Slashdot Mirror


UPDATED: AOL Added To ORBS List - At Their Request

A couple of people have sent us the word that AOL has managed to get itself added into the ORBS list for having open mail relays. Let's hope this inclusion makes them clean it up a little bit more. You can check the full database to see other servers in there. I've talked with the folks at AOL - the two servers that were added were at their request, so that no one would take advantage of them. More info in a bit. Update: 03/29 03:20 by E : Read more below; we got E-mail from Scott Crain, AOL's 'Spamdinista.'

Scott Crain, AOL 'Spamdinista,' wrote in with an update, and to make what's going on crystal clear.

There are two machines that have been added to ORBS on AOL's networks, at my request. The two machines are a new system in place to allow us to keep spammers from using outbound SMTP connections to spam the rest of the net with junk. Alan Brown, the maintainer of ORBS and I correspond frequently on a couple mailing lists we both frequent, and he asked if it would be ok if I had him place these two machines in ORBS, to which I agreed.

Basically, the two machines that are there are the external gateway for a percentage of AOL members using their TCP connectivity to send mail out of AOL without using the AOL client. It's no different than blocking AOL's dialup IP's (*.ipt.aol.com) as the MAPS DUL does currently.

In other words, this is a good thing. I'm sure I'm not the only one who doesn't like spam from AOL, and this looks like a step in the right direction.

22 of 220 comments

  1. Re:AOL on ORBS list by opus · · Score: 3

    You can always "whitelist" any servers that you wish to receive mail from, despite their presence on ORBS, RSS, RBL, or DUL, by putting them into /etc/mail/access (assuming you're running sendmail, and have that feature enabled), e.g.

    mail.wideopenrelay.com RELAY

    This, of course, diminishes the punitive value of the list, but it's better than not using the list at all. IMHO, you don't even need to give a second thought to using the RBL (which only lists serious repeat offenders, IIRC) and the DUL (dialup users should use their ISP's mailserver). The only servers I've had to whitelist at a user's request have been on RSS, which is far more aggressive than the RBL. (I don't use ORBS, since I find it too aggressive.)
    --

  2. Invalidation by Hrunting · · Score: 3

    Great, AOL has been added to ORBS. This will probably serve to invalidate ORBS more than anything else. The fact of the matter is that an ISP can not refuse AOL e-mail. AOL simply puts out too much legitimate e-mail to make blocking them outright even a possibility. The customer complaints would be tremendous and it would cause an ISP to lose credibility with customers who don't understand things like ORBS and open relays, who only understand things like grandma can't e-mail her granddaughter happy birthday. What's that mean? Selective entries on ORBS will start being ignored and once you start down that slippery slope, you may as well wave bye-bye to any sort of influence that list may have.

    What needs to happen is a bunch of ISPs need to get together and file a lawsuit against AOL for allowing so much spam through their systems. A groundbreaking case for responsible management of systems on the Internet would serve our fair network well.

    1. Re:Invalidation by seebs · · Score: 3

      You talk about ISP's "suing AOL for allowing so much spam..."

      This has *NOTHING* to do with ORBS.

      ORBS claims to list open relays. I haven't yet seen a convincing demonstration that AOL has an open relay.

      ORBS, however, goes further. If they can't scan your /16, launching ten or more attacks on every system in it, at their convenience, you will *ALSO* get listed.

      Neat, huh?

      Of course, "ORBS doesn't scan". Of course not. Other sites do scans and submit results to ORBS. Or just submit whole netblocks. Or something.

      --
      My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
  3. Re:Invalidation -- just like the RBL by Booker · · Score: 3
    It's not subjective control of the net. Each sysadmin chooses whether (s)he wants to use these tools (ORBS and MAPS), or not. If you use it, you are explicitly trusting the judgement and management of the tools.

    I also find your anecdote extremely surprising, and I'd like to see some proof... I thought that the RBL was a last-ditch effort after contacts had been made.

    ---

  4. The words of a co-worker by unicorn · · Score: 3

    In the immortal words of one of my co-workers. "You can't spell a**hole, without AOL"

    --
    "Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
  5. Re:ORBS is a net-terrorist. by kinesis · · Score: 3

    I've been a victim of their net-terrorism.

    My company has a dedicated server through Digital Nation. Well, apparently, we inherited the IP address of a machine that USED TO BE an open relay. Never mind that we've been using a version of sendmail that doesn't permit open relays since the first day we turned the machine on.

    And ORBS refused to take us off their list.

    You can't call them up and reason with a human being. You're totally at the mercy of their anonymous maintainers. And they don't listen to you when you show them PROOF that your IP isn't an open relay. And they don't listen to your ISP when they show them PROOF that there is no open relay.

    ORBS sucks. Their cure really is worse than the disease.

  6. ORBS nearly useless, this will make it worse. by Silver+A · · Score: 3
    My ISP gives me the option of tagging e-mail that originates from RBL, ORBS and DUL listed servers. I haven't gotten an e-mail yet from an RBL-listed server that wasn't spam, but most of the ORBS-tagged e-mail was from legitimate sources, mostly people's work e-mail addresses.

    As a behavior-modification tool, the ORBS is useless. Too many people run insecure mail servers for most people to be willing to filter it all out. Enforcing the ORBS list will be more painful to the enforcer than the violator.

    A better method would be to get a court case to establish that people running insecure mail-servers have partial liability for spam-floods using their server. A case could easily be made that anyone with the knowledge to run a mail-server has the ability to discover that running an open relay is dangerous, and the ability to perform some minimal securing.

  7. Re:ORBS is NOT a "Black Hole" by seebs · · Score: 3

    Completely misleading.

    If you follow the naive instructions to turn on ORBS, it will bounce everything, and it will also bounce all of the "static listings" - hosts which are almost always *NOT* open relays, many of which have never emitted a single spam, ever, but just don't allow gratuitous testing.

    --
    My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
  8. For those opposed to ORBS, what about RSS? by toastyman · · Score: 3

    http://www.mail-abuse.org/rss is a "realtime" relay system. If you get a spam that used someone else as a relay, you forward them the IP of the relay, and it gets added to an RBL style list. Only after it's been proven that someone's mail server is being used for spam can it get added, and the turnaround time for off and on this list is very short. Take a look at their FAQ for more info.

  9. People like you are why I run orbs filters by Alan+Cox · · Score: 3

    Aside from the irony that the AOL listing is not for AOL itself but the dialups..

    People like you who don't bother to secure themselves against spam are why the problem exists. If you had an unsafe building then you would get forced to clean it up.

    ORBS exists because people don't care about open relaying. Hey it's not you being spammed, it's all those other folk, you can fix it later.

    Not socially responsible at all.

  10. Hehe 8^D by Tower · · Score: 3

    Well, I know of a few people who are going to be a little disappointed if this happens... my school properly secured the mailserver a few years ago, at which point some of the more spam oriented folks on campus realized that aol's servers were still wide open for such things... actually, so were sgi's (at the time). I'm sure that's been fixed...

    The best is when the school ran a local search, and all sorts of people got hatemail saying "we found an active relaying mailserver on the system in your room. Fix it or be assimilated... I mean, deactivated" (or something to that effect). Pretty funny. Then, of course, came the firewall, so that ended the need for that, so they only scoured internal webservers for spurious /mp3 and /movies directories... There were more than a few people who got shut down because of that.

    Of course, a college can easily shut off a port on a managed hub, but for AOL, maybe Sprint, MCI, et al could just sever any links out to the rest of the world until they comply... that would be pretty funny (I can see the even dumber commercials now... "Now with re-activated internet connectivity!").

    AOL... hehe

    --
    "It's tough to be bilingual when you get hit in the head."
  11. Re:AOL not all good by any means by scrain · · Score: 3

    AOL doesn't use any external 'blocking lists' in total. We maintain our own lists of problem providers and dialup IP ranges, supplemented by careful and judicious use of what's publicly available.

    There's a simple reason that we don't bounce messages during the transaction, and that's because we don't verify user information during the transaction, in order to prevent spammers from dictionary-attacking us to get lists of AOL's usernames (Not that they don't try... they do... constantly).

    Even though we have controls in place to try and prevent the amount of bounced mail we send to a delivering site, we still crush a number of them from time to time, because they're a: getting spammed through, or b: getting spam forged in their name.

    Ask Netcom (well, you could if they were still around in other than name), MCI, Yahoo, hotmail, and more, but they're the ones that everyone knows. Hell, Vint Cerf's called personally to get us to take it easy on 'em. (I did).

  12. Re:Why AOL was put in ORBS (I know... I did it) by scrain · · Score: 3

    We simply don't have time to respond to spam complaints... way way WAY too many of them. We can't tell you any specific details of any action we take against a member's account, because AOL's privacy policy guidelines prohibit this. (though I've been known to drop the occasional hint when it's something that needs a response)

    I (up 'til yesterday) was the person that dealt with IRC abuse, and I know that it gets dealt with, albeit slowly because it takes awhile to track down the actual user.

    As for MU(X|SH|CK|D)s, I'm a mux/mush coder myself, and I'm pretty damn sympathetic to those kind of abuses, and if I see 'em, they get dealt with harshly (no, that doesn't mean mail me directly... reports from people I don't know get ignored cause otherwise I'd go insane)

    AIM is (supposed to be) self-policing... that's what the warning ability is there for. Sure, it gets abused, but well, you can't give something away with assholes getting in the mix.

    Scott Crain
    AOL Mail Ops (and up way too late. Where's dat update you mentioned, Hemos? =)

  13. Roadrunner is blocked, was Re:No surprises here... by jacobito · · Score: 3

    I couldn't agree more. I have a system running qmail which I'm pretty sure is not an open relay, but I can't post to mailing lists that use ORBS because ORBS blocks every single address associated with my ISP, Roadrunner. Why? Because Roadrunner objected to being scanned. Perhaps a little pigheaded on their part, but it's Roadrunner's prerogative. It was even more pigheaded of ORBS to retaliate by listing every single *.rr.com host as an open relay.

    I simply don't see how ORBS helps the internet community. They block hosts indiscriminately, sometimes vindictively.

    Here's Roadrunner's commentary on the whole mess, taken from one of their newsgroups:

    "Jr." wrote in message
    news:MPG.12ffb6474d5873d1989688@newsr2.texas.rr.com...

    HISTORY:

    Road Runner customers and Affiliates initially contacted us with a
    security issue. They were concerned with their privacy and security when
    an unknown entity (to them) began scanning them without permission. We
    initially tried to address this case by case and later contacted the ORBS
    administrators and requested this unwelcome scanning terminated. This is
    analogous to someone requesting they be removed from a list that they did
    not subscribe to. With this request, all Road Runner IP space was
    unexpectedly added to the ORBS list with a public statement on the ORBS
    WWW site, as well as the bounce message which our subscriber has
    received. As scanning continued against our repeated requests, the
    individual ORBS scanning hosts were filtered out of our network.

    Although we strongly believe in stopping SPAM on the Internet, as well as
    respect the initial work and charter ORBS has been under in the past, we
    have serious concerns at the current methods and actions that are taking
    place:

    e.g.
    - Scanning of private networks without permission from targets
    - No REMOVE capability from the ORBS scanner
    - When someone tries to stop or block the ORBS scans, they are blocked by
    ORBS.
    - No warning, as well as false public statements about the individuals
    scanned or their provider. THAT IS: If you have a relay (known, or
    unknown to you) you are called a SPAM supporter publicly without any
    warning to correct it before ORBS adds you.
    - Misinformation on ORBS' own web site
    (http://www.orbs.org/whatisthis.html) "What is ORBS? The short answer:
    ORBS is a validated database of open mail relays and open mail relay
    output points, accessible via DNS lookup."
    - The addition of Road Runner hosts to a "secret" database. Road Runner
    hosts are not listed via their normal web lookup at
    http://www.orbs.org/verify_1.html

    Road Runner believes strongly in the fight against SPAM. We have addressed
    it with strong policies, enforcement and our own relay detection methods.
    We will continue this effort, work together with other providers and the
    Internet community (including ORBS) to make a difference. However, we
    reserve the right to assess the methods used, by whom and determine the
    best way to accomplish the desired results for our business.

  14. Can't find any AOL's SMTP server listed by ORBS... by airgee · · Score: 3

    Right now, 22:40 UTC, no AOL server is listed by ORBS. I mean, no MX for the domain aol.com is listed by ORBS. Maybe an AOL's client is listed by ORBS, but certainly not the entire aol.com domain.

    # host -t MX aol.com
    aol.com mail is handled (pri=15) by yh.mx.aol.com
    aol.com mail is handled (pri=15) by za.mx.aol.com
    aol.com mail is handled (pri=15) by zb.mx.aol.com
    aol.com mail is handled (pri=15) by zc.mx.aol.com
    aol.com mail is handled (pri=15) by zd.mx.aol.com
    aol.com mail is handled (pri=15) by yb.mx.aol.com
    aol.com mail is handled (pri=15) by yc.mx.aol.com
    aol.com mail is handled (pri=15) by yd.mx.aol.com
    aol.com mail is handled (pri=15) by yg.mx.aol.com

    Ok, each entry is a round-robin alias with 4 IPs.
    With a bit of typing and http://www.xnet.com/~emarshal/rblcheck/, I verified that no IP listed by this simple query is actually listed in ORBS database, or at least the database which can be queried by the standard RBL DNS hack.

    # host za.mx.aol.com >> foo
    # host zb.mx.aol.com >> foo
    etc...
    # echo "bla 127.0.0.2" >> foo
    (this is to check the script below)

    (script named "bar")
    #!/bin/sh
    rblcheck -q -c -s relays.orbs.org $1 1>/dev/null 2>/dev/null
    echo $? : $1

    # sed 's,.* \([0-9.]*\)$,\1,g' foo | xargs -n1 ./bar
    ("0 : " == not listed in ORBS
    "1 : " == listed in ORBS)
    0 : 152.163.224.3
    0 : 152.163.224.4
    0 : 152.163.224.5
    (...etc...)
    0 : 205.188.157.1
    0 : 205.188.157.2
    1 : 127.0.0.2
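
The "standard RBL DNS hack" that rblcheck performs in the comment above, written out as an added example (not code from the post): the client reverses the IPv4 octets, appends the list's zone, and treats only an answer inside 127.0.0.0/8 as a listing. The resolvers and zone data below are constructed stand-ins so the block runs offline; `system_resolver` is the assumed hook for a real lookup.

```python
import ipaddress
import socket

# Zone name as used in the comment above. Nothing here touches the network
# unless system_resolver is passed in explicitly.
ORBS_ZONE = "relays.orbs.org"
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone=ORBS_ZONE):
    """Reverse the IPv4 octets and append the list's zone."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on anything but a dotted quad
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def check_listed(ip, resolve, zone=ORBS_ZONE):
    """Return (listed, answers). resolve(name) -> list of A records, [] if none."""
    answers = resolve(dnsbl_query_name(ip, zone))
    # Only answers inside 127.0.0.0/8 mean "listed". A wildcarding resolver or
    # a parked zone that answers every name with a public address would
    # otherwise make every sender look listed.
    hits = [a for a in answers if ipaddress.IPv4Address(a) in LISTED_NET]
    return bool(hits), hits


def report(ips, resolve, zone=ORBS_ZONE):
    """Same output convention as the comment: '1 : ip' listed, '0 : ip' not."""
    return ["%d : %s" % (check_listed(ip, resolve, zone)[0], ip) for ip in ips]


def system_resolver(name):
    """Real lookup through the system resolver (not used by the demo below)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:  # NXDOMAIN and other lookup failures
        return []


# Constructed zone data: only the conventional 127.0.0.2 test entry is listed.
FAKE_ZONE = {"2.0.0.127.relays.orbs.org": ["127.0.0.2"]}


def fake_resolver(name):
    return FAKE_ZONE.get(name, [])


def wildcard_resolver(name):
    # Constructed failure case: every name resolves to a public (TEST-NET) address.
    return ["192.0.2.10"]


if __name__ == "__main__":
    sample = ["152.163.224.3", "205.188.157.1", "127.0.0.2"]  # from the comment
    print("\n".join(report(sample, fake_resolver)))
    print(check_listed("152.163.224.3", wildcard_resolver))
```

The 127.0.0.2 line plays the same role as the `bla 127.0.0.2` entry in the comment: a known-listed address that proves the check itself works.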

  15. ORBS is NOT a "Black Hole" by handorf · · Score: 4
    You can just use ORBS to flag potential spam.

    From their What is this? Page:

    ORBS is NOT a "black hole" - we do not disseminate routing information causing included hosts to be
    unreachable from portions of the Internet. Running an open relay is usually accidental and those admins who
    continue to run open relays after being warned about it by ORBS and/or other entities will eventually find
    themselves in the MAPS RBL - which is a "black hole" and is used by at least 40% of the mail servers on the
    Internet.

    ORBS tracks these systems so that people operating mailservers subscribed to our database can block
    e-mail coming from open relays until such time as they are fixed to no longer permit third-party SMTP relay.

    Admins may alternatively set their systems up to tag messages delivered from open servers as "possibly
    spam", or just log the connections. What any admin does is entirely up to that admin. If you've been blocked
    from delivering mail and given a pointer to this site please note: It is the decision of the administrator of the site
    which blocked you to disallow mail from open relays. Those open relays must comply with that admin's rules
    (not ours) in order to deliver mail to that site - we're just verifying to the admin whether a host is an open relay
    or not.

    --
    -- IANAEG - I am not an elder god.
  16. I hope this is true by DrSkwid · · Score: 4

    despite the fact that it's great fun watching people find outlets for their high horse talk, heck I'm one of 'em.

    I've never used AOL or had any problem with any of its users. What I do know is that it's using its muscle in the UK to force down the price of access. They are attempting to expand in the UK not by simply wooing competitors' customers but by expanding the market. In this way even maintaining market share - or even losing some - is still a win. When players such as Freeserve haven't turned a profit but derive their huge revenue from bloated cost of access they are still vulnerable to the next wave.
    AOL was the first major company to move to a 1p a minute 24 hour access. Previously it was 4p per minute for daytime modem access (8am-6pm). Others have quickly followed (ntl: for instance) and now we are beginning to see flat rate 24/7 access finally arrive.
    The UK is finally going to come alive net wise so expect plenty more AOL users to come aboard.
    .oO0Oo.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  17. I'm on the blacklist, and likely to stay there... by Anonymous Coward · · Score: 5

    [posting anonymously for obvious reasons]

    Our company's primary mail server has been in the ORBS database for a long, long time... We made the choice (mistake?) of choosing a closed-source, commercial mail package running on Windows NT Server instead of something open (like Sendmail or Qmail). I've been regretting it ever since...

    Our relay is partially open - it allows relay only if the sender's e-mail address or at least one recipient's e-mail address is from a locally-hosted domain. Not the most secure method, perhaps, but it seems to be enough extra work that spammers simply find a wide-open relay and use it instead of us.

    Originally, we had a completely open relay, but after a few incidents where our server was used by spammers, we paid (through the nose) for an add-on option to our mail server to allow this selective relay ability. During one of these incidents, we were added to the ORBS database. And once you're in the ORBS database, you never, ever, ever get out, even if you're clean.

    We passed the ORBS test with flying colors after getting the selective relay option working on our system... until about a year later, ORBS put us back in the database, after adding a couple new tests. One of the tests (NULL sender envelope) got through our system, and we were once again considered an "open" relay.

    About that time, our mail server vendor had just released a new version of their software, including a fix for the problems ORBS detected. And it was bargain priced - only $1,500 US to upgrade to version 4.0! And hey - that "unlimited" domain hosting option we paid for? Sorry, not available in version 4.0, we'll have to pay-per-domain. Oh, and we'll have to pay extra to upgrade the anti-spam option we already paid $800 extra for just a few months ago.

    This is turning into a ramble... I guess my point is, thanks to needing to have a partially open relay to support our remote and traveling users (quite a large number) and getting screwed over by our software vendor, we're now considered an "open" relay. So far, in the past six months or so since we were re-classified as open, we haven't had a single message bounce back to us, and we haven't had a single incident of spammers hijacking our server... but it still drives me nuts thinking that our server is in a blacklist.

    I've been looking at a few options, such as the new authenticated SMTP options available in Sendmail and Qmail, but realistically? If it's not causing us a problem (i.e. bounced/blocked mail) then it's not high enough on our priority list to allocate the time and resources required to do it right.

    And that's why I'm on the blacklist, and likely to stay there for the foreseeable future...

  18. No surprises here... by seebs · · Score: 5

    ORBS has, for quite a long time, been a list of "open relays, sites that object to being port-scanned, systems whose admins irritate the ORBS admins, systems that block port scans", and the like.

    Really, they're jerks, and you should *NOT* use them to filter mail, unless you particularly think that everyone in the world has a moral obligation to let some guy run relay-rape attempts on their servers any time he feels like it.

    I like MAPS. I don't like ORBS.

    --
    My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
  19. Re:I'm on the blacklist, and likely to stay there. by IIH · · Score: 5

    There's a much better way to do this. I modified our POP server at a previous employer such that it placed an IP on an approved relay list for up to two hours after a valid authentication

    I have also this set up, but there is one problem. People dial up check their email, fine, and disconnect. Then they compose replies and reconnect (Usually with a different IP, of course :( Alas, Outlook attempts to send email before it checks, so all those replies would be rejected. (It only has a send/receive button, not two different "check" and "send" buttons) So, now they all have a little app that does a pop3 login, which they have to run before sending anything.
    --
    Exigo spamos et dona ferentes
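
The scheme discussed in the comment above (a valid POP login puts the client's IP on an approved relay list for up to two hours), together with the redial problem it reports, as an added example that is not code from either poster. The class and method names, the addresses and the domains are constructed for illustration.

```python
RELAY_WINDOW = 2 * 60 * 60  # "up to two hours", per the comment


class PopBeforeSmtp:
    """Relay authorization keyed on client IP, granted by a POP login."""

    def __init__(self, local_domains, window=RELAY_WINDOW):
        self.local_domains = {d.lower() for d in local_domains}
        self.window = window
        self._authorized = {}  # client IP -> expiry time (seconds)

    def pop_login_ok(self, client_ip, now):
        # Called by the POP server after a successful authentication.
        self._authorized[client_ip] = now + self.window

    def may_relay(self, client_ip, now):
        expiry = self._authorized.get(client_ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self._authorized[client_ip]  # expire stale entries lazily
            return False
        return True

    def rcpt_decision(self, client_ip, rcpt, now):
        # The decision uses the connecting IP and the recipient domain only;
        # the envelope sender is never consulted.
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains:
            return "accept-local"
        if self.may_relay(client_ip, now):
            return "accept-relay"
        return "reject"


def replay_dialup_scenario():
    """Replay the send-before-check sequence described in the comment."""
    srv = PopBeforeSmtp(["example.com"])
    first_ip, second_ip = "192.0.2.10", "192.0.2.77"  # constructed dial-up IPs
    rcpt = "friend@example.net"                        # constructed remote rcpt
    t0 = 0
    steps = []
    srv.pop_login_ok(first_ip, t0)                     # dial up, check mail
    steps.append(srv.rcpt_decision(first_ip, rcpt, t0 + 60))
    # Disconnect, write replies, redial: new IP, and the client sends first.
    steps.append(srv.rcpt_decision(second_ip, rcpt, t0 + 1800))
    srv.pop_login_ok(second_ip, t0 + 1805)             # the "little app"
    steps.append(srv.rcpt_decision(second_ip, rcpt, t0 + 1810))
    # The first IP's grant lapses once the window has passed.
    steps.append(srv.rcpt_decision(first_ip, rcpt, t0 + RELAY_WINDOW))
    # Mail for a local mailbox is accepted from any IP, authorized or not.
    steps.append(srv.rcpt_decision("198.51.100.5", "user@example.com", t0))
    return steps


if __name__ == "__main__":
    for step in replay_dialup_scenario():
        print(step)
```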
  20. Why AOL was put in ORBS (I know... I did it) by scrain · · Score: 5

    AOL has some new machines in place to redirect part of what would normally be the dialup (*.ipt.aol.com) mail traffic through machines where we can monitor the volume to control spam. We're just testing it at the moment, and these redirection proxy machines are the ones listed in ORBS, with my support and permission. AOL's dialups have been listed in ORBS and the MAPS DUL for a long time, because well, lots of mail shouldn't come directly from dialups to someone else's mailserver.

    Now what're y'all gonna say, when ya find out that AOL added those machines to ORBS for your own good.

    Scott Crain
    AOL Mail Operations

  21. AOL on ORBS list by multipartmixed · · Score: 5

    This is actually quite frustrating. As a consumer, I strongly dislike AOL. However, they have a huge share of the North American e-mail market. I am trying to convince my superiors to let me start refusing mail based on ORBS and MAPS RBL queries, but denying a large volume of legitimate mail (as the case would be with AOL on the ORBS list) actually puts us in a situation where our customers would be complaining that they can't get their e-mail. O, woe is me. Is there a solution to this conundrum? I don't for one minute believe that AOL gives a rat's ass about open relays, or what list they are on -- after all, they are used to being hated. Hrmp.

    --

    Do daemons dream of electric sleep()?