Slashdot Mirror


ORBZ Shuts Down

Tim Jackson writes: "In a depressing development for those wanting to protect themselves against spam, it appears that popular open relay database ORBZ (formerly at www.orbz.org) has shut down effective immediately - see here for the final post from ORBZ admin Ian Gulliver on the ORBZ list explaining the reasons behind the closure. The 'Lotus Domino' issue he refers to is the issue he discovered in the course of running ORBZ and reported to Bugtraq, which means that certain SMTP envelopes (such as those sent by ORBZ when testing for open relays) cause Lotus Domino servers to go into a loop, effectively creating a DoS situation. Unfortunately (but understandably), irrespective of the merits of the case, Ian doesn't want to risk jail for the sake of spam fighting. Of course, if common sense prevailed, it would be the mail server vendor in court for producing insecure mail server software, not a third party for happening to send requests that unintentionally crash poorly-written servers."

30 of 409 comments

  1. Sounds weak to me by Anonymous Coward · · Score: 1, Interesting

    Why not just use another envelope? I'm guessing ORBZ wanted to go away anyway and are using this as an excuse.

    1. Re:Sounds weak to me by Ioldanach · · Score: 3, Interesting
      Why not just use another envelope? I'm guessing ORBZ wanted to go away anyway and are using this as an excuse.

      They used multiple envelope types when checking a relay that had requested to be taken off the list in order to make sure the site couldn't be used by a spammer. Some of the envelopes were unorthodox envelopes that spammers could use to get through a particular server's bugs, making an apparently clean mail server an open relay.

    2. Re:Sounds weak to me by Junta · · Score: 5, Interesting

      Well, in any case it is good to get DoS bugs fixed.

      But with regards to IDing the server, you can't with certainty determine what SMTP server is running. Sure you can make a reasonable guess based on what strings follow the numbers during the SMTP transaction, but for some mailservers this is configurable or even could be disabled.

      Let's say there was an envelope type that postfix occasionally lets through. Now, if the admin of that for some reason actually wants to exploit this to have an open mail relay, it could fake the strings to make it look like a server that wouldn't get probed for it...

      In any case, I started work for a company and one of the first things I did was fix their mail servers so that they both did not offer open mail relays, and also played nice with ORBZ testing procedure, and it was Lotus Domino, FYI. It's not like they randomly probe you into oblivion, you request the test and have a reasonable picture of when it will happen, and if you have been digging around the mailserver and fix it right before asking, this isn't a problem. Cases like this should show companies it is worth the money to hire competent systems administrators.

      --
      XML is like violence. If it doesn't solve the problem, use more.
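The envelope forms Ioldanach and Junta refer to, as an added example that is not ORBZ's tester or any poster's code: a toy RCPT TO policy whose optional flags stand in for generic legacy address-rewriting bugs (percent hack, source routing, bang paths), and a probe that tries each classic relay-test form against it. The domains victim.example and outside.example, the response strings and the flag names are assumptions; nothing here describes what Domino actually does internally.

```python
import re

# Loose grammar for a RCPT TO argument: optional source route ("@host:") then
# local-part@domain.  The greedy local part keeps "%" and "!", which is exactly
# what the legacy rewriting bugs below act on.
ADDR_RE = re.compile(r"^<?(?P<route>@[^:>]+:)?(?P<local>.+)@(?P<domain>[^@>]+)>?$")


class RelayPolicyMTA:
    """Toy SMTP server: only the RCPT TO decision for an unauthenticated outside
    client is modelled.  The flags switch on address rewriting that some old MTAs
    performed *after* the relay check, which is what turned an apparently closed
    server into an open relay for the right envelope (assumed generic bugs)."""

    def __init__(self, local_domains, expand_percent_hack=False,
                 follow_source_route=False, expand_bang_path=False):
        self.local_domains = {d.lower() for d in local_domains}
        self.expand_percent_hack = expand_percent_hack
        self.follow_source_route = follow_source_route
        self.expand_bang_path = expand_bang_path

    def rcpt_to(self, address):
        m = ADDR_RE.match(address.strip())
        if not m:
            return "501 syntax error in address"
        route, local, domain = m["route"], m["local"], m["domain"].lower()
        if route and self.follow_source_route and route[1:-1].lower() in self.local_domains:
            # Bug: the relay check looked at the route hop ("@victim.example:"),
            # recognised itself, then forwarded to the mailbox after the colon.
            return f"250 relayed to {local}@{domain}"
        # Correct handling ignores any source route (RFC 5321 section 3.3) and
        # judges the final mailbox's domain.
        if domain not in self.local_domains:
            return "550 relaying denied"
        # The domain is ours.  A sane server now delivers locally or rejects an
        # unknown user; the legacy rewrites turn the local part into a remote address.
        if self.expand_percent_hack and "%" in local:
            user, _, dest = local.rpartition("%")
            return f"250 relayed to {user}@{dest}"
        if self.expand_bang_path and "!" in local:
            dest, _, user = local.partition("!")
            return f"250 relayed to {user}@{dest}"
        return f"250 local delivery to {local}@{domain}"


def probe_envelopes(local_domain, external):
    """The classic relay-test recipient forms, all aimed at one outside mailbox."""
    user, ext_domain = external.split("@")
    return {
        "plain": f"<{external}>",
        "percent hack": f"<{user}%{ext_domain}@{local_domain}>",
        "source route": f"<@{local_domain}:{external}>",
        "bang path": f"<{ext_domain}!{user}@{local_domain}>",
    }


def relay_report(mta, local_domain, external):
    """Names of the probe envelopes the server would forward off-site."""
    return [name for name, env in probe_envelopes(local_domain, external).items()
            if mta.rcpt_to(env).startswith("250 relayed")]


def transcript(mta, envelope, helo="probe.example", sender="probe@probe.example"):
    """One SMTP exchange as 'C:'/'S:' lines, up to the RCPT verdict."""
    return [
        f"C: HELO {helo}", "S: 250 Hello",
        f"C: MAIL FROM:<{sender}>", "S: 250 OK",
        f"C: RCPT TO:{envelope}", f"S: {mta.rcpt_to(envelope)}",
    ]


if __name__ == "__main__":
    wide_open = RelayPolicyMTA({"victim.example"}, True, True, True)
    for name, env in probe_envelopes("victim.example", "user@outside.example").items():
        print(name, "->", transcript(wide_open, env)[-1])
```

A server that is closed for the plain form but open for one of the rewritten forms is exactly the "apparently clean" relay Ioldanach describes, which is why a tester has to send all of them rather than stop at the first 550.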
  2. yeah right.... by reaper20 · · Score: 4, Interesting

    Of course, if common sense prevailed, it would be the mail server vendor in court for producing insecure mail server software.

    And that would leave us with how many commercial mail servers? None. :)

    More laws like this will only make things worse. One thing we have seen proven time and time again (SSSCA, DMCA) is that legislation of technology by people who don't understand it, or who are influenced by people who don't understand it, does not work.

    I'd bet that nine out of ten 'insecure' or 'spamfriendly' open relays are human related errors. Granted, using sendmail is like playing with a loaded gun with the trigger welded down, but it is possible, and other MTAs are pretty damn secure and fast (I like Postfix).

    1. Re:yeah right.... by schon · · Score: 2, Interesting

      of course, if common sense prevailed, it would be the mail server vendor in court for producing insecure mail server software.

      And that would leave us with how many commercial mail servers? None. :)


      Yeah - just like all those lawsuits against car manufacturers resulted in them all going out of business!

      More laws like this will only make things worse

      Nobody said anything about more laws - they implied that existing laws for negligence should be used to force the appropriate parties to fix their software.

  3. Re:El Reg by tcr · · Score: 3, Interesting

    True, but Domino administrators tend to be sensitive about SMTP settings - mainly because a Domino server install defaults to being an open relay!

    --
    Information wants to be beer.
  4. Domino doesn't adhere to standards? by Merlinus · · Score: 2, Interesting

    Does this mean that Domino isn't adhering to SMTP standards? If so, then what is the problem? Domino users can't sue for DoS if their software is being used properly (according to standards).

  5. Re:Incompetent Admins by WildBeast · · Score: 3, Interesting

    True, but remember that it's the same thing for at least 95% of security issues. Dumb and extremely busy admins will go with the default install and they usually won't even customize the software. So who gets the blame? MS, IBM, Sun, Linux, etc.

  6. The open relay testers send me unsolicited e-mail by Ian+Lance+Taylor · · Score: 2, Interesting

    When one of the open relay testers decides to test my systems (which have never been open relays), I get at least a dozen unsolicited e-mail systems double-bounced to me. Isn't it strange that a system created out of fury at unsolicited e-mail generates a fair amount of it? The double bounce messages never tell me specifically why they have decided to test my system, and they never tell me how to prevent them in the future. Shouldn't people on a moral crusade be careful about hypocrisy?

  7. I'd be curious to know by FreeUser · · Score: 4, Interesting

    Why IBM decided to pursue criminal prosecution rather than releasing a simple bugfix is beyond me.

    If it is IBM, they deserve to be bitchslapped. Hard.

    However, I'd be very curious to know who is actually doing the suing and issuing the legal threats.

    I suspect they are incompetent admins, trying to cover their own incompetency by pointing an accusing finger at the innocent, in this case ORBZ.

    Incompetents banding together has to be one of the more sinister forces in our society: far more common than intelligent and nefarious conspiracies (which probably can be counted on one hand, if that), far more wide reaching, and far more destructive.

    OTOH, for the more paranoid: what are the odds that some SPAMMERs themselves have set up Domino servers with the explicit knowledge of this bug, in order to have legal grounds to threaten and sue one of their most effective opponents out of existence? Actually, I was writing the previous sentence as a joke, but as I type it I don't find the scenario nearly as unlikely as I first thought.

    --
    The Future of Human Evolution: Autonomy
  8. Not such a great loss as made out by Zocalo · · Score: 5, Interesting
    I actually stopped using ORBZ some time ago because of the way their database worked in conjunction with the vast amounts of spam coming from DSL lines. Basically if an IP was verified clean then it could not be resubmitted within 30 days, fair enough I guess, but this really fell apart with spam originating from what appeared to be dynamically allocated pools of DSL users. Obviously the same servers were changing IPs, and being reused by the same spammers, but ORBZ's submission engine couldn't deal with this in my numerous attempts to submit active spammers.

    I emailed ORBZ over the issue, citing three identical spams all of which were from the same physical server (from a typo in the headers) yet from different IPs, all of which were marked as "Verified clean within the last 30 days". ORBZ' response to this was basically "use multiple RBL servers", which I already was. I stopped using them at all the same day and switched to an alternate RBL server that I could submit spam to for automatic inclusion once verified. Since then I've also set up my own local RBL server, which makes things much easier when you have multiple SMTP servers to administer...

    --
    UNIX? They're not even circumcised! Savages!
  9. Other side of the argument by p4k · · Score: 2, Interesting
    I know this isn't going to be a very popular argument, but here goes anyway...

    Surely if they knew the envelopes they were sending out would crash some servers, then that was at best highly irresponsible behaviour. Yes, in an ideal world all software would have no bugs and all sysadmins would be omnipotent, but I don't see that happening any time soon :-). I don't believe that ORBZ has the right to go around DOSing servers that they consider to be inadequately set up - effectively electing themselves judge, jury *and* executioners.

    If ORBZ behaved a bit less arrogantly I suspect they would make fewer enemies.

  10. Fallout by Anonymous Coward · · Score: 1, Interesting
    A bunch of thoughts...

    This incident again raises serious questions about the viability of so-called "dnsbl"s. (DNS Block/Black Lists) If a dnsbl receives a notification that a certain IP address has an open mail relay, they either have to test it to verify its condition or assume it's open based on a copy of apparently (?) relayed email. Does this possible action mean that dnsbls need to locate themselves in jurisdictions that are unlikely to prosecute minor (?) "computer crimes?" Do the operators of DNS servers for dnsbls need to isolate themselves from any apparent relationship to whomever might be doing such open-relay testing? Coupled with SLAPP-style threats from those ending up on open-relay lists, it almost seems that those wishing to aid in the combating of spam by running dnsbls will have to adopt the behaviour of criminals (like the spammers themselves?) to avoid persecution.

    One wonders if the people who initiated this action (the criminal charges) considered the possible fallout resulting from doing so? Any skript kiddie with telnet can execute this 'sploit. The skript kiddiez may have known about this before, but they certainly know about it now. I'd hate to be running a Bloated Goats MTA exposed to the 'net right now. (Or ever, for that matter. But that's another issue.) It also seems to me this company has just painted a big red and white bullseye target on themselves. I mean, how would you like to be an Admin for that place? Not me. I think I'd be lookin' for other employment like right now. I also imagine that, right or wrong, there will be mail admins that will locally block-list these people till the end of time itself for "attacking" a dnsbl. It just doesn't seem to me that this was a very smart move on the part of the aggrieved party.

    Lastly, it seems to me that ORBZ could have avoided this problem entirely by finger-printing MTAs it was going to test and avoiding the more esoteric open-relay exploit tests when it was discovered the server under test was Bloated Goats malware. In fact: relayed spam on-hand would indicate a Bloated Goats MTA in the "Received:" headers. (Blotus seems unaccountably proud of their work.) In such a case, if the open-relay nomination was in order (relayed spam on-hand), just list the damn server and be done with it.

  11. There's something here we're not seeing by Rogerborg · · Score: 3, Interesting
    • I received an official court notice this afternoon to turn over all information relation to ORBZ accounts. This came from the 10th Judicial District court of the State of Michigan. It appears that ORBZ may be facing criminal charges for denial of service relating to the Lotus Domino issue.

    "It appears"? It is or it isn't. Funnily enough, I'd got the impression that cases were filed before courts ordered documents to be handed over.

    Further to that, isn't the case going to be about past behaviour? So isn't taking ORBZ down in response to it a de facto admission of guilt? Is this some sort of preemptive plea bargain attempt?

    Ian Gulliver has never struck me as being stupid or cowardly. I can't help but feel that there must be more communication going on here, i.e. an offer to drop the charges if ORBZ just goes away. Frankly, I find that highly distasteful, as it's edging very close to barratry.

    I don't blame Ian one bit for shutting down, I just think that he's been shown a carrot as well as a stick so that this never has to reach a court.

    --
    If you were blocking sigs, you wouldn't have to read this.
  12. ORBZ was too aggressive by dananderson · · Score: 3, Interesting
    As an active anti-spammer, I found ORBZ was too aggressive in filtering spam. A spam filter is no good if it results in too many false positives. I had to stop using it. I don't know the specifics of this situation though and it could just as well be over-aggressive lawyers. Here are the filters I use. Note that RBL requires permission, but is freely given and free for individual users (organizations/companies must pay).

    dnl DNS-based block lists, checked in this order against the connecting client's address ($&{client_addr})
    FEATURE(dnsbl,`or.orbl.org', `Mail from $&{client_addr} refused: See http://or.orbl.org/ (ORBL)')
    FEATURE(dnsbl,`relays.ordb.org', `Mail from $&{client_addr} refused: relays.ordb.org. See http://www.ordb.org/')
    FEATURE(dnsbl,`or.orbl.org', `Mail from $&{client_addr} refused: or.orbl.org. See http://www.orbl.org/')
    FEATURE(dnsbl,`spamhaus.relays.osirusoft.com', `Mail from $&{client_addr} refused: spamhaus.relays.osirusoft.com. See http://relays.osirusoft.com/')
    FEATURE(dnsbl,`spews.relays.osirusoft.com', `Mail from $&{client_addr} refused: spews.relays.osirusoft.com. See http://www.spews.org/bounce.html')
    FEATURE(dnsbl,`rbl-plus.mail-abuse.org',`Mail from $&{client_addr} refused by RBL+. See http://www.mail-abuse.org/')

  13. hooorayyyyy by Ph0bia · · Score: 5, Interesting

    I for one am happy to see this happen and I hope the rest of them all shut down or get shut down also.

    The sheer volume of mail that we received as "probes" to test for relays which we have NEVER supported, is SPAM in itself, in my opinion.

    Worst of all, I sent repeated requests to people like orbs.org asking to be excluded and they replied with very rude e-mails which contained vulgarities, etc. Real professional guys - glad to see another one bite the dust...

    --
    Eph. 1:2
  14. Anti Spam Killer by kwerle · · Score: 2, Interesting

    I have started using a-s-k to block spam, and have been pretty happy with it.

    http://sourceforge.net/projects/a-s-k/

    http://www.paganini.net/ask

  15. sort-of too bad he didn't receive jail time... by Anonymous Coward · · Score: 1, Interesting

    I certainly don't wish Ian any ill will, but if he had received or does receive criminal penalties for having caused a DoS by sending oddly formed email envelopes then it would have set a precedent for jailing spammers abusing open relays rather than just fining them.

  16. good by Anonymous Coward · · Score: 1, Interesting

    spam busting databases can go to hell. they are a thorn in the side of NORMAL business, not just spam. I almost got a geeky linux dork fired for using one of their services to "protect" his servers. Seems we were on a black list due to a relay getting opened by an inept tech for a couple of days. Linux geek's server blocked us due to list. Linux geek's boss none too happy since he's buddy buddy with our CEO. Don't risk yer job for these wannabe cyber cowboys.

    1. Re:good by Anonymous Coward · · Score: 2, Interesting

      > I almost got a geeky linux dork fired for using one of their
      > services to "protect" his servers.

      Oh you should be *so* proud of yourself. You damn near got somebody
      fired for trying to protect his company's mailboxes against the
      incompetence and carelessness of companies like yours.

      You wouldn't mind sharing with us your domain name or netblock, would
      you?

      Btw: If you'd tried that crap here, you would have received short
      shrift. Even if my boss or my boss' boss (the owner) *was* friends
      with your CEO. It's happened. The most that would happen is I'd
      be instructed to white-list *that* *specific* email address. But I'd
      be instructed to first try to get you to fix your broken-ass mail
      server.

      Asshole.

  17. Re:MAPS is still alive and well. by Anonymous Coward · · Score: 1, Interesting

    You must also agree to indemnify MAPS against any and all claims, including claims brought by third parties. In other words, if someone sues MAPS because you used MAPS' service, you agree to pay MAPS legal costs to defend themselves.

    Our attorneys would not permit me to enter such an agreement. Absolutely NONE of our other vendors has ever included a clause like that in any contract.

  18. And why not? by fmaxwell · · Score: 5, Interesting

    Do you have any idea how it would cripple the software industry if they operated under the constant threat of product liability suits?

    Oh no! Then we would be under the same, crippling rules as just about every other industry on the planet. Microsoft, IBM, Symantec, et al, would actually need to make a due-diligence effort to fix bugs rather than add new, unnecessary features and eye candy.

    Software engineering is not some kind of black magic. It's no different than any other form of complex engineering, be it passenger jets or modern automobiles. To do it right requires care, time, diligence, and testing. If software companies dedicated 1/10 the effort to testing their products that they do to marketing them, 99.99% of problems would be caught before the products ever shipped.

    I guess what it comes down to is this: If you are truly a software engineer, then you should embrace time-proven engineering principles and stop hiding behind the "we're just selling a license" cop-out.

  19. What about currently Blackholed domains by Anonymous Coward · · Score: 1, Interesting

    My company is wrongfully on several Open-Relay/Spam lists from testing we were doing to a hotmail account (that we registered) to test an error reporting function in one of our programs (the spam part), and an open relay specifically for me (that was being exploited by others).

    If anyone is using ORBZ's lists, we will never get off of them. You know that ISPs that "subscribed to a list" will not really work on updating their filter lists. They didn't do it when ORBZ existed.

    So who is to save all these domains that were already blackholed and are currently fixed?

    I mean, it isn't the ORBZ owner's responsibility, he merely compiled a list, he has no responsibility. He never instructed anyone to block anyone's mail, it isn't his fault that anyone implemented any filters based on his list, and he can't be responsible if they never updated their filters, so how do these domains get "Un"-blackholed?

  20. Damn the vigilantes by drteknikal · · Score: 2, Interesting

    I understand the problems caused by spam. I understand how to configure a mail server. I don't understand why so many people line up behind this type of solution - it seems to me to be a case of the cure being worse than the disease.

    What gives anyone the right to send any mail to my domain for any reason? Regardless of how poor my software may be, and how poorly configured, why should an outfit like ORBZ not be held responsible for what happens when they probe my system without my knowledge or consent?

    My mail system is not an open relay. I'm frequently targeted as being an open relay because many of these vigilantes don't use competent and effective testing procedures. As soon as I end up on the list, I have to explain things that shouldn't need explaining, and we suffer an avalanche as the spammers pick up on the "open relay" list and attempt to route their traffic through our server. I eventually get the blacklisters straightened out, but it usually takes at least 7-10 days per occurrence. In the meantime, I'm getting as many as 2000-3000 pieces of spam per hour.

    I'm leaving out technical details here. If anyone cares, I'll be glad to provide them. There are some of these groups that we've never had problems with because their testing methods are better. But the incompetents seem to outnumber them.

    --
    http://drteknikal.blogspot.com/
  21. So, are the PHP mailing lists spam now??? by bovinewasteproduct · · Score: 4, Interesting

    Ya, I've got a problem with spam. I had subscribed to the PHP mailing lists about 6 months ago, no big deal. Here about 2 weeks ago I no longer had a reason to need them and went to unsubscribe from them. I was told that the server would not take my email because my IP provider was in spews now.

    Now mind you, my server (on its own IP address) has NEVER sent out spam (I'm the only one who can send email from it and I've no reason to spam). It seems that some fscking idiot on one of the IPs in CA (my server is in MN) spammed and spews will BH all class C's of the owner no matter where.

    So now I get email I don't want and can't get rid of... Should I report the PHP mailing lists to spews as spammers? I'm on a list and I can't contact them to remove me, how is this different from the spammers? Easy to get on, impossible to get off of...:)

    BWP

  22. Why or.orbl.org is listed twice?? by BACbKA · · Score: 2, Interesting

    Thanks for the .mc snippet, but can you please explain why you have the open relay blockage listed twice? Won't this result in an extra query per each incoming email?!

    FEATURE(dnsbl,`or.orbl.org', `Mail from $&{client_addr} refused: See http://or.orbl.org/ (ORBL)')
    FEATURE(dnsbl,`or.orbl.org', `Mail from $&{client_addr} refused: or.orbl.org. See http://www.orbl.org/')

    --

    VKh
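What the FEATURE(dnsbl) lines in dananderson's snippet do for each connection, and what the duplicated or.orbl.org line that BACbKA asks about costs, as an added example that is neither sendmail's code nor either poster's: the reversed-octet query name, the in-order lookup against $&{client_addr}, and a dedupe pass. The DNS answers are a constructed table so the code runs offline, and the Osirusoft zones are written as osirusoft.com, assumed to be the intended spelling of the snippet's "orisusoft".

```python
import ipaddress
import socket

# The zones from the sendmail snippet, in the order the .mc file lists them
# (Osirusoft spelling normalised; see lead-in).
SNIPPET_ZONES = [
    "or.orbl.org",
    "relays.ordb.org",
    "or.orbl.org",                      # listed twice in the snippet
    "spamhaus.relays.osirusoft.com",
    "spews.relays.osirusoft.com",
    "rbl-plus.mail-abuse.org",
]

# Constructed stand-in for DNS.  A real DNSBL answers an A query for the reversed
# address under its zone with something like 127.0.0.2 when the IP is listed and
# NXDOMAIN (None here) when it is not.  192.0.2.5 is a documentation address.
FAKE_DNS = {
    "5.2.0.192.or.orbl.org": "127.0.0.2",
    "5.2.0.192.relays.ordb.org": "127.0.0.2",
}


def dnsbl_name(client_ip, zone):
    """Query name for one zone: IPv4 octets reversed, zone appended."""
    octets = ipaddress.IPv4Address(client_ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")


def dedupe_zones(zones):
    """Drop repeated zones, keeping first-seen order."""
    seen = []
    for zone in zones:
        if zone not in seen:
            seen.append(zone)
    return seen


def check_client(client_ip, zones, resolve, dedupe=True):
    """Emulate sendmail's per-connection DNSBL checks.

    Zones are queried in order and the first hit refuses the client.  A clean
    client therefore costs one query per zone, so a duplicated FEATURE(dnsbl)
    line is one wasted lookup on every message that is accepted.
    Returns (verdict, listing_zone_or_None, queries_made)."""
    queries = 0
    for zone in (dedupe_zones(zones) if dedupe else zones):
        queries += 1
        if resolve(dnsbl_name(client_ip, zone)) is not None:
            return ("refused", zone, queries)
    return ("accepted", None, queries)


def live_resolve(name):
    """Real resolver for use outside this offline demo; None means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


if __name__ == "__main__":
    print(check_client("192.0.2.5", SNIPPET_ZONES, FAKE_DNS.get))
    print(check_client("198.51.100.7", SNIPPET_ZONES, FAKE_DNS.get, dedupe=False))
```

The dedupe answers the question directly: the snippet makes six lookups for a clean client where five would do. A second caveat a practitioner would add: a zone whose operator has shut down is worse than wasteful, since at least one defunct relay list answered positive for every address on its way out, turning the stale line into blanket rejection, so the list of zones needs reviewing, not just deduplicating.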

  23. You thought that was bad by Anonymous Coward · · Score: 1, Interesting

    If the whiney Domino server admin types thought that was bad with ORBZ, now it's more than a little public what the bug is. I expect most Domino mail servers will be DOS'd to death from this in under a week. Stupid script kiddies.

  24. Bad Combination by fwc · · Score: 3, Interesting
    I'll be interested in seeing the outcome of this and seeing what the facts of the case are.

    I'm not sure how many of the slashdot crowd know this, but it was orbz policy not to stop testing a server when requested, unless requested in writing. If it was requested in writing, then they would stop testing the server and list them in orbz as an open relay.

    So, as an administrator you had the choice between being tested and being blacklisted even if your server had never relayed a single piece of mail. It was also typical of users of orbz to submit every ip address of every mail server they received mail from regardless of it being spam or not. This was encouraged by the orbz administrator. I'm assuming that this policy, in combination with the fact that the testing caused Denial of Service for certain users might be what caused this suit. If you know you are causing a Denial of Service problem and you don't stop especially if you are requested to do so, I'd suspect that is actionable. Ian's inflexibility as to the policy of either testing (and putting up with the DoS if you were a Notes user) or being blacklisted seems like a bad idea if you rephrase it like "Either you let me crash your server or I'll blacklist you", which might be what the people on the other side are thinking.

    Again. This is just my guess. I'm really interested in seeing the facts come to light in relation to this. I suspect that the fact that there was a fix available might be a way out for Ian, but I'll be watching with interest.

  25. Hate to say this ,but it's not such a bad thing by JonathanF · · Score: 2, Interesting

    As a tech support rep for a not-so-small ISP, I can't help but think that the shutdown of an anti-spam blacklisting service would be a good thing.

    One reason is that it often feels like they're overbearing - all too eager to put an ISP on the list (regardless of the relative quantity of spam) but not so eager to take them off. I can't help but think of the blacklisting of Hollywood stars in the '50s for communist beliefs; real or just perceived, you became a scapegoat for the real source of the problem (in this case, the actual spammers).

    The other and personally more important reason is that it creates unrealistic expectations of ISP response. I once had a customer who expected us (the ISP) to change the mail server over to closed-relay (I don't even know if it WAS open-relay then) simply because he - one person - could not get Bigfoot's mail forwarding to work, as they used a blacklist site that happened to include our mail servers. To someone in tech support, that's about the same as asking "can you give my modem more bandwidth?" It sounds selfish and shows the relative ignorance of the customer.

    Basically, these blacklists convince people that their ISP is some sort of monster (I don't think most ISPs say "let's go open-relay so companies we don't profit from can spam people!"), and worse in that they convince users that they can get support for things the ISP doesn't operate, just because they asked about it. How many of these blacklist sites warn you that most ISPs can't support the services of other companies? Almost none (if any). How many ask you to contact your ISP if their servers are on the blacklist, regardless of where the conflict is? Probably most (if not all) of them. As a result we get customers like the one I had, who are told by the site to contact us and expect us to change a major aspect of the service just because a single person (and we've had very few people in total) said so.

    Besides, how much of this actually works? I believe most of our servers are now closed-relay (that customer wasn't the impetus, of course) but customers still get all kinds of spam, and they still think it's their ISP's fault (I've had customers tell me that WE were the spammers, that we sold their e-mail addresses, and so on). On top of this we get customers who actively complain that they can't send mail from accounts with us when they're away, when they could before.

    It's not absolutely dire, but really... just like McCarthy, spam blacklists can frequently pass beyond genuine concern into unhealthy paranoia.

  26. There is no valid configuration which should do it by Skapare · · Score: 4, Interesting

    There is NO VALID CONFIGURATION which should result in an infinite loop on the bounceback. If there are ways to configure to avoid it, great. But there shouldn't be a way to actually configure it to do this, and it most certainly should NEVER be the default setup.

    When mail is sent to a bad name, and it attempts to bounce back to the apparent sender, it should first recognize that it is connecting to itself. Failing that, the sender of the bounce message should either be a valid box to collect failed bounces for the postmaster to clean out, or it should be a null address which gets discarded. A bounce should never trigger another bounce, either on its delivery, its failure to deliver, or its return. In this, Lotus Notes/Domino is a defective software product and needs to be fixed. I recommend that Ian Gulliver ask his attorney about filing a motion of interpleader to bring IBM into the case as a defendant, if the plaintiff continues to pursue it. If IBM (which just stuck a big ad in my face here on /. spouting off about their security) can't fix this, then they are the ones who should be paying up.

    --
    now we need to go OSS in diesel cars
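Skapare's rules for bounce handling, as an added example that is not Domino's or any poster's code: a toy single-domain MTA with the correct behaviour (bounces leave with the null reverse-path MAIL FROM:<>, and mail that arrives with a null sender is never bounced again) beside a generic buggy variant that stamps a non-mailbox daemon address on its bounces. The buggy branch is a stand-in to show why such a loop runs, not a description of what Domino actually did; the domain, mailbox names and the bounce cap are assumptions.

```python
from collections import deque

NULL_SENDER = "<>"   # the SMTP null reverse-path, i.e. MAIL FROM:<>


class BounceMTA:
    """In-memory MTA for one domain.  A message that cannot be delivered locally
    produces a bounce that is pushed back through the same queue, which is what a
    real server does when the bounce's recipient is hosted on itself (assumed model)."""

    def __init__(self, domain, mailboxes, null_sender_bounces=True, bounce_cap=20):
        self.domain = domain.lower()
        self.mailboxes = {m: [] for m in mailboxes}   # local user -> delivered mail
        self.outbound = []        # mail for other domains, handed off to them
        self.dropped = []         # undeliverable bounces that were discarded
        self.bounces_generated = 0
        self.null_sender_bounces = null_sender_bounces
        self.bounce_cap = bounce_cap   # demo safety valve so the buggy variant returns

    def _bounce_sender(self):
        if self.null_sender_bounces:
            return NULL_SENDER
        # Buggy variant: the bounce carries a daemon address that is not a real
        # mailbox, so a bounce of the bounce is just as undeliverable as the original.
        return f"mailer-daemon@{self.domain}"

    def inject(self, mail_from, rcpt_to, body):
        """Feed one envelope in; returns 'delivered', 'bounced' or 'loop detected'."""
        queue = deque([(mail_from, rcpt_to, body)])
        bounces_for_this_message = 0
        outcome = "delivered"
        while queue:
            mail_from, rcpt_to, body = queue.popleft()
            local, _, domain = rcpt_to.rpartition("@")
            if domain.lower() != self.domain:
                self.outbound.append((mail_from, rcpt_to, body))
                continue
            if local in self.mailboxes:
                self.mailboxes[local].append((mail_from, body))
                continue
            # Undeliverable on our own domain.
            if mail_from == NULL_SENDER:
                # Already a notification: file it for the postmaster or drop it, but
                # never bounce it again (the RFC 2821/5321 rule for null reverse-path).
                self.dropped.append((rcpt_to, body))
                continue
            if bounces_for_this_message >= self.bounce_cap:
                return "loop detected"
            bounces_for_this_message += 1
            self.bounces_generated += 1
            outcome = "bounced"
            queue.append((self._bounce_sender(), mail_from,
                          f"Undeliverable to {rcpt_to}: {body}"))
        return outcome


if __name__ == "__main__":
    for flag in (True, False):
        mta = BounceMTA("victim.example", ["alice"], null_sender_bounces=flag)
        print(flag, mta.inject("bogus@victim.example", "nobody@victim.example", "probe"),
              mta.bounces_generated, len(mta.dropped))
```

The probe envelope that matters is the one with a bogus sender *and* a bogus recipient on the same host: with the null sender the second hop is discarded after exactly one bounce, while the buggy variant keeps bouncing to itself until something external stops it, which in this demo is only the cap.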