A reply to one of my comments in the slashdot article about ORBZ Shuts Down has pointed to a new article which reveals the identity of the party who threatened ORBZ operator Ian Gulliver with jail.
In that new article it is mentioned that Ian's lawyer advised him against releasing a copy of the search warrant. Why? Is it copyrighted?
I do know this is a standard clause in boilerplate agreements lawyers typically put together. But these things can be changed, and often do get changed during the course of negotiations. What is the dollar amount you would put on agreeing to hide the identity of someone who wronged you and is now finally agreeing to pay up for it, but won't pay as much (if any at all) if you don't agree to include that clause? And likewise, what is the dollar amount for agreeing not to submit it to slashdot/kuro5hin/etc?
I guess I'm now glad I put off learning Java. It looks like Java is headed down the other side of the hill, now. I still worry that things won't be any better with C# and.NET whatever Mono does. Microsoft could pull the same stunt as Sun, and we know Microsoft is very inclined to do such things.
What the world needs is a new clean combination procedure and object oriented language at a higher level (C++ is just OO retrofited to a low level pretending to be a HLL). Further, this language needs to come in TWO forms: (1) a purely compiled form producing fast native object code implemented on a variety of platforms (maybe generating C as an intermediate result would be one way to accomplish it)... and (2) a virtual platform hosted form (what JVM and.NET are). How the hell is my server going to share executeable code between 1000's of processes running the same program if each process is generating it's own Just-In-Time machine code as it runs in its own address space? While I might trust this to be a safe platform for more secure execution, it certainly isn't sharing memory very well, and hence puts more load on the server virtual and real memory that would be the case with the execution model we now have with C/C++/F77 and some others. This would be even worse if the libraries supporting such a thing are themselves also JIT compiled. This is why I want to have a tradition execution model as an option.
Re:There is no valid configuration which should do
on
ORBZ Shuts Down
·
· Score: 3, Insightful
Me again. Elsewhere it has been noted that IBM has in fact fixed this a while back. In this case, (someone at) IBM should be called as an expert witness to testify that the bug is fixed and that the administrator of the defective system is negligent in having failed to apply the fix. Failure to apply fixes is a major cause of security and spam problems on the net, certainly costing at least hundreds of millions of dollars a year to clean up, and lost time and bandwidth dealing with the effects. Someone who fails to apply fixes in a timely manner (30 days tops) should be slapped very very hard.
And we want to know who the hell it is that brought this complaint.
Re:The open relay testers send me unsolicited e-ma
on
ORBZ Shuts Down
·
· Score: 2
So if you post online, and your email address is available, and someone replies by email directly, instead of doing an online followup, you consider that spam? I don't.
Take a look at the history of the term "spam". It came from a skit on Monty Python's Flying Circus where the term "Spam", in reference to a processed pork meat product, was repeated extensively in the skit. Later, this skit was repeated in online MUD games, and morphed into repeats of many other words. But the term "spamming" developed there as a result of the pointless repeating. It then was used in reference to repeated online postings to multiple newsgroups in Usenet, and from there to email.
The bulk postings on Usenet don't have any particular "solicited" attribute. Spam is unacceptable because it cannot scale. It's not something that is practical for "everyone to do it" due to the lower sender cost and high receiver cost.
The term "unsolicited" was added later to distinguish the most hated forms of spam which are sent to harvested email lists gathered from various sources unrelated to preferences in receiving commercial announcements. The terms "spam" and "unsolicitted" do intersect, but are not the same set.
If you don't want to make it possible for specific parties to determine whether your mail server can or cannot be exploited by others who have bad intents, then I don't blame them for then listing your mail server as one that the safety of which cannot be determined. I would then not want to allow my mail server to accept any mail from your mail server due to the risk that such mail may in fact be the spam that has exploited your server.
All you need to do is to refuse to RELAY the mail in the probe. Then discard the bounce-back when it has the string "sender.orbz.org" in the headers. They are NOT depending on the bounceback coming back; just depending on the delivery not being completed in the orignal probe. Don't reject the probe... just reject the forwarding/relaying of the probe.
IMHO, ORBZ was doing a fine job, and doing it reasonably well. I don't see their probe as being "spam" (yes, it is technically "unsolicited", but that's not the issue I concern myself with), and I see their database as useful in rejecting delivery attempts from risky servers. I will miss them. I've already gotten 5 spams today, well exceeding my recent average of about 1 per day (with about 50 rejected per day to just my own email addresses). I hope they find a way to get back online, and I hope you find a way to make your mail server operate smoothly even with these probes. The only problem I'd see is if hundreds of people started up their own system of probes.
