Slashdot Mirror
Internet Vigilante Justice, SPAM, and Copyrights
pdw writes "An interesting article about how vigilante justice on the Internet by anti-spam advocates can be just as threatening to the Internet as those proposed for copyright advocates."
← Back to Stories (view on slashdot.org)
I don't run or maintain any mail server that I use, so I can't beat on the spammers the way I want. There's no way that I can say "My server, my rules" as clearly as I could by using the SPEWS blacklist. The best I can do is send the LARTs and hope the spammers get nuked. *sigh*
Come to the University of Mars! Classes starting soon!
the author of the article is a lawyer. However evil some of them are, they are the kind of people we need on our side. Good to see that they aren't all idiots.
The GeekNights podcast is going strong. Listen!
This article demonstrates the problem we are up against getting people to secure their networks.
His mail server is an open relay, and he still doesn't realize it. Worse, he's a lawyer. These are the people that will be setting policy.
I wonder if it is even worth e-mailing to explain the situation to him.
His server was set up so poorly that all it took was a forged header saying it was from his domain to get a message through?
Sounds like he should have been blocked. Come on, at the very least do some ip checking. It sounds like his server wasn't a textbook open relay, but it was pretty close.
Anyway, I think he should pick up the phone and call the dudes in Denmark. I think that being on an e-mail black hole list means never being ABLE to say you're sorry...
John
Authenticating by the domain that the sender says he is from is very weak...
Holes like this are what keeps the spam coming to my mailbox...
Platform independent bug tracking software
Well, setting your sender's address to a trivially guessed domain name (such as the reverse-mapped address of the host), you effectivly have an open relay. Guess what spammers are doing: they are using known-good addresses, and try sending spam from those addresses MX hosts in the hope that the MTA do this foolish kind of access check.
This has been discussed since at least five years, and has been a point in the many faqs and howtos on how to lock down your MTA for a long, long time.
If you really need to send mail through your MTA from arbitrary IP addresses, you need to employ authentication. Again, this is hardly a new technology, and many documents explaining how to combine SSL and authentication for SMTP exist.
How had it gained access to my mail server? Simple. It had forged the headers on its email to convince my mail server that the email it sent was from a permitted user.
One word: Authentification.
You see, my mail servers were set up to pass mail only from a domain name of which I am the only user. It blocks everything else. That's not an open relay. Unless you're a user in my domain, you can't use it.
Uh, it may not be a totally open relay in the literal sense of the word, but surely that still means it can be used to send spam, as long as the spammer figures out who to identify himself as - and if the Danes could do it, then it can't be that hard?
Any spam-block that relies entirely on the "from:" header is broken by design. What, spammers disguise their identities? Never!
The author of the article is an idiot, he thinks that spammers don't forge headers and therefore his relay is closed.
The proper way to close a relay is to check the sender IP address (from the TCP connection) and check if it's a local net.
When that appears in the first paragraph the rest loses credibility. Anybody qualified enough to be commenting on SPAM should be aware that simply by opening the email you may have verified the address as valid (if it contains an external image).
-----
interested in inventions?
This is the kind of thing you see every day in news:news.admin.net.abuse.email.
"Waah, I'm being blocked by your nasty list! I demand you stop blovking me or I'll drop piano's on all your heads! and I'm a lawyer!"
"A. no-one's blocking you, they're justing *choosing* not to accept email from known open relays (or whatever the perp feels accused of)."
"You're abusing my First Amendment Rights to 'Frea Speach'"
"Our list is based in the Gobi Desert. *Our* first amendment guarantees the right to tea with yak butter."
Also, searching for his email address to see if he had ranted on usenet, I found this: Archived Article
an Excerpt (from the above article by "R. A. Hettinga" ):
New Architect is a Microsoft/DotNet magazine. This article is
agitprop for Microsoft's identity solutions: UDDI, Passport, and Palladium.
Any reputation framework that arises in the wild would reduce the
profitability of a Microsoft solution, so they are going to badmouth it,
sue it, etc.
dave
"How had it gained access to my mail server? Simple. It had forged the headers on its email to convince my mail server that the email it sent was from a permitted user. You see, my mail servers were set up to pass mail only from a domain name of which I am the only user. It blocks everything else. That's not an open relay. Unless you're a user in my domain, you can't use it."
;) Sorry dude... no chance. Get a clue.
That seems like an invitation to spam trough his server with his domain name in it. Therefore I declare hereby his mailserver as an open relay
I fail to understand how this can be a valid argument against bad-maintained blackhole lists. The author was listed because *anyone could use his server to relay just by using a MAIL FROM command sporting his domain name*. Sheesh! When you configure your relay ACL, you use *IP ranges*, not domains (an awful lot of spammers forge all the headers in the messages they throw out). Even better, you use SMTP AUTH. That guy didn't bother to implement a technically valid solution, and thus his mail server definitely *could* be abused. No wonder it has been put on a blacklist...
BTW, this doesn't mean there aren't stupid blacklists out there listing innocent people. But this article proves nothing. Moreover, there are now better ways to filter spam, based on message content checksum, like Vipul's razor. This is not the first time people bitch and moan about their badly-configured relays being censored by the antispam Nazis (I remember a guy, from the EFF I believe, that did the same thing some time ago) but they simply are irrelevant. Their solution is to RTFM and play by the rules. Period (grrrr, I really dislike bad admins :-/.
Xenu brings order!
Let's just hope he can't convince an judge that his definition of 'open relay' is the correct one.
"How had it gained access to my mail server? Simple. It had forged the headers on its email to convince my mail server that the email it sent was from a permitted user. "
Hmmmm, So its only an open relay if the spammer is an "Honest" user.....
I'll just pop that cluestick in the post to him....
he needs one.
Althought the law provides recourse, it isn't enough to deter companies from doing this sort of thing. Anytime you use your email address, you're adding it to an archive of information that will never go away. All it takes is one text scanner running over a place where your email address is printed, and it's all over.
Even using your email address can be a bad thing. I went several years where the only email I ever got was my ISP reminding me that it was bill paying time. Then I gave my email address to one (1) relative. This relative gave my email address to one (1) other relative. Now I have spam everytime I check my email, although not in the volume the rest of the world seems to get. Incidentally, one of the relatives was using Hotmail, the other MSN.
Anyhow, IMHO this is an other blabla piece from someone who doesn't realy has an understanding of what he's doing.. Typical american sollution.. let's sue..
Nobody expects the spanish inquisition!
Forged headers? Oh my.
Bret A. Fausett is running an open relay. Instead of him trying to sue RBLs that I use to reject email from poorly ran servers such as his, perhaps he should start suing all the spammers that forge email headers.
I've had spammers use my domains in forged email headers before (note: not my servers, just email address from my domains) and after receiving hundreds of bounced pieces of spam from servers ran by dorks like Bret, I can testify that this is a major problem that should be tested on every RBL.
Kenny
This guy admits his e-mail server WAS unsecure and is complaining that he got blacklisted. I understand his fustration, but I'm glad he was blacklisted.
Now what's needed is a simple to use tool to help users determine if their systems can be comprimized. Any ideas?
For one, the Danish antispam organization falsified an email header to gain access to my mail server.
Translation: His mail server is an open relay for anyone who forges a from: address using his domain name. No password, POP-before-SMTP or other identification and authentication mechanisms are used.
He's whining because his open relay was correctly listed as an open relay. And he's even suggesting a tresspass-to-chattels lawsuit against the group that properly identified his server as an open relay. What a dick!
First off, he's right. A black hole list has the potential for abuse, and there need to be some checks to make sure they're not abused as such.
Second, once you're listed on a black hole, it can be hell to get off. My company had a secondary domain that was used for customer emails. It was, indeed, an open-relay due to misconfiguration. Eventually it got blackholed and our admins realized the mistake they'd made and set out to fix it. They did fix it eventually, but by that time the server was being slammed by spammers trying to use it as an open-relay. And on top of that trying to get the black hole list to remove the domain was difficult - it took well over two weeks, while the black hole-ing occurred in under a day. Eventually the entire domain was just dropped, since even with the open relay closed the spammers were still abusing the hell out of our pipe.
That said, as best I can tell the author of the article barely even tried to remedy the situation. Yes, the black hole system forged a header to hit his open relay. Duh. So do spammers. If they could do it, so could (and will) others, and that's why you're black holed. But I'm sure he could've contacted the people running the black hole to find out what he could do to fix the problem. Instead it looks like he just wants to take them to court.
Finally, black holes/black lists/spam filters/etc. aren't solving the problem. The bandwidth is still being chewed up, and as is pointed out in the article, the block lists act like honeypots for the spammers - everytime a new site is added the spammers find a new site to spam from. Sure, if you participate in the black hole you won't deliver the spam, but the bandwidth has already been sucked up from the backbones, and you're still using CPU power to deny the spam. As much as I'd like to see lawyers stay the hell away from the Net, I don't see any other way to stop spam than to make it illegal. It may be that most of the relays are foreign, but most of the spammers are in the US or another Western country. Anti-spam laws could significantly help.
What did Shakespeare say?
The first thing we do, lets kill all the lawyers.
ISPs on Anti Spam Hunt
MAPS Attack
I'm afraid I've got little sympathy for the author of the article. He is running an open relay. Yes, for someone to abuse it they've got to forge the headers. That spammers do this is news? I don't think so. So, he runs an open relay, it gets detected, he gets added to a blackhole list until he closes it, he's now upset that the list operator won't accept "Well, someone would have to lie to abuse my server, so it shouldn't count." as an excuse. Pardon my complete lack of sympathy for him. This isn't vigilante justice, this is simple shunning by the community. If he wants to restrict his server to authorized users, he should do just that. POP-before-SMTP and SMTP AUTH exist, they can be used. Requiring that someone forge his domain in a From: header is not securing a relay.
If what he says is true then his server is not as secure as it could be but it is hardly completely open. What should he be doing that he is not? What standard of hackproofing should every Mom & Pop on the internet have to meet, and why?
His e-mail server isn't secure (it's accepting forged e-mails), meaning that it is a potential spam-source. Configure your server properly, end of problem - Anyone who runs a server exposed to the net needs to be sufficiently experienced to properly configure it - else they deserve what they get. The worst part of all of this, is that the guy won't even acknowledge that there is a problem, his reaction is to look into legal recourses. The morale of the story: if you're ignorant, sue to change the system.
If you subscribe to New Architect, this guy wrote a followup article to this one after receiving a boat load of mail pointing out the he was in fact running an open relay. He admitted to being behind the times, etc, said he was sorry. He still doesn't take back the fact he's mad at the vigilantes out there. Sorry, there's no link yet, I think NA has a lag between the print and web editions.
:-)
Point being, if they can forge a header to get on your computer, a spammer can very easily do the same thing. An interesting thing on my campus is the technology department regularly scans and tries to hack into FTP sites running on campus, and sends an e-mail to the admins if they're successful. Some students got mad, but the moral of the story is, better to have someone trustworthy find your weakness rather than someone who's going to exploit it. This seems to be a new effective form of security that's emerging, since we can't depend everyone to stay up to date with the latest security issues, such as the Mr. Faussett in the article. I think vigilante is the wrong term, these blacklist ops are doing everyone a favor by helping to clean up insecure sites, which in the end saves everyone money. I propose we call them "Freelance Security Advisors" or something like that.
