Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Spam Your Rights Online

ORBZ Shuts Down 447

Tim Jackson writes: "In a depressing development for those wanting to protect themselves against spam, it appears that popular open relay database ORBZ (formerly at www.orbz.org) has shut down effective immediately - see here for the final post from ORBZ admin Ian Gulliver on the ORBZ list explaining the reasons behind the closure. The 'Lotus Domino' issue he refers to is the issue he discovered in the course of running ORBZ and reported to Buqtraq, which means that certain SMTP envelopes (such as those sent by ORBZ when testing for open relays) cause Lotus Domino servers to go into a loop, effectively creating a DoS situation. Unfortunately (but understandably), irrelevant of the merits of the case, Ian doesn't want to risk jail for the sake of spam fighting. Of course, if common sense prevailed, it would be the mail server vendor in court for producing insecure mail server software, not a third party for happening to send requests that unintentionally crash poorly-written servers."
This discussion has been archived. No new comments can be posted.

ORBZ Shuts Down

Comments Filter:
  • by Big Dogs Cock ( 539391 ) on Wednesday March 20, 2002 @11:14AM (#3194312) Homepage Journal
    They should've mailed everyone to tell them.
    • No, what they *should* have done, was sent the admins with the broken servers the links to the fixes "DragonC" posted these here earlier. I mean, it's not like they couldn't find an open relay to mass email them all from, is it? ;)
  • El Reg (Score:5, Informative)

    by Mr Windows ( 91218 ) on Wednesday March 20, 2002 @11:19AM (#3194345)
    The Register [theregister.co.uk] has a little more info [theregister.co.uk]. It seems that there is a workaround [uni-stuttgart.de] which involves changing the settings in Domino, though persuading everyone in the world who's running Domino to apply the fix might be hard! It seems like orbz.org [orbz.org] is down already, and it's probably going to stay that way :(
    • Re:El Reg (Score:3, Interesting)

      by tcr ( 39109 )
      True, but Domino administrators tend to be sensitive about SMTP settings - mainly because a Domino server install defaults to being an open relay!
      • Most people I know running a Domino setup, put a server outside, this means that you don't have to expose your domino server directly to the internet, and that forwarding server can still be up when you have to take your domino server down, which seems to be fairly frequently.
  • Domino... (Score:5, Insightful)

    by Junta ( 36770 ) on Wednesday March 20, 2002 @11:20AM (#3194350)
    Is crap for a mailserver, I've always had problems out of it and avoid it like the plague when I can get away with it. For one, it tries to do too much for a mailserver, and its functionality as a mail server seems to be secondary to it's database features. Domino may work well as a workflow engine/document management, but it really isn't a good Mail server implementation. Unfortunately, so many companies use it as an Exchange replacement, even though it is intended to do much more and mail is done in a really clunky way.. Just spend a few days using Notes and you'll agree that mail does not seem to be a central concern in the scheme of domino..

    Perosnally, I think postfix or qmail are good mail servers (though postfix doesn't cope at all with accounts that have uppercase in them, and qmail is only marginally better at it...). They are simple, short, and to the point. If you must use domino for mail serving, I would suggest having some sort of minimalistic mail server to act as a go between between domino and the outside world, as domino's is flawed in so many ways...
    • You know, you can use iNotes and let your PHB still use Outlook and he won't tell the difference between Exchange and Notes.

      Domino/Notes may have some issues, but I think many people will agree that on the backend, it does what it needs to do and it does have a significant number of advantages over Exchange.
      • I worked in Lotus for the last 6+ years as a contractor and was appalled at the mail system. I came out of a DEC/Compaq background and never realized how nice it was to send mail and here the "new mail" beeps within the group cubicles immediately after sending. Even within the mail group we had people that couldn't fix simple configurations on the servers and I think I got 3 "failure" messages about mail not getting out while I was running about 60% success rate on sending outside mail. I kept my external shell account so I could send mail I needed to make sure got there and never relied on the system for anything "timely". IBM has been a good influence on them in terms of software reliablity but there's an underlying problem with the software and IBM destroyed the Lotus culture that was the one positive about working there. I wouldn't imagine Domino has much of a future with WebSphere in the picture. Lotus software is looking more and more EOL.
    • Re:Domino... (Score:2, Insightful)

      by Morpheus-NL ( 567745 )
      Great idea ...
      setting up a simple mailserver/mailproxy , they could use SpamAssassins [spamassassin.org] spamproxyd ;-)

      That way they could also filter out any spam
    • Qmail is good, but take a stroll through the code one day, there's some stuff on there that'll make your hair stand on end. A coworker found a lot of poor coding in the source, mostly performance stuff.
  • Relay-testing (Score:3, Insightful)

    by Rupert ( 28001 ) on Wednesday March 20, 2002 @11:21AM (#3194357) Homepage Journal
    I've never liked the open relay test based spam filters. Of course, they have a right to list who they want on their list, and if I run a publicly accessible SMTP server I can expect all kinds of bizarre malformed SMTP headers to arrive. However, when you are a self-appointed policeman of the internet, you should first be a good netizen. One of the things good netizens do not do is repeatedly exploit bugs in other people's software to bring down services. Imagine if netcraft started crashing some obscure OS/2 web server with its queries. We'd expect them to stop querying those servers, at the very least, and at best to fix their query.
    • Re:Relay-testing (Score:2, Insightful)

      by PhiberKut ( 9428 )
      Rupert, ORBZ has never intentionally exploited bugs in other people's software. The test involves sending an email to the mail server and having it bounced back to you. If the mail server is incapable of doing this without DOS'ing itself; well the issue is obvious.

      Before querying the server, how is orbz to know that it is lotus?
      • Re:Relay-testing (Score:4, Insightful)

        by tkrotchko ( 124118 ) on Wednesday March 20, 2002 @11:52AM (#3194572) Homepage
        You're right. But on the other hand, once you understand what you're doing is crashing servers, you should probably either (a) fix what you're doing, even though its not your fault (b) refuse to test domino servers until they get it fixed.

        Or both.

        But to say "Gee, we crash Lotus server, too bad for them" is really poor manners.

        Mind you, it isn't criminal in a sane world, but it is thoughtless.
        • Re:Relay-testing (Score:3, Insightful)

          by ftobin ( 48814 )

          You're right. But on the other hand, once you understand what you're doing is crashing servers, you should probably either (a) fix what you're doing, even though its not your fault (b) refuse to test domino servers until they get it fixed.