Re:The open relay testers send me unsolicited e-ma
on
ORBZ Shuts Down
·
· Score: 2
``You get e-mail you don't want? That's your problem.''
Of course it's my problem. I take care of my problem by not accepting mail from places I believe may send spam. Then it's up to them to decide whether they want to continue their ways, or change their ways. ORBZ email testing did not disrupt my servers. I see no basis to believe those probes would disrupt any properly designed and properly configured servers. ORBZ provided useful information for me to further my aims to prevent incoming mail from misconfigured and broken mail servers. As long as ORBZ was not sending their probes in bulk, I don't see it as spam.
I have administered Lotus Notes before. It was a RPITA... worse than even sendmail. It's definitely something to be avoided, and where it can't be avoided, front-ended with another mail server (which I did).
No, a probe is NOT spam - it's OPEN RELAYING
on
ORBZ Shuts Down
·
· Score: 2
The mechanism Ian was using was OPEN RELAYING. Open relaying was quite common before commercialization came to the internet, and it wasn't considered to be spam, then. Why should it be considered to be spam now? The definition of SPAM involves the bulk transmission of email. This bulk aspect is what causes the problem we fight against. Open relays are one of the mechanisms spammers have abused (remember, at one time, open relaying was a good thing when the internet was benevolent). When Ian sent a probe, as long as he didn't send bulk mail to many different addresses, it was NOT SPAM!
That said, he DID make a mistake in failing to stop sending to that server when the administrator complained. What he should have done was list the server as "will not test" and let us block mail coming from there under the principle that I cannot trust whether it is, or is not an open relay (I prefer not to accept mail delivery at the SMTP protocol layer from an server believed or suspected to be an open relay because it defeats my efforts to block sources of spam). This presumes that the administrator of that broken Notes server (double bounces as in qmail might be an annoying feature, but infinite bounces as in Notes is a blatant defect) did notify him. If not, then I place no blame on Ian whatsoever.
Re:The open relay testers send me unsolicited e-ma
on
ORBZ Shuts Down
·
· Score: 2
Ian was mimicking a spammer to carry out the test. So of course it can look like a spammer to those who fail to check the original of the connection. Most of my servers have been tested, and I've never had a problem with it. If course the tests must be specially crafted to break through the anti-relay defenses when the server is programmed or configured in a way that allows anyone to break through, as spammers can, and probably do. Calling Ian a spammer is absurd. He has not sent bulk mail.
Re:The open relay testers send me unsolicited e-ma
on
ORBZ Shuts Down
·
· Score: 2
If you want double bounce messages, that's your business. If you don't want them, you do know how to turn that off. Using local sender address is a way to fool many mail servers into relaying spam, so it is a valid test. If your mail server deals with this poorly, that's your problem. You can also filter your double bounces from your mailbox based on the headers. Do what you need to do.
Re:Lotus Notes now a Target?
on
ORBZ Shuts Down
·
· Score: 2
I have no reason to "target" Notes servers. The defect does NOT (apparently) make them open relays. So I have no reason to block them. However, when I found out who it is that pursued the complaint against ORBZ and threatened them with criminal charges, I WILL BLOCK THEM and I will send them mail explaining that they are blocked and why.
As for targeting Notes servers for DoS attacks, why would I do that? There are plenty of kids around to take care of the job:-)
Re:Domino doesn't adhere to standards?
on
ORBZ Shuts Down
·
· Score: 2
If they receive a complaint that the server is being taken down as a result of the receipt of a valid (albeit meaningless for sending valid mail) header, then just put that server in the list of (we don't test these, so they are permanently blocked for safety reasons), and move on. If it is the case that ORBZ received an initial communication about the issue from whoever runs that server, then this could have been done.
Your analogy about force feeding peanuts is false because it depends on the notion that feeding in general is a forced activity (which it it is not). It is the standard protocol for mail to be "force fed" to the recipient server... in this case it had a peanut in it. So within the context of sending email, force feeding is the norm. And further, the form used by ORBZ is valid and should never cause impact. My servers have been tested and didn't fail. My only complaint to ORBZ was that they missed one of my servers in their testing cycle:-)
The return address is perfectly valid
on
ORBZ Shuts Down
·
· Score: 2
That return address is a perfectly valid one for which bounceback loops make no sense in compliance with email standards. Some defective mail servers check the sender address to determine if the mail should be sent to the recipient address, and if that sender address is "local" it allows it to go on. The test ORBZ was doing was a perfectly valid test that should never be forwarded on (but some mail servers see it as a local sender), and wouldn't bounce infinitely in a properly designed mail server.
