Forgot your password?
typodupeerror
This discussion has been archived. No new comments can be posted.

Internet Vigilante Justice, SPAM, and Copyrights

Comments Filter:
  • I don't run or maintain any mail server that I use, so I can't beat on the spammers the way I want [spews.org]. There's no way that I can say "My server, my rules" as clearly as I could by using the SPEWS blacklist. The best I can do is send the LARTs and hope the spammers get nuked. *sigh*

    • You want to beat on spammers using spews.org? And here I thought you linked to some quite violent imagery involving a steel pipe and some quick lime.
  • His relay is open (Score:5, Insightful)

    by ccandreva (409807) <chris@westnet.com> on Wednesday September 11, 2002 @10:24AM (#4237066) Homepage
    This article demonstrates the problem we are up against getting people to secure their networks.

    His mail server is an open relay, and he still doesn't realize it. Worse, he's a lawyer. These are the people that will be setting policy.

    I wonder if it is even worth e-mailing to explain the situation to him.
    • Re:His relay is open (Score:3, Informative)

      by dattaway (3088)
      Road Runner allows [rr.com] me to run my own mailserver. This allows me to run my own spam rules and have my own domain name; however, when they scan it and find an open relay, they would shut me down in a heartbeat. I feel this is a good example of a responsible ISP.

      All ISP's need to scan customers for annoying vulnerabilities. It is not a violation of privacy, it helps everyone. Especially if we want to eliminate sources of spam.
    • Re:His relay is open (Score:5, Informative)

      by schon (31600) on Wednesday September 11, 2002 @10:38AM (#4237229)
      His mail server is an open relay, and he still doesn't realize it.

      His mail problem is that he doesn't understand what an open relay really is.

      He says "I block SOME relayed mail, so therefore my relay isn't completely open, so therefore it's not an open relay."

      Well, if a door is ajar, are you going to argue that it's not open? If it's not closed, it's open.

    • by Irvu (248207)
      If what he says is true then his server is not as secure as it could be but it is hardly completely open. What should he be doing that he is not? What standard of hackproofing should every Mom & Pop on the internet have to meet, and why?

      • Re:How? (Score:3, Insightful)

        by ptomblin (1378)
        There is no reason to allow sites from outside your LAN to relay through your mail server based just on the From line or the MAIL FROM smtp command. At the very least, it's pretty trivial to only allow mail to be sent to outside the LAN (or localhost) if it comes from inside the LAN. If you need to be able to send email through it when you're at work or away on business, for example, then set up an SSL tunnel or some sort of authentication.

        A good 10-20% of all the spam I get has headers forged to look like it came from me or from mailer-daemon on my site. Allowing mail to go through based on where it claims to be coming from, rather than where it actually is coming from, is just plain stupid. Spammers lie. Their entire business model is based on a lie, so why would you assume that they'd never lie about being from your domain?
        • Re:How? (Score:4, Interesting)

          by dougmc (70836) <dougmc+slashdot@frenzied.us> on Wednesday September 11, 2002 @12:58PM (#4238483) Homepage
          There is no reason to allow sites from outside your LAN to relay through your mail server based just on the From line or the MAIL FROM smtp command.
          Incorrect. There is a reason -- convenience. It allows him to go anywhere and send mail without even changing his relay.

          However, the reason to not do this is that it's insecure. A large percentage of the spam I receive claims to be from the domain that it's being sent to, so his system would happily relay it.

          The second reason should trump the first reason, but obviously if you're a clue resistant lawyer with a chip on your shoulder, it doesn't.

          For those who appreciate irony, consider this --

          He's basically written this big diatribe, which to spammers says `hey! you can relay through my mail server!' ... so a spammer finds it, and forges their spam to allow it to go through it, and uses it to spam the world. Then somebody gets flooded with these spams, and sues our friend Bret. They can even use his article as evidence that his mail server was open and he knew it, but that he refuses to secure it.

      • Re:How? (Score:3, Insightful)

        by Rik van Riel (4968)
        What standard of hackproofing should every Mom & Pop on the internet have to meet, and why?
        As far as I'm concerned, everybody has the right to decide exactly how secure they make their server.

        The flip-side of this liberty is that I have the full right to accept or deny any email I want and I have chosen to block email from open relays, so if Mom & Pop want to mail me, they'll have to make their server secure enough to meet my standards.

        Btw, I'm using DSBL [dsbl.org] for my open relay and open proxy blocking...

      • Re:How? (Score:3, Insightful)

        by walt-sjc (145127)
        If it's not closed, it's open. Virtually all spammers forge headers - this is a VERY WELL KNOWN fact. What he SHOULD be doing is securing his mail server against unauthorized relaying. Restricting a mail server to only relay from email addresses from your domain is NOT enough. It needs to be based on IP address, SMTP Auth, or other mechanism that truely restricts unauthorized use. Information is widely available on the net on how to secure your server, so I'm not going to repeat it here, but you can check out http://spam.abuse.net/adminhelp/ for some info.

        Most Mom & Pop's don't run thier own mail servers. If you don't have the knowledge to secure your mail server then you shouldn't be running one. You should use your ISP's. If you don't know how to drive a car, you probably shouldn't drive until you get some education. Take a cab or bus instead. It's the same thing.
    • The internet is often a useful tool for communication. It's also often a tool for complete idiots to share their useless opinions with the masses. This guy has an insecure mail server, gets blacklisted, and asks the blacklisting org to check his mailserver. He then bitches when they find a hole and get in, and decides he should sue them for illegally entering his server.

      He claims they caused damage, but all they did was fulfill HIS request to double-check his server, and didn't in any way disrupt any functionality of his server, other than using an existing hole

      Another spam-pigeon who thinks his right be leave his ass flapping in the wind overrules the rights of others who don't wish to get a gazillion messages bounced off his insecure server.

      A few quotes to laugh at:
      I asked the blackhole list service if it would kindly re-scan my mail server and make another determination as to whether it was an open relay

      For one, the Danish antispam organization falsified an email header to gain access to my mail server

      At a minimum, I ought to be able to sue the Danish company for the damage it caused me from its illegal access.

      Debating on anonymously spamming this guy with a few, 'got spam? you're a moron' messages from his owner server... - phorm
    • One could have predicted that the vast majority of Slashdot readers would have responded with, "This guy is an idiot because ... misconfiguration ... blah blah" without addressing the underlying complaint. The more important issue is that a group of unregulated volunteers (albeit well-meaning volunteers) has the power to block any server from sending mail, by placing it on a blackhole list. Nobody is holding these people accountable for the power that they wield, and their grievance procedures are either obscure or non-existent.
      • But they have a greivance procedure, and it worked exactly as it was intended to. Upon request they quickly tested and confirmed that they could still use his server to relay mail.
      • Aren't they accountable to their users? If a blacklist kept me from getting mail that I wanted, or if I thought the list maintainers were trigger happy and too eager to add unwarranted entries, then I would stop using that blacklist.
      • Well, by the same argument, a group of essentially unregulated commercial interests has the power to decide which companies can manufacture DVD players. People are trying to hold these people accountable for the power that they wield, and they don't have grievance procedures.
      • Let me first state, that it's obvious that blacklists can be abused. Only until now they're the only means to get a grip on the spam problem, and that is, what gives them so much power. If there were other ways to fight spam, noone would need to rely on these blacklists. Also they apparently do more good than bad, or they wouldn't be in wide use. In the end the operators of the mailservers decide if they rely on those lists or not. Also this system can't work if there's a large overhead and every action has to be considered for two weeks before anything is done, so a flexible organisation that isn't hindered by procedural overhead is necessary or it won't work at all.

        So while your statement is true that the blacklist operators wield much (maybe too much) power, they have that power because their system at least works. And one reason why there's no better way to deal with spammers is that there's no legislation in place so one could sue spammers and ruin their business.
    • Yes, this is pretty much what I Was going to say:
      How had it gained access to my mail server? Simple. It had forged the headers on its email to convince my mail server that the email it sent was from a permitted user. You see, my mail servers were set up to pass mail only from a domain name of which I am the only user. It blocks everything else. That's not an open relay. Unless you're a user in my domain, you can't use it.
      Blocked
      The group based in Denmark had pretended to be me, forged an email as though it had come from an address that only I am authorized to use, passed it through the mail server in my house, and then placed me on a list of people who should be blocked from sending mail. They circulated that list around the world. ISPs used by my friends and family here the United States subscribed to this list. Now, through no fault of my own--and in fact because of the trickery of Danish email activists--I was no longer able to send email to many people in my address book.
      It's hard to describe how angry this made me. The Danish consortium had lied about their identity, and I was paying for it.

      In other words, he wants to solve his security problem via legislation rather than the appropriate technical fix. He's upset because someone "lied about their identify" (gasp! on the internet? I hope he doesn't go into many chat rooms) and was thus able to send mail.

      This guy is an idiot. He has an open relay. He should be hit on the head with a lead pipe (in the conservatory?) for his idiocy, and his machine flooded out of existence for his open relay. Now THAT is vigilanteism.

