Are SPAM Blacklists Unreasonable?

rlsnyder asks: "I'm the inadvertent co-administrator of e-mail for a company that relies pretty heavily on it for daily business (e.g. sending confirmations of financial transactions). At one point in the not-too-distant past, our server was an open relay. I admit I'm a sinner for letting it happen, and I'm ready to do my penance. Given the relatively low volume of mail our server moved that did not originate from inside, I doubt I was a major contributor to the world of SPAM. In any event, we've been blacklisted on a number of sites. Some lists have reasonable policies, and we've since been removed. Other places are a little more arbitrary as to removal policies, and although I can prove we're not a relay, we're still listed." While I approve of the basic concept of SPAM Blacklists, there are dozens of SPAM blacklists out there who are real keen on adding open relays to the list, but not so keen on taking rehabilitated hosts out. I would posit that SPAM blacklists that are not properly maintained are a part of the problem, not the solution. What are your thoughts on the subject?

rlsnyder continues: "Am I way off base here, or is this self-appointed mail police thing going in the wrong direction? Given that I can't reliably deliver e-mail to a number of places due to being blocked, I've got a big exposure. Is this making spam less of a problem, or are we trading one problem (SPAM) for another (the reliability of proper maintenance of SPAM Blacklists)?

I could draw a bunch of analogies here, but isn't the bottom line that no one owns the internet e-mail system? I realize no one makes ISPs subscribe to the blacklists, but basically, I'm trying to move data from one point to another, and some machines in the middle are discriminating against my data because of a corrected, perfectly legal system configuration error. How is this helping? Has SPAM really decreased universally thanks to these lists?"

This discussion has been archived. No new comments can be posted.

  • Real Pain (Score:5, Insightful)

    by Tadrith ( 557354 ) on Friday February 15, 2002 @07:01PM (#3015680) Homepage
    The company I work for had the same problem. As a result, we ended up having trouble getting e-mail to some of our customers. Thankfully, it was easy to get ourselves removed, but I think if people are going to use blacklists, they should also take the responsibility of keeping them maintained, both in additions and removals.
  • by Breakfast Pants ( 323698 ) on Friday February 15, 2002 @07:05PM (#3015700) Journal
    The whole email blacklist thing could become a huge problem if not kept in check.
  • by Tyrall ( 191862 ) on Friday February 15, 2002 @07:09PM (#3015724) Homepage
    From the article: I could draw a bunch of analogies here, but isn't the bottom line that no one owns the internet e-mail system?
    This is a fallacy that continues to be propagated. I own my own mail server. The company I work for owns its mail servers. We can both decide who we want to allow to send mail to our users.

    At work, we use two open relay lists; ORDB [ordb.org] and ORBZ [orbz.org]. Nobody forces us to use them; it's our server cluster, and our choice.
    The reason we use those two systems, however, is due to the reasons pointed out in the article. Some blacklists are far too easy to get onto, or hosts are arbitrarily added by humans. The only way to get onto either of those lists is to be an open relay. The only way off is to be automatically retested and found to not be an open relay.

  • by fishybell ( 516991 ) <.moc.liamtoh. .ta. .llebyhsif.> on Friday February 15, 2002 @07:09PM (#3015725) Homepage Journal
    I've had my e-mail address at hotmail for many years, and until the last year or so haven't taken any precautionary measures to reduce my spam intake. As a result of this, that address receives hundreds of spam messages daily (thank god for filters).
    I've only noticed that spam is getting harder to filter because of the blacklists. No longer are they all coming from a dozen or so servers, but instead hundreds.

  • by analog_line ( 465182 ) on Friday February 15, 2002 @07:12PM (#3015741)
    I couldn't agree more. Spam blacklists can be a useful tool, except for the fact that the majority of blacklist providers have a "one strike and you're out" policy with regard to relays. The "punishment" of being put on a blacklist has become the end, not the means to getting the open relay turned off, which is what it should be.

    The maintainers of these lists need to lose the judge/jury/executioner attitude and develop a bit of responsibility. These lists need to be _maintained_, not just added to. It's a trivial matter to automate the process of checking whether the sites listed in a blacklist are actually running an open relay. Hell, the spammers can do it, why can't the people who maintain these lists? It's worse than blackmail, because you can't even pay to get yourself off some of them.
  • by devphil ( 51341 ) on Friday February 15, 2002 @07:14PM (#3015751) Homepage


    Yep, that's the root of the problem: there are a number of for-free blacklists out there which are professionally managed. Those are the ones that should be used.

    And as long as we publicly point out the blacklists that are being poorly run, people will stop using them, and switch to the good ones (like RBL, RSS, DUL, ORDB). The solution is not to ban or otherwise stop using blacklists, the solution is simply to (vocally) promote the ones which stay on top of the problem.

  • Yes and no (Score:2, Insightful)

    by Grax ( 529699 ) on Friday February 15, 2002 @07:14PM (#3015754) Homepage
    Being added to a blacklist without being informed of it is wrong. I was added to a blacklist due to an oversight in my mail config. We were not generally an open relay but in specific instances we were.

    Any time that happens an email should be sent to postmaster@(reverse dns of mail server IP address) to inform them of the action being taken and the specifics of their openness. Just "you are running an open relay" is insufficient.

    Also the ability to quickly remove the address from the blacklist when the other mail admin repairs the problem is important.

    I don't particularly like blacklists but something must be done to discourage open relays and for now they are the only option.
  • by spencerogden ( 49254 ) <spencer@spencerogden.com> on Friday February 15, 2002 @07:15PM (#3015762) Homepage
    What if it used to be a crack house, but the neighborhood cleaned up and was safe?

  • We use ordb and orbz here at work. Over a day or so it rejected about 500 emails.

    Then we blocked all mail from mail servers whose IP numbers don't resolve. Now we have cut down on spam dramatically. Our root@ email account has gone from 200 spam emails a day to about 10.
  • by Sir Spank-o-tron ( 18193 ) on Friday February 15, 2002 @07:16PM (#3015766) Homepage
    1. turn off open relay.
    2. click 'check me now'
    3. pass check.
    4. turn on open relay.
    5. spam as usual.
    6. rinse repeat.
    7. automate process
  • by Anonymous Coward on Friday February 15, 2002 @07:18PM (#3015778)
    Crack house? A bit harsh considering the guy simply had an open relay which he then fixed.

    You really think this is a valid analogy? Go spend a night in one, then go back to our cushy world of sysadmin stuff.

    Didn't think so.

    I'm betting he was asked to install a server - prolly a turnkey type - did so, and watched it chug along for a good long time before someone found out it was open and started using it.

    More like finding a crackhead in your garage, eh?

    Gee, ya think maybe he missed the giant neon sticker that came with the mailserver manual that said "your box is an open relay by default. fix that. tag - you're it!" Oh, right - that's because there is no such sticker.

    If they maintain the lists, they should *maintain* them, not just treat them like a brick wall and simply pile up the addresses and leave it at that. My experience with orbz is that they don't pay attention to the people in the middle - I've been there.

    Just takes a little bit of hard work, and this guy's apparently willing to do his part.

    Lighten up and tackle the appropriate problem.

    --Jake
  • by Thagg ( 9904 ) <thadbeier@gmail.com> on Friday February 15, 2002 @07:21PM (#3015797) Journal
    rlsnyder asks: "Has SPAM really decreased universally thanks to these lists?" Well, it is hard to say. Spam has increased monotonically since its inception, and it continues to grow. It is possible that blacklists have helped lower the rate of growth.

    What blacklists really do is get the attention of sysadmins, and get them to take the problem seriously. I, like rlsnyder, was victimized in the same way -- our mail server was an open relay, we forwarded some spam, and got blacklisted. It took me a week or so to get it straightened out, and in the process I learned quite a bit about the UCE problem. rlsnyder similarly has been enriched by the experience, whether he agrees to that at this point or not.

    One always has the option of sending mail from one of the many free mail systems. If your mail is blocked while your case is being reviewed, then send it from hotmail or someplace like that. That's what we did. It took about a week for the last of the spam reporting services to delist our site, and while it was inconvenient, it wasn't devastating. It won't be for rlsnyder, either, I trust.

    The big problem is that there is nothing to stop the spammers. People who relay mail through unsuspecting companies are already criminals, they will not be dissuaded by laws. The only thing that the anti-spam community can do is to try to put a finger in all 2^32 holes in the dike, and the only way to do that is to educate people. The blacklists are that education program.

    thad

  • by maxpublic ( 450413 ) on Friday February 15, 2002 @07:26PM (#3015833) Homepage
    And if the database flags the company as a repeat offender the process is locked for them, requiring actual human intervention. Easy to write something like this.

    Max
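The retest-and-lock process maxpublic describes, sketched as an added example that is not part of the original thread or any real blacklist's code. The strike threshold, the 24-hour retest interval and all names are assumptions, and the probe verdict is passed in as a boolean so the example runs offline.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

# Assumed policy values for illustration, not taken from any real blacklist.
MAX_STRIKES = 3                              # listings before the entry locks
MIN_RETEST_INTERVAL = timedelta(hours=24)    # rate limit on self-service retests


class State(Enum):
    LISTED = "listed"
    DELISTED = "delisted"
    LOCKED = "locked"    # repeat offender: only a human reviewer can delist


@dataclass
class Entry:
    state: State
    strikes: int = 1
    last_retest: Optional[datetime] = None


class Blacklist:
    def __init__(self):
        self.entries = {}

    def report_open_relay(self, ip):
        """Record that a probe found `ip` relaying. Relisting a host that was
        delisted earlier counts as another strike."""
        entry = self.entries.get(ip)
        if entry is None:
            entry = self.entries[ip] = Entry(State.LISTED)
        elif entry.state is State.DELISTED:
            entry.strikes += 1
            entry.state = State.LOCKED if entry.strikes >= MAX_STRIKES else State.LISTED
        return entry.state

    def request_retest(self, ip, now, relay_is_closed):
        """Self-service retest. `relay_is_closed` is the probe verdict, supplied
        by the caller so the example stays offline."""
        entry = self.entries.get(ip)
        if entry is None or entry.state is State.DELISTED:
            return "not-listed"
        if entry.state is State.LOCKED:
            return "locked-manual-review"
        if entry.last_retest is not None and now - entry.last_retest < MIN_RETEST_INTERVAL:
            return "retest-too-soon"
        entry.last_retest = now
        if relay_is_closed:
            entry.state = State.DELISTED
            return "delisted"
        return "still-listed"

    def manual_delist(self, ip):
        """Human review path; strikes are kept, so the next relapse locks again."""
        self.entries[ip].state = State.DELISTED


def toggle_scenario():
    """Constructed timeline: a host that closes its relay only for the retest."""
    bl, ip, t0 = Blacklist(), "192.0.2.25", datetime(2002, 2, 15, 19, 0)
    h = lambda n: t0 + timedelta(hours=n)
    out = []
    bl.report_open_relay(ip)
    out.append(bl.request_retest(ip, h(1), True))     # first offence: delisted
    bl.report_open_relay(ip)                          # relay reopened, strike 2
    out.append(bl.request_retest(ip, h(3), True))     # only 2h since last retest
    out.append(bl.request_retest(ip, h(26), True))    # 25h later: delisted again
    bl.report_open_relay(ip)                          # strike 3: entry locks
    out.append(bl.request_retest(ip, h(60), True))    # self-service refused
    return out


if __name__ == "__main__":
    print(toggle_scenario())
```

A host that fixes its relay once is delisted on its first passing retest; only the host that keeps reopening ends up waiting for a human.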
  • by xee ( 128376 ) on Friday February 15, 2002 @07:28PM (#3015848) Journal
    Your logic is... fuzzy.

    First of all, your crack-house metaphor is absurd. Secondly, your "if you don't like it, move" mentality is so amazingly worthless, I'm surprised I'm even taking the time to point it out.

    If you don't like it, try to make it better.
  • by Tyrall ( 191862 ) on Friday February 15, 2002 @07:30PM (#3015852) Homepage
    Nope, the usual way to do it is:
    1. Filter the open relay checker's IP.
    2. Click 'check me now'.
    3. Spam as usual.

    This is a retarded, but effective way of avoiding the automatic blacklist generators.
    You'll still get on a lot of the automatic+human checkers like MAPS' open relay list.
  • by Tackhead ( 54550 ) on Friday February 15, 2002 @07:34PM (#3015874)
    > What if it used to be a crack house, but the neighborhood cleaned up and was safe?

    A good point. That's why I'd buy SPEWS a beer.

    The system appears to be automated -- if the blocked host stops sending spam for a long enough period of time, SPEWS appears to unblock it.

    If, on the other hand, the spam continues to issue from the blocked host, SPEWS appears not to unblock it.

    From what I've read in news.admin.net-abuse.email, the length of time for which a provider remains in SPEWS appears to be proportional to the length of time the provider ignored abuse complaints.

    Contrast this with a privately-run blocklist (e.g. my "fsck it, block the /24".) I can't be bothered to check if the /24 has cleaned up. There are IP address ranges all the way back to the days of Cyberpromo that I haven't been bothered to unblock.

    The advantage of SPEWS and its ilk is that 1000 systems can be unblocked. The problem with the blocklist on my own system is that I can rarely be bothered to unblock it.

    (In crackhouse terms, SPEWS reads police blotters, and if it stops seeing crime in a certain area, allows pizza delivery. I'm the crusty old Italian guy who says "No, you can't deliver to 48th street, it's a war zone, at least, it was the last time I tried to deliver a pie there sometime in 1996!")

  • by dbucher ( 199847 ) on Friday February 15, 2002 @07:42PM (#3015918) Homepage
    We too were listed on some of these lists. And this was at the beginning of what is now known as "mail relaying". Before then, all mail servers were open relays, and suddenly your emails are blocked!

    Therefore I'm against these lists but I would suggest another solution:

    1. These lists should inform you that you have been added
    2. They should leave you 10-15 days to fix the problem before blocking you
    3. They should help you. I was *very* shocked by ORBS attitude "we block you, and we don't care if you cannot correct it"

    The problem 3 is quite grave: What can you do if your mail server doesn't support anti-relay?
    Or if you must buy another licence, or if it's open source, but needs a new version of the OS, or things like that. OK, now all email servers support anti-relay. But this was not the case at this time.

    And FIRST OF ALL, I would really like to have an RFC on this subject: I don't accept ORBS having decided what's permitted and what's not! Some relaying is permitted and some not.

    Example: Accept any IP address for relay except ORBS, you won't be blocked but you're an open relay ;-)
  • by Da Schmiz ( 300867 ) <slashdot@prydeTEAn.net minus caffeine> on Friday February 15, 2002 @07:43PM (#3015925) Homepage
    Yeah, a friend of mine was using a similar system, and it worked quite well for him. That is, until the day his boss sent him a message with the subject line "URGENT!!! THIS IS VERY IMPORTANT!!!" or something like that. He never saw the message.

    So, the boss realizes that perhaps my friend didn't get the message, and so the boss forwards the message to him, with a note attached, so now it reads "FW: URGENT!!! THIS IS VERY IMPORTANT!!!"

    This happens two or three times before he finally figured out what was going on.

    Moral of the story: quarantine spam, but don't automagically send it to a black hole. Only the addressee can truly differentiate legitimate mail from spam.

  • by hpa ( 7948 ) on Friday February 15, 2002 @07:46PM (#3015940) Homepage
    > The problem 3 is quite grave: What can you do if your mail server doesn't support anti-relay?
    > Or if you must buy another licence, or if it's open source, but needs a new version of the OS, or things like that. OK, now all email servers support anti-relay. But this was not the case at this time.

    If so, they're right in blocking you. You're saying "oh, we're not willing to go through the trouble of cleaning up our server, to hell with anyone who gets spammed." It's exactly those sites that they're supposed to be blocked.

    > 2. They should leave you 10-15 days to fix the problem before blocking you

    That's insane. Once you end up on a spamrelay list, you'll be the conduit for tons of spam within hours or even minutes. 10-15 days is an eternity in that respect.

  • by Anonymous Coward on Friday February 15, 2002 @08:02PM (#3016008)
    Seriously. They need to be canned. NOW.

    > My employer's corporate office email system is an open relay, so that outlying offices (like ours) can send email, and so the company can track what we're doing.

    Your employer's corporate office needs to employ a VPN.

    > My employer is baffled why we can't get off of the blacklists, even after the move to the new ISP.

    Tell him it's because the IT guys are incompetent. Point him to this message if he thinks it's just you. You NEVER need an open relay. Tell him that you need VPNs between sites - that with the email flying around unencrypted, that anyone can view all of your internal memos as they fly between sites.
  • by sparkz ( 146432 ) on Friday February 15, 2002 @08:03PM (#3016013) Homepage
    I've done the exact same thing as the poster of this article - and it took ages (weeks, IIRC) to get off the list, despite being "clean" for all that time.

    One item of spam had been sent through our server, I spotted the problem, fixed it, and got told that I'd been blacklisted. I then applied to be retested ("oh please Mr. Self-Appointed Cop, please say that I am good"), and was not removed from the list for a long long time. It should be automatic. Maybe test that server once a day for the next few weeks to make sure that it stays closed, if you feel such an urge. But everybody loses when the lists are not updated promptly - the admins of previously-open relays cannot send email, innocent recipients of email from the previously-open relay don't receive email they were expecting, and the maintainers of systems using the blacklists lose faith in the accuracy of the list, and stop using them (hopefully!).

    I really don't know why people bother using these lists - I've not seen anyone claim here that they've benefitted significantly from doing so, and many people are harmed.

  • by JordoCrouse ( 178999 ) on Friday February 15, 2002 @08:06PM (#3016021) Homepage Journal
    > Don't like living in a crack house? Move.

    What about the people living next door to the crack house? Should they not be able to get a pizza as well? How about the good houses that get anonymously accused of being crack houses?

    The fact of the matter is, for every legitimate spammer on the list (even the well administrated ones), there is another placed there unfairly.

    In the three weeks preceding the much awaited dumping of ORBS, we started dropping mail from 4 different valid mailing lists and 1 valid business (it was a brick and mortar business - no web presence, just an e-mail server). One of the lists was LKML (and I have no idea why it was on the list), and the other three had the misfortune of being on the same web hosting service as a spammer.

    The brick and mortar was on the list because of an open relay (which was a good reason to be listed), however once it was closed, they were not allowed to be removed, though their level of e-mail is about 20 - 30 messages a day, and they have never sent a spam in their existence.

    The problem is that we are all living in close proximity here - legit businesses are only a few digits away from spammers (just like the real world). And the knee jerk reaction that most sysadmins take in dealing with the situation is similar in nature to burning half your mail daily because the postmark is similar to a known junk mailer. And burning is a reasonable analogy, because blocked emails don't get archived or analyzed, they get tossed, lock stock and barrel.

    It's so easy for a sysadmin to install a blacklist and never worry about it again (unless of course, *he* starts losing messages).

    The price for having a spam free existence is to constantly monitor and evaluate the system, not to light a match and walk away.

  • by Tackhead ( 54550 ) on Friday February 15, 2002 @08:11PM (#3016036)
    > First of all, your crack-house metaphor is absurd. Secondly, your "if you don't like it, move" mentality is so amazingly worthless, I'm surprised I'm even taking the time to point it out.
    >
    > If you don't like it, try to make it better.

    Moderators - give that guy back a point.

    I really should have written "If you don't like it, ask your landlord to evict the dealers. Then think about moving."

    Or "If you don't like being listed in SPEWS, and you're not a spammer, ask your ISP to boot the spammers. You, as a customer of the listed ISP, have a hell of a lot more pull with that ISP than the spam recipients do."

  • by SSpade ( 549608 ) on Friday February 15, 2002 @08:19PM (#3016060) Homepage

    Email as a communication medium is under attack.

    The deluge of spam itself causes some of the damage, causing people to be wary about giving out their email addresses, afraid to post publicly on mailing lists, or in some cases changing their email addresses and only giving them out to close family and friends. This retreat into 'email enclaves' destroys one of the best things about email - the ability to communicate with someone on the other side of the world, even if it's just a "Hi from China, I really liked your webpage!".

    The other widely used approach to avoid spam is the use of aggressive blocking lists to ghettoize huge sections of the internet, preventing them from communicating with those sections of the internet that use those lists. This, too, is causing massive damage to email as a medium for communication.

    The third part of the problem is the fear some organizations have of being labelled spammers for behaviour that would have been considered quite reasonable a few years ago. This chilling of communication isn't as big a problem as the previous two, but it's getting worse.

    A combination of spammers and ill-conceived responses to spammers is balkanizing email, making it less and less viable as a means of person-to-person communication. And losing email would be a huge, huge loss, as more than anything else it sums up what is good about the growth of the Internet - letting people talk to other people.

  • It's real simple (Score:3, Insightful)

    by tuxlove ( 316502 ) on Friday February 15, 2002 @08:32PM (#3016100)
    If someone runs an open relay, they deserve to be blacklisted. Those sites who enjoy receiving spam can choose not to use blacklist information. Those who do not like spam can use blacklists.

    However, those who repent and fix their open relays should be immediately removed from any open relay blacklist they might be listed with. It's totally irresponsible to run a blacklist without provisions for keeping them up to date in near-realtime.

    An example of a great service was ORBS (the Open Relay Blackhole Service), may it rest in peace. It was largely automated, and would add and remove sites simply based on observations made by their relay-checking robot. There were some manual entries (for sites who refused to be probed), and that was cause for a bit of controversy. But by and large it was quite excellent. I can see absolutely no reason whatsoever for anyone to complain about the creation and use of such blacklists, unless they are a spammer. I have never heard a valid reason why an open relay should be considered okay (I do *not* agree with John Gilmore, just about the only slightly credible dissenter I've heard on this topic. He's just too lazy to use one of many available alternatives to what he's trying to accomplish. See this [weblogs.com] to see what I'm talking about.)

    Too bad most of the great blacklist services seem to be going away or becoming (highly overpriced) commercial endeavors.
  • by wizkid ( 13692 ) on Friday February 15, 2002 @08:41PM (#3016124) Homepage

    There are many different blocking services out there. Orbs is one. They have an automated system to block and unblock your site. If you fix the open relay, you can fill out the form and get retested fairly easily. If you contact them, and hit them up with a bad attitude, they will respond with the same attitude.

    They are one of the better filter services. I've run mail servers in the past, and dealing with them is a pain nowadays. Especially because of the spam problem. Using rbl and orbs blocking is getting to be a requirement because of the morons out there who have open relays and won't bother to fix them.
    Giving someone 10-15 days to fix a problem is a bad idea. Having a painless way to have your server quickly is the right way to do it. If you leave an open relay there for 10-15 days waiting for some over-worked administrator to fix it won't work. Postmaster mail on an open relay will generally get buried almost immediately, and the administrators won't see it until the 10-15 days have expired, if at all. If the server is bouncing mail left and right, the administrator will be motivated to fix it quickly.

    Yea, it's the Nazi approach, but that seems to be the only way that works these days. There's days where life sucks!
  • My system was recently blacklisted on half a dozen lists because another system within my IP block was spamming. The blacklist used xxx.xxx.xxx.* instead of the specific IP address - a range that included my system. The end result for me was that I was unable to communicate with a large number of my customers, and had to move my server to a new IP range.

    Requests to remove my old IP address were, of course, ignored. My system didn't spam, had never spammed, wasn't an open relay, and was still blacklisted.

    Personally, I think the spam blacklistings are a good idea in theory. As implemented, I find them annoying and worthless.
  • by tweek ( 18111 ) on Friday February 15, 2002 @09:34PM (#3016292) Homepage Journal
    Good call. I haven't read the rest of the posts just yet but I found someone who agrees with me.

    At this point in my career, I am tired of dealing with half-assed admins who can't tie a shoe.

    You were hired based on a particular competence level. You said you knew how to administer a mailserver. If you say you can administer a mailserver, you should know about open relays. If this was your first job administering a mailserver, you shouldn't have gotten the fucking job.

    As an admin, YOU and you alone are responsible for what comes out of your network.

    Back when codered was flooding the internet (and still is,along with nimda, based on my fucking log files), I had to call this company that was sending out codered scans from no less than 5 different IP addresses. At ONE company! I searched through internic records (I'll be damned if I was going to load the company's website) and finally got in touch with someone who claimed to be the network admin. I explained the situation to him and he proceeded to tell me that he wasn't aware that these servers were even running! How in the fuck can you not know what goes on with your network?

    You see, I'm paranoid. I want to know everything that goes on with my network at any given time. I do my damnedest to make sure everything is secure as possible (short of pulling the damn cat 5 out of the switch). I've got the switches locked to MAC address so no one can just plug in a machine. I've got an external mail relay that only forwards mail to our firewall that is then passed to our Exchange server (the one halfway decent product MS makes). Not only is the external mail scanner running some stuff to check for basic attachment viruses, but our exchange server is running Norton for Exchange. The client machines have NAV as well which uses a central server to update definition files daily. The outlook clients are running the Attachment and Zone patch from Microsoft. And to top it off, you can't relay through our server without authentication which most email clients support nowadays.

    Some people call that paranoid but while our clients got slammed by the latest outlook bugs, we happily zoomed along without a single infection (should have seen the NAV logs on the email server though ;> ).

    The point of all this is this. You were hired to do a job. If you aren't competent to do the job then get the hell out of the way and go work under someone who can.

  • by SomeoneYouDontKnow ( 267893 ) on Friday February 15, 2002 @09:35PM (#3016298)

    What you're proposing has already been thought of. It's called a Teergrube. What it does is hold the spammer's SMTP connection open for as long as possible, appearing to slowly accept mail, but in reality doing nothing but wasting the spammer's time. You can do a Usenet search on that term to get more information. Here's an FAQ [iks-jena.de] that may help you out. The post I pulled the link from is several years old, so you may want to look for something more up to date.

  • by vadim_t ( 324782 ) on Friday February 15, 2002 @09:45PM (#3016335) Homepage
    Nice idea, but flawed. How about this:
    The spammer connects to open.relay.net, and sends the first message to his/her own hotmail account made for checking purposes. If the email arrives the server is good, and the spammer sends the 50,000 messages. If it doesn't, the spammer tries another server.

    How would you avoid that?
  • by Tyrall ( 191862 ) on Friday February 15, 2002 @09:49PM (#3016345) Homepage
    > You are 100% correct. However, I think that it's the responsibility of the sysadmin who subscribes to a blackhole list to keep the database current and to make sure that the list has a decent policy for removal from the list.

    I'd say it's the responsibility of the sysadmin to analyse those factors way before they even started to use the list. I know we checked over a period of months that the two services we used were well maintained. I'd like to counter a couple of the points you mentioned:

    > Mail is sent to an administrative account at the mail-server (or at least to common addresses like abuse@[mail-server], root@[mail-server]). Making admins manually subscribe does not satisfy this requirement.
    > Related to the above, such mail must contain a full itemized list of tests performed (or at least any and all items which were failed). The point of these lists is not to punish admins, but to educate them and make a better internet.

    This was one of the stumbling blocks we came up against. We'd prefer the systems used a notification method like you described. However, the TXT on the lookup clearly points you to a web page detailing exactly what failed. Our reject message is also customised to suggest why the mail is being rejected.
    I find ORBZ's reason for not emailing notifications [orbz.org] somewhat amusing though.

    > There must be a period of sufficient length (24 hours sounds good to me) to allow the admin to fix the problem, before the host is added to the list.

    I disagree. One of the bonuses of both systems is their automatic notification feature. I can submit a relay for checking on the first spam from a server, and have it reject future attempts that same day.

    > There must be a free means of checking the lists. The current database of blocked addresses must be available for use and editing by myself. If IP blocking is enabled, it must be possible to disengage, on a per-host basis.

    Any server capable of limiting using RBLs is also capable of whitelisting IPs or IP ranges. We have many IPs in our whitelists, but it should be up to us to add to that whitelist. If you allow general access to the blacklists you will get moron spammers de-listing relays and then using them.

    > Any IP address which submits a list of open relays must be banned from submitting more relays for a reasonable period of time (3 years, maybe?) if one, when tested, is found to be adequate. Otherwise, these DBs are just DDOS attacks waiting to happen.

    ORBZ will not retest within 24hrs unless requested from the IP of the blocked server. ORDB does not have such a limit to my knowledge, but I agree it should have.
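The receiving-side setup Tyrall describes (a local whitelist consulted first, then the blacklist lookup, with the list's TXT record reused as the reject reason), as an added example that is not code from the thread or from any of the lists named. The zone names, addresses and DNS records are constructed, the resolver is a stand-in function so the example runs offline, and only IPv4 is handled.

```python
import ipaddress

LISTING_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """DNSBL convention: reverse the IPv4 octets and append the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def check_sender(ip, zones, whitelist, resolve):
    """Return (accept, reason) for a connecting client address.

    resolve(name) is assumed to return None for NXDOMAIN, or a tuple
    (a_records, txt_records) when the name exists.
    """
    addr = ipaddress.ip_address(ip)
    # The local whitelist wins over every list: this is the per-host override.
    for net in whitelist:
        if addr in net:
            return True, f"whitelisted by local policy ({net})"
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is None:
            continue                      # NXDOMAIN: not listed in this zone
        a_records, txt_records = answer
        # Listing codes live in 127.0.0.0/8. Any other answer (for example a
        # wildcard record on a parked domain) is not a listing and is ignored.
        if not any(ipaddress.ip_address(a) in LISTING_RANGE for a in a_records):
            continue
        reason = txt_records[0] if txt_records else "no reason published"
        return False, f"550 {ip} listed in {zone}: {reason}"
    return True, "not listed"


# Constructed DNS data: documentation addresses and made-up zones.
SAMPLE_RECORDS = {
    "25.2.0.192.relays.dnsbl.example":
        (["127.0.0.2"], ["Open relay, see http://dnsbl.example/lookup?ip=192.0.2.25"]),
    "7.100.51.198.relays.dnsbl.example":
        (["127.0.0.2"], ["Open relay, see http://dnsbl.example/lookup?ip=198.51.100.7"]),
    "9.113.0.203.parked.dnsbl.example":
        (["203.0.113.80"], []),
}
ZONES = ["relays.dnsbl.example", "parked.dnsbl.example"]
WHITELIST = [ipaddress.ip_network("198.51.100.7/32")]   # a known business partner


def sample_resolve(name):
    """Offline stand-in for a DNS lookup against the constructed records."""
    return SAMPLE_RECORDS.get(name)


if __name__ == "__main__":
    for client in ("192.0.2.25", "198.51.100.7", "203.0.113.9", "192.0.2.99"):
        print(client, check_sender(client, ZONES, WHITELIST, sample_resolve))
```

Carrying the list's TXT text into the rejection gives the blocked sender's administrator the pointer to what failed, which is the notification path the comment relies on.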

  • by CaptainSuperBoy ( 17170 ) on Friday February 15, 2002 @10:38PM (#3016464) Homepage Journal
    > 1. These lists should inform you that you have been added

    If you were added to a list without any knowledge that you had a spam problem, you are not qualified to run a mail server. If you were in any danger of being blacklisted, your postmaster@ account must have received hundreds of spam complaints. If you just ignored them, what did you expect to happen?

    > 2. They should leave you 10-15 days to fix the problem before blocking you

    Why, so spammers can abuse your servers for 10-15 more days? It was eating up YOUR bandwidth too, you know..

    > 3. They should help you. I was *very* shocked by ORBS attitude "we block you, and we don't care if you cannot correct it"

    ORBS WAS the exception, not the rule. ORBS is gone now btw, but they weren't known for their user-friendliness or their accessibility. Nevertheless, it's YOUR responsibility to fix your server, not theirs.

    > Example: Accept any IP address for relay except ORBS, you won't be blocked but you're an open relay ;-)

    You didn't come up with this idea you know.. it's been done before. What did we call the people who did that? Oh right, spammers.
  • by shadie ( 261393 ) <shadie@@@dds...nl> on Friday February 15, 2002 @10:46PM (#3016487) Homepage
    We (dds, a Dutch ISP) had a spam problem, and being a free email provider for such a long time did contribute to that. When we went out to solve this problem we did it in three steps:

    - Implement RBL+ on our mailservers (got the load down a bit though)

    - Created a global "spam filter" (weight system a la junkfilter) which was opt-in for our users..

    - We installed procmail, gave each user its own .procmailrc and made a web interface to create procmail recipes in an "outlook" style.

    This recipe maker could then be accessed by each user on their own user pages, or they could just make recipes through their shell access

    Our end users didn't really notice much about our use of RBL. And most of them don't know what RBL is anyway.

    But giving them the possibility of filtering email on the serverside _themselves_ did make a difference! It gave them a feeling we are fighting spam, and that THEY are also in control!

    And last but not least... Giving your users info on how to _avoid_ spam is important! We did this by writing clear FAQs on avoiding spam, and pointing each new user to these FAQs

    (b.t.w... this was my first post on /. , lurking time is over I guess :-)
  • by Anonymous Coward on Friday February 15, 2002 @10:53PM (#3016512)
    " If you aren't competent to do the job then get the hell out of the way and go work under someone who can. "

    It's going to be ironic when you fall on your nose and screw up.

    Nobody's as smart as they think they are, so I'm going to be curious when you screw up if you're going to 'get the hell out of the way'.

    Nah, you'll make an excuse that "it wasn't your fault". Human nature I suppose.

    BTW, Exchange really does suck.

    If you're not using Unix for SMTP, it's probably because you're not smart enough to configure it.

    At least that's what smart people say.
  • by Anonymous Coward on Saturday February 16, 2002 @04:28AM (#3017194)
    Thanks for that offtopic, flamebait, troll, redundant, insightful, interesting, and informative post. Too bad it wasn't funny as well.
  • by Phork ( 74706 ) on Saturday February 16, 2002 @05:32AM (#3017314) Homepage
    You seem to be not understanding something. Open relays are not usually set up by spammers, they are usually set up unknowingly by companies for their corporate email and things like that. Then a spammer finds out that the server is an open relay, and starts to bounce their spam off it. So it is not at all an issue of spammers finding a way to avoid having their mail servers detected, a smart spammer would not run an open relay on their own server, because open relays get blocked, and can cost you money if someone starts to send a large amount of traffic through the server.
    The only time you would have someone trying to avoid their server being detected as an open relay is when they use the server for legitimate (non-spam) purposes, but are too lazy to make the server not an open relay.
  • by Phork ( 74706 ) on Saturday February 16, 2002 @05:35AM (#3017318) Homepage
    I believe this is how several of the blacklists currently work, at least for the removal. I don't know if they automatically go out and hunt for open relays.
  • by Anonymous Brave Guy ( 457657 ) on Saturday February 16, 2002 @12:11PM (#3018187)
    ORBS does not decide what is "permitted" nor do any of these other databases. They have a set of criteria for deciding whether and when your mail server ends up in their database.

    Which they have all violated on numerous occasions, to the detriment of the innocent bystanders caught up in their incompetence.

    I'm sick of the attitude that ORBS owes you something when your mail server is an open relay.

    And what if it isn't? There have been numerous cases where the various blacklists have included servers

    • completely in error
    • because they shared the first n sections of their IP address with another box that was open
    • long after they've fixed whatever problem there was.

    I don't like open relays and spam magnets any more than you do, but I know how easy they are to overlook, and it will happen, even to generally competent people. It is in everyone's best interests to have a quiet word with the sysadmin at an open site first, because 90% of the time, that will solve the problem.

    On the other hand, what we now have is a vigilante culture where totally unaccountable people can wipe out your company (quite literally, if you depend heavily on e-mail) on a whim, and there isn't jack you can do about it. As far as I'm concerned, if these people are blocking you inappropriately, they should be liable in the same way as anyone else who damaged your business by making a false claim, and you should be able to sue them to the other side of the galaxy.

    It's like being ticketed for driving your car down the wrong side of the road at 90 miles per hour and then being pissed off that the cop did not provide you with free driving lessons and give you 10-15 days to stop driving like that.

    No, it's not even slightly like that. Having an open relay is inconvenient but not immediately dangerous. Having an open relay is not illegal. You are not required to pass a test before running a mail server. The internet is not governed by generally well-reasoned laws. A generally competent driver will not accidentally find themselves driving at 90mph on the wrong side of the road because they just bought a new car. All in all, the two cases aren't even remotely the same.

    I think that ORBS should charge a processing fee for "expedited removal" from their database and, otherwise, just remove systems once a week.

    Do you also think that the media should be able to run business-destroying stories based on complete misinformation, and then charge extra to print an apology in the next edition (even though most of the damage is already done and they don't have to pay anything for doing it)?
