Slashdot Mirror


ORBZ Shuts Down

Tim Jackson writes: "In a depressing development for those wanting to protect themselves against spam, it appears that popular open relay database ORBZ (formerly at www.orbz.org) has shut down effective immediately - see here for the final post from ORBZ admin Ian Gulliver on the ORBZ list explaining the reasons behind the closure. The 'Lotus Domino' issue he refers to is the issue he discovered in the course of running ORBZ and reported to Bugtraq, which means that certain SMTP envelopes (such as those sent by ORBZ when testing for open relays) cause Lotus Domino servers to go into a loop, effectively creating a DoS situation. Unfortunately (but understandably), irrelevant of the merits of the case, Ian doesn't want to risk jail for the sake of spam fighting. Of course, if common sense prevailed, it would be the mail server vendor in court for producing insecure mail server software, not a third party for happening to send requests that unintentionally crash poorly-written servers."

13 of 409 comments

  1. El Reg by Mr+Windows · · Score: 5, Informative

    The Register has a little more info. It seems that there is a workaround which involves changing the settings in Domino, though persuading everyone in the world who's running Domino to apply the fix might be hard! It seems like orbz.org is down already, and it's probably going to stay that way :(

  2. Domino... by Junta · · Score: 5, Insightful

    Is crap for a mailserver, I've always had problems out of it and avoid it like the plague when I can get away with it. For one, it tries to do too much for a mailserver, and its functionality as a mail server seems to be secondary to its database features. Domino may work well as a workflow engine/document management, but it really isn't a good Mail server implementation. Unfortunately, so many companies use it as an Exchange replacement, even though it is intended to do much more and mail is done in a really clunky way.. Just spend a few days using Notes and you'll agree that mail does not seem to be a central concern in the scheme of domino..

    Personally, I think postfix or qmail are good mail servers (though postfix doesn't cope at all with accounts that have uppercase in them, and qmail is only marginally better at it...). They are simple, short, and to the point. If you must use domino for mail serving, I would suggest having some sort of minimalistic mail server to act as a go between between domino and the outside world, as domino's is flawed in so many ways...

    --
    XML is like violence. If it doesn't solve the problem, use more.
  3. Incompetent Admins by DragonC · · Score: 5, Informative

    I run a Domino server. In fact I run lots of Domino websites. And this "Denial of Service" issue that is reported is really due to Admins who don't know what they're doing.

    Any system can try and forward to 127.0.0.1 if it is set that way. There is so much information available at all the normal locations that it is really the Admins' own fault. Why they should take it out on somebody who has done us all a superb service is anybody's guess.

    Where to look for info:
    Lotus
    Notes.net
    DominoHive
    SecurityTracker for Domino

  4. Stupid question by ethereal · · Score: 5, Insightful

    I'm sure I'm missing something here, but why can't ORBZ use a different envelope that doesn't bounce to 127.0.0.1? If they would just use an envelope that bounces back to one of their machines, for example, then they could still test open relays in a non-destructive manner.

    Can someone more knowledgeable than myself explain why they would rather go out of business than slightly alter their envelope that they test with?

    --

    Your right to not believe: Americans United for Separation of Church and

    1. Re:Stupid question by Ioldanach · · Score: 5, Informative
      why can't ORBZ use a different envelope that doesn't bounce to 127.0.0.1
      Because they're testing for obscure bugs that allow spammers to use a server as an open relay even when it's configured properly.
  5. A quick run-down of what ORBZ is (i.e. was) by let+the+storm · · Score: 5, Informative

    ORBZ never came into as widespread use as it perhaps deserved, so a lot of slashdotters might be left wondering what exactly it is (was):
    The short story is that it is a replacement to the now-dead ORBS, which stood for "Open Relay Behaviour-modification System", and was basically a system of centrally "policing" open mail relays by occasionally testing them with scripts. Any system that failed the test eventually entered ORBS's "black list", which some mail admins used to bounce email with a path through them. Well, that project died, so ORBZ was born: the "Open Relay Blackhole Zones".
    Now, it too, is dead.
    And we can go back to blocking the whole of China, rather than just open relays on it.
    shrug.

    --
    m iso socially aware artistic geek pen-pal, m or f, in '1337 edu. jazz, poetry a must.

  6. MAPS is still alive and well. by tweakt · · Score: 5, Informative

    Mail Abuse Prevention System

    Tracks open relays, dial up netblocks, etc. Works with sendmail, postfix, etc..
    Does require paid subscription, but free for personal/hobbyist usage.

  7. Re:Sounds weak to me by Junta · · Score: 5, Interesting

    Well, in any case it is good to get DoS bugs fixed.

    But with regards to IDing the server, you can't with certainty determine what SMTP server is running. Sure you can make a reasonable guess based on what strings follow the numbers during the SMTP transaction, but for some mailservers this is configurable or even could be disabled.