There is no valid configuration which should do it
on
ORBZ Shuts Down
·
· Score: 4, Interesting
There is NO VALID CONFIGURATION which should result in an infinite loop on the bounceback. If there are ways to configure to avoid it, great. But there shouldn't be a way to actually configure it to do this, and it most certainly should NEVER be the default setup.
When mail is sent to a bad name, and it attempts to bounce back to the apparent sender, it should first recognize that it is connecting to itself. Failing that, the sender of the bounce message should either be a valid box to collect failed bounces for the postmaster to clean out, or it should be a null address which gets discarded. A bounce should never trigger another bounce, either on its delivery, its failure to deliver, or its return. In this, Lotus Notes/Domino is a defective software product and needs to be fixed. I recommend that Ian Gulliver ask his attorney about filing a motion of interpleader to bring IBM into the case as a defendant, if the plaintiff continues to pursue it. If IBM (which just stuck a big ad in my face here on/. spouting off about their security) can't fix this, then they are the ones who should be paying up.
Re:Not such a great loss as made out
on
ORBZ Shuts Down
·
· Score: 2
The only way to deal with the DADS "Dynamically Addressed Direct Spam" is to block the their whole pools one way or another. I prefer to block by domain name if they have set up the pools in separate DNS zones (smarter ISPs know to do this). If I get 2 DADS from the same domain that doesn't have a separate DNS zone, I just block the whole ISP and send them a nasty-e-mail about it telling them how to fix it (most are so incompetent they don't understand).
BTW, I also block based on the lack of reverse DNS that is correctly forward DNS verified. That does cut out a huge amount of spam. I also block China, Hong Kong, Korea, and Taiwan by IP address, and that also cuts out a huge amount of spam.
What it every/.-er sets up a small ISP business in Pennsylvania, or one that can at least in theory be used by Pennsylvanians. And what if they all let the Pennsylvanian AG office know of their existance and their agent's address? Will the AG have to send out over half a million copies of the court order?
If the Pennsylvania Attorney General thinks the law also applies to out of state ISPs hosting open proxy servers, or access lines which can be called by long distance, then in theory they should be sending this list to those ISPs as well. Whether they can enforce it or not is one thing. But they have no case at all if don't transmit the court order to that ISP. So set up a small proxy server and call yourself an ISP. Make sure the Pennsyvania AG knows of your existance, and you should start to see your copies of the orders arriving by certified mail. Now you, too, can become rich off the pedophiles outside of Pennsylvania.
Oh, and you'll need to ask the AG for a list of IP addresses in Pennsylvania, too.:-)
The definition of child porn varies around the world. What might be child porn in Pennsylvania might be a family vacation on the Mediterranean in Europe. It just depends on how far the prudes in Pennsylvania go in complaining to the AG or DAs. Do they consider children having fun at the beach with no clothes on at all to be child porn? That's certainly not the worst of what is on the net, but it is what could mark the difference between what can be shutdown at the source or not.
I'm sure someone will verify the sites. The big problem I see is how to actually go about deploying the capability to block sites on any significant scale. Would you be willing to put 1000 access list entries... for 1000 sites identified only by URLs with IP addresses and weird port numbers... into your nearly saturated 7XXX border router? Don't expect to do intercepted web caching on all those non-80 port numbers that many if the shadier porn sites use. Don't expect to do DNS A-record substitution on sites specified by IP address in the URL.
This still fails to consider the impracticality of deploying blocks for most likely forms of site identification. Is the ISP supposed to make absolutely certain there is no way for any customer to access the site by any means whatsoever? Or is it adequate that they only block the site in a way that ordinary non-technical people would be effected by? Is it enough to substitute the DNS entry for the domain name, despite the fact that people can get around that easily (if they know how), and despite the fact that it may be affecting an entire ISP hosting customer personal pages (and entirely legally at that location)? And what if the location is an IP address only? There are practical limits to how many of these may be configured into a router access list.
This sounds like a clueless PACLU lawyer working with cluless legislators and a clueless attorney general, none of whom apparently know the details involved in actually getting a site blocked. The very fact they speak of URLs in the text of the law tells me they are unaware of how a huge amount of the shadier porn (of which the child porn market would undoubtedly be a part of) is actually made available. I'd bet I could easily find an ISP in Pennsylvania that was not involved in the process. And it's unclear if the law would extend beyond the Pennsylvania state line.