      • Re:His relay is open (Score:4, Informative)

        by Permission Denied (551645) on Wednesday September 11, 2002 @01:37PM (#4238717) Journal
        I worked for this department that was running Appleshare IP 6.x for mail services. Of course, this wasn't my choice, and it took quite a while to convince them to move to something else (ASIP has these pointy-clicky user management tools).

        Anyway, ASIP only allows you to selectively allow relaying based on domain name, just like this guy is doing. It, of course, doesn't explain this as the documentation is truly useless. Also, it doesn't allow you to do IP-based selective relaying, which is what people actually need.

        This is a completely useless feature. You can simply do "MAIL FROM: somelocaluser@yourdomain.com" and it allows mail through. Then, in the actual mail message, you add a header "From: spammer@otherdomain.com", and the second thing is what most users (who don't read relay headers) will see.

        Someone else figured this out, and on a Friday evening, our server started spewing out LOTS of spam.

        Now, I couldn't simply put up another mail server, as ASIP keeps all of its mail in one large, monolithic file, so I couldn't, for instance, export the mail to a qmail machine. Instead, I put the ASIP box behind a firewall so that NOBODY could connect to it. Then, I set up a secondary MX record for the box pointing to a Linux machine running qmail. Then, I poked a hole in the firewall to allow mail to the ASIP box ONLY from the Linux box (and from a couple other IPs for which it actually needed to do the relaying in the first place). Yes, this is quite a hackish solution, but Apple's software was extremely defficient and I was sick of working with it.

        The point? This is an open relay, and it will be abused once some spammer runs out of open relays that don't even do "MAIL FROM:" checking. Whether or not this guy is an idiot, I don't know, but what I do know is that this guy needs a real admin.

    • I really doubt it's worth explaining. He's all excited about being able to file a lawsuit now. But here's what I might say....

      If an email server is open to spammers who choose to be dishonest about who they are (i.e. all of them) then it is open. No point trying to argue that it is closed. If these people had any honesty would they be trying to sell the questionable products and services they do? To the people sending spam it doesn't get much more open.

      What you've missed is that you're having trouble sending email because a very great number of people want you to have trouble until you close your relays in a certain way. A little group in Denmark has no power at all unless what they say is reasonable and accepted by said people. The RIAA would have to pass the same test to have addresses suspected of involvement in piracy banned also and doubt they would have the same kind of support, as they are not addressing an issue that is universally annoying (as is spam), and they have generally made asses of themselves - but they could try to do the same thing, yes. You could too - start your own campaign to have those Danish guys ignored! Oh but wait, everybody agrees with them and not you.

      Too bad you feel you have to file a lawsuit. You might win, and the guys in Denmark might have a good laugh and have their stereotypical image of an American lawyer confirmed. They might even have to stay out of the USA, but you still won't be able to send your email. The net effect is probably that you will be invited to kiss some Danish ass. For real results you would have to file suit, and win, against everyone who does not accept your email. Kind of like the RIAA choosing to target tools that facilitate copying rather than the people who actually do the copying. Has that strategy worked?

      Now the RIAA appears to be targeting individuals - finally they understand! You might like to read this if you think the RIAA could demand blocking like those guys in Denmark - ISPs don't appear ready to acts as rent-a-cops for the RIAA.

      http://news.com.com/2100-1023-957332.html

      "But at the same time, any private operator at an end point in the Internet's architecture can restrict the flow of content to a user."

      For an "internet attorney" you don't appear to understand much about the internet. Unless, as I suspect, this is just hyperbole from a guy who wants to get his own way.
  • by kramer (19951) on Wednesday September 11, 2002 @10:25AM (#4237074) Homepage
    His server was set up so poorly that all it took was a forged header saying it was from his domain to get a message through?

    Sounds like he should have been blocked. Come on, at the very least do some ip checking. It sounds like his server wasn't a textbook open relay, but it was pretty close.
  • Since his address is now blackholed anyway, maybe he should just start up a relay service, and charge spammers to use it?

    Anyway, I think he should pick up the phone and call the dudes in Denmark. I think that being on an e-mail black hole list means never being ABLE to say you're sorry...

  • Test fails = relay (Score:2, Insightful)

    by cjustus (601772)
    If test server managed to send an email through the mail server by forging mail headers, you can bet that the spammers can use the same technique...

    Authenticating by the domain that the sender says he is from is very weak...

    Holes like this are what keeps the spam coming to my mailbox...

  • by stefanb (21140) on Wednesday September 11, 2002 @10:26AM (#4237089) Homepage
    form teh article: You see, my mail servers were set up to pass mail only from a domain name of which I am the only user. It blocks everything else. That's not an open relay. Unless you're a user in my domain, you can't use it.

    Well, setting your sender's address to a trivially guessed domain name (such as the reverse-mapped address of the host), you effectivly have an open relay. Guess what spammers are doing: they are using known-good addresses, and try sending spam from those addresses MX hosts in the hope that the MTA do this foolish kind of access check.

    This has been discussed since at least five years, and has been a point in the many faqs and howtos on how to lock down your MTA for a long, long time.

    If you really need to send mail through your MTA from arbitrary IP addresses, you need to employ authentication. Again, this is hardly a new technology, and many documents explaining how to combine SSL and authentication for SMTP exist.

  • I don't get it... (Score:5, Interesting)

    by Rhubarb Crumble (581156) <r_crumble@hotmail.com> on Wednesday September 11, 2002 @10:26AM (#4237091) Homepage
    This guy's gripe is about being misidentified as an open relay. But either I'm missing something or he's full of crap:

    How had it gained access to my mail server? Simple. It had forged the headers on its email to convince my mail server that the email it sent was from a permitted user.

    One word: Authentification.

    You see, my mail servers were set up to pass mail only from a domain name of which I am the only user. It blocks everything else. That's not an open relay. Unless you're a user in my domain, you can't use it.

    Uh, it may not be a totally open relay in the literal sense of the word, but surely that still means it can be used to send spam, as long as the spammer figures out who to identify himself as - and if the Danes could do it, then it can't be that hard?

    Any spam-block that relies entirely on the "from:" header is broken by design. What, spammers disguise their identities? Never!

    • by catfood (40112) on Wednesday September 11, 2002 @10:56AM (#4237419) Homepage
      One word: Authentification.

      Yeah! Don't misunderestimate the value of authentification!

    • Part of the problem is this fella's lawyer background. He probably is thinking of "open relay" in the literal sense (i.e., accepts any message and passes it along), so by his semantic reasoning he is correct that he isn't running an open relay. Although, most people on Slashdot would accept a narrower definition and say that his mail server is essentially acting as an open relay.

      Remember: It all depends on what you mean by the word "is."

    • The mail server I admin doesn't get blamed as being an open realy, and it doesn't use authentification either. It just makes sure your IP address is from one of our customers. If you're using our mail server and you're not one of our customers for internet, use the smtp server of your provider, or go through our web mail. But this guy should do more to protect his relay.
  • I'm not even sure that I've ever clicked on a link sent to me in a piece of unsolicited commercial email.

    When that appears in the first paragraph the rest loses credibility. Anybody qualified enough to be commenting on SPAM should be aware that simply by opening the email you may have verified the address as valid (if it contains an external image).

    -----
    interested in inventions [royalinventions.com.au]?

  • Seen it all before (Score:4, Insightful)

    by odaiwai (31983) on Wednesday September 11, 2002 @10:28AM (#4237113) Homepage
    This is the kind of thing you see every day in news:news.admin.net.abuse.email.

    "Waah, I'm being blocked by your nasty list! I demand you stop blovking me or I'll drop piano's on all your heads! and I'm a lawyer!"

    "A. no-one's blocking you, they're justing *choosing* not to accept email from known open relays (or whatever the perp feels accused of)."

    "You're abusing my First Amendment Rights to 'Frea Speach'"

    "Our list is based in the Gobi Desert. *Our* first amendment guarantees the right to tea with yak butter."

    Also, searching for his email address to see if he had ranted on usenet, I found this: Archived Article [google.com]

    an Excerpt (from the above article by "R. A. Hettinga" ):
    New Architect is a Microsoft/DotNet magazine. This article is
    agitprop for Microsoft's identity solutions: UDDI, Passport, and Palladium.

    Any reputation framework that arises in the wild would reduce the
    profitability of a Microsoft solution, so they are going to badmouth it,
    sue it, etc.

    dave
    • Good call. This is indeed microsoft agitprop. "Gee, can't trust this critical function to a bunch of volunteers" segues nicely into "So what we need is a bunch of professionals to make decisions for us... [churchlady voice] Could it be... Microsoft?" I'd expect a lot more of this stuff over the next couple of years.

      And if it isn't, it still serves the bastard right for running an open relay and not getting it. Wow, you can send spam by lying to his mail server, let's sue some Danes for pointing it out.

      • But what if we really can't trust this function to a bunch of volunteers, even if we reject that Microsoft is the alternative?

        I don't use blacklists anymore. They aren't effective at blocking spam. What they are effective at is making it easy for spammers to find an open relay that the 95% of the internet not using the blacklist will accept traffic from. I wonder how much tougher the blacklists are making it on the rest of us who find them ineffective as a solution, or even as a bandaid.
        • But what if we really can't trust this function to a bunch of volunteers, even if we reject that Microsoft is the alternative?
          There is no we who needs to trust this group. Either you do, or you don't. If you don't trust them, then don't use the list.

