Slashdot Mirror


Battle Creek, Michigan Settles Dispute with ORBZ

Peter Sachs, Esq. writes: "According to a press release that now appears on its official website, the City of Battle Creek, Michigan has 'settled' its dispute with ORBZ.ORG. The City concluded that ORBZ.ORG had no criminal intent to cause the City harm by testing the 'open relay' status of its server. In fact, the Assistant to the City Manager said, '...we recognize that [ORBZ.ORG] has done us a service. We are going to be taking a close look at our policies regarding Lotus security updates and how we can avoid the issue in general.'"

12 of 259 comments

  1. Comment removed by account_deleted · · Score: 3, Interesting

    Comment removed based on user account deletion

  2. Re:Gee, the city manager agrees with me. by Skapare · · Score: 3, Interesting

    Russ, you're still wrong.

    There's no reason to believe that a server that has NOT sent any spam is MORE likely to have defects in design, coding, or configuration, when compared to a server that has sent spam. In fact, if a server HAS sent spam, THAT is the server that should not be tested. The server that has sent spam is more likely to be afflicted by at least one of bad design, bad coding, or bad configuration.

    There is no reason for any properly designed and managed server to crash and burn as a result of any piece of mail delivery. That some do is not a valid reason to devalue an important tool in the effort against spam. It could be of value if it is possible to identify from the SMTP banner if some server is a defective one, such as an older version of Lotus Notes. If that can be determined, then ORBZ should simply add the server to the list and not send anything there at all (except maybe a notice of why they are being listed). I suggest they be added because I do not want them to be sending my servers any mail because that mail has a risk of being spam, due to an obvious situation of inadequate or incompetent administration of that server.

    --
    now we need to go OSS in diesel cars
  3. Re:Shooting people to tests for vests by WoodstockJeff · · Score: 3, Interesting
    As the person responsible for email at a small ISP, and a volunteer for our local Emergency Services, the thing I find amazing and disconcerting is that government agency computer departments have some of the worst security you can imagine. And a lot of it is because they won't spend the money to hire competent people... because that can't be "justified".

    Recently, my mail server stopped accepting messages from my "boss" at the courthouse, because they'd managed to get listed in SpamCop, ORBZ, and ORDB, with MAPS listing them with "we have spam on file from this site".

    When I pointed this out to the IT department, and gave them pointers to where to find at least a partial fix for GroupWise, I was told that they KNEW they were running an open relay for more than 6 months before the RBLs found out, but had no idea where to look to find the "cure". (Getting rid of GroupWise wasn't an option, apparently, even though this is the only way to secure a GroupWise installation... B-)

    They still haven't addressed the fact that they run the only non-encrypted wireless networks in town...

  4. Service checking vs. collateral damage by frenztech · · Score: 2, Interesting

    One of the main issues here is whether ORBZ should be punished for checking a domain for SPAMing with authorization from that domain. There are several pros/cons for doing it this way:

    PROS:
    -SPAMing domain administrators aren't likely to respond to an email asking if they can be
    -Incompetent administrators who will refuse and/or just not know what the check is so not want it to be done.
    -Some administrators will simply delete it by mistake, not ever finding out they have an open relay.
    -Also more reasons which I haven't thought of because I'm dead tired.

    CONS:
    -Lotus Domino and other servers with problems might either crash, or report false positives. This is a big problem for companies, but...they should really upgrade anyway.
    -Probably some that I haven't thought of here too.

    I think the positives far outweigh the
    We were using their service for about 12,000 customers, and it worked quite well. Ah well.

    ---

    It's my personal opinion that if someone sends one of these emails and it crashes your server, yes, it is your fault. Better to find out now, when you can fix it, before you lose more productivity later on when it is combined with all of the other
    Maybe it will act as a reality check for all those managements out there who think security isn't a big issue. It is.

    --
    "Sed Quis Custodiet Ipsos Custodes?" -Juvenal
  5. Re:Shooting people to tests for vests by Skapare · · Score: 5, Interesting

    Interesting that the latest banner I get is....
    220 battlecreek.org GroupWise Internet Agent 5.5.3.1 Ready (C)1993, 1999 Novell, Inc.

    I had a run-in that went a slightly different way with a member of the school board for the Spencer Wisconsin school district. I got spam from them. I reported the problem to them, noting also that this was an inappropriate way for tax dollars to be spent. I got this response:

    Dear Phil,
    We have talented people working hard to keep our system clean. Somehow
    it seems that criminals and crackers are better funded than public school
    systems. Figure that out. Meanwhile, if you would spend less time
    criticizing honest hard working people and more time helping put a stop to
    this sort of thing, we'd all be better off.
    You sir, are a Prick.

    Sincerely,
    Jeff Darga
    VP-Spencer Board of Education

    What I'd like to know is why honest hard working people are incompetent and leave a mail server open to spamming abuses. Of course Mr. Darga doesn't really seem to care.