Blocking child pornography is essentially impossible. Blocking any sort of "content" or "IP" is an extremely difficult task. It's one thing to block port 25; unfortunately the IETF has yet to standardize on a port number for kiddie porn.
Apparently the lawmakers think everything that they might wish to block can be identified using a Universal Resource Locator. So if it falls under a set of defined protocols, such as HTTP, HTTPS, FTP, and whatever others that URLs can identify, these could be blocked. This leaves open the question of HOW to block it. What Cisco IOS configuration would I use to block a URL which identifies a specific user home page in a foreign country which defines pornography differently than they do in Pennsylvania?
Of course it is possible to block whole domain names using DNS, such as making goatse.cx go to 127.0.0.1. All the viewing public then needs to do is bypass the ISP's DNS. The ISP could the block all access to port 53 and require using their DNS servers for recursive resolve. But that will also break a lot of things, too.
Now if kiddie porn starts to be traded on P2P networks... and whose to say it isn't already... how do you block that? As the RIAA knows all too well, this doesn't work. There's no URL. And newer P2P protocols are decentralized, and don't have consistent starting points, IP addresses, or in some cases even port numbers.
First, there's the problem of deciding what to block: Let's take the obvious example, of blocking a jpg. This means someone has to determine the age of the person in that jpg. I looked at about 1,000 jpgs last nite, and I pity the fool who has to monitor my drunken pr0n surf.
I doubt they are going to monitor what you surf, even if you live in Pennsylvania. Based on the legal procedures in the text of the law, I suspect it will be more a case of when someone makes the complaint to law enforcement, or local prosecutorial attorneys, or the Attorney General himself, that the blocking request would be initiated. Of course the problem still remains that if they think that 22 year old Dutch blonde looks too much like she's 15, that they would request this, anyway. The law doesn't have any requirement that they actually verify age (as if they could).
Perhaps it would be possible to use some VERY sophisticated pattern recognition algorithm, but, like spam filtering, you're never gonna block 100% of the bad stuff while letting 100% of the good stuff through. Nevermind the incredible resource hit of scanning each downloaded jpg, or the fact that your CRC-matching database of known jpgs ain't worth shit once I take the 640x480 jpg and save it as 644x483.
Oh yeah, facial recognition. A lot of the more sleazy stuff out there, blocks or blurs the faces, too. And as you say, it is a huge resource hit, and a major cost to ISPs, which would likely create a huge challenge to the law.
But that's not even the real problem. No, the real problem is THE DEFINITION OF PORNOGRAPHY. Basically it depends on things like "community standards" and such which don't really make sense on the Internet. With child pornography, the definition gets even more complicated; things that are otherwise acceptable become pornography when the subject is under 18, such as a picture which shows the outline of the vulva through clothing isn't porn if the girl is 23 but is porn if she's 9.
Now complicate this further by the fact the law, as written, is rather far reaching, and may (they might say it does) apply to ISPs outside of Pennsylvania that offer things like web proxy access via some kind of secured channel. Should an out of state ISP receive such an order that be applied to anyone using it from within Pennsylvania, will they also provide a full list of IP addresses for Pennsylvania? Of course this is a bit imaginative on my part, but this law sure looks to me like melting swiss cheese. Too bad it will leave a stink behind.
(In fact the entire laws about kiddie porn in this country are totally fucked. The gov't can offer to sell you kiddie porn, say from an ad in the back of a magazine, and then sell it to you, and then bust you for possession. This would normally be entrapment, but the Supreme Court decided that kiddie porn is such a scourge that normal constitutional protections are outweighed by the need to lock up pedophiles. Hmmm... "First they came for the pedophiles, and I didn't speak out because I wasn't a pedophile. Then they came for the Arabs..." But I digress.)
And this is a sad situation, too, because it is well known the entrapment tactics often get people to buy things they never really would buy otherwise. Hell, even telemarketers know how to do this.
To make matters worse, pornography doesn't even have to be a picture or movie. Text can be pornography. For instance, I knew it was wrong, but I couldn't stop myself from licking 15-year old Timmy's perineum as he lay unconscious. That could be construed as kiddie porn, believe it or not. Of course in this context I won't be going to jail (I hope) since my INTENT isn't prurient (but who can really tell my intent?). But if I logged on to some kiddy chat room and made that comment, I would be in big trouble, esp. if the moderator knows what a perineum is.