          The making-it-easy-for-spammers argument seems to be identical to the exploitable-bug-disclosure argument. You keep a vulnerability secret, and it gets exploited by a small group of abusers for a long time. Make it publicly known, and it gets exploited by a larger group of abusers for a shorter time. I guess different people have a different opinion on which of those alternatives is better.

    • Discussing this on /. is all well and good, but if he is really astroturfing, and it appears that he is, someone that understands what is going on should submit a response article to the New Architect site. The do accept submissions. Check out http://www.newarchitectmag.com/guidelines/ [newarchitectmag.com]. I would do it, but I am not an expert on setting up mail servers or on the effectiveness of the black list.
  • I fail to understand how this can be a valid argument against bad-maintained blackhole lists. The author was listed because *anyone could use his server to relay just by using a MAIL FROM command sporting his domain name*. Sheesh! When you configure your relay ACL, you use *IP ranges*, not domains (an awful lot of spammers forge all the headers in the messages they throw out). Even better, you use SMTP AUTH. That guy didn't bother to implement a technically valid solution, and thus his mail server definitely *could* be abused. No wonder it has been put on a blacklist...


    BTW, this doesn't mean there aren't stupid blacklists out there listing innocent people. But this article proves nothing. Moreover, there are now better ways to filter spam, based on message content checksum, like Vipul's razor [sourceforge.net]. This is not the first time people bitch and moan about their badly-configured relays being censored by the antispam Nazis (I remember a guy, from the EFF I believe, that did the same thing some time ago) but they simply are irrelevant. Their solution is to RTFM and play by the rules. Period (grrrr, I really dislike bad admins :-/.

    • Sheesh! When you configure your relay ACL, you use *IP ranges*, not domains (an awful lot of spammers forge all the headers in the messages they throw out).
      Forgive my ignorance*, but the article mentioned that he often checks email from hotels or foreign countries. Seems to me he's either using an IP address from the foreign point, or from an ISP with global reach. Either one would proclude using IP addresses in the ACL. So my question is, what's the best way to authenticate?
      ----
      * a phrase used on Slashdot about as often as "Why do all those Supermodels keep throwing themselves at me?"
  • Not an open relay? (Score:5, Insightful)

    by Jondor (55589) <(gerhard) (at) (frappe.xs4all.nl)> on Wednesday September 11, 2002 @10:33AM (#4237186) Homepage
    I do see a few problems with the story as written.
    • If it's so easy for the danish people to forge an acceptable identity, it's as easy for everybody else. Including spammers. If his domain is the only domain who should be allowed to use the mailserver, lock it on an ip-range.
    • If I want to make a personal list of domains from who I refuse to accept mail that's my good right. You can shout all you want, but I don't have to listen. If others like a copy of my list because they trust my judgement in this case, that's between them and me. Again, nobody can force me to accept mail.
    • As for the trespassing, he asked the danish site to re-check his mailserver. If I ask a cop to check my doors and windows, and he finds a way to get in. Can I sue him for burgelary? Or call it unfair because they used a method I didn't anticipate?

    Anyhow, IMHO this is an other blabla piece from someone who doesn't realy has an understanding of what he's doing.. Typical american sollution.. let's sue..
    • "As for the trespassing, he asked the danish site to re-check his mailserver."

      However, the fact that it's a re-check implies that the Danish site previously checked his mailserver without permission. I still think it's silly for him to sue over that, but that does give him a slightly better case.

  • by gpinzone (531794) on Wednesday September 11, 2002 @10:35AM (#4237198) Homepage Journal
    This guy admits his e-mail server WAS unsecure and is complaining that he got blacklisted. I understand his fustration, but I'm glad he was blacklisted.

    Now what's needed is a simple to use tool to help users determine if their systems can be comprimized. Any ideas?
  • For one, the Danish antispam organization falsified an email header to gain access to my mail server.

    Translation: His mail server is an open relay for anyone who forges a from: address using his domain name. No password, POP-before-SMTP or other identification and authentication mechanisms are used.

    He's whining because his open relay was correctly listed as an open relay. And he's even suggesting a tresspass-to-chattels lawsuit against the group that properly identified his server as an open relay. What a dick!

    • More accurately, he's threatening to sue them after inviting them to test his server. He's threatening legal action over an event that he explicitly invited.

      It's like me inviting you into my home and then instantly suing you for trespassing for coming into my home.
      • More accurately, he's threatening to sue them after inviting them to test his server. He's threatening legal action over an event that he explicitly invited.

        Are you sure that he requested the test or did some other entity request the test? I admit that I was somewhat rushed when I read the article.
  • First off, he's right. A black hole list has the potential for abuse, and there need to be some checks to make sure they're not abused as such.

    Second, once you're listed on a black hole, it can be hell to get off. My company had a secondary domain that was used for customer emails. It was, indeed, an open-relay due to misconfiguration. Eventually it got blackholed and our admins realized the mistake they'd made and set out to fix it. They did fix it eventually, but by that time the server was being slammed by spammers trying to use it as an open-relay. And on top of that trying to get the black hole list to remove the domain was difficult - it took well over two weeks, while the black hole-ing occurred in under a day. Eventually the entire domain was just dropped, since even with the open relay closed the spammers were still abusing the hell out of our pipe.

    That said, as best I can tell the author of the article barely even tried to remedy the situation. Yes, the black hole system forged a header to hit his open relay. Duh. So do spammers. If they could do it, so could (and will) others, and that's why you're black holed. But I'm sure he could've contacted the people running the black hole to find out what he could do to fix the problem. Instead it looks like he just wants to take them to court.

    Finally, black holes/black lists/spam filters/etc. aren't solving the problem. The bandwidth is still being chewed up, and as is pointed out in the article, the block lists act like honeypots for the spammers - everytime a new site is added the spammers find a new site to spam from. Sure, if you participate in the black hole you won't deliver the spam, but the bandwidth has already been sucked up from the backbones, and you're still using CPU power to deny the spam. As much as I'd like to see lawyers stay the hell away from the Net, I don't see any other way to stop spam than to make it illegal. It may be that most of the relays are foreign, but most of the spammers are in the US or another Western country. Anti-spam laws could significantly help.
    • Anti-spam laws could significantly help.

      I live in Utah, with a pretty good anti spam statute [com.com].

      However, though I could be in the process suing a few dozen people a day, I simply do not have the time or the desire to persue any of these. Not when Spamassain grabs about 90% of all spam, and sends it to my Spam folder, where I review the headers looking for false positives, and then they get deleted. Total time for me, 3 minutes.

      Anti-spam statutes, while good for keeping honest merchants in check, will do nothing for the multitude of pr0n, Nigerian and penis enlarger spams I get every day.

      What am I going to do, sue the entire nation of Nigeria? From what I hear, only one guy has all the money, and he is dead, or so it says in an e-mail I just got from Azabi Manzuna... :-)

      • I always wonder, how do those spams make money? I occasionally respond to the Nigerian e-mail for kicks, and have clicked on links in some of the other ones, the links are always broken, the e-mail addresses are never live... Even if I WANTED to give these people my money I can never find a way to do so, so WTF is the point of these spams?

        Kintanon
    • Second, once you're listed on a black hole, it can be hell to get off. My company had a secondary domain that was used for customer emails. It was, indeed, an open-relay due to misconfiguration. Eventually it got blackholed and our admins realized the mistake they'd made and set out to fix it. They did fix it eventually, but by that time the server was being slammed by spammers trying to use it as an open-relay. And on top of that trying to get the black hole list to remove the domain was difficult - it took well over two weeks, while the black hole-ing occurred in under a day. Eventually the entire domain was just dropped, since even with the open relay closed the spammers were still abusing the hell out of our pipe.

      I'm sorry, but I'm really failing to see what part of this is not the spammers' fault... or yours. Certainly it wasn't the listing service "abusing the hell out of [your] pipe" or slamming your servers. And you say your admins "did fix it eventually." Was that in a day, a few weeks, a year, or what? A mere two-plus weeks to be taken off the blackhole advisory list sounds very reasonable under the circumstances.

      Sounds like the blackhole service did you a favor. Certainly they limited the damage your company did to the rest of the Internet by passing along all that spam while the relay was open.

      • Was that in a day, a few weeks, a year, or what?

        A couple days I think. The issue was that the request for retesting was submitted and didn't occur for 2-3 days, followed by another week to disappear from the list.

        I can understand that it's not entirely desirable to immediately test, since less-than-honest types could "fix" the server, have it de-listed, and then remove the fix. But an immediate test followed by 2-3 retests at random intervals would be a better alternative methinks.

        When your business gets blackholed and you're unable to send email to large portions of the net, I'm sure you'll think that "2 weeks" is an entirely reasonable time period. Thankfully our primary domain wasn't the one blackholed (as it didn't have an open relay).