    --
    now we need to go OSS in diesel cars
  6. Do other mail servers have similar flaws? by billstewart · · Score: 4, Interesting
    I've been thinking about the spam problem and how to discourage attacks from open relays. Are there mail systems that don't do loop detection, or aren't good at detecting if mail is really addressed to their machine? For instance, what do the popular mailers do if they get mail for spambait.example.com and dns resolves the name to 127.0.0.1 or 127.0.0.2 or 255.255.255.255? Do they decide it's for them, or do they think it's for somebody else and send it back to themselves? Or if you set your DNS to tell spam-relay-1.com.kr that spambait.example.com's IP address is the address of spam-relay-2.com.kr and vice versa - will they end up in an endless mail loop the next time somebody sends mail to harvestme@spambait.example.com, or will they decide (at least after one or two iterations) that they've seen the message twice so they'll drop it or try to send bouncemail to the original (presumably fake) spammer's address?

    Of course, even if you can't get the spammers in a strict loop, telling relay1 that your machine's IP address is that of relay 2, relay2 that it's relay3, relay3 that it's relay4, ..., should at least leave the Korean Spam Relays talking to each other and slowing down the number of messages they can send to real people.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  7. Re:Shooting people to tests for vests by darkonc · · Score: 3, Interesting
    So why didn't you send this information to the local newspaper? Seems to me the voters would love to see what a foul-mouth guy this "Jeff Darga" allegedly is.

    verbal moderation: +1 interesting.

    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.
  8. No "unannounced" tests? by mgkimsal2 · · Score: 3, Interesting

    In turn, however, we have asked him to reconsider his policy of making unannounced tests on servers.

    But if sending a mail to a server could cause it to crash, how else could you contact someone to get permission to test? Phone calling?

  9. Re:Gee, the city manager agrees with me. by Russ+Nelson · · Score: 3, Interesting

    AFAIK, ORBZ sends the emails to itself

    No. Ian forged addresses intended to trick the SMTP server into forwarding the email. Ian also used a false envelope sender (blah@localhost) which is unusable for returning a bouncing email.
    -russ

    --
    Don't piss off The Angry Economist
  10. Why Should He Risk All to do *US* a Favor? by FreeUser · · Score: 4, Interesting

    Second, this all could have been avoided if Ian Gulliver hadn't freaked when he got the order. If he'd waited a bleeding 24 hours this would have been resolved and ORBZ could have gone on its merry way.

    It's very easy to be an armchair general from the peanut gallery, especially since you have nothing at risk.

    This was a (relatively rare) instance of a government exercising some common sense. There was no guarantee that this would be the outcome.

    Imagine if it had gone the other way (they pressed charges) and he had continued operating as before. Going in front of a judge and being forced to admit that "yes, I engaged in the same activity for which I was being prosecuted after having been served notice," is the kind of thing that results in penalties that tend toward the harsh, rather than lenient, if convicted.

    ORBZ was a service being provided for our benefit, for the "greater good" if you will (yes, I know how alien that phrase sounds in our Money Ueber Alles culture, but there do still exist people who spend their energy trying to better all of humankind, rather than merely themselves. They may be endangered, but they aren't extinct just yet). It is not at all reasonable to expect someone to risk fines, seizure of equipment, and possibly even jail time simply so they can go on doing everyone else a favor.

    The government body in question may be contrite now, but the damage is done, and they are, ultimately, the cause of that damage. Whitewashing their responsibility now behind the argument that "that's just how investigations are done" does nothing to alleviate their responsibility, though it does underscore just how aggressive, flawed, and Orwellian many of our "standard investigative procedures" have become. Not that we needed any more examples, we seem to have been getting hit in the face with that fact every day lately.

    --
    The Future of Human Evolution: Autonomy
  11. Re:Shooting people to tests for vests by biffnix · · Score: 2, Interesting

    Wow. Read your original letter, and I must admit - you ARE a prick. Your letter was condescending, self-aggrandizing (what was up with your bragging about the number of mail servers you block - does that get you chicks or something?), and rude.

    As the IT Director for the Bishop Union Elementary school district, I'd probably send you a similar response if you sent a bitchy message as yours to Spencer, WI.

    The bottom line - you were whiny, you didn't actually help (or offer to help) him, and you were rude. Just precisely how did you *expect* him to react? School administrators have enough work to do without having to deal with annoying strangers.

    Sheesh.

    Joe Griego
    Dir., I.T.
    Bishop Union Elementary, and Bishop Joint Union High School Districts
    Bishop Elementary
    Bishop High

    --
    Don't Die Wondering
  12. Re:Better late than never? by GSloop · · Score: 3, Interesting

    Even better, it's like me connecting to your web server, and your web server crashing because I used Opera, rather than IE. Then you get the police to obtain a search warrant, because my machine caused yours to crash, and you didn't have any better explanation.

    Sounds like a case of CYA to me.

    If I connect to your machine, that you've publicly connected to the internet, and you're offering services on, and send valid packets to request service, and your machine crashes? Well, too bad. Fix it, or learn to live with a server that doesn't work right.

    What else is an SMTP server to do, other than accept mail? If your mail server crashes because it can't understand the mail, then it's the mail server's problem. NOT THE PERSON SENDING THE MAIL! Now, if I hacked my way into your internal network, and then used a non-public SMTP server to send mail, you might have a case.

    That's like designing software that doesn't account for all types of input. When someone puts something in that you didn't anticipate, and the software crashes, then you blame the person who entered the data? Sheesh! Talk about passing the buck.

    Perhaps SillyMe ought to get smacked by the clue stick.

    Cheers!