Internet Vigilante Justice, SPAM, and Copyrights
pdw writes "An interesting article about how vigilante justice on the Internet by anti-spam advocates can be just as threatening to the Internet as those proposed for copyright advocates."
Well, setting your sender's address to a trivially guessed domain name (such as the reverse-mapped address of the host), you effectively have an open relay. Guess what spammers are doing: they are using known-good addresses, and try sending spam from those addresses' MX hosts in the hope that the MTA does this foolish kind of access check.
This has been discussed for at least five years, and has been a point in the many FAQs and howtos on how to lock down your MTA for a long, long time.
If you really need to send mail through your MTA from arbitrary IP addresses, you need to employ authentication. Again, this is hardly a new technology, and many documents explaining how to combine SSL and authentication for SMTP exist.
His mail server is an open relay, and he still doesn't realize it.
His mail problem is that he doesn't understand what an open relay really is.
He says "I block SOME relayed mail, so therefore my relay isn't completely open, so therefore it's not an open relay."
Well, if a door is ajar, are you going to argue that it's not open? If it's not closed, it's open.
If you subscribe to New Architect, this guy wrote a followup article to this one after receiving a boat load of mail pointing out that he was in fact running an open relay. He admitted to being behind the times, etc., said he was sorry. He still doesn't take back the fact he's mad at the vigilantes out there. Sorry, there's no link yet; I think NA has a lag between the print and web editions.
:-)
Point being, if they can forge a header to get on your computer, a spammer can very easily do the same thing. An interesting thing on my campus is the technology department regularly scans and tries to hack into FTP sites running on campus, and sends an e-mail to the admins if they're successful. Some students got mad, but the moral of the story is, better to have someone trustworthy find your weakness rather than someone who's going to exploit it. This seems to be a new effective form of security that's emerging, since we can't depend on everyone to stay up to date with the latest security issues, such as Mr. Faussett in the article. I think vigilante is the wrong term; these blacklist ops are doing everyone a favor by helping to clean up insecure sites, which in the end saves everyone money. I propose we call them "Freelance Security Advisors" or something like that.
Then that's when you want SMTP AUTH or POP-before-SMTP, a pretty typical configuration on modern mail servers. Or use your dialup ISP's mail server as a smarthost--that's what it's for.
Anyway, ASIP only allows you to selectively allow relaying based on domain name, just like this guy is doing. It, of course, doesn't explain this as the documentation is truly useless. Also, it doesn't allow you to do IP-based selective relaying, which is what people actually need.
This is a completely useless feature. You can simply do "MAIL FROM: somelocaluser@yourdomain.com" and it allows mail through. Then, in the actual mail message, you add a header "From: spammer@otherdomain.com", and the second thing is what most users (who don't read relay headers) will see.
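As an added illustration (not code from the page, from ASIP, or from any commenter), here is the relay decision written two ways: the envelope-sender check the post above describes, beside the source-IP or SMTP AUTH check the other comments recommend. The local domain, trusted network and session fields are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example of how an MTA decides whether to relay a message.
LOCAL_DOMAINS = {"yourdomain.com"}                       # assumed: domains we accept mail for
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]    # assumed: our LAN (RFC 5737 doc range)


@dataclass
class Session:
    client_ip: str          # TCP peer address of the SMTP client
    authenticated: bool     # SMTP AUTH completed on this connection
    mail_from: str          # envelope sender (MAIL FROM), supplied by the client
    rcpt_to: str            # envelope recipient (RCPT TO)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_local_delivery(s: Session) -> bool:
    # Mail addressed to our own domains is delivery, not relaying; always accepted.
    return domain_of(s.rcpt_to) in LOCAL_DOMAINS


def relay_allowed_broken(s: Session) -> bool:
    # The check described in the post: trusts the client-supplied envelope sender.
    # Any host on the Internet can send a local MAIL FROM, so this is an open relay.
    return is_local_delivery(s) or domain_of(s.mail_from) in LOCAL_DOMAINS


def relay_allowed(s: Session) -> bool:
    # Correct check: relay only on facts the client cannot forge, namely the
    # source IP being on a trusted network or SMTP AUTH having succeeded.
    if is_local_delivery(s):
        return True
    ip = ipaddress.ip_address(s.client_ip)
    return s.authenticated or any(ip in net for net in TRUSTED_NETS)
```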
Someone else figured this out, and on a Friday evening, our server started spewing out LOTS of spam.
Now, I couldn't simply put up another mail server, as ASIP keeps all of its mail in one large, monolithic file, so I couldn't, for instance, export the mail to a qmail machine. Instead, I put the ASIP box behind a firewall so that NOBODY could connect to it. Then, I set up a secondary MX record for the box pointing to a Linux machine running qmail. Then, I poked a hole in the firewall to allow mail to the ASIP box ONLY from the Linux box (and from a couple other IPs for which it actually needed to do the relaying in the first place). Yes, this is quite a hackish solution, but Apple's software was extremely deficient and I was sick of working with it.
The point? This is an open relay, and it will be abused once some spammer runs out of open relays that don't even do "MAIL FROM:" checking. Whether or not this guy is an idiot, I don't know, but what I do know is that this guy needs a real admin.