Kuro5hin.org: technology and culture, from the trenches
create account | help/FAQ | contact | links | search | IRC | site news
[ Everything | Diaries | Technology | Science | Culture | Politics | Media | News | Internet | Op-Ed | Fiction | Meta | MLP ]
We need your support: buy an ad | premium membership

ORBZ shuts down

By bani in Internet
Wed Mar 20, 2002 at 10:24:43 AM EST
Tags: News (all tags)

The ORBZ project has shut down. ORBZ operated a dns-based RBL service for stopping spam, by maintaining a list of open relays that are used by spammers. Anyone could use these RBL-type services in conjunction with mail transports like sendmail to block spam.

The official notice, verbatim, is in the extended copy.

Date: Wed, 20 Mar 2002 03:20:25 +0000
From: ORBZ <admin@orbz.org>
To: secondary@orbz.org
Subject: [ORBZ-Secondary] Shutdown

Here's the email that those of you with forward sight
have been fearing since the inception of ORBZ.

As of this moment, ORBZ is shutting down. DNS zones
are going to stop resolving, the website will disappear
and mail will stop working (so furthur discussion on
this list probably won't work -- use NANAE).

I don't want to disappear in silence like ORBS, so I'll
try for as much description as possible without
compromising my own position.

I received an official court notice this afternoon to
turn over all information relation to ORBZ accounts.
This came from the 10th Judicial District court of the
State of Michigan. It appears that ORBZ may be facing
criminal charges for denial of service relating to the
Lotus Domino issue.

I was happy to try to weather any civil issues that may
have come up, and I was committed to seeing it through.
However, the threat of jail time is too much; I don't
believe in this fight quite that much.

Thank you all for all your support. I sincerely hope
that someone with the goal of carrying on the mission
of ORBZ pops up in another country with a less
foreboding legal system. Anyone who has copies of the
current zones may do with them what they wish.

For those of you stuck without good spam filtering,
please consider ORDB and SpamCop; they both provide
excellent free solutions.

Ian Gulliver


Voxel dot net
o Managed Hosting
o VoxCAST Content Delivery
o Raw Infrastructure


Related Links
o open relays
o sendmail
o Also by bani

Display: Sort:
ORBZ shuts down | 24 comments (16 topical, 8 editorial, 0 hidden)
Lotus Domino? (5.00 / 5) (#2)
by J'raxis on Wed Mar 20, 2002 at 05:39:21 AM EST

For anyone wondering, here is a hint on the Lotus Domino issue hinted at in the email, and here is how I found it. Apparently,
Some oddly formed mail envelopes can cause Lotus Domino to enter a mail routing loop and consume 100% CPU. … When a message is sent to a Lotus Domino server with an envelope similar to:

MAIL FROM:<bounce@[]>
RCPT TO:<address@domain.com>

where domain.com is not local to the server in question, the server attempts to bounce the message, and the bounce goes into a loop, constantly being sent back to the same server.
— The Raxis

[ J’raxis·Com | Liberty in your lifetime ]

It would appear that the problem... (4.00 / 4) (#9)
by Kugyou on Wed Mar 20, 2002 at 07:47:00 AM EST

comes from that little fiddly bit at the bottom of that email where it is stated that ORBZ creates such an envelope. Nevermind that Lotus Domino seems to be the only mailserver that has problems with this, or that workarounds have been mentioned. For some reason, the typical response in America is to shoot the messenger. If someone sneezes and a door opens, the person who owns that door is more likely to press criminal trespass charges against the poor sinus-afflicted problem-finder than they are to sue the locksmith for making such a faulty lock. It's apparently not about the cause of the problem, it's about who finds it.
Dust in the wind bores holes in mountains
[ Parent ]
Blame (5.00 / 1) (#14)
by Lord of the Wasteland on Wed Mar 20, 2002 at 03:42:44 PM EST

I agree that the American legal system does sometimes "shoot the messenger" with regard to computer security. I think it would be unfortunate if the owner of ORBZ got penalized for unwittingly causing a problem with a badly rewritten and configured piece of software. However, now that the owner of ORBZ nows that the test "envelopes" have the potential to crash systems, ceasing to send them is the only right thing to do. If you "sneeze" and a door opens, you should be protected since it was accidental. If you then go around around huffing and puffing like the big bad wolf of the fairy tale (apologies for the horrible analogy) you are delibrately doing something you know might cause harm, and should be liable.

