Slashdot Mirror


ORBZ Shuts Down

Tim Jackson writes: "In a depressing development for those wanting to protect themselves against spam, it appears that popular open relay database ORBZ (formerly at www.orbz.org) has shut down effective immediately - see here for the final post from ORBZ admin Ian Gulliver on the ORBZ list explaining the reasons behind the closure. The 'Lotus Domino' issue he refers to is the issue he discovered in the course of running ORBZ and reported to Bugtraq, which means that certain SMTP envelopes (such as those sent by ORBZ when testing for open relays) cause Lotus Domino servers to go into a loop, effectively creating a DoS situation. Unfortunately (but understandably), irrelevant of the merits of the case, Ian doesn't want to risk jail for the sake of spam fighting. Of course, if common sense prevailed, it would be the mail server vendor in court for producing insecure mail server software, not a third party for happening to send requests that unintentionally crash poorly-written servers."

26 of 409 comments

  1. Domino... by Junta · · Score: 5, Insightful

    Is crap for a mailserver, I've always had problems out of it and avoid it like the plague when I can get away with it. For one, it tries to do too much for a mailserver, and its functionality as a mail server seems to be secondary to its database features. Domino may work well as a workflow engine/document management, but it really isn't a good Mail server implementation. Unfortunately, so many companies use it as an Exchange replacement, even though it is intended to do much more and mail is done in a really clunky way. Just spend a few days using Notes and you'll agree that mail does not seem to be a central concern in the scheme of Domino.

    Personally, I think postfix or qmail are good mail servers (though postfix doesn't cope at all with accounts that have uppercase in them, and qmail is only marginally better at it...). They are simple, short, and to the point. If you must use Domino for mail serving, I would suggest having some sort of minimalistic mail server to act as a go-between between Domino and the outside world, as Domino's is flawed in so many ways...

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:Domino... by Morpheus-NL · · Score: 2, Insightful

      Great idea ...
      setting up a simple mailserver/mailproxy, they could use SpamAssassin's spamproxyd ;-)

      That way they could also filter out any spam

  2. Relay-testing by Rupert · · Score: 3, Insightful

    I've never liked the open relay test based spam filters. Of course, they have a right to list who they want on their list, and if I run a publicly accessible SMTP server I can expect all kinds of bizarre malformed SMTP headers to arrive. However, when you are a self-appointed policeman of the internet, you should first be a good netizen. One of the things good netizens do not do is repeatedly exploit bugs in other people's software to bring down services. Imagine if netcraft started crashing some obscure OS/2 web server with its queries. We'd expect them to stop querying those servers, at the very least, and at best to fix their query.

    --
    E_NOSIG
    1. Re:Relay-testing by PhiberKut · · Score: 2, Insightful

      Rupert, ORBZ has never intentionally exploited bugs in other people's software. The test involves sending an email to the mail server and having it bounced back to you. If the mail server is incapable of doing this without DOS'ing itself; well the issue is obvious.

      Before querying the server, how is ORBZ to know that it is Lotus?

      --
      Elijah Chancey www.elijahsadventure.com nomadic IT consultant, bicycling across america "all that you touch / and all
    2. Re:Relay-testing by SuperBill · · Score: 2, Insightful

      I totally disagree.
      If Netcraft crashed my servers with a standard query, I would look at it as a free security analysis (and then filter their IP until I fixed the problem ;) ). If a simple query crashes your server, and ONLY YOUR SERVER, you have a flawed server. It's not like ORBZ was crafting DOS packets with the intention of taking down a server.

    3. Re:Relay-testing by Fastball · · Score: 2, Insightful

      While you have a point about good netizens not repeatedly exploiting bugs in other people's software, I wonder at what point the responsibility should shift toward the developers of said buggy software.

      Is it not reasonable for us to ask Lotus developers to "catch up" to the crowd and fix the problem therein? I know Lotus Domino is proprietary software and all, but that doesn't give them a free pass (pun intended).

      The scoreboard the way I look at it:
      Developers of unstable, buggy proprietary software backed by an ignorant legal system 1, netizens 0.

    4. Re:Relay-testing by Anonymous Coward · · Score: 2, Insightful

      When I last used them (about two weeks ago) to test my mail server, they were running a 'confirmed opt-in' relay tester (meaning you had to submit an email addy along with the IP to test AND you had to reply to that confirmation message before the test probes would be run).

      I don't know that they had this in place from day one, but I suspect not. Either that or someone with a bone to pick discovered some way to abuse the system in order to create this outcome.

      I suspect that should the names & IPs of the parties involved in the investigation be published, those ranges are going to end up in so many private blacklists that the universe will experience heat death before it's removed from all of them.

    5. Re:Relay-testing by felicity · · Score: 4, Insightful

      This doesn't make sense -- don't attempt a query against server type X when the query is attempting to determine if the server is type X.

      The open-relay checks are not made up of "bizarre malformed SMTP" commands. "HELO", "MAIL", "RCPT", "DATA", and "QUIT" are the only commands that one should be using to do relay checks. If a mail server gets into a tizzy with those, then it's a completely broken server since all other servers will be sending those commands.

      As with the Netcraft tests (i.e. web servers unable to handle a "GET" request), it's not the fault of the person sending the request if the server is expected to know how to handle said requests.
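The relay check felicity describes, as an added example that is not ORBZ's code or part of the original thread: it speaks only HELO, MAIL, RCPT and QUIT and classifies the server by the RCPT reply, stopping before DATA so nothing is ever queued (narrower than ORBZ's bounce-based test). It runs against a constructed in-memory FakeSmtp class so it works offline; all names, domains and reply texts here are assumptions, and a real run would replace FakeSmtp with a socket session to a server you administer.

```python
# Added example, not ORBZ's code. FakeSmtp is a constructed stand-in for a
# mail server; swap it for a real socket session to probe your own server.
# Only HELO / MAIL / RCPT / QUIT are sent; DATA is never issued.
import re

class FakeSmtp:
    """Constructed fake SMTP server: just enough behaviour for the probe."""
    def __init__(self, local_domains, open_relay):
        self.local_domains = {d.lower() for d in local_domains}
        self.open_relay = open_relay      # True: accepts RCPT for any domain
        self.greeting = "220 mail.example.test ESMTP\r\n"
        self.have_sender = False

    def send(self, line):
        """Take one client command line, return the server's reply line."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            return "250 mail.example.test\r\n"
        if verb == "MAIL":
            self.have_sender = True
            return "250 2.1.0 Ok\r\n"
        if verb == "RCPT":
            if not self.have_sender:
                return "503 5.5.1 Error: need MAIL command\r\n"
            m = re.search(r"<[^<>@]+@([^<>]+)>", arg)
            domain = m.group(1).lower() if m else ""
            if domain in self.local_domains or self.open_relay:
                return "250 2.1.5 Ok\r\n"
            return "554 5.7.1 Relay access denied\r\n"
        if verb == "QUIT":
            return "221 2.0.0 Bye\r\n"
        return "502 5.5.2 Command not recognized\r\n"

def reply_code(reply):
    """SMTP replies start with a three-digit code; first digit is the class."""
    return int(reply[:3])

def relay_check(server, helo_name, probe_from, probe_to):
    """Return (verdict, transcript); verdict is 'open-relay', 'closed' or
    'inconclusive'. probe_to must be a domain the server is NOT responsible
    for, otherwise an accepted RCPT is local delivery, not relaying."""
    transcript = [("S", server.greeting.strip())]
    if reply_code(server.greeting) != 220:
        return "inconclusive", transcript
    for cmd in ("HELO " + helo_name, "MAIL FROM:<%s>" % probe_from):
        reply = server.send(cmd)
        transcript += [("C", cmd), ("S", reply.strip())]
        if reply_code(reply) // 100 != 2:
            server.send("QUIT")
            return "inconclusive", transcript
    cmd = "RCPT TO:<%s>" % probe_to
    reply = server.send(cmd)
    transcript += [("C", cmd), ("S", reply.strip())]
    server.send("QUIT")            # stop here: no DATA, nothing is delivered
    klass = reply_code(reply) // 100
    if klass == 2:
        return "open-relay", transcript
    if klass == 5:
        return "closed", transcript
    return "inconclusive", transcript   # 4xx: temporary failure, retry later

if __name__ == "__main__":
    for relay in (True, False):
        verdict, lines = relay_check(FakeSmtp(["example.test"], relay),
                                     "probe.test", "probe@probe.test",
                                     "third-party@elsewhere.test")
        print(verdict, *("%s: %s" % pair for pair in lines), sep="\n")
```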

    6. Re:Relay-testing by Rik+van+Riel · · Score: 3, Insightful
      However, when you are a self-appointed policeman of the internet ...
      They're absolutely not self-appointed.

      When I chose to use ORBZ on my mail server, I "appoint" the administrators of that DNSBL list.

      The spammers using the "free speech" argument will run into the same thing; their right to free spam^H^Heech stops at the border of my private network.

    7. Re:Relay-testing by liquidsin · · Score: 3, Insightful

      I realize it's not a bug, but is it responsible of slashdot to post links to small sites that don't have the bandwidth and bring down their servers? We, the slashdot community, are constantly bringing down sites. Do you blame slashdot for this? It's not his fault they haven't patched their shoddy software, and it's not a malicious attack - he's not repeatedly crashing the same servers. It's a bug - a security flaw - and it needs to be fixed.

      --
      do not read this line twice.
    8. Re:Relay-testing by tkrotchko · · Score: 4, Insightful

      You're right. But on the other hand, once you understand what you're doing is crashing servers, you should probably either (a) fix what you're doing, even though it's not your fault, or (b) refuse to test Domino servers until they get it fixed.

      Or both.

      But to say "Gee, we crash Lotus server, too bad for them" is really poor manners.

      Mind you, it isn't criminal in a sane world, but it is thoughtless.

      --
      You were mistaken. Which is odd, since memory shouldn't be a problem for you
    9. Re:Relay-testing by ftobin · · Score: 3, Insightful

      You're right. But on the other hand, once you understand what you're doing is crashing servers, you should probably either (a) fix what you're doing, even though it's not your fault, or (b) refuse to test Domino servers until they get it fixed.

      With regards to your (a), there wasn't anything to 'fix' on ORBZ's end. If you think so, you have a gross lack of knowledge of SMTP. If you think (b) is a viable solution, then it would only be fair to mark all Lotus servers as open relays if they can't be tested. This would be a worse solution than simply getting people to fix their Lotus servers.

    10. Re:Relay-testing by fulgan · · Score: 3, Insightful

      You are wrong on two counts.

      First, you're wrong when you say "repeatedly exploit bugs in other people's software to bring down services". You're mixing effects and intents. The EFFECT is a crashed/hung server. The intent, however, is quite different.

      Second, internet mail software must follow a set of rules defined by the relevant RFCs. If server software does not follow these rules and crashes when they are followed by third parties on it, it shouldn't be put into use on the internet and, if it is, then the blame clearly can't be put on the external party (in particular if it can be proved that the intent wasn't to DOS the server, something quite easy in this case).

      Now, this mostly boils down to: do the ORBZ scans follow the RFCs? Well, I've been scanned several times and, so far, I've not seen anything that wasn't abiding by the RFCs.

    11. Re:Relay-testing by mmusn · · Score: 2, Insightful

      So, by your reasoning, if my (non-IE) web browser causes your server to spin out of control, I'm supposed to stop using my web browser? And if I'm foolish enough to attempt to get to your web page every now and then, assuming that you might actually fix your server at some point, then I'm supposed to be responsible for criminal DoS?

      That makes no sense. If your software is broken, you need to fix your software, and going into an infinite loop from an occasional malformed request is a bug in your software.

  3. Stupid question by ethereal · · Score: 5, Insightful

    I'm sure I'm missing something here, but why can't ORBZ use a different envelope that doesn't bounce to 127.0.0.1? If they would just use an envelope that bounces back to one of their machines, for example, then they could still test open relays in a non-destructive manner.

    Can someone more knowledgeable than myself explain why they would rather go out of business than slightly alter their envelope that they test with?

    --

    Your right to not believe: Americans United for Separation of Church and

  4. Not his problem by Anonymous Coward · · Score: 2, Insightful

    "Unfortunately (but understandably), irrelevant of the merits of the case, Ian doesn't want to risk jail for the sake of spam fighting. Of course, if common sense prevailed, it would be the mail server vendor in court for producing insecure mail server software, not a third party for happening to send requests that unintentionally crash poorly-written servers."

    So what this is saying is that Ian is willing to stop his client because a specific (and not nearly as widespread as its competitors) mail server has poorly written bugs. If anything, it is Lotus who should patch their servers. This just reeks of poor engineering decisions.

    And Jail Time! heh. Give us a break. You can't be put in jail for writing good software. You can be put in jail for writing intentionally destructive software. If their server has a terrible bug, it's not your fault that it just happens to be exposed by a correctly functioning program that performs a useful task.

    I can just imagine Lotus/IBM sending a cease and desist letter for the production of software that breaks their mail server... Except that the software is already out, the knowledge that the problem exists is widespread to the hackers (i.e. slashdot readers), and IBM better close those bugs before _we_ do.

    1. Re:Not his problem by vsync64 · · Score: 3, Insightful
      And Jail Time! heh. Give us a break. You can't be put in jail for writing good software.

      Oh really?

      --
      TO BUY A NEW CAR WOULD MAKE YOU SEXUALLY ATTRACTIVE.
  5. Where do you draw the line ?? by Srin+Tuar · · Score: 3, Insightful

    Anybody can access a publicly available SMTP service and produce whatever type of SMTP headers they want. It is a publicly available service.

    However, your typical hacker does a similar thing, he sends bytes to a publicly available service.

    If you decide that any uninvited data being sent to your server is a crime, then sending an email to someone you don't know is a crime. If you think it's not a crime, then what script kidz do is a public service.

    I personally hold to the latter, even though I abhor spam and hate malicious crackers. I think that by holding the server owner who's providing publicly available services accountable for his own security, we would get more secure software out of it, and less coverups (lawyers trying to do work that can only be done by programmers). SMTP servers should be able to handle munged headers!

    I can imagine the PHB thinking now "Well since I can't sue the kiddie who's sending those bad SMTP headers, I guess I'm going to have to actually fix the bug in my mail server, oh the humanity!"

    Of course fraud etc. should still be a crime - but why should accessing publicly provided data services be one?

  6. No no no no NO! by CaptainSuperBoy · · Score: 3, Insightful
    if common sense prevailed, it would be the mail server vendor in court for producing insecure mail server software, not a third party for happening to send requests that unintentionally crash poorly-written servers

    You are so wrong! Think about what you are saying for a second. You are saying that software vendors should be held liable for producing faulty software. What does this apply to? Only Lotus, Microsoft, and the big guys? What about holding Alan Cox and Linus liable for bugs in the Linux kernel? I hope you don't want to hold security programmers liable for demos of exploits. Software is fundamentally different from a product that can be recalled and judged unsafe. The marginal cost of software is zero, and it is not a physical product - it's just information.

    Do you have any idea how it would cripple the software industry if they operated under the constant threat of product liability suits? What about old software? Really old versions of Sendmail were set to open relay by default. Certainly it's not the fault of the programmers that they didn't protect against spam, BEFORE SPAM EXISTED. Now think about a software industry where a pack of lawyers has to review every design document, every line of code in the name of 'product safety.'

    This is clearly a case where the free market already solves these problems, and your foolish solution would only serve to artificially disable an industry. If companies are upset with Domino, they will eventually switch to a better software package. If Lotus cared about their customers, they would have patched their software. I can't believe it when people like you say these things without thinking of the consequences.

    You did hit on one correct point - intent. It's unfortunate that ORBZ was in danger of being sued. They shouldn't be in danger, due to intent. They have no intent to DOS random Lotus Domino servers.. but it seems like they just can't risk it. If I intentionally exploited the Domino bug to crash servers, well that's another story. It's not Domino's problem, it's mine, and I should be carted to jail for that.

  7. Software is not a car by CaptainSuperBoy · · Score: 4, Insightful
    Software isn't a car. Software isn't a cigarette. Read your EULA - there is no warranty on software that says it will meet your needs. It's just information, just a bunch of bits. It's not a product that can be regulated, or made 'safely.'

    Who is to say what's a bug? Can I be sued because there's a feature a customer wants that I didn't implement? What if I wrote sendmail 10 years ago, and now someone sues me because I wrote an open relay? But there wasn't any spam when I wrote it. There is a grey area between bug, and undesired behavior. Let's say I write a word processor. Do I get sued because my app won't let you print from the print preview screen? Because it doesn't save your default tab stops?

    You can't regulate software.. and if customers don't like something, they'll look to another vendor. This is already a self-regulated open market folks, move along..

    1. Re:Software is not a car by dubl-u · · Score: 3, Insightful

      Maybe you're right; as a programmer, I'm sympathetic to the notion. But arguing like you are won't convince anybody.

      Since customers already vote with their dollars (if you make useless, buggy software then nobody's going to buy it) why do we need artificial restrictions imposed on developers?

      That's a silly argument; you could make it just as well for any product, from bonds to airplanes. Why do we need auditors and all these fussy financial regulations? The shares in poorly run companies won't be bought, right?

      If every piece of software adhered to current best practices, we wouldn't have any new innovation would we? New algorithms? They're against the law (they're not certified as secure).

      There are immense numbers of regulations for things like food, cars, and financial products, and there have been for decades. But all of those have changed drastically in the last 50 years, and they'll keep on changing. Why wouldn't the same be true for software?

      You haven't explained to me why we need this. Regulations should never be applied unless they are absolutely necessary - i.e. in the case of personal safety.

      That's certainly not the only case where we have product regulations. The things that are entirely unregulated seem to be the things that are perfectly ok to screw up. If you make music, there's no law saying it has to be good, but if your CD doesn't play in my player, you have to take it back.

      When computers are used for something equally low-risk, then not regulating software seems fine. If a game crashes once in a while, that's swell.

      But some of us would like to use software for more important things, too. Suppose you run an on-line business, and you pay Microsoft a lotta dough for a fancy ecommerce setup. Then the week after you install it, some script-kiddie takes it down, steals your customer credit card data, and forwards all your pages to porn sites. By the time you clean up the mess, you're in Chapter 11.

      So you turn to Microsoft, and they say, "Sorry, Charlie, no warranties express or implied. Your check cleared, so we're outta here!" Is that how things should work?

      That's how they worked with investments before we regulated them up the wazoo. And far from crushing investment, our financial markets are immensely lively and highly regarded around the world.

      You seem perfectly suited for bottom-line, 'no new idea is a good idea' middle management.

      Yeah, ad hominem attacks against a guy with a reasonable point persuade me of your views.

  8. Black hats are going to love this by Eric+Damron · · Score: 3, Insightful

    It seems to me that if ORBZ can send certain SMTP envelopes that cause Lotus Domino servers to go into a loop, those servers are going to need to be fixed.

    This vulnerability is public knowledge now so how many black hats are going to be doing this just for fun and giggles?

    I can't help feeling that when a company gets shut down rather than an obvious corrective action being taken, there is a hidden agenda lurking about. Just my suspicious nature taking over. :=)

    --
    The race isn't always to the swift... but that's the way to bet!
  9. Re:good by matuscak · · Score: 2, Insightful

    Nonsense. The message is: explain to your management what spam costs a company, and have them go along with it. We bounce an average of 500 mails from open relays per day into our not all that big network. The max so far is something like 2200 in a day. Even if people "just hit delete", the time adds up unbelievably fast. There is *NO* excuse to be running an open relay, AT ALL!

  10. Re:Incompetant Admins by ethereal · · Score: 2, Insightful
    Should the employer pay $60,000 a year to hire a sysadmin who can secure the one or two servers the business operates? Even if the business doesn't have that kind of cash flow? Even if the increased costs mean they can't compete? Even when the office coordinator can get the system functional (though nonoptimal)?

    Maybe they should contract it out at a greatly reduced rate. The office coordinator could also install the business' alarm system and get it functional (though nonoptimal), but businesses understand that to get that kind of security right you hire a professional. Thus it is with software systems security as well.

    --

    Your right to not believe: Americans United for Separation of Church and

  11. Re:Huh? Jail time for fighting spam? by GigsVT · · Score: 4, Insightful

    No one is suing him, these are criminal charges. Criminal charges are brought by the state.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  12. Re:There is no valid configuration which should do by Skapare · · Score: 3, Insightful

    Me again. Elsewhere it has been noted that IBM has in fact fixed this a while back. In this case, (someone at) IBM should be called as an expert witness to testify that the bug is fixed and that the administrator of the defective system is negligent in having failed to apply the fix. Failure to apply fixes is a major cause of security and spam problems on the net, certainly costing at least hundreds of millions of dollars a year to clean up, and lost time and bandwidth dealing with the effects. Someone who fails to apply fixes in a timely manner (30 days tops) should be slapped very very hard.

    And we want to know who the hell it is that brought this complaint.

    --
    now we need to go OSS in diesel cars