        Certainly they limited the damage your company did to the rest of the Internet by passing along all that spam while the relay was open

        Nice theory, except that mail logs show that no spam was forwarded through the open relay until it appeared on the black hole list. This was a domain that had been setup for at least a year and wasn't used anywhere except for a domain registration and private, customer-only email use.
    • Finally, black holes/black lists/spam filters/etc. aren't solving the problem. The bandwidth is still being chewed up

      Blacklists ARE solving the problem. I subscribe to SpamCop.net [spamcop.net] and I get about 50 spams filtered out daily. Bandwidth is NOT chewed up because the message is never sent--just a small rejection notice.

  • I'm afraid I've got little sympathy for the author of the article. He is running an open relay. Yes, for someone to abuse it they've got to forge the headers. That spammers do this is news? I don't think so. So, he runs an open relay, it gets detected, he gets added to a blackhole list until he closes it, he's now upset that the list operator won't accept "Well, someone would have to lie to abuse my server, so it shouldn't count." as an excuse. Pardon my complete lack of sympathy for him. This isn't vigilante justice, this is simple shunning by the community. If he wants to restrict his server to authorized users, he should do just that. POP-before-SMTP and SMTP AUTH exist, they can be used. Requiring that someone forge his domain in a From: header is not securing a relay.

  • Follow up article... (Score:5, Informative)

    by silverhalide (584408) on Wednesday September 11, 2002 @10:39AM (#4237249)
    If you subscribe to New Architect, this guy wrote a followup article to this one after receiving a boat load of mail pointing out the he was in fact running an open relay. He admitted to being behind the times, etc, said he was sorry. He still doesn't take back the fact he's mad at the vigilantes out there. Sorry, there's no link yet, I think NA has a lag between the print and web editions.

    Point being, if they can forge a header to get on your computer, a spammer can very easily do the same thing. An interesting thing on my campus is the technology department regularly scans and tries to hack into FTP sites running on campus, and sends an e-mail to the admins if they're successful. Some students got mad, but the moral of the story is, better to have someone trustworthy find your weakness rather than someone who's going to exploit it. This seems to be a new effective form of security that's emerging, since we can't depend everyone to stay up to date with the latest security issues, such as the Mr. Faussett in the article. I think vigilante is the wrong term, these blacklist ops are doing everyone a favor by helping to clean up insecure sites, which in the end saves everyone money. I propose we call them "Freelance Security Advisors" or something like that. :-)

    • Some students got mad, but the moral of the story is, better to have someone trustworthy find your weakness rather than someone who's going to exploit it.

      Sometime in the next week or so, I am going to stop by your home and probe for any security problems that a burglar might exploit. I know we have never met before but its in your best interests. Since I have the best of intentions, I am sure you won't mind. You wouldn't want to leave your home with security holes in it?

      • by FreeUser (11483) on Wednesday September 11, 2002 @12:56PM (#4238469)
        Some students got mad, but the moral of the story is, better to have someone trustworthy find your weakness rather than someone who's going to exploit it.

        Sometime in the next week or so, I am going to stop by your home and probe for any security problems that a burglar might exploit.


        You sir, are of subhuman intelligence.

        There is a distinct difference between a University testing the security of systems directly connected to its own network and jackasses like yourself equating it to random strangers "testing" a systems security.

        To clarify in terms of the flawed analogy you provide, no one should have trouble with their landlord testing their home's security, as the landlord is the one who is responsible, and who fixes it when it is broken. That is not the same as inviting any random stranger off the street to do likewise.
        • You sir, are of subhuman intelligence.

          Wow! Coming from an expert, that must be a compliment. My analogy stands as we are talking about an unknown third party probing your mail server without your permission. The poster I responded to narrowed that focus. I re-expanded it to the subject being discussed in the thread.

          Now grow up, child. Take the insults elsewhere.

  • Blacklists are a lot like a security blanket, they make you feel comfortable but they don't do anything about the real problems. A recent employer (a university) was placed on earthlink's blacklist simply because a customer had pressed a wrong button and reported an email to earthlink as spam. (Admittedly, the manager who insisted on handling the mailserver himself was technically clueless...but there wasn't any ACTUAL spam we could find traced to our server)

    First off, why is earthlink who is the domain of quite a bit of spam itself running a blacklist? Secondly, why couldn't they have at least bothered to send a courtesy automail to let us know? We finally found out when the sender of the original "spam" tried to send another email to her friend at earthlink. At that time it took a series of calls to earthlink to even find the department we needed to talk to! And then I found out that we'd been on their blacklist for MONTHS!

    Blacklists should be carefully administered and you should develop your own as it's really not that difficult to set up blocks for individual domains. Too many domains are blocked by error or because one company put another on a blocklist that got circulated but never bothered to circulate that spamming domain had been fixed and removed from teh list.

    Of course, a contributing problem is that many mailserver admins don't bother to keep proper security (or even keep their security patches up to day) for their server. It's way too easy to find a mail server that is VERY open to people outside the actual domain. But any truly working solution to the problem will have to involve responsible actions on the part of the "blacklisters" and the mail admins.
    • they make you feel comfortable but they don't do anything about the real problems.

      I heartily disagree with you.

      Theft of bandwidth is a real problem.
      Harrassment is a real problem.

      RBL's go a long way to solving these real problems for me.

      So, exactly what real problems don't the blacklists address?
    • Your concern about failing to circulate blacklist removals is misplaced with regard to DNS based blacklists. The data expires in a finite amount of time from the cache, and removal processes are working pretty damned good. I've watched a number of notices posted on news.admin.net-abuse.email asking to be removed from the SPEWS list, and I check out whether they have fixed the problem or not. In most cases I find that the data had already been removed from SPEWS by the time I checked that (so now I check SPEWS first before checking to see if the problem is fixed).

      Private blacklists are a problem because there's virtually no way to track them all down and get removed from everywhere (once you fix the problem). That's why we need central DNS based blacklists. But what we also need is to shield these central lists from stupid lawsuits from people who refuse to fix their problems or simply don't have a clue. Those who even so much as threaten to sue the list operators instantly get their IP addresses and domain names put in thousands of private blacklists where no one even looks to see if anything is ever fixed. And when they end up shutting down the central lists, they make things worse due to all the private lists. That's the primary reason SPEWS is so secret. Sure, it comes across to people who didn't know about it as a "Star Chamber" thing. And I didn't use it for several months until I verified it actually works to list what needs to be listed, and removes things when fixed.

  • There are a variety of solutions to the technical problems that arise from wide-ranging internet access by the public. Those of us who were using the net in the late '80s recall sending and recieving email, unincombered by large volumes of spam. As internet usage gained popularity, so to did unacceptable practices undertaken by businesses and indeviduals.

    SPAM is as much a social problem as a technical problem. Blackhole lists attempt to solve the social aspects of the problem with a technical solution - the idea being that the sender of spam is shunned and ignored when trying to communicate. I don't have all the answers but solutions like Vipul's Razor [sourceforge.net] seem a bit more like technical solutions to the technical aspects of the problem.

    Likewise, domain registration operates much like the wild west. He who hets there first, gets the loot. I was attempting to register an expiring domain at one point. It had expired 90 days previous and still had not been released by Verisign. I consulted my perfered domain registrar, who's generally vary helpful staff gave me this wild west analogy and suggested that my only recourse was to lodge a complaint with ICANN. We all know how helpful ICANN can be [icannwatch.org]...

    Any new technology opens up oportunities for baser elements of human nature to bear their collective ugly head. Over time the practices will iron themselves out and until then people like the lawyer, author if this article will probably have to suffer unless they want to contribute a positive solution. The Internet will eventually grow out indulging these childish behaviors but until then, we can only do what's best to protect ourselves from the poor choices of others.

    --CTH
  • This article really turned my crank. What a load of hogs-wallop. To wit:

    For one, the Danish antispam organization falsified an email header to gain access to my mail server. Illegal access to a computer system is, if not a criminal violation, then a trespass on my private property.

    Except that he previously admitted to asking the antispam people to check his mail server. So it isn't trespass if you invite them in. Or it's entrapment on his part, right?

    As I've discussed previously in this space, one of the novel legal theories now catching on for these kinds of unacceptable accesses to computer systems is a centuries-old tort called "trespass to chattels." At a minimum, I ought to be able to sue the Danish company for the damage it caused me from its illegal access.

    Alternatively, you could secure your f'ing mail server properly.

    But in spite of all that, I could probably get an injunction, or least a dollar or two to compensate me for my injuries and establish that I have been wronged.

    Always the lawyer ... :)

    Who knows whether the organization is a real legal entity or just some name cooked up by a group of self righteous individuals.

    At some point along here I gave up reading. This guy is a whining, deluded, litiginous fuckwad. And a bit xenophobic (maybe he had a bad experience with a Danish girl once ... I dunno). His actions are not only irresponsible, they are just plain stupid.

    Okay ... I skipped to the end and read:

    It isn't difficult to imagine that the RIAA could pressure a sufficient number of ISPs into subscribing to this copyright blackhole list and blocking access to their users, or to any traffic emanating from them.

    Except (you half-wit), the RIAA would likely use pressure. The anti-spam list doesn't force ISPs to use it ... ISPs use it voluntarily. Hell, switch ISPs if you don't like the level of access they provide you with!