And my intent is only to show what text I am replying to. And this isn't even that good of an example. There was a case here in Texas about a man who had taken his computer back to the store where he had bought it as a used item, because they had forgotten to erase the hard drive and re-install the OS, which didn't boot properly. The repair tech getting the work thought he'd take a shortcut and managed to fix the system in safe mode. But once fixed, while checking to make sure things worked, found lots of pictures right on the desktop. As it turns out, these pictures were the kids of the previous computer owner who had taken some of the pictures while they were in the bathtub. But this was not before the new owner was arrested and hauled away from his place of employment in handcuffs. The problem is, too many people trying to do what they think is the right thing, end up harming a lot of innocent people. Of course, if the police used the practice of actually asking questions before jumping the gun and invading someone's place of work, they could get things resolved in the innocent cases. I hope this guy manages to sue both the police department as well as the store for a few million.
So not only do you have to filter the content, which is a subjective process in the first place, you have to ascertain the context of that content. In other words you have to Meta-Moderate, and we all know how much fun that is!
No, this will never work, and the "blacklist" that gets passed from the Penn. A.G. to the ISP's will have all the same problems as the anti-spam blacklists: How do you get off it, do you notify someone that they're on it, or would that just tell them it's time to get a new IP address, etc.
And what if it ends up blocking a whole domain because it's just some user's home page with his kids in the bathtub, or at the beach, which is considered perfectly normal in much of the world (and even some places in the USA, depending on just what's there)
It has always been that way. Want control your own root? You can do that right now.
You're right. I've been doing it for years. It's just a matter of knowing you can. Knowledge can be a powerful thing... and dangerous to those who would try to control us. But consider why 99% are "sheep". Many don't even know you can (not that they'd ever get it right). Many are afraid to (it really does work). Many just don't know where to get the info (My zone file is from ORSC).
You really think any major ISP will point COM/NET/ORG anywhere other than where they are pointed now? But if they do, it's a chance to break up a monopoly. And you can still use a DNS server other than your bandwidth provider. Maybe the AOL crowd won't know how to do that, but the/. crowd will.
A reply to one of my comments in the slashdot article about ORBZ Shuts Down has pointed to a new article which reveals the identity of the party who threatened ORBZ operator Ian Gulliver with jail.
In that new article it is mentioned that Ian's lawyer advised him against releasing a copy of the search warrant. Why? Is it copyrighted?
I do know this is a standard clause in boilerplate agreements lawyers typically put together. But these things can be changed, and often do get changed during the course of negotiations. What is the dollar amount you would put on agreeing to hide the identity of someone who wronged you and is now finally agreeing to pay up for it, but won't pay as much (if any at all) if you don't agree to include that clause? And likewise, what is the dollar amount for agreeing not to submit it to slashdot/kuro5hin/etc?
I'm sure this will be great for coffee, tea, soups, and such. But what about beer? I think the better way to carry beer has been a longer quest.
I guess I'm now glad I put off learning Java. It looks like Java is headed down the other side of the hill, now. I still worry that things won't be any better with C# and .NET whatever Mono does. Microsoft could pull the same stunt as Sun, and we know Microsoft is very inclined to do such things.
What the world needs is a new clean combination procedure and object oriented language at a higher level (C++ is just OO retrofited to a low level pretending to be a HLL). Further, this language needs to come in TWO forms: (1) a purely compiled form producing fast native object code implemented on a variety of platforms (maybe generating C as an intermediate result would be one way to accomplish it) ... and (2) a virtual platform hosted form (what JVM and .NET are). How the hell is my server going to share executeable code between 1000's of processes running the same program if each process is generating it's own Just-In-Time machine code as it runs in its own address space? While I might trust this to be a safe platform for more secure execution, it certainly isn't sharing memory very well, and hence puts more load on the server virtual and real memory that would be the case with the execution model we now have with C/C++/F77 and some others. This would be even worse if the libraries supporting such a thing are themselves also JIT compiled. This is why I want to have a tradition execution model as an option.
Me again. Elsewhere it has been noted that IBM has in fact fixed this a while back. In this case, (someone at) IBM should be called as an expert witness to testify that the bug is fixed and that the administrator of the defective system is negligent in having failed to apply the fix. Failure to apply fixes is a major cause of security and spam problems on the net, certainly costing at least hundreds of millions of dollars a year to clean up, and lost time and bandwidth dealing with the effects. Someone who fails to apply fixes in a timely manner (30 days tops) should be slapped very very hard.
And we want to know who the hell it is that brought this complaint.
So if you post online, and your email address is available, and someone replies by email directly, instead of doing an online followup, you consider that spam? I don't.
Take a look at the history of the term "spam". It came from a skit on Monty Python's Flying Circus where the term "Spam", in reference to a processed pork meat product, was repeated extensively in the skit. Later, this skit was repeated in online MUD games, and morphed into repeats of many other words. But the term "spamming" developed there as a result of the pointless repeating. It then was used in reference to repeated online postings to multiple newsgroups in Usenet, and from there to email.
