Slashdot Mirror


ORBZ Shuts Down

Tim Jackson writes: "In a depressing development for those wanting to protect themselves against spam, it appears that popular open relay database ORBZ (formerly at www.orbz.org) has shut down effective immediately - see here for the final post from ORBZ admin Ian Gulliver on the ORBZ list explaining the reasons behind the closure. The 'Lotus Domino' issue he refers to is the issue he discovered in the course of running ORBZ and reported to Bugtraq, which means that certain SMTP envelopes (such as those sent by ORBZ when testing for open relays) cause Lotus Domino servers to go into a loop, effectively creating a DoS situation. Unfortunately (but understandably), irrelevant of the merits of the case, Ian doesn't want to risk jail for the sake of spam fighting. Of course, if common sense prevailed, it would be the mail server vendor in court for producing insecure mail server software, not a third party for happening to send requests that unintentionally crash poorly-written servers."

47 of 409 comments

  1. That was quiet by Big+Dogs+Cock · · Score: 4, Funny

    They should've mailed everyone to tell them.

    --
    "Under the iron bridge, we fist" - The Smiths, Still Ill
  2. El Reg by Mr+Windows · · Score: 5, Informative

    The Register has a little more info. It seems that there is a workaround which involves changing the settings in Domino, though persuading everyone in the world who's running Domino to apply the fix might be hard! It seems like orbz.org is down already, and it's probably going to stay that way :(

    1. Re:El Reg by tcr · · Score: 3, Interesting

      True, but Domino administrators tend to be sensitive about SMTP settings - mainly because a Domino server install defaults to being an open relay!

      --


      Information wants to be beer.
  3. Domino... by Junta · · Score: 5, Insightful

    Is crap for a mailserver, I've always had problems out of it and avoid it like the plague when I can get away with it. For one, it tries to do too much for a mailserver, and its functionality as a mail server seems to be secondary to its database features. Domino may work well as a workflow engine/document management, but it really isn't a good Mail server implementation. Unfortunately, so many companies use it as an Exchange replacement, even though it is intended to do much more and mail is done in a really clunky way.. Just spend a few days using Notes and you'll agree that mail does not seem to be a central concern in the scheme of domino..

    Personally, I think postfix or qmail are good mail servers (though postfix doesn't cope at all with accounts that have uppercase in them, and qmail is only marginally better at it...). They are simple, short, and to the point. If you must use domino for mail serving, I would suggest having some sort of minimalistic mail server to act as a go between between domino and the outside world, as domino's is flawed in so many ways...

    --
    XML is like violence. If it doesn't solve the problem, use more.
  4. Relay-testing by Rupert · · Score: 3, Insightful

    I've never liked the open relay test based spam filters. Of course, they have a right to list who they want on their list, and if I run a publicly accessible SMTP server I can expect all kinds of bizarre malformed SMTP headers to arrive. However, when you are a self-appointed policeman of the internet, you should first be a good netizen. One of the things good netizens do not do is repeatedly exploit bugs in other people's software to bring down services. Imagine if netcraft started crashing some obscure OS/2 web server with its queries. We'd expect them to stop querying those servers, at the very least, and at best to fix their query.

    --
    E_NOSIG
    1. Re:Relay-testing by felicity · · Score: 4, Insightful
      This doesn't make sense -- don't attempt a query against server type X when the query is attempting to determine if the server is type X.

      The open-relay checks are not made up of "bizarre malformed SMTP" commands. "HELO", "MAIL", "RCPT", "DATA", and "QUIT" are the only commands that one should be using to do relay checks. If a mail server gets into a tizzy with those, then it's a completely broken server since all other servers will be sending those commands.

      As with the netcraft tests (ie: web servers unable to handle a "GET" request), it's not the fault of the person sending the request if the server is expected to know how to handle said requests.

    2. Re:Relay-testing by Rik+van+Riel · · Score: 3, Insightful
      However, when you are a self-appointed policeman of the internet ...
      They're absolutely not self-appointed.

      When I chose to use ORBZ on my mail server, I "appoint" the administrators of that DNSBL list.

      The spammers using the "free speech" argument will run into the same thing; their right to free spam^H^Heech stops at the border of my private network.

    3. Re:Relay-testing by liquidsin · · Score: 3, Insightful

      I realize it's not a bug, but is it responsible of slashdot to post links to small sites that don't have the bandwidth and bring down their servers? We, the slashdot community, are constantly bringing down sites. Do you blame slashdot for this? It's not his fault they haven't patched their shoddy software, and it's not a malicious attack - he's not repeatedly crashing the same servers. It's a bug - a security flaw - and it needs to be fixed.

      --
      do not read this line twice.
    4. Re:Relay-testing by tkrotchko · · Score: 4, Insightful

      You're right. But on the other hand, once you understand what you're doing is crashing servers, you should probably either (a) fix what you're doing, even though it's not your fault (b) refuse to test domino servers until they get it fixed.

      Or both.

      But to say "Gee, we crash Lotus server, too bad for them" is really poor manners.

      Mind you, it isn't criminal in a sane world, but it is thoughtless.

      --
      You were mistaken. Which is odd, since memory shouldn't be a problem for you
    5. Re:Relay-testing by ftobin · · Score: 3, Insightful

      You're right. But on the other hand, once you understand what you're doing is crashing servers, you should probably either (a) fix what you're doing, even though it's not your fault (b) refuse to test domino servers until they get it fixed.

      With regards to your (a), there wasn't anything to 'fix' on ORBZ's end. If you think so, you have a gross lack of knowledge of SMTP. If you think (b) is a viable solution, then it would only be fair to mark all Lotus servers as open relays if they can't be tested. This would be a worse solution than simply getting people to fix their Lotus servers.

    6. Re:Relay-testing by fulgan · · Score: 3, Insightful

      You are wrong on two accounts.

      First, you're wrong when you say "repeatedly exploit bugs in other people's software to bring down services". You're mixing effects and intents. The EFFECT is a crashed/hung server. The intent, however, is quite different.

      Second, internet mail software must follow a set of rules defined by the relevant RFCs. If a server software does not follow these rules and crashes when they are followed by third parties on it, it shouldn't be put into use on the internet and, if it is, then the blame clearly can't be put on the external party (in particular if it can be proved that the intent wasn't to DOS the server, something quite easy in this case).

      Now, this mostly boils down to: do the ORBZ scans follow the RFCs. Well, I've been scanned several times and, so far, I've not seen anything that wasn't abiding by the RFCs.

  5. Incompetent Admins by DragonC · · Score: 5, Informative

    I run a Domino server. In fact I run lots of Domino websites. And this "Denial of Service" issue that is reported is really due to Admins who don't know what they're doing.

    Any system can try and forward to 127.0.0.1 if it is set that way. There is so much information available at all the normal locations that it is really the Admins' own fault. Why they should take it out on somebody who has done us all a superb service is anybody's guess.

    Where to look for info:
    Lotus
    Notes.net
    DominoHive
    SecurityTracker for Domino

    1. Re:Incompetent Admins by WildBeast · · Score: 3, Interesting

      True, but remember that it's the same thing for at least 95% of security issues. Dumb and extremely busy admins will go with the default install and they usually won't even customize the software. So who gets the blame? MS, IBM, Sun, Linux, etc.

  6. Stupid question by ethereal · · Score: 5, Insightful

    I'm sure I'm missing something here, but why can't ORBZ use a different envelope that doesn't bounce to 127.0.0.1? If they would just use an envelope that bounces back to one of their machines, for example, then they could still test open relays in a non-destructive manner.

    Can someone more knowledgeable than myself explain why they would rather go out of business than slightly alter their envelope that they test with?

    --

    Your right to not believe: Americans United for Separation of Church and

    1. Re:Stupid question by Ioldanach · · Score: 5, Informative
      why can't ORBZ use a different envelope that doesn't bounce to 127.0.0.1
      Because they're testing for obscure bugs that allow spammers to use a server as an open relay even when it's configured properly.
  7. Re:Sounds weak to me by Ioldanach · · Score: 3, Interesting
    Why not just use another envelope? I'm guessing ORBZ wanted to go away anyway and are using this as an excuse.

    They used multiple envelope types when checking a relay that had requested to be taken off the list in order to make sure the site couldn't be used by a spammer. Some of the envelopes were unorthodox envelopes that spammers could use to get through a particular server's bugs, making an apparently clean mail server an open relay.

  8. yeah right.... by reaper20 · · Score: 4, Interesting

    Of course, if common sense prevailed, it would be the mail server vendor in court for producing insecure mail server software.

    And that would leave us with how many commercial mail servers? None. :)

    More laws like this will only make things worse. One thing we have seen proven time and time again (SSSCA, DMCA) is that legislation of technology by people who don't understand it, or who are influenced by people who don't understand it, does not work.

    I'd bet that nine out of ten 'insecure' or 'spamfriendly' open relays are human related errors. Granted, using sendmail is like playing with a loaded gun with the trigger welded down, but it is possible, and other MTAs are pretty damn secure and fast (I like Postfix).

  9. Just silly by interiot · · Score: 4, Informative
    The "DoS" is simply a mail header of the form:
    • MAIL FROM:<bounce@[127.0.0.1]>
      RCPT TO:<address@domain.com>
    Why IBM decided to pursue criminal prosecution rather than releasing a simple bugfix is beyond me.
    1. Re:Just silly by larien · · Score: 3, Informative

      My guess is that it isn't IBM, but the admins of the crashing mail servers doing the suing.

  10. ORBS, ORBZ, and MAPS Previously on Slashdot by rtos · · Score: 3, Informative
    Previously on Slashdot:
    ORBS Forks : "Wired is carrying this article about the shutdown of Alan Brown's Open Relay Behavior-Modification System, more commonly known as ORBS. Brown, of New Zealand, closed his operation after two local companies won legal injunctions against him for listing them." It seems the list of 94,000 open relays will be maintained by: "Open Relay Black List of Phoenix, AZ, Open Relay Block Zone (ORBZ), of Basingstoke, England, and the Open Relay Database (ORDB), of Aarhus, Denmark." We've gotten a zillion ORBS submissions since the day its website went down, but this is the first post-ORBS story with enough info to be worth a mention. Guess the dust just needed to settle."

    MAPS vs. ORBS : "It seems that the anti-spammers at MAPS and ORBS have gone from a cold war into a shooting one, with MAPS listing ORBS on their blackhole list. ORBS accuses MAPS of doing it for financial gain, MAPS accuses ORBS of attacking systems, Alan Cox gets peeved about spam, kuro5hin.org has the obligatory "Slashdot is censoring the story!" postings but has at least one seemingly clueful post, and the U.S. House passed an anti-spam bill yesterday - coincidence, or devious conspiracy?"

    ORBS Lookup Entries Undergo Major Revamping : "I noticed this morning that as of 2001/2/1 relays.orbs.org has been decommissioned, ORBS has announced. The announcement further mentions some serious new testing/checking/hostname additions, about a dozen of them, that will greatly increase the granularity of the ORBS results. A benefit seems to be the end user now has fine granularity in the results s/he will get back, obviating some of the bullshit griping that surrounds ORBS most often. More power to us and them. =)"

    It is always helpful to read current stories with a bit of historical context.
    --
    -- null
  11. A quick run-down of what ORBZ is (i.e. was) by let+the+storm · · Score: 5, Informative

    ORBZ never came into as widespread use as it perhaps deserved, so a lot of slashdotters might be left wondering what exactly it is (was):
    The short story is that it is a replacement to the now-dead ORBS, which stood for "Open Relay Behaviour-modification System", and was basically a system of centrally "policing" open mail relays by occasionally testing them with scripts. Any system that failed the test eventually entered ORBS's "black list", which some mail admins used to bounce email with a path through them. Well, that project died, so ORBZ was born: the "Open Relay Blackhole Zones".
    Now, it too, is dead.
    And we can go back to blocking the whole of china, rather than just open relays on it.
    shrug.

    --
    m iso socially aware artistic geek pen-pal, m or f, in '1337 edu. jazz, poetry a must.

    1. Re:A quick run-down of what ORBZ is (i.e. was) by Syberghost · · Score: 3, Informative

      It was more widely used than most people know; Spamcop used it. (And as of last check was still attempting to, although I've emailed them, perhaps they've fixed it by now.)

      Because of that, I bet lots of people who have never heard of ORBZ were "using" it.

      But there's no reason to despair; there are many others still functioning, and new ones coming up all the time.

      My favorite new one is NJABL; Not Just Another BlackList.

      Spamcop has a lovely one, and Osirus is excellent as well.

  12. MAPS is still alive and well. by tweakt · · Score: 5, Informative

    Mail Abuse Prevention System

    Tracks open relays, dial up netblocks, etc. Works with sendmail, postfix, etc..
    Does require paid subscription, but free for personal/hobbyist usage.

  13. Where do you draw the line ?? by Srin+Tuar · · Score: 3, Insightful


    Anybody can access a publicly available SMTP service and produce whatever type of SMTP headers they want. It is a publicly available service.

    However, your typical hacker does a similar thing, he sends bytes to a publicly available service.

    If you decide that any uninvited data being sent to your server is a crime, then sending an email to someone you don't know is a crime. If you think it's not a crime, then what script kidz do is a public service.

    I personally hold to the latter, even though I abhor spam and hate malicious crackers. I think that by holding the server owner who's providing publicly available services accountable for his own security, that we would get more secure software out of it, and less coverups. (lawyers trying to do work that can only be done by programmers) SMTP servers should be able to handle munged headers!

    I can imagine the PHB thinking now "Well since I can't sue the kiddie who's sending those bad SMTP headers, I guess I'm going to have to actually fix the bug in my mail server, oh the humanity!"

    Of course fraud etc should still be a crime- but why should accessing publicly provided data services be one?

  14. Re:Sounds weak to me by Junta · · Score: 5, Interesting

    Well, in any case it is good to get DoS bugs fixed.

    But with regards to IDing the server, you can't with certainty determine what SMTP server is running. Sure you can make a reasonable guess based on what strings follow the numbers during the SMTP transaction, but for some mailservers this is configurable or even could be disabled.

    Let's say there was an envelope type that postfix occasionally lets through. Now, if the admin of that for some reason actually wants to exploit this to have an open mail relay, it could fake the strings to make it look like a server that wouldn't get probed for it...

    In any case, I started work for a company and one of the first things I did was fix their mail servers so that they both did not offer open mail relays, and also played nice with ORBZ testing procedure, and it was Lotus Domino, FYI. It's not like they randomly probe you into oblivion, you request the test and have a reasonable picture of when it will happen, and if you have been digging around the mailserver and fix it right before asking, this isn't a problem. Cases like this should show companies it is worth the money to hire competent systems administrators.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  15. I'd be curious to know by FreeUser · · Score: 4, Interesting

    Why IBM decided to pursue criminal prosecution rather than releasing a simple bugfix is beyond me.

    If it is IBM, they deserve to be bitchslapped. Hard.

    However, I'd be very curious to know who is actually doing the suing and issuing the legal threats.

    I suspect they are incompetent admins, trying to cover their own incompetency by pointing an accusing finger at the innocent, in this case ORBZ.

    Incompetents banding together has to be one of the more sinister forces in our society: far more common than intelligent and nefarious conspiracies (which probably can be counted on one hand, if that), far more wide reaching, and far more destructive.

    OTOH, for the more paranoid: what are the odds that some SPAMMERs themselves have set up Domino servers with the explicit knowledge of this bug, in order to have legal grounds to threaten and sue one of their most effective opponents out of existence? Actually, I was writing the previous sentence as a joke, but as I type it I don't find the scenario nearly as unlikely as I first thought.

    --
    The Future of Human Evolution: Autonomy
  16. Not such a great loss as made out by Zocalo · · Score: 5, Interesting
    I actually stopped using ORBZ some time ago because of the way their database worked in conjunction with the vast amounts of spam coming from DSL lines. Basically if an IP was verified clean then it could not be resubmitted within 30 days, fair enough I guess, but this really fell apart with spam originating from what appeared to be dynamically allocated pools of DSL users. Obviously the same servers were changing IPs, and being reused by the same spammers, but ORBZ's submission engine couldn't deal with this in my numerous attempts to submit active spammers.

    I emailed ORBZ over the issue, citing three identical spams all of which were from the same physical server (from a typo in the headers) yet from different IPs, all of which were marked as "Verified clean within the last 30 days". ORBZ' response to this was basically "use multiple RBL servers", which I already was. I stopped using them at all the same day and switched to an alternate RBL server that I could submit spam to for automatic inclusion once verified. Since then I've also set up my own local RBL server, which makes things much easier when you have multiple SMTP servers to administer...

    --
    UNIX? They're not even circumcised! Savages!
  17. Re:Not his problem by vsync64 · · Score: 3, Insightful
    And Jail Time! heh. Give us a break. You can't be put in jail for writing good software.

    Oh really?

    --
    TO BUY A NEW CAR WOULD MAKE YOU SEXUALLY ATTRACTIVE.
  18. Re:Not so stupid question by Webmoth · · Score: 4, Informative

    why can't ORBZ use a different envelope that doesn't bounce to 127.0.0.1?

    Mail servers need to be configured to relay mail from the localhost (themselves). Otherwise, things just don't work. What using the 127.0.0.1 does is attempt to fool the mail server into thinking that the mail is coming from itself. Also, it makes sysadmins aware that there's a config problem in their mail servers. :-)

    If a server can't relay, it should REJECT the mail ("error: no relay thru here") but Lotus seems to be bouncing it.

    A properly configured mail server will be able to look at the mail and say to itself, "I've seen this before, let's trash it."

    A mail server should NEVER crash due to malformed messages. The strongest lock is no good if the door is weak.

    --
    Give me my freedom, and I'll take care of my own security, thank you.
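
The envelope quoted earlier in the thread (MAIL FROM:<bounce@[127.0.0.1]>) and the reject-rather-than-bounce behaviour described in the comment above can be expressed as an SMTP-time policy check. This is an added example, not part of the thread and not Domino's or ORBZ's code; the policy layout, function names, reply texts and sample addresses are assumptions made for illustration.

```python
import ipaddress
import re

# Address-literal domain such as [127.0.0.1] or [IPv6:::1] (RFC 5321, section 4.1.3).
_LITERAL = re.compile(r"^\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]$", re.IGNORECASE)


def parse_path(arg):
    """Split '<local@domain>' into (local, domain); the null path '<>' gives (None, None)."""
    arg = arg.strip()
    if not (arg.startswith("<") and arg.endswith(">")):
        raise ValueError("path must be enclosed in angle brackets")
    inner = arg[1:-1]
    if inner == "":
        return None, None
    local, at, domain = inner.rpartition("@")
    if not at or not local or not domain:
        raise ValueError("path needs a local part and a domain")
    return local, domain


def literal_ip(domain):
    """Return the IP inside an address literal, or None for an ordinary host name."""
    if not domain.startswith("["):
        return None
    match = _LITERAL.match(domain)
    if not match:
        raise ValueError("malformed address literal")
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:
        raise ValueError("malformed address literal") from None


def check_envelope(client_ip, mail_from, rcpt_to, policy):
    """Decide the SMTP reply for one MAIL FROM / RCPT TO pair as (code, text)."""
    try:
        _, sender_dom = parse_path(mail_from)
        _, rcpt_dom = parse_path(rcpt_to)
        if rcpt_dom is None:
            raise ValueError("null recipient")
        sender_ip = literal_ip(sender_dom) if sender_dom else None
        rcpt_ip = literal_ip(rcpt_dom)
    except ValueError as exc:
        return 501, "5.5.4 " + str(exc)

    # A bounce for such a sender would be delivered straight back to this host,
    # so refuse it before any message is accepted (assumed local policy).
    if sender_ip is not None and (
        sender_ip.is_loopback or sender_ip.is_unspecified or sender_ip in policy["own_ips"]
    ):
        return 553, "5.1.8 sender address literal points at this host"

    rcpt_is_local = rcpt_dom.lower() in policy["local_domains"] or (
        rcpt_ip is not None and rcpt_ip in policy["own_ips"]
    )
    client = ipaddress.ip_address(client_ip)
    client_trusted = any(client in net for net in policy["trusted_nets"])
    # Reject at RCPT time: nothing is queued, so nothing can bounce or loop later.
    if not rcpt_is_local and not client_trusted:
        return 550, "5.7.1 relaying denied"
    return 250, "2.1.5 recipient ok"


# Constructed sample policy; all addresses come from documentation ranges.
POLICY = {
    "local_domains": {"example.org"},
    "own_ips": {ipaddress.ip_address("192.0.2.25")},
    "trusted_nets": [ipaddress.ip_network("127.0.0.0/8"),
                     ipaddress.ip_network("192.0.2.0/24")],
}

if __name__ == "__main__":
    # Constructed envelopes: (client, MAIL FROM argument, RCPT TO argument).
    samples = [
        ("203.0.113.9", "<bounce@[127.0.0.1]>", "<address@domain.com>"),
        ("203.0.113.9", "<user@example.net>", "<address@domain.com>"),
        ("203.0.113.9", "<user@example.net>", "<postmaster@example.org>"),
        ("192.0.2.40", "<user@example.org>", "<address@domain.com>"),
    ]
    for client, sender, rcpt in samples:
        print(client, sender, rcpt, "->", check_envelope(client, sender, rcpt, POLICY))
```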
  19. No no no no NO! by CaptainSuperBoy · · Score: 3, Insightful
    if common sense prevailed, it would be the mail server vendor in court for producing insecure mail server software, not a third party for happening to send requests that unintentionally crash poorly-written servers

    You are so wrong! Think about what you are saying for a second. You are saying that software vendors should be held liable for producing faulty software. What does this apply to? Only Lotus, Microsoft, and the big guys? What about holding Alan Cox and Linus liable for bugs in the Linux kernel? I hope you don't want to hold security programmers liable for demos of exploits. Software is fundamentally different from a product that can be recalled and judged unsafe. The marginal cost of software is zero, and it is not a physical product - it's just information.

    Do you have any idea how it would cripple the software industry if they operated under the constant threat of product liability suits? What about old software? Really old versions of Sendmail were set to open relay by default. Certainly it's not the fault of the programmers that they didn't protect against spam, BEFORE SPAM EXISTED. Now think about a software industry where a pack of lawyers has to review every design document, every line of code in the name of 'product safety.'

    This is clearly a case where the free market already solves these problems, and your foolish solution would only serve to artificially disable an industry. If companies are upset with Domino, they will eventually switch to a better software package. If Lotus cared about their customers, they would have patched their software. I can't believe it when people like you say these things without thinking of the consequences.

    You did hit on one correct point - intent. It's unfortunate that ORBZ was in danger of being sued. They shouldn't be in danger, due to intent. They have no intent to DOS random Lotus Domino servers.. but it seems like they just can't risk it. If I intentionally exploited the Domino bug to crash servers, well that's another story. It's not Domino's problem, it's mine, and I should be carted to jail for that.

  20. Political correctness taken to the next level! by BierGuzzl · · Score: 3, Funny

    So now, regardless of the fact that I'm doing something completely benign, I have to also be careful about "offending" some poorly administered mail server? I won't even get into how stupid it is to set up a mail server with a local loop -- it's the principle of the matter that really pisses me off. Next I won't be allowed to surf the web with an adbuster because it confuses and even crashes some websites...eghads! What the hell is this world coming to?

  21. There's something here we're not seeing by Rogerborg · · Score: 3, Interesting
    • I received an official court notice this afternoon to turn over all information relation to ORBZ accounts. This came from the 10th Judicial District court of the State of Michigan. It appears that ORBZ may be facing criminal charges for denial of service relating to the Lotus Domino issue.

    "It appears"? It is or it isn't. Funnily enough, I'd got the impression that cases were filed before courts ordered documents to be handed over.

    Further to that, isn't the case going to be about past behaviour? So isn't taking ORBZ down in response to it a de facto admission of guilt? Is this some sort of preemptive plea bargain attempt?

    Ian Gulliver has never struck me as being stupid or cowardly. I can't help but feel that there must be more communication going on here, i.e. an offer to drop the charges if ORBZ just goes away. Frankly, I find that highly distasteful, as it's edging very close to barratry.

    I don't blame Ian one bit for shutting down, I just think that he's been shown a carrot as well as a stick so that this never has to reach a court.

    --
    If you were blocking sigs, you wouldn't have to read this.
    1. Re:There's something here we're not seeing by flamingcow · · Score: 5, Informative

      I'm not going to comment on the current legal status. However, I will comment on the shutdown.

      This shutdown isn't so much for this time, but for next time. I'm stuck fighting this one, but I don't have the time or inclination in my life to fight stupid pointless criminal charges on a weekly basis. Unfortunately, the way this world works, this'll be the tip of the iceberg once people realize that they can. Therefore, I'm out of this game.

  22. Software is not a car by CaptainSuperBoy · · Score: 4, Insightful
    Software isn't a car. Software isn't a cigarette. Read your EULA - there is no warranty on software that says it will meet your needs. It's just information, just a bunch of bits. It's not a product that can be regulated, or made 'safely.'

    Who is to say what's a bug? Can I be sued because there's a feature a customer wants that I didn't implement? What if I wrote sendmail 10 years ago, and now someone sues me because I wrote an open relay? But there wasn't any spam when I wrote it. There is a grey area between bug, and undesired behavior. Let's say I write a word processor. Do I get sued because my app won't let you print from the print preview screen? Because it doesn't save your default tab stops?

    You can't regulate software.. and if customers don't like something, they'll look to another vendor. This is already a self-regulated open market folks, move along..

    1. Re:Software is not a car by dubl-u · · Score: 3, Insightful

      Maybe you're right; as a programmer, I'm sympathetic to the notion. But arguing like you are won't convince anybody.

      Since customers already vote with their dollars (if you make useless, buggy software then nobody's going to buy it) why do we need artificial restrictions imposed on developers?

      That's a silly argument; you could make it just as well for any product, from bonds to airplanes. Why do we need auditors and all these fussy financial regulations? The shares in poorly run companies won't be bought, right?

      If every piece of software adhered to current best practices, we wouldn't have any new innovation would we? New algorithms? They're against the law (they're not certified as secure).

      There are immense numbers of regulations for things like food, cars, and financial products, and there have been for decades. But all of those have changed drastically in the last 50 years, and they'll keep on changing. Why wouldn't the same be true for software?

      You haven't explained to me why we need this. Regulations should never be applied unless they are absolutely necessary - i.e. in the case of personal safety.

      That's certainly not the only case where we have product regulations. The things that are entirely unregulated seem to be the things that are perfectly ok to screw up. If you make music, there's no law saying it has to be good, but if your CD doesn't play in my player, you have to take it back.

      When computers are used for something equally low-risk, then not regulating software seems fine. If a game crashes once in a while, that's swell.

      But some of us would like to use software for more important things, too. Suppose you run an on-line business, and you pay Microsoft a lotta dough for a fancy ecommerce setup. Then the week after you install it, some script-kiddie takes it down, steals your customer credit card data, and forwards all your pages to porn sites. By the time you clean up the mess, you're in Chapter 11.

      So you turn to Microsoft, and they say, "Sorry, Charlie, no warranties express or implied. Your check cleared, so we're outta here!" Is that how things should work?

      That's how they worked with investments before we regulated them up the wazoo. And far from crushing investment, our financial markets are immensely lively and highly regarded around the world.

      You seem perfectly suited for bottom-line, 'no new idea is a good idea' middle management.

      Yeah, ad hominem attacks against a guy with a reasonable point persuade me of your views.

  23. Black hats are going to love this by Eric+Damron · · Score: 3, Insightful

    It seems to me that if Orbz can send certain SMTP envelopes that cause Lotus Domino servers to go into a loop those servers are going to need to be fixed.

    This vulnerability is public knowledge now so how many black hats are going to be doing this just for fun and giggles?

    I can't help feeling that when a company gets shutdown rather than an obvious corrective action being taken that there is a hidden agenda lurking about. Just my suspicious nature taking over. :=)

    --
    The race isn't always to the swift... but that's the way to bet!
  24. ORBZ was too aggressive by dananderson · · Score: 3, Interesting
    As an active anti-spammer, I found ORBZ was too aggressive in filtering spam. A spam filter is no good if it results in too many false positives. I had to stop using it. I don't know the specifics of this situation though and it could just as well be over-aggressive lawyers. Here's the filters I use. Note that RBL requires permission, but is freely given and free for individual users (organizations/companies must pay).

    FEATURE(dnsbl,`or.orbl.org', `Mail from $&{client_addr} refused: See http://or.orbl.org/ (ORBL)')
    FEATURE(dnsbl,`relays.ordb.org', `Mail from $&{client_addr} refused: relays.ordb.org. See http://www.ordb.org/')
    FEATURE(dnsbl,`or.orbl.org', `Mail from $&{client_addr} refused: or.orbl.org. See http://www.orbl.org/')
    FEATURE(dnsbl,`spamhaus.relays.osirusoft.com', `Mail from $&{client_addr} refused: spamhaus.relays.osirusoft.com. See http://relays.osirusoft.com/')
    FEATURE(dnsbl,`spews.relays.osirusoft.com', `Mail from $&{client_addr} refused: spews.relays.osirusoft.com. See http://www.spews.org/bounce.html')
    FEATURE(dnsbl,`rbl-plus.mail-abuse.org',`Mail from $&{client_addr} refused by RBL+. See http://www.mail-abuse.org/')
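
A DNSBL entry like the ones above turns each connecting address into a DNS name under the list's zone, and a list that shuts down, as ORBZ did, may stop answering or may start answering for every query. The sketch below is an added example, not the poster's configuration and not any list's own code: it builds the query name and skips zones that fail the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must not). The resolver is an injected callable that returns a list of A records, an empty list for no entry, and raises TimeoutError when the zone does not answer; that interface, the zone names and the records are assumptions constructed so it runs offline.

```python
import ipaddress

# DNSBL answers are A records inside 127.0.0.0/8; anything else is not a listing.
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_qname(ip, zone):
    """Build the name to look up: reversed octets (IPv4) or nibbles (IPv6) plus the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone.rstrip(".")


def zone_health(zone, resolve):
    """Classify a zone using the RFC 5782 test entries before trusting its answers."""
    try:
        must_list = resolve(dnsbl_qname("127.0.0.2", zone))
        must_not_list = resolve(dnsbl_qname("127.0.0.1", zone))
    except TimeoutError:
        return "dead"              # zone no longer answers: every lookup would stall
    if must_not_list:
        return "lists-everything"  # wildcarded zone: would reject all mail
    if not must_list:
        return "empty"             # test entry missing: zone is not serving list data
    return "ok"


def listing_zones(client_ip, zones, resolve):
    """Return the healthy zones that list client_ip; unhealthy zones are skipped."""
    hits = []
    for zone in zones:
        if zone_health(zone, resolve) != "ok":
            continue
        try:
            answers = resolve(dnsbl_qname(client_ip, zone))
        except TimeoutError:
            continue               # fail open on a lookup that times out mid-check
        if any(ipaddress.ip_address(a) in LISTED_NET for a in answers):
            hits.append(zone)
    return hits


def make_fake_resolver(records, dead=(), wildcard=()):
    """Offline stand-in for DNS (constructed): 'dead' zones time out, 'wildcard' zones list all."""
    def resolve(qname):
        for zone in dead:
            if qname.endswith("." + zone):
                raise TimeoutError(qname)
        for zone in wildcard:
            if qname.endswith("." + zone):
                return ["127.0.0.2"]
        return records.get(qname, [])
    return resolve


# Constructed zone data: one working list, one retired list, one wildcarded list.
RECORDS = {
    "2.0.0.127.bl.example": ["127.0.0.2"],   # mandatory test entry
    "99.2.0.192.bl.example": ["127.0.0.4"],  # a listed relay (documentation address)
}
ZONES = ["bl.example", "dead.example", "wild.example"]
FAKE_DNS = make_fake_resolver(RECORDS, dead=("dead.example",), wildcard=("wild.example",))

if __name__ == "__main__":
    for zone in ZONES:
        print(zone, "->", zone_health(zone, FAKE_DNS))
    for ip in ("192.0.2.99", "198.51.100.7"):
        print(ip, "listed by", listing_zones(ip, ZONES, FAKE_DNS))
```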

  25. hooorayyyyy by Ph0bia · · Score: 5, Interesting

    I for one am happy to see this happen and I hope the rest of them all shut down or get shut down also.

    The sheer volume of mail that we received as "probes" to test for relays which we have NEVER supported, is SPAM in itself, in my opinion.

    Worst of all, I sent repeated requests to people like orbs.org asking to be excluded and they replied with very rude e-mails which contained vulgarities, etc. Real professional guys - glad to see another one bite the dust...

    --
    Eph. 1:2
  26. Check your logs. by AnotherBlackHat · · Score: 4, Funny

    Seems to me that the majority of the DoS attacks came from 127.0.0.1.
    I suggest the prosecution track down the owner of that IP, and haul him into court instead of orbz.

  27. ORBZ + SpamAssassin + Razor by ONU+CS+Geek · · Score: 5, Informative
    With that simple combo, you can keep a majority of spam out of your (and your users') inbox. I became really proactive about stopping spam after one of my (l)users installed a formmail.pl script on our web server and we became an 'open relay' for anyone who knew how to exploit the server. Subsequent emails to the abuse@ emails of the upstream providers resulted in nothing, and I still get attempts on the script. With that said, we flag the email as spam using the X-Message-Flag: header (as most of my clients use Outlook) as well as the Qmail-Scanner Tag that is injected into the message. This lets my users know that the message is spam, and I leave it to them on how to filter the messages out of their inbox.

    SpamAssassin is nice in this regard, because you shouldn't need to change any configuration rules. The rule that ORBZ deals with (RCVD_IN_ORBZ) shouldn't need to be changed; however, I'm going to weight the other rules that check for that kind of information (RCVD_IN_RELAYS_ORDB_ORG, RCVD_IN_OSIRUSOFT_COM, RCVD_IN_VISI, RCVD_IN_RFCI, and RCVD_IN_ORBS) up a few points to make up for the lost service.

    --

    I disable sigs...do you?
  28. Good riddance by kindbud · · Score: 3, Informative

    Now I won't have to put up with any more double-bounces from ORBZ's continual probing of my closed relays. These don't even send out OUR mail. You can't test our outgoing relays, the conversation is in the wrong direction and won't pass our firewall.

    Ian, YOU DUMBASS!! I hope you beat the criminal rap, but you got what was coming, what you were asking for. ORBZ's probes were every bit as much a trespass as the spam itself. Why they never understood this is beyond me. Plenty of other DNSBLs run a good list without intrusive probing, and are not getting put up on charges either.

    --
    Edith Keeler Must Die
  29. And why not? by fmaxwell · · Score: 5, Interesting

    Do you have any idea how it would cripple the software industry if they operated under the constant threat of product liability suits?

    Oh no! Then we would be under the same, crippling rules as just about every other industry on the planet. Microsoft, IBM, Symantec, et al, would actually need to make a due-diligence effort to fix bugs rather than add new, unnecessary features and eye candy.

    Software engineering is not some kind of black magic. It's no different than any other form of complex engineering, be it passenger jets or modern automobiles. To do it right requires care, time, diligence, and testing. If software companies dedicated 1/10 the effort to testing their products that they do to marketing them, 99.99% of problems would be caught before the products ever shipped.

    I guess what it comes down to is this: If you are truly a software engineer, then you should embrace time-proven engineering principles and stop hiding behind the "we're just selling a license" cop-out.

  30. Re:Huh? Jail time for fighting spam? by GigsVT · · Score: 4, Insightful

    No one is suing him; these are criminal charges. Criminal charges are brought by the state.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  31. So, are the PHP mailing lists spam now??? by bovinewasteproduct · · Score: 4, Interesting

    Ya, I've got a problem with spam. I had subscribed to the PHP mailing lists about 6 months ago, no big deal. Here about 2 weeks ago I no longer had a reason to need them and went to unsubscribe from them. I was told that the server would not take my email because my IP provider was in spews now.

    Now mind you, my server (on its own IP address) has NEVER sent out spam (I'm the only one who can send email from it and I've no reason to spam). It seems that some fscking idiot on one of the IPs in CA (my server is in MN) spammed and spews will BH all class C's of the owner no matter where.

    So now I get email I don't want and can't get rid of... Should I report the PHP mailing lists to spews as spammers? I'm on a list and I can't contact them to remove me, how is this different from the spammers? Easy to get on, impossible to get off of...:)

    BWP

  32. Bad Combination by fwc · · Score: 3, Interesting
    I'll be interested in seeing the outcome of this and seeing what the facts of the case are.

    I'm not sure how many of the Slashdot crowd know this, but it was orbz policy not to stop testing a server when requested, unless requested in writing. If it was requested in writing, then they would stop testing the server and list them in orbz as an open relay.

    So, as an administrator you had the choice between being tested and being blacklisted even if your server had never relayed a single piece of mail. It was also typical of users of orbz to submit every ip address of every mail server they received mail from regardless of it being spam or not. This was encouraged by the orbz administrator. I'm assuming that this policy, in combination with the fact that the testing caused Denial of Service for certain users, might be what caused this suit. If you know you are causing a Denial of Service problem and you don't stop, especially if you are requested to do so, I'd suspect that is actionable. Ian's inflexibility as to the policy of either testing (and putting up with the DoS if you were a Notes user) or being blacklisted seems like a bad idea if you rephrase it like "Either you let me crash your server or I'll blacklist you", which might be what the people on the other side are thinking.

    Again. This is just my guess. I'm really interested in seeing the facts come to light in relation to this. I suspect that the fact that there was a fix available might be a way out for Ian, but I'll be watching with interest.

  33. There is no valid configuration which should do it by Skapare · · Score: 4, Interesting

    There is NO VALID CONFIGURATION which should result in an infinite loop on the bounceback. If there are ways to configure to avoid it, great. But there shouldn't be a way to actually configure it to do this, and it most certainly should NEVER be the default setup.

    When mail is sent to a bad name, and it attempts to bounce back to the apparent sender, it should first recognize that it is connecting to itself. Failing that, the sender of the bounce message should either be a valid box to collect failed bounces for the postmaster to clean out, or it should be a null address which gets discarded. A bounce should never trigger another bounce, either on its delivery, its failure to deliver, or its return. In this, Lotus Notes/Domino is a defective software product and needs to be fixed. I recommend that Ian Gulliver ask his attorney about filing a motion of interpleader to bring IBM into the case as a defendant, if the plaintiff continues to pursue it. If IBM (which just stuck a big ad in my face here on /. spouting off about their security) can't fix this, then they are the ones who should be paying up.

    --
    now we need to go OSS in diesel cars
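
The bounce rule described in the comment above, as an added example that is not part of the original thread and not Domino's code: a toy queue that bounces undeliverable mail either from a nonexistent local address (loops) or from the null sender with a postmaster holding box (terminates). The domain, mailbox names and function names are constructed assumptions.

```python
from collections import deque

LOCAL_DOMAIN = "mail.example.test"      # constructed domain (assumption)
LOCAL_USERS = {"alice", "postmaster"}   # constructed mailboxes (assumption)
NULL_SENDER = ""                        # MAIL FROM:<>, the empty reverse-path

def is_local(addr):
    return addr.rpartition("@")[2].lower() == LOCAL_DOMAIN

def mailbox_exists(addr):
    return is_local(addr) and addr.partition("@")[0].lower() in LOCAL_USERS

def handle(sender, rcpt, guarded):
    """Process one envelope; return (outcome, follow-up envelope or None)."""
    if mailbox_exists(rcpt):
        return "delivered", None
    if not is_local(rcpt):
        return "sent-remote", None      # handed to the remote MX, out of scope here
    if guarded and sender == NULL_SENDER:
        # The undeliverable message is itself a bounce: park it for the
        # postmaster and never generate a bounce about a bounce.
        return "held-for-postmaster", None
    # Unguarded mode bounces from an address that is not a real mailbox,
    # so a failed bounce produces yet another bounce.
    bounce_from = NULL_SENDER if guarded else "mailer-daemon@" + LOCAL_DOMAIN
    return "bounced", (bounce_from, sender)

def run(sender, rcpt, guarded, hop_limit=25):
    """Drain the queue; hop_limit only stops the unguarded loop in this demo."""
    queue = deque([(sender, rcpt)])
    outcomes = []
    while queue and len(outcomes) < hop_limit:
        s, r = queue.popleft()
        outcome, follow_up = handle(s, r, guarded)
        outcomes.append(outcome)
        if follow_up:
            queue.append(follow_up)
    return outcomes

if __name__ == "__main__":
    # Constructed envelope: both sender and recipient are bad local names.
    bad = ("nobody@" + LOCAL_DOMAIN, "ghost@" + LOCAL_DOMAIN)
    print("unguarded:", len(run(*bad, guarded=False)), "bounces before the cap")
    print("guarded:  ", run(*bad, guarded=True))
```
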
  34. Re:There is no valid configuration which should do by Skapare · · Score: 3, Insightful

    Me again. Elsewhere it has been noted that IBM has in fact fixed this a while back. In this case, (someone at) IBM should be called as an expert witness to testify that the bug is fixed and that the administrator of the defective system is negligent in having failed to apply the fix. Failure to apply fixes is a major cause of security and spam problems on the net, certainly costing at least hundreds of millions of dollars a year to clean up, and lost time and bandwidth dealing with the effects. Someone who fails to apply fixes in a timely manner (30 days tops) should be slapped very very hard.

    And we want to know who the hell it is that brought this complaint.

    --
    now we need to go OSS in diesel cars