    I hate spam as much as the next guy. If I found out my mail server was an open relay (which we did at one point), I sure as hell would spend my energies fixing the problem, rather than ranting about it and plotting a lawsuit.

    I really hope that if he decides to take legal action, some judge with half a brain will say "You could've solved this yourself in half an hour ... Why are you wasting the courts' time?"

    Sheesh.
    • Except that he previously admitted to asking the antispam people to check his mail server. So it isn't trespass if you invite them in. Or it's entrapment on his part, right?

      He didn't ask them to test his server the first time they did it. The 2nd time served to reveal that their method was to trespass.

      I hate spam as much as the next guy.

      You have no idea what the next guy likes, dislikes, hates, doesn't hate, or how much he does. Part of the problem with these vigilante groups is projection. They think everybody places as much importance on their efforts as the vigilantes do. That ain't so.

      And FWIW, the DNS blacklists are no longer an effective tool for the antis. They are much more effective at providing a list of useful open relays to the spammers. This of course, creates the illusion of "just cause" in the minds of the antis: "Hey, look how many spammers are using this open relay whose IP address I am publishing to the world. I'm doing a great job." Meanwhile, the 95% who aren't receiving email through servers using the blacklists are innundated with junk mail from the relays so helpfully identified by the antis.

      Yeah. Good job.
  • by philkerr (180450) on Wednesday September 11, 2002 @11:05AM (#4237501) Homepage
    Should we recommend this guy to Bernie Shifman just in case he's still looking to sue people?
  • I was recently a victim of this problem. A machine at my former hosting provider (JTLnet, and they were already my former hosting provider before this incident) got infected by an email worm, and started propagating to everyone in that machine's address book - which seems to've included their entire customer-contact list. Being a modern email worm, it picked one address from that address book to spoof as the source of the messages, and I was the "lucky" guy so I ended up getting all the bounce messages.

    There's a lot more to the story, but it's mostly about JTLnet and it's not their faults that are relevant here. The more interesting story is the part played by Verizon (my DSL service provider). Here's a major provider to millions of people, and their mail server was set up so it would happily propagate the worm's spoofed emails. A little experimentation quickly revealed that as long as the original FROM line (the SMTP one, not the one in the header) matched my email address the message would go through, regardless of where the connection came from. Unbelievable.

    There is the tiniest shred of an excuse, though. I do remember being annoyed when they shut off SMTP access from outside their network entirely, so I couldn't reply to messages received on that account while at work. However, there are other ways to deal with the problem without allowing worms to spoof email through subscribers' accounts. SMTP authentication would be the obvious solution. A web interface for subscribers to specify which hosts could send email through their account would also have stopped the worm in its tracks. There's no excuse for a provider employing that many people to take the cheesy way out.

  • by Elias Israel (182882) <eli@promanage-inc.com> on Wednesday September 11, 2002 @11:23AM (#4237672)

    The truth is that these home-grown spam mitigation methods do have their problems.

    One of them is evident in the article: well-meaning users often do not understand what might be insecure about their server configurations, or what might need to be done to fix them. I am very comfortable with sendmail configuration, and I can tell you that setting up the authorizations correctly for mobile users to be able to send email safely is a narrow, twisty labyrinth in comparison to the big, flashing exit door marked "promiscuous relay".

    Another problem in the home-grown nature of these solutions is the tendency for them to be personality-driven, instead of professional. Often, IP addresses (or even whole ISPs) are placed on blacklists because the blacklist maintainer does not mind creating a little collateral damage if they think it might create a little extra pressure on a spammer or an ISP.

    Some blacklists have blocked out entire hosting companies, including some of the biggest ones on the net, simply because they did not think they acted with sufficient alacrity against spammers in their midsts. This kind of wild overkill is unfortunately too common, and perhaps it's a good argument in favor of for-profit blacklisting, which would probably exert some good influence on the question of list quality.

    Earthlink rejects mail from any IP address that belongs to a dial-up pool that attempts to connect to their SMTP servers.

    Ostensibly, this is done to reduce "direct-to-mx" spam, which is a very common spammer tactic. Unfortunately, it also makes life harder on the home linux enthusiast, or home business operator who might be running their own perfectly legitimate sendmail server. All part of the collateral damage in the spam wars: Internet access and Internet business are slowly becoming more expensive and possibly moving out of the reach of people with limited means.

    So what should we do?

    First, I think that current law against junk faxes should be extended to include junk emails. This would not eliminate spam, but it would give us the ability to correct the spammers who operate out in the open.

    As a Libertarian, I want to jealously guard the right of the people to freedom of expression. But that right does not and cannot include the right to expropriate other people's time or money. You have a right to make your voice heard. You do not have a right to force me to pay for it.

    Second, I think that we should be careful about the blacklists that we use, and prefer those operated by recognizable and accountable companies wherever possible.

    Finally, I think that for the forseeable future, filtering at the user desktop will be necessary.

    (Cards-on-the-table time: I am working on a new solution for end users to eliminate spam from their inboxes. It is based on a new method, and it will work for any user who uses a POP email account. It will be ready for public beta soon. Please write to me if you want to learn more.)

    The struggle against spam is definitely picking up, and I think that a new equilibrium is approaching.

  • by Lextext (121217)
    Hi folks, no need to be four hundredth person to write to me and tell me that I am operating an open relay. I received enough of those letters when this article first ran a couple of months ago. (My response to the letters is below).

    Rather than focus on what constitutes an "open relay," which is really a technical issue rather than a policy issue, I'd rather see more thought given to the damage caused by blackhole lists. Are we really interested in championing their use? Spam today, something else "offensive" tomorrow? How different is this than when Chinese ISPs decide to block Google? As vile as spam is, I don't think this is the right tool.

    My response to the original letters sent in by New Architect readers:

    When it comes to mail administration, it appears I was several years behind the curve. Since my mail server software, circa 1996, had been purring along quietly without problems since it was new, I had never upgraded it to a version capable of a higher degree of authentication. I'm also old enough to remember when an "open relay" was a relay intentionally left open for anyone to use, not one merely susceptible to misuse. Thanks to all of the readers who wrote to bring me into the new millennium. Both my software and my definition are now upgraded.

    At the same time, I labeled the blackhole list operators "vigilantes" for good reason. It was always my understanding that if you lie about your identity to gain access to something that would be closed to you if you told the truth, you've done something wrong. That's true whether you intend to send spam or prevent it. As vile as spam is, the ends don't justify the means. Regardless of whether my mail server used to be "open" or not, I stand by the legal analysis that placed fault on the blackhole operators who forged their identity.

    Thanks.

    -- Bret
    www.lextext.com [lextext.com]

    • by fizbin (2046)

      Quoth the poster:



      Regardless of whether my mail server used to be "open" or not, I stand by the legal analysis that placed fault on the blackhole operators who forged their identity.

      But you did ask the blackhole list people to check your server, yes? You do have the right to access your server in any way you see fit and to permit others the same access, correct?


      If I contracted with a security testing firm to test the security of my office, I'd be severely annoyed with them if they did not try to lie their way past the office manager who watches the front door.

    • Bret, you use the word "vigilante" so much when talking about blackhole list operators, but I really don't see much difference between those groups maintaining lists of people with open relays and, say, other groups like Cybersitter maintaining lists of offensive sites.

      1. Both groups maintain lists that are optional for subscribers. Are you willing to trust Cybersitter's judgement in what is offensive or not? Fine, buy their software and use it. Want to tweak the definition of what's "offensive"? Cybersitter lets you do that too. The most important word here is "optional" - you don't have to use Cybersitter if you don't agree that their list is fair, accurate, or otherwise useful.

        Similarly, you and/or your ISP don't have to subscribe to blackhole lists if you/they don't want. You ask what would happen if someone (say, the Chinese government) starts making a blackhole list of sites that deal with something they they consider offensive? (say, western media, Falun Gong, etc.) The answer is that you and most ISPs probably won't subscribe to such a list. They can blackhole as many sites as they want... but most of the world won't care, or even notice.

        Open-relay blackhole lists thrive not because "vigilantes" are cramming their brand of justice down our throat, but because enough people agree with their philosophies that they're freely willing to make use of the product they're offering.

      2. Both groups contain ways to get off the list. Was your site mistakenly identified by CyberSitter or some other filter software? Most of them have ways to get in touch with the list maintainers and have your site re-evaluated. Similarly, most blackhole list operators feature prominent instructions on how to get yourself removed from their list.

      You didn't mention the rest of the story in your New Architect followup, but what happened after you updated your mail software? Did you contact the blackhole list operator again? Did they test your server again and find it secure? Did they remove you from their list?

      If not, then you may still have a legitimate complaint. But if they did, then I think the system worked the way it was supposed to.

      You said that your "software and your definition are now upgraded". The opportunity for you to upgrade both your software and your understanding of what an open relay have been around for a very long time now. I think that by running your own mail server, you raise yourself to a higher level of Internet citizen. No longer just a casual web user, you have to take the responsibility of maintaining your server, keeping up with security patches and issues, and just generally being a good Net citizen. Blackhole lists are something of a last resort for people who won't/can't take care of the problem in any other way. Now that you've solved the problem and your site has emerged from the blackhole, I would take it as a lesson learned and go on from there - not spend 1/3 of a magazine column trying to figure out what the best way to sue a Danish company is.

