Kuro5hin.org: technology and culture, from the trenches
ORBS shut down by above.net

By mbrubeck in News
Tue Jul 18, 2000 at 10:52:51 AM EST
Tags: Internet

ORBS has shut down its anti-spam service because above.net had been advertising routes that were a short-cut to /dev/null. This essentially means that they were telling packets that they were a short-cut to ORBS, a short-cut that went into a dark alley with a group of thugs.


The ORBS administrator suspects that Paul Vixie (the author of Bind) wants to offer a commercial service similar to ORBS and would therefore like the original (free) version to be shut down. As an immediate result Alan Cox will no longer be available by email unless he knows you personally.

This story was originally submitted anonymously. This version has fixes to the HTML markup and is otherwise unchanged.

ORBS shut down by above.net | 100 comments (92 topical, 8 editorial, 0 hidden)
Well gee, this is bad... (4.30 / 3) (#3)
by mnot on Tue Jul 18, 2000 at 01:03:23 AM EST

Have a look at: http://www.mail-abuse.org/rbl+/ (btw, that's not really a legal URL).

If you would like to be alerted when the RBL+ service and pricing schedule becomes available, please contact <jdfalk@mail-abuse.org>.

Looks like indeed, somebody wants to make some money.

Personally, I like MAPS; I tried to use ORBS, IRMSS, etc for a while, but MAPS RBL + DUL was the right thing for me. I'd hate to see it (and the rest) get too tied up in politics, etc.

Re: Well gee, this is bad... (none / 0) (#12)
by fluffy grue on Tue Jul 18, 2000 at 11:49:09 AM EST

It's a legal URL, but it means that if there's a directory that it's directly pointing to, then it's named 'rbl ' and not 'rbl+'. But that's only a problem for the server to deal with, not the client. :)
--
"Is not a quine" is not a quine.
I have a master's degree in science!

[ Hug Your Trikuare ]
[ Parent ]

Re: Well gee, this is bad... (none / 0) (#37)
by mnot on Tue Jul 18, 2000 at 08:56:56 PM EST

I was speaking in the scope of RFC 2396, where it is indeed clearly not legal;

2.2. Reserved Characters

Many URI include components consisting of or delimited by, certain
special characters. These characters are called "reserved", since
their usage within the URI component is limited to their reserved
purpose. If the data for a URI component would conflict with the
reserved purpose, then the conflicting data must be escaped before
forming the URI.

reserved = ";" | "/" | "?" | ":" | "@" | "&" | "=" | "+" |
"$" | ","

The "reserved" syntax class above refers to those characters that are
allowed within a URI, but which may not be allowed within a
particular component of the generic URI syntax; they are used as
delimiters of the components described in Section 3.

[ Parent ]
Re: Well gee, this is bad... (none / 0) (#51)
by fluffy grue on Wed Jul 19, 2000 at 11:17:25 AM EST

Ahh, but you see, CGIs can take parameters as part of a URI path; they don't necessarily have to come after a ?. The RFC just proposes semantics for the server-side, in any case, and there's no reason a browser would have ANY knowledge of these aspects of URIs. So yeah, it's a violation of the RFC, but it's a harmless one IMO.

FWIW, webbrowsers don't know (and don't need to know) that, say, http://www.cs.nmsu.edu/~joshagam and http://www.cs.nmsu.edu/%7Ejoshagam are the same URL. Again, the URL-encoding is taken care of at the SERVER side.
--
"Is not a quine" is not a quine.
I have a master's degree in science!

[ Hug Your Trikuare ]
[ Parent ]
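
The two URL pairs argued over in this sub-thread, run through a conservative server-side normalizer. This is an added example, not part of any comment above; the function names are hypothetical. It decodes only percent-escapes of unreserved characters, so `%7E` and `~` compare equal while `+`, `%2B` and `%20` in a path stay distinct. Treating a path `+` as a space is a form-data convention, which is why two components that decode differently can disagree about which resource a request names.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# Characters that never need escaping in a URI; "~" is one of them,
# so "%7E" and "~" are two spellings of the same path octet.
_UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")


def normalize_path(path):
    """Decode escapes of unreserved characters only; uppercase the rest."""
    def fix(match):
        ch = chr(int(match.group(1), 16))
        if ch in _UNRESERVED:
            return ch
        return "%" + match.group(1).upper()
    return _ESCAPE.sub(fix, path)


def same_resource(url_a, url_b):
    """Compare two URLs after scheme/host case folding and path normalization."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    key_a = (a.scheme.lower(), a.netloc.lower(), normalize_path(a.path), a.query)
    key_b = (b.scheme.lower(), b.netloc.lower(), normalize_path(b.path), b.query)
    return key_a == key_b


def decoded_views(url):
    """Show how one path reads under path decoding vs. form-data decoding."""
    path = urlsplit(url).path
    return {
        "path_decoding": unquote(path),       # "+" stays a literal plus
        "form_decoding": unquote_plus(path),  # "+" becomes a space
    }


if __name__ == "__main__":
    print(same_resource("http://www.cs.nmsu.edu/~joshagam",
                        "http://www.cs.nmsu.edu/%7Ejoshagam"))
    print(decoded_views("http://www.mail-abuse.org/rbl+/"))
```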

Am I hallucinating? (none / 0) (#70)
by rusty on Wed Jul 19, 2000 at 05:26:45 PM EST

Did I just see fluffy offer to overlook an RFC violation? I didn't see that, did I?

;-)

____
Not the real rusty
[ Parent ]

Re: Am I hallucinating? (none / 0) (#81)
by fluffy grue on Wed Jul 19, 2000 at 10:21:26 PM EST

Yes, you did. :) Why, does this contradict something I've said in the past? It's an invalid URL assuming certain things about it, for example, assuming that the domain doesn't map directly to a CGI program - but we wouldn't know anything about THAT, Mr. http://www.kuro5hin.org/?op=comments, now would we?
--
"Is not a quine" is not a quine.
I have a master's degree in science!

[ Hug Your Trikuare ]
[ Parent ]

Couldn't happen to anyone better (4.00 / 2) (#8)
by h2odragon on Tue Jul 18, 2000 at 04:13:32 AM EST

'cept maybe AOHell.

I don't like ORBS; do not use their service (or similar services), and frankly don't much care if they fail miserably at whatever venture they're playing at today.

However, there's an entirely different issue here; the theft of address space / denial of service by abusing routing protocols. Hit the ORBS link in the story; it's involved. Looked at in a paranoid light, this could be seen as a strike against the foundations of the 'net.

Looked at in a different, perhaps more reasonable light, even temporarily closing down their service in the face of adversity doesn't seem reasonable. When freshmeat.net was taken down by its owner because people didn't like the new look; that was one thing. At the time there wasn't any pretense made that it was a professional, reliable service upon which you could rely.

Re: Couldn't happen to anyone better (none / 0) (#77)
by Anonymous Hero on Wed Jul 19, 2000 at 08:34:10 PM EST

ORBS is a hobby run by volunteers, just like Freshmeat.

[ Parent ]
where is the outcry? (3.30 / 3) (#11)
by kellan on Tue Jul 18, 2000 at 11:13:52 AM EST

is this breaking news? old news? i find the idea of an isp like above.net, being able to systematically shut down a service like ORBS alarming to say the least. blatant censorship, and abuse of power. i would expect the geeks to come pouring out of the walls on this one.

so why no mention on slashdot? wired is already running an article on unrelated abuses by MAPS today, why not mention ORBS?

what is the whole story here?

Why not on slashdot? (2.00 / 6) (#13)
by jabber on Tue Jul 18, 2000 at 11:52:11 AM EST

Because Andover would also benefit from running this sort of service for a fee. :)
Principles go out the window once paychecks come into the picture.

[TINK5C] |"Is K5 my kapusta intellectual teddy bear?"| "Yes"
[ Parent ]

Re: Why not on slashdot? (none / 0) (#23)
by finkployd on Tue Jul 18, 2000 at 01:16:47 PM EST

A. Andover does not run slashdot, Rob and Jeff do. I've seen nothing to date to indicate that it is corporate controlled and that they are censoring stories. Things have pretty much been the same since it was called Chips n Dips.

B. Why would andover decide to run a service like that for a fee. All their experience in the open source community should have taught them that all that would happen is several free (and better) services would pop up and run them out of business.

Finkployd
Sig: (This will get posted after your comments)
[ Parent ]
Re: Why not on slashdot? (4.70 / 3) (#28)
by jabber on Tue Jul 18, 2000 at 04:34:23 PM EST

For the most part, this is true. Or is it?

Over the last two years, the angle of /. has changed considerably. The stories are less consistently geeky/techie, and those that fall into this category are less subversive (for lack of a better word) and precise than before. The notable exceptions here are DeCSS and MP3 articles, but these too are increasingly qualitative.

Has /. simply become too popular, and Taco/Hemos choose stories that appeal to a broader population? /. may not be 'controlled' by Andover, but they're not a charity either. /. is something Andover BOUGHT, and being a business, they (Andover) are getting something out of it. Is it the ads? Is it the cred? Maybe they're just counting on the rare click-thru from the main /. site, but I doubt it.

IMVHO, /. has become very dilute in the technical aspects of its stories. There are few posted, and those that are posted do not run deep. Too often, the techie stories are simply incorrect, or reference press releases. They are missing that critical, informative, educational content that initially drew me there.

Now, don't get me wrong, I still enjoy /., but it is now a town square where everyone with an opinion comes to be heard. Lots of good discussion results, and many points of view get hashed out - it's like accelerated, parallelized thinking about current issues - the 'shallow bug' effect applied to the latest rumour or techno-ethical concern. But I miss the analysis of the technology they used to report on. They used to be first on the scene, and they used to actually inform. Now the S/N is pretty small and they link to ArsTechnica.com.

So, the core of my original suspicion holds. Taco and Hemos seem to cater to the broader crowd, rather than keep the content refined. Drivel gets posted. Why? They're smarter than to just give the public what it wants. What do they get out of feeding all those eyeballs with increasingly mediocre articles?

[TINK5C] |"Is K5 my kapusta intellectual teddy bear?"| "Yes"
[ Parent ]

Re: Why not on slashdot? (4.00 / 1) (#34)
by Anonymous Hero on Tue Jul 18, 2000 at 06:54:32 PM EST

Slashdot is only as good as its readers, and its readership figures have quadrupled in the last year. You could view this as a massive success, but you could view it as dilution of a good crowd (instead of bruce perens you get geekboy10456@aol.com). Hence the crap stories.

It remains to be seen whether any other forums could work better with 160,000 readers...



[ Parent ]
Faulty Logic At Its Best (2.33 / 3) (#42)
by Carnage4Life on Tue Jul 18, 2000 at 11:30:11 PM EST

Good god, why is kuro5hin so full of pissed off geekboys who miss the fact that they are no longer 1337 because they read slashdot?

So because slashdot is no longer the haven of the technical giants which you claim it once was, they are now censoring stories? Such a leap isn't just a jump to conclusions but indicates that you have difficulty in thinking logically.

Next time consider what you are saying before posting some paranoid rant that slanders someone else.

[ Parent ]
Hold on there a minute (4.00 / 1) (#49)
by jabber on Wed Jul 19, 2000 at 09:38:47 AM EST

Where did you get THAT?

First: At no point was /. readership a badge of 'leet' status, whatever that means. If anything, it's more so now than it ever was; because now it is a 'brand'. It used to be a more technical think-tank than a socio-political mosh-pit. My attitude reflects my priorities, and as much as I like shooting off my mouth about Columbine and other issues in the same vein, I miss the reliable and technically interesting content. That's all.

Second: Censorship? No, what I'm saying is that the stories they choose to post, in the limited amount of space and time available before a story 'expires' are now different. They seem to be more angled toward the popular and discussion-provoking rather than news-breaking and informative. What I'm questioning is WHY their heuristic for choosing stories has changed. Are they simply catering to the influx of users? Fine. But, if there are clear rewards for baiting more users by way of more easily digestible content, then I think that should be stated outright.

The mission of /. seems to have changed, from News For Nerds to Converting The Masses to MP3, DeCSS, Columbine-aftermath-impact-on-Geeks... The book containing (uncited) /. posts was a clue in this direction - and while I don't think Rob and Jeff are necessarily nefarious in what they're doing, I'm curious of their motivations.

If they are simply catering to their new-found huge reader-base, I will print my post and eat it in the middle of the next LUG I attend. But if they get rewards for running a troll-site, and are paid for eyeballs - and that's why the content is fluffier - I'd simply like to know.

[TINK5C] |"Is K5 my kapusta intellectual teddy bear?"| "Yes"
[ Parent ]

Re: Hold on there a minute (none / 0) (#53)
by IntlHarvester on Wed Jul 19, 2000 at 12:25:00 PM EST

I'm not sure which Slashdot you are talking about. In the early days, it was far less articulate than it is today, but more technical. (Posts along the lines of "Of course M$ $ux, here's how I patched my kernel...") One can go and pull some articles for the archive to see what I mean.

When you say that "It used to be a more technical think-tank than a socio-political mosh-pit.", I wonder if you are talking about the golden age of karma-whoring around the introduction of moderation points. Sure, the posts were better, but there was a lot of navel-gazing and Linux Cult GroupThink ("Here is a three part essay I wrote on why Microsoft has been an impediment to the overall growth of technology and Internet culture...")

Even back in the old days, the editors would whore for Page Views -- how many "Mindcraft" stories were there? "HellMouth Part IX"? There were articles about Pre kernels even back to the 2.0 series. Has Slashdot's "mission" changed, or is it the mission of the readers that drifted over time.

So, now traffic has shot through the roof, and the average post is overall far less articulate and far less technical than it has been in the past. Has the content really changed that much? (Maybe less Science stories..) The real problem with Slashdot is that it's impossible to maintain any sort of conversational tone when the comment count goes from 0 to 200 in an hour. Even though the stories do expire quickly, it really doesn't matter because nobody gets a word in edgewise after the first 100 posts or so.


[ Parent ]
Re: Hold on there a minute (5.00 / 1) (#55)
by jellicle on Wed Jul 19, 2000 at 01:10:01 PM EST

We're trying for more Science articles - submit them, they'll be posted. Maybe in the Science section only, as opposed to the main page, but somewhere...

-- Michael
michael@slashdot.org


[ Parent ]
Re: Hold on there a minute (none / 0) (#89)
by CodeWright on Thu Jul 20, 2000 at 07:55:52 AM EST

I know Rob & Nate & Jeff, et al... and those guys are not driven by some kind of bizarre ulterior motives. The only ulterior motive I can detect is Jeff's monomania for nanotechnology (which I share), and the fact that they are all addicted to EverQuest. :P :)

As far as I can tell, they are very conscientious about maintaining the quality of Slashdot, but are sometimes at a loss to deal with the trolls that their success has attracted. Trolls try a LOT of things to goof slashdot up. So the slashdot guys keep putting their "all" into maintaining the service under a constant barrage of negative feedback.....

...not to mention the fact that they all have lives too! (well, some of them anyway.... Jeff just got married, Rob has a girlfriend and a new house, etc,etc,etc...)

Just my $.02



--
A: Because it destroys the flow of conversation.
Q: Why is top posting dumb? --clover_kicker

[ Parent ]
Re: Faulty Logic At It's Best (none / 0) (#63)
by Anonymous Hero on Wed Jul 19, 2000 at 03:34:14 PM EST

What you need to keep in mind is that most Slashdot posters are new to computers. Most of the readership thinks that they have specialized knowledge because they know how to use Linux, and illegally steal MP3's, but in fact most of them are high school students who haven't done anything interesting.

[ Parent ]
Re: Why not on slashdot? (none / 0) (#58)
by kevin lyda on Wed Jul 19, 2000 at 01:43:23 PM EST

i'm just curious, how exactly would you react to someone saying you had no principles. further on you say you want slashdot to interview themselves and say what and why they're doing things with the site.

first, why would that make any difference - they have no principles. would you believe them if they said they were doing the same thing with the site that they always had: post up stories that interest them.

second, since you're essentially asking them to justify their (unprincipled) existence, perhaps you'd care to justify yours. what is your background? are you just some hack that works for time warner or some other publishing company?

ok, now drop everything and justify yourself.

[ Parent ]
Re: Why not on slashdot? (none / 0) (#66)
by Anonymous Hero on Wed Jul 19, 2000 at 04:20:00 PM EST

Of all the /. bashing I've read here, none of it seems very accurate. I think the truth is a bit more balanced. I would say that karma whoring is still around (the # of "M$ Sucks" posts or attached to posts is huge), but on the other, I don't think the articles are particularly non-technical. Sure, not everything is a "How do I get the libraries to use/install the v2.0 fishstick.gz I just downloaded" or "I fixed my kernel..blah blah blah", but...Should it be? I mean, that kind of crap should be regulated to technical support groups and IRC. That isn't exactly "stuff that matters"...it only matters for about 5 seconds to one particular individual. I think that the sort of broad-range stories (new breakthroughs/science, legal/ethical issues, etc.) are much more important, and much more suited to a site that purports to be about _News_ and not tech support.

[ Parent ]
I believe breaking news (4.00 / 1) (#15)
by Anonymous Hero on Tue Jul 18, 2000 at 12:23:16 PM EST

As the original anonymous poster, I can report the following.

Alan's diary entry went up late last night. Given that he uses the service for email, I would assume that he noticed the outage pretty much immediately and likely responded quite quickly. Certainly the fact that Alan is no longer accessible for sending bug reports etc is breaking news.

I have seen no news reports beyond what has been reported here.

Cheers,
Ben

[ Parent ]
There is no outcry because clued-in people are ign (4.50 / 2) (#38)
by bkosse on Tue Jul 18, 2000 at 10:23:48 PM EST

ORBS is ranting that Above.Net won't pass their packets. Telecom.NZ (ORBS' provider) screwed up plain and simple. I'm not sure if ORBS is just too stupid to realize that their ISP is screwed up or if they're just being as bull-headed and stubborn as always and simply refusing to see that their ISP is screwed up. Go onto Deja.com and search for ORBS MAPS Paul Vixie and you'll find a few threads, one of which quite well describes the situation, including someone taking the time to read about the actual routing protocols and doing some investigation to realize that yes, indeed, MAPS has nothing to do with this and neither does Above.Net.
-- Ben Kosse
[ Parent ]
Someone fix the subject input field. (4.00 / 1) (#39)
by bkosse on Tue Jul 18, 2000 at 11:00:30 PM EST

The subject of the last message ended with "ignoring ORBS" and I typed it into the text field (not cut-n-paste to exploit a bug in NS), so I believe it should've taken the whole thing.
-- Ben Kosse
[ Parent ]

you're right (4.00 / 1) (#67)
by rusty on Wed Jul 19, 2000 at 04:25:27 PM EST

the subject input code truncates too short. sorry about that-- it's on the TODO

____
Not the real rusty
[ Parent ]
WRONG! (none / 0) (#86)
by Anonymous Hero on Thu Jul 20, 2000 at 12:50:58 AM EST

from my account at apache.org, a traceroute dies within three hops, in the above.net cloud. abovenet IS nullrouting packets to ORBS. if i traceroute ORBS from anywhere else, i get there fine. if the route approaches an abovenet router, it nullroutes. AboveNet is lying if they say they are not messing with orbs

[ Parent ]
Re: WRONG! (none / 0) (#95)
by Anonymous Hero on Thu Jul 20, 2000 at 12:30:34 PM EST

ahem.

I believe the discussion was never if Above.net nullroute them within their own network (which they are entitled to, because it's their own frigging network) but whether or not they broadcast those nullroutes outside their network over BGP.
That's the real issue.

[ Parent ]
Re: There is no outcry because clued-in people are (4.00 / 1) (#87)
by thomas on Thu Jul 20, 2000 at 04:48:40 AM EST

IIRC, the accusation was that Telescum NZ is routing the packets to above.net, who then nullroute them.

I wouldn't put it past Telescum to do this. I'm not going to bother to recount (again) the dodgy stuff they've been up to over the last few years; suffice it to say they would give Microsoft a run for their money. If you must know the details, I listed some of them in a previous message on another story, Here.

If there's a corporate conspiracy in telecommunications, don't be surprised if Telecom New Zealand is involved.

War never determines who is right; only who is left.
[ Parent ]

Fuck Slashdot! (3.00 / 8) (#44)
by Anonymous Hero on Wed Jul 19, 2000 at 01:18:50 AM EST

   Gee, Slashdot didn't cover the dude who got busted by the FBI - see the story above this one - and probably won't. His situation would be vastly improved by a Slashdot campaign, but it won't happen. They just don't have room at Slashdot the way they do things now.

   Everybody who gets frustrated by the inevitable bureaucratic nastiness that they have to face wishes that they could take it to the top. We all want to talk to the King. But the King hires a staff to help him arrange appointments, and eventually they start taking bribes, playing favorites, and soon they're more powerful than the King ever was, and you're right back where you started from.

   Slashdot doesn't cover anything that matters anymore. All they do is post reviews of various vaporware.

   They do their little "social justice" angle by posting the occasional piece of crap by John Katz now and then. And nobody even cares enough to post the ceremonial "Katz you suck" anymore.

   But you can't expect Slashdot to fight your battles for you.

   It's in the nature of these things that they wear out. As soon as Slashdot got good enough to help fight the Man, they got bought out and became the Man themselves. Meet the new boss, same as the old boss.

   We gotta get together on our own. Just cause Slashdot became our voice once, doesn't mean that we can count on it being so ever again. We have to start all over, and will have to over and over again. Slashdot was nice, but it's gone.

   Fuck Slashdot.


[ Parent ]
Re: Fuck Slashdot! (none / 0) (#56)
by kevin lyda on Wed Jul 19, 2000 at 01:33:04 PM EST

is it september already?

[ Parent ]
Re: September, Already? (none / 0) (#59)
by gaudior on Wed Jul 19, 2000 at 02:00:00 PM EST

Always. It is now forever September.
Sigh.
September, and the twilight of rational thought.



[ Parent ]

Re: September, Already? (none / 0) (#62)
by MrEd on Wed Jul 19, 2000 at 03:09:15 PM EST

Not to be a complete idiot, but is this a "back-to-school-with-mommy-and-daddy's-computer" phenomenon you're talking about?

Watch out for the k5 superiority complex!


[ Parent ]
Re: September, Already? (3.00 / 1) (#68)
by Simon Kinahan on Wed Jul 19, 2000 at 04:31:26 PM EST

Once upon a time, when I was about 17, and had only just worked out where this strange netnews stuff on our university computers came from, the net tended to be fairly clueful - and in those days the net meant usenet - except during the short period of time at the start of each school year when every new student got his computer account, discovered usenet and started to cause trouble, leading to a prompt ticking off from his admin, the temporary or permanent removal of said account, and a return of peace - usually achieved by early October. Hence, September. Many mailing lists would stop subscriptions for the month of september to get away from this. With the dawn of the web, the influx of users from public ISPs and the vastly increased numbers of students and workers with web access, we are now in the age of eternal september. I believe 1994 - though it may have been earlier - is known in net lore as the year september didn't end. Admins no longer reprimand users, and apparently intelligent middle aged people do things 17 year old students would have been ashamed of.

Simon

If you disagree, post, don't moderate
[ Parent ]
Re: Fuck Slashdot! (2.00 / 1) (#60)
by Anonymous Hero on Wed Jul 19, 2000 at 02:17:01 PM EST

Get over it already. Postings like this long ago left the realm of usefulness and are now being considered a psychological condition known as "Slashdot Inferiority Complex." Your "anti-bureaucracy, Slashdot's a sellout" rant is infinitely more obnoxious and irrelevant than Jon Katz's articles.

Hey admin - "Any comment may be deleted by a site admin, and all spammers will be deleted." Slashdot-sux rants are getting to the point of spam...

[ Parent ]

Re: Fuck Slashdot! (none / 0) (#73)
by Anonymous Hero on Wed Jul 19, 2000 at 07:26:38 PM EST

How about fuck you, asshole? I would have expected better out of the people on Kuro5hin (after all, I often come here to escape the inane and ridiculous comments often seen on slashdot), but this posting is childish and stupid. As is the person who posted it. So that is a big fuck you to someone with a closed, and probably useless mind.

[ Parent ]
ORBS methods could have been better (4.00 / 2) (#14)
by scheme on Tue Jul 18, 2000 at 12:07:45 PM EST

I don't think that ORB's methods were all that great. My complaint against them was that when they were checking hosts to see if the host was an open relay, they blacklisted hosts that firewalled off. I guess this was to prevent people from blocking the ORB tester but also blacklisted servers that were blocking all incoming SMTP traffic.


"Put your hand on a hot stove for a minute, and it seems like an hour. Sit with a pretty girl for an hour, and it seems like a minute. THAT'S relativity." --Albert Einstein


Re: ORBS methods could have been better (5.00 / 1) (#16)
by Anonymous Hero on Tue Jul 18, 2000 at 12:26:38 PM EST

> I don't think that ORB's methods were all that great. My complaint
> against them was that when they were checking hosts to see if the
> host was an open relay, they blacklisted hosts that firewalled off.

ORBS offered multiple response codes. One of them was "this is a known, verified open relay" and another was "we were unable to test this system due to filters". You had a choice of which you wanted to accept mail from.

ORBS methods were great for dropping spam. 9 times out of 10, my filters killed spam because the junk came from (or went through) an open relay. It caught more spam than all of the others combined.

I did not block mail from systems that were blocking ORBS' probes. My feeling was that if the admin was smart enough to filter ORBS they were smart enough to not have an open relay. Unfortunately, this was not the case, since entire blocks (like RoadRunner cable network) were often filtered. I got a fair amount of spam from those blocks, but it was maybe 1% of the spam that got dropped from the known-relay filter.

ORBS kicked ass.

[ Parent ]
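
The choice described in the comment above (reject on one listing code, accept on another), sketched as a DNS blocklist lookup with a per-code policy. This is an added example, not part of the thread and not ORBS's own code: the zone name is a placeholder, the two return codes and the zone contents are constructed, and the resolver is an offline stub standing in for an A-record query.

```python
import ipaddress

# Everything below is constructed for illustration: the zone name is a
# placeholder and the return codes are NOT the values ORBS actually used.
ZONE = "relays.example.invalid"
VERIFIED_OPEN_RELAY = "127.0.0.2"  # stands for "known, verified open relay"
UNTESTABLE = "127.0.0.3"           # stands for "unable to test due to filters"

# Constructed zone contents, keyed by the DNS name a mail server would query.
ZONE_DATA = {
    "10.2.0.192.relays.example.invalid": [VERIFIED_OPEN_RELAY],
    "20.100.51.198.relays.example.invalid": [UNTESTABLE],
}

# Two receiver-side policies: which listing codes cause a rejection.
LENIENT = {VERIFIED_OPEN_RELAY}             # the policy the commenter describes
STRICT = {VERIFIED_OPEN_RELAY, UNTESTABLE}  # also refuse hosts that block probes


def stub_resolver(name):
    """Offline stand-in for an A-record lookup; [] models 'not listed'."""
    return ZONE_DATA.get(name, [])


def query_name(ip, zone=ZONE):
    """Build the blocklist query name: reversed IPv4 octets plus the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def decide(ip, reject_codes, resolve=stub_resolver):
    """Return (verdict, codes): reject only if a returned code is in the policy."""
    answers = set(resolve(query_name(ip)))
    matched = sorted(answers & set(reject_codes))
    if matched:
        return "reject", matched
    # Either not listed at all, or listed under a code this policy ignores.
    return "accept", sorted(answers)


if __name__ == "__main__":
    for host in ("192.0.2.10", "198.51.100.20", "203.0.113.5"):
        print(host, decide(host, LENIENT), decide(host, STRICT))
```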

Good or bad, this makes me happy. (3.50 / 2) (#17)
by sjanes71 on Tue Jul 18, 2000 at 12:44:02 PM EST

The ORBS people were completely unaccountable for who they filtered-- if you got on their nerves you would never get off the blackhole list-- I found this to be very annoying during the 1999 part of the Presidential Election campaign where Steve Forbes' server was blackholed, the mail server was hosted on the same IP address as the web server, so as a result, I could not get to the webserver or send them e-mail from my home ISP connection. Needless to say, I will always question their true motives regarding the blackholing of Forbes' server-- was it to curb spam or speech? I had no problems controlling my "subscription" to the Forbes system.

With all the talk about new kinds of "email wire taps" and SPAM and what not, I'm about 2 months away from mandating that all e-mail sent to me must be digitally signed and/or encrypted, or I just won't see it.
____
Simon Janes

Really wouldn't get off their list? (3.00 / 1) (#31)
by Anonymous Hero on Tue Jul 18, 2000 at 05:04:53 PM EST

Tell me more. They have published the exact details that they claim will get you off their list, and even provide a web-based interface which you can use. Secure your open relay and tell them to test that it is secure. Did Forbes do that? Ben

[ Parent ]
Re: Good or bad, this makes me happy. (5.00 / 1) (#46)
by Anonymous Hero on Wed Jul 19, 2000 at 03:32:39 AM EST

i was on their list also. As a matter of fact, that's how i discovered ORBs; an email bounced back w/ a message telling us to go to ORB's webpage.
It turned out that there was a hole in the version of sendmail that we were running (8.7.x), that allowed people to relay through us. I don't know if anyone was doing it, but having ORB's page describe exactly how to do it helped greatly in my effort to fix the problem.

2 months later, after it was fixed, i went to ORB's page and had them rerun the test. An hour later, we were off the blacklist. I only wish other sites had as much information (and automation) as ORB's site did.

-dilinger

[ Parent ]
Re: Good or bad, this makes me happy. (none / 0) (#84)
by mr on Wed Jul 19, 2000 at 10:42:08 PM EST

And I had a different experience.

I was probe attacked.

I asked for proof of the spam my host was sending (hint there is not spam from my host).

They list me in the database as OK, and as a static listing.

Now, e-mail hosts list my site as "selectively open relay" when this is NOT true.




[ Parent ]
Re: Good or bad, this makes me happy. (none / 0) (#85)
by Anonymous Hero on Wed Jul 19, 2000 at 11:46:05 PM EST

Erm.. there is no spoon^H^H^Ham. Orbs doesn't care if you have spam or not, that's not what they're listing. MAPS (Mail Abuse Protection System) is about mailservers that spam. ORBS (Open Relay Blocking System) is about open relays. No word about if they send spam or not. If you're listed as selectively open, are there any hosts you *will* accept relaying from?

[ Parent ]
Re: Good or bad, this makes me happy. (none / 0) (#88)
by Anonymous Hero on Thu Jul 20, 2000 at 06:56:50 AM EST

ORBS is NOT about open relays. It is about mailservers which pass their test. For example their test will classify any mailserver which implements exponential RCPT backoffs as open relay while in reality it makes it quite useless for spammers. Netcom implemented this policy years ago in order to get off RBL. Amazingly they managed to get off ORBS after applying some pressure. ISP where I was admin, has similar policy for limited number of domains and so far it worked well. Of course when I contacted ORBS they told me to fuck off in no uncertain terms. Contrast this with other lists which were willing to discuss our anti spam measures and upon reviewing the code we were off the hook.

[ Parent ]
Re: Good or bad, this makes me happy. (none / 0) (#91)
by mr on Thu Jul 20, 2000 at 09:43:49 AM EST

>It is about mailservers which pass their test.

And people who are opposed to their testing methods.

My host is not open, and has never been open. Yet, because I have told them I do not want to be tested in the future AND have blocked their tests (in case they are rude and re-test) my host is labeled as an 'open relay'

[ Parent ]
Re: Good or bad, this makes me happy. (none / 0) (#64)
by Anonymous Hero on Wed Jul 19, 2000 at 03:40:10 PM EST

It seems very unlikely to me that an Orbs ban would lead to any inability to view a website. Orbs is about spam relaying on open relays. So if they ban an address it should only affect the smtp traffic. It is possible that someone could use orbs to route traffic to the bit bucket, but that would be overkill and mostly pointless. So considering this, I doubt very much that Orbs had anything to do with the Forbes website being inaccessible.

[ Parent ]
Re: Good or bad, this makes me happy. (none / 0) (#76)
by Anonymous Hero on Wed Jul 19, 2000 at 08:31:11 PM EST

Huh? ORBS doesn't propagate routing blackholes. If you couldn't reach a website then it's most likely your ISP was blocking access to it. ORBS also isn't in the USA and really doesn't give a flying fig about USA politics.

[ Parent ]
Dear ORBS, please go away. (1.50 / 4) (#18)
by Nat Lanza on Tue Jul 18, 2000 at 12:50:06 PM EST

I really wish the ORBS folks would just go away. Fighting spam is a fine thing, but the way they've chosen to do it is pretty much fighting network abuse with network abuse. Hopefully this squabble with Above.net will kill them, and they'll be replaced by something less antagonistic and abusive towards the admins it's supposed to be helping.

Re: Dear ORBS, please go away. (4.00 / 1) (#24)
by gleef on Tue Jul 18, 2000 at 02:21:07 PM EST

I'm no fan of ORBS myself, but don't want them to be killed by fraudulent IP routing advertisements. If the people who are doing this are allowed to get away with it, it sets a dangerous precedent for the rest of the internet. Imagine the mess if, say, AOL and Earthlink were to get into a routing war.

[ Parent ]
Vixie committing fraud? (4.00 / 1) (#25)
by Demona on Tue Jul 18, 2000 at 02:53:55 PM EST

For an 'out' libertarian as Vixie has been, this is a near-criminal level of hypocrisy. When I first came on the net, Vixie was the moderator of an objectivism mailing list that I subscribed to for a time, and I remember being very impressed when I found out that this same person had helped create such a critical part of the Internet infrastructure (BIND). When the Communications Decency Act threatened, Vixie also helped create an organization of "concerned parents" fighting against overly broad regulation of speech on the Internet, putting a face on the 'opposition' which the statists and Big Mothers ignored at their peril.

However, I remember reading a quote from Vixie at one point that took me more than a little aback (and which frustrates me to no end that I can't find it right now), to the effect that "there can be only one" -- that there could be no competition in the root name servers, that a monopoly was The Only Way. It shocked the hell out of me, frankly. If Vixie is committing the acts he is accused of, he is guilty of fraud at the very least.

Hopefully OpenNIC will be one more step toward a net where the damage from things like this gets routed around.

"Anyone can set up a private TLD, and that has no more significance concerning the IANA root servers than the claims of the various militia groups concerning US territory."

- Kent Crispin, Chairman

gTLD-MoU Policy Advisory Body

August 21st, 1998

-dj

the trouble with an information superhighway is that everyone wants to be a traffic cop

[ Parent ]

Re: Dear ORBS, please go away. (3.00 / 1) (#32)
by Anonymous Hero on Tue Jul 18, 2000 at 05:25:05 PM EST

As many pointed out, these were not 'bogus routing requests' or anything. Those who received and used these announcements *chose* to receive these requests via BGP. They were not 'slipped in' with real requests... they were deliberate. If above.net wants to filter their traffic, that's their prerogative. And it's their customers' prerogative to leave.

[ Parent ]
Dear Hypocrites, Get a clue (1.00 / 1) (#35)
by Anonymous Hero on Tue Jul 18, 2000 at 07:33:15 PM EST

You, sir, are a hypocrite. ORBs is forced on people, but sending their traffic to the bit-bucket is not coercive? If ORBS is abusing their power, don't fucking use them. I don't. But pissing into the stream of public traffic is not the way to fight this, and it smacks of gangsterism. It certainly will knock Above.net off my list of ISPs.

FYI, I use the MAPS RBL for my mail, but if those who claim to HELP me stop SPAM decide to screw the net up with fucked up ego games - and this goes for ORBS, too, as respects not letting people get off their list - then the net will be much the poorer. And then I won't use anyone's cruddy ban list.

If MAPS thinks ORBS is doing a bad job, they should show that they have better resolution procedures and they will win in the end. The sneering tone of some of the stuff at mail-abuse.org does nothing to make their case against the Direct Marketing Association, for example.

I am not a major ISP, so I'm not going to pay for these services as an outsourcing of my SPAM patrol. If I were an ISP who would consider paying for the service, I would not do it unless I knew that there were procedures for dealing fairly with those who run afoul of these lists, since my reputation would then become involved.

[ Parent ]

simple spam filter (5.00 / 1) (#19)
by Anonymous Hero on Tue Jul 18, 2000 at 12:57:32 PM EST

After noticing that nearly 100% of the spam I receive isn't addressed to my email address, I wrote a simple filter which is executed through ~/.forward. It simply looks through the email, checks the To:, CC:, and BCC: fields, and if my email address isn't included, places that email (now "spam" at this point) into a separate file.

I've got two questions: first, how reliable is this system? Am I just getting spam from dumb spammers who send to a.friend@juno.com?

Second, how does this mail get to me in the first place? My email address doesn't appear anywhere in the message, and I don't see how mail can go from point A to point B when point B isn't listed anywhere in the message. Hmm. Something to ponder.

---
chahast at pangaea foo dhs foo org
s/foo/dot

Re: simple spam filter (5.00 / 1) (#21)
by Nat Lanza on Tue Jul 18, 2000 at 01:08:20 PM EST

If your address needed to appear in the message for delivery, then how would mailing lists or blind carbon copies ever work?

The bit you're missing is the envelope address. The address on the message itself is essentially like the address on a formal letter; it's nice and it indicates who the message is for, but it isn't required for delivery. What SMTP actually cares about is the envelope address. Unfortunately, by the time you're actually reading your mail, the envelope is stripped off, and you can't get to that address.

As for your spam filter, I use something fairly similar (toss it into INBOX.spam if it isn't to/cc me directly, from the local domain, or to a known mailing list). I barely get any spam at all anymore.

[ Parent ]
Re: simple spam filter (none / 0) (#22)
by Anonymous Hero on Tue Jul 18, 2000 at 01:13:35 PM EST

The funny thing is that I've done the "telnet localhost 25" thing to play around with sendmail. I've even sent myself dumb messages from god@heaven.org etc. and not realized that the RCPT TO: doesn't show up.

Oh well...

---
chahast at pangaea foo dhs foo org
s/foo/dot

[ Parent ]

Re: simple spam filter (none / 0) (#33)
by KindBud on Tue Jul 18, 2000 at 06:03:50 PM EST

If you are running a recent sendmail (8.8 or 8.9) the Received header added by your MTA should indicate the envelope recipient.

Received: from mail.yahoo.com (mail.yahoo.com [216.115.106.213])
        by a.mx.thekindbud.com (8.9.3/2000012901) with ESMTP id MAA27129
        for <smokin@thekindbud.com>; Wed, 17 May 2000 12:05:01 -0700 (PDT)


--
just roll a fatty

[ Parent ]
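The filter discussed in comments #19, #21 and #33 above, as an added example that was not posted by anyone in the thread: it files mail by the visible To/Cc/From headers and recovers the envelope recipient from the `for <...>` clause of the Received header. All addresses, host names and messages are constructed for illustration, and the sketch assumes the topmost Received header is the one written by your own MTA.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed values for illustration; none of them come from the thread.
MY_ADDRESSES = {"me@example.org"}
KNOWN_LISTS = {"ops-list@lists.example.net"}
LOCAL_DOMAIN = "example.org"
MY_MTA = "mx.example.org"  # host name our own MTA writes after "by"

BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.I)
FOR_RE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?\s*;", re.I)


def envelope_recipient(msg, my_mta=MY_MTA):
    """Envelope recipient recorded by our own MTA, or None.

    Only the topmost Received header is examined: every header below it
    was supplied by the sending side and can be forged. The "for" clause
    is optional, so its absence is a normal outcome, not an error.
    """
    received = msg.get_all("Received", [])
    if not received:
        return None
    top = " ".join(received[0].split())  # unfold continuation lines
    by = BY_RE.search(top)
    if by is None or by.group(1).lower() != my_mta.lower():
        return None
    found = FOR_RE.search(top)
    return found.group(1).lower() if found else None


def header_addresses(msg, *names):
    """Lower-cased addresses found in the named headers."""
    values = []
    for name in names:
        values.extend(msg.get_all(name, []))
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def classify(raw):
    """Return (folder, envelope_recipient) for one raw message.

    Rule from comment #21: keep mail that is to/cc me directly, sent to a
    known mailing list, or from the local domain; file the rest as spam.
    Bcc is not checked because it is normally stripped before delivery.
    Header From is trivially forged, so the local-domain rule is a
    convenience and not an authentication check.
    """
    msg = message_from_string(raw)
    visible = header_addresses(msg, "To", "Cc")
    senders = header_addresses(msg, "From")
    keep = (
        visible & MY_ADDRESSES
        or visible & KNOWN_LISTS
        or any(s.endswith("@" + LOCAL_DOMAIN) for s in senders)
    )
    return ("inbox" if keep else "spam", envelope_recipient(msg))


# Constructed sample messages.
DIRECT = """\
Received: from mail.example.com (mail.example.com [192.0.2.25])
        by mx.example.org (8.9.3/8.9.3) with ESMTP id MAA00001
        for <me@example.org>; Wed, 17 May 2000 12:05:01 -0700 (PDT)
From: Alice <alice@example.com>
To: me@example.org
Subject: lunch

hi
"""

SPAM = """\
Received: from relay.example.net (relay.example.net [198.51.100.7])
        by mx.example.org (8.9.3/8.9.3) with SMTP id MAA00002
        for <me@example.org>; Wed, 17 May 2000 12:06:00 -0700 (PDT)
Received: from mx.example.org by nowhere.invalid for <other@example.com>;
        Wed, 17 May 2000 12:00:00 -0700 (PDT)
From: deals@example.net
To: friend@example.com
Subject: MAKE MONEY FAST

buy now
"""

LIST = """\
Received: from lists.example.net (lists.example.net [203.0.113.9])
        by mx.example.org (8.9.3/8.9.3) with ESMTP id MAA00003
        for <me@example.org>; Wed, 17 May 2000 12:07:00 -0700 (PDT)
From: Bob <bob@example.com>
To: ops-list@lists.example.net
Subject: route flap

details
"""

if __name__ == "__main__":
    for label, raw in (("direct", DIRECT), ("spam", SPAM), ("list", LIST)):
        print(label, classify(raw))
```

For the constructed spam message the visible To: names someone else, yet the Received clause shows it was delivered to `me@example.org`, which is the envelope address comment #21 describes.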
This is indeed an outrage (3.50 / 4) (#20)
by DontTreadOnMe on Tue Jul 18, 2000 at 01:07:20 PM EST

I do not use ORBS, and I have no opinion on the quality, fairness, or effectiveness of their SPAM filtering service.

However, irrespective of how good or bad ORBS may be, what above.net has done is an absolute outrage and an unacceptable attack on the very foundations of the internet.

According to the ORBS page, what they have done is also illegal, at least in the UK. Anyone residing there care to file a criminal charge? You would IMHO be doing the entire internet a service.

On another constructive note, has anyone considered measures to "mirror" the ORBS service, under new/different names, new and different IP addresses, etc.? This could force above.net to be even more flagrant in their abuse (and be an even wider invitation to lawsuits, especially if commercial mirrors are affected). Which brings up my final question: has this impacted Red Hat and Alan Cox's ability to work on the Linux kernel? If so, that is quantifiable damage that above.net's illegal abuses of the net have caused, and certainly actionable in the US.
--
http://openflick.org - Fighting Copyright with Free Media
Please check your information before you post it. (4.90 / 8) (#26)
by freakazoid on Tue Jul 18, 2000 at 02:56:15 PM EST

As far as I can tell, ORBS was added to the RBL because MAPS considers their scanning attempts to be abuse, as do RBL customers. ORBS says that AboveNet is advertising their routes and then blackholing traffic to them, but all of the sites that receive the BGP4 version of the RBL do so voluntarily and *want* these routes. As far as I have been able to tell, AboveNet is *not* announcing these routes to anyone without the explicit permission of the people to whom they are announcing the routes, i.e. the people receiving the routes are RBL customers. To say that AboveNet is announcing their routes illegally is disingenuous at best and downright dishonest at worst. If MAPS customers think that ORBS is a good service and shouldn't be blocked by MAPS, they should either block these announcements or stop using the RBL, or at least the BGP version of it.

In addition, their claim that Vixie is doing this because he wants to make money off his own service shows that a) they don't know Vixie, and b) they don't understand how the RBL works. If a) and b) aren't true, then ORBS is just plain lying to us. Either way, they should get the hell off the net until they learn how to play well with others.

ORBS is a net.terrorist! (3.20 / 4) (#27)
by mr on Tue Jul 18, 2000 at 03:40:22 PM EST

ORBS launched a probe attack against my host.

I wrote to the people running ORBS, and asked:

1) why my host was attacked by their probe.
2) what proof they had that my host was involved in spam.
3) that they should MAIL me this in a letter, as I was going to add them to my access list as reject.

The reaction of ORBS? 'cartoonie threats', and now my e-mail is tagged as 'selectively open relay'. Yet... in the database, my host is listed as OK.

And, to date, the systems that FLAG my mail, their postmasters won't answer mail about why they are flagging my mail.


So, if you don't like ORBS' methods... they apply them to you!

Re: ORBS is a net.terrorist! (none / 0) (#52)
by Anonymous Hero on Wed Jul 19, 2000 at 12:24:43 PM EST

a probe isn't an attack.

Don't be paranoid.



[ Parent ]
Re: ORBS is a net.terrorist! (none / 0) (#83)
by mr on Wed Jul 19, 2000 at 10:32:42 PM EST

ORBS is WORSE than the spammers.

A spammer tries one, sometimes two relay attempts.

ORBS tries 10+ times. And keeps trying.

Oh, and they can't provide proof of why they probe your host when you ask them.



[ Parent ]
Re: ORBS is a net.terrorist! (none / 0) (#72)
by Anonymous Hero on Wed Jul 19, 2000 at 05:49:29 PM EST

If you are so g-damn stupid you think that their probing is an attack on your server, you have no business running a server.

[ Parent ]
Re: ORBS is a net.terrorist! (none / 0) (#82)
by mr on Wed Jul 19, 2000 at 10:30:21 PM EST

>If you are so g-damn stupid you think that their probing is an attack on your server, you have no business running a server.

Shots from a 13 clip gun is an attack. Shots from a machine gun is an attack. Having the 5th division firing is an attack. Or, is the only way you see an attack in this kind of example is the 5th division, and a handgun is just checking to see if you are bulletproof?

A probe attack is a probe attack. One, 13, or 10,000, it is still an attack.

And to say "we are doing this to help you" is a cop-out.

Go visit the NANOG list (North American Network Operators Group) and see how many other 'g-damn stupid' people run the Internet in the US and think ORBS is a net.terrorist.

[ Parent ]
Re: ORBS is a net.terrorist! (none / 0) (#90)
by Anonymous Hero on Thu Jul 20, 2000 at 09:34:03 AM EST

>Shots from a 13 clip gun is an attack. Shots from a machine gun is an attack. Having the 5th division firing is an attack. Or, is the only way you see an attack in this kind of example is the 5th division, and a handgun is just checking to see if you are bulletproof?

But walking down the alley behind your business with a flashlight looking for open doors is not an attack or a trespass. It's a probe. The person doing the probe may be a black hat that is going to exploit any open doors they find, or a white hat that is just trying to be helpful by informing people that have a vulnerability. In neither case is the simple act of shining their flashlight on your property actionable - if it's a black hat the actions taken AFTER doing this will be actionable, but the simple act of shining the flashlight is, at worst, only suspicious.

What you are doing is very much like the case of the crazy old shop owner that went off on the neighborhood watch, chasing after them with his broom and calling the cops to arrest them for daring to project photons onto his property without permission.

What exactly does ORBS do?

They call up your server and try to send an email. If it goes through you are an open relay, and they inform you of the open relay and if you do not correct it within 30 days they list you as an open relay. If you bounce the mail properly, they go on their way. If you block their probe entirely, they list you as 'cannot probe.' Under none of these cases are they attacking you. You placed your box on a public network, and you must know that lots of people out there, most of them (unlike ORBS) with less than honorable intentions are going to be probing you. So how does this test constitute an attack? You want it to be analogous to shooting at you, but shining a flashlight across your building is a much more accurate analogy.

I agree that 'to say "we are doing this to help you" is a cop-out.' IF they were doing anything out of line to begin with - but they aren't. Next I suppose you'll tell me that trying to ping you or do a reverse lookup of your ip is an attack? Please.

If you don't want them probing you, that's fine, block it. That gets you listed only as 'cannot probe' not as an open relay, which is the appropriate and correct classification, and one that most ORBS customers do not block, and those that do block you, well, that's their right and their paranoia. If you are really so concerned about losing connectivity to the most paranoid subset of ORBS subscribers then you know what to do about it, I don't have to tell you. But you obviously are not concerned about that, your own account makes it clear you want nothing more than to be listed in ORBS so you can whine on public forums about their 'fascism.'

You talk as if you think that anyone that's going to send packets to your box is required to get your permission first. This is clearly not the case. By putting it on the public network you've implicitly agreed to have contact with the rest of the network, isn't that the whole point? If you don't want that then for gods sake unplug your NIC.

A more constructive response from you would have been to contact ORBS in a mature manner instead of sending them 'cartoonie threats' and 'demanding' that they answer your asinine questions - 1) why my host was attacked by their probe. - there was no attack. 2) what proof they had that my host was involved in spam. - doh! none, nor do they need any, do you have a clue how ORBS works? It's not MAPS, it's proactive, they look for systems that COULD be abused and notify sysadmins when they find them, the listing part of the service is a last resort. You act like their probing was the equivalent of an FBI raid, and want to know what probable cause they had, when in fact it's nothing of the kind, they aren't trespassing on your server, they are just sending a request that you damn well know can be sent to your server by anyone that chooses, by virtue of your connection to the network, and observing how you deal with the request. Again, the analogy is much more like an inspection from the street with a searchlight, not as you would have it a SWAT raid and tearing your furniture apart. 3) that they should MAIL me this in a letter, as I was going to add them to my access list as reject. - translation, I don't want to talk to you, I'm going to throw a hissy fit and stick my fingers in my ear when you try to talk with me, but I DEMAND that you make me hear anyhow, and when you inevitably fail I will take that as proof that you have nothing to say. The whole thing smacks of you wanting to get yourself listed and deliberately pushing them to do just that, and I've at this point only heard YOUR side of it.

Please, grow up. ORBS isn't perfect, and there are some reasonable people that think they are overzealous, but in comparison to your juvenile response they are gods of moderation. The fact that you are loudly announcing your actions in this matter just goes to show what a profound idiot you must be - you should be ashamed of yourself.



[ Parent ]
Re: ORBS is a net.terrorist! (none / 0) (#93)
by mr on Thu Jul 20, 2000 at 10:06:50 AM EST

>If you don't want them probing you, that's fine, block it. That gets you listed only as 'cannot probe' not as an open relay, which is the appropriate and correct classification,

Then explain this:
X-RBL-Warning: (relays.orbs.org) Selectively open relay

Looks to me like a host:
1) that is listed as 'tested OK'
2) that is queued for re-test (when it was requested to NOT re-test)
3) is in the static listings as 'cartoonie threats'
is listed as an open relay out of simple spite.

How do you get 'untestable' == " Selectively open relay"

>I've at this point only heard YOUR side of it.

Given ORBS is a net.terrorist, and their unwillingness to provide any proof in the form of spam coming from my host, if ORBS were to open their mouth, you would be able to tell they are net.terrorists.

>By putting it on the public network you've implicitly agreed to have contact with the rest of the network,

And any one spammer who tries to use my box as an open relay sends one, sometimes two attacks. ORBS does 10+
ORBS is WORSE than the spammers.
A spammer tries using my box as an open relay, and moves on.
ORBS keeps re-trying. ORBS is worse than the spammers.

>I'm going to throw a hissy fit and stick my fingers in my ear when you try to talk with me
No, that would have been asking for the information and blocking their future attacks WITHOUT telling them they would have to snail-mail the information. They COULD have e-mailed it to me from yahoo.com, hotmail.com or some other site. As they have no proof of my host being used for spam or as an open relay, ORBS *COULD* not respond, because they had no proof.

>But walking down the alley behind your business with a flashlight looking for open doors is not an attack or a trespass. It's a probe.
Sorry no. Being behind my business *IS* trespass.
Nice try to justify the net.terrorists existence, but you did fail.



[ Parent ]
You just made my point (again) (none / 0) (#96)
by Anonymous Hero on Thu Jul 20, 2000 at 04:24:18 PM EST

>Then explain this:
>X-RBL-Warning: (relays.orbs.org) Selectively open relay
>
>Looks to me like a host:
>1) that is listed as 'tested OK'
>2) that is queued for re-test (when it was requested to NOT re-test)
>3) is in the static listings as 'cartoonie threats' is listed as an open relay out of simple spite.

Not only am I not at all certain that everything you imply from that header is true (1 and 2 may or may not follow, 3 is presenting your conclusion as evidence for itself) we have only your word for all this, and honestly every time you post on this your credibility goes down a notch because your axe-grinding is so apparent. I can only speculate (you haven't given your host address so I can't even verify that you are really listed like this, let alone the details of how you came to be listed like this.) If ORBS is really misclassifying you, that is sad, and should be fixed. Assuming you are telling the truth, you should be 'can not probe' not 'selective relay.' If this is the case, and you didn't insist on displaying such a horrible attitude about the case, I have every confidence that problem would be fixed, or more likely never have occurred. The letter you sent, as you describe it, might easily lead a reasonable person to believe that you are indeed a selectively open relay, that blocks the ORBS test thinking you are being really clever and can therefore continue to spam with impunity. I believe you when you say this is not the case, I'm just saying that a reasonable person might well conclude otherwise from the way you responded to them. There ARE defiant open relays out there that have and do try just this.

IF your unconfirmed account is correct, ORBS made a mistake here, but an understandable one, and one that would be easily corrected if only you would quit acting like such an a-hole.

>Given ORBS is a net.terrorist, and their unwillingness to provide any proof in the form of spam coming from my host, if ORBS were to open their mouth, you would be able to tell they are net.terrorists.

Given your conclusion, then your conclusion follows. This is circular logic at its most arrogant and obvious. And there IS NO NEED (sorry for yelling, but you keep ignoring this point which has been made several times by several people to you) for ORBS to prove that spam is coming from your host as they have not alleged that spam is coming from your host! By your own account! Based entirely on what YOU are telling us, they are simply saying that based on the information they are able to gather, there is a suspicion that your host MIGHT be usable for the transmission of spam, NOT that it is being or has been actively used for that purpose yet.

You are insisting that they act like MAPS, but that is not the way they work and not the way their subscribers want them to work (if their subscribers did want this they would simply subscribe to MAPS instead and be satisfied with blocking 5% of spam instead of 90%.) ORBS works not by providing only a list of verifiable unrepentant spammers (a technique that is quite ineffective since very often the spammers have long since moved on to another host by the time MAPS can satisfy their own requirements for listing) but rather by providing lists of sites that are or may be vulnerable to misuse by spammers. The biggest benefit of ORBS comes to all as a 'public good' in that they alert countless sysadmins to unintentional and easily fixed problems before they are exploited. Subscribers to ORBS at their option may block only the verified open relays or both the verified ones and the ones that block probing. Each approach has drawbacks and advantages - ORBS is more effective at stopping spammers, but also more likely to block sites that are not actively spamming, while MAPS avoids the latter problem at the cost of being sadly ineffectual at blocking spammers - and those who subscribe to one or both services choose to use them despite the problems each one has. What part of all this is so incredibly hard for you to understand?

>But walking down the alley behind your business with a flashlight looking for open doors is not an attack or a trespass. It's a probe.

>Sorry no. Being behind my business *IS* trespass.

You really think so? You just made my point about your unreasonable and unrealistic attitude for me. The alley behind your business is NOT your private property, and someone walking down that alley with a flashlight checking your doors and windows IS suspicious, but is NOT criminal - call the cops and all they will do is question them, if they respond at all. If you try to press charges on someone for that you will be informed in no uncertain terms that you cannot because no crime has occurred by your own account. The alley is not your property, and sending photons onto your property from that alley is NOT an act of trespass. IF and WHEN the guy with the flashlight steps onto your property and starts jimmying a door or window, THEN and ONLY THEN has a crime occurred.

And no, the analogy isn't perfect, no analogy is, but this one is on the surface valid, as you implicitly agreed when you tried to counter it with the absurd claim quoted above. It's a helluva lot closer to what is actually going on than your analogy involving the use of firearms.



[ Parent ]
'Selectively Open Relay' (none / 0) (#92)
by Anonymous Hero on Thu Jul 20, 2000 at 09:58:24 AM EST

How does this have anything to do with ORBS first off? You said that their database shows you ok, and some other servers are adding a warning flag to your emails, right?

Secondly, perhaps I am misunderstanding (correct me if I am, please, and do bear in mind I am not a guru) but after reading several of your posts it sounds accurate. You are relying on logging and selectively blocking sites after you notice they are abusing you, correct? So, say if I want to use your server to send email anonymously (anonymous email certainly has its place and is not a bad thing per se) you are allowing that, but if you look in the logs and see that I am sending in bulk, as opposed to an occasional message to a single recipient, you will then cut off my access to your machine - correct?

If that is indeed how you are operating, I applaud you for that, it sounds like an excellent system for anyone that doesn't mind the burden it imposes on you, and it would allow you to continue to allow anonymous email while still stopping UCE fairly well. It's a trade off of course - some spam will get through this way, but allowing anonymous access is arguably (and I would argue) worth it. But that certainly sounds like a "selectively open relay" to me.

Finally, your description of the situation definitely leaves me with the impression that you had a chip on your shoulder and went out of your way to provoke ORBS simply to make a point - and the point, whatever it is, still isn't clear. The other replies to you were unpardonably rude in my opinion, but when they say that you should have handled this in a more mature and reasonable manner that much seems to be true. You fight spam, they fight spam, you have different methods of doing so - does that mean you have to fight each other too? Surely not.



[ Parent ]
Re: 'Selectively Open Relay' (none / 0) (#94)
by mr on Thu Jul 20, 2000 at 10:39:46 AM EST

>You are relying on logging and selectively blocking sites after you notice they are abusing you, correct?

Like any good sysadmin, I rely on my logs to tell me what is going on on my box. That's why I knew named was compromised 5 mins after it happened, and why I watched the script kiddie for 40 mins... and why I typed in halt after I saw him/her issue rm -r *.

That is why I know that ORBS tried 10+ times to use my box as a relay. And I knew it 8 hours after it happened.

And my host has NEVER been an open relay. If it had been an open relay, I'd *LOVE* to see the proof, yet ORBS was unable to provide this proof. My logs don't show my box as ever having been used as an open relay.

>You fight spam,

I admin my box. Spam-fighting is a side effect. And people who launch probe attacks are blocked as part of my adminning.

ORBS chooses to see the blocking not as a sign that their attacks are unwelcome, but of a sign that this host should be listed as "selectively open relay".

>they fight spam,

No, they attack hosts without proof of 'spam' And, people who oppose their methods vocally and in public are slapped with the tag "selectively open relay" due to their database entries.

>you should have handled this in a more mature and reasonable manner that much seems to be true.
Given that ORBS attacked my box without any provocation (proof that it was used as an open relay), and has listed the box as "selectively open relay", and how they act like net.terrorists, why SHOULD I go out my way to be diplomatic?

ORBS *COULD*
1) Gather proof of the open relay condition
2) contact the sysadmin
3) ask to run the probe series
ORBS does none of this. If ORBS had proof, presented this proof, I would have looked at this information and determined if it was true, fixed any holes, etc. And, because my host hasn't been used as a open relay, ORBS would have never gotten *TO* step one.

The manner they conduct the port scanning they do indicates they are nothing but net.terrorists, and as such, I respond to their attacks as one should ANY terrorist....you give the terrorist no quarter.



[ Parent ]
ORBS was the best filter available (4.00 / 5) (#29)
by Anonymous Hero on Tue Jul 18, 2000 at 04:34:50 PM EST

These comments about "my server was attacked!" are idiotic. ORBS worked by attempting to relay mail through a server. If the relay went through (ie, if it was delivered to the probe), the server was flagged as an open relay. If the mail bounced (which it would if you had configured your server in an Internet-friendly way), you were not bothered by ORBS one bit.

Servers that did not allow ORBS to proceed (due to TCP filters or null routes or whatever), were flagged as "cannot be probed" and given a different response code.

Mail admins can choose to block mail for either of those groups. I did some tests and 9 out of 10 spam messages matched the open-relay filter. ORBS caught more spam than ALL OTHER FILTERS COMBINED, even without using the "cannot be probed" filters. FWIW, I did not filter on the "cannot be probed" responses, and neither did a lot of other sysadmins.

The result of this mess is that those of us who are FED UP with spam have lost the most accurate and powerful tool available to us. Oh but wait, MAPS will have a for-pay version of the same thing soon, except that VERIO won't be route-blocking that one....

Saying "I wuz attacked!" is the equivalent of saying "bounced mail fucked up my server!" If that's the case then you shouldn't be running a mail server on the Internet period.

k, thx



Re: ORBS was the best filter available (none / 0) (#50)
by Anonymous Hero on Wed Jul 19, 2000 at 10:34:33 AM EST

Yep - It blocks 90% of all spam... of course, it also blocks 30% of all other mail (at least if you receive email from very many business addresses). I know of one person (who runs their own home based business) who lost their biggest account because ORBS rejected email from that account's server. Yes, some of this is because of poor administration of mail servers by those same businesses, but some because many businesses use PSI for their ISP (PSI has some open relays they won't close - one reason our company quit using them). When we found ORBS rejecting our mail and contacted them, their response was basically "If you don't like it, FSCK OFF AND DIE!" - leaving us to figure out their problem with our mail. If they had been less Gestapo-like and just told us what/where the problem was, we could have begun our fight with PSI sooner. Luckily most ISPs dumped ORBS shortly after starting using them due to customer complaints.

[ Parent ]
Re: ORBS was the best filter available (none / 0) (#80)
by mr on Wed Jul 19, 2000 at 10:20:56 PM EST

>If the mail bounced (which it would if you had configured your server in an Internet-friendly way), you were not bothered by ORBS one bit.

Perhaps that is the way you run your machines without logging.

RESPONSIBLE sysadmins have logs of the ORBS attack.

Looks to me like RESPONSIBLE sysadmins are bothered. Go look at the NANOG list for people who ARE bothered by ORBS.



[ Parent ]
Alan Brown != Alan Cox (2.00 / 3) (#30)
by Anonymous Hero on Tue Jul 18, 2000 at 04:53:31 PM EST

Can I get a "d'oh" ?

This story is not the case (5.00 / 4) (#36)
by David Gerard on Tue Jul 18, 2000 at 08:54:56 PM EST

ORBS goes through Telecom NZ. Telecom NZ gave the routing to AboveNet this way.

AboveNet have told ORBS they are unwilling to route their packets, and that ORBS should tell Telecom NZ to stop advertising ORBS as routable through AboveNet.

ORBS is kicking up a stink to get AboveNet to pass their packets. But they're not an AboveNet customer.

Then they're just trying to get their users to put (none / 0) (#57)
by freakazoid on Wed Jul 19, 2000 at 01:38:13 PM EST

If this is really the case, then maybe they're not even on the RBL as I had initially thought, and they're just going for some sympathy from their users to blackmail AboveNet into routing their packets. AboveNet has much larger competitors than ORBS, so the claim that they want to promote their for-pay version of the same service seems absurd at best. I would have considered using ORBS in the past, but if they're going to shut down just because of something stupid like this, I guess I'm going to have to find a more reliable service.

Perhaps it would be better to use a more passive form of ORBS's scanning, using headers from actual spam to determine who has an open relay. Actively scanning for open relays may be more proactive, but they really should not be listing hosts they can't probe, because people will block using that list, which is bad IMHO if the goal is education. Also, as has already been mentioned, it generates more traffic. Someone who's blocking ORBS's scanning intentionally probably already knows their host is an open relay, and if people are spamming through them they should be added to a real blacklist like the RBL.

[ Parent ]
Re: This story is not the case (none / 0) (#71)
by Anonymous Hero on Wed Jul 19, 2000 at 05:29:46 PM EST

>ORBS is kicking up a stink to get AboveNet to pass their packets.

Ummm... NOT!

ORBS doesn't want AboveNet to pass their packets. It wants AboveNet to quit broadcasting nullroutes to the ORBS nameservers!

AboveNet is not just refusing to carry traffic intended for ORBS - while that is stupid of them, and earns them no goodwill, that is perfectly within their rights and no one is disputing that. BUT they are ALSO advertising themselves as a route to ORBS, deliberately SOLICITING traffic intended for ORBS just so they can dump it to /dev/null.

ORBS update on the situation should be read before you go around making stupid claims like that.

Legal advice is that advertising routes to ORBS at these internet exchanges is a breach of applicable criminal laws in the UK and in Austria and may result in seizure of all above.net equipment in London Internet Exchange if anyone feels wronged enough to file a criminal complaint about the theft of packets.

If above.net do not wish to carry ORBS traffic, that is their decision and if they choose to blackhole traffic internally, that is also their decision. However advertising routes to ORBS outside their own network in order to attract network packets destined for ORBS and then dump that traffic once it is inside their network is fraudulent.

If above.net truly thought ORBS was abusive as they claim, they would be blocking packets from ORBS, not to ORBS and they would be taking care not to advertise routes to ORBS pointing into their network at peering points.



[ Parent ]
Re: This story is not the case (none / 0) (#75)
by Anonymous Hero on Wed Jul 19, 2000 at 08:23:34 PM EST

ORBS did tell telecom NZ to stop advertising routes into above.net - and they did - for less than a week.. Various threats are being made at Telecom NZ by above.net, it appears that they were bullied into turning the routing adverts back on by Above.net's Dave Rand, and Paul Vixie according to reports from telecom NZ technical staff. That's why the top link on the ORBS page is to chris.thompson@team.xtra.co.nz - he's the spineless wimp responsible for kowtowing to above.net's threats.

[ Parent ]
If you ACTUALLY had a CLUE (3.20 / 5) (#40)
by Myrcurial on Tue Jul 18, 2000 at 11:05:26 PM EST

The people who are involved in this little debate - and believe me, it's all about the people. Are above reproach. They are more responsible about and for the internet than any of you dingbats. You sound like my customers complaining when I tell them to give me a password to activate their new account ("I can't tell you my password, then you could get into my account." "Yeah lady, I own the damn server, I can get into it any old time.")

Both Avi Freedman and JD Falk (above.net CTO and mail-abuse uberguru) know more about what's going on than you do. This story is about the jack-boot methods of ORBS. ORBS is a pox on the face of the internet. The way they "do business" is akin to the way that any fascist control regime does - you do things their way - or else.

Squelching ORBS out would be a good thing for all of us. Stick with MAPS - at least Vixie and Falk have a clue about how all this stuff works. And heck, if they want to sell an advanced version to fund the free version - the more power to them.
Do not meddle in the affairs of sysadmins, for they are quick to anger, and devastating in power.
Re: If you ACTUALLY had a CLUE (none / 0) (#41)
by Myrcurial on Tue Jul 18, 2000 at 11:12:18 PM EST

Damn... get off on a rant and make a critical error... forgot a word.

Avi Freedman is the former CTO of Above.net, now the CTO of Akamai

M

Do not meddle in the affairs of sysadmins, for they are quick to anger, and devastating in power.
[ Parent ]
Re: If you ACTUALLY had a CLUE (none / 0) (#47)
by tarcus on Wed Jul 19, 2000 at 07:15:24 AM EST

You don't have to use ORBS if you don't want to so if someone disagrees with ORBS they don't use it. MAPS are trying to stop ORBS because they want their business.

[ Parent ]
Re: If you ACTUALLY had a CLUE (4.30 / 3) (#48)
by Anonymous Hero on Wed Jul 19, 2000 at 08:30:24 AM EST

above.net is blatantly and openly fucking ORBS over just to make money? Yep. Sounds like just the angle to play up if yr gonna post to news sites like kuro and the Other Site.. that'll get the geeks all self-righteous and worked up enough to write pompous messages denouncing the little children who characterize ORBS as nazis.

Don't forget Alan Cox thinks ORBS r00lz, so of course above.net gets to play the _Evil_ Stickman in this predictable scenario..

People are not kneejerking when they call ORBS a bunch of petty fascists. Frankly that isn't far from the truth. Their history is a long and dark one of dirty tricks and political games. I've seen and heard countless complaints from people who one way or another got screwed by ORBS in the past year and a half or so. I've been an admin on networks that got screwed by ORBS, including free public access servers that people relied upon for mail.

Someone above mentions that all these foolish little people are disregarding the fact that they could just switch their MTA settings to be slightly less fascist. Well, dumbass, not everyone is the admin of their own networks. Not too many people get mail straight through to their box. Instead they rely on admins like yourself to make certain that the legitimate mail gets through to their accounts. And unfortunately, as you probably already realize, many admins are either stupid or lazy about things like this. Living in the ivory tower of high technical wizardry can sort of fsck up your understanding of how important mail from some evil server with an open relay or (god forbid) a firewall up might actually be to someone.

Last but not least, the fact that ORBS likes to blacklist people who block their probes is horseshit. They'll scratch yr whole class c out if you wanna fuck around like that, buddy. But they're not fascists. Noooo..

It is JUSTICE that above.net took such drastic measures to fuck ORBS. It's the same game ORBS has been playing with lots of other people (including above.net) for ages now. Wait until someone gets a chance to document the entire sordid story here, besides the ORBS camp and their spin. A lot of you don't even act aware of the fact that ORBS _does_ have considerable power, and that they have known it and abused it for ages. You need a history lesson.

[ Parent ]
Re: If you ACTUALLY had a CLUE (none / 0) (#54)
by Anonymous Hero on Wed Jul 19, 2000 at 12:56:28 PM EST

Hey cock face: above.net is doing something far worse than blackholing someone on a voluntary service. They're blackhole routing ORBS itself. Regardless of who is doing it to whomever else, it's fucking wrong, and breaks the internet.

If you don't like what ORBS is doing to your upstream mail provider, fucking switch your service. You can't do much if above.net is poisoning the routing tables, though.

It wouldn't be any different if TimeWarner decided to blackhole Microsoft traffic.

[ Parent ]
Re: If you ACTUALLY had a CLUE (none / 0) (#65)
by Anonymous Hero on Wed Jul 19, 2000 at 04:02:02 PM EST

This may be unprofessional/inappropriate: But you're a dipshit. Based on your attitude, I wouldn't trust you to operate a light switch, much less a server. Jesus; don't bitch at the people here who might actually have an INFORMED opinion. Do you work for someone related to the MAPS system?

[ Parent ]
People Shmeople (4.50 / 2) (#43)
by Anonymous Hero on Tue Jul 18, 2000 at 11:37:30 PM EST

I know who the MAPS people are, they are good-minded, hard-working folks.

But in the end it is the technology. ORBS blocked 90% of spams, while MAPS RBL+RSS catches 5% max (until this latest fiasco, you could test this yourself by pasting the headers into spamcop.net and other sites that did the lookups on your behalf). I'll take the 90% thank you very much.

It is my mail server, and I can filter incoming on whatever I want. If you don't want to pass my filters, then fine, block them out. I'll still get your mail (as will many others) but will get it later. If you have an open relay, chances are good I didn't want to talk to you anyway.

In that light, ORBS isn't a fascist regime, but is a facilitator for a meritocratic system of operations. It's the mediocre that fear meritocracies.

Re: People Shmeople (none / 0) (#61)
by karmageddon on Wed Jul 19, 2000 at 02:29:22 PM EST

>I know who the MAPS people are, they are good-minded, hard-working folks

I don't know them. Though I've seen references to this debate over the last few years, I'm new to it, and have just started to try to learn the "truth", whatever that is.

It is very hard to get information that is untainted. I will say this: the MAPS side issues many vitriolic statements against the ORBS side. The ORBS side seems to be a bit more hard-core about spam, but they also seem paradoxically less emotional. The use of so much propaganda by the MAPS side ("terrorist"?) makes me not trust the MAPS side.

Unrelated, but just the other day I was reconfiguring the rules for a newly installed sendmail, and I went to the MAPS site for some info. I saw the "volunteer to help" link and I thought, what the heck, maybe I will. In order to approve my application, they want a detailed list of what I'd done to fight spam. The paranoid person inside of me thought, "what if these guys are in cahoots with the spammers? how do I know? I'm not giving them detailed information about me!". Now, I don't mean that as FUD: I admit, I'm paranoid. But in the same way that I don't fill up Microsoft's databases with info about me, I'm not about to put the info anywhere else either.

Thank you for that 90%/5% datapoint (I hope it's accurate, but who knows :) I think I'm going to go with ORBS. MAPS just doesn't fill me with trust. I mean, the testing that ORBS does does not sound like a burden for a mail server. Understanding and ignoring the log files generated does not seem like a burden for an SA. And, above.net certainly seems to have a big conflict of interest here.

[ Parent ]

A little clarity. (4.80 / 4) (#45)
by Anonymous Hero on Wed Jul 19, 2000 at 03:16:39 AM EST

You people that complain about how ORBS blacklisted innocent people need to understand how the blacklisting is done. MTAs do host lookups through dns, to see if a host is blacklisted. For example, if host 202.202.202.202 is trying to relay mail to my mail server, exim (my MTA) will try to resolve something like 202.202.202.202.orbs.org. (note that it's been a couple months since i've played w/ this stuff, so there may be incorrect details. The point is still the same). If it could not be resolved, then the host wasn't blacklisted at all. If it resolved to 127.0.0.1, then the host was an open relay. If it resolved to 127.0.0.2, then the host was blacklisted due to firewalling off ORBS's relay checker. And so on. Any intelligent MTA could differentiate (Exim-3.14+ added support for it) between the blacklist type, and reject only certain types. So, for all you people complaining about places that were blacklisted due to their admins' refusal to let ORBS probe: you could have easily told your MTA to allow these places' emails through. ORBS's overall techniques were harsh, but they were not the nazis you people make them out to be. I for one liked ORBS, based on the fact that they stopped 90% of my spam, as opposed to RBL/RSS/etc, which seems to block, at most, 15%.

-dilinger
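
The per-code policy described in the comment above, as an added Python example that is not part of the original comment and is not Exim's or ORBS's own code. The zone `dnsbl.example`, the sample records and all function names are constructed; the two return codes carry the meanings the comment gives them, and the octet reversal in the query name is the standard DNSBL layout.

```python
import ipaddress
import socket

# Return-code meanings as given in the comment above (assumed, not verified).
OPEN_RELAY = "127.0.0.1"
BLOCKED_PROBE = "127.0.0.2"
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the list's zone (RFC 5782 layout)."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")


def system_lookup(name):
    """A records for name via the system resolver; empty set if none."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:
        # NXDOMAIN and resolver failure both land here: fail open, so a list
        # that goes dark never blocks mail on its own.
        return set()


def classify(ip, zone, reject_codes, lookup=system_lookup):
    """Return (action, reason) for a connecting client address."""
    answers = lookup(dnsbl_query_name(ip, zone))
    if not answers:
        return ("accept", "not listed")
    # A DNSBL answers inside 127.0.0.0/8. Anything else means the zone is
    # wildcarded, parked or rewritten by a resolver, and is not a listing.
    codes = {a for a in answers if ipaddress.ip_address(a) in LOOPBACK}
    if not codes:
        return ("accept", "answer outside 127.0.0.0/8 ignored")
    hits = sorted(codes & set(reject_codes))
    if hits:
        return ("reject", "listed with " + ", ".join(hits))
    return ("accept", "listed only with tolerated codes")


# Constructed records for a made-up zone; these are not real listings.
SAMPLE_ZONE = {
    "10.2.0.192.dnsbl.example": {OPEN_RELAY},
    "20.2.0.192.dnsbl.example": {BLOCKED_PROBE},
    "30.2.0.192.dnsbl.example": {"203.0.113.7"},
}


def sample_lookup(name):
    """Offline stand-in for DNS, backed by SAMPLE_ZONE."""
    return SAMPLE_ZONE.get(name, set())


if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(client, classify(client, "dnsbl.example", {OPEN_RELAY}, sample_lookup))
```

Passing `{OPEN_RELAY}` as `reject_codes` rejects tested open relays while letting through hosts listed only for blocking the probe; adding `BLOCKED_PROBE` to the set rejects both.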

Re: A little clarity. (none / 0) (#79)
by mr on Wed Jul 19, 2000 at 10:13:39 PM EST

>So, for all you people complaining about places that were blacklisted due to their admins' refusal to let ORBS probe:

So, as an admin you should let attacks of your network and machine happen?



[ Parent ]
Re: A little clarity. (none / 0) (#97)
by Anonymous Hero on Thu Jul 20, 2000 at 07:36:50 PM EST

Attack? Perhaps we have a different definition of attack. I consider an attack to be either a DoS or an attempt to break into my servers. A portscan is a borderline attack; it may be malicious, it may not be. An attempt to send mail through my mailserver is most certainly not an attack; that's what it's there for. If it was a substantial amount of mail, then yes, i'd consider it a DoS attack.

You're connected to the internet. You're going to get scanned. You're going to get attacked. Personally, i don't mind people portscanning my machines. It's not exposing anything that couldn't have been exposed by a patient person who manually connected to all of my ports to see if they were open. As long as i have secure daemons running on my system, portscan all you want. As a matter of fact, if you find a strange port open on one of my boxes, by all means, tell/ask me about it. Who knows, i may just discover a backdoor from an unauthorized (or even authorized) user. Same goes for mail relaying. Try all you like to send mail through my servers, as long as it doesn't affect my bandwidth, and you tell me about it if there's anything wrong.

-dilinger

[ Parent ]
how I filter spam (none / 0) (#69)
by skeezix on Wed Jul 19, 2000 at 04:42:19 PM EST

I have a procmail recipe that only sends mail from a list of trusted users, i.e. my address book. Any other mail goes in a folder called "junk" which I clean out at my leisure. Just an idea some of you might find useful...

ORBS and Above.Net (none / 0) (#74)
by Anonymous Hero on Wed Jul 19, 2000 at 08:03:32 PM EST

Why is everyone confusing the RBL with AboveNet?

They aren't the same.  Paul Vixie and Dave Rand keep the RBL as a
personal matter.  Just because AboveNet subscribes to the RBL doesn't
make them the RBL.

People ALWAYS confuse this issue.

AboveNet != RBL

AboveNet blackholed ORBS because of their intrusive tests.  If ORBS had
met AboveNet on a common agreement there would be no problem.  But
no, ORBS has to be stubborn and continue to do what they were asked
not to.

If someone kept coming in your backyard to make sure your windows were
locked, you would get upset and make them stop.  Why is there such a
problem with AboveNet telling ORBS to piss off and take their "tests"
elsewhere.


Re: ORBS and Above.Net (none / 0) (#78)
by Anonymous Hero on Wed Jul 19, 2000 at 08:39:39 PM EST

Funny personal matter. MAPS is a LLC with 13 staff and fee-based options. Paul Vixie is also on the board of whitehat.com - a mailing list provider. Yesmail (another mailing list provider, with dirty lists) has successfully filed a temporary restraining order against Paul Vixie's MAPS company. Whitehat.com have made media comments. How long before above.net nullroutes yesmail (if they haven't done already)? How long before Yesmail starts invoking Sherman act clauses or RICO laws? Whether Yesmail is in the wrong or not, it's a distinct possibility that they may take this tack. What happens then?

[ Parent ]
Re: ORBS and Above.Net (none / 0) (#100)
by Anonymous Hero on Fri Jul 21, 2000 at 09:45:34 AM EST

Please,

Do you think any judge in his right mind wouldn't issue a restraining order
until he can try to figure out what is hurting what.

It would be stupid not to.  MAPS will prevail, and Yesmail can eat a fat one.
They know what they do is bad, but it makes them money, so they will get
publicly spanked for trying to smooth it over with the public.


[ Parent ]
(none / 0) (#98)
by Anonymous Hero on Thu Jul 20, 2000 at 07:58:08 PM EST

Periodic testing is not an attack; it's a verification service that professional administrators of other mail systems appreciate a great deal. On the other side, I always welcomed ORBS probes, since the probes told me that my mail servers were running right.

MAPS wants it so that spammers get to tell admins when their mail servers are not running right. Ummm, no thanks, I'll take proactive notification any day.

The only people who fear the handful of bounces generated by ORBS probes were people with open relays. Is that you?



Re: Proactiveness, ORBS wasting my time, Net Hero (none / 0) (#99)
by kdz on Thu Jul 20, 2000 at 10:21:45 PM EST

>Periodic testing is not an attack; it's a verification service that professional administrators of other mail systems appreciate a great deal. On the other side, I always welcomed ORBS probes, since the probes told me that my mail servers were running right. .... I'll take proactive notification any day.

I wouldn't call an administrator who waited for ORBS to test them as being proactive nor professional. Administrators should test their servers before making them available to the others.

>The only people who fear the handful of bounces generated by ORBS probes were people with open relays. Is that you?

It's only a handful if you have one server. I have many. I got tired of having ORBS waste my time long ago... so into the netblock filter they went. I hope they stay down for good.

As far as MAPS goes, I'll continue to use them. They try hard not to list folks. And Paul, as far as I am concerned, is a net-hero... (and I'm not talking about because of his MAPS efforts which are, in themselves, quite heroic).

[ Parent ]