Blacklists are a lot like a security blanket, they make you feel comfortable but they don't do anything about the real problems. A recent employer (a university) was placed on earthlink's blacklist simply because a customer had pressed a wrong button and reported an email to earthlink as spam. (Admittedly, the manager who insisted on handling the mailserver himself was technically clueless...but there wasn't any ACTUAL spam we could find traced to our server)
First off, why is earthlink who is the domain of quite a bit of spam itself running a blacklist? Secondly, why couldn't they have at least bothered to send a courtesy automail to let us know? We finally found out when the sender of the original "spam" tried to send another email to her friend at earthlink. At that time it took a series of calls to earthlink to even find the department we needed to talk to! And then I found out that we'd been on their blacklist for MONTHS!
Blacklists should be carefully administered and you should develop your own as it's really not that difficult to set up blocks for individual domains. Too many domains are blocked by error or because one company put another on a blocklist that got circulated but never bothered to circulate that spamming domain had been fixed and removed from teh list.
Of course, a contributing problem is that many mailserver admins don't bother to keep proper security (or even keep their security patches up to day) for their server. It's way too easy to find a mail server that is VERY open to people outside the actual domain. But any truly working solution to the problem will have to involve responsible actions on the part of the "blacklisters" and the mail admins.
"An interesting article about how vigilante justice on the Internet by anti-spam advocates can be just as threatening to the Internet as those proposed for copyright advocates."
Sorry, it's an uninteresting article about a lawyer who doesn't understand how to configure a mail server, then blames his foibles on somebody else who's simply pointing out that he has an open relay.
If Bret has a lawsuit to file, then I have an amicus brief to file....
Do you have ESP?
He can send all the email he wants. And the recipients of that email are free to reject it. Since his server is blacklisted (and it sounds like his server IS a relay, regardless of how many times he states that it isn't) there in an increased probability that any email coming from there is spam, and the recipient judged it accordingly. Deal.
Does anyone know what blacklist he's talking about? SPEWS is Russian. I don't know any that are Danish.
Lets not get into a situation whereby only an elite class of people can stop the abuse of the Internet by knowing a special language called law.
It used to be that the technologists were the elite class of the online world, interestingly due to our ever increasing corporate world, the lawyers are one of the few with enough knowledge to have a chance of stopping this misuse of our treasured network.
I think the next few years will make country legal juristiction crystal clear for crimes committed on the Internet, but will take longer for laws to be passed and acted upon. I'd like to see agreed global unified laws for Internet and computer abuse. It's about time we took responsibility for this and tackled it now, not only for now but also proactively for the future as things will progressively get worse unless we take a stand today.
Here's a question for lawyers.
Could the United Nations pass a resolution to stop spam?
Goes to prove my assertion that most people who talk loudly of intellectual property are not intellectuals.
----
* a phrase used on Slashdot about as often as "Why do all those Supermodels keep throwing themselves at me?"
Envy my 5 digit Slashdot User ID!
Wouldn't the fact that he invited the Danish group to probe his mailserver seriously diminish his chances of suing for trespass? I can understand his angst...but can he understand mine? (You've got mail! 99.44% unsolicited, commercial effulvium, and one crucial e-mail which you'll unknowingly delete as well.)
SIG me, baby!
There are a variety of solutions to the technical problems that arise from wide-ranging internet access by the public. Those of us who were using the net in the late '80s recall sending and recieving email, unincombered by large volumes of spam. As internet usage gained popularity, so to did unacceptable practices undertaken by businesses and indeviduals.
SPAM is as much a social problem as a technical problem. Blackhole lists attempt to solve the social aspects of the problem with a technical solution - the idea being that the sender of spam is shunned and ignored when trying to communicate. I don't have all the answers but solutions like Vipul's Razor seem a bit more like technical solutions to the technical aspects of the problem.
Likewise, domain registration operates much like the wild west. He who hets there first, gets the loot. I was attempting to register an expiring domain at one point. It had expired 90 days previous and still had not been released by Verisign. I consulted my perfered domain registrar, who's generally vary helpful staff gave me this wild west analogy and suggested that my only recourse was to lodge a complaint with ICANN. We all know how helpful ICANN can be...
Any new technology opens up oportunities for baser elements of human nature to bear their collective ugly head. Over time the practices will iron themselves out and until then people like the lawyer, author if this article will probably have to suffer unless they want to contribute a positive solution. The Internet will eventually grow out indulging these childish behaviors but until then, we can only do what's best to protect ourselves from the poor choices of others.
--CTH
--Got Lists? | Top 95 Star Wars Line
Bret is an intellectual property and Internet attorney and also too stupid to realise he runs an open mail gateway. If you are going to write an article you should first get your facts straight i think...
Personally, I think we should stop trying to block all these spammers. Today is a tough day for everyone. Thinking about a year ago, how the world for many of us was turned upside down... it's hard to go about your daily routine. And yet, when I arrived at work, my mailbox was crammed full of spams, just like always. While many people are coming in late or taking the day off, these spammers continue to keep me updated about new penis enlargement technologies. They put aside their personal grief and send out news of a new get-rich-quick scheme, thereby showing the terrorists that they will never win. God bless them.
You want to beat on spammers using spews.org? And here I thought you linked to some quite violent imagery involving a steel pipe and some quick lime.
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
How soon we forget.
I've run into a sort of related problem. My ISP I use at home now uses a Danish reference list to help filter spam. Somehow, my work mailserver turned up on it. The reason? It seems to have a dynamic IP address. Granted, my work mailserver hangs off of a business DSL account which has a block of 16 IPs. Its behind my router/firewall running NAT. the reject message from my ISP is as follows : .. the remote server gave us this error response ... 554 Service unavailable; [xx.xxx.xxx.xxx] blocked using dynablock.wirehub.net, reason: Dynamic IP range listed by Wirehub! Internet DynaBlock - http://doema.wirehub.nl/error/errors.html#dynabloc k
So now I'm off to have fun to try to convince these people that just because it MAY be a dyanmic address, even though its a block assigned by my ISP, that they should remove me. Thier other solution? Find a relay server!!!
From reading some of the comments, i'm quite surprised and shocked at the insensitivity and harshness of some people's posts. Whats with the "it's his fault, he deserved it attitude?". Is'nt the Internet all of our network and not his alone? Surely this makes it all of our problem and not just one persons. What happened to Internet camaraderie? Or has it become one for all and all for one on the high seas of the Internet, may the best Sysadmin win. I thought those days were long gone.
New Architect recieved a bunch of letters about that article and printed them in the October issue. Bret Fausett responded in the Letters section:
"When it comes to mail administration, it appears I've been several years behind the curve. My mail server software, circa 1996, was purring along quietly, so I never upgraded it to a version capable of a higher degree of authentication. I'm also old enough to remember when an "open relay" was a relay intentionaly left open, not one merely susceptible to misuse. Thank s to all of the reader who wrote to bring me into the new millennium. Both my software and my definition are now upgraded.
At the same time, I labeled the blackhole list operators "vigilantes" for good reason. It was always my understanding that if you lie about your identity to gain access to something that would be closed to you if you told the truth, you've done something wrong. That's tru whether you intend to send spam or prevent it. As vile as spam is, the ends don't justify the means. Regardless of whether my mail server used to be "open" or not, I stand by my analysis that placed legal responsibility on the blackhole operators who forged their identity."
This article really turned my crank. What a load of hogs-wallop. To wit:
... :)
... I dunno). His actions are not only irresponsible, they are just plain stupid.
... I skipped to the end and read:
... ISPs use it voluntarily. Hell, switch ISPs if you don't like the level of access they provide you with!
... Why are you wasting the courts' time?"
For one, the Danish antispam organization falsified an email header to gain access to my mail server. Illegal access to a computer system is, if not a criminal violation, then a trespass on my private property.
Except that he previously admitted to asking the antispam people to check his mail server. So it isn't trespass if you invite them in. Or it's entrapment on his part, right?
As I've discussed previously in this space, one of the novel legal theories now catching on for these kinds of unacceptable accesses to computer systems is a centuries-old tort called "trespass to chattels." At a minimum, I ought to be able to sue the Danish company for the damage it caused me from its illegal access.
Alternatively, you could secure your f'ing mail server properly.
But in spite of all that, I could probably get an injunction, or least a dollar or two to compensate me for my injuries and establish that I have been wronged.
Always the lawyer
Who knows whether the organization is a real legal entity or just some name cooked up by a group of self righteous individuals.
At some point along here I gave up reading. This guy is a whining, deluded, litiginous fuckwad. And a bit xenophobic (maybe he had a bad experience with a Danish girl once
Okay
It isn't difficult to imagine that the RIAA could pressure a sufficient number of ISPs into subscribing to this copyright blackhole list and blocking access to their users, or to any traffic emanating from them.
Except (you half-wit), the RIAA would likely use pressure. The anti-spam list doesn't force ISPs to use it
I hate spam as much as the next guy. If I found out my mail server was an open relay (which we did at one point), I sure as hell would spend my energies fixing the problem, rather than ranting about it and plotting a lawsuit.
I really hope that if he decides to take legal action, some judge with half a brain will say "You could've solved this yourself in half an hour
Sheesh.
Tuus crepidae innexilis sunt.
Should we recommend this guy to Bernie Shifman just in case he's still looking to sue people?
Publishing that article makes it almost impossible for this guy to get a conviction in a danish criminal court.
Also note that forging the headers of a mail that only is received by people knowing that the mail contains forged headers is not computer fraud, according to the above and danish criminal court practice.
oops... :-)
Discussing this on /. is all well and good, but if he is really astroturfing, and it appears that he is, someone that understands what is going on should submit a response article to the New Architect site. The do accept submissions. Check out http://www.newarchitectmag.com/guidelines/. I would do it, but I am not an expert on setting up mail servers or on the effectiveness of the black list.
Lasers Controlled Games!
Mail? Put "slashdot" in the subject to pass the spam filters.