The bulk postings on Usenet don't have any particular "solicited" attribute. Spam is unacceptable because it cannot scale. It's not something that is practical for "everyone to do it" due to the lower sender cost and high receiver cost.
The term "unsolicited" was added later to distinguish the most hated forms of spam which are sent to harvested email lists gathered from various sources unrelated to preferences in receiving commercial announcements. The terms "spam" and "unsolicitted" do intersect, but are not the same set.
If you don't want to make it possible for specific parties to determine whether your mail server can or cannot be exploited by others who have bad intents, then I don't blame them for then listing your mail server as one that the safety of which cannot be determined. I would then not want to allow my mail server to accept any mail from your mail server due to the risk that such mail may in fact be the spam that has exploited your server.
All you need to do is to refuse to RELAY the mail in the probe. Then discard the bounce-back when it has the string "sender.orbz.org" in the headers. They are NOT depending on the bounceback coming back; just depending on the delivery not being completed in the orignal probe. Don't reject the probe ... just reject the forwarding/relaying of the probe.
IMHO, ORBZ was doing a fine job, and doing it reasonably well. I don't see their probe as being "spam" (yes, it is technically "unsolicited", but that's not the issue I concern myself with), and I see their database as useful in rejecting delivery attempts from risky servers. I will miss them. I've already gotten 5 spams today, well exceeding my recent average of about 1 per day (with about 50 rejected per day to just my own email addresses). I hope they find a way to get back online, and I hope you find a way to make your mail server operate smoothly even with these probes. The only problem I'd see is if hundreds of people started up their own system of probes.
Of course it's my problem. I take care of my problem by not accepting mail from places I believe may send spam. Then it's up to them to decide whether they want to continue their ways, or change their ways. ORBZ email testing did not disrupt my servers. I see no basis to believe those probes would disrupt any properly designed and properly configured servers. ORBZ provided useful information for me to further my aims to prevent incoming mail from misconfigured and broken mail servers. As long as ORBZ was not sending their probes in bulk, I don't see it as spam.
I have administered Lotus Notes before. It was a RPITA ... worse than even sendmail. It's definitely something to be avoided, and where it can't be avoided, front-ended with another mail server (which I did).
The mechanism Ian was using was OPEN RELAYING. Open relaying was quite common before commercialization came to the internet, and it wasn't considered to be spam, then. Why should it be considered to be spam now? The definition of SPAM involves the bulk transmission of email. This bulk aspect is what causes the problem we fight against. Open relays are one of the mechanisms spammers have abused (remember, at one time, open relaying was a good thing when the internet was benevolent). When Ian sent a probe, as long as he didn't send bulk mail to many different addresses, it was NOT SPAM!
That said, he DID make a mistake in failing to stop sending to that server when the administrator complained. What he should have done was list the server as "will not test" and let us block mail coming from there under the principle that I cannot trust whether it is, or is not an open relay (I prefer not to accept mail delivery at the SMTP protocol layer from an server believed or suspected to be an open relay because it defeats my efforts to block sources of spam). This presumes that the administrator of that broken Notes server (double bounces as in qmail might be an annoying feature, but infinite bounces as in Notes is a blatant defect) did notify him. If not, then I place no blame on Ian whatsoever.
Ian was mimicking a spammer to carry out the test. So of course it can look like a spammer to those who fail to check the original of the connection. Most of my servers have been tested, and I've never had a problem with it. If course the tests must be specially crafted to break through the anti-relay defenses when the server is programmed or configured in a way that allows anyone to break through, as spammers can, and probably do. Calling Ian a spammer is absurd. He has not sent bulk mail.
If you want double bounce messages, that's your business. If you don't want them, you do know how to turn that off. Using local sender address is a way to fool many mail servers into relaying spam, so it is a valid test. If your mail server deals with this poorly, that's your problem. You can also filter your double bounces from your mailbox based on the headers. Do what you need to do.
I have no reason to "target" Notes servers. The defect does NOT (apparently) make them open relays. So I have no reason to block them. However, when I found out who it is that pursued the complaint against ORBZ and threatened them with criminal charges, I WILL BLOCK THEM and I will send them mail explaining that they are blocked and why.
As for targeting Notes servers for DoS attacks, why would I do that? There are plenty of kids around to take care of the job :-)
If they receive a complaint that the server is being taken down as a result of the receipt of a valid (albeit meaningless for sending valid mail) header, then just put that server in the list of (we don't test these, so they are permanently blocked for safety reasons), and move on. If it is the case that ORBZ received an initial communication about the issue from whoever runs that server, then this could have been done.