      P.S. Here's a quick, automated way for anyone to check and see if their mail server is an open relay:

      > telnet relay-test.mail-abuse.net

    • Unlike "sharing" of "marketing information" by credit card companies, telephone companies, and banks, blackhole lists for email ar opt-in.

      You have to explicitly subscribe to someone else's judgement in order for it to have an effect on what you block.

      Your argument about the putative "RIAA P2P blacklist" is flawed, in that you would have to go out of your way to elect to subscribe to RIAA's judgement.

      A much more salient argument might be Palladium, which is effectively a black list of people who do not used Palladium, and which holds you hostage via the use of monopolistic power in the marketplace. A black list which forces you to use it -- which is not "opt-in" -- is much more of a threat.

      PS: In your original argument, you had exactly one valid point, which was that the original probe of your email server -- before you asked them to recheck it, thereby giving them permission -- was in fact a criminal trespass on your system. On the other hand, from a legal standpoint, it's probably easy to argue "attractive nuisance" in defense of the original probe, particularly if your mail server had been reported by a third party who had received SPAM via it.

      -- Terry
      • In your original argument, you had exactly one valid point, which was that the original probe of your email server -- before you asked them to recheck it, thereby giving them permission -- was in fact a criminal trespass on your system.

        The problem is that he has no direct or indirect proof that the "original probe" even occurred. I could easily imagine a scenario where an irate user forwarded a spam to the unnamed blacklist administrators who added Lextext's address based on the header contents. Since you and I don't know who the blacklist admins are, and Lextext isn't telling, we have no way of knowing that their policy requires them to verify open relays before blacklisting them.

        In a nutshell, unless Lextext has server logs to prove that the blacklist admins previously scanned his system, I have no reason to believe that they actually did so.

        I tried explaining this to him via email, but I think the point was lost on him.

    • Spam today, something else "offensive" tomorrow?

      Damn straight. I would never, ever, invite a klansman over to my house, just so he could yell hatred out of my windows. Why then should I have to allow him to yell hatred out of my TCP ports?

      Same goes for anyone that I personally have a dislike for, and that could be trivial. If I don't think that people should part their hair on the left, then I'm not going to let them on my server.

      After all, it's my server, and I pay for the bandwidth myself.
    • by Skapare (16644)
      As vile as spam is, the ends don't justify the means. Regardless of whether my mail server used to be 'open' or not, I stand by the legal analysis that placed fault on the blackhole operators who forged their identity.

      If the list operator who tested your mail server did not test it by using the proper practices, which includes doing everything that spammers are known to be doing, or known to be capable of doing, then it would be the list operator who had failed to properly and correctly test your server. If it had been marked as closed, because of that, when in fact it was still open, then it would be the list operator who would have been negligent.

      Security practices, and spam prevention is a form of security practice, do include performing tests that mimic what the security prevention is supposed to prevent. Your mail server is supposed to prevent relaying of forged addresses. So you have to do forged addresses to test that facility.

      The only thing the list operators did wrong that I can see is they failed to get your signature in writing on a piece of paper that explained it to you. Had they done so, that piece of paper would have stated that they would be performing a test that adheres to current best practices in security testing, and that test would include every form of forgery and trickery known.

      The ends not only do justify the means, they are also absolutely required!

      Also, some mail server software is defective in ways that certain types of attempts, which spammers might try, and therefore have to be tested in a thorough test, could cause that defective software to fail, and may result in damage to your mail server. If that happens, your remedy should be with the maker of the defective software, unless the defects were documented and avoidable by proper configuration.

      And if you want to have a private dialog about this, I am willing to explain it in more detail if you need that. I am not a lawyer, so I can't give it to you in purely legal terms, but I can certainly give you some real life analogies. You can find my email address a number of ways, such as the domain registration of one of my web sites.

  • Yes, blacklists aren't perfect. But if you do what it takes to plug up obvious security holes in your service, you can get off of them; it may take time, but the volunteers who run these things need to verify that you have plugged up a hole, or that your service was always secure. I'm sure there are a lot of people added to blackhole lists who shouldn't be there, because some mistake was made. At the same time, I think the vast vast majority of people griping about being unfairly placed on a blackhole list are just people who don't understand the technical security flaws in their system.

    Prime example is this idiot author. I'm not security expert -- in fact, I (gasp) don't even know how to set up a server. But I can recognize a security hole as big and obvious as the one his system has. If all someone has to do is forge a from address in the header to use your system for their e-mail without authorization, your system is completely insecure. This author displays his complete ignorance when he says, "the system was doing what it was supposed to do". Every system does what its supposed to do, and that's depends on how it was programmed by the programmers and set up by the administrator. That doesn't necessarily mean every system is doing things the right way.

    That this story was posted on /. makes me wonder about CmdrTaco. Taco, don't you read these articles at all? Or don't you even know that this is a security hole so big and obvious that even MS could have recognized it and plugged it up?

    At the very least, your service should request password and user-name verification. IP-address verification possibly, if you don't want to allow your users to be able to access it from any remote location. Someone needs to slap this author with the clue-stick. He fell off the a 300ft high dumb tree and hit every branch on the way down.

    The author does, however, make two interesting points, though these are hardly news. (1) It takes forever (i.e., weeks) to get off a blackhole list; this is understandable, since these things are run by volunteers, and it takes time to verify. (2) Blackhole lists are used by spammers, which allows them to slam any domain on the list. This is something which needs to be fixed. I think this is that rare case where security through obscurity works. The only people who should know all the domain names on a blacklist are those running it. People running domain-names that have been placed on a blacklist should be notified so they can fix it, and if they want notify the public. But because these blackhole lists are available for anyone to see, spammers use them and effectively DoS those who are on the list, making their life difficult.

    Oh yea, almost forgot. The title of this post is "Legal action needed," because I think laws are needed to deal with this problem. Spamming might not be particularly profitable, but its also not at all unprofitable; theoretically, it probably wouldn't even cost a cent to send spam to everyone on earth with an internet connection. Thus, spammers will continue spamming, because they have no reason not to. Even if only one out of a thousand people actually buy something from that "make your dick bigger by jilking" spam, it still amounts to something worthwhile for the spammer.

    They will never stop unless there is a strong cost associated with spam. So what I propose is tagging very high high fines onto any spammer -- millions of dollars. Enough to bankrupt an individual and keep him in debt for a long time, or enough to send a company into Chapter 11. I'll admit that we won't catch many spammers; maybe 1 out of a 1,000. But when you can't catch most people who do something and punish them accordingly, the way to stop an activity is to say we'll punish anyone caught inordinately.

    I strongly disagree with the misguided notion that somehow dealing with our spam-problem violates the principles the internet was founded on. This is just an example of community action to deal with a problem.

    The anonymity that the net gives us is valuable because it allows those who have controversial opinions to speak privately; because it allows those who have inordinate interests (i.e., occult or pornography) to pursue them in privacy without fear of public scrutiny; because it allows us to share information though P2P networks without fear of a slap-down from the RIAA. No useful purpose is served by spammers using annonymity; it neither promotes a public good, nor facilitates them in excercising their rights; rather, it facilitates them in doing harm to the public and violating the rights of others. The community is dealing with that problem in many ways.

    One of them is blackholes. Crude, but somewhat effective. Simplest method. It is valuable not so much because of the spam that it blocks, but because of the action it forces service providers to take -- securing their systems against spammers.

    Another is bayesian filtering, as was recently mentioned on /. This method can effectively be used to filter out messages which are spam based on the headers, via user input; i.e., the user tells the program via the header, "this is spam, that isn't". The program then analyzes the characteristics of the header and modifies previous assumptions accordingly. Think of it as going to Las Vegas and flipping a coin. If you flip the coin 100 times and you get 51 heads and 49 tails, do you conclude that the coin is unfair? Depends. You have a previous assumption about how reputable the casino is; if you think its unreputable, maybe you think the coin is unfair; if you think its reputable, you probably think its fair. What if you flip the coin 100 times and you get 2 heads and 98 tails? Then your first impression is that the coin is unfair; the evidence strongly overwhelms your previous assumption that the coin was fair, so you modify your hypothesis. But if you then flip the coin another million times and you get 500,001 heads and 499,999 thousand tails, you probably conclude that the coin is fair, despite your first impression. Same thing goes on with e-mail.

    Another method -- one I prefer -- is simply blocking any messages from those whom you don't have in your address book or on your "accepted senders list". This effectively blocks out all spam. You have to, however, keep an updated list of accepted e-mail addresses.

    There are many others.

    No method is perfect. My method blocks all spam, but also will block anything from anyone who I don't have on my accepted senders list; so I have to be vigilant in maintaining such a list. Bayesian methods effectively have no false positives or false negatives, so are pretty damn good. The primary usefulness of blackhole lists is making services secure their systems.
  • Forging the 'From:' header is one of the most common spammer tactics known. If the guy's server responds to such a forgery by sending the forged message out to the world, then yes, he is indeed running an open relay EVEN IF it won't forward messages from, say, 'spammer@here.com.'