          With regards to your (a), there wasn't anything to 'fix' on ORBZ's end. If you think so, you have a gross lack of knowledge of SMTP. If you think (b) is a viable solution, then it would only be fair to to mark all Lotus servers as open relays if they can't be tested. This would be a worse solution than simply getting people to fix their Lotus servers.

    • Re:Relay-testing (Score:2, Insightful)

      by SuperBill ( 567746 )
      I totally disagree.
      If Netcraft crashed my servers with a standard query, I would look at it as a free security analysis(and then filter their IP until I fixed the problem ;) ). If a simple query crashes your server, and ONLY YOUR SERVER, you have a flawed server. It's not like ORBZ was crafting DOS packets with the intention of taking down a server.
      • If your query crashes my server, I agree, I should fix my server. But if I ask you to stop sending the query until I get it fixed, I think that's a reasonable request.
    • Re:Relay-testing (Score:2, Insightful)

      by Fastball ( 91927 )

      While you have a point about good netizens not repeatedly exploiting bugs in other people's software, I wonder at what point the responsibility should shift toward the developers of said buggy software.

      Is it not reasonable for us to ask Lotus developers to "catch up" to the crowd and fix the problem therein? I know Lotus Domino is proprietary software and all, but that doesn't give them a free pass (pun intended).

      The scoreboard that way I look at it:
      Developers of unstable, buggy proprietary software backed by an ignorant legal system 1, netizens 0.

    • Re:Relay-testing (Score:2, Insightful)

      by Anonymous Coward
      When I last used them (about two weeks ago) to test my mail server, they were running a 'confirmed opt-in' relay tester (meaning you had to submit an email addy along with the IP to test AND you had to reply to that confirmation message before the test probes would be run).

      I don't know that they had this in place from day one, but I suspect not. Either that or someone with a bone to pick discovered some way to abuse the system in order to create this outcome.

      I suspect that should the names & IPs of the parties involved in the investigation be published, those ranges are going to end up in so many private blacklists that the universe will experience heat death before it's removed from all of them.
    • Re:Relay-testing (Score:4, Insightful)

      by felicity ( 870 ) on Wednesday March 20, 2002 @11:46AM (#3194537)
      This doesn't make sense -- don't attempt a query against server type X when the query is attempting to determine if the server is type X.

      The open-relay checks are not made up of "bizarre malformed SMTP" commands. "HELO", "MAIL", "RCPT", "DATA", and "QUIT" are the only commands that one should be using to do relay checks. If a mail server gets into a tizzy with those, then it's a completely broken server since all other servers will be sending those commands.

      As with the netcraft tests (ie: web servers unable to handle a "GET" request), it's not the fault of the person sending the request if the server is expected to know how to handle said requests.

    • Re:Relay-testing (Score:3, Insightful)

      by Rik van Riel ( 4968 )
      However, when you are a self-appointed policeman of the internet ...
      They're absolutely not self-appointed.

      When I chose to use ORBZ on my mail server, I "appoint" the administrators of that DNSBL list.

      The spammers using the "free speech" argument will run into the same thing; their right to free spam^H^Heech stops at the border of my private network.

      • Who uses the list is a separate question from how they generate the list. In this instance, the method they use to generate the list is causing a problem.
    • Re:Relay-testing (Score:3, Insightful)

      by liquidsin ( 398151 )
      I realize it's not a bug, but is it responsible of slashdot to post links to small sites that don't have the bandwidth and bring down their servers? We, the slashdot community, are constantly bringing down sites. Do you blame slashdot for this? It's not his fault they haven't patched their shoddy software, and it's not a malicious attack - he's not repeatedly crashing the same servers. It's a bug - a security flaw - and it needs to be fixed.
    • self-appointed policeman of the internet

      I hate that term. Nobody just went and 'appointed' themselves policeman. Everything the blacklists do is completely voluntary - you (or your ISP) do not have to participate if you don't want to. This is in contrast to real police, who keep society in order as part of our social contract. We don't have a choice about that one.
    • Re:Relay-testing (Score:3, Insightful)

      by fulgan ( 116418 )
      You are wrwong on two accounts.

      First, you're wrong when you say "repeatedly exploit bugs in other people's software to bring down services". You're mixing effects and intends. The EFFECT is a crashed/hung server. The intend, however, is quite different.

      Second, internet mail software must follow a set of rules defined by the relevant RFCs. If a server software do not follow these rules and crashes when they are followed by third parties on it, it shouldn't be put into use on the internet and, if it is, then the blame clearely can't be put on the external party (in particular if it can be proved that the intend wasn't to DOS the server, somthing quite easy in this case).

      Now, this mostly boils down to: do the ORBZ scans follow the RFCs. Well, I've been scanned several times and, so far, I've not seen anything that wasn't abbiding to the RFCs.
  • Incompetant Admins (Score:5, Informative)

    by DragonC ( 169447 ) on Wednesday March 20, 2002 @11:21AM (#3194362)
    I run a Domino server. In fact I run lots of Domino websites. And this "Denial of Service" issue that is reported is really due to Admins who don't know what they're doing.

    Any system can try and forward to 127.0.0.1 if it is set that way. There is so much information available at all the normal locations that it is really the Admins own fault. Why they should take it out on somebody who has done as all a superb service is anybodies guess.

    Where to look for info:
    Lotus [lotus.com]
    Notes.net [notes.net]
    DominoHive [dominohive.com]
    SecurityTracker for Domino [securitytracker.com]
    • True, but remember that it's the same thing for at least 95% of security issues. Dumb and extremely busy admins will go with the default install and they usually won't even customize the software. So who gets the blame? MS, IBM, Sun, Linux, etc.
    • by Skapare ( 16644 ) on Wednesday March 20, 2002 @06:13PM (#3197022) Homepage

      There is NO VALID CONFIGURATION which should result in an infinite loop on the bounceback. If there are ways to configure to avoid it, great. But there shouldn't be a way to actually configure it to do this, and it most certainly should NEVER be the default setup.

      When mail is sent to a bad name, and it attempts to bounce back to the apparent sender, it should first recognize that it is connecting to itself. Failing that, the sender of the bounce message should either be a valid box to collect failed bounces for the postmaster to clean out, or it should be a null address which gets discarded. A bounce should never trigger another bounce, either on its delivery, its failure to deliver, or its return. In this, Lotus Notes/Domino is a defective software product and needs to be fixed. I recommend that Ian Gulliver ask his attorney about filing a motion of interpleader to bring IBM into the case as a defendant, if the plaintiff continues to pursue it. If IBM (which just stuck a big ad in my face here on /. spouting off about their security) can't fix this, then they are the ones who should be paying up.