Blind Vigilantes Blackhole lists offer dark prospects By Bret A. Fausett New Architect August 2002 Most of the email I receive these days is spam, yet I've never purchased anything advertised in a piece of unsolicited commercial email. I'm not even sure that I've ever clicked on a link sent to me in a piece of unsolicited commercial email. I haven't found any good method of blocking spam. Fortunately, I have a broadband connection, so things aren't as bad as they could be. But whenever I travel and find myself connecting via modem, I'm constantly frustrated by the significant amount of time I have to spend downloading junk mail, which is sometimes billed at exorbitant hotel or foreign telephone rates. So you'd think that I'd be somewhat sympathetic to the efforts of groups that create blackhole lists. For those of you unfamiliar with a blackhole list, it's a list that's typically maintained by volunteer antispam advocates. It contains the IP addresses and domain names of certain mail servers allegedly used to send unsolicited email messages en masse. When an Internet service provider subscribes to one or more of the blackhole lists, any inbound email to its service originating from a mail server on the lists is automatically rejected. The subscriber to a blackhole list doesn't filter based on the actual content of the email, just its place of origin, which makes this practice a fairly crude tool. It blocks all messages from specific locations regardless of content. Anyone who finds his or her mail server erroneously listed on a blackhole list can usually get off the list by establishing that he or she has remedied whatever server insecurity spammers exploited. At least that's how it works in theory. I don't run an insecure mail server, but mine recently found its way onto a blackhole list. I've tried to get off the list, but to no avail. I've become just another victim of vigilante justice on the Internet. The Wrong Guy One day back in March, I tried to send a friend of mine an email. It bounced. The mail server that rejected my message sent a polite note back explaining that the address of my mail server was now listed on its ISP's blackhole list. Over the next two weeks, the circle of people to whom I could send email started to shrink. Soon, even my father's email address was off-limits to me. The primary way to get on a blackhole list is to run an open relay. For various reasons having to do with access to networks and efforts to conceal their identities, senders of mass unsolicited email predominantly exploit such relays. An open relay accepts mail from anyone in the world and relays it to whomever is listed in the address. Most mail servers aren't open relays. They accept mail only from subscribers to that network's services, or from a set of persons specifically identified on the server. In spite of grass roots efforts to close the open relays, there are still more than a few of them out there. Not Guilty My mail server, however, was not an open relay. I have no idea who first submitted my name to a blackhole list operator in Denmark, but sometime in March of this year the operator added my mail server to its list. The first time the service was used to reject a piece of my mail, the rejection came accompanied by an explanation of why I was on the list and what I could do to be removed from it. The explanation was that I was running an open relay. How could I get off the list? That was simple, the message said. Close the open relay, and send a message to the operator's server asking to be re-scanned. Of course, as I mentioned, my mail server was never an open relay in the first place. So in response to the rejection message I received, I asked the blackhole list service if it would kindly re-scan my mail server and make another determination as to whether it was an open relay. I was sure that there had been some mistake and that on a second try, it would realize the error in its initial judgment. Shortly after I submitted my request, I sat down to monitor my mail logs. This time I saw the service in Denmark address my mail server. I watched my mail server accept the message and then pass the piece of email back to the Danish mail server. The Danish server promptly sent a message saying that my server was still operating as an open relay. How had it gained access to my mail server? Simple. It had forged the headers on its email to convince my mail server that the email it sent was from a permitted user. You see, my mail servers were set up to pass mail only from a domain name of which I am the only user. It blocks everything else. That's not an open relay. Unless you're a user in my domain, you can't use it. Blocked The group based in Denmark had pretended to be me, forged an email as though it had come from an address that only I am authorized to use, passed it through the mail server in my house, and then placed me on a list of people who should be blocked from sending mail. They circulated that list around the world. ISPs used by my friends and family here the United States subscribed to this list. Now, through no fault of my own--and in fact because of the trickery of Danish email activists--I was no longer able to send email to many people in my address book. It's hard to describe how angry this made me. The Danish consortium had lied about their identity, and I was paying for it. The worst thing about being blacklisted, however, wasn't that I could no longer send email, but that spammers began actively trying to use my mail server to send their spam. You see, blackhole lists work both ways. ISPs use it to block traffic, but as I've recently discovered, the spammers themselves use the lists as a kind of directory of servers to use for sending their mail. If you look at my mail server logs, you'll see that every few seconds or so, someone, somewhere tries to access my mail server and use it to send mail. Each time, without fail, my mail server declines the request and refuses to relay the requested message. It isn't an open relay. It's just doing its job. But my machine is bombarded with requests from all over the world from spammers seeking to use its minimal capabilities to send their penis enlarging, breast enhancing, get-rich-quick messages. My Rights But, hey, I'm a lawyer, right? I'm supposed to be able to solve this kind of dilemma. And there are a few things I could do. For one, the Danish antispam organization falsified an email header to gain access to my mail server. Illegal access to a computer system is, if not a criminal violation, then a trespass on my private property. As I've discussed previously in this space, one of the novel legal theories now catching on for these kinds of unacceptable accesses to computer systems is a centuries-old tort called "trespass to chattels." At a minimum, I ought to be able to sue the Danish company for the damage it caused me from its illegal access. Granted, the damage caused by my inability to send an email is likely not terribly significant. You can always pick up the phone, print the message out, and fax it or mail itÉor just use a different mail server. But in spite of all that, I could probably get an injunction, or least a dollar or two to compensate me for my injuries and establish that I have been wronged. The problem, of course, is that the loose organization of individuals who compiled the blackhole list is based in Denmark. Who knows whether the organization is a real legal entity or just some name cooked up by a group of self righteous individuals. However, they do have a domain name, and an IP address, and they circulate their work to ISPs around the world. In other words, there is a group for me to sue. But taking legal action on foreign entities is difficult. I would have to translate my legal documents into Danish. I would have to hire someone in Denmark to personally deliver these translated documents to the entity that I would be suing. That costs time and money. But I could sue them here in Los Angeles, California, that much I know. By sending their forged email through my mail server, which is located in my den in Los Angeles, they fulfilled certain California legal requirements that would let me sue them here. The connection to Los Angeles is also bolstered by the fact that I live here and my injury was suffered here. Of course, all of this is starting to sound like the kind of hypothetical legal conundrum that you might find on a law school exam. Problems like mine often remain hypothetical because the expense of bringing them to trial is so great, and the ability to gain any monetary relief from lawsuits is minimal. That's why the black hole providers have been able to get away with their vigilante justice for so long. For any individual user wronged by their efforts--and from what I understand, there are a lot of people in similar situations--the costs of pursuing these organizations, which are often located overseas, is too great. These groups of volunteer organizations have no assets to speak of--they are volunteers after all--and plaintiffs' lawyers are hesitant to take a case without the prospect of a lucrative damages judgment. The Case Before you think that this is all just about me and the fact that my father no longer receives any email from me, there are bigger policy implications for private individuals and companies that take steps to block connectivity. Much bigger. I've long championed the idea that the Internet should remain largely unregulated by governments. But at the same time, any private operator at an end point in the Internet's architecture can restrict the flow of content to a user. What's wonderful about the Internet is that it enables end-to-end communication from anywhere in the world to anywhere in the world. For all of the problems caused by spam, email is still the most widely used application on the Internet. So the idea that private parties could get ISPs to block some people from talking to other people should be deeply troublesome. The Danish blackhole list operators want to block access to computers that might be used for spam, but it's easy to imagine blacklists used for less noble purposes. For example, imagine that the RIAA compiled a list of IP addresses which, it contended, had at some time used peer-to-peer file sharing programs. Because these peer-to-peer systems could transmit copyrighted materials in a way that infringes on the copyright owner's rights, the RIAA could argue, those IP addresses should be blocked. It isn't difficult to imagine that the RIAA could pressure a sufficient number of ISPs into subscribing to this copyright blackhole list and blocking access to their users, or to any traffic emanating from them. Breaking end-to-end connectivity for any application, whether email or peer-to-peer or the Web, threatens the very thing that makes the Internet valuable. These are matters of principle. Which reminds me-- I have a lawsuit to file. Bret is an intellectual property and Internet attorney with Hancock, Rothert & Bunshoft. You can reach him at bret@lextext.com.
Is the sound of his domain being added to hundreds of private blacklists because he made a cartoony threat.
Welcome to the intranet, have a nice day.
There's no excuse for failing to do even the most basic research before posting an article. Still, nice work if you can get it, I suppose.
I was recently a victim of this problem. A machine at my former hosting provider (JTLnet, and they were already my former hosting provider before this incident) got infected by an email worm, and started propagating to everyone in that machine's address book - which seems to've included their entire customer-contact list. Being a modern email worm, it picked one address from that address book to spoof as the source of the messages, and I was the "lucky" guy so I ended up getting all the bounce messages.
There's a lot more to the story, but it's mostly about JTLnet and it's not their faults that are relevant here. The more interesting story is the part played by Verizon (my DSL service provider). Here's a major provider to millions of people, and their mail server was set up so it would happily propagate the worm's spoofed emails. A little experimentation quickly revealed that as long as the original FROM line (the SMTP one, not the one in the header) matched my email address the message would go through, regardless of where the connection came from. Unbelievable.
There is the tiniest shred of an excuse, though. I do remember being annoyed when they shut off SMTP access from outside their network entirely, so I couldn't reply to messages received on that account while at work. However, there are other ways to deal with the problem without allowing worms to spoof email through subscribers' accounts. SMTP authentication would be the obvious solution. A web interface for subscribers to specify which hosts could send email through their account would also have stopped the worm in its tracks. There's no excuse for a provider employing that many people to take the cheesy way out.
Slashdot - News for Herds. Stuff that Splatters.
Lets look at some of the things he says:
1."only I am authorized to use." Lets get this straight. I don't lock the door to my house, but I am the only one authorized to use it. I hire a security firm to test it (knowing full well that they publicize their results and what their methodology is). They test it and find it insecure. Hundreds of burglars then try to go in through my door and I sue the security testing firm.
2."For one, the Danish antispam organization falsified an email header to gain access to my mail server. Illegal access to a computer system is, if not a criminal violation, then a trespass on my private property." Of course he ignores the fact that he REQUESTED THEM TO TEST IT and they DO DESCRIBE there methods. How is a *requested* test illegal?
3."So the idea that private parties could get ISPs to block some people from talking to other people should be deeply troublesome."
4. "I haven't found any good method of blocking spam." Try CLOSING an open relay or using AUTH in order to verify that only authorized users are using your machine. That will help at least those of us getting spam relayed through you!
5. "I don't run an insecure mail server," Merely stating something does not make it so. If someone can relay mail through it, it is by DEFINITION insecure.
6. "My mail server, however, was not an open relay." Please look up the definition of an open relay, as above in #5
7. 'the spammers themselves use the lists as a kind of directory of servers to use for sending their mail." Duh.
If this guy is an IP and Internet attorney his firm is really scraping the bottom of the barrel.
Thank GOD I don't need him as an attorney.
The truth is that these home-grown spam mitigation methods do have their problems.
One of them is evident in the article: well-meaning users often do not understand what might be insecure about their server configurations, or what might need to be done to fix them. I am very comfortable with sendmail configuration, and I can tell you that setting up the authorizations correctly for mobile users to be able to send email safely is a narrow, twisty labyrinth in comparison to the big, flashing exit door marked "promiscuous relay".Another problem in the home-grown nature of these solutions is the tendency for them to be personality-driven, instead of professional. Often, IP addresses (or even whole ISPs) are placed on blacklists because the blacklist maintainer does not mind creating a little collateral damage if they think it might create a little extra pressure on a spammer or an ISP.
Some blacklists have blocked out entire hosting companies, including some of the biggest ones on the net, simply because they did not think they acted with sufficient alacrity against spammers in their midsts. This kind of wild overkill is unfortunately too common, and perhaps it's a good argument in favor of for-profit blacklisting, which would probably exert some good influence on the question of list quality.
Earthlink rejects mail from any IP address that belongs to a dial-up pool that attempts to connect to their SMTP servers.
Ostensibly, this is done to reduce "direct-to-mx" spam, which is a very common spammer tactic. Unfortunately, it also makes life harder on the home linux enthusiast, or home business operator who might be running their own perfectly legitimate sendmail server. All part of the collateral damage in the spam wars: Internet access and Internet business are slowly becoming more expensive and possibly moving out of the reach of people with limited means.
