Slashdot Mirror


ORBZ Shuts Down

Tim Jackson writes: "In a depressing development for those wanting to protect themselves against spam, it appears that popular open relay database ORBZ (formerly at www.orbz.org) has shut down effective immediately - see here for the final post from ORBZ admin Ian Gulliver on the ORBZ list explaining the reasons behind the closure. The 'Lotus Domino' issue he refers to is the issue he discovered in the course of running ORBZ and reported to Bugtraq, which means that certain SMTP envelopes (such as those sent by ORBZ when testing for open relays) cause Lotus Domino servers to go into a loop, effectively creating a DoS situation. Unfortunately (but understandably), irrespective of the merits of the case, Ian doesn't want to risk jail for the sake of spam fighting. Of course, if common sense prevailed, it would be the mail server vendor in court for producing insecure mail server software, not a third party for happening to send requests that unintentionally crash poorly-written servers."

19 of 409 comments

  1. El Reg by Mr+Windows · · Score: 5, Informative

    The Register has a little more info. It seems that there is a workaround which involves changing the settings in Domino, though persuading everyone in the world who's running Domino to apply the fix might be hard! It seems like orbz.org is down already, and it's probably going to stay that way :(

  2. Incompetent Admins by DragonC · · Score: 5, Informative

    I run a Domino server. In fact I run lots of Domino websites. And this "Denial of Service" issue that is reported is really due to Admins who don't know what they're doing.

    Any system can try and forward to 127.0.0.1 if it is set that way. There is so much information available at all the normal locations that it is really the Admins' own fault. Why they should take it out on somebody who has done us all a superb service is anybody's guess.

    Where to look for info:
    Lotus
    Notes.net
    DominoHive
    SecurityTracker for Domino

  3. Just silly by interiot · · Score: 4, Informative
    The "DoS" is simply a mail header of the form:
        MAIL FROM:<bounce@[127.0.0.1]>
        RCPT TO:<address@domain.com>
    Why IBM decided to pursue criminal prosecution rather than releasing a simple bugfix is beyond me.
    1. Re:Just silly by larien · · Score: 3, Informative

      My guess is that it isn't IBM, but the admins of the crashing mail servers doing the suing.

  4. Re:Stupid question by Ioldanach · · Score: 5, Informative
    why can't ORBZ use a different envelope that doesn't bounce to 127.0.0.1
    Because they're testing for obscure bugs that allow spammers to use a server as an open relay even when it's configured properly.
  5. ORBS, ORBZ, and MAPS Previously on Slashdot by rtos · · Score: 3, Informative
    Previously on Slashdot:
    ORBS Forks : "Wired is carrying this article about the shutdown of Alan Brown's Open Relay Behavior-Modification System, more commonly known as ORBS. Brown, of New Zealand, closed his operation after two local companies won legal injunctions against him for listing them." It seems the list of 94,000 open relays will be maintained by: "Open Relay Black List of Phoenix, AZ, Open Relay Block Zone (ORBZ), of Basingstoke, England, and the Open Relay Database (ORDB), of Aarhus, Denmark." We've gotten a zillion ORBS submissions since the day its website went down, but this is the first post-ORBS story with enough info to be worth a mention. Guess the dust just needed to settle."

    MAPS vs. ORBS : "It seems that the anti-spammers at MAPS and ORBS have gone from a cold war into a shooting one, with MAPS listing ORBS on their blackhole list. ORBS accuses MAPS of doing it for financial gain, MAPS accuses ORBS of attacking systems, Alan Cox gets peeved about spam, kuro5hin.org has the obligatory "Slashdot is censoring the story!" postings but has at least one seemingly clueful post, and the U.S. House passed an anti-spam bill yesterday - coincidence, or devious conspiracy?"

    ORBS Lookup Entries Undergo Major Revamping : "I noticed this morning that as of 2001/2/1 relays.orbs.org has been decommissioned, ORBS has announced. The announcement further mentions some serious new testing/checking/hostname additions, about a dozen of them, that will greatly increase the granularity of the ORBS results. A benefit seems to be the end user now has fine granularity in the results s/he will get back, obviating some of the bullshit griping that surrounds ORBS most often. More power to us and them. =)"

    It is always helpful to read current stories with a bit of historical context.
    --
    -- null
  6. A quick run-down of what ORBZ is (i.e. was) by let+the+storm · · Score: 5, Informative

    ORBZ never came into as widespread use as it perhaps deserved, so a lot of slashdotters might be left wondering what exactly it is (was):
    The short story is that it is a replacement to the now-dead ORBS, which stood for "Open Relay Behaviour-modification System", and was basically a system of centrally "policing" open mail relays by occasionally testing them with scripts. Any system that failed the test eventually entered ORBS's "black list", which some mail admins used to bounce email with a path through them. Well, that project died, so ORBZ was born: the "Open Relay Blackhole Zones".
    Now, it too, is dead.
    And we can go back to blocking the whole of China, rather than just open relays on it.
    shrug.

    --
    m iso socially aware artistic geek pen-pal, m or f, in '1337 edu. jazz, poetry a must.

    1. Re:A quick run-down of what ORBZ is (i.e. was) by Syberghost · · Score: 3, Informative

      It was more widely used than most people know; Spamcop used it. (And as of last check was still attempting to, although I've emailed them, perhaps they've fixed it by now.)

      Because of that, I bet lots of people who have never heard of ORBZ were "using" it.

      But there's no reason to despair; there are many others still functioning, and new ones coming up all the time.

      My favorite new one is NJABL; Not Just Another BlackList.

      Spamcop has a lovely one, and Osirus is excellent as well.

  7. MAPS is still alive and well. by tweakt · · Score: 5, Informative

    Mail Abuse Prevention System

    Tracks open relays, dial up netblocks, etc. Works with sendmail, postfix, etc..
    Does require paid subscription, but free for personal/hobbyist usage.

    1. Re:MAPS is still alive and well. by Erik+Fish · · Score: 2, Informative

      MAPS is also emasculated ever since the lawsuits.

      SPEWS is where it's at now.

  8. Re:Not so stupid question by Webmoth · · Score: 4, Informative

    why can't ORBZ use a different envelope that doesn't bounce to 127.0.0.1?

    Mail servers need to be configured to relay mail from the localhost (themselves). Otherwise, things just don't work. What using the 127.0.0.1 does is attempt to fool the mail server into thinking that the mail is coming from itself. Also, it makes sysadmins aware that there's a config problem in their mail servers. :-)

    If a server can't relay, it should REJECT the mail ("error: no relay thru here") but Lotus seems to be bouncing it.

    A properly configured mail server will be able to look at the mail and say to itself, "I've seen this before, let's trash it."

    A mail server should NEVER crash due to malformed messages. The strongest lock is no good if the door is weak.

    --
    Give me my freedom, and I'll take care of my own security, thank you.
  9. Re:IBM for rfc-ignorant.org by Anonymous Coward · · Score: 1, Informative

    Try abuse@watson.ibm.com. Seems to go to 198.81.209.6 and 198.81.209.18 which work fine.

  10. Re:There's something here we're not seeing by flamingcow · · Score: 5, Informative

    I'm not going to comment on the current legal status. However, I will comment on the shutdown.

    This shutdown isn't so much for this time, but for next time. I'm stuck fighting this one, but I don't have the time or inclination in my life to fight stupid pointless criminal charges on a weekly basis. Unfortunately, the way this world works, this'll be the tip of the iceberg once people realize that they can. Therefore, I'm out of this game.

  11. ORBZ + SpamAssassin + Razor by ONU+CS+Geek · · Score: 5, Informative
    With that simple combo, you can keep a majority of spam out of your (and your users') inbox. I became really proactive about stopping spam after one of my (l)users installed a formmail.pl script on our web server and we became an 'open relay' for anyone who knew how to exploit the server. Subsequent emails to the abuse@ emails of the upstream providers resulted in nothing, and I still get attempts on the script. With that said, we flag the email as spam using the X-Message-Flag: header (as most of my clients use Outlook) as well as the Qmail-Scanner Tag that is injected into the message. This lets my users know that the message is spam, and I leave it to them on how to filter the messages out of their inbox.

    Spamassassin is nice in this regard, because you shouldn't need to change any configuration rules. The rule that ORBZ deals with, (RCVD_IN_ORBZ) shouldn't need to be changed, however, I'm going to weight the other rules that check for that kind of information (RCVD_IN_RELAYS_ORDB_ORG, RCVD_IN_OSIRUSOFT_COM, RCVD_IN_VISI, RCVD_IN_RFCI, and RCVD_IN_ORBS) up a few points to make up for the lost service.

    --

    I disable sigs...do you?
  12. Re:The open relay testers send me unsolicited e-ma by RevDigger · · Score: 2, Informative

    So fix your broken (almost certainly qmail) server.

    And FWIW, one of the best things about ORBZ was how professionally it was run. They generally tried to err on the side of caution. For instance, addressing your strawman argument, the ORBZ test messages described exactly what they were, and provided links for more info.

  13. Good riddance by kindbud · · Score: 3, Informative

    Now I won't have to put up with any more double-bounces from ORBZ's continual probing of my closed relays. These don't even send out OUR mail. You can't test our outgoing relays, the conversation is in the wrong direction and won't pass our firewall.

    Ian, YOU DUMBASS!! I hope you beat the criminal rap, but you got what was coming, what you were asking for. ORBZ's probes were every bit as much a trespass as the spam itself. Why they never understood this is beyond me. Plenty of other DNSBL run a good list without intrusive probing, and are not getting put up on charges either.

    --
    Edith Keeler Must Die
  14. Re:Call me stupid, but by timjackson1 · · Score: 2, Informative

    Why the hell doesn't the ORBZ software just send out a MAIL FROM: header that doesn't have the remote side's address?

    Because the point is that they are trying to find any configuration that permits relaying. If they can find it, so can spammers.

    Some open relays are set up in such a way that they would not relay messages with MAIL FROM [orbz] but would with MAIL FROM [127.0.0.1].
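
The relay decision that comments 8 and 14 describe, as an added example that is not part of the thread or of any mail server's code: a policy that believes the envelope sender relays the probe envelope quoted in comment 3, while one keyed on the connecting client's address refuses it at RCPT time. `LOCAL_DOMAINS`, `TRUSTED_NETS`, the function names, the 550 reply choice and the 203.0.113.7 client are assumptions made for illustration.

```python
import ipaddress

# Assumptions for this sketch: the domain this server accepts mail for and
# the networks whose clients may relay. Both values are hypothetical.
LOCAL_DOMAINS = {"example.org"}
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8")]


def domain_of(path):
    """Return the lower-cased domain of an SMTP path such as <user@domain>."""
    addr = path.strip().lstrip("<").rstrip(">")
    return addr.rpartition("@")[2].lower()   # "" for the null sender <>


def is_loopback_literal(domain):
    """True for an address-literal domain such as [127.0.0.1]."""
    if not (domain.startswith("[") and domain.endswith("]")):
        return False
    try:
        return ipaddress.ip_address(domain[1:-1]).is_loopback
    except ValueError:
        return False


def rcpt_reply_weak(client_ip, mail_from, rcpt_to):
    """Misconfigured policy: believes the envelope sender, which the client chooses."""
    sender = domain_of(mail_from)
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        return 250
    if sender in LOCAL_DOMAINS or is_loopback_literal(sender):
        return 250                     # relays for anyone claiming to be "local"
    return 550


def rcpt_reply(client_ip, mail_from, rcpt_to):
    """Corrected policy: relay only for trusted client addresses, refuse at RCPT time."""
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        return 250
    client = ipaddress.ip_address(client_ip)
    if any(client in net for net in TRUSTED_NETS):
        return 250
    return 550                         # refused in-session, so no bounce is generated


# Constructed sample: the envelope quoted in the thread, sent by a remote client.
PROBE = ("203.0.113.7", "<bounce@[127.0.0.1]>", "<address@domain.com>")
```

Refusing during the SMTP session leaves the sending side responsible for the failure, so the server never has to generate a bounce to an address it cannot verify.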

  15. I don't remember any contractors at Lotus. by Anonymous Coward · · Score: 1, Informative

    Which office were you in? (Only 2 really).

    I worked in Lotus Tech Support for a few years, and can honestly say [crap, hit button] that I don't remember a single contractor being present. Period.

    As well, our mail was up 100% of the time, and extremely reliable. The only issues seemed to crop up when IBM's servers crapped out, hardware issue, not a software issue.

    Not to call BS on you, but perhaps you were in some strange corner of Big Blue with some true incompetents. However, that certainly isn't the case. Notes is much more reliable than exchange, even if the friendly beep you so want isn't present.

  16. Use ORDB by Anonymous Coward · · Score: 1, Informative

    I've been using ORDB for a few months and it works quite well. Only drawback is they don't re-scan regularly to see if relays are closed. www.ordb.org