[ Parent ]
Good. (3.00 / 1) (#11)
by PenguinofLight on Wed Mar 20, 2002 at 12:47:46 PM EST

Spam blacklists are fairly prejustice, and if they get you on their list even when NOTHING wrong was done on your part, it's almost impossible to get off. I'd rather spammers included a special phrase so blocking can be done locally. Of course, it would have to be a federal law for them to do it.
For the wages of sin is death; but the gift of God is eternal life through Jesus Christ our Lord. --Romans 6:23
Bad (5.00 / 2) (#12)
by gmuslera on Wed Mar 20, 2002 at 01:20:03 PM EST

Normally the blacklisted servers are open relays, and having such servers is bad for everyone (well, is only good for spammers, virus writers and maybe terrorists).

Also, blacklists don't block email, system administrators do, a blacklist only gives you a normally good information about how much you can trust in mail that comes from certain servers. You can block email, right, or you can modify headers to inform the user that this can be spam, or whatever you can do based in what you can know about the remote server.

Not using this kind of tool, well, you can do stronger policies if a lot of spam is coming to your mailbox or server, like filtering for words, or i.e. not accepting email from asia (a lot of servers are doing that because the high rate of spam coming from there), or not accept mail from unknown people, or not accept mail that don't have you in the To: field, in example, but there you will probably filter more legitimate mail than with blacklists.

Also, getting off, for well configured servers, should not be so hard. I think that i.e. SpamCop puts you in if enough people reported spam coming from your server, and put you out automatically after a few days or weeks without receiving more reports about it, and orbz had a tool for recheck servers in their blacklist to put them out if it was not an open relay anymore. But if certain blacklist can't be trusted, well, is responsibility of the administrators that use it to decide.

[ Parent ]

Poorly run blacklists considered harmful. (By me.) (5.00 / 3) (#13)
by Damien Vryce on Wed Mar 20, 2002 at 02:43:33 PM EST

Just for fun, here's another aspect of the truth. Some thoughts from the view point of a systems administrator who deals with large environments:

> Normally the blacklisted servers are open relays, and having such servers is bad for everyone.

Uncontroled relays of any kind are bad. One issue that always seems to be overloaded however is the case of dial-up resellers. Consider that most, if not all of the nationwide ISPs in the United States buy dial-up capacity from companies like Level3 and UUNet.

Often, due to lack of good technology to deal with the situation, such ISPs end up having to allow relay from network blocks owned by the third party providers.

The result is of course, is that sometimes an ISP will have to allow relay based on IP, rather than based on a certain knowledge of who the person using that IP is. It's not a situation that most ISPs like, but it's one that many are stuck with. Authenticated SMTP, where the email client persents a username and password in order to be granted relay priveleges can help solve this issue, but it's not widely used yet, and I'm uncertain how well older email clients support it.

> Also, blacklists don't block email, system administrators do

Systems administrators, in my mind, have no bussiness blocking email from servers that haven't been abusive to them personally. As you comment, headers can be modified so that users can easily have their mail programs sort their mail based on that information. This puts the users in control.

Systems administrators are affected by abusive servers, but only because those abusive servers are causing technical problems. Systems administrators can control that. Users can be affected two different ways; they can risk seeing spam, or they can risk not seeing email that's important to them. If the ISP is using blacklists, particularly blacklists that they don't control, then the user has no control at all, other than having the choice to try a different ISP.

I feel an ISP has an obligation to the users do it's best to keep the situation in balance. This means blocking servers that the ISP can prove are being knowingly abusive, and servers that are being abused. This also means that as much as possible, the choice should be in the hands of the users.

> a blacklist only gives you a normally good information about how much you can trust in mail that comes from certain servers

If all blacklists were certain to give "normally good information", the situation would be much better. I don't dislike the idea of shared blacklists, as long as I know that I can trust the content of those lists. All the of blacklists I've ppersonally seen or dealt with can be shown to list servers for reasons that are not commonly agreed on as being "bad".