    Let's say there was an envelope type that postfix occasionally lets through. Now, if the admin of that for some reason actually wants to exploit this to have an open mail relay, it could fake the strings to make it look like a server that wouldn't get probed for it...

    In any case, I started work for a company and one of the first things I did was fix their mail servers so that they both did not offer open mail relays, and also played nice with ORBZ testing procedure, and it was Lotus Domino, FYI. It's not like they randomly probe you into oblivion, you request the test and have a reasonable picture of when it will happen, and if you have been digging around the mailserver and fix it right before asking, this isn't a problem. Cases like this should show companies it is worth the money to hire competent systems administrators.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  8. Not such a great loss as made out by Zocalo · · Score: 5, Interesting
    I actually stopped using ORBZ some time ago because of the way their database worked in conjunction with the vast amounts of spam coming from DSL lines. Basically if an IP was verified clean then it could not be resubmitted within 30 days, fair enough I guess, but this really fell apart with spam originating from what appeared to be dynamically allocated pools of DSL users. Obviously the same servers were changing IPs, and being reused by the same spammers, but ORBZ's submission engine couldn't deal with this in my numerous attempts to submit active spammers.

    I emailed ORBZ over the issue, citing three identical spams all of which were from the same physical server (from a typo in the headers) yet from different IPs, all of which were marked as "Verified clean within the last 30 days". ORBZ' response to this was basically "use multiple RBL servers", which I already was. I stopped using them at all the same day and switched to an alternate RBL server that I could submit spam to for automatic inclusion once verified. Since then I've also set up my own local RBL server, which makes things much easier when you have multiple SMTP servers to administer...

    --
    UNIX? They're not even circumcised! Savages!
  9. Re:There's something here we're not seeing by flamingcow · · Score: 5, Informative

    I'm not going to comment on the current legal status. However, I will comment on the shutdown.

    This shutdown isn't so much for this time, but for next time. I'm stuck fighting this one, but I don't have the time or inclination in my life to fight stupid pointless criminal charges on a weekly basis. Unfortunately, the way this world works, this'll be the tip of the iceberg once people realize that they can. Therefore, I'm out of this game.

  10. hooorayyyyy by Ph0bia · · Score: 5, Interesting

    I for one am happy to see this happen and I hope the rest of them all shut down or get shut down also.

    The sheer volume of mail that we received as "probes" to test for relays which we have NEVER supported, is SPAM in itself, in my opinion.

    Worst of all, I sent repeated requests to people like orbs.org asking to be excluded and they replied with very rude e-mails which contained vulgarities, etc. Real professional guys - glad to see another one bite the dust...

    --
    Eph. 1:2
  11. ORBZ + SpamAssassin + Razor by ONU+CS+Geek · · Score: 5, Informative
    With that simple combo, you can keep a majority of spam out of your (and your users') inbox. I became really proactive about stopping spam after one of my (l)users installed a formmail.pl script on our web server and we became an 'open relay' for anyone who knew how to exploit the server. Subsequent emails to the abuse@ emails of the upstream providers resulted in nothing, and I still get attempts on the script. With that said, we flag the email as spam using the X-Message-Flag: header (as most of my clients use Outlook) as well as the Qmail-Scanner Tag that is injected into the message. This lets my users know that the message is spam, and I leave it to them on how to filter the messages out of their inbox.

    SpamAssassin is nice in this regard, because you shouldn't need to change any configuration rules. The rule that ORBZ deals with, (RCVD_IN_ORBZ) shouldn't need to be changed, however, I'm going to weight the other rules that check for that kind of information (RCVD_IN_RELAYS_ORDB_ORG, RCVD_IN_OSIRUSOFT_COM, RCVD_IN_VISI, RCVD_IN_RFCI, and RCVD_IN_ORBS) up a few points to make up for the lost service.

    --

    I disable sigs...do you?
  12. And why not? by fmaxwell · · Score: 5, Interesting

    Do you have any idea how it would cripple the software industry if they operated under the constant threat of product liability suits?

    Oh no! Then we would be under the same, crippling rules as just about every other industry on the planet. Microsoft, IBM, Symantec, et al, would actually need to make a due-diligence effort to fix bugs rather than add new, unnecessary features and eye candy.

    Software engineering is not some kind of black magic. It's no different than any other form of complex engineering, be it passenger jets to modern automobiles. To do it right requires care, time, diligence, and testing. If software companies dedicated 1/10 the effort to testing their products that they do to marketing them, 99.99% of problems would be caught before the products ever shipped.

    I guess what it comes down to is this: If you are truly a software engineer, then you should embrace time-proven engineering principles and stop hiding behind the "we're just selling a license" cop-out.