Slashdot Mirror


Internet Vigilante Justice, SPAM, and Copyrights

pdw writes "An interesting article about how vigilante justice on the Internet by anti-spam advocates can be just as threatening to the Internet as those proposed for copyright advocates."

20 of 316 comments

  1. His relay is open by ccandreva · · Score: 5, Insightful

    This article demonstrates the problem we are up against getting people to secure their networks.

    His mail server is an open relay, and he still doesn't realize it. Worse, he's a lawyer. These are the people that will be setting policy.

    I wonder if it is even worth e-mailing to explain the situation to him.

  2. Re:wow by hawthorne · · Score: 4, Insightful

    Not only is he a lawyer, but he's a lawyer with an open relay, and he doesn't believe that spammers will 'lie' to get that server to propagate their mail!

  3. So let me get this right.... by kramer · · Score: 3, Insightful

    His server was set up so poorly that all it took was a forged header saying it was from his domain to get a message through?

    Sounds like he should have been blocked. Come on, at the very least do some ip checking. It sounds like his server wasn't a textbook open relay, but it was pretty close.

  4. Test fails = relay by cjustus · · Score: 2, Insightful
    If the test server managed to send an email through the mail server by forging mail headers, you can bet that the spammers can use the same technique...

    Authenticating by the domain that the sender says he is from is very weak...

    Holes like this are what keeps the spam coming to my mailbox...

  5. Re:wow by sqlrob · · Score: 4, Insightful

    He does seem remarkably clue-resistant though. He *IS* running an open relay and admits it.

    So what if you have to forge the FROM. It's not like spammers don't do that anyway.

  6. Seen it all before by odaiwai · · Score: 4, Insightful

    This is the kind of thing you see every day in news:news.admin.net.abuse.email.

    "Waah, I'm being blocked by your nasty list! I demand you stop blocking me or I'll drop pianos on all your heads! And I'm a lawyer!"

    "A. No-one's blocking you, they're just *choosing* not to accept email from known open relays (or whatever the perp feels accused of)."

    "You're abusing my First Amendment Rights to 'Frea Speach'"

    "Our list is based in the Gobi Desert. *Our* first amendment guarantees the right to tea with yak butter."

    Also, searching for his email address to see if he had ranted on usenet, I found this: Archived Article

    An excerpt (from the above article by "R. A. Hettinga"):

    New Architect is a Microsoft/DotNet magazine. This article is agitprop for Microsoft's identity solutions: UDDI, Passport, and Palladium.

    Any reputation framework that arises in the wild would reduce the profitability of a Microsoft solution, so they are going to badmouth it, sue it, etc.

    dave

  7. Not an open relay? by Jondor · · Score: 5, Insightful
    I do see a few problems with the story as written.
    • If it's so easy for the Danish people to forge an acceptable identity, it's as easy for everybody else. Including spammers. If his domain is the only domain that should be allowed to use the mailserver, lock it on an IP range.
    • If I want to make a personal list of domains from whom I refuse to accept mail, that's my good right. You can shout all you want, but I don't have to listen. If others like a copy of my list because they trust my judgement in this case, that's between them and me. Again, nobody can force me to accept mail.
    • As for the trespassing, he asked the Danish site to re-check his mailserver. If I ask a cop to check my doors and windows and he finds a way to get in, can I sue him for burglary? Or call it unfair because they used a method I didn't anticipate?

    Anyhow, IMHO this is another blabla piece from someone who doesn't really have an understanding of what he's doing... Typical American solution... let's sue...
    --
    Nobody expects the Spanish Inquisition!

  8. Is this guy for real? by gpinzone · · Score: 3, Insightful

    This guy admits his e-mail server WAS insecure and is complaining that he got blacklisted. I understand his frustration, but I'm glad he was blacklisted.

    Now what's needed is a simple-to-use tool to help users determine if their systems can be compromised. Any ideas?

  9. So he had an open relay... by fmaxwell · · Score: 2, Insightful

    "For one, the Danish antispam organization falsified an email header to gain access to my mail server."

    Translation: His mail server is an open relay for anyone who forges a from: address using his domain name. No password, POP-before-SMTP or other identification and authentication mechanisms are used.

    He's whining because his open relay was correctly listed as an open relay. And he's even suggesting a trespass-to-chattels lawsuit against the group that properly identified his server as an open relay. What a dick!

  10. Re:wow by Anonymous Coward · · Score: 4, Insightful

    No, this guy *IS* an idiot. Based on what he says in his diatribe, he has his server configured to allow relay based on the sender email address. As he doesn't seem to realize he has discovered, this is NOT a secure way of configuring a server, and a server configured that way *IS AN OPEN RELAY*. Relay controls must be based on IP address, not sender email address. Other secure options include SMTP Auth and POP-before-SMTP.

    His saying his server is not an open relay doesn't make it so. If some random person on the Internet can make his server send a message to some other random person on the Internet, then his server is insecure. Yes, spammers *DO* forge sender addresses in order to abuse these servers.

    Spam, and the security and policies necessary to try and get control of it, are by nature a very technical field. More and more people who are just upset that they can't mail, and think the blacklists are responsible, and who aren't willing to take the time to understand what's really going on, are starting to get off on their soapboxes like this. THEY ARE WRONG.

  11. Re:How? by ptomblin · · Score: 3, Insightful

    There is no reason to allow sites from outside your LAN to relay through your mail server based just on the From line or the MAIL FROM SMTP command. At the very least, it's pretty trivial to only allow mail to be sent to outside the LAN (or localhost) if it comes from inside the LAN. If you need to be able to send email through it when you're at work or away on business, for example, then set up an SSL tunnel or some sort of authentication.

    A good 10-20% of all the spam I get has headers forged to look like it came from me or from mailer-daemon on my site. Allowing mail to go through based on where it claims to be coming from, rather than where it actually is coming from, is just plain stupid. Spammers lie. Their entire business model is based on a lie, so why would you assume that they'd never lie about being from your domain?

    --
    The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
  12. Re:Some good, some bad... by catfood · · Score: 3, Insightful
    "Second, once you're listed on a black hole, it can be hell to get off. My company had a secondary domain that was used for customer emails. It was, indeed, an open-relay due to misconfiguration. Eventually it got blackholed and our admins realized the mistake they'd made and set out to fix it. They did fix it eventually, but by that time the server was being slammed by spammers trying to use it as an open-relay. And on top of that trying to get the black hole list to remove the domain was difficult - it took well over two weeks, while the black hole-ing occurred in under a day. Eventually the entire domain was just dropped, since even with the open relay closed the spammers were still abusing the hell out of our pipe."

    I'm sorry, but I'm really failing to see what part of this is not the spammers' fault... or yours. Certainly it wasn't the listing service "abusing the hell out of [your] pipe" or slamming your servers. And you say your admins "did fix it eventually." Was that in a day, a few weeks, a year, or what? A mere two-plus weeks to be taken off the blackhole advisory list sounds very reasonable under the circumstances.

    Sounds like the blackhole service did you a favor. Certainly they limited the damage your company did to the rest of the Internet by passing along all that spam while the relay was open.

  13. Don't hire this guy! by Anonymous Coward · · Score: 1, Insightful

    Let's look at some of the things he says:

    1. "only I am authorized to use." Let's get this straight. I don't lock the door to my house, but I am the only one authorized to use it. I hire a security firm to test it (knowing full well that they publicize their results and what their methodology is). They test it and find it insecure. Hundreds of burglars then try to go in through my door and I sue the security testing firm.

    2. "For one, the Danish antispam organization falsified an email header to gain access to my mail server. Illegal access to a computer system is, if not a criminal violation, then a trespass on my private property." Of course he ignores the fact that he REQUESTED THEM TO TEST IT and they DO DESCRIBE their methods. How is a *requested* test illegal?

    3."So the idea that private parties could get ISPs to block some people from talking to other people should be deeply troublesome."

    4. "I haven't found any good method of blocking spam." Try CLOSING an open relay or using AUTH in order to verify that only authorized users are using your machine. That will help at least those of us getting spam relayed through you!

    5. "I don't run an insecure mail server," Merely stating something does not make it so. If someone can relay mail through it, it is by DEFINITION insecure.

    6. "My mail server, however, was not an open relay." Please look up the definition of an open relay, as above in #5.

    7. "the spammers themselves use the lists as a kind of directory of servers to use for sending their mail." Duh.

    If this guy is an IP and Internet attorney his firm is really scraping the bottom of the barrel.

    Thank GOD I don't need him as an attorney.

  14. Blacklists are problematic by Elias+Israel · · Score: 5, Insightful

    The truth is that these home-grown spam mitigation methods do have their problems.

    One of them is evident in the article: well-meaning users often do not understand what might be insecure about their server configurations, or what might need to be done to fix them. I am very comfortable with sendmail configuration, and I can tell you that setting up the authorizations correctly for mobile users to be able to send email safely is a narrow, twisty labyrinth in comparison to the big, flashing exit door marked "promiscuous relay".

    Another problem in the home-grown nature of these solutions is the tendency for them to be personality-driven, instead of professional. Often, IP addresses (or even whole ISPs) are placed on blacklists because the blacklist maintainer does not mind creating a little collateral damage if they think it might create a little extra pressure on a spammer or an ISP.

    Some blacklists have blocked out entire hosting companies, including some of the biggest ones on the net, simply because they did not think they acted with sufficient alacrity against spammers in their midst. This kind of wild overkill is unfortunately too common, and perhaps it's a good argument in favor of for-profit blacklisting, which would probably exert some good influence on the question of list quality.

    Earthlink rejects mail from any IP address that belongs to a dial-up pool that attempts to connect to their SMTP servers.

    Ostensibly, this is done to reduce "direct-to-mx" spam, which is a very common spammer tactic. Unfortunately, it also makes life harder on the home linux enthusiast, or home business operator who might be running their own perfectly legitimate sendmail server. All part of the collateral damage in the spam wars: Internet access and Internet business are slowly becoming more expensive and possibly moving out of the reach of people with limited means.

    So what should we do?

    First, I think that current law against junk faxes should be extended to include junk emails. This would not eliminate spam, but it would give us the ability to correct the spammers who operate out in the open.

    As a Libertarian, I want to jealously guard the right of the people to freedom of expression. But that right does not and cannot include the right to expropriate other people's time or money. You have a right to make your voice heard. You do not have a right to force me to pay for it.

    Second, I think that we should be careful about the blacklists that we use, and prefer those operated by recognizable and accountable companies wherever possible.

    Finally, I think that for the foreseeable future, filtering at the user desktop will be necessary.

    (Cards-on-the-table time: I am working on a new solution for end users to eliminate spam from their inboxes. It is based on a new method, and it will work for any user who uses a POP email account. It will be ready for public beta soon. Please write to me if you want to learn more.)

    The struggle against spam is definitely picking up, and I think that a new equilibrium is approaching.

    1. Re:Blacklists are problematic by Elias+Israel · · Score: 3, Insightful
      "Then they shouldn't be running mail servers. PERIOD."

      The attitude that only "l33t hax0rs" should be allowed to run software is, sadly, just as common as it is wrong.

      Mail servers are hard to configure, people have businesses to run, and accidents happen.

      The right question is: "how do we make misconfigurations less likely?" Not, "how do we more effectively disdain folks to whom they occur?"

  15. Re:How? by Rik+van+Riel · · Score: 3, Insightful
    "What standard of hackproofing should every Mom & Pop on the internet have to meet, and why?"
    As far as I'm concerned, everybody has the right to decide exactly how secure they make their server.

    The flip-side of this liberty is that I have the full right to accept or deny any email I want and I have chosen to block email from open relays, so if Mom & Pop want to mail me, they'll have to make their server secure enough to meet my standards.

    Btw, I'm using DSBL for my open relay and open proxy blocking...

  16. Re:The Author Responds... by fizbin · · Score: 3, Insightful

    Quoth the poster:

    "Regardless of whether my mail server used to be "open" or not, I stand by the legal analysis that placed fault on the blackhole operators who forged their identity."

    But you did ask the blackhole list people to check your server, yes? You do have the right to access your server in any way you see fit and to permit others the same access, correct?


    If I contracted with a security testing firm to test the security of my office, I'd be severely annoyed with them if they did not try to lie their way past the office manager who watches the front door.

  17. Re:wow by walt-sjc · · Score: 3, Insightful

    People like this can't be educated. He has taken a stand and refuses to believe that his mail server is an open relay even when presented with irrefutable evidence. He KNOWS that his mail server accepts forged mail. The problem is VERY clear to all the parties involved.

    This lawyer is both stupid and stubborn which IMHO is the worst kind of lawyer.

    As an FYI, most rejections refer you to web pages on the RBL which explain things. None of the web pages I have EVER seen has said anything about "you nasty friend of spammers". Instead, they generally inform you that you are running an open proxy or relay and point you to information on how to fix it, however they rely on YOU (or your administrator) to know what mail server you are running. The web page has NO way of knowing which mail server you are running based on your browser / browsers IP address. Note that SOME rejection messages can refer you to a CGI script that looks up the offending mail server info, but not all MTAs support the ability to customize error messages in the fashion needed for this functionality.

  18. Re:How? by walt-sjc · · Score: 3, Insightful

    If it's not closed, it's open. Virtually all spammers forge headers - this is a VERY WELL KNOWN fact. What he SHOULD be doing is securing his mail server against unauthorized relaying. Restricting a mail server to only relay from email addresses from your domain is NOT enough. It needs to be based on IP address, SMTP Auth, or other mechanism that truly restricts unauthorized use. Information is widely available on the net on how to secure your server, so I'm not going to repeat it here, but you can check out http://spam.abuse.net/adminhelp/ for some info.

    Most Mom & Pops don't run their own mail servers. If you don't have the knowledge to secure your mail server then you shouldn't be running one. You should use your ISP's. If you don't know how to drive a car, you probably shouldn't drive until you get some education. Take a cab or bus instead. It's the same thing.
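    The relay-control point made in comments 10, 11 and 18, as an added example that is not from any of the posters or from the article: a simulated RCPT TO decision for the "relay if MAIL FROM claims our domain" policy the author describes, beside a policy keyed on the client's source network or a completed SMTP AUTH, run over constructed sessions including the forged-sender probe the thread discusses. The domain, address ranges and addresses are made-up values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values for the example: the server's own domain and the
# address ranges from which unauthenticated relaying is permitted.
LOCAL_DOMAIN = "example.com"
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),   # the office LAN
                    ipaddress.ip_network("127.0.0.0/8")]    # the host itself

@dataclass
class Envelope:
    """What the MTA actually knows when it has to answer RCPT TO."""
    client_ip: str               # peer address of the TCP connection (not forgeable)
    mail_from: str               # MAIL FROM argument, chosen freely by the client
    rcpt_to: str                 # RCPT TO argument
    authenticated: bool = False  # True if SMTP AUTH succeeded on this session

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def accept_rcpt_weak(env: Envelope) -> bool:
    """The author's policy: relay whenever MAIL FROM claims our own domain.
    Delivery to a local mailbox is always accepted; that is not relaying."""
    if domain_of(env.rcpt_to) == LOCAL_DOMAIN:
        return True
    return domain_of(env.mail_from) == LOCAL_DOMAIN

def accept_rcpt_fixed(env: Envelope) -> bool:
    """Relay only on evidence the client cannot fake: its source network or a
    completed SMTP AUTH. Everything else is answered 554 Relay access denied."""
    if domain_of(env.rcpt_to) == LOCAL_DOMAIN:
        return True
    if env.authenticated:
        return True
    ip = ipaddress.ip_address(env.client_ip)
    return any(ip in net for net in TRUSTED_NETWORKS)

# Constructed sessions; the last one is the probe the thread describes: an
# outside host naming a local sender and asking for an outside recipient.
SESSIONS = {
    "inbound to local user":  Envelope("198.51.100.9", "bob@other.example", "alice@example.com"),
    "lan user sending out":   Envelope("192.0.2.17", "alice@example.com", "bob@other.example"),
    "remote user with auth":  Envelope("203.0.113.8", "alice@example.com", "bob@other.example", True),
    "stranger, own sender":   Envelope("203.0.113.45", "x@spam.example", "bob@other.example"),
    "stranger, forged local": Envelope("203.0.113.45", "alice@example.com", "bob@other.example"),
}

def is_open_relay(policy) -> bool:
    """True if some unauthenticated outside client gets an outside recipient accepted."""
    for env in SESSIONS.values():
        outside = not any(ipaddress.ip_address(env.client_ip) in n for n in TRUSTED_NETWORKS)
        if outside and not env.authenticated and domain_of(env.rcpt_to) != LOCAL_DOMAIN and policy(env):
            return True
    return False
```

    Only the sessions marked "stranger" count against a policy; inbound delivery and relaying for the LAN or an authenticated user are accepted by both, which is why the weak policy looks fine from inside the office.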

  19. Re:So you don't mind if I test your home security? by FreeUser · · Score: 4, Insightful

    "Some students got mad, but the moral of the story is, better to have someone trustworthy find your weakness rather than someone who's going to exploit it."

    "Sometime in the next week or so, I am going to stop by your home and probe for any security problems that a burglar might exploit."

    You sir, are of subhuman intelligence.

    There is a distinct difference between a University testing the security of systems directly connected to its own network and jackasses like yourself equating it to random strangers "testing" a systems security.

    To clarify in terms of the flawed analogy you provide, no one should have trouble with their landlord testing their home's security, as the landlord is the one who is responsible, and who fixes it when it is broken. That is not the same as inviting any random stranger off the street to do likewise.

    --
    The Future of Human Evolution: Autonomy