As an example, certain blacklists have had what I consider a nasty habit of, when finding an open relay that itself relayed mail through another server (a good example is someone with a DSL line who is running a local mail server that then uses the ISPs mail server for delivery), those blacklists would block both the open relay and the ISP's mail server.

The ISP did nothing wrong, there's nothing wrong with any of the ISP's systems that it owns, controls or operates, but it still can find it's entire relay farm on a blacklist because of a single user with a badly configured machine. Of course, when the ISP's systems administrators notice, or are notified that the user has an open relay issue, the ISP needs to take, particularly if it's already being abused.

What's worse is that those running blacklists often have no commitment or even desire to contact the Systems Administrators in question before creating the listing. In the case above, a simple email to the ISPs Systems Administrators might have fixed the problem. (It also might not fix the problem, at which point, I'd feel that listing the open relay itself would be acceptable.)

> Also, getting off, for well configured servers, should not be so hard.

Sometimes it is, and sometimes it isn't. There can be great differences of opinion about what is and is not well configured. For example, certain blacklists have traditionally been very unforgiving of the case of having to relay for IP ranges because of the need for third party dial-up resellers.

There's also a question of what a well configured blacklist should do. If it's an actively scanning blacklist like ORBZ was, it should respect you if you ask it to bugger off and stop checking your network blocks. (There could be a lot of reasons for this, including the case of poorly writen servers that can't survive the checks.) The blacklist certainly should not blacklist the entire network in retaliation.

A well run blacklist should always attempt to make contact with the Systems administrators in question, and make the record of attempts public, to avoid any questions of if they really did try or not. I've seen situations where the blacklist claimed to have attempted contact, but where the other party claimed that they were never contacted. The blacklist was unable to dig up anything as simple as even a log saying "here's when we tried to make contact, how we tried, and what happened". This damaged the case for me ever trusting that blacklist again.

A well run blacklist should be intellegent. It's rather annoying to work with a blacklist to get a server off the list due to a mis-detection, only to find a few weeks later that it's been added to the list again, because of the exact same mis-detection as the last time.

Going back to the prior example of an ISP that needs to use third party dial-up resellers, doing relay tests on a mail server, from an IP address that is supposed to be allowed to relay through that mail server is a fairly obvious error, once it's pointed out that the IP address in question is in the mail server's access list.

In the end, I feel that unless the ISP can be very certain of the quality of the blacklist in question, the choice should be in the hands of the users.


In summary, I feel that well run blacklists that have a commitment to quality, communication, understanding and accuracy can be very useful to both users and Systems administrators. Sadly, I don't know of any blacklists that I trust right now. I'm not even sure that blacklists are really the correct solution. I've been playing with per-message based anti-spam systems lately, and I think that the future of spam fighting could be there.

DCC may have a lot of potential in that regard. DCC servers work based on distributed, somewhat "fuzzy" checksums. As long as only real spam is submitted to a DCC server, it's content should be quite trustworthy.

If I had the bandwidth, and a domain that would get a lot of spammers doing dictionary based spamming attacks against it, I'd be tempted to build a spam trap with it, and feed the spam traps into a DCC server that accepted new checksum only from the spam trap system, but would openly share it's checksums with anyone.

[ Parent ]
hrm, how can i put this politely? (5.00 / 1) (#15)
by Hakamadare on Wed Mar 20, 2002 at 04:43:35 PM EST


as a contract sysadmin, i've had to deal with a number of different blacklist services (whether because of my own goofs or because of the goofs of my predecessors). while i do agree that a few blacklists are somewhat extreme in their attitude (xbl.selwerd.cx comes to mind), i've never had trouble getting a mail server unblocked once i had actually locked down the open relay. many databases offer an automated mechanism for scheduling your mail server for a retest, and once it passes the retest (which, in my experience, usually takes no longer than a day or two), they'll generally remove your server automatically.

it sounds to me like you're unhappy about being forced to close up your open relays. well, tough :) i'm far more unhappy about the floods of spam my users get that have been relayed from your mail server, and from the fact that your organization's IT people have no interest in cooperating with me to stop it. (incidentally - i hope i don't have to state explicitly that i have no specific beef with PenguinOfLight's organization, and that i am simply using him as a stand-in for irresponsible mail admins everywhere. but i suspect that i do.) for a more accurate statement, i would change the "almost impossible to get off" in the parent post to "almost impossible to get off without actually doing what the maintainers of the blacklist want me to do".