      • Me again. Elsewhere it has been noted that IBM has in fact fixed this a while back. In this case, (someone at) IBM should be called as an expert witness to testify that the bug is fixed and that the administrator of the defective system is negligent in having failed to apply the fix. Failure to apply fixes is a major cause of security and spam problems on the net, certainly costing at least hundreds of millions of dollars a year to clean up, and lost time and bandwidth dealing with the effects. Someone who fails to apply fixes in a timely manner (30 days tops) should be slapped very very hard.

        And we want to know who the hell it is that brought this complaint.

  • Stupid question (Score:5, Insightful)

    by ethereal ( 13958 ) on Wednesday March 20, 2002 @11:21AM (#3194365) Journal

    I'm sure I'm missing something here, but why can't ORBZ use a different envelope that doesn't bounce to 127.0.0.1? If they would just use an envelope that bounces back to one of their machines, for example, then they could still test open relays in a non-destructive manner.

    Can someone more knowledgeable than myself explain why they would rather go out of business than slightly alter their envelope that they test with?

    • Re:Stupid question (Score:5, Informative)

      by Ioldanach ( 88584 ) on Wednesday March 20, 2002 @11:28AM (#3194419)
      why can't ORBZ use a different envelope that doesn't bounce to 127.0.0.1
      Because they're testing for obscure bugs that allow spammers to use a server as an open relay even when its configured properly.
      • Why, then, can't they detect that it's a Domino server and skip the check? If the obscure bug, in this case, causes the server to crash, rather than sending the message to its destination, the server isn't an open relay (and likely not to remain open at all if a spammer tries to use it).

        SMTP servers tend to give their version information when you connect to them, and, while they may refuse to say, they're unlikely to lie, and especially unlikely to be set up to say they're Domino, not have this bug, and be an open relay.
    • by Webmoth ( 75878 ) on Wednesday March 20, 2002 @11:53AM (#3194576) Homepage
      why can't ORBZ use a different envelope that doesn't bounce to 127.0.0.1?

      Mail servers need to be configured to relay mail from the localhost (themselves). Otherwise, things just don't work. What using the 127.0.0.1 does is attempt to fool the mail server into thinking that the mail is coming from itself. Also, it makes sysadmins aware that there's a config problem in their mail servers. :-)

      If a server can't relay, it should REJECT the mail ("error: no relay thru here") but Lotus seems to be bouncing it.

      A properly configured mail server will be able to look at the mail and say to itself, "I've seen this before, let's trash it."

      A mail server should NEVER crash do to malformed messages. The strongest lock is no good if the door is weak.
  • yeah right.... (Score:4, Interesting)

    by reaper20 ( 23396 ) on Wednesday March 20, 2002 @11:22AM (#3194372) Homepage
    Of course, if common sense prevailed, it would be the mail server vendor in court for producing insecure mail server software.

    And that would leave us with how many commercial mail servers? None. :)

    More laws like this will only make things worse. One thing we have seen proven time and time again (SSSCA, DMCA), is that legislation of technology by people who don't understand or are influenced by people who don't understand it is that it does not work.

    I'd bet that nine out of ten 'insecure' or 'spamfriendly' open relays are human related errors. Granted, using sendmail is like playing with a loaded gun with the trigger welded down, but it is possible, and other MTAs are pretty damn secure and fast (I like Postfix).

    • Re:yeah right.... (Score:2, Interesting)

      by schon ( 31600 )
      of course, if common sense prevailed, it would be the mail server vendor in court for producing insecure mail server software.

      And that would leave us with how many commercial mail servers? None. :)


      Yeah - just like all those lawsuits against car manufacturers resulted in them all going out of business!

      More laws like this will only make things worse

      Nobody said anything about more laws - they implied that existing laws for negligence should be used to force the appropriate parties to fix their software.
      • by CaptainSuperBoy ( 17170 ) on Wednesday March 20, 2002 @12:08PM (#3194654) Homepage Journal
        Software isn't a car. Software isn't a cigarette. Read your EULA - there is no warranty on software that says it will meet your needs. It's just information, just a bunch of bits. It's not a product that can be regulated, or made 'safely.'

        Who is to say what's a bug? Can I be sued because there's a feature a customer wants that I didn't implement? What if I wrote sendmail 10 years ago, and now someone sues me because I wrote an open relay? But there wasn't any spam when I wrote it. There is a grey area between bug, and undesired behavior. Let's say I write a word processor. Do I get sued because my app won't let you print from the print preview screen? Because it doesn't save your default tab stops?

        You can't regulate software.. and if customers don't like something, they'll look to another vendor. This is already a self-regulated open market folks, move along..

        • It's not a product that can be regulated, or made 'safely.'
          That is such a load of shit. Please don't ever apply for a job as a software developer at my company.

          You might as well say the same thing about car or aircraft manufacture. After all, there are doubtless rare meteorological conditions that could cause existing aircraft designs to fail. "Wow, it's impossible to design aircraft safely! Let's put a EULA on our fuselage saying we disclaim all warranties and that the risk of using the product is entirely on the airline, pilot and passengers!"

          There is a constantly growing body of knowledge about proven insecure designs in software; likewise there is a growing body of knowledge about best practices in software development processes. Are they perfect, or failsafe? No. But they represent adequate due care in protecting one's customers. They can and should be applied by anyone building and distributing software. Period.

        • Software isn't a car.

          I never said it WAS a car.

          What I implied though, was that software companies want to be treated like a manufacturer, and they should be liable, just like other manufacturers.

          Can I be sued because there's a feature a customer wants that I didn't implement?

          No, but can you be sued because you're an idiot?

          It's pretty obvious what constitutes a bug in this case: THE SOFTWARE CRASHED WHEN FED DATA

          What if I wrote sendmail 10 years ago, and now someone sues me because I wrote an open relay?

          I'll address this because this is the ONLY thing that's remotely on-topic..

          If you write a commercial program, and it HAS A BUG which causes a crash, which you never fix, and you never release the source, then yes, you should be liable.

          If the software isn't commercial, or it's not a bug (see above), or a newer version of your software doesn't have the bug, then you shouldn't be liable.

          It's really pretty simple. If you want to be treated like a manufacturer, then you should get treated like a manufacturer. PERIOD.
  • A dread Portent (Score:3, Insightful)

    by WinterSolstice ( 223271 ) on Wednesday March 20, 2002 @11:24AM (#3194388)
    Roberts? ( I just couldn't pass that up, sorry :) ) I think this is a bad sign. A small company that finds a bug in a large company's code should not be forced out of business. Of course, between this, MS, and the H-Paq merger, it looks like the computer industry will have a "big 5"-like computer aristocracy. Woe to whomever wants to create new code these days. You'll get sued if it fixes someone's bugs, sued if it points out someone's bugs, sued if it has its own bugs, and taken over if it actually works. Sounds like a bad industry to be in. -WS
    • Another soul sees the light.