So what should we do?
First, I think that current law against junk faxes should be extended to include junk emails. This would not eliminate spam, but it would give us the ability to correct the spammers who operate out in the open.
As a Libertarian, I want to jealously guard the right of the people to freedom of expression. But that right does not and cannot include the right to expropriate other people's time or money. You have a right to make your voice heard. You do not have a right to force me to pay for it.
Second, I think that we should be careful about the blacklists that we use, and prefer those operated by recognizable and accountable companies wherever possible.
Finally, I think that for the forseeable future, filtering at the user desktop will be necessary.
(Cards-on-the-table time: I am working on a new solution for end users to eliminate spam from their inboxes. It is based on a new method, and it will work for any user who uses a POP email account. It will be ready for public beta soon. Please write to me if you want to learn more.)
The struggle against spam is definitely picking up, and I think that a new equilibrium is approaching.
Just like a lawyer, wanting to sue. Apparently he forgot that he gave those Danes permission to scan his system in the first place.
When it comes to mail administration, it appears I've been several years behind the curve. My mail server software, circa 1996, was purring along quietly, so I never upgraded it to a version capable of a higher degree of authentication. I'm also old enough to remember when an "open relay" was a relay intentionally left open, not one merely susceptible to misuse. Thanks to all of the readers who wrote to bring me into the new millennium. Both my software and my definition are now upgraded.
At the same time, I labeled the blackhole list operators "vigilantes" for good reason. It was always my understanding that if you lie about your identity to gain access to something that would be closed to you if you told the truth, you've done something wrong. That's true wheteher you intend to send spam of prevent it. As vile as spam is, the ends don't justify the means. Regardless of whether my mail server used to be "open" or not, I stand by my analysis that placed legal responsibility on the blackhole operators who forged their identity.
(emphasis mine)
I still think the author is confused. Yes, it's possible he might be able to make a legal case that they're blacklisting him because his server is an unintentional open relay, but just because he doesn't know it's easily-exploited doesn't mean he doesn't have to take some responsibility. Consider this fable:
Homeowner: Why have you put my phone number on a list of unsecured phones!?!?
Locksmith: Well, there's a criminal running around in the neighborhood - he's sneaking into open houses and using their phones to make obscene phone calls. We can't stop him, so some of us in the neighborhood are trying to make a list of all the phones in houses that aren't protected, so people can avoid receiving calls from those phones if they want.
Homeowner: But that's not fair! And you're wrong, too! My house is always locked.
Locksmith: Well, it is a voluntary list - people don't have to block incoming calls from phones on the list if they don't want. But I'll take a look at your house anyway, to see if it's secure. If it is, I'll take your number off the list.
Homeowner: See!? The door is locked tight. No robbers are getting into my house!
Locksmith: Uh... how old is this front door?
Homeowner: Well, it was probably installed in the 1920's or so.
Locksmith: Oh, well that's the problem. See, old door latches like this can be pretty easily opened... like this. See how I can just slide a credit card here and the latch pops open? Now modern doors don't have this problem - the latches have a locking mechanism that...
Homeowner: You swine!
Locksmith: Pardon?
Homeowner: You filty crook! I can't believe you just trespassed on my house like that!
Locksmith: Uh... but, I was just showing you how a criminal could...
Homeowner: What kind of vigilante justics are you running here? Breaking into my house and blaming me for the problem! And blocking my phone calls as well! You'll be hearing from me as soon - I'm filing a lawsuit this week!
Locksmith: [stunned silence]
the point made still has some value. Whenever individiuals take it upon them to enforce what is right and wrong, there's a risk of abuse or simply them doing a poor job.
But I guess (hope) that all who use these blacklists, monitor how it's working and are prepared to act if errors are being made. If the guy who runs your mailserver thinks it's added value for his users to block from servers on the lists, then he's going to use them - otherwise not.
Rather than focus on what constitutes an "open relay," which is really a technical issue rather than a policy issue, I'd rather see more thought given to the damage caused by blackhole lists. Are we really interested in championing their use? Spam today, something else "offensive" tomorrow? How different is this than when Chinese ISPs decide to block Google? As vile as spam is, I don't think this is the right tool.
My response to the original letters sent in by New Architect readers:
Thanks.-- Bret
www.lextext.com
Yes, blacklists aren't perfect. But if you do what it takes to plug up obvious security holes in your service, you can get off of them; it may take time, but the volunteers who run these things need to verify that you have plugged up a hole, or that your service was always secure. I'm sure there are a lot of people added to blackhole lists who shouldn't be there, because some mistake was made. At the same time, I think the vast vast majority of people griping about being unfairly placed on a blackhole list are just people who don't understand the technical security flaws in their system.
/. makes me wonder about CmdrTaco. Taco, don't you read these articles at all? Or don't you even know that this is a security hole so big and obvious that even MS could have recognized it and plugged it up?
/. This method can effectively be used to filter out messages which are spam based on the headers, via user input; i.e., the user tells the program via the header, "this is spam, that isn't". The program then analyzes the characteristics of the header and modifies previous assumptions accordingly. Think of it as going to Las Vegas and flipping a coin. If you flip the coin 100 times and you get 51 heads and 49 tails, do you conclude that the coin is unfair? Depends. You have a previous assumption about how reputable the casino is; if you think its unreputable, maybe you think the coin is unfair; if you think its reputable, you probably think its fair. What if you flip the coin 100 times and you get 2 heads and 98 tails? Then your first impression is that the coin is unfair; the evidence strongly overwhelms your previous assumption that the coin was fair, so you modify your hypothesis. But if you then flip the coin another million times and you get 500,001 heads and 499,999 thousand tails, you probably conclude that the coin is fair, despite your first impression. Same thing goes on with e-mail.
Prime example is this idiot author. I'm not security expert -- in fact, I (gasp) don't even know how to set up a server. But I can recognize a security hole as big and obvious as the one his system has. If all someone has to do is forge a from address in the header to use your system for their e-mail without authorization, your system is completely insecure. This author displays his complete ignorance when he says, "the system was doing what it was supposed to do". Every system does what its supposed to do, and that's depends on how it was programmed by the programmers and set up by the administrator. That doesn't necessarily mean every system is doing things the right way.
That this story was posted on
At the very least, your service should request password and user-name verification. IP-address verification possibly, if you don't want to allow your users to be able to access it from any remote location. Someone needs to slap this author with the clue-stick. He fell off the a 300ft high dumb tree and hit every branch on the way down.
The author does, however, make two interesting points, though these are hardly news. (1) It takes forever (i.e., weeks) to get off a blackhole list; this is understandable, since these things are run by volunteers, and it takes time to verify. (2) Blackhole lists are used by spammers, which allows them to slam any domain on the list. This is something which needs to be fixed. I think this is that rare case where security through obscurity works. The only people who should know all the domain names on a blacklist are those running it. People running domain-names that have been placed on a blacklist should be notified so they can fix it, and if they want notify the public. But because these blackhole lists are available for anyone to see, spammers use them and effectively DoS those who are on the list, making their life difficult.
Oh yea, almost forgot. The title of this post is "Legal action needed," because I think laws are needed to deal with this problem. Spamming might not be particularly profitable, but its also not at all unprofitable; theoretically, it probably wouldn't even cost a cent to send spam to everyone on earth with an internet connection. Thus, spammers will continue spamming, because they have no reason not to. Even if only one out of a thousand people actually buy something from that "make your dick bigger by jilking" spam, it still amounts to something worthwhile for the spammer.
They will never stop unless there is a strong cost associated with spam. So what I propose is tagging very high high fines onto any spammer -- millions of dollars. Enough to bankrupt an individual and keep him in debt for a long time, or enough to send a company into Chapter 11. I'll admit that we won't catch many spammers; maybe 1 out of a 1,000. But when you can't catch most people who do something and punish them accordingly, the way to stop an activity is to say we'll punish anyone caught inordinately.
I strongly disagree with the misguided notion that somehow dealing with our spam-problem violates the principles the internet was founded on. This is just an example of community action to deal with a problem.
The anonymity that the net gives us is valuable because it allows those who have controversial opinions to speak privately; because it allows those who have inordinate interests (i.e., occult or pornography) to pursue them in privacy without fear of public scrutiny; because it allows us to share information though P2P networks without fear of a slap-down from the RIAA. No useful purpose is served by spammers using annonymity; it neither promotes a public good, nor facilitates them in excercising their rights; rather, it facilitates them in doing harm to the public and violating the rights of others. The community is dealing with that problem in many ways.
One of them is blackholes. Crude, but somewhat effective. Simplest method. It is valuable not so much because of the spam that it blocks, but because of the action it forces service providers to take -- securing their systems against spammers.
Another is bayesian filtering, as was recently mentioned on
Another method -- one I prefer -- is simply blocking any messages from those whom you don't have in your address book or on your "accepted senders list". This effectively blocks out all spam. You have to, however, keep an updated list of accepted e-mail addresses.
There are many others.
No method is perfect. My method blocks all spam, but also will block anything from anyone who I don't have on my accepted senders list; so I have to be vigilant in maintaining such a list. Bayesian methods effectively have no false positives or false negatives, so are pretty damn good. The primary usefulness of blackhole lists is making services secure their systems.
social sciences can never use experience to verify their statemen
AFAIK, on most servers if an e-mail address doesn't exist, a message gets sent back that an error occured because the user doesn't exist. What more validation does a Spammer need of an e-mail address?
Forging the 'From:' header is one of the most common spammer tactics known. If the guy's server responds to such a forgery by sending the forged message out to the world, then yes, he is indeed running an open relay EVEN IF it won't forward messages from, say, 'spammer@here.com.'
Any mail server worth its salt needs to look at more than just the 'From:' header. It needs to look at the originating IP address of the machine trying to send the message. If said address is not part of the mail server's local domain, the traffic should be rejected with extreme prejudice.
The article reads very much like a whine from someone who doesn't know enough about how a mail server works (or is supposed to work) to be running one; "Those Evil Censorous (sp?) Anti-Spam Nazis forged my domain name and cracked into my system! How dare they?! Even though it's the same trick a spammer might pull, how dare they?!"
This guy needs to get a clue. Quickly. In fact, I'm going to make sure to block his server out of mine when I get in tonight.
Bruce Lane, KC7GR,
Blue Feather Technologies
Spammers never lie or forge domain names! So of course it's unfair that this lawyer's mailserver was blacklisted. . .
Bah. With all the money lawyers make, you'd think he could buy himself a clue.
!#@%*)anks for hanging up the phone, dear.
The internet is often a useful tool for communication. It's also often a tool for complete idiots to share their useless opinions with the masses. This guy has an insecure mail server, gets blacklisted, and asks the blacklisting org to check his mailserver. He then bitches when they find a hole and get in, and decides he should sue them for illegally entering his server.
He claims they caused damage, but all they did was fulfill HIS request to double-check his server, and didn't in any way disrupt any functionality of his server, other than using an existing hole
Another spam-pigeon who thinks his right be leave his ass flapping in the wind overrules the rights of others who don't wish to get a gazillion messages bounced off his insecure server.
A few quotes to laugh at:
I asked the blackhole list service if it would kindly re-scan my mail server and make another determination as to whether it was an open relay
For one, the Danish antispam organization falsified an email header to gain access to my mail server
At a minimum, I ought to be able to sue the Danish company for the damage it caused me from its illegal access.
