Open Relays, Free Speech, and Virus Propagation 488

sirsnork writes: "There is a story about John Gilmore running an open relay that is being used by a virus to propagate running over at Newsbytes. His defence? He wants his friends to be able to send email through his server from wherever they are. You'd think he'd know better." Gilmore has been skirmishing with Verio for some time over his open mail relay. Is it a good thing because it promotes the free flow of information? Is it bad for promoting the free flow of spam? Do the ethics change because someone writes a virus that uses the server to propagate? Interesting questions.
  • Why an open relay? (Score:2, Informative)

    by Spock the Vulcan ( 196989 ) on Thursday March 07, 2002 @01:10PM (#3125111)
    If he wants his friends to use the server from anywhere, why not use an authentication scheme like SMTP AUTH or POP-before-SMTP?
  • by spotter ( 5662 ) on Thursday March 07, 2002 @01:11PM (#3125128)
    If you want people to use you as a relay from wherever you are, use SMTP authentication. It doesn't have to be a real account, and using things like CRAM-MD5 the password isn't sent in the clear (or one can use SMTP-TLS, but that's less supported).

    I do this with evolution, I know outlook and netscape support it.
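The CRAM-MD5 exchange spotter refers to, played out with both sides in Python. This is an added example, not code from the post or from any of the mail servers or clients named in the thread; the user name, password, host name and the 235/535 reply texts are made up for the demonstration. It shows why the password never crosses the wire, and also the caveat that a captured challenge/response pair can be attacked offline, so the mechanism hides the password without making a weak one safe.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed demo credentials (an assumption for this example, not from the page).
USERS = {"friend": b"correct horse battery staple"}


def server_challenge(hostname="mail.example.org"):
    """Server side: the RFC 2195 challenge, '<random.timestamp@host>' as raw bytes."""
    return f"<{secrets.randbits(64)}.{int(time.time())}@{hostname}>".encode()


def client_response(challenge, user, password):
    """Client side: HMAC-MD5 keyed with the password, computed over the challenge.

    Wire form is base64('user' + ' ' + hexdigest). The password itself is never
    transmitted, which is the point made in the post above.
    """
    digest = hmac.new(password, challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def server_verify(challenge, response_b64):
    """Server side: recompute the MAC for the claimed user; constant-time compare."""
    try:
        user, digest = base64.b64decode(response_b64, validate=True).decode().split(" ", 1)
    except ValueError:  # bad base64, bad UTF-8, or no separating space
        return False
    password = USERS.get(user)
    if password is None:
        return False
    expected = hmac.new(password, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def run_exchange(user, password):
    """Play the AUTH CRAM-MD5 dialogue; returns (transcript lines, authenticated?)."""
    challenge = server_challenge()
    response = client_response(challenge, user, password)
    ok = server_verify(challenge, response)
    transcript = [
        "C: AUTH CRAM-MD5",
        "S: 334 " + base64.b64encode(challenge).decode(),
        "C: " + response,
        "S: 235 2.7.0 Authentication successful" if ok
        else "S: 535 5.7.8 Authentication credentials invalid",
    ]
    return transcript, ok


def offline_guess(challenge, response_b64, candidates):
    """Caveat: anyone who captured the challenge and the response can test password
    guesses offline, with no rate limit from the server. Returns the matching
    candidate from `candidates`, or None."""
    _, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    for guess in candidates:
        if hmac.new(guess, challenge, hashlib.md5).hexdigest() == digest:
            return guess
    return None


if __name__ == "__main__":
    for line in run_exchange("friend", USERS["friend"])[0]:
        print(line)
```

Because the server has to recompute the MAC, it must keep the password (or an equivalent intermediate) in recoverable form rather than as a one-way hash; that, plus the offline guessing shown in `offline_guess`, is why the usual advice today is AUTH over TLS rather than relying on CRAM-MD5 alone.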
  • by hyperstation ( 185147 ) on Thursday March 07, 2002 @01:15PM (#3125183)
    bash-2.05$ telnet toad.com 25
    Trying 140.174.2.1...
    Connected to toad.com.
    Escape character is '^]'.
    220 toad.com ESMTP Sendmail 8.7.5/8.7.3; Thu, 7 Mar 2002 09:11:09 -0800 (PST)
    helo toad.com
    250 toad.com Hello [12.32.42.180], pleased to meet you
    mail from:<asdfasdf@asdfasdf.com>
    250 <asdfasdf@asdfasdf.com>... Sender ok
    rcpt to:<dick@dick.com>
    250 Recipient ok
    data
    354 Enter mail, end with "." on a line by itself

    .
    250 JAA03142 Message accepted for delivery
  • by Gordonjcp ( 186804 ) on Thursday March 07, 2002 @01:18PM (#3125214) Homepage
    What's wrong with using POP-before-SMTP?

    Quite a few servers use it now. My favourite "toy" server, eXtremail [extremail.com], does this by default...
  • by Spock the Vulcan ( 196989 ) on Thursday March 07, 2002 @01:18PM (#3125218)
    My problem is that SMTP has no authentication that I can find that would allow me to let him use our SMTP server from wherever he was
    Yes it does. Read
    RFC2554 [elysium.pl], SMTP AUTH. To quote: "SMTP AUTH is " ..an SMTP service extension [ESMTP] whereby an SMTP client may indicate an authentication mechanism to the server, perform an authentication protocol exchange, and optionally negotiate a security layer for subsequent protocol interactions."
  • Re:secure (Score:2, Informative)

    by jalewis ( 85802 ) <jlewis.packetnexus@com> on Thursday March 07, 2002 @01:19PM (#3125226) Homepage
    Open relays are common for schools. I recently implemented something to reduce spam and all the schools that send us email were blocked, because they are on the list as being an open relay.

    Unfortunately, ALL of our business is school related. The open relay block came down. Sigh... I am still able to use the known spammer list, but it isn't as effective as the open relay.

    More info on setting this up for yourself can be found at http://www.spews.org . They are kind of a clearing house for all the spam blockers.

    I highly recommend using something. I use it personally and have seen an 80% drop in spam that gets through.

    jas

  • Re:Everyone's right! (Score:3, Informative)

    by romkey ( 145460 ) on Thursday March 07, 2002 @01:21PM (#3125250) Homepage
    Part of John's complaint was that Verio was filtering mail to their customers based on the RBL, and that John couldn't send mail to his own ISP because of this.

    I largely agree with what you said, but I think part of John's complaint which you missed is that Verio is making the decision for their customers as to whether or not to accept email from John's open relay, and not allowing their customers to make that decision themselves.
  • Change your ISP. (Score:3, Informative)

    by sulli ( 195030 ) on Thursday March 07, 2002 @01:22PM (#3125263) Journal
    My ISP (Verio, it turns out) lets me send email via my own domain, from any IP address. I just need to get email first, so the server knows I'm a legitimate user. This rule makes sense for spam prevention - and it also means that I don't need to change smtp settings when switching from DSL to dial-up to private network behind a firewall. If your ISP doesn't do this, it should.
  • Re:Everyone's right! (Score:3, Informative)

    by FreeUser ( 11483 ) on Thursday March 07, 2002 @01:28PM (#3125313)
    I largely agree with what you said, but I think part of John's complaint which you missed is that Verio is making the decision for their customers as to whether or not to accept email from John's open relay, and not allowing their customers to make that decision themselves.

    As long as Verio is being upfront and honest with their customers that they are using RBL, then their customers have made the choice, by choosing Verio. It would be nice if Verio provided a facility for their customers to opt in or out of using the RBL list, but really that is just a convenience: their customers can easily opt out of the RBL by choosing another ISP.

    As a previous post said, "everyone is right." John has the right to run an open relay, Verio has the right to sell him service (or not), and I (as well as Verio) have the right to filter his site because I don't like his actions. His rights stop at my home's router (whether I've chosen to block him of my own accord, or because of RBL's recommendation, or not at all, is my business, not his).
  • by Anonymous Coward on Thursday March 07, 2002 @01:28PM (#3125315)
    Vpopmail also supports pop-before-smtp auth very easily.

    just ./configure --enable-roaming-users=y and you're away.
  • Re:Everyone's right! (Score:2, Informative)

    by thczv ( 541683 ) on Thursday March 07, 2002 @01:36PM (#3125359)
    > Verio has every right not to sell Internet
    > service to people who want to use it to run
    > open mail relays. John Gilmore has no right to
    > demand Internet service from Verio.

    I think this is wrong. It sounds like the contract that governs Gilmore's internet service places NO content restrictions on his use of the service. That is what one of those links above says.

    thczv

  • Re:Everyone's right! (Score:2, Informative)

    by dachshund ( 300733 ) on Thursday March 07, 2002 @01:36PM (#3125362)
    MAPS, ORDB, ORBZ, and the other blackhole lists have every right to tell me that John Gilmore is running an open relay. John Gilmore has no right to gag the blackhole lists' truthful speech about him.

    A lot of people would have made similar arguments for Napster. Turns out that there are a number of legal principles that override the "right to free speech" under various circumstances. I sincerely doubt that any of them come into play in this case, but don't imagine that the the 1st amendment provides MAPS or any other service with blanket protection.

  • Why doesn't Gilmore? (Score:5, Informative)

    by Hieronymus Howard ( 215725 ) on Thursday March 07, 2002 @01:43PM (#3125398)
    My provider allows anyone to use SMTP, provided that they have first made a successful POP connection. Once the POP connection is made and the user authenticated, then their IP address is added to the relay, for a period of time (a few hours, I think).

    Why doesn't Gilmore implement something like this? Then his friends could still use his relay from anywhere in the world, but spammers wouldn't be able to.

    I'm inclined to agree with the comment in the article that Gilmore is "being a stubborn old fool for leaving his mail systems as open relays".

    HH
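The POP-before-SMTP scheme Hieronymus Howard describes, as an added example in Python (not code from the post or from any POP or SMTP server named in the thread). A relay grant is keyed on the client IP seen in a successful POP login and lapses after a window; the two-hour window, the `popd` log format and the addresses in the sample lines are all constructed for this example. It also shows the two edges a practitioner has to handle: a failed login grants nothing, and a grant is tied to the address, so anyone sharing that address (a NAT, a dial-up pool) inherits it for the duration.

```python
import re
from datetime import datetime, timedelta

# Grant lifetime. The post says "a few hours"; two hours here is an assumption.
GRANT_WINDOW = timedelta(hours=2)

# Constructed sample lines in a syslog-like shape; not copied from any real POP daemon.
SAMPLE_POP_LOG = """\
Mar  7 13:02:11 mail popd[4121]: login: alice from 198.51.100.7
Mar  7 13:05:40 mail popd[4130]: login failed: bob from 203.0.113.9
Mar  7 13:20:03 mail popd[4150]: login: alice from 198.51.100.7
Mar  7 15:45:02 mail popd[4222]: login: carol from 192.0.2.33
"""

# Only a successful "login:" line matches; "login failed:" does not.
LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ popd\[\d+\]: "
    r"login: (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


class RelayGrants:
    """Tracks which client IPs recently authenticated to POP and may therefore relay."""

    def __init__(self, window=GRANT_WINDOW, year=2002):
        self.window = window
        self.year = year        # syslog timestamps carry no year; the caller supplies it
        self._last_login = {}   # ip -> datetime of the most recent successful POP login

    def ingest(self, line):
        """Record a successful login. Failed logins and unrelated lines are ignored."""
        m = LOGIN_RE.match(line)
        if not m:
            return False
        ts = datetime.strptime(f"{self.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        prev = self._last_login.get(m["ip"])
        if prev is None or ts > prev:
            self._last_login[m["ip"]] = ts
        return True

    def may_relay(self, ip, now):
        """Relay decision for an SMTP client at `ip` connecting at time `now`.
        Note the grant is per address: everyone behind that address shares it."""
        last = self._last_login.get(ip)
        return last is not None and timedelta(0) <= now - last <= self.window

    def expire(self, now):
        """Drop grants older than the window; returns how many were removed."""
        stale = [ip for ip, t in self._last_login.items() if now - t > self.window]
        for ip in stale:
            del self._last_login[ip]
        return len(stale)


def grants_from_log(text, **kw):
    """Build the grant table by replaying a POP log."""
    grants = RelayGrants(**kw)
    for line in text.splitlines():
        grants.ingest(line)
    return grants


if __name__ == "__main__":
    g = grants_from_log(SAMPLE_POP_LOG)
    now = datetime(2002, 3, 7, 14, 0)
    for ip in ("198.51.100.7", "203.0.113.9", "192.0.2.33"):
        print(ip, "may relay" if g.may_relay(ip, now) else "relay denied")
```

In a real deployment the grant table lives wherever the SMTP daemon can consult it on every RCPT (a DB file or a table the access map points at), and the POP daemon or a log tailer writes into it; the logic above is the decision it has to make.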
  • Re:Free flow. (Score:3, Informative)

    by Flarenet ( 31299 ) on Thursday March 07, 2002 @01:51PM (#3125470) Homepage Journal
    That signature is from a User Friendly [userfriendly.org] strip. The characters were actually Stef and Greg. See the original [userfriendly.org] comic strip.
  • by oobeleck ( 313907 ) <`oobeleck' `at' `yahoo.com'> on Thursday March 07, 2002 @02:12PM (#3125639) Homepage Journal
    You can send your email from "anywhere" in the world and still NOT be an Open Relay.

    Using postfix [postfix.org] (Especially on OpenBSD [openbsd.org].)

    Just use the ports tree and tweak [openbsd.org] the makefile to do sasl.

    Follow the instructions on doing smtp-auth [thecabal.org]. Or you can go here for another howto [dhassler.com] by a friend of mine.

    I run this on my OpenBSD box at home and it works great. I send my email from "anywhere" in the world and spammers are out of luck...

    Please DON'T moderate me up as "interesting".
    I am not Karma whoring I just want to help people be responsible...
  • Re:It's bad. (Score:2, Informative)

    by wunderhorn1 ( 114559 ) on Thursday March 07, 2002 @02:18PM (#3125696)
    RFC 2142 [ietf.org] outlines the standard mailbox names that every organization should have. (I tried to paste the list in, but the stupid lameness filter kept complaining about "junk characters".)
  • Re:It's bad. (Score:2, Informative)

    by Grylle ( 558338 ) on Thursday March 07, 2002 @02:20PM (#3125720)
    postmaster@domain is required to exist (RFC-822) (see http://www.ietf.org/rfc/rfc0822.txt)
  • Who is John Gilmore? (Score:5, Informative)

    by SiliconEntity ( 448450 ) on Thursday March 07, 2002 @02:23PM (#3125747)
    Readers should be aware that John Gilmore is not just a clueless know-nothing who refuses to close his mail server out of ignorance.

    Gilmore is a true Internet pioneer and activist, a dedicated supporter of free speech. A short list of his accomplishments is available here [isoc.org], including being one of the first employees at Sun and helping found the EFF. In addition he was an early activist in getting the Usenet alt. groups going as an alternative to the rest of the hierarchy where tight controls were in place. He has been active in supporting free access to cryptography, helping found the Cypherpunks and participating in a number of lawsuits and FOIA actions to get the government to reduce restrictions on crypto. He has funded the FreeSwan effort to build transparent point to point crypto into the Linux kernel.

    He also founded Cygnus Support, probably the first company to prove that you could make money off of open source software. The company was sold to Red Hat in 1999 for $674 million.

    John Gilmore was fighting for free speech and the right to communicate before most of us had ever heard of the Internet. If his actions seem out of step with an increasingly paranoid and closed Internet community, I suggest that we not be so quick to assume that everyone else is right and Gilmore is wrong. History has shown him to be a far sighted thinker who has been on the right side of virtually every issue.

  • Re:It's bad. (Score:2, Informative)

    by mkettler ( 6309 ) on Thursday March 07, 2002 @02:27PM (#3125783)

    Yes, but in this country there is a concept referred to as negligence. I am not a lawyer, but if my understanding of the law is correct, if you are knowingly negligent in securing a resource which is known to be able to cause harm (monetarily or otherwise) when stolen, you are in some manner liable for the damages caused. Correct me if I am wrong, but if I ran a gun store and refused to lock the door when I left at night, despite being warned that kids were walking in and stealing the guns, I would be guilty of manslaughter (at least) if one of those guns was used in a murder. Given that I premeditatedly chose to keep the store unlocked despite being advised of the risks, it might even be 1st degree murder (I'm not sure, IANAL as I already said).

    I am not an "expert" in the field of mailserver security either, but it is my opinion that this is a cut-and-dry case of negligence on John's part, and I am disgusted that he would go so far as to try to abuse the first amendment in this manner.

    This security problem is so well known, and so well documented there's even an RFC on the matter, RFC 2505. And while this RFC is a description of current best practices, not a protocol requirements document, the list of recommendations under section 2 specifically states:

    1) MUST be able to restrict unauthorized use as Mail Relay.

    Don't believe me, go here:
    http://www.ietf.org/rfc/rfc2505.txt

    This implies to me that despite the existence of technical methods to solve this problem (SMTP authentication for one), and having been advised of the impact this is having on others, John Gilmore is bent on ignoring industry standard practices for properly securing a mailserver. Even Yahoo can figure out how to configure their SMTP server to use authentication, and the eudora mail client that Gilmore specifically mentions on his page is capable of using SMTP auth (I know, I use eudora and have a yahoo account).

    So how exactly is this a matter of free speech and not an attempt to contain the damage caused by a negligently configured mailserver operated by an administrator who is not ignorant to the industry standard methods of preventing the problem, and appears to be merely ignoring such standards for the sake of convenience? Sounds a lot like a "well, locking my store is a hassle because I have to remember to bring my keys with me when I go to work so I leave my gun store unlocked" argument. (admittedly the damage caused by this is much lower than a gun store, but it is fundamentally the same argument he's making)

    On his page Gilmore also makes the argument that the filter Verio has placed upon his internet connection is sufficient to stop the damage, so this gives them no grounds to terminate him. What I believe Gilmore is failing to realize is that he is placing the responsibility for correcting his own security problems on Verio. Now, due to the negligence of one of their customers, Verio has to maintain a filter to ensure that customer does no damage, and you could even make the argument that if the filter fails, now *they* are negligent and liable for the damage caused. If I ran an ISP I certainly would not want that liability.

    Now Verio is considering not disconnecting him because he's agreed to do some form of rate limiting? Sorry, this is not the proper solution to this simple problem; it merely reduces the rate of damage caused to a less problematic level.

    (yeah, I'll secure the gun cases so you can only take one gun out every five minutes, which will prevent someone from coming in and taking more than one gun at a time, because I still don't want to put a lock on my door, even though the lock is free and I can install it myself.)

    I'm sorry Gilmore, you've been around the internet block several times more than I have, but I don't see how your arguments of free speech hold water. I'm also quite concerned that your actions are weakening the strength of the name of the EFF by associating them with a free speech argument which seems to consist of little more than baseless litigation. I expect legal cases with common-sense holes the size of Texas in them from the legal department of Amazon (patenting affiliation sales?) but I do not expect the name of the EFF to be associated with such frivolous matters.

    Censorship? Bah! Get off dead center and secure your systems properly.

  • Re:Relay still open? (Score:2, Informative)

    by bruns ( 75399 ) <bruns@2mbit.cRABBITom minus herbivore> on Thursday March 07, 2002 @02:55PM (#3125998) Homepage
    [bruns@summit bruns]$ rlytest 140.174.2.1
    Connecting to 140.174.2.1 ...
    220 toad.com ESMTP Sendmail 8.7.5/8.7.3; Thu, 7 Mar 2002 10:52:02 -0800 (PST)
    HELO mail.2mbit.com
    250 toad.com Hello bruns@summit.magenet.net [216.152.230.50], pleased to meet you
    MAIL FROM:nobody@[140.174.2.1]
    250 nobody@[140.174.2.1]... Sender ok
    RCPT TO:bruns@mail.2mbit.com
    250 Recipient ok
    DATA
    354 Enter mail, end with "." on a line by itself
    (message body)
    250 KAA10196 Message accepted for delivery
    QUIT
    221 toad.com closing connection
    rlytest: relay accepted - final response code 221

    Still wide open.
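Both the telnet session earlier in the thread and the rlytest run above check the same thing: does the server answer 250 to RCPT TO for a domain it is not responsible for? Here is that probe as an added example in Python, not code from either post and not rlytest itself. To run offline it includes a throwaway SMTP responder on 127.0.0.1 that can be started in "open relay" or "reject unauthorised destination" mode; the host names, addresses and the 554 reply text are constructed for the example. Unlike the posted tests, the probe stops after RCPT and never sends DATA, so a positive result does not itself relay a message through the target.

```python
import smtplib
import socket
import threading

# Domains the test server considers its own (constructed for this example).
LOCAL_DOMAINS = {"toad.example"}


def _serve_one(conn, open_relay):
    """Answer one SMTP session with just enough of the protocol for a relay probe."""
    rd = conn.makefile("rb")

    def say(line):
        conn.sendall((line + "\r\n").encode())

    say("220 toad.example ESMTP test server")
    while True:
        raw = rd.readline()
        if not raw:                      # client went away
            break
        verb, _, arg = raw.decode(errors="replace").rstrip("\r\n").partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            say(f"250 toad.example Hello {arg}")
        elif verb == "MAIL":
            say("250 Sender ok")
        elif verb == "RCPT":
            addr = arg.partition(":")[2].strip().strip("<>")
            domain = addr.rpartition("@")[2].lower()
            if open_relay or domain in LOCAL_DOMAINS:
                say("250 Recipient ok")  # an open relay says this for any domain
            else:
                say("554 5.7.1 Relay access denied")
        elif verb in ("RSET", "NOOP"):
            say("250 OK")
        elif verb == "QUIT":
            say("221 closing connection")
            break
        else:
            say("500 Command unrecognized")
    rd.close()
    conn.close()


def start_server(open_relay):
    """Start a throwaway SMTP listener on 127.0.0.1; returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:              # listener closed by the caller
                return
            threading.Thread(target=_serve_one, args=(conn, open_relay), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def rcpt_code(host, port, mail_from, rcpt_to):
    """Return the server's reply code to RCPT TO. DATA is never sent."""
    with smtplib.SMTP(host, port, local_hostname="probe.example", timeout=5) as s:
        s.ehlo_or_helo_if_needed()
        code, _ = s.mail(mail_from)
        if code != 250:
            return code
        code, _ = s.rcpt(rcpt_to)
        return code                      # QUIT is sent when the with-block exits


def is_open_relay(host, port, foreign_rcpt="nobody@elsewhere.example"):
    """An open relay accepts a recipient in a domain it is not responsible for."""
    return rcpt_code(host, port, "relay-probe@probe.example", foreign_rcpt) == 250


if __name__ == "__main__":
    for mode in (True, False):
        srv, port = start_server(open_relay=mode)
        print("server open_relay =", mode, "-> probe says open:", is_open_relay("127.0.0.1", port))
        srv.close()
```

A 250 to a foreign recipient is the whole signal; whether the server would actually deliver is not something the probe needs to find out, and stopping at RCPT keeps the test from adding one more relayed message to the problem it is measuring.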
  • Re:Not quite.. (Score:2, Informative)

    by sqlrob ( 173498 ) on Thursday March 07, 2002 @03:07PM (#3126076)
    Spam is the only reason that open relays are bad. MS's security isn't.

    Try reading the article. A Windows trojan [symantec.com] has this particular relay hard coded into it and uses it to send.

  • A good argument (Score:3, Informative)

    by randombit ( 87792 ) on Thursday March 07, 2002 @03:40PM (#3126389) Homepage
    I went and saw a talk this afternoon, given by John Perry Barlow (another co-founder of EFF) at my school. Someone asked about this, and he had a very good response, one which makes me side with Gilmore on this:

    The whole point of the internet is dumb network, smart nodes. If the end nodes aren't smart enough to deal with spam (99.9% is quite easy to identify) and viruses (hello MS, I'm talking to you), then that is the problem of the end nodes, not the network.

    <possible flamebait>
    If I take a bus to downtown and proceed to throw a brick through a store window, is that the fault of the city, for running the bus service? (I know this isn't a particularly good analogy, but it's the best I can come up with on short notice)
    </possible flamebait>

    Posting at +2 on purpose. Moderate as you like.
  • by CJ Hooknose ( 51258 ) on Thursday March 07, 2002 @03:41PM (#3126399) Homepage
    Me, I run an open relay on my home server because I never know where I will be when I want to send an email; does that make me a bad person that I help the spammers send you guys spam?

    The 1st Amendment doesn't apply to this. You're attempting to raise emotions instead of solving a problem, makes me think you're trolling, but oh well.

    Yes, running an open SMTP relay is bad. Best analogy is leaving your house unlocked, and leaving the liquor cabinet unlocked as well. If you did that, and some 16-year-old got into your whiskey and then behind the wheel of a car, you'd be in trouble... but it's totally legal to leave your house and liquor cabinet unlocked.

    You personally may not be a bad person, but you are certainly lazy, sloppy, and remiss in your duties, since there are a number of ways you can set your machine up to relay mail from legitimate users without running a wide-open relay:

    • POP/IMAP-before-SMTP (easy to do, works with all clients)
    • SMTP Authentication (slightly harder but more secure, some clients may not function properly)
    • Turn relaying off, SSH to your machine and use a local client (very secure, but inconvenient)
    • Set up a web-mail client, access your machine from any browser.
    An SMTP relay is similar to an "attractive nuisance" like a swimming pool in a residential neighborhood. Best course of action is to put a fence up, so people don't piss in your SMTP server, or fall in and sue you.
  • by Lumpish Scholar ( 17107 ) on Thursday March 07, 2002 @04:04PM (#3126575) Homepage Journal
    For a while his [Stallman's] desktop didn't have any passwords on it, or at least that's the legend.
    Thanks; that's enough to help me find the story:

    http://www.kde.org/food/rms.html [kde.org]
    HY: In a lecture, you mentioned that you didn't use passwords, and had no
    security for your computer.

    RMS: Uh-huh. Security might make sense with banks and military facilities,
    but in a computer lab, that is a sign of a social breakdown.

    HY: (!!!) Social Breakdown?!?!!

    RMS: Yes. It's like curing the symptom and worsening the disease. The
    disease here are the young people who are cut off from warmth and anything
    really worthwhile, who have nothing on their hands that to rebel and get
    attention by sneaking into other peoples system. But then the attention
    that they get from this is one of total hate and hostility. Security sends
    out that message of hostility, and I don't want to be on either side of it.

    HY: So, you still don't have security?

    RMS: I regret to say that we had to. There was this one person who
    repeatedly erased our files and there was no choice. So we made a gateway,
    a login server. But since I thought that this was such a sad thing, I
    thought I should suffer more from it so I can't log in on that server.

    HY: But on the other hand, FSF supports some encryption scheme, doesn't it?

    RMS: Well, that's an interesting point. I don't like people who keeps
    secret from their neighbors, but you should be able to protect yourself
    from the government. That's where encryption comes in.

    HY: But governments are, in a sense, an expanded form of a neighborhood,
    aren't they?

    RMS: Um, no, I don't think of the United States government in that way. No.
  • All Open Relays (Score:2, Informative)

    by Anonymous Coward on Thursday March 07, 2002 @05:39PM (#3127177)
    One of 25, which are:
    210.242.232.25
    61.129.53.82
    205.200.155.2
    203.92.100.186
    211.21.47.218
    211.97.214.53
    200.72.36.42
    210.101.186.3
    210.12.164.230
    202.108.109.222
    195.22.21.14
    61.78.199.6
    211.99.206.199
    216.244.152.250
    211.219.246.25
    211.154.129.31
    200.253.229.66
    202.102.200.103
    210.176.173.60
    140.174.2.1
    202.53.64.195
    202.104.108.226
    and a few non-resolveable ones.

    See http://securityresponse.symantec.com/avcenter/venc/data/w32.yaha@mm.html [symantec.com]

    Already submitted them to ordb.
  • by Anonymous Coward on Thursday March 07, 2002 @06:01PM (#3127312)
    Excerpted from Symantec's site [symantec.com]
    ...if it cannot connect to the email server listed in that registry key, it will use one of the following:
    • webproxy.teaorcoffee.com.tw
    • supab.stn.sh.cn
    • sitic.com.cn
    • server.benmoss.com
    • pokkant1.pokka.com.sg
    • pdc.hrserve.com.tw
    • outmail.dongfang-china.com
    • ns.sillim.hs.kr
    • ns.binter.cl
    • microimportservice.com
    • mailsvr.hanace.co.kr
    • mailserver.kaimi.com.cn
    • mail.yinda.com.cn
    • mail.win-tex.com
    • mail.pusanpaik.or.kr
    • mail.cmr.com.cn
    • mail.clinicasanborja.com.pe
    • luckybusan.com
    • linux2.ele-china.com
    • crato.urca.br
    • ahbb.net
    • ntserver1.pascon.com
    • toad.com
    • mailinx.nettlinx.com
    • www.sztge.com.cn
  • To Be Fair (Score:3, Informative)

    by overunderunderdone ( 521462 ) on Thursday March 07, 2002 @06:30PM (#3127490)
    To John's credit he acknowledges this problem with spam and also proposes a solution Grokmail [toad.com]. It looks like it will be an email reader that will use an intelligent agent to filter your mail. But as I see it his solution fails in two ways.

    1) It is not yet a reality.
    2) It doesn't address the burden on the network of masses of unsolicited mail. His solution will actually make this much, much, WORSE. If his system works and everyone uses it, then it makes the most sense to send your commercial email to (quite literally) everyone! Those that don't want it won't even see it (though it will have been sent to them), those that do will. Win/win for everyone, right? You don't see unwanted spam, though occasionally you will get an unsolicited commercial email that actually interests you (hey, it could happen). The spammer gets his message in front of every single interested potential customer in the whole freakin' world! Yay!! But behind the scenes the network is transmitting EVERY SINGLE commercial message to EVERY SINGLE user. Masses of useless data that will never even be seen - probably many orders of magnitude greater in volume than what is actually going to be seen and used. Perhaps technology will make this a viable system (seems outrageously inefficient though).
  • by ccandreva ( 409807 ) <chris@westnet.com> on Thursday March 07, 2002 @06:47PM (#3127585) Homepage
    Connected to 140.174.2.1.
    Escape character is '^]'.
    220 toad.com ESMTP Sendmail 8.7.5/8.7.3; Thu, 7 Mar 2002 14:40:04 -0800 (PST)

    Sendmail 8.7.5? Forget open relay -- unless he's been patching this by hand, he's going to be rooted any minute!

    http://www.netcraft.com/presentations/interop/sendmail.html
  • basic authentication (Score:3, Informative)

    by coyote-san ( 38515 ) on Thursday March 07, 2002 @09:49PM (#3128252)
    Or perhaps a bit more to the point, he could set up authentication for his friends. That's like making duplicate keys for your friends (where you are authorized to do so - not a "janitor" situation) while still keeping strangers out.

    This won't give 100% accessibility, but it's a reasonable compromise. If he wants 100% accessibility, he should set up a web mail server interface, again with some form of authentication.