      Some people think that Free Software is about keeping the commercial software developers in check. To paraphrase Linus Torvalds: "when Microsoft starts producing better code, we'll have won".

      But that's not what it's about at all. Microsoft has been cranking out decent code for more than half a decade now, and anybody who is still harping on Windows for being crash-prone and slow is quite frankly living in the past.

      I've said it before, I'll say it again. It doesn't matter whether you agree with RMS or not. The only thing that matters is that whatever business you are in today, you can be sure it will be a Microsoft subsidiary tomorrow. Don't attack Microsoft. Defend your freedom.

  • SpamCop Testimonial (Score:5, Interesting)

    by _J_ ( 30559 ) <jasonlives AT gmail DOT com> on Wednesday March 20, 2002 @11:25AM (#3194390) Journal

    SpamCop [spamcop.net] seems to have been a very effective way of nullifying spam. A couple of months ago I was getting two or three pieces of spam per day advertising cheap loans and pr0n. After seeing SpamCop refered to in some /. discussion I tried it out. Nothing quite like seeing the "Yum, Yum, Fresh Spam" message.:)

    It wasn't until reading the ORBZ shutdown notice that I realized that my spam had died down. The only spam I get now is from companies I remember opting into and from which I can opt out again if I choose.

    Couldn't comment on the other Spam guys....

    IMHO, as per

    J:)
    • SpamCop is very, very cool. Another SPAM fighting tool that I like is SpamAssassin [sourceforge.net]. Basicially, it's a filter that looks for hundreds of different signs of SPAM, and assigns a score to every piece of email in your mailbox. Since there are so many rules, and no single rule determines if your mail is spam or not, it's pretty reliable AND hard for spammers to defeat.

      I have it tag all email with a score above 8 as probable spam, which I then forward (by hand, I still want to double check it) to SpamCop. SpamAssassin is pretty entertaining sometimes ("Mail contains the phrase "OPT OUT"...score +2") and SpamCop makes me feel like I'm being proactive about spam. They're both great services, highly recommended.

    • SpamCop does a more than nullify spam some spam. I had some of my Sprint Broadband Direct mail blocked by SpamCop, for an unjustified reason... read on.

      It appears that a *user* of my ISP (Sprint broadband) had left an SMTP server on his user machine open to relay, and some SPAM had been relayed through that.

      Rather than block that user, spamcop blocked my the intermediate server (my ISP). BUT... the intermediate server was

      1. Not Relaying - it was sending mail from within its own domain by its own user.
      2. Not the offending SMTP server - just the last in the chain!

      So it looks like SpamCop is hurting innocent users and their innocent ISP.

      If SpamCop does this much longer, they are going also going to be sued off the air! I suspect the only reason Sprint hasn't gone after them is that their support people, taking my complaint, were too dumb to realize what had happened to them.

      And if you use spamcop, how much legitimate mail are you missing because they are identifying large ISP's with large user bases as spammers?

      My ISP uses Spaminator, which seems to do a good job. I don't think it uses this same approach (I hope not).

      Finally, people need to realize that open relays are *not* the real problem. If you eliminated every open relay in the internet, spam would continue.

      How, you ask? There are plenty of Spam programa available on the net which talk *directly* to the receiving SMTP server. After all, if an ISP's SMTP server can do it, so can anyone else's!

      See this spamcop page [spamcop.net] for this case and a list of how many times the server was incorrectly listed.

      • Rather than block that user, spamcop blocked my the intermediate server (my ISP). BUT... the intermediate server was
        1. Not Relaying - it was sending mail from within its own domain by its own user.
        2. Not the offending SMTP server - just the last in the chain!
        So it looks like SpamCop is hurting innocent users and their innocent ISP.

        SpamCop wasn't hurting innocent users, your ISP was. Each ISP in question recives mail about what's happening, and they have an opportunity to stop the spammers from abusing their (and our) networks; that your ISP chose to ignore those messages, does not place the blame on SpamCop. Sorry, but you're not going to illicit many tears from me.

        • Yes, I guess you are right. My ISP should immediately adopt a policy of not allowing users to operate SMTP servers. We would all love that, right?

          Oh, you mean they should adopt a policy of not allowing users to operate relaying SMTP servers... so we have to have our ISP testing our SMTP servers for us?

          Right.

          I want my ISP go give me a pipe to the net, and an SMTP server (and a few other servers) for common utility functions.

          Funny that Slashdotters would implicitly argue that my ISP should be doing *content* regulation.

          • Yes, I guess you are right. My ISP should immediately adopt a policy of not allowing users to operate SMTP servers. We would all love that, right?

            That would be one valid solution to the problem, even if it is the lazy solution. Verio has adopted that stance in certain markets. Other ISPs may opt to keep track of port 25 traffic from their customers so that they know about problems (ie, 2 gigabytes of traffic over a 5 hour period) before SpamCop hears about it. It's not brain sugery we're talking about here; a clueful ISP with a Packeteer box can solve this problem easily. Linux packet shaping is coming along nicely now as well, but it's not quite ready for this without some more coding.

            Of course, if your ISP is run by morons, then I think the solution is obvious... They could always hire me to come and "monitor" their SMTP traffic for problems. I'll charge a one-time fee to install a shaper that has a fairly steep throttle after a generous initial gradient, which will allow good users to still run their own SMTP servers, but cause no end of headaches for spammers.

  • Just silly (Score:4, Informative)

    by interiot ( 50685 ) on Wednesday March 20, 2002 @11:25AM (#3194395) Homepage
    The "DoS" is simply a mail header of the form:
    • MAIL FROM:<bounce@[127.0.0.1]>
      RCPT TO:<address@domain.com>
    Why IBM decided to pursue criminal prosecution rather than releasing a simple bugfix is beyond me.
    • Re:Just silly (Score:3, Informative)

      by larien ( 5608 )
      My guess is that it isn't IBM, but the admins of the crashing mail servers doing the suing.
    • by FreeUser ( 11483 ) on Wednesday March 20, 2002 @11:41AM (#3194511)
      Why IBM decided to pursue criminal prosecution rather than releasing a simple bugfix is beyond me.

      If it is IBM, they deserve to be bitchslapped. Hard.

