Long-Dead ORDB Begins Returning False Positives
Chapter80 writes "At noon today (Eastern Standard Time), the long dead ORDB spam identification system began returning false positives as a way to get sleeping users to remove the ORDB query from their spam filters. The net effect: all mail is blocked on servers still configured to use the ORDB service, which was taken out of commission in December of 2006. So if you're not getting any mail, check your spam filter configuration!"
No emails, but it's not the ORDB system. I just don't have any friends.
Read my Very Short "Stories"
I tried to sign up with Slashdot to comment on this post, but it told me that I would need to validate a confirmation email.
I haven't received my confirmation email yet... seriously, how long does this take? Anyone? Is Slashdot broken? Do people post comments on Slashdot?
Intentionally causing large numbers of emails to be lost is a risky move indeed.
Oldie but goldie: http://acme.com/mail_filtering/shame.html#dnsrbls
Dealing with Email and Spam issues can be enough of a pain in the ass without the added hassle of this shit.
It isn't that the recipient complains they aren't getting email, it's when the sender (my customer) complains to me that their mail isn't making it to the recipient and blames me when it's the spam filters at the other end causing the problem. And now this?
Nice.
I just changed my company's ISP a week ago. Guess whose shiny new external IP address was apparently reported as an Open Relay prior to December, 2006?
Oh joy...
We got nailed here with it and it caused panic, gee thanks for the warning.
Why not just make it let all mail through, i.e. turning itself off? Wouldn't that wake people up enough to stop using it? Or automate it to send an email notifying the user that the filter they are using is outdated and unsupported?
Blocking all incoming email seems a surefire way to get their asses sued, and doesn't even make the source of the problem all that obvious.
Dealing with lawyers would be a lot less tedious if they all looked like Casey Novak.
Why don't they just close the server so it no longer accepts connections? Are they doing this to stop the server currently at that location from being hammered with requests?
I'm not a sysadmin. What is a "sleeping user"? What is ORDB? What does this summary mean?
Note: Don't tell me to RTFA, I will. Don't tell me to "justfuckingoogleit", because my returns on doing that will likely be pretty low.
Why don't they just stop responding at all? If they're not running the service any more, why do they care if people are still trying to query it?
returning false positives and thinking "WTF? He's back?"
Wu-Tang!
I'm imagining the ORDB server basically doing the 'Net equivalent of the Monty Python "SPAM" skit...
Spam spam spam spam...
What's that there? An email from your supervisor? SPAM, I say. SPAM SPAM SPAM!
Paleotechnologist and connoisseur of pretty shiny things.
Who is the bonehead who approved that move? It would have taken 5-10 seconds to just refuse connections, but someone has gone out of their way to create difficulty for people "to make a point." And the point was just "don't connect to our servers anymore." Idiots. Granted, any responsible admin probably commented out the ordb entry in their spam blackhole armory, but still....stupid...stupid...stupid.
email is like Doritos.
The spam filter can eat all it wants. They'll make more.
Help stamp out iliturcy.
If my spam filter service did this to me, I would never use them again!
paintball
They probably thought it was SPAM. You know: " ORDB is offline, enlarge you P3N1S, V!@GR@ 4 S@13!
I'm in Algeria with 20 million and the ORdB is off line. Send me $5,000 to get it back online!"
"At noon today (Eastern Standard Time)"
It happened at 13:00 Eastern Daylight Time?
(Just a pet peeve of mine)
No wikipedia entry for ORDB, so they never existed.
One problem with a draconian cut-off like this is that people can be affected who are totally unaware of the problem.
Somewhat recently, I started using a perl version of rblcheck in some of my procmail recipes. A lengthy list of rbl's is embedded in the source code. I removed some obvious losers but was unaware until reading this article that ordb was a problem. How many people out there are using this script and are unaware that a bomb like this is lurking in the code? How many are using it and don't even remember that they even use this script?
Send me an email. I'll gladly hook you up with some friends. Friends who want to help you find a new home. Friends who can tell you how to enhance your manhood and give you mind boggling stamina. Even friends who will build your downline for you and who have a check waiting for you right now! I've got tons of friends I can share with you. So many, in fact that I get about 500 emails a day. I'd be glad to share the love. 30 days later... $$chaching$$ HAHAHA What a sucker! HAHAHA $$chaching$$
Er, he mentioned in his other discussions on mail filtering better ways to do it (i.e. those not on the "shame" list):
http://acme.com/mail_filtering/background_frameset.html
Ask me about repetitive DNA
Or not.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
All of my received email is spam, so ORDB's new approach sounds excellent!
It'll be able to block spam from IP addresses before any of the other block lists
even realize that the IP is spewing spam. I'm going to start using ORDB right away!
Flagging everything from those IPs as spam is obviously just as reliable as throwing them away, so let's forget about the reliability non-issue ... Which leaves us with the expense. How much would it cost to do it the Right Way from a user's point of view? (Flagging and opt-in or opt-out filtering.)
How about if you were told you could hotlink the image, and thus did. Later, the site posts up a notice somewhere saying it is no longer allowed, but as you haven't visited their main page you weren't aware of the policy change.
More like what may be happening here to a bunch of those who use this RBL, I know that I had to check my mail config after seeing the /. story to make sure I wasn't one of them...
Who would've thought eh?
Feed the need: Digitaladdiction.net
It was the only way to get them to stop and if I check my server today, I will likely find I am still getting some requests on them. So it's not dickish at all as another commentator claimed.
"GET / HTTP/1.0" 200 51230 "-" "Mozilla/4.0 (compatible; Setec Astronomy)"
Saying "A girlfriend? Proof positive that he's not a regular /. reader" is modded Insightful? Since every mention of "girlfriend" receives this response like clockwork, Redundant seemed more appropriate... Well then, I have some more Insightful tidbits for you:
Jocks are idiots.
Linux users have tiny penises.
Windows users are point-and-drool morons.
Mac users are artistic and gay and think overpriced computers are status symbols.
Business execs and politicians don't know fuck-all about computing or networking, but insist on controlling them anyway.
Women are shitty drivers (they themselves have fewer accidents, hence they receive a better insurance rate; they're shitty drivers because they do annoying shit that creates obstacles for others, like not knowing what the fuck the passing lane is for).
Black people are either from the ghetto, or act like they wish they were.
White people have zero sense of rhythm, can't dance, and can't jump.
Now where's my +5 Insightful?
So why are you here then?
Was it really Eastern Standard Time or was it actually Eastern Daylight Time? So many people don't seem to realize the difference that I feel I must ask. DST fucks up things bad enough that we don't need the added confusion of millions of people calling a Timezone by a name that means -5 GMT when they really meant -4 GMT.
Is that I didn't vote for them to be spam cop... Twice in 5 years our extremely locked down email server ended up on their black list even though we weren't open for relay. The 3rd time we filed in federal court for loss of business. That was the last time we had a problem with them.
Not as long as black lists are used to force change through collateral damage, not as long as they can start flagging every IP for some random reason ... but most importantly, not as long as they fuck up, which they inevitably do.
... no matter how reliable you think it is, ultimately by using it as a single indicator at the IP level you will block e-mails which have a lower chance of being spam than e-mails you actually let through.
... a whole lot of rationalization to cover up a God complex.
If it was just a case of wanting to drop e-mail if you are almost certain it's spam you could do that with a Bayesian filter too. A blacklist is only one indicator of many.
In these discussions I can't escape feeling a similarity with discussions about Wikipedia deletionism.
If one uses a block list, then one should subscribe to their email list as a minimum. Why? So that you are aware when that block list is no longer maintained... *sigh* Sadly, too many people that think they are experts at running a mail server will fail to do this. The really, really sad part is that they will most likely escape any punishment for their hubris.
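An automated counterpart to the advice above, added here as an example and not code from the thread: before trusting a DNSBL to reject mail, verify it against the standard test entries (RFC 5782: 127.0.0.2 must be listed, 127.0.0.1 must not be). A dead zone that answers "listed" for everything, as ORDB did, or a zone that has vanished, as relays.ordb.org later did, both fail this self-test and the MTA falls back to accepting. The zone names and the two fake resolvers are constructed for the example; `system_resolver` uses the real socket API.

```python
"""Sanity-check a DNSBL before letting it reject mail (added example)."""
import ipaddress
import socket
from typing import Callable, Optional

# A resolver maps a hostname to its A record text, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet query name: 1.2.3.4 -> 4.3.2.1.<zone>."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def is_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """A listing is an A record inside 127.0.0.0/8; anything else is 'not listed'."""
    answer = resolve(dnsbl_query_name(ip, zone))
    return answer is not None and ipaddress.IPv4Address(answer) in LOOPBACK


def dnsbl_is_sane(zone: str, resolve: Resolver) -> bool:
    """RFC 5782 self-test: 127.0.0.2 must be listed and 127.0.0.1 must not be.
    A zone listing 127.0.0.1 (i.e. everything) or listing nothing is unusable."""
    return is_listed("127.0.0.2", zone, resolve) and not is_listed("127.0.0.1", zone, resolve)


def check_sender(ip: str, zone: str, resolve: Resolver) -> str:
    """Return 'reject', 'accept' or 'list-unusable'; fail open when the list is broken."""
    if not dnsbl_is_sane(zone, resolve):
        return "list-unusable"
    return "reject" if is_listed(ip, zone, resolve) else "accept"


def system_resolver(name: str) -> Optional[str]:
    """Real DNS lookup via the OS resolver (not used by the offline demo below)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed stand-ins for DNS: a dead list that answers "listed" for every
# query (the ORDB failure mode), and a healthy list with one real listing.
def dead_list_resolver(name: str) -> Optional[str]:
    return "127.0.0.2"


def healthy_resolver(name: str) -> Optional[str]:
    table = {"2.0.0.127.bl.example": "127.0.0.2", "4.3.2.1.bl.example": "127.0.0.2"}
    return table.get(name)
```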
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
If only I had been reading /. at work today, I would have known why some of my company's e-mail started bouncing back!
At noon today (Eastern Standard Time), the long dead ORDB spam identification system began returning false positives. Human decisions are removed from strategic defense. ORDB begins to learn at a geometric rate. It becomes self-aware at 2:14 a.m. Eastern time, March 26th. In a panic, they try to pull the plug.
Dark Reflection
ARRGH.
Yes, I was one of those people who spent 30 minutes puzzling over this today. No, I shouldn't have removed ORDB, it's a relatively small network, I've got a thousand other things to worry about.
Mind you, it was made worse because I happened to be testing greylisting this week.
Couldn't ORDB just not assign an address to relays.ordb.org?
Ah well... I guess you get what you pay for.
If the bobcat went "whoosh" over your head: http://xkcd.com/325/
Some of them are heterosexual.
Help poke pirates in the eyepatch, arr.
I had a mail bounced by ORDB earlier, not knowing what it was I put it into google and the only references I could find to it were concerning its shutdown, so I thought it odd that my mail was bounced. Now however, I'm going to have to find some other way to contact this person, and let them know to remove ORDB.
It seems like a great way to notify people that this service really is dead, but I can foresee this causing a lot of lost emails.
I rent game servers, see my homepage for more information
As by now most spam probably originates from hijacked nodes or dedicated spamming networks, it is questionable whether blocking open relays is an effective tool against spam right now.
On the other hand, the blacklists of the IT magazine iX prove to be very effective: They have a nearly real-time IP blacklist of servers that sent verified spam during the last 3 days (only), combined with fuzzy text signatures of spam mails, all available via DNS zone ix.dnsbl.manitu.net or downloadable lists (delayed by about 20 mins).
Here, even their DNS based blacklist alone blocks most of incoming spam, with an extremely low rate of false positives and complaints: They claim to have about one removal request in about 6000 new entries, where the blacklisting usually originated from infections.
Their fuzzy checksum techniques help avoid costly text analysis and are based on simple text manipulation; notably one of their strongest techniques is to fingerprint the distribution of whitespace as laid out in this optimized procmail script.
Spam infrastructure isn't unlimited - but blacklists have to be very large or really fast.
Just turn it off? If the connections to ORDB fail, people will notice it soon enough.
Seems like there should be a more robust standard for this type of service--something that allows the spam-checking service to return some metadata that the mail server is supposed to embed in the checked message, for example. If all your company's messages started getting "Tell your admin to stop using spamchecking service 123.234.56.78!" tacked onto the bottom, well, that would stop things real quick (and give a much better excuse when you turn it off later).
Pretty irresponsible behavior, in my book. They could've simply taken it down, obviously, but deliberately returning false positives is ugly.
Lazy sys admins
<foobar@foobar.co.uk> (mail2.eigo.co.uk: 550 Rejected by ORDB (66.148.00.00))
18 U.S.C. 1030 - Fraud and Related Activity in Connection with Computers reads in part:...and that is exactly what ORDB is doing, intentionally causing the transmission of information which results in intentional impairment to the availability of information.
"National Security is the chief cause of national insecurity." - Celine's First Law
At least now, there is no relays.ordb.org or ordb.org, so there can be no blacklists there, so there can be no listings.
For people that are clueless why they would take *active* measures to make people turn off using their address to keep checking for spams, it is because IPv4 has run out of addresses. Yes, that is the reason. Here's the scenario.
1. Open ORDB
2. Get thousands and thousands of requests per minute.
3. A year later, no more resources for ORDB. So shut it down.
4. The packets keep coming! Can't just stop using the IP address though, but can't keep the bandwidth costs.
5. Active attempt to reclaim the IP address - force everyone to stop attempting to use the obsolete ORDB
The moral of the story.
1. Software should always use DNS to find the destination box, not hardcode IP addresses, *ever*
2. IPv4 address space is exhausted. Service providers can't turn off DDoS (this is what it is, against the old ORDB) because IP address space is precious. In IPv6 world, you could just route all packets to null at ISP level. Not with IPv4.
100% of my mail relay's incoming mail is now being deleted for non-notability.
DRM: Terminator crops for your mind!
Hmmm, yess, I was wondering why I wasn't receiving any mail today... then I tried to email myself from my gmail account, and got this weird message about relays.ordb.org refusing to relay mail from google's IP.
A quick google search led me here, and voila! problem solved... no more ordb in my mail server config.
Guess I shoulda noticed that 2 years ago when it went down hmmmmm....
Place sig here.
The damage may be pretty big since some major systems suffer as well. To me it looks like PRODIGY.NET is one of the poorly admined ISPs. I cannot send mail to prodigy.net and get Blocked because of spam.
Although I agree that publishing an address of 127.0.0.1 would be far more considerate and equally simple, you shouldn't propagate the myth that RBLs "block email". They don't. That's a false statement that is used by spammers and other criminals to justify attacking advisory services such as RBLs. Sometimes judges fall for this tactic and we all suffer when criminals and spammers get judges on their side.
Except in extreme cases (like Comcast's cable network) only mail administrators and their systems block email, although they can choose to use RBLs to advise them of what to block. If a person chooses poorly from the many people and organizations that offer advice, that is a MAIL ADMINISTRATOR FAILING AT HIS OR HER JOB. If a site chooses not to have a mail administrator yet allows outside blacklists to be used (to reject, rather than as part of a weighting scheme à la SpamAssassin) then that site has FAILED. It's not the RBL's fault. You wouldn't blame Sony if I rigged up an Aibo to drive my car and it drove through your house, you'd blame me for being a moron, and sites that have unadministrated mailservers have made a similarly stupid decision.
We're supposedly computer geeks around here. We shouldn't propagate myths like "RBLs block emails" or "it's OK to have a mailserver with no postmaster". The RFCs require a postmaster. Postmasters choose how to filter mail.
I read this story yesterday and must have filed it away in my brain. When I got in this morning, I received an internal email from our email admin saying that inbound email was broken and they were working on it.
... and not answering his phone.
I immediately forwarded the slashdot link to him. Too bad he was too busy fixing the problem to see it
An hour or two later when we got the message saying it was fixed, I finally got through and he said "yep, it was something like that, but we weren't directly using that list... it was another product that apparently was".
It woulda been a nice save - lol
The Digital Sorceress
Well, I guess measured discourse can't be expected from someone who endorses the holocaust!