ORDB.org Going Offline

Allan Joergensen writes "ORDB.org has announced that they will shut down their services after fighting open relays and spam for more than five and a half years. The RBL DNS service and mailing lists will be taken down today (December 18, 2006) and the website will vanish by December 31, 2006." The reasons given tend to be the usual ones - volunteers have been focused on other things in life; my salute to those folks for keeping the service up as long as they did.

The reasons

[jginspace]

The reasons are, expanding from TFA: "open relay RBLs are no longer the most effective way of preventing spam from entering your network as spammers have changed tactics in recent years, as have the anti-spam community."

I concur.

Re:The reasons

[BenFranske]

Which is nearly what they said in the article:

We encourage system owners to remove ORDB checks from their mailers immediately and start investigating alternative methods of spam filtering. We recommend a combination involving greylisting and content-based analysis (such as the dspam project, bmf or Spam Assassin).

Re:Omnipotent awareness... or not

[BenFranske]

Maybe this will clarify what they do.

Efficiency

[cockroach2]

I'm not sure I agree about the lack of efficiency: On a "normal" day my server which hosts about 60 mailboxes blocks between 5000 and 6000 e-mail messages (4992 yesterday, 4936 Sunday, 5615 Saturday, 5763 Friday etc.) using ordb, spamhaus and dsbl. While it's true that I still have to use spamassassin for additional content filtering, that's more than 5000 messages a day which don't even enter the system - I consider that quite a lot.

Spam control methodology

[wiredog]

A "public" e-mail account, given to businesses, people who like to cross-post via CC (instead of BCC), places like /., etc. I use Gmail, which does a good bit of spam filtering.

A "private" e-mail account, given only to family and close friends, whit a set of filtering rules to build the whitelist, and everything else run through bayesian filtering.

Between the two, I have to deal with very little spam.

OT:This is my 2,000th Slashdot comment...

RBLs not so trivial

[jblakezachary]

The ORDB notice makes it sound like we should all abandon RBL lookups all together. I operate a small GroupWise domain ~about 300 users~ and checked my GWAVA stats when I read the article. 78,000 of the last 155,000 inbound messages were blocked as RBL hits. This first step in ridding most of our spam takes a load off of the more server intensive methods of filtering mail and still seems very relevant. I will be sad to see ORDB go.

For those of you relying on RBL lookups, the following are still available and seem to be very reliable, producing few to zero false positives:
zen.spamhaus.org
bl.spamcop.net
list.dsbl.org

Re:Are RBL's really finished

[Sentry21]

On my server, I use greylisting and RBLs, as well as other checks. In the span of one week, we received 128,000 e-mail attempts, 5000 of which were successful. The checks below block huge amounts of spam, to the point where I've actually removed spamassassin because the only messages it gets a chance to check are all legitimate.

For anyone who's wondering, here's what we've got going on, plus amavisd/clamav doing virus scanning. This blocks all spam I get (used to be 30-200 messages per day that Spamassassin would catch).

smtpd_recipient_restrictions =
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_invalid_hostname,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client dynablock.njabl.org

Re:SORBS

[GigsVT]

Don't forgot the "we blocked you because you used the wrong ISP" people, SPEWS.

Re:Good case why not to trust "community" services

[Salsaman]

You have a point, but Free Software is hardly "dying" ! That's a ridiculous claim to make. *More* Free Software is being produced and used today than ever before. Just take a look at Freshmeat or Sourceforge.

Of course, if commercial organisations did wake up and realise they have a responsibilty to help support developers whose software they use, then probably developers would have a more comfortable lifestyle, and project development would become more professional and better organised.

Also, software is different from a web service. If a developer abandons a Free Software project, the code is still out their for somebody else to build on, or perhaps the original developer will return to it after taking a break.

Re:Are RBL's really finished

[btpier]

I use strict HELO requirements, greylisting, RBLs, and finally SpamAssassin on my home server. Very few spams make even make it to the SpamAssassin checks. Adding the HELO requirements and greylisting reduced the number spam emails SpamAssassin had to check from >100 emails per day down to an average of about 5 per week.

I haven't had any issues with greylisting. I know of no emails that I haven't eventually received and even web-page sign-ups/registrations have gotten through without a hitch.

There are also filters for postfix that can reject connections based on the age of the domain. If the domain is less than 4 days old, it's likely to be a spammer. I haven't implemented it yet but if the tide of spam swells again, that will be my next line of defense.

Re:Efficiency?

[cockroach2]

You're right, about 95% (or more) of the blocking is done by spamhaus (it is the first filter which is used, thus it's clear that they catch more than the others). Still, the ORDB guys basically say that open relay RBLs in general don't make much sense anymore which, as I consider spamhaus to be an open relay RBL too, I can't agree to.