      However, I'd be very curious to know who is actually doing the suing and issuing the legal threats.

      I suspect they are incompetent admins, trying to cover their own incompetency by pointing an accusing finger at the innocent, in this case ORBZ.

      Incompetents banding together has to be one of the more sinister forces in our society: far more common than intelligent and neferious conspiracies (which probably can be counted on one hand, if that), far more wide reaching, and far more destructive.

      OTOH, for the more paranoid: what are the odds that some SPAMMERs themselves have set up Domino servers with the explicit knowledge of this bug, in order to have legal grounds to threaten and sue one of their most effective opponents out of existence? Actually, I was writing the previous sentence as a joke, but as I type it I don't find the scenerio nearly as unlikely as I first thought.
      • However, I'd be very curious to know who is actually doing the suing and issuing the legal threats.

        Ian Gulliver talked about facing criminal charges. Criminal charges have nothing to do with suits (those are civil matters), and are brought by the state, not individual citizens.

        • Criminal charges have nothing to do with suits

          True, which is why I said "suing and issuing the legal threats." Criminal charges are only filed if their is a complaint ... so who is doing the complaining?

          Incompetent admins? (Most likely)
          IBM? (only if they are profoundly stupid)
          SPAMMERs deliberately setting ORBZ up? (possible)
  • Does this mean that Domino isn't adhering to SMTP standards? If so, then what is the problem? Domino users can't sue for DoS if their software is being used properly (according to standards).
  • by rtos ( 179649 ) on Wednesday March 20, 2002 @11:28AM (#3194420) Homepage
    Previously on Slashdot:
    ORBS Forks [slashdot.org] : "Wired is carrying this article about the shutdown of Alan Brown's Open Relay Behavior-Modification System, more commonly known as ORBS. Brown, of New Zealand, closed his operation after two local companies won legal injunctions against him for listing them." It seems the list of 94,000 open relays will be maintained by: "Open Relay Black List of Phoenix, AZ, Open Relay Block Zone (ORBZ), of Basingstoke, England, and the Open Relay Database (ORDB), of Aarhus, Denmark." We've gotten a zillion ORBS submissions since the day its website went down, but this is the first post-ORBS story with enough info to be worth a mention. Guess the dust just needed to settle."

    MAPS vs. ORBS [slashdot.org] : "It seems that the anti-spammers at MAPS and ORBS have gone from a cold war into a shooting one, with MAPS listing ORBS on their blackhole list. ORBS accuses MAPS of doing it for financial gain, MAPS accuses ORBS of attacking systems, Alan Cox gets peeved about spam, kuro5hin.org has the obligatory "Slashdot is censoring the story!" postings but has at least one seemingly clueful post, and the U.S. House passed an anti-spam bill yesterday - coincidence, or devious conspiracy?"

    ORBS Lookup Entries Undergo Major Revamping [slashdot.org] : "I noticed this morning that as of 2001/2/1 relays.orbs.org has been decommisioned, ORBS has announced. The announcement further mentions some serious new testing/checking/hostname additions, about a dozen of them, that will greatly increase the granularity of the ORBS results. A benefit seems to be the end user now has fine granularity in the results s/he will get back, obviating some of the bullshit griping that surrounds ORBS most often. More power to us and them. =)"

    It is always helpful to read current stories with a bit of historical context.
  • Not his problem (Score:2, Insightful)

    by Anonymous Coward
    "Unfortunately (but understandably), irrelevant of the merits of the case, Ian doesn't want to risk jail for the sake of spam fighting. Of course, if common sense prevailed, it would be the mail server vendor in court for producing insecure mail server software, not a third party for happening to send requests that unintentionally crash poorly-written servers."

    So what this is saying is that Ian is willing to stop his client because a specific (and not nearly as widespread as its competitors) mail server has poorly written bugs. If anything, it is Lotus who should patch their servers. This just reeks of poor engineering decisions.

    And Jail Time! heh. Give us a break. You can't be put in jail for writing good software. You can be put in jail for writing intentionally destructive software. If their server has a terrible bug, it's not your fault that it just happens to be exposed by a correctly functioning program that performs a useful task.

    I can just imagine Lotus/IBM sending a cease and desist letter for the production of software that breaks their mail server... Except that the software is already out, the knowledge that the problem exists is widespread to the hackers (i.e. slashdot readers), and IBM better close those bugs before _we_ do.
    • Re:Not his problem (Score:3, Insightful)

      by vsync64 ( 155958 )
      And Jail Time! heh. Give us a break. You can't be put in jail for writing good software.

      Oh really? [freesklyarov.org]

    • " You can't be put in jail for writing good software. You can be put in jail for writing intentionally destructive software. If their server has a terrible bug, it's not your fault that it just happens to be exposed by a correctly functioning program that performs a useful task. ."

      Dude, you need to get educated before you program on your Dell! The legal systems could care less whether your program is well written, well intentioned or performing a useful task. If you cross arbitrary lines, you can be prosecuted, and jailed for a *long time!*

      At least in the US, the jail time for doing this to TWO sites (2 counts) is more than the average murderer gets! Is this dumb? You bet, but it is real.

  • by let the storm ( 567735 ) on Wednesday March 20, 2002 @11:29AM (#3194427)
    ORBZ never came into as widespread use as it perhaps deserved, so a lot of slashdotters might be left wondering what exactly it is (was):
    The short story is that it is a replacement to the now-dead ORBS, which stood for "Open Relay Behaviour-modification System", and was basically a system of centrally "policing" open mail relays by occasionally testing them with scripts. Any system that failed the test eventually entered ORBS's "black list", which some mail admin's used to bounce email with a path through them. Well, that project died, so ORBZ was born: the "Open Relay Blackhole Zones".
    Now, it too, is dead.
    And we can go back to blocking the whole of china, rather than just open relays on it.
    shrug.

    --
    m iso socially aware artistic geek pen-pal, m or f, in '1337 edu. jazz, poetry a must.
    • On March 12, 2002, I pulled all the IPs from the spam in my trollboxes.
      Combined, there were 105, which is pretty typical.
      I checked these 105 with the handy web page that is unfortunately no longer available (http://orbz.org/ [orbz.org])
      That web page checked inputs.orbz.org, outputs.orbz.org, relays.ordb.org,
      orbs.dorkslayers.com, dev.null.dk, relays.osirusoft.com, bl.spamcop.net, and relays.visi.com.

      outputs.orbz.org listed the largest number as open relays at 43.
      By combining orbz.inputs, orbz.outputs, dorkslayers, dev_null and visi,
      the total went up 5, to 48.

