Slashdot Mirror

← Back to Stories (view on slashdot.org)

ORBZ Shuts Down

Posted by timothy on from the click dept.

Tim Jackson writes: "In a depressing development for those wanting to protect themselves against spam, it appears that popular open relay database ORBZ (formerly at www.orbz.org) has shut down effective immediately - see here for the final post from ORBZ admin Ian Gulliver on the ORBZ list explaining the reasons behind the closure. The 'Lotus Domino' issue he refers to is the issue he discovered in the course of running ORBZ and reported to Buqtraq, which means that certain SMTP envelopes (such as those sent by ORBZ when testing for open relays) cause Lotus Domino servers to go into a loop, effectively creating a DoS situation. Unfortunately (but understandably), irrelevant of the merits of the case, Ian doesn't want to risk jail for the sake of spam fighting. Of course, if common sense prevailed, it would be the mail server vendor in court for producing insecure mail server software, not a third party for happening to send requests that unintentionally crash poorly-written servers."

6 of 409 comments (clear)

  1. Domino... by Junta · · Score: 5, Insightful

    Is crap for a mailserver, I've always had problems out of it and avoid it like the plague when I can get away with it. For one, it tries to do too much for a mailserver, and its functionality as a mail server seems to be secondary to it's database features. Domino may work well as a workflow engine/document management, but it really isn't a good Mail server implementation. Unfortunately, so many companies use it as an Exchange replacement, even though it is intended to do much more and mail is done in a really clunky way.. Just spend a few days using Notes and you'll agree that mail does not seem to be a central concern in the scheme of domino..

    Perosnally, I think postfix or qmail are good mail servers (though postfix doesn't cope at all with accounts that have uppercase in them, and qmail is only marginally better at it...). They are simple, short, and to the point. If you must use domino for mail serving, I would suggest having some sort of minimalistic mail server to act as a go between between domino and the outside world, as domino's is flawed in so many ways...

    --
    XML is like violence. If it doesn't solve the problem, use more.
  2. Stupid question by ethereal · · Score: 5, Insightful

    I'm sure I'm missing something here, but why can't ORBZ use a different envelope that doesn't bounce to 127.0.0.1? If they would just use an envelope that bounces back to one of their machines, for example, then they could still test open relays in a non-destructive manner.

    Can someone more knowledgeable than myself explain why they would rather go out of business than slightly alter their envelope that they test with?

    --

    Your right to not believe: Americans United for Separation of Church and

  3. Re:Relay-testing by felicity · · Score: 4, Insightful
    This doesn't make sense -- don't attempt a query against server type X when the query is attempting to determine if the server is type X.

    The open-relay checks are not made up of "bizarre malformed SMTP" commands. "HELO", "MAIL", "RCPT", "DATA", and "QUIT" are the only commands that one should be using to do relay checks. If a mail server gets into a tizzy with those, then it's a completely broken server since all other servers will be sending those commands.

    As with the netcraft tests (ie: web servers unable to handle a "GET" request), it's not the fault of the person sending the request if the server is expected to know how to handle said requests.

  4. Re:Relay-testing by tkrotchko · · Score: 4, Insightful

    You're right. But on the other hand, once you understand what you're doing is crashing servers, you should probably either (a) fix what you're doing, even though its not your fault (b) refuse to test domino servers until they get it fixed.

    Or both.

    But to say "Gee, we crash Lotus server, too bad for them" is really poor manners.

    Mind you, it isn't criminal in a sane world, but it is thoughtless.

    --
    You were mistaken. Which is odd, since memory shouldn't be a problem for you
  5. Software is not a car by CaptainSuperBoy · · Score: 4, Insightful
    Software isn't a car. Software isn't a cigarette. Read your EULA - there is no warranty on software that says it will meet your needs. It's just information, just a bunch of bits. It's not a product that can be regulated, or made 'safely.'

    Who is to say what's a bug? Can I be sued because there's a feature a customer wants that I didn't implement? What if I wrote sendmail 10 years ago, and now someone sues me because I wrote an open relay? But there wasn't any spam when I wrote it. There is a grey area between bug, and undesired behavior. Let's say I write a word processor. Do I get sued because my app won't let you print from the print preview screen? Because it doesn't save your default tab stops?

    You can't regulate software.. and if customers don't like something, they'll look to another vendor. This is already a self-regulated open market folks, move along..

  6. Re:Huh? Jail time for fighting spam? by GigsVT · · Score: 4, Insightful

    No one is suing him, these are criminal charges. Criminal charges are brought by the state.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.