Slashdot Mirror


ORBZ Shuts Down

Tim Jackson writes: "In a depressing development for those wanting to protect themselves against spam, it appears that popular open relay database ORBZ (formerly at www.orbz.org) has shut down effective immediately - see here for the final post from ORBZ admin Ian Gulliver on the ORBZ list explaining the reasons behind the closure. The 'Lotus Domino' issue he refers to is the issue he discovered in the course of running ORBZ and reported to Bugtraq, which means that certain SMTP envelopes (such as those sent by ORBZ when testing for open relays) cause Lotus Domino servers to go into a loop, effectively creating a DoS situation. Unfortunately (but understandably), irrelevant of the merits of the case, Ian doesn't want to risk jail for the sake of spam fighting. Of course, if common sense prevailed, it would be the mail server vendor in court for producing insecure mail server software, not a third party for happening to send requests that unintentionally crash poorly-written servers."

409 comments

  1. That was quiet by Big Dogs Cock · · Score: 4, Funny

    They should've mailed everyone to tell them.

    --
    "Under the iron bridge, we fist" - The Smiths, Still Ill
    1. Re:That was quiet by Zocalo · · Score: 2

      No, what they *should* have done, was sent the admins with the broken servers the links to the fixes "DragonC" posted these here earlier. I mean, it's not like they couldn't find an open relay to mass email them all from, is it? ;)

      --
      UNIX? They're not even circumcised! Savages!
    2. Re:That was quiet by Anonymous Coward · · Score: 0

      They did - I received it on the ORBZ mailing list.

  2. it has to get worse by Anonymous Coward · · Score: 0

    I'm getting around 80 mails per day, ~40% is spam.
    I guess it has to be around 1000 spam mails per day for everyone to make something change/happen.

  3. Sounds weak to me by Anonymous Coward · · Score: 1, Interesting

    Why not just use another envelope? I'm guessing ORBZ wanted to go away anyway and are using this as an excuse.

    1. Re:Sounds weak to me by Ioldanach · · Score: 3, Interesting
      Why not just use another envelope? I'm guessing ORBZ wanted to go away anyway and are using this as an excuse.

      They used multiple envelope types when checking a relay that had requested to be taken off the list in order to make sure the site couldn't be used by a spammer. Some of the envelopes were unorthodox envelopes that spammers could use to get through a particular server's bugs, making an apparently clean mail server an open relay.

    2. Re:Sounds weak to me by letxa2000 · · Score: 2
      Uh, duh, what envelope do you suggest they use to determine if a server is relaying?

      The interesting thing is that very stupid bug in Lotus Domino should cause the servers to loop into oblivion every time a potential spammer tries to relay mail through them...

    3. Re:Sounds weak to me by artg · · Score: 1

      That's one way of filtering the spam out !

    4. Re:Sounds weak to me by Account 10 · · Score: 1

      So why can't orbz determine the server type ... and then try just those envelopes that that server is known vulnerable to; vulnerable in a relaying sense, not in a "lockup server" sense

    5. Re:Sounds weak to me by Junta · · Score: 5, Interesting

      Well, in any case it is good to get DoS bugs fixed.

      But with regards to IDing the server, you can't with certainty determine what SMTP server is running. Sure you can make a reasonable guess based on what strings follow the numbers during the SMTP transaction, but for some mailservers this is configurable or even could be disabled.

      Let's say there was an envelope type that postfix occasionally lets through. Now, if the admin of that for some reason actually wants to exploit this to have an open mail relay, it could fake the strings to make it look like a server that wouldn't get probed for it...

      In any case, I started work for a company and one of the first things I did was fix their mail servers so that they both did not offer open mail relays, and also played nice with ORBZ testing procedure, and it was Lotus Domino, FYI. It's not like they randomly probe you into oblivion, you request the test and have a reasonable picture of when it will happen, and if you have been digging around the mailserver and fix it right before asking, this isn't a problem. Cases like this should show companies it is worth the money to hire competent systems administrators.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    6. Re:Sounds weak to me by Anonymous Coward · · Score: 0

      Sometimes it is not very hard to find out what mail server is running...

      I just said helo a few times

      220 XXXXXXXXXXXXXXX ESMTP Service (Lotus Domino Release 5.0.9a) ready at Wed, 20
      Mar 2002 10:42:48 -0800
      501 Command "helo" requires an argument

      OR this one

      220 XXXXXXXXXXXXX ESMTP Sendmail 8.9.3/8.9.3; Wed, 20 Mar 2002 10:51:07
      -0800 (PST)

      OR

      220 XXXXXXXXX ESMTP Sendmail 8.9.1a/8.9.1; Wed, 20 Mar 2002 10:53:5
      8 -0800 (PST)
      501 helo requires domain address

      I think that I have a good guess what these 3 places are running...
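The banner check from the comment above, as an added example that is not part of the original thread: it parses captured SMTP greetings (including terminal-wrapped and multi-line `220-` replies) and reports the product and version the greeting claims, which is what an admin would review on their own server. The sample captures are constructed with placeholder hostnames, and as other comments in this thread point out, the greeting is configurable, so the result is a claim and not proof.

```python
import re

# Signatures for the two greeting shapes quoted in the comment above.
SIGNATURES = [
    ("Lotus Domino", re.compile(r"Lotus Domino Release\s+([0-9][\w.]*)")),
    ("Sendmail", re.compile(r"\bSendmail\s+([0-9][\w.]*)")),
]

# "NNN text" ends a reply, "NNN-text" announces that more lines follow.
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

# Constructed samples: hostnames are placeholders, wording follows the comment.
SAMPLES = {
    "domino": (
        "220 mail.example.test ESMTP Service (Lotus Domino Release 5.0.9a) ready at Wed, 20\n"
        "Mar 2002 10:42:48 -0800\n"
        '501 Command "helo" requires an argument\n'
    ),
    "sendmail": (
        "220 mail.example.test ESMTP Sendmail 8.9.3/8.9.3; Wed, 20 Mar 2002 10:51:07\n"
        "-0800 (PST)\n"
    ),
    # A greeting with the product string removed, sent as a multi-line reply.
    "restyled": "220-mx.example.test ESMTP\n220 ready\n",
}


def parse_replies(raw):
    """Split captured server output into (code, text) replies."""
    replies = []        # each entry is [code, text]
    open_reply = False  # True while the last reply line ended in "NNN-"
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        m = REPLY_LINE.match(line)
        if m:
            code, sep, text = m.groups()
            if open_reply and replies[-1][0] == code:
                replies[-1][1] += " " + text   # next line of a multi-line reply
            else:
                replies.append([code, text])
            open_reply = sep == "-"
        elif replies:
            replies[-1][1] += " " + line       # terminal-wrapped continuation
    return [tuple(r) for r in replies]


def fingerprint(raw):
    """Return what the 220 greeting claims about the server, or None."""
    for code, text in parse_replies(raw):
        if code != "220":
            continue
        for product, pattern in SIGNATURES:
            m = pattern.search(text)
            if m:
                return {"product": product, "version": m.group(1), "greeting": text}
        # No known product string: says nothing about what is really running.
        return {"product": None, "version": None, "greeting": text}
    return None


def audit(raw):
    """List what an admin's own greeting gives away to anyone who connects."""
    fp = fingerprint(raw)
    if fp is None:
        return ["no 220 greeting found"]
    findings = []
    if fp["product"]:
        findings.append("greeting names the product: " + fp["product"])
    if fp["version"]:
        findings.append("greeting discloses the version: " + fp["version"])
    return findings


if __name__ == "__main__":
    for name, capture in SAMPLES.items():
        print(name, fingerprint(capture), audit(capture))
```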

    7. Re:Sounds weak to me by Anonymous Coward · · Score: 0

      Duh, one that doesn't use a loopback address. Regardless of testing server bugs, an automated system does not need to check all possibilities, just see if the relay is open.

      As for the server, it should follow the standard and not bounce a bounce more than ten times.

      They should have stuck with it and got it tossed on the basis that it is designed to accept the email and bugs are not the sender's problem. This makes it viable to sue everyone on the internet that uses email.

    8. Re:Sounds weak to me by fanatic · · Score: 2

      Cases like this should show companies it is worth the money to hire competent systems administrators.

      What's the point in that when stupid laws written by ignorant legislators (oops - redundancy) let you shoot the messenger instead?

      On a tangent, my experience with Notes (aka Domino) is that it may be good for something, but that something is not email. It sucks for email.

      --
      "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
    9. Re:Sounds weak to me by Anonymous Coward · · Score: 0

      Well, you gutless fuck, why don't you pick up the ball? Let me guess...you won't. .

  4. Sucks for him... by NeoSkandranon · · Score: 1, Offtopic

    If this goes to court, it'll make another good /. story at some point.
    A shame though, that he's getting nailed for Lotus's incompetence. Is that looping issue patchable?

    --
    If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)
  5. El Reg by Mr Windows · · Score: 5, Informative

    The Register has a little more info. It seems that there is a workaround which involves changing the settings in Domino, though persuading everyone in the world who's running Domino to apply the fix might be hard! It seems like orbz.org is down already, and it's probably going to stay that way :(

    1. Re:El Reg by tcr · · Score: 3, Interesting

      True, but Domino administrators tend to be sensitive about SMTP settings - mainly because a Domino server install defaults to being an open relay!

      --
      Information wants to be beer.
    2. Re:El Reg by gorilla · · Score: 2

      Most people I know running a Domino setup, put a server outside, this means that you don't have to expose your domino server directly to the internet, and that forwarding server can still be up when you have to take your domino server down, which seems to be fairly frequently.

    3. Re:El Reg by Bilestoad · · Score: 2, Funny

      Gee, it would be terrible if people angry about this turn of events decided to punish those responsible for the demise of ORBZ. It would be awful if IT administrators were forced to get off their fat asses and upgrade to the fixed version of Domino. It would be a sad state of affairs indeed if issues like this forced said IT administrators to abandon expensive, buggy solutions like Domino in favor of free alternatives for enterprise email.

      Just tragic!

    4. Re:El Reg by Anonymous Coward · · Score: 0

      What would be tragic is if your advocacy of a felonious act got Rob into trouble when he refused to turn in your information to the authorities.

      'Free alternatives for enterprise mail.'

      Heh. Yeah. Everybody should use Pine as their client and sendmail as their server. If that's not good enough send in the Stallmanist troops.

    5. Re:El Reg by Anonymous Coward · · Score: 0

      Well if you don't know the difference between client and server...

      Thanks for your input, Mt. Fat-assed IT Manager.

  6. Domino... by Junta · · Score: 5, Insightful

    Is crap for a mailserver, I've always had problems out of it and avoid it like the plague when I can get away with it. For one, it tries to do too much for a mailserver, and its functionality as a mail server seems to be secondary to its database features. Domino may work well as a workflow engine/document management, but it really isn't a good Mail server implementation. Unfortunately, so many companies use it as an Exchange replacement, even though it is intended to do much more and mail is done in a really clunky way.. Just spend a few days using Notes and you'll agree that mail does not seem to be a central concern in the scheme of domino..

    Personally, I think postfix or qmail are good mail servers (though postfix doesn't cope at all with accounts that have uppercase in them, and qmail is only marginally better at it...). They are simple, short, and to the point. If you must use domino for mail serving, I would suggest having some sort of minimalistic mail server to act as a go between between domino and the outside world, as domino's is flawed in so many ways...

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:Domino... by reaper20 · · Score: 2

      You know, you can use iNotes and let your PHB still use Outlook and he won't tell the difference between Exchange and Notes.

      Domino/Notes may have some issues, but I think many people will agree that on the backend, it does what it needs to do and it does have a significant number of advantages over Exchange.

    2. Re:Domino... by Morpheus-NL · · Score: 2, Insightful

      Great idea ...
      setting up a simple mailserver/mailproxy , they could use SpamAssassin's spamproxyd ;-)

      That way they could also filter out any spam

    3. Re:Domino... by Anonymous Coward · · Score: 0

      We upgraded Notes and switched all our Outlook mail to come through the Notes server, and the result was dramatic: we have only had one virus scare in the last 3 months, as opposed to one a week with Outlook. I am all for Lotus, even though ORBZ did block our server.

    4. Re:Domino... by jgerman · · Score: 2

      Qmail is good, but take a stroll through the code one day, there's some stuff on there that'll make your hair stand on end. A coworker found a lot of poor coding in the source, mostly performance stuff.

      --
      I'm the big fish in the big pond bitch.
    5. Re:Domino... by coreman · · Score: 2

      I worked in Lotus for the last 6+ years as a contractor and was appalled at the mail system. I came out of a DEC/Compaq background and never realized how nice it was to send mail and hear the "new mail" beeps within the group cubicles immediately after sending. Even within the mail group we had people that couldn't fix simple configurations on the servers and I think I got 3 "failure" messages about mail not getting out while I was running about 60% success rate on sending outside mail. I kept my external shell account so I could send mail I needed to make sure got there and never relied on the system for anything "timely". IBM has been a good influence on them in terms of software reliability but there's an underlying problem with the software and IBM destroyed the Lotus culture that was the one positive about working there. I wouldn't imagine Domino has much of a future with WebSphere in the picture. Lotus software is looking more and more EOL.

    6. Re:Domino... by Anonymous Coward · · Score: 0

      A yea, right sure. So if he is such a good coder where is the patch (must work across all platforms Qmail supports)?

    7. Re:Domino... by defile · · Score: 2

      Dan Bernstein's software is certainly different, but I've never known it to exhibit "poor coding". Do you have any additional information?

    8. Re:Domino... by jgerman · · Score: 2
      To begin with, the "one-byte writes" are a huge performance loss.


      Don't get me wrong, qmail is good software, I use it personally. There are just changes that I feel need to be made, I've made them myself.

      --
      I'm the big fish in the big pond bitch.
  7. Wrong! by mnordstr · · Score: 1

    This is in every way wrong. If that damn company can't make mail software it's their problem. They don't have anything to do with us who just try to block spam.

    No spam filter... Now what? Guess I have to look for another, hopefully as good as orbz.

    1. Re:Wrong! by grifferz · · Score: 1
      This is in every way wrong. If that damn company can't make mail software it's their problem. They don't have anything to do with us who just try to block spam.

      The way I see it, Ian/Orbz was criminally negligent for using a test that he knew (because he already reported the problem himself) would crash unpatched Domino servers.

      What's more, he knew that that particular test never worked on Domino servers.

      IMHO at the very least he should have skipped that check for Domino servers.

      Now, I am not arguing against the fact that Domino admins should be clueful enough to apply the appropriate patches, but some blame has to lie with Ian/Orbz for negligent behaviour.

      I would consider it appropriate that Ian/Orbz be fined in order to serve as some form of encluement. The other guys have already had their encluement in the form of downtime.

      I am not advocating destroying Ian's livelihood nor would I wish to see Orbz die, but IMHO under a fair legal system, once some blame is apportioned then it has to be accounted for.

      People who run DNSBL-style services have a duty to be good Internet citizens just as much as the corporate sysadmins who run servers. This issue is very close to my heart since I am involved with Yet Another DNS-based Blocking Service myself.

  8. Relay-testing by Rupert · · Score: 3, Insightful

    I've never liked the open relay test based spam filters. Of course, they have a right to list who they want on their list, and if I run a publicly accessible SMTP server I can expect all kinds of bizarre malformed SMTP headers to arrive. However, when you are a self-appointed policeman of the internet, you should first be a good netizen. One of the things good netizens do not do is repeatedly exploit bugs in other people's software to bring down services. Imagine if netcraft started crashing some obscure OS/2 web server with its queries. We'd expect them to stop querying those servers, at the very least, and at best to fix their query.

    --
    E_NOSIG
    1. Re:Relay-testing by PhiberKut · · Score: 2, Insightful

      Rupert, ORBZ has never intentionally exploited bugs in other people's software. The test involves sending an email to the mail server and having it bounced back to you. If the mail server is incapable of doing this without DOS'ing itself; well the issue is obvious.

      Before querying the server, how is orbz to know that it is lotus?

      --
      Elijah Chancey www.elijahsadventure.com nomadic IT consultant, bicycling across america "all that you touch / and all
    2. Re:Relay-testing by SuperBill · · Score: 2, Insightful

      I totally disagree.
      If Netcraft crashed my servers with a standard query, I would look at it as a free security analysis (and then filter their IP until I fixed the problem ;) ). If a simple query crashes your server, and ONLY YOUR SERVER, you have a flawed server. It's not like ORBZ was crafting DOS packets with the intention of taking down a server.

    3. Re:Relay-testing by Fastball · · Score: 2, Insightful

      While you have a point about good netizens not repeatedly exploiting bugs in other people's software, I wonder at what point the responsibility should shift toward the developers of said buggy software.

      Is it not reasonable for us to ask Lotus developers to "catch up" to the crowd and fix the problem therein? I know Lotus Domino is proprietary software and all, but that doesn't give them a free pass (pun intended).

      The scoreboard the way I look at it:
      Developers of unstable, buggy proprietary software backed by an ignorant legal system 1, netizens 0.

    4. Re:Relay-testing by Anonymous Coward · · Score: 2, Insightful

      When I last used them (about two weeks ago) to test my mail server, they were running a 'confirmed opt-in' relay tester (meaning you had to submit an email addy along with the IP to test AND you had to reply to that confirmation message before the test probes would be run).

      I don't know that they had this in place from day one, but I suspect not. Either that or someone with a bone to pick discovered some way to abuse the system in order to create this outcome.

      I suspect that should the names & IPs of the parties involved in the investigation be published, those ranges are going to end up in so many private blacklists that the universe will experience heat death before it's removed from all of them.

    5. Re:Relay-testing by felicity · · Score: 4, Insightful
      This doesn't make sense -- don't attempt a query against server type X when the query is attempting to determine if the server is type X.

      The open-relay checks are not made up of "bizarre malformed SMTP" commands. "HELO", "MAIL", "RCPT", "DATA", and "QUIT" are the only commands that one should be using to do relay checks. If a mail server gets into a tizzy with those, then it's a completely broken server since all other servers will be sending those commands.

      As with the netcraft tests (ie: web servers unable to handle a "GET" request), it's not the fault of the person sending the request if the server is expected to know how to handle said requests.

    6. Re:Relay-testing by Rik van Riel · · Score: 3, Insightful
      However, when you are a self-appointed policeman of the internet ...
      They're absolutely not self-appointed.

      When I chose to use ORBZ on my mail server, I "appoint" the administrators of that DNSBL list.

      The spammers using the "free speech" argument will run into the same thing; their right to free spam^H^Heech stops at the border of my private network.

    7. Re:Relay-testing by Rupert · · Score: 2

      If your query crashes my server, I agree, I should fix my server. But if I ask you to stop sending the query until I get it fixed, I think that's a reasonable request.

      --
      E_NOSIG
    8. Re:Relay-testing by liquidsin · · Score: 3, Insightful

      I realize it's not a bug, but is it responsible of slashdot to post links to small sites that don't have the bandwidth and bring down their servers? We, the slashdot community, are constantly bringing down sites. Do you blame slashdot for this? It's not his fault they haven't patched their shoddy software, and it's not a malicious attack - he's not repeatedly crashing the same servers. It's a bug - a security flaw - and it needs to be fixed.

      --
      do not read this line twice.
    9. Re:Relay-testing by tlk nnr · · Score: 1

      Before querying the server, how is orbz to know that it is lotus?

      By checking the SMTP greeting: Lotus adds its own name into the greeting?

      220 mailserver.domain.com ESMTP Service (Lotus Domino Release 5.0.6a) ready at Sat, 2 Jun 2001 13:40:23 -0400

      I guess Ian didn't want to skip the checks if he sees that greeting, because someone with an open relay might add "Lotus" into his greeting to defeat orbz.
    10. Re:Relay-testing by tkrotchko · · Score: 4, Insightful

      You're right. But on the other hand, once you understand what you're doing is crashing servers, you should probably either (a) fix what you're doing, even though it's not your fault (b) refuse to test domino servers until they get it fixed.

      Or both.

      But to say "Gee, we crash Lotus server, too bad for them" is really poor manners.

      Mind you, it isn't criminal in a sane world, but it is thoughtless.

      --
      You were mistaken. Which is odd, since memory shouldn't be a problem for you
    11. Re:Relay-testing by Rupert · · Score: 2

      Who uses the list is a separate question from how they generate the list. In this instance, the method they use to generate the list is causing a problem.

      --
      E_NOSIG
    12. Re:Relay-testing by Anonymous Coward · · Score: 0

      Get out your scripts kiddies and get to work on those Domino servers! Someone needs to convince Lotus to fix their buggy crap. Can you say DDOS against all Lotus Domino servers? Woop.

    13. Re:Relay-testing by Anonymous Coward · · Score: 0

      The Lotus crashing mail is completely valid.
      Mail loops are not that uncommon with flawed mailserver configurations.
      The fact that Lotus Domino is badly configured in a default installation seems to be the major problem.

    14. Re:Relay-testing by Anonymous Coward · · Score: 0

      Also, most administrators, even the ones that do NOT fix their open relays, change the default greetings of their Domino servers.

    15. Re:Relay-testing by IMarvinTPA · · Score: 0

      If I understand it correctly, you got tested once when you were added to the list. Then again whenever you asked them to test you again because you thought you fixed the problem. So, you would DoS yourself when asking for a re-test. He wasn't trying to kill the servers.
      Sure, killing the Lotus servers wasn't nice.
      Neither is spam nice. Basically, he's caught between a rock and a hard place.

      Andy

    16. Re:Relay-testing by pod · · Score: 1

      You can still determine what the server is running without having to send in any envelopes. Server id string is the first thing you'll see when you connect to port 25. Of course, as soon as word got out all spam relays would change their id string to avoid getting scanned and blacklisted.

      --
      "Hot lesbian witches! It's fucking genius!"
    17. Re:Relay-testing by Anonymous Coward · · Score: 0

      Bring it on. Had mine patched before this story appeared.

    18. Re:Relay-testing by jgerman · · Score: 1, Flamebait

      Hmm ORBZ is sending email to my server, un-solicited no less, sounds like Spam to me. ;)

      --
      I'm the big fish in the big pond bitch.
    19. Re:Relay-testing by Strog · · Score: 1

      Spam needs to be bulk. This email doesn't go to users so I'm not sure how bulk you could call it

    20. Re:Relay-testing by ftobin · · Score: 3, Insightful

      You're right. But on the other hand, once you understand what you're doing is crashing servers, you should probably either (a) fix what you're doing, even though it's not your fault (b) refuse to test domino servers until they get it fixed.

      With regards to your (a), there wasn't anything to 'fix' on ORBZ's end. If you think so, you have a gross lack of knowledge of SMTP. If you think (b) is a viable solution, then it would only be fair to mark all Lotus servers as open relays if they can't be tested. This would be a worse solution than simply getting people to fix their Lotus servers.

    21. Re:Relay-testing by jgerman · · Score: 2

      Define bulk. They send un-solicited mail to hundreds if not thousands of servers a day, not even with the intention of selling anything but in order to exploit flaws in mail servers.

      --
      I'm the big fish in the big pond bitch.
    22. Re:Relay-testing by silicon_synapse · · Score: 1

      I'll have to disagree with you. Just because SPAM usually is bulk certainly doesn't mean it has to be. SPAM is unsolicited, usually commercial, email. If I didn't specifically request an email or it's not from an individual trying to initiate correspondence with me personally and non-commercially, it's SPAM.

    23. Re:Relay-testing by fulgan · · Score: 3, Insightful

      You are wrong on two accounts.

      First, you're wrong when you say "repeatedly exploit bugs in other people's software to bring down services". You're mixing effects and intents. The EFFECT is a crashed/hung server. The intent, however, is quite different.

      Second, internet mail software must follow a set of rules defined by the relevant RFCs. If a server software does not follow these rules and crashes when they are followed by third parties on it, it shouldn't be put into use on the internet and, if it is, then the blame clearly can't be put on the external party (in particular if it can be proved that the intent wasn't to DOS the server, something quite easy in this case).

      Now, this mostly boils down to: do the ORBZ scans follow the RFCs. Well, I've been scanned several times and, so far, I've not seen anything that wasn't abiding by the RFCs.

    24. Re:Relay-testing by mmusn · · Score: 2, Insightful
      So, by your reasoning, if my (non-IE) web browser causes your server to spin out of control, I'm supposed to stop using my web browser? And if I'm foolish enough to attempt to get to your web page every now and then, assuming that you might actually fix your server at some point, then I'm supposed to be responsible for criminal DoS?

      That makes no sense. If your software is broken, you need to fix your software, and going into an infinite loop from an occasional malformed request is a bug in your software.

    25. Re:Relay-testing by red_dragon · · Score: 2

      ORBZ did not have the "confirmed opt-in" relay tester that you mentioned; you could submit any IP address for testing, and the tester would queue it right away without sending you an e-mail to confirm the request. In that light, it could definitely be abused by kiddiots to cause a DOS on some poor soul's Domino box. The system you described is actually implemented by ORDB, which is independent from ORBZ.

      --
      In Soviet Russia, Jesus asks: "What Would You Do?"
    26. Re:Relay-testing by Anonymous Coward · · Score: 0

      "If you think so, you have a gross lack of knowledge of SMTP. "

      Only about 1/3 of the problems in life require technical fixes, most only require procedural changes.

      Simple things would help:

      1) Attempt to determine if the receiver is a Lotus Domino server. If so, don't do the @[127.0.0.1] test that causes the loop.

      2) Assuming you don't want to do that, you could limit your testing of the server to 1 time for a domino server on an IP address.

      3) Once you receive email from a hapless admin, you should never do any more testing until he/she fixes the bug in their config.

      4) Be helpful and send a link or URL to the affected person that shows them how to fix it.

      Of course, this assumes the guy running ORBZ takes an active role and doesn't depend on the tired defense of "gee, I don't have the time to educate everybody". Well, damnit, if you took on running ORBZ, then you better have the time to run it right, or shut it down!

      Don't dump on somebody because they don't have infinite time to learn every nuance of Lotus Domino. Some people are overworked and you might make their day with a little bit of help.

    27. Re:Relay-testing by Anonymous Coward · · Score: 0

      Awww crap - that's what I get for not checking my logs closer. With a lot of recent spare time on my hands (layoffs again) I started trying to get on top of the spam problem at my vanity domain (receiving, not sending) and have ended up muddying the memories of what service I was using for what (I'm currently using osirusoft's service)

      You're right - it is ORDB that has the confirmed opt-in tester. It's a shame ORBZ couldn't/didn't want to implement something similar; it could have saved him/them from this problem.

      On the note of spam, anyone seen a marked increase in the amount of such flowing today? My server isn't exactly going nuts (it's not well publicized), but I'd estimate I'm seeing about a 500% increase compared to what I've received/rejected over the last week.

    28. Re:Relay-testing by MadAhab · · Score: 2
      Right on. When various blackhole lists were still free, I was free to use them or not, depending on how I felt about the job they were doing. Personally, while I do think there are problems with the procedures by which mail servers get on and off the lists, I had a hard time arguing with the results, which stopped 90% of the spam I received, and never blocked something I wanted to get. Right now I'm just lazy and don't particularly care enough to find a non-subscription alternative.

      Welcome to freedom. It ain't always easy, because people choose to do things you might not like. But compared to the alternatives - ICANN, for example - pragmatic anarchy often looks pretty good.

      --
      Expanding a vast wasteland since 1996.
    29. Re:Relay-testing by Anonymous Coward · · Score: 0

      What if a spammer can make a mail server an open relay by using a "bizarre malformed SMTP"?
      Should this not be tested as well?

    30. Re:Relay-testing by Lemmy Caution · · Score: 2
      Would Lotus have preferred that by default every server identifying itself as a Lotus server be added to the black hole?

      Insert obligatory If This Were Microsoft Instead Of Lotus remark here.

    31. Re:Relay-testing by crucini · · Score: 2
      If your query crashes my server, I agree, I should fix my server. But if I ask you to stop sending the query until I get it fixed, I think that's a reasonable request.

      Are you aware of some incident where ORBZ continued to send unwanted queries to a mailserver over the protests of its admins? As far as I know, ORBZ did not do this.
    32. Re:Relay-testing by ftobin · · Score: 2

      Well, damnit, if you took on running ORBZ, then you better have the time to run it right, or shut it down!

      Why do you get to determine what it means to "run it right"? ORBZ wasn't doing anything weird at all. No other mail server in the world crashed, only Domino. If your browser crashes when it comes across PNG images, do you blame all the website owners out there that use PNG, or do you blame your browser maker?

    33. Re:Relay-testing by Anonymous Coward · · Score: 0

      That would be because you're not bright enough to figure out that what ORBZ is doing does not fall into the category of unsolicited bulk email. Now, who can tell me why not? Those who cannot, please collect your complimentary peppermint-flavored cyanide capsules on the way out. Remember, chlorinating the gene pool is everyone's responsibility.

    34. Re:Relay-testing by Anonymous Coward · · Score: 0

      "Why do you get to determine what it means to "run it right"? "

      I didn't "determine" anything. I'm telling you that to turn on a service, and not add procedural and human elements is irresponsible.

      The fact that he didn't have any proper procedures in place puts ORBZ in the "cute amateur" status. Maybe it's for the good he was shut down.

    35. Re:Relay-testing by Anonymous Coward · · Score: 0

      No, basically he pulled a Barney Fife and tripped over his gun belt.

      All the 'spam cops' need to get fucking lives.

    36. Re:Relay-testing by Cato+the+Elder · · Score: 2

      Your analogy isn't fair. Say that by entering
      http://slashdot.org/comments.pl?supercrashstring=%20%20%20%20%20%20%20%20
      into your web browser you can bring down slashdot. Are you claiming it _isn't_ a denial of service if you "check if its been fixed" every five minutes? Once you find out that what you are doing is crashing someone else's system, you should make a good faith effort to stop doing it, or you are committing a DoS attack.

    37. Re:Relay-testing by mmusn · · Score: 1
      Are you claiming it _isn't_ a denial of service if you "check if its been fixed" every five minutes?

      In short, yes, that's what I'm claiming; see below why.

      Once you find out that what you are doing is crashing someone else's system, you should make a good faith effort to stop doing it, or you are committing a DoS attack.

      If I go to some web site that's important to me and it stops responding, of course, I'm going to try again every few minutes to contact it. If the site crashes again and again because of that, from my point of view, it is just down. I would never even know that my string crashed it.

      Now, if I deliberately picked a string and used it to crash some site, that might not be particularly nice. But there are so many other innocent and legitimate reasons why I might continue to crash your site that way that even raising the possibility that it might be criminal DoS is chilling and unjustified.

      Denial of service attacks are when someone sends 500 requests a second to your host from a dozen different machines. That's something you can't easily do accidentally, and it's something the target can't do anything about given our current (broken) Internet infrastructure. But just about anything else (even sending a lot of requests to one site from one client) is something that can easily happen for legitimate reasons, and it is something that the web site's operator can deal with. It is foolish to criminalize that kind of behavior.

    38. Re:Relay-testing by eggnet · · Score: 1

      Would Lotus have preferred that by default every server identifying itself as a Lotus server be added to the black hole?

      That might be preferable to being crashed by ORBZ.

    39. Re:Relay-testing by Anonymous Coward · · Score: 0

      Spoken like a true spammer. There's a reason why blackhole lists have become so popular.

    40. Re:Relay-testing by zinger · · Score: 1

      Please note that many blackhole lists are still free. There may be questions about whether the free ones are as good, but they're still an option.

    41. Re:Relay-testing by mpe · · Score: 2

      Attempt to determine if the receiver is a Lotus Domino server. If so, don't do the @[127.0.0.1] test that causes the loop.

      Now this is out in the open such requests are more likely to come from vandals than anyone attempting to find open relays (for whatever reason)

    42. Re:Relay-testing by Alsee · · Score: 2

      This doesn't make sense -- don't attempt a query against server type X when the query is attempting to determine if the server is type X.

      Testing for an open server is fine. The issue here is that the messages he was sending were designed to be handled badly by open relays. He knew these messages were locking up machines, yet he continued to use them because they only locked up open relays.

      While I support ORBZ and what it is trying to do, I think intentionally crashing servers is crossing the line. The criminal case may not be unreasonable.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    43. Re:Relay-testing by Anonymous Coward · · Score: 0
      He had no idea, and no reason to believe that, he was going to crash their Lotus Domino server. Can one person possibly know if any particular E-mail is going to crash a particular version of a particular E-mail server? There are countless versions of Lotus Domino, SendMail, and Exchange, just to name a few, all of which have different bugs and quirks. He sent an E-mail in a standard internet format, so he had no reason to expect that it would activate a latent Domino bug.


      And about Lotus Domino being a sucky mail server, you are right...until you compare it to Outlook/Exchange. Every place I know of that runs Outlook/Exchange has had at least one E-mail virus kill their network. Maybe it doesn't have to happen, but it does. Every place I know of that runs Lotus Notes/Domino doesn't have that problem. Based on that, in my not so humble opinion, putting up with the headaches of Domino is preferable to putting up with unchecked spread of E-mail viruses.

  9. Incompetant Admins by DragonC · · Score: 5, Informative

    I run a Domino server. In fact I run lots of Domino websites. And this "Denial of Service" issue that is reported is really due to Admins who don't know what they're doing.

    Any system can try and forward to 127.0.0.1 if it is set that way. There is so much information available at all the normal locations that it is really the Admins' own fault. Why they should take it out on somebody who has done us all a superb service is anybody's guess.

    Where to look for info:
    Lotus
    Notes.net
    DominoHive
    SecurityTracker for Domino

    1. Re:Incompetant Admins by WildBeast · · Score: 3, Interesting

      True, but remember that it's the same thing for at least 95% of security issues. Dumb and extremely busy admins will go with the default install and they usually won't even customize the software. So who gets the blame? MS, IBM, Sun, Linux, etc.

    2. Re:Incompetant Admins by DragonC · · Score: 1

      My point exactly.

      Every piece of software comes with default installations. Now, could I install and setup a Linux box? Yes. An Exchange server? Yes. But would you want to trust these setups on a live network? No. Why not? Because I know next to nothing about them.*

      Any SA worth his salt would not stick to the default installations. They should know about, if not where to find, the latest patches and fixes. That's their job! Nobody should ever put out-of-the-box installations onto live networks. Not Windows, not Linux, not Domino.

      * - I know more about Linux than Exchange. But that's by personal choice. (^_^)

    3. Re:Incompetant Admins by dillon_rinker · · Score: 2

      They should know about, if not where to find, the latest patches and fixes. That's their job!
      "Should" is a dangerous word. There should be universal peace and brotherhood, but I don't behave as if that is the case. Sometimes sysadmins aren't trained or experienced in IT. Sometimes they are office coordinators who came up through the ranks of typing pools and secretarial staff. Should the employer pay $60,000 a year to hire a sysadmin who can secure the one or two servers the business operates? Even if the business doesn't have that kind of cash flow? Even if the increased costs mean they can't compete? Even when the office coordinator can get the system functional (though nonoptimal)?

      The solution to this problem is to create default installs that are SECURE. Make decreasing security and enabling features an option. Provide a variety of scripts that can be run after install that will enable features/disable security in a number of standard, customer-expected ways.

      In short, given the choice between controlling the behavior of a few corporations or the behavior of 1E6 computer types, I'd rather focus on the former. Focusing on the latter is pointless.

    4. Re:Incompetant Admins by jgerman · · Score: 2

      Should the employer pay $60,000 a year to hire a sysadmin who can secure the one or two servers the business operates? Even if the business doesn't have that kind of cash flow? Even if the increased costs mean they can't compete? Even when the office coordinator can get the system functional


      Uhh yeah they should.

      Should a new nuclear plant hire qualified technicians to prevent meltdowns? Even if they don't have the cashflow, even if it means they can't compete? Even if a high school student can get the plant functional?


      If they can't be responsible they shouldn't be in business. It's a pretty simple concept.

      --
      I'm the big fish in the big pond bitch.
    5. Re:Incompetant Admins by mjan · · Score: 1

      That's once again one of these comments which compares two completely different types of risks:

      A meltdown of a nuclear plant might as well do some harm to people who happen to live closer than 1000 km to the plant.

      A mail server does not kill anybody, even if it's an open relay.

      The same comparison is often drawn when discussing the liability of s/w companies for security flaws in their products: it's just not the same thing as for a car tyre producer etc.

      Don't compare safety with security.

      Anyway, I fully agree that anybody who connects any kind of server to the internet should have a basic idea of security and act accordingly. (e.g. by paying somebody to make the boxes secure)

    6. Re:Incompetant Admins by ethereal · · Score: 2, Insightful
      Should the employer pay $60,000 a year to hire a sysadmin who can secure the one or two servers the business operates? Even if the business doesn't have that kind of cash flow? Even if the increased costs mean they can't compete? Even when the office coordinator can get the system functional (though nonoptimal)?

      Maybe they should contract it out at a greatly reduced rate. The office coordinator could also install the business' alarm system and get it functional (though nonoptimal), but businesses understand that to get that kind of security right you hire a professional. Thus it is with software systems security as well.

      --

      Your right to not believe: Americans United for Separation of Church and

    7. Re:Incompetant Admins by dillon_rinker · · Score: 2

      Good analogy; the problem is convincing business owners of its validity. Insurance companies will give you reduced rates if you have a good alarm system. There's not a similar benefit for good computer security. It's sort of like wearing a seat belt - vital if you're in a wreck, kind of annoying otherwise.

    8. Re:Incompetant Admins by jgerman · · Score: 2

      Wrong. Poor system could pose a threat to public health. If there were an info-terror war for example. Safety and security can never be wholly divided. You want to see examples of software safety/security issues? Read through the Risks Digest. The problem is that computing security is taken TOO lightly and is too often put in the hands of those who should not be in charge of any aspect of it.

      --
      I'm the big fish in the big pond bitch.
    9. Re:Incompetant Admins by Anonymous Coward · · Score: 0

      If they can't be responsible they shouldn't be in business. It's a pretty simple concept.

      Cool! We're probably in agreement. People shouldn't be allowed to run services unless they are responsible in how they run those services.

      So, now that we're in agreement, let's start licensing people who run services and start holding people responsible.

      You don't want to be required to have a license to run services on your net-connected computer?

      Gee, that's a shame.

    10. Re:Incompetant Admins by ethereal · · Score: 1

      I think there was a /. story a while back about an insurance company offering breaks for various secure computing activities - if you had a firewall, etc.

      The problem with computing is that a 99% secure system is still wide open to 1% of the attacks, and that's all that you need. Guaranteed computer security is all or nothing, which is a little harder to insure I would think.

      --

      Your right to not believe: Americans United for Separation of Church and

  10. Lotus hey? by WildBeast · · Score: 1

    I remember some Lotus users who kept telling us how Sendmail and Exchange were so horribly insecure. That'll teach them :)

    1. Re:Lotus hey? by Anonymous Coward · · Score: 0

      Many people would say that there's a difference between a flaw in a component that can DOS a server, and a flawed environment where malicious code can propagate wildly (M$).

  11. Stupid question by ethereal · · Score: 5, Insightful

    I'm sure I'm missing something here, but why can't ORBZ use a different envelope that doesn't bounce to 127.0.0.1? If they would just use an envelope that bounces back to one of their machines, for example, then they could still test open relays in a non-destructive manner.

    Can someone more knowledgeable than myself explain why they would rather go out of business than slightly alter their envelope that they test with?

    --

    Your right to not believe: Americans United for Separation of Church and

    1. Re:Stupid question by Ioldanach · · Score: 5, Informative
      why can't ORBZ use a different envelope that doesn't bounce to 127.0.0.1
      Because they're testing for obscure bugs that allow spammers to use a server as an open relay even when it's configured properly.
    2. Re:Stupid question by iabervon · · Score: 2

      Why, then, can't they detect that it's a Domino server and skip the check? If the obscure bug, in this case, causes the server to crash, rather than sending the message to its destination, the server isn't an open relay (and likely not to remain open at all if a spammer tries to use it).

      SMTP servers tend to give their version information when you connect to them, and, while they may refuse to say, they're unlikely to lie, and especially unlikely to be set up to say they're Domino, not have this bug, and be an open relay.

    3. Re:Stupid question by ethereal · · Score: 1

      That sort-of makes sense. Although I still think they could remain in existence and just not test for that particular error condition. There's still some value in testing for just garden-variety open relays, isn't there? Surely it doesn't make sense for ORBZ to disappear just because they can't test for something obscure like this which probably doesn't affect very many servers.

      Assuming that you actually agree that testing other people's mail relays is an OK thing to do, that is.

      --

      Your right to not believe: Americans United for Separation of Church and

    4. Re:Stupid question by Dialithis · · Score: 1

      Mostly because they don't care much at all about the admins of servers they are sending their tripe to. If you run a properly configured mailserver, such as qmail, many of their requests will triple-bounce and end up in postmaster's mailbox.

      Which is annoying. And they refuse to skip certain tests for platforms that are 99% sure of being secure against that attack, and refuse to have a valid envelope address (they basically are sending forged emails out). They are only a step above the spammers, and in my case I get more "spam" from them than from spammers.

  12. Just great by bitva · · Score: 0, Troll
    My company *used* to be an ISP. Our mail server was flagged an open-relay and instead of upgrading our crappy ass version of Sendmail to allow our customers to send e-mail to Pacbell customers (who was blocking us) we just decided to get out of the ISP business all together.


    Guess we should've just waited out ORBZ's demise.

    --

    I am currently not obliged to divulge that information as it might compromise the agents in the field

    1. Re:Just great by Carlos+Laviola · · Score: 2

      And ORDB's, SpamCop's, DorkSlayer's, n.a.n.a's, ...

    2. Re:Just great by Anonymous Coward · · Score: 0

      Are you serious?

      You let a simple upgrade of a software package get in the way of making money and doing business?

    3. Re:Just great by bitva · · Score: 1

      We're lazy. It's also not what we're focusing in on anymore.

      --

      I am currently not obliged to divulge that information as it might compromise the agents in the field

  13. yeah right.... by reaper20 · · Score: 4, Interesting

    Of course, if common sense prevailed, it would be the mail server vendor in court for producing insecure mail server software.

    And that would leave us with how many commercial mail servers? None. :)

    More laws like this will only make things worse. One thing we have seen proven time and time again (SSSCA, DMCA), is that legislation of technology by people who don't understand or are influenced by people who don't understand it is that it does not work.

    I'd bet that nine out of ten 'insecure' or 'spamfriendly' open relays are human related errors. Granted, using sendmail is like playing with a loaded gun with the trigger welded down, but it is possible, and other MTAs are pretty damn secure and fast (I like Postfix).

    1. Re:yeah right.... by McFly777 · · Score: 1
      using sendmail is like playing with a loaded gun with the trigger welded down

      Sounds rather safe to me. If the trigger is welded, it can't be moved.

      --

      McFly777
      - - -
      "What do people mean when they say the computer went down on them?" -Marilyn Pittman
    2. Re:yeah right.... by reaper20 · · Score: 1

      ok, crappy analogy - "plasma gun from doom with the trigger welded down."

    3. Re:yeah right.... by schon · · Score: 2, Interesting

      of course, if common sense prevailed, it would be the mail server vendor in court for producing insecure mail server software.

      And that would leave us with how many commercial mail servers? None. :)


      Yeah - just like all those lawsuits against car manufacturers resulted in them all going out of business!

      More laws like this will only make things worse

      Nobody said anything about more laws - they implied that existing laws for negligence should be used to force the appropriate parties to fix their software.

    4. Re:yeah right.... by cholokoy · · Score: 1

      Yeah - just like all those lawsuits against car manufacturers resulted in them all going out of business!

      No, not really but it would make cars more expensive due to the more comprehensive testing involved.

      --
      Return the bells of Balangiga.
    5. Re:yeah right.... by Anonymous Coward · · Score: 0

      And that would leave us with how many commercial mail servers? None. :)

      Hmmm, I wonder what this is then.

    6. Re:yeah right.... by Strog · · Score: 1

      Of course no "admin" would make it insecure accidentally or on purpose.

    7. Re:yeah right.... by crucini · · Score: 2

      In general I agree that more government intervention will not help. However I disagree with your assumption that a court would somehow destroy or eliminate a mail server or its vendor. More likely, recognizing the mutable nature of software, the court would order the vendor to fix the relaying problem and make a reasonable effort to distribute the fix to registered customers.

    8. Re:yeah right.... by No+One · · Score: 1

      Hmm... So if it hadn't been for the product liability lawsuits against car manufacturers, I could have saved a couple hundred on a car, at the price of being roasted alive when my gas tank explodes.

      Damn those lawyer bastards!

      --

      There is no sin except stupidity -- Oscar Wilde
    9. Re:yeah right.... by Error27 · · Score: 2
      Slashdot had an article about this a week ago.

      I'm really inclined to agree with the fellow who said that if you want a guarantee on your software, you can get it right now for a price. For example, banks and insurance companies need their software to work correctly and they are able to achieve impressive results.

      There are plenty of legitimate reasons why some people do not purchase expensive service contracts, but that's their decision and they should deal with the consequences.

      On the other hand, perhaps there should be laws that force software distributors to give a summary of all the security flaws the software has had in the last six months. Think of it as the ingredients list on food products. The summary would come with the software when you purchased it or would be posted on a website when you downloaded it.

      In the end it's up to the consumer to decide what level of software quality they need (or can afford), but with this full disclosure consumers would be able to make better, more informed choices.

    10. Re:yeah right.... by cabbey · · Score: 2

      And that would leave us with how many commercial mail servers? None. :)

      Not at all... the big companies like MS and Lotus would bring in their big lawyers and prove that it was a user config error, thereby clearing themselves and (in this case) ORBZ and laying the blame where it belonged, at the admin. They would then go back to their development labs and say "prevent the user from shooting themselves in the foot please." and a fix would be quietly issued a few months later.

  14. Just silly by interiot · · Score: 4, Informative
    The "DoS" is simply a mail header of the form:
    • MAIL FROM:<bounce@[127.0.0.1]>
      RCPT TO:<address@domain.com>
    Why IBM decided to pursue criminal prosecution rather than releasing a simple bugfix is beyond me.
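
Added example, not part of the original thread and not Lotus or ORBZ code: a receiving-side check for the envelope quoted above, which refuses a MAIL FROM whose domain is a loopback, unspecified, or locally owned address literal, so that a bounce can never be addressed back to the server itself. The function names, the `own_addresses` parameter, the local-name set and the reply texts are assumptions made for illustration.

```python
import ipaddress
import re

# MAIL FROM:<reverse-path> [params]; "<>" is the null sender used for bounces.
_MAIL_FROM = re.compile(r"^MAIL FROM:\s*<([^>]*)>", re.IGNORECASE)

# Host names this server treats as itself (assumed set, extend per site).
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def reverse_path(command_line):
    """Return the reverse-path of a MAIL FROM command, or None if malformed."""
    m = _MAIL_FROM.match(command_line.strip())
    return m.group(1) if m else None


def literal_address(domain):
    """Parse an address literal such as [127.0.0.1] or [IPv6:::1].

    Raises ValueError when the bracketed text is not a valid IP address.
    IPv4-mapped IPv6 addresses are unwrapped to the IPv4 address they carry.
    """
    body = domain[1:-1] if domain.endswith("]") else ""
    if body.lower().startswith("ipv6:"):
        body = body[5:]
    addr = ipaddress.ip_address(body)
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr


def check_mail_from(command_line, own_addresses=()):
    """Return an (SMTP reply code, text) pair for one MAIL FROM command."""
    path = reverse_path(command_line)
    if path is None:
        return 501, "5.5.4 malformed MAIL FROM"
    if path == "":
        return 250, "2.1.0 null sender accepted"

    local, at, domain = path.rpartition("@")
    if not at or not local or not domain:
        return 501, "5.1.7 bad sender address syntax"

    domain = domain.rstrip(".").lower()
    if domain in LOCAL_NAMES:
        return 553, "5.1.8 sender domain resolves to this host"

    if domain.startswith("["):
        try:
            addr = literal_address(domain)
        except ValueError:
            return 501, "5.1.7 bad address literal"
        own = {ipaddress.ip_address(a) for a in own_addresses}
        # A bounce to any of these would be delivered to this server itself.
        if addr.is_loopback or addr.is_unspecified or addr in own:
            return 553, "5.1.8 sender address literal points at this host"

    return 250, "2.1.0 sender ok"


if __name__ == "__main__":
    # Constructed sample commands; 192.0.2.10 stands in for the server's own IP.
    for line in (
        "MAIL FROM:<bounce@[127.0.0.1]>",
        "MAIL FROM:<>",
        "MAIL FROM:<user@example.org>",
        "MAIL FROM:<x@[IPv6:::ffff:127.0.0.1]>",
        "MAIL FROM:<x@[192.0.2.10]>",
    ):
        print(line, "->", check_mail_from(line, own_addresses=["192.0.2.10"]))
```
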
    1. Re:Just silly by larien · · Score: 3, Informative

      My guess is that it isn't IBM, but the admins of the crashing mail servers doing the suing.

    2. Re:Just silly by Anonymous Coward · · Score: 0

      I don't understand why ORBZ couldn't just skip this check when scanning a Domino server? It's not rocket science. I guess there were some other things at work here, and this is just the excuse. Of course, if they skipped the check, then all open relay spammers would change their server id string to match, thus defeating the purpose of the scan.

  15. Why can't users take over? by teamhasnoi · · Score: 1

    If this is a problem with him sending out packets, why not give that duty to the anti-spam community? He can just post the results.

  16. Domino doesn't adhere to standards? by Merlinus · · Score: 2, Interesting

    Does this mean that Domino isn't adhering to SMTP standards? If so, then what is the problem? Domino users can't sue for DoS if their software is being used properly (according to standards).

    1. Re:Domino doesn't adhere to standards? by Anonymous Coward · · Score: 0

      I think you're missing the point here. ORBS could not continue to fire a malformed request at mail servers, knowing in some instances that it would take the server down. (Much in the same way that you don't go around force feeding people peanuts, to see who has a fatal allergy!)

    2. Re:Domino doesn't adhere to standards? by Skapare · · Score: 2

      If they receive a complaint that the server is being taken down as a result of the receipt of a valid (albeit meaningless for sending valid mail) header, then just put that server in the list of (we don't test these, so they are permanently blocked for safety reasons), and move on. If it is the case that ORBZ received an initial communication about the issue from whoever runs that server, then this could have been done.

      Your analogy about force feeding peanuts is false because it depends on the notion that feeding in general is a forced activity (which it is not). It is the standard protocol for mail to be "force fed" to the recipient server ... in this case it had a peanut in it. So within the context of sending email, force feeding is the norm. And further, the form used by ORBZ is valid and should never cause impact. My servers have been tested and didn't fail. My only complaint to ORBZ was that they missed one of my servers in their testing cycle :-)

      --
      now we need to go OSS in diesel cars
  17. ORBS, ORBZ, and MAPS Previously on Slashdot by rtos · · Score: 3, Informative
    Previously on Slashdot:
    ORBS Forks : "Wired is carrying this article about the shutdown of Alan Brown's Open Relay Behavior-Modification System, more commonly known as ORBS. Brown, of New Zealand, closed his operation after two local companies won legal injunctions against him for listing them." It seems the list of 94,000 open relays will be maintained by: "Open Relay Black List of Phoenix, AZ, Open Relay Block Zone (ORBZ), of Basingstoke, England, and the Open Relay Database (ORDB), of Aarhus, Denmark." We've gotten a zillion ORBS submissions since the day its website went down, but this is the first post-ORBS story with enough info to be worth a mention. Guess the dust just needed to settle."

    MAPS vs. ORBS : "It seems that the anti-spammers at MAPS and ORBS have gone from a cold war into a shooting one, with MAPS listing ORBS on their blackhole list. ORBS accuses MAPS of doing it for financial gain, MAPS accuses ORBS of attacking systems, Alan Cox gets peeved about spam, kuro5hin.org has the obligatory "Slashdot is censoring the story!" postings but has at least one seemingly clueful post, and the U.S. House passed an anti-spam bill yesterday - coincidence, or devious conspiracy?"

    ORBS Lookup Entries Undergo Major Revamping : "I noticed this morning that as of 2001/2/1 relays.orbs.org has been decommissioned, ORBS has announced. The announcement further mentions some serious new testing/checking/hostname additions, about a dozen of them, that will greatly increase the granularity of the ORBS results. A benefit seems to be the end user now has fine granularity in the results s/he will get back, obviating some of the bullshit griping that surrounds ORBS most often. More power to us and them. =)"

    It is always helpful to read current stories with a bit of historical context.
    --
    -- null
    1. Re:ORBS, ORBZ, and MAPS Previously on Slashdot by JPriest · · Score: 1

      BTW I know who now owns the remains of ORBS. I found out one day by accident, I don't think the company that owns it even knows.
      Needless to say it won't be back.

      --
      Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
  18. Not his problem by Anonymous Coward · · Score: 2, Insightful

    "Unfortunately (but understandably), irrelevant of the merits of the case, Ian doesn't want to risk jail for the sake of spam fighting. Of course, if common sense prevailed, it would be the mail server vendor in court for producing insecure mail server software, not a third party for happening to send requests that unintentionally crash poorly-written servers."

    So what this is saying is that Ian is willing to stop his client because a specific (and not nearly as widespread as its competitors) mail server has poorly written bugs. If anything, it is Lotus who should patch their servers. This just reeks of poor engineering decisions.

    And Jail Time! heh. Give us a break. You can't be put in jail for writing good software. You can be put in jail for writing intentionally destructive software. If their server has a terrible bug, it's not your fault that it just happens to be exposed by a correctly functioning program that performs a useful task.

    I can just imagine Lotus/IBM sending a cease and desist letter for the production of software that breaks their mail server... Except that the software is already out, the knowledge that the problem exists is widespread to the hackers (i.e. slashdot readers), and IBM better close those bugs before _we_ do.

    1. Re:Not his problem by Anonymous Coward · · Score: 1, Funny

      stop his client because a specific mail server has poorly written bugs

      As opposed to all those well-written bugs in (say) MS software? *rimshot* :o)

    2. Re:Not his problem by vsync64 · · Score: 3, Insightful
      And Jail Time! heh. Give us a break. You can't be put in jail for writing good software.

      Oh really?

      --
      TO BUY A NEW CAR WOULD MAKE YOU SEXUALLY ATTRACTIVE.
    3. Re:Not his problem by mesocyclone · · Score: 2
      " You can't be put in jail for writing good software. You can be put in jail for writing intentionally destructive software. If their server has a terrible bug, it's not your fault that it just happens to be exposed by a correctly functioning program that performs a useful task. ."

      Dude, you need to get educated before you program on your Dell! The legal systems could care less whether your program is well written, well intentioned or performing a useful task. If you cross arbitrary lines, you can be prosecuted, and jailed for a *long time!*

      At least in the US, the jail time for doing this to TWO sites (2 counts) is more than the average murderer gets! Is this dumb? You bet, but it is real.

      --

      The only good weather is bad weather.

    4. Re:Not his problem by JLester · · Score: 1

      The kicker is that for "hobbyists" like Ian, just fighting this would probably bankrupt him. It's unfortunate, but that's life in our "sue-happy" society these days.

      Jason

      --
      "FORMAT C:" - Kills bugs dead!
    5. Re:Not his problem by kubrick · · Score: 1

      At least in the US, the jail time for doing this to TWO sites (2 counts) is more than the average murderer gets! Is this dumb? You bet, but it is real.

      This is the free market reaching its ultimate conclusion. What is the average human life worth? What is the average corporate endeavour worth? Arrive at figures for both and work out how to punish people based purely on the financial impact of their actions.

      The idea of 'lives lost' being included in the budgets of major construction projects is another chilling reminder of how cheaply some people are prepared to price the lives of others.

      --
      deus does not exist but if he does
  19. A quick run-down of what ORBZ is (i.e. was) by let+the+storm · · Score: 5, Informative

    ORBZ never came into as widespread use as it perhaps deserved, so a lot of slashdotters might be left wondering what exactly it is (was):
    The short story is that it is a replacement to the now-dead ORBS, which stood for "Open Relay Behaviour-modification System", and was basically a system of centrally "policing" open mail relays by occasionally testing them with scripts. Any system that failed the test eventually entered ORBS's "black list", which some mail admins used to bounce email with a path through them. Well, that project died, so ORBZ was born: the "Open Relay Blackhole Zones".
    Now, it too, is dead.
    And we can go back to blocking the whole of china, rather than just open relays on it.
    shrug.

    --
    m iso socially aware artistic geek pen-pal, m or f, in '1337 edu. jazz, poetry a must.

    1. Re:A quick run-down of what ORBZ is (i.e. was) by AnotherBlackHat · · Score: 2

      On March 12, 2002, I pulled all the IPs from the spam in my trollboxes.
      Combined, there were 105, which is pretty typical.
      I checked these 105 with the handy web page that is unfortunately no longer available (http://orbz.org/)
      That web page checked inputs.orbz.org, outputs.orbz.org, relays.ordb.org,
      orbs.dorkslayers.com, dev.null.dk, relays.osirusoft.com, bl.spamcop.net, and relays.visi.com.

      outputs.orbz.org listed the largest number as open relays at 43.
      By combining orbz.inputs, orbz.outputs, dorkslayers, dev_null and visi,
      the total went up 5, to 48.

      In other words, using standard block lists that only list open relays would have stopped 46% of the spam received.
      Spam cop caught 65, Osirus caught 51.
      Spam cop and Osirus (despite the name relays.osirusoft.com) do not just list open relays.
      Combining all these together caught 82, or 78% of the spam.
      Since these were troll boxes, there is no measure of how many false positives there would have been.

      Pretty strong evidence that most of the spam we receive
      isn't even bounced off an open relay at all, much less a Chinese relay.

      -- Spam Wolf, the best spam blocking vaporware yet!
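
The tally described in the comment above, as an added example that is not part of the original post: each IP is looked up in each block list by reversing its octets under the list's zone, then per-list hits, combined coverage and the extra catch each list contributes are counted. The `.example` zone names, the 192.0.2.x addresses and the listings are constructed so the survey runs offline; `system_lookup` is the live path.

```python
import socket
from ipaddress import IPv4Address


def dnsbl_query_name(ip, zone):
    """192.0.2.10 checked against bl.example becomes 10.2.0.192.bl.example."""
    octets = str(IPv4Address(ip)).split(".")  # ValueError on anything but IPv4
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def system_lookup(name):
    """Live lookup: a listed address conventionally answers with an A record
    in 127.0.0.0/8; an unlisted one gets NXDOMAIN."""
    try:
        return socket.gethostbyname(name).startswith("127.")
    except OSError:
        return False


def survey(ips, zones, lookup=system_lookup):
    """Return {zone: set of the given IPs that the zone lists}."""
    return {z: {ip for ip in ips if lookup(dnsbl_query_name(ip, z))} for z in zones}


def combined(hits, zones):
    """IPs caught by at least one of the given zones."""
    caught = set()
    for z in zones:
        caught |= hits[z]
    return caught


def marginal_gain(hits, order):
    """Walk the zones in order and count the IPs each one adds to the total."""
    seen, gains = set(), []
    for z in order:
        new = hits[z] - seen
        gains.append((z, len(new)))
        seen |= new
    return gains


def percent(part, whole):
    return round(100 * part / whole) if whole else 0


# Constructed sample: ten spam-source IPs from a documentation range and three
# hypothetical lists (two relay-only, one that lists other sources as well).
SAMPLE_IPS = ["192.0.2.%d" % n for n in range(1, 11)]
RELAY_ZONES = ["relays-a.example", "relays-b.example"]
MIXED_ZONE = "mixed.example"
CONSTRUCTED_LISTINGS = {
    "relays-a.example": {"192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"},
    "relays-b.example": {"192.0.2.3", "192.0.2.4", "192.0.2.5"},
    "mixed.example": {"192.0.2.1", "192.0.2.5", "192.0.2.6", "192.0.2.7", "192.0.2.8"},
}
CONSTRUCTED_NAMES = {dnsbl_query_name(ip, zone)
                     for zone, ips in CONSTRUCTED_LISTINGS.items() for ip in ips}


def constructed_lookup(name):
    """Offline stand-in for DNS: a name resolves only if the sample lists it."""
    return name in CONSTRUCTED_NAMES


def run_constructed_survey():
    zones = RELAY_ZONES + [MIXED_ZONE]
    hits = survey(SAMPLE_IPS, zones, constructed_lookup)
    relay_only = combined(hits, RELAY_ZONES)
    everything = combined(hits, zones)
    return {
        "per_zone": {z: len(s) for z, s in hits.items()},
        "relay_only_pct": percent(len(relay_only), len(SAMPLE_IPS)),
        "all_pct": percent(len(everything), len(SAMPLE_IPS)),
        "gains": marginal_gain(hits, zones),
        "missed": set(SAMPLE_IPS) - everything,
    }


if __name__ == "__main__":
    for key, value in run_constructed_survey().items():
        print(key, value)
```
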

    2. Re:A quick run-down of what ORBZ is (i.e. was) by Syberghost · · Score: 3, Informative

      It was more widely used than most people know; Spamcop used it. (And as of last check was still attempting to, although I've emailed them, perhaps they've fixed it by now.)

      Because of that, I bet lots of people who have never heard of ORBZ were "using" it.

      But there's no reason to despair; there are many others still functioning, and new ones coming up all the time.

      My favorite new one is NJABL; Not Just Another BlackList.

      Spamcop has a lovely one, and Osirus is excellent as well.

    3. Re:A quick run-down of what ORBZ is (i.e. was) by ftide · · Score: 1
      ORBZ never came into as widespread use as it perhaps deserved

      So move on. What's stopping a person or organization commissioning policy on spam? Then they can set up a centrally managed system with pre-agreed permission hierarchies or trust metrics for continuous operations, audits, and compliance over the system?

      Spam is a big problem so businesses will eventually get to their senses and put money and logistics into /dev/nulling spam in a systematic organized fashion. ORBZ (is/was it a non-profit 501(c)3?) had good protocols and HOWTO "templates" for dealing with *($^%^&!!! spam.

      So basically we need clones of ORBZ at various points of presence to stop spam servers short of nuking user mailboxes, an undeniably constant problem. Instead of centrally policing it should be central policies for open mail relays. In an open design model they basically sit upstream of participating organizations checking bandwidth and share results with ISPs.

      The trick is how do you successfully sysadmin and manage such ORBZ clones in a distributed environment?

  20. Lawsuit lottery by csbruce · · Score: 2

    Of course, if common sense prevailed, it would be the mail server vendor in court for producing insecure mail server software

    I think that should be "in court for refusing to fix insecure mail-server software in a timely manner..."

  21. Lotus Notes now a Target? by Anonymous Coward · · Score: 0

    Has a patch ever been released for Notes?

    Tell me Notes servers won't be targeted now in protest!

    1. Re:Lotus Notes now a Target? by Skapare · · Score: 2

      I have no reason to "target" Notes servers. The defect does NOT (apparently) make them open relays. So I have no reason to block them. However, when I found out who it is that pursued the complaint against ORBZ and threatened them with criminal charges, I WILL BLOCK THEM and I will send them mail explaining that they are blocked and why.

      As for targeting Notes servers for DoS attacks, why would I do that? There are plenty of kids around to take care of the job :-)

      --
      now we need to go OSS in diesel cars
    2. Re:Lotus Notes now a Target? by Anonymous Coward · · Score: 0

      http://www.wired.com/news/business/0,1367,51218,00.html

      mail.battlecreek.org has address 216.120.158.120

      whois \!NETBLK-TRLC-120-158-64-01
      Interactive Learning Systems (NETBLK-TRLC-120-158-64-01)
      64 West Michigan Ave
      Battle Creek, MI 49017
      US

      Netname: TRLC-120-158-64-01
      Netblock: 216.120.158.64 - 216.120.158.127

    3. Re:Lotus Notes now a Target? by Skapare · · Score: 2

      Thanks for the info! I'm about to block them. But in the course of digging for info, I also found that they cannot send me mail anyway due to the fact they failed to put in their reverse DNS. That solidifies my knowledge that their network/server is being operated by someone not very competent.

      phil@pollux:/home/phil 33> dnstracer 120.158.120.216.in-addr.arpa | head
      Tracing to 120.158.120.216.in-addr.arpa via 209.102.208.30, timeout 15 seconds
      209.102.208.30 (209.102.208.30)
      |\___ D.ROOT-SERVERS.NET (128.8.10.90)
      | |\___ JERK.ARIN.NET (192.12.94.32)
      | | |\___ NSB.TRIVALENT.NET (216.120.131.35)
      | | \___ NSA.TRIVALENT.NET (216.120.131.34)
      | |\___ INDIGO.ARIN.NET (192.31.80.32)
      | | |\___ NSB.TRIVALENT.NET (216.120.131.35) (cached)
      | | \___ NSA.TRIVALENT.NET (216.120.131.34) (cached)
      | |\___ HENNA.ARIN.NET (192.26.92.32)
      phil@pollux:/home/phil 34> dig @NSB.TRIVALENT.NET. 120.158.120.216.in-addr.arpa. ptr

      ; <<>> DiG 8.3 <<>> @NSB.TRIVALENT.NET. 120.158.120.216.in-addr.arpa. ptr
      ; (1 server found)
      ;; res options: init recurs defnam dnsrch
      ;; got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6
      ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
      ;; QUERY SECTION:
      ;; 120.158.120.216.in-addr.arpa, type = PTR, class = IN

      ;; Total query time: 288 msec
      ;; FROM: pollux.ipal.net to SERVER: NSB.TRIVALENT.NET. 216.120.131.35
      ;; WHEN: Thu Mar 21 15:56:15 2002
      ;; MSG SIZE sent: 46 rcvd: 46

      phil@pollux:/home/phil 35>

      --
      now we need to go OSS in diesel cars
  22. I can't say that I blame him by enrayged · · Score: 0

    As absurd as this sounds, the way the legal system seems to be working is if he did go to court he would probably end up going to prison, and probably serve a longer sentence than murderers and sex offenders, and I am not even going to go into the legal fees that would be involved... if it is not already too late...

  23. The open relay testers send me unsolicited e-mail by Ian+Lance+Taylor · · Score: 2, Interesting

    When one of the open relay testers decides to test my systems (which have never been open relays), I get at least a dozen unsolicited e-mail systems double-bounced to me. Isn't it strange that a system created out of fury at unsolicited e-mail generates a fair amount of it? The double bounce messages never tell me specifically why they have decided to test my system, and they never tell me how to prevent them in the future. Shouldn't people on a moral crusade be careful about hypocrisy?

  24. I think we've jumped a step here by tomsparrow · · Score: 1

    It doesn't say anywhere that it's Lotus/IBM suing them, just that they are being sued relating to the Domino issue. I would guess it's someone who was the victim of one of these DoS 'attacks' that is doing the suing.

  25. IBM for rfc-ignorant.org by Rik+van+Riel · · Score: 1
    In related news: I've just submitted IBM, the makers of the (falling-over-like-)Domino email server, to rfc-ignorant.org because they don't seem to accept email (hence, no email to abuse@ and postmaster@):

    $ host -t mx ibm.com
    ibm.com mail is handled by 0 ns.watson.ibm.com.
    $ host -t any ns.watson.ibm.com
    ns.watson.ibm.com has address 198.81.209.2
    $ telnet 198.81.209.2 smtp
    Trying 198.81.209.2...
    telnet: connect to address 198.81.209.2: Connection refused

    1. Re:IBM for rfc-ignorant.org by Anonymous Coward · · Score: 1, Informative

      Try abuse@watson.ibm.com. Seems to go to 198.81.209.6 and 198.81.209.18 which work fine.

    2. Re:IBM for rfc-ignorant.org by Anonymous Coward · · Score: 0

      Perchance they performed a reverse DNS on your IP, determined that you are NOT a DNS's mail server and thus refused the connection?

      One should be careful judging technical issues without all the facts.

    3. Re:IBM for rfc-ignorant.org by Rik+van+Riel · · Score: 2
      RFC 2142 requires every domain (with email) to have the abuse@domain.tld and postmaster@domain.tld addresses. IBM.com is a domain, so it is supposed to follow the rules in RFC 2142.

      If they don't follow the RFC that's fine with me. However, I believe listing them at rfc-ignorant.org is a good thing so people who have chosen not to exchange email with domains who do not play by the rules have a chance to block IBM's mail automatically.

    4. Re:IBM for rfc-ignorant.org by Anonymous Coward · · Score: 0

      Um... Their mailserver is not accepting connections. That is NOT the same as not having postmaster or abuse. IBM did not shut ORBZ down and you harassing them like this is not helping, at all.

  26. Good. RIP. by _narf_ · · Score: 0, Flamebait


    It was never very good for anything but bouncing
    legit emails and causing unneeded headaches anyhow.

    Automated blacklists are just simply a bad idea. Period.

    They were never any better than the spammers
    themselves IMHO, employing the same kind of tactics
    to try and cram an email through your server, and then
    making your life miserable after succeeding.

    Something like RBL is much better as there is actually
    some human thought involved before sinking that source's
    emails to /dev/null.

    --
    Have you painted a shed today?
    1. Re:Good. RIP. by Carlos+Laviola · · Score: 2

      Fortunately, they still exist, and the rest of us that hate spam will keep using it. If you feel frustrated by it, the solution is as simple as fixing your mail server. Period.

    2. Re:Good. RIP. by _narf_ · · Score: 1


      Well, there's no convincing zealots that their way
      isn't the only way of dealing with a problem.

      And it's amazing how one can't honestly express their
      frustrations with a poorly-managed organization without
      being tagged as flamebait.

      My mail servers are just fine thank you very much, my
      issue is simply that there was never time allowed to repair
      before being listed. That's like being charged with a crime,
      and being forced to serve your time before your trial,
      regardless of whether you were found guilty or not.

      Not only that, but the act of scanning someone's servers
      without their expressed permission to do so is no less
      a theft of service than spam is. Not only that, but to me,
      what they are doing is no less invasive than portscanning
      the networks, which is a seriously grey legal area.

      Don't get me wrong.... I hate spam as much as the next
      guy.... but there's intelligent ways to deal with it, and there's
      asinine ways of dealing with it. I just happen to feel that
      ORBZ fell into the latter category.

      'scuse me!

      --
      Have you painted a shed today?
    3. Re:Good. RIP. by matuscak · · Score: 1

      As a user of DNS BLs, I want a reported, verified open relay to be listed *instantly*, the sooner the better, with no time to spew more garbage into my network. A few years back, when spam was just getting started, I came in on a Monday morning, after being sick the entire weekend, to find some idiot relaying spam through my server. I spent a long day fixing it, because it was my responsibility to do so. No excuses then, even less now.

    4. Re:Good. RIP. by Carlos+Laviola · · Score: 1

      You're using an analogy that is inaccurate; while in crime you need to be judged to see what you deserve for a penalty (or not), in spam, there's just it: spam. If your server is open, there could be a massive ongoing spamming occurring right now (think "open relay server" with "vast amounts of bandwidth" and "motivated spammer"), which would, comparing with a real-life 'crime scenario', be considered a crime like hijacking -- if/when you arrest the criminal, you're gonna put him in jail until the trial.

  27. Huh? Jail time for fighting spam? by PhotoGuy · · Score: 2

    Let me get this straight. An organization whose sole purpose is fighting spam, is being shut down and afraid of facing jail time due to a bug in Lotus notes?

    Can we find out who the suing party is, so folks can let this company and their state representatives know what they think of this?

    Also, could not Lotus notes servers be identified (I would imagine they spit out an ID string like other SMTP servers) and this bug either worked around, or the Lotus servers ignored? It seems that would be more constructive than shutting down.

    -me

    --
    Love many, trust a few, do harm to none.
  28. We need a RT-ORT-BL! by cperciva · · Score: 2

    We need a "Real time open relay tester black list", so that people can block the queries sent by open relay testers.

    I'm not being entirely facetious either; it seems that the volume of relay testing traffic has increased significantly over the past year.

    1. Re:We need a RT-ORT-BL! by dubl-u · · Score: 2

      The volume of relay testing traffic has increased significantly over the past year.

      That's because the big ones were shut down. They're still handy, so a zillion people have started them. If they are allowed to stay open, then everybody will converge on a good one and the unused ones will drop off the face of the earth. But if they keep getting shut down, expect a greater number of too-small-to-bother-with relay testers in the future.

  29. MAPS is still alive and well. by tweakt · · Score: 5, Informative

    Mail Abuse Prevention System

    Tracks open relays, dial up netblocks, etc. Works with sendmail, postfix, etc..
    Does require paid subscription, but free for personal/hobbyist usage.

    1. Re:MAPS is still alive and well. by Anonymous Coward · · Score: 1, Interesting

      You must also agree to indemnify MAPS against any and all claims, including claims brought by third parties. In other words, if someone sues MAPS because you used MAPS' service, you agree to pay MAPS' legal costs to defend themselves.

      Our attorneys would not permit me to enter such an agreement. Absolutely NONE of our other vendors has ever included a clause like that in any contract.

    2. Re:MAPS is still alive and well. by Erik+Fish · · Score: 2, Informative

      MAPS is also emasculated ever since the lawsuits.

      SPEWS is where it's at now.

    3. Re:MAPS is still alive and well. by Anonymous Coward · · Score: 0

      FUCK SPEWS. Spews is a piece of trash, and you should NOT support that kind of antispam trash.

      1. SPEWS has no contact information, you are forced to contact a newsgroup and jump through every hoop the people there feel like asking you to jump through.

      2. SPEWS blocks huge friggin areas of the internet with no care for collateral damage.

      3. SPEWS doesn't even clearly inform people of WHY they happen to be on the spews block list.

      I'm sorry, I'm as against spam as anyone else, but SPEWS is not the way to solve the problem. It is the most aggravating and mismanaged system I've seen in a while. I suggest something along the lines of http://junkfilter.zer0.org/

      Please do not support spews.

    4. Re:MAPS is still alive and well. by Anonymous Coward · · Score: 0

      > FUCK SPEWS. Spews is a piece of trash

      No, fuck YOU. You're a booger head.

      > SPEWS has no contact information

      Why should they? So that spammers can contact them pretending to be innocent and/or claiming that they "are working on cleaning things up"?

      > contact a newsgroup and jump through every hoop

      Oh, I see. So the bad people on the newsgroup pointed out that you'd been ignoring spam complaints for months and told you to do something about it? How terrible!

      This has been more or less the story in every SPEWS thread I've read in nanae.

      > no care for collateral damage

      Wrong. SPEWS is quite careful about avoiding true collateral damage. The only time you have to worry about SPEWS blocking you is if you're a spammer or you're getting connectivity from an ISP that harbors spammers. What's that, you didn't know your ISP was a spamhaus? The clue phone is ringing and it's for you!

      > doesn't even clearly inform people of WHY

      SPEWS is quite clear about the fact that its criteria for listing are its own. In all the cases I've seen the reason for being listed should be obvious to the person utilizing the IP space in question. It seems that a SPEWS listing requires abuse reports be ignored for some time before it occurs.

      > the most aggravating and mismanaged system

      The time for "education" has passed. MAPS treated spammers with kid gloves and gave them every benefit of the doubt. In return they were sued into uselessness.

      Well the kid gloves are off, homie don't play that, etc. I have been using SPEWS at the 6000 user ISP I work at for the past three or four months and have had no complaints.

    5. Re:MAPS is still alive and well. by Anonymous Coward · · Score: 0

      Get lost spambag.

      SPEWS works, proven where I sit. Used it for three months, users love the reduction in spam - zero "collateral damage" complaints. Could there be one day? Sure, the SPEWS site says there may be, but we ain't seen it yet.

      SPEWS works, proven where spammers sit. They are bitching and moaning on a daily basis... same old tired "frea speach" crap they've been spouting since the mid 90's, all the while turning my mailbox into a wasteland.

      People who use SPEWS and the other filter systems are smart - they don't want to waste the time deleting email from the likes of YOU!

      Did I already say get lost? Yep.

  30. Where do you draw the line ?? by Srin+Tuar · · Score: 3, Insightful


    Anybody can access a publicly available SMTP service and produce whatever type of SMTP headers they want. It is a publicly available service.


    However, your typical hacker does a similar thing, he sends bytes to a publicly available service.


    If you decide that any uninvited data being sent to your server is a crime, then sending an email to someone you don't know is a crime. If you think it's not a crime, then what script kidz do is a public service.


    I personally hold to the latter, even though I abhor spam and hate malicious crackers. I think that by holding the server owner who's providing publicly available services accountable for his own security, that we would get more secure software out of it, and less coverups. (lawyers trying to do work that can only be done by programmers) SMTP servers should be able to handle munged headers!


    I can imagine the PHB thinking now "Well since I can't sue the kiddie who's sending those bad SMTP headers, I guess I'm going to have to actually fix the bug in my mail server, oh the humanity!"


    Of course fraud etc should still be a crime- but why should accessing publicly provided data services be one?

    1. Re:Where do you draw the line ?? by Russ+Nelson · · Score: 2

      You agree that fraud is a crime. Fine. Ian sent fraudulently addressed email. He admits to this and says that it is required because that is what spammers do. You say it's a crime, and Ian admits to doing it. Seems like an open and shut case to me.
      -russ

      --
      Don't piss off The Angry Economist
    2. Re:Where do you draw the line ?? by crucini · · Score: 2

      I think that as more people come to understand how computers and networks work, we will eventually accept that anyone has the right to send any kind of data anywhere, except for DOS attacks. The computer receiving a packet makes the sole, total, and unappealable decision about what to do with that packet. Any actions taken on the basis of the packet are not the fault of the sender.

      Our current road is headed for more and more complexity, legislation and litigation as we try to legally define what kinds of data can be sent. And all the metaphors comparing computers to buildings ("breaking in to") are muddying the waters. You cannot break into a computer unless you have physical access to it. You can communicate with the computer. The computer's responses to your messages are determined by the programs and configuration supplied by the owner, and therefore reflect the will of the owner.

  31. mailman metaphor? by cemcnulty · · Score: 1

    Can a mailman, or the U.S. Postal Service be held liable if I design my mailbox in such a way that stuffing an improperly designed envelope in the mailbox causes my house to burn down? Can the person who designed the envelope be held responsible? What if the envelope contained free samples of gun powder?

    It seems to me that the people responsible would be the mailbox designer and the idiot who purchased a mailbox that could potentially burn your house down (even if highly flammable objects are placed in it).

    The question for the judge in the case if such a metaphor were used is did the envelope more closely resemble an improperly folded envelope, a free sample of gunpowder or a live grenade.

    -Chuck

    1. Re:mailman metaphor? by Anonymous Coward · · Score: 0

      U.S. Postal Service mailboxes cannot be designed by amateurs. They need to be of a design certified and approved by the Postal Service.

      Only then is a mailbox manufacturer allowed to sell his mailboxes for USPS mail delivery.

  32. Re:Huh? Jail time for fighting spam? by PhotoGuy · · Score: 2

    One more point: if he's being sued for something done in the past, whether or not he shuts down Orbz is irrelevant, liability-wise. If he has been given a cease-and-desist (or else face prosecution), would not simply skipping Lotus servers meet that requirement, and prevent any future liability?

    Surely he can't be held liable by whoever is suing him, for scanning the 99.9% of non-Lotus SMTP servers out there.

    -me

    --
    Love many, trust a few, do harm to none.
  33. I'd be curious to know by FreeUser · · Score: 4, Interesting

    Why IBM decided to pursue criminal prosecution rather than releasing a simple bugfix is beyond me.

    If it is IBM, they deserve to be bitchslapped. Hard.

    However, I'd be very curious to know who is actually doing the suing and issuing the legal threats.

    I suspect they are incompetent admins, trying to cover their own incompetency by pointing an accusing finger at the innocent, in this case ORBZ.

    Incompetents banding together has to be one of the more sinister forces in our society: far more common than intelligent and nefarious conspiracies (which probably can be counted on one hand, if that), far more wide reaching, and far more destructive.

    OTOH, for the more paranoid: what are the odds that some SPAMMERs themselves have set up Domino servers with the explicit knowledge of this bug, in order to have legal grounds to threaten and sue one of their most effective opponents out of existence? Actually, I was writing the previous sentence as a joke, but as I type it I don't find the scenario nearly as unlikely as I first thought.

    --
    The Future of Human Evolution: Autonomy
    1. Re:I'd be curious to know by ftobin · · Score: 2

      However, I'd be very curious to know who is actually doing the suing and issuing the legal threats.

      Ian Gulliver talked about facing criminal charges. Criminal charges have nothing to do with suits (those are civil matters), and are brought by the state, not individual citizens.

    2. Re:I'd be curious to know by FreeUser · · Score: 2

      Criminal charges have nothing to do with suits

      True, which is why I said "suing and issuing the legal threats." Criminal charges are only filed if there is a complaint ... so who is doing the complaining?

      Incompetent admins? (Most likely)
      IBM? (only if they are profoundly stupid)
      SPAMMERs deliberately setting ORBZ up? (possible)

      --
      The Future of Human Evolution: Autonomy
    3. Re:I'd be curious to know by Anonymous Coward · · Score: 0

      You're still wrong. The only person issuing the legal threat is the government entity prosecuting the case. If you'd said "making complaints to law enforcement" you'd have a position to fall back on. I'm fairly certain though that your (unjustified) egotism will prevent you from admitting you phrased things badly.

    4. Re:I'd be curious to know by clone304 · · Score: 1

      So do you have an answer for him, now that you know what he was wondering? Hmm, guess not. Sit down and shut up.

      .

  34. Just found out about ORBZ last week... by Nos. · · Score: 2

    ... when they tested my mail server for open relay (which it had been, but was fixed). I was setting up qmail for the first time, and in cleaning up removed a file I shouldn't have (namely rcpthosts). In any case, for those of you who don't know, remove this file, and you're an open relay. I was, and sure enough, a spammer found it and started using it. I caught it when a bunch of bad email addresses bounced to my account (that and my maillog grew by about 2000%). I figured out the problem in about an hour, and closed it up. I also reported the spammer to their ISP (pacbell.net) and cleaned out the queue (over 2000 spams ready to be sent). In any case, someone must have reported me, even though I put up apology pages and comment suggestions. In case whoever reported me is reading this, I bear you no ill-will, I was an open relay and deserved to be reported. In any case, their test showed I wasn't open, so I never got added to their list.

  35. Alternate block list by Anonymous Coward · · Score: 0

    Check out www.spews.org for a list. Personally I use the one published via osirusoft.com; works nicely for me.

    [not karma whoring since I'm AC. w00t!]

  36. Not such a great loss as made out by Zocalo · · Score: 5, Interesting
    I actually stopped using ORBZ some time ago because of the way their database worked in conjunction with the vast amounts of spam coming from DSL lines. Basically if an IP was verified clean then it could not be resubmitted within 30 days, fair enough I guess, but this really fell apart with spam originating from what appeared to be dynamically allocated pools of DSL users. Obviously the same servers were changing IPs, and being reused by the same spammers, but ORBZ's submission engine couldn't deal with this in my numerous attempts to submit active spammers.

    I emailed ORBZ over the issue, citing three identical spams all of which were from the same physical server (from a typo in the headers) yet from different IPs, all of which were marked as "Verified clean within the last 30 days". ORBZ' response to this was basically "use multiple RBL servers", which I already was. I stopped using them at all the same day and switched to an alternate RBL server that I could submit spam to for automatic inclusion once verified. Since then I've also set up my own local RBL server, which makes things much easier when you have multiple SMTP servers to administer...

    --
    UNIX? They're not even circumcised! Savages!
    1. Re:Not such a great loss as made out by La+Buge · · Score: 1

      Basically if an IP was verified clean then it could not be resubmitted within 30 days, fair enough I guess, but this really fell apart with spam originating from what appeared to be dynamically allocated pools of DSL users.

      The workaround was to block the entire pool of IPs then. Including "good" servers running in this pool of DSL lines. It looks like a decision only you can make.
      I mean the OR in ORBZ means Open-Relay and not "likely to be open" or "not-open but run by someone with a funny name".
      It's good that you found (well built) a better service for your needs but it will not suit everyone.

      And there must be, somewhere in this small world, someone who is allowing mail from a server he knows to be open because he has some important traffic coming from it.

    2. Re:Not such a great loss as made out by Skapare · · Score: 2

      The only way to deal with the DADS "Dynamically Addressed Direct Spam" is to block their whole pools one way or another. I prefer to block by domain name if they have set up the pools in separate DNS zones (smarter ISPs know to do this). If I get 2 DADS from the same domain that doesn't have a separate DNS zone, I just block the whole ISP and send them a nasty e-mail about it telling them how to fix it (most are so incompetent they don't understand).

      BTW, I also block based on the lack of reverse DNS that is correctly forward DNS verified. That does cut out a huge amount of spam. I also block China, Hong Kong, Korea, and Taiwan by IP address, and that also cuts out a huge amount of spam.

      --
      now we need to go OSS in diesel cars
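
The reverse-DNS test mentioned in the comment above (and in the earlier dig transcript that ends in NXDOMAIN), as an added example that is not part of the original posts: a connecting address passes only if one of its PTR names resolves forward to that same address. The verdict labels, the `accept` policy helper and the record tables are constructed for the illustration; `system_ptr` and `system_forward` are the live path.

```python
import socket
from ipaddress import ip_address


def system_ptr(ip):
    """PTR names for an address, or [] when the reverse zone has no record."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:
        return []


def system_forward(name):
    """Addresses a name resolves to, or an empty set on failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()


def same_address(text, addr):
    """Compare parsed addresses rather than strings; unparsable text never matches."""
    try:
        return ip_address(text) == addr
    except ValueError:
        return False


def fcrdns(ip, ptr=system_ptr, forward=system_forward):
    """Return (verdict, name) where verdict is one of
    'no-ptr'            no reverse record at all,
    'forward-mismatch'  a PTR exists but none of its names points back to ip,
    'verified'          some PTR name resolves forward to ip."""
    addr = ip_address(ip)
    names = [n.rstrip(".").lower() for n in ptr(str(addr))]
    if not names:
        return ("no-ptr", None)
    for name in names:
        if any(same_address(a, addr) for a in forward(name)):
            return ("verified", name)
    return ("forward-mismatch", names[0])


def accept(ip, ptr=system_ptr, forward=system_forward):
    """Policy from the comment: take mail only from forward-verified hosts."""
    return fcrdns(ip, ptr, forward)[0] == "verified"


# Constructed records (documentation address ranges, .example-style names).
CONSTRUCTED_PTR = {
    "192.0.2.25": ["MAIL.Example.NET."],          # case and trailing dot vary in practice
    "203.0.113.9": ["mail.example.org"],          # PTR claims a name the owner does not control
    "203.0.113.40": ["dsl-40.pool.example.com", "mx.example.com"],
}
CONSTRUCTED_A = {
    "mail.example.net": {"192.0.2.25"},
    "mail.example.org": {"203.0.113.200"},        # forward record points elsewhere
    "mx.example.com": {"203.0.113.40"},
}


def constructed_ptr(ip):
    return CONSTRUCTED_PTR.get(ip, [])


def constructed_forward(name):
    return CONSTRUCTED_A.get(name, set())


def check_constructed(ip):
    return fcrdns(ip, constructed_ptr, constructed_forward)


if __name__ == "__main__":
    for sample in ("192.0.2.25", "198.51.100.7", "203.0.113.9", "203.0.113.40"):
        print(sample, check_constructed(sample))
```
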
    3. Re:Not such a great loss as made out by mpe · · Score: 2

      Basically if an IP was verified clean then it could not be resubmitted within 30 days, fair enough I guess, but this really fell apart with spam originating from what appeared to be dynamically allocated pools of DSL users.

      The real source of the problem here is the ISP doing something stupid. Since this kind of IP assignment makes little sense with semi-permanent virtual circuit connections.
      There isn't a good solution any third party can apply here.

  37. Re:Huh? Jail time for fighting spam? by PhotoGuy · · Score: 2
    Let me get this straight. An organization whose sole purpose is fighting spam, is being shut down and afraid of facing jail time due to a bug in Lotus notes?

    Hmmm, this just doesn't make any sense, so maybe it would best be defended with the Chewbacca Defense.

    (Sigh, maybe some day I'll get all my comments in one post. I feel like George Costanza, coming up with the witty comeback long after the fact. "The jerk store just called, and they're all out of you!")

    -me
    --
    Love many, trust a few, do harm to none.
  38. Glad to hear it. by PrimalChrome · · Score: 1
    Good riddance to ORBZ bullshit draconian methods.


    It's the spammers that should be targeted with HEAVY fines and penalties....not innocent users or admins of closed SMTP servers that are lumped into the guilty category through association (ie on the same damned subnet as a dumbass with an open relay).


    Check out some of the anti-spam and anti-telemarketing laws being passed in CA and TX.

    1. Re:Glad to hear it. by Carlos+Laviola · · Score: 1

      You're only blocked if the SMTP server you use is listed as an open relay, not if your IP is in the same range of one of them.

    2. Re:Glad to hear it. by Anonymous Coward · · Score: 0

      Not completely true. The guy who ran ORBZ is an asshole. I've had friends who were new to computers and internet manners, and had open relays being run. After being blacklisted they did more research, realized why having an open relay is a BAD idea, and enhanced their systems to use SSL or some other form of authentication. Now they are no longer an open relay. Ian REFUSED to take them off the blacklist. In fact, if Ian ever gets mad at you for any reason, you're liable to find yourself on the blacklist. And the problem with that is if you screw up once, you're blocked for life! And many major sites used the info from orbz.

    3. Re:Glad to hear it. by PrimalChrome · · Score: 1

      Incorrect sir. I have a client that was blocked by ORBZ... Initiated tests on their SMTP server from ORBZ site showed it as being clear. I petitioned and was told that there was a guilty server on the same subnet so the entire subnet had been listed. They suggested that I contact the guilty party....since it was their fault. Logical? I think not.

    4. Re:Glad to hear it. by Carlos+Laviola · · Score: 1

      I've never seen this happen, so I must assume that you're incorrect.

    5. Re:Glad to hear it. by wizkid · · Score: 1


      I'm not.
      I agree that spammers should have bigger fines and penalties.

      Unfortunately, with most of the open relays being
      from outside the US/Europe, and the multi-national origins of email, increased penalties will only have a limited effect.

      The ORB/ORBZ/ORBD administrators do need to lighten up a little on open relays, and put forth a more professional image. They have been hard on open relay administrators in the past, and have a reputation to repair.

      --
      I take no responsibility for what I say. Even though I'm never wrong :)
    6. Re:Glad to hear it. by derF024 · · Score: 1

      Ian REFUSED to take them off the blacklist. In fact, if Ian ever gets mad at you for any reason, you're liable to find yourself on the blacklist. And the problem with that is if you screw up once, you're blocked for life! And many major sites used the info from orbz.

      what region of your ass did you pull that gem out of?

      orbz never added or removed any host manually, but the tools were present on the web page to have the system automatically re-test and remove a host that was listed. no matter how much you insulted ian, he would never add you manually to the black hole list. it wasn't even possible.

    7. Re:Glad to hear it. by dieman · · Score: 1

      Are you sure you didn't get blocked by SpamHaus?

      --
      -- dieman - Scott Dier
    8. Re:Glad to hear it. by Anonymous Coward · · Score: 0

      are you the claviola@ajato.com.br who I used to send spam to?

      I've noticed you contributing quite a bit to this discussion.

      In case anybody is into clicking, it's claviola@ajato.com.br .

      Or is the .br some obfuscation thing?

      claviola@ajato.com

      Better safe than sorry.

    9. Re:Glad to hear it. by schon · · Score: 1

      I have a client that was blocked by ORBZ... Initiated tests on their SMTP server from ORBZ site showed it as being clear.

      I think you're wrong - if ORBZ showed it as being clear, then it's clear - the tools did a live query to the DNS, so if your site was blacklisted (regardless of HOW it was blacklisted), it would have shown up when you checked the site.

      I petitioned and was told that there was a guilty server on the same subnet

      Perhaps you contacted the wrong people, or it wasn't ORBZ? (Maybe it was a different blacklist?)

      There is a complete list of the ORBZ list at http://216.111.143.11/inputs. You'll note that there are no wildcards in this list.

    10. Re:Glad to hear it. by Carlos+Laviola · · Score: 1

      Feel free.

      The obfuscation is automatically done by slashdot, by the way, you loser. If you create an account -- oops, I think you have one and just posted anonymously because you're a coward -- and look at the user options, you'll see you can have slashdot obfuscate your e-mail automatically. Anyway, you're pathetic.

  39. The message by wdr1 · · Score: 0, Redundant

    ... before it gets slashdot'ed ...

    Date: Wed, 20 Mar 2002 03:15:49 +0000
    From: ORBZ
    To: list@orbz.org
    Subject: [ORBZ] Shutdown

    Here's the email that those of you with forward sight
    have been fearing since the inception of ORBZ.

    As of this moment, ORBZ is shutting down. DNS zones
    are going to stop resolving, the website will disappear
    and mail will stop working (so further discussion on
    this list probably won't work -- use NANAE).

    I don't want to disappear in silence like ORBS, so I'll
    try for as much description as possible without
    compromising my own position.

    I received an official court notice this afternoon to
    turn over all information relating to ORBZ accounts.
    This came from the 10th Judicial District court of the
    State of Michigan. It appears that ORBZ may be facing
    criminal charges for denial of service relating to the
    Lotus Domino issue.

    I was happy to try to weather any civil issues that may
    have come up, and I was committed to seeing it through.
    However, the threat of jail time is too much; I don't
    believe in this fight quite that much.

    Thank you all for all your support. I sincerely hope
    that someone with the goal of carrying on the mission
    of ORBZ pops up in another country with a less
    foreboding legal system. Anyone who has copies of the
    current zones may do with them what they wish.

    For those of you stuck without good spam filtering,
    please consider ORDB and SpamCop; they both provide
    excellent free solutions.

    Ian Gulliver
    ORBZ

    --
    SlashSig Karma: Excellent (mostly affected by moderatio
  40. HAPPY HAPPY JOY JOY! by matth · · Score: 0, Troll

    I for one am happy that ORBZ is gone. I run a mail server on a dial-up modem and have more than once gotten a reply back that ORBZ IS BLOCKING SPAM FROM AN OPEN RELAY IP.. guess what? I'm not running an open relay but I guess someone else was. Well I'm sick of it. I'm glad Ian is gone with his Orbz stuff. As far as blocking.. that's up to the end user.. not some little guy who wants to start a list.

    1. Re:HAPPY HAPPY JOY JOY! by Anonymous Coward · · Score: 0

      yeah, woohoo!!@!# you get to run your rinky dinky mail server and mailing list while the thousands of users i provide mail for have to get even more spam which wastes time & money

    2. Re:HAPPY HAPPY JOY JOY! by Anonymous Coward · · Score: 0

      You have no reason to set up and maintain your own mailserver on dial-up. Use your ISP's smtp server idiot

    3. Re:HAPPY HAPPY JOY JOY! by mmkhd · · Score: 1

      Fool!

      Why don't you use the smtp relay of your ISP? (Your ISP offers one I hope? And don't tell me the additional hop annoys you too much..)

      What else can admins do but block these dynamically allocated IP address pools?

      Marcus

    4. Re:HAPPY HAPPY JOY JOY! by matth · · Score: 2

      Actually the additional hop does annoy me. I should be able to run my own mail server. It's nobody's business but mine who gets spam. I don't send it out, so that's not what I'm doing. But as far as a central organization who doesn't have any business blocking it that's out of line. In my opinion if AOL or whoever wants to run ORBZ blocking that's their problem and their loss. They own their machines and can block whoever they want, however I think it's bad business practice.

    5. Re:HAPPY HAPPY JOY JOY! by matth · · Score: 1

      Uhh.. how about a cable modem ? And running a mail / web server off a commercial grade cable modem? There ARE reasons.. Or perhaps I like to be in control of my outgoing mail and don't want it going through my ISP? (again no I'm not doing anything illegal or spamming)..

    6. Re:HAPPY HAPPY JOY JOY! by Anonymous Coward · · Score: 0

      As far as blocking.. that's up to the end user.. not some little guy who wants to start a list.

      And exactly WHO decided to implement ORBZ blocking on their mailservers, dumbfuck? What, did you think that ORBZ went around forcibly installing their blocklist on other people's mailservers?

    7. Re:HAPPY HAPPY JOY JOY! by matth · · Score: 1

      Uhhh no.... but I lose a lot of respect for (I assume) sysadmins like you, who act like this. As well as for ISPs that install all of this spam blocking junk.

    8. Re:HAPPY HAPPY JOY JOY! by Anonymous Coward · · Score: 0

      You have no reason to set up your Linux computer to connect to your ISP. Use an OS that your ISP lists as supported.

  41. Re:Not so stupid question by Webmoth · · Score: 4, Informative

    why can't ORBZ use a different envelope that doesn't bounce to 127.0.0.1?

    Mail servers need to be configured to relay mail from the localhost (themselves). Otherwise, things just don't work. What using the 127.0.0.1 does is attempt to fool the mail server into thinking that the mail is coming from itself. Also, it makes sysadmins aware that there's a config problem in their mail servers. :-)

    If a server can't relay, it should REJECT the mail ("error: no relay thru here") but Lotus seems to be bouncing it.

    A properly configured mail server will be able to look at the mail and say to itself, "I've seen this before, let's trash it."

    A mail server should NEVER crash due to malformed messages. The strongest lock is no good if the door is weak.

    --
    Give me my freedom, and I'll take care of my own security, thank you.
  42. Other side of the argument by p4k · · Score: 2, Interesting
    I know this isn't going to be a very popular argument, but here goes anyway...

    Surely if they knew the envelopes they were sending out would crash some servers, then that was at best highly irresponsible behaviour. Yes, in an ideal world all software would have no bugs and all sysadmins would be omnipotent, but I don't see that happening any time soon :-). I don't believe that ORBZ has the right to go around DOSing servers that they consider to be inadequately set up - effectively electing themselves judge, jury *and* executioners.

    If ORBZ behaved a bit less arrogantly I suspect they would make fewer enemies.

    1. Re:Other side of the argument by Anonymous Coward · · Score: 0

      While what they were doing might be a good thing (might), their ability to tell you so with self-possessed Godlike authority took away any positive feelings I might have developed for them.

      Theirs was the true faith, so they thought, all others be damned.

      I think their refusal to fix the Lotus thing made them equally as poor an entity as any spammer.

    2. Re:Other side of the argument by WoodstockJeff · · Score: 1

      The problem is that one of the tests used by ORBZ is also one popular spammer technique for fooling a server into thinking mail is originated locally. I often get policy violation messages generated because a spammer used an address in the form "root@[192.168.1.1]" (IP changed to protect the innocent B-), which gets through some servers, but not a well-configured, secure one. Some versions and configurations of Lotus Notes are vulnerable to that address being [127.0.0.1], and that is a popular test address for a spammer. It is likely that others have shut down the problem system before... since ORBZ wouldn't have been testing it if it hadn't been used to send spam. SOMEONE ran spam relay tests before ORBZ did!
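The two comments above (Webmoth on rejecting instead of bouncing and on recognising looped mail, WoodstockJeff on `root@[127.0.0.1]`-style addresses) describe a receiving-side policy. The sketch below is an added example, not part of any comment in this thread and not code from ORBZ or Lotus: it decides at RCPT time from the TCP peer address only, refuses loopback and private address literals, and counts Received headers to stop a loop. All domains, networks and function names are hypothetical.

```python
import ipaddress
from email import message_from_string

# Hypothetical configuration for this example (not taken from the page).
LOCAL_DOMAINS = {"example.org"}
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                ipaddress.ip_network("192.0.2.0/24")]
OWN_LITERALS = {ipaddress.ip_address("198.51.100.25")}  # server's public address
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_RECEIVED = 100  # hop limit used for loop detection


def split_address(addr):
    """Return (local_part, domain, literal_ip_or_None) for an envelope address."""
    addr = addr.strip().strip("<>")
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not a mailbox: %r" % addr)
    literal = None
    if domain.startswith("[") and domain.endswith("]"):
        inner = domain[1:-1]
        if inner.lower().startswith("ipv6:"):
            inner = inner[5:]
        literal = ipaddress.ip_address(inner)  # ValueError if malformed
    return local, domain.lower(), literal


def peer_is_trusted(peer_ip):
    """Trust is decided from the connecting socket address only."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in TRUSTED_NETS)


def literal_is_internal(ip):
    """Loopback, link-local, unspecified or RFC 1918 address."""
    return (ip.is_loopback or ip.is_link_local or ip.is_unspecified
            or any(ip in net for net in RFC1918))


def check_rcpt(peer_ip, mail_from, rcpt_to):
    """Return (code, text) for one RCPT TO, before any message is accepted."""
    # The envelope sender is checked for syntax only. A sender such as
    # <root@[127.0.0.1]> is a claim made by the client and grants nothing.
    if mail_from.strip() != "<>":
        try:
            split_address(mail_from)
        except ValueError:
            return 501, "syntax error in sender address"
    try:
        _, domain, literal = split_address(rcpt_to)
    except ValueError:
        return 501, "syntax error in recipient address"

    if literal is not None:
        if literal in OWN_LITERALS:
            return 250, "ok (local delivery)"
        if literal_is_internal(literal):
            # Refuse now; accepting and bouncing later is what feeds a loop.
            return 550, "address literal not accepted"
    elif domain in LOCAL_DOMAINS:
        return 250, "ok (local delivery)"

    if peer_is_trusted(peer_ip):
        return 250, "ok (relay for trusted client)"
    return 550, "relaying denied"


def check_hops(raw_headers, limit=MAX_RECEIVED):
    """Reject a message that has already passed through too many servers."""
    msg = message_from_string(raw_headers)
    hops = len(msg.get_all("Received", []))
    if hops >= limit:
        return 554, "too many hops (%d), mail loop suspected" % hops
    return 250, "ok"


# Constructed sample headers: the same two hosts handing a message back and forth.
SAMPLE_HEADERS = (
    "Received: from a.test by b.test; Wed, 20 Mar 2002 03:00:00 +0000\n"
    "Received: from b.test by a.test; Wed, 20 Mar 2002 03:00:01 +0000\n"
    "Received: from a.test by b.test; Wed, 20 Mar 2002 03:00:02 +0000\n"
    "Subject: constructed sample\n\n"
)

if __name__ == "__main__":
    print(check_rcpt("203.0.113.7", "<root@[127.0.0.1]>", "<user@elsewhere.test>"))
    print(check_rcpt("203.0.113.7", "<>", "<root@[127.0.0.1]>"))
    print(check_hops(SAMPLE_HEADERS, limit=3))
```
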

  43. ORBZ Was broken anyways by bifrost · · Score: 1

    Their lame ass servers were always f'ing up. I ended up taking that crap out of my mailer config a few months ago because I was tired of lookups failing and slowing everything down.
    I switched to ORDB and that seems to work fine.
    I still get buttloads of spam from other places, but I do see a lot of blocked mail.

  44. Blackhole lists doomed to fail... by pongo000 · · Score: 2

    ...as long as individuals and other non-corporate entities run them. Why? Because we've seen how painfully easy it is for corporate or well-heeled individuals to apply pressure (usually monetary) against these individuals.

    The solution is to make this process as anonymous as possible, yet maintain some degree of integrity in the process. Here's an idea: Somebody must be willing to step forward and create a script which can be fully automated to check for open relays. Generate the script signature, sign with a private key, and distribute script, signed sig, and public key. Run the script anonymously -- use anonymous relays, bogus envelopes, whatever it takes. Publish the results on Freenet, signed with the same key used to sign the sig of the script used. Obviously, the model needs some work, but I think if a public key is established as "trusted," then the results that are published anonymously on Freenet can be "trusted" with the same degree of trust.

    Or something like that...

  45. No no no no NO! by CaptainSuperBoy · · Score: 3, Insightful
    if common sense prevailed, it would be the mail server vendor in court for producing insecure mail server software, not a third party for happening to send requests that unintentionally crash poorly-written servers

    You are so wrong! Think about what you are saying for a second. You are saying that software vendors should be held liable for producing faulty software. What does this apply to? Only Lotus, Microsoft, and the big guys? What about holding Alan Cox and Linus liable for bugs in the Linux kernel? I hope you don't want to hold security programmers liable for demos of exploits. Software is fundamentally different from a product that can be recalled and judged unsafe. The marginal cost of software is zero, and it is not a physical product - it's just information.

    Do you have any idea how it would cripple the software industry if they operated under the constant threat of product liability suits? What about old software? Really old versions of Sendmail were set to open relay by default. Certainly it's not the fault of the programmers that they didn't protect against spam, BEFORE SPAM EXISTED. Now think about a software industry where a pack of lawyers has to review every design document, every line of code in the name of 'product safety.'

    This is clearly a case where the free market already solves these problems, and your foolish solution would only serve to artificially disable an industry. If companies are upset with Domino, they will eventually switch to a better software package. If Lotus cared about their customers, they would have patched their software. I can't believe it when people like you say these things without thinking of the consequences.

    You did hit on one correct point - intent. It's unfortunate that ORBZ was in danger of being sued. They shouldn't be in danger, due to intent. They have no intent to DOS random Lotus Domino servers.. but it seems like they just can't risk it. If I intentionally exploited the Domino bug to crash servers, well that's another story. It's not Domino's problem, it's mine, and I should be carted to jail for that.

    1. Re:No no no no NO! by bruns · · Score: 1

      If you buy the software, then you should be able to hold the company responsible. You don't buy linux. It's free, it's out there in the open. No guarantees at all.

      --
      Brielle
    2. Re:No no no no NO! by anonymous+cupboard · · Score: 1

      This is an old one.

      Open Source software has the possibility of the user being able to check out the potential problems by a source code inspection. If a problem is found, it can be very rapidly corrected.

      If I tell you, trust me, my program is closed source then shouldn't I have done my "due diligence" before I release it and charge money for it?

      If we use your analogy of information being free of product liability, why are we saying an incorrect or missing warning notice elsewhere is actionable?

    3. Re:No no no no NO! by timjackson1 · · Score: 1

      OK, I was being slightly facetious, I was more trying to make the point that rather than ORBZ being threatened for sending packets (legitimately formed according to the RFCs? Probably) to a public server and DoSing it as a result, the people responsible for making a fragile server should be on the line. The right solution here is not for anyone to sue anyone but rather for vendors to respond quickly and effectively to security problems and admins to implement the fixes. However, there is significant debate going on at the moment about whether vendors *should* be responsible for security (or other) failings. Regardless of the result of this, authors of free programs (of any sort) should definitely be able to exempt themselves. (although in itself this opens up a can of worms...what about shareware/low cost software? etc.)

    4. Re:No no no no NO! by nochops · · Score: 1

      How can you say there's no intent?

      ORBZ sent messages with malformed headers to the domino servers, with the intent of relaying. The fact that they were going to use the server's response as evidence of an open relay is regardless. They also had knowledge of the bug in Domino, but did it anyway. How is this not intent?

      Let me ask you a question: Say a circus knife thrower accidentally puts his knife through the heart of his beautiful assistant and kills her? Did he intend to kill her? No. Did he know that if his knife missed its target, he *could* kill her? Yes. Should he be held liable for his actions, absolutely.

      ORBZ may not have intended to DOS the Domino servers, but they did intend to relay messages through them with the knowledge that doing so on an incorrectly configured server would cause a mail loop. The BugTraq post is evidence of this knowledge. They should be held liable, no question.

      --
      "A terrorist is someone who has a bomb but doesn't have an air force." -William Blum
    5. Re:No no no no NO! by Anonymous Coward · · Score: 0

      If I tell you, trust me, my program is closed source then shouldn't I have done my "due diligence" before I release it and charge money for it?

      Have you ever read a EULA?

    6. Re:No no no no NO! by CaptainSuperBoy · · Score: 2
      That's a perfectly valid reason to USE open source software. You have not described a valid reason to SUE a closed-source vendor. The fact that there's a free alternative doesn't mean that closed-source vendors must match the 'availability' of open source code.

      I guess you're right about pure information. Information that is intentionally or negligently wrong, such as a missing warning, should of course be prevented. That's more of a truth in advertising, or libel-type of concern.

    7. Re:No no no no NO! by rhavyn · · Score: 2

      They weren't sending malformed headers at all. They sent FROM, RCPT, and QUIT. If your mailserver manages to crash by being sent those headers (no matter what the parameters to those headers are) the problem is not with the email that crashed the server.

    8. Re:No no no no NO! by Anonymous Coward · · Score: 0

      That might be technically correct, if they were repeatedly crashing someone's mail server, then it's only sensible that the lawyers would get called in.

    9. Re:No no no no NO! by zangdesign · · Score: 2

      Ah, but then, once again, Open Sourcers want EVERYONE to use Open Source software, but not EVERYONE has the capability to check the software that they are running. Nor do they have the funds to pay a programmer to check the code for them.

      So it's a Catch-22. I agree that commercial software companies should be held liable for bugs in their software, but so should anyone who releases software to the public.

      Just because the programmer does something for free should not absolve the programmer from the responsibility of making sure it is done as well as possible with the information at hand. Otherwise, Open Source will become the ultimate excuse rather than a belief.

      --
      To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
    10. Re:No no no no NO! by Anonymous Coward · · Score: 0

      but... but... but... that would make Open Source impossible to distribute safely.

      Oh well.

    11. Re:No no no no NO! by Anonymous Coward · · Score: 0

      The consensus-based language and culture of the Internet yet again shows how it will all ultimately break down.

      The documents that 'govern' the legitimacy of email headers are called 'Request For Comment' documents.

      Consensus-based 'guideline-driven' hierarchies don't scale well to huge spaces like the entire world.

      Where the fuck in what court of law is a 'Request For Comment' going to be interpreted as a guideline that MUST be followed??

      The 'net is gonna balkanize. It's going to break up into various commercial empires (with TLD's like .aol .msn .elk and such) with gateways connecting them. It's inevitable.

      Deal with it.

    12. Re:No no no no NO! by anonymous+cupboard · · Score: 1

      With sendmail, I have a chance to verify that there are, to put it politely, some configuration issues with the older versions. Can I say that about a closed source equivalent?

      I must trust the developer with closed source and this isn't always wise.

    13. Re:No no no no NO! by mpe · · Score: 2

      You are so wrong! Think about what you are saying for a second. You are saying that software vendors should be held liable for producing faulty software. What does this apply to? Only Lotus, Microsoft, and the big guys? What about holding Alan Cox and Linus liable for bugs in the Linux kernel?

      There is the important distinction that with closed source software (including that which is "free") only the original producer can do anything about faults...

      Do you have any idea how it would cripple the software industry if they operated under the constant threat of product liability suits?

      So exactly what makes the "software industry" so different from any other industry. Do you hear Boeing saying "well it is just so difficult to make a flying machine which works perfectly"?

      What about old software? Really old versions of Sendmail were set to open relay by default.

      Being an open relay was never a requirement in the first place. Indeed there was never any requirement to support relaying in RFC821 in the first place. The original assumption was that TCP connections would be made on the basis of A records and RFC 974 introduced the context of MX records. Is this software more than 15 years old?

      Certainly it's not the fault of the programmers that they didn't protect against spam, BEFORE SPAM EXISTED.

      It wasn't the fault of De Havilland for putting square windows into a jet airliner, when they did it. But we know better now...

      This is clearly a case where the free market already solves these problems, and your foolish solution would only serve to artificially disable an industry.

      The only part of the software industry which can even operate as a "free market" is that using open source.
      The proprietary software market relies upon using artificial monopoly.

  46. Fallout by Anonymous Coward · · Score: 1, Interesting
    A bunch of thoughts...

    This incident again raises serious questions about the viability of so-called "dnsbl"s. (DNS Block/Black Lists) If a dnsbl receives a notification that a certain IP address has an open mail relay, they either have to test it to verify its condition or assume it's open based on a copy of apparently (?) relayed email. Does this possible action mean that dnsbls need to locate themselves in jurisdictions that are unlikely to prosecute minor (?) "computer crimes?" Do the operators of DNS servers for dnsbls need to isolate themselves from any apparent relationship to whomever might be doing such open-relay testing? Coupled with SLAPP-style threats from those ending-up on open-relay lists, it almost seems that those wishing to aid in the combating of spam by running dnsbls will have to adopt the behaviour of criminals (like the spammers themselves?) to avoid persecution.

    One wonders if the people who initiated this action (the criminal charges) considered the possible fallout resulting from doing so? Any skript kiddie with telnet can execute this 'sploit. The skript kiddiez may have known about this before, but they certainly know about it now. I'd hate to be running a Bloated Goats MTA exposed to the 'net right now. (Or ever, for that matter. But that's another issue.) It also seems to me this company has just painted a big red and white bullseye target on themselves. I mean, how would you like to be an Admin for that place? Not me. I think I'd be lookin' for other employment like right now. I also imagine that, right or wrong, there will be mail admins that will locally block-list these people till the end of time itself for "attacking" a dnsbl. It just doesn't seem to me that this was a very smart move on the part of the aggrieved party.

    Lastly, it seems to me that ORBZ could have avoided this problem entirely by finger-printing MTAs it was going to test and avoiding the more esoteric open-relay exploit tests when it was discovered the server under test was Bloated Goats malware. In fact: relayed spam on-hand would indicate a Bloated Goats MTA in the "Received:" headers. (Blotus seems unaccountably proud of their work.) In such a case, if the open-relay nomination was in order (relayed spam on-hand), just list the damn server and be done with it.

  47. Political correctness taken to the next level! by BierGuzzl · · Score: 3, Funny

    So now, regardless of the fact that I'm doing something completely benign, I have to also be careful about "offending" some poorly administered mail server? I won't even get into how stupid it is to set up a mail server with a local loop -- it's the principle of the matter that really pisses me off. Next I won't be allowed to surf the web with an adbuster because it confuses and even crashes some websites...eghads! What the hell is this world coming to?

    1. Re:Political correctness taken to the next level! by Anonymous Coward · · Score: 0

      -1, Non Sequitur

      The fact that you don't like political correctness doesn't mean that everything you don't like is political correctness.

    2. Re:Political correctness taken to the next level! by Anonymous Coward · · Score: 0

      Benign my foot. Orbz is taking that mail server's bandwidth with absolutely no productive value for the mail server operator.

      Further, he wants to use said server to provide information for possible blacklisting and, if a Lotus Domino Server, punish it, simply cause they can.

  48. There's something here we're not seeing by Rogerborg · · Score: 3, Interesting
    • I received an official court notice this afternoon to turn over all information relating to ORBZ accounts. This came from the 10th Judicial District court of the State of Michigan. It appears that ORBZ may be facing criminal charges for denial of service relating to the Lotus Domino issue.

    "It appears"? It is or it isn't. Funnily enough, I'd got the impression that cases were filed before courts ordered documents to be handed over.

    Further to that, isn't the case going to be about past behaviour? So isn't taking ORBZ down in response to it a de facto admission of guilt? Is this some sort of preemptive plea bargain attempt?

    Ian Gulliver has never struck me as being stupid or cowardly. I can't help but feel that there must be more communication going on here, i.e. an offer to drop the charges if ORBZ just goes away. Frankly, I find that highly distasteful, as it's edging very close to barratry.

    I don't blame Ian one bit for shutting down, I just think that he's been shown a carrot as well as a stick so that this never has to reach a court.

    --
    If you were blocking sigs, you wouldn't have to read this.
    1. Re:There's something here we're not seeing by flamingcow · · Score: 5, Informative

      I'm not going to comment on the current legal status. However, I will comment on the shutdown.

      This shutdown isn't so much for this time, but for next time. I'm stuck fighting this one, but I don't have the time or inclination in my life to fight stupid pointless criminal charges on a weekly basis. Unfortunately, the way this world works, this'll be the tip of the iceberg once people realize that they can. Therefore, I'm out of this game.

    2. Re:There's something here we're not seeing by cnj · · Score: 2

      My understanding of the situation is that ORBZ has been issued a search warrant in relation to potential criminal action, but that they have not been officially accused of anything yet. As his own upstream provider, he was served a search and seizure and informed of a possible case.

      I do not feel that he is acting irrationally given the situation in shutting down orbz. As he stated here, he does not want to face criminal charges repeatedly--nor should he be required to. He was willing to deal with civil suits, and I must agree that jail time is a different ball game than frivolous suits from annoyed admins.

      Even if it looked like ORBZ were in the right [which I feel they are], it would not be illogical to take ORBZ down until after the trial. IANAL, but I am sure that the one advising ORBZ would advise the same, if at least to show ORBZ cooperation with the proceedings and desire to not cause further harm [there are other spamblocks which can be used in the mean time]. If ORBZ did want to continue during the trial, it would probably be a good idea to have a lawyer carefully word a request to the judge [probably in the same sentence as requesting the case being dismissed].

      On unrelated comment--and in regards to original poster's comments about having the company held liable:

      I disagree with software liability [beyond clear malice, at least]. Negligence is difficult to prove, but as far as the issue is concerned, I feel that closed commercial products should be held to a higher standard than open source as open source products at least offer you the chance to fix bugs yourself even if they don't have the time to. If an Open Source developer is required to be liable for anything done with the source however, this is both stupid and impossible to manage [this would be the same as saying that K&R are responsible for anything written in C].

      But to get back on topic, kind of, IBM itself should not be sued for having the faulty server [they have fixed it, actually--The Reg mentions this in their coverage--and the problem doesn't exist when correctly configured anyway, afaik]; but the admins and the corps should take responsibility for choosing the software and not configuring it properly.

      This seems like just another example of the US mindset of blaming everybody else first because you don't want them to know that you messed up, and don't know what you're doing.

      --
      Never trust anyone over 90000.
  49. Software is not a car by CaptainSuperBoy · · Score: 4, Insightful
    Software isn't a car. Software isn't a cigarette. Read your EULA - there is no warranty on software that says it will meet your needs. It's just information, just a bunch of bits. It's not a product that can be regulated, or made 'safely.'

    Who is to say what's a bug? Can I be sued because there's a feature a customer wants that I didn't implement? What if I wrote sendmail 10 years ago, and now someone sues me because I wrote an open relay? But there wasn't any spam when I wrote it. There is a grey area between bug, and undesired behavior. Let's say I write a word processor. Do I get sued because my app won't let you print from the print preview screen? Because it doesn't save your default tab stops?

    You can't regulate software.. and if customers don't like something, they'll look to another vendor. This is already a self-regulated open market folks, move along..

    1. Re:Software is not a car by Mr.+Fred+Smoothie · · Score: 2
      It's not a product that can be regulated, or made 'safely.'
      That is such a load of shit. Please don't ever apply for a job as a software developer at my company.

      You might as well say the same thing about car or aircraft manufacture. After all, there are doubtless rare meteorological conditions that could cause existing aircraft designs to fail. "Wow, it's impossible to design aircraft safely! Let's put a EULA on our fuselage saying we disclaim all warranties and that the risk of using the product is entirely on the airline, pilot and passengers!"

      There is a constantly growing body of knowledge about proven insecure designs in software; likewise there is a growing body of knowledge about best practices in software development processes. Are they perfect, or failsafe? No. But they represent adequate due care in protecting one's customers. They can and should be applied by anyone building and distributing software. Period.

      --

    2. Re:Software is not a car by schon · · Score: 2

      Software isn't a car.

      I never said it WAS a car.

      What I implied though, was that software companies want to be treated like a manufacturer, and they should be liable, just like other manufacturers.

      Can I be sued because there's a feature a customer wants that I didn't implement?

      No, but can you be sued because you're an idiot?

      It's pretty obvious what constitutes a bug in this case: THE SOFTWARE CRASHED WHEN FED DATA

      What if I wrote sendmail 10 years ago, and now someone sues me because I wrote an open relay?

      I'll address this because this is the ONLY thing that's remotely on-topic..

      If you write a commercial program, and it HAS A BUG which causes a crash, which you never fix, and you never release the source, then yes, you should be liable.

      If the software isn't commercial, or it's not a bug (see above), or a newer version of your software doesn't have the bug, then you shouldn't be liable.

      It's really pretty simple. If you want to be treated like a manufacturer, then you should get treated like a manufacturer. PERIOD.

    3. Re:Software is not a car by Anonymous Coward · · Score: 0

      You are a moron.

    4. Re:Software is not a car by CaptainSuperBoy · · Score: 2
      Please don't ever apply for a job as a software developer at my company.

      I am a software engineer, and I don't need a job. Thanks for the offer though.

      There is a constantly growing body of knowledge about proven insecure designs in software; likewise there is a growing body of knowledge about best practices in software development processes. Are they perfect, or failsafe? No. But they represent adequate due care in protecting one's customers. They can and should be applied by anyone building and distributing software. Period.

      You haven't explained to me why we need this. Regulations should never be applied unless they are absolutely necessary - i.e. in the case of personal safety. Since customers already vote with their dollars (if you make useless, buggy software then nobody's going to buy it) why do we need artificial restrictions imposed on developers?

      If every piece of software adhered to current best practices, we wouldn't have any new innovation would we? New algorithms? They're against the law (they're not certified as secure). Any more flexibility, and you open the door for unforeseen bugs and liabilities. In case you haven't noticed, the law is not a place for ambiguity. You can't just have a law, "thou shalt not code insecure software."

      You seem perfectly suited for bottom-line, 'no new idea is a good idea' middle management. On second thought, I really don't want to work at your company. Please tell HR that I like to come up with my own ideas sometimes, which is clearly against your company policy.

    5. Re:Software is not a car by CaptainSuperBoy · · Score: 2
      Please indulge me, and let me try to trap you in your own theory.

      If the software isn't commercial, or it's not a bug (see above), or a newer version of your software doesn't have the bug, then you shouldn't be liable.

      What if the newer version is not a free upgrade? Are you obliged to provide fixes for every version of the software you have ever released?

      What if you discontinued the product line? Are you obliged to continue putting out security fixes?

      What if you discontinued the product line and went broke? Are your creditors responsible?

      What if you discontinued the product and its functionality was incorporated into another product?

      Is free (as in beer) software commercial? Is freeware commercial? How about demoware? Pure (no-nag, no-cripple) shareware? How about a small, unsupported, free utility by a large software firm? I guess we can kiss those presents good-bye.

      How about an incompatibility? Your software works fine, unless vendor xyz's software is running at the same time. After all the finger pointing, is anyone to blame?

    6. Re:Software is not a car by Anonymous Coward · · Score: 0

      I agree.

      There is software that comes with specific guarantees -- say, the software that controls machines in hospitals. If the guarantees are broken, then yes, I say the company should be liable.

      On the other hand, the idea of all software having a mandatory does-not-break guarantee is simply stupid. When I go buy a pack of 10 cent pencils, if they have a crack in them, they break. It would be incredibly dumb to require guarantees of absolute performance on them -- this sort of thing is an expensive service to provide, and one I don't want to pay for.

      So if sendmail breaks, it breaks. Maybe you could demand your money back (at least for the depreciated value of the software), but anything over and above the cost of the software is silly. If the company wants to sell the software with a guarantee, let it be so. Otherwise, let the market decide.

    7. Re:Software is not a car by Anonymous Coward · · Score: 0

      Don't be an idiot. There are products that human safety directly depends upon, and there are products that have guarantees of performance. These are the products that you can sue for in the real world. If my peanut butter isn't crunchy enough, maybe I can get a refund on it, but I sure as hell can't sue the manufacturer.

      Why should software be any different? Some software (medical embedded systems, software with a guarantee of specific performance) is required to have no flaws, and other software can.

      It makes no sense to divide along the commercial/noncommercial line (unless you aren't really being fair, you're a GPL fanatic and are just in it to try to drive commercial software companies out of business). It does make sense to divide along the guarantee line.

      The GPL, incidentally, does not provide any warranty.

    8. Re:Software is not a car by dubl-u · · Score: 3, Insightful

      Maybe you're right; as a programmer, I'm sympathetic to the notion. But arguing like you are won't convince anybody.

      Since customers already vote with their dollars (if you make useless, buggy software then nobody's going to buy it) why do we need artificial restrictions imposed on developers?

      That's a silly argument; you could make it just as well for any product, from bonds to airplanes. Why do we need auditors and all these fussy financial regulations? The shares in poorly run companies won't be bought, right?

      If every piece of software adhered to current best practices, we wouldn't have any new innovation would we? New algorithms? They're against the law (they're not certified as secure).

      There are immense numbers of regulations for things like food, cars, and financial products, and there have been for decades. But all of those have changed drastically in the last 50 years, and they'll keep on changing. Why wouldn't the same be true for software?

      You haven't explained to me why we need this. Regulations should never be applied unless they are absolutely necessary - i.e. in the case of personal safety.

      That's certainly not the only case where we have product regulations. The things that are entirely unregulated seem to be the things that are perfectly ok to screw up. If you make music, there's no law saying it has to be good, but if your CD doesn't play in my player, you have to take it back.

      When computers are used for something equally low-risk, then not regulating software seems fine. If a game crashes once in a while, that's swell.

      But some of us would like to use software for more important things, too. Suppose you run an on-line business, and you pay Microsoft a lotta dough for a fancy ecommerce setup. Then the week after you install it, some script-kiddie takes it down, steals your customer credit card data, and forwards all your pages to porn sites. By the time you clean up the mess, you're in Chapter 11.

      So you turn to Microsoft, and they say, "Sorry, Charlie, no warranties express or implied. Your check cleared, so we're outta here!" Is that how things should work?

      That's how they worked with investments before we regulated them up the wazoo. And far from crushing investment, our financial markets are immensely lively and highly regarded around the world.

      You seem perfectly suited for bottom-line, 'no new idea is a good idea' middle management.

      Yeah, ad hominem attacks against a guy with a reasonable point persuade me of your views.

    9. Re:Software is not a car by Mr.+Fred+Smoothie · · Score: 2
      So if sendmail breaks, it breaks. Maybe you could demand your money back (at least for the depreciated value of the software), but anything over and above the cost of the software is silly. If the company wants to sell the software with a guarantee, let it be so. Otherwise, let the market decide.
      Isn't this the way existing (product liability, merchantability) law works anyway?

      Again, I don't see why software merits different treatment. If the product doesn't do what it's supposed to do, you get your money back. If you paid no money, you get nothing. If the provider was negligent and that caused actual damages, and both of those conditions can be proved, the provider is liable for the damages.

      --

    10. Re:Software is not a car by Anonymous Coward · · Score: 0

      There is a constantly growing body of knowledge about proven insecure designs in software; likewise there is a growing body of knowledge about best practices in software development processes.

      I imagine VISA wishes this was the rule and not the exception when a buffer-overflow exploit in a certain monopoly's software leaks a couple thousand credit card numbers.

      One day VISA, MC or AMEX is going to stand up and punch M$'s lawyers right in the face with a lawsuit challenging the EULA's restriction against damages, citing poor workmanship and even poorer repair support.

      How much does the credit industry lose each year thanks to pirated personal information? And how much of it is obtained from dumpster diving vs. webserver invasion?

      I thought so.

    11. Re:Software is not a car by schon · · Score: 2

      Please indulge me, and let me try to trap you in your own theory.

      You can troll me (which is what I suspect you're doing)

      What if the newer version is not a free upgrade? Are you obliged to provide fixes for every version of the software you have ever released?

      If you sold it to someone under the guise of a "product", then yes.

      What if you discontinued the product line? Are you obliged to continue putting out security fixes?

      Yes.

      Is free (as in beer) software commercial? (snip) I guess we can kiss those presents good-bye.

      All of these questions have already been answered.

      It's quite simple:

      IF YOU SELL SOMETHING TO SOMEONE, UNDER THE GUISE OF "THIS IS MY PRODUCT" THEN YOU ARE OBLIGATED TO ENSURE THAT IT FUNCTIONS PROPERLY.

      This is the whole point behind it: The commercial software industry is a service industry masquerading as a manufacturing industry. If they want to be a manufacturing industry, then they should have to play by the rules of the manufacturing industry, which includes liability for their "product"

      The point of my (original) reply was simply to call into question the assumption that "if they can be sued, they'll go out of business" - like any other "manufacturer", they won't go out of business simply because they can be sued.

    12. Re:Software is not a car by Anonymous Coward · · Score: 0

      when a buffer-overflow exploit in a certain monopoly's software leaks a couple thousand credit card numbers.

      The GPL hasn't yet succeeded in becoming the monopoly method for all software development.

      Yet.

    13. Re:Software is not a car by mpe · · Score: 2

      What if the newer version is not a free upgrade? Are you obliged to provide fixes for every version of the software you have ever released?

      There is a difference between providing a "upgrade" and fixing what was wrong with your original product.

    14. Re:Software is not a car by mpe · · Score: 2

      This is the whole point behind it: The commercial software industry is a service industry masquerading as a manufacturing industry. If they want to be a manufacturing industry, then they should have to play by the rules of the manufacturing industry, which includes liability for their "product"

      They actually appear to change their mind on what they are supplying in such a way to minimise responsibility. Including having software as a licence which is not a "good" and not a "service". Since actual services are typically subject to the same kind of regulation as material goods. Or you have industries where the goods and the services aspects are closely intertwined.

  50. Black hats are going to love this by Eric+Damron · · Score: 3, Insightful

    It seems to me that if Orbz can send certain SMTP envelopes that cause Lotus Domino servers to go into a loop those servers are going to need to be fixed.

    This vulnerability is public knowledge now so how many black hats are going to be doing this just for fun and giggles?

    I can't help feeling that when a company gets shut down rather than an obvious corrective action being taken that there is a hidden agenda lurking about. Just my suspicious nature taking over. :=)

    --
    The race isn't always to the swift... but that's the way to bet!
  51. ORBZ was too aggressive by dananderson · · Score: 3, Interesting
    As an active anti-spammer, I found ORBZ was too aggressive in filtering spam. A spam filter is no good if it results in too many false positives. I had to stop using it. I don't know the specifics of this situation though and it could just as well be over-aggressive lawyers. Here's the filters I use. Note that RBL requires permission, but is freely given and free for individual users (organizations/companies must pay).

    FEATURE(dnsbl,`or.orbl.org', `Mail from $&{client_addr} refused: See http://or.orbl.org/ (ORBL)')
    FEATURE(dnsbl,`relays.ordb.org', `Mail from $&{client_addr} refused: relays.ordb.org. See http://www.ordb.org/')
    FEATURE(dnsbl,`or.orbl.org', `Mail from $&{client_addr} refused: or.orbl.org. See http://www.orbl.org/')
    FEATURE(dnsbl,`spamhaus.relays.osirusoft.com', `Mail from $&{client_addr} refused: spamhaus.relays.osirusoft.com. See http://relays.osirusoft.com/')
    FEATURE(dnsbl,`spews.relays.osirusoft.com', `Mail from $&{client_addr} refused: spews.relays.osirusoft.com. See http://www.spews.org/bounce.html')
    FEATURE(dnsbl,`rbl-plus.mail-abuse.org',`Mail from $&{client_addr} refused by RBL+. See http://www.mail-abuse.org/')
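
How a `dnsbl` lookup like the ones configured above works, with a zone health check for lists that have shut down or been parked; this is an added example, not code from the post or from sendmail. The zone names, records and function names are constructed for illustration, and the 127.0.0.2 / 127.0.0.1 test entries follow RFC 5782, which was published after this thread.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(client_addr, zone):
    """Reverse the IPv4 octets and append the list's zone:
    192.0.2.25 checked against relays.example.net becomes
    25.2.0.192.relays.example.net."""
    ip = ipaddress.IPv4Address(client_addr)  # ValueError on malformed input
    return ".".join(reversed(str(ip).split("."))) + "." + zone.strip(".")


def system_resolver(name):
    """A record for name as a string, or None if the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def lookup(client_addr, zone, resolve=system_resolver):
    """Raw answer from the list for this client, or None when there is none."""
    return resolve(dnsbl_query_name(client_addr, zone))


def zone_health(zone, resolve=system_resolver):
    """Classify a zone with the two standard test entries:
    127.0.0.2 is always listed, 127.0.0.1 is never listed."""
    if lookup("127.0.0.1", zone, resolve) is not None:
        # Wildcarded or parked domain. An MTA that treats any answer as a
        # listing would refuse every client.
        return "answers-everything"
    hit = lookup("127.0.0.2", zone, resolve)
    if hit is None or ipaddress.IPv4Address(hit) not in LOOPBACK:
        return "dead"  # list is gone: the rule costs a lookup and blocks nothing
    return "ok"


def check_client(client_addr, zones, resolve=system_resolver):
    """Return (smtp_reply, skipped). Unhealthy zones are skipped and
    reported so the operator can remove them from the configuration."""
    skipped = {}
    for zone in zones:
        state = zone_health(zone, resolve)
        if state != "ok":
            skipped[zone] = state
            continue
        answer = lookup(client_addr, zone, resolve)
        if answer is not None and ipaddress.IPv4Address(answer) in LOOPBACK:
            return f"550 5.7.1 Mail from {client_addr} refused: {zone}", skipped
    return "250 OK", skipped


# Constructed sample data: one working list, one closed list, one parked zone.
SAMPLE_ZONES = ["closed.example.com", "parked.example.org", "relays.example.net"]
SAMPLE_RECORDS = {
    "2.0.0.127.relays.example.net": "127.0.0.2",   # standard test entry
    "25.2.0.192.relays.example.net": "127.0.0.2",  # 192.0.2.25 is listed
}


def sample_resolver(name):
    """Offline stand-in for DNS built from the constructed records above."""
    if name.endswith(".parked.example.org"):
        return "203.0.113.80"  # wildcard record: every name resolves
    return SAMPLE_RECORDS.get(name)  # closed.example.com has no records


if __name__ == "__main__":
    for addr in ("192.0.2.25", "198.51.100.9"):
        print(addr, check_client(addr, SAMPLE_ZONES, sample_resolver))
```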

  52. self-appointed policeman of the internet by CaptainSuperBoy · · Score: 2

    self-appointed policeman of the internet

    I hate that term. Nobody just went and 'appointed' themselves policeman. Everything the blacklists do is completely voluntary - you (or your ISP) do not have to participate if you don't want to. This is in contrast to real police, who keep society in order as part of our social contract. We don't have a choice about that one.

    1. Re:self-appointed policeman of the internet by Anonymous Coward · · Score: 0

      So, ummm, how do I know if my ISP participates, in order to make an informed decision?

      How does my mom know?

      Sorry, anti-spam vigilantes are self-appointed stuffed shirt thugs.

      I am not 'in favor of spam' however I think it's a problem where self-important people who get off on 'power' are always gonna muscle in and 'save' us from the spam.

  53. laugh... by Ubergrendle · · Score: 1

    These new advertisements are very well timed...IBM "build a moat" for your e-infrastructure....just as long as it's not Lotus based!!! ;)

    --
    John Maynard Keynes: "When the facts change, I change my mind. What do you do?"
  54. hooorayyyyy by Ph0bia · · Score: 5, Interesting

    I for one am happy to see this happen and I hope the rest of them all shut down or get shut down also.

    The sheer volume of mail that we received as "probes" to test for relays which we have NEVER supported, is SPAM in itself, in my opinion.

    Worst of all, I sent repeated requests to people like orbs.org asking to be excluded and they replied with very rude e-mails which contained vulgarities, etc. Real professional guys - glad to see another one bite the dust...

    --
    Eph. 1:2
    1. Re:hooorayyyyy by wizkid · · Score: 1


      It's unfortunate that the people at orbs were unprofessional. It left a bad rep for the orbs type services. I had the (dis)pleasure of being part of a team that ran many mail servers for years. Spam is expensive, and the only solution is to block the inputs. The orbs type services are not a good solution, but they are for the most part the only working solution.

      Many of the probes you received are probably from spammers looking for open relays. orbz has done a better job. If it wasn't for orbz and other services like that, the amount of real spam you receive would increase exponentially. Don't start hoping that the rest get shut down, because if they do, then the spam on the internet will probably make email useless.
      w.kid

      --
      I take no responsibility for what I say. Even though I'm never wrong :)
    2. Re:hooorayyyyy by Anonymous Coward · · Score: 0

      Oh please. If you knew what you were doing, you would not have actually received any of those emails in your inbox!

      If you do get probes, and don't want them, how hard is it to block the *single* testing IP, or message type that causes the bounce to end up in your inbox?

      Don't be such a retard..

    3. Re:hooorayyyyy by Russ+Nelson · · Score: 2

      h0bia said: Worst of all, I sent repeated requests to people like orbs.org asking to be excluded and they replied with very rude e-mails which contained vulgarities, etc.

      Typical ORBZ supporter said: Don't be such a retard..

      Why does this not surprise me?
      -russ
      p.s. hi sudog. You're wasting your time again.

      --
      Don't piss off The Angry Economist
    4. Re:hooorayyyyy by derF024 · · Score: 1



      Typical ORBZ supporter said: Don't be such a retard..


      i believe that was me who said that.
      and i say it again. russ, don't be such a retard

    5. Re:hooorayyyyy by Russ+Nelson · · Score: 2

      By the way, I liked the way you banned me from #ORBZ without me even saying a word. It's clear to me that your philosophy is intellectually bankrupt, when you can't have someone who disagrees with you listen to you.
      -russ
      p.s. When the court finds that Ian has passed on copies of his software, they're not going to be happy. Rule #1: never, never piss off the judge.

      --
      Don't piss off The Angry Economist
    6. Re:hooorayyyyy by Ph0bia · · Score: 1

      Actually we weren't even on the banned list, I was just asking that they stop probing - all the probes were coming from orbs.org and manawatu.nz or some such thing.

      When I e-mailed them their reply was
      "Fix your fucking SMTP"
      ....which according to their own database wasn't even broken....

      Spam has never been a huge problem for us, in fact these probes were the worst spam we ever encountered.

      --
      Eph. 1:2
    7. Re:hooorayyyyy by Ph0bia · · Score: 1

      The e-mails weren't hitting our inboxes, they were filling our "problem" queues, because they were being rejected. The business we are in requires us to inspect rejected e-mail as well.

      I did end up blocking those domains at our firewall to solve the problem, and it was quite easy, thank you! :-)

      --
      Eph. 1:2
    8. Re:hooorayyyyy by Russ+Nelson · · Score: 2

      That's *ORBS*, not *ORBZ*.
      -russ

      --
      Don't piss off The Angry Economist
    9. Re:hooorayyyyy by AftanGustur · · Score: 2

      The sheer volume of mail that we received as "probes" to test for relays which we have NEVER supported, is SPAM in itself, in my opinion.

      Those probes you are seeing are mostly spammers looking for open relays. I am in charge of releasing an (internal) security report each month for the company I work for and we receive on average 250-330 such probes each month.

      --
      echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
    10. Re:hooorayyyyy by WoodstockJeff · · Score: 1

      As a mail administrator, if I get spam from your mail, I'm going to impose blocking against it until such time as the problem is fixed. If that problem is "just" that your system is an open relay, then you're not going to be able to send to me until it ISN'T an open relay. And I consider the fact that your server sent spam to me to be tacit permission to check whether or not it is an open relay. Now, I might delegate that test to someone else, like ORBZ, or I might do the test myself... I don't do as thorough of testing as ORBS or ORBZ did, but my test message, like those done by all the open relay testers, includes information on WHO to contact about the test, WHY the test is being done, and has a valid address to contact. If someone cops the attitude you're displaying, I'll say, "OK, no tests. Of course, no mail will be accepted, either!" That is my right, and I have the backing of my customers in saying it.

  55. Check your logs. by AnotherBlackHat · · Score: 4, Funny

    Seems to me that the majority of the DoS attacks came from 127.0.0.1.
    I suggest the prosecution track down the owner of that IP, and haul him into court instead of orbz.

  56. With this logic... by warpSpeed · · Score: 2

    Why don't "they" just sue the spammers out of existence? "They" would make all of our lives that much easier.

    If ORBZ is testing for obscure bugs/holes, you can bet that the spammers are doing it too.

    ~Sean

  57. Anti Spam Killer by kwerle · · Score: 2, Interesting

    I have started using a-s-k to block spam, and have been pretty happy with it.

    http://sourceforge.net/projects/a-s-k/

    http://www.paganini.net/ask

  58. sort-of too bad he didn't receive jail time... by Anonymous Coward · · Score: 1, Interesting

    I certainly don't wish Ian any ill will, but if he had received or does receive criminal penalties for having caused a DoS by sending oddly formed email envelopes then it would have set a precedent for jailing spammers abusing open relays rather than just fining them.

  59. good by Anonymous Coward · · Score: 1, Interesting

    spam busting databases can go to hell. they are a thorn in the side of NORMAL business, not just spam. I almost got a geeky linux dork fired for using one of their services to "protect" his servers. Seems we were on a black list due to a relay getting opened by an inept tech for a couple of days. Linux geek's server blocked us due to list. Linux geek's boss none too happy since he's buddy buddy with our CEO. Don't risk yer job for these wannabe cyber cowboys.

    1. Re:good by matuscak · · Score: 2, Insightful

      Nonsense. The message is explain to your management what spam costs a company, and have them go along with it. We bounce an average of 500 mails from open relays per day into our not all that big network. The max so far is something like 2200 in a day. Even if people "just hit delete", the time adds up unbelievably fast. There is *NO* excuse to be running an open relay, AT ALL!

    2. Re:good by Anonymous Coward · · Score: 2, Interesting

      > I almost got a geeky linux dork fired for using one of their
      > services to "protect" his servers.

      Oh you should be *so* proud of yourself. You damn near got somebody
      fired for trying to protect his company's mailboxes against the
      incompetence and carelessness of companies like yours.

      You wouldn't mind sharing with us your domain name or netblock, would
      you?

      Btw: If you'd tried that crap here, you would have received short
      shrift. Even if my boss or my boss' boss (the owner) *was* friends
      with your CEO. It's happened. The most that would happen is I'd
      be instructed to white-list *that* *specific* email address. But I'd
      be instructed to first try to get you to fix your broken-ass mail
      server.

      Asshole.

    3. Re:good by Anonymous Coward · · Score: 0

      i am proud of myself. Considering the relay had been closed for over 3 months, yet we were still on the list. Sorry, but it shouldn't be my problem to go to the blacklist and submit a retraction. You can't just start a fire and think you can walk away leaving it burning. That's what the aggressive spam blockers seem to think. And I for one am happy to see another self-serving cyber cowboy go bye bye. And that linux geek was fired anyways a couple of months later. Seems his zealotry got him into muddy waters more than once. Don't risk your job for passions, use some common sense.

    4. Re:good by J.+Random+Software · · Score: 1

      Firefighters hose down your house to keep your problem from destroying the neighborhood. What's left of your house isn't their problem, and they certainly aren't going to come back and help you repair it.

  60. ORBZ + SpamAssassin + Razor by ONU+CS+Geek · · Score: 5, Informative
    With that simple combo, you can keep a majority of spam out of your (and your users') inbox. I became really proactive about stopping spam after one of my (l)users installed a formmail.pl script on our web server and we became an 'open relay' for anyone who knew how to exploit the server. Subsequent emails to the abuse@ emails of the upstream providers resulted in nothing, and I still get attempts on the script. With that said, we flag the email as spam using the X-Message-Flag: header (as most of my clients use Outlook) as well as the Qmail-Scanner Tag that is injected into the message. This lets my users know that the message is spam, and I leave it to them on how to filter the messages out of their inbox.

    Spamassassin is nice in this regard, because you shouldn't need to change any configuration rules. The rule that ORBZ deals with, (RCVD_IN_ORBZ) shouldn't need to be changed, however, I'm going to weight the other rules that check for that kind of information (RCVD_IN_RELAYS_ORDB_ORG, RCVD_IN_OSIRUSOFT_COM, RCVD_IN_VISI, RCVD_IN_RFCI, and RCVD_IN_ORBS) up a few points to make up for the lost service.

    --

    I disable sigs...do you?
  61. This was submitted earlier.... by LiteForce · · Score: 0, Offtopic

    2002-03-20 08:58:41 ORBZ shut down in response to legal threats (articles,spam) (rejected)

    --
    "Be vewy vewy quiet, I'm hunting wuntime ewwors!" - Elmer Fudd
  62. Orbz by Anonymous Coward · · Score: 0

    About time, orbs had us on its list forever, all because one of our clients sent a FFA links spam around. We deleted the account and changed our TOS a bit.. but some of these anti spam people don't care if you fixed everything up, they just want you to pay for someone else's stupidity.. So, lets hope orbs doesn't come back up :p now we can finally get mail through!

  63. Call me stupid, but by Mr.+Fred+Smoothie · · Score: 2
    Why the hell doesn't the ORBZ software just send out a MAIL FROM: header that doesn't have the remote side's address?

    I mean, why the hell doesn't it just send a header like: MAIL FROM: <orbz-admin@orbz-domain.com> anyway?

    This seems like it would have been such a simple technical issue to fix on ORBZ side without putting the burden of fixing the problem on Lotus or people running Domino.

    <irony>I'm against theft of resources in the form of spam, but I'm all for theft of resources in the form of forced distributed software debugging</irony>

    --

    1. Re:Call me stupid, but by timjackson1 · · Score: 2, Informative

      Why the hell doesn't the ORBZ software just send out a MAIL FROM: header that doesn't have the remote side's address?

      Because the point is that they are trying to find any configuration that permits relaying. If they can find it, so can spammers.

      Some open relays are set up in such a way that they would not relay messages with MAIL FROM [orbz] but would with MAIL FROM [127.0.0.1].

  64. IDing the server... by Kymermosst · · Score: 2

    You can usually figure it out with the 220 greeting message. Most people don't change the message strings, and I'm pretty sure Domino says Lotus Domino in the 220 message, by default. It's been a long time since I talked to a server running it.

    One could also try sending "HELP" which, with sendmail anyway, will give the version in the first response string.

    I think that in any case, impact could have been minimized for affected Lotus Domino servers where ID could be determined.

    --
    "Alcohol, Tobacco, Firearms, and Explosives" should be a convenience store, not a government agency.
  65. Re:The open relay testers send me unsolicited e-ma by RevDigger · · Score: 2, Informative

    So fix your broken (almost certainly qmail) server.

    And FWIW, one of the best things about ORBZ was how professionally it was run. They generally tried to err on the side of caution. For instance, addressing your strawman argument, the ORBZ test messages described exactly what they were, and provided links for more info.

  66. Good riddance by kindbud · · Score: 3, Informative

    Now I won't have to put up with any more double-bounces from ORBZ's continual probing of my closed relays. These don't even send out OUR mail. You can't test our outgoing relays, the conversation is in the wrong direction and won't pass our firewall.

    Ian, YOU DUMBASS!! I hope you beat the criminal rap, but you got what was coming, what you were asking for. ORBZ's probes were every bit as much a trespass as the spam itself. Why they never understood this is beyond me. Plenty of other DNSBL run a good list without intrusive probing, and are not getting put up on charges either.

    --
    Edith Keeler Must Die
    1. Re:Good riddance by wizkid · · Score: 0, Flamebait


      Talking about dumbasses, looked in a mirror lately?
      Yea, orbz probes for open relays. SO WHAT! Maybe everyone should just forward their spam to YOU!

      --
      I take no responsibility for what I say. Even though I'm never wrong :)
    2. Re:Good riddance by kindbud · · Score: 2

      Excuse me, but the article is about ORBZ not probing for open relays anymore. Maybe I am a dumbass, but I can read.

      You think I don't get my share of spam? I also get my share of double bounces. Double bounces are, for the postmaster of a site with many users (and especially many ex-users), the primary debilitating effect of spam. They clog up the queue for several days until the MTA gives up delivering the "no such user" message to the "no such user" spamdrop box. ORBZ added to that pile of cruft. It was intrusive, and I am glad they are gone.

      --
      Edith Keeler Must Die
    3. Re:Good riddance by wizkid · · Score: 1


      They were probing but obviously they're not now. If you have a properly configured mail server, it will not accept the mail, and it won't be piling mail in your queue. Instead it will respond to the mail server trying to send, or in this case probe a 5XX response saying I won't relay your mail. No mail will be accepted on your server, or put into your mqueue directory.

      --
      I take no responsibility for what I say. Even though I'm never wrong :)
    4. Re:Good riddance by kindbud · · Score: 2

      You're wrong. Qmail and Exchange are two examples of MTAs that, when properly configured, will accept ORBZ's probes, and only later bounce them once they are in the queue. That's because both MTAs delay any processing on incoming messages until they have been written to the queue. People running those MTAs were having to deal with the double bounces that were a direct effect of the ORBZ probing activity.

      Furthermore if you blocked ORBZ's probes to save yourself from their trespass, they blacklisted you whether you were an open relay or not.

      If that's not vigilantism, I don't know what is.

      --
      Edith Keeler Must Die
    5. Re:Good riddance by wizkid · · Score: 1


      I'm a sendmail guy. I haven't dealt with qmail or (Ugh) exchange. I'm surprised they do it this way.

      I don't totally agree with blacklisting just because their probes are blocked. On the other hand, someone that wants to run an open relay for spammers could block orbz if they didn't do this. There is no right way to do this unfortunately. There is no legal recourse, so vigilantism is the only working method right now. It sucks, but somehow, a way needs to be found to control the spam. It's costing this industry millions right now.

      --
      I take no responsibility for what I say. Even though I'm never wrong :)
    6. Re:Good riddance by WoodstockJeff · · Score: 1
      "Plenty of other DNSBL run a good list without intrusive probing ..."

      kindbud, I *invited* probes by ORBS (when they were around), ORBZ (ditto), and ORDB (yes, I submitted my own servers!). The sum total of probes by all these services in the past 18 months is a small fraction of the relay attempts I've gotten from just AOL users!

      I would MUCH rather have someone I know doing a thorough test of my servers, making sure I'm not going to get phone calls and nasty emails from people I *don't* know, because someone figured out I missed something, and started using my system for spamming.

      As for your firewall protecting you, I've got a few hundred spams in my archives that came through firewall-protected systems. All someone has to do is find your incoming port, and you might find yourself being the "source" of the latest kiddie porn site spam. I see a lot of headers where the oldest hop says something like, "Received by tommy from 192.168.1.5 [HELO OEMCOMPUTER]", and went through several firewall computers, completely obscuring the outside source.

      My systems, by the way, are smart enough to bounce the attempts, before they get to the "double-bounce" stage... They DO send me notification of the attempt, though, as they do for everything that the spam filters bounce.

      "Why they never understood this is beyond me."

      Yes, it is!

    7. Re:Good riddance by WoodstockJeff · · Score: 1
      "Qmail and Exchange are two examples of MTAs that, when properly configured, will accept ORBZ's probes ..."

      And that's a good reason to put something more secure in front of them. The SMTP server SHOULD be smart enough to recognize its own domains, and Qmail is SUPPOSED to bounce the attempt before queuing, from my reading of the Qmail docs.

      The behaviour of Exchange is one of its spam holes - the spammer merely needs to send the mail as from the target address, with an undeliverable TO address, and Exchange will happily deliver it to the victim as part of its bounce process. Oh, it will wrap a message around it, but the whole original makes it through.

      This is why I won't allow a customer of mine to have an Exchange server attached directly to internet...

  67. Negligence is still negligence by JonnyCalcutta · · Score: 1
    Of course you can. It's called negligence and it only applies if they are 'directly responsible' for the effects. So you could sue a manufacturer who sold you a Firewall product with a claim that it was unbreakable (assuming it was broken and cost you money/sales/loss of reputation), or perhaps a database company with the same claim, or an OS company that kept serious security holes a secret. You couldn't sue a web server programmer because _you_ didn't bother setting it up properly and left a glaring hole, or you didn't bother applying an available patch or because you downloaded a 10 year old mail program and used it as the company Internet mail server.
    I'm pretty sure that even in the US you couldn't sue Ford because your self modified engine block exploded, or because your car skidded off the road when you'd been using the same tyres for 10 years. You sure could sue them if one model consistently toppled over going round corners and Ford did nothing about it.
    Negligence - look it up in the dictionary and then tell me why it should apply to every product and service in the western world _except_ software?

    Self regulation, like communism, is a utopian dream that can never exist in the real world where too many people are greedy, self serving, amoral, liars, etc.

  68. I don't remember any contractors at Lotus. by Anonymous Coward · · Score: 1, Informative

    Which office were you in? (Only 2 really).

    I worked in Lotus Tech Support for a few years, and can honestly say [crap, hit button] that I don't remember a single contractor being present. Period.

    As well, our mail was up 100% of the time, and extremely reliable. The only issues seemed to crop when IBM's servers crapped out, hardware issue, not a software issue.

    Not to call BS on you, but perhaps you were in some strange corner of Big Blue with some true incompetents. However, that certainly isn't the case. Notes is much more reliable than exchange, even if the friendly beep you so want isn't present.

    1. Re:I don't remember any contractors at Lotus. by coreman · · Score: 1

      5th and 6th floor 1RS/CAM. DomDoc, API group, DMS. Considering the mail servers were run by IS in LDB, I don't think you get much more mainstream than that. There were about 100+ of us contractors laid off last July from Cambridge/Westford as part of the cost savings program.

      As for Exchange, I don't hold that in high regard either. I had to write an interface to that as part of the Entrust project.

      The DEC mail system wasn't a MS product either. Just real software written to fill a need, used daily by the entire company rather than written to fill a marketing brochure. The beep wasn't important, it was just the reassurance that the mail actually made it to the other end in a reasonable time. There was no reason for AIM or Sametime since the mail was just as reliable and there was no need to question if it got there. Most of my days at DEC I rarely used a phone because the email was so much easier and less intrusive and the etiquette of timely reading/replying was in place. Spam was a thing of the future and generally email was considered something worthy of your attention.

    2. Re:I don't remember any contractors at Lotus. by Anonymous Coward · · Score: 0

      I and about a dozen other people were doing contract work 5 years ago at Lotus, commuting from New York.

      We did an intranet in a box application on top of domino. ( it turned out to be a truly miserable product )

      We were in the offices over beside the river, the ones where you could go to and from the Sonesta hotel without going outside.

      The place was pretty empty at the time.

      Sorry we missed you.

    3. Re:I don't remember any contractors at Lotus. by Anonymous Coward · · Score: 0

      5 years ago is pretty irrelevant to the discussion of the Domino version at hand.

      At any rate, R5 was not out then, and I'm pretty sure neither was 4.5., or 4.6.

      If you're not up to R5, all bets are off.

    4. Re:I don't remember any contractors at Lotus. by Anonymous Coward · · Score: 0

      I would again assert your experience to be isolated. I never had Notes Mail issues where we were, but then again, we ran our own servers, and were competent enough to know what we were doing.

      And we stayed up on the current versions.

      I was in Austin, and avoided any other offices with great care.

    5. Re:I don't remember any contractors at Lotus. by Anonymous Coward · · Score: 0

      > irrelevant to the discussion of the Domino version at hand.

      Perhaps, but if you read the subject of this thread you will see that it is "I don't remember any contractors at Lotus"

      Not only were we there but we were writing product for them. It was on 4.5 I think.

  69. Re:The open relay testers send me unsolicited e-ma by Anonymous Coward · · Score: 0

    I too was completely surprised when ORBZ started testing our servers. 60+ bounced emails were waiting for me the first time and subsequent checks 30 or so. No warning whatsoever.

    Was listed as a closed relay in their database.

    I wonder if Spammers checked the ORBZ database from time to time. It seems to me that 550 relay errors always increased after ORBZ doing a check.

  70. Long live sendar! by Anonymous Coward · · Score: 0
    and death to the CSS!

    For this treat, we'll gladly take some potted meat as a side dish.

    Insecure Linux server. Hah!

    1. Re:Long live sendar! by Anonymous Coward · · Score: 0
      what's wrong with cascading style sheets?

      Well, they, hrmm, cascade...

      And what's wrong with Nixon?

  71. By All That's Holy by waldoj · · Score: 1

    I just think that he's been shown a carrot as well as a stick so that this never has to reach a court.

    Carrot. Stick. They are not opposite things, they go together.

    When sitting on an obstinate mule, you take the stick and attach the carrot to the end of it to dangle in front of said mule. The mule walks forward to get the carrot, which remains permanently (a la Tantalus) out of reach, and so it eventually hauls you and your load to your destination, at which time you may or may not give it the carrot. Whether or not this actually works, I'll leave to the farmers. But that's the origin -- surely you're familiar with the concept.

    "Carrot and stick" refers to the provision of an incentive, real or decoy. It does not refer to beating the hell out of some poor jackass.

    -Waldo Jaquith

    (Originally appeared here.)

  72. Moral of this story... by Anonymous Coward · · Score: 0

    Don't use Lotus Domino!!! Especially if it falls over when trying to process a simple email. I'm surprised spammers haven't crashed Domino servers all over the place. You don't see them going to court very often.

    1. Re:Moral of this story... by Anonymous Coward · · Score: 0

      Err....

      Or change one configuration setting in the server's name and address book. Which takes about thirty seconds.

      Nice attitude. It's not like sendmail or exchange have ever had a bug or bad default config, right?

  73. Domino... really needs a gateway in front of it by mmkhd · · Score: 1

    I agree with you wholeheartedly.

    A company I know was using notes for all their mail. A blackhole database notified them that they were acting as an open relay (that was the default install of that notes version) and asked them to remedy the situation.

    To check things out I telnetted to port 25 and tried to relay some mail manually and just by accidentally entering some malformed input (I think I was trying to use backspace) I crashed the whole notes server!

    Frowns all around ;-)

    Now a smtp gateway protects that notes server from the internet.

    And as an internal solution with all its other features it is really great, but to crash due to malformed input? That's worse than bad that's eh,mhh,yeah worse.

    I hope newer notes versions do not show that behaviour.

    Use notes, but never without protection :-)

    Marcus

  74. Use ORDB by Anonymous Coward · · Score: 1, Informative

    I've been using ORDB for a few months and it works quite well. Only drawback is they don't re-scan regularly to see if relays are closed. www.ordb.org

  75. And why not? by fmaxwell · · Score: 5, Interesting

    Do you have any idea how it would cripple the software industry if they operated under the constant threat of product liability suits?

    Oh no! Then we would be under the same, crippling rules as just about every other industry on the planet. Microsoft, IBM, Symantec, et al, would actually need to make a due-diligence effort to fix bugs rather than add new, unnecessary features and eye candy.

    Software engineering is not some kind of black magic. It's no different than any other form of complex engineering, be it passenger jets to modern automobiles. To do it right requires care, time, diligence, and testing. If software companies dedicated 1/10 the effort to testing their products that they do to marketing them, 99.99% of problems would be caught before the products ever shipped.

    I guess what it comes down to is this: If you are truly a software engineer, then you should embrace time-proven engineering principles and stop hiding behind the "we're just selling a license" cop-out.

    1. Re:And why not? by Kamel+Jockey · · Score: 2

      If you are truly a software engineer, then you should embrace time-proven engineering principles and stop hiding behind the "we're just selling a license" cop-out.

      Damn right. There is absolutely no reason why software engineers (myself included) cannot take reasonable precautions to make sure their products work right under a given set of circumstances, every other industry does the same friggin' thing already. Perhaps if software companies were held to this higher standard, and were legally horse-whipped if something bad happens in a reasonable circumstance, then people in this industry, along with the industry itself, would finally get some respect.

      I use the term "reasonable" because we all know it's not possible to test for every possible circumstance (e.g., obscure/unknown hardware platforms/configurations, etc.), but it is perfectly feasible to test against a given, well-defined set of parameters and tell the end-user "It works if you use x, y and z; but it may not work if you use anything else."

      --
      In case of fire, do not use elevator. Use water!
    2. Re:And why not? by CaptainSuperBoy · · Score: 2
      Software engineering, as it is today, is pretty much a misnomer. There is not much about software production that resembles engineering, at least in most shops. I would guess that most programming doesn't adhere exactly to engineering principles - rigid design, development and testing cycles. I haven't done a formal 'black-box' test on my code in a while - I don't write the kind of software that needs formal engineering.

      And why should it be different? Who's to say that it would be better if we regulated software as much as we regulated buildings, or cars? There's no way of knowing, but I say that additional regulation will only slow innovation. Buildings and cars are regulated solely in the name of safety. Most software is not 'mission-critical,' meaning people's lives are not on the line. There are already certifications for medical software, nuclear plant software, etc. I'm in favor of those, but I don't see the need for regulating standard commercial software.

      You could argue that a mail server is 'mission-critical' in another way - maybe it doesn't threaten human lives, but it definitely needs high availability. The important thing to realize, is this is a business concern and not a safety concern. If your business needs high availability mail software, it should be up to YOU to seek out that software and test it yourself. It shouldn't be up to the courts to enforce your right to sue a vendor because they didn't provide what you needed.

      Also, in response to: If software companies dedicated 1/10 the effort to testing their products that they do to marketing them, 99.99% of problems would be caught before the products ever shipped.

      You can say a lot about software vendors, but there's no way to back up a claim that none of the big vendors do actual software engineering. MS employs some of the best software engineers in the business, tests their software for millions of hours, yet they keep putting out bug-ridden products. Clearly there's some other force at work here, preventing MS from releasing correct software.

    3. Re:And why not? by fmaxwell · · Score: 2

      Software engineering, as it is today, is pretty much a misnomer. There is not much about software production that resembles engineering, at least in most shops. I would guess that most programming doesn't adhere exactly to engineering principles - rigid design, development and testing cycles.

      Of course it does not. Because the software vendors know that they can hide behind the license they sell. Engineering happens when a company has something to lose by selling a defective product. Right now, if your word processor crashes and you lose hours worth of work, you have no legal recourse, so they have little incentive to make the software bulletproof.

      I don't see the need for regulating standard commercial software.

      I never suggest regulating it. I said that it should be treated like almost any other product or service. If someone pays for software and it fails to perform reliably and as documented and advertised, the buyer should have the ability to press a lawsuit.

      If your business needs high availability mail software, it should be up to YOU to seek out that software and test it yourself.

      So you believe that all professional firms that rely on e-mail, from law firms to accounting firms to stock brokers, need to become expert in the SMTP/POP3 protocols and invest thousands of man-hours testing servers that they bought from IBM, Microsoft, and other firms? That's absurd.

      If you pay an electrician, accountant, or plumber, you have legal recourse if they don't do their job right. But when they buy your software, you think that you should be shielded from legal responsibility? If so, why?

    4. Re:And why not? by Vegetable+Soup · · Score: 1

      I used to work for a small software company that claims that most of the money on products is made from supporting (read: fixing bugs) the software it sold. This is a definite market force in preventing them from releasing correct software. Although it would be better as a whole for the company to release bug-free software, the company had little incentive to do so. During the last project I worked on, the client asked for help developing an extensive testing plan for testing the software before it was released. I was lucky my team lead had previously worked for a military contractor, because there were very few people in my company who were experienced at developing good test plans.

      Regulation of the software industry would stop this and many similar companies from selling poorly-written software. This is not to say there would be no more bugs, but I'm sure they would be quickly reduced. If a company has to release a service pack on the day its major software product is released (Windows XP), this is definitely a flaw in the overall system.

    5. Re:And why not? by The+Cookie+Monster · · Score: 1

      Regulation of the software industry would merely result in software companies getting insurance and tapping the insurance premium onto the price of the software. The only extra testing that would occur would be to bring about an equilibrium in the price-of-extra-testing vs lower-premiums-for-better-track-record.

      If there was a market for software with liability then vendors would make software with liability. That they don't (or that it's rare) indicates that for most people, cost is more important - and if you regulate then you remove that choice.

      The examples of other industry (buildings, planes etc) are always flawed as they are regulated for safety reasons, not consumer protection reasons (software upon which lives depend is a different kettle of fish). But even then I'm personally glad to live in a country where patients can't sue doctors (they are held accountable by other means), the state in the US looks more ridiculous each day.

      However, with all the continual moaning about buggy software, it does surprise me that there aren't more vendors out there saying 'Our software works, and you can hold to that'.

      Hey, you're a software person - maybe there's an untapped market there...

    6. Re:And why not? by Anonymous Coward · · Score: 0

      And, of course, software-release-interfaces will have to be developed. If you're not an approved software releasor with a liability insurance policy you will no longer be allowed to release software to the public.

      I wonder how big Linus' insurance premium will be?

    7. Re:And why not? by Anonymous Coward · · Score: 0

      If a company has to release a service pack on the day its major software product is released (Windows XP), this is definitely a flaw in the overall system.

      What is the average number of days between each lowest-number level (i.e. 2.2.34 to 2.2.35) release of the Linux kernel?

      Seems that Linus releases a hell of a lot more service packs than Microsoft does.

      So you're saying it is a problem when Microsoft does it and a feature when Linus does it?

    8. Re:And why not? by mpe · · Score: 2

      I use the term "reasonable" because we all know it's not possible to test for every possible circumstance (e.g., obscure/unknown hardware platforms/configurations, etc.), but it is perfectly feasible to test against a given, well-defined set of parameters and tell the end-user

      However the criteria of what is "reasonable" can vary. Allowing open relaying might have been low risk before spam came along, then it becomes high risk.

  76. Re:The open relay testers send me unsolicited e-ma by Ian+Lance+Taylor · · Score: 1

    Sending double-bounce messages is a feature, not a bug. I would be happy to hear an explanation of what I should do to ``fix'' this with respect to ORB* messages.

    And in what way was my argument a strawman? Read it again. I didn't say that the ORBZ messages didn't say what they were. I said they didn't tell me specifically why they were testing my server, and I said that they didn't tell me how to prevent receiving those messages in the future.

  77. Re:The open relay testers send me unsolicited e-ma by Rick+the+Red · · Score: 2

    I've found that most hypocrites are on a moral crusade of one sort or another. But there are far more people on moral crusades who are not hypocrites. Being on a moral crusade <> hypocrite, but hypocrite == being on a moral crusade.

    --
    If all this should have a reason, we would be the last to know.
  78. What about currently Blackholed domains by Anonymous Coward · · Score: 1, Interesting

    My company is wrongfully on several Open-Relay/Spam lists from testing we were doing to a hotmail account (that we registered) to test an error reporting function in one of our programs (the spam part), and an open relay specifically for me (that was being exploited by others).

    If anyone is using ORBZ's lists, we will never get off of them. You know that ISP's that "subscribed to a list" will not really work on updating their filter lists. They didn't do it when ORBZ existed.

    So who is to save all these domains that were already blackholed and currently fixed.

    I mean, it isn't the ORBZ owner's responsibility, he merely compiled a list, he has no responsibility. He never instructed anyone to block anyone's mail, it isn't his fault that anyone implemented any filters based on his list, and he can't be responsible if they never updated their filters, so how do these domains get "Un"-blackholed?

    1. Re:What about currently Blackholed domains by Dahan · · Score: 1
      If anyone is using ORBZ's lists, we will never get off of them. You know that ISP's that "subscribed to a list" will not really work on updating their filter lists. They didn't do it when ORBZ existed.

      The list doesn't exist. ORBZ is gone, so it's not possible for anyone to be on their list. No "unblackholing" is needed...

    2. Re:What about currently Blackholed domains by Anonymous Coward · · Score: 0

      It is my understanding that you didn't subscribe to a filter. You got the list, and created the filters from that list.

      Anyone previously using a list still has the filters set up. The blackholes still exist somewhere.

  79. Product liability by Anonymous Coward · · Score: 0
    Do you have any idea how it would cripple the software industry if they operated under the constant threat of product liability suits?


    You mean like most other industries?


    Out of curiosity, why do you think the software industry should get a free ride?

    1. Re:Product liability by CaptainSuperBoy · · Score: 2
      Out of curiosity, why do you think the software industry should get a free ride?

      I don't think the software industry should be held to the same standards as, say, architects and structural engineers. I'm sure we could create amazing, cheap buildings if we weren't concerned about them crashing occasionally. But, we need buildings that can't crash, even once. However, we tolerate software that crashes occasionally due to quicker development cycles, lower costs, and more innovation.

      I'm not in favor of a free ride.. of course I believe that software used in medical and nuclear plant situations needs to be rigidly tested and certified. Safety is the key - we should regulate industries based on safety, not arbitrarily impose the same restrictions on all industries.

      For an open-source advocacy site, I'm puzzled at how many people think that software should be strictly regulated! Don't you realize that this is at odds with the basic philosophy of free software?

    2. Re:Product liability by Anonymous Coward · · Score: 0

      This is not an open-source advocacy site.

      Some of you who hang out here bellow about it all the time, and even some of the people who run the site rant and rave about open-source all the time.

      This is a geek site. It's a place where there are interesting articles posted about all sorts of topics.

      You clearly should instead be hanging out on an .advocacy newsgroup, if you're that confused about what the focus of slashdot is.

  80. Damn the vigilantes by drteknikal · · Score: 2, Interesting

    I understand the problems caused by spam. I understand how to configure a mail server. I don't understand why so many people line up behind this type of solution - it seems to me to be a case of the cure being worse than the disease.

    What gives anyone the right to send any mail to my domain for any reason? Regardless of how poor my software may be, and how poorly configured, why should an outfit like ORBZ not be held responsible for what happens when they probe my system without my knowledge or consent?

    My mail system is not an open relay. I'm frequently targeted as being an open relay because many of these vigilantes don't use competent and effective testing procedures. As soon as I end up on the list, I have to explain things that shouldn't need explaining, and we suffer an avalanche as the spammers pick up on the "open relay" list and attempt to route their traffic through our server. I eventually get the blacklisters straightened out, but it usually takes at least 7-10 days per occurrence. In the meantime, I'm getting as many as 2000-3000 pieces of spam per hour.

    I'm leaving out technical details here. If anyone cares, I'll be glad to provide them. There are some of these groups that we've never had problems with because their testing methods are better. But the incompetents seem to outnumber them.

    --
    http://drteknikal.blogspot.com/
    1. Re:Damn the vigilantes by software_non_olet · · Score: 0
      "I'm leaving out technical details here. If anyone cares, I'll be glad to provide them."

      I would like to know more about that. Could you post or contact me - zim@vegaa.de ?

    2. Re:Damn the vigilantes by drteknikal · · Score: 2

      Our server is running Novell GroupWise 5.5. GW55 has a bit of an oddity - it will accept relay messages even with relaying disabled. If relaying is disabled, these messages *will* be bounced. They don't check when receiving, they check during a subsequent routing cycle. This is known and documented behavior (both by Novell and some of the black hole lists), and should at most result in the server being flagged as "suspicious".

      Don't get me wrong, I'm not defending Novell or GroupWise. It is at best a woefully inefficient way to handle it. But it's within the rfc, fully disclosed and documented, and specifically accommodated by several of the black hole lists. Others (including ISPs who are attempting to do this themselves) ignore this and implement seriously flawed testing methods, and we get (falsely) branded as an open relay.

      The problems arise when the testing scripts assume that if a message is accepted, that the relay is open. Instead of waiting to see if the relayed message is received, we get blacklisted as soon as they succeed in dropping it on our server. Then we have to contact them, explain life to them in intricate detail, and most of the time, they just don't get it. The error is on their part, but the self-righteousness of these people can be astounding.

      --
      http://drteknikal.blogspot.com/
    3. Re:Damn the vigilantes by Tyrall · · Score: 1

      The particular open relay listing service that the article mentioned is ORBZ. ORBZ required a mail to actually be received before it appeared on the blacklist. Anyone using a blacklist that lists a server based on acceptance of a message (for passing to a virus scanner, for example) deserves not to get ANY mail, much less just your mail. I'd contact the ISPs/organisations using the blacklist, not the blacklist itself. Educate the users of the crap lists that there are better alternatives (sadly, one of the finer ones just left town), and it's unlikely they'll continue to use it. After all, surely they want real mail to arrive, too?
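
The distinction the comments above turn on (a relay attempt refused with a 5XX during the SMTP session, one accepted into the queue and bounced later, and one actually relayed), as an added example that is not part of the thread and not code from ORBZ or any other list. The transcripts, hostnames, probe tokens and function names are constructed for illustration.

```python
import re
from enum import Enum

class Verdict(Enum):
    CLOSED_AT_SMTP = "relay refused with 5xx during the SMTP session"
    ACCEPT_THEN_BOUNCE = "accepted into the queue, bounced later: not a relay"
    OPEN_RELAY = "probe arrived at the test mailbox: relayed"
    UNDETERMINED = "no evidence either way yet: do not list"

REPLY = re.compile(r"^(\d{3})(-?)")  # '250-...' is a continuation line

def smtp_replies(transcript):
    """Map each SMTP verb of one probe session to its final reply code.

    Lines start with 'C:' (tester) or 'S:' (server under test). The reply
    to the end-of-data dot is stored under 'EOD'; message body lines are
    skipped so text inside the probe is never mistaken for a command.
    """
    replies, pending, in_body = {}, "GREETING", False
    for raw in transcript.strip().splitlines():
        line = raw.strip()
        side, text = line[:2], line[2:].strip()
        if side == "C:":
            if in_body:
                if text == ".":
                    in_body, pending = False, "EOD"
                continue
            words = text.split()
            pending = words[0].upper() if words else None
        elif side == "S:":
            m = REPLY.match(text)
            if not m or m.group(2) == "-" or pending is None:
                continue
            code = int(m.group(1))
            replies[pending] = code
            in_body = pending == "DATA" and code == 354
            pending = None
    return replies

def code_in(replies, verb, low):
    return low <= replies.get(verb, 0) < low + 100

def accepted(replies):
    return code_in(replies, "RCPT", 200) and code_in(replies, "EOD", 200)

def refused(replies):
    return any(code_in(replies, v, 500) for v in ("MAIL", "RCPT", "DATA", "EOD"))

def naive_verdict(transcript):
    """The flawed test: 'the server took the message, so it is open'."""
    ok = accepted(smtp_replies(transcript))
    return Verdict.OPEN_RELAY if ok else Verdict.CLOSED_AT_SMTP

def classify(transcript, token, delivered, bounced):
    """List a host only when the probe token really reached the test mailbox."""
    replies = smtp_replies(transcript)
    if refused(replies):
        return Verdict.CLOSED_AT_SMTP
    if not accepted(replies):          # 4xx, dropped session, incomplete log
        return Verdict.UNDETERMINED
    if token in delivered:
        return Verdict.OPEN_RELAY
    if token in bounced:
        return Verdict.ACCEPT_THEN_BOUNCE
    return Verdict.UNDETERMINED        # still in a queue somewhere

# Constructed sample sessions (documentation hostnames, not real servers).
REJECTS_AT_RCPT = """
S: 220 mail.example.org ESMTP
C: HELO tester.example.net
S: 250 mail.example.org
C: MAIL FROM:<probe@tester.example.net>
S: 250 2.1.0 Sender ok
C: RCPT TO:<probe-0001@tester.example.net>
S: 550 5.7.1 Relaying denied
C: QUIT
S: 221 Bye
"""

def accepted_session(token):
    """Constructed session in which the server queues the probe."""
    return """
S: 220 gw.example.org ESMTP
C: EHLO tester.example.net
S: 250-gw.example.org
S: 250 SIZE 10485760
C: MAIL FROM:<probe@tester.example.net>
S: 250 OK
C: RCPT TO:<{token}@tester.example.net>
S: 250 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: Subject: relay test {token}
C:
C: .
S: 250 Queued
C: QUIT
S: 221 Bye
""".format(token=token)

if __name__ == "__main__":
    delivered, bounced = {"probe-0003"}, {"probe-0002"}  # constructed results
    sessions = [("probe-0001", REJECTS_AT_RCPT),
                ("probe-0002", accepted_session("probe-0002")),
                ("probe-0003", accepted_session("probe-0003"))]
    for token, log in sessions:
        print(token, "| naive:", naive_verdict(log).name,
              "| evidence-based:", classify(log, token, delivered, bounced).name)
```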

    4. Re:Damn the vigilantes by driehuis · · Score: 2

      There are some of these groups that we've never had problems with because their testing methods are better.

      Could you name man and horse, please? I think the volunteers who set up the block lists deserve better than to be called vigilantes, especially if you then proceed to mention that there are some that are less evil than others.

      And likewise, which block lists publish the address of hosts that drop probes on the floor silently? I'd like to know what block lists to avoid or only use for tagging.

      For the longest time, I ran an outdated release of Postfix that would silently eat some of the probes, but I never wound up on any block list (and I know I was tested by a bunch of them because Postfix would forward the failed probe to me).

      --

      Bert Driehuis -- All I asked was a friggin' rotatin' chair. Throw me a bone here, people.

    5. Re:Damn the vigilantes by drteknikal · · Score: 2

      We've had problems with Earthlink, CWNet, and PacBell among others. These appeared to have been rolling their own solutions, and wrote amateurish scripts. Earthlink dragged on for almost a month, until I posted on /. and they contacted me directly. CWNet took two weeks and a minor threat (we're a law firm). PacBell is so heavily blocked themselves that I can't even get mail to them, we're still blocked six months later.

      We've had problems with ORDB, ORBL, DorkSlayers, OsiruSoft, and Selward/XBL. The last was the weirdest, most difficult to contact, and most belligerent. They blacklisted based on accepting the messages, and wouldn't delist until a week passed without receiving the messages - retesting only served to extend the delays. They don't recommend using their list for blackholing, and admit that it would block much legitimate email. Most of the others were straightened out within a week or so, though making initial contact with a human is always the most difficult step.

      I will rail against all of them as a class, based on my experiences with the bad ones. I feel justified calling them ALL vigilantes, because the term fits precisely. "One who takes or advocates the taking of law enforcement into one's own hands."

      Even with the ones that don't falsely list us, I'm annoyed at the number of bounced test messages I have to wade through. I didn't give anyone permission to test my mail server's capabilities or configuration, and view this as a form of harassment. Those test messages are worse than spam in my opinion, as they indicate a negative presumption on the part of the sender. Given that I work for a law firm, that kind of thing doesn't sit well.

      --
      http://drteknikal.blogspot.com/
    6. Re:Damn the vigilantes by winnetou · · Score: 1

      Selward/XBL. The last was the weirdest, most difficult to contact, and most belligerent.

      It is selwErd. If you had read the webpage, you would have noticed it is not a list of open relays. You probably were the 50th person that day telling me your mailserver was not an open relay and demanding I should remove its IP based on that.

    7. Re:Damn the vigilantes by driehuis · · Score: 2

      I will rail against all of them as a class, based on my experiences with the bad ones. I feel justified calling them ALL vigilantes, because the term fits precisely. "One who takes or advocates the taking of law enforcement into one's own hands."

      Hmm. So the ISPs and not the block lists are the worst test designers? Interesting.

      Dunno about the others, but ORDB at least only tests upon request, usually as the result of someone investigating a spam. But even if others were to test random swaths of netspace, it still doesn't merit the word "vigilante". I'm not sure of the dictionary definition of vigilante, but in common speech it is used most often in the context not of fact gathering, but in the context of handing out punishment.

      The alternative of delegating the task of testing a server for being an open relay to a service such as ORDB is to not test and just block the suspected IP space. This is, in fact, what a lot of Internet sites now do in response to spam from China and Korea.

      Oh, I almost forgot, of course there's the alternative of delegating it to the government of your choice. Do the math on that solution :-)

      --

      Bert Driehuis -- All I asked was a friggin' rotatin' chair. Throw me a bone here, people.

  81. Re:Huh? Jail time for fighting spam? by GigsVT · · Score: 4, Insightful

    No one is suing him, these are criminal charges. Criminal charges are brought by the state.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  82. Anyone local to the Domino admin, kick his ass by Anonymous Coward · · Score: 0

    So rather than trying to resolve this situation by getting his busted Domino server fixed, the admin called in the cops. How f**ked up is that?

    Anyone local to this Domino admin, please give them a hard time about it.

    1. Re:Anyone local to the Domino admin, kick his ass by Anonymous Coward · · Score: 0

      Posting the IP of his POS (tm) should be enough...

  83. So, are the PHP mailing lists spam now??? by bovinewasteproduct · · Score: 4, Interesting

    Ya, I've got a problem with spam. I had subscribed to the PHP mailing lists about 6 months ago, no big deal. Here about 2 weeks ago I no longer had a reason to need them and went to unsubscribe from them. I was told that the server would not take my email because my IP provider was in spews now.

    Now mind you, my server (on its own IP address) has NEVER sent out spam (I'm the only one who can send email from it and I've no reason to spam). It seems that some fscking idiot on one of the IPs in CA (my server is in MN) spammed and spews will BH all class C's of the owner no matter where.

    So now I get email I don't want and can't get rid of... Should I report the PHP mailing lists to spews as spammers? I'm on a list and I can't contact them to remove me, how is this different from the spammers? Easy to get on, impossible to get off of...:)

    BWP

    1. Re:So, are the PHP mailing lists spam now??? by Anonymous Coward · · Score: 0

      I'd do it.

      The people that use these vigilante groups are as guilty as the vigilantes themselves.

      Fuck 'em.

    2. Re:So, are the PHP mailing lists spam now??? by buss_error · · Score: 2
      It seems that some fscking idiot on one of the IPs in CA (my server is in MN) spammed and spews will BH all class C's of the owner no matter where.

      Look at the assignments from Road Runner vs. SW Bell. Bell lists the individual blocks assigned, Road Runner doesn't. How the heck can I effectively block a spammer, when I don't know his netblock assignments? I can guess, assuming I have time. I really don't have time.

      OTOH, I'd be a bit red in the face if I was lumped in with spammers too.

      From a previous post about spam, we are now blocking all 202, 203, 210, 211 IP ranges, and most of 218 too. 200.128 - 200.255 is next.

      --
      Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
  84. Re:The open relay testers send me unsolicited e-ma by RevDigger · · Score: 1

    Well, I guess that came off jerky, and since there's no more ORBZ mailing list archive, I can't point out the extended discussion on the subject, so...I'll let it go and hope you enjoy your double-bounces I guess. :)

  85. the darkness of legalese spreads like cancer ... by Anonymous Coward · · Score: 0

    solution simple, outlaw lawyers

  86. Re:The open relay testers send me unsolicited e-ma by Anonymous Coward · · Score: 0

    You mean

    #echo "@orbz.org" >> /var/qmail/control/badmailfrom

  87. Don't put words in my mouth by Mr.+Fred+Smoothie · · Score: 2
    I was responding to your comment:
    It's not a product that can be regulated, or made 'safely.'
    I never proposed a specific regulation, nor did any of the parent posts. As a matter of fact, the poster to whom you responded said explicitly:
    Nobody said anything about more laws - they implied that existing laws for negligence should be used to force the appropriate parties to fix their software.
    Now you say:
    If every piece of software adhered to current best practices, we wouldn't have any new innovation would we?
    and.
    Regulations should never be applied unless they are absolutely necessary - i.e. in the case of personal safety
    Your first statement is prima facie ridiculous.

    As for the second, what about the case where there were actual damages other than the loss of life or personal injury? For instance, a vulnerability or deficiency in your software leaks sensitive user data worth millions to an attacker or the public, resulting in your user going out of business, or losing substantial sums of money?

    In that case, I don't see why software developers should be exempt from the same "due care" measure of negligence that *every other person* in *every other situation* in our society is. Does that mean I think that you should be able to sue for negligence if the spell checker in your email program doesn't fix your mistakes and makes you look stupid in your email correspondence? Maybe. But hopefully a judge or jury would realize that in that case no standard of "due" care was violated, and if you're lucky, penalize the plaintiff for filing a nuisance suit.

    I think our existing laws about negligence have the right idea, and software developers shouldn't get some "magic" exemption.

    Note, in some states and in front of some judges, your EULA might be ruled unenforceable anyway, and existing law will be brought to bear and you'd be out $$$ anyway, sucka.

    --

  88. IBM/Lotus has known about this for a while? by seantrue · · Score: 1
    The thread in which Ian reported this at Bugtraq has a comment to it saying that the bug had been reported to Lotus in 2000.

    "It was reported in vuln-dev list on May, 20 2000 by SMILER in same time with SMTP buffer overflow in Lotus. I wonder why it's not patched yet."

    There is a note to that effect on www.security.nnov.ru.

    It's two years since the report, so one might expect a fix in Lotus any time now.

  89. NOOOOOO! by tuxlove · · Score: 1

    This was a totally cool project. I depended on it. It stopped lots of spam. I will never use another Lotus product. Not that I ever did.

    1. Re:NOOOOOO! by Skapare · · Score: 2

      I have administered Lotus Notes before. It was a RPITA ... worse than even sendmail. It's definitely something to be avoided, and where it can't be avoided, front-ended with another mail server (which I did).

      --
      now we need to go OSS in diesel cars
  90. Indeed, a relay probe is spam. by Russ+Nelson · · Score: 2

    You would think that Ian would have gotten a clue from all the people whom his probes angered. If he only restricted himself to testing systems for which he had spam on record, then he would have a defense. "Yes, your honor, I crashed the system, but I was only defending myself against more relayed spam." As it is, he had to fold because he has no justification for probing those systems.
    -russ

    --
    Don't piss off The Angry Economist
    1. Re:Indeed, a relay probe is spam. by Anonymous Coward · · Score: 0
      I think a lot of the posters are missing some things. The problem as I see it with ORBZ, et al is threefold:

      1) They set themselves up as email vigilantes. They have no authority or sanctioning from anyone to do what they are doing.

      2) My experiences with these types of sites has been that they don't bother to get any verifiable evidence before they start probing. Makes it very hard to defend your actions.

      3) As far as I have been able to tell having an open relay email server is not illegal!


      Testing a suspected relay without authorization and crashing the email server is activity that in some jurisdictions is illegal. It's akin to entering an unlocked office building and trashing the place and then trying to defend yourself by saying it was the owners' fault for not locking the door.

      They are causing the company whose server they crash loss of their property, loss of employee time, and possibly loss of revenue. All under the guise of "it ain't right".

      Again the motives are laudable, but that don't make them right in the eyes of the law. The companies affected could take civil action, but in this case, it sounds like the state of Michigan was looking for someone to make an example of.

  91. Re:The open relay testers send me unsolicited e-ma by Russ+Nelson · · Score: 2

    That doesn't work, just as it doesn't work for most spammers. You see, like most other spammers, ORBZ lies about its hostname.

    -russ

    --
    Don't piss off The Angry Economist
  92. Why or.orbl.org is listed twice?? by BACbKA · · Score: 2, Interesting

    Thanks for the .mc snippet,
    but can you please explain why do you have
    the open relay blockage listed twice?
    Won't this result in extra query per each
    incoming email?!

    FEATURE(dnsbl,`or.orbl.org', `Mail from $&{client_addr} refused: See http://or.orbl.org/ (ORBL)')
    FEATURE(dnsbl,`or.orbl.org', `Mail from $&{client_addr} refused: or.orbl.org. See http://www.orbl.org/')

    --

    VKh

    1. Re:Why or.orbl.org is listed twice?? by winnetou · · Score: 1

      orbl isn't active anymore, see the NANAE FAQ. The ORBZ in that FAQ is ORB UK, not the ORBZ that was recently shut down.

  93. Re:The open relay testers send me unsolicited e-ma by Russ+Nelson · · Score: 2

    "Professionally" my ass. Ian lied about the source of the email. He used envelope sender addresses which would not return a bounce message back to him. He used envelope recipient addresses which were not only invalid, but which were specially crafted to break through a server's anti-relay defenses. These are the actions of a professional, yes -- a professional spammer.
    -russ

    --
    Don't piss off The Angry Economist
  94. asif I trust anything but sendmail anyway! by Anonymous Coward · · Score: 0

    jeez, I don't even USE anything but sendmail. If I start a job or do a consulting gig, and let's say the company is using exchange, domino, whatever. EVEN IF THEY USE SENDMAIL.

    Whatever the box is, I ALWAYS create a very secure linux box, install sendmail, set up forwards and put the rules together (milter) to block spam and block certain extensions to give whatever downstream mail server some extra breathing room so it doesn't have to use its own anti-virus software to try to clean every piece of email out there. Usually people complain, but once you remove it, they see the light when the proverbial dog waste hits the fans. If that has happened already, even the suits can tell what a good difference this makes.

    I don't trust ANY mail server cept sendmail. ALL others are cheap imitations and limited in value to what I think is required (i.e. good spam filtering capabilities, good plugins, write your own scripts/proggys to go in there, world wide support, etc...)

    Nothing ever has been able to come close (other than the clones, etc...)

    At the very LEAST, if some admin doesn't want to deal with hard issues like actually learning how to use the pre-processor (HA) or using a simple 3 line pre-processor config file that essentially makes the server secure as could be expected and is HIGHLY visible in their documentation, etc... That person shouldn't BE an admin. I taught some of my junior guys how to set this up. Most of them are microsoft weenies. They took to this like flies on sugar. They ate it up and loved every minute of it. Even they saw the fruitless hope that exchange should ever EVER be externalized as a company mail server.

    I think this "middleware" solution that lets a known security-averse enterprise mail software stay within the confines of the firewalls, and lets a real mail software act as its proxy. I don't see doing it any other way.

  95. There are OTHER OPTIONS!!!! by Zunni · · Score: 1

    Centrinity creates a commercial alternative for mail/web/ftp/Unified Messaging. It runs on Windows as well as Mac servers with Linux server/client coming soon. So there are always other options.

  96. What makes you think they are testing? by Anonymous Coward · · Score: 0

    I'd guess that a majority of those bounced messages are probably people wanting to make a list of open relays. Probably most of them are not on a crusade except a crusade to exploit your mail server. Why would someone who wants to illegally use your system resources come up and tell you how to prevent it from happening? Oh that's right they wouldn't.

    1. Re:What makes you think they are testing? by Ian+Lance+Taylor · · Score: 1

      I think they were testing because the messages came from the ORBZ machines.

  97. You thought that was bad by Anonymous Coward · · Score: 1, Interesting

    If the whiney Domino server admin types thought that was bad with ORBZ, now it's more than a little public what the bug is. I expect most Domino mail servers will be DOS'd to death from this in under a week. Stupid script kiddies.

  98. Bad Combination by fwc · · Score: 3, Interesting
    I'll be interested in seeing the outcome of this and seeing what the facts of the case are.

    I'm not sure how many of the slashdot crowd know this, but it was orbz policy not to stop testing a server when requested, unless requested in writing. If it was requested in writing, then they would stop testing the server and list them in orbz as an open relay.

    So, as an administrator you had the choice between being tested and being blacklisted even if your server had never relayed a single piece of mail. It was also typical of users of orbz to submit every ip address of every mail server they received mail from regardless of it being spam or not. This was encouraged by the orbz administrator. I'm assuming that this policy, in combination with the fact that the testing caused Denial of Service for certain users might be what caused this suit. If you know you are causing a Denial of Service problem and you don't stop especially if you are requested to do so, I'd suspect that is actionable. Ian's inflexibility as to the policy of either testing (and putting up with the DoS if you were a Notes user) or being blacklisted seems like a bad idea if you rephrase it like "Either you let me crash your server or I'll blacklist you", which might be what the people on the other side are thinking.

    Again. This is just my guess. I'm really interested in seeing the facts come to light in relation to this. I suspect that the fact that there was a fix available might be a way out for Ian, but I'll be watching with interest.

  99. Common sense? by Anonymous Coward · · Score: 0

    If common sense prevailed, this man would've been wiped from the face of the net a long time ago.

    Sure, I remember back in the day, when the net was akin to a good old Western - the fastest nuke, the fastest flood.. Someone pisses you off, you take them out.

    Guess what? That net's been gone for years. Get with the program - messing with someone's box is not acceptable, under any circumstances.

  100. Interesting... by BLKMGK · · Score: 2

    We run Notes here at work but no SMTP stuff. I've not gotten a delivery failure in about 11 months. Mail runs smooth and servers almost never go down. We have network outages moreso than we do mail server downtime. I run R6\RNext at home and so far in the months since it came out it's been rock solid. Not exactly handling a ton of mail or WEB access but for beta it seems pretty good.

    I dunno' - not disputing what you've seen but administered properly Notes is a pretty good product IMO. I'll grant that mail chimes aren't "instant" but that's a client issue not a server delivery problem. Hell, if my mail chimed as soon as something dropped in the box I'd have to turn it off or go deaf! ;-) Here in the office we've got quite a few people so mail gets delivered every few minutes on a busy day - the servers certainly do work hard. Oh, and none of that single object store crap going on either!

    More on topic.. the latest RNext code supports an RBL! Unfortunately it looks like you've got to actually subscribe to it in order to use it - no thanks. I'm not sure how easy it would be to use another RBL but I'm hoping Lotus makes it an option. Locking down relaying also looks to be a little easier in this incarnation with things spelled out more clearly in the setup etc.

    Whoever it is that's suing shouldn't have a leg to stand on since this is a bug in the server code - fixed by Lotus in later revisions. You would think that these folks would want to have a secure server, perhaps if their identity could be found out some SPAMMING SCUM could utilize their services? Might that teach them a lesson? (sigh) A shame one of the good guys is being forced out over this, I think identifying them for all to see and SHUN would be a very good idea...

    P.S. Agree on what IBM has done to Lotus. Lots of firings and general disruption. Glad I never went to work for them! Friends did though and are now much poorer for it...

    --
    Build it, Drive it, Improve it! Hybridz.org
  101. Re:The open relay testers send me unsolicited e-ma by Anonymous Coward · · Score: 0

    Umm, of course Ian would use spammer tactics to try and get around a server's anti-relay defenses because, wait for it...wait for it...THE SPAMMERS ARE ALREADY USING THOSE TRICKS!

    You'd have a larger dose of credibility with your objections if you didn't publicize the fact on your site that you are active in other anti-spam projects. It leads one (me, anyway) to think that you have some ulterior motive for attacking like you are.

    [I'm AC because I don't care and you shouldn't either!]

  102. Hate to say this, but it's not such a bad thing by JonathanF · · Score: 2, Interesting

    As a tech support rep for a not-so-small ISP, I can't help but think that the shutdown of an anti-spam blacklisting service would be a good thing.

    One reason is that it often feels like they're overbearing - all too eager to put an ISP on the list (regardless of the relative quantity of spam) but not so eager to take them off. I can't help but think of the blacklisting of Hollywood stars in the '50s for communist beliefs; real or just perceived, you became a scapegoat for the real source of the problem (in this case, the actual spammers).

    The other and personally more important reason is that it creates unrealistic expectations of ISP response. I once had a customer who expected us (the ISP) to change the mail server over to closed-relay (I don't even know if it WAS open-relay then) simply because he - one person - could not get Bigfoot's mail forwarding to work, as they used a blacklist site that happened to include our mail servers. To someone in tech support, that's about the same as asking "can you give my modem more bandwidth?" It sounds selfish and shows the relative ignorance of the customer.

    Basically, these blacklists convince people that their ISP is some sort of monster (I don't think most ISPs say "let's go open-relay so companies we don't profit from can spam people!"), and worse in that they convince users that they can get support for things the ISP doesn't operate, just because they asked about it. How many of these blacklist sites warn you that most ISPs can't support the services of other companies? Almost none (if any). How many ask you to contact your ISP if their servers are on the blacklist, regardless of where the conflict is? Probably most (if not all) of them. As a result we get customers like the one I had, who are told by the site to contact us and expect us to change a major aspect of the service just because a single person (and we've had very few people in total) said so.

    Besides, how much of this actually works? I believe most of our servers are now closed-relay (that customer wasn't the impetus, of course) but customers still get all kinds of spam, and they still think it's their ISP's fault (I've had customers tell me that WE were the spammers, that we sold their e-mail addresses, and so on). On top of this we get customers who actively complain that they can't send mail from accounts with us when they're away, when they could before.

    It's not absolutely dire, but really... just like McCarthy, spam blacklists can frequently pass beyond genuine concern into unhealthy paranoia.

    1. Re:Hate to say this, but it's not such a bad thing by winnetou · · Score: 1

      I once had a customer who expected us (the ISP) to change the mail server over to closed-relay (I don't even know if it WAS open-relay then)

      RFC 2505 was published February 1999, it is BCP 30.

      I believe most of our servers are now closed-relay

      In my honest opinion "believing" is not enough nowadays.

    2. Re:Hate to say this, but it's not such a bad thing by JonathanF · · Score: 1

      Well, one thing I do know is that most SMTP servers can't be used when you're not on the 'native' connection, and when on dial-up you usually (but not always, I've found) have to specify that you're logging into the server in your settings. That's enough to at least deter "casual" spamming.

      Anyways, what's this about RFC 2505 and BCP 30? In my line of work the only concern is "open-relay" versus "closed-relay," and that's about it. My particular situation doesn't require me to work on the servers themselves.

    3. Re:Hate to say this, but it's not such a bad thing by winnetou · · Score: 1

      Anyways, what's this about RFC 2505 and BCP 30?

      Oops, sorry. RFC is an acronym for "Request for Comments", RFCs as published by the IETF (Internet Engineering Task Force) often have those comments already incorporated. RFC 2505 is "Anti-Spam Recommendations for SMTP MTAs".

      Some RFCs are merely (but often very) funny, like RFC 1149 ("A Standard for the Transmission of IP Datagrams on Avian Carriers"), others like RFC 2821 ("Simple Mail Transfer Protocol") can not easily be ignored.
      BCP means "Best Current Practice", technically not required, but rude if one ignores it. An intranet is IP-based too. ;-)

  103. Thank you! by BLKMGK · · Score: 1

    Will be testing my Notes server ASAP! Appreciate the info and the link. I've been wondering how best to test it for relaying... ;-)

    --
    Build it, Drive it, Improve it! Hybridz.org
  104. Why couldn't a SPAMMER simply... by BLKMGK · · Score: 1

    configure their server software to respond like a Domino server in that case? It cuts both ways - the server has to be tested regardless of what it claims to be...

    --
    Build it, Drive it, Improve it! Hybridz.org
    1. Re:Why couldn't a SPAMMER simply... by iabervon · · Score: 2

      The issue isn't spammers setting up their own servers as open relays. Spammers don't set up open relays; they use other people's open relays. If the spammers were setting up the servers, they would presumably have them only relay their spam, not everyone else's.

      The issue is when person A sets up their server wrong and person B sends spam through it; person A isn't responsible for the message and person B is impossible to find.

  105. Cease and Desist! by Anonymous Coward · · Score: 0

    Dear Spammer,

    Your recent letter "Make Money Fast!!!!!" crashed my mail server, which is allergic to sequences containing a prime number of exclamation points.

    This constitutes a denial of service attack on my mail server. We can settle for $10,000, or I can sue you for damaging my mail server. Your choice.

    P.S. Does anyone know where I can get a mail server that crashes on the phrase "This is a one-time mailing" ?

  106. Lotus, lighten up! by RinkSpringer · · Score: 1

    Geez, I can't believe this. This "DoS" is just a stupid programming bug. Let Lotus be ashamed of themselves, and NOT let perfectly good anti-spam sites pay for their own stupidity...

    If this continues, I fear we'd really have a problem. Suppose Microsoft DoS #1749 pops up, which happens to be triggered when someone appends a / to a file request... would then all search engines be sued because their spiders come up with faulty links in pages?

    C'mon Lotus, you should kick your programmers and *NOT* ORBZ!

  107. TheRegister has a more balanced/truthful story by Dave21212 · · Score: 1
    Regarding
    "Of course, if common sense prevailed, it would be the mail server vendor in court for producing insecure mail server software, not a third party for happening to send requests that unintentionally crash poorly-written servers."

    As a Notes developer/admin with 7+ years exp., let me inform anyone here who doesn't know, that the Timothy's (both the poster and apparently the editor?) have written a gross exaggeration and obviously biased opinion.

    Check theReg for a more balanced and truthful approach, and be sure to note the update at the bottom of the story.

    Lotus has always been highly responsive to the very, very few issues that they have had to issue updates for. Suggesting they should be "in court" only demonstrates the bias and a lack of simple fact checking.

    From theReg:
    A Notes administrator has kindly informed us that the potential undetected routing loop bug which is the focus of all the flak was fixed in Lotus Domino version R5.0.9. You can read the details on this here.

    With normal anti-relay configuration in place, the exploit didn't work anyway, according to the admin.

    "There was an additional workaround available, for situations where normal anti relay settings couldn't be used. This vulnerability never has been a big issue, in my opinion," he writes.



    p.s. For you slashdot posters who apparently didn't RTFA, Lotus and IBM aren't suing anyone, some idiot admin is going after ORBZ and ORBZ is using this as an excuse to close up shop... seen that one before !!!

    Thanks - Domino Dave
    --
    "Whoever would overthrow the liberty of a nation must begin by subduing the freeness of speech."--Benjamin Franklin
  108. Why can't they just avoid this test with Domino? by Fastolfe · · Score: 2

    SMTP servers usually announce their name and version, right? These probes are relay probes checking for all of the various ways spammers can relay spam through a mail server, right? Why can't the probes simply skip this particular test, or use a slightly different relay test when it comes across an SMTP server carrying the Lotus signature? Sure, it means ORBZ is slightly less effective at identifying a potential SMTP relay, but it also doesn't DoS a buggy/misconfigured mail server and risk legal action.

    It seems like this would be a better solution to the problem than simply throwing in the towel.

  109. There is no valid configuration which should do it by Skapare · · Score: 4, Interesting

    There is NO VALID CONFIGURATION which should result in an infinite loop on the bounceback. If there are ways to configure to avoid it, great. But there shouldn't be a way to actually configure it to do this, and it most certainly should NEVER be the default setup.

    When mail is sent to a bad name, and it attempts to bounce back to the apparent sender, it should first recognize that it is connecting to itself. Failing that, the sender of the bounce message should either be a valid box to collect failed bounces for the postmaster to clean out, or it should be a null address which gets discarded. A bounce should never trigger another bounce, either on its delivery, its failure to deliver, or its return. In this, Lotus Notes/Domino is a defective software product and needs to be fixed. I recommend that Ian Gulliver ask his attorney about filing a motion of interpleader to bring IBM into the case as a defendant, if the plaintiff continues to pursue it. If IBM (which just stuck a big ad in my face here on /. spouting off about their security) can't fix this, then they are the ones who should be paying up.

    --
    now we need to go OSS in diesel cars
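
Added example (not part of the original thread, and not any mail server's actual code): a small Python model of the bounce rules argued for in comment 109 above. It compares a handler that bounces every failure from an ordinary sender address with one that sends bounces from the null sender `<>` and never bounces a bounce. The domain, the mailbox names and the `noreply` address are constructed for illustration.

```python
"""Constructed model of bounce handling; it does not reproduce any real server."""
from collections import deque
from dataclasses import dataclass

NULL_SENDER = ""                      # the SMTP null reverse-path, "<>" on the wire
LOCAL_DOMAIN = "mail.example.test"    # constructed: the only domain this host serves
MAILBOXES = {"postmaster", "alice"}   # constructed: mailboxes that really exist
DAEMON = "noreply@" + LOCAL_DOMAIN    # naive bounce sender; no such mailbox exists


@dataclass(frozen=True)
class Message:
    sender: str       # envelope MAIL FROM ("" means <>)
    recipient: str    # envelope RCPT TO


def route(address):
    """Classify an address as 'local', 'remote' or 'unknown' (our domain, no mailbox)."""
    local, _, domain = address.rpartition("@")
    if domain.lower() != LOCAL_DOMAIN:
        return "remote"               # some other host's problem in this model
    return "local" if local.lower() in MAILBOXES else "unknown"


def naive_on_failure(msg):
    """Always bounce, using a normal-looking sender: a failed bounce bounces again."""
    return Message(sender=DAEMON, recipient=msg.sender)


def safe_on_failure(msg):
    """Bounce from the null sender, and never generate a bounce for a bounce."""
    if msg.sender == NULL_SENDER:
        return None                   # undeliverable bounce: dead-letter it, stop here
    return Message(sender=NULL_SENDER, recipient=msg.sender)


def run(first, on_failure, limit=1000):
    """Process the queue until it drains or `limit` messages have been handled."""
    queue = deque([first])
    stats = {"processed": 0, "bounces": 0, "dead_letters": 0, "hit_limit": False}
    while queue:
        if stats["processed"] >= limit:
            stats["hit_limit"] = True  # queue is still growing: a mail loop
            break
        msg = queue.popleft()
        stats["processed"] += 1
        if route(msg.recipient) != "unknown":
            continue                   # delivered locally or handed to another host
        bounce = on_failure(msg)
        if bounce is None:
            stats["dead_letters"] += 1
        else:
            stats["bounces"] += 1
            queue.append(bounce)
    return stats


# Constructed input: both envelope addresses claim the local domain, neither exists.
UNDELIVERABLE = Message(sender="ghost@" + LOCAL_DOMAIN,
                        recipient="nobody@" + LOCAL_DOMAIN)
# Constructed input: a real local user mistypes a recipient.
TYPO = Message(sender="alice@" + LOCAL_DOMAIN, recipient="nobody@" + LOCAL_DOMAIN)

if __name__ == "__main__":
    print("naive:", run(UNDELIVERABLE, naive_on_failure))
    print("safe: ", run(UNDELIVERABLE, safe_on_failure))
    print("typo: ", run(TYPO, safe_on_failure))
```

With the safe handler one message produces at most one bounce, and a bounce that cannot be delivered ends in the dead-letter count instead of re-entering the queue.
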
  110. The return address is perfectly valid by Skapare · · Score: 2

    That return address is a perfectly valid one for which bounceback loops make no sense in compliance with email standards. Some defective mail servers check the sender address to determine if the mail should be sent to the recipient address, and if that sender address is "local" it allows it to go on. The test ORBZ was doing was a perfectly valid test that should never be forwarded on (but some mail servers see it as a local sender), and wouldn't bounce infinitely in a properly designed mail server.

    --
    now we need to go OSS in diesel cars
  111. Re:The open relay testers send me unsolicited e-ma by Anonymous Coward · · Score: 0

    Perhaps he thinks Ian is a creep, and that Ian makes it harder for people who aren't as weasely as he is to fight spam.

  112. Re:What about currently Blackholed domains by Tyrall · · Score: 1

    That's incorrect.

    ORBZ is(was) a DNS-based system, which is about as close to real time as you can get. No DNS server, no lookup, no blacklisting.

    ORBZ and ORDB are examples of how open relay lists SHOULD be run; fully automated, with no human 'opinions' causing the sort of grief that MAPS and ORBS generated.

    Ian, your service will be greatly missed.

  113. All RBLs with attitude will end up dead by Anonymous Coward · · Score: 0
    All the RBLs that have people with "attitude" running them will end up gone sooner or later.

    Step on too many people's toes, and someone will kill/hurt you whenever they can, for whatever they can.

    Perhaps there is something to be learnt from this.

    However, I DO think that good, semi-automated, responsible services like Spamcop will prevail. The owner has no bad attitude and is friendly, the system works very well, and the RBL rarely rarely blocks legitimate email, unlike other lists that block most/all of Asia and Europe.

  114. Not only that... by schon · · Score: 2

    if an IP was verified clean then it could not be resubmitted within 30 days

    Not only that, but if an IP address couldn't be tested (because it was down, or there were network problems, for example) then it was marked "clean" - and wouldn't be retested within 30 days.

    1. Re:Not only that... by Zocalo · · Score: 2
      I suspected that was the case, but never really checked into it. All in all, while any anti-spam efforts are better than none, ORBZ's scripts needed to be much better than they were to be effective. Still, to be fair, it was a free service, so you can't really criticize too much, and it was probably ideal for some people's anti-spam efforts.

      And it's still a victory for the spammers, dammit!

      --
      UNIX? They're not even circumcised! Savages!
  115. Re:The open relay testers send me unsolicited e-ma by Skapare · · Score: 2

    If you want double bounce messages, that's your business. If you don't want them, you do know how to turn that off. Using local sender address is a way to fool many mail servers into relaying spam, so it is a valid test. If your mail server deals with this poorly, that's your problem. You can also filter your double bounces from your mailbox based on the headers. Do what you need to do.

    --
    now we need to go OSS in diesel cars
  116. Re:The open relay testers send me unsolicited e-ma by Skapare · · Score: 2

    Ian was mimicking a spammer to carry out the test. So of course it can look like a spammer to those who fail to check the origin of the connection. Most of my servers have been tested, and I've never had a problem with it. Of course the tests must be specially crafted to break through the anti-relay defenses when the server is programmed or configured in a way that allows anyone to break through, as spammers can, and probably do. Calling Ian a spammer is absurd. He has not sent bulk mail.

    --
    now we need to go OSS in diesel cars
  117. Re:The open relay testers send me unsolicited e-ma by Ian+Lance+Taylor · · Score: 2

    It seems to me that a spam e-mailer would make similar arguments. ``You get e-mail you don't want? That's your problem.''

    What's the difference?

    Is the difference just that ORBZ e-mail testing is good? What if I disagree? I'm sure some spammers think that their e-mail is good. Is their spam OK? Why is ORBZ right and the spammers wrong? Either way I get unsolicited e-mail in my mailbox.

  118. this has been tried before too by ahodgson · · Score: 1

    This has been tried before. I was the original creator of ORBS, and operated it for less than a year. In that time I had the RCMP contact me once because some idiot accused me of criminal acts in association with testing open relays.

    I don't recall exactly, but I believe it was due to something very similar on some pos Mac mail server. Although I think it was the notices I was sending them (to postmaster@[ipaddress]) that caused the problem.

    Fortunately, after I explained exactly what I was doing and why, the officer was nice enough to blow off the investigation. I guess the cops down south aren't as smart.

    Having said that, in this case, given that the test in question is fairly useless in most cases (of all open relays, I'd guess 99.9% can be identified with a single simple test), I personally would have just stopped sending that particular test to Domino servers.

    It's too bad. ORBZ was by far the most effective open relay list out there. I hope ORDB and Osirusoft can make up for the loss.

    My biggest question on this matter is this - what does Ian hope to accomplish by closing? If he's already been accused of committing a criminal act, does he think it will go away if he just stops doing it? I really don't think that's how these things work. I certainly do hope things work out well for him, though.

  119. No, a probe is NOT spam - it's OPEN RELAYING by Skapare · · Score: 2

    The mechanism Ian was using was OPEN RELAYING. Open relaying was quite common before commercialization came to the internet, and it wasn't considered to be spam, then. Why should it be considered to be spam now? The definition of SPAM involves the bulk transmission of email. This bulk aspect is what causes the problem we fight against. Open relays are one of the mechanisms spammers have abused (remember, at one time, open relaying was a good thing when the internet was benevolent). When Ian sent a probe, as long as he didn't send bulk mail to many different addresses, it was NOT SPAM!

    That said, he DID make a mistake in failing to stop sending to that server when the administrator complained. What he should have done was list the server as "will not test" and let us block mail coming from there under the principle that I cannot trust whether it is, or is not an open relay (I prefer not to accept mail delivery at the SMTP protocol layer from a server believed or suspected to be an open relay because it defeats my efforts to block sources of spam). This presumes that the administrator of that broken Notes server (double bounces as in qmail might be an annoying feature, but infinite bounces as in Notes is a blatant defect) did notify him. If not, then I place no blame on Ian whatsoever.

    --
    now we need to go OSS in diesel cars
  120. Re:The open relay testers send me unsolicited e-ma by Skapare · · Score: 2
    ``You get e-mail you don't want? That's your problem.''

    Of course it's my problem. I take care of my problem by not accepting mail from places I believe may send spam. Then it's up to them to decide whether they want to continue their ways, or change their ways. ORBZ email testing did not disrupt my servers. I see no basis to believe those probes would disrupt any properly designed and properly configured servers. ORBZ provided useful information for me to further my aims to prevent incoming mail from misconfigured and broken mail servers. As long as ORBZ was not sending their probes in bulk, I don't see it as spam.

    --
    now we need to go OSS in diesel cars
  121. Re:The open relay testers send me unsolicited e-ma by Ian+Lance+Taylor · · Score: 2

    To me, spam is unsolicited e-mail. I don't know what sending in bulk has to do with anything. I just care about what winds up in my mailbox.

    You're right in that I should have just refused to accept mail from ORBZ. Unfortunately, doing so would have caused me to be listed in ORBZ, and thus caused others to not receive my e-mail. Catch-22: refusing to accept spam would have caused me to be labelled as a spam generator.

    My main point, from the post which started this thread, is simply that I believe that ORBZ was acting in a hypocritical fashion, which is a risky position from which to take a moral stand.

  122. It's the Michigan law enforcement morons fault by Performer+Guy · · Score: 2

    So contact the damned morons in the Michigan justice department, contact the governor, contact the local media there. What a shower of incompetent asinine fools. They're supposed to be defending the public interest not assaulting it. They have removed a valuable public service to the world under the guise of doing the opposite. This kind of inexcusable stupidity by Michigan authorities makes me furious. Why don't those incompetent morons go catch some real DoS criminals. Oh wait, that would require some real investigative work on the part of some damnably stupid people there. It's too much to hope that these idiots will be held accountable for their wanton vandalism here.

  123. Re:The open relay testers send me unsolicited e-ma by Skapare · · Score: 2

    So if you post online, and your email address is available, and someone replies by email directly, instead of doing an online followup, you consider that spam? I don't.

    Take a look at the history of the term "spam". It came from a skit on Monty Python's Flying Circus where the term "Spam", in reference to a processed pork meat product, was repeated extensively in the skit. Later, this skit was repeated in online MUD games, and morphed into repeats of many other words. But the term "spamming" developed there as a result of the pointless repeating. It then was used in reference to repeated online postings to multiple newsgroups in Usenet, and from there to email.

    The bulk postings on Usenet don't have any particular "solicited" attribute. Spam is unacceptable because it cannot scale. It's not something that is practical for "everyone to do it" due to the lower sender cost and high receiver cost.

    The term "unsolicited" was added later to distinguish the most hated forms of spam which are sent to harvested email lists gathered from various sources unrelated to preferences in receiving commercial announcements. The terms "spam" and "unsolicited" do intersect, but are not the same set.

    If you don't want to make it possible for specific parties to determine whether your mail server can or cannot be exploited by others who have bad intents, then I don't blame them for then listing your mail server as one that the safety of which cannot be determined. I would then not want to allow my mail server to accept any mail from your mail server due to the risk that such mail may in fact be the spam that has exploited your server.

    All you need to do is to refuse to RELAY the mail in the probe. Then discard the bounce-back when it has the string "sender.orbz.org" in the headers. They are NOT depending on the bounceback coming back; just depending on the delivery not being completed in the original probe. Don't reject the probe ... just reject the forwarding/relaying of the probe.

    IMHO, ORBZ was doing a fine job, and doing it reasonably well. I don't see their probe as being "spam" (yes, it is technically "unsolicited", but that's not the issue I concern myself with), and I see their database as useful in rejecting delivery attempts from risky servers. I will miss them. I've already gotten 5 spams today, well exceeding my recent average of about 1 per day (with about 50 rejected per day to just my own email addresses). I hope they find a way to get back online, and I hope you find a way to make your mail server operate smoothly even with these probes. The only problem I'd see is if hundreds of people started up their own system of probes.

    --
    now we need to go OSS in diesel cars
  124. Big 3? by pantywaste · · Score: 1

    One of the big automakers has 130,000 Notes seats, and this was filed in Michigan. Also, EDS is a major contractor for same.

  125. Re:The open relay testers send me unsolicited e-ma by AX.25 · · Score: 1

    And where did he lie about the source? Below is an example orbz email. I see orbz.org all over it. (I've removed everything that could identify me or my mail servers and replaced that with x's. I've also removed the greater-than and less-than symbols around the email addresses so /. would display them)

    Return-Path: bounce-xxxxxxx@localhost
    Delivered-To: xxxxx-xxx@xxxx.com
    Received: (qmail xxxx invoked by uid xxx); xx xxx xxxx xx:xx:xx -0000
    Delivered-To: xxxx-xxxx@xxxx.com
    Received: (qmail xxxx invoked by xxx); xx xxx xxxx xx:xx:xx -0000
    Delivered-To: relay%orbz.org@localhost
    Received: (qmail xxxx invoked by uid xxx); xx xxx xxxx xx:xx:xx -0000
    Received: from bounce-xxxxxxx@localhost by xxxx.com
    by uid 527 with qmail-scanner-1.10 (avp. Clear:0. Processed in x.xxxxx secs); xx xxx xxxx xx:xx:xx -0000
    Received: from sender.orbz.org (HELO orbz.org) (sender@205.231.149.53)
    by xx.xx.xx.xx with SMTP; xx xxx xxxx xx:xx:xx -0000
    Message-ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.1.4@orbz.org
    Date: xxx, xx xxx xxxx xx:xx:xx +0000
    From: bounce@orbz.org
    Errors-To: bounce@orbz.org
    To: relay@orbz.org
    Subject: ORBZ Test

    This is a test message from the ORBZ service. We are checking your
    mail server for open relay capabilities. The receipt of this email in
    no way indicates that you are running an open relay.

    If you are interested in the results of this test, see:

    http://orbz.org/?xx.xx.xx.xx

    If it turns out your server fails the test and is an open relay,
    spammers might be stealing your bandwidth. In fact, ORBZ tests are
    often triggered by forwarded spam. In this case, you can find
    information on how to secure your mail server at:

    http://mail-abuse.org/tsi/

    MAIL FROM:bounce-xxxxxxx@localhost
    RCPT TO:relay%orbz.org@localhost

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx(removed unique identifier)

    --
    What is pirate software? Software for inventory of stolen treasure?
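The handling described in the comments above (refuse to relay the probe, then drop the message carrying "sender.orbz.org"), applied to the envelope quoted in the previous comment. This is an added example, not part of any poster's comment and not ORBZ's code; the local domains, trusted networks, function names and sample message are constructed assumptions.

```python
import ipaddress
from email import message_from_string

# Assumed site settings, constructed for this example.
LOCAL_DOMAINS = {"example.net", "localhost"}
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]

# Constructed message modelled on the headers quoted in the comment above.
SAMPLE = (
    "Return-Path: <bounce-0000000@localhost>\n"
    "Received: from sender.orbz.org (HELO orbz.org) (sender@205.231.149.53)\n"
    "  by 192.0.2.25 with SMTP; 20 Mar 2002 12:00:00 -0000\n"
    "From: bounce@orbz.org\n"
    "To: relay@orbz.org\n"
    "Subject: ORBZ Test\n"
    "\n"
    "This is a test message from the ORBZ service.\n"
)


def is_local(domain):
    """True for our own domains and for loopback domain literals like [127.0.0.1]."""
    d = domain.lower().rstrip(".")
    if d.startswith("[") and d.endswith("]"):
        try:
            return ipaddress.ip_address(d[1:-1]).is_loopback
        except ValueError:
            return False
    return d in LOCAL_DOMAINS


def final_domain(rcpt):
    """Unwrap routing tricks in a recipient and return the domain mail would end up at."""
    addr = rcpt.strip().strip("<>")
    if addr.startswith("@") and ":" in addr:       # source route: @hop1,@hop2:user@domain
        addr = addr.split(":", 1)[1]
    for _ in range(10):                             # bound the unwrapping depth
        local, at, domain = addr.rpartition("@")
        if not at:                                  # no "@": bare local part or bang path
            local, domain = addr, "localhost"
        if not is_local(domain):
            return domain.lower()
        local = local.strip('"')
        if "@" in local:                            # "user@remote"@local, re-parsed by some MTAs
            addr = local
        elif "%" in local:                          # percent hack: user%remote@local
            user, _, remote = local.rpartition("%")
            addr = f"{user}@{remote}"
        elif "!" in local:                          # bang path: remote!user@local
            remote, _, user = local.partition("!")
            addr = f"{user}@{remote}"
        else:
            return domain.lower()                   # an ordinary local mailbox
    return "unresolved.invalid"                     # too deeply nested: treat as remote


def relay_decision(client_ip, mail_from, rcpt):
    """SMTP reply for RCPT TO. mail_from is deliberately ignored: a sender
    claiming @localhost earns no relay rights, only the connecting IP does."""
    trusted = any(ipaddress.ip_address(client_ip) in net for net in TRUSTED_NETS)
    target = final_domain(rcpt)
    if trusted or is_local(target):
        return "250 OK"
    return f"550 relaying denied for {target}"


def is_probe_message(raw_message, marker="sender.orbz.org"):
    """True when any header mentions the tester's host, so the message can be discarded."""
    msg = message_from_string(raw_message)
    return any(marker in str(value).lower() for _, value in msg.items())


if __name__ == "__main__":
    print(relay_decision("205.231.149.53", "bounce-0000000@localhost",
                         "<relay%orbz.org@localhost>"))
    print(is_probe_message(SAMPLE))
```
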
  126. Free and high-end commercial software same? by moncyb · · Score: 1

    Most open source software is written by students, hobbyists, and professionals in their spare time. They don't have the resources to extensively test their product. Nor is most of this software intended for companies to be dependent on its reliability, and if that company is dependent on the reliability of that software, it is implied that the company is responsible for verifying integrity for use in the company's systems.

    However, for a commercial product that was written, tested and sold for the specific purpose of a company operating their business with that software, then the vendor saying 'NO WARRANTIES', too bad if our massive amount of bugs ruin your operations, well IANAL, but it seems to me that this is a contradiction. In fact, I thought that people selling products could not legally warranty away certain types of liability.

    It would be absurd to sue a video game manufacturer for millions just because the game crashes every once in a while. Just like it would be absurd to sue someone who gave you a piece of software for free and it had some bug--any bug. Warranties were created so that buyers could have reasonable expectations of a product that is sold on the market. In free software there is no buyer, seller, or market--the product is given away.

    However if that same video game is so buggy it's unusable, then you should be able to take it back and be refunded the price you paid for it. Just like you can return free software and get nothing back--as the developers did when they gave it to you.

    Oh, and I don't think all "Open Sourcers" want everyone to only use free/open source software--I think that's mostly just the GNU mongers....

  127. Re:The open relay testers send me unsolicited e-ma by Russ+Nelson · · Score: 2

    See the part where it says Return-Path: bounce-xxxxxxx@localhost? That's the part where Ian is lying about his email address. His email address is not and has never been anything @localhost.
    -russ

    --
    Don't piss off The Angry Economist
  128. Re:The open relay testers send me unsolicited e-ma by Russ+Nelson · · Score: 2

    I had no opinion about Ian before he spammed me. Clearly that was not a good first impression for him to make on me! My opinion is that Ian is a teenager who has a sense of idealism -- that he should be able to create something wonderful, something perfect. His creation is a list of each and every open relay on the Internet. I have no problem with that. It is a worthy goal. Unfortunately, his methods involve sending fraudulently-addressed email to innocent SMTP servers. He and I disagree on whether he should use this method to discover open relays. He doesn't see anything wrong with this. I agree with him that testing for an open relay requires that he send such email. That would be perfectly fine if he was defending *his* SMTP server against attacks by someone running an SMTP client. It's perfectly reasonable to see if that host is also running an SMTP server which is an open relay. Self-defense is a perfectly fine reason for doing this. Ian went far, far beyond this, and tested (dare I say "abused"?) servers with no history of abuse. This is why he is now in the position of having to defend himself against charges of abuse.
    -russ

    --
    Don't piss off The Angry Economist
  129. Re:The open relay testers send me unsolicited e-ma by Russ+Nelson · · Score: 2

    By all means, explain what those ulterior motives might be. I am paid by nobody for my anti-spam efforts, so I have no pecuniary interest.

    My motives are exactly as I laid out on the orbz mailing list: I don't want to be attacked by open relay probes, and I don't want other innocent hosts to be similarly attacked. I have no problem with testing a host which has sent you spam. I have no problem with testing a host on behalf of someone who was sent spam. But unless you have a copy of the spam in hand, testing the host is completely irresponsible.
    -russ

    --
    Don't piss off The Angry Economist
  130. Good riddance by Anonymous Coward · · Score: 0
    I know this will start a jihad, but I'm saying it anyway. Good riddance! A few years ago I worked for a company that had a run in with ORBZ. A spammer (not affiliated with us) was using html in his spam and to save his own bandwidth href'd images from our servers without our permission or knowledge. Because an image in the spam came from our servers we were listed by ORBZ. We didn't find out until companies we dealt with told us they weren't getting our emails. Thanks for the courtesy warning, Ian.


    We contacted them and tried to clear it up, but it was like trying to get a pitbull to let go of another dog's throat. Once they thought they had a spammer they would never let go. It took months to get through to ORBZ that we had nothing to do with the spam. Even though the very samples of the spam ORBZ sent us with headers intact clearly showed it did not come from us. And the content of the spam clearly had nothing to do with us. Months! That's not reasonable. Within two days of getting on the list we had given them solid proof that we were not the spammers nor were we profiting in any way from it. But it took months to get them to just stop and listen.


    I know that Ian and his cohorts meant well. It was a great idea, and I really think it could work. But it's clear to me it went straight to their heads. From the way they dealt with us I got the clear image of a megalomaniac who stands in front of the mirror at night practicing his Lawn Mower Man speech, 'I am a God in here!'


    Yeah, I know, 'If you don't like the list, don't subscribe'. I don't. Regardless, if they are going to tell the world 'here's a list of spammers' then they bloody well have an obligation to make sure they're right. It seems to me they failed to do so. And a lot of people subscribed and for the most part blocked spammers (congratulations), but they also blocked legitimate domains with legitimate emails because ORBZ's policy was shoot first, ask questions later - much, much later.


    l8r

  131. Re:There is no valid configuration which should do by Skapare · · Score: 3, Insightful

    Me again. Elsewhere it has been noted that IBM has in fact fixed this a while back. In this case, (someone at) IBM should be called as an expert witness to testify that the bug is fixed and that the administrator of the defective system is negligent in having failed to apply the fix. Failure to apply fixes is a major cause of security and spam problems on the net, certainly costing at least hundreds of millions of dollars a year to clean up, and lost time and bandwidth dealing with the effects. Someone who fails to apply fixes in a timely manner (30 days tops) should be slapped very very hard.

    And we want to know who the hell it is that brought this complaint.

    --
    now we need to go OSS in diesel cars
  132. Give us their address by Anonymous Coward · · Score: 0

    Quick, give us the bastards' domain name, so we can show them that they picked the wrong target. They will have to sue the entire Internet to thwart abuse of their server!

  133. Re:The open relay testers send me unsolicited e-ma by AX.25 · · Score: 1

    He was trying known exploits to find out if a mail server sends spam and should be black listed. He never lied about the intentions of the email and so what if the Return-Path is forged, the point is if a mail is not returned to him it is not spam. My mail server can handle bounces no problem. If Lotus Domino can't then too bad for them and the idiots that use the swiss army knife type software.

    --
    What is pirate software? Software for inventory of stolen treasure?
  134. Re:Not so stupid question by mpe · · Score: 2

    Mail servers need to be configured to relay mail from the localhost (themselves). Otherwise, things just don't work. What using the 127.0.0.1 does is attempt to fool the mail server into thinking that the mail is coming from itself.

    Actually it doesn't, since most mail software uses some other form of IPC for local deliveries.

  135. Big deal! by BLKMGK · · Score: 2

    The rest of the message makes it more than a little plain that it was an ORBZ test doesn't it? Does context mean nothing to you? He did the same thing any bulk mailer would've done.

    I had my server tested by a different service last night, a Domino server in fact. It was found to relay (doh!) but I was able to fix it with a little reading and reconfiguring. I believe that some of the test messages I received also had faked fields just like the one above. In fact looking at some of the bounces it looks like the test even tried to spoof my upstream provider! My server survived just fine, I didn't receive tons of crap in my mailboxes, and in the end I've got a better server for it. If they HADN'T used the same sorts of tricks that a SPAMMER would've done then what good would the test have been?

    --
    Build it, Drive it, Improve it! Hybridz.org
  136. This is about Battle Creek, right? by Anonymous Coward · · Score: 0

    Any sysadmin who refuses to patch a program and instead goes for filing criminal charges deserves to have his system taken down hard...

    Anyone know the IP of this server in question?

    It would be really fun if millions all over the world send these 'malformed' emails to that server, effectively taking it down for a long time with new mails coming in from all over the world, repeatedly causing crashes until the thing is fixed, teaching that moron what a real DoS attack feels like. All these mails should contain the repeated phrase "I will patch my server and not file charges against people doing good work for all of us." which when repeated a gazillion times should penetrate the thick skulls of that sysadmin and his superiors... Hopefully anyway.

  137. Not a problem by mnordstr · · Score: 2

    I just thought I'd report how my mail server handled the shutdown.
    When I heard ORBZ was shutting down, I started to look for another service. After some research I decided to use relays.osirusoft.com and spew.relays.osirusoft.com. I've been running the server for over a day now with those filters, and I haven't received any spam (neither has any of the other users). Good mail has come through though =)

    I recommend the two services I mentioned here, they seem to work really well!

  138. City of Battle Creek netblock by Anonymous Coward · · Score: 0


    for those who might want to add them to their local firewall (after all if they are blocking relay testers, they could be wide open to relay spam through their server)...

    City of Battle Creek (NETBLK-TRLC-168-32-01)
    190 East Michigan Avenue
    Battle Creek, MI 49017
    US

    Netname: TRLC-168-32-01
    Netblock: 216.120.168.32 - 216.120.168.63

    Coordinator:
    Netops, Netops (NN603-ARIN) netops@trivalent.net
    (616) 222-9200 (FAX) (616) 222-9300

    Record last updated on 24-May-2001.
    Database last updated on 20-Mar-2002 19:58:52 EDT.

  139. oh... and ORDB by tweakt · · Score: 2
  140. Leave Battle Creek A Message ! by 0zzymandias · · Score: 1

    People are leaving messages on their Guestbook explaining how upset they are! I urge you to do the same.

  141. Open Relay Testing isn't unsolicited by Anonymous Coward · · Score: 0

    My servers were tested monthly by ORBS and then ORBZ, because I routinely submitted nominations to them. As such, I agreed to have MY servers tested just as often as spam relays are. Each and every test/probe generates a policy violation message to me on my servers, so I know within 5 minutes of such a test starting...

    ORBS, ORBZ, ORDB, MAPS, etc., do not test unsolicited. They don't go sweeping through an IP block and test every SMTP server they find, like spammers do. They only test servers that have sent spam to SOMEONE, often a spam trap. I have over a dozen such traps, hit daily... and anyone that does gets black listed, at least on MY servers.

  142. RBLs by Anonymous Coward · · Score: 0

    I'm not sure, but you might check into http://www.ordb.org and see what kinds of subscriptions they offer. Something tells me you might like the terms.

  143. The patch has been out... by sean.peters · · Score: 1

    Yup. Patch has been available for some time now... I believe it was fixed in 5.0.9, which has been out for at least several months. Sean

  144. It wasn't IBM who launched the lawsuit. by sean.peters · · Score: 1

    That would be unimaginably silly. The suit was filed by the city of Battle Creek, MI, which was running an unpatched version of Domino, and now wants to blame its troubles on ORBZ. Sean

  145. You are correct! by sean.peters · · Score: 1

    It does by default identify itself as a Domino server in the greeting. Of course, you can turn this off if you want, but an admin who knew enough to turn off that feature would probably a) be smart enough to turn off mail relaying and b) be smart enough to keep up to date with his Domino patches! Sean

  146. Thanks by JonathanF · · Score: 1

    Thanks for the clarification - you'd think I would research this myself, but I figured that getting the answer directly might get the most accurate response (honest!).

    Personally I agree about being careful about the SMTP servers; I'm just not that enthused with customers who contact me and are convinced that an ISP with tens of thousands of users in their area alone can just flick a switch and change the mail servers because they said so. It's much like the customers we get who ask for "more bandwidth" not because it's slow, but because they think they can get special treatment (and of course, they don't even think that they might have to pay for it if it's available).

    Now, if a group (unofficial or not) asks a concern of theirs to be looked into by the ISP, that's one thing... but I think far too many users basically think that they own the ISP because they pay X amount of dollars per month.