Your analogy about force feeding peanuts is false because it depends on the notion that feeding in general is a forced activity (which it it is not). It is the standard protocol for mail to be "force fed" to the recipient server ... in this case it had a peanut in it. So within the context of sending email, force feeding is the norm. And further, the form used by ORBZ is valid and should never cause impact. My servers have been tested and didn't fail. My only complaint to ORBZ was that they missed one of my servers in their testing cycle :-)
That return address is a perfectly valid one for which bounceback loops make no sense in compliance with email standards. Some defective mail servers check the sender address to determine if the mail should be sent to the recipient address, and if that sender address is "local" it allows it to go on. The test ORBZ was doing was a perfectly valid test that should never be forwarded on (but some mail servers see it as a local sender), and wouldn't bounce infinitely in a properly designed mail server.
There is NO VALID CONFIGURATION which should result in an infinite loop on the bounceback. If there are ways to configure to avoid it, great. But there shouldn't be a way to actually configure it to do this, and it most certainly should NEVER be the default setup.
When mail is sent to a bad name, and it attempts to bounce back to the apparent sender, it should first recognize that it is connecting to itself. Failing that, the sender of the bounce message should either be a valid box to collect failed bounces for the postmaster to clean out, or it should be a null address which gets discarded. A bounce should never trigger another bounce, either on its delivery, its failure to deliver, or its return. In this, Lotus Notes/Domino is a defective software product and needs to be fixed. I recommend that Ian Gulliver ask his attorney about filing a motion of interpleader to bring IBM into the case as a defendant, if the plaintiff continues to pursue it. If IBM (which just stuck a big ad in my face here on /. spouting off about their security) can't fix this, then they are the ones who should be paying up.
The only way to deal with the DADS "Dynamically Addressed Direct Spam" is to block the their whole pools one way or another. I prefer to block by domain name if they have set up the pools in separate DNS zones (smarter ISPs know to do this). If I get 2 DADS from the same domain that doesn't have a separate DNS zone, I just block the whole ISP and send them a nasty-e-mail about it telling them how to fix it (most are so incompetent they don't understand).
BTW, I also block based on the lack of reverse DNS that is correctly forward DNS verified. That does cut out a huge amount of spam. I also block China, Hong Kong, Korea, and Taiwan by IP address, and that also cuts out a huge amount of spam.
What it every /.-er sets up a small ISP business in Pennsylvania, or one that can at least in theory be used by Pennsylvanians. And what if they all let the Pennsylvanian AG office know of their existance and their agent's address? Will the AG have to send out over half a million copies of the court order?
If the Pennsylvania Attorney General thinks the law also applies to out of state ISPs hosting open proxy servers, or access lines which can be called by long distance, then in theory they should be sending this list to those ISPs as well. Whether they can enforce it or not is one thing. But they have no case at all if don't transmit the court order to that ISP. So set up a small proxy server and call yourself an ISP. Make sure the Pennsyvania AG knows of your existance, and you should start to see your copies of the orders arriving by certified mail. Now you, too, can become rich off the pedophiles outside of Pennsylvania.
Oh, and you'll need to ask the AG for a list of IP addresses in Pennsylvania, too. :-)
The definition of child porn varies around the world. What might be child porn in Pennsylvania might be a family vacation on the Mediterranean in Europe. It just depends on how far the prudes in Pennsylvania go in complaining to the AG or DAs. Do they consider children having fun at the beach with no clothes on at all to be child porn? That's certainly not the worst of what is on the net, but it is what could mark the difference between what can be shutdown at the source or not.
I'm sure someone will verify the sites. The big problem I see is how to actually go about deploying the capability to block sites on any significant scale. Would you be willing to put 1000 access list entries ... for 1000 sites identified only by URLs with IP addresses and weird port numbers ... into your nearly saturated 7XXX border router? Don't expect to do intercepted web caching on all those non-80 port numbers that many if the shadier porn sites use. Don't expect to do DNS A-record substitution on sites specified by IP address in the URL.
This still fails to consider the impracticality of deploying blocks for most likely forms of site identification. Is the ISP supposed to make absolutely certain there is no way for any customer to access the site by any means whatsoever? Or is it adequate that they only block the site in a way that ordinary non-technical people would be effected by? Is it enough to substitute the DNS entry for the domain name, despite the fact that people can get around that easily (if they know how), and despite the fact that it may be affecting an entire ISP hosting customer personal pages (and entirely legally at that location)? And what if the location is an IP address only? There are practical limits to how many of these may be configured into a router access list.
