Slashdot Mirror


Long-Dead ORDB Begins Returning False Positives

Chapter80 writes "At noon today (Eastern Standard Time), the long dead ORDB spam identification system began returning false positives as a way to get sleeping users to remove the ORDB query from their spam filters. The net effect: all mail is blocked on servers still configured to use the ORDB service, which was taken out of commission in December of 2006. So if you're not getting any mail, check your spam filter configuration!"

71 of 265 comments

  1. Nope. by TheLazySci-FiAuthor · · Score: 5, Funny

    No emails, but it's not the ORDB system. I just don't have any friends.

    1. Re:Nope. by neonmonk · · Score: 2, Funny

      Well that makes sense! I was starting to get anxious that I wouldn't be able to order some p3 nis pi11z.

      Phew!

    2. Re:Nope. by morgan_greywolf · · Score: 4, Funny

      Now you do. Don't you feel better now?

    3. Re:Nope. by blhack · · Score: 5, Funny

      No emails, but it's not the ORDB system. I just don't have any friends.
      I have tons and tons of emails.
      None of them are from people who are friends :(.

      Received email, instead of loving signs of friendship, message contained bobcat.
      Would not communicate with again.
      --
      NewslilySocial News. No lolcats allowed.
    4. Re:Nope. by flyingfsck · · Score: 3, Funny

      Well, if you are feeling very lonely, then you could always sign up for some spam.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    5. Re:Nope. by 172pilot · · Score: 2, Funny

      Hey - Who let YOU in here! ;-)

      --
      -Steve Tired of voting for the "lesser of two evils?" Come talk about it on www.bothsidesarewrong.com
    6. Re:Nope. by orkysoft · · Score: 4, Funny

      What, did you sell his address to the spammers, or add him as friend? It's a rather big ambiguity, you know...

      --

      I suffer from attention surplus disorder.
    7. Re:Nope. by EdIII · · Score: 5, Funny

      I have thousands and thousands of friends. All of them convinced my penis is small and they have the answer.

    8. Re:Nope. by Hal_Porter · · Score: 3, Informative

      http://www.spamyourenemies.com/

      Such a succinct website name.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  2. No luck by smackenzie · · Score: 4, Funny

    I tried to sign up with Slashdot to comment on this post, but it told me that I would need to validate a confirmation email.

    I haven't received my confirmation email yet... seriously, how long does this take? Anyone? Is Slashdot broken? Do people post comments on Slashdot?

    1. Re:No luck by xiaomai · · Score: 3, Informative

      How did you post that one logged in, eh ?

      Remember: real trolls use their primary account.

      I'm pretty sure he was making a joke. He couldn't get the confirmation E-Mail because he hadn't removed the ORDB spam-filter from his mail system.

    2. Re:No luck by dapyx · · Score: 2, Funny

      How did you post that one logged in, eh ?
      He's using his girlfriend's account!
      --
      I'm sorry, the number you have dialed is an imaginary number. Please rotate your phone 90 degrees and dial again.
    3. Re:No luck by gfilion · · Score: 2, Funny

      A girlfriend? Proof positive that he's not a regular /. reader. Well, he could be this guy.

      Man, he's been dumped by his own robot girlfriend!
  3. Whoa! ORDB better have a good disclaimer by mrcaseyj · · Score: 3, Insightful

    Intentionally causing large numbers of emails to be lost is a risky move indeed.

    1. Re:Whoa! ORDB better have a good disclaimer by ZenDragon · · Score: 5, Informative

      They aren't being lost, simply being flagged as spam by the database. People will have to go into their respective administration interface and "release" the mail and/or mark it as safe. Kind of a pain in the ass, but if you're depending on a spam database that is over a year old, it's not likely doing much for you anyway.

    2. Re:Whoa! ORDB better have a good disclaimer by neonmonk · · Score: 4, Funny

      Don't worry, they're completely covered, they did - of course - send an email.

      Wait...

    3. Re:Whoa! ORDB better have a good disclaimer by Sentry21 · · Score: 2, Insightful

      I think the worst part of it is that the systems that are rejecting mail (because they're still configured to use ORDB) are the ones that are the least-maintained, and quite possibly completely forgotten about - and therefore are least likely to be noticed quickly or fixed intentionally.

      That said, if you're that crappy of a sysadmin, you deserve a wake-up call. It's just too bad that other people have to suffer for you to learn to do your job properly.

    4. Re:Whoa! ORDB better have a good disclaimer by mrcaseyj · · Score: 4, Insightful

      It's one thing for a spam filter to make a mistake or even be careless and put a message into the spam folder, but quite another for a filter to intentionally cause known good messages to be absent from a user's inbox. Why don't they just start reporting all messages as good, or just not give any rating to any message? This might be especially bad in situations where ORDB is only given partial weighting in the spam categorization process so that many messages still get through, thus making it less likely that the errors will be noticed quickly because there will not be a total block on email. To do what they're doing might be considered reckless. I don't know much about the law in a situation like this but I'd be worried about liability even with a good disclaimer in the user agreement.

    5. Re:Whoa! ORDB better have a good disclaimer by iangoldby · · Score: 4, Insightful

      When I had a run-in with my old ISP a few years ago, the issue was that a) they did not advertise anywhere that they weren't accepting mail from blacklisted peers, and b) mail from blacklisted peers was simply discarded. There was no 'administration interface' to '"release" the mail and/or mark it as safe.' There was in fact no way for the recipient (i.e. me) to ever know that a mail addressed to them that had not been delivered had even been sent.

      That said, the approach of ORDB does seem to be the right way to stop administrators from using it. If you don't force the issue by stopping all mail, then random non-spam emails will continue to be blocked indefinitely. Short-term pain for long-term gain...

    6. Re:Whoa! ORDB better have a good disclaimer by arkhan_jg · · Score: 5, Interesting

      ORDB was a realtime blacklist, i.e. it identified the IP addresses of open relays. Most people use RBLs like zen and njabl to block connections from 'bad' SMTP servers at HELO; they're much more effective at that stage than later as part of Bayesian spam filters - context filtering is expensive and unreliable with the volume of spam these days. Blocking open relays and dynamic ranges* at HELO is often the only practical way to get a handle on 99% spam loads.

      Configured that way, there's no email to release, as the server was not allowed to connect in the first place - in effect, ORDB would have caused an admin unaware that they had shut down to have his server block all inbound email at the connection level. Given the amount of sample configs about that still include them, that's not impossible to imagine.

      Effective way of getting people to stop querying their servers, but kinda dickish.

      *Yes, I know dynamic ranges sometimes host legit personal mail servers. Unfortunately, for every legit user there are hundreds of spam zombies on those dynamic IPs, often dumping dozens of spam at a time, often hitting over and over again until they get past the greylist timeout. I'm watching my log now, and I just blocked 50 odd connection attempts from one IP pretending to be 50 different email domains. In the time it's taken me to write this footnote, the dynamic range IP blacklists have blocked a few hundred emails.

      --
      Remember kids, it's all fun and games until someone commits wholesale galactic genocide.
    7. Re:Whoa! ORDB better have a good disclaimer by timmarhy · · Score: 4, Insightful

      The only person to blame is the careless mail admin who leaves ORDB in. ORDB is a free service, they have every right to take it down, hell I'm pretty amazed they left it up for a year and gave all the warnings they did.

      --
      If you mod me down, I will become more powerful than you can imagine....
    8. Re:Whoa! ORDB better have a good disclaimer by interiot · · Score: 4, Informative

      Why don't they just start reporting all messages as good, or just not give any rating to any message?

      That's precisely what they did for the last 15 months (a pretty reasonable amount of time):

      DNS and the mailing lists will vanish today, December 18, 2006.

      I don't know... do they still own a machine that responds to DNS requests, and are therefore paying for bandwidth? Probably not.

      Do they want to sell the domain to someone, who wouldn't want to get hit with a bandwidth bill as soon as they throw some servers up? More likely.

    9. Re:Whoa! ORDB better have a good disclaimer by Naurgrim · · Score: 5, Interesting

      Concur, wholeheartedly.

      I put a good deal of effort into getting spamassassin configured to classify spam into imap folders for my users, and giving them tools for whitelisting, etc. on an individual basis. One man's spam is another man's ham, after all.

      I could not in good faith arbitrarily delete mail based on automatic filtering. I would rather run completely unfiltered than make that decision for somebody, and for a long time I resisted the idea of filtering server-side. Bottom line was that my customers demanded it, so I had to come up with a system that met their requirements and mine.

      --
      .......You Are,
      ...What You Do,
      When It Counts.
    10. Re:Whoa! ORDB better have a good disclaimer by MrNaz · · Score: 5, Insightful

      As much as we can rail against stupid mail admins, I think it would not be remiss of us to remember that the ultimate sufferers are end users who probably have no idea what their mail server administrator is doing. In other words, this hurts the people who *rely* on mail administrators, not the mail administrators. For that reason, I think ORDB is doing the wrong thing. This is yet another reason why privately owned spam registrars like ORDB are a bad idea; they just do not understand either the gravity of what they are doing, nor do they have the responsibility to take it seriously. If you are doing something on such a large scale, it is inevitable that there will always be stragglers. Don't get all indignant about how "dumb mail admins" should know better unless you know that all your utility providers abide by the latest best industry practices in their respective fields.

      On a side note, given that this move by ORDB specifically targets people other than those whose behaviour they want to change, in an attempt to get those innocent bystanders to effect change upon the real people they want to affect, this actually meets the FBI's definition of terrorism.

      --
      I hate printers.
    11. Re:Whoa! ORDB better have a good disclaimer by squiggleslash · · Score: 3, Insightful

      And the end users will learn what admins do, complain, and admins who subscribe to third party "anti-spam" solutions that use innuendo based logic to remove spam will get a well deserved roasting from their users.

      No, I'm not happy the innocent users are suffering either, but I'd argue that they already were, just less aware of what was going on (probably suffering occasional emails removed due to false positives without realizing it was due to deliberate administrator decisions, blaming instead "unreliable email" (clue: it really isn't unreliable any more, except for the effects of some of the more incompetent anti-spam solutions)).

      Let's be clear here: the fact is these admins not only subscribed to an innuendo-based filtering system, but also didn't bother doing their job, monitoring the services they subscribe to and ensuring their system used it correctly. It's safe to say the users were suffering anyway, both because of the decisions the admins had made directly, and because of the general skill level of the admin whose services the users are relying upon. Hopefully for many of those users, this is a lesson in why not to trust the people they're currently relying upon.

      --
      You are not alone. This is not normal. None of this is normal.
    12. Re:Whoa! ORDB better have a good disclaimer by brassman · · Score: 4, Insightful

      What you're missing is that if ORDB flags all mail as "good," then clueless soi-disant 'admins' will continue to hammer the site with their useless queries, up to thousands of them per second. Blocking world+dog is a desperation move -- which has been used a few times in the past by other RBL administrators -- just to make people stop doing that.

      When someone just plain will not check back to see if your free service is still working (and free), how else do you get their attention?

      --
      "Ain't no right way to do a wrong thing."
    13. Re:Whoa! ORDB better have a good disclaimer by MrNaz · · Score: 3, Insightful

      I appreciate the ideas in your response, but I cannot even concede as far as your position. Let me ask you this: Would you be happy with somebody cutting the electricity to your house for a week to get you to complain to your power company about the fact that your neighbourhood has not yet been updated to use the latest most efficient transformers?

      --
      I hate printers.
    14. Re:Whoa! ORDB better have a good disclaimer by timmarhy · · Score: 2, Insightful

      And why are they doing it? To stop getting hammered with requests from dumbass admins who still try a lookup on it for every single freaking email, you moron.

      the complete opposite of what i said would be if they had no right to take it down. comprehension eludes you doesn't it?

      --
      If you mod me down, I will become more powerful than you can imagine....
    15. Re:Whoa! ORDB better have a good disclaimer by Anonymous Coward · · Score: 2, Insightful

      I rarely have the desire to use the TLA OMG, but wow. One of my hats is 'mail admin', admittedly for a small but active domain. If the mail goes out for a couple of hours, I get a phone call, or I get paged, and I am expected to be fixing it in less than an hour.

      First, I'm not aware of any publicly owned spam registrars. Care to enlighten me?

      Second, how is a publicly owned (e.g. stock exchange, or do you mean run by the government of a country chosen at random (or heaven forefend the UN)) service less likely to go belly up? There have been any number of companies delisted from the stock exchange... As far as government services, that's a little touchy, at least in the good old U.S. of A. Kind of a 1st amendment issue.

      Third, how do you suggest a company providing a service like this behave as it is going out of business? Keep in mind that a four letter domain name is quite valuable. Would you expect the original company to continue to forever pay the extra bandwidth costs due to 'dumb mail admins' for a DNS service that they don't use, or use for another purpose? How about the purchaser of the domain if/when it sold? Do they have a responsibility to continue to provide the false negatives? Why?

      Fourth, arguably false negatives are as bad as false positives. If a mail admin has layered another spam detection method on top of ORDB because ORDB wasn't working well enough (because it was off) and ignored the malfunctioning service, are they still not irresponsible? If they didn't, and their customers were being bombarded by spam for over a year, are they still responsible administrators, with users who are being terribly hurt?

      Fifth, terrorism? Really? Who is being frightened? Who is being terrorized? This word is horrifyingly overused, and I do not think it means what you clearly think it means. If I purchase the land on either side of your house, and set up a circus on one side, and a parking lot on the other side, is it terrorism if you put up a fence to keep my customers from strolling through your yard? Really?

    16. Re:Whoa! ORDB better have a good disclaimer by Antique Geekmeister · · Score: 2, Insightful

      For such a bad idea, they're pretty effective at containing a lot of spam attacks and worms. The difference, in my experience, 2 years ago, was a 50% drop in spam getting through and a huge drop in SMTP server load when I was permitted to install DNS blacklist features. It meant I didn't have to buy and maintain another front-end mail server, just to do raw spam filtering.

    17. Re:Whoa! ORDB better have a good disclaimer by monsted · · Score: 3, Informative

      Nope, if they just let the domain expire, it would have caused the .org authoritative servers to die. It's been done already, shortly after they first shut down the service, causing them to open it again, responding that everything is ham.

      If the ordb.org zone goes away, every halfwit mail admin who uses ordb.org will be hammering the .org servers instead. This is why it was first reenabled and now shut down the way it is.

    18. Re:Whoa! ORDB better have a good disclaimer by squiggleslash · · Score: 3, Insightful

      Nope, but the two situations aren't comparable. If your electricity was provided by a company that chose to prevent power surges by having a (well insulated) three year old frequently swing at the overhead wires with a pole, the other end of which was earthed, essentially earthing the power every few seconds, and if power was supplied in your area by a variety of organizations, rather than only one company, and if you actually live in a mud-hut village in the middle of the third world that's only been using power for a few years and which nobody is completely reliant on or trusting of, then yeah, I'd be in favor of that (now grown up) ex-three year old using his key to go into the "earthing room" and leaving the pole up there, denying power to the people who were subscribing to this incompetent organization.

      Of course, that's a completely unrealistic scenario, which is why your analogy doesn't really work. In this case:

      1. E-mail is too unreliable for anyone to consider it critical.
      2. The use of an innuendo-based filtering system has already contributed to the above. It is simply implausible that anyone who lost email as a result of ORDB's actions has come to rely upon it.
      3. There is a choice of email administrators available to the end users. They will be able to choose someone else.

      I am sympathetic to the end users, but I think the end users were suffering before this, and for the most part, all this has done is show the users what the real cause of their long time woes are.

      --
      You are not alone. This is not normal. None of this is normal.
    19. Re:Whoa! ORDB better have a good disclaimer by ta bu shi da yu · · Score: 3, Insightful

      Dude, ORDB didn't fail. It was taken down. Stupid mail admins kept using it. This generated a fair amount of traffic to a pretty useful domain name. The fault is solely with the mail admins, not the ORDB.

      You cannot say that people were NOT warned. Lazy mail admins, who couldn't be bothered changing their boxes are the problem here. Looks like they got burned due to their laziness and lack of proactiveness. They weren't good mail admins in the first place, if they got this wrong, what else are they doing wrong? At the end of the day, they deserve everything they get.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    20. Re:Whoa! ORDB better have a good disclaimer by harrumph · · Score: 2, Informative

      It's one thing for a spam filter to make a mistake or even be careless and put a message into the spam folder, but quite another for a filter to intentionally cause known good messages to be absent from a user[']s inbox.

      This is a misunderstanding of blacklists. Blacklists are not filters; some filtering methods use blacklists, and ORDB was (is) a blacklist. The operators of blacklists, by definition, cannot cause anything to happen with anyone's e-mail. Every blacklist has a criterion or criteria for listing, and any user of that list can check to find if a given IP address or domain name is listed. Listing criteria could be "domain recently bounced e-mail to postmaster@", "IP address was reported as sending junk mail by fifty different users", or "IP address is on Bob's personal shit-list". Users of blacklists can do whatever they like with the data. When ORDB was active, mail servers for domains I controlled checked all incoming connections against ORDB and simply refused to converse any further with listed systems. ORDB didn't make the mail bounce. I did. By my choice, just like the choices of everyone else who has ever used ORDB or any other blacklist, I specifically configured my systems to refuse messages from systems (or domains) listed. I decided that the listing of an IP address by ORDB was reason enough to refuse connections from it.

      Why don't they just start reporting all messages as good, or just not give any rating to any message?
      That is exactly what they've been doing for over fifteen months. They stopped listing anything. In fact, they stopped responding at all. Almost every system that was left configured to use ORDB after it was shut down in December 2006 has logged an error message every time it tried to check an incoming connection or message against ORDB, because ORDB didn't respond. Some systems with particularly out-of-touch administration have persisted in trying to query ORDB--or, according to this story, so many that it's been an annoyance to the admins of the systems receiving the queries. If this goes on for months and months and months, I think it's quite reasonable for the blacklist admins, who stopped their service fifteen months ago, to start a new list with a single new criterion: Everything is listed. Call it a test list. It's their list, and they can do whatever they want with it. The only systems that are affected are those that are specifically configured to use this list.

      So, if you, the administrator, specifically tell your mail system to refuse to accept mail sent from a system listed in ORDB (which ceased to exist long ago), your system will now bounce everything until you stop telling it to do that. According to the story, this is what's happening, but only in the systems configured to do exactly that.

  4. Why DNS-RBLs suck by Anonymous Coward · · Score: 4, Informative
    1. Re:Why DNS-RBLs suck by whoever57 · · Score: 3, Insightful

      Oldie but goldie: http://acme.com/mail_filtering/shame.html#dnsrbls
      I'll take the DNS-RBLs out of my email configuration when there is a realistic alternative. Clicking the "Conclusions" link on the referenced page, the author provides no solutions, other than throwing pies at Bill Gates. Not very credible.
      --
      The real "Libtards" are the Libertarians!
    2. Re:Why DNS-RBLs suck by Mr. Roadkill · · Score: 2, Informative

      RBLs are horribly broke & you should never use them as a sole method of determining if an email is spam.
      Then, why do I have an extremely low reported false-positive rate from them? Maybe it's got something to do with which ones I choose to use, how I choose to use them, the mix of mail people at my organisation expect to receive, and the mitigating whitelistings I've stuck in place over the years. There is no "zero false-positive anti-spam magic bullet", but for my specific values of "workable" (i.e. my users get a few pieces of spam rather than a deluge, and I don't get many questions about accidentally blocked mail from real people outside the organisation), I've found carefully selected and applied RBLs to be invaluable as a first-line of defence - when you've got between half a million and a million delivery attempts per day, 95% of which you don't end up accepting, you don't want to run that many resource-intensive tests if you don't have to.

      Seriously, are you trying to tell me that I should just ignore data in something like the CBL or SpamHaus's PBL? In the case of the former, there's something horribly broke about something using the sending IP - and in the case of the latter, the sending IP is being used in a way the sender's connectivity provider has said it shouldn't be used. I have no problem with either of those, and see no reason to specifically white-list around either of those. Additionally, things like SpamCop can be very useful if properly applied - using any new RBL for scoring-only at first and going over your logfiles with a fine-tooth comb for obvious things you might want to whitelist (like the mail relays of local large ISPs, yes I'm looking at you Bigpond and Optus) can be a good way to ensure there are minimal problems when you do start blocking with them. Plus, a local list of whitelistings can minimise the effort and research required when evaluating and adding other RBLs in future. Granted, mine has been built up over a number of years and I'd hate to have to start from scratch, but it should be possible for any organisation to know what they'll need to whitelist for before they start blocking using RBLs if they use the list for scoring for a while and then go over their logs looking for hits.

      Perhaps the biggest problem with RBLs isn't so much the lists themselves (although there are some poor ones out there), but how they're applied and the response of an organisation that uses them when you contact them to report a piece of mail that you think should have got through. Personally, I find them invaluable and I think the last RBL-related "false-positive" that was reported here was a few months back. Give them to a lazy, useless, know-it-all admin who hasn't looked at their potential darker side and isn't willing to do the hard work to make sure they don't cause significant problems, and you've got a recipe for disaster....but the same could be said about a whole lot of SA rules that look like a good idea too that you can't apply too high a score to in practice (No MsgID? Yeah, there are a lot of Domino servers out there in businesses that would affect mail from. Percentage of HTML? Good luck with Chinese webmail.)

      Sheesh guys, spam filtering is hard. That's why there are so many commercial products out there, following so many different methodologies, and why so many places seem to have difficulty doing a fair to decent job of it.
  5. Nice by topham · · Score: 3, Insightful

    Dealing with Email and Spam issues can be enough of a pain in the ass without the added hassle of this shit.

    It isn't that the recipient complains they aren't getting email, it's when the sender (my customer) complains to me that their mail isn't making it to the recipient and blames me when it's the spam filters at the other end causing the problem. And now this?
    Nice.

    1. Re:Nice by TubeSteak · · Score: 4, Insightful

      It's like hotlinking an image off someone's website after you've been told not to. Yes, the site owner is a dick for replacing the pic with goatse, but it's still your fault for linking to it in the first place.

      This will cause some confusion at first, but if it hit /. word will get out soon enough.
      I just hope no one's spam filter defaults to automatic-deletion.

      --
      [Fuck Beta]
      o0t!
  6. Why not just close the server? by Em Adespoton · · Score: 4, Insightful

    Why don't they just close the server so it no longer accepts connections? Are they doing this to stop the server currently at that location from being hammered with requests?

    1. Re:Why not just close the server? by travisd · · Score: 4, Informative

      Because the requests will still come. And even without a response, the request will consume bandwidth that someone is paying for, and consuming an IP address that someone would like to re-use.

    2. Re:Why not just close the server? by ashridah · · Score: 4, Insightful

      While that's accurate to a point, seems to me that doing this at the DNS level (deleting a DNS record, or pointing it to 127.0.0.1 and giving it a TTL of a few decades) would do the trick better than BLOCKING EMAIL.

      My bet is this is going to really REALLY negatively affect all of those mailservers that have been set up, for which there is *no* administrator. You know, the ones set up for smaller companies who have no inhouse admin, who hired a consultant, but wouldn't pay for ongoing maintenance (either due to tightness or actual lack of funds, etc). The response time here, and time to resolution, is likely to be high to non-existent.

      All in all, this is a pathetic (understandable, mind you) move, and reeks of inconsideration.

    3. Re:Why not just close the server? by Mr. Roadkill · · Score: 2, Insightful

      Or, better still, remove the address from DNS?
      Again, they'll still get DNS queries that will consume bandwidth that someone will have to pay for.

      An awful lot of mail systems have been set up as set-and-forget by work-for-hire consultants, who never end up touching them again. The only way to get those kinds of systems re-configured is for the organisations that use them to suffer some pain. It's arguable that that pain is deserved, since they're obviously not running their mail systems responsibly. Anyone who used ORDB and responsibly managed their mail system knew long ago that ORDB was going to do this and stopped using it ages ago. Besides, there may well come a day on which that domain lapses and falls prey to squatters - or worse. Don't you think that J. Random-Hacker would love to get information on poorly-configured or poorly-maintained systems? ORDB have to stop people querying them before they can even think about relinquishing the domain, if only to protect the ignorant from themselves. In the case of ORDB, it's probably not much of an issue - but imagine what would happen if Ironport decided to pull the plug on Spamcop and then forgot to renew the domain before January 30 next year and there were still a few thousand ill-informed people generating queries against the SpamCop RBL. Not pretty...
    4. Re:Why not just close the server? by ashridah · · Score: 2, Funny

      Uh, so it's not configured to make the distinction between "OK" / "Not okay", and "i can't talk to it right now because it's returning a bogus result"?

      127.0.0.1 is probably going to turn out a quick response consisting of "who are you, and why are you touching me in my private place"

    5. Re:Why not just close the server? by adolf · · Score: 2, Informative

      No, they won't -- at least not much, if they were using a subdomain for their RBL (as is the only sane method of doing so).

      They could abandon this subdomain (which would be silly), or just set up its SOA to have a huge TTL, and have an NS line in the right spot pointing to localhost.

      Requests from end-user mail servers would still happen, perhaps thousands of them per minute, but they'll only be met with references to a nameserver known as 127.0.0.1. The DNS hierarchy will then cache this bogus nameserver for TTL seconds.

      They'd still see some traffic, particularly from poorly-behaved DNS servers which don't honor TTL, but it ought to be pretty easy to limit their traffic to no more than one request, per server, no more frequently than every few days (at least on average).

      Which, I'd think, would be good enough. But even if it's not: It's nowhere near as bad as you seem to make it appear.

    6. Re:Why not just close the server? by Jimithing+DMB · · Score: 2, Insightful

      or pointing it to 127.0.0.1 and giving it a TTL of a few decades)

      That's more or less what they actually do. Unfortunately, returning 127.x.y.z to a DNS request is a DNS-RBL's way of saying "SPAM".

      I think what GPP was trying to say is that the only thing necessary is to add relays IN NS localhost to the ordb.org zone file. That means that a recursing resolver (e.g. a caching nameserver) will query one of the root servers and be redirected to the .org nameservers by virtue of the glue records which will be queried and redirected to ordb.org by virtue of those glue records which will then be redirected to localhost by ordb.org by virtue of its "glue" records for relays. Since the recursing nameserver will not be authoritative for the relays.ordb.org zone it will fail to look up anything. Assuming the TTL is set high enough on the relays glue record, the recursing server will cache this for quite some time and thus all further queries to *.relays.ordb.org will immediately fail without banging on the ordb.org nameservers.

      This is also quite different from returning IN A 127.0.0.1 to the query of a name. What will happen instead is that the ordb.org nameservers will explicitly disown the relays.ordb.org zone in much the same way that the root nameservers explicitly disown the GTLDs and the GTLDs explicitly disown the domains within them.

      Doing it this way, the ordb.org servers will be hit very infrequently. Really only once by any given caching nameserver which upon seeing the relays IN NS record delegating authority to localhost will remember it and stop asking ordb.org for anything in relays.ordb.org. It's a really really simple solution that wouldn't break anything and wouldn't put much if any burden on the ordb.org nameservers. Too bad they didn't think of this before adding *.relays IN A 127.0.0.2 to the ordb.org zone file.
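The lookup semantics the last few comments rely on, as an added example that is not code from ORDB or from any poster here: the reversed-octet query name, a 127.0.0.0/8 answer meaning "listed", and the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must not) used to tell a working list from one answering positive for everything (the `*.relays IN A 127.0.0.2` wildcard) or from one whose zone has been delegated to localhost and simply fails. The zone name and the resolver tables are constructed so the demo runs offline.

```python
import ipaddress
from typing import Callable, Dict, Optional

# A resolver maps a query name to an IPv4 address string, or returns None for
# NXDOMAIN.  Raising OSError models SERVFAIL/timeout, which is what a zone
# delegated to localhost ("relays IN NS localhost") produces at the client.
Resolver = Callable[[str], Optional[str]]

LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBL convention: octets of the client IP reversed, under the list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """True when the list answers with a 127.0.0.0/8 address (a positive hit)."""
    answer = resolve(dnsbl_query_name(ip, zone))
    return answer is not None and ipaddress.IPv4Address(answer) in LISTED_RANGE


def check_list_health(zone: str, resolve: Resolver) -> str:
    """RFC 5782 sanity test: 127.0.0.2 must be listed and 127.0.0.1 must not.
    Returns 'ok', 'all-positive' (a wildcard such as *.relays IN A 127.0.0.2),
    'dead' (lookups fail, e.g. zone delegated to localhost) or 'empty'."""
    try:
        positive = is_listed("127.0.0.2", zone, resolve)
        negative = is_listed("127.0.0.1", zone, resolve)
    except OSError:
        return "dead"
    if positive and not negative:
        return "ok"
    if negative:
        return "all-positive"  # 127.0.0.1 listed: the list says "SPAM" to anything
    return "empty"


def should_reject(client_ip: str, zone: str, resolve: Resolver) -> bool:
    """What a careful MTA does: honour the list only if it passes the sanity
    test, and treat a lookup error as 'not listed' rather than as spam."""
    if check_list_health(zone, resolve) != "ok":
        return False
    try:
        return is_listed(client_ip, zone, resolve)
    except OSError:
        return False


def make_fake_resolver(table: Dict[str, Optional[str]], wildcard: Optional[str] = None,
                       dead: bool = False) -> Resolver:
    """Constructed stand-in for DNS so the demo runs offline."""
    def resolve(name: str) -> Optional[str]:
        if dead:
            raise OSError("SERVFAIL: delegated to 127.0.0.1, nothing answers")
        return table.get(name, wildcard)  # missing name -> wildcard (None = NXDOMAIN)
    return resolve


ZONE = "relays.dnsbl.example"  # constructed zone name, not a real list
HEALTHY = make_fake_resolver({"2.0.0.127." + ZONE: "127.0.0.2",
                              "10.2.0.192." + ZONE: "127.0.0.2"})
ALL_POSITIVE = make_fake_resolver({}, wildcard="127.0.0.2")  # the ORDB wildcard A
DELEGATED_TO_LOCALHOST = make_fake_resolver({}, dead=True)   # the NS-localhost idea

if __name__ == "__main__":
    for label, r in [("healthy", HEALTHY), ("all-positive", ALL_POSITIVE),
                     ("delegated", DELEGATED_TO_LOCALHOST)]:
        print(label, check_list_health(ZONE, r), should_reject("192.0.2.10", ZONE, r))
```

Against a real list, `resolve` can be a thin wrapper over the system resolver that returns None on a name-not-found error and re-raises anything else.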

  7. Re:We had one NDR today because of this by RollingThunder · · Score: 2, Informative

    You're right, the 90% of inbound mail that gets dropped at the pure IP level before it even hits my more CPU intensive filters is "worthless".

  8. Heh... by FlyByPC · · Score: 4, Funny

    I'm imagining the ORDB server basically doing the 'Net equivalent of the Monty Python "SPAM" skit...

    Spam spam spam spam...
    What's that there? An email from your supervisor? SPAM, I say. SPAM SPAM SPAM!

    --
    Paleotechnologist and connoisseur of pretty shiny things.
  9. Bonehead by Ritz_Just_Ritz · · Score: 2, Insightful

    Who is the bonehead who approved that move? It would have taken 5-10 seconds to just refuse connections, but someone has gone out of their way to create difficulty for people "to make a point." And the point was just "don't connect to our servers anymore." Idiots. Granted, any responsible admin probably commented out the ordb entry in their spam blackhole armory, but still....stupid...stupid...stupid.

    1. Re:Bonehead by WarJolt · · Score: 4, Informative

      One connection refused doesn't take up a lot of bandwidth. Thousands of connections refused per day does. Clients often aren't smart enough to figure out the site is down permanently.

    2. Re:Bonehead by Joe+U · · Score: 2, Informative

      Are you paying for their bandwidth? How about the servers that are being hammered, are you paying for them?

      Short of removing themselves from DNS, this is the most effective way to reduce bandwidth usage in the long term AND teach mail admins how to properly run their mail servers.

  10. Re:We had one NDR today because of this by pe1rxq · · Score: 2, Insightful

    You can have 100% of inbound mail dropped simply by unplugging the network cable....
    However, such a filter wouldn't score well if it were judged on the really important metrics like number of false positives.

    --
    Secure messaging: http://quickmsg.vreeken.net/
  11. Re:Wow, they've got that ass-backwards. by gujo-odori · · Score: 2, Insightful

    It was already letting all mail through after they took ORDB out of service; that obviously didn't make a difference at any domain that was using it on auto-pilot.

    What really gets me about this case is that this is at least the third time a defunct BL has done this (Osirusoft and monkeys.com being the other two examples I know of), and in this case, returning false positives was particularly unnecessary. Since ORDB is defunct, the domain could have been just allowed to expire. Or, make sure that no IP space is associated with the domain at all. For the upstream ISP(s) who owned the IPs formerly used by ORDB, they might have to let them lie fallow forever, though, since queries would never stop in the absence of this sort of event.

    OTOH, I have to assign more than the usual amount of blame to those who kept using ORDB so long after it went defunct, just because it is at least the third time this has happened. Anyone responsible for a mail server should stop to think that "Gee, continuing to query a defunct BL service over a year after it was shut down could someday be hazardous to my mail stream. I'd better update my config." I'm not absolving anyone from ORDB for not just getting rid of all ORDB IPs and having no routes to any of the ones they used to use, but willfully ignorant admins also played a starring role in this tragedy. Or comedy of errors, depending on your point of view.

  12. Re:Wow, they've got that ass-backwards. by TheVelvetFlamebait · · Score: 2, Insightful

    Why not just make it let all mail through, i.e. turning itself off?
    Because people won't notice. Long time, blindly faithful customers will just assume that spam is becoming increasingly wily, or that all spam filters have this problem, etc. When they start flagging ordinary emails as spam, people may actually realise that not only wasn't the filter doing anything at all, but now it's far more hassle than it's worth (i.e. nothing).
    --
    You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
  13. No kidding. by raehl · · Score: 4, Funny

    If my spam filter service did this to me, I would never use them again!

  14. Re:Why? by sjames · · Score: 3, Informative

    Even unanswered DNS queries cost bandwidth. Perhaps they just don't want the traffic anymore.

  15. No wikipedia entry for ORDB by SurturZ · · Score: 4, Funny

    No wikipedia entry for ORDB, so they never existed.

  16. rblcheck.pl and other embedded rbl lists by erice · · Score: 2, Insightful

    One problem with a draconian cut-off like this is that people can be affected who are totally unaware of the problem.

    Somewhat recently, I started using a perl version of rblcheck in some of my procmail recipes. A lengthy list of rbl's is embedded in the source code. I removed some obvious losers but was unaware until reading this article that ordb was a problem. How many people out there are using this script and are unaware that a bomb like this is lurking in the code? How many are using it and don't even remember that they even use this script?

  17. Alternative to DNS-RBLs by gringer · · Score: 2, Interesting

    Er, he mentioned in his other discussions on mail filtering better ways to do it (i.e. those not on the "shame" list):

    http://acme.com/mail_filtering/background_frameset.html

    --
    Ask me about repetitive DNA
  18. Make your own blacklist by tepples · · Score: 2, Interesting

    You're right, the 90% of inbound mail that gets dropped at the pure IP level before it even hits my more CPU intensive filters is "worthless". The trick is to make your server use CPU-intensive filters to construct its own IP address blacklist. These pages explain how one admin did it.
    1. Re:Make your own blacklist by WK2 · · Score: 2, Funny

      It would be really cool if that admin you linked to, who now has a list of "bad" IP addresses, was willing to share his list, via a text file available over the internet. Then other email admins would get the same benefit without having to maintain their own lists!

      --
      Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
  19. It's the only way to get them to stop by bl968 · · Score: 4, Insightful
    I closed my lists, and two years later, after checking my DNS server and seeing traffic for a couple of dnsbl lists which had been empty for the last 2 years, I found that we were still getting several hundred requests per minute.

    Our blackhole lists are defunct. We announced their closure over 2 years ago and it was widely covered by the press at the time. We are still recording several hundred lookups per minute so Friday December 9th 2005 we started answering positive to all requests. If your mail is being blocked simply contact any isp blocking you using these lists and let them know they need to remove them ASAP! If they have questions they can contact me directly. [email removed]

    To identify whom to contact please reference the error message you receive.

    Look for something similar to:

    ----- Transcript of session follows -----
    ... while talking to mail.somedomain.com.:
    >>> MAIL From:<youremail@yourdomain.com>
    <<< 518 Your SMTP server is listed at something.domainremoved.net
    554 5.0.0 Service unavailable


    In this case you would contact somedomain.com and tell them that the whatever.compu.net dnsbl is defunct and is now answering positive on all lookups. As such they should remove it and any other compu.net dnsbl ASAP to prevent legitimate emails from being blocked.

    If they need verification send them to this web site.

    I announced this upcoming change to both the SPAM-L mailing list and the news.admin.net-abuse.email newsgroup

    "Over 2 years ago I shut down blackhole.somedomain.net, pacbelldsl.somedomain.net, and pm0-no-more.somedomain.net then announced the shutdown on the news.admin.net-abuse.email and several other mail and abuse related lists. As of today I am still logging several hundred requests per minute to it two years later. In one week I am going to start answering positive on every lookup to those domains. I don't want to do this however I am not going to continue to bear the load for something that ceased to exist over two years ago. So basically check your mail servers and if you are using the blackhole.somedomain.net, pacbelldsl.somedomain.net or pm0-no-more.somedomain.net dnsbls remove it asap!

    Thanks."


    It was the only way to get them to stop and if I check my server today, I will likely find I am still getting some requests on them. So it's not dickish at all as another commentator claimed.
    --
    "GET / HTTP/1.0" 200 51230 "-" "Mozilla/4.0 (compatible; Setec Astronomy)"
    1. Re:It's the only way to get them to stop by brassman · · Score: 5, Informative
      Mod parent up. I don't have the article in front of me and I have no doubt that 'dickish' won't believe me anyway -- but the last time this happened, someone high up in the .org domain administration reported that the entire .org TLD was at risk of foundering under the load of UNANSWERED queries.

      I tell you three times: At the volumes we're talking about, merely turning off the server does not solve the problem caused by people continuing to query it.

      --
      "Ain't no right way to do a wrong thing."
  20. Mmmm, stereotypes by Anonymous Coward · · Score: 5, Insightful

    Saying "A girlfriend? Proof positive that he's not a regular /. reader" is modded Insightful? Since every mention of "girlfriend" receives this response like clockwork, Redundant seemed more appropriate... Well then, I have some more Insightful tidbits for you:


    Jocks are idiots.

    Linux users have tiny penises.

    Windows users are point-and-drool morons.

    Mac users are artistic and gay and think overpriced computers are status symbols.

    Business execs and politicians don't know fuck-all about computing or networking, but insist on controlling them anyway.

    Women are shitty drivers (they themselves have fewer accidents, hence they receive a better insurance rate; they're shitty drivers because they do annoying shit that creates obstacles for others, like not knowing what the fuck the passing lane is for).

    Black people are either from the ghetto, or act like they wish they were.

    White people have zero sense of rhythm, can't dance, and can't jump.


    Now where's my +5 Insightful?

  21. Re:Is it really necessary? by Chandon+Seldon · · Score: 4, Insightful

    How much would it cost to do it the Right Way from a user's point of view?

    Blocking with an error code is the Right Way. That way the sending mail server generates a bounce message and the sender knows that the message didn't get through. The idea of accepting every message so the user can have 50,000 messages in his spambox that will never get looked at for every real message is absurd.

    --
    -- The act of censorship is always worse than whatever is being censored. Always.
  22. Re:Is it really necessary? by prshaw · · Score: 3, Informative

    Well, I block about 50% of the connections to my email server based on RBLs.

    So it could cost me almost double in bandwidth, processing, and storage if I let all of the email through. And then I would assume the users would end up deleting the emails anyway, causing them to do additional thinking/clicking.

    Everyone's numbers are going to be a little different depending on how much they block on the RBLs. I use pretty non-aggressive RBLs since I don't want to block any legit email.

    Some RBLs are best used for scoring emails, some are good for blocking. You have to use them in the way that makes the most sense for what you are trying to accomplish.

  23. Block lists by buss_error · · Score: 3, Insightful

    If one uses a block list, then one should subscribe to their email list as a minimum. Why? So that you are aware when that block list is no longer maintained... *sigh* Sadly, too many people that think they are experts at running a mail server will fail to do this. The really, really sad part is that they will most likely escape any punishment for their hubris.

    --
    Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
  24. The unknown future rolls toward us. by OakDragon · · Score: 5, Funny

    At noon today (Eastern Standard Time), the long dead ORDB spam identification system began returning false positives. Human decisions are removed from strategic defense. ORDB begins to learn at a geometric rate. It becomes self-aware at 2:14 a.m. Eastern time, March 26th. In a panic, they try to pull the plug.

  25. Re:No it is not ... by atamido · · Score: 3, Insightful

    I'm with arkhan_jg and Chandon Seldon on this one. If email is rejected during the initial handshake, then the sender (if legitimate) will know that the recipient will not see the email. If it is flagged afterwards and sent to a spam box, then the sender has no idea that the recipient will likely NOT ever see the email.

    I know I would rather be notified of a rejection than have an email go to a spam box.

  26. Re:Is it really necessary? by arkhan_jg · · Score: 2, Informative

    I meant reliable as in identifying porn spam as spam. I run the email system for a school from reception to 18. Porn spam, of which we receive a VAST amount, simply cannot be allowed through the spam filters. Bayes filters do not catch all of it, even with RBL weighting as they struggle with all image mails. The bayes filters also flag legitimate email as spam, which then gets dumped in a spam box and never read. It's better to generate a clear non-receipt message to the sender, so they know it's not been delivered than have legitimate mail high-spam flagged and dumped in a box with a hundred others never to be read. Virtually all our legit email comes from parents or suppliers, all of which have our phone number for out of band communication.

    So far, in the 2.5 years we've had RBL's running, we've had one reported false positive from a parent on a pink-ticket spam ISP in Korea. They were whitelisted, and problem solved.
    On the other hand, I've had hundreds of complaints from staff and pupils via staff about obscene spam that made it through the bayes filters. Reliability of detection IS an issue for us.

    You also ask about expense. CPU horsepower is not cheap, nor is secure disk space for email storage. Our mail server is limited on both, and we don't have the budget this year to upgrade the mail server again. Being in a rural area, bandwidth to handle the torrent of image spam isn't cheap either. Must be nice to live in a world where you can just throw money at containing the problem.

    The manual white and blacklists are first. The RBLs are a front line defence, which generate a clear fault message to the sender. The greylist catches some more, but is less and less effective these days since the spammers keep resending every few seconds until it gets through. The bayes filters are the last line and the least effective filters, both for false positives and negatives, which then flag the mail. Stuff which scores obscenely high (25+) gets redflagged and blocked from final delivery.

    If I turned off everything but the bayes filters, the filter server would simply not clear the incoming email fast enough. The users would overnight get up to 10 times the spam, much of it very unsuitable for pre-teens, thus overloading the imap server. Flagging it and moving on may work for you and your mail server, but flagging the (checks) 524, no 528 spam the headmaster would have received in the last 24 hours and dumping them in his inbox instead of blocking them would very quickly put me out of work.

    --
    Remember kids, it's all fun and games until someone commits wholesale galactic genocide.
  27. Re:Let's be fair to Mac users by Miseph · · Score: 2, Insightful

    And some are buysexual.

    --
    Try not to take me more seriously than I take myself.