    Any mail server worth its salt needs to look at more than just the 'From:' header. It needs to look at the originating IP address of the machine trying to send the message. If said address is not part of the mail server's local domain, the traffic should be rejected with extreme prejudice.

    The article reads very much like a whine from someone who doesn't know enough about how a mail server works (or is supposed to work) to be running one; "Those Evil Censorous (sp?) Anti-Spam Nazis forged my domain name and cracked into my system! How dare they?! Even though it's the same trick a spammer might pull, how dare they?!"

    This guy needs to get a clue. Quickly. In fact, I'm going to make sure to block his server out of mine when I get in tonight.

  • Spammers never lie or forge domain names! So of course it's unfair that this lawyer's mailserver was blacklisted. . .

    Bah. With all the money lawyers make, you'd think he could buy himself a clue.

  • I just read your article
    (http://www.newarchitectmag.com/documents /s=2442/n a0802g/index.html) about
    open relays and figured I'd email you with my experience. For my day job,
    I work network security (handling spam complaints, hacking, etc) for an
    extremely large public educational institution, so I see an extremely
    large number of spam complaints, spam issues and whatnot every day.

    If your mail server is allowing mail to be relayed to it through the
    domain it advertises, it is an open relay. Period. An open relay is a
    relay that permits an unauthenticated, unidentified host on the network to
    send mail through it. Your claim that you are not running an open relay
    simply because you only allow mail from users on your domain demonstrates
    a fundamental lack of understanding of the mail protocol. The FROM
    field is not any kind of authorization, it's not a login, it's completely
    arbitrary and should never be used to allow or disallow mail except in
    rare cases where virii may email out with fixed FROM addresses that are
    known to not be legitimate.

    Your mail server advertises what domain it claims to be (and likely has
    reverse dns to supply a spammer with the domain), therefore it's trivial
    for any spammer to (as the denmark organization did) simply but a from
    address of your domain. And are they lying? It might be interesting to
    note that since your mail server is sending the message, the mail ~is~
    from the domain they put in the from field.

    The issue is not that some anti-spammers spoofed a from field. The issue
    is that your mail server allows relaying of spam email. I'm sorry you see
    it otherwise. There are other effective ways to secure your mail server
    so you can travel and still have access to it, but your current
    'protection' is not.

    If you would like more information on how exactly you can configure your
    mail server to not be an open relay and still allow remote access, please
    feel free to respond via email and I'd be glad to help.
  • by toupsie (88295) on Wednesday September 11, 2002 @12:06PM (#4237988) Homepage
    First, the author of this article is an idiot. He was running an open relay. He admits it and doesn't even know it. Just another reason to be annoyed by lawyers. Second, the folks that run these various RBL lists are arrogant jackasses. Just look at the childish behavior they exibit [osirusoft.com]. Very unprofessional.

    If they make a mistake, you and your organization are screwed until they decide to admit their mistake and correct it -- if they ever do. They have cute, pat answers to explain away any responsibility for their behavior and generally refuse to communicate with those they block. I have had a nasty experience recently with "relays.osirusoft.com" where a client of our was using them as a part of their Postfix RBL configuration. Some Nazi^H^H^H^H German nominated our mail server as a spamhaus when we were not. Without being tested, our server was blacklisted -- I checked my logs and saw no check on the date we were listed. We received no notice, no automated robot checked out server or would anyone respond to my inquiries, just accusations that I was supporting SPAM--an absolute lie. If you are listed, you have to be an evil SPAM supporter with their mentality.

    It took one month of constantly e-mailing their retest e-mail address. Daily checking of my mail logs and seeing that their robot was being rejected from relaying, yet, we were not taken off the RBL. Finally, after a month, we were removed. Nothing changed in our configuration, no notice was given as to why we were removed nor why we were added outside of the nomination origin. We were just lucky that "relays.osirusoft.com" decided to do what's right but was too cowardly to admit they were wrong. Hiding behind the anonymity of the Internet with no responsibility to the people they harm. We will never know how many e-mail messages were lost because of "relays.osirusoft.com"'s mistake.

    Pathetic.

  • by Skapare (16644) on Wednesday September 11, 2002 @12:08PM (#4238014) Homepage

    Here is what I wrote to this guy back on July 25 when the article had just come out. I never received a response from him. Was he totally embarassed by his idiocy once it was explained to him? I guess so.

    <lettertext>

    I just read the article you wrote on New Architect Magazine entitled "Blind Vigilantes; Blackhole lists offer dark prospects". I feel you have missed certain points in your analysis, and as a result, you misunderstand what is going on. That's OK, because the majority of network administrators still do, too. As a lawyer you would not be expected to know this kind of stuff. You clearly know a lot more about it than the average lawyer. I'm writing in hopes of filling in the gaps. I sincerely hope you have the time to read this. It's long, but I think this is important.

    First of all, I use these blackhole lists myself, so it is possible that your reply to me could bounce back. I can override it if I know the IP address of your mail server. But I won't know it until there is a server log telling me about it bouncing. What I'll do is get your IP address at that time, add it to the exception database, and you can repeat the reply later on. Or you can send me mail from Hotmail, which I believe is not blocked anymore.

    I want to fast forward to the point in your article where I think the main misunderstanding is:

    How had it gained access to my mail server? Simple. It had forged the headers on its email to convince my mail server that the email it sent was from a permitted user. You see, my mail servers were set up to pass mail only from a domain name of which I am the only user. It blocks everything else. That's not an open relay. Unless you're a user in my domain, you can't use it.

    One of the methods spammers use to send their mail through a mail server configured like yours is to do exactly what you are complaining about. I see upwards of 10,000 of these a day on my servers. The spammers have these massive lists of email addresses, quite many of which are valid. What they do is look up which mail server those users would use, which is not hard because that's exactly what the whole system is designed to be able to do. Every delivered piece of email had to do that. Once they have this information, then they forge that user in their FROM line and start sending mail to the user's server. In the case of a server set up to test only the domain name in the FROM line, it works, and the spam message gets sent on its way.

    That's why your mail server is considered to be an open relay, because it is possible for a spammer to use it, despite the fact that they are doing something illegal such as forging your domain name. If it lets a spammer forward mail, it's an open relay.

    The group based in Denmark had pretended to be me, forged an email as though it had come from an address that only I am authorized to use, passed it through the mail server in my house, and then placed me on a list of people who should be blocked from sending mail. They circulated that list around the world. ISPs used by my friends and family here the United States subscribed to this list. Now, through no fault of my own and in fact because of the trickery of Danish email activists I was no longer able to send email to many people in my address book.

    It is standard practice for every program (there are several available) which does the open relay tests to try dozens of different ways to fool a mail server into forwarding mail. Forging the domain name of the users of that server is one of the simpler tricks. There are some that are more complicated. These programs are simply doing exactly the same thing that a spammer would do. It's the same principle used by security test programs which test whether or not a computer can be broken into. They have to pull all the punches a hacker might try. Otherwise such programs will fail to detect a flaw and the program itself will be worthless.

    I periodically run tests on all my mail servers to make sure I have not accidentally configured out the relay controls. I watch these tests take place, and they do this forgery exactly as expected.

    It's hard to describe how angry this made me. The Danish consortium had lied about their identity, and I was paying for it.
    The worst thing about being blacklisted, however, wasn't that I could no longer send email, but that spammers began actively trying to use my mail server to send their spam. You see, blackhole lists work both ways. ISPs use it to block traffic, but as I've recently discovered, the spammers themselves use the lists as a kind of directory of servers to use for sending their mail.

    Actually, that is not true. Read on and this will be explained.

    If you look at my mail server logs, you'll see that every few seconds or so, someone, somewhere tries to access my mail server and use it to send mail. Each time, without fail, my mail server declines the request and refuses to relay the requested message. It isn't an open relay. It's just doing its job. But my machine is bombarded with requests from all over the world from spammers seeking to use its minimal capabilities to send their penis enlarging, breast enhancing, get-rich-quick messages.

    Last year, one of my client companies, a local web hosting business, had a case of one of their customers running a spamming operation right from the server they were paying my client to use, in violation of their AUP. The customer got cut off, and my client asked me to help him clean up the mess. In so doing, I obtained a copy of not only the spamming software (a special version intended for running from web servers), but also a copy of a big list of about 1.5 million addresses.

    There was something very interesting in this list. The first 1000 or so entries were email address that were familiar to me. They were OTHER SPAMMERS. That's right, other spammers have their own names in these lists. What that means is if any spammer discovers an open relay, the others find out about it fairly quickly. The "spammer network" as I might call it is very well connected. They all see the successes of the others. And much like wild animals on the African Savannah when one makes a kill, the others circle around to take their own bite out of the carcass. That's what is happening to your server.

    The anti-spam group have some of their addresses on these lists, too. That's how they first find out if your mail server is an open relay. They get spam that some spammer who found it relayed through. That's how you were first put on the list.

    The blackhole lists are run through a distributed database called DNS. This is the same thing that allows looking up a domain name to get the numeric IP address which the routers use to send packets to the correct destination. But the point about it is that DNS works as a general distributed database, and unless someone runs the DNS server wrongly, there is no mechanism to get a list of these addresses. All that can be done is to pick and address and do a lookup. Unlike a regular database, there is no means to do a query lookup like "give me all the IP addresses which are open relays".

