Slashdot Mirror

← Back to Stories (view on slashdot.org)

ORBZ Shuts Down

Posted by timothy on from the click dept.

Tim Jackson writes: "In a depressing development for those wanting to protect themselves against spam, it appears that popular open relay database ORBZ (formerly at www.orbz.org) has shut down effective immediately - see here for the final post from ORBZ admin Ian Gulliver on the ORBZ list explaining the reasons behind the closure. The 'Lotus Domino' issue he refers to is the issue he discovered in the course of running ORBZ and reported to Buqtraq, which means that certain SMTP envelopes (such as those sent by ORBZ when testing for open relays) cause Lotus Domino servers to go into a loop, effectively creating a DoS situation. Unfortunately (but understandably), irrelevant of the merits of the case, Ian doesn't want to risk jail for the sake of spam fighting. Of course, if common sense prevailed, it would be the mail server vendor in court for producing insecure mail server software, not a third party for happening to send requests that unintentionally crash poorly-written servers."

4 of 409 comments (clear)

  1. Re:Sounds weak to me by Junta · · Score: 5, Interesting

    Well, in any case it is good to get DoS bugs fixed.

    But with regards to IDing the server, you can't with certainty determine what SMTP server is running. Sure you can make a reasonable guess based on what strings follow the numbers during the SMTP transaction, but for some mailservers this is configurable or even could be disabled.

    Let's say there was an envelope type that postfix occasionally lets through. Now, if the admin of that for some reason actually wants to exploit this to have an open mail relay, it could fake the strings to make it look like a server that wouldn't get probed for it...

    In any case, I started work for a company and one of the first things I did was fix their mail servers so that they both did not offer open mail relays, and also played nice with ORBZ testing procuedure, and it was Lotus Domino, FYI. It's not like they randomly probe you into oblivion, you request the test and have a reasonable picture of when it will happen, and if you have been digging around the mailserver and fix it right before asking, this isn't a problem. Cases like this should show companies it is worth the money to hire competent systems administrators.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  2. Not such a great loss as made out by Zocalo · · Score: 5, Interesting
    I actually stopped using ORBZ some time ago because of the way their database worked in conjunction with the vast amounts of spam coming from DSL lines. Basically if an IP was verified clean then it could not be resubmitted within 30 days, fair enough I guess, but this really fell apart with spam originating from what appeared to be dynamically allocated pools of DSL users. Obviously the same servers were changing IPs, and being reused by the same spammers, but ORBZ's submission engine couldn't deal with this in my numerous attempts to submit active spammers.

    I emailed ORBZ over the issue, citing three identical spams all of which were from the same physical server (from a typo in the headers) yet from different IPs, all of which were marked as "Verified clean within the last 30 days". ORBZ' response to this was basically "use multiple RBL servers", which I already was. I stopped using them at all the same day and switched to an alternate RBL server that I could submit spam to for automatic inclusion once verified. Since then I've also set up my own local RBL server, which makes things much easier when you have multiple SMTP servers to administer...

    --
    UNIX? They're not even circumcised! Savages!
  3. hooorayyyyy by Ph0bia · · Score: 5, Interesting

    I for one am happy to see this happen and I hope the rest of them all shut down or get shut down also.

    The sheer volume of mail that we received as "probes" to test for relays which we have NEVER supported, is SPAM in itself, in my opinion.

    Worst of all, I sent repeated requests to people like orbs.org asking to be excluded and they replied with very rude e-mails which contained vulgarities, etc. Real professional guys - glad to see another one bite the dust...

    --
    Eph. 1:2
  4. And why not? by fmaxwell · · Score: 5, Interesting

    Do you have any idea how it would cripple the software industry if they operated under the constant threat of product liability suits?

    Oh no! Then we would be under the same, crippling rules as just about every other industry on the planet. Microsoft, IBM, Symantec, et al, would actually need to make a due-diligence effort to fix bugs rather than add new, unnecessary features and eye candy.

    Software engineering is not some kind of black magic. It's no different than any other form of complex engineering, be it passenger jets to modern automobiles. To do it right requires care, time, diligence, and testing. If software companies dedicated 1/10 the effort to testing their products that they do to marketing them, 99.99% of problems would be caught before the products ever shipped.

    I guess what it comes down to is this: If you are truly a software engineer, then you should embrace time-proven engineering principles and stop hiding behind the "we're just selling a license" cop-out.