rlsnyder asks: "I'm the inadvertent co-administrator of e-mail for a company that relies pretty heavily on it for daily business (e.g. sending confirmations of financial transactions). At one point in the not-too-distant past, our server was an open relay. I admit I'm a sinner for letting it happen, and I'm ready to do my penance. Given the relatively low volume of mail our server moved that did not originate from inside, I doubt I was a major contributor to the world of SPAM. In any event, we've been blacklisted on a number of sites. Some lists have reasonable policies, and we've since been removed. Other places are a little more arbitrary as to removal policies, and although I can prove we're not a relay, we're still listed." While I approve of the basic concept of SPAM Blacklists, there are dozens of SPAM blacklists out there who are real keen on adding open relays to the list, but not so keen on taking rehabilitated hosts out. I would posit that SPAM blacklists that are not properly maintained are a part of the problem, not the solution. What are your thoughts on the subject?
rlsnyder continues: "Am I way off base here, or is this self-appointed mail police thing going in the wrong direction? Given that I can't reliably deliver e-mail to a number of places due to being blocked, I've got a big exposure. Is this making spam less of a problem, or are we trading one problem (SPAM) for another (the reliability of proper maintenance of SPAM Blacklists)?
I could draw a bunch of analogies here, but isn't the bottom line that no one owns the internet e-mail system? I realize no one makes ISPs subscribe to the blacklists, but basically, I'm trying to move data from one point to another, and some machines in the middle are discriminating against my data because of a corrected, perfectly legal system configuration error. How is this helping? Has SPAM really decreased universally thanks to these lists?"
Real Pain (Score:5, Insightful)
It's anti-democratic ! There are other (better) so (Score:2, Insightful)
Therefore I'm against these lists but I would suggest another solution :
1. These lists should inform you that you have been added
2. They should leave you 10-15 days to fix the problem before blocking you
3. They should help you. I was *very* shocked by ORBS attitude "we block you, and we don't care if you cannot correct it"
The problem 3 is quite grave : What can you do if your mail server doesn't support anti-relay ?
Or if you must buy another licence, or if it's open source, but needs a new version of the OS, or things like that. OK, now all email servers support anti-relay. But this was not the case at this time.
And FIRST OF ALL, I would really like to have a RFC on this subject : I don't accept ORBS having decided what's permitted and what's not ! Some relaying is permitted and some not.
Example : Accept any IP address for relay except ORBS, you won't be blocked but you're an open relay
Re:It's anti-democratic ! There are other (better) (Score:4, Insightful)
If so, they're right in blocking you. You're saying "oh, we're not willing to go through the trouble of cleaning up our server, to hell with anyone who gets spammed." It's exactly those sites that are supposed to be blocked.
That's insane. Once you end up on a spamrelay list, you'll be the conduit for tons of spam within hours or even minutes. 10-15 days is an eternity in that respect.
Comment removed (Score:4, Insightful)
Bad analogy. (Score:4, Informative)
[Running an open relay is] like being ticketed for driving your car down the wrong side of the road at 90 miles per hour and then being pissed off that the cop did not provide you with free driving lessons and give you 10-15 days to stop driving like that.
Nice analogy, except that it doesn't work. If you're driving at 90 miles an hour on the wrong side of the road, then (1) your speedometer will tell you that you're driving at 90 miles an hour and (2) looking ahead will show you which side of the street you're on, which you can tell is the wrong side because of what you had to know to pass the test to get your driver's license.
With mail servers, however, there isn't, at least yet, any widespread tool that will tell you if you have an open relay (and given how such tools work, they'll probably be banned as "hacker tools" at the rate things are going these days). In fact, I found out recently that I'd been placed on a blacklist for having an open relay, which took me by surprise because I'd been careful to avoid having anything like that happen; it turned out that I had missed one of the potential avenues of abuse (specifically, using error bounces to spam people).
So until running a (secure!) mail server becomes as simple as driving a car and people need licenses to run servers, your analogy is inappropriate.
No, it's vigilantism without responsibility (Score:3, Insightful)
Which they have all violated on numerous occasions, to the detriment of the innocent bystanders caught up in their incompetence.
And what if it isn't? There have been numerous cases where the various blacklists have included servers
I don't like open relays and spam magnets any more than you do, but I know how easy they are to overlook, and it will happen, even to generally competent people. It is in everyone's best interests to have a quiet word with the sysadmin at an open site first, because 90% of the time, that will solve the problem.
On the other hand, what we now have is a vigilante culture where totally unaccountable people can wipe out your company (quite literally, if you depend heavily on e-mail) on a whim, and there isn't jack you can do about it. As far as I'm concerned, if these people are blocking you inappropriately, they should be liable in the same way as anyone else who damaged your business by making a false claim, and you should be able to sue them to the other side of the galaxy.
No, it's not even slightly like that. Having an open relay is inconvenient but not immediately dangerous. Having an open relay is not illegal. You are not required to pass a test before running a mail server. The internet is not governed by generally well-reasoned laws. A generally competent driver will not accidentally find themselves driving at 90mph on the wrong side of the road because they just bought a new car. All in all, the two cases aren't even remotely the same.
Do you also think that the media should be able to run business-destroying stories based on complete misinformation, and then charge extra to print an apology in the next edition (even though most of the damage is already done and they don't have to pay anything for doing it)?
Re: (Score:3, Insightful)
Comment removed (Score:4, Interesting)
Re:It's anti-democratic ! There are other (better) (Score:3, Insightful)
If you were added to a list without any knowledge that you had a spam problem, you are not qualified to run a mail server. If you were in any danger of being blacklisted, your postmaster@ account must have received hundreds of spam complaints. If you just ignored them, what did you expect to happen?
2. They should leave you 10-15 days to fix the problem before blocking you
Why, so spammers can abuse your servers for 10-15 more days? It was eating up YOUR bandwidth too, you know..
3. They should help you. I was *very* shocked by ORBS attitude "we block you, and we don't care if you cannot correct it"
ORBS WAS the exception, not the rule. ORBS is gone now btw, but they weren't known for their user-friendliness or their accessibility. Nevertheless, it's YOUR responsibility to fix your server, not theirs.
Example : Accept any IP address for relay except ORBS, you won't be blocked but you're an open relay
You didn't come up with this idea you know.. it's been done before. What did we call the people who did that? Oh right, spammers.
Subscribing to blacklists did not help me. (Score:5, Interesting)
Re:Subscribing to blacklists did not help me. (Score:4, Insightful)
Then we blocked all mail from mail servers whose IP numbers don't resolve. Now we have cut down on spam dramatically.. our root@ email account has gone from 200 spam emails a day to about 10.
What helped us and our users the most (Score:5, Insightful)
- Implement RBL+ on our mailservers (got the load down a bit though)
- Created a global "spam filter" (weight system a la junkfilter) which was opt-in for our users..
- We installed procmail, gave each user its own
This recipe maker could then be accessed by each user on their own user pages, or they could just make recipes through their shell access
Our end users didn't really notice much about our use of RBL. And most of them don't know what RBL is anyway.
But giving them the possibility of filtering email on the server side _themselves_ did make a difference! It gave them a feeling we are fighting spam, and that THEY are also in control!
And last but not least... Giving your users info on how to _avoid_ spam is important! We did this by writing clear FAQs on avoiding spam, and pointing each new user to these FAQs
(b.t.w... this was my first post on
ObPeeve: SPAM(tm) vs uce spam (Score:3, Informative)
Hormel Foods has stated they don't mind the use of the word 'spam' to refer to U.C.E., or junk mail, as long as people don't use the term spelled in all-capitals. Hormel owns the trademark on the meat product, SPAM. Given their more-reasonable-than-average position on this, let's respect their request?
Re:ObPeeve: SPAM(tm) vs uce spam (Score:2)
Big Deal. Did you know McDonald's owns a trademark on the phrase "Smile"? (Yeah that's right. It used to be on their cups when they were running some "Smile, you're at McDonald's" campaign or something) Kimberly-Clark owns the trademark on Kleenex, do you think the cops come after me whenever I call my no-name tissue "Kleenex"? The point is, just because they own a trademark doesn't mean you can't use the word in whatever context you like, it means that you can't sell products under that same mark in the same field, or otherwise portray your products as belonging to that mark when they don't.
Re:ObPeeve: SPAM(tm) vs uce spam (Score:2, Informative)
sheeesh, Hormel could have gotten all uppity about it, sent its lawyer out. We all know that cease and desist letters work. If you get a cease and desist letter, and don't, you end up in court. Do you have enough money to fight this in court?
Now if I could only get one of those flaming SPAM hats.
It's more of a pain in the neck (Score:4, Informative)
However I fault ISPs for using them without understanding their policies. Many ISPs use these small-time black-holes because they don't want to use MAPRBL (I assume it's a money thing at this point). And if you get listed, how do you know that you're listed? You don't until somebody calls somebody and says "I can't get mail through to you". There needs to be a better way.
And some sites, it's not worth getting delisted. "www.joes.antispam.site.com" isn't worth the effort one way or the other.
That's a self-solving problem (mostly) (Score:5, Insightful)
Yep, that's the root of the problem: there are a number of for-free blacklists out there which are professionally managed. Those are the ones that should be used.
And as long as we publicly point out the blacklists that are being poorly run, people will stop using them, and switch to the good ones (like RBL, RSS, DUL, ORDB). The solution is not to ban or otherwise stop using blacklists, the solution is simply to (vocally) promote the ones which stay on top of the problem.
Re:That's a self-solving problem (mostly) (Score:2)
The solution is not to ban or otherwise stop using blacklists, the solution is simply to (vocally) promote the ones which stay on top of the problem.
But your .sig says:
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
Using SPAM blacklists is trying to apply a technological solution to a sociological problem, which your .sig proclaims won't work*. Either change your .sig or rethink your actions.
* And it doesn't: we still have SPAM despite the blacklists.
Re:Its more of a pain in the neck (Score:4, Informative)
I don't think it's only a money thing. MAPS is almost useless - they don't list spammers until they've tried to "educate" them. I've noticed that servers sending me spam are never on MAPS. But the fact that they're charging doesn't help.
You generally know that you're listed because some of your outbound mail bounces with a message explaining that you are listed and giving a URL for further info. Are you saying that you've had outbound mail bounced due to a spam list and there was no indication of the reason? I realize this is theoretically possible, but I don't understand why someone would set up a mail server that way.
Automate the maintenance (Score:2, Interesting)
Re:Automate the maintenance (Score:2, Insightful)
2. click 'check me now'
3. pass check.
4. turn on open relay.
5. spam as usual.
6. rinse repeat.
7. automate process
Re:Automate the maintenance (Score:2, Insightful)
Max
Re:Automate the maintenance (Score:4, Insightful)
1. Filter the open relay checker's IP.
2. Click 'check me now'.
3. Spam as usual.
This is a retarded, but effective way of avoiding the automatic blacklist generators.
You'll still get on a lot of the automatic+human checkers like MAPS' open relay list.
Re:Automate the maintenance (Score:2)
No. Deal with it. (Score:2, Interesting)
You wanna live in a crack house? Don't go whining to the cops when you can't get a pizza delivered at midnight.
You wanna get bandwidth with a company that provides services to spammers and relocates spammers to IP addresses to avoid blocking of single IP addresses, don't come whining to /. when the rest of the world wants nothing to do with your ISP.
If someone spams me, I block the IP address. If the ISP relocates the spammer to another IP address in the same netspace, I say "fuck it", and block the /24. Or the /16, if need be.
Don't like living in a crack house? Move.
Re:No. Deal with it. (Score:3, Insightful)
Re:No. Deal with it. (Score:4, Insightful)
A good point. That's why I'd buy SPEWS a beer.
The system appears to be automated -- if the blocked host stops sending spam for a long enough period of time, SPEWS appears to unblock it.
If, on the other hand, the spam continues to issue from the blocked host, SPEWS appears not to unblock it.
From what I've read in news.admin.net-abuse.email, the length of time for which a provider remains in SPEWS appears to be proportional to the length of time the provider ignored abuse complaints.
Contrast this with a privately-run blocklist (e.g. my "fsck it, block the /24".) I can't be bothered to check if the /24 has cleaned up. There are IP address ranges all the way back to the days of Cyberpromo that I haven't been bothered to unblock.
The advantage of SPEWS and its ilk is that 1000 systems can be unblocked. The problem with the blocklist on my own system is that I can rarely be bothered to unblock it.
(In crackhouse terms, SPEWS reads police blotters, and if it stops seeing crime in a certain area, allows pizza delivery. I'm the crusty old Italian guy who says "No, you can't deliver to 48th street, it's a war zone, at least, it was the last time I tried to deliver a pie there sometime in 1996!")
Re:No. Deal with it. (Score:4, Insightful)
You really think this is a valid analogy? Go spend a night in one, then go back to our cushy world of sysadmin stuff.
Didn't think so.
I'm betting he was asked to install a server - prolly a turnkey type - did so, and watched it chug along for a good long time before someone found out it was open and started using it.
More like finding a crackhead in your garage, eh?
Gee, ya think maybe he missed the giant neon sticker that came with the mailserver manual that said "your box is an open relay by default. fix that. tag - you're it!" Oh, right - that's because there is no such sticker.
If they maintain the lists, they should *maintain* them, not just treat them like a brick wall and simply pile up the addresses and leave it at that. My experience with orbz is that they don't pay attention to the people in the middle - I've been there.
Just takes a little bit of hard work, and this guy's apparently willing to do his part.
Lighten up and tackle the appropriate problem.
--Jake
Re:No. Deal with it. (Score:2)
*nodding* - I'd never recommend anyone other than "me" use my blacklist. (And that's why I don't publish it :)
I'm too lazy to take entries out on a day-by-day basis. I believe public blacklists (in general) are a Good Thing, on the grounds that they're easier (for the admin) to use than private blacklists, easier (for the admin) to maintain, and easier (for legitimate customers if and when the ISP cleans up its act) to get out of.
Re:No. Deal with it. (Score:3, Informative)
Re:No. Deal with it. (Score:2)
If you do the crime, be prepared to do time on the blacklist. Ignorance of spam administration is no excuse.
Re:No. Deal with it. (Score:2, Insightful)
First of all, your crack-house metaphor is absurd. Secondly, your "if you don't like it, move" mentality is so amazingly worthless, I'm surprised I'm even taking the time to point it out.
If you don't like it, try to make it better.
Re:No. Deal with it. (Score:3, Insightful)
>
> If you don't like it, try to make it better.
Moderators - give that guy back a point.
I really should have written "If you don't like it, ask your landlord to evict the dealers. Then think about moving."
Or "If you don't like being listed in SPEWS, and you're not a spammer, ask your ISP to boot the spammers. You, as a customer of the listed ISP, have a hell of a lot more pull with that ISP than the spam recipients do."
Amen. (Score:2)
[...]
You wanna get bandwidth with a company that provides services to spammers and relocates spammers to IP addresses to avoid blocking of single IP addresses, don't come whining to
Thank you.
The only way you get blacklisted is if you (or your ISP) is stupid enough to run a promiscuous mail server that allows anyone to use it as a maildrop/forwarder. Fix the problem (either getting a new ISP, closing up your server, or hiring competent people to run your service) and you will be de-blacklisted.
If you cannot be bothered to do any of these things you (and your company) don't deserve to be on the internet, and certainly don't deserve to have any contact whatsoever with me.
Since all of these lists are voluntary, if I have chosen to shun you on the basis of one that is my choice. You do not have a right to be able to contact me if I don't wish to allow it, so get over it, learn from your mistakes, and don't make them again. If you can't be bothered to learn, then, well, enjoy being a component particle of the Black Hole.
Re:No. Deal with it. (Score:4, Insightful)
What about the people living next door to the crack house? Should they not be able to get a pizza as well? How about the good houses that get anonymously accused of being crack houses?
The fact of the matter is, for every legitimate spammer on the list (even the well administrated ones), there is another placed there unfairly.
In the three weeks preceding the much awaited dumping of ORBS, we started dropping mail from 4 different valid mailing lists and 1 valid business (it was a brick and mortar business - no web presence, just an e-mail server). One of the lists was LKML (and I have no idea why it was on the list), and the other three had the misfortune of being on the same web hosting service as a spammer.
The brick and mortar was on the list because of an open relay (which was a good reason to be listed), however once it was closed, they were not allowed to be removed, though their level of e-mail is about 20 - 30 messages a day, and they have never sent a spam in their existence.
The problem is that we are all living in close proximity here - legit businesses are only a few digits away from spammers (just like the real world). And the knee jerk reaction that most sysadmins take in dealing with the situation is similar in nature to burning half your mail daily because the postmark is similar to a known junk mailer. And burning is a reasonable analogy, because blocked emails don't get archived or analyzed, they get tossed, lock stock and barrel.
It's so easy for a sysadmin to install a blacklist and never worry about it again (unless of course, *he* starts losing messages).
The price for having a spam free existence is to constantly monitor and evaluate the system, not to light a match and walk away.
Re:No. Deal with it. (Score:2)
Re:No. Deal with it. (Score:3, Informative)
So, I guess you've never wound up the victim of a poorly-administered blacklist, have you?
My experience with open relays is virtually identical to that of the person who inspired this thread. My server was used as an open relay for part of a weekend.
Near as I can tell, the first spam fired its way out of my server on Friday night around midnight. I closed off the relay on Sunday morning around 10:00 am. In that time, literally thousands of spams were sent, so I fully expected to be blacklisted and even warned my bosses and co-workers.
What I didn't expect, however, was to still be trying to get myself off those blacklists SIX MONTHS LATER.
I think blacklists can be a valuable tool for fighting spam, but only if they're sensible. Blacklists that permanently block without ever rechecking blocked IPs are irresponsible. They're adding to the difficulty of using the Internet, not improving it. They're also reducing their value to their subscribers because they're blocking IPs they shouldn't.
In short, I agree with the post that called for an RFC. If there were some sort of standard for relay blacklists, it would be a damn sight easier getting off the lists once you've resolved the problem.
Re:How to avoid SPEWS black-listings (Score:2)
Cool! (Frankly, I can't see how you'd get listed in the first place. I'm speaking primarily to the SPEWS issue, as that seems to be the "blacklist du jour", as opposed to the various open relay blocking services.)
(Yeah, I was exaggerating by implying I block the IP on the first spam. I usually don't block a /24 unless it looks like a dedicated spamming operation being hosted by a known non-responsive ISP. For dialup-through-relay spam, procmail is your friend. For my own mail, I still auto-forward-to-abuse and the FTC everything from certain ISP dialup ranges in Michigan and the Dallas-Ft. Worth area. I watch those recipes pretty quickly, and take the victim/accomplice ISPs as soon as the cockroach-in-question migrates to his next ISP.)
Re:How to avoid SPEWS black-listings (Score:2, Interesting)
(Someday, I envision a huge "I'm Spartacus!" cascade...)
> My customer goes to the newsgroup to ask to be let out of SPEWS. Group members flame my customer to a crisp because he is supporting spammers when he pays his bill every month.
As for nanae posters flaming your customer to a crisp, well, that's USENET ;-)
Seriously, I do have a problem with that, even though I understand why it happens. The problem is that if you've read nanae long enough, you've seen every spammer lie in the book, and you're very skeptical.
I don't know a solution for that one. It's disturbing - like the cop who busts everyone for minor traffic offenses, because he believes everyone's lying to him. He's heard "I left my wallet at home!" and "Gee, my speedometer must be off!" and "I just noticed the headlight burned out when I left work!" thousands of times over his career, and the thought no longer crosses his mind that once in a while, it'll be the truth.
The nanae problem, in this sense, is that your customer (unlike the poor schmuck who did leave his wallet at home, but who probably realizes he's still toast :-) has no idea how burned-out most nanae denizens have become, and is (IMHO justly) surprised and pissed-off at the rough reception he gets when he tries to make good.
As my initial /. post shows, I'm also part of that problem (too cynical for my own good), which is why I maintain my blocklist on my own box, and only lurk on nanae. But having seen the arguments in nanae so many times, and realizing many /.ers aren't regular nanae readers and haven't read them, I figured I'd throw my two bits in here.
I've been e-mailing the admins of those lists,... (Score:4, Funny)
Naughty in his sight (Score:3, Funny)
Mail servers are private property (Score:5, Insightful)
This is a fallacy that continues to be propagated. I own my own mail server. The company I work for owns its mail servers. We can both decide who we want to allow to send mail to our users.
At work, we use two open relay lists; ORDB [ordb.org] and ORBZ [orbz.org]. Nobody forces us to use them; it's our server cluster, and our choice.
The reason we use those two systems, however, is due to the reasons pointed out in the article. Some blacklists are far too easy to get onto, or hosts are arbitrarily added by humans. The only way to get onto either of those lists is to be an open relay. The only way off is to be automatically retested and found to not be an open relay.
Re:Mail servers are private property (Score:2)
he is correct, nobody owns "the system".
Re:Mail servers are private property (Score:2, Interesting)
There are numerous ISPs out there; you are not required to use any one ISP.
If an ISP doesn't fulfil your specific needs, or has policies you disagree with, then there is nothing preventing you from using a different one.
Similarly, if you're an ISP, there's nothing
No decrease noticed on my part (Score:3, Insightful)
I've only noticed that spam is getting harder to filter because of the blacklists. No longer are they all coming from a dozen or so servers, but instead hundreds.
Please list your domain. (Score:3, Funny)
P. S. And how come I never got those pics of Teen Sara27 XXX 18th birthday?
ORDB.org (Score:4, Informative)
Blacklist sites (Score:5, Interesting)
This is a good thing - and what every blacklist's ultimate goal is.
Speaking as a mail server admin, I'd be interested to know which lists are not removing you - so that I can make sure I'm not using them.
Seriously - letting people know about this is the best way to get what you want. If your site is not a relay, any blacklist maintainer is doing their users a disservice by listing you.
As a mail admin, I'd want to know.
Alternatively, you could do the American thing and threaten a lawsuit - most blacklist operators are immune from libel charges because they're just listing people who operate open relays (truth is defense against libel) - if you're not an open relay, then you've got a good case for libel: they're deliberately publishing false information to hurt your business.
Email virus as spam (Score:2)
Some filters require the recipient to flag your email as spam, then when a certain threshold is hit you are blacklisted.
Since only messages with title "Hahahaha" were being sent to a specific domain, we exceeded the threshold and became blacklisted.
It would be nice to filter all of our email, but we do not have the resources or can take the responsibility to filter email content.
shucks.
Umh, no... (Score:2, Interesting)
1) You have to prove that you weren't doing the spamming. (this is good)
2) You also have a "waiting period" to be removed from these lists. (this is also good)
The fact that you let your server become an open relay (configuration error or not) is bad. Think of it as your "slap on the wrist" for allowing it to happen.
Overall, this is a good thing. I bet you will make sure that your servers are secured properly from now on.
Also a GoodThing (Score:2, Interesting)
Back in the day, I tried to email a resume to a credit union and found my email bounced even getting to them, because their open relay had been abused. It no doubt made doing business very difficult for them.
This of course is no real help to anyone who brings in a contractor to set things up and leaves the door open. Maybe worth wording into a contract that contractor is responsible for certain damages due to oversight. I know contractors are advised to carry insurance, I wonder how this example would play out.
What's your definition of "reasonable"? (Score:2)
Additionally, as someone else pointed out, those list maintainers are doing a disservice to those who use their blacklists, because the validity of the data is called into question. Yes, a.b.c.d WAS an open relay 6 months ago. It is not anymore, and hasn't been for over 5 months. To continue to list that IP as an open relay when it's not is simply wrong, and is anything BUT "perfectly reasonable".
"Reason" would dictate that once a server is not an open relay it would be removed. The poster was complaining about lists they can't seem to get removed from.
Re:Umh, no... (Score:2)
The burden should be on them to prove your open relay was being used for SPAM.
Shout out for SpamAssassin (Score:5, Informative)
If you haven't heard of it, it's an elegant system that assigns a weight to each email message based on hundreds of different tests, and if the email scores over 5 (configurable), it is marked as spam.
One of the nice things about it is that it uses most of the email blacklists, but they're only worth ~2 points, so being in a blacklist alone isn't enough to kill a message. That's good for those blacklists that throw far too many people in that don't belong (osirusoft). It also uses razor, but that is only worth three points, so if someone is piping bugtraq to razor-report (that happened for a while) you won't lose all that email.
There's a really interesting set of tests (it's fun to read them) each with an obscure set of points including:
HTML with a non-white bgcolor (1.2)
Claims conformance to obscure spam law (1.0)
HTML mail with no text portion (3.33)
Various spam phrases (various points depending on how many "hits" there are)
Subject ends in an exclamation point (0.5)
The points have apparently been calculated using some program to give the best accuracy.
Anyway, SpamAssassin is the best of the spam removal programs I've seen. Give it a shot!
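The weighting described in the comment above, as an added example that is not part of the original post and is not SpamAssassin's code: the point values and the threshold of 5 are the ones the comment quotes, while the rule names, the simplified rule logic and the sample messages are assumptions constructed here. It shows why a blacklist or razor hit alone does not flag a message.

```python
import email
import re

THRESHOLD = 5.0  # "if the email scores over 5 (configurable)"

# Point values quoted in the comment; the rule names are invented for this example.
POINTS = {
    "DNSBL": 2.0,            # "~2 points" for a blacklist listing
    "RAZOR": 3.0,            # "only worth three points"
    "SUBJECT_EXCLAIM": 0.5,  # subject ends in an exclamation point
    "HTML_ONLY": 3.33,       # HTML mail with no text portion
    "HTML_BGCOLOR": 1.2,     # HTML with a non-white bgcolor
}
WHITE = {"white", "#fff", "#ffffff"}


def score_message(raw, dnsbl_listed=False, razor_listed=False):
    """Score one RFC 822 message; the two lookups are passed in as flags
    so the example runs offline."""
    msg = email.message_from_string(raw)
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    types = {p.get_content_type() for p in leaves}
    html = "".join(str(p.get_payload()) for p in leaves
                   if p.get_content_type() == "text/html")

    hits = []
    if dnsbl_listed:
        hits.append("DNSBL")
    if razor_listed:
        hits.append("RAZOR")
    if (msg.get("Subject") or "").rstrip().endswith("!"):
        hits.append("SUBJECT_EXCLAIM")
    if "text/html" in types and "text/plain" not in types:
        hits.append("HTML_ONLY")
    bg = re.search(r"bgcolor\s*=\s*[\"']?([#\w]+)", html, re.I)
    if bg and bg.group(1).lower() not in WHITE:
        hits.append("HTML_BGCOLOR")

    score = round(sum(POINTS[h] for h in hits), 2)
    return {"hits": hits, "score": score, "is_spam": score > THRESHOLD}


# Constructed sample: a transaction confirmation from a server that is still
# listed after closing its relay.
CONFIRMATION = (
    "From: ops@example.com\n"
    "Subject: Wire confirmation 4471\n"
    "Content-Type: text/plain\n"
    "\n"
    "Your transfer completed.\n"
)

# Constructed sample: HTML-only bulk mail.
BULK = (
    "From: deals@example.net\n"
    "Subject: Lowest rates ever!\n"
    "Content-Type: text/html\n"
    "\n"
    "<html><body bgcolor=\"#ffff00\"><b>Act now</b></body></html>\n"
)

if __name__ == "__main__":
    print(score_message(CONFIRMATION, dnsbl_listed=True))
    print(score_message(CONFIRMATION, razor_listed=True))
    print(score_message(BULK))
    print(score_message(BULK, dnsbl_listed=True))
```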
Re: Exclamation marks (Score:3, Informative)
more than 2 exclamation marks
more than 2 dollar signs
All caps
etc etc.
Worked pretty well, for its simplicity.
Re: Exclamation marks (Score:2, Insightful)
So, the boss realizes that perhaps my friend didn't get the message, and so the boss forwards the message to him, with a note attached, so now it reads "FW: URGENT!!! THIS IS VERY IMPORTANT!!!"
This happens two or three times before he finally figured out what was going on.
Moral of the story: quarantine spam, but don't automagically send it to a black hole. Only the addressee can truly differentiate legitimate mail from spam.
Re:Shout out for ... spamcop.net (Score:2, Informative)
Yes Big Kudos to SpamAssassin (Score:2)
The way I use it is have all spam messages get dumped to a common directory. This way I can verify that I didn't lose something important. In the 169 messages it filtered out during my last cleaning, 3 (all from mailing lists I'm on) were filtered improperly, and none of them were that important.
The beauty of this approach is that I can deal with wiping the spam out all at once and not have to be digging through my mail box wondering from subject lines if something is worth reading or if it's spam. I'll just do a "grep Subject: * | less" in the directory I use for storing the filtered messages and check for any mistakes. I add the mistakes into my procmail filter and voila, I get maybe half a dozen spams a week now.
Yes and no (Score:2, Insightful)
Any time that happens an email should be sent to postmaster@(reverse dns of mail server IP address) to inform them of the action being taken and the specifics of their openness. Just "you are running an open relay" is insufficient.
Also the ability to quickly remove the address from the blacklist when the other mail admin repairs the problem is important.
I don't particularly like blacklists but something must be done to discourage open relays and for now they are the only option.
Easier solution (Score:2)
Re:Easier solution (Score:2)
Re:Easier solution (Score:3, Interesting)
Re:Easier solution (Score:2)
Ah, I get it now. Thanks.
It's possible to connect to the mail server for the address supplied and verify that the user exists, but in most cases, due to server configuration, that would require actually sending a message (thus putting you at risk of getting into a bizarre authentication loop).
Wouldn't it be possible to initiate an SMTP transaction and then abort that transaction just before the email was actually sent, while still verifying that email could be sent?
It would also seriously add to the overhead of sending a message, something larger sites would not be able to cope with.
Well, yeah, but as a mail filter for your email client, it should work pretty well. Test each email as you receive it. No?
When you set up a mail server... (Score:2)
host_accept_relay = localhost:192.168.1.0/2
when what you want is
host_accept_relay = localhost:192.168.1.0/30
It took me ten long hours to figure out that I allowed 1/4 of the whole Earth to use my relay, when I wanted 4 computers on a private network. And it was probably the worst 1/4 of the Earth, every C-class network... It was a long day which I will never forget. In these ten hours I read more about SMTP than ever before... So remember kids, don't do this at home!
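The /2 versus /30 slip in the comment above can be caught before the server goes live. The following is an added example, not part of the original post and not Exim's own code: a small auditor for a colon-separated relay host list like the two `host_accept_relay` values quoted there. The function name and the IPv4-only handling are assumptions of this example.

```python
import ipaddress

# Ranges a small site would normally relay for: RFC 1918 private space and loopback.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def audit_relay_acl(value):
    """Audit a colon-separated relay host list (IPv4 entries only; assumption).

    Returns one dict per entry: the entry as written, the network it really
    matches, how many addresses that is, and a list of issues found.
    """
    findings = []
    for item in (part.strip() for part in value.split(":")):
        if not item:
            continue
        try:
            net = ipaddress.ip_network(item, strict=False)
        except ValueError:
            # Host names such as "localhost" are not CIDR blocks; report them unchecked.
            findings.append({"entry": item, "network": None,
                             "addresses": None, "issues": []})
            continue
        issues = []
        # The mask is applied to the address, so 192.168.1.0/2 really means 192.0.0.0/2.
        if "/" in item and str(net) != item:
            issues.append(f"host bits set: mask turns this into {net}")
        if not any(net.version == r.version and net.subnet_of(r) for r in INTERNAL):
            issues.append("covers addresses outside private/loopback space")
        findings.append({"entry": item, "network": str(net),
                         "addresses": net.num_addresses, "issues": issues})
    return findings


if __name__ == "__main__":
    # The two settings quoted in the comment above.
    for setting in ("localhost:192.168.1.0/2", "localhost:192.168.1.0/30"):
        print(setting)
        for f in audit_relay_acl(setting):
            print("  ", f)
```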
Protecting my server, thank you very much (Score:5, Informative)
Your problem is twofold. First, while you've cleaned up your open relay, plenty of spammers and spam-friendly hosts make the same claim and lie (Rule #1: Spammers lie). So you may have to be patient.
More importantly, your server ip may now be sitting in hundreds of private blacklists of mail servers whose admins don't like to use the centralized lists, and just reject/blackhole spammers on their own. It is the presence of well-trusted centralized blacklist services that gives you even the hope of ever having decent communication, because without them, you'd get into a thousand tiny blacklists and never get out.
(P.S. Note that if you're checking your status using the rblcheck tool at http://relays.osirusoft.com, it will tell you about a lot of blacklists that are not intended to be publicly used and not part of the usual osirusoft dnsbl, as well...)
Black lists probably work (Score:3, Interesting)
Re:Black lists probably work (Score:2)
RBL can be useful... (Score:3, Interesting)
I agree that some BL's are not properly managed. The old ORBS system was a perfect example of this. They would add you if you were an open relay, but getting OUT of the database was pretty much impossible if the guy that ran it didn't like you or your attitude toward his "service".
One of my mail servers ended up on ORBZ as well as ORDB because I had made a mistake in the configuration, and I corrected it and was promptly removed after submitting a re-test request.
I now employ the use of RBL on my own servers, but I will only use those services which will remove "fixed" servers using an automated testing system that works properly. ORDB, ORBZ and Osirisoft's RBL's tend to be the best AFAIK. I have found that by using these systems, the level of SPAM that my users and I receive has dropped to a point where it's not entirely annoying or time-consuming to deal with it anymore.
One RBL that I stay away from using is the one operated by SpamCop (bl.spamcop.com). It's a great idea, but it ends up blocking out too much "real" e-mail as well, esp from the larger ISP's like Comcast, etc.
Going to get far worse before it gets better. (Score:5, Insightful)
What blacklists really do is get the attention of sysadmins, and get them to take the problem seriously. I, like rlsnyder, was victimized in the same way -- our mail server was an open relay, we forwarded some spam, and got blacklisted. It took me a week or so to get it straightened out, and in the process I learned quite a bit about the UCE problem. rlsnyder similarly has been enriched by the experience, whether he agrees to that at this point or not.
One always has the option of sending mail from one of the many free mail systems. If your mail is blocked while your case is being reviewed, then send it from hotmail or someplace like that. That's what we did. It took about a week for the last of the spam reporting services to delist our site, and while it was inconvenient, it wasn't devastating. It won't be for rlsnyder, either, I trust.
The big problem is that there is nothing to stop the spammers. People who relay mail through unsuspecting companies are already criminals, they will not be dissuaded by laws. The only thing that the anti-spam community can do is to try to put a finger in all 2^32 holes in the dike, and the only way to do that is to educate people. The blacklists are that education program.
thad
Getting blacklisted is just lots of fun... (Score:2)
Without notice that your message was rejected, it seems like the message is getting through, but the recipient is unwilling or unable to respond. This is a real pain with eBay, especially with Paypal payments (the sellers apparently never noticed that money had magically appeared in their accounts unless they received an e-mail notice).
Basing the filter on the Reply-To header is rather stupid, because it can easily be changed or forged. Spammers can simply spam under your address until it gets blacklisted, then move on to another, leaving you screwed. Sure it is simple to just change your return address, but how do you know that you have to if nobody tells you that you're blacklisted?
How to fix this mess. (Score:2)
The person needs to contact their ISP with a lawyer on hand and give them a deadline -- if they don't remove their spammers, the person's company will sue for breach of contract and reclaim the cost of moving to a clean provider.
We need a Consumer Reports site for blacklists (Score:2, Interesting)
Blacklist maintainers would naturally want to be at the top, and this would foster competition and generate better more accurate lists.
Trust, but Verify (Score:2, Interesting)
After lurking on news.admin.net-abuse.email for a while, I've seen a lot of mail admins post asking to have their servers un-blacklisted because they've "cleaned up their act" only to have it pointed out to them that they are still hosting spammers.
Perhaps you could tell us where you have been blacklisted and what IPs are listed so we can see for ourselves the veracity of your statement?
some of these guys are nuts (Score:4, Funny)
We fixed the problem that day and when we contacted the SPAM COP he wrote back to say, basically:
All Lotus Notes Mail Servers are insecure so we're leaving you on the list. Get another mail server.
I made a change in the Notes.INI file that made it look like I was using SendMail. And he fixed us.
Ridiculous policy. Notes is pretty secure anyway! I wonder what this guy read...
some companies deserve it (Score:4, Interesting)
Recently, spammers have discovered our open system and have been relaying at a furious rate (read: thousands of emails a day.) This caused *our* email to get reflected back to us most of the time, and it also got my employer's domain on several spammer blacklists. This is such a problem, that the corporate office recently switched ISPs over it.
Now, with the new ISP, the IT guys have "cracked down on security" by banning relaying...for 1/2 the day. In the mornings we can send all the email we want (and so can the spammers), but after we all get back from lunch, no more email can be sent out. My employer is baffled why we can't get off of the blacklists, even after the move to the new ISP. I just laugh and goof off for the rest of the afternoon.
I'm all for an appeals process of some sort in order to get off of spam blacklists, but some companies do deserve to stay there, as long as their habits and policies don't radically change.
not_anne
Your IT guys are morons. (Score:2, Insightful)
My employer's corporate office email system is an open relay, so that outlying offices (like ours) can send email, and so the company can track what we're doing.
Your employer's corporate office needs to employ a VPN.
My employer is baffled why we can't get off of the blacklists, even after the move to the new ISP.
Tell him it's because the IT guys are incompetent. Point him to this message if he thinks it's just you. You NEVER need an open relay. Tell him that you need VPNs between sites - that with the email flying around unencrypted, that anyone can view all of your internal memos as they fly between sites.
Re:some companies deserve it (Score:3, Interesting)
You *do* realise that mail servers can be configured to only accept relays from certain domains? eg from "outlying-branch-isp.com"?
And your new ISP is "cracking down" by letting it go half the day only? Hmmm
I know, it's fun to goof off, but you're doing the rest of the internet a disservice. For chrissakes, get somebody to post your system specs here on slashdot and somebody will post the steps required to walk you through setting it up.
If someone at your outlying branch isp subnet(s) discovers your mail relay after that, well it should be a simple matter for you to get them booted.
Oh, don't post any identifying details about your company, unless you want them to experience THE AWESOME POWER OF THE SLASHDOT EFFECT *evil grin*
Heh , I like the sound of that
"NOBODY EXPECTS THE SLASHDOT EFFECT!"
Kind of python-esque.
Morons are known to hire idiots in IT (Score:3, Interesting)
An open relay is not necessary in order to make email function at the outlying offices. You don't even need a VPN. The mail server can be configured with the static IP addresses of each of the offices as valid "local" addresses. Of course a VPN is much better as that also improves your security.
As confirmed by another [slashdot.org] of your postings, your company management are morons who have apparently hired idiots for the IT department. Obviously you recognize it, and can leave if you feel that is necessary, or can stay as long as you can deal with it, and are not blamed for it. Should they ever offer to promote you into IT, be sure you insist that you be given the authority to fix the problems with no further permission from management to go ahead.
simple solution.. (Score:4, Interesting)
Maybe 100 lines in perl to accomplish this. no real effort required.
Re:simple solution.. (Score:2)
However, your 100 line perl script could be useful as a pre-emptive measure to warn admins who have carelessly left their servers open to relaying. So if it finds an open relay, it sends the admin mail saying:
"The Automated Open Relay Detection Service has determined that your server does not sufficiently deny open mail relaying.
The following test was performed:
<test details here>.
If you do not wish to be added to various blacklists services, you should probably fix it. If you need help fixing it, useful resources include:
<useful urls>"
Set that up as a distributed project, and it'd find all the open relays on the internet PDQ.
Re:simple solution.. (Score:3, Insightful)
The only time you would have someone trying to avoid their server being detected as an open relay is when they use the server for legitimate (non-spam) purposes, but are too lazy to make the server not an open relay.
Re:simple solution.. (Score:3, Insightful)
Machines in the middle? (Score:2)
Just wait a minute there Jethro... "machines in the middle" are not discriminating against your data. It's not like your mail passes through this machine that says, "Hey, you're a bad bad person! Go away."
In fact, the recipients are the servers refusing to deal with you. Sure, it's because they've subscribed to a list, but the list is not the one refusing you, it's the server that reads from it.
That said, it's not very nice to remove you from such a list once you've demonstrated your server is fixed.
Re:Machines in the middle? (Score:2)
Oops. That should have said, "It's not very nice to refuse to remove you"
Blacklist maintenance (Score:2)
I can understand the problems caused by unmaintained blacklists, or ones that operate on the roach-motel principle. All you can do is communicate directly with the blacklist maintainers, or communicate with the sites blocking you (mail to postmaster shouldn't be blocked) and see if you can convince them the blacklist is unreasonable. If sites start getting lots of reports about a blacklist refusing to delist open relays after they've been fixed, site operators may stop using those blacklists.
On the other hand, you admit to having had an open relay in your network. Back before 1995 or so this might have been excusable. If we're talking in the last 6 years, though, there's no excuse. The problems have been well-known, the solutions equally well-known and easily implemented. If you shoot yourself in the foot, even unintentionally, whose fault is the resulting pain?
Problem needs to be addressed on several fronts (Score:2)
IMO, the way it should work, to be fair, is to send a warning email to someone from the company. Then, if that email goes unnoticed, put the company in the blacklist. Even better, put something informative in that email letting people know how they can stop their server from being an open relay.
I should know. I've been in this situation, where my email server was way down on my list of priorities. I was blacklisted without warning or explanation. I had to investigate the whole matter myself, fix the problem, find the people who blacklisted me and go through their procedures to get off the blacklist. While I see the need to have blacklists, they certainly could do a better job dealing with businesses who have no intention of spamming and who may have just overlooked or not even known about the problem.
Pot: Kettle, you're black! (Score:2)
Please tell me what company you work for. I'd like to see how well-maintained and secure your systems, apparently employed by some type of financial company, really are.
...or feel free to move your mailserver to another IP or subnet if you can't get it unblocked. Testing it could be a pain in the butt, but isn't the spam that you let through a pain in the butt also?
Give your users the control: EXIM and RBL-Warning (Score:2, Informative)
1) Messages are checked for RBL
2) A X-RBL-Warning header is added to the message
3) Users can choose to filter these messages themselves
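The three steps in the comment above, sketched as an added example that is not part of the original post and not Exim's own code. The zone names, the header text, the folder names and the injected resolver are assumptions of this example, and the sample message and zone data are constructed so it runs offline.

```python
import ipaddress
import socket
from email import message_from_string

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """192.0.2.10 checked against dnsbl.example -> 10.2.0.192.dnsbl.example"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """Real lookup: returns the A record as a string, or None if the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_zones(ip, zones, resolve=system_resolver):
    """Step 1: return (zone, answer) for every list that has the address."""
    hits = []
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        # DNSBLs answer inside 127.0.0.0/8. Any other answer (a parked or
        # wildcarded zone, for instance) is not treated as a listing.
        if answer and ipaddress.ip_address(answer) in LISTED_RANGE:
            hits.append((zone, answer))
    return hits


def tag_message(raw, client_ip, zones, resolve=system_resolver):
    """Step 2: add X-RBL-Warning instead of rejecting the message."""
    msg = message_from_string(raw)
    # Drop any copy supplied by the sender so the header reflects only our check.
    del msg["X-RBL-Warning"]
    for zone, answer in check_zones(client_ip, zones, resolve):
        msg["X-RBL-Warning"] = f"{client_ip} is listed at {zone} ({answer})"
    return msg


def user_folder(msg):
    """Step 3: a per-user rule that quarantines tagged mail rather than deleting it."""
    return "rbl-quarantine" if msg["X-RBL-Warning"] else "inbox"


# Constructed sample data: documentation addresses and made-up zones.
FAKE_ZONE_DATA = {
    "10.2.0.192.dnsbl.example": "127.0.0.2",     # listed
    "10.2.0.192.parked.example": "203.0.113.5",  # zone answering with a non-127 address
}
SAMPLE = ("From: sender@example.org\n"
          "X-RBL-Warning: supplied by the sender\n"
          "Subject: order confirmation\n\n"
          "Constructed test message.\n")


def fake_resolver(name):
    return FAKE_ZONE_DATA.get(name)


if __name__ == "__main__":
    zones = ["dnsbl.example", "parked.example"]
    for ip in ("192.0.2.10", "198.51.100.7"):
        tagged = tag_message(SAMPLE, ip, zones, fake_resolver)
        print(ip, "->", user_folder(tagged), tagged.get_all("X-RBL-Warning"))
```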
If you had an open relay (Score:3, Interesting)
Bankrupt a few spammers, show others it is not cheap to spam. Maybe get some charged criminally.
All spammers should be tortured, then executed.
Blacklists not the answer... (Score:3, Interesting)
I'm usually all for privacy, but I think we need to be using an email transport protocol that involves some form of authentication. I'm not sure if some such protocol exists already, but it doesn't seem like it would be too hard to create.
Am I way off base here, or wouldn't this cut way down on SPAM?
Simple solution (Score:2)
The server would connect to each address in the resubmission list and test if the relay was open. If an open relay wasn't detected then the system is put into a probationary state or taken off the list entirely. It's an automated solution that doesn't require any work by spam list administrators.
If necessary, the list of resubmissions could be distributed to volunteered machines (similar to seti) on many different networks. The volunteer machines then double-check the result. This reduces the chance of someone closing the relay exclusively for the spam list server.
A three-strikes and you're out policy could also be put into place.
Jason.
I've been there... and it sucks (Score:2, Insightful)
One item of spam had been sent through our server, I spotted the problem, fixed it, and got told that I'd been blacklisted. I then applied to be retested ("oh please Mr. Self-Appointed Cop, please say that I am good"), and was not removed from the list for a long long time. It should be automatic. Maybe test that server once a day for the next few weeks to make sure that it stays closed, if you feel such an urge. But everybody loses when the lists are not updated promptly - the admins of previously-open relays cannot send email, innocent recipients of email from the previously-open relay don't receive email they were expecting, and the maintainers of systems using the blacklists lose faith in the accuracy of the list, and stop using them (hopefully!).
I really don't know why people bother using these lists - I've not seen anyone claim here that they've benefitted significantly from doing so, and many people are harmed.
Blacklists are bad - DNS fascism is WORSE! (Score:2)
As other people here have said, blacklists can be bad but most often only need some patience to get off of.
What's far more annoying, in my opinion, is those sites who've configured their mail server to be utterly anal about DNS. Forward mapping, reverse mapping, no underscores, etc. etc. Since many otherwise decent mailservers are stuck with ISP "What's DNS?" level support, this can be a pain in the ass for completely innocent victims.
Internet Darwinism (Score:2)
Think about it: If I run a mail server and use the biggest, least lenient blacklist provider out there, my users will start to complain when they're not getting important emails from people.
As in everything there's a middle ground between blocking too much and blocking not enough (or even none). The right answer is to make sure mailadmins listen to their users, so they can find the right black hole list, striking the balance between spam and legitimate access.
Who knows, we may even get a responsible public organization out of this, recognized for specific rules and procedures for blacklist inclusion and removal. The sooner there's one list, the sooner we have less spam and less illegitimate blocking.
sorry, it's your problem (Score:2)
You'll just have to be more careful next time. As you discovered, the cost of relaying spam is higher than you may have thought originally. Eventually, those entries will go away. But even consumers have to wait many years before bad credit information goes away.
It's real simple (Score:3, Insightful)
However, those who repent and fix their open relays should be immediately removed from any open relay blacklist they might be listed with. It's totally irresponsible to run a blacklist without provisions for keeping them up to date in near-realtime.
An example of a great service was ORBS (the Open Relay Blackhole Service), may it rest in peace. It was largely automated, and would add and remove sites simply based on observations made by their relay-checking robot. There were some manual entries (for sites who refused to be probed), and that was cause for a bit of controversy. But by and large it was quite excellent. I can see absolutely no reason whatsoever for anyone to complain about the creation and use of such blacklists, unless they are a spammer. I have never heard a valid reason why an open relay should be considered okay (I do *not* agree with John Gilmore, just about the only slightly credible dissenter I've heard on this topic. He's just too lazy to use one of many available alternatives to what he's trying to accomplish. See this [weblogs.com] to see what I'm talking about.)
Too bad most of the great blacklist services seem to be going away or becoming (highly overpriced) commercial endeavors.
Re:if you got listed then you were major (Score:2)
Our mail relay boxen were listed in orbs for a long time. We were never a major spam source, in fact, our relays were open (and stayed open because of political reasons, took us a while to get them shut down... now we have authenticated smtp and life is good)
The fact is, we got on the orbs list not because we were a spam source, but because we could have been. We were open if (and only if) you forged your from address as being from our domain. Yea...it was dumb - but believe it or not, no one spammed through us!
In fact (I said political process right?) we had permission to shut down relaying permanently if we got abused - we were waiting for it! It never happened. (eventually, we finally got it shut down without abuse but... it took time)
So no... being listed on a blacklist doesn't mean you are a spam source, unless it is one of the better blacklists. Some blacklists will list you because you could be one. (One of the orbs tests that caught a machine of ours was an obscure uucp test that, yes meant we were open, but again.... no real spammers were actually using)
all in all I liked orbs, I think that active testing and notification was good... it helped us fix some of the stuff we didn't know about... but in the end, it wasn't a very good blacklist to block mail by because it listed a lot of places that just weren't spam sources (like us).
-Steve
Re:Cure as bad as the illness (Score:2, Interesting)
damage.
With lists like SPEWS, collateral damage is inevitable - no one who uses SPEWS is unaware of this.
Alice isn't SOL, however...
1: She can always get an account on Hotmail, Yahoo, etc.
2: She should leave her ISP if at all possible. So long as she's at an ISP that is part of the spam problem, all she's doing is indirectly supporting spam. When she DOES leave, she should tell the ISP the reason she's leaving is due to them supporting spammers and getting blacklisted. When an ISP starts losing customers due to spam, maybe they'll change their tune - or go out of business - their choice. Either way, the result will be one less spam-friendly ISP in the world.
Is this all a bit cruel? Perhaps. But remember, there is *nothing* that says I, as an ISP, *must* accept email from you.
Re:As a newbie, I still think you deserve it (Score:3, Insightful)
At this point in my career, I am tired of dealing with half-assed admins who can't tie a shoe.
You were hired based on a particular competence level. You said you knew how to administer a mailserver. If you say you can administer a mailserver, you should know about open relays. If this was your first job administering a mailserver, you shouldn't have gotten the fucking job.
As an admin, YOU and you alone are responsible for what comes out of your network.
Back when codered was flooding the internet (and still is, along with nimda, based on my fucking log files), I had to call this company that was sending out codered scans from no less than 5 different IP addresses. At ONE company! I searched through internic records (I'll be damned if I was going to load the company's website) and finally got in touch with someone who claimed to be the network admin. I explained the situation to him and he proceeded to tell me that he wasn't aware that these servers were even running! How in the fuck can you not know what goes on with your network?
You see, I'm paranoid. I want to know everything that goes on with my network at any given time. I do my damnedest to make sure everything is secure as possible (short of pulling the damn cat 5 out of the switch). I've got the switches locked to MAC address so no one can just plug in a machine. I've got an external mail relay that only forwards mail to our firewall that is then passed to our Exchange server (the one halfway decent product MS makes). Not only is the external mail scanner running some stuff to check for basic attachment viruses, but our exchange server is running Norton for Exchange. The client machines have NAV as well which uses a central server to update definition files daily. The outlook clients are running the Attachment and Zone patch from Microsoft. And to top it off, you can't relay through our server without authentication which most email clients support nowadays.
Some people call that paranoid but while our clients got slammed by the latest outlook bugs, we happily zoomed along without a single infection (should have seen the NAV logs on the email server though
The point of all this is this. You were hired to do a job. If you aren't competent to do the job then get the hell out of the way and go work under someone who can.
Re:Fake open relays needed (Score:3, Insightful)
What you're proposing has already been thought of. It's called a Teergrube. What it does is hold the spammer's SMTP connection open for as long as possible, appearing to slowly accept mail, but in reality doing nothing but wasting the spammer's time. You can do a Usenet search on that term to get more information. Here's an FAQ [iks-jena.de] that may help you out. The post I pulled the link from is several years old, so you may want to look for something more up to date.