now, on to the drivel about the "special phrase" which would be mandated by "federal law": please bear in mind that spammers, by definition, do not care about what other people think of their actions. their goal is to get their message to as many recipients as possible as cheaply as possible while remaining as difficult as possible to trace, and to hell with all other considerations. what possible incentive could they have to give their recipients an easy way to block their message? how could they claim to have, say, a mailing list of five million verified email addresses, when any prospective client knows that a significant (but unknown) portion of that five million will be blocking the message because of some keyword the spammer put into the message?

federal law. feh. there are state laws in place which enable recipients of UCE to impose financial penalties on spammers. while these do create occasional high-profile cases to make geeks cheer, they certainly haven't stopped spam. what sort of federal law were you envisioning? one which sent the FBI after spammers? i'm glad you're so generous with my tax money. :)

Schopenhauer is not featuring heavily on the "Review Hidden Comments" page at the moment. - Herring
[ Parent ]

I won't miss them (none / 0) (#16)
by Tatarigami on Wed Mar 20, 2002 at 05:02:19 PM EST

There's no question, the administrators of some blacklisting databases do step over the line. A couple of years ago, the company that employs me in a roundabout way got listed -- not for having an open relay, but for failing to give the administrator a discount on services other local ISPs were paying us full price for.

When confronted, he was unapologetic about it. As far as he was concerned, this constituted an 'attack on the continued operation of the database' and listing us was justified. We turned the case over to the Bottom Feeding Lawyers, and the courts resolved it in our favour.

Now our customers get their email returned with the error message 'blocked for suing anti-spammers'. There ain't no justice.

Not ORBZ (5.00 / 1) (#17)
by CaptainSuperBoy on Wed Mar 20, 2002 at 06:24:11 PM EST

ORBZ was just a list of open relays, and it's up to ISPs to subscribe to any blacklist. I would never sign up for a list that was as irresponsible as the one that listed you. I'm not sure how they got any subscribers if they blacklisted people on a whim..

jimmysquid.com - I take pictures.
[ Parent ]
Really? (none / 0) (#19)
by J'raxis on Wed Mar 20, 2002 at 07:11:19 PM EST

The RBL liked to block ORBS’s servers because they were competitors; I think ORBS at one point returned the favor. Slashdot also had an article about the RBL being used to censor various sites. ORBS was also quite militant about blocking anyone who refused to allow them to test for open relays (guilty until proven innocent?). Their lists made no differentiation between actual open relay and merely someone refusing to cooperate with the testing. I think they changed these policies toward the end, but they’re gone now so I cannot find out for sure.

Despite these tactics, they got plenty of subscribers in their day, and the RBL still does.

— The Raxis

[ J’raxis·Com | Liberty in your lifetime ]
[ Parent ]

RBL (5.00 / 1) (#21)
by CaptainSuperBoy on Thu Mar 21, 2002 at 12:15:21 AM EST

The RBL has been controversial.. but they are completely out in the open about what they do. They post all their blocks along with e-mail logs for perusal. They don't hide their identities (i.e. SPEWS). And they are accessible.. they are always willing to work with admins to solve problems, and they always offer to help before they block.

Media3 were blocked because they were a spamhaus.. and RBL chose to block ALL their netblocks, which is standard operating procedure to coerce an ISP who won't budge otherwise. I'm disappointed you chose to link to that rant by Jamie - he's Slashdot's outspoken critic of all the evil forces conspiring to destroy "your rights online." Plus, he posted a rant on K5 during the whole 'offtopic thread' moderation fiasco. No, Media3 wasn't 'censored' by the RBL.

I can't really comment on the ORBS vs. RBL issue.. bottom line is, they hated each other and it's over now. Perhaps they were both a little irresponsible, but this is all in the past. ORBS made no illusions about being nice people - they were assholes, but they ran a great service.

