Long-Dead ORDB Begins Returning False Positives
Chapter80 writes "At noon today (Eastern Standard Time), the long dead ORDB spam identification system began returning false positives as a way to get sleeping users to remove the ORDB query from their spam filters. The net effect: all mail is blocked on servers still configured to use the ORDB service, which was taken out of commission in December of 2006. So if you're not getting any mail, check your spam filter configuration!"
No emails, but it's not the ORDB system. I just don't have any friends.
I tried to sign up with Slashdot to comment on this post, but it told me that I would need to validate a confirmation email.
I haven't received my confirmation email yet... seriously, how long does this take? Anyone? Is Slashdot broken? Do people post comments on Slashdot?
Intentionally causing large numbers of emails to be lost is a risky move indeed.
Oldie but goldie: http://acme.com/mail_filtering/shame.html#dnsrbls
Dealing with Email and Spam issues can be enough of a pain in the ass without the added hassle of this shit.
It isn't that the recipient complains they aren't getting email, it's when the sender (my customer) complains to me that their mail isn't making it to the recipient and blames me when it's the spam filters at the other end causing the problem. And now this?
Nice.
I just changed my company's ISP a week ago. Guess who's shiny new external IP address was apparently reported as an Open Relay prior to December, 2006?
Oh joy...
Why don't they just close the server so it no longer accepts connections? Are they doing this to stop the server currently at that location from being hammered with requests?
The service has been dead for a year and a half; maybe if people had actually paid attention to them telling them they were shut down, they wouldn't have had to do this. Blah, some people.
returning false positives and thinking "WTF? He's back?"
I'm imagining the ORDB server basically doing the 'Net equivalent of the Monty Python "SPAM" skit...
Spam spam spam spam...
What's that there? An email from your supervisor? SPAM, I say. SPAM SPAM SPAM!
Paleotechnologist and connoisseur of pretty shiny things.
Maybe, but if all email is getting through, then the sysadmin may just add another layer of spam protection. This forces them to fix the fault (the fault being the reliance on an outdated system).
Who is the bonehead who approved that move? It would have taken 5-10 seconds to just refuse connections, but someone has gone out of their way to create difficulty for people "to make a point." And the point was just "don't connect to our servers anymore." Idiots. Granted, any responsible admin probably commented out the ordb entry in their spam blackhole armory, but still....stupid...stupid...stupid.
email is like Doritos.
The spam filter can eat all it wants. They'll make more.
Help stamp out iliturcy.
It was already letting all mail through after they took ORDB out of service; that obviously didn't make a difference at any domain that was using it on auto-pilot.
What really gets me about this case is that this is at least the third time a defunct BL has done this (Osirusoft and monkeys.com being the other two examples I know of), and in this case, returning false positives was particularly unnecessary. Since ORDB is defunct, the domain could have been just allowed to expire. Or, make sure that no IP space is associated with the domain at all. For the upstream ISP(s) who owned the IPs formerly used by ORDB, they might have to let them lie fallow forever, though, since queries would never stop in the absence of this sort of event.
OTOH, I have to assign more than the usual amount of blame to those who kept using ORDB so long after it went defunct, just because it is at least the third time this has happened. Anyone responsible for a mail server should stop to think, "Gee, continuing to query a defunct BL service over a year after it was shut down could someday be hazardous to my mail stream. I'd better update my config." I'm not absolving anyone from ORDB for not just getting rid of all ORDB IPs and having no routes to any of the ones they used to use, but willfully ignorant admins also played a starring role in this tragedy. Or comedy of errors, depending on your point of view.
You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
If my spam filter service did this to me, I would never use them again!
Even unanswered DNS queries cost bandwidth. Perhaps they just don't want the traffic anymore.
I agree! WTF??? Are we now creating discussions about posts on other discussion groups about of all things frigin old email filters. If there is anything of value to share in the original thread then kindly show how this is news worthy.
"At noon today (Eastern Standard Time)"
It happened at 13:00 Eastern Daylight Time?
(Just a pet peeve of mine)
Or what? Be subject to snide remarks and sidelong glances?
No wikipedia entry for ORDB, so they never existed.
One problem with a draconian cut-off like this is that people can be affected who are totally unaware of the problem.
Somewhat recently, I started using a perl version of rblcheck in some of my procmail recipes. A lengthy list of rbl's is embedded in the source code. I removed some obvious losers but was unaware until reading this article that ordb was a problem. How many people out there are using this script and are unaware that a bomb like this is lurking in the code? How many are using it and don't even remember that they even use this script?
Send me an email. I'll gladly hook you up with some friends. Friends who want to help you find a new home. Friends who can tell you how to enhance your manhood and give you mind boggling stamina. Even friends who will build your downline for you and who have a check waiting for you right now! I've got tons of friends I can share with you. So many, in fact that I get about 500 emails a day. I'd be glad to share the love. 30 days later... $$chaching$$ HAHAHA What a sucker! HAHAHA $$chaching$$
Er, he mentioned in his other discussions on mail filtering better ways to do it (i.e. those not on the "shame" list):
http://acme.com/mail_filtering/background_frameset.html
Or not.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Flagging everything from those IPs as spam is obviously just as reliable as throwing them away, so let's forget about the reliability non-issue ... Which leaves us with the expense. How much would it cost to do it the Right Way from a user's point of view? (Flagging and opt-in or opt-out filtering.)
How about if you were told you could hotlink the image, and thus did. Later, the site posts up a notice somewhere saying it is no longer allowed, but as you haven't visited their main page you weren't aware of the policy change.
More like what may be happening here to a bunch of those who use this RBL. I know that I had to check my mail config after seeing the /. story to make sure I wasn't one of them...
Who would've thought eh?
It was the only way to get them to stop and if I check my server today, I will likely find I am still getting some requests on them. So it's not dickish at all as another commentator claimed.
Saying "A girlfriend? Proof positive that he's not a regular /. reader" is modded Insightful? Since every mention of "girlfriend" receives this response like clockwork, Redundant seemed more appropriate... Well then, I have some more Insightful tidbits for you:
Jocks are idiots.
Linux users have tiny penises.
Windows users are point-and-drool morons.
Mac users are artistic and gay and think overpriced computers are status symbols.
Business execs and politicians don't know fuck-all about computing or networking, but insist on controlling them anyway.
Women are shitty drivers (they themselves have fewer accidents, hence they receive a better insurance rate; they're shitty drivers because they do annoying shit that creates obstacles for others, like not knowing what the fuck the passing lane is for).
Black people are either from the ghetto, or act like they wish they were.
White people have zero sense of rhythm, can't dance, and can't jump.
Now where's my +5 Insightful?
Not as long as black lists are used to force change through collateral damage, not as long as they can start flagging every IP for some random reason ... but most importantly, not as long as they fuck up, which they inevitably do.
... no matter how reliable you think it is, ultimately by using it as a single indicator at the IP level you will block e-mails which have a lower chance of being spam than e-mails you actually let through.
... a whole lot of rationalization to cover up a God complex.
If it was just a case of wanting to drop e-mail if you are almost certain it's spam you could do that with a Bayesian filter too. A blacklist is only one indicator of many
In these discussions I can't escape feeling a similarity with discussions about Wikipedia delitionism
If one uses a block list, then one should subscribe to their email list as a minimum. Why? So that you are aware when that block list is no longer maintained... *sigh* Sadly, too many people that think they are experts at running a mail server will fail to do this. The really, really sad part is that they will most likely escape any punishment for their hubris.
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
If only I had been reading /. at work today, I would have known why some of my company's e-mail started bouncing back!
At noon today (Eastern Standard Time), the long dead ORDB spam identification system began returning false positives. Human decisions are removed from strategic defense. ORDB begins to learn at a geometric rate. It becomes self-aware at 2:14 a.m. Eastern time, March 26th. In a panic, they try to pull the plug.
ARRGH.
Yes, I was one of those people who spent 30 minutes puzzling over this today. No, I shouldn't have removed ORDB, it's a relatively small network, I've got a thousand other things to worry about.
Mind you, it was made worse because I happened to be testing greylisting this week.
Couldn't ORDB just not assign an address to relays.ordb.org?
Ah well... I guess you get what you pay for.
Some of them are heterosexual.
I had a mail bounced by ORDB earlier. Not knowing what it was, I put it into Google, and the only references I could find to it were concerning its shutdown, so I thought it odd that my mail was bounced. Now, however, I'm going to have to find some other way to contact this person and let them know to remove ORDB.
It seems like a great way to notify people that this service really is dead, but I can foresee this causing a lot of lost emails.
As by now most spam probably originates from hijacked nodes or dedicated spamming networks, it is questionable whether blocking open relays is an effective tool against spam right now.
On the other hand, the blacklists of the IT magazine iX prove to be very effective: they have a nearly real-time IP blacklist of servers that sent verified spam during the last 3 days (only), combined with fuzzy text signatures of spam mails, all available via the DNS zone ix.dnsbl.manitu.net or as downloadable lists (delayed by about 20 minutes).
Here, even their DNS-based blacklist alone blocks most incoming spam, with an extremely low rate of false positives and complaints: they claim to have about one removal request per 6000 new entries, where the blacklisting usually originated from infections.
Their fuzzy checksum techniques help avoid costly text analysis and are based on simple text manipulation; notably, one of their strongest techniques is to fingerprint the distribution of whitespace, as laid out in this optimized procmail script.
Spam infrastructure isn't unlimited - but blacklists have to be very large or really fast.
OK, I'll bite.
1) Do you have any information that they're planning on selling it?
2) If they are, why hasn't it been sold already?
3) Considering its past use, I don't know that many people would make an informed decision to buy it, unless they were either a spammer or planned to re-open ORDB. If someone were planning to re-open ORDB, I'd want to ask them why. ORDB was a great tool when I was a postmaster at an ISP in the late nineties and early 2000s, but open relays really aren't a problem anymore. I've been working in the email security industry since 2003, and we don't even pay any attention to open relays anymore, really.
just turn it off? If the connections to ORDB fail, people will notice it soon enough.
Seems like there should be a more robust standard for this type of service--something that allows the spam-checking service to return some metadata that the mail server is supposed to embed in the checked message, for example. If all your company's messages started getting "Tell your admin to stop using spamchecking service 123.234.56.78!" tacked onto the bottom, well, that would stop things real quick (and give a much better excuse when you turn it off later).
Pretty irresponsible behavior, in my book. They could've simply taken it down, obviously, but deliberately returning false positives is ugly.
Lazy sys admins
<foobar@foobar.co.uk> (mail2.eigo.co.uk: 550 Rejected by ORDB (66.148.00.00))
18 U.S.C. 1030 - Fraud and Related Activity in Connection with Computers reads in part:...and that is exactly what ORDB is doing, intentionally causing the transmission of information which results in intentional impairment to the availability of information.
"National Security is the chief cause of national insecurity." - Celine's First Law
They could abandon the ordb domain entirely. Then some squatter will snap it up and the DNS traffic is their problem.
A spammer's dream! Block other people's spam but not their own! I doubt very much that a spammer would worry about the ethics of that.
Then, of course, there are the servers configured to use their DNS by IP.
At least now, there is no relays.ordb.org or ordb.org, so there can be no blacklists there, so there can be no listings.
For people that are clueless why they would take *active* measures to make people stop using their address to keep checking for spam, it is because IPv4 has run out of addresses. Yes, that is the reason. Here's the scenario.
1. Open ORDB
2. Get thousands and thousands of requests per minute.
3. A year later, no more resources for ORDB. So shut it down.
4. The packets keep coming! Can't just stop using the IP address though, but can't keep the bandwidth costs.
5. Active attempt to reclaim the IP address - force everyone to stop attempting to use the obsolete ORDB
The moral of the story.
1. Software should always use DNS to find the destination box, not hardcode IP addresses, *ever*
2. IPv4 address space is exhausted. Service providers can't turn off DDoS (this is what it is, against the old ORDB) because IP address space is precious. In IPv6 world, you could just route all packets to null at ISP level. Not with IPv4.
100% of my mail relay's incoming mail is now being deleted for non-notability.
Hmmm, yes, I was wondering why I wasn't receiving any mail today... then I tried to email myself from my gmail account, and got this weird message about relays.ordb.org refusing to relay mail from Google's IP.
A quick google search led me here, and voila! problem solved... no more ordb in my mail server config.
Guess I shoulda noticed that 2 years ago when it went down hmmmmm....
The damage may be pretty big since some major systems also suffer. To me it looks like PRODIGY.NET is one of the poorly administered ISPs. I cannot send mail to prodigy.net and get blocked because of spam.
Although I agree that publishing an address of 127.0.0.1 would be far more considerate and equally simple, you shouldn't propagate the myth that RBLs "block email". They don't. That's a false statement that is used by spammers and other criminals to justify attacking advisory services such as RBLs. Sometimes judges fall for this tactic and we all suffer when criminals and spammers get judges on their side.
Except in extreme cases (like Comcast's cable network) only mail administrators and their systems block email, although they can choose to use RBLs to advise them of what to block. If a person chooses poorly from the many people and organizations that offer advice, that is a MAIL ADMINISTRATOR FAILING AT HIS OR HER JOB. If a site chooses not to have a mail administrator yet allows outside blacklists to be used (to reject, rather than as part of a weighting scheme à la SpamAssassin) then that site has FAILED. It's not the RBL's fault. You wouldn't blame Sony if I rigged up an Aibo to drive my car and it drove through your house; you'd blame me for being a moron, and sites that have unadministered mailservers have made a similarly stupid decision.
We're supposedly computer geeks around here. We shouldn't propagate myths like "RBLs block emails" or "it's OK to have a mailserver with no postmaster". The RFCs require a postmaster. Postmasters choose how to filter mail.
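The two threads running through this discussion, the rblcheck-style scripts with lists embedded in their source and the point above that a DNSBL only advises (and that a dead list could have answered with 127.0.0.1, i.e. "not listed", rather than with a wildcard listing), both come down to how a DNSBL lookup works: reverse the octets of the client IP, append the zone, and do an A-record query; an answer in 127.0.0.0/8 means "listed", NXDOMAIN means "clean". The following is an added example, not code from Slashdot, ORDB, or the rblcheck script mentioned above. It builds the query name, interprets the answer, and runs the RFC 5782 sanity check (127.0.0.2 must be listed, 127.0.0.1 must not) before trusting a zone, so a defunct list that has started answering "listed" for everything is ignored instead of blocking all mail. The zone name `dnsbl.example`, the addresses in 192.0.2.0/24 and 198.51.100.0/24, and the fake resolver are constructed for the example; the real resolver is `socket.gethostbyname`.

```python
"""DNSBL lookup with an RFC 5782 liveness check (added example, not from the original thread)."""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# A resolver maps a DNS name to the A-record text, or None for NXDOMAIN/failure.
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: reversed octets, then the zone, e.g. 77.2.0.192.relays.ordb.org."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on garbage input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone.rstrip('.')}."


def socket_resolver(name: str) -> Optional[str]:
    """Real resolver: A-record lookup; NXDOMAIN or any lookup error counts as 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip: str, zone: str, resolve: Resolver = socket_resolver) -> bool:
    """A listing is an answer inside 127.0.0.0/8; anything else (including None) is treated as clean."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_is_sane(zone: str, resolve: Resolver = socket_resolver) -> bool:
    """RFC 5782 section 5: 127.0.0.2 must be listed and 127.0.0.1 must not be.

    A zone that has gone dark (no listings at all) fails the first half; a defunct zone that has
    been wildcarded to 'listed' for every query, which is what hit ORDB users, fails the second.
    """
    return is_listed("127.0.0.2", zone, resolve) and not is_listed("127.0.0.1", zone, resolve)


def check_sender(ip: str, zones: List[str], resolve: Resolver = socket_resolver) -> Dict[str, str]:
    """Per-zone verdict: 'listed', 'clean', or 'ignored' when the zone fails the sanity check."""
    verdicts: Dict[str, str] = {}
    for zone in zones:
        if not dnsbl_is_sane(zone, resolve):
            verdicts[zone] = "ignored"      # never reject mail on the word of a broken list
        elif is_listed(ip, zone, resolve):
            verdicts[zone] = "listed"
        else:
            verdicts[zone] = "clean"
    return verdicts


# --- constructed sample data so the example runs offline (not real DNS answers) ---
HEALTHY_ZONE = "dnsbl.example"      # hypothetical, well-behaved list
DEAD_ZONE = "relays.ordb.org"       # the defunct zone from the story, simulated here
_HEALTHY_TABLE = {
    dnsbl_query_name("127.0.0.2", HEALTHY_ZONE): "127.0.0.2",   # RFC 5782 test entry
    dnsbl_query_name("192.0.2.77", HEALTHY_ZONE): "127.0.0.2",  # a constructed 'spammer'
}


def constructed_resolver(name: str) -> Optional[str]:
    """Fake resolver: the healthy zone answers from a table; the dead zone says 'listed' to everything."""
    if name.endswith("." + DEAD_ZONE + "."):
        return "127.0.0.2"            # wildcard answer: every query, 127.0.0.1 included, is 'listed'
    return _HEALTHY_TABLE.get(name)   # NXDOMAIN for anything not in the table


if __name__ == "__main__":
    for sender in ("192.0.2.77", "198.51.100.9"):
        print(sender, check_sender(sender, [HEALTHY_ZONE, DEAD_ZONE], constructed_resolver))
```

Running the sanity check once per zone at startup (or on a timer) rather than per message keeps the cost to two extra lookups; the essential point is that the decision to reject stays with the mail server, and a zone that cannot pass the two-address test is advice the server should refuse to take.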
I read this story yesterday and must have filed it away in my brain. When I got in this morning, I received an internal email from our email admin saying that inbound email was broken and they were working on it.
... and not answering his phone.
I immediately forwarded the slashdot link to him. Too bad he was too busy fixing the problem to see it
An hour or two later when we got the message saying it was fixed, I finally got through and he said "yep, it was something like that, but we weren't directly using that list... it was another product that apparently was".
It woulda been a nice save - lol
Well, I guess measured discourse can't be expected from someone who endorses the holocaust!
Hopefully you've learned your lesson about using a third-party service for mission-critical applications without paying attention.