Debating on anonymously spamming this guy with a few, 'got spam? you're a moron' messages from his owner server... - phorm
the time between notifying the black hole list that the problem was fixed and being off the black hole list.
I just read your articles /s=2442/n a0802g/index.html) about
(http://www.newarchitectmag.com/document
open relays and figured I'd email you with my experience. For my day job,
I work network security (handling spam complaints, hacking, etc) for an
extremely large public educational institution, so I see an extremely
large number of spam complaints, spam issues and whatnot every day.
If your mail server is allowing mail to be relayed to it through the
domain it advertises, it is an open relay. Period. An open relay is a
relay that permits an unauthenticated, unidentified host on the network to
send mail through it. Your claim that you are not running an open relay
simply because you only allow mail from users on your domain demonstrates
a fundamental lack of understanding of the mail protocol. The FROM
field is not any kind of authorization, it's not a login, it's completely
arbitrary and should never be used to allow or disallow mail except in
rare cases where virii may email out with fixed FROM addresses that are
known to not be legitimate.
Your mail server advertises what domain it claims to be (and likely has
reverse dns to supply a spammer with the domain), therefore it's trivial
for any spammer to (as the denmark organization did) simply but a from
address of your domain. And are they lying? It might be interesting to
note that since your mail server is sending the message, the mail ~is~
from the domain they put in the from field.
The issue is not that some anti-spammers spoofed a from field. The issue
is that your mail server allows relaying of spam email. I'm sorry you see
it otherwise. There are other effective ways to secure your mail server
so you can travel and still have access to it, but your current
'protection' is not.
If you would like more information on how exactly you can configure your
mail server to not be an open relay and still allow remote access, please
feel free to respond via email and I'd be glad to help.
If they make a mistake, you and your organization are screwed until they decide to admit their mistake and correct it -- if they ever do. They have cute, pat answers to explain away any responsibility for their behavior and generally refuse to communicate with those they block. I have had a nasty experience recently with "relays.osirusoft.com" where a client of our was using them as a part of their Postfix RBL configuration. Some Nazi^H^H^H^H German nominated our mail server as a spamhaus when we were not. Without being tested, our server was blacklisted -- I checked my logs and saw no check on the date we were listed. We received no notice, no automated robot checked out server or would anyone respond to my inquiries, just accusations that I was supporting SPAM--an absolute lie. If you are listed, you have to be an evil SPAM supporter with their mentality.
It took one month of constantly e-mailing their retest e-mail address. Daily checking of my mail logs and seeing that their robot was being rejected from relaying, yet, we were not taken off the RBL. Finally, after a month, we were removed. Nothing changed in our configuration, no notice was given as to why we were removed nor why we were added outside of the nomination origin. We were just lucky that "relays.osirusoft.com" decided to do what's right but was too cowardly to admit they were wrong. Hiding behind the anonymity of the Internet with no responsibility to the people they harm. We will never know how many e-mail messages were lost because of "relays.osirusoft.com"'s mistake.
Pathetic.
Strange women lying in ponds distributing swords is no basis for a system of government.
One could have predicted that the vast majority of Slashdot readers would have responded with, "This guy is an idiot because ... misconfiguration ... blah blah" without addressing the underlying complaint. The more important issue is that a group of unregulated volunteers (albeit well-meaning volunteers) has the power to block any server from sending mail, by placing it on a blackhole list. Nobody is holding these people accountable for the power that they wield, and their grievance procedures are either obscure or non-existent.
Toronto-area transit rider? Rate your ride.
Here is what I wrote to this guy back on July 25 when the article had just come out. I never received a response from him. Was he totally embarassed by his idiocy once it was explained to him? I guess so.
<lettertext>
I just read the article you wrote on New Architect Magazine entitled "Blind Vigilantes; Blackhole lists offer dark prospects". I feel you have missed certain points in your analysis, and as a result, you misunderstand what is going on. That's OK, because the majority of network administrators still do, too. As a lawyer you would not be expected to know this kind of stuff. You clearly know a lot more about it than the average lawyer. I'm writing in hopes of filling in the gaps. I sincerely hope you have the time to read this. It's long, but I think this is important.
First of all, I use these blackhole lists myself, so it is possible that your reply to me could bounce back. I can override it if I know the IP address of your mail server. But I won't know it until there is a server log telling me about it bouncing. What I'll do is get your IP address at that time, add it to the exception database, and you can repeat the reply later on. Or you can send me mail from Hotmail, which I believe is not blocked anymore.
I want to fast forward to the point in your article where I think the main misunderstanding is:
One of the methods spammers use to send their mail through a mail server configured like yours is to do exactly what you are complaining about. I see upwards of 10,000 of these a day on my servers. The spammers have these massive lists of email addresses, quite many of which are valid. What they do is look up which mail server those users would use, which is not hard because that's exactly what the whole system is designed to be able to do. Every delivered piece of email had to do that. Once they have this information, then they forge that user in their FROM line and start sending mail to the user's server. In the case of a server set up to test only the domain name in the FROM line, it works, and the spam message gets sent on its way.
That's why your mail server is considered to be an open relay, because it is possible for a spammer to use it, despite the fact that they are doing something illegal such as forging your domain name. If it lets a spammer forward mail, it's an open relay.
It is standard practice for every program (there are several available) which does the open relay tests to try dozens of different ways to fool a mail server into forwarding mail. Forging the domain name of the users of that server is one of the simpler tricks. There are some that are more complicated. These programs are simply doing exactly the same thing that a spammer would do. It's the same principle used by security test programs which test whether or not a computer can be broken into. They have to pull all the punches a hacker might try. Otherwise such programs will fail to detect a flaw and the program itself will be worthless.
I periodically run tests on all my mail servers to make sure I have not accidentally configured out the relay controls. I watch these tests take place, and they do this forgery exactly as expected.
Actually, that is not true. Read on and this will be explained.
Last year, one of my client companies, a local web hosting business, had a case of one of their customers running a spamming operation right from the server they were paying my client to use, in violation of their AUP. The customer got cut off, and my client asked me to help him clean up the mess. In so doing, I obtained a copy of not only the spamming software (a special version intended for running from web servers), but also a copy of a big list of about 1.5 million addresses.
There was something very interesting in this list. The first 1000 or so entries were email address that were familiar to me. They were OTHER SPAMMERS. That's right, other spammers have their own names in these lists. What that means is if any spammer discovers an open relay, the others find out about it fairly quickly. The "spammer network" as I might call it is very well connected. They all see the successes of the others. And much like wild animals on the African Savannah when one makes a kill, the others circle around to take their own bite out of the carcass. That's what is happening to your server.
The anti-spam group have some of their addresses on these lists, too. That's how they first find out if your mail server is an open relay. They get spam that some spammer who found it relayed through. That's how you were first put on the list.
The blackhole lists are run through a distributed database called DNS. This is the same thing that allows looking up a domain name to get the numeric IP address which the routers use to send packets to the correct destination. But the point about it is that DNS works as a general distributed database, and unless someone runs the DNS server wrongly, there is no mechanism to get a list of these addresses. All that can be done is to pick and address and do a lookup. Unlike a regular database, there is no means to do a query lookup like "give me all the IP addresses which are open relays".
In reality, there are sometimes some breakdowns in that security and the blocked addresses can get out. I've acquired one such list myself. But for the most part, spammers do one of two things. They scan the net at high speeds looking for open relays, and they scan through their mailbox which is on the lists to check for good pickings in recent spam they received.
They have a legal defense. You actually gave them permission to do the scan. Although you did not know the scan involved the address forgery, their defense is that the practice is the only way to test to see if a mail server is an open relay (that is, if it could be used by a spammer who would forge the address). As mentioned above, this and many other tests like it are standard practice in security testing (and testing for an open relay is simply one form of security test).
This is why when an open relay listing is in the database they will not remove it by periodically testing on their own accord. That would truly be illegal. They require you to consent to the test before they will do it. And again, the standard for these tests is to do exactly every know trick a spammer would try.
It is not their test that put you in the list in the first place. It was the fact that they received a copy of spam that some spammer relayed through your server first. It is that spammer that trespassed on your server and caused you the real harm.
Those who compile the database are just the messengers. But your real problem is that these guys are just the little fish. The big ones are even harder to reach. They are rumored to be in Bulgaria, an Eastern Europe country formerly behind the infamous Iron Curtain.
And there is the risk that they would win if they were present to defend their practice. They would certainly bring up the point that the original listing was due to a spammer discovering your open relay, and that they received permission from you to test their server.
The choice to use the information from blacklists to reject delivery of email in a mail server is something the owner of the mail server would do. This becomes a private property issue. I have the right to refuse any mail into my mail server I wish (except on the basis of the few parameters law now prohibits, like gender, race, religion, etc). I have the right to get my list of IP addresses to block from anywhere I like. If Joe down the street tells me he blocked email using his private little list of IP addresses and it cut out 90% of his spam, then of course I'd like for him to share it with me.
Could there be an issue of libel here? Sure, there could. But it's a clear line between saying "You are a spammer" and saying "Your mail server allowed a spammer (who uses forgery) to send spam to me, and when you gave me permission to test it, I found that by mimicking just what the spammer would do, it was still allowing it."
I do worry that the techniques used to reduce and prevent spam could be put to less noble uses. I also worry that facilities that exist on the internet to allow anonymous communications (which some people sometimes need to have) are abused by spammers (there are techniques to reduce that abuse) and in turn blocked by anti-spammers.
Personally, I don't consider the anti-spam movement to be less noble than peer-to-peer file sharing. The vast majority of what is shared on those networks is copyrighted material being shared well beyond the rights of the copyright owners. While I'm not advocating that those file sharing programs be outlawed, or the networks they use be shutdown, I do consider it to be less noble a thing that the effors of the anti-spam community to help keep mailboxes cleaner.
It depends on who is doing the breaking. If I break connectivity in my own server, even if I use information from someone else that I choose to use, who offers that information to me freely (I didn't illegally copy it), then what law have I broken? What tort have I committed? Who have I harmed? If it involves my customers in a service I provide to them, then it's a matter of the business relationship between me and that customer. In practice, my customers want the spam blocking since it proves to be very effective against spam.
As to your mail server. It is an open relay, and it needs to be closed.
If a thief enters a building by opening an unlocked door, it is breaking and entering. Merely opening the closed door was breaking, as opposed to the door being wide open. It does not matter if there was a lock on the door or not. It does not matter if the lock was left unlocked. It is still breaking.
Your mail server has a closed door, but it has no lock. You are making the assumption that spammers won't do the "breaking in" thing with address forgery. But they do. What you need is the equivalent of a lock on your mail server. Instead of just checking the FROM line to see if it has your domain name on it, it needs to check something that a spammer simply cannot forge at all. Usually this is an IP address. If you want to be able to use your mail server from other locations, then the IP address is not good enough. There is another method that is used which requires you to log in to READ your mail first. The way that works is when the mail reading login is done, the server notes what the IP address is from which the successful login came, and puts that IP address in a list which is valid for sending mail for some period of time, say maybe 30 minutes to an hour. Thousands of people use this technique successfully. It's typically called "SMTP after POP" (in reference to the POP protocol used to read mail in most cases).