This sounds like a clueless PACLU lawyer working with cluless legislators and a clueless attorney general, none of whom apparently know the details involved in actually getting a site blocked. The very fact they speak of URLs in the text of the law tells me they are unaware of how a huge amount of the shadier porn (of which the child porn market would undoubtedly be a part of) is actually made available. I'd bet I could easily find an ISP in Pennsylvania that was not involved in the process. And it's unclear if the law would extend beyond the Pennsylvania state line.
Are you sure that's what the question really is? Are you sure there is a question here?
Apparently the lawmakers think everything that they might wish to block can be identified using a Universal Resource Locator. So if it falls under a set of defined protocols, such as HTTP, HTTPS, FTP, and whatever others that URLs can identify, these could be blocked. This leaves open the question of HOW to block it. What Cisco IOS configuration would I use to block a URL which identifies a specific user home page in a foreign country which defines pornography differently than they do in Pennsylvania?
Of course it is possible to block whole domain names using DNS, such as making goatse.cx go to 127.0.0.1. All the viewing public then needs to do is bypass the ISP's DNS. The ISP could the block all access to port 53 and require using their DNS servers for recursive resolve. But that will also break a lot of things, too.
Now if kiddie porn starts to be traded on P2P networks ... and whose to say it isn't already ... how do you block that? As the RIAA knows all too well, this doesn't work. There's no URL. And newer P2P protocols are decentralized, and don't have consistent starting points, IP addresses, or in some cases even port numbers.
I doubt they are going to monitor what you surf, even if you live in Pennsylvania. Based on the legal procedures in the text of the law, I suspect it will be more a case of when someone makes the complaint to law enforcement, or local prosecutorial attorneys, or the Attorney General himself, that the blocking request would be initiated. Of course the problem still remains that if they think that 22 year old Dutch blonde looks too much like she's 15, that they would request this, anyway. The law doesn't have any requirement that they actually verify age (as if they could).
Oh yeah, facial recognition. A lot of the more sleazy stuff out there, blocks or blurs the faces, too. And as you say, it is a huge resource hit, and a major cost to ISPs, which would likely create a huge challenge to the law.
Now complicate this further by the fact the law, as written, is rather far reaching, and may (they might say it does) apply to ISPs outside of Pennsylvania that offer things like web proxy access via some kind of secured channel. Should an out of state ISP receive such an order that be applied to anyone using it from within Pennsylvania, will they also provide a full list of IP addresses for Pennsylvania? Of course this is a bit imaginative on my part, but this law sure looks to me like melting swiss cheese. Too bad it will leave a stink behind.
And this is a sad situation, too, because it is well known the entrapment tactics often get people to buy things they never really would buy otherwise. Hell, even telemarketers know how to do this.
And my intent is only to show what text I am replying to. And this isn't even that good of an example. There was a case here in Texas about a man who had taken his computer back to the store where he had bought it as a used item, because they had forgotten to erase the hard drive and re-install the OS, which didn't boot properly. The repair tech getting the work thought he'd take a shortcut and managed to fix the system in safe mode. But once fixed, while checking to make sure things worked, found lots of pictures right on the desktop. As it turns out, these pictures were the kids of the previous computer owner who had taken some of the pictures while they were in the bathtub. But this was not before the new owner was arrested and hauled away from his place of employment in handcuffs. The problem is, too many people trying to do what they think is the right thing, end up harming a lot of innocent people. Of course, if the police used the practice of actually asking questions before jumping the gun and invading someone's place of work, they could get things resolved in the innocent cases. I hope this guy manages to sue both the police department as well as the store for a few million.
And what if it ends up blocking a whole domain because it's just some user's home page with his kids in the bathtub, or at the beach, which is considered perfectly normal in much of the world (and even some places in the USA, depending on just what's there)
You're right. I've been doing it for years. It's just a matter of knowing you can. Knowledge can be a powerful thing ... and dangerous to those who would try to control us. But consider why 99% are "sheep". Many don't even know you can (not that they'd ever get it right). Many are afraid to (it really does work). Many just don't know where to get the info (My zone file is from ORSC).
But with DNS, we can trade root zone files. Here's mine.
You really think any major ISP will point COM/NET/ORG anywhere other than where they are pointed now? But if they do, it's a chance to break up a monopoly. And you can still use a DNS server other than your bandwidth provider. Maybe the AOL crowd won't know how to do that, but the /. crowd will.