For completeness' sake, here's the breakdown for yesterday:
  - spamhaus: 4769 (96%)
  - dsbl.org: 220 (4%)
  - ordb.org: 3 (0%)

Re:Are RBL's really finished

[LodCrappo]

well we are way off topic here, but this can happen for several reasons. first off, anything in the headers can (and often is) completely fake. Second, there is a big difference between the "To:" field in a message's headers and the SMTP envelope RCPT TO: address. If you're geniunely interested, I'd suggest looking at RFC 2821 and 2822 which are free online, or maybe skimming a book on SMTP.

HTH

Re:I wonder...

[nuzak]

http://www.craphound.com/spamsolutions.txt

He didn't invent the list. That's the kind of laziness we're looking for.

He even used it for the checklist's intended reason -- as satire. EVERYTHING fails somewhere on that list.

Re:Already offline?

[Incadenza]

Here's my set-up (old-style Postfix config). No false positives in five years, so these are pretty reliable (and from the comment the I must have written myself, ordb has been of my list for quite a while):

maps_rbl_domains =
list.dsbl.org,
sbl-xbl.spamhaus.org,
hil.habeas.com,
dul.dnsbl.sorbs.net,
dynablock.njabl.org

# Not enough hits to justify keeping them in the list

# relays.ordb.org
# opm.blitzed.org

Also, for RBL's that might not be 100% reliable, there is a simple to way to add them to your spamassassin setup (/etc/mail/spamassassin/local.cf), as I have done for PSBL:

# http://psbl.surriel.com/howto/

header RCVD_IN_PSBL eval:check_rbl('psbl', 'psbl.surriel.com.')
describe RCVD_IN_PSBL Received via a relay in PSBL
tflags RCVD_IN_PSBL net
score RCVD_IN_PSBL 0 1.00 0 1.00

Re:Good case why not to trust "community" services

[mephistus]

As far as community services go, I always put ORDB in the category of "means well, but a half assed effort." I inherited a job taking care of the mail servers at a company I used to work at, and I came to find out that we had an open relay and had been blacklisted. If memory serves me right, I want to say this was almost 5 years ago.

How did I come to find out that we had an open relay? Did ORDB notify us? Hell no. They just slapped us on their list, and our users started getting bounce messages from other mail servers. I fixed the problem quite easily once I knew about it, but the biggest problem was getting off the list!!! That was a whole other nightmare take took longer than hearing about the problem and fixing it.

So I say good riddance. Those guys are pretty bright and meant well, but my experience with them left me with a very bad impression. Hopefully they were more professional in recent years, but from the way they're ending their service, it sure as hell doesn't seem like it.

SORBS

[Hymer]

1. SORBS sucks... and they work because they suck. They assume any mail source is a spam source unless it got a rDNS record (wich may be quite hard to get on ADSL lines).
2. SpamHaus do a decent job and they don't make funny/crazy assumptions, and they do try to keep the list up to date.
3. Even content check does not block spam... spammers are sending pictures with their message... and they make those hard to run thru OCR (just like the Human-Check here on /.).
4. A world wide law against spam would help but is not likely to happen.
...whoever find a working non-STASI-like (ie. SORBS) and open solution will get my vote for the Nobel Prize...
...and yes I do know about several methods for fighting spam but they are far from perfect... they are usually based on certificates and they do work pretty well... we do however need a solution in the SMTP and not an propriatary addon on top of it...

Re:Good case why not to trust "community" services

[scoof]

ORDB always attempted to notify the administrators of listed servers, several variations on the postmaster@server would have been sent and ignored by the people maintaining the server before you.

Re:SORBS

[osu-neko]

SORBS has one useful list: the dial-up DNS blacklist (spare me the diatribes about being able to send mail from a dynamic address. I know the arguments, but the benefit doesn't outweigh the cost of the spam coming from that address space).

True. Now, if only someone actually had an accurate list of dynamic IP addresses, this would be a good strategy, but since neither SORBS nor anyone else actually has one, it gets rather annoying for those of us who get our email bounced or eaten because some idiot has their mailserver configured to bounce mail from our perfectly static IP addresses that happens to be on one of these highly inaccurate lists.

Re:SORBS

[Fred_A]

I'm not willing to pay Trend Micro for access to what used to be MAPS for my one, small domain, and I haven't found anyone other than SORBS offering a collection of dial-up addresses as a DNS blacklist. If there are other, reliable, dial-up blacklists, I'd love to hear about them.

Sorry, but as dynamic addresses go, MAPS certainly isn't reliable. It lists a number of statically allocated blocks (some addresses of which may indeed be abused) ans dynamic when they aren't.
For example my block is in the MAPS database despite having a proper reverse DNS, a properly setup DNS, a behaving MTA, etc. It is connected by ADSL but will be switched to fibre one of these days.

Dropping mail solely based on blacklists is stupid. Using it to score mails (in he spirit of what spamassassin does), in combination with other things, might be useful.