The following has a number of useful links to help in testing and closing an open relay:
</lettertext>
now we need to go OSS in diesel cars
Unlike "sharing" of "marketing information" by credit card companies, telephone companies, and banks, blackhole lists for email ar opt-in.
You have to explicitly subscribe to someone else's judgement in order for it to have an effect on what you block.
Your argument about the putative "RIAA P2P blacklist" is flawed, in that you would have to go out of your way to elect to subscribe to RIAA's judgement.
A much more salient argument might be Palladium, which is effectively a black list of people who do not used Palladium, and which holds you hostage via the use of monopolistic power in the marketplace. A black list which forces you to use it -- which is not "opt-in" -- is much more of a threat.
PS: In your original argument, you had exactly one valid point, which was that the original probe of your email server -- before you asked them to recheck it, thereby giving them permission -- was in fact a criminal trespass on your system. On the other hand, from a legal standpoint, it's probably easy to argue "attractive nuisance" in defense of the original probe, particularly if your mail server had been reported by a third party who had received SPAM via it.
-- Terry
Of course, the follow-up is too late to save him from getting another boatload of mail...
Sometime in the next week or so, I am going to stop by your home and probe for any security problems that a burglar might exploit. I know we have never met before but its in your best interests. Since I have the best of intentions, I am sure you won't mind. You wouldn't want to leave your home with security holes in it?
Strange women lying in ponds distributing swords is no basis for a system of government.
...if it would be a good idea to declare a 5 year moratorium on ALL laws pertaining to security and the internet/networks. In other words, declare the internet a "new frontier" and let the strong survive.
Not only would this spur on an intense period of security systems development, and force those individuals who languish outside the circle of the latest security enhancements to keep up with the current advancements, but it just might encourage people to recognise the true nature of network systems and digital data (...among other things, networks are insescure for MANY reasons and that the data is never permanent or secure).
Keep in mind that vigilantism would be fair play...someone cracks your network and you can retaliate. Furthermore, the thought of impending attack might encourage the right people to have a level of alertness that should ALREADY be in place with regard to their networks.
This would also give "us" some time to take a close look at how things REALLY work on the internet before "they" start legislating.
Also, the desire to have a secure OS would drastically change the current marketplace. The average consumer would now HAVE to learn a little bit more about what they were actually spending their money on, and the execs of companies would pay better attention to which systems were designed with security in mind. Those systems with blatant, glaring, abundant, security holes (Hmmm, wonder who that could be?!) would find themselves out on their proverbial asses, maybe even overnight!
While this does run contrary to my feeling about law, property, and justice it is an idea that keeps popping up in my head...maybe my manifesto will be out next spring....hehe. Please comment.
Vincit que se vincit.
When the only tool you have is a claw hammer every problem starts to look like the back of someone's skull.
Let it be a problem for those that don't know any better, or how to deal with it. Set up a SpamAssassin-enabled mail server for you, your buddies (or clients) and let the rest of the world deal with the junk.
Junk-Filter that works. End of problem!
Most of the email and newsgroup spam is done by a few large companies who also make a big deal about the smaller companies sending 1/10th of the emails or posts they do. If you make a stink about it you will find yourself threatened with lawsuits and tons of anonymous emails to your ISP advising them they better disconnect you.
Meanwhile, "fronts" for some of these sites like the JKPrivat posts and "free" (stolen) galleries (that lead to their pay sites) are left up and their posts are not taken down. Looking at the cancel trends of these "vigilantes" will show you quite an interesting trend. Worse thing is they actually post the cancel reports online - which you would think would damn them... but unless ou have a lot of money, you learn very quickly not to confront them or piss them off.
For if you do, they personally in their capacity as "anti-spam vigilante" who can personally answer a few thousand posts a day and report or cancel more emails and posts than entire legitimate organizations devoted to it, they will threaten your ISP a dozen ways till Sunday and demand you be disconnected.
Of course, then posts "by you" will start surfacing on the 'net in hacker groups calling them all sorts of bad things, questionable emails and posts will be sent out on your behalf to people everywhere, and you'll be hoping your ISP has the sense to notice the forged email and news headers... nonetheless, a few hundred lamo hackers and hacker wannabes will already be attacking your site - sometimes a few hundred thousand attacks a day...
Kill the competition... that's that half these "spam vigilantes" are really about.
I wont mention names... but just look at the source of much of your pr0n email spam, or surf the adult oriented newsgroups and notice which big companies' posts dont get taken down - even if it's the same posts day in and day out. Then look at the cancel logs and note that "the other guys" can send a hundred different "on topic" posts total to 50 groups and have them all cancelled, while these guys can send a hundred posts to ONE group of any sort and not be touched.
Of course, anyone can try and dispute it, but the "spam cancel reports" are all online in the admin newsgroups, so dont bother.
Ok, maybe this is the wrong case, he IS running an open relay but there a bigger issue here is how much power and freedom are we willing to give up? When do operators of these lists get TOO MUCH power? Who watches the watcher? If the list operator makes a mistake what is our power to remedy it? If government was running the list, would we feel the same way?
Case in point, there is a certain BlackHole list out there that is blocking my email server. Why you ask? Is it because I send a lot of spam? No. Is it because I have an open relay? No. They block the whole class B belonging to my ISP because "there were many SPAMers on my ISP". Ok, I feel their pain - I hate spammers too (praise the SpamAssassin allmighty!!!). But they are no longer blocking just the spammers, they are blocking innocent bystanders as well. A quick check will reveal that there are no open relays anywhere on *MY* part of the network. So, why should *I* suffer for someone else's inability to handle SPAM problems?
I know, I know, there is the obvious "Well, change the ISP then." -- well easier said than done. For mirriad of reason - not the least of which is financial - this is pretty much out of the question.
My solution was to ignore the idiots and they'll go away. I do not think all too many people use the mentioned blackhole list anymore. I am guessing this is probably because their list is pretty much worthless if it blocks whole class B's. I have not seen a message bounce because of it in over a year. But there are much more respected lists out there, and what happens when one of them makes a mistake and refuses to fix it? Is there a remedy for the small guy who is getting screwed by this mistake?
In ideal world the list is controlled by it's subscribers and if it is inaccurate, they would not use it. But in ideal world there would not be spam, and last check of my SpamAssassin's "spam" folder tells me we are not living in ideal world.
None of the subscribers give a damn untill the problem hits them.
So, what is the little guy to do?
RelevantElephants: A Somatic WebComic...
If I ask a cop to check my doors and windows, and he finds a way to get in. Can I sue him for burgelary?
How about you give me your address and if I can get in, I can take what I want?
The last time I checked the 'danish site' isn't a cop.
Typical american sollution.. let's sue.
All *I* want is laws that let me sue spammers. If he sues people who FORGE HEADERS (as he's suggesting he'll do) I'm all for this lawyer suing.
The reason email on the internet exists at all is that there are standards for handling it that have gone through the RFC process to be accepted. When someone can point to a relevant standard specifying how email MUST be authenticated in a certain way and everyone does it the same way, then sites will be justified in refusing communications with others that don't follow the accepted standard. Until then it is all handwaving and vigilante activity - and mostly ineffective as well.
Is not so much the blocklists themselves, but the manner in which they are implemented.
Often, the mail server admin team of even a medium to large size ISP will decide amongst themselves to implement a blocklist on their mail server, with approximately ZERO consultation with either management or customers.
This is a pain in the ass for 2 parties.
(1) The perfectly legitimate, non-spamming, innocent company who happens to be hosted by an ISP for whom said blocklist has blocked ENTIRELY,
and
(2) The potential customer of that company at the ISP who's mail admin has selfishly decided to blocklist the company in (1).
So that's 2 parties inconvenienced. Yeah, sure SPAM is a problem, but so is what i've just described.
Fine, implement your favourite blocklist on your OWN mail server, but if you're hanlding mail for others I think you should have the decency to consult and advise that you are potentially blocking valid email for sake of cutting down on SPAM.
I don't know if this would work practiacally in the real world, but since I intsalled Jaguar (MacOSX 10.2) which includes that nifty junk mail filter than Steve Jobs crowed about during the Expo using "latent semantic mapping", I don't think I have gotten a single junk email. My Junk folder, where all the filtered stuff goes, is ALL junk - no misidentified stuff. I've been training the system for about 3 weeks now.
So here's my idea: what if Apple built the junk-mail filering code into a seerate application, which would then run on the mail servers and routers themselves. This would not only (possibly) eliminate the hassle to end users, but possibly cut down and bandwidth wastage also, if a junk mail was stopped in transit from one end to the other.
Now, I understand that this has a lot of problems. What if it catches something that it shouldn't - something important, like, oh say, a domain renewal notice (This happened to the owner of the domain Macslash.com a while back because Apple's DOT-MAC email servers block anyting from Dotster, wich really screws people who have registered domains with them. There's also a question of whether the LSM would work considering that there are different general "types" of spam out there.
If such technology were at the ISP level, then customers could periodically check to see if the filter caught anything it shouldn't have. If you put it at the router level, which would be more efficient from a bandwidth point-of-view, you could never do this (unless a router that catches a junk message flags it and then sends it to the reciever anyway - but that doesn't solve your bandwidth problems.)
Of course, Apple would probably never do this, at least no for a while, because if it were publisized, it would remove a reason to by Jaguar and buy a Mac to run it on..
I think if judiciously applied, this type of approach could also *masively* cut down on the number of worms/virii floating around out there. The email server (or router level) software detects a known malicious NIMDA or Mellissa-copy attachmet? It's removed. Period, end of problem. But that would require that an actual human be the one writing the Perl-script thingees which would scan and delete, so we don't get the kind of 'midireview' crap that Yahoo people now have to put up with. But if a trusted virus alert center, say CERT, teamed up with router manufactuers, I would ventue you could stop at least 50% of the common worms out there now. (Note I say now. The dark side of this is that it will spur the virus writers to write more polymorphic viruses - then the only hope will be to make an AI-based "internet immune system"..) I'm truely surprised that some router company hasn't done this..
I wonder, this thread already has over 300-odd comments. Might I just do as well to send this one into a black hole instead?
Ok. So this idiot configed his server to trust what people say thier domain name is. Shhh. Big suprise to most of us. Spammers lie.
While on my domain server I havent a problem I have had a problem with people spoofing email spam from my yahoo account. If you allow people to spoof from your domain you deserve a blacklisting.
Limit relaying to IP's on your network or use authentication. If your not doing that then you deserve to be blacklisted.
--- Always remember. 99.36% of all statistics are inaccurate.
I think a concerted email effort to this lawyer's firm pointing out his idiocy and how poorly it reflects on them will calm his sue happy nature.
The firm is listed at the bottom of the article.
All he had to do is allow connections for port 25 from his IP, be it 127.0.0.1 or whatever IP address he uses and have the firewall reject/deny any other connections on that port from all other IP addresses. You can do this with zonealarm in Win9x and sysgate.
So what if mail servers accepted SMTP for inbound mail only, and required POP for outbound mail? Mail arriving from points unknown would be accepted via SMTP, but mail heading out would need that initial authentication -- no more forged headers. I think it's a great solution: it's compliant with IETF standards that are in place today. There's one problem.
