Slashdot Mirror


Internet Vigilante Justice, SPAM, and Copyrights

pdw writes "An interesting article about how vigilante justice on the Internet by anti-spam advocates can be just as threatening to the Internet as those proposed for copyright advocates."

14 of 316 comments

  1. I don't get it... by Rhubarb+Crumble · · Score: 5, Interesting
    This guy's gripe is about being misidentified as an open relay. But either I'm missing something or he's full of crap:

    How had it gained access to my mail server? Simple. It had forged the headers on its email to convince my mail server that the email it sent was from a permitted user.

    One word: Authentication.

    You see, my mail servers were set up to pass mail only from a domain name of which I am the only user. It blocks everything else. That's not an open relay. Unless you're a user in my domain, you can't use it.

    Uh, it may not be a totally open relay in the literal sense of the word, but surely that still means it can be used to send spam, as long as the spammer figures out who to identify himself as - and if the Danes could do it, then it can't be that hard?

    Any spam-block that relies entirely on the "from:" header is broken by design. What, spammers disguise their identities? Never!

  2. Credibility lost in the second sentence by Mattygfunk1 · · Score: 2, Interesting
    I'm not even sure that I've ever clicked on a link sent to me in a piece of unsolicited commercial email.

    When that appears in the first paragraph the rest loses credibility. Anybody qualified enough to be commenting on SPAM should be aware that simply by opening the email you may have verified the address as valid (if it contains an external image).

    -----
    interested in inventions?

  3. The writer is a moron by wsapplegate · · Score: 2, Interesting

    I fail to understand how this can be a valid argument against badly maintained blackhole lists. The author was listed because *anyone could use his server to relay just by using a MAIL FROM command sporting his domain name*. Sheesh! When you configure your relay ACL, you use *IP ranges*, not domains (an awful lot of spammers forge all the headers in the messages they throw out). Even better, you use SMTP AUTH. That guy didn't bother to implement a technically valid solution, and thus his mail server definitely *could* be abused. No wonder it has been put on a blacklist...


    BTW, this doesn't mean there aren't stupid blacklists out there listing innocent people. But this article proves nothing. Moreover, there are now better ways to filter spam, based on message content checksum, like Vipul's Razor. This is not the first time people bitch and moan about their badly-configured relays being censored by the antispam Nazis (I remember a guy, from the EFF I believe, who did the same thing some time ago) but they simply are irrelevant. Their solution is to RTFM and play by the rules. Period. (Grrrr, I really dislike bad admins :-/)

    --
    Xenu brings order!
  4. SPAM and the dangers of blacklists by LinuxWoman · · Score: 2, Interesting

    Blacklists are a lot like a security blanket, they make you feel comfortable but they don't do anything about the real problems. A recent employer (a university) was placed on earthlink's blacklist simply because a customer had pressed a wrong button and reported an email to earthlink as spam. (Admittedly, the manager who insisted on handling the mailserver himself was technically clueless...but there wasn't any ACTUAL spam we could find traced to our server)

    First off, why is earthlink, which is itself the domain of quite a bit of spam, running a blacklist? Secondly, why couldn't they have at least bothered to send a courtesy automail to let us know? We finally found out when the sender of the original "spam" tried to send another email to her friend at earthlink. At that time it took a series of calls to earthlink to even find the department we needed to talk to! And then I found out that we'd been on their blacklist for MONTHS!

    Blacklists should be carefully administered and you should develop your own, as it's really not that difficult to set up blocks for individual domains. Too many domains are blocked by error, or because one company put another on a blocklist that got circulated but never bothered to circulate that the spamming domain had been fixed and removed from the list.

    Of course, a contributing problem is that many mailserver admins don't bother to keep proper security (or even keep their security patches up to date) for their server. It's way too easy to find a mail server that is VERY open to people outside the actual domain. But any truly working solution to the problem will have to involve responsible actions on the part of the "blacklisters" and the mail admins.

    1. Re:SPAM and the dangers of blacklists by Skapare · · Score: 3, Interesting

      Your concern about failing to circulate blacklist removals is misplaced with regard to DNS based blacklists. The data expires in a finite amount of time from the cache, and removal processes are working pretty damned good. I've watched a number of notices posted on news.admin.net-abuse.email asking to be removed from the SPEWS list, and I check out whether they have fixed the problem or not. In most cases I find that the data had already been removed from SPEWS by the time I checked that (so now I check SPEWS first before checking to see if the problem is fixed).

      Private blacklists are a problem because there's virtually no way to track them all down and get removed from everywhere (once you fix the problem). That's why we need central DNS based blacklists. But what we also need is to shield these central lists from stupid lawsuits from people who refuse to fix their problems or simply don't have a clue. Those who even so much as threaten to sue the list operators instantly get their IP addresses and domain names put in thousands of private blacklists where no one even looks to see if anything is ever fixed. And when they end up shutting down the central lists, they make things worse due to all the private lists. That's the primary reason SPEWS is so secret. Sure, it comes across to people who didn't know about it as a "Star Chamber" thing. And I didn't use it for several months until I verified it actually works to list what needs to be listed, and removes things when fixed.

      --
      now we need to go OSS in diesel cars
  5. Sensationalist half-wit gets published by Greedo · · Score: 2, Interesting

    This article really turned my crank. What a load of hogs-wallop. To wit:

    For one, the Danish antispam organization falsified an email header to gain access to my mail server. Illegal access to a computer system is, if not a criminal violation, then a trespass on my private property.

    Except that he previously admitted to asking the antispam people to check his mail server. So it isn't trespass if you invite them in. Or it's entrapment on his part, right?

    As I've discussed previously in this space, one of the novel legal theories now catching on for these kinds of unacceptable accesses to computer systems is a centuries-old tort called "trespass to chattels." At a minimum, I ought to be able to sue the Danish company for the damage it caused me from its illegal access.

    Alternatively, you could secure your f'ing mail server properly.

    But in spite of all that, I could probably get an injunction, or least a dollar or two to compensate me for my injuries and establish that I have been wronged.

    Always the lawyer ... :)

    Who knows whether the organization is a real legal entity or just some name cooked up by a group of self righteous individuals.

    At some point along here I gave up reading. This guy is a whining, deluded, litigious fuckwad. And a bit xenophobic (maybe he had a bad experience with a Danish girl once ... I dunno). His actions are not only irresponsible, they are just plain stupid.

    Okay ... I skipped to the end and read:

    It isn't difficult to imagine that the RIAA could pressure a sufficient number of ISPs into subscribing to this copyright blackhole list and blocking access to their users, or to any traffic emanating from them.

    Except (you half-wit), the RIAA would likely use pressure. The anti-spam list doesn't force ISPs to use it ... ISPs use it voluntarily. Hell, switch ISPs if you don't like the level of access they provide you with!

    I hate spam as much as the next guy. If I found out my mail server was an open relay (which we did at one point), I sure as hell would spend my energies fixing the problem, rather than ranting about it and plotting a lawsuit.

    I really hope that if he decides to take legal action, some judge with half a brain will say "You could've solved this yourself in half an hour ... Why are you wasting the courts' time?"

    Sheesh.

    --
    Tuus crepidae innexilis sunt.
  6. Lawyers, Hypocrisy, Idiocy (Re:His relay is open) by phorm · · Score: 2, Interesting

    The internet is often a useful tool for communication. It's also often a tool for complete idiots to share their useless opinions with the masses. This guy has an insecure mail server, gets blacklisted, and asks the blacklisting org to check his mailserver. He then bitches when they find a hole and get in, and decides he should sue them for illegally entering his server.

    He claims they caused damage, but all they did was fulfill HIS request to double-check his server, and didn't in any way disrupt any functionality of his server, other than using an existing hole.

    Another spam-pigeon who thinks his right to leave his ass flapping in the wind overrules the rights of others who don't wish to get a gazillion messages bounced off his insecure server.

    A few quotes to laugh at:
    I asked the blackhole list service if it would kindly re-scan my mail server and make another determination as to whether it was an open relay

    For one, the Danish antispam organization falsified an email header to gain access to my mail server

    At a minimum, I ought to be able to sue the Danish company for the damage it caused me from its illegal access.

    Debating on anonymously spamming this guy with a few 'got spam? you're a moron' messages from his own server... - phorm

  7. My response to the author via email by numatrix · · Score: 2, Interesting

    I just read your article (http://www.newarchitectmag.com/documents/s=2442/na0802g/index.html) about open relays and figured I'd email you with my experience. For my day job, I work network security (handling spam complaints, hacking, etc.) for an extremely large public educational institution, so I see an extremely large number of spam complaints, spam issues and whatnot every day.

    If your mail server is allowing mail to be relayed through it via the domain it advertises, it is an open relay. Period. An open relay is a relay that permits an unauthenticated, unidentified host on the network to send mail through it. Your claim that you are not running an open relay simply because you only allow mail from users on your domain demonstrates a fundamental lack of understanding of the mail protocol. The FROM field is not any kind of authorization, it's not a login, it's completely arbitrary and should never be used to allow or disallow mail except in rare cases where viruses may email out with fixed FROM addresses that are known to not be legitimate.

    Your mail server advertises what domain it claims to be (and likely has reverse DNS to supply a spammer with the domain), therefore it's trivial for any spammer to (as the Denmark organization did) simply put a from address of your domain. And are they lying? It might be interesting to note that since your mail server is sending the message, the mail ~is~ from the domain they put in the from field.

    The issue is not that some anti-spammers spoofed a from field. The issue is that your mail server allows relaying of spam email. I'm sorry you see it otherwise. There are other effective ways to secure your mail server so you can travel and still have access to it, but your current 'protection' is not.

    If you would like more information on how exactly you can configure your mail server to not be an open relay and still allow remote access, please feel free to respond via email and I'd be glad to help.

  8. Re:The Author Responds... by Anonymous Coward · · Score: 1, Interesting

    The difference is that you have the option not to use a blackhole list. You can evaluate the credibility of a blackhole list maintainer, check for false positives on various discussion boards, use several independent blackhole lists and only reject mails when the server is listed by more than x lists and so on. Nobody is blocking your mail except the recipient (or his provider, if the recipient chose so).

    Them testing your mailserver with forged headers is also not a problem: You invited them to do that. Testing for an open relay means that all known techniques which are used by spammers to get around relaying limitations are applied to a server.

    Lists of spam-friendly relays are among the best things we got against spammers today. They are not perfect and the possibility of a well established list becoming a weapon against non-spammers is well known. That's why sensible users don't rely on open-relay lists alone. Development of other countermeasures is very active and may render lists obsolete someday. But one thing I know for sure: When this problem is handed over to lawyers, everybody loses.
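
    The two mechanics behind comment 8's advice (reject only when several independent lists agree) and Skapare's point in the reply to comment 4 (DNSBL data expires from caches, so removals propagate on their own) can be shown in a few lines. The following Python is an added example, not code from the thread or from any list operator: it builds the DNSBL query name for an IP (reversed octets under the list's zone), caches answers until their TTL runs out, and applies a listing threshold. The zone names, TTLs, the client address 203.0.113.7 and the threshold of two lists are assumptions, and a constructed resolver stands in for DNS so nothing touches the network.

```python
"""DNS-based blacklist (DNSBL) lookups with TTL caching and a listing threshold.

Constructed example, not code from the thread. The zone names, TTLs, the
client IP 203.0.113.7 and the threshold of two lists are assumptions; no
network is used (FakeResolver stands in for DNS).
"""
import ipaddress
import time

NEGATIVE_TTL = 300  # assumed: how long a "not listed" (NXDOMAIN) answer is cached


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets under the list's zone, e.g.
    209.68.1.237 in relays.osirusoft.com -> 237.1.68.209.relays.osirusoft.com"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # also validates the address
    return ".".join(reversed(octets)) + "." + zone


class FakeResolver:
    """Stand-in for a DNS client: name -> (A record, TTL), or None for NXDOMAIN.
    Listed hosts answer with a 127.0.0.x address; the last octet usually encodes why."""
    def __init__(self, records):
        self.records = dict(records)
        self.queries = 0

    def lookup(self, name):
        self.queries += 1
        return self.records.get(name)


class DnsblChecker:
    def __init__(self, resolver, zones, clock=time.monotonic):
        self.resolver, self.zones, self.clock = resolver, list(zones), clock
        self.cache = {}  # query name -> (listed, expires_at)

    def is_listed(self, ip: str, zone: str) -> bool:
        name = dnsbl_query_name(ip, zone)
        now = self.clock()
        hit = self.cache.get(name)
        if hit and hit[1] > now:  # still fresh: the list itself is not consulted
            return hit[0]
        answer = self.resolver.lookup(name)
        listed, ttl = (False, NEGATIVE_TTL) if answer is None else (True, answer[1])
        self.cache[name] = (listed, now + ttl)
        return listed

    def listings(self, ip: str):
        return [z for z in self.zones if self.is_listed(ip, z)]

    def should_reject(self, ip: str, threshold: int = 2) -> bool:
        """Comment 8's policy: reject only when at least `threshold` independent lists agree."""
        return len(self.listings(ip)) >= threshold


class FakeClock:
    """Controllable clock so the scenario can fast-forward past TTLs."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


ZONES = ["relays.list-a.example", "spews.list-b.example", "dul.list-c.example"]  # assumed
SUSPECT = "203.0.113.7"  # constructed client IP


def run_scenario():
    """A host listed on two of three lists is delisted from one. Returns the reject
    decision before delisting, right after it (served from cache), and after the
    TTL expires, plus the number of DNS queries made along the way."""
    clock = FakeClock()
    resolver = FakeResolver({
        dnsbl_query_name(SUSPECT, ZONES[0]): ("127.0.0.2", 3600),
        dnsbl_query_name(SUSPECT, ZONES[1]): ("127.0.0.2", 3600),
    })
    checker = DnsblChecker(resolver, ZONES, clock)
    before = checker.should_reject(SUSPECT)  # two listings: reject
    del resolver.records[dnsbl_query_name(SUSPECT, ZONES[0])]  # list A removes us
    clock.now = 100
    cached = checker.should_reject(SUSPECT)  # cache still fresh: unchanged
    clock.now = 3601
    after = checker.should_reject(SUSPECT)  # re-queried: one listing left
    return before, cached, after, resolver.queries


if __name__ == "__main__":
    print(run_scenario())
```

    The scenario returns (True, True, False, 6): the delisting takes effect at the receiving sites once the cached answer's TTL has run out, with no circulation of removal notices needed, which is the difference Skapare draws between DNS-based lists and private ones. The threshold is what keeps a single mistaken listing, like the earthlink one in comment 4, from blocking mail on its own.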

  9. Re:The Author Responds... by g_adams27 · · Score: 2, Interesting
    Bret, you use the word "vigilante" so much when talking about blackhole list operators, but I really don't see much difference between those groups maintaining lists of people with open relays and, say, other groups like Cybersitter maintaining lists of offensive sites.

    1. Both groups maintain lists that are optional for subscribers. Are you willing to trust Cybersitter's judgement in what is offensive or not? Fine, buy their software and use it. Want to tweak the definition of what's "offensive"? Cybersitter lets you do that too. The most important word here is "optional" - you don't have to use Cybersitter if you don't agree that their list is fair, accurate, or otherwise useful.

      Similarly, you and/or your ISP don't have to subscribe to blackhole lists if you/they don't want. You ask what would happen if someone (say, the Chinese government) starts making a blackhole list of sites that deal with something they consider offensive? (say, western media, Falun Gong, etc.) The answer is that you and most ISPs probably won't subscribe to such a list. They can blackhole as many sites as they want... but most of the world won't care, or even notice.

      Open-relay blackhole lists thrive not because "vigilantes" are cramming their brand of justice down our throat, but because enough people agree with their philosophies that they're freely willing to make use of the product they're offering.

    2. Both groups contain ways to get off the list. Was your site mistakenly identified by CyberSitter or some other filter software? Most of them have ways to get in touch with the list maintainers and have your site re-evaluated. Similarly, most blackhole list operators feature prominent instructions on how to get yourself removed from their list.

    You didn't mention the rest of the story in your New Architect followup, but what happened after you updated your mail software? Did you contact the blackhole list operator again? Did they test your server again and find it secure? Did they remove you from their list?

    If not, then you may still have a legitimate complaint. But if they did, then I think the system worked the way it was supposed to.

    You said that your "software and your definition are now upgraded". The opportunity for you to upgrade both your software and your understanding of what an open relay is have been around for a very long time now. I think that by running your own mail server, you raise yourself to a higher level of Internet citizen. No longer just a casual web user, you have to take the responsibility of maintaining your server, keeping up with security patches and issues, and just generally being a good Net citizen. Blackhole lists are something of a last resort for people who won't/can't take care of the problem in any other way. Now that you've solved the problem and your site has emerged from the blackhole, I would take it as a lesson learned and go on from there - not spend 1/3 of a magazine column trying to figure out what the best way to sue a Danish company is.

    P.S. Here's a quick, automated way for anyone to check and see if their mail server is an open relay:

    > telnet relay-test.mail-abuse.net

  10. RBL Vigilante Jackasses... by toupsie · · Score: 3, Interesting
    First, the author of this article is an idiot. He was running an open relay. He admits it and doesn't even know it. Just another reason to be annoyed by lawyers. Second, the folks that run these various RBL lists are arrogant jackasses. Just look at the childish behavior they exhibit. Very unprofessional.

    If they make a mistake, you and your organization are screwed until they decide to admit their mistake and correct it -- if they ever do. They have cute, pat answers to explain away any responsibility for their behavior and generally refuse to communicate with those they block. I have had a nasty experience recently with "relays.osirusoft.com" where a client of ours was using them as a part of their Postfix RBL configuration. Some Nazi^H^H^H^H German nominated our mail server as a spamhaus when we were not. Without being tested, our server was blacklisted -- I checked my logs and saw no check on the date we were listed. We received no notice, no automated robot checked our server, nor would anyone respond to my inquiries, just accusations that I was supporting SPAM--an absolute lie. If you are listed, you have to be an evil SPAM supporter with their mentality.

    It took one month of constantly e-mailing their retest e-mail address, daily checking of my mail logs and seeing that their robot was being rejected from relaying, yet we were not taken off the RBL. Finally, after a month, we were removed. Nothing changed in our configuration, no notice was given as to why we were removed nor why we were added outside of the nomination origin. We were just lucky that "relays.osirusoft.com" decided to do what's right but was too cowardly to admit they were wrong. Hiding behind the anonymity of the Internet with no responsibility to the people they harm. We will never know how many e-mail messages were lost because of "relays.osirusoft.com"'s mistake.

    Pathetic.

    --
    Strange women lying in ponds distributing swords is no basis for a system of government.
  11. Re:How? by dougmc · · Score: 4, Interesting
    There is no reason to allow sites from outside your LAN to relay through your mail server based just on the From line or the MAIL FROM smtp command.
    Incorrect. There is a reason -- convenience. It allows him to go anywhere and send mail without even changing his relay.

    However, the reason to not do this is that it's insecure. A large percentage of the spam I receive claims to be from the domain that it's being sent to, so his system would happily relay it.

    The second reason should trump the first reason, but obviously if you're a clue resistant lawyer with a chip on your shoulder, it doesn't.

    For those who appreciate irony, consider this --

    He's basically written this big diatribe, which to spammers says `hey! you can relay through my mail server!' ... so a spammer finds it, and forges their spam to allow it to go through it, and uses it to spam the world. Then somebody gets flooded with these spams, and sues our friend Bret. They can even use his article as evidence that his mail server was open and he knew it, but that he refuses to secure it.

  12. Re:wow by The_Systech · · Score: 2, Interesting

    That is almost exactly my reaction a couple of weeks ago after reading the print version of this article. In fact I included pretty much this same info in an email to the author, along with some recommendations of how to close his "partially ajar" mail relay. Two weeks out now, and no response to it yet... Or maybe he did respond and my spam checker bounced it for him being on an open relay :grin:

    --
    To err is human, but to really foul things up requires a computer
  13. Re:Is it still an open relay? YES!!! by SysKoll · · Score: 3, Interesting
    Well, here is what I just tried, apparently with success (the HELO, mail from, rcpt to, DATA, message body, lone-dot and quit lines are what I typed; the lines beginning with a three-digit code are the server's replies):

    telnet naam.pair.com 25
    Trying 209.68.1.237...
    Connected to naam.pair.com (209.68.1.237).
    Escape character is '^]'.
    220 naam.pair.com ESMTP
    HELO test.lextext.com
    250 naam.pair.com
    mail from: randomuser@test.lextext.com
    250 ok
    rcpt to: bret@lextext.com
    250 ok
    DATA
    354 go ahead
    Hello Mr. Fausett,
    your mail server is wide open. please fix it.
    .

    250 ok
    quit
    221 naam.pair.com
    Connection closed by foreign host.

    So it seems the article published in New Architect is wrong. It is defamatory and it is claiming that the guy is innocent while he's guilty as sin.

    I guess that's what passes for lawyers nowadays...

    Please DO NOT flood the poor guy with email. He's enough trouble already: He's a lawyer, he's been caught pants down after claiming he wore belts and suspenders, he's a lawyer, he's been blacklisted, and he's a lawyer.

    -- SysKoll
    --
    Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
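
    The relay decision that comment 7 describes and comment 13 probes can be modelled end to end. The following Python is an added example, not code from the article, the Danish list operator or any commenter: a minimal SMTP server state machine with two pluggable relay policies, the article's "MAIL FROM is one of my domains" rule and a proper ACL based on the client's IP address or SMTP AUTH, replayed against the dialogue from comment 13. One caveat on that transcript: its recipient, bret@lextext.com, is presumably in the author's own domain, in which case the 250 proves only that the server accepts local delivery; an open-relay probe has to ask for an outside recipient, which is what the second dialogue below does. The trusted network 192.0.2.0/24, the outside client address 203.0.113.7, the external recipient victim@example.net and the authenticated flag are assumptions; the hostnames and domains come from the transcript.

```python
"""Relay decision at RCPT TO time: the article's "MAIL FROM is one of my domains"
rule against a real relay ACL (trusted client IP ranges or SMTP AUTH).

Constructed example; not code from the article or any commenter. The hostname
and domains come from the transcript in comment 13; the trusted network,
outside client address, external recipient and AUTH flag are assumptions.
"""
import ipaddress
from dataclasses import dataclass

LOCAL_DOMAINS = {"lextext.com", "naam.pair.com"}       # domains we deliver for
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed LAN range allowed to relay


@dataclass
class Session:
    client_ip: str               # the one thing the server really knows about the client
    authenticated: bool = False  # SMTP AUTH succeeded (assumed flag; AUTH itself not modelled)
    mail_from: str = ""


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def in_local_domain(address: str, include_subdomains: bool = False) -> bool:
    d = domain_of(address)
    if d in LOCAL_DOMAINS:
        return True
    return include_subdomains and any(d.endswith("." + ld) for ld in LOCAL_DOMAINS)


def weak_policy(s: Session, rcpt: str) -> bool:
    """The article's rule: relay if the envelope sender claims one of our domains.
    Broken by design: MAIL FROM is an unauthenticated string the client types."""
    return in_local_domain(rcpt) or in_local_domain(s.mail_from, include_subdomains=True)


def proper_policy(s: Session, rcpt: str) -> bool:
    """Deliver locally for anyone; relay only for trusted client IPs or an
    authenticated session. The envelope sender plays no part in the decision."""
    if in_local_domain(rcpt) or s.authenticated:
        return True
    ip = ipaddress.ip_address(s.client_ip)
    return any(ip in net for net in TRUSTED_NETS)


def run_session(policy, session: Session, lines):
    """Minimal SMTP server: one reply per command line, none for message body lines.
    Only the verbs used in the transcript are modelled."""
    replies, accepted, in_data = [], 0, False
    for line in lines:
        if in_data:
            if line == ".":
                in_data = False
                replies.append("250 ok")
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            replies.append("250 naam.pair.com")
        elif verb == "MAIL":
            session.mail_from = arg.split(":", 1)[1].strip(" <>")
            replies.append("250 ok")
        elif verb == "RCPT":
            rcpt = arg.split(":", 1)[1].strip(" <>")
            if policy(session, rcpt):
                accepted += 1
                replies.append("250 ok")
            else:
                replies.append("554 5.7.1 Relay access denied")
        elif verb == "DATA":
            if accepted:
                in_data = True
                replies.append("354 go ahead")
            else:
                replies.append("503 5.5.1 No valid recipients")
        elif verb == "QUIT":
            replies.append("221 naam.pair.com")
        else:
            replies.append("502 5.5.2 Command not implemented")
    return replies


# The session from comment 13. Its recipient is in the server's own domain, so a
# 250 here only shows local delivery; every policy accepts it.
TRANSCRIPT = [
    "HELO test.lextext.com",
    "mail from: randomuser@test.lextext.com",
    "rcpt to: bret@lextext.com",
    "DATA",
    "Hello Mr. Fausett,",
    "your mail server is wide open. please fix it.",
    ".",
    "quit",
]

# Same dialogue with an outside recipient (assumed address): the real relay probe.
RELAY_PROBE = TRANSCRIPT[:2] + ["rcpt to: victim@example.net"] + TRANSCRIPT[3:]


def relays_for_outsider(policy, client_ip="203.0.113.7", authenticated=False) -> bool:
    """True if an outside client can relay to an external address under `policy`."""
    replies = run_session(policy, Session(client_ip, authenticated), RELAY_PROBE)
    return replies[2].startswith("250")  # replies[2] answers the RCPT TO


if __name__ == "__main__":
    for policy in (weak_policy, proper_policy):
        print(f"{policy.__name__}: relays for outsider = {relays_for_outsider(policy)}")
```

    With weak_policy the probe gets "250 ok" on the external RCPT TO because the sender merely claimed a lextext.com address, exactly what wsapplegate and numatrix describe; proper_policy answers "554 5.7.1 Relay access denied" for the same client while still relaying for a 192.0.2.0/24 host or an authenticated session, and still accepting the original transcript's local recipient. The decision never reads MAIL FROM, so forging it buys a spammer nothing.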