    In reality, there are sometimes some breakdowns in that security and the blocked addresses can get out. I've acquired one such list myself. But for the most part, spammers do one of two things. They scan the net at high speeds looking for open relays, and they scan through their mailbox which is on the lists to check for good pickings in recent spam they received.

    But, hey, I'm a lawyer, right? I'm supposed to be able to solve this kind of dilemma. And there are a few things I could do.
    For one, the Danish antispam organization falsified an email header to gain access to my mail server. Illegal access to a computer system is, if not a criminal violation, then a trespass on my private property. As I've discussed previously in this space, one of the novel legal theories now catching on for these kinds of unacceptable accesses to computer systems is a centuries-old tort called "trespass to chattels." At a minimum, I ought to be able to sue the Danish company for the damage it caused me from its illegal access.

    They have a legal defense. You actually gave them permission to do the scan. Although you did not know the scan involved the address forgery, their defense is that the practice is the only way to test to see if a mail server is an open relay (that is, if it could be used by a spammer who would forge the address). As mentioned above, this and many other tests like it are standard practice in security testing (and testing for an open relay is simply one form of security test).

    This is why when an open relay listing is in the database they will not remove it by periodically testing on their own accord. That would truly be illegal. They require you to consent to the test before they will do it. And again, the standard for these tests is to do exactly every know trick a spammer would try.

    Granted, the damage caused by my inability to send an email is likely not terribly significant. You can always pick up the phone, print the message out, and fax it or mail it or just use a different mail server. But in spite of all that, I could probably get an injunction, or least a dollar or two to compensate me for my injuries and establish that I have been wronged.

    It is not their test that put you in the list in the first place. It was the fact that they received a copy of spam that some spammer relayed through your server first. It is that spammer that trespassed on your server and caused you the real harm.

    The problem, of course, is that the loose organization of individuals who compiled the blackhole list is based in Denmark. Who knows whether the organization is a real legal entity or just some name cooked up by a group of self righteous individuals. However, they do have a domain name, and an IP address, and they circulate their work to ISPs around the world. In other words, there is a group for me to sue. But taking legal action on foreign entities is difficult. I would have to translate my legal documents into Danish. I would have to hire someone in Denmark to personally deliver these translated documents to the entity that I would be suing. That costs time and money.

    Those who compile the database are just the messengers. But your real problem is that these guys are just the little fish. The big ones are even harder to reach. They are rumored to be in Bulgaria, an Eastern Europe country formerly behind the infamous Iron Curtain.

    But I could sue them here in Los Angeles, California, that much I know. By sending their forged email through my mail server, which is located in my den in Los Angeles, they fulfilled certain California legal requirements that would let me sue them here. The connection to Los Angeles is also bolstered by the fact that I live here and my injury was suffered here.
    Of course, all of this is starting to sound like the kind of hypothetical legal conundrum that you might find on a law school exam. Problems like mine often remain hypothetical because the expense of bringing them to trial is so great, and the ability to gain any monetary relief from lawsuits is minimal. That's why the black hole providers have been able to get away with their vigilante justice for so long. For any individual user wronged by their efforts and from what I understand, there are a lot of people in similar situations the costs of pursuing these organizations, which are often located overseas, is too great. These groups of volunteer organizations have no assets to speak of they are volunteers after all and plaintiffs' lawyers are hesitant to take a case without the prospect of a lucrative damages judgment.

    And there is the risk that they would win if they were present to defend their practice. They would certainly bring up the point that the original listing was due to a spammer discovering your open relay, and that they received permission from you to test their server.

    Before you think that this is all just about me and the fact that my father no longer receives any email from me, there are bigger policy implications for private individuals and companies that take steps to block connectivity. Much bigger.
    I've long championed the idea that the Internet should remain largely unregulated by governments. But at the same time, any private operator at an end point in the Internet's architecture can restrict the flow of content to a user. What's wonderful about the Internet is that it enables end-to-end communication from anywhere in the world to anywhere in the world. For all of the problems caused by spam, email is still the most widely used application on the Internet. So the idea that private parties could get ISPs to block some people from talking to other people should be deeply troublesome.

    The choice to use the information from blacklists to reject delivery of email in a mail server is something the owner of the mail server would do. This becomes a private property issue. I have the right to refuse any mail into my mail server I wish (except on the basis of the few parameters law now prohibits, like gender, race, religion, etc). I have the right to get my list of IP addresses to block from anywhere I like. If Joe down the street tells me he blocked email using his private little list of IP addresses and it cut out 90% of his spam, then of course I'd like for him to share it with me.

    Could there be an issue of libel here? Sure, there could. But it's a clear line between saying "You are a spammer" and saying "Your mail server allowed a spammer (who uses forgery) to send spam to me, and when you gave me permission to test it, I found that by mimicking just what the spammer would do, it was still allowing it."

    The Danish blackhole list operators want to block access to computers that might be used for spam, but it's easy to imagine blacklists used for less noble purposes. For example, imagine that the RIAA compiled a list of IP addresses which, it contended, had at some time used peer-to-peer file sharing programs. Because these peer-to-peer systems could transmit copyrighted materials in a way that infringes on the copyright owner's rights, the RIAA could argue, those IP addresses should be blocked. It isn't difficult to imagine that the RIAA could pressure a sufficient number of ISPs into subscribing to this copyright blackhole list and blocking access to their users, or to any traffic emanating from them.

    I do worry that the techniques used to reduce and prevent spam could be put to less noble uses. I also worry that facilities that exist on the internet to allow anonymous communications (which some people sometimes need to have) are abused by spammers (there are techniques to reduce that abuse) and in turn blocked by anti-spammers.

    Personally, I don't consider the anti-spam movement to be less noble than peer-to-peer file sharing. The vast majority of what is shared on those networks is copyrighted material being shared well beyond the rights of the copyright owners. While I'm not advocating that those file sharing programs be outlawed, or the networks they use be shutdown, I do consider it to be less noble a thing that the effors of the anti-spam community to help keep mailboxes cleaner.

    Breaking end-to-end connectivity for any application, whether email or peer-to-peer or the Web, threatens the very thing that makes the Internet valuable. These are matters of principle. Which reminds me I have a lawsuit to file.

    It depends on who is doing the breaking. If I break connectivity in my own server, even if I use information from someone else that I choose to use, who offers that information to me freely (I didn't illegally copy it), then what law have I broken? What tort have I committed? Who have I harmed? If it involves my customers in a service I provide to them, then it's a matter of the business relationship between me and that customer. In practice, my customers want the spam blocking since it proves to be very effective against spam.

    As to your mail server. It is an open relay, and it needs to be closed.

    If a thief enters a building by opening an unlocked door, it is breaking and entering. Merely opening the closed door was breaking, as opposed to the door being wide open. It does not matter if there was a lock on the door or not. It does not matter if the lock was left unlocked. It is still breaking.

    Your mail server has a closed door, but it has no lock. You are making the assumption that spammers won't do the "breaking in" thing with address forgery. But they do. What you need is the equivalent of a lock on your mail server. Instead of just checking the FROM line to see if it has your domain name on it, it needs to check something that a spammer simply cannot forge at all. Usually this is an IP address. If you want to be able to use your mail server from other locations, then the IP address is not good enough. There is another method that is used which requires you to log in to READ your mail first. The way that works is when the mail reading login is done, the server notes what the IP address is from which the successful login came, and puts that IP address in a list which is valid for sending mail for some period of time, say maybe 30 minutes to an hour. Thousands of people use this technique successfully. It's typically called "SMTP after POP" (in reference to the POP protocol used to read mail in most cases).

    The following has a number of useful links to help in testing and closing an open relay:

    </lettertext>

  • Let it be a problem for those that don't know any better, or how to deal with it. Set up a SpamAssassin-enabled mail server for you, your buddies (or clients) and let the rest of the world deal with the junk.

    Junk-Filter that works. End of problem!
  • Many of us use POP to receive our email (typically when we can't use IMAP). A lot of people don't realize the POP can be used to send mail. A mail client I used to use exclusively, PMMail for OS/2, could use POP to send mail. The benefit of this is that POP is authenticated by design. When I took my OS/2 laptop from place to place, I never had to worry about finding an SMTP relay that would take my mail (although at the time, most of them were open) because my ISP's POP server would happily accept mail from me wherever I was.

    So what if mail servers accepted SMTP for inbound mail only, and required POP for outbound mail? Mail arriving from points unknown would be accepted via SMTP, but mail heading out would need that initial authentication -- no more forged headers. I think it's a great solution: it's compliant with IETF standards that are in place today. There's one problem.

    Since PMMail, and I assume its short-lived Windows version PMMail 95, I haven't seen any mail clients that support POP for outgoing mail. Given the problem with spam and forged headers, I can't believe that no one has seized upon this idea.

    Anyway, if the response is positive enough, I may be motivated to crack open some open-source mail client add support for outbound POP...

An optimist believes we live in the best world possible; a pessimist fears this is true.

Working...