ORBZ Shuts Down
Tim Jackson writes: "In a depressing development for those wanting to protect themselves against spam, it appears that popular open relay database ORBZ (formerly at www.orbz.org) has shut down effective immediately - see here for the final post from ORBZ admin Ian Gulliver on the ORBZ list explaining the reasons behind the closure.
The 'Lotus Domino' issue he refers to is the one he discovered in the course of running ORBZ and reported to Bugtraq: certain SMTP envelopes (such as those sent by ORBZ when testing for open relays) cause Lotus Domino servers to go into a loop, effectively creating a DoS situation.
Unfortunately (but understandably), irrespective of the merits of the case, Ian doesn't want to risk jail for the sake of spam fighting. Of course, if common sense prevailed, it would be the mail server vendor in court for producing insecure mail server software, not a third party for happening to send requests that unintentionally crash poorly-written servers."
They should've mailed everyone to tell them.
"Under the iron bridge, we fist" - The Smiths, Still Ill
The Register has a little more info. It seems that there is a workaround which involves changing the settings in Domino, though persuading everyone in the world who's running Domino to apply the fix might be hard! It seems like orbz.org is down already, and it's probably going to stay that way :(
Is crap for a mailserver, I've always had problems out of it and avoid it like the plague when I can get away with it. For one, it tries to do too much for a mailserver, and its functionality as a mail server seems to be secondary to its database features. Domino may work well as a workflow engine/document management, but it really isn't a good Mail server implementation. Unfortunately, so many companies use it as an Exchange replacement, even though it is intended to do much more and mail is done in a really clunky way.. Just spend a few days using Notes and you'll agree that mail does not seem to be a central concern in the scheme of domino..
Personally, I think postfix or qmail are good mail servers (though postfix doesn't cope at all with accounts that have uppercase in them, and qmail is only marginally better at it...). They are simple, short, and to the point. If you must use domino for mail serving, I would suggest having some sort of minimalistic mail server to act as a go-between between domino and the outside world, as domino's is flawed in so many ways...
XML is like violence. If it doesn't solve the problem, use more.
I've never liked the open relay test based spam filters. Of course, they have a right to list who they want on their list, and if I run a publicly accessible SMTP server I can expect all kinds of bizarre malformed SMTP headers to arrive. However, when you are a self-appointed policeman of the internet, you should first be a good netizen. One of the things good netizens do not do is repeatedly exploit bugs in other people's software to bring down services. Imagine if netcraft started crashing some obscure OS/2 web server with its queries. We'd expect them to stop querying those servers, at the very least, and at best to fix their query.
--
E_NOSIG
I run a Domino server. In fact I run lots of Domino websites. And this "Denial of Service" issue that is reported is really due to Admins who don't know what they're doing.
Any system can try and forward to 127.0.0.1 if it is set that way. There is so much information available at all the normal locations that it is really the Admins' own fault. Why they should take it out on somebody who has done us all a superb service is anybody's guess.
Where to look for info:
Lotus
Notes.net
DominoHive
SecurityTracker for Domino
I'm sure I'm missing something here, but why can't ORBZ use a different envelope that doesn't bounce to 127.0.0.1? If they would just use an envelope that bounces back to one of their machines, for example, then they could still test open relays in a non-destructive manner.
Can someone more knowledgeable than myself explain why they would rather go out of business than slightly alter their envelope that they test with?
Your right to not believe: Americans United for Separation of Church and
They used multiple envelope types when checking a relay that had requested to be taken off the list in order to make sure the site couldn't be used by a spammer. Some of the envelopes were unorthodox envelopes that spammers could use to get through a particular server's bugs, making an apparently clean mail server an open relay.
Of course, if common sense prevailed, it would be the mail server vendor in court for producing insecure mail server software.
:)
And that would leave us with how many commercial mail servers? None.
More laws like this will only make things worse. One thing we have seen proven time and time again (SSSCA, DMCA) is that legislation of technology by people who don't understand it, or who are influenced by people who don't understand it, does not work.
I'd bet that nine out of ten 'insecure' or 'spamfriendly' open relays are human related errors. Granted, using sendmail is like playing with a loaded gun with the trigger welded down, but it is possible, and other MTAs are pretty damn secure and fast (I like Postfix).
The interesting thing is that a very stupid bug in Lotus Domino should cause the servers to loop into oblivion every time a potential spammer tries to relay mail through them...
- MAIL FROM:<bounce@[127.0.0.1]>
- RCPT TO:<address@domain.com>
Why IBM decided to pursue criminal prosecution rather than releasing a simple bugfix is beyond me.
Does this mean that Domino isn't adhering to SMTP standards? If so, then what is the problem? Domino users can't sue for DoS if their software is being used properly (according to standards).
-- null
"Unfortunately (but understandably), irrelevant of the merits of the case, Ian doesn't want to risk jail for the sake of spam fighting. Of course, if common sense prevailed, it would be the mail server vendor in court for producing insecure mail server software, not a third party for happening to send requests that unintentionally crash poorly-written servers."
So what this is saying is that Ian is willing to stop his client because a specific (and not nearly as widespread as its competitors) mail server has poorly written bugs. If anything, it is Lotus who should patch their servers. This just reeks of poor engineering decisions.
And Jail Time! heh. Give us a break. You can't be put in jail for writing good software. You can be put in jail for writing intentionally destructive software. If their server has a terrible bug, it's not your fault that it just happens to be exposed by a correctly functioning program that performs a useful task.
I can just imagine Lotus/IBM sending a cease and desist letter for the production of software that breaks their mail server... Except that the software is already out, the knowledge that the problem exists is widespread to the hackers (i.e. slashdot readers), and IBM better close those bugs before _we_ do.
ORBZ never came into as widespread use as it perhaps deserved, so a lot of slashdotters might be left wondering what exactly it is (was):
The short story is that it is a replacement for the now-dead ORBS, which stood for "Open Relay Behaviour-modification System", and was basically a system of centrally "policing" open mail relays by occasionally testing them with scripts. Any system that failed the test eventually entered ORBS's "black list", which some mail admins used to bounce email with a path through them. Well, that project died, so ORBZ was born: the "Open Relay Blackhole Zones".
Now, it too, is dead.
And we can go back to blocking the whole of china, rather than just open relays on it.
shrug.
--
m iso socially aware artistic geek pen-pal, m or f, in '1337 edu. jazz, poetry a must.
Of course, if common sense prevailed, it would be the mail server vendor in court for producing insecure mail server software
I think that should be "in court for refusing to fix insecure mail-server software in a timely manner..."
When one of the open relay testers decides to test my systems (which have never been open relays), I get at least a dozen unsolicited e-mails double-bounced to me. Isn't it strange that a system created out of fury at unsolicited e-mail generates a fair amount of it? The double bounce messages never tell me specifically why they have decided to test my system, and they never tell me how to prevent them in the future. Shouldn't people on a moral crusade be careful about hypocrisy?
Let me get this straight. An organization whose sole purpose is fighting spam, is being shut down and afraid of facing jail time due to a bug in Lotus notes?
Can we find out who the suing party is, so folks can let this company and their state representatives know what they think of this?
Also, could not Lotus notes servers be identified (I would imagine they spit out an ID string like other SMTP servers) and this bug either worked around, or the Lotus servers ignored? It seems that would be more constructive than shutting down.
-me
Love many, trust a few, do harm to none.
We need a "Real time open relay tester black list", so that people can block the queries sent by open relay testers.
I'm not being entirely facetious either; it seems that the volume of relay testing traffic has increased significantly over the past year.
Mail Abuse Prevention System
Tracks open relays, dial up netblocks, etc. Works with sendmail, postfix, etc..
Does require paid subscription, but free for personal/hobbyist usage.
Anybody can access a publicly available SMTP service and produce whatever type of SMTP headers they want. It is a publicly available service.
However, your typical hacker does a similar thing: he sends bytes to a publicly available service.
If you decide that any uninvited data being sent to your server is a crime, then sending an email to someone you don't know is a crime. If you think it's not a crime, then what script kidz do is a public service.
I personally hold to the latter, even though I abhor spam and hate malicious crackers. I think that by holding the server owner who's providing publicly available services accountable for his own security, we would get more secure software out of it, and fewer coverups. (lawyers trying to do work that can only be done by programmers) SMTP servers should be able to handle munged headers!
I can imagine the PHB thinking now "Well since I can't sue the kiddie who's sending those bad SMTP headers, I guess I'm going to have to actually fix the bug in my mail server, oh the humanity!"
Of course fraud etc should still be a crime- but why should accessing publicly provided data services be one?
Well, in any case it is good to get DoS bugs fixed.
But with regards to IDing the server, you can't with certainty determine what SMTP server is running. Sure you can make a reasonable guess based on what strings follow the numbers during the SMTP transaction, but for some mailservers this is configurable or even could be disabled.
Let's say there was an envelope type that postfix occasionally lets through. Now, if the admin of that for some reason actually wants to exploit this to have an open mail relay, it could fake the strings to make it look like a server that wouldn't get probed for it...
In any case, I started work for a company and one of the first things I did was fix their mail servers so that they both did not offer open mail relays, and also played nice with ORBZ's testing procedure, and it was Lotus Domino, FYI. It's not like they randomly probe you into oblivion, you request the test and have a reasonable picture of when it will happen, and if you have been digging around the mailserver and fix it right before asking, this isn't a problem. Cases like this should show companies it is worth the money to hire competent systems administrators.
XML is like violence. If it doesn't solve the problem, use more.
One more point: if he's being sued for something done in the past, whether or not he shuts down Orbz is irrelevant, liability-wise. If he has been given a cease-and-desist (or else face prosecution), would not simply skipping Lotus servers meet that requirement, and prevent any future liability?
Surely he can't be held liable by whoever is suing him, for scanning the 99.9% of non-Lotus SMTP servers out there.
-me
Love many, trust a few, do harm to none.
Why IBM decided to pursue criminal prosecution rather than releasing a simple bugfix is beyond me.
If it is IBM, they deserve to be bitchslapped. Hard.
However, I'd be very curious to know who is actually doing the suing and issuing the legal threats.
I suspect they are incompetent admins, trying to cover their own incompetency by pointing an accusing finger at the innocent, in this case ORBZ.
Incompetents banding together has to be one of the more sinister forces in our society: far more common than intelligent and nefarious conspiracies (which probably can be counted on one hand, if that), far more wide reaching, and far more destructive.
OTOH, for the more paranoid: what are the odds that some SPAMMERs themselves have set up Domino servers with the explicit knowledge of this bug, in order to have legal grounds to threaten and sue one of their most effective opponents out of existence? Actually, I was writing the previous sentence as a joke, but as I type it I don't find the scenario nearly as unlikely as I first thought.
The Future of Human Evolution: Autonomy
... when they tested my mail server for open relay (which it had been, but was fixed). I was setting up qmail for the first time, and in cleaning up removed a file I shouldn't have (namely rcpthosts). In any case, for those of you who don't know, remove this file, and you're an open relay. I was, and sure enough, a spammer found it and started using it. I caught it when a bunch of bad email addresses bounced to my account (that and my maillog grew by about 2000%). I figured out the problem in about an hour, and closed it up. I also reported the spammer to their ISP (pacbell.net) and cleaned out the queue (over 2000 spams ready to be sent). In any case, someone must have reported me, even though I put up apology pages and comment suggestions. In case whoever reported me is reading this, I bear you no ill-will, I was an open relay and deserved to be reported. In any case, their test showed I wasn't open, so I never got added to their list.
I emailed ORBZ over the issue, citing three identical spams all of which were from the same physical server (from a typo in the headers) yet from different IPs, all of which were marked as "Verified clean within the last 30 days". ORBZ' response to this was basically "use multiple RBL servers", which I already was. I stopped using them at all the same day and switched to an alternate RBL server that I could submit spam to for automatic inclusion once verified. Since then I've also set up my own local RBL server, which makes things much easier when you have multiple SMTP servers to administer...
UNIX? They're not even circumcised! Savages!
Hmmm, this just doesn't make any sense, so maybe it would best be defended with the Chewbacca Defense.
(Sigh, maybe some day I'll get all my comments in one post. I feel like George Costanza, coming up with the witty comeback long after the fact. "The jerk store just called, and they're all out of you!")
-me
Love many, trust a few, do harm to none.
why can't ORBZ use a different envelope that doesn't bounce to 127.0.0.1?
:-)
Mail servers need to be configured to relay mail from the localhost (themselves). Otherwise, things just don't work. What using the 127.0.0.1 does is attempt to fool the mail server into thinking that the mail is coming from itself. Also, it makes sysadmins aware that there's a config problem in their mail servers.
If a server can't relay, it should REJECT the mail ("error: no relay thru here") but Lotus seems to be bouncing it.
A properly configured mail server will be able to look at the mail and say to itself, "I've seen this before, let's trash it."
A mail server should NEVER crash do to malformed messages. The strongest lock is no good if the door is weak.
Give me my freedom, and I'll take care of my own security, thank you.
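How a relay test of the kind described in the post above can be written, as an added example that is not part of the thread and not ORBZ's own tester: it runs the SMTP dialogue the post describes (greeting, MAIL FROM, RCPT TO to an outside address, never DATA) for several envelope variants, including the loopback-literal sender, and is exercised against a constructed in-memory server rather than a live host. The domains, the variant list and the FakeMTA behaviour are assumptions made for illustration. Note that a probe that stops at RCPT only shows what the server says it would do; a test message that is actually delivered back to the tester is the stronger evidence.

```python
"""Open-relay probe in the style the thread describes (added example, not ORBZ code)."""
from typing import Callable, Dict, List, Tuple

TESTER_DOMAIN = "relay-test.example"      # hypothetical tester domain
PROBE_RCPT = f"probe@{TESTER_DOMAIN}"     # hypothetical recipient the target must not relay to


def build_envelopes(target_host: str) -> List[Tuple[str, str, str]]:
    """Envelope variants as (name, MAIL FROM, RCPT TO). Illustrative, not ORBZ's real list."""
    return [
        # loopback IP literal as sender: tries to look like mail the server generated itself
        ("loopback_sender", "<bounce@[127.0.0.1]>", f"<{PROBE_RCPT}>"),
        # plain external sender and recipient: the basic relay check
        ("external_sender", f"<bounce@{TESTER_DOMAIN}>", f"<{PROBE_RCPT}>"),
        # null sender, as a bounce message would use
        ("null_sender", "<>", f"<{PROBE_RCPT}>"),
        # '%' hack: local-looking domain with the real destination hidden in the local part
        ("percent_hack", f"<bounce@{TESTER_DOMAIN}>", f"<probe%{TESTER_DOMAIN}@{target_host}>"),
        # explicit source route through the target
        ("source_route", f"<bounce@{TESTER_DOMAIN}>", f"<@{target_host}:{PROBE_RCPT}>"),
    ]


def relay_probe(target_host: str, send: Callable[[str], str]) -> Dict[str, bool]:
    """Try every variant over a transport send(line) -> reply; True means RCPT was accepted."""
    accepted: Dict[str, bool] = {}
    send(f"EHLO {TESTER_DOMAIN}")
    for name, mail_from, rcpt_to in build_envelopes(target_host):
        send("RSET")                                   # clean envelope for each variant
        if not send(f"MAIL FROM:{mail_from}").startswith("250"):
            accepted[name] = False
            continue
        accepted[name] = send(f"RCPT TO:{rcpt_to}").startswith("250")
    send("QUIT")                                       # DATA is never sent: nothing is delivered
    return accepted


def is_open_relay(results: Dict[str, bool]) -> bool:
    """One accepted variant is enough: a spammer only needs the one that works."""
    return any(results.values())


class FakeMTA:
    """In-memory stand-in for the remote server (constructed for this example).

    mode "closed":  relays only for its own domains, rejects '%' and source-route forms
    mode "percent": closed, except it accepts the '%' hack (looks clean to a one-envelope test)
    mode "open":    accepts any recipient
    """

    def __init__(self, hostname: str, local_domains: List[str], mode: str = "closed"):
        self.hostname = hostname
        self.local = {d.lower() for d in local_domains}
        self.mode = mode

    def request(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.hostname}"
        if verb == "MAIL":
            return "250 2.1.0 sender ok"              # sender is not what decides relaying
        if verb == "RCPT":
            return self._rcpt(arg.partition(":")[2].strip().strip("<>"))
        if verb in ("RSET", "NOOP"):
            return "250 2.0.0 ok"
        if verb == "QUIT":
            return "221 2.0.0 bye"
        return "500 5.5.1 command unrecognized"

    def _rcpt(self, addr: str) -> str:
        if self.mode == "open":
            return "250 2.1.5 recipient ok"
        if addr.startswith("@"):                      # source route: a closed relay never honours it
            return "550 5.7.1 relaying denied"
        local_part, _, domain = addr.rpartition("@")
        if domain.lower() not in self.local:
            return "550 5.7.1 relaying denied"
        if "%" in local_part and self.mode != "percent":
            return "550 5.7.1 relaying denied"
        return "250 2.1.5 recipient ok"


if __name__ == "__main__":
    for mode in ("closed", "percent", "open"):
        mta = FakeMTA("mail.victim.example", ["victim.example", "mail.victim.example"], mode)
        res = relay_probe("mail.victim.example", mta.request)
        print(mode, "open relay" if is_open_relay(res) else "closed", res)
```

The "percent" server is the case the later post about multiple envelope types is getting at: it refuses the plain external recipient, so a single-envelope check would pass it, yet the '%' form goes through and a spammer can use it.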
Surely if they knew the envelopes they were sending out would crash some servers, then that was at best highly irresponsible behaviour. Yes, in an ideal world all software would have no bugs and all sysadmins would be omnipotent, but I don't see that happening any time soon :-). I don't believe that ORBZ has the right to go around DOSing servers that they consider to be inadequately set up - effectively electing themselves judge, jury *and* executioners.
If ORBZ behaved a bit less arrogantly I suspect they would make fewer enemies.
...as long as individuals and other non-corporate entities run them. Why? Because we've seen how painfully easy it is for corporate or well-heeled individuals to apply pressure (usually monetary) against these individuals.
The solution is to make this process as anonymous as possible, yet maintain some degree of integrity in the process. Here's an idea: Somebody must be willing to step forward and create a script which can be fully automated to check for open relays. Generate the script signature, sign with a private key, and distribute script, signed sig, and public key. Run the script anonymously -- use anonymous relays, bogus envelopes, whatever it takes. Publish the results on Freenet, signed with the same key used to sign the sig of the script used. Obviously, the model needs some work, but I think if a public key is established as "trusted," then the results that are published anonymously on Freenet can be "trusted" with the same degree of trust.
Or something like that...
You are so wrong! Think about what you are saying for a second. You are saying that software vendors should be held liable for producing faulty software. What does this apply to? Only Lotus, Microsoft, and the big guys? What about holding Alan Cox and Linus liable for bugs in the Linux kernel? I hope you don't want to hold security programmers liable for demos of exploits. Software is fundamentally different from a product that can be recalled and judged unsafe. The marginal cost of software is zero, and it is not a physical product - it's just information.
Do you have any idea how it would cripple the software industry if they operated under the constant threat of product liability suits? What about old software? Really old versions of Sendmail were set to open relay by default. Certainly it's not the fault of the programmers that they didn't protect against spam, BEFORE SPAM EXISTED. Now think about a software industry where a pack of lawyers has to review every design document, every line of code in the name of 'product safety.'
This is clearly a case where the free market already solves these problems, and your foolish solution would only serve to artificially disable an industry. If companies are upset with Domino, they will eventually switch to a better software package. If Lotus cared about their customers, they would have patched their software. I can't believe it when people like you say these things without thinking of the consequences.
You did hit on one correct point - intent. It's unfortunate that ORBZ was in danger of being sued. They shouldn't be in danger, due to intent. They have no intent to DOS random Lotus Domino servers.. but it seems like they just can't risk it. If I intentionally exploited the Domino bug to crash servers, well that's another story. It's not Domino's problem, it's mine, and I should be carted to jail for that.
So now, regardless of the fact that I'm doing something completely benign, I have to also be careful about "offending" some poorly administered mail server? I won't even get into how stupid it is to set up a mail server with a local loop -- it's the principle of the matter that really pisses me off. Next I won't be allowed to surf the web with an adbuster because it confuses and even crashes some websites...eghads! What the hell is this world coming to?
And ORDB's, SpamCop's, DorkSlayer's, n.a.n.a's, ...
"It appears"? It is or it isn't. Funnily enough, I'd got the impression that cases were filed before courts ordered documents to be handed over.
Further to that, isn't the case going to be about past behaviour? So isn't taking ORBZ down is response to it a de facto admission of guilt? Is this some sort of preemptive plea bargain attempt?
Ian Gulliver has never struck me as being stupid or cowardly. I can't help but feel that there must be more communication going on here, i.e. an offer to drop the charges if ORBZ just goes away. Frankly, I find that highly distasteful, as it's edging very close to barratry.
I don't blame Ian one bit for shutting down, I just think that he's been shown a carrot as well as a stick so that this never has to reach a court.
If you were blocking sigs, you wouldn't have to read this.
Fortunately, they still exist, and the rest of us that hate spam will keep using it. If you feel frustrated by it, the solution is as simple as fixing your mail server. Period.
Who is to say what's a bug? Can I be sued because there's a feature a customer wants that I didn't implement? What if I wrote sendmail 10 years ago, and now someone sues me because I wrote an open relay? But there wasn't any spam when I wrote it. There is a grey area between bug, and undesired behavior. Let's say I write a word processor. Do I get sued because my app won't let you print from the print preview screen? Because it doesn't save your default tab stops?
You can't regulate software.. and if customers don't like something, they'll look to another vendor. This is already a self-regulated open market folks, move along..
It seems to me that if Orbz can send certain SMTP envelopes that cause Lotus Domino servers to go into a loop, those servers are going to need to be fixed.
:=)
This vulnerability is public knowledge now so how many black hats are going to be doing this just for fun and giggles?
I can't help feeling that when a company gets shut down rather than an obvious corrective action being taken, there is a hidden agenda lurking about. Just my suspicious nature taking over.
The race isn't always to the swift... but that's the way to bet!
dnl sendmail.mc: one DNSBL lookup per zone; a listed client is refused with the given message
FEATURE(dnsbl,`or.orbl.org', `Mail from $&{client_addr} refused: or.orbl.org. See http://www.orbl.org/')
FEATURE(dnsbl,`relays.ordb.org', `Mail from $&{client_addr} refused: relays.ordb.org. See http://www.ordb.org/')
FEATURE(dnsbl,`spamhaus.relays.osirusoft.com', `Mail from $&{client_addr} refused: spamhaus.relays.osirusoft.com. See http://relays.osirusoft.com/')
FEATURE(dnsbl,`spews.relays.osirusoft.com', `Mail from $&{client_addr} refused: spews.relays.osirusoft.com. See http://www.spews.org/bounce.html')
FEATURE(dnsbl,`rbl-plus.mail-abuse.org',`Mail from $&{client_addr} refused by RBL+. See http://www.mail-abuse.org/')
self-appointed policeman of the internet
I hate that term. Nobody just went and 'appointed' themselves policeman. Everything the blacklists do is completely voluntary - you (or your ISP) do not have to participate if you don't want to. This is in contrast to real police, who keep society in order as part of our social contract. We don't have a choice about that one.
I for one am happy to see this happen and I hope the rest of them all shut down or get shut down also.
The sheer volume of mail that we received as "probes" to test for relays which we have NEVER supported, is SPAM in itself, in my opinion.
Worst of all, I sent repeated requests to people like orbs.org asking to be excluded and they replied with very rude e-mails which contained vulgarities, etc. Real professional guys - glad to see another one bite the dust...
Eph. 1:2
Seems to me that the majority of the DoS attacks came from 127.0.0.1.
I suggest the prosecution track down the owner of that IP, and haul him into court instead of orbz.
Why don't "they" just sue the spammers out of existence? "They" would make all of our lives that much easier.
If ORBZ is testing for obscure bugs/holes, you can bet that the spammers are doing it too.
~Sean
I have started using a-s-k to block spam, and have been pretty happy with it.
http://sourceforge.net/projects/a-s-k/
http://www.paganini.net/ask
Spamassassin is nice in this regard, because you shouldn't need to change any configuration rules. The rule that ORBZ deals with, (RCVD_IN_ORBZ) shouldn't need to be changed, however, I'm going to weight the other rules that check for that kind of information (RCVD_IN_RELAYS_ORDB_ORG, RCVD_IN_OSIRUSOFT_COM, RCVD_IN_VISI, RCVD_IN_RFCI, and RCVD_IN_ORBS) up a few points to make up for the lost service.
I disable sigs...do you?
I mean, why the hell doesn't it just send a header like: MAIL FROM: <orbz-admin@orbz-domain.com> anyway?
This seems like it would have been such a simple technical issue to fix on ORBZ side without putting the burden of fixing the problem on Lotus or people running Domino.
<irony>I'm against theft of resources in the form of spam, but I'm all for theft of resources in the form of forced distributed software debugging</irony>
You can usually figure it out with the 220 greeting message. Most people don't change the message strings, and I pretty sure Domino says Lotus Domino in the 220 message, by default. It's been a long time since I talked to a server running it.
One could also try sending "HELP" which, with sendmail anyway, will give the version in the first response string.
I think that in any case, impact could have been minimized for affected Lotus Domino servers where ID could be determined.
"Alcohol, Tobacco, Firearms, and Explosives" should be a convenience store, not a government agency.
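Banner-based identification as the post above suggests, written out as an added example that is not from ORBZ or from the thread: the 220 greeting and the HELP reply are matched against a few vendor strings, and a skip list keeps a tester away from servers that identify themselves as Domino. The sample banners are constructed for the example and the match patterns are assumptions. As the earlier post on identifying servers points out, an operator can change or blank the banner, so "unknown" is treated as "probe" and a server that lies in its banner can still dodge the test.

```python
"""MTA fingerprint from volunteered strings, plus a skip list (added example, not ORBZ code)."""
import re
from typing import Optional, Tuple

# Ordered (label, regex); first match wins. Illustrative patterns, not an authoritative list.
SIGNATURES: Tuple[Tuple[str, str], ...] = (
    ("domino", r"lotus domino"),
    ("sendmail", r"\bsendmail\b"),
    ("postfix", r"\bpostfix\b"),
    ("qmail", r"\bqmail\b"),
)

# Constructed sample replies (assumption: illustrative, not captured from real hosts).
SAMPLE_DOMINO_220 = "220 mail.example.com ESMTP Service (Lotus Domino Release 5.0.8) ready"
SAMPLE_SENDMAIL_220 = "220 mail.example.com ESMTP Sendmail 8.12.1/8.12.1; Fri, 22 Mar 2002 10:00:00 -0500"
SAMPLE_SENDMAIL_HELP = "214-2.0.0 This is sendmail version 8.12.1\n214-2.0.0 Topics:\n214 2.0.0 End of HELP info"
SAMPLE_BLANK_220 = "220 mail.example.com ESMTP"            # operator removed the software name


def fingerprint(banner_220: str, help_reply: Optional[str] = None) -> str:
    """Best guess at the MTA from the 220 greeting and, if available, the HELP reply."""
    text = banner_220 + "\n" + (help_reply or "")
    for label, pattern in SIGNATURES:
        if re.search(pattern, text, re.IGNORECASE):
            return label
    return "unknown"


def sendmail_version(help_reply: str) -> Optional[str]:
    """sendmail names its version in the first HELP line; anything else yields None."""
    match = re.search(r"sendmail version (\S+)", help_reply, re.IGNORECASE)
    return match.group(1) if match else None


def should_probe(banner_220: str, help_reply: Optional[str] = None,
                 skip: Tuple[str, ...] = ("domino",)) -> bool:
    """Probe unless the server identifies itself as something on the skip list.

    'unknown' still gets probed: a blanked banner must not earn an exemption. The
    flip side is that a host which merely claims to be Domino is skipped, which is
    exactly the evasion an operator who wants to stay an open relay could use.
    """
    return fingerprint(banner_220, help_reply) not in skip


if __name__ == "__main__":
    for label, banner, helpr in (
        ("domino", SAMPLE_DOMINO_220, None),
        ("sendmail", SAMPLE_SENDMAIL_220, SAMPLE_SENDMAIL_HELP),
        ("blank", SAMPLE_BLANK_220, None),
    ):
        print(label, fingerprint(banner, helpr), "probe" if should_probe(banner, helpr) else "skip")
```

In practice the skip decision only limits collateral damage from a known-bad interaction; it is not a security control, because both inputs are under the remote operator's control.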
So fix your broken (almost certainly qmail) server.
And FWIW, one of the best things about ORBZ was how professionally it was run. They generally tried to err on the side of caution. For instance, addressing your strawman argument, the ORBZ test messages described exactly what they were, and provided links for more info.
Now I won't have to put up with any more double-bounces from ORBZ's continual probing of my closed relays. These don't even send out OUR mail. You can't test our outgoing relays, the conversation is in the wrong direction and won't pass our firewall.
Ian, YOU DUMBASS!! I hope you beat the criminal rap, but you got what was coming, what you were asking for. ORBZ's probes were every bit as much a trespass as the spam itself. Why they never understood this is beyond me. Plenty of other DNSBLs run a good list without intrusive probing, and are not getting put up on charges either.
Edith Keeler Must Die
Nonsense. The message is explain to your management what spam costs a company, and have them go along with it. We bounce an average of 500 mails from open relays per day into our not all that big network. The max so far is something like 2200 in a day. Even if people "just hit delete", the time adds up unbelievably fast. There is *NO* excuse to be running an open relay, AT ALL!
Do you have any idea how it would cripple the software industry if they operated under the constant threat of product liability suits?
Oh no! Then we would be under the same, crippling rules as just about every other industry on the planet. Microsoft, IBM, Symantec, et al, would actually need to make a due-diligence effort to fix bugs rather than add new, unnecessary features and eye candy.
Software engineering is not some kind of black magic. It's no different than any other form of complex engineering, be it passenger jets to modern automobiles. To do it right requires care, time, diligence, and testing. If software companies dedicated 1/10 the effort to testing their products that they do to marketing them, 99.99% of problems would be caught before the products ever shipped.
I guess what it comes down to is this: If you are truly a software engineer, then you should embrace time-proven engineering principles and stop hiding behind the "we're just selling a license" cop-out.
I've found that most hypocrites are on a moral crusade of one sort or another. But there are far more people on moral crusades who are not hypocrites. Being on a moral crusade <> hypocrite, but hypocrite == being on a moral crusade.
If all this should have a reason, we would be the last to know.
> I almost got a geeky linux dork fired for using one of their
> services to "protect" his servers.
Oh you should be *so* proud of yourself. You damn near got somebody
fired for trying to protect his company's mailboxes against the
incompetence and carelessness of companies like yours.
You wouldn't mind sharing with us your domain name or netblock, would
you?
Btw: If you'd tried that crap here, you would have received short
shrift. Even if my boss or my boss' boss (the owner) *was* friends
with your CEO. It's happened. The most that would happen is I'd
be instructed to white-list *that* *specific* email address. But I'd
be instructed to first try to get you to fix your broken-ass mail
server.
Asshole.
If they don't follow the RFC that's fine with me. However, I believe listing them at rfc-ignorant.org is a good thing so people who have chosen not to exchange email with domains who do not play by the rules have a chance to block IBM's mail automatically.
I understand the problems caused by spam. I understand how to configure a mail server. I don't understand why so many people line up behind this type of solution - it seems to me to be a case of the cure being worse than the disease.
What gives anyone the right to send any mail to my domain for any reason? Regardless of how poor my software may be, and how poorly configured, why should an outfit like ORBZ not be held responsible for what happens when they probe my system without my knowledge or consent?
My mail system is not an open relay. I'm frequently targeted as being an open relay because many of these vigilantes don't use competent and effective testing procedures. As soon as I end up on the list, I have to explain things that shouldn't need explaining, and we suffer an avalanche as the spammers pick up on the "open relay" list and attempt to route their traffic through our server. I eventually get the blacklisters straightened out, but it usually takes at least 7-10 days per occurrence. In the meantime, I'm getting as many as 2000-3000 pieces of spam per hour.
I'm leaving out technical details here. If anyone cares, I'll be glad to provide them. There are some of these groups that we've never had problems with because their testing methods are better. But the incompetents seem to outnumber them.
http://drteknikal.blogspot.com/
I don't think the software industry should be held to the same standards as, say, architects and structural engineers. I'm sure we could create amazing, cheap buildings if we weren't concerned about them crashing occasionally. But, we need buildings that can't crash, even once. However, we tolerate software that crashes occasionally due to quicker development cycles, lower costs, and more innovation.
I'm not in favor of a free ride.. of course I believe that software used in medical and nuclear plant situations needs to be rigidly tested and certified. Safety is the key - we should regulate industries based on safety, not arbitrarily impose the same restrictions on all industries.
For an open-source advocacy site, I'm puzzled at how many people think that software should be strictly regulated! Don't you realize that this is at odds with the basic philosophy of free software?
No one is suing him, these are criminal charges. Criminal charges are brought by the state.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
Ya, I've got a problem with spam. I had subscribed to the PHP mailing lists about 6 months ago, no big deal. Here about 2 weeks ago I no longer had a reason to need them and went to unsubscribe from them. I was told that the server would not take my email because my IP provider was in spews now.
Now mind you, my server (on its own IP address) has NEVER sent out spam (I'm the only one who can send email from it and I've no reason to spam). It seems that some fscking idiot on one of the IPs in CA (my server is in MN) spammed and spews will BH all class C's of the owner no matter where.
So now I get email I don't want and can't get rid of... Should I report the PHP mailing lists to spews as spammers? I'm on a list and I can't contact them to remove me, how is this different from the spammers? Easy to get on, impossible to get off of... :)
BWP
As for the second, what about the case where there were actual damages other than the loss of life or personal injury? For instance, a vulnerability or deficiency in your software leaks sensitive user data worth millions to an attacker or the public, resulting in your user going out of business, or losing substantial sums of money?
In that case, I don't see why software developers should be exempt from the same "due care" measure of negligence that *every other person* in *every other situation* in our society is. Does that mean I think that you should be able to sue for negligence if the spell checker in your email program doesn't fix your mistakes and makes you look stupid in your email correspondence? Maybe. But hopefully a judge or jury would realize that in that case no standard of "due" care was violated, and if you're lucky, penalize the plaintiff for filing a nuisance suit.
I think our existing laws about negligence have the right idea, and software developers shouldn't get some "magic" exemption.
Note, in some states and in front of some judges, your EULA might be ruled unenforceable anyway, and existing law will be brought to bear and you'd be out $$$ anyway, sucka.
You would think that Ian would have gotten a clue from all the people whom his probes angered. If he only restricted himself to testing systems for which he had spam on record, then he would have a defense. "Yes, your honor, I crashed the system, but I was only defending myself against more relayed spam." As it is, he had to fold because he has no justification for probing those systems.
-russ
Don't piss off The Angry Economist
That doesn't work, just as it doesn't work for most spammers. You see, like most other spammers, ORBZ lies about its hostname.
-russ
Don't piss off The Angry Economist
Thanks for the .mc snippet, but can you please explain why you have the open relay blockage listed twice? Won't this result in an extra query per each incoming email?!
FEATURE(dnsbl,`or.orbl.org', `Mail from $&{client_addr} refused: See http://or.orbl.org/ (ORBL)')
FEATURE(dnsbl,`or.orbl.org', `Mail from $&{client_addr} refused: or.orbl.org. See http://www.orbl.org/')
VKh
"Professionally" my ass. Ian lied about the source of the email. He used envelope sender addresses which would not return a bounce message back to him. He used envelope recipient addresses which were not only invalid, but which were specially crafted to break through a server's anti-relay defenses. These are the actions of a professional, yes -- a professional spammer.
-russ
Don't piss off The Angry Economist
Cases like this should show companies it is worth the money to hire competent systems administrators.
What's the point in that when stupid laws written by ignorant legislators (oops - redundancy) let you shoot the messenger instead?
On a tangent, my experience with Notes (aka Domino) is that it may be good for something, but that something is not email. It sucks for email.
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
Actually the additional hop does annoy me. I should be able to run my own mail server. It's nobody's business but mine who gets spam. I don't send it out, so that's not what I'm doing. But as far as a central organization who doesn't have any business blocking it, that's out of line. In my opinion if AOL or whoever wants to run ORBZ blocking that's their problem and their loss. They own their machines and can block whoever they want, however I think it's bad business practice.
I'm not sure how many of the slashdot crowd know this, but it was orbz policy not to stop testing a server when requested, unless requested in writing. If it was requested in writing, then they would stop testing the server and list them in orbz as an open relay.
So, as an administrator you had the choice between being tested and being blacklisted even if your server had never relayed a single piece of mail. It was also typical of users of orbz to submit every ip address of every mail server they received mail from regardless of it being spam or not. This was encouraged by the orbz administrator. I'm assuming that this policy, in combination with the fact that the testing caused Denial of Service for certain users might be what caused this suit. If you know you are causing a Denial of Service problem and you don't stop especially if you are requested to do so, I'd suspect that is actionable. Ian's inflexibility as to the policy of either testing (and putting up with the DoS if you were a Notes user) or being blacklisted seems like a bad idea if you rephrase it like "Either you let me crash your server or I'll blacklist you", which might be what the people on the other side are thinking.
Again. This is just my guess. I'm really interested in seeing the facts come to light in relation to this. I suspect that the fact that there was a fix available might be a way out for Ian, but I'll be watching with interest.
We run Notes here at work but no SMTP stuff. I've not gotten a delivery failure in about 11 months. Mail runs smooth and servers almost never go down. We have network outages more so than we do mail server downtime. I run R6\RNext at home and so far in the months since it came out it's been rock solid. Not exactly handling a ton of mail or WEB access but for beta it seems pretty good.
;-) Here in the office we've got quite a few people so mail gets delivered every few minutes on a busy day - the servers certainly do work hard. Oh, and none of that single object store crap going on either!
I dunno' - not disputing what you've seen but administered properly Notes is a pretty good product IMO. I'll grant that mail chimes aren't "instant" but that's a client issue not a server delivery problem. Hell, if my mail chimed as soon as something dropped in the box I'd have to turn it off or go deaf!
More on topic.. the latest RNext code supports an RBL! Unfortunately it looks like you've got to actually subscribe to it in order to use it - no thanks. I'm not sure how easy it would be to use another RBL but I'm hoping Lotus makes it an option. Locking down relaying also looks to be a little easier in this incarnation with things spelled out more clearly in the setup etc.
Whoever it is that's suing shouldn't have a leg to stand on since this is a bug in the server code - fixed by Lotus in later revisions. You would think that these folks would want to have a secure server, perhaps if their identity could be found out some SPAMMING SCUM could utilize their services? Might that teach them a lesson? (sigh) A shame one of the good guys is being forced out over this, I think identifying them for all to see and SHUN would be a very good idea...
P.S. Agree on what IBM has done to Lotus. Lots of firings and general disruption. Glad I never went to work for them! Friends did though and are now much poorer for it...
Build it, Drive it, Improve it! Hybridz.org
As a tech support rep for a not-so-small ISP, I can't help but think that the shutdown of an anti-spam blacklisting service would be a good thing.
One reason is that it often feels like they're overbearing - all too eager to put an ISP on the list (regardless of the relative quantity of spam) but not so eager to take them off. I can't help but think of the blacklisting of Hollywood stars in the '50s for communist beliefs; real or just perceived, you became a scapegoat for the real source of the problem (in this case, the actual spammers).
The other and personally more important reason is that it creates unrealistic expectations of ISP response. I once had a customer who expected us (the ISP) to change the mail server over to closed-relay (I don't even know if it WAS open-relay then) simply because he - one person - could not get Bigfoot's mail forwarding to work, as they used a blacklist site that happened to include our mail servers. To someone in tech support, that's about the same as asking "can you give my modem more bandwidth?" It sounds selfish and shows the relative ignorance of the customer.
Basically, these blacklists convince people that their ISP is some sort of monster (I don't think most ISPs say "let's go open-relay so companies we don't profit from can spam people!"), and worse in that they convince users that they can get support for things the ISP doesn't operate, just because they asked about it. How many of these blacklist sites warn you that most ISPs can't support the services of other companies? Almost none (if any). How many ask you to contact your ISP if their servers are on the blacklist, regardless of where the conflict is? Probably most (if not all) of them. As a result we get customers like the one I had, who are told by the site to contact us and expect us to change a major aspect of the service just because a single person (and we've had very few people in total) said so.
Besides, how much of this actually works? I believe most of our servers are now closed-relay (that customer wasn't the impetus, of course) but customers still get all kinds of spam, and they still think it's their ISP's fault (I've had customers tell me that WE were the spammers, that we sold their e-mail addresses, and so on). On top of this we get customers who actively complain that they can't send mail from accounts with us when they're away, when they could before.
It's not absolutely dire, but really... just like McCarthy, spam blacklists can frequently pass beyond genuine concern into unhealthy paranoia.
SMTP servers usually announce their name and version, right? These probes are relay probes checking for all of the various ways spammers can relay spam through a mail server, right? Why can't the probes simply skip this particular test, or use a slightly different relay test when it comes across an SMTP server carrying the Lotus signature? Sure, it means ORBZ is slightly less effective at identifying a potential SMTP relay, but it also doesn't DoS a buggy/misconfigured mail server and risk legal action.
It seems like this would be a better solution to the problem than simply throwing in the towel.
There is NO VALID CONFIGURATION which should result in an infinite loop on the bounceback. If there are ways to configure to avoid it, great. But there shouldn't be a way to actually configure it to do this, and it most certainly should NEVER be the default setup.
When mail is sent to a bad name, and it attempts to bounce back to the apparent sender, it should first recognize that it is connecting to itself. Failing that, the sender of the bounce message should either be a valid box to collect failed bounces for the postmaster to clean out, or it should be a null address which gets discarded. A bounce should never trigger another bounce, either on its delivery, its failure to deliver, or its return. In this, Lotus Notes/Domino is a defective software product and needs to be fixed. I recommend that Ian Gulliver ask his attorney about filing a motion of interpleader to bring IBM into the case as a defendant, if the plaintiff continues to pursue it. If IBM (which just stuck a big ad in my face here on /. spouting off about their security) can't fix this, then they are the ones who should be paying up.
now we need to go OSS in diesel cars
That return address is a perfectly valid one for which bounceback loops make no sense in compliance with email standards. Some defective mail servers check the sender address to determine if the mail should be sent to the recipient address, and if that sender address is "local" it allows it to go on. The test ORBZ was doing was a perfectly valid test that should never be forwarded on (but some mail servers see it as a local sender), and wouldn't bounce infinitely in a properly designed mail server.
now we need to go OSS in diesel cars
I have no reason to "target" Notes servers. The defect does NOT (apparently) make them open relays. So I have no reason to block them. However, when I found out who it is that pursued the complaint against ORBZ and threatened them with criminal charges, I WILL BLOCK THEM and I will send them mail explaining that they are blocked and why.
As for targeting Notes servers for DoS attacks, why would I do that? There are plenty of kids around to take care of the job :-)
now we need to go OSS in diesel cars
if an IP was verified clean then it could not be resubmitted within 30 days
Not only that, but if an IP address couldn't be tested (because it was down, or there were network problems, for example) then it was marked "clean" - and wouldn't be retested within 30 days.
If you want double bounce messages, that's your business. If you don't want them, you do know how to turn that off. Using local sender address is a way to fool many mail servers into relaying spam, so it is a valid test. If your mail server deals with this poorly, that's your problem. You can also filter your double bounces from your mailbox based on the headers. Do what you need to do.
now we need to go OSS in diesel cars
Ian was mimicking a spammer to carry out the test. So of course it can look like a spammer to those who fail to check the origin of the connection. Most of my servers have been tested, and I've never had a problem with it. Of course the tests must be specially crafted to break through the anti-relay defenses when the server is programmed or configured in a way that allows anyone to break through, as spammers can, and probably do. Calling Ian a spammer is absurd. He has not sent bulk mail.
now we need to go OSS in diesel cars
It seems to me that a spam e-mailer would make similar arguments. ``You get e-mail you don't want? That's your problem.''
What's the difference?
Is the difference just that ORBZ e-mail testing is good? What if I disagree? I'm sure some spammers think that their e-mail is good. Is their spam OK? Why is ORBZ right and the spammers wrong? Either way I get unsolicited e-mail in my mailbox.
The mechanism Ian was using was OPEN RELAYING. Open relaying was quite common before commercialization came to the internet, and it wasn't considered to be spam, then. Why should it be considered to be spam now? The definition of SPAM involves the bulk transmission of email. This bulk aspect is what causes the problem we fight against. Open relays are one of the mechanisms spammers have abused (remember, at one time, open relaying was a good thing when the internet was benevolent). When Ian sent a probe, as long as he didn't send bulk mail to many different addresses, it was NOT SPAM!
That said, he DID make a mistake in failing to stop sending to that server when the administrator complained. What he should have done was list the server as "will not test" and let us block mail coming from there under the principle that I cannot trust whether it is, or is not an open relay (I prefer not to accept mail delivery at the SMTP protocol layer from a server believed or suspected to be an open relay because it defeats my efforts to block sources of spam). This presumes that the administrator of that broken Notes server (double bounces as in qmail might be an annoying feature, but infinite bounces as in Notes is a blatant defect) did notify him. If not, then I place no blame on Ian whatsoever.
now we need to go OSS in diesel cars
I have administered Lotus Notes before. It was a RPITA ... worse than even sendmail. It's definitely something to be avoided, and where it can't be avoided, front-ended with another mail server (which I did).
now we need to go OSS in diesel cars
Of course it's my problem. I take care of my problem by not accepting mail from places I believe may send spam. Then it's up to them to decide whether they want to continue their ways, or change their ways. ORBZ email testing did not disrupt my servers. I see no basis to believe those probes would disrupt any properly designed and properly configured servers. ORBZ provided useful information for me to further my aims to prevent incoming mail from misconfigured and broken mail servers. As long as ORBZ was not sending their probes in bulk, I don't see it as spam.
now we need to go OSS in diesel cars
To me, spam is unsolicited e-mail. I don't know what sending in bulk has to do with anything. I just care about what winds up in my mailbox.
You're right in that I should have just refused to accept mail from ORBZ. Unfortunately, doing so would have caused me to be listed in ORBZ, and thus caused others to not receive my e-mail. Catch-22: refusing to accept spam would have caused me to be labelled as a spam generator.
My main point, from the post which started this thread, is simply that I believe that ORBZ was acting in a hypocritical fashion, which is a risky position from which to take a moral stand.
So contact the damned morons in the Michigan justice department, contact the governor, contact the local media there. What a shower of incompetent asinine fools. They're supposed to be defending the public interest not assaulting it. They have removed a valuable public service to the world under the guise of doing the opposite. This kind of inexcusable stupidity by Michigan authorities makes me furious. Why don't those incompetent morons go catch some real DoS criminals. Oh wait, that would require some real investigative work on the part of some damnably stupid people there. It's too much to hope that these idiots will be held accountable for their wanton vandalism here.
So if you post online, and your email address is available, and someone replies by email directly, instead of doing an online followup, you consider that spam? I don't.
Take a look at the history of the term "spam". It came from a skit on Monty Python's Flying Circus where the term "Spam", in reference to a processed pork meat product, was repeated extensively in the skit. Later, this skit was repeated in online MUD games, and morphed into repeats of many other words. But the term "spamming" developed there as a result of the pointless repeating. It then was used in reference to repeated online postings to multiple newsgroups in Usenet, and from there to email.
The bulk postings on Usenet don't have any particular "solicited" attribute. Spam is unacceptable because it cannot scale. It's not something that is practical for "everyone to do it" due to the lower sender cost and high receiver cost.
The term "unsolicited" was added later to distinguish the most hated forms of spam which are sent to harvested email lists gathered from various sources unrelated to preferences in receiving commercial announcements. The terms "spam" and "unsolicited" do intersect, but are not the same set.
If you don't want to make it possible for specific parties to determine whether your mail server can or cannot be exploited by others who have bad intents, then I don't blame them for then listing your mail server as one that the safety of which cannot be determined. I would then not want to allow my mail server to accept any mail from your mail server due to the risk that such mail may in fact be the spam that has exploited your server.
All you need to do is to refuse to RELAY the mail in the probe. Then discard the bounce-back when it has the string "sender.orbz.org" in the headers. They are NOT depending on the bounceback coming back; just depending on the delivery not being completed in the original probe. Don't reject the probe ... just reject the forwarding/relaying of the probe.
IMHO, ORBZ was doing a fine job, and doing it reasonably well. I don't see their probe as being "spam" (yes, it is technically "unsolicited", but that's not the issue I concern myself with), and I see their database as useful in rejecting delivery attempts from risky servers. I will miss them. I've already gotten 5 spams today, well exceeding my recent average of about 1 per day (with about 50 rejected per day to just my own email addresses). I hope they find a way to get back online, and I hope you find a way to make your mail server operate smoothly even with these probes. The only problem I'd see is if hundreds of people started up their own system of probes.
now we need to go OSS in diesel cars
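The bounce-loop argument made earlier in this thread (a bounce must carry the null sender and must never itself be bounced) and the "local sender" relay test discussed in the posts above, modelled as an added example. This is illustrative code written for this page, not Domino's, sendmail's or ORBZ's; the domains, networks and mailbox names are constructed sample data.

```python
"""Relay-policy and bounce-loop checks for an SMTP receiver.

Illustrative code for this thread, not Domino's, sendmail's or ORBZ's code.
It models the two behaviours argued over above:
  1. A relay probe uses an envelope sender that merely looks local (e.g.
     "bounce-xxx@localhost"). A server that relays because the sender looks
     local, rather than because the connecting client is trusted, is an
     open relay.
  2. A non-delivery report (bounce) must be sent with the null reverse-path
     "<>" and must never itself be bounced; a host that bounces with a
     sender address that is itself undeliverable loops forever.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

NULL_SENDER = ""  # represents MAIL FROM:<>

# Constructed sample site data (documentation/test-net addresses).
LOCAL_DOMAINS = {"example.com"}
TRUSTED_NETS = [ip_network("192.0.2.0/24")]
KNOWN_MAILBOXES = {"postmaster@example.com", "user@example.com"}


@dataclass(frozen=True)
class Envelope:
    client_ip: str  # address of the connecting SMTP client
    mail_from: str  # envelope sender (Return-Path); NULL_SENDER for <>
    rcpt_to: str    # envelope recipient


def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def naive_relay_allowed(env, local_domains=LOCAL_DOMAINS):
    """Weak policy: accept if the recipient is local OR the sender looks
    local. The second clause is what a localhost-sender probe exercises."""
    if domain_of(env.rcpt_to) in local_domains:
        return True
    return domain_of(env.mail_from) in (local_domains | {"localhost"})


def strict_relay_allowed(env, local_domains=LOCAL_DOMAINS,
                         trusted_nets=TRUSTED_NETS):
    """Sound policy: accept local recipients from anyone and relay only for
    clients inside trusted_nets. The envelope sender is never consulted,
    because the remote client chooses it."""
    if domain_of(env.rcpt_to) in local_domains:
        return True
    client = ip_address(env.client_ip)
    return any(client in net for net in trusted_nets)


def make_bounce(failed, bounce_sender):
    """Envelope of the non-delivery report for `failed`, or None when none
    may be sent: a message whose reverse-path is already null is itself a
    bounce and must be discarded, never bounced again."""
    if failed.mail_from == NULL_SENDER:
        return None
    return Envelope("127.0.0.1", bounce_sender, failed.mail_from)


def bounce_chain(first, known_mailboxes=KNOWN_MAILBOXES,
                 bounce_sender=NULL_SENDER, max_hops=20):
    """Simulate a host on which delivery to any address outside
    known_mailboxes fails and each failure is bounced to its sender.
    Returns how many bounces are generated before the chain stops, or
    max_hops if it never stops (the infinite-loop defect)."""
    env, bounces = first, 0
    while bounces < max_hops and env.rcpt_to not in known_mailboxes:
        nxt = make_bounce(env, bounce_sender)
        if nxt is None:
            break
        bounces += 1
        env = nxt
    return bounces


if __name__ == "__main__":
    # A probe from an untrusted client, as a relay tester would send it.
    probe = Envelope("203.0.113.5", "bounce-xxx@localhost", "nobody@example.net")
    print("naive policy relays probe:", naive_relay_allowed(probe))    # True
    print("strict policy relays probe:", strict_relay_allowed(probe))  # False
    print("bounces with <> sender:", bounce_chain(probe))              # 1
    print("bounces with valid postmaster sender:",
          bounce_chain(probe, bounce_sender="postmaster@example.com"))  # 2
    print("bounces with undeliverable sender:",
          bounce_chain(probe, bounce_sender="mailer-daemon@localhost"))  # 20
```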
See the part where it says Return-Path: bounce-xxxxxxx@localhost? That's the part where Ian is lying about his email address. His email address is not and has never been anything @localhost.
-russ
Don't piss off The Angry Economist
I had no opinion about Ian before he spammed me. Clearly that was not a good first impression for him to make on me! My opinion is that Ian is a teenager who has a sense of idealism -- that he should be able to create something wonderful, something perfect. His creation is a list of each and every open relay on the Internet. I have no problem with that. It is a worthy goal. Unfortunately, his methods involve sending fraudulently-addressed email to innocent SMTP servers. He and I disagree on whether he should use this method to discover open relays. He doesn't see anything wrong with this. I agree with him that testing for an open relay requires that he send such email. That would be perfectly fine if he was defending *his* SMTP server against attacks by someone running an SMTP client. It's perfectly reasonable to see if that host is also running an SMTP server which is an open relay. Self-defense is a perfectly fine reason for doing this. Ian went far, far beyond this, and tested (dare I say "abused"?) servers with no history of abuse. This is why he is now in the position of having to defend himself against charges of abuse.
-russ
Don't piss off The Angry Economist
By all means, explain what those ulterior motives might be. I am paid by nobody for my anti-spam efforts, so I have no pecuniary interest.
My motives are exactly as I laid out on the orbz mailing list: I don't want to be attacked by open relay probes, and I don't want other innocent hosts to be similarly attacked. I have no problem with testing a host which has sent you spam. I have no problem with testing a host on behalf of someone who was sent spam. But unless you have a copy of the spam in hand, testing the host is completely irresponsible.
-russ
Don't piss off The Angry Economist
Me again. Elsewhere it has been noted that IBM has in fact fixed this a while back. In this case, (someone at) IBM should be called as an expert witness to testify that the bug is fixed and that the administrator of the defective system is negligent in having failed to apply the fix. Failure to apply fixes is a major cause of security and spam problems on the net, certainly costing at least hundreds of millions of dollars a year to clean up, and lost time and bandwidth dealing with the effects. Someone who fails to apply fixes in a timely manner (30 days tops) should be slapped very very hard.
And we want to know who the hell it is that brought this complaint.
now we need to go OSS in diesel cars
Mail servers need to be configured to relay mail from the localhost (themselves). Otherwise, things just don't work. What using the 127.0.0.1 does is attempt to fool the mail server into thinking that the mail is coming from itself.
Actually it doesn't, since most mail software uses some other form of IPC for local deliveries.
The rest of the message makes it more than a little plain that it was an ORBZ test doesn't it? Does context mean nothing to you? He did the same thing any bulk mailer would've done.
I had my server tested by a different service last night, a Domino server in fact. It was found to relay (doh!) but I was able to fix it with a little reading and reconfiguring. I believe that some of the test messages I received also had faked fields just like the one above. In fact looking at some of the bounces it looks like the test even tried to spoof my upstream provider! My server survived just fine, I didn't receive tons of crap in my mailboxes, and in the end I've got a better server for it. If they HADN'T used the same sorts of tricks that a SPAMMER would've done then what good would the test have been?
Build it, Drive it, Improve it! Hybridz.org
I just thought I'd report how my mail server handled the shutdown.
When I heard ORBZ was shutting down, I started to look for another service. After some research I decided to use relays.osirusoft.com and spew.relays.osirusoft.com. I've been running the server for over a day now with those filters, and I haven't received any spam (neither has any of the other users). Good mail has come through though =)
I recommend the two services I mentioned here, they seem to work really well!
Open Relay Database
Thanks for the info! I'm about to block them. But in the course of digging for info, I also found that they cannot send me mail anyway due to the fact they failed to put in their reverse DNS. That solidifies my knowledge that their network/server is being operated by someone not very competent.
phil@pollux:/home/phil 33> dnstracer 120.158.120.216.in-addr.arpa | head
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;; 120.158.120.216.in-addr.arpa, type = PTR, class = IN
;; Total query time: 288 msec
;; FROM: pollux.ipal.net to SERVER: NSB.TRIVALENT.NET. 216.120.131.35
;; WHEN: Thu Mar 21 15:56:15 2002
;; MSG SIZE sent: 46 rcvd: 46
Tracing to 120.158.120.216.in-addr.arpa via 209.102.208.30, timeout 15 seconds
209.102.208.30 (209.102.208.30)
|\___ D.ROOT-SERVERS.NET (128.8.10.90)
| |\___ JERK.ARIN.NET (192.12.94.32)
| | |\___ NSB.TRIVALENT.NET (216.120.131.35)
| | \___ NSA.TRIVALENT.NET (216.120.131.34)
| |\___ INDIGO.ARIN.NET (192.31.80.32)
| | |\___ NSB.TRIVALENT.NET (216.120.131.35) (cached)
| | \___ NSA.TRIVALENT.NET (216.120.131.34) (cached)
| |\___ HENNA.ARIN.NET (192.26.92.32)
phil@pollux:/home/phil 34> dig @NSB.TRIVALENT.NET. 120.158.120.216.in-addr.arpa. ptr
; <<>> DiG 8.3 <<>> @NSB.TRIVALENT.NET. 120.158.120.216.in-addr.arpa. ptr
; (1 server found)
phil@pollux:/home/phil 35>
now we need to go OSS in diesel cars
The issue isn't spammers setting up their own servers as open relays. Spammers don't set up open relays; they use other people's open relays. If the spammers were setting up the servers, they would presumably have them only relay their spam, not everyone else's.
The issue is when person A sets up their server wrong and person B sends spam through it; person A isn't responsible for the message and person B is impossible to find.