ORBZ Shuts Down
Tim Jackson writes: "In a depressing development for those wanting to protect themselves against spam, it appears that popular open relay database ORBZ (formerly at www.orbz.org) has shut down effective immediately - see here for the final post from ORBZ admin Ian Gulliver on the ORBZ list explaining the reasons behind the closure.
The 'Lotus Domino' issue he refers to is the issue he discovered in the course of running ORBZ and reported to Bugtraq, which means that certain SMTP envelopes (such as those sent by ORBZ when testing for open relays) cause Lotus Domino servers to go into a loop, effectively creating a DoS situation.
Unfortunately (but understandably), irrespective of the merits of the case, Ian doesn't want to risk jail for the sake of spam fighting. Of course, if common sense prevailed, it would be the mail server vendor in court for producing insecure mail server software, not a third party for happening to send requests that unintentionally crash poorly-written servers."
That was quiet (Score:4, Funny)
Re:That was quiet (Score:2)
El Reg (Score:5, Informative)
Re:El Reg (Score:3, Interesting)
Re:El Reg (Score:2)
Domino... (Score:5, Insightful)
Personally, I think postfix or qmail are good mail servers (though postfix doesn't cope at all with accounts that have uppercase in them, and qmail is only marginally better at it...). They are simple, short, and to the point. If you must use Domino for mail serving, I would suggest having some sort of minimalistic mail server to act as a go-between between Domino and the outside world, as Domino's is flawed in so many ways...
Re:Domino... (Score:2)
Domino/Notes may have some issues, but I think many people will agree that on the backend, it does what it needs to do and it does have a significant number of advantages over Exchange.
Re:Domino... (Score:2)
Re:Domino... (Score:2, Insightful)
Setting up a simple mailserver/mailproxy, they could use SpamAssassin's [spamassassin.org] spamproxyd.
That way they could also filter out any spam.
Re:Domino... (Score:2)
Relay-testing (Score:3, Insightful)
Re:Relay-testing (Score:2, Insightful)
Before querying the server, how is orbz to know that it is lotus?
Re:Relay-testing (Score:4, Insightful)
Or both.
But to say "Gee, we crash Lotus server, too bad for them" is really poor manners.
Mind you, it isn't criminal in a sane world, but it is thoughtless.
Re:Relay-testing (Score:3, Insightful)
With regards to your (a), there wasn't anything to 'fix' on ORBZ's end. If you think so, you have a gross lack of knowledge of SMTP. If you think (b) is a viable solution, then it would only be fair to mark all Lotus servers as open relays if they can't be tested. This would be a worse solution than simply getting people to fix their Lotus servers.
Re:Relay-testing (Score:2)
Re:Relay-testing (Score:2, Insightful)
If Netcraft crashed my servers with a standard query, I would look at it as a free security analysis (and then filter their IP until I fixed the problem).
Re:Relay-testing (Score:2)
Re:Relay-testing (Score:2, Insightful)
While you have a point about good netizens not repeatedly exploiting bugs in other people's software, I wonder at what point the responsibility should shift toward the developers of said buggy software.
Is it not reasonable for us to ask Lotus developers to "catch up" to the crowd and fix the problem therein? I know Lotus Domino is proprietary software and all, but that doesn't give them a free pass (pun intended).
The scoreboard the way I look at it:
Developers of unstable, buggy proprietary software backed by an ignorant legal system 1, netizens 0.
Re:Relay-testing (Score:2, Insightful)
I don't know that they had this in place from day one, but I suspect not. Either that or someone with a bone to pick discovered some way to abuse the system in order to create this outcome.
I suspect that should the names & IPs of the parties involved in the investigation be published, those ranges are going to end up in so many private blacklists that the universe will experience heat death before it's removed from all of them.
Re:Relay-testing (Score:4, Insightful)
The open-relay checks are not made up of "bizarre malformed SMTP" commands. "HELO", "MAIL", "RCPT", "DATA", and "QUIT" are the only commands that one should be using to do relay checks. If a mail server gets into a tizzy with those, then it's a completely broken server since all other servers will be sending those commands.
As with the netcraft tests (ie: web servers unable to handle a "GET" request), it's not the fault of the person sending the request if the server is expected to know how to handle said requests.
Re:Relay-testing (Score:3, Insightful)
When I chose to use ORBZ on my mail server, I "appoint" the administrators of that DNSBL list.
The spammers using the "free speech" argument will run into the same thing; their right to free spam^H^Heech stops at the border of my private network.
Re:Relay-testing (Score:2)
Re:Relay-testing (Score:3, Insightful)
self-appointed policeman of the internet (Score:2)
I hate that term. Nobody just went and 'appointed' themselves policeman. Everything the blacklists do is completely voluntary - you (or your ISP) do not have to participate if you don't want to. This is in contrast to real police, who keep society in order as part of our social contract. We don't have a choice about that one.
Re:Relay-testing (Score:3, Insightful)
First, you're wrong when you say "repeatedly exploit bugs in other people's software to bring down services". You're mixing effects and intents. The EFFECT is a crashed/hung server. The intent, however, is quite different.
Second, internet mail software must follow a set of rules defined by the relevant RFCs. If a server software does not follow these rules and crashes when they are followed by third parties on it, it shouldn't be put into use on the internet and, if it is, then the blame clearly can't be put on the external party (in particular if it can be proved that the intent wasn't to DOS the server, something quite easy in this case).
Now, this mostly boils down to: do the ORBZ scans follow the RFCs? Well, I've been scanned several times and, so far, I've not seen anything that wasn't abiding by the RFCs.
Incompetent Admins (Score:5, Informative)
Any system can try and forward to 127.0.0.1 if it is set that way. There is so much information available at all the normal locations that it is really the admins' own fault. Why they should take it out on somebody who has done us all a superb service is anybody's guess.
Where to look for info:
Lotus [lotus.com]
Notes.net [notes.net]
DominoHive [dominohive.com]
SecurityTracker for Domino [securitytracker.com]
Re:Incompetent Admins (Score:3, Interesting)
Re:Incompetent Admins (Score:2)
"Should" is a dangerous word. There should be universal peace and brotherhood, but I don't behave as if that is the case. Sometimes sysadmins aren't trained or experienced in IT. Sometimes they are office coordinators who came up through the ranks of typing pools and secretarial staff. Should the employer pay $60,000 a year to hire a sysadmin who can secure the one or two servers the business operates? Even if the business doesn't have that kind of cash flow? Even if the increased costs mean they can't compete? Even when the office coordinator can get the system functional (though nonoptimal)?
The solution to this problem is to create default installs that are SECURE. Make decreasing security and enabling features an option. Provide a variety of scripts that can be run after install that will enable features/disable security in a number of standard, customer-expected ways.
In short, given the choice between controlling the behavior of a few corporations or the behavior of 1E6 computer types, I'd rather focus on the former. Focusing on the latter is pointless.
Re:Incompetent Admins (Score:2)
Should the employer pay $60,000 a year to hire a sysadmin who can secure the one or two servers the business operates? Even if the business doesn't have that kind of cash flow? Even if the increased costs mean they can't compete? Even when the office coordinator can get the system functional
Uhh yeah they should.
Should a new nuclear plant hire qualified technicians to prevent meltdowns? Even if they don't have the cashflow, even if it means they can't compete? Even if a high school student can get the plant functional?
If they can't be responsible they shouldn't be in business. It's a pretty simple concept.
There is no valid configuration which should do it (Score:4, Interesting)
There is NO VALID CONFIGURATION which should result in an infinite loop on the bounceback. If there are ways to configure to avoid it, great. But there shouldn't be a way to actually configure it to do this, and it most certainly should NEVER be the default setup.
When mail is sent to a bad name, and it attempts to bounce back to the apparent sender, it should first recognize that it is connecting to itself. Failing that, the sender of the bounce message should either be a valid box to collect failed bounces for the postmaster to clean out, or it should be a null address which gets discarded. A bounce should never trigger another bounce, either on its delivery, its failure to deliver, or its return. In this, Lotus Notes/Domino is a defective software product and needs to be fixed. I recommend that Ian Gulliver ask his attorney about filing a motion of interpleader to bring IBM into the case as a defendant, if the plaintiff continues to pursue it. If IBM (which just stuck a big ad in my face here on /. spouting off about their security) can't fix this, then they are the ones who should be paying up.
Re:There is no valid configuration which should do (Score:3, Insightful)
Me again. Elsewhere it has been noted that IBM has in fact fixed this a while back. In this case, (someone at) IBM should be called as an expert witness to testify that the bug is fixed and that the administrator of the defective system is negligent in having failed to apply the fix. Failure to apply fixes is a major cause of security and spam problems on the net, certainly costing at least hundreds of millions of dollars a year to clean up, and lost time and bandwidth dealing with the effects. Someone who fails to apply fixes in a timely manner (30 days tops) should be slapped very very hard.
And we want to know who the hell it is that brought this complaint.
Stupid question (Score:5, Insightful)
I'm sure I'm missing something here, but why can't ORBZ use a different envelope that doesn't bounce to 127.0.0.1? If they would just use an envelope that bounces back to one of their machines, for example, then they could still test open relays in a non-destructive manner.
Can someone more knowledgeable than myself explain why they would rather go out of business than slightly alter their envelope that they test with?
Re:Stupid question (Score:5, Informative)
Re:Stupid question (Score:2)
SMTP servers tend to give their version information when you connect to them, and, while they may refuse to say, they're unlikely to lie, and especially unlikely to be set up to say they're Domino, not have this bug, and be an open relay.
Re:Not so stupid question (Score:4, Informative)
Mail servers need to be configured to relay mail from the localhost (themselves). Otherwise, things just don't work. What using the 127.0.0.1 does is attempt to fool the mail server into thinking that the mail is coming from itself. Also, it makes sysadmins aware that there's a config problem in their mail servers.
If a server can't relay, it should REJECT the mail ("error: no relay thru here") but Lotus seems to be bouncing it.
A properly configured mail server will be able to look at the mail and say to itself, "I've seen this before, let's trash it."
A mail server should NEVER crash due to malformed messages. The strongest lock is no good if the door is weak.
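The two rules argued for above (in "There is no valid configuration which should do it" and "Not so stupid question"), written out as an added example rather than code from ORBZ, Lotus Domino or any real MTA: at RCPT TO, an address that names the server itself, including a domain literal like [127.0.0.1], is local delivery and never a relay, and relaying for untrusted clients is refused with a 5xx reply instead of accepted and bounced later; and a bounce is generated only where it cannot start a loop. Hostnames, addresses and networks are constructed sample values.

```python
"""Envelope policy for a receiving MTA (added example, not any real MTA's code).

Rule 1: a recipient that is this server (by name, our IP, or a loopback
        domain literal) is local; anything else relays only for trusted
        clients and is otherwise refused with 554 at RCPT time.
Rule 2: a DSN is produced only for a non-null sender, never for a message
        that is itself automatic, never after too many hops, and it always
        carries MAIL FROM:<>; a DSN whose destination is ourselves is
        delivered locally instead of opening a connection to ourselves.
"""
import ipaddress
import re
from dataclasses import dataclass

MAX_HOPS = 30  # Received: lines beyond this are treated as a mail loop


@dataclass
class MtaConfig:
    my_names: set        # hostnames this MTA delivers for locally
    my_addrs: set        # IP addresses (strings) this MTA listens on
    trusted_nets: list   # CIDR strings permitted to relay through us

    def __post_init__(self):
        self.trusted_nets = [ipaddress.ip_network(n) for n in self.trusted_nets]


def sample_config():
    """Constructed sample values for the demonstration below."""
    return MtaConfig({"mail.example.test"}, {"192.0.2.10"}, ["192.0.2.0/24"])


def _parse_addr(addr):
    """Split 'user@host' or 'user@[ip]' (optional <>) into ('name'|'literal', target)."""
    addr = addr.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    m = re.fullmatch(r"[^@<>\s]+@(?:\[([^\]\s]+)\]|([^\[\]@<>\s]+))", addr)
    if not m:
        raise ValueError("malformed address: %r" % addr)
    if m.group(1) is not None:
        return "literal", m.group(1)
    return "name", m.group(2).lower()


def _is_self(cfg, kind, target):
    """True when the address points at this very server."""
    if kind == "name":
        return target in cfg.my_names
    ip = ipaddress.ip_address(target)   # ValueError on a junk literal
    return ip.is_loopback or str(ip) in cfg.my_addrs


def rcpt_decision(cfg, client_ip, rcpt):
    """Reply code and action for one RCPT TO from client_ip."""
    try:
        kind, target = _parse_addr(rcpt)
        if _is_self(cfg, kind, target):
            return 250, "local"
    except ValueError:
        return 501, "5.1.3 bad destination address syntax"
    client = ipaddress.ip_address(client_ip)
    if any(client in net for net in cfg.trusted_nets):
        return 250, "relay"
    return 554, "5.7.1 relay access denied"   # refuse now, never accept-then-bounce


def bounce_decision(cfg, envelope_from, headers):
    """Whether an undeliverable message may produce a DSN.

    headers is a list of (name, value) tuples in message order.
    Returns ('discard' | 'local' | 'remote', dsn_envelope_or_None).
    """
    sender = envelope_from.strip()
    if sender in ("", "<>"):
        return "discard", None        # a bounce never bounces (RFC 5321 4.5.5)
    if sum(1 for k, _ in headers if k.lower() == "received") >= MAX_HOPS:
        return "discard", None        # looping message; leave it to the postmaster log
    hdr = {k.lower(): v for k, v in headers}
    if hdr.get("auto-submitted", "no").strip().lower() != "no":
        return "discard", None        # automatic mail must not trigger more automatic mail
    if hdr.get("content-type", "").lower().startswith("multipart/report"):
        return "discard", None        # already a delivery report
    try:
        kind, target = _parse_addr(sender)
        to_self = _is_self(cfg, kind, target)
    except ValueError:
        return "discard", None        # reverse-path we cannot reply to
    dsn = {"mail_from": "<>", "rcpt_to": "<%s>" % sender.strip("<>")}
    return ("local" if to_self else "remote"), dsn


if __name__ == "__main__":
    cfg = sample_config()
    print(rcpt_decision(cfg, "198.51.100.7", "probe@[127.0.0.1]"))   # (250, 'local')
    print(rcpt_decision(cfg, "198.51.100.7", "victim@elsewhere.test"))  # (554, ...)
    print(bounce_decision(cfg, "<>", []))                               # ('discard', None)
```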
yeah right.... (Score:4, Interesting)
And that would leave us with how many commercial mail servers? None.
More laws like this will only make things worse. One thing we have seen proven time and time again (SSSCA, DMCA), is that legislation of technology by people who don't understand or are influenced by people who don't understand it is that it does not work.
I'd bet that nine out of ten 'insecure' or 'spamfriendly' open relays are human related errors. Granted, using sendmail is like playing with a loaded gun with the trigger welded down, but it is possible, and other MTAs are pretty damn secure and fast (I like Postfix).
Re:yeah right.... (Score:2, Interesting)
And that would leave us with how many commercial mail servers? None.
Yeah - just like all those lawsuits against car manufacturers resulted in them all going out of business!
More laws like this will only make things worse
Nobody said anything about more laws - they implied that existing laws for negligence should be used to force the appropriate parties to fix their software.
Software is not a car (Score:4, Insightful)
Who is to say what's a bug? Can I be sued because there's a feature a customer wants that I didn't implement? What if I wrote sendmail 10 years ago, and now someone sues me because I wrote an open relay? But there wasn't any spam when I wrote it. There is a grey area between bug, and undesired behavior. Let's say I write a word processor. Do I get sued because my app won't let you print from the print preview screen? Because it doesn't save your default tab stops?
You can't regulate software.. and if customers don't like something, they'll look to another vendor. This is already a self-regulated open market folks, move along..
Re:Software is not a car (Score:2)
You might as well say the same thing about car or aircraft manufacture. After all, there are doubtless rare meteorological conditions that could cause existing aircraft designs to fail. "Wow, it's impossible to design aircraft safely! Let's put a EULA on our fuselage saying we disclaim all warranties and that the risk of using the product is entirely on the airline, pilot and passengers!"
There is a constantly growing body of knowledge about proven insecure designs in software; likewise there is a growing body of knowledge about best practices in software development processes. Are they perfect, or failsafe? No. But they represent adequate due care in protecting one's customers. They can and should be applied by anyone building and distributing software. Period.
Re:Software is not a car (Score:3, Insightful)
Since customers already vote with their dollars (if you make useless, buggy software then nobody's going to buy it) why do we need artificial restrictions imposed on developers?
That's a silly argument; you could make it just as well for any product, from bonds to airplanes. Why do we need auditors and all these fussy financial regulations? The shares in poorly run companies won't be bought, right?
If every piece of software adhered to current best practices, we wouldn't have any new innovation would we? New algorithms? They're against the law (they're not certified as secure).
There are immense numbers of regulations for things like food, cars, and financial products, and there have been for decades. But all of those have changed drastically in the last 50 years, and they'll keep on changing. Why wouldn't the same be true for software?
You haven't explained to me why we need this. Regulations should never be applied unless they are absolutely necessary - i.e. in the case of personal safety.
That's certainly not the only case where we have product regulations. The things that are entirely unregulated seem to be the things that are perfectly ok to screw up. If you make music, there's no law saying it has to be good, but if your CD doesn't play in my player, you have to take it back.
When computers are used for something equally low-risk, then not regulating software seems fine. If a game crashes once in a while, that's swell.
But some of us would like to use software for more important things, too. Suppose you run an on-line business, and you pay Microsoft a lotta dough for a fancy e-commerce setup. Then the week after you install it, some script-kiddie takes it down, steals your customer credit card data, and forwards all your pages to porn sites. By the time you clean up the mess, you're in Chapter 11.
So you turn to Microsoft, and they say, "Sorry, Charlie, no warranties express or implied. Your check cleared, so we're outta here!" Is that how things should work?
That's how they worked with investments before we regulated them up the wazoo. And far from crushing investment, our financial markets are immensely lively and highly regarded around the world.
You seem perfectly suited for bottom-line, 'no new idea is a good idea' middle management.
Yeah, ad hominem attacks against a guy with a reasonable point persuade me of your views.
Re:Software is not a car (Score:2)
I never said it WAS a car.
What I implied though, was that software companies want to be treated like a manufacturer, and they should be liable, just like other manufacturers.
Can I be sued because there's a feature a customer wants that I didn't implement?
No, but can you be sued because you're an idiot?
It's pretty obvious what constitutes a bug in this case: THE SOFTWARE CRASHED WHEN FED DATA
What if I wrote sendmail 10 years ago, and now someone sues me because I wrote an open relay?
I'll address this because this is the ONLY thing that's remotely on-topic..
If you write a commercial program, and it HAS A BUG which causes a crash, which you never fix, and you never release the source, then yes, you should be liable.
If the software isn't commercial, or it's not a bug (see above), or a newer version of your software doesn't have the bug, then you shouldn't be liable.
It's really pretty simple. If you want to be treated like a manufacturer, then you should get treated like a manufacturer. PERIOD.
A dread Portent (Score:3, Insightful)
Re:A dread Portent (Score:2, Interesting)
Some people think that Free Software is about keeping the commercial software developers in check. To paraphrase Linus Torvalds: "when Microsoft starts producing better code, we'll have won".
But that's not what it's about at all. Microsoft has been cranking out decent code for more than half a decade now, and anybody who is still harping on Windows for being crash-prone and slow is quite frankly living in the past.
I've said it before, I'll say it again. It doesn't matter whether you agree with RMS or not. The only thing that matters is that whatever business you are in today, you can be sure it will be a Microsoft subsidiary tomorrow. Don't attack Microsoft. Defend your freedom.
SpamCop Testimonial (Score:5, Interesting)
SpamCop [spamcop.net] seems to have been a very effective way of nullifying spam. A couple of months ago I was getting two or three pieces of spam per day advertising cheap loans and pr0n. After seeing SpamCop referred to in some
It wasn't until reading the ORBZ shutdown notice that I realized that my spam had died down. The only spam I get now is from companies I remember opting into and from which I can opt out again if I choose.
Couldn't comment on the other Spam guys....
IMHO, as per
J:)
SpamAssassin, too! Was: Re:SpamCop Testimonial (Score:2)
SpamCop is very, very cool. Another SPAM fighting tool that I like is SpamAssassin [sourceforge.net]. Basically, it's a filter that looks for hundreds of different signs of SPAM, and assigns a score to every piece of email in your mailbox. Since there are so many rules, and no single rule determines if your mail is spam or not, it's pretty reliable AND hard for spammers to defeat.
I have it tag all email with a score above 8 as probable spam, which I then forward (by hand, I still want to double check it) to SpamCop. SpamAssassin is pretty entertaining sometimes ("Mail contains the phrase "OPT OUT"...score +2") and SpamCop makes me feel like I'm being proactive about spam. They're both great services, highly recommended.
Re:SpamCop Testimonial - *NOT* (Score:2)
It appears that a *user* of my ISP (Sprint broadband) had left an SMTP server on his user machine open to relay, and some SPAM had been relayed through that.
Rather than block that user, spamcop blocked the intermediate server (my ISP). BUT... the intermediate server was
So it looks like SpamCop is hurting innocent users and their innocent ISP.
If SpamCop does this much longer, they are also going to be sued off the air! I suspect the only reason Sprint hasn't gone after them is that their support people, taking my complaint, were too dumb to realize what had happened to them.
And if you use spamcop, how much legitimate mail are you missing because they are identifying large ISP's with large user bases as spammers?
My ISP uses Spaminator, which seems to do a good job. I don't think it uses this same approach (I hope not).
Finally, people need to realize that open relays are *not* the real problem. If you eliminated every open relay in the internet, spam would continue.
How, you ask? There are plenty of spam programs available on the net which talk *directly* to the receiving SMTP server. After all, if an ISP's SMTP server can do it, so can anyone else's!
See this spamcop page [spamcop.net] for this case and a list of how many times the server was incorrectly listed.
Re:SpamCop Testimonial - *NOT* (Score:2)
- Not Relaying - it was sending mail from within its own domain by its own user.
- Not the offending SMTP server - just the last in the chain!
So it looks like SpamCop is hurting innocent users and their innocent ISP.
SpamCop wasn't hurting innocent users, your ISP was. Each ISP in question receives mail about what's happening, and they have an opportunity to stop the spammers from abusing their (and our) networks; that your ISP chose to ignore those messages does not place the blame on SpamCop. Sorry, but you're not going to elicit many tears from me.
Re:SpamCop Testimonial - *NOT* (Score:2)
Oh, you mean they should adopt a policy of not allowing users to operate relaying SMTP servers... so we have to have our ISP testing our SMTP servers for us?
Right.
I want my ISP to give me a pipe to the net, and an SMTP server (and a few other servers) for common utility functions.
Funny that Slashdotters would implicitly argue that my ISP should be doing *content* regulation.
Re:SpamCop Testimonial - *NOT* (Score:3, Insightful)
That would be one valid solution to the problem, even if it is the lazy solution. Verio has adopted that stance in certain markets. Other ISPs may opt to keep track of port 25 traffic from their customers so that they know about problems (i.e., 2 gigabytes of traffic over a 5 hour period) before SpamCop hears about it. It's not brain surgery we're talking about here; a clueful ISP with a Packeteer box can solve this problem easily. Linux packet shaping is coming along nicely now as well, but it's not quite ready for this without some more coding.
Of course, if your ISP is run by morons, then I think the solution is obvious... They could always hire me to come and "monitor" their SMTP traffic for problems. I'll charge a one-time fee to install a shaper that has a fairly steep throttle after a generous initial gradient, which will allow good users to still run their own SMTP servers, but cause no end of headaches for spammers.
Just silly (Score:4, Informative)
RCPT TO:<address@domain.com>
Re:Just silly (Score:3, Informative)
I'd be curious to know (Score:4, Interesting)
If it is IBM, they deserve to be bitchslapped. Hard.
However, I'd be very curious to know who is actually doing the suing and issuing the legal threats.
I suspect they are incompetent admins, trying to cover their own incompetency by pointing an accusing finger at the innocent, in this case ORBZ.
Incompetents banding together has to be one of the more sinister forces in our society: far more common than intelligent and nefarious conspiracies (which probably can be counted on one hand, if that), far more wide reaching, and far more destructive.
OTOH, for the more paranoid: what are the odds that some SPAMMERs themselves have set up Domino servers with the explicit knowledge of this bug, in order to have legal grounds to threaten and sue one of their most effective opponents out of existence? Actually, I was writing the previous sentence as a joke, but as I type it I don't find the scenario nearly as unlikely as I first thought.
Re:I'd be curious to know (Score:2)
Ian Gulliver talked about facing criminal charges. Criminal charges have nothing to do with suits (those are civil matters), and are brought by the state, not individual citizens.
Re:I'd be curious to know (Score:2)
True, which is why I said "suing and issuing the legal threats." Criminal charges are only filed if there is a complaint
Incompetent admins? (Most likely)
IBM? (only if they are profoundly stupid)
SPAMMERs deliberately setting ORBZ up? (possible)
Domino doesn't adhere to standards? (Score:2, Interesting)
ORBS, ORBZ, and MAPS Previously on Slashdot (Score:3, Informative)
Not his problem (Score:2, Insightful)
So what this is saying is that Ian is willing to stop his client because a specific (and not nearly as widespread as its competitors) mail server has poorly written bugs. If anything, it is Lotus who should patch their servers. This just reeks of poor engineering decisions.
And Jail Time! heh. Give us a break. You can't be put in jail for writing good software. You can be put in jail for writing intentionally destructive software. If their server has a terrible bug, it's not your fault that it just happens to be exposed by a correctly functioning program that performs a useful task.
I can just imagine Lotus/IBM sending a cease and desist letter for the production of software that breaks their mail server... Except that the software is already out, the knowledge that the problem exists is widespread to the hackers (i.e. slashdot readers), and IBM better close those bugs before _we_ do.
Re:Not his problem (Score:3, Insightful)
Oh really? [freesklyarov.org]
Re:Not his problem (Score:2)
Dude, you need to get educated before you program on your Dell! The legal systems could care less whether your program is well written, well intentioned or performing a useful task. If you cross arbitrary lines, you can be prosecuted, and jailed for a *long time!*
At least in the US, the jail time for doing this to TWO sites (2 counts) is more than the average murderer gets! Is this dumb? You bet, but it is real.
A quick run-down of what ORBZ is (i.e. was) (Score:5, Informative)
The short story is that it is a replacement to the now-dead ORBS, which stood for "Open Relay Behaviour-modification System", and was basically a system of centrally "policing" open mail relays by occasionally testing them with scripts. Any system that failed the test eventually entered ORBS's "black list", which some mail admins used to bounce email with a path through them. Well, that project died, so ORBZ was born: the "Open Relay Blackhole Zones".
Now, it too, is dead.
And we can go back to blocking the whole of china, rather than just open relays on it.
shrug.
--
m iso socially aware artistic geek pen-pal, m or f, in '1337 edu. jazz, poetry a must.
Re:A quick run-down of what ORBZ is (i.e. was) (Score:2)
Combined, there were 105, which is pretty typical.
I checked these 105 with the handy web page that is unfortunately no longer available (http://orbz.org/ [orbz.org])
That web page checked inputs.orbz.org, outputs.orbz.org, relays.ordb.org,
orbs.dorkslayers.com, dev.null.dk, relays.osirusoft.com, bl.spamcop.net, and relays.visi.com.
outputs.orbz.org listed the largest number as open relays at 43.
By combining orbz.inputs, orbz.outputs, dorkslayers, dev_null and visi,
the total went up 5, to 48.
In other words, using standard block lists that only list open relays would have stopped 46% of the spam received.
Spam cop caught 65, Osirus caught 51.
Spam cop and Osirus (despite the name relays.osirusoft.com) do not just list open relays.
Combining all these together caught 82, or 78% of the spam.
Since these were troll boxes, there is no measure of how many false positives there would have been.
Pretty strong evidence that most of the spam we receive isn't even bounced off an open relay at all, much less a Chinese relay.
-- Spam Wolf, the best spam blocking vaporware yet! [spamwolf.com]
Re:A quick run-down of what ORBZ is (i.e. was) (Score:3, Informative)
Because of that, I bet lots of people who have never heard of ORBZ were "using" it.
But there's no reason to despair; there are many others still functioning, and new ones coming up all the time.
My favorite new one is NJABL; Not Just Another BlackList [njabl.org].
Spamcop has a lovely one, and Osirus is excellent as well.
Lawsuit lottery (Score:2)
I think that should be "in court for refusing to fix insecure mail-server software in a timely manner..."
The open relay testers send me unsolicited e-mail (Score:2, Interesting)
Re:The open relay testers send me unsolicited e-ma (Score:2, Informative)
And FWIW, one of the best things about ORBZ was how professionally it was run. They generally tried to err on the side of caution. For instance, addressing your strawman argument, the ORBZ test messages described exactly what they were, and provided links for more info.
Huh? Jail time for fighting spam? (Score:2)
Can we find out who the suing party is, so folks can let this company and their state representatives know what they think of this?
Also, could not Lotus notes servers be identified (I would imagine they spit out an ID string like other SMTP servers) and this bug either worked around, or the Lotus servers ignored? It seems that would be more constructive than shutting down.
-me
Re:Huh? Jail time for fighting spam? (Score:2)
Surely he can't be held liable by whoever is suing him, for scanning the 99.9% of non-Lotus SMTP servers out there.
-me
Re:Huh? Jail time for fighting spam? (Score:4, Insightful)
Re:Huh? Jail time for fighting spam? (Score:2)
Hmmm, this just doesn't make any sense, so maybe it would best be defended with the Chewbacca Defense.
(Sigh, maybe some day I'll get all my comments in one post. I feel like George Costanza, coming up with the witty comeback long after the fact. "The jerk store just called, and they're all out of you!")
-me
We need a RT-ORT-BL! (Score:2)
I'm not being entirely facetious either; it seems that the volume of relay testing traffic has increased significantly over the past year.
MAPS is still alive and well. (Score:5, Informative)
Tracks open relays, dial up netblocks, etc. Works with sendmail, postfix, etc..
Does require paid subscription, but free for personal/hobbyist usage.
Where do you draw the line ?? (Score:3, Insightful)
Anybody can access a publicly available SMTP service and produce whatever type of SMTP headers they want. It is a publicly available service.
However, your typical hacker does a similar thing; he sends bytes to a publicly available service.
If you decide that any uninvited data being sent to your server is a crime, then sending an email to someone you don't know is a crime. If you think it's not a crime, then what script kidz do is a public service.
I personally hold to the latter, even though I abhor spam and hate malicious crackers. I think that by holding the server owner who's providing publicly available services accountable for his own security, we would get more secure software out of it, and fewer coverups (lawyers trying to do work that can only be done by programmers). SMTP servers should be able to handle munged headers!
I can imagine the PHB thinking now "Well since I can't sue the kiddie who's sending those bad SMTP headers, I guess I'm going to have to actually fix the bug in my mail server, oh the humanity!"
Of course fraud etc should still be a crime- but why should accessing publicly provided data services be one?
Just found out about ORBZ last week... (Score:2)
Not such a great loss as made out (Score:5, Interesting)
I emailed ORBZ over the issue, citing three identical spams all of which were from the same physical server (from a typo in the headers) yet from different IPs, all of which were marked as "Verified clean within the last 30 days". ORBZ' response to this was basically "use multiple RBL servers", which I already was. I stopped using them at all the same day and switched to an alternate RBL server that I could submit spam to for automatic inclusion once verified. Since then I've also set up my own local RBL server, which makes things much easier when you have multiple SMTP servers to administer...
Other side of the argument (Score:2, Interesting)
Surely if they knew the envelopes they were sending out would crash some servers, then that was at best highly irresponsible behaviour. Yes, in an ideal world all software would have no bugs and all sysadmins would be omnipotent, but I don't see that happening any time soon :-). I don't believe that ORBZ has the right to go around DOSing servers that they consider to be inadequately set up - effectively electing themselves judge, jury *and* executioners.
If ORBZ behaved a bit less arrogantly I suspect they would make fewer enemies.
Blackhole lists doomed to fail... (Score:2)
The solution is to make this process as anonymous as possible, yet maintain some degree of integrity in the process. Here's an idea: Somebody must be willing to step forward and create a script which can be fully automated to check for open relays. Generate the script signature, sign with a private key, and distribute script, signed sig, and public key. Run the script anonymously -- use anonymous relays, bogus envelopes, whatever it takes. Publish the results on Freenet, signed with the same key used to sign the sig of the script used. Obviously, the model needs some work, but I think if a public key is established as "trusted," then the results that are published anonymously on Freenet can be "trusted" with the same degree of trust.
Or something like that...
No no no no NO! (Score:3, Insightful)
You are so wrong! Think about what you are saying for a second. You are saying that software vendors should be held liable for producing faulty software. What does this apply to? Only Lotus, Microsoft, and the big guys? What about holding Alan Cox and Linus liable for bugs in the Linux kernel? I hope you don't want to hold security programmers liable for demos of exploits. Software is fundamentally different from a product that can be recalled and judged unsafe. The marginal cost of software is zero, and it is not a physical product - it's just information.
Do you have any idea how it would cripple the software industry if they operated under the constant threat of product liability suits? What about old software? Really old versions of Sendmail were set to open relay by default. Certainly it's not the fault of the programmers that they didn't protect against spam, BEFORE SPAM EXISTED. Now think about a software industry where a pack of lawyers has to review every design document, every line of code in the name of 'product safety.'
This is clearly a case where the free market already solves these problems, and your foolish solution would only serve to artificially disable an industry. If companies are upset with Domino, they will eventually switch to a better software package. If Lotus cared about their customers, they would have patched their software. I can't believe it when people like you say these things without thinking of the consequences.
You did hit on one correct point - intent. It's unfortunate that ORBZ was in danger of being sued. They shouldn't be in danger, due to intent. They have no intent to DOS random Lotus Domino servers.. but it seems like they just can't risk it. If I intentionally exploited the Domino bug to crash servers, well that's another story. It's not Domino's problem, it's mine, and I should be carted to jail for that.
Comment removed (Score:5, Interesting)
Political correctness taken to the next level! (Score:3, Funny)
There's something here we're not seeing (Score:3, Interesting)
"It appears"? It is or it isn't. Funnily enough, I'd got the impression that cases were filed before courts ordered documents to be handed over.
Further to that, isn't the case going to be about past behaviour? So isn't taking ORBZ down in response to it a de facto admission of guilt? Is this some sort of preemptive plea bargain attempt?
Ian Gulliver has never struck me as being stupid or cowardly. I can't help but feel that there must be more communication going on here, i.e. an offer to drop the charges if ORBZ just goes away. Frankly, I find that highly distasteful, as it's edging very close to barratry [dictionary.com].
I don't blame Ian one bit for shutting down, I just think that he's been shown a carrot as well as a stick so that this never has to reach a court.
Re:There's something here we're not seeing (Score:5, Informative)
This shutdown isn't so much for this time, but for next time. I'm stuck fighting this one, but I don't have the time or inclination in my life to fight stupid pointless criminal charges on a weekly basis. Unfortunately, the way this world works, this'll be the tip of the iceberg once people realize that they can. Therefore, I'm out of this game.
Black hats are going to love this (Score:3, Insightful)
This vulnerability is public knowledge now so how many black hats are going to be doing this just for fun and giggles?
I can't help feeling that when a company gets shutdown rather than a obvious corrective action being taken that there is a hidden agenda lurking about. Just my suspicious nature taking over.
ORBZ was too aggressive (Score:3, Interesting)
FEATURE(dnsbl,`or.orbl.org', `Mail from $&{client_addr} refused: See http://or.orbl.org/ (ORBL)')
FEATURE(dnsbl,`relays.ordb.org', `Mail from $&{client_addr} refused: relays.ordb.org. See http://www.ordb.org/')
FEATURE(dnsbl,`or.orbl.org', `Mail from $&{client_addr} refused: or.orbl.org. See http://www.orbl.org/')
FEATURE(dnsbl,`spamhaus.relays.osirusoft.com', `Mail from $&{client_addr} refused: spamhaus.relays.osirusoft.com. See http://relays.osirusoft.com/')
FEATURE(dnsbl,`spews.relays.osirusoft.com', `Mail from $&{client_addr} refused: spews.relays.osirusoft.com. See http://www.spews.org/bounce.html')
FEATURE(dnsbl,`rbl-plus.mail-abuse.org',`Mail from $&{client_addr} refused by RBL+. See http://www.mail-abuse.org/')
hooorayyyyy (Score:5, Interesting)
The sheer volume of mail that we received as "probes" to test for relays which we have NEVER supported, is SPAM in itself, in my opinion.
Worst of all, I sent repeated requests to people like orbs.org asking to be excluded and they replied with very rude e-mails which contained vulgarities, etc. Real professional guys - glad to see another one bite the dust...
Check your logs. (Score:4, Funny)
I suggest the prosecution track down the owner of that IP, and haul him into court instead of orbz.
With this logic... (Score:2)
If ORBZ is testing for obscure bugs/holes, you can bet that the spammers are doing it too.
~Sean
Anti Spam Killer (Score:2, Interesting)
http://sourceforge.net/projects/a-s-k/
http://www.paganini.net/ask
ORBZ + SpamAssassin + Razor (Score:5, Informative)
Spamassassin is nice in this regard, because you shouldn't need to change any configuration rules. The rule that ORBZ deals with, (RCVD_IN_ORBZ) shouldn't need to be changed, however, I'm going to weight the other rules that check for that kind of information (RCVD_IN_RELAYS_ORDB_ORG, RCVD_IN_OSIRUSOFT_COM, RCVD_IN_VISI, RCVD_IN_RFCI, and RCVD_IN_ORBS) up a few points to make up for the lost service.
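The mechanics behind those RCVD_IN_* rules, and behind the "use multiple RBL servers" advice earlier in the thread, as an added example that is not code from this thread or from SpamAssassin: reverse the client IP's octets, query it under each zone, treat an answer inside 127.0.0.0/8 as a listing, and add up per-list weights. The zone names are ones mentioned in the thread (several no longer exist); the weights, the offline stand-in resolver and SAMPLE_LISTINGS are constructed for this demonstration.

```python
"""Look up one client IP in several DNS blocklists and combine the hits into a
weighted score, the way SpamAssassin's RCVD_IN_* rules do.

Added example, not code from this thread or from SpamAssassin. The zone names
are ones mentioned in the thread (some no longer exist); the weights, the fake
resolver and SAMPLE_LISTINGS are constructed for this demonstration.
"""
import ipaddress
import socket
from typing import Callable, Dict, List

# A resolver maps a hostname to its A records, [] meaning NXDOMAIN.
Resolver = Callable[[str], List[str]]

# Assumed per-list weights, playing the role of the rule scores the poster
# wants to raise to make up for the lost list.
DNSBL_WEIGHTS: Dict[str, float] = {
    "relays.ordb.org": 2.5,
    "relays.osirusoft.com": 2.0,
    "or.orbl.org": 1.5,
}


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the query name: reversed dotted quad under the zone, so that
    10.0.0.2 in relays.ordb.org becomes 2.0.0.10.relays.ordb.org."""
    addr = ipaddress.IPv4Address(ip)  # rejects junk before it reaches DNS
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name: str) -> List[str]:
    """Real lookup through the system resolver; [] means 'not listed'."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def is_listed(answers: List[str]) -> bool:
    """A listing is an A record in 127.0.0.0/8 (127.0.0.2 by convention).
    Any other address is ignored: a dead list whose domain is re-registered
    with a wildcard pointing at a public address must not block everything."""
    net = ipaddress.IPv4Network("127.0.0.0/8")
    return any(ipaddress.IPv4Address(a) in net for a in answers)


def score_client(ip: str, weights: Dict[str, float] = DNSBL_WEIGHTS,
                 resolve: Resolver = system_resolver) -> dict:
    """Query every list and return the hits plus their summed weight."""
    hits: Dict[str, float] = {}
    for zone, weight in weights.items():
        if is_listed(resolve(dnsbl_name(ip, zone))):
            hits[zone] = weight
    return {"ip": ip, "hits": hits, "score": sum(hits.values())}


def make_fake_resolver(listings: Dict[str, set]) -> Resolver:
    """Offline stand-in for DNS: listings maps zone -> set of listed IPs."""
    def resolve(name: str) -> List[str]:
        for zone, ips in listings.items():
            if name.endswith("." + zone):
                reversed_quad = name[: -len(zone) - 1]
                ip = ".".join(reversed(reversed_quad.split(".")))
                return ["127.0.0.2"] if ip in ips else []
        return []
    return resolve


# Constructed sample listings (documentation-range addresses), not real data.
SAMPLE_LISTINGS = {
    "relays.ordb.org": {"192.0.2.10"},
    "relays.osirusoft.com": {"192.0.2.10", "198.51.100.5"},
    "or.orbl.org": set(),
}

if __name__ == "__main__":
    fake = make_fake_resolver(SAMPLE_LISTINGS)
    for client in ("192.0.2.10", "198.51.100.5", "203.0.113.1"):
        print(score_client(client, resolve=fake))
```

Call score_client with the default resolver to query the real zones; the 127.0.0.0/8 check in is_listed is the part worth keeping whatever list you use, since a retired zone can come back as a wildcard that "lists" every address.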
Call me stupid, but (Score:2)
I mean, why the hell doesn't it just send a header like: MAIL FROM: <orbz-admin@orbz-domain.com> anyway?
This seems like it would have been such a simple technical issue to fix on ORBZ side without putting the burden of fixing the problem on Lotus or people running Domino.
<irony>I'm against theft of resources in the form of spam, but I'm all for theft of resources in the form of forced distributed software debugging</irony>
Re:Call me stupid, but (Score:2, Informative)
Because the point is that they are trying to find any configuration that permits relaying. If they can find it, so can spammers.
Some open relays are set up in such a way that they would not relay messages with MAIL FROM [orbz] but would with MAIL FROM [127.0.0.1].
Good riddance (Score:3, Informative)
Ian, YOU DUMBASS!! I hope you beat the criminal rap, but you got what was coming, what you were asking for. ORBZ's probes were every bit as much a trespass as the spam itself. Why they never understood this is beyond me. Plenty of other DNSBLs run a good list without intrusive probing, and are not getting put up on charges either.
So, are the PHP mailing lists spam now??? (Score:4, Interesting)
Now mind you, my server (on its own IP address) has NEVER sent out spam (I'm the only one who can send email from it and I've no reason to spam). It seems that some fscking idiot on one of the IPs in CA (my server is in MN) spammed and spews will BH all class C's of the owner no matter where.
So now I get email I don't want and can't get rid of... Should I report the PHP mailing lists to spews as spammers? I'm on a list and I can't contact them to remove me, how is this different from the spammers? Easy to get on, impossible to get off of...:)
BWP
Bad Combination (Score:3, Interesting)
I'm not sure how many of the slashdot crowd know this, but it was orbz policy not to stop testing a server when requested, unless requested in writing. If it was requested in writing, then they would stop testing the server and list them in orbz as an open relay.
So, as an administrator you had the choice between being tested and being blacklisted even if your server had never relayed a single piece of mail. It was also typical of users of orbz to submit every ip address of every mail server they received mail from regardless of it being spam or not. This was encouraged by the orbz administrator. I'm assuming that this policy, in combination with the fact that the testing caused Denial of Service for certain users might be what caused this suit. If you know you are causing a Denial of Service problem and you don't stop especially if you are requested to do so, I'd suspect that is actionable. Ian's inflexibility as to the policy of either testing (and putting up with the DoS if you were a Notes user) or being blacklisted seems like a bad idea if you rephrase it like "Either you let me crash your server or I'll blacklist you", which might be what the people on the other side are thinking.
Again. This is just my guess. I'm really interested in seeing the facts come to light in relation to this. I suspect that the fact that there was a fix available might be a way out for Ian, but I'll be watching with interest.
Re:Sounds weak to me (Score:3, Interesting)
They used multiple envelope types when checking a relay that had requested to be taken off the list in order to make sure the site couldn't be used by a spammer. Some of the envelopes were unorthodox envelopes that spammers could use to get through a particular server's bugs, making an apparently clean mail server an open relay.
Re:Sounds weak to me (Score:5, Interesting)
But with regards to IDing the server, you can't with certainty determine what SMTP server is running. Sure you can make a reasonable guess based on what strings follow the numbers during the SMTP transaction, but for some mailservers this is configurable or even could be disabled.
Let's say there was an envelope type that postfix occasionally lets through. Now, if the admin of that for some reason actually wants to exploit this to have an open mail relay, they could fake the strings to make it look like a server that wouldn't get probed for it...
In any case, I started work for a company and one of the first things I did was fix their mail servers so that they both did not offer open mail relays, and also played nice with ORBZ testing procedure, and it was Lotus Domino, FYI. It's not like they randomly probe you into oblivion, you request the test and have a reasonable picture of when it will happen, and if you have been digging around the mailserver and fix it right before asking, this isn't a problem. Cases like this should show companies it is worth the money to hire competent systems administrators.
IDing the server... (Score:2)
One could also try sending "HELP" which, with sendmail anyway, will give the version in the first response string.
I think that in any case, impact could have been minimized for affected Lotus Domino servers where ID could be determined.
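Two points from the thread in working form: the "Call me stupid" exchange (why a tester sends several envelope variants, such as a null sender or an address literal, rather than one honest MAIL FROM) and the server-identification discussion above (reading the banner and the HELP reply, and declining to probe a product known to misbehave, with the caveat that banners are configurable and so the check is best effort). This is an added example, not ORBZ's tester or any project's code. The envelope list, the FRAGILE_PATTERNS regexes, the example.test hostnames, the banners and the relay policy of FakeSmtpServer are all constructed for the demonstration; the probe stops at RCPT TO and never sends DATA, so it relays nothing even when a server would accept it.

```python
"""Open-relay probe: fingerprint the server, skip products we choose not to
test, then try several MAIL FROM envelopes and record which ones the server
would relay for a foreign recipient (250 at RCPT TO). Stops before DATA.

Added example, not ORBZ's tester or any project's code. ENVELOPES,
FRAGILE_PATTERNS, the hostnames, the banners and FakeSmtpServer's relay
policy are constructed for this demonstration.
"""
import re
import socket
import threading

# Envelope variants discussed in the thread: the honest sender, the null
# sender, and an address literal that some servers wrongly treat as local.
ENVELOPES = {
    "plain": "<probe@probe.example.test>",
    "null_sender": "<>",
    "ip_literal": "<probe@[127.0.0.1]>",
    "bare_local": "<postmaster>",
}
# Assumption: banner/HELP text identifying a server we decline to probe. Banners
# can be edited or disabled, so this only lowers impact; it is not a guarantee.
FRAGILE_PATTERNS = [r"Lotus Domino"]


def read_reply(rfile):
    """Read one SMTP reply, including '250-...' continuation lines."""
    lines = []
    while True:
        line = rfile.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line.rstrip("\r\n"))
        if len(line) < 4 or line[3] != "-":
            return "\n".join(lines)


def smtp_probe(host, port, rcpt, envelopes=ENVELOPES, fragile=FRAGILE_PATTERNS, timeout=5.0):
    """Return {'banner', 'help', 'probed', 'accepted': {label: bool}}."""
    sock = socket.create_connection((host, port), timeout=timeout)
    rfile = sock.makefile("r", encoding="latin-1")

    def cmd(line):
        sock.sendall((line + "\r\n").encode("latin-1"))
        return read_reply(rfile)

    result = {"banner": read_reply(rfile), "probed": False, "accepted": {}}
    cmd("HELO probe.example.test")
    result["help"] = cmd("HELP")  # sendmail, for one, names its version here
    fingerprint = result["banner"] + "\n" + result["help"]
    if any(re.search(p, fingerprint, re.I) for p in fragile):
        cmd("QUIT"); sock.close(); return result  # identified: do not probe
    result["probed"] = True
    for label, sender in envelopes.items():
        cmd("RSET")  # fresh transaction for every variant
        cmd("MAIL FROM:" + sender)
        result["accepted"][label] = cmd("RCPT TO:<" + rcpt + ">").startswith("250")
    cmd("QUIT"); sock.close()
    return result


class FakeSmtpServer(threading.Thread):
    """Constructed stand-in SMTP server serving one connection; relay_if(sender)
    decides whether RCPT TO for a foreign recipient gets 250 or 550."""

    def __init__(self, banner, help_line, relay_if):
        super().__init__(daemon=True)
        self.banner, self.help_line, self.relay_if = banner, help_line, relay_if
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0)); self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def run(self):
        conn, _ = self.sock.accept()
        rfile = conn.makefile("r", encoding="latin-1")
        reply = lambda s: conn.sendall((s + "\r\n").encode("latin-1"))
        reply("220 " + self.banner)
        sender = None
        for line in rfile:
            verb, _, arg = line.rstrip("\r\n").partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"): reply("250 mail.example.test")
            elif verb == "HELP": reply("214 " + self.help_line)
            elif verb == "RSET": sender = None; reply("250 Ok")
            elif verb == "MAIL": sender = arg.partition(":")[2].strip(); reply("250 Ok")
            elif verb == "RCPT": reply("250 Ok" if self.relay_if(sender) else "550 Relaying denied")
            elif verb == "QUIT": reply("221 Bye"); break
            else: reply("500 Unrecognized command")
        conn.close(); self.sock.close()


def leaky_policy(sender):
    """Constructed bug: relays only for the null sender or an address literal,
    the kind of hole that makes an apparently clean server an open relay."""
    return sender == "<>" or "[127.0.0.1]" in sender


def run_demo(banner="mail.example.test ESMTP Sendmail 8.12.2/8.12.2; ready"):
    server = FakeSmtpServer(banner, "This is sendmail version 8.12.2", leaky_policy)
    server.start()
    return smtp_probe("127.0.0.1", server.port, "victim@elsewhere.example.test")


if __name__ == "__main__":
    print(run_demo())
    print(run_demo("mail.example.test ESMTP Service (Lotus Domino Release 5.0.8) ready"))
```

Against the leaky stand-in, the plain envelope is refused while the null sender and the address literal are accepted, which is exactly the case the reply above describes; against the stand-in with a Domino-style banner the probe reads the banner and HELP reply, matches FRAGILE_PATTERNS and quits without sending a single MAIL FROM.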
Re:Sounds weak to me (Score:2)
The interesting thing is that a very stupid bug in Lotus Domino should cause the servers to loop into oblivion every time a potential spammer tries to relay mail through them...
Re:Just great (Score:2)
Re:Good. RIP. (Score:2)
Re:good (Score:2, Insightful)