      In other words, using standard block lists that only list open relays would have stopped 46% of the spam received.
      Spam cop caught 65, Osirus caught 51.
      Spam cop and Osirus (despite the name relays.osirusoft.com) do not just list open relays.
      Combining all these together caught 82, or 78% of the spam.
      Since these were troll boxes, these is no measure of how many false positives there would have been.

      Pretty strong evidence that most of the spam we receive
      isn't even bounced off an open relay at all, much less a Chinese relay.

      -- Spam Wolf, the best spam blocking vaporware yet! [spamwolf.com]
    • It was more widely used that most people know; Spamcop used it. (And as of last check was still attempting to, although I've emailed them, perhaps they've fixed it by now.)

      Because of that, I bet lots of people who have never heard of ORBZ were "using" it.

      But there's no reason to despair; there are many others still functioning, and new ones coming up all the time.

      My favorite new one is NJABL; Not Just Another BlackList [njabl.org].

      Spamcop has a lovely one, and Osirus is excellent as well.
  • Of course, if common sense prevailed, it would be the mail server vendor in court for producing insecure mail server software

    I think that should be "in court for refusing to fix insecure mail-server software in a timely manner..."
  • When one of the open relay testers decides to test my systems (which have never been open relays), I get at least a dozen unsolicited e-mail systems double-bounced to me. Isn't it strange that a system created out of fury at unsolicited e-mail generates a fair amount of it? The double bounce messages never tell me specifically why they have decided to test my system, and they never tell me how to prevent them in the future. Shouldn't people on a moral crusade be careful about hypocrisy?
    • So fix your broken (almost certainly qmail) server.

      And FWIW, one of the best things about ORBZ was how professionally it was run. They generally tried to error on the side of caution. For instance, addressing your strawman argument, the ORBZ test messages described exactly what they were, and provided links for more info.

  • Let me get this straight. An organization whose sole purpose is fighting spam, is being shut down and afraid of facing jail time due to a bug in Lotus notes?

    Can we find out who the suing party is, so folks can let this company and their state representatives know what they think of this?

    Also, could not Lotus notes servers be identified (I would imagine they spit out an ID string like other SMTP servers) and this bug either worked around, or the Lotus servers ignored? It seems that would be more constructive than shutting down.

    -me
    • One more point: if he's being sued for something done in the past, whether or not he shuts down Orbz is irrelevant, liability-wise. If he has been given a cease-and-desists (or else face prosecution), would not simply skipping Lotus servers meet that requirement, and prevent any future liability?

      Surely he can't be held liable by whoever is suing him, for scanning the 99.9% of non-Lotus SMTP servers out there.

      -me
    • Let me get this straight. An organization whose sole purpose is fighting spam, is being shut down and afraid of facing jail time due to a bug in Lotus notes?

      Hmmm, this just doesn't make any sense, so maybe it would best be defended with the Chewbacca Defense.

      (Sigh, maybe some day I'll get all my comments in one post. I feel like George Costanza, coming up with the witty comeback long after the fact. "The jerk store just called, and they're all out of you!")

      -me
  • We need a "Real time open relay tester black list", so that people can block the queries sent by open relay testers.

    I'm not being entirely facetious either; it seems that the volume of relay testing traffic has increased signficantly over the past year.
  • by tweakt ( 325224 ) on Wednesday March 20, 2002 @11:35AM (#3194474) Homepage
    Mail Abuse Prevention System [mail-abuse.org]

    Tracks open relays, dial up netblocks, etc. Works with sendmail, postfix, etc..
    Does require paid subscription, but free for personal/hobbyist usage.
  • by Srin Tuar ( 147269 ) <zeroday26@yahoo.com> on Wednesday March 20, 2002 @11:36AM (#3194479)


    Anybody can access a publicly available SMTP service and produce whatever type of SMTP headers they want. It is a publically available service.


    However, you typical hacker does a similiar thing, he sends bytes to publically available service.


    If you decide that any univited data being sent to your server is a crime, then sending an email to someone you dont know is a a crime. If you think its not a crime, then what script kidz do is a public service.


    I personally hold to the latter, even though I abhor spam and hate malicious crackers. I think that by holding the server owner whos providing publicly available services accountable for his own security, that we would get more secure software out of it, and less coverups. (lawyers trying to do work that can only be done by programmers) SMTP servers should be able to handle munged headers!


    I can imagine the PHB thinking now "Well since I cant sue the kiddie whos sending those bad SMTP headers, I guess im going to have to actually fix the bug in my mail server, oh the humanity!"


    Of course fraud etc should still be a crime- but why should accessing publicly provided data services be one?

  • ... when they tested my mail server for open relay (which it had been, but was fixed). I was setting up qmail for the first time, and in cleaning up removed a file I shouldn't have (namely rcpthosts). In any case, for those of you who don't know, remove this file, and you're an open relay. I was, and sure enough, a spammer found it and started using it. I caught it when a bunch of bad email addresses bounced to my account (that and my maillog grew by about 2000%). I figured out the problem in about an hour, and closed it up. I also reported the spammer to their ISP (pacbell.net) and cleaned out the queue (over 2000 spams ready to be sent). In any case, someone must have reported me, even though I put up apology pages and comments suggestsion. In case whoever reported me is reading this, I bear you no ill-will, I was an open relay and deserved to be reported. In any case, their test showed I wasn't open, so I never got added to their list.
  • by Zocalo ( 252965 ) on Wednesday March 20, 2002 @11:41AM (#3194515) Homepage
    I actually stopped using ORBZ some time ago because of the way their database worked in conjunction with the vast amounts of spam coming from DSL lines. Basically if an IP was verified clean then it could not be resubmitted within 30 days, fair enough I guess, but this really fell apart with spam originating from what appeared to be dynamically allocated pools of DSL users. Obviously the same servers were changing IPs, and being reused by the same spammers, but ORBZ's submission engine couldn't deal with this in my numerous attempts to submit active spammers.

    I emailed ORBZ over the issue, citing three identical spams all of which were from the same physical server (from a typo in the headers) yet from different IPs, all of which were marked as "Verified clean within the last 30 days". ORBZ' response to this was basically "use multiple RBL servers", which I already was. I stopped using them at all the same day and switched to an alternate RBL server that I could submit spam to for automatic inclusion once verified. Since then I've also set up my own local RBL server, which makes things much easier when you have multiple SMTP servers to administer...

  • by p4k ( 317034 )
    I know this isn't going to be a very popular argument, but here goes anyway...