Since PMMail, and I assume its short-lived Windows version PMMail 95, I haven't seen any mail clients that support POP for outgoing mail. Given the problem with spam and forged headers, I can't believe that no one has seized upon this idea.
Anyway, if the response is positive enough, I may be motivated to crack open some open-source mail client add support for outbound POP...
Say you own a bar in the US. You let anyone come in and drink, without regards to their age. You get shut down by the police for serving alcohol to minors.
So you reopen your bar, but now you check ages. Anyone can come into your bar so long as they provide a piece of paper that says "I am over 21." The police send an undercover agent, aged 16, in with a piece of paper, and again shut you down for serving alcohol to minors.
Do you learn your lesson, and start requiring Authentic proof of ages? Or do you sue the police for sending someone in with a false proof of age? Whose fault is it that your standards of proof are too easily falsified?
You're speaking of SPEWS. And the whole point is that because spammers move around to evade blocking, the front line of defense is the ISPs. Blocking just the spammer alone is a futile effort. Getting spammers disconnected doesn't work at too many of the larger ISPs because they would rather take spammer money than keep non-customers happy. So of course the logical way to go is to block ISPs. And SPEWS doesn't immediately block a whole ISP (unless they are so small they have less than a class C network or something). They raise the pressure gradually so the ISP gets the message before too many customers are impacted.
The only way these ISPs are going to respond to dealing with spammers is when they are forced to decide between the revenues of spammers vs. the revenues of non-spammers. Absent that force, they just keep spammers online and the internet suffers. With that force, most will eventually see the financial issue and make the decision (and yes, some have decided to go with spammers and have gotten 100% blocked ... and rightly so).
As long as you stay with an ISP that supports spammers, then you are, every time you make a payment to them, saying "It's OK for you to keep spammers online because I'll keep paying you even though it causes me grief". If it's so costly to change ISPs for you, then maybe you should have done due diligence in the first place to discover what their real intentions are with regard to spam.
I already ignore spammers. They have not gone away. That idea is stupid because there will always be some small percentage that don't ignore them, and it only takes that small percentage for them to get more money out of spamming than they put in. Then while they spam, they force us to do deal with all the junk. Even if you just count the 3 seconds it takes to delete each piece of spam at a typical low end wage of an office worker, spam costs over a billion dollars a year (at its current rate) just in lost worker productivity in the USA. Now that Europe has caught up and edged past the USA on internet users, I'm sure the figure is nearly as high there, and will soon be higher. And this doesn't count the time it takes for staff to manage the situation and clean it up.
What's a little guy to do? For starters, try convincing your ISP to stop supporting spammers. But if you say to them "because it costs me so much money to move to another ISP, I will stay with you no matter what you do", then why would they give up the revenue from the spammers just for you? Maybe what you should do is figure out why and how you got yourself into a mess where you can't change to another ISP?
now we need to go OSS in diesel cars
"I am a lawyer who cannot configure a f*&$ing mail server. Instead of asking for help from people who do know how, I am going to sue the Danish company who is doing the world a good service. I do not care if they are volunteers trying to make the internet a better place for no money, I want compensation."
Stupid jackass. Why is it that attorneys pretend to know everything? Is this kind of arrogance required to pass the California State Bar? I don't pretend that since I have a masters degree in computer science that I can fix a car, take a case to court, or perform surgery. I seek help from professionals to do things that I cannot. People like this guy are what is wrong with our country.
He states in the article that he's not running an open relay, but got blacklisted anyway by an open relay detector robot. To quote:
:), and cause mail to be sent to an arbitrary destination on the Internet. I.e., an open relay. Mail originating from an outside connection should never be sendable to a domain outside the one the mail server serves, unless some sort of secure authentication method is used to validate the identity of the sender. Period.
How had it gained access to my mail server? Simple. It had forged the headers on its email to convince my mail server that the email it sent was from a permitted user. You see, my mail servers were set up to pass mail only from a domain name of which I am the only user. It blocks everything else. That's not an open relay. Unless you're a user in my domain, you can't use it.
By definition, he's running an open relay. Someone was able to connect to his mail server, forge the headers (a spammer would *never* forge a header, would they?
This guy needs to get a clue. He's got some very valid points in his article, but his ignorance really gets in the way of his message. He also talks of fighting the blackhole listers through legal means, because they "trespassed" on his computer by falsifying email headers. Technically he may be correct, but how else are blackholers supposed to determine if spammers can get mail through his server? Spammers fake the headers as a matter of common practice, but is this guy talking of suing the spammers who have sent him junk mail with faked headers? No.
If this guy would do the simple thing and secure his server, his problems would go away. Instead, he decides to take a sledgehammer to those who are trying to stamp out ignorance about open relays, because he's ignorant and doesn't want to face it.
Here's a message for you, buddy. This is old ground. Much less clueless people than you, such as John Gilmore, have learned the hard way that there is NO EXCUSE for open relays, and that legal action probably won't help you. All reasons for having open relays have been obviated by secure relay mechanisms that are readily available. Most likely, if you're not sending mail through your mail server from the outside world (i.e., when you're on the road or something), you don't even need a secure relay because you don't need a relay at all. Get with the program and STOP WHINING. And geez, at least try to become fully educated on a topic before writing a freaking article about it.
This is the reply I got from the email I sent to the email on the website of this article, and my rely back.
;-)_ _________
Even though I understand what it is you are saying about the blacklist operators, I am totally on their side on this, I work for a
ISp and have been working for ISP's for sometime now, The only way I can think to stop SPAM or to at least calm it down some is to
hold the Mails server that send the SPAM liable for their actions.
I don't see any problem with someone doing the test that you have a problem with, it is a simple test to see if the mail server is
setup to send mail from anyone with their domain in the FROM field.
Sense maybe you don't understand that most SPAM does use this to send mail through a mail server.
I can remember when allot of this mess was first started.
At first the ISP I used to work for used to let anyone forward mail through the mail server, Back then SPAM was not a problem.
Then it did become a problem, first thing that we did was do what you are doing, only let mail coming from people with our domain
in the FROM field forward mail, unfortunately that only work for a short time, people who send SPAM figured that out pretty fast.
So then it became normal to only let the IPs that a ISP was responsible for send mail through the mail server.
This does cause a headache for the ISP, I cant tell you how many people bought email services through us that where connected via
another ISP's connection, and requested to have their IP range added to the allow list of the mail server.
Today most ISP's do not provide for this, they just tell you to use the SMTP server of the people you are connected to directly,
and still use their POP3 or IMAP server to get mail.
We still do on occasion added others ip ranges to our list just to help though.
With all the headaches this causes for the ISP, you better believe that I do stand behind the idea of stopping open relay's in
hope that one day most SPAM will go away or that server will be a Banned list.
Your mail server ports are BTW open to the whole internet, and don't think the people who send spam don't test mail servers
constantly to see who allows the above problems.
I do think that if you want to allow the world to send mail through your mail server that is fine with me, as long as I have the
right to BAN that server from sending mail to me, if it is deemed a problem.
The test you are referring to is the best way to find these problems and simply add the servers to that list.
I guess you wont understand, But i really wish a service like this could be kept up and running even in the US and be let alone to
do this test.
I feel like you are wrong in this issue and really should just fix the problem. This really is a good idea.
Please reconsider any ideas of suing or trying to cause problems for these companies, I find the service to be very valuable, and
am afraid that you might do allot more harm than good.
Bret Fausett wrote:
>
> Thanks for the note. I'm sure you won't be surprised that I've received a
> lot of comments about this article, not only from today's Slashdot post but
> from when the article was originally printed in the magazine. Here's my
> response to the original letters, printed in New Architect's current
> edition:
>
> When it comes to mail administration, it appears I was
> several years behind the curve. Since my mail server
> software, circa 1996, had been purring along quietly
> without problems since it was new, I had never upgraded
> it to a version capable of a higher degree of authentication.
> I'm also old enough to remember when an "open relay" was
> a relay intentionally left open for anyone to use, not
> one merely susceptible to misuse. Thanks to all of the
> readers who wrote to bring me into the new millennium.
> Both my software and my definition are now upgraded.
>
> At the same time, I labeled the blackhole list operators
> "vigilantes" for good reason. It was always my understanding
> that if you lie about your identity to gain access to
> something that would be closed to you if you told the truth,
> you've done something wrong. Thats true whether you intend
> to send spam or prevent it. As vile as spam is, the ends
> dont justify the means. Regardless of whether my mail
> server used to be "open" or not, I stand by the legal
> analysis that placed fault on the blackhole operators who
> forged their identity.
>
> Aside from the proper definition of an "open relay," the point made in the
> Slashdot introduction is at the heart of the problem with blackhole lists:
> if we accept "blackholes" for spam, what will happen when ISPs are
> strong-armed into blacklisting sites engaged in peer-to-peer file-sharing or
> other things deemed "offensive" by a segment of the community?
>
> I plan to read to all of the messages that I received today in more detail
> (and I'll try to respond to all of those that weren't intended as an insult.
>
>
> Thanks again for writing,
>
> Bret
>
> --
> Bret Fausett | fausett@lextext.com | http://www.lextext.com
> Hancock Rothert & Bunshoft, LLP Los Angeles, California
> _________________________________________________
>
> jeffd wrote:
>
> > Dude, not tring to be a jerk here, but you should just admit you were wrong
> > and fix the problem.
> > If you actully need help fixing your Open Relay, please let me know I will try
> > to help.
> > There are several ways to actully fix the problem, But allowing your server to
> > send mail only from people with your domain name in
> > thier email address is pretty bad.
"For example, imagine that the RIAA compiled a list of IP addresses which, it contended, had at some time used peer-to-peer file sharing programs. Because these peer-to-peer systems could transmit copyrighted materials in a way that infringes on the copyright owner's rights, the RIAA could argue, those IP addresses should be blocked."
*cough* what? have their ip blocked from what? the p2p system? no, that's why he's blacklisted in the first place. blocked from the ISP? no, the ISP is the entity that owns the IP address in the first place. jeez. someone at NA needs to hire some REAL editors
--- What
"An end user's choice devolves to changing ISPs".
Or running their own mail server, yes. That's correct.
This is, though, completely orthogonal to your original argument, and I don't think it's a legitimate complaint, even if you come down to lack of choice. As a Californian, you don't have any choice about having the oxygenate MTBE in the gasoline you buy for your car, no matter which gas station you go to, even if your car was manufactured since 1981, and has an Oxygen sensor, causing the fuel to be burned more rich, and actualy causing *more* rather than *less* pollution.
Individual filtering is also not a good answer. Filtering after download multiplies the problem and the amount of computational effort required. It also has you paying message units for the transfer of the unwanted email, if you are using a commercial phone line in the U.S., if you are using a cellular phone, if you have elected that tarrif for your residential telephone connection, or, if you are a European or Japanese user who has no choice in the matter.
Filtering also has the undesirable side effect of everyone having to accumulate their own, potentially very large and expensive to accumulate, undesirable sender list.
Filtering on the server side to avoid the download has these same negatives, as well as increasing the amount of CPU cycles that have to occur at the ISP (at least at the ISP, the cycles are amortized across all users selecting a set of filtering options, instead of being a per user cost). Still, why should I have to pay more for an ISP who has to pay more for compute cycles for more flexible filtering?