I'm sure it gets boring hearing this over and over, but many people are unable to grasp how the lists work. RBL, SPEWS, and the others only have as much power as administrators give them. If an ISP trusts SPEWS to make a decision about blocking someone, they will subscribe to the list. On their own, blackhole lists have no power. It's just a list of IP addresses, that other people may CHOOSE to utilize however they like. Understand, there were a LOT of admins who got very fed up with the RBL and ORBS, and stopped subscribing to their lists.

jimmysquid.com - I take pictures.
[ Parent ]

Power? Try Above.net (none / 0) (#23)
by J'raxis on Thu Mar 21, 2002 at 02:38:50 AM EST

On their own, blackhole lists have no power. It's just a list of IP addresses, that other people may CHOOSE to utilize however they like. Understand, there were a LOT of admins who got very fed up with the RBL and ORBS, and stopped subscribing to their lists.
Above.net, a rather large backbone, used the RBL, which meant any ISP relying on them was forced into it. Why would a backbone which provides service to such a multitude of ISPs take it upon itself to make that decision for all those ISPs? Well, the creator of the RBL, Paul Vixie, also happened to be cofounder of Above.net. Sound powerful enough now?

— The Raxis

[ J’raxis·Com | Liberty in your lifetime ]
[ Parent ]

Other stupidities (5.00 / 1) (#20)
by fluffy grue on Wed Mar 20, 2002 at 11:57:48 PM EST

Once upon a time, ORBS blocked cs.nmsu.edu because one of their tests mistakenly identified the mailserver as an open relay. It took days before the admin here could even find a person to mail about it! The little message on ORBS' webserver said something to the effect of, "Tough shit, your ISP harbors spammers, and complain to your admin." It didn't have any way of actually contacting them in the (hypothetical) case that I was the admin, and so on... eventually ORBS unblocked us, but in the meantime a lot of my mail bounced with a message indicating that "my ISP" was a bunch of dirty spammers or something similarly stupid.
"...but who knows, perhaps [stories about] technology and hardware will come to be [unpopular]." -- rusty the p
Parent ]
Alternatives? (none / 0) (#18)
by p0ppe on Wed Mar 20, 2002 at 06:29:07 PM EST

What would people recomend as alternatives? relays.osirusoft.com and spews.relays.osirusoft.com?

"Democracy is three wolves and a sheep voting on what to have for dinner."
No Rest For The Wicked?? (none / 0) (#22)
by flesh99 on Thu Mar 21, 2002 at 01:57:03 AM EST

I have little or no sympathy for ORBZ or the people who ran it. Working for a webhosting company and having seen customers get blacklisted for a hacked server being used to relay and then after all security issues are resolved and the relays closed, being denied removal from the list, or even better yet, someone with a legit mailing list getting blocked. The hell these people have to go through to get off these lists is insane at best. From what I have seen these lists are not a public service they are nothing more than a nusiance. There is no reason to block anyone from the host I work for. We close accounts for open relays if they are not closed, there is a 24 hours AUP notice and then the account is closed. I have seen people get a server that has the same IP that was blocked on a list, new customer, relays all secure, and they are blocked. Never having done anything. The lists have not been receptive to our attempts at requesting proof of the complaints, nor us asking to at least get a heads up so we can take care of the problem. Good riddance to bad rubbish. You don't like spam, don't give ut your e-mail addy over the web. Just like if you don't like junk mail don't sign up for things with your physical addy. Take the risk and accept it or move on.

It takes 47 muscles to frown, but only 4 to pull the trigger of a finely tuned sniper rifle.
Wired has picked up the case (none / 0) (#24)
by MmmmJoel on Thu Mar 21, 2002 at 10:05:30 AM EST

here. [wired.com]

ORBZ shuts down | 24 comments (16 topical, 8 editorial, 0 hidden)
Display: Sort:


All trademarks and copyrights on this page are owned by their respective companies. The Rest 2000 - Present Kuro5hin.org Inc.
See our legalese page for copyright policies. Please also read our Privacy Policy.
Kuro5hin.org is powered by Free Software, including Apache, Perl, and Linux, The Scoop Engine that runs this site is freely available, under the terms of the GPL.
Need some help? Email help@kuro5hin.org.
My heart's the long stairs.

Powered by Scoop create account | help/FAQ | mission | links | search | IRC | YOU choose the stories!