    Surely if they knew the envelopes they were sending out would crash some servers, then that was at best highly irresponsible behaviour. Yes, in an ideal world all software would have no bugs and all sysadmins would be omnipotent, but I don't see that happening any time soon :-). I don't believe that ORBZ has the right to go around DOSing servers that they consider to be inadequately set up - effectively electing themselves judge, jury *and* executioners.

    If ORBZ behaved a bit less arrogantly I suspect they would make fewer enemies.

  • ...as long as individuals and other non-corporate entities run them. Why? Because we've seen how painfully easy it is for corporate or well-heeled individuals to apply pressure (usually monetary) against these individuals.

    The solution is to make this process as anonymous as possible, yet maintain some degree of integrity in the process. Here's an idea: Somebody must be willing to step forward and create a script which can be fully automated to check for open relays. Generate the script signature, sign with a private key, and distribute script, signed sig, and public key. Run the script anonymously -- use anonymous relays, bogus envelopes, whatever it takes. Publish the results on Freenet, signed with the same key used to sign the sig of the script used. Obviously, the model needs some work, but I think if a public key is established as "trusted," then the results that are published anonymously on Freenet can be "trusted" with the same degree of trust.

    Or something like that...
  • No no no no NO! (Score:3, Insightful)

    by CaptainSuperBoy ( 17170 ) on Wednesday March 20, 2002 @11:58AM (#3194604) Homepage Journal
    if common sense prevailed, it would be the mail server vendor in court for producing insecure mail server software, not a third party for happening to send requests that unintentionally crash poorly-written servers

    You are so wrong! Think about what you are saying for a second. You are saying that software vendors should be held liable for producing faulty software. What does this apply to? Only Lotus, Microsoft, and the big guys? What about holding Alan Cox and Linus liable for bugs in the Linux kernel? I hope you don't want to hold security programmers liable for demos of exploits. Software is fundamentally different from a product that can be recalled and judged unsafe. The marginal cost of software is zero, and it is not a physical product - it's just information.

    Do you have any idea how it would cripple the software industry if they operated under the constant threat of product liability suits? What about old software? Really old versions of Sendmail were set to open relay by default. Certainly it's not the fault of the programmers that they didn't protect against spam, BEFORE SPAM EXISTED. Now think about a software industry where a pack of lawyers has to review every design document, every line of code in the name of 'product safety.'

    This is clearly a case where the free market already solves these problems, and your foolish solution would only serve to artificially disable an industry. If companies are upset with Domino, they will eventually switch to a better software package. If Lotus cared about their customers, they would have patched their software. I can't believe it when people like you say these things without thinking of the consequences.

    You did hit on one correct point - intent. It's unfortunate that ORBZ was in danger of being sued. They shouldn't be in danger, due to intent. They have no intent to DOS random Lotus Domino servers.. but it seems like they just can't risk it. If I intentionally exploited the Domino bug to crash servers, well that's another story. It's not Domino's problem, it's mine, and I should be carted to jail for that.

  • by BierGuzzl ( 92635 ) on Wednesday March 20, 2002 @12:01PM (#3194620)
    So now, regardless of the fact that I'm doing something completely benign, I have to also be careful about "offending" some poorly administered mail server? I won't even get into how stupid it is to set up a mail server with a local loop -- it's the principle of the matter that really pisses me off. Next I won't be allowed to surf the web with an adbuster because it confuses and even crashes some websites...eghads! What the hell is this world coming to?
  • by Rogerborg ( 306625 ) on Wednesday March 20, 2002 @12:03PM (#3194628) Homepage
    • I received an official court notice this afternoon to turn over all information relation to ORBZ accounts. This came from the 10th Judicial District court of the State of Michigan. It appears that ORBZ may be facing criminal charges for denial of service relating to the Lotus Domino issue.

    "It appears"? It is or it isn't. Funnily enough, I'd got the impression that cases were filed before courts ordered documents to be handed over.

    Further to that, isn't the case going to be about past behaviour? So isn't taking ORBZ down is response to it a de facto admission of guilt? Is this some sort of preemptive plea bargain attempt?

    Ian Gulliver has never struck me as being stupid or cowardly. I can't help but feel that there must be more communication going on here, i.e. an offer to drop the charges if ORBZ just goes away. Frankly, I find that highly distasteful, as it's edging very close to barratry [dictionary.com].

    I don't blame Ian one bit for shutting down, I just think that he's been shown a carrot as well as a stick so that this never has to reach a court.

    • by flamingcow ( 153884 ) on Wednesday March 20, 2002 @12:18PM (#3194710) Homepage
      I'm not going to comment on the current legal status. However, I will comment on the shutdown.

      This shutdown isn't so much for this time, but for next time. I'm stuck fighting this one, but I don't have the time or inclination in my life to fight stupid pointless criminal charges on a weekly basis. Unfortunately, the way this world works, this'll be the tip of the iceberg once people realize that they can. Therefore, I'm out of this game.
  • by Eric Damron ( 553630 ) on Wednesday March 20, 2002 @12:10PM (#3194666)
    I seems to me that if Orbz can send certain SMTP envelopes that cause Lotus Domino servers to go into a loop those servers are going to need to be fixed.

    This vulnerability is public knowledge now so how many black hats are going to be doing this just for fun and giggles?

    I can't help feeling that when a company gets shutdown rather than a obvious corrective action being taken that there is a hidden agenda lurking about. Just my suspicious nature taking over. :=)
  • by dananderson ( 1880 ) on Wednesday March 20, 2002 @12:14PM (#3194689) Homepage
    As an active anti-spammer, I found ORBZ was too agressive in filtering spam. A spam filter is no good if it results in too many false positives. I had to stop using it. I don't know the specifics of this situation though and it could just as well be over-agressive lawyers. Here's the filters I use. Note that RBL requires permission, but is freely given and free for individual users (organizations/companies must pay).

    FEATURE(dnsbl,`or.orbl.org', `Mail from $&{client_addr} refused: See http://or.orbl.org/ (ORBL)')
    FEATURE(dnsbl,`relays.ordb.org', `Mail from $&{client_addr} refused: relays.ordb.org. See http://www.ordb.org/')
    FEATURE(dnsbl,`or.orbl.org', `Mail from $&{client_addr} refused: or.orbl.org. See http://www.orbl.org/')
    FEATURE(dnsbl,`spamhaus.relays.orisusoft.com', `Mail from $&{client_addr} refused: spamhaus.relays.osirusoft.org. See http://relays.orirusoft.com/')
    FEATURE(dnsbl,`spews.relays.orisusoft.com', `Mail from $&{client_addr} refused: spews.relays.osirusoft.org. See http://www.spews.org/bounce.html')
    FEATURE(dnsbl,`rbl-plus.mail-abuse.org',`Mail from $&{client_addr} refused by RBL+. See http://www.mail-abuse.org/')

  • hooorayyyyy (Score:5, Interesting)

    by Ph0bia ( 24059 ) on Wednesday March 20, 2002 @12:20PM (#3194724) Homepage
    I for one am happy to see this happen and I hope the rest of them all shut down or get shut down also.