The problem comes down to one of unsolicited senders costing a recipient money.
In any case, since you are running your own mail server, you have the choise of whether or not to use a black list. If you don't opt-in to one, then you aren't a member of the class that you are complaining about anyway.
I don't think you have a valid legal argument against black lists, unless you are in fact forced to utilize one as a conditon of not being black-listed (e.g. as Microsoft's Palladium permits, and will inevitably encourage as a result of non-interoperability penalties).
-- Terry
Yeah, that is what you think...
(Yes, I know the difference. Just couldn't resist).
That article is the sort of thing that farmers plow into their back 40 to make the crops grow. A no trespassing sign is not vigilantism, and neither is a boycott. Court after court has ruled that the owner of a network is not obligated to accept any traffic. Multiple courts have ruled that UBE is theft by conversion, theft of service and trespass to chattel. So what next; will they call you a vigilante for locking your front door?
Why is this being discussed now? It was published online back in July. Jeez, is everyone running out of material? Take a look at his bio: http://www.hrblaw.com/atty_bio_248.htm He looks like a smarmy little nerd.
Just to weight` in with my expierence -- I'm a sysadmin who does lots of contract work, and I have to fix open relays for people all the time.
:), and (b) report it closed for retesting. ORDB usually takes less than a day, MAPS has been quick (so long as the relay is gone. Never dealt with maps over a mailing list issue though). The guys at monkeys can be really rude, but again, never had a problem with long delays once the problems been fixed.
::SARCASTIC::).
:). Anyway, I'm holding out most
hope for technical solutions combined with
good AUPs and ISPs to make SPAM less and less
practical.
My experience is that most RBL lists all you have to do is (a) fix the server or cut off all outside world access to it, and smarthost it through something else (in order to buy time
In short, I've not seen this "two week" thing, and I know that band-aid or not, I am *not* removing black list filters from my servers, because I tried that once! (yeek! You should of seen it start to pile up.) As for "making it illegal", well, I doubt you are going to get every country in every world to buy into the same deal, and what the heck is enforcement going to look like? The current laws as they are evolving already look really scary enough, thanks (hey, if they can make it illegal to inspect your own property, why not spam, right??
Please remember folks, that "U.S.A" isn't a synonym for "the whole world" (Triva: India has more *vegitarians* than there are citizans of the US!
Dear Sir.
I have read your New Architect article, in which you state that you are going to sue some people who tried to help you learn how to be a good netizen.
I am blackholing your entire domain on the three mailservers I administrate. You will not be able to communicate with the aproximately 500 users on these networks.
I want you to understand that I am not doing this because you are an open relay. Since I have not yet received spam from your site, you are not on my open relay blackhole list.
I am doing this because you are dangerously, purposely ignorant and you react to people trying to educate you with threats and lawsuits.
Users in my domains do not need or want to communicate with you, or anyone who shares your attitude. Since I have the legal right to accept or deny mail from anyone I please, I am revoking the assumption of good will that previously applied to you.
I image many other domains will do the same.
--A Postmaster who wishes to remain anonymous
Your post and numerous others on this issue are wrong. He is complaining about the following - which I have seen happen...
You screw with an email's header by doing the following. You set up your own email server and tell it that it is mail.adomainyoutrust.com and you send the mail to the person's mail server. Or you send an email and have your email server change other header lines (not the FROM field) to read from your domain name.
And of course, in the header, the FROM field usually gets changed to match...
The issue is, email servers have settings to determine where mail gets relayed from. If you have a mail server at mail.mywork.com and have a dialin you check your mail from when home (and send from), then you have to enable relaying from myipaddress.athome.com which means anyone who has received an email from you can use that information to send via your server...
Change (forge) the Received lines before it gets to the server...
Return-Path: root@theblazinghost.com
Received: from mail.reallyfakedomain.com (64.38.243.210 [64.38.243.210]) by cei.nu (Hethmon Brothers Smtpd) id
20020911071410-24648-7 ; Wed, 11 Sep 2002 07:14:10 -0500
Received: from heater (localhost [127.0.0.1]) by mail.reallyfakedomain.com (Postfix) with SMTP id C47821101B for ; Wed, 11
Sep 2002 01:39:22 -0700 (MST)
Received: Micro$oft Mailer 2.3
And now you better hope your mail server does IP address lookups to make sure they match... problem with that? Simple... if you connect via a dialin, you cannot use IP addresses, you have to use wildcarded IPs or more likely wildcarded domain names... like *.earthlink.net (more precise like *.southern.nj.earthlink.net or similar), but that still leaves gaping holes...
- Robert
WebMaster:
BinFeeds
XXX Thumbnailed Image Newsgroups but
The same point remains. His server based authentication on the forgeable domain name. Some spammer did discover his server worked that way. I see spammers frequently testing my servers exactly that way, by trying to use local domains, including the name of the server itself, to see if any of those have been blindly (and stupidly) configured to allow relaying. They don't get through mine because I don't configure it to trust forgeable information. And it is easy for a spammer to try this because he already has lots of email addresses from which he can do MX lookups to find mail servers. If that server is stupidly configured, that email address stands a good chance at being allowed to relay by merely being the MAIL FROM or the From: address. If that doesn't work, they try the reverse DNS of the mail server IP address as the hostname part. Some spammer did that on Bret Fausett's mail server, and at least one of those spams went into a spamtrap mailbox, resulting in the initial listing. Then when he discovered the situation and read about how to get it unlisted by being tested, he asked for that, probably without yet knowing the mechanisms the spammer used, and therefore that the relay test would have to use. When he discovered that the test mail forged his own domain name, he got into a tizzy and started writing his article.
It doesn't matter what the mechanisms actually are. There are many others that some mail servers will be fooled by to allow relaying. If a spammer can use it to relay spam, then a relay tester must include that mechanism in the testing to determine if that particular mechanism has now been closed.
now we need to go OSS in diesel cars
The university clearly has the right to test its own network in whatever way it chooses. The students don't "own" the network, they are just granted the right to use it in whatever way the owners want.
As for the guy in the main article, he also asked to be tested. So, where is the "without permission" part?
And as for getting in a blackhole list in the first place, no one has to probe his server. Some of us still can read email headers and determine where some piece of email came from.
http://www.newarchitectmag.com/documents/s=2442/ne w1018046666890/index.html
Someone else posted this link where you can find his CV and a list of his published work.
A magazine that would continually publish articles by this jack ass must be complete garbage.
I filter my mailservers and I like the results. :)
But just don't add those filters without thinking about what you are doing.
Take SPEWS as an example(others apply as well), I am not using them myself at the moment. If you use the service, you should also know that entire subnet's of ISP's have been blocked because they failed to take action to people spamming.
Now I like to keep spammers out of my mailserver but when you choose to use the filtering, you are joining the statement: "So this ISP is bad, we shut them out and hope they will go out of biz.". And maybe it would be for the greater good if the filtering indeed caused them to close down their company. But you need to be aware that you are taking this standpoint, not just "I don't like spam and won't have it" but every company that are connected though the bad ISP are affected as well, even the ones that does not spam anyone.
my sig
To satisfy your specificity, just think I am your Dorm Resident Advisor and I want to make sure of your Dorm Room security. Therefor, without warning to you, I start to probe the various ways I can I break into your room. Hey, its just the University's dorm. They have a right to make sure all students living in them are secure. And what do you mind? If they happen to "stumble" on your 6 foot water pipe disguised as a Sunflower stand and kick you out, its for your security. How can you complain?
Strange women lying in ponds distributing swords is no basis for a system of government.
telnet naam.pair.com 25
.
Trying 209.68.1.237...
Connected to naam.pair.com (209.68.1.237).
Escape character is '^]'.
220 naam.pair.com ESMTP
HELO test.lextext.com
250 naam.pair.com
mail from: randomuser@test.lextext.com
250 ok
rcpt to: bret@lextext.com
250 ok
DATA
354 go ahead
Hello Mr. Fausett,
your mail server is wide open. please fix it.
250 ok
quit
221 naam.pair.com
Connection closed by foreign host.
So it seems the article published in New Architect is wrong. It is defamatory and it is claiming that the guy is innocent while he's guilty as sin.
I guess that's what passes for lawyers nowadays...
Please DO NOT flood the poor guy with email. He's enough trouble already: He's a lawyer, he's been caught pants down after claiming he wore belts and suspenders, he's a lawyer, he's been blacklisted, and he's a lawyer.
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
This was discussed on SPAM-L back in July. Can't someone tell the idiot who submitted this article to find something new for once? Go look at the author's site, find his bio, and look at what a putz he is.
Virtually all modern E-mail clients (yes, even OutLook) and SMTP servers can be configured to use that.
There's just no excuse for open relays anymore.
/Styx
If you connect via a dialin, you have two options.
:(
You can either use your ISP's mail server as your relay (many MTA's refer to this as a "smarthost") or you can setup POP-before-SMTP to temporarily enable mail relaying for the exact IP you have successfully authenticated from. The former is so much more easier than the latter, but even the latter is not difficult to do, and its extremely rare to have a MUA that cannot do it (even LookOut! can, which is fascinating considering it's not a Microsoft protocol).
Anybody configuring their mail server to allow any mail from a domain to be relayed is configuring an open relay. This is the most common misconfiguration of an MTA unfortunately
Matt
This has already been on /.
(Cards-on-the-table time: I am working on a new solution for end users to eliminate spam from their inboxes. It is based on a new method, and it will work for any user who uses a POP email account. It will be ready for public beta soon.
I hope it'll do better than the ~98% spam tagging rate I get running freeware SpamPal as a POP proxy in front of my Winbloze aps? Oh, and SpamPal relies heavily on those "problematic blacklists" as you call them. No problem for me, just for spammers trying to reach me.
I hate spam, but I think in the case of the spam vigilantes the cure is worse than the disease.
Here's what happened to me because of SpamCop: I emailed the owner of a website with a topic related to mine, suggesting a link. For some reason he forwarded my mail to SpamCop. Even though it had my return address in the headers and in the body text, neither he nor SpamCop mailed me. Instead SpamCop proceeded straight away to send an accusatory unsolicited email to my ISP.
Another time SpamCop blacklisted my home ISP (who happen to be about the biggest ISP in the UK - BT Internet) for something or other. So when a client emailed asking for help, my replies to him all bounced! Thanks SpamCop. I contacted SpamCop and, as the previous time, I got a barrage of self-important indifference (at least they replied), and I was told to contact my ISP to get them to stop whatever it was SpamCop reckoned they were doing. I did complain to the ISP but they didn't answer my email - quelle surprise.
I doubt whether SpamCop and the other posturing self-appointed holier-than-thou busy-bodies have very much effect on spammers. The spammers probably just switch to another ISP, an option not practical for SpamCop's innocent victims. The spam in my inbox I can deal with - but unfortunately I can't delete SpamCop!
Jerk. You're even worse than goatse.cx.
Google Groups Link:
"blackhole lists offer dark prospects"
Bill apparently is too dumb to realize Usenet doesnt like spam either. (Unless it is someone trying to get him blacklisted again.)
Some lawyers never learn.