay.
About that time, our mail server vendor had just released a new version of their software, including a fix for the problems ORBS detected. And it was bargain priced - only $1,500 US to upgrade to version 4.0! And hey - that "unlimited" domain hosting option we paid for? Sorry, not available in version 4.0, we'll have to pay-per-domain. Oh, and we'll have to pay extra to upgrade the anti-spam option we already paid $800 extra for just a few months ago.
This is turning into a ramble... I guess my point is, thanks to needing to have a partially open relay to support our remote and traveling users (quite a large number) and getting screwed over by our software vendor, we're now considered an "open" relay. So far, in the past six months or so since we were re-classified as open, we haven't had a single message bounce back to us, and we haven't had a single incident of spammers hijacking our server... but it still drives me nuts thinking that our server is in a blacklist.
I've been looking at a few options, such as the new authenticated SMTP options available in Sendmail and Qmail, but realistically? If it's not causing us a problem (i.e. bounced/blocked mail) then it's not high enough on our priority list to allocate the time and resources required to do it right.
And that's why I'm on the blacklist, and likely to stay there for the foreseeable future...
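The partial relay rule this poster describes (relay when the sender or at least one recipient is in a locally hosted domain), modelled as an added example that is not the poster's or their vendor's code, beside the stricter per-recipient rule that the authenticated-SMTP route in the same post leads to. The post does not say why the null-sender probe got through their product, so that is not modelled; the local domains and addresses are constructed.

```python
from typing import List, Optional, Set, Tuple

LOCAL_DOMAINS: Set[str] = {"example.com", "example.net"}  # constructed


def address_domain(addr: str) -> Optional[str]:
    """Domain part of an SMTP envelope address; None for the null sender '<>'."""
    addr = addr.strip().strip("<>")
    if not addr or "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def is_local(addr: str, local_domains: Set[str]) -> bool:
    domain = address_domain(addr)
    return domain is not None and domain in local_domains


def sender_or_recipient_policy(mail_from: str, rcpt_to: List[str],
                               local_domains: Set[str] = LOCAL_DOMAINS) -> Tuple[bool, str]:
    """The poster's rule: relay the whole message when the *claimed* sender is
    local or at least one recipient is. MAIL FROM is unauthenticated, so the
    first branch accepts whatever local-looking sender the peer asserts."""
    if is_local(mail_from, local_domains):
        return True, "sender claims a local domain (unverified)"
    if any(is_local(r, local_domains) for r in rcpt_to):
        return True, "at least one recipient is local"
    return False, "relay denied: neither sender nor any recipient is local"


def recipient_or_auth_policy(mail_from: str, rcpt: str, authenticated: bool = False,
                             local_domains: Set[str] = LOCAL_DOMAINS) -> Tuple[bool, str]:
    """Stricter per-RCPT rule: the sender claim never earns relaying. A local
    recipient is ordinary inbound delivery (so the null sender '<>' used by
    bounces is still fine); a remote recipient needs an authenticated session,
    i.e. SMTP AUTH as the post considers."""
    if is_local(rcpt, local_domains):
        return True, "local recipient: inbound delivery"
    if authenticated:
        return True, "remote recipient, but the session authenticated"
    return False, "relay denied: remote recipient on an unauthenticated session"


def compare_policies() -> dict:
    """Constructed sessions showing where the two rules differ."""
    probe_sender, probe_rcpt = "<>", "someone@remote.example"
    forged_sender = "<anyone@example.com>"
    return {
        "null_sender_remote_rcpt_old": sender_or_recipient_policy(probe_sender, [probe_rcpt])[0],
        "null_sender_remote_rcpt_new": recipient_or_auth_policy(probe_sender, probe_rcpt)[0],
        "forged_local_sender_old": sender_or_recipient_policy(forged_sender, [probe_rcpt])[0],
        "forged_local_sender_new": recipient_or_auth_policy(forged_sender, probe_rcpt)[0],
        "authenticated_user_new": recipient_or_auth_policy(forged_sender, probe_rcpt, True)[0],
        "bounce_to_local_user_new": recipient_or_auth_policy("<>", "user@example.com")[0],
    }


if __name__ == "__main__":
    for case, accepted in compare_policies().items():
        print(f"{case:32} {'relay' if accepted else 'deny'}")
```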
ORBS has, for quite a long time, been a list of "open relays, sites that object to being port-scanned, systems whose admins irritate the ORBS admins, systems that block port scans", and the like.
Really, they're jerks, and you should *NOT* use them to filter mail, unless you particularly think that everyone in the world has a moral obligation to let some guy run relay-rape attempts on their servers any time he feels like it.
I like MAPS. I don't like ORBS.
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
There's a much better way to do this. I modified our POP server at a previous employer such that it placed an IP on an approved relay list for up to two hours after a valid authentication.
I have also set this up, but there is one problem. People dial up, check their email, fine, and disconnect. Then they compose replies and reconnect (usually with a different IP, of course) :( Alas, Outlook attempts to send email before it checks, so all those replies would be rejected. (It only has a send/receive button, not two different "check" and "send" buttons.) So, now they all have a little app that does a pop3 login, which they have to run before sending anything.
--
Exigo spamos et dona ferentes
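The POP-before-SMTP scheme from the two comments above, modelled as an added example (not either poster's server code): a successful POP login approves the client's source address for a two-hour window, and the scenario function reproduces the two failure modes raised in the reply, a dial-up user who reconnects from a different address and a client that sends before it checks. Addresses and timestamps are constructed; nothing here talks to a real POP or SMTP daemon.

```python
import ipaddress
import time
from typing import Dict, Optional


class PopBeforeSmtpRelay:
    """Relay authorisation keyed on a recent successful POP3 login."""

    def __init__(self, window_seconds: int = 2 * 3600) -> None:
        self.window = window_seconds
        self._approved: Dict[str, float] = {}  # ip -> time of last good login

    def record_login(self, ip: str, now: Optional[float] = None) -> None:
        """Called by the POP server once a username/password pair checks out."""
        ip = str(ipaddress.ip_address(ip))  # normalise; rejects junk input
        self._approved[ip] = time.time() if now is None else now

    def may_relay(self, ip: str, now: Optional[float] = None) -> bool:
        """Called by the SMTP server for a RCPT TO outside the local domains."""
        now = time.time() if now is None else now
        self.expire(now)
        return str(ipaddress.ip_address(ip)) in self._approved

    def expire(self, now: float) -> int:
        """Drop approvals older than the window; returns how many were removed."""
        stale = [ip for ip, t in self._approved.items() if now - t >= self.window]
        for ip in stale:
            del self._approved[ip]
        return len(stale)

    def approved_count(self) -> int:
        return len(self._approved)


def dialup_scenario() -> dict:
    """Constructed timeline: login from one dial-up address, then relay
    attempts from the same address, from a new address after a redial, after
    the window has lapsed, and from a client that sends before any login."""
    relay = PopBeforeSmtpRelay()
    t0 = 1_000_000.0
    relay.record_login("192.0.2.10", now=t0)
    fresh = PopBeforeSmtpRelay()  # nobody has logged in yet
    return {
        "same_ip_within_window": relay.may_relay("192.0.2.10", now=t0 + 600),
        "new_ip_after_redial": relay.may_relay("192.0.2.77", now=t0 + 600),
        "same_ip_after_window": relay.may_relay("192.0.2.10", now=t0 + 2 * 3600),
        "send_before_any_login": fresh.may_relay("192.0.2.10", now=t0),
    }


if __name__ == "__main__":
    for case, allowed in dialup_scenario().items():
        print(f"{case:24} {'relay' if allowed else 'deny'}")
```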
AOL has some new machines in place to redirect part of what would normally be the dialup (*.ipt.aol.com) mail traffic through machines where we can monitor the volume to control spam. We're just testing it at the moment, and these redirection proxy machines are the ones listed in ORBS, with my support and permission. AOL's dialups have been listed in ORBS and the MAPS DUL for a long time, because well, lots of mail shouldn't come directly from dialups to someone else's mailserver.
Now what're y'all gonna say, when ya find out that AOL added those machines to ORBS for your own good.
Scott Crain
AOL Mail Operations
This is actually quite frustrating. As a consumer, I strongly dislike AOL. However, they have a huge share of the North American e-mail market. I am trying to convince my superiors to let me start refusing mail based on ORBS and MAPS RBL queries, but denying a large volume of legitimate mail (as the case would be with AOL on the ORBS list) actually puts us in a situation where our customers would be complaining that they can't get their e-mail. O, woe is me. Is there a solution to this conundrum? I don't for one minute believe that AOL gives a rat's ass about open relays, or what list they are on -- after all, they are used to being hated. Hrmp.
--
Do daemons dream of electric sleep()?