    The sheer volume of mail that we received as "probes" to test for relays which we have NEVER supported, is SPAM in itself, in my opinion.

    Worst of all, I sent repeated requests to people like orbs.org asking to be excluded and they replied with very rude e-mails which contained vulgarities, etc. Real professional guys - glad to see another one bite the dust...

  • by AnotherBlackHat ( 265897 ) on Wednesday March 20, 2002 @12:21PM (#3194731) Homepage
    Seems to me that the majority of the DoS attacks came from 127.0.0.1.
    I suggest the prosecution track down the owner of that IP, and haul him into court instead of orbz.

  • Why don't "they" just sue the spammers out of existance? "They" would make all of our lives that much easier.

    If ORBZ is testing for obsure bugs/holes, you can bet that the spammers are doing it too.

    ~Sean
  • Anti Spam Killer (Score:2, Interesting)

    by kwerle ( 39371 )
    I have started using a-s-k to block spam, and have been pretty happy with it.

    http://sourceforge.net/projects/a-s-k/

    http://www.paganini.net/ask
  • by ONU CS Geek ( 323473 ) <ian,m,wilson&gmail,com> on Wednesday March 20, 2002 @12:25PM (#3194762) Homepage
    With that simple combo, you can keep a majority of spam out of you (and your users) inbox. I became really proactive about stopping spam after one of my (l)users installed a formmail.pl script on our web server and we became an 'open relay' for anyone who knew how to exploit the server. Subsequent emails to the abuse@ emails of the upstream providers resulted in nothing, and I still get attempts on the script. With that said, we flag the email as spam using the X-Message-Flag: header (as most of my clients use Outlook) as well as the Qmail-Scanner Tag that is injected into the message. This lets my users know that the message is spam, and I leave it to them on how to filter the messages out of their inbox.

    Spamassassin is nice in this regard, because you shouldn't need to change any configuration rules. The rule that ORBZ deals with, (RCVD_IN_ORBZ) shouldn't need to be changed, however, I'm going to weight the other rules that check for that kind of information (RCVD_IN_RELAYS_ORDB_ORG, RCVD_IN_OSIRUSOFT_COM, RCVD_IN_VISI, RCVD_IN_RFCI, and RCVD_IN_ORBS) up a few points to make up for the lost service.

  • Why the hell doesn't the ORBZ software just send out a MAIL FROM: header that doesn't have the remote side's address?

    I mean, why the hell doesn't it just send a header like: MAIL FROM: <orbz-admin@orbz-domain.com> anyway?

    This seems like it would have been such a simple technical issue to fix on ORBZ side without putting the burden of fixing the problem on Lotus or people running Domino.

    <irony>I'm against theft of resources in the form of spam, but I'm all for theft of resources in the form of forced distributed software debugging</irony>

    • Why the hell doesn't the ORBZ software just send out a MAIL FROM: header that doesn't have the remote side's address?

      Because the point is that they are trying to find any configuration that permits relaying. If they can find it, so can spammers.

      Some open relays are set up in such a way that they would not relay messages with MAIL FROM [orbz] but would with MAIL FROM [127.0.0.1].
  • Good riddance (Score:3, Informative)

    by kindbud ( 90044 ) on Wednesday March 20, 2002 @12:34PM (#3194829) Homepage
    Now I won't have to put up with anymore double-bounces from ORBZ's continual probing of my closed relays. These don't even send our OUR mail. You can't test our outgoing relays, the conversation is in the wrong direction and won't pass our firewall.

    Ian, YOU DUMBASS!! I hope you beat the criminal rap, but you got what was coming, what you were asking for. ORBZ's probes were every much a trespass as the spam itself. Why they never understood this is beyond me. Plenty of other DNSBL run a good list without intrusive probing, and are not getting put up on charges either.
  • by bovinewasteproduct ( 514128 ) <gclarkii.gmail@com> on Wednesday March 20, 2002 @01:35PM (#3195289) Homepage
    Ya, I've got a problem with spam. I had subscribed to the PHP mailing lists about 6 months ago, no big deal. Here about 2 weeks ago I no longer had a reason to need them and went to unsubscribe from them. I was told that the server would not take my email because my IP provider was in spews now.

    Now mind you, my server (on its own IP address) has NEVER sent out spam (I'm the only one who can send email from it and I've no reason to spam). It seems that some fscking idiot on one of the IPs in CA (my server is in MN) spammed and spews will BH all class C's of the owner no matter where.

    So now I get email I don't want and can't get rid of... Should I report the PHP mailing lists to spews as spammers? I'm on a list and I can't contact them to remove me, how is this different from the spammers? Easy to get on, impossiable to get off of...:)

    BWP
  • Bad Combination (Score:3, Interesting)

    by fwc ( 168330 ) on Wednesday March 20, 2002 @04:01PM (#3196206)
    I'll be interested in seeing the outcome of this and seeing what the facts of the case are.

    I'm not sure how many of the slashdot crowd know this, but it was orbz policy not to stop testing a server when requested, unless requested in writing. If it was requested in writing, then they would stop testing the server and list them in orbz as an open relay.

    So, as an administrator you had the choice between being tested and being blacklisted even if your server had never relayed a single piece of mail. It was also typical of users of orbz to submit every ip address of every mail server they received mail from regardless of it being spam or not. This was encouraged by the orbz administrator. I'm assuming that this policy, in combination with the fact that the testing caused Denial of Service for certain users might be what caused this suit. If you know you are causing a Denial of Service problem and you don't stop especially if you are requested to do so, I'd suspect that is actionable. Ian's inflexibility as to the policy of either testing (and putting up with the DoS if you were a Notes user) or being blacklisted seems like a bad idea if you rephrase it like "Either you let me crash your server or I'll blacklist you", which might be what the people on the other side are thinking.

    Again. This is just my guess. I'm really interested in seeing the facts come to light in relation to this. I suspect that the fact that there was a fix available might be a way out for Ian, but I'll be watching with interest.

"Imitation is the sincerest form of television." -- The New Mighty Mouse

Working...